Add openconnect_get_cert_DER() function
authorDavid Woodhouse <David.Woodhouse@intel.com>
Tue, 29 May 2012 14:17:38 +0000 (15:17 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Tue, 29 May 2012 14:20:39 +0000 (15:20 +0100)
This translates a cert into an SSL-library-agnostic form, so that the caller
can then process it using their own choice of tools.

As with the new openconnect_get_cert_details(), this isn't marked as a
public function yet because we anticipate more changes to the API.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
libopenconnect.map.in
openconnect.h
openssl.c

index bdbc02d..82adb67 100644 (file)
@@ -54,5 +54,6 @@ OPENCONNECT_PRIVATE {
        openconnect_create_useragent;
        openconnect_report_ssl_errors;
        openconnect_get_cert_details;
+       openconnect_get_cert_DER;
        openconnect_sha1;
 };
index 1d4e723..d889f89 100644 (file)
@@ -130,6 +130,10 @@ int openconnect_get_cert_sha1(struct openconnect_info *vpninfo,
                              struct x509_st *cert, char *buf);
 char *openconnect_get_cert_details(struct openconnect_info *vpninfo,
                                   struct x509_st *cert);
+/* Returns the length of the created DER output, in a newly-allocated buffer
+   that will need to be freed by the caller. */
+int openconnect_get_cert_DER(struct openconnect_info *vpninfo,
+                            struct x509_st *cert, unsigned char **buf);
 int openconnect_set_http_proxy(struct openconnect_info *vpninfo, char *proxy);
 int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo);
 int openconnect_obtain_cookie(struct openconnect_info *vpninfo);
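Review bot: The new comment on openconnect_get_cert_DER() documents only the success path; the implementation in openssl.c also returns a negative errno value (-EIO when encoding fails, -ENOMEM when allocation fails) and leaves `*buf` untouched in those cases, which a caller needs to know before it frees anything. I would extend the comment to `/* Returns the length of the created DER output, in a newly-allocated buffer that the caller must free(). On failure returns a negative errno value and *buf is not modified. */`. Since the return type is int while the buffer length is a size_t internally, it may also be worth stating that the length is expected to fit in an int.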
index c18478f..57e3fc9 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -22,6 +22,8 @@
  *   Boston, MA 02110-1301 USA
  */
 
+#include <errno.h>
+
 #include <openssl/evp.h>
 
 #include "openconnect-internal.h"
@@ -36,3 +38,27 @@ int openconnect_sha1(unsigned char *result, void *data, int len)
 
         return 0;
 }
+
+int openconnect_get_cert_DER(struct openconnect_info *vpninfo,
+                            struct x509_st *cert, unsigned char **buf)
+{
+       BIO *bp = BIO_new(BIO_s_mem());
+       BUF_MEM *certinfo;
+       size_t l;
+
+       if (!i2d_X509_bio(bp, cert)) {
+               BIO_free(bp);
+               return -EIO;
+       }
+
+       BIO_get_mem_ptr(bp, &certinfo);
+       l = certinfo->length;
+       *buf = malloc(l);
+       if (!*buf) {
+               BIO_free(bp);
+               return -ENOMEM;
+       }
+       memcpy(*buf, certinfo->data, l);
+       BIO_free(bp);
+       return l;
+}
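Review bot: `BIO_new(BIO_s_mem())` at the top of openconnect_get_cert_DER() can return NULL on allocation failure, and `bp` is passed straight to `i2d_X509_bio()` without a check; add `if (!bp) return -ENOMEM;` immediately after the declaration so the failure is reported the same way as the later malloc() failure. The function also narrows `l` (a size_t) to an int on return, so a DER blob longer than INT_MAX would come back as a negative "error" value; a guard such as `if (l > INT_MAX) { BIO_free(bp); return -EIO; }` before the malloc() keeps the return contract honest, though real certificates are far below that bound. On both error paths `*buf` is left unset, which is fine as long as the header comment says so.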