-rw-r--r-- | include/xmlsec/keyinfo.h | 11 | ||||
-rw-r--r-- | packaging/xmlsec1.spec | 2 | ||||
-rw-r--r-- | src/openssl/x509vfy.c | 12 | ||||
-rw-r--r-- | xmlsec-openssl.pc.in | 2 | ||||
-rw-r--r-- | xmlsec.pc.in | 2 |
5 files changed, 21 insertions, 8 deletions
diff --git a/include/xmlsec/keyinfo.h b/include/xmlsec/keyinfo.h
index dbea0e56..9b26f3dc 100644
--- a/include/xmlsec/keyinfo.h
+++ b/include/xmlsec/keyinfo.h
@@ -152,6 +152,17 @@ typedef enum {
 */
 #define XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS 0x00004000
+/**
+ * XMLSEC_KEYINFO_FLAGS_SKIP_VERIFY_CHAIN:
+ *
+ * If the flag is set then we wont stop document validation
+ * on certificate chain error. Instead of stopping validation
+ * we'll just set flag XMLSEC_KEYINFO_ERROR_FLAGS_BROKEN_CHAIN
+ * as flags2 value.
+ */
+#define XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN 0x00008000
+#define XMLSEC_KEYINFO_ERROR_FLAGS_BROKEN_CHAIN 0x00000001
+
 /**
 * xmlSecKeyInfoCtx:
 * @userData: the pointer to user data (xmlsec and xmlsec-crypto
diff --git a/packaging/xmlsec1.spec b/packaging/xmlsec1.spec
index 74d0d6f7..0d9d2375 100644
--- a/packaging/xmlsec1.spec
+++ b/packaging/xmlsec1.spec
@@ -84,7 +84,7 @@ make %{?_smp_mflags}
 %files gcrypt
-%{_libdir}/libxmlsec1-gcrypt.so.*
+#%{_libdir}/libxmlsec1-gcrypt.so.*
 %files openssl
 %{_libdir}/libxmlsec1-openssl.so.*
diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
index 40264c0d..3b6c6af8 100644
--- a/src/openssl/x509vfy.c
+++ b/src/openssl/x509vfy.c
@@ -310,7 +310,6 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
 X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
 #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
-
 X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2);
 if(keyInfoCtx->certsVerificationTime > 0) {
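Review bot: The new doc block in keyinfo.h is titled `XMLSEC_KEYINFO_FLAGS_SKIP_VERIFY_CHAIN:` but the macro defined directly under it is `XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN`, so the description is attached to a name that does not exist; the title line should read ` * XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN:`. `XMLSEC_KEYINFO_ERROR_FLAGS_BROKEN_CHAIN` gets no comment of its own, and since the ALLOW flag turns a certificate chain failure into a successful verification that only this bit reveals, its comment should state that it is set in the context's flags2 and that any caller enabling the ALLOW flag must test it after verification, e.g. ` * Set in flags2 when XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN suppressed a certificate chain error; callers that enable that flag must check this bit.` "wont" should also be "won't".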
@@ -325,14 +324,17 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
 X509_STORE_CTX_set0_param(&xsc, vpm);
 #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
-
 ret = X509_verify_cert(&xsc);
 err_cert = X509_STORE_CTX_get_current_cert(&xsc);
 err = X509_STORE_CTX_get_error(&xsc);
 depth = X509_STORE_CTX_get_error_depth(&xsc);
-
- X509_STORE_CTX_cleanup (&xsc);
-
+ X509_STORE_CTX_cleanup (&xsc);
+
+ if(ret != 1 && keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN){
+ ret = 1;
+ keyInfoCtx->flags2 |= XMLSEC_KEYINFO_ERROR_FLAGS_BROKEN_CHAIN;
+ }
+
 if(ret == 1) {
 res = cert;
 goto done;
diff --git a/xmlsec-openssl.pc.in b/xmlsec-openssl.pc.in
index 31fe2611..a1009c8d 100644
--- a/xmlsec-openssl.pc.in
+++ b/xmlsec-openssl.pc.in
@@ -7,5 +7,5 @@ Name: xmlsec1-openssl
 Version: @VERSION@
 Description: XML Security Library implements XML Signature and XML Encryption standards
 Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@
-Cflags: -DXMLSEC_CRYPTO=\\\"openssl\\\" @XMLSEC_OPENSSL_CFLAGS@
+Cflags: -DXMLSEC_CRYPTO=openssl @XMLSEC_OPENSSL_CFLAGS@
 Libs: @XMLSEC_OPENSSL_LIBS@
diff --git a/xmlsec.pc.in b/xmlsec.pc.in
index 2207b27d..7b607b61 100644
--- a/xmlsec.pc.in
+++ b/xmlsec.pc.in
@@ -7,5 +7,5 @@ Name: xmlsec1
 Version: @VERSION@
 Description: XML Security Library implements XML Signature and XML Encryption standards
 Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@
-Cflags: -DXMLSEC_CRYPTO=\\\"@XMLSEC_CRYPTO@\\\" -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 @XMLSEC_CORE_CFLAGS@
+Cflags: -DXMLSEC_CRYPTO="@XMLSEC_CRYPTO@" -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 @XMLSEC_CORE_CFLAGS@
 Libs: -L${libdir} @XMLSEC_CORE_LIBS@ |
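Review bot: The override `if(ret != 1 && keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN)` turns every non-success result of X509_verify_cert into a verified certificate, not only a failed chain: OpenSSL documents a negative return for internal errors, and the unchecked `X509_STORE_CTX_init` call in the preceding hunk would surface the same way, so an error in the verifier itself would be reported as merely a broken chain and the cert handed back on the `if(ret == 1)` path. Restrict the relaxation to a real verification failure and make the precedence explicit: `if((ret == 0) && ((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN) != 0)) {`. Since `err`, `err_cert` and `depth` have already been read at this point, the specific OpenSSL reason is available and is discarded by setting ret to 1; a comment such as `/* chain failure suppressed by caller; err is not reported past this point */`, or logging err before the override, would keep the reason visible to callers who opted into this mode. The enclosing function xmlSecOpenSSLX509StoreVerify starts and ends outside the hunk.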
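Review bot: The two Cflags rewrites disagree on the type of the XMLSEC_CRYPTO definition: xmlsec-openssl.pc.in now emits `-DXMLSEC_CRYPTO=openssl`, a bare identifier, while xmlsec.pc.in emits `-DXMLSEC_CRYPTO="@XMLSEC_CRYPTO@"`, a string literal, so a consumer that uses XMLSEC_CRYPTO as a string would presumably compile against one file and not the other. If the string form is the intended one, `Cflags: -DXMLSEC_CRYPTO="openssl" @XMLSEC_OPENSSL_CFLAGS@` would match the core file. The quoting that survives pkg-config and the invoking shell is worth checking with `pkg-config --cflags` for both files before the old escaped form is dropped.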