On Thu, Jun 14, 2007 at 03:25:45PM -0700, Brendan Cully wrote:
At least for my case, the cert is stored unencrypted, so no password is needed. The password callback could be added later when someone needs it. If GnuTLS supports it at all (the password callback), it should be quite easy to patch in later.Is there a specific reason why there's no client cert support when linked against GnuTLS? How hard would it be to add it?I had a very quick look at adding it. I stopped when I couldn't figure out where to set a password callback when gnutls needs to decrypt the client cert.
BTW: At least for PKCS #12 files, importing a password-protected certificate (though with parameter instead of callback) is supported:
=== Begin === gnutls_certificate_set_x509_simple_pkcs12_file () int gnutls_certificate_set_x509_simple_pkcs12_file(gnutls_certificate_credentials_t res, const char *pkcs12file, gnutls_x509_crt_fmt_t type, const char *password);
This function sets a certificate/private key pair and/or a CRL in the gnutls_certificate_credentials_t structure. This function may be called more than once
(in case multiple keys/certificates exist for the server).MAC:ed PKCS12 files are supported. Encrypted PKCS12 bags are supported. Encrypted PKCS8 private keys are supported. However, only password based security,
and the same password for all operations, are supported.The private keys may be RSA PKCS1 or DSA private keys encoded in the OpenSSL way.
PKCS12 file may contain many keys and/or certificates, and there is no way to identify which key/certificate pair you want. You should make sure the PKCS12
file only contain one key/certificate pair and/or one CRL.It is believed that the limitations of this function is acceptable for most usage, and that any more flexibility would introduce complexity that would make
it harder to use this functionality at all. === End === CU Sascha -- http://sascha.silbe.org/
Attachment:
pgpiYevwW7UFm.pgp
Description: PGP signature