int check_crl ( PKI_X509_CRL *x_crl, PKI_X509_CERT *x_cacert,
OCSPD_CONFIG *conf ) {
PKI_X509_KEYPAIR_VALUE *pkey = NULL;
PKI_X509_KEYPAIR *k = NULL;
int ret = -1;
if (!conf) return (-1);
PKI_RWLOCK_read_lock ( &conf->crl_lock );
if( !x_crl || !x_crl->value || !x_cacert || !x_cacert->value ) {
if( conf->verbose ) {
if(!x_crl || !x_crl->value)
PKI_log_err ("CRL missing");
if(!x_cacert || !x_cacert->value)
PKI_log_err("CA cert missing");
}
PKI_RWLOCK_release_read ( &conf->crl_lock );
return(-1);
}
/* Gets the Public Key of the CA Certificate */
if((pkey = PKI_X509_CERT_get_data( x_cacert,
PKI_X509_DATA_PUBKEY )) == NULL ) {
PKI_log_err( "Can not parse PubKey from CA Cert");
PKI_RWLOCK_release_read ( &conf->crl_lock );
return(-3);
}
if ((k = PKI_X509_new_value(PKI_DATATYPE_X509_KEYPAIR, pkey, NULL))
== NULL ) {
PKI_log_err ("Memory Error!");
PKI_RWLOCK_release_read ( &conf->crl_lock );
return(-3);
}
if ( PKI_X509_verify ( x_crl, k ) == PKI_OK ) {
PKI_log_debug("CRL signature is verified!");
ret = PKI_OK;
} else {
ret = PKI_ERR;
}
k->value = NULL;
PKI_X509_KEYPAIR_free ( k );
PKI_RWLOCK_release_read ( &conf->crl_lock );
if ( ret > 0 ) {
PKI_log(PKI_LOG_INFO, "CRL matching CA cert ok [ %d ]",
ret);
}
return ret;
}
int PKI_X509_CERT_is_selfsigned ( PKI_X509_CERT *x ) {
PKI_X509_KEYPAIR *kp = NULL;
PKI_X509_KEYPAIR *kval = NULL;
int ret = -1;
if (!x) return PKI_ERR;
kval = PKI_X509_CERT_get_data ( x, PKI_X509_DATA_PUBKEY );
if ( !kval ) return PKI_ERR;
kp = PKI_X509_new_value ( PKI_DATATYPE_X509_KEYPAIR, kval, NULL);
if ( !kp ) return PKI_ERR;
ret = PKI_X509_verify ( x, kp );
kp->value = NULL;
PKI_X509_KEYPAIR_free ( kp );
return ret;
}
PKI_X509_OCSP_REQ * ocspd_req_get_socket ( int connfd, OCSPD_CONFIG *ocspd_conf)
{
PKI_X509_OCSP_REQ *req = NULL;
PKI_X509_OCSP_REQ_VALUE *req_val = NULL;
PKI_IO *mem = NULL;
PKI_MEM *pathmem = NULL;
PKI_MEM *b64mem = NULL;
PKI_SOCKET sock;
size_t maxsize = 0;
maxsize = (size_t) ocspd_conf->max_req_size;
PKI_HTTP *http_msg = NULL;
if ( connfd <= 0 ) return NULL;
// Initialize the sock structure
sock.ssl = NULL;
PKI_SOCKET_set_fd ( &sock, connfd );
http_msg = PKI_HTTP_get_message(&sock, (int) ocspd_conf->max_timeout_secs, maxsize);
if (http_msg == NULL)
{
PKI_log_err ("Network Error while reading Request!");
return NULL;
};
/* If method is METHOD_GET we shall de-urlify the buffer and get the
right begin (keep in mind there might be a path set in the config */
if( http_msg->method == PKI_HTTP_METHOD_GET )
{
char *req_pnt = NULL;
if (http_msg->path == NULL)
{
PKI_log_err("Malformed GET request");
goto err;
}
req_pnt = http_msg->path;
while(strchr(req_pnt, '/') != NULL)
{
req_pnt = strchr(req_pnt, '/') + 1;
}
pathmem = PKI_MEM_new_data(strlen(req_pnt), (unsigned char *) req_pnt);
if (pathmem == NULL)
{
PKI_log_err("Memory Allocation Error!");
goto err;
}
if((b64mem = PKI_MEM_url_decode (pathmem, 0)) == NULL)
{
PKI_log_err("Memory Allocation Error!");
PKI_MEM_free(pathmem);
pathmem = NULL; // Safety
goto err;
}
if (PKI_MEM_B64_decode(b64mem, 76) == PKI_ERR )
{
PKI_log_err ("Error decoding B64 Mem");
PKI_MEM_free ( b64mem );
b64mem = NULL;
req_pnt = http_msg->path;
while(req_pnt[0] == '/')
{
req_pnt=req_pnt + 1;
}
b64mem = PKI_MEM_new_data(strlen(req_pnt), (unsigned char *) req_pnt);
if (b64mem == NULL)
{
PKI_log_err("Memory Allocation Error!");
goto err;
}
if (PKI_MEM_B64_decode(b64mem, 76) == PKI_ERR )
{
PKI_log_err ("Error decoding B64 Mem");
PKI_MEM_free ( b64mem );
goto err;
}
}
if((mem = BIO_new_mem_buf(b64mem->data, (int) b64mem->size )) == NULL)
{
PKI_log_err("Memory Allocation Error");
PKI_MEM_free ( b64mem );
goto err;
}
if((req_val = d2i_OCSP_REQ_bio(mem, NULL)) == NULL ) {
PKI_log_err("Can not parse REQ");
}
PKI_MEM_free ( b64mem );
BIO_free (mem);
}
else if ( http_msg->method == PKI_HTTP_METHOD_POST)
{
mem = BIO_new_mem_buf(http_msg->body->data, (int) http_msg->body->size);
if (mem == NULL)
{
PKI_log_err( "Memory Allocation Error");
goto err;
}
else
{
if ((req_val = d2i_OCSP_REQ_bio(mem, NULL)) == NULL)
{
PKI_log_err("Can not parse REQ");
}
BIO_free (mem);
}
}
else
{
PKI_log_err ( "HTTP Method not supported");
goto err;
}
if ( !req_val ) goto err;
req = PKI_X509_new_value(PKI_DATATYPE_X509_OCSP_REQ, req_val, NULL);
if (req == NULL)
{
PKI_log_err ("Can not generate a new X509_OCSP_REQ");
goto err;
}
if ( http_msg ) PKI_HTTP_free ( http_msg );
return (req);
err:
if (http_msg) PKI_HTTP_free(http_msg);
return NULL;
}
int main(int argc, char *argv[])
{
PKI_X509 *sigObj = NULL;
PKI_X509 *obj = NULL;
PKI_X509_KEYPAIR *kp = NULL;
PKI_X509_KEYPAIR_VALUE *pVal = NULL;
// PKI_X509_SIGNATURE *sig = NULL;
PKI_ALGOR *algor = NULL;
PKI_OID *oid = NULL;
char *pnt = NULL;
char *sigName = NULL;
char *kName = NULL;
int nid = 0;
if(argv[0]) prg_name = strdup(argv[0]);
// Check the number of Arguments
if ( argc < 2 ) usage();
while( argc > 0 ) {
argv++;
argc--;
if((pnt = *argv) == NULL) break;
if( strcmp_nocase( pnt, "-in" ) == 0) {
if( ++argv == NULL ) usage();
sigName = *argv;
argc--;
} else if ( strcmp_nocase(pnt, "-signer") == 0) {
if( ++argv == NULL ) usage();
kName = *argv;
argc--;
} else if ( strcmp_nocase(pnt, "-h") == 0 ) {
usage();
} else {
fprintf(stderr, "\n ERROR: unknown param %s\n\n", pnt);
usage();
};
};
if( !sigName ) sigName = "stdin";
if( !kName ) {
fprintf( stderr, "\n ERROR, signer param is needed!\n\n");
usage();
};
// Init LibPKI
PKI_init_all();
// Loads the Signer's Object
obj = PKI_X509_get( kName, PKI_DATATYPE_ANY, NULL, NULL);
if( obj == NULL) {
fprintf(stderr, "ERROR, can not load key source: %s\n\n", kName);
exit(1);
}
// Loads the Signed Object
sigObj = PKI_X509_get( sigName, PKI_DATATYPE_ANY, NULL, NULL);
if( sigObj == NULL) {
fprintf(stderr, "ERROR, can not load signed Object: %s\n\n", kName);
exit(1);
}
// Check if the Object is signed (has a signature ?)
if ( PKI_X509_is_signed ( sigObj ) != PKI_OK ) {
fprintf(stderr, "ERROR, object (%s) is not signed!\n\n", sigName);
exit(1);
}
// Get the Key from the Key Source
switch ( PKI_X509_get_type( obj )) {
case PKI_DATATYPE_X509_KEYPAIR:
kp = obj;
break;
case PKI_DATATYPE_X509_CERT:
pVal = PKI_X509_get_data ( obj, PKI_X509_DATA_PUBKEY );
if ( !pVal ) {
fprintf(stderr, "ERROR, can not retrieve the PubKey!\n\n");
exit(1);
};
kp = PKI_X509_new_value ( PKI_DATATYPE_X509_KEYPAIR, pVal, NULL );
break;
default:
fprintf(stderr, "ERROR, (%s) not a cert or a key (%d)!\n\n",
kName, PKI_X509_get_type( obj ) );
exit(1);
}
if (!kp) {
fprintf( stderr, "ERROR, no key found in %s!\n\n", kName );
exit(1);
};
printf("Signature:\n Info:\n");
printf(" Signed Object Type:\n %s\n",
PKI_X509_get_type_parsed( sigObj ));
algor = PKI_X509_get_data ( sigObj, PKI_X509_DATA_ALGORITHM );
if ( algor ) {
printf(" Algorithm:\n %s\n",
PKI_ALGOR_get_parsed ( algor ));
};
printf("\n Signer's Key Info:\n");
printf(" Scheme: ");
switch ( PKI_X509_KEYPAIR_get_scheme( kp ))
{
case PKI_SCHEME_RSA:
printf("RSA\n");
break;
case PKI_SCHEME_DSA:
printf("DSA\n");
break;
case PKI_SCHEME_ECDSA:
printf("ECDSA\n");
nid = PKI_X509_KEYPAIR_get_curve ( kp );
if((oid = PKI_OID_new_id( nid )) != NULL ) {
printf(" Curve Name: %s\n", PKI_OID_get_descr( oid ));
PKI_OID_free ( oid );
};
break;
default:
printf("Unknown!\n");
exit(1);
};
printf(" Key Size: %d\n", PKI_X509_KEYPAIR_get_size( kp ));
printf("\n Verify: ");
if( PKI_X509_verify(sigObj, kp) == PKI_OK) {
printf("Ok\n");
} else {
printf("ERROR!\n");
};
printf("\n");
return 0;
}
