static LUA_FUNCTION(openssl_crl_read)
{
BIO * in = load_bio_object(L, 1);
int fmt = luaL_checkoption(L, 2, "auto", format);
X509_CRL *crl = NULL;
if (fmt == FORMAT_AUTO)
{
fmt = bio_is_der(in) ? FORMAT_DER : FORMAT_PEM;
}
if (fmt == FORMAT_PEM)
{
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
BIO_reset(in);
}
else if (fmt == FORMAT_DER)
{
crl = d2i_X509_CRL_bio(in, NULL);
BIO_reset(in);
}
BIO_free(in);
if (crl)
{
PUSH_OBJECT(crl, "openssl.x509_crl");
return 1;
}
return openssl_pushresult(L, 0);
}
static VALUE
ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
{
BIO *in;
X509_CRL *crl = rb_rdata_fetch(self);
X509_CRL *x = crl;
VALUE arg;
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
rb_rdata_store(self, x);
if (!crl) {
OSSL_BIO_reset(in);
crl = d2i_X509_CRL_bio(in, &x);
rb_rdata_store(self, x);
}
BIO_free(in);
if (!crl) ossl_raise(eX509CRLError, NULL);
return self;
}
static LUA_FUNCTION(openssl_crl_read)
{
BIO * in = load_bio_object(L, 1);
int fmt = luaL_checkoption(L, 2, "auto", format);
X509_CRL *crl = NULL;
if (fmt == FORMAT_AUTO || fmt == FORMAT_PEM)
{
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
BIO_reset(in);
}
if ((fmt == FORMAT_AUTO && crl == NULL) || fmt == FORMAT_DER)
{
crl = d2i_X509_CRL_bio(in, NULL);
BIO_reset(in);
}
BIO_free(in);
if (crl)
{
PUSH_OBJECT(crl, "openssl.x509_crl");
return 1;
}
return 0;
}
int
X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
{
int ret = 0;
BIO *in = NULL;
int i, count = 0;
X509_CRL *x = NULL;
if (file == NULL)
return (1);
in = BIO_new(BIO_s_file_internal());
if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {
X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_SYS_LIB);
goto err;
}
if (type == X509_FILETYPE_PEM) {
for (;;) {
x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
if (x == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
ERR_clear_error();
break;
} else {
X509err(X509_F_X509_LOAD_CRL_FILE,
ERR_R_PEM_LIB);
goto err;
}
}
i = X509_STORE_add_crl(ctx->store_ctx, x);
if (!i)
goto err;
count++;
X509_CRL_free(x);
x = NULL;
}
ret = count;
} else if (type == X509_FILETYPE_ASN1) {
x = d2i_X509_CRL_bio(in, NULL);
if (x == NULL) {
X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_ASN1_LIB);
goto err;
}
i = X509_STORE_add_crl(ctx->store_ctx, x);
if (!i)
goto err;
ret = i;
} else {
X509err(X509_F_X509_LOAD_CRL_FILE, X509_R_BAD_X509_FILETYPE);
goto err;
}
err:
if (x != NULL)
X509_CRL_free(x);
if (in != NULL)
BIO_free(in);
return (ret);
}
static int
tls_sc_add_crl(lua_State *L) {
tls_sc_t *ctx = getSC(L);
X509_CRL *x509;
BIO *bio;
bio = _lua_load_bio(L, -1);
if (!bio) {
lua_pushboolean(L, 0);
return 1;
}
x509 = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
if (x509 == NULL) {
BIO_free(bio);
lua_pushboolean(L, 0);
return 1;
}
X509_STORE_add_crl(ctx->ca_store, x509);
X509_STORE_set_flags(ctx->ca_store,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
BIO_free(bio);
X509_CRL_free(x509);
lua_pushboolean(L, 1);
return 1;
}
void pki_crl::fromPEM_BIO(BIO *bio, QString name)
{
X509_CRL*_crl;
_crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
openssl_error(name);
X509_CRL_free(crl);
crl = _crl;
setIntName(rmslashdot(name));
}
/*
* Create a CRL from an array of strings.
*/
static X509_CRL *CRL_from_strings(const char **pem)
{
char *p;
BIO *b = glue2bio(pem, &p);
X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL);
OPENSSL_free(p);
BIO_free(b);
return crl;
}
static
DWORD
VMCAPEMToX509Crl(
PSTR pCrl,
X509_CRL** ppX509Crl
)
{
DWORD dwError = 0;
BIO* pBioMem = NULL;
X509_CRL *pX509Crl = NULL;
if (!pCrl || !ppX509Crl)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
pBioMem = BIO_new_mem_buf((PVOID) pCrl, -1);
if ( pBioMem == NULL)
{
dwError = ERROR_OUTOFMEMORY;
BAIL_ON_ERROR(dwError);
}
pX509Crl = PEM_read_bio_X509_CRL(pBioMem, NULL, NULL, NULL);
if (pX509Crl == NULL)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
*ppX509Crl = pX509Crl;
cleanup :
if (pBioMem)
{
BIO_free(pBioMem);
}
return dwError;
error :
*ppX509Crl = NULL;
if (pX509Crl != NULL)
{
X509_CRL_free(pX509Crl);
}
goto cleanup;
}
void parse_pem(const std::string& crl_txt)
{
BIO *bio = BIO_new_mem_buf(const_cast<char *>(crl_txt.c_str()), crl_txt.length());
if (!bio)
throw OpenSSLException();
X509_CRL *crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
BIO_free(bio);
if (!crl)
throw OpenSSLException("CRL::parse_pem");
erase();
crl_ = crl;
}
void Crl::Load()
{
if(!download.Get(url.c_str(), path.c_str()))
{
pf_log[W_INFO] << "CRL download failed";
throw DownloadFailed();
}
pf_log[W_INFO] << "Loading CRL file : \"" << path << "\".";
if(crl)
{
X509_CRL_free(crl);
crl = NULL;
}
// TODO: simplify-me with openssl's BIO
FILE* f = fopen(path.c_str(), "r");
if(!f)
throw BadCRL(std::string(strerror(errno)));
if(fseek(f, 0, SEEK_END))
throw BadCRL(std::string(strerror(errno)));
size_t file_size = ftell(f);
rewind(f);
char buf[file_size];
if(fread(buf, file_size, 1, f) <= 0)
{
fclose(f);
throw BadCRL(std::string(strerror(errno)));
}
if(file_size > INT_MAX)
throw BadCRL(std::string("File is too big"));
BIO* raw_crl = BIO_new_mem_buf(buf, (int)file_size);
crl = PEM_read_bio_X509_CRL(raw_crl, NULL, NULL, NULL);
BIO_free(raw_crl);
if(!crl)
{
std::string str = std::string(ERR_error_string( ERR_get_error(), NULL));
throw BadCRL(str);
}
char* str = X509_NAME_oneline (X509_CRL_get_issuer (crl), 0, 0);
pf_log[W_INFO] << "CRL issued by: " << str;
}
static X509_CRL * load_crl(char * ca_name)
{
FILE * fp ;
BIO * in ;
X509_CRL * crl ;
char filename[FIELD_SZ+5];
sprintf(filename, "%s.crl", ca_name);
in = BIO_new(BIO_s_file());
if ((fp=fopen(filename, "rb"))==NULL) {
BIO_free(in);
return NULL ;
}
BIO_set_fp(in, fp, BIO_NOCLOSE);
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
fclose(fp);
BIO_free(in);
return crl ;
}
static X509_CRL *load_crl(char *infile, int format)
{
X509_CRL *x=NULL;
BIO *in=NULL;
in=BIO_new(BIO_s_file());
if (in == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
goto end;
}
}
if (format == FORMAT_ASN1)
x=d2i_X509_CRL_bio(in,NULL);
else if (format == FORMAT_PEM)
x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input crl\n");
goto end;
}
if (x == NULL)
{
BIO_printf(bio_err,"unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
end:
BIO_free(in);
return(x);
}
Handle<CRL> Provider_System::getCRLFromURI(Handle<std::string> uri, Handle<std::string> format){
LOGGER_FN();
try{
BIO *bioFile = NULL;
X509_CRL *hcrl = NULL;
LOGGER_OPENSSL(BIO_new);
bioFile = BIO_new(BIO_s_file());
LOGGER_OPENSSL(BIO_read_filename);
if (BIO_read_filename(bioFile, uri->c_str()) > 0){
LOGGER_OPENSSL(BIO_seek);
BIO_seek(bioFile, 0);
if (strcmp(format->c_str(), "PEM") == 0){
LOGGER_OPENSSL(PEM_read_bio_X509_CRL);
hcrl = PEM_read_bio_X509_CRL(bioFile, NULL, NULL, NULL);
}
else if (strcmp(format->c_str(), "DER") == 0){
LOGGER_OPENSSL(d2i_X509_CRL_bio);
hcrl = d2i_X509_CRL_bio(bioFile, NULL);
}
else{
THROW_EXCEPTION(0, Provider_System, NULL, "Unsupported format. Only PEM | DER");
}
}
LOGGER_OPENSSL(BIO_free);
BIO_free(bioFile);
if (!hcrl){
THROW_EXCEPTION(0, Provider_System, NULL, "Unable decode CRL from PEM/DE");
}
else{
return new CRL(hcrl);
}
}
catch (Handle<Exception> e){
THROW_EXCEPTION(0, Provider_System, e, "getCRLFromURI");
}
}
static VALUE
ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
{
BIO *in;
X509_CRL *crl;
VALUE arg;
if (rb_scan_args(argc, argv, "01", &arg) == 0) {
return self;
}
arg = ossl_to_der_if_possible(arg);
in = ossl_obj2bio(arg);
crl = PEM_read_bio_X509_CRL(in, (X509_CRL **)&DATA_PTR(self), NULL, NULL);
if (!crl) {
BIO_reset(in);
crl = d2i_X509_CRL_bio(in, (X509_CRL **)&DATA_PTR(self));
}
BIO_free(in);
if (!crl) ossl_raise(eX509CRLError, NULL);
return self;
}
int MAIN(int argc, char **argv)
{
int i, badops = 0;
BIO *in = NULL, *out = NULL;
int informat, outformat;
char *infile, *outfile, *prog, *certfile;
PKCS7 *p7 = NULL;
PKCS7_SIGNED *p7s = NULL;
X509_CRL *crl = NULL;
STACK_OF(OPENSSL_STRING) *certflst = NULL;
STACK_OF(X509_CRL) *crl_stack = NULL;
STACK_OF(X509) *cert_stack = NULL;
int ret = 1, nocrl = 0;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
infile = NULL;
outfile = NULL;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-nocrl") == 0) {
nocrl = 1;
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-certfile") == 0) {
if (--argc < 1)
goto bad;
if (!certflst)
certflst = sk_OPENSSL_STRING_new_null();
if (!certflst)
goto end;
if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
sk_OPENSSL_STRING_free(certflst);
goto end;
}
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err, " -out arg output file\n");
BIO_printf(bio_err,
" -certfile arg certificates file of chain to a trusted CA\n");
BIO_printf(bio_err, " (can be used more than once)\n");
BIO_printf(bio_err,
" -nocrl no crl to load, just certs from '-certfile'\n");
ret = 1;
goto end;
}
ERR_load_crypto_strings();
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (!nocrl) {
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (informat == FORMAT_ASN1)
crl = d2i_X509_CRL_bio(in, NULL);
else if (informat == FORMAT_PEM)
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
else {
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
if (crl == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
}
if ((p7 = PKCS7_new()) == NULL)
goto end;
if ((p7s = PKCS7_SIGNED_new()) == NULL)
goto end;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
p7->d.sign = p7s;
p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
if (!ASN1_INTEGER_set(p7s->version, 1))
goto end;
if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
goto end;
p7s->crl = crl_stack;
if (crl != NULL) {
sk_X509_CRL_push(crl_stack, crl);
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if ((cert_stack = sk_X509_new_null()) == NULL)
goto end;
p7s->cert = cert_stack;
if (certflst)
for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
certfile = sk_OPENSSL_STRING_value(certflst, i);
if (add_certs_from_file(cert_stack, certfile) < 0) {
BIO_printf(bio_err, "error loading certificates\n");
ERR_print_errors(bio_err);
goto end;
}
}
sk_OPENSSL_STRING_free(certflst);
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (outformat == FORMAT_ASN1)
i = i2d_PKCS7_bio(out, p7);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_PKCS7(out, p7);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write pkcs7 object\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (p7 != NULL)
PKCS7_free(p7);
if (crl != NULL)
X509_CRL_free(crl);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/*
* Load the new content from a Certificate Revocation List (CRL).
*/
static int crl_reloader_reload_file(X509_LOOKUP *ctx)
{
int cnt, ok = 0;
struct stat st;
BIO *in = NULL;
TLS_CRL_Reload_Context *data;
data = (TLS_CRL_Reload_Context *)ctx->method_data;
if (!data->crl_file_name) {
goto bail_out;
}
if (stat(data->crl_file_name, &st) != 0) {
goto bail_out;
}
in = BIO_new_file(data->crl_file_name, "r");
if (!in) {
goto bail_out;
}
/*
* Load a maximum of MAX_CRLS Certificate Revocation Lists.
*/
data->mtime = st.st_mtime;
for (cnt = 0; cnt < MAX_CRLS; cnt++) {
X509_CRL *crl;
if ((crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL)) == NULL) {
if (cnt == 0) {
/*
* We try to read multiple times only the first is fatal.
*/
goto bail_out;
} else {
break;
}
}
if (data->crls[cnt]) {
X509_CRL_free(data->crls[cnt]);
}
data->crls[cnt] = crl;
}
/*
* Clear the other slots.
*/
while (++cnt < MAX_CRLS) {
if (data->crls[cnt]) {
X509_CRL_free(data->crls[cnt]);
data->crls[cnt] = NULL;
}
}
ok = 1;
bail_out:
if (in) {
BIO_free(in);
}
return ok;
}
int ca_x509_verify_crl(struct conf **confs,
X509 *peer_cert, const char *ssl_peer_cn)
{
int n;
int i;
int ret=-1;
BIO *in=NULL;
BIGNUM *bnser=NULL;
X509_CRL *crl=NULL;
X509_REVOKED *revoked;
ASN1_INTEGER *serial=NULL;
char *crl_path=NULL;
const char *ca_name=get_string(confs[OPT_CA_NAME]);
int crl_check=get_int(confs[OPT_CA_CRL_CHECK]);
if(!crl_check
|| !ca_name || !*ca_name
|| !gca_dir)
{
ret=0;
goto end;
}
if(!(crl_path=get_crl_path(ca_name)))
goto end;
if(!(in=BIO_new_file(crl_path, "r")))
{
logp("CRL: cannot read: %s\n", crl_path);
goto end;
}
if(!(crl=PEM_read_bio_X509_CRL(in, NULL, NULL, NULL)))
{
logp_ssl_err("CRL: cannot read CRL from file %s\n", crl_path);
goto end;
}
if(X509_NAME_cmp(X509_CRL_get_issuer(crl),
X509_get_issuer_name(peer_cert)))
{
logp_ssl_err("CRL: CRL %s is from a different issuer than the issuer of certificate %\ns", crl_path, ssl_peer_cn);
goto end;
}
n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
for(i=0; i<n; i++)
{
revoked=(X509_REVOKED *)
sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
if(!ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)))
{
serial=X509_get_serialNumber(peer_cert);
bnser=ASN1_INTEGER_to_BN(serial, NULL);
logp_ssl_err("CRL check failed: %s (%s) is revoked\n",
ssl_peer_cn,
serial ? BN_bn2hex(bnser):"not available");
goto end;
}
}
ret=0;
end:
if(in) BIO_free(in);
if(crl) X509_CRL_free(crl);
free_w(&crl_path);
return ret;
}
int crl2pkcs7_main(int argc, char **argv)
{
BIO *in = NULL, *out = NULL;
PKCS7 *p7 = NULL;
PKCS7_SIGNED *p7s = NULL;
STACK_OF(OPENSSL_STRING) *certflst = NULL;
STACK_OF(X509) *cert_stack = NULL;
STACK_OF(X509_CRL) *crl_stack = NULL;
X509_CRL *crl = NULL;
char *infile = NULL, *outfile = NULL, *prog, *certfile;
int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
0;
OPTION_CHOICE o;
prog = opt_init(argc, argv, crl2pkcs7_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(crl2pkcs7_options);
ret = 0;
goto end;
case OPT_INFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
goto opthelp;
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_NOCRL:
nocrl = 1;
break;
case OPT_CERTFILE:
if ((certflst == NULL)
&& (certflst = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
sk_OPENSSL_STRING_free(certflst);
goto end;
}
break;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (!app_load_modules(NULL))
goto end;
if (!nocrl) {
in = bio_open_default(infile, RB(informat));
if (in == NULL)
goto end;
if (informat == FORMAT_ASN1)
crl = d2i_X509_CRL_bio(in, NULL);
else if (informat == FORMAT_PEM)
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
if (crl == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
}
if ((p7 = PKCS7_new()) == NULL)
goto end;
if ((p7s = PKCS7_SIGNED_new()) == NULL)
goto end;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
p7->d.sign = p7s;
p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
if (!ASN1_INTEGER_set(p7s->version, 1))
goto end;
if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
goto end;
p7s->crl = crl_stack;
if (crl != NULL) {
sk_X509_CRL_push(crl_stack, crl);
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if ((cert_stack = sk_X509_new_null()) == NULL)
goto end;
p7s->cert = cert_stack;
if (certflst)
for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
certfile = sk_OPENSSL_STRING_value(certflst, i);
if (add_certs_from_file(cert_stack, certfile) < 0) {
BIO_printf(bio_err, "error loading certificates\n");
ERR_print_errors(bio_err);
goto end;
}
}
sk_OPENSSL_STRING_free(certflst);
out = bio_open_default(outfile, WB(outformat));
if (out == NULL)
goto end;
if (outformat == FORMAT_ASN1)
i = i2d_PKCS7_bio(out, p7);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_PKCS7(out, p7);
if (!i) {
BIO_printf(bio_err, "unable to write pkcs7 object\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
BIO_free(in);
BIO_free_all(out);
PKCS7_free(p7);
X509_CRL_free(crl);
return (ret);
}
int scep_config(scep_t *scep, char *configfile) {
char *name;
BIO *bio;
long eline;
/* open the configuration file */
scep->conf = CONF_load(NULL, (configfile) ? configfile
: OPENSCEPDIR "/openscep.cnf", &eline);
if (scep->conf == NULL) {
BIO_printf(bio_err, "%s:%d: cannot read config file %s\n",
__FILE__, __LINE__, configfile);
goto err;
}
/* see whether the configuration knows something about debug */
name = CONF_get_string(scep->conf, "scepd", "debug");
if (name) {
if (atoi(name) > 0)
debug = atoi(name);
if (debug)
BIO_printf(bio_err, "%s:%d: conf sets debug to %d\n",
__FILE__, __LINE__, debug);
}
/* scan the configuration for some common values */
scep->name = CONF_get_string(scep->conf, "scepd", "name");
if (debug)
BIO_printf(bio_err, "%s:%d: name: %s\n", __FILE__, __LINE__,
scep->name);
/* get the ca certificate, private key and crl */
name = CONF_get_string(scep->conf, "scepd", "cacert");
name = (name) ? name : OPENSCEPDIR "/cacert.pem";
bio = BIO_new(BIO_s_file());
BIO_read_filename(bio, name);
scep->cacert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (scep->cacert == NULL) {
BIO_printf(bio_err, "%s:%d: cannot read CA "
"certificate\n", __FILE__, __LINE__);
goto err;
}
BIO_free(bio);
if (debug)
BIO_printf(bio_err, "%s:%d: CA certificate from %s read\n",
__FILE__, __LINE__, name);
name = CONF_get_string(scep->conf, "scepd", "cakey");
name = (name) ? name : OPENSCEPDIR "/cakey.pem";
bio = BIO_new(BIO_s_file());
BIO_read_filename(bio, name);
scep->capkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
if (scep->capkey == NULL) {
BIO_printf(bio_err, "%s:%d: cannot read private key\n",
__FILE__, __LINE__);
goto err;
}
BIO_free(bio);
if (debug)
BIO_printf(bio_err, "%s:%d: CA private key from %s read\n",
__FILE__, __LINE__, name);
name = CONF_get_string(scep->conf, "scepd", "crl");
name = (name) ? name : OPENSCEPDIR "/crl.pem";
bio = BIO_new(BIO_s_file());
BIO_read_filename(bio, name);
scep->crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
if (scep->crl == NULL) {
BIO_printf(bio_err, "%s:%d: cannot read CRL\n",
__FILE__, __LINE__);
goto err;
}
BIO_free(bio);
if (debug)
BIO_printf(bio_err, "%s:%d: CA CRL from %s read\n",
__FILE__, __LINE__, name);
/* set ldap parameters */
scep->l.ldaphost = CONF_get_string(scep->conf, "ldap", "ldaphost");
scep->l.ldapport = atoi(CONF_get_string(scep->conf, "ldap", "ldapport"));
scep->l.ldapbase = CONF_get_string(scep->conf, "ldap", "ldapbase");
scep->l.binddn = CONF_get_string(scep->conf, "ldap", "binddn");
scep->l.bindpw = CONF_get_string(scep->conf, "ldap", "bindpw");
if (debug)
BIO_printf(bio_err, "%s:%d: LDAP parameters ldap://%s:%d, "
"base %s, bind as %s/%s\n", __FILE__, __LINE__,
scep->l.ldaphost, scep->l.ldapport,
(scep->l.ldapbase) ? scep->l.ldapbase : "(not set)",
(scep->l.binddn) ? scep->l.binddn : "(not set)",
(scep->l.bindpw) ? scep->l.bindpw : "(not set)");
/* configure automatic granting of requests */
name = CONF_get_string(scep->conf, "scepd", "automatic");
if (name != NULL) {
if (strcasecmp(name, "true") == 0) {
scep->automatic = 1;
if (debug)
BIO_printf(bio_err, "%s:%d: automatic mode "
"enabled\n", __FILE__, __LINE__);
}
}
/* check for transaction id checking against fingerprint */
name = CONF_get_string(scep->conf, "scepd", "checktransid");
if (name != NULL) {
if ((strcasecmp(name, "false") == 0) ||
(strcasecmp(name, "no") == 0)) {
scep->check_transid = 0;
if (debug)
BIO_printf(bio_err, "%s:%d: check of transid "
"against fingerprint disabled\n",
__FILE__, __LINE__);
}
}
/* check for the proxy community string */
name = CONF_get_string(scep->conf, "scepd", "proxycommunity");
if (name != NULL) {
scep->community = strdup(name);
if (debug)
BIO_printf(bio_err, "%s:%d: proxy community is '%s'\n",
__FILE__, __LINE__, scep->community);
}
return 0;
/* error return */
err:
ERR_print_errors(bio_err);
return -1;
}
int addToCRL(char* pemSigningKey, char* pemOldCrl, char* pemRevokedCert, char* result) {
int err = 0;
BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1);
if (!bioSigningKey) {
return ERR_peek_error();
}
BIO* bioRevCert = BIO_new_mem_buf(pemRevokedCert, -1);
if (!bioRevCert) {
BIO_free(bioSigningKey);
return ERR_peek_error();
}
BIO* bioOldCRL = BIO_new_mem_buf(pemOldCrl, -1);
if (!bioOldCRL) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return ERR_peek_error();
}
X509* badCert = PEM_read_bio_X509(bioRevCert, NULL, NULL, NULL);
if (!badCert) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return ERR_peek_error();
}
EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL);
if (!caKey) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return -18;
}
X509_CRL* crl = PEM_read_bio_X509_CRL(bioOldCRL, NULL, NULL, NULL);
if (!crl) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return ERR_peek_error();
}
X509_REVOKED* revoked = X509_REVOKED_new();
X509_REVOKED_set_serialNumber(revoked, X509_get_serialNumber(badCert));
ASN1_TIME* tmptm = ASN1_TIME_new();
X509_gmtime_adj(tmptm, long(0));
X509_REVOKED_set_revocationDate(revoked, tmptm);
//set the reason? Not yet.
// ASN1_ENUMERATED* rtmp = ASN1_ENUMERATED_new();
// ASN1_ENUMERATED_set(rtmp, reasonCode);
// goto err;
// if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
// goto err;
// }
if(!(err = X509_CRL_add0_revoked(crl,revoked))) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return err;
}
X509_CRL_sort(crl);
if(!(err=X509_CRL_sign(crl,caKey,EVP_sha1()))) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return err;
}
BIO *mem = BIO_new(BIO_s_mem());
PEM_write_bio_X509_CRL(mem,crl);
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(bioRevCert);
BIO_free(bioSigningKey);
BIO_free(bioOldCRL);
BIO_free(mem);
return 0;
}
Handle<PkiItem> Provider_System::objectToPKIItem(Handle<std::string> uri){
LOGGER_FN();
Handle<PkiItem> item;
Handle<Bio> in = new Bio(BIO_TYPE_FILE, uri->c_str(), "rb");
try{
item = new PkiItem();
X509_REQ *xreq = NULL;
X509 *xcert = NULL;
X509_CRL *xcrl = NULL;
Handle<Certificate> hcert = NULL;
Handle<CRL> hcrl = NULL;
std::string listCertStore[] = {
"MY",
"OTHERS",
"TRUST",
"CRL"
};
std::string strTrust = (uri->substr(0, (uri->find_last_of(CROSSPLATFORM_SLASH))));
strTrust = strTrust.substr(strTrust.find_last_of(CROSSPLATFORM_SLASH) + 1, strTrust.length());
bool trueTrust = false;
for (int i = 0, c = sizeof(listCertStore) / sizeof(*listCertStore); i < c; i++){
if (strcmp(listCertStore[i].c_str(), strTrust.c_str()) == 0){
trueTrust = true;
break;
}
}
if (!trueTrust){
THROW_EXCEPTION(0, Provider_System, NULL, "Category of object is uncorrect");
}
int enc;
if (itPrivateKey(uri, &enc)){
item->type = new std::string("KEY");
item->uri = uri;
item->provider = new std::string("SYSTEM");
item->category = new std::string(strTrust);
item->keyEncrypted = enc;
item->format = new std::string("PEM");
Handle<std::string> keyHash = new std::string(uri->c_str());
const size_t last_slash_idx = keyHash->find_last_of(CROSSPLATFORM_SLASH);
if (std::string::npos != last_slash_idx){
keyHash->erase(0, last_slash_idx + 1);
}
const size_t period_idx = keyHash->rfind('.');
if (std::string::npos != period_idx){
keyHash->erase(period_idx);
}
if (keyHash->length() == 40){
item->hash = keyHash;
}
else{
THROW_EXCEPTION(0, Provider_System, NULL, "Error length hash (need 40 for sha1). Hash is privatekey filename");
}
return item;
}
in->seek(0);
LOGGER_OPENSSL(PEM_read_bio_X509);
xcert = PEM_read_bio_X509(in->internal(), NULL, NULL, NULL);
if (xcert){
hcert = new Certificate(xcert);
item->format = new std::string("PEM");
}
else{
in->seek(0);
LOGGER_OPENSSL(d2i_X509_bio);
xcert = d2i_X509_bio(in->internal(), NULL);
if (xcert){
hcert = new Certificate(xcert);
item->format = new std::string("DER");
}
}
if (!hcert.isEmpty()){
item->type = new std::string("CERTIFICATE");
item->uri = uri;
item->provider = new std::string("SYSTEM");
item->category = new std::string(strTrust);
char * hexHash;
Handle<std::string> hhash = hcert->getThumbprint();
PkiStore::bin_to_strhex((unsigned char *)hhash->c_str(), hhash->length(), &hexHash);
item->hash = new std::string(hexHash);
item->certSubjectName = hcert->getSubjectName();
item->certSubjectFriendlyName = hcert->getSubjectFriendlyName();
item->certIssuerName = hcert->getIssuerName();
item->certIssuerFriendlyName = hcert->getIssuerFriendlyName();
item->certSerial = hcert->getSerialNumber();
item->certOrganizationName = hcert->getOrganizationName();
item->certSignatureAlgorithm = hcert->getSignatureAlgorithm();
item->certNotBefore = hcert->getNotBefore();
item->certNotAfter = hcert->getNotAfter();
item->certKey = getKey(uri);
return item;
}
in->seek(0);
LOGGER_OPENSSL(PEM_read_bio_X509_REQ);
xreq = PEM_read_bio_X509_REQ(in->internal(), NULL, NULL, NULL);
if (xreq){
item->format = new std::string("PEM");
}
else{
in->seek(0);
LOGGER_OPENSSL(d2i_X509_REQ_bio);
xreq = d2i_X509_REQ_bio(in->internal(), NULL);
if (xreq){
item->format = new std::string("DER");
}
}
if (xreq){
item->type = new std::string("REQUEST");
item->uri = uri;
item->provider = new std::string("SYSTEM");
item->category = new std::string(strTrust);
/* SHA-1 hash */
unsigned char hash[EVP_MAX_MD_SIZE] = { 0 };
unsigned int hashlen = 0;
LOGGER_OPENSSL(X509_digest);
if (!X509_REQ_digest(xreq, EVP_sha1(), hash, &hashlen)) {
THROW_OPENSSL_EXCEPTION(0, Provider_System, NULL, "X509_REQ_digest");
}
Handle<std::string> hhash = new std::string((char *)hash, hashlen);
char * hexHash;
PkiStore::bin_to_strhex((unsigned char *)hhash->c_str(), hhash->length(), &hexHash);
item->hash = new std::string(hexHash);
/* Request subject name */
LOGGER_OPENSSL(X509_REQ_get_subject_name);
X509_NAME *name = X509_REQ_get_subject_name(xreq);
if (!name){
THROW_EXCEPTION(0, Provider_System, NULL, "X509_NAME is NULL");
}
LOGGER_OPENSSL(X509_NAME_oneline_ex);
std::string str_name = X509_NAME_oneline_ex(name);
Handle<std::string> nameRes = new std::string(str_name.c_str(), str_name.length());
item->csrSubjectName = nameRes;
/* Request subject friendly name */
Handle<std::string> friendlyName = new std::string("");
int nid = NID_commonName;
LOGGER_OPENSSL(X509_NAME_get_index_by_NID);
int index = X509_NAME_get_index_by_NID(name, nid, -1);
if (index >= 0) {
LOGGER_OPENSSL(X509_NAME_get_entry);
X509_NAME_ENTRY *issuerNameCommonName = X509_NAME_get_entry(name, index);
if (issuerNameCommonName) {
LOGGER_OPENSSL(X509_NAME_ENTRY_get_data);
ASN1_STRING *issuerCNASN1 = X509_NAME_ENTRY_get_data(issuerNameCommonName);
if (issuerCNASN1 != NULL) {
unsigned char *utf = NULL;
LOGGER_OPENSSL(ASN1_STRING_to_UTF8);
ASN1_STRING_to_UTF8(&utf, issuerCNASN1);
friendlyName = new std::string((char *)utf);
OPENSSL_free(utf);
}
}
}
else {
friendlyName = new std::string("No common name");
}
item->csrSubjectFriendlyName = friendlyName;
item->csrKey = getKey(uri);
return item;
}
in->seek(0);
LOGGER_OPENSSL(PEM_read_bio_X509_CRL);
xcrl = PEM_read_bio_X509_CRL(in->internal(), NULL, NULL, NULL);
if (xcrl){
hcrl = new CRL(xcrl);
item->format = new std::string("PEM");
}
else{
in->seek(0);
LOGGER_OPENSSL(d2i_X509_CRL_bio);
xcrl = d2i_X509_CRL_bio(in->internal(), NULL);
if (xcrl){
hcrl = new CRL(xcrl);
item->format = new std::string("DER");
}
}
if (!hcrl.isEmpty()){
item->type = new std::string("CRL");
item->uri = uri;
item->provider = new std::string("SYSTEM");
item->category = new std::string(strTrust);
char * hexHash;
Handle<std::string> hhash = hcrl->getThumbprint();
PkiStore::bin_to_strhex((unsigned char *)hhash->c_str(), hhash->length(), &hexHash);
item->hash = new std::string(hexHash);
item->crlIssuerName = hcrl->issuerName();
item->crlIssuerFriendlyName = hcrl->issuerFriendlyName();
item->crlLastUpdate = hcrl->getThisUpdate();
item->crlNextUpdate = hcrl->getNextUpdate();
return item;
}
}
catch (Handle<Exception> e){
THROW_EXCEPTION(0, Provider_System, e, "Object type not supported");
}
if (item->type->length() == 0){
return NULL;
}
}
extern "C" X509_CRL* CryptoNative_PemReadBioX509Crl(BIO* bio)
{
return PEM_read_bio_X509_CRL(bio, nullptr, nullptr, nullptr);
}
