From e5ebe12b770bbb7bf73177517c339dc3601a5efc Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Mon, 26 Nov 2012 23:02:14 +0100
Subject: journal-gatewayd: ask clients to provide certificates
A certificate authority certificate will be presented to clients, causing them to present their client certificate, if it is signed by this authority (default behaviour of most clients). No certificate checking is actually performed.
---
 src/journal/journal-gatewayd.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/journal/journal-gatewayd.c b/src/journal/journal-gatewayd.c
index 7e97a3588c..862ee79030 100644
--- a/src/journal/journal-gatewayd.c
+++ b/src/journal/journal-gatewayd.c
@@ -900,8 +900,9 @@ static int help(void) {
 "HTTP server for journal events.\n\n"
 " -h --help Show this help\n"
 " --version Show package version\n"
- " --cert=CERT.PEM Specify server certificate in PEM format\n"
- " --key=KEY.PEM Specify server key in PEM format\n",
+ " --cert=CERT.PEM Server certificate in PEM format\n"
+ " --key=KEY.PEM Server key in PEM format\n"
+ " --trust=CERT.PEM Certificat authority certificate in PEM format\n",
 program_invocation_short_name);
 return 0;
@@ -909,12 +910,14 @@ static int help(void) {
 static char *key_pem = NULL;
 static char *cert_pem = NULL;
+static char *trust_pem = NULL;
 static int parse_argv(int argc, char *argv[]) {
 enum {
 ARG_VERSION = 0x100,
 ARG_KEY,
 ARG_CERT,
+ ARG_TRUST,
 };
 int r, c;
@@ -924,6 +927,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "version", no_argument, NULL, ARG_VERSION },
 { "key", required_argument, NULL, ARG_KEY },
 { "cert", required_argument, NULL, ARG_CERT },
+ { "trust", required_argument, NULL, ARG_TRUST },
 {}
 };
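Review bot: The new `--trust` line in help() misspells "Certificate" as `Certificat`, and it gives no hint that the CA certificate is only used to ask clients for a certificate. The commit message states that no certificate checking is performed, so an administrator reading `--help` could reasonably assume the option restricts who may connect. I would correct the spelling and extend the description, for example `Certificate authority certificate in PEM format (client certificates are requested, not verified)`.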
@@ -968,6 +972,19 @@ static int parse_argv(int argc, char *argv[]) {
 assert(cert_pem);
 break;
+ case ARG_TRUST:
+ if (trust_pem) {
+ log_error("CA certificate file specified twice");
+ return -EINVAL;
+ }
+ r = read_full_file(optarg, &trust_pem, NULL);
+ if (r < 0) {
+ log_error("Failed to read CA certificate file: %s", strerror(-r));
+ return r;
+ }
+ assert(trust_pem);
+ break;
+
 case '?':
 return -EINVAL;
@@ -985,6 +1002,11 @@ static int parse_argv(int argc, char *argv[]) {
 return -EINVAL;
 }
+ if (trust_pem && !key_pem) {
+ log_error("CA certificate can only be used with certificate file");
+ return -EINVAL;
+ }
+
 return 1;
 }
@@ -1018,6 +1040,7 @@ int main(int argc, char *argv[]) {
 { MHD_OPTION_END, 0, NULL },
 { MHD_OPTION_END, 0, NULL },
 { MHD_OPTION_END, 0, NULL },
+ { MHD_OPTION_END, 0, NULL },
 { MHD_OPTION_END, 0, NULL }};
 int opts_pos = 2;
 int flags = MHD_USE_THREAD_PER_CONNECTION|MHD_USE_POLL|MHD_USE_DEBUG;
@@ -1033,6 +1056,11 @@ int main(int argc, char *argv[]) {
 {MHD_OPTION_HTTPS_MEM_CERT, 0, cert_pem};
 flags |= MHD_USE_SSL;
 }
+ if (trust_pem) {
+ assert(flags & MHD_USE_SSL);
+ opts[opts_pos++] = (struct MHD_OptionItem)
+ {MHD_OPTION_HTTPS_MEM_TRUST, 0, trust_pem};
+ }
 d = MHD_start_daemon(flags, 19531,
 NULL, NULL,
-- cgit v1.2.3-54-g00ecf
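Review bot: The added check at the end of parse_argv tests `!key_pem` while its message talks about the certificate file, so the condition and the diagnostic do not describe the same thing. It appears to rely on the preceding check, of which only the closing `return -EINVAL; }` is visible in this hunk, to guarantee that key and certificate are always given together; that dependency deserves a comment. A message naming the options would be clearer to the operator, e.g. `log_error("--trust can only be used together with --key and --cert");`.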
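Review bot: Setting `MHD_OPTION_HTTPS_MEM_TRUST` in main() only makes the TLS layer request a client certificate; nothing added here rejects a connection that presents none or one not signed by the CA, as the commit message itself acknowledges. Journal contents therefore stay readable by any client that can reach port 19531 even when `--trust` is given, until the request handler (outside this hunk) inspects the peer, for instance through `MHD_get_connection_info(connection, MHD_CONNECTION_INFO_GNUTLS_SESSION)` and `gnutls_certificate_verify_peers2()`. Until that exists I would put a comment on the `if (trust_pem)` block such as `/* Requests a client certificate only; the peer is NOT verified yet. */`. Separately, `opts` is sized by hand (the extra `MHD_OPTION_END` slot in the previous hunk), so an `assert(opts_pos < ELEMENTSOF(opts) - 1);`-style bound before each `opts[opts_pos++]` would catch a future mismatch; main's body continues beyond the hunk.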