| author | Alessandro Ghedini <alessandro@ghedini.me> | 2015-03-08 20:11:06 +0100 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2015-03-10 15:03:54 +0100 | 
| commit | 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 (patch) | |
| tree | e8e0417bd371e79d59553334f0522433df75b978 /lib/vtls/gtls.c | |
| parent | 0f24df6e54c193941f04c1c2378ef09366002f2f (diff) | |
gtls: add support for CURLOPT_CAPATH
Diffstat (limited to 'lib/vtls/gtls.c')
| -rw-r--r-- | lib/vtls/gtls.c | 22 | 
1 files changed, 22 insertions, 0 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 05aef1967..c7925404e 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
 #  if (GNUTLS_VERSION_NUMBER >= 0x03020d)
 #    define HAS_OCSP
 #  endif
+
+#  if (GNUTLS_VERSION_NUMBER >= 0x030306)
+#    define HAS_CAPATH
+#  endif
 #endif
 #ifdef HAS_OCSP
@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
             rc, data->set.ssl.CAfile);
   }
+#ifdef HAS_CAPATH
+  if(data->set.ssl.CApath) {
+    /* set the trusted CA cert directory */
+    rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
+                                                data->set.ssl.CApath,
+                                                GNUTLS_X509_FMT_PEM);
+    if(rc < 0) {
+      infof(data, "error reading ca cert file %s (%s)\n",
+            data->set.ssl.CAfile, gnutls_strerror(rc));
+      if(data->set.ssl.verifypeer)
+        return CURLE_SSL_CACERT_BADFILE;
+    }
+    else
+      infof(data, "found %d certificates in %s\n",
+            rc, data->set.ssl.CApath);
+  }
+#endif
+
   if(data->set.ssl.CRLfile) {
     /* set the CRL list file */
     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,  | 
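Review bot: The failure branch of the new CApath block reports the wrong setting: it logs `data->set.ssl.CAfile` and calls it a "ca cert file", while the call that failed is gnutls_certificate_set_x509_trust_dir() on `data->set.ssl.CApath`. Anyone diagnosing a broken trust directory is pointed at the CA bundle instead, and CAfile may not be set at all when only CApath is given. I would change the two lines to `infof(data, "error reading ca cert dir %s (%s)\n",` and `data->set.ssl.CApath, gnutls_strerror(rc));`. A return of 0 is also logged as success ("found 0 certificates"), so an empty or mistyped directory is not flagged at this point; presumably peer verification then fails later in the handshake, and a one-line comment saying so would make that intent explicit. gtls_connect_step1 starts and ends outside this hunk.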
