mirror of
https://github.com/moparisthebest/curl
synced 2024-11-11 12:05:06 -05:00
- Sam Listopad provided a patch in feature-request #1900014
http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to use OpenSSL) support a full chain of certificates in a given PKCS12 certificate.
This commit is contained in:
parent
9dd3e4d481
commit
6982ed4db7
6
CHANGES
6
CHANGES
@ -6,6 +6,12 @@
|
|||||||
|
|
||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
|
Daniel S (23 Feb 2008)
|
||||||
|
- Sam Listopad provided a patch in feature-request #1900014
|
||||||
|
http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to
|
||||||
|
use OpenSSL) support a full chain of certificates in a given PKCS12
|
||||||
|
certificate.
|
||||||
|
|
||||||
Daniel S (22 Feb 2008)
|
Daniel S (22 Feb 2008)
|
||||||
- Georg Lippitsch made the src/Makefile.vc6 makefile use the same memory model
|
- Georg Lippitsch made the src/Makefile.vc6 makefile use the same memory model
|
||||||
options as the lib/Makefile.vc6 already did.
|
options as the lib/Makefile.vc6 already did.
|
||||||
|
@ -15,6 +15,7 @@ This release includes the following changes:
|
|||||||
o we no longer distribute or install a ca cert bundle
|
o we no longer distribute or install a ca cert bundle
|
||||||
o SSLv2 is now disabled by default for SSL operations
|
o SSLv2 is now disabled by default for SSL operations
|
||||||
o the test509-style setting URL in callback is officially no longer supported
|
o the test509-style setting URL in callback is officially no longer supported
|
||||||
|
o support a full chain of certificates in a given PKCS12 certificate
|
||||||
|
|
||||||
This release includes the following bugfixes:
|
This release includes the following bugfixes:
|
||||||
|
|
||||||
@ -48,6 +49,6 @@ advice from friends like these:
|
|||||||
|
|
||||||
Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse,
|
Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse,
|
||||||
Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol,
|
Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol,
|
||||||
Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch
|
Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch, Sam Listopad
|
||||||
|
|
||||||
Thanks! (and sorry if I forgot to mention someone)
|
Thanks! (and sorry if I forgot to mention someone)
|
||||||
|
35
lib/ssluse.c
35
lib/ssluse.c
@ -364,6 +364,8 @@ int cert_stuff(struct connectdata *conn,
|
|||||||
FILE *f;
|
FILE *f;
|
||||||
PKCS12 *p12;
|
PKCS12 *p12;
|
||||||
EVP_PKEY *pri;
|
EVP_PKEY *pri;
|
||||||
|
STACK_OF(X509) *ca = NULL;
|
||||||
|
int i;
|
||||||
|
|
||||||
f = fopen(cert_file,"rb");
|
f = fopen(cert_file,"rb");
|
||||||
if(!f) {
|
if(!f) {
|
||||||
@ -373,10 +375,15 @@ int cert_stuff(struct connectdata *conn,
|
|||||||
p12 = d2i_PKCS12_fp(f, NULL);
|
p12 = d2i_PKCS12_fp(f, NULL);
|
||||||
fclose(f);
|
fclose(f);
|
||||||
|
|
||||||
|
if(!p12) {
|
||||||
|
failf(data, "error reading PKCS12 file '%s'", cert_file );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
PKCS12_PBE_add();
|
PKCS12_PBE_add();
|
||||||
|
|
||||||
if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
|
if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
|
||||||
NULL)) {
|
&ca)) {
|
||||||
failf(data,
|
failf(data,
|
||||||
"could not parse PKCS12 file, check password, OpenSSL error %s",
|
"could not parse PKCS12 file, check password, OpenSSL error %s",
|
||||||
ERR_error_string(ERR_get_error(), NULL) );
|
ERR_error_string(ERR_get_error(), NULL) );
|
||||||
@ -401,6 +408,32 @@ int cert_stuff(struct connectdata *conn,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!SSL_CTX_check_private_key (ctx)) {
|
||||||
|
failf(data, "private key from PKCS12 file '%s' "
|
||||||
|
"does not match certificate in same file", cert_file);
|
||||||
|
EVP_PKEY_free(pri);
|
||||||
|
X509_free(x509);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
/* Set Certificate Verification chain */
|
||||||
|
if (ca && sk_num(ca)) {
|
||||||
|
for (i = 0; i < sk_X509_num(ca); i++) {
|
||||||
|
if (!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) {
|
||||||
|
failf(data, "cannot add certificate to certificate chain");
|
||||||
|
EVP_PKEY_free(pri);
|
||||||
|
X509_free(x509);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) {
|
||||||
|
failf(data, "cannot add certificate to client CA list",
|
||||||
|
cert_file);
|
||||||
|
EVP_PKEY_free(pri);
|
||||||
|
X509_free(x509);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
EVP_PKEY_free(pri);
|
EVP_PKEY_free(pri);
|
||||||
X509_free(x509);
|
X509_free(x509);
|
||||||
cert_done = 1;
|
cert_done = 1;
|
||||||
|
Loading…
Reference in New Issue
Block a user