generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

New option to add CRLs for s_client and s_server.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2012-12-02 16:16:28 +00:00
parent 95ea531864
commit fdb78f3d88
8 changed files with 165 additions and 55 deletions

3
CHANGES

@ -4,6 +4,9 @@
Changes between 1.0.x and 1.1.0 [xx XXX xxxx] Changes between 1.0.x and 1.1.0 [xx XXX xxxx]
*) New options -CRL and -CRLform for s_client and s_server for CRLs.
[Steve Henson]
*) Extend OCSP I/O functions so they can be used for simple general purpose *) Extend OCSP I/O functions so they can be used for simple general purpose
HTTP as well as OCSP. New wrapper function which can be used to download HTTP as well as OCSP. New wrapper function which can be used to download
CRLs using the OCSP API. CRLs using the OCSP API.

49
apps/apps.c

@ -929,6 +929,55 @@ end:
return(x); return(x);
} }
X509_CRL *load_crl(char *infile, int format)
{
X509_CRL *x=NULL;
BIO *in=NULL;
if (format == FORMAT_HTTP)
{
load_cert_crl_http(infile, bio_err, NULL, &x);
return x;
}
in=BIO_new(BIO_s_file());
if (in == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
goto end;
}
}
if (format == FORMAT_ASN1)
x=d2i_X509_CRL_bio(in,NULL);
else if (format == FORMAT_PEM)
x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input crl\n");
goto end;
}
if (x == NULL)
{
BIO_printf(bio_err,"unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
end:
BIO_free(in);
return(x);
}
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip) const char *pass, ENGINE *e, const char *key_descrip)
{ {

1
apps/apps.h

@ -245,6 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
int add_oid_section(BIO *err, CONF *conf); int add_oid_section(BIO *err, CONF *conf);
X509 *load_cert(BIO *err, const char *file, int format, X509 *load_cert(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip); const char *pass, ENGINE *e, const char *cert_descrip);
X509_CRL *load_crl(char *infile, int format);
int load_cert_crl_http(const char *url, BIO *err, int load_cert_crl_http(const char *url, BIO *err,
X509 **pcert, X509_CRL **pcrl); X509 **pcert, X509_CRL **pcrl);
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,

50
apps/crl.c

@ -93,7 +93,6 @@ static const char *crl_usage[]={
NULL NULL
}; };
static X509_CRL *load_crl(char *file, int format);
static BIO *bio_out=NULL; static BIO *bio_out=NULL;
int MAIN(int, char **); int MAIN(int, char **);
@ -401,52 +400,3 @@ end:
apps_shutdown(); apps_shutdown();
OPENSSL_EXIT(ret); OPENSSL_EXIT(ret);
} }
static X509_CRL *load_crl(char *infile, int format)
{
X509_CRL *x=NULL;
BIO *in=NULL;
if (format == FORMAT_HTTP)
{
load_cert_crl_http(infile, bio_err, NULL, &x);
return x;
}
in=BIO_new(BIO_s_file());
if (in == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
goto end;
}
}
if (format == FORMAT_ASN1)
x=d2i_X509_CRL_bio(in,NULL);
else if (format == FORMAT_PEM)
x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input crl\n");
goto end;
}
if (x == NULL)
{
BIO_printf(bio_err,"unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
end:
BIO_free(in);
return(x);
}

4
apps/s_apps.h

@ -201,7 +201,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe); STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
int ssl_load_stores(SSL_CTX *ctx, int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile, const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile); const char *chCApath, const char *chCAfile,
STACK_OF(X509_CRL) *crls);
#endif #endif

31
apps/s_cb.c

@ -293,7 +293,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
return 0; return 0;
} }
return 1; return 1;
} }
@ -1670,9 +1669,36 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
return 1; return 1;
} }
static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
{
X509_CRL *crl;
int i;
if (crls)
{
for (i = 0; i < sk_X509_CRL_num(crls); i++)
{
crl = sk_X509_CRL_value(crls, i);
X509_STORE_add_crl(st, crl);
}
}
return 1;
}
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
{
X509_STORE *st;
if (crls)
{
st = SSL_CTX_get_cert_store(ctx);
add_crls_store(st, crls);
}
return 1;
}
int ssl_load_stores(SSL_CTX *ctx, int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile, const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile) const char *chCApath, const char *chCAfile,
STACK_OF(X509_CRL) *crls)
{ {
X509_STORE *vfy = NULL, *ch = NULL; X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0; int rv = 0;
@ -1681,6 +1707,7 @@ int ssl_load_stores(SSL_CTX *ctx,
vfy = X509_STORE_new(); vfy = X509_STORE_new();
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
goto err; goto err;
add_crls_store(vfy, crls);
SSL_CTX_set1_verify_cert_store(ctx, vfy); SSL_CTX_set1_verify_cert_store(ctx, vfy);
} }
if (chCApath || chCAfile) if (chCApath || chCAfile)

40
apps/s_client.c

@ -639,6 +639,10 @@ int MAIN(int argc, char **argv)
SSL_CONF_CTX *cctx = NULL; SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
char *crl_file = NULL;
int crl_format = FORMAT_PEM;
STACK_OF(X509_CRL) *crls = NULL;
meth=SSLv23_client_method(); meth=SSLv23_client_method();
apps_startup(); apps_startup();
@ -708,6 +712,11 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
cert_file= *(++argv); cert_file= *(++argv);
} }
else if (strcmp(*argv,"-CRL") == 0)
{
if (--argc < 1) goto bad;
crl_file= *(++argv);
}
else if (strcmp(*argv,"-sess_out") == 0) else if (strcmp(*argv,"-sess_out") == 0)
{ {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
@ -723,6 +732,11 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv)); cert_format = str2fmt(*(++argv));
} }
else if (strcmp(*argv,"-CRLform") == 0)
{
if (--argc < 1) goto bad;
crl_format = str2fmt(*(++argv));
}
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
{ {
if (badarg) if (badarg)
@ -1128,6 +1142,26 @@ bad:
} }
} }
if (crl_file)
{
X509_CRL *crl;
crl = load_crl(crl_file, crl_format);
if (!crl)
{
BIO_puts(bio_err, "Error loading CRL\n");
ERR_print_errors(bio_err);
goto end;
}
crls = sk_X509_CRL_new_null();
if (!crls || !sk_X509_CRL_push(crls, crl))
{
BIO_puts(bio_err, "Error adding CRL\n");
ERR_print_errors(bio_err);
X509_CRL_free(crl);
goto end;
}
}
if (!load_excert(&exc, bio_err)) if (!load_excert(&exc, bio_err))
goto end; goto end;
@ -1179,7 +1213,7 @@ bad:
goto end; goto end;
} }
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
{ {
BIO_printf(bio_err, "Error loading store locations\n"); BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
@ -1241,6 +1275,8 @@ bad:
/* goto end; */ /* goto end; */
} }
ssl_ctx_add_crls(ctx, crls);
if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain)) if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
goto end; goto end;
@ -1983,6 +2019,8 @@ end:
if (ctx != NULL) SSL_CTX_free(ctx); if (ctx != NULL) SSL_CTX_free(ctx);
if (cert) if (cert)
X509_free(cert); X509_free(cert);
if (crls)
sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (key) if (key)
EVP_PKEY_free(key); EVP_PKEY_free(key);
if (pass) if (pass)

42
apps/s_server.c

@ -999,6 +999,10 @@ int MAIN(int argc, char *argv[])
SSL_CONF_CTX *cctx = NULL; SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
char *crl_file = NULL;
int crl_format = FORMAT_PEM;
STACK_OF(X509_CRL) *crls = NULL;
meth=SSLv23_server_method(); meth=SSLv23_server_method();
local_argc=argc; local_argc=argc;
@ -1077,6 +1081,11 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
s_cert_file= *(++argv); s_cert_file= *(++argv);
} }
else if (strcmp(*argv,"-CRL") == 0)
{
if (--argc < 1) goto bad;
crl_file= *(++argv);
}
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
else if (strcmp(*argv,"-authz") == 0) else if (strcmp(*argv,"-authz") == 0)
{ {
@ -1167,6 +1176,11 @@ int MAIN(int argc, char *argv[])
no_cache = 1; no_cache = 1;
else if (strcmp(*argv,"-ext_cache") == 0) else if (strcmp(*argv,"-ext_cache") == 0)
ext_cache = 1; ext_cache = 1;
else if (strcmp(*argv,"-CRLform") == 0)
{
if (--argc < 1) goto bad;
crl_format = str2fmt(*(++argv));
}
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
{ {
if (badarg) if (badarg)
@ -1567,6 +1581,26 @@ bad:
} }
#endif #endif
if (crl_file)
{
X509_CRL *crl;
crl = load_crl(crl_file, crl_format);
if (!crl)
{
BIO_puts(bio_err, "Error loading CRL\n");
ERR_print_errors(bio_err);
goto end;
}
crls = sk_X509_CRL_new_null();
if (!crls || !sk_X509_CRL_push(crls, crl))
{
BIO_puts(bio_err, "Error adding CRL\n");
ERR_print_errors(bio_err);
X509_CRL_free(crl);
goto end;
}
}
if (s_dcert_file) if (s_dcert_file)
{ {
@ -1702,10 +1736,12 @@ bad:
if (vpm) if (vpm)
SSL_CTX_set1_param(ctx, vpm); SSL_CTX_set1_param(ctx, vpm);
ssl_ctx_add_crls(ctx, crls);
if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe)) if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
goto end; goto end;
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
{ {
BIO_printf(bio_err, "Error loading store locations\n"); BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
@ -1768,6 +1804,8 @@ bad:
if (vpm) if (vpm)
SSL_CTX_set1_param(ctx2, vpm); SSL_CTX_set1_param(ctx2, vpm);
ssl_ctx_add_crls(ctx2, crls);
if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe)) if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
goto end; goto end;
} }
@ -1973,6 +2011,8 @@ end:
if (ctx != NULL) SSL_CTX_free(ctx); if (ctx != NULL) SSL_CTX_free(ctx);
if (s_cert) if (s_cert)
X509_free(s_cert); X509_free(s_cert);
if (crls)
sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (s_dcert) if (s_dcert)
X509_free(s_dcert); X509_free(s_dcert);
if (s_key) if (s_key)