- Added X509 CA Path support

This commit is contained in:
Paul Bakker 2012-06-04 12:46:42 +00:00
parent e6ee41f932
commit 8d914583f3
4 changed files with 92 additions and 1 deletions

View file

@ -19,6 +19,7 @@ Features
* Added support for Hardware Acceleration hooking in SSL/TLS * Added support for Hardware Acceleration hooking in SSL/TLS
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and * Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
example application (programs/ssl/o_p_test) (Requires OpenSSL) example application (programs/ssl/o_p_test) (Requires OpenSSL)
* Added X509 CA Path support
Changes Changes
* Removed redundant POLARSSL_DEBUG_MSG define * Removed redundant POLARSSL_DEBUG_MSG define

View file

@ -455,6 +455,22 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
*/ */
int x509parse_crtfile( x509_cert *chain, const char *path ); int x509parse_crtfile( x509_cert *chain, const char *path );
/** \ingroup x509_module */
/**
* \brief Load one or more certificate files from a path and add them
* to the chained list. Parses permissively. If some
* certificates can be parsed, the result is the number
* of failed certificates it encountered. If none complete
* correctly, the first error is returned.
*
* \param chain points to the start of the chain
* \param path directory / folder to read the certificate files from
*
* \return 0 if all certificates parsed successfully, a positive number
* if partly successful or a specific X509 or PEM error code
*/
int x509parse_crtpath( x509_cert *chain, const char *path );
/** \ingroup x509_module */ /** \ingroup x509_module */
/** /**
* \brief Parse one or more CRLs and add them * \brief Parse one or more CRLs and add them

View file

@ -60,6 +60,10 @@
#if defined(POLARSSL_FS_IO) #if defined(POLARSSL_FS_IO)
#include <stdio.h> #include <stdio.h>
#if !defined(_WIN32)
#include <sys/types.h>
#include <dirent.h>
#endif
#endif #endif
/* /*
@ -1860,6 +1864,68 @@ int x509parse_crtfile( x509_cert *chain, const char *path )
return( ret ); return( ret );
} }
int x509parse_crtpath( x509_cert *chain, const char *path )
{
int ret = 0;
#if defined(_WIN32)
int t_ret;
TCHAR szDir[MAX_PATH];
WIN32_FIND_DATA file_data;
HANDLE hFind;
DWORD dwError = 0;
StringCchCopy(szDir, MAX_PATH, path);
StringCchCat(szDir, MAX_PATH, TEXT("\\*"));
hFind = FindFirstFile( szDir, &file_data );
if (hFind == INVALID_HANDLE_VALUE)
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
do
{
if( file_data.dwAttributes & FILE_ATTRIBUTE_DIRECTORY )
continue;
t_ret = x509parse_crtfile( chain, entry_name );
if( t_ret < 0 )
return( t_ret );
ret += t_ret;
}
while( FindNextFile( hFind, &file_data ) != 0 );
dwError = GetLastError();
if (dwError != ERROR_NO_MORE_FILES)
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
FindClose( hFind );
#else
int t_ret;
struct dirent *entry;
char entry_name[255];
DIR *dir = opendir( path );
if( dir == NULL)
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
while( ( entry = readdir( dir ) ) != NULL )
{
if( entry->d_type != DT_REG )
continue;
snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry->d_name );
t_ret = x509parse_crtfile( chain, entry_name );
if( t_ret < 0 )
return( t_ret );
ret += t_ret;
}
closedir( dir );
#endif
return( ret );
}
/* /*
* Load one or more CRLs and add them to the chained list * Load one or more CRLs and add them to the chained list
*/ */

View file

@ -46,6 +46,7 @@
#define DFL_REQUEST_PAGE "/" #define DFL_REQUEST_PAGE "/"
#define DFL_DEBUG_LEVEL 0 #define DFL_DEBUG_LEVEL 0
#define DFL_CA_FILE "" #define DFL_CA_FILE ""
#define DFL_CA_PATH ""
#define DFL_CRT_FILE "" #define DFL_CRT_FILE ""
#define DFL_KEY_FILE "" #define DFL_KEY_FILE ""
#define DFL_FORCE_CIPHER 0 #define DFL_FORCE_CIPHER 0
@ -62,6 +63,7 @@ struct options
int debug_level; /* level of debugging */ int debug_level; /* level of debugging */
char *request_page; /* page on server to request */ char *request_page; /* page on server to request */
char *ca_file; /* the file with the CA certificate(s) */ char *ca_file; /* the file with the CA certificate(s) */
char *ca_path; /* the path with the CA certificate(s) reside */
char *crt_file; /* the file with the client certificate */ char *crt_file; /* the file with the client certificate */
char *key_file; /* the file with the client key */ char *key_file; /* the file with the client key */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
@ -79,6 +81,7 @@ void my_debug( void *ctx, int level, const char *str )
#if defined(POLARSSL_FS_IO) #if defined(POLARSSL_FS_IO)
#define USAGE_IO \ #define USAGE_IO \
" ca_file=%%s default: \"\" (pre-loaded)\n" \ " ca_file=%%s default: \"\" (pre-loaded)\n" \
" ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
" crt_file=%%s default: \"\" (pre-loaded)\n" \ " crt_file=%%s default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n" " key_file=%%s default: \"\" (pre-loaded)\n"
#else #else
@ -164,6 +167,7 @@ int main( int argc, char *argv[] )
opt.debug_level = DFL_DEBUG_LEVEL; opt.debug_level = DFL_DEBUG_LEVEL;
opt.request_page = DFL_REQUEST_PAGE; opt.request_page = DFL_REQUEST_PAGE;
opt.ca_file = DFL_CA_FILE; opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.crt_file = DFL_CRT_FILE; opt.crt_file = DFL_CRT_FILE;
opt.key_file = DFL_KEY_FILE; opt.key_file = DFL_KEY_FILE;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER; opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
@ -201,6 +205,8 @@ int main( int argc, char *argv[] )
opt.request_page = q; opt.request_page = q;
else if( strcmp( p, "ca_file" ) == 0 ) else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q; opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "crt_file" ) == 0 ) else if( strcmp( p, "crt_file" ) == 0 )
opt.crt_file = q; opt.crt_file = q;
else if( strcmp( p, "key_file" ) == 0 ) else if( strcmp( p, "key_file" ) == 0 )
@ -245,7 +251,9 @@ int main( int argc, char *argv[] )
fflush( stdout ); fflush( stdout );
#if defined(POLARSSL_FS_IO) #if defined(POLARSSL_FS_IO)
if( strlen( opt.ca_file ) ) if( strlen( opt.ca_path ) )
ret = x509parse_crtpath( &cacert, opt.ca_path );
else if( strlen( opt.ca_file ) )
ret = x509parse_crtfile( &cacert, opt.ca_file ); ret = x509parse_crtfile( &cacert, opt.ca_file );
else else
#endif #endif