diff options
| author | thekuwayama <thekuwayama@gmail.com> | 2020-01-01 09:33:53 +0900 |
|---|---|---|
| committer | Samuel Williams <samuel.williams@oriontransfer.co.nz> | 2020-01-25 00:30:40 +1300 |
| commit | 8b4fa5e336c7544ea677ccee160ec6d221559e10 (patch) | |
| tree | 4052949d2d5d0fa8e7dc65ac5adaf7e4b9aa1708 | |
| parent | 443d13e9b2c127230fde2733959eaa4d41eb355d (diff) | |
| download | ruby-openssl-8b4fa5e336c7544ea677ccee160ec6d221559e10.tar.gz | |
check with EVP_PKEY_cmp in advance
| -rw-r--r-- | ext/openssl/ossl_ssl.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index ee56edc0..d1eb977e 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1354,14 +1354,45 @@ static VALUE ossl_sslctx_add_certificate_chain_file(VALUE self, VALUE certs_path, VALUE pkey_path) { SSL_CTX *ctx; + X509 *x509; + char *ccerts_path, *cpkey_path; + FILE *fp; + EVP_PKEY *pkey, *pub_pkey; GetSSLCTX(self, ctx); + /* Retrieve private key */ + cpkey_path = StringValueCStr(pkey_path); + fp = fopen(cpkey_path, "r"); + if (!fp) + rb_raise(rb_eArgError, "failed to open pkey file"); + pkey = PEM_read_PrivateKey(fp, NULL, 0, NULL); + fclose(fp); + if (!pkey) + rb_raise(rb_eArgError, "failed to open pkey file"); + /* Retrieve public key */ + ccerts_path = StringValueCStr(certs_path); + fp = fopen(ccerts_path, "r"); + if (!fp) + rb_raise(rb_eArgError, "failed to open certs file"); + x509 = PEM_read_X509(fp, NULL, 0, NULL); + fclose(fp); + if (!x509) + rb_raise(rb_eArgError, "failed to open certs file"); + pub_pkey = X509_get_pubkey(x509); + /* The reference counter is bumped, and decremented immediately. */ + EVP_PKEY_free(pub_pkey); + if (!pub_pkey) + rb_raise(rb_eArgError, "certificate does not contain public key"); + + if (EVP_PKEY_cmp(pub_pkey, pkey) != 1) + rb_raise(rb_eArgError, "public key mismatch"); + /* SSL_CTX_use_certificate_chain_file() loads PEM format file. */ - if (SSL_CTX_use_certificate_chain_file(ctx, StringValueCStr(certs_path)) != 1) + if (SSL_CTX_use_certificate_chain_file(ctx, ccerts_path) != 1) ossl_raise(eSSLError, "SSL_CTX_use_certificate_chain_file"); - if (SSL_CTX_use_PrivateKey_file(ctx, StringValueCStr(pkey_path), SSL_FILETYPE_PEM) != 1) + if (SSL_CTX_use_PrivateKey_file(ctx, cpkey_path, SSL_FILETYPE_PEM) != 1) ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey_file"); return self; |