AuthorityKeyIdentifierExtension::AuthorityKeyIdentifierExtension(X509_EXTENSION *ext)
throw (CertificationException) : Extension(ext)
{
AUTHORITY_KEYID *authKeyId;
if (this->objectIdentifier.getNid() != NID_authority_key_identifier)
{
throw CertificationException(CertificationException::INVALID_TYPE, "AuthorityKeyIdentifierExtension::AuthorityKeyIdentifierExtension");
}
authKeyId = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext);
if (authKeyId->keyid)
{
this->keyIdentifier = ByteArray(authKeyId->keyid->data, authKeyId->keyid->length);
}
if (authKeyId->issuer)
{
this->authorityCertIssuer = GeneralNames(authKeyId->issuer);
}
if (authKeyId->serial)
{
this->serialNumber = ASN1_INTEGER_get(authKeyId->serial);
}
else
{
this->serialNumber = -1;
}
AUTHORITY_KEYID_free(authKeyId);
}
X509_EXTENSION* AuthorityKeyIdentifierExtension::getX509Extension()
{
X509_EXTENSION *ret;
AUTHORITY_KEYID *authKeyId;
ByteArray temp;
authKeyId = AUTHORITY_KEYID_new();
if (this->keyIdentifier.size() > 0)
{
authKeyId->keyid = ASN1_OCTET_STRING_new();
temp = this->keyIdentifier;
ASN1_OCTET_STRING_set(authKeyId->keyid, temp.getDataPointer(), temp.size());
}
if (this->authorityCertIssuer.getNumberOfEntries() > 0)
{
authKeyId->issuer = this->authorityCertIssuer.getInternalGeneralNames();
}
if (this->serialNumber >= 0)
{
authKeyId->serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(authKeyId->serial, this->serialNumber);
}
ret = X509V3_EXT_i2d(NID_authority_key_identifier, this->critical?1:0, (void *)authKeyId);
AUTHORITY_KEYID_free(authKeyId);
return ret;
}
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
X509 *ret = (X509 *)*pval;
switch (operation) {
case ASN1_OP_NEW_POST:
ret->valid = 0;
ret->name = NULL;
ret->ex_flags = 0;
ret->ex_pathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
#ifndef OPENSSL_NO_RFC3779
ret->rfc3779_addr = NULL;
ret->rfc3779_asid = NULL;
#endif
ret->aux = NULL;
ret->crldp = NULL;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
break;
case ASN1_OP_D2I_POST:
if (ret->name != NULL)
OPENSSL_free(ret->name);
ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0);
break;
case ASN1_OP_FREE_POST:
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
X509_CERT_AUX_free(ret->aux);
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
CRL_DIST_POINTS_free(ret->crldp);
policy_cache_free(ret->policy_cache);
GENERAL_NAMES_free(ret->altname);
NAME_CONSTRAINTS_free(ret->nc);
#ifndef OPENSSL_NO_RFC3779
sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
ASIdentifiers_free(ret->rfc3779_asid);
#endif
if (ret->name != NULL)
OPENSSL_free(ret->name);
break;
}
return 1;
}
static
DWORD
VMCAGetCrlAuthKeyIdHexString(
X509_CRL* pCrl,
PSTR* ppszAid
)
{
DWORD dwError = ERROR_SUCCESS;
PSTR pszAid = NULL;
AUTHORITY_KEYID *pId = NULL;
if (!pCrl && !ppszAid)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
if (X509_CRL_get_ext_by_NID(pCrl, NID_authority_key_identifier, -1) == -1)
{
dwError = ERROR_NOT_FOUND;
BAIL_ON_ERROR(dwError);
}
pId = (AUTHORITY_KEYID*)X509_CRL_get_ext_d2i(pCrl,
NID_authority_key_identifier, NULL, NULL);
if (!pId)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
dwError = VMCAKeyIdToHexString(pId->keyid, &pszAid);
BAIL_ON_ERROR(dwError);
*ppszAid = pszAid;
cleanup:
if (pId)
{
AUTHORITY_KEYID_free(pId);
}
return dwError;
error:
if (ppszAid)
{
*ppszAid = NULL;
}
VMCA_SAFE_FREE_MEMORY(pszAid);
goto cleanup;
}
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
X509 *ret = (X509 *)*pval;
switch (operation) {
case ASN1_OP_NEW_POST:
ret->name = NULL;
ret->ex_flags = 0;
ret->ex_pathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
ret->aux = NULL;
ret->crldp = NULL;
ret->buf = NULL;
CRYPTO_new_ex_data(&ret->ex_data);
CRYPTO_MUTEX_init(&ret->lock);
break;
case ASN1_OP_D2I_PRE:
CRYPTO_BUFFER_free(ret->buf);
ret->buf = NULL;
break;
case ASN1_OP_D2I_POST:
if (ret->name != NULL)
OPENSSL_free(ret->name);
ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0);
break;
case ASN1_OP_FREE_POST:
CRYPTO_MUTEX_cleanup(&ret->lock);
CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);
X509_CERT_AUX_free(ret->aux);
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
CRL_DIST_POINTS_free(ret->crldp);
policy_cache_free(ret->policy_cache);
GENERAL_NAMES_free(ret->altname);
NAME_CONSTRAINTS_free(ret->nc);
CRYPTO_BUFFER_free(ret->buf);
OPENSSL_free(ret->name);
break;
}
return 1;
}
static PARCCryptoHash *
_GetPublickKeyDigest(PARCPkcs12KeyStore *keystore)
{
parcSecurity_AssertIsInitialized();
assertNotNull(keystore, "Parameter must be non-null PARCPkcs12KeyStore");
if (keystore->public_key_digest == NULL) {
AUTHORITY_KEYID *akid = X509_get_ext_d2i(keystore->x509_cert, NID_authority_key_identifier, NULL, NULL);
if (akid != NULL) {
ASN1_OCTET_STRING *skid = X509_get_ext_d2i(keystore->x509_cert, NID_subject_key_identifier, NULL, NULL);
if (skid != NULL) {
keystore->public_key_digest =
parcBuffer_PutArray(parcBuffer_Allocate(skid->length), skid->length, skid->data);
parcBuffer_Flip(keystore->public_key_digest);
ASN1_OCTET_STRING_free(skid);
}
AUTHORITY_KEYID_free(akid);
}
}
// If we could not load the digest from the certificate, then calculate it from the public key.
if (keystore->public_key_digest == NULL) {
uint8_t digestBuffer[SHA256_DIGEST_LENGTH];
int result = ASN1_item_digest(ASN1_ITEM_rptr(X509_PUBKEY),
EVP_sha256(),
X509_get_X509_PUBKEY(keystore->x509_cert),
digestBuffer,
NULL);
if (result != 1) {
assertTrue(0, "Could not compute digest over certificate public key");
} else {
keystore->public_key_digest =
parcBuffer_PutArray(parcBuffer_Allocate(SHA256_DIGEST_LENGTH), SHA256_DIGEST_LENGTH, digestBuffer);
parcBuffer_Flip(keystore->public_key_digest);
}
}
// This stores a reference, so keystore->public_key_digest will remain valid
// even if the cryptoHasher is destroyed
return parcCryptoHash_Create(PARC_HASH_SHA256, keystore->public_key_digest);
}
static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
{
X509 *ret = (X509 *)*pval;
switch(operation) {
case ASN1_OP_NEW_POST:
ret->valid=0;
ret->name = NULL;
ret->ex_flags = 0;
ret->ex_pathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
ret->aux = NULL;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
break;
case ASN1_OP_D2I_POST:
if (ret->name != NULL) OPENSSL_free(ret->name);
ret->name=X509_NAME_oneline(ret->cert_info->subject,NULL,0);
break;
case ASN1_OP_FREE_POST:
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
X509_CERT_AUX_free(ret->aux);
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
policy_cache_free(ret->policy_cache);
if (ret->name != NULL) OPENSSL_free(ret->name);
break;
}
return 1;
}
/*
* The X509_CRL structure needs a bit of customisation. Cache some extensions
* and hash of the whole CRL.
*/
static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
X509_CRL *crl = (X509_CRL *)*pval;
STACK_OF(X509_EXTENSION) *exts;
X509_EXTENSION *ext;
int idx;
switch (operation) {
case ASN1_OP_NEW_POST:
crl->idp = NULL;
crl->akid = NULL;
crl->flags = 0;
crl->idp_flags = 0;
crl->idp_reasons = CRLDP_ALL_REASONS;
crl->meth = default_crl_method;
crl->meth_data = NULL;
crl->issuers = NULL;
crl->crl_number = NULL;
crl->base_crl_number = NULL;
break;
case ASN1_OP_D2I_POST:
X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
crl->idp = X509_CRL_get_ext_d2i(crl,
NID_issuing_distribution_point, NULL,
NULL);
if (crl->idp)
setup_idp(crl, crl->idp);
crl->akid = X509_CRL_get_ext_d2i(crl,
NID_authority_key_identifier, NULL,
NULL);
crl->crl_number = X509_CRL_get_ext_d2i(crl,
NID_crl_number, NULL, NULL);
crl->base_crl_number = X509_CRL_get_ext_d2i(crl,
NID_delta_crl, NULL,
NULL);
/* Delta CRLs must have CRL number */
if (crl->base_crl_number && !crl->crl_number)
crl->flags |= EXFLAG_INVALID;
/*
* See if we have any unhandled critical CRL extensions and indicate
* this in a flag. We only currently handle IDP so anything else
* critical sets the flag. This code accesses the X509_CRL structure
* directly: applications shouldn't do this.
*/
exts = crl->crl.extensions;
for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
int nid;
ext = sk_X509_EXTENSION_value(exts, idx);
nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
if (nid == NID_freshest_crl)
crl->flags |= EXFLAG_FRESHEST;
if (X509_EXTENSION_get_critical(ext)) {
/* We handle IDP and deltas */
if ((nid == NID_issuing_distribution_point)
|| (nid == NID_authority_key_identifier)
|| (nid == NID_delta_crl))
break;;
crl->flags |= EXFLAG_CRITICAL;
break;
}
}
if (!crl_set_issuers(crl))
return 0;
if (crl->meth->crl_init) {
if (crl->meth->crl_init(crl) == 0)
return 0;
}
break;
case ASN1_OP_FREE_POST:
if (crl->meth->crl_free) {
if (!crl->meth->crl_free(crl))
return 0;
}
AUTHORITY_KEYID_free(crl->akid);
ISSUING_DIST_POINT_free(crl->idp);
ASN1_INTEGER_free(crl->crl_number);
ASN1_INTEGER_free(crl->base_crl_number);
sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
break;
}
return 1;
}
