Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/

Sat, 03 Sep 2011 13:42:03 -0700 

On 9/3/2011 11:26 AM, Dr Stephen Henson wrote:
> Some errors (signature error, expired certificates) should arguably logged or
> even treated as fatal errors. This would be because the cause is a badly
> configured server and it is better to get the user to fix their configuration
> than send a certificate chain that is invalid.
>
> In other cases you may hit problems because sometimes a certificate "chain"
> which doesn't quite fit the PKIX definition is used. An example would be a 
> proxy
> certificate chain (for some value of "proxy", not necessarily standard)
> where some certificates in the chain are not CA certificates in the normal
> definition (basic constraints CA=TRUE). That kind of "chain" cannot directly 
> be
> built up using X509_verify_cert().

Thank you for the note. I was hoping you and Kaspar would comment on the
updated method I'm using. Rather than storing the chain as
STACK_OF(X509_INFO) I have switched to STACK_OF(X509) and am using the
following function to build the chain.
Comments are definitely appreciated as I don't have a very good frame of
reference for using X509_verify_cert().

int SSL_X509_create_chain(const X509 *x509,
                          STACK_OF(X509_INFO) *ca_certs,
                          STACK_OF(X509) *chain)
{
    int i;
    X509_STORE_CTX *ctx;
    X509 *cert = (X509 *)x509;
    X509_INFO *ca_cert;
    STACK_OF(X509) *verified_stack;
    STACK_OF(X509) *tmp_stack=sk_X509_new_null();

    /* construct a temporary X509 chain from the X509_INFO chain */
    for(i = 0; i < sk_X509_INFO_num(ca_certs); i++) {
        ca_cert=sk_X509_INFO_value(ca_certs, i);
        sk_X509_push(tmp_stack, ca_cert->x509);
        }

    ctx = X509_STORE_CTX_new();
    if (ctx == NULL){
        sk_X509_pop_free(tmp_stack, X509_free);
        return -1;
        }
    if (!X509_STORE_CTX_init(ctx, NULL, cert, NULL)) {
        sk_X509_pop_free(tmp_stack, X509_free);
        return -1;
        }
    X509_STORE_CTX_trusted_stack(ctx, tmp_stack);

    X509_verify_cert(ctx);
    /* Ignore verification errors */
    ERR_clear_error();

    verified_stack=X509_STORE_CTX_get1_chain(ctx);

    for(i = sk_X509_num(tmp_stack) - 1; i >= 0; i--) {
        sk_X509_push(chain, sk_X509_value(tmp_stack, i));
    }

    X509_STORE_CTX_free(ctx);
    return sk_X509_num(chain);

}

-- 
--
Daniel Ruggeri

Reply via email to