
Lines Matching defs:cert

160 	X509	 *cert = NULL;
201 if (!mk_x509_cert(&cert, &pkey, TLS_GENCERT_BITS,
206 if (!write_x509files(pkey, cert,
220 if (cert && pkey) {
222 || !SSL_CTX_use_certificate(ctx, cert)) {
273 /* ask for cert, but a client does not have to send one */
276 /* default: ask for cert and check it */
297 if (cert || read_certfile(&cert, certfilename)) {
298 get_fingerprint(cert, &fp, NULL);
299 get_commonname(cert, &cn);
316 * get fingerprint of cert
323 get_fingerprint(const X509 *cert, char **returnstring, const char *alg_name)
356 DPRINTF(D_TLS, "get_fingerprint(cert@%p, return@%p, alg \"%s\")\n",
357 cert, returnstring, alg_name);
373 if (!X509_digest(cert, digest, md, &len)) {
400 * gets first CN from cert in returnstring (has to be freed by caller)
404 get_commonname(X509 *cert, char **returnstring)
411 x509name = X509_get_subject_name(cert);
429 * test if cert matches as configured hostname or IP
438 match_hostnames(X509 *cert, const char *hostname, const char *subject)
450 cert, hostname, subject);
459 if (!(gennames = X509_get_ext_d2i(cert, NID_subject_alt_name,
491 x509name = X509_get_subject_name(cert);
526 match_fingerprint(const X509 *cert, const char *fingerprint)
534 DPRINTF((D_TLS|D_CALL), "match_fingerprint(cert@%p, fp \"%s\")\n",
535 cert, fingerprint);
546 if (!get_fingerprint(cert, &certfingerprint, alg)) {
579 DPRINTF((D_TLS|D_CALL), "match_certfile(cert@%p, file \"%s\") "
586 * caller has to free it later with 'OPENSSL_free(cert);'
589 read_certfile(X509 **cert, const char *certfilename)
595 cert, certfilename);
596 if (!cert || !certfilename)
605 if (!(*cert = PEM_read_X509(certfile, NULL, NULL, NULL))
606 && !(*cert = d2i_X509_fp(certfile, NULL))) {
672 * then we check whether the hostname or configured subject matches the cert.
697 DPRINTF((D_TLS|D_CALL), "check cert for connection with %s. "
715 "cert for issuer=%s\n", cur_issuerline);
727 * X509VERIFY_IFPRESENT: if we got here, then a cert is present,
731 * > 0: peer provided CA cert. remember if it's valid,
733 * == 0: the peer's own cert. check this for final decision
735 * true: valid certificate chain from a trust anchor to this cert
744 * !NULL: a peer cert with this fingerprint is trusted
945 * ... but does if the cert is not accepted */
1189 || copy_config_value_quoted("cert=\"",
1432 * cert and immediately match against hostname */
1990 write_x509files(EVP_PKEY *pkey, X509 *cert,
2006 if (!X509_print_fp(certfile, cert)
2007 || !PEM_write_X509(certfile, cert))
2017 /* adds all local IP addresses as subjectAltNames to cert x.
2022 x509_cert_add_subjectAltName(X509 *cert, X509V3_CTX *ctx)
2076 X509_add_ext(cert, ext, -1);
2088 X509 *cert;
2106 cert = *x509p;
2107 else if ((cert = X509_new()) == NULL) {
2131 X509_set_version(cert, 3);
2132 ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
2133 X509_gmtime_adj(X509_get_notBefore(cert), 0);
2134 X509_gmtime_adj(X509_get_notAfter(cert), (long)60 * 60 * 24 * days);
2136 if (!X509_set_pubkey(cert, pk)) {
2146 name = X509_get_subject_name(cert);
2155 X509_set_issuer_name(cert, name);
2161 X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
2165 X509_add_ext(cert, ex, -1);
2170 X509_add_ext(cert, ex, -1);
2175 X509_add_ext(cert, ex, -1);
2181 X509_add_ext(cert, ex, -1);
2186 X509_add_ext(cert, ex, -1);
2189 (void)x509_cert_add_subjectAltName(cert, &ctx);
2191 if (!X509_sign(cert, pk, EVP_sha1())) {
2195 if (X509_verify(cert, pk) != 1) {
2200 *x509p = cert;