int
mcp_frame_process_input(McpFrame * mfr, const char *linein, char *outbuf, int bufsize)
{
if (!strncmp_nocase(linein, MCP_MESG_PREFIX, 3)) {
/* treat it as an out-of-band message, and parse it. */
if (mfr->enabled || !strncmp_nocase(MCP_INIT_MESG, linein + 3, 4)) {
if (!mcp_internal_parse(mfr, linein + 3)) {
strncpy(outbuf, linein, bufsize);
outbuf[bufsize - 1] = '\0';
return 1;
}
return 0;
} else {
strncpy(outbuf, linein, bufsize);
outbuf[bufsize - 1] = '\0';
return 1;
}
} else if (mfr->enabled && !strncmp_nocase(linein, MCP_QUOTE_PREFIX, 3)) {
/* It's quoted in-band data. Strip the quoting. */
strncpy(outbuf, linein + 3, bufsize);
} else {
/* It's in-band data. Return it raw. */
strncpy(outbuf, linein, bufsize);
}
outbuf[bufsize - 1] = '\0';
return 1;
}
ngram_file_type_t
ngram_file_name_to_type(const char *file_name)
{
const char *ext;
ext = strrchr(file_name, '.');
if (ext == NULL) {
return NGRAM_INVALID;
}
if (0 == strcmp_nocase(ext, ".gz")) {
while (--ext >= file_name) {
if (*ext == '.')
break;
}
if (ext < file_name) {
return NGRAM_INVALID;
}
}
else if (0 == strcmp_nocase(ext, ".bz2")) {
while (--ext >= file_name) {
if (*ext == '.')
break;
}
if (ext < file_name) {
return NGRAM_INVALID;
}
}
/* We use strncmp because there might be a .gz on the end. */
if (0 == strncmp_nocase(ext, ".ARPA", 5))
return NGRAM_ARPA;
if (0 == strncmp_nocase(ext, ".DMP", 4)
|| 0 == strncmp_nocase(ext, ".BIN", 4))
return NGRAM_BIN;
return NGRAM_INVALID;
}
char * PKI_HTTP_get_header_txt (const char * orig_data,
const char * header) {
char *tk = NULL, *pnt = NULL;
char *ret = NULL;
char *data = NULL;
int found = 0;
if( !orig_data || !header || !strlen(orig_data) || !strlen(header))
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return NULL;
}
if ((data = strdup(orig_data)) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
}
for (tk = strtok_r ( data, "\r\n", &pnt ); tk; tk = strtok_r(NULL, "\r\n", &pnt))
{
if ( tk == NULL ) break;
if (strncmp_nocase(tk, header, (int) strlen(header)) == 0)
{
found = 1;
break;
}
}
if (!found)
{
PKI_Free ( data );
return NULL;
}
if ((pnt = strchr( tk, ':' )) == NULL)
{
PKI_Free ( data );
return NULL;
}
pnt++;
while ((pnt != NULL ) && (*pnt == ' ' )) {
pnt++;
}
if (pnt) ret = strdup( pnt );
PKI_Free ( data );
return ret;
}
/*! \brief Returns the type of DNS records identified by the passed char * arg */
int URL_get_dns_type(char *str) {
int ret = -1;
if (!str) return ret;
#ifdef HAVE_LIBRESOLV
if (strncmp_nocase(str, "AAAA", 4) == 0) {
ret = T_AAAA;
} else if (strncmp_nocase(str, "A", 1) == 0) {
ret = T_A;
} else if (strncmp_nocase(str, "NS", 2) == 0) {
ret = T_NS;
} else if (strncmp_nocase(str, "MX", 2) == 0) {
ret = T_MX;
} else if (strncmp_nocase(str, "CNAME", 5) == 0) {
ret = T_CNAME;
} else if (strncmp_nocase(str, "SRV", 3) == 0) {
ret = T_SRV;
} else if (strncmp_nocase(str, "TXT", 3) == 0) {
ret = T_TXT;
} else if (strncmp_nocase(str, "CERT", 4) == 0) {
ret = T_CERT;
} else if (strncmp_nocase(str, "ANY", 3) == 0) {
ret = T_ANY;
} else if (atoi(str) > 0) {
ret = atoi(str);
} else {
PKI_log_err("DNS URI: record type (%s) not supported.", str);
}
PKI_log_debug("DNS URI: record type (%s=%d) parsed", str, ret);
#else
PKI_log_debug("DNS URI: dns support disabled at compile time");
#endif
return ret;
}
char *pkcs11_parse_url_getval ( URL * url, char *keyword ) {
char * ret = NULL;
char * tmp_s = NULL;
char * tmp_s2 = NULL;
char *col = NULL;
char *val = NULL;
if( !url || !url->path ) return( NULL );
tmp_s = url->path;
while((tmp_s2 = strchr(tmp_s, '/')) != NULL ) {
tmp_s2++;
tmp_s = tmp_s2;
}
if((col = PKI_Malloc( 1024 )) == NULL ) {
return( NULL );
}
if((val = PKI_Malloc( 1024 )) == NULL ) {
PKI_Free( col );
return (NULL);
}
while( sscanf(tmp_s, "(%[^=]=\"%[^\"])", col, val) > 1 ) {
if( (strlen(col) == strlen(keyword)) &&
(strncmp_nocase( col,keyword,(int)strlen(keyword)) ) == 0 ) {
ret = strdup( val );
goto end;
}
/* The tmp_s should point to the next token */
tmp_s += strlen(col) + strlen(val) + 3;
}
end:
if( col ) PKI_Free ( col );
if( val ) PKI_Free ( val );
return( ret );
}
PKI_STACK *PKI_X509_CERT_get_cdp (const PKI_X509_CERT *x) {
STACK_OF(DIST_POINT) *sk_cdp = NULL;
DIST_POINT *cdp = NULL;
STACK_OF(CONF_VALUE) *sk_val = NULL;
CONF_VALUE *v = NULL;
PKI_STACK *ret = NULL;
PKI_X509_CERT_VALUE *cert = NULL;
char *tmp_s = NULL;
int k = -1;
int i = 0;
if ( !x || !x->value ) return NULL;
cert = (PKI_X509_CERT_VALUE *) x->value;
if(( sk_cdp = X509_get_ext_d2i(cert,
NID_crl_distribution_points,
NULL, NULL)) == NULL ) {
return NULL;
}
/* Should we go through the whole stack ? Maybe, now we just
take the first value... */
if ( sk_DIST_POINT_num ( sk_cdp ) < 1 ) {
return NULL;
}
for ( i = 0 ; i < sk_DIST_POINT_num ( sk_cdp ); i++ ) {
cdp = sk_DIST_POINT_value ( sk_cdp, i );
if( cdp->distpoint ) {
if(cdp->distpoint->type == 0) {
if( cdp->distpoint->name.fullname ) {
sk_val = i2v_GENERAL_NAMES(NULL,
cdp->distpoint->name.fullname,
sk_val);
k=0;
for( ;; ) {
v = sk_CONF_VALUE_value( sk_val, k++ );
if( v == NULL ) break;
if( strncmp_nocase("URI",
v->name, 3) == 0 ) {
PKI_log_debug( "INFO::Found "
"CDP in cert %s:%s",
v->name, v->value );
if (!ret) {
ret = PKI_STACK_new_null ();
if (!ret) return NULL;
}
tmp_s = strdup( v->value );
PKI_STACK_push ( ret, tmp_s );
}
}
// sk_CONF_VALUE_free(sk_val);
}
} // else {
// DIST_POINT_free( cdp );
// sk_DIST_POINT_free( sk_cdp );
//}
}
}
return ret;
}
int
mcp_intern_is_mesg_start(McpFrame * mfr, const char *in)
{
char mesgname[128];
char authkey[128];
char *subname = NULL;
McpMesg *newmsg = NULL;
McpPkg *pkg = NULL;
int longlen = 0;
if (!mcp_intern_is_ident(&in, mesgname, sizeof(mesgname)))
return 0;
if (strcmp_nocase(mesgname, MCP_INIT_PKG)) {
if (!isspace(*in))
return 0;
while (isspace(*in))
in++;
if (!mcp_intern_is_unquoted(&in, authkey, sizeof(authkey)))
return 0;
if (strcmp(authkey, mfr->authkey))
return 0;
}
if (strncmp_nocase(mesgname, MCP_INIT_PKG, 3)) {
for (pkg = mfr->packages; pkg; pkg = pkg->next) {
int pkgnamelen = strlen(pkg->pkgname);
if (!strncmp_nocase(pkg->pkgname, mesgname, pkgnamelen)) {
if (mesgname[pkgnamelen] == '\0' || mesgname[pkgnamelen] == '-') {
if (pkgnamelen > longlen) {
longlen = pkgnamelen;
}
}
}
}
}
if (!longlen) {
int neglen = strlen(MCP_NEGOTIATE_PKG);
if (!strncmp_nocase(mesgname, MCP_NEGOTIATE_PKG, neglen)) {
longlen = neglen;
} else if (!strcmp_nocase(mesgname, MCP_INIT_PKG)) {
longlen = strlen(mesgname);
} else {
return 0;
}
}
subname = mesgname + longlen;
if (*subname) {
*subname++ = '\0';
}
newmsg = (McpMesg *) malloc(sizeof(McpMesg));
mcp_mesg_init(newmsg, mesgname, subname);
while (*in) {
if (!mcp_intern_is_keyval(newmsg, &in)) {
mcp_mesg_clear(newmsg);
free(newmsg);
return 0;
}
}
/* Okay, we've recieved a valid message. */
if (newmsg->incomplete) {
/* It's incomplete. Remember it to finish later. */
const char *msgdt = mcp_mesg_arg_getline(newmsg, MCP_DATATAG, 0);
newmsg->datatag = string_dup(msgdt);
mcp_mesg_arg_remove(newmsg, MCP_DATATAG);
newmsg->next = mfr->messages;
mfr->messages = newmsg;
} else {
/* It's complete. Execute the callback function for this package. */
mcp_frame_package_docallback(mfr, newmsg);
mcp_mesg_clear(newmsg);
free(newmsg);
}
return 1;
}
/*
* Parses the PKI_MEM that contains the header looking for specific HTTP
* headers, the requested path, and the HTTP version and code. Returns
* PKI_OK in case of success, PKI_ERR otherwise.
*/
int __parse_http_header(PKI_HTTP *msg)
{
// Let's parse the first line of the HTTP message
char *eol = NULL;
char *method = NULL;
char *path = NULL;
char *http_version = NULL;
char *line = NULL;
char *tmp_ptr = NULL;
size_t line_size = 0;
// Shortcut for msg->head
PKI_MEM *m = NULL;
// Checks the input
if (msg == NULL || msg->head == NULL || msg->head->data == NULL || msg->head->size < 1)
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
// For better understanding, we use a proxy variable to access the head
m = msg->head;
// Let's parse the path and the details from the first line in the header
if (((eol = strchr((char *)m->data, '\n')) == NULL) &&
(eol = strchr((char*)m->data, '\r')) == NULL)
{
// ERROR: here we should have at least one line (since we already
// have the eoh detected, return the error by returning NULL
return PKI_ERR;
}
// Let's parse the path and version number
line_size = (size_t) (eol - (char*)m->data);
if ((line = PKI_Malloc(line_size + 1)) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return PKI_ERR;
}
// Copy the first line (strtok_r alters the original string)
memcpy(line, m->data, line_size);
// Retrieves the first token - [i.e., GET/POST/HTTP ...]
method = strtok_r(line, " ", &tmp_ptr);
if (method == NULL)
{
PKI_log_err("Can not parse HTTP method");
PKI_Free(line);
return PKI_ERR;
}
if (strncmp_nocase(method, PKI_HTTP_METHOD_HTTP_TXT, 4) == 0)
{
// This is usually an HTTP response
msg->method = PKI_HTTP_METHOD_HTTP;
// Let's get the version and the code
if (sscanf((const char *)msg->head->data,"HTTP/%f %d", &msg->version, &msg->code) < 1)
{
PKI_log_debug("ERROR Parsing HTTP Version and Code");
PKI_Free(line);
return PKI_ERR;
}
}
else if (strncmp_nocase(method, PKI_HTTP_METHOD_GET_TXT, 3) == 0 ||
strncmp_nocase(method, PKI_HTTP_METHOD_POST_TXT, 4) == 0)
{
if (strncmp_nocase(method, PKI_HTTP_METHOD_GET_TXT, 3) == 0)
msg->method = PKI_HTTP_METHOD_GET;
else
msg->method = PKI_HTTP_METHOD_POST;
path = strtok_r(NULL, " ", &tmp_ptr);
if (path == NULL)
{
// This is an error, we should get the path for a POST or a GET
PKI_Free(line);
return PKI_ERR;
}
msg->path = strdup(path);
http_version = strtok_r(NULL, " ", &tmp_ptr);
if (http_version == NULL)
{
// This is an error, we should be able to get the HTTP version from the third token
PKI_Free(line);
return PKI_ERR;
}
else if(sscanf(http_version,"HTTP/%f", &msg->version) < 1)
{
PKI_log_debug("ERROR Parsing HTTP Version");
PKI_Free(line);
return PKI_ERR;
}
}
else
{
PKI_log_err("Unsupported HTTP Method detected (%s)", method);
PKI_Free(line);
return PKI_ERR;
}
// We do not need the line anymore, let's free the memory
if (line) PKI_Free(line);
// Success
return PKI_OK;
}
int PKI_HTTP_get_socket (const PKI_SOCKET * sock,
const char * data,
size_t data_size,
const char * content_type,
int method,
int timeout,
size_t max_size,
PKI_MEM_STACK ** sk ) {
size_t len = 0;
const char *my_cont_type = "application/unknown";
PKI_HTTP *http_rv = NULL;
int rv = -1;
int ret = PKI_OK;
size_t max_len = 0;
size_t auth_len = 0;
char *tmp = NULL;
char *auth_tmp = NULL;
char *head_get =
"GET %s HTTP/1.1\r\n"
"Host: %s\r\n"
"User-Agent: LibPKI\r\n"
"Connection: close\r\n"
"%s";
char *head_post =
"POST %s HTTP/1.1\r\n"
"Host: %s\r\n"
"User-Agent: LibPKI\r\n"
"Connection: close\r\n"
"Content-type: %s\r\n"
"Content-Length: %d\r\n"
"%s";
char *head = NULL;
if ( timeout < 0 ) timeout = 0;
if ( !sock || !sock->url ) return PKI_ERR;
// Process the authentication information if provided by the caller
if (sock->url && sock->url->usr && sock->url->pwd)
{
// Rough estimate for the auth string
max_len = strlen(sock->url->usr) + strlen(sock->url->pwd) + 100;
// Special case for when a usr/pwd was specified in the URL
auth_tmp = PKI_Malloc(len);
auth_len = (size_t)snprintf(auth_tmp, len, "Authentication: user %s:%s\r\n\r\n", sock->url->usr, sock->url->pwd);
}
else
{
// If we do not have the auth info, we just add the end of header
auth_len = 2;
auth_tmp = "\r\n";
}
if (method == PKI_HTTP_METHOD_GET)
{
// Gets the right header
head = head_get;
// Estimate the header's final size
max_len =
strlen(head) +
strlen(sock->url->path) +
strlen(sock->url->addr) +
101;
// Allocates enough space for the header
tmp = PKI_Malloc ( max_len + auth_len );
// Prints the header into the tmp container
len = (size_t) snprintf(tmp, max_len, head, sock->url->path, sock->url->addr, auth_tmp);
}
else if (method == PKI_HTTP_METHOD_POST)
{
// Gets the right head
head = head_post;
// Determines the right content type
if ( content_type ) my_cont_type = content_type;
else my_cont_type = "text/html";
// Checks the max len for the allocated header
max_len =
strlen(head) +
strlen(sock->url->path) +
strlen(sock->url->addr) +
strlen(my_cont_type) +
101;
// Allocates the memory for the header
tmp = PKI_Malloc ( max_len + auth_len );
// Prints the header into the tmp container
len = (size_t) snprintf(tmp, max_len, head, sock->url->path, sock->url->addr,
my_cont_type, data_size, auth_tmp );
}
else
{
PKI_log_err ( "Method (%d) not supported!", method );
return PKI_ERR;
}
// PKI_MEM *r = PKI_MEM_new_data(len, tmp);
// URL_put_data("file://http_req.txt", r, NULL, NULL, 0, 0, NULL);
// PKI_MEM_free(r);
if ((rv = (int) PKI_SOCKET_write(sock, tmp, len)) < 0)
{
PKI_log_err("Can not write HTTP header to socket");
PKI_Free(tmp);
goto err;
}
// Free the tmp pointer that held the request header
if (tmp) PKI_Free (tmp);
// If we were using a POST method, we need to actually send the data
if(data != NULL)
{
PKI_log_err("{DEBUG} Writing Data -> data_size = %d, data = %p", data_size, data);
if ((PKI_SOCKET_write(sock, data, data_size)) < 0)
{
PKI_log_err ("Can not write POST to socket.");
goto err;
}
}
// Let's now wait for the response from the server
if ((http_rv = PKI_HTTP_get_message(sock, timeout, max_size)) == NULL)
{
PKI_log_err ("HTTP retrieval error\n");
goto err;
}
// We shall now check for the return code
if (http_rv->code >= 400 )
{
goto err;
}
else if (http_rv->code >= 300)
{
/* Redirection - let's try that */
if (http_rv->location == NULL)
{
PKI_log_debug ( "HTTP Redirection but no location provided!");
goto err;
}
PKI_log_debug("HTTP Redirection Detected [URL: %s]", http_rv->location );
if (strstr(http_rv->location, "://") != NULL)
{
URL *url_tmp = NULL;
if( strncmp_nocase( http_rv->location, sock->url->url_s,
(int) strlen(http_rv->location)) == 0)
{
PKI_log_debug( "HTTP cyclic redirection!");
goto err;
}
if ((url_tmp = URL_new ( http_rv->location )) == NULL)
{
PKI_log_debug("HTTP location is not a valid URI (%s)", http_rv->location );
goto err;
}
if ( sock->url->ssl == 0 )
{
ret = PKI_HTTP_get_url ( url_tmp, data,
data_size, content_type, method, timeout,
max_size, sk, NULL );
}
else
{
PKI_SSL *ssl2 = PKI_SSL_dup ( sock->ssl );
ret = PKI_HTTP_get_url ( url_tmp, data,
data_size, content_type, method, timeout,
max_size, sk, ssl2 );
}
if ( url_tmp ) URL_free ( url_tmp );
goto end;
}
else
{
const char *prot_s = NULL;
char new_url[2048];
URL *my_new_url = NULL;
PKI_SSL *ssl2 = PKI_SSL_dup ( sock->ssl );
prot_s = URL_proto_to_string ( sock->url->proto );
if( !prot_s ) goto err;
snprintf(new_url, sizeof(new_url),"%s://%s%s", prot_s, sock->url->addr, http_rv->location );
if( strncmp_nocase( new_url, sock->url->url_s, (int) strlen ( new_url )) == 0 )
{
PKI_log_debug( "HTTP cyclic redirection!");
goto err;
}
my_new_url = URL_new ( new_url );
ret = PKI_HTTP_get_url ( my_new_url, data, data_size, content_type, method,
timeout, max_size, sk, ssl2 );
if (ssl2) PKI_SSL_free ( ssl2 );
}
}
else if (http_rv->code != 200)
{
PKI_log_debug( "Unknown HTTP Return code [Code: %d]", http_rv->code );
goto err;
}
/*
PKI_log_err("{DEBUG} method = %d, header->size = %d, body = %p, body_size = %d",
http_rv->method, http_rv->head->size, http_rv->body, http_rv->body->size);
URL_put_data("file://http-resp-header.txt", http_rv->head, NULL, NULL, 0, 0, NULL);
URL_put_data("file://http-resp-data.txt", http_rv->body, NULL, NULL, 0, 0, NULL);
*/
// If a Pointer was provided, we want the data back
if (sk) {
// Checks if the caller provided an already allocated data
// structure. If not, we allocate it.
if (*sk) PKI_STACK_MEM_free_all(*sk);
// Allocates a new structure
if ((*sk = PKI_STACK_MEM_new()) == NULL) {
// If a memory error occurs report it and exit
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
// Nothing more to do
goto err;
}
// Add the returned value to the stack
if (PKI_STACK_MEM_push(*sk, http_rv->body) != PKI_OK) {
PKI_log_err("Can not push the HTTP result body in the result stack");
goto err;
}
// Remove ownership of the body PKI_MEM from the original
// HTTP msg container
http_rv->body = NULL;
}
end:
// Finally free the HTTP message memory
if (http_rv) PKI_HTTP_free(http_rv);
// Returns the result
return ret;
err:
// Error condition
if (http_rv) PKI_HTTP_free ( http_rv );
// Free the locally allocated memory
if (*sk) PKI_STACK_MEM_free_all(*sk);
*sk = NULL;
return PKI_ERR;
}
PKI_MEM_STACK *URL_get_data_pkcs11_url ( URL *url, ssize_t size ) {
#ifdef HAVE_P11
// PKCS11_CTX *ctx = NULL;
PKCS11_SLOT *slots = NULL;
PKCS11_TOKEN *tk = NULL;
char *libfile = NULL;
int num = 0;
int i = 0;
char * search_label = NULL;
char * search_id = NULL;
char * search_slot = NULL;
char * search_slotid = NULL;
PKI_MEM *tmp_mem = NULL;
PKI_MEM_STACK *sk = NULL;
if( !url ) return (NULL);
/*
if((libfile = pkcs11_parse_url_libpath ( url )) == NULL ) {
return( NULL );
}
*/
/*
slot = pkcs11_parse_url_slot ( url );
id = pkcs11_parse_url_id ( url );
*/
if( ctx == NULL ) {
if((ctx = PKCS11_CTX_new ()) == NULL ) {
return(NULL);
}
PKI_log_debug("Loading %s Library", url->addr );
if(( i = PKCS11_CTX_load(ctx, url->addr)) != 0 ) {
PKI_log_err("Can not load library %s [err::%d]", url->addr, i);
// ERR_print_errors_fp( stderr );
}
}
if( PKCS11_enumerate_slots( ctx, &slots, &num ) == -1 ) {
PKI_log_err ("Can not enumerate slots");
goto err;
};
if(( sk = PKI_STACK_MEM_new()) == NULL ) {
goto err;
}
search_slot = pkcs11_parse_url_getval( url, "slot" );
search_slotid = pkcs11_parse_url_getval( url, "slotid" );
search_label = pkcs11_parse_url_getval( url, "label" );
search_id = pkcs11_parse_url_getval( url, "id" );
if( search_slot )
PKI_log_debug("DEBUG::PKCS11::SEARCH::SLOT => %s\n", search_slot);
if( search_slotid )
PKI_log_debug("DEBUG::PKCS11::SEARCH::SLOTID => %s\n", search_slotid);
if( search_label )
PKI_log_debug("DEBUG::PKCS11::SEARCH::LABEL => %s\n", search_label);
if( search_id )
PKI_log_debug("DEBUG::PKCS11::SEARCH::ID => %s\n", search_id);
for(i = 0; i < num; i++ ) {
BIO *mem = NULL;
BUF_MEM *mem_buf = NULL;
PKCS11_CERT *certs = NULL;
PKCS11_SLOT *p = NULL;
PKCS11_CERT *x = NULL;
PKCS11_KEY *keyList = NULL;
PKCS11_KEY *key = NULL;
EVP_PKEY *evp_pkey = NULL;
int n = 0;
int t = 0;
int n_objs = 0;
int p_ret = 0;
p = &slots[i];
if((!p) || ((tk = p->token) == NULL) ) {
continue;
}
if( (search_slot) && ( strncmp_nocase( search_slot,
tk->label, strlen(search_slot) == 0) )) {
continue;
}
if( (search_slotid) && ( atoi(search_slotid) != i )) {
PKI_log_debug("PKCS11::SLOTID is %s (%d), curr is %d\n",
search_slotid, atoi(search_slotid), i);
continue;
}
if( strncmp_nocase( url->attrs, "cert", 4 ) == 0) {
PKI_log_debug("PKCS11::CERT DATATYPE SELECTED!\n");
if((mem = BIO_new(BIO_s_mem())) == NULL ) {
goto err;
}
/* Get the list of certificates in the slot */
p_ret = PKCS11_enumerate_certs( tk, &certs, &n_objs);
for( n = 0; n < n_objs; n++ ) {
/* Pointer to the current certificate */
x = &certs[n];
PKI_log_debug("PKCS11::CERT label=%s\n",
x->label);
PKI_log_debug("PKCS11::CERT id=");
for( t = 0; t < x->id_len; t ++ ) {
printf("%c", x->id[t] );
} printf("\n");
if( (search_label) &&
(strncmp_nocase( search_label, x->label,
strlen( search_label)) != 0 )){
PKI_log_debug("PKCS11::LABEL does not"
"match, SKIPPING!!!!\n");
continue;
}
if( search_id ) {
int stop = 0;
for( t = 0; t < x->id_len; t ++ ) {
if( search_id[t] != x->id[t] ) {
stop = 1;
break;
}
}
if( stop == 1 ) {
printf("DEBUG::PKCS11::ID does not"
"match, SKIPPING!!!!\n");
continue;
}
}
/* Write the cert in PEM format to memory */
p_ret = PEM_write_bio_X509( mem, x->x509 );
/* Get the pointer to the memory buffer */
BIO_get_mem_ptr( mem, &mem_buf );
/* Push a PKI_MEM buffer on the stack */
tmp_mem = PKI_MEM_new_null();
PKI_MEM_add ( tmp_mem, mem_buf->data,
mem_buf->length);
PKI_STACK_push( sk, tmp_mem );
}
/* Free the temp memory buffer */
if( mem ) BIO_free( mem );
} else if (strncmp_nocase( url->attrs, "key", 3) == 0 ) {
char *pin = NULL;
PKI_log_debug("PKCS11::KEY DATATYPE SELECTED!\n");
pin = pkcs11_parse_url_getval( url, "pin" );
if ( (tk->loginRequired == 1) && (pin != NULL ) ) {
p_ret = PKCS11_login ( p, 0, pin );
PKI_log_debug("PKCS11::LOGIN Result %d\n",
p_ret );
}
if((mem = BIO_new(BIO_s_mem())) == NULL ) {
goto err;
}
p_ret = PKCS11_enumerate_keys ( tk, &keyList, &n_objs );
for( n = 0; n < n_objs; n++ ) {
key = &keyList[n];
printf("DEBUG::PKCS11::KEY label=%s\n",
key->label);
printf("DEBUG::PKCS11::KEY id=");
for( t = 0; t < key->id_len; t ++ ) {
printf("%c", key->id[t] );
} printf("\n");
if( (search_label) &&
(strncmp_nocase( search_label, x->label,
strlen( search_label)) != 0 )){
printf("DEBUG::PKCS11::LABEL does not"
"match, SKIPPING!!!!\n");
continue;
}
if( search_id ) {
int stop = 0;
for( t = 0; t < x->id_len; t ++ ) {
if( search_id[t] != x->id[t] ) {
stop = 1;
break;
}
}
if( stop == 1 ) {
printf("DEBUG::PKCS11::ID does not"
"match, SKIPPING!!!!\n");
continue;
}
}
/* Get Private Key in OpenSSL format */
evp_pkey = PKCS11_get_private_key( key );
/* Write the cert in PEM format to memory */
p_ret = PEM_write_bio_PUBKEY( mem, evp_pkey );
/* Get the pointer to the memory buffer */
BIO_get_mem_ptr( mem, &mem_buf );
/* Push a PKI_MEM buffer on the stack */
tmp_mem = PKI_MEM_new_null();
PKI_MEM_add ( tmp_mem, mem_buf->data,
mem_buf->length);
PKI_STACK_push( sk, tmp_mem );
}
if( mem ) BIO_free ( mem );
} else {
printf("DEBUG::PKCS11::OTHER DATATYPE SELECTED!\n");
}
}
err:
if( slots ) PKCS11_release_all_slots( ctx, slots, num );
/*
if( ctx ) {
PKCS11_CTX_unload(ctx);
PKCS11_CTX_free(ctx);
}
*/
if( libfile ) PKI_Free (libfile);
if( search_slot ) PKI_Free ( search_slot );
if( search_slotid ) PKI_Free ( search_slotid );
if( search_label ) PKI_Free ( search_label );
if( search_id ) PKI_Free ( search_id );
return ( sk );
#else
return ( NULL );
#endif
}
int OCSPD_build_ca_list ( OCSPD_CONFIG *handler,
PKI_CONFIG_STACK *ca_conf_sk) {
int i = 0;
PKI_STACK *ca_list = NULL;
PKI_log_debug("Building CA List");
if ( !ca_conf_sk ) {
PKI_log( PKI_LOG_ERR, "No stack of ca configs!");
return ( PKI_ERR );
}
if((ca_list = PKI_STACK_new((void (*))CA_LIST_ENTRY_free)) == NULL ) {
PKI_log_err ( "Memory Error");
return ( PKI_ERR );
}
for (i = 0; i < PKI_STACK_CONFIG_elements( ca_conf_sk ); i++)
{
char *tmp_s = NULL;
URL *tmp_url = NULL;
PKI_X509_CERT *tmp_cert = NULL;
CA_LIST_ENTRY *ca = NULL;
PKI_CONFIG *cnf = NULL;
/* Get the current Configureation file */
cnf = PKI_STACK_CONFIG_get_num( ca_conf_sk, i );
if (!cnf) continue;
/* Get the CA cert from the cfg file itself */
if((tmp_s = PKI_CONFIG_get_value( cnf, "/caConfig/caCertValue" )) == NULL )
{
/* Get the CA parsed url */
if((tmp_url = URL_new( PKI_CONFIG_get_value( cnf, "/caConfig/caCertUrl" ))) == NULL )
{
/* Error, can not parse url data */
PKI_log( PKI_LOG_ERR, "Can not parse CA cert url (%s)",
PKI_CONFIG_get_value(cnf, "/caConfig/caCertUrl"));
continue;
}
if((tmp_cert = PKI_X509_CERT_get_url(tmp_url, NULL, NULL ))== NULL)
{
PKI_log_err("Can not get CA cert from (%s)", tmp_url);
URL_free (tmp_url);
continue;
}
}
else
{
PKI_X509_CERT_STACK *cc_sk = NULL;
PKI_MEM *mm = NULL;
if((mm = PKI_MEM_new_null()) == NULL )
{
PKI_Free(tmp_s);
continue;
}
PKI_MEM_add ( mm, tmp_s, strlen(tmp_s));
if((cc_sk=PKI_X509_CERT_STACK_get_mem(mm, NULL)) == NULL )
{
PKI_log_err ( "Can not parse cert from /caConfig/caCertValue");
PKI_Free(tmp_s);
continue;
}
if ((tmp_cert = PKI_STACK_X509_CERT_pop( cc_sk )) == NULL )
{
PKI_log_err ( "No elements on stack from /caConfig/caCertValue");
PKI_STACK_X509_CERT_free_all(cc_sk);
PKI_Free(tmp_s);
continue;
}
PKI_STACK_X509_CERT_free ( cc_sk );
PKI_Free(tmp_s);
}
/* OCSPD create the CA entry */
if ((ca = CA_LIST_ENTRY_new()) == NULL )
{
PKI_log_err ( "CA List structure init error");
/* remember to do THIS!!!! */
if( tmp_url ) URL_free ( tmp_url );
if( tmp_cert ) PKI_X509_CERT_free ( tmp_cert );
continue;
}
ca->ca_cert = tmp_cert;
tmp_cert = NULL;
ca->ca_url = tmp_url;
tmp_url = NULL;
ca->ca_id = PKI_CONFIG_get_value( cnf, "/caConfig/name" );
ca->cid = CA_ENTRY_CERTID_new ( ca->ca_cert, handler->digest );
/* Get the CRL URL and the CRL itself */
if((tmp_s = PKI_CONFIG_get_value(cnf, "/caConfig/crlUrl")) == NULL)
{
PKI_STACK *cdp_sk = NULL;
/* Now let's get it from PRQP */
/* Now from the Certificate */
if((cdp_sk = PKI_X509_CERT_get_cdp (ca->ca_cert)) ==NULL)
{
// No source for the CRL Distribution Point
PKI_log_err ( "ERROR::Can not find the CDP for %s, skipping CA", ca->ca_id );
CA_LIST_ENTRY_free ( ca );
continue;
}
while ((tmp_s = PKI_STACK_pop ( cdp_sk )) != NULL)
{
if ((ca->crl_url = URL_new ( tmp_s )) == NULL )
{
PKI_log_err( "URL %s not in the right format!");
CA_LIST_ENTRY_free ( ca );
continue;
}
else if( tmp_s ) PKI_Free ( tmp_s );
break;
}
}
else
{
PKI_log_debug("Got CRL Url -> %s", tmp_s );
if((ca->crl_url = URL_new ( tmp_s )) == NULL )
{
PKI_log_err ("Error Parsing CRL URL [%s] for CA [%s]", ca->ca_id, tmp_s);
CA_LIST_ENTRY_free ( ca );
PKI_Free(tmp_s);
continue;
}
PKI_Free(tmp_s);
}
if(OCSPD_load_crl ( ca, handler ) == PKI_ERR )
{
PKI_log_err ( "Can not get CRL for %s", ca->ca_id);
CA_LIST_ENTRY_free ( ca );
continue;
}
/* If the Server has a Token to be used with this CA, let's
load it */
if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/serverToken" )) == NULL)
{
/* No token in config, let's see if a specific cert
is configured */
ca->token = NULL;
if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/serverCertUrl" )) == NULL )
{
/* No cert is configured, we will use the defaults */
ca->server_cert = NULL;
}
else
{
/* The Server's cert URL is found, let's load the certificate */
if ((tmp_cert = PKI_X509_CERT_get ( tmp_s, NULL, NULL )) == NULL )
{
PKI_log_err("Can not get server's cert from %s!", tmp_s );
CA_LIST_ENTRY_free ( ca );
PKI_Free(tmp_s);
continue;
}
else
{
ca->server_cert = tmp_cert;
}
PKI_Free(tmp_s);
}
}
else
{
/* A Token for this CA is found - we do not load
it to avoid problems with Thread Initialization */
ca->server_cert = NULL;
ca->token_name = tmp_s;
ca->token = PKI_TOKEN_new_null();
if ((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/pkiConfigDir" )) != NULL) {
ca->token_config_dir = strdup( tmp_s );
PKI_Free(tmp_s);
}
else
{
ca->token_config_dir = strdup(handler->token_config_dir);
}
}
if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/caCompromised" )) == NULL) {
ca->compromised = 0;
}
else
{
ca->compromised = atoi(tmp_s);
PKI_Free(tmp_s);
}
/* Responder Id Type */
if ((tmp_s = PKI_CONFIG_get_value(cnf, "/caConfig/responderIdType")) != NULL)
{
if (strncmp_nocase(tmp_s, "keyid", 5) == 0)
{
ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_KEYID;
}
else if (strncmp_nocase(tmp_s, "name", 4) == 0)
{
ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
}
else
{
PKI_log_err("Can not parse responderIdType: %s (allowed 'keyid' or 'name')", tmp_s);
exit(1);
}
PKI_Free(tmp_s);
}
else
{
// Default Value
ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
}
// Now let's add the CA_LIST_ENTRY to the list of configured CAs
PKI_STACK_push ( ca_list, ca );
}
handler->ca_list = ca_list;
return ( PKI_OK );
}
/* Functions */
OCSPD_CONFIG * OCSPD_load_config(char *configfile)
{
OCSPD_CONFIG *h = NULL;
PKI_CONFIG *cnf = NULL;
PKI_CONFIG_STACK *ca_config_stack = NULL;
char *tmp_s = NULL;
char *tmp_s2 = NULL;
int i;
/* Check for the environment variable PRQP_CONF */
if (configfile == NULL) configfile = getenv("OCSPD_CONF");
/* If not, check for the default CONFIG_FILE */
if (configfile == NULL) configfile = CONFIG_FILE;
if( !configfile ) {
/* No config file is available */
PKI_log(PKI_LOG_ERR, "No config file provided!");
return (NULL);
}
/* Load the config file */
if(( cnf = PKI_CONFIG_load ( configfile )) == NULL ) {
PKI_log( PKI_LOG_ERR, "Can not load config file [%s]!",
configfile );
return (NULL);
}
if(( h = (OCSPD_CONFIG *)PKI_Malloc(sizeof(OCSPD_CONFIG))) == NULL) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
goto err;
}
/* Set the group and user string to NULL */
h->user = NULL;
h->group = NULL;
/* Set the PRQPD verbose status */
h->verbose = 0;
h->debug = 0;
h->nthreads = 5;
h->http_proto = "1.0";
h->max_timeout_secs = 5;
h->crl_auto_reload = 3600;
h->crl_reload_expired = 1;
h->crl_check_validity = 600;
/* Copy the config filename so that it could be re-loaded on SIGHUP */
h->cnf_filename = strdup( configfile );
/* Initialize the COND variables and MUTEXES */
for( i = 0; i < sizeof ( h->mutexes ) / sizeof( PKI_MUTEX ); i++ )
{
PKI_MUTEX_init ( &h->mutexes[i] );
}
for( i = 0; i < sizeof ( h->condVars ) / sizeof( PKI_COND ); i++)
{
PKI_COND_init ( &h->condVars[i] );
}
PKI_RWLOCK_init ( &h->crl_lock );
/* Token Initialization */
if (( tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/general/pkiConfigDir")) == NULL)
{
PKI_log_err("Missing pkiConfigDir in configuration!");
return NULL;
}
else
{
if ((tmp_s2 = PKI_CONFIG_get_value( cnf, "/serverConfig/general/token" )) != NULL)
{
h->token_name = strdup( tmp_s2 );
h->token_config_dir = strdup ( tmp_s );
if ((h->token = PKI_TOKEN_new_null()) == NULL)
{
PKI_log( PKI_LOG_ERR, "Memory error for new token");
exit(1);
}
PKI_Free(tmp_s2);
}
else
{
PKI_log_err("No General Token provided in configuration.");
PKI_Free(tmp_s);
return NULL;
}
PKI_Free(tmp_s);
}
/* Thread configuration */
if((tmp_s = PKI_CONFIG_get_value(cnf, "/serverConfig/general/spawnThreads")) != NULL)
{
int t = 0;
if((t = atoi( tmp_s )) > 0 ) h->nthreads = t;
PKI_Free(tmp_s);
}
if((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/general/caConfigDir")) != NULL)
{
h->ca_config_dir = strdup(tmp_s);
ca_config_stack = PKI_CONFIG_load_dir(h->ca_config_dir, NULL);
if (ca_config_stack == NULL)
{
PKI_log( PKI_LOG_ERR, "Can't load caConfigDir (%s)", h->ca_config_dir);
PKI_Free(tmp_s);
goto err;
}
PKI_Free(tmp_s);
}
else
{
PKI_log( PKI_LOG_ERR, "/serverConfig/general/caConfigDir needed in conf!\n");
goto err;
}
/* Pid File */
if((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/general/pidFile")) != NULL )
{
h->pidfile = strdup(tmp_s);
PKI_Free(tmp_s);
}
/* AutoReload timeout */
if((tmp_s = PKI_CONFIG_get_value( cnf,
"/serverConfig/general/crlAutoReload")) != NULL)
{
h->crl_auto_reload = atoi(tmp_s);
if( h->crl_auto_reload <= 0 )
{
h->crl_auto_reload = 0;
PKI_log(PKI_LOG_INFO, "Auto Reload Disabled");
}
PKI_Free(tmp_s);
}
/* CRL validity check timeout */
if((tmp_s = PKI_CONFIG_get_value( cnf,
"/serverConfig/general/crlCheckValidity")) != NULL )
{
h->crl_check_validity = atoi(tmp_s);
if ( h->crl_check_validity <= 0 )
{
h->crl_check_validity = 0;
PKI_log(PKI_LOG_INFO, "CRL check validity disabled");
}
PKI_Free(tmp_s);
}
/* AutoReload timeout */
if ((tmp_s = PKI_CONFIG_get_value( cnf,
"/serverConfig/general/crlReloadExpired")) != NULL )
{
if (strncmp_nocase(tmp_s, "n", 1) == 0)
{
h->crl_reload_expired = 0;
PKI_log(PKI_LOG_INFO, "Expired CRLs Reload Disabled");
}
PKI_Free(tmp_s);
}
/* Server Privileges */
if ((tmp_s = PKI_CONFIG_get_value(cnf, "/serverConfig/security/user")) != NULL)
{
h->user = strdup(tmp_s);
PKI_Free(tmp_s);
}
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/security/group" )) != NULL)
{
h->group = strdup(tmp_s);
PKI_Free(tmp_s);
}
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/security/chrootDir" )) != NULL )
{
h->chroot_dir = strdup(tmp_s);
PKI_Free(tmp_s);
}
/* Bind Address */
if((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/network/bindAddress" )) == NULL)
{
// If not bindAddress, let's use the universal one
tmp_s = strdup("http://0.0.0.0:2560");
}
if ((h->bindUrl = URL_new( tmp_s )) == NULL)
{
PKI_log( PKI_LOG_ERR, "Can't parse bindAddress (%s)", tmp_s );
PKI_Free(tmp_s);
goto err;
}
// We need to free the tmp_s
PKI_Free(tmp_s);
/* HTTP Version */
if((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/network/httpProtocol")) != NULL)
{
h->http_proto = strdup(tmp_s);
PKI_Free(tmp_s);
}
/* Timeout for incoming connections */
if((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/network/timeOut")) != NULL )
{
long t = 0;
if ((t = atol( tmp_s )) > 0) h->max_timeout_secs = (unsigned int) t;
PKI_Free(tmp_s);
}
/* Maximum Request Size */
if((tmp_s = PKI_CONFIG_get_value( cnf,
"/serverConfig/response/maxReqSize" )) != NULL ) {
int t = 0;
if((t = atoi( tmp_s )) > 0 ) {
h->max_req_size = t;
}
PKI_Free(tmp_s);
}
// Default
h->digest = PKI_DIGEST_ALG_SHA1;
/* Digest Algorithm to be used */
if ((tmp_s = PKI_CONFIG_get_value(cnf, "/serverConfig/response/digestAlgorithm" )) != NULL)
{
h->digest = PKI_DIGEST_ALG_get_by_name( tmp_s );
if (!h->digest)
{
PKI_log_err("Can not parse response digest algorithm: %s", tmp_s);
exit(1);
}
else PKI_log_debug("Selected response digest algorithm: %s", tmp_s);
PKI_Free(tmp_s);
}
/* Signing Digest Algorithm to be used */
if((tmp_s = PKI_CONFIG_get_value( cnf,
"/serverConfig/response/signatureDigestAlgorithm" )) == NULL)
{
PKI_log_debug("No specific signature digest algorithm selected.");
h->sigDigest = NULL;
}
else
{
h->sigDigest = PKI_DIGEST_ALG_get_by_name( tmp_s );
if (!h->sigDigest)
{
PKI_log_err("Can not parse signing digest algorithm: %s", tmp_s);
exit(1);
}
else PKI_log_debug("Selected signature digest algorithm: %s", tmp_s);
PKI_Free(tmp_s);
}
/* Now Parse the PRQP Response Section */
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/response/validity/days" )) != NULL)
{
h->ndays = atoi(tmp_s);
PKI_Free(tmp_s);
}
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/response/validity/mins" )) != NULL)
{
h->nmin = atoi(tmp_s);
PKI_Free(tmp_s);
}
h->set_nextUpdate = h->ndays * 3600 + h->nmin * 60;
/* Database Options */
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/general/dbUrl")) != NULL)
{
if ((h->db_url = URL_new ( tmp_s )) == NULL)
{
PKI_log_err ( "Database Url not parsable (%s)", tmp_s );
PKI_Free(tmp_s);
goto err;
}
PKI_Free(tmp_s);
}
/* Database Persistant */
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/general/dbPersistant")) != NULL)
{
if (strncmp_nocase ( "n", tmp_s, 1 ) == 0 )
h->db_persistant = 0;
else
h->db_persistant = 1;
PKI_Free(tmp_s);
}
/* Now we should load the CA configuration files and generate the
CERT_ID for the different CAs */
if ((OCSPD_build_ca_list( h, ca_config_stack )) == PKI_ERR )
{
PKI_log(PKI_LOG_ERR, "Can not build CA list!");
if (ca_config_stack) PKI_STACK_CONFIG_free ( ca_config_stack );
goto err;
}
if (ca_config_stack) PKI_STACK_CONFIG_free ( ca_config_stack );
return ( h );
err:
if( ca_config_stack ) PKI_STACK_CONFIG_free ( ca_config_stack );
if( cnf ) PKI_CONFIG_free ( cnf );
if( h ) PKI_Free ( h );
return( NULL );
}
PKI_X509_EXTENSION *PKI_X509_EXTENSION_value_new_profile (
PKI_X509_PROFILE *profile, PKI_CONFIG *oids,
PKI_CONFIG_ELEMENT *extNode, PKI_TOKEN *tk ) {
/* TODO: Implement the extended version of the extensions, this
should allow better extensions management. That is, the value
will be encoded as:
extName=@section
[ section ]
extName=value
otherVal=val
otherVal=val
...
The corresponding XML should be:
<pki:extension name=".." critical=".." >
<pki:value name="" type=".." tag=".."> .. </pki:value>
<pki:value name="" type=".." tag=".."> .. </pki:value>
</pki:extension>
*/
PKI_CONFIG_ELEMENT *valNode = NULL;
PKI_X509_EXTENSION *ret = NULL;
PKI_X509_EXTENSION_VALUE *ext = NULL;
xmlChar *type_s = NULL;
xmlChar *tag_s = NULL;
xmlChar *oid_s = NULL;
xmlChar *value_s = NULL;
xmlChar *name_s = NULL;
xmlChar *crit_s = NULL;
PKI_OID *oid = NULL;
X509V3_CTX v3_ctx;
CONF *conf = NULL;
char *envValString = NULL;
char *valString = NULL;
int crit = 0;
if( !profile || !extNode ) {
PKI_log_debug("ERROR, no profile or extNode provided in "
"PKI_X509_EXTENSION_value_new_profile()");
return (NULL);
}
if((crit_s = xmlGetProp( extNode, BAD_CAST "critical" )) != NULL ) {
if( strncmp_nocase( (char *) crit_s, "n", 1 ) == 0) {
crit = 0;
} else {
crit = 1;
}
}
if((name_s = xmlGetProp( extNode, BAD_CAST "name" )) == NULL ) {
PKI_log_debug("ERROR, no name property in node %s",
extNode->name);
if( crit_s ) xmlFree ( crit_s );
return (NULL);
}
if ((oid = PKI_OID_get((char *) name_s)) == NULL)
{
if ((oid = PKI_CONFIG_OID_search(oids, (char *)name_s)) == NULL)
{
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
return NULL;
}
}
else
{
PKI_OID_free ( oid );
}
/*
int nid = NID_undef;
if((nid = OBJ_sn2nid( (char *) name_s )) == NID_undef ) {
PKI_OID *oid = NULL;
oid = PKI_CONFIG_OID_search ( oids, (char *) name_s );
if( !oid ) {
PKI_log_debug( "ERROR, can not create object (%s)!",
name_s );
return( NULL );
}
}
*/
if ((valString = (char *) PKI_Malloc(BUFF_MAX_SIZE)) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if( name_s ) xmlFree ( name_s );
if( crit_s ) xmlFree (crit_s);
return( NULL );
}
memset( valString, 0, BUFF_MAX_SIZE );
if( crit == 1 ) snprintf( valString, BUFF_MAX_SIZE -1, "%s", "critical" );
for (valNode = extNode->children; valNode; valNode = valNode->next)
{
if ((valNode->type == XML_ELEMENT_NODE) &&
((strncmp_nocase((char *)(valNode->name),"value",5)) == 0))
{
char tmp[BUFF_MAX_SIZE];
type_s = xmlGetProp( valNode, BAD_CAST "type" );
tag_s = xmlGetProp( valNode, BAD_CAST "tag" );
oid_s = xmlGetProp( valNode, BAD_CAST "oid" );
value_s = xmlNodeListGetString( profile,
valNode->xmlChildrenNode, 0);
if( oid_s ) {
/* Let's be sure the OID is created */
if((oid = PKI_CONFIG_OID_search(oids,
(char *) value_s)) == NULL ) {
PKI_log_debug ("WARNING, no oid "
"created for %s!", oid_s );
} else {
PKI_OID_free ( oid );
}
}
memset((unsigned char * )tmp, 0, BUFF_MAX_SIZE );
if( tag_s ) {
snprintf( tmp, BUFF_MAX_SIZE - 1, "%s;",
_ext_txt( tag_s ) );
}
if( type_s == NULL ) {
if( !oid_s ) {
strncat( tmp, (char *) value_s,
BUFF_MAX_SIZE - strlen( tmp ));
} else {
if( value_s && (strlen((char *) value_s) > 0) ) {
strncat( tmp, (char *) oid_s,
BUFF_MAX_SIZE - strlen( tmp ) );
strncat( tmp, ":",
BUFF_MAX_SIZE - strlen ( tmp ));
strncat( tmp, (char *) value_s,
BUFF_MAX_SIZE - strlen (tmp ));
} else {
strncat( tmp, "OID:",
BUFF_MAX_SIZE - strlen(tmp));
strncat( tmp, (char *) oid_s,
BUFF_MAX_SIZE - strlen( tmp ));
}
}
} else {
strncat( tmp, (char *) _ext_txt(type_s),
BUFF_MAX_SIZE - strlen( tmp ));
if( value_s && (strlen((char*)value_s) > 0) ) {
if(strcmp_nocase( (char*) type_s, "ia5org")) {
strncat( tmp, ":",
BUFF_MAX_SIZE - strlen( tmp ));
} else {
strncat( tmp, ",",
BUFF_MAX_SIZE - strlen( tmp ));
}
strncat( tmp, (char *) value_s,
BUFF_MAX_SIZE - strlen( tmp ));
}
}
if( strlen( valString ) > 0 ) {
strncat( valString, ",", BUFF_MAX_SIZE - 1);
}
strncat( valString, (char *) tmp, BUFF_MAX_SIZE - 1 );
if( type_s ) xmlFree ( type_s );
if( oid_s ) xmlFree ( oid_s );
if( tag_s ) xmlFree ( tag_s );
if( value_s ) xmlFree ( value_s );
}
}
//PKI_log_debug("INFO, Encoding %s=%s", name_s, valString);
v3_ctx.db = NULL;
v3_ctx.db_meth = NULL;
v3_ctx.crl = NULL;
v3_ctx.flags = 0;
if ( tk ) {
v3_ctx.issuer_cert = (X509 *)
PKI_X509_get_value ( tk->cacert );
v3_ctx.subject_cert = (X509 *)
PKI_X509_get_value ( tk->cert );
v3_ctx.subject_req = (X509_REQ *)
PKI_X509_get_value ( tk->req );
} else {
v3_ctx.issuer_cert = NULL;
v3_ctx.subject_cert = NULL;
v3_ctx.subject_req = NULL;
}
/* Sets the ctx.db and ctx.method */
conf = NCONF_new( NULL );
X509V3_set_nconf(&v3_ctx, conf);
if((envValString = get_env_string( valString )) != NULL ) {
PKI_log_debug("EXT STRING => %s=%s", name_s, envValString);
ext = X509V3_EXT_conf(NULL, &v3_ctx, (char *) name_s,
(char *) envValString);
PKI_Free ( envValString );
} else {
ext = X509V3_EXT_conf(NULL, &v3_ctx, (char *) name_s,
(char *) valString);
}
if( !ext ) {
PKI_log_debug("EXT::ERR::%s",
ERR_error_string(ERR_get_error(), NULL ));
return NULL;
}
if(( ret = PKI_X509_EXTENSION_new()) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
X509_EXTENSION_free ( ext );
return NULL;
}
ret->value = ext;
ret->oid = ext->object;
if( name_s ) xmlFree ( name_s );
if( crit_s ) xmlFree (crit_s );
if( valString ) PKI_Free ( valString );
if( conf ) NCONF_free ( conf );
return ( ret );
}
