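bool
init_tls_server( const char *cert_file, const char *key_file ) {
    /*
     * Create the file-scope SSL context `ctx` and load the server
     * certificate/key pair into it.
     *
     * cert_file, key_file: paths passed through to load_certificates().
     * Returns true on success. On any failure the OpenSSL error is logged,
     * `ctx` is left NULL (so a later retry passes the assert below) and
     * false is returned.
     */
    debug( "Initializing TLS server ( ctx = %p, cert_file = %s, key_file = %s ).",
           ctx, cert_file, key_file );

    /* Calling this twice without tearing the old context down is a caller bug. */
    assert( ctx == NULL );

    SSL_library_init();
    SSL_load_error_strings();

    /* NOTE(review): TLSv1_server_method() negotiates TLS 1.0 only; a
     * version-flexible server method with explicit minimum-version options
     * would be the modern choice — confirm what the deployed OpenSSL offers. */
    const SSL_METHOD *method = TLSv1_server_method();
    ctx = SSL_CTX_new( method );
    if ( ctx == NULL ) {
        unsigned long error_no = ERR_get_error();
        char error_str[ 256 ];
        /* ERR_error_string_n() always NUL-terminates within sizeof( error_str ). */
        ERR_error_string_n( error_no, error_str, sizeof( error_str ) );
        /* %lu: error_no is unsigned long; "%ul" printed an unsigned int followed by a literal 'l'. */
        error( "Failed to create SSL context ( %s [%lu] ).", error_str, error_no );
        return false;
    }

    const char *ciphers = "HIGH";
    int retval = SSL_CTX_set_cipher_list( ctx, ciphers );
    if ( retval != 1 ) {
        unsigned long error_no = ERR_get_error();
        char error_str[ 256 ];
        ERR_error_string_n( error_no, error_str, sizeof( error_str ) );
        /* retval is an int (%d, not %s); error_no is unsigned long (%lu). */
        error( "Failed to set cipher list ( ctx = %p, ciphers = %s, retval = %d, error = %s [%lu] ).",
               ctx, ciphers, retval, error_str, error_no );
        /* Release the half-initialised context instead of leaking it and
         * leaving ctx non-NULL, which would trip the assert on the next call. */
        SSL_CTX_free( ctx );
        ctx = NULL;
        return false;
    }

    bool ret = load_certificates( cert_file, key_file );
    if ( !ret ) {
        error( "Failed to load certificates." );
        SSL_CTX_free( ctx );
        ctx = NULL;
        return false;
    }

    return true;
}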
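int xml_verify(char *filename) {
    /*
     * Verify the XML-DSig signature contained in the document at `filename`.
     *
     * Returns 0 when the signature verifies, DCP_FATAL otherwise.
     * Every failure path jumps to `done`, which releases whatever was
     * acquired so far; pointers that may never be assigned before such a
     * jump are therefore initialised to NULL here.
     */
    xmlSecDSigCtxPtr  dsig_ctx    = NULL;
    xmlDocPtr         doc         = NULL;
    xmlSecKeysMngrPtr key_manager = NULL;   /* was uninitialised, yet destroyed on early exits */
    xmlNodePtr        root_node;
    xmlNodePtr        sign_node;
    xmlNodePtr        cert_node;
    xmlNodePtr        x509d_node;
    xmlNodePtr        cur_node;
    int               result = DCP_FATAL;
    char              cert[5000];
    int               cert_l;

    xmlsec_verify_init();

    /* load doc file */
    doc = xmlParseFile(filename);
    if (doc == NULL) {
        dcp_log(LOG_ERROR, "unable to parse file %s", filename);
        goto done;
    }

    /* find root node */
    root_node = xmlDocGetRootElement(doc);
    if (root_node == NULL) {
        dcp_log(LOG_ERROR, "unable to find root node");
        goto done;
    }

    /* find signature node */
    sign_node = xmlSecFindNode(root_node, xmlSecNodeSignature, xmlSecDSigNs);
    if (sign_node == NULL) {
        dcp_log(LOG_ERROR, "signature node not found");
        goto done;
    }

    /* create keys manager */
    key_manager = load_certificates();
    if (key_manager == NULL) {
        dcp_log(LOG_ERROR, "create key manager failed");
        goto done;
    }

    /*
     * find certificates
     *
     * NOTE(review): every X509Certificate found inside the signature is
     * registered as xmlSecKeyDataTypeTrusted, i.e. the document under
     * verification supplies its own trust anchors. Confirm that
     * load_certificates() provides the real anchors and that chain
     * validation is enforced elsewhere; otherwise the check only proves the
     * document was signed by *some* key.
     */
    cur_node = sign_node;
    while (cur_node != NULL &&
           (x509d_node = xmlSecFindNode(cur_node, xmlSecNodeX509Data, xmlSecDSigNs)) != NULL) {
        cert_node = xmlSecFindNode(x509d_node, xmlSecNodeX509Certificate, xmlSecDSigNs);
        if (cert_node == NULL) {
            dcp_log(LOG_ERROR, "X509certficate node not found");
            goto done;
        }

        /* The node content is heap-allocated by libxml2 and its length is
         * controlled by the document, so bound the copy into `cert` and free
         * the content before the next iteration (the original sprintf() could
         * overflow `cert` and leaked every content string). */
        xmlChar *cert_b64 = xmlNodeGetContent(cert_node);
        if (cert_b64 == NULL) {
            dcp_log(LOG_ERROR, "X509certficate node is empty");
            goto done;
        }
        cert_l = snprintf(cert, sizeof(cert),
                          "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n",
                          (const char *)cert_b64);
        xmlFree(cert_b64);
        if (cert_l < 0 || (size_t)cert_l >= sizeof(cert)) {
            dcp_log(LOG_ERROR, "X509certficate node value too large");
            goto done;
        }

        if (xmlSecCryptoAppKeysMngrCertLoadMemory(key_manager, cert, cert_l, xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted) < 0) {
            dcp_log(LOG_ERROR, "could read X509certificate node value");
            goto done;
        }
        cur_node = xmlNextElementSibling(x509d_node);
    }

    /* create signature context */
    dsig_ctx = xmlSecDSigCtxCreate(key_manager);
    if (dsig_ctx == NULL) {
        dcp_log(LOG_ERROR, "create signature opendcp failed");
        goto done;
    }

    /* verify the signature; both the call result and the context status must agree */
    if (xmlSecDSigCtxVerify(dsig_ctx, sign_node) < 0) {
        dcp_log(LOG_ERROR, "signature verify failed");
        goto done;
    }

    if (dsig_ctx->status != xmlSecDSigStatusSucceeded) {
        dcp_log(LOG_ERROR, "signature validation failed");
        goto done;
    }

    /* success */
    result = 0;

done:
    /* destroy keys manager (NULL when an early exit happened before it was created) */
    if (key_manager != NULL) {
        xmlSecKeysMngrDestroy(key_manager);
    }

    /* destroy signature context */
    if (dsig_ctx != NULL) {
        xmlSecDSigCtxDestroy(dsig_ctx);
    }

    /* destroy xml doc */
    if (doc != NULL) {
        xmlFreeDoc(doc);
    }

    xmlsec_close();
    return result;
}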