author | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2005-11-28 11:04:31 +0000 |
---|---|---|
committer | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2005-11-28 11:04:31 +0000 |
commit | 714dd79720d6e6ff8dfb1bc2fae3ec716aec25cb (patch) | |
tree | 65328570b94b0b92ab133a508762d97a922af5c5 | |
parent | bae5c341934999331f859535097860f419cc8265 (diff) | |
download | neon-714dd79720d6e6ff8dfb1bc2fae3ec716aec25cb.tar.gz |
Merge r759, r760, r761 from trunk:
* src/ne_openssl.c (ne_ssl_clicert_decrypt): Check that private
key/cert match.
* test/makekeys.sh: Create a PKCS#12 client cert with embedded CA
cert.
* test/Makefile.in (clean): Clean all PKCS#12 certs.
* test/ssl.c (load_client_cert): Load the new cert.
* test/ssl.c (wildcard_init): Update error message now most hostname
commands should work OK.
git-svn-id: http://svn.webdav.org/repos/projects/neon/branches/0.25.x@762 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
-rw-r--r-- | src/ne_openssl.c | 8 | ||||
-rw-r--r-- | test/Makefile.in | 2 | ||||
-rwxr-xr-x | test/makekeys.sh | 3 | ||||
-rw-r--r-- | test/ssl.c | 11 |
4 files changed, 21 insertions, 3 deletions
diff --git a/src/ne_openssl.c b/src/ne_openssl.c index e95f0b7..794858c 100644 --- a/src/ne_openssl.c +++ b/src/ne_openssl.c @@ -792,6 +792,14 @@ int ne_ssl_clicert_decrypt(ne_ssl_client_cert *cc, const char *password) return -1; } + if (X509_check_private_key(cert, pkey) != 1) { + ERR_clear_error(); + X509_free(cert); + EVP_PKEY_free(pkey); + NE_DEBUG(NE_DBG_SSL, "Decrypted private key/cert are not matched."); + return -1; + } + PKCS12_free(cc->p12); populate_cert(&cc->cert, cert); cc->pkey = pkey; diff --git a/test/Makefile.in b/test/Makefile.in index a0ccf24..d633940 100644 --- a/test/Makefile.in +++ b/test/Makefile.in @@ -68,7 +68,7 @@ clean: rm -f *.gc* *.da *.bb* common/*.bb* common/*.gc* common/*.da rm -rf ca .libs rm -f ca-stamp client.key *.csr ssigned.pem wrongcn.pem \ - server.cert client.cert client.p12 *.cert sparse.bin + server.cert client.cert *.p12 *.cert sparse.bin check: $(TESTS) $(HELPERS) @SRCDIR=$(srcdir) $(SHELL) $(srcdir)/run.sh $(TESTS) diff --git a/test/makekeys.sh b/test/makekeys.sh index 81a044b..586ed6f 100755 --- a/test/makekeys.sh +++ b/test/makekeys.sh @@ -171,6 +171,9 @@ echo | ${MKPKCS12} -name "An Unencrypted Neon Client Cert" -out unclient.p12 # generate a PKCS#12 cert with no friendly name echo | ${MKPKCS12} -out noclient.p12 +# a PKCS#12 cert including a bundled CA cert +echo foobar | ${MKPKCS12} -certfile ca/cert.pem -name "A Neon Client Cert With CA" -out clientca.p12 + ### a file containing a complete chain cat ca/cert.pem server.cert > chain.pem @@ -1,6 +1,6 @@ /* neon test suite - Copyright (C) 2002-2004, Joe Orton <joe@manyfish.co.uk> + Copyright (C) 2002-2005, Joe Orton <joe@manyfish.co.uk> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
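Review bot: In the ne_ssl_clicert_decrypt hunk of src/ne_openssl.c, the new `X509_check_private_key(cert, pkey)` call has no visible guard that both pointers are non-NULL. The parse step above the hunk (presumably PKCS12_parse) can report success for a file holding only a key or only a certificate, and older OpenSSL releases may dereference a NULL argument in this comparison. Unless code outside the hunk already rejects that case, the condition would be safer as `if (cert == NULL || pkey == NULL || X509_check_private_key(cert, pkey) != 1) {`; the existing `X509_free`/`EVP_PKEY_free` cleanup accepts NULL. The mismatch is reported only through NE_DEBUG, so a caller sees the same -1 as for a wrong password; a one-line comment stating that this is intentional would help. The function begins and ends outside the hunk.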
@@ -368,6 +368,13 @@ static int load_client_cert(void) ONV(name != NULL, ("noclient.p12 had friendly name `%s'", name)); ne_ssl_clicert_free(cc); + /* test for ccert without a friendly name, noclient.p12 */ + cc = ne_ssl_clicert_read("clientca.p12"); + ONN("could not load clientca.p12", cc == NULL); + ONN("encrypted cert marked unencrypted?", !ne_ssl_clicert_encrypted(cc)); + ONN("could not decrypt clientca.p12", ne_ssl_clicert_decrypt(cc, "foobar")); + ne_ssl_clicert_free(cc); + /* tests for loading bogus files. */ cc = ne_ssl_clicert_read("Makefile"); ONN("loaded Makefile as client cert!?", cc != NULL); @@ -482,7 +489,7 @@ static int wildcard_init(void) struct stat stbuf; t_context("wildcard.cert not found:\n" - "This test requires a Linux-like hostname command, see makekeys.sh"); + "Could not determine hostname/FQDN from makekeys.sh"); PRECOND(stat("wildcard.cert", &stbuf) == 0); PRECOND(lookup_hostname() == OK); |
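Review bot: The comment added in the load_client_cert hunk, `/* test for ccert without a friendly name, noclient.p12 */`, is copied from the preceding case and does not describe the new block, which loads clientca.p12. It should read something like `/* test for an encrypted ccert with a bundled CA cert, clientca.p12 */`. The new case also covers only the success path: nothing visible in this commit feeds ne_ssl_clicert_decrypt a PKCS#12 file whose key and certificate do not match, so the check added in src/ne_openssl.c is never exercised with a failing input. If such a fixture can be generated in makekeys.sh, an assertion that decryption returns non-zero for it would pin the new behaviour. load_client_cert begins and ends outside the hunk.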