static VALUE
ossl_x509store_set_purpose(VALUE self, VALUE purpose)
{
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
X509_STORE *store;
long p = NUM2LONG(purpose);
GetX509Store(self, store);
X509_STORE_set_purpose(store, p);
#else
rb_iv_set(self, "@purpose", purpose);
#endif
return purpose;
}
int swupdate_dgst_init(struct swupdate_cfg *sw, const char *keyfile)
{
struct swupdate_digest *dgst;
int ret;
/*
* Check that it was not called before
*/
if (sw->dgst) {
return -EBUSY;
}
dgst = calloc(1, sizeof(*dgst));
if (!dgst) {
ret = -ENOMEM;
goto dgst_init_error;
}
#if defined(CONFIG_SIGALG_RAWRSA)
/*
* Load public key
*/
dgst->pkey = load_pubkey(keyfile);
if (!dgst->pkey) {
ERROR("Error loading pub key from %s", keyfile);
ret = -EINVAL;
goto dgst_init_error;
}
#elif defined(CONFIG_SIGALG_CMS)
/*
* Load certificate chain
*/
dgst->certs = load_cert_chain(keyfile);
if (!dgst->certs) {
ERROR("Error loading certificate chain from %s", keyfile);
ret = -EINVAL;
goto dgst_init_error;
}
{
static char code_sign_name[] = "Code signing";
static char code_sign_sname[] = "codesign";
if (!X509_PURPOSE_add(X509_PURPOSE_CODE_SIGN, X509_TRUST_EMAIL,
0, check_code_sign, code_sign_name,
code_sign_sname, NULL)) {
ERROR("failed to add code sign purpose");
ret = -EINVAL;
goto dgst_init_error;
}
}
if (!X509_STORE_set_purpose(dgst->certs, sw->globals.cert_purpose)) {
ERROR("failed to set purpose");
ret = -EINVAL;
goto dgst_init_error;
}
#else
TRACE("public key / cert %s ignored, you need to set SIGALG", keyfile);
#endif
/*
* Create context
*/
dgst->ctx = EVP_MD_CTX_create();
if(dgst->ctx == NULL) {
ERROR("EVP_MD_CTX_create failed, error 0x%lx", ERR_get_error());
ret = -ENOMEM;
goto dgst_init_error;
}
sw->dgst = dgst;
return 0;
dgst_init_error:
if (dgst)
free(dgst);
return ret;
}
/* This function makes sure the certificate is still valid by not having any
* compromised certificates in the chain.
* If there is no Certificate Revocation List (CRL) it may be that the private
* keys have not been compromised or the CRL has not been generated by the
* Certificate Authority (CA)
*
* returns: 0 if certificate is valid, X509 store error code otherwise */
static int validate_certificate(X509 *cert, const char *certificate_path, const char *crl)
{
X509_LOOKUP *lookup = NULL;
X509_STORE_CTX *verify_ctx = NULL;
//TODO: Implement a chain verification when required
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new())) {
error("Failed X509_STORE_new() for %s\n", certificate_path);
goto error;
}
X509_STORE_set_verify_cb_func(store, verify_callback);
if (X509_STORE_set_purpose(store, X509_PURPOSE_ANY) != 1) {
error("Failed X509_STORE_set_purpose() for %s\n", certificate_path);
goto error;
}
/* Add the certificates to be verified to the store */
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) {
error("Failed X509_STORE_add_lookup() for %s\n", certificate_path);
goto error;
}
/* Load the our Root cert, which can be in either DER or PEM format */
if (!X509_load_cert_file(lookup, certificate_path, X509_FILETYPE_PEM)) {
error("Failed X509_load_cert_file() for %s\n", certificate_path);
goto error;
}
if (crl) {
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) ||
(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM) != 1)) {
error("Failed X509 crl init for %s\n", certificate_path);
goto error;
}
/* set the flags of the store so that CLRs are consulted */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
/* create a verification context and initialize it */
if (!(verify_ctx = X509_STORE_CTX_new())) {
error("Failed X509_STORE_CTX_new() for %s\n", certificate_path);
goto error;
}
if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) {
error("Failed X509_STORE_CTX_init() for %s\n", certificate_path);
goto error;
}
/* Specify which cert to validate in the verify context.
* This is required because we may add multiple certs to the X509 store,
* but we want to validate a specific one out of the group/chain. */
X509_STORE_CTX_set_cert(verify_ctx, cert);
/* verify the certificate */
if (X509_verify_cert(verify_ctx) != 1) {
error("Failed X509_verify_cert() for %s\n", certificate_path);
goto error;
}
X509_STORE_CTX_free(verify_ctx);
if (validate_authority(cert) < 0) {
error("Failed to validate certificate using 'Authority Information Access'\n");
return -1;
}
/* Certificate verified correctly */
return 0;
error:
ERR_print_errors_fp(stderr);
if (verify_ctx) {
X509_STORE_CTX_free(verify_ctx);
}
return X509_STORE_CTX_get_error(verify_ctx);
}
