diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 802690b..05386cf 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -149,6 +149,7 @@ struct ssl_mgr
 char * ecdhcurve;
 char * crl_url;
+ unsigned int trusted_cert_load_local;
 struct cert_store_param cert_verify_param;
 uint8_t ssl_mode_release_buffers;
 char trusted_cert_file[TFE_PATH_MAX];
@@ -705,13 +706,18 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 goto error_out;
 }
- MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
- "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
-
- MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
- "./resource/tfe/trusted_storage");
+ MESA_load_profile_uint_def(ini_profile, section, "trusted_cert_load_local",
+ &(mgr->trusted_cert_load_local), 1);
+ MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0);
-
+ if(mgr->trusted_cert_load_local)//Other wise, use policy defined trusted CA file.
+ {
+ MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
+ "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
+
+ MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
+ "./resource/tfe/trusted_storage");
+ }
 mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param));
 if (mgr->trust_CA_store == NULL)
 {
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index 80394fe..096db2d 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
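Review bot: When `trusted_cert_load_local` is 0 the new `if` block skips both `MESA_load_profile_string_def` calls, so `mgr->trusted_cert_file` and `mgr->trusted_cert_dir` reach `ssl_trusted_cert_storage_create` holding whatever the allocation of `mgr` left in them, and nothing in the hunk zeroes them or loads the "policy defined" CA file the comment promises. If `mgr` is not zero-initialised (its allocation is outside the hunk) the callee's `strlen(pem_bundle)` reads uninitialised bytes; if it is, the store is built with no trust anchors at all and returned non-NULL, so verification silently runs against an empty store. I would add an explicit branch, `else { mgr->trusted_cert_file[0] = '\0'; mgr->trusted_cert_dir[0] = '\0'; }`, and log at warning level that no local trust anchors were configured so the empty-store case is visible in operations. The default of 1 keeps existing deployments unchanged, while `check_cert_crl` defaulting to 0 means revocation checking stays off unless opted in, which the profile documentation should state. ssl_manager_init continues outside the hunk.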
@@ -109,12 +109,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
 {
 return NULL;
 }
- ret = X509_STORE_load_locations(store, pem_bundle, NULL);
- if (ret == 0)
+ if(pem_bundle&&strlen(pem_bundle)>0)
 {
- return NULL;
+ ret = X509_STORE_load_locations(store, pem_bundle, NULL);
+ if (ret == 0)
+ {
+ return NULL;
+ }
+ TFE_LOG_INFO(g_default_logger, "X509 trust store load pem boundle: %s", pem_bundle);
 }
-
 X509_VERIFY_PARAM *x509_param=NULL;
 if(param->check_crl)
 {
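Review bot: The `+ return NULL;` inside the new `if(pem_bundle&&strlen(pem_bundle)>0)` block leaves the `store` allocated before the hunk unfreed, and the failure is silent — a mistyped bundle path hands the caller a NULL with no log line saying why. Change it to `X509_STORE_free(store); return NULL;` and emit an error-level log (whatever level the `TFE_LOG_*` family offers above INFO) naming `pem_bundle`, ideally with the OpenSSL error string. Note also that an empty `pem_bundle` is now accepted instead of failing `X509_STORE_load_locations`, so the store can legitimately leave this hunk with zero anchors; a line for the skipped case, `TFE_LOG_INFO(g_default_logger, "X509 trust store: no pem bundle configured");`, would make that state visible. _X509_store_create starts before the hunk and continues past it.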
@@ -122,31 +125,35 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
 X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK);
 X509_STORE_set1_param(store, x509_param);
 X509_VERIFY_PARAM_free(x509_param);
+ TFE_LOG_INFO(g_default_logger, "X509 trust store enable CRL check");
 }
 struct dirent **namelist = NULL;
- n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
- if(n < 0)
+ if(pem_dir&&strlen(pem_dir)>0)
 {
- return store;
- }
-
- for(i=0;id_name);
- if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+ n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
+ if(n < 0)
 {
- _X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+ return store;
 }
- else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+
+ for(i=0;id_name);
+ if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+ {
+ _X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+ }
+ else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+ {
+ _X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
+ }
+
+ TFE_LOG_INFO(g_default_logger, "X509 trust store found X509 additive trust CA: %s", path);
+ free(namelist[i]);
 }
- TFE_LOG_INFO(g_default_logger, "Found X509 additive trust CA: %s", path);
- free(namelist[i]);
+ free(namelist);
 }
-
- free(namelist);
 return store;
 }
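Review bot: The suffix tests re-emitted inside the new `if(pem_dir&&strlen(pem_dir)>0)` block still compute `namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem")` with no length check, and if `tfe_scandir` behaves like scandir(3) the NULL filter means the list always contains "." and "..", whose names are shorter than four bytes, so the pointer lands before `d_name` — undefined behaviour even though the bytes read happen to sit inside the dirent. Take the length once and guard both branches: `size_t name_len = strlen(namelist[i]->d_name);` then `if(name_len > 4 && 0==strcasecmp(namelist[i]->d_name+name_len-4, ".pem"))`, mirrored for ".crl". The "found X509 additive trust CA" INFO line is also emitted for every entry, matched or not, and regardless of whether `_X509_add_cert_or_crl_add` succeeded; if it returns a status (not visible here), log on that instead, because every *.pem in this directory becomes a trust anchor and this log is the only record of what was actually accepted. The `for`/`snprintf` lines appear garbled in this rendering (`for(i=0;id_name);`), so the loop header and the path formatting could not be reviewed. _X509_store_create starts before the hunk.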