void *mech_ctx; //like SSL_CTX *
unsigned int flags;
char *ca_dir;
+ char *ca_file;
char *crl_dir;
cert_key_store *cert_key;
} mech_glb_ctx;
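Review bot: The new `ca_file` member receives a heap-allocated string from `canl_ctx_set_ca_fn` elsewhere in this patch, but nothing in this hunk documents who releases it; unless the context destructor that frees `ca_dir` and `crl_dir` (outside this view) was updated too, every context leaks it. A one-line comment on the member such as `char *ca_file; /* owned; released with the context */` would make the expectation explicit. The struct's opening is outside the hunk.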
if (store_from->ca_dir) {
int len = strlen(store_from->ca_dir);
store_to->ca_dir = (char *) malloc((len + 1) * sizeof (char));
- if (store_to->ca_dir)
+ if (!store_to->ca_dir)
return NULL;
strncpy (store_to->ca_dir, store_from->ca_dir, len + 1);
}
if (store_from->crl_dir) {
int len = strlen(store_from->crl_dir);
store_to->crl_dir = (char *) malloc((len + 1) * sizeof (char));
- if (store_to->crl_dir)
+ if (!store_to->crl_dir)
return NULL;
strncpy (store_to->crl_dir, store_from->crl_dir, len + 1);
}
return store_to;
}
-static int
+int
set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store)
{
if (!ocspreq)
return 1;
if (store){
+ if (ocspreq->store)
+ canl_x509store_free(ocspreq->store);
ocspreq->store = store_dup(store);
if (!ocspreq->store)
return 1;
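Review bot: The corrected NULL checks at L12 and L20 are right, but the failure path for `crl_dir` returns NULL while the `ca_dir` copy made a few lines earlier is still allocated, and the caller gets NULL with no handle to release it; the start of store_dup is outside the hunk, so whether `store_to` itself is allocated here (and also leaked) cannot be confirmed. Each malloc/strncpy pair can be collapsed to `store_to->ca_dir = strdup(store_from->ca_dir); if (!store_to->ca_dir) goto fail;` with a single cleanup label that frees the partial copy, which also removes the `int len = strlen(...)` size_t-to-int narrowing. The free added in set_ocsp_store at L33-34 is correct: after a failed store_dup `ocspreq->store` is NULL rather than dangling, and the `return 1` reports it. set_ocsp_store's body continues past the hunk.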
int set_ocsp_maxage(canl_ocsprequest_t *ocspreq, int maxage);
int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url);
int set_ocsp_issuer(canl_ocsprequest_t *ocspreq, X509 *issuer);
+int set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store);
int ocsprequest_init(canl_ocsprequest_t **ocspreq);
void ocsprequest_free(canl_ocsprequest_t *or);
return set_error(cc, ENOMEM, POSIX_ERROR, "Not enough memory");
err = proxy_get_filenames(0, &ca_cert_fn, &ca_cert_dirn, NULL, NULL, NULL);
- if (!err && (ca_cert_fn || ca_cert_dirn))
- SSL_CTX_load_verify_locations(ssl_ctx, ca_cert_fn, ca_cert_dirn);
+ if (!err){
+ /* set ca dir and ca file to SSL_CTX*/
+ if (ca_cert_fn || ca_cert_dirn)
+ SSL_CTX_load_verify_locations(ssl_ctx, ca_cert_fn, ca_cert_dirn);
+ /* set ca dir and/or ca file to canl glb_ctx*/
+ if (!(*m_glb_ctx)->ca_file && ca_cert_fn && !access(ca_cert_fn, R_OK)) {
+ err = canl_ctx_set_ca_fn(cc, ca_cert_fn);
+ if (err)
+ return err;
+ }
+ if (!(*m_glb_ctx)->ca_dir && ca_cert_dirn && !access(ca_cert_dirn, R_OK)) {
+ err = canl_ctx_set_ca_dir(cc, ca_cert_dirn);
+ if (err)
+ return err;
+ }
+ }
+
if (ca_cert_fn)
free(ca_cert_fn);
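Review bot: The two new `return err;` statements at L56 and L61 leave the function before the `free(ca_cert_fn)` on L66 (and presumably the matching free of `ca_cert_dirn` below the hunk), so a failure in canl_ctx_set_ca_fn or canl_ctx_set_ca_dir leaks both strings returned by proxy_get_filenames. Drop the early returns, guard the second setter with `if (!err && !(*m_glb_ctx)->ca_dir && ca_cert_dirn && !access(ca_cert_dirn, R_OK)) {`, and add `if (err) return err;` once after the frees. Separately, `SSL_CTX_load_verify_locations` on L51 returns 0 when neither location could be loaded and that result is discarded, leaving a context with no trust anchors; reporting it through set_error at this point is preferable to a later opaque verification failure. The `access(..., R_OK)` calls test the real uid, so they are advisory only; the check that matters is the one performed when the file is actually loaded. The function continues beyond the hunk.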
return ssl_set_dir(glb_cc, &m_ctx->ca_dir, dir);
}
+canl_err_code
+canl_ctx_set_ca_fn(canl_ctx cc, const char *fn)
+{
+ glb_ctx *glb_cc = (glb_ctx*) cc;
+ mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;
+
+ if (!cc)
+ return EINVAL;
+
+ if (!m_ctx)
+ return set_error(glb_cc, EINVAL, POSIX_ERROR, "SSL context not"
+ " initialized");
+
+ return ssl_set_dir(glb_cc, &m_ctx->ca_file, fn);
+}
+
static canl_err_code
ssl_get_peer(glb_ctx *cc, io_handler *io, void *auth_ctx, canl_principal *peer)
{
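Review bot: `glb_cc->mech_ctx` on L73 is dereferenced before the `if (!cc)` guard on L75, so a NULL `cc` crashes instead of returning EINVAL. Move the guard ahead of the initializers: `if (!cc) return EINVAL;` first, then `glb_ctx *glb_cc = (glb_ctx *)cc;` and `mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;`. The context line at L67 suggests canl_ctx_set_ca_dir was used as the template, so it may carry the same ordering; worth checking. A header comment stating that `fn` is presumably copied by ssl_set_dir and the context keeps ownership would help, since the helper's name suggests a directory and readers may not expect it to take a file path.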
canl_ctx_set_ca_dir(canl_ctx, const char *);
canl_err_code CANL_CALLCONV
-canl_ctx_set_crl_dir(canl_ctx, const char *);
+canl_ctx_set_ca_fn(canl_ctx, const char *);
+
+canl_err_code CANL_CALLCONV
+canl_ctx_sfncrl_dir(canl_ctx, const char *);
canl_err_code CANL_CALLCONV
canl_ctx_set_pkcs11_lib(canl_ctx, const char *);
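Review bot: The added prototype `canl_ctx_sfncrl_dir` on L94 looks like a mistyped re-insertion of the `canl_ctx_set_crl_dir` declaration removed on L90; as written, the public header drops the prototype for the existing CRL-directory setter and declares a function that nothing defines, so callers of canl_ctx_set_crl_dir lose their declaration. The line should read `canl_ctx_set_crl_dir(canl_ctx, const char *);`.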
}
#endif /* X509_V_ERR_CERT_REVOKED */
+ cert_dir = pvd->pvxd->certdir ? pvd->pvxd->certdir :
+ getenv(X509_CERT_DIR);
/* Do not need to check self signed certs against ca_policy_file */
if (X509_NAME_cmp(X509_get_subject_name(ctx->current_cert),
X509_get_issuer_name(ctx->current_cert)))
{
- cert_dir = pvd->pvxd->certdir ? pvd->pvxd->certdir :
- getenv(X509_CERT_DIR);
{
char * error_string = NULL;
set_ocsp_cert(ocsp_data, ctx->current_cert);
if (ctx->current_issuer)
set_ocsp_issuer(ocsp_data, ctx->current_issuer);
+ if (cert_dir){
+ canl_x509store_t *c_store = NULL;
+ if (!canl_x509store_init(&c_store)) {
+ c_store->ca_dir = strdup(cert_dir);
+ set_ocsp_store(ocsp_data, c_store);
+ canl_x509store_free(c_store);
+ c_store = NULL;
+ }
+ }
+
do_ocsp_verify (ocsp_data);
/* TODO sign key and cert */
}
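Review bot: Both `strdup(cert_dir)` on L115 and the `set_ocsp_store` call on L116 can fail, and neither result is checked, so on allocation failure `do_ocsp_verify` on L122 runs with no CA directory configured and the caller never learns that the OCSP check was performed with a weaker trust setup than requested. Fold the two into one check, `if (!c_store->ca_dir || set_ocsp_store(ocsp_data, c_store))`, and route the failure through the callback's existing error path (the `error_string` declared at L108 hints at one, but its use is outside the hunk). The moved `cert_dir` computation on L99-100 now feeds the OCSP trust store as well as the main check, including the `getenv(X509_CERT_DIR)` fallback; a brief comment noting that the OCSP store intentionally mirrors the verification CA directory would make that design choice visible. The enclosing callback starts and ends outside the hunk.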