#error compat/openssl.h depends on USE_OPENSSL
#endif
+#include <algorithm>
+
#if HAVE_OPENSSL_ASN1_H
#include <openssl/asn1.h>
#endif
#include "security/KeyData.h"
#include "SquidConfig.h"
#include "ssl/bio.h"
+#include "ssl/gadgets.h"
/**
* Read certificate from file.
return false;
}
- if (X509 *certificate = PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)) {
- cert.resetWithoutLocking(certificate);
- }
+ cert = Ssl::ReadX509Certificate(bio); // error detected/reported below
#elif USE_GNUTLS
const char *certFilename = certFile.c_str();
// and add to the chain any other certificate exist in the file
CertPointer latestCert = cert;
- while (auto ca = PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr)) {
+ while (const auto ca = Ssl::ReadX509Certificate(bio)) {
// get Issuer name of the cert for debug display
- char *nameStr = X509_NAME_oneline(X509_get_subject_name(ca), nullptr, 0);
+ char *nameStr = X509_NAME_oneline(X509_get_subject_name(ca.get()), nullptr, 0);
#if TLS_CHAIN_NO_SELFSIGNED // ignore self-signed certs in the chain
// self-signed certificates are not valid in a sent chain
- if (X509_check_issued(ca, ca) == X509_V_OK) {
+ if (X509_check_issued(ca.get(), ca.get()) == X509_V_OK) {
debugs(83, DBG_PARSE_NOTE(2), "CA " << nameStr << " is self-signed, will not be chained: " << nameStr);
OPENSSL_free(nameStr);
continue;
}
#endif
// checks that the chained certs are actually part of a chain for validating cert
- const auto checkCode = X509_check_issued(ca, latestCert.get());
+ const auto checkCode = X509_check_issued(ca.get(), latestCert.get());
if (checkCode == X509_V_OK) {
debugs(83, DBG_PARSE_NOTE(3), "Adding issuer CA: " << nameStr);
// OpenSSL API requires that we order certificates such that the
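Review bot: The rewritten loop condition at L25 treats every nil result of Ssl::ReadX509Certificate() as end of input, so a malformed certificate in the middle of the chain file quietly ends chain loading with a truncated chain and no diagnostic; the old code behaved the same way, but this refactor is the natural place to fix it. OpenSSL marks a clean end of PEM data with PEM_R_NO_START_LINE on its error queue, so after the loop the two cases can be told apart with `if (ERR_GET_REASON(ERR_peek_last_error()) != PEM_R_NO_START_LINE) { /* report the unparsable chain entry */ }` followed by `ERR_clear_error();` so that the stale end-of-data error does not pollute later error reports. The same ambiguity is inherent in the new Ssl::ReadX509Certificate() body at L77-L87 and in the Ssl::loadCerts() loop at L139-L145, which only logs how many certificates it managed to load. Separately, `nameStr` obtained at L28 is inserted into the debugs() streams at L33 and L42 without a null check, although X509_NAME_oneline() can return nullptr on failure. The loop body and the subsequent chain assembly continue past the end of the hunk.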
Ssl::BIO_Pointer bio;
if (!Ssl::OpenCertsFileForReading(bio, filename.c_str()))
return false;
- if (!Ssl::ReadX509Certificate(bio, cert))
+ if (!(cert = Ssl::ReadX509Certificate(bio)))
return false;
if (!Ssl::ReadPrivateKey(bio, pkey, NULL))
return false;
- // The orig certificate is not mandatory
- (void)Ssl::ReadX509Certificate(bio, orig);
+ orig = Ssl::ReadX509Certificate(bio); // optional; may be nil
return true;
}
Ssl::BIO_Pointer bio(BIO_new(BIO_s_mem()));
BIO_puts(bio.get(), bufferToRead);
- X509 * certPtr = NULL;
- cert.resetWithoutLocking(PEM_read_bio_X509(bio.get(), &certPtr, 0, 0));
- if (!cert)
+ if (!(cert = Ssl::ReadX509Certificate(bio)))
return false;
EVP_PKEY * pkeyPtr = NULL;
Ssl::BIO_Pointer bio(BIO_new(BIO_s_mem()));
BIO_puts(bio.get(), bufferToRead);
- X509 * certPtr = NULL;
- cert.resetWithoutLocking(PEM_read_bio_X509(bio.get(), &certPtr, 0, 0));
- if (!cert)
+ if (!(cert = Ssl::ReadX509Certificate(bio)))
return false;
return true;
return true;
}
-bool
-Ssl::ReadX509Certificate(Ssl::BIO_Pointer &bio, Security::CertPointer & cert)
+Security::CertPointer
+Ssl::ReadX509Certificate(const BIO_Pointer &bio)
{
assert(bio);
- if (X509 *certificate = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
- cert.resetWithoutLocking(certificate);
- return true;
- }
- return false;
+ return Security::CertPointer(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
}
bool
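Review bot: The new body at L86 wraps the raw `X509 *` in `Security::CertPointer(...)` and so relies on that constructor adopting the reference without locking, whereas the replaced code called resetWithoutLocking() explicitly; if the raw-pointer constructor of the underlying locking pointer also calls X509_up_ref, every successful read would leak one reference, so this is worth confirming against the pointer type's definition, which is outside this diff. A one-line comment on the return, `// adopts the reference PEM_read_bio_X509() hands us; no up_ref`, would document the intended ownership transfer for the next reader. The function also leaves the OpenSSL error queue untouched, which callers that need to distinguish end of data from a parse error must take into account.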
#ifndef SQUID_SSL_GADGETS_H
#define SQUID_SSL_GADGETS_H
+#if USE_OPENSSL
+
#include "base/HardFun.h"
+#include "compat/openssl.h"
#include "security/forward.h"
#include "ssl/crtd_message.h"
-#if USE_OPENSSL
-#include "compat/openssl.h"
+#include <string>
+
#if HAVE_OPENSSL_ASN1_H
#include <openssl/asn1.h>
#endif
#if HAVE_OPENSSL_X509V3_H
#include <openssl/x509v3.h>
#endif
-#endif
-#include <string>
namespace Ssl
{
*/
bool OpenCertsFileForReading(BIO_Pointer &bio, const char *filename);
-/**
- \ingroup SslCrtdSslAPI
- * Read a certificate from bio
- */
-bool ReadX509Certificate(BIO_Pointer &bio, Security::CertPointer & cert);
+/// reads and returns a certificate using the given OpenSSL BIO
+/// \returns a nil pointer on errors (TODO: throw instead)
+Security::CertPointer ReadX509Certificate(const BIO_Pointer &);
/**
\ingroup SslCrtdSslAPI
const ASN1_BIT_STRING *X509_get_signature(const Security::CertPointer &);
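Review bot: The new doc comment at L118-L119 describes a nil return only as an error, but the callers at L25 and L139 loop until nil, i.e. they also rely on nil meaning that the BIO holds no further PEM objects; the declaration should state both meanings and name its parameter. Suggested wording: `/// reads and returns the next certificate from the given OpenSSL BIO`, `/// \returns a nil pointer when no more certificates are available or on errors; the OpenSSL error queue is left for the caller to inspect (TODO: throw on errors instead)`, and `Security::CertPointer ReadX509Certificate(const BIO_Pointer &bio);`.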
} // namespace Ssl
+
+#endif // USE_OPENSSL
#endif // SQUID_SSL_GADGETS_H
bool
Ssl::loadCerts(const char *certsFile, Ssl::CertsIndexedList &list)
{
- BIO *in = BIO_new_file(certsFile, "r");
+ const BIO_Pointer in(BIO_new_file(certsFile, "r"));
if (!in) {
debugs(83, DBG_IMPORTANT, "Failed to open '" << certsFile << "' to load certificates");
return false;
}
- X509 *aCert;
- while((aCert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+ while (auto aCert = ReadX509Certificate(in)) {
static char buffer[2048];
- X509_NAME_oneline(X509_get_subject_name(aCert), buffer, sizeof(buffer));
- list.insert(std::pair<SBuf, X509 *>(SBuf(buffer), aCert));
+ X509_NAME_oneline(X509_get_subject_name(aCert.get()), buffer, sizeof(buffer));
+ list.insert(std::pair<SBuf, X509 *>(SBuf(buffer), aCert.release()));
}
debugs(83, 4, "Loaded " << list.size() << " certificates from file: '" << certsFile << "'");
- BIO_free(in);
return true;
}
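Review bot: The rewritten line L143 discards the return value of X509_NAME_oneline(), and because `buffer` is a function-static array reused across iterations, a failed name extraction appears to leave the previous certificate's subject in place, so the certificate at L144 would be indexed under the wrong name. Checking the result keeps the index honest: `if (!X509_NAME_oneline(X509_get_subject_name(aCert.get()), buffer, sizeof(buffer))) {` then `debugs(83, DBG_IMPORTANT, "Cannot extract the subject name of a certificate in '" << certsFile << "'; skipping it");` and `continue; }`, which lets the CertPointer free the skipped certificate. The `static char buffer[2048]` itself predates this change but is worth replacing with a local buffer in the same pass, since the static makes loadCerts() unsafe to call concurrently.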