root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Add options to set additional type specific certificate chains to 

s_server.
This commit is contained in:
Dr. Stephen Henson 2012-04-11 16:54:07 +00:00
parent e1a7db8fdd
commit 65a0f68484
4 changed files with 43 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/s_apps.h
View File

@ -154,7 +154,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
#ifdef HEADER_SSL_H
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_curves(BIO *out, SSL *s);
#endif

9
apps/s_cb.c
View File

@ -250,7 +250,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
return(1);
}
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain)
{
if (cert == NULL)
return 1;
@ -275,6 +276,12 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
BIO_printf(bio_err,"Private key does not match the certificate public key\n");
return 0;
}
if (chain && !SSL_CTX_set1_chain(ctx, chain))
{
BIO_printf(bio_err,"error setting certificate chain\n");
ERR_print_errors(bio_err);
return 0;
}
return 1;
}

2
apps/s_client.c
View File

@ -1169,7 +1169,7 @@ bad:
#endif
SSL_CTX_set_verify(ctx,verify,verify_callback);
if (!set_cert_key_stuff(ctx,cert,key))
if (!set_cert_key_stuff(ctx,cert,key, NULL))
goto end;
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||

37
apps/s_server.c
View File

@ -267,12 +267,12 @@ extern int verify_depth, verify_return_error;
static char *cipher=NULL;
static int s_server_verify=SSL_VERIFY_NONE;
static int s_server_session_id_context = 1; /* anything will do */
static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
static char *curves=NULL;
#endif
static char *s_dcert_file=NULL,*s_dkey_file=NULL;
static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
#ifdef FIONBIO
static int s_nbio=0;
#endif
@ -431,8 +431,10 @@ static void s_server_init(void)
s_server_verify=SSL_VERIFY_NONE;
s_dcert_file=NULL;
s_dkey_file=NULL;
s_dchain_file=NULL;
s_cert_file=TEST_CERT;
s_key_file=NULL;
s_chain_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
curves=NULL;
s_cert_file2=TEST_CERT2;
@ -952,6 +954,7 @@ int MAIN(int argc, char *argv[])
char *dpassarg = NULL, *dpass = NULL;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
X509 *s_cert = NULL, *s_dcert = NULL;
STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
EVP_PKEY *s_key = NULL, *s_dkey = NULL;
int no_cache = 0;
#ifndef OPENSSL_NO_TLSEXT
@ -1050,6 +1053,11 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) goto bad;
passarg = *(++argv);
}
else if (strcmp(*argv,"-cert_chain") == 0)
{
if (--argc < 1) goto bad;
s_chain_file= *(++argv);
}
else if (strcmp(*argv,"-dhparam") == 0)
{
if (--argc < 1) goto bad;
@ -1087,6 +1095,11 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) goto bad;
s_dkey_file= *(++argv);
}
else if (strcmp(*argv,"-dcert_chain") == 0)
{
if (--argc < 1) goto bad;
s_dchain_file= *(++argv);
}
else if (strcmp(*argv,"-nocert") == 0)
{
nocert=1;
@ -1417,6 +1430,13 @@ bad:
ERR_print_errors(bio_err);
goto end;
}
if (s_chain_file)
{
s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM,
NULL, e, "server certificate chain");
if (!s_chain)
goto end;
}
#ifndef OPENSSL_NO_TLSEXT
if (tlsextcbp.servername)
@ -1481,6 +1501,13 @@ bad:
ERR_print_errors(bio_err);
goto end;
}
if (s_dchain_file)
{
s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM,
NULL, e, "second server certificate chain");
if (!s_dchain)
goto end;
}
}
@ -1740,15 +1767,15 @@ bad:
}
#endif
if (!set_cert_key_stuff(ctx,s_cert,s_key))
if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
goto end;
#ifndef OPENSSL_NO_TLSEXT
if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
goto end;
#endif
if (s_dcert != NULL)
{
if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
goto end;
}