/*
* X.509 CRL decoder.
*/
static OSSL_STORE_INFO *try_decode_X509CRL(const char *pem_name,
const char *pem_header,
const unsigned char *blob,
size_t len, void **pctx,
int *matchcount,
const UI_METHOD *ui_method,
void *ui_data)
{
OSSL_STORE_INFO *store_info = NULL;
X509_CRL *crl = NULL;
if (pem_name != NULL) {
if (strcmp(pem_name, PEM_STRING_X509_CRL) != 0)
/* No match */
return NULL;
*matchcount = 1;
}
if ((crl = d2i_X509_CRL(NULL, &blob, len)) != NULL) {
*matchcount = 1;
store_info = OSSL_STORE_INFO_new_CRL(crl);
}
if (store_info == NULL)
X509_CRL_free(crl);
return store_info;
}
extern "C" X509_CRL* CryptoNative_DecodeX509Crl(const uint8_t* buf, int32_t len)
{
if (!buf || !len)
{
return nullptr;
}
return d2i_X509_CRL(nullptr, &buf, len);
}
extern "C" X509_CRL* DecodeX509Crl(const unsigned char* buf, int32_t len)
{
if (!buf || !len)
{
return nullptr;
}
return d2i_X509_CRL(nullptr, &buf, len);
}
main2()
{
FILE *in;
unsigned char buf[10240],buf2[10240],*p;
int num,i;
X509_CRL *nx=NULL,*mx=NULL;
in=fopen("crl.der","r");
if (in == NULL)
{
perror("crl.der");
exit(1);
}
num=fread(buf,1,10240,in);
fclose(in);
p=buf;
if (d2i_X509_CRL(&nx,&p,num) == NULL) goto err;
printf("num=%d p-buf=%d\n",num,p-buf);
p=buf2;
num=i2d_X509_CRL(nx,&p);
printf("num=%d p-buf=%d\n",num,p-buf2);
if (memcmp(buf,buf2,num) != 0)
{
fprintf(stderr,"data difference\n");
for (i=0; i<num; i++)
fprintf(stderr,"%c%03d <%02X-%02X>\n",
(buf[i] == buf2[i])?' ':'*',i,
buf[i],buf2[i]);
fprintf(stderr,"\n");
exit(1);
}
return(1);
err:
ERR_load_crypto_strings();
ERR_print_errors(stderr);
return(0);
}
void openssl_x509_verify()
{
FILE *fp;
int uCert1Len;
X509_CRL *Crl = NULL;
X509_STORE_CTX *ctx = NULL;
X509_STORE *rootCertStore = NULL;
STACK_OF(X509) * caCertStack = NULL;
X509 *usrCert1 = NULL, *usrCert2 = NULL, *rootCert = NULL;
unsigned char tmp[MAX4_LEN];
unsigned long uCert2Len, derCrlLen, derRootCertLen;
const unsigned char *derCrl, *derRootCert, *uCert1, *uCert2;
OpenSSL_add_all_algorithms();
printf("\nX509_Verify info:\n");
fp = fopen(RCERTF, "rb");
derRootCertLen = fread(tmp, 1, 4096, fp);
derRootCert = tmp;
fclose(fp);
rootCert = d2i_X509(NULL, &derRootCert, derRootCertLen);
fp = fopen(CRLCRL, "rb");
derCrlLen = fread(tmp, 1, 4096, fp);
derCrl = tmp;
fclose(fp);
Crl = d2i_X509_CRL(NULL, &derCrl, derCrlLen);
rootCertStore = X509_STORE_new();
X509_STORE_add_cert(rootCertStore, rootCert);
X509_STORE_set_flags(rootCertStore, X509_V_FLAG_CRL_CHECK);
X509_STORE_add_crl(rootCertStore, Crl);
ctx = X509_STORE_CTX_new();
fp = fopen(U1CERTF, "rb");
uCert1Len = fread(tmp, 1, 4096, fp);
uCert1 = tmp;
fclose(fp);
usrCert1 = d2i_X509(NULL, &uCert1, uCert1Len);
if (X509_STORE_CTX_init(ctx, rootCertStore, usrCert1, caCertStack) != 1) {
perror("X509_STORE_CTX_init");
return;
}
if (X509_verify_cert(ctx) != 1) {
printf("user1.cer %s\n", X509_verify_cert_error_string(ctx->error));
return;
}
fp = fopen(U2CERTF, "rb");
uCert2Len = fread(tmp, 1, 4096, fp);
uCert2 = tmp;
fclose(fp);
usrCert2 = d2i_X509(NULL, &uCert2, uCert2Len);
if (X509_STORE_CTX_init(ctx, rootCertStore, usrCert2, caCertStack) != 1) {
perror("X509_STORE_CTX_init");
return;
}
if (X509_verify_cert(ctx) != 1) {
printf("user2.cer %s\n", X509_verify_cert_error_string(ctx->error));
return;
}
X509_free(usrCert1);
X509_free(usrCert2);
X509_free(rootCert);
X509_STORE_CTX_cleanup(ctx);
X509_STORE_CTX_free(ctx);
X509_STORE_free(rootCertStore);
return;
}
static int op_capi_get_by_subject(X509_LOOKUP *_lu,int _type,X509_NAME *_name,
X509_OBJECT *_ret) {
HCERTSTORE h_store;
if(_name==NULL)return 0;
if(_name->bytes==NULL||_name->bytes->length<=0||_name->modified) {
if(i2d_X509_NAME(_name,NULL)<0)return 0;
OP_ASSERT(_name->bytes->length>0);
}
h_store=(HCERTSTORE)_lu->method_data;
switch(_type) {
case X509_LU_X509: {
CERT_NAME_BLOB find_para;
PCCERT_CONTEXT cert;
X509 *x;
int ret;
/*Although X509_NAME contains a canon_enc field, that "canonical" [1]
encoding was just made up by OpenSSL.
It doesn't correspond to any actual standard, and since it drops the
initial sequence header, won't be recognized by the Crypto API.
The assumption here is that CertFindCertificateInStore() will allow any
appropriate variations in the encoding when it does its comparison.
This is, however, emphatically not true under Wine, which just compares
the encodings with memcmp().
Most of the time things work anyway, though, and there isn't really
anything we can do to make the situation better.
[1] A "canonical form" is defined as the one where, if you locked 10
mathematicians in a room and asked them to come up with a
representation for something, it's the answer that 9 of them would
give you back.
I don't think OpenSSL's encoding qualifies.*/
find_para.cbData=_name->bytes->length;
find_para.pbData=(unsigned char *)_name->bytes->data;
cert=CertFindCertificateInStore(h_store,X509_ASN_ENCODING,0,
CERT_FIND_SUBJECT_NAME,&find_para,NULL);
if(cert==NULL)return 0;
x=d2i_X509(NULL,(const unsigned char **)&cert->pbCertEncoded,
cert->cbCertEncoded);
CertFreeCertificateContext(cert);
if(x==NULL)return 0;
ret=X509_STORE_add_cert(_lu->store_ctx,x);
X509_free(x);
if(ret)return op_capi_retrieve_by_subject(_lu,_type,_name,_ret);
}
break;
case X509_LU_CRL: {
CERT_INFO cert_info;
CERT_CONTEXT find_para;
PCCRL_CONTEXT crl;
X509_CRL *x;
int ret;
ret=op_capi_retrieve_by_subject(_lu,_type,_name,_ret);
if(ret>0)return ret;
memset(&cert_info,0,sizeof(cert_info));
cert_info.Issuer.cbData=_name->bytes->length;
cert_info.Issuer.pbData=(unsigned char *)_name->bytes->data;
memset(&find_para,0,sizeof(find_para));
find_para.pCertInfo=&cert_info;
crl=CertFindCRLInStore(h_store,0,0,CRL_FIND_ISSUED_BY,&find_para,NULL);
if(crl==NULL)return 0;
x=d2i_X509_CRL(NULL,(const unsigned char **)&crl->pbCrlEncoded,
crl->cbCrlEncoded);
CertFreeCRLContext(crl);
if(x==NULL)return 0;
ret=X509_STORE_add_crl(_lu->store_ctx,x);
X509_CRL_free(x);
if(ret)return op_capi_retrieve_by_subject(_lu,_type,_name,_ret);
}
break;
}
return 0;
}
XSECCryptoKey * InteropResolver::resolveKey(DSIGKeyInfoList * lst) {
// First check if this has an X509 cert + an X509 CRL
const XMLCh * b64cert = NULL;
const XMLCh * b64crl = NULL;
int lstSize = (int) lst->getSize();
for (int i = 0; i < lstSize; ++i) {
DSIGKeyInfo * ki;
ki = lst->item(i);
const XMLCh * rawuri;
if (ki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_X509) {
DSIGKeyInfoX509 * kix509 = static_cast<DSIGKeyInfoX509 *>(ki);
if ((rawuri = kix509->getRawRetrievalURI()) != NULL) {
// We have a raw certificate by de-reference
// Assume it is just a file dereference and open the cert
return openCertURI(rawuri);
}
if (kix509->getCertificateListSize() == 1) {
b64cert = kix509->getCertificateItem(0);
}
if (b64crl == NULL) {
b64crl = kix509->getX509CRL();
}
}
else if (ki->getKeyInfoType() == DSIGKeyInfo::KEYINFO_NAME) {
DSIGKeyInfoName * kn = static_cast<DSIGKeyInfoName *>(ki);
if (kn->getKeyName() != NULL) {
static XMLCh certStr[] = {
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_c,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_e,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_r,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_t,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_s,
XERCES_CPP_NAMESPACE_QUALIFIER chForwardSlash,
XERCES_CPP_NAMESPACE_QUALIFIER chNull
};
static XMLCh extStr[] = {
XERCES_CPP_NAMESPACE_QUALIFIER chPeriod,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_c,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_r,
XERCES_CPP_NAMESPACE_QUALIFIER chLatin_t,
XERCES_CPP_NAMESPACE_QUALIFIER chNull
};
safeBuffer fname;
fname = certStr;
fname.sbXMLChCat(kn->getKeyName());
fname.sbXMLChCat(extStr);
fname.sbStrlwr();
return openCertURI(fname.rawXMLChBuffer());
}
}
}
if (b64cert != NULL && b64crl != NULL) {
// We have a certificate and a crl, lets get the cert and check in the crl
OpenSSLCryptoBase64 b64;
char * transb64cert = XMLString::transcode(b64cert);
unsigned char * x509buf = new unsigned char[strlen(transb64cert)];
ArrayJanitor<unsigned char> j_x509buf(x509buf);
int x509bufLen;
X509 *x;
b64.decodeInit();
x509bufLen = b64.decode((unsigned char *) transb64cert, (unsigned int) strlen(transb64cert), x509buf, (unsigned int) strlen(transb64cert));
x509bufLen += b64.decodeFinish(&x509buf[x509bufLen], (unsigned int) strlen(transb64cert) - x509bufLen);
XSEC_RELEASE_XMLCH(transb64cert);
if (x509bufLen > 0) {
#if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER)
x = d2i_X509(NULL, (const unsigned char **) (&x509buf), x509bufLen
);
#else
x = d2i_X509(NULL, &x509buf, x509bufLen);
#endif
}
else
return NULL; // Something has gone wrong
if (x == NULL)
return NULL;
// Now the CRL
char * transb64crl = XMLString::transcode(b64crl);
unsigned char * crlbuf = new unsigned char[strlen(transb64crl)];
ArrayJanitor<unsigned char> j_crlbuf(crlbuf);
int crlbufLen;
X509_CRL * c;
b64.decodeInit();
crlbufLen = b64.decode((unsigned char*) transb64crl, (unsigned int) strlen(transb64crl), crlbuf, (unsigned int) strlen(transb64crl));
crlbufLen += b64.decodeFinish(&crlbuf[crlbufLen], (unsigned int) strlen(transb64crl) - crlbufLen);
XSEC_RELEASE_XMLCH(transb64crl);
if (crlbufLen > 0) {
#if defined(XSEC_OPENSSL_D2IX509_CONST_BUFFER)
c = d2i_X509_CRL(NULL, (const unsigned char **) (&crlbuf), crlbufLen);
#else
c = d2i_X509_CRL(NULL, &crlbuf, crlbufLen);
#endif
}
else
return NULL; // Something has gone wrong
if (c == NULL)
return NULL;
// Now check if the cert is in the CRL (code lifted from OpenSSL x509_vfy.c
int idx;
X509_REVOKED rtmp;
/* Look for serial number of certificate in CRL */
rtmp.serialNumber = X509_get_serialNumber(x);
idx = sk_X509_REVOKED_find(c->crl->revoked, &rtmp);
/* Not found: OK */
if(idx != -1) {
std::cerr << "Warning - certificate revoked in attached CRL" << std::endl;
}
OpenSSLCryptoX509 ox(x);
X509_free(x);
X509_CRL_free(c);
return ox.clonePublicKey();
}
// Do a run through each match in the directory
while (m_searchFinished == false) {
X509 * x = nextFile2Cert();
if (x != NULL) {
if (checkMatch(lst, x)) {
OpenSSLCryptoX509 ox(x);
X509_free(x);
return ox.clonePublicKey();
}
}
X509_free(x);
}
return false;
}
