void CA_LIST_ENTRY_free ( CA_LIST_ENTRY *ca ) {
if ( !ca ) return;
if ( ca->ca_id )
{
PKI_log(PKI_LOG_INFO, "MEM::Freeing %s CA config", ca->ca_id );
PKI_Free ( ca->ca_id );
}
if ( ca->ca_cert ) PKI_X509_CERT_free ( ca->ca_cert );
if ( ca->cid ) CA_ENTRY_CERTID_free ( ca->cid );
if ( ca->ca_url ) URL_free ( ca->ca_url );
if ( ca->crl_url ) URL_free ( ca->crl_url );
if ( ca->crl_list )
{
X509_REVOKED *r = NULL;
while ((r = sk_X509_REVOKED_pop ( ca->crl_list )) != NULL)
{
X509_REVOKED_free ( r );
}
}
if ( ca->nextUpdate ) PKI_TIME_free ( ca->nextUpdate );
if ( ca->lastUpdate ) PKI_TIME_free ( ca->lastUpdate );
if ( ca->token_name ) PKI_Free ( ca->token_name );
if ( ca->token ) PKI_TOKEN_free ( ca->token );
PKI_Free ( ca );
return;
}
int ocspd_reload_all_ca ( OCSPD_CONFIG *conf ) {
int i=0;
CA_LIST_ENTRY *ca = NULL;
for( i = 0; i < PKI_STACK_elements( conf->ca_list); i++) {
ca = PKI_STACK_get_num( conf->ca_list, i );
/* Let's free the CA certs list, if present */
/*
if( ca->cert ) {
sk_X509_pop_free(ca->cert, X509_free );
}
*/
if (ca->ca_url ) {
if ( ca->ca_cert) PKI_X509_CERT_free ( ca->ca_cert );
/* Get the CA certificate */
ca->ca_cert = PKI_X509_CERT_get_url ( ca->ca_url,
NULL, NULL );
}
/*
if(!ca->cert || !sk_X509_num(ca->cert)) {
syslog(LOG_ERR, "Error loading CA URL data.");
continue;
} else {
if(conf->verbose)
syslog( LOG_INFO,
"CA CERT for %s loaded successfully.",
ca->ca_id );
}
*/
if( !ca->ca_cert ) {
if( ca->ca_url && ca->ca_url->url_s ) {
PKI_log_err ( "Can not load CA cert from %s",
ca->ca_url->url_s);
} else {
PKI_log_err ( "Can not load CA cert!");
continue;
}
} else {
PKI_log( PKI_LOG_INFO, " CA cert for %s loaded ok",
ca->ca_id );
}
if((ca->cid = CA_ENTRY_CERTID_new ( ca->ca_cert,
conf->digest)) == NULL ) {
PKI_log_err( "CA List structure init error (CERTID).");
continue;
}
}
return 1;
}
PKI_X509_CERT * PKI_X509_CERT_new (const PKI_X509_CERT * ca_cert,
const PKI_X509_KEYPAIR * kPair,
const PKI_X509_REQ * req,
const char * subj_s,
const char * serial_s,
uint64_t validity,
const PKI_X509_PROFILE * conf,
const PKI_ALGOR * algor,
const PKI_CONFIG * oids,
HSM *hsm ) {
PKI_X509_CERT *ret = NULL;
PKI_X509_CERT_VALUE *val = NULL;
PKI_X509_NAME *subj = NULL;
PKI_X509_NAME *issuer = NULL;
PKI_DIGEST_ALG *digest = NULL;
PKI_X509_KEYPAIR_VALUE *signingKey = NULL;
PKI_TOKEN *tk = NULL;
PKI_X509_KEYPAIR_VALUE *certPubKeyVal = NULL;
int rv = 0;
int ver = 2;
int64_t notBeforeVal = 0;
ASN1_INTEGER *serial = NULL;
char *ver_s = NULL;
/* Check if the REQUIRED PKEY has been passed */
if (!kPair || !kPair->value) {
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return (NULL);
};
signingKey = kPair->value;
/* TODO: This has to be fixed, to work on every option */
if ( subj_s )
{
subj = PKI_X509_NAME_new ( subj_s );
}
else if (conf || req)
{
char *tmp_s = NULL;
// Let's use the configuration option first
if (conf) {
// Get the value of the DN, if present
if ((tmp_s = PKI_CONFIG_get_value( conf,
"/profile/subject/dn")) != NULL ) {
// Builds from the DN in the config
subj = PKI_X509_NAME_new(tmp_s);
PKI_Free ( tmp_s );
}
}
// If we still do not have a name, let's check
// the request for one
if (req && !subj) {
const PKI_X509_NAME * req_subj = NULL;
// Copy the name from the request
if ((req_subj = PKI_X509_REQ_get_data(req,
PKI_X509_DATA_SUBJECT)) != NULL) {
subj = PKI_X509_NAME_dup(req_subj);
}
}
// If no name is provided, let's use an empty one
// TODO: Shall we remove this and fail instead ?
if (!subj) subj = PKI_X509_NAME_new( "" );
}
else
{
struct utsname myself;
char tmp_name[1024];
if (uname(&myself) < 0) {
subj = PKI_X509_NAME_new( "" );
} else {
sprintf( tmp_name, "CN=%s", myself.nodename );
subj = PKI_X509_NAME_new( tmp_name );
}
}
if (!subj) {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_SUBJECT, subj_s );
goto err;
}
if( ca_cert ) {
const PKI_X509_NAME *ca_subject = NULL;
/* Let's get the ca_cert subject and dup that data */
// ca_subject = (PKI_X509_NAME *)
// X509_get_subject_name( (X509 *) ca_cert );
ca_subject = PKI_X509_CERT_get_data( ca_cert,
PKI_X509_DATA_SUBJECT );
if( ca_subject ) {
issuer = (PKI_X509_NAME *) X509_NAME_dup((X509_NAME *)ca_subject);
} else {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_ISSUER, NULL);
goto err;
}
} else {
issuer = (PKI_X509_NAME *) X509_NAME_dup((X509_NAME *) subj);
}
if( !issuer ) {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_ISSUER, NULL);
goto err;
}
if(( ret = PKI_X509_CERT_new_null()) == NULL ) {
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
goto err;
}
/* Alloc memory structure for the Certificate */
if((ret->value = ret->cb->create()) == NULL ) {
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
return (NULL);
}
val = ret->value;
if(( ver_s = PKI_CONFIG_get_value( conf, "/profile/version")) != NULL ) {
ver = atoi( ver_s ) - 1;
if ( ver < 0 )
ver = 0;
PKI_Free ( ver_s );
} else {
ver = 2;
};
if (!X509_set_version(val,ver)) {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_VERSION, NULL);
goto err;
}
if (serial_s) {
char * tmp_s = (char *) serial_s;
serial = s2i_ASN1_INTEGER(NULL, tmp_s);
} else {
// If cacert we assume it is a normal cert - let's create a
// random serial number, otherwise - it's a self-signed, use
// the usual 'fake' 0
if ( ca_cert ) {
unsigned char bytes[11];
RAND_bytes(bytes, sizeof(bytes));
bytes[0] = 0;
serial = PKI_INTEGER_new_bin(bytes, sizeof(bytes));
} else {
serial = s2i_ASN1_INTEGER( NULL, "0");
};
};
if(!X509_set_serialNumber( val, serial )) {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_SERIAL, serial_s);
goto err;
}
/* Set the issuer Name */
// rv = X509_set_issuer_name((X509 *) ret, (X509_NAME *) issuer);
if(!X509_set_issuer_name( val, (X509_NAME *) issuer)) {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_ISSUER, NULL);
goto err;
}
/* Set the subject Name */
if(!X509_set_subject_name(val, (X509_NAME *) subj)) {
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_SUBJECT, NULL);
goto err;
}
/* Set the start date (notBefore) */
if (conf)
{
int years = 0;
int days = 0;
int hours = 0;
int mins = 0;
int secs = 0;
char *tmp_s = NULL;
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/notBefore/years")) != NULL ) {
years = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/notBefore/days")) != NULL ) {
days = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/notBefore/hours")) != NULL ) {
hours = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/notBefore/minutes")) != NULL ) {
mins = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/notBefore/seconds")) != NULL ) {
secs = atoi( tmp_s );
PKI_Free ( tmp_s );
};
notBeforeVal = secs +
( mins * 60 ) +
( hours * 3600 ) +
( days * 3600 * 24 ) +
( years * 3600 * 24 * 365 );
};
/* Set the validity (notAfter) */
if( conf && validity == 0 )
{
long long years = 0;
long long days = 0;
long long hours = 0;
long long mins = 0;
long long secs = 0;
char *tmp_s = NULL;
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/validity/years")) != NULL ) {
years = atoll( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/validity/days")) != NULL ) {
days = atoll( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/validity/hours")) != NULL ) {
hours = atoll( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/validity/minutes")) != NULL ) {
mins = atoll( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( conf,
"/profile/validity/minutes")) != NULL ) {
secs = atoll( tmp_s );
PKI_Free ( tmp_s );
};
validity = (unsigned long long) secs +
(unsigned long long) ( mins * 60 ) +
(unsigned long long) ( hours * 3600 ) +
(unsigned long long) ( days * 3600 * 24 ) +
(unsigned long long) ( years * 3600 * 24 * 365 );
};
if (validity <= 0) validity = 30 * 3600 * 24;
#if ( LIBPKI_OS_BITS == LIBPKI_OS32 )
long notBeforeVal32 = (long) notBeforeVal;
if (X509_gmtime_adj(X509_get_notBefore(val), notBeforeVal32 ) == NULL)
{
#else
if (X509_gmtime_adj(X509_get_notBefore(val), notBeforeVal ) == NULL)
{
#endif
PKI_ERROR(PKI_ERR_X509_CERT_CREATE_NOTBEFORE, NULL);
goto err;
}
/* Set the end date in a year */
if (X509_gmtime_adj(X509_get_notAfter(val),(long int) validity) == NULL)
{
PKI_DEBUG("ERROR: can not set notAfter field!");
goto err;
}
/* Copy the PKEY if it is in the request, otherwise use the
public part of the PKI_X509_CERT */
if (req)
{
certPubKeyVal = (PKI_X509_KEYPAIR_VALUE *)
PKI_X509_REQ_get_data(req, PKI_X509_DATA_KEYPAIR_VALUE);
if( !certPubKeyVal ) {
PKI_DEBUG("ERROR, can not get pubkey from req!");
goto err;
}
}
else
{
/* Self Signed -- Same Public Key! */
certPubKeyVal = signingKey;
}
if (!ca_cert && conf)
{
char *tmp_s = NULL;
if(( tmp_s = PKI_X509_PROFILE_get_value( conf,
"/profile/keyParams/algorithm")) != NULL )
{
PKI_ALGOR *myAlg = NULL;
PKI_DIGEST_ALG *dgst = NULL;
if((myAlg = PKI_ALGOR_get_by_name( tmp_s )) != NULL )
{
if(!algor) algor = myAlg;
if((dgst = PKI_ALGOR_get_digest( myAlg )) != NULL )
{
PKI_DEBUG("Got Signing Algorithm: %s, %s",
PKI_DIGEST_ALG_get_parsed(dgst), PKI_ALGOR_get_parsed(myAlg));
digest = dgst;
}
else
{
PKI_DEBUG("Can not parse digest algorithm from %s", tmp_s);
}
}
else
{
PKI_DEBUG("Can not parse key algorithm from %s", tmp_s);
}
PKI_Free ( tmp_s );
}
}
if (conf)
{
PKI_KEYPARAMS *kParams = NULL;
PKI_SCHEME_ID scheme;
scheme = PKI_ALGOR_get_scheme( algor );
kParams = PKI_KEYPARAMS_new(scheme, conf);
if (kParams)
{
/* Sets the point compression */
switch ( kParams->scheme )
{
#ifdef ENABLE_ECDSA
case PKI_SCHEME_ECDSA:
if ( (int) kParams->ec.form > 0 )
{
# if OPENSSL_VERSION_NUMBER < 0x1010000fL
EC_KEY_set_conv_form(certPubKeyVal->pkey.ec,
(point_conversion_form_t) kParams->ec.form);
# else
EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(certPubKeyVal),
(point_conversion_form_t) kParams->ec.form);
# endif
}
if ( kParams->ec.asn1flags > -1 )
{
# if OPENSSL_VERSION_NUMBER < 0x1010000fL
EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec,
kParams->ec.asn1flags );
# else
EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(certPubKeyVal),
kParams->ec.asn1flags );
# endif
}
break;
#endif
case PKI_SCHEME_RSA:
case PKI_SCHEME_DSA:
break;
default:
// Nothing to do
PKI_ERROR(PKI_ERR_GENERAL, "Signing Scheme Uknown %d!", kParams->scheme);
break;
}
}
}
if (!X509_set_pubkey(val, certPubKeyVal))
{
PKI_DEBUG("ERROR, can not set pubkey in cert!");
goto err;
}
if (conf)
{
if((tk = PKI_TOKEN_new_null()) == NULL )
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
goto err;
}
PKI_TOKEN_set_cert(tk, ret);
if (ca_cert) {
PKI_TOKEN_set_cacert(tk, (PKI_X509_CERT *)ca_cert);
} else {
PKI_TOKEN_set_cacert(tk, (PKI_X509_CERT *)ret);
}
if (req) PKI_TOKEN_set_req(tk, (PKI_X509_REQ *)req );
if (kPair) PKI_TOKEN_set_keypair ( tk, (PKI_X509_KEYPAIR *)kPair );
rv = PKI_X509_EXTENSIONS_cert_add_profile(conf, oids, ret, tk);
if (rv != PKI_OK)
{
PKI_DEBUG( "ERROR, can not set extensions!");
tk->cert = NULL;
tk->cacert = NULL;
tk->req = NULL;
tk->keypair = NULL;
PKI_TOKEN_free ( tk );
goto err;
}
// Cleanup for the token (used only to add extensions)
tk->cert = NULL;
tk->cacert = NULL;
tk->req = NULL;
tk->keypair = NULL;
PKI_TOKEN_free ( tk );
}
if (!digest)
{
if (!algor)
{
PKI_log_debug("Getting the Digest Algorithm from the CA cert");
// Let's get the Digest Algorithm from the CA Cert
if (ca_cert)
{
if((algor = PKI_X509_CERT_get_data(ca_cert,
PKI_X509_DATA_ALGORITHM )) == NULL)
{
PKI_log_err("Can not retrieve DATA algorithm from CA cert");
}
}
}
// If we have an Algor from either the passed argument or
// the CA Certificate, extract the digest from it. Otherwise
// get the digest from the signing key
if (algor)
{
if((digest = PKI_ALGOR_get_digest(algor)) == NULL )
{
PKI_log_err("Can not get digest from algor");
}
}
// Check, if still no digest, let's try from the signing Key
if (digest == NULL)
{
if ((digest = PKI_DIGEST_ALG_get_by_key( kPair )) == NULL)
{
PKI_log_err("Can not infer digest algor from the key pair");
}
}
}
// No Digest Here ? We failed...
if (digest == NULL)
{
PKI_log_err("PKI_X509_CERT_new()::Can not get the digest!");
return( NULL );
}
// Sign the data
if (PKI_X509_sign(ret, digest, kPair) == PKI_ERR)
{
PKI_log_err ("Can not sign certificate [%s]",
ERR_error_string(ERR_get_error(), NULL ));
PKI_X509_CERT_free ( ret );
return NULL;
}
#if ( OPENSSL_VERSION_NUMBER >= 0x0090900f )
# if OPENSSL_VERSION_NUMBER < 0x1010000fL
PKI_X509_CERT_VALUE *cVal = (PKI_X509_CERT_VALUE *) ret->value;
if (cVal && cVal->cert_info)
{
PKI_log_debug("Signature = %s",
PKI_ALGOR_get_parsed(cVal->cert_info->signature));
}
# endif
// PKI_X509_CINF_FULL *cFull = NULL;
// cFull = (PKI_X509_CINF_FULL *) cVal->cert_info;
// cFull->enc.modified = 1;
#endif
return ret;
err:
if (ret) PKI_X509_CERT_free(ret);
if (subj) PKI_X509_NAME_free(subj);
if (issuer) PKI_X509_NAME_free(issuer);
return NULL;
}
/*!
* \brief Signs a PKI_X509_CERT
*/
int PKI_X509_CERT_sign(PKI_X509_CERT *cert, PKI_X509_KEYPAIR *kp,
PKI_DIGEST_ALG *digest) {
const PKI_ALGOR *alg = NULL;
if( !cert || !cert->value || !kp || !kp->value ) {
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
if(!digest) {
if((alg = PKI_X509_CERT_get_data(cert, PKI_X509_DATA_ALGORITHM))!=NULL) {
digest = PKI_ALGOR_get_digest ( alg );
}
}
if(!digest) {
if((digest = PKI_DIGEST_ALG_get_by_key(kp)) == NULL) {
PKI_log_err("PKI_X509_CERT_new()::Can not get digest algor "
"from key");
return PKI_ERR;
}
}
if( PKI_X509_sign(cert, digest, kp) == PKI_ERR) {
PKI_log_err ("PKI_X509_CERT_new()::Can not sign certificate [%s]",
ERR_error_string(ERR_get_error(), NULL ));
return PKI_ERR;
}
return PKI_OK;
};
/*!
* \brief Signs a PKI_X509_CERT by using a configured PKI_TOKEN
*/
int PKI_X509_CERT_sign_tk ( PKI_X509_CERT *cert, PKI_TOKEN *tk,
PKI_DIGEST_ALG *digest) {
PKI_X509_KEYPAIR *kp = NULL;
if( !cert || !cert->value || !tk ) {
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
};
if( PKI_TOKEN_login( tk ) == PKI_ERR ) {
PKI_ERROR(PKI_ERR_HSM_LOGIN, NULL);
return PKI_ERR;
};
if((kp = PKI_TOKEN_get_keypair( tk )) == NULL ) {
return PKI_ERR;
};
return PKI_X509_CERT_sign ( cert, kp, digest );
};
int PKI_X509_PKCS7_VALUE_print_bio ( PKI_IO *bio,
PKI_X509_PKCS7_VALUE *p7val ) {
int type;
int i,j;
int cert_num = -1;
int crl_num = -1;
int signers_num = -1;
char *tmp_str = NULL;
PKI_X509_PKCS7 *msg = NULL;
PKCS7_SIGNER_INFO *si = NULL;
PKI_X509_CERT *cert = NULL;
PKI_DIGEST *digest = NULL;
PKI_MEM *mem = NULL;
if (!bio || !p7val ) return PKI_ERR;
if (( msg = PKI_X509_new_dup_value ( PKI_DATATYPE_X509_PKCS7,
p7val, NULL )) == NULL ) {
return PKI_ERR;
}
type = PKI_X509_PKCS7_get_type ( msg );
BIO_printf( bio, "PKCS#7 Message:\r\n" );
BIO_printf( bio, " Message Type:\r\n " );
switch ( type ) {
case PKI_X509_PKCS7_TYPE_ENCRYPTED:
BIO_printf( bio, "Encrypted\r\n" );
break;
case PKI_X509_PKCS7_TYPE_SIGNED:
BIO_printf( bio, "Signed\r\n" );
break;
case PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED:
BIO_printf( bio, "Signed and Encrypted\r\n" );
break;
default:
BIO_printf( bio, "Unknown (%d)\r\n", type );
break;
}
BIO_printf( bio, " Message Data:\r\n");
if (( mem = PKI_X509_PKCS7_get_raw_data ( msg )) == NULL ) {
BIO_printf( bio, " None.\r\n");
} else {
int msg_type = 0;
BIO_printf( bio, " Size=%u bytes\r\n",
(unsigned int) mem->size );
msg_type = PKI_X509_PKCS7_get_type ( msg );
if ( msg_type == PKI_X509_PKCS7_TYPE_ENCRYPTED ||
msg_type ==
PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED){
BIO_printf( bio, " Encrypted=yes\r\n");
BIO_printf( bio, " Algorithm=%s\r\n",
PKI_ALGOR_get_parsed (
PKI_X509_PKCS7_get_encode_alg ( msg )));
} else {
BIO_printf( bio, " Encrypted=no\r\n");
}
PKI_MEM_free ( mem );
}
i = 0;
if (( si = PKI_X509_PKCS7_get_signer_info ( msg, i )) == NULL ) {
BIO_printf(bio, " Signature Info:\r\n" );
BIO_printf(bio, " No Signature found.\r\n" );
}
// Print the Signer Info
BIO_printf( bio, " Signer Info:\r\n");
signers_num = PKI_X509_PKCS7_get_signers_num ( msg );
for ( i = 0; i < signers_num; i++ ) {
PKCS7_ISSUER_AND_SERIAL *ias = NULL;
BIO_printf ( bio, " [%d of %d] Signer Details:\r\n",
i+1, signers_num );
if (( si = PKI_X509_PKCS7_get_signer_info ( msg, i )) == NULL )
break;
if((ias = si->issuer_and_serial) == NULL ) {
BIO_printf ( bio, " "
"ERROR::Missing Info!\r\n");
} else {
tmp_str = PKI_INTEGER_get_parsed ( ias->serial );
BIO_printf ( bio, " Serial=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_NAME_get_parsed ( ias->issuer );
BIO_printf ( bio, " Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
}
if ( si->digest_enc_alg ) {
BIO_printf( bio, " "
"Encryption Algoritm=%s\r\n",
PKI_ALGOR_get_parsed ( si->digest_enc_alg ));
}
if ( si->digest_alg ) {
BIO_printf( bio, " Digest Algorithm=%s\r\n",
PKI_ALGOR_get_parsed ( si->digest_alg ));
}
BIO_printf( bio, " Signed Attributes:\r\n");
if ( si->auth_attr ) {
PKI_X509_ATTRIBUTE *a = NULL;
int attr_num = 0;
char * tmp_str = NULL;
for ( attr_num = 0; attr_num <
PKI_STACK_X509_ATTRIBUTE_elements (
si->auth_attr ); attr_num++ ) {
a = PKI_STACK_X509_ATTRIBUTE_get_num (
si->auth_attr, attr_num );
if ( PKI_OID_get_id ( a->object ) ==
NID_pkcs9_messageDigest ) {
tmp_str = PKI_X509_ATTRIBUTE_get_parsed
( a );
BIO_printf( bio, " "
"Message Digest:");
for ( j=0; j < strlen(tmp_str); j++ ) {
if ( ( j % 60 ) == 0 ) {
BIO_printf (bio,
"\r\n ");
}
BIO_printf(bio,"%c",tmp_str[j]);
} BIO_printf( bio, "\r\n");
// PKI_Free ( tmp_str );
} else {
BIO_printf( bio, " %s=",
PKI_X509_ATTRIBUTE_get_descr (
a ) );
tmp_str=
PKI_X509_ATTRIBUTE_get_parsed(a);
BIO_printf( bio, "%s\r\n", tmp_str );
PKI_Free ( tmp_str );
}
}
} else {
BIO_printf( bio, " None.\r\n");
}
BIO_printf( bio," Non Signed Attributes:\r\n");
if ( si->unauth_attr ) {
PKI_X509_ATTRIBUTE *a = NULL;
int attr_num = 0;
char * tmp_str = NULL;
for ( attr_num = 0; attr_num <
PKI_STACK_X509_ATTRIBUTE_elements (
si->auth_attr ); attr_num++ ) {
a = PKI_STACK_X509_ATTRIBUTE_get_num (
si->auth_attr, attr_num );
BIO_printf( bio, " %s=",
PKI_X509_ATTRIBUTE_get_descr ( a ) );
tmp_str = PKI_X509_ATTRIBUTE_get_parsed ( a );
BIO_printf( bio, "%s\r\n", tmp_str );
PKI_Free ( tmp_str );
}
BIO_printf( bio, "\r\n");
} else {
BIO_printf( bio, " None.\r\n");
}
}
BIO_printf( bio, "\r\n Recipients Info:\r\n");
if( PKI_X509_PKCS7_has_recipients ( msg ) == PKI_ERR ) {
BIO_printf( bio, " No Recipients\r\n");
} else {
int rec_num = 0;
PKI_X509_CERT *rec = NULL;
rec_num = PKI_X509_PKCS7_get_recipients_num ( msg );
for ( i=0; i < rec_num; i++ ) {
rec = PKI_X509_PKCS7_get_recipient_cert ( msg, i );
if ( !rec ) {
PKCS7_RECIP_INFO *ri = NULL;
PKCS7_ISSUER_AND_SERIAL *ias = NULL;
BIO_printf( bio, " "
"[%d of %d] Recipient Details:\r\n",
i+1, rec_num );
ri = PKI_X509_PKCS7_get_recipient_info ( msg,i);
if (!ri) {
BIO_printf(bio," <ERROR>");
continue;
}
if((ias = ri->issuer_and_serial) != NULL ) {
tmp_str = PKI_INTEGER_get_parsed (
ias->serial );
BIO_printf( bio, " "
"Serial=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_NAME_get_parsed (
ias->issuer );
BIO_printf( bio, " "
"Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
BIO_printf( bio, " "
"Key Encoding Algorithm=%s\r\n",
PKI_ALGOR_get_parsed (
ri->key_enc_algor ));
}
} else {
BIO_printf( bio, " "
"[%d] Recipient Certificate:\r\n", i );
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_SUBJECT );
BIO_printf( bio, " "
"Subject=%s\r\n", tmp_str);
PKI_Free ( tmp_str );
}
}
}
/* Now Let's Check the CRLs */
BIO_printf(bio, "\r\n Certificates:\r\n");
if ((cert_num = PKI_X509_PKCS7_get_certs_num ( msg )) > 0 ) {
PKI_X509_CERT * cert = NULL;
for (i = 0; i < cert_num; i++ ) {
BIO_printf( bio, " [%d of %d] Certificate:\r\n",
i+1, cert_num);
if((cert = PKI_X509_PKCS7_get_cert ( msg, i )) == NULL ) {
BIO_printf( bio, " Error.\r\n");
continue;
};
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_SERIAL );
BIO_printf( bio, " Serial=%s\r\n",
tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_ISSUER );
BIO_printf( bio, " Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_SUBJECT );
BIO_printf( bio, " Subject=%s\r\n", tmp_str);
PKI_Free ( tmp_str );
digest = PKI_X509_CERT_fingerprint( cert,
PKI_DIGEST_ALG_DEFAULT );
tmp_str = PKI_DIGEST_get_parsed ( digest );
BIO_printf( bio, " Fingerprint [%s]:",
PKI_DIGEST_ALG_get_parsed (
PKI_DIGEST_ALG_DEFAULT ));
for ( j=0; j < strlen(tmp_str); j++ ) {
if ( ( j % 60 ) == 0 ) {
BIO_printf (bio,"\r\n ");
}
BIO_printf( bio, "%c", tmp_str[j] );
} BIO_printf( bio, "\r\n");
PKI_DIGEST_free ( digest );
PKI_Free ( tmp_str );
PKI_X509_CERT_free ( cert );
// X509_signature_print(bp,
// br->signatureAlgorithm, br->signature);
}
} else {
BIO_printf( bio, " None.\r\n");
}
BIO_printf(bio, "\r\n Certificate Revocation Lists:\r\n");
if((crl_num = PKI_X509_PKCS7_get_crls_num ( msg )) > 0 ) {
PKI_X509_CRL * crl = NULL;
for ( i = 0; i < crl_num; i++ ) {
BIO_printf( bio, " [%d of %d] CRL Details:\r\n",
i+1, crl_num );
if(( crl = PKI_X509_PKCS7_get_crl ( msg, i )) == NULL ) {
BIO_printf(bio," ERROR::Missing Data\r\n");
continue;
}
tmp_str = PKI_X509_CRL_get_parsed(crl,PKI_X509_DATA_VERSION);
BIO_printf( bio, " Version=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
// tmp_str = PKI_X509_CRL_get_parsed(crl,PKI_X509_DATA_SERIAL);
// BIO_printf( bio, " Serial=%s\r\n", tmp_str );
// PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,PKI_X509_DATA_ISSUER);
BIO_printf( bio, " Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,
PKI_X509_DATA_ALGORITHM);
BIO_printf( bio, " Algorithm=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,
PKI_X509_DATA_NOTBEFORE);
BIO_printf( bio, " Not Before=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,
PKI_X509_DATA_NOTAFTER);
BIO_printf( bio, " Not After=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
PKI_X509_CRL_free ( crl );
}
} else {
BIO_printf( bio, " None.\r\n");
}
BIO_printf(bio, "\r\n");
return PKI_OK;
}
int OCSPD_build_ca_list ( OCSPD_CONFIG *handler,
PKI_CONFIG_STACK *ca_conf_sk) {
int i = 0;
PKI_STACK *ca_list = NULL;
PKI_log_debug("Building CA List");
if ( !ca_conf_sk ) {
PKI_log( PKI_LOG_ERR, "No stack of ca configs!");
return ( PKI_ERR );
}
if((ca_list = PKI_STACK_new((void (*))CA_LIST_ENTRY_free)) == NULL ) {
PKI_log_err ( "Memory Error");
return ( PKI_ERR );
}
for (i = 0; i < PKI_STACK_CONFIG_elements( ca_conf_sk ); i++)
{
char *tmp_s = NULL;
URL *tmp_url = NULL;
PKI_X509_CERT *tmp_cert = NULL;
CA_LIST_ENTRY *ca = NULL;
PKI_CONFIG *cnf = NULL;
/* Get the current Configureation file */
cnf = PKI_STACK_CONFIG_get_num( ca_conf_sk, i );
if (!cnf) continue;
/* Get the CA cert from the cfg file itself */
if((tmp_s = PKI_CONFIG_get_value( cnf, "/caConfig/caCertValue" )) == NULL )
{
/* Get the CA parsed url */
if((tmp_url = URL_new( PKI_CONFIG_get_value( cnf, "/caConfig/caCertUrl" ))) == NULL )
{
/* Error, can not parse url data */
PKI_log( PKI_LOG_ERR, "Can not parse CA cert url (%s)",
PKI_CONFIG_get_value(cnf, "/caConfig/caCertUrl"));
continue;
}
if((tmp_cert = PKI_X509_CERT_get_url(tmp_url, NULL, NULL ))== NULL)
{
PKI_log_err("Can not get CA cert from (%s)", tmp_url);
URL_free (tmp_url);
continue;
}
}
else
{
PKI_X509_CERT_STACK *cc_sk = NULL;
PKI_MEM *mm = NULL;
if((mm = PKI_MEM_new_null()) == NULL )
{
PKI_Free(tmp_s);
continue;
}
PKI_MEM_add ( mm, tmp_s, strlen(tmp_s));
if((cc_sk=PKI_X509_CERT_STACK_get_mem(mm, NULL)) == NULL )
{
PKI_log_err ( "Can not parse cert from /caConfig/caCertValue");
PKI_Free(tmp_s);
continue;
}
if ((tmp_cert = PKI_STACK_X509_CERT_pop( cc_sk )) == NULL )
{
PKI_log_err ( "No elements on stack from /caConfig/caCertValue");
PKI_STACK_X509_CERT_free_all(cc_sk);
PKI_Free(tmp_s);
continue;
}
PKI_STACK_X509_CERT_free ( cc_sk );
PKI_Free(tmp_s);
}
/* OCSPD create the CA entry */
if ((ca = CA_LIST_ENTRY_new()) == NULL )
{
PKI_log_err ( "CA List structure init error");
/* remember to do THIS!!!! */
if( tmp_url ) URL_free ( tmp_url );
if( tmp_cert ) PKI_X509_CERT_free ( tmp_cert );
continue;
}
ca->ca_cert = tmp_cert;
tmp_cert = NULL;
ca->ca_url = tmp_url;
tmp_url = NULL;
ca->ca_id = PKI_CONFIG_get_value( cnf, "/caConfig/name" );
ca->cid = CA_ENTRY_CERTID_new ( ca->ca_cert, handler->digest );
/* Get the CRL URL and the CRL itself */
if((tmp_s = PKI_CONFIG_get_value(cnf, "/caConfig/crlUrl")) == NULL)
{
PKI_STACK *cdp_sk = NULL;
/* Now let's get it from PRQP */
/* Now from the Certificate */
if((cdp_sk = PKI_X509_CERT_get_cdp (ca->ca_cert)) ==NULL)
{
// No source for the CRL Distribution Point
PKI_log_err ( "ERROR::Can not find the CDP for %s, skipping CA", ca->ca_id );
CA_LIST_ENTRY_free ( ca );
continue;
}
while ((tmp_s = PKI_STACK_pop ( cdp_sk )) != NULL)
{
if ((ca->crl_url = URL_new ( tmp_s )) == NULL )
{
PKI_log_err( "URL %s not in the right format!");
CA_LIST_ENTRY_free ( ca );
continue;
}
else if( tmp_s ) PKI_Free ( tmp_s );
break;
}
}
else
{
PKI_log_debug("Got CRL Url -> %s", tmp_s );
if((ca->crl_url = URL_new ( tmp_s )) == NULL )
{
PKI_log_err ("Error Parsing CRL URL [%s] for CA [%s]", ca->ca_id, tmp_s);
CA_LIST_ENTRY_free ( ca );
PKI_Free(tmp_s);
continue;
}
PKI_Free(tmp_s);
}
if(OCSPD_load_crl ( ca, handler ) == PKI_ERR )
{
PKI_log_err ( "Can not get CRL for %s", ca->ca_id);
CA_LIST_ENTRY_free ( ca );
continue;
}
/* If the Server has a Token to be used with this CA, let's
load it */
if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/serverToken" )) == NULL)
{
/* No token in config, let's see if a specific cert
is configured */
ca->token = NULL;
if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/serverCertUrl" )) == NULL )
{
/* No cert is configured, we will use the defaults */
ca->server_cert = NULL;
}
else
{
/* The Server's cert URL is found, let's load the certificate */
if ((tmp_cert = PKI_X509_CERT_get ( tmp_s, NULL, NULL )) == NULL )
{
PKI_log_err("Can not get server's cert from %s!", tmp_s );
CA_LIST_ENTRY_free ( ca );
PKI_Free(tmp_s);
continue;
}
else
{
ca->server_cert = tmp_cert;
}
PKI_Free(tmp_s);
}
}
else
{
/* A Token for this CA is found - we do not load
it to avoid problems with Thread Initialization */
ca->server_cert = NULL;
ca->token_name = tmp_s;
ca->token = PKI_TOKEN_new_null();
if ((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/pkiConfigDir" )) != NULL) {
ca->token_config_dir = strdup( tmp_s );
PKI_Free(tmp_s);
}
else
{
ca->token_config_dir = strdup(handler->token_config_dir);
}
}
if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/caCompromised" )) == NULL) {
ca->compromised = 0;
}
else
{
ca->compromised = atoi(tmp_s);
PKI_Free(tmp_s);
}
/* Responder Id Type */
if ((tmp_s = PKI_CONFIG_get_value(cnf, "/caConfig/responderIdType")) != NULL)
{
if (strncmp_nocase(tmp_s, "keyid", 5) == 0)
{
ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_KEYID;
}
else if (strncmp_nocase(tmp_s, "name", 4) == 0)
{
ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
}
else
{
PKI_log_err("Can not parse responderIdType: %s (allowed 'keyid' or 'name')", tmp_s);
exit(1);
}
PKI_Free(tmp_s);
}
else
{
// Default Value
ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
}
// Now let's add the CA_LIST_ENTRY to the list of configured CAs
PKI_STACK_push ( ca_list, ca );
}
handler->ca_list = ca_list;
return ( PKI_OK );
}
