Thanks for this Aleksey.
I wonder if you would also be prepared to add the attached patch (against the
current CVS). It adds xmlSecOpenSSLAppKeysMngrAddCertsFile and
xmlSecOpenSSLX509StoreAddCertsFile functions which provide equivalent functionality
to the existing xmlSecOpenSSLAppKeysMngrAddCertsPath and
xmlSecOpenSSLX509StoreAddCertsPath functions, except that they let you specify
multiple certs in a single file. This makes it consistent with other products using
openssl (eg. curl & mod_ssl) which allow you to use either or both methods for
specifying trusted certs. I'd like my app to support both methods if possible.
Many thanks, David
You are right! This is a better way to do it! Please, see attached
patch that combines this change and my change for error handling
for X509_LOOKUP_add_dir() function. I hope it will work for you!
Thanks again for the bug report and investigation!
Aleksey
------------------------------------------------------------------------
Index: include/xmlsec/openssl/app.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/app.h,v
retrieving revision 1.16
diff -r1.16 app.h
57a58,60
XMLSEC_CRYPTO_EXPORT int
xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr,
const
char *file);
Index: include/xmlsec/openssl/x509.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/x509.h,v
retrieving revision 1.21
diff -r1.21 x509.h
99a100,102
XMLSEC_CRYPTO_EXPORT int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store,
const
char* file);
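Review bot: The new prototype in x509.h writes the parameter as `char* file`, while the sibling declaration added to app.h and the definition in x509vfy.c bind the `*` to the name. Keeping the two new public declarations consistent is cheap: `const char *file);`.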
Index: src/openssl/app.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/openssl/app.c,v
retrieving revision 1.45
diff -r1.45 app.c
1138a1139,1179
/**
* xmlSecOpenSSLAppKeysMngrAddCertsFile:
* @mngr: the keys manager.
* @file: the file containing trusted certificates.
*
* Reads certs from @file and adds to the list of trusted certificates.
* It is possible for @file to contain multiple certs.
*
* Returns 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr, const char *file) {
xmlSecKeyDataStorePtr x509Store;
int ret;
xmlSecAssert2(mngr != NULL, -1);
xmlSecAssert2(file != NULL, -1);
x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
if(x509Store == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"xmlSecKeysMngrGetDataStore",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
"xmlSecOpenSSLX509StoreId");
return(-1);
}
ret = xmlSecOpenSSLX509StoreAddCertsFile(x509Store, file);
if(ret < 0) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"xmlSecOpenSSLX509StoreAddCertsFile",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
"file=%s", xmlSecErrorsSafeString(file));
return(-1);
}
return(0);
}
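Review bot: The doc comment on xmlSecOpenSSLAppKeysMngrAddCertsFile does not say what format @file must be in, yet the store function it wraps hard-codes X509_FILETYPE_PEM, so a DER bundle fails with only the generic "file=%s" error. Stating it on the parameter line avoids a confusing failure: ` * @file: the PEM file containing trusted certificates.`. It would also help to say that every certificate in the file is added as trusted for verification, mirroring the existing xmlSecOpenSSLAppKeysMngrAddCertsPath, so callers understand the scope of trust they grant with a single call.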
Index: src/openssl/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/openssl/x509vfy.c,v
retrieving revision 1.29
diff -r1.29 x509vfy.c
553a554,595
/**
* xmlSecOpenSSLX509StoreAddCertsFile:
* @store: the pointer to OpenSSL x509 store.
* @file: the certs file.
*
* Adds all certs in @file to the list of trusted certs
* in @store. It is possible for @file to contain multiple certs.
*
* Returns 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char
*file) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId),
-1);
xmlSecAssert2(file != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->xst != NULL, -1);
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
if(lookup == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_add_lookup",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_LOOKUP_load_file",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
return(0);
}
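Review bot: The X509_LOOKUP_load_file failure report at the end of the hunk passes XMLSEC_ERRORS_NO_MESSAGE, so a caller that uses this exported function directly (it is declared in x509.h) gets no indication of which trust file failed to load; the app.c wrapper adds the name, but this layer should too: `"file=%s", xmlSecErrorsSafeString(file));`. The doc comment should also state that @file must be PEM-encoded, since X509_FILETYPE_PEM is fixed in the load call, and that every certificate in the file becomes trusted; in PEM mode OpenSSL's file lookup also loads any CRLs it finds in the file, which is worth mentioning if that is intended. The `= NULL` initializer on `lookup` is dead, as the variable is assigned before its first read.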