static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
if (!preverify_ok) {
char buf[256];
X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
int err = X509_STORE_CTX_get_error(ctx);
auto warning = PSTRING() << "verify error:num=" << err << ":" << X509_verify_cert_error_string(err)
<< ":depth=" << X509_STORE_CTX_get_error_depth(ctx) << ":" << buf;
double now = Time::now();
static std::mutex warning_mutex;
{
std::lock_guard<std::mutex> lock(warning_mutex);
static std::map<std::string, double> next_warning_time;
double &next = next_warning_time[warning];
if (next <= now) {
next = now + 300; // one warning per 5 minutes
LOG(WARNING) << warning;
}
}
}
return preverify_ok;
}
/*
* Before trusting a certificate, you must make sure that the
* certificate is 'valid'. There are several steps that your
* application can take in determining if a certificate is
* valid. Commonly used steps are:
*
* 1.Verifying the certificate's signature, and verifying that
* the certificate has been issued by a trusted Certificate
* Authority.
*
* 2.Verifying that the certificate is valid for the present date
* (i.e. it is being presented within its validity dates).
*
* 3.Verifying that the certificate has not been revoked by its
* issuing Certificate Authority, by checking with respect to a
* Certificate Revocation List (CRL).
*
* 4.Verifying that the credentials presented by the certificate
* fulfill additional requirements specific to the application,
* such as with respect to access control lists or with respect
* to OCSP (Online Certificate Status Processing).
*
* NOTE: This callback will be called multiple times based on the
* depth of the root certificate chain
*/
static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
{
char subject[1024]; /* Used for the subject name */
char issuer[1024]; /* Used for the issuer name */
char common_name[1024];
char cn_str[1024];
EAP_HANDLER *handler = NULL;
X509 *client_cert;
SSL *ssl;
int err, depth;
EAP_TLS_CONF *conf;
int my_ok = ok;
REQUEST *request;
client_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
if (!my_ok) {
radlog(L_ERR,"--> verify error:num=%d:%s\n",err,
X509_verify_cert_error_string(err));
return my_ok;
}
/*
* Retrieve the pointer to the SSL of the connection currently treated
* and the application specific data stored into the SSL object.
*/
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
handler = (EAP_HANDLER *)SSL_get_ex_data(ssl, 0);
request = handler->request;
conf = (EAP_TLS_CONF *)SSL_get_ex_data(ssl, 1);
/*
* Get the Subject & Issuer
*/
subject[0] = issuer[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(client_cert), subject,
sizeof(subject));
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer,
sizeof(issuer));
subject[sizeof(subject) - 1] = '\0';
issuer[sizeof(issuer) - 1] = '\0';
/*
* Get the Common Name
*/
X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
NID_commonName, common_name, sizeof(common_name));
common_name[sizeof(common_name) - 1] = '\0';
switch (ctx->error) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
radlog(L_ERR, "issuer= %s\n", issuer);
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
radlog(L_ERR, "notBefore=");
#if 0
ASN1_TIME_print(bio_err, X509_get_notBefore(ctx->current_cert));
#endif
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
radlog(L_ERR, "notAfter=");
#if 0
ASN1_TIME_print(bio_err, X509_get_notAfter(ctx->current_cert));
#endif
break;
}
/*
* If we're at the actual client cert, apply additional
* checks.
*/
if (depth == 0) {
/*
* If the conf tells us to, check cert issuer
* against the specified value and fail
* verification if they don't match.
*/
if (conf->check_cert_issuer &&
(strcmp(issuer, conf->check_cert_issuer) != 0)) {
radlog(L_AUTH, "rlm_eap_tls: Certificate issuer (%s) does not match specified value (%s)!", issuer, conf->check_cert_issuer);
my_ok = 0;
}
/*
* If the conf tells us to, check the CN in the
* cert against xlat'ed value, but only if the
* previous checks passed.
*/
if (my_ok && conf->check_cert_cn) {
if (!radius_xlat(cn_str, sizeof(cn_str), conf->check_cert_cn, handler->request, NULL)) {
radlog(L_ERR, "rlm_eap_tls (%s): xlat failed.",
conf->check_cert_cn);
/* if this fails, fail the verification */
my_ok = 0;
} else {
RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
if (strcmp(cn_str, common_name) != 0) {
radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) does not match specified value (%s)!", common_name, cn_str);
my_ok = 0;
}
}
} /* check_cert_cn */
} /* depth == 0 */
if (debug_flag > 0) {
RDEBUG2("chain-depth=%d, ", depth);
RDEBUG2("error=%d", err);
RDEBUG2("--> User-Name = %s", handler->identity);
RDEBUG2("--> BUF-Name = %s", common_name);
RDEBUG2("--> subject = %s", subject);
RDEBUG2("--> issuer = %s", issuer);
RDEBUG2("--> verify return:%d", my_ok);
}
return my_ok;
}
static void print_stuff(BIO *bio, SSL *s, int full)
{
X509 *peer=NULL;
char *p;
static const char *space=" ";
char buf[BUFSIZ];
STACK_OF(X509) *sk;
STACK_OF(X509_NAME) *sk2;
SSL_CIPHER *c;
X509_NAME *xn;
int j,i;
#ifndef OPENSSL_NO_COMP
const COMP_METHOD *comp, *expansion;
#endif
if (full)
{
int got_a_chain = 0;
sk=SSL_get_peer_cert_chain(s);
if (sk != NULL)
{
got_a_chain = 1; /* we don't have it for SSL2 (yet) */
BIO_printf(bio,"---\nCertificate chain\n");
for (i=0; i<sk_X509_num(sk); i++)
{
X509_NAME_oneline(X509_get_subject_name(
sk_X509_value(sk,i)),buf,sizeof buf);
BIO_printf(bio,"%2d s:%s\n",i,buf);
X509_NAME_oneline(X509_get_issuer_name(
sk_X509_value(sk,i)),buf,sizeof buf);
BIO_printf(bio," i:%s\n",buf);
if (c_showcerts)
PEM_write_bio_X509(bio,sk_X509_value(sk,i));
}
}
BIO_printf(bio,"---\n");
peer=SSL_get_peer_certificate(s);
if (peer != NULL)
{
BIO_printf(bio,"Server certificate\n");
if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
PEM_write_bio_X509(bio,peer);
X509_NAME_oneline(X509_get_subject_name(peer),
buf,sizeof buf);
BIO_printf(bio,"subject=%s\n",buf);
X509_NAME_oneline(X509_get_issuer_name(peer),
buf,sizeof buf);
BIO_printf(bio,"issuer=%s\n",buf);
}
else
BIO_printf(bio,"no peer certificate available\n");
sk2=SSL_get_client_CA_list(s);
if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
{
BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
for (i=0; i<sk_X509_NAME_num(sk2); i++)
{
xn=sk_X509_NAME_value(sk2,i);
X509_NAME_oneline(xn,buf,sizeof(buf));
BIO_write(bio,buf,strlen(buf));
BIO_write(bio,"\n",1);
}
}
else
{
BIO_printf(bio,"---\nNo client certificate CA names sent\n");
}
p=SSL_get_shared_ciphers(s,buf,sizeof buf);
if (p != NULL)
{
/* This works only for SSL 2. In later protocol
* versions, the client does not know what other
* ciphers (in addition to the one to be used
* in the current connection) the server supports. */
BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
j=i=0;
while (*p)
{
if (*p == ':')
{
BIO_write(bio,space,15-j%25);
i++;
j=0;
BIO_write(bio,((i%3)?" ":"\n"),1);
}
else
{
BIO_write(bio,p,1);
j++;
}
p++;
}
BIO_write(bio,"\n",1);
}
BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(s)),
BIO_number_written(SSL_get_wbio(s)));
}
BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
c=SSL_get_current_cipher(s);
BIO_printf(bio,"%s, Cipher is %s\n",
SSL_CIPHER_get_version(c),
SSL_CIPHER_get_name(c));
if (peer != NULL) {
EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(peer);
BIO_printf(bio,"Server public key is %d bit\n",
EVP_PKEY_bits(pktmp));
EVP_PKEY_free(pktmp);
}
#ifndef OPENSSL_NO_COMP
comp=SSL_get_current_compression(s);
expansion=SSL_get_current_expansion(s);
BIO_printf(bio,"Compression: %s\n",
comp ? SSL_COMP_get_name(comp) : "NONE");
BIO_printf(bio,"Expansion: %s\n",
expansion ? SSL_COMP_get_name(expansion) : "NONE");
#endif
SSL_SESSION_print(bio,SSL_get_session(s));
BIO_printf(bio,"---\n");
if (peer != NULL)
X509_free(peer);
/* flush, or debugging output gets mixed with http response */
(void)BIO_flush(bio);
}
void OsSSL::logConnectParams(const OsSysLogFacility facility, ///< callers facility
const OsSysLogPriority priority, ///< log priority
const char* callerMsg, ///< Identifies circumstances of connection
SSL* connection ///< SSL connection to be described
)
{
if (connection)
{
char* subjectStr = NULL;
char* issuerStr = NULL;
UtlString altNames;
// Extract the subject and issuer information about the peer
// and the certificate validation result. Neither of these
// are meaningful without the other.
// (note various dynamically allocated items - freed below)
int validity = SSL_get_verify_result(connection);
X509* peer_cert = SSL_get_peer_certificate(connection);
if (peer_cert)
{
subjectStr = X509_NAME_oneline(X509_get_subject_name(peer_cert),0,0);
issuerStr = X509_NAME_oneline(X509_get_issuer_name(peer_cert),0,0);
// Look for the subjectAltName URI or DNS attributes
GENERAL_NAMES* names;
names = (GENERAL_NAMES*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL);
for(int i = 0; i < sk_GENERAL_NAME_num(names); i++)
{
GENERAL_NAME* name = sk_GENERAL_NAME_value(names, i);
switch (name->type)
{
case GEN_DNS:
{
ASN1_IA5STRING* uri = name->d.uniformResourceIdentifier;
if (!altNames.isNull())
{
altNames.append(",");
}
altNames.append((const char*)(uri->data),uri->length);
}
break;
case GEN_URI:
{
ASN1_IA5STRING* uri = name->d.uniformResourceIdentifier;
if (!altNames.isNull())
{
altNames.append(",");
}
altNames.append((const char*)(uri->data),uri->length);
}
break;
default:
// don't care about any other values
break;
}
}
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
// Get the name of the encryption applied to the connection
const char* cipher = SSL_get_cipher(connection);
OsSysLog::add(FAC_KERNEL, PRI_DEBUG,
"%s SSL Connection:\n"
" status: %s\n"
" peer: '%s'\n"
" alt names: %s\n"
" cipher: '%s'\n"
" issuer: '%s'",
callerMsg,
validity == X509_V_OK ? "Verified" : "NOT VERIFIED",
subjectStr ? subjectStr : "",
altNames.isNull() ? "" : altNames.data(),
cipher ? cipher : "",
issuerStr ? issuerStr : ""
);
// Release the various dynamic things
if (subjectStr)
{
OPENSSL_free(subjectStr);
}
if (issuerStr)
{
OPENSSL_free(issuerStr);
}
if (peer_cert)
{
X509_free(peer_cert);
}
}
else
{
OsSysLog::add(FAC_KERNEL, PRI_ERR,
"OsSSL::logConnectParams called by %s with NULL connection",
callerMsg
);
}
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int ret=1;
X509_REQ *req=NULL;
X509 *x=NULL,*xca=NULL;
ASN1_OBJECT *objtmp;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
EVP_PKEY *Upkey=NULL,*CApkey=NULL;
ASN1_INTEGER *sno = NULL;
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL;
int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
int next_serial=0;
int subject_hash=0,issuer_hash=0,ocspid=0;
#ifndef OPENSSL_NO_MD5
int subject_hash_old=0,issuer_hash_old=0;
#endif
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int ocsp_uri=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
const char **pp;
X509_STORE *ctx=NULL;
X509_REQ *rq=NULL;
int fingerprint=0;
char buf[256];
const EVP_MD *md_alg,*digest=NULL;
CONF *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
int checkend=0,checkoffset=0;
unsigned long nmflag = 0, certflag = 0;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
reqfile=0;
apps_startup();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
keyformat=FORMAT_PEM;
CAformat=FORMAT_PEM;
CAkeyformat=FORMAT_PEM;
ctx=X509_STORE_new();
if (ctx == NULL) goto end;
X509_STORE_set_verify_cb(ctx,callb);
argc--;
argv++;
num=0;
while (argc >= 1)
{
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-outform") == 0)
{
if (--argc < 1) goto bad;
outformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
keyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-req") == 0)
{
reqfile=1;
need_rand = 1;
}
else if (strcmp(*argv,"-CAform") == 0)
{
if (--argc < 1) goto bad;
CAformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-CAkeyform") == 0)
{
if (--argc < 1) goto bad;
CAkeyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-sigopt") == 0)
{
if (--argc < 1)
goto bad;
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
}
else if (strcmp(*argv,"-days") == 0)
{
if (--argc < 1) goto bad;
days=atoi(*(++argv));
if (days == 0)
{
BIO_printf(STDout,"bad number of days\n");
goto bad;
}
}
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passargin= *(++argv);
}
else if (strcmp(*argv,"-extfile") == 0)
{
if (--argc < 1) goto bad;
extfile= *(++argv);
}
else if (strcmp(*argv,"-extensions") == 0)
{
if (--argc < 1) goto bad;
extsect= *(++argv);
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-signkey") == 0)
{
if (--argc < 1) goto bad;
keyfile= *(++argv);
sign_flag= ++num;
need_rand = 1;
}
else if (strcmp(*argv,"-CA") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
CA_flag= ++num;
need_rand = 1;
}
else if (strcmp(*argv,"-CAkey") == 0)
{
if (--argc < 1) goto bad;
CAkeyfile= *(++argv);
}
else if (strcmp(*argv,"-CAserial") == 0)
{
if (--argc < 1) goto bad;
CAserial= *(++argv);
}
else if (strcmp(*argv,"-set_serial") == 0)
{
if (--argc < 1) goto bad;
if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
goto bad;
}
else if (strcmp(*argv,"-addtrust") == 0)
{
if (--argc < 1) goto bad;
if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
{
BIO_printf(bio_err,
"Invalid trust object value %s\n", *argv);
goto bad;
}
if (!trust) trust = sk_ASN1_OBJECT_new_null();
sk_ASN1_OBJECT_push(trust, objtmp);
trustout = 1;
}
else if (strcmp(*argv,"-addreject") == 0)
{
if (--argc < 1) goto bad;
if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
{
BIO_printf(bio_err,
"Invalid reject object value %s\n", *argv);
goto bad;
}
if (!reject) reject = sk_ASN1_OBJECT_new_null();
sk_ASN1_OBJECT_push(reject, objtmp);
trustout = 1;
}
else if (strcmp(*argv,"-setalias") == 0)
{
if (--argc < 1) goto bad;
alias= *(++argv);
trustout = 1;
}
else if (strcmp(*argv,"-certopt") == 0)
{
if (--argc < 1) goto bad;
if (!set_cert_ex(&certflag, *(++argv))) goto bad;
}
else if (strcmp(*argv,"-nameopt") == 0)
{
if (--argc < 1) goto bad;
if (!set_name_ex(&nmflag, *(++argv))) goto bad;
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine= *(++argv);
}
#endif
else if (strcmp(*argv,"-C") == 0)
C= ++num;
else if (strcmp(*argv,"-email") == 0)
email= ++num;
else if (strcmp(*argv,"-ocsp_uri") == 0)
ocsp_uri= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-next_serial") == 0)
next_serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
modulus= ++num;
else if (strcmp(*argv,"-pubkey") == 0)
pubkey= ++num;
else if (strcmp(*argv,"-x509toreq") == 0)
x509req= ++num;
else if (strcmp(*argv,"-text") == 0)
text= ++num;
else if (strcmp(*argv,"-hash") == 0
|| strcmp(*argv,"-subject_hash") == 0)
subject_hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-subject_hash_old") == 0)
subject_hash_old= ++num;
#endif
else if (strcmp(*argv,"-issuer_hash") == 0)
issuer_hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-issuer_hash_old") == 0)
issuer_hash_old= ++num;
#endif
else if (strcmp(*argv,"-subject") == 0)
subject= ++num;
else if (strcmp(*argv,"-issuer") == 0)
issuer= ++num;
else if (strcmp(*argv,"-fingerprint") == 0)
fingerprint= ++num;
else if (strcmp(*argv,"-dates") == 0)
{
startdate= ++num;
enddate= ++num;
}
else if (strcmp(*argv,"-purpose") == 0)
pprint= ++num;
else if (strcmp(*argv,"-startdate") == 0)
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
else if (strcmp(*argv,"-checkend") == 0)
{
if (--argc < 1) goto bad;
checkoffset=atoi(*(++argv));
checkend=1;
}
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-trustout") == 0)
trustout= 1;
else if (strcmp(*argv,"-clrtrust") == 0)
clrtrust= ++num;
else if (strcmp(*argv,"-clrreject") == 0)
clrreject= ++num;
else if (strcmp(*argv,"-alias") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
else if (strcmp(*argv,"-clrext") == 0)
clrext = 1;
#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
else if (strcmp(*argv,"-crlext") == 0)
{
BIO_printf(bio_err,"use -clrext instead of -crlext\n");
clrext = 1;
}
#endif
else if (strcmp(*argv,"-ocspid") == 0)
ocspid= ++num;
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
for (pp=x509_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if (need_rand)
app_RAND_load_file(NULL, bio_err, 0);
ERR_load_crypto_strings();
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
goto end;
}
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
{ CAkeyfile=CAfile; }
else if ((CA_flag) && (CAkeyfile == NULL))
{
BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
goto end;
}
if (extfile)
{
long errorline = -1;
X509V3_CTX ctx2;
extconf = NCONF_new(NULL);
if (!NCONF_load(extconf, extfile,&errorline))
{
if (errorline <= 0)
BIO_printf(bio_err,
"error loading the config file '%s'\n",
extfile);
else
BIO_printf(bio_err,
"error on line %ld of config file '%s'\n"
,errorline,extfile);
goto end;
}
if (!extsect)
{
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect)
{
ERR_clear_error();
extsect = "default";
}
}
X509V3_set_ctx_test(&ctx2);
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL))
{
BIO_printf(bio_err,
"Error Loading extension section %s\n",
extsect);
ERR_print_errors(bio_err);
goto end;
}
}
if (reqfile)
{
EVP_PKEY *pkey;
BIO *in;
if (!sign_flag && !CA_flag)
{
BIO_printf(bio_err,"We need a private key to sign with\n");
goto end;
}
in=BIO_new(BIO_s_file());
if (in == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
BIO_free(in);
goto end;
}
}
req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
BIO_free(in);
if (req == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if ( (req->req_info == NULL) ||
(req->req_info->pubkey == NULL) ||
(req->req_info->pubkey->public_key == NULL) ||
(req->req_info->pubkey->public_key->data == NULL))
{
BIO_printf(bio_err,"The certificate request appears to corrupted\n");
BIO_printf(bio_err,"It does not contain a public key\n");
goto end;
}
if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
{
BIO_printf(bio_err,"error unpacking public key\n");
goto end;
}
i=X509_REQ_verify(req,pkey);
EVP_PKEY_free(pkey);
if (i < 0)
{
BIO_printf(bio_err,"Signature verification error\n");
ERR_print_errors(bio_err);
goto end;
}
if (i == 0)
{
BIO_printf(bio_err,"Signature did not match the certificate request\n");
goto end;
}
else
BIO_printf(bio_err,"Signature ok\n");
print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
if ((x=X509_new()) == NULL) goto end;
if (sno == NULL)
{
sno = ASN1_INTEGER_new();
if (!sno || !rand_serial(NULL, sno))
goto end;
if (!X509_set_serialNumber(x, sno))
goto end;
ASN1_INTEGER_free(sno);
sno = NULL;
}
else if (!X509_set_serialNumber(x, sno))
goto end;
if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x,pkey);
EVP_PKEY_free(pkey);
}
else
x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
if (x == NULL) goto end;
if (CA_flag)
{
xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate");
if (xca == NULL) goto end;
}
if (!noout || text || next_serial)
{
OBJ_create("2.99999.3",
"SET.ex3","SET x509v3 extension 3");
out=BIO_new(BIO_s_file());
if (out == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
else
{
if (BIO_write_filename(out,outfile) <= 0)
{
perror(outfile);
goto end;
}
}
}
if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
if (clrtrust) X509_trust_clear(x);
if (clrreject) X509_reject_clear(x);
if (trust)
{
for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
{
objtmp = sk_ASN1_OBJECT_value(trust, i);
X509_add1_trust_object(x, objtmp);
}
}
if (reject)
{
for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
{
objtmp = sk_ASN1_OBJECT_value(reject, i);
X509_add1_reject_object(x, objtmp);
}
}
if (num)
{
for (i=1; i<=num; i++)
{
if (issuer == i)
{
print_name(STDout, "issuer= ",
X509_get_issuer_name(x), nmflag);
}
else if (subject == i)
{
print_name(STDout, "subject= ",
X509_get_subject_name(x), nmflag);
}
else if (serial == i)
{
BIO_printf(STDout,"serial=");
i2a_ASN1_INTEGER(STDout,
X509_get_serialNumber(x));
BIO_printf(STDout,"\n");
}
else if (next_serial == i)
{
BIGNUM *bnser;
ASN1_INTEGER *ser;
ser = X509_get_serialNumber(x);
bnser = ASN1_INTEGER_to_BN(ser, NULL);
if (!bnser)
goto end;
if (!BN_add_word(bnser, 1))
goto end;
ser = BN_to_ASN1_INTEGER(bnser, NULL);
if (!ser)
goto end;
BN_free(bnser);
i2a_ASN1_INTEGER(out, ser);
ASN1_INTEGER_free(ser);
BIO_puts(out, "\n");
}
else if ((email == i) || (ocsp_uri == i))
{
int j;
STACK_OF(OPENSSL_STRING) *emlst;
if (email == i)
emlst = X509_get1_email(x);
else
emlst = X509_get1_ocsp(x);
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
BIO_printf(STDout, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
X509_email_free(emlst);
}
else if (aliasout == i)
{
unsigned char *alstr;
alstr = X509_alias_get0(x, NULL);
if (alstr) BIO_printf(STDout,"%s\n", alstr);
else BIO_puts(STDout,"<No Alias>\n");
}
else if (subject_hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (subject_hash_old == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
}
#endif
else if (issuer_hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (issuer_hash_old == i)
{
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
}
#endif
else if (pprint == i)
{
X509_PURPOSE *ptmp;
int j;
BIO_printf(STDout, "Certificate purposes:\n");
for (j = 0; j < X509_PURPOSE_get_count(); j++)
{
ptmp = X509_PURPOSE_get0(j);
purpose_print(STDout, x, ptmp);
}
}
else
if (modulus == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bio_err,"Modulus=unavailable\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(STDout,"Modulus=");
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
BN_print(STDout,pkey->pkey.rsa->n);
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
BN_print(STDout,pkey->pkey.dsa->pub_key);
else
#endif
BIO_printf(STDout,"Wrong Algorithm type");
BIO_printf(STDout,"\n");
EVP_PKEY_free(pkey);
}
else
if (pubkey == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bio_err,"Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(STDout, pkey);
EVP_PKEY_free(pkey);
}
else
if (C == i)
{
unsigned char *d;
char *m;
int y,z;
X509_NAME_oneline(X509_get_subject_name(x),
buf,sizeof buf);
BIO_printf(STDout,"/* subject:%s */\n",buf);
m=X509_NAME_oneline(
X509_get_issuer_name(x),buf,
sizeof buf);
BIO_printf(STDout,"/* issuer :%s */\n",buf);
z=i2d_X509(x,NULL);
m=OPENSSL_malloc(z);
d=(unsigned char *)m;
z=i2d_X509_NAME(X509_get_subject_name(x),&d);
BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f)
BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
z=i2d_X509(x,&d);
BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f)
BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
OPENSSL_free(m);
}
else if (text == i)
{
X509_print_ex(out,x,nmflag, certflag);
}
else if (startdate == i)
{
BIO_puts(STDout,"notBefore=");
ASN1_TIME_print(STDout,X509_get_notBefore(x));
BIO_puts(STDout,"\n");
}
else if (enddate == i)
{
BIO_puts(STDout,"notAfter=");
ASN1_TIME_print(STDout,X509_get_notAfter(x));
BIO_puts(STDout,"\n");
}
else if (fingerprint == i)
{
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *fdig = digest;
if (!fdig)
fdig = EVP_sha1();
if (!X509_digest(x,fdig,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
BIO_printf(STDout,"%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(fdig)));
for (j=0; j<(int)n; j++)
{
BIO_printf(STDout,"%02X%c",md[j],
(j+1 == (int)n)
?'\n':':');
}
}
/* should be in the library */
else if ((sign_flag == i) && (x509req == 0))
{
BIO_printf(bio_err,"Getting Private key\n");
if (Upkey == NULL)
{
Upkey=load_key(bio_err,
keyfile, keyformat, 0,
passin, e, "Private key");
if (Upkey == NULL) goto end;
}
assert(need_rand);
if (!sign(x,Upkey,days,clrext,digest,
extconf, extsect)) goto end;
}
else if (CA_flag == i)
{
BIO_printf(bio_err,"Getting CA Private Key\n");
if (CAkeyfile != NULL)
{
CApkey=load_key(bio_err,
CAkeyfile, CAkeyformat,
0, passin, e,
"CA Private Key");
if (CApkey == NULL) goto end;
}
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
CApkey, sigopts,
CAserial,CA_createserial,days, clrext,
extconf, extsect, sno))
goto end;
}
else if (x509req == i)
{
EVP_PKEY *pk;
BIO_printf(bio_err,"Getting request Private Key\n");
if (keyfile == NULL)
{
BIO_printf(bio_err,"no request key file specified\n");
goto end;
}
else
{
pk=load_key(bio_err,
keyfile, keyformat, 0,
passin, e, "request key");
if (pk == NULL) goto end;
}
BIO_printf(bio_err,"Generating certificate request\n");
rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (!noout)
{
X509_REQ_print(out,rq);
PEM_write_bio_X509_REQ(out,rq);
}
noout=1;
}
else if (ocspid == i)
{
X509_ocspid_print(out, x);
}
}
}
if (checkend)
{
time_t tcheck=time(NULL) + checkoffset;
if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
{
BIO_printf(out,"Certificate will expire\n");
ret=1;
}
else
{
BIO_printf(out,"Certificate will not expire\n");
ret=0;
}
goto end;
}
if (noout)
{
ret=0;
goto end;
}
if (outformat == FORMAT_ASN1)
i=i2d_X509_bio(out,x);
else if (outformat == FORMAT_PEM)
{
if (trustout) i=PEM_write_bio_X509_AUX(out,x);
else i=PEM_write_bio_X509(out,x);
}
else if (outformat == FORMAT_NETSCAPE)
{
NETSCAPE_X509 nx;
ASN1_OCTET_STRING hdr;
hdr.data=(unsigned char *)NETSCAPE_CERT_HDR;
hdr.length=strlen(NETSCAPE_CERT_HDR);
nx.header= &hdr;
nx.cert=x;
i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx);
}
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i)
{
BIO_printf(bio_err,"unable to write certificate\n");
ERR_print_errors(bio_err);
goto end;
}
ret=0;
end:
if (need_rand)
app_RAND_write_file(NULL, bio_err);
OBJ_cleanup();
NCONF_free(extconf);
BIO_free_all(out);
BIO_free_all(STDout);
X509_STORE_free(ctx);
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
if (sigopts)
sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
if (passin) OPENSSL_free(passin);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/*
FIXME: Master-Key, Extensions, CA bits
(openssl x509 -text -in servcert.pem)
*/
int
_SSL_get_cert_info (struct cert_info *cert_info, SSL * ssl)
{
X509 *peer_cert;
EVP_PKEY *peer_pkey;
/* EVP_PKEY *ca_pkey; */
/* EVP_PKEY *tmp_pkey; */
char notBefore[64];
char notAfter[64];
int alg;
int sign_alg;
if (!(peer_cert = SSL_get_peer_certificate (ssl)))
return (1); /* FATAL? */
X509_NAME_oneline (X509_get_subject_name (peer_cert), cert_info->subject,
sizeof (cert_info->subject));
X509_NAME_oneline (X509_get_issuer_name (peer_cert), cert_info->issuer,
sizeof (cert_info->issuer));
broke_oneline (cert_info->subject, cert_info->subject_word);
broke_oneline (cert_info->issuer, cert_info->issuer_word);
alg = OBJ_obj2nid (peer_cert->cert_info->key->algor->algorithm);
sign_alg = OBJ_obj2nid (peer_cert->sig_alg->algorithm);
ASN1_TIME_snprintf (notBefore, sizeof (notBefore),
X509_get_notBefore (peer_cert));
ASN1_TIME_snprintf (notAfter, sizeof (notAfter),
X509_get_notAfter (peer_cert));
peer_pkey = X509_get_pubkey (peer_cert);
strncpy (cert_info->algorithm,
(alg == NID_undef) ? "Unknown" : OBJ_nid2ln (alg),
sizeof (cert_info->algorithm));
cert_info->algorithm_bits = EVP_PKEY_bits (peer_pkey);
strncpy (cert_info->sign_algorithm,
(sign_alg == NID_undef) ? "Unknown" : OBJ_nid2ln (sign_alg),
sizeof (cert_info->sign_algorithm));
/* EVP_PKEY_bits(ca_pkey)); */
cert_info->sign_algorithm_bits = 0;
strncpy (cert_info->notbefore, notBefore, sizeof (cert_info->notbefore));
strncpy (cert_info->notafter, notAfter, sizeof (cert_info->notafter));
EVP_PKEY_free (peer_pkey);
/* SSL_SESSION_print_fp(stdout, SSL_get_session(ssl)); */
/*
if (ssl->session->sess_cert->peer_rsa_tmp) {
tmp_pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(tmp_pkey, ssl->session->sess_cert->peer_rsa_tmp);
cert_info->rsa_tmp_bits = EVP_PKEY_bits (tmp_pkey);
EVP_PKEY_free(tmp_pkey);
} else
fprintf(stderr, "REMOTE SIDE DOESN'T PROVIDES ->peer_rsa_tmp\n");
*/
cert_info->rsa_tmp_bits = 0;
X509_free (peer_cert);
return (0);
}
///
/// Called to verify X509 client certificates
///
static int verifyX509Certificate(int ok, X509_STORE_CTX *xContext)
{
X509 *cert;
SSL *ssl;
MaOpenSslSocket *sslSocket;
MaOpenSslConfig *config;
char subject[260], issuer[260], peer[260];
int error, depth;
subject[0] = issuer[0] = '\0';
ssl = (SSL*) X509_STORE_CTX_get_app_data(xContext);
sslSocket = (MaOpenSslSocket*) SSL_get_app_data(ssl);
config = (MaOpenSslConfig*) sslSocket->getConfig();
cert = X509_STORE_CTX_get_current_cert(xContext);
depth = X509_STORE_CTX_get_error_depth(xContext);
error = X509_STORE_CTX_get_error(xContext);
if (X509_NAME_oneline(X509_get_subject_name(cert), subject,
sizeof(subject) - 1) < 0) {
ok = 0;
}
//
// FUTURE -- should compare subject name and host name. Need smart compare
//
if (X509_NAME_oneline(X509_get_issuer_name(xContext->current_cert), issuer,
sizeof(issuer) - 1) < 0) {
ok = 0;
}
if (X509_NAME_get_text_by_NID(X509_get_subject_name(xContext->current_cert),
NID_commonName, peer, sizeof(peer) - 1) < 0) {
ok = 0;
}
//
// Customizers: add your own code here to validate client certificates
//
if (ok && config->verifyDepth < depth) {
if (error == 0) {
error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
}
ok = 0;
}
if (error != 0) {
mprAssert(!ok);
}
#if UNUSED
switch (error) {
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_REJECTED:
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
case X509_V_ERR_CERT_UNTRUSTED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
case X509_V_ERR_INVALID_CA:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
default:
ok = 0;
break;
}
#endif
if (!ok) {
mprLog(0, "SSL: Certification failed: subject %s\n", subject);
mprLog(4, "SSL: Issuer: %s\n", issuer);
mprLog(4, "SSL: Peer: %s\n", peer);
mprLog(4, "SSL: Error: %d: %s\n", error,
X509_verify_cert_error_string(error));
} else {
mprLog(0, "SSL: Certificate verified: subject %s\n", subject);
mprLog(4, "SSL: Issuer: %s\n", issuer);
mprLog(4, "SSL: Peer: %s\n", peer);
}
return ok;
}
static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
ssl_handshake_func_t func,
unsigned long *ssl_errno_holder)
{
int r;
SSL *ssl;
my_socket sd= mysql_socket_getfd(vio->mysql_socket);
DBUG_ENTER("ssl_do");
DBUG_PRINT("enter", ("ptr: 0x%lx, sd: %d ctx: 0x%lx",
(long) ptr, sd, (long) ptr->ssl_context));
if (!(ssl= SSL_new(ptr->ssl_context)))
{
DBUG_PRINT("error", ("SSL_new failure"));
*ssl_errno_holder= ERR_get_error();
DBUG_RETURN(1);
}
DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout));
SSL_clear(ssl);
SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd(ssl, sd);
#ifndef HAVE_YASSL
SSL_set_options(ssl, SSL_OP_NO_COMPRESSION);
#endif
/*
Since yaSSL does not support non-blocking send operations, use
special transport functions that properly handles non-blocking
sockets. These functions emulate the behavior of blocking I/O
operations by waiting for I/O to become available.
*/
#ifdef HAVE_YASSL
/* Set first argument of the transport functions. */
yaSSL_transport_set_ptr(ssl, vio);
/* Set functions to use in order to send and receive data. */
yaSSL_transport_set_recv_function(ssl, yassl_recv);
yaSSL_transport_set_send_function(ssl, yassl_send);
#endif
if ((r= ssl_handshake_loop(vio, ssl, func, ssl_errno_holder)) < 1)
{
DBUG_PRINT("error", ("SSL_connect/accept failure"));
SSL_free(ssl);
DBUG_RETURN(1);
}
/*
Connection succeeded. Install new function handlers,
change type, set sd to the fd used when connecting
and set pointer to the SSL structure
*/
if (vio_reset(vio, VIO_TYPE_SSL, SSL_get_fd(ssl), ssl, 0))
DBUG_RETURN(1);
#ifndef DBUG_OFF
{
/* Print some info about the peer */
X509 *cert;
char buf[512];
DBUG_PRINT("info",("SSL connection succeeded"));
DBUG_PRINT("info",("Using cipher: '%s'" , SSL_get_cipher_name(ssl)));
if ((cert= SSL_get_peer_certificate (ssl)))
{
DBUG_PRINT("info",("Peer certificate:"));
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
DBUG_PRINT("info",("\t subject: '%s'", buf));
X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
DBUG_PRINT("info",("\t issuer: '%s'", buf));
X509_free(cert);
}
else
DBUG_PRINT("info",("Peer does not have certificate."));
if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf)))
{
DBUG_PRINT("info",("shared_ciphers: '%s'", buf));
}
else
DBUG_PRINT("info",("no shared ciphers!"));
}
#endif
DBUG_RETURN(0);
}
/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
{
char cert_str[256];
const char *host = (const char *) arg;
const char *res_str = "X509_verify_cert failed";
HostnameValidationResult res = Error;
/* This is the function that OpenSSL would call if we hadn't called
* SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping"
* the default functionality, rather than replacing it. */
int ok_so_far = 0;
X509 *server_cert = NULL;
if (ignore_cert) {
return 1;
}
ok_so_far = X509_verify_cert(x509_ctx);
server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
if (ok_so_far) {
res = validate_hostname(host, server_cert);
switch (res) {
case MatchFound:
res_str = "MatchFound";
break;
case MatchNotFound:
res_str = "MatchNotFound";
break;
case NoSANPresent:
res_str = "NoSANPresent";
break;
case MalformedCertificate:
res_str = "MalformedCertificate";
break;
case Error:
res_str = "Error";
break;
default:
res_str = "WTF!";
break;
}
}
X509_NAME_oneline(X509_get_subject_name (server_cert),
cert_str, sizeof (cert_str));
if (res == MatchFound) {
printf("https server '%s' has this certificate, "
"which looks good to me:\n%s\n",
host, cert_str);
return 1;
} else {
printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
res_str, host, cert_str);
return 0;
}
}
/*
* Check for:
* - cert identity matching domain name
* - cert is within validity perios
* - digital sig is valid
* Notes:
* The default certificate format for openssl is PEM, which is base64
* encoded DER with header/footer lines.
* Certs in SSL protocol travel on the wire using DER encoding of ASN.1.
* Refer to RFC 5280 for X.509 PKI Cert and CRL Profile
* d2i (Der to Internal) APIs are used to convert certs on wire into internal
* storage format for certs.
*/
verifyCertificate(sslStruct *sslC) {
uchar *buff, *subj, *issuer;
int version;
const uchar *ptr, *tmpPtr;
const uchar *data;
size_t len, msgLen, totalCertLen, serverCertLen;
size_t parsedLen = 0;
size_t verifyCertLen;
int count = 0;
#define CERT_LEN_INDEX 1
// buff[0] points to Handshake Type - certificate
buff = cfg.sslC->buff;
len = cfg.sslC->buffLen; // Length of Certificate Packet
msgLen = GET_BE16(&buff[CERT_LEN_INDEX+1]); // len - 4
// From here is the payload. Starts from Cert Len (includes all Certs)
totalCertLen = GET_BE16(&buff[CERT_LEN_INDEX+1+3]);
// Now is the 1st Certificate - i.e. Server Cert
serverCertLen = GET_BE16(&buff[CERT_LEN_INDEX+1+3+3]);
printf(" Pkg Len = %d, Total Cert Len = %d\n", msgLen, totalCertLen);
printf(" Server Certificate verification, Len: %d\n", serverCertLen);
// Parse the Server Cert
ptr = &buff[10];
X509 *cert = d2i_X509(NULL, &ptr, serverCertLen);
if (cert == NULL) {
printf("\n d2i_X509 returns NULL for Cert verification");
return -1;
}
printf(".........Server Certificate........................\n");
subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
version = ((int)X509_get_version(cert)) + 1; // 0 indexed
printf("Subject: %s, \nIssuer: %s, \n Version: %d",
subj, issuer, version);
// Get Public Key Algorith Name
int pkey = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
if (pkey == NID_undef) {
printf ("\n Cert Verify: unable to find signature algo");
goto clean;
}
char sigalgo[100];
const char * sslbuf = OBJ_nid2ln(pkey);
if (strlen(sslbuf) > 100) {
printf ("\n Cert Verify: len is greater than allocated");
goto clean;
}
strncpy(sigalgo, sslbuf, 100);
printf(", Public Key Algorithm Algorithm: %s", sigalgo);
EVP_PKEY *public_key = X509_get_pubkey(cert);
if (pkey == NID_rsaEncryption) {
if (public_key == NULL) {
printf("\nUnable to get public key from certificate");
return -1;
}
char *rsa_e_dec, *rsa_n_hex;
sslC->rsa_key = public_key->pkey.rsa;
// Both the following are printable strings and need to be freed
// by caling OPENSSL_free()
rsa_e_dec = BN_bn2dec(sslC->rsa_key->e); // RSA Exponent
rsa_n_hex = BN_bn2hex(sslC->rsa_key->n); // RSA Modulus
//printf("\n RSA Exponent = %s, \n RSA Modulus = %s", rsa_e_dec, rsa_n_hex);
}
EVP_PKEY_free(public_key);
clean:
OPENSSL_free(subj);
OPENSSL_free(issuer);
// Parse the Server Cert Chain
ptr = &buff[10+serverCertLen]; // Set ptr to point to next Cert Len field
parsedLen = serverCertLen+3;
tmpPtr = ptr+3;
while (parsedLen < totalCertLen) {
printf("\n.........Server Certificate Chain %d.............", count++);
//printf("\n Len: Parsed: %d, Total: %d", parsedLen, totalCertLen);
verifyCertLen = GET_BE16(&ptr[1]);
printf("\nCert Chain Len: %d", verifyCertLen);
X509 *cert = d2i_X509(NULL, &tmpPtr, serverCertLen);
if (cert == NULL) {
printf("\n d2i_X509 returns NULL for Cert verification chain");
return -1;
}
subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
printf("\nSubject: %s", subj);
OPENSSL_free(subj);
ptr += verifyCertLen + 3; // Set ptr to point to next Cert Len field
tmpPtr = ptr+3;
parsedLen += verifyCertLen+3;
} // End parsing Cert Chain
printf("\n..................................................\n");
}
void tls_log_verify_error(TLS_SESS_STATE *TLScontext)
{
char buf[CCERT_BUFSIZ];
int err = TLScontext->errorcode;
X509 *cert = TLScontext->errorcert;
int depth = TLScontext->errordepth;
#define PURPOSE ((depth>0) ? "CA": TLScontext->am_server ? "client": "server")
if (err == X509_V_OK)
return;
/*
* Specific causes for verification failure.
*/
switch (err) {
case X509_V_ERR_CERT_UNTRUSTED:
/*
* We expect the error cert to be the leaf, but it is likely
* sufficient to omit it from the log, even less user confusion.
*/
msg_info("certificate verification failed for %s: "
"not trusted by local or TLSA policy", TLScontext->namaddr);
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
msg_info("certificate verification failed for %s: "
"self-signed certificate", TLScontext->namaddr);
break;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
/*
* There is no difference between issuing cert not provided and
* provided, but not found in CAfile/CApath. Either way, we don't
* trust it.
*/
if (cert)
X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
else
strcpy(buf, "<unknown>");
msg_info("certificate verification failed for %s: untrusted issuer %s",
TLScontext->namaddr, printable(buf, '?'));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
msg_info("%s certificate verification failed for %s: certificate not"
" yet valid", PURPOSE, TLScontext->namaddr);
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
msg_info("%s certificate verification failed for %s: certificate has"
" expired", PURPOSE, TLScontext->namaddr);
break;
case X509_V_ERR_INVALID_PURPOSE:
msg_info("certificate verification failed for %s: not designated for "
"use as a %s certificate", TLScontext->namaddr, PURPOSE);
break;
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
msg_info("certificate verification failed for %s: "
"certificate chain longer than limit(%d)",
TLScontext->namaddr, depth - 1);
break;
default:
msg_info("%s certificate verification failed for %s: num=%d:%s",
PURPOSE, TLScontext->namaddr, err,
X509_verify_cert_error_string(err));
break;
}
}
int
sslverify(struct server *srv, SSL *ssl, char **cause)
{
X509 *x509;
int error;
char *fqdn, name[256], *ptr, *ptr2;
const char *s;
if ((x509 = SSL_get_peer_certificate(ssl)) == NULL) {
/* No certificate, error since we wanted to verify it. */
s = "no certificate";
goto error;
}
/* Verify certificate. */
if ((error = SSL_get_verify_result(ssl)) != X509_V_OK) {
s = X509_verify_cert_error_string(error);
goto error;
}
/* Get certificate name. */
X509_NAME_oneline(X509_get_subject_name(x509), name, sizeof name);
/* Check for CN field. */
if ((ptr = strstr(name, "/CN=")) == NULL) {
s = "CN missing";
goto error;
}
/* Verify CN field. */
getaddrs(srv->host, &fqdn, NULL);
do {
ptr += 4;
ptr2 = strchr(ptr, '/');
if (ptr2 != NULL)
*ptr2 = '\0';
/* Compare against both given host and FQDN. */
if (fnmatch(ptr, srv->host, FNM_NOESCAPE|FNM_CASEFOLD) == 0 ||
(fqdn != NULL &&
fnmatch(ptr, fqdn, FNM_NOESCAPE|FNM_CASEFOLD)) == 0)
break;
if (ptr2 != NULL)
*ptr2 = '/';
} while ((ptr = strstr(ptr, "/CN=")) != NULL);
/* No valid CN found. Try alternative names. */
if (ptr == NULL)
ptr = check_alt_names(srv->host, fqdn, x509);
if (fqdn != NULL)
xfree(fqdn);
/* No valid CN found. */
if (ptr == NULL) {
s = "no matching CN";
goto error;
}
/* Valid CN found. */
X509_free(x509);
return (0);
error:
xasprintf(cause, "certificate verification failed: %s", s);
if (x509 != NULL)
X509_free(x509);
return (-1);
}
bool
ssl_check_certificate (int fd, const char *host)
{
X509 *cert;
char common_name[256];
long vresult;
bool success = true;
/* If the user has specified --no-check-cert, we still want to warn
him about problems with the server's certificate. */
const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
struct openssl_transport_context *ctx = fd_transport_context (fd);
SSL *conn = ctx->conn;
assert (conn != NULL);
cert = SSL_get_peer_certificate (conn);
if (!cert)
{
logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"),
severity, escnonprint (host));
success = false;
goto no_cert; /* must bail out since CERT is NULL */
}
IF_DEBUG
{
char *subject = X509_NAME_oneline (X509_get_subject_name (cert), 0, 0);
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
DEBUGP (("certificate:\n subject: %s\n issuer: %s\n",
escnonprint (subject), escnonprint (issuer)));
OPENSSL_free (subject);
OPENSSL_free (issuer);
}
vresult = SSL_get_verify_result (conn);
if (vresult != X509_V_OK)
{
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
logprintf (LOG_NOTQUIET,
_("%s: cannot verify %s's certificate, issued by `%s':\n"),
severity, escnonprint (host), escnonprint (issuer));
/* Try to print more user-friendly (and translated) messages for
the frequent verification errors. */
switch (vresult)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
logprintf (LOG_NOTQUIET,
_(" Unable to locally verify the issuer's authority.\n"));
break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n"));
break;
default:
/* For the less frequent error strings, simply provide the
OpenSSL error message. */
logprintf (LOG_NOTQUIET, " %s\n",
X509_verify_cert_error_string (vresult));
}
success = false;
/* Fall through, so that the user is warned about *all* issues
with the cert (important with --no-check-certificate.) */
}
/* Check that HOST matches the common name in the certificate.
#### The following remains to be done:
- It should use dNSName/ipAddress subjectAltName extensions if
available; according to rfc2818: "If a subjectAltName extension
of type dNSName is present, that MUST be used as the identity."
- When matching against common names, it should loop over all
common names and choose the most specific one, i.e. the last
one, not the first one, which the current code picks.
- Ensure that ASN1 strings from the certificate are encoded as
UTF-8 which can be meaningfully compared to HOST. */
common_name[0] = '\0';
X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
NID_commonName, common_name, sizeof (common_name));
if (!pattern_match (common_name, host))
{
logprintf (LOG_NOTQUIET, _("\
%s: certificate common name `%s' doesn't match requested host name `%s'.\n"),
severity, escnonprint (common_name), escnonprint (host));
success = false;
}
static int connect_local(CLI *c) { /* spawn local process */
#if defined (USE_WIN32) || defined (__vms)
s_log(LOG_ERR, "LOCAL MODE NOT SUPPORTED ON WIN32 and OpenVMS PLATFORM");
return -1;
#else /* USE_WIN32, __vms */
char env[3][STRLEN], name[STRLEN], *portname;
int fd[2], pid;
X509 *peer;
#ifdef HAVE_PTHREAD_SIGMASK
sigset_t newmask;
#endif
if (c->opt->option.pty) {
char tty[STRLEN];
if(pty_allocate(fd, fd+1, tty, STRLEN)) {
return -1;
}
s_log(LOG_DEBUG, "%s allocated", tty);
} else {
if(make_sockets(fd))
return -1;
}
pid=fork();
c->pid=(unsigned long)pid;
switch(pid) {
case -1: /* error */
closesocket(fd[0]);
closesocket(fd[1]);
ioerror("fork");
return -1;
case 0: /* child */
closesocket(fd[0]);
dup2(fd[1], 0);
dup2(fd[1], 1);
if(!options.option.foreground)
dup2(fd[1], 2);
closesocket(fd[1]);
safecopy(env[0], "REMOTE_HOST=");
safeconcat(env[0], c->accepting_address);
portname=strrchr(env[0], ':');
if(portname) /* strip the port name */
*portname='\0';
putenv(env[0]);
if(c->opt->option.transparent) {
putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
/* For Tru64 _RLD_LIST is used instead */
putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT");
}
if(c->ssl) {
peer=SSL_get_peer_certificate(c->ssl);
if(peer) {
safecopy(env[1], "SSL_CLIENT_DN=");
X509_NAME_oneline(X509_get_subject_name(peer), name, STRLEN);
safestring(name);
safeconcat(env[1], name);
putenv(env[1]);
safecopy(env[2], "SSL_CLIENT_I_DN=");
X509_NAME_oneline(X509_get_issuer_name(peer), name, STRLEN);
safestring(name);
safeconcat(env[2], name);
putenv(env[2]);
X509_free(peer);
}
}
#ifdef HAVE_PTHREAD_SIGMASK
sigemptyset(&newmask);
sigprocmask(SIG_SETMASK, &newmask, NULL);
#endif
execvp(c->opt->execname, c->opt->execargs);
ioerror(c->opt->execname); /* execv failed */
_exit(1);
default:
break;
}
/* parent */
s_log(LOG_INFO, "Local mode child started (PID=%lu)", c->pid);
closesocket(fd[1]);
#ifdef FD_CLOEXEC
fcntl(fd[0], F_SETFD, FD_CLOEXEC);
#endif
return fd[0];
#endif /* USE_WIN32,__vms */
}
int x509_main(int argc, char **argv)
{
ASN1_INTEGER *sno = NULL;
ASN1_OBJECT *objtmp;
BIO *out = NULL;
CONF *extconf = NULL;
EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
X509 *x = NULL, *xca = NULL;
X509_REQ *req = NULL, *rq = NULL;
X509_STORE *ctx = NULL;
const EVP_MD *digest = NULL;
char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL;
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
char buf[256], *prog;
int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0;
int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0;
int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0;
int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0;
int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0;
int checkoffset = 0, enddate = 0;
unsigned long nmflag = 0, certflag = 0;
OPTION_CHOICE o;
ENGINE *e = NULL;
#ifndef OPENSSL_NO_MD5
int subject_hash_old = 0, issuer_hash_old = 0;
#endif
ctx = X509_STORE_new();
if (ctx == NULL)
goto end;
X509_STORE_set_verify_cb(ctx, callb);
prog = opt_init(argc, argv, x509_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(x509_options);
ret = 0;
goto end;
case OPT_INFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat))
goto opthelp;
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
goto opthelp;
break;
case OPT_CAKEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_REQ:
reqfile = need_rand = 1;
break;
case OPT_SIGOPT:
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
goto opthelp;
break;
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
case OPT_FORCE_VERSION:
force_version = atoi(opt_arg()) - 1;
break;
#endif
case OPT_DAYS:
days = atoi(opt_arg());
break;
case OPT_PASSIN:
passinarg = opt_arg();
break;
case OPT_EXTFILE:
extfile = opt_arg();
break;
case OPT_EXTENSIONS:
extsect = opt_arg();
break;
case OPT_SIGNKEY:
keyfile = opt_arg();
sign_flag = ++num;
need_rand = 1;
break;
case OPT_CA:
CAfile = opt_arg();
CA_flag = ++num;
need_rand = 1;
break;
case OPT_CAKEY:
CAkeyfile = opt_arg();
break;
case OPT_CASERIAL:
CAserial = opt_arg();
break;
case OPT_SET_SERIAL:
if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL)
goto opthelp;
break;
case OPT_FORCE_PUBKEY:
fkeyfile = opt_arg();
break;
case OPT_ADDTRUST:
if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
BIO_printf(bio_err,
"%s: Invalid trust object value %s\n",
prog, opt_arg());
goto opthelp;
}
if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL)
goto end;
sk_ASN1_OBJECT_push(trust, objtmp);
trustout = 1;
break;
case OPT_ADDREJECT:
if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
BIO_printf(bio_err,
"%s: Invalid reject object value %s\n",
prog, opt_arg());
goto opthelp;
}
if (reject == NULL
&& (reject = sk_ASN1_OBJECT_new_null()) == NULL)
goto end;
sk_ASN1_OBJECT_push(reject, objtmp);
trustout = 1;
break;
case OPT_SETALIAS:
alias = opt_arg();
trustout = 1;
break;
case OPT_CERTOPT:
if (!set_cert_ex(&certflag, opt_arg()))
goto opthelp;
break;
case OPT_NAMEOPT:
if (!set_name_ex(&nmflag, opt_arg()))
goto opthelp;
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
case OPT_C:
C = ++num;
break;
case OPT_EMAIL:
email = ++num;
break;
case OPT_OCSP_URI:
ocsp_uri = ++num;
break;
case OPT_SERIAL:
serial = ++num;
break;
case OPT_NEXT_SERIAL:
next_serial = ++num;
break;
case OPT_MODULUS:
modulus = ++num;
break;
case OPT_PUBKEY:
pubkey = ++num;
break;
case OPT_X509TOREQ:
x509req = ++num;
break;
case OPT_TEXT:
text = ++num;
break;
case OPT_SUBJECT:
subject = ++num;
break;
case OPT_ISSUER:
issuer = ++num;
break;
case OPT_FINGERPRINT:
fingerprint = ++num;
break;
case OPT_HASH:
subject_hash = ++num;
break;
case OPT_ISSUER_HASH:
issuer_hash = ++num;
break;
case OPT_PURPOSE:
pprint = ++num;
break;
case OPT_STARTDATE:
startdate = ++num;
break;
case OPT_ENDDATE:
enddate = ++num;
break;
case OPT_NOOUT:
noout = ++num;
break;
case OPT_NOCERT:
nocert = 1;
break;
case OPT_TRUSTOUT:
trustout = 1;
break;
case OPT_CLRTRUST:
clrtrust = ++num;
break;
case OPT_CLRREJECT:
clrreject = ++num;
break;
case OPT_ALIAS:
aliasout = ++num;
break;
case OPT_CACREATESERIAL:
CA_createserial = ++num;
break;
case OPT_CLREXT:
clrext = 1;
break;
case OPT_OCSPID:
ocspid = ++num;
break;
case OPT_BADSIG:
badsig = 1;
break;
#ifndef OPENSSL_NO_MD5
case OPT_SUBJECT_HASH_OLD:
subject_hash_old = ++num;
break;
case OPT_ISSUER_HASH_OLD:
issuer_hash_old = ++num;
break;
#endif
case OPT_DATES:
startdate = ++num;
enddate = ++num;
break;
case OPT_CHECKEND:
checkoffset = atoi(opt_arg());
checkend = 1;
break;
case OPT_CHECKHOST:
checkhost = opt_arg();
break;
case OPT_CHECKEMAIL:
checkemail = opt_arg();
break;
case OPT_CHECKIP:
checkip = opt_arg();
break;
case OPT_MD:
if (!opt_md(opt_unknown(), &digest))
goto opthelp;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (argc != 0) {
BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]);
goto opthelp;
}
out = bio_open_default(outfile, "w");
if (out == NULL)
goto end;
if (need_rand)
app_RAND_load_file(NULL, 0);
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (!X509_STORE_set_default_paths(ctx)) {
ERR_print_errors(bio_err);
goto end;
}
if (fkeyfile) {
fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key");
if (fkey == NULL)
goto end;
}
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
CAkeyfile = CAfile;
} else if ((CA_flag) && (CAkeyfile == NULL)) {
BIO_printf(bio_err,
"need to specify a CAkey if using the CA command\n");
goto end;
}
if (extfile) {
long errorline = -1;
X509V3_CTX ctx2;
extconf = NCONF_new(NULL);
if (!NCONF_load(extconf, extfile, &errorline)) {
if (errorline <= 0)
BIO_printf(bio_err,
"error loading the config file '%s'\n", extfile);
else
BIO_printf(bio_err,
"error on line %ld of config file '%s'\n",
errorline, extfile);
goto end;
}
if (!extsect) {
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect) {
ERR_clear_error();
extsect = "default";
}
}
X509V3_set_ctx_test(&ctx2);
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
BIO_printf(bio_err,
"Error Loading extension section %s\n", extsect);
ERR_print_errors(bio_err);
goto end;
}
}
if (reqfile) {
EVP_PKEY *pkey;
BIO *in;
if (!sign_flag && !CA_flag) {
BIO_printf(bio_err, "We need a private key to sign with\n");
goto end;
}
in = bio_open_default(infile, "r");
if (in == NULL)
goto end;
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
BIO_free(in);
if (req == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if ((req->req_info == NULL) ||
(req->req_info->pubkey == NULL) ||
(req->req_info->pubkey->public_key == NULL) ||
(req->req_info->pubkey->public_key->data == NULL)) {
BIO_printf(bio_err,
"The certificate request appears to corrupted\n");
BIO_printf(bio_err, "It does not contain a public key\n");
goto end;
}
if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_REQ_verify(req, pkey);
EVP_PKEY_free(pkey);
if (i < 0) {
BIO_printf(bio_err, "Signature verification error\n");
ERR_print_errors(bio_err);
goto end;
}
if (i == 0) {
BIO_printf(bio_err,
"Signature did not match the certificate request\n");
goto end;
} else
BIO_printf(bio_err, "Signature ok\n");
print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),
nmflag);
if ((x = X509_new()) == NULL)
goto end;
if (sno == NULL) {
sno = ASN1_INTEGER_new();
if (!sno || !rand_serial(NULL, sno))
goto end;
if (!X509_set_serialNumber(x, sno))
goto end;
ASN1_INTEGER_free(sno);
sno = NULL;
} else if (!X509_set_serialNumber(x, sno))
goto end;
if (!X509_set_issuer_name(x, req->req_info->subject))
goto end;
if (!X509_set_subject_name(x, req->req_info->subject))
goto end;
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
if (fkey)
X509_set_pubkey(x, fkey);
else {
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x, pkey);
EVP_PKEY_free(pkey);
}
} else
x = load_cert(infile, informat, NULL, e, "Certificate");
if (x == NULL)
goto end;
if (CA_flag) {
xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate");
if (xca == NULL)
goto end;
}
if (!noout || text || next_serial) {
OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
}
if (alias)
X509_alias_set1(x, (unsigned char *)alias, -1);
if (clrtrust)
X509_trust_clear(x);
if (clrreject)
X509_reject_clear(x);
if (trust) {
for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
objtmp = sk_ASN1_OBJECT_value(trust, i);
X509_add1_trust_object(x, objtmp);
}
}
if (reject) {
for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
objtmp = sk_ASN1_OBJECT_value(reject, i);
X509_add1_reject_object(x, objtmp);
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
print_name(out, "issuer= ", X509_get_issuer_name(x), nmflag);
} else if (subject == i) {
print_name(out, "subject= ",
X509_get_subject_name(x), nmflag);
} else if (serial == i) {
BIO_printf(out, "serial=");
i2a_ASN1_INTEGER(out, X509_get_serialNumber(x));
BIO_printf(out, "\n");
} else if (next_serial == i) {
BIGNUM *bnser;
ASN1_INTEGER *ser;
ser = X509_get_serialNumber(x);
bnser = ASN1_INTEGER_to_BN(ser, NULL);
if (!bnser)
goto end;
if (!BN_add_word(bnser, 1))
goto end;
ser = BN_to_ASN1_INTEGER(bnser, NULL);
if (!ser)
goto end;
BN_free(bnser);
i2a_ASN1_INTEGER(out, ser);
ASN1_INTEGER_free(ser);
BIO_puts(out, "\n");
} else if ((email == i) || (ocsp_uri == i)) {
int j;
STACK_OF(OPENSSL_STRING) *emlst;
if (email == i)
emlst = X509_get1_email(x);
else
emlst = X509_get1_ocsp(x);
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
BIO_printf(out, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
X509_email_free(emlst);
} else if (aliasout == i) {
unsigned char *alstr;
alstr = X509_alias_get0(x, NULL);
if (alstr)
BIO_printf(out, "%s\n", alstr);
else
BIO_puts(out, "<No Alias>\n");
} else if (subject_hash == i) {
BIO_printf(out, "%08lx\n", X509_subject_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (subject_hash_old == i) {
BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x));
}
#endif
else if (issuer_hash == i) {
BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (issuer_hash_old == i) {
BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x));
}
#endif
else if (pprint == i) {
X509_PURPOSE *ptmp;
int j;
BIO_printf(out, "Certificate purposes:\n");
for (j = 0; j < X509_PURPOSE_get_count(); j++) {
ptmp = X509_PURPOSE_get0(j);
purpose_print(out, x, ptmp);
}
} else if (modulus == i) {
EVP_PKEY *pkey;
pkey = X509_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Modulus=unavailable\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(out, "Modulus=");
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
BN_print(out, pkey->pkey.rsa->n);
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
BN_print(out, pkey->pkey.dsa->pub_key);
else
#endif
BIO_printf(out, "Wrong Algorithm type");
BIO_printf(out, "\n");
EVP_PKEY_free(pkey);
} else if (pubkey == i) {
EVP_PKEY *pkey;
pkey = X509_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(out, pkey);
EVP_PKEY_free(pkey);
} else if (C == i) {
unsigned char *d;
char *m;
int len;
X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf);
BIO_printf(out, "/*\n"
" * Subject: %s\n", buf);
m = X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof buf);
BIO_printf(out, " * Issuer: %s\n"
" */\n", buf);
len = i2d_X509(x, NULL);
m = app_malloc(len, "x509 name buffer");
d = (unsigned char *)m;
len = i2d_X509_NAME(X509_get_subject_name(x), &d);
print_array(out, "the_subject_name", len, (unsigned char *)m);
d = (unsigned char *)m;
len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
print_array(out, "the_public_key", len, (unsigned char *)m);
d = (unsigned char *)m;
len = i2d_X509(x, &d);
print_array(out, "the_certificate", len, (unsigned char *)m);
OPENSSL_free(m);
} else if (text == i) {
X509_print_ex(out, x, nmflag, certflag);
} else if (startdate == i) {
BIO_puts(out, "notBefore=");
ASN1_TIME_print(out, X509_get_notBefore(x));
BIO_puts(out, "\n");
} else if (enddate == i) {
BIO_puts(out, "notAfter=");
ASN1_TIME_print(out, X509_get_notAfter(x));
BIO_puts(out, "\n");
} else if (fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *fdig = digest;
if (!fdig)
fdig = EVP_sha1();
if (!X509_digest(x, fdig, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(fdig)));
for (j = 0; j < (int)n; j++) {
BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
}
}
/* should be in the library */
else if ((sign_flag == i) && (x509req == 0)) {
BIO_printf(bio_err, "Getting Private key\n");
if (Upkey == NULL) {
Upkey = load_key(keyfile, keyformat, 0,
passin, e, "Private key");
if (Upkey == NULL)
goto end;
}
assert(need_rand);
if (!sign(x, Upkey, days, clrext, digest, extconf, extsect))
goto end;
} else if (CA_flag == i) {
BIO_printf(bio_err, "Getting CA Private Key\n");
if (CAkeyfile != NULL) {
CApkey = load_key(CAkeyfile, CAkeyformat,
0, passin, e, "CA Private Key");
if (CApkey == NULL)
goto end;
}
assert(need_rand);
if (!x509_certify(ctx, CAfile, digest, x, xca,
CApkey, sigopts,
CAserial, CA_createserial, days, clrext,
extconf, extsect, sno, reqfile))
goto end;
} else if (x509req == i) {
EVP_PKEY *pk;
BIO_printf(bio_err, "Getting request Private Key\n");
if (keyfile == NULL) {
BIO_printf(bio_err, "no request key file specified\n");
goto end;
} else {
pk = load_key(keyfile, keyformat, 0,
passin, e, "request key");
if (pk == NULL)
goto end;
}
BIO_printf(bio_err, "Generating certificate request\n");
rq = X509_to_X509_REQ(x, pk, digest);
EVP_PKEY_free(pk);
if (rq == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (!noout) {
X509_REQ_print(out, rq);
PEM_write_bio_X509_REQ(out, rq);
}
noout = 1;
} else if (ocspid == i) {
X509_ocspid_print(out, x);
}
}
}
if (checkend) {
time_t tcheck = time(NULL) + checkoffset;
if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
BIO_printf(out, "Certificate will expire\n");
ret = 1;
} else {
BIO_printf(out, "Certificate will not expire\n");
ret = 0;
}
goto end;
}
print_cert_checks(out, x, checkhost, checkemail, checkip);
if (noout || nocert) {
ret = 0;
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
else if (outformat == FORMAT_PEM) {
if (trustout)
i = PEM_write_bio_X509_AUX(out, x);
else
i = PEM_write_bio_X509(out, x);
} else if (outformat == FORMAT_NETSCAPE) {
NETSCAPE_X509 nx;
ASN1_OCTET_STRING hdr;
hdr.data = (unsigned char *)NETSCAPE_CERT_HDR;
hdr.length = strlen(NETSCAPE_CERT_HDR);
nx.header = &hdr;
nx.cert = x;
i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx);
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write certificate\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
if (need_rand)
app_RAND_write_file(NULL);
OBJ_cleanup();
NCONF_free(extconf);
BIO_free_all(out);
X509_STORE_free(ctx);
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
EVP_PKEY_free(fkey);
sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
OPENSSL_free(passin);
return (ret);
}
void *thread_main (void *arg)
{
int s, AcceptSocket;
#ifdef _WIN32
WORD wVersionRequested;
WSADATA wsaData;
#endif /* */
struct sockaddr_in service;
int err;
size_t client_len;
SSL_CTX *ctx;
SSL *ssl;
X509 *client_cert;
char *str;
char buf[1024];
ssl = (SSL *) arg;
//取出socket
s = SSL_get_fd (ssl);
//接受SSL连接
err = SSL_accept (ssl);
if (err < 0)
{
printf ("ssl accerr\n");
return;
}
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
//检索证书
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL)
{
printf ("Client certificate:\n");
//获得客户端证书subject并转变成字符型,以便进行打印
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL (str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
//获得客户端证书issuer并转变成字符型,以便进行打印
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL (str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
X509_free (client_cert);
}
else
printf ("Client does not have certificate.\n");
//进行安全会话
memset (buf, 0, 1024);
err = SSL_read (ssl, buf, sizeof (buf) - 1);
if (err < 0)
{
printf ("ssl read err\n");
close (s);
return;
}
printf ("get : %s\n", buf);
#if 0
buf[err] = '\0';
err = SSL_write (ssl, "I hear you.", strlen ("I hear you."));
#endif /* */
SSL_free (ssl);
close (s);
}
// Write information about an untrusted certificate
BOOL ProduceUntrustedCertificateXML(BIO *target, const DEFCERT_UNTRUSTED_cert_st *entry, EVP_PKEY *key, int sig_alg)
{
unsigned int i, read_len=0;
int outl;
if(target == NULL)
return FALSE;
if(entry->dercert_data == NULL)
return TRUE;
EVP_ENCODE_CTX base_64;
unsigned char *buffer = new unsigned char[BUFFER_SIZE+1];
if(buffer == NULL)
return FALSE;
BOOL ret = FALSE;
X509 *cert=NULL;
char *name=NULL;
do{
if(!BIO_puts(target, "-->\n<!-- Copyright (C) 2008-2009 Opera Software ASA. All Rights Reserved. -->\n\n<untrusted-certificate>\n"))
break;
const unsigned char *data = entry->dercert_data;
cert = d2i_X509(NULL, &data, entry->dercert_len);
if(cert == NULL)
break;
// Cert name in one line
char *name = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
if(!name)
break;
if(!WriteXML(target, "subject", name, (char *) buffer, BUFFER_SIZE))
break;
OPENSSL_free(name);
// friendly name
if(entry->nickname)
if(!WriteXML(target, "shortname", entry->nickname, (char *) buffer, BUFFER_SIZE))
break;
// reason it is untrusted
if(entry->reason)
if(!WriteXML(target, "untrusted-reason", entry->reason, (char *) buffer, BUFFER_SIZE))
break;
if(!BIO_puts(target, "<certificate-data>\n"))
break;
EVP_EncodeInit(&base_64);
read_len=0;
// Write Base64 encoded certificate
for(i = 0; i < entry->dercert_len; i+= read_len)
{
read_len = (BUFFER_SIZE/4)*3;
if(i + read_len > entry->dercert_len)
read_len = entry->dercert_len -i;
outl =0;
EVP_EncodeUpdate(&base_64, buffer, &outl, entry->dercert_data+i, read_len);
if(outl && !BIO_write(target, buffer, outl))
break;
}
outl =0;
EVP_EncodeFinal(&base_64, buffer, &outl);
if(outl && !BIO_write(target, buffer, outl))
break;
if(!BIO_puts(target, "\n</certificate-data>\n"))
break;
if(!BIO_puts(target, "</untrusted-certificate>\n"))
break;
ret = TRUE;
}
while(0);
X509_free(cert);
OPENSSL_free(name);
delete [] buffer;
return ret;
}
/*
* Before trusting a certificate, you must make sure that the
* certificate is 'valid'. There are several steps that your
* application can take in determining if a certificate is
* valid. Commonly used steps are:
*
* 1.Verifying the certificate's signature, and verifying that
* the certificate has been issued by a trusted Certificate
* Authority.
*
* 2.Verifying that the certificate is valid for the present date
* (i.e. it is being presented within its validity dates).
*
* 3.Verifying that the certificate has not been revoked by its
* issuing Certificate Authority, by checking with respect to a
* Certificate Revocation List (CRL).
*
* 4.Verifying that the credentials presented by the certificate
* fulfill additional requirements specific to the application,
* such as with respect to access control lists or with respect
* to OCSP (Online Certificate Status Processing).
*
* NOTE: This callback will be called multiple times based on the
* depth of the root certificate chain
*/
static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
{
char subject[1024]; /* Used for the subject name */
char issuer[1024]; /* Used for the issuer name */
char common_name[1024];
char cn_str[1024];
char buf[64];
EAP_HANDLER *handler = NULL;
X509 *client_cert;
X509 *issuer_cert;
SSL *ssl;
int err, depth, lookup;
EAP_TLS_CONF *conf;
int my_ok = ok;
REQUEST *request;
ASN1_INTEGER *sn = NULL;
ASN1_TIME *asn_time = NULL;
#ifdef HAVE_OPENSSL_OCSP_H
X509_STORE *ocsp_store = NULL;
#endif
client_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
lookup = depth;
/*
* Log client/issuing cert. If there's an error, log
* issuing cert.
*/
if ((lookup > 1) && !my_ok) lookup = 1;
/*
* Retrieve the pointer to the SSL of the connection currently treated
* and the application specific data stored into the SSL object.
*/
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
handler = (EAP_HANDLER *)SSL_get_ex_data(ssl, 0);
request = handler->request;
conf = (EAP_TLS_CONF *)SSL_get_ex_data(ssl, 1);
#ifdef HAVE_OPENSSL_OCSP_H
ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, 2);
#endif
/*
* Get the Serial Number
*/
buf[0] = '\0';
sn = X509_get_serialNumber(client_cert);
/*
* For this next bit, we create the attributes *only* if
* we're at the client or issuing certificate.
*/
if ((lookup <= 1) && sn && (sn->length < (sizeof(buf) / 2))) {
char *p = buf;
int i;
for (i = 0; i < sn->length; i++) {
sprintf(p, "%02x", (unsigned int)sn->data[i]);
p += 2;
}
pairadd(&handler->certs,
pairmake(cert_attr_names[EAPTLS_SERIAL][lookup], buf, T_OP_SET));
}
/*
* Get the Expiration Date
*/
buf[0] = '\0';
asn_time = X509_get_notAfter(client_cert);
if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
memcpy(buf, (char*) asn_time->data, asn_time->length);
buf[asn_time->length] = '\0';
pairadd(&handler->certs,
pairmake(cert_attr_names[EAPTLS_EXPIRATION][lookup], buf, T_OP_SET));
}
/*
* Get the Subject & Issuer
*/
subject[0] = issuer[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(client_cert), subject,
sizeof(subject));
subject[sizeof(subject) - 1] = '\0';
if ((lookup <= 1) && subject[0] && (strlen(subject) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
pairmake(cert_attr_names[EAPTLS_SUBJECT][lookup], subject, T_OP_SET));
}
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer,
sizeof(issuer));
issuer[sizeof(issuer) - 1] = '\0';
if ((lookup <= 1) && issuer[0] && (strlen(issuer) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
pairmake(cert_attr_names[EAPTLS_ISSUER][lookup], issuer, T_OP_SET));
}
/*
* Get the Common Name
*/
X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
NID_commonName, common_name, sizeof(common_name));
common_name[sizeof(common_name) - 1] = '\0';
if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
}
/*
* If the CRL has expired, that might still be OK.
*/
if (!my_ok &&
(conf->allow_expired_crl) &&
(err == X509_V_ERR_CRL_HAS_EXPIRED)) {
my_ok = 1;
X509_STORE_CTX_set_error( ctx, 0 );
}
if (!my_ok) {
const char *p = X509_verify_cert_error_string(err);
radlog(L_ERR,"--> verify error:num=%d:%s\n",err, p);
radius_pairmake(request, &request->packet->vps,
"Module-Failure-Message", p, T_OP_SET);
return my_ok;
}
switch (ctx->error) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
radlog(L_ERR, "issuer= %s\n", issuer);
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
radlog(L_ERR, "notBefore=");
#if 0
ASN1_TIME_print(bio_err, X509_get_notBefore(ctx->current_cert));
#endif
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
radlog(L_ERR, "notAfter=");
#if 0
ASN1_TIME_print(bio_err, X509_get_notAfter(ctx->current_cert));
#endif
break;
}
/*
* If we're at the actual client cert, apply additional
* checks.
*/
if (depth == 0) {
/*
* If the conf tells us to, check cert issuer
* against the specified value and fail
* verification if they don't match.
*/
if (conf->check_cert_issuer &&
(strcmp(issuer, conf->check_cert_issuer) != 0)) {
radlog(L_AUTH, "rlm_eap_tls: Certificate issuer (%s) does not match specified value (%s)!", issuer, conf->check_cert_issuer);
my_ok = 0;
}
/*
* If the conf tells us to, check the CN in the
* cert against xlat'ed value, but only if the
* previous checks passed.
*/
if (my_ok && conf->check_cert_cn) {
if (!radius_xlat(cn_str, sizeof(cn_str), conf->check_cert_cn, handler->request, NULL)) {
radlog(L_ERR, "rlm_eap_tls (%s): xlat failed.",
conf->check_cert_cn);
/* if this fails, fail the verification */
my_ok = 0;
} else {
RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
if (strcmp(cn_str, common_name) != 0) {
radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) does not match specified value (%s)!", common_name, cn_str);
my_ok = 0;
}
}
} /* check_cert_cn */
#ifdef HAVE_OPENSSL_OCSP_H
if (my_ok && conf->ocsp_enable){
RDEBUG2("--> Starting OCSP Request");
if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1) {
radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name);
}
my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf);
}
#endif
while (conf->verify_client_cert_cmd) {
char filename[256];
int fd;
FILE *fp;
snprintf(filename, sizeof(filename), "%s/%s.client.XXXXXXXX",
conf->verify_tmp_dir, progname);
fd = mkstemp(filename);
if (fd < 0) {
RDEBUG("Failed creating file in %s: %s",
conf->verify_tmp_dir, strerror(errno));
break;
}
fp = fdopen(fd, "w");
if (!fp) {
RDEBUG("Failed opening file %s: %s",
filename, strerror(errno));
break;
}
if (!PEM_write_X509(fp, client_cert)) {
fclose(fp);
RDEBUG("Failed writing certificate to file");
goto do_unlink;
}
fclose(fp);
if (!radius_pairmake(request, &request->packet->vps,
"TLS-Client-Cert-Filename",
filename, T_OP_SET)) {
RDEBUG("Failed creating TLS-Client-Cert-Filename");
goto do_unlink;
}
RDEBUG("Verifying client certificate: %s",
conf->verify_client_cert_cmd);
if (radius_exec_program(conf->verify_client_cert_cmd,
request, 1, NULL, 0,
request->packet->vps,
NULL, 1) != 0) {
radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) fails external verification!", common_name);
my_ok = 0;
} else {
RDEBUG("Client certificate CN %s passed external validation", common_name);
}
do_unlink:
unlink(filename);
break;
}
} /* depth == 0 */
if (debug_flag > 0) {
RDEBUG2("chain-depth=%d, ", depth);
RDEBUG2("error=%d", err);
RDEBUG2("--> User-Name = %s", handler->identity);
RDEBUG2("--> BUF-Name = %s", common_name);
RDEBUG2("--> subject = %s", subject);
RDEBUG2("--> issuer = %s", issuer);
RDEBUG2("--> verify return:%d", my_ok);
}
return my_ok;
}
static int load_pkcs12_certificate(struct openconnect_info *vpninfo, PKCS12 *p12)
{
EVP_PKEY *pkey = NULL;
X509 *cert = NULL;
STACK_OF(X509) *ca;
int ret = 0;
char *pass;
pass = vpninfo->cert_password;
vpninfo->cert_password = NULL;
retrypass:
/* We do this every time round the loop, to work around a bug in
OpenSSL < 1.0.0-beta2 -- where the stack at *ca will be freed
when PKCS12_parse() returns an error, but *ca is left pointing
to the freed memory. */
ca = NULL;
if (!pass && request_passphrase(vpninfo, "openconnect_pkcs12", &pass,
_("Enter PKCS#12 pass phrase:")) < 0) {
PKCS12_free(p12);
return -EINVAL;
}
if (!PKCS12_parse(p12, pass, &pkey, &cert, &ca)) {
unsigned long err = ERR_peek_error();
openconnect_report_ssl_errors(vpninfo);
if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 &&
ERR_GET_FUNC(err) == PKCS12_F_PKCS12_PARSE &&
ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) {
vpn_progress(vpninfo, PRG_ERR,
_("Parse PKCS#12 failed (wrong passphrase?)\n"));
free(pass);
pass = NULL;
goto retrypass;
}
vpn_progress(vpninfo, PRG_ERR,
_("Parse PKCS#12 failed (see above errors)\n"));
PKCS12_free(p12);
free(pass);
return -EINVAL;
}
free(pass);
if (cert) {
char buf[200];
vpninfo->cert_x509 = cert;
SSL_CTX_use_certificate(vpninfo->https_ctx, cert);
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
vpn_progress(vpninfo, PRG_INFO,
_("Using client certificate '%s'\n"), buf);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("PKCS#12 contained no certificate!"));
ret = -EINVAL;
}
if (pkey) {
SSL_CTX_use_PrivateKey(vpninfo->https_ctx, pkey);
EVP_PKEY_free(pkey);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("PKCS#12 contained no private key!"));
ret = -EINVAL;
}
/* Only include supporting certificates which are actually necessary */
if (ca) {
int i;
next:
for (i = 0; i < sk_X509_num(ca); i++) {
X509 *cert2 = sk_X509_value(ca, i);
if (X509_check_issued(cert2, cert) == X509_V_OK) {
char buf[200];
if (cert2 == cert)
break;
if (X509_check_issued(cert2, cert2) == X509_V_OK)
break;
X509_NAME_oneline(X509_get_subject_name(cert2),
buf, sizeof(buf));
vpn_progress(vpninfo, PRG_DEBUG,
_("Extra cert from PKCS#12: '%s'\n"), buf);
CRYPTO_add(&cert2->references, 1, CRYPTO_LOCK_X509);
SSL_CTX_add_extra_chain_cert(vpninfo->https_ctx, cert2);
cert = cert2;
goto next;
}
}
sk_X509_pop_free(ca, X509_free);
}
PKCS12_free(p12);
return ret;
}
CERTIFICATE_CLASS::CERTIFICATE_CLASS(X509* x509_ptr)
// DESCRIPTION : Constructor that fills in the certificate values.
// PRECONDITIONS :
// POSTCONDITIONS :
// EXCEPTIONS :
// NOTES :
//<<===========================================================================
{
char* name_ptr;
EVP_PKEY* publicKey_ptr;
versionM = X509_get_version(x509_ptr) + 1/* change to 1 based*/;
name_ptr = X509_NAME_oneline(X509_get_subject_name(x509_ptr), NULL, 0);
if (name_ptr != NULL)
{
subjectM = name_ptr;
OPENSSL_free(name_ptr);
}
else
{
subjectM = "";
}
name_ptr = X509_NAME_oneline(X509_get_issuer_name(x509_ptr), NULL, 0);
if (name_ptr != NULL)
{
issuerM = name_ptr;;
OPENSSL_free(name_ptr);
}
else
{
issuerM = "";
}
OPENSSL_CLASS::asn1TimeToTm(X509_get_notBefore(x509_ptr), effectiveDateM);
OPENSSL_CLASS::asn1TimeToTm(X509_get_notAfter(x509_ptr), expirationDateM);
signatureKeyLengthM = 0;
signatureAlgorithmM = "";
publicKey_ptr = X509_get_pubkey(x509_ptr);
if (publicKey_ptr != NULL)
{
if (publicKey_ptr->type == EVP_PKEY_RSA)
{
signatureAlgorithmM = "RSA";
if ((publicKey_ptr->pkey.rsa != NULL) && (publicKey_ptr->pkey.rsa->n != NULL))
{
signatureKeyLengthM = BN_num_bits(publicKey_ptr->pkey.rsa->n);
}
}
else if (publicKey_ptr->type == EVP_PKEY_DSA)
{
signatureAlgorithmM = "DSA";
if ((publicKey_ptr->pkey.dsa != NULL) && (publicKey_ptr->pkey.dsa->p != NULL))
{
signatureKeyLengthM = BN_num_bits(publicKey_ptr->pkey.dsa->p);
}
}
EVP_PKEY_free(publicKey_ptr);
}
OPENSSL_CLASS::serialNumberToString(X509_get_serialNumber(x509_ptr), serialNumberM);
}
//----------------------------------------------------------------------------
TEST_F(FiberTest, SSLconnectDisconnectFiberFromClient) {
boost::log::core::get()->set_filter(boost::log::trivial::severity >=
boost::log::trivial::info);
Wait();
typedef boost::asio::ssl::stream<fiber> ssl_fiber_t;
boost::asio::ssl::context ctx(boost::asio::ssl::context::tlsv12);
std::function<bool(bool, boost::asio::ssl::verify_context&)> verify_callback =
[](bool preverified, boost::asio::ssl::verify_context& ctx) {
BOOST_LOG_TRIVIAL(debug) << "------------------------------" << std::endl;
X509_STORE_CTX* cts = ctx.native_handle();
X509* cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
char subject_name[256];
auto err = X509_STORE_CTX_get_error(ctx.native_handle());
auto depth_err = X509_STORE_CTX_get_error_depth(ctx.native_handle());
BOOST_LOG_TRIVIAL(debug) << "Error " << X509_verify_cert_error_string(err)
<< std::endl;
BOOST_LOG_TRIVIAL(debug) << "Depth " << depth_err << std::endl;
X509* issuer = cts->current_issuer;
if (issuer) {
X509_NAME_oneline(X509_get_subject_name(issuer), subject_name, 256);
BOOST_LOG_TRIVIAL(debug) << "Issuer " << subject_name << "\n";
}
X509_NAME_oneline(X509_get_subject_name(cert), subject_name, 256);
BOOST_LOG_TRIVIAL(debug) << "Verifying " << subject_name << "\n";
BOOST_LOG_TRIVIAL(debug) << "------------------------------" << std::endl;
return preverified;
};
ctx.set_verify_depth(100);
// Set the mutual authentication
ctx.set_verify_mode(boost::asio::ssl::verify_peer |
boost::asio::ssl::verify_fail_if_no_peer_cert);
// Set the callback to verify the cetificate chains of the peer
ctx.set_verify_callback(boost::bind(verify_callback, _1, _2));
// Load the file containing the trusted certificate authorities
SSL_CTX_load_verify_locations(ctx.native_handle(), "./certs/trusted/ca.crt",
NULL);
// The certificate used by the local peer
ctx.use_certificate_chain_file("./certs/certificate.crt");
// The private key used by the local peer
ctx.use_private_key_file("./certs/private.key",
boost::asio::ssl::context::pem);
// The Diffie-Hellman parameter file
ctx.use_tmp_dh_file("./certs/dh4096.pem");
// Force a specific cipher suite
SSL_CTX_set_cipher_list(ctx.native_handle(), "DHE-RSA-AES256-GCM-SHA384");
fiber_acceptor fib_acceptor(io_service_server_);
ssl_fiber_t ssl_fiber_client(io_service_client_, ctx);
ssl_fiber_t ssl_fiber_server(io_service_server_, ctx);
std::promise<bool> client_closed;
std::promise<bool> server_closed;
uint32_t buffer_s = 1;
uint32_t buffer_c = 0;
auto sent = [this, &server_closed, &ssl_fiber_server, &buffer_s](
const boost::system::error_code& ec, size_t length) {
EXPECT_EQ(ec.value(), 0) << "Sent handler should not be in error";
BOOST_LOG_TRIVIAL(debug) << "Server sent: " << buffer_s << std::endl;
server_closed.set_value(true);
};
auto async_handshaked_s = [this, &ssl_fiber_server, &buffer_s, &sent](
const boost::system::error_code& ec) {
EXPECT_EQ(ec.value(), 0) << "Handshaked handler should not be in error";
buffer_s = 10;
boost::asio::async_write(ssl_fiber_server,
boost::asio::buffer(&buffer_s, sizeof(buffer_s)),
boost::bind<void>(sent, _1, _2));
};
auto async_accept_s = [this, &ssl_fiber_server, &async_handshaked_s](
const boost::system::error_code& ec) {
EXPECT_EQ(ec.value(), 0) << "Accept handler should not be in error";
ssl_fiber_server.async_handshake(boost::asio::ssl::stream_base::server,
boost::bind<void>(async_handshaked_s, _1));
};
auto received = [this, &client_closed, &ssl_fiber_client, &buffer_c,
&buffer_s](const boost::system::error_code& ec,
size_t length) {
EXPECT_EQ(ec.value(), 0) << "Received handler should not be in error " << ec.message();
EXPECT_EQ(buffer_s, buffer_c);
BOOST_LOG_TRIVIAL(debug) << "client received: " << buffer_c << std::endl;
ssl_fiber_client.next_layer().close();
client_closed.set_value(true);
};
auto async_handshaked_c = [this, &ssl_fiber_client, &buffer_c, &received](
const boost::system::error_code& ec) {
EXPECT_EQ(ec.value(), 0) << "Handshaked handler should not be in error";
boost::asio::async_read(ssl_fiber_client,
boost::asio::buffer(&buffer_c, sizeof(buffer_c)),
boost::bind<void>(received, _1, _2));
};
auto async_connect_c = [this, &ssl_fiber_client, &async_handshaked_c](
const boost::system::error_code& ec) {
EXPECT_EQ(ec.value(), 0) << "Connect handler should not be in error";
ssl_fiber_client.async_handshake(boost::asio::ssl::stream_base::client,
boost::bind<void>(async_handshaked_c, _1));
};
boost::system::error_code acceptor_ec;
fiber_endpoint server_endpoint(boost::asio::fiber::stream_fiber<socket>::v1(),
demux_server_, 1);
fib_acceptor.open(server_endpoint.protocol(), acceptor_ec);
fib_acceptor.bind(server_endpoint, acceptor_ec);
fib_acceptor.listen(boost::asio::socket_base::max_connections, acceptor_ec);
fib_acceptor.async_accept(ssl_fiber_server.next_layer(),
boost::bind<void>(async_accept_s, _1));
fiber_endpoint client_endpoint(boost::asio::fiber::stream_fiber<socket>::v1(),
demux_client_, 1);
ssl_fiber_client.next_layer().async_connect(
client_endpoint, boost::bind<void>(async_connect_c, _1));
client_closed.get_future().wait();
server_closed.get_future().wait();
boost::system::error_code ec;
ssl_fiber_server.next_layer().close(ec);
fib_acceptor.close(ec);
}
/*
* Given an X509 certificate, create a KeyNote assertion where
* Issuer/Subject -> Authorizer/Licensees.
* XXX RSA-specific.
*/
int
x509_generate_kn(int id, X509 *cert)
{
static const char fmt[] = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s"
"\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n";
char *ikey = NULL, *skey = NULL, *buf = NULL;
char isname[256], subname[256];
static const char fmt2[] = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n"
"Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
X509_NAME *issuer, *subject;
struct keynote_deckey dc;
X509_STORE_CTX csc;
X509_OBJECT obj;
X509 *icert;
RSA *key = NULL;
time_t tt;
char before[15], after[15], *timecomp, *timecomp2;
ASN1_TIME *tm;
int i;
LOG_DBG((LOG_POLICY, 90,
"x509_generate_kn: generating KeyNote policy for certificate %p",
cert));
issuer = X509_get_issuer_name(cert);
subject = X509_get_subject_name(cert);
/* Missing or self-signed, ignore cert but don't report failure. */
if (!issuer || !subject || !X509_name_cmp(issuer, subject))
return 1;
if (!x509_cert_get_key(cert, &key)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to get public key from cert"));
return 0;
}
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
dc.dec_key = key;
ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
log_print("x509_generate_kn: failed to get memory for "
"public key");
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
"subject key"));
goto fail;
}
if (!ikey) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
"subject key"));
goto fail;
}
RSA_free(key);
key = NULL;
/* Now find issuer's certificate so we can get the public key. */
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) !=
X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
X509_STORE_CTX_init(&csc, x509_certs, cert, NULL);
if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj)
!= X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: no certificate found for "
"issuer"));
goto fail;
}
}
X509_STORE_CTX_cleanup(&csc);
icert = obj.data.x509;
if (icert == NULL) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: "
"missing certificates, cannot construct X509 chain"));
goto fail;
}
if (!x509_cert_get_key(icert, &key)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to get public key from cert"));
goto fail;
}
X509_OBJECT_free_contents(&obj);
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
dc.dec_key = key;
skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
log_error("x509_generate_kn: failed to get memory for public "
"key");
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
"key"));
goto fail;
}
if (!skey) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
"key"));
goto fail;
}
RSA_free(key);
key = NULL;
if (((tm = X509_get_notBefore(cert)) == NULL) ||
(tm->type != V_ASN1_UTCTIME &&
tm->type != V_ASN1_GENERALIZEDTIME)) {
tt = time(0);
strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt));
timecomp = "LocalTimeOfDay";
} else {
if (tm->data[tm->length - 1] == 'Z') {
timecomp = "GMTTimeOfDay";
i = tm->length - 2;
} else {
timecomp = "LocalTimeOfDay";
i = tm->length - 1;
}
for (; i >= 0; i--) {
if (tm->data[i] < '0' || tm->data[i] > '9') {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid data in "
"NotValidBefore time field"));
goto fail;
}
}
if (tm->type == V_ASN1_UTCTIME) {
if ((tm->length < 10) || (tm->length > 13)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length "
"of NotValidBefore time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[2] != '0' && tm->data[2] != '1') ||
(tm->data[2] == '0' && tm->data[3] == '0') ||
(tm->data[2] == '1' && tm->data[3] > '2') ||
(tm->data[4] > '3') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '3' && tm->data[5] > '1') ||
(tm->data[6] > '2') ||
(tm->data[6] == '2' && tm->data[7] > '3') ||
(tm->data[8] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidBefore time field"));
goto fail;
}
/* Stupid UTC tricks. */
if (tm->data[0] < '5')
snprintf(before, sizeof before, "20%s",
tm->data);
else
snprintf(before, sizeof before, "19%s",
tm->data);
} else { /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
"NotValidBefore time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[4] != '0' && tm->data[4] != '1') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '1' && tm->data[5] > '2') ||
(tm->data[6] > '3') ||
(tm->data[6] == '0' && tm->data[7] == '0') ||
(tm->data[6] == '3' && tm->data[7] > '1') ||
(tm->data[8] > '2') ||
(tm->data[8] == '2' && tm->data[9] > '3') ||
(tm->data[10] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidBefore time field"));
goto fail;
}
snprintf(before, sizeof before, "%s", tm->data);
}
/* Fix missing seconds. */
if (tm->length < 12) {
before[12] = '0';
before[13] = '0';
}
/* This will overwrite trailing 'Z'. */
before[14] = '\0';
}
tm = X509_get_notAfter(cert);
if (tm == NULL &&
(tm->type != V_ASN1_UTCTIME &&
tm->type != V_ASN1_GENERALIZEDTIME)) {
tt = time(0);
strftime(after, 14, "%Y%m%d%H%M%S", localtime(&tt));
timecomp2 = "LocalTimeOfDay";
} else {
if (tm->data[tm->length - 1] == 'Z') {
timecomp2 = "GMTTimeOfDay";
i = tm->length - 2;
} else {
timecomp2 = "LocalTimeOfDay";
i = tm->length - 1;
}
for (; i >= 0; i--) {
if (tm->data[i] < '0' || tm->data[i] > '9') {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid data in "
"NotValidAfter time field"));
goto fail;
}
}
if (tm->type == V_ASN1_UTCTIME) {
if ((tm->length < 10) || (tm->length > 13)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
"NotValidAfter time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[2] != '0' && tm->data[2] != '1') ||
(tm->data[2] == '0' && tm->data[3] == '0') ||
(tm->data[2] == '1' && tm->data[3] > '2') ||
(tm->data[4] > '3') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '3' && tm->data[5] > '1') ||
(tm->data[6] > '2') ||
(tm->data[6] == '2' && tm->data[7] > '3') ||
(tm->data[8] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidAfter time field"));
goto fail;
}
/* Stupid UTC tricks. */
if (tm->data[0] < '5')
snprintf(after, sizeof after, "20%s",
tm->data);
else
snprintf(after, sizeof after, "19%s",
tm->data);
} else { /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
"NotValidAfter time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[4] != '0' && tm->data[4] != '1') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '1' && tm->data[5] > '2') ||
(tm->data[6] > '3') ||
(tm->data[6] == '0' && tm->data[7] == '0') ||
(tm->data[6] == '3' && tm->data[7] > '1') ||
(tm->data[8] > '2') ||
(tm->data[8] == '2' && tm->data[9] > '3') ||
(tm->data[10] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidAfter time field"));
goto fail;
}
snprintf(after, sizeof after, "%s", tm->data);
}
/* Fix missing seconds. */
if (tm->length < 12) {
after[12] = '0';
after[13] = '0';
}
after[14] = '\0'; /* This will overwrite trailing 'Z' */
}
if (asprintf(&buf, fmt, skey, ikey, timecomp, before, timecomp2,
after) == -1) {
log_error("x509_generate_kn: "
"failed to allocate memory for KeyNote credential");
goto fail;
}
free(ikey);
ikey = NULL;
free(skey);
skey = NULL;
if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to add new KeyNote credential"));
goto fail;
}
/* We could print the assertion here, but log_print() truncates... */
LOG_DBG((LOG_POLICY, 60, "x509_generate_kn: added credential"));
free(buf);
buf = NULL;
if (!X509_NAME_oneline(issuer, isname, 256)) {
LOG_DBG((LOG_POLICY, 50,
"x509_generate_kn: "
"X509_NAME_oneline (issuer, ...) failed"));
goto fail;
}
if (!X509_NAME_oneline(subject, subname, 256)) {
LOG_DBG((LOG_POLICY, 50,
"x509_generate_kn: "
"X509_NAME_oneline (subject, ...) failed"));
goto fail;
}
if (asprintf(&buf, fmt2, isname, subname, timecomp, before,
timecomp2, after) == -1) {
log_error("x509_generate_kn: malloc failed");
return 0;
}
if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to add new KeyNote credential"));
goto fail;
}
LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s",
buf));
free(buf);
return 1;
fail:
free(buf);
free(skey);
free(ikey);
if (key)
RSA_free(key);
return 0;
}
int DoSSLClientNegotiation(STREAM *S, int Flags)
{
int result=FALSE, val;
#ifdef HAVE_LIBSSL
SSL_METHOD *Method;
SSL_CTX *ctx;
SSL *ssl;
//struct x509 *cert=NULL;
X509 *cert=NULL;
if (S)
{
INTERNAL_SSL_INIT();
// SSL_load_ciphers();
Method=SSLv23_client_method();
if (! Method) Method=SSLv2_client_method();
ctx=SSL_CTX_new(Method);
if (! ctx) HandleSSLError();
else
{
STREAM_INTERNAL_SSL_ADD_SECURE_KEYS(S,ctx);
ssl=SSL_new(ctx);
SSL_set_fd(ssl,S->in_fd);
STREAMSetItem(S,"LIBUSEFUL-SSL-CTX",ssl);
result=SSL_connect(ssl);
S->Flags|=SF_SSL;
val=SSL_get_verify_result(ssl);
switch(val)
{
case X509_V_OK:
STREAMSetValue(S,"SSL-Certificate-Verify","OK");
break;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to get issuer");
break;
case X509_V_ERR_UNABLE_TO_GET_CRL:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to get certificate CRL");
break;
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to decrypt certificate's signature");
break;
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to decrypt CRL's signature");
break;
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to decode issuer public key");
break;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate signature invalid");
break;
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
STREAMSetValue(S,"SSL-Certificate-Verify","CRL signature invalid");
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate is not yet valid");
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate has expired");
break;
case X509_V_ERR_CRL_NOT_YET_VALID:
STREAMSetValue(S,"SSL-Certificate-Verify","CRL is not yet valid the CRL is not yet valid.");
break;
case X509_V_ERR_CRL_HAS_EXPIRED:
STREAMSetValue(S,"SSL-Certificate-Verify","CRL has expired the CRL has expired.");
break;
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid notBefore value");
break;
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid notAfter value");
break;
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid CRL lastUpdate value");
break;
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid CRL nextUpdate value");
break;
case X509_V_ERR_OUT_OF_MEM:
STREAMSetValue(S,"SSL-Certificate-Verify","out of memory");
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
STREAMSetValue(S,"SSL-Certificate-Verify","self signed certificate");
break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
STREAMSetValue(S,"SSL-Certificate-Verify","self signed certificate in certificate chain");
break;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
STREAMSetValue(S,"SSL-Certificate-Verify","cant find root certificate in local database");
break;
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
STREAMSetValue(S,"SSL-Certificate-Verify","ERROR: unable to verify the first certificate");
break;
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate chain too long");
break;
case X509_V_ERR_CERT_REVOKED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate revoked");
break;
case X509_V_ERR_INVALID_CA:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid CA certificate");
break;
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
STREAMSetValue(S,"SSL-Certificate-Verify","path length constraint exceeded");
break;
case X509_V_ERR_INVALID_PURPOSE:
STREAMSetValue(S,"SSL-Certificate-Verify","unsupported certificate purpose");
break;
case X509_V_ERR_CERT_UNTRUSTED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate not trusted");
break;
case X509_V_ERR_CERT_REJECTED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate rejected");
break;
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
STREAMSetValue(S,"SSL-Certificate-Verify","subject issuer mismatch");
break;
case X509_V_ERR_AKID_SKID_MISMATCH:
STREAMSetValue(S,"SSL-Certificate-Verify","authority and subject key identifier mismatch");
break;
case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
STREAMSetValue(S,"SSL-Certificate-Verify","authority and issuer serial number mismatch");
break;
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
STREAMSetValue(S,"SSL-Certificate-Verify","key usage does not include certificate signing");
break;
case X509_V_ERR_APPLICATION_VERIFICATION:
STREAMSetValue(S,"SSL-Certificate-Verify","application verification failure");
break;
}
}
cert=SSL_get_peer_certificate(ssl);
if (cert)
{
STREAMSetValue(S,"SSL-Certificate-Issuer",X509_NAME_oneline( X509_get_issuer_name(cert),NULL, 0));
}
}
STREAMSetValue(S,"SSL-Cipher",STREAMQuerySSLCipher(S));
#endif
return(result);
}
/* This callback is called during each verification process,
at each step during the chain of certificates (this function
is not the certificate_verification one!). */
int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
char buf[256];
X509 *err_cert;
int err, depth;
depth = X509_STORE_CTX_get_error_depth(ctx);
LM_NOTICE("depth = %d\n",depth);
if ( depth > VERIFY_DEPTH_S ) {
LM_NOTICE("cert chain too long ( depth > VERIFY_DEPTH_S)\n");
pre_verify_ok=0;
}
if( pre_verify_ok ) {
LM_NOTICE("preverify is good: verify return: %d\n", pre_verify_ok);
return pre_verify_ok;
}
err_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
LM_NOTICE("subject = %s\n", buf);
LM_NOTICE("verify error:num=%d:%s\n",
err, X509_verify_cert_error_string(err));
LM_NOTICE("error code is %d\n", ctx->error);
switch (ctx->error) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
buf,sizeof buf);
LM_NOTICE("issuer= %s\n",buf);
break;
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
case X509_V_ERR_CERT_NOT_YET_VALID:
LM_NOTICE("notBefore\n");
break;
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_CERT_HAS_EXPIRED:
LM_NOTICE("notAfter\n");
break;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
LM_NOTICE("unable to decrypt cert "
"signature\n");
break;
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
LM_NOTICE("unable to decode issuer "
"public key\n");
break;
case X509_V_ERR_OUT_OF_MEM:
LM_NOTICE("out of memory \n");
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
LM_NOTICE("Self signed certificate "
"issue\n");
break;
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
LM_NOTICE("certificate chain too long\n");
break;
case X509_V_ERR_INVALID_CA:
LM_NOTICE("invalid CA\n");
break;
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
LM_NOTICE("path length exceeded\n");
break;
case X509_V_ERR_INVALID_PURPOSE:
LM_NOTICE("invalid purpose\n");
break;
case X509_V_ERR_CERT_UNTRUSTED:
LM_NOTICE("certificate untrusted\n");
break;
case X509_V_ERR_CERT_REJECTED:
LM_NOTICE("certificate rejected\n");
break;
default:
LM_NOTICE("something wrong with the cert"
" ... error code is %d (check x509_vfy.h)\n", ctx->error);
break;
}
LM_NOTICE("verify return:%d\n", pre_verify_ok);
return(pre_verify_ok);
}
int HttpsRetriever::ssl_check_certificate (int fd , const char *host)
{
X509 *cert;
char common_name[256];
long vresult;
int success = 1;
/* If the user has specified --no-check-cert, we still want to warn
him about problems with the server's certificate. */
const char *severity = opt.check_cert ? "ERROR" : "WARNING" ;
SSL *ssl ;
// SSL *ssl = (SSL *) fd_transport_context (fd);
assert (ssl != NULL);
cert = SSL_get_peer_certificate (ssl);
if (!cert)
{
// logprintf (LOG_NOTQUIET, "%s: No certificate presented by %s.\n",
// severity, (host));
fprintf(stderr , "%s: No certificate presented by %s.\n",severity, (host));
success = 0;
goto no_cert; /* must bail out since CERT is NULL */
}
#ifdef ENABLE_DEBUG
if (opt.debug)
{
char *subject = X509_NAME_oneline (X509_get_subject_name (cert), 0, 0);
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
DEBUGP (("certificate:\n subject: %s\n issuer: %s\n",
(subject), (issuer)));
OPENSSL_free (subject);
OPENSSL_free (issuer);
}
#endif
vresult = SSL_get_verify_result (ssl);
if (vresult != X509_V_OK)
{
/* #### We might want to print saner (and translatable) error
messages for several frequently encountered errors. The
candidates would include
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
and possibly others. The current approach would still be
used for the less frequent failure cases. */
// logprintf (LOG_NOTQUIET,
// _("%s: Certificate verification error for %s: %s\n"),
// severity, escnonprint (host),
// X509_verify_cert_error_string (vresult));
fprintf(stderr , "%s: Certificate verification error for %s: %s\n" ,
severity, (host) , X509_verify_cert_error_string (vresult));
success = 0;
/* Fall through, so that the user is warned about *all* issues
with the cert (important with --no-check-certificate.) */
}
/* Check that HOST matches the common name in the certificate.
#### The following remains to be done:
- It should use dNSName/ipAddress subjectAltName extensions if
available; according to rfc2818: "If a subjectAltName extension
of type dNSName is present, that MUST be used as the identity."
- When matching against common names, it should loop over all
common names and choose the most specific one, i.e. the last
one, not the first one, which the current code picks.
- Ensure that ASN1 strings from the certificate are encoded as
UTF-8 which can be meaningfully compared to HOST. */
common_name[0] = '\0';
X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
NID_commonName, common_name, sizeof (common_name));
if (!pattern_match (common_name, host))
{
//logprintf (LOG_NOTQUIET, _("\
//%s: certificate common name `%s' doesn't match requested host name `%s'.\n"),
// severity, escnonprint (common_name), escnonprint (host));
fprintf(stderr , "%s: certificate common name `%s' doesn't match requested host name `%s'.\n" ,
severity, (common_name), (host));
success = 0;
}
if (success)
DEBUGP (("X509 certificate successfully verified and matches host %s\n",
(host)));
X509_free (cert);
no_cert:
if (opt.check_cert && !success)
// logprintf (LOG_NOTQUIET, _("\
//To connect to %s insecurely, use `--no-check-certificate'.\n"),
// escnonprint (host));
fprintf(stderr , "To connect to %s insecurely, use `--no-check-certificate'.\n" ,
(host));
/* Allow --no-check-cert to disable certificate checking. */
return opt.check_cert ? success : 1;
return -1 ;
}
MONO_API int
mono_btls_x509_name_print_string (MonoBtlsX509Name *name, char *buffer, int size)
{
*buffer = 0;
return X509_NAME_oneline (name->name, buffer, size) != NULL;
}
/* Get the validated names for the connection peer.
*
* Usually, the names in the altNames will be easier to parse and use than commonName
* Returns
* - true if the connection peer is validated by a trusted authority
* - false if not, in which case no names are returned.
*/
bool OsSSL::peerIdentity( SSL* connection ///< SSL connection to be described
,UtlSList* altNames /**< UtlStrings for verfied subjectAltNames
* are added to this - caller must free them.
*/
,UtlString* commonName ///< the Subject name is returned here
)
{
bool peerCertTrusted = false;
# ifdef TEST_DEBUG
UtlString debugMsg;
# endif
if (altNames)
{
altNames->destroyAll();
}
if (commonName)
{
commonName->remove(0);
}
if (connection)
{
// Extract the subject and issuer information about the peer
// and the certificate validation result. Neither of these
// are meaningful without the other.
// (note various dynamically allocated items - freed below)
X509* peer_cert = SSL_get_peer_certificate(connection);
if (peer_cert)
{
if (X509_V_OK == SSL_get_verify_result(connection))
{
peerCertTrusted = true;
char* subjectStr = X509_NAME_oneline(X509_get_subject_name(peer_cert),NULL,0);
// @TODO this should also enforce any extendedKeyUsage limitations
# ifdef TEST_DEBUG
debugMsg.append("OsSSL::peerIdentity verified");
# endif
if (subjectStr)
{
// this should always be true, I think...
if (commonName)
{
commonName->append(subjectStr);
}
# ifdef TEST_DEBUG
debugMsg.append(" '");
debugMsg.append(subjectStr);
debugMsg.append("'");
# endif
OPENSSL_free(subjectStr);
}
if (altNames)
{
// Look for the subjectAltName attributes
GENERAL_NAMES* names;
names = (GENERAL_NAMES*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL);
for(int i = 0; i < sk_GENERAL_NAME_num(names); i++)
{
GENERAL_NAME* name = sk_GENERAL_NAME_value(names, i);
ASN1_IA5STRING* nameValue;
UtlString* normalizedName;
switch (name->type)
{
case GEN_DNS:
case GEN_URI:
nameValue = name->d.uniformResourceIdentifier;
normalizedName
= new UtlString((const char*)(nameValue->data),nameValue->length);
// @TODO: We should parse this value before adjusting the case,
// but that requires doing it at a higher level in the stack
// where we can parse a URL, and we don't yet have selection
// based on type anyway.
normalizedName->toLower();
# ifdef TEST_DEBUG
debugMsg.append(" '");
debugMsg.append(*normalizedName);
debugMsg.append("'");
# endif
altNames->append(normalizedName);
break;
default:
// don't care about any other values
break;
}
}
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
# ifdef TEST_DEBUG
OsSysLog::add(FAC_KERNEL, PRI_DEBUG, "%s", debugMsg.data());
# endif
}
else
{
OsSysLog::add(FAC_KERNEL, PRI_ERR, "OsSSL::peerIdentity peer not validated");
}
X509_free(peer_cert);
}
else
{
OsSysLog::add(FAC_KERNEL, PRI_WARNING, "OsSSL::peerIdentity no peer certificate");
}
}
else
{
OsSysLog::add(FAC_KERNEL, PRI_CRIT, "OsSSL::peerIdentity called with NULL connection");
}
return peerCertTrusted;
}
int
f_starttls( SNET *sn, int ac, char **av )
{
int rc;
X509 *peer;
char buf[ 1024 ];
if ( ac != 1 ) {
snet_writef( sn, "%d Syntax error (no parameters allowed)\r\n", 501 );
return( 1 );
} else {
snet_writef( sn, "%d Ready to start TLS\r\n", 220 );
}
/* We get here when the client asks for TLS with the STARTTLS verb */
/*
* Client MUST NOT attempt to start a TLS session if a TLS
* session is already active. No mention of what to do if it does...
*
* Once STARTTLS has succeeded, the STARTTLS verb is no longer valid
*/
/*
* Begin TLS
*/
/* This is where the TLS start */
/* At this point the client is also starting TLS */
/* 1 is for server, 0 is client */
if (( rc = snet_starttls( sn, ctx, 1 )) != 1 ) {
syslog( LOG_ERR, "f_starttls: snet_starttls: %s",
ERR_error_string( ERR_get_error(), NULL ) );
snet_writef( sn, "%d SSL didn't work error! XXX\r\n", 501 );
return( 1 );
}
if ( authlevel >= 2 ) {
if (( peer = SSL_get_peer_certificate( sn->sn_ssl ))
== NULL ) {
syslog( LOG_ERR, "no peer certificate" );
return( -1 );
}
syslog( LOG_INFO, "CERT Subject: %s\n",
X509_NAME_oneline( X509_get_subject_name( peer ), buf,
sizeof( buf )));
X509_NAME_get_text_by_NID( X509_get_subject_name( peer ),
NID_commonName, buf, sizeof( buf ));
if (( remote_cn = strdup( buf )) == NULL ) {
syslog( LOG_ERR, "strdup: %m" );
X509_free( peer );
return( -1 );
}
X509_free( peer );
}
/* get command file */
if ( command_k( "config", 0 ) < 0 ) {
/* Client not in config */
commands = noauth;
ncommands = sizeof( noauth ) / sizeof( noauth[ 0 ] );
} else {
/* Client in config */
commands = auth;
ncommands = sizeof( auth ) / sizeof( auth[ 0 ] );
if ( read_kfile( sn, command_file ) != 0 ) {
/* error message given in list_transcripts */
exit( 1 );
}
}
return( 0 );
}
int main(int argc, char *argv[]) {
scep_t scep;
int c, rc, bytes, fd;
char filename[1024];
BIO *inbio = NULL, *outbio, *membio;
char *conffile;
struct tms start;
/* start timekeeping */
times(&start);
/* clean out the scep structure (some fields will be set by */
/* command line parsing routine) */
scep_clear(&scep);
if (debug)
fprintf(stderr, "%s:%d: cleared scep structure\n",
__FILE__, __LINE__);
/* initialize the OpenSSL library */
scepinit();
if (debug)
fprintf(stderr, "%s:%d: initialized libraries\n",
__FILE__, __LINE__);
/* set umask to something not dangerous */
umask(022);
/* read the command line arguments, if any */
while (EOF != (c = getopt(argc, argv, "df:")))
switch (c) {
case 'd':
debug++;
break;
case 'f':
conffile = optarg;
if (debug)
fprintf(stderr, "%s:%d: config file is %s\n",
__FILE__, __LINE__, conffile);
break;
}
/* read the configuration file */
scep_config(&scep, (conffile) ? conffile : OPENSCEPDIR "/openscep.cnf");
/* initialize the LDAP backend */
scep_ldap_init(&scep);
/* read the stuff from standard input and write it to a request */
/* file so that debugging becomes simpler */
inbio = BIO_new(BIO_s_file());
BIO_set_fp(inbio, stdin, BIO_NOCLOSE);
membio = BIO_new(BIO_s_mem());
do {
unsigned char buffer[1024];
bytes = BIO_read(inbio, buffer, sizeof(buffer));
if (bytes > 0) {
BIO_write(membio, buffer, bytes);
if (debug)
BIO_printf(bio_err, "%s:%d: writing chunk of"
"size %d\n", __FILE__, __LINE__, bytes);
} else
BIO_printf(bio_err, "%s:%d: no more data from inbio\n",
__FILE__, __LINE__);
} while (bytes > 0);
BIO_flush(membio);
/* the decode call does the following three things */
/* - verify the signed data PKCS#7 */
/* - extract the signed attributes */
/* - decrypt the enveloped data */
scep.request.base64 = 1;
if (decode(&scep, membio) < 0) {
BIO_printf(bio_err, "%s:%d: decode failed\n", __FILE__,
__LINE__);
syslog(LOG_ERR, "%s:%d: scepd failed to decode request",
__FILE__, __LINE__);
goto err;
}
BIO_free(membio);
/* inform the debug log about the message we have received */
if (debug) {
char name[1024];
BIO_printf(bio_err, "%s:%d: message with transaction id %s\n",
__FILE__, __LINE__, scep.transId);
X509_NAME_oneline(X509_get_subject_name((scep.selfsignedcert)
? scep.selfsignedcert : scep.clientcert), name, 1024);
BIO_printf(bio_err, "%s:%d: sender is %s\n", __FILE__, __LINE__,
name);
}
/* swap nonces and create a reply nonce */
if (scep.recipientNonce) {
free(scep.recipientNonce);
}
scep.recipientNonce = scep.senderNonce;
scep.recipientNonceLength = scep.senderNonceLength;
scep.senderNonceLength = 16;
scep.senderNonce = (unsigned char *)malloc(scep.senderNonceLength);
RAND_bytes(scep.senderNonce, scep.senderNonceLength);
/* branch according to message type */
if (scep.request.messageType == NULL) {
syslog(LOG_ERR, "%s:%d: message of undefined type received",
__FILE__, __LINE__);
BIO_printf(bio_err, "%s:%d: undefined message type\n",
__FILE__, __LINE__);
goto err;
}
scep.reply.messageType = SCEP_MESSAGE_TYPE_CERTREP;
switch (atoi(scep.request.messageType)) {
case MSG_CERTREP: /* CertRep */
syslog(LOG_WARNING, "%s:%d: CertRep message, should not happen",
__FILE__, __LINE__);
if (debug)
BIO_printf(bio_err, "%s:%d: CertRep message received\n",
__FILE__, __LINE__);
rc = certrep(&scep);
break;
case MSG_V2PROXY:
/* proxy requests are checked during decoding */
/* at this point, we have an acceptable proxy request */
/* so we can fall through to a v2 request */
case MSG_V2REQUEST: /* v2 request received */
/* XXX fixme: implement version 2 */
rc = v2request(&scep);
break;
case MSG_PKCSREQ: /* PKCSReq */
syslog(LOG_INFO, "%s:%d: PKCSReq message received", __FILE__,
__LINE__);
if (debug)
BIO_printf(bio_err, "%s:%d: PKCSReq message received\n",
__FILE__, __LINE__);
rc = pkcsreq(&scep);
break;
case MSG_GETCERTINITIAL: /* GetCertInitial */
syslog(LOG_INFO, "%s:%d: GetCertInitial message received",
__FILE__, __LINE__);
if (debug)
BIO_printf(bio_err, "%s:%d: GetCertInitial message "
"received\n", __FILE__, __LINE__);
rc = getcertinitial(&scep);
break;
case MSG_GETCERT: /* GetCert */
syslog(LOG_INFO, "%s:%d: GetCert message received",
__FILE__, __LINE__);
if (debug)
BIO_printf(bio_err, "%s:%d: GetCert message received\n",
__FILE__, __LINE__);
rc = getcert(&scep);
break;
case MSG_GETCRL: /* GetCRL */
syslog(LOG_INFO, "%s:%d: GetCRL message received", __FILE__,
__LINE__);
if (debug)
BIO_printf(bio_err, "%s:%d: GetCRL message received\n",
__FILE__, __LINE__);
rc = getcrl(&scep);
break;
default:
syslog(LOG_WARNING, "%s:%d: message of unknown type: %s",
__FILE__, __LINE__, scep.request.messageType);
BIO_printf(bio_err, "%s:%d: unknown message type: %s\n",
__FILE__, __LINE__, scep.request.messageType);
scep.reply.failinfo = SCEP_FAILURE_BADREQUEST;
}
prepreply:
if (debug)
BIO_printf(bio_err, "%s:%d: reply prepared, encoding follows\n",
__FILE__, __LINE__);
if (rc < 0) {
/* create a failure reply by setting the failinfo field */
BIO_printf(bio_err, "%s:%d: bad return code from handler\n",
__FILE__, __LINE__);
scep.reply.failinfo = SCEP_FAILURE_BADREQUEST;
}
/* encode the reply */
if (encode(&scep) < 0) {
BIO_printf(bio_err, "%s:%d: encoding failed\n", __FILE__,
__LINE__);
syslog(LOG_ERR, "%s:%d: scepd failed to encode the reply",
__FILE__, __LINE__);
goto err;
}
/* print a HTTP header */
if (debug)
BIO_printf(bio_err, "%s:%d: preparing reply headers\n",
__FILE__, __LINE__);
printf("Content-Transfer-Encoding: 8bit\r\n");
printf("Content-Type: application/x-pki-message\r\n");
printf("Content-Length: %d\r\n\r\n", scep.reply.length);
fflush(stdout);
if (debug)
BIO_printf(bio_err, "%s:%d: headers sent\n", __FILE__,
__LINE__);
/* return the result PKCS#7 as DER on stdout */
if (scep.reply.length != (bytes = write(fileno(stdout), scep.reply.data,
scep.reply.length))) {
BIO_printf(bio_err, "%s:%d: message write incomplete "
"%d != %d\n", __FILE__, __LINE__, scep.reply.data,
bytes);
}
printf("\r\n"); /* make sure message is properly closed */
if (debug)
BIO_printf(bio_err, "%s:%d: %d bytes of content sent\n",
__FILE__, __LINE__, bytes);
/* write the same data also to a file for debugging */
if (debug) {
snprintf(filename, sizeof(filename), "%s/%d.pkireply.der",
tmppath, getpid());
fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0666);
write(fd, scep.reply.data, scep.reply.length);
close(fd);
BIO_printf(bio_err, "%s:%d: reply written to file %s\n",
__FILE__, __LINE__, filename);
}
BIO_free(outbio);
/* successful completion */
ERR_print_errors(bio_err); /* just in case something is still there */
syslog(LOG_DEBUG, "%s:%d: scepd successfully completed",
__FILE__, __LINE__);
logtimes(&start);
exit(EXIT_SUCCESS);
/* but we may as well fail */
err:
ERR_print_errors(bio_err);
syslog(LOG_DEBUG, "%s:%d: scepd failed", __FILE__, __LINE__);
logtimes(&start);
exit(EXIT_FAILURE);
}
int dtls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) {
//int rc = 0;
unsigned int lenHash;
const EVP_MD *pEvp = NULL;
DTLS_FINGERPRINT_T fingerprint;
X509 *pX509 = NULL;
SSL *pSSLCtxt = NULL;
int sslCbDataIndex;
char buf[1024];
char buf2[1024];
DTLS_FINGERPRINT_VERIFY_T *pFingerprintVerify = NULL;
pSSLCtxt = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
for(sslCbDataIndex = 0; sslCbDataIndex <= s_sslCbDataIndex; sslCbDataIndex++) {
if((pFingerprintVerify = SSL_get_ex_data(pSSLCtxt, sslCbDataIndex))) {
break;
}
}
//LOG(X_DEBUG("DTLS_VERIFY_CB preverify_ok:%d, pFingerprintVerify: 0x%x, name:'%s'"), preverify_ok, pFingerprintVerify, X509_NAME_oneline(X509_get_subject_name(x509_ctx->cert), buf, sizeof(buf)));
if(!pFingerprintVerify || pFingerprintVerify->verified) {
return 1;
}
//LOG(X_DEBUG("Verify fingerprint type:%d"), pFingerprintVerify->fingerprint.type); LOGHEX_DEBUG(pFingerprintVerify->fingerprint.buf, pFingerprintVerify->fingerprint.len);
if(!(pX509 = x509_ctx->cert)) {
return 0;
}
memset(&fingerprint, 0, sizeof(fingerprint));
fingerprint.type = pFingerprintVerify->fingerprint.type;
if(!(pEvp = dtlsFingerprintTypeToEVP(fingerprint.type))) {
LOG(X_ERROR("Invalid DTLS fingerprint verification digest type %s (%d)"),
sdp_dtls_get_fingerprint_typestr(fingerprint.type), fingerprint.type);
return 0;
}
lenHash = sizeof(fingerprint.buf);
if(X509_digest(pX509, pEvp, fingerprint.buf, &lenHash) != 1 || lenHash <= 0) {
LOG(X_ERROR("DTLS X509_digest failed for peer certificate: %s"), ERR_reason_error_string(ERR_get_error()));
return 0;
} else {
fingerprint.len = lenHash;
}
if(fingerprint.len != pFingerprintVerify->fingerprint.len ||
memcmp(fingerprint.buf, pFingerprintVerify->fingerprint.buf, fingerprint.len)) {
LOG(X_ERROR("DTLS fingerprint verification failed for %s fingerprint length %d for remote certificate: %s"),
sdp_dtls_get_fingerprint_typestr(fingerprint.type), fingerprint.len,
X509_NAME_oneline(X509_get_subject_name(x509_ctx->cert), buf, sizeof(buf)));
LOG(X_DEBUG("DTLS remote fingerprint %s does not match %s"),
dtls_fingerprint2str(&fingerprint, buf2, sizeof(buf2)),
dtls_fingerprint2str(&pFingerprintVerify->fingerprint, buf, sizeof(buf)));
return 0;
}
pFingerprintVerify->verified = 1;
LOG(X_DEBUG("DTLS verified %s fingerprint length %d for remote cerficate: %s"),
sdp_dtls_get_fingerprint_typestr(fingerprint.type), fingerprint.len,
X509_NAME_oneline(X509_get_subject_name(x509_ctx->cert), buf, sizeof(buf)));
//LOG(X_DEBUG("DTLS_VERIFY_CB fingerprint type:%d, len: %d"), fingerprint.type, fingerprint.len); LOGHEX_DEBUG(fingerprint.buf, fingerprint.len);
return 1;
}
