gnustep/libs-base
0
0
Fork 0
mirror of https://github.com/gnustep/libs-base.git synced 2025-04-25 09:41:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

add certificate revocation list support

Browse source 
git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@35614 72102866-910b-0410-8b05-ffd578937521
This commit is contained in:
rfm 2012-09-28 14:20:42 +00:00
parent be0fd4b26e
commit 2f6ed9c675
2 changed files with 75 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Source/GSTLS.h
View file

@ -29,6 +29,7 @@
@class NSString; @class NSString;
extern NSString * const GSTLSCAFile; extern NSString * const GSTLSCAFile;
extern NSString * const GSTLSRevokeFile;
extern NSString * const GSTLSCertificateFile; extern NSString * const GSTLSCertificateFile;
extern NSString * const GSTLSCertificateKeyFile; extern NSString * const GSTLSCertificateKeyFile;
extern NSString * const GSTLSCertificateKeyPassword; extern NSString * const GSTLSCertificateKeyPassword;

78
Source/GSTLS.m
View file

@ -24,6 +24,7 @@
#import "common.h" #import "common.h"
#import "Foundation/NSArray.h" #import "Foundation/NSArray.h"
#import "Foundation/NSBundle.h"
#import "Foundation/NSData.h" #import "Foundation/NSData.h"
#import "Foundation/NSDictionary.h" #import "Foundation/NSDictionary.h"
#import "Foundation/NSEnumerator.h" #import "Foundation/NSEnumerator.h"
@ -43,6 +44,7 @@
/* Constants to control TLS/SSL (options). /* Constants to control TLS/SSL (options).
*/ */
NSString * const GSTLSCAFile = @"GSTLSCAFile"; NSString * const GSTLSCAFile = @"GSTLSCAFile";
NSString * const GSTLSRevokeFile = @"GSTLSRevokeFile";
NSString * const GSTLSCertificateFile = @"GSTLSCertificateFile"; NSString * const GSTLSCertificateFile = @"GSTLSCertificateFile";
NSString * const GSTLSCertificateKeyFile = @"GSTLSCertificateKeyFile"; NSString * const GSTLSCertificateKeyFile = @"GSTLSCertificateKeyFile";
NSString * const GSTLSCertificateKeyPassword = @"GSTLSCertificateKeyPassword"; NSString * const GSTLSCertificateKeyPassword = @"GSTLSCertificateKeyPassword";
@ -98,6 +100,7 @@ GSTLSLog(int level, const char *msg)
* default string. * default string.
*/ */
static NSString *caFile = @"/etc/ssl/certs/ca-certificates.crt"; static NSString *caFile = @"/etc/ssl/certs/ca-certificates.crt";
static NSString *revokeFile = @"/etc/ssl/certs/revoke.crl";
/* The verifyServer variable tells us if connections to a remote server should /* The verifyServer variable tells us if connections to a remote server should
* (by default) verify its certificate against trusted authorities. * (by default) verify its certificate against trusted authorities.
@ -143,6 +146,15 @@ static gnutls_anon_client_credentials_t anoncred;
ASSIGN(caFile, str); ASSIGN(caFile, str);
} }
/* The GSTLSRevokeFile user default overrides the builtin value or the
* GS_TLS_REVOKE environment variable.
*/
str = [[NSUserDefaults standardUserDefaults] stringForKey: GSTLSRevokeFile];
if (nil != str)
{
ASSIGN(revokeFile, str);
}
str = [[NSUserDefaults standardUserDefaults] stringForKey: GSTLSCAVerify]; str = [[NSUserDefaults standardUserDefaults] stringForKey: GSTLSCAVerify];
if (nil != str) if (nil != str)
{ {
@ -171,19 +183,38 @@ static gnutls_anon_client_credentials_t anoncred;
{ {
NSUserDefaults *defs; NSUserDefaults *defs;
NSProcessInfo *pi; NSProcessInfo *pi;
NSBundle *bundle;
NSString *str; NSString *str;
beenHere = YES; beenHere = YES;
bundle = [NSBundle bundleForClass: [NSObject class]];
/* Let the GS_TLS_CA_FILE environment variable override the /* Let the GS_TLS_CA_FILE environment variable override the
* default certificate authority location. * default certificate authority location.
*/ */
pi = [NSProcessInfo processInfo]; pi = [NSProcessInfo processInfo];
str = [[pi environment] objectForKey: @"GS_TLS_CA_FILE"]; str = [[pi environment] objectForKey: @"GS_TLS_CA_FILE"];
if (nil != str) if (nil == str)
{ {
ASSIGN(caFile, str); str = [bundle pathForResource: @"ca-certificates"
ofType: @"crt"
inDirectory: @"GNUTLS"];
} }
ASSIGN(caFile, str);
/* Let the GS_TLS_REVOKE environment variable override the
* default revocation list location.
*/
pi = [NSProcessInfo processInfo];
str = [[pi environment] objectForKey: @"GS_TLS_REVOKE"];
if (nil == str)
{
str = [bundle pathForResource: @"revoke"
ofType: @"crl"
inDirectory: @"GNUTLS"];
}
ASSIGN(revokeFile, str);
str = [[pi environment] objectForKey: @"GS_TLS_CA_VERIFY"]; str = [[pi environment] objectForKey: @"GS_TLS_CA_VERIFY"];
if (nil != str) if (nil != str)
@ -843,9 +874,48 @@ static NSMutableDictionary *privateKeyCache1 = nil;
} }
} }
/* Load default revocation list.
*/
if ([revokeFile length] > 0)
{
const char *path = [revokeFile fileSystemRepresentation];
int ret;
ret = gnutls_certificate_set_x509_crl_file(certcred,
path, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
NSLog(@"Problem loading revocation list from %@: %s",
revokeFile, gnutls_strerror(ret));
}
else if (0 == ret && YES == debug)
{
NSLog(@"No revocation loaded from %@", revokeFile);
}
}
/* Load any specified revocation list.
*/
str = [opts objectForKey: GSTLSRevokeFile];
if ([str length] > 0)
{
const char *path = [str fileSystemRepresentation];
int ret;
ret = gnutls_certificate_set_x509_crl_file(certcred,
path, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
NSLog(@"Problem loading revocation list from %@: %s",
str, gnutls_strerror(ret));
}
else if (0 == ret && YES == debug)
{
NSLog(@"No revocation loaded from %@", str);
}
}
/* /*
gnutls_certificate_set_x509_crl_file
(certcred, "crl.pem", GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_verify_function(certcred, gnutls_certificate_set_verify_function(certcred,
_verify_certificate_callback); _verify_certificate_callback);