Thanks Dave!
Your suggestion and demo code are pretty good!
I also read the source code of the "SSL_CTX_load_verify_locations" API and
found that we can imitate the implementation of the "X509_load_cert_crl_file"
function in the X509_load_cert_crl_file file:
int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
{
    STACK_OF(X509_INFO) *inf;
    X509_INFO *itmp;
    BIO *in;
    int i, count = 0;

    /* only PEM files can carry a mix of certs and CRLs */
    if (type != X509_FILETYPE_PEM)
        return X509_load_cert_file(ctx, file, type);
    in = BIO_new_file(file, "r");
    if (!in) {
        X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB);
        return 0;
    }
    /* parse every PEM object in the file into a stack of X509_INFO */
    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
    BIO_free(in);
    if (!inf) {
        X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB);
        return 0;
    }
    for (i = 0; i < sk_X509_INFO_num(inf); i++) {
        itmp = sk_X509_INFO_value(inf, i);
        if (itmp->x509) {
            X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
            count++;
        }
        if (itmp->crl) {
            X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
            count++;
        }
    }
    sk_X509_INFO_pop_free(inf, X509_INFO_free);
    return count;
}
With only a few small changes, we can create a new function named
"SSL_CTX_use_certificate_chain", which complies with naming conventions
like "SSL_CTX_use_certificate".
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const unsigned char *d, long len)
{
    BIO *in;
    STACK_OF(X509_INFO) *inf;
    X509_INFO *itmp;
    int i, count = 0;

    /* read from the in-memory buffer instead of a file */
    in = BIO_new_mem_buf((void *)d, (int)len);
    if (!in) {
        /* set the error code */
        return 0;
    }
    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
    BIO_free(in);
    if (!inf) {
        /* set the error code */
        return 0;
    }
    for (i = 0; i < sk_X509_INFO_num(inf); i++) {
        itmp = sk_X509_INFO_value(inf, i);
        if (itmp->x509) {
            if (!SSL_CTX_add_extra_chain_cert(ctx, itmp->x509)) {
                /* set the error code */
                /* how to handle error */
                break;
            }
            /* the SSL_CTX now owns this X509; detach it so the
             * pop_free below does not free it a second time */
            itmp->x509 = NULL;
            count++;
        }
        /* ... something else if needed */
    }
    sk_X509_INFO_pop_free(inf, X509_INFO_free);
    return count;
}
Best wishes
Miles.zhaof
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dave Thompson
Sent: 21 December 2012 14:01
To: [email protected]
Subject: RE: how to load a certs chain from memory, thanks
>From: [email protected] On Behalf Of
[email protected]
>Sent: Thursday, 20 December, 2012 22:10
>I want to load a certs chain from memory (i.e. from a std::string variable
>with the certs chain's content loaded from the mysql db).
>The content of the certs chain is like a CAfile.
Not entirely. Both are a sequence of certs, but the certs in a chain
should be related and those in a truststore mostly should not. Also
an openssl CAfile or use_chain_file must be PEM, but other chain storage
(like pkcs7) need not -- but if you're going to put it in a std::string,
and maybe store as varchar or text in db, you probably do want PEM.
>Because I am loading from memory, I cannot call the
>"SSL_CTX_load_verify_locations" api.
>So I call "SSL_CTX_add_extra_chain_cert" instead of
>"SSL_CTX_load_verify_locations",
>but "SSL_CTX_add_extra_chain_cert" only loads the first cert in the chain,
>not all of them.
You can call add_extra_chain_cert more than once. The problem is
your code only *reads* the first cert in the sequence.
>And I can't get the number of certs in a chain. The content of chain
>is uploaded from webpage.
>Following is the demo code: <snip>
What you need to do is parse each cert and call add_extra_chain_cert.
If the data is a sequence of PEM-format certs, just create a memBIO with
the whole thing and then loop PEM_read_bio'ing from there until it
returns failure. If you want to know how many certs there are, keep
a counter of the number of times the loop executes.
Google "openssl certificate chain memory buffer": the first hit is false
(it's about *one* cert in memory, but has "related" links about chains),
but 2, 4 and 5 are all a similar question from Aravind GJ, and an answer by me
with (minimal) code, last year on this list. (It should also be possible
to search the list archives directly, but I never bother.)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]