int
X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
{
int ret = 0;
BIO *in = NULL;
int i, count = 0;
X509 *x = NULL;
if (file == NULL)
return (1);
in = BIO_new(BIO_s_file_internal());
if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB);
goto err;
}
if (type == X509_FILETYPE_PEM) {
for (;;) {
x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
ERR_clear_error();
break;
} else {
X509err(X509_F_X509_LOAD_CERT_FILE,
ERR_R_PEM_LIB);
goto err;
}
}
i = X509_STORE_add_cert(ctx->store_ctx, x);
if (!i)
goto err;
count++;
X509_free(x);
x = NULL;
}
ret = count;
} else if (type == X509_FILETYPE_ASN1) {
x = d2i_X509_bio(in, NULL);
if (x == NULL) {
X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_ASN1_LIB);
goto err;
}
i = X509_STORE_add_cert(ctx->store_ctx, x);
if (!i)
goto err;
ret = i;
} else {
X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
goto err;
}
err:
if (x != NULL)
X509_free(x);
if (in != NULL)
BIO_free(in);
return (ret);
}
/**
* xmlSecOpenSSLX509StoreAdoptCert:
* @store: the pointer to X509 key data store klass.
* @cert: the pointer to OpenSSL X509 certificate.
* @type: the certificate type (trusted/untrusted).
*
* Adds trusted (root) or untrusted certificate to the store.
*
* Returns: 0 on success or a negative value if an error occurs.
*/
int
xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecKeyDataType type) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
xmlSecAssert2(cert != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
if((type & xmlSecKeyDataTypeTrusted) != 0) {
xmlSecAssert2(ctx->xst != NULL, -1);
ret = X509_STORE_add_cert(ctx->xst, cert);
if(ret != 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_add_cert");
return(-1);
}
/* add cert increments the reference */
X509_free(cert);
} else {
xmlSecAssert2(ctx->untrusted != NULL, -1);
ret = sk_X509_push(ctx->untrusted, cert);
if(ret < 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"sk_X509_push");
return(-1);
}
}
return(0);
}
int tls_sc_add_ca_cert(lua_State *L)
{
tls_sc_t *ctx = getSC(L);
X509 *x509;
int newCAStore = FALSE;
if (!ctx->ca_store) {
ctx->ca_store = X509_STORE_new();
newCAStore = TRUE;
}
x509 = _lua_load_x509(L, 2);
if (!x509) {
lua_pushboolean(L, 0);
return 1;
}
X509_STORE_add_cert(ctx->ca_store, x509);
SSL_CTX_add_client_CA(ctx->ctx, x509);
X509_free(x509);
if (newCAStore) {
SSL_CTX_set_cert_store(ctx->ctx, ctx->ca_store);
}
lua_pushboolean(L, 1);
return 1;
}
selene_error_t*
selene_conf_ca_trusted_cert_add(selene_conf_t *conf, const char *certificate)
{
/* TOOD: replace with native x509 :( )*/
BIO *bio = BIO_new(BIO_s_mem());
int r = BIO_write(bio, certificate, strlen(certificate));
if (r <= 0) {
BIO_free(bio);
return selene_error_createf(SELENE_ENOMEM, "Attempting to parse CA certificate, BIO_write returned: %d", r);
}
X509* x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (!x509) {
BIO_free(bio);
/* TODO: better error messages */
return selene_error_create(SELENE_ENOMEM, "Attempting to parse CA certificate, PEM_read_bio_X509 failed.");
}
BIO_free(bio);
X509_STORE_add_cert(conf->trusted_cert_store, x509);
return SELENE_SUCCESS;
}
static CURLcode sslctxfun( CURL * curl, void * sslctx, void * parm ) {
sslctxparm * p = (sslctxparm *) parm;
SSL_CTX * ctx = (SSL_CTX *) sslctx ;
if ( !SSL_CTX_use_certificate( ctx,p->usercert ) ) {
BIO_printf( p->errorbio, "SSL_CTX_use_certificate problem\n" ); goto err;
}
if ( !SSL_CTX_use_PrivateKey( ctx,p->pkey ) ) {
BIO_printf( p->errorbio, "SSL_CTX_use_PrivateKey\n" ); goto err;
}
if ( !SSL_CTX_check_private_key( ctx ) ) {
BIO_printf( p->errorbio, "SSL_CTX_check_private_key\n" ); goto err;
}
SSL_CTX_set_quiet_shutdown( ctx,1 );
SSL_CTX_set_cipher_list( ctx,"RC4-MD5" );
SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY );
X509_STORE_add_cert( ctx->cert_store,sk_X509_value( p->ca,sk_X509_num( p->ca ) - 1 ) );
SSL_CTX_set_verify_depth( ctx,2 );
SSL_CTX_set_verify( ctx,SSL_VERIFY_PEER,NULL );
SSL_CTX_set_cert_verify_callback( ctx, ssl_app_verify_callback, parm );
return CURLE_OK ;
err:
ERR_print_errors( p->errorbio );
return CURLE_SSL_CERTPROBLEM;
}
int s2n_x509_trust_store_add_pem(struct s2n_x509_trust_store *store, const char *pem)
{
notnull_check(store);
notnull_check(pem);
if (!store->trust_store) {
store->trust_store = X509_STORE_new();
}
DEFER_CLEANUP(struct s2n_stuffer pem_in_stuffer = {{0}}, s2n_stuffer_free);
DEFER_CLEANUP(struct s2n_stuffer der_out_stuffer = {{0}}, s2n_stuffer_free);
GUARD(s2n_stuffer_alloc_ro_from_string(&pem_in_stuffer, pem));
GUARD(s2n_stuffer_growable_alloc(&der_out_stuffer, 2048));
do {
DEFER_CLEANUP(struct s2n_blob next_cert = {0}, s2n_free);
GUARD(s2n_stuffer_certificate_from_pem(&pem_in_stuffer, &der_out_stuffer));
GUARD(s2n_alloc(&next_cert, s2n_stuffer_data_available(&der_out_stuffer)));
GUARD(s2n_stuffer_read(&der_out_stuffer, &next_cert));
const uint8_t *data = next_cert.data;
DEFER_CLEANUP(X509 *ca_cert = d2i_X509(NULL, &data, next_cert.size), X509_free_pointer);
S2N_ERROR_IF(ca_cert == NULL, S2N_ERR_DECODE_CERTIFICATE);
GUARD_OSSL(X509_STORE_add_cert(store->trust_store, ca_cert), S2N_ERR_DECODE_CERTIFICATE);
} while (s2n_stuffer_data_available(&pem_in_stuffer));
return 0;
}
static X509_STORE *pkcs7_get_ca_store(const char *cacert)
{
X509_STORE *store;
X509 *ca;
ca = pkcs7_get_ca_certificate(cacert);
if (!ca) {
return NULL;
}
store = X509_STORE_new();
if (!store) {
X509_free(ca);
return NULL;
}
if (X509_STORE_add_cert(store, ca) <= 0) {
X509_STORE_free(store);
X509_free(ca);
return NULL;
}
X509_free(ca);
return store;
}
static int
SSL_CTX_use_certificate_file_with_check(
SSL_CTX *ctx,
char *file,
int type)
{
FILE *fp;
X509 *x509;
X509_STORE_CTX *sctx;
int ret;
ret = SSL_CTX_use_certificate_file(ctx, file, type);
if(!ret) return ret;
if(!(fp = fopen(file, "r"))) {
return -1;
}
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
if(!x509){
rewind(fp);
x509 = d2i_X509_fp(fp, NULL);
}
fclose(fp);
if(!x509) return -1;
X509_STORE_add_cert(ctx->cert_store, x509);
sctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(sctx, ctx->cert_store, x509, NULL);
X509_STORE_CTX_set_verify_cb(sctx, LocalVerifyCallBack);
X509_verify_cert(sctx);
X509_STORE_CTX_free(sctx);
CheckValidPeriod(x509);
return ret;
}
int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
{
STACK_OF(X509_INFO) *inf;
X509_INFO *itmp;
BIO *in;
int i, count = 0;
if (type != X509_FILETYPE_PEM)
return X509_load_cert_file(ctx, file, type);
in = BIO_new_file(file, "r");
if (!in) {
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB);
return 0;
}
inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
BIO_free(in);
if (!inf) {
X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB);
return 0;
}
for (i = 0; i < sk_X509_INFO_num(inf); i++) {
itmp = sk_X509_INFO_value(inf, i);
if (itmp->x509) {
X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
count++;
}
if (itmp->crl) {
X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
count++;
}
}
sk_X509_INFO_pop_free(inf, X509_INFO_free);
return count;
}
static int add_pem_cert(SSL_CTX *sslCtx, char const* pem_cert)
{
X509 *cert;
BIO *mem = BIO_new(BIO_s_mem());
if (NULL == mem) {
PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed BIO_new for PEM certificate\n", sslCtx);
return -1;
}
BIO_puts(mem, pem_cert);
cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
BIO_free(mem);
if (NULL == cert) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed to read PEM certificate\n", sslCtx);
return -1;
}
if (0 == X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert)) {
ERR_print_errors_cb(print_to_pubnub_log, NULL);
PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed to add PEM certificate\n", sslCtx);
X509_free(cert);
return -1;
}
X509_free(cert);
return 0;
}
void SSLContext::addVerificationCertificate(const crypto::X509Certificate& certificate)
{
int errCode = X509_STORE_add_cert(SSL_CTX_get_cert_store(_sslContext), const_cast<X509*>(certificate.certificate()));
if (errCode != 1)
{
std::string msg = getLastError();
throw std::runtime_error("SSL Error: Cannot add verification certificate: " + msg);
}
}
apr_status_t serf_ssl_trust_cert(
serf_ssl_context_t *ssl_ctx,
serf_ssl_certificate_t *cert)
{
X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
int result = X509_STORE_add_cert(store, cert->ssl_cert);
return result ? APR_SUCCESS : APR_EGENERAL;
}
static int check_certificate_by_signer (X509 *peercert)
{
X509_STORE_CTX *xsc;
X509_STORE *ctx;
int pass = 0, i;
ctx = X509_STORE_new ();
if (ctx == NULL) return 0;
if (option (OPTSSLSYSTEMCERTS))
{
if (X509_STORE_set_default_paths (ctx))
pass++;
else
dprint (2, (debugfile, "X509_STORE_set_default_paths failed\n"));
}
if (X509_STORE_load_locations (ctx, SslCertFile, NULL))
pass++;
else
dprint (2, (debugfile, "X509_STORE_load_locations failed\n"));
for (i = 0; i < sk_X509_num (SslSessionCerts); i++)
pass += (X509_STORE_add_cert (ctx, sk_X509_value (SslSessionCerts, i)) != 0);
if (pass == 0)
{
/* nothing to do */
X509_STORE_free (ctx);
return 0;
}
xsc = X509_STORE_CTX_new();
if (xsc == NULL) return 0;
X509_STORE_CTX_init (xsc, ctx, peercert, SslSessionCerts);
pass = (X509_verify_cert (xsc) > 0);
#ifdef DEBUG
if (! pass)
{
char buf[SHORT_STRING];
int err;
err = X509_STORE_CTX_get_error (xsc);
snprintf (buf, sizeof (buf), "%s (%d)",
X509_verify_cert_error_string(err), err);
dprint (2, (debugfile, "X509_verify_cert: %s\n", buf));
dprint (2, (debugfile, " [%s]\n", peercert->name));
}
#endif
X509_STORE_CTX_free (xsc);
X509_STORE_free (ctx);
return pass;
}
static int
cryptoMagic(X509 *x0, X509 *x1, X509 *x2,
const unsigned char *toHashData, int toHashLength,
/*XXX const*/ unsigned char *rsaSigData, int rsaSigLen,
DataValue *partialDigest)
{
int rv = 0;
EVP_PKEY *pk = X509_get_pubkey(x2);
if (pk) {
if (pk->type == EVP_PKEY_RSA) {
RSA *rsa = EVP_PKEY_get1_RSA(pk);
if (rsa) {
X509_STORE *store = X509_STORE_new();
if (store) {
X509_STORE_CTX ctx;
X509_STORE_add_cert(store, x0);
X509_STORE_add_cert(store, x1);
if (X509_STORE_CTX_init(&ctx, store, x2, 0) == 1) {
X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_IGNORE_CRITICAL);
if (X509_verify_cert(&ctx) == 1) {
unsigned char md[SHA_DIGEST_LENGTH];
if (partialDigest) {
// XXX we need to flip ECID back before hashing
flipAppleImg3Header((AppleImg3Header *)toHashData);
doPartialSHA1(md, toHashData, toHashLength, partialDigest);
} else {
SHA1(toHashData, toHashLength, md);
}
rv = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, rsaSigData, rsaSigLen, rsa);
}
X509_STORE_CTX_cleanup(&ctx);
}
X509_STORE_free(store);
}
RSA_free(rsa);
}
}
EVP_PKEY_free(pk);
}
return rv ? 0 : -1;
}
SEXP PKI_verify_cert(SEXP sCA, SEXP sCert) {
X509 *cert;
X509_STORE *store;
X509_STORE_CTX *ctx;
int rv;
PKI_init();
cert = retrieve_cert(sCert, "");
store = X509_STORE_new();
if (TYPEOF(sCA) == VECSXP) {
int i;
for (i = 0; i < LENGTH(sCA); i++)
X509_STORE_add_cert(store, retrieve_cert(VECTOR_ELT(sCA, i),"CA "));
} else
X509_STORE_add_cert(store, retrieve_cert(sCA, "CA "));
ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(ctx, store, cert, NULL);
rv = X509_verify_cert(ctx);
X509_STORE_CTX_free(ctx);
X509_STORE_free(store);
return ScalarLogical((rv == 1) ? TRUE : FALSE);
}
void PaymentServerTests::paymentServerTests()
{
SelectParams(CBaseChainParams::MAIN);
OptionsModel optionsModel;
PaymentServer* server = new PaymentServer(NULL, false);
X509_STORE* caStore = X509_STORE_new();
X509_STORE_add_cert(caStore, parse_b64der_cert(caCert_BASE64));
PaymentServer::LoadRootCAs(caStore);
server->setOptionsModel(&optionsModel);
server->uiReady();
// Now feed PaymentRequests to server, and observe signals it produces:
std::vector<unsigned char> data = DecodeBase64(paymentrequest1_BASE64);
SendCoinsRecipient r = handleRequest(server, data);
QString merchant;
r.paymentRequest.getMerchant(caStore, merchant);
QCOMPARE(merchant, QString("testmerchant.org"));
// Version of the above, with an expired certificate:
data = DecodeBase64(paymentrequest2_BASE64);
r = handleRequest(server, data);
r.paymentRequest.getMerchant(caStore, merchant);
QCOMPARE(merchant, QString(""));
// Long certificate chain:
data = DecodeBase64(paymentrequest3_BASE64);
r = handleRequest(server, data);
r.paymentRequest.getMerchant(caStore, merchant);
QCOMPARE(merchant, QString("testmerchant8.org"));
// Long certificate chain, with an expired certificate in the middle:
data = DecodeBase64(paymentrequest4_BASE64);
r = handleRequest(server, data);
r.paymentRequest.getMerchant(caStore, merchant);
QCOMPARE(merchant, QString(""));
// Validly signed, but by a CA not in our root CA list:
data = DecodeBase64(paymentrequest5_BASE64);
r = handleRequest(server, data);
r.paymentRequest.getMerchant(caStore, merchant);
QCOMPARE(merchant, QString(""));
// Try again with no root CA's, verifiedMerchant should be empty:
caStore = X509_STORE_new();
PaymentServer::LoadRootCAs(caStore);
data = DecodeBase64(paymentrequest1_BASE64);
r = handleRequest(server, data);
r.paymentRequest.getMerchant(caStore, merchant);
QCOMPARE(merchant, QString(""));
delete server;
}
RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore)
{
PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
/*
* Use the pfnCertFindAll method to add all certificates to the store we're returning.
*/
int rc;
X509_STORE *pOsslStore = X509_STORE_new();
if (pOsslStore)
{
RTCRSTORECERTSEARCH Search;
rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
if (RT_SUCCESS(rc))
{
do
{
PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
if (!pCertCtx)
break;
if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
{
X509 *pOsslCert = NULL;
const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded;
if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
{
if (!X509_STORE_add_cert(pOsslStore, pOsslCert))
rc = VERR_NO_MEMORY;
X509_free(pOsslCert);
}
}
RTCrCertCtxRelease(pCertCtx);
} while (RT_SUCCESS(rc));
pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
if (RT_SUCCESS(rc))
{
*ppvOpenSslStore = pOsslStore;
return VINF_SUCCESS;
}
}
X509_STORE_free(pOsslStore);
}
else
rc = VERR_NO_MEMORY;
return rc;
}
// This imports the certificates in a given Windows certificate store into an
// X509_STORE for
// openssl to use during certificate validation.
static int importCertStoreToX509_STORE(
LPWSTR storeName, DWORD storeLocation, X509_STORE* verifyStore, char* err, size_t err_len) {
int status = 1;
X509* x509Cert = NULL;
HCERTSTORE systemStore =
CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, storeLocation | CERT_STORE_READONLY_FLAG, storeName);
if (systemStore == NULL) {
formatError(GetLastError(),"error opening system CA store",err,err_len);
status = 0;
goto CLEANUP;
}
PCCERT_CONTEXT certCtx = NULL;
while ((certCtx = CertEnumCertificatesInStore(systemStore, certCtx)) != NULL) {
const uint8_t * certBytes = (const uint8_t *)(certCtx->pbCertEncoded);
x509Cert = d2i_X509(NULL, &certBytes, certCtx->cbCertEncoded);
if (x509Cert == NULL) {
// 120 from the SSL documentation for ERR_error_string
static const size_t msglen = 120;
char msg[msglen];
ERR_error_string_n(ERR_get_error(), msg, msglen);
snprintf(
err, err_len, "Error parsing X509 object from Windows certificate store %s", msg);
status = 0;
goto CLEANUP;
}
if (1 != X509_STORE_add_cert(verifyStore, x509Cert)) {
int store_error_status = checkX509_STORE_error(err, err_len);
if (!store_error_status) {
status = 0;
goto CLEANUP;
}
}
}
DWORD lastError = GetLastError();
if (lastError != CRYPT_E_NOT_FOUND) {
formatError(lastError,"Error enumerating certificates",err,err_len);
status = 0;
goto CLEANUP;
}
CLEANUP:
if (systemStore != NULL) {
CertCloseStore(systemStore, 0);
}
if (x509Cert != NULL) {
X509_free(x509Cert);
}
return status;
}
static VALUE
ossl_x509store_add_cert(VALUE self, VALUE arg)
{
X509_STORE *store;
X509 *cert;
cert = GetX509CertPtr(arg); /* NO NEED TO DUP */
GetX509Store(self, store);
if (X509_STORE_add_cert(store, cert) != 1){
ossl_raise(eX509StoreError, NULL);
}
return self;
}
bool
_mongoc_openssl_import_cert_store (LPWSTR store_name,
DWORD dwFlags,
X509_STORE *openssl_store)
{
PCCERT_CONTEXT cert = NULL;
HCERTSTORE cert_store;
cert_store = CertOpenStore (
CERT_STORE_PROV_SYSTEM, /* provider */
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, /* certificate encoding */
0, /* unused */
dwFlags, /* dwFlags */
store_name); /* system store name. "My" or "Root" */
if (cert_store == NULL) {
LPTSTR msg = NULL;
FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_ARGUMENT_ARRAY,
NULL,
GetLastError (),
LANG_NEUTRAL,
(LPTSTR) &msg,
0,
NULL);
MONGOC_ERROR ("Can't open CA store: 0x%.8X: '%s'", (unsigned int) GetLastError (), msg);
LocalFree (msg);
return false;
}
while ((cert = CertEnumCertificatesInStore (cert_store, cert)) != NULL) {
X509 *x509Obj = d2i_X509 (NULL,
(const unsigned char **) &cert->pbCertEncoded,
cert->cbCertEncoded);
if (x509Obj == NULL) {
MONGOC_WARNING (
"Error parsing X509 object from Windows certificate store");
continue;
}
X509_STORE_add_cert (openssl_store, x509Obj);
X509_free (x509Obj);
}
CertCloseStore (cert_store, 0);
return true;
}
bool net_nfc_util_openssl_add_certificate_of_ca(net_nfc_openssl_verify_context_s *context, uint8_t *buffer, uint32_t length)
{
bool result = false;
X509 *x509 = NULL;
x509 = _load_certificate_from_mem(1, buffer, length, NULL);
if (x509 != NULL)
{
X509_STORE_add_cert(context->store, x509);
result = true;
}
return result;
}
static X509_STORE *load_cert_chain(const char *file)
{
X509_STORE *castore = X509_STORE_new();
if (!castore) {
return NULL;
}
/*
* Set error callback function for verification of CRTs and CRLs in order
* to ignore some errors depending on configuration
*/
X509_STORE_set_verify_cb(castore, cms_verify_callback);
BIO *castore_bio = BIO_new_file(file, "r");
if (!castore_bio) {
TRACE("failed: BIO_new_file(%s)", file);
return NULL;
}
int crt_count = 0;
X509 *crt = NULL;
do {
crt = PEM_read_bio_X509(castore_bio, NULL, 0, NULL);
if (crt) {
crt_count++;
char *subj = X509_NAME_oneline(X509_get_subject_name(crt), NULL, 0);
char *issuer = X509_NAME_oneline(X509_get_issuer_name(crt), NULL, 0);
TRACE("Read PEM #%d: %s %s", crt_count, issuer, subj);
free(subj);
free(issuer);
if (X509_STORE_add_cert(castore, crt) == 0) {
TRACE("Adding certificate to X509_STORE failed");
BIO_free(castore_bio);
X509_STORE_free(castore);
return NULL;
}
}
} while (crt);
BIO_free(castore_bio);
if (crt_count == 0) {
X509_STORE_free(castore);
return NULL;
}
return castore;
}
/*
* Store CA file into store.
*/
static
int X509_store_add_cert_file(X509_STORE *store, const char *fname)
{
FILE *fin = NULL;
X509 *x509 = NULL;
unsigned long err;
assert(store != NULL);
assert(fname != NULL);
fin = fopen(fname, "r");
if (fin == NULL) {
printf_debug(DEBUG_PREFIX_CERT,
"Cannot open certificate '%s'.\n", fname);
goto fail;
}
x509 = PEM_read_X509(fin, NULL, NULL, NULL);
if (x509 == NULL) {
printf_debug(DEBUG_PREFIX_CERT,
"Cannot parse certificate '%s'.\n", fname);
goto fail;
}
if (X509_STORE_add_cert(store, x509) == 0) {
err = ERR_get_error();
printf_debug(DEBUG_PREFIX_CERT,
"Cannot store certificate '%s'. Error: %s.\n", fname,
ERR_error_string(err, NULL));
goto fail;
}
X509_free(x509); x509 = NULL;
fclose(fin); fin = NULL;
return 0;
fail:
if (fin != NULL) {
fclose(fin);
}
if (x509 != NULL) {
X509_free(x509);
}
return -1;
}
/*
* We will put into store X509 object from passed data in buffer only
* when object name match passed. To compare both names we use our
* method "ssh_X509_NAME_cmp"(it is more general).
*/
static int/*bool*/
ldaplookup_data2store(
int type,
X509_NAME* name,
void* buf,
int len,
X509_STORE* store
) {
int ok = 0;
BIO *mbio;
if (name == NULL) return(0);
if (buf == NULL) return(0);
if (len <= 0) return(0);
if (store == NULL) return(0);
mbio = BIO_new_mem_buf(buf, len);
if (mbio == NULL) return(0);
switch (type) {
case X509_LU_X509: {
X509 *x509 = d2i_X509_bio(mbio, NULL);
if(x509 == NULL) goto exit;
/*This is correct since lookup method is by subject*/
if (ssh_X509_NAME_cmp(name, X509_get_subject_name(x509)) != 0) goto exit;
ok = X509_STORE_add_cert(store, x509);
} break;
case X509_LU_CRL: {
X509_CRL *crl = d2i_X509_CRL_bio(mbio, NULL);
if(crl == NULL) goto exit;
if (ssh_X509_NAME_cmp(name, X509_CRL_get_issuer(crl)) != 0) goto exit;
ok = X509_STORE_add_crl(store, crl);
} break;
}
exit:
if (mbio != NULL) BIO_free_all(mbio);
#ifdef TRACE_BY_LDAP
fprintf(stderr, "TRACE_BY_LDAP ldaplookup_data2store: ok=%d\n", ok);
#endif
return(ok);
}
// Adds a buffer containing one or more PEM-encoded
// root certificates to the X509PEMVerifier.
//
// If the certificate (or one of the certificates) could not be
// parsed AddPEM will return immediately, resulting in all of the
// certificates up to the bad certicate being added to the verifier.
bool X509PEMVerifier::AddPEM(const ByteArray &buf) {
BIO *mem = BIO_new_mem_buf(static_cast<void *>(const_cast<char *>(buf.ConstData())), buf.Length());
(void) BIO_set_close(mem, BIO_NOCLOSE);
int ncerts = 0;
while (1) {
X509 *x = PEM_read_bio_X509_AUX(mem, nullptr, nullptr, nullptr);
if (x == nullptr) {
return false;
}
X509_STORE_add_cert(store_, x);
X509_free(x);
ncerts++;
}
return true;
}
bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){
LOGGER_FN();
try{
LOGGER_OPENSSL(X509_STORE_CTX_new);
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
if (!ctx) {
THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx");
}
LOGGER_OPENSSL(X509_STORE_new);
X509_STORE *st = X509_STORE_new();
if (!st) {
THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store");
}
for (int i = 0, c = chain->length(); i < c; i++){
LOGGER_OPENSSL(X509_STORE_add_cert);
X509_STORE_add_cert(st, X509_dup(chain->items(i)->internal()));
}
X509_CRL *xtempCRL = NULL;
LOGGER_OPENSSL(X509_STORE_CTX_init);
X509_STORE_CTX_init(ctx, st, chain->items(0)->internal(), chain->internal());
LOGGER_OPENSSL(X509_STORE_CTX_set0_crls);
X509_STORE_CTX_set0_crls(ctx, crls->internal());
LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK_ALL);
LOGGER_OPENSSL(X509_verify_cert);
if (X509_verify_cert(ctx) <= 0){
return false;
}
return true;
}
catch (Handle<Exception> e){
THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)");
}
}
bool X509Certificate_OpenSSL::verify(ref <const X509Certificate> caCert_) const
{
ref <const X509Certificate_OpenSSL> caCert =
caCert_.dynamicCast <const X509Certificate_OpenSSL>();
bool verified = false;
bool error = true;
X509_STORE *store = X509_STORE_new();
if (store)
{
X509_STORE_CTX *verifyCtx = X509_STORE_CTX_new();
if (verifyCtx)
{
if (X509_STORE_add_cert(store, caCert->m_data->cert))
{
X509_STORE_CTX_init(verifyCtx, store, m_data->cert, NULL);
int ret = X509_verify_cert(verifyCtx);
if (ret == 1)
{
verified = true;
error = false;
}
else if (ret == 0)
{
verified = false;
error = false;
}
//X509_verify_cert_error_string(vrfy_ctx->error)
X509_STORE_CTX_free(verifyCtx);
}
}
X509_STORE_free(store);
}
return verified && !error;
}
static int
tls_sc_add_root_certs(lua_State *L) {
int i;
tls_sc_t *ctx = getSC(L);
ERR_clear_error();
if (!root_cert_store) {
root_cert_store = X509_STORE_new();
for (i = 0; root_certs[i]; i++) {
BIO *bp = BIO_new(BIO_s_mem());
X509 *x509;
if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
printf("error writing cert %s\n", root_certs[i]);
BIO_free(bp);
lua_pushboolean(L, 0);
return 1;
}
x509 = PEM_read_bio_X509(bp, NULL, 0, NULL);
if (x509 == NULL) {
char buf[1024];
ERR_error_string(ERR_get_error(), buf);
printf("error writing x509 cert %s\n", buf);
BIO_free(bp);
lua_pushboolean(L, 0);
return 1;
}
X509_STORE_add_cert(root_cert_store, x509);
BIO_free(bp);
X509_free(x509);
}
}
ctx->ca_store = root_cert_store;
SSL_CTX_set_cert_store(ctx->ctx, ctx->ca_store);
lua_pushboolean(L, 1);
return 1;
}
int check_time_stamp(TS_RESP* tsResponse, X509* caCert, char* hash, UNSIGNED32 hash_size)
{
int result = 0;
TS_REQ* tsRequest = NULL;
TS_VERIFY_CTX* ctx = NULL;
TS_MSG_IMPRINT* msgImprint = NULL;
ASN1_OCTET_STRING* hashedMessage = NULL;
int hashedMessageLength;
tsRequest = get_timestamp_request(hash, hash_size, tsResponse->tst_info->nonce);
msgImprint = TS_REQ_get_msg_imprint(tsRequest);
hashedMessage = TS_MSG_IMPRINT_get_msg(msgImprint);
hashedMessageLength = ASN1_STRING_length((ASN1_STRING*)hashedMessage);
if (hashedMessageLength != (int)hash_size)
{
goto end;
}
if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(tsRequest, NULL)))
{
goto end;
}
ctx->flags |= TS_VFY_SIGNATURE;
ctx->store = X509_STORE_new();
X509_STORE_add_cert(ctx->store, caCert);
if (ossl_TS_RESP_verify_response(ctx, tsResponse))
{
result = 1;
}
end:
if (tsRequest != NULL)
{
TS_REQ_free(tsRequest);
}
if (ctx != NULL)
{
TS_VERIFY_CTX_free(ctx);
}
return result;
}
bud_error_t bud_config_load_ca_arr(X509_STORE** store,
const JSON_Array* ca) {
int i;
int count;
bud_error_t err;
err = bud_config_verify_all_strings(ca, "ca");
if (!bud_is_ok(err))
return err;
*store = X509_STORE_new();
if (*store == NULL)
return bud_error_str(kBudErrNoMem, "CA store");
count = json_array_get_count(ca);
for (i = 0; i < count; i++) {
const char* cert;
BIO* b;
X509* x509;
cert = json_array_get_string(ca, i);
b = BIO_new_mem_buf((void*) cert, -1);
if (b == NULL)
return bud_error_str(kBudErrNoMem, "BIO_new_mem_buf:CA store bio");
while ((x509 = PEM_read_bio_X509(b, NULL, NULL, NULL)) != NULL) {
if (x509 == NULL) {
err = bud_error_dstr(kBudErrParseCert, cert);
break;
}
if (X509_STORE_add_cert(*store, x509) != 1) {
err = bud_error(kBudErrAddCert);
break;
}
X509_free(x509);
x509 = NULL;
}
BIO_free_all(b);
if (x509 != NULL)
X509_free(x509);
}
return err;
}
