7 * This is free software; see Copyright file in the source
8 * distribution for preciese wording.
10 * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com>
14 #ifndef XMLSEC_NO_X509
23 #include <libxml/tree.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509.h>
26 #include <openssl/x509_vfy.h>
27 #include <openssl/x509v3.h>
28 #include <openssl/asn1.h>
30 #include <xmlsec/xmlsec.h>
31 #include <xmlsec/xmltree.h>
32 #include <xmlsec/keys.h>
33 #include <xmlsec/keyinfo.h>
34 #include <xmlsec/keysmngr.h>
35 #include <xmlsec/x509.h>
36 #include <xmlsec/base64.h>
37 #include <xmlsec/errors.h>
39 #include <xmlsec/openssl/crypto.h>
40 #include <xmlsec/openssl/evp.h>
41 #include <xmlsec/openssl/x509.h>
43 /*************************************************************************
45 * X509 utility functions
47 ************************************************************************/
48 static int xmlSecOpenSSLX509DataNodeRead (xmlSecKeyDataPtr data,
50 xmlSecKeyInfoCtxPtr keyInfoCtx);
51 static int xmlSecOpenSSLX509CertificateNodeRead (xmlSecKeyDataPtr data,
53 xmlSecKeyInfoCtxPtr keyInfoCtx);
54 static int xmlSecOpenSSLX509CertificateNodeWrite (X509* cert,
56 xmlSecKeyInfoCtxPtr keyInfoCtx);
57 static int xmlSecOpenSSLX509SubjectNameNodeRead (xmlSecKeyDataPtr data,
59 xmlSecKeyInfoCtxPtr keyInfoCtx);
60 static int xmlSecOpenSSLX509SubjectNameNodeWrite (X509* cert,
62 xmlSecKeyInfoCtxPtr keyInfoCtx);
63 static int xmlSecOpenSSLX509IssuerSerialNodeRead (xmlSecKeyDataPtr data,
65 xmlSecKeyInfoCtxPtr keyInfoCtx);
66 static int xmlSecOpenSSLX509IssuerSerialNodeWrite (X509* cert,
68 xmlSecKeyInfoCtxPtr keyInfoCtx);
69 static int xmlSecOpenSSLX509SKINodeRead (xmlSecKeyDataPtr data,
71 xmlSecKeyInfoCtxPtr keyInfoCtx);
72 static int xmlSecOpenSSLX509SKINodeWrite (X509* cert,
74 xmlSecKeyInfoCtxPtr keyInfoCtx);
75 static int xmlSecOpenSSLX509CRLNodeRead (xmlSecKeyDataPtr data,
77 xmlSecKeyInfoCtxPtr keyInfoCtx);
78 static int xmlSecOpenSSLX509CRLNodeWrite (X509_CRL* crl,
80 xmlSecKeyInfoCtxPtr keyInfoCtx);
81 static int xmlSecOpenSSLKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data,
83 xmlSecKeyInfoCtxPtr keyInfoCtx);
84 static X509* xmlSecOpenSSLX509CertDerRead (const xmlSecByte* buf,
86 static X509* xmlSecOpenSSLX509CertBase64DerRead (xmlChar* buf);
87 static xmlChar* xmlSecOpenSSLX509CertBase64DerWrite (X509* cert,
89 static X509_CRL* xmlSecOpenSSLX509CrlDerRead (xmlSecByte* buf,
91 static X509_CRL* xmlSecOpenSSLX509CrlBase64DerRead (xmlChar* buf);
92 static xmlChar* xmlSecOpenSSLX509CrlBase64DerWrite (X509_CRL* crl,
94 static xmlChar* xmlSecOpenSSLX509NameWrite (X509_NAME* nm);
95 static xmlChar* xmlSecOpenSSLASN1IntegerWrite (ASN1_INTEGER *asni);
96 static xmlChar* xmlSecOpenSSLX509SKIWrite (X509* cert);
97 static void xmlSecOpenSSLX509CertDebugDump (X509* cert,
99 static void xmlSecOpenSSLX509CertDebugXmlDump (X509* cert,
101 static int xmlSecOpenSSLX509CertGetTime (ASN1_TIME* t,
104 /*************************************************************************
106 * Internal OpenSSL X509 data CTX
108 ************************************************************************/
109 typedef struct _xmlSecOpenSSLX509DataCtx xmlSecOpenSSLX509DataCtx,
110 *xmlSecOpenSSLX509DataCtxPtr;
111 struct _xmlSecOpenSSLX509DataCtx {
113 STACK_OF(X509)* certsList;
114 STACK_OF(X509_CRL)* crlsList;
117 /**************************************************************************
119 * <dsig:X509Data> processing
122 * The X509Data Element (http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
124 * An X509Data element within KeyInfo contains one or more identifiers of keys
125 * or X509 certificates (or certificates' identifiers or a revocation list).
126 * The content of X509Data is:
128 * 1. At least one element, from the following set of element types; any of these may appear together or more than once iff (if and only if) each instance describes or is related to the same certificate:
130 * * The X509IssuerSerial element, which contains an X.509 issuer
131 * distinguished name/serial number pair that SHOULD be compliant
132 * with RFC2253 [LDAP-DN],
133 * * The X509SubjectName element, which contains an X.509 subject
134 * distinguished name that SHOULD be compliant with RFC2253 [LDAP-DN],
135 * * The X509SKI element, which contains the base64 encoded plain (i.e.
136 * non-DER-encoded) value of a X509 V.3 SubjectKeyIdentifier extension.
137 * * The X509Certificate element, which contains a base64-encoded [X509v3]
139 * * Elements from an external namespace which accompanies/complements any
140 * of the elements above.
141 * * The X509CRL element, which contains a base64-encoded certificate
142 * revocation list (CRL) [X509v3].
144 * Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear
145 * MUST refer to the certificate or certificates containing the validation key.
146 * All such elements that refer to a particular individual certificate MUST be
147 * grouped inside a single X509Data element and if the certificate to which
148 * they refer appears, it MUST also be in that X509Data element.
150 * Any X509IssuerSerial, X509SKI, and X509SubjectName elements that relate to
151 * the same key but different certificates MUST be grouped within a single
152 * KeyInfo but MAY occur in multiple X509Data elements.
154 * All certificates appearing in an X509Data element MUST relate to the
155 * validation key by either containing it or being part of a certification
156 * chain that terminates in a certificate containing the validation key.
158 * No ordering is implied by the above constraints.
160 * Note, there is no direct provision for a PKCS#7 encoded "bag" of
161 * certificates or CRLs. However, a set of certificates and CRLs can occur
162 * within an X509Data element and multiple X509Data elements can occur in a
163 * KeyInfo. Whenever multiple certificates occur in an X509Data element, at
164 * least one such certificate must contain the public key which verifies the
169 * <element name="X509Data" type="ds:X509DataType"/>
170 * <complexType name="X509DataType">
171 * <sequence maxOccurs="unbounded">
173 * <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
174 * <element name="X509SKI" type="base64Binary"/>
175 * <element name="X509SubjectName" type="string"/>
176 * <element name="X509Certificate" type="base64Binary"/>
177 * <element name="X509CRL" type="base64Binary"/>
178 * <any namespace="##other" processContents="lax"/>
182 * <complexType name="X509IssuerSerialType">
184 * <element name="X509IssuerName" type="string"/>
185 * <element name="X509SerialNumber" type="integer"/>
191 * <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
192 * X509Certificate | X509CRL)+ %X509.ANY;)>
193 * <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
194 * <!ELEMENT X509IssuerName (#PCDATA) >
195 * <!ELEMENT X509SubjectName (#PCDATA) >
196 * <!ELEMENT X509SerialNumber (#PCDATA) >
197 * <!ELEMENT X509SKI (#PCDATA) >
198 * <!ELEMENT X509Certificate (#PCDATA) >
199 * <!ELEMENT X509CRL (#PCDATA) >
201 * -----------------------------------------------------------------------
203 * xmlSecOpenSSLX509DataCtx is located after xmlSecTransform
205 *************************************************************************/
206 #define xmlSecOpenSSLX509DataSize \
207 (sizeof(xmlSecKeyData) + sizeof(xmlSecOpenSSLX509DataCtx))
208 #define xmlSecOpenSSLX509DataGetCtx(data) \
209 ((xmlSecOpenSSLX509DataCtxPtr)(((xmlSecByte*)(data)) + sizeof(xmlSecKeyData)))
211 static int xmlSecOpenSSLKeyDataX509Initialize (xmlSecKeyDataPtr data);
212 static int xmlSecOpenSSLKeyDataX509Duplicate (xmlSecKeyDataPtr dst,
213 xmlSecKeyDataPtr src);
214 static void xmlSecOpenSSLKeyDataX509Finalize (xmlSecKeyDataPtr data);
215 static int xmlSecOpenSSLKeyDataX509XmlRead (xmlSecKeyDataId id,
218 xmlSecKeyInfoCtxPtr keyInfoCtx);
219 static int xmlSecOpenSSLKeyDataX509XmlWrite (xmlSecKeyDataId id,
222 xmlSecKeyInfoCtxPtr keyInfoCtx);
223 static xmlSecKeyDataType xmlSecOpenSSLKeyDataX509GetType (xmlSecKeyDataPtr data);
224 static const xmlChar* xmlSecOpenSSLKeyDataX509GetIdentifier (xmlSecKeyDataPtr data);
226 static void xmlSecOpenSSLKeyDataX509DebugDump (xmlSecKeyDataPtr data,
228 static void xmlSecOpenSSLKeyDataX509DebugXmlDump (xmlSecKeyDataPtr data,
233 static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataX509Klass = {
234 sizeof(xmlSecKeyDataKlass),
235 xmlSecOpenSSLX509DataSize,
239 xmlSecKeyDataUsageKeyInfoNode | xmlSecKeyDataUsageRetrievalMethodNodeXml,
240 /* xmlSecKeyDataUsage usage; */
241 xmlSecHrefX509Data, /* const xmlChar* href; */
242 xmlSecNodeX509Data, /* const xmlChar* dataNodeName; */
243 xmlSecDSigNs, /* const xmlChar* dataNodeNs; */
245 /* constructors/destructor */
246 xmlSecOpenSSLKeyDataX509Initialize, /* xmlSecKeyDataInitializeMethod initialize; */
247 xmlSecOpenSSLKeyDataX509Duplicate, /* xmlSecKeyDataDuplicateMethod duplicate; */
248 xmlSecOpenSSLKeyDataX509Finalize, /* xmlSecKeyDataFinalizeMethod finalize; */
249 NULL, /* xmlSecKeyDataGenerateMethod generate; */
252 xmlSecOpenSSLKeyDataX509GetType, /* xmlSecKeyDataGetTypeMethod getType; */
253 NULL, /* xmlSecKeyDataGetSizeMethod getSize; */
254 xmlSecOpenSSLKeyDataX509GetIdentifier, /* xmlSecKeyDataGetIdentifier getIdentifier; */
257 xmlSecOpenSSLKeyDataX509XmlRead, /* xmlSecKeyDataXmlReadMethod xmlRead; */
258 xmlSecOpenSSLKeyDataX509XmlWrite, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
259 NULL, /* xmlSecKeyDataBinReadMethod binRead; */
260 NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
263 xmlSecOpenSSLKeyDataX509DebugDump, /* xmlSecKeyDataDebugDumpMethod debugDump; */
264 xmlSecOpenSSLKeyDataX509DebugXmlDump, /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
266 /* reserved for the future */
267 NULL, /* void* reserved0; */
268 NULL, /* void* reserved1; */
272 * xmlSecOpenSSLKeyDataX509GetKlass:
274 * The OpenSSL X509 key data klass (http://www.w3.org/TR/xmldsig-core/#sec-X509Data).
276 * Returns: the X509 data klass.
279 xmlSecOpenSSLKeyDataX509GetKlass(void) {
280 return(&xmlSecOpenSSLKeyDataX509Klass);
284 * xmlSecOpenSSLKeyDataX509GetKeyCert:
285 * @data: the pointer to X509 key data.
287 * Gets the certificate from which the key was extracted.
289 * Returns: the key's certificate or NULL if key data was not used for key
290 * extraction or an error occurs.
293 xmlSecOpenSSLKeyDataX509GetKeyCert(xmlSecKeyDataPtr data) {
294 xmlSecOpenSSLX509DataCtxPtr ctx;
296 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), NULL);
298 ctx = xmlSecOpenSSLX509DataGetCtx(data);
299 xmlSecAssert2(ctx != NULL, NULL);
301 return(ctx->keyCert);
305 * xmlSecOpenSSLKeyDataX509AdoptKeyCert:
306 * @data: the pointer to X509 key data.
307 * @cert: the pointer to OpenSSL X509 certificate.
309 * Sets the key's certificate in @data.
311 * Returns: 0 on success or a negative value if an error occurs.
314 xmlSecOpenSSLKeyDataX509AdoptKeyCert(xmlSecKeyDataPtr data, X509* cert) {
315 xmlSecOpenSSLX509DataCtxPtr ctx;
317 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
318 xmlSecAssert2(cert != NULL, -1);
320 ctx = xmlSecOpenSSLX509DataGetCtx(data);
321 xmlSecAssert2(ctx != NULL, -1);
323 if(ctx->keyCert != NULL) {
324 X509_free(ctx->keyCert);
331 * xmlSecOpenSSLKeyDataX509AdoptCert:
332 * @data: the pointer to X509 key data.
333 * @cert: the pointer to OpenSSL X509 certificate.
335 * Adds certificate to the X509 key data.
337 * Returns: 0 on success or a negative value if an error occurs.
340 xmlSecOpenSSLKeyDataX509AdoptCert(xmlSecKeyDataPtr data, X509* cert) {
341 xmlSecOpenSSLX509DataCtxPtr ctx;
344 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
345 xmlSecAssert2(cert != NULL, -1);
347 ctx = xmlSecOpenSSLX509DataGetCtx(data);
348 xmlSecAssert2(ctx != NULL, -1);
350 if(ctx->certsList == NULL) {
351 ctx->certsList = sk_X509_new_null();
352 if(ctx->certsList == NULL) {
353 xmlSecError(XMLSEC_ERRORS_HERE,
354 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
356 XMLSEC_ERRORS_R_CRYPTO_FAILED,
357 XMLSEC_ERRORS_NO_MESSAGE);
362 ret = sk_X509_push(ctx->certsList, cert);
364 xmlSecError(XMLSEC_ERRORS_HERE,
365 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
367 XMLSEC_ERRORS_R_CRYPTO_FAILED,
368 XMLSEC_ERRORS_NO_MESSAGE);
376 * xmlSecOpenSSLKeyDataX509GetCert:
377 * @data: the pointer to X509 key data.
378 * @pos: the desired certificate position.
380 * Gets a certificate from X509 key data.
382 * Returns: the pointer to certificate or NULL if @pos is larger than the
383 * number of certificates in @data or an error occurs.
386 xmlSecOpenSSLKeyDataX509GetCert(xmlSecKeyDataPtr data, xmlSecSize pos) {
387 xmlSecOpenSSLX509DataCtxPtr ctx;
389 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), NULL);
391 ctx = xmlSecOpenSSLX509DataGetCtx(data);
392 xmlSecAssert2(ctx != NULL, NULL);
393 xmlSecAssert2(ctx->certsList != NULL, NULL);
394 xmlSecAssert2((int)pos < sk_X509_num(ctx->certsList), NULL);
396 return(sk_X509_value(ctx->certsList, pos));
400 * xmlSecOpenSSLKeyDataX509GetCertsSize:
401 * @data: the pointer to X509 key data.
403 * Gets the number of certificates in @data.
405 * Returns: te number of certificates in @data.
408 xmlSecOpenSSLKeyDataX509GetCertsSize(xmlSecKeyDataPtr data) {
409 xmlSecOpenSSLX509DataCtxPtr ctx;
411 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), 0);
413 ctx = xmlSecOpenSSLX509DataGetCtx(data);
414 xmlSecAssert2(ctx != NULL, 0);
416 return((ctx->certsList != NULL) ? sk_X509_num(ctx->certsList) : 0);
420 * xmlSecOpenSSLKeyDataX509AdoptCrl:
421 * @data: the pointer to X509 key data.
422 * @crl: the pointer to OpenSSL X509 CRL.
424 * Adds CRL to the X509 key data.
426 * Returns: 0 on success or a negative value if an error occurs.
429 xmlSecOpenSSLKeyDataX509AdoptCrl(xmlSecKeyDataPtr data, X509_CRL* crl) {
430 xmlSecOpenSSLX509DataCtxPtr ctx;
433 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
434 xmlSecAssert2(crl != NULL, -1);
436 ctx = xmlSecOpenSSLX509DataGetCtx(data);
437 xmlSecAssert2(ctx != NULL, -1);
439 if(ctx->crlsList == NULL) {
440 ctx->crlsList = sk_X509_CRL_new_null();
441 if(ctx->crlsList == NULL) {
442 xmlSecError(XMLSEC_ERRORS_HERE,
443 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
444 "sk_X509_CRL_new_null",
445 XMLSEC_ERRORS_R_CRYPTO_FAILED,
446 XMLSEC_ERRORS_NO_MESSAGE);
451 ret = sk_X509_CRL_push(ctx->crlsList, crl);
453 xmlSecError(XMLSEC_ERRORS_HERE,
454 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
456 XMLSEC_ERRORS_R_CRYPTO_FAILED,
457 XMLSEC_ERRORS_NO_MESSAGE);
465 * xmlSecOpenSSLKeyDataX509GetCrl:
466 * @data: the pointer to X509 key data.
467 * @pos: the desired CRL position.
469 * Gets a CRL from X509 key data.
471 * Returns: the pointer to CRL or NULL if @pos is larger than the
472 * number of CRLs in @data or an error occurs.
475 xmlSecOpenSSLKeyDataX509GetCrl(xmlSecKeyDataPtr data, xmlSecSize pos) {
476 xmlSecOpenSSLX509DataCtxPtr ctx;
478 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), NULL);
480 ctx = xmlSecOpenSSLX509DataGetCtx(data);
481 xmlSecAssert2(ctx != NULL, NULL);
483 xmlSecAssert2(ctx->crlsList != NULL, NULL);
484 xmlSecAssert2((int)pos < sk_X509_CRL_num(ctx->crlsList), NULL);
486 return(sk_X509_CRL_value(ctx->crlsList, pos));
490 * xmlSecOpenSSLKeyDataX509GetCrlsSize:
491 * @data: the pointer to X509 key data.
493 * Gets the number of CRLs in @data.
495 * Returns: te number of CRLs in @data.
498 xmlSecOpenSSLKeyDataX509GetCrlsSize(xmlSecKeyDataPtr data) {
499 xmlSecOpenSSLX509DataCtxPtr ctx;
501 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), 0);
503 ctx = xmlSecOpenSSLX509DataGetCtx(data);
504 xmlSecAssert2(ctx != NULL, 0);
506 return((ctx->crlsList != NULL) ? sk_X509_CRL_num(ctx->crlsList) : 0);
510 xmlSecOpenSSLKeyDataX509Initialize(xmlSecKeyDataPtr data) {
511 xmlSecOpenSSLX509DataCtxPtr ctx;
513 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
515 ctx = xmlSecOpenSSLX509DataGetCtx(data);
516 xmlSecAssert2(ctx != NULL, -1);
518 memset(ctx, 0, sizeof(xmlSecOpenSSLX509DataCtx));
523 xmlSecOpenSSLKeyDataX509Duplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
528 xmlSecSize size, pos;
531 xmlSecAssert2(xmlSecKeyDataCheckId(dst, xmlSecOpenSSLKeyDataX509Id), -1);
532 xmlSecAssert2(xmlSecKeyDataCheckId(src, xmlSecOpenSSLKeyDataX509Id), -1);
535 size = xmlSecOpenSSLKeyDataX509GetCertsSize(src);
536 for(pos = 0; pos < size; ++pos) {
537 certSrc = xmlSecOpenSSLKeyDataX509GetCert(src, pos);
538 if(certSrc == NULL) {
539 xmlSecError(XMLSEC_ERRORS_HERE,
540 xmlSecErrorsSafeString(xmlSecKeyDataGetName(src)),
541 "xmlSecOpenSSLKeyDataX509GetCert",
542 XMLSEC_ERRORS_R_XMLSEC_FAILED,
547 certDst = X509_dup(certSrc);
548 if(certDst == NULL) {
549 xmlSecError(XMLSEC_ERRORS_HERE,
550 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
552 XMLSEC_ERRORS_R_CRYPTO_FAILED,
553 XMLSEC_ERRORS_NO_MESSAGE);
557 ret = xmlSecOpenSSLKeyDataX509AdoptCert(dst, certDst);
559 xmlSecError(XMLSEC_ERRORS_HERE,
560 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
561 "xmlSecOpenSSLKeyDataX509AdoptCert",
562 XMLSEC_ERRORS_R_XMLSEC_FAILED,
563 XMLSEC_ERRORS_NO_MESSAGE);
570 size = xmlSecOpenSSLKeyDataX509GetCrlsSize(src);
571 for(pos = 0; pos < size; ++pos) {
572 crlSrc = xmlSecOpenSSLKeyDataX509GetCrl(src, pos);
574 xmlSecError(XMLSEC_ERRORS_HERE,
575 xmlSecErrorsSafeString(xmlSecKeyDataGetName(src)),
576 "xmlSecOpenSSLKeyDataX509GetCrl",
577 XMLSEC_ERRORS_R_XMLSEC_FAILED,
582 crlDst = X509_CRL_dup(crlSrc);
584 xmlSecError(XMLSEC_ERRORS_HERE,
585 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
587 XMLSEC_ERRORS_R_CRYPTO_FAILED,
588 XMLSEC_ERRORS_NO_MESSAGE);
592 ret = xmlSecOpenSSLKeyDataX509AdoptCrl(dst, crlDst);
594 xmlSecError(XMLSEC_ERRORS_HERE,
595 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
596 "xmlSecOpenSSLKeyDataX509AdoptCrl",
597 XMLSEC_ERRORS_R_XMLSEC_FAILED,
598 XMLSEC_ERRORS_NO_MESSAGE);
599 X509_CRL_free(crlDst);
604 /* copy key cert if exist */
605 certSrc = xmlSecOpenSSLKeyDataX509GetKeyCert(src);
606 if(certSrc != NULL) {
607 certDst = X509_dup(certSrc);
608 if(certDst == NULL) {
609 xmlSecError(XMLSEC_ERRORS_HERE,
610 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
612 XMLSEC_ERRORS_R_CRYPTO_FAILED,
613 XMLSEC_ERRORS_NO_MESSAGE);
616 ret = xmlSecOpenSSLKeyDataX509AdoptKeyCert(dst, certDst);
618 xmlSecError(XMLSEC_ERRORS_HERE,
619 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
620 "xmlSecOpenSSLKeyDataX509AdoptKeyCert",
621 XMLSEC_ERRORS_R_XMLSEC_FAILED,
622 XMLSEC_ERRORS_NO_MESSAGE);
631 xmlSecOpenSSLKeyDataX509Finalize(xmlSecKeyDataPtr data) {
632 xmlSecOpenSSLX509DataCtxPtr ctx;
634 xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id));
636 ctx = xmlSecOpenSSLX509DataGetCtx(data);
637 xmlSecAssert(ctx != NULL);
639 if(ctx->certsList != NULL) {
640 sk_X509_pop_free(ctx->certsList, X509_free);
642 if(ctx->crlsList != NULL) {
643 sk_X509_CRL_pop_free(ctx->crlsList, X509_CRL_free);
645 if(ctx->keyCert != NULL) {
646 X509_free(ctx->keyCert);
648 memset(ctx, 0, sizeof(xmlSecOpenSSLX509DataCtx));
652 xmlSecOpenSSLKeyDataX509XmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
653 xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
654 xmlSecKeyDataPtr data;
657 xmlSecAssert2(id == xmlSecOpenSSLKeyDataX509Id, -1);
658 xmlSecAssert2(key != NULL, -1);
659 xmlSecAssert2(node != NULL, -1);
660 xmlSecAssert2(keyInfoCtx != NULL, -1);
662 data = xmlSecKeyEnsureData(key, id);
664 xmlSecError(XMLSEC_ERRORS_HERE,
665 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
666 "xmlSecKeyEnsureData",
667 XMLSEC_ERRORS_R_XMLSEC_FAILED,
668 XMLSEC_ERRORS_NO_MESSAGE);
672 ret = xmlSecOpenSSLX509DataNodeRead(data, node, keyInfoCtx);
674 xmlSecError(XMLSEC_ERRORS_HERE,
675 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
676 "xmlSecOpenSSLX509DataNodeRead",
677 XMLSEC_ERRORS_R_XMLSEC_FAILED,
678 XMLSEC_ERRORS_NO_MESSAGE);
682 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) == 0) {
683 ret = xmlSecOpenSSLKeyDataX509VerifyAndExtractKey(data, key, keyInfoCtx);
685 xmlSecError(XMLSEC_ERRORS_HERE,
686 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
687 "xmlSecOpenSSLKeyDataX509VerifyAndExtractKey",
688 XMLSEC_ERRORS_R_XMLSEC_FAILED,
689 XMLSEC_ERRORS_NO_MESSAGE);
697 xmlSecOpenSSLKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
698 xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
699 xmlSecKeyDataPtr data;
702 xmlSecSize size, pos;
706 xmlSecAssert2(id == xmlSecOpenSSLKeyDataX509Id, -1);
707 xmlSecAssert2(key != NULL, -1);
708 xmlSecAssert2(node != NULL, -1);
709 xmlSecAssert2(keyInfoCtx != NULL, -1);
711 content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx);
713 xmlSecError(XMLSEC_ERRORS_HERE,
714 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
715 "xmlSecX509DataGetNodeContent",
716 XMLSEC_ERRORS_R_XMLSEC_FAILED,
717 "content=%d", content);
719 } else if(content == 0) {
720 /* by default we are writing certificates and crls */
721 content = XMLSEC_X509DATA_DEFAULT;
725 data = xmlSecKeyGetData(key, id);
727 /* no x509 data in the key */
732 size = xmlSecOpenSSLKeyDataX509GetCertsSize(data);
733 for(pos = 0; pos < size; ++pos) {
734 cert = xmlSecOpenSSLKeyDataX509GetCert(data, pos);
736 xmlSecError(XMLSEC_ERRORS_HERE,
737 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
738 "xmlSecOpenSSLKeyDataX509GetCert",
739 XMLSEC_ERRORS_R_XMLSEC_FAILED,
744 if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) {
745 ret = xmlSecOpenSSLX509CertificateNodeWrite(cert, node, keyInfoCtx);
747 xmlSecError(XMLSEC_ERRORS_HERE,
748 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
749 "xmlSecOpenSSLX509CertificateNodeWrite",
750 XMLSEC_ERRORS_R_XMLSEC_FAILED,
756 if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) {
757 ret = xmlSecOpenSSLX509SubjectNameNodeWrite(cert, node, keyInfoCtx);
759 xmlSecError(XMLSEC_ERRORS_HERE,
760 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
761 "xmlSecOpenSSLX509SubjectNameNodeWrite",
762 XMLSEC_ERRORS_R_XMLSEC_FAILED,
768 if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) {
769 ret = xmlSecOpenSSLX509IssuerSerialNodeWrite(cert, node, keyInfoCtx);
771 xmlSecError(XMLSEC_ERRORS_HERE,
772 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
773 "xmlSecOpenSSLX509IssuerSerialNodeWrite",
774 XMLSEC_ERRORS_R_XMLSEC_FAILED,
780 if((content & XMLSEC_X509DATA_SKI_NODE) != 0) {
781 ret = xmlSecOpenSSLX509SKINodeWrite(cert, node, keyInfoCtx);
783 xmlSecError(XMLSEC_ERRORS_HERE,
784 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
785 "xmlSecOpenSSLX509SKINodeWrite",
786 XMLSEC_ERRORS_R_XMLSEC_FAILED,
793 /* write crls if needed */
794 if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
795 size = xmlSecOpenSSLKeyDataX509GetCrlsSize(data);
796 for(pos = 0; pos < size; ++pos) {
797 crl = xmlSecOpenSSLKeyDataX509GetCrl(data, pos);
799 xmlSecError(XMLSEC_ERRORS_HERE,
800 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
801 "xmlSecOpenSSLKeyDataX509GetCrl",
802 XMLSEC_ERRORS_R_XMLSEC_FAILED,
807 ret = xmlSecOpenSSLX509CRLNodeWrite(crl, node, keyInfoCtx);
809 xmlSecError(XMLSEC_ERRORS_HERE,
810 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
811 "xmlSecOpenSSLX509CRLNodeWrite",
812 XMLSEC_ERRORS_R_XMLSEC_FAILED,
823 static xmlSecKeyDataType
824 xmlSecOpenSSLKeyDataX509GetType(xmlSecKeyDataPtr data) {
825 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), xmlSecKeyDataTypeUnknown);
827 /* TODO: return verified/not verified status */
828 return(xmlSecKeyDataTypeUnknown);
831 static const xmlChar*
832 xmlSecOpenSSLKeyDataX509GetIdentifier(xmlSecKeyDataPtr data) {
833 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), NULL);
840 xmlSecOpenSSLKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
842 xmlSecSize size, pos;
844 xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id));
845 xmlSecAssert(output != NULL);
847 fprintf(output, "=== X509 Data:\n");
848 cert = xmlSecOpenSSLKeyDataX509GetKeyCert(data);
850 fprintf(output, "==== Key Certificate:\n");
851 xmlSecOpenSSLX509CertDebugDump(cert, output);
854 size = xmlSecOpenSSLKeyDataX509GetCertsSize(data);
855 for(pos = 0; pos < size; ++pos) {
856 cert = xmlSecOpenSSLKeyDataX509GetCert(data, pos);
858 xmlSecError(XMLSEC_ERRORS_HERE,
859 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
860 "xmlSecOpenSSLKeyDataX509GetCert",
861 XMLSEC_ERRORS_R_XMLSEC_FAILED,
865 fprintf(output, "==== Certificate:\n");
866 xmlSecOpenSSLX509CertDebugDump(cert, output);
869 /* we don't print out crls */
873 xmlSecOpenSSLKeyDataX509DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
875 xmlSecSize size, pos;
877 xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id));
878 xmlSecAssert(output != NULL);
880 fprintf(output, "<X509Data>\n");
881 cert = xmlSecOpenSSLKeyDataX509GetKeyCert(data);
883 fprintf(output, "<KeyCertificate>\n");
884 xmlSecOpenSSLX509CertDebugXmlDump(cert, output);
885 fprintf(output, "</KeyCertificate>\n");
888 size = xmlSecOpenSSLKeyDataX509GetCertsSize(data);
889 for(pos = 0; pos < size; ++pos) {
890 cert = xmlSecOpenSSLKeyDataX509GetCert(data, pos);
892 xmlSecError(XMLSEC_ERRORS_HERE,
893 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
894 "xmlSecOpenSSLKeyDataX509GetCert",
895 XMLSEC_ERRORS_R_XMLSEC_FAILED,
899 fprintf(output, "<Certificate>\n");
900 xmlSecOpenSSLX509CertDebugXmlDump(cert, output);
901 fprintf(output, "</Certificate>\n");
904 /* we don't print out crls */
905 fprintf(output, "</X509Data>\n");
909 xmlSecOpenSSLX509DataNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
913 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
914 xmlSecAssert2(node != NULL, -1);
915 xmlSecAssert2(keyInfoCtx != NULL, -1);
917 for(cur = xmlSecGetNextElementNode(node->children);
919 cur = xmlSecGetNextElementNode(cur->next)) {
922 if(xmlSecCheckNodeName(cur, xmlSecNodeX509Certificate, xmlSecDSigNs)) {
923 ret = xmlSecOpenSSLX509CertificateNodeRead(data, cur, keyInfoCtx);
924 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SubjectName, xmlSecDSigNs)) {
925 ret = xmlSecOpenSSLX509SubjectNameNodeRead(data, cur, keyInfoCtx);
926 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerSerial, xmlSecDSigNs)) {
927 ret = xmlSecOpenSSLX509IssuerSerialNodeRead(data, cur, keyInfoCtx);
928 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SKI, xmlSecDSigNs)) {
929 ret = xmlSecOpenSSLX509SKINodeRead(data, cur, keyInfoCtx);
930 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509CRL, xmlSecDSigNs)) {
931 ret = xmlSecOpenSSLX509CRLNodeRead(data, cur, keyInfoCtx);
932 } else if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CHILD) != 0) {
933 /* laxi schema validation: ignore unknown nodes */
934 xmlSecError(XMLSEC_ERRORS_HERE,
935 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
936 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
937 XMLSEC_ERRORS_R_UNEXPECTED_NODE,
938 XMLSEC_ERRORS_NO_MESSAGE);
942 xmlSecError(XMLSEC_ERRORS_HERE,
943 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
944 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
945 XMLSEC_ERRORS_R_XMLSEC_FAILED,
954 xmlSecOpenSSLX509CertificateNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
959 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
960 xmlSecAssert2(node != NULL, -1);
961 xmlSecAssert2(keyInfoCtx != NULL, -1);
963 content = xmlNodeGetContent(node);
964 if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
965 if(content != NULL) {
968 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
969 xmlSecError(XMLSEC_ERRORS_HERE,
970 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
971 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
972 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
973 XMLSEC_ERRORS_NO_MESSAGE);
979 cert = xmlSecOpenSSLX509CertBase64DerRead(content);
981 xmlSecError(XMLSEC_ERRORS_HERE,
982 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
983 "xmlSecOpenSSLX509CertBase64DerRead",
984 XMLSEC_ERRORS_R_XMLSEC_FAILED,
985 XMLSEC_ERRORS_NO_MESSAGE);
990 ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert);
992 xmlSecError(XMLSEC_ERRORS_HERE,
993 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
994 "xmlSecOpenSSLKeyDataX509AdoptCert",
995 XMLSEC_ERRORS_R_XMLSEC_FAILED,
996 XMLSEC_ERRORS_NO_MESSAGE);
1007 xmlSecOpenSSLX509CertificateNodeWrite(X509* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1011 xmlSecAssert2(cert != NULL, -1);
1012 xmlSecAssert2(node != NULL, -1);
1013 xmlSecAssert2(keyInfoCtx != NULL, -1);
1015 /* set base64 lines size from context */
1016 buf = xmlSecOpenSSLX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize);
1018 xmlSecError(XMLSEC_ERRORS_HERE,
1020 "xmlSecOpenSSLX509CertBase64DerWrite",
1021 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1022 XMLSEC_ERRORS_NO_MESSAGE);
1026 cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
1028 xmlSecError(XMLSEC_ERRORS_HERE,
1031 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1033 xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
1038 /* todo: add \n around base64 data - from context */
1039 /* todo: add errors check */
1040 xmlNodeSetContent(cur, xmlSecStringCR);
1041 xmlNodeSetContent(cur, buf);
1047 xmlSecOpenSSLX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1048 xmlSecKeyDataStorePtr x509Store;
1054 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
1055 xmlSecAssert2(node != NULL, -1);
1056 xmlSecAssert2(keyInfoCtx != NULL, -1);
1057 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1059 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecOpenSSLX509StoreId);
1060 if(x509Store == NULL) {
1061 xmlSecError(XMLSEC_ERRORS_HERE,
1062 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1063 "xmlSecKeysMngrGetDataStore",
1064 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1065 XMLSEC_ERRORS_NO_MESSAGE);
1069 subject = xmlNodeGetContent(node);
1070 if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) {
1071 if(subject != NULL) {
1074 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1075 xmlSecError(XMLSEC_ERRORS_HERE,
1076 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1077 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1078 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1079 XMLSEC_ERRORS_NO_MESSAGE);
1085 cert = xmlSecOpenSSLX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
1088 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
1089 xmlSecError(XMLSEC_ERRORS_HERE,
1090 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1092 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1094 xmlSecErrorsSafeString(subject));
1103 cert2 = X509_dup(cert);
1105 xmlSecError(XMLSEC_ERRORS_HERE,
1106 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1108 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1109 XMLSEC_ERRORS_NO_MESSAGE);
1115 ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert2);
1117 xmlSecError(XMLSEC_ERRORS_HERE,
1118 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1119 "xmlSecOpenSSLKeyDataX509AdoptCert",
1120 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1121 XMLSEC_ERRORS_NO_MESSAGE);
1132 xmlSecOpenSSLX509SubjectNameNodeWrite(X509* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
1133 xmlChar* buf = NULL;
1134 xmlNodePtr cur = NULL;
1136 xmlSecAssert2(cert != NULL, -1);
1137 xmlSecAssert2(node != NULL, -1);
1139 buf = xmlSecOpenSSLX509NameWrite(X509_get_subject_name(cert));
1141 xmlSecError(XMLSEC_ERRORS_HERE,
1143 "xmlSecOpenSSLX509NameWrite(X509_get_subject_name)",
1144 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1145 XMLSEC_ERRORS_NO_MESSAGE);
1149 cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs);
1151 xmlSecError(XMLSEC_ERRORS_HERE,
1154 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1156 xmlSecErrorsSafeString(xmlSecNodeX509SubjectName));
1160 xmlSecNodeEncodeAndSetContent(cur, buf);
1166 xmlSecOpenSSLX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1167 xmlSecKeyDataStorePtr x509Store;
1169 xmlChar *issuerName;
1170 xmlChar *issuerSerial;
1175 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
1176 xmlSecAssert2(node != NULL, -1);
1177 xmlSecAssert2(keyInfoCtx != NULL, -1);
1178 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1180 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecOpenSSLX509StoreId);
1181 if(x509Store == NULL) {
1182 xmlSecError(XMLSEC_ERRORS_HERE,
1183 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1184 "xmlSecKeysMngrGetDataStore",
1185 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1186 XMLSEC_ERRORS_NO_MESSAGE);
1190 cur = xmlSecGetNextElementNode(node->children);
1192 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1193 xmlSecError(XMLSEC_ERRORS_HERE,
1194 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1195 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
1196 XMLSEC_ERRORS_R_NODE_NOT_FOUND,
1198 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
1204 /* the first is required node X509IssuerName */
1205 if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
1206 xmlSecError(XMLSEC_ERRORS_HERE,
1207 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1208 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
1209 XMLSEC_ERRORS_R_NODE_NOT_FOUND,
1211 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
1214 issuerName = xmlNodeGetContent(cur);
1215 if(issuerName == NULL) {
1216 xmlSecError(XMLSEC_ERRORS_HERE,
1217 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1218 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
1219 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1221 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
1224 cur = xmlSecGetNextElementNode(cur->next);
1226 /* next is required node X509SerialNumber */
1227 if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs)) {
1228 xmlSecError(XMLSEC_ERRORS_HERE,
1229 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1230 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
1231 XMLSEC_ERRORS_R_NODE_NOT_FOUND,
1233 xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
1234 xmlFree(issuerName);
1237 issuerSerial = xmlNodeGetContent(cur);
1238 if(issuerSerial == NULL) {
1239 xmlSecError(XMLSEC_ERRORS_HERE,
1240 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1241 xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber),
1242 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1244 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
1245 xmlFree(issuerName);
1248 cur = xmlSecGetNextElementNode(cur->next);
1251 xmlSecError(XMLSEC_ERRORS_HERE,
1252 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1253 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
1254 XMLSEC_ERRORS_R_UNEXPECTED_NODE,
1255 XMLSEC_ERRORS_NO_MESSAGE);
1256 xmlFree(issuerSerial);
1257 xmlFree(issuerName);
1261 cert = xmlSecOpenSSLX509StoreFindCert(x509Store, NULL, issuerName, issuerSerial, NULL, keyInfoCtx);
1264 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
1265 xmlSecError(XMLSEC_ERRORS_HERE,
1266 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1268 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1269 "issuerName=%s;issuerSerial=%s",
1270 xmlSecErrorsSafeString(issuerName),
1271 xmlSecErrorsSafeString(issuerSerial));
1272 xmlFree(issuerSerial);
1273 xmlFree(issuerName);
1276 xmlFree(issuerSerial);
1277 xmlFree(issuerName);
1281 cert2 = X509_dup(cert);
1283 xmlSecError(XMLSEC_ERRORS_HERE,
1284 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1286 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1287 XMLSEC_ERRORS_NO_MESSAGE);
1288 xmlFree(issuerSerial);
1289 xmlFree(issuerName);
1293 ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert2);
1295 xmlSecError(XMLSEC_ERRORS_HERE,
1296 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1297 "xmlSecOpenSSLKeyDataX509AdoptCert",
1298 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1299 XMLSEC_ERRORS_NO_MESSAGE);
1301 xmlFree(issuerSerial);
1302 xmlFree(issuerName);
1306 xmlFree(issuerSerial);
1307 xmlFree(issuerName);
1312 xmlSecOpenSSLX509IssuerSerialNodeWrite(X509* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
1314 xmlNodePtr issuerNameNode;
1315 xmlNodePtr issuerNumberNode;
1318 xmlSecAssert2(cert != NULL, -1);
1319 xmlSecAssert2(node != NULL, -1);
1321 /* create xml nodes */
1322 cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
1324 xmlSecError(XMLSEC_ERRORS_HERE,
1327 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1329 xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial));
1333 issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs);
1334 if(issuerNameNode == NULL) {
1335 xmlSecError(XMLSEC_ERRORS_HERE,
1338 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1340 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
1344 issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs);
1345 if(issuerNumberNode == NULL) {
1346 xmlSecError(XMLSEC_ERRORS_HERE,
1349 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1351 xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
1356 buf = xmlSecOpenSSLX509NameWrite(X509_get_issuer_name(cert));
1358 xmlSecError(XMLSEC_ERRORS_HERE,
1360 "xmlSecOpenSSLX509NameWrite(X509_get_issuer_name)",
1361 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1362 XMLSEC_ERRORS_NO_MESSAGE);
1365 xmlSecNodeEncodeAndSetContent(issuerNameNode, buf);
1368 buf = xmlSecOpenSSLASN1IntegerWrite(X509_get_serialNumber(cert));
1370 xmlSecError(XMLSEC_ERRORS_HERE,
1372 "xmlSecOpenSSLASN1IntegerWrite(X509_get_serialNumber)",
1373 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1374 XMLSEC_ERRORS_NO_MESSAGE);
1377 xmlSecNodeEncodeAndSetContent(issuerNumberNode, buf);
1385 xmlSecOpenSSLX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1386 xmlSecKeyDataStorePtr x509Store;
1392 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
1393 xmlSecAssert2(node != NULL, -1);
1394 xmlSecAssert2(keyInfoCtx != NULL, -1);
1395 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1397 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecOpenSSLX509StoreId);
1398 if(x509Store == NULL) {
1399 xmlSecError(XMLSEC_ERRORS_HERE,
1400 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1401 "xmlSecKeysMngrGetDataStore",
1402 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1403 XMLSEC_ERRORS_NO_MESSAGE);
1407 ski = xmlNodeGetContent(node);
1408 if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) {
1412 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1413 xmlSecError(XMLSEC_ERRORS_HERE,
1414 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1415 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1416 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1418 xmlSecErrorsSafeString(xmlSecNodeX509SKI));
1424 cert = xmlSecOpenSSLX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx);
1428 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
1429 xmlSecError(XMLSEC_ERRORS_HERE,
1430 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1432 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1434 xmlSecErrorsSafeString(ski));
1440 cert2 = X509_dup(cert);
1442 xmlSecError(XMLSEC_ERRORS_HERE,
1443 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1445 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1446 XMLSEC_ERRORS_NO_MESSAGE);
1451 ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert2);
1453 xmlSecError(XMLSEC_ERRORS_HERE,
1454 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1455 "xmlSecOpenSSLKeyDataX509AdoptCert",
1456 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1457 XMLSEC_ERRORS_NO_MESSAGE);
1468 xmlSecOpenSSLX509SKINodeWrite(X509* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
1469 xmlChar *buf = NULL;
1470 xmlNodePtr cur = NULL;
1472 xmlSecAssert2(cert != NULL, -1);
1473 xmlSecAssert2(node != NULL, -1);
1475 buf = xmlSecOpenSSLX509SKIWrite(cert);
1477 xmlSecError(XMLSEC_ERRORS_HERE,
1479 "xmlSecOpenSSLX509SKIWrite",
1480 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1481 XMLSEC_ERRORS_NO_MESSAGE);
1485 cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs);
1487 xmlSecError(XMLSEC_ERRORS_HERE,
1490 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1492 xmlSecErrorsSafeString(xmlSecNodeX509SKI));
1496 xmlSecNodeEncodeAndSetContent(cur, buf);
1503 xmlSecOpenSSLX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1508 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
1509 xmlSecAssert2(node != NULL, -1);
1510 xmlSecAssert2(keyInfoCtx != NULL, -1);
1512 content = xmlNodeGetContent(node);
1513 if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
1514 if(content != NULL) {
1517 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1518 xmlSecError(XMLSEC_ERRORS_HERE,
1519 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1520 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1521 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1522 XMLSEC_ERRORS_NO_MESSAGE);
1528 crl = xmlSecOpenSSLX509CrlBase64DerRead(content);
1530 xmlSecError(XMLSEC_ERRORS_HERE,
1531 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1532 "xmlSecOpenSSLX509CrlBase64DerRead",
1533 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1534 XMLSEC_ERRORS_NO_MESSAGE);
1539 ret = xmlSecOpenSSLKeyDataX509AdoptCrl(data, crl);
1541 xmlSecError(XMLSEC_ERRORS_HERE,
1542 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1543 "xmlSecOpenSSLKeyDataX509AdoptCrl",
1544 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1545 XMLSEC_ERRORS_NO_MESSAGE);
1556 xmlSecOpenSSLX509CRLNodeWrite(X509_CRL* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1557 xmlChar* buf = NULL;
1558 xmlNodePtr cur = NULL;
1560 xmlSecAssert2(crl != NULL, -1);
1561 xmlSecAssert2(node != NULL, -1);
1562 xmlSecAssert2(keyInfoCtx != NULL, -1);
1564 /* set base64 lines size from context */
1565 buf = xmlSecOpenSSLX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
1567 xmlSecError(XMLSEC_ERRORS_HERE,
1569 "xmlSecOpenSSLX509CrlBase64DerWrite",
1570 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1571 XMLSEC_ERRORS_NO_MESSAGE);
1575 cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
1577 xmlSecError(XMLSEC_ERRORS_HERE,
1580 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1582 xmlSecErrorsSafeString(xmlSecNodeX509CRL));
1586 /* todo: add \n around base64 data - from context */
1587 /* todo: add errors check */
1588 xmlNodeSetContent(cur, xmlSecStringCR);
1589 xmlNodeSetContent(cur, buf);
1596 xmlSecOpenSSLKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
1597 xmlSecKeyInfoCtxPtr keyInfoCtx) {
1598 xmlSecOpenSSLX509DataCtxPtr ctx;
1599 xmlSecKeyDataStorePtr x509Store;
1602 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataX509Id), -1);
1603 xmlSecAssert2(key != NULL, -1);
1604 xmlSecAssert2(keyInfoCtx != NULL, -1);
1605 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1607 ctx = xmlSecOpenSSLX509DataGetCtx(data);
1608 xmlSecAssert2(ctx != NULL, -1);
1610 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecOpenSSLX509StoreId);
1611 if(x509Store == NULL) {
1612 xmlSecError(XMLSEC_ERRORS_HERE,
1613 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1614 "xmlSecKeysMngrGetDataStore",
1615 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1616 XMLSEC_ERRORS_NO_MESSAGE);
1620 if((ctx->keyCert == NULL) && (ctx->certsList != NULL) && (xmlSecKeyGetValue(key) == NULL)) {
1623 cert = xmlSecOpenSSLX509StoreVerify(x509Store, ctx->certsList, ctx->crlsList, keyInfoCtx);
1625 xmlSecKeyDataPtr keyValue;
1627 ctx->keyCert = X509_dup(cert);
1628 if(ctx->keyCert == NULL) {
1629 xmlSecError(XMLSEC_ERRORS_HERE,
1630 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1632 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1633 XMLSEC_ERRORS_NO_MESSAGE);
1637 keyValue = xmlSecOpenSSLX509CertGetKey(ctx->keyCert);
1638 if(keyValue == NULL) {
1639 xmlSecError(XMLSEC_ERRORS_HERE,
1640 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1641 "xmlSecOpenSSLX509CertGetKey",
1642 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1643 XMLSEC_ERRORS_NO_MESSAGE);
1647 /* verify that the key matches our expectations */
1648 if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
1649 xmlSecError(XMLSEC_ERRORS_HERE,
1650 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1651 "xmlSecKeyReqMatchKeyValue",
1652 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1653 XMLSEC_ERRORS_NO_MESSAGE);
1654 xmlSecKeyDataDestroy(keyValue);
1658 ret = xmlSecKeySetValue(key, keyValue);
1660 xmlSecError(XMLSEC_ERRORS_HERE,
1661 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1662 "xmlSecKeySetValue",
1663 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1664 XMLSEC_ERRORS_NO_MESSAGE);
1665 xmlSecKeyDataDestroy(keyValue);
1669 if((X509_get_notBefore(ctx->keyCert) != NULL) && (X509_get_notAfter(ctx->keyCert) != NULL)) {
1670 ret = xmlSecOpenSSLX509CertGetTime(X509_get_notBefore(ctx->keyCert), &(key->notValidBefore));
1672 xmlSecError(XMLSEC_ERRORS_HERE,
1673 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1674 "xmlSecOpenSSLX509CertGetTime",
1675 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1679 ret = xmlSecOpenSSLX509CertGetTime(X509_get_notAfter(ctx->keyCert), &(key->notValidAfter));
1681 xmlSecError(XMLSEC_ERRORS_HERE,
1682 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1683 "xmlSecOpenSSLX509CertGetTime",
1684 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1689 key->notValidBefore = key->notValidAfter = 0;
1691 } else if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_INVALID_CERT) != 0) {
1692 xmlSecError(XMLSEC_ERRORS_HERE,
1693 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1695 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1696 XMLSEC_ERRORS_NO_MESSAGE);
1704 extern time_t timegm (struct tm *tm);
1705 #else /* HAVE_TIMEGM */
1707 #define timegm(tm) (mktime(tm) - _timezone)
1709 /* Absolutely not the best way but it's the only ANSI compatible way I know.
1710 * If you system has a native struct tm --> GMT time_t conversion function
1711 * (like timegm) use it instead.
1714 my_timegm(struct tm *t) {
1738 return (tl - (tb - tl));
1741 #define timegm(tm) my_timegm(tm)
1743 #endif /* HAVE_TIMEGM */
1746 xmlSecOpenSSLX509CertGetTime(ASN1_TIME* t, time_t* res) {
1750 xmlSecAssert2(t != NULL, -1);
1751 xmlSecAssert2(res != NULL, -1);
1754 #ifndef XMLSEC_OPENSSL_096
1755 if(!ASN1_TIME_check(t)) {
1756 xmlSecError(XMLSEC_ERRORS_HERE,
1759 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1760 XMLSEC_ERRORS_NO_MESSAGE);
1763 #endif /* XMLSEC_OPENSSL_096 */
1765 memset(&tm, 0, sizeof(tm));
1767 #define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
1768 if(t->type == V_ASN1_UTCTIME) {
1769 xmlSecAssert2(t->length > 12, -1);
1772 /* this code is copied from OpenSSL asn1/a_utctm.c file */
1773 tm.tm_year = g2(t->data);
1774 if(tm.tm_year < 50) {
1777 tm.tm_mon = g2(t->data + 2) - 1;
1778 tm.tm_mday = g2(t->data + 4);
1779 tm.tm_hour = g2(t->data + 6);
1780 tm.tm_min = g2(t->data + 8);
1781 tm.tm_sec = g2(t->data + 10);
1782 if(t->data[12] == 'Z') {
1785 xmlSecAssert2(t->length > 16, -1);
1787 offset = g2(t->data + 13) * 60 + g2(t->data + 15);
1788 if(t->data[12] == '-') {
1794 xmlSecAssert2(t->length > 14, -1);
1796 tm.tm_year = g2(t->data) * 100 + g2(t->data + 2);
1797 tm.tm_mon = g2(t->data + 4) - 1;
1798 tm.tm_mday = g2(t->data + 6);
1799 tm.tm_hour = g2(t->data + 8);
1800 tm.tm_min = g2(t->data + 10);
1801 tm.tm_sec = g2(t->data + 12);
1802 if(t->data[14] == 'Z') {
1805 xmlSecAssert2(t->length > 18, -1);
1807 offset = g2(t->data + 15) * 60 + g2(t->data + 17);
1808 if(t->data[14] == '-') {
1815 (*res) = timegm(&tm) - offset * 60;
1820 * xmlSecOpenSSLX509CertGetKey:
1821 * @cert: the certificate.
1823 * Extracts public key from the @cert.
1825 * Returns: public key value or NULL if an error occurs.
1828 xmlSecOpenSSLX509CertGetKey(X509* cert) {
1829 xmlSecKeyDataPtr data;
1830 EVP_PKEY *pKey = NULL;
1832 xmlSecAssert2(cert != NULL, NULL);
1834 pKey = X509_get_pubkey(cert);
1836 xmlSecError(XMLSEC_ERRORS_HERE,
1839 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1840 XMLSEC_ERRORS_NO_MESSAGE);
1844 data = xmlSecOpenSSLEvpKeyAdopt(pKey);
1846 xmlSecError(XMLSEC_ERRORS_HERE,
1848 "xmlSecOpenSSLEvpKeyAdopt",
1849 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1850 XMLSEC_ERRORS_NO_MESSAGE);
1851 EVP_PKEY_free(pKey);
1859 xmlSecOpenSSLX509CertBase64DerRead(xmlChar* buf) {
1862 xmlSecAssert2(buf != NULL, NULL);
1864 /* usual trick with base64 decoding "in-place" */
1865 ret = xmlSecBase64Decode(buf, (xmlSecByte*)buf, xmlStrlen(buf));
1867 xmlSecError(XMLSEC_ERRORS_HERE,
1869 "xmlSecBase64Decode",
1870 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1871 XMLSEC_ERRORS_NO_MESSAGE);
1875 return(xmlSecOpenSSLX509CertDerRead((xmlSecByte*)buf, ret));
1879 xmlSecOpenSSLX509CertDerRead(const xmlSecByte* buf, xmlSecSize size) {
1884 xmlSecAssert2(buf != NULL, NULL);
1885 xmlSecAssert2(size > 0, NULL);
1887 mem = BIO_new(BIO_s_mem());
1889 xmlSecError(XMLSEC_ERRORS_HERE,
1892 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1897 ret = BIO_write(mem, buf, size);
1899 xmlSecError(XMLSEC_ERRORS_HERE,
1902 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1908 cert = d2i_X509_bio(mem, NULL);
1910 xmlSecError(XMLSEC_ERRORS_HERE,
1913 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1914 XMLSEC_ERRORS_NO_MESSAGE);
1924 xmlSecOpenSSLX509CertBase64DerWrite(X509* cert, int base64LineWrap) {
1925 xmlChar *res = NULL;
1927 xmlSecByte *p = NULL;
1930 xmlSecAssert2(cert != NULL, NULL);
1932 mem = BIO_new(BIO_s_mem());
1934 xmlSecError(XMLSEC_ERRORS_HERE,
1937 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1942 /* todo: add error checks */
1943 i2d_X509_bio(mem, cert);
1946 size = BIO_get_mem_data(mem, &p);
1947 if((size <= 0) || (p == NULL)){
1948 xmlSecError(XMLSEC_ERRORS_HERE,
1951 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1952 XMLSEC_ERRORS_NO_MESSAGE);
1957 res = xmlSecBase64Encode(p, size, base64LineWrap);
1959 xmlSecError(XMLSEC_ERRORS_HERE,
1961 "xmlSecBase64Encode",
1962 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1963 XMLSEC_ERRORS_NO_MESSAGE);
1973 xmlSecOpenSSLX509CrlBase64DerRead(xmlChar* buf) {
1976 xmlSecAssert2(buf != NULL, NULL);
1978 /* usual trick with base64 decoding "in-place" */
1979 ret = xmlSecBase64Decode(buf, (xmlSecByte*)buf, xmlStrlen(buf));
1981 xmlSecError(XMLSEC_ERRORS_HERE,
1983 "xmlSecBase64Decode",
1984 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1985 XMLSEC_ERRORS_NO_MESSAGE);
1989 return(xmlSecOpenSSLX509CrlDerRead((xmlSecByte*)buf, ret));
1993 xmlSecOpenSSLX509CrlDerRead(xmlSecByte* buf, xmlSecSize size) {
1994 X509_CRL *crl = NULL;
1998 xmlSecAssert2(buf != NULL, NULL);
1999 xmlSecAssert2(size > 0, NULL);
2001 mem = BIO_new(BIO_s_mem());
2003 xmlSecError(XMLSEC_ERRORS_HERE,
2006 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2011 ret = BIO_write(mem, buf, size);
2013 xmlSecError(XMLSEC_ERRORS_HERE,
2016 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2022 crl = d2i_X509_CRL_bio(mem, NULL);
2024 xmlSecError(XMLSEC_ERRORS_HERE,
2027 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2028 XMLSEC_ERRORS_NO_MESSAGE);
2038 xmlSecOpenSSLX509CrlBase64DerWrite(X509_CRL* crl, int base64LineWrap) {
2039 xmlChar *res = NULL;
2041 xmlSecByte *p = NULL;
2044 xmlSecAssert2(crl != NULL, NULL);
2046 mem = BIO_new(BIO_s_mem());
2048 xmlSecError(XMLSEC_ERRORS_HERE,
2051 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2056 /* todo: add error checks */
2057 i2d_X509_CRL_bio(mem, crl);
2060 size = BIO_get_mem_data(mem, &p);
2061 if((size <= 0) || (p == NULL)){
2062 xmlSecError(XMLSEC_ERRORS_HERE,
2065 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2066 XMLSEC_ERRORS_NO_MESSAGE);
2071 res = xmlSecBase64Encode(p, size, base64LineWrap);
2073 xmlSecError(XMLSEC_ERRORS_HERE,
2075 "xmlSecBase64Encode",
2076 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2077 XMLSEC_ERRORS_NO_MESSAGE);
2087 xmlSecOpenSSLX509NameWrite(X509_NAME* nm) {
2088 xmlChar *res = NULL;
2092 xmlSecAssert2(nm != NULL, NULL);
2094 mem = BIO_new(BIO_s_mem());
2096 xmlSecError(XMLSEC_ERRORS_HERE,
2099 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2104 if (X509_NAME_print_ex(mem, nm, 0, XN_FLAG_RFC2253) <=0) {
2105 xmlSecError(XMLSEC_ERRORS_HERE,
2107 "X509_NAME_print_ex",
2108 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2109 XMLSEC_ERRORS_NO_MESSAGE);
2114 BIO_flush(mem); /* should call flush ? */
2116 size = BIO_pending(mem);
2117 res = xmlMalloc(size + 1);
2119 xmlSecError(XMLSEC_ERRORS_HERE,
2122 XMLSEC_ERRORS_R_MALLOC_FAILED,
2123 XMLSEC_ERRORS_NO_MESSAGE);
2128 size = BIO_read(mem, res, size);
2136 xmlSecOpenSSLASN1IntegerWrite(ASN1_INTEGER *asni) {
2137 xmlChar *res = NULL;
2141 xmlSecAssert2(asni != NULL, NULL);
2143 bn = ASN1_INTEGER_to_BN(asni, NULL);
2145 xmlSecError(XMLSEC_ERRORS_HERE,
2147 "ASN1_INTEGER_to_BN",
2148 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2149 XMLSEC_ERRORS_NO_MESSAGE);
2155 xmlSecError(XMLSEC_ERRORS_HERE,
2158 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2159 XMLSEC_ERRORS_NO_MESSAGE);
2166 /* OpenSSL and LibXML2 can have different memory callbacks, i.e.
2167 when data is allocated in OpenSSL should be freed with OpenSSL
2168 method, not with LibXML2 method.
2170 res = xmlCharStrdup(p);
2172 xmlSecError(XMLSEC_ERRORS_HERE,
2175 XMLSEC_ERRORS_R_MALLOC_FAILED,
2176 XMLSEC_ERRORS_NO_MESSAGE);
2186 xmlSecOpenSSLX509SKIWrite(X509* cert) {
2187 xmlChar *res = NULL;
2189 X509_EXTENSION *ext;
2190 ASN1_OCTET_STRING *keyId;
2192 xmlSecAssert2(cert != NULL, NULL);
2194 index = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
2196 xmlSecError(XMLSEC_ERRORS_HERE,
2198 "Certificate without SubjectKeyIdentifier extension",
2199 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2200 XMLSEC_ERRORS_NO_MESSAGE);
2204 ext = X509_get_ext(cert, index);
2206 xmlSecError(XMLSEC_ERRORS_HERE,
2209 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2210 XMLSEC_ERRORS_NO_MESSAGE);
2214 keyId = X509V3_EXT_d2i(ext);
2215 if (keyId == NULL) {
2216 xmlSecError(XMLSEC_ERRORS_HERE,
2219 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2220 XMLSEC_ERRORS_NO_MESSAGE);
2221 M_ASN1_OCTET_STRING_free(keyId);
2225 res = xmlSecBase64Encode(M_ASN1_STRING_data(keyId), M_ASN1_STRING_length(keyId), 0);
2227 xmlSecError(XMLSEC_ERRORS_HERE,
2229 "xmlSecBase64Encode",
2230 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2231 XMLSEC_ERRORS_NO_MESSAGE);
2232 M_ASN1_OCTET_STRING_free(keyId);
2235 M_ASN1_OCTET_STRING_free(keyId);
2241 xmlSecOpenSSLX509CertDebugDump(X509* cert, FILE* output) {
2245 xmlSecAssert(cert != NULL);
2246 xmlSecAssert(output != NULL);
2248 fprintf(output, "==== Subject Name: %s\n",
2249 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)));
2250 fprintf(output, "==== Issuer Name: %s\n",
2251 X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)));
2252 fprintf(output, "==== Issuer Serial: ");
2253 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert),NULL);
2255 BN_print_fp(output, bn);
2257 fprintf(output, "\n");
2259 fprintf(output, "unknown\n");
2265 xmlSecOpenSSLX509CertDebugXmlDump(X509* cert, FILE* output) {
2269 xmlSecAssert(cert != NULL);
2270 xmlSecAssert(output != NULL);
2272 fprintf(output, "<SubjectName>");
2273 xmlSecPrintXmlString(output,
2274 BAD_CAST X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf))
2276 fprintf(output, "</SubjectName>\n");
2279 fprintf(output, "<IssuerName>");
2280 xmlSecPrintXmlString(output,
2281 BAD_CAST X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)));
2282 fprintf(output, "</IssuerName>\n");
2284 fprintf(output, "<SerialNumber>");
2285 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert),NULL);
2287 BN_print_fp(output, bn);
2290 fprintf(output, "</SerialNumber>\n");
2294 /**************************************************************************
2296 * Raw X509 Certificate processing
2299 *************************************************************************/
2300 static int xmlSecOpenSSLKeyDataRawX509CertBinRead (xmlSecKeyDataId id,
2302 const xmlSecByte* buf,
2304 xmlSecKeyInfoCtxPtr keyInfoCtx);
2306 static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataRawX509CertKlass = {
2307 sizeof(xmlSecKeyDataKlass),
2308 sizeof(xmlSecKeyData),
2311 xmlSecNameRawX509Cert,
2312 xmlSecKeyDataUsageRetrievalMethodNodeBin,
2313 /* xmlSecKeyDataUsage usage; */
2314 xmlSecHrefRawX509Cert, /* const xmlChar* href; */
2315 NULL, /* const xmlChar* dataNodeName; */
2316 xmlSecDSigNs, /* const xmlChar* dataNodeNs; */
2318 /* constructors/destructor */
2319 NULL, /* xmlSecKeyDataInitializeMethod initialize; */
2320 NULL, /* xmlSecKeyDataDuplicateMethod duplicate; */
2321 NULL, /* xmlSecKeyDataFinalizeMethod finalize; */
2322 NULL, /* xmlSecKeyDataGenerateMethod generate; */
2325 NULL, /* xmlSecKeyDataGetTypeMethod getType; */
2326 NULL, /* xmlSecKeyDataGetSizeMethod getSize; */
2327 NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */
2330 NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */
2331 NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
2332 xmlSecOpenSSLKeyDataRawX509CertBinRead, /* xmlSecKeyDataBinReadMethod binRead; */
2333 NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
2336 NULL, /* xmlSecKeyDataDebugDumpMethod debugDump; */
2337 NULL, /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
2339 /* reserved for the future */
2340 NULL, /* void* reserved0; */
2341 NULL, /* void* reserved1; */
2345 * xmlSecOpenSSLKeyDataRawX509CertGetKlass:
2347 * The raw X509 certificates key data klass.
2349 * Returns: raw X509 certificates key data klass.
2352 xmlSecOpenSSLKeyDataRawX509CertGetKlass(void) {
2353 return(&xmlSecOpenSSLKeyDataRawX509CertKlass);
2357 xmlSecOpenSSLKeyDataRawX509CertBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
2358 const xmlSecByte* buf, xmlSecSize bufSize,
2359 xmlSecKeyInfoCtxPtr keyInfoCtx) {
2360 xmlSecKeyDataPtr data;
2364 xmlSecAssert2(id == xmlSecOpenSSLKeyDataRawX509CertId, -1);
2365 xmlSecAssert2(key != NULL, -1);
2366 xmlSecAssert2(buf != NULL, -1);
2367 xmlSecAssert2(bufSize > 0, -1);
2368 xmlSecAssert2(keyInfoCtx != NULL, -1);
2370 cert = xmlSecOpenSSLX509CertDerRead(buf, bufSize);
2372 xmlSecError(XMLSEC_ERRORS_HERE,
2374 "xmlSecOpenSSLX509CertDerRead",
2375 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2376 XMLSEC_ERRORS_NO_MESSAGE);
2380 data = xmlSecKeyEnsureData(key, xmlSecOpenSSLKeyDataX509Id);
2382 xmlSecError(XMLSEC_ERRORS_HERE,
2383 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
2384 "xmlSecKeyEnsureData",
2385 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2386 XMLSEC_ERRORS_NO_MESSAGE);
2391 ret = xmlSecOpenSSLKeyDataX509AdoptCert(data, cert);
2393 xmlSecError(XMLSEC_ERRORS_HERE,
2394 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
2395 "xmlSecOpenSSLKeyDataX509AdoptCert",
2396 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2397 XMLSEC_ERRORS_NO_MESSAGE);
2402 ret = xmlSecOpenSSLKeyDataX509VerifyAndExtractKey(data, key, keyInfoCtx);
2404 xmlSecError(XMLSEC_ERRORS_HERE,
2405 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
2406 "xmlSecOpenSSLKeyDataX509VerifyAndExtractKey",
2407 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2408 XMLSEC_ERRORS_NO_MESSAGE);
2414 #endif /* XMLSEC_NO_X509 */