[gnutls-help] programmatically building a trusted cert list/crl list

Nick Flacco mail.flacco at gmail.com
Fri Jan 18 04:11:48 CET 2013

I have a similar question to the known in advance PK auth question asked a
while back (

Is there a way to override the set x509 trust + crl file functions? I'm
writing a p2p vpn application and there is no central CA- instead I want to
use voting of some sort, or at least make a request to a trusted peer. From
the x509 server examples I have these two functions:

gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,

In the gnutls source there are some other functions for cetting the trust
file/crl it looks like:

int gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t
> res, const gnutls_datum_t * ca, gnutls_x509_crt_fmt_t type)
> int gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t
> res, gnutls_x509_crt_t * ca_list, int ca_list_size)

Is there some function where you can automatically pass in trusted certs?
Or is this something where I need my own function to build a list of
certs? I wrote a simple function to do this (modeled after some stuff I saw
in gnutls_x509.c), but it doesn't work- I get an error on
calling gnutls_x509_crt_import, so I'm using it wrong. Any tips?

Here's how I call the function:

  gnutls_x509_crt_t calist[1];
>   populate_calist(calist, sizeofarr(calist));
>   gnutls_certificate_set_x509_trust (xcred, calist, sizeofarr(calist));

Here's the function:

void populate_calist(gnutls_x509_crt_t *cafile, int length)
    int ret;

    // 1. Read binary file (pem)
    // 2. Create x509 pem out of it
    // 3. Add this x509 to the certificate list

    // 1. Read binary file
    size_t size;

    gnutls_datum_t x509blob;
    x509blob.data =  (void*)read_binary_file (CAFILE, &size);
    x509blob.size = (unsigned int) size;
    if (x509blob.data == NULL)
        printf("Error reading file '%s'.\n", CAFILE);

    // 2. So we have the data in binary form, we need to create an x509 pem
out of it
    gnutls_x509_crt_t crt;
    ret = gnutls_x509_crt_init (&crt);
    if (ret < 0)
        printf("Error on gnutls_x509_crt_init\n");
        return ret;
    ret = gnutls_x509_crt_import(crt, x509blob, GNUTLS_X509_FMT_PEM);
    if (ret < 0)
        printf("error gnutls_x509_crt_import\n"); <------------------ I get

    // 3. Init the list and add the cert
    int i = 0; // just do single element for now
    ret = gnutls_x509_crt_init (&ca_file[i]);
    if (ret < 0)
        printf("Error on gnutls_x509_crt_init(ca_list)\n");
        return ret;
    cafile[0] = crt;


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130117/97fa36de/attachment.htm>

More information about the Gnutls-help mailing list