result_t X509Cert::load(const mbedtls_x509_crt *crt) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); int32_t ret; ret = mbedtls_x509_crt_parse_der(&m_crt, crt->raw.p, crt->raw.len); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; }
static int setup_cert(struct net_app_ctx *ctx, void *cert) { #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) mbedtls_ssl_conf_psk(&ctx->tls.mbedtls.conf, client_psk, sizeof(client_psk), (const unsigned char *)client_psk_id, sizeof(client_psk_id) - 1); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) { mbedtls_x509_crt *ca_cert = cert; int ret; ret = mbedtls_x509_crt_parse_der(ca_cert, ca_certificate, sizeof(ca_certificate)); if (ret != 0) { NET_ERR("mbedtls_x509_crt_parse_der failed " "(-0x%x)", -ret); return ret; } mbedtls_ssl_conf_ca_chain(&ctx->tls.mbedtls.conf, ca_cert, NULL); /* In this example, we skip the certificate checks. In real * life scenarios, one should always verify the certificates. */ mbedtls_ssl_conf_authmode(&ctx->tls.mbedtls.conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_cert_profile(&ctx->tls.mbedtls.conf, &mbedtls_x509_crt_profile_default); #define VERIFY_CERTS 0 #if VERIFY_CERTS mbedtls_ssl_conf_authmode(&ctx->tls.mbedtls.conf, MBEDTLS_SSL_VERIFY_OPTIONAL); #else ; #endif /* VERIFY_CERTS */ } #endif /* MBEDTLS_X509_CRT_PARSE_C */ return 0; }
result_t X509Cert::load(Buffer_base *derCert) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); int32_t ret; exlib::string crt; derCert->toString(crt); ret = mbedtls_x509_crt_parse_der(&m_crt, (const unsigned char *)crt.c_str(), crt.length()); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; }
static value cert_add_der( value cert, value data ){ mbedtls_x509_crt *crt; int r; val_check(data,string); if( !val_is_null(cert) ){ val_check_kind(cert,k_cert); crt = val_cert(cert); if( !crt ) neko_error(); }else{ crt = (mbedtls_x509_crt *)alloc(sizeof(mbedtls_x509_crt)); mbedtls_x509_crt_init( crt ); cert = alloc_abstract(k_cert, crt); val_gc(cert,free_cert); } if( (r = mbedtls_x509_crt_parse_der(crt, (const unsigned char*)val_string(data), val_strlen(data))) < 0 ) return ssl_error(r); return cert; }
int setup_cert(struct net_app_ctx *ctx, void *cert) { #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) mbedtls_ssl_conf_psk(&ctx->tls.mbedtls.conf, client_psk, sizeof(client_psk), (const unsigned char *)client_psk_id, sizeof(client_psk_id) - 1); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) { mbedtls_x509_crt *ca_cert = cert; int ret; ret = mbedtls_x509_crt_parse_der(ca_cert, ca_certificate, sizeof(ca_certificate)); if (ret != 0) { NET_ERR("mbedtls_x509_crt_parse_der failed " "(-0x%x)", -ret); return ret; } /* mbedtls_x509_crt_verify() should be called to verify the * cerificate in the real cases */ mbedtls_ssl_conf_ca_chain(&ctx->tls.mbedtls.conf, ca_cert, NULL); mbedtls_ssl_conf_authmode(&ctx->tls.mbedtls.conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_cert_profile(&ctx->tls.mbedtls.conf, &mbedtls_x509_crt_profile_default); } #endif /* MBEDTLS_X509_CRT_PARSE_C */ return 0; }
result_t X509Cert::loadRootCerts() { if (m_rootLoaded) return 0; m_rootLoaded = true; _cert *pca = g_root_ca; int32_t ret; while (pca->size) { ret = mbedtls_x509_crt_parse_der(&m_crt, (const unsigned char *)pca->data, pca->size); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); pca++; } return 0; }
result_t X509Cert::loadFile(exlib::string filename) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); result_t hr; exlib::string data; int32_t ret; hr = fs_base::ac_readFile(filename, data); if (hr < 0) return hr; if (qstrstr(data.c_str(), "BEGIN CERTIFICATE") || qstrstr(data.c_str(), "CKO_CERTIFICATE")) return load(data.c_str()); ret = mbedtls_x509_crt_parse_der(&m_crt, (const unsigned char *)data.c_str(), data.length()); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; }
static CURLcode mbed_connect_step2(struct connectdata *conn, int sockindex) { int ret; struct SessionHandle *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; const mbedtls_x509_crt *peercert; #ifdef HAS_ALPN const char* next_protocol; #endif char errorbuf[128]; errorbuf[0] = 0; conn->recv[sockindex] = mbed_recv; conn->send[sockindex] = mbed_send; ret = mbedtls_ssl_handshake(&connssl->ssl); if(ret == MBEDTLS_ERR_SSL_WANT_READ) { connssl->connecting_state = ssl_connect_2_reading; return CURLE_OK; } else if(ret == MBEDTLS_ERR_SSL_WANT_WRITE) { connssl->connecting_state = ssl_connect_2_writing; return CURLE_OK; } else if(ret) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "ssl_handshake returned - mbedTLS: (-0x%04X) %s", -ret, errorbuf); return CURLE_SSL_CONNECT_ERROR; } infof(data, "mbedTLS: Handshake complete, cipher is %s\n", mbedtls_ssl_get_ciphersuite(&conn->ssl[sockindex].ssl) ); ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl); if(ret && data->set.ssl.verifypeer) { if(ret & MBEDTLS_X509_BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); if(ret & MBEDTLS_X509_BADCERT_REVOKED) { failf(data, "Cert verify failed: BADCERT_REVOKED"); return CURLE_SSL_CACERT; } if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) failf(data, "Cert verify failed: BADCERT_CN_MISMATCH"); if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED) failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED"); return CURLE_PEER_FAILED_VERIFICATION; } peercert = mbedtls_ssl_get_peer_cert(&connssl->ssl); if(peercert && data->set.verbose) { const size_t bufsize = 16384; char *buffer = malloc(bufsize); if(!buffer) return CURLE_OUT_OF_MEMORY; if(mbedtls_x509_crt_info(buffer, bufsize, "* ", peercert) > 0) infof(data, "Dumping cert info:\n%s\n", buffer); else infof(data, "Unable to dump certificate information.\n"); free(buffer); } if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { int size; CURLcode result; mbedtls_x509_crt *p; unsigned char pubkey[PUB_DER_MAX_BYTES]; if(!peercert || !peercert->raw.p || !peercert->raw.len) { failf(data, "Failed due to missing peer certificate"); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; } p = calloc(1, sizeof(*p)); if(!p) return CURLE_OUT_OF_MEMORY; mbedtls_x509_crt_init(p); /* Make a copy of our const peercert because mbedtls_pk_write_pubkey_der needs a non-const key, for now. https://github.com/ARMmbed/mbedtls/issues/396 */ if(mbedtls_x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) { failf(data, "Failed copying peer certificate"); mbedtls_x509_crt_free(p); free(p); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; } size = mbedtls_pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES); if(size <= 0) { failf(data, "Failed copying public key from peer certificate"); mbedtls_x509_crt_free(p); free(p); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; } /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */ result = Curl_pin_peer_pubkey(data, data->set.str[STRING_SSL_PINNEDPUBLICKEY], &pubkey[PUB_DER_MAX_BYTES - size], size); if(result) { mbedtls_x509_crt_free(p); free(p); return result; } mbedtls_x509_crt_free(p); free(p); } #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { next_protocol = mbedtls_ssl_get_alpn_protocol(&connssl->ssl); if(next_protocol) { infof(data, "ALPN, server accepted to use %s\n", next_protocol); #ifdef USE_NGHTTP2 if(!strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID, NGHTTP2_PROTO_VERSION_ID_LEN) && !next_protocol[NGHTTP2_PROTO_VERSION_ID_LEN]) { conn->negnpn = CURL_HTTP_VERSION_2; } else #endif if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH) && !next_protocol[ALPN_HTTP_1_1_LENGTH]) { conn->negnpn = CURL_HTTP_VERSION_1_1; } } else { infof(data, "ALPN, server did not agree to a protocol\n"); } } #endif connssl->connecting_state = ssl_connect_3; infof(data, "SSL connected\n"); return CURLE_OK; }
static value cert_load_defaults(){ #if defined(NEKO_WINDOWS) value v; HCERTSTORE store; PCCERT_CONTEXT cert; mbedtls_x509_crt *chain = (mbedtls_x509_crt *)alloc(sizeof(mbedtls_x509_crt)); mbedtls_x509_crt_init( chain ); if( store = CertOpenSystemStore(0, (LPCSTR)"Root") ){ cert = NULL; while( cert = CertEnumCertificatesInStore(store, cert) ) mbedtls_x509_crt_parse_der( chain, (unsigned char *)cert->pbCertEncoded, cert->cbCertEncoded ); CertCloseStore(store, 0); } v = alloc_abstract(k_cert, chain); val_gc(v,free_cert); return v; #elif defined(NEKO_MAC) CFMutableDictionaryRef search; CFArrayRef result; SecKeychainRef keychain; SecCertificateRef item; CFDataRef dat; value v; mbedtls_x509_crt *chain = NULL; // Load keychain if( SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain",&keychain) != errSecSuccess ) return val_null; // Search for certificates search = CFDictionaryCreateMutable( NULL, 0, NULL, NULL ); CFDictionarySetValue( search, kSecClass, kSecClassCertificate ); CFDictionarySetValue( search, kSecMatchLimit, kSecMatchLimitAll ); CFDictionarySetValue( search, kSecReturnRef, kCFBooleanTrue ); CFDictionarySetValue( search, kSecMatchSearchList, CFArrayCreate(NULL, (const void **)&keychain, 1, NULL) ); if( SecItemCopyMatching( search, (CFTypeRef *)&result ) == errSecSuccess ){ CFIndex n = CFArrayGetCount( result ); for( CFIndex i = 0; i < n; i++ ){ item = (SecCertificateRef)CFArrayGetValueAtIndex( result, i ); // Get certificate in DER format dat = SecCertificateCopyData( item ); if( dat ){ if( chain == NULL ){ chain = (mbedtls_x509_crt *)alloc(sizeof(mbedtls_x509_crt)); mbedtls_x509_crt_init( chain ); } mbedtls_x509_crt_parse_der( chain, (unsigned char *)CFDataGetBytePtr(dat), CFDataGetLength(dat) ); CFRelease( dat ); } } } CFRelease(keychain); if( chain != NULL ){ v = alloc_abstract(k_cert, chain); val_gc(v,free_cert); return v; }else{ return val_null; } #else return val_null; #endif }
int main( void ) { int ret = exit_ok; mbedtls_net_context server_fd; struct sockaddr_in addr; #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt ca; #endif mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; mbedtls_ctr_drbg_init( &ctr_drbg ); /* * 0. Initialize and setup stuff */ mbedtls_net_init( &server_fd ); mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_init( &ca ); #endif mbedtls_entropy_init( &entropy ); if( mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) != 0 ) { ret = ctr_drbg_seed_failed; goto exit; } if( mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT ) != 0 ) { ret = ssl_config_defaults_failed; goto exit; } mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ), (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) if( mbedtls_x509_crt_parse_der( &ca, ca_cert, sizeof( ca_cert ) ) != 0 ) { ret = x509_crt_parse_failed; goto exit; } mbedtls_ssl_conf_ca_chain( &conf, &ca, NULL ); mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); #endif if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) { ret = ssl_setup_failed; goto exit; } #if defined(MBEDTLS_X509_CRT_PARSE_C) if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) { ret = hostname_failed; goto exit; } #endif /* * 1. Start the connection */ memset( &addr, 0, sizeof( addr ) ); addr.sin_family = AF_INET; ret = 1; /* for endianness detection */ addr.sin_port = *((char *) &ret) == ret ? PORT_LE : PORT_BE; addr.sin_addr.s_addr = *((char *) &ret) == ret ? ADDR_LE : ADDR_BE; ret = 0; if( ( server_fd.fd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { ret = socket_failed; goto exit; } if( connect( server_fd.fd, (const struct sockaddr *) &addr, sizeof( addr ) ) < 0 ) { ret = connect_failed; goto exit; } mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( mbedtls_ssl_handshake( &ssl ) != 0 ) { ret = ssl_handshake_failed; goto exit; } /* * 2. Write the GET request and close the connection */ if( mbedtls_ssl_write( &ssl, (const unsigned char *) GET_REQUEST, sizeof( GET_REQUEST ) - 1 ) <= 0 ) { ret = ssl_write_failed; goto exit; } mbedtls_ssl_close_notify( &ssl ); exit: mbedtls_net_free( &server_fd ); mbedtls_ssl_free( &ssl ); mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_free( &ca ); #endif return( ret ); }
void tls_client(void) { int ret = exit_ok; struct tcp_context ctx; ctx.timeout = MBEDTLS_NETWORK_TIMEOUT; #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt ca; #endif mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_platform_set_printf(PRINT); /* * 0. Initialize and setup stuff */ mbedtls_ssl_init(&ssl); mbedtls_ssl_config_init(&conf); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_init(&ca); #endif mbedtls_printf("\n . Seeding the random number generator..."); mbedtls_entropy_init(&entropy); mbedtls_entropy_add_source(&entropy, entropy_source, NULL, MBEDTLS_ENTROPY_MAX_GATHER, MBEDTLS_ENTROPY_SOURCE_STRONG); if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers)) != 0) { ret = ctr_drbg_seed_failed; mbedtls_printf (" failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret); goto exit; } mbedtls_printf(" ok\n"); mbedtls_printf(" . Setting up the SSL/TLS structure..."); if (mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) { ret = ssl_config_defaults_failed; mbedtls_printf (" failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret); goto exit; } mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(heap, sizeof(heap)); #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk), (const unsigned char *)psk_id, sizeof(psk_id) - 1); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) if (mbedtls_x509_crt_parse_der(&ca, ca_cert, sizeof(ca_cert)) != 0) { ret = x509_crt_parse_failed; mbedtls_printf (" failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret); goto exit; } mbedtls_ssl_conf_ca_chain(&conf, &ca, NULL); mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED); #endif if (mbedtls_ssl_setup(&ssl, &conf) != 0) { ret = ssl_setup_failed; mbedtls_printf (" failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret); goto exit; } #if defined(MBEDTLS_X509_CRT_PARSE_C) if (mbedtls_ssl_set_hostname(&ssl, HOSTNAME) != 0) { ret = hostname_failed; mbedtls_printf (" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret); goto exit; } #endif mbedtls_printf(" ok\n"); /* * 1. Start the connection */ mbedtls_printf(" . Connecting to tcp %s...", SERVER_ADDR); if (tcp_set_local_addr(&ctx, LOCAL_ADDR) != 0) { printk("tcp set_local_addr error\n"); goto exit; } if (tcp_init(&ctx, SERVER_ADDR, SERVER_PORT) != 0) { ret = connect_failed; mbedtls_printf(" failed\n ! tcp_init returned -0x%x\n\n", -ret); goto exit; } mbedtls_printf(" ok\n"); mbedtls_ssl_set_bio(&ssl, &ctx, tcp_tx, tcp_rx, NULL); mbedtls_printf(" . Performing the SSL/TLS handshake..."); if (mbedtls_ssl_handshake(&ssl) != 0) { ret = ssl_handshake_failed; mbedtls_printf (" failed\n ! mbedtls_ssl_handshake returned -0x%x\n", -ret); goto exit; } mbedtls_printf(" ok\n"); /* * 2. Write the GET request and close the connection */ mbedtls_printf(" > Write to server:"); if (mbedtls_ssl_write(&ssl, (const unsigned char *)GET_REQUEST, sizeof(GET_REQUEST) - 1) <= 0) { ret = ssl_write_failed; mbedtls_printf (" failed\n ! mbedtls_ssl_write returned -0x%x\n\n", -ret); goto exit; } mbedtls_printf(" ok\n"); mbedtls_printf(" . Closing the connection..."); mbedtls_ssl_close_notify(&ssl); mbedtls_printf(" done\n"); exit: mbedtls_ssl_free(&ssl); mbedtls_ssl_config_free(&conf); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_free(&ca); #endif }
result_t X509Cert::load(exlib::string txtCert) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); int32_t ret; if (qstrstr(txtCert.c_str(), "BEGIN CERTIFICATE")) { ret = mbedtls_x509_crt_parse(&m_crt, (const unsigned char *)txtCert.c_str(), txtCert.length() + 1); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; } _parser p(txtCert); QuickArray<std::pair<exlib::string, exlib::string> > values; std::map<exlib::string, bool> verifies; std::map<exlib::string, bool> certs; while (!p.end()) { exlib::string cka_label; exlib::string cka_value; exlib::string cka_serial; exlib::string _value; bool in_multiline = false, in_obj = false; bool is_cert = false; bool is_trust = false; bool is_value = false; bool is_serial = false; bool is_ca = false; bool is_verify = false; while (!p.end()) { exlib::string line; exlib::string cmd, type, value; p.getLine(line); _parser p1(line); p1.skipSpace(); if (p1.get() == '#') continue; if (in_multiline) { if (p1.get() == '\\') { while (p1.get() == '\\') { char ch1, ch2, ch3; p1.skip(); ch1 = p1.getChar(); if (ch1 < '0' || ch1 > '7') break; ch2 = p1.getChar(); if (ch2 < '0' || ch2 > '7') break; ch3 = p1.getChar(); if (ch3 < '0' || ch3 > '7') break; ch1 = (ch1 - '0') * 64 + (ch2 - '0') * 8 + (ch3 - '0'); _value.append(&ch1, 1); } continue; } p1.getWord(cmd); if ((cmd == "END")) { if (is_value) cka_value = _value; else if (is_serial) cka_serial = _value; in_multiline = false; } continue; } p1.getWord(cmd); p1.skipSpace(); p1.getWord(type); if ((type == "MULTILINE_OCTAL")) { in_multiline = true; _value.resize(0); is_value = is_cert && (cmd == "CKA_VALUE"); is_serial = (cmd == "CKA_SERIAL_NUMBER"); continue; } p1.skipSpace(); p1.getLeft(value); if (!in_obj) { if ((cmd == "CKA_CLASS")) { in_obj = true; is_cert = (value == "CKO_CERTIFICATE"); is_trust = (value == "CKO_NSS_TRUST"); } continue; } if ((cmd == "CKA_LABEL")) cka_label = value; else if (is_trust && (cmd == "CKA_TRUST_SERVER_AUTH")) { is_ca = (value == "CKT_NSS_TRUSTED_DELEGATOR"); is_verify = (value == "CKT_NSS_MUST_VERIFY_TRUST"); } if (cmd.empty()) break; } if (!cka_label.empty()) { if (is_trust) { if (is_ca) certs.insert(std::pair<exlib::string, bool>(cka_label + cka_serial, true)); if (is_verify) verifies.insert(std::pair<exlib::string, bool>(cka_label + cka_serial, true)); } else if (is_cert && !cka_value.empty()) values.append(std::pair<exlib::string, exlib::string>(cka_label + cka_serial, cka_value)); } } bool is_loaded = false; int32_t i; for (i = 0; i < (int32_t)values.size(); i++) { std::pair<exlib::string, exlib::string> &c = values[i]; std::map<exlib::string, bool>::iterator it_trust; it_trust = verifies.find(c.first); if (it_trust != verifies.end()) { ret = mbedtls_x509_crt_parse_der(&m_crt, (const unsigned char *)c.second.c_str(), c.second.length()); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); is_loaded = true; } } for (i = 0; i < (int32_t)values.size(); i++) { std::pair<exlib::string, exlib::string> &c = values[i]; std::map<exlib::string, bool>::iterator it_trust; it_trust = certs.find(c.first); if (it_trust != certs.end()) { ret = mbedtls_x509_crt_parse_der(&m_crt, (const unsigned char *)c.second.c_str(), c.second.length() ); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); is_loaded = true; } } if (!is_loaded) return CHECK_ERROR(_ssl::setError(MBEDTLS_ERR_X509_INVALID_FORMAT)); return 0; }