int set_privileges( OCSPD_CONFIG *conf ) {
struct passwd *pw = NULL;
struct group *gr = NULL;
if( (gr = getgrnam( conf->group ) ) == NULL ) {
PKI_log_err("Cannot find group %s", conf->group);
return 0;
}
if( (pw = getpwnam( conf->user ) ) == NULL ) {
PKI_log_err ("Cannot find user %s", conf->user);
return 0;
}
if (setgid (gr->gr_gid) == -1) {
PKI_log_err ("Error setting group %d (%s)",
gr->gr_gid, conf->group);
return 0;
}
if (setuid (pw->pw_uid) == -1) {
PKI_log_err("Error setting user %d (%s)",
pw->pw_uid, conf->user );
return 0;
}
return 1;
}
int set_chroot( OCSPD_CONFIG *conf ) {
if( (!conf) || (!conf->chroot_dir))
return(1);
/* Now chroot the running process before starting the server */
if( chdir ( conf->chroot_dir ) != 0 ) {
/* Error in changing to working directory */
PKI_log_err ("SECURITY::CHROOT::ERROR [%s]", strerror(errno));
perror(NULL);
return(0);
}
if( chroot( conf->chroot_dir ) != 0 ) {
/* Error chrooting the process */
PKI_log_err ("SECURITY::CHROOT::ERROR [%s]", strerror(errno));
perror(NULL);
return(0);
}
PKI_log(PKI_LOG_INFO,"SECURITY::CHROOT::Completed [%s]",
conf->chroot_dir );
/* Ok, chdir and chroot! */
return(1);
}
void logXmlMessages( void *userData, xmlErrorPtr error ) {
#if LIBXML_VERSION >= LIBXML_MIN_VERSION
PKI_log_err( "XML I/O Error: %s", error->message);
#else
PKI_log_err( "XML I/O Error");
#endif
return;
}
void handle_sigabrt ( int i ) {
PKI_log_err("SIGABRT::received - should not happen,");
PKI_log_err("SIGABRT::please enable strict locking.");
PKI_log_err("ERROR::SIGABRT::Fatal Error, aborting server!");
return;
}
int ocspd_reload_all_ca ( OCSPD_CONFIG *conf ) {
int i=0;
CA_LIST_ENTRY *ca = NULL;
for( i = 0; i < PKI_STACK_elements( conf->ca_list); i++) {
ca = PKI_STACK_get_num( conf->ca_list, i );
/* Let's free the CA certs list, if present */
/*
if( ca->cert ) {
sk_X509_pop_free(ca->cert, X509_free );
}
*/
if (ca->ca_url ) {
if ( ca->ca_cert) PKI_X509_CERT_free ( ca->ca_cert );
/* Get the CA certificate */
ca->ca_cert = PKI_X509_CERT_get_url ( ca->ca_url,
NULL, NULL );
}
/*
if(!ca->cert || !sk_X509_num(ca->cert)) {
syslog(LOG_ERR, "Error loading CA URL data.");
continue;
} else {
if(conf->verbose)
syslog( LOG_INFO,
"CA CERT for %s loaded successfully.",
ca->ca_id );
}
*/
if( !ca->ca_cert ) {
if( ca->ca_url && ca->ca_url->url_s ) {
PKI_log_err ( "Can not load CA cert from %s",
ca->ca_url->url_s);
} else {
PKI_log_err ( "Can not load CA cert!");
continue;
}
} else {
PKI_log( PKI_LOG_INFO, " CA cert for %s loaded ok",
ca->ca_id );
}
if((ca->cid = CA_ENTRY_CERTID_new ( ca->ca_cert,
conf->digest)) == NULL ) {
PKI_log_err( "CA List structure init error (CERTID).");
continue;
}
}
return 1;
}
int PKI_X509_PKCS7_encode ( PKI_X509_PKCS7 *p7, unsigned char *data,
size_t size ) {
int type = NID_pkcs7_signed;
PKCS7_SIGNER_INFO *signerInfo = NULL;
BIO *bio = NULL;
if( !p7 || !p7->value ) return ( PKI_ERR );
type = PKI_X509_PKCS7_get_type ( p7 );
if (( type == PKI_X509_PKCS7_TYPE_ENCRYPTED )
|| (type == PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED)) {
if ( PKI_X509_PKCS7_has_recipients ( p7 ) == PKI_ERR ) {
PKI_log_debug ( "PKI_X509_PKCS7_encode()::Missing "
"Recipients!");
return PKI_ERR;
}
}
if ( (type == PKI_X509_PKCS7_TYPE_SIGNED) ||
(type == PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED )) {
if(( signerInfo = PKI_X509_PKCS7_get_signer_info( p7,
-1 )) == NULL ) {
return ( PKI_ERR );
}
PKCS7_add_signed_attribute ( signerInfo, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
}
if((bio = PKCS7_dataInit(p7->value, NULL)) == NULL ) {
PKI_log_err("PKI_X509_PKCS7_sign()::Error dataInit [%s]",
ERR_error_string(ERR_get_error(),NULL));
return ( PKI_ERR );
}
if( BIO_write( bio, data, (int) size ) <= 0 ) {
PKI_log_err("PKI_X509_PKCS7_sign()::Error dataSign [%s]",
ERR_error_string(ERR_get_error(),NULL));
return ( PKI_ERR );
}
(void)BIO_flush(bio);
if(!PKCS7_dataFinal( p7->value, bio )) {
PKI_log_err("PKI_X509_PKCS7_sign()::Error End dataSign [%s]",
ERR_error_string(ERR_get_error(),NULL));
return ( PKI_ERR );
};
if( bio ) BIO_free_all ( bio );
return ( PKI_OK );
}
int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp,
OCSP_CERTID *cid, PKI_OCSP_CERTSTATUS status,
PKI_TIME *revokeTime, PKI_TIME *thisUpdate,
PKI_TIME *nextUpdate,
PKI_X509_CRL_REASON reason,
PKI_X509_EXTENSION *invalidityDate ) {
OCSP_SINGLERESP *single = NULL;
PKI_TIME *myThisUpdate = NULL;
PKI_OCSP_RESP *r = NULL;
if ( !resp || !resp->value || !cid ) return ( PKI_ERR );
r = resp->value;
if( !r->bs )
{
// Creates the basic response object
if ((r->bs = OCSP_BASICRESP_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return PKI_ERR;
}
}
if (thisUpdate == NULL )
{
myThisUpdate = X509_gmtime_adj(NULL,0);
}
else
{
myThisUpdate = PKI_TIME_dup(thisUpdate);
}
if((single = OCSP_basic_add1_status(r->bs, cid,
status, reason, revokeTime, myThisUpdate, nextUpdate))== NULL)
{
PKI_log_err ("Can not create basic entry!");
return ( PKI_ERR );
}
if (myThisUpdate) PKI_TIME_free(myThisUpdate);
if (invalidityDate)
{
if (!OCSP_SINGLERESP_add1_ext_i2d(single,
NID_invalidity_date, invalidityDate, 0, 0))
{
PKI_log_err("Can not create extension entry for response!");
return PKI_ERR;
}
}
return PKI_OK;
}
int check_crl ( PKI_X509_CRL *x_crl, PKI_X509_CERT *x_cacert,
OCSPD_CONFIG *conf ) {
PKI_X509_KEYPAIR_VALUE *pkey = NULL;
PKI_X509_KEYPAIR *k = NULL;
int ret = -1;
if (!conf) return (-1);
PKI_RWLOCK_read_lock ( &conf->crl_lock );
if( !x_crl || !x_crl->value || !x_cacert || !x_cacert->value ) {
if( conf->verbose ) {
if(!x_crl || !x_crl->value)
PKI_log_err ("CRL missing");
if(!x_cacert || !x_cacert->value)
PKI_log_err("CA cert missing");
}
PKI_RWLOCK_release_read ( &conf->crl_lock );
return(-1);
}
/* Gets the Public Key of the CA Certificate */
if((pkey = PKI_X509_CERT_get_data( x_cacert,
PKI_X509_DATA_PUBKEY )) == NULL ) {
PKI_log_err( "Can not parse PubKey from CA Cert");
PKI_RWLOCK_release_read ( &conf->crl_lock );
return(-3);
}
if ((k = PKI_X509_new_value(PKI_DATATYPE_X509_KEYPAIR, pkey, NULL))
== NULL ) {
PKI_log_err ("Memory Error!");
PKI_RWLOCK_release_read ( &conf->crl_lock );
return(-3);
}
if ( PKI_X509_verify ( x_crl, k ) == PKI_OK ) {
PKI_log_debug("CRL signature is verified!");
ret = PKI_OK;
} else {
ret = PKI_ERR;
}
k->value = NULL;
PKI_X509_KEYPAIR_free ( k );
PKI_RWLOCK_release_read ( &conf->crl_lock );
if ( ret > 0 ) {
PKI_log(PKI_LOG_INFO, "CRL matching CA cert ok [ %d ]",
ret);
}
return ret;
}
int OCSPD_load_crl ( CA_LIST_ENTRY *ca, OCSPD_CONFIG *conf ) {
int ret = 0;
if( !ca ) return PKI_ERR;
if( !ca->crl_url ) {
PKI_log_err ("CRL URL is empty (%s)!", ca->ca_id );
return PKI_ERR;
}
if ( ca->crl ) PKI_X509_CRL_free ( ca->crl );
if (( ca->crl = PKI_X509_CRL_get_url ( ca->crl_url,
NULL, NULL )) == NULL ) {
PKI_log_err ("Failed loading CRL for %s", ca->ca_id );
return PKI_ERR;
}
/* Let's check the CRL against the CA certificate */
if( (ret = check_crl( ca->crl, ca->ca_cert, conf )) < 1 ) {
PKI_log_err( "CRL/CA check error [ %s:%d ]",
ca->ca_id, ret );
return PKI_ERR;
}
/* Now we copy the lastUpdate and nextUpdate fields */
if( ca->crl ) {
ca->lastUpdate = PKI_TIME_dup(
PKI_X509_CRL_get_data (ca->crl,
PKI_X509_DATA_LASTUPDATE));
ca->nextUpdate = PKI_TIME_dup (
PKI_X509_CRL_get_data (ca->crl,
PKI_X509_DATA_NEXTUPDATE ));
}
if((ca->crl_status = check_crl_validity(ca, conf )) == CRL_OK ) {
if(conf->verbose) PKI_log( PKI_LOG_INFO, "CRL for %s is Valid",
ca->ca_id );
} else {
PKI_log_err ( "CRL for %s has ERRORS (%d)", ca->ca_id,
ca->crl_status );
}
/* Let's get the CRLs entries, if any */
if( ocspd_build_crl_entries_list ( ca, ca->crl ) == NULL ) {
PKI_log(PKI_LOG_ALWAYS, "No CRL Entries for %s", ca->ca_id );
};
if(conf->verbose) PKI_log( PKI_LOG_ALWAYS, "CRL loaded for %s", ca->ca_id );
return PKI_OK;
}
int PKI_X509_OCSP_RESP_copy_nonce ( PKI_X509_OCSP_RESP *resp,
PKI_X509_OCSP_REQ *req ) {
PKI_OCSP_RESP *r = NULL;
if ( !resp || !resp->value || !req || !req->value )
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
r = resp->value;
if (!r->bs)
{
PKI_log_err("Missing basic request in OCSP REQ value");
return PKI_ERR;
}
if(!OCSP_copy_nonce( r->bs, req->value ))
{
PKI_ERROR(PKI_ERR_OCSP_NONCE_COPY, NULL);
return PKI_ERR;
}
return PKI_OK;
}
int ocspd_reload_crls ( OCSPD_CONFIG *conf ) {
int i, err;
CA_LIST_ENTRY *a = NULL;
if( conf->verbose )
PKI_log( PKI_LOG_INFO, "INFO::CRL Reload %ld CAs",
PKI_STACK_elements (conf->ca_list));
err = 0;
for( i=0; i < PKI_STACK_elements (conf->ca_list); i++ ) {
a = PKI_STACK_get_num ( conf->ca_list, i );
if( conf->verbose )
PKI_log(PKI_LOG_INFO, "INFO::Reloading CRL for CA [%s]",
a->ca_id );
if( ocspd_load_ca_crl(a, conf) < 0 ) {
PKI_log_err("Reload CRL for CA [%s]", a->ca_id );
err++;
continue;
}
}
PKI_log(PKI_LOG_INFO, "CRL Reloaded (%d ok, %d err)",
i - err, err );
return(1);
}
PKI_MEM * HSM_OPENSSL_sign(PKI_MEM *der, PKI_DIGEST_ALG *digest, PKI_X509_KEYPAIR *key)
{
EVP_MD_CTX *ctx = NULL;
size_t out_size = 0;
size_t ossl_ret = 0;
PKI_MEM *out_mem = NULL;
EVP_PKEY *pkey = NULL;
if (!der || !der->data || !key || !key->value)
{
PKI_ERROR( PKI_ERR_PARAM_NULL, NULL);
return NULL;
}
// Private Key
pkey = key->value;
// Get the Maximum size of a signature
ossl_ret = out_size = (size_t) EVP_PKEY_size(pkey);
// Initialize the return structure
out_mem = PKI_MEM_new ((size_t)out_size);
ctx = EVP_MD_CTX_new();
if (!out_mem || !ctx) {
if (ctx) EVP_MD_CTX_free(ctx);
if (out_mem) PKI_MEM_free(out_mem);
PKI_ERROR( PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
}
EVP_MD_CTX_init(ctx);
EVP_SignInit_ex(ctx, digest, NULL);
EVP_SignUpdate (ctx, der->data, der->size);
// Finalize the signature
if (!EVP_SignFinal(ctx, out_mem->data, (unsigned int *) &ossl_ret, pkey))
{
PKI_log_err("ERROR while finalizing signature (%s)",
HSM_OPENSSL_get_errdesc(HSM_OPENSSL_get_errno(), NULL, 0));
PKI_MEM_free(out_mem);
out_mem = NULL;
}
else out_mem->size = (size_t) ossl_ret;
// Cleanup the context
#if OPENSSL_VERSION_NUMBER <= 0x1010000f
EVP_MD_CTX_cleanup(ctx);
#else
EVP_MD_CTX_reset(ctx);
#endif
EVP_MD_CTX_free(ctx);
return out_mem;
}
int PKI_HMAC_finalize(PKI_HMAC *hmac)
{
int size = 0;
unsigned int verify_size = 0;
if (!hmac || !hmac->initialized)
return PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
// Let's prepare the return value
size = EVP_MD_size(hmac->digestAlg);
verify_size = (unsigned int) size;
// Generate a new PKI_MEM container
hmac->value = PKI_MEM_new((size_t) size);
// Let's finalize the HMAC
#if OPENSSL_VERSION_NUMBER > 0x0090900fL
int rv = HMAC_Final(&hmac->ctx, hmac->value->data, &verify_size);
if (!rv)
{
PKI_log_err("can not finalize HMAC");
PKI_MEM_free(hmac->value);
hmac->value = NULL;
return PKI_ERR;
}
#else
// In OpenSSL < 0.9.9 the return value is actually void
HMAC_Final(&hmac->ctx, hmac->value->data, &verify_size);
#endif
// Checks the sizes
if (verify_size != size)
{
PKI_log_err("Error while finalizing HMAC, size (%d) should be (%d)",
verify_size, hmac->value->size);
PKI_MEM_free(hmac->value);
hmac->value = NULL;
return PKI_ERR;
}
return PKI_OK;
}
int PKI_X509_PKCS7_add_cert (PKI_X509_PKCS7 *p7, PKI_X509_CERT *x) {
if ( !p7 || !p7->value || !x || !x->value ) {
PKI_log_err( "PKI_X509_PKCS7_add_cert()::Missing required param!");
return PKI_ERR;
}
PKCS7_add_certificate( p7->value, x->value );
return( PKI_OK );
}
int PKI_X509_PKCS7_add_crl ( PKI_X509_PKCS7 *p7, PKI_X509_CRL *crl ) {
if ( !p7 || !p7->value || !crl ) {
PKI_log_err( "PKI_X509_PKCS7_add_crl()::Missing CRL");
return PKI_ERR;
}
PKCS7_add_crl( p7->value, crl->value );
return( PKI_OK );
}
/*
* \brief Returns a B64 encoded PKI_MEM for the hmac value
*/
PKI_MEM *PKI_HMAC_get_value_b64(PKI_HMAC *hmac)
{
PKI_MEM *ret = NULL;
// This returns a duplicate of the PKI_MEM value
ret = PKI_HMAC_get_value(hmac);
if (!ret) PKI_log_err("can not get the HMAC PKI_MEM value");
// If a valid PKI_MEM is returned, let's B64 it
if (ret && ret->data && ret->size > 0)
{
if (PKI_MEM_encode(ret, PKI_DATA_FORMAT_B64, 0) != PKI_OK)
{
PKI_log_err("can not B64 encoding HMAC PKI_MEM value");
if (ret) PKI_MEM_free(ret);
return NULL;
}
}
return ret;
}
int thread_make ( int i )
{
PKI_THREAD *th_id = NULL;
int * id = NULL;
// Basic Memory Check
if (!ocspd_conf || !ocspd_conf->threads_list) return -1;
// Gets the right pointer where to store the new thread identifier
th_id = &ocspd_conf->threads_list[i].thread_tid;
if ((id = (int *) PKI_Malloc(sizeof(int))) == NULL)
{
PKI_log_err("Memory allocation error!");
return -1;
}
// Assign the thread id
*id = i;
// Let's generate the new thread
// if ((ret = PKI_THREAD_create(th_id, NULL, thread_main, (void *) &i)) != PKI_OK)
if ((th_id = PKI_THREAD_new(thread_main, (void *) id)) == NULL)
{
PKI_log_err("ERROR::OPENCA_SRV_ERR_THREAD_CREATE");
return(-1);
}
// Copy the value of the thread structure
memcpy(&ocspd_conf->threads_list[i].thread_tid, th_id, sizeof(PKI_THREAD));
// Frees the memory associated with the original structure
PKI_Free(th_id);
// Returns ok
return OCSPD_SRV_OK;
}
PKI_X509_CERT_TYPE PKI_X509_CERT_get_type(const PKI_X509_CERT *x) {
PKI_X509_CERT_TYPE ret = PKI_X509_CERT_TYPE_USER;
const PKI_X509_NAME *subj = NULL;
const PKI_X509_NAME *issuer = NULL;
BASIC_CONSTRAINTS *bs = NULL;
PKI_X509_EXTENSION *ext = NULL;
if (!x || !x->value || (x->type != PKI_DATATYPE_X509_CERT) )
return PKI_X509_CERT_TYPE_UNKNOWN;
subj = PKI_X509_CERT_get_data ( x, PKI_X509_DATA_SUBJECT );
issuer = PKI_X509_CERT_get_data ( x, PKI_X509_DATA_ISSUER );
if ( subj && issuer ) {
if ( PKI_X509_NAME_cmp( subj, issuer ) == 0) {
ret |= PKI_X509_CERT_TYPE_ROOT;
}
}
if((ext = PKI_X509_CERT_get_extension_by_id ( x,
NID_basic_constraints)) != NULL ) {
if(( bs = ext->value )) {
if ( bs->ca ) ret |= PKI_X509_CERT_TYPE_CA;
BASIC_CONSTRAINTS_free ( bs );
}
PKI_X509_EXTENSION_free ( ext );
}
if((ext = PKI_X509_CERT_get_extension_by_id ( x,
NID_proxyCertInfo )) != NULL ) {
if ( ret & PKI_X509_CERT_TYPE_CA ) {
PKI_log_err ( "Certificate Error, Proxy Cert info set",
"in a CA certificate!");
} else {
ret |= PKI_X509_CERT_TYPE_PROXY;
}
PKI_X509_EXTENSION_free ( ext );
}
return ret;
}
int PKI_MEM_add( PKI_MEM *buf, char *data, size_t data_size ) {
size_t curr_size = 0;
if( (!buf) || (!data) || (data_size == 0) ) {
return (PKI_ERR);
}
curr_size = PKI_MEM_get_size ( buf );
if( PKI_MEM_grow( buf, data_size ) == 0 ) {
PKI_log_err("Can not mem grow!");
return (PKI_ERR);
}
memcpy(buf->data + curr_size, data, data_size );
return( PKI_OK );
}
PKI_X509_EXTENSION_STACK *PKI_X509_CERT_get_extensions(const PKI_X509_CERT *x) {
PKI_X509_EXTENSION_STACK *ret = NULL;
int i = 0;
int ext_count = 0;
if (!x) return NULL;
if ((ext_count = X509_get_ext_count (x->value)) <= 0 ) return NULL;
for ( i=0; i < ext_count; i++ ) {
LIBPKI_X509_EXTENSION *ext = NULL;
// PKI_X509_EXTENSION_VALUE *ext = NULL;
PKI_X509_EXTENSION *pki_ext = NULL;
if((ext = X509_get_ext ( x->value, i )) == NULL ) {
continue;
}
if((pki_ext = PKI_X509_EXTENSION_new()) == NULL ) {
PKI_log_err ( "Memory Allocation");
continue;
}
if( ext->object == NULL ) {
PKI_X509_EXTENSION_free ( pki_ext );
continue;
}
pki_ext->oid = PKI_OID_dup ( ext->object );
pki_ext->critical = ext->critical;
if((pki_ext->value = X509V3_EXT_d2i ( ext )) == NULL ) {
PKI_log_debug( "Extension %d -- not parsable", i);
PKI_X509_EXTENSION_free ( pki_ext );
continue;
}
}
return ret;
}
PKI_X509_EXTENSION_STACK *PKI_X509_EXTENSION_get_list ( void *x,
PKI_X509_DATA type ) {
PKI_X509_EXTENSION_STACK *ret = NULL;
int i = 0;
int ext_count = 0;
if (!x) return NULL;
if ((ext_count = X509_get_ext_count (x)) <= 0 ) return NULL;
if(( ret = PKI_STACK_X509_EXTENSION_new()) == NULL ) return NULL;
for ( i=0; i < ext_count; i++ ) {
PKI_X509_EXTENSION_VALUE *ext = NULL;
PKI_X509_EXTENSION *pki_ext = NULL;
if((ext = X509_get_ext ( x, i )) == NULL ) {
continue;
}
if((pki_ext = PKI_X509_EXTENSION_new()) == NULL ) {
PKI_log_err ( "Memory Allocation");
continue;
}
pki_ext->oid = ext->object;
pki_ext->critical = ext->critical;
if((pki_ext->value = X509V3_EXT_d2i ( ext )) == NULL ) {
PKI_log_debug( "Extension %d -- not parsable", i);
PKI_X509_EXTENSION_free ( pki_ext );
continue;
}
PKI_STACK_X509_EXTENSION_push ( ret, pki_ext );
}
return ret;
}
int PKI_X509_PKCS7_add_cert_stack ( PKI_X509_PKCS7 *p7,
PKI_X509_CERT_STACK *x_sk ) {
int i;
if( !p7 || !p7->value || !x_sk ) {
PKI_log_err( "PKI_X509_PKCS7_add_crl_stack()::Missing param!");
return PKI_ERR;
}
for( i=0; i < PKI_STACK_X509_CERT_elements( x_sk ); i++ ) {
PKI_X509_CERT *x = NULL;
if(( x = PKI_STACK_X509_CERT_get_num( x_sk, i )) == NULL) {
continue;
}
PKCS7_add_certificate( p7->value, x->value );
}
return ( PKI_OK );
}
int PKI_X509_PKCS7_add_crl_stack ( PKI_X509_PKCS7 *p7,
PKI_X509_CRL_STACK *crl_sk ) {
int i;
if( !p7 || !p7->value || !crl_sk ) {
PKI_log_err( "PKI_X509_PKCS7_add_crl_stack()::Missing param!");
return PKI_ERR;
}
for( i=0; i < PKI_STACK_X509_CRL_elements( crl_sk ); i++ ) {
PKI_X509_CRL *crl = NULL;
if(( crl = PKI_STACK_X509_CRL_get_num ( crl_sk, i )) == NULL ){
continue;
}
PKCS7_add_crl ( p7->value, crl->value );
}
return PKI_OK;
}
int set_alrm_handler( void ) {
/* Now on the parent process we setup the auto_checking
functions */
struct sigaction sa;
if( ocspd_conf->crl_auto_reload ||
ocspd_conf->crl_check_validity ) {
int auto_rel, val_check;
/* Help variable, for readability reasons */
auto_rel = ocspd_conf->crl_auto_reload;
val_check = ocspd_conf->crl_check_validity;
/* This returns the min of the two values if it
is not 0, otherwise return the other */
ocspd_conf->alarm_decrement =
(( auto_rel > val_check ) ?
(val_check ? val_check : auto_rel) :
(auto_rel ? auto_rel : val_check ));
sa.sa_handler = auto_crl_check;
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
if (sigaction(SIGALRM, &sa, NULL) == -1) {
PKI_log_err("Error handling the death processes");
exit(1);
}
/* signal( SIGALRM, auto_crl_check ); */
alarm ( (unsigned int) ocspd_conf->alarm_decrement );
} else {
signal( SIGALRM, SIG_IGN);
}
return 1;
}
PKI_X509_PKCS7 *PKI_X509_PKCS7_new ( PKI_X509_PKCS7_TYPE type ) {
PKI_X509_PKCS7 *p7 = NULL;
PKI_X509_PKCS7_VALUE *value = NULL;
if((p7 = PKI_X509_new( PKI_DATATYPE_X509_PKCS7, NULL )) == NULL ) {
PKI_log_debug("PKI_X509_PKCS7_new()::Memory Error!");
return ( NULL );
}
if((value = p7->cb->create()) == NULL ) {
PKI_log_debug ("Memory Allocation Error.");
return NULL;
}
if(!PKCS7_set_type( value, type )) {
PKI_log_err( "PKI_X509_PKCS7_new()::Can not set PKCS7 type!");
return ( NULL );
}
p7->value = value;
switch ( type ) {
case PKI_X509_PKCS7_TYPE_ENCRYPTED:
case PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED:
if(!PKI_X509_PKCS7_set_cipher( p7,
(EVP_CIPHER *) PKI_CIPHER_AES(256,cbc))) {
PKI_log_debug("PKI_X509_PKCS7_new()::Can not set "
"cipher!");
};
break;
case PKI_X509_PKCS7_TYPE_SIGNED:
PKCS7_content_new ( value, NID_pkcs7_data );
break;
default:
break;
}
return ( p7 );
}
int PKI_X509_CERT_add_extension_stack(PKI_X509_CERT *x,
const PKI_X509_EXTENSION_STACK *ext) {
int i = 0;
PKI_X509_EXTENSION *ossl_ext = NULL;
if( !x || !x->value || !ext ) return (PKI_ERR);
for( i = 0; i < PKI_STACK_X509_EXTENSION_elements(ext); i++ ) {
ossl_ext = PKI_STACK_X509_EXTENSION_get_num( ext, i);
if( !ossl_ext ) continue;
if(!X509_add_ext ((X509 *) x->value, ossl_ext->value, -1 )) {
PKI_log_err ( "Adding Extensions::%s",
ERR_error_string( ERR_get_error(), NULL ) );
return ( PKI_ERR );
};
}
return (PKI_OK);
}
/*! \brief Returns the type of DNS records identified by the passed char * arg */
int URL_get_dns_type(char *str) {
int ret = -1;
if (!str) return ret;
#ifdef HAVE_LIBRESOLV
if (strncmp_nocase(str, "AAAA", 4) == 0) {
ret = T_AAAA;
} else if (strncmp_nocase(str, "A", 1) == 0) {
ret = T_A;
} else if (strncmp_nocase(str, "NS", 2) == 0) {
ret = T_NS;
} else if (strncmp_nocase(str, "MX", 2) == 0) {
ret = T_MX;
} else if (strncmp_nocase(str, "CNAME", 5) == 0) {
ret = T_CNAME;
} else if (strncmp_nocase(str, "SRV", 3) == 0) {
ret = T_SRV;
} else if (strncmp_nocase(str, "TXT", 3) == 0) {
ret = T_TXT;
} else if (strncmp_nocase(str, "CERT", 4) == 0) {
ret = T_CERT;
} else if (strncmp_nocase(str, "ANY", 3) == 0) {
ret = T_ANY;
} else if (atoi(str) > 0) {
ret = atoi(str);
} else {
PKI_log_err("DNS URI: record type (%s) not supported.", str);
}
PKI_log_debug("DNS URI: record type (%s=%d) parsed", str, ret);
#else
PKI_log_debug("DNS URI: dns support disabled at compile time");
#endif
return ret;
}
PKI_X509_KEYPAIR *HSM_X509_KEYPAIR_new_url( PKI_KEYPARAMS *params,
URL *url, PKI_CRED *cred, HSM *driver ) {
PKI_X509_KEYPAIR *ret = NULL;
HSM *hsm = NULL;
if ( !params ) {
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return NULL;
};
if( driver ) {
hsm = driver;
} else {
hsm = (HSM *) HSM_get_default();
// PKI_log_debug("Getting Default HSM (%p/%p)", hsm, &openssl_hsm );
/*
PKI_log_debug("%s:%d::DEBUG => Getting Default HSM (%p/%p)",
__FILE__, __LINE__, hsm, &openssl_hsm );
PKI_log_debug("%s:%d::DEBUG => Default HSM (CALLBK %p/%p)",
hsm->callbacks, &openssl_hsm_callbacks );
hsm->callbacks = &openssl_hsm_callbacks;
PKI_log_debug("%s:%d::DEBUG (CB keypair_new_url=>%p)",
__FILE__, __LINE__ , hsm->callbacks->keypair_new_url );
*/
}
if( hsm && hsm->callbacks && hsm->callbacks->keypair_new_url ) {
ret = hsm->callbacks->keypair_new_url(params,url,cred,hsm);
} else {
PKI_log_err("HSM does not provide key generation");
// ret = HSM_OPENSSL_KEYPAIR_new( type, bits, url, cred, NULL );
}
return ( ret );
}
int main (int argc, char *argv[]) {
PKI_MEM_STACK *sk = NULL;
PKI_MEM *obj = NULL;
PKI_SSL *ssl = NULL;
// PKI_TOKEN *tk = NULL;
PKI_SOCKET *sock = NULL;
URL * url = NULL;
char *url_s = NULL;
char *outurl_s = "fd://1";
char *trusted_certs = NULL;
char *dump_cert = NULL;
char *dump_chain = NULL;
int debug = 0;
int verify_chain = 1;
int i = 0;
int timeout = 0;
int get_via_socket = 0;
PKI_init_all();
if( !argv[1] ) {
usage();
return(1);
}
for( i = 1; i <= argc; i++ ) {
if( strcmp_nocase( argv[i], "-out" ) == 0 ) {
outurl_s = argv[++i];
} else if ( strcmp_nocase ( argv[i], "-trusted" ) == 0 ) {
trusted_certs = argv[++i];
} else if ( strcmp_nocase ( argv[i], "-dumpcert" ) == 0 ) {
if((dump_cert = argv[++i]) == NULL ) {
fprintf(stderr, "\nERROR: -dumpcert needs a file url!\n\n");
exit(1);
}
} else if ( strcmp_nocase ( argv[i], "-dumpchain" ) == 0 ) {
if((dump_chain = argv[++i]) == NULL ) {
fprintf(stderr, "\nERROR: -dumpchain needs a file url!\n\n");
exit(1);
}
} else if ( strcmp_nocase ( argv[i], "-timeout" ) == 0 ) {
timeout = atoi( argv[++i] );
if ( timeout < 0 ) timeout = 0;
} else if ( strcmp_nocase ( argv[i], "-no_verify" ) == 0 ) {
verify_chain = 0;
} else if ( strcmp_nocase( argv[i], "-debug" ) == 0 ) {
debug = 1;
} else {
url_s = argv[i];
if ( i < argc - 1 ) {
fprintf( stderr, "Args after URL ignored!(%s %d/%d)\n",
url_s, i, argc );
}
break;
}
}
if((url = URL_new( url_s )) == NULL ) {
printf("\nERROR, %s is not a valid URL!\n\n", url_s );
usage();
return (1);
}
if( debug ) {
if(( PKI_log_init (PKI_LOG_TYPE_STDERR, PKI_LOG_INFO, NULL,
PKI_LOG_FLAGS_ENABLE_DEBUG, NULL )) == PKI_ERR) {
exit(1);
}
} else {
if(( PKI_log_init (PKI_LOG_TYPE_STDERR, PKI_LOG_INFO, NULL,
0, NULL )) == PKI_ERR) {
exit(1);
}
}
// Check if we should use the socket approach or the simple URL
// retrieval facility
switch (url->proto) {
case URI_PROTO_FD:
case URI_PROTO_FILE:
case URI_PROTO_HTTP:
case URI_PROTO_HTTPS:
case URI_PROTO_LDAP:
get_via_socket = 1;
break;
default:
get_via_socket = 0;
}
//
// -------------------------- Setup the SSL Options ------------------------
//
if(( ssl = PKI_SSL_new( NULL )) == NULL ) {
fprintf(stderr, "ERROR: Memory allocation error (PKI_SSL_new)\n");
return ( 1 );
}
if ( trusted_certs ) {
PKI_X509_CERT_STACK *sk = NULL;
if(( sk = PKI_X509_CERT_STACK_get ( trusted_certs, NULL, NULL))
== NULL ) {
PKI_log_err ("Can't load Trusted Certs from %s",
trusted_certs );
return 1;
}
PKI_SSL_set_trusted ( ssl, sk );
if ( verify_chain ) {
PKI_SSL_set_verify(ssl, PKI_SSL_VERIFY_PEER_REQUIRE);
} else {
PKI_SSL_set_verify(ssl, PKI_SSL_VERIFY_PEER);
}
}
if ( verify_chain == 0 ) {
PKI_SSL_set_verify ( ssl, PKI_SSL_VERIFY_NONE );
fprintf(stderr, "WARNING: no verify set!\n");
}
if(( sock = PKI_SOCKET_new ()) == NULL ) {
fprintf(stderr, "ERROR, can not create a new Socket!\n\n");
exit(1);
}
PKI_SOCKET_set_ssl ( sock, ssl );
//
// ------------------------------ Retrieve Data -----------------------------
//
if (get_via_socket) {
if( PKI_SOCKET_open( sock, url_s, timeout ) == PKI_ERR ) {
fprintf(stderr, "ERROR, can not connect to %s!\n\n", url_s);
exit(1);
}
ssl = PKI_SOCKET_get_ssl (sock);
if (dump_cert) {
PKI_X509_CERT *x = NULL;
if ( !ssl ) {
fprintf( stderr,
"ERROR: Can not dump cert (no SSL)\n");
}
if((x = PKI_SSL_get_peer_cert ( ssl )) == NULL ) {
fprintf( stderr,
"ERROR: No Peer certificate is available\n");
}
if( PKI_X509_CERT_put ( x, PKI_DATA_FORMAT_PEM,
dump_cert, NULL, NULL, NULL ) == PKI_ERR){
fprintf(stderr, "ERROR: can not write Peer cert to "
"%s\n", dump_cert );
}
}
if (dump_chain) {
PKI_X509_CERT_STACK *x_sk = NULL;
if ( !ssl ) {
fprintf( stderr,
"ERROR: Can not dump cert (no SSL)\n");
}
if((x_sk = PKI_SSL_get_peer_chain ( ssl )) == NULL ) {
fprintf( stderr,
"ERROR: No certificate chain is available\n");
}
if( PKI_X509_CERT_STACK_put ( x_sk, PKI_DATA_FORMAT_PEM,
dump_chain, NULL, NULL, NULL ) == PKI_ERR){
fprintf(stderr, "ERROR: can not write Peer cert to "
"%s\n", dump_cert );
}
}
if((sk = URL_get_data_socket ( sock, timeout, 0 )) == NULL ) {
fprintf(stderr, "ERROR, can not retrieve data!\n\n");
return(-1);
}
PKI_SOCKET_close ( sock );
PKI_SOCKET_free ( sock );
}
else // Get Data via the usual URL socket-less approach
{
sk = URL_get_data_url (url, timeout, 0, ssl);
}
PKI_log_debug("URL: Number of retrieved entries is %d",
PKI_STACK_MEM_elements(sk));
while( (obj = PKI_STACK_MEM_pop ( sk )) != NULL ) {
URL_put_data ( outurl_s, obj, NULL, NULL, 0, 0, NULL );
}
return 0;
}
PKI_CONFIG * PKI_CONFIG_OID_load ( char *oidFile ) {
PKI_OID *oid = NULL;
PKI_CONFIG *doc = NULL;
PKI_CONFIG_ELEMENT *curr = NULL;
PKI_CONFIG_ELEMENT_STACK *sk = NULL;
int size = 0;
int i = 0;
if ( !oidFile ) return NULL;
if((doc = PKI_CONFIG_load ( oidFile)) == NULL ) {
PKI_log_err ("Can not open OID file %s", oidFile );
return (NULL);
};
// if((oid = PKI_OID_get( searchName )) != NULL ) {
// return ( oid );
// }
// snprintf( (char *) oidSearchBuff, BUFF_MAX_SIZE,
// "/objectIdentifiers/oid[@name=\"%s\"]", searchName );
if (( sk = PKI_CONFIG_get_element_stack ( doc,
(char *) "/objectIdentifiers/oid" )) == NULL ) {
// PKI_log_debug("[WARNING] no OID found in %s", oidFile );
return NULL;
}
size = PKI_STACK_CONFIG_ELEMENT_elements ( sk );
for( i = 0; i < size; i++ ) {
curr = PKI_STACK_CONFIG_ELEMENT_get_num ( sk, i );
if( curr && curr->type == XML_ELEMENT_NODE ) {
xmlChar *name = NULL;
xmlChar *descr = NULL;
xmlChar *val = NULL;
name = xmlGetProp( curr, (xmlChar *) "name" );
descr = xmlGetProp( curr, (xmlChar *) "description" );
val = xmlNodeListGetString(doc, curr->xmlChildrenNode, 1);
PKI_log_debug("[OID load] Creating OID (%s, %s, %s)",
name, descr, val );
oid = PKI_OID_new ( (char *) val, (char *) name,
(char *) descr);
if( descr ) xmlFree ( descr );
if( name ) xmlFree ( name );
if( val ) xmlFree ( val );
if( oid == NULL ) {
PKI_log_debug("Failed Creating OID (%s, %s, %s)",
name, descr, val );
}
}
}
return (doc);
}
