[xmlsec] Trusted certs directory

Aleksey Sanin aleksey at aleksey.com
Thu Aug 17 18:20:12 PDT 2006


Sorry, did not get to the patch last night... It looks good but
I wonder if new xmlSecOpenSSLAppKeysMngrAddCertsFile() can be
replaced with the existing xmlSecOpenSSLAppKeysMngrCertLoad()
function?

Aleksey

dnorrell at gmx.net wrote:
> Thanks for this Aleksey.
> 
> I wonder if you would also be prepared to add the attached patch (against the current CVS). It adds xmlSecOpenSSLAppKeysMngrAddCertsFile and xmlSecOpenSSLX509StoreAddCertsFile functions which provide equivalent functionality to the existing xmlSecOpenSSLAppKeysMngrAddCertsPath and xmlSecOpenSSLX509StoreAddCertsPath functions, except that they let you specify multiple certs in a single file. This makes it consistent with other products using openssl (e.g. curl & mod_ssl) which allow you to use either or both methods for specifying trusted certs. I'd like my app to support both methods if possible.
> 
> Many thanks, David
> 
>> You are right! This is a better way to do it! Please, see attached
>> patch that combines this change and my change for error handling
>> for X509_LOOKUP_add_dir() function. I hope it will work for you!
>>
>> Thanks again for bug report and investigation!
>>
>> Aleksey
> 
> 
> ------------------------------------------------------------------------
> 
> Index: include/xmlsec/openssl/app.h
> ===================================================================
> RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/app.h,v
> retrieving revision 1.16
> diff -r1.16 app.h
> 57a58,60
>> XMLSEC_CRYPTO_EXPORT int                xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr,
>>                                                                          const char *file);
>>
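Review bot: The new public prototype says nothing about the accepted encoding, while the x509vfy.c implementation passes X509_FILETYPE_PEM to X509_LOOKUP_load_file(), so a DER file handed to xmlSecOpenSSLAppKeysMngrAddCertsFile() fails only at load time; state the PEM requirement next to the declaration (or at least in the function's doc block) so callers do not have to discover it from the error.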
> Index: include/xmlsec/openssl/x509.h
> ===================================================================
> RCS file: /cvs/gnome/xmlsec/include/xmlsec/openssl/x509.h,v
> retrieving revision 1.21
> diff -r1.21 x509.h
> 99a100,102
>> XMLSEC_CRYPTO_EXPORT int                xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store,
>>                                                                          const char* file);
>>
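Review bot: Pointer style differs between the two headers: this prototype uses `const char* file`, whereas the app.h prototype and both .c definitions use `const char *file`; pick the `const char *file` form used everywhere else in the patch.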
> Index: src/openssl/app.c
> ===================================================================
> RCS file: /cvs/gnome/xmlsec/src/openssl/app.c,v
> retrieving revision 1.45
> diff -r1.45 app.c
> 1138a1139,1179
>> /**
>>  * xmlSecOpenSSLAppKeysMngrAddCertsFile:
>>  * @mngr:               the keys manager.
>>  * @file:               the file containing trusted certificates.
>>  *
>>  * Reads certs from @file and adds to the list of trusted certificates.
>>  * It is possible for @file to contain multiple certs.
>>  *
>>  * Returns 0 on success or a negative value otherwise.
>>  */
>> int
>> xmlSecOpenSSLAppKeysMngrAddCertsFile(xmlSecKeysMngrPtr mngr, const char *file) {
>>     xmlSecKeyDataStorePtr x509Store;
>>     int ret;
>>
>>     xmlSecAssert2(mngr != NULL, -1);
>>     xmlSecAssert2(file != NULL, -1);
>>
>>     x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
>>     if(x509Store == NULL) {
>>         xmlSecError(XMLSEC_ERRORS_HERE,
>>                     NULL,
>>                     "xmlSecKeysMngrGetDataStore",
>>                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
>>                     "xmlSecOpenSSLX509StoreId");
>>         return(-1);
>>     }
>>
>>     ret = xmlSecOpenSSLX509StoreAddCertsFile(x509Store, file);
>>     if(ret < 0) {
>>         xmlSecError(XMLSEC_ERRORS_HERE,
>>                     NULL,
>>                     "xmlSecOpenSSLX509StoreAddCertsFile",
>>                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
>>                     "file=%s", xmlSecErrorsSafeString(file));
>>         return(-1);
>>     }
>>
>>     return(0);
>> }
>>
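Review bot: The doc block's sentence "Reads certs from @file and adds to the list of trusted certificates." is missing its object and, more importantly, the format: the store-level function it wraps only accepts PEM, so "Reads PEM-encoded certs from @file and adds them to the list of trusted certificates." would tell callers what they need to know. The lookup of the X509 store and the propagation of a failed load, with the file name included in the error, are otherwise fine.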
> Index: src/openssl/x509vfy.c
> ===================================================================
> RCS file: /cvs/gnome/xmlsec/src/openssl/x509vfy.c,v
> retrieving revision 1.29
> diff -r1.29 x509vfy.c
> 553a554,595
>> /**
>>  * xmlSecOpenSSLX509StoreAddCertsFile:
>>  * @store: the pointer to OpenSSL x509 store.
>>  * @file: the certs file.
>>  *
>>  * Adds all certs in @file to the list of trusted certs
>>  * in @store. It is possible for @file to contain multiple certs.
>>  *
>>  * Returns 0 on success or a negative value otherwise.
>>  */
>> int
>> xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) {
>>     xmlSecOpenSSLX509StoreCtxPtr ctx;
>>     X509_LOOKUP *lookup = NULL;
>>
>>     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
>>     xmlSecAssert2(file != NULL, -1);
>>
>>     ctx = xmlSecOpenSSLX509StoreGetCtx(store);
>>     xmlSecAssert2(ctx != NULL, -1);
>>     xmlSecAssert2(ctx->xst != NULL, -1);
>>
>>     lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
>>     if(lookup == NULL) {
>>         xmlSecError(XMLSEC_ERRORS_HERE,
>>                     xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
>>                     "X509_STORE_add_lookup",
>>                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
>>                     XMLSEC_ERRORS_NO_MESSAGE);
>>         return(-1);
>>     }
>>     if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
>>         xmlSecError(XMLSEC_ERRORS_HERE,
>>                     xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
>>                     "X509_LOOKUP_load_file",
>>                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
>>                     XMLSEC_ERRORS_NO_MESSAGE);
>>         return(-1);
>>     }
>>     return(0);
>> }
>>
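Review bot: When X509_LOOKUP_load_file() fails the error is raised with XMLSEC_ERRORS_NO_MESSAGE, so the log shows neither the file name nor the reason; the app.c wrapper adds "file=%s" on its own, but direct callers of xmlSecOpenSSLX509StoreAddCertsFile() get nothing. Pass `"file=%s", xmlSecErrorsSafeString(file)` here too, as the wrapper does. Also worth confirming that the `!X509_LOOKUP_load_file(...)` check is intended to treat a zero return as failure: a file that is syntactically fine but contains no certificate then rejects the whole call rather than silently adding nothing to the trust store, which is the safer behaviour.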


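The feature under discussion hinges on one PEM file carrying several trusted certificates, which the patched loader rejects when it finds none. As an added example (not xmlsec or OpenSSL code), this Python pre-flight check splits such a bundle into its PEM blocks, verifies each body decodes to a well-formed DER SEQUENCE, and counts blocks by label so a mixed file (certificates plus an X509 CRL block) or an empty one is noticed before it is handed to the new API; the bundle is constructed in the code from stand-in DER objects, not real certificates.

```python
# Added example: pre-flight check for a multi-cert PEM bundle. Not xmlsec/OpenSSL code;
# it checks PEM armour and outer DER framing only, not certificate contents.
import base64
import re

# -----BEGIN <label>----- body -----END <label>-----; the END label must match BEGIN
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_total_length(der: bytes) -> int:
    """Total encoded length of the DER SEQUENCE that starts `der` (ValueError if malformed)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: single length byte
        return 2 + first
    n = first & 0x7F                      # long form: n big-endian length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_pem_bundle(text: str) -> list:
    """Return [(label, der_bytes), ...] for every PEM block; raise ValueError on bad base64/DER."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("%s block: declared DER length does not match body" % label)
        blocks.append((label, der))
    return blocks

def count_by_label(text: str) -> dict:
    """Blocks per PEM label, e.g. {'CERTIFICATE': 2, 'X509 CRL': 1}; {} means nothing to trust."""
    counts = {}
    for label, _ in parse_pem_bundle(text):
        counts[label] = counts.get(label, 0) + 1
    return counts

def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-column base64 (used to build the sample bundle)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

# Constructed stand-ins with valid SEQUENCE framing; they are not real X.509 objects.
SHORT_SEQ = b"\x30\x03\x02\x01\x01"                    # short-form length (3)
LONG_SEQ = b"\x30\x81\x80" + bytes(128)               # long-form length (0x81 0x80 = 128)
BUNDLE = pem_block("CERTIFICATE", SHORT_SEQ) + pem_block("X509 CRL", SHORT_SEQ) + pem_block("CERTIFICATE", LONG_SEQ)
```

`count_by_label(BUNDLE)` returns `{'CERTIFICATE': 2, 'X509 CRL': 1}`; an empty dict is the case the patched loader turns into an error.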

More information about the xmlsec mailing list