From: Narasimha S. <nsh...@us...> - 2011-06-01 21:01:46
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "SFCB - Small Footprint CIM Broker". The branch, master has been updated via db20e94be2bb895cacf61b5648c11403edb66b01 (commit) from a308ad3ec7861cf10d27cd1f5214d17ba023e8c7 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit db20e94be2bb895cacf61b5648c11403edb66b01 Author: Narasimha Sharoff <nsh...@us...> Date: Wed Jun 1 13:57:29 2011 -0700 [ 3259627 ] provide a list of acceptable CAs to client ----------------------------------------------------------------------- Summary of changes: diff --git a/ChangeLog b/ChangeLog index f75ffcc..24f1cc4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2011-06-01 Narasimha Sharoff <nsh...@us...> + + * control.c, genSslCert.sh, httpAdapter.c, sfcb.cfg.pre.in + [ 3259627 ] provide a list acceptable CAs to client + 2011-05-30 Chris Buccella <buc...@li...> * 10_interop.mof, default.reg.in, interopServerProvider.c, diff --git a/NEWS b/NEWS index 510938b..dec5553 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,7 @@ New features: - 3280992 Add systemd file to SFCB sources - 3177587 create sfcCommon (SFCB 1.4 now requires sfcCommon lib to be installed) - 3309374 Implement CIM_CIMXMLCommunicationMechanism +- 3259627 provide a list acceptable CAs to client Bugs fixed: - 3199899 sfcb uninstall process should remove test mof's diff --git a/control.c b/control.c index 5ed1d8a..217bffa 100644 --- a/control.c +++ b/control.c 
@@ -93,6 +93,7 @@ Control init[] = { {"sslKeyFilePath", 0, SFCB_CONFDIR "/file.pem"}, {"sslCertificateFilePath", 0, SFCB_CONFDIR "/server.pem"}, + {"sslCertList", 0, SFCB_CONFDIR "/clist.pem"}, {"registrationDir", 0, SFCB_STATEDIR "/registration"}, {"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: diff --git a/genSslCert.sh b/genSslCert.sh index 1e7d544..9bf6320 100644 --- a/genSslCert.sh +++ b/genSslCert.sh @@ -47,8 +47,9 @@ chmod 700 $DIR/*.pem if [ $DO_SERVER = yes ] then cp $DIR/cert.pem $TARGETDIR/server.pem + cp $DIR/cert.pem $TARGETDIR/clist.pem cp $DIR/key.pem $TARGETDIR/file.pem - chmod 400 $TARGETDIR/server.pem $TARGETDIR/file.pem + chmod 400 $TARGETDIR/server.pem $TARGETDIR/file.pem $TARGETDIR/clist.pem fi if [ $DO_CLIENT = yes ] diff --git a/httpAdapter.c b/httpAdapter.c index 130e633..aa2bee0 100644 --- a/httpAdapter.c +++ b/httpAdapter.c @@ -105,6 +105,8 @@ static X509 *x509 = NULL; int ccVerifyMode = CC_VERIFY_IGNORE; static int get_cert(int, X509_STORE_CTX *); static int ccValidate(X509 *, char **, int); +static int load_cert(const char *); +static void print_cert(const char *cert_file, const STACK_OF(X509_NAME) *); #endif /* return codes used by baValidate */ @@ -1549,7 +1551,8 @@ initSSL() char *fnc, *fnk, *fnt, - *fnl; + *fnl, + *fcert; int rc; ctx = SSL_CTX_new(SSLv23_method()); getControlChars("sslCertificateFilePath", &fnc); @@ -1562,6 +1565,8 @@ initSSL() intSSLerror("Error loading private key from file"); getControlChars("sslClientCertificate", &fnl); _SFCB_TRACE(1, ("--- sslClientCertificate = %s", fnl)); + getControlChars("sslCertList", &fcert); + load_cert(fcert); if (strcasecmp(fnl, "ignore") == 0) { ccVerifyMode = CC_VERIFY_IGNORE; SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); 
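Review bot: The return value of `load_cert(fcert);` is discarded, so a missing or unreadable CA list is only logged and initSSL carries on; because the call sits before the sslClientCertificate branch, the server can come up in accept or require mode while advertising no acceptable CA names at all. The hunk already aborts through intSSLerror when the private key cannot be loaded, and the same treatment fits here once the verify mode is known, e.g. `if (load_cert(fcert) != 0 && strcasecmp(fnl, "ignore") != 0) intSSLerror("Error loading SSL CA list");`. Whether intSSLerror is fatal is not visible in this hunk, so confirm that before relying on it. initSSL begins and ends outside this hunk.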
@@ -1955,6 +1960,54 @@ ccValidate(X509 * certificate, char **principal, int mode)
 }
 _SFCB_RETURN(result);
 }
+
+/*
+ * Load the list of certificates accepted by the server into ctx object
+ * This information will be sent to the client during SSL handshake
+*/
+static int
+load_cert(const char *cert_file)
+{
+ STACK_OF(x509_NAME) *cert_names;
+
+ if (cert_file == NULL) {
+ mlogf(M_ERROR, M_SHOW,
+ "--- SSL CA list: file %s not found\n", cert_file);
+ return -1;
+ }
+ cert_names = SSL_load_client_CA_file(cert_file);
+ if (cert_names == NULL) {
+ mlogf(M_ERROR, M_SHOW,
+ "--- SSL CA list: cannot read file %s\n", cert_file);
+ return -1;
+ } else {
+#ifdef SFCB_DEBUG
+ print_cert(cert_file, cert_names);
+#endif
+ SSL_CTX_set_client_CA_list(ctx, cert_names);
+ }
+
+ return 0;
+}
+
+/* Print the list of certificates in CTX */
+static void
+print_cert(const char *cert_file, const STACK_OF(X509_NAME) *cert_names)
+{
+ char *str = NULL;
+ int i = 0;
+
+ _SFCB_ENTER(TRACE_HTTPDAEMON, "print_cert");
+ mlogf(M_INFO, M_SHOW, "--- SSL CA list loaded from %s\n", cert_file);
+ if (sk_X509_NAME_num(cert_names) > 0) {
+ for (i=0; i < sk_X509_NAME_num(cert_names); i++) {
+ str = X509_NAME_oneline(sk_X509_NAME_value(cert_names, i),0,0);
+ _SFCB_TRACE(4, ("\t Name #%d:%s\n", (i+1), str));
+ free(str);
+ }
+ }
+ return;
+}
 #endif
 /* MODELINES */
 /* DO NOT EDIT BELOW THIS COMMENT */
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index acc28ba..70385f2 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
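Review bot: `STACK_OF(x509_NAME) *cert_names;` in load_cert names an unrelated, undeclared struct tag (lowercase x), so the assignment from SSL_load_client_CA_file and the calls to print_cert and SSL_CTX_set_client_CA_list only go through on incompatible-pointer-type warnings; it should read `STACK_OF(X509_NAME) *cert_names;`. In print_cert the buffer returned by X509_NAME_oneline is allocated by OpenSSL and may be NULL, so the loop should skip it with `if (str == NULL) continue;` and release it with `OPENSSL_free(str);` rather than plain free(). The NULL branch in load_cert also passes a NULL cert_file to a `%s` conversion, which the C standard leaves undefined; logging `"--- SSL CA list: no file configured\n"` without the argument avoids that. As a style point, print_cert opens with _SFCB_ENTER but leaves through a bare `return;` instead of the _SFCB_RETURN/exit macro that the neighbouring ccValidate uses, which presumably leaves the trace nesting unbalanced.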
@@ -166,6 +166,10 @@ sslKeyFilePath: @sysconfdir@/sfcb/file.pem ## Default is @sysconfdir@/sfcb/server.pem sslCertificateFilePath: @sysconfdir@/sfcb/server.pem +## Filename containing list of certificates server accepts +## Default is @sysconfdir@/sfcb/clist.pem +sslCertList: @sysconfdir@/sfcb/clist.pem + ## How SFCB handles client certificate based authentication. ## ignore - do not request a certificate from the client ## accept - request a certificate from the client; do not fail if not presented hooks/post-receive -- SFCB - Small Footprint CIM Broker |
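Review bot: The comment on the new `sslCertList` key overstates what the file does: through SSL_CTX_set_client_CA_list it only supplies the subject names the server advertises to the client as acceptable issuers, and which client certificates are actually accepted is still decided by sslClientCertificate and the trust store configured elsewhere. Suggested wording: `## File with the CA certificates whose subject names are advertised to clients as acceptable issuers of client certificates` followed by `## (only meaningful when sslClientCertificate is not 'ignore'; does not by itself change which client certificates are verified)`. It is also worth noting that genSslCert.sh seeds this file with a copy of the server's own certificate, so an operator whose client certificates come from a separate CA has to replace it.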