From fc6fc7ff38ead45fa4d64a407a9cf9ce49f8b578 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 11 Apr 2012 16:53:11 +0000
Subject: [PATCH] Add options to set additional type specific certificate chains to s_server.

---
 apps/s_apps.h | 3 ++-
 apps/s_cb.c | 9 ++++++++-
 apps/s_client.c | 2 +-
 apps/s_server.c | 37 ++++++++++++++++++++++++++++++++-----
 4 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/apps/s_apps.h b/apps/s_apps.h
index 39a11d9a77..5de65329a9 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -154,7 +154,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+ STACK_OF(X509) *chain);
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s);
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 4395f194aa..b21a4283df 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -250,7 +250,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 return(1);
 }

-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+ STACK_OF(X509) *chain)
 {
 if (cert == NULL)
 return 1;
@@ -275,6 +276,12 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
 BIO_printf(bio_err,"Private key does not match the certificate public key\n");
 return 0;
 }
+ if (chain && !SSL_CTX_set1_chain(ctx, chain))
+ {
+ BIO_printf(bio_err,"error setting certificate chain\n");
+ ERR_print_errors(bio_err);
+ return 0;
+ }
 return 1;
 }

diff --git a/apps/s_client.c b/apps/s_client.c
index 55facead51..16f1ac37db 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
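Review bot: The new `chain` parameter of set_cert_key_stuff is left undocumented in the prototype, and its ownership is the thing a caller needs to know: the s_cb.c implementation passes it to SSL_CTX_set1_chain, which copies the stack into the context rather than taking it over, so the caller still has to free what it loaded. A one-line comment above the declaration would settle that: `/* chain may be NULL; it is copied into ctx, the caller keeps ownership and must free it */`.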
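Review bot: The stack handed to SSL_CTX_set1_chain in the new block is attached as-is; nothing in set_cert_key_stuff checks that it actually issues the certificate set just before it, or that it does not repeat the end-entity certificate, so a wrong `-cert_chain` file is accepted here and only surfaces as a verification failure on the peer. A comment at the new `if` would make that limitation visible to the next reader: `/* chain is not validated against cert: a mismatched or leaf-including file is sent to the peer unchanged */`. The error branch also differs from the key-mismatch branch just above it, which prints one line and returns 0 without ERR_print_errors; if the extra dump is deliberate because SSL_CTX_set1_chain may leave entries on the error queue, a short comment saying so would stop someone from "harmonising" it away. The enclosing function starts in the previous hunk.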
@@ -1170,7 +1170,7 @@ bad:
 #endif
 SSL_CTX_set_verify(ctx,verify,verify_callback);

- if (!set_cert_key_stuff(ctx,cert,key))
+ if (!set_cert_key_stuff(ctx,cert,key, NULL))
 goto end;

 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
diff --git a/apps/s_server.c b/apps/s_server.c
index 063a9f6c41..bb791e08e7 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -270,12 +270,12 @@ extern int verify_depth, verify_return_error;
 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
-static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
 static char *curves=NULL;
 #endif
-static char *s_dcert_file=NULL,*s_dkey_file=NULL;
+static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO
 static int s_nbio=0;
 #endif
@@ -435,8 +435,10 @@ static void s_server_init(void)
 s_server_verify=SSL_VERIFY_NONE;
 s_dcert_file=NULL;
 s_dkey_file=NULL;
+ s_dchain_file=NULL;
 s_cert_file=TEST_CERT;
 s_key_file=NULL;
+ s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 curves=NULL;
 s_cert_file2=TEST_CERT2;
@@ -961,6 +963,7 @@ int MAIN(int argc, char *argv[])
 char *dpassarg = NULL, *dpass = NULL;
 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
 X509 *s_cert = NULL, *s_dcert = NULL;
+ STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
 int no_cache = 0, ext_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
@@ -1061,6 +1064,11 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 passarg = *(++argv);
 }
+ else if (strcmp(*argv,"-cert_chain") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_chain_file= *(++argv);
+ }
 else if (strcmp(*argv,"-dhparam") == 0)
 {
 if (--argc < 1) goto bad;
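Review bot: `s_dchain_file` on the second changed line is declared `char *` while `s_chain_file` on the first is `const char *`; both only ever receive argv strings, so the new variable should not inherit the non-const type of the `s_dcert_file` declaration it was appended to. Giving it its own line, `static const char *s_dchain_file=NULL;`, keeps the two chain-file globals consistent without touching the existing declaration.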
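Review bot: The new `-cert_chain` option parsed here, and `-dcert_chain` in the following hunk, are not described anywhere: going by the diffstat every changed s_server.c line is accounted for by the hunks shown, so the usage text is untouched and `s_server -help` will list neither option, nor say that the file is read as PEM only and should hold just the intermediates, not the end-entity certificate. A pair of lines in the usage printer, e.g. `BIO_printf(bio_err," -cert_chain arg - PEM file with the intermediate certificates sent with -cert\n");` and the same for `-dcert_chain`, would close that gap.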
@@ -1098,6 +1106,11 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 s_dkey_file= *(++argv);
 }
+ else if (strcmp(*argv,"-dcert_chain") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_dchain_file= *(++argv);
+ }
 else if (strcmp(*argv,"-nocert") == 0)
 {
 nocert=1;
@@ -1434,6 +1447,13 @@ bad:
 ERR_print_errors(bio_err);
 goto end;
 }
+ if (s_chain_file)
+ {
+ s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM,
+ NULL, e, "server certificate chain");
+ if (!s_chain)
+ goto end;
+ }

 #ifndef OPENSSL_NO_TLSEXT
 if (tlsextcbp.servername)
@@ -1497,6 +1517,13 @@ bad:
 ERR_print_errors(bio_err);
 goto end;
 }
+ if (s_dchain_file)
+ {
+ s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM,
+ NULL, e, "second server certificate chain");
+ if (!s_dchain)
+ goto end;
+ }

 }

@@ -1760,15 +1787,15 @@ bad:
 }
 #endif

- if (!set_cert_key_stuff(ctx,s_cert,s_key))
+ if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
 goto end;
 #ifndef OPENSSL_NO_TLSEXT
- if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
+ if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
 goto end;
 #endif
 if (s_dcert != NULL)
 {
- if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+ if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
 goto end;
 }

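Review bot: The `s_chain` stack loaded here (and `s_dchain` in the next hunk) is never released in any visible hunk: set_cert_key_stuff passes it to SSL_CTX_set1_chain, which copies it, so unless the `end:` label already frees these outside this diff both stacks leak on every path, and `sk_X509_pop_free(s_chain, X509_free);` plus the same for `s_dchain` at the label would fix it. The format is also hard-coded to `FORMAT_PEM` while the certificate loaded just above honours the format option, which is worth either a `-certform`-style parameter or a comment `/* chain files are always PEM */`. Both load blocks appear to sit inside the existing certificate-loading conditionals, so `-cert_chain` together with `-nocert`, or `-dcert_chain` without `-dcert`, would presumably be ignored without any message; the enclosing `if` blocks begin outside the hunk, so this is inferred from the context lines.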
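Review bot: The SNI context `ctx2` still receives `NULL` for the chain on the second changed line, so when a client's server_name selects the `-cert2` certificate it is sent without intermediates even when `-cert_chain` was given, because the chain set by SSL_CTX_set1_chain belongs to the context that set it. If that asymmetry is intended for now, a comment at that call, `/* no chain option for ctx2 yet: the -cert2 certificate is sent without intermediates */`, should say so; otherwise a `-cert2_chain` option mirroring `-cert_chain` would fit the rest of this commit. The function continues outside the hunk.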