Modify SSLProxyMachineCertificateChainFile to use X509 instead of X509_INFO and use openssl to construct the chain

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1170833 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2011-09-14 20:16:02 +00:00
parent 63e02b35ac
commit 47cf15b852
6 changed files with 42 additions and 62 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1115,7 +1115,9 @@ static void ssl_init_proxy_certs(server_rec *s,
    int n, ncerts = 0;
    STACK_OF(X509_INFO) *sk;
    modssl_pk_proxy_t *pkp = mctx->pkp;
-    STACK_OF(X509_INFO) *chain;
+    STACK_OF(X509) *chain;
+    X509_STORE_CTX *sctx;
+    X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);

    SSL_CTX_set_client_cert_cb(mctx->ssl_ctx,
                               ssl_callback_proxy_cert);
@@ -1161,29 +1163,42 @@ static void ssl_init_proxy_certs(server_rec *s,
                 ncerts);
    pkp->certs = sk;

-    if (!pkp->ca_cert_file) {
+
+    if (!pkp->ca_cert_file || !store) {
        return;
    }

    /* Load all of the CA certs and construct a chain */
-    sk = sk_X509_INFO_new_null();
+    pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+    sctx = X509_STORE_CTX_new();

-    SSL_X509_INFO_load_file(ptemp, sk, pkp->ca_cert_file);
-    pkp->ca_certs = (STACK_OF(X509_INFO) **) apr_pcalloc(p, ncerts * sizeof(sk));
+    if (!sctx) {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+                     "SSL proxy client cert initialization failed");
+        ssl_die();
+    }
+
+    X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);

    for (n = 0; n < ncerts; n++) {
-        int len;
+        int i;
        X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n);
-        chain = sk_X509_INFO_new_null();
-        len = SSL_X509_INFO_create_chain(inf->x509, sk, chain);
+        X509_STORE_CTX_init(sctx, store, inf->x509, NULL);
+        X509_verify_cert(sctx);
+        ERR_clear_error();
+
+        chain = X509_STORE_CTX_get1_chain(sctx);
+        sk_X509_shift(chain);
+        i=sk_X509_num(chain);
        pkp->ca_certs[n] = chain;
+        X509_STORE_CTX_cleanup(sctx);

        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                     "client certificate %i has loaded %i "
-                     "intermediary signers ", n, len);
+                     "intermediate CA%s", n, i, i == 1 ? "" : "s");
    }

-    sk_X509_INFO_free(sk);
+    X509_STORE_CTX_free(sctx);
 }

 static void ssl_init_proxy_ctx(server_rec *s,