projects
/
shibboleth
/
cpp-xmltooling.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
cc2cf14
)
Add warning for policy mapping on older OpenSSL.
author
Scott Cantor
<cantor.2@osu.edu>
Wed, 16 Nov 2011 21:34:37 +0000
(21:34 +0000)
committer
Scott Cantor
<cantor.2@osu.edu>
Wed, 16 Nov 2011 21:34:37 +0000
(21:34 +0000)
xmltooling/security/impl/PKIXPathValidator.cpp
patch
|
blob
|
history
diff --git
a/xmltooling/security/impl/PKIXPathValidator.cpp
b/xmltooling/security/impl/PKIXPathValidator.cpp
index
1864774
..
602d001
100644
(file)
--- a/
xmltooling/security/impl/PKIXPathValidator.cpp
+++ b/
xmltooling/security/impl/PKIXPathValidator.cpp
@@
-51,8
+51,11
@@
using namespace std;
namespace {
static int XMLTOOL_DLLLOCAL error_callback(int ok, X509_STORE_CTX* ctx)
{
namespace {
static int XMLTOOL_DLLLOCAL error_callback(int ok, X509_STORE_CTX* ctx)
{
- if (!ok)
- Category::getInstance("OpenSSL").error("path validation failure: %s", X509_verify_cert_error_string(ctx->error));
+ if (!ok) {
+ Category::getInstance("OpenSSL").error(
+ "path validation failure at depth(%d): %s", ctx->error_depth, X509_verify_cert_error_string(ctx->error)
+ );
+ }
return ok;
}
return ok;
}
@@
-400,17
+403,21
@@
bool PKIXPathValidator::validate(X509* EE, STACK_OF(X509)* untrusted, const Path
#endif
}
#endif
}
+ if (ret == 1) {
+ m_log.debug("successfully validated certificate chain");
+ }
+#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
+ else if (X509_STORE_CTX_get_error(&ctx) == X509_V_ERR_NO_EXPLICIT_POLICY && !pkixParams->isPolicyMappingInhibited()) {
+ m_log.warn("policy mapping requires OpenSSL 1.0.0 or later");
+ }
+#endif
+
// Clean up...
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
sk_X509_free(CAstack);
// Clean up...
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
sk_X509_free(CAstack);
- if (ret==1) {
- m_log.debug("successfully validated certificate chain");
- return true;
- }
-
- return false;
+ return (ret == 1);
}
XSECCryptoX509CRL* PKIXPathValidator::getRemoteCRLs(const char* cdpuri) const
}
XSECCryptoX509CRL* PKIXPathValidator::getRemoteCRLs(const char* cdpuri) const