Print this page
8982 Support building with OpenSSL 1.1
*** 3,12 ****
--- 3,13 ----
*
* Use is subject to license terms.
*/
/*
* Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
+ * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
*/
/*
* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2000.
*/
*** 78,88 ****
/* OPENSSL related headers */
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/asn1.h>
#include <openssl/err.h>
- #include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
--- 79,88 ----
*** 89,98 ****
--- 89,99 ----
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/ocsp.h>
#include <openssl/des.h>
#include <openssl/rand.h>
+ #include "compat.h"
#define PRINT_ANY_EXTENSION (\
KMF_X509_EXT_KEY_USAGE |\
KMF_X509_EXT_CERT_POLICIES |\
KMF_X509_EXT_SUBJALTNAME |\
*** 135,144 ****
--- 136,146 ----
#define SET_SYS_ERROR(h, c) h->lasterr.kstype = -1; h->lasterr.errcode = c;
/*
* Declare some new macros for managing stacks of EVP_PKEYS.
*/
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
DECLARE_STACK_OF(EVP_PKEY)
#define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
#define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st))
#define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st))
*** 145,154 ****
--- 147,161 ----
#define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i))
#define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val))
#define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \
(free_func))
+ #else
+ /* LINTED E_STATIC_UNUSED */
+ DEFINE_STACK_OF(EVP_PKEY)
+ #endif
+
mutex_t init_lock = DEFAULTMUTEX;
static int ssl_initialized = 0;
static BIO *bio_err = NULL;
static int
*** 291,300 ****
--- 298,308 ----
NULL, /* SetTokenPin */
OpenSSL_StoreKey,
NULL /* Finalize */
};
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
static mutex_t *lock_cs;
static long *lock_count;
static void
/* ARGSUSED1 */
*** 311,325 ****
--- 319,336 ----
static unsigned long
thread_id()
{
return ((unsigned long)thr_self());
}
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
KMF_PLUGIN_FUNCLIST *
KMF_Plugin_Initialize()
{
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
int i;
+ #endif
(void) mutex_lock(&init_lock);
if (!ssl_initialized) {
/*
* Add support for extension OIDs that are not yet in the
*** 333,344 ****
--- 344,358 ----
"X509v3 Policy Constraints");
(void) OBJ_create("2.5.29.46", "freshestCRL",
"X509v3 Freshest CRL");
(void) OBJ_create("2.5.29.54", "inhibitAnyPolicy",
"X509v3 Inhibit Any-Policy");
+
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
/*
* Set up for thread-safe operation.
+ * This is not required for OpenSSL 1.1
*/
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (mutex_t));
if (lock_cs == NULL) {
(void) mutex_unlock(&init_lock);
return (NULL);
*** 358,378 ****
CRYPTO_set_id_callback((unsigned long (*)())thread_id);
if (CRYPTO_get_locking_callback() == NULL)
CRYPTO_set_locking_callback((void (*)())locking_cb);
! OpenSSL_add_all_algorithms();
/* Enable error strings for reporting */
! ERR_load_crypto_strings();
ssl_initialized = 1;
}
(void) mutex_unlock(&init_lock);
return (&openssl_plugin_table);
}
/*
* Convert an SSL DN to a KMF DN.
*/
static KMF_RETURN
get_x509_dn(X509_NAME *sslDN, KMF_X509_NAME *kmfDN)
--- 372,394 ----
CRYPTO_set_id_callback((unsigned long (*)())thread_id);
if (CRYPTO_get_locking_callback() == NULL)
CRYPTO_set_locking_callback((void (*)())locking_cb);
! (void) OpenSSL_add_all_algorithms();
/* Enable error strings for reporting */
! (void) ERR_load_crypto_strings();
! #endif
ssl_initialized = 1;
}
(void) mutex_unlock(&init_lock);
return (&openssl_plugin_table);
}
+
/*
* Convert an SSL DN to a KMF DN.
*/
static KMF_RETURN
get_x509_dn(X509_NAME *sslDN, KMF_X509_NAME *kmfDN)
*** 483,493 ****
if (issuer != NULL && strlen(issuer)) {
rv = kmf_dn_parser(issuer, &issuerDN);
if (rv != KMF_OK)
return (KMF_ERR_BAD_PARAMETER);
! rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN);
if (rv != KMF_OK) {
kmf_free_dn(&issuerDN);
return (KMF_ERR_BAD_PARAMETER);
}
--- 499,509 ----
if (issuer != NULL && strlen(issuer)) {
rv = kmf_dn_parser(issuer, &issuerDN);
if (rv != KMF_OK)
return (KMF_ERR_BAD_PARAMETER);
! rv = get_x509_dn(X509_get_issuer_name(xcert), &certIssuerDN);
if (rv != KMF_OK) {
kmf_free_dn(&issuerDN);
return (KMF_ERR_BAD_PARAMETER);
}
*** 498,508 ****
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
! rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN);
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
findSubject = TRUE;
--- 514,524 ----
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
! rv = get_x509_dn(X509_get_subject_name(xcert), &certSubjectDN);
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
findSubject = TRUE;
*** 512,522 ****
if (findSerial) {
BIGNUM *bn;
/* Comparing BIGNUMs is a pain! */
! bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL);
if (bn != NULL) {
int bnlen = BN_num_bytes(bn);
if (bnlen == serial->len) {
uchar_t *a = malloc(bnlen);
--- 528,538 ----
if (findSerial) {
BIGNUM *bn;
/* Comparing BIGNUMs is a pain! */
! bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(xcert), NULL);
if (bn != NULL) {
int bnlen = BN_num_bytes(bn);
if (bnlen == serial->len) {
uchar_t *a = malloc(bnlen);
*** 1418,1462 ****
switch (format) {
case KMF_FORMAT_RAWKEY:
/* same as ASN.1 */
case KMF_FORMAT_ASN1:
! if (pkey->type == EVP_PKEY_RSA) {
! rsa = EVP_PKEY_get1_RSA(pkey);
if (private)
rv = i2d_RSAPrivateKey_bio(out, rsa);
else
rv = i2d_RSAPublicKey_bio(out, rsa);
! RSA_free(rsa);
! } else if (pkey->type == EVP_PKEY_DSA) {
! dsa = EVP_PKEY_get1_DSA(pkey);
rv = i2d_DSAPrivateKey_bio(out, dsa);
- DSA_free(dsa);
}
if (rv == 1) {
rv = KMF_OK;
} else {
SET_ERROR(kmfh, rv);
}
break;
case KMF_FORMAT_PEM:
! if (pkey->type == EVP_PKEY_RSA) {
! rsa = EVP_PKEY_get1_RSA(pkey);
if (private)
rv = PEM_write_bio_RSAPrivateKey(out,
rsa, NULL, NULL, 0, NULL,
(cred != NULL ? cred->cred : NULL));
else
rv = PEM_write_bio_RSAPublicKey(out,
rsa);
! RSA_free(rsa);
! } else if (pkey->type == EVP_PKEY_DSA) {
! dsa = EVP_PKEY_get1_DSA(pkey);
rv = PEM_write_bio_DSAPrivateKey(out,
dsa, NULL, NULL, 0, NULL,
(cred != NULL ? cred->cred : NULL));
- DSA_free(dsa);
}
if (rv == 1) {
rv = KMF_OK;
} else {
--- 1434,1470 ----
switch (format) {
case KMF_FORMAT_RAWKEY:
/* same as ASN.1 */
case KMF_FORMAT_ASN1:
! if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
if (private)
rv = i2d_RSAPrivateKey_bio(out, rsa);
else
rv = i2d_RSAPublicKey_bio(out, rsa);
! } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
rv = i2d_DSAPrivateKey_bio(out, dsa);
}
if (rv == 1) {
rv = KMF_OK;
} else {
SET_ERROR(kmfh, rv);
}
break;
case KMF_FORMAT_PEM:
! if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
if (private)
rv = PEM_write_bio_RSAPrivateKey(out,
rsa, NULL, NULL, 0, NULL,
(cred != NULL ? cred->cred : NULL));
else
rv = PEM_write_bio_RSAPublicKey(out,
rsa);
! } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
rv = PEM_write_bio_DSAPrivateKey(out,
dsa, NULL, NULL, 0, NULL,
(cred != NULL ? cred->cred : NULL));
}
if (rv == 1) {
rv = KMF_OK;
} else {
*** 1475,1485 ****
OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr,
KMF_ATTRIBUTE *attrlist)
{
KMF_RETURN rv = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
! uint32_t eValue = 0x010001;
RSA *sslPrivKey = NULL;
DSA *sslDSAKey = NULL;
EVP_PKEY *eprikey = NULL;
EVP_PKEY *epubkey = NULL;
BIO *out = NULL;
--- 1483,1494 ----
OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr,
KMF_ATTRIBUTE *attrlist)
{
KMF_RETURN rv = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
! uint32_t eValue = RSA_F4;
! BIGNUM *eValue_bn = NULL;
RSA *sslPrivKey = NULL;
DSA *sslDSAKey = NULL;
EVP_PKEY *eprikey = NULL;
EVP_PKEY *epubkey = NULL;
BIO *out = NULL;
*** 1487,1496 ****
--- 1496,1513 ----
uint32_t keylen = 1024;
uint32_t keylen_size = sizeof (uint32_t);
boolean_t storekey = TRUE;
KMF_KEY_ALG keytype = KMF_RSA;
+ eValue_bn = BN_new();
+ if (eValue_bn == NULL)
+ return (KMF_ERR_MEMORY);
+ if (BN_set_word(eValue_bn, eValue) == 0) {
+ rv = KMF_ERR_KEYGEN_FAILED;
+ goto cleanup;
+ }
+
rv = kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr,
&storekey, NULL);
if (rv != KMF_OK) {
/* "storekey" is optional. Default is TRUE */
rv = KMF_OK;
*** 1501,1516 ****
if (rv != KMF_OK)
/* keytype is optional. KMF_RSA is default */
rv = KMF_OK;
pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
! if (pubkey == NULL)
! return (KMF_ERR_BAD_PARAMETER);
privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
! if (privkey == NULL)
! return (KMF_ERR_BAD_PARAMETER);
(void) memset(pubkey, 0, sizeof (KMF_KEY_HANDLE));
(void) memset(privkey, 0, sizeof (KMF_KEY_HANDLE));
eprikey = EVP_PKEY_new();
--- 1518,1537 ----
if (rv != KMF_OK)
/* keytype is optional. KMF_RSA is default */
rv = KMF_OK;
pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
! if (pubkey == NULL) {
! rv = KMF_ERR_BAD_PARAMETER;
! goto cleanup;
! }
privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
! if (privkey == NULL) {
! rv = KMF_ERR_BAD_PARAMETER;
! goto cleanup;
! }
(void) memset(pubkey, 0, sizeof (KMF_KEY_HANDLE));
(void) memset(privkey, 0, sizeof (KMF_KEY_HANDLE));
eprikey = EVP_PKEY_new();
*** 1533,1542 ****
--- 1554,1567 ----
if (rsaexp->len > 0 &&
rsaexp->len <= sizeof (eValue) &&
rsaexp->val != NULL) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
eValue = *(uint32_t *)rsaexp->val;
+ if (BN_set_word(eValue_bn, eValue) == 0) {
+ rv = KMF_ERR_BAD_PARAMETER;
+ goto cleanup;
+ }
} else {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
} else {
*** 1552,1563 ****
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
! sslPrivKey = RSA_generate_key(keylen, eValue, NULL, NULL);
! if (sslPrivKey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
} else {
(void) EVP_PKEY_set1_RSA(eprikey, sslPrivKey);
privkey->kstype = KMF_KEYSTORE_OPENSSL;
--- 1577,1590 ----
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
! sslPrivKey = RSA_new();
! if (sslPrivKey == NULL ||
! RSA_generate_key_ex(sslPrivKey, keylen, eValue_bn, NULL)
! == 0) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
} else {
(void) EVP_PKEY_set1_RSA(eprikey, sslPrivKey);
privkey->kstype = KMF_KEYSTORE_OPENSSL;
*** 1573,1607 ****
pubkey->israw = FALSE;
pubkey->keyclass = KMF_ASYM_PUB;
pubkey->keyp = (void *)epubkey;
}
} else if (keytype == KMF_DSA) {
! DSA *dp;
sslDSAKey = DSA_new();
if (sslDSAKey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
return (KMF_ERR_MEMORY);
}
! if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) ==
! NULL) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
! if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) ==
! NULL) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
- if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) ==
- NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_KEYGEN_FAILED;
- goto cleanup;
- }
if (!DSA_generate_key(sslDSAKey)) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
--- 1600,1634 ----
pubkey->israw = FALSE;
pubkey->keyclass = KMF_ASYM_PUB;
pubkey->keyp = (void *)epubkey;
}
} else if (keytype == KMF_DSA) {
! BIGNUM *p, *q, *g;
!
sslDSAKey = DSA_new();
if (sslDSAKey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
return (KMF_ERR_MEMORY);
}
! p = BN_bin2bn(P, sizeof (P), NULL);
! q = BN_bin2bn(Q, sizeof (Q), NULL);
! g = BN_bin2bn(G, sizeof (G), NULL);
! if (p == NULL || q == NULL || g == NULL) {
! BN_free(p);
! BN_free(q);
! BN_free(g);
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
!
! if (DSA_set0_pqg(sslDSAKey, p, q, g) == 0) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
if (!DSA_generate_key(sslDSAKey)) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
*** 1616,1662 ****
} else {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
- dp = DSA_new();
- /* Make a copy for the public key */
- if (dp != NULL) {
- if ((dp->p = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- DSA_free(dp);
- goto cleanup;
- }
- if ((dp->q = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- BN_free(dp->p);
- DSA_free(dp);
- goto cleanup;
- }
- if ((dp->g = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- BN_free(dp->q);
- BN_free(dp->p);
- DSA_free(dp);
- goto cleanup;
- }
- if ((dp->pub_key = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- BN_free(dp->q);
- BN_free(dp->p);
- BN_free(dp->g);
- DSA_free(dp);
- goto cleanup;
- }
- (void) BN_copy(dp->p, sslDSAKey->p);
- (void) BN_copy(dp->q, sslDSAKey->q);
- (void) BN_copy(dp->g, sslDSAKey->g);
- (void) BN_copy(dp->pub_key, sslDSAKey->pub_key);
pubkey->kstype = KMF_KEYSTORE_OPENSSL;
pubkey->keyalg = KMF_DSA;
pubkey->keyclass = KMF_ASYM_PUB;
pubkey->israw = FALSE;
--- 1643,1652 ----
*** 1667,1677 ****
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
}
- }
if (rv != KMF_OK) {
goto cleanup;
}
--- 1657,1666 ----
*** 1717,1726 ****
--- 1706,1718 ----
rv = OpenSSL_StoreKey(handle, i, storeattrs);
}
cleanup:
+ if (eValue_bn != NULL)
+ BN_free(eValue_bn);
+
if (rv != KMF_OK) {
if (eprikey != NULL)
EVP_PKEY_free(eprikey);
if (epubkey != NULL)
*** 1757,1767 ****
* bytes. If not, signature verification for DSA signatures
* may fail in the case where the bignum value does not use
* all of the bits.
*/
static int
! fixbnlen(BIGNUM *bn, unsigned char *buf, int len) {
int bytes = len - BN_num_bytes(bn);
/* prepend with leading 0x00 if necessary */
while (bytes-- > 0)
*buf++ = 0;
--- 1749,1759 ----
* bytes. If not, signature verification for DSA signatures
* may fail in the case where the bignum value does not use
* all of the bits.
*/
static int
! fixbnlen(const BIGNUM *bn, unsigned char *buf, int len) {
int bytes = len - BN_num_bytes(bn);
/* prepend with leading 0x00 if necessary */
while (bytes-- > 0)
*buf++ = 0;
*** 1779,1789 ****
KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
{
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
KMF_ALGORITHM_INDEX AlgId;
! EVP_MD_CTX ctx;
const EVP_MD *md;
if (key == NULL || AlgOID == NULL ||
tobesigned == NULL || output == NULL ||
tobesigned->Data == NULL ||
--- 1771,1781 ----
KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
{
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
KMF_ALGORITHM_INDEX AlgId;
! EVP_MD_CTX *ctx;
const EVP_MD *md;
if (key == NULL || AlgOID == NULL ||
tobesigned == NULL || output == NULL ||
tobesigned->Data == NULL ||
*** 1824,1846 ****
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_INTERNAL;
}
output->Length = len;
} else {
! (void) EVP_MD_CTX_init(&ctx);
! (void) EVP_SignInit_ex(&ctx, md, NULL);
! (void) EVP_SignUpdate(&ctx, tobesigned->Data,
(uint32_t)tobesigned->Length);
len = (uint32_t)output->Length;
p = output->Data;
! if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) {
SET_ERROR(kmfh, ERR_get_error());
len = 0;
ret = KMF_ERR_INTERNAL;
}
output->Length = len;
! (void) EVP_MD_CTX_cleanup(&ctx);
}
} else if (key->keyalg == KMF_DSA) {
DSA *dsa = EVP_PKEY_get1_DSA(key->keyp);
uchar_t hash[EVP_MAX_MD_SIZE];
--- 1816,1839 ----
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_INTERNAL;
}
output->Length = len;
} else {
! if ((ctx = EVP_MD_CTX_new()) == NULL)
! return (KMF_ERR_MEMORY);
! (void) EVP_SignInit_ex(ctx, md, NULL);
! (void) EVP_SignUpdate(ctx, tobesigned->Data,
(uint32_t)tobesigned->Length);
len = (uint32_t)output->Length;
p = output->Data;
! if (!EVP_SignFinal(ctx, p, (uint32_t *)&len, pkey)) {
SET_ERROR(kmfh, ERR_get_error());
len = 0;
ret = KMF_ERR_INTERNAL;
}
output->Length = len;
! EVP_MD_CTX_free(ctx);
}
} else if (key->keyalg == KMF_DSA) {
DSA *dsa = EVP_PKEY_get1_DSA(key->keyp);
uchar_t hash[EVP_MAX_MD_SIZE];
*** 1861,1893 ****
* are assured of NOT getting ASN.1 output returned.
* KMF does not want ASN.1 encoded results because
* not all mechanisms return ASN.1 encodings (PKCS#11
* and NSS return raw signature data).
*/
! EVP_MD_CTX_init(&ctx);
! (void) EVP_DigestInit_ex(&ctx, md, NULL);
! (void) EVP_DigestUpdate(&ctx, tobesigned->Data,
tobesigned->Length);
! (void) EVP_DigestFinal_ex(&ctx, hash, &hashlen);
/* Only sign first 20 bytes for SHA2 */
if (AlgId == KMF_ALGID_SHA256WithDSA)
hashlen = 20;
dsasig = DSA_do_sign(hash, hashlen, dsa);
if (dsasig != NULL) {
int i;
! output->Length = i = fixbnlen(dsasig->r, output->Data,
hashlen);
! output->Length += fixbnlen(dsasig->s, &output->Data[i],
hashlen);
DSA_SIG_free(dsasig);
} else {
SET_ERROR(kmfh, ERR_get_error());
}
! (void) EVP_MD_CTX_cleanup(&ctx);
} else {
return (KMF_ERR_BAD_PARAMETER);
}
cleanup:
return (ret);
--- 1854,1890 ----
* are assured of NOT getting ASN.1 output returned.
* KMF does not want ASN.1 encoded results because
* not all mechanisms return ASN.1 encodings (PKCS#11
* and NSS return raw signature data).
*/
! if ((ctx = EVP_MD_CTX_new()) == NULL)
! return (KMF_ERR_MEMORY);
! (void) EVP_DigestInit_ex(ctx, md, NULL);
! (void) EVP_DigestUpdate(ctx, tobesigned->Data,
tobesigned->Length);
! (void) EVP_DigestFinal_ex(ctx, hash, &hashlen);
/* Only sign first 20 bytes for SHA2 */
if (AlgId == KMF_ALGID_SHA256WithDSA)
hashlen = 20;
dsasig = DSA_do_sign(hash, hashlen, dsa);
if (dsasig != NULL) {
int i;
! const BIGNUM *r, *s;
!
! DSA_SIG_get0(dsasig, &r, &s);
! output->Length = i = fixbnlen(r, output->Data,
hashlen);
! output->Length += fixbnlen(s, &output->Data[i],
hashlen);
DSA_SIG_free(dsasig);
} else {
SET_ERROR(kmfh, ERR_get_error());
}
! EVP_MD_CTX_free(ctx);
} else {
return (KMF_ERR_BAD_PARAMETER);
}
cleanup:
return (ret);
*** 2021,2041 ****
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
X509 *xcert = NULL;
unsigned char *outbuf = NULL;
unsigned char *outbuf_p;
- char *tmpstr = NULL;
int j;
int ext_index, nid, len;
BIO *mem = NULL;
- #if OPENSSL_VERSION_NUMBER < 0x10000000L
- STACK *emlst = NULL;
- #else
STACK_OF(OPENSSL_STRING) *emlst = NULL;
- #endif
X509_EXTENSION *ex;
- X509_CINF *ci;
if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) {
return (KMF_ERR_BAD_PARAMETER);
}
--- 2018,2032 ----
*** 2073,2085 ****
XN_FLAG_SEP_CPLUS_SPC);
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_VERSION:
! tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version);
! (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN);
! OPENSSL_free(tmpstr);
len = strlen(resultStr);
break;
case KMF_CERT_SERIALNUM:
if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
--- 2064,2075 ----
XN_FLAG_SEP_CPLUS_SPC);
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_VERSION:
! (void) snprintf(resultStr, KMF_CERT_PRINTABLE_LEN,
! "%ld", X509_get_version(xcert));
len = strlen(resultStr);
break;
case KMF_CERT_SERIALNUM:
if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
*** 2088,2124 ****
KMF_CERT_PRINTABLE_LEN - 2);
}
break;
case KMF_CERT_NOTBEFORE:
! (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_NOTAFTER:
! (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_PUBKEY_DATA:
{
EVP_PKEY *pkey = X509_get_pubkey(xcert);
if (pkey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_ENCODING;
goto out;
}
! if (pkey->type == EVP_PKEY_RSA) {
(void) BIO_printf(mem,
"RSA Public Key: (%d bit)\n",
! BN_num_bits(pkey->pkey.rsa->n));
! (void) RSA_print(mem, pkey->pkey.rsa, 0);
! } else if (pkey->type == EVP_PKEY_DSA) {
(void) BIO_printf(mem,
"%12sDSA Public Key:\n", "");
! (void) DSA_print(mem, pkey->pkey.dsa, 0);
} else {
(void) BIO_printf(mem,
"%12sUnknown Public Key:\n", "");
}
(void) BIO_printf(mem, "\n");
--- 2078,2118 ----
KMF_CERT_PRINTABLE_LEN - 2);
}
break;
case KMF_CERT_NOTBEFORE:
! (void) ASN1_TIME_print(mem, X509_getm_notBefore(xcert));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_NOTAFTER:
! (void) ASN1_TIME_print(mem, X509_getm_notAfter(xcert));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_PUBKEY_DATA:
{
+ RSA *rsa;
+ DSA *dsa;
+
EVP_PKEY *pkey = X509_get_pubkey(xcert);
if (pkey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_ENCODING;
goto out;
}
! if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
(void) BIO_printf(mem,
"RSA Public Key: (%d bit)\n",
! RSA_bits(rsa));
! (void) RSA_print(mem, rsa, 0);
!
! } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
(void) BIO_printf(mem,
"%12sDSA Public Key:\n", "");
! (void) DSA_print(mem, dsa, 0);
} else {
(void) BIO_printf(mem,
"%12sUnknown Public Key:\n", "");
}
(void) BIO_printf(mem, "\n");
*** 2126,2159 ****
}
len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_SIGNATURE_ALG:
case KMF_CERT_PUBKEY_ALG:
if (flag == KMF_CERT_SIGNATURE_ALG) {
! len = i2a_ASN1_OBJECT(mem,
! xcert->sig_alg->algorithm);
} else {
! len = i2a_ASN1_OBJECT(mem,
! xcert->cert_info->key->algor->algorithm);
}
! if (len > 0) {
len = BIO_read(mem, resultStr,
KMF_CERT_PRINTABLE_LEN);
}
break;
case KMF_CERT_EMAIL:
emlst = X509_get1_email(xcert);
- #if OPENSSL_VERSION_NUMBER < 0x10000000L
- for (j = 0; j < sk_num(emlst); j++)
- (void) BIO_printf(mem, "%s\n", sk_value(emlst, j));
- #else
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
(void) BIO_printf(mem, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
- #endif
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
X509_email_free(emlst);
break;
case KMF_X509_EXT_ISSUER_ALTNAME:
--- 2120,2173 ----
}
len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_SIGNATURE_ALG:
case KMF_CERT_PUBKEY_ALG:
+ {
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ASN1_OBJECT *alg = NULL;
+ #else
+ const ASN1_OBJECT *alg = NULL;
+ #endif
+
if (flag == KMF_CERT_SIGNATURE_ALG) {
! #if OPENSSL_VERSION_NUMBER < 0x10100000L
! alg = xcert->sig_alg->algorithm;
! #else
! const X509_ALGOR *sig_alg = NULL;
!
! X509_get0_signature(NULL, &sig_alg, xcert);
! if (sig_alg != NULL)
! X509_ALGOR_get0(&alg, NULL, NULL,
! sig_alg);
! #endif
} else {
! #if OPENSSL_VERSION_NUMBER < 0x10100000L
! alg = xcert->cert_info->key->algor->algorithm;
! #else
! X509_PUBKEY *key = X509_get_X509_PUBKEY(xcert);
!
! if (key != NULL)
! (void) X509_PUBKEY_get0_param(
! (ASN1_OBJECT **)&alg, NULL, 0,
! NULL, key);
! #endif
}
! if (alg == NULL)
! len = -1;
! else if ((len = i2a_ASN1_OBJECT(mem, alg)) > 0)
len = BIO_read(mem, resultStr,
KMF_CERT_PRINTABLE_LEN);
}
break;
case KMF_CERT_EMAIL:
emlst = X509_get1_email(xcert);
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
(void) BIO_printf(mem, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
X509_email_free(emlst);
break;
case KMF_X509_EXT_ISSUER_ALTNAME:
*** 2174,2193 ****
nid = ext2NID(flag);
if (nid == NID_undef) {
ret = KMF_ERR_EXTENSION_NOT_FOUND;
goto out;
}
- ci = xcert->cert_info;
! ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1);
if (ext_index == -1) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_EXTENSION_NOT_FOUND;
goto out;
}
! ex = X509v3_get_ext(ci->extensions, ext_index);
(void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
if (BIO_printf(mem, ": %s\n",
X509_EXTENSION_get_critical(ex) ? "critical" : "") <= 0) {
--- 2188,2206 ----
nid = ext2NID(flag);
if (nid == NID_undef) {
ret = KMF_ERR_EXTENSION_NOT_FOUND;
goto out;
}
! ext_index = X509_get_ext_by_NID(xcert, nid, -1);
if (ext_index == -1) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_EXTENSION_NOT_FOUND;
goto out;
}
! ex = X509_get_ext(xcert, ext_index);
(void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
if (BIO_printf(mem, ": %s\n",
X509_EXTENSION_get_critical(ex) ? "critical" : "") <= 0) {
*** 2195,2205 ****
ret = KMF_ERR_ENCODING;
goto out;
}
if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
(void) BIO_printf(mem, "%*s", 4, "");
! (void) M_ASN1_OCTET_STRING_print(mem, ex->value);
}
if (BIO_write(mem, "\n", 1) <= 0) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_ENCODING;
goto out;
--- 2208,2219 ----
ret = KMF_ERR_ENCODING;
goto out;
}
if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
(void) BIO_printf(mem, "%*s", 4, "");
! (void) ASN1_STRING_print(mem,
! X509_EXTENSION_get_data(ex));
}
if (BIO_write(mem, "\n", 1) <= 0) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_ENCODING;
goto out;
*** 2476,2501 ****
return (ret);
}
/* ocsp_find_signer_sk() is copied from openssl source */
! static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
{
int i;
unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
! /* Easy if lookup by name */
if (id->type == V_OCSP_RESPID_NAME)
return (X509_find_by_subject(certs, id->value.byName));
/* Lookup by key hash */
/* If key hash isn't SHA1 length then forget it */
! if (id->value.byKey->length != SHA_DIGEST_LENGTH)
return (NULL);
! keyhash = id->value.byKey->data;
/* Calculate hash of each key and compare */
for (i = 0; i < sk_X509_num(certs); i++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
X509 *x = sk_X509_value(certs, i);
/* Use pubkey_digest to get the key ID value */
--- 2490,2529 ----
return (ret);
}
/* ocsp_find_signer_sk() is copied from openssl source */
! static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_BASICRESP *bs)
{
int i;
unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+ const ASN1_OCTET_STRING *pid;
! #if OPENSSL_VERSION_NUMBER < 0x10100000L
! OCSP_RESPID *id = bs->tbsResponseData->responderId;
!
if (id->type == V_OCSP_RESPID_NAME)
return (X509_find_by_subject(certs, id->value.byName));
+ pid = id->value.byKey;
+ #else
+ const X509_NAME *pname;
+
+ if (OCSP_resp_get0_id(bs, &pid, &pname) == 0)
+ return (NULL);
+
+ if (pname != NULL)
+ return (X509_find_by_subject(certs, (X509_NAME *)pname));
+ #endif
+
/* Lookup by key hash */
/* If key hash isn't SHA1 length then forget it */
! if (pid->length != SHA_DIGEST_LENGTH)
return (NULL);
! keyhash = pid->data;
/* Calculate hash of each key and compare */
for (i = 0; i < sk_X509_num(certs); i++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
X509 *x = sk_X509_value(certs, i);
/* Use pubkey_digest to get the key ID value */
*** 2511,2527 ****
static int
ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags)
{
X509 *signer;
! OCSP_RESPID *rid = bs->tbsResponseData->responderId;
! if ((signer = ocsp_find_signer_sk(certs, rid))) {
*psigner = signer;
return (2);
}
if (!(flags & OCSP_NOINTERN) &&
! (signer = ocsp_find_signer_sk(bs->certs, rid))) {
*psigner = signer;
return (1);
}
/* Maybe lookup from store if by subject name */
--- 2539,2556 ----
static int
ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags)
{
X509 *signer;
! if ((signer = ocsp_find_signer_sk(certs, bs))) {
*psigner = signer;
return (2);
}
+
if (!(flags & OCSP_NOINTERN) &&
! (signer = ocsp_find_signer_sk(
! (STACK_OF(X509) *)OCSP_resp_get0_certs(bs), bs))) {
*psigner = signer;
return (1);
}
/* Maybe lookup from store if by subject name */
*** 2540,2553 ****
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
STACK_OF(X509) *cert_stack = NULL;
X509 *signer = NULL;
X509 *issuer = NULL;
EVP_PKEY *skey = NULL;
unsigned char *ptmp;
-
if (bs == NULL || issuer_cert == NULL)
return (KMF_ERR_BAD_PARAMETER);
/*
* Find the certificate that signed the basic response.
--- 2569,2585 ----
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
STACK_OF(X509) *cert_stack = NULL;
X509 *signer = NULL;
X509 *issuer = NULL;
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_PKEY *skey = NULL;
+ #else
+ STACK_OF(X509) *cert_stack2 = NULL;
+ #endif
unsigned char *ptmp;
if (bs == NULL || issuer_cert == NULL)
return (KMF_ERR_BAD_PARAMETER);
/*
* Find the certificate that signed the basic response.
*** 2597,2613 ****
--- 2629,2665 ----
goto end;
}
}
/* Verify the signature of the response */
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
skey = X509_get_pubkey(signer);
if (skey == NULL) {
ret = KMF_ERR_OCSP_BAD_SIGNER;
goto end;
}
ret = OCSP_BASICRESP_verify(bs, skey, 0);
+ #else
+ /*
+ * Technique based on
+ * https://mta.openssl.org/pipermail/openssl-users/
+ * 2017-October/006814.html
+ */
+ if ((cert_stack2 = sk_X509_new_null()) == NULL) {
+ ret = KMF_ERR_INTERNAL;
+ goto end;
+ }
+
+ if (sk_X509_push(cert_stack2, signer) == NULL) {
+ ret = KMF_ERR_INTERNAL;
+ goto end;
+ }
+
+ ret = OCSP_basic_verify(bs, cert_stack2, NULL, OCSP_NOVERIFY);
+ #endif
+
if (ret == 0) {
ret = KMF_ERR_OCSP_RESPONSE_SIGNATURE;
goto end;
}
*** 2618,2640 ****
if (signer != NULL) {
X509_free(signer);
}
if (skey != NULL) {
EVP_PKEY_free(skey);
}
if (cert_stack != NULL) {
sk_X509_free(cert_stack);
}
return (ret);
}
-
-
KMF_RETURN
OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle,
int numattr, KMF_ATTRIBUTE *attrlist)
{
KMF_RETURN ret = KMF_OK;
--- 2670,2696 ----
if (signer != NULL) {
X509_free(signer);
}
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
if (skey != NULL) {
EVP_PKEY_free(skey);
}
+ #else
+ if (cert_stack2 != NULL) {
+ sk_X509_free(cert_stack2);
+ }
+ #endif
if (cert_stack != NULL) {
sk_X509_free(cert_stack);
}
return (ret);
}
KMF_RETURN
OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle,
int numattr, KMF_ATTRIBUTE *attrlist)
{
KMF_RETURN ret = KMF_OK;
*** 2819,2831 ****
pkey = openssl_load_key(handle, path);
if (pkey == NULL) {
return (KMF_ERR_KEY_NOT_FOUND);
}
if (key != NULL) {
! if (pkey->type == EVP_PKEY_RSA)
key->keyalg = KMF_RSA;
! else if (pkey->type == EVP_PKEY_DSA)
key->keyalg = KMF_DSA;
key->kstype = KMF_KEYSTORE_OPENSSL;
key->keyclass = keyclass;
key->keyp = (void *)pkey;
--- 2875,2887 ----
pkey = openssl_load_key(handle, path);
if (pkey == NULL) {
return (KMF_ERR_KEY_NOT_FOUND);
}
if (key != NULL) {
! if (EVP_PKEY_get0_RSA(pkey) != NULL)
key->keyalg = KMF_RSA;
! else if (EVP_PKEY_get0_DSA(pkey) != NULL)
key->keyalg = KMF_DSA;
key->kstype = KMF_KEYSTORE_OPENSSL;
key->keyclass = keyclass;
key->keyp = (void *)pkey;
*** 3018,3032 ****
}
static int
add_alias_to_bag(PKCS12_SAFEBAG *bag, X509 *xcert)
{
! if (xcert != NULL && xcert->aux != NULL &&
! xcert->aux->alias != NULL) {
if (PKCS12_add_friendlyname_asc(bag,
! (const char *)xcert->aux->alias->data,
! xcert->aux->alias->length) == 0)
return (0);
}
return (1);
}
--- 3074,3089 ----
}
static int
add_alias_to_bag(PKCS12_SAFEBAG *bag, X509 *xcert)
{
! unsigned char *alias;
! int len;
!
! if (xcert != NULL && (alias = X509_alias_get0(xcert, &len)) != NULL) {
if (PKCS12_add_friendlyname_asc(bag,
! (const char *)alias, len) == 0)
return (0);
}
return (1);
}
*** 3041,3051 ****
bag_stack = sk_PKCS12_SAFEBAG_new_null();
if (bag_stack == NULL)
return (NULL);
/* Convert cert from X509 struct to PKCS#12 bag */
! bag = PKCS12_x5092certbag(sslcert);
if (bag == NULL) {
goto out;
}
/* Add the key id to the certificate bag. */
--- 3098,3108 ----
bag_stack = sk_PKCS12_SAFEBAG_new_null();
if (bag_stack == NULL)
return (NULL);
/* Convert cert from X509 struct to PKCS#12 bag */
! bag = PKCS12_SAFEBAG_create_cert(sslcert);
if (bag == NULL) {
goto out;
}
/* Add the key id to the certificate bag. */
*** 3086,3096 ****
p8 = EVP_PKEY2PKCS8(pkey);
if (p8 == NULL) {
return (NULL);
}
/* Put the shrouded key into a PKCS#12 bag. */
! bag = PKCS12_MAKE_SHKEYBAG(
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
cred->cred, cred->credlen,
NULL, 0, PKCS12_DEFAULT_ITER, p8);
/* Clean up the PKCS#8 shrouded key, don't need it now. */
--- 3143,3153 ----
p8 = EVP_PKEY2PKCS8(pkey);
if (p8 == NULL) {
return (NULL);
}
/* Put the shrouded key into a PKCS#12 bag. */
! bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
cred->cred, cred->credlen,
NULL, 0, PKCS12_DEFAULT_ITER, p8);
/* Clean up the PKCS#8 shrouded key, don't need it now. */
*** 3126,3225 ****
static EVP_PKEY *
ImportRawRSAKey(KMF_RAW_RSA_KEY *key)
{
RSA *rsa = NULL;
EVP_PKEY *newkey = NULL;
if ((rsa = RSA_new()) == NULL)
! return (NULL);
! if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL)
! return (NULL);
! if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) ==
! NULL)
! return (NULL);
! if (key->priexp.val != NULL)
! if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len,
! rsa->d)) == NULL)
! return (NULL);
! if (key->prime1.val != NULL)
! if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len,
! rsa->p)) == NULL)
! return (NULL);
! if (key->prime2.val != NULL)
! if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len,
! rsa->q)) == NULL)
! return (NULL);
! if (key->exp1.val != NULL)
! if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len,
! rsa->dmp1)) == NULL)
! return (NULL);
! if (key->exp2.val != NULL)
! if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len,
! rsa->dmq1)) == NULL)
! return (NULL);
! if (key->coef.val != NULL)
! if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len,
! rsa->iqmp)) == NULL)
! return (NULL);
if ((newkey = EVP_PKEY_new()) == NULL)
! return (NULL);
(void) EVP_PKEY_set1_RSA(newkey, rsa);
/* The original key must be freed once here or it leaks memory */
RSA_free(rsa);
return (newkey);
}
static EVP_PKEY *
ImportRawDSAKey(KMF_RAW_DSA_KEY *key)
{
DSA *dsa = NULL;
EVP_PKEY *newkey = NULL;
if ((dsa = DSA_new()) == NULL)
! return (NULL);
! if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len,
! dsa->p)) == NULL)
! return (NULL);
! if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len,
! dsa->q)) == NULL)
! return (NULL);
! if ((dsa->g = BN_bin2bn(key->base.val, key->base.len,
! dsa->g)) == NULL)
! return (NULL);
! if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len,
! dsa->priv_key)) == NULL)
! return (NULL);
! if (key->pubvalue.val != NULL) {
! if ((dsa->pub_key = BN_bin2bn(key->pubvalue.val,
! key->pubvalue.len, dsa->pub_key)) == NULL)
! return (NULL);
! }
if ((newkey = EVP_PKEY_new()) == NULL)
! return (NULL);
(void) EVP_PKEY_set1_DSA(newkey, dsa);
/* The original key must be freed once here or it leaks memory */
DSA_free(dsa);
return (newkey);
}
static EVP_PKEY *
raw_key_to_pkey(KMF_KEY_HANDLE *key)
--- 3183,3310 ----
static EVP_PKEY *
ImportRawRSAKey(KMF_RAW_RSA_KEY *key)
{
RSA *rsa = NULL;
EVP_PKEY *newkey = NULL;
+ BIGNUM *n = NULL, *e = NULL, *d = NULL,
+ *p = NULL, *q = NULL,
+ *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
if ((rsa = RSA_new()) == NULL)
! goto cleanup;
! if ((n = BN_bin2bn(key->mod.val, key->mod.len, NULL)) == NULL)
! goto cleanup;
! if ((e = BN_bin2bn(key->pubexp.val, key->pubexp.len, NULL)) == NULL)
! goto cleanup;
! if (key->priexp.val != NULL &&
! (d = BN_bin2bn(key->priexp.val, key->priexp.len, NULL)) == NULL)
! goto cleanup;
! if (key->prime1.val != NULL &&
! (p = BN_bin2bn(key->prime1.val, key->prime1.len, NULL)) == NULL)
! goto cleanup;
! if (key->prime2.val != NULL &&
! (q = BN_bin2bn(key->prime2.val, key->prime2.len, NULL)) == NULL)
! goto cleanup;
! if (key->exp1.val != NULL &&
! (dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len, NULL)) == NULL)
! goto cleanup;
! if (key->exp2.val != NULL &&
! (dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len, NULL)) == NULL)
! goto cleanup;
! if (key->coef.val != NULL &&
! (iqmp = BN_bin2bn(key->coef.val, key->coef.len, NULL)) == NULL)
! goto cleanup;
+ if (RSA_set0_key(rsa, n, e, d) == 0)
+ goto cleanup;
+ n = e = d = NULL;
+ if (RSA_set0_factors(rsa, p, q) == 0)
+ goto cleanup;
+ p = q = NULL;
+ if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0)
+ goto cleanup;
+ dmp1 = dmq1 = iqmp = NULL;
+
if ((newkey = EVP_PKEY_new()) == NULL)
! goto cleanup;
(void) EVP_PKEY_set1_RSA(newkey, rsa);
+ cleanup:
/* The original key must be freed once here or it leaks memory */
+ if (rsa)
RSA_free(rsa);
+ BN_free(n);
+ BN_free(e);
+ BN_free(d);
+ BN_free(p);
+ BN_free(q);
+ BN_free(dmp1);
+ BN_free(dmq1);
+ BN_free(iqmp);
return (newkey);
}
static EVP_PKEY *
ImportRawDSAKey(KMF_RAW_DSA_KEY *key)
{
DSA *dsa = NULL;
EVP_PKEY *newkey = NULL;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL,
+ *priv_key = NULL, *pub_key = NULL;
if ((dsa = DSA_new()) == NULL)
! goto cleanup;
! if ((p = BN_bin2bn(key->prime.val, key->prime.len, NULL)) == NULL)
! goto cleanup;
! if ((q = BN_bin2bn(key->subprime.val, key->subprime.len, NULL)) == NULL)
! goto cleanup;
! if ((g = BN_bin2bn(key->base.val, key->base.len, NULL)) == NULL)
! goto cleanup;
! if ((priv_key = BN_bin2bn(key->value.val, key->value.len,
! NULL)) == NULL)
! goto cleanup;
! if (key->pubvalue.val != NULL && (pub_key =
! BN_bin2bn(key->pubvalue.val, key->pubvalue.len, NULL)) == NULL)
! goto cleanup;
+ if (DSA_set0_pqg(dsa, p, q, g) == 0)
+ goto cleanup;
+ p = q = g = NULL;
+ if (DSA_set0_key(dsa, pub_key, priv_key) == 0)
+ goto cleanup;
+ pub_key = priv_key = 0;
+
if ((newkey = EVP_PKEY_new()) == NULL)
! goto cleanup;
(void) EVP_PKEY_set1_DSA(newkey, dsa);
+ cleanup:
/* The original key must be freed once here or it leaks memory */
+ if (dsa)
DSA_free(dsa);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(priv_key);
+ BN_free(pub_key);
+
return (newkey);
}
static EVP_PKEY *
raw_key_to_pkey(KMF_KEY_HANDLE *key)
*** 3730,3740 ****
return (rv);
}
static KMF_RETURN
! openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
{
KMF_RETURN ret;
int i;
--- 3815,3825 ----
return (rv);
}
static KMF_RETURN
! openssl_parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
{
KMF_RETURN ret;
int i;
*** 3757,3788 ****
X509_ATTRIBUTE *attr = NULL;
if (pkey == NULL || attrib == NULL)
return (KMF_ERR_BAD_PARAMETER);
- if (pkey->attributes == NULL) {
- pkey->attributes = sk_X509_ATTRIBUTE_new_null();
- if (pkey->attributes == NULL)
- return (KMF_ERR_MEMORY);
- }
attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
if (attr != NULL) {
int i;
! X509_ATTRIBUTE *a;
! for (i = 0;
! i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
! /* LINTED E_BAD_PTR_CASE_ALIGN */
! a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
! if (OBJ_obj2nid(a->object) == nid) {
! X509_ATTRIBUTE_free(a);
! /* LINTED E_BAD_PTR_CAST_ALIGN */
! (void) sk_X509_ATTRIBUTE_set(pkey->attributes,
! i, attr);
! return (KMF_OK);
! }
! }
! if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
X509_ATTRIBUTE_free(attr);
return (KMF_ERR_MEMORY);
}
} else {
return (KMF_ERR_MEMORY);
--- 3842,3858 ----
X509_ATTRIBUTE *attr = NULL;
if (pkey == NULL || attrib == NULL)
return (KMF_ERR_BAD_PARAMETER);
attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
if (attr != NULL) {
int i;
!
! if ((i = EVP_PKEY_get_attr_by_NID(pkey, nid, -1)) != -1)
! (void) EVP_PKEY_delete_attr(pkey, i);
! if (EVP_PKEY_add1_attr(pkey, attr) == 0) {
X509_ATTRIBUTE_free(attr);
return (KMF_ERR_MEMORY);
}
} else {
return (KMF_ERR_MEMORY);
*** 3797,3826 ****
{
KMF_RETURN ret = KMF_OK;
PKCS8_PRIV_KEY_INFO *p8 = NULL;
EVP_PKEY *pkey = NULL;
X509 *xcert = NULL;
! ASN1_TYPE *keyid = NULL;
! ASN1_TYPE *fname = NULL;
uchar_t *data = NULL;
! keyid = PKCS12_get_attr(bag, NID_localKeyID);
! fname = PKCS12_get_attr(bag, NID_friendlyName);
! switch (M_PKCS12_bag_type(bag)) {
case NID_keyBag:
if (keylist == NULL)
goto end;
! pkey = EVP_PKCS82PKEY(bag->value.keybag);
if (pkey == NULL)
ret = KMF_ERR_PKCS12_FORMAT;
break;
case NID_pkcs8ShroudedKeyBag:
if (keylist == NULL)
goto end;
! p8 = M_PKCS12_decrypt_skey(bag, pass, passlen);
if (p8 == NULL)
return (KMF_ERR_AUTH_FAILED);
pkey = EVP_PKCS82PKEY(p8);
PKCS8_PRIV_KEY_INFO_free(p8);
if (pkey == NULL)
--- 3867,3897 ----
{
KMF_RETURN ret = KMF_OK;
PKCS8_PRIV_KEY_INFO *p8 = NULL;
EVP_PKEY *pkey = NULL;
X509 *xcert = NULL;
! const ASN1_TYPE *keyid = NULL;
! const ASN1_TYPE *fname = NULL;
uchar_t *data = NULL;
! keyid = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID);
! fname = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName);
! switch (PKCS12_SAFEBAG_get_nid(bag)) {
case NID_keyBag:
if (keylist == NULL)
goto end;
! pkey = EVP_PKCS82PKEY(
! PKCS12_SAFEBAG_get0_p8inf(bag));
if (pkey == NULL)
ret = KMF_ERR_PKCS12_FORMAT;
break;
case NID_pkcs8ShroudedKeyBag:
if (keylist == NULL)
goto end;
! p8 = PKCS12_decrypt_skey(bag, pass, passlen);
if (p8 == NULL)
return (KMF_ERR_AUTH_FAILED);
pkey = EVP_PKCS82PKEY(p8);
PKCS8_PRIV_KEY_INFO_free(p8);
if (pkey == NULL)
*** 3827,3839 ****
ret = KMF_ERR_PKCS12_FORMAT;
break;
case NID_certBag:
if (certlist == NULL)
goto end;
! if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
return (KMF_ERR_PKCS12_FORMAT);
! xcert = M_PKCS12_certbag2x509(bag);
if (xcert == NULL) {
ret = KMF_ERR_PKCS12_FORMAT;
goto end;
}
if (keyid != NULL) {
--- 3898,3911 ----
ret = KMF_ERR_PKCS12_FORMAT;
break;
case NID_certBag:
if (certlist == NULL)
goto end;
! if (PKCS12_SAFEBAG_get_bag_nid(bag) !=
! NID_x509Certificate)
return (KMF_ERR_PKCS12_FORMAT);
! xcert = PKCS12_SAFEBAG_get1_cert(bag);
if (xcert == NULL) {
ret = KMF_ERR_PKCS12_FORMAT;
goto end;
}
if (keyid != NULL) {
*** 3863,3874 ****
ret = KMF_ERR_MEMORY;
else
xcert = NULL;
break;
case NID_safeContentsBag:
! return (openssl_parse_bags(bag->value.safes, pass,
! keylist, certlist));
default:
ret = KMF_ERR_PKCS12_FORMAT;
break;
}
--- 3935,3947 ----
ret = KMF_ERR_MEMORY;
else
xcert = NULL;
break;
case NID_safeContentsBag:
! return (openssl_parse_bags(
! PKCS12_SAFEBAG_get0_safes(bag),
! pass, keylist, certlist));
default:
ret = KMF_ERR_PKCS12_FORMAT;
break;
}
*** 4074,4112 ****
exportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv;
KMF_RAW_RSA_KEY *kmfkey = &key->rawdata.rsa;
(void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY));
! if ((rv = sslBN2KMFBN(rsa->n, &kmfkey->mod)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN(rsa->e, &kmfkey->pubexp)) != KMF_OK)
goto cleanup;
! if (rsa->d != NULL)
! if ((rv = sslBN2KMFBN(rsa->d, &kmfkey->priexp)) != KMF_OK)
goto cleanup;
! if (rsa->p != NULL)
! if ((rv = sslBN2KMFBN(rsa->p, &kmfkey->prime1)) != KMF_OK)
goto cleanup;
! if (rsa->q != NULL)
! if ((rv = sslBN2KMFBN(rsa->q, &kmfkey->prime2)) != KMF_OK)
goto cleanup;
! if (rsa->dmp1 != NULL)
! if ((rv = sslBN2KMFBN(rsa->dmp1, &kmfkey->exp1)) != KMF_OK)
goto cleanup;
! if (rsa->dmq1 != NULL)
! if ((rv = sslBN2KMFBN(rsa->dmq1, &kmfkey->exp2)) != KMF_OK)
goto cleanup;
! if (rsa->iqmp != NULL)
! if ((rv = sslBN2KMFBN(rsa->iqmp, &kmfkey->coef)) != KMF_OK)
goto cleanup;
cleanup:
if (rv != KMF_OK)
kmf_free_raw_key(key);
else
--- 4147,4191 ----
exportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv;
KMF_RAW_RSA_KEY *kmfkey = &key->rawdata.rsa;
+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmpq, *iqmp;
+
+ RSA_get0_key(rsa, &n, &e, &d);
+ RSA_get0_factors(rsa, &p, &q);
+ RSA_get0_crt_params(rsa, &dmp1, &dmpq, &iqmp);
+
(void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY));
! if ((rv = sslBN2KMFBN((BIGNUM *)n, &kmfkey->mod)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN((BIGNUM *)e, &kmfkey->pubexp)) != KMF_OK)
goto cleanup;
! if (d != NULL)
! if ((rv = sslBN2KMFBN((BIGNUM *)d, &kmfkey->priexp)) != KMF_OK)
goto cleanup;
! if (p != NULL)
! if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime1)) != KMF_OK)
goto cleanup;
! if (q != NULL)
! if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->prime2)) != KMF_OK)
goto cleanup;
! if (dmp1 != NULL)
! if ((rv = sslBN2KMFBN((BIGNUM *)dmp1, &kmfkey->exp1)) != KMF_OK)
goto cleanup;
! if (dmpq != NULL)
! if ((rv = sslBN2KMFBN((BIGNUM *)dmpq, &kmfkey->exp2)) != KMF_OK)
goto cleanup;
! if (iqmp != NULL)
! if ((rv = sslBN2KMFBN((BIGNUM *)iqmp, &kmfkey->coef)) != KMF_OK)
goto cleanup;
cleanup:
if (rv != KMF_OK)
kmf_free_raw_key(key);
else
*** 4124,4145 ****
static KMF_RETURN
exportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv;
KMF_RAW_DSA_KEY *kmfkey = &key->rawdata.dsa;
(void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY));
! if ((rv = sslBN2KMFBN(dsa->p, &kmfkey->prime)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN(dsa->g, &kmfkey->base)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value)) != KMF_OK)
goto cleanup;
cleanup:
if (rv != KMF_OK)
kmf_free_raw_key(key);
--- 4203,4228 ----
static KMF_RETURN
exportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv;
KMF_RAW_DSA_KEY *kmfkey = &key->rawdata.dsa;
+ const BIGNUM *p, *q, *g, *priv_key;
+ DSA_get0_pqg(dsa, &p, &q, &g);
+ DSA_get0_key(dsa, NULL, &priv_key);
+
(void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY));
! if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->subprime)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN((BIGNUM *)g, &kmfkey->base)) != KMF_OK)
goto cleanup;
! if ((rv = sslBN2KMFBN((BIGNUM *)priv_key, &kmfkey->value)) != KMF_OK)
goto cleanup;
cleanup:
if (rv != KMF_OK)
kmf_free_raw_key(key);
*** 4218,4305 ****
*keylist = list;
return (KMF_OK);
}
- static X509_ATTRIBUTE *
- find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
- {
- X509_ATTRIBUTE *a;
- int i;
-
- if (attrs == NULL)
- return (NULL);
-
- for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
- /* LINTED E_BAD_PTR_CAST_ALIGN */
- a = sk_X509_ATTRIBUTE_value(attrs, i);
- if (OBJ_obj2nid(a->object) == nid)
- return (a);
- }
- return (NULL);
- }
-
static KMF_RETURN
convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv = KMF_OK;
X509_ATTRIBUTE *attr;
if (pkey == NULL || key == NULL)
return (KMF_ERR_BAD_PARAMETER);
/* Convert SSL key to raw key */
! switch (pkey->type) {
! case EVP_PKEY_RSA:
! rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
! key);
if (rv != KMF_OK)
return (rv);
! break;
! case EVP_PKEY_DSA:
! rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
! key);
if (rv != KMF_OK)
return (rv);
! break;
! default:
return (KMF_ERR_BAD_PARAMETER);
! }
/*
* If friendlyName, add it to record.
*/
! attr = find_attr(pkey->attributes, NID_friendlyName);
! if (attr != NULL) {
ASN1_TYPE *ty = NULL;
! int numattr = sk_ASN1_TYPE_num(attr->value.set);
! if (attr->single == 0 && numattr > 0) {
! /* LINTED E_BAD_PTR_CAST_ALIGN */
! ty = sk_ASN1_TYPE_value(attr->value.set, 0);
}
if (ty != NULL) {
- #if OPENSSL_VERSION_NUMBER < 0x10000000L
- key->label = uni2asc(ty->value.bmpstring->data,
- ty->value.bmpstring->length);
- #else
key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
ty->value.bmpstring->length);
- #endif
}
} else {
key->label = NULL;
}
/*
* If KeyID, add it to record as a KMF_DATA object.
*/
! attr = find_attr(pkey->attributes, NID_localKeyID);
! if (attr != NULL) {
ASN1_TYPE *ty = NULL;
! int numattr = sk_ASN1_TYPE_num(attr->value.set);
! if (attr->single == 0 && numattr > 0) {
! /* LINTED E_BAD_PTR_CAST_ALIGN */
! ty = sk_ASN1_TYPE_value(attr->value.set, 0);
! }
key->id.Data = (uchar_t *)malloc(
ty->value.octet_string->length);
if (key->id.Data == NULL)
return (KMF_ERR_MEMORY);
(void) memcpy(key->id.Data, ty->value.octet_string->data,
--- 4301,4363 ----
*keylist = list;
return (KMF_OK);
}
static KMF_RETURN
convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv = KMF_OK;
X509_ATTRIBUTE *attr;
+ RSA *rsa;
+ DSA *dsa;
+ int loc;
if (pkey == NULL || key == NULL)
return (KMF_ERR_BAD_PARAMETER);
/* Convert SSL key to raw key */
! if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
! rv = exportRawRSAKey(rsa, key);
if (rv != KMF_OK)
return (rv);
! } else if ((dsa = EVP_PKEY_get1_DSA(pkey)) != NULL) {
! rv = exportRawDSAKey(dsa, key);
if (rv != KMF_OK)
return (rv);
! } else
return (KMF_ERR_BAD_PARAMETER);
!
/*
* If friendlyName, add it to record.
*/
!
! if ((loc = EVP_PKEY_get_attr_by_NID(pkey,
! NID_friendlyName, -1)) != -1 &&
! (attr = EVP_PKEY_get_attr(pkey, loc))) {
ASN1_TYPE *ty = NULL;
! int numattr = X509_ATTRIBUTE_count(attr);
! if (numattr > 0) {
! ty = X509_ATTRIBUTE_get0_type(attr, 0);
}
if (ty != NULL) {
key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
ty->value.bmpstring->length);
}
} else {
key->label = NULL;
}
/*
* If KeyID, add it to record as a KMF_DATA object.
*/
! if ((loc = EVP_PKEY_get_attr_by_NID(pkey,
! NID_localKeyID, -1)) != -1 &&
! (attr = EVP_PKEY_get_attr(pkey, loc)) != NULL) {
ASN1_TYPE *ty = NULL;
! int numattr = X509_ATTRIBUTE_count(attr);
! if (numattr > 0)
! ty = X509_ATTRIBUTE_get0_type(attr, 0);
key->id.Data = (uchar_t *)malloc(
ty->value.octet_string->length);
if (key->id.Data == NULL)
return (KMF_ERR_MEMORY);
(void) memcpy(key->id.Data, ty->value.octet_string->data,
*** 5404,5414 ****
ret = KMF_ERR_BAD_CERTFILE;
goto end;
}
/* Check if the certificate and the CRL have same issuer */
! if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
ret = KMF_ERR_ISSUER;
goto end;
}
/* Check to see if the certificate serial number is revoked */
--- 5462,5473 ----
ret = KMF_ERR_BAD_CERTFILE;
goto end;
}
/* Check if the certificate and the CRL have same issuer */
! if (X509_NAME_cmp(X509_get_issuer_name(xcert),
! X509_CRL_get_issuer(xcrl)) != 0) {
ret = KMF_ERR_ISSUER;
goto end;
}
/* Check to see if the certificate serial number is revoked */
*** 5421,5432 ****
}
for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
revoke = sk_X509_REVOKED_value(revoke_stack, i);
! if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
! revoke->serialNumber) == 0) {
break;
}
}
if (i < sk_X509_REVOKED_num(revoke_stack)) {
--- 5480,5491 ----
}
for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
revoke = sk_X509_REVOKED_value(revoke_stack, i);
! if (ASN1_INTEGER_cmp(X509_get_serialNumber(xcert),
! X509_REVOKED_get0_serialNumber(revoke)) == 0) {
break;
}
}
if (i < sk_X509_REVOKED_num(revoke_stack)) {
*** 5565,5581 ****
if (xcrl == NULL) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_BAD_CRLFILE;
goto cleanup;
}
! i = X509_cmp_time(X509_CRL_get_lastUpdate(xcrl), NULL);
if (i >= 0) {
ret = KMF_ERR_VALIDITY_PERIOD;
goto cleanup;
}
! if (X509_CRL_get_nextUpdate(xcrl)) {
! i = X509_cmp_time(X509_CRL_get_nextUpdate(xcrl), NULL);
if (i <= 0) {
ret = KMF_ERR_VALIDITY_PERIOD;
goto cleanup;
}
--- 5624,5640 ----
if (xcrl == NULL) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_BAD_CRLFILE;
goto cleanup;
}
! i = X509_cmp_time(X509_CRL_get0_lastUpdate(xcrl), NULL);
if (i >= 0) {
ret = KMF_ERR_VALIDITY_PERIOD;
goto cleanup;
}
! if (X509_CRL_get0_nextUpdate(xcrl)) {
! i = X509_cmp_time(X509_CRL_get0_nextUpdate(xcrl), NULL);
if (i <= 0) {
ret = KMF_ERR_VALIDITY_PERIOD;
goto cleanup;
}