Loading CHANGES +6 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,12 @@ Changelog Daniel S (23 Feb 2008) - Sam Listopad provided a patch in feature-request #1900014 http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to use OpenSSL) support a full chain of certificates in a given PKCS12 certificate. Daniel S (22 Feb 2008) - Georg Lippitsch made the src/Makefile.vc6 makefile use the same memory model options as the lib/Makefile.vc6 already did. Loading RELEASE-NOTES +2 −1 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ This release includes the following changes: o we no longer distribute or install a ca cert bundle o SSLv2 is now disabled by default for SSL operations o the test509-style setting URL in callback is officially no longer supported o support a full chain of certificates in a given PKCS12 certificate This release includes the following bugfixes: Loading Loading @@ -48,6 +49,6 @@ advice from friends like these: Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse, Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol, Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch, Sam Listopad Thanks! (and sorry if I forgot to mention someone) lib/ssluse.c +34 −1 Original line number Diff line number Diff line Loading @@ -364,6 +364,8 @@ int cert_stuff(struct connectdata *conn, FILE *f; PKCS12 *p12; EVP_PKEY *pri; STACK_OF(X509) *ca = NULL; int i; f = fopen(cert_file,"rb"); if(!f) { Loading 
@@ -373,10 +375,15 @@ int cert_stuff(struct connectdata *conn, p12 = d2i_PKCS12_fp(f, NULL); fclose(f); if(!p12) { failf(data, "error reading PKCS12 file '%s'", cert_file ); return 0; } PKCS12_PBE_add(); if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509, NULL)) { &ca)) { failf(data, "could not parse PKCS12 file, check password, OpenSSL error %s", ERR_error_string(ERR_get_error(), NULL) ); Loading @@ -401,6 +408,32 @@ int cert_stuff(struct connectdata *conn, return 0; } if (!SSL_CTX_check_private_key (ctx)) { failf(data, "private key from PKCS12 file '%s' " "does not match certificate in same file", cert_file); EVP_PKEY_free(pri); X509_free(x509); return 0; } /* Set Certificate Verification chain */ if (ca && sk_num(ca)) { for (i = 0; i < sk_X509_num(ca); i++) { if (!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) { failf(data, "cannot add certificate to certificate chain"); EVP_PKEY_free(pri); X509_free(x509); return 0; } if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) { failf(data, "cannot add certificate to client CA list", cert_file); EVP_PKEY_free(pri); X509_free(x509); return 0; } } } EVP_PKEY_free(pri); X509_free(x509); cert_done = 1; Loading Loading
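Review bot: The `STACK_OF(X509) *ca` that PKCS12_parse() now fills is never released — not on the new error returns that follow it and not on the success path before `cert_done = 1;` — and the loop hands stack elements straight to SSL_CTX_add_extra_chain_cert(), which takes ownership of the X509 it is given, so a later `sk_X509_pop_free(ca, X509_free)` would double-free a transferred cert while `sk_X509_free(ca)` would leak the untransferred ones on any partial failure. Popping each certificate off the stack first, calling SSL_CTX_add_client_CA() (which only copies the subject name) before the ownership-transferring SSL_CTX_add_extra_chain_cert(), and routing the four `EVP_PKEY_free(pri); X509_free(x509); return 0;` blocks through one `fail:` label that also does `sk_X509_pop_free(ca, X509_free);` fixes both; whether `p12` is freed further down in cert_stuff is outside the hunk, and if it is not, `PKCS12_free(p12);` belongs in that same label. Separately, `failf(data, "cannot add certificate to client CA list", cert_file);` passes an argument the format string never consumes — either drop `cert_file` or add `'%s'` to the message as the check_private_key failf just above does — and `sk_num(ca)` on a typed stack should be `sk_X509_num(ca)` like the loop bound. cert_stuff continues outside the hunk, and this file section is printed a second time at the end of the page.
```c
  /* Set Certificate Verification chain */
  if(ca) {
    while(sk_X509_num(ca)) {
      /* pop first so the stack no longer owns the cert:
         SSL_CTX_add_extra_chain_cert() takes ownership of x,
         SSL_CTX_add_client_CA() only copies its subject name */
      X509 *x = sk_X509_pop(ca);
      if(!SSL_CTX_add_client_CA(ctx, x)) {
        X509_free(x);
        failf(data, "cannot add certificate to client CA list");
        goto fail;
      }
      if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
        X509_free(x);
        failf(data, "cannot add certificate to certificate chain");
        goto fail;
      }
    }
  }
  /* … unchanged: EVP_PKEY_free(pri); X509_free(x509); cert_done = 1; success path … */
fail:
  EVP_PKEY_free(pri);
  X509_free(x509);
  sk_X509_pop_free(ca, X509_free);
  return 0;
```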
CHANGES +6 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,12 @@ Changelog Daniel S (23 Feb 2008) - Sam Listopad provided a patch in feature-request #1900014 http://curl.haxx.se/bug/feature.cgi?id=1900014 that makes libcurl (built to use OpenSSL) support a full chain of certificates in a given PKCS12 certificate. Daniel S (22 Feb 2008) - Georg Lippitsch made the src/Makefile.vc6 makefile use the same memory model options as the lib/Makefile.vc6 already did. Loading
RELEASE-NOTES +2 −1 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ This release includes the following changes: o we no longer distribute or install a ca cert bundle o SSLv2 is now disabled by default for SSL operations o the test509-style setting URL in callback is officially no longer supported o support a full chain of certificates in a given PKCS12 certificate This release includes the following bugfixes: Loading Loading @@ -48,6 +49,6 @@ advice from friends like these: Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse, Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol, Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch Kaspar Brand, Gautam Kachroo, Zmey Petroff, Georg Lippitsch, Sam Listopad Thanks! (and sorry if I forgot to mention someone)
lib/ssluse.c +34 −1 Original line number Diff line number Diff line Loading @@ -364,6 +364,8 @@ int cert_stuff(struct connectdata *conn, FILE *f; PKCS12 *p12; EVP_PKEY *pri; STACK_OF(X509) *ca = NULL; int i; f = fopen(cert_file,"rb"); if(!f) { Loading @@ -373,10 +375,15 @@ int cert_stuff(struct connectdata *conn, p12 = d2i_PKCS12_fp(f, NULL); fclose(f); if(!p12) { failf(data, "error reading PKCS12 file '%s'", cert_file ); return 0; } PKCS12_PBE_add(); if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509, NULL)) { &ca)) { failf(data, "could not parse PKCS12 file, check password, OpenSSL error %s", ERR_error_string(ERR_get_error(), NULL) ); Loading @@ -401,6 +408,32 @@ int cert_stuff(struct connectdata *conn, return 0; } if (!SSL_CTX_check_private_key (ctx)) { failf(data, "private key from PKCS12 file '%s' " "does not match certificate in same file", cert_file); EVP_PKEY_free(pri); X509_free(x509); return 0; } /* Set Certificate Verification chain */ if (ca && sk_num(ca)) { for (i = 0; i < sk_X509_num(ca); i++) { if (!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) { failf(data, "cannot add certificate to certificate chain"); EVP_PKEY_free(pri); X509_free(x509); return 0; } if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) { failf(data, "cannot add certificate to client CA list", cert_file); EVP_PKEY_free(pri); X509_free(x509); return 0; } } } EVP_PKEY_free(pri); X509_free(x509); cert_done = 1; Loading