tls: client: also allow vhost client ctx to be initialized with in-memory certs

2025-03-16 00:00:07 +01:00 · 2019-01-11 13:13:40 +08:00 · 2019-01-11 13:13:40 +08:00 · 4608dfc581
commit 4608dfc581
parent d995d75ffb
4 changed files with 23 additions and 2 deletions
--- a/include/libwebsockets/lws-context-vhost.h
+++ b/include/libwebsockets/lws-context-vhost.h
@ -422,14 +422,20 @@ struct lws_context_creation_info {
 	/**< VHOST: Client SSL context init: NULL or the passphrase needed
 	 * for the private key */
 	const char *client_ssl_cert_filepath;
-	/**< VHOST: Client SSL context init:T he certificate the client
+	/**< VHOST: Client SSL context init: The certificate the client
 	 * should present to the peer on connection */
+	const void *client_ssl_cert_mem;
+	/**< VHOST: Client SSL context init: client certificate memory buffer or
+	 * NULL... use this to load client cert from memory instead of file */
+	unsigned int client_ssl_cert_mem_len;
+	/**< VHOST: Client SSL context init: length of client_ssl_cert_mem in
+	 * bytes */
 	const char *client_ssl_private_key_filepath;
 	/**<  VHOST: Client SSL context init: filepath to client private key
 	 * if this is set to NULL but client_ssl_cert_filepath is set, you
 	 * can handle the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS
 	 * callback of protocols[0] to allow setting of the private key directly
-	 * via openSSL library calls */
+	 * via tls library calls */
 	const char *client_ssl_ca_filepath;
 	/**< VHOST: Client SSL context init: CA certificate filepath or NULL */
 	const void *client_ssl_ca_mem;
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@ -360,6 +360,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 				    const void *ca_mem,
 				    unsigned int ca_mem_len,
 				    const char *cert_filepath,
+				    const void *cert_mem,
+				    unsigned int cert_mem_len,
 				    const char *private_key_filepath)
 {
 	SSL_METHOD *method;
@ -492,6 +494,15 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 			return 1;
 		}
 		lwsl_notice("Loaded client cert %s\n", cert_filepath);
+	} else if (cert_mem && cert_mem_len) {
+		n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
+						 cert_mem_len, cert_mem);
+		if (n < 1) {
+			lwsl_err("%s: problem interpreting client cert '%s'\n",
+				 __func__);
+			lws_tls_err_describe();
+			return 1;
+		}
 	}
 	if (private_key_filepath) {
 		lwsl_notice("%s: doing private key filepath\n", __func__);
--- a/lib/tls/private.h
+++ b/lib/tls/private.h
@ -281,6 +281,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 				    const void *ca_mem,
 				    unsigned int ca_mem_len,
 				    const char *cert_filepath,
+				    const void *cert_mem,
+				    unsigned int cert_mem_len,
 				    const char *private_key_filepath);

 LWS_EXTERN lws_tls_ctx *
--- a/lib/tls/tls-client.c
+++ b/lib/tls/tls-client.c
@ -132,6 +132,8 @@ int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
 						info->client_ssl_ca_mem,
 						info->client_ssl_ca_mem_len,
 						cert_filepath,
+						info->client_ssl_cert_mem,
+						info->client_ssl_cert_mem_len,
 						private_key_filepath))
 		return 1;