From: Heikki Hannikainen <hessu@hes.iki.fi>
Date: Thu, 20 Jun 2013 11:06:25 +0000 (+0300)
Subject: Always load intermediate certificates from a PKCS#12 file
X-Git-Tag: v2.4_alpha1~540
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6481f879eb62cafa6ad652801b2b5c45e546ef44;p=thirdparty%2Fopenvpn.git

Always load intermediate certificates from a PKCS#12 file

Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.

Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.

When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.

Acked-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index ec76b309d..f64177a86 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -412,16 +412,34 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
   /* Set Certificate Verification chain */
   if (load_ca_file)
    {
+     /* Add CAs from PKCS12 to the cert store and mark them as trusted. 
+      * They're also used to fill in the chain of intermediate certs as
+      * necessary.
+      */
      if (ca && sk_X509_num(ca))
       {
 	for (i = 0; i < sk_X509_num(ca); i++)
 	  {
-	      if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
+	    if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
 	      msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
 	    if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
 	      msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
 	  }
       }
+   } else {
+     /* If trusted CA certs were loaded from a PEM file, and we ignore the
+      * ones in PKCS12, do load PKCS12-provided certs to the client extra
+      * certs chain just in case they include intermediate CAs needed to
+      * prove my identity to the other end. This does not make them trusted.
+      */
+     if (ca && sk_X509_num(ca))
+      {
+	for (i = 0; i < sk_X509_num(ca); i++)
+	  {
+	    if (!SSL_CTX_add_extra_chain_cert(ctx->ctx,sk_X509_value(ca, i)))
+	      msg (M_SSLERR, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
+	  }
+      }
    }
   return 0;
 }