static int process_request(request_rec* r) { char message[MESSAGE_LEN]; sprintf(message, "Starting Tractis auth module process for url %s\n", r->uri); log_debug(message); char *enabled = is_enabled(r); //Not enabled if (enabled == NULL || strcmp(enabled,"true") !=0) { char buff[MESSAGE_LEN]; sprintf(buff,"Module not enabled for given url"); log_debug(buff); return DECLINED; } else { char buff[MESSAGE_LEN]; sprintf(buff,"Module enabled for given url"); log_debug(buff); } //Recover credentials char *user = get_username(r); char *password = get_password(r); char *api_key = get_api_key(r); if (is_debug_enabled()) { char debug_message[MESSAGE_LEN]; sprintf(debug_message, "Credentials are %s:%s and api key is %s", user,password,api_key); log_debug(debug_message); } char* certificate = (char*)apr_table_get(r->subprocess_env, "SSL_CLIENT_CERT"); //The certificate is not present so the client is not allowed to use the service if (!certificate) { char error_message[MESSAGE_LEN]; log_error(401, "No certificate has been provided"); return 401; //HTTP unauthorized } else { if (is_debug_enabled()) { char message[MESSAGE_LEN + strlen(certificate)]; sprintf(message, "User provided certificate \n->%s<-",certificate); log_debug(message); } } int certificate_status = validate_certificate(r,certificate, user, password, api_key); if (certificate_status == VALID) return OK; else { if(is_info_enabled()) { char validation_result[MESSAGE_LEN]; sprintf(validation_result, "The provided certificate reported unsuccessful validation, result code is %d", certificate_status); log_info(validation_result); } //Non valid auth return 401; } }
std::list<std::string> socket_helpers::connection_info::validate_ssl() { std::list<std::string> list; if (!ssl.enabled) return list; #ifndef USE_SSL list.push_back("SSL is not supported (not compiled with openssl)"); #endif #ifdef USE_SSL validate_certificate(ssl.certificate, list); validate_certificate(ssl.ca_path, list); if (!ssl.certificate_key.empty() && !boost::filesystem::is_regular(ssl.certificate_key)) list.push_back("Certificate key not found: " + ssl.certificate_key); if (!ssl.dh_key.empty() && !boost::filesystem::is_regular(ssl.dh_key)) list.push_back("DH key not found: " + ssl.dh_key); #endif return list; }
/* This function must be called before trying to sign any file. * It loads string for errors, and ciphers are auto-loaded by OpenSSL now. * If this function fails it may be because the certificate cannot * be validated. * * returns: true if can initialize and validate certificates, otherwise false */ bool initialize_signature(void) { int ret = -1; time_t mod_sec = 0; struct tm *alttime; struct stat statt; string_or_die(&CERTNAME, "%s/%s", cert_path, SWUPDCERT); ERR_load_crypto_strings(); ERR_load_PKCS7_strings(); EVP_add_digest(EVP_sha256()); if (!get_pubkey()) { goto fail; } ret = validate_certificate(); if (ret) { printf("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret)); if (ret == X509_V_ERR_CERT_NOT_YET_VALID) { /* If we can retrieve an approx. good system time, report out to user */ if (stat("/usr/lib/os-release", &statt) != -1) { mod_sec = statt.st_mtim.tv_sec; char timebuf[30]; alttime = localtime(&mod_sec); strftime(timebuf, sizeof(timebuf), "%F", alttime); printf("System clock should be at least %s\n", timebuf); } } goto fail; } /* Push our trust cert(s) to the stack, which is a set of certificates * in which to search for the signer's cert. */ x509_stack = sk_X509_new_null(); if (!x509_stack) { goto fail; } sk_X509_push(x509_stack, cert); return true; fail: return false; }
/* This function must be called before trying to sign any file. * It loads string for errors, and ciphers are auto-loaded by OpenSSL now. * If this function fails it may be because the certificate cannot * be validated. * * returns: true if can initialize and validate certificates, otherwise false */ bool signature_init(const char *certificate_path, const char *crl) { int ret = -1; X509 *cert; if (!certificate_path) { error("Invalid swupd certificate - Empty"); return false; } ERR_load_crypto_strings(); ERR_load_PKCS7_strings(); EVP_add_digest(EVP_sha256()); cert = get_cert_from_path(certificate_path); if (!cert) { goto fail; } ret = validate_certificate(cert, certificate_path, crl); if (ret) { if (ret == X509_V_ERR_CERT_NOT_YET_VALID) { BIO *b; time_t currtime = 0; struct tm *timeinfo; char time_str[50]; /* The system time wasn't sane, print out what it is and the cert validity range */ time(&currtime); timeinfo = localtime(&currtime); strftime(time_str, sizeof(time_str), "%a %b %d %H:%M:%S %Y", timeinfo); warn("Current time is %s\n", time_str); info("Certificate validity is:\n"); b = BIO_new_fp(stdout, BIO_NOCLOSE); if (b == NULL) { error("Failed to create BIO wrapping stream\n"); goto fail; } /* The ASN1_TIME_print function does not include a newline... */ if (!ASN1_TIME_print(b, X509_get_notBefore(cert))) { info("\n"); error("Failed to get certificate begin date\n"); goto fail; } info("\n"); if (!ASN1_TIME_print(b, X509_get_notAfter(cert))) { info("\n"); error("Failed to get certificate expiration date\n"); goto fail; } info("\n"); BIO_free(b); } goto fail; } /* Push our trust cert(s) to the stack, which is a set of certificates * in which to search for the signer's cert. */ x509_stack = sk_X509_new_null(); if (!x509_stack) { goto fail; } sk_X509_push(x509_stack, cert); return true; fail: error("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret)); return false; }