bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){
LOGGER_FN();
try{
LOGGER_OPENSSL(X509_STORE_CTX_new);
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
if (!ctx) {
THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx");
}
LOGGER_OPENSSL(X509_STORE_new);
X509_STORE *st = X509_STORE_new();
if (!st) {
THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store");
}
for (int i = 0, c = chain->length(); i < c; i++){
LOGGER_OPENSSL(X509_STORE_add_cert);
X509_STORE_add_cert(st, X509_dup(chain->items(i)->internal()));
}
X509_CRL *xtempCRL = NULL;
LOGGER_OPENSSL(X509_STORE_CTX_init);
X509_STORE_CTX_init(ctx, st, chain->items(0)->internal(), chain->internal());
LOGGER_OPENSSL(X509_STORE_CTX_set0_crls);
X509_STORE_CTX_set0_crls(ctx, crls->internal());
LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK_ALL);
LOGGER_OPENSSL(X509_verify_cert);
if (X509_verify_cert(ctx) <= 0){
return false;
}
return true;
}
catch (Handle<Exception> e){
THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)");
}
}
static LUA_FUNCTION(openssl_pkcs7_verify_digest)
{
PKCS7 *p7 = CHECK_OBJECT(1, PKCS7, "openssl.pkcs7");
STACK_OF(X509) *certs = lua_isnoneornil(L, 2) ? NULL : openssl_sk_x509_fromtable(L, 2);
X509_STORE *store = lua_isnoneornil(L, 3) ? NULL : CHECK_OBJECT(3, X509_STORE, "openssl.x509_store");
size_t len;
const char* data = luaL_checklstring(L, 4, &len);
long flags = luaL_optint(L, 5, 0);
int hash = lua_isnoneornil(L, 6) ? 0 : lua_toboolean(L, 6);
STACK_OF(X509) *signers;
X509 *signer;
STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
PKCS7_SIGNER_INFO *si;
X509_STORE_CTX cert_ctx;
int i, j = 0, k, ret = 0;
if (!PKCS7_type_is_signed(p7))
{
luaL_error(L, "pkcs7 must be signedData");
}
/* Check for no data and no content: no data to verify signature */
if (!PKCS7_get_detached(p7))
{
luaL_error(L, "pkcs7 must be detached signedData");
}
sinfos = PKCS7_get_signer_info(p7);
if (!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos))
{
luaL_error(L, "pkcs7 signedData without signature");
}
signers = PKCS7_get0_signers(p7, certs, flags);
if (!signers)
{
luaL_error(L, "pkcs7 signedData without signers");
}
if (!store)
flags |= PKCS7_NOVERIFY;
/* Now verify the certificates */
if (!(flags & PKCS7_NOVERIFY))
for (k = 0; k < sk_X509_num(signers); k++)
{
signer = sk_X509_value(signers, k);
if (!(flags & PKCS7_NOCHAIN))
{
if (!X509_STORE_CTX_init(&cert_ctx, store, signer,
p7->d.sign->cert))
{
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
goto err;
}
X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
}
else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL))
{
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
goto err;
}
if (!(flags & PKCS7_NOCRL))
X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
i = X509_verify_cert(&cert_ctx);
if (i <= 0)
j = X509_STORE_CTX_get_error(&cert_ctx);
X509_STORE_CTX_cleanup(&cert_ctx);
if (i <= 0)
{
PKCS7err(PKCS7_F_PKCS7_VERIFY,
PKCS7_R_CERTIFICATE_VERIFY_ERROR);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(j));
goto err;
}
/* Check for revocation status here */
}
/* Now Verify All Signatures */
if (!(flags & PKCS7_NOSIGS))
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
{
si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
signer = sk_X509_value(signers, i);
j = PKCS7_signatureVerify_digest(p7, si, signer,
(const unsigned char*) data, len, hash);
if (j <= 0)
{
PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_SIGNATURE_FAILURE);
goto err;
}
}
ret = 1;
err:
if (certs)
sk_X509_pop_free(certs, X509_free);
sk_X509_free(signers);
return openssl_pushresult(L, ret);
}
int main(int argc, char *argv[]) {
X509 *cert;
X509 *cacert;
X509_CRL *crl;
X509_STORE *store;
X509_LOOKUP *lookup;
X509_STORE_CTX *verify_ctx;
STACK_OF(X509) *untrusted;
STACK_OF(X509_CRL) *crls;
FILE *fp;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
/* read the client certificate */
if (!(fp = fopen(CLIENT_CERT, "r"))) {
int_error("Error reading client certificate file");
}
if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
int_error("Error reading client certificate in file");
}
fclose(fp);
/* read CA certificate */
if (!(fp = fopen(CA_FILE, "r"))) {
int_error("Error reading CA certificate file");
}
if (!(cacert = PEM_read_X509(fp, NULL, NULL, NULL))) {
int_error("Error reading CA certificate in file");
}
fclose(fp);
// Read CRL
if (!(fp = fopen(CRL_FILE, "r"))) {
int_error("Error opening CRL file");
}
if (!(crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL))) {
int_error("Error reading CRL");
}
fclose(fp);
/* create the cert store and set the verify callback */
if (!(store = X509_STORE_new())) {
int_error("Error creating X509_STORE_CTX object");
}
// Add CA cert to Store
if (X509_STORE_add_cert(store, cacert) != 1) {
int_error("Error adding CA certificate to certificate store");
}
// Add CRL to Store
if (X509_STORE_add_crl(store, crl) != 1) {
int_error("Error adding CRL to certificate store");
}
X509_STORE_set_verify_cb_func(store, verify_callback);
/* set the flags of the store so that the CRLs are consulted */
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
// Create an empty X509_Stack for untrusted
if (!(untrusted = sk_X509_new_null())) {
int_error("Error creating X509_Stack");
}
// Create a CRL_Stack
if (!(crls = sk_X509_CRL_new_null())) {
int_error("Error creating X509_CRL");
}
// Add CRL to CRL_Stack
if (sk_X509_CRL_push(crls, crl) != 1) {
int_error("Error adding a CRL to the Stack of CRLs");
}
/* create a verification context and initialize it */
if (!(verify_ctx = X509_STORE_CTX_new())) {
int_error("Error creating X509_STORE_CTX object");
}
// We are explicitly adding an empty X509_Stack for untrusted
if (X509_STORE_CTX_init(verify_ctx, store, cert, untrusted) != 1) {
int_error("Error initializing verification context");
}
X509_STORE_CTX_set0_crls(verify_ctx, crls);
/* verify the certificate */
if (X509_verify_cert(verify_ctx) != 1) {
int_error("Error verifying the certificate");
}
else {
printf("Certificate verified correctly!\n");
}
return 0;
}
