* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * ://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
#include <stdlib.h>
#include <sys/smack.h>
#include <unistd.h>
+#include <fts.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
#include <limits>
#include <key-manager-util.h>
#include <dpl/log/log.h>
+
+
namespace {
const size_t SIZE_T_MAX = std::numeric_limits<size_t>::max();
} // namespace anonymous
return exe;
}
+void rawBufferToX509(X509 **ppCert, RawBuffer rawCert) {
+ BIO *bio = BIO_new(BIO_s_mem());
+ BIO_write(bio, rawCert.data(), rawCert.size());
+ d2i_X509_bio(bio, ppCert);
+ BIO_free_all(bio);
+}
+
+void x509ToRawBuffer(RawBuffer &buf, X509 *cert) {
+ int len = i2d_X509(cert, NULL);
+ unsigned char tmpBuff[len];
+ unsigned char *p = tmpBuff;
+ i2d_X509(cert, &p);
+ buf.assign(tmpBuff, tmpBuff +len);
+}
+
+STACK_OF(X509) *loadSystemCerts( const char * dirpath) {
+ FTS *fts = NULL;
+ FTSENT *ftsent;
+ char tmp[10];
+ STACK_OF(X509) *systemCerts = sk_X509_new_null();
+
+ X509 *cert;
+
+ if (NULL == (fts = fts_open((char * const *) &dirpath, FTS_LOGICAL, NULL))) {
+ printf("Fail to open directories. dir=%s \n", dirpath);
+ return NULL;
+ }
+
+ while ((ftsent = fts_read(fts)) != NULL) {
+ if (ftsent->fts_info == FTS_ERR || ftsent->fts_info == FTS_NS) {
+ printf("Fail to read directories. dir=%s \n", dirpath);
+ fts_close(fts);
+ return NULL;
+ }
+
+ if (ftsent->fts_info != FTS_F)
+ continue;
+
+ if (-1 != readlink(ftsent->fts_path, tmp, 10)) // ignore link file
+ continue;
+
+ cert = loadCert(ftsent->fts_path);
+ if(cert != NULL) {
+ sk_X509_push(systemCerts, cert);
+ }
+ }
+ if (fts != NULL)
+ fts_close(fts);
+
+ return systemCerts;
+}
+
+
+X509 *loadCert(const char *file) {
+ FILE *fp = fopen(file, "r");
+ if(fp == NULL)
+ return NULL;
+ X509 *cert;
+ if(!(cert = d2i_X509_fp(fp, NULL))) {
+ fseek(fp, 0, SEEK_SET);
+ cert = PEM_read_X509(fp, NULL, NULL, NULL);
+ }
+ fclose(fp);
+ return cert;
+}
+
+
} // namespace CKM
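Review bot: `fts_open((char * const *) &dirpath, FTS_LOGICAL, NULL)` in loadSystemCerts passes the address of a single pointer where fts_open expects a NULL-terminated argv-style array, so the walker reads whatever follows `dirpath` on the stack as a further path; build the array explicitly, `char *const paths[] = { const_cast<char *>(dirpath), NULL };` and call `fts_open(paths, FTS_LOGICAL, NULL)`. The two `return NULL` paths inside that function also drop the stack created by sk_X509_new_null(), so `sk_X509_pop_free(systemCerts, X509_free);` belongs before each of them, and the failures are reported with printf although this file appears to include dpl/log/log.h already. In x509ToRawBuffer the length returned by i2d_X509 is used unchecked as a VLA size (a non-standard extension in C++), and a negative result for a broken certificate makes that undefined; serializing straight into `buf` as in the excerpt below removes both the VLA and the missing check, assuming RawBuffer is the vector-like type its data()/size()/assign() usage suggests. rawBufferToX509 likewise discards the return value of d2i_X509_bio, so no caller can distinguish a malformed DER blob from a parsed one; returning the X509* (or a bool) would let callers stop before touching the object.
```cpp
void x509ToRawBuffer(RawBuffer &buf, X509 *cert) {
    int len = i2d_X509(cert, NULL);
    if (len < 0) {          // i2d_X509 signals failure with a negative length
        buf.clear();
        return;
    }
    buf.resize(len);
    unsigned char *p = buf.data();  // i2d_X509 advances p; buf stays the only owner
    i2d_X509(cert, &p);
}

STACK_OF(X509) *loadSystemCerts(const char *dirpath) {
    // fts_open() takes a NULL-terminated argv-style array, not a pointer to one string
    char *const paths[] = { const_cast<char *>(dirpath), NULL };
    // … unchanged: fts_open(paths, FTS_LOGICAL, NULL), the FTS_F/readlink walk, loadCert pushes …
}
```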
#define CENT_KEY_MNG_UTIL_H
#include <sys/types.h>
+#include <ckm/ckm-type.h>
+#include <openssl/x509v3.h>
+
+#define CKM_SYSTEM_CERTS_PATH "/opt/etc/ssl/certs"
namespace CKM {
int util_smack_label_is_valid(const char *smack_label);
char *read_exe_path_from_proc(pid_t pid);
+void rawBufferToX509(X509 **ppCert, RawBuffer rawCert);
+void x509ToRawBuffer(RawBuffer &buf, X509 *cert);
+
+STACK_OF(X509) *loadSystemCerts( const char * dirpath);
+X509 *loadCert(const char *file);
+
} // namespace CKM
#endif /*CENT_KEY_MNG_UTIL_H*/
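Review bot: The four declarations added below read_exe_path_from_proc hand raw OpenSSL pointers across the API with no ownership contract; document on loadCert `/// Returns a new X509 the caller releases with X509_free(); NULL if the file is neither DER nor PEM.`, on loadSystemCerts `/// Caller releases the result with sk_X509_pop_free(..., X509_free); NULL if the directory cannot be walked.`, and on rawBufferToX509 that the object behind *ppCert may be replaced (and the old one freed) by d2i_X509_bio. `RawBuffer rawCert` is taken by value, so every call copies the DER bytes; `void rawBufferToX509(X509 **ppCert, const RawBuffer &rawCert);` avoids the copy without changing any caller.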
* @brief OCSP implementation.
*/
-#include "ocsp.h"
+#include <ocsp.h>
#include <stdio.h>
#include <string.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <fts.h>
#include <unistd.h>
-
+#include <key-manager-util.h>
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
int result = -1;
for(unsigned int i=0; i < certificateChain.size() -1; i++) {// except root certificate
- cert = certificateChain[i].getX509();
- issuer = certificateChain[i+1].getX509();
+ cert = X509_new();
+ rawBufferToX509(&cert, certificateChain[i].getDER());
+ issuer = X509_new();
+ rawBufferToX509(&issuer, certificateChain[i+1].getDER());
extractAIAUrl(cert, url);
result = ocsp_verify(cert, issuer, systemCerts, url, &ocspStatus);
+ X509_free(cert);
+ X509_free(issuer);
if(result != OCSP_STATUS_GOOD) {
return result;
}
}
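Review bot: The loop body now relies on rawBufferToX509 to fill `cert` and `issuer`, but that helper discards the d2i_X509_bio result, so a chain element with malformed DER can leave `cert` NULL (depending on the OpenSSL version, a failed d2i frees the pre-allocated object and nulls the pointer) and extractAIAUrl/ocsp_verify are then called on it. Add `if (cert == NULL || issuer == NULL) { X509_free(cert); X509_free(issuer); return OCSP_STATUS_INTERNAL_ERROR; }` after the two conversions and before extractAIAUrl. The X509_new() calls are unnecessary: d2i allocates when *ppCert is NULL, and pre-allocating only creates an object that the decoder replaces. The enclosing function starts before this hunk, and its loop bound `certificateChain.size() - 1` is an unsigned subtraction that wraps when the chain is empty; a `certificateChain.size() < 2` guard before the loop would close that as well.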
-STACK_OF(X509) *OCSPModule::loadSystemCerts( const char * dirpath) {
- FTS *fts = NULL;
- FTSENT *ftsent;
- char tmp[10];
- STACK_OF(X509) *systemCerts = sk_X509_new_null();
-
- X509 *cert;
-
- if (NULL == (fts = fts_open((char * const *) &dirpath, FTS_LOGICAL, NULL))) {
- printf("Fail to open directories. dir=%s \n", dirpath);
- return NULL;
- }
-
- while ((ftsent = fts_read(fts)) != NULL) {
- if (ftsent->fts_info == FTS_ERR || ftsent->fts_info == FTS_NS) {
- printf("Fail to read directories. dir=%s \n", dirpath);
- fts_close(fts);
- return NULL;
- }
-
- if (ftsent->fts_info != FTS_F)
- continue;
-
- if (-1 != readlink(ftsent->fts_path, tmp, 10)) // ignore link file
- continue;
-
- cert = loadCert(ftsent->fts_path);
- if(cert != NULL) {
- sk_X509_push(systemCerts, cert);
- }
- }
- if (fts != NULL)
- fts_close(fts);
-
- return systemCerts;
-}
-
-
-X509 *OCSPModule::loadCert(const char *file) {
- FILE *fp = fopen(file, "r");
- if(fp == NULL)
- return NULL;
- X509 *cert;
- if(!(cert = d2i_X509_fp(fp, NULL))) {
- fseek(fp, 0, SEEK_SET);
- cert = PEM_read_X509(fp, NULL, NULL, NULL);
- }
- fclose(fp);
- return cert;
-}
-
void OCSPModule::extractAIAUrl(X509 *cert, char *url) {
STACK_OF(OPENSSL_STRING) *aia = NULL;
aia = X509_get1_ocsp(cert);
#include <openssl/x509v3.h>
-#include <vector>
-
-
-//########################################################
-// This is temporary code.
-// It should be removed when real CertificateImpl is ready.
-namespace CKM {
-class CertificateImpl
-{
- public:
- explicit CertificateImpl(X509 *cert);
- ~CertificateImpl();
- X509 *getX509(void) const;
- protected:
- X509 *m_x509;
-};
-
-CertificateImpl::CertificateImpl(X509 *cert){
- m_x509 = X509_dup(cert);
- if (!m_x509) {
- }
-};
-X509 *CertificateImpl::getX509(void) const{
- return m_x509;
-};
-
-typedef std::vector<CertificateImpl> CertificateImplVector;
-} // namespace CKM
-//########################################################
-
+#include <ckm/ckm-type.h>
+#include <client-certificate-impl.h>
#define OCSP_STATUS_GOOD 1
#define OCSP_STATUS_REMOTE_ERROR 7
#define OCSP_STATUS_INTERNAL_ERROR 8
-#define CKM_SYSTEM_CERTS_PATH "/opt/etc/ssl/certs" // or "/usr/share/cert-svc/ca-certs"
-
-
namespace CKM {
private:
int ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *systemCerts, char *url, int *ocspStatus);
void extractAIAUrl(X509 *cert, char *url);
-
- static STACK_OF(X509) *loadSystemCerts( const char * dirpath);
- static X509 *loadCert(const char *file);
-
static STACK_OF(X509) *systemCerts;
+
};
STACK_OF(X509) *OCSPModule::systemCerts;