[xmlsec] Trusted certs directory
Aleksey Sanin
aleksey at aleksey.com
Fri Aug 18 08:00:33 PDT 2006
A... OK, got the point!
Aleksey
dnorrell at gmx.net wrote:
> Aleksey,
>
> I agree that they are both similar functions. However, I don't believe the xmlSecOpenSSLAppKeysMngrCertLoad() function can read multiple certs from a single file, which is what I want to do with xmlSecOpenSSLAppKeysMngrAddCertsFile(). Essentially, the new function is for loading an entire trust-store in one hit (like xmlSecOpenSSLAppKeysMngrAddCertsPath) rather than having to add certs individually. It also only loads PEM certs.
>
> David.
>
>> Sorry, did not get to the patch last night... It looks good but
>> I wonder if new xmlSecOpenSSLAppKeysMngrAddCertsFile() can be
>> replaced with the existing xmlSecOpenSSLAppKeysMngrCertLoad()
>> function?
>>
>> Aleksey
>>
>> dnorrell at gmx.net wrote:
>>> Thanks for this Aleksey.
>>>
>>> I wonder if you would also be prepared to add the attached patch
>> (against the current CVS). It adds xmlSecOpenSSLAppKeysMngrAddCertsFile and
>> xmlSecOpenSSLX509StoreAddCertsFile functions which provide equivalent
>> functionality to the existing xmlSecOpenSSLAppKeysMngrAddCertsPath and
>> xmlSecOpenSSLX509StoreAddCertsPath functions, except that they let you specify multiple
>> certs in a single file. This makes it consistent with other products using
>> openssl (eg. curl & mod_ssl) which allow you to use either or both methods
>> for specifying trusted certs. I'd like my app to support both methods if
>> possible.
>>> Many thanks, David
>>>
>>>> You are right! This is a better way to do it! Please, see attached
>>>> patch that combines this change and my change for error handling
>>>> for X509_LOOKUP_add_dir() function. I hope it will work for you!
>>>>
>>>> Thanks again for bug report and investigation!
>>>>
>>>> Aleksey
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Index: include/xmlsec/openssl/app.h
>>> ===================================================================
>>> RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/app.h,v
>>> retrieving revision 1.16
>>> diff -r1.16 app.h
>>> 57a58,60
>>>> XMLSEC_CRYPTO_EXPORT int
>> xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr,
>>>>
>> const char *file);
>>> Index: include/xmlsec/openssl/x509.h
>>> ===================================================================
>>> RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/x509.h,v
>>> retrieving revision 1.21
>>> diff -r1.21 x509.h
>>> 99a100,102
>>>> XMLSEC_CRYPTO_EXPORT int
>> xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store,
>>>>
>> const char* file);
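Review bot: style nit in the xmlSecOpenSSLX509StoreAddCertsFile declaration: it spells the parameter `const char* file`, while the app.h declaration added in the same patch and the definition in x509vfy.c use `const char *file`; keep the pointer style consistent across the three places.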
>>> Index: src/openssl/app.c
>>> ===================================================================
>>> RCS file: /cvs/gnome/xmlsec/src/openssl/app.c,v
>>> retrieving revision 1.45
>>> diff -r1.45 app.c
>>> 1138a1139,1179
>>>> /**
>>>> * xmlSecOpenSSLAppKeysMngrAddCertsFile:
>>>> * @mngr: the keys manager.
>>>> * @file: the file containing trusted certificates.
>>>> *
>>>> * Reads certs from @file and adds to the list of trusted certificates.
>>>> * It is possible for @file to contain multiple certs.
>>>> *
>>>> * Returns 0 on success or a negative value otherwise.
>>>> */
>>>> int
>>>> xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr, const char
>> *file) {
>>>> xmlSecKeyDataStorePtr x509Store;
>>>> int ret;
>>>>
>>>> xmlSecAssert2(mngr != NULL, -1);
>>>> xmlSecAssert2(file != NULL, -1);
>>>>
>>>> x509Store = xmlSecKeysMngrGetDataStore(mngr,
>> xmlSecOpenSSLX509StoreId);
>>>> if(x509Store == NULL) {
>>>> xmlSecError(XMLSEC_ERRORS_HERE,
>>>> NULL,
>>>> "xmlSecKeysMngrGetDataStore",
>>>> XMLSEC_ERRORS_R_XMLSEC_FAILED,
>>>> "xmlSecOpenSSLX509StoreId");
>>>> return(-1);
>>>> }
>>>>
>>>> ret = xmlSecOpenSSLX509StoreAddCertsFile(x509Store, file);
>>>> if(ret < 0) {
>>>> xmlSecError(XMLSEC_ERRORS_HERE,
>>>> NULL,
>>>> "xmlSecOpenSSLX509StoreAddCertsFile",
>>>> XMLSEC_ERRORS_R_XMLSEC_FAILED,
>>>> "file=%s", xmlSecErrorsSafeString(file));
>>>> return(-1);
>>>> }
>>>>
>>>> return(0);
>>>> }
>>>>
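Review bot: the doc comment for xmlSecOpenSSLAppKeysMngrAddCertsFile should say that @file must be PEM-encoded, because the underlying xmlSecOpenSSLX509StoreAddCertsFile hardcodes X509_FILETYPE_PEM (David also notes the function only loads PEM certs), so a DER file fails with a generic "X509_LOOKUP_load_file" error that gives the caller no hint about the cause. Suggest ` * Reads PEM certs from @file (the file may contain several) and adds` / ` * them to the list of trusted certificates.`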
>>> Index: src/openssl/x509vfy.c
>>> ===================================================================
>>> RCS file: /cvs/gnome/xmlsec/src/openssl/x509vfy.c,v
>>> retrieving revision 1.29
>>> diff -r1.29 x509vfy.c
>>> 553a554,595
>>>> /**
>>>> * xmlSecOpenSSLX509StoreAddCertsFile:
>>>> * @store: the pointer to OpenSSL x509 store.
>>>> * @file: the certs file.
>>>> *
>>>> * Adds all certs in @file to the list of trusted certs
>>>> * in @store. It is possible for @file to contain multiple certs.
>>>> *
>>>> * Returns 0 on success or a negative value otherwise.
>>>> */
>>>> int
>>>> xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const
>> char *file) {
>>>> xmlSecOpenSSLX509StoreCtxPtr ctx;
>>>> X509_LOOKUP *lookup = NULL;
>>>>
>>>> xmlSecAssert2(xmlSecKeyDataStoreCheckId(store,
>> xmlSecOpenSSLX509StoreId), -1);
>>>> xmlSecAssert2(file != NULL, -1);
>>>>
>>>> ctx = xmlSecOpenSSLX509StoreGetCtx(store);
>>>> xmlSecAssert2(ctx != NULL, -1);
>>>> xmlSecAssert2(ctx->xst != NULL, -1);
>>>>
>>>> lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
>>>> if(lookup == NULL) {
>>>> xmlSecError(XMLSEC_ERRORS_HERE,
>>>>
>> xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
>>>> "X509_STORE_add_lookup",
>>>> XMLSEC_ERRORS_R_CRYPTO_FAILED,
>>>> XMLSEC_ERRORS_NO_MESSAGE);
>>>> return(-1);
>>>> }
>>>> if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
>>>> xmlSecError(XMLSEC_ERRORS_HERE,
>>>>
>> xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
>>>> "X509_LOOKUP_load_file",
>>>> XMLSEC_ERRORS_R_CRYPTO_FAILED,
>>>> XMLSEC_ERRORS_NO_MESSAGE);
>>>> return(-1);
>>>> }
>>>> return(0);
>>>> }
>>>>
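Review bot: X509_LOOKUP_load_file with X509_FILETYPE_PEM makes OpenSSL take every PEM object it understands from @file, CRLs included (the file lookup routes PEM input through X509_load_cert_crl_file), and everything loaded lands in ctx->xst as trusted material; the doc comment only says "all certs", so either state that CRLs in the file are loaded too or say the file should contain nothing but the intended trust anchors. On the error path, both xmlSecError calls pass XMLSEC_ERRORS_NO_MESSAGE, so this layer never records which file failed; the app.c wrapper logs `"file=%s", xmlSecErrorsSafeString(file)`, and doing the same in the X509_LOOKUP_load_file failure branch here would keep the two layers consistent. Calling the function more than once is fine: X509_STORE_add_lookup returns the already-registered file lookup instead of adding a second one, so several bundles can be loaded into the same store.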
>
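The thread's point is that a single file can carry a whole trust store (several PEM objects concatenated, the layout curl and mod_ssl accept) while the hash-dir method holds one cert per file. The following C program, an added example that is not part of this thread or of xmlsec, scans such a bundle and reports how many CERTIFICATE and X509 CRL blocks a PEM file lookup would consume, and rejects a bundle with an unterminated block. The bundle text, the `pem_summary` struct and the `pem_bundle_summary` function are mine; the base64 payloads are dummy bytes, not real certificates.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample trust-store bundle: two certificates and one CRL in one
 * file. The base64 bodies are placeholder bytes, not real DER. */
static const char SAMPLE_BUNDLE[] =
    "# Root CA (constructed placeholder, not a real certificate)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBAQID\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n"
    "MIIBAQIDBAU=\n"
    "-----END X509 CRL-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBAQIDBAUGBwg=\n"
    "-----END CERTIFICATE-----\n";

struct pem_summary {
    int certs;     /* "CERTIFICATE" blocks: become trust anchors when loaded */
    int crls;      /* "X509 CRL" blocks: a PEM file lookup loads these as well */
    int other;     /* any other BEGIN/END label (keys, requests, ...) */
    int malformed; /* BEGIN line without a matching END line */
};

/* Walk a PEM bundle and classify each BEGIN/END block by its label.
 * Returns the number of complete blocks, or -1 if a block is not terminated
 * (in which case out->malformed is set and the scan stops). */
int pem_bundle_summary(const char *pem, struct pem_summary *out)
{
    const char *p = pem;
    memset(out, 0, sizeof(*out));

    while ((p = strstr(p, "-----BEGIN ")) != NULL) {
        const char *label = p + strlen("-----BEGIN ");
        const char *label_end = strstr(label, "-----");
        size_t label_len;
        char end_marker[128];
        const char *end;

        if (label_end == NULL) { out->malformed++; return -1; }
        label_len = (size_t)(label_end - label);

        /* Build the matching "-----END <label>-----" marker. */
        if (label_len + 15 > sizeof(end_marker)) { out->malformed++; return -1; }
        snprintf(end_marker, sizeof(end_marker), "-----END %.*s-----",
                 (int)label_len, label);

        end = strstr(label_end, end_marker);
        if (end == NULL) { out->malformed++; return -1; }

        if (label_len == 11 && strncmp(label, "CERTIFICATE", 11) == 0)
            out->certs++;
        else if (label_len == 8 && strncmp(label, "X509 CRL", 8) == 0)
            out->crls++;
        else
            out->other++;

        p = end + strlen(end_marker);
    }
    return out->certs + out->crls + out->other;
}

int main(void)
{
    struct pem_summary s;
    int n = pem_bundle_summary(SAMPLE_BUNDLE, &s);
    printf("blocks=%d certs=%d crls=%d other=%d malformed=%d\n",
           n, s.certs, s.crls, s.other, s.malformed);
    return n < 0 ? 1 : 0;
}
```

The CRL counter is there because the distinction matters when you hand a bundle to a file lookup: anything in the file is loaded, so a trust-store bundle should contain only the anchors you intend to trust, and a pre-load check like this one is a cheap way to notice stray objects.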