summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimothy Pearson <[email protected]>2015-09-03 13:36:26 -0500
committerSlávek Banko <[email protected]>2017-01-01 19:40:57 +0100
commit294100108cb4ef6fdb6624792e1a7e11d2d7397e (patch)
tree7183153210e82f9e4010dd4b31c42e562326e26e
parent291a19f7d3cd6aa7e1b612da34c5747aea07e119 (diff)
downloadtdelibs-294100108cb4ef6fdb6624792e1a7e11d2d7397e.tar.gz
tdelibs-294100108cb4ef6fdb6624792e1a7e11d2d7397e.zip
Add initial CRL support to KSSLCertificate
(cherry picked from commit 5896a404bcc63085cf0a50d232d2d631a5107228)
-rw-r--r--tdeio/kssl/kopenssl.cc8
-rw-r--r--tdeio/kssl/kopenssl.h5
-rw-r--r--tdeio/kssl/ksslcertificate.cc57
-rw-r--r--tdeio/kssl/ksslcertificate.h22
4 files changed, 88 insertions, 4 deletions
diff --git a/tdeio/kssl/kopenssl.cc b/tdeio/kssl/kopenssl.cc
index afcc3c987..bc89a420a 100644
--- a/tdeio/kssl/kopenssl.cc
+++ b/tdeio/kssl/kopenssl.cc
@@ -71,6 +71,7 @@ static char * (*K_SSL_CIPHER_get_version) (SSL_CIPHER *) = 0L;
static const char * (*K_SSL_CIPHER_get_name) (SSL_CIPHER *) = 0L;
static char * (*K_SSL_CIPHER_description) (SSL_CIPHER *, char *, int) = 0L;
static X509 * (*K_d2i_X509) (X509 **,unsigned char **,long) = 0L;
+static X509_CRL * (*K_d2i_X509_CRL) (X509_CRL **,unsigned char **,long) = 0L;
static int (*K_i2d_X509) (X509 *,unsigned char **) = 0L;
static int (*K_X509_cmp) (X509 *, X509 *) = 0L;
static void (*K_X509_STORE_CTX_free) (X509_STORE_CTX *) = 0L;
@@ -401,6 +402,7 @@ TDEConfig *cfg;
K_RAND_write_file = (int (*)(const char *)) GET_CRYPTOLIB_SYMBOL("RAND_write_file");
K_CRYPTO_free = (void (*) (void *)) GET_CRYPTOLIB_SYMBOL("CRYPTO_free");
K_d2i_X509 = (X509 * (*)(X509 **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509");
+ K_d2i_X509_CRL = (X509_CRL * (*)(X509_CRL **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509_CRL");
K_i2d_X509 = (int (*)(X509 *,unsigned char **)) GET_CRYPTOLIB_SYMBOL("i2d_X509");
K_X509_cmp = (int (*)(X509 *, X509 *)) GET_CRYPTOLIB_SYMBOL("X509_cmp");
K_X509_STORE_CTX_new = (X509_STORE_CTX * (*) (void)) GET_CRYPTOLIB_SYMBOL("X509_STORE_CTX_new");
@@ -846,6 +848,12 @@ X509 * KOpenSSLProxy::d2i_X509(X509 **a,unsigned char **pp,long length) {
}
+X509_CRL * KOpenSSLProxy::d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length) {
+ if (K_d2i_X509_CRL) return (K_d2i_X509_CRL)(a,pp,length);
+ return 0L;
+}
+
+
int KOpenSSLProxy::i2d_X509(X509 *a,unsigned char **pp) {
if (K_i2d_X509) return (K_i2d_X509)(a,pp);
return -1;
diff --git a/tdeio/kssl/kopenssl.h b/tdeio/kssl/kopenssl.h
index 59cf7b560..9d0537051 100644
--- a/tdeio/kssl/kopenssl.h
+++ b/tdeio/kssl/kopenssl.h
@@ -291,6 +291,11 @@ public:
*/
X509 * d2i_X509(X509 **a,unsigned char **pp,long length);
+ /*
+ * d2i_X509 - Covert a text representation of X509 CRL to an X509_CRL object
+ */
+ X509_CRL * d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);
+
/*
* i2d_X509 - Covert an X509 object into a text representation
diff --git a/tdeio/kssl/ksslcertificate.cc b/tdeio/kssl/ksslcertificate.cc
index 1f95c3912..95e0866ca 100644
--- a/tdeio/kssl/ksslcertificate.cc
+++ b/tdeio/kssl/ksslcertificate.cc
@@ -83,6 +83,7 @@ public:
bool m_stateCached;
#ifdef KSSL_HAVE_SSL
X509 *m_cert;
+ X509_CRL *m_cert_crl;
#endif
KOSSL *kossl;
KSSLCertChain _chain;
@@ -161,6 +162,26 @@ KSSLCertificate *n = NULL;
return n;
}
+KSSLCertificate *KSSLCertificate::crlFromString(TQCString cert) {
+KSSLCertificate *n = NULL;
+#ifdef KSSL_HAVE_SSL
+ if (cert.length() == 0)
+ return NULL;
+
+ TQByteArray qba, qbb = cert.copy();
+ KCodecs::base64Decode(qbb, qba);
+ unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
+ X509_CRL *x5c = KOSSL::self()->d2i_X509_CRL(NULL, &qbap, qba.size());
+ if (!x5c) {
+ return NULL;
+ }
+
+ n = new KSSLCertificate;
+ n->setCRL(x5c);
+#endif
+return n;
+}
+
TQString KSSLCertificate::getSubject() const {
@@ -544,6 +565,17 @@ d->m_stateCached = false;
d->m_stateCache = KSSLCertificate::Unknown;
}
+void KSSLCertificate::setCRL(X509_CRL *c) {
+#ifdef KSSL_HAVE_SSL
+d->m_cert_crl = c;
+if (c) {
+ d->_extensions.flags = 0;
+}
+#endif
+d->m_stateCached = false;
+d->m_stateCache = KSSLCertificate::Unknown;
+}
+
X509 *KSSLCertificate::getCert() {
#ifdef KSSL_HAVE_SSL
return d->m_cert;
@@ -624,7 +656,6 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
X509_STORE *certStore;
X509_LOOKUP *certLookup;
X509_STORE_CTX *certStoreCTX;
- int rc = 0;
if (!d->m_cert)
{
@@ -702,7 +733,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
KSSL_X509CallBack_ca_found = false;
certStoreCTX->error = X509_V_OK;
- rc = d->kossl->X509_verify_cert(certStoreCTX);
+ d->kossl->X509_verify_cert(certStoreCTX);
int errcode = certStoreCTX->error;
if (ca && !KSSL_X509CallBack_ca_found) {
ksslv = KSSLCertificate::Irrelevant;
@@ -717,7 +748,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
X509_PURPOSE_NS_SSL_SERVER);
certStoreCTX->error = X509_V_OK;
- rc = d->kossl->X509_verify_cert(certStoreCTX);
+ d->kossl->X509_verify_cert(certStoreCTX);
errcode = certStoreCTX->error;
ksslv = processError(errcode);
}
@@ -885,6 +916,24 @@ return TQDateTime::currentDateTime();
}
+TQDateTime KSSLCertificate::getQDTLastUpdate() const {
+#ifdef KSSL_HAVE_SSL
+return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
+#else
+return TQDateTime::currentDateTime();
+#endif
+}
+
+
+TQDateTime KSSLCertificate::getQDTNextUpdate() const {
+#ifdef KSSL_HAVE_SSL
+return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
+#else
+return TQDateTime::currentDateTime();
+#endif
+}
+
+
int operator==(KSSLCertificate &x, KSSLCertificate &y) {
#ifndef KSSL_HAVE_SSL
return 1;
@@ -1115,7 +1164,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
if (!s.isEmpty() &&
/* skip subjectAltNames with embedded NULs */
- s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
+ s.length() == (unsigned int)d->kossl->ASN1_STRING_length(val->d.ia5)) {
rc += s;
}
}
diff --git a/tdeio/kssl/ksslcertificate.h b/tdeio/kssl/ksslcertificate.h
index 0c5f87323..67f6a808d 100644
--- a/tdeio/kssl/ksslcertificate.h
+++ b/tdeio/kssl/ksslcertificate.h
@@ -57,8 +57,10 @@ class KSSLX509V3;
#ifdef KSSL_HAVE_SSL
typedef struct x509_st X509;
+typedef struct X509_crl_st X509_CRL;
#else
class X509;
+class X509_CRL;
#endif
/**
@@ -98,6 +100,13 @@ public:
static KSSLCertificate *fromString(TQCString cert);
/**
+ * Create an X.509 CRL certificate from a base64 encoded string.
+ * @param cert the certificate in base64 form
+ * @return the X.509 CRL certificate, or NULL
+ */
+ static KSSLCertificate *crlFromString(TQCString cert);
+
+ /**
* Create an X.509 certificate from the internal representation.
* This one duplicates the X509 object for itself.
* @param x5 the OpenSSL representation of the certificate
@@ -166,6 +175,18 @@ public:
TQDateTime getQDTNotAfter() const;
/**
+ * Get the date that the CRL was generated on.
+ * @return the date
+ */
+ TQDateTime getQDTLastUpdate() const;
+
+ /**
+ * Get the date that the CRL must be updated by.
+ * @return the date
+ */
+ TQDateTime getQDTNextUpdate() const;
+
+ /**
* Convert the certificate to DER (ASN.1) format.
* @return the binary data of the DER encoding
*/
@@ -360,6 +381,7 @@ protected:
KSSLCertificate();
void setCert(X509 *c);
+ void setCRL(X509_CRL *c);
void setChain(void *c);
X509 *getCert();
KSSLValidation processError(int ec);