diff --git a/nts_ke_client.c b/nts_ke_client.c
index 7eec3e2..d99346d 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -281,7 +281,7 @@ NKC_CreateInstance(IPSockAddr *address, const char *name)
 
   /* Share the credentials with other client instances */
   if (!client_credentials)
-    client_credentials = NKSN_CreateCertCredentials(NULL, NULL, CNF_GetNtsTrustedCertFile());
+    client_credentials = NKSN_CreateClientCertCredentials(CNF_GetNtsTrustedCertFile());
   client_credentials_refs++;
 
   return inst;
diff --git a/nts_ke_server.c b/nts_ke_server.c
index bc02ad7..7a45903 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -742,7 +742,7 @@ NKS_Initialise(void)
     return;
 
   if (helper_sock_fd == INVALID_SOCK_FD) {
-    server_credentials = NKSN_CreateCertCredentials(cert, key, NULL);
+    server_credentials = NKSN_CreateServerCertCredentials(cert, key);
     if (!server_credentials)
       return;
   } else {
diff --git a/nts_ke_session.c b/nts_ke_session.c
index a7f042a..ac6df25 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -641,8 +641,8 @@ deinit_gnutls(void)
 
 /* ================================================== */
 
-void *
-NKSN_CreateCertCredentials(char *cert, char *key, char *trusted_certs)
+static void *
+create_credentials(const char *cert, const char *key, const char *trusted_certs)
 {
   gnutls_certificate_credentials_t credentials = NULL;
   int r;
@@ -654,11 +654,15 @@ NKSN_CreateCertCredentials(char *cert, char *key, char *trusted_certs)
     goto error;
 
   if (cert && key) {
+    assert(!trusted_certs);
+
     r = gnutls_certificate_set_x509_key_file(credentials, cert, key, GNUTLS_X509_FMT_PEM);
     if (r < 0)
       goto error;
   } else {
+    assert(!cert && !key);
+
     if (!CNF_GetNoSystemCert()) {
       r = gnutls_certificate_set_x509_system_trust(credentials);
       if (r < 0)
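Review bot: The new `assert(!cert && !key)` in the else branch of create_credentials only guards the half-configured server case (one of `cert`/`key` set, the other NULL) in debug builds; with NDEBUG the assert disappears and such input falls through, as before, into the trusted-CA path and loads the system trust store for what is meant to be a server credential. Whether NKS_Initialise already rejects a missing cert or key before calling NKSN_CreateServerCertCredentials is outside this hunk; if it does not, a runtime check at the public boundary is the safer place, e.g. `if (!cert || !key) return NULL;` at the top of NKSN_CreateServerCertCredentials, which the caller's existing `if (!server_credentials) return;` already handles. The asserts themselves are reasonable as invariant documentation for the two wrapper callers. create_credentials continues past the end of this hunk.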
@@ -687,6 +691,22 @@ error:
 
 /* ================================================== */
 
+void *
+NKSN_CreateServerCertCredentials(const char *cert, const char *key)
+{
+  return create_credentials(cert, key, NULL);
+}
+
+/* ================================================== */
+
+void *
+NKSN_CreateClientCertCredentials(const char *trusted_certs)
+{
+  return create_credentials(NULL, NULL, trusted_certs);
+}
+
+/* ================================================== */
+
 void
 NKSN_DestroyCertCredentials(void *credentials)
 {
diff --git a/nts_ke_session.h b/nts_ke_session.h
index f8e46f9..a5647d5 100644
--- a/nts_ke_session.h
+++ b/nts_ke_session.h
@@ -36,10 +36,11 @@ typedef struct NKSN_Instance_Record *NKSN_Instance;
    the session. */
 typedef int (*NKSN_MessageHandler)(void *arg);
 
-/* Get client or server credentials using certificates of trusted CAs,
-   or a server certificate and key. The credentials may be shared between
+/* Get server or client credentials using a server certificate and key,
+   or certificates of trusted CAs. The credentials may be shared between
    different clients or servers. */
-extern void *NKSN_CreateCertCredentials(char *cert, char *key, char *trusted_certs);
+extern void *NKSN_CreateServerCertCredentials(const char *cert, const char *key);
+extern void *NKSN_CreateClientCertCredentials(const char *trusted_certs);
 
 /* Destroy the credentials */
 extern void NKSN_DestroyCertCredentials(void *credentials);
diff --git a/test/unit/nts_ke_session.c b/test/unit/nts_ke_session.c
index adcade6..1465ac9 100644
--- a/test/unit/nts_ke_session.c
+++ b/test/unit/nts_ke_session.c
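Review bot: The rewritten header comment for the two new declarations in nts_ke_session.h still leaves out the failure and ownership contract that callers depend on: nts_ke_server.c checks the result for NULL, and the header's own NKSN_DestroyCertCredentials is the release path. I would extend the comment with `Returns NULL on failure. The credentials must be released with NKSN_DestroyCertCredentials().` It should also say whether NKSN_CreateClientCertCredentials accepts a NULL trusted_certs (the part of create_credentials that consumes it is outside these hunks); if it does, a line such as `trusted_certs may be NULL, in which case only the system trust store is used` would spare callers a trip into the .c file.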
@@ -174,8 +174,8 @@ test_unit(void)
   server = NKSN_CreateInstance(1, NULL, handle_request, NULL);
   client = NKSN_CreateInstance(0, "test", handle_response, NULL);
 
-  server_cred = NKSN_CreateCertCredentials("nts_ke.crt", "nts_ke.key", NULL);
-  client_cred = NKSN_CreateCertCredentials(NULL, NULL, "nts_ke.crt");
+  server_cred = NKSN_CreateServerCertCredentials("nts_ke.crt", "nts_ke.key");
+  client_cred = NKSN_CreateClientCertCredentials("nts_ke.crt");
 
   TEST_CHECK(socketpair(AF_UNIX, SOCK_STREAM, 0, sock_fds) == 0);
   TEST_CHECK(fcntl(sock_fds[0], F_SETFL, O_NONBLOCK) == 0);
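Review bot: The two new assignments to server_cred and client_cred are not checked, while the socketpair and fcntl calls right below them are; a missing or unreadable nts_ke.crt/nts_ke.key would then surface later as an obscure handshake failure rather than at the point of loading. Unless a check already follows further down in test_unit (outside the hunk), I would add `TEST_CHECK(server_cred);` and `TEST_CHECK(client_cred);` directly after the blank line. test_unit continues beyond the hunk.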