307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
-
-
-
-
+
+
+
+
-
+
-
+
-
-
+
+
-
+
-
-
+
+
-
-
+
+
-
+
-
+
-
+
-
+
|
N -= got;
pContent = (void*)&((char*)pContent)[got];
}
return total;
}
/*
** If an certgroup has been specified on the command line, then use it to look
** up certificates and keys, and then store the URL-certgroup association in
** the global database. If no certgroup has been specified on the command line,
** see if there's an entry for the url in global_config, and use it if
** If a certbundle has been specified on the command line, then use it to look
** up certificates and keys, and then store the URL-certbundle association in
** the global database. If no certbundle has been specified on the command
** line, see if there's an entry for the url in global_config, and use it if
** applicable.
*/
void ssl_load_client_authfiles(void){
char *zGroupName = NULL;
char *zBundleName = NULL;
char *cafile;
char *capath;
char *certfile;
char *keyfile;
if( g.urlCertGroup ){
if( g.urlCertBundle ){
char *zName;
zName = mprintf("certgroup:%s", g.urlName);
db_set(zName, g.urlCertGroup, 1);
zName = mprintf("certbundle:%s", g.urlName);
db_set(zName, g.urlCertBundle, 1);
free(zName);
zGroupName = strdup(g.urlCertGroup);
zBundleName = strdup(g.urlCertBundle);
}else{
db_swap_connections();
zGroupName = db_text(0, "SELECT value FROM global_config"
" WHERE name='certgroup:%q'", g.urlName);
zBundleName = db_text(0, "SELECT value FROM global_config"
" WHERE name='certbundle:%q'", g.urlName);
db_swap_connections();
}
if( !zGroupName ){
/* No cert group specified or found cached */
if( !zBundleName ){
/* No cert bundle specified on command line or found cached for URL */
return;
}
db_swap_connections();
create_cert_table_if_not_exist();
cafile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
" AND type='cafile'", zGroupName);
" AND type='cafile'", zBundleName);
capath = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
" AND type='capath'", zGroupName);
" AND type='capath'", zBundleName);
db_swap_connections();
if( cafile || capath ){
/* The OpenSSL documentation warns that if several CA certificates match
** the same name, key identifier and serial number conditions, only the
** first will be examined. The caveat situation occurs when one stores an
** expired CA certificate among the valid ones.
** Simply put: Do not mix expired and valid certificates.
*/
if( SSL_CTX_load_verify_locations(sslCtx, cafile, capath)==0 ){
fossil_fatal("SSL: Unable to load CA verification file/path");
}
}
db_swap_connections();
keyfile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
" AND type='ckey'", zGroupName);
" AND type='ckey'", zBundleName);
certfile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
" AND type='ccert'", zGroupName);
" AND type='ccert'", zBundleName);
db_swap_connections();
if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM)<=0 ){
fossil_fatal("SSL: Unable to open client certificate in %s.", certfile);
}
if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM)<=0 ){
fossil_fatal("SSL: Unable to open client key in %s.", keyfile);
|
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
|
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
|
-
-
+
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
+
-
+
|
/*
** COMMAND: cert
**
** Usage: %fossil cert SUBCOMMAND ...
**
** Manage/group PKI keys/certificates to be able to use client
** certificates and register CA certificates for SSL verifications.
** Manage/bundle PKI client keys/certificates and CA certificates for SSL
** certificate chain verifications.
**
** %fossil cert add NAME ?--key KEYFILE? ?--cert CERTFILE?
** ?--cafile CAFILE? ?--capath CAPATH?
**
** Create a certificate group NAME with the associated
** Create a certificate bundle NAME with the associated
** certificates/keys. If a client certificate is specified but no
** key, it is assumed that the key is located in the client
** certificate file. The file format must be PEM.
** certificate file.
** The file formats must be PEM.
**
** %fossil cert list
**
** List all credential groups, their values and their URL
** List all certificate bundles, their values and their URL
** associations.
**
** %fossil cert disassociate URL
**
** Disassociate URL from any credential group(s).
** Disassociate URL from any certificate bundle.
**
** %fossil cert delete NAME
**
** Remove the credential group NAME and all it's associated URL
** Remove the certificate bundle NAME and all its URL associations.
** associations.
const char *zCmd = "list";
const char *zCmd = "list"; /* Default sub-command */
if( g.argc>=3 ){
zCmd = g.argv[2];
}
n = strlen(zCmd);
if( strncmp(zCmd, "add", n)==0 ){
const char *zContainer;
const char *zCKey;
const char *zCCert;
const char *zCAFile;
const char *zCAPath;
if( g.argc<5 ){
usage("add NAME ?--key CLIENTKEY? ?--cert CLIENTCERT? ?--cafile CAFILE? "
usage("add NAME ?--key KEYFILE? ?--cert CERTFILE? ?--cafile CAFILE? "
"?--capath CAPATH?");
}
zContainer = g.argv[3];
zCKey = find_option("key",0,1);
zCCert = find_option("cert",0,1);
zCAFile = find_option("cafile",0,1);
zCAPath = find_option("capath",0,1);
/* If a client certificate was specified, but a key was not, assume the
* key is stored in the same file as the certificate.
*/
** key is stored in the same file as the certificate.
*/
if( !zCKey && zCCert ){
zCKey = zCCert;
}
db_open_config(0);
db_swap_connections();
create_cert_table_if_not_exist();
db_begin_transaction();
if( db_exists("SELECT 1 FROM certs WHERE name='%q'", zContainer)!=0 ){
db_end_transaction(0);
fossil_fatal("certificate group \"%s\" already exists", zContainer);
fossil_fatal("certificate bundle \"%s\" already exists", zContainer);
}
if( zCKey ){
db_multi_exec("INSERT INTO certs (name,type,filepath) "
"VALUES(%Q,'ckey',%Q)",
zContainer, zCKey);
}
if( zCCert ){
|
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
|
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
|
-
+
-
-
-
+
+
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
|
"VALUES(%Q,'capath',%Q)",
zContainer, zCAPath);
}
db_end_transaction(0);
db_swap_connections();
}else if(strncmp(zCmd, "list", n)==0){
Stmt q;
char *grp = NULL;
char *bndl = NULL;
db_open_config(0);
db_swap_connections();
create_cert_table_if_not_exist();
db_prepare(&q, "SELECT name,type,filepath FROM certs"
" WHERE type NOT IN ('server')"
" ORDER BY name,type");
while( db_step(&q)==SQLITE_ROW ){
const char *zCont = db_column_text(&q, 0);
const char *zType = db_column_text(&q, 1);
const char *zFilePath = db_column_text(&q, 2);
if( fossil_strcmp(zCont, grp)!=0 ){
free(grp);
grp = strdup(zCont);
if( fossil_strcmp(zCont, bndl)!=0 ){
free(bndl);
bndl = strdup(zCont);
puts(zCont);
}
printf("\t%s=%s\n", zType, zFilePath);
}
db_finalize(&q);
/* List the URL associations. */
db_prepare(&q, "SELECT name FROM global_config"
" WHERE name LIKE 'certgroup:%%' AND value=%Q"
" ORDER BY name", grp);
free(grp);
" WHERE name LIKE 'certbundle:%%' AND value=%Q"
" ORDER BY name", bndl);
free(bndl);
while( db_step(&q)==SQLITE_ROW ){
const char *zName = db_column_text(&q, 0);
static int first = 1;
if( first ) {
puts("\tAssociations");
first = 0;
}
printf("\t\t%s\n", zName+10);
printf("\t\t%s\n", zName+11);
}
db_swap_connections();
}else if(strncmp(zCmd, "disassociate", n)==0){
const char *zURL;
if( g.argc<4 ){
usage("disassociate URL");
}
zURL = g.argv[3];
db_open_config(0);
db_swap_connections();
db_begin_transaction();
db_multi_exec("DELETE FROM global_config WHERE name='certgroup:%q'",
db_multi_exec("DELETE FROM global_config WHERE name='certbundle:%q'",
zURL);
if( db_changes() == 0 ){
fossil_warning("No certificate group associated with URL \"%s\".",
fossil_warning("No certificate bundle associated with URL \"%s\".",
zURL);
}else{
printf("%s disassociated from its certificate group.\n", zURL);
printf("%s disassociated from its certificate bundle.\n", zURL);
}
db_end_transaction(0);
db_swap_connections();
}else if(strncmp(zCmd, "delete", n)==0){
const char *zContainer;
if( g.argc<4 ){
usage("delete NAME");
}
zContainer = g.argv[3];
db_open_config(0);
db_swap_connections();
create_cert_table_if_not_exist();
db_begin_transaction();
db_multi_exec("DELETE FROM certs WHERE name=%Q", zContainer);
if( db_changes() == 0 ){
fossil_warning("No certificate group named \"%s\" found",
fossil_warning("No certificate bundle named \"%s\" found",
zContainer);
}else{
printf("%d entries removed\n", db_changes());
}
db_multi_exec("DELETE FROM global_config WHERE name LIKE 'certgroup:%%'"
db_multi_exec("DELETE FROM global_config WHERE name LIKE 'certbundle:%%'"
" AND value=%Q", zContainer);
if( db_changes() > 0 ){
printf("%d associations removed\n", db_changes());
}
db_end_transaction(0);
db_swap_connections();
}else{
fossil_panic("cert subcommand should be one of: "
"add list disassociate delete");
}
}
|