From: Marcel Poul Date: Sun, 14 Oct 2012 21:37:24 +0000 (+0000) Subject: Intoduce new funcion canl_verify_chain_wo_ossl() to allow caNl cert chain verificatio... X-Git-Tag: glite-jobid-api-c_R_2_2_3_1~7 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=44b1199f3901bc461070c9daa5944ad145199c7c;p=jra1mw.git Intoduce new funcion canl_verify_chain_wo_ossl() to allow caNl cert chain verification without preceding openssl verification process. --- diff --git a/emi.canl.canl-c/src/canl_cred.c b/emi.canl.canl-c/src/canl_cred.c index 794b0ec..c1ee783 100644 --- a/emi.canl.canl-c/src/canl_cred.c +++ b/emi.canl.canl-c/src/canl_cred.c @@ -10,6 +10,8 @@ static STACK_OF(X509)* my_sk_X509_dup(glb_ctx *cc, STACK_OF(X509) *stack); extern int proxy_verify_cert_chain(X509 * ucert, STACK_OF(X509) * cert_chain, proxy_verify_desc * pvd); extern proxy_verify_desc *pvd_setup_initializers(char *cadir); extern void pvd_destroy_initializers(void *data); +extern canl_error map_verify_result(unsigned long ssl_err, + const X509_STORE_CTX *store_ctx, SSL *ssl); static STACK_OF(X509)* my_sk_X509_dup(glb_ctx *cc, STACK_OF(X509) *stack) { @@ -695,15 +697,56 @@ canl_verify_chain(canl_ctx ctx, X509 *ucert, STACK_OF(X509) *cert_chain, { int ret = 0; proxy_verify_desc *pvd = NULL; /* verification context */ - - pvd = pvd_setup_initializers(cadir); + + pvd = pvd_setup_initializers(cadir); ret = proxy_verify_cert_chain(ucert, cert_chain, pvd); pvd_destroy_initializers(pvd); if (ret) /* This will be ommited when proxy_verify_cert sets errors itself or propagate them out. */ - return set_error(cc, CANL_ERR_unknown, CANL_ERROR, "Certificate chain" - " validation failed") // TODO error code check + return set_error(ctx, CANL_ERR_unknown, CANL_ERROR, "Certificate chain" + " validation failed"); // TODO error code check + return 0; +} + +canl_err_code CANL_CALLCONV +canl_verify_chain_wo_ossl(canl_ctx ctx, char *cadir, + X509_STORE_CTX *store_ctx) +{ + int ret = 0, depth = 0, i = 0; + STACK_OF(X509) *certstack; + proxy_verify_desc *pvd = NULL; /* verification context */ + unsigned long ssl_err = 0; + canl_error canl_err = 0; + + pvd = pvd_setup_initializers(cadir); + X509_STORE_CTX_set_ex_data(store_ctx, PVD_STORE_EX_DATA_IDX, (void *)pvd); +#ifdef X509_V_FLAG_ALLOW_PROXY_CERTS + X509_STORE_CTX_set_flags(store_ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); +#endif + pvd_destroy_initializers(pvd); + + certstack = X509_STORE_CTX_get_chain(store_ctx); + depth = sk_X509_num(certstack); + /*TODO maybe free() certstack? is it refferenced? */ + + ERR_clear_error(); + /* Go through the client cert chain and check it */ + for (i = depth - 1; i >= 0; i--){ + ret = proxy_verify_callback(1, store_ctx); + if (!ret){ + /* Verification failed */ + ssl_err = ERR_get_error(); + canl_err = map_verify_result(ssl_err, store_ctx, NULL); + if (canl_err) + return set_error (ctx, canl_err, CANL_ERROR, + "Error during SSL handshake"); + else + return set_error(ctx, ssl_err, SSL_ERROR, + "Error during SSL handshake"); + } + } + return 0; } diff --git a/emi.canl.canl-c/src/canl_cred.h b/emi.canl.canl-c/src/canl_cred.h index 31a3204..45acfc7 100644 --- a/emi.canl.canl-c/src/canl_cred.h +++ b/emi.canl.canl-c/src/canl_cred.h @@ -100,11 +100,17 @@ canl_cred_load_req(canl_ctx, canl_cred, const X509_REQ *); /* Routines to verify cert. chain */ /* Verify certificate chain, openssl verif. CRL, OCSP, signing policies etc. - Returns: 1 - OK; 0 - verification failed.*/ + */ canl_err_code CANL_CALLCONV canl_verify_chain(canl_ctx ctx, X509 *ucert, STACK_OF(X509) *cert_chain, char *cadir); +/* Verify certificate chain, SKIP openssl verif. part; Check CRL, OCSP, + * signing policies etc. */ +canl_err_code CANL_CALLCONV +canl_verify_chain_wo_ossl(canl_ctx ctx, char *cadir, + X509_STORE_CTX *store_ctx); + #if 0 canl_err_code CANL_CALLCONV canl_req_get_pair(canl_ctx, canl_x509_req, EVP_PKEY **);