Diffstat (limited to 'src/openssl/x509vfy.c')
-rw-r--r--src/openssl/x509vfy.c579
1 files changed, 219 insertions, 360 deletions
diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
index f828afb2..2e54f136 100644
--- a/src/openssl/x509vfy.c
+++ b/src/openssl/x509vfy.c
@@ -1,7 +1,5 @@
-/**
- * XMLSec library
- *
- * X509 support
+/*
+ * XML Security Library (http://www.aleksey.com/xmlsec).
*
*
* This is free software; see Copyright file in the source
@@ -9,6 +7,13 @@
*
* Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved.
*/
+/**
+ * SECTION:x509vfy
+ * @Short_description: X509 certificates verification support functions for OpenSSL.
+ * @Stability: Private
+ *
+ */
+
#include "globals.h"
#ifndef XMLSEC_NO_X509
@@ -20,10 +25,6 @@
#include <errno.h>
#include <libxml/tree.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/x509_vfy.h>
-#include <openssl/x509v3.h>
#include <xmlsec/xmlsec.h>
#include <xmlsec/xmltree.h>
@@ -36,11 +37,18 @@
#include <xmlsec/openssl/crypto.h>
#include <xmlsec/openssl/evp.h>
#include <xmlsec/openssl/x509.h>
+#include "openssl_compat.h"
-/* new API from OpenSSL 1.1.0 */
-#if !defined(XMLSEC_OPENSSL_110)
-#define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
-#endif /* !defined(XMLSEC_OPENSSL_110) */
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
+
+#ifdef OPENSSL_IS_BORINGSSL
+typedef size_t x509_size_t;
+#else /* OPENSSL_IS_BORINGSSL */
+typedef int x509_size_t;
+#endif /* OPENSSL_IS_BORINGSSL */
/**************************************************************************
*
@@ -181,15 +189,22 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
X509 * res = NULL;
X509 * cert;
X509 * err_cert = NULL;
- char buf[256];
+ X509_STORE_CTX *xsc;
int err = 0;
- int i;
+ x509_size_t i;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), NULL);
xmlSecAssert2(certs != NULL, NULL);
xmlSecAssert2(keyInfoCtx != NULL, NULL);
+ xsc = X509_STORE_CTX_new();
+ if(xsc == NULL) {
+ xmlSecOpenSSLError("X509_STORE_CTX_new",
+ xmlSecKeyDataStoreGetName(store));
+ goto done;
+ }
+
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, NULL);
xmlSecAssert2(ctx->xst != NULL, NULL);
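Review bot: The context allocated at `xsc = X509_STORE_CTX_new();` is leaked if either of the two `xmlSecAssert2(ctx ...)` checks that follow it fails, because those macros return NULL directly instead of going through `done:`. Moving the allocation below `xmlSecAssert2(ctx->xst != NULL, NULL);` keeps the single exit path; alternatively assert on `ctx` before allocating. The `goto done` on allocation failure also relies on `certs2`/`crls2` being initialised to NULL in the declarations above this hunk, which I cannot see here. The function body continues past the hunk.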
@@ -197,11 +212,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
/* dup certs */
certs2 = sk_X509_dup(certs);
if(certs2 == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_dup",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_dup",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
@@ -210,11 +222,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
for(i = 0; i < sk_X509_num(ctx->untrusted); ++i) {
ret = sk_X509_push(certs2, sk_X509_value(ctx->untrusted, i));
if(ret < 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_push",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_push",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
}
@@ -224,11 +233,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
if(crls != NULL) {
crls2 = sk_X509_CRL_dup(crls);
if(crls2 == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_CRL_dup",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_CRL_dup",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
@@ -239,11 +245,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
} else if(ret == 0) {
(void)sk_X509_CRL_delete(crls2, i);
} else {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "xmlSecOpenSSLX509VerifyCRL",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509VerifyCRL",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
}
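Review bot: `(void)sk_X509_CRL_delete(crls2, i);` removes the element at index `i` while the enclosing loop (its header is above this hunk) keeps iterating, so if that loop is the `for(...; ++i)` form used elsewhere in this function, the entry that shifts into slot `i` is never examined by xmlSecOpenSSLX509VerifyCRL. The same pattern follows `sk_X509_delete(certs2, i); continue;` in the next two hunks, where a skipped cert would stay in the chain pool without its revocation check. Decrementing `i` after each delete (`--i;`) or iterating backwards fixes all three; the loop shape itself is outside the hunk and should be confirmed.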
@@ -259,11 +262,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
(void)sk_X509_delete(certs2, i);
continue;
} else if(ret != 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "xmlSecOpenSSLX509VerifyCertAgainstCrls",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509VerifyCertAgainstCrls",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
}
@@ -274,11 +274,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
(void)sk_X509_delete(certs2, i);
continue;
} else if(ret != 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "xmlSecOpenSSLX509VerifyCertAgainstCrls",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509VerifyCertAgainstCrls",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
}
@@ -289,18 +286,16 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
for(i = 0; i < sk_X509_num(certs2); ++i) {
cert = sk_X509_value(certs2, i);
if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) {
- X509_STORE_CTX xsc;
-
- if(!X509_STORE_CTX_init(&xsc, ctx->xst, cert, certs2)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_CTX_init",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+
+ ret = X509_STORE_CTX_init(xsc, ctx->xst, cert, certs2);
+ if(ret != 1) {
+ xmlSecOpenSSLError("X509_STORE_CTX_init",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
+
if(keyInfoCtx->certsVerificationTime > 0) {
- X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime);
+ X509_STORE_CTX_set_time(xsc, 0, keyInfoCtx->certsVerificationTime);
}
{
@@ -309,11 +304,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
vpm = X509_VERIFY_PARAM_new();
if(vpm == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_VERIFY_PARAM_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_VERIFY_PARAM_new",
+ xmlSecKeyDataStoreGetName(store));
goto done;
}
vpm_flags = X509_VERIFY_PARAM_get_flags(vpm);
@@ -324,54 +316,41 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime);
}
- X509_VERIFY_PARAM_set_depth(vpm, 9);
+ X509_VERIFY_PARAM_set_depth(vpm, keyInfoCtx->certsVerificationDepth);
X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
- X509_STORE_CTX_set0_param(&xsc, vpm);
+ X509_STORE_CTX_set0_param(xsc, vpm);
}
- ret = X509_verify_cert(&xsc);
- err_cert = X509_STORE_CTX_get_current_cert(&xsc);
- err = X509_STORE_CTX_get_error(&xsc);
-
- X509_STORE_CTX_cleanup (&xsc);
- if(ret != 1 && keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_ALLOW_BROKEN_CHAIN){
+ if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) == 0) {
+ ret = X509_verify_cert(xsc);
+ } else {
ret = 1;
- keyInfoCtx->flags2 |= XMLSEC_KEYINFO_ERROR_FLAGS_BROKEN_CHAIN;
}
+ err_cert = X509_STORE_CTX_get_current_cert(xsc);
+ err = X509_STORE_CTX_get_error(xsc);
+
+ X509_STORE_CTX_cleanup (xsc);
if(ret == 1) {
res = cert;
goto done;
} else if(ret < 0) {
- const char* err_msg;
-
- buf[0] = '\0';
- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
- err_msg = X509_verify_cert_error_string(err);
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_verify_cert",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- "subj=%s;err=%d;msg=%s",
- xmlSecErrorsSafeString(buf),
- err,
- xmlSecErrorsSafeString(err_msg));
+ /* real error */
+ xmlSecOpenSSLError("X509_verify_cert", xmlSecKeyDataStoreGetName(store));
goto done;
} else if(ret == 0) {
const char* err_msg;
+ char subject[256], issuer[256];
- buf[0] = '\0';
- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
+ X509_NAME_oneline(X509_get_subject_name(err_cert), subject, sizeof(subject));
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, sizeof(issuer));
err_msg = X509_verify_cert_error_string(err);
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_verify_cert",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- "subj=%s;err=%d;msg=%s",
- xmlSecErrorsSafeString(buf),
- err,
- xmlSecErrorsSafeString(err_msg));
+
+ xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+ xmlSecKeyDataStoreGetName(store),
+ "X509_verify_cert: subject=%s; issuer=%s; err=%d; msg=%s",
+ subject, issuer, err, xmlSecErrorsSafeString(err_msg));
}
}
}
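Review bot: `char subject[256], issuer[256];` replaces a buffer that was explicitly cleared with `buf[0] = '\0'` before X509_NAME_oneline, and that clearing is gone: X509_NAME_oneline returns NULL on its own error paths without guaranteeing it wrote the buffer, after which both arrays reach a `%s` format uninitialised. Initialising them, `char subject[256] = "", issuer[256] = "";`, restores the old guarantee; the same applies to the identical declaration in the next hunk (the `err != 0` block). The `ret == 0` branch also dereferences `err_cert` through X509_get_subject_name/X509_get_issuer_name without the `err_cert != NULL` test that the next hunk does apply — I believe X509_STORE_CTX_get_current_cert can be NULL for some verification failures, so a guard here is cheap. Separately, the new `XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS` branch sets `ret = 1` and returns the candidate as `res` with no chain or signature check, and the old `XMLSEC_KEYINFO_ERROR_FLAGS_BROKEN_CHAIN` signal in `flags2` is no longer set; a comment on that branch stating that the only checks left on this path are the CRL checks earlier in the function would tell callers exactly what the flag disables.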
@@ -379,45 +358,39 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
/* if we came here then we found nothing. do we have any error? */
if((err != 0) && (err_cert != NULL)) {
const char* err_msg;
+ char subject[256], issuer[256];
+ X509_NAME_oneline(X509_get_subject_name(err_cert), subject, sizeof(subject));
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, sizeof(issuer));
err_msg = X509_verify_cert_error_string(err);
+
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf);
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- NULL,
- XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
- "err=%d;msg=%s;issuer=%s",
- err,
- xmlSecErrorsSafeString(err_msg),
- xmlSecErrorsSafeString(buf));
+ xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
+ xmlSecKeyDataStoreGetName(store),
+ "subject=%s; issuer=%s; err=%d; msg=%s",
+ subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- NULL,
- XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
- "err=%d;msg=%s", err,
- xmlSecErrorsSafeString(err_msg));
+ xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
+ xmlSecKeyDataStoreGetName(store),
+ "subject=%s; issuer=%s; err=%d; msg=%s",
+ subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- NULL,
- XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
- "err=%d;msg=%s", err,
- xmlSecErrorsSafeString(err_msg));
+ xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
+ xmlSecKeyDataStoreGetName(store),
+ "subject=%s; issuer=%s; err=%d; msg=%s",
+ subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
default:
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- NULL,
- XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
- "err=%d;msg=%s", err,
- xmlSecErrorsSafeString(err_msg));
+ xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+ xmlSecKeyDataStoreGetName(store),
+ "subject=%s; issuer=%s; err=%d; msg=%s",
+ subject, issuer, err, xmlSecErrorsSafeString(err_msg));
+ break;
}
}
@@ -428,6 +401,9 @@ done:
if(crls2 != NULL) {
sk_X509_CRL_free(crls2);
}
+ if(xsc != NULL) {
+ X509_STORE_CTX_free(xsc);
+ }
return(res);
}
@@ -457,11 +433,8 @@ xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecK
ret = X509_STORE_add_cert(ctx->xst, cert);
if(ret != 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_add_cert",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_STORE_add_cert",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
/* add cert increments the reference */
@@ -471,11 +444,8 @@ xmlSecOpenSSLX509StoreAdoptCert(xmlSecKeyDataStorePtr store, X509* cert, xmlSecK
ret = sk_X509_push(ctx->untrusted, cert);
if(ret < 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_push",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_push",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
}
@@ -505,11 +475,8 @@ xmlSecOpenSSLX509StoreAdoptCrl(xmlSecKeyDataStorePtr store, X509_CRL* crl) {
ret = sk_X509_CRL_push(ctx->crls, crl);
if(ret < 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_CRL_push",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_CRL_push",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
@@ -540,21 +507,15 @@ xmlSecOpenSSLX509StoreAddCertsPath(xmlSecKeyDataStorePtr store, const char *path
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
if(lookup == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_add_lookup",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_STORE_add_lookup",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
if(!X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_LOOKUP_add_dir",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- "path='%s'",
- xmlSecErrorsSafeString(path)
- );
+ xmlSecOpenSSLError2("X509_LOOKUP_add_dir",
+ xmlSecKeyDataStoreGetName(store),
+ "path='%s'",
+ xmlSecErrorsSafeString(path));
return(-1);
}
return(0);
@@ -563,7 +524,7 @@ xmlSecOpenSSLX509StoreAddCertsPath(xmlSecKeyDataStorePtr store, const char *path
/**
* xmlSecOpenSSLX509StoreAddCertsFile:
* @store: the pointer to OpenSSL x509 store.
- * @file: the certs file.
+ * @filename: the certs file.
*
* Adds all certs in @file to the list of trusted certs
* in @store. It is possible for @file to contain multiple certs.
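Review bot: The parameter was renamed to `@filename` in the gtk-doc header but the two description lines below it still say `@file` (`Adds all certs in @file` and `It is possible for @file`), which now reference a parameter that no longer exists. Change both to `@filename` so the comment matches the signature changed in the next hunk.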
@@ -571,12 +532,12 @@ xmlSecOpenSSLX509StoreAddCertsPath(xmlSecKeyDataStorePtr store, const char *path
* Returns: 0 on success or a negative value otherwise.
*/
int
-xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file) {
+xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *filename) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
X509_LOOKUP *lookup = NULL;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), -1);
- xmlSecAssert2(file != NULL, -1);
+ xmlSecAssert2(filename != NULL, -1);
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, -1);
@@ -584,21 +545,15 @@ xmlSecOpenSSLX509StoreAddCertsFile(xmlSecKeyDataStorePtr store, const char *file
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_file());
if(lookup == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_add_lookup",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_STORE_add_lookup",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
- if(!X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_LOOKUP_load_file",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- "file='%s'",
- xmlSecErrorsSafeString(file)
- );
+ if(!X509_LOOKUP_load_file(lookup, filename, X509_FILETYPE_PEM)) {
+ xmlSecOpenSSLError2("X509_LOOKUP_load_file",
+ xmlSecKeyDataStoreGetName(store),
+ "filename='%s'",
+ xmlSecErrorsSafeString(filename));
return(-1);
}
return(0);
@@ -619,85 +574,60 @@ xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) {
ctx->xst = X509_STORE_new();
if(ctx->xst == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_STORE_new",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
if(!X509_STORE_set_default_paths(ctx->xst)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_set_default_paths",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_STORE_set_default_paths",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
lookup = X509_STORE_add_lookup(ctx->xst, X509_LOOKUP_hash_dir());
if(lookup == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_STORE_add_lookup",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_STORE_add_lookup",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
path = xmlSecOpenSSLGetDefaultTrustedCertsFolder();
if(path != NULL) {
if(!X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_PEM)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_LOOKUP_add_dir",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- "path='%s'",
- xmlSecErrorsSafeString(path)
- );
+ xmlSecOpenSSLError2("X509_LOOKUP_add_dir",
+ xmlSecKeyDataStoreGetName(store),
+ "path='%s'",
+ xmlSecErrorsSafeString(path));
return(-1);
}
} else {
if(!X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_LOOKUP_add_dir",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE
- );
+ xmlSecOpenSSLError("X509_LOOKUP_add_dir",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
}
ctx->untrusted = sk_X509_new_null();
if(ctx->untrusted == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_new_null",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_new_null",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
ctx->crls = sk_X509_CRL_new_null();
if(ctx->crls == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "sk_X509_CRL_new_null",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_CRL_new_null",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
ctx->vpm = X509_VERIFY_PARAM_new();
if(ctx->vpm == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
- "X509_VERIFY_PARAM_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_VERIFY_PARAM_new",
+ xmlSecKeyDataStoreGetName(store));
return(-1);
}
X509_VERIFY_PARAM_set_depth(ctx->vpm, 9); /* the default cert verification path in openssl */
@@ -740,54 +670,54 @@ xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) {
*****************************************************************************/
static int
xmlSecOpenSSLX509VerifyCRL(X509_STORE* xst, X509_CRL *crl ) {
- X509_STORE_CTX xsc;
- X509_OBJECT xobj;
- EVP_PKEY *pkey;
+ X509_STORE_CTX *xsc = NULL;
+ X509_OBJECT *xobj = NULL;
+ EVP_PKEY *pkey = NULL;
int ret;
xmlSecAssert2(xst != NULL, -1);
xmlSecAssert2(crl != NULL, -1);
- ret = X509_STORE_CTX_init(&xsc, xst, NULL, NULL);
- if(ret <= 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "X509_STORE_CTX_init",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- return(-1);
+ xsc = X509_STORE_CTX_new();
+ if(xsc == NULL) {
+ xmlSecOpenSSLError("X509_STORE_CTX_new", NULL);
+ goto err;
}
- ret = X509_STORE_get_by_subject(&xsc, X509_LU_X509,
- X509_CRL_get_issuer(crl), &xobj);
+ xobj = (X509_OBJECT *)X509_OBJECT_new();
+ if(xobj == NULL) {
+ xmlSecOpenSSLError("X509_OBJECT_new", NULL);
+ goto err;
+ }
+
+ ret = X509_STORE_CTX_init(xsc, xst, NULL, NULL);
+ if(ret != 1) {
+ xmlSecOpenSSLError("X509_STORE_CTX_init", NULL);
+ goto err;
+ }
+ ret = X509_STORE_CTX_get_by_subject(xsc, X509_LU_X509,
+ X509_CRL_get_issuer(crl), xobj);
if(ret <= 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "X509_STORE_get_by_subject",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- return(-1);
+ xmlSecOpenSSLError("X509_STORE_CTX_get_by_subject", NULL);
+ goto err;
}
- pkey = X509_get_pubkey(xobj.data.x509);
- X509_OBJECT_free_contents(&xobj);
+ pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
if(pkey == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "X509_get_pubkey",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- return(-1);
+ xmlSecOpenSSLError("X509_get_pubkey", NULL);
+ goto err;
}
ret = X509_CRL_verify(crl, pkey);
EVP_PKEY_free(pkey);
if(ret != 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "X509_CRL_verify",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_CRL_verify", NULL);
}
- X509_STORE_CTX_cleanup (&xsc);
+ X509_STORE_CTX_free(xsc);
+ X509_OBJECT_free(xobj);
return((ret == 1) ? 1 : 0);
+
+err:
+ X509_STORE_CTX_free(xsc);
+ X509_OBJECT_free(xobj);
+ return(-1);
}
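Review bot: `xobj = (X509_OBJECT *)X509_OBJECT_new();` casts a pointer that is already returned as `X509_OBJECT *`; `xobj = X509_OBJECT_new();` is enough, and the cast would only hide a prototype mismatch from a compat header. The success exit and the `err:` label free the same two objects, so a single `done:` label with the result mapped from `ret` would avoid the duplicated cleanup. X509_OBJECT_new, X509_OBJECT_get0_X509 and X509_STORE_CTX_get_by_subject are 1.1.0-era names; I assume openssl_compat.h supplies them for older OpenSSL, which is not visible here. A one-line header comment saying the function returns 1 when the CRL signature verifies against an issuer found in the trusted store, 0 when it does not, and -1 on error would document the tri-state result the callers in the earlier hunks depend on.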
static X509*
@@ -795,7 +725,7 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName,
xmlChar *issuerName, xmlChar *issuerSerial,
xmlChar *ski) {
X509 *cert = NULL;
- int i;
+ x509_size_t i;
xmlSecAssert2(certs != NULL, NULL);
@@ -806,12 +736,8 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName,
nm = xmlSecOpenSSLX509NameRead(subjectName, xmlStrlen(subjectName));
if(nm == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509NameRead",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "subject=%s",
- xmlSecErrorsSafeString(subjectName));
+ xmlSecInternalError2("xmlSecOpenSSLX509NameRead", NULL,
+ "subject=%s", xmlSecErrorsSafeString(subjectName));
return(NULL);
}
@@ -832,31 +758,19 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName,
nm = xmlSecOpenSSLX509NameRead(issuerName, xmlStrlen(issuerName));
if(nm == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509NameRead",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "issuer=%s",
- xmlSecErrorsSafeString(issuerName));
+ xmlSecInternalError2("xmlSecOpenSSLX509NameRead", NULL,
+ "issuer=%s", xmlSecErrorsSafeString(issuerName));
return(NULL);
}
bn = BN_new();
if(bn == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "BN_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("BN_new", NULL);
X509_NAME_free(nm);
return(NULL);
}
if(BN_dec2bn(&bn, (char*)issuerSerial) == 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "BN_dec2bn",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("BN_dec2bn", NULL);
BN_free(bn);
X509_NAME_free(nm);
return(NULL);
@@ -864,11 +778,7 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName,
serial = BN_to_ASN1_INTEGER(bn, NULL);
if(serial == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "BN_to_ASN1_INTEGER",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("BN_to_ASN1_INTEGER", NULL);
BN_free(bn);
X509_NAME_free(nm);
return(NULL);
@@ -900,26 +810,29 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName,
/* our usual trick with base64 decode */
len = xmlSecBase64Decode(ski, (xmlSecByte*)ski, xmlStrlen(ski));
if(len < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecBase64Decode",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "ski=%s",
- xmlSecErrorsSafeString(ski));
+ xmlSecInternalError2("xmlSecBase64Decode", NULL,
+ "ski=%s", xmlSecErrorsSafeString(ski));
return(NULL);
}
for(i = 0; i < sk_X509_num(certs); ++i) {
cert = sk_X509_value(certs, i);
index = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
- if((index >= 0) && (ext = X509_get_ext(cert, index))) {
- keyId = X509V3_EXT_d2i(ext);
- if((keyId != NULL) && (keyId->length == len) &&
- (memcmp(keyId->data, ski, len) == 0)) {
- ASN1_OCTET_STRING_free(keyId);
- return(cert);
- }
+ if(index < 0) {
+ continue;
+ }
+ ext = X509_get_ext(cert, index);
+ if(ext == NULL) {
+ continue;
+ }
+ keyId = (ASN1_OCTET_STRING *)X509V3_EXT_d2i(ext);
+ if(keyId == NULL) {
+ continue;
+ }
+ if((keyId->length == len) && (memcmp(keyId->data, ski, len) == 0)) {
ASN1_OCTET_STRING_free(keyId);
+ return(cert);
}
+ ASN1_OCTET_STRING_free(keyId);
}
}
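Review bot: The SKI match `(keyId->length == len) && (memcmp(keyId->data, ski, len) == 0)` treats a zero-length decoded `ski` as a match for any certificate whose SubjectKeyIdentifier extension is also empty, because `len < 0` is the only rejected case above. Unless an empty X509SKI is a legitimate selector, rejecting it at the decode check, `if(len <= 0) {`, with the same error path keeps a degenerate KeyInfo from selecting a cert. The guarded `continue` rewrite of the loop body is clearer than the previous compound condition; the function continues past the hunk.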
@@ -929,7 +842,7 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName,
static X509*
xmlSecOpenSSLX509FindNextChainCert(STACK_OF(X509) *chain, X509 *cert) {
unsigned long certSubjHash;
- int i;
+ x509_size_t i;
xmlSecAssert2(chain != NULL, NULL);
xmlSecAssert2(cert != NULL, NULL);
@@ -950,7 +863,7 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) {
X509_NAME *issuer;
X509_CRL *crl = NULL;
X509_REVOKED *revoked;
- int i, n;
+ x509_size_t i, n;
int ret;
xmlSecAssert2(crls != NULL, -1);
@@ -980,7 +893,7 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) {
/*
* Check date of CRL to make sure it's not expired
*/
- ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
+ ret = X509_cmp_current_time(X509_CRL_get0_nextUpdate(crl));
if (ret == 0) {
/* crl expired */
return(1);
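Review bot: `if (ret == 0) { /* crl expired */ return(1); }` tests the value X509_cmp_current_time returns on error (a time it cannot parse), not expiry, which is a negative result; as written an unparsable nextUpdate makes the function report the cert as not revoked without consulting the CRL, while a CRL whose nextUpdate is in the past is still used. If skipping expired CRLs is the intent, the test is `ret < 0`, and the error case should probably be `return(-1)` rather than acceptance. X509_CRL_get0_nextUpdate may also return NULL because nextUpdate is optional, and I am not certain every supported OpenSSL version tolerates a NULL time in X509_cmp_current_time, so a NULL check before the call is worth adding.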
@@ -993,11 +906,7 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) {
for (i = 0; i < n; i++) {
revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), X509_get_serialNumber(cert)) == 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_CERT_REVOKED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOtherError(XMLSEC_ERRORS_R_CERT_REVOKED, NULL, NULL);
return(0);
}
}
@@ -1016,11 +925,7 @@ xmlSecOpenSSLX509NameRead(xmlSecByte *str, int len) {
nm = X509_NAME_new();
if(nm == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "X509_NAME_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("X509_NAME_new", NULL);
return(NULL);
}
@@ -1032,11 +937,7 @@ xmlSecOpenSSLX509NameRead(xmlSecByte *str, int len) {
nameLen = xmlSecOpenSSLX509NameStringRead(&str, &len, name, sizeof(name), '=', 0);
if(nameLen < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509NameStringRead",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509NameStringRead", NULL);
X509_NAME_free(nm);
return(NULL);
}
@@ -1048,23 +949,14 @@ xmlSecOpenSSLX509NameRead(xmlSecByte *str, int len) {
valueLen = xmlSecOpenSSLX509NameStringRead(&str, &len,
value, sizeof(value), '"', 1);
if(valueLen < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509NameStringRead",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509NameStringRead", NULL);
X509_NAME_free(nm);
return(NULL);
}
/* skip quote */
if((len <= 0) || ((*str) != '\"')) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_DATA,
- "quote is expected:%s",
- xmlSecErrorsSafeString(str));
+ xmlSecInvalidIntegerDataError("char", (*str), "quote '\"'", NULL);
X509_NAME_free(nm);
return(NULL);
}
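Review bot: `xmlSecInvalidIntegerDataError("char", (*str), "quote '\"'", NULL);` reads `*str` even when the first half of the condition, `len <= 0`, is what failed, i.e. when `str` already points at or past the end of the input; the old message had a similar over-read via `%s`, but the new call makes it a single explicit out-of-bounds byte read. Passing a sentinel when there is no data, `xmlSecInvalidIntegerDataError("char", (len > 0) ? (*str) : 0, "quote '\"'", NULL);`, removes it. The comma check in the next hunk is already ordered safely (`(len > 0) && ...`).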
@@ -1075,12 +967,7 @@ xmlSecOpenSSLX509NameRead(xmlSecByte *str, int len) {
++str; --len;
}
if((len > 0) && ((*str) != ',')) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_DATA,
- "comma is expected:%s",
- xmlSecErrorsSafeString(str));
+ xmlSecInvalidIntegerDataError("char", (*str), "comma ','", NULL);
X509_NAME_free(nm);
return(NULL);
}
@@ -1090,22 +977,14 @@ xmlSecOpenSSLX509NameRead(xmlSecByte *str, int len) {
type = MBSTRING_ASC;
} else if((*str) == '#') {
/* TODO: read octect values */
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_DATA,
- "reading octect values is not implemented yet");
+ xmlSecNotImplementedError("reading octect values is not implemented yet");
X509_NAME_free(nm);
return(NULL);
} else {
valueLen = xmlSecOpenSSLX509NameStringRead(&str, &len,
value, sizeof(value), ',', 1);
if(valueLen < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509NameStringRead",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509NameStringRead", NULL);
X509_NAME_free(nm);
return(NULL);
}
@@ -1138,29 +1017,23 @@ xmlSecOpenSSLX509NameStringRead(xmlSecByte **str, int *strLen,
nonSpace = q = res;
while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) {
if((*p) != '\\') {
- if(ingoreTrailingSpaces && !isspace(*p)) nonSpace = q;
+ if(ingoreTrailingSpaces && !isspace(*p)) {
+ nonSpace = q;
+ }
*(q++) = *(p++);
} else {
++p;
nonSpace = q;
if(xmlSecIsHex((*p))) {
if((p - (*str) + 1) >= (*strLen)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_DATA,
- "two hex digits expected");
+ xmlSecInvalidDataError("two hex digits expected", NULL);
return(-1);
}
*(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]);
p += 2;
} else {
if(((++p) - (*str)) >= (*strLen)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_DATA,
- "escaped symbol missed");
+ xmlSecInvalidDataError("escaped symbol missed", NULL);
return(-1);
}
*(q++) = *(p++);
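Review bot: After `++p;` in the escape branch, `xmlSecIsHex((*p))` reads the byte at `p` before either length test runs, so an input whose last byte is a backslash reads one past `*strLen`; with a NUL-terminated libxml buffer that is the terminator, but the function takes an explicit length and should not rely on it. Checking the bound first — `if((p - (*str)) >= (*strLen)) { xmlSecInvalidDataError("escaped symbol missed", NULL); return(-1); }` directly after `++p;` — makes both existing checks safe. The function header and declarations are above this hunk.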
@@ -1168,19 +1041,15 @@ xmlSecOpenSSLX509NameStringRead(xmlSecByte **str, int *strLen,
}
}
if(((p - (*str)) < (*strLen)) && ((*p) != delim)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- NULL,
- XMLSEC_ERRORS_R_INVALID_SIZE,
- "buffer is too small");
+ xmlSecInvalidSizeOtherError("buffer is too small", NULL);
return(-1);
}
- (*strLen) -= (p - (*str));
+ (*strLen) -= (int)(p - (*str));
(*str) = p;
- return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);
+ return(int)((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);
}
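Review bot: `return(int)((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);` yields 1 for an empty or all-whitespace value when trailing spaces are ignored, because `nonSpace` starts at `res` (`nonSpace = q = res;` in the previous hunk) and the `+ 1` then counts a byte that may never have been written. Tracking the length as an integer instead of a pointer — `int nonSpaceLen = 0;` updated with `nonSpaceLen = (int)(q - res) + 1;` at each place `nonSpace = q` is assigned, and returning `ingoreTrailingSpaces ? nonSpaceLen : (int)(q - res)` — gives 0 for those inputs. The cast also reads oddly as `return(int)(...)`; `return (int)(...)` shows the intent. The declarations this touches are above the hunk.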
-/**
+/*
* This function DOES NOT create duplicates for X509_NAME_ENTRY objects!
*/
static STACK_OF(X509_NAME_ENTRY)*
@@ -1190,11 +1059,7 @@ xmlSecOpenSSLX509_NAME_ENTRIES_copy(X509_NAME * a) {
res = sk_X509_NAME_ENTRY_new(xmlSecOpenSSLX509_NAME_ENTRY_cmp);
if(res == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "sk_X509_NAME_ENTRY_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("sk_X509_NAME_ENTRY_new", NULL);
return(NULL);
}
@@ -1249,20 +1114,12 @@ xmlSecOpenSSLX509NamesCompare(X509_NAME *a, X509_NAME *b) {
a1 = xmlSecOpenSSLX509_NAME_ENTRIES_copy(a);
if(a1 == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509_NAME_ENTRIES_copy",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509_NAME_ENTRIES_copy", NULL);
return(-1);
}
b1 = xmlSecOpenSSLX509_NAME_ENTRIES_copy(b);
if(b1 == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "xmlSecOpenSSLX509_NAME_ENTRIES_copy",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInternalError("xmlSecOpenSSLX509_NAME_ENTRIES_copy", NULL);
sk_X509_NAME_ENTRY_free(a1);
return(1);
}
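Review bot: The two allocation-failure branches of this comparator disagree on the error value: `a1 == NULL` returns -1 while `b1 == NULL` returns `1` after freeing `a1`, so a caller that distinguishes "names differ" from "could not compare" sees the second failure as an ordinary ordering result. Returning `return(-1);` in both branches makes the failure reporting consistent, assuming callers treat a negative result as an error rather than as "a sorts before b"; the function header is above this hunk.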
@@ -1286,6 +1143,7 @@ static int
xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY * const *a, const X509_NAME_ENTRY * const *b) {
ASN1_STRING *a_value, *b_value;
ASN1_OBJECT *a_name, *b_name;
+ int a_len, b_len;
int ret;
xmlSecAssert2(a != NULL, -1);
@@ -1306,13 +1164,15 @@ xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY * const *a, const X509_NA
return(0);
}
- ret = ASN1_STRING_length(a_value) - ASN1_STRING_length(b_value);
+ a_len = ASN1_STRING_length(a_value);
+ b_len = ASN1_STRING_length(b_value);
+ ret = a_len - b_len;
if(ret != 0) {
return(ret);
}
- if(ASN1_STRING_length(a_value) > 0) {
- ret = memcmp(ASN1_STRING_data(a_value), ASN1_STRING_data(b_value), ASN1_STRING_length(a_value));
+ if(a_len > 0) {
+ ret = memcmp(ASN1_STRING_get0_data(a_value), ASN1_STRING_get0_data(b_value), a_len);
if(ret != 0) {
return(ret);
}
@@ -1333,7 +1193,6 @@ xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY * const *a, const X509_NA
return(OBJ_cmp(a_name, b_name));
}
-
#endif /* XMLSEC_NO_X509 */