- Added X509 CA Path support
This commit is contained in:
parent
e6ee41f932
commit
8d914583f3
4 changed files with 92 additions and 1 deletions
|
@ -19,6 +19,7 @@ Features
|
||||||
* Added support for Hardware Acceleration hooking in SSL/TLS
|
* Added support for Hardware Acceleration hooking in SSL/TLS
|
||||||
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
|
* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
|
||||||
example application (programs/ssl/o_p_test) (Requires OpenSSL)
|
example application (programs/ssl/o_p_test) (Requires OpenSSL)
|
||||||
|
* Added X509 CA Path support
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Removed redundant POLARSSL_DEBUG_MSG define
|
* Removed redundant POLARSSL_DEBUG_MSG define
|
||||||
|
|
|
@ -455,6 +455,22 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
|
||||||
*/
|
*/
|
||||||
int x509parse_crtfile( x509_cert *chain, const char *path );
|
int x509parse_crtfile( x509_cert *chain, const char *path );
|
||||||
|
|
||||||
|
/** \ingroup x509_module */
|
||||||
|
/**
|
||||||
|
* \brief Load one or more certificate files from a path and add them
|
||||||
|
* to the chained list. Parses permissively. If some
|
||||||
|
* certificates can be parsed, the result is the number
|
||||||
|
* of failed certificates it encountered. If none complete
|
||||||
|
* correctly, the first error is returned.
|
||||||
|
*
|
||||||
|
* \param chain points to the start of the chain
|
||||||
|
* \param path directory / folder to read the certificate files from
|
||||||
|
*
|
||||||
|
* \return 0 if all certificates parsed successfully, a positive number
|
||||||
|
* if partly successful or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int x509parse_crtpath( x509_cert *chain, const char *path );
|
||||||
|
|
||||||
/** \ingroup x509_module */
|
/** \ingroup x509_module */
|
||||||
/**
|
/**
|
||||||
* \brief Parse one or more CRLs and add them
|
* \brief Parse one or more CRLs and add them
|
||||||
|
|
|
@ -60,6 +60,10 @@
|
||||||
|
|
||||||
#if defined(POLARSSL_FS_IO)
|
#if defined(POLARSSL_FS_IO)
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
#if !defined(_WIN32)
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <dirent.h>
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -1860,6 +1864,68 @@ int x509parse_crtfile( x509_cert *chain, const char *path )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int x509parse_crtpath( x509_cert *chain, const char *path )
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
#if defined(_WIN32)
|
||||||
|
int t_ret;
|
||||||
|
TCHAR szDir[MAX_PATH];
|
||||||
|
WIN32_FIND_DATA file_data;
|
||||||
|
HANDLE hFind;
|
||||||
|
DWORD dwError = 0;
|
||||||
|
|
||||||
|
StringCchCopy(szDir, MAX_PATH, path);
|
||||||
|
StringCchCat(szDir, MAX_PATH, TEXT("\\*"));
|
||||||
|
|
||||||
|
hFind = FindFirstFile( szDir, &file_data );
|
||||||
|
if (hFind == INVALID_HANDLE_VALUE)
|
||||||
|
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
if( file_data.dwAttributes & FILE_ATTRIBUTE_DIRECTORY )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
t_ret = x509parse_crtfile( chain, entry_name );
|
||||||
|
if( t_ret < 0 )
|
||||||
|
return( t_ret );
|
||||||
|
|
||||||
|
ret += t_ret;
|
||||||
|
}
|
||||||
|
while( FindNextFile( hFind, &file_data ) != 0 );
|
||||||
|
|
||||||
|
dwError = GetLastError();
|
||||||
|
if (dwError != ERROR_NO_MORE_FILES)
|
||||||
|
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
|
||||||
|
|
||||||
|
FindClose( hFind );
|
||||||
|
#else
|
||||||
|
int t_ret;
|
||||||
|
struct dirent *entry;
|
||||||
|
char entry_name[255];
|
||||||
|
DIR *dir = opendir( path );
|
||||||
|
|
||||||
|
if( dir == NULL)
|
||||||
|
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
|
||||||
|
|
||||||
|
while( ( entry = readdir( dir ) ) != NULL )
|
||||||
|
{
|
||||||
|
if( entry->d_type != DT_REG )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry->d_name );
|
||||||
|
t_ret = x509parse_crtfile( chain, entry_name );
|
||||||
|
if( t_ret < 0 )
|
||||||
|
return( t_ret );
|
||||||
|
|
||||||
|
ret += t_ret;
|
||||||
|
}
|
||||||
|
closedir( dir );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Load one or more CRLs and add them to the chained list
|
* Load one or more CRLs and add them to the chained list
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -46,6 +46,7 @@
|
||||||
#define DFL_REQUEST_PAGE "/"
|
#define DFL_REQUEST_PAGE "/"
|
||||||
#define DFL_DEBUG_LEVEL 0
|
#define DFL_DEBUG_LEVEL 0
|
||||||
#define DFL_CA_FILE ""
|
#define DFL_CA_FILE ""
|
||||||
|
#define DFL_CA_PATH ""
|
||||||
#define DFL_CRT_FILE ""
|
#define DFL_CRT_FILE ""
|
||||||
#define DFL_KEY_FILE ""
|
#define DFL_KEY_FILE ""
|
||||||
#define DFL_FORCE_CIPHER 0
|
#define DFL_FORCE_CIPHER 0
|
||||||
|
@ -62,6 +63,7 @@ struct options
|
||||||
int debug_level; /* level of debugging */
|
int debug_level; /* level of debugging */
|
||||||
char *request_page; /* page on server to request */
|
char *request_page; /* page on server to request */
|
||||||
char *ca_file; /* the file with the CA certificate(s) */
|
char *ca_file; /* the file with the CA certificate(s) */
|
||||||
|
char *ca_path; /* the path with the CA certificate(s) reside */
|
||||||
char *crt_file; /* the file with the client certificate */
|
char *crt_file; /* the file with the client certificate */
|
||||||
char *key_file; /* the file with the client key */
|
char *key_file; /* the file with the client key */
|
||||||
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
|
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
|
||||||
|
@ -79,6 +81,7 @@ void my_debug( void *ctx, int level, const char *str )
|
||||||
#if defined(POLARSSL_FS_IO)
|
#if defined(POLARSSL_FS_IO)
|
||||||
#define USAGE_IO \
|
#define USAGE_IO \
|
||||||
" ca_file=%%s default: \"\" (pre-loaded)\n" \
|
" ca_file=%%s default: \"\" (pre-loaded)\n" \
|
||||||
|
" ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
|
||||||
" crt_file=%%s default: \"\" (pre-loaded)\n" \
|
" crt_file=%%s default: \"\" (pre-loaded)\n" \
|
||||||
" key_file=%%s default: \"\" (pre-loaded)\n"
|
" key_file=%%s default: \"\" (pre-loaded)\n"
|
||||||
#else
|
#else
|
||||||
|
@ -164,6 +167,7 @@ int main( int argc, char *argv[] )
|
||||||
opt.debug_level = DFL_DEBUG_LEVEL;
|
opt.debug_level = DFL_DEBUG_LEVEL;
|
||||||
opt.request_page = DFL_REQUEST_PAGE;
|
opt.request_page = DFL_REQUEST_PAGE;
|
||||||
opt.ca_file = DFL_CA_FILE;
|
opt.ca_file = DFL_CA_FILE;
|
||||||
|
opt.ca_path = DFL_CA_PATH;
|
||||||
opt.crt_file = DFL_CRT_FILE;
|
opt.crt_file = DFL_CRT_FILE;
|
||||||
opt.key_file = DFL_KEY_FILE;
|
opt.key_file = DFL_KEY_FILE;
|
||||||
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
|
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
|
||||||
|
@ -201,6 +205,8 @@ int main( int argc, char *argv[] )
|
||||||
opt.request_page = q;
|
opt.request_page = q;
|
||||||
else if( strcmp( p, "ca_file" ) == 0 )
|
else if( strcmp( p, "ca_file" ) == 0 )
|
||||||
opt.ca_file = q;
|
opt.ca_file = q;
|
||||||
|
else if( strcmp( p, "ca_path" ) == 0 )
|
||||||
|
opt.ca_path = q;
|
||||||
else if( strcmp( p, "crt_file" ) == 0 )
|
else if( strcmp( p, "crt_file" ) == 0 )
|
||||||
opt.crt_file = q;
|
opt.crt_file = q;
|
||||||
else if( strcmp( p, "key_file" ) == 0 )
|
else if( strcmp( p, "key_file" ) == 0 )
|
||||||
|
@ -245,7 +251,9 @@ int main( int argc, char *argv[] )
|
||||||
fflush( stdout );
|
fflush( stdout );
|
||||||
|
|
||||||
#if defined(POLARSSL_FS_IO)
|
#if defined(POLARSSL_FS_IO)
|
||||||
if( strlen( opt.ca_file ) )
|
if( strlen( opt.ca_path ) )
|
||||||
|
ret = x509parse_crtpath( &cacert, opt.ca_path );
|
||||||
|
else if( strlen( opt.ca_file ) )
|
||||||
ret = x509parse_crtfile( &cacert, opt.ca_file );
|
ret = x509parse_crtfile( &cacert, opt.ca_file );
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue