From 294100108cb4ef6fdb6624792e1a7e11d2d7397e Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Thu, 3 Sep 2015 13:36:26 -0500 Subject: Add initial CRL support to KSSLCertificate (cherry picked from commit 5896a404bcc63085cf0a50d232d2d631a5107228) --- tdeio/kssl/kopenssl.cc | 8 ++++++ tdeio/kssl/kopenssl.h | 5 ++++ tdeio/kssl/ksslcertificate.cc | 57 ++++++++++++++++++++++++++++++++++++++++--- tdeio/kssl/ksslcertificate.h | 22 +++++++++++++++++ 4 files changed, 88 insertions(+), 4 deletions(-) diff --git a/tdeio/kssl/kopenssl.cc b/tdeio/kssl/kopenssl.cc index afcc3c987..bc89a420a 100644 --- a/tdeio/kssl/kopenssl.cc +++ b/tdeio/kssl/kopenssl.cc @@ -71,6 +71,7 @@ static char * (*K_SSL_CIPHER_get_version) (SSL_CIPHER *) = 0L; static const char * (*K_SSL_CIPHER_get_name) (SSL_CIPHER *) = 0L; static char * (*K_SSL_CIPHER_description) (SSL_CIPHER *, char *, int) = 0L; static X509 * (*K_d2i_X509) (X509 **,unsigned char **,long) = 0L; +static X509_CRL * (*K_d2i_X509_CRL) (X509_CRL **,unsigned char **,long) = 0L; static int (*K_i2d_X509) (X509 *,unsigned char **) = 0L; static int (*K_X509_cmp) (X509 *, X509 *) = 0L; static void (*K_X509_STORE_CTX_free) (X509_STORE_CTX *) = 0L; @@ -401,6 +402,7 @@ TDEConfig *cfg; K_RAND_write_file = (int (*)(const char *)) GET_CRYPTOLIB_SYMBOL("RAND_write_file"); K_CRYPTO_free = (void (*) (void *)) GET_CRYPTOLIB_SYMBOL("CRYPTO_free"); K_d2i_X509 = (X509 * (*)(X509 **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509"); + K_d2i_X509_CRL = (X509_CRL * (*)(X509_CRL **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509_CRL"); K_i2d_X509 = (int (*)(X509 *,unsigned char **)) GET_CRYPTOLIB_SYMBOL("i2d_X509"); K_X509_cmp = (int (*)(X509 *, X509 *)) GET_CRYPTOLIB_SYMBOL("X509_cmp"); K_X509_STORE_CTX_new = (X509_STORE_CTX * (*) (void)) GET_CRYPTOLIB_SYMBOL("X509_STORE_CTX_new"); @@ -846,6 +848,12 @@ X509 * KOpenSSLProxy::d2i_X509(X509 **a,unsigned char **pp,long length) { } +X509_CRL * KOpenSSLProxy::d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length) { + if (K_d2i_X509_CRL) return (K_d2i_X509_CRL)(a,pp,length); + return 0L; +} + + int KOpenSSLProxy::i2d_X509(X509 *a,unsigned char **pp) { if (K_i2d_X509) return (K_i2d_X509)(a,pp); return -1; diff --git a/tdeio/kssl/kopenssl.h b/tdeio/kssl/kopenssl.h index 59cf7b560..9d0537051 100644 --- a/tdeio/kssl/kopenssl.h +++ b/tdeio/kssl/kopenssl.h @@ -291,6 +291,11 @@ public: */ X509 * d2i_X509(X509 **a,unsigned char **pp,long length); + /* + * d2i_X509 - Covert a text representation of X509 CRL to an X509_CRL object + */ + X509_CRL * d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length); + /* * i2d_X509 - Covert an X509 object into a text representation diff --git a/tdeio/kssl/ksslcertificate.cc b/tdeio/kssl/ksslcertificate.cc index 1f95c3912..95e0866ca 100644 --- a/tdeio/kssl/ksslcertificate.cc +++ b/tdeio/kssl/ksslcertificate.cc @@ -83,6 +83,7 @@ public: bool m_stateCached; #ifdef KSSL_HAVE_SSL X509 *m_cert; + X509_CRL *m_cert_crl; #endif KOSSL *kossl; KSSLCertChain _chain; @@ -161,6 +162,26 @@ KSSLCertificate *n = NULL; return n; } +KSSLCertificate *KSSLCertificate::crlFromString(TQCString cert) { +KSSLCertificate *n = NULL; +#ifdef KSSL_HAVE_SSL + if (cert.length() == 0) + return NULL; + + TQByteArray qba, qbb = cert.copy(); + KCodecs::base64Decode(qbb, qba); + unsigned char *qbap = reinterpret_cast(qba.data()); + X509_CRL *x5c = KOSSL::self()->d2i_X509_CRL(NULL, &qbap, qba.size()); + if (!x5c) { + return NULL; + } + + n = new KSSLCertificate; + n->setCRL(x5c); +#endif +return n; +} + TQString KSSLCertificate::getSubject() const { @@ -544,6 +565,17 @@ d->m_stateCached = false; d->m_stateCache = KSSLCertificate::Unknown; } +void KSSLCertificate::setCRL(X509_CRL *c) { +#ifdef KSSL_HAVE_SSL +d->m_cert_crl = c; +if (c) { + d->_extensions.flags = 0; +} +#endif +d->m_stateCached = false; +d->m_stateCache = KSSLCertificate::Unknown; +} + X509 *KSSLCertificate::getCert() { #ifdef KSSL_HAVE_SSL return d->m_cert; @@ -624,7 +656,6 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi X509_STORE *certStore; X509_LOOKUP *certLookup; X509_STORE_CTX *certStoreCTX; - int rc = 0; if (!d->m_cert) { @@ -702,7 +733,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi KSSL_X509CallBack_ca_found = false; certStoreCTX->error = X509_V_OK; - rc = d->kossl->X509_verify_cert(certStoreCTX); + d->kossl->X509_verify_cert(certStoreCTX); int errcode = certStoreCTX->error; if (ca && !KSSL_X509CallBack_ca_found) { ksslv = KSSLCertificate::Irrelevant; @@ -717,7 +748,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi X509_PURPOSE_NS_SSL_SERVER); certStoreCTX->error = X509_V_OK; - rc = d->kossl->X509_verify_cert(certStoreCTX); + d->kossl->X509_verify_cert(certStoreCTX); errcode = certStoreCTX->error; ksslv = processError(errcode); } @@ -885,6 +916,24 @@ return TQDateTime::currentDateTime(); } +TQDateTime KSSLCertificate::getQDTLastUpdate() const { +#ifdef KSSL_HAVE_SSL +return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL); +#else +return TQDateTime::currentDateTime(); +#endif +} + + +TQDateTime KSSLCertificate::getQDTNextUpdate() const { +#ifdef KSSL_HAVE_SSL +return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL); +#else +return TQDateTime::currentDateTime(); +#endif +} + + int operator==(KSSLCertificate &x, KSSLCertificate &y) { #ifndef KSSL_HAVE_SSL return 1; @@ -1115,7 +1164,7 @@ TQStringList KSSLCertificate::subjAltNames() const { TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5); if (!s.isEmpty() && /* skip subjectAltNames with embedded NULs */ - s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) { + s.length() == (unsigned int)d->kossl->ASN1_STRING_length(val->d.ia5)) { rc += s; } } diff --git a/tdeio/kssl/ksslcertificate.h b/tdeio/kssl/ksslcertificate.h index 0c5f87323..67f6a808d 100644 --- a/tdeio/kssl/ksslcertificate.h +++ b/tdeio/kssl/ksslcertificate.h @@ -57,8 +57,10 @@ class KSSLX509V3; #ifdef KSSL_HAVE_SSL typedef struct x509_st X509; +typedef struct X509_crl_st X509_CRL; #else class X509; +class X509_CRL; #endif /** @@ -97,6 +99,13 @@ public: */ static KSSLCertificate *fromString(TQCString cert); + /** + * Create an X.509 CRL certificate from a base64 encoded string. + * @param cert the certificate in base64 form + * @return the X.509 CRL certificate, or NULL + */ + static KSSLCertificate *crlFromString(TQCString cert); + /** * Create an X.509 certificate from the internal representation. * This one duplicates the X509 object for itself. @@ -165,6 +174,18 @@ public: */ TQDateTime getQDTNotAfter() const; + /** + * Get the date that the CRL was generated on. + * @return the date + */ + TQDateTime getQDTLastUpdate() const; + + /** + * Get the date that the CRL must be updated by. + * @return the date + */ + TQDateTime getQDTNextUpdate() const; + /** * Convert the certificate to DER (ASN.1) format. * @return the binary data of the DER encoding @@ -360,6 +381,7 @@ protected: KSSLCertificate(); void setCert(X509 *c); + void setCRL(X509_CRL *c); void setChain(void *c); X509 *getCert(); KSSLValidation processError(int ec); -- cgit v1.2.1