authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2012-11-26 23:02:14 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-03-17 01:55:48 -0400
commite5ebe12b770bbb7bf73177517c339dc3601a5efc (patch)
treeab8d318472c82a80905c3576e068fd5a68f77150
parente0aa3726103448097e5ad7cc6f427e142103a321 (diff)
journal-gatewayd: ask clients to provide certificates
A certificate authority certificate will be presented to clients, causing them to present their client certificate, if it is signed by this authority (default behaviour of most clients). No certificate checking is actually performed.
-rw-r--r--src/journal/journal-gatewayd.c32
1 files changed, 30 insertions, 2 deletions
diff --git a/src/journal/journal-gatewayd.c b/src/journal/journal-gatewayd.c
index 7e97a3588c..862ee79030 100644
--- a/src/journal/journal-gatewayd.c
+++ b/src/journal/journal-gatewayd.c
@@ -900,8 +900,9 @@ static int help(void) {
"HTTP server for journal events.\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
- " --cert=CERT.PEM Specify server certificate in PEM format\n"
- " --key=KEY.PEM Specify server key in PEM format\n",
+ " --cert=CERT.PEM Server certificate in PEM format\n"
+ " --key=KEY.PEM Server key in PEM format\n"
+ " --trust=CERT.PEM Certificat authority certificate in PEM format\n",
program_invocation_short_name);
return 0;
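Review bot: The new `--trust` help line misspells its description: `Certificat authority certificate` should read `Certificate authority certificate`. The other two option lines were reworded in this same hunk, so this is the one user-visible string left wrong; the fixed line would be `" --trust=CERT.PEM Certificate authority certificate in PEM format\n",`. help() closes outside the hunk.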
@@ -909,12 +910,14 @@ static int help(void) {
static char *key_pem = NULL;
static char *cert_pem = NULL;
+static char *trust_pem = NULL;
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
ARG_KEY,
ARG_CERT,
+ ARG_TRUST,
};
int r, c;
@@ -924,6 +927,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "version", no_argument, NULL, ARG_VERSION },
{ "key", required_argument, NULL, ARG_KEY },
{ "cert", required_argument, NULL, ARG_CERT },
+ { "trust", required_argument, NULL, ARG_TRUST },
{}
};
@@ -968,6 +972,19 @@ static int parse_argv(int argc, char *argv[]) {
assert(cert_pem);
break;
+ case ARG_TRUST:
+ if (trust_pem) {
+ log_error("CA certificate file specified twice");
+ return -EINVAL;
+ }
+ r = read_full_file(optarg, &trust_pem, NULL);
+ if (r < 0) {
+ log_error("Failed to read CA certificate file: %s", strerror(-r));
+ return r;
+ }
+ assert(trust_pem);
+ break;
+
case '?':
return -EINVAL;
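Review bot: Nothing in the new ARG_TRUST case documents that the file is only used to make TLS clients present a certificate; the commit description itself says no certificate checking is performed, so a reader of parse_argv would otherwise assume `--trust` restricts who can connect. The same applies where trust_pem is later handed to libmicrohttpd as MHD_OPTION_HTTPS_MEM_TRUST in main. A comment at the point the option is accepted would make the limitation visible: `/* Only causes TLS clients to be asked for a certificate signed by this CA; nothing verifies the presented chain yet, so --trust is not an access control. */`. parse_argv continues outside the hunk.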
@@ -985,6 +1002,11 @@ static int parse_argv(int argc, char *argv[]) {
return -EINVAL;
}
+ if (trust_pem && !key_pem) {
+ log_error("CA certificate can only be used with certificate file");
+ return -EINVAL;
+ }
+
return 1;
}
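Review bot: The new guard tests `key_pem` while its error message names the certificate file, which reads as a mismatch even if the preceding check (only its tail `return -EINVAL; }` is visible, so I infer it forces key and certificate to be given together) makes the two conditions equivalent. `if (trust_pem && !cert_pem)` would match both the message and the `if (cert_pem)` branch in main that the trust option is attached to. If the check is meant to stay on key_pem, the message should say "key file" instead.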
@@ -1018,6 +1040,7 @@ int main(int argc, char *argv[]) {
{ MHD_OPTION_END, 0, NULL },
{ MHD_OPTION_END, 0, NULL },
{ MHD_OPTION_END, 0, NULL },
+ { MHD_OPTION_END, 0, NULL },
{ MHD_OPTION_END, 0, NULL }};
int opts_pos = 2;
int flags = MHD_USE_THREAD_PER_CONNECTION|MHD_USE_POLL|MHD_USE_DEBUG;
@@ -1033,6 +1056,11 @@ int main(int argc, char *argv[]) {
{MHD_OPTION_HTTPS_MEM_CERT, 0, cert_pem};
flags |= MHD_USE_SSL;
}
+ if (trust_pem) {
+ assert(flags & MHD_USE_SSL);
+ opts[opts_pos++] = (struct MHD_OptionItem)
+ {MHD_OPTION_HTTPS_MEM_TRUST, 0, trust_pem};
+ }
d = MHD_start_daemon(flags, 19531,
NULL, NULL,