From: Richard Levitte Date: Fri, 11 Aug 2000 19:43:20 +0000 (+0000) Subject: The pkcs12 had no way of getting a CA file or path to be used when X-Git-Tag: OpenSSL-engine-0_9_6-beta1~12^2~69 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=88364bc2bc310d1d31baee8ed010d8190512a4e2 The pkcs12 had no way of getting a CA file or path to be used when building a complete chain. Now added through the -CAfile and -CApath arguments. --- diff --git a/CHANGES b/CHANGES index 10a8ca5d43..d6a276b012 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) Add the arguments -CAfile and -CApath to the pkcs12 utility. + [Richard Levitte] + *) The obj_dat.pl script was messing up the sorting of object names. The reason was that it compared the quoted version of strings as a result "OCSP" > "OCSP Signing" because diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 3f958943b4..576f49b7f7 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -78,7 +78,7 @@ EVP_CIPHER *enc; #define CLCERTS 0x8 #define CACERTS 0x10 -int get_cert_chain(X509 *cert, STACK_OF(X509) **chain); +int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass, int passlen, int options, char *pempass); @@ -117,6 +117,7 @@ int MAIN(int argc, char **argv) char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; char *inrand = NULL; + char *CApath = NULL, *CAfile = NULL; apps_startup(); @@ -225,6 +226,16 @@ int MAIN(int argc, char **argv) passarg = *args; noprompt = 1; } else badarg = 1; + } else if (!strcmp(*args,"-CApath")) { + if (args[1]) { + args++; + CApath = *args; + } else badarg = 1; + } else if (!strcmp(*args,"-CAfile")) { + if (args[1]) { + args++; + CAfile = *args; + } else badarg = 1; } else badarg = 1; } else badarg = 1; @@ -238,6 +249,8 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-chain add certificate chain\n"); BIO_printf (bio_err, "-inkey file private key if not infile\n"); BIO_printf (bio_err, "-certfile f add all certs in f\n"); + BIO_printf (bio_err, "-CApath arg - PEM format directory of CA's\n"); + BIO_printf (bio_err, "-CAfile arg - PEM format file of CA's\n"); BIO_printf (bio_err, "-name \"name\" use name as friendly name\n"); BIO_printf (bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); BIO_printf (bio_err, "-in infile input filename\n"); @@ -423,7 +436,16 @@ int MAIN(int argc, char **argv) if (chain) { int vret; STACK_OF(X509) *chain2; - vret = get_cert_chain (ucert, &chain2); + X509_STORE *store = X509_STORE_new(); + if (!store) + { + BIO_printf (bio_err, "Memory allocation error\n"); + goto end; + } + if (!X509_STORE_load_locations(store, CAfile, CApath)) + X509_STORE_set_default_paths (store); + + vret = get_cert_chain (ucert, store, &chain2); if (vret) { BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); @@ -496,8 +518,6 @@ int MAIN(int argc, char **argv) i2d_PKCS12_bio (out, p12); - PKCS12_free(p12); - ret = 0; #ifdef CRYPTO_MDEBUG @@ -557,8 +577,8 @@ int MAIN(int argc, char **argv) CRYPTO_pop_info(); #endif ret = 0; - end: - PKCS12_free(p12); + end: + if (p12) PKCS12_free(p12); if(export_cert || inrand) app_RAND_write_file(NULL, bio_err); #ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); @@ -690,15 +710,12 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, /* Hope this is OK .... */ -int get_cert_chain (X509 *cert, STACK_OF(X509) **chain) +int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) { - X509_STORE *store; X509_STORE_CTX store_ctx; STACK_OF(X509) *chn; int i; - store = X509_STORE_new (); - X509_STORE_set_default_paths (store); X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (X509_verify_cert(&store_ctx) <= 0) { i = X509_STORE_CTX_get_error (&store_ctx);