void TLSClient_Impl::handshake_certificate_received(const void *data, int size)
{
if (conversation_state != cl_tls_state_receive_certificate)
throw Exception("TLS Expected certificate");
uint8_t buffer[3];
copy_data(buffer, 3, data, size);
unsigned int certificate_list_size = buffer[0] << 16 | buffer[1] << 8 | buffer[2];
if ( (size < certificate_list_size) || (certificate_list_size == 0) )
throw Exception("Invalid certification size");
while(certificate_list_size > 0)
{
if (certificate_list_size < 3)
throw Exception("Invalid record length");
copy_data(buffer, 3, data, size);
certificate_list_size -= 3;
unsigned int certificate_size = buffer[0] << 16 | buffer[1] << 8 | buffer[2];
if ( (certificate_list_size < certificate_size) || (certificate_size == 0) )
throw Exception("Invalid certification size");
std::vector<unsigned char> cert_buffer;
cert_buffer.resize(certificate_size);
copy_data(&cert_buffer[0], certificate_size, data, size);
inspect_certificate(cert_buffer);
certificate_list_size -= certificate_size;
}
conversation_state = cl_tls_state_receive_server_hello_done;
}
int main(int argc, const char **argv) {
int i, rv;
pkcs11_handle_t *ph;
struct configuration_st *configuration;
unsigned int slot_num = 0;
cert_object_t **certs;
int cert_count;
/* first of all check whether debugging should be enabled */
for (i = 0; i < argc; i++)
if (strcmp("debug", argv[i]) == 0) {
set_debug_level(1);
}
/* call configure routines */
configuration = pk_configure(argc - 1, argv + 1);
if (!configuration ) {
ERR("Error setting configuration parameters");
return 1;
}
if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) {
ERR("Error setting configuration parameters");
return 1;
}
/* init openssl */
rv = crypto_init(&configuration->policy);
if (rv != 0) {
DBG1("crypto_init() failed: %s", get_error());
return 1;
}
/* load pkcs #11 module */
DBG("loading pkcs #11 module...");
rv = load_pkcs11_module(configuration->pkcs11_modulepath, &ph);
if (rv != 0) {
ERR2("load_pkcs11_module(%s) failed: %s", configuration->pkcs11_modulepath,
get_error());
return 1;
}
/* initialise pkcs #11 module */
DBG("initialising pkcs #11 module...");
rv = init_pkcs11_module(ph,configuration->support_threads);
if (rv != 0) {
release_pkcs11_module(ph);
DBG1("init_pkcs11_module() failed: %s", get_error());
return 1;
}
/* open pkcs #11 session */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel(ph, configuration->slot_description, &slot_num);
} else {
rv = find_slot_by_number(ph, configuration->slot_num, &slot_num);
}
if (rv != 0) {
release_pkcs11_module(ph);
DBG("no token available");
return 1;
}
rv = open_pkcs11_session(ph, slot_num);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("open_pkcs11_session() failed: %s", get_error());
return 1;
}
/* not really needed, but.... */
rv = pkcs11_pass_login(ph,configuration->nullok);
if (rv != 0) {
ERR1("pkcs11_pass_login() failed: %s", get_error());
return 2;
}
/* get certificate list (cert space is owned by ph) */
certs = get_certificate_list(ph, &cert_count);
if (certs == NULL) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
ERR1("get_certificates() failed: %s", get_error());
return 3;
}
/* load mapper modules */
load_mappers(configuration->ctx);
/* find valid certificates and look for contents */
DBG1("Found '%d' certificate(s)", cert_count);
for (i = 0; i < cert_count; i++) {
X509 *x509 = get_X509_certificate(certs[i]);
if (x509 != NULL) {
DBG1("verifying the certificate #%d", i + 1);
/* verify certificate (date, signature, CRL, ...) */
rv = verify_certificate(x509, &configuration->policy);
if (rv < 0) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
unload_mappers();
ERR1("verify_certificate() failed: %s", get_error());
return 1;
} else if (rv != 1) {
ERR1("verify_certificate() failed: %s", get_error());
continue;
}
DBG1("Inspecting certificate #%d",i+1);
inspect_certificate(x509);
}
}
/* unload mappers */
unload_mappers();
/* close pkcs #11 session */
rv = close_pkcs11_session(ph);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("close_pkcs11_session() failed: %s", get_error());
return 1;
}
/* release pkcs #11 module */
DBG("releasing pkcs #11 module...");
release_pkcs11_module(ph);
DBG("Process completed");
return 0;
}
