int EAC_CTX_init_ta(const EAC_CTX *ctx, const unsigned char *privkey, size_t privkey_len, const unsigned char *cvca, size_t cvca_len) { CVC_CERT *ta_cvca = NULL; int r = 0; check(ctx && ctx->ta_ctx, "Invalid arguments"); if (privkey && privkey_len) { if (ctx->ta_ctx->priv_key) EVP_PKEY_free(ctx->ta_ctx->priv_key); ctx->ta_ctx->priv_key = d2i_AutoPrivateKey(&ctx->ta_ctx->priv_key, &privkey, privkey_len); if (!ctx->ta_ctx->priv_key) goto err; } if (cvca && cvca_len) { ta_cvca = CVC_d2i_CVC_CERT(&ta_cvca, &cvca, cvca_len); } r = TA_CTX_set_trust_anchor(ctx->ta_ctx, ta_cvca, ctx->bn_ctx); err: if (ta_cvca) CVC_CERT_free(ta_cvca); return r; }
int CA_STEP6_derive_keys(EAC_CTX *ctx, const BUF_MEM *nonce, const BUF_MEM *token) { int rv = -1; check((ctx && ctx->ca_ctx), "Invalid arguments"); if (!KA_CTX_derive_keys(ctx->ca_ctx->ka_ctx, nonce, ctx->md_ctx)) goto err; rv = verify_authentication_token(ctx->ca_ctx->protocol, ctx->ca_ctx->ka_ctx, ctx->bn_ctx, ctx->tr_version, token); check(rv >= 0, "Failed to verify authentication token"); /* PACE, TA and CA were successful. Update the trust anchor! */ if (rv) { if (ctx->ta_ctx->new_trust_anchor) { CVC_CERT_free(ctx->ta_ctx->trust_anchor); ctx->ta_ctx->trust_anchor = ctx->ta_ctx->new_trust_anchor; ctx->ta_ctx->new_trust_anchor = NULL; } } err: return rv; }
static int print_cvc(const unsigned char *cvc_data, const size_t cvc_len, const unsigned char *desc_data, const size_t desc_len) { BIO *bio_stdout = NULL; CVC_CERT *cvc = NULL; CVC_CERTIFICATE_DESCRIPTION *desc = NULL; const unsigned char *p; int fail = 1; bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE); if (!bio_stdout) err("could not get output buffer"); if (cvc_data && cvc_len) { p = cvc_data; if (!CVC_d2i_CVC_CERT(&cvc, &p, cvc_len)) err("could not parse card verifiable certificate"); puts("Certificate:"); if (!CVC_print(bio_stdout, cvc, 2)) err("could not print card verifiable certificate"); } /* FIXME: CVC_CERT_print_ctx -> segfault */ /* CVC_CERT_print_ctx(bio_stdout, cvc, 1, NULL); */ if (desc_data && desc_len) { p = desc_data; if (!d2i_CVC_CERTIFICATE_DESCRIPTION(&desc, &p, desc_len)) err("could not parse certificate description"); puts("Description:"); if (!certificate_description_print(bio_stdout, desc, 0)) err("could not print certificate description"); } if (cvc && desc_data && desc_len) { if (!CVC_check_description(cvc, desc_data, desc_len)) { puts("certificate description doesn't match certificate"); } else { puts("certificate description matches certificate"); } } fail = 0; err: if (desc) CVC_CERTIFICATE_DESCRIPTION_free(desc); if (cvc) CVC_CERT_free(cvc); if (bio_stdout) BIO_free_all(bio_stdout); return fail; }
void TA_CTX_clear_free(TA_CTX *ctx) { if (!ctx) return; if (ctx->pk_pcd) BUF_MEM_free(ctx->pk_pcd); if (ctx->priv_key) EVP_PKEY_free(ctx->priv_key); if (ctx->pub_key) EVP_PKEY_free(ctx->pub_key); if (ctx->trust_anchor) CVC_CERT_free(ctx->trust_anchor); if (ctx->current_cert) CVC_CERT_free(ctx->current_cert); if (ctx->new_trust_anchor) CVC_CERT_free(ctx->new_trust_anchor); BUF_MEM_clear_free(ctx->nonce); OPENSSL_free(ctx); return; }
int TA_CTX_set_trust_anchor(TA_CTX *ctx, const CVC_CERT *trust_anchor, BN_CTX *bn_ctx) { int ok = 0; check(ctx, "Invalid Parameters"); if (ctx->trust_anchor) CVC_CERT_free(ctx->trust_anchor); ctx->trust_anchor = CVC_CERT_dup(trust_anchor); if (!ctx->trust_anchor) goto err; if (ctx->current_cert) { CVC_CERT_free(ctx->current_cert); ctx->current_cert = NULL; } ok = TA_CTX_set_parameters(ctx, trust_anchor, bn_ctx); err: return ok; }
static int print_cvc(const unsigned char *cvc_data, const size_t cvc_len, const unsigned char *desc_data, const size_t desc_len, const unsigned char *csr_data, const size_t csr_len) { BIO *bio_stdout = NULL; CVC_CERT *cvc = NULL; CVC_CERTIFICATE_DESCRIPTION *desc = NULL; CVC_CERT_REQUEST *request = NULL; CVC_CERT_AUTHENTICATION_REQUEST *authentication = NULL; const unsigned char *p; int fail = 1; bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE); if (!bio_stdout) err("could not get output buffer"); if (cvc_data && cvc_len) { p = cvc_data; if (!CVC_d2i_CVC_CERT(&cvc, &p, cvc_len)) err("could not parse card verifiable certificate"); puts("Certificate:"); if (!CVC_print(bio_stdout, cvc, 2)) err("could not print card verifiable certificate"); } /* FIXME: CVC_CERT_print_ctx -> segfault */ /* CVC_CERT_print_ctx(bio_stdout, cvc, 1, NULL); */ if (desc_data && desc_len) { p = desc_data; if (!d2i_CVC_CERTIFICATE_DESCRIPTION(&desc, &p, desc_len)) err("could not parse certificate description"); puts("Description:"); if (!certificate_description_print(bio_stdout, desc, 0)) err("could not print certificate description"); } if (cvc && desc_data && desc_len) { if (!CVC_check_description(cvc, desc_data, desc_len)) { puts("certificate description doesn't match certificate"); } else { puts("certificate description matches certificate"); } } if (csr_data && csr_len) { p = csr_data; if (d2i_CVC_CERT_REQUEST(&request, &p, csr_len)) { puts("Certificate Request:"); if (!certificate_request_print(bio_stdout, request, 2)) err("could not print certificate request"); } else { /* try using an authentication request */ p = csr_data; if (!d2i_CVC_CERT_AUTHENTICATION_REQUEST(&authentication, &p, desc_len)) err("could not parse certificate request"); puts("Certificate Authentication Request:"); if (!certificate_authentication_request_print(bio_stdout, authentication, 2)) err("could not print certificate authentication request"); } if (1 == CVC_verify_request_signature(request ? request : authentication->request)) { puts("certificate request verified"); } else { puts("certificate request not verified"); } } fail = 0; err: if (desc) CVC_CERTIFICATE_DESCRIPTION_free(desc); if (cvc) CVC_CERT_free(cvc); if (authentication) CVC_CERT_AUTHENTICATION_REQUEST_free(authentication); if (request) CVC_CERT_REQUEST_free(request); if (bio_stdout) BIO_free_all(bio_stdout); return fail; }
int TA_CTX_import_certificate(TA_CTX *ctx, const CVC_CERT *next_cert, BN_CTX *bn_ctx) { int ok = 0, i; const CVC_CERT *trust_anchor = NULL; check(ctx && next_cert && next_cert->body && next_cert->body->chat && next_cert->body->certificate_authority_reference, "Invalid arguments"); /* Check date to see if the certificate is still valid * (not for link certificates). */ if ((ctx->flags & TA_FLAG_SKIP_TIMECHECK) != TA_FLAG_SKIP_TIMECHECK && CVC_get_role(next_cert->body->chat) != CVC_CVCA && cvc_check_time(next_cert) != 1) goto err; /* get the current trust anchor */ if (ctx->current_cert) { trust_anchor = ctx->current_cert; } else if (ctx->trust_anchor) { trust_anchor = ctx->trust_anchor; } else if (ctx->lookup_cvca_cert) { trust_anchor = ctx->lookup_cvca_cert( next_cert->body->certificate_authority_reference->data, next_cert->body->certificate_authority_reference->length); check(trust_anchor && TA_CTX_set_trust_anchor(ctx, trust_anchor, bn_ctx), "Could not look up trust anchor"); } check(trust_anchor && trust_anchor->body && trust_anchor->body->certificate_holder_reference, "No trust anchor, can't verify certificate"); /* Check chain integrity: The CAR of a certificate must be equal to the * the CHR of the next certificate in the chain */ check((next_cert->body->certificate_authority_reference && trust_anchor->body->certificate_holder_reference && next_cert->body->certificate_authority_reference->length == trust_anchor->body->certificate_holder_reference->length && memcmp(trust_anchor->body->certificate_holder_reference->data, next_cert->body->certificate_authority_reference->data, trust_anchor->body->certificate_holder_reference->length) == 0), "Current CHR does not match next CAR"); i = CVC_verify_signature(next_cert, ctx->pub_key); check((i > 0), "Could not verify current signature"); /* Certificate has been verified as next part of the chain */ if (ctx->current_cert) CVC_CERT_free(ctx->current_cert); ctx->current_cert = CVC_CERT_dup(next_cert); if (!ctx->current_cert) goto err; /* Set a (new) trust anchor */ if (CVC_get_role(next_cert->body->chat) == CVC_CVCA) { if (ctx->new_trust_anchor) CVC_CERT_free(ctx->new_trust_anchor); ctx->new_trust_anchor = CVC_CERT_dup(next_cert); if (!ctx->new_trust_anchor) goto err; } ok = TA_CTX_set_parameters(ctx, next_cert, bn_ctx); err: return ok; }