Always load intermediate certificates from a PKCS#12 file

Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.

Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.

When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.

Acked-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721

Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index ec76b309dc9fb7a6f30e8d3dfd663d8da6583d7d..f64177a8608c5e16de990de34c7ca3519b0d4a09 100644 (file)
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -412,16 +412,34 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
   /* Set Certificate Verification chain */
   if (load_ca_file)
    {
+     /* Add CAs from PKCS12 to the cert store and mark them as trusted. 
+      * They're also used to fill in the chain of intermediate certs as
+      * necessary.
+      */
      if (ca && sk_X509_num(ca))
       {
        for (i = 0; i < sk_X509_num(ca); i++)
          {
-             if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
+           if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
              msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
            if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
              msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
          }
       }
+   } else {
+     /* If trusted CA certs were loaded from a PEM file, and we ignore the
+      * ones in PKCS12, do load PKCS12-provided certs to the client extra
+      * certs chain just in case they include intermediate CAs needed to
+      * prove my identity to the other end. This does not make them trusted.
+      */
+     if (ca && sk_X509_num(ca))
+      {
+       for (i = 0; i < sk_X509_num(ca); i++)
+         {
+           if (!SSL_CTX_add_extra_chain_cert(ctx->ctx,sk_X509_value(ca, i)))
+             msg (M_SSLERR, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
+         }
+      }
    }
   return 0;
 }