author | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 15:21:53 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-12-26 15:21:53 +0000 |
commit | b762acadeb09618a63140e30fb385ea106730635 (patch) | |
tree | 8a22cd4ed3d9a467a6bbdd8ab88ee20e995f41cf /apps/s_cb.c | |
parent | 7d779eefb43309319818090c27778bd3f904748e (diff) |
Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distinct stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returning
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
(backport from HEAD)
Diffstat (limited to 'apps/s_cb.c')
-rw-r--r-- | apps/s_cb.c | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/apps/s_cb.c b/apps/s_cb.c index 6e26d43de4..f994fbd93b 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -251,7 +251,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) } int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, - STACK_OF(X509) *chain) + STACK_OF(X509) *chain, int build_chain) { if (cert == NULL) return 1; @@ -282,6 +282,13 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, ERR_print_errors(bio_err); return 0; } + if (!chain && build_chain && !SSL_CTX_build_cert_chain(ctx, 0)) + { + BIO_printf(bio_err,"error building certificate chain\n"); + ERR_print_errors(bio_err); + return 0; + } + return 1; } @@ -1125,6 +1132,7 @@ struct ssl_excert_st X509 *cert; EVP_PKEY *key; STACK_OF(X509) *chain; + int build_chain; struct ssl_excert_st *next, *prev; }; @@ -1152,7 +1160,16 @@ static int set_cert_cb(SSL *ssl, void *arg) { SSL_use_certificate(ssl, exc->cert); SSL_use_PrivateKey(ssl, exc->key); - if (exc->chain) + /* NB: we wouldn't normally do this as it is + * not efficient building chains on each connection + * better to cache the chain in advance. + */ + if (exc->build_chain) + { + if (!SSL_build_cert_chain(ssl, 0)) + return 0; + } + else if (exc->chain) SSL_set1_chain(ssl, exc->chain); } exc = exc->prev; @@ -1178,6 +1195,7 @@ static int ssl_excert_prepend(SSL_EXCERT **pexc) exc->key = NULL; exc->chain = NULL; exc->prev = NULL; + exc->build_chain = 0; exc->next = *pexc; *pexc = exc; @@ -1262,6 +1280,7 @@ int args_excert(char ***pargs, int *pargc, { char *arg = **pargs, *argn = (*pargs)[1]; SSL_EXCERT *exc = *pexc; + int narg = 2; if (!exc) { if (ssl_excert_prepend(&exc)) @@ -1318,6 +1337,11 @@ int args_excert(char ***pargs, int *pargc, } exc->chainfile = argn; } + else if (strcmp(arg,"-xchain_build") == 0) + { + narg = 1; + exc->build_chain = 1; + } else if (strcmp(arg,"-xcertform") == 0) { if (!argn) 
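Review bot: The precedence between an explicitly supplied chain and the new build_chain flag is inconsistent between this hunk and the set_cert_cb hunk further down: here `!chain && build_chain` lets a supplied chain win and silently ignores the flag, while set_cert_cb tests `exc->build_chain` first and never looks at exc->chain. Pick one order and document it on the new parameter, e.g. `/* build_chain: if nonzero and no chain was supplied, build one from the ctx store; an explicit chain takes precedence */`. The literal `0` passed to SSL_CTX_build_cert_chain is an unexplained flags value; a short comment stating that the default flag set is intended would help the next reader. set_cert_key_stuff's earlier statements lie outside this hunk.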
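Review bot: The new failure path in set_cert_cb returns 0 without reporting why, whereas the equivalent path in set_cert_key_stuff prints the error queue; adding `ERR_print_errors(bio_err);` before `return 0;` makes a chain that cannot be built diagnosable instead of surfacing as an opaque handshake failure. The NB comment explains the efficiency concern but not that exc->chain is skipped whenever build_chain is set; extending it with ` * When build_chain is set any chain supplied via -xchain is ignored.` would make that visible at the point it matters. set_cert_cb starts and ends outside this hunk.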
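Review bot: `-xchain_build` is accepted without checking whether `-xchain` was also given for the same certificate, so a user can specify both and only discover from behaviour which one applies; either reject the combination here with a BIO_printf to bio_err as the file does for other argument errors, or state the precedence in the option's help text. No usage or help text for the new option appears in this diff; if the -x* options are described elsewhere in s_cb.c, `-xchain_build` should be added there as well. args_excert starts and ends outside this hunk.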
@@ -1339,10 +1363,10 @@ int args_excert(char ***pargs, int *pargc, else return 0; - (*pargs) += 2; + (*pargs) += narg; if (pargc) - *pargc -= 2; + *pargc -= narg; *pexc = exc; |