static LUA_FUNCTION(openssl_crl_read) { BIO * in = load_bio_object(L, 1); int fmt = luaL_checkoption(L, 2, "auto", format); X509_CRL *crl = NULL; if (fmt == FORMAT_AUTO) { fmt = bio_is_der(in) ? FORMAT_DER : FORMAT_PEM; } if (fmt == FORMAT_PEM) { crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); BIO_reset(in); } else if (fmt == FORMAT_DER) { crl = d2i_X509_CRL_bio(in, NULL); BIO_reset(in); } BIO_free(in); if (crl) { PUSH_OBJECT(crl, "openssl.x509_crl"); return 1; } return openssl_pushresult(L, 0); }
static VALUE ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self) { BIO *in; X509_CRL *crl = rb_rdata_fetch(self); X509_CRL *x = crl; VALUE arg; if (rb_scan_args(argc, argv, "01", &arg) == 0) { return self; } arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(arg); crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL); rb_rdata_store(self, x); if (!crl) { OSSL_BIO_reset(in); crl = d2i_X509_CRL_bio(in, &x); rb_rdata_store(self, x); } BIO_free(in); if (!crl) ossl_raise(eX509CRLError, NULL); return self; }
static LUA_FUNCTION(openssl_crl_read) { BIO * in = load_bio_object(L, 1); int fmt = luaL_checkoption(L, 2, "auto", format); X509_CRL *crl = NULL; if (fmt == FORMAT_AUTO || fmt == FORMAT_PEM) { crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); BIO_reset(in); } if ((fmt == FORMAT_AUTO && crl == NULL) || fmt == FORMAT_DER) { crl = d2i_X509_CRL_bio(in, NULL); BIO_reset(in); } BIO_free(in); if (crl) { PUSH_OBJECT(crl, "openssl.x509_crl"); return 1; } return 0; }
int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) { int ret = 0; BIO *in = NULL; int i, count = 0; X509_CRL *x = NULL; if (file == NULL) return (1); in = BIO_new(BIO_s_file_internal()); if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) { X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_SYS_LIB); goto err; } if (type == X509_FILETYPE_PEM) { for (;;) { x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); if (x == NULL) { if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); break; } else { X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_PEM_LIB); goto err; } } i = X509_STORE_add_crl(ctx->store_ctx, x); if (!i) goto err; count++; X509_CRL_free(x); x = NULL; } ret = count; } else if (type == X509_FILETYPE_ASN1) { x = d2i_X509_CRL_bio(in, NULL); if (x == NULL) { X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_ASN1_LIB); goto err; } i = X509_STORE_add_crl(ctx->store_ctx, x); if (!i) goto err; ret = i; } else { X509err(X509_F_X509_LOAD_CRL_FILE, X509_R_BAD_X509_FILETYPE); goto err; } err: if (x != NULL) X509_CRL_free(x); if (in != NULL) BIO_free(in); return (ret); }
static int tls_sc_add_crl(lua_State *L) { tls_sc_t *ctx = getSC(L); X509_CRL *x509; BIO *bio; bio = _lua_load_bio(L, -1); if (!bio) { lua_pushboolean(L, 0); return 1; } x509 = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); if (x509 == NULL) { BIO_free(bio); lua_pushboolean(L, 0); return 1; } X509_STORE_add_crl(ctx->ca_store, x509); X509_STORE_set_flags(ctx->ca_store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); BIO_free(bio); X509_CRL_free(x509); lua_pushboolean(L, 1); return 1; }
void pki_crl::fromPEM_BIO(BIO *bio, QString name) { X509_CRL*_crl; _crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); openssl_error(name); X509_CRL_free(crl); crl = _crl; setIntName(rmslashdot(name)); }
/* * Create a CRL from an array of strings. */ static X509_CRL *CRL_from_strings(const char **pem) { char *p; BIO *b = glue2bio(pem, &p); X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); return crl; }
static DWORD VMCAPEMToX509Crl( PSTR pCrl, X509_CRL** ppX509Crl ) { DWORD dwError = 0; BIO* pBioMem = NULL; X509_CRL *pX509Crl = NULL; if (!pCrl || !ppX509Crl) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } pBioMem = BIO_new_mem_buf((PVOID) pCrl, -1); if ( pBioMem == NULL) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_ERROR(dwError); } pX509Crl = PEM_read_bio_X509_CRL(pBioMem, NULL, NULL, NULL); if (pX509Crl == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } *ppX509Crl = pX509Crl; cleanup : if (pBioMem) { BIO_free(pBioMem); } return dwError; error : *ppX509Crl = NULL; if (pX509Crl != NULL) { X509_CRL_free(pX509Crl); } goto cleanup; }
void parse_pem(const std::string& crl_txt) { BIO *bio = BIO_new_mem_buf(const_cast<char *>(crl_txt.c_str()), crl_txt.length()); if (!bio) throw OpenSSLException(); X509_CRL *crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); BIO_free(bio); if (!crl) throw OpenSSLException("CRL::parse_pem"); erase(); crl_ = crl; }
void Crl::Load() { if(!download.Get(url.c_str(), path.c_str())) { pf_log[W_INFO] << "CRL download failed"; throw DownloadFailed(); } pf_log[W_INFO] << "Loading CRL file : \"" << path << "\"."; if(crl) { X509_CRL_free(crl); crl = NULL; } // TODO: simplify-me with openssl's BIO FILE* f = fopen(path.c_str(), "r"); if(!f) throw BadCRL(std::string(strerror(errno))); if(fseek(f, 0, SEEK_END)) throw BadCRL(std::string(strerror(errno))); size_t file_size = ftell(f); rewind(f); char buf[file_size]; if(fread(buf, file_size, 1, f) <= 0) { fclose(f); throw BadCRL(std::string(strerror(errno))); } if(file_size > INT_MAX) throw BadCRL(std::string("File is too big")); BIO* raw_crl = BIO_new_mem_buf(buf, (int)file_size); crl = PEM_read_bio_X509_CRL(raw_crl, NULL, NULL, NULL); BIO_free(raw_crl); if(!crl) { std::string str = std::string(ERR_error_string( ERR_get_error(), NULL)); throw BadCRL(str); } char* str = X509_NAME_oneline (X509_CRL_get_issuer (crl), 0, 0); pf_log[W_INFO] << "CRL issued by: " << str; }
static X509_CRL * load_crl(char * ca_name) { FILE * fp ; BIO * in ; X509_CRL * crl ; char filename[FIELD_SZ+5]; sprintf(filename, "%s.crl", ca_name); in = BIO_new(BIO_s_file()); if ((fp=fopen(filename, "rb"))==NULL) { BIO_free(in); return NULL ; } BIO_set_fp(in, fp, BIO_NOCLOSE); crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); fclose(fp); BIO_free(in); return crl ; }
static X509_CRL *load_crl(char *infile, int format) { X509_CRL *x=NULL; BIO *in=NULL; in=BIO_new(BIO_s_file()); if (in == NULL) { ERR_print_errors(bio_err); goto end; } if (infile == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE); else { if (BIO_read_filename(in,infile) <= 0) { perror(infile); goto end; } } if (format == FORMAT_ASN1) x=d2i_X509_CRL_bio(in,NULL); else if (format == FORMAT_PEM) x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); else { BIO_printf(bio_err,"bad input format specified for input crl\n"); goto end; } if (x == NULL) { BIO_printf(bio_err,"unable to load CRL\n"); ERR_print_errors(bio_err); goto end; } end: BIO_free(in); return(x); }
Handle<CRL> Provider_System::getCRLFromURI(Handle<std::string> uri, Handle<std::string> format){ LOGGER_FN(); try{ BIO *bioFile = NULL; X509_CRL *hcrl = NULL; LOGGER_OPENSSL(BIO_new); bioFile = BIO_new(BIO_s_file()); LOGGER_OPENSSL(BIO_read_filename); if (BIO_read_filename(bioFile, uri->c_str()) > 0){ LOGGER_OPENSSL(BIO_seek); BIO_seek(bioFile, 0); if (strcmp(format->c_str(), "PEM") == 0){ LOGGER_OPENSSL(PEM_read_bio_X509_CRL); hcrl = PEM_read_bio_X509_CRL(bioFile, NULL, NULL, NULL); } else if (strcmp(format->c_str(), "DER") == 0){ LOGGER_OPENSSL(d2i_X509_CRL_bio); hcrl = d2i_X509_CRL_bio(bioFile, NULL); } else{ THROW_EXCEPTION(0, Provider_System, NULL, "Unsupported format. Only PEM | DER"); } } LOGGER_OPENSSL(BIO_free); BIO_free(bioFile); if (!hcrl){ THROW_EXCEPTION(0, Provider_System, NULL, "Unable decode CRL from PEM/DE"); } else{ return new CRL(hcrl); } } catch (Handle<Exception> e){ THROW_EXCEPTION(0, Provider_System, e, "getCRLFromURI"); } }
static VALUE ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self) { BIO *in; X509_CRL *crl; VALUE arg; if (rb_scan_args(argc, argv, "01", &arg) == 0) { return self; } arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(arg); crl = PEM_read_bio_X509_CRL(in, (X509_CRL **)&DATA_PTR(self), NULL, NULL); if (!crl) { BIO_reset(in); crl = d2i_X509_CRL_bio(in, (X509_CRL **)&DATA_PTR(self)); } BIO_free(in); if (!crl) ossl_raise(eX509CRLError, NULL); return self; }
int MAIN(int argc, char **argv) { int i, badops = 0; BIO *in = NULL, *out = NULL; int informat, outformat; char *infile, *outfile, *prog, *certfile; PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; X509_CRL *crl = NULL; STACK_OF(OPENSSL_STRING) *certflst = NULL; STACK_OF(X509_CRL) *crl_stack = NULL; STACK_OF(X509) *cert_stack = NULL; int ret = 1, nocrl = 0; apps_startup(); if (bio_err == NULL) if ((bio_err = BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); infile = NULL; outfile = NULL; informat = FORMAT_PEM; outformat = FORMAT_PEM; prog = argv[0]; argc--; argv++; while (argc >= 1) { if (strcmp(*argv, "-inform") == 0) { if (--argc < 1) goto bad; informat = str2fmt(*(++argv)); } else if (strcmp(*argv, "-outform") == 0) { if (--argc < 1) goto bad; outformat = str2fmt(*(++argv)); } else if (strcmp(*argv, "-in") == 0) { if (--argc < 1) goto bad; infile = *(++argv); } else if (strcmp(*argv, "-nocrl") == 0) { nocrl = 1; } else if (strcmp(*argv, "-out") == 0) { if (--argc < 1) goto bad; outfile = *(++argv); } else if (strcmp(*argv, "-certfile") == 0) { if (--argc < 1) goto bad; if (!certflst) certflst = sk_OPENSSL_STRING_new_null(); if (!certflst) goto end; if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) { sk_OPENSSL_STRING_free(certflst); goto end; } } else { BIO_printf(bio_err, "unknown option %s\n", *argv); badops = 1; break; } argc--; argv++; } if (badops) { bad: BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); BIO_printf(bio_err, " -in arg input file\n"); BIO_printf(bio_err, " -out arg output file\n"); BIO_printf(bio_err, " -certfile arg certificates file of chain to a trusted CA\n"); BIO_printf(bio_err, " (can be used more than once)\n"); BIO_printf(bio_err, " -nocrl no crl to load, just certs from '-certfile'\n"); ret = 1; goto end; } ERR_load_crypto_strings(); in = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } if (!nocrl) { if (infile == NULL) BIO_set_fp(in, stdin, BIO_NOCLOSE); else { if (BIO_read_filename(in, infile) <= 0) { perror(infile); goto end; } } if (informat == FORMAT_ASN1) crl = d2i_X509_CRL_bio(in, NULL); else if (informat == FORMAT_PEM) crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); else { BIO_printf(bio_err, "bad input format specified for input crl\n"); goto end; } if (crl == NULL) { BIO_printf(bio_err, "unable to load CRL\n"); ERR_print_errors(bio_err); goto end; } } if ((p7 = PKCS7_new()) == NULL) goto end; if ((p7s = PKCS7_SIGNED_new()) == NULL) goto end; p7->type = OBJ_nid2obj(NID_pkcs7_signed); p7->d.sign = p7s; p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); if (!ASN1_INTEGER_set(p7s->version, 1)) goto end; if ((crl_stack = sk_X509_CRL_new_null()) == NULL) goto end; p7s->crl = crl_stack; if (crl != NULL) { sk_X509_CRL_push(crl_stack, crl); crl = NULL; /* now part of p7 for OPENSSL_freeing */ } if ((cert_stack = sk_X509_new_null()) == NULL) goto end; p7s->cert = cert_stack; if (certflst) for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack, certfile) < 0) { BIO_printf(bio_err, "error loading certificates\n"); ERR_print_errors(bio_err); goto end; } } sk_OPENSSL_STRING_free(certflst); if (outfile == NULL) { BIO_set_fp(out, stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if (BIO_write_filename(out, outfile) <= 0) { perror(outfile); goto end; } } if (outformat == FORMAT_ASN1) i = i2d_PKCS7_bio(out, p7); else if (outformat == FORMAT_PEM) i = PEM_write_bio_PKCS7(out, p7); else { BIO_printf(bio_err, "bad output format specified for outfile\n"); goto end; } if (!i) { BIO_printf(bio_err, "unable to write pkcs7 object\n"); ERR_print_errors(bio_err); goto end; } ret = 0; end: if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (p7 != NULL) PKCS7_free(p7); if (crl != NULL) X509_CRL_free(crl); apps_shutdown(); OPENSSL_EXIT(ret); }
/* * Load the new content from a Certificate Revocation List (CRL). */ static int crl_reloader_reload_file(X509_LOOKUP *ctx) { int cnt, ok = 0; struct stat st; BIO *in = NULL; TLS_CRL_Reload_Context *data; data = (TLS_CRL_Reload_Context *)ctx->method_data; if (!data->crl_file_name) { goto bail_out; } if (stat(data->crl_file_name, &st) != 0) { goto bail_out; } in = BIO_new_file(data->crl_file_name, "r"); if (!in) { goto bail_out; } /* * Load a maximum of MAX_CRLS Certificate Revocation Lists. */ data->mtime = st.st_mtime; for (cnt = 0; cnt < MAX_CRLS; cnt++) { X509_CRL *crl; if ((crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL)) == NULL) { if (cnt == 0) { /* * We try to read multiple times only the first is fatal. */ goto bail_out; } else { break; } } if (data->crls[cnt]) { X509_CRL_free(data->crls[cnt]); } data->crls[cnt] = crl; } /* * Clear the other slots. */ while (++cnt < MAX_CRLS) { if (data->crls[cnt]) { X509_CRL_free(data->crls[cnt]); data->crls[cnt] = NULL; } } ok = 1; bail_out: if (in) { BIO_free(in); } return ok; }
int ca_x509_verify_crl(struct conf **confs, X509 *peer_cert, const char *ssl_peer_cn) { int n; int i; int ret=-1; BIO *in=NULL; BIGNUM *bnser=NULL; X509_CRL *crl=NULL; X509_REVOKED *revoked; ASN1_INTEGER *serial=NULL; char *crl_path=NULL; const char *ca_name=get_string(confs[OPT_CA_NAME]); int crl_check=get_int(confs[OPT_CA_CRL_CHECK]); if(!crl_check || !ca_name || !*ca_name || !gca_dir) { ret=0; goto end; } if(!(crl_path=get_crl_path(ca_name))) goto end; if(!(in=BIO_new_file(crl_path, "r"))) { logp("CRL: cannot read: %s\n", crl_path); goto end; } if(!(crl=PEM_read_bio_X509_CRL(in, NULL, NULL, NULL))) { logp_ssl_err("CRL: cannot read CRL from file %s\n", crl_path); goto end; } if(X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert))) { logp_ssl_err("CRL: CRL %s is from a different issuer than the issuer of certificate %\ns", crl_path, ssl_peer_cn); goto end; } n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); for(i=0; i<n; i++) { revoked=(X509_REVOKED *) sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); if(!ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert))) { serial=X509_get_serialNumber(peer_cert); bnser=ASN1_INTEGER_to_BN(serial, NULL); logp_ssl_err("CRL check failed: %s (%s) is revoked\n", ssl_peer_cn, serial ? BN_bn2hex(bnser):"not available"); goto end; } } ret=0; end: if(in) BIO_free(in); if(crl) X509_CRL_free(crl); free_w(&crl_path); return ret; }
int crl2pkcs7_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; STACK_OF(OPENSSL_STRING) *certflst = NULL; STACK_OF(X509) *cert_stack = NULL; STACK_OF(X509_CRL) *crl_stack = NULL; X509_CRL *crl = NULL; char *infile = NULL, *outfile = NULL, *prog, *certfile; int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl = 0; OPTION_CHOICE o; prog = opt_init(argc, argv, crl2pkcs7_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: opthelp: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(crl2pkcs7_options); ret = 0; goto end; case OPT_INFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) goto opthelp; break; case OPT_OUTFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) goto opthelp; break; case OPT_IN: infile = opt_arg(); break; case OPT_OUT: outfile = opt_arg(); break; case OPT_NOCRL: nocrl = 1; break; case OPT_CERTFILE: if ((certflst == NULL) && (certflst = sk_OPENSSL_STRING_new_null()) == NULL) goto end; if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) { sk_OPENSSL_STRING_free(certflst); goto end; } break; } } argc = opt_num_rest(); argv = opt_rest(); if (!app_load_modules(NULL)) goto end; if (!nocrl) { in = bio_open_default(infile, RB(informat)); if (in == NULL) goto end; if (informat == FORMAT_ASN1) crl = d2i_X509_CRL_bio(in, NULL); else if (informat == FORMAT_PEM) crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); if (crl == NULL) { BIO_printf(bio_err, "unable to load CRL\n"); ERR_print_errors(bio_err); goto end; } } if ((p7 = PKCS7_new()) == NULL) goto end; if ((p7s = PKCS7_SIGNED_new()) == NULL) goto end; p7->type = OBJ_nid2obj(NID_pkcs7_signed); p7->d.sign = p7s; p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); if (!ASN1_INTEGER_set(p7s->version, 1)) goto end; if ((crl_stack = sk_X509_CRL_new_null()) == NULL) goto end; p7s->crl = crl_stack; if (crl != NULL) { sk_X509_CRL_push(crl_stack, crl); crl = NULL; /* now part of p7 for OPENSSL_freeing */ } if ((cert_stack = sk_X509_new_null()) == NULL) goto end; p7s->cert = cert_stack; if (certflst) for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack, certfile) < 0) { BIO_printf(bio_err, "error loading certificates\n"); ERR_print_errors(bio_err); goto end; } } sk_OPENSSL_STRING_free(certflst); out = bio_open_default(outfile, WB(outformat)); if (out == NULL) goto end; if (outformat == FORMAT_ASN1) i = i2d_PKCS7_bio(out, p7); else if (outformat == FORMAT_PEM) i = PEM_write_bio_PKCS7(out, p7); if (!i) { BIO_printf(bio_err, "unable to write pkcs7 object\n"); ERR_print_errors(bio_err); goto end; } ret = 0; end: BIO_free(in); BIO_free_all(out); PKCS7_free(p7); X509_CRL_free(crl); return (ret); }
int scep_config(scep_t *scep, char *configfile) { char *name; BIO *bio; long eline; /* open the configuration file */ scep->conf = CONF_load(NULL, (configfile) ? configfile : OPENSCEPDIR "/openscep.cnf", &eline); if (scep->conf == NULL) { BIO_printf(bio_err, "%s:%d: cannot read config file %s\n", __FILE__, __LINE__, configfile); goto err; } /* see whether the configuration knows something about debug */ name = CONF_get_string(scep->conf, "scepd", "debug"); if (name) { if (atoi(name) > 0) debug = atoi(name); if (debug) BIO_printf(bio_err, "%s:%d: conf sets debug to %d\n", __FILE__, __LINE__, debug); } /* scan the configuration for some common values */ scep->name = CONF_get_string(scep->conf, "scepd", "name"); if (debug) BIO_printf(bio_err, "%s:%d: name: %s\n", __FILE__, __LINE__, scep->name); /* get the ca certificate, private key and crl */ name = CONF_get_string(scep->conf, "scepd", "cacert"); name = (name) ? name : OPENSCEPDIR "/cacert.pem"; bio = BIO_new(BIO_s_file()); BIO_read_filename(bio, name); scep->cacert = PEM_read_bio_X509(bio, NULL, NULL, NULL); if (scep->cacert == NULL) { BIO_printf(bio_err, "%s:%d: cannot read CA " "certificate\n", __FILE__, __LINE__); goto err; } BIO_free(bio); if (debug) BIO_printf(bio_err, "%s:%d: CA certificate from %s read\n", __FILE__, __LINE__, name); name = CONF_get_string(scep->conf, "scepd", "cakey"); name = (name) ? name : OPENSCEPDIR "/cakey.pem"; bio = BIO_new(BIO_s_file()); BIO_read_filename(bio, name); scep->capkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); if (scep->capkey == NULL) { BIO_printf(bio_err, "%s:%d: cannot read private key\n", __FILE__, __LINE__); goto err; } BIO_free(bio); if (debug) BIO_printf(bio_err, "%s:%d: CA private key from %s read\n", __FILE__, __LINE__, name); name = CONF_get_string(scep->conf, "scepd", "crl"); name = (name) ? name : OPENSCEPDIR "/crl.pem"; bio = BIO_new(BIO_s_file()); BIO_read_filename(bio, name); scep->crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); if (scep->crl == NULL) { BIO_printf(bio_err, "%s:%d: cannot read CRL\n", __FILE__, __LINE__); goto err; } BIO_free(bio); if (debug) BIO_printf(bio_err, "%s:%d: CA CRL from %s read\n", __FILE__, __LINE__, name); /* set ldap parameters */ scep->l.ldaphost = CONF_get_string(scep->conf, "ldap", "ldaphost"); scep->l.ldapport = atoi(CONF_get_string(scep->conf, "ldap", "ldapport")); scep->l.ldapbase = CONF_get_string(scep->conf, "ldap", "ldapbase"); scep->l.binddn = CONF_get_string(scep->conf, "ldap", "binddn"); scep->l.bindpw = CONF_get_string(scep->conf, "ldap", "bindpw"); if (debug) BIO_printf(bio_err, "%s:%d: LDAP parameters ldap://%s:%d, " "base %s, bind as %s/%s\n", __FILE__, __LINE__, scep->l.ldaphost, scep->l.ldapport, (scep->l.ldapbase) ? scep->l.ldapbase : "(not set)", (scep->l.binddn) ? scep->l.binddn : "(not set)", (scep->l.bindpw) ? scep->l.bindpw : "(not set)"); /* configure automatic granting of requests */ name = CONF_get_string(scep->conf, "scepd", "automatic"); if (name != NULL) { if (strcasecmp(name, "true") == 0) { scep->automatic = 1; if (debug) BIO_printf(bio_err, "%s:%d: automatic mode " "enabled\n", __FILE__, __LINE__); } } /* check for transaction id checking against fingerprint */ name = CONF_get_string(scep->conf, "scepd", "checktransid"); if (name != NULL) { if ((strcasecmp(name, "false") == 0) || (strcasecmp(name, "no") == 0)) { scep->check_transid = 0; if (debug) BIO_printf(bio_err, "%s:%d: check of transid " "against fingerprint disabled\n", __FILE__, __LINE__); } } /* check for the proxy community string */ name = CONF_get_string(scep->conf, "scepd", "proxycommunity"); if (name != NULL) { scep->community = strdup(name); if (debug) BIO_printf(bio_err, "%s:%d: proxy community is '%s'\n", __FILE__, __LINE__, scep->community); } return 0; /* error return */ err: ERR_print_errors(bio_err); return -1; }
int addToCRL(char* pemSigningKey, char* pemOldCrl, char* pemRevokedCert, char* result) { int err = 0; BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1); if (!bioSigningKey) { return ERR_peek_error(); } BIO* bioRevCert = BIO_new_mem_buf(pemRevokedCert, -1); if (!bioRevCert) { BIO_free(bioSigningKey); return ERR_peek_error(); } BIO* bioOldCRL = BIO_new_mem_buf(pemOldCrl, -1); if (!bioOldCRL) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } X509* badCert = PEM_read_bio_X509(bioRevCert, NULL, NULL, NULL); if (!badCert) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL); if (!caKey) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return -18; } X509_CRL* crl = PEM_read_bio_X509_CRL(bioOldCRL, NULL, NULL, NULL); if (!crl) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } X509_REVOKED* revoked = X509_REVOKED_new(); X509_REVOKED_set_serialNumber(revoked, X509_get_serialNumber(badCert)); ASN1_TIME* tmptm = ASN1_TIME_new(); X509_gmtime_adj(tmptm, long(0)); X509_REVOKED_set_revocationDate(revoked, tmptm); //set the reason? Not yet. // ASN1_ENUMERATED* rtmp = ASN1_ENUMERATED_new(); // ASN1_ENUMERATED_set(rtmp, reasonCode); // goto err; // if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) // goto err; // } if(!(err = X509_CRL_add0_revoked(crl,revoked))) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return err; } X509_CRL_sort(crl); if(!(err=X509_CRL_sign(crl,caKey,EVP_sha1()))) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return err; } BIO *mem = BIO_new(BIO_s_mem()); PEM_write_bio_X509_CRL(mem,crl); BUF_MEM *bptr; BIO_get_mem_ptr(mem, &bptr); BIO_read(mem, result, bptr->length); BIO_free(bioRevCert); BIO_free(bioSigningKey); BIO_free(bioOldCRL); BIO_free(mem); return 0; }
Handle<PkiItem> Provider_System::objectToPKIItem(Handle<std::string> uri){ LOGGER_FN(); Handle<PkiItem> item; Handle<Bio> in = new Bio(BIO_TYPE_FILE, uri->c_str(), "rb"); try{ item = new PkiItem(); X509_REQ *xreq = NULL; X509 *xcert = NULL; X509_CRL *xcrl = NULL; Handle<Certificate> hcert = NULL; Handle<CRL> hcrl = NULL; std::string listCertStore[] = { "MY", "OTHERS", "TRUST", "CRL" }; std::string strTrust = (uri->substr(0, (uri->find_last_of(CROSSPLATFORM_SLASH)))); strTrust = strTrust.substr(strTrust.find_last_of(CROSSPLATFORM_SLASH) + 1, strTrust.length()); bool trueTrust = false; for (int i = 0, c = sizeof(listCertStore) / sizeof(*listCertStore); i < c; i++){ if (strcmp(listCertStore[i].c_str(), strTrust.c_str()) == 0){ trueTrust = true; break; } } if (!trueTrust){ THROW_EXCEPTION(0, Provider_System, NULL, "Category of object is uncorrect"); } int enc; if (itPrivateKey(uri, &enc)){ item->type = new std::string("KEY"); item->uri = uri; item->provider = new std::string("SYSTEM"); item->category = new std::string(strTrust); item->keyEncrypted = enc; item->format = new std::string("PEM"); Handle<std::string> keyHash = new std::string(uri->c_str()); const size_t last_slash_idx = keyHash->find_last_of(CROSSPLATFORM_SLASH); if (std::string::npos != last_slash_idx){ keyHash->erase(0, last_slash_idx + 1); } const size_t period_idx = keyHash->rfind('.'); if (std::string::npos != period_idx){ keyHash->erase(period_idx); } if (keyHash->length() == 40){ item->hash = keyHash; } else{ THROW_EXCEPTION(0, Provider_System, NULL, "Error length hash (need 40 for sha1). Hash is privatekey filename"); } return item; } in->seek(0); LOGGER_OPENSSL(PEM_read_bio_X509); xcert = PEM_read_bio_X509(in->internal(), NULL, NULL, NULL); if (xcert){ hcert = new Certificate(xcert); item->format = new std::string("PEM"); } else{ in->seek(0); LOGGER_OPENSSL(d2i_X509_bio); xcert = d2i_X509_bio(in->internal(), NULL); if (xcert){ hcert = new Certificate(xcert); item->format = new std::string("DER"); } } if (!hcert.isEmpty()){ item->type = new std::string("CERTIFICATE"); item->uri = uri; item->provider = new std::string("SYSTEM"); item->category = new std::string(strTrust); char * hexHash; Handle<std::string> hhash = hcert->getThumbprint(); PkiStore::bin_to_strhex((unsigned char *)hhash->c_str(), hhash->length(), &hexHash); item->hash = new std::string(hexHash); item->certSubjectName = hcert->getSubjectName(); item->certSubjectFriendlyName = hcert->getSubjectFriendlyName(); item->certIssuerName = hcert->getIssuerName(); item->certIssuerFriendlyName = hcert->getIssuerFriendlyName(); item->certSerial = hcert->getSerialNumber(); item->certOrganizationName = hcert->getOrganizationName(); item->certSignatureAlgorithm = hcert->getSignatureAlgorithm(); item->certNotBefore = hcert->getNotBefore(); item->certNotAfter = hcert->getNotAfter(); item->certKey = getKey(uri); return item; } in->seek(0); LOGGER_OPENSSL(PEM_read_bio_X509_REQ); xreq = PEM_read_bio_X509_REQ(in->internal(), NULL, NULL, NULL); if (xreq){ item->format = new std::string("PEM"); } else{ in->seek(0); LOGGER_OPENSSL(d2i_X509_REQ_bio); xreq = d2i_X509_REQ_bio(in->internal(), NULL); if (xreq){ item->format = new std::string("DER"); } } if (xreq){ item->type = new std::string("REQUEST"); item->uri = uri; item->provider = new std::string("SYSTEM"); item->category = new std::string(strTrust); /* SHA-1 hash */ unsigned char hash[EVP_MAX_MD_SIZE] = { 0 }; unsigned int hashlen = 0; LOGGER_OPENSSL(X509_digest); if (!X509_REQ_digest(xreq, EVP_sha1(), hash, &hashlen)) { THROW_OPENSSL_EXCEPTION(0, Provider_System, NULL, "X509_REQ_digest"); } Handle<std::string> hhash = new std::string((char *)hash, hashlen); char * hexHash; PkiStore::bin_to_strhex((unsigned char *)hhash->c_str(), hhash->length(), &hexHash); item->hash = new std::string(hexHash); /* Request subject name */ LOGGER_OPENSSL(X509_REQ_get_subject_name); X509_NAME *name = X509_REQ_get_subject_name(xreq); if (!name){ THROW_EXCEPTION(0, Provider_System, NULL, "X509_NAME is NULL"); } LOGGER_OPENSSL(X509_NAME_oneline_ex); std::string str_name = X509_NAME_oneline_ex(name); Handle<std::string> nameRes = new std::string(str_name.c_str(), str_name.length()); item->csrSubjectName = nameRes; /* Request subject friendly name */ Handle<std::string> friendlyName = new std::string(""); int nid = NID_commonName; LOGGER_OPENSSL(X509_NAME_get_index_by_NID); int index = X509_NAME_get_index_by_NID(name, nid, -1); if (index >= 0) { LOGGER_OPENSSL(X509_NAME_get_entry); X509_NAME_ENTRY *issuerNameCommonName = X509_NAME_get_entry(name, index); if (issuerNameCommonName) { LOGGER_OPENSSL(X509_NAME_ENTRY_get_data); ASN1_STRING *issuerCNASN1 = X509_NAME_ENTRY_get_data(issuerNameCommonName); if (issuerCNASN1 != NULL) { unsigned char *utf = NULL; LOGGER_OPENSSL(ASN1_STRING_to_UTF8); ASN1_STRING_to_UTF8(&utf, issuerCNASN1); friendlyName = new std::string((char *)utf); OPENSSL_free(utf); } } } else { friendlyName = new std::string("No common name"); } item->csrSubjectFriendlyName = friendlyName; item->csrKey = getKey(uri); return item; } in->seek(0); LOGGER_OPENSSL(PEM_read_bio_X509_CRL); xcrl = PEM_read_bio_X509_CRL(in->internal(), NULL, NULL, NULL); if (xcrl){ hcrl = new CRL(xcrl); item->format = new std::string("PEM"); } else{ in->seek(0); LOGGER_OPENSSL(d2i_X509_CRL_bio); xcrl = d2i_X509_CRL_bio(in->internal(), NULL); if (xcrl){ hcrl = new CRL(xcrl); item->format = new std::string("DER"); } } if (!hcrl.isEmpty()){ item->type = new std::string("CRL"); item->uri = uri; item->provider = new std::string("SYSTEM"); item->category = new std::string(strTrust); char * hexHash; Handle<std::string> hhash = hcrl->getThumbprint(); PkiStore::bin_to_strhex((unsigned char *)hhash->c_str(), hhash->length(), &hexHash); item->hash = new std::string(hexHash); item->crlIssuerName = hcrl->issuerName(); item->crlIssuerFriendlyName = hcrl->issuerFriendlyName(); item->crlLastUpdate = hcrl->getThisUpdate(); item->crlNextUpdate = hcrl->getNextUpdate(); return item; } } catch (Handle<Exception> e){ THROW_EXCEPTION(0, Provider_System, e, "Object type not supported"); } if (item->type->length() == 0){ return NULL; } }
extern "C" X509_CRL* CryptoNative_PemReadBioX509Crl(BIO* bio) { return PEM_read_bio_X509_CRL(bio, nullptr, nullptr, nullptr); }