/**
* xmlSecOpenSSLX509StoreAddCertsPath:
* @store: the pointer to OpenSSL x509 store.
* @path: the path to the certs dir.
*
* Adds all certs in the @path to the list of trusted certs
* in @store.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLX509StoreAddCertsPath(xmlSecKeyDataStorePtr store, const char *path) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(path != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->xst != NULL, -1);
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
if(lookup == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_add_lookup");
return(-1);
}
if(!X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM)) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_LOOKUP_add_dir");
return(-1);
}
return(0);
}
/**
* xmlSecOpenSSLX509StoreAddCertsFile:
* @store: the pointer to OpenSSL x509 store.
* @file: the certs file.
*
* Adds all certs in @file to the list of trusted certs
* in @store. It is possible for @file to contain multiple certs.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(file != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->xst != NULL, -1);
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
if(lookup == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_add_lookup");
return(-1);
}
if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_LOOKUP_load_file");
return(-1);
}
return(0);
}
/**
* xmlSecOpenSSLX509StoreAdoptCert:
* @store: the pointer to X509 key data store klass.
* @cert: the pointer to OpenSSL X509 certificate.
* @type: the certificate type (trusted/untrusted).
*
* Adds trusted (root) or untrusted certificate to the store.
*
* Returns: 0 on success or a negative value if an error occurs.
*/
int
xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecKeyDataType type) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(cert != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
if((type & xmlSecKeyDataTypeTrusted) != 0) {
xmlSecAssert2(ctx->xst != NULL, -1);
ret = X509_STORE_add_cert(ctx->xst, cert);
if(ret != 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_add_cert");
return(-1);
}
/* add cert increments the reference */
X509_free(cert);
} else {
xmlSecAssert2(ctx->untrusted != NULL, -1);
ret = sk_X509_push(ctx->untrusted, cert);
if(ret < 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"sk_X509_push");
return(-1);
}
}
return(0);
}
static void
xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
xmlSecAssert(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId));
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert(ctx != NULL);
if(ctx->xst != NULL) {
X509_STORE_free(ctx->xst);
}
if(ctx->untrusted != NULL) {
sk_X509_pop_free(ctx->untrusted, X509_free);
}
if(ctx->crls != NULL) {
sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free);
}
#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097)
if(ctx->vpm != NULL) {
X509_VERIFY_PARAM_free(ctx->vpm);
}
#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
memset(ctx, 0, sizeof(xmlSecOpenSSLX509StoreCtx));
}
/**
* xmlSecOpenSSLX509StoreAddCertsFile:
* @store: the pointer to OpenSSL x509 store.
* @file: the certs file.
*
* Adds all certs in @file to the list of trusted certs
* in @store. It is possible for @file to contain multiple certs.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(file != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->xst != NULL, -1);
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
if(lookup == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_add_lookup",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_LOOKUP_load_file",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"file='%s'",
xmlSecErrorsSafeString(file)
);
return(-1);
}
return(0);
}
/**
* xmlSecOpenSSLX509StoreFindCert:
* @store: the pointer to X509 key data store klass.
* @subjectName: the desired certificate name.
* @issuerName: the desired certificate issuer name.
* @issuerSerial: the desired certificate issuer serial number.
* @ski: the desired certificate SKI.
* @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context.
*
* Searches @store for a certificate that matches given criteria.
*
* Returns: pointer to found certificate or NULL if certificate is not found
* or an error occurs.
*/
X509*
xmlSecOpenSSLX509StoreFindCert(xmlSecKeyDataStorePtr store, xmlChar *subjectName,
xmlChar *issuerName, xmlChar *issuerSerial,
xmlChar *ski, xmlSecKeyInfoCtx* keyInfoCtx) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509* res = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), NULL);
xmlSecAssert2(keyInfoCtx != NULL, NULL);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, NULL);
if((res == NULL) && (ctx->untrusted != NULL)) {
res = xmlSecOpenSSLX509FindCert(ctx->untrusted, subjectName, issuerName, issuerSerial, ski);
}
return(res);
}
/**
* xmlSecOpenSSLX509StoreAdoptCrl:
* @store: the pointer to X509 key data store klass.
* @crl: the pointer to OpenSSL X509_CRL.
*
* Adds X509 CRL to the store.
*
* Returns: 0 on success or a negative value if an error occurs.
*/
int
xmlSecOpenSSLX509StoreAdoptCrl(xmlSecKeyDataStorePtr store, X509_CRL* crl) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(crl != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->crls != NULL, -1);
ret = sk_X509_CRL_push(ctx->crls, crl);
if(ret < 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"sk_X509_CRL_push");
return(-1);
}
return (0);
}
/**
* xmlSecOpenSSLX509StoreAdoptCert:
* @store: the pointer to X509 key data store klass.
* @cert: the pointer to OpenSSL X509 certificate.
* @type: the certificate type (trusted/untrusted).
*
* Adds trusted (root) or untrusted certificate to the store.
*
* Returns: 0 on success or a negative value if an error occurs.
*/
int
xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecKeyDataType type) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(cert != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
if((type & xmlSecKeyDataTypeTrusted) != 0) {
xmlSecAssert2(ctx->xst != NULL, -1);
ret = X509_STORE_add_cert(ctx->xst, cert);
if(ret != 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_add_cert",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
/* add cert increments the reference */
X509_free(cert);
} else {
xmlSecAssert2(ctx->untrusted != NULL, -1);
ret = sk_X509_push(ctx->untrusted, cert);
if(ret < 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"sk_X509_push",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
}
return(0);
}
/**
* xmlSecOpenSSLX509StoreAdoptCrl:
* @store: the pointer to X509 key data store klass.
* @crl: the pointer to OpenSSL X509_CRL.
*
* Adds X509 CRL to the store.
*
* Returns: 0 on success or a negative value if an error occurs.
*/
int
xmlSecOpenSSLX509StoreAdoptCrl(xmlSecKeyDataStorePtr store, X509_CRL* crl) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(crl != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
xmlSecAssert2(ctx->crls != NULL, -1);
ret = sk_X509_CRL_push(ctx->crls, crl);
if(ret < 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"sk_X509_CRL_push",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
return (0);
}
static int
xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) {
const xmlChar* path;
X509_LOOKUP *lookup = NULL;
xmlSecOpenSSLX509StoreCtxPtr ctx;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
memset(ctx, 0, sizeof(xmlSecOpenSSLX509StoreCtx));
ctx->xst = X509_STORE_new();
if(ctx->xst == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_new");
return(-1);
}
if(!X509_STORE_set_default_paths(ctx->xst)) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_set_default_paths");
return(-1);
}
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
if(lookup == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_add_lookup");
return(-1);
}
path = xmlSecOpenSSLGetDefaultTrustedCertsFolder();
if(path != NULL) {
if(!X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_PEM)) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_LOOKUP_add_dir");
return(-1);
}
} else {
if(!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_LOOKUP_add_dir");
return(-1);
}
}
ctx->untrusted = sk_X509_new_null();
if(ctx->untrusted == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"sk_X509_new_null");
return(-1);
}
ctx->crls = sk_X509_CRL_new_null();
if(ctx->crls == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"sk_X509_CRL_new_null");
return(-1);
}
ctx->vpm = X509_VERIFY_PARAM_new();
if(ctx->vpm == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_VERIFY_PARAM_new");
return(-1);
}
X509_VERIFY_PARAM_set_depth(ctx->vpm, 9); /* the default cert verification path in openssl */
X509_STORE_set1_param(ctx->xst, ctx->vpm);
return(0);
}
/**
* xmlSecOpenSSLX509StoreVerify:
* @store: the pointer to X509 key data store klass.
* @certs: the untrusted certificates stack.
* @crls: the crls stack.
* @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context.
*
* Verifies @certs list.
*
* Returns: pointer to the first verified certificate from @certs.
*/
X509*
xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* certs,
XMLSEC_STACK_OF_X509_CRL* crls, xmlSecKeyInfoCtx* keyInfoCtx) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
STACK_OF(X509)* certs2 = NULL;
STACK_OF(X509_CRL)* crls2 = NULL;
X509 * res = NULL;
X509 * cert;
X509 * err_cert = NULL;
X509_STORE_CTX *xsc;
char buf[256];
int err = 0;
int i;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), NULL);
xmlSecAssert2(certs != NULL, NULL);
xmlSecAssert2(keyInfoCtx != NULL, NULL);
xsc = X509_STORE_CTX_new();
if(xsc == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "X509_STORE_CTX_new");
goto done;
}
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, NULL);
xmlSecAssert2(ctx->xst != NULL, NULL);
/* dup certs */
certs2 = sk_X509_dup(certs);
if(certs2 == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_dup");
goto done;
}
/* add untrusted certs from the store */
if(ctx->untrusted != NULL) {
for(i = 0; i < sk_X509_num(ctx->untrusted); ++i) {
ret = sk_X509_push(certs2, sk_X509_value(ctx->untrusted, i));
if(ret < 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_push");
goto done;
}
}
}
/* dup crls but remove all non-verified */
if(crls != NULL) {
crls2 = sk_X509_CRL_dup(crls);
if(crls2 == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_CRL_dup");
goto done;
}
for(i = 0; i < sk_X509_CRL_num(crls2); ) {
ret = xmlSecOpenSSLX509VerifyCRL(ctx->xst, sk_X509_CRL_value(crls2, i));
if(ret == 1) {
++i;
} else if(ret == 0) {
(void)sk_X509_CRL_delete(crls2, i);
} else {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"xmlSecOpenSSLX509VerifyCRL",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
}
}
/* remove all revoked certs */
for(i = 0; i < sk_X509_num(certs2);) {
cert = sk_X509_value(certs2, i);
if(crls2 != NULL) {
ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(crls2, cert);
if(ret == 0) {
(void)sk_X509_delete(certs2, i);
continue;
} else if(ret != 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"xmlSecOpenSSLX509VerifyCertAgainstCrls",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
}
if(ctx->crls != NULL) {
ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(ctx->crls, cert);
if(ret == 0) {
(void)sk_X509_delete(certs2, i);
continue;
} else if(ret != 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"xmlSecOpenSSLX509VerifyCertAgainstCrls",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
}
++i;
}
/* get one cert after another and try to verify */
for(i = 0; i < sk_X509_num(certs2); ++i) {
cert = sk_X509_value(certs2, i);
if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) {
ret = X509_STORE_CTX_init(xsc, ctx->xst, cert, certs2);
if(ret != 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_CTX_init");
goto done;
}
if(keyInfoCtx->certsVerificationTime > 0) {
X509_STORE_CTX_set_time(xsc, 0, keyInfoCtx->certsVerificationTime);
}
{
X509_VERIFY_PARAM * vpm = NULL;
unsigned long vpm_flags = 0;
vpm = X509_VERIFY_PARAM_new();
if(vpm == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_VERIFY_PARAM_new");
goto done;
}
vpm_flags = X509_VERIFY_PARAM_get_flags(vpm);
vpm_flags &= (~X509_V_FLAG_CRL_CHECK);
if(keyInfoCtx->certsVerificationTime > 0) {
vpm_flags |= X509_V_FLAG_USE_CHECK_TIME;
X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime);
}
X509_VERIFY_PARAM_set_depth(vpm, keyInfoCtx->certsVerificationDepth);
X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
X509_STORE_CTX_set0_param(xsc, vpm);
}
ret = X509_verify_cert(xsc);
err_cert = X509_STORE_CTX_get_current_cert(xsc);
err = X509_STORE_CTX_get_error(xsc);
X509_STORE_CTX_cleanup (xsc);
if(ret == 1) {
res = cert;
goto done;
} else if(ret < 0) {
const char* err_msg;
buf[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
err_msg = X509_verify_cert_error_string(err);
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_verify_cert",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"subj=%s;err=%d;msg=%s",
xmlSecErrorsSafeString(buf),
err,
xmlSecErrorsSafeString(err_msg));
goto done;
} else if(ret == 0) {
const char* err_msg;
buf[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
err_msg = X509_verify_cert_error_string(err);
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_verify_cert",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"subj=%s;err=%d;msg=%s",
xmlSecErrorsSafeString(buf),
err,
xmlSecErrorsSafeString(err_msg));
}
}
}
/* if we came here then we found nothing. do we have any error? */
if((err != 0) && (err_cert != NULL)) {
const char* err_msg;
err_msg = X509_verify_cert_error_string(err);
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf);
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
"err=%d;msg=%s;issuer=%s",
err,
xmlSecErrorsSafeString(err_msg),
xmlSecErrorsSafeString(buf));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
"err=%d;msg=%s", err,
xmlSecErrorsSafeString(err_msg));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
"err=%d;msg=%s", err,
xmlSecErrorsSafeString(err_msg));
break;
default:
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
"err=%d;msg=%s", err,
xmlSecErrorsSafeString(err_msg));
}
}
done:
if(certs2 != NULL) {
sk_X509_free(certs2);
}
if(crls2 != NULL) {
sk_X509_CRL_free(crls2);
}
if(xsc != NULL) {
X509_STORE_CTX_free(xsc);
}
return(res);
}
static int
xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) {
const xmlChar* path;
X509_LOOKUP *lookup = NULL;
xmlSecOpenSSLX509StoreCtxPtr ctx;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
memset(ctx, 0, sizeof(xmlSecOpenSSLX509StoreCtx));
ctx->xst = X509_STORE_new();
if(ctx->xst == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_new",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
if(!X509_STORE_set_default_paths(ctx->xst)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_set_default_paths",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
if(lookup == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_STORE_add_lookup",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
path = xmlSecOpenSSLGetDefaultTrustedCertsFolder();
if(path != NULL) {
if(!X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_PEM)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_LOOKUP_add_dir",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"path='%s'",
xmlSecErrorsSafeString(path)
);
return(-1);
}
} else {
if(!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_LOOKUP_add_dir",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE
);
return(-1);
}
}
ctx->untrusted = sk_X509_new_null();
if(ctx->untrusted == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"sk_X509_new_null",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
ctx->crls = sk_X509_CRL_new_null();
if(ctx->crls == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"sk_X509_CRL_new_null",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097)
ctx->vpm = X509_VERIFY_PARAM_new();
if(ctx->vpm == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_VERIFY_PARAM_new",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
X509_VERIFY_PARAM_set_depth(ctx->vpm, 9); /* the default cert verification path in openssl */
X509_STORE_set1_param(ctx->xst, ctx->vpm);
#else /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
ctx->xst->depth = 9; /* the default cert verification path in openssl */
#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
return(0);
}
