author | sarmurug <sarmurug@cisco.com> | 2022-03-29 18:24:44 +0530 |
committer | Florin Coras <florin.coras@gmail.com> | 2022-03-29 17:13:59 +0000 |
commit | 8f63d38e993e74a4d811438aca9f6c8e69dea479 (patch) | |
tree | cf6347e9752718b31952a76b8fff6c5116d486f0 | |
parent | 5760fdfb8c042e008156f435d2530e87582f2e40 (diff) |
tls: Support for client certificate-key pair
Type: improvement
Signed-off-by: sarmurug <sarmurug@cisco.com>
Change-Id: Ibbfe827b9c4c603a6fe7cc49970a46bd683194ce
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 74b8142a68d..740ba059e77 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -628,6 +628,52 @@ openssl_ctx_read (tls_ctx_t *ctx, session_t *ts)
 }
 
 static int
+openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
+{
+  app_cert_key_pair_t *ckpair;
+  BIO *cert_bio;
+  EVP_PKEY *pkey;
+  X509 *srvcert;
+
+  ckpair = app_cert_key_pair_get_if_valid (ckpair_index);
+  if (!ckpair)
+    return -1;
+
+  if (!ckpair->cert || !ckpair->key)
+    {
+      TLS_DBG (1, "tls cert and/or key not configured");
+      return -1;
+    }
+  /*
+   * Set the key and cert
+   */
+  cert_bio = BIO_new (BIO_s_mem ());
+  BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert));
+  srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
+  if (!srvcert)
+    {
+      clib_warning ("unable to parse certificate");
+      return -1;
+    }
+  SSL_use_certificate (ssl_connection, srvcert);
+  BIO_free (cert_bio);
+
+  cert_bio = BIO_new (BIO_s_mem ());
+  BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
+  pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL);
+  if (!pkey)
+    {
+      clib_warning ("unable to parse pkey");
+      return -1;
+    }
+  SSL_use_PrivateKey (ssl_connection, pkey);
+  BIO_free (cert_bio);
+  TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
+
+  return 0;
+}
+
+static int
 openssl_ctx_init_client (tls_ctx_t * ctx)
 {
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
@@ -694,6 +740,10 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
       TLS_DBG (1, "Couldn't set hostname");
       return -1;
     }
+  if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))
+    {
+      TLS_DBG (1, "Couldn't set client certificate-key pair");
+    }
 
   /*
    * 2. Do the first steps in the handshake. |
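Review bot: openssl_set_ckpair leaks every OpenSSL object it creates: cert_bio is not freed on either parse-failure return, and srvcert and pkey are never released at all, even though SSL_use_certificate() and SSL_use_PrivateKey() take their own reference and leave ownership of the X509/EVP_PKEY with the caller, so each client connection that loads a pair loses a certificate, a key and possibly a BIO. The return values of BIO_new(), SSL_use_certificate() and SSL_use_PrivateKey() are also ignored, so a NULL BIO or a key that does not belong to the certificate goes unnoticed and the function still reports success. A goto-based cleanup that frees all three handles on every path and checks the SSL_use_* results (optionally followed by SSL_check_private_key()) closes both gaps; the debug print of a u32 would also read better as `"TLS client using ckpair index: %u"`. The outline is below; the ckpair lookup and the cert/key presence checks are unchanged.
```c
static int
openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
{
  app_cert_key_pair_t *ckpair;
  BIO *cert_bio = NULL;
  EVP_PKEY *pkey = NULL;
  X509 *srvcert = NULL;
  int rv = -1;

  /* … unchanged: ckpair lookup and cert/key presence checks … */

  cert_bio = BIO_new (BIO_s_mem ());
  if (!cert_bio)
    goto done;
  BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert));
  srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
  if (!srvcert)
    {
      clib_warning ("unable to parse certificate");
      goto done;
    }
  if (SSL_use_certificate (ssl_connection, srvcert) != 1)
    goto done;
  BIO_free (cert_bio);

  cert_bio = BIO_new (BIO_s_mem ());
  if (!cert_bio)
    goto done;
  BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
  pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL);
  if (!pkey)
    {
      clib_warning ("unable to parse pkey");
      goto done;
    }
  if (SSL_use_PrivateKey (ssl_connection, pkey) != 1
      || SSL_check_private_key (ssl_connection) != 1)
    goto done;
  TLS_DBG (1, "TLS client using ckpair index: %u", ckpair_index);
  rv = 0;

done:
  /* SSL_use_* hold their own references; drop ours on every path */
  X509_free (srvcert);
  EVP_PKEY_free (pkey);
  BIO_free (cert_bio);
  return rv;
}
```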
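Review bot: The result of openssl_set_ckpair() at the new call site is only logged at debug level, so a client whose ckpair_index names a pair that exists but cannot be parsed continues the handshake without a client certificate and the failure only surfaces when the server rejects it. The helper returns -1 both when no pair is configured (lookup returns NULL) and when a configured pair fails to load, so the caller cannot tell the benign case from the misconfiguration. If an invalid index is the intended "no client certificate" signal, consider checking the index before the call (or returning a distinct value from the helper for the not-configured case) and then failing the connection with `return -1;` inside the added block when a configured pair cannot be loaded. openssl_ctx_init_client continues outside the hunk.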