author | Daniel Stenberg <daniel@haxx.se> | 2008-02-23 12:27:45 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2008-02-23 12:27:45 +0000 |
commit | 6982ed4db767d23141c2399be47595d47a45f4fe (patch) | |
tree | 245be2d43d5ac3486aa91f99cf8329dbf0b04633 /lib | |
parent | 9dd3e4d48140a0852a3f86bd91a691645be319d8 (diff) |
- Sam Listopad provided a patch in feature-request #1900014
http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to
use OpenSSL) support a full chain of certificates in a given PKCS12
certificate.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/ssluse.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index ac6b057cb..889cfc84f 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -364,6 +364,8 @@ int cert_stuff(struct connectdata *conn,
   FILE *f;
   PKCS12 *p12;
   EVP_PKEY *pri;
+  STACK_OF(X509) *ca = NULL;
+  int i;
 
   f = fopen(cert_file,"rb");
   if(!f) {
@@ -373,10 +375,15 @@ int cert_stuff(struct connectdata *conn,
   p12 = d2i_PKCS12_fp(f, NULL);
   fclose(f);
 
+  if(!p12) {
+    failf(data, "error reading PKCS12 file '%s'", cert_file );
+    return 0;
+  }
+
   PKCS12_PBE_add();
   if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
-                   NULL)) {
+                   &ca)) {
     failf(data, "could not parse PKCS12 file, check password, OpenSSL error %s",
           ERR_error_string(ERR_get_error(), NULL) );
@@ -401,6 +408,32 @@ int cert_stuff(struct connectdata *conn,
     return 0;
   }
 
+  if (!SSL_CTX_check_private_key (ctx)) {
+    failf(data, "private key from PKCS12 file '%s' "
+          "does not match certificate in same file", cert_file);
+    EVP_PKEY_free(pri);
+    X509_free(x509);
+    return 0;
+  }
+  /* Set Certificate Verification chain */
+  if (ca && sk_num(ca)) {
+    for (i = 0; i < sk_X509_num(ca); i++) {
+      if (!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) {
+        failf(data, "cannot add certificate to certificate chain");
+        EVP_PKEY_free(pri);
+        X509_free(x509);
+        return 0;
+      }
+      if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) {
+        failf(data, "cannot add certificate to client CA list",
+              cert_file);
+        EVP_PKEY_free(pri);
+        X509_free(x509);
+        return 0;
+      }
+    }
+  }
+
   EVP_PKEY_free(pri);
   X509_free(x509);
   cert_done = 1; |
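Review bot: The new `if(!p12)` guard is the right check, but nothing in the visible hunks ever releases `p12` once `d2i_PKCS12_fp` has succeeded, so the decoded PKCS12 object appears to leak on both the parse-failure path and the success path; a `PKCS12_free(p12)` right after `PKCS12_parse` returns (before the early returns that follow it) would close that. The guard also drops the decoder's own diagnostic, unlike the parse-failure message a few lines below; for consistency it could read `failf(data, "error reading PKCS12 file '%s', OpenSSL error %s", cert_file, ERR_error_string(ERR_get_error(), NULL));`. The enclosing cert_stuff function starts and ends outside this hunk, so a free may live in a part not shown; worth confirming.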
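Review bot: The second `failf` inside the loop passes `cert_file` but its format string `"cannot add certificate to client CA list"` has no conversion for it, so the argument is silently ignored; either drop it or use `"cannot add certificate from '%s' to client CA list"`. Ownership of the chain is also not settled: `SSL_CTX_add_extra_chain_cert` takes over each X509 it is handed (they are freed with the ctx), but the `ca` stack itself is never released, so `sk_X509_free(ca)` (the stack only, not its elements) is needed after the loop, and on the two error returns inside the loop the certificates not yet handed over are leaked as well. `SSL_CTX_add_client_CA` only builds the CA-name list a server sends in its CertificateRequest and is a no-op for a client-side context like libcurl's, and the comment `/* Set Certificate Verification chain */` is misleading since extra chain certs are presented to the peer, not used to verify it; `/* Send the remaining PKCS12 chain to the peer along with the client cert */` would describe what the loop does. `sk_num(ca)` on the `if` line mixes the untyped stack API with the typed `sk_X509_num` used on the very next line; the typed form should be used in both places. The enclosing cert_stuff function starts and ends outside this hunk.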