/**
* Converts individual X.509 subject entry to string.
*
* @param ln Long name of the requested entry (see openssl/objects.h)
* @return subject name entry converted to string.
* @throws IOException exception is throws if the conversion failed.
*/
std::string digidoc::X509Cert::getSubjectInfo(const std::string& ln) const throw(IOException)
{
X509_NAME* name = X509_get_subject_name(cert);
if(name == NULL)
{
THROW_IOEXCEPTION("Failed to convert X.509 certificate subject: %s", ERR_reason_error_string(ERR_get_error()));
}
int idx = X509_NAME_get_index_by_NID(name, OBJ_ln2nid(ln.c_str()), -1);
if(idx < 0)
{
THROW_IOEXCEPTION("Failed to retrieve X.509 certificate info: field '%s' not found", ln.c_str());
}
X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, idx);
if(!entry)
{
THROW_IOEXCEPTION("Failed to convert X.509 certificate field: %s", ERR_reason_error_string(ERR_get_error()));
}
ASN1_STRING *asnstr = X509_NAME_ENTRY_get_data(entry);
unsigned char *data = NULL;
int len = ASN1_STRING_to_UTF8(&data, asnstr);
if(len < 0)
{
THROW_IOEXCEPTION("Failed to convert X.509 certificate field: %s", ERR_reason_error_string(ERR_get_error()));
}
std::string result(reinterpret_cast<const char *>(data));
OPENSSL_free(data);
return result;
}
int
tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
{
int *curves_list = NULL, *curves_new;
size_t curves_num = 0;
char *cs = NULL;
char *p, *q;
int rv = -1;
int nid;
free(config->ecdhecurves);
config->ecdhecurves = NULL;
config->ecdhecurves_len = 0;
if (curves == NULL || strcasecmp(curves, "default") == 0)
curves = TLS_ECDHE_CURVES;
if ((cs = strdup(curves)) == NULL) {
tls_config_set_errorx(config, "out of memory");
goto err;
}
q = cs;
while ((p = strsep(&q, ",:")) != NULL) {
while (*p == ' ' || *p == '\t')
p++;
nid = OBJ_sn2nid(p);
if (nid == NID_undef)
nid = OBJ_ln2nid(p);
if (nid == NID_undef)
nid = EC_curve_nist2nid(p);
if (nid == NID_undef) {
tls_config_set_errorx(config,
"invalid ecdhe curve '%s'", p);
goto err;
}
if ((curves_new = reallocarray(curves_list, curves_num + 1,
sizeof(int))) == NULL) {
tls_config_set_errorx(config, "out of memory");
goto err;
}
curves_list = curves_new;
curves_list[curves_num] = nid;
curves_num++;
}
config->ecdhecurves = curves_list;
config->ecdhecurves_len = curves_num;
curves_list = NULL;
rv = 0;
err:
free(cs);
free(curves_list);
return (rv);
}
static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
const char *type, const char *value)
{
if (strcmp(type, "ec_paramgen_curve") == 0) {
int nid;
nid = EC_curve_nist2nid(value);
if (nid == NID_undef)
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
if (nid == NID_undef) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
return 0;
}
return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
#ifndef OPENSSL_NO_SM2
} else if (!strcmp(type, "ec_scheme")) {
int scheme;
if (!strcmp(value, "secg"))
scheme = NID_secg_scheme;
else if (!strcmp(value, "sm2"))
scheme = NID_sm_scheme;
else
return -2;
return EVP_PKEY_CTX_set_ec_scheme(ctx, scheme);
} else if (!strcmp(type, "signer_id")) {
return EVP_PKEY_CTX_set_signer_id(ctx, value);
} else if (!strcmp(type, "ec_encrypt_param")) {
int encrypt_param;
if (!(encrypt_param = OBJ_txt2nid(value))) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_EC_ENCRYPT_PARAM);
return 0;
}
return EVP_PKEY_CTX_set_ec_encrypt_param(ctx, encrypt_param);
#endif
} else if (strcmp(type, "ec_param_enc") == 0) {
int param_enc;
if (strcmp(value, "explicit") == 0)
param_enc = 0;
else if (strcmp(value, "named_curve") == 0)
param_enc = OPENSSL_EC_NAMED_CURVE;
else
return -2;
return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
} else if (strcmp(type, "ecdh_kdf_md") == 0) {
const EVP_MD *md;
if ((md = EVP_get_digestbyname(value)) == NULL) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
return 0;
}
return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
} else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
int co_mode;
co_mode = atoi(value);
return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
}
return -2;
}
static int do_tcreate(const char *value, const char *name)
{
char *eptr;
int nid, i, rv = 0;
long tbl_min = -1, tbl_max = -1;
unsigned long tbl_mask = 0, tbl_flags = 0;
STACK_OF(CONF_VALUE) *lst = NULL;
CONF_VALUE *cnf = NULL;
nid = OBJ_sn2nid(name);
if (nid == NID_undef)
nid = OBJ_ln2nid(name);
if (nid == NID_undef)
goto err;
lst = X509V3_parse_list(value);
if (!lst)
goto err;
for (i = 0; i < sk_CONF_VALUE_num(lst); i++) {
cnf = sk_CONF_VALUE_value(lst, i);
if (strcmp(cnf->name, "min") == 0) {
tbl_min = strtoul(cnf->value, &eptr, 0);
if (*eptr)
goto err;
} else if (strcmp(cnf->name, "max") == 0) {
tbl_max = strtoul(cnf->value, &eptr, 0);
if (*eptr)
goto err;
} else if (strcmp(cnf->name, "mask") == 0) {
if (!ASN1_str2mask(cnf->value, &tbl_mask) || !tbl_mask)
goto err;
} else if (strcmp(cnf->name, "flags") == 0) {
if (strcmp(cnf->value, "nomask") == 0)
tbl_flags = STABLE_NO_MASK;
else if (strcmp(cnf->value, "none") == 0)
tbl_flags = STABLE_FLAGS_CLEAR;
else
goto err;
} else
goto err;
}
rv = 1;
err:
if (rv == 0) {
ASN1err(ASN1_F_DO_TCREATE, ASN1_R_INVALID_STRING_TABLE_VALUE);
if (cnf)
ERR_add_error_data(4, "field=", cnf->name,
", value=", cnf->value);
else
ERR_add_error_data(4, "name=", name, ", value=", value);
} else {
rv = ASN1_STRING_TABLE_add(nid, tbl_min, tbl_max,
tbl_mask, tbl_flags);
if (!rv)
ASN1err(ASN1_F_DO_TCREATE, ERR_R_MALLOC_FAILURE);
}
sk_CONF_VALUE_pop_free(lst, X509V3_conf_free);
return rv;
}
__owur static int parse_expected_sign_hash(int *ptype, const char *value)
{
int nid;
if (value == NULL)
return 0;
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
if (nid == NID_undef)
return 0;
*ptype = nid;
return 1;
}
PKI_OID *PKI_OID_new( char *oid, char *name, char *descr ) {
PKI_OID *ret = NULL;
int nid = NID_undef;
if( !oid && !name && !descr ) return NULL;
/* Check if the object already exists */
if( ((nid = OBJ_sn2nid(name)) != NID_undef) ||
((nid = OBJ_ln2nid(name)) != NID_undef) )
ret = OBJ_nid2obj(nid);
if(!ret) {
/* If it does not exists, then create it */
(void) OBJ_create( oid, name, descr );
if( ((nid = OBJ_sn2nid(name)) != NID_undef) ||
((nid = OBJ_ln2nid(name)) != NID_undef) )
ret = OBJ_nid2obj(nid);
}
/* If successful it returns the new Object, otherwise it
return NULL */
return ( ret );
}
extern "C" const ASN1_OBJECT* GetObjectDefinitionByName(const char* friendlyName)
{
int nid = OBJ_ln2nid(friendlyName);
if (nid == NID_undef)
{
nid = OBJ_sn2nid(friendlyName);
}
if (nid == NID_undef)
{
return nullptr;
}
return OBJ_nid2obj(nid);
}
const ASN1_OBJECT* CryptoNative_GetObjectDefinitionByName(const char* friendlyName)
{
int nid = OBJ_ln2nid(friendlyName);
if (nid == NID_undef)
{
nid = OBJ_sn2nid(friendlyName);
}
if (nid == NID_undef)
{
return NULL;
}
return OBJ_nid2obj(nid);
}
int
tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
const char *groups)
{
uint16_t *new_group_ids, *group_ids = NULL;
size_t ngroups = 0;
char *gs, *p, *q;
int nid;
if ((gs = strdup(groups)) == NULL)
return 0;
q = gs;
while ((p = strsep(&q, ":")) != NULL) {
nid = OBJ_sn2nid(p);
if (nid == NID_undef)
nid = OBJ_ln2nid(p);
if (nid == NID_undef)
nid = EC_curve_nist2nid(p);
if (nid == NID_undef)
goto err;
if ((new_group_ids = reallocarray(group_ids, ngroups + 1,
sizeof(uint16_t))) == NULL)
goto err;
group_ids = new_group_ids;
group_ids[ngroups] = tls1_ec_nid2curve_id(nid);
if (group_ids[ngroups] == 0)
goto err;
ngroups++;
}
free(gs);
free(*out_group_ids);
*out_group_ids = group_ids;
*out_group_ids_len = ngroups;
return 1;
err:
free(gs);
free(group_ids);
return 0;
}
/**
* Converts individual X.509 issuer entry to string.
*
* @param ln long name of the requested entry (see openssl/objects.h)
* @return issuer name entry converted to string.
* @throws IOException exception is throws if the conversion failed.
*/
std::string digidoc::X509Cert::getIssuerInfo(const std::string& ln) const throw(IOException)
{
char buf[1024];
X509_NAME* name = X509_get_issuer_name(cert);
if(name == NULL)
{
THROW_IOEXCEPTION("Failed to convert X.509 certificate issuer: %s", ERR_reason_error_string(ERR_get_error()));
}
if(X509_NAME_get_text_by_NID(name, OBJ_ln2nid(ln.c_str()), buf, 1024) < 0)
{
THROW_IOEXCEPTION("Failed to retrieve X.509 certificate info: field '%s' not found", ln.c_str());
}
return std::string(buf);
}
static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
const char *type, const char *value)
{
if (!strcmp(type, "ec_paramgen_curve"))
{
int nid;
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
if (nid == NID_undef)
{
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
return 0;
}
return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
}
return -2;
}
static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
const char *type, const char *value)
{
if (strcmp(type, "ec_paramgen_curve") == 0) {
int nid;
nid = EC_curve_nist2nid(value);
if (nid == NID_undef)
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
if (nid == NID_undef) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
return 0;
}
return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
} else if (strcmp(type, "ec_param_enc") == 0) {
int param_enc;
if (strcmp(value, "explicit") == 0)
param_enc = 0;
else if (strcmp(value, "named_curve") == 0)
param_enc = OPENSSL_EC_NAMED_CURVE;
else
return -2;
return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
} else if (strcmp(type, "ecdh_kdf_md") == 0) {
const EVP_MD *md;
md = EVP_get_digestbyname(value);
if (md == NULL) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
return 0;
}
return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
} else if (strcmp(type, "ecdh_cofactor_mode") == 0) {
uint8_t error;
int co_mode;
co_mode = safe_atoi(value, INT_MIN, INT_MAX, &error);
if (error)
return 0; /* TODO(KC): Is this the correct error to return here? */
return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
}
return -2;
}
static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
const char *type, const char *value)
{
if (!strcmp(type, "ec_paramgen_curve")) {
int nid;
nid = EC_curve_nist2nid(value);
if (nid == NID_undef)
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
if (nid == NID_undef) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
return 0;
}
return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
} else if (!strcmp(type, "ec_param_enc")) {
int param_enc;
if (!strcmp(value, "explicit"))
param_enc = 0;
else if (!strcmp(value, "named_curve"))
param_enc = OPENSSL_EC_NAMED_CURVE;
else
return -2;
return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
} else if (!strcmp(type, "ecdh_kdf_md")) {
const EVP_MD *md;
if (!(md = EVP_get_digestbyname(value))) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
return 0;
}
return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
} else if (!strcmp(type, "ecdh_cofactor_mode")) {
int co_mode;
co_mode = atoi(value);
return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
}
return -2;
}
ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
{
int nid = NID_undef;
ASN1_OBJECT *op=NULL;
unsigned char *buf;
unsigned char *p;
const unsigned char *cp;
int i, j;
if(!no_name) {
if( ((nid = OBJ_sn2nid(s)) != NID_undef) ||
((nid = OBJ_ln2nid(s)) != NID_undef) )
return OBJ_nid2obj(nid);
}
/* Work out size of content octets */
i=a2d_ASN1_OBJECT(NULL,0,s,-1);
if (i <= 0) {
/* Clear the error */
ERR_clear_error();
return NULL;
}
/* Work out total size */
j = ASN1_object_size(0,i,V_ASN1_OBJECT);
if((buf=(unsigned char *)OPENSSL_malloc(j)) == NULL) return NULL;
p = buf;
/* Write out tag+length */
ASN1_put_object(&p,0,i,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);
/* Write out contents */
a2d_ASN1_OBJECT(p,i,s,-1);
cp=buf;
op=d2i_ASN1_OBJECT(NULL,&cp,j);
OPENSSL_free(buf);
return op;
}
__owur static int parse_expected_key_type(int *ptype, const char *value)
{
int nid;
const EVP_PKEY_ASN1_METHOD *ameth;
if (value == NULL)
return 0;
ameth = EVP_PKEY_asn1_find_str(NULL, value, -1);
if (ameth != NULL)
EVP_PKEY_asn1_get0_info(&nid, NULL, NULL, NULL, NULL, ameth);
else
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
#ifndef OPENSSL_NO_EC
if (nid == NID_undef)
nid = EC_curve_nist2nid(value);
#endif
if (nid == NID_undef)
return 0;
*ptype = nid;
return 1;
}
const char *OBJ_ln2sn(const char *ln)
{
return OBJ_nid2sn(OBJ_ln2nid(ln));
}
static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int engine_impl, EVP_PKEY **ppkey)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
ENGINE *impl = NULL;
char *passin = NULL;
int rv = -1;
X509 *x;
if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
|| (pkey_op == EVP_PKEY_OP_DERIVE))
&& (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
BIO_printf(bio_err, "A private key is needed for this operation\n");
goto end;
}
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
switch (key_type) {
case KEY_PRIVKEY:
pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
break;
case KEY_PUBKEY:
pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
break;
case KEY_CERT:
x = load_cert(keyfile, keyform, "Certificate");
if (x) {
pkey = X509_get_pubkey(x);
X509_free(x);
}
break;
case KEY_NONE:
break;
}
#ifndef OPENSSL_NO_ENGINE
if (engine_impl)
impl = e;
#endif
if (kdfalg != NULL) {
int kdfnid = OBJ_sn2nid(kdfalg);
if (kdfnid == NID_undef) {
kdfnid = OBJ_ln2nid(kdfalg);
if (kdfnid == NID_undef) {
BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n",
kdfalg);
goto end;
}
}
ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
} else {
EC_KEY *eckey = NULL;
const EC_GROUP *group = NULL;
int nid;
if (pkey == NULL)
goto end;
/* SM2 needs a special treatment */
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL
|| (group = EC_KEY_get0_group(eckey)) == NULL
|| (nid = EC_GROUP_get_curve_name(group)) == 0)
goto end;
if (nid == NID_sm2)
EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
}
*pkeysize = EVP_PKEY_size(pkey);
ctx = EVP_PKEY_CTX_new(pkey, impl);
if (ppkey != NULL)
*ppkey = pkey;
EVP_PKEY_free(pkey);
}
if (ctx == NULL)
goto end;
switch (pkey_op) {
case EVP_PKEY_OP_SIGN:
rv = EVP_PKEY_sign_init(ctx);
break;
case EVP_PKEY_OP_VERIFY:
rv = EVP_PKEY_verify_init(ctx);
break;
case EVP_PKEY_OP_VERIFYRECOVER:
rv = EVP_PKEY_verify_recover_init(ctx);
break;
case EVP_PKEY_OP_ENCRYPT:
rv = EVP_PKEY_encrypt_init(ctx);
break;
case EVP_PKEY_OP_DECRYPT:
rv = EVP_PKEY_decrypt_init(ctx);
break;
case EVP_PKEY_OP_DERIVE:
rv = EVP_PKEY_derive_init(ctx);
break;
}
if (rv <= 0) {
EVP_PKEY_CTX_free(ctx);
ctx = NULL;
}
end:
OPENSSL_free(passin);
return ctx;
}
static int pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx,
const char *type, const char *value)
{
if (!strcmp(type, "ec_paramgen_curve")) {
int nid;
nid = EC_curve_nist2nid(value);
if (nid == NID_undef)
nid = OBJ_sn2nid(value);
if (nid == NID_undef)
nid = OBJ_ln2nid(value);
if (nid == NID_undef) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_CURVE);
return 0;
}
printf("curve = %s\n", value);
return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
} else if (!strcmp(type, "ec_param_enc")) {
int param_enc;
if (!strcmp(value, "explicit"))
param_enc = 0;
else if (!strcmp(value, "named_curve"))
param_enc = OPENSSL_EC_NAMED_CURVE;
else
return -2;
return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
#ifndef OPENSSL_NO_GMSSL
} else if (!strcmp(type, "ec_sign_algor")) {
int sign_type;
if (!strcmp(value, "ecdsa"))
sign_type = NID_secg_scheme;
else if (!strcmp(value, "sm2"))
sign_type = NID_sm_scheme;
else
return -2;
return EVP_PKEY_CTX_set_ec_sign_type(ctx, sign_type);
} else if (!strcmp(type, "ec_encrypt_algor")) {
int enc_type;
if (!strcmp(value, "ecies"))
enc_type = NID_secg_scheme;
else if (!strcmp(value, "sm2"))
enc_type = NID_sm_scheme;
else
return -2;
return EVP_PKEY_CTX_set_ec_enc_type(ctx, enc_type);
} else if (!strcmp(type, "ec_derive_algor")) {
int dh_type;
if (!strcmp(value, "ecdh"))
dh_type = NID_secg_scheme;
else if (!strcmp(value, "sm2"))
dh_type = NID_sm_scheme;
else
return -2;
return EVP_PKEY_CTX_set_ec_dh_type(ctx, dh_type);
#endif
} else if (!strcmp(type, "ecdh_kdf_md")) {
const EVP_MD *md;
if (!(md = EVP_get_digestbyname(value))) {
ECerr(EC_F_PKEY_EC_CTRL_STR, EC_R_INVALID_DIGEST);
return 0;
}
return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md);
} else if (!strcmp(type, "ecdh_cofactor_mode")) {
int co_mode;
co_mode = atoi(value);
return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode);
}
return -2;
}