authorMichal Rokos <m.rokos@sh.cvut.cz>2002-01-10 19:32:01 +0000
committerMichal Rokos <m.rokos@sh.cvut.cz>2002-01-10 19:32:01 +0000
commit122bbe51a8d137fdc1cb16e762bf516c2a9255cb (patch)
treed02b4c7da6ff6163f1b4b6b93e5e887b0014c0a0
parent6dfe210e0c550953aff89b3fe7f05f35fdda8263 (diff)
downloadruby-openssl-history-122bbe51a8d137fdc1cb16e762bf516c2a9255cb.tar.gz
* fixed and improved verify_callbacks in ossl_(ssl|x509store).c
* enhanced ossl_x509store.rb examples
-rw-r--r--ChangeLog4
-rw-r--r--ossl_cipher.c10
-rw-r--r--ossl_ssl.c16
-rw-r--r--ossl_x509store.c90
-rwxr-xr-xtest/ossl_x509store.rb80
5 files changed, 114 insertions, 86 deletions
diff --git a/ChangeLog b/ChangeLog
index 1c5ef90..0716c48 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,10 @@ Copyright (C) 2001 Michal Rokos <m.rokos@sh.cvut.cz>
All rights reserved.
$Log$
+Revision 1.23 2002/01/10 19:32:23 majkl
+ * fixed and improved verify_callbacks in ossl_(ssl|x509store).c
+ * enhanced ossl_x509store.rb examples
+
Revision 1.22 2002/01/10 17:33:16 majkl
* OpenSSL::Cipher::BITx constant == x (so BIT40 = 40,...)
diff --git a/ossl_cipher.c b/ossl_cipher.c
index e02e644..94685fb 100644
--- a/ossl_cipher.c
+++ b/ossl_cipher.c
@@ -26,11 +26,11 @@
#define CBC 0x8000
#define EDE 0x0001
#define EDE3 0x0002
-#define BIT40 0x0028 /*40*/
-#define BIT64 0x0040 /*64*/
-#define BIT128 0x0080 /*128*/
-#define BIT192 0x00C0 /*192*/
-#define BIT256 0x0100 /*256*/
+#define BIT40 0x0028 /*== 40*/
+#define BIT64 0x0040 /*== 64*/
+#define BIT128 0x0080 /*== 128*/
+#define BIT192 0x00C0 /*== 192*/
+#define BIT256 0x0100 /*== 256*/
/*
* Classes
diff --git a/ossl_ssl.c b/ossl_ssl.c
index 5df61ff..9315387 100644
--- a/ossl_ssl.c
+++ b/ossl_ssl.c
@@ -139,21 +139,27 @@ ssl_false(VALUE dummy)
static int MS_CALLBACK
ssl_verify_callback(int ok, X509_STORE_CTX *ctx)
{
- VALUE x509stc, args, ret;
-
- ret = (ok) ? Qtrue : Qfalse;
+ VALUE x509stc, args, ret = Qnil;
if (!NIL_P(ssl_verify_callback_proc)) {
x509stc = ossl_x509store_new(ctx);
rb_funcall(x509stc, rb_intern("protect"), 0, NULL);
args = rb_ary_new2(3);
rb_ary_store(args, 0, ssl_verify_callback_proc);
- rb_ary_store(args, 1, ret);
+ rb_ary_store(args, 1, ok ? Qtrue : Qfalse);
rb_ary_store(args, 2, x509stc);
ret = rb_rescue(ssl_call_callback_proc, args, ssl_false, Qnil);
+
+ if (ret == Qtrue) {
+ ok = 1;
+ ctx->error = X509_V_OK;
+ } else {
+ ok = 0;
+ ctx->error = X509_V_ERR_CERT_REJECTED;
+ }
}
- return (ret == Qtrue) ? 1 : 0;
+ return ok;
}
static void
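Review bot: In the new `else` branch, `ctx->error = X509_V_ERR_CERT_REJECTED` overwrites whatever error OpenSSL had already recorded when `ok` was 0 on entry, so a callback that merely passes `ok` through (as the bundled test/ossl_x509store.rb example does) turns a specific status such as an expired certificate into a generic "certificate rejected" in `verify_status`/`verify_message`. Only replace the error when the proc vetoes a certificate OpenSSL accepted: `} else { if (ok) ctx->error = X509_V_ERR_CERT_REJECTED; ok = 0; }`. The `ret == Qtrue` branch also deserves a comment in the code, since it clears `ctx->error` and overrides OpenSSL's verdict, while anything other than exactly `true` — a truthy non-boolean, or an exception swallowed by `ssl_false` — rejects, which is stricter than Ruby truthiness. The same block appears in `ossl_x509store_verify_cb` in the ossl_x509store.c hunk at `@@ -333,15 +296,23 @@` and wants the same change.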
diff --git a/ossl_x509store.c b/ossl_x509store.c
index fc36ce4..994d20f 100644
--- a/ossl_x509store.c
+++ b/ossl_x509store.c
@@ -29,8 +29,7 @@ VALUE eX509StoreError;
/*
* General callback for OpenSSL verify
*/
-int
-ossl_x509store_verify_cb(int, X509_STORE_CTX *);
+int ossl_x509store_verify_cb(int, X509_STORE_CTX *);
/*
* Struct
@@ -46,8 +45,8 @@ ossl_x509store_free(ossl_x509store *storep)
if (storep) {
if (storep->store && storep->protect == 0)
X509_STORE_CTX_free(storep->store);
- else
- storep->store = NULL;
+
+ storep->store = NULL;
free(storep);
}
}
@@ -215,37 +214,33 @@ ossl_x509store_add_trusted(VALUE self, VALUE cert)
return cert;
}
-/*
- * DOESN'T WORK!!!
- * I have to walk X509_OBJECTS in storep->store
static VALUE
-ossl_x509store_get_chain(obj)
- VALUE obj;
+ossl_x509store_get_chain(VALUE self)
{
- ossl_x509store *storep = NULL;
- X509_STORE_CTX ctx;
+ ossl_x509store *storep = NULL;
X509 *x509 = NULL;
int i, num;
- VALUE ary, cert;
+ VALUE ary;
GetX509Store(self, storep);
- X509_STORE_CTX_init(&ctx, storep->store, NULL, NULL);
- X509_verify_cert(&ctx);
- num = sk_X509_num(ctx.chain);
- rb_bug("chain=%d", num);
+ num = sk_X509_num(storep->store->chain);
+
+ if (num < 0) {
+ rb_warning("certs in chain < 0???");
+ return rb_ary_new();
+ }
- if (num < 0) return rb_ary_new();
ary = rb_ary_new2(num);
+
for(i=0; i<num; i++) {
- x509 = sk_X509_value(ctx.chain, i);
- cert = ossl_x509_new(x509);
- rb_ary_push(ary, cert);
+ x509 = sk_X509_value(storep->store->chain, i);
+ rb_ary_push(ary, ossl_x509_new(x509));
+ X509_free(x509);
}
return ary;
}
- */
static VALUE
ossl_x509store_add_crl(VALUE self, VALUE crlst)
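Review bot: `X509_free(x509)` in the new loop of `ossl_x509store_get_chain` releases a reference the loop never acquired — `sk_X509_value` hands back the certificate owned by `storep->store->chain` without touching its refcount — so each call to `chain` drops references the store context still holds, ending in a double free or use-after-free when the context is torn down (unless `ossl_x509_new` up-refs the pointer it receives, which I cannot see from here; even then the reference this line drops is the store's, not ours). Remove the `X509_free(x509);` line and keep `rb_ary_push(ary, ossl_x509_new(x509));` as the loop body. As far as I know the context's `chain` is only assembled by `X509_verify_cert`, so the `num < 0` branch is the normal state of a store that has not verified anything yet; a comment such as `/* chain is NULL (num < 0) until a verify has run */` on that check would explain the `rb_warning` better than `"certs in chain < 0???"`.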
@@ -268,38 +263,6 @@ ossl_x509store_add_crl(VALUE self, VALUE crlst)
return crlst;
}
-/*
- * No need for
-static VALUE
-ossl_x509store_add(VALUE self, VALUE arg)
-{
- ossl_x509store *storep = NULL;
- X509 *x509 = NULL;
- X509_CRL *crl = NULL;
-
- GetX509Store(self, storep);
-
- switch (OSSL_TYPE(arg)) {
- case T_OSSL_X509CRL:
- crl = ossl_x509crl_get_X509_CRL(arg);
- if (!X509_STORE_add_crl(storep->store, crl)) {
- rb_raise(eX509StoreError, "%s", ossl_error());
- }
- break;
- case T_OSSL_X509:
- x509 = ossl_x509_get_X509(arg);
- if (!X509_STORE_add_cert(storep->store, x509)) {
- rb_raise(eX509StoreError, "%s", ossl_error());
- }
- break;
- default:
- rb_raise(rb_eTypeError, "unsupported type");
- }
-
- return obj;
-}
- */
-
static VALUE
ossl_x509store_call_verify_cb_proc(VALUE args)
{
@@ -321,7 +284,7 @@ ossl_x509store_verify_false(VALUE dummy)
return Qfalse;
}
-int
+int MS_CALLBACK
ossl_x509store_verify_cb(int ok, X509_STORE_CTX *ctx)
{
VALUE proc, store_ctx, args, ret = Qnil;
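Review bot: The definition now carries `MS_CALLBACK` but the prototype changed in this file's first hunk does not, so on builds where the macro expands to a calling convention the declaration and definition disagree. Update the prototype to `int MS_CALLBACK ossl_x509store_verify_cb(int, X509_STORE_CTX *);` so both sides match.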
@@ -333,15 +296,23 @@ ossl_x509store_verify_cb(int ok, X509_STORE_CTX *ctx)
if (!NIL_P(proc)) {
store_ctx = ossl_x509store_new(ctx);
- rb_funcall(store_ctx, rb_intern("protect"), 0, NULL); /* called default by ossl_..new */
+ /* rb_funcall(store_ctx, rb_intern("protect"), 0, NULL); -- called default by ossl_..new */
args = rb_ary_new2(3);
rb_ary_store(args, 0, proc);
rb_ary_store(args, 1, ok ? Qtrue : Qfalse);
rb_ary_store(args, 2, store_ctx);
ret = rb_rescue(ossl_x509store_call_verify_cb_proc, args, ossl_x509store_verify_false, Qnil);
+
+ if (ret == Qtrue) {
+ ok = 1;
+ ctx->error = X509_V_OK;
+ } else {
+ ok = 0;
+ ctx->error = X509_V_ERR_CERT_REJECTED;
+ }
}
- return (ret == Qtrue) ? 1 : 0;
+ return ok;
}
static VALUE
@@ -481,17 +452,14 @@ Init_ossl_x509store(VALUE module)
rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
rb_define_method(cX509Store, "verify_callback=", ossl_x509store_set_verify_cb, 1);
-/*
- * DOESN'T WORK! :-(( - BUT NOW WILL! :-))
- rb_define_method(cX509Store, "chain", ossl_x509store_get_chain, 0);
- */
rb_define_method(cX509Store, "add_trusted", ossl_x509store_add_trusted, 1);
rb_define_method(cX509Store, "add_crl", ossl_x509store_add_crl, 1);
- /*rb_define_method(cX509Store, "<<", ossl_x509store_add, 1);*/
+
rb_define_method(cX509Store, "verify", ossl_x509store_verify, 1);
rb_define_method(cX509Store, "verify_status", ossl_x509store_get_verify_status, 0);
rb_define_method(cX509Store, "verify_message", ossl_x509store_get_verify_message, 0);
rb_define_method(cX509Store, "verify_depth", ossl_x509store_get_verify_depth, 0);
+ rb_define_method(cX509Store, "chain", ossl_x509store_get_chain, 0);
rb_define_method(cX509Store, "cert", ossl_x509store_get_cert, 0);
rb_define_method(cX509Store, "protect", ossl_x509store_protect, 0);
rb_define_method(cX509Store, "set_default_paths", ossl_x509store_set_default_paths, 0);
diff --git a/test/ossl_x509store.rb b/test/ossl_x509store.rb
index ba81100..f76dd69 100755
--- a/test/ossl_x509store.rb
+++ b/test/ossl_x509store.rb
@@ -4,23 +4,73 @@ require 'openssl'
include OpenSSL
include X509
+verify_cb = Proc.new {|ok, x509_store|
+ puts "\t\t====begin Verify===="
+ puts "\t\tOK = #{ok}"
+ puts "\t\tchecking #{x509_store.cert.subject.to_str}"
+ puts "\t\tstatus = #{x509_store.verify_status} - that is \"#{x509_store.verify_message}\""
+ puts "\t\t==== end Verify===="
+ #raise "SOME ERROR!" # Cert will be rejected
+ #false # Cert will be rejected
+ #true # Cert is OK
+ ok # just throw 'ok' through
+}
+
p ca = Certificate.new(File.open("./cacert.pem").read)
-p cakey = ca.public_key
+puts "CA = #{ca.subject.to_str}, serial = #{ca.serial}"
+cakey = ca.public_key
+
p cert = Certificate.new(File.open("./01cert.pem").read)
-p key = cert.public_key
-p cert.serial
-#cert2 = Certificate.new(File.open("./02cert.pem").read)
+puts "Cert = #{cert.subject.to_str}, serial = #{cert.serial}"
+key = cert.public_key
+
p crl = CRL.new(File.open("./01crl.pem").read)
-p crl.verify cakey
-p crl.revoked[0].serial
-#p ca.issuer.to_str
-#p ca.subject.to_str
-#p cert.subject.to_str
-#p cert.issuer.to_str
+print "Is CRL signed by CA?..."
+if crl.verify cakey
+ puts "Yes - OK!"
+else
+ puts "NO - Strange... Let's stop."
+ exit
+end
+
+puts "In CRL there are serials:"
+crl.revoked.each {|revoked|
+ puts "> #{revoked.serial} - revoked at #{revoked.time}"
+}
+
p store = Store.new
-#p store.add_trusted ca # :-))
-p store.add_trusted cert # :-((
-#p store.add_trusted cert2 # :-((
-p store.add_crl crl #CRL does NOT have affect on validity in current OpenSSL <= 0.9.6b !!!
-p store.verify cert
+
+##
+# Uncomment to see what is checked...
+store.verify_callback = verify_cb
+
+store.add_trusted ca
+
+puts "===================="
+puts "Is CERT OK?..."
+if store.verify cert
+ puts "Yes - we didn't add CRL to store!"
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+else
+ puts "NO - HEY, this is error!"
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+end
+
+puts "Let's add CRL..."
+ store.add_crl crl #CRL does NOT have affect on validity in current OpenSSL <= 0.9.6c !!!
+
+puts "===================="
+puts "Is CERT still OK?..."
+if store.verify cert
+ puts "Yes - HEY, this is bug! OpenSSL <= 0.9.6c doesn't care about CRL in Store :-(((("
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+else
+ puts "No - now it works!"
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+end
+
+puts "Trusted certs:"
+store.chain.each_with_index {|cert, i|
+ puts "> #{i} --- #{cert.subject.to_str}"
+}