[rt-commit] r188 - in /redwax-tool/trunk: ChangeLog redwax-tool.c redwax-tool.h redwax_keychain.c redwax_openssl.c redwax_p11kit.c redwax_unbound.c
rt-commit at redwax.eu
rt-commit at redwax.eu
Tue Oct 29 23:05:23 CET 2024
Author: minfrin at redwax.eu
Date: Tue Oct 29 23:05:22 2024
New Revision: 188
Log:
Add --filter-verify-dane to optionally ignore
DANE validation errors. This allows DANE validation
failure to appear in the metadata output, rather
than having the certificate filtered.
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_keychain.c
redwax-tool/trunk/redwax_openssl.c
redwax-tool/trunk/redwax_p11kit.c
redwax-tool/trunk/redwax_unbound.c
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Tue Oct 29 23:05:22 2024
@@ -1,5 +1,11 @@
Changes with v0.9.6
+
+ *) Add --filter-verify-dane to optionally ignore
+ DANE validation errors. This allows DANE validation
+ failure to appear in the metadata output, rather
+ than having the certificate filtered.
+ [Graham Leggett]
*) Remove unused LDNS_FMT_SHORT symbol that is not
widely available. [Graham Leggett]
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Tue Oct 29 23:05:22 2024
@@ -80,6 +80,9 @@
APR_HOOK_LINK(complete_verify_param);
APR_HOOK_LINK(set_verify_date);
APR_HOOK_LINK(set_verify_expiry);
+ APR_HOOK_LINK(complete_verify_expiry);
+ APR_HOOK_LINK(set_verify_dane);
+ APR_HOOK_LINK(complete_verify_dane);
APR_HOOK_LINK(set_purpose);
APR_HOOK_LINK(complete_purpose);
APR_HOOK_LINK(set_tlsa);
@@ -144,6 +147,12 @@
(redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_expiry,
(redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, complete_verify_expiry,
+ (redwax_tool_t * r, apr_hash_t *params), (r, params), OK, DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_dane,
+ (redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, complete_verify_dane,
+ (redwax_tool_t * r, apr_hash_t *params), (r, params), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_purpose,
(redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, complete_purpose,
@@ -255,10 +264,11 @@
#define REDWAX_TOOL_FILTER_CURRENT 266
#define REDWAX_TOOL_FILTER_DATE 267
#define REDWAX_TOOL_FILTER_EXPIRY 268
-#define REDWAX_TOOL_FILTER_PURPOSE 269
-#define REDWAX_TOOL_FILTER_VERIFY_PARAM 270
-#define REDWAX_TOOL_FILTER_VERIFY_TLSA 271
-#define REDWAX_TOOL_FILTER_VERIFY_SMIMEA 272
+#define REDWAX_TOOL_FILTER_DANE 269
+#define REDWAX_TOOL_FILTER_PURPOSE 270
+#define REDWAX_TOOL_FILTER_VERIFY_PARAM 271
+#define REDWAX_TOOL_FILTER_VERIFY_TLSA 272
+#define REDWAX_TOOL_FILTER_VERIFY_SMIMEA 273
#define REDWAX_TOOL_CERT_OUT 274
#define REDWAX_TOOL_NO_CERT_OUT 275
#define REDWAX_TOOL_CHAIN_OUT 276
@@ -363,6 +373,7 @@
#endif
{ "filter-date", REDWAX_TOOL_FILTER_DATE, 1, " --filter-date=date\t\tSet the date to be used for certificate\n\t\t\t\tverification. If unset, it will default to the\n\t\t\t\tcurrent time. Date format is generalized time\n\t\t\t\tsyntax as defined in RFC 4517 section 3.3.13." },
{ "filter-expiry", REDWAX_TOOL_FILTER_EXPIRY, 1, " --filter-expiry=[option]\tVerify certificate expiry. 'check' does expiry\n\t\t\t\tverification. 'ignore' allows expired\n\t\t\t\tcertificates. 'ignore-leaf' allows expired leaf\n\t\t\t\tcertificates. 'ignore-chain' allows expired\n\t\t\t\tchain certificates. Default is 'check'." },
+ { "filter-dane", REDWAX_TOOL_FILTER_DANE, 1, " --filter-dane=[option]\tVerify certificate DANE records. 'check' does\n\t\t\t\tdane verification. 'ignore' allows certificates\n\t\t\t\twith mismatched DANE TLSA or SMIMEA records.\n\t\t\t\tDefault is 'check'." },
{ "filter-purpose", REDWAX_TOOL_FILTER_PURPOSE, 1, " --filter-purpose=purpose\tSet the purpose of the certificate to verify.\n\t\t\t\tIf unset, it will default to any purpose." },
{ "text-out", REDWAX_TOOL_TEXT_OUT, 0,
" --text-out\t\t\tInclude additional text in certificate PEM and\n\t\t\t\tmetadata output." },
@@ -1815,6 +1826,56 @@
return APR_SUCCESS;
}
+static apr_status_t redwax_complete_verify_expiry(redwax_tool_t *r, const char *arg,
+ redwax_token_quoted_e quoted)
+{
+ apr_hash_t *expiries = apr_hash_make(r->pool);
+
+ apr_hash_index_t *hi;
+ void *val;
+ int arglen = strlen(arg);
+
+ rt_run_complete_verify_expiry(r, expiries);
+
+ for (hi = apr_hash_first(r->pool, expiries); hi; hi = apr_hash_next(hi)) {
+ apr_hash_this(hi, NULL, NULL, &val);
+
+ if (!strncmp(arg, (const char *)val, arglen)) {
+
+ apr_file_printf(r->out, "%s \n",
+ redwax_pescape_echo_quoted(r->pool,
+ (const char *)val, quoted, 1));
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_complete_verify_dane(redwax_tool_t *r, const char *arg,
+ redwax_token_quoted_e quoted)
+{
+ apr_hash_t *danes = apr_hash_make(r->pool);
+
+ apr_hash_index_t *hi;
+ void *val;
+ int arglen = strlen(arg);
+
+ rt_run_complete_verify_dane(r, danes);
+
+ for (hi = apr_hash_first(r->pool, danes); hi; hi = apr_hash_next(hi)) {
+ apr_hash_this(hi, NULL, NULL, &val);
+
+ if (!strncmp(arg, (const char *)val, arglen)) {
+
+ apr_file_printf(r->out, "%s \n",
+ redwax_pescape_echo_quoted(r->pool,
+ (const char *)val, quoted, 1));
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_complete_purpose(redwax_tool_t *r, const char *arg,
redwax_token_quoted_e quoted)
{
@@ -2375,6 +2436,8 @@
{
apr_status_t status = rt_run_set_verify_param(r, arg);
+ /* FIXME: detect DECLINED and exit with REDWAX_EXIT_NOTIMPL */
+
if (status) {
r->rc = REDWAX_EXIT_OPTIONS;
}
@@ -2396,6 +2459,17 @@
static apr_status_t redwax_set_verify_expiry(redwax_tool_t *r, const char *arg)
{
apr_status_t status = rt_run_set_verify_expiry(r, arg);
+
+ if (status) {
+ r->rc = REDWAX_EXIT_OPTIONS;
+ }
+
+ return status;
+}
+
+static apr_status_t redwax_set_verify_dane(redwax_tool_t *r, const char *arg)
+{
+ apr_status_t status = rt_run_set_verify_dane(r, arg);
if (status) {
r->rc = REDWAX_EXIT_OPTIONS;
@@ -2810,6 +2884,12 @@
}
case REDWAX_TOOL_FILTER_EXPIRY: {
if (redwax_set_verify_expiry(r, optarg)) {
+ return REDWAX_EXIT_OPTIONS;
+ }
+ break;
+ }
+ case REDWAX_TOOL_FILTER_DANE: {
+ if (redwax_set_verify_dane(r, optarg)) {
return REDWAX_EXIT_OPTIONS;
}
break;
@@ -3196,6 +3276,14 @@
redwax_complete_verify_param(r, optarg, state.isquoted);
break;
}
+ case REDWAX_TOOL_FILTER_EXPIRY: {
+ redwax_complete_verify_expiry(r, optarg, state.isquoted);
+ break;
+ }
+ case REDWAX_TOOL_FILTER_DANE: {
+ redwax_complete_verify_dane(r, optarg, state.isquoted);
+ break;
+ }
case REDWAX_TOOL_FILTER_PURPOSE: {
redwax_complete_purpose(r, optarg, state.isquoted);
break;
@@ -3410,6 +3498,14 @@
}
case REDWAX_TOOL_FILTER_VERIFY_PARAM: {
redwax_complete_verify_param(r, "", state.isquoted);
+ break;
+ }
+ case REDWAX_TOOL_FILTER_EXPIRY: {
+ redwax_complete_verify_expiry(r, "", state.isquoted);
+ break;
+ }
+ case REDWAX_TOOL_FILTER_DANE: {
+ redwax_complete_verify_dane(r, "", state.isquoted);
break;
}
case REDWAX_TOOL_FILTER_PURPOSE: {
@@ -3623,6 +3719,7 @@
r.ips = apr_hash_make(r.pool);
r.dns_requests = apr_array_make(r.pool, 10, sizeof(redwax_dns_t));
+ r.tlsa_qnames = apr_array_make(r.pool, 10, sizeof(const char *));
r.pkcs11_in.pkcs11_modules = apr_array_make(r.pool, 10,
sizeof(const char*));
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Tue Oct 29 23:05:22 2024
@@ -99,6 +99,11 @@
REDWAX_EXPIRY_IGNORE_LEAF,
REDWAX_EXPIRY_IGNORE_CHAIN
} redwax_expiry_e;
+
+typedef enum redwax_dane_e {
+ REDWAX_DANE_CHECK = 0,
+ REDWAX_DANE_IGNORE
+} redwax_dane_e;
typedef struct redwax_tool_t {
apr_pool_t *pool;
@@ -122,6 +127,7 @@
apr_array_header_t *keys_in;
apr_array_header_t *keys_out;
apr_array_header_t *dns_requests;
+ apr_array_header_t *tlsa_qnames;
apr_hash_t *emails;
apr_hash_t *hostnames;
apr_hash_t *ips;
@@ -155,6 +161,7 @@
redwax_format_e format;
redwax_order_e order;
redwax_expiry_e expiry;
+ redwax_dane_e dane;
int poll_work;
int current;
int cert_out;
@@ -255,6 +262,7 @@
typedef struct redwax_crl_t {
apr_pool_t *pool;
+ redwax_conf_vector_t *per_module;
const char *header;
const unsigned char *der;
apr_size_t len;
@@ -772,11 +780,35 @@
(redwax_tool_t *r, const char *arg));
/**
+ * Hook to complete the verification expiry.
+ *
+ * @param r The redwax-tool context.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, complete_verify_expiry,
+ (redwax_tool_t *r, apr_hash_t *purposes));
+
+/**
* Hook to set the verification expiry.
*
* @param r The redwax-tool context.
*/
APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, set_verify_expiry,
+ (redwax_tool_t *r, const char *arg));
+
+/**
+ * Hook to complete verification dane.
+ *
+ * @param r The redwax-tool context.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, complete_verify_dane,
+ (redwax_tool_t *r, apr_hash_t *purposes));
+
+/**
+ * Hook to set the verification dane policy.
+ *
+ * @param r The redwax-tool context.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, set_verify_dane,
(redwax_tool_t *r, const char *arg));
/**
Modified: redwax-tool/trunk/redwax_keychain.c
==============================================================================
--- redwax-tool/trunk/redwax_keychain.c (original)
+++ redwax-tool/trunk/redwax_keychain.c Tue Oct 29 23:05:22 2024
@@ -242,6 +242,8 @@
sizeof(redwax_certificate_t));
cert->pool = p;
+ cert->per_module = redwax_create_module_config(cert->pool);
+
cert->common.type = REDWAX_CERTIFICATE_X509;
CFDataRef der = SecCertificateCopyData(cref);
@@ -350,6 +352,8 @@
redwax_certificate_t *cert = apr_pcalloc(p,
sizeof(redwax_certificate_t));
cert->pool = p;
+
+ cert->per_module = redwax_create_module_config(cert->pool);
cert->common.type = REDWAX_CERTIFICATE_X509;
@@ -638,6 +642,8 @@
return status;
}
+// fixme - trusted needs own config option
+
if (APR_SUCCESS != (status = redwax_keychain_process_trusted(r))) {
return status;
}
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Tue Oct 29 23:05:22 2024
@@ -56,6 +56,14 @@
#define REDWAX_ORDER_KEY_FIRST_TEXT "key-first"
#define REDWAX_ORDER_KEY_LAST_TEXT "key-last"
+#define REDWAX_EXPIRY_CHECK_TEXT "check"
+#define REDWAX_EXPIRY_IGNORE_TEXT "ignore"
+#define REDWAX_EXPIRY_IGNORE_LEAF_TEXT "ignore-leaf"
+#define REDWAX_EXPIRY_IGNORE_CHAIN_TEXT "ignore-chain"
+
+#define REDWAX_DANE_CHECK_TEXT "check"
+#define REDWAX_DANE_IGNORE_TEXT "ignore"
+
#define REDWAX_PKCS12_MIN 8
#define REDWAX_PKCS12_MAX HUGE_STRING_LEN
@@ -65,6 +73,15 @@
SSL_CTX *dane_ctx;
SSL *dane_ssl;
} openssl_config_t;
+
+typedef struct {
+ /* verification result code */
+ int verification;
+} openssl_certificate_config_t;
+
+typedef struct {
+ /* nothing yet */
+} openssl_key_config_t;
// move to config above
static STACK_OF(X509) *cert_index;
@@ -1254,6 +1271,8 @@
}
+ cert->per_module = redwax_create_module_config(cert->pool);
+
cert->header = header;
cert->label = (const char *)X509_alias_get0(x, &label_len);
cert->label_len = label_len;
@@ -1288,6 +1307,8 @@
apr_pool_create(&cert->pool, r->pool);
+ cert->per_module = redwax_create_module_config(cert->pool);
+
cert->common.type = REDWAX_CERTIFICATE_X509;
cert->common.category = REDWAX_CERTIFICATE_TRUSTED;
@@ -1328,6 +1349,8 @@
apr_pool_create(&crl->pool, r->pool);
+ crl->per_module = redwax_create_module_config(crl->pool);
+
crl->header = header;
crl->der = data;
crl->len = len;
@@ -1412,6 +1435,9 @@
if (p8inf && pkey) {
redwax_key_t *key;
+#if 0
+ openssl_key_config_t *key_config;
+#endif
BIO *kbio;
@@ -1434,6 +1460,12 @@
key = apr_array_push(r->keys_in);
apr_pool_create(&key->pool, r->pool);
+
+ key->per_module = redwax_create_module_config(key->pool);
+#if 0
+ key_config = apr_pcalloc(key->pool, sizeof(openssl_key_config_t));
+ redwax_set_module_config(key->per_module, &openssl_module, key_config);
+#endif
key->header = header;
key->len = BIO_get_mem_data(kbio, &key->der);
@@ -1677,24 +1709,68 @@
return APR_SUCCESS;
}
+apr_status_t redwax_openssl_complete_verify_expiry(redwax_tool_t *r,
+ apr_hash_t *expiries)
+{
+ apr_hash_set(expiries, REDWAX_EXPIRY_CHECK_TEXT,
+ strlen(REDWAX_EXPIRY_CHECK_TEXT), REDWAX_EXPIRY_CHECK_TEXT);
+ apr_hash_set(expiries, REDWAX_EXPIRY_IGNORE_TEXT,
+ strlen(REDWAX_EXPIRY_IGNORE_TEXT), REDWAX_EXPIRY_IGNORE_TEXT);
+ apr_hash_set(expiries, REDWAX_EXPIRY_IGNORE_LEAF_TEXT,
+ strlen(REDWAX_EXPIRY_IGNORE_LEAF_TEXT), REDWAX_EXPIRY_IGNORE_LEAF_TEXT);
+ apr_hash_set(expiries, REDWAX_EXPIRY_IGNORE_CHAIN_TEXT,
+ strlen(REDWAX_EXPIRY_IGNORE_CHAIN_TEXT), REDWAX_EXPIRY_IGNORE_CHAIN_TEXT);
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_openssl_set_verify_expiry(redwax_tool_t *r, const char *arg)
{
- if (!strcmp(arg, "check")) {
+ if (!strcmp(arg, REDWAX_EXPIRY_CHECK_TEXT)) {
r->expiry = REDWAX_EXPIRY_CHECK;
}
- else if (!strcmp(arg, "ignore")) {
+ else if (!strcmp(arg, REDWAX_EXPIRY_IGNORE_TEXT)) {
r->expiry = REDWAX_EXPIRY_IGNORE;
}
- else if (!strcmp(arg, "ignore-leaf")) {
+ else if (!strcmp(arg, REDWAX_EXPIRY_IGNORE_LEAF_TEXT)) {
r->expiry = REDWAX_EXPIRY_IGNORE_LEAF;
}
- else if (!strcmp(arg, "ignore-chain")) {
+ else if (!strcmp(arg, REDWAX_EXPIRY_IGNORE_CHAIN_TEXT)) {
r->expiry = REDWAX_EXPIRY_IGNORE_CHAIN;
}
else {
redwax_print_error(r,
"Verify expiry not one of 'check', 'ignore', 'ignore-leaf' or 'ignore-chain': %s\n", arg);
+ return APR_EINVAL;
+ }
+
+ return APR_SUCCESS;
+}
+
+apr_status_t redwax_openssl_complete_verify_dane(redwax_tool_t *r,
+ apr_hash_t *danes)
+{
+ apr_hash_set(danes, REDWAX_DANE_CHECK_TEXT,
+ strlen(REDWAX_DANE_CHECK_TEXT), REDWAX_DANE_CHECK_TEXT);
+ apr_hash_set(danes, REDWAX_DANE_IGNORE_TEXT,
+ strlen(REDWAX_DANE_IGNORE_TEXT), REDWAX_DANE_IGNORE_TEXT);
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_openssl_set_verify_dane(redwax_tool_t *r, const char *arg)
+{
+
+ if (!strcmp(arg, "check")) {
+ r->dane = REDWAX_DANE_CHECK;
+ }
+ else if (!strcmp(arg, "ignore")) {
+ r->dane = REDWAX_DANE_IGNORE;
+ }
+ else {
+ redwax_print_error(r,
+ "Verify dane not one of 'check' or 'ignore': %s\n", arg);
return APR_EINVAL;
}
@@ -2071,6 +2147,9 @@
X509_STORE_CTX_get_ex_data(ctx,
redwax_get_x509_store_ctx_index());
+ redwax_certificate_t *cert =
+ X509_get_ex_data(current_cert, redwax_get_x509_index());
+
if ((bio = BIO_new(BIO_s_mem())) == NULL) {
return 0;
}
@@ -2081,6 +2160,16 @@
0, XN_FLAG_RFC2253);
len = BIO_get_mem_data(bio, &buf);
}
+
+ openssl_certificate_config_t *config = redwax_get_module_config(cert->per_module, &openssl_module);
+
+ if (!config) {
+ config = apr_pcalloc(cert->pool, sizeof(openssl_certificate_config_t));
+ redwax_set_module_config(cert->per_module, &openssl_module, config);
+ }
+
+ /* set verification result */
+ config->verification = X509_STORE_CTX_get_error(ctx);
if ((r->expiry == REDWAX_EXPIRY_IGNORE
|| (r->expiry == REDWAX_EXPIRY_IGNORE_LEAF && depth == 0)
@@ -2092,6 +2181,14 @@
"verify-filter: %d: %.*s: certificate expired, accepting anyway\n",
X509_STORE_CTX_get_error_depth(ctx), len, buf);
}
+ else if ((r->dane == REDWAX_DANE_IGNORE)
+ && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_DANE_NO_MATCH) {
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ ok = 1;
+ redwax_print_error(r,
+ "verify-filter: %d: %.*s: dane mismatch, accepting anyway\n",
+ X509_STORE_CTX_get_error_depth(ctx), len, buf);
+ }
else if (!ok) {
redwax_print_error(r,
"verify-filter: %d: %.*s: verify failed: %s\n",
@@ -2226,6 +2323,8 @@
X509_STORE_CTX_set_ex_data(ctx,
redwax_get_x509_store_ctx_index(), (void *)r);
+
+ X509_set_ex_data(x, redwax_get_x509_index(), (void *)cert);
X509_STORE_CTX_set0_trusted_stack(ctx, trusted_index);
X509_STORE_CTX_set0_crls(ctx, crl_index);
@@ -3239,6 +3338,8 @@
apr_pool_create(&key->pool, r->pool);
+ key->per_module = redwax_create_module_config(key->pool);
+
if ((kbio = BIO_new(BIO_s_mem())) == NULL) {
return APR_ENOMEM;
}
@@ -3309,6 +3410,8 @@
key = apr_array_push(r->keys_in);
apr_pool_create(&key->pool, r->pool);
+
+ key->per_module = redwax_create_module_config(key->pool);
if ((kbio = BIO_new(BIO_s_mem())) == NULL) {
return APR_ENOMEM;
@@ -4906,6 +5009,13 @@
{
X509 *x = NULL;
+ openssl_certificate_config_t *conf = redwax_get_module_config(cert->per_module, &openssl_module);
+
+ if (!conf) {
+ conf = apr_pcalloc(cert->pool, sizeof(openssl_certificate_config_t));
+ redwax_set_module_config(cert->per_module, &openssl_module, conf);
+ }
+
redwax_metadata_push_object(m, "Certificate", 0);
redwax_metadata_add_string(m, "Origin", cert->origin);
if (cert->common.type == REDWAX_CERTIFICATE_X509 && cert->x509 &&
@@ -5037,6 +5147,10 @@
else {
valid_status = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
}
+ }
+
+ if (conf->verification == X509_V_ERR_DANE_NO_MATCH) {
+ valid_error = apr_psprintf(m->pool, "DANE mismatch: TLSA records do not match: %s", apr_array_pstrcat(r->pool, r->tlsa_qnames, ','));
}
if (valid_error) {
@@ -5960,7 +6074,7 @@
}
static apr_status_t redwax_openssl_normalise_certificate(redwax_tool_t *r,
- redwax_certificate_t *cert, int index)
+ redwax_certificate_t *cert, int must_index)
{
/*
@@ -6004,7 +6118,7 @@
}
/* handle indexing */
- if (index) {
+ if (must_index) {
switch (cert->common.category) {
case REDWAX_CERTIFICATE_END_ENTITY: {
@@ -6237,7 +6351,10 @@
rt_hook_complete_verify_param(redwax_openssl_complete_verify_param, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_set_verify_param(redwax_openssl_set_verify_param, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_set_verify_date(redwax_openssl_set_verify_date, NULL, NULL, APR_HOOK_MIDDLE);
+ rt_hook_complete_verify_expiry(redwax_openssl_complete_verify_expiry, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_set_verify_expiry(redwax_openssl_set_verify_expiry, NULL, NULL, APR_HOOK_MIDDLE);
+ rt_hook_complete_verify_dane(redwax_openssl_complete_verify_dane, NULL, NULL, APR_HOOK_MIDDLE);
+ rt_hook_set_verify_dane(redwax_openssl_set_verify_dane, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_complete_purpose(redwax_openssl_complete_purpose, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_set_purpose(redwax_openssl_set_purpose, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_pem_in(redwax_openssl_process_pem_in, NULL, NULL, APR_HOOK_MIDDLE);
Modified: redwax-tool/trunk/redwax_p11kit.c
==============================================================================
--- redwax-tool/trunk/redwax_p11kit.c (original)
+++ redwax-tool/trunk/redwax_p11kit.c Tue Oct 29 23:05:22 2024
@@ -62,6 +62,14 @@
#define CK_CERTIFICATE_CATEGORY_AUTHORITY 2UL
#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY 3UL
#endif
+
+typedef struct {
+ /* nothing yet */
+} p11kit_certificate_config_t;
+
+typedef struct {
+ /* nothing yet */
+} p11kit_key_config_t;
typedef struct redwax_pkcs11_session_t {
CK_FUNCTION_LIST *module;
@@ -1839,13 +1847,25 @@
};
int cert_template_len = 3;
+ redwax_certificate_t *cert;
+#if 0
+ p11kit_certificate_config_t *cert_config;
+#endif
+
apr_pool_t *p;
apr_pool_create(&p, r->pool);
- redwax_certificate_t *cert = apr_pcalloc(p,
+ cert = apr_pcalloc(p,
sizeof(redwax_certificate_t));
+
cert->pool = p;
+
+ cert->per_module = redwax_create_module_config(cert->pool);
+#if 0
+ cert_config = apr_pcalloc(cert->pool, sizeof(p11kit_certificate_config_t));
+ redwax_set_module_config(cert->per_module, &p11kit_module, cert_config);
+#endif
ret = redwax_p11kit_read_attributes(cert->pool, module, session, object,
cert_template, cert_template_len);
@@ -1996,6 +2016,9 @@
if (CKK_RSA == type) {
redwax_key_t *key;
+#if 0
+ p11kit_key_config_t *key_config;
+#endif
CK_ATTRIBUTE key_template[] =
{ { CKA_MODULUS, NULL_PTR, 0 },
@@ -2012,6 +2035,12 @@
key = apr_array_push(r->keys_in);
apr_pool_create(&key->pool, r->keys_in->pool);
+
+ key->per_module = redwax_create_module_config(key->pool);
+#if 0
+ key_config = apr_pcalloc(key->pool, sizeof(p11kit_key_config_t));
+ redwax_set_module_config(key->per_module, &p11kit_module, key_config);
+#endif
key->common.type = REDWAX_KEY_RSA;
Modified: redwax-tool/trunk/redwax_unbound.c
==============================================================================
--- redwax-tool/trunk/redwax_unbound.c (original)
+++ redwax-tool/trunk/redwax_unbound.c Tue Oct 29 23:05:22 2024
@@ -150,6 +150,8 @@
if (uri.port) {
+ const char **qname;
+
const char *tlsa = apr_psprintf(r->pool, "_%d._%s.%s", uri.port, uri.scheme, uri.hostname);
redwax_dns_t *dns = apr_array_push(r->dns_requests);
@@ -161,6 +163,9 @@
dns->rrclass = 1 /* CLASS IN (internet) */;
dns->cb = rt_run_process_tlsa;
+ qname = apr_array_push(r->tlsa_qnames);
+ *qname = tlsa;
+
return APR_SUCCESS;
}
else {
@@ -181,6 +186,8 @@
while ((ent = getservent())) {
if (!strcmp(uri.scheme, ent->s_name)) {
+
+ const char **qname;
const char *tlsa = apr_psprintf(r->pool, "_%d._%s.%s",
uri.port ? uri.port : ntohs(ent->s_port),
@@ -195,6 +202,9 @@
dns->rrclass = 1 /* CLASS IN (internet) */;
dns->cb = rt_run_process_tlsa;
+ qname = apr_array_push(r->tlsa_qnames);
+ *qname = tlsa;
+
found = 1;
}
More information about the rt-commit
mailing list