Example #1
0
// Verify the signed block, the first 32 bytes of the data must be the certificate hash to work.
int __fastcall util_verify(char* signature, int signlen, struct util_cert* cert, char** data)
{
	unsigned int size, r;
	BIO *out = NULL;
	PKCS7 *message = NULL;
	char* data2 = NULL;
	char hash[UTIL_HASHSIZE];
	STACK_OF(X509) *st = NULL;

	cert->x509 = NULL;
	cert->pkey = NULL;
	*data = NULL;
	message = d2i_PKCS7(NULL, (const unsigned char**)&signature, signlen);
	if (message == NULL) goto error;
	out = BIO_new(BIO_s_mem());

	// Lets rebuild the original message and check the size
	size = i2d_PKCS7(message, NULL);
	if (size < (unsigned int)signlen) goto error;

	// Check the PKCS7 signature, but not the certificate chain.
	r = PKCS7_verify(message, NULL, NULL, NULL, out, PKCS7_NOVERIFY);
	if (r == 0) goto error;

	// If data block contains less than 32 bytes, fail.
	size = BIO_get_mem_data(out, &data2);
	if (size <= UTIL_HASHSIZE) goto error;

	// Copy the data block
	*data = (char*)malloc(size + 1);
	if (*data == NULL) goto error;
	memcpy(*data, data2, size);
	(*data)[size] = 0;

	// Get the certificate signer
	st = PKCS7_get0_signers(message, NULL, PKCS7_NOVERIFY);
	cert->x509 = X509_dup(sk_X509_value(st, 0));
	sk_X509_free(st);

	// Get a full certificate hash of the signer
	r = UTIL_HASHSIZE;
	X509_digest(cert->x509, EVP_sha256(), (unsigned char*)hash, &r);

	// Check certificate hash with first 32 bytes of data.
	if (memcmp(hash, *data, UTIL_HASHSIZE) != 0) goto error;

	// Approved, cleanup and return.
	BIO_free(out);
	PKCS7_free(message);

	return size;

error:
	if (out != NULL) BIO_free(out);
	if (message != NULL) PKCS7_free(message);
	if (*data != NULL) free(*data);
	if (cert->x509 != NULL) { X509_free(cert->x509); cert->x509 = NULL; }

	return 0;
}
Example #2
0
static int verify_callback(int ok, X509_STORE_CTX *store) {
	SSL *ssl;
	struct stream_fd *sfd;
	struct packet_stream *ps;
	struct call_media *media;

	ssl = X509_STORE_CTX_get_ex_data(store, SSL_get_ex_data_X509_STORE_CTX_idx());
	sfd = SSL_get_app_data(ssl);
	if (sfd->dtls.ssl != ssl)
		return 0;
	ps = sfd->stream;
	if (!ps)
		return 0;
	if (PS_ISSET(ps, FINGERPRINT_VERIFIED))
		return 1;
	media = ps->media;
	if (!media)
		return 0;

	if (ps->dtls_cert)
		X509_free(ps->dtls_cert);
	ps->dtls_cert = X509_dup(X509_STORE_CTX_get_current_cert(store));

	if (!media->fingerprint.hash_func)
		return 1; /* delay verification */

	if (dtls_verify_cert(ps))
		return 0;
	return 1;
}
Example #3
0
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{
	CryptoCert cert;
	X509* remote_cert;

	if (peer)
		remote_cert = SSL_get_peer_certificate(tls->ssl);
	else
		remote_cert = X509_dup( SSL_get_certificate(tls->ssl) );

	if (!remote_cert)
	{
		WLog_ERR(TAG, "failed to get the server TLS certificate");
		return NULL;
	}

	cert = malloc(sizeof(*cert));
	if (!cert)
	{
		X509_free(remote_cert);
		return NULL;
	}

	cert->px509 = remote_cert;
	return cert;
}
Example #4
0
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{
	CryptoCert cert;
	X509* remote_cert;
	STACK_OF(X509) *chain;

	if (peer)
		remote_cert = SSL_get_peer_certificate(tls->ssl);
	else
		remote_cert = X509_dup(SSL_get_certificate(tls->ssl));

	if (!remote_cert)
	{
		WLog_ERR(TAG, "failed to get the server TLS certificate");
		return NULL;
	}

	cert = malloc(sizeof(*cert));

	if (!cert)
	{
		X509_free(remote_cert);
		return NULL;
	}

	cert->px509 = remote_cert;
	/* Get the peer's chain. If it does not exist, we're setting NULL (clean data either way) */
	chain = SSL_get_peer_cert_chain(tls->ssl);
	cert->px509chain = chain;
	return cert;
}
Example #5
0
static int ssl_cache_trusted_cert (X509 *c)
{
        dprint (1, (debugfile, "trusted: %s\n", c->name));
        if (!SslSessionCerts)
                SslSessionCerts = sk_X509_new_null();
        return (sk_X509_push (SslSessionCerts, X509_dup(c)));
}
Example #6
0
static CryptoCert tls_get_certificate(rdpTls* tls, BOOL peer)
{
	CryptoCert cert;
	X509* remote_cert;

	if (peer)
		remote_cert = SSL_get_peer_certificate(tls->ssl);
	else
		remote_cert = X509_dup( SSL_get_certificate(tls->ssl) );

	if (!remote_cert)
	{
		DEBUG_WARN( "%s: failed to get the server TLS certificate\n", __FUNCTION__);
		return NULL;
	}

	cert = malloc(sizeof(*cert));
	if (!cert)
	{
		X509_free(remote_cert);
		return NULL;
	}

	cert->px509 = remote_cert;
	return cert;
}
Example #7
0
      static ::X509 *dup(const ::X509 *x509)
      {
	if (x509)
	  return X509_dup(const_cast< ::X509 * >(x509));
	else
	  return NULL;
      }
Example #8
0
File: ssl.c Project: darnir/neomutt
/**
 * ssl_cache_trusted_cert - Cache a trusted certificate
 * @param c Certificate
 * @retval >0 Number of elements in the cache
 * @retval  0 Error
 */
static int ssl_cache_trusted_cert(X509 *c)
{
  mutt_debug(LL_DEBUG1, "trusted\n");
  if (!SslSessionCerts)
    SslSessionCerts = sk_X509_new_null();
  return sk_X509_push(SslSessionCerts, X509_dup(c));
}
LLBasicCertificate::LLBasicCertificate(X509* pCert) 
{
	if (!pCert || !pCert->cert_info)
	{
		throw LLInvalidCertificate(this);
	}	
	mCert = X509_dup(pCert);
}
Certificate& Certificate::operator=(const Certificate& cert)
{
	if(cert.ssl_cert != NULL)
		ssl_cert = X509_dup(cert.ssl_cert);
	else
		ssl_cert = NULL;

	return *this;
}
Example #11
0
X509* bdoc::X509Cert::copyX509(X509* cert)
{
	X509* copy = X509_dup(cert);
	if (copy == NULL) {
		THROW_STACK_EXCEPTION("Failed to copy X509 certificate: %s", ERR_reason_error_string(ERR_get_error()));
	}

	return copy;
}
Example #12
0
pki_x509 *pki_pkcs7::getCert(int x)
{
	pki_x509 *cert;
	cert = new pki_x509(X509_dup(sk_X509_value(getCertStack(), x)));
	openssl_error();
	cert->autoIntName();
	cert->pkiSource = imported;
	return cert;
}
Example #13
0
Certificate* Pkcs12::getCertificate(string password) throw(Pkcs12Exception)
{
	if(this->privKey == NULL)
	{
		this->parse(password);
	}
	
	return new Certificate(X509_dup(this->cert->getX509()));
}
Example #14
0
void SSLConnect::setToken( const QSslCertificate &cert, Qt::HANDLE key )
{
	if( !d->ssl )
		return d->setError( tr("SSL context is missing") );
	if( cert.isNull() )
		return d->setError( tr("Certificate is empty") );
	if( !SSL_use_certificate( d->ssl, X509_dup( (X509*)cert.handle() ) ) ||
		!SSL_use_PrivateKey( d->ssl, (EVP_PKEY*)key ) )
		d->setError();
}
Example #15
0
/**
 * Creates a copy of the X509 certificate.
 *
 * @param cert X509 certificate to be copied.
 * @return returns copy of X509.
 * @throws IOException throws exception if the X509 cert structure copy fails.
 */
X509* digidoc::X509Cert::copyX509(X509* cert) throw(IOException)
{
    X509* copy = X509_dup(cert);
    if(copy == NULL)
    {
        THROW_IOEXCEPTION("Failed to copy X509 certificate: %s", ERR_reason_error_string(ERR_get_error()));
    }

    return copy;
}
Example #16
0
X509* DsaCa_SignCertificate(DsaCa ca, X509* cert_in)
{
  CHECK_CALL(X509_verify(cert_in, DsaParams_GetEaPublicKey(ca->params)));
  CHECK_CALL(cert_in);
  X509* cert_out = X509_dup(cert_in);
  CHECK_CALL(cert_out);

  CHECK_CALL(X509_sign(cert_in, DsaParams_GetCaPrivateKey(ca->params), EVP_sha1()));
  
  return cert_out;
}
Example #17
0
static int
lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
                const char *CAfile, const char *CRLfile)
{
    X509			*x509;
    X509			*x509_tmp;
    X509			*x509_tmp2;
    STACK_OF(X509)		*x509_chain;
    const unsigned char    	*d2i;
    size_t			i;
    int			ret = 0;
    const char		*errstr;

    x509 = NULL;
    x509_tmp = NULL;
    x509_chain = NULL;

    d2i = vrfy->cert;
    if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) {
        x509 = NULL;
        goto end;
    }

    if (vrfy->n_chain) {
        x509_chain = sk_X509_new_null();
        for (i = 0; i < vrfy->n_chain; ++i) {
            d2i = vrfy->chain_cert[i];
            if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) {
                x509_tmp = NULL;
                goto end;
            }

            if ((x509_tmp2 = X509_dup(x509_tmp)) == NULL)
                goto end;
            sk_X509_insert(x509_chain, x509_tmp2, i);
            x509_tmp = x509_tmp2 = NULL;
        }
    }
    if (! ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
        log_debug("debug: lka: X509 verify: %s", errstr);
    else
        ret = 1;

end:
    if (x509)
        X509_free(x509);
    if (x509_tmp)
        X509_free(x509_tmp);
    if (x509_chain)
        sk_X509_pop_free(x509_chain, X509_free);

    return ret;
}
Example #18
0
pki_x509 *pki_pkcs12::getCa(int x) {
	pki_x509 *cert = NULL;
	X509 *crt = X509_dup(sk_X509_value(certstack, x));
	if (crt) {
		cert = new pki_x509(crt);
		if (alias.isEmpty()) {
			cert->autoIntName();
		} else {
			cert->setIntName(QString(alias + "_ca_%1").arg(x));
		}
	}
	openssl_error();
	return cert;
}
std::vector<Certificate *> Pkcs7SignedData::getCertificates()
{
	std::vector<Certificate *> ret;
	int i, num;
	X509 *oneCertificate;
	Certificate *certificate;
	num = sk_X509_num(this->pkcs7->d.sign->cert);
	for (i=0;i<num;i++)
	{
		oneCertificate = sk_X509_value(this->pkcs7->d.sign->cert, i);
		certificate = new Certificate(X509_dup(oneCertificate));
		ret.push_back(certificate);
	}
	return ret;
}
X509 *
pkcs11h_openssl_session_getX509 (
	IN const pkcs11h_openssl_session_t openssl_session
) {
	X509 *x509 = NULL;
	PKCS11H_BOOL ok = FALSE;

	_PKCS11H_ASSERT (openssl_session!=NULL);

	_PKCS11H_DEBUG (
		PKCS11H_LOG_DEBUG2,
		"PKCS#11: pkcs11h_openssl_session_getX509 - entry openssl_session=%p",
		(void *)openssl_session
	);

	if (
		openssl_session->x509 == NULL &&
		(openssl_session->x509 = pkcs11h_openssl_getX509 (openssl_session->certificate)) == NULL
	) {
		_PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get certificate object");
		goto cleanup;
	}

	if ((x509 = X509_dup (openssl_session->x509)) == NULL) {
		_PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot duplicate certificate object");
		goto cleanup;
	}

	ok = TRUE;

cleanup:

	if (!ok) {
		if (x509 != NULL) {
			X509_free (x509);
			x509 = NULL;
		}
	}

	_PKCS11H_DEBUG (
		PKCS11H_LOG_DEBUG2,
		"PKCS#11: pkcs11h_openssl_session_getX509 - return x509=%p",
		(void *)x509
	);

	return x509;
}
Example #21
0
static SSLCertificate *ssl_certificate_new_lookup(X509 *x509_cert,
	const char *host, int port, int lookup)
{
	SSLCertificate *cert = g_new0(SSLCertificate, 1);

	if (host == NULL || x509_cert == NULL) {
		ssl_certificate_destroy(cert);
		return NULL;
	}
	cert->x509_cert = X509_dup(x509_cert);
	if (lookup)
		cert->host = get_fqdn(host, port);
	else
		cert->host = g_strdup(host);
	cert->port = port;
	return cert;
}
Example #22
0
bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){
	LOGGER_FN();

	try{
		LOGGER_OPENSSL(X509_STORE_CTX_new);
		X509_STORE_CTX *ctx = X509_STORE_CTX_new();
		if (!ctx) {
			THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx");
		}

		LOGGER_OPENSSL(X509_STORE_new);
		X509_STORE *st = X509_STORE_new();
		if (!st) {
			THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store");
		}

		for (int i = 0, c = chain->length(); i < c; i++){
			LOGGER_OPENSSL(X509_STORE_add_cert);
			X509_STORE_add_cert(st, X509_dup(chain->items(i)->internal()));
		}

		X509_CRL *xtempCRL = NULL;

		LOGGER_OPENSSL(X509_STORE_CTX_init);
		X509_STORE_CTX_init(ctx, st, chain->items(0)->internal(), chain->internal());

		LOGGER_OPENSSL(X509_STORE_CTX_set0_crls);
		X509_STORE_CTX_set0_crls(ctx, crls->internal());

		LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
		X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
		LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
		X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK_ALL);

		LOGGER_OPENSSL(X509_verify_cert);
		if (X509_verify_cert(ctx) <= 0){
			return false;
		}

		return true;
	}
	catch (Handle<Exception> e){
		THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)");
	}	
}
Example #23
0
X509 *
ssl_update_certificate(X509 *oldcert, EVP_PKEY *pkey, EVP_PKEY *capkey,
    X509 *cacert)
{
	char		 name[2][TLS_NAME_SIZE];
	X509		*cert = NULL;

	name[0][0] = name[1][0] = '\0';
	if (!X509_NAME_oneline(X509_get_subject_name(oldcert),
	    name[0], sizeof(name[0])) ||
	    !X509_NAME_oneline(X509_get_issuer_name(oldcert),
	    name[1], sizeof(name[1])))
		goto done;

	if ((cert = X509_dup(oldcert)) == NULL)
		goto done;

	/* Update certificate key and use our CA as the issuer */
	X509_set_pubkey(cert, pkey);
	X509_set_issuer_name(cert, X509_get_subject_name(cacert));

	/* Sign with our CA */
	if (!X509_sign(cert, capkey, EVP_sha1())) {
		X509_free(cert);
		cert = NULL;
	}

#if DEBUG_CERT
	log_debug("%s: subject %s", __func__, name[0]);
	log_debug("%s: issuer %s", __func__, name[1]);
#if DEBUG > 2
	X509_print_fp(stdout, cert);
#endif
#endif

 done:
	if (cert == NULL)
		ssl_error(__func__, name[0]);

	return (cert);
}
Example #24
0
std::vector<SmartcardCertificate *> SmartcardSlot::getCertificates()
		throw (SmartcardModuleException)
{
	PKCS11_CERT *certs;
	unsigned int i, j, ncerts;
	char *bufferId;
	std::string id, label, serial;
	int rc, k, emptySlots;
	std::vector<SmartcardCertificate *> ret;
	std::vector<SmartcardCertificate *>::iterator iter;
	emptySlots = 0;
	SmartcardCertificate *cert;

	rc = PKCS11_enumerate_certs(this->slot[0].token, &certs, &ncerts);
	if (rc < 0){
		for (iter=ret.begin();iter!=ret.end();iter++)
		{
			ret.erase(iter);
			delete *iter;
		}
		throw SmartcardModuleException(SmartcardModuleException::ENUMERATING_CERTIFICATES, "SmartcardSlot::getCertificates", true);
	}
	for (j=0;j<ncerts;j++)
	{
		bufferId = (char *)calloc((certs[j].id_len * 2) + 1, sizeof(char));
		for (k=0;k<certs[j].id_len;k++)
		{
			sprintf(&(bufferId[k*2]), "%02X", certs[i].id[k]);
		}
		id.append(bufferId);
		free(bufferId);
		label = certs[j].label;
		serial = this->slot[0].token->serialnr;
		cert = new SmartcardCertificate(id, label, serial, X509_dup(certs[j].x509));
		ret.push_back(cert);
	}
	return ret;
}
Example #25
0
int
x509_cert_insert(int id, void *scert)
{
	X509	*cert;
	int	 res;

	cert = X509_dup((X509 *)scert);
	if (!cert) {
		log_print("x509_cert_insert: X509_dup failed");
		return 0;
	}
	if (x509_generate_kn(id, cert) == 0) {
		LOG_DBG((LOG_POLICY, 50,
		    "x509_cert_insert: x509_generate_kn failed"));
		X509_free(cert);
		return 0;
	}

	res = x509_hash_enter(cert);
	if (!res)
		X509_free(cert);

	return res;
}
Example #26
0
u2fs_X509_t *dup_cert(const u2fs_X509_t * cert)
{
  return (u2fs_X509_t *) X509_dup((X509 *) cert);
}
// retrieve an openssl x509 object,
// which must be freed by X509_free
X509* LLBasicCertificate::getOpenSSLX509() const
{ 
	return X509_dup(mCert); 
}  
Example #28
0
void pki_pkcs12::addCaCert(pki_x509 *ca)
{
	if (!ca) return;
	sk_X509_push(certstack, X509_dup(ca->getCert()));
	openssl_error();
}
Example #29
0
bool SSLSocket::enableCrypto(bool activate /* = true */) {
  if (activate && !m_data->m_ssl_active) {
    double timeout = m_data->m_connect_timeout;
    bool blocked = m_data->m_is_blocked;
    if (!m_data->m_state_set) {
      if (m_data->m_client) {
        SSL_set_connect_state(m_data->m_handle);
      } else {
        SSL_set_accept_state(m_data->m_handle);
      }
      m_data->m_state_set = true;
    }

    if (m_data->m_client && setBlocking(false)) {
      m_data->m_is_blocked = false;
    }

    int n;
    bool retry = true;
    do {
      if (m_data->m_client) {
        struct timeval tvs, tve;
        struct timezone tz;

        gettimeofday(&tvs, &tz);
        n = SSL_connect(m_data->m_handle);
        gettimeofday(&tve, &tz);

        timeout -= (tve.tv_sec + (double) tve.tv_usec / 1000000) -
          (tvs.tv_sec + (double) tvs.tv_usec / 1000000);
        if (timeout < 0) {
          raise_warning("SSL: connection timeout");
          return -1;
        }
      } else {
        n = SSL_accept(m_data->m_handle);
      }

      if (n <= 0) {
        retry = handleError(n, true);
      } else {
        break;
      }
    } while (retry);

    if (m_data->m_client &&
        m_data->m_is_blocked != blocked &&
        setBlocking(blocked)) {
      m_data->m_is_blocked = blocked;
    }

    if (n == 1) {
      X509 *peer_cert = SSL_get_peer_certificate(m_data->m_handle);
      if (!applyVerificationPolicy(peer_cert)) {
        SSL_shutdown(m_data->m_handle);
      } else {
        m_data->m_ssl_active = true;

        /* allow the script to capture the peer cert
         * and/or the certificate chain */
        if (m_context[s_capture_peer_cert].toBoolean()) {
          m_context.set(s_peer_certificate,
                        Variant(makeSmartPtr<Certificate>(peer_cert)));
          peer_cert = nullptr;
        }

        if (m_context[s_capture_peer_cert_chain].toBoolean()) {
          Array arr;
          STACK_OF(X509) *chain = SSL_get_peer_cert_chain(m_data->m_handle);
          if (chain) {
            for (int i = 0; i < sk_X509_num(chain); i++) {
              X509 *mycert = X509_dup(sk_X509_value(chain, i));
              arr.append(Variant(makeSmartPtr<Certificate>(mycert)));
            }
          }
          m_context.set(s_peer_certificate_chain, arr);
        }
      }

      if (peer_cert) {
        X509_free(peer_cert);
      }
    } else  {
      n = errno == EAGAIN ? 0 : -1;
    }

    return n >= 0;

  } else if (!activate && m_data->m_ssl_active) {
    /* deactivate - common for server/client */
    SSL_shutdown(m_data->m_handle);
    m_data->m_ssl_active = false;
  }
  return true;
}
Example #30
0
void *
x509_cert_dup(void *scert)
{
	return X509_dup(scert);
}