Add options to set additional type specific certificate chains to

author Dr. Stephen Henson <steve@openssl.org>

Wed, 11 Apr 2012 16:53:11 +0000 (16:53 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 11 Apr 2012 16:53:11 +0000 (16:53 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 11 Apr 2012 16:53:11 +0000 (16:53 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 11 Apr 2012 16:53:11 +0000 (16:53 +0000)
diff --git a/apps/s_apps.h b/apps/s_apps.h

index 39a11d9a775a8b9bb7933e596508690cda251fdf..5de65329a9b40e4ffb03ece92884e94a93d81d5f 100644 (file)
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -154,7 +154,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
  #endif
  #ifdef HEADER_SSL_H
  int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
  #endif
  #ifdef HEADER_SSL_H
  int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+                                                       STACK_OF(X509) *chain);
  int ssl_print_sigalgs(BIO *out, SSL *s);
  int ssl_print_curves(BIO *out, SSL *s);
  #endif
  int ssl_print_sigalgs(BIO *out, SSL *s);
  int ssl_print_curves(BIO *out, SSL *s);
  #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c

index 4395f194aa838d587c4048140f83e362ed2a20e7..b21a4283dfb478499fd9adc88810d296e5730edb 100644 (file)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -250,7 +250,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
         return(1);
         }
  
         return(1);
         }
  
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+                                                       STACK_OF(X509) *chain)
         {
         if (cert ==  NULL)
                 return 1;
         {
         if (cert ==  NULL)
                 return 1;
@@ -275,6 +276,12 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
                 BIO_printf(bio_err,"Private key does not match the certificate public key\n");
                 return 0;
                 }
                 BIO_printf(bio_err,"Private key does not match the certificate public key\n");
                 return 0;
                 }
+       if (chain && !SSL_CTX_set1_chain(ctx, chain))
+               {
+               BIO_printf(bio_err,"error setting certificate chain\n");
+               ERR_print_errors(bio_err);
+               return 0;
+               }
         return 1;
         }
  
         return 1;
         }
  
diff --git a/apps/s_client.c b/apps/s_client.c

index 55facead51b26980fc318839ae8a6bba3b8cce79..16f1ac37dbb0ae3dcd32be3cef1f325ee02d35f3 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1170,7 +1170,7 @@ bad:
  #endif
  
         SSL_CTX_set_verify(ctx,verify,verify_callback);
  #endif
  
         SSL_CTX_set_verify(ctx,verify,verify_callback);
-       if (!set_cert_key_stuff(ctx,cert,key))
+       if (!set_cert_key_stuff(ctx,cert,key, NULL))
                 goto end;
  
         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
                 goto end;
  
         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
diff --git a/apps/s_server.c b/apps/s_server.c

index 063a9f6c41026a573753a4b3a2beb9e73d7cf60a..bb791e08e7125912c75bb85a5179a8d80686d2f1 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -270,12 +270,12 @@ extern int verify_depth, verify_return_error;
  static char *cipher=NULL;
  static int s_server_verify=SSL_VERIFY_NONE;
  static int s_server_session_id_context = 1; /* anything will do */
  static char *cipher=NULL;
  static int s_server_verify=SSL_VERIFY_NONE;
  static int s_server_session_id_context = 1; /* anything will do */
-static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
  #ifndef OPENSSL_NO_TLSEXT
  static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
  static char *curves=NULL;
  #endif
  #ifndef OPENSSL_NO_TLSEXT
  static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
  static char *curves=NULL;
  #endif
-static char *s_dcert_file=NULL,*s_dkey_file=NULL;
+static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
  #ifdef FIONBIO
  static int s_nbio=0;
  #endif
  #ifdef FIONBIO
  static int s_nbio=0;
  #endif
@@ -435,8 +435,10 @@ static void s_server_init(void)
         s_server_verify=SSL_VERIFY_NONE;
         s_dcert_file=NULL;
         s_dkey_file=NULL;
         s_server_verify=SSL_VERIFY_NONE;
         s_dcert_file=NULL;
         s_dkey_file=NULL;
+       s_dchain_file=NULL;
         s_cert_file=TEST_CERT;
         s_key_file=NULL;
         s_cert_file=TEST_CERT;
         s_key_file=NULL;
+       s_chain_file=NULL;
  #ifndef OPENSSL_NO_TLSEXT
         curves=NULL;
         s_cert_file2=TEST_CERT2;
  #ifndef OPENSSL_NO_TLSEXT
         curves=NULL;
         s_cert_file2=TEST_CERT2;
@@ -961,6 +963,7 @@ int MAIN(int argc, char *argv[])
         char *dpassarg = NULL, *dpass = NULL;
         int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
         X509 *s_cert = NULL, *s_dcert = NULL;
         char *dpassarg = NULL, *dpass = NULL;
         int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
         X509 *s_cert = NULL, *s_dcert = NULL;
+       STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
         EVP_PKEY *s_key = NULL, *s_dkey = NULL;
         int no_cache = 0, ext_cache = 0;
  #ifndef OPENSSL_NO_TLSEXT
         EVP_PKEY *s_key = NULL, *s_dkey = NULL;
         int no_cache = 0, ext_cache = 0;
  #ifndef OPENSSL_NO_TLSEXT
@@ -1061,6 +1064,11 @@ int MAIN(int argc, char *argv[])
                         if (--argc < 1) goto bad;
                         passarg = *(++argv);
                         }
                         if (--argc < 1) goto bad;
                         passarg = *(++argv);
                         }
+               else if (strcmp(*argv,"-cert_chain") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       s_chain_file= *(++argv);
+                       }
                 else if (strcmp(*argv,"-dhparam") == 0)
                         {
                         if (--argc < 1) goto bad;
                 else if (strcmp(*argv,"-dhparam") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -1098,6 +1106,11 @@ int MAIN(int argc, char *argv[])
                         if (--argc < 1) goto bad;
                         s_dkey_file= *(++argv);
                         }
                         if (--argc < 1) goto bad;
                         s_dkey_file= *(++argv);
                         }
+               else if (strcmp(*argv,"-dcert_chain") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       s_dchain_file= *(++argv);
+                       }
                 else if (strcmp(*argv,"-nocert") == 0)
                         {
                         nocert=1;
                 else if (strcmp(*argv,"-nocert") == 0)
                         {
                         nocert=1;
@@ -1434,6 +1447,13 @@ bad:
                         ERR_print_errors(bio_err);
                         goto end;
                         }
                         ERR_print_errors(bio_err);
                         goto end;
                         }
+               if (s_chain_file)
+                       {
+                       s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM,
+                                       NULL, e, "server certificate chain");
+                       if (!s_chain)
+                               goto end;
+                       }
  
  #ifndef OPENSSL_NO_TLSEXT
                 if (tlsextcbp.servername) 
  
  #ifndef OPENSSL_NO_TLSEXT
                 if (tlsextcbp.servername) 
@@ -1497,6 +1517,13 @@ bad:
                         ERR_print_errors(bio_err);
                         goto end;
                         }
                         ERR_print_errors(bio_err);
                         goto end;
                         }
+               if (s_dchain_file)
+                       {
+                       s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM,
+                               NULL, e, "second server certificate chain");
+                       if (!s_dchain)
+                               goto end;
+                       }
  
                 }
  
  
                 }
  
@@ -1760,15 +1787,15 @@ bad:
                 }
  #endif
         
                 }
  #endif
         
-       if (!set_cert_key_stuff(ctx,s_cert,s_key))
+       if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
                 goto end;
  #ifndef OPENSSL_NO_TLSEXT
                 goto end;
  #ifndef OPENSSL_NO_TLSEXT
-       if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
+       if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
                 goto end; 
  #endif
         if (s_dcert != NULL)
                 {
                 goto end; 
  #endif
         if (s_dcert != NULL)
                 {
-               if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+               if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
                         goto end;
                 }
  
                         goto end;
                 }
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 11 Apr 2012 16:53:11 +0000 (16:53 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 11 Apr 2012 16:53:11 +0000 (16:53 +0000)
apps/s_apps.h		patch \| blob \| history
apps/s_cb.c		patch \| blob \| history
apps/s_client.c		patch \| blob \| history
apps/s_server.c		patch \| blob \| history