void ssl_cert_clear_certs(CERT *c)
{
int i;
if (c == NULL)
return;
for (i = 0; i<SSL_PKEY_NUM; i++)
{
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509)
{
X509_free(cpk->x509);
cpk->x509 = NULL;
}
if (cpk->privatekey)
{
EVP_PKEY_free(cpk->privatekey);
cpk->privatekey = NULL;
}
if (cpk->chain)
{
sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = NULL;
}
}
}
void
ssl_sess_cert_free(SESS_CERT *sc)
{
int i;
if (sc == NULL)
return;
i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
if (i > 0)
return;
/* i == 0 */
if (sc->cert_chain != NULL)
sk_X509_pop_free(sc->cert_chain, X509_free);
for (i = 0; i < SSL_PKEY_NUM; i++) {
if (sc->peer_pkeys[i].x509 != NULL)
X509_free(sc->peer_pkeys[i].x509);
}
DH_free(sc->peer_dh_tmp);
EC_KEY_free(sc->peer_ecdh_tmp);
free(sc);
}
static void
xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
xmlSecAssert(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId));
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert(ctx != NULL);
if(ctx->xst != NULL) {
X509_STORE_free(ctx->xst);
}
if(ctx->untrusted != NULL) {
sk_X509_pop_free(ctx->untrusted, X509_free);
}
if(ctx->crls != NULL) {
sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free);
}
#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097)
if(ctx->vpm != NULL) {
X509_VERIFY_PARAM_free(ctx->vpm);
}
#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */
memset(ctx, 0, sizeof(xmlSecOpenSSLX509StoreCtx));
}
static VALUE
ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
{
VALUE store, cert, chain, t;
X509_STORE_CTX *ctx;
X509_STORE *x509st;
X509 *x509 = NULL;
STACK_OF(X509) *x509s = NULL;
rb_scan_args(argc, argv, "12", &store, &cert, &chain);
GetX509StCtx(self, ctx);
SafeGetX509Store(store, x509st);
if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */
if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain);
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){
sk_X509_pop_free(x509s, X509_free);
ossl_raise(eX509StoreError, NULL);
}
#else
X509_STORE_CTX_init(ctx, x509st, x509, x509s);
ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags"));
ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose"));
ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust"));
#endif
if (!NIL_P(t = rb_iv_get(store, "@time")))
ossl_x509stctx_set_time(self, t);
rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback"));
rb_iv_set(self, "@cert", cert);
return self;
}
/**
* This function destroys a globus_gsi_callback_data_t.
* @ingroup globus_gsi_callback_data
*
* @param callback_data
* The structure to be destroyed
*
* @return
* GLOBUS_SUCCESS unless an error occurred, in which case,
* a globus error object ID is returned
*/
globus_result_t
globus_gsi_callback_data_destroy(
globus_gsi_callback_data_t callback_data)
{
globus_result_t result = GLOBUS_SUCCESS;
static char * _function_name_ =
"globus_gsi_callback_data_destroy";
GLOBUS_I_GSI_CALLBACK_DEBUG_ENTER;
if(!callback_data)
{
goto exit;
}
if(callback_data->cert_chain)
{
sk_X509_pop_free(callback_data->cert_chain, X509_free);
}
if(callback_data->cert_dir)
{
globus_libc_free(callback_data->cert_dir);
}
/* extension_oids have to be free independantly */
globus_object_free(globus_error_get(callback_data->error));
globus_libc_free(callback_data);
exit:
GLOBUS_I_GSI_CALLBACK_DEBUG_EXIT;
return result;
}
// success of certificates extraction
bool pemData(X509_STORE_CTX* ctx, ListHashSet<String>& certificates)
{
bool ok = true;
STACK_OF(X509)* certs = X509_STORE_CTX_get1_chain(ctx);
for (int i = 0; i < sk_X509_num(certs); i++) {
X509* uCert = sk_X509_value(certs, i);
BIO* bio = BIO_new(BIO_s_mem());
int res = PEM_write_bio_X509(bio, uCert);
if (!res) {
ok = false;
BIO_free(bio);
break;
}
unsigned char* certificateData;
long length = BIO_get_mem_data(bio, &certificateData);
if (length < 0) {
ok = false;
BIO_free(bio);
break;
}
certificateData[length] = '\0';
String certificate = certificateData;
certificates.add(certificate);
BIO_free(bio);
}
sk_X509_pop_free(certs, X509_free);
return ok;
}
static VALUE
ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self)
{
VALUE signer_cert, signer_key, certs, flags;
OCSP_REQUEST *req;
X509 *signer;
EVP_PKEY *key;
STACK_OF(X509) *x509s;
unsigned long flg;
int ret;
rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags);
signer = GetX509CertPtr(signer_cert);
key = GetPrivPKeyPtr(signer_key);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(certs)){
x509s = sk_X509_new_null();
flags |= OCSP_NOCERTS;
}
else x509s = ossl_x509_ary2sk(certs);
GetOCSPReq(self, req);
ret = OCSP_request_sign(req, signer, key, EVP_sha1(), x509s, flg);
sk_X509_pop_free(x509s, X509_free);
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
static LUA_FUNCTION(openssl_pkcs7_sign)
{
BIO *in = load_bio_object(L, 1);
X509 *cert = CHECK_OBJECT(2, X509, "openssl.x509");
EVP_PKEY *privkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
STACK_OF(X509) *others = lua_isnoneornil(L, 4) ? 0 : openssl_sk_x509_fromtable(L, 4);
long flags = luaL_optint(L, 5, 0);
PKCS7 *p7 = NULL;
luaL_argcheck(L, openssl_pkey_is_private(privkey), 3, "must be private key");
if (!X509_check_private_key(cert, privkey))
luaL_error(L, "sigcert and private key not match");
p7 = PKCS7_sign(cert, privkey, others, in, flags);
BIO_free(in);
if (others)
sk_X509_pop_free(others, X509_free);
if (p7)
{
PUSH_OBJECT(p7, "openssl.pkcs7");
return 1;
}
else
{
luaL_error(L, "error creating PKCS7 structure!");
}
return 0;
}
static VALUE
ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
{
VALUE signer_cert, signer_key, certs, flags;
OCSP_BASICRESP *bs;
X509 *signer;
EVP_PKEY *key;
STACK_OF(X509) *x509s;
unsigned long flg;
int ret;
rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags);
signer = GetX509CertPtr(signer_cert);
key = GetPrivPKeyPtr(signer_key);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(certs)){
x509s = sk_X509_new_null();
flg |= OCSP_NOCERTS;
}
else{
x509s = ossl_x509_ary2sk(certs);
}
GetOCSPBasicRes(self, bs);
ret = OCSP_basic_sign(bs, signer, key, EVP_sha1(), x509s, flg);
sk_X509_pop_free(x509s, X509_free);
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
void ssl_cert_clear_certs(CERT *c)
{
int i;
if (c == NULL)
return;
for (i = 0; i<SSL_PKEY_NUM; i++)
{
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509)
{
X509_free(cpk->x509);
cpk->x509 = NULL;
}
if (cpk->privatekey)
{
EVP_PKEY_free(cpk->privatekey);
cpk->privatekey = NULL;
}
if (cpk->chain)
{
sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = NULL;
}
#ifndef OPENSSL_NO_TLSEXT
if (cpk->serverinfo)
{
OPENSSL_free(cpk->serverinfo);
cpk->serverinfo = NULL;
cpk->serverinfo_length = 0;
}
#endif
/* Clear all flags apart from explicit sign */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
}
}
STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)
{
STACK_OF(X509) *certs = NULL;
CMS_CertificateChoices *cch;
STACK_OF(CMS_CertificateChoices) **pcerts;
int i;
pcerts = cms_get0_certificate_choices(cms);
if (!pcerts)
return NULL;
for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)
{
cch = sk_CMS_CertificateChoices_value(*pcerts, i);
if (cch->type == 0)
{
if (!certs)
{
certs = sk_X509_new_null();
if (!certs)
return NULL;
}
if (!sk_X509_push(certs, cch->d.certificate))
{
sk_X509_pop_free(certs, X509_free);
return NULL;
}
CRYPTO_add(&cch->d.certificate->references,
1, CRYPTO_LOCK_X509);
}
}
return certs;
}
void AC_CERTS_free(AC_CERTS *a)
{
if (a==NULL) return;
sk_X509_pop_free(a->stackcert, X509_free);
OPENSSL_free(a);
}
static int check_signer_name(CMS_ContentInfo *cms, const char *name)
{
STACK_OF(CMS_SignerInfo) *infos = CMS_get0_SignerInfos(cms);
STACK_OF(X509) *crts;
int i, ret = 1;
if ((name == NULL) || (name[0] == '\0'))
return 0;
crts = CMS_get1_certs(cms);
for (i = 0; i < sk_CMS_SignerInfo_num(infos); ++i) {
CMS_SignerInfo *si = sk_CMS_SignerInfo_value(infos, i);
int j;
for (j = 0; j < sk_X509_num(crts); ++j) {
X509 *crt = sk_X509_value(crts, j);
if (CMS_SignerInfo_cert_cmp(si, crt) == 0) {
ret = check_common_name(
X509_get_subject_name(crt), name);
}
}
}
sk_X509_pop_free(crts, X509_free);
return ret;
}
static VALUE
ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self)
{
VALUE pass, name, pkey, cert, ca;
VALUE obj;
char *passphrase, *friendlyname;
EVP_PKEY *key;
X509 *x509;
STACK_OF(X509) *x509s;
PKCS12 *p12;
rb_scan_args(argc, argv, "41", &pass, &name, &pkey, &cert, &ca);
passphrase = NIL_P(pass) ? NULL : StringValuePtr(pass);
friendlyname = NIL_P(name) ? NULL : StringValuePtr(name);
key = GetPKeyPtr(pkey);
x509 = GetX509CertPtr(cert);
x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca);
p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s,
0, 0, 0, 0, 0);
sk_X509_pop_free(x509s, X509_free);
if(!p12) ossl_raise(ePKCS12Error, NULL);
WrapPKCS12(cPKCS12, obj, p12);
return obj;
}
static LUA_FUNCTION(openssl_pkcs7_encrypt)
{
PKCS7 * p7 = NULL;
BIO *in = load_bio_object(L, 1);
STACK_OF(X509) *recipcerts = openssl_sk_x509_fromtable(L, 2);
const EVP_CIPHER *cipher = get_cipher(L, 3, "des3");
long flags = luaL_optint(L, 4, 0);
if (cipher == NULL)
{
luaL_error(L, "Failed to get cipher");
}
p7 = PKCS7_encrypt(recipcerts, in, cipher, flags);
BIO_free(in);
sk_X509_pop_free(recipcerts, X509_free);
if (p7 == NULL)
{
lua_pushnil(L);
}
else
{
PUSH_OBJECT(p7, "openssl.pkcs7");
}
return 1;
}
/*
* call-seq:
* PKCS7.encrypt(certs, data, [, cipher [, flags]]) => pkcs7
*/
static VALUE
ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
{
VALUE certs, data, cipher, flags;
STACK_OF(X509) *x509s;
BIO *in;
const EVP_CIPHER *ciph;
int flg, status = 0;
VALUE ret;
PKCS7 *p7;
rb_scan_args(argc, argv, "22", &certs, &data, &cipher, &flags);
if(NIL_P(cipher)){
#if !defined(OPENSSL_NO_RC2)
ciph = EVP_rc2_40_cbc();
#elif !defined(OPENSSL_NO_DES)
ciph = EVP_des_ede3_cbc();
#elif !defined(OPENSSL_NO_RC2)
ciph = EVP_rc2_40_cbc();
#elif !defined(OPENSSL_NO_AES)
ciph = EVP_EVP_aes_128_cbc();
#else
ossl_raise(ePKCS7Error, "Must specify cipher");
#endif
}
else ciph = GetCipherPtr(cipher); /* NO NEED TO DUP */
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
ret = NewPKCS7(cPKCS7);
in = ossl_obj2bio(data);
x509s = ossl_protect_x509_ary2sk(certs, &status);
if(status){
BIO_free(in);
rb_jump_tag(status);
}
if(!(p7 = PKCS7_encrypt(x509s, in, (EVP_CIPHER*)ciph, flg))){
BIO_free(in);
sk_X509_pop_free(x509s, X509_free);
ossl_raise(ePKCS7Error, NULL);
}
BIO_free(in);
SetPKCS7(ret, p7);
ossl_pkcs7_set_data(ret, data);
sk_X509_pop_free(x509s, X509_free);
return ret;
}
void NETSCAPE_CERT_SEQUENCE_free (NETSCAPE_CERT_SEQUENCE *a)
{
if (a == NULL) return;
ASN1_OBJECT_free(a->type);
if(a->certs)
sk_X509_pop_free(a->certs, X509_free);
OPENSSL_free (a);
}
void s2n_x509_validator_wipe(struct s2n_x509_validator *validator) {
if (validator->cert_chain) {
sk_X509_pop_free(validator->cert_chain, X509_free);
validator->cert_chain = NULL;
}
validator->trust_store = NULL;
validator->skip_cert_validation = 0;
}
/*
* Private functions
*/
static void
ossl_x509stctx_free(X509_STORE_CTX *ctx)
{
if(ctx->untrusted)
sk_X509_pop_free(ctx->untrusted, X509_free);
if(ctx->cert)
X509_free(ctx->cert);
X509_STORE_CTX_free(ctx);
}
static void
z_certificate_chain_free_method(ZObject *s)
{
ZCertificateChain *self = Z_CAST(s, ZCertificateChain);
if (self->cert)
X509_free(self->cert);
sk_X509_pop_free(self->chain, X509_free);
z_object_free_method(s);
}
bdoc::SignatureValidator::~SignatureValidator()
{
if (_ocspCerts) {
sk_X509_pop_free(_ocspCerts, X509_free);
}
if (_issuerX509) {
X509_free(_issuerX509);
}
}
static VALUE
ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self)
{
VALUE certs, store, indata, flags;
STACK_OF(X509) *x509s;
X509_STORE *x509st;
int flg, ok, status = 0;
BIO *in, *out;
PKCS7 *p7;
VALUE data;
const char *msg;
rb_scan_args(argc, argv, "22", &certs, &store, &indata, &flags);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self);
in = NIL_P(indata) ? NULL : ossl_obj2bio(indata);
if(NIL_P(certs)) x509s = NULL;
else{
x509s = ossl_protect_x509_ary2sk(certs, &status);
if(status){
BIO_free(in);
/* rb_jump_tag(status); */
rb_notimplement();
}
}
x509st = GetX509StorePtr(store);
GetPKCS7(self, p7);
if(!(out = BIO_new(BIO_s_mem()))){
BIO_free(in);
sk_X509_pop_free(x509s, X509_free);
ossl_raise(ePKCS7Error, NULL);
}
ok = PKCS7_verify(p7, x509s, x509st, in, out, flg);
BIO_free(in);
if (ok < 0) ossl_raise(ePKCS7Error, NULL);
msg = ERR_reason_error_string(ERR_get_error());
ossl_pkcs7_set_err_string(self, msg ? rb_str_new2(msg) : Qnil);
ERR_clear_error();
data = ossl_membio2str(out);
ossl_pkcs7_set_data(self, data);
sk_X509_pop_free(x509s, X509_free);
return (ok == 1) ? Qtrue : Qfalse;
}
static void
ctx_free(ctx *ctx)
{
if (ctx == NULL)
return;
sk_X509_INFO_pop_free(ctx->dec, X509_INFO_free);
sk_X509_pop_free(ctx->crt, X509_free);
SSL_CTX_free(ctx->ctx);
OPENSSL_free(ctx);
}
/*
* Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
*
* Chain is as follows:
*
* rootCA (self-signed)
* |
* interCA
* |
* subinterCA subinterCA (self-signed)
* | |
* leaf ------------------
* |
* bad
*
* rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE
* leaf and bad have CA=FALSE
*
* subinterCA and subinterCA (ss) have the same subject name and keys
*
* interCA (but not rootCA) and subinterCA (ss) are in the trusted store
* (roots.pem)
* leaf and subinterCA are in the untrusted list (untrusted.pem)
* bad is the certificate being verified (bad.pem)
*
* Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has
* CA=FALSE, and will therefore incorrectly verify bad
*
*/
static int test_alt_chains_cert_forgery(const char *roots_f,
const char *untrusted_f,
const char *bad_f)
{
int ret = 0;
int i;
X509 *x = NULL;
STACK_OF(X509) *untrusted = NULL;
BIO *bio = NULL;
X509_STORE_CTX *sctx = NULL;
X509_STORE *store = NULL;
X509_LOOKUP *lookup = NULL;
store = X509_STORE_new();
if (store == NULL)
goto err;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto err;
if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))
goto err;
untrusted = load_certs_from_file(untrusted_f);
if ((bio = BIO_new_file(bad_f, "r")) == NULL)
goto err;
if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)
goto err;
sctx = X509_STORE_CTX_new();
if (sctx == NULL)
goto err;
if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
goto err;
i = X509_verify_cert(sctx);
if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
/* This is the result we were expecting: Test passed */
ret = 1;
}
err:
X509_STORE_CTX_free(sctx);
X509_free(x);
BIO_free(bio);
sk_X509_pop_free(untrusted, X509_free);
X509_STORE_free(store);
if (ret != 1)
ERR_print_errors_fp(stderr);
return ret;
}
// VerifyChain verifies the certificate chain in chain
// according to the verification options given as opts.
bool X509VerifierPrivate::VerifyChain(std::vector<X509Certificate> chain, const X509VerifierOptions &opts) {
bool status = false;
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
STACK_OF(X509) *untrusted = sk_X509_new_null();
// Ensure that we have a chain to check on.
if (chain.empty()) {
goto out;
}
// If we've been passed a DNS name in opts,
// we should check whether the leaf certificate
// matches that before doing the more expensive
// checks.
if (!opts.dns_name.empty()) {
if (!X509HostnameVerifier::VerifyHostname(chain.at(0), opts.dns_name)) {
std::cerr << "X509VerifierPrivate - hostname verification failed" << std::endl;
goto out;
}
}
// Extract our chain into the format that OpenSSL
// expects for verification.
for (X509Certificate &cert : chain) {
X509 *cur = cert.dptr_->AsOpenSSLX509();
sk_X509_push(untrusted, cur);
}
// Set up the X509_STORE_CTX to verify according to opts.
X509_STORE_CTX_init(ctx, store_, sk_X509_value(untrusted, 0), untrusted);
// If a time is not specified in opts, use the current system time.
if (opts.time == 0) {
X509_STORE_CTX_set_time(ctx, 0, std::time(nullptr));
} else {
X509_STORE_CTX_set_time(ctx, 0, opts.time);
}
// If a dns_name is specified in opts, use the SSL server policy.
if (!opts.dns_name.empty()) {
X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SSL_SERVER);
X509_STORE_CTX_set_trust(ctx, X509_TRUST_SSL_SERVER);
}
if (X509_verify_cert(ctx) == 1) {
status = true;
} else {
std::cerr << "X509VerifierPrivate - verification error: " << X509_verify_cert_error_string(ctx->error) << std::endl;
}
out:
sk_X509_pop_free(untrusted, X509_free);
X509_STORE_CTX_free(ctx);
return status;
}
static int
lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
const char *CAfile, const char *CRLfile)
{
X509 *x509;
X509 *x509_tmp;
X509 *x509_tmp2;
STACK_OF(X509) *x509_chain;
const unsigned char *d2i;
size_t i;
int ret = 0;
const char *errstr;
x509 = NULL;
x509_tmp = NULL;
x509_chain = NULL;
d2i = vrfy->cert;
if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) {
x509 = NULL;
goto end;
}
if (vrfy->n_chain) {
x509_chain = sk_X509_new_null();
for (i = 0; i < vrfy->n_chain; ++i) {
d2i = vrfy->chain_cert[i];
if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) {
x509_tmp = NULL;
goto end;
}
if ((x509_tmp2 = X509_dup(x509_tmp)) == NULL)
goto end;
sk_X509_insert(x509_chain, x509_tmp2, i);
x509_tmp = x509_tmp2 = NULL;
}
}
if (! ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
log_debug("debug: lka: X509 verify: %s", errstr);
else
ret = 1;
end:
if (x509)
X509_free(x509);
if (x509_tmp)
X509_free(x509_tmp);
if (x509_chain)
sk_X509_pop_free(x509_chain, X509_free);
return ret;
}
RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack)
{
PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
/*
* Use the pfnCertFindAll method to add all certificates to the store we're returning.
*/
int rc;
STACK_OF(X509) *pOsslStack = sk_X509_new_null();
if (pOsslStack)
{
RTCRSTORECERTSEARCH Search;
rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
if (RT_SUCCESS(rc))
{
do
{
PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
if (!pCertCtx)
break;
if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
{
X509 *pOsslCert = NULL;
const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded;
if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
{
if (!sk_X509_push(pOsslStack, pOsslCert))
{
rc = VERR_NO_MEMORY;
X509_free(pOsslCert);
}
}
}
RTCrCertCtxRelease(pCertCtx);
} while (RT_SUCCESS(rc));
pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
if (RT_SUCCESS(rc))
{
*ppvOpenSslStack = pOsslStack;
return VINF_SUCCESS;
}
}
sk_X509_pop_free(pOsslStack, X509_free);
}
else
rc = VERR_NO_MEMORY;
return rc;
}
/*
* call-seq:
* PKCS7.sign(cert, key, data, [, certs [, flags]]) => pkcs7
*/
static VALUE
ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass)
{
VALUE cert, key, data, certs, flags;
X509 *x509;
EVP_PKEY *pkey;
BIO *in;
STACK_OF(X509) *x509s;
int flg, status = 0;
PKCS7 *pkcs7;
VALUE ret;
rb_scan_args(argc, argv, "32", &cert, &key, &data, &certs, &flags);
x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
ret = NewPKCS7(cPKCS7);
in = ossl_obj2bio(data);
if(NIL_P(certs)) x509s = NULL;
else{
x509s = ossl_protect_x509_ary2sk(certs, &status);
if(status){
BIO_free(in);
rb_jump_tag(status);
}
}
if(!(pkcs7 = PKCS7_sign(x509, pkey, x509s, in, flg))){
BIO_free(in);
sk_X509_pop_free(x509s, X509_free);
ossl_raise(ePKCS7Error, NULL);
}
SetPKCS7(ret, pkcs7);
ossl_pkcs7_set_data(ret, data);
ossl_pkcs7_set_err_string(ret, Qnil);
BIO_free(in);
sk_X509_pop_free(x509s, X509_free);
return ret;
}
/* Free up and clear all certificates and chains */
void ssl_cert_clear_certs(CERT *cert) {
if (cert == NULL) {
return;
}
X509_free(cert->x509);
cert->x509 = NULL;
EVP_PKEY_free(cert->privatekey);
cert->privatekey = NULL;
sk_X509_pop_free(cert->chain, X509_free);
cert->chain = NULL;
cert->key_method = NULL;
}
/* Delete the memory used for string errors as well as memory allocated for
* certificates and private keys. */
void signature_deinit(void)
{
if (store) {
X509_STORE_free(store);
store = NULL;
}
if (x509_stack) {
sk_X509_pop_free(x509_stack, X509_free);
x509_stack = NULL;
}
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
}
