fix for x509 cert chain verification (stric flag added when CC Mode enabled)
authoryuseok.jeon <yuseok.jeon@samsung.com>
Tue, 6 Jan 2015 12:15:45 +0000 (21:15 +0900)
committerMaciej J. Karpiuk <m.karpiuk2@samsung.com>
Tue, 17 Feb 2015 10:59:51 +0000 (11:59 +0100)
Change-Id: I679b1210d94c721343fc851c8a2b51ac9765635e
Signed-off-by: yuseok.jeon <yuseok.jeon@samsung.com>
src/manager/common/certificate-store.cpp
src/manager/common/certificate-store.h
src/manager/service/CryptoService.cpp
src/manager/service/CryptoService.h
src/manager/service/ckm-logic.cpp

index 67b3768..b7dc4c7 100644 (file)
@@ -75,7 +75,8 @@ int CertificateStore::setSystemCertificateDir(const char *path) {
 int CertificateStore::verifyCertificate(
     const CertificateImpl &cert,
     const CertificateImplVector &untrustedVector,
-    CertificateImplVector &chainVector)
+    CertificateImplVector &chainVector,
+    bool stateCCMode)
 {
     STACK_OF(X509) *untrusted = NULL;
 
@@ -101,6 +102,10 @@ int CertificateStore::verifyCertificate(
         return CKM_API_ERROR_UNKNOWN;
     }
 
+    if(stateCCMode) {
+        X509_VERIFY_PARAM_set_flags(csc->param, X509_V_FLAG_X509_STRICT);
+    }
+
     int result = X509_verify_cert(csc); // 1 == ok; 0 == fail; -1 == error
 
     LogDebug("Openssl verification result: " << result);
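Review bot: The new block reaches into the context with `csc->param`, which ties the code to the struct layout and stops compiling once X509_STORE_CTX becomes opaque; the public accessor expresses the same thing: `X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(csc), X509_V_FLAG_X509_STRICT);`. A why-comment on the condition would also help a later reader, e.g. `// CC mode: disable OpenSSL's leniency for malformed chains (e.g. intermediates without basicConstraints CA=TRUE)`, since this presumably replaces the hasValidCAFlag check deleted from CryptoService in the same commit. Setting the flag on the per-call context rather than on m_store keeps the strictness scoped to this verification, which looks intended. verifyCertificate continues outside the hunk.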
index 76f2edd..67a604b 100644 (file)
@@ -43,7 +43,8 @@ public:
     int verifyCertificate(
         const CertificateImpl &cert,
         const CertificateImplVector &untrustedVector,
-        CertificateImplVector &chainVector);
+        CertificateImplVector &chainVector,
+        bool stateCCMode);
 
 protected:
     X509_STORE *m_store;
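Review bot: The new `stateCCMode` parameter is undocumented in the declaration, and its name does not say what it changes about verification. A Doxygen line above verifyCertificate would make the contract visible to callers, e.g. `/// @param stateCCMode when true, verification additionally enables X509_V_FLAG_X509_STRICT (Common Criteria mode)`.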
index 52b7705..22815fc 100644 (file)
@@ -722,207 +722,4 @@ int CryptoService::digestVerifyMessage(EVP_PKEY *pubKey,
 
     return ret;
 }
-
-int CryptoService::verifyCertificateChain(const CertificateImpl &certificate,
-        const CertificateImplVector &untrustedCertificates,
-        const CertificateImplVector &userTrustedCertificates,
-        CertificateImplVector &certificateChainVector) {
-
-    X509 *cert = X509_new();
-    X509 *tempCert;
-    rawBufferToX509(&cert, certificate.getDER());
-
-    std::vector<X509 *> trustedCerts;
-    std::vector<X509 *> userTrustedCerts;
-    std::vector<X509 *> untrustedChain;
-
-    STACK_OF(X509) *sysCerts = loadSystemCerts(CKM_SYSTEM_CERTS_PATH);
-
-    // check the parameters of functions
-    if(&certificate == NULL) {
-        LogError("Error in certificate value");
-        ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in certificate value");
-    }
-
-    // check the parameters of functions
-    if(&untrustedCertificates == NULL) {
-        LogError("Error in untrustedCertificates value");
-        ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in untrustedCertificates value");
-    }
-
-    // check the parameters of functions
-    if(&userTrustedCertificates == NULL) {
-        LogError("Error in userTrustedCertificates value");
-        ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in userTrustedCertificates value");
-    }
-
-    // check the parameters of functions
-    if(&certificateChainVector == NULL) {
-        LogError("Error in certificateChainVector value");
-        ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in certificateChainVector value");
-    }
-
-    Try {
-        while((tempCert = sk_X509_pop(sysCerts)) != NULL) {
-            trustedCerts.push_back(tempCert);
-        }
-
-        for(unsigned int i=0;i<userTrustedCertificates.size();i++) {
-            if((tempCert = X509_new()) == NULL) {
-                LogError("Error in X509_new function");
-                ThrowMsg(CryptoService::Exception::opensslError, "Error in X509_new function");
-            }
-            rawBufferToX509(&tempCert, userTrustedCertificates[i].getDER());
-            userTrustedCerts.push_back(tempCert);
-        }
-
-        for(unsigned int i=0;i<untrustedCertificates.size();i++) {
-            if((tempCert = X509_new()) == NULL) {
-                LogError("Error in X509_new function");
-                ThrowMsg(CryptoService::Exception::opensslError, "Error in X509_new function");
-            }
-            rawBufferToX509(&tempCert, untrustedCertificates[i].getDER());
-            untrustedChain.push_back(tempCert);
-        }
-
-        std::vector<X509 *> chain = verifyCertChain(cert, trustedCerts, userTrustedCerts, untrustedChain);
-
-        RawBuffer tmpBuf;
-        for(unsigned int i=0;i<chain.size();i++) {
-            x509ToRawBuffer(tmpBuf, chain[i]);
-            CertificateImpl tmpCertImpl((const RawBuffer)tmpBuf, DataFormat::FORM_DER);
-            certificateChainVector.push_back(tmpCertImpl);
-        }
-    } Catch(CryptoService::Exception::opensslError) {
-        if(cert != NULL) {
-            X509_free(cert);
-        }
-
-        for(unsigned int i=0;i<trustedCerts.size();i++) {
-            if(trustedCerts[i] != NULL) {
-                X509_free(trustedCerts[i]);
-            }
-        }
-
-        for(unsigned int i=0;i<untrustedChain.size();i++) {
-            if(untrustedChain[i] != NULL) {
-                X509_free(untrustedChain[i]);
-            }
-        }
-
-        for(unsigned int i=0;i<userTrustedCerts.size();i++) {
-            if(userTrustedCerts[i] != NULL) {
-                X509_free(userTrustedCerts[i]);
-            }
-        }
-        ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
-    }
-
-    if(cert != NULL) {
-        X509_free(cert);
-    }
-
-    for(unsigned int i=0;i<trustedCerts.size();i++) {
-        if(trustedCerts[i] != NULL) {
-            X509_free(trustedCerts[i]);
-        }
-    }
-
-    for(unsigned int i=0;i<untrustedChain.size();i++) {
-        if(untrustedChain[i] != NULL) {
-            X509_free(untrustedChain[i]);
-        }
-    }
-
-    for(unsigned int i=0;i<userTrustedCerts.size();i++) {
-        if(userTrustedCerts[i] != NULL) {
-            X509_free(userTrustedCerts[i]);
-        }
-    }
-
-    return CKM_VERIFY_CHAIN_SUCCESS;
-}
-
-/*
- * truestedCerts means the system certificate list stored in system securely.
- * return : std::vector<X509 *> certChain; the order is user cert, middle ca certs, and root ca cert.
- */
-
-std::vector<X509 *> CryptoService::verifyCertChain(X509 *cert,
-        std::vector<X509 *> &trustedCerts,
-        std::vector<X509 *> &userTrustedCerts,
-        std::vector<X509 *> &untrustedchain){
-
-    std::vector<X509 *> certChain;
-    X509_STORE *tstore = X509_STORE_new();
-    STACK_OF(X509) *uchain = sk_X509_new_null();
-    std::vector<X509 *>::iterator iVec_it;
-
-    for(iVec_it = trustedCerts.begin(); iVec_it != trustedCerts.end(); iVec_it++) {
-        X509_STORE_add_cert(tstore, *iVec_it);
-    }
-    for(iVec_it = userTrustedCerts.begin(); iVec_it != userTrustedCerts.end(); iVec_it++) {
-        X509_STORE_add_cert(tstore, *iVec_it);
-    }
-
-    for(iVec_it = untrustedchain.begin(); iVec_it != untrustedchain.end(); iVec_it++) {
-        sk_X509_push(uchain, *iVec_it);
-    }
-
-    // Create the context to verify the certificate.
-    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
-
-    // Initial the store to verify the certificate.
-    X509_STORE_CTX_init(ctx, tstore, cert, uchain);
-
-    int verified = X509_verify_cert(ctx);
-
-    if(verified == OPENSSL_SUCCESS) {
-        STACK_OF(X509) *chain = X509_STORE_CTX_get1_chain(ctx);
-        X509 *icert;
-        while((icert = sk_X509_pop(chain))) {
-            certChain.insert(certChain.begin(),icert);
-        }
-    }
-
-    X509_STORE_CTX_cleanup(ctx);
-    X509_STORE_CTX_free(ctx);
-    X509_STORE_free(tstore);
-    sk_X509_free(uchain);
-    ctx = NULL;
-    tstore = NULL;
-    uchain = NULL;
-
-    if(verified != OPENSSL_SUCCESS) {
-        LogError("Error in verifying certification chain");
-        ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in verifying certification chain");
-    }
-
-    return certChain;
-}
-
-bool CryptoService::hasValidCAFlag(std::vector<X509 *> &certChain) {
-    // KeyUsage if present should allow cert signing;
-    // If basicConstraints says not a CA then say so.
-
-    X509 *cert = NULL;
-    int isCA;
-
-    if(certChain.size() < 2) // certChain should have more than 2 certs.
-        return false;
-
-    std::vector<X509 *>::iterator it;
-    for(it = certChain.begin()+1; it != certChain.end(); it++) { // start from the second cert
-        cert = *it;
-        isCA = X509_check_ca(cert);
-        // For MDPP compliance.
-        // if it returns 1, this means that the cert has the basicConstraints and CAFlag=true.
-        // X509_check_ca can return 0(is not CACert), 1(is CACert), 3, 4, 5(may be CACert).
-        if(isCA != 1) {
-            return false;
-        }
-    }
-
-    return true;
-}
 }
index 7a77b13..6828ddb 100644 (file)
@@ -74,18 +74,7 @@ public:
                         const HashAlgorithm hashAlgo,
                         const RSAPaddingAlgorithm padAlgo);
 
-    int verifyCertificateChain(const CertificateImpl &certificate,
-                               const CertificateImplVector &untrustedCertificates,
-                               const CertificateImplVector &userTrustedCertificates,
-                               CertificateImplVector &certificateChainVector);
-
 private:
-    std::vector<X509 *> verifyCertChain(X509 *cert,
-                                        std::vector<X509 *> &trustedCerts,
-                                        std::vector<X509 *> &userTrustedCerts,
-                                        std::vector<X509 *> &untrustedchain);
-
-    bool hasValidCAFlag(std::vector<X509 *> &certChain);
 
     const EVP_MD *getMdAlgo(const HashAlgorithm hashAlgo);
     int getRsaPadding(const RSAPaddingAlgorithm padAlgo);
index ca6d1f8..242ea2f 100644 (file)
@@ -1087,7 +1087,7 @@ RawBuffer CKMLogic::getCertificateChain(
 
     LogDebug("Cert is empty: " << cert.empty());
 
-    int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
+    int retCode = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector, m_accessControl.isCCMode());
 
     if (retCode == CKM_API_SUCCESS) {
         for (auto &e : chainVector)
@@ -1131,7 +1131,7 @@ int CKMLogic::getCertificateChainHelper(
             untrustedCertVector.push_back(CertificateImpl(rawCaCert.data, DataFormat::FORM_DER));
     }
 
-    int ec = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector);
+    int ec = m_certStore.verifyCertificate(cert, untrustedCertVector, chainVector, m_accessControl.isCCMode());
     if (ec != CKM_API_SUCCESS)
         return ec;