static void testVerifyPublicationsFileWithNoConstraints(CuTest *tc) { int res; KSI_PublicationsFile *pubFile = NULL; KSI_CertConstraint arr[] = { {NULL, NULL}, {NULL, NULL} }; KSI_ERR_clearErrors(ctx); res = KSI_PublicationsFile_fromFile(ctx, getFullResourcePath(TEST_PUBLICATIONS_FILE), &pubFile); CuAssert(tc, "Unable to read publications file", res == KSI_OK && pubFile != NULL); res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to delete OID 1.2.840.113549.1.9.1", res == KSI_OK); /* Verification should not fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file may not verify with no constraints.", res == KSI_PUBFILE_VERIFICATION_NOT_CONFIGURED); arr[0].oid = KSI_CERT_EMAIL; arr[0].val = "*****@*****.**"; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to set OID 1.2.840.113549.1.9.1 back to normal", res == KSI_OK); /* Verification should not fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file must verify with e-mail.", res == KSI_OK); KSI_PublicationsFile_free(pubFile); }
static void testVerifyPublicationsFileWithAttributeNotPresent(CuTest *tc) { int res; KSI_PublicationsFile *pubFile = NULL; KSI_CertConstraint arr[] = { {NULL, NULL}, {NULL, NULL} }; KSI_ERR_clearErrors(ctx); res = KSI_PublicationsFile_fromFile(ctx, getFullResourcePath(TEST_PUBLICATIONS_FILE), &pubFile); CuAssert(tc, "Unable to read publications file", res == KSI_OK && pubFile != NULL); arr[0].oid = "2.5.4.9"; arr[0].val = "Local pub"; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to delete OID 2.5.4.9", res == KSI_OK); /* Verification should fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file must verify with address.", res != KSI_OK); arr[0].oid = KSI_CERT_EMAIL; arr[0].val = "*****@*****.**"; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to set OID 2.5.4.9 back to normal", res == KSI_OK); /* Verification should not fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file must verify.", res == KSI_OK); KSI_PublicationsFile_free(pubFile); }
static void testVerifyPublicationsFileWithOrganization(CuTest *tc) { int res; KSI_PublicationsFile *pubFile = NULL; KSI_CertConstraint arr[] = { {KSI_CERT_EMAIL, "*****@*****.**"}, {NULL, NULL}, {NULL, NULL} }; KSI_ERR_clearErrors(ctx); res = KSI_PublicationsFile_fromFile(ctx, getFullResourcePath(TEST_PUBLICATIONS_FILE), &pubFile); CuAssert(tc, "Unable to read publications file", res == KSI_OK && pubFile != NULL); arr[1].oid = KSI_CERT_ORGANIZATION; arr[1].val = "Guardtime AS"; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to set OID 2.5.4.10", res == KSI_OK); /* Verification should fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file must verify with OID='2.5.4.10' value 'Guardtime AS'.", res == KSI_OK); arr[1].val = "Guardtime US"; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to set OID 2.5.4.10", res == KSI_OK); /* Verification should fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file may not verify with wrong company'.", res != KSI_OK); /* Verification should succeed. */ arr[1].oid = NULL; arr[1].val = NULL; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to set OID 2.5.4.10", res == KSI_OK); /* Verification should fail. */ res = KSI_PublicationsFile_verify(pubFile, ctx); CuAssert(tc, "Publications file must verify with OID='2.5.4.10' removed from the constraints", res == KSI_OK); CuAssert(tc, "Publications file should verify with mock certificate.", res == KSI_OK); KSI_PublicationsFile_free(pubFile); }
int KSI_CTX_setPublicationCertEmail(KSI_CTX *ctx, const char *email) { int res = KSI_UNKNOWN_ERROR; char *tmp = NULL; KSI_CertConstraint arr[] = { { KSI_CERT_EMAIL, NULL }, { NULL, NULL } }; if (ctx == NULL || email == NULL) { res = KSI_INVALID_ARGUMENT; goto cleanup; } /* The value is only read - cast is safe. */ arr[0].val = (char *) email; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); if (res != KSI_OK) { KSI_pushError(ctx, res, NULL); goto cleanup; } /* Keep the value for compatibility. */ if (email != NULL && email[0] != '\0') { size_t len = strlen(email); tmp = KSI_calloc(len + 1, 1); if (tmp == NULL) { res = KSI_OUT_OF_MEMORY; goto cleanup; } memcpy(tmp, email, len + 1); } KSI_free(ctx->publicationCertEmail_DEPRECATED); ctx->publicationCertEmail_DEPRECATED = tmp; tmp = NULL; res = KSI_OK; cleanup: KSI_free(tmp); return res; }
static void testReceivePublicationsFileInvalidPki(CuTest *tc) { int res; KSI_PublicationsFile *pubFile = NULL; KSI_PKITruststore *pki = NULL; KSI_CertConstraint arr[] = { {KSI_CERT_EMAIL, "*****@*****.**"}, {NULL, NULL} }; KSI_CTX *ctx = NULL; res = KSITest_CTX_clone(&ctx); CuAssert(tc, "Unable to create new context.", res == KSI_OK && ctx != NULL); KSI_ERR_clearErrors(ctx); res = KSI_CTX_setPublicationUrl(ctx, getFullResourcePathUri(TEST_PUBLICATIONS_FILE_INVALID_PKI)); CuAssert(tc, "Unable to clear pubfile URI.", res == KSI_OK); /* Configure expected PIK cert and constraints for pub. file. */ res = KSI_PKITruststore_new(ctx, 0, &pki); CuAssert(tc, "Unable to get PKI truststore from context.", res == KSI_OK && pki != NULL); res = KSI_CTX_setPKITruststore(ctx, pki); CuAssert(tc, "Unable to set new pki truststrore for ksi context.", res == KSI_OK); res = KSI_PKITruststore_addLookupFile(pki, getFullResourcePath("resource/tlv/mock.crt")); CuAssert(tc, "Unable to read certificate", res == KSI_OK); res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, arr); CuAssert(tc, "Unable to set OID 2.5.4.10", res == KSI_OK); res = KSI_receivePublicationsFile(ctx, &pubFile); CuAssert(tc, "Unable to receive publications file.", res == KSI_OK && pubFile != NULL); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Publications file should NOT verify as PKI signature is wrong.", res == KSI_INVALID_PKI_SIGNATURE); KSI_PublicationsFile_free(pubFile); KSI_CTX_free(ctx); }
int main(int argc, char **argv) { KSI_CTX *ksi = NULL; int res; FILE *out = NULL; KSI_Signature *sig = NULL; KSI_Signature *ext = NULL; unsigned char *raw = NULL; size_t raw_len; unsigned count; FILE *logFile = NULL; const KSI_CertConstraint pubFileCertConstr[] = { { KSI_CERT_EMAIL, "*****@*****.**"}, { NULL, NULL } }; if (argc != 5) { printf("Usage:\n" " %s <signature> <extended> <extender uri> <pub-file url>\n", argv[0]); res = KSI_INVALID_ARGUMENT; goto cleanup; } /* Init KSI context */ res = KSI_CTX_new(&ksi); if (res != KSI_OK) { fprintf(stderr, "Unable to init KSI context.\n"); goto cleanup; } logFile = fopen("ksi_extend.log", "w"); if (logFile == NULL) { fprintf(stderr, "Unable to open log file.\n"); } res = KSI_CTX_setDefaultPubFileCertConstraints(ksi, pubFileCertConstr); if (res != KSI_OK) { fprintf(stderr, "Unable to configure publications file cert constraints.\n"); goto cleanup; } KSI_CTX_setLoggerCallback(ksi, KSI_LOG_StreamLogger, logFile); KSI_CTX_setLogLevel(ksi, KSI_LOG_DEBUG); KSI_LOG_info(ksi, "Using KSI version: '%s'", KSI_getVersion()); res = KSI_CTX_setExtender(ksi, argv[3], "anon", "anon"); if (res != KSI_OK) goto cleanup; res = KSI_CTX_setPublicationUrl(ksi, argv[4]); if (res != KSI_OK) goto cleanup; /* Read the signature. */ res = KSI_Signature_fromFile(ksi, argv[1], &sig); if (res != KSI_OK) { KSI_ERR_statusDump(ksi, stdout); fprintf(stderr, "Unable to read signature from '%s'\n", argv[1]); goto cleanup; } /* Make sure the signature is ok. */ res = KSI_verifySignature(ksi, sig); if (res != KSI_OK) { fprintf(stderr, "Unable to verify signature.\n"); KSI_ERR_statusDump(ksi, stderr); goto cleanup; } /* Extend the signature. */ res = KSI_extendSignature(ksi, sig, &ext); if (res != KSI_OK) { if (res == KSI_EXTEND_NO_SUITABLE_PUBLICATION) { printf("No suitable publication to extend to.\n"); goto cleanup; } fprintf(stderr, "Unable to extend signature.\n"); KSI_ERR_statusDump(ksi, stderr); goto cleanup; } /* To be extra sure, lets verify the extended signature. */ res = KSI_verifySignature(ksi, ext); if (res != KSI_OK) { fprintf(stderr, "Unable to verify the extended signature.\n"); KSI_ERR_statusDump(ksi, stderr); goto cleanup; } /* Serialize the extended signature. */ res = KSI_Signature_serialize(ext, &raw, &raw_len); if (res != KSI_OK) { fprintf(stderr, "Unable to serialize extended signature.\n"); goto cleanup; } /* Open output file. */ out = fopen(argv[2], "wb"); if (out == NULL) { fprintf(stderr, "Unable to open output file '%s'\n", argv[2]); res = KSI_IO_ERROR; goto cleanup; } count = (unsigned) fwrite(raw, 1, raw_len, out); if (count != raw_len) { fprintf(stderr, "Failed to write output file.\n"); res = KSI_IO_ERROR; goto cleanup; } printf("Signature extended."); cleanup: if (logFile != NULL) fclose(logFile); if (out != NULL) fclose(out); KSI_Signature_free(sig); KSI_Signature_free(ext); KSI_free(raw); KSI_CTX_free(ksi); return res; }
static void testVerifyPublicationsFileWithFileSpecificConstraints(CuTest *tc) { int res; KSI_PublicationsFile *pubFile = NULL; KSI_CertConstraint empty[] = { {NULL, NULL}, {NULL, NULL} }; KSI_CertConstraint email[] = { {KSI_CERT_EMAIL, "*****@*****.**"}, {NULL, NULL} }; KSI_CertConstraint wrong[] = { {KSI_CERT_EMAIL, "*****@*****.**"}, {NULL, NULL} }; KSI_CertConstraint unknown[] = { {"3.2.840.113549.1.9.1", "*****@*****.**"}, {NULL, NULL} }; res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, email); CuAssert(tc, "Unable to set default certificate constraints", res == KSI_OK); res = KSI_PublicationsFile_fromFile(ctx, getFullResourcePath(TEST_PUBLICATIONS_FILE), &pubFile); CuAssert(tc, "Unable to read publications file", res == KSI_OK && pubFile != NULL); res = KSI_PublicationsFile_setCertConstraints(pubFile, NULL); CuAssert(tc, "Unable to set publications file certificate constraints.", res == KSI_OK); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Unable to verify publications file with context based constraints.", res == KSI_OK); res = KSI_PublicationsFile_setCertConstraints(pubFile, empty); CuAssert(tc, "Unable to set publications file certificate constraints.", res == KSI_OK); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Publications file should not verify with empty certificate constraints.", res != KSI_OK); res = KSI_PublicationsFile_setCertConstraints(pubFile, email); CuAssert(tc, "Unable to set publications file certificate constraints.", res == KSI_OK); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Unable to verify publications file with email.", res == KSI_OK); res = KSI_PublicationsFile_setCertConstraints(pubFile, wrong); CuAssert(tc, "Unable to set publications file certificate constraints.", res == KSI_OK); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Publications file should not verify with wrong certificate constraints.", res != KSI_OK); res = KSI_PublicationsFile_setCertConstraints(pubFile, unknown); CuAssert(tc, "Unable to set publications file certificate constraints.", res == KSI_OK); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Publications file should not verify with unknown certificate constraints.", res == KSI_INVALID_ARGUMENT); res = KSI_CTX_setDefaultPubFileCertConstraints(ctx, wrong); CuAssert(tc, "Unable to set default certificate constraints", res == KSI_OK); res = KSI_PublicationsFile_setCertConstraints(pubFile, email); CuAssert(tc, "Unable to set publications file certificate constraints.", res == KSI_OK); res = KSI_verifyPublicationsFile(ctx, pubFile); CuAssert(tc, "Unable to verify publications file with email.", res == KSI_OK); KSI_PublicationsFile_free(pubFile); }
int main(int argc, char **argv) { KSI_CTX *ksi = NULL; int res = KSI_UNKNOWN_ERROR; KSI_DataHash *hsh = NULL; KSI_RequestHandle *handle[REQUESTS]; KSI_NetworkClient *http = NULL; FILE *logFile = NULL; size_t i; KSI_DataHasher *hsr = NULL; const KSI_CertConstraint pubFileCertConstr[] = { { KSI_CERT_EMAIL, "*****@*****.**"}, { NULL, NULL } }; struct { size_t ok; size_t nok; } stat; stat.ok = 0; stat.nok = 0; /* Create new KSI context for this thread. */ res = KSI_CTX_new(&ksi); if (res != KSI_OK) { fprintf(stderr, "Unable to create context.\n"); goto cleanup; } res = KSI_CTX_setDefaultPubFileCertConstraints(ksi, pubFileCertConstr); if (res != KSI_OK) { fprintf(stderr, "Unable to configure publications file cert constraints.\n"); goto cleanup; } /* Configure the logger. */ res = OpenLogging(ksi, "multi_curl.log", &logFile); if (res != KSI_OK) goto cleanup; KSI_LOG_info(ksi, "Using KSI version: '%s'", KSI_getVersion()); /* Check publications file url. */ res = KSI_CTX_setPublicationUrl(ksi, "http://verify.guardtime.com/ksi-publications.bin"); if (res != KSI_OK) { fprintf(stderr, "Unable to set publications file url.\n"); goto cleanup; } res = KSI_HttpClient_new(ksi, &http); if (res != KSI_OK) { fprintf(stderr, "Unable to create http client.\n"); goto cleanup; } res = KSI_HttpClient_setAggregator(http, "http://ksigw.test.guardtime.com:3332", "anon", "anon"); if (res != KSI_OK) { fprintf(stderr, "Unable to set aggregator url.\n"); goto cleanup; } KSI_HttpClient_setReadTimeoutSeconds(http, 10); KSI_HttpClient_setConnectTimeoutSeconds(http, 10); for (i = 0; i < REQUESTS; i++) { char buf[100]; size_t len; KSI_AggregationReq *req = NULL; len = KSI_snprintf(buf, sizeof(buf), "Hello %d", i); res = KSI_DataHash_create(ksi, buf, len, KSI_getHashAlgorithmByName("default"), &hsh); if (res != KSI_OK) { fprintf(stderr, "Unable to create hash."); goto cleanup; } res = KSI_AggregationReq_new(ksi, &req); if (res != KSI_OK) { fprintf(stderr, "Unable to create request."); goto cleanup; } res = KSI_AggregationReq_setRequestHash(req, hsh); if (res != KSI_OK) { fprintf(stderr, "Unable to set request hash."); goto cleanup; } res = KSI_NetworkClient_sendSignRequest(http, req, &handle[i]); if (res != KSI_OK) { fprintf(stderr, "Unable to send aggregation request."); goto cleanup; } KSI_AggregationReq_free(req); } res = KSI_NetworkClient_performAll(http, handle, REQUESTS); if (res != KSI_OK) { fprintf(stderr, "Unable to perform requests."); goto cleanup; } for (i = 0; i < REQUESTS; i++) { KSI_AggregationResp *resp = NULL; res = KSI_RequestHandle_getAggregationResponse(handle[i], &resp); if (res != KSI_OK) { const KSI_RequestHandleStatus *st = NULL; res = KSI_RequestHandle_getResponseStatus(handle[i], &st); if (res == KSI_OK) { printf("Status code = %ld: %s\n", st->code, st->errm); } KSI_ERR_statusDump(ksi, stdout); stat.nok++; } else { stat.ok ++; } KSI_AggregationResp_free(resp); } printf("Requests:\n" " Successful: %llu\n" " Failed: %llu\n" " TOTAL: %llu\n", (unsigned long long)stat.ok, (unsigned long long)stat.nok, (unsigned long long)(stat.ok + stat.nok)); res = KSI_OK; cleanup: if (logFile != NULL) fclose(logFile); if (res != KSI_OK && ksi != NULL) { KSI_ERR_statusDump(ksi, stderr); } KSI_DataHash_free(hsh); KSI_DataHasher_free(hsr); KSI_CTX_free(ksi); return res; }
int main(int argc, char **argv) { int res = KSI_UNKNOWN_ERROR; /* Signature read from the file. */ KSI_Signature *sig = NULL; /* Signature extended to the publication. */ KSI_Signature *ext = NULL; /* Hash of the data file. */ KSI_DataHash *hsh = NULL; /* Hash value extracted from the signature. */ KSI_DataHash *signHsh = NULL; /* Data file hasher. */ KSI_DataHasher *hsr = NULL; /* Input file descriptor. */ FILE *in = NULL; /* Buffer for reading the input. */ unsigned char buf[1024]; /* Length of the buffer content. */ size_t buf_len; /* Verification info object. */ const KSI_VerificationResult *info = NULL; /* File descriptor for logging. */ FILE *logFile = NULL; const KSI_CertConstraint pubFileCertConstr[] = { { KSI_CERT_EMAIL, "*****@*****.**"}, { NULL, NULL } }; /* Init context. */ res = KSI_CTX_new(&ksi); if (res != KSI_OK) { fprintf(stderr, "Unable to init KSI context.\n"); goto cleanup; } logFile = fopen("ksi_verify.log", "w"); if (logFile == NULL) { fprintf(stderr, "Unable to open log file.\n"); } res = KSI_CTX_setDefaultPubFileCertConstraints(ksi, pubFileCertConstr); if (res != KSI_OK) { fprintf(stderr, "Unable to configure publications file cert constraints.\n"); goto cleanup; } /* Configure the logger. */ KSI_CTX_setLoggerCallback(ksi, KSI_LOG_StreamLogger, logFile); KSI_CTX_setLogLevel(ksi, KSI_LOG_DEBUG); KSI_LOG_info(ksi, "Using KSI version: '%s'", KSI_getVersion()); /* Check parameters. */ if (argc != 6) { fprintf(stderr, "Usage\n" " %s <data file | -> <signature> <publication-str> <extender url> <pub-file url>\n", argv[0]); goto cleanup; } /* Configure extender. */ res = KSI_CTX_setExtender(ksi, argv[4], "anon", "anon"); if (res != KSI_OK) { fprintf(stderr, "Unable to set extender parameters.\n"); goto cleanup; } /* Set the publications file url. */ res = KSI_CTX_setPublicationUrl(ksi, argv[4]); if (res != KSI_OK) { fprintf(stderr, "Unable to set publications file url.\n"); goto cleanup; } printf("Reading signature... "); /* Read the signature. */ res = KSI_Signature_fromFile(ksi, argv[2], &sig); if (res != KSI_OK) { printf("failed (%s)\n", KSI_getErrorString(res)); goto cleanup; } printf("ok\n"); printf("Verifying the signature with the publication... "); res = extendToPublication(sig, argv[3], &ext); switch (res) { case KSI_OK: printf("ok\n"); break; case KSI_VERIFICATION_FAILURE: printf("failed\n"); break; default: printf("failed (%s)\n", KSI_getErrorString(res)); goto cleanup; } /* Create hasher. */ res = KSI_Signature_createDataHasher(ext, &hsr); if (res != KSI_OK) { fprintf(stderr, "Unable to create data hasher.\n"); goto cleanup; } if (strcmp(argv[1], "-")) { in = fopen(argv[1], "rb"); if (in == NULL) { fprintf(stderr, "Unable to open data file '%s'.\n", argv[1]); goto cleanup; } /* Calculate the hash of the document. */ while (!feof(in)) { buf_len = fread(buf, 1, sizeof(buf), in); res = KSI_DataHasher_add(hsr, buf, buf_len); if (res != KSI_OK) { fprintf(stderr, "Unable hash the document.\n"); goto cleanup; } } /* Finalize the hash computation. */ res = KSI_DataHasher_close(hsr, &hsh); if (res != KSI_OK) { fprintf(stderr, "Failed to close the hashing process.\n"); goto cleanup; } res = KSI_Signature_getDocumentHash(sig, &signHsh); if (res != KSI_OK) goto cleanup; printf("Verifying document hash... "); if (!KSI_DataHash_equals(hsh, signHsh)) { printf("Wrong document!\n"); goto cleanup; } printf("ok\n"); } res = KSI_Signature_getVerificationResult(ext, &info); if (res != KSI_OK) goto cleanup; if (info != NULL) { size_t i; printf("Verification info:\n"); for (i = 0; i < KSI_VerificationResult_getStepResultCount(info); i++) { const KSI_VerificationStepResult *result = NULL; const char *desc = NULL; res = KSI_VerificationResult_getStepResult(info, i, &result); if (res != KSI_OK) goto cleanup; printf("\t0x%02x:\t%s", KSI_VerificationStepResult_getStep(result), KSI_VerificationStepResult_isSuccess(result) ? "OK" : "FAIL"); desc = KSI_VerificationStepResult_getDescription(result); if (desc && *desc) { printf(" (%s)", desc); } printf("\n"); } } res = KSI_OK; cleanup: if (logFile != NULL) fclose(logFile); if (res != KSI_OK && ksi != NULL) { KSI_ERR_statusDump(ksi, stderr); } if (in != NULL) fclose(in); KSI_Signature_free(sig); KSI_Signature_free(ext); KSI_DataHasher_free(hsr); KSI_DataHash_free(hsh); KSI_CTX_free(ksi); return res; }