author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-01-02 12:50:13 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-01-02 13:31:10 +0100 |
commit | 5a62c80de00658b76e3cdc038d0a09eec808ea7b (patch) | |
tree | eebef26da983398b490f605fdbaf62a1365ac796 /lib/x509/verify-high2.c | |
parent | 41ca2b3ab8dbf62b52d750746a7a4cece83bb0e6 (diff) | |
download | gnutls-5a62c80de00658b76e3cdc038d0a09eec808ea7b.tar.gz |
Updated PKCS #11 support for gnutls_x509_trust_list_add_trust_file().
It will now use the PKCS #11 trust URL while verifying instead of importing
all CAs. That way it allows verification on the spot without requiring the
gnutls to restart in case of a blacklisted CA.
Diffstat (limited to 'lib/x509/verify-high2.c')
-rw-r--r-- | lib/x509/verify-high2.c | 56 |
1 files changed, 3 insertions, 53 deletions
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 1c3c365026..d810a59899 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -158,56 +158,6 @@ gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t list,
 #ifdef ENABLE_PKCS11
 static
-int import_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file,
- unsigned int flags)
-{
- gnutls_x509_crt_t *xcrt_list = NULL;
- gnutls_pkcs11_obj_t *pcrt_list = NULL;
- unsigned int pcrt_list_size = 0, i;
- int ret;
-
- ret =
- gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
- ca_file,
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA,
- 0);
- if (ret < 0)
- return gnutls_assert_val(ret);
-
- if (pcrt_list_size == 0) {
- ret = 0;
- goto cleanup;
- }
-
- xcrt_list =
- gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
- if (xcrt_list == NULL) {
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- ret =
- gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size,
- pcrt_list, 0);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret =
- gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size,
- flags);
-
- cleanup:
- for (i = 0; i < pcrt_list_size; i++)
- gnutls_pkcs11_obj_deinit(pcrt_list[i]);
- gnutls_free(pcrt_list);
- gnutls_free(xcrt_list);
-
- return ret;
-}
-
-static
 int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file)
 {
 gnutls_x509_crt_t *xcrt_list = NULL;
@@ -293,9 +243,9 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
 #ifdef ENABLE_PKCS11
 if (strncmp(ca_file, "pkcs11:", 7) == 0) {
- ret = import_pkcs11_url(list, ca_file, tl_flags);
- if (ret < 0)
- return gnutls_assert_val(ret);
+ list->pkcs11_token = strdup(ca_file);
+
+ return 0;
 } else
 #endif
 {
|
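Review bot: `list->pkcs11_token = strdup(ca_file);` in the second hunk stores the result without checking it, so an allocation failure leaves `pkcs11_token` NULL while the function still returns 0, and the caller has no way to learn that its trust URL was never recorded; whatever the verifier does with a NULL token, the failure will surface far from its cause. The assignment also overwrites any token stored by an earlier gnutls_x509_trust_list_add_trust_file() call on the same list without releasing it, which leaks the previous copy if the list owns that string (where it is freed is not visible from this hunk, so treat that as something to confirm). I would take the copy into a local, return `gnutls_assert_val(GNUTLS_E_MEMORY_ERROR)` when it is NULL, release the previous value, and only then assign; the first hunk is a pure deletion and raises nothing. The enclosing function gnutls_x509_trust_list_add_trust_file() begins and ends outside the hunk.
```c
	if (strncmp(ca_file, "pkcs11:", 7) == 0) {
		char *token = strdup(ca_file);
		if (token == NULL)
			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
		/* NOTE(review): assumes pkcs11_token starts out NULL and is owned by the list -- confirm */
		free(list->pkcs11_token);
		list->pkcs11_token = token;
		return 0;
	} else
```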