A... OK, got the point!

Aleksey

[EMAIL PROTECTED] wrote:
Aleksey,

I agree that they are both similar functions. However, I don't believe the 
xmlSecOpenSSLAppKeysMngrCertLoad() function can read multiple certs from a 
single file, which is what I want to do with 
xmlSecOpenSSLAppKeysMngrAddCertsFile(). Essentially, the new function is for 
loading an entire trust-store in one hit (like 
xmlSecOpenSSLAppKeysMngrAddCertsPath) rather than having to add certs 
individually. It also only loads PEM certs.

David.

Sorry, did not get to the patch last night... It looks good but
I wonder if new xmlSecOpenSSLAppKeysMngrAddCertsFile() can be
replaced with the existing xmlSecOpenSSLAppKeysMngrCertLoad()
function?

Aleksey

[EMAIL PROTECTED] wrote:
Thanks for this Aleksey.

I wonder if you would also be prepared to add the attached patch
(against the current CVS). It adds xmlSecOpenSSLAppKeysMngrAddCertsFile and
xmlSecOpenSSLX509StoreAddCertsFile functions which provide equivalent
functionality to the existing xmlSecOpenSSLAppKeysMngrAddCertsPath and
xmlSecOpenSSLX509StoreAddCertsPath functions, except that they let you specify
multiple certs in a single file. This makes it consistent with other products using
openssl (e.g. curl & mod_ssl) which allow you to use either or both methods
for specifying trusted certs. I'd like my app to support both methods if
possible.
Many thanks, David

You are right! This is a better way to do it! Please, see attached
patch that combines this change and my change for error handling
for X509_LOOKUP_add_dir() function. I hope it will work for you!

Thanks again for bug report and investigation!

Aleksey

------------------------------------------------------------------------

Index: include/xmlsec/openssl/app.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/app.h,v
retrieving revision 1.16
diff -r1.16 app.h
57a58,60
XMLSEC_CRYPTO_EXPORT int
xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr,
 const char *file);
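Review bot: the prototype spells the parameter `const char *file` while the matching x509.h hunk in this same patch uses `const char* file`; pick one pointer style for both new declarations so the two headers read consistently.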
Index: include/xmlsec/openssl/x509.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/x509.h,v
retrieving revision 1.21
diff -r1.21 x509.h
99a100,102
XMLSEC_CRYPTO_EXPORT int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store,
 const char* file);
Index: src/openssl/app.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/openssl/app.c,v
retrieving revision 1.45
diff -r1.45 app.c
1138a1139,1179
/**
 * xmlSecOpenSSLAppKeysMngrAddCertsFile:
 * @mngr:               the keys manager.
 * @file:               the file containing trusted certificates.
 *
 * Reads certs from @file and adds to the list of trusted certificates.
 * It is possible for @file to contain multiple certs.
 *
 * Returns 0 on success or a negative value otherwise.
 */
int
xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr, const char
*file) {
    xmlSecKeyDataStorePtr x509Store;
    int ret;

    xmlSecAssert2(mngr != NULL, -1);
    xmlSecAssert2(file != NULL, -1);

    x509Store = xmlSecKeysMngrGetDataStore(mngr,
xmlSecOpenSSLX509StoreId);
    if(x509Store == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    "xmlSecKeysMngrGetDataStore",
                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
                    "xmlSecOpenSSLX509StoreId");
        return(-1);
    }

    ret = xmlSecOpenSSLX509StoreAddCertsFile(x509Store, file);
    if(ret < 0) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    "xmlSecOpenSSLX509StoreAddCertsFile",
                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
                    "file=%s", xmlSecErrorsSafeString(file));
        return(-1);
    }

    return(0);
}

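Review bot: the gtk-doc comment at the top of the hunk ("Reads certs from @file") should state that @file must be PEM-encoded, since the store-level call this wrapper delegates to passes X509_FILETYPE_PEM and a DER file will only surface as a generic crypto failure; suggest adding a line such as ` * Only PEM encoded certificates are supported.` The body itself mirrors the existing keys-manager wrappers (asserts, fetch the x509 store, delegate, report with the file name), which is fine.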
Index: src/openssl/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/openssl/x509vfy.c,v
retrieving revision 1.29
diff -r1.29 x509vfy.c
553a554,595
/**
 * xmlSecOpenSSLX509StoreAddCertsFile:
 * @store: the pointer to OpenSSL x509 store.
 * @file: the certs file.
 *
 * Adds all certs in @file to the list of trusted certs
 * in @store. It is possible for @file to contain multiple certs.
 *
 * Returns 0 on success or a negative value otherwise.
 */
int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const
char *file) {
    xmlSecOpenSSLX509StoreCtxPtr ctx;
    X509_LOOKUP *lookup = NULL;

    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store,
xmlSecOpenSSLX509StoreId), -1);
    xmlSecAssert2(file != NULL, -1);

    ctx = xmlSecOpenSSLX509StoreGetCtx(store);
    xmlSecAssert2(ctx != NULL, -1);
    xmlSecAssert2(ctx->xst != NULL, -1);

    lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
    if(lookup == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                    "X509_STORE_add_lookup",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
    }
    if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
        xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                    "X509_LOOKUP_load_file",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
    }
    return(0);
}

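Review bot: the X509_LOOKUP_load_file() failure at the bottom of the hunk is reported with XMLSEC_ERRORS_NO_MESSAGE, so a wrong path, an unreadable file and a PEM file with no certificates all look identical in the log; pass the file name the way the app.c layer does, e.g. `"file=%s", xmlSecErrorsSafeString(file)`. Note also that the `if(!X509_LOOKUP_load_file(...))` check treats a zero return as an error, so a syntactically valid file that yields nothing is rejected rather than silently accepted, which is the right choice for a trust store.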

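The "trust store in one file" format the thread is about, as an added example that is not part of the xmlsec patch or of OpenSSL: a small Python model of how a PEM loader such as X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) walks a bundle, taking every CERTIFICATE and X509 CRL block, ignoring text between blocks, skipping private-key and corrupt blocks, and reporting 0 when nothing usable was loaded. The bundle contents are constructed (base64 of short labels, not real certificates).

```python
import base64
import binascii
import re

# Matches one PEM block; text outside blocks (comments, "subject=" lines that
# OpenSSL-style bundles often carry) is simply not matched and so ignored.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Object types that a PEM trust-store loader turns into trusted material.
_TRUST_LABELS = ("CERTIFICATE", "X509 CRL")


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...] for every well-formed PEM block in text."""
    objects = []
    for m in _PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())  # drop line breaks / whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue  # corrupt base64: this block is not a usable object
        objects.append((m.group("label"), der))
    return objects


def load_cert_crl_bundle(text):
    """Mirror X509_LOOKUP_load_file's PEM result: number of certs + CRLs loaded, 0 = failure."""
    return sum(1 for label, _ in parse_pem_bundle(text) if label in _TRUST_LABELS)


def _block(label, payload):
    """Build a constructed PEM block around an arbitrary payload (not a real cert)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed sample trust store: two CA "certs", one CRL, a stray private key
# that must not become a trust anchor, and a corrupt block that must be skipped.
SAMPLE_BUNDLE = (
    "# constructed sample bundle, not real certificates\n"
    + _block("CERTIFICATE", b"constructed root CA 1")
    + "subject=/CN=Root CA 2\n"
    + _block("CERTIFICATE", b"constructed root CA 2")
    + _block("X509 CRL", b"constructed CRL")
    + _block("RSA PRIVATE KEY", b"not a trust anchor")
    + "-----BEGIN CERTIFICATE-----\n!!!not base64!!!\n-----END CERTIFICATE-----\n"
)
```

With the hashed-directory method (the AddCertsPath functions) each of these objects would instead have to live in its own file; the single-file form is what lets an application ship one bundle the way curl and mod_ssl do.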
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
