generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make tls1_check_chain return a set of flags indicating checks passed

Browse Source 
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
This commit is contained in:
Dr. Stephen Henson
2012-07-27 13:39:23 +00:00
parent ec4a50b3c3
commit 6dbb6219e7
8 changed files with 280 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
apps/s_cb.c
View File

@@ -1134,12 +1134,45 @@ struct ssl_excert_st
struct ssl_excert_st *next, *prev;
};
struct chain_flags
{
int flag;
const char *name;
};
struct chain_flags chain_flags_list[] =
{
{CERT_PKEY_VALID, "Overall Validity"},
{CERT_PKEY_SIGN, "Sign with EE key"},
{CERT_PKEY_EE_SIGNATURE, "EE signature"},
{CERT_PKEY_CA_SIGNATURE, "CA signature"},
{CERT_PKEY_EE_PARAM, "EE key parameters"},
{CERT_PKEY_CA_PARAM, "CA key parameters"},
{CERT_PKEY_EXPLICIT_SIGN, "Explicity sign with EE key"},
{CERT_PKEY_ISSUER_NAME, "Issuer Name"},
{CERT_PKEY_CERT_TYPE, "Certificate Type"},
{0, NULL}
};
static void print_chain_flags(BIO *out, int flags)
{
struct chain_flags *ctmp = chain_flags_list;
while(ctmp->name)
{
BIO_printf(out, "\t%s: %s\n", ctmp->name,
flags & ctmp->flag ? "OK" : "NOT OK");
ctmp++;
}
}
/* Very basic selection callback: just use any certificate chain
* reported as valid. More sophisticated could prioritise according
* to local policy.
*/
static int set_cert_cb(SSL *ssl, void *arg)
{
int i, rv;
SSL_EXCERT *exc = arg;
SSL_certs_clear(ssl);
@@ -1151,10 +1184,20 @@ static int set_cert_cb(SSL *ssl, void *arg)
*/
while (exc->next)
exc = exc->next;
i = 0;
while(exc)
{
if (SSL_check_chain(ssl, exc->cert, exc->key, exc->chain))
i++;
rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
print_chain_flags(bio_err, rv);
if (rv & CERT_PKEY_VALID)
{
SSL_use_certificate(ssl, exc->cert);
SSL_use_PrivateKey(ssl, exc->key);