[exim-dev] Lookup for TLS key and certificate

Author: Yevgeny Kosarzhevsky
Date:  
To: exim-dev
Subject: [exim-dev] Lookup for TLS key and certificate
Hi,

I was searching the internet and did not find how to make exim look up the
database for the TLS key/cert.
After some research I made a dirty solution that allows me to achieve the
result.
I made the attached patch for the 4.92 version found in the devuan ascii-backports
repository, which is probably mirrored from debian stretch-backports.
The patch replaces the current way of reading keys and certificates from files
with providing them inline.

I am now able to look up TLS keys and certificates as follows:

tls_certificate = ${lookup pgsql{SELECT tls_cert FROM domains \
WHERE domain='${quote_pgsql:$tls_in_sni}'}{$value}\
{${lookup pgsql{SELECT tls_cert FROM domains WHERE \
domain='${quote_pgsql:$qualify_domain}'}{$value}fail}}}

tls_privatekey = ${lookup pgsql{SELECT tls_key FROM domains \
WHERE domain='${quote_pgsql:$tls_in_sni}'}{$value}\
{${lookup pgsql{SELECT tls_key FROM domains WHERE \
domain='${quote_pgsql:$qualify_domain}'}{$value}fail}}}

I have tested connectivity and it works as expected.

Is there any way to include this functionality in exim as an addition and
not a replacement of the existing functionality?
I understand it may need some extra configuration keywords (maybe
'tls_certificate_inline' and 'tls_privatekey_inline') but I am not sure how
to properly add them.

--
Regards,
Yevgeny
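As an added example (not from the post and not Exim code), the dispatch the post asks about, written in C: classify an option value as a file path or as inline PEM, compute the size the patch's datum needs, and describe the value safely for error messages. All type and function names here are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not Exim code: accept a TLS option value either as
 * a file path (Exim's existing behaviour) or as inline PEM (what the patch
 * hard-codes), and describe the value safely for error messages. */

enum tls_src { TLS_SRC_FILE, TLS_SRC_INLINE_PEM, TLS_SRC_INVALID };

/* Inline PEM is recognised by its armour; a file path never starts with it.
 * Leading whitespace is skipped because a database lookup may return it. */
enum tls_src classify_tls_option(const char *value)
{
  if (value == NULL) return TLS_SRC_INVALID;
  value += strspn(value, " \t\r\n");
  if (*value == '\0') return TLS_SRC_INVALID;
  if (strncmp(value, "-----BEGIN ", 11) != 0) return TLS_SRC_FILE;
  /* a blob without a matching END line is truncated, refuse it early */
  return strstr(value, "-----END ") ? TLS_SRC_INLINE_PEM : TLS_SRC_INVALID;
}

/* Length to put in a gnutls_datum_t-style (data, size) pair, as the patch
 * does with strlen(): PEM is text, so strlen() is the right size. Returns 0
 * when the value is not inline PEM, so the caller falls back to the file path. */
size_t inline_pem_size(const char *value)
{
  return classify_tls_option(value) == TLS_SRC_INLINE_PEM ? strlen(value) : 0;
}

/* What may appear in a log or error string: a path is harmless, but inline
 * material may be the private key and must never be echoed verbatim. */
const char *tls_option_for_log(const char *value)
{
  static char buf[96];                 /* demo only; not thread-safe */
  switch (classify_tls_option(value)) {
    case TLS_SRC_FILE:
      snprintf(buf, sizeof buf, "file:%s", value);
      break;
    case TLS_SRC_INLINE_PEM:
      snprintf(buf, sizeof buf, "<inline PEM, %zu bytes>", strlen(value));
      break;
    default:
      snprintf(buf, sizeof buf, "<invalid>");
      break;
  }
  return buf;
}
```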
--- exim4-4.92.orig/src/tls-gnu.c
+++ exim4-4.92/src/tls-gnu.c
@@ -849,8 +849,17 @@ static int
 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
   uschar * certfile, uschar * keyfile, uschar ** errstr)
 {
-int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
-    CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
+/* int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
+    CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM); */
+gnutls_datum_t crt = {
+    .data = US certfile,
+    .size = strlen(CS certfile)
+}, key = {
+    .data = US keyfile,
+    .size = strlen(CS keyfile)
+};
+int rc = gnutls_certificate_set_x509_key_mem(state->x509_cred,
+    &crt, &key, GNUTLS_X509_FMT_PEM);
 if (rc < 0)
   return tls_error(
     string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
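Review bot: the unchanged error path at the end of this hunk, `string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile)`, now formats the PEM bodies rather than file names, so any failed setup writes the private key into the error string and from there into the log; for inline material log only a label or the byte count. The change is also an unconditional replacement with the old `gnutls_certificate_set_x509_key_file` call left commented out: to make it an addition, branch on whether the value looks like PEM (for example starts with `-----BEGIN `), call `gnutls_certificate_set_x509_key_mem` for that case and keep the file call for paths, and drop the commented block; the `certfile`/`keyfile` names and the function name `tls_add_certfile` then also deserve renaming since they no longer hold file names.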