Browse Source

Add initial CRL support to KSSLCertificate

pull/1/head
Timothy Pearson 4 years ago
parent
commit
5896a404bc
4 changed files with 88 additions and 4 deletions
  1. +8
    -0
      tdeio/kssl/kopenssl.cc
  2. +5
    -0
      tdeio/kssl/kopenssl.h
  3. +53
    -4
      tdeio/kssl/ksslcertificate.cc
  4. +22
    -0
      tdeio/kssl/ksslcertificate.h

+ 8
- 0
tdeio/kssl/kopenssl.cc View File

@@ -71,6 +71,7 @@ static char * (*K_SSL_CIPHER_get_version) (SSL_CIPHER *) = 0L;
static const char * (*K_SSL_CIPHER_get_name) (SSL_CIPHER *) = 0L;
static char * (*K_SSL_CIPHER_description) (SSL_CIPHER *, char *, int) = 0L;
static X509 * (*K_d2i_X509) (X509 **,unsigned char **,long) = 0L;
static X509_CRL * (*K_d2i_X509_CRL) (X509_CRL **,unsigned char **,long) = 0L;
static int (*K_i2d_X509) (X509 *,unsigned char **) = 0L;
static int (*K_X509_cmp) (X509 *, X509 *) = 0L;
static void (*K_X509_STORE_CTX_free) (X509_STORE_CTX *) = 0L;
@@ -401,6 +402,7 @@ TDEConfig *cfg;
K_RAND_write_file = (int (*)(const char *)) GET_CRYPTOLIB_SYMBOL("RAND_write_file");
K_CRYPTO_free = (void (*) (void *)) GET_CRYPTOLIB_SYMBOL("CRYPTO_free");
K_d2i_X509 = (X509 * (*)(X509 **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509");
K_d2i_X509_CRL = (X509_CRL * (*)(X509_CRL **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509_CRL");
K_i2d_X509 = (int (*)(X509 *,unsigned char **)) GET_CRYPTOLIB_SYMBOL("i2d_X509");
K_X509_cmp = (int (*)(X509 *, X509 *)) GET_CRYPTOLIB_SYMBOL("X509_cmp");
K_X509_STORE_CTX_new = (X509_STORE_CTX * (*) (void)) GET_CRYPTOLIB_SYMBOL("X509_STORE_CTX_new");
@@ -846,6 +848,12 @@ X509 * KOpenSSLProxy::d2i_X509(X509 **a,unsigned char **pp,long length) {
}


X509_CRL * KOpenSSLProxy::d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length) {
if (K_d2i_X509_CRL) return (K_d2i_X509_CRL)(a,pp,length);
return 0L;
}


int KOpenSSLProxy::i2d_X509(X509 *a,unsigned char **pp) {
if (K_i2d_X509) return (K_i2d_X509)(a,pp);
return -1;

+ 5
- 0
tdeio/kssl/kopenssl.h View File

@@ -291,6 +291,11 @@ public:
*/
X509 * d2i_X509(X509 **a,unsigned char **pp,long length);

/*
* d2i_X509 - Covert a text representation of X509 CRL to an X509_CRL object
*/
X509_CRL * d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);


/*
* i2d_X509 - Covert an X509 object into a text representation

+ 53
- 4
tdeio/kssl/ksslcertificate.cc View File

@@ -83,6 +83,7 @@ public:
bool m_stateCached;
#ifdef KSSL_HAVE_SSL
X509 *m_cert;
X509_CRL *m_cert_crl;
#endif
KOSSL *kossl;
KSSLCertChain _chain;
@@ -161,6 +162,26 @@ KSSLCertificate *n = NULL;
return n;
}

KSSLCertificate *KSSLCertificate::crlFromString(TQCString cert) {
KSSLCertificate *n = NULL;
#ifdef KSSL_HAVE_SSL
if (cert.length() == 0)
return NULL;

TQByteArray qba, qbb = cert.copy();
KCodecs::base64Decode(qbb, qba);
unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
X509_CRL *x5c = KOSSL::self()->d2i_X509_CRL(NULL, &qbap, qba.size());
if (!x5c) {
return NULL;
}

n = new KSSLCertificate;
n->setCRL(x5c);
#endif
return n;
}



TQString KSSLCertificate::getSubject() const {
@@ -544,6 +565,17 @@ d->m_stateCached = false;
d->m_stateCache = KSSLCertificate::Unknown;
}

void KSSLCertificate::setCRL(X509_CRL *c) {
#ifdef KSSL_HAVE_SSL
d->m_cert_crl = c;
if (c) {
d->_extensions.flags = 0;
}
#endif
d->m_stateCached = false;
d->m_stateCache = KSSLCertificate::Unknown;
}

X509 *KSSLCertificate::getCert() {
#ifdef KSSL_HAVE_SSL
return d->m_cert;
@@ -624,7 +656,6 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
X509_STORE *certStore;
X509_LOOKUP *certLookup;
X509_STORE_CTX *certStoreCTX;
int rc = 0;

if (!d->m_cert)
{
@@ -702,7 +733,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
KSSL_X509CallBack_ca_found = false;

certStoreCTX->error = X509_V_OK;
rc = d->kossl->X509_verify_cert(certStoreCTX);
d->kossl->X509_verify_cert(certStoreCTX);
int errcode = certStoreCTX->error;
if (ca && !KSSL_X509CallBack_ca_found) {
ksslv = KSSLCertificate::Irrelevant;
@@ -717,7 +748,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
X509_PURPOSE_NS_SSL_SERVER);

certStoreCTX->error = X509_V_OK;
rc = d->kossl->X509_verify_cert(certStoreCTX);
d->kossl->X509_verify_cert(certStoreCTX);
errcode = certStoreCTX->error;
ksslv = processError(errcode);
}
@@ -885,6 +916,24 @@ return TQDateTime::currentDateTime();
}


TQDateTime KSSLCertificate::getQDTLastUpdate() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
#else
return TQDateTime::currentDateTime();
#endif
}


TQDateTime KSSLCertificate::getQDTNextUpdate() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
#else
return TQDateTime::currentDateTime();
#endif
}


int operator==(KSSLCertificate &x, KSSLCertificate &y) {
#ifndef KSSL_HAVE_SSL
return 1;
@@ -1115,7 +1164,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
if (!s.isEmpty() &&
/* skip subjectAltNames with embedded NULs */
s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
s.length() == (unsigned int)d->kossl->ASN1_STRING_length(val->d.ia5)) {
rc += s;
}
}

+ 22
- 0
tdeio/kssl/ksslcertificate.h View File

@@ -57,8 +57,10 @@ class KSSLX509V3;

#ifdef KSSL_HAVE_SSL
typedef struct x509_st X509;
typedef struct X509_crl_st X509_CRL;
#else
class X509;
class X509_CRL;
#endif

/**
@@ -98,6 +100,13 @@ public:
static KSSLCertificate *fromString(TQCString cert);

/**
* Create an X.509 CRL certificate from a base64 encoded string.
* @param cert the certificate in base64 form
* @return the X.509 CRL certificate, or NULL
*/
static KSSLCertificate *crlFromString(TQCString cert);

/**
* Create an X.509 certificate from the internal representation.
* This one duplicates the X509 object for itself.
* @param x5 the OpenSSL representation of the certificate
@@ -166,6 +175,18 @@ public:
TQDateTime getQDTNotAfter() const;

/**
* Get the date that the CRL was generated on.
* @return the date
*/
TQDateTime getQDTLastUpdate() const;

/**
* Get the date that the CRL must be updated by.
* @return the date
*/
TQDateTime getQDTNextUpdate() const;

/**
* Convert the certificate to DER (ASN.1) format.
* @return the binary data of the DER encoding
*/
@@ -360,6 +381,7 @@ protected:
KSSLCertificate();

void setCert(X509 *c);
void setCRL(X509_CRL *c);
void setChain(void *c);
X509 *getCert();
KSSLValidation processError(int ec);

Loading…
Cancel
Save