- Added X509 CA Path support
This commit is contained in:
parent
e6ee41f932
commit
8d914583f3
4 changed files with 92 additions and 1 deletions
|
@ -19,6 +19,7 @@ Features
|
|||
* Added support for Hardware Acceleration hooking in SSL/TLS
|
||||
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
|
||||
example application (programs/ssl/o_p_test) (Requires OpenSSL)
|
||||
* Added X509 CA Path support
|
||||
|
||||
Changes
|
||||
* Removed redundant POLARSSL_DEBUG_MSG define
|
||||
|
|
|
@ -455,6 +455,22 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
|
|||
*/
|
||||
int x509parse_crtfile( x509_cert *chain, const char *path );
|
||||
|
||||
/** \ingroup x509_module */
|
||||
/**
|
||||
* \brief Load one or more certificate files from a path and add them
|
||||
* to the chained list. Parses permissively. If some
|
||||
* certificates can be parsed, the result is the number
|
||||
* of failed certificates it encountered. If none complete
|
||||
* correctly, the first error is returned.
|
||||
*
|
||||
* \param chain points to the start of the chain
|
||||
* \param path directory / folder to read the certificate files from
|
||||
*
|
||||
* \return 0 if all certificates parsed successfully, a positive number
|
||||
* if partly successful or a specific X509 or PEM error code
|
||||
*/
|
||||
int x509parse_crtpath( x509_cert *chain, const char *path );
|
||||
|
||||
/** \ingroup x509_module */
|
||||
/**
|
||||
* \brief Parse one or more CRLs and add them
|
||||
|
|
|
@ -60,6 +60,10 @@
|
|||
|
||||
#if defined(POLARSSL_FS_IO)
|
||||
#include <stdio.h>
|
||||
#if !defined(_WIN32)
|
||||
#include <sys/types.h>
|
||||
#include <dirent.h>
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -1860,6 +1864,68 @@ int x509parse_crtfile( x509_cert *chain, const char *path )
|
|||
return( ret );
|
||||
}
|
||||
|
||||
int x509parse_crtpath( x509_cert *chain, const char *path )
|
||||
{
|
||||
int ret = 0;
|
||||
#if defined(_WIN32)
|
||||
int t_ret;
|
||||
TCHAR szDir[MAX_PATH];
|
||||
WIN32_FIND_DATA file_data;
|
||||
HANDLE hFind;
|
||||
DWORD dwError = 0;
|
||||
|
||||
StringCchCopy(szDir, MAX_PATH, path);
|
||||
StringCchCat(szDir, MAX_PATH, TEXT("\\*"));
|
||||
|
||||
hFind = FindFirstFile( szDir, &file_data );
|
||||
if (hFind == INVALID_HANDLE_VALUE)
|
||||
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
|
||||
|
||||
do
|
||||
{
|
||||
if( file_data.dwAttributes & FILE_ATTRIBUTE_DIRECTORY )
|
||||
continue;
|
||||
|
||||
t_ret = x509parse_crtfile( chain, entry_name );
|
||||
if( t_ret < 0 )
|
||||
return( t_ret );
|
||||
|
||||
ret += t_ret;
|
||||
}
|
||||
while( FindNextFile( hFind, &file_data ) != 0 );
|
||||
|
||||
dwError = GetLastError();
|
||||
if (dwError != ERROR_NO_MORE_FILES)
|
||||
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
|
||||
|
||||
FindClose( hFind );
|
||||
#else
|
||||
int t_ret;
|
||||
struct dirent *entry;
|
||||
char entry_name[255];
|
||||
DIR *dir = opendir( path );
|
||||
|
||||
if( dir == NULL)
|
||||
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
|
||||
|
||||
while( ( entry = readdir( dir ) ) != NULL )
|
||||
{
|
||||
if( entry->d_type != DT_REG )
|
||||
continue;
|
||||
|
||||
snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry->d_name );
|
||||
t_ret = x509parse_crtfile( chain, entry_name );
|
||||
if( t_ret < 0 )
|
||||
return( t_ret );
|
||||
|
||||
ret += t_ret;
|
||||
}
|
||||
closedir( dir );
|
||||
#endif
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Load one or more CRLs and add them to the chained list
|
||||
*/
|
||||
|
|
|
@ -46,6 +46,7 @@
|
|||
#define DFL_REQUEST_PAGE "/"
|
||||
#define DFL_DEBUG_LEVEL 0
|
||||
#define DFL_CA_FILE ""
|
||||
#define DFL_CA_PATH ""
|
||||
#define DFL_CRT_FILE ""
|
||||
#define DFL_KEY_FILE ""
|
||||
#define DFL_FORCE_CIPHER 0
|
||||
|
@ -62,6 +63,7 @@ struct options
|
|||
int debug_level; /* level of debugging */
|
||||
char *request_page; /* page on server to request */
|
||||
char *ca_file; /* the file with the CA certificate(s) */
|
||||
char *ca_path; /* the path with the CA certificate(s) reside */
|
||||
char *crt_file; /* the file with the client certificate */
|
||||
char *key_file; /* the file with the client key */
|
||||
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
|
||||
|
@ -79,6 +81,7 @@ void my_debug( void *ctx, int level, const char *str )
|
|||
#if defined(POLARSSL_FS_IO)
|
||||
#define USAGE_IO \
|
||||
" ca_file=%%s default: \"\" (pre-loaded)\n" \
|
||||
" ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
|
||||
" crt_file=%%s default: \"\" (pre-loaded)\n" \
|
||||
" key_file=%%s default: \"\" (pre-loaded)\n"
|
||||
#else
|
||||
|
@ -164,6 +167,7 @@ int main( int argc, char *argv[] )
|
|||
opt.debug_level = DFL_DEBUG_LEVEL;
|
||||
opt.request_page = DFL_REQUEST_PAGE;
|
||||
opt.ca_file = DFL_CA_FILE;
|
||||
opt.ca_path = DFL_CA_PATH;
|
||||
opt.crt_file = DFL_CRT_FILE;
|
||||
opt.key_file = DFL_KEY_FILE;
|
||||
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
|
||||
|
@ -201,6 +205,8 @@ int main( int argc, char *argv[] )
|
|||
opt.request_page = q;
|
||||
else if( strcmp( p, "ca_file" ) == 0 )
|
||||
opt.ca_file = q;
|
||||
else if( strcmp( p, "ca_path" ) == 0 )
|
||||
opt.ca_path = q;
|
||||
else if( strcmp( p, "crt_file" ) == 0 )
|
||||
opt.crt_file = q;
|
||||
else if( strcmp( p, "key_file" ) == 0 )
|
||||
|
@ -245,7 +251,9 @@ int main( int argc, char *argv[] )
|
|||
fflush( stdout );
|
||||
|
||||
#if defined(POLARSSL_FS_IO)
|
||||
if( strlen( opt.ca_file ) )
|
||||
if( strlen( opt.ca_path ) )
|
||||
ret = x509parse_crtpath( &cacert, opt.ca_path );
|
||||
else if( strlen( opt.ca_file ) )
|
||||
ret = x509parse_crtfile( &cacert, opt.ca_file );
|
||||
else
|
||||
#endif
|
||||
|
|
Loading…
Reference in a new issue