From 2f6ed9c675aff1feb2da0fce75e2cb40c97a64ad Mon Sep 17 00:00:00 2001
From: rfm
Date: Fri, 28 Sep 2012 14:20:42 +0000
Subject: [PATCH] add certificate revocation list support
git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@35614 72102866-910b-0410-8b05-ffd578937521
---
 Source/GSTLS.h | 1 +
 Source/GSTLS.m | 78 +++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/Source/GSTLS.h b/Source/GSTLS.h
index d2c0ff4a2..1e9c87489 100644
--- a/Source/GSTLS.h
+++ b/Source/GSTLS.h
@@ -29,6 +29,7 @@
 @class NSString;
 extern NSString * const GSTLSCAFile;
+extern NSString * const GSTLSRevokeFile;
 extern NSString * const GSTLSCertificateFile;
 extern NSString * const GSTLSCertificateKeyFile;
 extern NSString * const GSTLSCertificateKeyPassword;
diff --git a/Source/GSTLS.m b/Source/GSTLS.m
index 542a07f0e..3bfe25a3d 100644
--- a/Source/GSTLS.m
+++ b/Source/GSTLS.m
@@ -24,6 +24,7 @@
 #import "common.h"
 #import "Foundation/NSArray.h"
+#import "Foundation/NSBundle.h"
 #import "Foundation/NSData.h"
 #import "Foundation/NSDictionary.h"
 #import "Foundation/NSEnumerator.h"
@@ -43,6 +44,7 @@
 /* Constants to control TLS/SSL (options). */
 NSString * const GSTLSCAFile = @"GSTLSCAFile";
+NSString * const GSTLSRevokeFile = @"GSTLSRevokeFile";
 NSString * const GSTLSCertificateFile = @"GSTLSCertificateFile";
 NSString * const GSTLSCertificateKeyFile = @"GSTLSCertificateKeyFile";
 NSString * const GSTLSCertificateKeyPassword = @"GSTLSCertificateKeyPassword";
@@ -98,6 +100,7 @@ GSTLSLog(int level, const char *msg)
 * default string.
 */
 static NSString *caFile = @"/etc/ssl/certs/ca-certificates.crt";
+static NSString *revokeFile = @"/etc/ssl/certs/revoke.crl";
 /* The verifyServer variable tells us if connections to a remote server should
 * (by default) verify its certificate against trusted authorities.
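Review bot: The new `revokeFile` static in the last hunk on this line sits directly under the comment block that documents `caFile` ("default string") and carries no comment of its own, so a reader cannot tell what the file is for or how it is overridden. A short comment such as `/* Default certificate revocation list; overridden by GS_TLS_REVOKE, a bundled GNUTLS/revoke.crl resource, or the GSTLSRevokeFile user default. */` would record the lookup order this patch introduces. Whether `/etc/ssl/certs/revoke.crl` exists on a typical installation is not something I can tell from here; if it does not, the loading code later in the patch only logs and continues, so the builtin default provides no revocation checking unless one of the overrides is set.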
@@ -143,6 +146,15 @@ static gnutls_anon_client_credentials_t anoncred;
 ASSIGN(caFile, str);
 }
+ /* The GSTLSRevokeFile user default overrides the builtin value or the
+ * GS_TLS_REVOKE environment variable.
+ */
+ str = [[NSUserDefaults standardUserDefaults] stringForKey: GSTLSRevokeFile];
+ if (nil != str)
+ {
+ ASSIGN(revokeFile, str);
+ }
+
 str = [[NSUserDefaults standardUserDefaults] stringForKey: GSTLSCAVerify];
 if (nil != str)
 {
@@ -171,19 +183,38 @@ static gnutls_anon_client_credentials_t anoncred;
 {
 NSUserDefaults *defs;
 NSProcessInfo *pi;
+ NSBundle *bundle; + NSString *str;
 beenHere = YES;
+ bundle = [NSBundle bundleForClass: [NSObject class]];
+
 /* Let the GS_TLS_CA_FILE environment variable override the
 * default certificate authority location.
 */
 pi = [NSProcessInfo processInfo];
 str = [[pi environment] objectForKey: @"GS_TLS_CA_FILE"];
- if (nil != str)
+ if (nil == str)
 {
- ASSIGN(caFile, str);
+ str = [bundle pathForResource: @"ca-certificates"
+ ofType: @"crt"
+ inDirectory: @"GNUTLS"];
 }
+ ASSIGN(caFile, str);
+
+ /* Let the GS_TLS_REVOKE environment variable override the
+ * default revocation list location.
+ */
+ pi = [NSProcessInfo processInfo];
+ str = [[pi environment] objectForKey: @"GS_TLS_REVOKE"];
+ if (nil == str)
+ {
+ str = [bundle pathForResource: @"revoke"
+ ofType: @"crl"
+ inDirectory: @"GNUTLS"];
+ }
+ ASSIGN(revokeFile, str);
 str = [[pi environment] objectForKey: @"GS_TLS_CA_VERIFY"];
 if (nil != str)
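Review bot: In the second hunk `ASSIGN(caFile, str);` now runs unconditionally after the `GS_TLS_CA_FILE` lookup, so when the environment variable is unset and `pathForResource:ofType:inDirectory:` finds no bundled `ca-certificates.crt`, `str` is nil and the builtin default `/etc/ssl/certs/ca-certificates.crt` is replaced by nil instead of being kept, whereas the removed code only assigned when the variable was present. The same applies to `ASSIGN(revokeFile, str);` after the `GS_TLS_REVOKE` lookup further down the hunk. Guarding both assignments restores the intended fallback chain of environment variable, then bundle resource, then builtin default: `if (nil != str) { ASSIGN(caFile, str); }` and `if (nil != str) { ASSIGN(revokeFile, str); }`. The second `pi = [NSProcessInfo processInfo];` is redundant, since `pi` is already set a few lines above and still in scope. The enclosing method starts and ends outside this hunk.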
@@ -843,9 +874,48 @@ static NSMutableDictionary *privateKeyCache1 = nil;
 }
 }
+ /* Load default revocation list.
+ */
+ if ([revokeFile length] > 0)
+ {
+ const char *path = [revokeFile fileSystemRepresentation];
+ int ret;
+
+ ret = gnutls_certificate_set_x509_crl_file(certcred,
+ path, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ {
+ NSLog(@"Problem loading revocation list from %@: %s",
+ revokeFile, gnutls_strerror(ret));
+ }
+ else if (0 == ret && YES == debug)
+ {
+ NSLog(@"No revocation loaded from %@", revokeFile);
+ }
+ }
+
+ /* Load any specified revocation list.
+ */
+ str = [opts objectForKey: GSTLSRevokeFile];
+ if ([str length] > 0)
+ {
+ const char *path = [str fileSystemRepresentation];
+ int ret;
+
+ ret = gnutls_certificate_set_x509_crl_file(certcred,
+ path, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ {
+ NSLog(@"Problem loading revocation list from %@: %s",
+ str, gnutls_strerror(ret));
+ }
+ else if (0 == ret && YES == debug)
+ {
+ NSLog(@"No revocation loaded from %@", str);
+ }
+ }
+
 /*
- gnutls_certificate_set_x509_crl_file
- (certcred, "crl.pem", GNUTLS_X509_FMT_PEM);
 gnutls_certificate_set_verify_function(certcred,
 _verify_certificate_callback);