static X509_REQ *pki_certificate_request(EVP_PKEY *keyring, digital_id_t *digital_id)
{
jlog(L_DEBUG, "pki_certificate_request");
X509_REQ *cert_req;
X509_NAME *subject;
const EVP_MD *message_digest;
// create a certificate request
cert_req = X509_REQ_new();
// set certificate request 'Subject:'
subject = X509_NAME_new();
X509_NAME_add_entry_by_txt(subject, "commonName", MBSTRING_ASC, (unsigned char*)digital_id->commonName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "countryName", MBSTRING_ASC, (unsigned char*)digital_id->countryName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "stateOrProvinceName", MBSTRING_ASC, (unsigned char*)digital_id->stateOrProvinceName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "localityName", MBSTRING_ASC, (unsigned char*)digital_id->localityName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "emailAddress", MBSTRING_ASC, (unsigned char*)digital_id->emailAddress, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "organizationName", MBSTRING_ASC, (unsigned char*)digital_id->organizationName, -1, -1, 0);
X509_REQ_set_subject_name(cert_req, subject);
X509_NAME_free(subject);
// set certificate request public key
X509_REQ_set_pubkey(cert_req, keyring);
// create a message digest
message_digest = EVP_sha1();
// sign certificate request
X509_REQ_sign(cert_req, keyring, message_digest);
return cert_req;
}
void pkcs7_issuer_and_subject_free(pkcs7_issuer_and_subject *a) {
if (a == NULL) return;
X509_NAME_free(a->issuer);
X509_NAME_free(a->subject);
OPENSSL_free(a);
}
// Generate a self-signed certificate, with the public key from the
// given key pair. Caller is responsible for freeing the returned object.
static X509* MakeCertificate(EVP_PKEY* pkey, const char* common_name) {
LOG(LS_INFO) << "Making certificate for " << common_name;
X509* x509 = NULL;
BIGNUM* serial_number = NULL;
X509_NAME* name = NULL;
if ((x509=X509_new()) == NULL)
goto error;
if (!X509_set_pubkey(x509, pkey))
goto error;
// serial number
// temporary reference to serial number inside x509 struct
ASN1_INTEGER* asn1_serial_number;
if (!(serial_number = BN_new()) ||
!BN_pseudo_rand(serial_number, SERIAL_RAND_BITS, 0, 0) ||
!(asn1_serial_number = X509_get_serialNumber(x509)) ||
!BN_to_ASN1_INTEGER(serial_number, asn1_serial_number))
goto error;
if (!X509_set_version(x509, 0L)) // version 1
goto error;
// There are a lot of possible components for the name entries. In
// our P2P SSL mode however, the certificates are pre-exchanged
// (through the secure XMPP channel), and so the certificate
// identification is arbitrary. It can't be empty, so we set some
// arbitrary common_name. Note that this certificate goes out in
// clear during SSL negotiation, so there may be a privacy issue in
// putting anything recognizable here.
if (!(name = X509_NAME_new()) ||
!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_UTF8,
(unsigned char*)common_name, -1, -1, 0) ||
!X509_set_subject_name(x509, name) ||
!X509_set_issuer_name(x509, name))
goto error;
if (!X509_gmtime_adj(X509_get_notBefore(x509), 0) ||
!X509_gmtime_adj(X509_get_notAfter(x509), CERTIFICATE_LIFETIME))
goto error;
if (!X509_sign(x509, pkey, EVP_sha1()))
goto error;
BN_free(serial_number);
X509_NAME_free(name);
LOG(LS_INFO) << "Returning certificate";
return x509;
error:
BN_free(serial_number);
X509_NAME_free(name);
X509_free(x509);
return NULL;
}
static void string_to_X509_NAME(X509_NAME** name, const std::string& str) {
if(name == NULL) return;
if(*name != NULL) { X509_NAME_free(*name); *name = NULL; }
*name = X509_NAME_new();
if(*name == NULL) return;
// The input string is supposed to be /O=Grid/OU=EMI/CN=UserTest
std::string::size_type pos1 = 0, pos2;
pos1 = str.find("/", 0);
while(pos1 != std::string::npos) {
std::string entry_name, entry_value;
pos2 = str.find("=", pos1);
if(pos2 == std::string::npos) break;
entry_name = str.substr(pos1+1, pos2-pos1-1);
pos1 = str.find("/", pos2);
if(pos1 == std::string::npos) entry_value = str.substr(pos2+1);
else entry_value = str.substr(pos2+1, pos1-pos2-1);
#ifdef HAVE_OPENSSL_OLDRSA
int r = X509_NAME_add_entry_by_txt(*name, (char*)(entry_name.c_str()),
MBSTRING_ASC, (unsigned char*)(entry_value.c_str()), -1, -1, 0);
#else
int r = X509_NAME_add_entry_by_txt(*name, entry_name.c_str(),
MBSTRING_ASC, (const unsigned char*)(entry_value.c_str()), -1, -1, 0);
#endif
};
return;
}
static int set_cn(X509 *crt, ...)
{
int ret = 0;
X509_NAME *n = NULL;
va_list ap;
va_start(ap, crt);
n = X509_NAME_new();
if (n == NULL)
goto out;
while (1) {
int nid;
const char *name;
nid = va_arg(ap, int);
if (nid == 0)
break;
name = va_arg(ap, const char *);
if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
(unsigned char *)name, -1, -1, 1))
goto out;
}
if (!X509_set_subject_name(crt, n))
goto out;
ret = 1;
out:
X509_NAME_free(n);
va_end(ap);
return ret;
}
void GENERAL_NAME_free(GENERAL_NAME *a)
{
if (a == NULL) return;
switch(a->type) {
case GEN_X400:
case GEN_EDIPARTY:
ASN1_TYPE_free(a->d.other);
break;
case GEN_OTHERNAME:
OTHERNAME_free(a->d.otherName);
break;
case GEN_EMAIL:
case GEN_DNS:
case GEN_URI:
M_ASN1_IA5STRING_free(a->d.ia5);
break;
case GEN_DIRNAME:
X509_NAME_free(a->d.dirn);
break;
case GEN_IPADD:
M_ASN1_OCTET_STRING_free(a->d.ip);
break;
case GEN_RID:
ASN1_OBJECT_free(a->d.rid);
break;
}
OPENSSL_free (a);
}
static int
x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx)
{
const unsigned char *p = *in, *q;
union {
STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
ASN1_VALUE *a;
} intname = {NULL};
union {
X509_NAME *x;
ASN1_VALUE *a;
} nm = {NULL};
int i, j, ret;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
q = p;
/* Get internal representation of Name */
ret = ASN1_item_ex_d2i(&intname.a, &p, len,
ASN1_ITEM_rptr(X509_NAME_INTERNAL), tag, aclass, opt, ctx);
if (ret <= 0)
return ret;
if (*val)
x509_name_ex_free(val, NULL);
if (!x509_name_ex_new(&nm.a, NULL))
goto err;
/* We've decoded it: now cache encoding */
if (!BUF_MEM_grow(nm.x->bytes, p - q))
goto err;
memcpy(nm.x->bytes->data, q, p - q);
/* Convert internal representation to X509_NAME structure */
for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname.s); i++) {
entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname.s, i);
for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
entry = sk_X509_NAME_ENTRY_value(entries, j);
entry->set = i;
if (!sk_X509_NAME_ENTRY_push(nm.x->entries, entry))
goto err;
}
sk_X509_NAME_ENTRY_free(entries);
}
sk_STACK_OF_X509_NAME_ENTRY_free(intname.s);
ret = x509_name_canon(nm.x);
if (!ret)
goto err;
nm.x->modified = 0;
*val = nm.a;
*in = p;
return ret;
err:
if (nm.x != NULL)
X509_NAME_free(nm.x);
ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
return 0;
}
X509_NAME* cnhelper_create_dn(const qeo_platform_device_info *info)
{
X509_NAME* dn = NULL;
do {
dn = X509_NAME_new();
if (dn) {
char devicename[MAX_CN_LENGTH];
strncpy(devicename, info->userFriendlyName, sizeof(devicename));
if (devicename[sizeof(devicename)-1] != '\0'){
strncpy(&devicename[sizeof(devicename)-4], "...", 4);
qeo_log_w("Device name exceeds the maximal allowed length of <%d> characters, cutting it off to <%s>.", sizeof(devicename)-1, devicename);
}
//TODO: now only the friendly name is forwarded to the server, in the future this needs to be extended
if (!X509_NAME_add_entry_by_NID(dn, NID_commonName, MBSTRING_ASC, (unsigned char* ) devicename, -1, -1, 0)) {
X509_NAME_free(dn);
dn = NULL;
break;
}
}
qeo_log_d("created DN for device");
} while (0);
return dn;
}
static int openssl_xname_gc(lua_State* L)
{
X509_NAME* xn = CHECK_OBJECT(1, X509_NAME, "openssl.x509_name");
lua_pushnil(L);
lua_setmetatable(L, 1);
X509_NAME_free(xn);
return 0;
}
/**
This extracts the first commonName and checks it against hostname.
*/
uint32_t
check_cn (SSL *ssl, const char *hostname)
{
uint32_t ret;
char *cn_buf;
X509 *certificate;
X509_NAME *xname;
cn_buf = malloc(HOST_NAME_MAX + 1);
if (NULL == cn_buf)
{
die ("Unable to allocate memory for cn_buf\n");
}
certificate = SSL_get_peer_certificate(ssl);
if (NULL == certificate)
{
die ("Unable to extract certificate\n");
}
memset(cn_buf, '\0', (HOST_NAME_MAX + 1));
xname = X509_get_subject_name(certificate);
ret = X509_NAME_get_text_by_NID(xname, NID_commonName,
cn_buf, HOST_NAME_MAX);
if (-1 == ret && ret != strlen(hostname))
{
die ("Unable to extract commonName\n");
}
if (strcasecmp(cn_buf, hostname))
{
verb ("V: commonName mismatch! Expected: %s - received: %s\n",
hostname, cn_buf);
} else {
verb ("V: commonName matched: %s\n", cn_buf);
X509_NAME_free(xname);
X509_free(certificate);
free(cn_buf);
return 1;
}
X509_NAME_free(xname);
X509_free(certificate);
free(cn_buf);
return 0;
}
MONO_API void
mono_btls_x509_name_free (MonoBtlsX509Name *name)
{
if (name->owns) {
if (name->name) {
X509_NAME_free(name->name);
name->name = NULL;
}
}
OPENSSL_free(name);
}
static STACK_OF(X509_NAME) *
use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
{
BIO *in = NULL;
X509 *x = NULL;
X509_NAME *xn = NULL;
STACK_OF(X509_NAME) *ret = NULL, *sk;
sk=sk_X509_NAME_new(xname_cmp);
in = BIO_new_mem_buf ((char *)ca_string, -1);
if (!in)
goto err;
if ((sk == NULL) || (in == NULL))
goto err;
for (;;)
{
if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
break;
if (ret == NULL)
{
ret = sk_X509_NAME_new_null();
if (ret == NULL)
goto err;
}
if ((xn=X509_get_subject_name(x)) == NULL) goto err;
/* check for duplicates */
xn=X509_NAME_dup(xn);
if (xn == NULL) goto err;
if (sk_X509_NAME_find(sk,xn) >= 0)
X509_NAME_free(xn);
else
{
sk_X509_NAME_push(sk,xn);
sk_X509_NAME_push(ret,xn);
}
}
if (0)
{
err:
if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
ret=NULL;
}
if (sk != NULL) sk_X509_NAME_free(sk);
if (in != NULL) BIO_free(in);
if (x != NULL) X509_free(x);
if (ret != NULL)
ERR_clear_error();
return(ret);
}
char *
x509_DN_string(u_int8_t *asn1, size_t sz)
{
X509_NAME *name;
u_int8_t *p = asn1;
char buf[256]; /* XXX Just a guess at a maximum length. */
name = d2i_X509_NAME(NULL, &p, sz);
if (!name) {
log_print("x509_DN_string: d2i_X509_NAME failed");
return 0;
}
if (!X509_NAME_oneline(name, buf, sizeof buf - 1)) {
log_print("x509_DN_string: X509_NAME_oneline failed");
X509_NAME_free(name);
return 0;
}
X509_NAME_free(name);
buf[sizeof buf - 1] = '\0';
return strdup(buf);
}
/*
* Deallocate the memory used by the X509Name object
*
* Arguments: self - The X509Name object
* Returns: None
*/
static void
crypto_X509Name_dealloc(crypto_X509NameObj *self)
{
PyObject_GC_UnTrack(self);
/* Sometimes we don't have to dealloc this */
if (self->dealloc)
X509_NAME_free(self->x509_name);
crypto_X509Name_clear(self);
PyObject_GC_Del(self);
}
X509_NAME *parse_name(const char *orig_name) {
char name[1025];
X509_NAME *parsed = NULL;
char *ptr = name;
char *part;
if(strlen(orig_name) > 1024) {
fprintf(stderr, "Name is to long!\n");
return NULL;
}
strcpy(name, orig_name);
if(*name != '/') {
fprintf(stderr, "Name does not start with '/'!\n");
return NULL;
}
parsed = X509_NAME_new();
if(!parsed) {
fprintf(stderr, "Failed to allocate memory\n");
return NULL;
}
while((part = strtok(ptr, "/"))) {
char *key;
char *value;
char *equals = strchr(part, '=');
if(!equals) {
fprintf(stderr, "The part '%s' doesn't seem to contain a =.\n", part);
goto parse_err;
}
*equals++ = '\0';
value = equals;
key = part;
ptr = NULL;
if(!key) {
fprintf(stderr, "Malformed name (%s)\n", part);
goto parse_err;
}
if(!value) {
fprintf(stderr, "Malformed name (%s)\n", part);
goto parse_err;
}
if(!X509_NAME_add_entry_by_txt(parsed, key, MBSTRING_UTF8, (unsigned char*)value, -1, -1, 0)) {
fprintf(stderr, "Failed adding %s=%s to name.\n", key, value);
goto parse_err;
}
}
return parsed;
parse_err:
X509_NAME_free(parsed);
return NULL;
}
static
std::string
ParseSubject (
IN const void * const p,
IN const unsigned s
) {
char szSubject[1024];
bool fOK = false;
#if defined(_WIN32)
CRYPT_DER_BLOB blobSubject = {s, (PBYTE)p};
if (
CertNameToStrA (
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
&blobSubject,
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
szSubject,
sizeof (szSubject)
) != 0
) {
fOK = true;
}
#else
X509_NAME *name;
name = X509_NAME_new ();
if (name != NULL) {
pkcs11_openssl_d2i_t pp = (pkcs11_openssl_d2i_t)p;
if (
d2i_X509_NAME (
&name,
&pp,
s
)
) {
X509_NAME_oneline (
name,
szSubject,
sizeof (szSubject)
);
fOK = true;
}
X509_NAME_free (name);
}
#endif
if (fOK) {
return szSubject;
}
else {
return "ERROR";
}
}
NamespacesPolicy::NamespacesPolicy(const std::string& issuer_subject_str, const std::string& ca_path): issuer_(issuer_subject_str), file_(NULL) {
X509_NAME* name = NULL;
if(issuer_.empty()) {
error_ = "Issuer for namespaces location is not defined";
return;
}
string_to_X509_NAME(&name, issuer_);
if(!name) {
error_ = "Failed to parsed X509_NAME from string";
return;
}
Init(name, ca_path);
X509_NAME_free(name);
}
char *
ca_asn1_name(uint8_t *asn1, size_t len)
{
X509_NAME *name = NULL;
char *str = NULL;
const uint8_t *p;
p = asn1;
if ((name = d2i_X509_NAME(NULL, &p, len)) == NULL)
return (NULL);
str = ca_x509_name(name);
X509_NAME_free(name);
return (str);
}
/** Return a newly allocated X509 name with commonName <b>cname</b>. */
static X509_NAME *
tor_x509_name_new(const char *cname)
{
int nid;
X509_NAME *name;
if (!(name = X509_NAME_new()))
return NULL;
if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
(unsigned char*)cname, -1, -1, 0)))
goto error;
return name;
error:
X509_NAME_free(name);
return NULL;
}
void spice_openssl_verify_free(SpiceOpenSSLVerify* verify)
{
if (!verify)
return;
free(verify->pubkey);
free(verify->subject);
free(verify->hostname);
if (verify->in_subject)
X509_NAME_free(verify->in_subject);
if (verify->ssl)
SSL_set_app_data(verify->ssl, NULL);
free(verify);
}
static X509 *make_cert()
{
X509 *ret = NULL;
X509 *crt = NULL;
X509_NAME *issuer = NULL;
crt = X509_new();
if (crt == NULL)
goto out;
if (!X509_set_version(crt, 3))
goto out;
ret = crt;
crt = NULL;
out:
X509_NAME_free(issuer);
return ret;
}
static X509 *
gen_cert(EVP_PKEY* pkey, const char *common, int days) {
X509 *x509 = NULL;
BIGNUM *serial_number = NULL;
X509_NAME *name = NULL;
if ((x509 = X509_new()) == NULL)
return NULL;
if (!X509_set_pubkey(x509, pkey))
return NULL;
ASN1_INTEGER* asn1_serial_number;
if ((serial_number = BN_new()) == NULL ||
!BN_pseudo_rand(serial_number, 64, 0, 0) ||
(asn1_serial_number = X509_get_serialNumber(x509)) == NULL ||
!BN_to_ASN1_INTEGER(serial_number, asn1_serial_number))
goto cert_err;
if (!X509_set_version(x509, 0L)) // version 1
goto cert_err;
if ((name = X509_NAME_new()) == NULL ||
!X509_NAME_add_entry_by_NID(
name, NID_commonName, MBSTRING_UTF8,
(unsigned char*)common, -1, -1, 0) ||
!X509_set_subject_name(x509, name) ||
!X509_set_issuer_name(x509, name))
goto cert_err;
if (!X509_gmtime_adj(X509_get_notBefore(x509), 0) ||
!X509_gmtime_adj(X509_get_notAfter(x509), days * 24 * 3600))
goto cert_err;
if (!X509_sign(x509, pkey, EVP_sha1()))
goto cert_err;
if (0) {
cert_err:
X509_free(x509);
x509 = NULL;
}
BN_free(serial_number);
X509_NAME_free(name);
return x509;
}
int X509_NAME_set(X509_NAME **xn, X509_NAME *name)
{
X509_NAME *in;
if (*xn == NULL) return(0);
if (*xn != name)
{
in=X509_NAME_dup(name);
if (in != NULL)
{
X509_NAME_free(*xn);
*xn=in;
}
}
return(*xn != NULL);
}
/**
This extracts the first commonName and checks it against hostname.
*/
uint32_t
check_cn (SSL *ssl, const char *hostname)
{
int ok = 0;
int ret;
char *cn_buf;
X509 *certificate;
X509_NAME *xname;
// We cast this to cast away g++ complaining about the following:
// error: invalid conversion from ‘void*’ to ‘char*’
cn_buf = (char *) xmalloc(TLSDATE_HOST_NAME_MAX + 1);
certificate = SSL_get_peer_certificate(ssl);
if (NULL == certificate)
{
die ("Unable to extract certificate");
}
memset(cn_buf, '\0', (TLSDATE_HOST_NAME_MAX + 1));
xname = X509_get_subject_name(certificate);
ret = X509_NAME_get_text_by_NID(xname, NID_commonName,
cn_buf, TLSDATE_HOST_NAME_MAX);
if (-1 == ret || ret != (int) strlen(cn_buf))
{
die ("Unable to extract commonName");
}
if (strcasecmp(cn_buf, hostname))
{
verb ("V: commonName mismatch! Expected: %s - received: %s",
hostname, cn_buf);
} else {
verb ("V: commonName matched: %s", cn_buf);
ok = 1;
}
X509_NAME_free(xname);
X509_free(certificate);
xfree(cn_buf);
return ok;
}
static PyObject *
ssl_Connection_get_client_ca_list(ssl_ConnectionObj *self, PyObject *args) {
STACK_OF(X509_NAME) *CANames;
PyObject *CAList;
int i, n;
if (!PyArg_ParseTuple(args, ":get_client_ca_list")) {
return NULL;
}
CANames = SSL_get_client_CA_list(self->ssl);
if (CANames == NULL) {
return PyList_New(0);
}
n = sk_X509_NAME_num(CANames);
CAList = PyList_New(n);
if (CAList == NULL) {
return NULL;
}
for (i = 0; i < n; i++) {
X509_NAME *CAName;
PyObject *CA;
CAName = X509_NAME_dup(sk_X509_NAME_value(CANames, i));
if (CAName == NULL) {
Py_DECREF(CAList);
exception_from_error_queue(ssl_Error);
return NULL;
}
CA = (PyObject *)new_x509name(CAName, 1);
if (CA == NULL) {
X509_NAME_free(CAName);
Py_DECREF(CAList);
return NULL;
}
if (PyList_SetItem(CAList, i, CA)) {
Py_DECREF(CA);
Py_DECREF(CAList);
return NULL;
}
}
return CAList;
}
/** Return a newly allocated X509 name with commonName <b>cname</b>. */
static X509_NAME *
tor_x509_name_new(const char *cname)
{
int nid;
X509_NAME *name;
/* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
if (!(name = X509_NAME_new()))
return NULL;
if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
(unsigned char*)cname, -1, -1, 0)))
goto error;
/* LCOV_EXCL_BR_STOP */
return name;
/* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
error:
X509_NAME_free(name);
return NULL;
/* LCOV_EXCL_STOP */
}
static OCSP_BASICRESP *make_dummy_resp(void)
{
const unsigned char namestr[] = "openssl.example.com";
unsigned char keybytes[128] = {7};
OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
OCSP_BASICRESP *bs_out = NULL;
OCSP_CERTID *cid = NULL;
ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
X509_NAME *name = X509_NAME_new();
ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
ASN1_INTEGER *serial = ASN1_INTEGER_new();
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
namestr, -1, -1, 1)
|| !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
|| !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
goto err;
cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
if (!TEST_ptr(bs)
|| !TEST_ptr(thisupd)
|| !TEST_ptr(nextupd)
|| !TEST_ptr(cid)
|| !TEST_true(OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd)))
goto err;
bs_out = bs;
bs = NULL;
err:
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
ASN1_BIT_STRING_free(key);
ASN1_INTEGER_free(serial);
OCSP_CERTID_free(cid);
OCSP_BASICRESP_free(bs);
X509_NAME_free(name);
return bs_out;
}
static bool test_name(const char *name, const char *expected) {
char buf[1024];
BIO *bio;
const char none[] = {0};
X509_NAME *parsed = parse_name(name);
if(parsed == NULL) {
return false;
}
bio = BIO_new(BIO_s_mem());
X509_NAME_print_ex(bio, parsed, 0, XN_FLAG_ONELINE);
BIO_write(bio, none, 1);
BIO_read(bio, buf, 1024);
BIO_free(bio);
X509_NAME_free(parsed);
if(strcmp(buf, expected) != 0) {
fprintf(stderr, "Names not matching: '%s' != '%s'\n", expected, buf);
return false;
}
return true;
}
/* check if subject from cert matches the id */
int
ca_x509_subject_cmp(X509 *cert, struct iked_static_id *id)
{
X509_NAME *subject, *idname = NULL;
const uint8_t *idptr;
size_t idlen;
int ret = -1;
if (id->id_type != IKEV2_ID_ASN1_DN)
return (-1);
if ((subject = X509_get_subject_name(cert)) == NULL)
return (-1);
if (id->id_length <= id->id_offset)
return (-1);
idlen = id->id_length - id->id_offset;
idptr = id->id_data + id->id_offset;
if ((idname = d2i_X509_NAME(NULL, &idptr, idlen)) == NULL)
return (-1);
if (X509_NAME_cmp(subject, idname) == 0)
ret = 0;
X509_NAME_free(idname);
return (ret);
}
void pki_x509req::setSubject(const x509name &n)
{
if (request->req_info->subject != NULL)
X509_NAME_free(request->req_info->subject);
request->req_info->subject = n.get();
}
