static int
client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
char buf[256];
X509 *err_cert;
int err, depth;
err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
err = X509_STORE_CTX_get_error(x509_ctx);
depth = X509_STORE_CTX_get_error_depth(x509_ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
if (!preverify_ok) {
lock_file(stderr);
fprintf(stderr, "verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf);
if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) {
X509_NAME_oneline(
X509_get_issuer_name(X509_STORE_CTX_get_current_cert(x509_ctx)), buf,
256);
fprintf(stderr, "issuer= %s\n", buf);
}
unlock_file(stderr);
return preverify_ok;
}
/* They've passed the preverification */
/* if there are contents of the cert we wanted to verify, we'd do it here.
*/
return preverify_ok;
}
int verify_callback(int ok, X509_STORE_CTX *ctx) {
int err, depth;
char buf[1024];
X509 *thecert;
thecert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
/* things to do: */
X509_NAME_oneline(X509_get_subject_name(thecert), buf, sizeof(buf));
DEBUGMSGTL(("dtlsudp_x509",
"Cert: %s\n", buf));
DEBUGMSGTL(("dtlsudp_x509",
" verify value: %d, depth=%d, error code=%d, error string=%s\n",
ok, depth, err, _x509_get_error(err, "verify callback")));
/* check if we allow self-signed certs */
if (netsnmp_ds_get_boolean(NETSNMP_DS_LIBRARY_ID,
NETSNMP_DS_LIB_ALLOW_SELF_SIGNED) &&
(X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT == err ||
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN == err)) {
DEBUGMSGTL(("dtlsudp_x509", " accepting a self-signed certificate\n"));
return 1;
}
DEBUGMSGTL(("dtlsudp_x509", " returing the passed in value of %d\n", ok));
return(ok);
}
static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
X509* err_cert;
SSL* ssl;
int bytes;
unsigned char* buf = NULL;
if(!preverify_ok) {
err_cert = X509_STORE_CTX_get_current_cert(ctx);
if(err_cert) {
/*
* Save the failed certificate for inspection/logging.
*/
bytes = i2d_X509(err_cert, &buf);
if(bytes > 0) {
ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf));
cert_buf->buf = buf;
cert_buf->bytes = bytes;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
SSL_set_app_data(ssl, cert_buf);
}
}
}
return preverify_ok;
}
static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
{
int err;
X509 *err_cert;
/* it is ok to use a self signed certificate
* This case will catch both the initial ok == 0 and the
* final ok == 1 calls to this function */
err=X509_STORE_CTX_get_error(ctx);
if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
return 1;
/* BAD we should have gotten an error. Normally if everything
* worked X509_STORE_CTX_get_error(ctx) will still be set to
* DEPTH_ZERO_SELF_.... */
if (ok)
{
BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
return 0;
}
else
{
err_cert=X509_STORE_CTX_get_current_cert(ctx);
print_name(bio_err, NULL, X509_get_subject_name(err_cert),0);
BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
err,X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(err));
return 1;
}
}
/*! This is called each time a certificate verification occurs. It allows us to
catch failures and report them.
*/
/* static */ int
BSecureSocket::Private::VerifyCallback(int ok, X509_STORE_CTX* ctx)
{
// OpenSSL already checked the certificate again the certificate store for
// us, and tells the result of that in the ok parameter.
// If the verification succeeded, no need for any further checks. Let's
// proceed with the connection.
if (ok)
return ok;
// The certificate verification failed. Signal this to the BSecureSocket.
// First of all, get the affected BSecureSocket
SSL* ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
BSecureSocket* socket = (BSecureSocket*)SSL_get_ex_data(ssl, sDataIndex);
// Get the certificate that we could not validate (this may not be the one
// we got from the server, but something higher up in the certificate
// chain)
X509* x509 = X509_STORE_CTX_get_current_cert(ctx);
BCertificate::Private* certificate
= new(std::nothrow) BCertificate::Private(x509);
if (certificate == NULL)
return 0;
int error = X509_STORE_CTX_get_error(ctx);
const char* message = X509_verify_cert_error_string(error);
// Let the BSecureSocket (or subclass) decide if we should continue anyway.
BCertificate failedCertificate(certificate);
return socket->CertificateVerificationFailed(failedCertificate, message);
}
static int certificate_verify_callback(int preverify_ok, X509_STORE_CTX * ctx) {
char fnm[FILE_PATH_SIZE];
DIR * dir = NULL;
int err = 0;
int found = 0;
snprintf(fnm, sizeof(fnm), "%s/ssl", tcf_dir);
if (!err && (dir = opendir(fnm)) == NULL) err = errno;
while (!err && !found) {
int l = 0;
X509 * cert = NULL;
FILE * fp = NULL;
struct dirent * ent = readdir(dir);
if (ent == NULL) break;
l = strlen(ent->d_name);
if (l < 5 || strcmp(ent->d_name + l -5 , ".cert") != 0) continue;
snprintf(fnm, sizeof(fnm), "%s/ssl/%s", tcf_dir, ent->d_name);
if (!err && (fp = fopen(fnm, "r")) == NULL) err = errno;
if (!err && (cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL) err = set_ssl_errno();
if (!err && fclose(fp) != 0) err = errno;
if (!err && X509_cmp(X509_STORE_CTX_get_current_cert(ctx), cert) == 0) found = 1;
}
if (dir != NULL && closedir(dir) < 0 && !err) err = errno;
if (err) trace(LOG_ALWAYS, "Cannot read certificate %s: %s", fnm, errno_to_str(err));
else if (!found) trace(LOG_ALWAYS, "Authentication failure: invalid certificate");
return err == 0 && found;
}
int
tls_session_verify_dn(X509_STORE_CTX *ctx)
{
SSL *ssl = X509_STORE_CTX_get_app_data(ctx);
TLSSession *self = SSL_get_app_data(ssl);
gboolean match = FALSE;
GList *current_dn = self->ctx->trusted_dn_list;
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
GString *dn;
if (!current_dn || !cert)
return TRUE;
dn = g_string_sized_new(128);
tls_x509_format_dn(X509_get_subject_name(cert), dn);
do
{
if (g_pattern_match_simple((const gchar *) current_dn->data, dn->str))
{
match = TRUE;
break;
}
}
while ((current_dn = g_list_next(current_dn)) != NULL);
return match;
}
int OsSSL::verifyCallback(int valid, // validity so far from openssl
X509_STORE_CTX* store // certificate information db
)
{
X509* cert = X509_STORE_CTX_get_current_cert(store);
if (valid)
{
// apply any additional logic we want
}
else
{
// log the details of why openssl thinks this is not valid
char issuer[256];
char subject[256];
X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer));
X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));
OsSysLog::add(FAC_KERNEL, PRI_ERR,
"OsSSL::verifyCallback invalid certificate at depth %d\n"
" error='%s'\n"
" issuer='%s'\n"
" subject='%s'",
X509_STORE_CTX_get_error_depth(store),
X509_verify_cert_error_string(X509_STORE_CTX_get_error(store)),
issuer, subject);
}
return valid;
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
printf("*** Verify callback function called\n");
char buf[256];
X509 *err_cert;
int err, depth;
SSL *ssl;
err_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
/*
* Retrieve the pointer to the SSL of the connection currently treated
* and the application specific data stored into the SSL object.
*/
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
//mydata = SSL_get_ex_data(ssl, mydata_index);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
/*
* Catch a too long certificate chain. The depth limit set using
* SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
* that whenever the "depth>verify_depth" condition is met, we
* have violated the limit and want to log this error condition.
* We must do it here, because the CHAIN_TOO_LONG error would not
* be found explicitly; only errors introduced by cutting off the
* additional certificates would be logged.
*/
#if 0
if (depth > mydata->verify_depth) {
preverify_ok = 0;
err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
X509_STORE_CTX_set_error(ctx, err);
}
#endif
if (!preverify_ok) {
printf("verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf);
}
printf("depth=%d:%s\n", depth, buf);
/*
* At this point, err contains the last verification error. We can use
* it for something special
*/
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
printf("issuer= %s\n", buf);
}
#if 0
if (mydata->always_continue)
return 1;
else
#endif
return preverify_ok;
}
int verify_callback(int ok, X509_STORE_CTX *store)
{
char data[256];
/*
* succeeds if ok <> 0
* Only intervene if failed
*/
if (!ok) {
// ok = 0
X509 *cert = X509_STORE_CTX_get_current_cert(store);
int depth = X509_STORE_CTX_get_error_depth(store);
int err = X509_STORE_CTX_get_error(store);
fprintf(stderr, "-Error with certificate at depth: %d\n", depth);
X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
fprintf(stderr, " issuer = %s\n", data);
X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
fprintf(stderr, " subject = %s\n", data);
fprintf(stderr, " err %i:%s\n", err, X509_verify_cert_error_string(err));
}
return ok;
}
NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) {
X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
X509_OBJECT obj;
#if OPENSSL_VERSION_NUMBER>=0x10000000L
STACK_OF(X509) *sk;
int i;
sk=X509_STORE_get1_certs(callback_ctx, X509_get_subject_name(cert));
if(sk) {
for(i=0; i<sk_X509_num(sk); i++)
if(compare_pubkeys(cert, sk_X509_value(sk, i))) {
sk_X509_pop_free(sk, X509_free);
return 1; /* accept */
}
sk_X509_pop_free(sk, X509_free);
}
#endif
/* pre-1.0.0 API only returns a single matching certificate */
if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
X509_get_subject_name(cert), &obj)==1 &&
compare_pubkeys(cert, obj.data.x509))
return 1; /* accept */
s_log(LOG_WARNING,
"CERT: Certificate not found in local repository");
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED);
return 0; /* reject */
}
NOEXPORT int verify_checks(int preverify_ok, X509_STORE_CTX *callback_ctx) {
X509 *cert;
int depth;
char *subject;
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
depth=X509_STORE_CTX_get_error_depth(callback_ctx);
subject=X509_NAME2text(X509_get_subject_name(cert));
s_log(LOG_DEBUG, "Verification started at depth=%d: %s", depth, subject);
if(!cert_check(callback_ctx, preverify_ok)) {
s_log(LOG_WARNING, "Rejected by CERT at depth=%d: %s", depth, subject);
str_free(subject);
return 0; /* reject */
}
if(!crl_check(callback_ctx)) {
s_log(LOG_WARNING, "Rejected by CRL at depth=%d: %s", depth, subject);
str_free(subject);
return 0; /* reject */
}
#ifndef OPENSSL_NO_OCSP
if(!ocsp_check(callback_ctx)) {
s_log(LOG_WARNING, "Rejected by OCSP at depth=%d: %s", depth, subject);
str_free(subject);
return 0; /* reject */
}
#endif /* !defined(OPENSSL_NO_OCSP) */
s_log(depth ? LOG_INFO : LOG_NOTICE,
"Certificate accepted at depth=%d: %s", depth, subject);
str_free(subject);
return 1; /* accept */
}
bool SslConnection::verifyCertificate(bool preverified, ssl::verify_context &context)
{
char subjectName[256];
auto cert = X509_STORE_CTX_get_current_cert(context.native_handle());
X509_NAME_oneline(X509_get_subject_name(cert), subjectName, 256);
return preverified;
}
/**
* Check if X509Cert is signed by trusted issuer
* @return 0 or openssl error_code. Get human readable cause with X509_verify_cert_error_string(code)
* @throw IOException if error
*/
int digidoc::X509Cert::verify() const throw(IOException)
{
X509_STORE_CTX *csc = X509_STORE_CTX_new(); X509_STORE_CTX_scope csct(&csc);
if (!csc)
THROW_IOEXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error()));
X509_STORE *store = digidoc::X509CertStore::getInstance()->getCertStore();
X509* x = getX509(); X509_scope xt(&x);
if(!X509_STORE_CTX_init(csc, store, x, NULL))
THROW_IOEXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error()));
int ok = X509_verify_cert(csc);
if(!ok)
{
int err = X509_STORE_CTX_get_error(csc);
X509Cert cause(X509_STORE_CTX_get_current_cert (csc));
std::ostringstream s;
s << "Unable to verify " << cause.getSubject();
s << ". Cause: " << X509_verify_cert_error_string(err);
switch(err)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
{
IOException e(__FILE__, __LINE__, s.str());
e.setCode( Exception::CertificateIssuerMissing );
throw e;
break;
}
default: THROW_IOEXCEPTION(s.str().c_str()); break;
}
}
return ok;
}
static int swSSL_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
#if 0
char *subject, *issuer;
int err, depth;
X509 *cert;
X509_NAME *sname, *iname;
X509_STORE_CTX_get_ex_data(x509_store, SSL_get_ex_data_X509_STORE_CTX_idx());
cert = X509_STORE_CTX_get_current_cert(x509_store);
err = X509_STORE_CTX_get_error(x509_store);
depth = X509_STORE_CTX_get_error_depth(x509_store);
sname = X509_get_subject_name(cert);
subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
iname = X509_get_issuer_name(cert);
issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
swWarn("verify:%d, error:%d, depth:%d, subject:\"%s\", issuer:\"%s\"", ok, err, depth, subject, issuer);
if (sname)
{
OPENSSL_free(subject);
}
if (iname)
{
OPENSSL_free(issuer);
}
#endif
return 1;
}
static int
OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
SSL *ssl;
int n;
struct lws *wsi;
union lws_tls_cert_info_results ir;
X509 *topcert = X509_STORE_CTX_get_current_cert(x509_ctx);
ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
/*
* !!! nasty openssl requires the index to come as a library-scope
* static
*/
wsi = SSL_get_ex_data(ssl, openssl_websocket_private_data_index);
n = lws_tls_openssl_cert_info(topcert, LWS_TLS_CERT_INFO_COMMON_NAME,
&ir, sizeof(ir.ns.name));
if (!n)
lwsl_info("%s: client cert CN '%s'\n", __func__, ir.ns.name);
else
lwsl_info("%s: couldn't get client cert CN\n", __func__);
n = wsi->vhost->protocols[0].callback(wsi,
LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION,
x509_ctx, ssl, preverify_ok);
/* convert return code from 0 = OK to 1 = OK */
return !n;
}
int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx)
{
char buf[CCERT_BUFSIZ];
X509 *cert;
int err;
int depth;
int max_depth;
SSL *con;
TLS_SESS_STATE *TLScontext;
/* May be NULL as of OpenSSL 1.0, thanks for the API change! */
cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
TLScontext = SSL_get_ex_data(con, TLScontext_index);
depth = X509_STORE_CTX_get_error_depth(ctx);
/* Don't log the internal root CA unless there's an unexpected error. */
if (ok && TLScontext->tadepth > 0 && depth > TLScontext->tadepth)
return (1);
/*
* Certificate chain depth limit violations are mis-reported by the
* OpenSSL library, from SSL_CTX_set_verify(3):
*
* The certificate verification depth set with SSL[_CTX]_verify_depth()
* stops the verification at a certain depth. The error message produced
* will be that of an incomplete certificate chain and not
* X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
*
* We set a limit that is one higher than the user requested limit. If this
* higher limit is reached, we raise an error even a trusted root CA is
* present at this depth. This disambiguates trust chain truncation from
* an incomplete trust chain.
*/
max_depth = SSL_get_verify_depth(con) - 1;
/*
* We never terminate the SSL handshake in the verification callback,
* rather we allow the TLS handshake to continue, but mark the session as
* unverified. The application is responsible for closing any sessions
* with unverified credentials.
*/
if (max_depth >= 0 && depth > max_depth) {
X509_STORE_CTX_set_error(ctx, err = X509_V_ERR_CERT_CHAIN_TOO_LONG);
ok = 0;
}
if (ok == 0)
update_error_state(TLScontext, depth, cert, err);
if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
if (cert)
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
else
strcpy(buf, "<unknown>");
msg_info("%s: depth=%d verify=%d subject=%s",
TLScontext->namaddr, depth, ok, printable(buf, '?'));
}
return (1);
}
int _mosquitto_server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
{
/* Preverify should have already checked expiry, revocation.
* We need to verify the hostname. */
struct mosquitto *mosq;
SSL *ssl;
X509 *cert;
/* Always reject if preverify_ok has failed. */
if(!preverify_ok) return 0;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
mosq = SSL_get_ex_data(ssl, tls_ex_index_mosq);
if(!mosq) return 0;
if(mosq->tls_insecure == false){
if(X509_STORE_CTX_get_error_depth(ctx) == 0){
/* FIXME - use X509_check_host() etc. for sufficiently new openssl (>=1.1.x) */
cert = X509_STORE_CTX_get_current_cert(ctx);
/* This is the peer certificate, all others are upwards in the chain. */
#if defined(WITH_BROKER)
return _mosquitto_verify_certificate_hostname(cert, mosq->bridge->addresses[mosq->bridge->cur_address].address);
#else
return _mosquitto_verify_certificate_hostname(cert, mosq->host);
#endif
}else{
return preverify_ok;
}
}else{
return preverify_ok;
}
}
static int my_verify_callback(int ok, X509_STORE_CTX *ctx)
{
X509 *check_cert;
SSL *ssl;
MYSQL *mysql;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
mysql= (MYSQL *)SSL_get_app_data(ssl);
/* skip verification if no ca_file/path was specified */
if (!mysql->options.ssl_ca && !mysql->options.ssl_capath)
{
ok= 1;
return 1;
}
if (!ok)
{
uint depth;
if (!(check_cert= X509_STORE_CTX_get_current_cert(ctx)))
return 0;
depth= X509_STORE_CTX_get_error_depth(ctx);
if (depth == 0)
ok= 1;
}
return ok;
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
int ret = preverify_ok;
/* determine the status for the current cert */
X509_STORE_CTX_get_current_cert(ctx);
int err = X509_STORE_CTX_get_error(ctx);
int depth = X509_STORE_CTX_get_error_depth(ctx);
/* conjure the stream & context to use */
SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
SSLSocket *stream =
(SSLSocket*)SSL_get_ex_data(ssl, SSLSocket::GetSSLExDataIndex());
/* if allow_self_signed is set, make sure that verification succeeds */
if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT &&
stream->getContext()["allow_self_signed"].toBoolean()) {
ret = 1;
}
/* check the depth */
Variant vdepth = stream->getContext()["verify_depth"];
if (vdepth.toBoolean() && depth > vdepth.toInt64()) {
ret = 0;
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_CHAIN_TOO_LONG);
}
return ret;
}
/* This callback is called for every certificate in a chain. ok is true if
OpenSSL's internal verification has verified the certificate. We don't change
anything about the verification, we only need access to the certificates to
provide diagnostics. */
static int verify_callback(int ok, X509_STORE_CTX *store)
{
X509 *cert = X509_STORE_CTX_get_current_cert(store);
int err = X509_STORE_CTX_get_error(store);
/* Print the subject, issuer, and fingerprint depending on the verbosity
level. */
if ((!ok && o.verbose) || o.debug > 1) {
char digest_buf[SHA1_STRING_LENGTH + 1];
loguser("Subject: ");
X509_NAME_print_ex_fp(stderr, X509_get_subject_name(cert), 0, XN_FLAG_COMPAT);
loguser_noprefix("\n");
loguser("Issuer: ");
X509_NAME_print_ex_fp(stderr, X509_get_issuer_name(cert), 0, XN_FLAG_COMPAT);
loguser_noprefix("\n");
assert(ssl_cert_fp_str_sha1(cert, digest_buf, sizeof(digest_buf)) != NULL);
loguser("SHA-1 fingerprint: %s\n", digest_buf);
}
if (!ok && o.verbose) {
loguser("Certificate verification failed (%s).\n",
X509_verify_cert_error_string(err));
}
return ok;
}
extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
{
// if the pre verification has failed, then don't bother validating via ruby
if (preverify_ok != 1) {
return preverify_ok;
}
unsigned long binding;
X509 *cert;
SSL *ssl;
BUF_MEM *buf;
BIO *out;
int result;
cert = X509_STORE_CTX_get_current_cert(ctx);
ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
binding = (unsigned long) SSL_get_ex_data(ssl, 0);
out = BIO_new(BIO_s_mem());
PEM_write_bio_X509(out, cert);
BIO_write(out, "\0", 1);
BIO_get_mem_ptr(out, &buf);
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
BUF_MEM_free(buf);
return result;
}
static int verify_callback(int ok, X509_STORE_CTX *store) {
SSL *ssl;
struct stream_fd *sfd;
struct packet_stream *ps;
struct call_media *media;
ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
sfd = SSL_get_app_data(ssl);
if (sfd->dtls.ssl != ssl)
return 0;
ps = sfd->stream;
if (!ps)
return 0;
if (PS_ISSET(ps, FINGERPRINT_VERIFIED))
return 1;
media = ps->media;
if (!media)
return 0;
if (ps->dtls_cert)
X509_free(ps->dtls_cert);
ps->dtls_cert = X509_dup(X509_STORE_CTX_get_current_cert(store));
if (!media->fingerprint.hash_func)
return 1; /* delay verification */
if (dtls_verify_cert(ps))
return 0;
return 1;
}
int
verify_callback(int ok, X509_STORE_CTX * ctx)
{
X509 *err_cert;
int err, depth;
err_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
BIO_printf(bio_err, "depth=%d ", depth);
if (err_cert) {
X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
} else
BIO_puts(bio_err, "<no cert>\n");
if (!ok) {
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err));
if (verify_depth >= depth) {
if (!verify_return_error)
ok = 1;
verify_error = X509_V_OK;
} else {
ok = 0;
verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
}
}
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
BIO_puts(bio_err, "issuer= ");
X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
BIO_printf(bio_err, "notBefore=");
ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
BIO_printf(bio_err, "notAfter=");
ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
policies_print(bio_err, ctx);
break;
}
if (err == X509_V_OK && ok == 2)
policies_print(bio_err, ctx);
BIO_printf(bio_err, "verify return:%d\n", ok);
return (ok);
}
/*****************************************************************************************
* Authorization routines
*****************************************************************************************/
int ossl_verify_cb (int ok, X509_STORE_CTX *ctx)
{
int cert_error = X509_STORE_CTX_get_error(ctx);
X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
EST_LOG_INFO("enter function: ok=%d cert_error=%d", ok, cert_error);
if (!ok) {
if (current_cert) {
X509_NAME_print_ex_fp(stdout,
X509_get_subject_name(current_cert),
0, XN_FLAG_ONELINE);
printf("\n");
}
EST_LOG_INFO("%serror %d at %d depth lookup: %s",
X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
cert_error,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(cert_error));
switch (cert_error) {
case X509_V_ERR_UNABLE_TO_GET_CRL:
/*
* We've enabled CRL checking in the TLS stack. If
* the application hasn't loaded a CRL, then this
* verify error can occur. The peer's cert is valid,
* but we can't confirm if it was revoked. We'll
* warn the application.
*/
EST_LOG_WARN("No CRL loaded, TLS peer will be allowed.");
ok = 1;
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
case X509_V_ERR_CERT_HAS_EXPIRED:
/* since we are just checking the certificates, it is
* ok if they are self signed. But we should still warn
* the user.
*/
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
/* Continue after extension errors too */
case X509_V_ERR_INVALID_CA:
case X509_V_ERR_INVALID_NON_CA:
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_PURPOSE:
case X509_V_ERR_CRL_HAS_EXPIRED:
case X509_V_ERR_CRL_NOT_YET_VALID:
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
case X509_V_ERR_CERT_REVOKED:
default:
EST_LOG_WARN("Certificate verify failed (reason=%d)",
cert_error);
break;
}
return ok;
}
return (ok);
}
int _qvd_verify_cert_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
SSL *ssl;
SSL_CTX *sslctx;
qvdclient *qvd ;
ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
sslctx = SSL_get_SSL_CTX(ssl);
qvd = SSL_CTX_get_ex_data(sslctx, _qvd_ssl_index);
X509 *cert = X509_STORE_CTX_get_current_cert(x509_ctx);
int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
int err = X509_STORE_CTX_get_error(x509_ctx);
/* save the certificate by incrementing the reference count and
* keeping a pointer */
if (depth < MAX_CERTS && !certificate[depth]) {
certificate[depth] = cert;
certificate_error[depth] = err;
cert->references++;
}
/* See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html# */
if (preverify_ok)
{
qvd_printf("_qvd_verify_cert_callback: Certificate was validated\n");
return preverify_ok;
}
if (qvd->ssl_verify_callback == NULL)
{
qvd_printf("_qvd_verify_cert_callback: No callback specified returning false (specify if you wissh callbacks for unknown certs with qvd_set_unknown_cert_callback)\n");
return 0;
}
BIO *bio_out = BIO_new(BIO_s_mem());
BUF_MEM *biomem;
int result;
PEM_write_bio_X509(bio_out, certificate[depth]);
BIO_get_mem_ptr(bio_out, &biomem);
char cert_info[1024];
char issuer[256], subject[256];
X509_NAME_oneline(X509_get_issuer_name(certificate[depth]), issuer, 256);
X509_NAME_oneline(X509_get_subject_name(certificate[depth]), subject, 256);
snprintf(cert_info, 1023, "Serial: %lu\n\nIssuer: %s\n\nValidity:\n\tNot before: %s\n\tNot after: %s\n\nSubject: %s\n",
ASN1_INTEGER_get(X509_get_serialNumber(certificate[depth])), issuer,
X509_get_notBefore(certificate[depth])->data, X509_get_notAfter(cert)->data, subject);
cert_info[1023] = '\0';
result = qvd->ssl_verify_callback(qvd, cert_info, biomem->data);
if (result)
{
_qvd_save_certificate(qvd, certificate[depth], depth, biomem);
}
BIO_free(bio_out);
return result;
}
static bool verify_certificate(bool preverified, boost::asio::ssl::verify_context& ctx, log::logger_t& lg)
{
// In this example we will simply print the certificate's subject name.
char subject_name[256];
X509* cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
X509_NAME_oneline(X509_get_subject_name(cert), subject_name, 256);
//GCE_INFO(lg) << "Verifying " << subject_name;
return preverified;
}
static
int cert_verify_callback( int ok, X509_STORE_CTX *ctx ) {
X509 *err_cert;
char buf[256];
err_cert = X509_STORE_CTX_get_current_cert( ctx );
X509_NAME_oneline( X509_get_subject_name( err_cert ), buf, sizeof( buf ) );
return ok;
}
static VALUE
ossl_x509stctx_get_curr_cert(VALUE self)
{
X509_STORE_CTX *ctx;
GetX509StCtx(self, ctx);
return ossl_x509_new(X509_STORE_CTX_get_current_cert(ctx));
}
bool bdoc::X509Cert::verify(X509_STORE* aStore, struct tm* tm) const
{
if (aStore == NULL) {
THROW_STACK_EXCEPTION("Invalid argument to verify");
}
X509_STORE* store = aStore;
X509_STORE** ppStore = NULL;
X509_STORE_scope xst(ppStore);
X509_STORE_CTX *csc = X509_STORE_CTX_new();
X509_STORE_CTX_scope csct(&csc);
if (csc == NULL) {
THROW_STACK_EXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error()));
}
X509* x = getX509();
X509_scope xt(&x);
if (!X509_STORE_CTX_init(csc, store, x, NULL)) {
THROW_STACK_EXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error()));
}
if (tm != NULL) {
time_t t = timegm(tm);
if (t == -1) {
THROW_STACK_EXCEPTION("Given time cannot be represented as calendar time");
}
X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(csc);
if (param == NULL) {
THROW_STACK_EXCEPTION("Failed to retrieve X509_STORE_CTX verification parameters %s",
ERR_reason_error_string(ERR_get_error()));
}
X509_VERIFY_PARAM_set_time(param, t);
}
int ok = X509_verify_cert(csc);
if (ok != 1) {
int err = X509_STORE_CTX_get_error(csc);
X509Cert cause(X509_STORE_CTX_get_current_cert (csc));
std::ostringstream s;
s << "Unable to verify " << cause.getSubject();
s << ". Cause: " << X509_verify_cert_error_string(err);
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
{
THROW_STACK_EXCEPTION("Certificate issuer missing: %s", s.str().c_str());
}
default: THROW_STACK_EXCEPTION(s.str().c_str()); break;
}
}
return (ok == 1);
}
