From 3fed1cf36fe6799b5987d376334d29dd7b7f70e8 Mon Sep 17 00:00:00 2001
From: Paulo Matias <paulo.matias@usp.br>
Date: Sun, 2 May 2010 00:40:21 -0300
Subject: [PATCH] Make it possible to use client certificates to connect with a
 nodejs server, and make verifyPeer behaviour consistant.

---
 src/node_crypto.cc | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 270196a..653c759 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -28,8 +28,6 @@ static Persistent<String> valid_to_symbol;
 static Persistent<String> name_symbol;
 static Persistent<String> version_symbol;
 
-static int x509_verify_error;
-
 static inline const char *errno_string(int errorno) {
 #define ERRNO_CASE(e)  case e: return #e;
   switch (errorno) {
@@ -354,8 +352,7 @@ static inline const char *errno_string(int errorno) {
 
 
 static int verify_callback(int ok, X509_STORE_CTX *ctx) {
-  x509_verify_error = ctx->error;
-  return(ok);
+  return(1); // Ignore errors by now. VerifyPeer will catch them by using SSL_get_verify_result.
 }
 
 
@@ -431,6 +428,7 @@ Handle<Value> SecureContext::Init(const Arguments& args) {
   // SSL_CTX_set_session_cache_mode(sc->pCtx,SSL_SESS_CACHE_OFF);
 
   sc->caStore = X509_STORE_new();
+  SSL_CTX_set_cert_store(sc->pCtx, sc->caStore);
   return True();
 }
 
@@ -604,6 +602,7 @@ Handle<Value> SecureStream::New(const Arguments& args) {
   p->pbioRead = BIO_new(BIO_s_mem());
   p->pbioWrite = BIO_new(BIO_s_mem());
   SSL_set_bio(p->pSSL, p->pbioRead, p->pbioWrite);
+  SSL_set_verify(p->pSSL, SSL_VERIFY_PEER, verify_callback);
   p->server = isServer>0;
   if (p->server) {
     SSL_set_accept_state(p->pSSL);
@@ -873,20 +872,8 @@ Handle<Value> SecureStream::VerifyPeer(const Arguments& args) {
   SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args[0]->ToObject());
 
   if (ss->pSSL == NULL) return False();
-  if (sc->caStore == NULL) return False();
-
-  X509 *cert = SSL_get_peer_certificate(ss->pSSL);
-  STACK_OF(X509) *certChain = SSL_get_peer_cert_chain(ss->pSSL);
-  X509_STORE_set_verify_cb_func(sc->caStore, verify_callback);
-  X509_STORE_CTX *storeCtx = X509_STORE_CTX_new();
-  X509_STORE_CTX_init(storeCtx, sc->caStore, cert, certChain);
-
-  x509_verify_error = 0;
-  // OS X Bug in openssl : x509_verify_cert is always true?
-  // This is why we have our global.
-  X509_verify_cert(storeCtx);
 
-  X509_STORE_CTX_free(storeCtx);
+  long x509_verify_error = SSL_get_verify_result(ss->pSSL);
 
   // Can also check for:
   // X509_V_ERR_CERT_HAS_EXPIRED
-- 
2.7.4