Enable client certificates when GNU TLS is used.

2025-02-05 09:10:12 +08:00 · 2012-04-07 14:43:12 +02:00 · 2012-04-07 14:43:12 +02:00 · 154d499be2
commit 154d499be2
parent 08a147c672
3 changed files with 51 additions and 0 deletions
--- a/2
+++ b/2
@ -22,6 +22,8 @@ Please send GNU Wget bug reports to <bug-wget@gnu.org>.
 ** Report stdout close errors.

 ** Accept the --bit option.
+
+** Enable client certificates when GNU TLS is used.

 * Changes in Wget 1.13.4

--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -1,3 +1,8 @@
+2012-04-07  Daniel Kahn Gillmor <dkg@fifthhorseman.net> (tiny change)
+
+	* gnutls.c (key_type_to_gnutls_type): New function.
+	(ssl_init): Use correctly the specified gnutls certificate.
+
 2012-04-01  Gijs van Tulder  <gvtulder@gmail.com>

 	* html-url.c: Prevent crash on incomplete STYLE tag.
--- a/src/gnutls.c
+++ b/src/gnutls.c
@ -54,6 +54,20 @@ as that of the covered work.  */
 # include "w32sock.h"
 #endif

+static int
+key_type_to_gnutls_type (enum keyfile_type type)
+{
+  switch (type)
+    {
+    case keyfile_pem:
+      return GNUTLS_X509_FMT_PEM;
+    case keyfile_asn1:
+      return GNUTLS_X509_FMT_DER;
+    default:
+      abort ();
+    }
+}
+
 /* Note: some of the functions private to this file have names that
   begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
   confused with actual gnutls functions -- such as the gnutls_read
@ -108,6 +122,36 @@ ssl_init ()
      closedir (dir);
    }

+  /* Use the private key from the cert file unless otherwise specified. */
+  if (opt.cert_file && !opt.private_key)
+    {
+      opt.private_key = opt.cert_file;
+      opt.private_key_type = opt.cert_type;
+    }
+  /* Use the cert from the private key file unless otherwise specified. */
+  if (!opt.cert_file && opt.private_key)
+    {
+      opt.cert_file = opt.private_key;
+      opt.cert_type = opt.private_key_type;
+    }
+
+  if (opt.cert_file && opt.private_key)
+    {
+      int type;
+      if (opt.private_key_type != opt.cert_type)
+	{
+	  /* GnuTLS can't handle this */
+	  logprintf (LOG_NOTQUIET, _("ERROR: GnuTLS requires the key and the \
+cert to be of the same type.\n"));
+	}
+
+      type = key_type_to_gnutls_type (opt.private_key_type);
+
+      gnutls_certificate_set_x509_key_file (credentials, opt.cert_file,
+					    opt.private_key,
+					    type);
+    }
+
  if (opt.ca_cert)
    gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
                                            GNUTLS_X509_FMT_PEM);