From e0f8fa85ee3b261d34e9126f670f4fe77617d89d Mon Sep 17 00:00:00 2001
From: Dariusz Michaluk
Date: Mon, 8 Jul 2019 16:53:15 +0200
Subject: [PATCH] Migrate to openssl 1.1
Change-Id: I3f19d16650b4d9b12287029480b36d14b8b041f0
---
 cert-svc-vcore.pc.in | 2 +-
 packaging/cert-svc.spec | 4 ++--
 src/CMakeLists.txt | 2 +-
 src/vcore/Certificate.cpp | 46 ++++++++++++++++++++----------------
 src/vcore/CertificateLoader.cpp | 6 ++---
 src/vcore/api.cpp | 20 +++++++++++-----
 src/vcore/pkcs12.cpp | 8 +++---
 tests/CMakeLists.txt | 2 +-
 tests/capi/test-certificate.cpp | 4 ++--
 tests/vcore/test-time-conversion.cpp | 12 ++++++---
 10 files changed, 60 insertions(+), 46 deletions(-)
diff --git a/cert-svc-vcore.pc.in b/cert-svc-vcore.pc.in
index a55a4e7..5a0a130 100644
--- a/cert-svc-vcore.pc.in
+++ b/cert-svc-vcore.pc.in
@@ -4,6 +4,6 @@ includedir=@INCLUDEDIR@
 Name: cert-svc-vcore
 Description: cert-svc-vcore
 Version: @VERSION@
-Requires: libxml-2.0 libxslt openssl xmlsec1
+Requires: libxml-2.0 libxslt openssl1.1 xmlsec1
 Libs: -L${libdir} -lcert-svc-vcore
 Cflags: -I${includedir}/cert-svc
diff --git a/packaging/cert-svc.spec b/packaging/cert-svc.spec
index 192c307..c5822d2 100644
--- a/packaging/cert-svc.spec
+++ b/packaging/cert-svc.spec
@@ -10,10 +10,10 @@ Source0: %{name}-%{version}.tar.gz
 BuildRequires: cmake
 BuildRequires: coreutils
 BuildRequires: findutils
-BuildRequires: openssl
 BuildRequires: pkgconfig(dlog)
 BuildRequires: pkgconfig(klay)
-BuildRequires: pkgconfig(openssl)
+BuildRequires: openssl1.1
+BuildRequires: pkgconfig(openssl1.1)
 BuildRequires: pkgconfig(libpcrecpp)
 BuildRequires: pkgconfig(xmlsec1)
 BuildRequires: pkgconfig(libxml-2.0)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index b52cfe8..2ba45fd 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -22,7 +22,7 @@ PKG_CHECK_MODULES(VCORE_DEPS
 REQUIRED
 libxml-2.0
 libpcrecpp
- openssl
+ openssl1.1
 xmlsec1
 dlog
 libsystemd-journal
diff --git a/src/vcore/Certificate.cpp b/src/vcore/Certificate.cpp index 36e021b..6e43ace 100644 --- a/src/vcore/Certificate.cpp +++ b/src/vcore/Certificate.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 - 2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -279,8 +279,7 @@ std::string Certificate::getField(FieldType type, int fieldNid) const int entryCount = X509_NAME_entry_count(subjectName); for (int i = 0; i < entryCount; ++i) { - subjectEntry = X509_NAME_get_entry(subjectName, - i); + subjectEntry = X509_NAME_get_entry(subjectName, i); if (!subjectEntry) { continue; @@ -294,14 +293,12 @@ std::string Certificate::getField(FieldType type, int fieldNid) const continue; } - ASN1_STRING *pASN1Str = subjectEntry->value; + ASN1_STRING *pASN1Str = X509_NAME_ENTRY_get_data(subjectEntry); unsigned char *pData = NULL; - int nLength = ASN1_STRING_to_UTF8(&pData, - pASN1Str); + int nLength = ASN1_STRING_to_UTF8(&pData, pASN1Str); if (nLength < 0) - VcoreThrowMsg(Certificate::Exception::OpensslInternalError, - "Reading field error."); + VcoreThrowMsg(Certificate::Exception::OpensslInternalError, "Reading field error."); if (!pData) { output = std::string(); @@ -365,12 +362,11 @@ std::string Certificate::getNameHash(FieldType type) const std::string Certificate::getUID(FieldType type) const { - ASN1_BIT_STRING *uid = NULL; + const ASN1_BIT_STRING *uid = NULL; + const ASN1_BIT_STRING *subjectUID, *issuerUID; - if (type == FIELD_SUBJECT) - uid = m_x509->cert_info->subjectUID; - else - uid = m_x509->cert_info->issuerUID; + X509_get0_uids(m_x509, &issuerUID, &subjectUID); + uid = (type == FIELD_SUBJECT) ? subjectUID : issuerUID; if (uid->data == NULL) return std::string(); 
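Review bot: In getUID, `uid` can be NULL after the new `X509_get0_uids()` call, because issuerUID and subjectUID are optional certificate fields and X509_get0_uids() leaves the corresponding out-pointer NULL when the field is absent, so `uid->data` on the next line dereferences NULL for the very common case of a certificate without UIDs. The pre-1.1 `cert_info->subjectUID` access had the same hole, but since these lines are being rewritten the guard should become `if (!uid || uid->data == NULL) return std::string();`. The rest of getUID continues outside the hunk.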
@@ -411,12 +407,12 @@ std::string Certificate::getOCSPURL() const if (OBJ_obj2nid(ad->method) == NID_ad_OCSP && ad->location->type == GEN_URI) { - void *data = ASN1_STRING_data(ad->location->d.ia5); + const unsigned char *data = ASN1_STRING_get0_data(ad->location->d.ia5); if (!data) retValue = std::string(); else - retValue = std::string(static_cast(data)); + retValue = std::string(reinterpret_cast(data)); break; } @@ -440,15 +436,15 @@ Certificate::AltNameSet Certificate::getAlternativeName(int type) const "openssl sk_GENERAL_NAME_pop err."); if (type == namePart->type) { - char *temp; + const char *temp; switch (type) { case GEN_DNS: - temp = reinterpret_cast(ASN1_STRING_data(namePart->d.dNSName)); + temp = reinterpret_cast(ASN1_STRING_get0_data(namePart->d.dNSName)); break; case GEN_URI: - temp = reinterpret_cast(ASN1_STRING_data(namePart->d.uniformResourceIdentifier)); + temp = reinterpret_cast(ASN1_STRING_get0_data(namePart->d.uniformResourceIdentifier)); break; default: @@ -613,7 +609,7 @@ std::string Certificate::getSignatureAlgorithmString() const VcoreThrowMsg(Certificate::Exception::OpensslInternalError, "Error in BIO_new"); - if (i2a_ASN1_OBJECT(b.get(), m_x509->cert_info->signature->algorithm) < 0) + if (i2a_ASN1_OBJECT(b.get(), X509_get0_tbs_sigalg(m_x509)->algorithm) < 0) VcoreThrowMsg(Certificate::Exception::OpensslInternalError, "Error in i2a_ASN1_OBJECT"); 
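Review bot: In getOCSPURL the URI is rebuilt with `std::string(reinterpret_cast<const char *>(data))`, which relies on strlen() over certificate-controlled bytes: an IA5String carrying an embedded NUL is silently truncated and the ASN.1 length is ignored. Pass the length explicitly, `retValue = std::string(reinterpret_cast<const char *>(data), ASN1_STRING_length(ad->location->d.ia5));`, and let the consumer reject values containing NUL rather than truncating them. The getAlternativeName hunk below has the same shape for `temp` (dNSName and uniformResourceIdentifier); how `temp` is consumed is outside the hunk, but a length from `ASN1_STRING_length()` should travel with it. Both enclosing functions extend beyond their hunks.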
@@ -676,8 +672,16 @@ void Certificate::getPublicKeyDER(unsigned char **pubkey, size_t *len) const std::string Certificate::getPublicKeyAlgoString() const { - return std::string(static_cast( - OBJ_nid2ln(OBJ_obj2nid(m_x509->cert_info->key->algor->algorithm)))); + X509_PUBKEY *pkey = X509_get_X509_PUBKEY(m_x509); + if (!pkey) + return std::string(); + + ASN1_OBJECT *algor_obj; + int ret = X509_PUBKEY_get0_param(&algor_obj, NULL, NULL, NULL, pkey); + if (ret == 0 || !algor_obj) + return std::string(); + + return std::string(static_cast(OBJ_nid2ln(OBJ_obj2nid(algor_obj)))); } int Certificate::isCA() const diff --git a/src/vcore/CertificateLoader.cpp b/src/vcore/CertificateLoader.cpp index f808ba1..b3902ea 100644 --- a/src/vcore/CertificateLoader.cpp +++ b/src/vcore/CertificateLoader.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -78,8 +78,8 @@ CertificateLoader::CertificateLoaderResult CertificateLoader::loadCertificateFro EVP_PKEY *pKey = X509_get_pubkey(m_certificatePtr->getX509()); if (pKey != NULL) { - if (pKey->type == EVP_PKEY_RSA) { - RSA *pRSA = pKey->pkey.rsa; + if (EVP_PKEY_type(EVP_PKEY_base_id(pKey)) == EVP_PKEY_RSA) { + RSA *pRSA = EVP_PKEY_get0_RSA(pKey); if (pRSA) { int keyLength = RSA_size(pRSA); diff --git a/src/vcore/api.cpp b/src/vcore/api.cpp index 918bdb1..0fd6653 100644 --- a/src/vcore/api.cpp +++ b/src/vcore/api.cpp @@ -600,7 +600,7 @@ public: } if (algorithm == NULL) { - md = EVP_get_digestbyobj(cert->cert_info->signature->algorithm); + md = EVP_get_digestbynid(X509_get_signature_nid(cert)); } else { md = EVP_get_digestbyname(algorithm); } 
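Review bot: The two new `return std::string();` exits in getPublicKeyAlgoString turn an OpenSSL failure (no SubjectPublicKeyInfo, or X509_PUBKEY_get0_param() failing) into a silent empty string, while the sibling accessors visible in this file's other hunks, getField and getSignatureAlgorithmString, raise `Certificate::Exception::OpensslInternalError` for the same class of failure. Keeping the file's convention, `VcoreThrowMsg(Certificate::Exception::OpensslInternalError, "Error in X509_PUBKEY_get0_param");`, lets callers distinguish a malformed certificate from one whose algorithm OID OpenSSL does not know (for NID_undef, OBJ_nid2ln() returns the literal "undefined", not NULL, so that case already yields a non-empty string). If the empty-string contract is intentional because callers treat it as "unknown", a one-line comment on the first early return saying so would stop the next reader from "fixing" it.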
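Review bot: In CertificateLoader the new condition `EVP_PKEY_type(EVP_PKEY_base_id(pKey))` is a double lookup: EVP_PKEY_base_id() already returns the base key type and EVP_PKEY_type() on a base type is the identity (NID_undef if unregistered), so `if (EVP_PKEY_base_id(pKey) == EVP_PKEY_RSA) {` says the same in one call. `EVP_PKEY_get0_RSA()` returns a reference owned by `pKey`, so `pRSA` must not be freed separately and must not outlive the `EVP_PKEY_free(pKey)` that `X509_get_pubkey()` requires; that free is outside the hunk, so a comment at the declaration, `// borrowed from pKey; valid only until EVP_PKEY_free(pKey)`, would document the lifetime. The enclosing function starts and ends outside the hunk.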
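Review bot: In api.cpp, `md = EVP_get_digestbynid(X509_get_signature_nid(cert));` keeps the 1.0 behaviour of looking the digest up through the signature algorithm's NID, which works because OpenSSL registers signature-algorithm names such as sha256WithRSAEncryption as digest aliases, but it yields NULL for signature algorithms whose OID carries no digest (RSA-PSS, Ed25519), so `md` must be NULL-checked before use; that check, if present, is outside the hunk. If the toolchain is 1.1.1, `X509_get_signature_info(cert, &mdnid, NULL, NULL, NULL)` resolves the digest for RSA-PSS as well, and a short comment on the new line explaining why a signature NID is passed to a digest lookup would save the next reader a trip to the OBJ_NAME table. The enclosing method starts and ends outside the hunk.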
@@ -790,16 +790,23 @@ err: break; } - X509_STORE_CTX context; - if(!X509_STORE_CTX_init(&context, store, cert, ustore)) { + X509_STORE_CTX *context; + context = X509_STORE_CTX_new(); + if(!context) { X509_STORE_free(store); sk_X509_free(ustore); return CERTSVC_FAIL; } - int result = X509_verify_cert(&context); + if(!X509_STORE_CTX_init(context, store, cert, ustore)) { + X509_STORE_free(store); + sk_X509_free(ustore); + X509_STORE_CTX_free(context); + return CERTSVC_FAIL; + } + int result = X509_verify_cert(context); if (result == 1 && checkCaFlag) { // check strictly - STACK_OF(X509) *resultChain = X509_STORE_CTX_get1_chain(&context); + STACK_OF(X509) *resultChain = X509_STORE_CTX_get1_chain(context); // the last one is not a CA. while (sk_X509_num(resultChain) > 1) { @@ -815,9 +822,10 @@ err: sk_X509_pop_free(resultChain, X509_free); } - X509_STORE_CTX_cleanup(&context); + X509_STORE_CTX_cleanup(context); X509_STORE_free(store); sk_X509_free(ustore); + X509_STORE_CTX_free(context); if (result == 1) { *status = CERTSVC_SUCCESS; diff --git a/src/vcore/pkcs12.cpp b/src/vcore/pkcs12.cpp index 60509e2..a4d4d0b 100644 --- a/src/vcore/pkcs12.cpp +++ b/src/vcore/pkcs12.cpp @@ -1,5 +1,5 @@ /** - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -242,7 +242,7 @@ std::string getCommonName(CertType type, const std::string &cert) } X509UniquePtr x509Ptr(x509, X509_free); - const char *subject_c = X509_NAME_oneline(x509->cert_info->subject, NULL, 0); + const char *subject_c = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); if (subject_c == NULL) { LogError("Failed to parse x509 structure"); 
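Review bot: The init-failure branch added here repeats the same three release calls as the allocation-failure branch just above it, and the success path now calls `X509_STORE_CTX_cleanup(context)` immediately before `X509_STORE_CTX_free(context)`, which already performs the cleanup in 1.1, so the explicit cleanup is redundant. Since this is C++ and pkcs12.cpp already uses the pattern (`X509UniquePtr x509Ptr(x509, X509_free)`), `std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> context(X509_STORE_CTX_new(), X509_STORE_CTX_free);` with `context.get()` at the init, verify and get1_chain calls removes the duplication and covers every exit. Any early return between X509_STORE_CTX_init and the final free (the CA-flag loop body is outside the hunk) would otherwise leak the context along with store and ustore. The enclosing function starts and ends outside the hunk.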
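Review bot: In pkcs12.cpp, `X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0)` with a NULL buffer returns an OPENSSL_malloc()'d string that the caller must release with OPENSSL_free(), yet the result is bound to a `const char *`, which either forces a const_cast at the free or hints that it is never freed; the free, if any, is outside the hunk. Declaring it `char *subject_c = ...` and wrapping it in a unique_ptr with OPENSSL_free, as X509UniquePtr does for the certificate just above, makes the ownership explicit. The X509_NAME_print_ex() documentation also describes X509_NAME_oneline() as a non-standard legacy output form whose use in new code is discouraged; if getCommonName only needs the CN, `X509_NAME_get_index_by_NID(X509_get_subject_name(x509), NID_commonName, -1)` followed by `X509_NAME_ENTRY_get_data()` avoids parsing the one-line form at all. The same applies to `pSubject` and `pIssuerName` in the two verify_cert_details hunks that follow, where the `goto free_memory` paths suggest they are released.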
@@ -402,7 +402,7 @@ int verify_cert_details(X509 *cert, STACK_OF(X509) *certv) #ifdef _CERT_SVC_VERIFY_PKCS12 if (certv == NULL) { - pSubject = X509_NAME_oneline(cert->cert_info->subject, NULL, 0); + pSubject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); if (!pSubject) { LogError("Failed to get subject name"); @@ -410,7 +410,7 @@ int verify_cert_details(X509 *cert, STACK_OF(X509) *certv) goto free_memory; } - pIssuerName = X509_NAME_oneline(cert->cert_info->issuer, NULL, 0); + pIssuerName = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); if (!pIssuerName) { LogError("Failed to get issuer name"); diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index ba38f67..a3c86e9 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -21,7 +21,7 @@ SET(TARGET_PLUGIN_SAMPLE "cert-svc-validator-plugin") PKG_CHECK_MODULES(TEST_DEP REQUIRED libpcrecpp - openssl + openssl1.1 ) SET(TEST_DIR ${CMAKE_CURRENT_SOURCE_DIR}) diff --git a/tests/capi/test-certificate.cpp b/tests/capi/test-certificate.cpp index e79d310..5ea359b 100644 --- a/tests/capi/test-certificate.cpp +++ b/tests/capi/test-certificate.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -239,7 +239,7 @@ RUNNER_TEST(T01053_cert_get_field_other) _get_string_field_and_check( cert, CERTSVC_KEY, - " Public-Key: (1024 bit)\n" + " RSA Public-Key: (1024 bit)\n" " Modulus:\n" " 00:d8:08:a3:a3:05:fb:e2:df:36:cd:e3:48:2f:3b:\n" " 59:17:ce:e3:32:bf:9f:ef:f1:7c:fb:27:f9:7c:32:\n" diff --git a/tests/vcore/test-time-conversion.cpp b/tests/vcore/test-time-conversion.cpp index 29e0f5c..50ce2ed 100644 --- a/tests/vcore/test-time-conversion.cpp +++ b/tests/vcore/test-time-conversion.cpp 
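Review bot: The new expected text `" RSA Public-Key: (1024 bit)\n"` in T01053_cert_get_field_other pins the test to the exact wording of OpenSSL's key printer, which appears to differ between 1.1.0 (`Public-Key:`) and 1.1.1 (`RSA Public-Key:`), and the `openssl1.1` pkg-config name used in the build files does not fix the minor version, so the test's outcome depends on which 1.1.x the build host provides. A comment recording the dependency, e.g. `// Wording follows OpenSSL's RSA key printer; "RSA Public-Key" is the 1.1.1 form`, would at least explain the next failure. The more robust alternative is to assert on the modulus and exponent lines only, or to check the key type and size through the certificate API rather than through printed text.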
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -94,9 +94,10 @@ RUNNER_TEST(T004203_utctime_negative_invalid_format_too_long) -RUNNER_TEST(T004301_gentime_positive_full_local_only) +RUNNER_TEST(T004301_gentime_negative_full_local_only) { - UnitWrapper("20001231235959.999", V_ASN1_GENERALIZEDTIME, 1); + // ASN1_TIME_check() says that time format is syntactically incorrect + UnitWrapper("20001231235959.999", V_ASN1_GENERALIZEDTIME, 0); } RUNNER_TEST(T004302_gentime_positive_full_utc_only) @@ -114,9 +115,10 @@ RUNNER_TEST(T004304_gentime_positive_full_local_and_utc_minus) UnitWrapper("20001231235959.999-1259", V_ASN1_GENERALIZEDTIME, 1); } -RUNNER_TEST(T004305_gentime_positive_no_fff_local_only) +RUNNER_TEST(T004305_gentime_negative_no_fff_local_only) { - UnitWrapper("20001231235959", V_ASN1_GENERALIZEDTIME, 1); + // ASN1_TIME_check() says that time format is syntactically incorrect + UnitWrapper("20001231235959", V_ASN1_GENERALIZEDTIME, 0); } RUNNER_TEST(T004306_gentime_positive_no_fff_utc_only) -- 2.7.4
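Review bot: The added comment `// ASN1_TIME_check() says that time format is syntactically incorrect` in T004301 and T004305 records the observed result but not the rule behind the flipped expectation, which is what a maintainer needs when the next OpenSSL upgrade moves it again. Something like `// GeneralizedTime without a trailing 'Z' or a ±hhmm offset is rejected by ASN1_TIME_check() in OpenSSL 1.1; RFC 5280 4.1.2.5.2 requires UTC with 'Z'` states the reason. It also makes the surviving positive case T004304 (`-1259` suffix, visible as context) read as deliberate rather than as a leftover from the older, laxer parser.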