int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
TS_RESP_CTX *ctx)
{
int ret = 0;
STACK_OF(X509) *certs_obj = NULL;
if (!certs)
certs = NCONF_get_string(conf, section, ENV_CERTS);
/* Certificate chain is optional. */
if (!certs) goto end;
if (!(certs_obj = TS_CONF_load_certs(certs))) goto err;
if (!TS_RESP_CTX_set_certs(ctx, certs_obj)) goto err;
end:
ret = 1;
err:
sk_X509_pop_free(certs_obj, X509_free);
return ret;
}
static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
char *queryfile,
char *CApath, char *CAfile,
char *untrusted,
X509_VERIFY_PARAM *vpm)
{
TS_VERIFY_CTX *ctx = NULL;
BIO *input = NULL;
TS_REQ *request = NULL;
int ret = 0;
int f = 0;
if (data != NULL || digest != NULL) {
if ((ctx = TS_VERIFY_CTX_new()) == NULL)
goto err;
f = TS_VFY_VERSION | TS_VFY_SIGNER;
if (data != NULL) {
f |= TS_VFY_DATA;
if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL)
goto err;
} else if (digest != NULL) {
long imprint_len;
unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
f |= TS_VFY_IMPRINT;
if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
BIO_printf(bio_err, "invalid digest string\n");
goto err;
}
}
} else if (queryfile != NULL) {
if ((input = BIO_new_file(queryfile, "rb")) == NULL)
goto err;
if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL)
goto err;
if ((ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)) == NULL)
goto err;
} else
return NULL;
/* Add the signature verification flag and arguments. */
TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
/* Initialising the X509_STORE object. */
if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm))
== NULL)
goto err;
/* Loading untrusted certificates. */
if (untrusted
&& TS_VERIFY_CTS_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL)
goto err;
ret = 1;
err:
if (!ret) {
TS_VERIFY_CTX_free(ctx);
ctx = NULL;
}
BIO_free_all(input);
TS_REQ_free(request);
return ctx;
}
static TS_VERIFY_CTX *
create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path,
char *ca_file, char *untrusted)
{
TS_VERIFY_CTX *ctx = NULL;
BIO *input = NULL;
TS_REQ *request = NULL;
int ret = 0;
if (data != NULL || digest != NULL) {
if (!(ctx = TS_VERIFY_CTX_new()))
goto err;
ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER;
if (data != NULL) {
ctx->flags |= TS_VFY_DATA;
if (!(ctx->data = BIO_new_file(data, "rb")))
goto err;
} else if (digest != NULL) {
long imprint_len;
ctx->flags |= TS_VFY_IMPRINT;
if (!(ctx->imprint = string_to_hex(digest,
&imprint_len))) {
BIO_printf(bio_err, "invalid digest string\n");
goto err;
}
ctx->imprint_len = imprint_len;
}
} else if (queryfile != NULL) {
/*
* The request has just to be read, decoded and converted to
* a verify context object.
*/
if (!(input = BIO_new_file(queryfile, "rb")))
goto err;
if (!(request = d2i_TS_REQ_bio(input, NULL)))
goto err;
if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)))
goto err;
} else
return NULL;
/* Add the signature verification flag and arguments. */
ctx->flags |= TS_VFY_SIGNATURE;
/* Initialising the X509_STORE object. */
if (!(ctx->store = create_cert_store(ca_path, ca_file)))
goto err;
/* Loading untrusted certificates. */
if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted)))
goto err;
ret = 1;
err:
if (!ret) {
TS_VERIFY_CTX_free(ctx);
ctx = NULL;
}
BIO_free_all(input);
TS_REQ_free(request);
return ctx;
}