The last line of code is the interesting one, I assume. You can replace the three usual functions for loading a client key, a client cert and verify locations by code like the following.

It takes first a PKCS#12 file containing a key, a cert and a CA cert. The CA cert is assumed to be the 'trustworthy one'. You can of course have more certs and another logic that may not take all additional certs or else.

    /* read the PKCS#12 file and decode it into a PKCS12 structure */
    if (!(p12bio = BIO_new_file(p.p12file, "rb"))) {
        BIO_printf(p.errorbio, "Error opening P12 file %s\n", p.p12file);
        goto err;
    }
    if (!(p.p12 = d2i_PKCS12_bio(p12bio, NULL))) {
        BIO_printf(p.errorbio, "Cannot decode P12 structure %s\n", p.p12file);
        goto err;
    }

    /* check the MAC with the passphrase p.pst and pull out key, cert and CA stack */
    p.ca = NULL;
    if (!(PKCS12_parse(p.p12, p.pst, &(p.pkey), &(p.usercert), &(p.ca)))) {
        BIO_printf(p.errorbio, "Invalid P12 structure in %s\n", p.p12file);
        goto err;
    }
    if (sk_X509_num(p.ca) <= 0) {
        BIO_printf(p.errorbio, "No trustworthy CA given in %s\n", p.p12file);
        goto err;
    }

Here we have all data loaded into memory.

    /* client identity: cert first, then key, then check that the two match */
    if (!SSL_CTX_use_certificate(ctx, p.usercert)) {
        BIO_printf(p.errorbio, "SSL_CTX_use_certificate problem\n");
        goto err;
    }
    if (!SSL_CTX_use_PrivateKey(ctx, p.pkey)) {
        BIO_printf(p.errorbio, "SSL_CTX_use_PrivateKey\n");
        goto err;
    }
    if (!SSL_CTX_check_private_key(ctx)) {
        BIO_printf(p.errorbio, "SSL_CTX_check_private_key\n");
        goto err;
    }

    /* trust anchor: the last cert of the CA stack goes into the context's store
     * (SSL_CTX_get_cert_store() instead of reaching into ctx->cert_store directly) */
    if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),
                             sk_X509_value(p.ca, sk_X509_num(p.ca) - 1))) {
        BIO_printf(p.errorbio, "X509_STORE_add_cert\n");
        goto err;
    }

The previous call is the one you were looking at. You could instead have used a buffer with the cert (openssl x509 -C) and d2i_X509 to parse it.

The full program can be found in the docs/examples/curlx.c available at curl.haxx.se

Have fun

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]