Print this page
8982 Support building with OpenSSL 1.1
@@ -3,10 +3,11 @@
*
* Use is subject to license terms.
*/
/*
* Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
+ * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
*/
/*
* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2000.
*/
@@ -78,11 +79,10 @@
/* OPENSSL related headers */
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/asn1.h>
#include <openssl/err.h>
-#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
@@ -89,10 +89,11 @@
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/ocsp.h>
#include <openssl/des.h>
#include <openssl/rand.h>
+#include "compat.h"
#define PRINT_ANY_EXTENSION (\
KMF_X509_EXT_KEY_USAGE |\
KMF_X509_EXT_CERT_POLICIES |\
KMF_X509_EXT_SUBJALTNAME |\
@@ -135,10 +136,11 @@
#define SET_SYS_ERROR(h, c) h->lasterr.kstype = -1; h->lasterr.errcode = c;
/*
* Declare some new macros for managing stacks of EVP_PKEYS.
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
DECLARE_STACK_OF(EVP_PKEY)
#define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
#define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st))
#define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st))
@@ -145,10 +147,15 @@
#define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i))
#define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val))
#define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \
(free_func))
+#else
+/* LINTED E_STATIC_UNUSED */
+DEFINE_STACK_OF(EVP_PKEY)
+#endif
+
mutex_t init_lock = DEFAULTMUTEX;
static int ssl_initialized = 0;
static BIO *bio_err = NULL;
static int
@@ -291,10 +298,11 @@
NULL, /* SetTokenPin */
OpenSSL_StoreKey,
NULL /* Finalize */
};
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
static mutex_t *lock_cs;
static long *lock_count;
static void
/* ARGSUSED1 */
@@ -311,15 +319,18 @@
static unsigned long
thread_id()
{
return ((unsigned long)thr_self());
}
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
KMF_PLUGIN_FUNCLIST *
KMF_Plugin_Initialize()
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int i;
+#endif
(void) mutex_lock(&init_lock);
if (!ssl_initialized) {
/*
* Add support for extension OIDs that are not yet in the
@@ -333,12 +344,15 @@
"X509v3 Policy Constraints");
(void) OBJ_create("2.5.29.46", "freshestCRL",
"X509v3 Freshest CRL");
(void) OBJ_create("2.5.29.54", "inhibitAnyPolicy",
"X509v3 Inhibit Any-Policy");
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/*
* Set up for thread-safe operation.
+ * This is not required for OpenSSL 1.1
*/
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (mutex_t));
if (lock_cs == NULL) {
(void) mutex_unlock(&init_lock);
return (NULL);
@@ -358,21 +372,23 @@
CRYPTO_set_id_callback((unsigned long (*)())thread_id);
if (CRYPTO_get_locking_callback() == NULL)
CRYPTO_set_locking_callback((void (*)())locking_cb);
- OpenSSL_add_all_algorithms();
+ (void) OpenSSL_add_all_algorithms();
/* Enable error strings for reporting */
- ERR_load_crypto_strings();
+ (void) ERR_load_crypto_strings();
+#endif
ssl_initialized = 1;
}
(void) mutex_unlock(&init_lock);
return (&openssl_plugin_table);
}
+
/*
* Convert an SSL DN to a KMF DN.
*/
static KMF_RETURN
get_x509_dn(X509_NAME *sslDN, KMF_X509_NAME *kmfDN)
@@ -483,11 +499,11 @@
if (issuer != NULL && strlen(issuer)) {
rv = kmf_dn_parser(issuer, &issuerDN);
if (rv != KMF_OK)
return (KMF_ERR_BAD_PARAMETER);
- rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN);
+ rv = get_x509_dn(X509_get_issuer_name(xcert), &certIssuerDN);
if (rv != KMF_OK) {
kmf_free_dn(&issuerDN);
return (KMF_ERR_BAD_PARAMETER);
}
@@ -498,11 +514,11 @@
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
- rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN);
+ rv = get_x509_dn(X509_get_subject_name(xcert), &certSubjectDN);
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
findSubject = TRUE;
@@ -512,11 +528,11 @@
if (findSerial) {
BIGNUM *bn;
/* Comparing BIGNUMs is a pain! */
- bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL);
+ bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(xcert), NULL);
if (bn != NULL) {
int bnlen = BN_num_bytes(bn);
if (bnlen == serial->len) {
uchar_t *a = malloc(bnlen);
@@ -1418,45 +1434,37 @@
switch (format) {
case KMF_FORMAT_RAWKEY:
/* same as ASN.1 */
case KMF_FORMAT_ASN1:
- if (pkey->type == EVP_PKEY_RSA) {
- rsa = EVP_PKEY_get1_RSA(pkey);
+ if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
if (private)
rv = i2d_RSAPrivateKey_bio(out, rsa);
else
rv = i2d_RSAPublicKey_bio(out, rsa);
- RSA_free(rsa);
- } else if (pkey->type == EVP_PKEY_DSA) {
- dsa = EVP_PKEY_get1_DSA(pkey);
+ } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
rv = i2d_DSAPrivateKey_bio(out, dsa);
- DSA_free(dsa);
}
if (rv == 1) {
rv = KMF_OK;
} else {
SET_ERROR(kmfh, rv);
}
break;
case KMF_FORMAT_PEM:
- if (pkey->type == EVP_PKEY_RSA) {
- rsa = EVP_PKEY_get1_RSA(pkey);
+ if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
if (private)
rv = PEM_write_bio_RSAPrivateKey(out,
rsa, NULL, NULL, 0, NULL,
(cred != NULL ? cred->cred : NULL));
else
rv = PEM_write_bio_RSAPublicKey(out,
rsa);
- RSA_free(rsa);
- } else if (pkey->type == EVP_PKEY_DSA) {
- dsa = EVP_PKEY_get1_DSA(pkey);
+ } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
rv = PEM_write_bio_DSAPrivateKey(out,
dsa, NULL, NULL, 0, NULL,
(cred != NULL ? cred->cred : NULL));
- DSA_free(dsa);
}
if (rv == 1) {
rv = KMF_OK;
} else {
@@ -1475,11 +1483,12 @@
OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr,
KMF_ATTRIBUTE *attrlist)
{
KMF_RETURN rv = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
- uint32_t eValue = 0x010001;
+ uint32_t eValue = RSA_F4;
+ BIGNUM *eValue_bn = NULL;
RSA *sslPrivKey = NULL;
DSA *sslDSAKey = NULL;
EVP_PKEY *eprikey = NULL;
EVP_PKEY *epubkey = NULL;
BIO *out = NULL;
@@ -1487,10 +1496,18 @@
uint32_t keylen = 1024;
uint32_t keylen_size = sizeof (uint32_t);
boolean_t storekey = TRUE;
KMF_KEY_ALG keytype = KMF_RSA;
+ eValue_bn = BN_new();
+ if (eValue_bn == NULL)
+ return (KMF_ERR_MEMORY);
+ if (BN_set_word(eValue_bn, eValue) == 0) {
+ rv = KMF_ERR_KEYGEN_FAILED;
+ goto cleanup;
+ }
+
rv = kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr,
&storekey, NULL);
if (rv != KMF_OK) {
/* "storekey" is optional. Default is TRUE */
rv = KMF_OK;
@@ -1501,16 +1518,20 @@
if (rv != KMF_OK)
/* keytype is optional. KMF_RSA is default */
rv = KMF_OK;
pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
- if (pubkey == NULL)
- return (KMF_ERR_BAD_PARAMETER);
+ if (pubkey == NULL) {
+ rv = KMF_ERR_BAD_PARAMETER;
+ goto cleanup;
+ }
privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
- if (privkey == NULL)
- return (KMF_ERR_BAD_PARAMETER);
+ if (privkey == NULL) {
+ rv = KMF_ERR_BAD_PARAMETER;
+ goto cleanup;
+ }
(void) memset(pubkey, 0, sizeof (KMF_KEY_HANDLE));
(void) memset(privkey, 0, sizeof (KMF_KEY_HANDLE));
eprikey = EVP_PKEY_new();
@@ -1533,10 +1554,14 @@
if (rsaexp->len > 0 &&
rsaexp->len <= sizeof (eValue) &&
rsaexp->val != NULL) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
eValue = *(uint32_t *)rsaexp->val;
+ if (BN_set_word(eValue_bn, eValue) == 0) {
+ rv = KMF_ERR_BAD_PARAMETER;
+ goto cleanup;
+ }
} else {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
} else {
@@ -1552,12 +1577,14 @@
if (rv != KMF_OK) {
rv = KMF_ERR_BAD_PARAMETER;
goto cleanup;
}
- sslPrivKey = RSA_generate_key(keylen, eValue, NULL, NULL);
- if (sslPrivKey == NULL) {
+ sslPrivKey = RSA_new();
+ if (sslPrivKey == NULL ||
+ RSA_generate_key_ex(sslPrivKey, keylen, eValue_bn, NULL)
+ == 0) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
} else {
(void) EVP_PKEY_set1_RSA(eprikey, sslPrivKey);
privkey->kstype = KMF_KEYSTORE_OPENSSL;
@@ -1573,35 +1600,35 @@
pubkey->israw = FALSE;
pubkey->keyclass = KMF_ASYM_PUB;
pubkey->keyp = (void *)epubkey;
}
} else if (keytype == KMF_DSA) {
- DSA *dp;
+ BIGNUM *p, *q, *g;
+
sslDSAKey = DSA_new();
if (sslDSAKey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
return (KMF_ERR_MEMORY);
}
- if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) ==
- NULL) {
+ p = BN_bin2bn(P, sizeof (P), NULL);
+ q = BN_bin2bn(Q, sizeof (Q), NULL);
+ g = BN_bin2bn(G, sizeof (G), NULL);
+ if (p == NULL || q == NULL || g == NULL) {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
- if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) ==
- NULL) {
+
+ if (DSA_set0_pqg(sslDSAKey, p, q, g) == 0) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
- if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) ==
- NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_KEYGEN_FAILED;
- goto cleanup;
- }
if (!DSA_generate_key(sslDSAKey)) {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
@@ -1616,47 +1643,10 @@
} else {
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
- dp = DSA_new();
- /* Make a copy for the public key */
- if (dp != NULL) {
- if ((dp->p = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- DSA_free(dp);
- goto cleanup;
- }
- if ((dp->q = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- BN_free(dp->p);
- DSA_free(dp);
- goto cleanup;
- }
- if ((dp->g = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- BN_free(dp->q);
- BN_free(dp->p);
- DSA_free(dp);
- goto cleanup;
- }
- if ((dp->pub_key = BN_new()) == NULL) {
- SET_ERROR(kmfh, ERR_get_error());
- rv = KMF_ERR_MEMORY;
- BN_free(dp->q);
- BN_free(dp->p);
- BN_free(dp->g);
- DSA_free(dp);
- goto cleanup;
- }
- (void) BN_copy(dp->p, sslDSAKey->p);
- (void) BN_copy(dp->q, sslDSAKey->q);
- (void) BN_copy(dp->g, sslDSAKey->g);
- (void) BN_copy(dp->pub_key, sslDSAKey->pub_key);
pubkey->kstype = KMF_KEYSTORE_OPENSSL;
pubkey->keyalg = KMF_DSA;
pubkey->keyclass = KMF_ASYM_PUB;
pubkey->israw = FALSE;
@@ -1667,11 +1657,10 @@
SET_ERROR(kmfh, ERR_get_error());
rv = KMF_ERR_KEYGEN_FAILED;
goto cleanup;
}
}
- }
if (rv != KMF_OK) {
goto cleanup;
}
@@ -1717,10 +1706,13 @@
rv = OpenSSL_StoreKey(handle, i, storeattrs);
}
cleanup:
+ if (eValue_bn != NULL)
+ BN_free(eValue_bn);
+
if (rv != KMF_OK) {
if (eprikey != NULL)
EVP_PKEY_free(eprikey);
if (epubkey != NULL)
@@ -1757,11 +1749,11 @@
* bytes. If not, signature verification for DSA signatures
* may fail in the case where the bignum value does not use
* all of the bits.
*/
static int
-fixbnlen(BIGNUM *bn, unsigned char *buf, int len) {
+fixbnlen(const BIGNUM *bn, unsigned char *buf, int len) {
int bytes = len - BN_num_bytes(bn);
/* prepend with leading 0x00 if necessary */
while (bytes-- > 0)
*buf++ = 0;
@@ -1779,11 +1771,11 @@
KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
{
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
KMF_ALGORITHM_INDEX AlgId;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
const EVP_MD *md;
if (key == NULL || AlgOID == NULL ||
tobesigned == NULL || output == NULL ||
tobesigned->Data == NULL ||
@@ -1824,23 +1816,24 @@
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_INTERNAL;
}
output->Length = len;
} else {
- (void) EVP_MD_CTX_init(&ctx);
- (void) EVP_SignInit_ex(&ctx, md, NULL);
- (void) EVP_SignUpdate(&ctx, tobesigned->Data,
+ if ((ctx = EVP_MD_CTX_new()) == NULL)
+ return (KMF_ERR_MEMORY);
+ (void) EVP_SignInit_ex(ctx, md, NULL);
+ (void) EVP_SignUpdate(ctx, tobesigned->Data,
(uint32_t)tobesigned->Length);
len = (uint32_t)output->Length;
p = output->Data;
- if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) {
+ if (!EVP_SignFinal(ctx, p, (uint32_t *)&len, pkey)) {
SET_ERROR(kmfh, ERR_get_error());
len = 0;
ret = KMF_ERR_INTERNAL;
}
output->Length = len;
- (void) EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
}
} else if (key->keyalg == KMF_DSA) {
DSA *dsa = EVP_PKEY_get1_DSA(key->keyp);
uchar_t hash[EVP_MAX_MD_SIZE];
@@ -1861,33 +1854,37 @@
* are assured of NOT getting ASN.1 output returned.
* KMF does not want ASN.1 encoded results because
* not all mechanisms return ASN.1 encodings (PKCS#11
* and NSS return raw signature data).
*/
- EVP_MD_CTX_init(&ctx);
- (void) EVP_DigestInit_ex(&ctx, md, NULL);
- (void) EVP_DigestUpdate(&ctx, tobesigned->Data,
+ if ((ctx = EVP_MD_CTX_new()) == NULL)
+ return (KMF_ERR_MEMORY);
+ (void) EVP_DigestInit_ex(ctx, md, NULL);
+ (void) EVP_DigestUpdate(ctx, tobesigned->Data,
tobesigned->Length);
- (void) EVP_DigestFinal_ex(&ctx, hash, &hashlen);
+ (void) EVP_DigestFinal_ex(ctx, hash, &hashlen);
/* Only sign first 20 bytes for SHA2 */
if (AlgId == KMF_ALGID_SHA256WithDSA)
hashlen = 20;
dsasig = DSA_do_sign(hash, hashlen, dsa);
if (dsasig != NULL) {
int i;
- output->Length = i = fixbnlen(dsasig->r, output->Data,
+ const BIGNUM *r, *s;
+
+ DSA_SIG_get0(dsasig, &r, &s);
+ output->Length = i = fixbnlen(r, output->Data,
hashlen);
- output->Length += fixbnlen(dsasig->s, &output->Data[i],
+ output->Length += fixbnlen(s, &output->Data[i],
hashlen);
DSA_SIG_free(dsasig);
} else {
SET_ERROR(kmfh, ERR_get_error());
}
- (void) EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
} else {
return (KMF_ERR_BAD_PARAMETER);
}
cleanup:
return (ret);
@@ -2021,21 +2018,15 @@
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
X509 *xcert = NULL;
unsigned char *outbuf = NULL;
unsigned char *outbuf_p;
- char *tmpstr = NULL;
int j;
int ext_index, nid, len;
BIO *mem = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10000000L
- STACK *emlst = NULL;
-#else
STACK_OF(OPENSSL_STRING) *emlst = NULL;
-#endif
X509_EXTENSION *ex;
- X509_CINF *ci;
if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) {
return (KMF_ERR_BAD_PARAMETER);
}
@@ -2073,13 +2064,12 @@
XN_FLAG_SEP_CPLUS_SPC);
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_VERSION:
- tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version);
- (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN);
- OPENSSL_free(tmpstr);
+ (void) snprintf(resultStr, KMF_CERT_PRINTABLE_LEN,
+ "%ld", X509_get_version(xcert));
len = strlen(resultStr);
break;
case KMF_CERT_SERIALNUM:
if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
@@ -2088,37 +2078,41 @@
KMF_CERT_PRINTABLE_LEN - 2);
}
break;
case KMF_CERT_NOTBEFORE:
- (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert));
+ (void) ASN1_TIME_print(mem, X509_getm_notBefore(xcert));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_NOTAFTER:
- (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert));
+ (void) ASN1_TIME_print(mem, X509_getm_notAfter(xcert));
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_PUBKEY_DATA:
{
+ RSA *rsa;
+ DSA *dsa;
+
EVP_PKEY *pkey = X509_get_pubkey(xcert);
if (pkey == NULL) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_ENCODING;
goto out;
}
- if (pkey->type == EVP_PKEY_RSA) {
+ if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
(void) BIO_printf(mem,
"RSA Public Key: (%d bit)\n",
- BN_num_bits(pkey->pkey.rsa->n));
- (void) RSA_print(mem, pkey->pkey.rsa, 0);
- } else if (pkey->type == EVP_PKEY_DSA) {
+ RSA_bits(rsa));
+ (void) RSA_print(mem, rsa, 0);
+
+ } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
(void) BIO_printf(mem,
"%12sDSA Public Key:\n", "");
- (void) DSA_print(mem, pkey->pkey.dsa, 0);
+ (void) DSA_print(mem, dsa, 0);
} else {
(void) BIO_printf(mem,
"%12sUnknown Public Key:\n", "");
}
(void) BIO_printf(mem, "\n");
@@ -2126,34 +2120,54 @@
}
len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
break;
case KMF_CERT_SIGNATURE_ALG:
case KMF_CERT_PUBKEY_ALG:
+ {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ASN1_OBJECT *alg = NULL;
+#else
+ const ASN1_OBJECT *alg = NULL;
+#endif
+
if (flag == KMF_CERT_SIGNATURE_ALG) {
- len = i2a_ASN1_OBJECT(mem,
- xcert->sig_alg->algorithm);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ alg = xcert->sig_alg->algorithm;
+#else
+ const X509_ALGOR *sig_alg = NULL;
+
+ X509_get0_signature(NULL, &sig_alg, xcert);
+ if (sig_alg != NULL)
+ X509_ALGOR_get0(&alg, NULL, NULL,
+ sig_alg);
+#endif
} else {
- len = i2a_ASN1_OBJECT(mem,
- xcert->cert_info->key->algor->algorithm);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ alg = xcert->cert_info->key->algor->algorithm;
+#else
+ X509_PUBKEY *key = X509_get_X509_PUBKEY(xcert);
+
+ if (key != NULL)
+ (void) X509_PUBKEY_get0_param(
+ (ASN1_OBJECT **)&alg, NULL, 0,
+ NULL, key);
+#endif
}
- if (len > 0) {
+ if (alg == NULL)
+ len = -1;
+ else if ((len = i2a_ASN1_OBJECT(mem, alg)) > 0)
len = BIO_read(mem, resultStr,
KMF_CERT_PRINTABLE_LEN);
}
break;
case KMF_CERT_EMAIL:
emlst = X509_get1_email(xcert);
-#if OPENSSL_VERSION_NUMBER < 0x10000000L
- for (j = 0; j < sk_num(emlst); j++)
- (void) BIO_printf(mem, "%s\n", sk_value(emlst, j));
-#else
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
(void) BIO_printf(mem, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
-#endif
len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
X509_email_free(emlst);
break;
case KMF_X509_EXT_ISSUER_ALTNAME:
@@ -2174,20 +2188,19 @@
nid = ext2NID(flag);
if (nid == NID_undef) {
ret = KMF_ERR_EXTENSION_NOT_FOUND;
goto out;
}
- ci = xcert->cert_info;
- ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1);
+ ext_index = X509_get_ext_by_NID(xcert, nid, -1);
if (ext_index == -1) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_EXTENSION_NOT_FOUND;
goto out;
}
- ex = X509v3_get_ext(ci->extensions, ext_index);
+ ex = X509_get_ext(xcert, ext_index);
(void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
if (BIO_printf(mem, ": %s\n",
X509_EXTENSION_get_critical(ex) ? "critical" : "") <= 0) {
@@ -2195,11 +2208,12 @@
ret = KMF_ERR_ENCODING;
goto out;
}
if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
(void) BIO_printf(mem, "%*s", 4, "");
- (void) M_ASN1_OCTET_STRING_print(mem, ex->value);
+ (void) ASN1_STRING_print(mem,
+ X509_EXTENSION_get_data(ex));
}
if (BIO_write(mem, "\n", 1) <= 0) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_ENCODING;
goto out;
@@ -2476,26 +2490,40 @@
return (ret);
}
/* ocsp_find_signer_sk() is copied from openssl source */
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_BASICRESP *bs)
{
int i;
unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+ const ASN1_OCTET_STRING *pid;
- /* Easy if lookup by name */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OCSP_RESPID *id = bs->tbsResponseData->responderId;
+
if (id->type == V_OCSP_RESPID_NAME)
return (X509_find_by_subject(certs, id->value.byName));
+ pid = id->value.byKey;
+#else
+ const X509_NAME *pname;
+
+ if (OCSP_resp_get0_id(bs, &pid, &pname) == 0)
+ return (NULL);
+
+ if (pname != NULL)
+ return (X509_find_by_subject(certs, (X509_NAME *)pname));
+#endif
+
/* Lookup by key hash */
/* If key hash isn't SHA1 length then forget it */
- if (id->value.byKey->length != SHA_DIGEST_LENGTH)
+ if (pid->length != SHA_DIGEST_LENGTH)
return (NULL);
- keyhash = id->value.byKey->data;
+ keyhash = pid->data;
/* Calculate hash of each key and compare */
for (i = 0; i < sk_X509_num(certs); i++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
X509 *x = sk_X509_value(certs, i);
/* Use pubkey_digest to get the key ID value */
@@ -2511,17 +2539,18 @@
static int
ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags)
{
X509 *signer;
- OCSP_RESPID *rid = bs->tbsResponseData->responderId;
- if ((signer = ocsp_find_signer_sk(certs, rid))) {
+ if ((signer = ocsp_find_signer_sk(certs, bs))) {
*psigner = signer;
return (2);
}
+
if (!(flags & OCSP_NOINTERN) &&
- (signer = ocsp_find_signer_sk(bs->certs, rid))) {
+ (signer = ocsp_find_signer_sk(
+ (STACK_OF(X509) *)OCSP_resp_get0_certs(bs), bs))) {
*psigner = signer;
return (1);
}
/* Maybe lookup from store if by subject name */
@@ -2540,14 +2569,17 @@
KMF_RETURN ret = KMF_OK;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
STACK_OF(X509) *cert_stack = NULL;
X509 *signer = NULL;
X509 *issuer = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_PKEY *skey = NULL;
+#else
+ STACK_OF(X509) *cert_stack2 = NULL;
+#endif
unsigned char *ptmp;
-
if (bs == NULL || issuer_cert == NULL)
return (KMF_ERR_BAD_PARAMETER);
/*
* Find the certificate that signed the basic response.
@@ -2597,17 +2629,37 @@
goto end;
}
}
/* Verify the signature of the response */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
skey = X509_get_pubkey(signer);
if (skey == NULL) {
ret = KMF_ERR_OCSP_BAD_SIGNER;
goto end;
}
ret = OCSP_BASICRESP_verify(bs, skey, 0);
+#else
+ /*
+ * Technique based on
+ * https://mta.openssl.org/pipermail/openssl-users/
+ * 2017-October/006814.html
+ */
+ if ((cert_stack2 = sk_X509_new_null()) == NULL) {
+ ret = KMF_ERR_INTERNAL;
+ goto end;
+ }
+
+ if (sk_X509_push(cert_stack2, signer) == NULL) {
+ ret = KMF_ERR_INTERNAL;
+ goto end;
+ }
+
+ ret = OCSP_basic_verify(bs, cert_stack2, NULL, OCSP_NOVERIFY);
+#endif
+
if (ret == 0) {
ret = KMF_ERR_OCSP_RESPONSE_SIGNATURE;
goto end;
}
@@ -2618,23 +2670,27 @@
if (signer != NULL) {
X509_free(signer);
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (skey != NULL) {
EVP_PKEY_free(skey);
}
+#else
+ if (cert_stack2 != NULL) {
+ sk_X509_free(cert_stack2);
+ }
+#endif
if (cert_stack != NULL) {
sk_X509_free(cert_stack);
}
return (ret);
}
-
-
KMF_RETURN
OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle,
int numattr, KMF_ATTRIBUTE *attrlist)
{
KMF_RETURN ret = KMF_OK;
@@ -2819,13 +2875,13 @@
pkey = openssl_load_key(handle, path);
if (pkey == NULL) {
return (KMF_ERR_KEY_NOT_FOUND);
}
if (key != NULL) {
- if (pkey->type == EVP_PKEY_RSA)
+ if (EVP_PKEY_get0_RSA(pkey) != NULL)
key->keyalg = KMF_RSA;
- else if (pkey->type == EVP_PKEY_DSA)
+ else if (EVP_PKEY_get0_DSA(pkey) != NULL)
key->keyalg = KMF_DSA;
key->kstype = KMF_KEYSTORE_OPENSSL;
key->keyclass = keyclass;
key->keyp = (void *)pkey;
@@ -3018,15 +3074,16 @@
}
static int
add_alias_to_bag(PKCS12_SAFEBAG *bag, X509 *xcert)
{
- if (xcert != NULL && xcert->aux != NULL &&
- xcert->aux->alias != NULL) {
+ unsigned char *alias;
+ int len;
+
+ if (xcert != NULL && (alias = X509_alias_get0(xcert, &len)) != NULL) {
if (PKCS12_add_friendlyname_asc(bag,
- (const char *)xcert->aux->alias->data,
- xcert->aux->alias->length) == 0)
+ (const char *)alias, len) == 0)
return (0);
}
return (1);
}
@@ -3041,11 +3098,11 @@
bag_stack = sk_PKCS12_SAFEBAG_new_null();
if (bag_stack == NULL)
return (NULL);
/* Convert cert from X509 struct to PKCS#12 bag */
- bag = PKCS12_x5092certbag(sslcert);
+ bag = PKCS12_SAFEBAG_create_cert(sslcert);
if (bag == NULL) {
goto out;
}
/* Add the key id to the certificate bag. */
@@ -3086,11 +3143,11 @@
p8 = EVP_PKEY2PKCS8(pkey);
if (p8 == NULL) {
return (NULL);
}
/* Put the shrouded key into a PKCS#12 bag. */
- bag = PKCS12_MAKE_SHKEYBAG(
+ bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
cred->cred, cred->credlen,
NULL, 0, PKCS12_DEFAULT_ITER, p8);
/* Clean up the PKCS#8 shrouded key, don't need it now. */
@@ -3126,100 +3183,128 @@
static EVP_PKEY *
ImportRawRSAKey(KMF_RAW_RSA_KEY *key)
{
RSA *rsa = NULL;
EVP_PKEY *newkey = NULL;
+ BIGNUM *n = NULL, *e = NULL, *d = NULL,
+ *p = NULL, *q = NULL,
+ *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
if ((rsa = RSA_new()) == NULL)
- return (NULL);
+ goto cleanup;
- if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL)
- return (NULL);
+ if ((n = BN_bin2bn(key->mod.val, key->mod.len, NULL)) == NULL)
+ goto cleanup;
- if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) ==
- NULL)
- return (NULL);
+ if ((e = BN_bin2bn(key->pubexp.val, key->pubexp.len, NULL)) == NULL)
+ goto cleanup;
- if (key->priexp.val != NULL)
- if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len,
- rsa->d)) == NULL)
- return (NULL);
+ if (key->priexp.val != NULL &&
+ (d = BN_bin2bn(key->priexp.val, key->priexp.len, NULL)) == NULL)
+ goto cleanup;
- if (key->prime1.val != NULL)
- if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len,
- rsa->p)) == NULL)
- return (NULL);
+ if (key->prime1.val != NULL &&
+ (p = BN_bin2bn(key->prime1.val, key->prime1.len, NULL)) == NULL)
+ goto cleanup;
- if (key->prime2.val != NULL)
- if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len,
- rsa->q)) == NULL)
- return (NULL);
+ if (key->prime2.val != NULL &&
+ (q = BN_bin2bn(key->prime2.val, key->prime2.len, NULL)) == NULL)
+ goto cleanup;
- if (key->exp1.val != NULL)
- if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len,
- rsa->dmp1)) == NULL)
- return (NULL);
+ if (key->exp1.val != NULL &&
+ (dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len, NULL)) == NULL)
+ goto cleanup;
- if (key->exp2.val != NULL)
- if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len,
- rsa->dmq1)) == NULL)
- return (NULL);
+ if (key->exp2.val != NULL &&
+ (dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len, NULL)) == NULL)
+ goto cleanup;
- if (key->coef.val != NULL)
- if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len,
- rsa->iqmp)) == NULL)
- return (NULL);
+ if (key->coef.val != NULL &&
+ (iqmp = BN_bin2bn(key->coef.val, key->coef.len, NULL)) == NULL)
+ goto cleanup;
+ if (RSA_set0_key(rsa, n, e, d) == 0)
+ goto cleanup;
+ n = e = d = NULL;
+ if (RSA_set0_factors(rsa, p, q) == 0)
+ goto cleanup;
+ p = q = NULL;
+ if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0)
+ goto cleanup;
+ dmp1 = dmq1 = iqmp = NULL;
+
if ((newkey = EVP_PKEY_new()) == NULL)
- return (NULL);
+ goto cleanup;
(void) EVP_PKEY_set1_RSA(newkey, rsa);
+cleanup:
/* The original key must be freed once here or it leaks memory */
+ if (rsa)
RSA_free(rsa);
+ BN_free(n);
+ BN_free(e);
+ BN_free(d);
+ BN_free(p);
+ BN_free(q);
+ BN_free(dmp1);
+ BN_free(dmq1);
+ BN_free(iqmp);
return (newkey);
}
static EVP_PKEY *
ImportRawDSAKey(KMF_RAW_DSA_KEY *key)
{
DSA *dsa = NULL;
EVP_PKEY *newkey = NULL;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL,
+ *priv_key = NULL, *pub_key = NULL;
if ((dsa = DSA_new()) == NULL)
- return (NULL);
+ goto cleanup;
- if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len,
- dsa->p)) == NULL)
- return (NULL);
+ if ((p = BN_bin2bn(key->prime.val, key->prime.len, NULL)) == NULL)
+ goto cleanup;
- if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len,
- dsa->q)) == NULL)
- return (NULL);
+ if ((q = BN_bin2bn(key->subprime.val, key->subprime.len, NULL)) == NULL)
+ goto cleanup;
- if ((dsa->g = BN_bin2bn(key->base.val, key->base.len,
- dsa->g)) == NULL)
- return (NULL);
+ if ((g = BN_bin2bn(key->base.val, key->base.len, NULL)) == NULL)
+ goto cleanup;
- if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len,
- dsa->priv_key)) == NULL)
- return (NULL);
+ if ((priv_key = BN_bin2bn(key->value.val, key->value.len,
+ NULL)) == NULL)
+ goto cleanup;
- if (key->pubvalue.val != NULL) {
- if ((dsa->pub_key = BN_bin2bn(key->pubvalue.val,
- key->pubvalue.len, dsa->pub_key)) == NULL)
- return (NULL);
- }
+ if (key->pubvalue.val != NULL && (pub_key =
+ BN_bin2bn(key->pubvalue.val, key->pubvalue.len, NULL)) == NULL)
+ goto cleanup;
+ if (DSA_set0_pqg(dsa, p, q, g) == 0)
+ goto cleanup;
+ p = q = g = NULL;
+ if (DSA_set0_key(dsa, pub_key, priv_key) == 0)
+ goto cleanup;
+ pub_key = priv_key = 0;
+
if ((newkey = EVP_PKEY_new()) == NULL)
- return (NULL);
+ goto cleanup;
(void) EVP_PKEY_set1_DSA(newkey, dsa);
+cleanup:
/* The original key must be freed once here or it leaks memory */
+ if (dsa)
DSA_free(dsa);
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(priv_key);
+ BN_free(pub_key);
+
return (newkey);
}
static EVP_PKEY *
raw_key_to_pkey(KMF_KEY_HANDLE *key)
@@ -3730,11 +3815,11 @@
return (rv);
}
static KMF_RETURN
-openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
+openssl_parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
{
KMF_RETURN ret;
int i;
@@ -3757,32 +3842,17 @@
X509_ATTRIBUTE *attr = NULL;
if (pkey == NULL || attrib == NULL)
return (KMF_ERR_BAD_PARAMETER);
- if (pkey->attributes == NULL) {
- pkey->attributes = sk_X509_ATTRIBUTE_new_null();
- if (pkey->attributes == NULL)
- return (KMF_ERR_MEMORY);
- }
attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
if (attr != NULL) {
int i;
- X509_ATTRIBUTE *a;
- for (i = 0;
- i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
- /* LINTED E_BAD_PTR_CASE_ALIGN */
- a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
- if (OBJ_obj2nid(a->object) == nid) {
- X509_ATTRIBUTE_free(a);
- /* LINTED E_BAD_PTR_CAST_ALIGN */
- (void) sk_X509_ATTRIBUTE_set(pkey->attributes,
- i, attr);
- return (KMF_OK);
- }
- }
- if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
+
+ if ((i = EVP_PKEY_get_attr_by_NID(pkey, nid, -1)) != -1)
+ (void) EVP_PKEY_delete_attr(pkey, i);
+ if (EVP_PKEY_add1_attr(pkey, attr) == 0) {
X509_ATTRIBUTE_free(attr);
return (KMF_ERR_MEMORY);
}
} else {
return (KMF_ERR_MEMORY);
@@ -3797,30 +3867,31 @@
{
KMF_RETURN ret = KMF_OK;
PKCS8_PRIV_KEY_INFO *p8 = NULL;
EVP_PKEY *pkey = NULL;
X509 *xcert = NULL;
- ASN1_TYPE *keyid = NULL;
- ASN1_TYPE *fname = NULL;
+ const ASN1_TYPE *keyid = NULL;
+ const ASN1_TYPE *fname = NULL;
uchar_t *data = NULL;
- keyid = PKCS12_get_attr(bag, NID_localKeyID);
- fname = PKCS12_get_attr(bag, NID_friendlyName);
+ keyid = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID);
+ fname = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName);
- switch (M_PKCS12_bag_type(bag)) {
+ switch (PKCS12_SAFEBAG_get_nid(bag)) {
case NID_keyBag:
if (keylist == NULL)
goto end;
- pkey = EVP_PKCS82PKEY(bag->value.keybag);
+ pkey = EVP_PKCS82PKEY(
+ PKCS12_SAFEBAG_get0_p8inf(bag));
if (pkey == NULL)
ret = KMF_ERR_PKCS12_FORMAT;
break;
case NID_pkcs8ShroudedKeyBag:
if (keylist == NULL)
goto end;
- p8 = M_PKCS12_decrypt_skey(bag, pass, passlen);
+ p8 = PKCS12_decrypt_skey(bag, pass, passlen);
if (p8 == NULL)
return (KMF_ERR_AUTH_FAILED);
pkey = EVP_PKCS82PKEY(p8);
PKCS8_PRIV_KEY_INFO_free(p8);
if (pkey == NULL)
@@ -3827,13 +3898,14 @@
ret = KMF_ERR_PKCS12_FORMAT;
break;
case NID_certBag:
if (certlist == NULL)
goto end;
- if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
+ if (PKCS12_SAFEBAG_get_bag_nid(bag) !=
+ NID_x509Certificate)
return (KMF_ERR_PKCS12_FORMAT);
- xcert = M_PKCS12_certbag2x509(bag);
+ xcert = PKCS12_SAFEBAG_get1_cert(bag);
if (xcert == NULL) {
ret = KMF_ERR_PKCS12_FORMAT;
goto end;
}
if (keyid != NULL) {
@@ -3863,12 +3935,13 @@
ret = KMF_ERR_MEMORY;
else
xcert = NULL;
break;
case NID_safeContentsBag:
- return (openssl_parse_bags(bag->value.safes, pass,
- keylist, certlist));
+ return (openssl_parse_bags(
+ PKCS12_SAFEBAG_get0_safes(bag),
+ pass, keylist, certlist));
default:
ret = KMF_ERR_PKCS12_FORMAT;
break;
}
@@ -4074,39 +4147,45 @@
exportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv;
KMF_RAW_RSA_KEY *kmfkey = &key->rawdata.rsa;
+ const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmpq, *iqmp;
+
+ RSA_get0_key(rsa, &n, &e, &d);
+ RSA_get0_factors(rsa, &p, &q);
+ RSA_get0_crt_params(rsa, &dmp1, &dmpq, &iqmp);
+
(void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY));
- if ((rv = sslBN2KMFBN(rsa->n, &kmfkey->mod)) != KMF_OK)
+ if ((rv = sslBN2KMFBN((BIGNUM *)n, &kmfkey->mod)) != KMF_OK)
goto cleanup;
- if ((rv = sslBN2KMFBN(rsa->e, &kmfkey->pubexp)) != KMF_OK)
+ if ((rv = sslBN2KMFBN((BIGNUM *)e, &kmfkey->pubexp)) != KMF_OK)
goto cleanup;
- if (rsa->d != NULL)
- if ((rv = sslBN2KMFBN(rsa->d, &kmfkey->priexp)) != KMF_OK)
+ if (d != NULL)
+ if ((rv = sslBN2KMFBN((BIGNUM *)d, &kmfkey->priexp)) != KMF_OK)
goto cleanup;
- if (rsa->p != NULL)
- if ((rv = sslBN2KMFBN(rsa->p, &kmfkey->prime1)) != KMF_OK)
+ if (p != NULL)
+ if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime1)) != KMF_OK)
goto cleanup;
- if (rsa->q != NULL)
- if ((rv = sslBN2KMFBN(rsa->q, &kmfkey->prime2)) != KMF_OK)
+ if (q != NULL)
+ if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->prime2)) != KMF_OK)
goto cleanup;
- if (rsa->dmp1 != NULL)
- if ((rv = sslBN2KMFBN(rsa->dmp1, &kmfkey->exp1)) != KMF_OK)
+ if (dmp1 != NULL)
+ if ((rv = sslBN2KMFBN((BIGNUM *)dmp1, &kmfkey->exp1)) != KMF_OK)
goto cleanup;
- if (rsa->dmq1 != NULL)
- if ((rv = sslBN2KMFBN(rsa->dmq1, &kmfkey->exp2)) != KMF_OK)
+ if (dmpq != NULL)
+ if ((rv = sslBN2KMFBN((BIGNUM *)dmpq, &kmfkey->exp2)) != KMF_OK)
goto cleanup;
- if (rsa->iqmp != NULL)
- if ((rv = sslBN2KMFBN(rsa->iqmp, &kmfkey->coef)) != KMF_OK)
+ if (iqmp != NULL)
+ if ((rv = sslBN2KMFBN((BIGNUM *)iqmp, &kmfkey->coef)) != KMF_OK)
goto cleanup;
cleanup:
if (rv != KMF_OK)
kmf_free_raw_key(key);
else
@@ -4124,22 +4203,26 @@
static KMF_RETURN
exportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv;
KMF_RAW_DSA_KEY *kmfkey = &key->rawdata.dsa;
+ const BIGNUM *p, *q, *g, *priv_key;
+ DSA_get0_pqg(dsa, &p, &q, &g);
+ DSA_get0_key(dsa, NULL, &priv_key);
+
(void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY));
- if ((rv = sslBN2KMFBN(dsa->p, &kmfkey->prime)) != KMF_OK)
+ if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime)) != KMF_OK)
goto cleanup;
- if ((rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime)) != KMF_OK)
+ if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->subprime)) != KMF_OK)
goto cleanup;
- if ((rv = sslBN2KMFBN(dsa->g, &kmfkey->base)) != KMF_OK)
+ if ((rv = sslBN2KMFBN((BIGNUM *)g, &kmfkey->base)) != KMF_OK)
goto cleanup;
- if ((rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value)) != KMF_OK)
+ if ((rv = sslBN2KMFBN((BIGNUM *)priv_key, &kmfkey->value)) != KMF_OK)
goto cleanup;
cleanup:
if (rv != KMF_OK)
kmf_free_raw_key(key);
@@ -4218,88 +4301,63 @@
*keylist = list;
return (KMF_OK);
}
-static X509_ATTRIBUTE *
-find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
-{
- X509_ATTRIBUTE *a;
- int i;
-
- if (attrs == NULL)
- return (NULL);
-
- for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
- /* LINTED E_BAD_PTR_CAST_ALIGN */
- a = sk_X509_ATTRIBUTE_value(attrs, i);
- if (OBJ_obj2nid(a->object) == nid)
- return (a);
- }
- return (NULL);
-}
-
static KMF_RETURN
convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
{
KMF_RETURN rv = KMF_OK;
X509_ATTRIBUTE *attr;
+ RSA *rsa;
+ DSA *dsa;
+ int loc;
if (pkey == NULL || key == NULL)
return (KMF_ERR_BAD_PARAMETER);
/* Convert SSL key to raw key */
- switch (pkey->type) {
- case EVP_PKEY_RSA:
- rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
- key);
+ if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
+ rv = exportRawRSAKey(rsa, key);
if (rv != KMF_OK)
return (rv);
- break;
- case EVP_PKEY_DSA:
- rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
- key);
+ } else if ((dsa = EVP_PKEY_get1_DSA(pkey)) != NULL) {
+ rv = exportRawDSAKey(dsa, key);
if (rv != KMF_OK)
return (rv);
- break;
- default:
+ } else
return (KMF_ERR_BAD_PARAMETER);
- }
+
/*
* If friendlyName, add it to record.
*/
- attr = find_attr(pkey->attributes, NID_friendlyName);
- if (attr != NULL) {
+
+ if ((loc = EVP_PKEY_get_attr_by_NID(pkey,
+ NID_friendlyName, -1)) != -1 &&
+ (attr = EVP_PKEY_get_attr(pkey, loc))) {
ASN1_TYPE *ty = NULL;
- int numattr = sk_ASN1_TYPE_num(attr->value.set);
- if (attr->single == 0 && numattr > 0) {
- /* LINTED E_BAD_PTR_CAST_ALIGN */
- ty = sk_ASN1_TYPE_value(attr->value.set, 0);
+ int numattr = X509_ATTRIBUTE_count(attr);
+ if (numattr > 0) {
+ ty = X509_ATTRIBUTE_get0_type(attr, 0);
}
if (ty != NULL) {
-#if OPENSSL_VERSION_NUMBER < 0x10000000L
- key->label = uni2asc(ty->value.bmpstring->data,
- ty->value.bmpstring->length);
-#else
key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
ty->value.bmpstring->length);
-#endif
}
} else {
key->label = NULL;
}
/*
* If KeyID, add it to record as a KMF_DATA object.
*/
- attr = find_attr(pkey->attributes, NID_localKeyID);
- if (attr != NULL) {
+ if ((loc = EVP_PKEY_get_attr_by_NID(pkey,
+ NID_localKeyID, -1)) != -1 &&
+ (attr = EVP_PKEY_get_attr(pkey, loc)) != NULL) {
ASN1_TYPE *ty = NULL;
- int numattr = sk_ASN1_TYPE_num(attr->value.set);
- if (attr->single == 0 && numattr > 0) {
- /* LINTED E_BAD_PTR_CAST_ALIGN */
- ty = sk_ASN1_TYPE_value(attr->value.set, 0);
- }
+ int numattr = X509_ATTRIBUTE_count(attr);
+ if (numattr > 0)
+ ty = X509_ATTRIBUTE_get0_type(attr, 0);
key->id.Data = (uchar_t *)malloc(
ty->value.octet_string->length);
if (key->id.Data == NULL)
return (KMF_ERR_MEMORY);
(void) memcpy(key->id.Data, ty->value.octet_string->data,
@@ -5404,11 +5462,12 @@
ret = KMF_ERR_BAD_CERTFILE;
goto end;
}
/* Check if the certificate and the CRL have same issuer */
- if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
+ if (X509_NAME_cmp(X509_get_issuer_name(xcert),
+ X509_CRL_get_issuer(xcrl)) != 0) {
ret = KMF_ERR_ISSUER;
goto end;
}
/* Check to see if the certificate serial number is revoked */
@@ -5421,12 +5480,12 @@
}
for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
/* LINTED E_BAD_PTR_CAST_ALIGN */
revoke = sk_X509_REVOKED_value(revoke_stack, i);
- if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
- revoke->serialNumber) == 0) {
+ if (ASN1_INTEGER_cmp(X509_get_serialNumber(xcert),
+ X509_REVOKED_get0_serialNumber(revoke)) == 0) {
break;
}
}
if (i < sk_X509_REVOKED_num(revoke_stack)) {
@@ -5565,17 +5624,17 @@
if (xcrl == NULL) {
SET_ERROR(kmfh, ERR_get_error());
ret = KMF_ERR_BAD_CRLFILE;
goto cleanup;
}
- i = X509_cmp_time(X509_CRL_get_lastUpdate(xcrl), NULL);
+ i = X509_cmp_time(X509_CRL_get0_lastUpdate(xcrl), NULL);
if (i >= 0) {
ret = KMF_ERR_VALIDITY_PERIOD;
goto cleanup;
}
- if (X509_CRL_get_nextUpdate(xcrl)) {
- i = X509_cmp_time(X509_CRL_get_nextUpdate(xcrl), NULL);
+ if (X509_CRL_get0_nextUpdate(xcrl)) {
+ i = X509_cmp_time(X509_CRL_get0_nextUpdate(xcrl), NULL);
if (i <= 0) {
ret = KMF_ERR_VALIDITY_PERIOD;
goto cleanup;
}