
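diff --git a/include/net-snmp/library/cert_util.h b/include/net-snmp/library/cert_util.h
index 80e2a19..143adbb 100644
--- a/include/net-snmp/library/cert_util.h
+++ b/include/net-snmp/library/cert_util.h
@@ -55,7 +55,8 @@ extern "C" {
         char           *common_name;
 
         u_char          hash_type;
-        u_char          _pad[3]; /* for future use */
+        u_char          _pad[1]; /* for future use */
+        u_short         offset;
     } netsnmp_cert;
 
 /** types */
@@ -100,6 +101,7 @@ extern "C" {
 
     NETSNMP_IMPORT
     netsnmp_cert *netsnmp_cert_find(int what, int where, void *hint);
+    netsnmp_void_array *netsnmp_certs_find(int what, int where, void *hint);
 
     int netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var);
 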
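diff --git a/include/net-snmp/library/dir_utils.h b/include/net-snmp/library/dir_utils.h
index 471bb0b..6c5a23f 100644
--- a/include/net-snmp/library/dir_utils.h
+++ b/include/net-snmp/library/dir_utils.h
@@ -53,6 +53,8 @@ extern "C" {
 #define NETSNMP_DIR_NSFILE                            0x0010
 /** load stats in netsnmp_file */
 #define NETSNMP_DIR_NSFILE_STATS                      0x0020
+/** allow files to be indexed more than once */
+#define NETSNMP_DIR_ALLOW_DUPLICATES                  0x0040
 
     
         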
diff --git a/snmplib/cert_util.c b/snmplib/cert_util.c
962144
index e7b7114..bee0b5f 100644
962144
--- a/snmplib/cert_util.c
962144
+++ b/snmplib/cert_util.c
962144
@@ -100,7 +100,7 @@ netsnmp_feature_child_of(tls_fingerprint_build, cert_util_all);
962144
  * bump this value whenever cert index format changes, so indexes
962144
  * will be regenerated with new format.
962144
  */
962144
-#define CERT_INDEX_FORMAT  1
962144
+#define CERT_INDEX_FORMAT  2
962144
 
962144
 static netsnmp_container *_certs = NULL;
962144
 static netsnmp_container *_keys = NULL;
962144
@@ -126,6 +126,8 @@ static int  _cert_fn_ncompare(netsnmp_cert_common *lhs,
962144
                               netsnmp_cert_common *rhs);
962144
 static void _find_partner(netsnmp_cert *cert, netsnmp_key *key);
962144
 static netsnmp_cert *_find_issuer(netsnmp_cert *cert);
962144
+static netsnmp_void_array *_cert_reduce_subset_first(netsnmp_void_array *matching);
962144
+static netsnmp_void_array *_cert_reduce_subset_what(netsnmp_void_array *matching, int what);
962144
 static netsnmp_void_array *_cert_find_subset_fn(const char *filename,
962144
                                                 const char *directory);
962144
 static netsnmp_void_array *_cert_find_subset_sn(const char *subject);
962144
@@ -345,6 +347,8 @@ _get_cert_container(const char *use)
962144
 {
962144
     netsnmp_container *c;
962144
 
962144
+    int rc;
962144
+
962144
     c = netsnmp_container_find("certs:binary_array");
962144
     if (NULL == c) {
962144
         snmp_log(LOG_ERR, "could not create container for %s\n", use);
962144
@@ -354,6 +358,8 @@ _get_cert_container(const char *use)
962144
     c->free_item = (netsnmp_container_obj_func*)_cert_free;
962144
     c->compare = (netsnmp_container_compare*)_cert_compare;
962144
 
962144
+    CONTAINER_SET_OPTIONS(c, CONTAINER_KEY_ALLOW_DUPLICATES, rc);
962144
+
962144
     return c;
962144
 }
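Review bot: `rc` receives the result of CONTAINER_SET_OPTIONS but is never examined, here and in the four CONTAINER_SET_OPTIONS calls added to _setup_containers in the following hunks; if the option cannot be applied, the second and later certificates of a PEM bundle would be refused at CONTAINER_INSERT time with nothing but a debug message. Check it at each site, e.g. `if (rc) snmp_log(LOG_ERR, "could not allow duplicate keys in container for %s\n", use);`, and declare `rc` next to `c` rather than after a blank line. Allowing duplicates on the primary `_certs` container also means that, if _cert_compare keys on the fingerprint, the same certificate present in two files is now indexed twice and a fingerprint lookup may return either copy; a comment stating which copy is intended to win, or a dedupe on insert, would make that explicit since fingerprint matches are what the TLS transport relies on.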
962144
 
962144
@@ -362,6 +368,8 @@ _setup_containers(void)
962144
 {
962144
     netsnmp_container *additional_keys;
962144
 
962144
+    int rc;
962144
+
962144
     _certs = _get_cert_container("netsnmp certificates");
962144
     if (NULL == _certs)
962144
         return;
962144
@@ -376,6 +384,7 @@ _setup_containers(void)
962144
     additional_keys->container_name = strdup("certs_cn");
962144
     additional_keys->free_item = NULL;
962144
     additional_keys->compare = (netsnmp_container_compare*)_cert_cn_compare;
962144
+    CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc);
962144
     netsnmp_container_add_index(_certs, additional_keys);
962144
 
962144
     /** additional keys: subject name */
962144
@@ -389,6 +398,7 @@ _setup_containers(void)
962144
     additional_keys->free_item = NULL;
962144
     additional_keys->compare = (netsnmp_container_compare*)_cert_sn_compare;
962144
     additional_keys->ncompare = (netsnmp_container_compare*)_cert_sn_ncompare;
962144
+    CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc);
962144
     netsnmp_container_add_index(_certs, additional_keys);
962144
 
962144
     /** additional keys: file name */
962144
@@ -402,6 +412,7 @@ _setup_containers(void)
962144
     additional_keys->free_item = NULL;
962144
     additional_keys->compare = (netsnmp_container_compare*)_cert_fn_compare;
962144
     additional_keys->ncompare = (netsnmp_container_compare*)_cert_fn_ncompare;
962144
+    CONTAINER_SET_OPTIONS(additional_keys, CONTAINER_KEY_ALLOW_DUPLICATES, rc);
962144
     netsnmp_container_add_index(_certs, additional_keys);
962144
 
962144
     _keys = netsnmp_container_find("cert_keys:binary_array");
962144
@@ -424,9 +435,9 @@ netsnmp_cert_map_container(void)
962144
 }
962144
 
962144
 static netsnmp_cert *
962144
-_new_cert(const char *dirname, const char *filename, int certType,
962144
-          int hashType, const char *fingerprint, const char *common_name,
962144
-          const char *subject)
962144
+_new_cert(const char *dirname, const char *filename, int certType, int offset,
962144
+          int allowed_uses, int hashType, const char *fingerprint,
962144
+          const char *common_name,  const char *subject)
962144
 {
962144
     netsnmp_cert    *cert;
962144
 
962144
@@ -446,8 +457,10 @@ _new_cert(const char *dirname, const char *filename, int certType,
962144
 
962144
     cert->info.dir = strdup(dirname);
962144
     cert->info.filename = strdup(filename);
962144
-    cert->info.allowed_uses = NS_CERT_REMOTE_PEER;
962144
+    /* only the first certificate is allowed to be a remote peer */
962144
+    cert->info.allowed_uses = allowed_uses;
962144
     cert->info.type = certType;
962144
+    cert->offset = offset;
962144
     if (fingerprint) {
962144
         cert->hash_type = hashType;
962144
         cert->fingerprint = strdup(fingerprint);
962144
@@ -884,14 +897,86 @@ _certindex_new( const char *dirname )
962144
  * certificate utility functions
962144
  *
962144
  */
962144
+static BIO *
962144
+netsnmp_open_bio(const char *dir, const char *filename)
962144
+{
962144
+    BIO            *certbio;
962144
+    char            file[SNMP_MAXPATH];
962144
+
962144
+    DEBUGMSGT(("9:cert:read", "Checking file %s\n", filename));
962144
+
962144
+    certbio = BIO_new(BIO_s_file());
962144
+    if (NULL == certbio) {
962144
+        snmp_log(LOG_ERR, "error creating BIO\n");
962144
+        return NULL;
962144
+    }
962144
+
962144
+    snprintf(file, sizeof(file),"%s/%s", dir, filename);
962144
+    if (BIO_read_filename(certbio, file) <=0) {
962144
+        snmp_log(LOG_ERR, "error reading certificate/key %s into BIO\n", file);
962144
+        BIO_vfree(certbio);
962144
+        return NULL;
962144
+    }
962144
+
962144
+    return certbio;
962144
+}
962144
+
962144
+static void
962144
+netsnmp_ocert_parse(netsnmp_cert *cert, X509 *ocert)
962144
+{
962144
+    int             is_ca;
962144
+
962144
+    cert->ocert = ocert;
962144
+
962144
+    /*
962144
+     * X509_check_ca return codes:
962144
+     * 0 not a CA
962144
+     * 1 is a CA
962144
+     * 2 basicConstraints absent so "maybe" a CA
962144
+     * 3 basicConstraints absent but self signed V1.
962144
+     * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
962144
+     * 5 outdated Netscape Certificate Type CA extension.
962144
+     */
962144
+    is_ca = X509_check_ca(ocert);
962144
+    if (1 == is_ca)
962144
+        cert->info.allowed_uses |= NS_CERT_CA;
962144
+
962144
+    if (NULL == cert->subject) {
962144
+        cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL,
962144
+                                          0);
962144
+        DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject));
962144
+    }
962144
+
962144
+    if (NULL == cert->issuer) {
962144
+        cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0);
962144
+        if (strcmp(cert->subject, cert->issuer) == 0) {
962144
+            free(cert->issuer);
962144
+            cert->issuer = strdup("self-signed");
962144
+        }
962144
+        DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer));
962144
+    }
962144
+
962144
+    if (NULL == cert->fingerprint) {
962144
+        cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert);
962144
+        cert->fingerprint =
962144
+            netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type);
962144
+    }
962144
+
962144
+    if (NULL == cert->common_name) {
962144
+        cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL,
962144
+                                                               NULL);
962144
+        DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name));
962144
+    }
962144
+
962144
+}
962144
+
962144
 static X509 *
962144
 netsnmp_ocert_get(netsnmp_cert *cert)
962144
 {
962144
     BIO            *certbio;
962144
     X509           *ocert = NULL;
962144
+    X509           *ncert = NULL;
962144
     EVP_PKEY       *okey = NULL;
962144
-    char            file[SNMP_MAXPATH];
962144
-    int             is_ca;
962144
 
962144
     if (NULL == cert)
962144
         return NULL;
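Review bot: netsnmp_open_bio ignores the return value of snprintf, so a dir/filename pair longer than SNMP_MAXPATH is truncated and the truncated path is handed to BIO_read_filename, which then opens a different file or fails with a misleading message; now that this helper serves both certificate and key loading, check it: `int n = snprintf(file, sizeof(file), "%s/%s", dir, filename);` then `if (n < 0 || (size_t)n >= sizeof(file)) { snmp_log(LOG_ERR, "path too long: %s/%s\n", dir, filename); BIO_vfree(certbio); return NULL; }`. Neither new helper has a header comment; a line on netsnmp_ocert_parse saying that it stores ocert in cert->ocert, sets NS_CERT_CA only when X509_check_ca returns 1, and fills only the fields that are still NULL (so values loaded from the index are kept) would make the lazy-load contract clear. Both helpers are complete within the hunk; netsnmp_ocert_get's body continues past it.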
962144
@@ -908,51 +993,33 @@ netsnmp_ocert_get(netsnmp_cert *cert)
962144
         }
962144
     }
962144
 
962144
-    DEBUGMSGT(("9:cert:read", "Checking file %s\n", cert->info.filename));
962144
-
962144
-    certbio = BIO_new(BIO_s_file());
962144
-    if (NULL == certbio) {
962144
-        snmp_log(LOG_ERR, "error creating BIO\n");
962144
+    certbio = netsnmp_open_bio(cert->info.dir, cert->info.filename);
962144
+    if (!certbio) {
962144
         return NULL;
962144
     }
962144
 
962144
-    snprintf(file, sizeof(file),"%s/%s", cert->info.dir, cert->info.filename);
962144
-    if (BIO_read_filename(certbio, file) <=0) {
962144
-        snmp_log(LOG_ERR, "error reading certificate %s into BIO\n", file);
962144
-        BIO_vfree(certbio);
962144
-        return NULL;
962144
-    }
962144
-
962144
-    if (NS_CERT_TYPE_UNKNOWN == cert->info.type) {
962144
-        char *pos = strrchr(cert->info.filename, '.');
962144
-        if (NULL == pos)
962144
-            return NULL;
962144
-        cert->info.type = _cert_ext_type(++pos);
962144
-        netsnmp_assert(cert->info.type != NS_CERT_TYPE_UNKNOWN);
962144
-    }
962144
-
962144
     switch (cert->info.type) {
962144
 
962144
         case NS_CERT_TYPE_DER:
962144
+            (void)BIO_seek(certbio, cert->offset);
962144
             ocert = d2i_X509_bio(certbio,NULL); /* DER/ASN1 */
962144
             if (NULL != ocert)
962144
                 break;
962144
-            (void)BIO_reset(certbio);
962144
             /* Check for PEM if DER didn't work */
962144
             /* FALLTHROUGH */
962144
 
962144
         case NS_CERT_TYPE_PEM:
962144
-            ocert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
962144
+            (void)BIO_seek(certbio, cert->offset);
962144
+            ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
962144
             if (NULL == ocert)
962144
                 break;
962144
             if (NS_CERT_TYPE_DER == cert->info.type) {
962144
                 DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n"));
962144
                 cert->info.type = NS_CERT_TYPE_PEM;
962144
             }
962144
-            /** check for private key too */
962144
-            if (NULL == cert->key) {
962144
-                (void)BIO_reset(certbio);
962144
-                okey =  PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
962144
+            /** check for private key too, but only if we're the first certificate */
962144
+            if (0 == cert->offset && NULL == cert->key) {
962144
+                okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
962144
                 if (NULL != okey) {
962144
                     netsnmp_key  *key;
962144
                     DEBUGMSGT(("cert:read:key", "found key with cert in %s\n",
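Review bot: `ncert` is assigned on the PEM path (`ocert = ncert = PEM_read_bio_X509_AUX(...)`) but never read anywhere in netsnmp_ocert_get as far as the hunks show, so the declaration added in the previous hunk only produces an unused-variable warning; drop it or use it. The private-key read for the first certificate now starts at whatever position PEM_read_bio_X509_AUX left the BIO at, where the removed code did a BIO_reset first; since the PEM reader only scans forward, a key block placed before the certificate block is no longer found on this lazy-load path, while _add_certfile reads the key from the start of the file, so the two paths disagree on the same file. Restoring `(void)BIO_reset(certbio);` before `okey = PEM_read_bio_PrivateKey(...)` keeps them consistent (offset is 0 on this branch anyway). netsnmp_ocert_get continues outside the hunk.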
962144
@@ -979,7 +1046,7 @@ netsnmp_ocert_get(netsnmp_cert *cert)
962144
             break;
962144
 #ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER
962144
         case NS_CERT_TYPE_PKCS12:
962144
-            (void)BIO_reset(certbio);
962144
+            (void)BIO_seek(certbio, cert->offset);
962144
             PKCS12 *p12 = d2i_PKCS12_bio(certbio, NULL);
962144
             if ( (NULL != p12) && (PKCS12_verify_mac(p12, "", 0) ||
962144
                                    PKCS12_verify_mac(p12, NULL, 0)))
962144
@@ -999,46 +1066,7 @@ netsnmp_ocert_get(netsnmp_cert *cert)
962144
         return NULL;
962144
     }
962144
 
962144
-    cert->ocert = ocert;
962144
-    /*
962144
-     * X509_check_ca return codes:
962144
-     * 0 not a CA
962144
-     * 1 is a CA
962144
-     * 2 basicConstraints absent so "maybe" a CA
962144
-     * 3 basicConstraints absent but self signed V1.
962144
-     * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
962144
-     * 5 outdated Netscape Certificate Type CA extension.
962144
-     */
962144
-    is_ca = X509_check_ca(ocert);
962144
-    if (1 == is_ca)
962144
-        cert->info.allowed_uses |= NS_CERT_CA;
962144
-
962144
-    if (NULL == cert->subject) {
962144
-        cert->subject = X509_NAME_oneline(X509_get_subject_name(ocert), NULL,
962144
-                                          0);
962144
-        DEBUGMSGT(("9:cert:add:subject", "subject name: %s\n", cert->subject));
962144
-    }
962144
-
962144
-    if (NULL == cert->issuer) {
962144
-        cert->issuer = X509_NAME_oneline(X509_get_issuer_name(ocert), NULL, 0);
962144
-        if (strcmp(cert->subject, cert->issuer) == 0) {
962144
-            free(cert->issuer);
962144
-            cert->issuer = strdup("self-signed");
962144
-        }
962144
-        DEBUGMSGT(("9:cert:add:issuer", "CA issuer: %s\n", cert->issuer));
962144
-    }
962144
-    
962144
-    if (NULL == cert->fingerprint) {
962144
-        cert->hash_type = netsnmp_openssl_cert_get_hash_type(ocert);
962144
-        cert->fingerprint =
962144
-            netsnmp_openssl_cert_get_fingerprint(ocert, cert->hash_type);
962144
-    }
962144
-    
962144
-    if (NULL == cert->common_name) {
962144
-        cert->common_name =netsnmp_openssl_cert_get_commonName(ocert, NULL,
962144
-                                                               NULL);
962144
-        DEBUGMSGT(("9:cert:add:name","%s\n", cert->common_name));
962144
-    }
962144
+    netsnmp_ocert_parse(cert, ocert);
962144
 
962144
     return ocert;
962144
 }
962144
@@ -1048,7 +1076,6 @@ netsnmp_okey_get(netsnmp_key  *key)
962144
 {
962144
     BIO            *keybio;
962144
     EVP_PKEY       *okey;
962144
-    char            file[SNMP_MAXPATH];
962144
 
962144
     if (NULL == key)
962144
         return NULL;
962144
@@ -1056,19 +1083,8 @@ netsnmp_okey_get(netsnmp_key  *key)
962144
     if (key->okey)
962144
         return key->okey;
962144
 
962144
-    snprintf(file, sizeof(file),"%s/%s", key->info.dir, key->info.filename);
962144
-    DEBUGMSGT(("cert:key:read", "Checking file %s\n", key->info.filename));
962144
-
962144
-    keybio = BIO_new(BIO_s_file());
962144
-    if (NULL == keybio) {
962144
-        snmp_log(LOG_ERR, "error creating BIO\n");
962144
-        return NULL;
962144
-    }
962144
-
962144
-    if (BIO_read_filename(keybio, file) <=0) {
962144
-        snmp_log(LOG_ERR, "error reading certificate %s into BIO\n",
962144
-                 key->info.filename);
962144
-        BIO_vfree(keybio);
962144
+    keybio = netsnmp_open_bio(key->info.dir, key->info.filename);
962144
+    if (!keybio) {
962144
         return NULL;
962144
     }
962144
 
962144
@@ -1154,7 +1170,7 @@ netsnmp_cert_load_x509(netsnmp_cert *cert)
962144
             cert->issuer_cert =  _find_issuer(cert);
962144
             if (NULL == cert->issuer_cert) {
962144
                 DEBUGMSGT(("cert:load:warn",
962144
-                           "couldn't load CA chain for cert %s\n",
962144
+                           "couldn't load full CA chain for cert %s\n",
962144
                            cert->info.filename));
962144
                 rc = CERT_LOAD_PARTIAL;
962144
                 break;
962144
@@ -1163,7 +1179,7 @@ netsnmp_cert_load_x509(netsnmp_cert *cert)
962144
         /** get issuer ocert */
962144
         if ((NULL == cert->issuer_cert->ocert) &&
962144
             (netsnmp_ocert_get(cert->issuer_cert) == NULL)) {
962144
-            DEBUGMSGT(("cert:load:warn", "couldn't load cert chain for %s\n",
962144
+            DEBUGMSGT(("cert:load:warn", "couldn't load full cert chain for %s\n",
962144
                        cert->info.filename));
962144
             rc = CERT_LOAD_PARTIAL;
962144
             break;
962144
@@ -1184,7 +1200,7 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key)
962144
         return;
962144
     }
962144
 
962144
-    if(key) {
962144
+    if (key) {
962144
         if (key->cert) {
962144
             DEBUGMSGT(("cert:partner", "key already has partner\n"));
962144
             return;
962144
@@ -1197,7 +1213,8 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key)
962144
             return;
962144
         *pos = 0;
962144
 
962144
-        matching = _cert_find_subset_fn( filename, key->info.dir );
962144
+        matching = _cert_reduce_subset_first(_cert_find_subset_fn( filename,
962144
+                                             key->info.dir ));
962144
         if (!matching)
962144
             return;
962144
         if (1 == matching->size) {
962144
@@ -1217,7 +1234,7 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key)
962144
             DEBUGMSGT(("cert:partner", "%s matches multiple certs\n",
962144
                           key->info.filename));
962144
     }
962144
-    else if(cert) {
962144
+    else if (cert) {
962144
         if (cert->key) {
962144
             DEBUGMSGT(("cert:partner", "cert already has partner\n"));
962144
             return;
962144
@@ -1255,76 +1272,189 @@ _find_partner(netsnmp_cert *cert, netsnmp_key *key)
962144
     }
962144
 }
962144
 
962144
+static netsnmp_key *
962144
+_add_key(EVP_PKEY *okey, const char* dirname, const char* filename, FILE *index)
962144
+{
962144
+    netsnmp_key  *key;
962144
+
962144
+    key = _new_key(dirname, filename);
962144
+    if (NULL == key) {
962144
+        return NULL;
962144
+    }
962144
+
962144
+    key->okey = okey;
962144
+
962144
+    if (-1 == CONTAINER_INSERT(_keys, key)) {
962144
+        DEBUGMSGT(("cert:key:file:add:err",
962144
+                   "error inserting key into container\n"));
962144
+        netsnmp_key_free(key);
962144
+        key = NULL;
962144
+    }
962144
+    if (index) {
962144
+        fprintf(index, "k:%s\n", filename);
962144
+    }
962144
+
962144
+    return key;
962144
+}
962144
+
962144
+static netsnmp_cert *
962144
+_add_cert(X509 *ocert, const char* dirname, const char* filename, int type, int offset,
962144
+          int allowed_uses, FILE *index)
962144
+{
962144
+    netsnmp_cert *cert;
962144
+
962144
+    cert = _new_cert(dirname, filename, type, offset,
962144
+                     allowed_uses, -1, NULL, NULL, NULL);
962144
+    if (NULL == cert)
962144
+        return NULL;
962144
+
962144
+    netsnmp_ocert_parse(cert, ocert);
962144
+
962144
+    if (-1 == CONTAINER_INSERT(_certs, cert)) {
962144
+        DEBUGMSGT(("cert:file:add:err",
962144
+                   "error inserting cert into container\n"));
962144
+        netsnmp_cert_free(cert);
962144
+        return NULL;
962144
+    }
962144
+
962144
+    if (index) {
962144
+        /** filename = NAME_MAX = 255 */
962144
+        /** fingerprint max = 64*3=192 for sha512 */
962144
+        /** common name / CN  = 64 */
962144
+        if (cert)
962144
+            fprintf(index, "c:%s %d %d %d %d %s '%s' '%s'\n", filename,
962144
+                    cert->info.type, cert->offset, cert->info.allowed_uses,
962144
+                    cert->hash_type, cert->fingerprint,
962144
+                    cert->common_name, cert->subject);
962144
+    }
962144
+
962144
+    return cert;
962144
+}
962144
+
962144
 static int
962144
 _add_certfile(const char* dirname, const char* filename, FILE *index)
962144
 {
962144
-    X509         *ocert;
962144
-    EVP_PKEY     *okey;
962144
+    BIO          *certbio;
962144
+    X509         *ocert = NULL;
962144
+    X509         *ncert;
962144
+    EVP_PKEY     *okey = NULL;
962144
     netsnmp_cert *cert = NULL;
962144
     netsnmp_key  *key = NULL;
962144
     char          certfile[SNMP_MAXPATH];
962144
     int           type;
962144
+    int           offset = 0;
962144
 
962144
     if (((const void*)NULL == dirname) || (NULL == filename))
962144
         return -1;
962144
 
962144
     type = _type_from_filename(filename);
962144
-    netsnmp_assert(type != NS_CERT_TYPE_UNKNOWN);
962144
+    if (type == NS_CERT_TYPE_UNKNOWN) {
962144
+        snmp_log(LOG_ERR, "certificate file '%s' type not recognised, ignoring\n", filename);
962144
+        return -1;
962144
+    }
962144
 
962144
-    snprintf(certfile, sizeof(certfile),"%s/%s", dirname, filename);
962144
+    certbio = netsnmp_open_bio(dirname, filename);
962144
+    if (!certbio) {
962144
+        return -1;
962144
+    }
962144
 
962144
-    DEBUGMSGT(("9:cert:file:add", "Checking file: %s (type %d)\n", filename,
962144
-               type));
962144
+    switch (type) {
962144
 
962144
-    if (NS_CERT_TYPE_KEY == type) {
962144
-        key = _new_key(dirname, filename);
962144
-        if (NULL == key)
962144
-            return -1;
962144
-        okey = netsnmp_okey_get(key);
962144
-        if (NULL == okey) {
962144
-            netsnmp_key_free(key);
962144
-            return -1;
962144
-        }
962144
-        key->okey = okey;
962144
-        if (-1 == CONTAINER_INSERT(_keys, key)) {
962144
-            DEBUGMSGT(("cert:key:file:add:err",
962144
-                       "error inserting key into container\n"));
962144
-            netsnmp_key_free(key);
962144
-            key = NULL;
962144
-        }
962144
-    }
962144
-    else {
962144
-        cert = _new_cert(dirname, filename, type, -1, NULL, NULL, NULL);
962144
-        if (NULL == cert)
962144
-            return -1;
962144
-        ocert = netsnmp_ocert_get(cert);
962144
-        if (NULL == ocert) {
962144
-            netsnmp_cert_free(cert);
962144
-            return -1;
962144
-        }
962144
-        cert->ocert = ocert;
962144
-        if (-1 == CONTAINER_INSERT(_certs, cert)) {
962144
-            DEBUGMSGT(("cert:file:add:err",
962144
-                       "error inserting cert into container\n"));
962144
-            netsnmp_cert_free(cert);
962144
-            cert = NULL;
962144
-        }
962144
-    }
962144
-    if ((NULL == cert) && (NULL == key)) {
962144
-        DEBUGMSGT(("cert:file:add:failure", "for %s\n", certfile));
962144
-        return -1;
962144
+       case NS_CERT_TYPE_KEY: 
962144
+
962144
+           okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
962144
+           if (NULL == okey)
962144
+               snmp_log(LOG_ERR, "error parsing key file %s\n",
962144
+                     key->info.filename);
962144
+           else {
962144
+               key = _add_key(okey, dirname, filename, index);
962144
+               if (NULL == key) {
962144
+                   EVP_PKEY_free(okey);
962144
+                      okey = NULL;
962144
+               }
962144
+           }
962144
+           break;
962144
+
962144
+        case NS_CERT_TYPE_DER:
962144
+
962144
+            ocert = d2i_X509_bio(certbio, NULL); /* DER/ASN1 */
962144
+            if (NULL != ocert) {
962144
+                if (!_add_cert(ocert, dirname, filename, type, 0,
962144
+                               NS_CERT_REMOTE_PEER, index)) {
962144
+                    X509_free(ocert);
962144
+                    ocert = NULL;
962144
+                }
962144
+                break;
962144
+            }
962144
+            (void)BIO_reset(certbio);
962144
+            /* Check for PEM if DER didn't work */
962144
+            /* FALLTHROUGH */
962144
+
962144
+        case NS_CERT_TYPE_PEM:
962144
+
962144
+            if (NS_CERT_TYPE_DER == type) {
962144
+                DEBUGMSGT(("9:cert:read", "Changing type from DER to PEM\n"));
962144
+                type = NS_CERT_TYPE_PEM;
962144
+            }
962144
+
962144
+            /* read the private key first so we can record this in the index */
962144
+            okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
962144
+
962144
+            (void)BIO_reset(certbio);
962144
+
962144
+            /* certs are read after the key */
962144
+	    ocert = ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
962144
+            if (NULL != ocert) {
962144
+                cert = _add_cert(ncert, dirname, filename, type, 0,
962144
+                                 okey ? NS_CERT_IDENTITY | NS_CERT_REMOTE_PEER :
962144
+                                 NS_CERT_REMOTE_PEER, index);
962144
+                if (NULL == cert) {
962144
+                    X509_free(ocert);
962144
+                    ocert = ncert = NULL;
962144
+                }
962144
+            }
962144
+            while (NULL != ncert) {
962144
+                offset = BIO_tell(certbio);
962144
+                ncert = PEM_read_bio_X509_AUX(certbio, NULL, NULL, NULL);
962144
+                if (ncert) {
962144
+                    if (NULL == _add_cert(ncert, dirname, filename, type, offset, 0, index)) {
962144
+                        X509_free(ncert);
962144
+                        ncert = NULL;
962144
+                    }
962144
+                }
962144
+            }
962144
+
962144
+            if (NULL != okey) {
962144
+                DEBUGMSGT(("cert:read:key", "found key with cert in %s\n",
962144
+                           cert->info.filename));
962144
+                key = _add_key(okey, dirname, filename, NULL);
962144
+                if (NULL != key) {
962144
+                    DEBUGMSGT(("cert:read:partner", "%s match found!\n",
962144
+                               cert->info.filename));
962144
+                    key->cert = cert;
962144
+                    cert->key = key;
962144
+                }
962144
+                else {
962144
+                    EVP_PKEY_free(okey);
962144
+                    okey = NULL;
962144
+                }
962144
+            }
962144
+
962144
+            break;
962144
+
962144
+#ifdef CERT_PKCS12_SUPPORT_MAYBE_LATER
962144
+        case NS_CERT_TYPE_PKCS12:
962144
+#endif
962144
+
962144
+        default:
962144
+            break;
962144
     }
962144
 
962144
-    if (index) {
962144
-        /** filename = NAME_MAX = 255 */
962144
-        /** fingerprint max = 64*3=192 for sha512 */
962144
-        /** common name / CN  = 64 */
962144
-        if (cert)
962144
-            fprintf(index, "c:%s %d %d %s '%s' '%s'\n", filename,
962144
-                    cert->info.type, cert->hash_type, cert->fingerprint,
962144
-                    cert->common_name, cert->subject);
962144
-        else if (key)
962144
-            fprintf(index, "k:%s\n", filename);
962144
+    BIO_vfree(certbio);
962144
+
962144
+    if ((NULL == ocert) && (NULL == okey)) {
962144
+        snmp_log(LOG_ERR, "certificate file '%s' contained neither certificate nor key, ignoring\n", certfile);
962144
+        return -1;
962144
     }
962144
 
962144
     return 0;
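Review bot: `key` is still NULL when the NS_CERT_TYPE_KEY branch logs a parse failure with `key->info.filename`, so an unparsable .key file crashes the loader instead of being skipped; use `filename`. The `if (NULL != okey)` block after the PEM loop dereferences `cert` (`cert->info.filename`, `cert->key = key`), which is NULL when the file held a key but no certificate or when _add_cert failed, so a key-only PEM file now crashes where the previous code rejected it cleanly. The final error log prints `certfile`, but the snprintf that filled it was removed, so the buffer is read uninitialized; print `filename` and drop the array. The NS_CERT_TYPE_KEY case is also indented one column less than its siblings and the `okey = NULL;` under it two columns more. _add_certfile's closing brace is past the end of the hunk.
```c
        case NS_CERT_TYPE_KEY:
            okey = PEM_read_bio_PrivateKey(certbio, NULL, NULL, NULL);
            if (NULL == okey)
                snmp_log(LOG_ERR, "error parsing key file %s\n", filename);
            /* … unchanged: _add_key call and break … */

            /* … unchanged: DER case and the PEM certificate loop … */
            if (NULL != okey) {
                DEBUGMSGT(("cert:read:key", "found key in %s\n", filename));
                /* a key-only PEM file has no cert to pair with; let the key record itself */
                key = _add_key(okey, dirname, filename, cert ? NULL : index);
                if (NULL == key) {
                    EVP_PKEY_free(okey);
                    okey = NULL;
                } else if (NULL != cert) {
                    DEBUGMSGT(("cert:read:partner", "%s match found!\n", filename));
                    key->cert = cert;
                    cert->key = key;
                }
            }
            break;
    /* … unchanged: PKCS12 and default cases … */

    BIO_vfree(certbio);

    if ((NULL == ocert) && (NULL == okey)) {
        snmp_log(LOG_ERR, "certificate file '%s' contained neither certificate nor key, ignoring\n", filename);
        return -1;
    }
```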
962144
@@ -1338,8 +1468,10 @@ _cert_read_index(const char *dirname, struct stat *dirstat)
962144
     struct stat     idx_stat;
962144
     char            tmpstr[SNMP_MAXPATH + 5], filename[NAME_MAX];
962144
     char            fingerprint[EVP_MAX_MD_SIZE*3], common_name[64+1], type_str[15];
962144
-    char            subject[SNMP_MAXBUF_SMALL], hash_str[15];
962144
-    int             count = 0, type, hash, version;
962144
+    char            subject[SNMP_MAXBUF_SMALL], hash_str[15], offset_str[15];
962144
+    char            allowed_uses_str[15];
962144
+    ssize_t         offset;
962144
+    int             count = 0, type, allowed_uses, hash, version;
962144
     netsnmp_cert    *cert;
962144
     netsnmp_key     *key;
962144
     netsnmp_container *newer, *found;
962144
@@ -1381,7 +1513,8 @@ _cert_read_index(const char *dirname, struct stat *dirstat)
962144
         netsnmp_directory_container_read_some(NULL, dirname,
962144
                                               _time_filter, &idx_stat,
962144
                                               NETSNMP_DIR_NSFILE |
962144
-                                              NETSNMP_DIR_NSFILE_STATS);
962144
+                                              NETSNMP_DIR_NSFILE_STATS |
962144
+                                              NETSNMP_DIR_ALLOW_DUPLICATES);
962144
     if (newer) {
962144
         DEBUGMSGT(("cert:index:parse", "Index outdated; files modified\n"));
962144
         CONTAINER_FREE_ALL(newer, NULL);
962144
@@ -1425,6 +1558,8 @@ _cert_read_index(const char *dirname, struct stat *dirstat)
962144
             pos = &tmpstr[2];
962144
             if ((NULL == (pos=copy_nword(pos, filename, sizeof(filename)))) ||
962144
                 (NULL == (pos=copy_nword(pos, type_str, sizeof(type_str)))) ||
962144
+                (NULL == (pos=copy_nword(pos, offset_str, sizeof(offset_str)))) ||
962144
+                (NULL == (pos=copy_nword(pos, allowed_uses_str, sizeof(allowed_uses_str)))) ||
962144
                 (NULL == (pos=copy_nword(pos, hash_str, sizeof(hash_str)))) ||
962144
                 (NULL == (pos=copy_nword(pos, fingerprint,
962144
                                          sizeof(fingerprint)))) ||
962144
@@ -1437,9 +1572,11 @@ _cert_read_index(const char *dirname, struct stat *dirstat)
962144
                 break;
962144
             }
962144
             type = atoi(type_str);
962144
+            offset = atoi(offset_str);
962144
+            allowed_uses = atoi(allowed_uses_str);
962144
             hash = atoi(hash_str);
962144
-            cert = _new_cert(dirname, filename, type, hash, fingerprint,
962144
-                             common_name, subject);
962144
+            cert = _new_cert(dirname, filename, type, offset, allowed_uses, hash,
962144
+                             fingerprint, common_name, subject);
962144
             if (cert && 0 == CONTAINER_INSERT(found, cert))
962144
                 ++count;
962144
             else {
962144
@@ -1543,7 +1680,8 @@ _add_certdir(const char *dirname)
962144
         netsnmp_directory_container_read_some(NULL, dirname,
962144
                                               _cert_cert_filter, NULL,
962144
                                               NETSNMP_DIR_RELATIVE_PATH |
962144
-                                              NETSNMP_DIR_EMPTY_OK );
962144
+                                              NETSNMP_DIR_EMPTY_OK |
962144
+                                              NETSNMP_DIR_ALLOW_DUPLICATES);
962144
     if (NULL == cert_container) {
962144
         DEBUGMSGT(("cert:index:dir",
962144
                     "error creating container for cert files\n"));
962144
@@ -1631,7 +1769,7 @@ _cert_print(netsnmp_cert *c, void *context)
962144
     if (NULL == c)
962144
         return;
962144
 
962144
-    DEBUGMSGT(("cert:dump", "cert %s in %s\n", c->info.filename, c->info.dir));
962144
+    DEBUGMSGT(("cert:dump", "cert %s in %s at offset %d\n", c->info.filename, c->info.dir, c->offset));
962144
     DEBUGMSGT(("cert:dump", "   type %d flags 0x%x (%s)\n",
962144
              c->info.type, c->info.allowed_uses,
962144
               _mode_str(c->info.allowed_uses)));
962144
@@ -1835,7 +1973,8 @@ netsnmp_cert_find(int what, int where, void *hint)
962144
         netsnmp_void_array *matching;
962144
 
962144
         DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint));
962144
-        matching = _cert_find_subset_fn( filename, NULL );
962144
+        matching = _cert_reduce_subset_what(_cert_find_subset_fn(
962144
+                                            filename, NULL ), what);
962144
         if (!matching)
962144
             return NULL;
962144
         if (1 == matching->size)
962144
@@ -1881,6 +2020,32 @@ netsnmp_cert_find(int what, int where, void *hint)
962144
     return result;
962144
 }
962144
 
962144
+netsnmp_void_array *
962144
+netsnmp_certs_find(int what, int where, void *hint)
962144
+{
962144
+
962144
+    DEBUGMSGT(("certs:find:params", "looking for %s(%d) in %s(0x%x), hint %p\n",
962144
+               _mode_str(what), what, _where_str(where), where, hint));
962144
+
962144
+    if (NS_CERTKEY_FILE == where) {
962144
+        /** hint == filename */
962144
+        char               *filename = (char*)hint;
962144
+        netsnmp_void_array *matching;
962144
+
962144
+        DEBUGMSGT(("cert:find:params", " hint = %s\n", (char *)hint));
962144
+        matching = _cert_reduce_subset_what(_cert_find_subset_fn(
962144
+                                            filename, NULL ), what);
962144
+
962144
+        return matching;
962144
+    } /* where = NS_CERTKEY_FILE */
962144
+    else { /* unknown location */
962144
+
962144
+        DEBUGMSGT(("certs:find:err", "unhandled location %d for %d\n", where,
962144
+                   what));
962144
+        return NULL;
962144
+    }
962144
+}
962144
+
962144
 #ifndef NETSNMP_FEATURE_REMOVE_CERT_FINGERPRINTS
962144
 int
962144
 netsnmp_cert_check_vb_fingerprint(const netsnmp_variable_list *var)
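Review bot: netsnmp_certs_find hands ownership of the returned netsnmp_void_array to the caller, but neither the definition nor the header declaration says so; _trust_this_cert later in this patch releases it with `free(matching->array); free(matching);`, and a future caller that uses a different release path will leak or double-free. Suggest a header comment on the definition: `/** Return every cert in file @hint whose allowed_uses include @what, or NULL when none match. Only NS_CERTKEY_FILE is supported. The caller owns the result and releases it with free(matching->array); free(matching). */`. The second DEBUGMSGT also formats `hint` with `%s` before anything checks it for NULL (the first one prints it as `%p`), so a NULL hint only crashes with debugging on; `if (NULL == hint) return NULL;` at the top of the NS_CERTKEY_FILE branch is cheap insurance.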
962144
@@ -2278,6 +2443,124 @@ _reduce_subset_dir(netsnmp_void_array *matching, const char *directory)
962144
     }
962144
 }
962144
 
962144
+/*
962144
+ * reduce subset by eliminating any certificates that are not the
962144
+ * first certficate in a file. This allows us to ignore certificate
962144
+ * chains when testing for specific certificates, and to match keys
962144
+ * to the first certificate only.
962144
+ */
962144
+static netsnmp_void_array *
962144
+_cert_reduce_subset_first(netsnmp_void_array *matching)
962144
+{
962144
+    netsnmp_cert *cc;
962144
+    int i = 0, j, newsize;
962144
+
962144
+    if ((NULL == matching))
962144
+        return matching;
962144
+
962144
+    newsize = matching->size;
962144
+
962144
+    for( ; i < matching->size; ) {
962144
+        /*
962144
+         * if we've shifted matches down we'll hit a NULL entry before
962144
+         * we hit the end of the array.
962144
+         */
962144
+        if (NULL == matching->array[i])
962144
+            break;
962144
+        /*
962144
+         * skip over valid matches. The first entry has an offset of zero.
962144
+         */
962144
+        cc = (netsnmp_cert*)matching->array[i];
962144
+        if (0 == cc->offset) {
962144
+            ++i;
962144
+            continue;
962144
+        }
962144
+        /*
962144
+         * shrink array by shifting everything down a spot. Might not be
962144
+         * the most efficient soloution, but this is just happening at
962144
+         * startup and hopefully most certs won't have common prefixes.
962144
+         */
962144
+        --newsize;
962144
+        for ( j=i; j < newsize; ++j )
962144
+            matching->array[j] = matching->array[j+1];
962144
+        matching->array[j] = NULL;
962144
+        /** no ++i; just shifted down, need to look at same position again */
962144
+    }
962144
+    /*
962144
+     * if we shifted, set the new size
962144
+     */
962144
+    if (newsize != matching->size) {
962144
+        DEBUGMSGT(("9:cert:subset:first", "shrank from %" NETSNMP_PRIz "d to %d\n",
962144
+                   matching->size, newsize));
962144
+        matching->size = newsize;
962144
+    }
962144
+
962144
+    if (0 == matching->size) {
962144
+        free(matching->array);
962144
+        SNMP_FREE(matching);
962144
+    }
962144
+
962144
+    return matching;
962144
+}
962144
+
962144
+/*
962144
+ * reduce subset by eliminating any certificates that do not match
962144
+ * purpose specified.
962144
+ */
962144
+static netsnmp_void_array *
962144
+_cert_reduce_subset_what(netsnmp_void_array *matching, int what)
962144
+{
962144
+    netsnmp_cert_common *cc;
962144
+    int i = 0, j, newsize;
962144
+
962144
+    if ((NULL == matching))
962144
+        return matching;
962144
+
962144
+    newsize = matching->size;
962144
+
962144
+    for( ; i < matching->size; ) {
962144
+        /*
962144
+         * if we've shifted matches down we'll hit a NULL entry before
962144
+         * we hit the end of the array.
962144
+         */
962144
+        if (NULL == matching->array[i])
962144
+            break;
962144
+        /*
962144
+         * skip over valid matches. The first entry has an offset of zero.
962144
+         */
962144
+        cc = (netsnmp_cert_common *)matching->array[i];
962144
+        if ((cc->allowed_uses & what)) {
962144
+            ++i;
962144
+            continue;
962144
+        }
962144
+        /*
962144
+         * shrink array by shifting everything down a spot. Might not be
962144
+         * the most efficient soloution, but this is just happening at
962144
+         * startup and hopefully most certs won't have common prefixes.
962144
+         */
962144
+        --newsize;
962144
+        for ( j=i; j < newsize; ++j )
962144
+            matching->array[j] = matching->array[j+1];
962144
+        matching->array[j] = NULL;
962144
+        /** no ++i; just shifted down, need to look at same position again */
962144
+    }
962144
+    /*
962144
+     * if we shifted, set the new size
962144
+     */
962144
+    if (newsize != matching->size) {
962144
+        DEBUGMSGT(("9:cert:subset:what", "shrank from %" NETSNMP_PRIz "d to %d\n",
962144
+                   matching->size, newsize));
962144
+        matching->size = newsize;
962144
+    }
962144
+
962144
+    if (0 == matching->size) {
962144
+        free(matching->array);
962144
+        SNMP_FREE(matching);
962144
+    }
962144
+
962144
+    return matching;
962144
+}
962144
+
962144
 static netsnmp_void_array *
962144
 _cert_find_subset_common(const char *filename, netsnmp_container *container)
962144
 {
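Review bot: The two new reducers are the same compaction loop differing only in the predicate, and the copy kept a stale comment: _cert_reduce_subset_what says `skip over valid matches. The first entry has an offset of zero.` although it tests `allowed_uses`, not `offset`. Both also walk `int i` against the `size_t` `matching->size`, which -Wsign-compare will flag, and _cert_reduce_subset_first is not referenced by any hunk visible here, so if nothing else in the patch calls it the build will warn about an unused static function. One shared helper with a predicate keeps the two in sync and lets the existing names become one-line wrappers, e.g. `return _cert_reduce_subset(matching, _keep_what, &what);`.
```c
/*
 * Drop every entry of matching for which keep() returns 0, compacting
 * the array in place; frees matching and returns NULL when nothing remains.
 */
static netsnmp_void_array *
_cert_reduce_subset(netsnmp_void_array *matching,
                    int (*keep)(const void *entry, const void *ctx),
                    const void *ctx)
{
    size_t i, j, newsize;

    if (NULL == matching)
        return NULL;

    newsize = matching->size;
    for (i = 0; i < newsize; ) {
        if (NULL == matching->array[i])
            break;
        if (keep(matching->array[i], ctx)) {
            ++i;
            continue;
        }
        --newsize;
        for (j = i; j < newsize; ++j)
            matching->array[j] = matching->array[j + 1];
        matching->array[j] = NULL;
    }
    /* … unchanged: size update, debug message, free when empty … */
    return matching;
}

static int
_keep_first(const void *entry, const void *ctx)
{
    (void)ctx;
    return 0 == ((const netsnmp_cert *)entry)->offset;
}

static int
_keep_what(const void *entry, const void *ctx)
{
    return 0 != (((const netsnmp_cert_common *)entry)->allowed_uses &
                 *(const int *)ctx);
}
```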
962144
diff --git a/snmplib/dir_utils.c b/snmplib/dir_utils.c
962144
index c2dd989..e7145e4 100644
962144
--- a/snmplib/dir_utils.c
962144
+++ b/snmplib/dir_utils.c
962144
@@ -107,6 +107,9 @@ netsnmp_directory_container_read_some(netsnmp_container *user_container,
962144
         /** default to unsorted */
962144
         if (! (flags & NETSNMP_DIR_SORTED))
962144
             CONTAINER_SET_OPTIONS(container, CONTAINER_KEY_UNSORTED, rc);
962144
+        /** default to duplicates not allowed */
962144
+        if (! (flags & NETSNMP_DIR_ALLOW_DUPLICATES))
962144
+           CONTAINER_SET_OPTIONS(container, CONTAINER_KEY_ALLOW_DUPLICATES, rc);
962144
     }
962144
 
962144
     dir = opendir(dirname);
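Review bot: The new test looks inverted relative to its own comment: `CONTAINER_KEY_ALLOW_DUPLICATES` is set when `NETSNMP_DIR_ALLOW_DUPLICATES` is absent, which turns on duplicate keys for every existing caller that never asked for them and leaves the one caller that does pass the flag (`_add_certdir` in this patch) with the container default. Unless CONTAINER_SET_OPTIONS clears rather than sets the option, the condition should be `if (flags & NETSNMP_DIR_ALLOW_DUPLICATES)` with the comment reading "only allow duplicates when asked"; if the inversion is deliberate, the comment should explain why. The enclosing function starts before this hunk.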
962144
diff --git a/snmplib/transports/snmpTLSBaseDomain.c b/snmplib/transports/snmpTLSBaseDomain.c
962144
index a3a85bc..b9baeae 100644
962144
--- a/snmplib/transports/snmpTLSBaseDomain.c
962144
+++ b/snmplib/transports/snmpTLSBaseDomain.c
962144
@@ -68,7 +68,7 @@ static unsigned long ERR_get_error_all(const char **file, int *line,
962144
 /* this is called during negotiation */
962144
 int verify_callback(int ok, X509_STORE_CTX *ctx) {
962144
     int err, depth;
962144
-    char buf[1024], *fingerprint;
962144
+    char subject[SNMP_MAXBUF_MEDIUM], issuer[SNMP_MAXBUF_MEDIUM], *fingerprint;
962144
     X509 *thecert;
962144
     netsnmp_cert *cert;
962144
     _netsnmp_verify_info *verify_info;
962144
@@ -80,10 +80,12 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) {
962144
     
962144
     /* things to do: */
962144
 
962144
-    X509_NAME_oneline(X509_get_subject_name(thecert), buf, sizeof(buf));
962144
+    X509_NAME_oneline(X509_get_subject_name(thecert), subject, sizeof(subject));
962144
+    X509_NAME_oneline(X509_get_issuer_name(thecert), issuer, sizeof(issuer));
962144
     fingerprint = netsnmp_openssl_cert_get_fingerprint(thecert, -1);
962144
-    DEBUGMSGTL(("tls_x509:verify", "Cert: %s\n", buf));
962144
-    DEBUGMSGTL(("tls_x509:verify", "  fp: %s\n", fingerprint ?
962144
+    DEBUGMSGTL(("tls_x509:verify", " subject: %s\n", subject));
962144
+    DEBUGMSGTL(("tls_x509:verify", "  issuer: %s\n", issuer));
962144
+    DEBUGMSGTL(("tls_x509:verify", "      fp: %s\n", fingerprint ?
962144
                 fingerprint : "unknown"));
962144
 
962144
     ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
962144
@@ -118,7 +120,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) {
962144
         } else {
962144
             DEBUGMSGTL(("tls_x509:verify", "  no matching fp found\n"));
962144
             /* log where we are and why called */
962144
-            snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d err=%i:%s\n", ok, ctx, depth, err, X509_verify_cert_error_string(err));
962144
+            snmp_log(LOG_ERR, "tls verification failure: ok=%d ctx=%p depth=%d fp=%s subject='%s' issuer='%s' err=%i:%s\n", ok, ctx, depth, fingerprint, subject, issuer, err, X509_verify_cert_error_string(err));
962144
             SNMP_FREE(fingerprint);
962144
             return 0;
962144
         }
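Review bot: The new snmp_log line passes `fingerprint` to `%s` unguarded, while the DEBUGMSGTL earlier in verify_callback treats the same value as possibly NULL (`fingerprint ? fingerprint : "unknown"`); passing NULL to `%s` is undefined behaviour, and this is the error path taken on a rejected peer certificate, exactly where a crash or garbage in the log hurts most. Use the same guard here: `fp=%s ... , fingerprint ? fingerprint : "unknown", subject, issuer, ...`. verify_callback begins and ends outside this hunk.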
962144
@@ -434,21 +436,48 @@ netsnmp_tlsbase_extract_security_name(SSL *ssl, _netsnmpTLSBaseData *tlsdata) {
962144
 int
962144
 _trust_this_cert(SSL_CTX *the_ctx, char *certspec) {
962144
     netsnmp_cert *trustcert;
962144
+    netsnmp_cert *candidate;
962144
+    netsnmp_void_array *matching = NULL;
962144
+
962144
+    int                 i;
962144
 
962144
     DEBUGMSGTL(("sslctx_client", "Trying to load a trusted certificate: %s\n",
962144
                 certspec));
962144
 
962144
     /* load this identifier into the trust chain */
962144
     trustcert = netsnmp_cert_find(NS_CERT_CA,
962144
-                                  NS_CERTKEY_MULTIPLE,
962144
+                                  NS_CERTKEY_FINGERPRINT,
962144
                                   certspec);
962144
+
962144
+    /* loop through all CA certs in the given files */
962144
+    if (!trustcert) {
962144
+        matching = netsnmp_certs_find(NS_CERT_CA,
962144
+                                      NS_CERTKEY_FILE,
962144
+                                      certspec);
962144
+        for (i = 0; (matching) && (i < matching->size); ++i) {
962144
+            candidate = (netsnmp_cert*)matching->array[i];
962144
+            if (netsnmp_cert_trust(the_ctx, candidate) != SNMPERR_SUCCESS) {
962144
+                free(matching->array);
962144
+                free(matching);
962144
+                LOGANDDIE("failed to load trust certificate");
962144
+            }
962144
+        } /** matching loop */
962144
+
962144
+        if (matching) {
962144
+            free(matching->array);
962144
+            free(matching);
962144
+            return 1;
962144
+	}
962144
+    }
962144
+
962144
+    /* fall back to trusting the remote peer certificate */
962144
     if (!trustcert)
962144
         trustcert = netsnmp_cert_find(NS_CERT_REMOTE_PEER,
962144
                                       NS_CERTKEY_MULTIPLE,
962144
                                       certspec);
962144
     if (!trustcert)
962144
         LOGANDDIE("failed to find requested certificate to trust");
962144
-        
962144
+
962144
     /* Add the certificate to the context */
962144
     if (netsnmp_cert_trust(the_ctx, trustcert) != SNMPERR_SUCCESS)
962144
         LOGANDDIE("failed to load trust certificate");