You are right! This is a better way to do it! Please see the attached
patch, which combines this change with my error-handling change
for the X509_LOOKUP_add_dir() function. I hope it will work for you!

Thanks again for bug report and investigation!

Aleksey
Index: src/openssl/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/openssl/x509vfy.c,v
retrieving revision 1.28
diff -u -r1.28 x509vfy.c
--- src/openssl/x509vfy.c       23 May 2006 01:39:39 -0000      1.28
+++ src/openssl/x509vfy.c       15 Aug 2006 15:28:12 -0000
@@ -540,13 +540,21 @@
                    XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
     }    
-    X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_DEFAULT);
+    if(!X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM)) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "X509_LOOKUP_add_dir",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       return(-1);
+    }
     return(0);
 }
 
 static int
 xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) {
     const xmlChar* path;
+    X509_LOOKUP *lookup = NULL;
     
     xmlSecOpenSSLX509StoreCtxPtr ctx;
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), 
-1);
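Review bot: The new check on `X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM)` reports the failure with `XMLSEC_ERRORS_NO_MESSAGE`, so the log never says which trusted-certificate directory was rejected. Passing `"path=%s", xmlSecErrorsSafeString(path)` as the final arguments (assuming `path` is a C string, as the call suggests) would make a misconfigured trust store diagnosable. As far as I know, OpenSSL's hash-dir lookup only records the directory at this point and opens it on the first certificate lookup, so a non-zero return does not show that the directory exists or is readable; a one-line comment above the call saying so would keep readers from treating it as validation. The function containing this call starts outside the hunk.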
@@ -575,20 +583,36 @@
        return(-1);
     }
     
+       
+    lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
+    if(lookup == NULL) {
+         xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "X509_STORE_add_lookup",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+         return(-1);
+    }    
+
     path = xmlSecOpenSSLGetDefaultTrustedCertsFolder();
     if(path != NULL) {
-       X509_LOOKUP *lookup = NULL;
-       
-       lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
-        if(lookup == NULL) {
+       if(!X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_PEM)) {
            xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                   "X509_STORE_add_lookup",
+                   "X509_LOOKUP_add_dir",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }    
+    } else {
+       if(!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "X509_LOOKUP_add_dir",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
            return(-1);
        }    
-       X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_DEFAULT);
     }
 
     ctx->untrusted = sk_X509_new_null();
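Review bot: The new `else` branch, `X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)`, changes trust policy and is not only error handling. When `xmlSecOpenSSLGetDefaultTrustedCertsFolder()` returned NULL the old code added no directory lookup at all, whereas the new code lets OpenSSL choose its default certificate directory, which it takes from the `SSL_CERT_DIR` environment variable before falling back to the compiled-in location. A store initialised this way then accepts chains ending in whatever that directory holds, and the process environment can influence the choice. I would state this on the branch, e.g. `/* no folder configured: OpenSSL uses SSL_CERT_DIR or its built-in cert dir as trust anchors */`, and in the store's API documentation. xmlSecOpenSSLX509StoreInitialize starts in the previous hunk and continues past this one.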