
2016-04-21

2016-04-21 16:01:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509: load_authorities() now knows about ca-bundle.crt.

The certificate bundle file seems to have been split up and renamed
in RHEL 7.

Fixes validation of SSL certificates on RHEL 7.

1563:       "/etc/pki/tls/certs",    // Redhat Enterprise 6, OpenSSL 1.0.0 +  // Redhat Enterprise 7    // Redhat Fedora Core 4, OpenSSL 0.9.7    // Redhat Fedora Core 5 / 6, OpenSSL 0.9.8   
1623:    foreach(root_cert_dirs, string dir) {    if (!Stdio.is_dir(dir)) continue;    -  // Try the merged certificate file first. -  string pem = Stdio.read_bytes(combine_path(dir, "ca-certificates.crt")); +  int found; +  +  // Try the merged certificate files first. +  foreach(({ "ca-certificates.crt", "ca-bundle.crt", "ca-bundle.trust.crt" }), +  string fname) {    if (pem) {    Standards.PEM.Messages messages = Standards.PEM.Messages(pem);    foreach(messages->get_certificates(), string m) {
1636:    update_expire(tbs);    res[subj] += ({ tbs->public_key });    } +  found = 1;    } -  continue; +     } -  +  } +  if (found) continue;       // Then try the Apple KeyChain files. -  int found; +     foreach(({ "X509Anchors", "X509Certificates" }), string fname) {    string keychain = Stdio.read_bytes(combine_path(dir, fname));    if (keychain) {
1649:    foreach(chain->certs, TBSCertificate tbs) {    string subj = tbs->subject->get_der();    if( !res[subj] || !has_value(res[subj], tbs->public_key ) ) +  { +  update_expire(tbs);    res[subj] += ({ tbs->public_key });    } -  +  }    found = 1;    }    }
1664:    }    fname = combine_path(dir, fname);    if (!Stdio.is_file(fname)) continue; -  pem = Stdio.read_bytes(fname); +  string pem = Stdio.read_bytes(fname);    if (!pem) continue;    string cert = Standards.PEM.simple_decode(pem);    if (!cert) continue;
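Review bot: In the 1623 hunk the new loop over `"ca-certificates.crt"`, `"ca-bundle.crt"` and `"ca-bundle.trust.crt"` does not stop at the first bundle that loads (only `found = 1` is set, and `if (found) continue;` runs after the loop), so all three files are merged into `res`. As far as I know, `ca-bundle.trust.crt` on RHEL 7 is written in OpenSSL's "TRUSTED CERTIFICATE" PEM form that carries per-certificate trust and reject attributes, including entries the distribution explicitly distrusts; if `Standards.PEM.Messages()->get_certificates()` accepts those blocks while ignoring the attributes, distrusted certificates would end up accepted as authorities — please confirm how it treats that label. Until the trust attributes are honoured it seems safer to keep the list to the plain bundles, or at least state the assumption with a comment such as `// NOTE: ca-bundle.trust.crt carries trust/reject attributes that are not evaluated here; only plain CERTIFICATE blocks are expected.` The line that assigns `pem` inside the new loop is not visible in this rendering, so I cannot tell from the page whether it is read per `fname`; the 1664 hunk's `string pem = Stdio.read_bytes(fname);` suggests the outer declaration was moved into the loops. `load_authorities()` starts before these hunks and continues past the last one.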