certificate files. Upon startup, each client certificate configured will
be examined and a chain of trust will be constructed.
</p>
+<note type="warning"><title>Security warning</title>
+<p>If this directive is enabled, all of the certificates in the file will be
+trusted as if they were also in <directive module="mod_ssl">
+SSLProxyCACertificateFile</directive>.</p>
+</note>
<example><title>Example</title>
SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
</example>
int n, ncerts = 0;
STACK_OF(X509_INFO) *sk;
modssl_pk_proxy_t *pkp = mctx->pkp;
- STACK_OF(X509_INFO) *chain;
+ STACK_OF(X509) *chain;
+ X509_STORE_CTX *sctx;
+ X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
ssl_callback_proxy_cert);
ncerts);
pkp->certs = sk;
- if (!pkp->ca_cert_file) {
+
+ if (!pkp->ca_cert_file || !store) {
return;
}
/* Load all of the CA certs and construct a chain */
- sk = sk_X509_INFO_new_null();
+ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+ sctx = X509_STORE_CTX_new();
+
+ if (!sctx) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+ "SSL proxy client cert initialization failed");
+ ssl_die();
+ }
- SSL_X509_INFO_load_file(ptemp, sk, pkp->ca_cert_file);
- pkp->ca_certs = (STACK_OF(X509_INFO) **) apr_pcalloc(p, ncerts * sizeof(sk));
+ X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
for (n = 0; n < ncerts; n++) {
- int len;
+ int i;
X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);
- chain = sk_X509_INFO_new_null();
- len = SSL_X509_INFO_create_chain(inf->x509, sk, chain);
+ X509_STORE_CTX_init(sctx, store, inf->x509, NULL);
+ X509_verify_cert(sctx);
+ ERR_clear_error();
+
+ chain = X509_STORE_CTX_get1_chain(sctx);
+ sk_X509_shift(chain);
+ i=sk_X509_num(chain);
pkp->ca_certs[n] = chain;
+ X509_STORE_CTX_cleanup(sctx);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"client certificate %i has loaded %i "
- "intermediary signers ", n, len);
+ "intermediate CA%s", n, i, i == 1 ? "" : "s");
}
- sk_X509_INFO_free(sk);
+ X509_STORE_CTX_free(sctx);
}
static void ssl_init_proxy_ctx(server_rec *s,
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
X509_NAME *ca_name, *issuer, *ca_issuer;
- X509_INFO *info, *ca_info;
+ X509_INFO *info;
+ X509 *ca_cert;
STACK_OF(X509_NAME) *ca_list;
STACK_OF(X509_INFO) *certs = sc->proxy->pkp->certs;
- STACK_OF(X509_INFO) *ca_certs;
- STACK_OF(X509_INFO) **ca_cert_chains;
+ STACK_OF(X509) *ca_certs;
+ STACK_OF(X509) **ca_cert_chains;
int i, j, k;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
return TRUE;
}
- if (ca_cert_chains) {
+ if (ca_cert_chains) {
/*
- * Failed to find direct issuer - search intermediaries
+ * Failed to find direct issuer - search intermediates
* (by issuer name), if provided.
*/
ca_certs = ca_cert_chains[j];
- for (k = 0; k < sk_X509_INFO_num(ca_certs); k++) {
- ca_info = sk_X509_INFO_value(ca_certs, k);
- ca_issuer = X509_get_issuer_name(ca_info->x509);
+ for (k = 0; k < sk_X509_num(ca_certs); k++) {
+ ca_cert = sk_X509_value(ca_certs, k);
+ ca_issuer = X509_get_issuer_name(ca_cert);
if(X509_NAME_cmp(ca_issuer, ca_name) == 0 ) {
- modssl_proxy_info_log(c, info, "found acceptable cert by intermediary");
+ modssl_proxy_info_log(c, info, "found acceptable cert by intermediate CA");
modssl_set_cert_info(info, x509, pkey);
-
+
return TRUE;
}
} /* end loop through chained certs */
const char *cert_path;
const char *ca_cert_file;
STACK_OF(X509_INFO) *certs;
- STACK_OF(X509_INFO) **ca_certs; /* ptr to array of ptrs */
+ STACK_OF(X509) **ca_certs; /* ptr to array of ptrs */
} modssl_pk_proxy_t;
/** stuff related to authentication that can also be per-dir */
return ok;
}
-/*
- * Construct a stack of X509_INFO containing only certificates
- * that have signed the provided certificate or are an intermediary
- * signer of the certificate
-*/
-int SSL_X509_INFO_create_chain(const X509 *x509,
- STACK_OF(X509_INFO) *ca_certs,
- STACK_OF(X509_INFO) *chain)
-{
- int can_proceed = 1;
- int len = 0;
- int i;
- X509 *certificate = (X509 *)x509;
- X509_INFO *info;
- X509_NAME *cert_issuer_name, *ca_name, *ca_issuer_name;
-
- while (can_proceed) {
- can_proceed = 0;
- cert_issuer_name = X509_get_issuer_name(certificate);
-
- for (i = 0; i < sk_X509_INFO_num(ca_certs); i++) {
- info = sk_X509_INFO_value(ca_certs, i);
- ca_name = X509_get_subject_name(info->x509);
- ca_issuer_name = X509_get_issuer_name(info->x509);
-
- if (X509_NAME_cmp(cert_issuer_name, ca_name) == 0) {
- /* Check for a self-signed cert (no issuer) */
- can_proceed = X509_NAME_cmp(ca_name, ca_issuer_name) == 0
- ? 0 : 1;
- len++;
- certificate = info->x509;
- sk_X509_INFO_unshift(chain, info);
- break;
- }
- }
- }
-
- return len;
-}
-
/* _________________________________________________________________
**
** Extra Server Certificate Chain Support
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
-int SSL_X509_INFO_create_chain(const X509 *, STACK_OF(X509_INFO) *, STACK_OF(X509_INFO) *);
#endif /* __SSL_UTIL_SSL_H__ */
/** @} */
projects / apache / commitdiff