void ca_reset(struct privsep *ps, struct privsep_proc *p, void *arg) { struct iked *env = ps->ps_env; struct ca_store *store = arg; if (store->ca_cas != NULL) X509_STORE_free(store->ca_cas); if (store->ca_certs != NULL) X509_STORE_free(store->ca_certs); if ((store->ca_cas = X509_STORE_new()) == NULL) fatalx("ca_reset: failed to get ca store"); if ((store->ca_calookup = X509_STORE_add_lookup(store->ca_cas, X509_LOOKUP_file())) == NULL) fatalx("ca_reset: failed to add ca lookup"); if ((store->ca_certs = X509_STORE_new()) == NULL) fatalx("ca_reset: failed to get cert store"); if ((store->ca_certlookup = X509_STORE_add_lookup(store->ca_certs, X509_LOOKUP_file())) == NULL) fatalx("ca_reset: failed to add cert lookup"); env->sc_priv = store; if (ca_reload(env) != 0) fatal("ca_reset: reload"); }
static X509_STORE *create_store(nsp_state *N) { #define __FN__ __FILE__ ":create_store()" X509_STORE *store; X509_LOOKUP *lookup; if (!(store = X509_STORE_new())) { n_warn(N, __FN__, "Error creating X509_STORE_CTX object"); goto err; } X509_STORE_set_verify_cb_func(store, verify_callback); if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) { n_warn(N, __FN__, "Error loading the CA file or directory"); goto err; } if (X509_STORE_set_default_paths(store) != 1) { n_warn(N, __FN__, "Error loading the system-wide CA certificates"); goto err; } if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) { n_warn(N, __FN__, "Error creating X509_LOOKUP object"); goto err; } if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) { n_warn(N, __FN__, "Error reading the CRL file"); goto err; } X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); return store; err: return NULL; #undef __FN__ }
int GTTruststore_addLookupFile(const char *path) { int res = GT_UNKNOWN_ERROR; X509_LOOKUP *lookup = NULL; if (GT_truststore == NULL) { /* Create an empty trustrore. */ res = GTTruststore_init(0); if (res != GT_OK) goto cleanup; } if (path == NULL) { res = GT_INVALID_ARGUMENT; goto cleanup; } lookup = X509_STORE_add_lookup(GT_truststore, X509_LOOKUP_file()); if (lookup == NULL) { res = GT_OUT_OF_MEMORY; goto cleanup; } if (!X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM)) { res = GT_PKI_BAD_DATA_FORMAT; goto cleanup; } res = GT_OK; cleanup: return res; }
/** * xmlSecOpenSSLX509StoreAddCertsFile: * @store: the pointer to OpenSSL x509 store. * @file: the certs file. * * Adds all certs in @file to the list of trusted certs * in @store. It is possible for @file to contain multiple certs. * * Returns: 0 on success or a negative value otherwise. */ int xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) { xmlSecOpenSSLX509StoreCtxPtr ctx; X509_LOOKUP *lookup = NULL; xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1); xmlSecAssert2(file != NULL, -1); ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->xst != NULL, -1); lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file()); if(lookup == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), "X509_STORE_add_lookup", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); return(-1); } if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), "X509_LOOKUP_load_file", XMLSEC_ERRORS_R_CRYPTO_FAILED, "file='%s'", xmlSecErrorsSafeString(file) ); return(-1); } return(0); }
X509_STORE *SSL_X509_STORE_create(char *cpFile, char *cpPath) { X509_STORE *pStore; X509_LOOKUP *pLookup; if (cpFile == NULL && cpPath == NULL) return NULL; if ((pStore = X509_STORE_new()) == NULL) return NULL; if (cpFile != NULL) { if ((pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file())) == NULL) { X509_STORE_free(pStore); return NULL; } X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM); } if (cpPath != NULL) { if ((pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir())) == NULL) { X509_STORE_free(pStore); return NULL; } X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM); } return pStore; }
/** * xmlSecOpenSSLX509StoreAddCertsFile: * @store: the pointer to OpenSSL x509 store. * @file: the certs file. * * Adds all certs in @file to the list of trusted certs * in @store. It is possible for @file to contain multiple certs. * * Returns: 0 on success or a negative value otherwise. */ int xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) { xmlSecOpenSSLX509StoreCtxPtr ctx; X509_LOOKUP *lookup = NULL; xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1); xmlSecAssert2(file != NULL, -1); ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->xst != NULL, -1); lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file()); if(lookup == NULL) { xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "X509_STORE_add_lookup"); return(-1); } if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) { xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "X509_LOOKUP_load_file"); return(-1); } return(0); }
IoSecureServer *IoSecureServer_setCRLFile(IoSecureServer *self, IoObject *locals, IoMessage *msg) { SSL_CTX *ctx = OCTX(self); IoSeq *pathSeq = IoMessage_locals_seqArgAt_(msg, locals, 0); char *path = IoSeq_asCString(pathSeq); if(ctx == NULL) { IoState_error_(IOSTATE, msg, "SecureServer has no SSL_CTX"); return IONIL(self); } X509_STORE *store = SSL_CTX_get_cert_store(ctx); X509_STORE_set_verify_cb_func(store, IoSecureSockets_Verify_CRL_Callback); X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); X509_LOOKUP *lookup; if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ()))) { ERR_print_errors_fp(stderr); IoState_error_(IOSTATE, msg, "Error creating X509_LOOKUP object."); return IONIL(self); } if (X509_load_crl_file(lookup, path, X509_FILETYPE_PEM) != 1) { ERR_print_errors_fp(stderr); IoState_error_(IOSTATE, msg, "Error loading CRL from file %s\n", path); return IONIL(self); } return self; }
/** * Loads a CRL and appends its certificates to the specified SSL context. * * @param context The SSL context. * @param crlPath The path to the CRL file. */ void AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath) { X509_STORE *x509_store = SSL_CTX_get_cert_store(context.get()); X509_LOOKUP *lookup; lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file()); if (!lookup) { BOOST_THROW_EXCEPTION(openssl_error() << boost::errinfo_api_function("X509_STORE_add_lookup") << errinfo_openssl_error(ERR_get_error())); } if (X509_LOOKUP_load_file(lookup, crlPath.CStr(), X509_FILETYPE_PEM) != 0) { BOOST_THROW_EXCEPTION(openssl_error() << boost::errinfo_api_function("X509_LOOKUP_load_file") << errinfo_openssl_error(ERR_get_error()) << boost::errinfo_file_name(crlPath)); } X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); X509_STORE_set1_param(x509_store, param); X509_VERIFY_PARAM_free(param); }
int C_TransIPTLS::load_crls(char *P_crlfile) { X509_STORE *L_store; X509_LOOKUP *L_lookup; /* Get the X509_STORE from SSL context */ if (!(L_store = SSL_CTX_get_cert_store(m_ssl_ctx))) { return (-1); } /* Add lookup file to X509_STORE */ if (!(L_lookup = X509_STORE_add_lookup(L_store,X509_LOOKUP_file()))) { return (-1); } /* Add the CRLS to the lookpup object */ if (X509_load_crl_file(L_lookup,m_crl_file,X509_FILETYPE_PEM) != 1) { return (-1); } /* Set the flags of the store so that CRLS's are consulted */ #if OPENSSL_VERSION_NUMBER >= 0x00907000L X509_STORE_set_flags( L_store,X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); #else GEN_ERROR(1, "version OpenSSL (<0.9.7) cannot handle CRL files in capath"); #endif return (1); }
int main(int argc, char *argv[]) { X509 *cert; X509_STORE *store; X509_LOOKUP *lookup; X509_STORE_CTX *verify_ctx; FILE *fp; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); /* frist read the client certificate */ if (!(fp = fopen(CLIENT_CERT, "r"))) { int_error("Error reading client certificate file"); } if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) { int_error("Error reading client certificate in file"); } fclose(fp); /* create the cert store and set the verify callback */ if (!(store = X509_STORE_new())) { int_error("Error creating X509_STORE_CTX object"); } X509_STORE_set_verify_cb_func(store, verify_callback); /* load the CA certificates and CRLs */ if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) { int_error("Error loading the CA file or directory"); } if (X509_STORE_set_default_paths(store) != 1) { int_error("Error loading the system-wide CA certificates"); } if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) { int_error("Error creating X509_LOOKUP object"); } if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) { int_error("Error reading the CRL file"); } /* set the flags of the store so that the CRLs are consulted */ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); /* create a verification context and initialize it */ if (!(verify_ctx = X509_STORE_CTX_new())) { int_error("Error creating X509_STORE_CTX object"); } if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) { int_error("Error initializing verification context"); } /* verify the certificate */ if (X509_verify_cert(verify_ctx) != 1) { int_error("Error verifying the certificate"); } else { printf("Certificate verified correctly!\n"); } return 0; }
/* * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: * * rootCA (self-signed) * | * interCA * | * subinterCA subinterCA (self-signed) * | | * leaf ------------------ * | * bad * * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE * leaf and bad have CA=FALSE * * subinterCA and subinterCA (ss) have the same subject name and keys * * interCA (but not rootCA) and subinterCA (ss) are in the trusted store * (roots.pem) * leaf and subinterCA are in the untrusted list (untrusted.pem) * bad is the certificate being verified (bad.pem) * * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has * CA=FALSE, and will therefore incorrectly verify bad * */ static int test_alt_chains_cert_forgery(const char *roots_f, const char *untrusted_f, const char *bad_f) { int ret = 0; int i; X509 *x = NULL; STACK_OF(X509) *untrusted = NULL; BIO *bio = NULL; X509_STORE_CTX *sctx = NULL; X509_STORE *store = NULL; X509_LOOKUP *lookup = NULL; store = X509_STORE_new(); if (store == NULL) goto err; lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto err; if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM)) goto err; untrusted = load_certs_from_file(untrusted_f); if ((bio = BIO_new_file(bad_f, "r")) == NULL) goto err; if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL) goto err; sctx = X509_STORE_CTX_new(); if (sctx == NULL) goto err; if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) goto err; i = X509_verify_cert(sctx); if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { /* This is the result we were expecting: Test passed */ ret = 1; } err: X509_STORE_CTX_free(sctx); X509_free(x); BIO_free(bio); sk_X509_pop_free(untrusted, X509_free); X509_STORE_free(store); if (ret != 1) ERR_print_errors_fp(stderr); return ret; }
boolean x509_verify_cert(CryptoCert cert, rdpSettings* settings) { char* cert_loc; X509_STORE_CTX* csc; boolean status = false; X509_STORE* cert_ctx = NULL; X509_LOOKUP* lookup = NULL; X509* xcert = cert->px509; cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; OpenSSL_add_all_algorithms(); lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) goto end; lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) goto end; X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); cert_loc = get_local_certloc(settings->home_path); if(cert_loc != NULL) { X509_LOOKUP_add_dir(lookup, cert_loc, X509_FILETYPE_ASN1); xfree(cert_loc); } csc = X509_STORE_CTX_new(); if (csc == NULL) goto end; X509_STORE_set_flags(cert_ctx, 0); if(!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0)) goto end; if (X509_verify_cert(csc) == 1) status = true; X509_STORE_CTX_free(csc); X509_STORE_free(cert_ctx); end: return status; }
static X509_STORE * setup_verify(char *CAfile, char *CApath) { X509_STORE *store = NULL; X509_LOOKUP *lookup = NULL; if(!(store = X509_STORE_new())){ // Something bad is happening... goto end; } // adds the X509 file lookup method lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file()); if (lookup == NULL){ goto end; } // Autenticating against one CA file if (CAfile) { if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) { // Invalid CA => Bye bye opkg_msg(ERROR, "Error loading file %s.\n", CAfile); goto end; } } else { X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); } // Now look into CApath directory if supplied lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); if (lookup == NULL){ goto end; } if (CApath) { if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) { opkg_msg(ERROR, "Error loading directory %s.\n", CApath); goto end; } } else { X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); } // All right ! ERR_clear_error(); return store; end: X509_STORE_free(store); return NULL; }
static X509_STORE *create_cert_store(char *ca_path, char *ca_file) { X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; int i; /* Creating the X509_STORE object. */ cert_ctx = X509_STORE_new(); /* Setting the callback for certificate chain verification. */ X509_STORE_set_verify_cb(cert_ctx, verify_cb); /* Adding a trusted certificate directory source. */ if (ca_path) { lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM); if (!i) { BIO_printf(bio_err, "Error loading directory %s\n", ca_path); goto err; } } /* Adding a trusted certificate file source. */ if (ca_file) { lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM); if (!i) { BIO_printf(bio_err, "Error loading file %s\n", ca_file); goto err; } } return cert_ctx; err: X509_STORE_free(cert_ctx); return NULL; }
BOOL x509_verify_certificate(CryptoCert cert, char* certificate_store_path) { X509_STORE_CTX* csc; BOOL status = FALSE; X509_STORE* cert_ctx = NULL; X509_LOOKUP* lookup = NULL; X509* xcert = cert->px509; cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; OpenSSL_add_all_algorithms(); lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) goto end; lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) goto end; X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); if (certificate_store_path != NULL) { X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_ASN1); } csc = X509_STORE_CTX_new(); if (csc == NULL) goto end; X509_STORE_set_flags(cert_ctx, 0); if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0)) goto end; if (X509_verify_cert(csc) == 1) status = TRUE; X509_STORE_CTX_free(csc); X509_STORE_free(cert_ctx); end: return status; }
static X509_LOOKUP_METHOD * get_lookup_method (MonoBtlsX509LookupType type) { switch (type) { case MONO_BTLS_X509_LOOKUP_TYPE_FILE: return X509_LOOKUP_file (); case MONO_BTLS_X509_LOOKUP_TYPE_HASH_DIR: return X509_LOOKUP_hash_dir (); case MONO_BTLS_X509_LOOKUP_TYPE_MONO: return mono_btls_x509_lookup_mono_method (); default: return NULL; } }
/// \brief Used by pkcs7_main() - not to be used directly. /// /// \param N/A /// \return N/A /// X509_STORE * create_store (void) { X509_STORE *store; X509_LOOKUP *lookup; /* create the cert store and set the verify callback */ if (!(store = X509_STORE_new ())) { fprintf (stderr, "Error creating X509_STORE_CTX object\n"); goto err; } X509_STORE_set_verify_cb_func (store, verify_callback); /* load the CA certificates and CRLs */ if (X509_STORE_load_locations (store, CA_FILE, CA_DIR) != 1) { fprintf (stderr, "Error loading the CA file or directory\n"); goto err; } if (X509_STORE_set_default_paths (store) != 1) { fprintf (stderr, "Error loading the system-wide CA certificates\n"); goto err; } if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ()))) { fprintf (stderr, "Error creating X509_LOOKUP object\n"); goto err; } /* if (X509_load_crl_file (lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) { fprintf (stderr, "Error reading the CRL file\n"); goto err; } */ /* set the flags of the store so that CRLs are consulted */ X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); return store; err: return NULL; }
static int load_file_lookup(X509_STORE *store, char *name) { X509_LOOKUP *lookup; lookup=X509_STORE_add_lookup(store, X509_LOOKUP_file()); if(!lookup) { sslerror("X509_STORE_add_lookup"); return 0; } if(!X509_LOOKUP_load_file(lookup, name, X509_FILETYPE_PEM)) { s_log(LOG_ERR, "Failed to load %s revocation lookup file", name); sslerror("X509_LOOKUP_load_file"); return 0; } s_log(LOG_DEBUG, "Loaded %s revocation lookup file", name); return 1; /* OK */ }
static bool _mongoc_ssl_setup_crl (SSL_CTX *ctx, const char *crlfile) { X509_STORE *store; X509_LOOKUP *lookup; int status; store = SSL_CTX_get_cert_store (ctx); X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK); lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ()); status = X509_load_crl_file (lookup, crlfile, X509_FILETYPE_PEM); return status != 0; }
int X509_STORE_set_default_paths(X509_STORE *ctx) { X509_LOOKUP *lookup; lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); if (lookup == NULL) return(0); X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir()); if (lookup == NULL) return(0); X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); /* clear any errors */ ERR_clear_error(); return(1); }
static int test_509_dup_cert(int n) { int ret = 0; X509_STORE_CTX *sctx = NULL; X509_STORE *store = NULL; X509_LOOKUP *lookup = NULL; const char *cert_f = test_get_argument(n); if (TEST_ptr(store = X509_STORE_new()) && TEST_ptr(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) && TEST_true(X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)) && TEST_true(X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM))) ret = 1; X509_STORE_CTX_free(sctx); X509_STORE_free(store); return ret; }
bool SSLManager::_setupCRL(SSL_CTX* context, const std::string& crlFile) { X509_STORE *store = SSL_CTX_get_cert_store(context); fassert(16583, store); X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK); X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); fassert(16584, lookup); int status = X509_load_crl_file(lookup, crlFile.c_str(), X509_FILETYPE_PEM); if (status == 0) { error() << "cannot read CRL file: " << crlFile << ' ' << getSSLErrorMessage(ERR_get_error()) << endl; return false; } log() << "ssl imported " << status << " revoked certificate" << ((status == 1) ? "" : "s") << " from the revocation list." << endl; return true; }
int sircc_x509_store_add_certificate(X509_STORE *store, const char *path) { X509_LOOKUP *lookup; lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (!lookup) { c_set_error("cannot create ssl store lookup: %s", sircc_ssl_get_error()); return -1; } if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) == 0) { c_set_error("cannot load ssl certificate from %s: %s", path, sircc_ssl_get_error()); return -1; } return 0; }
static X509_STORE *create_cert_store(char *CApath, char *CAfile, X509_VERIFY_PARAM *vpm) { X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; int i; cert_ctx = X509_STORE_new(); X509_STORE_set_verify_cb(cert_ctx, verify_cb); if (CApath != NULL) { lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); if (!i) { BIO_printf(bio_err, "Error loading directory %s\n", CApath); goto err; } } if (CAfile != NULL) { lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM); if (!i) { BIO_printf(bio_err, "Error loading file %s\n", CAfile); goto err; } } if (vpm != NULL) X509_STORE_set1_param(cert_ctx, vpm); return cert_ctx; err: X509_STORE_free(cert_ctx); return NULL; }
static VALUE ossl_x509store_add_file(VALUE self, VALUE file) { X509_STORE *store; X509_LOOKUP *lookup; char *path = NULL; if(file != Qnil){ Check_SafeStr(file); path = RSTRING_PTR(file); } GetX509Store(self, store); lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if(lookup == NULL) ossl_raise(eX509StoreError, NULL); if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){ ossl_raise(eX509StoreError, NULL); } return self; }
SSL_CTX *_sslctx_common_setup (SSL_CTX * the_ctx, _netsnmpTLSBaseData * tlsbase) { char *crlFile; char *cipherList; X509_LOOKUP *lookup; X509_STORE *cert_store = NULL; _load_trusted_certs (the_ctx); /* add in the CRLs if available */ crlFile = netsnmp_ds_get_string (NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_X509_CRL_FILE); if (NULL != crlFile) { cert_store = SSL_CTX_get_cert_store (the_ctx); DEBUGMSGTL (("sslctx_client", "loading CRL: %s\n", crlFile)); if (!cert_store) LOGANDDIE ("failed to find certificate store"); if (!(lookup = X509_STORE_add_lookup (cert_store, X509_LOOKUP_file ()))) LOGANDDIE ("failed to create a lookup function for the CRL file"); if (X509_load_crl_file (lookup, crlFile, X509_FILETYPE_PEM) != 1) LOGANDDIE ("failed to load the CRL file"); /* tell openssl to check CRLs */ X509_STORE_set_flags (cert_store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } cipherList = netsnmp_ds_get_string (NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_TLS_ALGORITMS); if (NULL != cipherList) { if (SSL_CTX_set_cipher_list (the_ctx, cipherList) != 1) LOGANDDIE ("failed to set the cipher list to the requested value"); else snmp_log (LOG_INFO, "set SSL cipher list to '%s'\n", cipherList); } return the_ctx; }
int verify_certificate (const char* certfile, const char* ca_cert) { X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; cert_ctx=X509_STORE_new(); if (!cert_ctx) return 0; OpenSSL_add_all_algorithms(); lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); if (!lookup) { if (cert_ctx) X509_STORE_free(cert_ctx); return 0; } if(!X509_LOOKUP_load_file(lookup,ca_cert,X509_FILETYPE_PEM)) { if (cert_ctx) X509_STORE_free(cert_ctx); return 0; } lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir()); if (!lookup) { if (cert_ctx) X509_STORE_free(cert_ctx); return 0; } X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); return check(cert_ctx, certfile); }
static Eina_Bool _ecore_con_ssl_server_crl_add_openssl(Ecore_Con_Server *svr, const char *crl_file) { X509_STORE *st; X509_LOOKUP *lu; static Eina_Bool flag = EINA_FALSE; SSL_ERROR_CHECK_GOTO_ERROR(!(st = SSL_CTX_get_cert_store(svr->ssl_ctx))); SSL_ERROR_CHECK_GOTO_ERROR(!(lu = X509_STORE_add_lookup(st, X509_LOOKUP_file()))); SSL_ERROR_CHECK_GOTO_ERROR(X509_load_crl_file(lu, crl_file, X509_FILETYPE_PEM) < 1); if (!flag) { X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); flag = EINA_TRUE; } return EINA_TRUE; error: _openssl_print_errors(); return EINA_FALSE; }
int X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *path) { X509_LOOKUP *lookup; if (file != NULL) { lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file()); if (lookup == NULL) return(0); if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1) return(0); } if (path != NULL) { lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir()); if (lookup == NULL) return(0); if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1) return(0); } if ((path == NULL) && (file == NULL)) return(0); return(1); }
static X509_STORE * read_cacerts(char *file) { X509_STORE *store; X509_LOOKUP *lookup; if ((store = X509_STORE_new()) == NULL) { warnx("Malloc failed"); goto end; } if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) == NULL) { warnx("Unable to load CA certs from file %s", file); goto end; } if (file) { if (!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) { warnx("Unable to load CA certs from file %s", file); goto end; } } else X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) == NULL) { warnx("Unable to load CA certs from file %s", file); goto end; } X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); ERR_clear_error(); return store; end: X509_STORE_free(store); return NULL; }