int
EAC_CTX_init_ta(const EAC_CTX *ctx,
const unsigned char *privkey, size_t privkey_len,
const unsigned char *cvca, size_t cvca_len)
{
CVC_CERT *ta_cvca = NULL;
int r = 0;
check(ctx && ctx->ta_ctx, "Invalid arguments");
if (privkey && privkey_len) {
if (ctx->ta_ctx->priv_key)
EVP_PKEY_free(ctx->ta_ctx->priv_key);
ctx->ta_ctx->priv_key = d2i_AutoPrivateKey(&ctx->ta_ctx->priv_key,
&privkey, privkey_len);
if (!ctx->ta_ctx->priv_key)
goto err;
}
if (cvca && cvca_len) {
ta_cvca = CVC_d2i_CVC_CERT(&ta_cvca, &cvca, cvca_len);
}
r = TA_CTX_set_trust_anchor(ctx->ta_ctx, ta_cvca, ctx->bn_ctx);
err:
if (ta_cvca)
CVC_CERT_free(ta_cvca);
return r;
}
int
CA_STEP6_derive_keys(EAC_CTX *ctx, const BUF_MEM *nonce, const BUF_MEM *token)
{
int rv = -1;
check((ctx && ctx->ca_ctx), "Invalid arguments");
if (!KA_CTX_derive_keys(ctx->ca_ctx->ka_ctx, nonce, ctx->md_ctx))
goto err;
rv = verify_authentication_token(ctx->ca_ctx->protocol,
ctx->ca_ctx->ka_ctx,
ctx->bn_ctx, ctx->tr_version, token);
check(rv >= 0, "Failed to verify authentication token");
/* PACE, TA and CA were successful. Update the trust anchor! */
if (rv) {
if (ctx->ta_ctx->new_trust_anchor) {
CVC_CERT_free(ctx->ta_ctx->trust_anchor);
ctx->ta_ctx->trust_anchor = ctx->ta_ctx->new_trust_anchor;
ctx->ta_ctx->new_trust_anchor = NULL;
}
}
err:
return rv;
}
static int print_cvc(const unsigned char *cvc_data, const size_t cvc_len,
const unsigned char *desc_data, const size_t desc_len) {
BIO *bio_stdout = NULL;
CVC_CERT *cvc = NULL;
CVC_CERTIFICATE_DESCRIPTION *desc = NULL;
const unsigned char *p;
int fail = 1;
bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
if (!bio_stdout)
err("could not get output buffer");
if (cvc_data && cvc_len) {
p = cvc_data;
if (!CVC_d2i_CVC_CERT(&cvc, &p, cvc_len))
err("could not parse card verifiable certificate");
puts("Certificate:");
if (!CVC_print(bio_stdout, cvc, 2))
err("could not print card verifiable certificate");
}
/* FIXME: CVC_CERT_print_ctx -> segfault */
/* CVC_CERT_print_ctx(bio_stdout, cvc, 1, NULL); */
if (desc_data && desc_len) {
p = desc_data;
if (!d2i_CVC_CERTIFICATE_DESCRIPTION(&desc, &p, desc_len))
err("could not parse certificate description");
puts("Description:");
if (!certificate_description_print(bio_stdout, desc, 0))
err("could not print certificate description");
}
if (cvc && desc_data && desc_len) {
if (!CVC_check_description(cvc, desc_data, desc_len)) {
puts("certificate description doesn't match certificate");
} else {
puts("certificate description matches certificate");
}
}
fail = 0;
err:
if (desc)
CVC_CERTIFICATE_DESCRIPTION_free(desc);
if (cvc)
CVC_CERT_free(cvc);
if (bio_stdout)
BIO_free_all(bio_stdout);
return fail;
}
void
TA_CTX_clear_free(TA_CTX *ctx) {
if (!ctx)
return;
if (ctx->pk_pcd)
BUF_MEM_free(ctx->pk_pcd);
if (ctx->priv_key)
EVP_PKEY_free(ctx->priv_key);
if (ctx->pub_key)
EVP_PKEY_free(ctx->pub_key);
if (ctx->trust_anchor)
CVC_CERT_free(ctx->trust_anchor);
if (ctx->current_cert)
CVC_CERT_free(ctx->current_cert);
if (ctx->new_trust_anchor)
CVC_CERT_free(ctx->new_trust_anchor);
BUF_MEM_clear_free(ctx->nonce);
OPENSSL_free(ctx);
return;
}
int
TA_CTX_set_trust_anchor(TA_CTX *ctx, const CVC_CERT *trust_anchor,
BN_CTX *bn_ctx)
{
int ok = 0;
check(ctx, "Invalid Parameters");
if (ctx->trust_anchor)
CVC_CERT_free(ctx->trust_anchor);
ctx->trust_anchor = CVC_CERT_dup(trust_anchor);
if (!ctx->trust_anchor)
goto err;
if (ctx->current_cert) {
CVC_CERT_free(ctx->current_cert);
ctx->current_cert = NULL;
}
ok = TA_CTX_set_parameters(ctx, trust_anchor, bn_ctx);
err:
return ok;
}
static int print_cvc(const unsigned char *cvc_data, const size_t cvc_len,
const unsigned char *desc_data, const size_t desc_len,
const unsigned char *csr_data, const size_t csr_len)
{
BIO *bio_stdout = NULL;
CVC_CERT *cvc = NULL;
CVC_CERTIFICATE_DESCRIPTION *desc = NULL;
CVC_CERT_REQUEST *request = NULL;
CVC_CERT_AUTHENTICATION_REQUEST *authentication = NULL;
const unsigned char *p;
int fail = 1;
bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
if (!bio_stdout)
err("could not get output buffer");
if (cvc_data && cvc_len) {
p = cvc_data;
if (!CVC_d2i_CVC_CERT(&cvc, &p, cvc_len))
err("could not parse card verifiable certificate");
puts("Certificate:");
if (!CVC_print(bio_stdout, cvc, 2))
err("could not print card verifiable certificate");
}
/* FIXME: CVC_CERT_print_ctx -> segfault */
/* CVC_CERT_print_ctx(bio_stdout, cvc, 1, NULL); */
if (desc_data && desc_len) {
p = desc_data;
if (!d2i_CVC_CERTIFICATE_DESCRIPTION(&desc, &p, desc_len))
err("could not parse certificate description");
puts("Description:");
if (!certificate_description_print(bio_stdout, desc, 0))
err("could not print certificate description");
}
if (cvc && desc_data && desc_len) {
if (!CVC_check_description(cvc, desc_data, desc_len)) {
puts("certificate description doesn't match certificate");
} else {
puts("certificate description matches certificate");
}
}
if (csr_data && csr_len) {
p = csr_data;
if (d2i_CVC_CERT_REQUEST(&request, &p, csr_len)) {
puts("Certificate Request:");
if (!certificate_request_print(bio_stdout, request, 2))
err("could not print certificate request");
} else {
/* try using an authentication request */
p = csr_data;
if (!d2i_CVC_CERT_AUTHENTICATION_REQUEST(&authentication, &p, desc_len))
err("could not parse certificate request");
puts("Certificate Authentication Request:");
if (!certificate_authentication_request_print(bio_stdout, authentication, 2))
err("could not print certificate authentication request");
}
if (1 == CVC_verify_request_signature(request ? request :
authentication->request)) {
puts("certificate request verified");
} else {
puts("certificate request not verified");
}
}
fail = 0;
err:
if (desc)
CVC_CERTIFICATE_DESCRIPTION_free(desc);
if (cvc)
CVC_CERT_free(cvc);
if (authentication)
CVC_CERT_AUTHENTICATION_REQUEST_free(authentication);
if (request)
CVC_CERT_REQUEST_free(request);
if (bio_stdout)
BIO_free_all(bio_stdout);
return fail;
}
int
TA_CTX_import_certificate(TA_CTX *ctx, const CVC_CERT *next_cert,
BN_CTX *bn_ctx)
{
int ok = 0, i;
const CVC_CERT *trust_anchor = NULL;
check(ctx && next_cert && next_cert->body && next_cert->body->chat &&
next_cert->body->certificate_authority_reference,
"Invalid arguments");
/* Check date to see if the certificate is still valid
* (not for link certificates). */
if ((ctx->flags & TA_FLAG_SKIP_TIMECHECK) != TA_FLAG_SKIP_TIMECHECK
&& CVC_get_role(next_cert->body->chat) != CVC_CVCA
&& cvc_check_time(next_cert) != 1)
goto err;
/* get the current trust anchor */
if (ctx->current_cert) {
trust_anchor = ctx->current_cert;
} else if (ctx->trust_anchor) {
trust_anchor = ctx->trust_anchor;
} else if (ctx->lookup_cvca_cert) {
trust_anchor = ctx->lookup_cvca_cert(
next_cert->body->certificate_authority_reference->data,
next_cert->body->certificate_authority_reference->length);
check(trust_anchor && TA_CTX_set_trust_anchor(ctx, trust_anchor,
bn_ctx),
"Could not look up trust anchor");
}
check(trust_anchor && trust_anchor->body
&& trust_anchor->body->certificate_holder_reference,
"No trust anchor, can't verify certificate");
/* Check chain integrity: The CAR of a certificate must be equal to the
* the CHR of the next certificate in the chain */
check((next_cert->body->certificate_authority_reference
&& trust_anchor->body->certificate_holder_reference
&& next_cert->body->certificate_authority_reference->length ==
trust_anchor->body->certificate_holder_reference->length
&& memcmp(trust_anchor->body->certificate_holder_reference->data,
next_cert->body->certificate_authority_reference->data,
trust_anchor->body->certificate_holder_reference->length) == 0),
"Current CHR does not match next CAR");
i = CVC_verify_signature(next_cert, ctx->pub_key);
check((i > 0), "Could not verify current signature");
/* Certificate has been verified as next part of the chain */
if (ctx->current_cert)
CVC_CERT_free(ctx->current_cert);
ctx->current_cert = CVC_CERT_dup(next_cert);
if (!ctx->current_cert)
goto err;
/* Set a (new) trust anchor */
if (CVC_get_role(next_cert->body->chat) == CVC_CVCA) {
if (ctx->new_trust_anchor)
CVC_CERT_free(ctx->new_trust_anchor);
ctx->new_trust_anchor = CVC_CERT_dup(next_cert);
if (!ctx->new_trust_anchor)
goto err;
}
ok = TA_CTX_set_parameters(ctx, next_cert, bn_ctx);
err:
return ok;
}
