cacertinmem.c: use multiple certificates for loading CA-chain

Closes #3421

docs/examples/cacertinmem.c

@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -29,7 +29,7 @@
 #include <curl/curl.h>
 #include <stdio.h>
 
-size_t writefunction(void *ptr, size_t size, size_t nmemb, void *stream)
+static size_t writefunction(void *ptr, size_t size, size_t nmemb, void *stream)
 {
   fwrite(ptr, size, nmemb, (FILE *)stream);
   return (nmemb*size);
@@ -38,88 +38,86 @@ size_t writefunction(void *ptr, size_t size, size_t nmemb, void *stream)
 static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm)
 {
   CURLcode rv = CURLE_ABORTED_BY_CALLBACK;
-  X509_STORE *store = NULL;
+
-  X509 *cert = NULL;
+  /** This example uses two (fake) certificates **/
-  BIO *bio = NULL;
+  static const char mypem[] =
-  char *mypem =
-    /* CA for example.com. CN = DigiCert High Assurance EV Root CA */
     "-----BEGIN CERTIFICATE-----\n"
-    "MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n"
+    "MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE\n"
-    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+    "AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw\n"
-    "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
+    "CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ\n"
-    "ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n"
+    "BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND\n"
-    "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
+    "VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb\n"
-    "LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n"
+    "qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY\n"
-    "RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n"
+    "HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo\n"
-    "+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n"
+    "G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA\n"
-    "PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n"
+    "0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH\n"
-    "xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n"
+    "k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47\n"
-    "Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n"
+    "JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m\n"
-    "hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n"
+    "AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD\n"
-    "EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n"
+    "vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms\n"
-    "MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n"
+    "tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH\n"
-    "FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n"
+    "7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h\n"
-    "nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n"
+    "I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA\n"
-    "eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n"
+    "h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF\n"
-    "hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n"
+    "d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H\n"
-    "Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n"
+    "pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7\n"
-    "vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n"
+    "-----END CERTIFICATE-----\n"
-    "+OkuE6N36B9K\n"
+    "-----BEGIN CERTIFICATE-----\n"
+    "MIIFtTCCA52gAwIBAgIIYY3HhjsBggUwDQYJKoZIhvcNAQEFBQAwRDEWMBQGA1UE\n"
+    "AwwNQUNFRElDT00gUm9vdDEMMAoGA1UECwwDUEtJMQ8wDQYDVQQKDAZFRElDT00x\n"
+    "CzAJBgNVBAYTAkVTMB4XDTA4MDQxODE2MjQyMloXDTI4MDQxMzE2MjQyMlowRDEW\n"
+    "MBQGA1UEAwwNQUNFRElDT00gUm9vdDEMMAoGA1UECwwDUEtJMQ8wDQYDVQQKDAZF\n"
+    "RElDT00xCzAJBgNVBAYTAkVTMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC\n"
+    "AgEA/5KV4WgGdrQsyFhIyv2AVClVYyT/kGWbEHV7w2rbYgIB8hiGtXxaOLHkWLn7\n"
+    "09gtn70yN78sFW2+tfQh0hOR2QetAQXW8713zl9CgQr5auODAKgrLlUTY4HKRxx7\n"
+    "XBZXehuDYAQ6PmXDzQHe3qTWDLqO3tkE7hdWIpuPY/1NFgu3e3eM+SW10W2ZEi5P\n"
+    "gvoFNTPhNahXwOf9jU8/kzJPeGYDdwdY6ZXIfj7QeQCM8htRM5u8lOk6e25SLTKe\n"
+    "I6RF+7YuE7CLGLHdztUdp0J/Vb77W7tH1PwkzQSulgUV1qzOMPPKC8W64iLgpq0i\n"
+    "5ALudBF/TP94HTXa5gI06xgSYXcGCRZj6hitoocf8seACQl1ThCojz2GuHURwCRi\n"
+    "ipZ7SkXp7FnFvmuD5uHorLUwHv4FB4D54SMNUI8FmP8sX+g7tq3PgbUhh8oIKiMn\n"
+    "MCArz+2UW6yyetLHKKGKC5tNSixthT8Jcjxn4tncB7rrZXtaAWPWkFtPF2Y9fwsZ\n"
+    "o5NjEFIqnxQWWOLcpfShFosOkYuByptZ+thrkQdlVV9SH686+5DdaaVbnG0OLLb6\n"
+    "zqylfDJKZ0DcMDQj3dcEI2bw/FWAp/tmGYI1Z2JwOV5vx+qQQEQIHriy1tvuWacN\n"
+    "GHk0vFQYXlPKNFHtRQrmjseCNj6nOGOpMCwXEGCSn1WHElkQwg9naRHMTh5+Spqt\n"
+    "r0CodaxWkHS4oJyleW/c6RrIaQXpuvoDs3zk4E7Czp3otkYNbn5XOmeUwssfnHdK\n"
+    "Z05phkOTOPu220+DkdRgfks+KzgHVZhepA==\n"
     "-----END CERTIFICATE-----\n";
 
-  /* clear the current thread's OpenSSL error queue */
+  BIO *cbio = BIO_new_mem_buf(mypem, sizeof(mypem));
-  ERR_clear_error();
+  X509_STORE  *cts = SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
+  X509_INFO *itmp;
+  int i, count = 0;
+  STACK_OF(X509_INFO) *inf;
+  (void)curl;
+  (void)parm;
 
-  /* get a BIO */
+  if(!cts || !cbio) {
-  bio = BIO_new_mem_buf(mypem, -1);
+    return rv;
-  if(!bio)
-    goto err;
-
-  /* use it to read the PEM formatted certificate from memory into an X509
-   * structure that SSL can use
-   */
-  if(!PEM_read_bio_X509(bio, &cert, 0, NULL))
-    goto err;
-
-  /* get a pointer to the X509 certificate store (which may be empty!) */
-  store = SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
-  if(!store)
-    goto err;
-
-  /* add our certificate to this store */
-  if(!X509_STORE_add_cert(store, cert)) {
-    unsigned long error = ERR_peek_last_error();
-
-    /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the
-     * certificate is already in the store. That could happen if
-     * libcurl already loaded the certificate from a ca cert bundle
-     * set at libcurl build-time or runtime.
-     */
-    if(ERR_GET_LIB(error) != ERR_LIB_X509 ||
-       ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
-      goto err;
-
-    ERR_clear_error();
   }
 
-  rv = CURLE_OK;
+  inf = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL);
 
-err:
+  if(!inf) {
-  if(rv != CURLE_OK) {
+    BIO_free(cbio);
-    char errbuf[256];
+    return rv;
-    unsigned long error = ERR_peek_last_error();
+  }
 
-    fprintf(stderr, "error adding certificate\n");
+  for(i = 0; i < sk_X509_INFO_num(inf); i++) {
-    if(error) {
+    itmp = sk_X509_INFO_value(inf, i);
-      ERR_error_string_n(error, errbuf, sizeof(errbuf));
+    if(itmp->x509) {
-      fprintf(stderr, "%s\n", errbuf);
+      X509_STORE_add_cert(cts, itmp->x509);
+      count++;
+    }
+    if(itmp->crl) {
+      X509_STORE_add_crl(cts, itmp->crl);
+      count++;
     }
   }
 
-  X509_free(cert);
+  sk_X509_INFO_pop_free(inf, X509_INFO_free);
-  BIO_free(bio);
+  BIO_free(cbio);
-  ERR_clear_error();
 
+  rv = CURLE_OK;
   return rv;
 }
 
@@ -142,9 +140,9 @@ int main(void)
   rv = curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 1L);
   rv = curl_easy_setopt(ch, CURLOPT_URL, "https://www.example.com/");
 
-  /* turn off the default CA locations (optional)
+  /* Turn off the default CA locations, otherwise libcurl will load CA
-   * otherwise libcurl will load CA certificates from the locations that
+   * certificates from the locations that were detected/specified at
-   * were detected/specified at build-time
+   * build-time
    */
   rv = curl_easy_setopt(ch, CURLOPT_CAINFO, NULL);
   rv = curl_easy_setopt(ch, CURLOPT_CAPATH, NULL);