Merge pull request #1644 from JacobBarthelmeh/Compatibility-Layer
Add CA when getting chain from X509 store
This commit is contained in:
commit
9f35d211e0
@ -8739,6 +8739,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
store->userCtx = ssl->verifyCbCtx;
|
||||
store->certs = args->certs;
|
||||
store->totalCerts = args->totalCerts;
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
store->store = ssl->ctx->x509_store_pt;
|
||||
}
|
||||
else {
|
||||
store->store = &ssl->ctx->x509_store;
|
||||
}
|
||||
#endif
|
||||
#if !defined(NO_CERTS)
|
||||
InitX509(x509, 1, ssl->heap);
|
||||
#if defined(KEEP_PEER_CERT) || \
|
||||
@ -8822,6 +8831,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
store->userCtx = ssl->verifyCbCtx;
|
||||
store->certs = args->certs;
|
||||
store->totalCerts = args->totalCerts;
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
store->store = ssl->ctx->x509_store_pt;
|
||||
}
|
||||
else {
|
||||
store->store = &ssl->ctx->x509_store;
|
||||
}
|
||||
#endif
|
||||
#if !defined(NO_CERTS)
|
||||
InitX509(x509, 1, ssl->heap);
|
||||
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
|
||||
@ -9411,6 +9429,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
store->userCtx = ssl->verifyCbCtx;
|
||||
store->certs = args->certs;
|
||||
store->totalCerts = args->totalCerts;
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
store->store = ssl->ctx->x509_store_pt;
|
||||
}
|
||||
else {
|
||||
store->store = &ssl->ctx->x509_store;
|
||||
}
|
||||
#endif
|
||||
#ifdef KEEP_PEER_CERT
|
||||
if (ssl->peerCert.subject.sz > 0)
|
||||
store->current_cert = &ssl->peerCert;
|
||||
@ -9464,6 +9491,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
store->userCtx = ssl->verifyCbCtx;
|
||||
store->certs = args->certs;
|
||||
store->totalCerts = args->totalCerts;
|
||||
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
store->store = ssl->ctx->x509_store_pt;
|
||||
}
|
||||
else {
|
||||
store->store = &ssl->ctx->x509_store;
|
||||
}
|
||||
#ifdef KEEP_PEER_CERT
|
||||
if (ssl->peerCert.subject.sz > 0)
|
||||
store->current_cert = &ssl->peerCert;
|
||||
|
44
src/ssl.c
44
src/ssl.c
@ -17840,6 +17840,8 @@ void wolfSSL_PKCS12_PBE_add(void)
|
||||
|
||||
WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain");
|
||||
|
||||
if (ctx == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
@ -17858,6 +17860,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
|
||||
XMEMSET(sk, 0, sizeof(WOLFSSL_STACK));
|
||||
ctx->chain = sk;
|
||||
|
||||
for (i = 0; i < c->count && i < MAX_CHAIN_DEPTH; i++) {
|
||||
WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, i);
|
||||
|
||||
@ -17870,9 +17873,41 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) {
|
||||
WOLFSSL_MSG("Unable to load x509 into stack");
|
||||
wolfSSL_sk_X509_free(sk);
|
||||
wolfSSL_X509_free(x509);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
|
||||
/* add CA used to verify top of chain to the list */
|
||||
if (c->count > 0) {
|
||||
WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);
|
||||
if (x509 != NULL) {
|
||||
WOLFSSL_X509* issuer = NULL;
|
||||
if (wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509)
|
||||
== WOLFSSL_SUCCESS) {
|
||||
/* check that the certificate being looked up is not self
|
||||
* signed and that a issuer was found */
|
||||
if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer,
|
||||
&x509->subject) != 0) {
|
||||
if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) {
|
||||
WOLFSSL_MSG("Unable to load CA x509 into stack");
|
||||
wolfSSL_sk_X509_free(sk);
|
||||
wolfSSL_X509_free(issuer);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG("Certificate is self signed");
|
||||
}
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG("Could not find CA for certificate");
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
}
|
||||
#endif /* SESSION_CERTS */
|
||||
|
||||
@ -32233,9 +32268,11 @@ int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url)
|
||||
ssl->url = url;
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY */
|
||||
#endif /* OCSP */
|
||||
#endif /* OPENSSL_ALL / WOLFSSL_NGINX / WOLFSSL_HAPROXY */
|
||||
|
||||
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
|
||||
#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
|
||||
defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
|
||||
int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** chain)
|
||||
{
|
||||
word32 idx;
|
||||
@ -32471,8 +32508,9 @@ char* wolfSSL_sk_WOLFSSL_STRING_value(WOLF_STACK_OF(WOLFSSL_STRING)* strings,
|
||||
return NULL;
|
||||
return strings->data.string;
|
||||
}
|
||||
#endif /* HAVE_OCSP */
|
||||
#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */
|
||||
|
||||
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
|
||||
#ifdef HAVE_ALPN
|
||||
void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data,
|
||||
unsigned int *len)
|
||||
|
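Review bot: The certificate fetched at `WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);` in the get_chain hunk is never released on any path, while the loop above frees its own wolfSSL_get_chain_X509 result when the push fails, which suggests the call hands back a newly allocated object that the caller owns. The `issuer` obtained from wolfSSL_X509_STORE_CTX_get1_issuer is likewise dropped on the "Certificate is self signed" branch, where the get1 naming suggests a reference the caller must release; both would be per-handshake leaks that a long-running server accumulates. I would add `wolfSSL_X509_free(x509);` after the `if (x509 != NULL) { ... }` block and again on the push-failure path before `return NULL;`, plus `if (issuer != NULL) wolfSSL_X509_free(issuer);` in the self-signed else branch. The same hunk compares the get1_issuer result against `WOLFSSL_SUCCESS` but the push result against `SSL_SUCCESS`; using one constant keeps the function consistent. The allocation of `sk` and the function's opening are outside the shown hunks.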
@ -1707,7 +1707,8 @@ struct WOLFSSL_OCSP {
|
||||
WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
|
||||
OcspEntry* ocspList; /* OCSP response list */
|
||||
wolfSSL_Mutex ocspLock; /* OCSP list lock */
|
||||
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
|
||||
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
|
||||
int(*statusCb)(WOLFSSL*, void*);
|
||||
#endif
|
||||
};
|
||||
@ -2371,7 +2372,8 @@ struct WOLFSSL_CTX {
|
||||
#ifdef OPENSSL_EXTRA
|
||||
WOLF_STACK_OF(WOLFSSL_X509_NAME)* ca_names;
|
||||
#endif
|
||||
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
|
||||
#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
|
||||
defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
|
||||
WOLF_STACK_OF(WOLFSSL_X509)* x509Chain;
|
||||
#endif
|
||||
#ifdef WOLFSSL_TLS13
|
||||
|
@ -2839,7 +2839,8 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)(
|
||||
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc));
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OCSP
|
||||
#if defined(HAVE_OCSP) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
|
||||
WOLFSSL_API int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx,
|
||||
WOLF_STACK_OF(X509)** chain);
|
||||
WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx,
|
||||
|