static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert) { int ret = 0; TS_REQ *ts_req = NULL; int len; TS_MSG_IMPRINT *msg_imprint = NULL; X509_ALGOR *algo = NULL; unsigned char *data = NULL; ASN1_OBJECT *policy_obj = NULL; ASN1_INTEGER *nonce_asn1 = NULL; if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL) goto err; if ((ts_req = TS_REQ_new()) == NULL) goto err; if (!TS_REQ_set_version(ts_req, 1)) goto err; if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL) goto err; if ((algo = X509_ALGOR_new()) == NULL) goto err; if ((algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))) == NULL) goto err; if ((algo->parameter = ASN1_TYPE_new()) == NULL) goto err; algo->parameter->type = V_ASN1_NULL; if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo)) goto err; if ((len = create_digest(data_bio, digest, md, &data)) == 0) goto err; if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len)) goto err; if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint)) goto err; if (policy && (policy_obj = txt2obj(policy)) == NULL) goto err; if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj)) goto err; /* Setting nonce if requested. */ if (!no_nonce && (nonce_asn1 = create_nonce(NONCE_LENGTH)) == NULL) goto err; if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1)) goto err; if (!TS_REQ_set_cert_req(ts_req, cert)) goto err; ret = 1; err: if (!ret) { TS_REQ_free(ts_req); ts_req = NULL; BIO_printf(bio_err, "could not create query\n"); ERR_print_errors(bio_err); } TS_MSG_IMPRINT_free(msg_imprint); X509_ALGOR_free(algo); OPENSSL_free(data); ASN1_OBJECT_free(policy_obj); ASN1_INTEGER_free(nonce_asn1); return ts_req; }
static LUA_FUNCTION(openssl_ts_req_gc) { TS_REQ *req = CHECK_OBJECT(1, TS_REQ, "openssl.ts_req"); lua_pushnil(L); lua_setmetatable(L, 1); TS_REQ_free(req); return 0; }
static int query_command(const char *data, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert, const char *in, const char *out, int text) { int ret = 0; TS_REQ *query = NULL; BIO *in_bio = NULL; BIO *data_bio = NULL; BIO *out_bio = NULL; /* Build query object either from file or from scratch. */ if (in != NULL) { if ((in_bio = BIO_new_file(in, "rb")) == NULL) goto end; query = d2i_TS_REQ_bio(in_bio, NULL); } else { /* Open the file if no explicit digest bytes were specified. */ if (!digest && !(data_bio = BIO_open_with_default(data, "rb", stdin))) goto end; /* Creating the query object. */ query = create_query(data_bio, digest, md, policy, no_nonce, cert); /* Saving the random number generator state. */ } if (query == NULL) goto end; /* Write query either in ASN.1 or in text format. */ if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) goto end; if (text) { /* Text output. */ if (!TS_REQ_print_bio(out_bio, query)) goto end; } else { /* ASN.1 output. */ if (!i2d_TS_REQ_bio(out_bio, query)) goto end; } ret = 1; end: ERR_print_errors(bio_err); /* Clean up. */ BIO_free_all(in_bio); BIO_free_all(data_bio); BIO_free_all(out_bio); TS_REQ_free(query); return ret; }
static LUA_FUNCTION(openssl_ts_req_new) { TS_REQ *ts_req = TS_REQ_new(); long version = luaL_optinteger(L, 1, 1); int ret = TS_REQ_set_version(ts_req, version); if (ret == 1) { PUSH_OBJECT(ts_req, "openssl.ts_req"); return 1; } TS_REQ_free(ts_req); return 0; }
/* * Query-related method definitions. */ static int query_command(const char *data, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert, const char *in, const char *out, int text) { int ret = 0; TS_REQ *query = NULL; BIO *in_bio = NULL; BIO *data_bio = NULL; BIO *out_bio = NULL; /* Build query object. */ if (in != NULL) { if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL) goto end; query = d2i_TS_REQ_bio(in_bio, NULL); } else { if (digest == NULL && (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL) goto end; query = create_query(data_bio, digest, md, policy, no_nonce, cert); } if (query == NULL) goto end; if (text) { if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL) goto end; if (!TS_REQ_print_bio(out_bio, query)) goto end; } else { if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL) goto end; if (!i2d_TS_REQ_bio(out_bio, query)) goto end; } ret = 1; end: ERR_print_errors(bio_err); BIO_free_all(in_bio); BIO_free_all(data_bio); BIO_free_all(out_bio); TS_REQ_free(query); return ret; }
int check_time_stamp(TS_RESP* tsResponse, X509* caCert, char* hash, UNSIGNED32 hash_size) { int result = 0; TS_REQ* tsRequest = NULL; TS_VERIFY_CTX* ctx = NULL; TS_MSG_IMPRINT* msgImprint = NULL; ASN1_OCTET_STRING* hashedMessage = NULL; int hashedMessageLength; tsRequest = get_timestamp_request(hash, hash_size, tsResponse->tst_info->nonce); msgImprint = TS_REQ_get_msg_imprint(tsRequest); hashedMessage = TS_MSG_IMPRINT_get_msg(msgImprint); hashedMessageLength = ASN1_STRING_length((ASN1_STRING*)hashedMessage); if (hashedMessageLength != (int)hash_size) { goto end; } if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(tsRequest, NULL))) { goto end; } ctx->flags |= TS_VFY_SIGNATURE; ctx->store = X509_STORE_new(); X509_STORE_add_cert(ctx->store, caCert); if (ossl_TS_RESP_verify_response(ctx, tsResponse)) { result = 1; } end: if (tsRequest != NULL) { TS_REQ_free(tsRequest); } if (ctx != NULL) { TS_VERIFY_CTX_free(ctx); } return result; }
static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, char *queryfile, char *CApath, char *CAfile, char *untrusted, X509_VERIFY_PARAM *vpm) { TS_VERIFY_CTX *ctx = NULL; BIO *input = NULL; TS_REQ *request = NULL; int ret = 0; int f = 0; if (data != NULL || digest != NULL) { if ((ctx = TS_VERIFY_CTX_new()) == NULL) goto err; f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { f |= TS_VFY_DATA; if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) goto err; } else if (digest != NULL) { long imprint_len; unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len); f |= TS_VFY_IMPRINT; if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) { BIO_printf(bio_err, "invalid digest string\n"); goto err; } } } else if (queryfile != NULL) { if ((input = BIO_new_file(queryfile, "rb")) == NULL) goto err; if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL) goto err; if ((ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)) == NULL) goto err; } else return NULL; /* Add the signature verification flag and arguments. */ TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE); /* Initialising the X509_STORE object. */ if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm)) == NULL) goto err; /* Loading untrusted certificates. */ if (untrusted && TS_VERIFY_CTS_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL) goto err; ret = 1; err: if (!ret) { TS_VERIFY_CTX_free(ctx); ctx = NULL; } BIO_free_all(input); TS_REQ_free(request); return ctx; }
static TS_VERIFY_CTX * create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path, char *ca_file, char *untrusted) { TS_VERIFY_CTX *ctx = NULL; BIO *input = NULL; TS_REQ *request = NULL; int ret = 0; if (data != NULL || digest != NULL) { if (!(ctx = TS_VERIFY_CTX_new())) goto err; ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { ctx->flags |= TS_VFY_DATA; if (!(ctx->data = BIO_new_file(data, "rb"))) goto err; } else if (digest != NULL) { long imprint_len; ctx->flags |= TS_VFY_IMPRINT; if (!(ctx->imprint = string_to_hex(digest, &imprint_len))) { BIO_printf(bio_err, "invalid digest string\n"); goto err; } ctx->imprint_len = imprint_len; } } else if (queryfile != NULL) { /* * The request has just to be read, decoded and converted to * a verify context object. */ if (!(input = BIO_new_file(queryfile, "rb"))) goto err; if (!(request = d2i_TS_REQ_bio(input, NULL))) goto err; if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL))) goto err; } else return NULL; /* Add the signature verification flag and arguments. */ ctx->flags |= TS_VFY_SIGNATURE; /* Initialising the X509_STORE object. */ if (!(ctx->store = create_cert_store(ca_path, ca_file))) goto err; /* Loading untrusted certificates. */ if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted))) goto err; ret = 1; err: if (!ret) { TS_VERIFY_CTX_free(ctx); ctx = NULL; } BIO_free_all(input); TS_REQ_free(request); return ctx; }
TS_REQ* get_timestamp_request(char* hash, int hash_size, ASN1_INTEGER *nonce_asn1) { int ret = 0; TS_REQ *ts_req = NULL; TS_MSG_IMPRINT *msg_imprint = NULL; X509_ALGOR *algo = NULL; unsigned char *data = NULL; ASN1_OBJECT *policy_obj = NULL; const EVP_MD* md = NULL; /* Setting default message digest. */ if ((md = EVP_get_digestbyname("sha256")) == NULL) { goto err; } /* Creating request object. */ if ((ts_req = TS_REQ_new()) == NULL) { goto err; } /* Setting version. */ if (!TS_REQ_set_version(ts_req, 1)) goto err; /* Creating and adding MSG_IMPRINT object. */ if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL) { goto err; } /* Adding algorithm. */ if ((algo = X509_ALGOR_new()) == NULL) { goto err; } if ((algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))) == NULL) { goto err; } if ((algo->parameter = ASN1_TYPE_new()) == NULL) { goto err; } algo->parameter->type = V_ASN1_NULL; if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo)) goto err; /* Adding message digest. */ if (!TS_MSG_IMPRINT_set_msg(msg_imprint, (unsigned char*)hash, hash_size)) goto err; if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint)) goto err; /* Setting policy if requested. */ if ((policy_obj = OBJ_txt2obj("1.1.3", 0)) == NULL) { goto err; } if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj)) goto err; /* Setting nonce if requested. */ if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1)) goto err; /* Setting certificate request flag if requested. */ if (!TS_REQ_set_cert_req(ts_req, 1)) goto err; ret = 1; err: if (!ret) { TS_REQ_free(ts_req); ts_req = NULL; } TS_MSG_IMPRINT_free(msg_imprint); X509_ALGOR_free(algo); OPENSSL_free(data); ASN1_OBJECT_free(policy_obj); return ts_req; }
UNSIGNED32 get_timestamp_response(const char* urlStr, char* hash, UNSIGNED32 hash_size, UNSIGNED32 httpTimeOut, TS_RESP** tsResponse) { UNSIGNED32 result = TINTERNALERROR; BIO* responseBio = NULL; Url* url = NULL; TS_REQ* tsRequest = NULL; BIO* requestBio = NULL; int requestHeaderLength; int requestLength; int requestContentLength; char requestHeader[2048 + 256]; char* request = NULL; void* contentBuffer = NULL; void* resultBuffer = NULL; int resultLength; TS_MSG_IMPRINT* msgImprint = NULL; ASN1_OCTET_STRING* hashedMessage = NULL; int hashedMessageLength; int httpResult; char *urlBuffer = NULL; int redirection = 0; /* Check if TS url is specified */ if (!urlStr) { goto end; } /* Get Request for timestamp */ tsRequest = get_timestamp_request(hash, hash_size, create_nonce(NONCE_LENGTH)); msgImprint = TS_REQ_get_msg_imprint(tsRequest); hashedMessage = TS_MSG_IMPRINT_get_msg(msgImprint); hashedMessageLength = ASN1_STRING_length((ASN1_STRING*)hashedMessage); if ((int)hash_size != hashedMessageLength) { goto end; } requestBio = BIO_new(BIO_s_mem()); if (requestBio == NULL) { goto end; } if (!i2d_TS_REQ_bio(requestBio, tsRequest)) { goto end; } contentBuffer = memory_alloc(BIO_number_written(requestBio)); if (contentBuffer == NULL) { goto end; } requestContentLength = BIO_read(requestBio, contentBuffer, BIO_number_written(requestBio)); /* Allocate memory buffer for timestamp server url */ urlBuffer = memory_alloc(strlen(urlStr) + 1); if (!urlBuffer) { goto end; } /* Copy TS url to allocated buffer */ strcpy(urlBuffer, urlStr); http_redirect: /* Parse and check URL */ url = parse_url(urlBuffer); if (url == NULL) { goto end; } if (strcmp(url->Scheme, "http") != 0) { goto end; } requestHeaderLength = sprintf(requestHeader, "POST %s HTTP/1.0\r\nHOST: %s\r\nPragma: no-cache\r\nContent-Type: application/timestamp-query\r\nAccept: application/timestamp-reply\r\nContent-Length: %d\r\n\r\n", urlBuffer, url->Host, requestContentLength); requestLength = requestHeaderLength + requestContentLength; request = (char*)memory_alloc(requestLength); if (request == NULL) { goto end; } memcpy(request, requestHeader, requestHeaderLength); memcpy(request + requestHeaderLength, contentBuffer, requestContentLength); httpResult = http_read(url->Host, request, requestLength, url->Port, httpTimeOut, 1, &resultBuffer, &resultLength); if (httpResult == HTTP_REDIRECTION && (resultBuffer) && !redirection) { free_url(url); url = NULL; memory_free(request); request = NULL; /* Allocated buffer for redirected url */ urlBuffer = memory_realloc(urlBuffer, resultLength); if (!urlBuffer) { goto end; } memcpy(urlBuffer, resultBuffer, resultLength); memory_free(resultBuffer); redirection++; goto http_redirect; } else if ((httpResult == HTTP_NOERROR) && (resultBuffer)) { responseBio = BIO_new(BIO_s_mem()); if (responseBio == NULL) { goto end; } BIO_write(responseBio, resultBuffer, resultLength); *tsResponse = d2i_TS_RESP_bio(responseBio, NULL); if (*tsResponse == NULL) { goto end; } result = TNOERR; } else { switch (httpResult) { case HTTP_NOLIVEINTERNET_ERROR: result = TNONET; break; case HTTP_TIMEOUT_ERROR: result = TTIMEOUT; break; case HTTP_RESPONSESTATUS_ERROR: result = TSERVERERROR; break; default: result = TINTERNALERROR; break; } } end: free_url(url); if (tsRequest != NULL) { TS_REQ_free(tsRequest); } if (requestBio != NULL) { BIO_free_all(requestBio); } if (responseBio != NULL) { BIO_free_all(responseBio); } if (request != NULL) { memory_free(request); } if (contentBuffer != NULL) { memory_free(contentBuffer); } if (resultBuffer != NULL) { memory_free(resultBuffer); } if (urlBuffer != NULL) { memory_free(urlBuffer); } return result; }