authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-01-02 12:50:13 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-01-02 13:31:10 +0100
commit5a62c80de00658b76e3cdc038d0a09eec808ea7b (patch)
treeeebef26da983398b490f605fdbaf62a1365ac796 /lib/x509/verify-high2.c
parent41ca2b3ab8dbf62b52d750746a7a4cece83bb0e6 (diff)
Updated PKCS #11 support for gnutls_x509_trust_list_add_trust_file().
It will now use the PKCS #11 trust URL while verifying instead of importing all CAs. That way it allows verification on the spot, without requiring the GnuTLS-based process to be restarted when a CA is blacklisted.
Diffstat (limited to 'lib/x509/verify-high2.c')
-rw-r--r--lib/x509/verify-high2.c56
1 files changed, 3 insertions, 53 deletions
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 1c3c365026..d810a59899 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -158,56 +158,6 @@ gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t list,
#ifdef ENABLE_PKCS11
static
-int import_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file,
- unsigned int flags)
-{
- gnutls_x509_crt_t *xcrt_list = NULL;
- gnutls_pkcs11_obj_t *pcrt_list = NULL;
- unsigned int pcrt_list_size = 0, i;
- int ret;
-
- ret =
- gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
- ca_file,
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA,
- 0);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- if (pcrt_list_size == 0) {
- ret = 0;
- goto cleanup;
- }
-
- xcrt_list =
- gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
- if (xcrt_list == NULL) {
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- ret =
- gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size,
- pcrt_list, 0);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret =
- gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size,
- flags);
-
- cleanup:
- for (i = 0; i < pcrt_list_size; i++)
- gnutls_pkcs11_obj_deinit(pcrt_list[i]);
- gnutls_free(pcrt_list);
- gnutls_free(xcrt_list);
-
- return ret;
-}
-
-static
int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file)
{
gnutls_x509_crt_t *xcrt_list = NULL;
@@ -293,9 +243,9 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
#ifdef ENABLE_PKCS11
if (strncmp(ca_file, "pkcs11:", 7) == 0) {
- ret = import_pkcs11_url(list, ca_file, tl_flags);
- if (ret < 0)
- return gnutls_assert_val(ret);
+ list->pkcs11_token = strdup(ca_file);
+
+ return 0;
} else
#endif
{
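Review bot: The strdup() result on the added `list->pkcs11_token = strdup(ca_file);` line is never checked, so on allocation failure the token stays NULL and the function still returns 0, leaving the trust list silently without the PKCS #11 trust source while the caller believes it was added. I would write `list->pkcs11_token = strdup(ca_file); if (list->pkcs11_token == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);`. A second call with a pkcs11: URL also overwrites the previous pointer without releasing it, so any existing value should be freed first with the deallocator that matches the strdup used here. The tl_flags argument is no longer consulted on this path, which may be intended but deserves a comment such as `/* flags are applied at verification time, not when the token URL is recorded */` if that is the case, and if the documented return value is the number of added CAs then returning 0 here is worth a note too. gnutls_x509_trust_list_add_trust_file starts and ends outside the hunk.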