diff options
| author | Chung-yih Wang <cywang@google.com> | 2009-09-01 16:36:06 +0800 |
|---|---|---|
| committer | Chung-yih Wang <cywang@google.com> | 2009-09-01 16:36:06 +0800 |
| commit | c71b33c4b0968b34be24a02f2d27ef75747052d7 (patch) | |
| tree | 2acfcdb259464dc783617cf33d31705af75a49af | |
| parent | 61149877668f2d0c95a9b9b0155f43b4191040bc (diff) | |
| download | wpa_supplicant-c71b33c4b0968b34be24a02f2d27ef75747052d7.tar.gz | |
Support certificate chain for CA cert from blob data.
We have to use PEM format for blob data and modify the ca_cert handling to
support certificate chain for CA certificates. Since the original code
can not support the CA chain from blob.
| -rw-r--r-- | eap_tls_common.c | 6 | ||||
| -rw-r--r-- | tls_openssl.c | 40 |
2 files changed, 42 insertions, 4 deletions
diff --git a/eap_tls_common.c b/eap_tls_common.c index de17886..bf9bf9c 100644 --- a/eap_tls_common.c +++ b/eap_tls_common.c @@ -162,7 +162,11 @@ struct wpa_config_blob *get_blob_from_keystore(const char *name) } } if (blob) { - convert_PEM_to_DER(blob); + // We have to use PEM format here and modify the ca_cert + // handling to support cert. chain for CA certificates. + // Since the original code can not support the CA chain + // from blob data. + if (strstr(name, "CACERT") == NULL) convert_PEM_to_DER(blob); add_temporal_blob(blob); } return blob; diff --git a/tls_openssl.c b/tls_openssl.c index cb6b974..2bbffea 100644 --- a/tls_openssl.c +++ b/tls_openssl.c @@ -43,7 +43,7 @@ struct tls_connection { SSL *ssl; BIO *ssl_in, *ssl_out; #ifndef OPENSSL_NO_ENGINE - ENGINE *engine; /* functional reference to the engine */ + ENGINE *engine; /* functional reference to the engine */ EVP_PKEY *private_key; /* the private key if using engine */ #endif /* OPENSSL_NO_ENGINE */ char *subject_match, *altsubject_match; @@ -571,7 +571,7 @@ static void ssl_info_cb(const SSL *ssl, int where, int ret) * @pre: an array of commands and values that load an engine initialized * in the engine specific function * @post: an array of commands and values that initialize an already loaded - * engine (or %NULL if not required) + * engine (or %NULL if not required) * @id: the engine id of the engine to load (only required if post is not %NULL * * This function is a generic function that loads any openssl engine. @@ -1092,6 +1092,34 @@ static int tls_load_ca_der(void *_ssl_ctx, const char *ca_cert) } #endif /* OPENSSL_NO_STDIO */ +#ifdef ANDROID +static int add_cert_chain_from_blob(X509_STORE *store, char *value, int size) +{ + int i, ret = -1; + BIO *bio = NULL; + STACK_OF(X509_INFO) *stack = NULL; + + bio = BIO_new(BIO_s_mem()); + if (bio == NULL) goto end; + BIO_write(bio, value, size); + stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL); + if (stack == NULL) goto end; + for (i = 0; i < sk_X509_INFO_num(stack); ++i) { + X509_INFO *info = sk_X509_INFO_value(stack, i); + if (info->x509) { + X509_STORE_add_cert(store, info->x509); + } + if (info->crl) { + X509_STORE_add_crl(store, info->crl); + } + } + sk_X509_INFO_pop_free(stack, X509_INFO_free); + ret = 0; +end: + if (bio != NULL) BIO_free(bio); + return ret; +} +#endif static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn, const char *ca_cert, const u8 *ca_cert_blob, @@ -1110,8 +1138,12 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn, "certificate store", __func__); return -1; } - if (ca_cert_blob) { +#ifdef ANDROID + return add_cert_chain_from_blob(ssl_ctx->cert_store, + (char*)ca_cert_blob, + (int)ca_cert_blob_len); +#else X509 *cert = d2i_X509(NULL, (OPENSSL_d2i_TYPE) &ca_cert_blob, ca_cert_blob_len); if (cert == NULL) { @@ -1141,8 +1173,10 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn, "to certificate store", __func__); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); return 0; +#endif } + #ifdef CONFIG_NATIVE_WINDOWS if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) == 0) { |