TLS: PKCS 12 support #1636
Build SUCCESS, the tests were executed on test branch: master and test suite: functions
lib/tlscontext.c
if (!p12_file) | ||
return FALSE; | ||
|
||
PKCS12 *pkcs12 = d2i_PKCS12_fp(p12_file, NULL); |
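Review bot: the result of `d2i_PKCS12_fp(p12_file, NULL)` on the last line should be checked for NULL before `pkcs12` is used, if that check is not already just below this hunk, because a truncated or non-PKCS #12 file makes the call return NULL. The early `return FALSE;` for a file that cannot be opened is also silent; logging the path and the reason there, and closing `p12_file` on every path after the read, would make a misconfiguration diagnosable and avoid leaking the file handle.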
Could you factor out a `static PKCS12 *_load_pkcs12_file(const gchar *filename);` function?
Of course :)
Done.
return FALSE; | ||
} | ||
|
||
PKCS12_free(pkcs12); |
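Review bot: the `return FALSE;` in the block just above `PKCS12_free(pkcs12);` leaves the function before the free shown here, so unless `pkcs12` is released inside that branch, the error path leaks it. A single cleanup label, or freeing the container right after it has been parsed and before the checks, would keep the success and failure paths identical.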
What do you think about a `static gboolean _load_pkcs12_content(PKCS12 *pkcs12, EVP_PKEY **private_key, X509 **cert, STACK_OF(X509) **ca_list);` function?
I like it. :) The only reason I had this complexity in one single function was the fact that this module is already full of helper functions from different levels of abstraction.
Should I place these functions in the OpenSSL compat layer or just create an openssl_utils unit?
I think it can go to the compat layer.
Let's signal an error when both p12 and cert/keys are provided in the config.
@furiel Good idea, thanks.
Signed-off-by: László Várady <laszlo.varady@balabit.com>
Passphrase is not implemented yet. Signed-off-by: László Várady <laszlo.varady@balabit.com>
Signed-off-by: László Várady <laszlo.varady@balabit.com>
The new `pkcs12-file()` TLS option can be used to specify a PKCS #12 file container that can store a private key, a certificate and CA certs.

`pkcs12-file()` works together with the `ca-dir()` option, but this is optional since the p12 file may contain CA certificates as well.

If this option is used in the configuration file, the value of `key-file()` and `cert-file()` will be omitted.

Passphrase is currently not supported.
Example:
Example config:
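An added example, not taken from the pull request or the syslog-ng project: since passphrases are not supported, the container holds an unencrypted private key, so this shell sketch builds a test bundle with the `openssl` CLI under a restrictive umask and checks that the key and leaf certificate inside belong together before the file is referenced from `pkcs12-file()`. The file names, the CN, the helper function names, and the assumption that an empty export password is what the option expects are all mine.

```shell
#!/bin/sh
# Added example. File names and the subject CN are constructed; that the
# option accepts an empty-password container is an assumption.

# make_p12 DIR: create a throwaway key + self-signed cert and bundle them
# into DIR/test.p12 with an empty export password.
make_p12() {
    dir=$1
    ( umask 077   # the bundle holds an unencrypted private key
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=syslog-client.example" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
      openssl pkcs12 -export -passout pass: -name syslog-client \
          -inkey "$dir/key.pem" -in "$dir/cert.pem" -out "$dir/test.p12"
    )
}

# p12_is_consistent FILE: succeed only if FILE opens with an empty password
# and the private key inside belongs to the leaf certificate inside.
p12_is_consistent() {
    p12=$1
    key_pub=$(openssl pkcs12 -in "$p12" -passin pass: -nodes -nocerts 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl pkcs12 -in "$p12" -passin pass: -nokeys -clcerts 2>/dev/null |
               openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# p12_mode_ok FILE: succeed only if group and other have no access bits set.
p12_mode_ok() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}
```

Running `p12_is_consistent` and `p12_mode_ok` against a production bundle before a reload catches a mismatched key, a password-protected export, or a world-readable file without starting the daemon.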