int set_privileges( OCSPD_CONFIG *conf ) { struct passwd *pw = NULL; struct group *gr = NULL; if( (gr = getgrnam( conf->group ) ) == NULL ) { PKI_log_err("Cannot find group %s", conf->group); return 0; } if( (pw = getpwnam( conf->user ) ) == NULL ) { PKI_log_err ("Cannot find user %s", conf->user); return 0; } if (setgid (gr->gr_gid) == -1) { PKI_log_err ("Error setting group %d (%s)", gr->gr_gid, conf->group); return 0; } if (setuid (pw->pw_uid) == -1) { PKI_log_err("Error setting user %d (%s)", pw->pw_uid, conf->user ); return 0; } return 1; }
int set_chroot( OCSPD_CONFIG *conf ) { if( (!conf) || (!conf->chroot_dir)) return(1); /* Now chroot the running process before starting the server */ if( chdir ( conf->chroot_dir ) != 0 ) { /* Error in changing to working directory */ PKI_log_err ("SECURITY::CHROOT::ERROR [%s]", strerror(errno)); perror(NULL); return(0); } if( chroot( conf->chroot_dir ) != 0 ) { /* Error chrooting the process */ PKI_log_err ("SECURITY::CHROOT::ERROR [%s]", strerror(errno)); perror(NULL); return(0); } PKI_log(PKI_LOG_INFO,"SECURITY::CHROOT::Completed [%s]", conf->chroot_dir ); /* Ok, chdir and chroot! */ return(1); }
void logXmlMessages( void *userData, xmlErrorPtr error ) { #if LIBXML_VERSION >= LIBXML_MIN_VERSION PKI_log_err( "XML I/O Error: %s", error->message); #else PKI_log_err( "XML I/O Error"); #endif return; }
void handle_sigabrt ( int i ) { PKI_log_err("SIGABRT::received - should not happen,"); PKI_log_err("SIGABRT::please enable strict locking."); PKI_log_err("ERROR::SIGABRT::Fatal Error, aborting server!"); return; }
int ocspd_reload_all_ca ( OCSPD_CONFIG *conf ) { int i=0; CA_LIST_ENTRY *ca = NULL; for( i = 0; i < PKI_STACK_elements( conf->ca_list); i++) { ca = PKI_STACK_get_num( conf->ca_list, i ); /* Let's free the CA certs list, if present */ /* if( ca->cert ) { sk_X509_pop_free(ca->cert, X509_free ); } */ if (ca->ca_url ) { if ( ca->ca_cert) PKI_X509_CERT_free ( ca->ca_cert ); /* Get the CA certificate */ ca->ca_cert = PKI_X509_CERT_get_url ( ca->ca_url, NULL, NULL ); } /* if(!ca->cert || !sk_X509_num(ca->cert)) { syslog(LOG_ERR, "Error loading CA URL data."); continue; } else { if(conf->verbose) syslog( LOG_INFO, "CA CERT for %s loaded successfully.", ca->ca_id ); } */ if( !ca->ca_cert ) { if( ca->ca_url && ca->ca_url->url_s ) { PKI_log_err ( "Can not load CA cert from %s", ca->ca_url->url_s); } else { PKI_log_err ( "Can not load CA cert!"); continue; } } else { PKI_log( PKI_LOG_INFO, " CA cert for %s loaded ok", ca->ca_id ); } if((ca->cid = CA_ENTRY_CERTID_new ( ca->ca_cert, conf->digest)) == NULL ) { PKI_log_err( "CA List structure init error (CERTID)."); continue; } } return 1; }
int PKI_X509_PKCS7_encode ( PKI_X509_PKCS7 *p7, unsigned char *data, size_t size ) { int type = NID_pkcs7_signed; PKCS7_SIGNER_INFO *signerInfo = NULL; BIO *bio = NULL; if( !p7 || !p7->value ) return ( PKI_ERR ); type = PKI_X509_PKCS7_get_type ( p7 ); if (( type == PKI_X509_PKCS7_TYPE_ENCRYPTED ) || (type == PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED)) { if ( PKI_X509_PKCS7_has_recipients ( p7 ) == PKI_ERR ) { PKI_log_debug ( "PKI_X509_PKCS7_encode()::Missing " "Recipients!"); return PKI_ERR; } } if ( (type == PKI_X509_PKCS7_TYPE_SIGNED) || (type == PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED )) { if(( signerInfo = PKI_X509_PKCS7_get_signer_info( p7, -1 )) == NULL ) { return ( PKI_ERR ); } PKCS7_add_signed_attribute ( signerInfo, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); } if((bio = PKCS7_dataInit(p7->value, NULL)) == NULL ) { PKI_log_err("PKI_X509_PKCS7_sign()::Error dataInit [%s]", ERR_error_string(ERR_get_error(),NULL)); return ( PKI_ERR ); } if( BIO_write( bio, data, (int) size ) <= 0 ) { PKI_log_err("PKI_X509_PKCS7_sign()::Error dataSign [%s]", ERR_error_string(ERR_get_error(),NULL)); return ( PKI_ERR ); } (void)BIO_flush(bio); if(!PKCS7_dataFinal( p7->value, bio )) { PKI_log_err("PKI_X509_PKCS7_sign()::Error End dataSign [%s]", ERR_error_string(ERR_get_error(),NULL)); return ( PKI_ERR ); }; if( bio ) BIO_free_all ( bio ); return ( PKI_OK ); }
int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp, OCSP_CERTID *cid, PKI_OCSP_CERTSTATUS status, PKI_TIME *revokeTime, PKI_TIME *thisUpdate, PKI_TIME *nextUpdate, PKI_X509_CRL_REASON reason, PKI_X509_EXTENSION *invalidityDate ) { OCSP_SINGLERESP *single = NULL; PKI_TIME *myThisUpdate = NULL; PKI_OCSP_RESP *r = NULL; if ( !resp || !resp->value || !cid ) return ( PKI_ERR ); r = resp->value; if( !r->bs ) { // Creates the basic response object if ((r->bs = OCSP_BASICRESP_new()) == NULL) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return PKI_ERR; } } if (thisUpdate == NULL ) { myThisUpdate = X509_gmtime_adj(NULL,0); } else { myThisUpdate = PKI_TIME_dup(thisUpdate); } if((single = OCSP_basic_add1_status(r->bs, cid, status, reason, revokeTime, myThisUpdate, nextUpdate))== NULL) { PKI_log_err ("Can not create basic entry!"); return ( PKI_ERR ); } if (myThisUpdate) PKI_TIME_free(myThisUpdate); if (invalidityDate) { if (!OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invalidityDate, 0, 0)) { PKI_log_err("Can not create extension entry for response!"); return PKI_ERR; } } return PKI_OK; }
int check_crl ( PKI_X509_CRL *x_crl, PKI_X509_CERT *x_cacert, OCSPD_CONFIG *conf ) { PKI_X509_KEYPAIR_VALUE *pkey = NULL; PKI_X509_KEYPAIR *k = NULL; int ret = -1; if (!conf) return (-1); PKI_RWLOCK_read_lock ( &conf->crl_lock ); if( !x_crl || !x_crl->value || !x_cacert || !x_cacert->value ) { if( conf->verbose ) { if(!x_crl || !x_crl->value) PKI_log_err ("CRL missing"); if(!x_cacert || !x_cacert->value) PKI_log_err("CA cert missing"); } PKI_RWLOCK_release_read ( &conf->crl_lock ); return(-1); } /* Gets the Public Key of the CA Certificate */ if((pkey = PKI_X509_CERT_get_data( x_cacert, PKI_X509_DATA_PUBKEY )) == NULL ) { PKI_log_err( "Can not parse PubKey from CA Cert"); PKI_RWLOCK_release_read ( &conf->crl_lock ); return(-3); } if ((k = PKI_X509_new_value(PKI_DATATYPE_X509_KEYPAIR, pkey, NULL)) == NULL ) { PKI_log_err ("Memory Error!"); PKI_RWLOCK_release_read ( &conf->crl_lock ); return(-3); } if ( PKI_X509_verify ( x_crl, k ) == PKI_OK ) { PKI_log_debug("CRL signature is verified!"); ret = PKI_OK; } else { ret = PKI_ERR; } k->value = NULL; PKI_X509_KEYPAIR_free ( k ); PKI_RWLOCK_release_read ( &conf->crl_lock ); if ( ret > 0 ) { PKI_log(PKI_LOG_INFO, "CRL matching CA cert ok [ %d ]", ret); } return ret; }
int OCSPD_load_crl ( CA_LIST_ENTRY *ca, OCSPD_CONFIG *conf ) { int ret = 0; if( !ca ) return PKI_ERR; if( !ca->crl_url ) { PKI_log_err ("CRL URL is empty (%s)!", ca->ca_id ); return PKI_ERR; } if ( ca->crl ) PKI_X509_CRL_free ( ca->crl ); if (( ca->crl = PKI_X509_CRL_get_url ( ca->crl_url, NULL, NULL )) == NULL ) { PKI_log_err ("Failed loading CRL for %s", ca->ca_id ); return PKI_ERR; } /* Let's check the CRL against the CA certificate */ if( (ret = check_crl( ca->crl, ca->ca_cert, conf )) < 1 ) { PKI_log_err( "CRL/CA check error [ %s:%d ]", ca->ca_id, ret ); return PKI_ERR; } /* Now we copy the lastUpdate and nextUpdate fields */ if( ca->crl ) { ca->lastUpdate = PKI_TIME_dup( PKI_X509_CRL_get_data (ca->crl, PKI_X509_DATA_LASTUPDATE)); ca->nextUpdate = PKI_TIME_dup ( PKI_X509_CRL_get_data (ca->crl, PKI_X509_DATA_NEXTUPDATE )); } if((ca->crl_status = check_crl_validity(ca, conf )) == CRL_OK ) { if(conf->verbose) PKI_log( PKI_LOG_INFO, "CRL for %s is Valid", ca->ca_id ); } else { PKI_log_err ( "CRL for %s has ERRORS (%d)", ca->ca_id, ca->crl_status ); } /* Let's get the CRLs entries, if any */ if( ocspd_build_crl_entries_list ( ca, ca->crl ) == NULL ) { PKI_log(PKI_LOG_ALWAYS, "No CRL Entries for %s", ca->ca_id ); }; if(conf->verbose) PKI_log( PKI_LOG_ALWAYS, "CRL loaded for %s", ca->ca_id ); return PKI_OK; }
int PKI_X509_OCSP_RESP_copy_nonce ( PKI_X509_OCSP_RESP *resp, PKI_X509_OCSP_REQ *req ) { PKI_OCSP_RESP *r = NULL; if ( !resp || !resp->value || !req || !req->value ) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; } r = resp->value; if (!r->bs) { PKI_log_err("Missing basic request in OCSP REQ value"); return PKI_ERR; } if(!OCSP_copy_nonce( r->bs, req->value )) { PKI_ERROR(PKI_ERR_OCSP_NONCE_COPY, NULL); return PKI_ERR; } return PKI_OK; }
int ocspd_reload_crls ( OCSPD_CONFIG *conf ) { int i, err; CA_LIST_ENTRY *a = NULL; if( conf->verbose ) PKI_log( PKI_LOG_INFO, "INFO::CRL Reload %ld CAs", PKI_STACK_elements (conf->ca_list)); err = 0; for( i=0; i < PKI_STACK_elements (conf->ca_list); i++ ) { a = PKI_STACK_get_num ( conf->ca_list, i ); if( conf->verbose ) PKI_log(PKI_LOG_INFO, "INFO::Reloading CRL for CA [%s]", a->ca_id ); if( ocspd_load_ca_crl(a, conf) < 0 ) { PKI_log_err("Reload CRL for CA [%s]", a->ca_id ); err++; continue; } } PKI_log(PKI_LOG_INFO, "CRL Reloaded (%d ok, %d err)", i - err, err ); return(1); }
PKI_MEM * HSM_OPENSSL_sign(PKI_MEM *der, PKI_DIGEST_ALG *digest, PKI_X509_KEYPAIR *key) { EVP_MD_CTX *ctx = NULL; size_t out_size = 0; size_t ossl_ret = 0; PKI_MEM *out_mem = NULL; EVP_PKEY *pkey = NULL; if (!der || !der->data || !key || !key->value) { PKI_ERROR( PKI_ERR_PARAM_NULL, NULL); return NULL; } // Private Key pkey = key->value; // Get the Maximum size of a signature ossl_ret = out_size = (size_t) EVP_PKEY_size(pkey); // Initialize the return structure out_mem = PKI_MEM_new ((size_t)out_size); ctx = EVP_MD_CTX_new(); if (!out_mem || !ctx) { if (ctx) EVP_MD_CTX_free(ctx); if (out_mem) PKI_MEM_free(out_mem); PKI_ERROR( PKI_ERR_MEMORY_ALLOC, NULL); return NULL; } EVP_MD_CTX_init(ctx); EVP_SignInit_ex(ctx, digest, NULL); EVP_SignUpdate (ctx, der->data, der->size); // Finalize the signature if (!EVP_SignFinal(ctx, out_mem->data, (unsigned int *) &ossl_ret, pkey)) { PKI_log_err("ERROR while finalizing signature (%s)", HSM_OPENSSL_get_errdesc(HSM_OPENSSL_get_errno(), NULL, 0)); PKI_MEM_free(out_mem); out_mem = NULL; } else out_mem->size = (size_t) ossl_ret; // Cleanup the context #if OPENSSL_VERSION_NUMBER <= 0x1010000f EVP_MD_CTX_cleanup(ctx); #else EVP_MD_CTX_reset(ctx); #endif EVP_MD_CTX_free(ctx); return out_mem; }
int PKI_HMAC_finalize(PKI_HMAC *hmac) { int size = 0; unsigned int verify_size = 0; if (!hmac || !hmac->initialized) return PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); // Let's prepare the return value size = EVP_MD_size(hmac->digestAlg); verify_size = (unsigned int) size; // Generate a new PKI_MEM container hmac->value = PKI_MEM_new((size_t) size); // Let's finalize the HMAC #if OPENSSL_VERSION_NUMBER > 0x0090900fL int rv = HMAC_Final(&hmac->ctx, hmac->value->data, &verify_size); if (!rv) { PKI_log_err("can not finalize HMAC"); PKI_MEM_free(hmac->value); hmac->value = NULL; return PKI_ERR; } #else // In OpenSSL < 0.9.9 the return value is actually void HMAC_Final(&hmac->ctx, hmac->value->data, &verify_size); #endif // Checks the sizes if (verify_size != size) { PKI_log_err("Error while finalizing HMAC, size (%d) should be (%d)", verify_size, hmac->value->size); PKI_MEM_free(hmac->value); hmac->value = NULL; return PKI_ERR; } return PKI_OK; }
int PKI_X509_PKCS7_add_cert (PKI_X509_PKCS7 *p7, PKI_X509_CERT *x) { if ( !p7 || !p7->value || !x || !x->value ) { PKI_log_err( "PKI_X509_PKCS7_add_cert()::Missing required param!"); return PKI_ERR; } PKCS7_add_certificate( p7->value, x->value ); return( PKI_OK ); }
int PKI_X509_PKCS7_add_crl ( PKI_X509_PKCS7 *p7, PKI_X509_CRL *crl ) { if ( !p7 || !p7->value || !crl ) { PKI_log_err( "PKI_X509_PKCS7_add_crl()::Missing CRL"); return PKI_ERR; } PKCS7_add_crl( p7->value, crl->value ); return( PKI_OK ); }
/* * \brief Returns a B64 encoded PKI_MEM for the hmac value */ PKI_MEM *PKI_HMAC_get_value_b64(PKI_HMAC *hmac) { PKI_MEM *ret = NULL; // This returns a duplicate of the PKI_MEM value ret = PKI_HMAC_get_value(hmac); if (!ret) PKI_log_err("can not get the HMAC PKI_MEM value"); // If a valid PKI_MEM is returned, let's B64 it if (ret && ret->data && ret->size > 0) { if (PKI_MEM_encode(ret, PKI_DATA_FORMAT_B64, 0) != PKI_OK) { PKI_log_err("can not B64 encoding HMAC PKI_MEM value"); if (ret) PKI_MEM_free(ret); return NULL; } } return ret; }
int thread_make ( int i ) { PKI_THREAD *th_id = NULL; int * id = NULL; // Basic Memory Check if (!ocspd_conf || !ocspd_conf->threads_list) return -1; // Gets the right pointer where to store the new thread identifier th_id = &ocspd_conf->threads_list[i].thread_tid; if ((id = (int *) PKI_Malloc(sizeof(int))) == NULL) { PKI_log_err("Memory allocation error!"); return -1; } // Assign the thread id *id = i; // Let's generate the new thread // if ((ret = PKI_THREAD_create(th_id, NULL, thread_main, (void *) &i)) != PKI_OK) if ((th_id = PKI_THREAD_new(thread_main, (void *) id)) == NULL) { PKI_log_err("ERROR::OPENCA_SRV_ERR_THREAD_CREATE"); return(-1); } // Copy the value of the thread structure memcpy(&ocspd_conf->threads_list[i].thread_tid, th_id, sizeof(PKI_THREAD)); // Frees the memory associated with the original structure PKI_Free(th_id); // Returns ok return OCSPD_SRV_OK; }
PKI_X509_CERT_TYPE PKI_X509_CERT_get_type(const PKI_X509_CERT *x) { PKI_X509_CERT_TYPE ret = PKI_X509_CERT_TYPE_USER; const PKI_X509_NAME *subj = NULL; const PKI_X509_NAME *issuer = NULL; BASIC_CONSTRAINTS *bs = NULL; PKI_X509_EXTENSION *ext = NULL; if (!x || !x->value || (x->type != PKI_DATATYPE_X509_CERT) ) return PKI_X509_CERT_TYPE_UNKNOWN; subj = PKI_X509_CERT_get_data ( x, PKI_X509_DATA_SUBJECT ); issuer = PKI_X509_CERT_get_data ( x, PKI_X509_DATA_ISSUER ); if ( subj && issuer ) { if ( PKI_X509_NAME_cmp( subj, issuer ) == 0) { ret |= PKI_X509_CERT_TYPE_ROOT; } } if((ext = PKI_X509_CERT_get_extension_by_id ( x, NID_basic_constraints)) != NULL ) { if(( bs = ext->value )) { if ( bs->ca ) ret |= PKI_X509_CERT_TYPE_CA; BASIC_CONSTRAINTS_free ( bs ); } PKI_X509_EXTENSION_free ( ext ); } if((ext = PKI_X509_CERT_get_extension_by_id ( x, NID_proxyCertInfo )) != NULL ) { if ( ret & PKI_X509_CERT_TYPE_CA ) { PKI_log_err ( "Certificate Error, Proxy Cert info set", "in a CA certificate!"); } else { ret |= PKI_X509_CERT_TYPE_PROXY; } PKI_X509_EXTENSION_free ( ext ); } return ret; }
int PKI_MEM_add( PKI_MEM *buf, char *data, size_t data_size ) { size_t curr_size = 0; if( (!buf) || (!data) || (data_size == 0) ) { return (PKI_ERR); } curr_size = PKI_MEM_get_size ( buf ); if( PKI_MEM_grow( buf, data_size ) == 0 ) { PKI_log_err("Can not mem grow!"); return (PKI_ERR); } memcpy(buf->data + curr_size, data, data_size ); return( PKI_OK ); }
PKI_X509_EXTENSION_STACK *PKI_X509_CERT_get_extensions(const PKI_X509_CERT *x) { PKI_X509_EXTENSION_STACK *ret = NULL; int i = 0; int ext_count = 0; if (!x) return NULL; if ((ext_count = X509_get_ext_count (x->value)) <= 0 ) return NULL; for ( i=0; i < ext_count; i++ ) { LIBPKI_X509_EXTENSION *ext = NULL; // PKI_X509_EXTENSION_VALUE *ext = NULL; PKI_X509_EXTENSION *pki_ext = NULL; if((ext = X509_get_ext ( x->value, i )) == NULL ) { continue; } if((pki_ext = PKI_X509_EXTENSION_new()) == NULL ) { PKI_log_err ( "Memory Allocation"); continue; } if( ext->object == NULL ) { PKI_X509_EXTENSION_free ( pki_ext ); continue; } pki_ext->oid = PKI_OID_dup ( ext->object ); pki_ext->critical = ext->critical; if((pki_ext->value = X509V3_EXT_d2i ( ext )) == NULL ) { PKI_log_debug( "Extension %d -- not parsable", i); PKI_X509_EXTENSION_free ( pki_ext ); continue; } } return ret; }
PKI_X509_EXTENSION_STACK *PKI_X509_EXTENSION_get_list ( void *x, PKI_X509_DATA type ) { PKI_X509_EXTENSION_STACK *ret = NULL; int i = 0; int ext_count = 0; if (!x) return NULL; if ((ext_count = X509_get_ext_count (x)) <= 0 ) return NULL; if(( ret = PKI_STACK_X509_EXTENSION_new()) == NULL ) return NULL; for ( i=0; i < ext_count; i++ ) { PKI_X509_EXTENSION_VALUE *ext = NULL; PKI_X509_EXTENSION *pki_ext = NULL; if((ext = X509_get_ext ( x, i )) == NULL ) { continue; } if((pki_ext = PKI_X509_EXTENSION_new()) == NULL ) { PKI_log_err ( "Memory Allocation"); continue; } pki_ext->oid = ext->object; pki_ext->critical = ext->critical; if((pki_ext->value = X509V3_EXT_d2i ( ext )) == NULL ) { PKI_log_debug( "Extension %d -- not parsable", i); PKI_X509_EXTENSION_free ( pki_ext ); continue; } PKI_STACK_X509_EXTENSION_push ( ret, pki_ext ); } return ret; }
int PKI_X509_PKCS7_add_cert_stack ( PKI_X509_PKCS7 *p7, PKI_X509_CERT_STACK *x_sk ) { int i; if( !p7 || !p7->value || !x_sk ) { PKI_log_err( "PKI_X509_PKCS7_add_crl_stack()::Missing param!"); return PKI_ERR; } for( i=0; i < PKI_STACK_X509_CERT_elements( x_sk ); i++ ) { PKI_X509_CERT *x = NULL; if(( x = PKI_STACK_X509_CERT_get_num( x_sk, i )) == NULL) { continue; } PKCS7_add_certificate( p7->value, x->value ); } return ( PKI_OK ); }
int PKI_X509_PKCS7_add_crl_stack ( PKI_X509_PKCS7 *p7, PKI_X509_CRL_STACK *crl_sk ) { int i; if( !p7 || !p7->value || !crl_sk ) { PKI_log_err( "PKI_X509_PKCS7_add_crl_stack()::Missing param!"); return PKI_ERR; } for( i=0; i < PKI_STACK_X509_CRL_elements( crl_sk ); i++ ) { PKI_X509_CRL *crl = NULL; if(( crl = PKI_STACK_X509_CRL_get_num ( crl_sk, i )) == NULL ){ continue; } PKCS7_add_crl ( p7->value, crl->value ); } return PKI_OK; }
int set_alrm_handler( void ) { /* Now on the parent process we setup the auto_checking functions */ struct sigaction sa; if( ocspd_conf->crl_auto_reload || ocspd_conf->crl_check_validity ) { int auto_rel, val_check; /* Help variable, for readability reasons */ auto_rel = ocspd_conf->crl_auto_reload; val_check = ocspd_conf->crl_check_validity; /* This returns the min of the two values if it is not 0, otherwise return the other */ ocspd_conf->alarm_decrement = (( auto_rel > val_check ) ? (val_check ? val_check : auto_rel) : (auto_rel ? auto_rel : val_check )); sa.sa_handler = auto_crl_check; sigemptyset(&sa.sa_mask); sa.sa_flags = SA_RESTART; if (sigaction(SIGALRM, &sa, NULL) == -1) { PKI_log_err("Error handling the death processes"); exit(1); } /* signal( SIGALRM, auto_crl_check ); */ alarm ( (unsigned int) ocspd_conf->alarm_decrement ); } else { signal( SIGALRM, SIG_IGN); } return 1; }
PKI_X509_PKCS7 *PKI_X509_PKCS7_new ( PKI_X509_PKCS7_TYPE type ) { PKI_X509_PKCS7 *p7 = NULL; PKI_X509_PKCS7_VALUE *value = NULL; if((p7 = PKI_X509_new( PKI_DATATYPE_X509_PKCS7, NULL )) == NULL ) { PKI_log_debug("PKI_X509_PKCS7_new()::Memory Error!"); return ( NULL ); } if((value = p7->cb->create()) == NULL ) { PKI_log_debug ("Memory Allocation Error."); return NULL; } if(!PKCS7_set_type( value, type )) { PKI_log_err( "PKI_X509_PKCS7_new()::Can not set PKCS7 type!"); return ( NULL ); } p7->value = value; switch ( type ) { case PKI_X509_PKCS7_TYPE_ENCRYPTED: case PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED: if(!PKI_X509_PKCS7_set_cipher( p7, (EVP_CIPHER *) PKI_CIPHER_AES(256,cbc))) { PKI_log_debug("PKI_X509_PKCS7_new()::Can not set " "cipher!"); }; break; case PKI_X509_PKCS7_TYPE_SIGNED: PKCS7_content_new ( value, NID_pkcs7_data ); break; default: break; } return ( p7 ); }
int PKI_X509_CERT_add_extension_stack(PKI_X509_CERT *x, const PKI_X509_EXTENSION_STACK *ext) { int i = 0; PKI_X509_EXTENSION *ossl_ext = NULL; if( !x || !x->value || !ext ) return (PKI_ERR); for( i = 0; i < PKI_STACK_X509_EXTENSION_elements(ext); i++ ) { ossl_ext = PKI_STACK_X509_EXTENSION_get_num( ext, i); if( !ossl_ext ) continue; if(!X509_add_ext ((X509 *) x->value, ossl_ext->value, -1 )) { PKI_log_err ( "Adding Extensions::%s", ERR_error_string( ERR_get_error(), NULL ) ); return ( PKI_ERR ); }; } return (PKI_OK); }
/*! \brief Returns the type of DNS records identified by the passed char * arg */ int URL_get_dns_type(char *str) { int ret = -1; if (!str) return ret; #ifdef HAVE_LIBRESOLV if (strncmp_nocase(str, "AAAA", 4) == 0) { ret = T_AAAA; } else if (strncmp_nocase(str, "A", 1) == 0) { ret = T_A; } else if (strncmp_nocase(str, "NS", 2) == 0) { ret = T_NS; } else if (strncmp_nocase(str, "MX", 2) == 0) { ret = T_MX; } else if (strncmp_nocase(str, "CNAME", 5) == 0) { ret = T_CNAME; } else if (strncmp_nocase(str, "SRV", 3) == 0) { ret = T_SRV; } else if (strncmp_nocase(str, "TXT", 3) == 0) { ret = T_TXT; } else if (strncmp_nocase(str, "CERT", 4) == 0) { ret = T_CERT; } else if (strncmp_nocase(str, "ANY", 3) == 0) { ret = T_ANY; } else if (atoi(str) > 0) { ret = atoi(str); } else { PKI_log_err("DNS URI: record type (%s) not supported.", str); } PKI_log_debug("DNS URI: record type (%s=%d) parsed", str, ret); #else PKI_log_debug("DNS URI: dns support disabled at compile time"); #endif return ret; }
PKI_X509_KEYPAIR *HSM_X509_KEYPAIR_new_url( PKI_KEYPARAMS *params, URL *url, PKI_CRED *cred, HSM *driver ) { PKI_X509_KEYPAIR *ret = NULL; HSM *hsm = NULL; if ( !params ) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return NULL; }; if( driver ) { hsm = driver; } else { hsm = (HSM *) HSM_get_default(); // PKI_log_debug("Getting Default HSM (%p/%p)", hsm, &openssl_hsm ); /* PKI_log_debug("%s:%d::DEBUG => Getting Default HSM (%p/%p)", __FILE__, __LINE__, hsm, &openssl_hsm ); PKI_log_debug("%s:%d::DEBUG => Default HSM (CALLBK %p/%p)", hsm->callbacks, &openssl_hsm_callbacks ); hsm->callbacks = &openssl_hsm_callbacks; PKI_log_debug("%s:%d::DEBUG (CB keypair_new_url=>%p)", __FILE__, __LINE__ , hsm->callbacks->keypair_new_url ); */ } if( hsm && hsm->callbacks && hsm->callbacks->keypair_new_url ) { ret = hsm->callbacks->keypair_new_url(params,url,cred,hsm); } else { PKI_log_err("HSM does not provide key generation"); // ret = HSM_OPENSSL_KEYPAIR_new( type, bits, url, cred, NULL ); } return ( ret ); }
int main (int argc, char *argv[]) { PKI_MEM_STACK *sk = NULL; PKI_MEM *obj = NULL; PKI_SSL *ssl = NULL; // PKI_TOKEN *tk = NULL; PKI_SOCKET *sock = NULL; URL * url = NULL; char *url_s = NULL; char *outurl_s = "fd://1"; char *trusted_certs = NULL; char *dump_cert = NULL; char *dump_chain = NULL; int debug = 0; int verify_chain = 1; int i = 0; int timeout = 0; int get_via_socket = 0; PKI_init_all(); if( !argv[1] ) { usage(); return(1); } for( i = 1; i <= argc; i++ ) { if( strcmp_nocase( argv[i], "-out" ) == 0 ) { outurl_s = argv[++i]; } else if ( strcmp_nocase ( argv[i], "-trusted" ) == 0 ) { trusted_certs = argv[++i]; } else if ( strcmp_nocase ( argv[i], "-dumpcert" ) == 0 ) { if((dump_cert = argv[++i]) == NULL ) { fprintf(stderr, "\nERROR: -dumpcert needs a file url!\n\n"); exit(1); } } else if ( strcmp_nocase ( argv[i], "-dumpchain" ) == 0 ) { if((dump_chain = argv[++i]) == NULL ) { fprintf(stderr, "\nERROR: -dumpchain needs a file url!\n\n"); exit(1); } } else if ( strcmp_nocase ( argv[i], "-timeout" ) == 0 ) { timeout = atoi( argv[++i] ); if ( timeout < 0 ) timeout = 0; } else if ( strcmp_nocase ( argv[i], "-no_verify" ) == 0 ) { verify_chain = 0; } else if ( strcmp_nocase( argv[i], "-debug" ) == 0 ) { debug = 1; } else { url_s = argv[i]; if ( i < argc - 1 ) { fprintf( stderr, "Args after URL ignored!(%s %d/%d)\n", url_s, i, argc ); } break; } } if((url = URL_new( url_s )) == NULL ) { printf("\nERROR, %s is not a valid URL!\n\n", url_s ); usage(); return (1); } if( debug ) { if(( PKI_log_init (PKI_LOG_TYPE_STDERR, PKI_LOG_INFO, NULL, PKI_LOG_FLAGS_ENABLE_DEBUG, NULL )) == PKI_ERR) { exit(1); } } else { if(( PKI_log_init (PKI_LOG_TYPE_STDERR, PKI_LOG_INFO, NULL, 0, NULL )) == PKI_ERR) { exit(1); } } // Check if we should use the socket approach or the simple URL // retrieval facility switch (url->proto) { case URI_PROTO_FD: case URI_PROTO_FILE: case URI_PROTO_HTTP: case URI_PROTO_HTTPS: case URI_PROTO_LDAP: get_via_socket = 1; break; default: get_via_socket = 0; } // // -------------------------- Setup the SSL Options ------------------------ // if(( ssl = PKI_SSL_new( NULL )) == NULL ) { fprintf(stderr, "ERROR: Memory allocation error (PKI_SSL_new)\n"); return ( 1 ); } if ( trusted_certs ) { PKI_X509_CERT_STACK *sk = NULL; if(( sk = PKI_X509_CERT_STACK_get ( trusted_certs, NULL, NULL)) == NULL ) { PKI_log_err ("Can't load Trusted Certs from %s", trusted_certs ); return 1; } PKI_SSL_set_trusted ( ssl, sk ); if ( verify_chain ) { PKI_SSL_set_verify(ssl, PKI_SSL_VERIFY_PEER_REQUIRE); } else { PKI_SSL_set_verify(ssl, PKI_SSL_VERIFY_PEER); } } if ( verify_chain == 0 ) { PKI_SSL_set_verify ( ssl, PKI_SSL_VERIFY_NONE ); fprintf(stderr, "WARNING: no verify set!\n"); } if(( sock = PKI_SOCKET_new ()) == NULL ) { fprintf(stderr, "ERROR, can not create a new Socket!\n\n"); exit(1); } PKI_SOCKET_set_ssl ( sock, ssl ); // // ------------------------------ Retrieve Data ----------------------------- // if (get_via_socket) { if( PKI_SOCKET_open( sock, url_s, timeout ) == PKI_ERR ) { fprintf(stderr, "ERROR, can not connect to %s!\n\n", url_s); exit(1); } ssl = PKI_SOCKET_get_ssl (sock); if (dump_cert) { PKI_X509_CERT *x = NULL; if ( !ssl ) { fprintf( stderr, "ERROR: Can not dump cert (no SSL)\n"); } if((x = PKI_SSL_get_peer_cert ( ssl )) == NULL ) { fprintf( stderr, "ERROR: No Peer certificate is available\n"); } if( PKI_X509_CERT_put ( x, PKI_DATA_FORMAT_PEM, dump_cert, NULL, NULL, NULL ) == PKI_ERR){ fprintf(stderr, "ERROR: can not write Peer cert to " "%s\n", dump_cert ); } } if (dump_chain) { PKI_X509_CERT_STACK *x_sk = NULL; if ( !ssl ) { fprintf( stderr, "ERROR: Can not dump cert (no SSL)\n"); } if((x_sk = PKI_SSL_get_peer_chain ( ssl )) == NULL ) { fprintf( stderr, "ERROR: No certificate chain is available\n"); } if( PKI_X509_CERT_STACK_put ( x_sk, PKI_DATA_FORMAT_PEM, dump_chain, NULL, NULL, NULL ) == PKI_ERR){ fprintf(stderr, "ERROR: can not write Peer cert to " "%s\n", dump_cert ); } } if((sk = URL_get_data_socket ( sock, timeout, 0 )) == NULL ) { fprintf(stderr, "ERROR, can not retrieve data!\n\n"); return(-1); } PKI_SOCKET_close ( sock ); PKI_SOCKET_free ( sock ); } else // Get Data via the usual URL socket-less approach { sk = URL_get_data_url (url, timeout, 0, ssl); } PKI_log_debug("URL: Number of retrieved entries is %d", PKI_STACK_MEM_elements(sk)); while( (obj = PKI_STACK_MEM_pop ( sk )) != NULL ) { URL_put_data ( outurl_s, obj, NULL, NULL, 0, 0, NULL ); } return 0; }
PKI_CONFIG * PKI_CONFIG_OID_load ( char *oidFile ) { PKI_OID *oid = NULL; PKI_CONFIG *doc = NULL; PKI_CONFIG_ELEMENT *curr = NULL; PKI_CONFIG_ELEMENT_STACK *sk = NULL; int size = 0; int i = 0; if ( !oidFile ) return NULL; if((doc = PKI_CONFIG_load ( oidFile)) == NULL ) { PKI_log_err ("Can not open OID file %s", oidFile ); return (NULL); }; // if((oid = PKI_OID_get( searchName )) != NULL ) { // return ( oid ); // } // snprintf( (char *) oidSearchBuff, BUFF_MAX_SIZE, // "/objectIdentifiers/oid[@name=\"%s\"]", searchName ); if (( sk = PKI_CONFIG_get_element_stack ( doc, (char *) "/objectIdentifiers/oid" )) == NULL ) { // PKI_log_debug("[WARNING] no OID found in %s", oidFile ); return NULL; } size = PKI_STACK_CONFIG_ELEMENT_elements ( sk ); for( i = 0; i < size; i++ ) { curr = PKI_STACK_CONFIG_ELEMENT_get_num ( sk, i ); if( curr && curr->type == XML_ELEMENT_NODE ) { xmlChar *name = NULL; xmlChar *descr = NULL; xmlChar *val = NULL; name = xmlGetProp( curr, (xmlChar *) "name" ); descr = xmlGetProp( curr, (xmlChar *) "description" ); val = xmlNodeListGetString(doc, curr->xmlChildrenNode, 1); PKI_log_debug("[OID load] Creating OID (%s, %s, %s)", name, descr, val ); oid = PKI_OID_new ( (char *) val, (char *) name, (char *) descr); if( descr ) xmlFree ( descr ); if( name ) xmlFree ( name ); if( val ) xmlFree ( val ); if( oid == NULL ) { PKI_log_debug("Failed Creating OID (%s, %s, %s)", name, descr, val ); } } } return (doc); }