static void print_conf(CONF_VALUE *cv)
{
int i;
CONF_VALUE *v;
char *section;
char *name;
char *value;
STACK *s;
/* If it is a single entry, return */
if (cv->name != NULL) return;
TINYCLR_SSL_PRINTF("[ %s ]\n",cv->section);
s=(STACK *)cv->value;
for (i=0; i<sk_num(s); i++)
{
v=(CONF_VALUE *)sk_value(s,i);
section=(v->section == NULL)?"None":v->section;
name=(v->name == NULL)?"None":v->name;
value=(v->value == NULL)?"None":v->value;
TINYCLR_SSL_PRINTF("%s=%s\n",name,value);
}
TINYCLR_SSL_PRINTF("\n");
}
/*
* call-seq:
* ctx.ciphers => [[name, version, bits, alg_bits], ...]
*/
static VALUE
ossl_sslctx_get_ciphers(VALUE self)
{
SSL_CTX *ctx;
STACK_OF(SSL_CIPHER) *ciphers;
SSL_CIPHER *cipher;
VALUE ary;
int i, num;
Data_Get_Struct(self, SSL_CTX, ctx);
if(!ctx){
rb_warning("SSL_CTX is not initialized.");
return Qnil;
}
ciphers = ctx->cipher_list;
if (!ciphers)
return rb_ary_new();
num = sk_num((STACK*)ciphers);
ary = rb_ary_new2(num);
for(i = 0; i < num; i++){
cipher = (SSL_CIPHER*)sk_value((STACK*)ciphers, i);
rb_ary_push(ary, ossl_ssl_cipher_to_ary(cipher));
}
return ary;
}
void TXT_DB_free(TXT_DB *db)
{
int i,n;
char **p,*max;
if(db == NULL)
return;
if (db->index != NULL)
{
for (i=db->num_fields-1; i>=0; i--)
if (db->index[i] != NULL) lh_free(db->index[i]);
OPENSSL_free(db->index);
}
if (db->qual != NULL)
OPENSSL_free(db->qual);
if (db->data != NULL)
{
for (i=sk_num(db->data)-1; i>=0; i--)
{
/* check if any 'fields' have been allocated
* from outside of the initial block */
p=(char **)sk_value(db->data,i);
max=p[db->num_fields]; /* last address */
if (max == NULL) /* new row */
{
for (n=0; n<db->num_fields; n++)
if (p[n] != NULL) OPENSSL_free(p[n]);
}
else
{
for (n=0; n<db->num_fields; n++)
{
if (((p[n] < (char *)p) || (p[n] > max))
&& (p[n] != NULL))
OPENSSL_free(p[n]);
}
}
OPENSSL_free(sk_value(db->data,i));
}
sk_free(db->data);
}
OPENSSL_free(db);
}
const char *CRYPTO_get_lock_name(int type)
{
if (type < 0)
return("dynamic");
else if (type < CRYPTO_NUM_LOCKS)
return(lock_names[type]);
else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks))
return("ERROR");
else
return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
}
long TXT_DB_write(BIO *out, TXT_DB *db)
{
long i,j,n,nn,l,tot=0;
char *p,**pp,*f;
BUF_MEM *buf=NULL;
long ret= -1;
if ((buf=BUF_MEM_new()) == NULL)
goto err;
n=sk_num(db->data);
nn=db->num_fields;
for (i=0; i<n; i++)
{
pp=(char **)sk_value(db->data,i);
l=0;
for (j=0; j<nn; j++)
{
if (pp[j] != NULL)
l+=strlen(pp[j]);
}
if (!BUF_MEM_grow_clean(buf,(int)(l*2+nn))) goto err;
p=buf->data;
for (j=0; j<nn; j++)
{
f=pp[j];
if (f != NULL)
for (;;)
{
if (*f == '\0') break;
if (*f == '\t') *(p++)='\\';
*(p++)= *(f++);
}
*(p++)='\t';
}
p[-1]='\n';
j=p-buf->data;
if (BIO_write(out,buf->data,(int)j) != j)
goto err;
tot+=j;
}
ret=tot;
err:
if (buf != NULL) BUF_MEM_free(buf);
return(ret);
}
static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *indent)
{
int loop, res, num = sk_num(cmds);
if(num < 0)
{
BIO_printf(bio_out, "[Error]: internal stack error\n");
return;
}
for(loop = 0; loop < num; loop++)
{
char buf[256];
const char *cmd, *arg;
cmd = sk_value(cmds, loop);
res = 1; /* assume success */
/* Check if this command has no ":arg" */
if((arg = strstr(cmd, ":")) == NULL)
{
if(!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
res = 0;
}
else
{
if((int)(arg - cmd) > 254)
{
BIO_printf(bio_out,"[Error]: command name too long\n");
return;
}
memcpy(buf, cmd, (int)(arg - cmd));
buf[arg-cmd] = '\0';
arg++; /* Move past the ":" */
/* Call the command with the argument */
if(!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
res = 0;
}
if(res)
BIO_printf(bio_out, "[Success]: %s\n", cmd);
else
{
BIO_printf(bio_out, "[Failure]: %s\n", cmd);
ERR_print_errors(bio_out);
}
}
}
int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(char **),
LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp)
{
LHASH *idx;
char **r;
int i,n;
if (field >= db->num_fields)
{
db->error=DB_ERROR_INDEX_OUT_OF_RANGE;
return(0);
}
if ((idx=lh_new(hash,cmp)) == NULL)
{
db->error=DB_ERROR_MALLOC;
return(0);
}
n=sk_num(db->data);
for (i=0; i<n; i++)
{
r=(char **)sk_value(db->data,i);
if ((qual != NULL) && (qual(r) == 0)) continue;
if ((r=lh_insert(idx,r)) != NULL)
{
db->error=DB_ERROR_INDEX_CLASH;
db->arg1=sk_find(db->data,(char *)r);
db->arg2=i;
lh_free(idx);
return(0);
}
}
if (db->index[field] != NULL) lh_free(db->index[field]);
db->index[field]=idx;
db->qual[field]=qual;
return(1);
}
carray * mailstream_low_ssl_get_certificate_chain(mailstream_low * s)
{
#ifdef USE_SSL
#ifndef USE_GNUTLS
STACK_OF(X509) * skx;
struct mailstream_ssl_data * ssl_data;
carray * result;
int skpos;
ssl_data = (struct mailstream_ssl_data *) s->data;
if (!(skx = SSL_get_peer_cert_chain(ssl_data->ssl_conn))) {
return NULL;
}
result = carray_new(4);
for(skpos = 0 ; skpos < sk_num(skx) ; skpos ++) {
X509 * x = (X509 *) sk_value(skx, skpos);
unsigned char * p;
MMAPString * str;
int length = i2d_X509(x, NULL);
str = mmap_string_sized_new(length);
p = (unsigned char *) str->str;
str->len = length;
i2d_X509(x, &p);
carray_add(result, str, NULL);
}
return result;
#else
/* TODO: GnuTLS implementation */
return NULL;
#endif
#else
return NULL;
#endif
}
carray * mailstream_low_ssl_get_certificate_chain(mailstream_low * s)
{
#ifdef USE_SSL
struct mailstream_ssl_data * ssl_data;
carray * result;
int skpos;
#ifndef USE_GNUTLS
STACK_OF(X509) * skx;
ssl_data = (struct mailstream_ssl_data *) s->data;
if (!(skx = SSL_get_peer_cert_chain(ssl_data->ssl_conn))) {
return NULL;
}
result = carray_new(4);
for(skpos = 0 ; skpos < sk_num((_STACK *) skx) ; skpos ++) {
X509 * x = (X509 *) sk_value((_STACK *) skx, skpos);
unsigned char * p;
MMAPString * str;
int length = i2d_X509(x, NULL);
str = mmap_string_sized_new(length);
p = (unsigned char *) str->str;
str->len = length;
i2d_X509(x, &p);
carray_add(result, str, NULL);
}
return result;
#else
gnutls_session session = NULL;
const gnutls_datum *raw_cert_list;
unsigned int raw_cert_list_length;
ssl_data = (struct mailstream_ssl_data *) s->data;
session = ssl_data->session;
raw_cert_list = gnutls_certificate_get_peers(session, &raw_cert_list_length);
if (raw_cert_list && gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
result = carray_new(4);
for(skpos = 0 ; skpos < raw_cert_list_length ; skpos ++) {
gnutls_x509_crt cert = NULL;
if (gnutls_x509_crt_init(&cert) >= 0
&& gnutls_x509_crt_import(cert, &raw_cert_list[skpos], GNUTLS_X509_FMT_DER) >= 0) {
size_t cert_size = 0;
MMAPString * str = NULL;
unsigned char * p;
if (gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, NULL, &cert_size)
== GNUTLS_E_SHORT_MEMORY_BUFFER) {
str = mmap_string_sized_new(cert_size);
p = (unsigned char *) str->str;
str->len = cert_size;
}
if (str != NULL &&
gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_DER, p, &cert_size) >= 0) {
carray_add(result, str, NULL);
} else {
return NULL;
}
gnutls_x509_crt_deinit(cert);
}
}
}
return result;
return NULL;
#endif
#else
return NULL;
#endif
}
/* int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE) */
int i2d_ASN1_SET(STACK *a, unsigned char **pp, i2d_of_void *i2d, int ex_tag,
int ex_class, int is_set)
{
int ret=0,r;
int i;
unsigned char *p;
unsigned char *pStart, *pTempMem;
MYBLOB *rgSetBlob;
int totSize;
if (a == NULL) return(0);
for (i=sk_num(a)-1; i>=0; i--)
ret+=i2d(sk_value(a,i),NULL);
r=ASN1_object_size(1,ret,ex_tag);
if (pp == NULL) return(r);
p= *pp;
ASN1_put_object(&p,1,ret,ex_tag,ex_class);
/* Modified by [email protected] */
/* And then again by Ben */
/* And again by Steve */
if(!is_set || (sk_num(a) < 2))
{
for (i=0; i<sk_num(a); i++)
i2d(sk_value(a,i),&p);
*pp=p;
return(r);
}
pStart = p; /* Catch the beg of Setblobs*/
/* In this array we will store the SET blobs */
rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
if (rgSetBlob == NULL)
{
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
return(0);
}
for (i=0; i<sk_num(a); i++)
{
rgSetBlob[i].pbData = p; /* catch each set encode blob */
i2d(sk_value(a,i),&p);
rgSetBlob[i].cbData = (int)(p - rgSetBlob[i].pbData); /* Length of this
SetBlob
*/
}
*pp=p;
totSize = (int)(p - pStart); /* This is the total size of all set blobs */
/* Now we have to sort the blobs. I am using a simple algo.
*Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
if (!(pTempMem = OPENSSL_malloc(totSize)))
{
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
return(0);
}
/* Copy to temp mem */
p = pTempMem;
for(i=0; i<sk_num(a); ++i)
{
memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
p += rgSetBlob[i].cbData;
}
/* Copy back to user mem*/
memcpy(pStart, pTempMem, totSize);
OPENSSL_free(pTempMem);
OPENSSL_free(rgSetBlob);
return(r);
}
static ngx_int_t
ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder)
{
ngx_url_t u;
char *s;
ngx_ssl_stapling_t *staple;
STACK_OF(OPENSSL_STRING) *aia;
staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
if (responder->len == 0) {
/* extract OCSP responder URL from certificate */
aia = X509_get1_ocsp(staple->cert);
if (aia == NULL) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
"no OCSP responder URL in the certificate");
return NGX_DECLINED;
}
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
s = sk_OPENSSL_STRING_value(aia, 0);
#else
s = sk_value(aia, 0);
#endif
if (s == NULL) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
"no OCSP responder URL in the certificate");
X509_email_free(aia);
return NGX_DECLINED;
}
responder->len = ngx_strlen(s);
responder->data = ngx_palloc(cf->pool, responder->len);
if (responder->data == NULL) {
X509_email_free(aia);
return NGX_ERROR;
}
ngx_memcpy(responder->data, s, responder->len);
X509_email_free(aia);
}
ngx_memzero(&u, sizeof(ngx_url_t));
u.url = *responder;
u.default_port = 80;
u.uri_part = 1;
if (u.url.len > 7
&& ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
{
u.url.len -= 7;
u.url.data += 7;
} else {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
"invalid URL prefix in OCSP responder \"%V\"", &u.url);
return NGX_DECLINED;
}
if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
if (u.err) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
"%s in OCSP responder \"%V\"", u.err, &u.url);
return NGX_DECLINED;
}
return NGX_ERROR;
}
staple->addrs = u.addrs;
staple->host = u.host;
staple->uri = u.uri;
staple->port = u.port;
if (staple->uri.len == 0) {
ngx_str_set(&staple->uri, "/");
}
return NGX_OK;
}
int SslOcspStapling::getResponder(X509 *pCert)
{
char *pUrl;
X509 *pCAt;
STACK_OF(X509) *pXchain;
int i;
int n;
#if OPENSSL_VERSION_NUMBER >= 0x10000003L
STACK_OF(OPENSSL_STRING) *strResp;
#else
STACK *strResp;
#endif
if (m_sOcspResponder.c_str())
return 0;
strResp = X509_get1_ocsp(pCert);
if (strResp == NULL)
{
pXchain = m_pCtx->extra_certs;
n = sk_X509_num(pXchain);
for (i = 0; i < n; i++)
{
pCert = sk_X509_value(pXchain, i);
strResp = X509_get1_ocsp(pCert);
if (strResp)
break;
}
}
if (strResp == NULL)
{
if (m_sCAfile.c_str() == NULL)
return LS_FAIL;
pCAt = load_cert(m_sCAfile.c_str());
if (pCAt == NULL)
{
setLastErrMsg("Failed to load file: %s!\n", m_sCAfile.c_str());
return LS_FAIL;
}
strResp = X509_get1_ocsp(pCAt);
X509_free(pCAt);
if (strResp == NULL)
{
setLastErrMsg("Failed to get responder!\n");
return LS_FAIL;
}
}
#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
pUrl = sk_OPENSSL_STRING_value(strResp, 0);
#elif OPENSSL_VERSION_NUMBER >= 0x10000003L
pUrl = (char *)sk_value((const _STACK *) strResp, 0);
#else
pUrl = (char *)sk_value((const STACK *) strResp, 0);
#endif
if (pUrl)
{
m_sOcspResponder.setStr(pUrl);
return 0;
}
X509_email_free(strResp);
setLastErrMsg("Failed to get responder Url!\n");
return LS_FAIL;
}
int MAIN(int argc, char **argv)
{
int ret=1,i;
const char **pp;
int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0;
ENGINE *e;
STACK *engines = sk_new_null();
STACK *pre_cmds = sk_new_null();
STACK *post_cmds = sk_new_null();
int badops=1;
BIO *bio_out=NULL;
const char *indent = " ";
apps_startup();
SSL_load_error_strings();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
bio_out = BIO_push(tmpbio, bio_out);
}
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strncmp(*argv,"-v",2) == 0)
{
if(strspn(*argv + 1, "v") < strlen(*argv + 1))
goto skip_arg_loop;
if((verbose=strlen(*argv + 1)) > 4)
goto skip_arg_loop;
}
else if (strcmp(*argv,"-c") == 0)
list_cap=1;
else if (strncmp(*argv,"-t",2) == 0)
{
test_avail=1;
if(strspn(*argv + 1, "t") < strlen(*argv + 1))
goto skip_arg_loop;
if((test_avail_noise = strlen(*argv + 1) - 1) > 1)
goto skip_arg_loop;
}
else if (strcmp(*argv,"-pre") == 0)
{
argc--; argv++;
if (argc == 0)
goto skip_arg_loop;
sk_push(pre_cmds,*argv);
}
else if (strcmp(*argv,"-post") == 0)
{
argc--; argv++;
if (argc == 0)
goto skip_arg_loop;
sk_push(post_cmds,*argv);
}
else if ((strncmp(*argv,"-h",2) == 0) ||
(strcmp(*argv,"-?") == 0))
goto skip_arg_loop;
else
sk_push(engines,*argv);
argc--;
argv++;
}
/* Looks like everything went OK */
badops = 0;
skip_arg_loop:
if (badops)
{
for (pp=engine_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
if (sk_num(engines) == 0)
{
for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e))
{
sk_push(engines,(char *)ENGINE_get_id(e));
}
}
for (i=0; i<sk_num(engines); i++)
{
const char *id = sk_value(engines,i);
if ((e = ENGINE_by_id(id)) != NULL)
{
const char *name = ENGINE_get_name(e);
/* Do "id" first, then "name". Easier to auto-parse. */
BIO_printf(bio_out, "(%s) %s\n", id, name);
util_do_cmds(e, pre_cmds, bio_out, indent);
if (strcmp(ENGINE_get_id(e), id) != 0)
{
BIO_printf(bio_out, "Loaded: (%s) %s\n",
ENGINE_get_id(e), ENGINE_get_name(e));
}
if (list_cap)
{
int cap_size = 256;
char *cap_buf = NULL;
int k,n;
const int *nids;
ENGINE_CIPHERS_PTR fn_c;
ENGINE_DIGESTS_PTR fn_d;
if (ENGINE_get_RSA(e) != NULL
&& !append_buf(&cap_buf, "RSA",
&cap_size, 256))
goto end;
if (ENGINE_get_DSA(e) != NULL
&& !append_buf(&cap_buf, "DSA",
&cap_size, 256))
goto end;
if (ENGINE_get_DH(e) != NULL
&& !append_buf(&cap_buf, "DH",
&cap_size, 256))
goto end;
if (ENGINE_get_RAND(e) != NULL
&& !append_buf(&cap_buf, "RAND",
&cap_size, 256))
goto end;
fn_c = ENGINE_get_ciphers(e);
if(!fn_c) goto skip_ciphers;
n = fn_c(e, NULL, &nids, 0);
for(k=0 ; k < n ; ++k)
if(!append_buf(&cap_buf,
OBJ_nid2sn(nids[k]),
&cap_size, 256))
goto end;
skip_ciphers:
fn_d = ENGINE_get_digests(e);
if(!fn_d) goto skip_digests;
n = fn_d(e, NULL, &nids, 0);
for(k=0 ; k < n ; ++k)
if(!append_buf(&cap_buf,
OBJ_nid2sn(nids[k]),
&cap_size, 256))
goto end;
skip_digests:
if (cap_buf && (*cap_buf != '\0'))
BIO_printf(bio_out, " [%s]\n", cap_buf);
OPENSSL_free(cap_buf);
}
if(test_avail)
{
BIO_printf(bio_out, "%s", indent);
if (ENGINE_init(e))
{
BIO_printf(bio_out, "[ available ]\n");
util_do_cmds(e, post_cmds, bio_out, indent);
ENGINE_finish(e);
}
else
{
BIO_printf(bio_out, "[ unavailable ]\n");
if(test_avail_noise)
ERR_print_errors_fp(stdout);
ERR_clear_error();
}
}
if((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
goto end;
ENGINE_free(e);
}
else
ERR_print_errors(bio_err);
}
ret=0;
end:
ERR_print_errors(bio_err);
sk_pop_free(engines, identity);
sk_pop_free(pre_cmds, identity);
sk_pop_free(post_cmds, identity);
if (bio_out != NULL) BIO_free_all(bio_out);
apps_shutdown();
OPENSSL_EXIT(ret);
}
int MAIN(int argc, char **argv)
{
int i,badops=0;
BIO *in=NULL,*out=NULL;
int informat,outformat;
char *infile,*outfile,*prog,*certfile;
PKCS7 *p7 = NULL;
PKCS7_SIGNED *p7s = NULL;
X509_CRL *crl=NULL;
STACK *certflst=NULL;
STACK_OF(X509_CRL) *crl_stack=NULL;
STACK_OF(X509) *cert_stack=NULL;
int ret=1,nocrl=0;
apps_startup();
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
infile=NULL;
outfile=NULL;
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
prog=argv[0];
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-outform") == 0)
{
if (--argc < 1) goto bad;
outformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-nocrl") == 0)
{
nocrl=1;
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-certfile") == 0)
{
if (--argc < 1) goto bad;
if(!certflst) certflst = sk_new_null();
sk_push(certflst,*(++argv));
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
BIO_printf(bio_err,"where options are\n");
BIO_printf(bio_err," -inform arg input format - DER or PEM\n");
BIO_printf(bio_err," -outform arg output format - DER or PEM\n");
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -certfile arg certificates file of chain to a trusted CA\n");
BIO_printf(bio_err," (can be used more than once)\n");
BIO_printf(bio_err," -nocrl no crl to load, just certs from '-certfile'\n");
EXIT(1);
}
ERR_load_crypto_strings();
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL))
{
ERR_print_errors(bio_err);
goto end;
}
if (!nocrl)
{
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
goto end;
}
}
if (informat == FORMAT_ASN1)
crl=d2i_X509_CRL_bio(in,NULL);
else if (informat == FORMAT_PEM)
crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input crl\n");
goto end;
}
if (crl == NULL)
{
BIO_printf(bio_err,"unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
}
if ((p7=PKCS7_new()) == NULL) goto end;
if ((p7s=PKCS7_SIGNED_new()) == NULL) goto end;
p7->type=OBJ_nid2obj(NID_pkcs7_signed);
p7->d.sign=p7s;
p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
p7s->crl=crl_stack;
if (crl != NULL)
{
sk_X509_CRL_push(crl_stack,crl);
crl=NULL; /* now part of p7 for OPENSSL_freeing */
}
if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
p7s->cert=cert_stack;
if(certflst) for(i = 0; i < sk_num(certflst); i++) {
certfile = sk_value(certflst, i);
if (add_certs_from_file(cert_stack,certfile) < 0)
{
BIO_printf(bio_err, "error loading certificates\n");
ERR_print_errors(bio_err);
goto end;
}
}
sk_free(certflst);
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
else
{
if (BIO_write_filename(out,outfile) <= 0)
{
perror(outfile);
goto end;
}
}
if (outformat == FORMAT_ASN1)
i=i2d_PKCS7_bio(out,p7);
else if (outformat == FORMAT_PEM)
i=PEM_write_bio_PKCS7(out,p7);
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i)
{
BIO_printf(bio_err,"unable to write pkcs7 object\n");
ERR_print_errors(bio_err);
goto end;
}
ret=0;
end:
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free_all(out);
if (p7 != NULL) PKCS7_free(p7);
if (crl != NULL) X509_CRL_free(crl);
EXIT(ret);
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int ret=1;
X509_REQ *req=NULL;
X509 *x=NULL,*xca=NULL;
ASN1_OBJECT *objtmp;
EVP_PKEY *Upkey=NULL,*CApkey=NULL;
ASN1_INTEGER *sno = NULL;
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int ocspid=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
char **pp;
X509_STORE *ctx=NULL;
X509_REQ *rq=NULL;
int fingerprint=0;
char buf[256];
const EVP_MD *md_alg,*digest=EVP_md5();
CONF *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
int checkend=0,checkoffset=0;
unsigned long nmflag = 0, certflag = 0;
char *engine=NULL;
reqfile=0;
apps_startup();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
keyformat=FORMAT_PEM;
CAformat=FORMAT_PEM;
CAkeyformat=FORMAT_PEM;
ctx=X509_STORE_new();
if (ctx == NULL) goto end;
X509_STORE_set_verify_cb_func(ctx,callb);
argc--;
argv++;
num=0;
while (argc >= 1)
{
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-outform") == 0)
{
if (--argc < 1) goto bad;
outformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
keyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-req") == 0)
{
reqfile=1;
need_rand = 1;
}
else if (strcmp(*argv,"-CAform") == 0)
{
if (--argc < 1) goto bad;
CAformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-CAkeyform") == 0)
{
if (--argc < 1) goto bad;
CAkeyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-days") == 0)
{
if (--argc < 1) goto bad;
days=atoi(*(++argv));
if (days == 0)
{
BIO_printf(STDout,"bad number of days\n");
goto bad;
}
}
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passargin= *(++argv);
}
else if (strcmp(*argv,"-extfile") == 0)
{
if (--argc < 1) goto bad;
extfile= *(++argv);
}
else if (strcmp(*argv,"-extensions") == 0)
{
if (--argc < 1) goto bad;
extsect= *(++argv);
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-signkey") == 0)
{
if (--argc < 1) goto bad;
keyfile= *(++argv);
sign_flag= ++num;
need_rand = 1;
}
else if (strcmp(*argv,"-CA") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
CA_flag= ++num;
need_rand = 1;
}
else if (strcmp(*argv,"-CAkey") == 0)
{
if (--argc < 1) goto bad;
CAkeyfile= *(++argv);
}
else if (strcmp(*argv,"-CAserial") == 0)
{
if (--argc < 1) goto bad;
CAserial= *(++argv);
}
else if (strcmp(*argv,"-set_serial") == 0)
{
if (--argc < 1) goto bad;
if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
goto bad;
}
else if (strcmp(*argv,"-addtrust") == 0)
{
if (--argc < 1) goto bad;
if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
{
BIO_printf(bio_err,
"Invalid trust object value %s\n", *argv);
goto bad;
}
if (!trust) trust = sk_ASN1_OBJECT_new_null();
sk_ASN1_OBJECT_push(trust, objtmp);
trustout = 1;
}
else if (strcmp(*argv,"-addreject") == 0)
{
if (--argc < 1) goto bad;
if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
{
BIO_printf(bio_err,
"Invalid reject object value %s\n", *argv);
goto bad;
}
if (!reject) reject = sk_ASN1_OBJECT_new_null();
sk_ASN1_OBJECT_push(reject, objtmp);
trustout = 1;
}
else if (strcmp(*argv,"-setalias") == 0)
{
if (--argc < 1) goto bad;
alias= *(++argv);
trustout = 1;
}
else if (strcmp(*argv,"-certopt") == 0)
{
if (--argc < 1) goto bad;
if (!set_cert_ex(&certflag, *(++argv))) goto bad;
}
else if (strcmp(*argv,"-nameopt") == 0)
{
if (--argc < 1) goto bad;
if (!set_name_ex(&nmflag, *(++argv))) goto bad;
}
else if (strcmp(*argv,"-setalias") == 0)
{
if (--argc < 1) goto bad;
alias= *(++argv);
trustout = 1;
}
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine= *(++argv);
}
else if (strcmp(*argv,"-C") == 0)
C= ++num;
else if (strcmp(*argv,"-email") == 0)
email= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
modulus= ++num;
else if (strcmp(*argv,"-pubkey") == 0)
pubkey= ++num;
else if (strcmp(*argv,"-x509toreq") == 0)
x509req= ++num;
else if (strcmp(*argv,"-text") == 0)
text= ++num;
else if (strcmp(*argv,"-hash") == 0)
hash= ++num;
else if (strcmp(*argv,"-subject") == 0)
subject= ++num;
else if (strcmp(*argv,"-issuer") == 0)
issuer= ++num;
else if (strcmp(*argv,"-fingerprint") == 0)
fingerprint= ++num;
else if (strcmp(*argv,"-dates") == 0)
{
startdate= ++num;
enddate= ++num;
}
else if (strcmp(*argv,"-purpose") == 0)
pprint= ++num;
else if (strcmp(*argv,"-startdate") == 0)
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
else if (strcmp(*argv,"-checkend") == 0)
{
if (--argc < 1) goto bad;
checkoffset=atoi(*(++argv));
checkend=1;
}
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-trustout") == 0)
trustout= 1;
else if (strcmp(*argv,"-clrtrust") == 0)
clrtrust= ++num;
else if (strcmp(*argv,"-clrreject") == 0)
clrreject= ++num;
else if (strcmp(*argv,"-alias") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
else if (strcmp(*argv,"-clrext") == 0)
clrext = 1;
#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
else if (strcmp(*argv,"-crlext") == 0)
{
BIO_printf(bio_err,"use -clrext instead of -crlext\n");
clrext = 1;
}
#endif
else if (strcmp(*argv,"-ocspid") == 0)
ocspid= ++num;
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
for (pp=x509_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
e = setup_engine(bio_err, engine, 0);
if (need_rand)
app_RAND_load_file(NULL, bio_err, 0);
ERR_load_crypto_strings();
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
goto end;
}
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
{ CAkeyfile=CAfile; }
else if ((CA_flag) && (CAkeyfile == NULL))
{
BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
goto end;
}
if (extfile)
{
long errorline = -1;
X509V3_CTX ctx2;
extconf = NCONF_new(NULL);
if (!NCONF_load(extconf, extfile,&errorline))
{
if (errorline <= 0)
BIO_printf(bio_err,
"error loading the config file '%s'\n",
extfile);
else
BIO_printf(bio_err,
"error on line %ld of config file '%s'\n"
,errorline,extfile);
goto end;
}
if (!extsect)
{
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect)
{
ERR_clear_error();
extsect = "default";
}
}
X509V3_set_ctx_test(&ctx2);
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL))
{
BIO_printf(bio_err,
"Error Loading extension section %s\n",
extsect);
ERR_print_errors(bio_err);
goto end;
}
}
if (reqfile)
{
EVP_PKEY *pkey;
X509_CINF *ci;
BIO *in;
if (!sign_flag && !CA_flag)
{
BIO_printf(bio_err,"We need a private key to sign with\n");
goto end;
}
in=BIO_new(BIO_s_file());
if (in == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
BIO_free(in);
goto end;
}
}
req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
BIO_free(in);
if (req == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if ( (req->req_info == NULL) ||
(req->req_info->pubkey == NULL) ||
(req->req_info->pubkey->public_key == NULL) ||
(req->req_info->pubkey->public_key->data == NULL))
{
BIO_printf(bio_err,"The certificate request appears to corrupted\n");
BIO_printf(bio_err,"It does not contain a public key\n");
goto end;
}
if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
{
BIO_printf(bio_err,"error unpacking public key\n");
goto end;
}
i=X509_REQ_verify(req,pkey);
EVP_PKEY_free(pkey);
if (i < 0)
{
BIO_printf(bio_err,"Signature verification error\n");
ERR_print_errors(bio_err);
goto end;
}
if (i == 0)
{
BIO_printf(bio_err,"Signature did not match the certificate request\n");
goto end;
}
else
BIO_printf(bio_err,"Signature ok\n");
print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
if ((x=X509_new()) == NULL) goto end;
ci=x->cert_info;
if (sno)
{
if (!X509_set_serialNumber(x, sno))
goto end;
}
else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x,pkey);
EVP_PKEY_free(pkey);
}
else
x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
if (x == NULL) goto end;
if (CA_flag)
{
xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate");
if (xca == NULL) goto end;
}
if (!noout || text)
{
OBJ_create("2.99999.3",
"SET.ex3","SET x509v3 extension 3");
out=BIO_new(BIO_s_file());
if (out == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
else
{
if (BIO_write_filename(out,outfile) <= 0)
{
perror(outfile);
goto end;
}
}
}
if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
if (clrtrust) X509_trust_clear(x);
if (clrreject) X509_reject_clear(x);
if (trust)
{
for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
{
objtmp = sk_ASN1_OBJECT_value(trust, i);
X509_add1_trust_object(x, objtmp);
}
}
if (reject)
{
for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
{
objtmp = sk_ASN1_OBJECT_value(reject, i);
X509_add1_reject_object(x, objtmp);
}
}
if (num)
{
for (i=1; i<=num; i++)
{
if (issuer == i)
{
print_name(STDout, "issuer= ",
X509_get_issuer_name(x), nmflag);
}
else if (subject == i)
{
print_name(STDout, "subject= ",
X509_get_subject_name(x), nmflag);
}
else if (serial == i)
{
BIO_printf(STDout,"serial=");
i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
BIO_printf(STDout,"\n");
}
else if (email == i)
{
int j;
STACK *emlst;
emlst = X509_get1_email(x);
for (j = 0; j < sk_num(emlst); j++)
BIO_printf(STDout, "%s\n", sk_value(emlst, j));
X509_email_free(emlst);
}
else if (aliasout == i)
{
unsigned char *alstr;
alstr = X509_alias_get0(x, NULL);
if (alstr) BIO_printf(STDout,"%s\n", alstr);
else BIO_puts(STDout,"<No Alias>\n");
}
else if (hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
}
else if (pprint == i)
{
X509_PURPOSE *ptmp;
int j;
BIO_printf(STDout, "Certificate purposes:\n");
for (j = 0; j < X509_PURPOSE_get_count(); j++)
{
ptmp = X509_PURPOSE_get0(j);
purpose_print(STDout, x, ptmp);
}
}
else
if (modulus == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bio_err,"Modulus=unavailable\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(STDout,"Modulus=");
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
BN_print(STDout,pkey->pkey.rsa->n);
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
BN_print(STDout,pkey->pkey.dsa->pub_key);
else
#endif
BIO_printf(STDout,"Wrong Algorithm type");
BIO_printf(STDout,"\n");
EVP_PKEY_free(pkey);
}
else
if (pubkey == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bio_err,"Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(STDout, pkey);
EVP_PKEY_free(pkey);
}
else
if (C == i)
{
unsigned char *d;
char *m;
int y,z;
X509_NAME_oneline(X509_get_subject_name(x),
buf,sizeof buf);
BIO_printf(STDout,"/* subject:%s */\n",buf);
m=X509_NAME_oneline(
X509_get_issuer_name(x),buf,
sizeof buf);
BIO_printf(STDout,"/* issuer :%s */\n",buf);
z=i2d_X509(x,NULL);
m=OPENSSL_malloc(z);
d=(unsigned char *)m;
z=i2d_X509_NAME(X509_get_subject_name(x),&d);
BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f)
BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
z=i2d_X509(x,&d);
BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f)
BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
OPENSSL_free(m);
}
else if (text == i)
{
X509_print_ex(out,x,nmflag, certflag);
}
else if (startdate == i)
{
BIO_puts(STDout,"notBefore=");
ASN1_TIME_print(STDout,X509_get_notBefore(x));
BIO_puts(STDout,"\n");
}
else if (enddate == i)
{
BIO_puts(STDout,"notAfter=");
ASN1_TIME_print(STDout,X509_get_notAfter(x));
BIO_puts(STDout,"\n");
}
else if (fingerprint == i)
{
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_digest(x,digest,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
BIO_printf(STDout,"%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j=0; j<(int)n; j++)
{
BIO_printf(STDout,"%02X%c",md[j],
(j+1 == (int)n)
?'\n':':');
}
}
/* should be in the library */
else if ((sign_flag == i) && (x509req == 0))
{
BIO_printf(bio_err,"Getting Private key\n");
if (Upkey == NULL)
{
Upkey=load_key(bio_err,
keyfile, keyformat, 0,
passin, e, "Private key");
if (Upkey == NULL) goto end;
}
#ifndef OPENSSL_NO_DSA
if (Upkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
assert(need_rand);
if (!sign(x,Upkey,days,clrext,digest,
extconf, extsect)) goto end;
}
else if (CA_flag == i)
{
BIO_printf(bio_err,"Getting CA Private Key\n");
if (CAkeyfile != NULL)
{
CApkey=load_key(bio_err,
CAkeyfile, CAkeyformat,
0, passin, e,
"CA Private Key");
if (CApkey == NULL) goto end;
}
#ifndef OPENSSL_NO_DSA
if (CApkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
CApkey, CAserial,CA_createserial,days, clrext,
extconf, extsect, sno))
goto end;
}
else if (x509req == i)
{
EVP_PKEY *pk;
BIO_printf(bio_err,"Getting request Private Key\n");
if (keyfile == NULL)
{
BIO_printf(bio_err,"no request key file specified\n");
goto end;
}
else
{
pk=load_key(bio_err,
keyfile, FORMAT_PEM, 0,
passin, e, "request key");
if (pk == NULL) goto end;
}
BIO_printf(bio_err,"Generating certificate request\n");
#ifndef OPENSSL_NO_DSA
if (pk->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (!noout)
{
X509_REQ_print(out,rq);
PEM_write_bio_X509_REQ(out,rq);
}
noout=1;
}
else if (ocspid == i)
{
X509_ocspid_print(out, x);
}
}
}
if (checkend)
{
time_t tnow=time(NULL);
if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
{
BIO_printf(out,"Certificate will expire\n");
ret=1;
}
else
{
BIO_printf(out,"Certificate will not expire\n");
ret=0;
}
goto end;
}
if (noout)
{
ret=0;
goto end;
}
if (outformat == FORMAT_ASN1)
i=i2d_X509_bio(out,x);
else if (outformat == FORMAT_PEM)
{
if (trustout) i=PEM_write_bio_X509_AUX(out,x);
else i=PEM_write_bio_X509(out,x);
}
else if (outformat == FORMAT_NETSCAPE)
{
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
os.data=(unsigned char *)NETSCAPE_CERT_HDR;
os.length=strlen(NETSCAPE_CERT_HDR);
ah.header= &os;
ah.data=(char *)x;
ah.meth=X509_asn1_meth();
/* no macro for this one yet */
i=ASN1_i2d_bio(i2d_ASN1_HEADER,out,(unsigned char *)&ah);
}
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i)
{
BIO_printf(bio_err,"unable to write certificate\n");
ERR_print_errors(bio_err);
goto end;
}
ret=0;
end:
if (need_rand)
app_RAND_write_file(NULL, bio_err);
OBJ_cleanup();
NCONF_free(extconf);
BIO_free_all(out);
BIO_free_all(STDout);
X509_STORE_free(ctx);
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
if (passin) OPENSSL_free(passin);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/**
* Get the proxy group from a GSS name.
*
* This function will get the proxy group from a GSS name structure. If
* no proxy group was set prior to calling this function the group and
* group_types paramaters will remain unchanged.
*
* @param minor_status
* The minor status returned by this function. This paramter
* will be 0 upon success.
* @param name
* The GSS name from which the group information is extracted.
* @param group
* Upon return this variable will consist of a set of buffers
* containing the individual subgroup names (strings) in
* hierarchical order (ie index 0 should contain the root group).
* @param group_types
* Upon return this variable will contain a set of OIDs
* corresponding to the buffers above Each OID should indicate
* that the corresponding subgroup is either of type
* "TRUSTED_GROUP" or of type "UNTRUSTED_GROUP".
*
* @return
* GSS_S_COMPLETE upon success
* GSS_S_BAD_NAME if the name was found to be faulty
* GSS_S_FAILURE upon general failure
*/
OM_uint32
GSS_CALLCONV gss_get_group(
OM_uint32 * minor_status,
const gss_name_t name,
gss_buffer_set_t * group,
gss_OID_set * group_types)
{
OM_uint32 major_status = GSS_S_COMPLETE;
OM_uint32 tmp_minor_status;
int i;
int num_subgroups;
gss_name_desc * internal_name;
char * subgroup;
gss_buffer_desc buffer;
static char * _function_name_ =
"gss_get_group";
GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;
internal_name = (gss_name_desc *) name;
if(minor_status == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("NULL parameter minor_status passed to function: %s"),
_function_name_));
goto exit;
}
*minor_status = (OM_uint32) GLOBUS_SUCCESS;
if(name == GSS_C_NO_NAME)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid group name passed to function: %s"),
_function_name_));
goto exit;
}
if(group == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid group passed to function: %s"),
_function_name_));
goto exit;
}
if(group_types == NULL)
{
major_status = GSS_S_FAILURE;
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status, major_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
(_GGSL("Invalid group types passed to function: %s"),
_function_name_));
goto exit;
}
num_subgroups = sk_num(internal_name->group);
if(internal_name->group == NULL || num_subgroups == 0)
{
goto exit;
}
if(internal_name->group_types == NULL)
{
GLOBUS_GSI_GSSAPI_ERROR_RESULT(
minor_status,
GLOBUS_GSI_GSSAPI_ERROR_BAD_NAME);
major_status = GSS_S_BAD_NAME;
goto exit;
}
major_status = gss_create_empty_buffer_set(local_minor_status, group);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto exit;
}
major_status = gss_create_empty_oid_set(local_minor_status, group_types);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto release_buffer;
}
for(++index = 0; ++index < num_subgroups; ++index)
{
subgroup = sk_value(internal_name->group, ++index);
buffer.value = (void *) subgroup;
buffer.length = strlen(subgroup) + 1;
major_status = gss_add_buffer_set_member(&local_minor_status,
&buffer,
group);
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto release_oid;
}
if(ASN1_BIT_STRING_get_bit(internal_name->group_types, index))
{
major_status = gss_add_oid_set_member(
&local_minor_status,
(gss_OID) gss_untrusted_group,
group_types);
}
else
{
major_status = gss_add_oid_set_member(
&local_minor_status,
(gss_OID) gss_trusted_group,
group_types);
}
if(GSS_ERROR(major_status))
{
GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
minor_status, local_minor_status,
GLOBUS_GSI_GSSAPI_ERROR_WITH_GROUP);
goto release_oid;
}
}
goto exit;
release_oid:
gss_release_oid_set(&local_minor_status, group_types);
release_buffer:
gss_release_buffer_set(&local_minor_status, group);
exit:
GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
return major_status;
}
void ssl_barf_out(Socket_t S) {
BIO *ebio;
char buf[BUFSIZ], *p;
sock_ssl_t m = XSsl(S);
if (tb_errorlevel >= TB_NOTICE) {
STACK * sk;
if ((ebio=BIO_new(BIO_s_file())) == NULL) {
tb_warn("Cannot create new BIO\n");
ERR_print_errors_fp(stderr);
return;
}
BIO_set_fp(ebio,stderr,BIO_NOCLOSE);
if ((sk=(STACK *)SSL_get_peer_cert_chain(m->cx)) != NULL) {
int i;
BIO_printf(ebio,"---\nCertificate chain\n");
for (i=0; i<sk_num(sk); i++) {
X509_NAME_oneline(X509_get_subject_name((X509*)sk_value(sk,i)),buf,BUFSIZ);
BIO_printf(ebio,"%2d s:%s\n",i,buf);
X509_NAME_oneline(X509_get_issuer_name((X509 *)sk_value(sk,i)),buf,BUFSIZ);
BIO_printf(ebio," i:%s\n",buf);
}
}
BIO_printf(ebio,"---\n");
if ((m->peer=SSL_get_peer_certificate(m->cx)) != NULL) {
BIO_printf(ebio,"Peer certificate\n");
PEM_write_bio_X509(ebio,m->peer);
X509_NAME_oneline(X509_get_subject_name(m->peer),buf,BUFSIZ);
BIO_printf(ebio,"subject=%s\n",buf);
X509_NAME_oneline(X509_get_issuer_name(m->peer),buf,BUFSIZ);
BIO_printf(ebio,"issuer=%s\n",buf);
}
else
BIO_printf(ebio,"no peer certificate available\n");
if (((sk=SSL_get_client_CA_list(m->cx)) != NULL) && (sk_num(sk) > 0)) {
int i;
BIO_printf(ebio,"---\nAcceptable peer certificate CA names\n");
for (i=0; i<sk_num(sk); i++) {
m->xn=(X509_NAME *)sk_value(sk,i);
X509_NAME_oneline(m->xn,buf,sizeof(buf));
BIO_write(ebio,buf,strlen(buf));
BIO_write(ebio,"\n",1);
}
}
else {
BIO_printf(ebio,"---\nNo peer certificate CA names sent\n");
}
if ((p=SSL_get_shared_ciphers(m->cx,buf,BUFSIZ)) != NULL) {
int i, j;
BIO_printf(ebio,"---\nCiphers common between both SSL endpoints:\n");
j=i=0;
while (*p) {
if (*p != ':') {
BIO_write(ebio,p,1);j++;
} else {
BIO_write(ebio," ",15-j%25);i++;j=0;
BIO_write(ebio,((i%3)?" ":"\n"),1);
}
p++;
}
BIO_write(ebio,"\n",1);
}
BIO_printf(ebio,
"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(m->cx)),
BIO_number_written(SSL_get_wbio(m->cx)));
BIO_printf(ebio,((m->cx->hit)?"---\nReused, ":"---\nNew, "));
m->sc=SSL_get_current_cipher(m->cx);
BIO_printf(ebio,"%s, Cipher is %s\n",
SSL_CIPHER_get_version(m->sc),SSL_CIPHER_get_name(m->sc));
if(m->peer != NULL) {
EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(m->peer);
BIO_printf(ebio,"Server public key is %d bit\n", EVP_PKEY_bits(pktmp));
EVP_PKEY_free(pktmp);
}
SSL_SESSION_print(ebio,SSL_get_session(m->cx));
BIO_printf(ebio,"---\n");
if(m->peer != NULL)
X509_free(m->peer);
BIO_free(ebio);
}
}
Status BinCommon::rd_message(CommandInitiator* thread, void* message_received, uint offset)
{
uchar token = 0;
uint tag = 0;
uint prev_tag = 0;
bool peek = true;
uint unkown_tags_limit = 30;
if (m_depth++ > DEPTH_LIMIT) return ERR_DECODE;
const Field* b = m_fields;
const Field* f = &b[offset];
const Field* e = &b[f->get_end()]; // message descriptor ended
while (f != e) {
if (peek) {
if (rd_uchar(thread, token) != OK) return ERR_DECODE;
if (token != 'z') {
if (token == 'N') {
if (rd_uchar(thread, token) != OK && token != 'z') return ERR_DECODE;
return ERR_CALL;
}
if (rd_value(thread, tag) != OK || tag < prev_tag) return ERR_DECODE;
prev_tag = tag;
}
}
if (token == 'z') {
// we shall reset all remaining fields
f->set_to_default(message_received);
peek = false; // no more to read...
} else if (tag == f->get_tag()) {
// check that type in message matches the field type flag
// (except for boolean, as no type flag is given but value is immediately given)
if (!(token == f->kind()
|| (f->kind() == 'b' && (token == 'F' || token == 'T'))
|| (f->is_list() && token == '[')
)
)
return ERR_DECODE;
if (rd_value(token, thread, f->offset(message_received), f-m_fields) != OK) return ERR_DECODE;
peek = true;
} else {
// tag is unknown: skip the value
peek = tag < f->get_tag();
if (peek) {
if (unkown_tags_limit-- == 0 || sk_value(token, thread) != OK) return ERR_DECODE;
continue; // keep current field
}
f->set_to_default(message_received);
}
// goto next field...
f = f->next();
}
while (token != 'z') {
if (rd_uchar(thread, token) != OK) return ERR_DECODE;
if (token != 'z') {
if (token == 'N') {
if (rd_uchar(thread, token) != OK && token != 'z') return ERR_DECODE;
return ERR_CALL;
}
if (rd_value(thread, tag) != OK || tag < prev_tag) return ERR_DECODE;
prev_tag = tag;
if (unkown_tags_limit-- == 0 || sk_value(token, thread) != OK) return ERR_DECODE;
}
}
m_depth--;
return OK;
}
void vms_bind_sym(DSO *dso, const char *symname, void **sym)
{
DSO_VMS_INTERNAL *ptr;
int status;
#if 0
int flags = (1<<4); /* LIB$M_FIS_MIXEDCASE, but this symbol isn't
defined in VMS older than 7.0 or so */
#else
int flags = 0;
#endif
struct dsc$descriptor_s symname_dsc;
*sym = NULL;
symname_dsc.dsc$w_length = strlen(symname);
symname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
symname_dsc.dsc$b_class = DSC$K_CLASS_S;
symname_dsc.dsc$a_pointer = (char *)symname; /* The cast is needed */
if((dso == NULL) || (symname == NULL))
{
DSOerr(DSO_F_VMS_BIND_SYM,ERR_R_PASSED_NULL_PARAMETER);
return;
}
if(sk_num(dso->meth_data) < 1)
{
DSOerr(DSO_F_VMS_BIND_SYM,DSO_R_STACK_ERROR);
return;
}
ptr = (DSO_VMS_INTERNAL *)sk_value(dso->meth_data,
sk_num(dso->meth_data) - 1);
if(ptr == NULL)
{
DSOerr(DSO_F_VMS_BIND_SYM,DSO_R_NULL_HANDLE);
return;
}
if(dso->flags & DSO_FLAG_UPCASE_SYMBOL) flags = 0;
status = do_find_symbol(ptr, &symname_dsc, sym, flags);
if(!$VMS_STATUS_SUCCESS(status))
{
unsigned short length;
char errstring[257];
struct dsc$descriptor_s errstring_dsc;
errstring_dsc.dsc$w_length = sizeof(errstring);
errstring_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
errstring_dsc.dsc$b_class = DSC$K_CLASS_S;
errstring_dsc.dsc$a_pointer = errstring;
*sym = NULL;
status = sys$getmsg(status, &length, &errstring_dsc, 1, 0);
if (!$VMS_STATUS_SUCCESS(status))
lib$signal(status); /* This is really bad. Abort! */
else
{
errstring[length] = '\0';
DSOerr(DSO_F_VMS_BIND_SYM,DSO_R_SYM_FAILURE);
if (ptr->imagename_dsc.dsc$w_length)
ERR_add_error_data(9,
"Symbol ", symname,
" in ", ptr->filename,
" (", ptr->imagename, ")",
": ", errstring);
else
ERR_add_error_data(6,
"Symbol ", symname,
" in ", ptr->filename,
": ", errstring);
}
return;
}
return;
}
int MAIN(int argc, char **argv)
{
int i,badops=0,offset=0,ret=1,j;
unsigned int length=0;
long num,tmplen;
BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
int informat,indent=0, noout = 0, dump = 0;
char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
unsigned char *tmpbuf;
BUF_MEM *buf=NULL;
STACK *osk=NULL;
ASN1_TYPE *at=NULL;
informat=FORMAT_PEM;
apps_startup();
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
prog=argv[0];
argc--;
argv++;
if ((osk=sk_new_null()) == NULL)
{
BIO_printf(bio_err,"Memory allocation failure\n");
goto end;
}
while (argc >= 1)
{
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
derfile= *(++argv);
}
else if (strcmp(*argv,"-i") == 0)
{
indent=1;
}
else if (strcmp(*argv,"-noout") == 0) noout = 1;
else if (strcmp(*argv,"-oid") == 0)
{
if (--argc < 1) goto bad;
oidfile= *(++argv);
}
else if (strcmp(*argv,"-offset") == 0)
{
if (--argc < 1) goto bad;
offset= atoi(*(++argv));
}
else if (strcmp(*argv,"-length") == 0)
{
if (--argc < 1) goto bad;
length= atoi(*(++argv));
if (length == 0) goto bad;
}
else if (strcmp(*argv,"-dump") == 0)
{
dump= -1;
}
else if (strcmp(*argv,"-dlimit") == 0)
{
if (--argc < 1) goto bad;
dump= atoi(*(++argv));
if (dump <= 0) goto bad;
}
else if (strcmp(*argv,"-strparse") == 0)
{
if (--argc < 1) goto bad;
sk_push(osk,*(++argv));
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
BIO_printf(bio_err,"%s [options] <infile\n",prog);
BIO_printf(bio_err,"where options are\n");
BIO_printf(bio_err," -inform arg input format - one of DER TXT PEM\n");
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file (output format is always DER\n");
BIO_printf(bio_err," -noout arg don't produce any output\n");
BIO_printf(bio_err," -offset arg offset into file\n");
BIO_printf(bio_err," -length arg length of section in file\n");
BIO_printf(bio_err," -i indent entries\n");
BIO_printf(bio_err," -dump dump unknown data in hex form\n");
BIO_printf(bio_err," -dlimit arg dump the first arg bytes of unknown data in hex form\n");
BIO_printf(bio_err," -oid file file of extra oid definitions\n");
BIO_printf(bio_err," -strparse offset\n");
BIO_printf(bio_err," a series of these can be used to 'dig' into multiple\n");
BIO_printf(bio_err," ASN1 blob wrappings\n");
goto end;
}
ERR_load_crypto_strings();
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL))
{
ERR_print_errors(bio_err);
goto end;
}
BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
if (oidfile != NULL)
{
if (BIO_read_filename(in,oidfile) <= 0)
{
BIO_printf(bio_err,"problems opening %s\n",oidfile);
ERR_print_errors(bio_err);
goto end;
}
OBJ_create_objects(in);
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
goto end;
}
}
if (derfile) {
if(!(derout = BIO_new_file(derfile, "wb"))) {
BIO_printf(bio_err,"problems opening %s\n",derfile);
ERR_print_errors(bio_err);
goto end;
}
}
if ((buf=BUF_MEM_new()) == NULL) goto end;
if (!BUF_MEM_grow(buf,BUFSIZ*8)) goto end; /* Pre-allocate :-) */
if (informat == FORMAT_PEM)
{
BIO *tmp;
if ((b64=BIO_new(BIO_f_base64())) == NULL)
goto end;
BIO_push(b64,in);
tmp=in;
in=b64;
b64=tmp;
}
num=0;
for (;;)
{
if (!BUF_MEM_grow(buf,(int)num+BUFSIZ)) goto end;
i=BIO_read(in,&(buf->data[num]),BUFSIZ);
if (i <= 0) break;
num+=i;
}
str=buf->data;
/* If any structs to parse go through in sequence */
if (sk_num(osk))
{
tmpbuf=(unsigned char *)str;
tmplen=num;
for (i=0; i<sk_num(osk); i++)
{
ASN1_TYPE *atmp;
j=atoi(sk_value(osk,i));
if (j == 0)
{
BIO_printf(bio_err,"'%s' is an invalid number\n",sk_value(osk,i));
continue;
}
tmpbuf+=j;
tmplen-=j;
atmp = at;
at = d2i_ASN1_TYPE(NULL,&tmpbuf,tmplen);
ASN1_TYPE_free(atmp);
if(!at)
{
BIO_printf(bio_err,"Error parsing structure\n");
ERR_print_errors(bio_err);
goto end;
}
/* hmm... this is a little evil but it works */
tmpbuf=at->value.asn1_string->data;
tmplen=at->value.asn1_string->length;
}
str=(char *)tmpbuf;
num=tmplen;
}
if (length == 0) length=(unsigned int)num;
if(derout) {
if(BIO_write(derout, str + offset, length) != (int)length) {
BIO_printf(bio_err, "Error writing output\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (!noout &&
!ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length,
indent,dump))
{
ERR_print_errors(bio_err);
goto end;
}
ret=0;
end:
BIO_free(derout);
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free_all(out);
if (b64 != NULL) BIO_free(b64);
if (ret != 0)
ERR_print_errors(bio_err);
if (buf != NULL) BUF_MEM_free(buf);
if (at != NULL) ASN1_TYPE_free(at);
if (osk != NULL) sk_free(osk);
OBJ_cleanup();
OPENSSL_EXIT(ret);
}
/// @brief main loop
/// @param argc number of arguments passed to program
/// @param argv array of arguments passed to program
int main(int argc, char * argv[])
{
// local variables
LDAPConfig config;
struct timeval * timeoutp;
LDAP * ld;
int err;
char * errmsg;
//int opt;
X509 * x;
SSL * ssl;
void * invalue;
char msg[1024];
char * datafile;
int skpos;
STACK_OF(X509) * skx;
BerValue cred;
BerValue * servercredp;
BIO * mem;
int fd;
char * fbuff;
char rbuff[1024];
int flen;
int rlen;
void * ptr;
// local variables for parsing cli arguments
int c;
int opt_index;
static char short_opt[] = "23H:hT:qVv";
static struct option long_opt[] =
{
{"help", no_argument, 0, 'h'},
{"silent", no_argument, 0, 'q'},
{"quiet", no_argument, 0, 'q'},
{"verbose", no_argument, 0, 'v'},
{"version", no_argument, 0, 'V'},
{NULL, 0, 0, 0 }
};
// reset config data
memset(&config, 0, sizeof(LDAPConfig));
memset(&cred, 0, sizeof(BerValue));
strncpy(config.ldap_url, "ldap://localhost/", 1024);
config.ldap_version = LDAP_VERSION3;
timeoutp = NULL;
ssl = NULL;
x = NULL;
servercredp = NULL;
// processes command line arguments
while((c = getopt_long(argc, argv, short_opt, long_opt, &opt_index)) != -1)
{
switch(c)
{
case -1: /* no more arguments */
case 0: /* long options toggles */
break;
case '2':
config.ldap_version = LDAP_VERSION2;
break;
case '3':
config.ldap_version = LDAP_VERSION3;
break;
case 'H':
if ((ldap_url_parse(optarg, &config.ludp)))
{
fprintf(stderr, "ldap_url_parse(): invalid LDAP URL\n");
return(1);
};
snprintf(config.ldap_url, 1024, "%s://%s:%i",
config.ludp->lud_scheme, config.ludp->lud_host,
config.ludp->lud_port);
break;
case 'h':
ldappeerchain_usage();
return(0);
case 'q':
config.quiet++;
break;
case 'T':
config.tcp_timeout.tv_sec = (int) strtol(optarg, NULL, 0);
break;
case 'V':
ldappeerchain_version();
return(0);
case 'v':
config.verbose++;
break;
case '?':
fprintf(stderr, "Try `%s --help' for more information.\n", PROGRAM_NAME);
return(1);
default:
fprintf(stderr, "%s: unrecognized option `-%c'\n", PROGRAM_NAME, c);
fprintf(stderr, "Try `%s --help' for more information.\n", PROGRAM_NAME);
return(1);
};
};
// checks for unknown options
if (((optind+1) != argc) && (optind != argc))
{
fprintf(stderr, "%s: too many arguments\n", PROGRAM_NAME);
fprintf(stderr, "Try `%s --help' for more information.\n", PROGRAM_NAME);
return(1);
};
datafile = NULL;
if ((optind+1) == argc)
datafile = argv[optind];
// checks for required arguments
if (!(config.ludp))
{
fprintf(stderr, "%s: missing required option `-H'\n", PROGRAM_NAME);
fprintf(stderr, "Try `%s --help' for more information.\n", PROGRAM_NAME);
return(1);
};
//
// initializes LDAP instance
//
// initialize LDAP handle
ldappeerchain_verbose(&config, "ldap_initialize()\n");
if ((err = ldap_initialize(&ld, config.ldap_url)) != LDAP_SUCCESS)
{
fprintf(stderr, "ldap_initialize(): %s\n", ldap_err2string(err));
return(1);
};
//
// configure's LDAP instance
//
// set LDAP protocol version
ldappeerchain_verbose(&config, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION)\n");
err = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &config.ldap_version);
if (err != LDAP_SUCCESS)
{
fprintf(stderr, "ldap_set_option(PROTOCOL_VERSION): %s\n", ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
// set TLS callback function argument version
ldappeerchain_verbose(&config, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_ARG)\n");
err = ldap_set_option(ld, LDAP_OPT_X_TLS_CONNECT_ARG, &ssl);
if (err != LDAP_SUCCESS)
{
fprintf(stderr, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_ARG): %s\n", ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
// set TLS callback function
invalue = (void *)ldappeerchain_tls_cb;
ldappeerchain_verbose(&config, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_CB)\n");
err = ldap_set_option(ld, LDAP_OPT_X_TLS_CONNECT_CB, invalue);
if (err != LDAP_SUCCESS)
{
fprintf(stderr, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_CB): %s\n", ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
// set network timout
if ((config.tcp_timeout.tv_sec))
{
ldappeerchain_verbose(&config, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT)\n");
err = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &config.tcp_timeout);
if (err != LDAP_SUCCESS)
{
fprintf(stderr, "ldap_set_option(SIZELIMIT): %s\n", ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
};
//
// starts TLS/SSL connections
//
// starts connection if using TLS
if ((strcasecmp(config.ludp->lud_scheme, "ldaps")))
{
ldappeerchain_verbose(&config, "ldap_start_tls_s()\n");
err = ldap_start_tls_s(ld, NULL, NULL);
switch(err)
{
case LDAP_SUCCESS:
break;
case LDAP_CONNECT_ERROR:
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&errmsg);
fprintf(stderr, "ldap_start_tls_s(): %s\n", errmsg);
ldap_memfree(errmsg);
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
default:
fprintf(stderr, "ldap_start_tls_s(): %s\n", ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
};
// uses anonymous binds to start SSL connection
if (!(strcasecmp(config.ludp->lud_scheme, "ldaps")))
{
ldappeerchain_verbose(&config, "ldap_sasl_bind_s()\n");
err = ldap_sasl_bind_s
(
ld, // LDAP * ld
NULL, // const char * dn
LDAP_SASL_SIMPLE, // const char * mechanism
&cred, // struct berval * cred
NULL, // LDAPControl * sctrls[]
NULL, // LDAPControl * cctrls[]
&servercredp // struct berval ** servercredp
);
if (err != LDAP_SUCCESS)
{
fprintf(stderr, "ldap_sasl_bind_s(): %s\n", ldap_err2string(err));
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
};
//
// writes certificates to file
//
// retrieves SSL handle
if (!(ssl))
{
ldappeerchain_verbose(&config, "ldap_get_option(LDAP_OPT_X_TLS_SSL_CTX)\n");
ldap_get_option(ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl);
};
if (!(ssl))
{
fprintf(stderr, "ldappeerchain: unable to retrieve SSL handle\n");
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
// retrieves stack of certs from peer
ldappeerchain_verbose(&config, "SSL_get_peer_cert_chain()\n");
if (!(skx = SSL_get_peer_cert_chain(ssl)))
{
msg[1023] = '\0';
ERR_error_string_n(ERR_get_error(), msg, 1023);
fprintf(stderr, "ldappeerchain: SSL_get_peer_cert_chain(): %s\n", msg);
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
if (!(config.quiet))
fprintf(stderr, "%i certificates in peer chain\n", sk_num(skx));
// Creates new BIO
ldappeerchain_verbose(&config, "BIO_new()\n");
if (!(mem = BIO_new(BIO_s_mem())))
{
ERR_error_string_n(ERR_get_error(), msg, 1023);
fprintf(stderr, "ldappeerchain: BIO_new(): %s\n", msg);
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
// loops through stack
for(skpos = 0; skpos < sk_num(skx); skpos++)
{
x = (X509 *)sk_value(skx, skpos);
ldappeerchain_verbose(&config, "PEM_write_bio_X509()\n");
if ((err = PEM_write_bio_X509(mem, x)) != 1)
//if ((err = PEM_write_X509(fp, x)) != 1)
{
msg[1023] = '\0';
ERR_error_string_n(err, msg, 1023);
fprintf(stderr, "ldappeerchain: PEM_write_bio_X509(): %s\n", msg);
};
};
// opens file for writing
fd = STDOUT_FILENO;
if ((datafile))
{
ldappeerchain_verbose(&config, "open(%s)\n", datafile);
fd = open(datafile, O_WRONLY|O_CREAT|O_APPEND, 0644);
};
if (fd == -1)
{
fprintf(stderr, "ldappeerchain: open(%s, w): %s\n", datafile, strerror(errno));
BIO_free(mem);
ldap_unbind_ext_s(ld, NULL, NULL);
return(1);
};
// prints data to file handle
flen = 0;
fbuff = NULL;
while((rlen = BIO_read(mem, rbuff, 1024)) > 0)
{
if ((ptr = realloc(fbuff, flen+rlen)))
{
fbuff = ptr;
memcpy(&fbuff[flen], rbuff, rlen);
flen += rlen;
};
};
ldappeerchain_verbose(&config, "write()\n");
write(fd, fbuff, flen);
// frees buffer
free(fbuff);
// closes file
if ((datafile))
{
ldappeerchain_verbose(&config, "close()\n");
close(fd);
};
// frees bio
ldappeerchain_verbose(&config, "BIO_free()\n");
BIO_free(mem);
//
// ends connection and frees resources
//
// unbind from LDAP server
ldappeerchain_verbose(&config, "ldap_unbind_ext_s()\n");
ldap_unbind_ext_s(ld, NULL, NULL);
// frees resources
ldappeerchain_verbose(&config, "ldap_free_urldesc()\n");
ldap_free_urldesc(config.ludp);
return(0);
}
