[PATCH] Add openconnect_get_client_cert() to API

Jussi Kukkonen jku at linux.intel.com
Sat Sep 17 05:31:58 EDT 2011


This allows UIs to e.g. warn the user about near-future
certificate expiration.
---

I just experienced client certificate expiry with openconnect and
figured we could be more informative about this situation. I don't have
good suggestions for the openconnect binary -- looking at the code it
seems to have warned me a couple of months (!) in advance, and I just
hadn't reacted... but the NM and connman UIs are sorely lacking in this
regard and it seems they don't have all the information they need to
solve the problem.

Would this be an acceptable addition to the openconnect api? It would
allow the library users to do whatever they want with
X509_get_notAfter(), X509_cmp_time(), etc using the client cert.


 library.c              |    8 ++++++++
 openconnect-internal.h |    1 +
 openconnect.h          |    1 +
 ssl.c                  |    2 +-
 4 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/library.c b/library.c
index 0a1b76a..a62f326 100644
--- a/library.c
+++ b/library.c
@@ -143,6 +143,14 @@ void openconnect_set_client_cert (struct openconnect_info *vpninfo, char *cert,
 		vpninfo->sslkey = cert;
 }
 
+struct x509_st *openconnect_get_client_cert (struct openconnect_info *vpninfo)
+{
+	if (reload_pem_cert(vpninfo))
+		return NULL;
+
+	return vpninfo->cert_x509;
+}
+
 struct x509_st *openconnect_get_peer_cert (struct openconnect_info *vpninfo)
 {
 	return SSL_get_peer_certificate(vpninfo->https_ssl);
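Review bot: The two getters in this hunk hand out certificates with different ownership: `openconnect_get_client_cert()` returns `vpninfo->cert_x509` itself, while `openconnect_get_peer_cert()` directly below returns `SSL_get_peer_certificate()`, which takes a reference that the caller must release with `X509_free()`. A UI treating both results the same way will either leak the peer cert or free the library's own client cert while the SSL session still uses it. Either take a reference before returning, `if (vpninfo->cert_x509) CRYPTO_add(&vpninfo->cert_x509->references, 1, CRYPTO_LOCK_X509);` so both functions share the "caller frees" contract, or state in the public header that the client cert is owned by the library and must not be freed. Separately, `reload_pem_cert(vpninfo)` re-reads the certificate file on every query and, judging by its name and the TPM loader visible in ssl.c, presumably only covers the PEM configuration — confirm that `cert_x509` is populated (and not clobbered) for non-PEM certificates, or return the cached pointer without reloading.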
diff --git a/openconnect-internal.h b/openconnect-internal.h
index bddc9a1..5ee6990 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -259,6 +259,7 @@ void openconnect_close_https(struct openconnect_info *vpninfo);
 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, X509 *cert,
 			     char *buf);
 void report_ssl_errors(struct openconnect_info *vpninfo);
+int reload_pem_cert(struct openconnect_info *vpninfo);
 
 /* mainloop.c */
 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
diff --git a/openconnect.h b/openconnect.h
index d4930d1..78d3b41 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -126,6 +126,7 @@ void openconnect_set_xmlsha1 (struct openconnect_info *, char *, int size);
 void openconnect_set_cafile (struct openconnect_info *, char *);
 void openconnect_setup_csd (struct openconnect_info *, uid_t, int silent, char *wrapper);
 void openconnect_set_client_cert (struct openconnect_info *, char *cert, char *sslkey);
+struct x509_st *openconnect_get_client_cert (struct openconnect_info *vpninfo);
 struct x509_st *openconnect_get_peer_cert (struct openconnect_info *);
 int openconnect_get_port (struct openconnect_info *);
 char *openconnect_get_cookie (struct openconnect_info *);
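Review bot: The new public prototype says nothing about the lifetime of the returned `struct x509_st *`, and the implementation in library.c returns the library's own `vpninfo->cert_x509` without taking a reference, so a caller must not `X509_free()` it — the opposite of `openconnect_get_peer_cert()` on the next line. Add a comment above the declaration such as `/* Returns the loaded client certificate, owned by the library: do not X509_free() it. NULL if the certificate could not be (re)loaded. */`. As a point of style, the neighbouring prototypes leave the `struct openconnect_info *` parameter unnamed; dropping `vpninfo` here keeps the header consistent.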
diff --git a/ssl.c b/ssl.c
index 9e41126..3b24b2d 100644
--- a/ssl.c
+++ b/ssl.c
@@ -276,7 +276,7 @@ static int load_tpm_certificate(struct openconnect_info *vpninfo)
 }
 #endif
 
-static int reload_pem_cert(struct openconnect_info *vpninfo)
+int reload_pem_cert(struct openconnect_info *vpninfo)
 {
 	BIO *b = BIO_new(BIO_s_file_internal());
 
-- 
1.7.6



