gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-117-g56b91f2


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-117-g56b91f2
Date: Tue, 05 Jun 2012 15:30:55 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=56b91f274a3e720d1470bb576dc851a98a3dccb8

The branch, master has been updated
       via  56b91f274a3e720d1470bb576dc851a98a3dccb8 (commit)
       via  df6f815824489dd51828bd9a28a5f37e95b087c0 (commit)
       via  312a62083eccc3f3ea001c4d53d7b6f8da189007 (commit)
       via  1d9282d4d568c62c2ae7c9beb784ea4e0feffc10 (commit)
       via  72799918466c03c245db7533091f1d6d05b298ad (commit)
      from  ca1ac3f84a4891149ea3eece155cdef6ce94b033 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 56b91f274a3e720d1470bb576dc851a98a3dccb8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue Jun 5 15:02:01 2012 +0200

    Re-use GNUTLS_E_DECRYPTION_FAILED for encrypted structures.

commit df6f815824489dd51828bd9a28a5f37e95b087c0
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 4 17:45:33 2012 +0200

    small doc fix

commit 312a62083eccc3f3ea001c4d53d7b6f8da189007
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 4 17:45:14 2012 +0200

    Added new test program.

commit 1d9282d4d568c62c2ae7c9beb784ea4e0feffc10
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 4 17:22:07 2012 +0200

    print warning to stderr

commit 72799918466c03c245db7533091f1d6d05b298ad
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Mon Jun 4 17:21:51 2012 +0200

    doc updates

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                               |    1 +
 NEWS                                     |    6 ++--
 doc/cha-cert-auth.texi                   |   18 +++++++++++
 doc/cha-cert-auth2.texi                  |    8 ++++-
 lib/gnutls_errors.c                      |    1 -
 lib/gnutls_x509.c                        |    4 +--
 lib/includes/gnutls/gnutls.h.in          |    1 -
 lib/x509/pkcs12.c                        |    6 ++--
 lib/x509/privkey_pkcs8.c                 |    4 +-
 src/certtool-cfg.c                       |    2 +-
 tests/Makefile.am                        |    2 +-
 tests/{mini-x509-cas.c => mini-x509-2.c} |   48 ++++++++++++++++++++---------
 12 files changed, 69 insertions(+), 32 deletions(-)
 copy tests/{mini-x509-cas.c => mini-x509-2.c} (84%)

diff --git a/.gitignore b/.gitignore
index 74b4377..79531de 100644
--- a/.gitignore
+++ b/.gitignore
@@ -580,3 +580,4 @@ doc/latex/cha-upgrade.tex
 doc/functions/
 gl/glthread/.dirstamp
 tests/mini-termination
+tests/mini-x509-2
diff --git a/NEWS b/NEWS
index 959a5ec..fbcee70 100644
--- a/NEWS
+++ b/NEWS
@@ -28,15 +28,15 @@ the whole certificate chain (if any) to the credentials 
structure, instead
 of only the end-user certificate.
 
 ** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse()
-and gnutls_x509_privkey_import_pkcs8(), return GNUTLS_E_ENCRYPTED_STRUCTURE
-if the input structure is encrypted but no password was provided.
+and gnutls_x509_privkey_import_pkcs8(), return consistently 
+GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no 
+password was provided.
 
 ** libgnutlsxx: Added session::set_transport_vec_push_function. Patch
 by Alexandre Bique.
 
 ** API and ABI modifications:
 GNUTLS_CERT_SIGNATURE_FAILURE: Added
-GNUTLS_E_ENCRYPTED_STRUCTURE: Added
 gnutls_pubkey_verify_hash2: Added
 gnutls_pkcs12_simple_parse: Added
 gnutls_certificate_set_x509_system_trust: Added
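Review bot: the rewritten entry for gnutls_pkcs12_simple_parse() / gnutls_x509_privkey_import_pkcs8() has its word order tangled ("return consistently GNUTLS_E_DECRYPTION_FAILED if ..."); suggest "consistently return GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no password was provided". The entry should also say that a wrong password yields the same code, because callers that used GNUTLS_E_ENCRYPTED_STRUCTURE to decide whether to prompt for a password can no longer tell the two cases apart. Silently deleting "GNUTLS_E_ENCRYPTED_STRUCTURE: Added" from the API/ABI list is only correct because the symbol was introduced in this same unreleased cycle; if any snapshot shipped it, keep a line recording its removal instead.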
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 946674c..8c00ece 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -84,6 +84,7 @@ acceptable.  The framework is illustrated on @ref{fig:x509}.
 
 @menu
 * X.509 certificate structure::
+* Importing an X.509 certificate::
 * X.509 distinguished names::
 * Verifying X.509 certificate paths::
 * Verifying a certificate in the context of TLS session::
@@ -194,6 +195,23 @@ their prototypes in @file{gnutls/x509.h}. An example 
program to
 demonstrate the @acronym{X.509} parsing capabilities can be found at
 @ref{ex:x509-info}.
 
address@hidden Importing an X.509 certificate
address@hidden Importing an X.509 certificate
+
+The certificate structure should be initialized using 
@funcref{gnutls_x509_crt_init}, and 
+a certificate structure can be imported using 
@funcref{gnutls_x509_crt_import}. 
+
address@hidden,gnutls_x509_crt_import,gnutls_x509_crt_deinit}
+
+In several functions an array of certificates is required. To assist in 
initialization
+and import the following two functions are provided.
+
address@hidden,gnutls_x509_crt_list_import2}
+
+In all cases after use a certificate must be deinitialized using 
@funcref{gnutls_x509_crt_deinit}.
+Note that although the functions above apply to @code{gnutls_x509_crt_t} 
structure, similar functions
+exist for the CRL structure @code{gnutls_x509_crl_t}.
+
 @node X.509 distinguished names
 @subsection X.509 distinguished names
 @cindex X.509 distinguished name
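Review bot: the opening sentence of the new "Importing an X.509 certificate" node is hard to parse ("The certificate structure should be initialized using ..., and a certificate structure can be imported using ..."); suggest "A certificate structure is initialized with @funcref{gnutls_x509_crt_init} and populated from DER or PEM data with @funcref{gnutls_x509_crt_import}." The closing paragraph says every certificate must be released with gnutls_x509_crt_deinit but says nothing about releasing the array that the list import helper hands back, which is exactly the case a reader of this section needs; please state who frees it. "Similar functions exist for the CRL structure" should name them (gnutls_x509_crl_init, gnutls_x509_crl_import, gnutls_x509_crl_deinit) so the cross-reference is usable. The lines shown here as "address@hidden" are texinfo directives (@node, @subsection, @showfunc...) mangled by the list software, so their names cannot be reviewed from this message; verify them in the committed file.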
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 0c731a3..3a2e67c 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -336,8 +336,12 @@ the holders of the actual data, which may be certificates, 
private
 keys or encrypted data.  A bag of type encrypted should be decrypted
 in order for its data to be accessed.
 
-The following functions are available to read a @acronym{PKCS} #12
-structure.
+To reduce the complexity in parsing the structures the simple 
+helper function @funcref{gnutls_pkcs12_simple_parse} is provided. For more
+advanced uses, manual parsing of the structure is required using the
+functions below.
+
address@hidden
 
 
@showfuncC{gnutls_pkcs12_get_bag,gnutls_pkcs12_verify_mac,gnutls_pkcs12_bag_decrypt}
 
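Review bot: the new paragraph introducing @funcref{gnutls_pkcs12_simple_parse} says nothing about its password handling, yet the pkcs12.c change in this same push makes it return GNUTLS_E_DECRYPTION_FAILED when the structure is encrypted and no password is given; say so here, otherwise readers will read that code as "corrupt file" rather than "missing or wrong password". The line that appears as "address@hidden" is a mangled texinfo directive (presumably the @showfunc line for gnutls_pkcs12_simple_parse); confirm it in the committed file.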
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 6ac73a3..c70b3bf 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -111,7 +111,6 @@ static const gnutls_error_entry error_algorithms[] = {
                GNUTLS_E_MPI_PRINT_FAILED, 1),
   ERROR_ENTRY (N_("Decryption has failed."), GNUTLS_E_DECRYPTION_FAILED, 1),
   ERROR_ENTRY (N_("Encryption has failed."), GNUTLS_E_ENCRYPTION_FAILED, 1),
-  ERROR_ENTRY (N_("The provided structure is encrypted."), 
GNUTLS_E_ENCRYPTED_STRUCTURE, 1),
   ERROR_ENTRY (N_("Public key decryption has failed."),
                GNUTLS_E_PK_DECRYPTION_FAILED, 1),
   ERROR_ENTRY (N_("Public key encryption has failed."),
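Review bot: removing the ERROR_ENTRY for GNUTLS_E_ENCRYPTED_STRUCTURE matches the header change in this push, but it also means gnutls_strerror() has no message for -329 if a binary built against an earlier snapshot still returns it; that is fine only if the code never reached a release, which the NEWS entry should make explicit.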
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index b308d6b..7bf2a2b 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1006,12 +1006,10 @@ certificate_credentials_append_pkey 
(gnutls_certificate_credentials_t res,
  * This function sets a certificate/private key pair in the
  * gnutls_certificate_credentials_t structure.  This function may be
  * called more than once, in case multiple keys/certificates exist for
- * the server.  For clients that wants to send more than its own end
+ * the server.  For clients that wants to send more than their own end
  * entity certificate (e.g., also an intermediate CA cert) then put
  * the certificate chain in @cert_list.
  *
- * 
- *
  * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code.
  *
  * Since: 2.4.0
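Review bot: the grammar fix in the doc comment is incomplete: "For clients that wants to send more than their own end entity certificate" still has a number disagreement. Suggest "For clients that want to send more than their own end-entity certificate (e.g. also an intermediate CA certificate), put the certificate chain in @cert_list."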
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 39e767c..1a58a53 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1898,7 +1898,6 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t 
session);
 #define GNUTLS_E_NO_PRIORITIES_WERE_SET -326
 #define GNUTLS_E_X509_UNSUPPORTED_EXTENSION -327
 #define GNUTLS_E_SESSION_EOF -328
-#define GNUTLS_E_ENCRYPTED_STRUCTURE -329
 
 #define GNUTLS_E_UNIMPLEMENTED_FEATURE -1250
 
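Review bot: deleting the GNUTLS_E_ENCRYPTED_STRUCTURE define frees -329 for reuse; if any snapshot or distribution build shipped the symbol, a future code assigned -329 would silently change meaning for those callers. Prefer a comment reserving -329, or keeping the define as a deprecated alias of GNUTLS_E_DECRYPTION_FAILED, unless it is certain the symbol never appeared outside git.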
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 452d6a5..78e4075 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1367,7 +1367,7 @@ cleanup:
  * all.
  *
  * If the provided structure has encrypted fields but no password
- * is provided then this function returns %GNUTLS_E_ENCRYPTED_STRUCTURE.
+ * is provided then this function returns %GNUTLS_E_DECRYPTION_FAILED.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
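Review bot: the updated doc comment says the no-password case returns %GNUTLS_E_DECRYPTION_FAILED; add that a wrong password yields the same code, so callers know this function cannot tell them whether to prompt for a password or report a bad one.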
@@ -1432,7 +1432,7 @@ gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12,
         {
           if (password == NULL)
             {
-              ret = gnutls_assert_val(GNUTLS_E_ENCRYPTED_STRUCTURE);
+              ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
               goto done;
             }
 
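Review bot: with this change the password == NULL branch returns the same code as an actual failed decryption, so there is no longer any API path by which a caller can learn that a PKCS #12 blob merely needs a password. If that distinction matters for certtool or other callers, consider a follow-up that exposes it (a flag or a dedicated query) rather than relying on the error code.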
@@ -1475,7 +1475,7 @@ gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12,
             case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
               if (password == NULL)
                 {
-                  ret = gnutls_assert_val(GNUTLS_E_ENCRYPTED_STRUCTURE);
+                  ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
                   goto done;
                 }
 
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index e921c70..f83582a 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -1186,7 +1186,7 @@ error:
  * the encryption status cannot be auto-detected.
  *
  * If the %GNUTLS_PKCS_PLAIN flag is specified and the supplied data
- * are encrypted then %GNUTLS_E_ENCRYPTED_STRUCTURE is returned.
+ * are encrypted then %GNUTLS_E_DECRYPTION_FAILED is returned.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
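Review bot: the doc text ("If the %GNUTLS_PKCS_PLAIN flag is specified and the supplied data are encrypted then %GNUTLS_E_DECRYPTION_FAILED is returned") is accurate for the new behaviour, but the code name now reads oddly on the plain path where no decryption was attempted; a clarifying clause such as "(the structure is encrypted and cannot be imported as plain)" would prevent callers from treating it as a corrupt-key error.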
@@ -1252,7 +1252,7 @@ gnutls_x509_privkey_import_pkcs8 (gnutls_x509_privkey_t 
key,
       if (result < 0)
         { /* check if it is encrypted */
           if (decode_pkcs8_key(&_data, "", key, 0) == 0)
-            result = GNUTLS_E_ENCRYPTED_STRUCTURE;
+            result = GNUTLS_E_DECRYPTION_FAILED;
         }
     }
   else
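Review bot: the encryption probe decode_pkcs8_key(&_data, "", key, 0) is passed an empty password and the real key object; nothing in the hunk shows whether the final 0 makes this a structure-only check or whether a successful empty-password decryption would populate key before the function returns GNUTLS_E_DECRYPTION_FAILED. Add a comment stating the intent, and if the helper can write into key on this path, use a scratch object or reset key so a caller never gets an error code together with a partially imported private key.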
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 4538c0a..768c58d 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -439,7 +439,7 @@ get_confirmed_pass (bool empty_ok)
       do
         {
           if (pass)
-            printf ("Password missmatch, try again.\n");
+            fprintf (stderr, "Password missmatch, try again.\n");
 
           free (copy);
 
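Review bot: the message still spells "missmatch"; since the line is being touched anyway to move it to stderr, fix it to "Password mismatch, try again." in the same change.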
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 19716d7..c1fc53f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -68,7 +68,7 @@ ctests = mini-deflate simple gc set_pkcs12_cred certder 
certuniqueid  \
         mini-rehandshake rng-fork mini-eagain-dtls resume-dtls \
         x509cert x509cert-tl infoaccess rsa-encrypt-decrypt \
         mini-loss-time mini-tdb mini-dtls-rehandshake mini-record \
-        mini-termination mini-x509-cas
+        mini-termination mini-x509-cas mini-x509-2
 
 if ENABLE_OCSP
 ctests += ocsp
diff --git a/tests/mini-x509-cas.c b/tests/mini-x509-2.c
similarity index 84%
copy from tests/mini-x509-cas.c
copy to tests/mini-x509-2.c
index 3e8b6ed..bb862e0 100644
--- a/tests/mini-x509-cas.c
+++ b/tests/mini-x509-2.c
@@ -29,11 +29,11 @@
 #include <string.h>
 #include <errno.h>
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 #include "utils.h"
 #include "eagain-common.h"
 
-/* Tests whether a very long CA list, that spans over multiple records
- * is tolerated */
+/* This tests gnutls_certificate_set_x509_key() */
 
 const char* side;
 
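Review bot: the new header comment ("This tests gnutls_certificate_set_x509_key()") should say which property is being checked, e.g. that credentials built from already-imported gnutls_x509_crt_t and gnutls_x509_privkey_t objects still complete a handshake after those objects have been deinitialized, since that is what the body of this test relies on.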
@@ -87,15 +87,17 @@ const gnutls_datum_t server_key = { server_key_pem,
 void doit(void)
 {
   int exit_code = EXIT_SUCCESS;
-  const char* ca_file;
+  int ret;
   /* Server stuff. */
   gnutls_certificate_credentials_t serverx509cred;
   gnutls_session_t server;
-  int sret = GNUTLS_E_AGAIN, ret;
+  int sret = GNUTLS_E_AGAIN;
   /* Client stuff. */
   gnutls_certificate_credentials_t clientx509cred;
   gnutls_session_t client;
   int cret = GNUTLS_E_AGAIN;
+  gnutls_x509_crt_t crt;
+  gnutls_x509_privkey_t pkey;
 
   /* General init. */
   gnutls_global_init ();
@@ -103,27 +105,43 @@ void doit(void)
   if (debug)
     gnutls_global_set_log_level (2);
 
-  ca_file = getenv("CAFILE");
-  if (ca_file == NULL)
+  ret = gnutls_x509_crt_init(&crt);
+  if (ret < 0)
     {
-      ca_file = "certs/ca-certs.pem";
+      fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+      exit(1);
     }
 
-  /* Init server */
-  gnutls_certificate_allocate_credentials (&serverx509cred);
-  gnutls_certificate_set_x509_key_mem (serverx509cred,
-                                       &server_cert, &server_key,
-                                       GNUTLS_X509_FMT_PEM);
-  ret = gnutls_certificate_set_x509_trust_file(serverx509cred, ca_file, 
GNUTLS_X509_FMT_PEM);
+  ret = gnutls_x509_privkey_init(&pkey);
+  if (ret < 0)
+    {
+      fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+      exit(1);
+    }
+
+  ret = gnutls_x509_crt_import(crt, &server_cert, GNUTLS_X509_FMT_PEM);
   if (ret < 0)
     {
-      fprintf(stderr, "%s\n", gnutls_strerror(ret));
+      fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
       exit(1);
     }
 
+  ret = gnutls_x509_privkey_import(pkey, &server_key, GNUTLS_X509_FMT_PEM);
+  if (ret < 0)
+    {
+      fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
+      exit(1);
+    }
+
+  /* Init server */
+  gnutls_certificate_allocate_credentials (&serverx509cred);
+  gnutls_certificate_set_x509_key (serverx509cred,
+                                   &crt, 1, pkey);
+  gnutls_x509_privkey_deinit(pkey);
+  gnutls_x509_crt_deinit(crt);
+
   gnutls_init (&server, GNUTLS_SERVER);
   gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
-  gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
   gnutls_priority_set_direct (server, "NORMAL", NULL);
   gnutls_transport_set_push_function (server, server_push);
   gnutls_transport_set_pull_function (server, server_pull);
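Review bot: the return value of gnutls_certificate_set_x509_key() is discarded, unlike the four init/import calls above it, each of which exits on error; as this function is the subject of the test, check ret and exit(1) with gnutls_strerror() like the others, otherwise a failing set_x509_key would surface later as an unrelated handshake error. Deinitializing pkey and crt immediately after the call is the right thing to exercise (it proves the credentials structure keeps its own copies), so a one-line comment saying this is deliberate would help the next reader.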


hooks/post-receive
-- 
GNU gnutls


