Added possibility to set RootCA by buffer instead of file

include/belle-sip/auth-helper.h

@@ -238,6 +238,15 @@ BELLESIP_EXPORT belle_tls_crypto_config_t *belle_tls_crypto_config_new(void);
  */
 BELLESIP_EXPORT int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path);
 
+/**
+ * Set the content of the trusted certificate chain
+ * @param[in/out]	obj		The crypto configuration object to set
+ * @param[in]		data	The content to the trusted certificate chain data(NULL terminated string)
+ *
+ * @return 0 on success
+ */
+BELLESIP_EXPORT int belle_tls_crypto_config_set_root_ca_data(belle_tls_crypto_config_t *obj, const char *data);
+
 /**
  * Set the exception flags to manage exception overriding during peer certificate verification
  * @param[in/out]	obj		The crypto configuration object to set

src/auth_event.c

@@ -85,7 +85,7 @@ belle_tls_verify_policy_t *belle_tls_verify_policy_new(){
 	return (belle_tls_verify_policy_t *)belle_tls_crypto_config_new();
 }
 
-int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path){
+int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path) {
 	return belle_tls_crypto_config_set_root_ca(obj, path);
 }
 
@@ -98,8 +98,9 @@ unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_polic
 }
 /* end of deprecated on 2016/02/02 */
 
-static void crypto_config_uninit(belle_tls_crypto_config_t *obj){
+static void crypto_config_uninit(belle_tls_crypto_config_t *obj) {
 	if (obj->root_ca) belle_sip_free(obj->root_ca);
+	if (obj->root_ca_data) belle_sip_free(obj->root_ca_data);
 }
 
 BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_tls_crypto_config_t);
@@ -123,19 +124,37 @@ belle_tls_crypto_config_t *belle_tls_crypto_config_new(void){
 }
 
 int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path){
-	if (obj->root_ca){
+	if (obj->root_ca) {
 		belle_sip_free(obj->root_ca);
-		obj->root_ca=NULL;
+		obj->root_ca = NULL;
 	}
-	if (path){
-		obj->root_ca=belle_sip_strdup(path);
-		belle_sip_message("Root ca path set to %s",obj->root_ca);
+	if (path) {
+		obj->root_ca = belle_sip_strdup(path);
+		belle_sip_message("Root ca path set to %s", obj->root_ca);
 	} else {
 		belle_sip_message("Root ca path disabled");
 	}
 	return 0;
 }
 
+int belle_tls_crypto_config_set_root_ca_data(belle_tls_crypto_config_t *obj, const char *data) {
+	if (obj->root_ca) {
+		belle_sip_free(obj->root_ca);
+		obj->root_ca = NULL;
+	}
+	if (obj->root_ca_data) {
+		belle_sip_free(obj->root_ca_data);
+		obj->root_ca_data = NULL;
+	}
+	if (data) {
+		obj->root_ca_data = belle_sip_strdup(data);
+		belle_sip_message("Root ca data set to %s", obj->root_ca_data);
+	} else {
+		belle_sip_message("Root ca data disabled");
+	}
+	return 0;
+}
+
 void belle_tls_crypto_config_set_verify_exceptions(belle_tls_crypto_config_t *obj, int flags){
 	obj->exception_flags=flags;
 }

src/channel.h

@@ -225,6 +225,7 @@ belle_sip_channel_t *belle_sip_channel_find_from_list(belle_sip_list_t *l, int a
 struct belle_tls_crypto_config{
 	belle_sip_object_t base;
 	char *root_ca; /**< path to the trusted certificate chain used when verifiying peer certificate */
+	char *root_ca_data; /**< content of the trusted certificate chain used when verifiying peer certificate */
 	int exception_flags; /**< override some exception raised during certificate verification, can be:
 						   BELLE_TLS_VERIFY_NONE do not override any exception
 						   BELLE_TLS_VERIFY_CN_MISMATCH ignore Common Name mismatch exception

src/transports/tls_channel.c

@@ -788,6 +788,26 @@ static int belle_sip_tls_channel_load_root_ca(belle_sip_tls_channel_t *obj, cons
 	return -1;
 }
 
+static int belle_sip_tls_channel_load_root_ca_from_buffer(belle_sip_tls_channel_t *obj, const char *data) {
+	int err = 0;
+	if (data != NULL) {
+		if (obj->root_ca) {
+			bctbx_x509_certificate_free(obj->root_ca);
+		}
+		obj->root_ca = bctbx_x509_certificate_new();
+		//certificate data must to contain in size the NULL character
+		err = bctbx_x509_certificate_parse(obj->root_ca, data, strlen(data) + 1);
+		if (err) {
+			belle_sip_error("Failed to load root ca from string data: 0x%x", err);
+			return -1;
+		}
+		belle_sip_message("Root ca loaded from string data");
+		return 0;
+	}
+	belle_sip_error("Could not load root ca from null string");
+	return -1;
+}
+
 belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_tls_crypto_config_t *crypto_config, const char *bindip, int localport, const char *peer_cname, const char *dest, int port) {
 	belle_sip_tls_channel_t *obj=belle_sip_object_new(belle_sip_tls_channel_t);
 	belle_sip_stream_channel_t* super=(belle_sip_stream_channel_t*)obj;
@@ -814,8 +834,10 @@ belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_
 
 	bctbx_ssl_config_set_rng(obj->sslcfg, random_generator, NULL);
 	bctbx_ssl_set_io_callbacks(obj->sslctx, obj, tls_callback_write, tls_callback_read);
-	if (crypto_config->root_ca && belle_sip_tls_channel_load_root_ca(obj,crypto_config->root_ca)==0){
-		bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name );
+	if (crypto_config->root_ca_data && belle_sip_tls_channel_load_root_ca_from_buffer(obj, crypto_config->root_ca_data) == 0) {
+		bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name);
+	} else if (crypto_config->root_ca && belle_sip_tls_channel_load_root_ca(obj, crypto_config->root_ca) == 0) {
+		bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name);
 	}
 	bctbx_ssl_config_set_callback_verify(obj->sslcfg, belle_sip_ssl_verify, crypto_config);
 	bctbx_ssl_config_set_callback_cli_cert(obj->sslcfg, belle_sip_client_certificate_request_callback, obj);