static int
SSL_CTX_use_certificate_file_with_check(
SSL_CTX *ctx,
char *file,
int type)
{
FILE *fp;
X509 *x509;
X509_STORE_CTX *sctx;
int ret;
ret = SSL_CTX_use_certificate_file(ctx, file, type);
if(!ret) return ret;
if(!(fp = fopen(file, "r"))) {
return -1;
}
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
if(!x509){
rewind(fp);
x509 = d2i_X509_fp(fp, NULL);
}
fclose(fp);
if(!x509) return -1;
X509_STORE_add_cert(ctx->cert_store, x509);
sctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(sctx, ctx->cert_store, x509, NULL);
X509_STORE_CTX_set_verify_cb(sctx, LocalVerifyCallBack);
X509_verify_cert(sctx);
X509_STORE_CTX_free(sctx);
CheckValidPeriod(x509);
return ret;
}
bool SSLSocket::verifyKeyprint(const string& expKP, bool allowUntrusted) noexcept
{
if (!ssl)
return true;
if (expKP.empty() || expKP.find("/") == string::npos)
return allowUntrusted;
verifyData.reset(new CryptoManager::SSLVerifyData(allowUntrusted, expKP));
SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get());
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
X509_STORE* store = X509_STORE_new();
bool result = false;
int err = SSL_get_verify_result(ssl);
if (ssl_ctx && store)
{
X509_STORE_CTX* vrfy_ctx = X509_STORE_CTX_new();
X509* cert = SSL_get_peer_certificate(ssl);
if (vrfy_ctx && cert && X509_STORE_CTX_init(vrfy_ctx, store, cert, SSL_get_peer_cert_chain(ssl)))
{
X509_STORE_CTX_set_ex_data(vrfy_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), ssl);
X509_STORE_CTX_set_verify_cb(vrfy_ctx, SSL_CTX_get_verify_callback(ssl_ctx));
int verify_result = 0;
if ((verify_result = X509_verify_cert(vrfy_ctx)) >= 0)
{
err = X509_STORE_CTX_get_error(vrfy_ctx);
// Watch out for weird library errors that might not set the context error code
if (err == X509_V_OK && verify_result <= 0)
err = X509_V_ERR_UNSPECIFIED;
// This is for people who don't restart their clients and have low expiration time on their cert
result = (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED) || (allowUntrusted && err != X509_V_ERR_APPLICATION_VERIFICATION);
}
}
if (cert) X509_free(cert);
if (vrfy_ctx) X509_STORE_CTX_free(vrfy_ctx);
if (store) X509_STORE_free(store);
}
// KeyPrint is a strong indicator of trust
SSL_set_verify_result(ssl, err);
return result;
}
static int
SSL_CTX_use_certificate_with_check(
SSL_CTX *ctx,
X509 *x509)
{
int ret;
X509_STORE_CTX *sctx;
ret = SSL_CTX_use_certificate(ctx, x509);
if(!ret)return ret;
X509_STORE_add_cert(ctx->cert_store, x509);
sctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(sctx, ctx->cert_store, x509, NULL);
X509_STORE_CTX_set_verify_cb(sctx, LocalVerifyCallBack);
X509_verify_cert(sctx);
X509_STORE_CTX_free(sctx);
CheckValidPeriod(x509);
return ret;
}
int
ca_X509_verify(void *certificate, void *chain, const char *CAfile,
const char *CRLfile, const char **errstr)
{
X509_STORE *store = NULL;
X509_STORE_CTX *xsc = NULL;
int ret = 0;
if ((store = X509_STORE_new()) == NULL)
goto end;
if (!X509_STORE_load_locations(store, CAfile, NULL)) {
log_warn("warn: unable to load CA file %s", CAfile);
goto end;
}
X509_STORE_set_default_paths(store);
if ((xsc = X509_STORE_CTX_new()) == NULL)
goto end;
if (X509_STORE_CTX_init(xsc, store, certificate, chain) != 1)
goto end;
X509_STORE_CTX_set_verify_cb(xsc, ca_verify_cb);
ret = X509_verify_cert(xsc);
end:
*errstr = NULL;
if (ret != 1) {
if (xsc)
*errstr = X509_verify_cert_error_string(xsc->error);
else if (ERR_peek_last_error())
*errstr = ERR_error_string(ERR_peek_last_error(), NULL);
}
if (xsc)
X509_STORE_CTX_free(xsc);
if (store)
X509_STORE_free(store);
return ret > 0 ? 1 : 0;
}
bool SSLSocket::verifyKeyprint(const string& expKP, bool allowUntrusted) noexcept {
if(!ssl)
return true;
if(expKP.empty() || expKP.find("/") == string::npos)
return allowUntrusted;
verifyData.reset(new CryptoManager::SSLVerifyData(allowUntrusted, expKP));
SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get());
SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
bool result = allowUntrusted;
int err = SSL_get_verify_result(ssl);
if(ssl_ctx && store) {
X509_STORE_CTX* vrfy_ctx = X509_STORE_CTX_new();
X509* cert = SSL_get_peer_certificate(ssl);
if(vrfy_ctx && cert && X509_STORE_CTX_init(vrfy_ctx, store, cert, SSL_get_peer_cert_chain(ssl))) {
auto vrfy_cb = SSL_CTX_get_verify_callback(ssl_ctx);
X509_STORE_CTX_set_ex_data(vrfy_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), ssl);
X509_STORE_CTX_set_verify_cb(vrfy_ctx, vrfy_cb);
if(X509_verify_cert(vrfy_ctx) >= 0) {
err = X509_STORE_CTX_get_error(vrfy_ctx);
// This is for people who don't restart their clients and have low expiration time on their cert
result = (err == X509_V_OK) || (err == X509_V_ERR_CERT_HAS_EXPIRED);
}
}
if(cert) X509_free(cert);
if(vrfy_ctx) X509_STORE_CTX_free(vrfy_ctx);
}
// KeyPrint is a strong indicator of trust (TODO: check that this KeyPrint is mediated by a trusted hub)
SSL_set_verify_result(ssl, err);
return result;
}
extern "C" void CryptoNative_X509StoreCtxSetVerifyCallback(X509_STORE_CTX* ctx, X509StoreVerifyCallback callback)
{
X509_STORE_CTX_set_verify_cb(ctx, callback);
}
