int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) { int ret = 0; BIO *in = NULL; int i, count = 0; X509 *x = NULL; if (file == NULL) return (1); in = BIO_new(BIO_s_file_internal()); if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) { X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB); goto err; } if (type == X509_FILETYPE_PEM) { for (;;) { x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL); if (x == NULL) { if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); break; } else { X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_PEM_LIB); goto err; } } i = X509_STORE_add_cert(ctx->store_ctx, x); if (!i) goto err; count++; X509_free(x); x = NULL; } ret = count; } else if (type == X509_FILETYPE_ASN1) { x = d2i_X509_bio(in, NULL); if (x == NULL) { X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_ASN1_LIB); goto err; } i = X509_STORE_add_cert(ctx->store_ctx, x); if (!i) goto err; ret = i; } else { X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE); goto err; } err: if (x != NULL) X509_free(x); if (in != NULL) BIO_free(in); return (ret); }
/** * xmlSecOpenSSLX509StoreAdoptCert: * @store: the pointer to X509 key data store klass. * @cert: the pointer to OpenSSL X509 certificate. * @type: the certificate type (trusted/untrusted). * * Adds trusted (root) or untrusted certificate to the store. * * Returns: 0 on success or a negative value if an error occurs. */ int xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecKeyDataType type) { xmlSecOpenSSLX509StoreCtxPtr ctx; int ret; xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1); xmlSecAssert2(cert != NULL, -1); ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, -1); if((type & xmlSecKeyDataTypeTrusted) != 0) { xmlSecAssert2(ctx->xst != NULL, -1); ret = X509_STORE_add_cert(ctx->xst, cert); if(ret != 1) { xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "X509_STORE_add_cert"); return(-1); } /* add cert increments the reference */ X509_free(cert); } else { xmlSecAssert2(ctx->untrusted != NULL, -1); ret = sk_X509_push(ctx->untrusted, cert); if(ret < 1) { xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_push"); return(-1); } } return(0); }
int tls_sc_add_ca_cert(lua_State *L) { tls_sc_t *ctx = getSC(L); X509 *x509; int newCAStore = FALSE; if (!ctx->ca_store) { ctx->ca_store = X509_STORE_new(); newCAStore = TRUE; } x509 = _lua_load_x509(L, 2); if (!x509) { lua_pushboolean(L, 0); return 1; } X509_STORE_add_cert(ctx->ca_store, x509); SSL_CTX_add_client_CA(ctx->ctx, x509); X509_free(x509); if (newCAStore) { SSL_CTX_set_cert_store(ctx->ctx, ctx->ca_store); } lua_pushboolean(L, 1); return 1; }
selene_error_t* selene_conf_ca_trusted_cert_add(selene_conf_t *conf, const char *certificate) { /* TOOD: replace with native x509 :( )*/ BIO *bio = BIO_new(BIO_s_mem()); int r = BIO_write(bio, certificate, strlen(certificate)); if (r <= 0) { BIO_free(bio); return selene_error_createf(SELENE_ENOMEM, "Attempting to parse CA certificate, BIO_write returned: %d", r); } X509* x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); if (!x509) { BIO_free(bio); /* TODO: better error messages */ return selene_error_create(SELENE_ENOMEM, "Attempting to parse CA certificate, PEM_read_bio_X509 failed."); } BIO_free(bio); X509_STORE_add_cert(conf->trusted_cert_store, x509); return SELENE_SUCCESS; }
static CURLcode sslctxfun( CURL * curl, void * sslctx, void * parm ) { sslctxparm * p = (sslctxparm *) parm; SSL_CTX * ctx = (SSL_CTX *) sslctx ; if ( !SSL_CTX_use_certificate( ctx,p->usercert ) ) { BIO_printf( p->errorbio, "SSL_CTX_use_certificate problem\n" ); goto err; } if ( !SSL_CTX_use_PrivateKey( ctx,p->pkey ) ) { BIO_printf( p->errorbio, "SSL_CTX_use_PrivateKey\n" ); goto err; } if ( !SSL_CTX_check_private_key( ctx ) ) { BIO_printf( p->errorbio, "SSL_CTX_check_private_key\n" ); goto err; } SSL_CTX_set_quiet_shutdown( ctx,1 ); SSL_CTX_set_cipher_list( ctx,"RC4-MD5" ); SSL_CTX_set_mode( ctx, SSL_MODE_AUTO_RETRY ); X509_STORE_add_cert( ctx->cert_store,sk_X509_value( p->ca,sk_X509_num( p->ca ) - 1 ) ); SSL_CTX_set_verify_depth( ctx,2 ); SSL_CTX_set_verify( ctx,SSL_VERIFY_PEER,NULL ); SSL_CTX_set_cert_verify_callback( ctx, ssl_app_verify_callback, parm ); return CURLE_OK ; err: ERR_print_errors( p->errorbio ); return CURLE_SSL_CERTPROBLEM; }
int s2n_x509_trust_store_add_pem(struct s2n_x509_trust_store *store, const char *pem) { notnull_check(store); notnull_check(pem); if (!store->trust_store) { store->trust_store = X509_STORE_new(); } DEFER_CLEANUP(struct s2n_stuffer pem_in_stuffer = {{0}}, s2n_stuffer_free); DEFER_CLEANUP(struct s2n_stuffer der_out_stuffer = {{0}}, s2n_stuffer_free); GUARD(s2n_stuffer_alloc_ro_from_string(&pem_in_stuffer, pem)); GUARD(s2n_stuffer_growable_alloc(&der_out_stuffer, 2048)); do { DEFER_CLEANUP(struct s2n_blob next_cert = {0}, s2n_free); GUARD(s2n_stuffer_certificate_from_pem(&pem_in_stuffer, &der_out_stuffer)); GUARD(s2n_alloc(&next_cert, s2n_stuffer_data_available(&der_out_stuffer))); GUARD(s2n_stuffer_read(&der_out_stuffer, &next_cert)); const uint8_t *data = next_cert.data; DEFER_CLEANUP(X509 *ca_cert = d2i_X509(NULL, &data, next_cert.size), X509_free_pointer); S2N_ERROR_IF(ca_cert == NULL, S2N_ERR_DECODE_CERTIFICATE); GUARD_OSSL(X509_STORE_add_cert(store->trust_store, ca_cert), S2N_ERR_DECODE_CERTIFICATE); } while (s2n_stuffer_data_available(&pem_in_stuffer)); return 0; }
static X509_STORE *pkcs7_get_ca_store(const char *cacert) { X509_STORE *store; X509 *ca; ca = pkcs7_get_ca_certificate(cacert); if (!ca) { return NULL; } store = X509_STORE_new(); if (!store) { X509_free(ca); return NULL; } if (X509_STORE_add_cert(store, ca) <= 0) { X509_STORE_free(store); X509_free(ca); return NULL; } X509_free(ca); return store; }
static int SSL_CTX_use_certificate_file_with_check( SSL_CTX *ctx, char *file, int type) { FILE *fp; X509 *x509; X509_STORE_CTX *sctx; int ret; ret = SSL_CTX_use_certificate_file(ctx, file, type); if(!ret) return ret; if(!(fp = fopen(file, "r"))) { return -1; } x509 = PEM_read_X509(fp, NULL, NULL, NULL); if(!x509){ rewind(fp); x509 = d2i_X509_fp(fp, NULL); } fclose(fp); if(!x509) return -1; X509_STORE_add_cert(ctx->cert_store, x509); sctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(sctx, ctx->cert_store, x509, NULL); X509_STORE_CTX_set_verify_cb(sctx, LocalVerifyCallBack); X509_verify_cert(sctx); X509_STORE_CTX_free(sctx); CheckValidPeriod(x509); return ret; }
int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) { STACK_OF(X509_INFO) *inf; X509_INFO *itmp; BIO *in; int i, count = 0; if (type != X509_FILETYPE_PEM) return X509_load_cert_file(ctx, file, type); in = BIO_new_file(file, "r"); if (!in) { X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB); return 0; } inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); BIO_free(in); if (!inf) { X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB); return 0; } for (i = 0; i < sk_X509_INFO_num(inf); i++) { itmp = sk_X509_INFO_value(inf, i); if (itmp->x509) { X509_STORE_add_cert(ctx->store_ctx, itmp->x509); count++; } if (itmp->crl) { X509_STORE_add_crl(ctx->store_ctx, itmp->crl); count++; } } sk_X509_INFO_pop_free(inf, X509_INFO_free); return count; }
static int add_pem_cert(SSL_CTX *sslCtx, char const* pem_cert) { X509 *cert; BIO *mem = BIO_new(BIO_s_mem()); if (NULL == mem) { PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed BIO_new for PEM certificate\n", sslCtx); return -1; } BIO_puts(mem, pem_cert); cert = PEM_read_bio_X509(mem, NULL, 0, NULL); BIO_free(mem); if (NULL == cert) { ERR_print_errors_cb(print_to_pubnub_log, NULL); PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed to read PEM certificate\n", sslCtx); return -1; } if (0 == X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert)) { ERR_print_errors_cb(print_to_pubnub_log, NULL); PUBNUB_LOG_ERROR("SSL_CTX=%p: Failed to add PEM certificate\n", sslCtx); X509_free(cert); return -1; } X509_free(cert); return 0; }
void SSLContext::addVerificationCertificate(const crypto::X509Certificate& certificate) { int errCode = X509_STORE_add_cert(SSL_CTX_get_cert_store(_sslContext), const_cast<X509*>(certificate.certificate())); if (errCode != 1) { std::string msg = getLastError(); throw std::runtime_error("SSL Error: Cannot add verification certificate: " + msg); } }
apr_status_t serf_ssl_trust_cert( serf_ssl_context_t *ssl_ctx, serf_ssl_certificate_t *cert) { X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx); int result = X509_STORE_add_cert(store, cert->ssl_cert); return result ? APR_SUCCESS : APR_EGENERAL; }
static int check_certificate_by_signer (X509 *peercert) { X509_STORE_CTX *xsc; X509_STORE *ctx; int pass = 0, i; ctx = X509_STORE_new (); if (ctx == NULL) return 0; if (option (OPTSSLSYSTEMCERTS)) { if (X509_STORE_set_default_paths (ctx)) pass++; else dprint (2, (debugfile, "X509_STORE_set_default_paths failed\n")); } if (X509_STORE_load_locations (ctx, SslCertFile, NULL)) pass++; else dprint (2, (debugfile, "X509_STORE_load_locations failed\n")); for (i = 0; i < sk_X509_num (SslSessionCerts); i++) pass += (X509_STORE_add_cert (ctx, sk_X509_value (SslSessionCerts, i)) != 0); if (pass == 0) { /* nothing to do */ X509_STORE_free (ctx); return 0; } xsc = X509_STORE_CTX_new(); if (xsc == NULL) return 0; X509_STORE_CTX_init (xsc, ctx, peercert, SslSessionCerts); pass = (X509_verify_cert (xsc) > 0); #ifdef DEBUG if (! pass) { char buf[SHORT_STRING]; int err; err = X509_STORE_CTX_get_error (xsc); snprintf (buf, sizeof (buf), "%s (%d)", X509_verify_cert_error_string(err), err); dprint (2, (debugfile, "X509_verify_cert: %s\n", buf)); dprint (2, (debugfile, " [%s]\n", peercert->name)); } #endif X509_STORE_CTX_free (xsc); X509_STORE_free (ctx); return pass; }
static int cryptoMagic(X509 *x0, X509 *x1, X509 *x2, const unsigned char *toHashData, int toHashLength, /*XXX const*/ unsigned char *rsaSigData, int rsaSigLen, DataValue *partialDigest) { int rv = 0; EVP_PKEY *pk = X509_get_pubkey(x2); if (pk) { if (pk->type == EVP_PKEY_RSA) { RSA *rsa = EVP_PKEY_get1_RSA(pk); if (rsa) { X509_STORE *store = X509_STORE_new(); if (store) { X509_STORE_CTX ctx; X509_STORE_add_cert(store, x0); X509_STORE_add_cert(store, x1); if (X509_STORE_CTX_init(&ctx, store, x2, 0) == 1) { X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_IGNORE_CRITICAL); if (X509_verify_cert(&ctx) == 1) { unsigned char md[SHA_DIGEST_LENGTH]; if (partialDigest) { // XXX we need to flip ECID back before hashing flipAppleImg3Header((AppleImg3Header *)toHashData); doPartialSHA1(md, toHashData, toHashLength, partialDigest); } else { SHA1(toHashData, toHashLength, md); } rv = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, rsaSigData, rsaSigLen, rsa); } X509_STORE_CTX_cleanup(&ctx); } X509_STORE_free(store); } RSA_free(rsa); } } EVP_PKEY_free(pk); } return rv ? 0 : -1; }
SEXP PKI_verify_cert(SEXP sCA, SEXP sCert) { X509 *cert; X509_STORE *store; X509_STORE_CTX *ctx; int rv; PKI_init(); cert = retrieve_cert(sCert, ""); store = X509_STORE_new(); if (TYPEOF(sCA) == VECSXP) { int i; for (i = 0; i < LENGTH(sCA); i++) X509_STORE_add_cert(store, retrieve_cert(VECTOR_ELT(sCA, i),"CA ")); } else X509_STORE_add_cert(store, retrieve_cert(sCA, "CA ")); ctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(ctx, store, cert, NULL); rv = X509_verify_cert(ctx); X509_STORE_CTX_free(ctx); X509_STORE_free(store); return ScalarLogical((rv == 1) ? TRUE : FALSE); }
void PaymentServerTests::paymentServerTests() { SelectParams(CBaseChainParams::MAIN); OptionsModel optionsModel; PaymentServer* server = new PaymentServer(NULL, false); X509_STORE* caStore = X509_STORE_new(); X509_STORE_add_cert(caStore, parse_b64der_cert(caCert_BASE64)); PaymentServer::LoadRootCAs(caStore); server->setOptionsModel(&optionsModel); server->uiReady(); // Now feed PaymentRequests to server, and observe signals it produces: std::vector<unsigned char> data = DecodeBase64(paymentrequest1_BASE64); SendCoinsRecipient r = handleRequest(server, data); QString merchant; r.paymentRequest.getMerchant(caStore, merchant); QCOMPARE(merchant, QString("testmerchant.org")); // Version of the above, with an expired certificate: data = DecodeBase64(paymentrequest2_BASE64); r = handleRequest(server, data); r.paymentRequest.getMerchant(caStore, merchant); QCOMPARE(merchant, QString("")); // Long certificate chain: data = DecodeBase64(paymentrequest3_BASE64); r = handleRequest(server, data); r.paymentRequest.getMerchant(caStore, merchant); QCOMPARE(merchant, QString("testmerchant8.org")); // Long certificate chain, with an expired certificate in the middle: data = DecodeBase64(paymentrequest4_BASE64); r = handleRequest(server, data); r.paymentRequest.getMerchant(caStore, merchant); QCOMPARE(merchant, QString("")); // Validly signed, but by a CA not in our root CA list: data = DecodeBase64(paymentrequest5_BASE64); r = handleRequest(server, data); r.paymentRequest.getMerchant(caStore, merchant); QCOMPARE(merchant, QString("")); // Try again with no root CA's, verifiedMerchant should be empty: caStore = X509_STORE_new(); PaymentServer::LoadRootCAs(caStore); data = DecodeBase64(paymentrequest1_BASE64); r = handleRequest(server, data); r.paymentRequest.getMerchant(caStore, merchant); QCOMPARE(merchant, QString("")); delete server; }
RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore) { PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore; AssertPtrReturn(pThis, VERR_INVALID_HANDLE); AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE); /* * Use the pfnCertFindAll method to add all certificates to the store we're returning. */ int rc; X509_STORE *pOsslStore = X509_STORE_new(); if (pOsslStore) { RTCRSTORECERTSEARCH Search; rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search); if (RT_SUCCESS(rc)) { do { PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search); if (!pCertCtx) break; if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER) { X509 *pOsslCert = NULL; const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded; if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert) { if (!X509_STORE_add_cert(pOsslStore, pOsslCert)) rc = VERR_NO_MEMORY; X509_free(pOsslCert); } } RTCrCertCtxRelease(pCertCtx); } while (RT_SUCCESS(rc)); pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search); if (RT_SUCCESS(rc)) { *ppvOpenSslStore = pOsslStore; return VINF_SUCCESS; } } X509_STORE_free(pOsslStore); } else rc = VERR_NO_MEMORY; return rc; }
// This imports the certificates in a given Windows certificate store into an // X509_STORE for // openssl to use during certificate validation. static int importCertStoreToX509_STORE( LPWSTR storeName, DWORD storeLocation, X509_STORE* verifyStore, char* err, size_t err_len) { int status = 1; X509* x509Cert = NULL; HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, storeLocation | CERT_STORE_READONLY_FLAG, storeName); if (systemStore == NULL) { formatError(GetLastError(),"error opening system CA store",err,err_len); status = 0; goto CLEANUP; } PCCERT_CONTEXT certCtx = NULL; while ((certCtx = CertEnumCertificatesInStore(systemStore, certCtx)) != NULL) { const uint8_t * certBytes = (const uint8_t *)(certCtx->pbCertEncoded); x509Cert = d2i_X509(NULL, &certBytes, certCtx->cbCertEncoded); if (x509Cert == NULL) { // 120 from the SSL documentation for ERR_error_string static const size_t msglen = 120; char msg[msglen]; ERR_error_string_n(ERR_get_error(), msg, msglen); snprintf( err, err_len, "Error parsing X509 object from Windows certificate store %s", msg); status = 0; goto CLEANUP; } if (1 != X509_STORE_add_cert(verifyStore, x509Cert)) { int store_error_status = checkX509_STORE_error(err, err_len); if (!store_error_status) { status = 0; goto CLEANUP; } } } DWORD lastError = GetLastError(); if (lastError != CRYPT_E_NOT_FOUND) { formatError(lastError,"Error enumerating certificates",err,err_len); status = 0; goto CLEANUP; } CLEANUP: if (systemStore != NULL) { CertCloseStore(systemStore, 0); } if (x509Cert != NULL) { X509_free(x509Cert); } return status; }
static VALUE ossl_x509store_add_cert(VALUE self, VALUE arg) { X509_STORE *store; X509 *cert; cert = GetX509CertPtr(arg); /* NO NEED TO DUP */ GetX509Store(self, store); if (X509_STORE_add_cert(store, cert) != 1){ ossl_raise(eX509StoreError, NULL); } return self; }
bool _mongoc_openssl_import_cert_store (LPWSTR store_name, DWORD dwFlags, X509_STORE *openssl_store) { PCCERT_CONTEXT cert = NULL; HCERTSTORE cert_store; cert_store = CertOpenStore ( CERT_STORE_PROV_SYSTEM, /* provider */ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, /* certificate encoding */ 0, /* unused */ dwFlags, /* dwFlags */ store_name); /* system store name. "My" or "Root" */ if (cert_store == NULL) { LPTSTR msg = NULL; FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL, GetLastError (), LANG_NEUTRAL, (LPTSTR) &msg, 0, NULL); MONGOC_ERROR ("Can't open CA store: 0x%.8X: '%s'", (unsigned int) GetLastError (), msg); LocalFree (msg); return false; } while ((cert = CertEnumCertificatesInStore (cert_store, cert)) != NULL) { X509 *x509Obj = d2i_X509 (NULL, (const unsigned char **) &cert->pbCertEncoded, cert->cbCertEncoded); if (x509Obj == NULL) { MONGOC_WARNING ( "Error parsing X509 object from Windows certificate store"); continue; } X509_STORE_add_cert (openssl_store, x509Obj); X509_free (x509Obj); } CertCloseStore (cert_store, 0); return true; }
bool net_nfc_util_openssl_add_certificate_of_ca(net_nfc_openssl_verify_context_s *context, uint8_t *buffer, uint32_t length) { bool result = false; X509 *x509 = NULL; x509 = _load_certificate_from_mem(1, buffer, length, NULL); if (x509 != NULL) { X509_STORE_add_cert(context->store, x509); result = true; } return result; }
static X509_STORE *load_cert_chain(const char *file) { X509_STORE *castore = X509_STORE_new(); if (!castore) { return NULL; } /* * Set error callback function for verification of CRTs and CRLs in order * to ignore some errors depending on configuration */ X509_STORE_set_verify_cb(castore, cms_verify_callback); BIO *castore_bio = BIO_new_file(file, "r"); if (!castore_bio) { TRACE("failed: BIO_new_file(%s)", file); return NULL; } int crt_count = 0; X509 *crt = NULL; do { crt = PEM_read_bio_X509(castore_bio, NULL, 0, NULL); if (crt) { crt_count++; char *subj = X509_NAME_oneline(X509_get_subject_name(crt), NULL, 0); char *issuer = X509_NAME_oneline(X509_get_issuer_name(crt), NULL, 0); TRACE("Read PEM #%d: %s %s", crt_count, issuer, subj); free(subj); free(issuer); if (X509_STORE_add_cert(castore, crt) == 0) { TRACE("Adding certificate to X509_STORE failed"); BIO_free(castore_bio); X509_STORE_free(castore); return NULL; } } } while (crt); BIO_free(castore_bio); if (crt_count == 0) { X509_STORE_free(castore); return NULL; } return castore; }
/* * Store CA file into store. */ static int X509_store_add_cert_file(X509_STORE *store, const char *fname) { FILE *fin = NULL; X509 *x509 = NULL; unsigned long err; assert(store != NULL); assert(fname != NULL); fin = fopen(fname, "r"); if (fin == NULL) { printf_debug(DEBUG_PREFIX_CERT, "Cannot open certificate '%s'.\n", fname); goto fail; } x509 = PEM_read_X509(fin, NULL, NULL, NULL); if (x509 == NULL) { printf_debug(DEBUG_PREFIX_CERT, "Cannot parse certificate '%s'.\n", fname); goto fail; } if (X509_STORE_add_cert(store, x509) == 0) { err = ERR_get_error(); printf_debug(DEBUG_PREFIX_CERT, "Cannot store certificate '%s'. Error: %s.\n", fname, ERR_error_string(err, NULL)); goto fail; } X509_free(x509); x509 = NULL; fclose(fin); fin = NULL; return 0; fail: if (fin != NULL) { fclose(fin); } if (x509 != NULL) { X509_free(x509); } return -1; }
/* * We will put into store X509 object from passed data in buffer only * when object name match passed. To compare both names we use our * method "ssh_X509_NAME_cmp"(it is more general). */ static int/*bool*/ ldaplookup_data2store( int type, X509_NAME* name, void* buf, int len, X509_STORE* store ) { int ok = 0; BIO *mbio; if (name == NULL) return(0); if (buf == NULL) return(0); if (len <= 0) return(0); if (store == NULL) return(0); mbio = BIO_new_mem_buf(buf, len); if (mbio == NULL) return(0); switch (type) { case X509_LU_X509: { X509 *x509 = d2i_X509_bio(mbio, NULL); if(x509 == NULL) goto exit; /*This is correct since lookup method is by subject*/ if (ssh_X509_NAME_cmp(name, X509_get_subject_name(x509)) != 0) goto exit; ok = X509_STORE_add_cert(store, x509); } break; case X509_LU_CRL: { X509_CRL *crl = d2i_X509_CRL_bio(mbio, NULL); if(crl == NULL) goto exit; if (ssh_X509_NAME_cmp(name, X509_CRL_get_issuer(crl)) != 0) goto exit; ok = X509_STORE_add_crl(store, crl); } break; } exit: if (mbio != NULL) BIO_free_all(mbio); #ifdef TRACE_BY_LDAP fprintf(stderr, "TRACE_BY_LDAP ldaplookup_data2store: ok=%d\n", ok); #endif return(ok); }
// Adds a buffer containing one or more PEM-encoded // root certificates to the X509PEMVerifier. // // If the certificate (or one of the certificates) could not be // parsed AddPEM will return immediately, resulting in all of the // certificates up to the bad certicate being added to the verifier. bool X509PEMVerifier::AddPEM(const ByteArray &buf) { BIO *mem = BIO_new_mem_buf(static_cast<void *>(const_cast<char *>(buf.ConstData())), buf.Length()); (void) BIO_set_close(mem, BIO_NOCLOSE); int ncerts = 0; while (1) { X509 *x = PEM_read_bio_X509_AUX(mem, nullptr, nullptr, nullptr); if (x == nullptr) { return false; } X509_STORE_add_cert(store_, x); X509_free(x); ncerts++; } return true; }
bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){ LOGGER_FN(); try{ LOGGER_OPENSSL(X509_STORE_CTX_new); X509_STORE_CTX *ctx = X509_STORE_CTX_new(); if (!ctx) { THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx"); } LOGGER_OPENSSL(X509_STORE_new); X509_STORE *st = X509_STORE_new(); if (!st) { THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store"); } for (int i = 0, c = chain->length(); i < c; i++){ LOGGER_OPENSSL(X509_STORE_add_cert); X509_STORE_add_cert(st, X509_dup(chain->items(i)->internal())); } X509_CRL *xtempCRL = NULL; LOGGER_OPENSSL(X509_STORE_CTX_init); X509_STORE_CTX_init(ctx, st, chain->items(0)->internal(), chain->internal()); LOGGER_OPENSSL(X509_STORE_CTX_set0_crls); X509_STORE_CTX_set0_crls(ctx, crls->internal()); LOGGER_OPENSSL(X509_STORE_CTX_set_flags); X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); LOGGER_OPENSSL(X509_STORE_CTX_set_flags); X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK_ALL); LOGGER_OPENSSL(X509_verify_cert); if (X509_verify_cert(ctx) <= 0){ return false; } return true; } catch (Handle<Exception> e){ THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)"); } }
bool X509Certificate_OpenSSL::verify(ref <const X509Certificate> caCert_) const { ref <const X509Certificate_OpenSSL> caCert = caCert_.dynamicCast <const X509Certificate_OpenSSL>(); bool verified = false; bool error = true; X509_STORE *store = X509_STORE_new(); if (store) { X509_STORE_CTX *verifyCtx = X509_STORE_CTX_new(); if (verifyCtx) { if (X509_STORE_add_cert(store, caCert->m_data->cert)) { X509_STORE_CTX_init(verifyCtx, store, m_data->cert, NULL); int ret = X509_verify_cert(verifyCtx); if (ret == 1) { verified = true; error = false; } else if (ret == 0) { verified = false; error = false; } //X509_verify_cert_error_string(vrfy_ctx->error) X509_STORE_CTX_free(verifyCtx); } } X509_STORE_free(store); } return verified && !error; }
static int tls_sc_add_root_certs(lua_State *L) { int i; tls_sc_t *ctx = getSC(L); ERR_clear_error(); if (!root_cert_store) { root_cert_store = X509_STORE_new(); for (i = 0; root_certs[i]; i++) { BIO *bp = BIO_new(BIO_s_mem()); X509 *x509; if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) { printf("error writing cert %s\n", root_certs[i]); BIO_free(bp); lua_pushboolean(L, 0); return 1; } x509 = PEM_read_bio_X509(bp, NULL, 0, NULL); if (x509 == NULL) { char buf[1024]; ERR_error_string(ERR_get_error(), buf); printf("error writing x509 cert %s\n", buf); BIO_free(bp); lua_pushboolean(L, 0); return 1; } X509_STORE_add_cert(root_cert_store, x509); BIO_free(bp); X509_free(x509); } } ctx->ca_store = root_cert_store; SSL_CTX_set_cert_store(ctx->ctx, ctx->ca_store); lua_pushboolean(L, 1); return 1; }
int check_time_stamp(TS_RESP* tsResponse, X509* caCert, char* hash, UNSIGNED32 hash_size) { int result = 0; TS_REQ* tsRequest = NULL; TS_VERIFY_CTX* ctx = NULL; TS_MSG_IMPRINT* msgImprint = NULL; ASN1_OCTET_STRING* hashedMessage = NULL; int hashedMessageLength; tsRequest = get_timestamp_request(hash, hash_size, tsResponse->tst_info->nonce); msgImprint = TS_REQ_get_msg_imprint(tsRequest); hashedMessage = TS_MSG_IMPRINT_get_msg(msgImprint); hashedMessageLength = ASN1_STRING_length((ASN1_STRING*)hashedMessage); if (hashedMessageLength != (int)hash_size) { goto end; } if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(tsRequest, NULL))) { goto end; } ctx->flags |= TS_VFY_SIGNATURE; ctx->store = X509_STORE_new(); X509_STORE_add_cert(ctx->store, caCert); if (ossl_TS_RESP_verify_response(ctx, tsResponse)) { result = 1; } end: if (tsRequest != NULL) { TS_REQ_free(tsRequest); } if (ctx != NULL) { TS_VERIFY_CTX_free(ctx); } return result; }
bud_error_t bud_config_load_ca_arr(X509_STORE** store, const JSON_Array* ca) { int i; int count; bud_error_t err; err = bud_config_verify_all_strings(ca, "ca"); if (!bud_is_ok(err)) return err; *store = X509_STORE_new(); if (*store == NULL) return bud_error_str(kBudErrNoMem, "CA store"); count = json_array_get_count(ca); for (i = 0; i < count; i++) { const char* cert; BIO* b; X509* x509; cert = json_array_get_string(ca, i); b = BIO_new_mem_buf((void*) cert, -1); if (b == NULL) return bud_error_str(kBudErrNoMem, "BIO_new_mem_buf:CA store bio"); while ((x509 = PEM_read_bio_X509(b, NULL, NULL, NULL)) != NULL) { if (x509 == NULL) { err = bud_error_dstr(kBudErrParseCert, cert); break; } if (X509_STORE_add_cert(*store, x509) != 1) { err = bud_error(kBudErrAddCert); break; } X509_free(x509); x509 = NULL; } BIO_free_all(b); if (x509 != NULL) X509_free(x509); } return err; }