Shrink ocsp.h to a single free function 80/242680/5
authorKonrad Lipinski <k.lipinski2@samsung.com>
Fri, 28 Aug 2020 11:56:08 +0000 (13:56 +0200)
committerKonrad Lipinski <k.lipinski2@samsung.com>
Wed, 16 Sep 2020 11:10:07 +0000 (13:10 +0200)
Change-Id: I36188ddfa3c0678a1a53fad6b4048cfaa6e9afdb

src/manager/service/ocsp-logic.cpp
src/manager/service/ocsp.cpp
src/manager/service/ocsp.h

index 051ba23..df5fc5e 100644 (file)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2014 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -82,7 +82,6 @@ RawBuffer OCSPLogic::ocspCheck(int msgId, const RawBufferVector &rawChain,
                                                           bool allowed)
 {
        CertificateImplVector certChain;
-       OCSPModule ocsp;
        int retCode = CKM_API_SUCCESS;
        int ocspStatus = CKM_API_OCSP_STATUS_INTERNAL_ERROR;
 
@@ -111,7 +110,7 @@ RawBuffer OCSPLogic::ocspCheck(int msgId, const RawBufferVector &rawChain,
        }
 
        if (retCode == CKM_API_SUCCESS)
-               ocspStatus = ocsp.verify(certChain);
+               ocspStatus = ocspVerify(certChain);
 
        return SerializeMessage(msgId, retCode, ocspStatus);
 }
index 0bf71a9..b0ae883 100644 (file)
@@ -32,7 +32,6 @@
 #include <string.h>
 #include <stdio.h>
 #include <dpl/log/log.h>
-#include <certificate-impl.h>
 #include <openssl_utils.h>
 #include <ckm/ckm-error.h>
 #include <vconf.h>
@@ -76,74 +75,7 @@ void BIO_write_and_free(BIO *bio)
        BIO_free_all(bio);
 }
 
-} // namespace anonymous
-
-OCSPModule::OCSPModule()
-{
-       // Do nothing.
-}
-
-OCSPModule::~OCSPModule()
-{
-       // Do nothing.
-}
-
-int OCSPModule::verify(const CertificateImplVector &certificateChain)
-{
-       bool unsupported =
-               false; // ocsp is unsupported in certificate in chain (except root CA)
-
-       // create trusted store
-       X509_STACK_PTR trustedCerts = create_x509_stack();
-
-       // skip first 2 certificates
-       for (auto it = certificateChain.cbegin() + 2; it < certificateChain.cend();
-                       it++) {
-               if (it->empty()) {
-                       LogError("Error. Broken certificate chain.");
-                       return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
-               }
-
-               sk_X509_push(trustedCerts.get(), it->getX509());
-       }
-
-       for (int i = 0; i < static_cast<int>(certificateChain.size()) - 1;
-                       i++) {// except root certificate
-               if (certificateChain[i].empty() || certificateChain[i + 1].empty()) {
-                       LogError("Error. Broken certificate chain.");
-                       return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
-               }
-
-               X509 *cert   = certificateChain[i].getX509();
-               X509 *issuer = certificateChain[i + 1].getX509();
-
-               std::string url = certificateChain[i].getOCSPURL();
-
-               if (url.empty()) {
-                       LogError("Certificate in certchain[" << i <<
-                                        "] does not provide OCSP extension.");
-                       unsupported = true;
-                       continue;
-               }
-
-               int result = ocsp_verify(cert, issuer, trustedCerts.get(), url);
-               // remove first element from trustedCerts store
-               sk_X509_delete(trustedCerts.get(), 0);
-
-               if (result != CKM_API_OCSP_STATUS_GOOD) {
-                       LogError("Fail to OCSP certification check. Errorcode=[" << result <<
-                                        "], on certChain[" << i << "]");
-                       return result;
-               }
-       }
-
-       if (unsupported)
-               return CKM_API_OCSP_STATUS_UNSUPPORTED;
-
-       return CKM_API_OCSP_STATUS_GOOD;
-}
-
-int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
+int ocspDoVerify(X509 *cert, X509 *issuer,
                                                        STACK_OF(X509) *trustedCerts, const std::string &constUrl)
 {
        OCSP_REQUEST *req = NULL;
@@ -504,5 +436,62 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
        }
 }
 
+} // namespace anonymous
+
+int ocspVerify(const CertificateImplVector &certificateChain)
+{
+       bool unsupported =
+               false; // ocsp is unsupported in certificate in chain (except root CA)
+
+       // create trusted store
+       X509_STACK_PTR trustedCerts = create_x509_stack();
+
+       // skip first 2 certificates
+       for (auto it = certificateChain.cbegin() + 2; it < certificateChain.cend();
+                       it++) {
+               if (it->empty()) {
+                       LogError("Error. Broken certificate chain.");
+                       return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+               }
+
+               sk_X509_push(trustedCerts.get(), it->getX509());
+       }
+
+       for (int i = 0; i < static_cast<int>(certificateChain.size()) - 1;
+                       i++) {// except root certificate
+               if (certificateChain[i].empty() || certificateChain[i + 1].empty()) {
+                       LogError("Error. Broken certificate chain.");
+                       return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+               }
+
+               X509 *cert   = certificateChain[i].getX509();
+               X509 *issuer = certificateChain[i + 1].getX509();
+
+               std::string url = certificateChain[i].getOCSPURL();
+
+               if (url.empty()) {
+                       LogError("Certificate in certchain[" << i <<
+                                        "] does not provide OCSP extension.");
+                       unsupported = true;
+                       continue;
+               }
+
+               int result = ocspDoVerify(cert, issuer, trustedCerts.get(), url);
+               // remove first element from trustedCerts store
+               sk_X509_delete(trustedCerts.get(), 0);
+
+               if (result != CKM_API_OCSP_STATUS_GOOD) {
+                       LogError("Fail to OCSP certification check. Errorcode=[" << result <<
+                                        "], on certChain[" << i << "]");
+                       return result;
+               }
+       }
+
+       if (unsupported)
+               return CKM_API_OCSP_STATUS_UNSUPPORTED;
+
+       return CKM_API_OCSP_STATUS_GOOD;
+}
+
 } // namespace CKM
 
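Review bot: A chain with fewer than two certificates is reported as CKM_API_OCSP_STATUS_GOOD without any check: the first loop starts at `certificateChain.cbegin() + 2` (undefined behaviour on a vector with 0 or 1 elements, though it will usually just not iterate) and the second loop's bound `static_cast<int>(size()) - 1` is then 0 or negative, so `unsupported` stays false and the final `return CKM_API_OCSP_STATUS_GOOD` is reached. Unless the caller is guaranteed to reject short chains (not visible here), add a guard before the trusted store is built, e.g. `if (certificateChain.size() < 2) { LogError("Error. Broken certificate chain."); return CKM_API_OCSP_STATUS_INTERNAL_ERROR; }`, so that an unchecked chain is never reported as good. Separately, the `continue` in the `url.empty()` branch skips `sk_X509_delete(trustedCerts.get(), 0);`, so after a certificate without an OCSP URL the trusted store still contains the next iteration's issuer, contrary to the "remove first element" invariant the comment describes; whether that affects the outcome depends on ocspDoVerify, but moving the `sk_X509_delete` line above the `if (url.empty())` check keeps the store in step with `i` in every path.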
index e04b28c..8766ef5 100644 (file)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2014 Samsung Electronics Co.
+ *  Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
  */
 #pragma once
 
-#include <openssl/x509v3.h>
-#include <ckm/ckm-type.h>
 #include <certificate-impl.h>
-#include <dpl/exception.h>
 
 namespace CKM {
 
-class OCSPModule {
-public:
-       OCSPModule();
-       virtual ~OCSPModule();
-
-       // all error code from project will be defined in public client api
-       // OK, UNKNOWN, REVOKED, NO_NETWORK, TIMEOUT
-       int verify(const CertificateImplVector &certificateChain);
-
-private:
-       int ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCerts,
-                                       const std::string &url);
-};
+// all error code from project will be defined in public client api
+// OK, UNKNOWN, REVOKED, NO_NETWORK, TIMEOUT
+int ocspVerify(const CertificateImplVector &certificateChain);
 
 } // namespace CKM
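Review bot: The comment kept above `ocspVerify` ("OK, UNKNOWN, REVOKED, NO_NETWORK, TIMEOUT") does not match the values the implementation in ocsp.cpp returns (CKM_API_OCSP_STATUS_GOOD, CKM_API_OCSP_STATUS_UNSUPPORTED, CKM_API_OCSP_STATUS_INTERNAL_ERROR, plus whatever ocspDoVerify yields), and it says nothing about the expected chain layout. Now that this is the single public entry point of the module, its declaration should state the precondition the implementation relies on: element 0 is the end-entity certificate, each following element is the issuer of the previous one, the last element is the root (which is not itself checked), and elements from index 2 onward form the trusted store used while checking the earlier ones. It should also say that a certificate without an OCSP extension is skipped and, if no other check fails, yields CKM_API_OCSP_STATUS_UNSUPPORTED, and that the OCSP responder URL is taken from the certificate under test, so the response must be validated against the issuer rather than trusted on its own.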