Commit 53c2bc21 authored by Benjamin REIS's avatar Benjamin REIS

add support to pkcs12 file

parent fd63ab5b
......@@ -11,7 +11,7 @@ dnl information on the package
dnl ---------------------------
dnl update both the version for AC_INIT and the LIBSOFIA_SIP_UA_MAJOR_MINOR
AC_INIT([sofia-sip], [1.13.16bc])
AC_INIT([sofia-sip], [1.13.17bc])
AC_CONFIG_SRCDIR([libsofia-sip-ua/sip/sofia-sip/sip.h])
AC_CONFIG_MACRO_DIR([m4])
AC_SUBST(VER_LIBSOFIA_SIP_UA_MAJOR_MINOR, [1.13])
......
......@@ -49,6 +49,8 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
#include <openssl/opensslv.h>
......@@ -313,32 +315,92 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
}
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
if(ti->keystore) {
FILE *fp;
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
fp = fopen(ti->keystore, "rb");
if (fp == NULL) {
SU_DEBUG_1(("%s Error opening file : %s\n", "tls_init_context", ti->keystore));
#if require_client_certificate
errno = EIO;
#endif
return -1;
}
p12 = d2i_PKCS12_fp(fp, NULL);
fclose (fp);
if (!p12) {
SU_DEBUG_1(("%s: Error reading PKCS#12 file : %s\n", "tls_init_context", ti->keystore));
#if require_client_certificate
errno = EIO;
#endif
return -1;
}
if (!PKCS12_parse(p12, ti->passphrase ? ti->passphrase : "", &pkey, &cert, &ca)) {
SU_DEBUG_1(("%s: Error parsing PKCS#12 file : %s\n", "tls_init_context", ti->keystore));
#if require_client_certificate
errno = EIO;
#endif
return -1;
}
if (!SSL_CTX_use_certificate(tls->ctx, cert)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid local certificate.\n",
"tls_init_context"));
tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_use_PrivateKey(tls->ctx,pkey)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key\n",
"tls_init_context"));
tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
PKCS12_free(p12);
sk_X509_pop_free(ca, X509_free);
X509_free(cert);
EVP_PKEY_free(pkey);
} else {
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid local certificate: %s\n",
"tls_init_context", ti->cert));
tls_log_errors(3, "tls_init_context", 0);
SU_DEBUG_1(("%s: invalid local certificate: %s\n",
"tls_init_context", ti->cert));
tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
errno = EIO;
return -1;
errno = EIO;
return -1;
#endif
}
}
}
}
if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
ti->key,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key: %s\n",
"tls_init_context", ti->key));
tls_log_errors(3, "tls_init_context(key)", 0);
if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
ti->key,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key: %s\n",
"tls_init_context", ti->key));
tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
errno = EIO;
return -1;
errno = EIO;
return -1;
#endif
}
}
}
}
if (!SSL_CTX_check_private_key(tls->ctx)) {
......
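Review bot: The PKCS#12 objects leak on the error paths of the new keystore branch: the return after a failed PKCS12_parse drops p12, and the two `return -1` under `require_client_certificate` following SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey exit before the PKCS12_free/sk_X509_pop_free/X509_free/EVP_PKEY_free calls at the end of the branch are reached. A single cleanup label reached from every exit fixes this, as sketched below; the OpenSSL free functions accept NULL, so the handles can be initialised to NULL and released unconditionally. The `ca` stack returned by PKCS12_parse is freed without being installed in the context (no SSL_CTX_add_extra_chain_cert or similar call), so intermediate certificates bundled in the keystore are silently dropped — confirm that is intended. tls_init_context starts and ends outside the hunk, so what the caller does with tls->ctx after a -1 return is not visible here.
```c
  if(ti->keystore) {
    int rc = -1;
    FILE *fp;
    EVP_PKEY *pkey = NULL;
    X509 *cert = NULL;
    STACK_OF(X509) *ca = NULL;
    PKCS12 *p12 = NULL;
    /* … unchanged: OpenSSL_add_all_algorithms / ERR_load_crypto_strings … */
    fp = fopen(ti->keystore, "rb");
    if (fp == NULL) {
      SU_DEBUG_1(("%s Error opening file : %s\n", "tls_init_context", ti->keystore));
      goto keystore_done;
    }
    p12 = d2i_PKCS12_fp(fp, NULL);
    fclose(fp);
    if (!p12) {
      SU_DEBUG_1(("%s: Error reading PKCS#12 file : %s\n", "tls_init_context", ti->keystore));
      goto keystore_done;
    }
    if (!PKCS12_parse(p12, ti->passphrase ? ti->passphrase : "", &pkey, &cert, &ca)) {
      SU_DEBUG_1(("%s: Error parsing PKCS#12 file : %s\n", "tls_init_context", ti->keystore));
      goto keystore_done;
    }
    if (!SSL_CTX_use_certificate(tls->ctx, cert)) {
      if (ti->configured > 0) {
        SU_DEBUG_1(("%s: invalid local certificate.\n", "tls_init_context"));
        tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
        goto keystore_done;   /* rc is still -1 */
#endif
      }
    }
    /* … same shape for SSL_CTX_use_PrivateKey(tls->ctx, pkey) … */
    rc = 0;
  keystore_done:
    /* every handle is NULL or owned here; the *_free functions accept NULL */
    PKCS12_free(p12);
    sk_X509_pop_free(ca, X509_free);
    X509_free(cert);
    EVP_PKEY_free(pkey);
    if (rc < 0) {
#if require_client_certificate
      errno = EIO;
#endif
      return rc;
    }
  } else {
    /* … unchanged: PEM certificate and private key file loading … */
```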
......@@ -65,6 +65,7 @@ typedef struct tls_issues_s {
*/
int version; /* For tls1, version is 1. When ssl3/ssl2 is
* used, it is 0. */
char *keystore; /* Path a p12 key store file */
} tls_issues_t;
typedef struct tport_tls_s {
......
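Review bot: The new keystore field's comment does not say how it interacts with cert/key, which is the decision tls_init_context makes on it: as far as the rendered hunk of that function shows, when keystore is set the PEM cert/key files are not consulted at all. Suggest `char *keystore; /* Path to a PKCS#12 (.p12) key store; when set, used instead of cert/key */`, which also fixes "Path a". Ownership of the string (who frees it) is not stated either; the other char * members of tls_issues_t are outside the hunk, so I cannot tell whether they document it.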
......@@ -49,6 +49,7 @@
#include <errno.h>
#include <limits.h>
#include <string.h>
#include <libgen.h>
#include <sofia-sip/su_string.h>
#if HAVE_FUNC
......@@ -220,7 +221,6 @@ static int tport_tls_init_master(tport_primary_t *pri,
ti.verify_depth = tls_depth;
ti.verify_date = tls_date;
ti.version = tls_version;
tlspri->tlspri_master = tls_init_master(&ti);
}
} else {
......@@ -231,17 +231,22 @@ static int tport_tls_init_master(tport_primary_t *pri,
}
if (path) {
ti.policy = tls_policy | (tls_verify ? TPTLS_VERIFY_ALL : 0);
ti.verify_depth = tls_depth;
ti.verify_date = tls_date;
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
ti.passphrase = su_strdup(autohome, passphrase);
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
ti.version = tls_version;
ti.CApath = su_strdup(autohome, path);
const char *base_name = basename(path);
ti.keystore = NULL;
if(base_name && strcmp(base_name, "")!= 0) {
ti.keystore = path;
}
ti.policy = tls_policy | (tls_verify ? TPTLS_VERIFY_ALL : 0);
ti.verify_depth = tls_depth;
ti.verify_date = tls_date;
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
ti.key = su_sprintf(autohome, "%s/%s", path, "agent.pem");
ti.passphrase = su_strdup(autohome, passphrase);
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
ti.version = tls_version;
ti.CApath = su_strdup(autohome, path);
SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
......
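Review bot: The keystore test built on `basename(path)` does not distinguish a PKCS#12 file from the certificate directory: for any non-empty path basename() returns a non-empty component (POSIX even returns "." for "" and "/" for "/"), so ti.keystore is set to path in practically every case and, as far as the tls_init_context hunk shows, the keystore branch is then taken on what is presumably a directory, before the agent.pem/cafile.pem paths built on the following lines are ever used. If the intent is "path names a .p12 file rather than a directory", test that directly, e.g. `struct stat st; ti.keystore = (stat(path, &st) == 0 && S_ISREG(st.st_mode)) ? path : NULL;` (assuming sys/stat.h is already available to this file), and keep keystore NULL for directories. POSIX basename() may also modify its argument and return static storage, so handing it `path`, which is reused below and compared against tbf, is fragile even if the check is kept. The enclosing tport_tls_init_master starts before the hunk and continues past it, so I cannot see where tls_init_master is now called after the removal in the earlier hunk.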