void ssl_cert_clear_certs(CERT *c) { int i; if (c == NULL) return; for (i = 0; i<SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = c->pkeys + i; if (cpk->x509) { X509_free(cpk->x509); cpk->x509 = NULL; } if (cpk->privatekey) { EVP_PKEY_free(cpk->privatekey); cpk->privatekey = NULL; } if (cpk->chain) { sk_X509_pop_free(cpk->chain, X509_free); cpk->chain = NULL; } } }
void ssl_sess_cert_free(SESS_CERT *sc) { int i; if (sc == NULL) return; i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT); if (i > 0) return; /* i == 0 */ if (sc->cert_chain != NULL) sk_X509_pop_free(sc->cert_chain, X509_free); for (i = 0; i < SSL_PKEY_NUM; i++) { if (sc->peer_pkeys[i].x509 != NULL) X509_free(sc->peer_pkeys[i].x509); } DH_free(sc->peer_dh_tmp); EC_KEY_free(sc->peer_ecdh_tmp); free(sc); }
static void xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) { xmlSecOpenSSLX509StoreCtxPtr ctx; xmlSecAssert(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId)); ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert(ctx != NULL); if(ctx->xst != NULL) { X509_STORE_free(ctx->xst); } if(ctx->untrusted != NULL) { sk_X509_pop_free(ctx->untrusted, X509_free); } if(ctx->crls != NULL) { sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free); } #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) if(ctx->vpm != NULL) { X509_VERIFY_PARAM_free(ctx->vpm); } #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ memset(ctx, 0, sizeof(xmlSecOpenSSLX509StoreCtx)); }
static VALUE ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self) { VALUE store, cert, chain, t; X509_STORE_CTX *ctx; X509_STORE *x509st; X509 *x509 = NULL; STACK_OF(X509) *x509s = NULL; rb_scan_args(argc, argv, "12", &store, &cert, &chain); GetX509StCtx(self, ctx); SafeGetX509Store(store, x509st); if(!NIL_P(cert)) x509 = DupX509CertPtr(cert); /* NEED TO DUP */ if(!NIL_P(chain)) x509s = ossl_x509_ary2sk(chain); #if (OPENSSL_VERSION_NUMBER >= 0x00907000L) if(X509_STORE_CTX_init(ctx, x509st, x509, x509s) != 1){ sk_X509_pop_free(x509s, X509_free); ossl_raise(eX509StoreError, NULL); } #else X509_STORE_CTX_init(ctx, x509st, x509, x509s); ossl_x509stctx_set_flags(self, rb_iv_get(store, "@flags")); ossl_x509stctx_set_purpose(self, rb_iv_get(store, "@purpose")); ossl_x509stctx_set_trust(self, rb_iv_get(store, "@trust")); #endif if (!NIL_P(t = rb_iv_get(store, "@time"))) ossl_x509stctx_set_time(self, t); rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback")); rb_iv_set(self, "@cert", cert); return self; }
/** * This function destroys a globus_gsi_callback_data_t. * @ingroup globus_gsi_callback_data * * @param callback_data * The structure to be destroyed * * @return * GLOBUS_SUCCESS unless an error occurred, in which case, * a globus error object ID is returned */ globus_result_t globus_gsi_callback_data_destroy( globus_gsi_callback_data_t callback_data) { globus_result_t result = GLOBUS_SUCCESS; static char * _function_name_ = "globus_gsi_callback_data_destroy"; GLOBUS_I_GSI_CALLBACK_DEBUG_ENTER; if(!callback_data) { goto exit; } if(callback_data->cert_chain) { sk_X509_pop_free(callback_data->cert_chain, X509_free); } if(callback_data->cert_dir) { globus_libc_free(callback_data->cert_dir); } /* extension_oids have to be free independantly */ globus_object_free(globus_error_get(callback_data->error)); globus_libc_free(callback_data); exit: GLOBUS_I_GSI_CALLBACK_DEBUG_EXIT; return result; }
// success of certificates extraction bool pemData(X509_STORE_CTX* ctx, ListHashSet<String>& certificates) { bool ok = true; STACK_OF(X509)* certs = X509_STORE_CTX_get1_chain(ctx); for (int i = 0; i < sk_X509_num(certs); i++) { X509* uCert = sk_X509_value(certs, i); BIO* bio = BIO_new(BIO_s_mem()); int res = PEM_write_bio_X509(bio, uCert); if (!res) { ok = false; BIO_free(bio); break; } unsigned char* certificateData; long length = BIO_get_mem_data(bio, &certificateData); if (length < 0) { ok = false; BIO_free(bio); break; } certificateData[length] = '\0'; String certificate = certificateData; certificates.add(certificate); BIO_free(bio); } sk_X509_pop_free(certs, X509_free); return ok; }
static VALUE ossl_ocspreq_sign(int argc, VALUE *argv, VALUE self) { VALUE signer_cert, signer_key, certs, flags; OCSP_REQUEST *req; X509 *signer; EVP_PKEY *key; STACK_OF(X509) *x509s; unsigned long flg; int ret; rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags); signer = GetX509CertPtr(signer_cert); key = GetPrivPKeyPtr(signer_key); flg = NIL_P(flags) ? 0 : NUM2INT(flags); if(NIL_P(certs)){ x509s = sk_X509_new_null(); flags |= OCSP_NOCERTS; } else x509s = ossl_x509_ary2sk(certs); GetOCSPReq(self, req); ret = OCSP_request_sign(req, signer, key, EVP_sha1(), x509s, flg); sk_X509_pop_free(x509s, X509_free); if(!ret) ossl_raise(eOCSPError, NULL); return self; }
static LUA_FUNCTION(openssl_pkcs7_sign) { BIO *in = load_bio_object(L, 1); X509 *cert = CHECK_OBJECT(2, X509, "openssl.x509"); EVP_PKEY *privkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); STACK_OF(X509) *others = lua_isnoneornil(L, 4) ? 0 : openssl_sk_x509_fromtable(L, 4); long flags = luaL_optint(L, 5, 0); PKCS7 *p7 = NULL; luaL_argcheck(L, openssl_pkey_is_private(privkey), 3, "must be private key"); if (!X509_check_private_key(cert, privkey)) luaL_error(L, "sigcert and private key not match"); p7 = PKCS7_sign(cert, privkey, others, in, flags); BIO_free(in); if (others) sk_X509_pop_free(others, X509_free); if (p7) { PUSH_OBJECT(p7, "openssl.pkcs7"); return 1; } else { luaL_error(L, "error creating PKCS7 structure!"); } return 0; }
static VALUE ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self) { VALUE signer_cert, signer_key, certs, flags; OCSP_BASICRESP *bs; X509 *signer; EVP_PKEY *key; STACK_OF(X509) *x509s; unsigned long flg; int ret; rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags); signer = GetX509CertPtr(signer_cert); key = GetPrivPKeyPtr(signer_key); flg = NIL_P(flags) ? 0 : NUM2INT(flags); if(NIL_P(certs)){ x509s = sk_X509_new_null(); flg |= OCSP_NOCERTS; } else{ x509s = ossl_x509_ary2sk(certs); } GetOCSPBasicRes(self, bs); ret = OCSP_basic_sign(bs, signer, key, EVP_sha1(), x509s, flg); sk_X509_pop_free(x509s, X509_free); if(!ret) ossl_raise(eOCSPError, NULL); return self; }
void ssl_cert_clear_certs(CERT *c) { int i; if (c == NULL) return; for (i = 0; i<SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = c->pkeys + i; if (cpk->x509) { X509_free(cpk->x509); cpk->x509 = NULL; } if (cpk->privatekey) { EVP_PKEY_free(cpk->privatekey); cpk->privatekey = NULL; } if (cpk->chain) { sk_X509_pop_free(cpk->chain, X509_free); cpk->chain = NULL; } #ifndef OPENSSL_NO_TLSEXT if (cpk->serverinfo) { OPENSSL_free(cpk->serverinfo); cpk->serverinfo = NULL; cpk->serverinfo_length = 0; } #endif /* Clear all flags apart from explicit sign */ cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN; } }
STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) { STACK_OF(X509) *certs = NULL; CMS_CertificateChoices *cch; STACK_OF(CMS_CertificateChoices) **pcerts; int i; pcerts = cms_get0_certificate_choices(cms); if (!pcerts) return NULL; for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { cch = sk_CMS_CertificateChoices_value(*pcerts, i); if (cch->type == 0) { if (!certs) { certs = sk_X509_new_null(); if (!certs) return NULL; } if (!sk_X509_push(certs, cch->d.certificate)) { sk_X509_pop_free(certs, X509_free); return NULL; } CRYPTO_add(&cch->d.certificate->references, 1, CRYPTO_LOCK_X509); } } return certs; }
void AC_CERTS_free(AC_CERTS *a) { if (a==NULL) return; sk_X509_pop_free(a->stackcert, X509_free); OPENSSL_free(a); }
static int check_signer_name(CMS_ContentInfo *cms, const char *name) { STACK_OF(CMS_SignerInfo) *infos = CMS_get0_SignerInfos(cms); STACK_OF(X509) *crts; int i, ret = 1; if ((name == NULL) || (name[0] == '\0')) return 0; crts = CMS_get1_certs(cms); for (i = 0; i < sk_CMS_SignerInfo_num(infos); ++i) { CMS_SignerInfo *si = sk_CMS_SignerInfo_value(infos, i); int j; for (j = 0; j < sk_X509_num(crts); ++j) { X509 *crt = sk_X509_value(crts, j); if (CMS_SignerInfo_cert_cmp(si, crt) == 0) { ret = check_common_name( X509_get_subject_name(crt), name); } } } sk_X509_pop_free(crts, X509_free); return ret; }
static VALUE ossl_pkcs12_s_create(int argc, VALUE *argv, VALUE self) { VALUE pass, name, pkey, cert, ca; VALUE obj; char *passphrase, *friendlyname; EVP_PKEY *key; X509 *x509; STACK_OF(X509) *x509s; PKCS12 *p12; rb_scan_args(argc, argv, "41", &pass, &name, &pkey, &cert, &ca); passphrase = NIL_P(pass) ? NULL : StringValuePtr(pass); friendlyname = NIL_P(name) ? NULL : StringValuePtr(name); key = GetPKeyPtr(pkey); x509 = GetX509CertPtr(cert); x509s = NIL_P(ca) ? NULL : ossl_x509_ary2sk(ca); p12 = PKCS12_create(passphrase, friendlyname, key, x509, x509s, 0, 0, 0, 0, 0); sk_X509_pop_free(x509s, X509_free); if(!p12) ossl_raise(ePKCS12Error, NULL); WrapPKCS12(cPKCS12, obj, p12); return obj; }
static LUA_FUNCTION(openssl_pkcs7_encrypt) { PKCS7 * p7 = NULL; BIO *in = load_bio_object(L, 1); STACK_OF(X509) *recipcerts = openssl_sk_x509_fromtable(L, 2); const EVP_CIPHER *cipher = get_cipher(L, 3, "des3"); long flags = luaL_optint(L, 4, 0); if (cipher == NULL) { luaL_error(L, "Failed to get cipher"); } p7 = PKCS7_encrypt(recipcerts, in, cipher, flags); BIO_free(in); sk_X509_pop_free(recipcerts, X509_free); if (p7 == NULL) { lua_pushnil(L); } else { PUSH_OBJECT(p7, "openssl.pkcs7"); } return 1; }
/* * call-seq: * PKCS7.encrypt(certs, data, [, cipher [, flags]]) => pkcs7 */ static VALUE ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass) { VALUE certs, data, cipher, flags; STACK_OF(X509) *x509s; BIO *in; const EVP_CIPHER *ciph; int flg, status = 0; VALUE ret; PKCS7 *p7; rb_scan_args(argc, argv, "22", &certs, &data, &cipher, &flags); if(NIL_P(cipher)){ #if !defined(OPENSSL_NO_RC2) ciph = EVP_rc2_40_cbc(); #elif !defined(OPENSSL_NO_DES) ciph = EVP_des_ede3_cbc(); #elif !defined(OPENSSL_NO_RC2) ciph = EVP_rc2_40_cbc(); #elif !defined(OPENSSL_NO_AES) ciph = EVP_EVP_aes_128_cbc(); #else ossl_raise(ePKCS7Error, "Must specify cipher"); #endif } else ciph = GetCipherPtr(cipher); /* NO NEED TO DUP */ flg = NIL_P(flags) ? 0 : NUM2INT(flags); ret = NewPKCS7(cPKCS7); in = ossl_obj2bio(data); x509s = ossl_protect_x509_ary2sk(certs, &status); if(status){ BIO_free(in); rb_jump_tag(status); } if(!(p7 = PKCS7_encrypt(x509s, in, (EVP_CIPHER*)ciph, flg))){ BIO_free(in); sk_X509_pop_free(x509s, X509_free); ossl_raise(ePKCS7Error, NULL); } BIO_free(in); SetPKCS7(ret, p7); ossl_pkcs7_set_data(ret, data); sk_X509_pop_free(x509s, X509_free); return ret; }
void NETSCAPE_CERT_SEQUENCE_free (NETSCAPE_CERT_SEQUENCE *a) { if (a == NULL) return; ASN1_OBJECT_free(a->type); if(a->certs) sk_X509_pop_free(a->certs, X509_free); OPENSSL_free (a); }
void s2n_x509_validator_wipe(struct s2n_x509_validator *validator) { if (validator->cert_chain) { sk_X509_pop_free(validator->cert_chain, X509_free); validator->cert_chain = NULL; } validator->trust_store = NULL; validator->skip_cert_validation = 0; }
/* * Private functions */ static void ossl_x509stctx_free(X509_STORE_CTX *ctx) { if(ctx->untrusted) sk_X509_pop_free(ctx->untrusted, X509_free); if(ctx->cert) X509_free(ctx->cert); X509_STORE_CTX_free(ctx); }
static void z_certificate_chain_free_method(ZObject *s) { ZCertificateChain *self = Z_CAST(s, ZCertificateChain); if (self->cert) X509_free(self->cert); sk_X509_pop_free(self->chain, X509_free); z_object_free_method(s); }
bdoc::SignatureValidator::~SignatureValidator() { if (_ocspCerts) { sk_X509_pop_free(_ocspCerts, X509_free); } if (_issuerX509) { X509_free(_issuerX509); } }
static VALUE ossl_pkcs7_verify(int argc, VALUE *argv, VALUE self) { VALUE certs, store, indata, flags; STACK_OF(X509) *x509s; X509_STORE *x509st; int flg, ok, status = 0; BIO *in, *out; PKCS7 *p7; VALUE data; const char *msg; rb_scan_args(argc, argv, "22", &certs, &store, &indata, &flags); flg = NIL_P(flags) ? 0 : NUM2INT(flags); if(NIL_P(indata)) indata = ossl_pkcs7_get_data(self); in = NIL_P(indata) ? NULL : ossl_obj2bio(indata); if(NIL_P(certs)) x509s = NULL; else{ x509s = ossl_protect_x509_ary2sk(certs, &status); if(status){ BIO_free(in); /* rb_jump_tag(status); */ rb_notimplement(); } } x509st = GetX509StorePtr(store); GetPKCS7(self, p7); if(!(out = BIO_new(BIO_s_mem()))){ BIO_free(in); sk_X509_pop_free(x509s, X509_free); ossl_raise(ePKCS7Error, NULL); } ok = PKCS7_verify(p7, x509s, x509st, in, out, flg); BIO_free(in); if (ok < 0) ossl_raise(ePKCS7Error, NULL); msg = ERR_reason_error_string(ERR_get_error()); ossl_pkcs7_set_err_string(self, msg ? rb_str_new2(msg) : Qnil); ERR_clear_error(); data = ossl_membio2str(out); ossl_pkcs7_set_data(self, data); sk_X509_pop_free(x509s, X509_free); return (ok == 1) ? Qtrue : Qfalse; }
static void ctx_free(ctx *ctx) { if (ctx == NULL) return; sk_X509_INFO_pop_free(ctx->dec, X509_INFO_free); sk_X509_pop_free(ctx->crt, X509_free); SSL_CTX_free(ctx->ctx); OPENSSL_free(ctx); }
/* * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: * * rootCA (self-signed) * | * interCA * | * subinterCA subinterCA (self-signed) * | | * leaf ------------------ * | * bad * * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE * leaf and bad have CA=FALSE * * subinterCA and subinterCA (ss) have the same subject name and keys * * interCA (but not rootCA) and subinterCA (ss) are in the trusted store * (roots.pem) * leaf and subinterCA are in the untrusted list (untrusted.pem) * bad is the certificate being verified (bad.pem) * * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has * CA=FALSE, and will therefore incorrectly verify bad * */ static int test_alt_chains_cert_forgery(const char *roots_f, const char *untrusted_f, const char *bad_f) { int ret = 0; int i; X509 *x = NULL; STACK_OF(X509) *untrusted = NULL; BIO *bio = NULL; X509_STORE_CTX *sctx = NULL; X509_STORE *store = NULL; X509_LOOKUP *lookup = NULL; store = X509_STORE_new(); if (store == NULL) goto err; lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto err; if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM)) goto err; untrusted = load_certs_from_file(untrusted_f); if ((bio = BIO_new_file(bad_f, "r")) == NULL) goto err; if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL) goto err; sctx = X509_STORE_CTX_new(); if (sctx == NULL) goto err; if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) goto err; i = X509_verify_cert(sctx); if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { /* This is the result we were expecting: Test passed */ ret = 1; } err: X509_STORE_CTX_free(sctx); X509_free(x); BIO_free(bio); sk_X509_pop_free(untrusted, X509_free); X509_STORE_free(store); if (ret != 1) ERR_print_errors_fp(stderr); return ret; }
// VerifyChain verifies the certificate chain in chain // according to the verification options given as opts. bool X509VerifierPrivate::VerifyChain(std::vector<X509Certificate> chain, const X509VerifierOptions &opts) { bool status = false; X509_STORE_CTX *ctx = X509_STORE_CTX_new(); STACK_OF(X509) *untrusted = sk_X509_new_null(); // Ensure that we have a chain to check on. if (chain.empty()) { goto out; } // If we've been passed a DNS name in opts, // we should check whether the leaf certificate // matches that before doing the more expensive // checks. if (!opts.dns_name.empty()) { if (!X509HostnameVerifier::VerifyHostname(chain.at(0), opts.dns_name)) { std::cerr << "X509VerifierPrivate - hostname verification failed" << std::endl; goto out; } } // Extract our chain into the format that OpenSSL // expects for verification. for (X509Certificate &cert : chain) { X509 *cur = cert.dptr_->AsOpenSSLX509(); sk_X509_push(untrusted, cur); } // Set up the X509_STORE_CTX to verify according to opts. X509_STORE_CTX_init(ctx, store_, sk_X509_value(untrusted, 0), untrusted); // If a time is not specified in opts, use the current system time. if (opts.time == 0) { X509_STORE_CTX_set_time(ctx, 0, std::time(nullptr)); } else { X509_STORE_CTX_set_time(ctx, 0, opts.time); } // If a dns_name is specified in opts, use the SSL server policy. if (!opts.dns_name.empty()) { X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SSL_SERVER); X509_STORE_CTX_set_trust(ctx, X509_TRUST_SSL_SERVER); } if (X509_verify_cert(ctx) == 1) { status = true; } else { std::cerr << "X509VerifierPrivate - verification error: " << X509_verify_cert_error_string(ctx->error) << std::endl; } out: sk_X509_pop_free(untrusted, X509_free); X509_STORE_CTX_free(ctx); return status; }
static int lka_X509_verify(struct ca_vrfy_req_msg *vrfy, const char *CAfile, const char *CRLfile) { X509 *x509; X509 *x509_tmp; X509 *x509_tmp2; STACK_OF(X509) *x509_chain; const unsigned char *d2i; size_t i; int ret = 0; const char *errstr; x509 = NULL; x509_tmp = NULL; x509_chain = NULL; d2i = vrfy->cert; if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) { x509 = NULL; goto end; } if (vrfy->n_chain) { x509_chain = sk_X509_new_null(); for (i = 0; i < vrfy->n_chain; ++i) { d2i = vrfy->chain_cert[i]; if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) { x509_tmp = NULL; goto end; } if ((x509_tmp2 = X509_dup(x509_tmp)) == NULL) goto end; sk_X509_insert(x509_chain, x509_tmp2, i); x509_tmp = x509_tmp2 = NULL; } } if (! ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr)) log_debug("debug: lka: X509 verify: %s", errstr); else ret = 1; end: if (x509) X509_free(x509); if (x509_tmp) X509_free(x509_tmp); if (x509_chain) sk_X509_pop_free(x509_chain, X509_free); return ret; }
RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack) { PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore; AssertPtrReturn(pThis, VERR_INVALID_HANDLE); AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE); /* * Use the pfnCertFindAll method to add all certificates to the store we're returning. */ int rc; STACK_OF(X509) *pOsslStack = sk_X509_new_null(); if (pOsslStack) { RTCRSTORECERTSEARCH Search; rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search); if (RT_SUCCESS(rc)) { do { PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search); if (!pCertCtx) break; if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER) { X509 *pOsslCert = NULL; const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded; if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert) { if (!sk_X509_push(pOsslStack, pOsslCert)) { rc = VERR_NO_MEMORY; X509_free(pOsslCert); } } } RTCrCertCtxRelease(pCertCtx); } while (RT_SUCCESS(rc)); pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search); if (RT_SUCCESS(rc)) { *ppvOpenSslStack = pOsslStack; return VINF_SUCCESS; } } sk_X509_pop_free(pOsslStack, X509_free); } else rc = VERR_NO_MEMORY; return rc; }
/* * call-seq: * PKCS7.sign(cert, key, data, [, certs [, flags]]) => pkcs7 */ static VALUE ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass) { VALUE cert, key, data, certs, flags; X509 *x509; EVP_PKEY *pkey; BIO *in; STACK_OF(X509) *x509s; int flg, status = 0; PKCS7 *pkcs7; VALUE ret; rb_scan_args(argc, argv, "32", &cert, &key, &data, &certs, &flags); x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */ pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ flg = NIL_P(flags) ? 0 : NUM2INT(flags); ret = NewPKCS7(cPKCS7); in = ossl_obj2bio(data); if(NIL_P(certs)) x509s = NULL; else{ x509s = ossl_protect_x509_ary2sk(certs, &status); if(status){ BIO_free(in); rb_jump_tag(status); } } if(!(pkcs7 = PKCS7_sign(x509, pkey, x509s, in, flg))){ BIO_free(in); sk_X509_pop_free(x509s, X509_free); ossl_raise(ePKCS7Error, NULL); } SetPKCS7(ret, pkcs7); ossl_pkcs7_set_data(ret, data); ossl_pkcs7_set_err_string(ret, Qnil); BIO_free(in); sk_X509_pop_free(x509s, X509_free); return ret; }
/* Free up and clear all certificates and chains */ void ssl_cert_clear_certs(CERT *cert) { if (cert == NULL) { return; } X509_free(cert->x509); cert->x509 = NULL; EVP_PKEY_free(cert->privatekey); cert->privatekey = NULL; sk_X509_pop_free(cert->chain, X509_free); cert->chain = NULL; cert->key_method = NULL; }
/* Delete the memory used for string errors as well as memory allocated for * certificates and private keys. */ void signature_deinit(void) { if (store) { X509_STORE_free(store); store = NULL; } if (x509_stack) { sk_X509_pop_free(x509_stack, X509_free); x509_stack = NULL; } ERR_free_strings(); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); }