+ LDAP_FREE( buf.data );
+ if ( rc < 0 ) return rc;
+
+ rc = tlsg_getfile( lt->lt_certfile, &buf );
+ if ( rc ) return -1;
+ rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+ GNUTLS_X509_FMT_PEM, 0 );
+ LDAP_FREE( buf.data );
+ if ( rc < 0 ) return rc;
+
+ /* If there's only one cert and it's not self-signed,
+ * then we have to build the cert chain.
+ */
+ if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
+ gnutls_x509_crt_t *cas;
+ unsigned int i, j, ncas;
+
+ gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
+ for ( i = 1; i<VERIFY_DEPTH; i++ ) {
+ for ( j = 0; j<ncas; j++ ) {
+ if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
+ certs[i] = cas[j];
+ max++;
+ /* If this CA is self-signed, we're done */
+ if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
+ j = ncas;
+ break;
+ }
+ }
+ /* only continue if we found a CA and it was not self-signed */
+ if ( j == ncas )
+ break;
+ }
+ }
+ rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );