Diffstat (limited to 'src/openssl/x509vfy.c')
-rw-r--r-- | src/openssl/x509vfy.c | 1500 |
1 files changed, 750 insertions, 750 deletions
diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c index 40264c0d..fe51da4e 100644 --- a/src/openssl/x509vfy.c +++ b/src/openssl/x509vfy.c @@ -1,4 +1,4 @@ -/** +/** * XMLSec library * * X509 support @@ -6,7 +6,7 @@ * * This is free software; see Copyright file in the source * distribution for preciese wording. - * + * * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> */ #include "globals.h" @@ -42,17 +42,17 @@ * Internal OpenSSL X509 store CTX * *************************************************************************/ -typedef struct _xmlSecOpenSSLX509StoreCtx xmlSecOpenSSLX509StoreCtx, - *xmlSecOpenSSLX509StoreCtxPtr; +typedef struct _xmlSecOpenSSLX509StoreCtx xmlSecOpenSSLX509StoreCtx, + *xmlSecOpenSSLX509StoreCtxPtr; struct _xmlSecOpenSSLX509StoreCtx { - X509_STORE* xst; - STACK_OF(X509)* untrusted; + X509_STORE* xst; + STACK_OF(X509)* untrusted; STACK_OF(X509_CRL)* crls; - + #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - X509_VERIFY_PARAM * vpm; + X509_VERIFY_PARAM * vpm; #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ -}; +}; /**************************************************************************** * 
@@ -63,88 +63,88 @@ struct _xmlSecOpenSSLX509StoreCtx { ***************************************************************************/ #define xmlSecOpenSSLX509StoreGetCtx(store) \ ((xmlSecOpenSSLX509StoreCtxPtr)(((xmlSecByte*)(store)) + \ - sizeof(xmlSecKeyDataStoreKlass))) -#define xmlSecOpenSSLX509StoreSize \ + sizeof(xmlSecKeyDataStoreKlass))) +#define xmlSecOpenSSLX509StoreSize \ (sizeof(xmlSecKeyDataStoreKlass) + sizeof(xmlSecOpenSSLX509StoreCtx)) - -static int xmlSecOpenSSLX509StoreInitialize (xmlSecKeyDataStorePtr store); -static void xmlSecOpenSSLX509StoreFinalize (xmlSecKeyDataStorePtr store); + +static int xmlSecOpenSSLX509StoreInitialize (xmlSecKeyDataStorePtr store); +static void xmlSecOpenSSLX509StoreFinalize (xmlSecKeyDataStorePtr store); static xmlSecKeyDataStoreKlass xmlSecOpenSSLX509StoreKlass = { sizeof(xmlSecKeyDataStoreKlass), xmlSecOpenSSLX509StoreSize, /* data */ - xmlSecNameX509Store, /* const xmlChar* name; */ - + xmlSecNameX509Store, /* const xmlChar* name; */ + /* constructors/destructor */ - xmlSecOpenSSLX509StoreInitialize, /* xmlSecKeyDataStoreInitializeMethod initialize; */ - xmlSecOpenSSLX509StoreFinalize, /* xmlSecKeyDataStoreFinalizeMethod finalize; */ + xmlSecOpenSSLX509StoreInitialize, /* xmlSecKeyDataStoreInitializeMethod initialize; */ + xmlSecOpenSSLX509StoreFinalize, /* xmlSecKeyDataStoreFinalizeMethod finalize; */ /* reserved for the future */ - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ }; -static int xmlSecOpenSSLX509VerifyCRL (X509_STORE* xst, - X509_CRL *crl ); -static X509* xmlSecOpenSSLX509FindCert (STACK_OF(X509) *certs, - xmlChar *subjectName, - xmlChar *issuerName, - xmlChar *issuerSerial, - xmlChar *ski); -static X509* xmlSecOpenSSLX509FindNextChainCert (STACK_OF(X509) *chain, - X509 *cert); -static int xmlSecOpenSSLX509VerifyCertAgainstCrls (STACK_OF(X509_CRL) *crls, - X509* cert); -static X509_NAME* xmlSecOpenSSLX509NameRead (xmlSecByte 
*str, - int len); -static int xmlSecOpenSSLX509NameStringRead (xmlSecByte **str, - int *strLen, - xmlSecByte *res, - int resLen, - xmlSecByte delim, - int ingoreTrailingSpaces); -static int xmlSecOpenSSLX509NamesCompare (X509_NAME *a, - X509_NAME *b); -static int xmlSecOpenSSLX509_NAME_cmp (const X509_NAME *a, - const X509_NAME *b); -static int xmlSecOpenSSLX509_NAME_ENTRY_cmp (const X509_NAME_ENTRY **a, - const X509_NAME_ENTRY **b); - -/** +static int xmlSecOpenSSLX509VerifyCRL (X509_STORE* xst, + X509_CRL *crl ); +static X509* xmlSecOpenSSLX509FindCert (STACK_OF(X509) *certs, + xmlChar *subjectName, + xmlChar *issuerName, + xmlChar *issuerSerial, + xmlChar *ski); +static X509* xmlSecOpenSSLX509FindNextChainCert (STACK_OF(X509) *chain, + X509 *cert); +static int xmlSecOpenSSLX509VerifyCertAgainstCrls (STACK_OF(X509_CRL) *crls, + X509* cert); +static X509_NAME* xmlSecOpenSSLX509NameRead (xmlSecByte *str, + int len); +static int xmlSecOpenSSLX509NameStringRead (xmlSecByte **str, + int *strLen, + xmlSecByte *res, + int resLen, + xmlSecByte delim, + int ingoreTrailingSpaces); +static int xmlSecOpenSSLX509NamesCompare (X509_NAME *a, + X509_NAME *b); +static int xmlSecOpenSSLX509_NAME_cmp (const X509_NAME * a, + const X509_NAME * b); +static int xmlSecOpenSSLX509_NAME_ENTRY_cmp (const X509_NAME_ENTRY * const *a, + const X509_NAME_ENTRY * const *b); + +/** * xmlSecOpenSSLX509StoreGetKlass: - * + * * The OpenSSL X509 certificates key data store klass. * * Returns: pointer to OpenSSL X509 certificates key data store klass. */ -xmlSecKeyDataStoreId +xmlSecKeyDataStoreId xmlSecOpenSSLX509StoreGetKlass(void) { return(&xmlSecOpenSSLX509StoreKlass); } /** * xmlSecOpenSSLX509StoreFindCert: - * @store: the pointer to X509 key data store klass. - * @subjectName: the desired certificate name. - * @issuerName: the desired certificate issuer name. - * @issuerSerial: the desired certificate issuer serial number. - * @ski: the desired certificate SKI. 
- * @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context. + * @store: the pointer to X509 key data store klass. + * @subjectName: the desired certificate name. + * @issuerName: the desired certificate issuer name. + * @issuerSerial: the desired certificate issuer serial number. + * @ski: the desired certificate SKI. + * @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context. * * Searches @store for a certificate that matches given criteria. * * Returns: pointer to found certificate or NULL if certificate is not found * or an error occurs. */ -X509* +X509* xmlSecOpenSSLX509StoreFindCert(xmlSecKeyDataStorePtr store, xmlChar *subjectName, - xmlChar *issuerName, xmlChar *issuerSerial, - xmlChar *ski, xmlSecKeyInfoCtx* keyInfoCtx) { + xmlChar *issuerName, xmlChar *issuerSerial, + xmlChar *ski, xmlSecKeyInfoCtx* keyInfoCtx) { xmlSecOpenSSLX509StoreCtxPtr ctx; X509* res = NULL; - + xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), NULL); xmlSecAssert2(keyInfoCtx != NULL, NULL); 
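Review bot: The new prototype of `xmlSecOpenSSLX509_NAME_ENTRY_cmp` now takes `const X509_NAME_ENTRY * const *` for both arguments, but its definition is outside this hunk, so I cannot confirm from here that it was changed in step; a mismatch is a conflicting-types error in C, and the signature also has to agree with the comparator type the `sk_X509_NAME_ENTRY` comparator setter expects, which is presumably the motivation for the change. While these forward declarations are being retouched, the last parameter of `xmlSecOpenSSLX509NameStringRead` is spelled `ingoreTrailingSpaces`; `int ignoreTrailingSpaces` reads as intended. `xmlSecOpenSSLX509StoreFindCert` begins at the end of this hunk and its body continues past it.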
@@ -159,24 +159,24 @@ xmlSecOpenSSLX509StoreFindCert(xmlSecKeyDataStorePtr store, xmlChar *subjectName /** * xmlSecOpenSSLX509StoreVerify: - * @store: the pointer to X509 key data store klass. - * @certs: the untrusted certificates stack. - * @crls: the crls stack. - * @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context. + * @store: the pointer to X509 key data store klass. + * @certs: the untrusted certificates stack. + * @crls: the crls stack. + * @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context. * * Verifies @certs list. * * Returns: pointer to the first verified certificate from @certs. - */ -X509* + */ +X509* xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* certs, - XMLSEC_STACK_OF_X509_CRL* crls, xmlSecKeyInfoCtx* keyInfoCtx) { + XMLSEC_STACK_OF_X509_CRL* crls, xmlSecKeyInfoCtx* keyInfoCtx) { xmlSecOpenSSLX509StoreCtxPtr ctx; STACK_OF(X509)* certs2 = NULL; STACK_OF(X509_CRL)* crls2 = NULL; - X509* res = NULL; - X509* cert; - X509 *err_cert = NULL; + X509 * res = NULL; + X509 * cert; + X509 * err_cert = NULL; char buf[256]; int err = 0, depth; int i; 
@@ -189,256 +189,256 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, NULL); xmlSecAssert2(ctx->xst != NULL, NULL); - + /* dup certs */ certs2 = sk_X509_dup(certs); if(certs2 == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_dup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_dup", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; } /* add untrusted certs from the store */ if(ctx->untrusted != NULL) { - for(i = 0; i < sk_X509_num(ctx->untrusted); ++i) { - ret = sk_X509_push(certs2, sk_X509_value(ctx->untrusted, i)); - if(ret < 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_push", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - } + for(i = 0; i < sk_X509_num(ctx->untrusted); ++i) { + ret = sk_X509_push(certs2, sk_X509_value(ctx->untrusted, i)); + if(ret < 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_push", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + } } - + /* dup crls but remove all non-verified */ if(crls != NULL) { - crls2 = sk_X509_CRL_dup(crls); - if(crls2 == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_CRL_dup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - for(i = 0; i < sk_X509_CRL_num(crls2); ) { - ret = xmlSecOpenSSLX509VerifyCRL(ctx->xst, sk_X509_CRL_value(crls2, i)); - if(ret == 1) { - ++i; - } else if(ret == 0) { - sk_X509_CRL_delete(crls2, i); - } else { - xmlSecError(XMLSEC_ERRORS_HERE, - 
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecOpenSSLX509VerifyCRL", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - } + crls2 = sk_X509_CRL_dup(crls); + if(crls2 == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_CRL_dup", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + for(i = 0; i < sk_X509_CRL_num(crls2); ) { + ret = xmlSecOpenSSLX509VerifyCRL(ctx->xst, sk_X509_CRL_value(crls2, i)); + if(ret == 1) { + ++i; + } else if(ret == 0) { + (void)sk_X509_CRL_delete(crls2, i); + } else { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "xmlSecOpenSSLX509VerifyCRL", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + } } - + /* remove all revoked certs */ - for(i = 0; i < sk_X509_num(certs2);) { - cert = sk_X509_value(certs2, i); - - if(crls2 != NULL) { - ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(crls2, cert); - if(ret == 0) { - sk_X509_delete(certs2, i); - continue; - } else if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecOpenSSLX509VerifyCertAgainstCrls", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - } - - if(ctx->crls != NULL) { - ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(ctx->crls, cert); - if(ret == 0) { - sk_X509_delete(certs2, i); - continue; - } else if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "xmlSecOpenSSLX509VerifyCertAgainstCrls", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - } - ++i; - } + for(i = 0; i < sk_X509_num(certs2);) { + cert = sk_X509_value(certs2, i); + + if(crls2 != NULL) { + ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(crls2, cert); + if(ret == 0) { + (void)sk_X509_delete(certs2, i); + continue; + } else if(ret 
!= 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "xmlSecOpenSSLX509VerifyCertAgainstCrls", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + } + + if(ctx->crls != NULL) { + ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(ctx->crls, cert); + if(ret == 0) { + (void)sk_X509_delete(certs2, i); + continue; + } else if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "xmlSecOpenSSLX509VerifyCertAgainstCrls", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + } + ++i; + } /* get one cert after another and try to verify */ - for(i = 0; i < sk_X509_num(certs2); ++i) { - cert = sk_X509_value(certs2, i); - if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) { - X509_STORE_CTX xsc; + for(i = 0; i < sk_X509_num(certs2); ++i) { + cert = sk_X509_value(certs2, i); + if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) { + X509_STORE_CTX xsc; #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - X509_VERIFY_PARAM * vpm = NULL; - unsigned long vpm_flags = 0; - - vpm = X509_VERIFY_PARAM_new(); - if(vpm == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_VERIFY_PARAM_new", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - vpm_flags = vpm->flags; + X509_VERIFY_PARAM * vpm = NULL; + unsigned long vpm_flags = 0; + + vpm = X509_VERIFY_PARAM_new(); + if(vpm == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_VERIFY_PARAM_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + vpm_flags = vpm->flags; /* - vpm_flags &= (~X509_V_FLAG_X509_STRICT); + vpm_flags &= (~X509_V_FLAG_X509_STRICT); */ - vpm_flags &= (~X509_V_FLAG_CRL_CHECK); + vpm_flags &= (~X509_V_FLAG_CRL_CHECK); - X509_VERIFY_PARAM_set_depth(vpm, 9); - 
X509_VERIFY_PARAM_set_flags(vpm, vpm_flags); + X509_VERIFY_PARAM_set_depth(vpm, 9); + X509_VERIFY_PARAM_set_flags(vpm, vpm_flags); #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - - X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2); - if(keyInfoCtx->certsVerificationTime > 0) { + X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2); + + if(keyInfoCtx->certsVerificationTime > 0) { #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - vpm_flags |= X509_V_FLAG_USE_CHECK_TIME; - X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime); + vpm_flags |= X509_V_FLAG_USE_CHECK_TIME; + X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime); #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime); - } + X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime); + } #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - X509_STORE_CTX_set0_param(&xsc, vpm); + X509_STORE_CTX_set0_param(&xsc, vpm); #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - - ret = X509_verify_cert(&xsc); - err_cert = X509_STORE_CTX_get_current_cert(&xsc); - err = X509_STORE_CTX_get_error(&xsc); - depth = X509_STORE_CTX_get_error_depth(&xsc); - - X509_STORE_CTX_cleanup (&xsc); - - if(ret == 1) { - res = cert; - goto done; - } else if(ret < 0) { - const char* err_msg; - - buf[0] = '\0'; - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf); - err_msg = X509_verify_cert_error_string(err); - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_verify_cert", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "subj=%s;err=%d;msg=%s", - xmlSecErrorsSafeString(buf), - err, - xmlSecErrorsSafeString(err_msg)); - goto done; - } else if(ret == 0) { - const char* err_msg; - - buf[0] = '\0'; - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf); - err_msg = 
X509_verify_cert_error_string(err); - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_verify_cert", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "subj=%s;err=%d;msg=%s", - xmlSecErrorsSafeString(buf), - err, - xmlSecErrorsSafeString(err_msg)); - } - } + + ret = X509_verify_cert(&xsc); + err_cert = X509_STORE_CTX_get_current_cert(&xsc); + err = X509_STORE_CTX_get_error(&xsc); + depth = X509_STORE_CTX_get_error_depth(&xsc); + + X509_STORE_CTX_cleanup (&xsc); + + if(ret == 1) { + res = cert; + goto done; + } else if(ret < 0) { + const char* err_msg; + + buf[0] = '\0'; + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf); + err_msg = X509_verify_cert_error_string(err); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_verify_cert", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "subj=%s;err=%d;msg=%s", + xmlSecErrorsSafeString(buf), + err, + xmlSecErrorsSafeString(err_msg)); + goto done; + } else if(ret == 0) { + const char* err_msg; + + buf[0] = '\0'; + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf); + err_msg = X509_verify_cert_error_string(err); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_verify_cert", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "subj=%s;err=%d;msg=%s", + xmlSecErrorsSafeString(buf), + err, + xmlSecErrorsSafeString(err_msg)); + } + } } /* if we came here then we found nothing. do we have any error? 
*/ if((err != 0) && (err_cert != NULL)) { - const char* err_msg; - - err_msg = X509_verify_cert_error_string(err); - switch (err) { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf); - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - NULL, - XMLSEC_ERRORS_R_CERT_ISSUER_FAILED, - "err=%d;msg=%s;issuer=%s", - err, - xmlSecErrorsSafeString(err_msg), - xmlSecErrorsSafeString(buf)); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - NULL, - XMLSEC_ERRORS_R_CERT_NOT_YET_VALID, - "err=%d;msg=%s", err, - xmlSecErrorsSafeString(err_msg)); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - NULL, - XMLSEC_ERRORS_R_CERT_HAS_EXPIRED, - "err=%d;msg=%s", err, - xmlSecErrorsSafeString(err_msg)); - break; - default: - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - NULL, - XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, - "err=%d;msg=%s", err, - xmlSecErrorsSafeString(err_msg)); - } + const char* err_msg; + + err_msg = X509_verify_cert_error_string(err); + switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + NULL, + XMLSEC_ERRORS_R_CERT_ISSUER_FAILED, + "err=%d;msg=%s;issuer=%s", + err, + xmlSecErrorsSafeString(err_msg), + xmlSecErrorsSafeString(buf)); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + NULL, + XMLSEC_ERRORS_R_CERT_NOT_YET_VALID, + 
"err=%d;msg=%s", err, + xmlSecErrorsSafeString(err_msg)); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + NULL, + XMLSEC_ERRORS_R_CERT_HAS_EXPIRED, + "err=%d;msg=%s", err, + xmlSecErrorsSafeString(err_msg)); + break; + default: + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + NULL, + XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, + "err=%d;msg=%s", err, + xmlSecErrorsSafeString(err_msg)); + } } - -done: + +done: if(certs2 != NULL) { - sk_X509_free(certs2); + sk_X509_free(certs2); } if(crls2 != NULL) { - sk_X509_CRL_free(crls2); + sk_X509_CRL_free(crls2); } return(res); } /** * xmlSecOpenSSLX509StoreAdoptCert: - * @store: the pointer to X509 key data store klass. - * @cert: the pointer to OpenSSL X509 certificate. - * @type: the certificate type (trusted/untrusted). + * @store: the pointer to X509 key data store klass. + * @cert: the pointer to OpenSSL X509 certificate. + * @type: the certificate type (trusted/untrusted). * * Adds trusted (root) or untrusted certificate to the store. * * Returns: 0 on success or a negative value if an error occurs. */ -int +int xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecKeyDataType type) { xmlSecOpenSSLX509StoreCtxPtr ctx; int ret; - + xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1); xmlSecAssert2(cert != NULL, -1); 
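Review bot: In the `ret < 0` and `ret == 0` branches after `X509_verify_cert`, `X509_get_subject_name(err_cert)` is called without checking `err_cert`, which `X509_STORE_CTX_get_current_cert()` can leave NULL when the failure is not attributed to a particular certificate; the summary block further down already guards on `err_cert != NULL`, so the two inline reporters should do the same, e.g. `if(err_cert != NULL) { X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf); }`. Separately, `X509_VERIFY_PARAM_set_flags()` only ORs flags in, so `vpm_flags &= (~X509_V_FLAG_CRL_CHECK)` cannot clear anything and is harmless only because the freshly created param starts with no flags; if the intent is to guarantee CRL checking is off on this path, `X509_VERIFY_PARAM_clear_flags(vpm, X509_V_FLAG_CRL_CHECK)` states that, and `X509_VERIFY_PARAM_get_flags(vpm)` avoids reaching into `vpm->flags` directly. The return value of `X509_STORE_CTX_init()` is also ignored, and `depth` is assigned from `X509_STORE_CTX_get_error_depth()` but never read. The signature of `xmlSecOpenSSLX509StoreVerify` is in the preceding hunk, so the function starts outside this one.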
@@ -460,51 +460,51 @@ xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecK /* add cert increments the reference */ X509_free(cert); } else { - xmlSecAssert2(ctx->untrusted != NULL, -1); - - ret = sk_X509_push(ctx->untrusted, cert); - if(ret < 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_push", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } + xmlSecAssert2(ctx->untrusted != NULL, -1); + + ret = sk_X509_push(ctx->untrusted, cert); + if(ret < 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_push", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } } return(0); } /** * xmlSecOpenSSLX509StoreAdoptCrl: - * @store: the pointer to X509 key data store klass. - * @crl: the pointer to OpenSSL X509_CRL. + * @store: the pointer to X509 key data store klass. + * @crl: the pointer to OpenSSL X509_CRL. * * Adds X509 CRL to the store. * * Returns: 0 on success or a negative value if an error occurs. 
*/ -int +int xmlSecOpenSSLX509StoreAdoptCrl(xmlSecKeyDataStorePtr store, X509_CRL* crl) { xmlSecOpenSSLX509StoreCtxPtr ctx; int ret; - + xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1); xmlSecAssert2(crl != NULL, -1); ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, -1); - xmlSecAssert2(ctx->crls != NULL, -1); - - ret = sk_X509_CRL_push(ctx->crls, crl); - if(ret < 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_CRL_push", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } + xmlSecAssert2(ctx->crls != NULL, -1); + + ret = sk_X509_CRL_push(ctx->crls, crl); + if(ret < 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_CRL_push", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } return (0); } @@ -519,7 +519,7 @@ xmlSecOpenSSLX509StoreAdoptCrl(xmlSecKeyDataStorePtr store, X509_CRL* crl) { * * Returns: 0 on success or a negative value otherwise. */ -int +int xmlSecOpenSSLX509StoreAddCertsPath(xmlSecKeyDataStorePtr store, const char *path) { xmlSecOpenSSLX509StoreCtxPtr ctx; X509_LOOKUP *lookup = NULL; 
@@ -530,25 +530,25 @@ xmlSecOpenSSLX509StoreAddCertsPath(xmlSecKeyDataStorePtr store, const char *path ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->xst != NULL, -1); - + lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir()); if(lookup == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_STORE_add_lookup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_STORE_add_lookup", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } if(!X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM)) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_LOOKUP_add_dir", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "path='%s'", - xmlSecErrorsSafeString(path) - ); - return(-1); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_LOOKUP_add_dir", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "path='%s'", + xmlSecErrorsSafeString(path) + ); + return(-1); } return(0); } @@ -589,9 +589,9 @@ xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), "X509_LOOKUP_load_file", XMLSEC_ERRORS_R_CRYPTO_FAILED, - "file='%s'", - xmlSecErrorsSafeString(file) - ); + "file='%s'", + xmlSecErrorsSafeString(file) + ); return(-1); } return(0); @@ -601,7 +601,7 @@ static int xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) { const xmlChar* path; X509_LOOKUP *lookup = NULL; - + xmlSecOpenSSLX509StoreCtxPtr ctx; xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1); 
@@ -612,96 +612,96 @@ xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) { ctx->xst = X509_STORE_new(); if(ctx->xst == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_STORE_new", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_STORE_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } - + if(!X509_STORE_set_default_paths(ctx->xst)) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_STORE_set_default_paths", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_STORE_set_default_paths", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } - - + + lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir()); if(lookup == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_STORE_add_lookup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_STORE_add_lookup", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); return(-1); - } + } path = xmlSecOpenSSLGetDefaultTrustedCertsFolder(); if(path != NULL) { - if(!X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_PEM)) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_LOOKUP_add_dir", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "path='%s'", - xmlSecErrorsSafeString(path) - ); - return(-1); - } + if(!X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_PEM)) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_LOOKUP_add_dir", + 
XMLSEC_ERRORS_R_CRYPTO_FAILED, + "path='%s'", + xmlSecErrorsSafeString(path) + ); + return(-1); + } } else { - if(!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_LOOKUP_add_dir", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE - ); - return(-1); - } + if(!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_LOOKUP_add_dir", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE + ); + return(-1); + } } ctx->untrusted = sk_X509_new_null(); if(ctx->untrusted == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_new_null", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_new_null", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } ctx->crls = sk_X509_CRL_new_null(); if(ctx->crls == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "sk_X509_CRL_new_null", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "sk_X509_CRL_new_null", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) ctx->vpm = X509_VERIFY_PARAM_new(); if(ctx->vpm == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_VERIFY_PARAM_new", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - X509_VERIFY_PARAM_set_depth(ctx->vpm, 9); /* the default cert verification path in openssl */ + 
xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_VERIFY_PARAM_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + X509_VERIFY_PARAM_set_depth(ctx->vpm, 9); /* the default cert verification path in openssl */ X509_STORE_set1_param(ctx->xst, ctx->vpm); - + #else /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - ctx->xst->depth = 9; /* the default cert verification path in openssl */ + ctx->xst->depth = 9; /* the default cert verification path in openssl */ #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - return(0); + return(0); } static void @@ -711,20 +711,20 @@ xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) { ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert(ctx != NULL); - + if(ctx->xst != NULL) { - X509_STORE_free(ctx->xst); + X509_STORE_free(ctx->xst); } if(ctx->untrusted != NULL) { - sk_X509_pop_free(ctx->untrusted, X509_free); + sk_X509_pop_free(ctx->untrusted, X509_free); } if(ctx->crls != NULL) { - sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free); + sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free); } #if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) if(ctx->vpm != NULL) { - X509_VERIFY_PARAM_free(ctx->vpm); + X509_VERIFY_PARAM_free(ctx->vpm); } #endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ 
@@ -739,179 +739,179 @@ xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) { *****************************************************************************/ static int xmlSecOpenSSLX509VerifyCRL(X509_STORE* xst, X509_CRL *crl ) { - X509_STORE_CTX xsc; + X509_STORE_CTX xsc; X509_OBJECT xobj; EVP_PKEY *pkey; - int ret; + int ret; xmlSecAssert2(xst != NULL, -1); xmlSecAssert2(crl != NULL, -1); - + X509_STORE_CTX_init(&xsc, xst, NULL, NULL); - ret = X509_STORE_get_by_subject(&xsc, X509_LU_X509, - X509_CRL_get_issuer(crl), &xobj); + ret = X509_STORE_get_by_subject(&xsc, X509_LU_X509, + X509_CRL_get_issuer(crl), &xobj); if(ret <= 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "X509_STORE_get_by_subject", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_STORE_get_by_subject", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } pkey = X509_get_pubkey(xobj.data.x509); X509_OBJECT_free_contents(&xobj); if(pkey == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "X509_get_pubkey", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_get_pubkey", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } ret = X509_CRL_verify(crl, pkey); - EVP_PKEY_free(pkey); + EVP_PKEY_free(pkey); if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "X509_CRL_verify", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_CRL_verify", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); } - X509_STORE_CTX_cleanup (&xsc); + X509_STORE_CTX_cleanup (&xsc); return((ret == 1) ? 
1 : 0); } -static X509* +static X509* xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName, - xmlChar *issuerName, xmlChar *issuerSerial, - xmlChar *ski) { + xmlChar *issuerName, xmlChar *issuerSerial, + xmlChar *ski) { X509 *cert = NULL; int i; xmlSecAssert2(certs != NULL, NULL); - + /* todo: may be this is not the fastest way to search certs */ if(subjectName != NULL) { - X509_NAME *nm; - X509_NAME *subj; - - nm = xmlSecOpenSSLX509NameRead(subjectName, xmlStrlen(subjectName)); - if(nm == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecOpenSSLX509NameRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "subject=%s", - xmlSecErrorsSafeString(subjectName)); - return(NULL); - } - - for(i = 0; i < sk_X509_num(certs); ++i) { - cert = sk_X509_value(certs, i); - subj = X509_get_subject_name(cert); - if(xmlSecOpenSSLX509NamesCompare(nm, subj) == 0) { - X509_NAME_free(nm); - return(cert); - } - } - X509_NAME_free(nm); + X509_NAME *nm; + X509_NAME *subj; + + nm = xmlSecOpenSSLX509NameRead(subjectName, xmlStrlen(subjectName)); + if(nm == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecOpenSSLX509NameRead", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "subject=%s", + xmlSecErrorsSafeString(subjectName)); + return(NULL); + } + + for(i = 0; i < sk_X509_num(certs); ++i) { + cert = sk_X509_value(certs, i); + subj = X509_get_subject_name(cert); + if(xmlSecOpenSSLX509NamesCompare(nm, subj) == 0) { + X509_NAME_free(nm); + return(cert); + } + } + X509_NAME_free(nm); } else if((issuerName != NULL) && (issuerSerial != NULL)) { - X509_NAME *nm; - X509_NAME *issuer; - BIGNUM *bn; - ASN1_INTEGER *serial; - - nm = xmlSecOpenSSLX509NameRead(issuerName, xmlStrlen(issuerName)); - if(nm == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecOpenSSLX509NameRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "issuer=%s", - xmlSecErrorsSafeString(issuerName)); - return(NULL); - } - - bn = BN_new(); - if(bn == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "BN_new", - 
XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - X509_NAME_free(nm); - return(NULL); - } - if(BN_dec2bn(&bn, (char*)issuerSerial) == 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "BN_dec2bn", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - BN_free(bn); - X509_NAME_free(nm); - return(NULL); - } - - serial = BN_to_ASN1_INTEGER(bn, NULL); - if(serial == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "BN_to_ASN1_INTEGER", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - BN_free(bn); - X509_NAME_free(nm); - return(NULL); - } - BN_free(bn); - - - for(i = 0; i < sk_X509_num(certs); ++i) { - cert = sk_X509_value(certs, i); - if(ASN1_INTEGER_cmp(X509_get_serialNumber(cert), serial) != 0) { - continue; - } - issuer = X509_get_issuer_name(cert); - if(xmlSecOpenSSLX509NamesCompare(nm, issuer) == 0) { - ASN1_INTEGER_free(serial); - X509_NAME_free(nm); - return(cert); - } - } + X509_NAME *nm; + X509_NAME *issuer; + BIGNUM *bn; + ASN1_INTEGER *serial; + + nm = xmlSecOpenSSLX509NameRead(issuerName, xmlStrlen(issuerName)); + if(nm == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecOpenSSLX509NameRead", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "issuer=%s", + xmlSecErrorsSafeString(issuerName)); + return(NULL); + } + + bn = BN_new(); + if(bn == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "BN_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + X509_NAME_free(nm); + return(NULL); + } + if(BN_dec2bn(&bn, (char*)issuerSerial) == 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "BN_dec2bn", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + BN_free(bn); + X509_NAME_free(nm); + return(NULL); + } + + serial = BN_to_ASN1_INTEGER(bn, NULL); + if(serial == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "BN_to_ASN1_INTEGER", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + BN_free(bn); + X509_NAME_free(nm); + return(NULL); + } + BN_free(bn); + + + for(i = 0; i < 
sk_X509_num(certs); ++i) { + cert = sk_X509_value(certs, i); + if(ASN1_INTEGER_cmp(X509_get_serialNumber(cert), serial) != 0) { + continue; + } + issuer = X509_get_issuer_name(cert); + if(xmlSecOpenSSLX509NamesCompare(nm, issuer) == 0) { + ASN1_INTEGER_free(serial); + X509_NAME_free(nm); + return(cert); + } + } X509_NAME_free(nm); - ASN1_INTEGER_free(serial); + ASN1_INTEGER_free(serial); } else if(ski != NULL) { - int len; - int index; - X509_EXTENSION *ext; - ASN1_OCTET_STRING *keyId; - - /* our usual trick with base64 decode */ - len = xmlSecBase64Decode(ski, (xmlSecByte*)ski, xmlStrlen(ski)); - if(len < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecBase64Decode", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "ski=%s", - xmlSecErrorsSafeString(ski)); - return(NULL); - } - for(i = 0; i < sk_X509_num(certs); ++i) { - cert = sk_X509_value(certs, i); - index = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); - if((index >= 0) && (ext = X509_get_ext(cert, index))) { - keyId = X509V3_EXT_d2i(ext); - if((keyId != NULL) && (keyId->length == len) && - (memcmp(keyId->data, ski, len) == 0)) { - M_ASN1_OCTET_STRING_free(keyId); - return(cert); - } - M_ASN1_OCTET_STRING_free(keyId); - } - } + int len; + int index; + X509_EXTENSION *ext; + ASN1_OCTET_STRING *keyId; + + /* our usual trick with base64 decode */ + len = xmlSecBase64Decode(ski, (xmlSecByte*)ski, xmlStrlen(ski)); + if(len < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBase64Decode", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "ski=%s", + xmlSecErrorsSafeString(ski)); + return(NULL); + } + for(i = 0; i < sk_X509_num(certs); ++i) { + cert = sk_X509_value(certs, i); + index = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); + if((index >= 0) && (ext = X509_get_ext(cert, index))) { + keyId = X509V3_EXT_d2i(ext); + if((keyId != NULL) && (keyId->length == len) && + (memcmp(keyId->data, ski, len) == 0)) { + M_ASN1_OCTET_STRING_free(keyId); + return(cert); + } + M_ASN1_OCTET_STRING_free(keyId); + } + } 
} return(NULL); @@ -924,14 +924,14 @@ xmlSecOpenSSLX509FindNextChainCert(STACK_OF(X509) *chain, X509 *cert) { xmlSecAssert2(chain != NULL, NULL); xmlSecAssert2(cert != NULL, NULL); - + certSubjHash = X509_subject_name_hash(cert); for(i = 0; i < sk_X509_num(chain); ++i) { - if((sk_X509_value(chain, i) != cert) && - (X509_issuer_name_hash(sk_X509_value(chain, i)) == certSubjHash)) { + if((sk_X509_value(chain, i) != cert) && + (X509_issuer_name_hash(sk_X509_value(chain, i)) == certSubjHash)) { - return(sk_X509_value(chain, i)); - } + return(sk_X509_value(chain, i)); + } } return(NULL); } 
@@ -942,57 +942,57 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) { X509_CRL *crl = NULL; X509_REVOKED *revoked; int i, n; - int ret; + int ret; xmlSecAssert2(crls != NULL, -1); xmlSecAssert2(cert != NULL, -1); - + /* * Try to retrieve a CRL corresponding to the issuer of - * the current certificate - */ + * the current certificate + */ n = sk_X509_CRL_num(crls); for(i = 0; i < n; i++) { - crl = sk_X509_CRL_value(crls, i); - if(crl == NULL) { - continue; - } - - issuer = X509_CRL_get_issuer(crl); - if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) { - break; - } + crl = sk_X509_CRL_value(crls, i); + if(crl == NULL) { + continue; + } + + issuer = X509_CRL_get_issuer(crl); + if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) { + break; + } } if((i >= n) || (crl == NULL)){ - /* no crls for this issuer */ - return(1); + /* no crls for this issuer */ + return(1); } - /* - * Check date of CRL to make sure it's not expired + /* + * Check date of CRL to make sure it's not expired */ ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)); if (ret == 0) { - /* crl expired */ - return(1); + /* crl expired */ + return(1); } - - /* + + /* * Check if the current certificate is revoked by this CRL */ n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); for (i = 0; i < n; i++) { revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_CERT_REVOKED, - XMLSEC_ERRORS_NO_MESSAGE); - return(0); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_CERT_REVOKED, + XMLSEC_ERRORS_NO_MESSAGE); + return(0); } } - return(1); + return(1); } static X509_NAME * 
@@ -1004,167 +1004,167 @@ xmlSecOpenSSLX509NameRead(xmlSecByte *str, int len) { int type = MBSTRING_ASC; xmlSecAssert2(str != NULL, NULL); - + nm = X509_NAME_new(); if(nm == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "X509_NAME_new", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(NULL); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_NAME_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(NULL); } - + while(len > 0) { - /* skip spaces after comma or semicolon */ - while((len > 0) && isspace(*str)) { - ++str; --len; - } - - nameLen = xmlSecOpenSSLX509NameStringRead(&str, &len, name, sizeof(name), '=', 0); - if(nameLen < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecOpenSSLX509NameStringRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - X509_NAME_free(nm); - return(NULL); - } - name[nameLen] = '\0'; - if(len > 0) { - ++str; --len; - if((*str) == '\"') { - ++str; --len; - valueLen = xmlSecOpenSSLX509NameStringRead(&str, &len, - value, sizeof(value), '"', 1); - if(valueLen < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecOpenSSLX509NameStringRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - X509_NAME_free(nm); - return(NULL); - } - - /* skip quote */ - if((len <= 0) || ((*str) != '\"')) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "quote is expected:%s", - xmlSecErrorsSafeString(str)); - X509_NAME_free(nm); - return(NULL); - } + /* skip spaces after comma or semicolon */ + while((len > 0) && isspace(*str)) { + ++str; --len; + } + + nameLen = xmlSecOpenSSLX509NameStringRead(&str, &len, name, sizeof(name), '=', 0); + if(nameLen < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecOpenSSLX509NameStringRead", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + X509_NAME_free(nm); + return(NULL); + } + name[nameLen] = '\0'; + if(len > 0) { + ++str; --len; + if((*str) == '\"') { + ++str; --len; + 
valueLen = xmlSecOpenSSLX509NameStringRead(&str, &len, + value, sizeof(value), '"', 1); + if(valueLen < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecOpenSSLX509NameStringRead", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + X509_NAME_free(nm); + return(NULL); + } + + /* skip quote */ + if((len <= 0) || ((*str) != '\"')) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "quote is expected:%s", + xmlSecErrorsSafeString(str)); + X509_NAME_free(nm); + return(NULL); + } ++str; --len; - /* skip spaces before comma or semicolon */ - while((len > 0) && isspace(*str)) { - ++str; --len; - } - if((len > 0) && ((*str) != ',')) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "comma is expected:%s", - xmlSecErrorsSafeString(str)); - X509_NAME_free(nm); - return(NULL); - } - if(len > 0) { - ++str; --len; - } - type = MBSTRING_ASC; - } else if((*str) == '#') { - /* TODO: read octect values */ - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "reading octect values is not implemented yet"); - X509_NAME_free(nm); - return(NULL); - } else { - valueLen = xmlSecOpenSSLX509NameStringRead(&str, &len, - value, sizeof(value), ',', 1); - if(valueLen < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecOpenSSLX509NameStringRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - X509_NAME_free(nm); - return(NULL); - } - type = MBSTRING_ASC; - } - } else { - valueLen = 0; - } - value[valueLen] = '\0'; - if(len > 0) { - ++str; --len; - } - X509_NAME_add_entry_by_txt(nm, (char*)name, type, value, valueLen, -1, 0); + /* skip spaces before comma or semicolon */ + while((len > 0) && isspace(*str)) { + ++str; --len; + } + if((len > 0) && ((*str) != ',')) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "comma is expected:%s", + xmlSecErrorsSafeString(str)); + X509_NAME_free(nm); + return(NULL); + } + if(len > 
0) { + ++str; --len; + } + type = MBSTRING_ASC; + } else if((*str) == '#') { + /* TODO: read octect values */ + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "reading octect values is not implemented yet"); + X509_NAME_free(nm); + return(NULL); + } else { + valueLen = xmlSecOpenSSLX509NameStringRead(&str, &len, + value, sizeof(value), ',', 1); + if(valueLen < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecOpenSSLX509NameStringRead", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + X509_NAME_free(nm); + return(NULL); + } + type = MBSTRING_ASC; + } + } else { + valueLen = 0; + } + value[valueLen] = '\0'; + if(len > 0) { + ++str; --len; + } + X509_NAME_add_entry_by_txt(nm, (char*)name, type, value, valueLen, -1, 0); } - + return(nm); } -static int -xmlSecOpenSSLX509NameStringRead(xmlSecByte **str, int *strLen, - xmlSecByte *res, int resLen, - xmlSecByte delim, int ingoreTrailingSpaces) { - xmlSecByte *p, *q, *nonSpace; +static int +xmlSecOpenSSLX509NameStringRead(xmlSecByte **str, int *strLen, + xmlSecByte *res, int resLen, + xmlSecByte delim, int ingoreTrailingSpaces) { + xmlSecByte *p, *q, *nonSpace; xmlSecAssert2(str != NULL, -1); xmlSecAssert2(strLen != NULL, -1); xmlSecAssert2(res != NULL, -1); - + p = (*str); nonSpace = q = res; - while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { - if((*p) != '\\') { - if(ingoreTrailingSpaces && !isspace(*p)) nonSpace = q; - *(q++) = *(p++); - } else { - ++p; - nonSpace = q; - if(xmlSecIsHex((*p))) { - if((p - (*str) + 1) >= (*strLen)) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "two hex digits expected"); - return(-1); - } - *(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]); - p += 2; - } else { - if(((++p) - (*str)) >= (*strLen)) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "escaped symbol missed"); - return(-1); - } - *(q++) = *(p++); - } - } + 
while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { + if((*p) != '\\') { + if(ingoreTrailingSpaces && !isspace(*p)) nonSpace = q; + *(q++) = *(p++); + } else { + ++p; + nonSpace = q; + if(xmlSecIsHex((*p))) { + if((p - (*str) + 1) >= (*strLen)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "two hex digits expected"); + return(-1); + } + *(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]); + p += 2; + } else { + if(((++p) - (*str)) >= (*strLen)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "escaped symbol missed"); + return(-1); + } + *(q++) = *(p++); + } + } } if(((p - (*str)) < (*strLen)) && ((*p) != delim)) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_SIZE, - "buffer is too small"); - return(-1); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_SIZE, + "buffer is too small"); + return(-1); } (*strLen) -= (p - (*str)); (*str) = p; 
@@ -1172,106 +1172,106 @@ xmlSecOpenSSLX509NameStringRead(xmlSecByte **str, int *strLen, } static -int xmlSecOpenSSLX509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { +int xmlSecOpenSSLX509_NAME_cmp(const X509_NAME * a, const X509_NAME * b) { int i,ret; const X509_NAME_ENTRY *na,*nb; xmlSecAssert2(a != NULL, -1); xmlSecAssert2(b != NULL, 1); - + if (sk_X509_NAME_ENTRY_num(a->entries) != sk_X509_NAME_ENTRY_num(b->entries)) { - return sk_X509_NAME_ENTRY_num(a->entries) - sk_X509_NAME_ENTRY_num(b->entries); + return sk_X509_NAME_ENTRY_num(a->entries) - sk_X509_NAME_ENTRY_num(b->entries); } - + for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) { - na=sk_X509_NAME_ENTRY_value(a->entries,i); - nb=sk_X509_NAME_ENTRY_value(b->entries,i); - - ret = xmlSecOpenSSLX509_NAME_ENTRY_cmp(&na, &nb); - if(ret != 0) { - return(ret); - } - } + na=sk_X509_NAME_ENTRY_value(a->entries,i); + nb=sk_X509_NAME_ENTRY_value(b->entries,i); + + ret = xmlSecOpenSSLX509_NAME_ENTRY_cmp(&na, &nb); + if(ret != 0) { + return(ret); + } + } return(0); } -/** +/** * xmlSecOpenSSLX509NamesCompare: * * We have to sort X509_NAME entries to get correct results. 
* This is ugly but OpenSSL does not support it */ -static int +static int xmlSecOpenSSLX509NamesCompare(X509_NAME *a, X509_NAME *b) { X509_NAME *a1 = NULL; X509_NAME *b1 = NULL; int ret; - - xmlSecAssert2(a != NULL, -1); - xmlSecAssert2(b != NULL, 1); - + + xmlSecAssert2(a != NULL, -1); + xmlSecAssert2(b != NULL, 1); + a1 = X509_NAME_dup(a); if(a1 == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "X509_NAME_dup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_NAME_dup", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); return(-1); } b1 = X509_NAME_dup(b); if(b1 == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "X509_NAME_dup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_NAME_dup", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); return(1); } - + /* sort both */ - sk_X509_NAME_ENTRY_set_cmp_func(a1->entries, xmlSecOpenSSLX509_NAME_ENTRY_cmp); + (void)sk_X509_NAME_ENTRY_set_cmp_func(a1->entries, xmlSecOpenSSLX509_NAME_ENTRY_cmp); sk_X509_NAME_ENTRY_sort(a1->entries); - sk_X509_NAME_ENTRY_set_cmp_func(b1->entries, xmlSecOpenSSLX509_NAME_ENTRY_cmp); + (void)sk_X509_NAME_ENTRY_set_cmp_func(b1->entries, xmlSecOpenSSLX509_NAME_ENTRY_cmp); sk_X509_NAME_ENTRY_sort(b1->entries); /* actually compare */ ret = xmlSecOpenSSLX509_NAME_cmp(a1, b1); - + /* cleanup */ X509_NAME_free(a1); X509_NAME_free(b1); return(ret); } -static int -xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b) { +static int +xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY * const *a, const X509_NAME_ENTRY * const *b) { int ret; - + xmlSecAssert2(a != NULL, -1); xmlSecAssert2(b != NULL, 1); xmlSecAssert2((*a) != NULL, -1); xmlSecAssert2((*b) != NULL, 1); - /* first compare values */ + /* first compare values */ if(((*a)->value == NULL) && ((*b)->value != NULL)) { - return(-1); + return(-1); } else 
if(((*a)->value != NULL) && ((*b)->value == NULL)) { - return(1); + return(1); } else if(((*a)->value == NULL) && ((*b)->value == NULL)) { - return(0); - } - + return(0); + } + ret = (*a)->value->length - (*b)->value->length; if(ret != 0) { - return(ret); + return(ret); } - + ret = memcmp((*a)->value->data, (*b)->value->data, (*a)->value->length); if(ret != 0) { - return(ret); + return(ret); } /* next compare names */ |