From: james
Date: Sat, 15 Oct 2005 05:07:29 +0000 (+0000)
Subject: Enable the use of --ca together with --pkcs12. If --ca is
X-Git-Tag: v2.1_rc1~143
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e83b8190d46352f8a625491b10af19c8b0ac2def;p=thirdparty%2Fopenvpn.git

Enable the use of --ca together with --pkcs12. If --ca is used at the same time as --pkcs12, the CA certificate is loaded from the file specified by --ca regardless if the pkcs12 file contains a CA cert or not (Mathias Sundman).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
---
diff --git a/ChangeLog b/ChangeLog
index 0658da61e..aa03feb4b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ $Id$
 2005.10.xx -- Version 2.1-beta3
 * Added PKCS#11 support (Alon Bar-Lev).
+* Enable the use of --ca together with --pkcs12. If --ca is
+  used at the same time as --pkcs12, the CA certificate is loaded
+  from the file specified by --ca regardless if the pkcs12 file
+  contains a CA cert or not (Mathias Sundman).
 * NOTE TO PACKAGE MAINTAINERS: Moved "plugin" directory to
   "plugins". This is to work around a strange problem with the
diff --git a/options.c b/options.c
index c7e788fbb..fa911b68d 100644
--- a/options.c
+++ b/options.c
@@ -405,7 +405,7 @@ static const char usage_message[] =
   " by a Certificate Authority in --ca file.\n"
   "--key file : Local private key in .pem format.\n"
   "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
-  " and root CA certificate.\n"
+  " and optionally the root CA certificate.\n"
 #ifdef ENABLE_PKCS11
   "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
   "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
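Review bot: The --pkcs12 usage text now says the bundled CA certificate is optional, but nothing in usage_message tells the user what happens when both --ca and --pkcs12 supply one; the ssl.c part of this commit uses only the --ca file and ignores any CA inside the PKCS#12. The `--ca file` entry sits above this hunk and is not visible here, but I would append a continuation line directly after it, e.g. `"                  Takes precedence over any CA certificate in a --pkcs12 file.\n"`. usage_message continues on both sides of the hunk.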
@@ -1683,8 +1683,6 @@ options_postprocess (struct options *options, bool first_time)
 #endif
   if (options->pkcs12_file)
     {
-      if (options->ca_file)
-        msg(M_USAGE, "Parameter --ca cannot be used when --pkcs12 is also specified.");
       if (options->cert_file)
         msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
       if (options->priv_key_file)
diff --git a/ssl.c b/ssl.c
index 304e6ed73..17b418b23 100644
--- a/ssl.c
+++ b/ssl.c
@@ -833,14 +833,17 @@ init_ssl (const struct options *options)
         msg (M_SSLERR, "Private key does not match the certificate");
       /* Set Certificate Verification chain */
-      if (ca && sk_num(ca))
+      if (!options->ca_file)
         {
-          for (i = 0; i < sk_X509_num(ca); i++)
+          if (ca && sk_num(ca))
             {
-              if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
-                msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
-              if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
-                msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+              for (i = 0; i < sk_X509_num(ca); i++)
+                {
+                  if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
+                    msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+                  if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+                    msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+                }
             }
         }
     }
@@ -906,7 +909,10 @@ init_ssl (const struct options *options)
                 msg (M_SSLERR, "Private key does not match the certificate");
             }
         }
+    }
+  if (options->ca_file)
+    {
       /* Load CA file for verifying peer supplied certificate */
       ASSERT (options->ca_file);
       if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
@@ -920,9 +926,8 @@ init_ssl (const struct options *options)
             msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
           SSL_CTX_set_client_CA_list (ctx, cert_names);
         }
-    }
-
+
   /* Enable the use of certificate chains */
   if (using_cert_file)
     {
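Review bot: With the new `if (!options->ca_file)` guard in the `@@ -833` hunk, a PKCS#12 bundle that carries no CA certificate, used without --ca, leaves the verification store without any trust anchor, and the hunk emits no diagnostic for that case; the problem would only surface later, at handshake time, if at all. Since this commit is what makes the bundled CA optional, I would give the inner `if (ca && sk_num(ca))` an `else` branch that reports it, e.g. `else msg (M_SSLERR, "PKCS#12 file contains no CA certificate and --ca was not specified");`, unless a trust anchor can be supplied from somewhere outside this hunk, in which case a warning level would fit better. The moved condition also mixes the generic `sk_num(ca)` with the type-specific `sk_X509_num(ca)` used two lines below; `sk_X509_num(ca)` in both places would be consistent. init_ssl continues beyond the hunk on both sides.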
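Review bot: In the `@@ -906` hunk, `ASSERT (options->ca_file);` is now tautological because the added `if (options->ca_file)` two lines above guards the same block; I would drop the ASSERT so a reader does not hunt for a second way it could fire. The comment on the block should also say that this branch now runs for the PKCS#12 path as well and overrides any CA found in the bundle, e.g. `/* Load CA file for verifying peer supplied certificate; takes precedence over any CA in a --pkcs12 file */`. init_ssl continues beyond the hunk on both sides.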