From: Dr. Stephen Henson Date: Wed, 11 Apr 2012 16:54:07 +0000 (+0000) Subject: Add options to set additional type specific certificate chains to X-Git-Tag: OpenSSL_1_0_2-beta1~665 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=65a0f684849b49033bb035d681b46f96f128f84b;p=oweals%2Fopenssl.git Add options to set additional type specific certificate chains to s_server. --- diff --git a/apps/s_apps.h b/apps/s_apps.h index 39a11d9a77..5de65329a9 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -154,7 +154,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); #endif #ifdef HEADER_SSL_H int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); -int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); +int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, + STACK_OF(X509) *chain); int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s); #endif diff --git a/apps/s_cb.c b/apps/s_cb.c index 4395f194aa..b21a4283df 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -250,7 +250,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) return(1); } -int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key) +int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, + STACK_OF(X509) *chain) { if (cert == NULL) return 1; @@ -275,6 +276,12 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key) BIO_printf(bio_err,"Private key does not match the certificate public key\n"); return 0; } + if (chain && !SSL_CTX_set1_chain(ctx, chain)) + { + BIO_printf(bio_err,"error setting certificate chain\n"); + ERR_print_errors(bio_err); + return 0; + } return 1; } diff --git a/apps/s_client.c b/apps/s_client.c index 96cb4a61f9..5ad6756ff9 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1169,7 +1169,7 @@ bad: #endif SSL_CTX_set_verify(ctx,verify,verify_callback); - if (!set_cert_key_stuff(ctx,cert,key)) + if (!set_cert_key_stuff(ctx,cert,key, NULL)) goto end; if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || diff --git a/apps/s_server.c b/apps/s_server.c index 56e15fae38..23f7988393 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -267,12 +267,12 @@ extern int verify_depth, verify_return_error; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ -static const char *s_cert_file=TEST_CERT,*s_key_file=NULL; +static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; static char *curves=NULL; #endif -static char *s_dcert_file=NULL,*s_dkey_file=NULL; +static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL; #ifdef FIONBIO static int s_nbio=0; #endif @@ -431,8 +431,10 @@ static void s_server_init(void) s_server_verify=SSL_VERIFY_NONE; s_dcert_file=NULL; s_dkey_file=NULL; + s_dchain_file=NULL; s_cert_file=TEST_CERT; s_key_file=NULL; + s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT curves=NULL; s_cert_file2=TEST_CERT2; @@ -952,6 +954,7 @@ int MAIN(int argc, char *argv[]) char *dpassarg = NULL, *dpass = NULL; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; X509 *s_cert = NULL, *s_dcert = NULL; + STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0; #ifndef OPENSSL_NO_TLSEXT @@ -1050,6 +1053,11 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; passarg = *(++argv); } + else if (strcmp(*argv,"-cert_chain") == 0) + { + if (--argc < 1) goto bad; + s_chain_file= *(++argv); + } else if (strcmp(*argv,"-dhparam") == 0) { if (--argc < 1) goto bad; @@ -1087,6 +1095,11 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_dkey_file= *(++argv); } + else if (strcmp(*argv,"-dcert_chain") == 0) + { + if (--argc < 1) goto bad; + s_dchain_file= *(++argv); + } else if (strcmp(*argv,"-nocert") == 0) { nocert=1; @@ -1417,6 +1430,13 @@ bad: ERR_print_errors(bio_err); goto end; } + if (s_chain_file) + { + s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM, + NULL, e, "server certificate chain"); + if (!s_chain) + goto end; + } #ifndef OPENSSL_NO_TLSEXT if (tlsextcbp.servername) @@ -1481,6 +1501,13 @@ bad: ERR_print_errors(bio_err); goto end; } + if (s_dchain_file) + { + s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM, + NULL, e, "second server certificate chain"); + if (!s_dchain) + goto end; + } } @@ -1740,15 +1767,15 @@ bad: } #endif - if (!set_cert_key_stuff(ctx,s_cert,s_key)) + if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2)) + if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; #endif if (s_dcert != NULL) { - if (!set_cert_key_stuff(ctx,s_dcert,s_dkey)) + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain)) goto end; }