From 154d499be275e9af301e4e2676f72668bc7b21c0 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 7 Apr 2012 14:43:12 +0200 Subject: [PATCH] Enable client certificates when GNU TLS is used. --- NEWS | 2 ++ src/ChangeLog | 5 +++++ src/gnutls.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+) diff --git a/NEWS b/NEWS index e0f81a99..5b8d8a63 100644 --- a/NEWS +++ b/NEWS @@ -22,6 +22,8 @@ Please send GNU Wget bug reports to . ** Report stdout close errors. ** Accept the --bit option. + +** Enable client certificates when GNU TLS is used. * Changes in Wget 1.13.4 diff --git a/src/ChangeLog b/src/ChangeLog index 6e6d354f..7c792d62 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2012-04-07 Daniel Kahn Gillmor (tiny change) + + * gnutls.c (key_type_to_gnutls_type): New function. + (ssl_init): Use correctly the specified gnutls certificate. + 2012-04-01 Gijs van Tulder * html-url.c: Prevent crash on incomplete STYLE tag. diff --git a/src/gnutls.c b/src/gnutls.c index 442b1364..291da895 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -54,6 +54,20 @@ as that of the covered work. */ # include "w32sock.h" #endif +static int +key_type_to_gnutls_type (enum keyfile_type type) +{ + switch (type) + { + case keyfile_pem: + return GNUTLS_X509_FMT_PEM; + case keyfile_asn1: + return GNUTLS_X509_FMT_DER; + default: + abort (); + } +} + /* Note: some of the functions private to this file have names that begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be confused with actual gnutls functions -- such as the gnutls_read @@ -108,6 +122,36 @@ ssl_init () closedir (dir); } + /* Use the private key from the cert file unless otherwise specified. */ + if (opt.cert_file && !opt.private_key) + { + opt.private_key = opt.cert_file; + opt.private_key_type = opt.cert_type; + } + /* Use the cert from the private key file unless otherwise specified. */ + if (!opt.cert_file && opt.private_key) + { + opt.cert_file = opt.private_key; + opt.cert_type = opt.private_key_type; + } + + if (opt.cert_file && opt.private_key) + { + int type; + if (opt.private_key_type != opt.cert_type) + { + /* GnuTLS can't handle this */ + logprintf (LOG_NOTQUIET, _("ERROR: GnuTLS requires the key and the \ +cert to be of the same type.\n")); + } + + type = key_type_to_gnutls_type (opt.private_key_type); + + gnutls_certificate_set_x509_key_file (credentials, opt.cert_file, + opt.private_key, + type); + } + if (opt.ca_cert) gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert, GNUTLS_X509_FMT_PEM); -- 2.39.2