
Add initial CRL support to KSSLCertificate

Timothy Pearson 3 years ago
parent
commit
5896a404bc
4 changed files with 88 additions and 4 deletions
  1. 8
    0
      tdeio/kssl/kopenssl.cc
  2. 5
    0
      tdeio/kssl/kopenssl.h
  3. 53
    4
      tdeio/kssl/ksslcertificate.cc
  4. 22
    0
      tdeio/kssl/ksslcertificate.h

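--- a/tdeio/kssl/kopenssl.cc
+++ b/tdeio/kssl/kopenssl.cc
@@ -71,6 +71,7 @@ static char * (*K_SSL_CIPHER_get_version) (SSL_CIPHER *) = 0L;
 static const char * (*K_SSL_CIPHER_get_name) (SSL_CIPHER *) = 0L;
 static char * (*K_SSL_CIPHER_description) (SSL_CIPHER *, char *, int) = 0L;
 static X509 * (*K_d2i_X509) (X509 **,unsigned char **,long) = 0L;
+static X509_CRL * (*K_d2i_X509_CRL) (X509_CRL **,unsigned char **,long) = 0L;
 static int (*K_i2d_X509) (X509 *,unsigned char **) = 0L;
 static int (*K_X509_cmp) (X509 *, X509 *) = 0L;
 static void (*K_X509_STORE_CTX_free) (X509_STORE_CTX *) = 0L;
@@ -401,6 +402,7 @@ TDEConfig *cfg;
       K_RAND_write_file = (int (*)(const char *)) GET_CRYPTOLIB_SYMBOL("RAND_write_file");
       K_CRYPTO_free = (void (*) (void *)) GET_CRYPTOLIB_SYMBOL("CRYPTO_free");
       K_d2i_X509 = (X509 * (*)(X509 **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509");
+      K_d2i_X509_CRL = (X509_CRL * (*)(X509_CRL **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509_CRL");
       K_i2d_X509 = (int (*)(X509 *,unsigned char **)) GET_CRYPTOLIB_SYMBOL("i2d_X509");
       K_X509_cmp = (int (*)(X509 *, X509 *)) GET_CRYPTOLIB_SYMBOL("X509_cmp");
       K_X509_STORE_CTX_new = (X509_STORE_CTX * (*) (void)) GET_CRYPTOLIB_SYMBOL("X509_STORE_CTX_new");
@@ -846,6 +848,12 @@ X509 * KOpenSSLProxy::d2i_X509(X509 **a,unsigned char **pp,long length) {
 }
 
 
+X509_CRL * KOpenSSLProxy::d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length) {
+   if (K_d2i_X509_CRL) return (K_d2i_X509_CRL)(a,pp,length);
+   return 0L;
+}
+
+
 int KOpenSSLProxy::i2d_X509(X509 *a,unsigned char **pp) {
    if (K_i2d_X509) return (K_i2d_X509)(a,pp);
    return -1;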
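Review bot: There is no `X509_CRL_free` counterpart to the new `K_d2i_X509_CRL` pointer, lookup and `KOpenSSLProxy::d2i_X509_CRL` wrapper in these three hunks, so an `X509_CRL` handed out by the proxy cannot be released through `KOpenSSLProxy` and leaks unless a caller reaches into libcrypto directly — every other allocating d2i/new routine in this file appears to have a matching free. No verification entry point (`X509_CRL_verify`, `X509_STORE_add_crl`) is resolved either, so a CRL obtained this way can only be inspected, never checked against its issuer or consulted during chain validation; that may be intended for an initial commit, but it deserves a `// TODO` next to the lookup so nobody assumes revocation checking exists. I would add the free routine in the same three places, mirroring the d2i pattern (the matching declaration goes in kopenssl.h).
```cpp
static void (*K_X509_CRL_free) (X509_CRL *) = 0L;
// … unchanged: remaining function-pointer declarations …

      K_X509_CRL_free = (void (*)(X509_CRL *)) GET_CRYPTOLIB_SYMBOL("X509_CRL_free");
// … unchanged: remaining GET_CRYPTOLIB_SYMBOL lookups …

void KOpenSSLProxy::X509_CRL_free(X509_CRL *a) {
   if (K_X509_CRL_free) (K_X509_CRL_free)(a);
}
```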

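--- a/tdeio/kssl/kopenssl.h
+++ b/tdeio/kssl/kopenssl.h
@@ -291,6 +291,11 @@ public:
     */
    X509 * d2i_X509(X509 **a,unsigned char **pp,long length);
 
+   /*
+    *   d2i_X509 - Covert a text representation of X509 CRL to an X509_CRL object
+    */
+   X509_CRL * d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);
+
 
    /*
     *   i2d_X509 - Covert an X509 object into a text representation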
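Review bot: The comment added above `d2i_X509_CRL` names the wrong function and misdescribes the input: it says `d2i_X509` and "text representation", whereas d2i routines consume DER bytes and advance `*pp` past them (the existing d2i_X509 comment has the same "Covert" typo, but it should not be copied). I would replace the two comment lines with `*   d2i_X509_CRL - Convert a DER-encoded X.509 CRL (not text) into an X509_CRL object;` and `*   returns 0L if parsing fails or the d2i_X509_CRL symbol could not be resolved from libcrypto`. The second line reflects what the wrapper in kopenssl.cc does and matters to callers, since a null return from this proxy cannot be told apart from a malformed CRL.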

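--- a/tdeio/kssl/ksslcertificate.cc
+++ b/tdeio/kssl/ksslcertificate.cc
@@ -83,6 +83,7 @@ public:
 	bool m_stateCached;
 	#ifdef KSSL_HAVE_SSL
 		X509 *m_cert;
+		X509_CRL *m_cert_crl;
 	#endif
 	KOSSL *kossl;
 	KSSLCertChain _chain;
@@ -161,6 +162,26 @@ KSSLCertificate *n = NULL;
 return n;
 }
 
+KSSLCertificate *KSSLCertificate::crlFromString(TQCString cert) {
+KSSLCertificate *n = NULL;
+#ifdef KSSL_HAVE_SSL
+	if (cert.length() == 0)
+		return NULL;
+
+	TQByteArray qba, qbb = cert.copy();
+	KCodecs::base64Decode(qbb, qba);
+	unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
+	X509_CRL *x5c = KOSSL::self()->d2i_X509_CRL(NULL, &qbap, qba.size());
+	if (!x5c) {
+		return NULL;
+	}
+
+	n = new KSSLCertificate;
+	n->setCRL(x5c);
+#endif
+return n;
+}
+
 
 
 TQString KSSLCertificate::getSubject() const {
@@ -544,6 +565,17 @@ d->m_stateCached = false;
 d->m_stateCache = KSSLCertificate::Unknown;
 }
 
+void KSSLCertificate::setCRL(X509_CRL *c) {
+#ifdef KSSL_HAVE_SSL
+d->m_cert_crl = c;
+if (c) {
+  	d->_extensions.flags = 0;
+}
+#endif
+d->m_stateCached = false;
+d->m_stateCache = KSSLCertificate::Unknown;
+}
+
 X509 *KSSLCertificate::getCert() {
 #ifdef KSSL_HAVE_SSL
 	return d->m_cert;
@@ -624,7 +656,6 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 	X509_STORE *certStore;
 	X509_LOOKUP *certLookup;
 	X509_STORE_CTX *certStoreCTX;
-	int rc = 0;
 
 	if (!d->m_cert)
 	{
@@ -702,7 +733,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 		KSSL_X509CallBack_ca_found = false;
 
 		certStoreCTX->error = X509_V_OK;
-		rc = d->kossl->X509_verify_cert(certStoreCTX);
+		d->kossl->X509_verify_cert(certStoreCTX);
 		int errcode = certStoreCTX->error;
 		if (ca && !KSSL_X509CallBack_ca_found) {
 			ksslv = KSSLCertificate::Irrelevant;
@@ -717,7 +748,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 						X509_PURPOSE_NS_SSL_SERVER);
 
 			certStoreCTX->error = X509_V_OK;
-			rc = d->kossl->X509_verify_cert(certStoreCTX);
+			d->kossl->X509_verify_cert(certStoreCTX);
 			errcode = certStoreCTX->error;
 			ksslv = processError(errcode);
 		}
@@ -885,6 +916,24 @@ return TQDateTime::currentDateTime();
 }
 
 
+TQDateTime KSSLCertificate::getQDTLastUpdate() const {
+#ifdef KSSL_HAVE_SSL
+return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
+#else
+return TQDateTime::currentDateTime();
+#endif
+}
+
+
+TQDateTime KSSLCertificate::getQDTNextUpdate() const {
+#ifdef KSSL_HAVE_SSL
+return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
+#else
+return TQDateTime::currentDateTime();
+#endif
+}
+
+
 int operator==(KSSLCertificate &x, KSSLCertificate &y) {
 #ifndef KSSL_HAVE_SSL
   return 1;
@@ -1115,7 +1164,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
 		TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
 		if (!s.isEmpty()  &&
 				/* skip subjectAltNames with embedded NULs */
-				s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
+				s.length() == (unsigned int)d->kossl->ASN1_STRING_length(val->d.ia5)) {
 			rc += s;
 		}
 	}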
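Review bot: `getQDTLastUpdate()` and `getQDTNextUpdate()` dereference `d->m_cert_crl` unconditionally, yet the member is only ever assigned by `setCRL()`; on a KSSLCertificate built through `fromString()` or the constructor (neither is in these hunks, and nothing in this commit initialises `m_cert_crl`) the pointer is NULL or uninitialised and `X509_CRL_get_lastUpdate` will fault. Both getters need `if (!d->m_cert_crl) return TQDateTime();` before the return, and `getQDTNextUpdate()` additionally needs to check the result of `X509_CRL_get_nextUpdate()` for NULL, since nextUpdate is optional in a CRL (RFC 5280 §5.1.2.5) and what `ASN1_UTCTIME_QDateTime` does with a NULL is not visible here. Note also that these two accessors are called directly rather than through `d->kossl` like every other libcrypto call in the file, which presumably only compiles because they are field-access macros in the OpenSSL version targeted and will break once `X509_CRL` is opaque. Two further points on `crlFromString()`: the `X509_CRL` it allocates is never freed (no `X509_CRL_free` is added to the proxy in this commit and the destructor is outside these hunks), and it is neither signature-verified nor loaded into the `X509_STORE` used by `validateVerbose()`, so as committed a CRL can be displayed but has no effect on validation — a `// TODO: verify the CRL against its issuer and feed it to X509_STORE (X509_V_FLAG_CRL_CHECK)` at the top of `crlFromString()` would keep this from being mistaken for working revocation checking.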

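--- a/tdeio/kssl/ksslcertificate.h
+++ b/tdeio/kssl/ksslcertificate.h
@@ -57,8 +57,10 @@ class KSSLX509V3;
 
 #ifdef KSSL_HAVE_SSL
 typedef struct x509_st X509;
+typedef struct X509_crl_st X509_CRL;
 #else
 class X509;
+class X509_CRL;
 #endif
 
 /**
@@ -98,6 +100,13 @@ public:
 	static KSSLCertificate *fromString(TQCString cert);
 
 	/**
+	 *  Create an X.509 CRL certificate from a base64 encoded string.
+	 *  @param cert the certificate in base64 form
+	 *  @return the X.509 CRL certificate, or NULL
+	 */
+	static KSSLCertificate *crlFromString(TQCString cert);
+
+	/**
 	 *  Create an X.509 certificate from the internal representation.
 	 *  This one duplicates the X509 object for itself.
 	 *  @param x5 the OpenSSL representation of the certificate
@@ -166,6 +175,18 @@ public:
 	TQDateTime getQDTNotAfter() const;
 
 	/**
+	 *  Get the date that the CRL was generated on.
+	 *  @return the date
+	 */
+	TQDateTime getQDTLastUpdate() const;
+
+	/**
+	 *  Get the date that the CRL must be updated by.
+	 *  @return the date
+	 */
+	TQDateTime getQDTNextUpdate() const;
+
+	/**
 	 *  Convert the certificate to DER (ASN.1) format.
 	 *  @return the binary data of the DER encoding
 	 */
@@ -360,6 +381,7 @@ protected:
 	KSSLCertificate();
 
 	void setCert(X509 *c);
+	void setCRL(X509_CRL *c);
 	void setChain(void *c);
 	X509 *getCert();
 	KSSLValidation processError(int ec);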
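Review bot: The documentation for `crlFromString()` calls the result an "X.509 CRL certificate" and does not say that the returned `KSSLCertificate` carries only a CRL — `setCRL()` in ksslcertificate.cc sets `m_cert_crl` and never `m_cert`, so `validateVerbose()` (which bails on a null `m_cert`) and presumably the other certificate accessors are not meaningful on such an object, and a caller reading this header would not know. I would reword the block to `Create a KSSLCertificate wrapping an X.509 CRL from a base64 (DER) encoded string.`, `@param cert the CRL in base64 form`, `@return a KSSLCertificate holding only the CRL (certificate accessors are not valid on it), or NULL on decode failure`. `getQDTLastUpdate()`/`getQDTNextUpdate()` should likewise state that they are only valid on an object created by `crlFromString()`, and that nextUpdate is optional in a CRL so the second may be absent. A one-line `@note` that the CRL is not signature-verified and is not consulted by validate() in this commit would stop callers from relying on it for revocation.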
