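/**
 * Verifies `chain` (item 0 = end-entity certificate) against a temporary
 * OpenSSL store built from the chain itself, with CRL checking forced for
 * every certificate in the chain using the CRLs in `crls`.
 *
 * @param chain  Certificates to verify; item 0 is the leaf, the rest are
 *               offered both as trusted store content and as untrusted chain.
 * @param crls   CRLs consulted for the revocation check (borrowed, not owned).
 * @return true only when X509_verify_cert() reports success; false for an
 *         empty chain, a failed verification or an internal OpenSSL error.
 * @throws Exception (wrapped as Chain) when an OpenSSL object cannot be
 *         created or the verification context cannot be initialised.
 */
bool Chain::verifyChain(Handle<CertificateCollection> chain, Handle<CrlCollection> crls){
    LOGGER_FN();

    try{
        // Every certificate in `chain` is added to the trusted store below, so
        // the chain supplies its own trust anchor: a self-signed certificate in
        // `chain` is accepted as a root. This function pins no separate set of
        // trust anchors; callers must only pass chains whose root they trust.
        if (chain->length() <= 0) {
            // Nothing to verify, and items(0) below would be out of range.
            return false;
        }

        // Releases the context and the store on every exit path (normal return,
        // the early return above and the exceptions thrown below). The previous
        // version freed neither, leaking both objects on each call.
        struct StoreGuard {
            X509_STORE *st;
            X509_STORE_CTX *ctx;
            StoreGuard() : st(NULL), ctx(NULL) {}
            ~StoreGuard() {
                if (ctx) {
                    X509_STORE_CTX_free(ctx);
                }
                if (st) {
                    X509_STORE_free(st);
                }
            }
        } guard;

        LOGGER_OPENSSL(X509_STORE_CTX_new);
        guard.ctx = X509_STORE_CTX_new();
        if (!guard.ctx) {
            THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store ctx");
        }

        LOGGER_OPENSSL(X509_STORE_new);
        guard.st = X509_STORE_new();
        if (!guard.st) {
            THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error create new store");
        }

        for (int i = 0, c = chain->length(); i < c; i++){
            // X509_STORE_add_cert takes its own reference on the certificate,
            // so the X509_dup() copy the previous version passed here was
            // never released. A failed add is deliberately not fatal: the
            // certificate is then simply absent from the trusted set and
            // X509_verify_cert() below reports the chain as untrusted
            // (OpenSSL 1.0.x also reports a duplicate add as a failure, which
            // must not abort the verification).
            LOGGER_OPENSSL(X509_STORE_add_cert);
            X509_STORE_add_cert(guard.st, chain->items(i)->internal());
        }

        // Item 0 is verified as the end-entity certificate; the whole
        // collection is also passed as the untrusted chain.
        LOGGER_OPENSSL(X509_STORE_CTX_init);
        if (X509_STORE_CTX_init(guard.ctx, guard.st, chain->items(0)->internal(), chain->internal()) != 1) {
            THROW_OPENSSL_EXCEPTION(0, Revocation, NULL, "Error init store ctx");
        }

        // set0: the context borrows the CRL stack; `crls` keeps ownership.
        // NOTE(review): assumes `crls` is a valid handle — confirm callers
        // never pass an empty one.
        LOGGER_OPENSSL(X509_STORE_CTX_set0_crls);
        X509_STORE_CTX_set0_crls(guard.ctx, crls->internal());

        // Require a CRL for every certificate in the chain, not only the leaf;
        // a missing CRL therefore makes the verification fail.
        LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
        X509_STORE_CTX_set_flags(guard.ctx, X509_V_FLAG_CRL_CHECK);
        LOGGER_OPENSSL(X509_STORE_CTX_set_flags);
        X509_STORE_CTX_set_flags(guard.ctx, X509_V_FLAG_CRL_CHECK_ALL);

        // 1 = verified, 0 = verification failed, <0 = internal error; both
        // non-success outcomes are reported as "not verified".
        LOGGER_OPENSSL(X509_verify_cert);
        return X509_verify_cert(guard.ctx) > 0;
    }
    catch (Handle<Exception> e){
        THROW_EXCEPTION(0, Chain, e, "Error verify chain (provider store)");
    }
}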
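/*
 * openssl.pkcs7.verify_digest(p7, certs, store, data [, flags [, hash]])
 *
 * Verifies a detached PKCS#7 signedData whose content is supplied by the
 * caller as `data` (arg 4; `hash` selects how PKCS7_signatureVerify_digest()
 * treats it — see that function). Two steps, each skippable via `flags`:
 *   1. unless PKCS7_NOVERIFY: build a chain for every signer certificate
 *      against `store` (arg 3; PKCS7_NOCHAIN / PKCS7_NOCRL as in PKCS7_verify);
 *   2. unless PKCS7_NOSIGS: check every signature over `data`.
 * Returns true, or false plus the OpenSSL error (openssl_pushresult).
 *
 * Structural problems with `p7` and bad arguments raise a Lua error; those
 * checks run before any OpenSSL object is allocated here, because luaL_error()
 * does not return and would otherwise leak `certs`.
 */
static LUA_FUNCTION(openssl_pkcs7_verify_digest)
{
  PKCS7 *p7 = CHECK_OBJECT(1, PKCS7, "openssl.pkcs7");
  X509_STORE *store = lua_isnoneornil(L, 3) ? NULL : CHECK_OBJECT(3, X509_STORE, "openssl.x509_store");
  size_t len;
  const char* data = luaL_checklstring(L, 4, &len);
  long flags = luaL_optint(L, 5, 0);
  int hash = lua_isnoneornil(L, 6) ? 0 : lua_toboolean(L, 6);
  STACK_OF(X509) *certs = NULL;
  STACK_OF(X509) *signers = NULL;
  X509 *signer;
  STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
  PKCS7_SIGNER_INFO *si;
  /* NOTE: X509_STORE_CTX is opaque from OpenSSL 1.1.0 on; this stack
   * allocation only builds against 1.0.x. */
  X509_STORE_CTX cert_ctx;
  int i, j = 0, k, ret = 0;

  if (!PKCS7_type_is_signed(p7))
  {
    luaL_error(L, "pkcs7 must be signedData");
  }
  /* The content is supplied by the caller, so the signature must be detached:
   * an embedded content would never be looked at. */
  if (!PKCS7_get_detached(p7))
  {
    luaL_error(L, "pkcs7 must be detached signedData");
  }
  sinfos = PKCS7_get_signer_info(p7);
  if (!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos))
  {
    luaL_error(L, "pkcs7 signedData without signature");
  }

  /* Allocated last, after every check that can raise a Lua error. */
  certs = lua_isnoneornil(L, 2) ? NULL : openssl_sk_x509_fromtable(L, 2);

  signers = PKCS7_get0_signers(p7, certs, flags);
  if (!signers)
  {
    if (certs)
      sk_X509_pop_free(certs, X509_free);
    luaL_error(L, "pkcs7 signedData without signers");
  }

  /* Without a store the signer certificates cannot be chained, so only the
   * signatures are checked: a signature by an untrusted (e.g. self-signed)
   * signer then passes. Callers that need trust must supply arg 3. */
  if (!store)
    flags |= PKCS7_NOVERIFY;

  /* Now verify the certificates */
  if (!(flags & PKCS7_NOVERIFY))
    for (k = 0; k < sk_X509_num(signers); k++)
    {
      signer = sk_X509_value(signers, k);
      if (!(flags & PKCS7_NOCHAIN))
      {
        /* Certificates embedded in the signedData are offered as untrusted
         * intermediates; only `store` holds the trust anchors. */
        if (!X509_STORE_CTX_init(&cert_ctx, store, signer, p7->d.sign->cert))
        {
          PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
          goto err;
        }
        X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
      }
      else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL))
      {
        PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
        goto err;
      }
      /* CRLs embedded in the signedData are consulted unless disabled; note
       * that without X509_V_FLAG_CRL_CHECK on the store they are not
       * required, so this is best-effort revocation checking. */
      if (!(flags & PKCS7_NOCRL))
        X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
      i = X509_verify_cert(&cert_ctx);
      if (i <= 0)
        j = X509_STORE_CTX_get_error(&cert_ctx);
      X509_STORE_CTX_cleanup(&cert_ctx);
      if (i <= 0)
      {
        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CERTIFICATE_VERIFY_ERROR);
        ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(j));
        goto err;
      }
      /* Check for revocation status here */
    }

  /* Now Verify All Signatures. PKCS7_get0_signers() returns one certificate
   * per signer info, in the same order, so index i addresses the matching
   * signer. */
  if (!(flags & PKCS7_NOSIGS))
    for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
    {
      si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
      signer = sk_X509_value(signers, i);
      j = PKCS7_signatureVerify_digest(p7, si, signer, (const unsigned char*) data, len, hash);
      if (j <= 0)
      {
        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_SIGNATURE_FAILURE);
        goto err;
      }
    }

  ret = 1;

err:
  /* `certs` owns its entries (built from the Lua table); `signers` only
   * borrows the certificates it points at (get0). */
  if (certs)
    sk_X509_pop_free(certs, X509_free);
  sk_X509_free(signers);
  return openssl_pushresult(L, ret);
}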
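/*
 * Verifies CLIENT_CERT against the single CA in CA_FILE, with CRL checking
 * forced for every certificate in the chain (X509_V_FLAG_CRL_CHECK_ALL) using
 * CRL_FILE. Every failure goes through int_error(), which is assumed not to
 * return; on success a confirmation is printed, the OpenSSL objects are
 * released and 0 is returned.
 */
int main(int argc, char *argv[])
{
  X509 *cert;
  X509 *cacert;
  X509_CRL *crl;
  X509_STORE *store;
  X509_STORE_CTX *verify_ctx;
  STACK_OF(X509) *untrusted;
  STACK_OF(X509_CRL) *crls;
  FILE *fp;

  (void)argc;
  (void)argv;

  OpenSSL_add_all_algorithms();
  ERR_load_crypto_strings();

  /* read the client certificate */
  if (!(fp = fopen(CLIENT_CERT, "r")))
  {
    int_error("Error reading client certificate file");
  }
  if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL)))
  {
    int_error("Error reading client certificate in file");
  }
  fclose(fp);

  /* read CA certificate */
  if (!(fp = fopen(CA_FILE, "r")))
  {
    int_error("Error reading CA certificate file");
  }
  if (!(cacert = PEM_read_X509(fp, NULL, NULL, NULL)))
  {
    int_error("Error reading CA certificate in file");
  }
  fclose(fp);

  /* read the CRL */
  if (!(fp = fopen(CRL_FILE, "r")))
  {
    int_error("Error opening CRL file");
  }
  if (!(crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL)))
  {
    int_error("Error reading CRL");
  }
  fclose(fp);

  /* create the cert store and set the verify callback */
  if (!(store = X509_STORE_new()))
  {
    int_error("Error creating X509_STORE object");
  }
  /* the store takes its own reference on cacert and crl; both are still
   * released by us below */
  if (X509_STORE_add_cert(store, cacert) != 1)
  {
    int_error("Error adding CA certificate to certificate store");
  }
  if (X509_STORE_add_crl(store, crl) != 1)
  {
    int_error("Error adding CRL to certificate store");
  }
  /* verify_callback (defined elsewhere) is consulted for every verification
   * error; if it returns 1 for an error, X509_verify_cert() treats that error
   * as accepted — confirm it only overrides the errors it is meant to. */
  X509_STORE_set_verify_cb_func(store, verify_callback);

  /* require a CRL for every certificate in the chain, not only the leaf:
   * a missing CRL is then a verification failure, not a silent skip */
  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

  /* the untrusted stack is deliberately empty: only cert and the CA in the
   * store take part in chain building */
  if (!(untrusted = sk_X509_new_null()))
  {
    int_error("Error creating X509_Stack");
  }

  /* the CRL stack for the context; it borrows crl, no extra reference */
  if (!(crls = sk_X509_CRL_new_null()))
  {
    int_error("Error creating X509_CRL_Stack");
  }
  if (sk_X509_CRL_push(crls, crl) != 1)
  {
    int_error("Error adding a CRL to the Stack of CRLs");
  }

  /* create a verification context and initialize it */
  if (!(verify_ctx = X509_STORE_CTX_new()))
  {
    int_error("Error creating X509_STORE_CTX object");
  }
  if (X509_STORE_CTX_init(verify_ctx, store, cert, untrusted) != 1)
  {
    int_error("Error initializing verification context");
  }
  /* set0: the context borrows crls, we keep ownership */
  X509_STORE_CTX_set0_crls(verify_ctx, crls);

  /* verify the certificate; name the reason before bailing out so a failure
   * (expired, revoked, missing CRL, ...) is diagnosable */
  if (X509_verify_cert(verify_ctx) != 1)
  {
    fprintf(stderr, "Verify error: %s\n",
            X509_verify_cert_error_string(X509_STORE_CTX_get_error(verify_ctx)));
    int_error("Error verifying the certificate");
  }
  else
  {
    printf("Certificate verified correctly!\n");
  }

  /* release everything in reverse order of acquisition; the stacks only
   * borrow their entries, the store drops the references it took */
  X509_STORE_CTX_free(verify_ctx);
  sk_X509_CRL_free(crls);
  sk_X509_free(untrusted);
  X509_STORE_free(store);
  X509_CRL_free(crl);
  X509_free(cacert);
  X509_free(cert);
  return 0;
}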