[xmlsec] New feature in xmlsec
jean-etienne.schwartz@bull.net
jean-etienne.schwartz@bull.net
Wed, 5 Feb 2003 16:47:09 +0100
Hello aleksey,
at first, really thank you for your good ``xmlsec'' library.
The hint of this feature is to improve the certificate verification
by adding a limitation in the certificate chain. This is necessary because
OpenSSL use a default maximum chain length of nine.
The next 'diffs' are made on the xmlsec-0.0.12 tree
The modifications in 'x509.c' are valid for OpenSSL-0.9.6 and OpenSSL-0.9.7
The test against a 0 value of depth is for backward compatibility (the key
manager is initialized with this value) and for semantics: a value of 0 allows
*ONLY* self-signed certificates.
Regards
Jean-Etienne SCHWARTZ
src/x509.c
if a maximum chain length is asked, give it to OpenSSL
Add the chain depth in the error message
--- ori/src/x509.c Sun Dec 22 07:52:15 2002
+++ src/x509.c Wed Feb 5 14:49:24 2003
@@ -1033,6 +1033,8 @@
X509_STORE_CTX xsc;
X509_STORE_CTX_init (&xsc, store->xst, cert, certs);
+ if (store->xst->depth > 0)
+ X509_STORE_CTX_set_depth (&xsc, store->xst->depth);
if(store->x509_store_flags & X509_V_FLAG_USE_CHECK_TIME) {
X509_STORE_CTX_set_time(&xsc, 0,
x509Data->certsVerificationTime);
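Review bot: The guard in front of the new X509_STORE_CTX_set_depth call skips exactly the value the cover note gives a meaning to: when `store->xst->depth == 0` nothing is passed to OpenSSL, so the context keeps OpenSSL's default chain limit instead of restricting verification to self-signed certificates as the note claims. If 0 is meant to be "not configured", the note and the public setter should say so; if it is meant to allow only self-signed chains, the call has to be made unconditionally (or a different sentinel such as -1 used for "unset"). The single-statement `if` should also be braced like the `if(store->x509_store_flags ...)` that follows it: `if (store->xst->depth > 0) { X509_STORE_CTX_set_depth(&xsc, store->xst->depth); }`. The enclosing verification function starts and ends outside the hunk.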
@@ -1069,8 +1071,8 @@
X509_NAME_oneline(X509_get_issuer_name(err_cert), buf,
256);
xmlSecError(XMLSEC_ERRORS_HERE,
XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
- "error=%d (%s); issuer=\"%s\"", err,
- X509_verify_cert_error_string(err), buf);
+ "error=%d (%s); depth=%d, issuer=\"%s\"", err,
+ X509_verify_cert_error_string(err), depth, buf);
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
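Review bot: Neither this hunk nor the one at @@ -1089 shows where `depth` is assigned, so it should be confirmed that it holds the depth at which verification failed (presumably from X509_STORE_CTX_get_error_depth, 0 being the end-entity certificate) and not the configured limit; printing the limit under the name `depth=%d` would read as the failing position while saying nothing about which certificate broke the chain. If it is the error depth, a one-line comment at its declaration, `/* depth of the certificate that failed verification, 0 = end-entity */`, would make the log message unambiguous. The switch and its enclosing function continue outside both hunks.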
@@ -1089,8 +1091,8 @@
default:
xmlSecError(XMLSEC_ERRORS_HERE,
XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
- "error=%d (%s)", err,
- X509_verify_cert_error_string(err));
+ "error=%d (%s); depth=%d", err,
+ X509_verify_cert_error_string(err), depth);
}
}
sk_X509_free(certs);
src/keysmngr.c
include/xmlsec/keysmngr.h
Add an API to specify the maximum chain length
--- ori/src/keysmngr.c Thu Oct 10 08:11:20 2002
+++ src/keysmngr.c Wed Feb 5 15:36:15 2003
@@ -718,4 +718,12 @@
}
+void
+xmlSecSimpleKeysMngrSetVerifyDepth(xmlSecKeysMngrPtr mngr, int depth) {
+ xmlSecAssert(mngr != NULL);
+ xmlSecAssert(mngr->x509Data != NULL);
+
+ if (depth > 0)
+ ((xmlSecX509StorePtr)mngr->x509Data)->xst->depth = depth ;
+}
#endif /* XMLSEC_NO_X509 */
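Review bot: `xmlSecSimpleKeysMngrSetVerifyDepth` silently drops any `depth <= 0`, so a caller can neither reset the limit back to OpenSSL's default nor request the "self-signed only" behaviour the cover note attributes to 0, and receives no indication that the value was ignored. Either state that contract on the function (`/* depth <= 0 leaves the current limit untouched */`) or store the value unconditionally and let the x509.c side decide how to interpret it. The body also writes `xst->depth` directly, which is a field of OpenSSL's X509_STORE rather than part of its API, so this will break as soon as the library makes the struct opaque; where the OpenSSL version in use provides X509_STORE_set_depth, prefer that call. Minor: brace the single-statement `if` and drop the space before `;`.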
--- ori/include/xmlsec/keysmngr.h Thu Oct 10 06:04:20 2002
+++ include/xmlsec/keysmngr.h Wed Feb 5 14:48:35 2003
@@ -76,6 +76,8 @@
const char *pwd);
XMLSEC_EXPORT void xmlSecSimpleKeysMngrSetCertsFlags(xmlSecKeysMngrPtr
mngr,
unsigned long
flags);
+XMLSEC_EXPORT void
xmlSecSimpleKeysMngrSetVerifyDepth(xmlSecKeysMngrPtr mngr,
+ int depth);
#endif /* XMLSEC_NO_X509 */
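Review bot: The new exported prototype carries no documentation although, like `xmlSecSimpleKeysMngrSetCertsFlags` next to it, it is part of the public key-manager API. Add a comment above it describing the contract: that `depth` limits how many certificates OpenSSL may follow when building the chain, what a non-positive value does (the posted implementation ignores it), and that the call has no effect on a manager built without X509 support. Note also that the declaration arrived line-wrapped by the mailer (`+XMLSEC_EXPORT void` / `xmlSecSimpleKeysMngrSetVerifyDepth(xmlSecKeysMngrPtr mngr,` / `+			int depth);`), so the middle line has lost its `+` marker and the patch will not apply as posted; the `--depth` option line in apps/xmlsec.c has the same problem.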
apps/xmlsec
the command line interface
--- ori/apps/xmlsec.c Mon Jan 27 07:00:34 2003
+++ apps/xmlsec.c Wed Feb 5 16:29:56 2003
@@ -181,6 +181,7 @@
#ifndef XMLSEC_NO_X509
" --pkcs12[:<name>] <file>\n"
" load private key from pkcs12 file\n"
+ " --depth <number> maximum chain depth\n"
#endif /* XMLSEC_NO_X509 */
#ifndef XMLSEC_NO_HMAC
" --hmackey[:<name>] <file>\n"
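Review bot: The new usage line says `--depth <number> maximum chain depth` but not which numbers are accepted or what happens when the option is omitted; since the setter behind it ignores non-positive values, a user who passes 0 expecting "self-signed only" silently gets the default limit. Suggest `"    --depth <number>        maximum certificate chain depth (positive integer; default: OpenSSL's own limit)\n"`, aligned with the neighbouring entries. The usage string continues outside the hunk.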
@@ -328,6 +329,7 @@
int pos;
int ret;
int templateRequired = 0;
+ int depth = 0;
/**
* Read the command
@@ -558,6 +560,11 @@
ret = 0;
} else {
ret = -1;
+ }
+ } else if((strncmp(argv[pos], "--depth", 7) == 0) && (pos + 1 <
argc)) {
+ depth = atoi(argv[++pos]);
+ if(keyMgr != NULL) {
+ xmlSecSimpleKeysMngrSetVerifyDepth(keyMgr, depth);
}
} else