[Bug-wget] [PATCH] enable client certificates with wget when linked against GnuTLS

Tue, 03 Apr 2012 13:55:32 -0700 

tags 646983 + patch
forwarded 646983 
https://lists.gnu.org/archive/html/bug-wget/2011-10/msg00051.html
thanks

It looks to me like the GnuTLS bindings for wget don't do anything
with client-side certificate credentials.  I suspect this is the cause
of the bug Clint ran into.

In debian, wget transitioned from openssl to gnutls between 1.12 and
1.13, which would explain why Clint's "Error in the push function"
happened last Hallowe'en.

The attached diff enables client-certficates when wget is linked against
GnuTLS.

    --dkg


diff --git a/src/gnutls.c b/src/gnutls.c
index 40a04ef..1d21cf4 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -54,6 +54,20 @@ as that of the covered work.  */
 # include "w32sock.h"
 #endif
 
+static int
+key_type_to_gnutls_type (enum keyfile_type type)
+{
+  switch (type)
+    {
+    case keyfile_pem:
+      return GNUTLS_X509_FMT_PEM;
+    case keyfile_asn1:
+      return GNUTLS_X509_FMT_DER;
+    default:
+      abort ();
+    }
+}
+
 /* Note: some of the functions private to this file have names that
    begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
    confused with actual gnutls functions -- such as the gnutls_read
@@ -101,6 +115,30 @@ ssl_init ()
       closedir (dir);
     }
 
+  /* Use the private key from the cert file unless otherwise specified. */
+  if (opt.cert_file && !opt.private_key)
+    {
+      opt.private_key = opt.cert_file;
+      opt.private_key_type = opt.cert_type;
+    }
+  /* Use the cert from the private key file unless otherwise specified. */
+  if (!opt.cert_file && opt.private_key)
+    {
+      opt.cert_file = opt.private_key;
+      opt.cert_type = opt.private_key_type;
+    }
+
+  if (opt.cert_file && opt.private_key) {
+    if (opt.private_key_type != opt.cert_type) {
+      /* GnuTLS can't handle this */
+      logprintf (LOG_NOTQUIET, _("ERROR: GnuTLS requires the key and the cert to be of the same type.  Preferring --private-key-type over --certificate-type.\n"));
+    }
+
+    gnutls_certificate_set_x509_key_file (credentials, opt.cert_file,
+                                          opt.private_key,
+                                          key_type_to_gnutls_type(opt.private_key_type));
+  }
+
   if (opt.ca_cert)
     gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
                                             GNUTLS_X509_FMT_PEM);

Attachment: pgpxTK24WfFAz.pgp
Description: PGP signature

Reply via email to