EXPORT_C int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) { int ret; ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm); if (ret) return ret; ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash); if (ret) return ret; return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash); }
int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) { X509_check_purpose(cert, -1, -1); if (!cert->skid) return -1; return ASN1_OCTET_STRING_cmp(keyid, cert->skid); }
int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) { const ASN1_OCTET_STRING *cert_keyid = X509_get0_subject_key_id(cert); if (cert_keyid == NULL) return -1; return ASN1_OCTET_STRING_cmp(keyid, cert_keyid); }
int X509_check_issued(X509 *issuer, X509 *subject) { if(X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); if(subject->akid) { /* Check key ids (if present) */ if(subject->akid->keyid && issuer->skid && ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) ) return X509_V_ERR_AKID_SKID_MISMATCH; /* Check serial number */ if(subject->akid->serial && ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), subject->akid->serial)) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; /* Check issuer name */ if(subject->akid->issuer) { /* Ugh, for some peculiar reason AKID includes * SEQUENCE OF GeneralName. So look for a DirName. * There may be more than one but we only take any * notice of the first. */ GENERAL_NAMES *gens; GENERAL_NAME *gen; X509_NAME *nm = NULL; int i; gens = subject->akid->issuer; for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gen = sk_GENERAL_NAME_value(gens, i); if(gen->type == GEN_DIRNAME) { nm = gen->d.dirn; break; } } if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } } if(subject->ex_flags & EXFLAG_PROXY) { if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; } else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; }
int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id, size_t idlen) { ASN1_OCTET_STRING tmp_os; CMS_KEKRecipientInfo *kekri; if (ri->type != CMS_RECIPINFO_KEK) { CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP, CMS_R_NOT_KEK); return -2; } kekri = ri->d.kekri; tmp_os.type = V_ASN1_OCTET_STRING; tmp_os.flags = 0; tmp_os.data = (unsigned char *)id; tmp_os.length = (int)idlen; return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier); }
int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) { int ret; if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) { ret = X509_NAME_cmp(sid->d.issuerAndSerialNumber->issuer, X509_get_issuer_name(cert)); if (ret) return ret; return ASN1_INTEGER_cmp(sid->d.issuerAndSerialNumber->serialNumber, X509_get_serialNumber(cert)); } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { X509_check_purpose(cert, -1, -1); if (!cert->skid) return -1; return ASN1_OCTET_STRING_cmp(sid->d.subjectKeyIdentifier, cert->skid); } else return -1; }
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) { if(!akid) return X509_V_OK; /* Check key ids (if present) */ if(akid->keyid && issuer->skid && ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) ) return X509_V_ERR_AKID_SKID_MISMATCH; /* Check serial number */ if(akid->serial && ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; /* Check issuer name */ if(akid->issuer) { /* Ugh, for some peculiar reason AKID includes * SEQUENCE OF GeneralName. So look for a DirName. * There may be more than one but we only take any * notice of the first. */ GENERAL_NAMES *gens; GENERAL_NAME *gen; X509_NAME *nm = NULL; int i; gens = akid->issuer; for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gen = sk_GENERAL_NAME_value(gens, i); if(gen->type == GEN_DIRNAME) { nm = gen->d.dirn; break; } } if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } return X509_V_OK; }
/* Returns 0 if they are equal, != 0 otherwise. */ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) { int result = -1; if (!a || !b || a->type != b->type) return -1; switch (a->type) { case GEN_X400: case GEN_EDIPARTY: result = ASN1_TYPE_cmp(a->d.other, b->d.other); break; case GEN_OTHERNAME: result = OTHERNAME_cmp(a->d.otherName, b->d.otherName); break; case GEN_EMAIL: case GEN_DNS: case GEN_URI: result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5); break; case GEN_DIRNAME: result = X509_NAME_cmp(a->d.dirn, b->d.dirn); break; case GEN_IPADD: result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip); break; case GEN_RID: result = OBJ_cmp(a->d.rid, b->d.rid); break; } return result; }
static int hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)); }
bool InteropResolver::checkMatch(DSIGKeyInfoList * lst, X509 * x) { // Check if the parameters in x match the required certificate int sz = (int) lst->getSize(); DSIGKeyInfo* k; for (int i = 0; i < sz; ++i) { k = lst->item(i); if (k->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) { DSIGKeyInfoX509 * kx = static_cast<DSIGKeyInfoX509 *>(k); const XMLCh * serial = kx->getX509IssuerSerialNumber(); if (serial != NULL) { char * cserial = XMLString::transcode(serial); char * xserial; BIGNUM * bnserial = ASN1_INTEGER_to_BN(x->cert_info->serialNumber, NULL); xserial = BN_bn2dec(bnserial); BN_free(bnserial); if (strcmp(xserial, cserial) == 0) { OPENSSL_free(xserial); XSEC_RELEASE_XMLCH(cserial); return true; } //delete[] xserial; XSEC_RELEASE_XMLCH(cserial); OPENSSL_free(xserial); } /* * Either it's not a serial number, or we didn't pass, so lets * look at the next option. */ const XMLCh * ski = kx->getX509SKI(); if (ski != NULL) { char * cski = XMLString::transcode(ski); int clen = (int) strlen(cski); unsigned char * xski = new unsigned char[clen]; ArrayJanitor <unsigned char> j_xski(xski); // Decode OpenSSLCryptoBase64 b64; b64.decodeInit(); int xlen = b64.decode((unsigned char *) cski, clen, xski, clen); xlen += b64.decodeFinish(&xski[xlen], clen - xlen); XSEC_RELEASE_XMLCH(cski); if (xlen != 0) { // Have a buffer with a number in it STACK_OF(X509_EXTENSION) *exts; exts = x->cert_info->extensions; if (exts != NULL) { // Find the Subject Key Identifier OID X509_EXTENSION * ext; ASN1_OBJECT * objski = OBJ_nid2obj(NID_subject_key_identifier); int extn = X509v3_get_ext_by_OBJ(exts, objski, -1); if (extn != -1) { // Dummy up an OCTET_STRING from the xski unsigned char * octxski = new unsigned char[xlen + 2]; ArrayJanitor<unsigned char> j_octxski(octxski); octxski[0] = 4; octxski[1] = xlen; memcpy(&octxski[2], xski, xlen); ext = sk_X509_EXTENSION_value(exts,extn); ASN1_OCTET_STRING *skid = ext->value; ASN1_OCTET_STRING * xskid = M_ASN1_OCTET_STRING_new(); ASN1_STRING_set(xskid, octxski, xlen+2); if (ASN1_OCTET_STRING_cmp(xskid, skid) == 0) { ASN1_OCTET_STRING_free(xskid); return true; } } } } } /* Not a subject key identifier */ const XMLCh *sn = kx->getX509SubjectName(); if (sn != NULL) { char * csn = XMLString::transcode(sn); X509_NAME * x509name = X509_get_subject_name(x); X509_NAME * snname = X509_NAME_create_from_txt(csn); XSEC_RELEASE_XMLCH(csn); if (snname != NULL) { if (!X509_NAME_cmp(x509name, snname)) { X509_NAME_free(snname); return true; } X509_NAME_free(snname); } } } } return false; }