int check_crl ( PKI_X509_CRL *x_crl, PKI_X509_CERT *x_cacert, OCSPD_CONFIG *conf ) { PKI_X509_KEYPAIR_VALUE *pkey = NULL; PKI_X509_KEYPAIR *k = NULL; int ret = -1; if (!conf) return (-1); PKI_RWLOCK_read_lock ( &conf->crl_lock ); if( !x_crl || !x_crl->value || !x_cacert || !x_cacert->value ) { if( conf->verbose ) { if(!x_crl || !x_crl->value) PKI_log_err ("CRL missing"); if(!x_cacert || !x_cacert->value) PKI_log_err("CA cert missing"); } PKI_RWLOCK_release_read ( &conf->crl_lock ); return(-1); } /* Gets the Public Key of the CA Certificate */ if((pkey = PKI_X509_CERT_get_data( x_cacert, PKI_X509_DATA_PUBKEY )) == NULL ) { PKI_log_err( "Can not parse PubKey from CA Cert"); PKI_RWLOCK_release_read ( &conf->crl_lock ); return(-3); } if ((k = PKI_X509_new_value(PKI_DATATYPE_X509_KEYPAIR, pkey, NULL)) == NULL ) { PKI_log_err ("Memory Error!"); PKI_RWLOCK_release_read ( &conf->crl_lock ); return(-3); } if ( PKI_X509_verify ( x_crl, k ) == PKI_OK ) { PKI_log_debug("CRL signature is verified!"); ret = PKI_OK; } else { ret = PKI_ERR; } k->value = NULL; PKI_X509_KEYPAIR_free ( k ); PKI_RWLOCK_release_read ( &conf->crl_lock ); if ( ret > 0 ) { PKI_log(PKI_LOG_INFO, "CRL matching CA cert ok [ %d ]", ret); } return ret; }
int PKI_X509_CERT_is_selfsigned ( PKI_X509_CERT *x ) { PKI_X509_KEYPAIR *kp = NULL; PKI_X509_KEYPAIR *kval = NULL; int ret = -1; if (!x) return PKI_ERR; kval = PKI_X509_CERT_get_data ( x, PKI_X509_DATA_PUBKEY ); if ( !kval ) return PKI_ERR; kp = PKI_X509_new_value ( PKI_DATATYPE_X509_KEYPAIR, kval, NULL); if ( !kp ) return PKI_ERR; ret = PKI_X509_verify ( x, kp ); kp->value = NULL; PKI_X509_KEYPAIR_free ( kp ); return ret; }
PKI_X509_OCSP_REQ * ocspd_req_get_socket ( int connfd, OCSPD_CONFIG *ocspd_conf) { PKI_X509_OCSP_REQ *req = NULL; PKI_X509_OCSP_REQ_VALUE *req_val = NULL; PKI_IO *mem = NULL; PKI_MEM *pathmem = NULL; PKI_MEM *b64mem = NULL; PKI_SOCKET sock; size_t maxsize = 0; maxsize = (size_t) ocspd_conf->max_req_size; PKI_HTTP *http_msg = NULL; if ( connfd <= 0 ) return NULL; // Initialize the sock structure sock.ssl = NULL; PKI_SOCKET_set_fd ( &sock, connfd ); http_msg = PKI_HTTP_get_message(&sock, (int) ocspd_conf->max_timeout_secs, maxsize); if (http_msg == NULL) { PKI_log_err ("Network Error while reading Request!"); return NULL; }; /* If method is METHOD_GET we shall de-urlify the buffer and get the right begin (keep in mind there might be a path set in the config */ if( http_msg->method == PKI_HTTP_METHOD_GET ) { char *req_pnt = NULL; if (http_msg->path == NULL) { PKI_log_err("Malformed GET request"); goto err; } req_pnt = http_msg->path; while(strchr(req_pnt, '/') != NULL) { req_pnt = strchr(req_pnt, '/') + 1; } pathmem = PKI_MEM_new_data(strlen(req_pnt), (unsigned char *) req_pnt); if (pathmem == NULL) { PKI_log_err("Memory Allocation Error!"); goto err; } if((b64mem = PKI_MEM_url_decode (pathmem, 0)) == NULL) { PKI_log_err("Memory Allocation Error!"); PKI_MEM_free(pathmem); pathmem = NULL; // Safety goto err; } if (PKI_MEM_B64_decode(b64mem, 76) == PKI_ERR ) { PKI_log_err ("Error decoding B64 Mem"); PKI_MEM_free ( b64mem ); b64mem = NULL; req_pnt = http_msg->path; while(req_pnt[0] == '/') { req_pnt=req_pnt + 1; } b64mem = PKI_MEM_new_data(strlen(req_pnt), (unsigned char *) req_pnt); if (b64mem == NULL) { PKI_log_err("Memory Allocation Error!"); goto err; } if (PKI_MEM_B64_decode(b64mem, 76) == PKI_ERR ) { PKI_log_err ("Error decoding B64 Mem"); PKI_MEM_free ( b64mem ); goto err; } } if((mem = BIO_new_mem_buf(b64mem->data, (int) b64mem->size )) == NULL) { PKI_log_err("Memory Allocation Error"); PKI_MEM_free ( b64mem ); goto err; } if((req_val = d2i_OCSP_REQ_bio(mem, NULL)) == NULL ) { PKI_log_err("Can not parse REQ"); } PKI_MEM_free ( b64mem ); BIO_free (mem); } else if ( http_msg->method == PKI_HTTP_METHOD_POST) { mem = BIO_new_mem_buf(http_msg->body->data, (int) http_msg->body->size); if (mem == NULL) { PKI_log_err( "Memory Allocation Error"); goto err; } else { if ((req_val = d2i_OCSP_REQ_bio(mem, NULL)) == NULL) { PKI_log_err("Can not parse REQ"); } BIO_free (mem); } } else { PKI_log_err ( "HTTP Method not supported"); goto err; } if ( !req_val ) goto err; req = PKI_X509_new_value(PKI_DATATYPE_X509_OCSP_REQ, req_val, NULL); if (req == NULL) { PKI_log_err ("Can not generate a new X509_OCSP_REQ"); goto err; } if ( http_msg ) PKI_HTTP_free ( http_msg ); return (req); err: if (http_msg) PKI_HTTP_free(http_msg); return NULL; }
int main(int argc, char *argv[]) { PKI_X509 *sigObj = NULL; PKI_X509 *obj = NULL; PKI_X509_KEYPAIR *kp = NULL; PKI_X509_KEYPAIR_VALUE *pVal = NULL; // PKI_X509_SIGNATURE *sig = NULL; PKI_ALGOR *algor = NULL; PKI_OID *oid = NULL; char *pnt = NULL; char *sigName = NULL; char *kName = NULL; int nid = 0; if(argv[0]) prg_name = strdup(argv[0]); // Check the number of Arguments if ( argc < 2 ) usage(); while( argc > 0 ) { argv++; argc--; if((pnt = *argv) == NULL) break; if( strcmp_nocase( pnt, "-in" ) == 0) { if( ++argv == NULL ) usage(); sigName = *argv; argc--; } else if ( strcmp_nocase(pnt, "-signer") == 0) { if( ++argv == NULL ) usage(); kName = *argv; argc--; } else if ( strcmp_nocase(pnt, "-h") == 0 ) { usage(); } else { fprintf(stderr, "\n ERROR: unknown param %s\n\n", pnt); usage(); }; }; if( !sigName ) sigName = "stdin"; if( !kName ) { fprintf( stderr, "\n ERROR, signer param is needed!\n\n"); usage(); }; // Init LibPKI PKI_init_all(); // Loads the Signer's Object obj = PKI_X509_get( kName, PKI_DATATYPE_ANY, NULL, NULL); if( obj == NULL) { fprintf(stderr, "ERROR, can not load key source: %s\n\n", kName); exit(1); } // Loads the Signed Object sigObj = PKI_X509_get( sigName, PKI_DATATYPE_ANY, NULL, NULL); if( sigObj == NULL) { fprintf(stderr, "ERROR, can not load signed Object: %s\n\n", kName); exit(1); } // Check if the Object is signed (has a signature ?) if ( PKI_X509_is_signed ( sigObj ) != PKI_OK ) { fprintf(stderr, "ERROR, object (%s) is not signed!\n\n", sigName); exit(1); } // Get the Key from the Key Source switch ( PKI_X509_get_type( obj )) { case PKI_DATATYPE_X509_KEYPAIR: kp = obj; break; case PKI_DATATYPE_X509_CERT: pVal = PKI_X509_get_data ( obj, PKI_X509_DATA_PUBKEY ); if ( !pVal ) { fprintf(stderr, "ERROR, can not retrieve the PubKey!\n\n"); exit(1); }; kp = PKI_X509_new_value ( PKI_DATATYPE_X509_KEYPAIR, pVal, NULL ); break; default: fprintf(stderr, "ERROR, (%s) not a cert or a key (%d)!\n\n", kName, PKI_X509_get_type( obj ) ); exit(1); } if (!kp) { fprintf( stderr, "ERROR, no key found in %s!\n\n", kName ); exit(1); }; printf("Signature:\n Info:\n"); printf(" Signed Object Type:\n %s\n", PKI_X509_get_type_parsed( sigObj )); algor = PKI_X509_get_data ( sigObj, PKI_X509_DATA_ALGORITHM ); if ( algor ) { printf(" Algorithm:\n %s\n", PKI_ALGOR_get_parsed ( algor )); }; printf("\n Signer's Key Info:\n"); printf(" Scheme: "); switch ( PKI_X509_KEYPAIR_get_scheme( kp )) { case PKI_SCHEME_RSA: printf("RSA\n"); break; case PKI_SCHEME_DSA: printf("DSA\n"); break; case PKI_SCHEME_ECDSA: printf("ECDSA\n"); nid = PKI_X509_KEYPAIR_get_curve ( kp ); if((oid = PKI_OID_new_id( nid )) != NULL ) { printf(" Curve Name: %s\n", PKI_OID_get_descr( oid )); PKI_OID_free ( oid ); }; break; default: printf("Unknown!\n"); exit(1); }; printf(" Key Size: %d\n", PKI_X509_KEYPAIR_get_size( kp )); printf("\n Verify: "); if( PKI_X509_verify(sigObj, kp) == PKI_OK) { printf("Ok\n"); } else { printf("ERROR!\n"); }; printf("\n"); return 0; }