void
format_smime_info(int pass, BODY *body, long msgno, gf_io_t pc)
{
PKCS7 *p7;
int i;
if(body->type == TYPEMULTIPART){
PART *p;
for(p=body->nested.part; p; p=p->next)
format_smime_info(pass, &p->body, msgno, pc);
}
p7 = body->sparep;
if(p7){
if(PKCS7_type_is_signed(p7)){
STACK_OF(X509) *signers;
switch(pass){
case 1:
gf_puts(_("This message was cryptographically signed."), pc);
gf_puts(NEWLINE, pc);
break;
case 2:
signers = PKCS7_get0_signers(p7, NULL, 0);
if(signers){
snprintf(tmp_20k_buf, SIZEOF_20KBUF, _("Certificate%s used for signing"),
plural(sk_X509_num(signers)));
gf_puts_uline(tmp_20k_buf, pc);
gf_puts(NEWLINE, pc);
print_separator_line(100, '-', pc);
for(i=0; i<sk_X509_num(signers); i++){
X509 *x = sk_X509_value(signers, i);
if(x){
output_cert_info(x, pc);
gf_puts(NEWLINE, pc);
}
}
}
sk_X509_free(signers);
break;
}
}
else if(PKCS7_type_is_enveloped(p7)){
switch(pass){
case 1:
gf_puts(_("This message was encrypted."), pc);
gf_puts(NEWLINE, pc);
break;
case 2:
if(p7->d.enveloped && p7->d.enveloped->enc_data){
X509_ALGOR *alg = p7->d.enveloped->enc_data->algorithm;
STACK_OF(PKCS7_RECIP_INFO) *ris = p7->d.enveloped->recipientinfo;
int found = 0;
gf_puts(_("The algorithm used to encrypt was "), pc);
if(alg){
char *n = (char *) OBJ_nid2sn( OBJ_obj2nid(alg->algorithm));
gf_puts(n ? n : "<unknown>", pc);
}
else
gf_puts("<unknown>", pc);
gf_puts("." NEWLINE NEWLINE, pc);
snprintf(tmp_20k_buf, SIZEOF_20KBUF, _("Certificate%s for decrypting"),
plural(sk_PKCS7_RECIP_INFO_num(ris)));
gf_puts_uline(tmp_20k_buf, pc);
gf_puts(NEWLINE, pc);
print_separator_line(100, '-', pc);
for(i=0; i<sk_PKCS7_RECIP_INFO_num(ris); i++){
PKCS7_RECIP_INFO *ri;
PERSONAL_CERT *pcert;
ri = sk_PKCS7_RECIP_INFO_value(ris, i);
if(!ri)
continue;
pcert = find_certificate_matching_recip_info(ri);
if(pcert){
if(found){
print_separator_line(25, '*', pc);
gf_puts(NEWLINE, pc);
}
found = 1;
output_cert_info(pcert->cert, pc);
gf_puts(NEWLINE, pc);
}
}
if(!found){
gf_puts(_("No certificate capable of decrypting could be found."), pc);
gf_puts(NEWLINE, pc);
gf_puts(NEWLINE, pc);
}
}
break;
}
}
}
}
su_inline
int tls_post_connection_check(tport_t *self, tls_t *tls)
{
X509 *cert;
int extcount;
int i, j, error;
if (!tls) return -1;
cert = SSL_get_peer_certificate(tls->con);
if (!cert) {
SU_DEBUG_7(("%s(%p): Peer did not provide X.509 Certificate.\n",
__func__, (void *) self));
if (self->tp_accepted && tls->verify_incoming)
return X509_V_ERR_CERT_UNTRUSTED;
else if (!self->tp_accepted && tls->verify_outgoing)
return X509_V_ERR_CERT_UNTRUSTED;
else
return X509_V_OK;
}
tls->subjects = su_strlst_create(tls->home);
if (!tls->subjects)
return X509_V_ERR_OUT_OF_MEM;
extcount = X509_get_ext_count(cert);
/* Find matching subjectAltName.DNS */
for (i = 0; i < extcount; i++) {
X509_EXTENSION *ext;
char const *name;
#if OPENSSL_VERSION_NUMBER > 0x10000000L
const X509V3_EXT_METHOD *vp;
#else
X509V3_EXT_METHOD *vp;
#endif
STACK_OF(CONF_VALUE) *values;
CONF_VALUE *value;
void *d2i;
ext = X509_get_ext(cert, i);
name = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
if (strcmp(name, "subjectAltName") != 0)
continue;
vp = X509V3_EXT_get(ext); if (!vp) continue;
d2i = X509V3_EXT_d2i(ext);
values = vp->i2v(vp, d2i, NULL);
for (j = 0; j < sk_CONF_VALUE_num(values); j++) {
value = sk_CONF_VALUE_value(values, j);
if (strcmp(value->name, "DNS") == 0)
su_strlst_dup_append(tls->subjects, value->value);
if (strcmp(value->name, "IP") == 0)
su_strlst_dup_append(tls->subjects, value->value);
else if (strcmp(value->name, "URI") == 0)
su_strlst_dup_append(tls->subjects, value->value);
}
}
{
X509_NAME *subject;
char name[256];
subject = X509_get_subject_name(cert);
if (subject) {
if (X509_NAME_get_text_by_NID(subject, NID_commonName,
name, sizeof name) > 0) {
usize_t k, N = su_strlst_len(tls->subjects);
name[(sizeof name) - 1] = '\0';
for (k = 0; k < N; k++)
if (su_casematch(su_strlst_item(tls->subjects, k), name) == 0)
break;
if (k >= N)
su_strlst_dup_append(tls->subjects, name);
}
}
}
X509_free(cert);
error = SSL_get_verify_result(tls->con);
if (cert && error == X509_V_OK)
tls->x509_verified = 1;
if (tport_log->log_level >= 7) {
int i, len = su_strlst_len(tls->subjects);
for (i=0; i < len; i++)
SU_DEBUG_7(("%s(%p): Peer Certificate Subject %i: %s\n", \
__func__, (void *)self, i, su_strlst_item(tls->subjects, i)));
if (i == 0)
SU_DEBUG_7(("%s(%p): Peer Certificate provided no usable subjects.\n",
__func__, (void *)self));
}
/* Verify incoming connections */
if (self->tp_accepted) {
if (!tls->verify_incoming)
return X509_V_OK;
if (!tls->x509_verified)
return error;
if (tls->verify_subj_in) {
su_strlst_t const *subjects = self->tp_pri->pri_primary->tp_subjects;
int i, items;
items = subjects ? su_strlst_len(subjects) : 0;
if (items == 0)
return X509_V_OK;
for (i=0; i < items; i++) {
if (tport_subject_search(su_strlst_item(subjects, i), tls->subjects))
return X509_V_OK;
}
SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (incoming connection)\n", \
__func__, (void *)self));
return X509_V_ERR_CERT_UNTRUSTED;
}
}
/* Verify outgoing connections */
else {
char const *subject = self->tp_canon;
if (!tls->verify_outgoing)
return X509_V_OK;
if (!tls->x509_verified || !subject)
return error;
if (tls->verify_subj_out) {
if (tport_subject_search(subject, tls->subjects))
return X509_V_OK; /* Subject match found in verified certificate chain */
SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (%s)\n", \
__func__, (void *)self, subject));
return X509_V_ERR_CERT_UNTRUSTED;
}
}
return error;
}
int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
void *x, const EVP_CIPHER *enc, unsigned char *kstr,
int klen, pem_password_cb *callback, void *u)
{
EVP_CIPHER_CTX ctx;
int dsize=0,i,j,ret=0;
unsigned char *p,*data=NULL;
const char *objstr=NULL;
char buf[PEM_BUFSIZE];
unsigned char key[EVP_MAX_KEY_LENGTH];
unsigned char iv[EVP_MAX_IV_LENGTH];
if (enc != NULL)
{
objstr=OBJ_nid2sn(EVP_CIPHER_nid(enc));
if (objstr == NULL)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_UNSUPPORTED_CIPHER);
goto err;
}
}
if ((dsize=i2d(x,NULL)) < 0)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
dsize=0;
goto err;
}
/* dzise + 8 bytes are needed */
/* actually it needs the cipher block size extra... */
data=(unsigned char *)OPENSSL_malloc((unsigned int)dsize+20);
if (data == NULL)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
goto err;
}
p=data;
i=i2d(x,&p);
if (enc != NULL)
{
if (kstr == NULL)
{
if (callback == NULL)
klen=PEM_def_callback(buf,PEM_BUFSIZE,1,u);
else
klen=(*callback)(buf,PEM_BUFSIZE,1,u);
if (klen <= 0)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_READ_KEY);
goto err;
}
#ifdef CHARSET_EBCDIC
/* Convert the pass phrase from EBCDIC */
ebcdic2ascii(buf, buf, klen);
#endif
kstr=(unsigned char *)buf;
}
RAND_add(data,i,0);/* put in the RSA key. */
OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */
goto err;
/* The 'iv' is used as the iv and as a salt. It is
* NOT taken from the BytesToKey function */
EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
buf[0]='\0';
PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv);
/* k=strlen(buf); */
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv);
EVP_EncryptUpdate(&ctx,data,&j,data,i);
EVP_EncryptFinal_ex(&ctx,&(data[j]),&i);
EVP_CIPHER_CTX_cleanup(&ctx);
i+=j;
ret=1;
}
else
{
ret=1;
buf[0]='\0';
}
i=PEM_write_bio(bp,name,buf,data,i);
if (i <= 0) ret=0;
err:
OPENSSL_cleanse(key,sizeof(key));
OPENSSL_cleanse(iv,sizeof(iv));
OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
OPENSSL_cleanse(buf,PEM_BUFSIZE);
if (data != NULL)
{
OPENSSL_cleanse(data,(unsigned int)dsize);
OPENSSL_free(data);
}
return(ret);
}
static char*
ldaplookup_filter(X509_NAME *name, const char *attribute) {
char *p = NULL;
int k;
BIO *mbio;
mbio = BIO_new(BIO_s_mem());
if (mbio == NULL) return(NULL);
BIO_puts(mbio, "(&");
k = sk_X509_NAME_ENTRY_num(name->entries);
for (--k; k >= 0; k--) {
X509_NAME_ENTRY *ne;
ASN1_STRING *nv;
int nid;
ne = sk_X509_NAME_ENTRY_value(name->entries, k);
nid = OBJ_obj2nid(ne->object);
if (
(nid != NID_organizationName) &&
(nid != NID_organizationalUnitName) &&
(nid != NID_commonName)
) continue;
BIO_puts(mbio, "(");
BIO_puts(mbio, OBJ_nid2sn(nid));
BIO_puts(mbio, "=");
nv = ne->value;
#if 0
/*
TODO:
we must escape '(' and ')' symbols and might to check for other symbols (>=128?)
BIO_puts(mbio, M_ASN1_STRING_data(nv));
*/
{ /* escape '(' and ')' */
p = (char*)M_ASN1_STRING_data(nv);
for (; *p; p++) {
if ((*p == '(') || (*p == ')'))
BIO_write(mbio, "\\", 1);
BIO_write(mbio, p, 1);
}
}
#else
{
char *q, *s;
q = ldaplookup_attr(nv);
if (q == NULL) goto done;
#ifdef TRACE_BY_LDAP
fprintf(stderr, "TRACE_BY_LDAP ldaplookup_filter: ldaplookup_attr(nv) return '%.512s'\n", q);
#endif
/* escape some charecters according to RFC2254 */
for (s=q; *s; s++) {
if ((*s == '*') ||
(*s == '(') ||
(*s == ')')
/* character '\' should be already escaped ! */
) {
/* RFC2254 recommendation */
BIO_printf(mbio, "\\%02X", (int)*s);
continue;
}
BIO_write(mbio, s, 1);
}
OPENSSL_free(q);
}
#endif
BIO_puts(mbio, ")");
}
BIO_puts(mbio, "(");
BIO_puts(mbio, attribute);
BIO_puts(mbio, "=*)");
BIO_puts(mbio, ")");
(void)BIO_flush(mbio);
k = BIO_pending(mbio);
p = OPENSSL_malloc(k + 1);
if (p == NULL) goto done;
k = BIO_read(mbio, p, k);
p[k] = '\0';
#ifdef TRACE_BY_LDAP
fprintf(stderr, "TRACE_BY_LDAP ldaplookup_filter: p=%.512s\n", p);
#endif
done:
BIO_free_all(mbio);
return(p);
}
char *
X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
int i;
int n, lold, l, l1, l2, num, j, type;
const char *s;
char *p;
unsigned char *q;
BUF_MEM *b = NULL;
static const char hex[17] = "0123456789ABCDEF";
int gs_doit[4];
char tmp_buf[80];
if (buf == NULL) {
if ((b = BUF_MEM_new()) == NULL)
goto err;
if (!BUF_MEM_grow(b, 200))
goto err;
b->data[0] = '\0';
len = 200;
}
if (a == NULL) {
if (b) {
buf = b->data;
free(b);
}
strlcpy(buf, "NO X509_NAME", len);
return buf;
}
len--; /* space for '\0' */
l = 0;
for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
ne = sk_X509_NAME_ENTRY_value(a->entries, i);
n = OBJ_obj2nid(ne->object);
if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
i2t_ASN1_OBJECT(tmp_buf, sizeof(tmp_buf), ne->object);
s = tmp_buf;
}
l1 = strlen(s);
type = ne->value->type;
num = ne->value->length;
q = ne->value->data;
if ((type == V_ASN1_GENERALSTRING) && ((num % 4) == 0)) {
gs_doit[0] = gs_doit[1] = gs_doit[2] = gs_doit[3] = 0;
for (j = 0; j < num; j++)
if (q[j] != 0)
gs_doit[j & 3] = 1;
if (gs_doit[0]|gs_doit[1]|gs_doit[2])
gs_doit[0] = gs_doit[1] = gs_doit[2] = gs_doit[3] = 1;
else {
gs_doit[0] = gs_doit[1] = gs_doit[2] = 0;
gs_doit[3] = 1;
}
} else
gs_doit[0] = gs_doit[1] = gs_doit[2] = gs_doit[3] = 1;
for (l2 = j=0; j < num; j++) {
if (!gs_doit[j&3])
continue;
l2++;
if ((q[j] < ' ') || (q[j] > '~'))
l2 += 3;
}
lold = l;
l += 1 + l1 + 1 + l2;
if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1))
goto err;
p = &(b->data[lold]);
} else if (l > len) {
break;
} else
p = &(buf[lold]);
*(p++) = '/';
memcpy(p, s, (unsigned int)l1);
p += l1;
*(p++) = '=';
q = ne->value->data;
for (j = 0; j < num; j++) {
if (!gs_doit[j & 3])
continue;
n = q[j];
if ((n < ' ') || (n > '~')) {
*(p++) = '\\';
*(p++) = 'x';
*(p++) = hex[(n >> 4) & 0x0f];
*(p++) = hex[n & 0x0f];
} else
*(p++) = n;
}
void CertDetail::setReq(pki_x509req *req)
{
image->setPixmap(*MainWindow::csrImg);
headerLabel->setText(tr("Details of the certificate signing request"));
try {
setX509super(req);
// No issuer
tabwidget->removeTab(2);
// verification
if (!req->verify() ) {
signature->setRed();
signature->setText("Failed");
} else {
signature->setGreen();
signature->setText("PKCS#10");
}
signature->disableToolTip();
fingerprints->hide();
validity->hide();
serialLabel->hide();
serialNr->hide();
// The non extension attributes
int cnt = X509_REQ_get_attr_count(req->getReq());
int added = 0;
QGridLayout *attrLayout = new QGridLayout(attributes);
attrLayout->setAlignment(Qt::AlignTop);
attrLayout->setSpacing(6);
attrLayout->setMargin(11);
for (int i = 0, ii = 0; i<cnt; i++) {
int nid;
QLabel *label;
QString trans;
X509_ATTRIBUTE *att = X509_REQ_get_attr(req->getReq(), i);
nid = OBJ_obj2nid(X509_ATTRIBUTE_get0_object(att));
if (X509_REQ_extension_nid(nid)) {
continue;
}
label = new QLabel(this);
trans = dn_translations[nid];
if (Settings["translate_dn"] && !trans.isEmpty()) {
label->setText(trans);
label->setToolTip(QString(OBJ_nid2sn(nid)));
} else {
label->setText(QString(OBJ_nid2ln(nid)));
label->setToolTip(trans);
}
label->setText(QString(OBJ_nid2ln(nid)));
label->setToolTip(QString(OBJ_nid2sn(nid)));
attrLayout->addWidget(label, ii, 0);
added++;
int count = X509_ATTRIBUTE_count(att);
for (int j=0; j<count; j++) {
ASN1_TYPE *at = X509_ATTRIBUTE_get0_type(att, j);
label = labelFromAsn1String(at->value.asn1_string);
attrLayout->addWidget(label, ii, j +1);
}
ii++;
}
if (!added) {
tabwidget->removeTab(2);
}
openssl_error();
} catch (errorEx &err) {
XCA_WARN(err.getString());
}
}
int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
{
unsigned char *buffer = NULL;
size_t buf_len = 0, i;
int ret = 0, reason = ERR_R_BIO_LIB;
BN_CTX *ctx = NULL;
const EC_POINT *point = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL, *gen = NULL,
*order = NULL, *cofactor = NULL;
const unsigned char *seed;
size_t seed_len = 0;
static const char *gen_compressed = "Generator (compressed):";
static const char *gen_uncompressed = "Generator (uncompressed):";
static const char *gen_hybrid = "Generator (hybrid):";
if (!x) {
reason = ERR_R_PASSED_NULL_PARAMETER;
goto err;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
if (EC_GROUP_get_asn1_flag(x)) {
/* the curve parameter are given by an asn1 OID */
int nid;
const char *nname;
if (!BIO_indent(bp, off, 128))
goto err;
nid = EC_GROUP_get_curve_name(x);
if (nid == 0)
goto err;
if (BIO_printf(bp, "ASN1 OID: %s", OBJ_nid2sn(nid)) <= 0)
goto err;
if (BIO_printf(bp, "\n") <= 0)
goto err;
nname = EC_curve_nid2nist(nid);
if (nname) {
if (!BIO_indent(bp, off, 128))
goto err;
if (BIO_printf(bp, "NIST CURVE: %s\n", nname) <= 0)
goto err;
}
} else {
/* explicit parameters */
int is_char_two = 0;
point_conversion_form_t form;
int tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(x));
if (tmp_nid == NID_X9_62_characteristic_two_field)
is_char_two = 1;
if ((p = BN_new()) == NULL || (a = BN_new()) == NULL ||
(b = BN_new()) == NULL || (order = BN_new()) == NULL ||
(cofactor = BN_new()) == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
#ifndef OPENSSL_NO_EC2M
if (is_char_two) {
if (!EC_GROUP_get_curve_GF2m(x, p, a, b, ctx)) {
reason = ERR_R_EC_LIB;
goto err;
}
} else /* prime field */
#endif
{
if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx)) {
reason = ERR_R_EC_LIB;
goto err;
}
}
if ((point = EC_GROUP_get0_generator(x)) == NULL) {
reason = ERR_R_EC_LIB;
goto err;
}
if (!EC_GROUP_get_order(x, order, NULL) ||
!EC_GROUP_get_cofactor(x, cofactor, NULL)) {
reason = ERR_R_EC_LIB;
goto err;
}
form = EC_GROUP_get_point_conversion_form(x);
if ((gen = EC_POINT_point2bn(x, point, form, NULL, ctx)) == NULL) {
reason = ERR_R_EC_LIB;
goto err;
}
buf_len = (size_t)BN_num_bytes(p);
if (buf_len < (i = (size_t)BN_num_bytes(a)))
buf_len = i;
if (buf_len < (i = (size_t)BN_num_bytes(b)))
buf_len = i;
if (buf_len < (i = (size_t)BN_num_bytes(gen)))
buf_len = i;
if (buf_len < (i = (size_t)BN_num_bytes(order)))
buf_len = i;
if (buf_len < (i = (size_t)BN_num_bytes(cofactor)))
buf_len = i;
if ((seed = EC_GROUP_get0_seed(x)) != NULL)
seed_len = EC_GROUP_get_seed_len(x);
buf_len += 10;
if ((buffer = OPENSSL_malloc(buf_len)) == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
if (!BIO_indent(bp, off, 128))
goto err;
/* print the 'short name' of the field type */
if (BIO_printf(bp, "Field Type: %s\n", OBJ_nid2sn(tmp_nid))
<= 0)
goto err;
if (is_char_two) {
/* print the 'short name' of the base type OID */
int basis_type = EC_GROUP_get_basis_type(x);
if (basis_type == 0)
goto err;
if (!BIO_indent(bp, off, 128))
goto err;
if (BIO_printf(bp, "Basis Type: %s\n",
OBJ_nid2sn(basis_type)) <= 0)
goto err;
/* print the polynomial */
if ((p != NULL) && !ASN1_bn_print(bp, "Polynomial:", p, buffer,
off))
goto err;
} else {
if ((p != NULL) && !ASN1_bn_print(bp, "Prime:", p, buffer, off))
goto err;
}
if ((a != NULL) && !ASN1_bn_print(bp, "A: ", a, buffer, off))
goto err;
if ((b != NULL) && !ASN1_bn_print(bp, "B: ", b, buffer, off))
goto err;
if (form == POINT_CONVERSION_COMPRESSED) {
if ((gen != NULL) && !ASN1_bn_print(bp, gen_compressed, gen,
buffer, off))
goto err;
} else if (form == POINT_CONVERSION_UNCOMPRESSED) {
if ((gen != NULL) && !ASN1_bn_print(bp, gen_uncompressed, gen,
buffer, off))
goto err;
} else { /* form == POINT_CONVERSION_HYBRID */
if ((gen != NULL) && !ASN1_bn_print(bp, gen_hybrid, gen,
buffer, off))
goto err;
}
if ((order != NULL) && !ASN1_bn_print(bp, "Order: ", order,
buffer, off))
goto err;
if ((cofactor != NULL) && !ASN1_bn_print(bp, "Cofactor: ", cofactor,
buffer, off))
goto err;
if (seed && !print_bin(bp, "Seed:", seed, seed_len, off))
goto err;
}
ret = 1;
err:
if (!ret)
ECerr(EC_F_ECPKPARAMETERS_PRINT, reason);
if (p)
BN_free(p);
if (a)
BN_free(a);
if (b)
BN_free(b);
if (gen)
BN_free(gen);
if (order)
BN_free(order);
if (cofactor)
BN_free(cofactor);
if (ctx)
BN_CTX_free(ctx);
if (buffer != NULL)
OPENSSL_free(buffer);
return (ret);
}
static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
int indent, unsigned long flags)
{
int i, prev = -1, orflags, cnt;
int fn_opt, fn_nid;
ASN1_OBJECT *fn;
ASN1_STRING *val;
X509_NAME_ENTRY *ent;
char objtmp[80];
const char *objbuf;
int outlen, len;
const char *sep_dn, *sep_mv, *sep_eq;
int sep_dn_len, sep_mv_len, sep_eq_len;
if(indent < 0) indent = 0;
outlen = indent;
if(!do_indent(io_ch, arg, indent)) return -1;
switch (flags & XN_FLAG_SEP_MASK)
{
case XN_FLAG_SEP_MULTILINE:
sep_dn = "\n";
sep_dn_len = 1;
sep_mv = " + ";
sep_mv_len = 3;
break;
case XN_FLAG_SEP_COMMA_PLUS:
sep_dn = ",";
sep_dn_len = 1;
sep_mv = "+";
sep_mv_len = 1;
indent = 0;
break;
case XN_FLAG_SEP_CPLUS_SPC:
sep_dn = ", ";
sep_dn_len = 2;
sep_mv = " + ";
sep_mv_len = 3;
indent = 0;
break;
case XN_FLAG_SEP_SPLUS_SPC:
sep_dn = "; ";
sep_dn_len = 2;
sep_mv = " + ";
sep_mv_len = 3;
indent = 0;
break;
default:
return -1;
}
if(flags & XN_FLAG_SPC_EQ) {
sep_eq = " = ";
sep_eq_len = 3;
} else {
sep_eq = "=";
sep_eq_len = 1;
}
fn_opt = flags & XN_FLAG_FN_MASK;
cnt = X509_NAME_entry_count(n);
for(i = 0; i < cnt; i++) {
if(flags & XN_FLAG_DN_REV)
ent = X509_NAME_get_entry(n, cnt - i - 1);
else ent = X509_NAME_get_entry(n, i);
if(prev != -1) {
if(prev == ent->set) {
if(!io_ch(arg, sep_mv, sep_mv_len)) return -1;
outlen += sep_mv_len;
} else {
if(!io_ch(arg, sep_dn, sep_dn_len)) return -1;
outlen += sep_dn_len;
if(!do_indent(io_ch, arg, indent)) return -1;
outlen += indent;
}
}
prev = ent->set;
fn = X509_NAME_ENTRY_get_object(ent);
val = X509_NAME_ENTRY_get_data(ent);
fn_nid = OBJ_obj2nid(fn);
if(fn_opt != XN_FLAG_FN_NONE) {
int objlen, fld_len;
if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
fld_len = 0; /* XXX: what should this be? */
objbuf = objtmp;
} else {
if(fn_opt == XN_FLAG_FN_SN) {
fld_len = FN_WIDTH_SN;
objbuf = OBJ_nid2sn(fn_nid);
} else if(fn_opt == XN_FLAG_FN_LN) {
fld_len = FN_WIDTH_LN;
objbuf = OBJ_nid2ln(fn_nid);
} else {
fld_len = 0; /* XXX: what should this be? */
objbuf = "";
}
}
objlen = strlen(objbuf);
if(!io_ch(arg, objbuf, objlen)) return -1;
if ((objlen < fld_len) && (flags & XN_FLAG_FN_ALIGN)) {
if (!do_indent(io_ch, arg, fld_len - objlen)) return -1;
outlen += fld_len - objlen;
}
if(!io_ch(arg, sep_eq, sep_eq_len)) return -1;
outlen += objlen + sep_eq_len;
}
/* If the field name is unknown then fix up the DER dump
* flag. We might want to limit this further so it will
* DER dump on anything other than a few 'standard' fields.
*/
if((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS))
orflags = ASN1_STRFLGS_DUMP_ALL;
else orflags = 0;
len = do_print_ex(io_ch, arg, flags | orflags, val);
if(len < 0) return -1;
outlen += len;
}
return outlen;
}
int test_builtin(BIO *out) {
size_t n = 0;
EC_KEY *eckey = NULL, *wrong_eckey = NULL;
EC_GROUP *group;
ECDSA_SIG *ecdsa_sig = NULL;
unsigned char digest[20], wrong_digest[20];
unsigned char *signature = NULL;
const unsigned char *sig_ptr;
unsigned char *sig_ptr2;
unsigned char *raw_buf = NULL;
unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
int nid, ret = 0;
/* fill digest values with some random data */
if (!RAND_pseudo_bytes(digest, 20) || !RAND_pseudo_bytes(wrong_digest, 20)) {
BIO_printf(out, "ERROR: unable to get random data\n");
goto builtin_err;
}
/* create and verify a ecdsa signature with every availble curve
* (with ) */
BIO_printf(out,
"\ntesting ECDSA_sign() and ECDSA_verify() "
"with some internal curves:\n");
static const int kCurveNIDs[] = {NID_secp224r1, NID_X9_62_prime256v1,
NID_secp384r1, NID_secp521r1, NID_undef};
/* now create and verify a signature for every curve */
for (n = 0; kCurveNIDs[n] != NID_undef; n++) {
unsigned char dirt, offset;
nid = kCurveNIDs[n];
/* create new ecdsa key (== EC_KEY) */
eckey = EC_KEY_new();
if (eckey == NULL) {
goto builtin_err;
}
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
goto builtin_err;
}
if (!EC_KEY_set_group(eckey, group)) {
goto builtin_err;
}
EC_GROUP_free(group);
degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
if (degree < 160) {
/* Too small to test. */
EC_KEY_free(eckey);
eckey = NULL;
continue;
}
BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
/* create key */
if (!EC_KEY_generate_key(eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* create second key */
wrong_eckey = EC_KEY_new();
if (wrong_eckey == NULL) {
goto builtin_err;
}
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
goto builtin_err;
}
if (EC_KEY_set_group(wrong_eckey, group) == 0) {
goto builtin_err;
}
EC_GROUP_free(group);
if (!EC_KEY_generate_key(wrong_eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* check key */
if (!EC_KEY_check_key(eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* create signature */
sig_len = ECDSA_size(eckey);
signature = OPENSSL_malloc(sig_len);
if (signature == NULL) {
goto builtin_err;
}
if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* verify signature */
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* verify signature with the wrong key */
if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* wrong digest */
if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* wrong length */
if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* Modify a single byte of the signature: to ensure we don't
* garble the ASN1 structure, we read the raw signature and
* modify a byte in one of the bignums directly. */
sig_ptr = signature;
ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len);
if (ecdsa_sig == NULL) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Store the two BIGNUMs in raw_buf. */
r_len = BN_num_bytes(ecdsa_sig->r);
s_len = BN_num_bytes(ecdsa_sig->s);
bn_len = (degree + 7) / 8;
if (r_len > bn_len || s_len > bn_len) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
buf_len = 2 * bn_len;
raw_buf = OPENSSL_malloc(buf_len);
if (raw_buf == NULL) {
goto builtin_err;
}
/* Pad the bignums with leading zeroes. */
memset(raw_buf, 0, buf_len);
BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
/* Modify a single byte in the buffer. */
offset = raw_buf[10] % buf_len;
dirt = raw_buf[11] ? raw_buf[11] : 1;
raw_buf[offset] ^= dirt;
/* Now read the BIGNUMs back in from raw_buf. */
if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
goto builtin_err;
}
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Sanity check: undo the modification and verify signature. */
raw_buf[offset] ^= dirt;
if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
goto builtin_err;
}
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
BIO_printf(out, " ok\n");
/* cleanup */
/* clean bogus errors */
ERR_clear_error();
OPENSSL_free(signature);
signature = NULL;
EC_KEY_free(eckey);
eckey = NULL;
EC_KEY_free(wrong_eckey);
wrong_eckey = NULL;
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
OPENSSL_free(raw_buf);
raw_buf = NULL;
}
ret = 1;
builtin_err:
if (eckey)
EC_KEY_free(eckey);
if (wrong_eckey)
EC_KEY_free(wrong_eckey);
if (ecdsa_sig)
ECDSA_SIG_free(ecdsa_sig);
if (signature)
OPENSSL_free(signature);
if (raw_buf)
OPENSSL_free(raw_buf);
return ret;
}
int MAIN(int argc, char **argv)
{
int ret=1,i;
const char **pp;
int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0;
ENGINE *e;
STACK *engines = sk_new_null();
STACK *pre_cmds = sk_new_null();
STACK *post_cmds = sk_new_null();
int badops=1;
BIO *bio_out=NULL;
const char *indent = " ";
apps_startup();
SSL_load_error_strings();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
bio_out = BIO_push(tmpbio, bio_out);
}
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strncmp(*argv,"-v",2) == 0)
{
if(strspn(*argv + 1, "v") < strlen(*argv + 1))
goto skip_arg_loop;
if((verbose=strlen(*argv + 1)) > 4)
goto skip_arg_loop;
}
else if (strcmp(*argv,"-c") == 0)
list_cap=1;
else if (strncmp(*argv,"-t",2) == 0)
{
test_avail=1;
if(strspn(*argv + 1, "t") < strlen(*argv + 1))
goto skip_arg_loop;
if((test_avail_noise = strlen(*argv + 1) - 1) > 1)
goto skip_arg_loop;
}
else if (strcmp(*argv,"-pre") == 0)
{
argc--; argv++;
if (argc == 0)
goto skip_arg_loop;
sk_push(pre_cmds,*argv);
}
else if (strcmp(*argv,"-post") == 0)
{
argc--; argv++;
if (argc == 0)
goto skip_arg_loop;
sk_push(post_cmds,*argv);
}
else if ((strncmp(*argv,"-h",2) == 0) ||
(strcmp(*argv,"-?") == 0))
goto skip_arg_loop;
else
sk_push(engines,*argv);
argc--;
argv++;
}
/* Looks like everything went OK */
badops = 0;
skip_arg_loop:
if (badops)
{
for (pp=engine_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
if (sk_num(engines) == 0)
{
for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e))
{
sk_push(engines,(char *)ENGINE_get_id(e));
}
}
for (i=0; i<sk_num(engines); i++)
{
const char *id = sk_value(engines,i);
if ((e = ENGINE_by_id(id)) != NULL)
{
const char *name = ENGINE_get_name(e);
/* Do "id" first, then "name". Easier to auto-parse. */
BIO_printf(bio_out, "(%s) %s\n", id, name);
util_do_cmds(e, pre_cmds, bio_out, indent);
if (strcmp(ENGINE_get_id(e), id) != 0)
{
BIO_printf(bio_out, "Loaded: (%s) %s\n",
ENGINE_get_id(e), ENGINE_get_name(e));
}
if (list_cap)
{
int cap_size = 256;
char *cap_buf = NULL;
int k,n;
const int *nids;
ENGINE_CIPHERS_PTR fn_c;
ENGINE_DIGESTS_PTR fn_d;
if (ENGINE_get_RSA(e) != NULL
&& !append_buf(&cap_buf, "RSA",
&cap_size, 256))
goto end;
if (ENGINE_get_DSA(e) != NULL
&& !append_buf(&cap_buf, "DSA",
&cap_size, 256))
goto end;
if (ENGINE_get_DH(e) != NULL
&& !append_buf(&cap_buf, "DH",
&cap_size, 256))
goto end;
if (ENGINE_get_RAND(e) != NULL
&& !append_buf(&cap_buf, "RAND",
&cap_size, 256))
goto end;
fn_c = ENGINE_get_ciphers(e);
if(!fn_c) goto skip_ciphers;
n = fn_c(e, NULL, &nids, 0);
for(k=0 ; k < n ; ++k)
if(!append_buf(&cap_buf,
OBJ_nid2sn(nids[k]),
&cap_size, 256))
goto end;
skip_ciphers:
fn_d = ENGINE_get_digests(e);
if(!fn_d) goto skip_digests;
n = fn_d(e, NULL, &nids, 0);
for(k=0 ; k < n ; ++k)
if(!append_buf(&cap_buf,
OBJ_nid2sn(nids[k]),
&cap_size, 256))
goto end;
skip_digests:
if (cap_buf && (*cap_buf != '\0'))
BIO_printf(bio_out, " [%s]\n", cap_buf);
OPENSSL_free(cap_buf);
}
if(test_avail)
{
BIO_printf(bio_out, "%s", indent);
if (ENGINE_init(e))
{
BIO_printf(bio_out, "[ available ]\n");
util_do_cmds(e, post_cmds, bio_out, indent);
ENGINE_finish(e);
}
else
{
BIO_printf(bio_out, "[ unavailable ]\n");
if(test_avail_noise)
ERR_print_errors_fp(stdout);
ERR_clear_error();
}
}
if((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
goto end;
ENGINE_free(e);
}
else
ERR_print_errors(bio_err);
}
ret=0;
end:
ERR_print_errors(bio_err);
sk_pop_free(engines, identity);
sk_pop_free(pre_cmds, identity);
sk_pop_free(post_cmds, identity);
if (bio_out != NULL) BIO_free_all(bio_out);
apps_shutdown();
OPENSSL_EXIT(ret);
}
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
int i;
int n,lold,l,l1,l2,num,j,type;
const char *s;
char *p;
unsigned char *q;
BUF_MEM *b=NULL;
static char hex[17]="0123456789ABCDEF";
int gs_doit[4];
char tmp_buf[80];
#ifdef CHARSET_EBCDIC
char ebcdic_buf[1024];
#endif
if (buf == NULL)
{
if ((b=BUF_MEM_new()) == NULL) goto err;
if (!BUF_MEM_grow(b,200)) goto err;
b->data[0]='\0';
len=200;
}
if (a == NULL)
{
if(b)
{
buf=b->data;
OPENSSL_free(b);
}
strncpy(buf,"NO X509_NAME",len);
buf[len-1]='\0';
return buf;
}
len--; /* space for '\0' */
l=0;
for (i=0; i<sk_X509_NAME_ENTRY_num(a->entries); i++)
{
ne=sk_X509_NAME_ENTRY_value(a->entries,i);
n=OBJ_obj2nid(ne->object);
if ((n == NID_undef) || ((s=OBJ_nid2sn(n)) == NULL))
{
i2t_ASN1_OBJECT(tmp_buf,sizeof(tmp_buf),ne->object);
s=tmp_buf;
}
l1=strlen(s);
type=ne->value->type;
num=ne->value->length;
q=ne->value->data;
#ifdef CHARSET_EBCDIC
if (type == V_ASN1_GENERALSTRING ||
type == V_ASN1_VISIBLESTRING ||
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING ||
type == V_ASN1_IA5STRING) {
ascii2ebcdic(ebcdic_buf, q,
(num > sizeof ebcdic_buf)
? sizeof ebcdic_buf : num);
q=ebcdic_buf;
}
#endif
if ((type == V_ASN1_GENERALSTRING) && ((num%4) == 0))
{
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=0;
for (j=0; j<num; j++)
if (q[j] != 0) gs_doit[j&3]=1;
if (gs_doit[0]|gs_doit[1]|gs_doit[2])
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
else
{
gs_doit[0]=gs_doit[1]=gs_doit[2]=0;
gs_doit[3]=1;
}
}
else
gs_doit[0]=gs_doit[1]=gs_doit[2]=gs_doit[3]=1;
for (l2=j=0; j<num; j++)
{
if (!gs_doit[j&3]) continue;
l2++;
#ifndef CHARSET_EBCDIC
if ((q[j] < ' ') || (q[j] > '~')) l2+=3;
#else
if ((os_toascii[q[j]] < os_toascii[' ']) ||
(os_toascii[q[j]] > os_toascii['~'])) l2+=3;
#endif
}
lold=l;
l+=1+l1+1+l2;
if (b != NULL)
{
if (!BUF_MEM_grow(b,l+1)) goto err;
p= &(b->data[lold]);
}
else if (l > len)
{
break;
}
else
p= &(buf[lold]);
*(p++)='/';
memcpy(p,s,(unsigned int)l1); p+=l1;
*(p++)='=';
#ifndef CHARSET_EBCDIC /* q was assigned above already. */
q=ne->value->data;
#endif
for (j=0; j<num; j++)
{
if (!gs_doit[j&3]) continue;
#ifndef CHARSET_EBCDIC
n=q[j];
if ((n < ' ') || (n > '~'))
{
*(p++)='\\';
*(p++)='x';
*(p++)=hex[(n>>4)&0x0f];
*(p++)=hex[n&0x0f];
}
else
*(p++)=n;
#else
n=os_toascii[q[j]];
if ((n < os_toascii[' ']) ||
(n > os_toascii['~']))
{
*(p++)='\\';
*(p++)='x';
*(p++)=hex[(n>>4)&0x0f];
*(p++)=hex[n&0x0f];
}
/**
* @return returns digest method name.
*/
std::string digidoc::Digest::getName() const
{
return OBJ_nid2sn(d->method);
}
void
sshkey_file_tests(void)
{
struct sshkey *k1, *k2;
struct sshbuf *buf, *pw;
BIGNUM *a, *b, *c;
char *cp;
TEST_START("load passphrase");
pw = load_text_file("pw");
TEST_DONE();
#ifdef WITH_SSH1
TEST_START("parse RSA1 from private");
buf = load_file("rsa1_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("rsa1_1.param.n");
ASSERT_BIGNUM_EQ(k1->rsa->n, a);
BN_free(a);
TEST_DONE();
TEST_START("parse RSA1 from private w/ passphrase");
buf = load_file("rsa1_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load RSA1 from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("RSA1 key hex fingerprint");
buf = load_text_file("rsa1_1.fp");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("RSA1 key bubblebabble fingerprint");
buf = load_text_file("rsa1_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
#endif
TEST_START("parse RSA from private");
buf = load_file("rsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("rsa_1.param.n");
b = load_bignum("rsa_1.param.p");
c = load_bignum("rsa_1.param.q");
ASSERT_BIGNUM_EQ(k1->rsa->n, a);
ASSERT_BIGNUM_EQ(k1->rsa->p, b);
ASSERT_BIGNUM_EQ(k1->rsa->q, c);
BN_free(a);
BN_free(b);
BN_free(c);
TEST_DONE();
TEST_START("parse RSA from private w/ passphrase");
buf = load_file("rsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("parse RSA from new-format");
buf = load_file("rsa_n");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("parse RSA from new-format w/ passphrase");
buf = load_file("rsa_n_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load RSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load RSA cert");
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k2), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(k2->type, KEY_RSA_CERT);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
TEST_DONE();
TEST_START("RSA key hex fingerprint");
buf = load_text_file("rsa_1.fp");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("RSA cert hex fingerprint");
buf = load_text_file("rsa_1-cert.fp");
cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
sshkey_free(k2);
TEST_DONE();
TEST_START("RSA key bubblebabble fingerprint");
buf = load_text_file("rsa_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
TEST_START("parse DSA from private");
buf = load_file("dsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("dsa_1.param.g");
b = load_bignum("dsa_1.param.priv");
c = load_bignum("dsa_1.param.pub");
ASSERT_BIGNUM_EQ(k1->dsa->g, a);
ASSERT_BIGNUM_EQ(k1->dsa->priv_key, b);
ASSERT_BIGNUM_EQ(k1->dsa->pub_key, c);
BN_free(a);
BN_free(b);
BN_free(c);
TEST_DONE();
TEST_START("parse DSA from private w/ passphrase");
buf = load_file("dsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("parse DSA from new-format");
buf = load_file("dsa_n");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("parse DSA from new-format w/ passphrase");
buf = load_file("dsa_n_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load DSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load DSA cert");
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("dsa_1"), &k2), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(k2->type, KEY_DSA_CERT);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
TEST_DONE();
TEST_START("DSA key hex fingerprint");
buf = load_text_file("dsa_1.fp");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("DSA cert hex fingerprint");
buf = load_text_file("dsa_1-cert.fp");
cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
sshkey_free(k2);
TEST_DONE();
TEST_START("DSA key bubblebabble fingerprint");
buf = load_text_file("dsa_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
TEST_START("parse ECDSA from private");
buf = load_file("ecdsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
buf = load_text_file("ecdsa_1.param.curve");
ASSERT_STRING_EQ((const char *)sshbuf_ptr(buf),
OBJ_nid2sn(k1->ecdsa_nid));
sshbuf_free(buf);
a = load_bignum("ecdsa_1.param.priv");
b = load_bignum("ecdsa_1.param.pub");
c = EC_POINT_point2bn(EC_KEY_get0_group(k1->ecdsa),
EC_KEY_get0_public_key(k1->ecdsa), POINT_CONVERSION_UNCOMPRESSED,
NULL, NULL);
ASSERT_PTR_NE(c, NULL);
ASSERT_BIGNUM_EQ(EC_KEY_get0_private_key(k1->ecdsa), a);
ASSERT_BIGNUM_EQ(b, c);
BN_free(a);
BN_free(b);
BN_free(c);
TEST_DONE();
TEST_START("parse ECDSA from private w/ passphrase");
buf = load_file("ecdsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("parse ECDSA from new-format");
buf = load_file("ecdsa_n");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("parse ECDSA from new-format w/ passphrase");
buf = load_file("ecdsa_n_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load ECDSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load ECDSA cert");
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ecdsa_1"), &k2), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(k2->type, KEY_ECDSA_CERT);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
TEST_DONE();
TEST_START("ECDSA key hex fingerprint");
buf = load_text_file("ecdsa_1.fp");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("ECDSA cert hex fingerprint");
buf = load_text_file("ecdsa_1-cert.fp");
cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
sshkey_free(k2);
TEST_DONE();
TEST_START("ECDSA key bubblebabble fingerprint");
buf = load_text_file("ecdsa_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
TEST_START("parse Ed25519 from private");
buf = load_file("ed25519_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
ASSERT_INT_EQ(k1->type, KEY_ED25519);
/* XXX check key contents */
TEST_DONE();
TEST_START("parse Ed25519 from private w/ passphrase");
buf = load_file("ed25519_1_pw");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load Ed25519 from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load Ed25519 cert");
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ed25519_1"), &k2), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(k2->type, KEY_ED25519_CERT);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
TEST_DONE();
TEST_START("Ed25519 key hex fingerprint");
buf = load_text_file("ed25519_1.fp");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("Ed25519 cert hex fingerprint");
buf = load_text_file("ed25519_1-cert.fp");
cp = sshkey_fingerprint(k2, SSH_DIGEST_SHA256, SSH_FP_BASE64);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
sshkey_free(k2);
TEST_DONE();
TEST_START("Ed25519 key bubblebabble fingerprint");
buf = load_text_file("ed25519_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
sshbuf_free(pw);
}
int MAIN(int argc, char **argv)
{
unsigned long nmflag = 0;
X509_CRL *x = NULL;
char *CAfile = NULL, *CApath = NULL;
int ret = 1, i, num, badops = 0, badsig = 0;
BIO *out = NULL;
int informat, outformat, keyformat;
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
0, text = 0;
#ifndef OPENSSL_NO_MD5
int hash_old = 0;
#endif
int fingerprint = 0, crlnumber = 0;
const char **pp;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
int do_ver = 0;
const EVP_MD *md_alg, *digest = EVP_sha1();
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
if (bio_out == NULL)
if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
bio_out = BIO_push(tmpbio, bio_out);
}
#endif
}
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
keyformat = FORMAT_PEM;
argc--;
argv++;
num = 0;
while (argc >= 1) {
#ifdef undef
if (strcmp(*argv, "-p") == 0) {
if (--argc < 1)
goto bad;
if (!args_from_file(++argv, Nargc, Nargv)) {
goto end;
}
*/}
#endif
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-gendelta") == 0) {
if (--argc < 1)
goto bad;
crldiff = *(++argv);
} else if (strcmp(*argv, "-key") == 0) {
if (--argc < 1)
goto bad;
keyfile = *(++argv);
} else if (strcmp(*argv, "-keyform") == 0) {
if (--argc < 1)
goto bad;
keyformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-CApath") == 0) {
if (--argc < 1)
goto bad;
CApath = *(++argv);
do_ver = 1;
} else if (strcmp(*argv, "-CAfile") == 0) {
if (--argc < 1)
goto bad;
CAfile = *(++argv);
do_ver = 1;
} else if (strcmp(*argv, "-verify") == 0)
do_ver = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
else if (strcmp(*argv, "-hash") == 0)
hash = ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv, "-hash_old") == 0)
hash_old = ++num;
#endif
else if (strcmp(*argv, "-nameopt") == 0) {
if (--argc < 1)
goto bad;
if (!set_name_ex(&nmflag, *(++argv)))
goto bad;
} else if (strcmp(*argv, "-issuer") == 0)
issuer = ++num;
else if (strcmp(*argv, "-lastupdate") == 0)
lastupdate = ++num;
else if (strcmp(*argv, "-nextupdate") == 0)
nextupdate = ++num;
else if (strcmp(*argv, "-noout") == 0)
noout = ++num;
else if (strcmp(*argv, "-fingerprint") == 0)
fingerprint = ++num;
else if (strcmp(*argv, "-crlnumber") == 0)
crlnumber = ++num;
else if (strcmp(*argv, "-badsig") == 0)
badsig = 1;
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
/* ok */
digest = md_alg;
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
for (pp = crl_usage; (*pp != NULL); pp++)
BIO_printf(bio_err, "%s", *pp);
goto end;
}
ERR_load_crypto_strings();
x = load_crl(infile, informat);
if (x == NULL) {
goto end;
}
if (do_ver) {
store = X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
ERR_clear_error();
if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
BIO_printf(bio_err, "Error initialising X509 store\n");
goto end;
}
i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
X509_CRL_get_issuer(x), &xobj);
if (i <= 0) {
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
}
pkey = X509_get_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if (!pkey) {
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
EVP_PKEY_free(pkey);
if (i < 0)
goto end;
if (i == 0)
BIO_printf(bio_err, "verify failure\n");
else
BIO_printf(bio_err, "verify OK\n");
}
if (crldiff) {
X509_CRL *newcrl, *delta;
if (!keyfile) {
BIO_puts(bio_err, "Missing CRL signing key\n");
goto end;
}
newcrl = load_crl(crldiff, informat);
if (!newcrl)
goto end;
pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
"CRL signing key");
if (!pkey) {
X509_CRL_free(newcrl);
goto end;
}
delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
X509_CRL_free(newcrl);
EVP_PKEY_free(pkey);
if (delta) {
X509_CRL_free(x);
x = delta;
} else {
BIO_puts(bio_err, "Error creating delta CRL\n");
goto end;
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
nmflag);
}
if (crlnumber == i) {
ASN1_INTEGER *crlnum;
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
BIO_printf(bio_out, "crlNumber=");
if (crlnum) {
i2a_ASN1_INTEGER(bio_out, crlnum);
ASN1_INTEGER_free(crlnum);
} else
BIO_puts(bio_out, "<NONE>");
BIO_printf(bio_out, "\n");
}
if (hash == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
#ifndef OPENSSL_NO_MD5
if (hash_old == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");
}
if (fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_CRL_digest(x, digest, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j = 0; j < (int)n; j++) {
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
}
}
}
}
out = BIO_new(BIO_s_file());
if (out == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (text)
X509_CRL_print(out, x);
if (noout) {
ret = 0;
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = (int)i2d_X509_CRL_bio(out, x);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_X509_CRL(out, x);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write CRL\n");
goto end;
}
ret = 0;
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out = NULL;
X509_CRL_free(x);
if (store) {
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
static void https_add_ssl_entries(connection *con) {
X509 *xs;
X509_NAME *xn;
X509_NAME_ENTRY *xe;
int i, nentries;
if (
SSL_get_verify_result(con->ssl) != X509_V_OK
|| !(xs = SSL_get_peer_certificate(con->ssl))
) {
return;
}
xn = X509_get_subject_name(xs);
for (i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
int xobjnid;
const char * xobjsn;
data_string *envds;
if (!(xe = X509_NAME_get_entry(xn, i))) {
continue;
}
xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
xobjsn = OBJ_nid2sn(xobjnid);
if (!xobjsn) {
continue;
}
if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
envds = data_string_init();
}
buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
buffer_append_string(envds->key, xobjsn);
buffer_copy_string_len(
envds->value,
(const char *)X509_NAME_ENTRY_get_data(xe)->data,
X509_NAME_ENTRY_get_data(xe)->length
);
/* pick one of the exported values as "REMOTE_USER", for example
* ssl.verifyclient.username = "******" or "SSL_CLIENT_S_DN_emailAddress"
*/
if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
data_string *ds;
if (NULL == (ds = (data_string *)array_get_element(con->environment, "REMOTE_USER"))) {
if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
ds = data_string_init();
}
buffer_copy_string(ds->key, "REMOTE_USER");
array_insert_unique(con->environment, (data_unset *)ds);
}
buffer_copy_buffer(ds->value, envds->value);
}
array_insert_unique(con->environment, (data_unset *)envds);
}
if (con->conf.ssl_verifyclient_export_cert) {
BIO *bio;
if (NULL != (bio = BIO_new(BIO_s_mem()))) {
data_string *envds;
int n;
PEM_write_bio_X509(bio, xs);
n = BIO_pending(bio);
if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
envds = data_string_init();
}
buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_CERT"));
buffer_string_prepare_copy(envds->value, n);
BIO_read(bio, envds->value->ptr, n);
BIO_free(bio);
buffer_commit(envds->value, n);
array_insert_unique(con->environment, (data_unset *)envds);
}
}
X509_free(xs);
}
int MAIN(int argc, char **argv)
{
EC_GROUP *group = NULL;
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
int new_form = 0;
int asn1_flag = OPENSSL_EC_NAMED_CURVE;
int new_asn1_flag = 0;
char *curve_name = NULL, *inrand = NULL;
int list_curves = 0, no_seed = 0, check = 0,
badops = 0, text = 0, i, need_rand = 0, genkey = 0;
char *infile = NULL, *outfile = NULL, *prog;
BIO *in = NULL, *out = NULL;
int informat, outformat, noout = 0, C = 0, ret = 1;
char *engine = NULL;
BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
*ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
unsigned char *buffer = NULL;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-text") == 0)
text = 1;
else if (strcmp(*argv, "-C") == 0)
C = 1;
else if (strcmp(*argv, "-check") == 0)
check = 1;
else if (strcmp(*argv, "-name") == 0) {
if (--argc < 1)
goto bad;
curve_name = *(++argv);
} else if (strcmp(*argv, "-list_curves") == 0)
list_curves = 1;
else if (strcmp(*argv, "-conv_form") == 0) {
if (--argc < 1)
goto bad;
++argv;
new_form = 1;
if (strcmp(*argv, "compressed") == 0)
form = POINT_CONVERSION_COMPRESSED;
else if (strcmp(*argv, "uncompressed") == 0)
form = POINT_CONVERSION_UNCOMPRESSED;
else if (strcmp(*argv, "hybrid") == 0)
form = POINT_CONVERSION_HYBRID;
else
goto bad;
} else if (strcmp(*argv, "-param_enc") == 0) {
if (--argc < 1)
goto bad;
++argv;
new_asn1_flag = 1;
if (strcmp(*argv, "named_curve") == 0)
asn1_flag = OPENSSL_EC_NAMED_CURVE;
else if (strcmp(*argv, "explicit") == 0)
asn1_flag = 0;
else
goto bad;
} else if (strcmp(*argv, "-no_seed") == 0)
no_seed = 1;
else if (strcmp(*argv, "-noout") == 0)
noout = 1;
else if (strcmp(*argv, "-genkey") == 0) {
genkey = 1;
need_rand = 1;
} else if (strcmp(*argv, "-rand") == 0) {
if (--argc < 1)
goto bad;
inrand = *(++argv);
need_rand = 1;
} else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
goto bad;
engine = *(++argv);
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - "
"default PEM (DER or PEM)\n");
BIO_printf(bio_err, " -outform arg output format - "
"default PEM\n");
BIO_printf(bio_err, " -in arg input file - "
"default stdin\n");
BIO_printf(bio_err, " -out arg output file - "
"default stdout\n");
BIO_printf(bio_err, " -noout do not print the "
"ec parameter\n");
BIO_printf(bio_err, " -text print the ec "
"parameters in text form\n");
BIO_printf(bio_err, " -check validate the ec "
"parameters\n");
BIO_printf(bio_err, " -C print a 'C' "
"function creating the parameters\n");
BIO_printf(bio_err, " -name arg use the "
"ec parameters with 'short name' name\n");
BIO_printf(bio_err, " -list_curves prints a list of "
"all currently available curve 'short names'\n");
BIO_printf(bio_err, " -conv_form arg specifies the "
"point conversion form \n");
BIO_printf(bio_err, " possible values:"
" compressed\n");
BIO_printf(bio_err, " "
" uncompressed (default)\n");
BIO_printf(bio_err, " "
" hybrid\n");
BIO_printf(bio_err, " -param_enc arg specifies the way"
" the ec parameters are encoded\n");
BIO_printf(bio_err, " in the asn1 der "
"encoding\n");
BIO_printf(bio_err, " possible values:"
" named_curve (default)\n");
BIO_printf(bio_err, " "
" explicit\n");
BIO_printf(bio_err, " -no_seed if 'explicit'"
" parameters are chosen do not" " use the seed\n");
BIO_printf(bio_err, " -genkey generate ec" " key\n");
BIO_printf(bio_err, " -rand file files to use for"
" random number input\n");
BIO_printf(bio_err, " -engine e use engine e, "
"possibly a hardware device\n");
goto end;
}
ERR_load_crypto_strings();
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
# ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
# endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
# ifndef OPENSSL_NO_ENGINE
setup_engine(bio_err, engine, 0);
# endif
if (list_curves) {
EC_builtin_curve *curves = NULL;
size_t crv_len = 0;
size_t n = 0;
crv_len = EC_get_builtin_curves(NULL, 0);
curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
if (curves == NULL)
goto end;
if (!EC_get_builtin_curves(curves, crv_len)) {
OPENSSL_free(curves);
goto end;
}
for (n = 0; n < crv_len; n++) {
const char *comment;
const char *sname;
comment = curves[n].comment;
sname = OBJ_nid2sn(curves[n].nid);
if (comment == NULL)
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
sname = "";
BIO_printf(out, " %-10s: ", sname);
BIO_printf(out, "%s\n", comment);
}
OPENSSL_free(curves);
ret = 0;
goto end;
}
if (curve_name != NULL) {
int nid;
/*
* workaround for the SECG curve names secp192r1 and secp256r1 (which
* are the same as the curves prime192v1 and prime256v1 defined in
* X9.62)
*/
if (!strcmp(curve_name, "secp192r1")) {
BIO_printf(bio_err, "using curve name prime192v1 "
"instead of secp192r1\n");
nid = NID_X9_62_prime192v1;
} else if (!strcmp(curve_name, "secp256r1")) {
BIO_printf(bio_err, "using curve name prime256v1 "
"instead of secp256r1\n");
nid = NID_X9_62_prime256v1;
} else
nid = OBJ_sn2nid(curve_name);
if (nid == 0)
nid = EC_curve_nist2nid(curve_name);
if (nid == 0) {
BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
goto end;
}
group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name);
goto end;
}
EC_GROUP_set_asn1_flag(group, asn1_flag);
EC_GROUP_set_point_conversion_form(group, form);
} else if (informat == FORMAT_ASN1) {
group = d2i_ECPKParameters_bio(in, NULL);
} else if (informat == FORMAT_PEM) {
group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
} else {
BIO_printf(bio_err, "bad input format specified\n");
goto end;
}
if (group == NULL) {
BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
ERR_print_errors(bio_err);
goto end;
}
if (new_form)
EC_GROUP_set_point_conversion_form(group, form);
if (new_asn1_flag)
EC_GROUP_set_asn1_flag(group, asn1_flag);
if (no_seed) {
EC_GROUP_set_seed(group, NULL, 0);
}
if (text) {
if (!ECPKParameters_print(out, group, 0))
goto end;
}
if (check) {
BIO_printf(bio_err, "checking elliptic curve parameters: ");
if (!EC_GROUP_check(group, NULL)) {
BIO_printf(bio_err, "failed\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(bio_err, "ok\n");
}
if (C) {
size_t buf_len = 0, tmp_len = 0;
const EC_POINT *point;
int is_prime, len = 0;
const EC_METHOD *meth = EC_GROUP_method_of(group);
if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
(ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
(ec_order = BN_new()) == NULL ||
(ec_cofactor = BN_new()) == NULL) {
perror("OPENSSL_malloc");
goto end;
}
is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
if (is_prime) {
if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL))
goto end;
} else {
/* TODO */
goto end;
}
if ((point = EC_GROUP_get0_generator(group)) == NULL)
goto end;
if (!EC_POINT_point2bn(group, point,
EC_GROUP_get_point_conversion_form(group),
ec_gen, NULL))
goto end;
if (!EC_GROUP_get_order(group, ec_order, NULL))
goto end;
if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
goto end;
if (!ec_p || !ec_a || !ec_b || !ec_gen || !ec_order || !ec_cofactor)
goto end;
len = BN_num_bits(ec_order);
if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len)
buf_len = tmp_len;
if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len)
buf_len = tmp_len;
if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len)
buf_len = tmp_len;
if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len)
buf_len = tmp_len;
if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len)
buf_len = tmp_len;
if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
buf_len = tmp_len;
buffer = (unsigned char *)OPENSSL_malloc(buf_len);
if (buffer == NULL) {
perror("OPENSSL_malloc");
goto end;
}
ecparam_print_var(out, ec_p, "ec_p", len, buffer);
ecparam_print_var(out, ec_a, "ec_a", len, buffer);
ecparam_print_var(out, ec_b, "ec_b", len, buffer);
ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
ecparam_print_var(out, ec_order, "ec_order", len, buffer);
ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, buffer);
BIO_printf(out, "\n\n");
BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
BIO_printf(out, "\tint ok=0;\n");
BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
BIO_printf(out, "\tEC_POINT *point = NULL;\n");
BIO_printf(out, "\tBIGNUM *tmp_1 = NULL, *tmp_2 = NULL, "
"*tmp_3 = NULL;\n\n");
BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
"sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
"goto err;\n", len, len);
BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
"sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
"goto err;\n", len, len);
BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
"sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
"goto err;\n", len, len);
if (is_prime) {
BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
"GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
"\n\t\tgoto err;\n\n");
} else {
/* TODO */
goto end;
}
BIO_printf(out, "\t/* build generator */\n");
BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
"sizeof(ec_gen_%d), tmp_1)) == NULL)"
"\n\t\tgoto err;\n", len, len);
BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
"NULL, NULL);\n");
BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
"sizeof(ec_order_%d), tmp_2)) == NULL)"
"\n\t\tgoto err;\n", len, len);
BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
"sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
"\n\t\tgoto err;\n", len, len);
BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
" tmp_2, tmp_3))\n\t\tgoto err;\n");
BIO_printf(out, "\n\tok=1;\n");
BIO_printf(out, "err:\n");
BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
BIO_printf(out, "\tif (!ok)\n");
BIO_printf(out, "\t\t{\n");
BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
BIO_printf(out, "\t\tgroup = NULL;\n");
BIO_printf(out, "\t\t}\n");
BIO_printf(out, "\treturn(group);\n\t}\n");
}
if (!noout) {
if (outformat == FORMAT_ASN1)
i = i2d_ECPKParameters_bio(out, group);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_ECPKParameters(out, group);
else {
BIO_printf(bio_err, "bad output format specified for"
" outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write elliptic "
"curve parameters\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (need_rand) {
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
if (inrand != NULL)
BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
}
if (genkey) {
EC_KEY *eckey = EC_KEY_new();
if (eckey == NULL)
goto end;
assert(need_rand);
if (EC_KEY_set_group(eckey, group) == 0)
goto end;
if (!EC_KEY_generate_key(eckey)) {
EC_KEY_free(eckey);
goto end;
}
if (outformat == FORMAT_ASN1)
i = i2d_ECPrivateKey_bio(out, eckey);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
NULL, 0, NULL, NULL);
else {
BIO_printf(bio_err, "bad output format specified "
"for outfile\n");
EC_KEY_free(eckey);
goto end;
}
EC_KEY_free(eckey);
}
if (need_rand)
app_RAND_write_file(NULL, bio_err);
ret = 0;
end:
if (ec_p)
BN_free(ec_p);
if (ec_a)
BN_free(ec_a);
if (ec_b)
BN_free(ec_b);
if (ec_gen)
BN_free(ec_gen);
if (ec_order)
BN_free(ec_order);
if (ec_cofactor)
BN_free(ec_cofactor);
if (buffer)
OPENSSL_free(buffer);
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (group != NULL)
EC_GROUP_free(group);
apps_shutdown();
OPENSSL_EXIT(ret);
}
