protocols: Add option to set a separate TLS client cert private key file

bruceg · May 21, 2015 · ed80ca1 · ed80ca1
1 parent ee3082c
commit ed80ca1
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 1 deletion.
diff --git a/NEWS b/NEWS
@@ -11,6 +11,8 @@ Changes in version 1.14
 
 - Support standard shell quoting for options in the "remotes" file.
 
+- Added protocol option to set a separate TLS client private key file.
+
 Development of this version has been sponsored by FutureQuest, Inc.
 ossi@FutureQuest.net  http://www.FutureQuest.net/
 -------------------------------------------------------------------------------

diff --git a/doc/nullmailer-send.8 b/doc/nullmailer-send.8
@@ -139,6 +139,11 @@ command to initiate a TLS session.
 .B x509certfile=\fIFILENAME
 Set the filename for a TLS client certificate to send to the server.
 .TP
+.B x509keyfile=\fIFILENAME
+Set the filename for the private key for a TLS client certificate.
+Defaults to the same file name as
+.BR x509certfile .
+.TP
 .B x509cafile=\fIFILENAME
 Set the TLS certificate authority trust filename. Defaults to
 .IR /etc/ssl/certs/ca-certificates.crt .

diff --git a/protocols/protocol.cc b/protocols/protocol.cc
@@ -59,6 +59,8 @@ cli_option cli_options[] = {
     "Use STARTTLS command", 0 },
   { 0, "x509certfile", cli_option::string, 0, &tls_x509certfile,
     "Client certificate file", 0 },
+  { 0, "x509keyfile", cli_option::string, 0, &tls_x509keyfile,
+    "Client certificate private key file", "the same file as --x509certfile" },
   { 0, "x509cafile", cli_option::string, 0, &tls_x509cafile,
     "Certificate authority trust file", DEFAULT_CA_FILE },
   { 0, "x509crlfile", cli_option::string, 0, &tls_x509crlfile,

diff --git a/protocols/protocol.h b/protocols/protocol.h
@@ -27,6 +27,7 @@ extern void protocol_starttls(fdibuf& netin, fdobuf& netout);
 
 extern int tls_insecure;
 extern const char* tls_x509certfile;
+extern const char* tls_x509keyfile;
 extern const char* tls_x509cafile;
 extern const char* tls_x509crlfile;
 extern int tls_x509derfmt;

diff --git a/protocols/tls_gnutls.cc b/protocols/tls_gnutls.cc
@@ -31,6 +31,7 @@
 
 int tls_insecure = false;
 const char* tls_x509certfile = NULL;
+const char* tls_x509keyfile = NULL;
 const char* tls_x509cafile = NULL;
 const char* tls_x509crlfile = NULL;
 int tls_x509derfmt = false;
@@ -97,8 +98,10 @@ void tls_init(const char* remote)
   gnutls_certificate_set_verify_flags(creds, 0);
 
   gnutls_x509_crt_fmt_t x509fmt = tls_x509derfmt ? GNUTLS_X509_FMT_DER : GNUTLS_X509_FMT_PEM;
+  if (tls_x509keyfile == NULL)
+    tls_x509keyfile = tls_x509certfile;
   if (tls_x509certfile != NULL)
-    gnutls_wrap(gnutls_certificate_set_x509_key_file(creds, tls_x509certfile, tls_x509certfile, x509fmt),
+    gnutls_wrap(gnutls_certificate_set_x509_key_file(creds, tls_x509certfile, tls_x509keyfile, x509fmt),
 		"Error setting SSL/TLS X.509 client certificate");
   if (tls_x509cafile == NULL && access(DEFAULT_CA_FILE, R_OK) == 0)
     tls_x509cafile = DEFAULT_CA_FILE;