Load chain of certificates and all CA certificates from DB

(cherry picked from commit ad15924)
OpenSIPS · May 29, 2019 · 023eb2d · 023eb2d
1 parent ff3588c
commit 023eb2d
Showing 1 changed file with 35 additions and 21 deletions.
diff --git a/modules/tls_mgm/tls_mgm.c b/modules/tls_mgm/tls_mgm.c
@@ -68,6 +68,7 @@
 #include "../../str_list.h"
 
 #include "../../net/proto_tcp/tcp_common_defs.h"
+#include "tls_conn_server.h"
 #include "tls_config.h"
 #include "tls_domain.h"
 #include "tls_params.h"
@@ -971,8 +972,6 @@ static int load_certificate(SSL_CTX * ctx, char *filename)
 	return 0;
 }
 
-/* TODO: currently we can't load a chain of certificates from database
-*/
 static int load_certificate_db(SSL_CTX * ctx, str *blob)
 {
 	X509 *cert = NULL;
@@ -985,18 +984,36 @@ static int load_certificate_db(SSL_CTX * ctx, str *blob)
 	}
 
 	cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
-	BIO_free(cbio);
 	if (!cert) {
-		LM_ERR("unable to load certificate from buffer\n");
+		LM_ERR("Unable to load certificate from buffer\n");
+		BIO_free(cbio);
 		return -1;
 	}
 
 	if (! SSL_CTX_use_certificate(ctx, cert)) {
-		LM_ERR("unable to use certificate\n");
+		LM_ERR("Unable to use certificate\n");
+		X509_free(cert);
+		BIO_free(cbio);
+		return -1;
 	}
-
+	tls_dump_cert_info("Certificate loaded: ", cert);
 	X509_free(cert);
-	LM_DBG("successfully loaded\n");
+
+	while ((cert = PEM_read_bio_X509(cbio, NULL, 0, NULL)) != NULL) {
+		if (!SSL_CTX_add_extra_chain_cert(ctx, cert)){
+			tls_dump_cert_info("Unable to add chain cert: ", cert);
+			X509_free(cert);
+			BIO_free(cbio);
+			return -1;
+		}
+		/* The x509 certificate provided to SSL_CTX_add_extra_chain_cert()
+		*	will be freed by the library when the SSL_CTX is destroyed.
+		*	An application should not free the x509 object.a*/
+		tls_dump_cert_info("Chain certificate loaded: ", cert);
+	}
+
+	BIO_free(cbio);
+	LM_DBG("Successfully loaded\n");
 	return 0;
 }
 
@@ -1108,7 +1125,7 @@ static int load_ca(SSL_CTX * ctx, char *filename)
 static int load_ca_db(SSL_CTX * ctx, str *blob)
 {
 	X509_STORE *store;
-	X509 *cert;
+	X509 *cert = NULL;
 	BIO *cbio;
 
 	cbio = BIO_new_mem_buf((void*)blob->s,blob->len);
@@ -1118,28 +1135,25 @@ static int load_ca_db(SSL_CTX * ctx, str *blob)
 		return -1;
 	}
 
-	cert = PEM_read_bio_X509(cbio, NULL, 0, NULL);
-	BIO_free(cbio);
-
-	if (!cert) {
-		LM_ERR("unable to load certificate from buffer\n");
-		return -1;
-	}
-
 	store =  SSL_CTX_get_cert_store(ctx);
 	if(!store) {
-		X509_free(cert);
+		BIO_free(cbio);
 		LM_ERR("Unable to get X509 store from ssl context\n");
 		return -1;
 	}
 
-	if (!X509_STORE_add_cert(store, cert)){
+	while ((cert = PEM_read_bio_X509_AUX(cbio, NULL, 0, NULL)) != NULL) {
+		tls_dump_cert_info("CA loaded: ", cert);
+		if (!X509_STORE_add_cert(store, cert)){
+			tls_dump_cert_info("Unable to add ca: ", cert);
+			X509_free(cert);
+			BIO_free(cbio);
+			return -1;
+		}
 		X509_free(cert);
-		LM_ERR("Unable to add ca\n");
-		return -1;
 	}
 
-	X509_free(cert);
+	BIO_free(cbio);
 	LM_DBG("CA successfully loaded\n");
 	return 0;
 }