Add requestCAfile option

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
This commit is contained in:
Dr. Stephen Henson 2017-03-20 18:32:43 +00:00
parent 3578020bb1
commit d2add501f0

View File

@ -547,7 +547,7 @@ typedef enum OPTION_choice {
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME,
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
OPT_KEYLOG_FILE, OPT_EARLY_DATA,
OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
OPT_V_ENUM,
OPT_X_ENUM,
OPT_S_ENUM,
@ -587,6 +587,8 @@ const OPTIONS s_client_options[] = {
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"requestCAfile", OPT_REQCAFILE, '<',
"PEM format file of CA names sent to server"},
{"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
{"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's',
"DANE TLSA rrdata presentation form"},
@ -831,6 +833,7 @@ int s_client_main(int argc, char **argv)
char *port = OPENSSL_strdup(PORT);
char *inrand = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
char *xmpphost = NULL;
const char *ehlo = "mail.example.com";
@ -1276,6 +1279,9 @@ int s_client_main(int argc, char **argv)
case OPT_BUILD_CHAIN:
build_chain = 1;
break;
case OPT_REQCAFILE:
ReqCAfile = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
@ -1577,6 +1583,16 @@ int s_client_main(int argc, char **argv)
ERR_print_errors(bio_err);
goto end;
}
if (ReqCAfile != NULL) {
STACK_OF(X509_NAME) *nm = sk_X509_NAME_new_null();
if (nm == NULL || !SSL_add_file_cert_subjects_to_stack(nm, ReqCAfile)) {
sk_X509_NAME_pop_free(nm, X509_NAME_free);
BIO_printf(bio_err, "Error loading CA names\n");
ERR_print_errors(bio_err);
goto end;
}
SSL_CTX_set0_CA_list(ctx, nm);
}
#ifndef OPENSSL_NO_ENGINE
if (ssl_client_engine) {
if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {