STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms) { STACK_OF(X509) *signers = NULL; STACK_OF(CMS_SignerInfo) *sinfos; CMS_SignerInfo *si; int i; sinfos = CMS_get0_SignerInfos(cms); for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { si = sk_CMS_SignerInfo_value(sinfos, i); if (si->signer) { if (!signers) { signers = sk_X509_new_null(); if (!signers) return NULL; } if (!sk_X509_push(signers, si->signer)) { sk_X509_free(signers); return NULL; } } } return signers; }
int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) { int i; STACK_OF(X509) **sk; i = OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: sk = &(p7->d.sign->cert); break; case NID_pkcs7_signedAndEnveloped: sk = &(p7->d.signed_and_enveloped->cert); break; default: PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE, PKCS7_R_WRONG_CONTENT_TYPE); return 0; } if (*sk == NULL) *sk = sk_X509_new_null(); if (*sk == NULL) { PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE, ERR_R_MALLOC_FAILURE); return 0; } X509_up_ref(x509); if (!sk_X509_push(*sk, x509)) { X509_free(x509); return 0; } return 1; }
static VALUE ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self) { VALUE signer_cert, signer_key, certs, flags; OCSP_REQUEST *req; X509 *signer; EVP_PKEY *key; STACK_OF(X509) *x509s; unsigned long flg; int ret; rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags); signer = GetX509CertPtr(signer_cert); key = GetPrivPKeyPtr(signer_key); flg = NIL_P(flags) ? 0 : NUM2INT(flags); if(NIL_P(certs)){ x509s = sk_X509_new_null(); flags |= OCSP_NOCERTS; } else x509s = ossl_x509_ary2sk(certs); GetOCSPReq(self, req); ret = OCSP_request_sign(req, signer, key, EVP_sha1(), x509s, flg); sk_X509_pop_free(x509s, X509_free); if(!ret) ossl_raise(eOCSPError, NULL); return self; }
STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) { STACK_OF(X509) *certs = NULL; CMS_CertificateChoices *cch; STACK_OF(CMS_CertificateChoices) **pcerts; int i; pcerts = cms_get0_certificate_choices(cms); if (!pcerts) return NULL; for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { cch = sk_CMS_CertificateChoices_value(*pcerts, i); if (cch->type == 0) { if (!certs) { certs = sk_X509_new_null(); if (!certs) return NULL; } if (!sk_X509_push(certs, cch->d.certificate)) { sk_X509_pop_free(certs, X509_free); return NULL; } X509_up_ref(cch->d.certificate); } } return certs; }
static VALUE ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self) { VALUE signer_cert, signer_key, certs, flags; OCSP_BASICRESP *bs; X509 *signer; EVP_PKEY *key; STACK_OF(X509) *x509s; unsigned long flg; int ret; rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags); signer = GetX509CertPtr(signer_cert); key = GetPrivPKeyPtr(signer_key); flg = NIL_P(flags) ? 0 : NUM2INT(flags); if(NIL_P(certs)){ x509s = sk_X509_new_null(); flg |= OCSP_NOCERTS; } else{ x509s = ossl_x509_ary2sk(certs); } GetOCSPBasicRes(self, bs); ret = OCSP_basic_sign(bs, signer, key, EVP_sha1(), x509s, flg); sk_X509_pop_free(x509s, X509_free); if(!ret) ossl_raise(eOCSPError, NULL); return self; }
STACK_OF(X509) *TS_CONF_load_certs(const char *file) { BIO *certs = NULL; STACK_OF(X509) *othercerts = NULL; STACK_OF(X509_INFO) *allcerts = NULL; int i; if ((certs = BIO_new_file(file, "r")) == NULL) goto end; if ((othercerts = sk_X509_new_null()) == NULL) goto end; allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL); for (i = 0; i < sk_X509_INFO_num(allcerts); i++) { X509_INFO *xi = sk_X509_INFO_value(allcerts, i); if (xi->x509) { sk_X509_push(othercerts, xi->x509); xi->x509 = NULL; } } end: if (othercerts == NULL) fprintf(stderr, "unable to load certificates: %s\n", file); sk_X509_INFO_pop_free(allcerts, X509_INFO_free); BIO_free(certs); return othercerts; }
void pki_pkcs7::signBio(pki_x509 *crt, BIO *bio) { pki_key *privkey; EVP_PKEY *pk; STACK_OF(X509) *certstack; if (!crt) return; privkey = crt->getRefKey(); if (!privkey) throw errorEx("No private key for signing found", getClassName()); certstack = sk_X509_new_null(); pki_x509 *signer = crt->getSigner(); if (signer == crt) signer = NULL; while (signer != NULL ) { sk_X509_push(certstack, signer->getCert()); openssl_error(); if (signer == signer->getSigner() ) signer = NULL; else signer = signer->getSigner(); } if (p7) PKCS7_free(p7); pk = privkey->decryptKey(); p7 = PKCS7_sign(crt->getCert(), pk, certstack, bio, PKCS7_BINARY); EVP_PKEY_free(pk); openssl_error(); sk_X509_free(certstack); }
int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) { int i; STACK_OF(X509) **sk; i=OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: sk= &(p7->d.sign->cert); break; case NID_pkcs7_signedAndEnveloped: sk= &(p7->d.signed_and_enveloped->cert); break; default: PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE,PKCS7_R_WRONG_CONTENT_TYPE); return(0); } if (*sk == NULL) *sk=sk_X509_new_null(); CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); sk_X509_push(*sk,x509); return(1); }
pki_pkcs12::pki_pkcs12(const QString fname, pem_password_cb *cb) :pki_base(fname) { FILE *fp; char pass[MAX_PASS_LENGTH]; EVP_PKEY *mykey = NULL; X509 *mycert = NULL; key=NULL; cert=NULL; passcb = cb; class_name="pki_pkcs12"; certstack = sk_X509_new_null(); pass_info p(XCA_TITLE, tr("Please enter the password to decrypt the PKCS#12 file.") + "\n'" + fname + "'"); fp = fopen(QString2filename(fname), "rb"); if (fp) { PKCS12 *pkcs12 = d2i_PKCS12_fp(fp, NULL); fclose(fp); if (ign_openssl_error()) { if (pkcs12) PKCS12_free(pkcs12); throw errorEx(tr("Unable to load the PKCS#12 (pfx) file %1.").arg(fname)); } if (PKCS12_verify_mac(pkcs12, "", 0) || PKCS12_verify_mac(pkcs12, NULL, 0)) pass[0] = '\0'; else if (passcb(pass, MAX_PASS_LENGTH, 0, &p) < 0) { /* cancel pressed */ PKCS12_free(pkcs12); throw errorEx("",""); } PKCS12_parse(pkcs12, pass, &mykey, &mycert, &certstack); int error = ERR_peek_error(); if (ERR_GET_REASON(error) == PKCS12_R_MAC_VERIFY_FAILURE) { ign_openssl_error(); PKCS12_free(pkcs12); throw errorEx(getClassName(), tr("The supplied password was wrong (%1)").arg(ERR_reason_error_string(error))); } ign_openssl_error(); if (mycert) { if (mycert->aux && mycert->aux->alias) { alias = asn1ToQString(mycert->aux->alias); alias = QString::fromUtf8(alias.toAscii()); } cert = new pki_x509(mycert); if (alias.isEmpty()) { cert->autoIntName(); } else { cert->setIntName(alias); } alias = cert->getIntName(); } if (mykey) { key = new pki_evp(mykey); key->setIntName(alias + "_key"); key->bogusEncryptKey(); } PKCS12_free(pkcs12); } else fopen_error(fname); }
ZCertificateChain * z_certificate_chain_new(void) { ZCertificateChain *self = Z_NEW_COMPAT(Z_CLASS(ZCertificateChain), ZCertificateChain); self->chain = sk_X509_new_null(); return self; }
pki_pkcs12::pki_pkcs12(const QString d, pki_x509 *acert, pki_evp *akey) :pki_base(d) { class_name="pki_pkcs12"; key = new pki_evp(akey); cert = new pki_x509(acert); certstack = sk_X509_new_null(); openssl_error(); }
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) { if (!resp->certs && !(resp->certs = sk_X509_new_null())) return 0; if(!sk_X509_push(resp->certs, cert)) return 0; CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); return 1; }
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) { if (resp->certs == NULL && (resp->certs = sk_X509_new_null()) == NULL) return 0; if (!sk_X509_push(resp->certs, cert)) return 0; X509_up_ref(cert); return 1; }
static int lka_X509_verify(struct ca_vrfy_req_msg *vrfy, const char *CAfile, const char *CRLfile) { X509 *x509; X509 *x509_tmp; X509 *x509_tmp2; STACK_OF(X509) *x509_chain; const unsigned char *d2i; size_t i; int ret = 0; const char *errstr; x509 = NULL; x509_tmp = NULL; x509_chain = NULL; d2i = vrfy->cert; if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) { x509 = NULL; goto end; } if (vrfy->n_chain) { x509_chain = sk_X509_new_null(); for (i = 0; i < vrfy->n_chain; ++i) { d2i = vrfy->chain_cert[i]; if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) { x509_tmp = NULL; goto end; } if ((x509_tmp2 = X509_dup(x509_tmp)) == NULL) goto end; sk_X509_insert(x509_chain, x509_tmp2, i); x509_tmp = x509_tmp2 = NULL; } } if (! ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr)) log_debug("debug: lka: X509 verify: %s", errstr); else ret = 1; end: if (x509) X509_free(x509); if (x509_tmp) X509_free(x509_tmp); if (x509_chain) sk_X509_pop_free(x509_chain, X509_free); return ret; }
MonoBtlsX509Chain * mono_btls_x509_chain_new (void) { MonoBtlsX509Chain *chain = (MonoBtlsX509Chain *)OPENSSL_malloc (sizeof (MonoBtlsX509Chain)); if (chain == NULL) return NULL; memset(chain, 0, sizeof(MonoBtlsX509Chain)); chain->certs = sk_X509_new_null (); chain->references = 1; return chain; }
RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack) { PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore; AssertPtrReturn(pThis, VERR_INVALID_HANDLE); AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE); /* * Use the pfnCertFindAll method to add all certificates to the store we're returning. */ int rc; STACK_OF(X509) *pOsslStack = sk_X509_new_null(); if (pOsslStack) { RTCRSTORECERTSEARCH Search; rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search); if (RT_SUCCESS(rc)) { do { PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search); if (!pCertCtx) break; if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER) { X509 *pOsslCert = NULL; const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded; if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert) { if (!sk_X509_push(pOsslStack, pOsslCert)) { rc = VERR_NO_MEMORY; X509_free(pOsslCert); } } } RTCrCertCtxRelease(pCertCtx); } while (RT_SUCCESS(rc)); pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search); if (RT_SUCCESS(rc)) { *ppvOpenSslStack = pOsslStack; return VINF_SUCCESS; } } sk_X509_pop_free(pOsslStack, X509_free); } else rc = VERR_NO_MEMORY; return rc; }
// VerifyChain verifies the certificate chain in chain // according to the verification options given as opts. bool X509VerifierPrivate::VerifyChain(std::vector<X509Certificate> chain, const X509VerifierOptions &opts) { bool status = false; X509_STORE_CTX *ctx = X509_STORE_CTX_new(); STACK_OF(X509) *untrusted = sk_X509_new_null(); // Ensure that we have a chain to check on. if (chain.empty()) { goto out; } // If we've been passed a DNS name in opts, // we should check whether the leaf certificate // matches that before doing the more expensive // checks. if (!opts.dns_name.empty()) { if (!X509HostnameVerifier::VerifyHostname(chain.at(0), opts.dns_name)) { std::cerr << "X509VerifierPrivate - hostname verification failed" << std::endl; goto out; } } // Extract our chain into the format that OpenSSL // expects for verification. for (X509Certificate &cert : chain) { X509 *cur = cert.dptr_->AsOpenSSLX509(); sk_X509_push(untrusted, cur); } // Set up the X509_STORE_CTX to verify according to opts. X509_STORE_CTX_init(ctx, store_, sk_X509_value(untrusted, 0), untrusted); // If a time is not specified in opts, use the current system time. if (opts.time == 0) { X509_STORE_CTX_set_time(ctx, 0, std::time(nullptr)); } else { X509_STORE_CTX_set_time(ctx, 0, opts.time); } // If a dns_name is specified in opts, use the SSL server policy. if (!opts.dns_name.empty()) { X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SSL_SERVER); X509_STORE_CTX_set_trust(ctx, X509_TRUST_SSL_SERVER); } if (X509_verify_cert(ctx) == 1) { status = true; } else { std::cerr << "X509VerifierPrivate - verification error: " << X509_verify_cert_error_string(ctx->error) << std::endl; } out: sk_X509_pop_free(untrusted, X509_free); X509_STORE_CTX_free(ctx); return status; }
opts_t * opts_new(void) { opts_t *opts; opts = malloc(sizeof(opts_t)); memset(opts, 0, sizeof(opts_t)); opts->sslcomp = 1; opts->chain = sk_X509_new_null(); return opts; }
static STACK_OF(X509) * convert_certificate_chain_to_openssl (GTlsCertificateOpenssl *chain) { GTlsCertificate *cert; STACK_OF(X509) *openssl_chain; openssl_chain = sk_X509_new_null (); for (cert = G_TLS_CERTIFICATE (chain); cert; cert = g_tls_certificate_get_issuer (cert)) sk_X509_push (openssl_chain, g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert))); return openssl_chain; }
/** * This function initializes a globus_gsi_callback_data_t. * @ingroup globus_gsi_callback_data * * @param callback_data * Reference to the structure to be initialized * * @return * GLOBUS_SUCCESS unless an error occurred, in which case, * a globus error object ID is returned */ globus_result_t globus_gsi_callback_data_init( globus_gsi_callback_data_t * callback_data) { globus_result_t result = GLOBUS_SUCCESS; static char * _function_name_ = "globus_gsi_callback_data_init"; GLOBUS_I_GSI_CALLBACK_DEBUG_ENTER; if(callback_data == NULL) { GLOBUS_GSI_CALLBACK_ERROR_RESULT( result, GLOBUS_GSI_CALLBACK_ERROR_CALLBACK_DATA, (_CLS("NULL pointer to callback_data passed to function: %s"), _function_name_)); goto exit; } *callback_data = malloc(sizeof(globus_i_gsi_callback_data_t)); if(*callback_data == NULL) { result = globus_error_put( globus_error_wrap_errno_error( GLOBUS_GSI_CALLBACK_MODULE, errno, GLOBUS_GSI_CALLBACK_ERROR_ERRNO, __FILE__, _function_name_, __LINE__, "Error allocating space (malloc) for callback data")); goto exit; } memset(*callback_data, 0, sizeof(globus_i_gsi_callback_data_t)); (*callback_data)->max_proxy_depth = -1; (*callback_data)->cert_type = GLOBUS_GSI_CERT_UTILS_TYPE_EEC; (*callback_data)->cert_chain = sk_X509_new_null(); (*callback_data)->error = GLOBUS_SUCCESS; (*callback_data)->check_self_signed_policy = GLOBUS_FALSE; exit: GLOBUS_I_GSI_CALLBACK_DEBUG_EXIT; return result; }
static STACK_OF(X509) * chain_from_pem_file(const uschar * file) { BIO * bp; X509 * x; STACK_OF(X509) * sk; if (!(sk = sk_X509_new_null())) return NULL; if (!(bp = BIO_new_file(CS file, "r"))) return NULL; while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL))) sk_X509_push(sk, x); BIO_free(bp); return sk; }
void pki_pkcs7::encryptBio(pki_x509 *crt, BIO *bio) { STACK_OF(X509) *certstack; if (!crt) return; certstack = sk_X509_new_null(); sk_X509_push(certstack, crt->getCert()); openssl_error(); if (p7) PKCS7_free(p7); p7 = PKCS7_encrypt(certstack, bio, EVP_des_ede3_cbc(), PKCS7_BINARY); openssl_error(); sk_X509_free(certstack); }
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) { OCSP_SIGNATURE *sig; if (!req->optionalSignature) req->optionalSignature = OCSP_SIGNATURE_new(); sig = req->optionalSignature; if (!sig) return 0; if (!cert) return 1; if (!sig->certs && !(sig->certs = sk_X509_new_null())) return 0; if(!sk_X509_push(sig->certs, cert)) return 0; CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); return 1; }
int s2n_x509_validator_init(struct s2n_x509_validator *validator, struct s2n_x509_trust_store *trust_store, uint8_t check_ocsp) { notnull_check(trust_store); validator->trust_store = trust_store; validator->skip_cert_validation = 0; validator->check_stapled_ocsp = check_ocsp; validator->max_chain_depth = DEFAULT_MAX_CHAIN_DEPTH; validator->cert_chain = NULL; if (validator->trust_store->trust_store) { validator->cert_chain = sk_X509_new_null(); } return 0; }
/** * Parses X.509 PEM formatted certificates from file. The file can contain multiple * certificates. You can just use 'cat' command in linux to add multiple PEM formatted * X.509 certificates to one file (e.g. <code>cat cert1.pem cert2.pem > certs.pem</code>). * NB! This struct must be freed using sk_X509_free() function from OpenSSL or * with X509Stack_scope struct. * * @param path PEM formatted X.509 certificates file path. * @return returns stack of parsed X.509 certificates. * @throws IOException throws exception if the file does not contain X.509 * PEM formatted certificate(s). */ STACK_OF(X509)* digidoc::X509Cert::loadX509Stack(const std::string& path) throw(IOException) { // Create an empty X.509 stack. STACK_OF(X509)* stack = sk_X509_new_null(); if(stack == NULL) { THROW_IOEXCEPTION("Failed to create X.509 certificate stack."); } // Initialize OpenSSL file. BIO* file = BIO_new(BIO_s_file()); BIO_scope fileScope(&file); if(file == NULL) { THROW_IOEXCEPTION("Failed to open X.509 certificates file '%s': %s", path.c_str(), ERR_reason_error_string(ERR_get_error())); } // Open file, which can contain multiple X.509 certificates. if(BIO_read_filename(file, path.c_str()) <= 0) { THROW_IOEXCEPTION("Failed to open X.509 certificates file '%s': %s", path.c_str(), ERR_reason_error_string(ERR_get_error())); } // Read certificates info from the file. STACK_OF(X509_INFO)* certsInfo = PEM_X509_INFO_read_bio(file, NULL, NULL, NULL); if(certsInfo == NULL) { THROW_IOEXCEPTION("Failed to read X.509 certificates from file '%s': %s", path.c_str(), ERR_reason_error_string(ERR_get_error())); } // Put all found certificates to the stack. for(int i = 0; i < sk_X509_INFO_num(certsInfo); i++) { X509_INFO* xi = sk_X509_INFO_value(certsInfo, i); if(xi->x509 != NULL) { sk_X509_push(stack, xi->x509); xi->x509 = NULL; } } // Release resources. sk_X509_INFO_pop_free(certsInfo, X509_INFO_free); return stack; }
static STACK_OF(X509) * read_fullchain(const char *file, int *count) { int i; BIO *bio; STACK_OF(X509_INFO) *xis = NULL; X509_INFO *xi; STACK_OF(X509) *rv = NULL; *count = 0; if ((bio = BIO_new_file(file, "r")) == NULL) { warn("Unable to read a certificate from %s", file); return NULL; } if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) { warnx("Unable to read PEM format from %s", file); return NULL; } BIO_free(bio); if (sk_X509_INFO_num(xis) <= 0) { warnx("No certificates in file %s", file); goto end; } if ((rv = sk_X509_new_null()) == NULL) { warnx("malloc failed"); goto end; } for (i = 0; i < sk_X509_INFO_num(xis); i++) { xi = sk_X509_INFO_value(xis, i); if (xi->x509 == NULL) continue; if (!sk_X509_push(rv, xi->x509)) { warnx("unable to build x509 chain"); sk_X509_pop_free(rv, X509_free); rv = NULL; goto end; } xi->x509 = NULL; (*count)++; } end: sk_X509_INFO_pop_free(xis, X509_INFO_free); return rv; }
/** * Returns a list of all x509 certificates in a PKCS12 object. */ static STACK_OF(X509) *pkcs12_listCerts(PKCS12 *p12) { STACK_OF(X509) *x509s = sk_X509_new_null(); if (!x509s) return NULL; // Extract all PKCS7 safes STACK_OF(PKCS7) *pkcs7s = PKCS12_unpack_authsafes(p12); if (!pkcs7s) { certutil_updateErrorString(); sk_X509_free(x509s); return NULL; } // For each PKCS7 safe int nump = sk_PKCS7_num(pkcs7s); for (int p = 0; p < nump; p++) { PKCS7 *p7 = sk_PKCS7_value(pkcs7s, p); if (!p7) continue; STACK_OF(PKCS12_SAFEBAG) *safebags = PKCS12_unpack_p7data(p7); if (!safebags) { certutil_updateErrorString(); continue; } // For each PKCS12 safebag int numb = sk_PKCS12_SAFEBAG_num(safebags); for (int i = 0; i < numb; i++) { PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(safebags, i); if (!bag) continue; if (M_PKCS12_bag_type(bag) == NID_certBag) { // Extract x509 cert X509 *x509 = PKCS12_certbag2x509(bag); if (x509 == NULL) { certutil_updateErrorString(); } else { sk_X509_push(x509s, x509); } } } sk_PKCS12_SAFEBAG_pop_free(safebags, PKCS12_SAFEBAG_free); } sk_PKCS7_pop_free(pkcs7s, PKCS7_free); return x509s; }
int myproxy_ocsp_set_responder_cert(const char *path) { BIO * in = NULL; X509 * x = NULL; int count; int rval = -1; sk_X509_pop_free(responder_cert, X509_free); responder_cert = NULL; in = BIO_new(BIO_s_file_internal()); if (in == NULL || BIO_read_filename(in, path) <= 0) { verror_put_string("error reading %s", path); goto exit; } responder_cert = sk_X509_new_null(); if (!responder_cert) { verror_put_string("sk_X509_new_null() failed in " "myproxy_ocsp_set_responder_cert()"); goto exit; } for (count = 0; ; count++) { x = PEM_read_bio_X509(in, NULL, NULL, NULL); if (x == NULL) { if ((ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); break; } else { verror_put_string("error reading %s", path); goto exit; } } sk_X509_insert(responder_cert,x,sk_X509_num(responder_cert)); x = NULL; } rval = 0; /* success */ exit: if (in) BIO_free_all(in); if (x) X509_free(x); return rval; }
/* This function must be called before trying to sign any file. * It loads string for errors, and ciphers are auto-loaded by OpenSSL now. * If this function fails it may be because the certificate cannot * be validated. * * returns: true if can initialize and validate certificates, otherwise false */ bool initialize_signature(void) { int ret = -1; time_t mod_sec = 0; struct tm *alttime; struct stat statt; string_or_die(&CERTNAME, "%s/%s", cert_path, SWUPDCERT); ERR_load_crypto_strings(); ERR_load_PKCS7_strings(); EVP_add_digest(EVP_sha256()); if (!get_pubkey()) { goto fail; } ret = validate_certificate(); if (ret) { printf("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret)); if (ret == X509_V_ERR_CERT_NOT_YET_VALID) { /* If we can retrieve an approx. good system time, report out to user */ if (stat("/usr/lib/os-release", &statt) != -1) { mod_sec = statt.st_mtim.tv_sec; char timebuf[30]; alttime = localtime(&mod_sec); strftime(timebuf, sizeof(timebuf), "%F", alttime); printf("System clock should be at least %s\n", timebuf); } } goto fail; } /* Push our trust cert(s) to the stack, which is a set of certificates * in which to search for the signer's cert. */ x509_stack = sk_X509_new_null(); if (!x509_stack) { goto fail; } sk_X509_push(x509_stack, cert); return true; fail: return false; }
/* 功能:验证签名 入口: char*certFile 证书(含匙) char* plainText 明文 char* cipherText 签名 出口: bool true 签名验证成功 bool false 验证失败 */ bool PKCS7_VerifySign(char*certFile,char* plainText,char* cipherText ) { /* Get X509 */ FILE* fp = fopen (certFile, "r"); if (fp == NULL) return false; X509* x509 = PEM_read_X509(fp, NULL, NULL, NULL); fclose (fp); if (x509 == NULL) { ERR_print_errors_fp (stderr); return false; } //BASE64解码 unsigned char *retBuf[1024*8]; int retBufLen = sizeof(retBuf); memset(retBuf,0,sizeof(retBuf)); decodeBase64(cipherText,(void *)retBuf,&retBufLen); //从签名中取PKCS7对象 BIO* vin = BIO_new_mem_buf(retBuf,retBufLen); PKCS7 *p7 = d2i_PKCS7_bio(vin,NULL); //取STACK_OF(X509)对象 STACK_OF(X509) *stack=sk_X509_new_null();//X509_STORE_new() sk_X509_push(stack,x509); //明码数据转为BIO BIO *bio = BIO_new(BIO_s_mem()); BIO_puts(bio,plainText); //验证签名 int err = PKCS7_verify(p7, stack, NULL,bio, NULL, PKCS7_NOVERIFY); if (err != 1) { ERR_print_errors_fp (stderr); return false; } return true; }