int flash_validate_certificate(int signed_fd, int *data_fd) { int ret = 0; const char *cert_path; X509_STORE *store = NULL; CMS_ContentInfo *content_info; BIO *content; cert_path = fastboot_getvar("certificate-path"); if (!strcmp(cert_path, "")) { D(ERR, "could not find cert-key value in config file"); goto finish; } store = cert_store_from_path(cert_path); if (store == NULL) { D(ERR, "unable to create certification store"); goto finish; } if (cert_read(signed_fd, &content_info, &content)) { D(ERR, "reading data failed"); goto finish; } ret = cert_verify(content, content_info, store, data_fd); cert_release(content, content_info); return ret; finish: if (store != NULL) cert_release_store(store); return ret; }
int main (int argc, char **argv) { int arg_idx = 0; char *privcert_file = NULL; char *pubcert_file = NULL; char *priv_file = NULL; char *pub_file = NULL; char *priv_id = NULL; char *pub_id = NULL; char *label = DEFAULT_LABEL; dckey *priv = NULL; dckey *pub = NULL; cert *priv_cert = NULL; cert *pub_cert = NULL; printf("argc count is: %d\n", argc); if((argc < 7) || (argc > 8)) { printf("Invalid number of arguments!!!\n"); usage (argv[0], argc); } printf("argc value is: %d\n", argc); ri (); priv_file = argv[++arg_idx]; privcert_file = argv[++arg_idx]; priv_id = argv[++arg_idx]; pub_file = argv[++arg_idx]; pubcert_file = argv[++arg_idx]; pub_id = argv[++arg_idx]; if (argc - 2 == arg_idx) { /* there was a label */ label = argv[++arg_idx]; } pub_cert = pki_check(pubcert_file, pub_file, pub_id); /* check above won't return if something was wrong */ pub = pub_cert->public_key; if (!cert_verify (priv_cert = cert_read (privcert_file))) { printf ("%s: trouble reading certificate from %s, " "or certificate expired\n", getprogname (), privcert_file); perror (getprogname ()); exit (-1); } else if (!dcareequiv(pub_cert->issuer,priv_cert->issuer)) { printf ("%s: certificates issued by different CAs.\n", getprogname ()); printf ("\tOwn (%s's) certificate in %s\n", priv_id, privcert_file); printf ("\tOther (%s's) certificate in %s\n", pub_id, pubcert_file); } else { priv = priv_from_file (priv_file); nidh (priv, pub, priv_id, pub_id, label); } return 0; }
/* Verifies the validity of a certificate */ void pki_check(char *cert_file, char *pk_file, char *id) { cert *c = cert_read (cert_file); dckey *pk = pk_from_file (pk_file); if (!c) { printf ("Error reading the certificate from %s\n", cert_file); exit (1); } if (!pk) { printf ("Error reading the public key from %s\n", pk_file); exit (1); } if (!cert_verify (c)) { printf ("Certificate invalid or expired\n"); exit (1); } if (!dcareequiv (c->public_key, pk)) { printf ("The certificate in %s does not refer to the public key in %s\n", cert_file, pk_file); exit (1); } if (strcmp (c->identity, id) != 0) { printf ("The certificate in %s does not refer to identity %s\n", cert_file, id); exit (1); } /* everything checked out */ printf ("Valid certificate\n"); exit (0); }
int main (int argc, char **argv) { int fdca, fdpk; dckey *ca = NULL, *pk = NULL; char *id = NULL; char *cert_file = NULL, *pk_file = NULL; int duration = -1; ri (); if (argc < 2) usage (argv[0]); else if (argc == 2) { if (strcmp (argv[1], "init") != 0) usage (argv[0]); else { setprogname (argv[0]); pki_init (); } } else if (argc == 5) { if (strcmp (argv[1], "check") != 0) usage (argv[0]); else { setprogname (argv[0]); pki_check (argv[2], argv[3], argv[4]); } } else if (strcmp (argv[1], "cert") != 0) { usage (argv[0]); } else { /* cert commnad */ setprogname (argv[0]); /* first, let's take care of the options, if any */ parse_options (&pk, &cert_file, &duration, argc, argv); /* the last two args are ID and PK-FILE */ pk_file = argv[argc - 2]; id = argv[argc - 1]; /* set up default values for parameters not affected by the options */ if (!cert_file) { /* default cert_file is ID.cert */ if (cat_str (&cert_file, id) || cat_str (&cert_file, ".cert")) { xfree (cert_file); exit (1); } } if (duration == -1) /* default duration is 30 days */ duration = 30; /* take care of the public key that we are certifying */ /* if the -g option was used, we have to write the pk to pk_file */ if (pk) write_pkfile (pk_file, pk); /* otherwise, import pk from pk_file */ else { if ((fdpk = open (pk_file, O_RDONLY)) == -1) { if (errno == ENOENT) { usage (argv[0]); } else { perror (argv[0]); exit (1); } } else if (!(pk = import_pub_from_file (fdpk))) { fprintf (stderr, "%s: no public key found in %s\n", argv[0], pk_file); close (fdpk); exit (1); } close (fdpk); fdpk = -1; } /* now read the ca private key from ./.pki/ca.priv */ if ((fdca = open ("./.pki/ca.priv", O_RDONLY)) == -1) { if (errno == ENOENT) { usage (argv[0]); } else { perror (argv[0]); exit (1); } } else { if (!(ca = import_priv_from_file (fdca))) { fprintf (stderr, "%s: no private key found in %s\n", argv[0], "./.pki/ca.priv"); close (fdca); exit (1); } close (fdca); fdca = -1; /* prepare a cert, sign it and write it to cert_file */ switch (cert_sign_n_write (ca, id, pk, duration, cert_file)) { case 0: /* no error */ /* the ca signing key is not needed anymore: wipe it out */ dcfree (ca); ca = NULL; break; case -1: /* trouble with the write system call */ check_n_free (&cert_file); dcfree (ca); exit (1); case -2: /* trouble preparing/signinig the certificate */ check_n_free (&cert_file); dcfree (ca); exit (1); default: check_n_free (&cert_file); dcfree (ca); exit (1); } assert (cert_verify (cert_read (cert_file))); dcfree (pk); pk = NULL; } } check_n_free (&cert_file); return 0; }
static int cert_verify_callback (gnutls_session_t session) { int rc; unsigned int status = 0; int ssh = ENABLED_OPT(TOFU); const char* txt_service; if (!x509_cafile && !pgp_keyring) return 0; rc = cert_verify(session, hostname); if (rc == 0) { printf ("*** Verifying server certificate failed...\n"); if (!insecure && !ssh) return -1; } else if (ENABLED_OPT(OCSP)) { /* off-line verification succeeded. Try OCSP */ rc = cert_verify_ocsp(session); if (rc == 0) { printf ("*** Verifying (with OCSP) server certificate failed...\n"); if (!insecure && !ssh) return -1; } else if (rc == -1) printf("*** OCSP response ignored\n"); } if (ssh) /* try ssh auth */ { unsigned int list_size; const gnutls_datum_t * cert; cert = gnutls_certificate_get_peers(session, &list_size); if (cert == NULL) { fprintf(stderr, "Cannot obtain peer's certificate!\n"); return -1; } txt_service = port_to_service(service); rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname, txt_service, GNUTLS_CRT_X509, cert, 0); if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) { print_cert_info_compact(session); fprintf(stderr, "Host %s (%s) has never been contacted before.\n", hostname, txt_service); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", hostname); rc = read_yesno("Are you sure you want to trust it? (y/N): "); if (rc == 0) return -1; } else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { print_cert_info_compact(session); fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname); fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n"); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", hostname); rc = read_yesno("Do you trust the received key? (y/N): "); if (rc == 0) return -1; } else if (rc < 0) { fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(rc)); return -1; } if (rc != 0) { rc = gnutls_store_pubkey(NULL, NULL, hostname, txt_service, GNUTLS_CRT_X509, cert, 0, 0); if (rc < 0) fprintf(stderr, "Could not store key: %s\n", gnutls_strerror(rc)); } } return 0; }
static int cert_verify_callback (gnutls_session_t session) { int rc; unsigned int status = 0; int ssh = ENABLED_OPT(TOFU); #ifdef HAVE_DANE int dane = ENABLED_OPT(DANE); #endif int ca_verify = ENABLED_OPT(CA_VERIFICATION); const char* txt_service; print_cert_info (session, verbose, print_cert); if (ca_verify) { rc = cert_verify(session, hostname); if (rc == 0) { printf ("*** Verifying server certificate failed...\n"); if (!insecure && !ssh) return -1; } else if (ENABLED_OPT(OCSP) && gnutls_ocsp_status_request_is_checked(session, 0) == 0) { /* off-line verification succeeded. Try OCSP */ rc = cert_verify_ocsp(session); if (rc == 0) { printf ("*** Verifying (with OCSP) server certificate failed...\n"); if (!insecure && !ssh) return -1; } else if (rc == -1) printf("*** OCSP response ignored\n"); } } if (ssh) /* try ssh auth */ { unsigned int list_size; const gnutls_datum_t * cert; cert = gnutls_certificate_get_peers(session, &list_size); if (cert == NULL) { fprintf(stderr, "Cannot obtain peer's certificate!\n"); return -1; } txt_service = port_to_service(service); rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname, txt_service, GNUTLS_CRT_X509, cert, 0); if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) { print_cert_info_compact(session); fprintf(stderr, "Host %s (%s) has never been contacted before.\n", hostname, txt_service); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", hostname); rc = read_yesno("Are you sure you want to trust it? (y/N): "); if (rc == 0) return -1; } else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) { print_cert_info_compact(session); fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname); fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n"); if (status == 0) fprintf(stderr, "Its certificate is valid for %s.\n", hostname); rc = read_yesno("Do you trust the received key? (y/N): "); if (rc == 0) return -1; } else if (rc < 0) { fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(rc)); return -1; } if (rc != 0) { rc = gnutls_store_pubkey(NULL, NULL, hostname, txt_service, GNUTLS_CRT_X509, cert, 0, 0); if (rc < 0) fprintf(stderr, "Could not store key: %s\n", gnutls_strerror(rc)); } } #ifdef HAVE_DANE if (dane) /* try DANE auth */ { unsigned int sflags = ENABLED_OPT(LOCAL_DNS)?0:DANE_F_IGNORE_LOCAL_RESOLVER; rc = dane_verify_session_crt( NULL, session, hostname, udp?"udp":"tcp", atoi(service), sflags, 0, &status); if (rc < 0) { fprintf(stderr, "*** DANE verification error: %s\n", dane_strerror(rc)); if (!insecure) return -1; } else { gnutls_datum_t out; rc = dane_verification_status_print( status, &out, 0); if (rc < 0) { fprintf(stderr, "*** DANE error: %s\n", dane_strerror(rc)); if (!insecure) return -1; } fprintf(stderr, "- %s\n", out.data); gnutls_free(out.data); } } #endif return 0; }
int main (int argc, char **argv) { const char *ke_msg1 = NULL; char *ke_msg2 = NULL; char *ca_file = NULL; char *sk_file = NULL; char *cert_file = NULL; char *resp_id = NULL; int out_fd; flow1 *to_b = NULL; flow2 *from_b = NULL; cert *own_cert = NULL; dckey *sk = NULL; dckey *ca_pk = NULL; u_char seskey[sha1_hashsize], secret[aes_blocklen]; char *pretty_secret = NULL; if ((argc == 5) && argv[1][0] != '-') { /* no -p option */ ca_file = "./.pki/ca.pub"; } else if ((argc == 6) && (argv[1][0] != '-') && (argv[1] + 1) && (argv[1][1] != 'p') && (argv[1] + 2)) { /* -p option present, followed by CERT-FILE without separating blank */ ca_file = argv[1] + 2; } else if ((argc == 7) && !strcmp (argv[1], "-p")) { /* -p option present, followed by blank and CERT-FILE */ ca_file = argv[2]; } else { usage (argv[0]); /* does not return */ } setprogname (argv[0]); ri (); sk_file = argv[argc - 4]; cert_file = argv[argc - 3]; resp_id = argv[argc - 2]; out_fd = atoi (argv[argc - 1]); if (!cert_verify (own_cert = cert_read (cert_file))) { fprintf (stderr, "%s: trouble reading certificate from %s, or certificate expired\n", getprogname (), cert_file); perror (getprogname ()); exit (1); } else { to_b = prepare_ke_msg (own_cert, xstrdup (resp_id)); sk = sk_from_file (sk_file); ke_msg1 = export_ke_msg (to_b, sk); dcfree (sk); sk = NULL; write_chunk (1, ke_msg1, strlen (ke_msg1)); check_n_free ((char **) &ke_msg1); ca_pk = pk_from_file (ca_file); if (!(ke_msg2 = read_line (0)) || !(from_b = process_ke_reply (to_b, ke_msg2, ca_pk))) { fprintf (stderr, "error reading/parsing bob's message:\n%s", ke_msg2); dcfree (ca_pk); ca_pk = NULL; check_n_free(&ke_msg2); exit (1); } dcfree (ca_pk); ca_pk = NULL; check_n_free(&ke_msg2); /* derive_key looks at seskey to know if it the caller is alice or bob */ seskey[0] = 'a'; if (derive_key (seskey, to_b, from_b) == -1) { fprintf (stderr, "error deriving session key for alice.\n"); flow1_clr (to_b); flow2_clr (from_b); exit (1); } else { /* choose a random number to send */ prng_getbytes (secret, aes_blocklen); cat_buf (&pretty_secret, secret, aes_blocklen); /* send it to bob, encrypted under the newly established session key */ send_secret (1, secret, seskey); /* dump the chosen secret to standard error */ if ((write_chunk (out_fd, pretty_secret, strlen (pretty_secret)) == -1) || (write_chunk (out_fd, "\n", 1) == -1)) { fprintf (stderr, "error writing to the launcher.\n"); bzero (seskey, sha1_hashsize); bzero (secret, sizeof (secret)); bzero (pretty_secret, strlen (pretty_secret)); xfree (pretty_secret); pretty_secret = NULL; flow1_clr (to_b); flow2_clr (from_b); exit (1); } /* wipe out sensitive data */ bzero (seskey, sha1_hashsize); bzero (secret, sizeof (secret)); bzero (pretty_secret, strlen (pretty_secret)); xfree (pretty_secret); pretty_secret = NULL; flow1_clr (to_b); flow2_clr (from_b); } } /* fprintf (stderr, "alice:done.\n"); */ return 0; }