AuthorityKeyIdentifierExtension::AuthorityKeyIdentifierExtension(X509_EXTENSION *ext) throw (CertificationException) : Extension(ext) { AUTHORITY_KEYID *authKeyId; if (this->objectIdentifier.getNid() != NID_authority_key_identifier) { throw CertificationException(CertificationException::INVALID_TYPE, "AuthorityKeyIdentifierExtension::AuthorityKeyIdentifierExtension"); } authKeyId = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext); if (authKeyId->keyid) { this->keyIdentifier = ByteArray(authKeyId->keyid->data, authKeyId->keyid->length); } if (authKeyId->issuer) { this->authorityCertIssuer = GeneralNames(authKeyId->issuer); } if (authKeyId->serial) { this->serialNumber = ASN1_INTEGER_get(authKeyId->serial); } else { this->serialNumber = -1; } AUTHORITY_KEYID_free(authKeyId); }
X509_EXTENSION* AuthorityKeyIdentifierExtension::getX509Extension() { X509_EXTENSION *ret; AUTHORITY_KEYID *authKeyId; ByteArray temp; authKeyId = AUTHORITY_KEYID_new(); if (this->keyIdentifier.size() > 0) { authKeyId->keyid = ASN1_OCTET_STRING_new(); temp = this->keyIdentifier; ASN1_OCTET_STRING_set(authKeyId->keyid, temp.getDataPointer(), temp.size()); } if (this->authorityCertIssuer.getNumberOfEntries() > 0) { authKeyId->issuer = this->authorityCertIssuer.getInternalGeneralNames(); } if (this->serialNumber >= 0) { authKeyId->serial = ASN1_INTEGER_new(); ASN1_INTEGER_set(authKeyId->serial, this->serialNumber); } ret = X509V3_EXT_i2d(NID_authority_key_identifier, this->critical?1:0, (void *)authKeyId); AUTHORITY_KEYID_free(authKeyId); return ret; }
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509 *ret = (X509 *)*pval; switch (operation) { case ASN1_OP_NEW_POST: ret->valid = 0; ret->name = NULL; ret->ex_flags = 0; ret->ex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; #ifndef OPENSSL_NO_RFC3779 ret->rfc3779_addr = NULL; ret->rfc3779_asid = NULL; #endif ret->aux = NULL; ret->crldp = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; case ASN1_OP_D2I_POST: if (ret->name != NULL) OPENSSL_free(ret->name); ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0); break; case ASN1_OP_FREE_POST: CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); X509_CERT_AUX_free(ret->aux); ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); #ifndef OPENSSL_NO_RFC3779 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); ASIdentifiers_free(ret->rfc3779_asid); #endif if (ret->name != NULL) OPENSSL_free(ret->name); break; } return 1; }
static DWORD VMCAGetCrlAuthKeyIdHexString( X509_CRL* pCrl, PSTR* ppszAid ) { DWORD dwError = ERROR_SUCCESS; PSTR pszAid = NULL; AUTHORITY_KEYID *pId = NULL; if (!pCrl && !ppszAid) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } if (X509_CRL_get_ext_by_NID(pCrl, NID_authority_key_identifier, -1) == -1) { dwError = ERROR_NOT_FOUND; BAIL_ON_ERROR(dwError); } pId = (AUTHORITY_KEYID*)X509_CRL_get_ext_d2i(pCrl, NID_authority_key_identifier, NULL, NULL); if (!pId) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } dwError = VMCAKeyIdToHexString(pId->keyid, &pszAid); BAIL_ON_ERROR(dwError); *ppszAid = pszAid; cleanup: if (pId) { AUTHORITY_KEYID_free(pId); } return dwError; error: if (ppszAid) { *ppszAid = NULL; } VMCA_SAFE_FREE_MEMORY(pszAid); goto cleanup; }
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509 *ret = (X509 *)*pval; switch (operation) { case ASN1_OP_NEW_POST: ret->name = NULL; ret->ex_flags = 0; ret->ex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; ret->aux = NULL; ret->crldp = NULL; ret->buf = NULL; CRYPTO_new_ex_data(&ret->ex_data); CRYPTO_MUTEX_init(&ret->lock); break; case ASN1_OP_D2I_PRE: CRYPTO_BUFFER_free(ret->buf); ret->buf = NULL; break; case ASN1_OP_D2I_POST: if (ret->name != NULL) OPENSSL_free(ret->name); ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0); break; case ASN1_OP_FREE_POST: CRYPTO_MUTEX_cleanup(&ret->lock); CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data); X509_CERT_AUX_free(ret->aux); ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); CRYPTO_BUFFER_free(ret->buf); OPENSSL_free(ret->name); break; } return 1; }
static PARCCryptoHash * _GetPublickKeyDigest(PARCPkcs12KeyStore *keystore) { parcSecurity_AssertIsInitialized(); assertNotNull(keystore, "Parameter must be non-null PARCPkcs12KeyStore"); if (keystore->public_key_digest == NULL) { AUTHORITY_KEYID *akid = X509_get_ext_d2i(keystore->x509_cert, NID_authority_key_identifier, NULL, NULL); if (akid != NULL) { ASN1_OCTET_STRING *skid = X509_get_ext_d2i(keystore->x509_cert, NID_subject_key_identifier, NULL, NULL); if (skid != NULL) { keystore->public_key_digest = parcBuffer_PutArray(parcBuffer_Allocate(skid->length), skid->length, skid->data); parcBuffer_Flip(keystore->public_key_digest); ASN1_OCTET_STRING_free(skid); } AUTHORITY_KEYID_free(akid); } } // If we could not load the digest from the certificate, then calculate it from the public key. if (keystore->public_key_digest == NULL) { uint8_t digestBuffer[SHA256_DIGEST_LENGTH]; int result = ASN1_item_digest(ASN1_ITEM_rptr(X509_PUBKEY), EVP_sha256(), X509_get_X509_PUBKEY(keystore->x509_cert), digestBuffer, NULL); if (result != 1) { assertTrue(0, "Could not compute digest over certificate public key"); } else { keystore->public_key_digest = parcBuffer_PutArray(parcBuffer_Allocate(SHA256_DIGEST_LENGTH), SHA256_DIGEST_LENGTH, digestBuffer); parcBuffer_Flip(keystore->public_key_digest); } } // This stores a reference, so keystore->public_key_digest will remain valid // even if the cryptoHasher is destroyed return parcCryptoHash_Create(PARC_HASH_SHA256, keystore->public_key_digest); }
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) { X509 *ret = (X509 *)*pval; switch(operation) { case ASN1_OP_NEW_POST: ret->valid=0; ret->name = NULL; ret->ex_flags = 0; ret->ex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; ret->aux = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; case ASN1_OP_D2I_POST: if (ret->name != NULL) OPENSSL_free(ret->name); ret->name=X509_NAME_oneline(ret->cert_info->subject,NULL,0); break; case ASN1_OP_FREE_POST: CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); X509_CERT_AUX_free(ret->aux); ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); policy_cache_free(ret->policy_cache); if (ret->name != NULL) OPENSSL_free(ret->name); break; } return 1; }
/* * The X509_CRL structure needs a bit of customisation. Cache some extensions * and hash of the whole CRL. */ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *crl = (X509_CRL *)*pval; STACK_OF(X509_EXTENSION) *exts; X509_EXTENSION *ext; int idx; switch (operation) { case ASN1_OP_NEW_POST: crl->idp = NULL; crl->akid = NULL; crl->flags = 0; crl->idp_flags = 0; crl->idp_reasons = CRLDP_ALL_REASONS; crl->meth = default_crl_method; crl->meth_data = NULL; crl->issuers = NULL; crl->crl_number = NULL; crl->base_crl_number = NULL; break; case ASN1_OP_D2I_POST: X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, NULL, NULL); if (crl->idp) setup_idp(crl, crl->idp); crl->akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); crl->crl_number = X509_CRL_get_ext_d2i(crl, NID_crl_number, NULL, NULL); crl->base_crl_number = X509_CRL_get_ext_d2i(crl, NID_delta_crl, NULL, NULL); /* Delta CRLs must have CRL number */ if (crl->base_crl_number && !crl->crl_number) crl->flags |= EXFLAG_INVALID; /* * See if we have any unhandled critical CRL extensions and indicate * this in a flag. We only currently handle IDP so anything else * critical sets the flag. This code accesses the X509_CRL structure * directly: applications shouldn't do this. */ exts = crl->crl.extensions; for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { int nid; ext = sk_X509_EXTENSION_value(exts, idx); nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); if (nid == NID_freshest_crl) crl->flags |= EXFLAG_FRESHEST; if (X509_EXTENSION_get_critical(ext)) { /* We handle IDP and deltas */ if ((nid == NID_issuing_distribution_point) || (nid == NID_authority_key_identifier) || (nid == NID_delta_crl)) break;; crl->flags |= EXFLAG_CRITICAL; break; } } if (!crl_set_issuers(crl)) return 0; if (crl->meth->crl_init) { if (crl->meth->crl_init(crl) == 0) return 0; } break; case ASN1_OP_FREE_POST: if (crl->meth->crl_free) { if (!crl->meth->crl_free(crl)) return 0; } AUTHORITY_KEYID_free(crl->akid); ISSUING_DIST_POINT_free(crl->idp); ASN1_INTEGER_free(crl->crl_number); ASN1_INTEGER_free(crl->base_crl_number); sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); break; } return 1; }