method

add_certificate

v2_6_3 - Show latest stable - 0 notes - Class: SSLContext

1_8_6_287
1_8_7_72
1_8_7_330
1_9_1_378
1_9_2_180
1_9_3_125
1_9_3_392
2_1_10
2_2_9
2_4_6
2_5_5 (0)
2_6_3 (0)
What's this?

add_certificate(p1, p2, p3 = v3) public

Adds a certificate to the context. pkey must be a corresponding private key with certificate.

Multiple certificates with different public key type can be added by repeated calls of this method, and OpenSSL will choose the most appropriate certificate during the handshake.

#cert=, #key=, and #extra_chain_cert= are old accessor methods for setting certificate and internally call this method.

Parameters

certificate	A certificate. An instance of OpenSSL::X509::Certificate.
pkey	The private key for certificate. An instance of OpenSSL::PKey::PKey.
extra_certs	Optional. An array of OpenSSL::X509::Certificate. When sending a certificate chain, the certificates specified by this are sent following certificate, in the order in the array.

Example

rsa_cert = OpenSSL::X509::Certificate.new(...)
rsa_pkey = OpenSSL::PKey.read(...)
ca_intermediate_cert = OpenSSL::X509::Certificate.new(...)
ctx.add_certificate(rsa_cert, rsa_pkey, [ca_intermediate_cert])

ecdsa_cert = ...
ecdsa_pkey = ...
another_ca_cert = ...
ctx.add_certificate(ecdsa_cert, ecdsa_pkey, [another_ca_cert])

Note

OpenSSL before the version 1.0.2 could handle only one extra chain across all key types. Calling this method discards the chain set previously.

Show source

static VALUE
ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self)
{
    VALUE cert, key, extra_chain_ary;
    SSL_CTX *ctx;
    X509 *x509;
    STACK_OF(X509) *extra_chain = NULL;
    EVP_PKEY *pkey, *pub_pkey;

    GetSSLCTX(self, ctx);
    rb_scan_args(argc, argv, "21", &cert, &key, &extra_chain_ary);
    rb_check_frozen(self);
    x509 = GetX509CertPtr(cert);
    pkey = GetPrivPKeyPtr(key);

    /*
     * The reference counter is bumped, and decremented immediately.
     * X509_get0_pubkey() is only available in OpenSSL >= 1.1.0.
     */
    pub_pkey = X509_get_pubkey(x509);
    EVP_PKEY_free(pub_pkey);
    if (!pub_pkey)
        rb_raise(rb_eArgError, "certificate does not contain public key");
    if (EVP_PKEY_cmp(pub_pkey, pkey) != 1)
        rb_raise(rb_eArgError, "public key mismatch");

    if (argc >= 3)
        extra_chain = ossl_x509_ary2sk(extra_chain_ary);

    if (!SSL_CTX_use_certificate(ctx, x509)) {
        sk_X509_pop_free(extra_chain, X509_free);
        ossl_raise(eSSLError, "SSL_CTX_use_certificate");
    }
    if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
        sk_X509_pop_free(extra_chain, X509_free);
        ossl_raise(eSSLError, "SSL_CTX_use_PrivateKey");
    }

    if (extra_chain) {
#if OPENSSL_VERSION_NUMBER >= 0x10002000 && !defined(LIBRESSL_VERSION_NUMBER)
        if (!SSL_CTX_set0_chain(ctx, extra_chain)) {
            sk_X509_pop_free(extra_chain, X509_free);
            ossl_raise(eSSLError, "SSL_CTX_set0_chain");
        }
#else
        STACK_OF(X509) *orig_extra_chain;
        X509 *x509_tmp;

        /* First, clear the existing chain */
        SSL_CTX_get_extra_chain_certs(ctx, &orig_extra_chain);
        if (orig_extra_chain && sk_X509_num(orig_extra_chain)) {
            rb_warning("SSL_CTX_set0_chain() is not available; " \
                       "clearing previously set certificate chain");
            SSL_CTX_clear_extra_chain_certs(ctx);
        }
        while ((x509_tmp = sk_X509_shift(extra_chain))) {
            /* Transfers ownership */
            if (!SSL_CTX_add_extra_chain_cert(ctx, x509_tmp)) {
                X509_free(x509_tmp);
                sk_X509_pop_free(extra_chain, X509_free);
                ossl_raise(eSSLError, "SSL_CTX_add_extra_chain_cert");
            }
        }
        sk_X509_free(extra_chain);
#endif
    }
    return self;
}

add_certificate

Related methods

Parameters

Example

Note