bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){
LOGGER_FN();
try{
LOGGER_OPENSSL(X509_STORE_CTX_new);
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
if (!ctx) {
THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx");
}
LOGGER_OPENSSL(X509_STORE_new);
X509_STORE *st = X509_STORE_new();
if (!st) {
THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store");
}
for (int i = 0, c = chain->length(); i < c; i++){
LOGGER_OPENSSL(X509_STORE_add_cert);
X509_STORE_add_cert(st, X509_dup(chain->items(i)->internal()));
}
X509_CRL *xtempCRL = NULL;
LOGGER_OPENSSL(X509_STORE_CTX_init);
X509_STORE_CTX_init(ctx, st, chain->items(0)->internal(), chain->internal());
LOGGER_OPENSSL(X509_STORE_CTX_set0_crls);
X509_STORE_CTX_set0_crls(ctx, crls->internal());
LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK_ALL);
LOGGER_OPENSSL(X509_verify_cert);
if (X509_verify_cert(ctx) <= 0){
return false;
}
return true;
}
catch (Handle<Exception> e){
THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)");
}
}
static VALUE
ossl_x509stctx_set_flags(VALUE self, VALUE flags)
{
X509_STORE_CTX *store;
long f = NUM2LONG(flags);
GetX509StCtx(self, store);
X509_STORE_CTX_set_flags(store, f);
return flags;
}
extern "C" int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X509* x509, X509Stack* extraStore)
{
int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
if (val != 0)
{
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
}
return val;
}
static int
cryptoMagic(X509 *x0, X509 *x1, X509 *x2,
const unsigned char *toHashData, int toHashLength,
/*XXX const*/ unsigned char *rsaSigData, int rsaSigLen,
DataValue *partialDigest)
{
int rv = 0;
EVP_PKEY *pk = X509_get_pubkey(x2);
if (pk) {
if (pk->type == EVP_PKEY_RSA) {
RSA *rsa = EVP_PKEY_get1_RSA(pk);
if (rsa) {
X509_STORE *store = X509_STORE_new();
if (store) {
X509_STORE_CTX ctx;
X509_STORE_add_cert(store, x0);
X509_STORE_add_cert(store, x1);
if (X509_STORE_CTX_init(&ctx, store, x2, 0) == 1) {
X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_IGNORE_CRITICAL);
if (X509_verify_cert(&ctx) == 1) {
unsigned char md[SHA_DIGEST_LENGTH];
if (partialDigest) {
// XXX we need to flip ECID back before hashing
flipAppleImg3Header((AppleImg3Header *)toHashData);
doPartialSHA1(md, toHashData, toHashLength, partialDigest);
} else {
SHA1(toHashData, toHashLength, md);
}
rv = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, rsaSigData, rsaSigLen, rsa);
}
X509_STORE_CTX_cleanup(&ctx);
}
X509_STORE_free(store);
}
RSA_free(rsa);
}
}
EVP_PKEY_free(pk);
}
return rv ? 0 : -1;
}
int
x509_cert_validate(void *scert)
{
X509_STORE_CTX csc;
X509_NAME *issuer, *subject;
X509 *cert = (X509 *) scert;
EVP_PKEY *key;
int res, err;
/*
* Validate the peer certificate by checking with the CA certificates
* we trust.
*/
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
/* XXX See comment in x509_read_crls_from_dir. */
if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
#elif OPENSSL_VERSION_NUMBER >= 0x00907000L
/* XXX See comment in x509_read_crls_from_dir. */
if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
#endif
res = X509_verify_cert(&csc);
err = csc.error;
X509_STORE_CTX_cleanup(&csc);
/*
* Return if validation succeeded or self-signed certs are not
* accepted.
*
* XXX X509_verify_cert seems to return -1 if the validation should be
* retried somehow. We take this as an error and give up.
*/
if (res > 0)
return 1;
else if (res < 0 ||
(res == 0 && err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
if (err)
log_print("x509_cert_validate: %.100s",
X509_verify_cert_error_string(err));
return 0;
} else if (!conf_get_str("X509-certificates", "Accept-self-signed")) {
if (err)
log_print("x509_cert_validate: %.100s",
X509_verify_cert_error_string(err));
return 0;
}
issuer = X509_get_issuer_name(cert);
subject = X509_get_subject_name(cert);
if (!issuer || !subject || X509_name_cmp(issuer, subject))
return 0;
key = X509_get_pubkey(cert);
if (!key) {
log_print("x509_cert_validate: could not get public key from "
"self-signed cert");
return 0;
}
if (X509_verify(cert, key) == -1) {
log_print("x509_cert_validate: self-signed cert is bad");
return 0;
}
return 1;
}
int
ca_validate_cert(struct iked *env, struct iked_static_id *id,
void *data, size_t len)
{
struct ca_store *store = env->sc_priv;
X509_STORE_CTX csc;
BIO *rawcert = NULL;
X509 *cert = NULL;
int ret = -1, result, error;
X509_NAME *subject;
const char *errstr = "failed";
if (len == 0) {
/* Data is already an X509 certificate */
cert = (X509 *)data;
} else {
/* Convert data to X509 certificate */
if ((rawcert = BIO_new_mem_buf(data, len)) == NULL)
goto done;
if ((cert = d2i_X509_bio(rawcert, NULL)) == NULL)
goto done;
}
/* Certificate needs a valid subjectName */
if ((subject = X509_get_subject_name(cert)) == NULL) {
errstr = "invalid subject";
goto done;
}
if (id != NULL) {
if ((ret = ca_validate_pubkey(env, id, X509_get_pubkey(cert),
0)) == 0) {
errstr = "in public key file, ok";
goto done;
}
switch (id->id_type) {
case IKEV2_ID_ASN1_DN:
if (ca_x509_subject_cmp(cert, id) < 0) {
errstr = "ASN1_DN identifier mismatch";
goto done;
}
break;
default:
if (ca_x509_subjectaltname_cmp(cert, id) != 0) {
errstr = "invalid subjectAltName extension";
goto done;
}
break;
}
}
bzero(&csc, sizeof(csc));
X509_STORE_CTX_init(&csc, store->ca_cas, cert, NULL);
if (store->ca_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
result = X509_verify_cert(&csc);
error = csc.error;
X509_STORE_CTX_cleanup(&csc);
if (error != 0) {
errstr = X509_verify_cert_error_string(error);
goto done;
}
if (!result) {
/* XXX should we accept self-signed certificates? */
errstr = "rejecting self-signed certificate";
goto done;
}
/* Success */
ret = 0;
errstr = "ok";
done:
if (cert != NULL)
log_debug("%s: %s %.100s", __func__, cert->name, errstr);
if (rawcert != NULL) {
BIO_free(rawcert);
if (cert != NULL)
X509_free(cert);
}
return (ret);
}
/*============================================================================
* OpcUa_P_OpenSSL_PKI_ValidateCertificate
*===========================================================================*/
OpcUa_StatusCode OpcUa_P_OpenSSL_PKI_ValidateCertificate(
OpcUa_PKIProvider* a_pProvider,
OpcUa_ByteString* a_pCertificate,
OpcUa_Void* a_pCertificateStore,
OpcUa_Int* a_pValidationCode /* Validation return codes from OpenSSL */
)
{
OpcUa_P_OpenSSL_CertificateStore_Config* pCertificateStoreCfg;
const unsigned char* p;
X509* pX509Certificate = OpcUa_Null;
STACK_OF(X509)* pX509Chain = OpcUa_Null;
X509_STORE_CTX* verify_ctx = OpcUa_Null; /* holds data used during verification process */
char CertFile[MAX_PATH];
struct dirent **dirlist = NULL;
int numCertificates = 0, i;
OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "PKI_ValidateCertificate");
OpcUa_ReturnErrorIfArgumentNull(a_pProvider);
OpcUa_ReturnErrorIfArgumentNull(a_pProvider->Handle);
OpcUa_ReturnErrorIfArgumentNull(a_pCertificate);
OpcUa_ReturnErrorIfArgumentNull(a_pCertificateStore);
OpcUa_ReturnErrorIfArgumentNull(a_pValidationCode);
pCertificateStoreCfg = (OpcUa_P_OpenSSL_CertificateStore_Config*)a_pProvider->Handle;
/* convert DER encoded bytestring certificate to openssl X509 certificate */
p = a_pCertificate->Data;
if(!(pX509Certificate = d2i_X509((X509**)OpcUa_Null, &p, a_pCertificate->Length)))
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
while(p < a_pCertificate->Data + a_pCertificate->Length)
{
X509* pX509AddCertificate;
if(!(pX509AddCertificate = d2i_X509((X509**)OpcUa_Null, &p, a_pCertificate->Data + a_pCertificate->Length - p)))
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
if(pX509Chain == NULL)
{
pX509Chain = sk_X509_new_null();
OpcUa_GotoErrorIfAllocFailed(pX509Chain);
}
if(!sk_X509_push(pX509Chain, pX509AddCertificate))
{
X509_free(pX509AddCertificate);
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
}
/* create verification context and initialize it */
if(!(verify_ctx = X509_STORE_CTX_new()))
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
if(X509_STORE_CTX_init(verify_ctx, (X509_STORE*)a_pCertificateStore, pX509Certificate, pX509Chain) != 1)
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
#else
X509_STORE_CTX_init(verify_ctx, (X509_STORE*)a_pCertificateStore, pX509Certificate, pX509Chain);
#endif
if(X509_STORE_CTX_set_app_data(verify_ctx, pCertificateStoreCfg) != 1)
{
OpcUa_GotoErrorWithStatus(OpcUa_Bad);
}
if((pCertificateStoreCfg->Flags & OPCUA_P_PKI_OPENSSL_CHECK_REVOCATION_ALL) == OPCUA_P_PKI_OPENSSL_CHECK_REVOCATION_ALL_EXCEPT_SELF_SIGNED
&& !verify_ctx->check_issued(verify_ctx, pX509Certificate, pX509Certificate))
{
/* set the flags of the store so that CRLs are consulted */
X509_STORE_CTX_set_flags(verify_ctx, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
/* verify the certificate */
*a_pValidationCode = X509_V_OK;
if(X509_verify_cert(verify_ctx) <= 0)
{
*a_pValidationCode = verify_ctx->error;
switch(verify_ctx->error)
{
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CRL_NOT_YET_VALID:
case X509_V_ERR_CRL_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
{
uStatus = OpcUa_BadCertificateTimeInvalid;
break;
}
case X509_V_ERR_CERT_REVOKED:
{
uStatus = OpcUa_BadCertificateRevoked;
break;
}
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
{
uStatus = OpcUa_BadCertificateUntrusted;
break;
}
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
{
uStatus = OpcUa_BadSecurityChecksFailed;
break;
}
default:
{
uStatus = OpcUa_BadCertificateInvalid;
}
}
OpcUa_GotoErrorIfBad(uStatus);
}
if(pCertificateStoreCfg->Flags & OPCUA_P_PKI_OPENSSL_REQUIRE_CHAIN_CERTIFICATE_IN_TRUST_LIST)
{
FILE* pCertificateFile;
X509* pTrustCert;
STACK_OF(X509)* chain;
int trusted, n;
chain = X509_STORE_CTX_get_chain(verify_ctx);
trusted = 0;
if(pCertificateStoreCfg->CertificateTrustListLocation == NULL || pCertificateStoreCfg->CertificateTrustListLocation[0] == '\0')
{
uStatus = OpcUa_Bad;
OpcUa_GotoErrorIfBad(uStatus);
}
numCertificates = scandir(pCertificateStoreCfg->CertificateTrustListLocation, &dirlist, certificate_filter_der, alphasort);
for (i=0; i<numCertificates; i++)
{
uStatus = OpcUa_P_OpenSSL_BuildFullPath(pCertificateStoreCfg->CertificateTrustListLocation, dirlist[i]->d_name, MAX_PATH, CertFile);
OpcUa_GotoErrorIfBad(uStatus);
/* read DER certificates */
pCertificateFile = fopen(CertFile, "r");
if(pCertificateFile == OpcUa_Null)
{
continue; /* ignore access errors */
}
pTrustCert = d2i_X509_fp(pCertificateFile, (X509**)OpcUa_Null);
fclose(pCertificateFile);
if(pTrustCert == OpcUa_Null)
{
continue; /* ignore parse errors */
}
for(n = 0; n < sk_X509_num(chain); n++)
{
if (X509_cmp(sk_X509_value(chain, n), pTrustCert) == 0)
break;
}
X509_free(pTrustCert);
if(n < sk_X509_num(chain))
{
trusted = 1;
break;
}
}
for (i=0; i<numCertificates; i++)
{
free(dirlist[i]);
}
free(dirlist);
dirlist = NULL;
if(!trusted)
{
uStatus = OpcUa_BadCertificateUntrusted;
OpcUa_GotoErrorIfBad(uStatus);
}
}
X509_STORE_CTX_free(verify_ctx);
X509_free(pX509Certificate);
if(pX509Chain != OpcUa_Null)
{
sk_X509_pop_free(pX509Chain, X509_free);
}
OpcUa_ReturnStatusCode;
OpcUa_BeginErrorHandling;
if(dirlist != NULL)
{
for (i=0; i<numCertificates; i++)
{
free(dirlist[i]);
}
free(dirlist);
}
if(verify_ctx != OpcUa_Null)
{
X509_STORE_CTX_free(verify_ctx);
}
if(pX509Certificate != OpcUa_Null)
{
X509_free(pX509Certificate);
}
if(pX509Chain != OpcUa_Null)
{
sk_X509_pop_free(pX509Chain, X509_free);
}
OpcUa_FinishErrorHandling;
}
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
{
int ret=0;
ASN1_INTEGER *bs=NULL;
X509_STORE_CTX xsc;
EVP_PKEY *upkey;
upkey = X509_get_pubkey(xca);
EVP_PKEY_copy_parameters(upkey,pkey);
EVP_PKEY_free(upkey);
if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL))
{
BIO_printf(bio_err,"Error initialising X509 store\n");
goto end;
}
if (sno) bs = sno;
else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
goto end;
/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/
/* NOTE: this certificate can/should be self signed, unless it was
* a certificate request in which case it is not. */
X509_STORE_CTX_set_cert(&xsc,x);
X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
if (!reqfile && X509_verify_cert(&xsc) <= 0)
goto end;
if (!X509_check_private_key(xca,pkey))
{
BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
goto end;
}
if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
if (!X509_set_serialNumber(x,bs)) goto end;
if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL)
goto end;
/* hardwired expired */
if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
goto end;
if (clrext)
{
while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
}
if (conf)
{
X509V3_CTX ctx2;
X509_set_version(x,2); /* version 3 certificate */
X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx2, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end;
}
if (!X509_sign(x,pkey,digest)) goto end;
ret=1;
end:
X509_STORE_CTX_cleanup(&xsc);
if (!ret)
ERR_print_errors(bio_err);
if (!sno) ASN1_INTEGER_free(bs);
return ret;
}
