int check (X509_STORE *ctx, const char *file) { X509 *cert = NULL; int res = 0; X509_STORE_CTX *csc; cert = load_cert_from_file (file); if (!cert) return 0; csc = X509_STORE_CTX_new(); if (!csc) { if (cert) X509_free(cert); return 0; } X509_STORE_set_flags(ctx, 0); if(!X509_STORE_CTX_init(csc, ctx, cert, 0)) { if (cert) X509_free(cert); if (csc) X509_STORE_CTX_free(csc); return 0; } res = X509_verify_cert(csc); X509_STORE_CTX_free(csc); X509_free(cert); return (res > 0); }
char *ssl_certificate_check_signer(X509 *cert) { X509_STORE_CTX store_ctx; X509_STORE *store; char *err_msg = NULL; store = X509_STORE_new(); if (store == NULL) { printf("Can't create X509_STORE\n"); return NULL; } if (!X509_STORE_set_default_paths(store)) { X509_STORE_free(store); return g_strdup(_("Can't load X509 default paths")); } X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (!X509_verify_cert(&store_ctx)) { err_msg = g_strdup(X509_verify_cert_error_string (X509_STORE_CTX_get_error(&store_ctx))); eb_debug(DBG_CORE, "Can't check signer: %s\n", err_msg); X509_STORE_CTX_cleanup(&store_ctx); X509_STORE_free(store); return err_msg; } X509_STORE_CTX_cleanup(&store_ctx); X509_STORE_free(store); return NULL; }
static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg) { sslctxparm * p = (sslctxparm *) arg; int ok; if (p->verbose > 2) BIO_printf(p->errorbio,"entering ssl_app_verify_callback\n"); if ((ok= X509_verify_cert(ctx)) && ctx->cert) { unsigned char * accessinfo ; if (p->verbose > 1) X509_print_ex(p->errorbio,ctx->cert,0,0); if (accessinfo = my_get_ext(ctx->cert,p->accesstype ,NID_sinfo_access)) { if (p->verbose) BIO_printf(p->errorbio,"Setting URL from SIA to: %s\n", accessinfo); curl_easy_setopt(p->curl, CURLOPT_URL,accessinfo); } else if (accessinfo = my_get_ext(ctx->cert,p->accesstype, NID_info_access)) { if (p->verbose) BIO_printf(p->errorbio,"Setting URL from AIA to: %s\n", accessinfo); curl_easy_setopt(p->curl, CURLOPT_URL,accessinfo); } } if (p->verbose > 2) BIO_printf(p->errorbio,"leaving ssl_app_verify_callback with %d\n", ok); return(ok); }
int net_nfc_util_openssl_verify_certificate(net_nfc_openssl_verify_context_s *context) { int result = 0; X509_STORE_CTX *store_ctx = NULL; store_ctx = X509_STORE_CTX_new(); if (store_ctx != NULL) { X509_STORE_set_flags(context->store, 0); if (X509_STORE_CTX_init(store_ctx, context->store, context->signer_cert, 0) == true) { result = X509_verify_cert(store_ctx); } else { DEBUG_ERR_MSG("X509_STORE_CTX_init failed"); } X509_STORE_CTX_free(store_ctx); } else { DEBUG_ERR_MSG("X509_STORE_CTX_new failed"); } return result; }
/** * Set the "ignore purpose" before to start verifing the certificate chain. */ static int cert_verify_cb(X509_STORE_CTX *x509_ctx, void *ptr) { int verify; lua_State *L; SSL_CTX *ctx = (SSL_CTX*)ptr; p_context pctx = (p_context)SSL_CTX_get_app_data(ctx); L = pctx->L; /* Get verify flags */ luaL_getmetatable(L, "SSL:Verify:Registry"); lua_pushlightuserdata(L, (void*)ctx); lua_gettable(L, -2); verify = (int)lua_tonumber(L, -1); lua_pop(L, 2); /* Remove values from stack */ if (verify & LSEC_VERIFY_IGNORE_PURPOSE) { /* Set parameters to ignore the server purpose */ X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(x509_ctx); if (param) { X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_SSL_SERVER); X509_VERIFY_PARAM_set_trust(param, X509_TRUST_SSL_SERVER); } } /* Call OpenSSL standard verification function */ return X509_verify_cert(x509_ctx); }
bool SSLConnection::checkCertSigner() { X509_STORE_CTX xsc; X509_STORE *c; bool pass = false; if (!(c = X509_STORE_new())) return false; if (UseSysCerts) { if (!X509_STORE_set_default_paths (c)) { DEBUGPRINT(D_SOCKET,(("X509_STORE_set_default_paths failed"))); } else pass = true; } if (!X509_STORE_load_locations (c, SSLCertFile, NULL)) { DEBUGPRINT(D_SOCKET,("X509_STORE_load_locations_failed")); } else pass = true; if (!pass) { /* nothing to do */ X509_STORE_free (c); return false; } X509_STORE_CTX_init (&xsc, c, cert, NULL); pass = (X509_verify_cert (&xsc) > 0); X509_STORE_CTX_cleanup (&xsc); X509_STORE_free (c); return pass; }
/** * Check if X509Cert is signed by trusted issuer * @return 0 or openssl error_code. Get human readable cause with X509_verify_cert_error_string(code) * @throw IOException if error */ int digidoc::X509Cert::verify() const throw(IOException) { X509_STORE_CTX *csc = X509_STORE_CTX_new(); X509_STORE_CTX_scope csct(&csc); if (!csc) THROW_IOEXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); X509_STORE *store = digidoc::X509CertStore::getInstance()->getCertStore(); X509* x = getX509(); X509_scope xt(&x); if(!X509_STORE_CTX_init(csc, store, x, NULL)) THROW_IOEXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); int ok = X509_verify_cert(csc); if(!ok) { int err = X509_STORE_CTX_get_error(csc); X509Cert cause(X509_STORE_CTX_get_current_cert (csc)); std::ostringstream s; s << "Unable to verify " << cause.getSubject(); s << ". Cause: " << X509_verify_cert_error_string(err); switch(err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: { IOException e(__FILE__, __LINE__, s.str()); e.setCode( Exception::CertificateIssuerMissing ); throw e; break; } default: THROW_IOEXCEPTION(s.str().c_str()); break; } } return ok; }
static int SSL_CTX_use_certificate_file_with_check( SSL_CTX *ctx, char *file, int type) { FILE *fp; X509 *x509; X509_STORE_CTX *sctx; int ret; ret = SSL_CTX_use_certificate_file(ctx, file, type); if(!ret) return ret; if(!(fp = fopen(file, "r"))) { return -1; } x509 = PEM_read_X509(fp, NULL, NULL, NULL); if(!x509){ rewind(fp); x509 = d2i_X509_fp(fp, NULL); } fclose(fp); if(!x509) return -1; X509_STORE_add_cert(ctx->cert_store, x509); sctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(sctx, ctx->cert_store, x509, NULL); X509_STORE_CTX_set_verify_cb(sctx, LocalVerifyCallBack); X509_verify_cert(sctx); X509_STORE_CTX_free(sctx); CheckValidPeriod(x509); return ret; }
static int ssl_verify_ca(X509 *target_cert) { STACK_OF(X509) *ca_stack = NULL; X509_STORE_CTX *store_ctx = NULL; int ret; store_ctx = X509_STORE_CTX_new(); ret = X509_STORE_CTX_init(store_ctx, ca_store, target_cert, ca_stack); if (ret != 1) { printf("X509_STORE_CTX_init fail, ret = %d", ret); goto end; } ret = X509_verify_cert(store_ctx); if (ret != 1) { printf("X509_verify_cert fail, ret = %d, error id = %d, %s\n", ret, store_ctx->error, X509_verify_cert_error_string(store_ctx->error)); goto end; } end: if (store_ctx) { X509_STORE_CTX_free(store_ctx); } return (ret == 1) ? 0 : -1; }
int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si) { PKCS7_ISSUER_AND_SERIAL *ias; int ret = 0, i; STACK_OF(X509) *cert; X509 *x509; if (p7 == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); return 0; } if (p7->d.ptr == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); return 0; } if (PKCS7_type_is_signed(p7)) { cert = p7->d.sign->cert; } else if (PKCS7_type_is_signedAndEnveloped(p7)) { cert = p7->d.signed_and_enveloped->cert; } else { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_WRONG_PKCS7_TYPE); goto err; } /* XXXX */ ias = si->issuer_and_serial; x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); /* were we able to find the cert in passed to us */ if (x509 == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); goto err; } /* Lets verify */ if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB); goto err; } X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); i = X509_verify_cert(ctx); if (i <= 0) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB); X509_STORE_CTX_cleanup(ctx); goto err; } X509_STORE_CTX_cleanup(ctx); return PKCS7_signatureVerify(bio, p7, si, x509); err: return ret; }
int main(int argc, char *argv[]) { X509 *cert; X509_STORE *store; X509_LOOKUP *lookup; X509_STORE_CTX *verify_ctx; FILE *fp; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); /* frist read the client certificate */ if (!(fp = fopen(CLIENT_CERT, "r"))) { int_error("Error reading client certificate file"); } if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) { int_error("Error reading client certificate in file"); } fclose(fp); /* create the cert store and set the verify callback */ if (!(store = X509_STORE_new())) { int_error("Error creating X509_STORE_CTX object"); } X509_STORE_set_verify_cb_func(store, verify_callback); /* load the CA certificates and CRLs */ if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1) { int_error("Error loading the CA file or directory"); } if (X509_STORE_set_default_paths(store) != 1) { int_error("Error loading the system-wide CA certificates"); } if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))) { int_error("Error creating X509_LOOKUP object"); } if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1) { int_error("Error reading the CRL file"); } /* set the flags of the store so that the CRLs are consulted */ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); /* create a verification context and initialize it */ if (!(verify_ctx = X509_STORE_CTX_new())) { int_error("Error creating X509_STORE_CTX object"); } if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1) { int_error("Error initializing verification context"); } /* verify the certificate */ if (X509_verify_cert(verify_ctx) != 1) { int_error("Error verifying the certificate"); } else { printf("Certificate verified correctly!\n"); } return 0; }
/** * TrustedObject::verifyCertificate * * Verifies a given certificate * * @param cert X509 cert * @return 1 if verified, other values otherwise * @author Timothy Thong */ int TrustedObject::verifyCertificate(X509 *cert) { OpenSSL_add_all_algorithms(); X509_STORE_CTX_set_cert(ctx, cert); int ret = X509_verify_cert(ctx); EVP_cleanup(); return ret; }
unsigned long dtls1_output_cert_chain(SSL *s, X509 *x) { unsigned char *p; int i; unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH; BUF_MEM *buf; /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; if (!BUF_MEM_grow_clean(buf,10)) { SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); } if (x != NULL) { X509_STORE_CTX xs_ctx; if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL)) { SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); return(0); } X509_verify_cert(&xs_ctx); /* Don't leave errors in the queue */ ERR_clear_error(); for (i=0; i < sk_X509_num(xs_ctx.chain); i++) { x = sk_X509_value(xs_ctx.chain, i); if (!dtls1_add_cert_to_buf(buf, &l, x)) { X509_STORE_CTX_cleanup(&xs_ctx); return 0; } } X509_STORE_CTX_cleanup(&xs_ctx); } /* Thawte special :-) */ for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++) { x=sk_X509_value(s->ctx->extra_certs,i); if (!dtls1_add_cert_to_buf(buf, &l, x)) return 0; } l-= (3 + DTLS1_HM_HEADER_LENGTH); p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); l2n3(l,p); l+=3; p=(unsigned char *)&(buf->data[0]); p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l); l+=DTLS1_HM_HEADER_LENGTH; return(l); }
static GTlsCertificateFlags g_tls_database_openssl_verify_chain (GTlsDatabase *database, GTlsCertificate *chain, const gchar *purpose, GSocketConnectable *identity, GTlsInteraction *interaction, GTlsDatabaseVerifyFlags flags, GCancellable *cancellable, GError **error) { GTlsDatabaseOpenssl *self = G_TLS_DATABASE_OPENSSL (database); GTlsDatabaseOpensslPrivate *priv; STACK_OF(X509) *certs; X509_STORE_CTX *csc; X509 *x; GTlsCertificateFlags result = 0; g_return_val_if_fail (G_IS_TLS_CERTIFICATE_OPENSSL (chain), G_TLS_CERTIFICATE_GENERIC_ERROR); priv = g_tls_database_openssl_get_instance_private (self); if (g_cancellable_set_error_if_cancelled (cancellable, error)) return G_TLS_CERTIFICATE_GENERIC_ERROR; certs = convert_certificate_chain_to_openssl (G_TLS_CERTIFICATE_OPENSSL (chain)); csc = X509_STORE_CTX_new (); x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (chain)); if (!X509_STORE_CTX_init (csc, priv->store, x, certs)) { X509_STORE_CTX_free (csc); sk_X509_free (certs); return G_TLS_CERTIFICATE_GENERIC_ERROR; } if (X509_verify_cert (csc) <= 0) result = g_tls_certificate_openssl_convert_error (X509_STORE_CTX_get_error (csc)); X509_STORE_CTX_free (csc); sk_X509_free (certs); if (g_cancellable_set_error_if_cancelled (cancellable, error)) return G_TLS_CERTIFICATE_GENERIC_ERROR; /* We have to check these ourselves since openssl * does not give us flags and UNKNOWN_CA will take priority. */ result |= double_check_before_after_dates (G_TLS_CERTIFICATE_OPENSSL (chain)); if (identity) result |= g_tls_certificate_openssl_verify_identity (G_TLS_CERTIFICATE_OPENSSL (chain), identity); return result; }
bool bdoc::X509Cert::verify(X509_STORE* aStore, struct tm* tm) const { if (aStore == NULL) { THROW_STACK_EXCEPTION("Invalid argument to verify"); } X509_STORE* store = aStore; X509_STORE** ppStore = NULL; X509_STORE_scope xst(ppStore); X509_STORE_CTX *csc = X509_STORE_CTX_new(); X509_STORE_CTX_scope csct(&csc); if (csc == NULL) { THROW_STACK_EXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); } X509* x = getX509(); X509_scope xt(&x); if (!X509_STORE_CTX_init(csc, store, x, NULL)) { THROW_STACK_EXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); } if (tm != NULL) { time_t t = timegm(tm); if (t == -1) { THROW_STACK_EXCEPTION("Given time cannot be represented as calendar time"); } X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(csc); if (param == NULL) { THROW_STACK_EXCEPTION("Failed to retrieve X509_STORE_CTX verification parameters %s", ERR_reason_error_string(ERR_get_error())); } X509_VERIFY_PARAM_set_time(param, t); } int ok = X509_verify_cert(csc); if (ok != 1) { int err = X509_STORE_CTX_get_error(csc); X509Cert cause(X509_STORE_CTX_get_current_cert (csc)); std::ostringstream s; s << "Unable to verify " << cause.getSubject(); s << ". Cause: " << X509_verify_cert_error_string(err); switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: { THROW_STACK_EXCEPTION("Certificate issuer missing: %s", s.str().c_str()); } default: THROW_STACK_EXCEPTION(s.str().c_str()); break; } } return (ok == 1); }
static int check_certificate_by_signer (X509 *peercert) { X509_STORE_CTX *xsc; X509_STORE *ctx; int pass = 0, i; ctx = X509_STORE_new (); if (ctx == NULL) return 0; if (option (OPTSSLSYSTEMCERTS)) { if (X509_STORE_set_default_paths (ctx)) pass++; else dprint (2, (debugfile, "X509_STORE_set_default_paths failed\n")); } if (X509_STORE_load_locations (ctx, SslCertFile, NULL)) pass++; else dprint (2, (debugfile, "X509_STORE_load_locations failed\n")); for (i = 0; i < sk_X509_num (SslSessionCerts); i++) pass += (X509_STORE_add_cert (ctx, sk_X509_value (SslSessionCerts, i)) != 0); if (pass == 0) { /* nothing to do */ X509_STORE_free (ctx); return 0; } xsc = X509_STORE_CTX_new(); if (xsc == NULL) return 0; X509_STORE_CTX_init (xsc, ctx, peercert, SslSessionCerts); pass = (X509_verify_cert (xsc) > 0); #ifdef DEBUG if (! pass) { char buf[SHORT_STRING]; int err; err = X509_STORE_CTX_get_error (xsc); snprintf (buf, sizeof (buf), "%s (%d)", X509_verify_cert_error_string(err), err); dprint (2, (debugfile, "X509_verify_cert: %s\n", buf)); dprint (2, (debugfile, " [%s]\n", peercert->name)); } #endif X509_STORE_CTX_free (xsc); X509_STORE_free (ctx); return pass; }
/* * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: * * rootCA (self-signed) * | * interCA * | * subinterCA subinterCA (self-signed) * | | * leaf ------------------ * | * bad * * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE * leaf and bad have CA=FALSE * * subinterCA and subinterCA (ss) have the same subject name and keys * * interCA (but not rootCA) and subinterCA (ss) are in the trusted store * (roots.pem) * leaf and subinterCA are in the untrusted list (untrusted.pem) * bad is the certificate being verified (bad.pem) * * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has * CA=FALSE, and will therefore incorrectly verify bad * */ static int test_alt_chains_cert_forgery(const char *roots_f, const char *untrusted_f, const char *bad_f) { int ret = 0; int i; X509 *x = NULL; STACK_OF(X509) *untrusted = NULL; BIO *bio = NULL; X509_STORE_CTX *sctx = NULL; X509_STORE *store = NULL; X509_LOOKUP *lookup = NULL; store = X509_STORE_new(); if (store == NULL) goto err; lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto err; if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM)) goto err; untrusted = load_certs_from_file(untrusted_f); if ((bio = BIO_new_file(bad_f, "r")) == NULL) goto err; if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL) goto err; sctx = X509_STORE_CTX_new(); if (sctx == NULL) goto err; if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) goto err; i = X509_verify_cert(sctx); if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { /* This is the result we were expecting: Test passed */ ret = 1; } err: X509_STORE_CTX_free(sctx); X509_free(x); BIO_free(bio); sk_X509_pop_free(untrusted, X509_free); X509_STORE_free(store); if (ret != 1) ERR_print_errors_fp(stderr); return ret; }
boolean x509_verify_cert(CryptoCert cert, rdpSettings* settings) { char* cert_loc; X509_STORE_CTX* csc; boolean status = false; X509_STORE* cert_ctx = NULL; X509_LOOKUP* lookup = NULL; X509* xcert = cert->px509; cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; OpenSSL_add_all_algorithms(); lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) goto end; lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) goto end; X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); cert_loc = get_local_certloc(settings->home_path); if(cert_loc != NULL) { X509_LOOKUP_add_dir(lookup, cert_loc, X509_FILETYPE_ASN1); xfree(cert_loc); } csc = X509_STORE_CTX_new(); if (csc == NULL) goto end; X509_STORE_set_flags(cert_ctx, 0); if(!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0)) goto end; if (X509_verify_cert(csc) == 1) status = true; X509_STORE_CTX_free(csc); X509_STORE_free(cert_ctx); end: return status; }
// VerifyChain verifies the certificate chain in chain // according to the verification options given as opts. bool X509VerifierPrivate::VerifyChain(std::vector<X509Certificate> chain, const X509VerifierOptions &opts) { bool status = false; X509_STORE_CTX *ctx = X509_STORE_CTX_new(); STACK_OF(X509) *untrusted = sk_X509_new_null(); // Ensure that we have a chain to check on. if (chain.empty()) { goto out; } // If we've been passed a DNS name in opts, // we should check whether the leaf certificate // matches that before doing the more expensive // checks. if (!opts.dns_name.empty()) { if (!X509HostnameVerifier::VerifyHostname(chain.at(0), opts.dns_name)) { std::cerr << "X509VerifierPrivate - hostname verification failed" << std::endl; goto out; } } // Extract our chain into the format that OpenSSL // expects for verification. for (X509Certificate &cert : chain) { X509 *cur = cert.dptr_->AsOpenSSLX509(); sk_X509_push(untrusted, cur); } // Set up the X509_STORE_CTX to verify according to opts. X509_STORE_CTX_init(ctx, store_, sk_X509_value(untrusted, 0), untrusted); // If a time is not specified in opts, use the current system time. if (opts.time == 0) { X509_STORE_CTX_set_time(ctx, 0, std::time(nullptr)); } else { X509_STORE_CTX_set_time(ctx, 0, opts.time); } // If a dns_name is specified in opts, use the SSL server policy. if (!opts.dns_name.empty()) { X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SSL_SERVER); X509_STORE_CTX_set_trust(ctx, X509_TRUST_SSL_SERVER); } if (X509_verify_cert(ctx) == 1) { status = true; } else { std::cerr << "X509VerifierPrivate - verification error: " << X509_verify_cert_error_string(ctx->error) << std::endl; } out: sk_X509_pop_free(untrusted, X509_free); X509_STORE_CTX_free(ctx); return status; }
static VALUE ossl_x509stctx_verify(VALUE self) { X509_STORE_CTX *ctx; int result; GetX509StCtx(self, ctx); X509_STORE_CTX_set_ex_data(ctx, ossl_verify_cb_idx, (void*)rb_iv_get(self, "@verify_callback")); result = X509_verify_cert(ctx); return result ? Qtrue : Qfalse; }
/** * OpenSSL certificate chain verification callback * Verifies certificate chain, setting up context for fetch_curl_verify_callback */ static int fetch_curl_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *parm) { int ok; /* Store fetch struct in context for verify callback */ ok = X509_STORE_CTX_set_app_data(x509_ctx, parm); /* and verify the certificate chain */ if (ok) ok = X509_verify_cert(x509_ctx); return ok; }
BOOL x509_verify_certificate(CryptoCert cert, char* certificate_store_path) { X509_STORE_CTX* csc; BOOL status = FALSE; X509_STORE* cert_ctx = NULL; X509_LOOKUP* lookup = NULL; X509* xcert = cert->px509; cert_ctx = X509_STORE_new(); if (cert_ctx == NULL) goto end; OpenSSL_add_all_algorithms(); lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) goto end; lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) goto end; X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); if (certificate_store_path != NULL) { X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_ASN1); } csc = X509_STORE_CTX_new(); if (csc == NULL) goto end; X509_STORE_set_flags(cert_ctx, 0); if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, 0)) goto end; if (X509_verify_cert(csc) == 1) status = TRUE; X509_STORE_CTX_free(csc); X509_STORE_free(cert_ctx); end: return status; }
bool SSLSocket::verifyKeyprint(const string& expKP, bool allowUntrusted) noexcept { if (!ssl) return true; if (expKP.empty() || expKP.find("/") == string::npos) return allowUntrusted; verifyData.reset(new CryptoManager::SSLVerifyData(allowUntrusted, expKP)); SSL_set_ex_data(ssl, CryptoManager::idxVerifyData, verifyData.get()); SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl); X509_STORE* store = X509_STORE_new(); bool result = false; int err = SSL_get_verify_result(ssl); if (ssl_ctx && store) { X509_STORE_CTX* vrfy_ctx = X509_STORE_CTX_new(); X509* cert = SSL_get_peer_certificate(ssl); if (vrfy_ctx && cert && X509_STORE_CTX_init(vrfy_ctx, store, cert, SSL_get_peer_cert_chain(ssl))) { X509_STORE_CTX_set_ex_data(vrfy_ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), ssl); X509_STORE_CTX_set_verify_cb(vrfy_ctx, SSL_CTX_get_verify_callback(ssl_ctx)); int verify_result = 0; if ((verify_result = X509_verify_cert(vrfy_ctx)) >= 0) { err = X509_STORE_CTX_get_error(vrfy_ctx); // Watch out for weird library errors that might not set the context error code if (err == X509_V_OK && verify_result <= 0) err = X509_V_ERR_UNSPECIFIED; // This is for people who don't restart their clients and have low expiration time on their cert result = (err == X509_V_OK || err == X509_V_ERR_CERT_HAS_EXPIRED) || (allowUntrusted && err != X509_V_ERR_APPLICATION_VERIFICATION); } } if (cert) X509_free(cert); if (vrfy_ctx) X509_STORE_CTX_free(vrfy_ctx); if (store) X509_STORE_free(store); } // KeyPrint is a strong indicator of trust SSL_set_verify_result(ssl, err); return result; }
static int cert_verify_callback (X509_STORE_CTX *storeCtx, void *arg) { MonoBtlsSslCtx *ptr = (MonoBtlsSslCtx*)arg; int ret; debug_printf (ptr, "cert_verify_callback(): %p\n", ptr->verify_func); ret = X509_verify_cert (storeCtx); debug_printf (ptr, "cert_verify_callback() #1: %d\n", ret); if (ptr->verify_func) ret = ptr->verify_func (ptr->instance, ret, storeCtx); return ret; }
bool X509Certificate_OpenSSL::verify(ref <const X509Certificate> caCert_) const { ref <const X509Certificate_OpenSSL> caCert = caCert_.dynamicCast <const X509Certificate_OpenSSL>(); bool verified = false; bool error = true; X509_STORE *store = X509_STORE_new(); if (store) { X509_STORE_CTX *verifyCtx = X509_STORE_CTX_new(); if (verifyCtx) { if (X509_STORE_add_cert(store, caCert->m_data->cert)) { X509_STORE_CTX_init(verifyCtx, store, m_data->cert, NULL); int ret = X509_verify_cert(verifyCtx); if (ret == 1) { verified = true; error = false; } else if (ret == 0) { verified = false; error = false; } //X509_verify_cert_error_string(vrfy_ctx->error) X509_STORE_CTX_free(verifyCtx); } } X509_STORE_free(store); } return verified && !error; }
bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){ LOGGER_FN(); try{ LOGGER_OPENSSL(X509_STORE_CTX_new); X509_STORE_CTX *ctx = X509_STORE_CTX_new(); if (!ctx) { THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx"); } LOGGER_OPENSSL(X509_STORE_new); X509_STORE *st = X509_STORE_new(); if (!st) { THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store"); } for (int i = 0, c = chain->length(); i < c; i++){ LOGGER_OPENSSL(X509_STORE_add_cert); X509_STORE_add_cert(st, X509_dup(chain->items(i)->internal())); } X509_CRL *xtempCRL = NULL; LOGGER_OPENSSL(X509_STORE_CTX_init); X509_STORE_CTX_init(ctx, st, chain->items(0)->internal(), chain->internal()); LOGGER_OPENSSL(X509_STORE_CTX_set0_crls); X509_STORE_CTX_set0_crls(ctx, crls->internal()); LOGGER_OPENSSL(X509_STORE_CTX_set_flags); X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); LOGGER_OPENSSL(X509_STORE_CTX_set_flags); X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK_ALL); LOGGER_OPENSSL(X509_verify_cert); if (X509_verify_cert(ctx) <= 0){ return false; } return true; } catch (Handle<Exception> e){ THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)"); } }
static int _SSL_verify_x509(X509 *x509) { X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; X509_STORE_CTX csc; int i; if (!(cert_ctx = X509_STORE_new())) { fprintf(stderr, "_SSL_verify_x509 :: X509_STORE_new failed\n"); exit(1); } /* X509_STORE_set_verify_cb_func(cert_ctx, cb); */ /* if (!(lookup = X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()))) { fprintf(stderr, "_SSL_verify_x509 :: X509_STORE_add_lookup failed\n"); exit(1); } if (!X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT)) { fprintf(stderr, "_SSL_verify_x509 :: X509_LOOKUP_load_file failed\n"); exit(1); } */ if (!(lookup = X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir()))) { fprintf(stderr, "_SSL_verify_x509 :: X509_STORE_add_lookup failed\n"); exit(1); } if (!!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) { fprintf(stderr, "_SSL_verify_x509 :: X509_LOOKUP_add_dir failed\n"); exit(1); } /* ... */ X509_STORE_CTX_init(&csc, cert_ctx, x509, NULL); i = X509_verify_cert(&csc); X509_STORE_CTX_cleanup(&csc); /* ... */ X509_STORE_free(cert_ctx); return (i); }
static int SSL_CTX_use_certificate_with_check( SSL_CTX *ctx, X509 *x509) { int ret; X509_STORE_CTX *sctx; ret = SSL_CTX_use_certificate(ctx, x509); if(!ret)return ret; X509_STORE_add_cert(ctx->cert_store, x509); sctx = X509_STORE_CTX_new(); X509_STORE_CTX_init(sctx, ctx->cert_store, x509, NULL); X509_STORE_CTX_set_verify_cb(sctx, LocalVerifyCallBack); X509_verify_cert(sctx); X509_STORE_CTX_free(sctx); CheckValidPeriod(x509); return ret; }
int ca_X509_verify(void *certificate, void *chain, const char *CAfile, const char *CRLfile, const char **errstr) { X509_STORE *store = NULL; X509_STORE_CTX *xsc = NULL; int ret = 0; if ((store = X509_STORE_new()) == NULL) goto end; if (!X509_STORE_load_locations(store, CAfile, NULL)) { log_warn("warn: unable to load CA file %s", CAfile); goto end; } X509_STORE_set_default_paths(store); if ((xsc = X509_STORE_CTX_new()) == NULL) goto end; if (X509_STORE_CTX_init(xsc, store, certificate, chain) != 1) goto end; X509_STORE_CTX_set_verify_cb(xsc, ca_verify_cb); ret = X509_verify_cert(xsc); end: *errstr = NULL; if (ret != 1) { if (xsc) *errstr = X509_verify_cert_error_string(xsc->error); else if (ERR_peek_last_error()) *errstr = ERR_error_string(ERR_peek_last_error(), NULL); } if (xsc) X509_STORE_CTX_free(xsc); if (store) X509_STORE_free(store); return ret > 0 ? 1 : 0; }
int bud_config_verify_cert(int status, X509_STORE_CTX* s) { bud_config_t* config; bud_context_t* ctx; X509_STORE_CTX store_ctx; X509* cert; X509_STORE* store; SSL* ssl; int r; ssl = X509_STORE_CTX_get_ex_data(s, SSL_get_ex_data_X509_STORE_CTX_idx()); ASSERT(ssl != NULL, "STORE_CTX without associated ssl"); cert = s->cert; ctx = SSL_get_ex_data(ssl, kBudSSLSNIIndex); config = SSL_CTX_get_ex_data(ssl->ctx, kBudSSLConfigIndex); ASSERT(config != NULL, "Config not present in SSL"); if (ctx != NULL && ctx->ca_store != NULL) store = ctx->ca_store; else if (config->contexts[0].ca_store != NULL) store = config->contexts[0].ca_store; else store = NULL; /* No certificate store, validate cert if present */ if (store == NULL) { if (cert != NULL) return SSL_get_verify_result(ssl) == X509_V_OK ? 1 : 0; else if (config->contexts[0].optional_cert) return 1; else return config->contexts[0].request_cert ? 1 : 0; } if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) return 0; r = X509_verify_cert(&store_ctx); X509_STORE_CTX_cleanup(&store_ctx); return r; }