void
ca_reset(struct privsep *ps, struct privsep_proc *p, void *arg)
{
struct iked *env = ps->ps_env;
struct ca_store *store = arg;
if (store->ca_cas != NULL)
X509_STORE_free(store->ca_cas);
if (store->ca_certs != NULL)
X509_STORE_free(store->ca_certs);
if ((store->ca_cas = X509_STORE_new()) == NULL)
fatalx("ca_reset: failed to get ca store");
if ((store->ca_calookup = X509_STORE_add_lookup(store->ca_cas,
X509_LOOKUP_file())) == NULL)
fatalx("ca_reset: failed to add ca lookup");
if ((store->ca_certs = X509_STORE_new()) == NULL)
fatalx("ca_reset: failed to get cert store");
if ((store->ca_certlookup = X509_STORE_add_lookup(store->ca_certs,
X509_LOOKUP_file())) == NULL)
fatalx("ca_reset: failed to add cert lookup");
env->sc_priv = store;
if (ca_reload(env) != 0)
fatal("ca_reset: reload");
}
static X509_STORE *create_store(nsp_state *N)
{
#define __FN__ __FILE__ ":create_store()"
X509_STORE *store;
X509_LOOKUP *lookup;
if (!(store = X509_STORE_new())) {
n_warn(N, __FN__, "Error creating X509_STORE_CTX object");
goto err;
}
X509_STORE_set_verify_cb_func(store, verify_callback);
if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) {
n_warn(N, __FN__, "Error loading the CA file or directory");
goto err;
}
if (X509_STORE_set_default_paths(store) != 1) {
n_warn(N, __FN__, "Error loading the system-wide CA certificates");
goto err;
}
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
n_warn(N, __FN__, "Error creating X509_LOOKUP object");
goto err;
}
if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) {
n_warn(N, __FN__, "Error reading the CRL file");
goto err;
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
return store;
err:
return NULL;
#undef __FN__
}
int GTTruststore_addLookupFile(const char *path)
{
int res = GT_UNKNOWN_ERROR;
X509_LOOKUP *lookup = NULL;
if (GT_truststore == NULL) {
/* Create an empty trustrore. */
res = GTTruststore_init(0);
if (res != GT_OK) goto cleanup;
}
if (path == NULL) {
res = GT_INVALID_ARGUMENT;
goto cleanup;
}
lookup = X509_STORE_add_lookup(GT_truststore, X509_LOOKUP_file());
if (lookup == NULL) {
res = GT_OUT_OF_MEMORY;
goto cleanup;
}
if (!X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM)) {
res = GT_PKI_BAD_DATA_FORMAT;
goto cleanup;
}
res = GT_OK;
cleanup:
return res;
}
/**
* xmlSecOpenSSLX509StoreAddCertsFile:
* @store: the pointer to OpenSSL x509 store.
* @file: the certs file.
*
* Adds all certs in @file to the list of trusted certs
* in @store. It is possible for @file to contain multiple certs.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(file != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->xst != NULL, -1);
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
if(lookup == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_add_lookup",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_LOOKUP_load_file",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"file='%s'",
xmlSecErrorsSafeString(file)
);
return(-1);
}
return(0);
}
X509_STORE *SSL_X509_STORE_create(char *cpFile, char *cpPath)
{
X509_STORE *pStore;
X509_LOOKUP *pLookup;
if (cpFile == NULL && cpPath == NULL)
return NULL;
if ((pStore = X509_STORE_new()) == NULL)
return NULL;
if (cpFile != NULL) {
if ((pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_file())) == NULL) {
X509_STORE_free(pStore);
return NULL;
}
X509_LOOKUP_load_file(pLookup, cpFile, X509_FILETYPE_PEM);
}
if (cpPath != NULL) {
if ((pLookup = X509_STORE_add_lookup(pStore, X509_LOOKUP_hash_dir())) == NULL) {
X509_STORE_free(pStore);
return NULL;
}
X509_LOOKUP_add_dir(pLookup, cpPath, X509_FILETYPE_PEM);
}
return pStore;
}
/**
* xmlSecOpenSSLX509StoreAddCertsFile:
* @store: the pointer to OpenSSL x509 store.
* @file: the certs file.
*
* Adds all certs in @file to the list of trusted certs
* in @store. It is possible for @file to contain multiple certs.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(file != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->xst != NULL, -1);
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
if(lookup == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_add_lookup");
return(-1);
}
if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_LOOKUP_load_file");
return(-1);
}
return(0);
}
IoSecureServer *IoSecureServer_setCRLFile(IoSecureServer *self, IoObject *locals, IoMessage *msg)
{
SSL_CTX *ctx = OCTX(self);
IoSeq *pathSeq = IoMessage_locals_seqArgAt_(msg, locals, 0);
char *path = IoSeq_asCString(pathSeq);
if(ctx == NULL)
{
IoState_error_(IOSTATE, msg, "SecureServer has no SSL_CTX");
return IONIL(self);
}
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_verify_cb_func(store, IoSecureSockets_Verify_CRL_Callback);
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
X509_LOOKUP *lookup;
if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
{
ERR_print_errors_fp(stderr);
IoState_error_(IOSTATE, msg, "Error creating X509_LOOKUP object.");
return IONIL(self);
}
if (X509_load_crl_file(lookup, path, X509_FILETYPE_PEM) != 1)
{
ERR_print_errors_fp(stderr);
IoState_error_(IOSTATE, msg, "Error loading CRL from file %s\n", path);
return IONIL(self);
}
return self;
}
/**
* Loads a CRL and appends its certificates to the specified SSL context.
*
* @param context The SSL context.
* @param crlPath The path to the CRL file.
*/
void AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath)
{
X509_STORE *x509_store = SSL_CTX_get_cert_store(context.get());
X509_LOOKUP *lookup;
lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file());
if (!lookup) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("X509_STORE_add_lookup")
<< errinfo_openssl_error(ERR_get_error()));
}
if (X509_LOOKUP_load_file(lookup, crlPath.CStr(), X509_FILETYPE_PEM) != 0) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("X509_LOOKUP_load_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(crlPath));
}
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(x509_store, param);
X509_VERIFY_PARAM_free(param);
}
int C_TransIPTLS::load_crls(char *P_crlfile)
{
X509_STORE *L_store;
X509_LOOKUP *L_lookup;
/* Get the X509_STORE from SSL context */
if (!(L_store = SSL_CTX_get_cert_store(m_ssl_ctx))) {
return (-1);
}
/* Add lookup file to X509_STORE */
if (!(L_lookup = X509_STORE_add_lookup(L_store,X509_LOOKUP_file()))) {
return (-1);
}
/* Add the CRLS to the lookpup object */
if (X509_load_crl_file(L_lookup,m_crl_file,X509_FILETYPE_PEM) != 1) {
return (-1);
}
/* Set the flags of the store so that CRLS's are consulted */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_set_flags( L_store,X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#else
GEN_ERROR(1, "version OpenSSL (<0.9.7) cannot handle CRL files in capath");
#endif
return (1);
}
int main(int argc, char *argv[]) {
X509 *cert;
X509_STORE *store;
X509_LOOKUP *lookup;
X509_STORE_CTX *verify_ctx;
FILE *fp;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
/* frist read the client certificate */
if (!(fp = fopen(CLIENT_CERT, "r"))) {
int_error("Error reading client certificate file");
}
if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
int_error("Error reading client certificate in file");
}
fclose(fp);
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new())) {
int_error("Error creating X509_STORE_CTX object");
}
X509_STORE_set_verify_cb_func(store, verify_callback);
/* load the CA certificates and CRLs */
if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) {
int_error("Error loading the CA file or directory");
}
if (X509_STORE_set_default_paths(store) != 1) {
int_error("Error loading the system-wide CA certificates");
}
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
int_error("Error creating X509_LOOKUP object");
}
if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) {
int_error("Error reading the CRL file");
}
/* set the flags of the store so that the CRLs are consulted */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
/* create a verification context and initialize it */
if (!(verify_ctx = X509_STORE_CTX_new())) {
int_error("Error creating X509_STORE_CTX object");
}
if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) {
int_error("Error initializing verification context");
}
/* verify the certificate */
if (X509_verify_cert(verify_ctx) != 1) {
int_error("Error verifying the certificate");
}
else {
printf("Certificate verified correctly!\n");
}
return 0;
}
/*
* Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
*
* Chain is as follows:
*
* rootCA (self-signed)
* |
* interCA
* |
* subinterCA subinterCA (self-signed)
* | |
* leaf ------------------
* |
* bad
*
* rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE
* leaf and bad have CA=FALSE
*
* subinterCA and subinterCA (ss) have the same subject name and keys
*
* interCA (but not rootCA) and subinterCA (ss) are in the trusted store
* (roots.pem)
* leaf and subinterCA are in the untrusted list (untrusted.pem)
* bad is the certificate being verified (bad.pem)
*
* Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has
* CA=FALSE, and will therefore incorrectly verify bad
*
*/
static int test_alt_chains_cert_forgery(const char *roots_f,
const char *untrusted_f,
const char *bad_f)
{
int ret = 0;
int i;
X509 *x = NULL;
STACK_OF(X509) *untrusted = NULL;
BIO *bio = NULL;
X509_STORE_CTX *sctx = NULL;
X509_STORE *store = NULL;
X509_LOOKUP *lookup = NULL;
store = X509_STORE_new();
if (store == NULL)
goto err;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto err;
if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))
goto err;
untrusted = load_certs_from_file(untrusted_f);
if ((bio = BIO_new_file(bad_f, "r")) == NULL)
goto err;
if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)
goto err;
sctx = X509_STORE_CTX_new();
if (sctx == NULL)
goto err;
if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
goto err;
i = X509_verify_cert(sctx);
if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
/* This is the result we were expecting: Test passed */
ret = 1;
}
err:
X509_STORE_CTX_free(sctx);
X509_free(x);
BIO_free(bio);
sk_X509_pop_free(untrusted, X509_free);
X509_STORE_free(store);
if (ret != 1)
ERR_print_errors_fp(stderr);
return ret;
}
boolean x509_verify_cert(CryptoCert cert, rdpSettings* settings)
{
char* cert_loc;
X509_STORE_CTX* csc;
boolean status = false;
X509_STORE* cert_ctx = NULL;
X509_LOOKUP* lookup = NULL;
X509* xcert = cert->px509;
cert_ctx = X509_STORE_new();
if (cert_ctx == NULL)
goto end;
OpenSSL_add_all_algorithms();
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
cert_loc = get_local_certloc(settings->home_path);
if(cert_loc != NULL)
{
X509_LOOKUP_add_dir(lookup, cert_loc, X509_FILETYPE_ASN1);
xfree(cert_loc);
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto end;
X509_STORE_set_flags(cert_ctx, 0);
if(!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0))
goto end;
if (X509_verify_cert(csc) == 1)
status = true;
X509_STORE_CTX_free(csc);
X509_STORE_free(cert_ctx);
end:
return status;
}
static X509_STORE *
setup_verify(char *CAfile, char *CApath)
{
X509_STORE *store = NULL;
X509_LOOKUP *lookup = NULL;
if(!(store = X509_STORE_new())){
// Something bad is happening...
goto end;
}
// adds the X509 file lookup method
lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file());
if (lookup == NULL){
goto end;
}
// Autenticating against one CA file
if (CAfile) {
if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
// Invalid CA => Bye bye
opkg_msg(ERROR, "Error loading file %s.\n", CAfile);
goto end;
}
} else {
X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
}
// Now look into CApath directory if supplied
lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
if (lookup == NULL){
goto end;
}
if (CApath) {
if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
opkg_msg(ERROR, "Error loading directory %s.\n", CApath);
goto end;
}
} else {
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
}
// All right !
ERR_clear_error();
return store;
end:
X509_STORE_free(store);
return NULL;
}
static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
int i;
/* Creating the X509_STORE object. */
cert_ctx = X509_STORE_new();
/* Setting the callback for certificate chain verification. */
X509_STORE_set_verify_cb(cert_ctx, verify_cb);
/* Adding a trusted certificate directory source. */
if (ca_path)
{
lookup = X509_STORE_add_lookup(cert_ctx,
X509_LOOKUP_hash_dir());
if (lookup == NULL)
{
BIO_printf(bio_err, "memory allocation failure\n");
goto err;
}
i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
if (!i)
{
BIO_printf(bio_err, "Error loading directory %s\n",
ca_path);
goto err;
}
}
/* Adding a trusted certificate file source. */
if (ca_file)
{
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
{
BIO_printf(bio_err, "memory allocation failure\n");
goto err;
}
i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM);
if (!i)
{
BIO_printf(bio_err, "Error loading file %s\n", ca_file);
goto err;
}
}
return cert_ctx;
err:
X509_STORE_free(cert_ctx);
return NULL;
}
BOOL x509_verify_certificate(CryptoCert cert, char* certificate_store_path)
{
X509_STORE_CTX* csc;
BOOL status = FALSE;
X509_STORE* cert_ctx = NULL;
X509_LOOKUP* lookup = NULL;
X509* xcert = cert->px509;
cert_ctx = X509_STORE_new();
if (cert_ctx == NULL)
goto end;
OpenSSL_add_all_algorithms();
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
if (certificate_store_path != NULL)
{
X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_ASN1);
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto end;
X509_STORE_set_flags(cert_ctx, 0);
if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0))
goto end;
if (X509_verify_cert(csc) == 1)
status = TRUE;
X509_STORE_CTX_free(csc);
X509_STORE_free(cert_ctx);
end:
return status;
}
static X509_LOOKUP_METHOD *
get_lookup_method (MonoBtlsX509LookupType type)
{
switch (type) {
case MONO_BTLS_X509_LOOKUP_TYPE_FILE:
return X509_LOOKUP_file ();
case MONO_BTLS_X509_LOOKUP_TYPE_HASH_DIR:
return X509_LOOKUP_hash_dir ();
case MONO_BTLS_X509_LOOKUP_TYPE_MONO:
return mono_btls_x509_lookup_mono_method ();
default:
return NULL;
}
}
/// \brief Used by pkcs7_main() - not to be used directly.
///
/// \param N/A
/// \return N/A
///
X509_STORE *
create_store (void)
{
X509_STORE *store;
X509_LOOKUP *lookup;
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new ()))
{
fprintf (stderr, "Error creating X509_STORE_CTX object\n");
goto err;
}
X509_STORE_set_verify_cb_func (store, verify_callback);
/* load the CA certificates and CRLs */
if (X509_STORE_load_locations (store, CA_FILE, CA_DIR) != 1)
{
fprintf (stderr, "Error loading the CA file or directory\n");
goto err;
}
if (X509_STORE_set_default_paths (store) != 1)
{
fprintf (stderr, "Error loading the system-wide CA certificates\n");
goto err;
}
if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())))
{
fprintf (stderr, "Error creating X509_LOOKUP object\n");
goto err;
}
/* if (X509_load_crl_file (lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
{
fprintf (stderr, "Error reading the CRL file\n");
goto err;
}
*/
/* set the flags of the store so that CRLs are consulted */
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
return store;
err:
return NULL;
}
static int load_file_lookup(X509_STORE *store, char *name) {
X509_LOOKUP *lookup;
lookup=X509_STORE_add_lookup(store, X509_LOOKUP_file());
if(!lookup) {
sslerror("X509_STORE_add_lookup");
return 0;
}
if(!X509_LOOKUP_load_file(lookup, name, X509_FILETYPE_PEM)) {
s_log(LOG_ERR, "Failed to load %s revocation lookup file", name);
sslerror("X509_LOOKUP_load_file");
return 0;
}
s_log(LOG_DEBUG, "Loaded %s revocation lookup file", name);
return 1; /* OK */
}
static bool
_mongoc_ssl_setup_crl (SSL_CTX *ctx,
const char *crlfile)
{
X509_STORE *store;
X509_LOOKUP *lookup;
int status;
store = SSL_CTX_get_cert_store (ctx);
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK);
lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ());
status = X509_load_crl_file (lookup, crlfile, X509_FILETYPE_PEM);
return status != 0;
}
int X509_STORE_set_default_paths(X509_STORE *ctx)
{
X509_LOOKUP *lookup;
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
if (lookup == NULL) return(0);
X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL) return(0);
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
/* clear any errors */
ERR_clear_error();
return(1);
}
static int test_509_dup_cert(int n)
{
int ret = 0;
X509_STORE_CTX *sctx = NULL;
X509_STORE *store = NULL;
X509_LOOKUP *lookup = NULL;
const char *cert_f = test_get_argument(n);
if (TEST_ptr(store = X509_STORE_new())
&& TEST_ptr(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))
&& TEST_true(X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM))
&& TEST_true(X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)))
ret = 1;
X509_STORE_CTX_free(sctx);
X509_STORE_free(store);
return ret;
}
bool SSLManager::_setupCRL(SSL_CTX* context, const std::string& crlFile) {
X509_STORE *store = SSL_CTX_get_cert_store(context);
fassert(16583, store);
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
fassert(16584, lookup);
int status = X509_load_crl_file(lookup, crlFile.c_str(), X509_FILETYPE_PEM);
if (status == 0) {
error() << "cannot read CRL file: " << crlFile << ' ' <<
getSSLErrorMessage(ERR_get_error()) << endl;
return false;
}
log() << "ssl imported " << status << " revoked certificate" <<
((status == 1) ? "" : "s") << " from the revocation list." <<
endl;
return true;
}
int
sircc_x509_store_add_certificate(X509_STORE *store, const char *path) {
X509_LOOKUP *lookup;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (!lookup) {
c_set_error("cannot create ssl store lookup: %s",
sircc_ssl_get_error());
return -1;
}
if (X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) == 0) {
c_set_error("cannot load ssl certificate from %s: %s",
path, sircc_ssl_get_error());
return -1;
}
return 0;
}
static X509_STORE *create_cert_store(char *CApath, char *CAfile, X509_VERIFY_PARAM *vpm)
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
int i;
cert_ctx = X509_STORE_new();
X509_STORE_set_verify_cb(cert_ctx, verify_cb);
if (CApath != NULL) {
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL) {
BIO_printf(bio_err, "memory allocation failure\n");
goto err;
}
i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
if (!i) {
BIO_printf(bio_err, "Error loading directory %s\n", CApath);
goto err;
}
}
if (CAfile != NULL) {
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL) {
BIO_printf(bio_err, "memory allocation failure\n");
goto err;
}
i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
if (!i) {
BIO_printf(bio_err, "Error loading file %s\n", CAfile);
goto err;
}
}
if (vpm != NULL)
X509_STORE_set1_param(cert_ctx, vpm);
return cert_ctx;
err:
X509_STORE_free(cert_ctx);
return NULL;
}
static VALUE
ossl_x509store_add_file(VALUE self, VALUE file)
{
X509_STORE *store;
X509_LOOKUP *lookup;
char *path = NULL;
if(file != Qnil){
Check_SafeStr(file);
path = RSTRING_PTR(file);
}
GetX509Store(self, store);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if(lookup == NULL) ossl_raise(eX509StoreError, NULL);
if(X509_LOOKUP_load_file(lookup, path, X509_FILETYPE_PEM) != 1){
ossl_raise(eX509StoreError, NULL);
}
return self;
}
SSL_CTX *_sslctx_common_setup (SSL_CTX * the_ctx, _netsnmpTLSBaseData * tlsbase)
{
char *crlFile;
char *cipherList;
X509_LOOKUP *lookup;
X509_STORE *cert_store = NULL;
_load_trusted_certs (the_ctx);
/* add in the CRLs if available */
crlFile = netsnmp_ds_get_string (NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_X509_CRL_FILE);
if (NULL != crlFile)
{
cert_store = SSL_CTX_get_cert_store (the_ctx);
DEBUGMSGTL (("sslctx_client", "loading CRL: %s\n", crlFile));
if (!cert_store)
LOGANDDIE ("failed to find certificate store");
if (!(lookup = X509_STORE_add_lookup (cert_store, X509_LOOKUP_file ())))
LOGANDDIE ("failed to create a lookup function for the CRL file");
if (X509_load_crl_file (lookup, crlFile, X509_FILETYPE_PEM) != 1)
LOGANDDIE ("failed to load the CRL file");
/* tell openssl to check CRLs */
X509_STORE_set_flags (cert_store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
cipherList = netsnmp_ds_get_string (NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_TLS_ALGORITMS);
if (NULL != cipherList)
{
if (SSL_CTX_set_cipher_list (the_ctx, cipherList) != 1)
LOGANDDIE ("failed to set the cipher list to the requested value");
else
snmp_log (LOG_INFO, "set SSL cipher list to '%s'\n", cipherList);
}
return the_ctx;
}
int verify_certificate (const char* certfile, const char* ca_cert)
{
X509_STORE *cert_ctx=NULL;
X509_LOOKUP *lookup=NULL;
cert_ctx=X509_STORE_new();
if (!cert_ctx)
return 0;
OpenSSL_add_all_algorithms();
lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
if (!lookup)
{
if (cert_ctx)
X509_STORE_free(cert_ctx);
return 0;
}
if(!X509_LOOKUP_load_file(lookup,ca_cert,X509_FILETYPE_PEM))
{
if (cert_ctx)
X509_STORE_free(cert_ctx);
return 0;
}
lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir());
if (!lookup)
{
if (cert_ctx)
X509_STORE_free(cert_ctx);
return 0;
}
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
return check(cert_ctx, certfile);
}
static Eina_Bool
_ecore_con_ssl_server_crl_add_openssl(Ecore_Con_Server *svr,
const char *crl_file)
{
X509_STORE *st;
X509_LOOKUP *lu;
static Eina_Bool flag = EINA_FALSE;
SSL_ERROR_CHECK_GOTO_ERROR(!(st = SSL_CTX_get_cert_store(svr->ssl_ctx)));
SSL_ERROR_CHECK_GOTO_ERROR(!(lu = X509_STORE_add_lookup(st, X509_LOOKUP_file())));
SSL_ERROR_CHECK_GOTO_ERROR(X509_load_crl_file(lu, crl_file, X509_FILETYPE_PEM) < 1);
if (!flag)
{
X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
flag = EINA_TRUE;
}
return EINA_TRUE;
error:
_openssl_print_errors();
return EINA_FALSE;
}
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *path)
{
X509_LOOKUP *lookup;
if (file != NULL)
{
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
if (lookup == NULL) return(0);
if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
return(0);
}
if (path != NULL)
{
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL) return(0);
if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
return(0);
}
if ((path == NULL) && (file == NULL))
return(0);
return(1);
}
static X509_STORE *
read_cacerts(char *file)
{
X509_STORE *store;
X509_LOOKUP *lookup;
if ((store = X509_STORE_new()) == NULL) {
warnx("Malloc failed");
goto end;
}
if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) ==
NULL) {
warnx("Unable to load CA certs from file %s", file);
goto end;
}
if (file) {
if (!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
warnx("Unable to load CA certs from file %s", file);
goto end;
}
} else
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) ==
NULL) {
warnx("Unable to load CA certs from file %s", file);
goto end;
}
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
ERR_clear_error();
return store;
end:
X509_STORE_free(store);
return NULL;
}
