From: Marcel Poul
Date: Mon, 2 Jul 2012 11:02:55 +0000 (+0000)
Subject: cert. chain verification routine added to API
X-Git-Tag: gridsite-core_R_1_7_22~44
X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=89a0dfffdfcf955148bb9d3e8519bb5d81eb6e82;p=jra1mw.git

cert. chain verification routine added to API
---

diff --git a/emi.canl.canl-c/src/canl_cred.c b/emi.canl.canl-c/src/canl_cred.c
index ac9ccb9..a71b892 100644
--- a/emi.canl.canl-c/src/canl_cred.c
+++ b/emi.canl.canl-c/src/canl_cred.c
@@ -7,6 +7,10 @@
 #define LIFETIME_TRESHOLD 10*24*60*60 //10 days
 static STACK_OF(X509)* my_sk_X509_dup(glb_ctx *cc, STACK_OF(X509) *stack);
+extern int proxy_verify_cert_chain(X509 * ucert, STACK_OF(X509) * cert_chain, proxy_verify_desc * pvd);
+extern void proxy_verify_ctx_init(proxy_verify_ctx_desc * pvxd);
+static proxy_verify_desc *setup_initializers(char *cadir);
+static void destroy_initializers(void *data);
 static STACK_OF(X509)* my_sk_X509_dup(glb_ctx *cc, STACK_OF(X509) *stack)
 {
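Review bot: The two `extern` prototypes for proxy_verify_cert_chain() and proxy_verify_ctx_init() re-declare, inside this .c file, functions defined in another translation unit, so the compiler cannot check them against the real definitions and a later signature change there goes unnoticed. The new code further down in this commit also calls proxy_verify_init(), proxy_verify_release() and proxy_verify_ctx_release() without declaring them here, so a header for the proxy_verify_* API presumably already exists and both prototypes belong in it. If the verifier does not write through the directory name, `static proxy_verify_desc *setup_initializers(const char *cadir);` would let callers pass string literals and const buffers without a cast, but that depends on the type of pvxd->certdir, which is not visible in this diff.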
@@ -630,6 +634,65 @@ canl_cred_load_req(canl_ctx ctx, canl_cred cred_out, const X509_REQ *req_in)
 return 0;
 }
+/*TODO ENOSYS for now*/
+canl_err_code CANL_CALLCONV
+canl_verify_chain(canl_ctx ctx, X509 *ucert, STACK_OF(X509) *cert_chain,
+ char *cadir)
+{
+ proxy_verify_desc *pvd = NULL; /* verification context */
+
+ pvd = setup_initializers(cadir);
+ proxy_verify_cert_chain(ucert, cert_chain, pvd);
+
+ destroy_initializers(pvd);
+ return ENOSYS;
+}
+
+static proxy_verify_desc *setup_initializers(char *cadir)
+{
+ proxy_verify_ctx_desc *pvxd = NULL;
+ proxy_verify_desc *pvd = NULL;
+
+ pvd = (proxy_verify_desc*) malloc(sizeof(proxy_verify_desc));
+ pvxd = (proxy_verify_ctx_desc *)malloc(sizeof(proxy_verify_ctx_desc));
+ pvd->cert_store = NULL;
+
+
+ if (!pvd || !pvxd) {
+ free(pvd);
+ free(pvxd);
+ return NULL;
+ }
+
+ proxy_verify_ctx_init(pvxd);
+ proxy_verify_init(pvd, pvxd);
+
+ pvd->pvxd->certdir = cadir;
+
+ return pvd;
+
+}
+
+static void destroy_initializers(void *data)
+{
+ proxy_verify_desc *pvd = (proxy_verify_desc *)data;
+
+ if (pvd) {
+ if (pvd->pvxd)
+ proxy_verify_ctx_release(pvd->pvxd);
+
+ free(pvd->pvxd);
+ pvd->pvxd = NULL;
+ proxy_verify_release(pvd);
+
+ /* X509_STORE_CTX_free segfaults if passed a NULL store_ctx */
+ if (pvd->cert_store)
+ X509_STORE_CTX_free(pvd->cert_store);
+ pvd->cert_store = NULL;
+
+ free(pvd);
+ }
+}
 #if 0
 canl_err_code CANL_CALLCONV
diff --git a/emi.canl.canl-c/src/canl_cred.h b/emi.canl.canl-c/src/canl_cred.h
index 432ad9f..3cc2917 100644
--- a/emi.canl.canl-c/src/canl_cred.h
+++ b/emi.canl.canl-c/src/canl_cred.h
@@ -92,6 +92,11 @@ canl_cred_save_req(canl_ctx, canl_cred, X509_REQ **);
 canl_err_code CANL_CALLCONV
 canl_cred_load_req(canl_ctx, canl_cred, const X509_REQ *);
+/* Routines to verify cert. chain */
+canl_err_code CANL_CALLCONV
+canl_verify_chain(canl_ctx ctx, X509 *ucert, STACK_OF(X509) *cert_chain,
+ char *cadir);
+
 #if 0
 canl_err_code CANL_CALLCONV
 canl_req_get_pair(canl_ctx, canl_x509_req, EVP_PKEY **);
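Review bot: In setup_initializers(), `pvd->cert_store = NULL;` runs before the `if (!pvd || !pvxd)` check, so a failed malloc() becomes a NULL dereference instead of the intended clean return; move that assignment below the check. canl_verify_chain() then hands a possibly NULL pvd straight to proxy_verify_cert_chain() and discards its result, so even once the `return ENOSYS;` stub is lifted no verdict reaches the caller: guard with `if (!pvd) return ENOMEM;` (or this module's allocation-failure code) and keep the verifier's int result in a local so it can be mapped onto a canl_err_code rather than dropped. `pvd->pvxd->certdir = cadir;` stores the caller's pointer without copying it; if proxy_verify_ctx_release() frees certdir, as the Globus-derived sslutils implementation does, destroy_initializers() frees memory the caller owns, so `pvd->pvxd->certdir = cadir ? strdup(cadir) : NULL;` is the safer form — worth confirming against the proxy_verify_ctx_release() definition, which is not in this diff. The `ctx` parameter is accepted but never used, so none of these failures is recorded on the caller's context.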
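Review bot: The comment `/* Routines to verify cert. chain */` above canl_verify_chain() leaves the public contract undocumented — what `cadir` is (the CA certificate directory, judging by the name), which of `ucert`, `cert_chain` and `cadir` the callee may retain or free, and that the implementation in this commit always returns ENOSYS; a short block comment giving each parameter's meaning, the return convention the neighbouring routines use (0 on success, otherwise a canl_err_code) and the stub status would spare callers a trip into canl_cred.c. The prototype also departs from the unnamed-parameter style of the adjacent declarations such as `canl_cred_load_req(canl_ctx, canl_cred, const X509_REQ *);`, and `cadir` could be `const char *` since a directory name is only read, unless the underlying proxy_verify_ctx_desc field is non-const — which is not visible here.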