[gnutls-help] programmatically building a trusted cert list/crl list

[Nick Flacco]

I have a similar question to the known in advance PK auth question asked a
while back (
http://lists.gnu.org/archive/html/help-gnutls/2012-11/msg00025.html).

Is there a way to override the set x509 trust + crl file functions? I'm
writing a p2p vpn application and there is no central CA- instead I want to
use voting of some sort, or at least make a request to a trusted peer. From
the x509 server examples I have these two functions:

gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
> GNUTLS_X509_FMT_PEM);


In the gnutls source there are some other functions for cetting the trust
file/crl it looks like:

int gnutls_certificate_set_x509_trust_mem (gnutls_certificate_credentials_t
> res, const gnutls_datum_t * ca, gnutls_x509_crt_fmt_t type)
> int gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t
> res, gnutls_x509_crt_t * ca_list, int ca_list_size)


Is there some function where you can automatically pass in trusted certs?
Or is this something where I need my own function to build a list of
certs? I wrote a simple function to do this (modeled after some stuff I saw
in gnutls_x509.c), but it doesn't work- I get an error on
calling gnutls_x509_crt_import, so I'm using it wrong. Any tips?

Here's how I call the function:

  gnutls_x509_crt_t calist[1];
>   populate_calist(calist, sizeofarr(calist));
>   gnutls_certificate_set_x509_trust (xcred, calist, sizeofarr(calist));


Here's the function:

void populate_calist(gnutls_x509_crt_t *cafile, int length)
{
    int ret;

    // 1. Read binary file (pem)
    // 2. Create x509 pem out of it
    // 3. Add this x509 to the certificate list

    // 1. Read binary file
    size_t size;

    gnutls_datum_t x509blob;
    x509blob.data =  (void*)read_binary_file (CAFILE, &size);
    x509blob.size = (unsigned int) size;
    if (x509blob.data == NULL)
    {
        printf("Error reading file '%s'.\n", CAFILE);
        exit(1);
    }


    // 2. So we have the data in binary form, we need to create an x509 pem
out of it
    gnutls_x509_crt_t crt;
    ret = gnutls_x509_crt_init (&crt);
    if (ret < 0)
    {
        printf("Error on gnutls_x509_crt_init\n");
        return ret;
    }
    ret = gnutls_x509_crt_import(crt, x509blob, GNUTLS_X509_FMT_PEM);
    if (ret < 0)
    {
        printf("error gnutls_x509_crt_import\n"); <------------------ I get
this
        exit(1);
    }

    // 3. Init the list and add the cert
    int i = 0; // just do single element for now
    ret = gnutls_x509_crt_init (&ca_file[i]);
    if (ret < 0)
    {
        printf("Error on gnutls_x509_crt_init(ca_list)\n");
        return ret;
    }
    cafile[0] = crt;

    printf("success!\n");

    return;
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130117/97fa36de/attachment.htm>