Add initial CRL support to KSSLCertificate

pull/1/head
Timothy Pearson 9 years ago
parent 70bb9dde2a
commit 5896a404bc

@ -71,6 +71,7 @@ static char * (*K_SSL_CIPHER_get_version) (SSL_CIPHER *) = 0L;
static const char * (*K_SSL_CIPHER_get_name) (SSL_CIPHER *) = 0L; static const char * (*K_SSL_CIPHER_get_name) (SSL_CIPHER *) = 0L;
static char * (*K_SSL_CIPHER_description) (SSL_CIPHER *, char *, int) = 0L; static char * (*K_SSL_CIPHER_description) (SSL_CIPHER *, char *, int) = 0L;
static X509 * (*K_d2i_X509) (X509 **,unsigned char **,long) = 0L; static X509 * (*K_d2i_X509) (X509 **,unsigned char **,long) = 0L;
static X509_CRL * (*K_d2i_X509_CRL) (X509_CRL **,unsigned char **,long) = 0L;
static int (*K_i2d_X509) (X509 *,unsigned char **) = 0L; static int (*K_i2d_X509) (X509 *,unsigned char **) = 0L;
static int (*K_X509_cmp) (X509 *, X509 *) = 0L; static int (*K_X509_cmp) (X509 *, X509 *) = 0L;
static void (*K_X509_STORE_CTX_free) (X509_STORE_CTX *) = 0L; static void (*K_X509_STORE_CTX_free) (X509_STORE_CTX *) = 0L;
@ -401,6 +402,7 @@ TDEConfig *cfg;
K_RAND_write_file = (int (*)(const char *)) GET_CRYPTOLIB_SYMBOL("RAND_write_file"); K_RAND_write_file = (int (*)(const char *)) GET_CRYPTOLIB_SYMBOL("RAND_write_file");
K_CRYPTO_free = (void (*) (void *)) GET_CRYPTOLIB_SYMBOL("CRYPTO_free"); K_CRYPTO_free = (void (*) (void *)) GET_CRYPTOLIB_SYMBOL("CRYPTO_free");
K_d2i_X509 = (X509 * (*)(X509 **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509"); K_d2i_X509 = (X509 * (*)(X509 **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509");
K_d2i_X509_CRL = (X509_CRL * (*)(X509_CRL **,unsigned char **,long)) GET_CRYPTOLIB_SYMBOL("d2i_X509_CRL");
K_i2d_X509 = (int (*)(X509 *,unsigned char **)) GET_CRYPTOLIB_SYMBOL("i2d_X509"); K_i2d_X509 = (int (*)(X509 *,unsigned char **)) GET_CRYPTOLIB_SYMBOL("i2d_X509");
K_X509_cmp = (int (*)(X509 *, X509 *)) GET_CRYPTOLIB_SYMBOL("X509_cmp"); K_X509_cmp = (int (*)(X509 *, X509 *)) GET_CRYPTOLIB_SYMBOL("X509_cmp");
K_X509_STORE_CTX_new = (X509_STORE_CTX * (*) (void)) GET_CRYPTOLIB_SYMBOL("X509_STORE_CTX_new"); K_X509_STORE_CTX_new = (X509_STORE_CTX * (*) (void)) GET_CRYPTOLIB_SYMBOL("X509_STORE_CTX_new");
@ -846,6 +848,12 @@ X509 * KOpenSSLProxy::d2i_X509(X509 **a,unsigned char **pp,long length) {
} }
X509_CRL * KOpenSSLProxy::d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length) {
if (K_d2i_X509_CRL) return (K_d2i_X509_CRL)(a,pp,length);
return 0L;
}
int KOpenSSLProxy::i2d_X509(X509 *a,unsigned char **pp) { int KOpenSSLProxy::i2d_X509(X509 *a,unsigned char **pp) {
if (K_i2d_X509) return (K_i2d_X509)(a,pp); if (K_i2d_X509) return (K_i2d_X509)(a,pp);
return -1; return -1;

@ -291,6 +291,11 @@ public:
*/ */
X509 * d2i_X509(X509 **a,unsigned char **pp,long length); X509 * d2i_X509(X509 **a,unsigned char **pp,long length);
/*
* d2i_X509 - Covert a text representation of X509 CRL to an X509_CRL object
*/
X509_CRL * d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);
/* /*
* i2d_X509 - Covert an X509 object into a text representation * i2d_X509 - Covert an X509 object into a text representation

@ -83,6 +83,7 @@ public:
bool m_stateCached; bool m_stateCached;
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
X509 *m_cert; X509 *m_cert;
X509_CRL *m_cert_crl;
#endif #endif
KOSSL *kossl; KOSSL *kossl;
KSSLCertChain _chain; KSSLCertChain _chain;
@ -161,6 +162,26 @@ KSSLCertificate *n = NULL;
return n; return n;
} }
KSSLCertificate *KSSLCertificate::crlFromString(TQCString cert) {
KSSLCertificate *n = NULL;
#ifdef KSSL_HAVE_SSL
if (cert.length() == 0)
return NULL;
TQByteArray qba, qbb = cert.copy();
KCodecs::base64Decode(qbb, qba);
unsigned char *qbap = reinterpret_cast<unsigned char *>(qba.data());
X509_CRL *x5c = KOSSL::self()->d2i_X509_CRL(NULL, &qbap, qba.size());
if (!x5c) {
return NULL;
}
n = new KSSLCertificate;
n->setCRL(x5c);
#endif
return n;
}
TQString KSSLCertificate::getSubject() const { TQString KSSLCertificate::getSubject() const {
@ -544,6 +565,17 @@ d->m_stateCached = false;
d->m_stateCache = KSSLCertificate::Unknown; d->m_stateCache = KSSLCertificate::Unknown;
} }
void KSSLCertificate::setCRL(X509_CRL *c) {
#ifdef KSSL_HAVE_SSL
d->m_cert_crl = c;
if (c) {
d->_extensions.flags = 0;
}
#endif
d->m_stateCached = false;
d->m_stateCache = KSSLCertificate::Unknown;
}
X509 *KSSLCertificate::getCert() { X509 *KSSLCertificate::getCert() {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return d->m_cert; return d->m_cert;
@ -624,7 +656,6 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
X509_STORE *certStore; X509_STORE *certStore;
X509_LOOKUP *certLookup; X509_LOOKUP *certLookup;
X509_STORE_CTX *certStoreCTX; X509_STORE_CTX *certStoreCTX;
int rc = 0;
if (!d->m_cert) if (!d->m_cert)
{ {
@ -702,7 +733,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
KSSL_X509CallBack_ca_found = false; KSSL_X509CallBack_ca_found = false;
certStoreCTX->error = X509_V_OK; certStoreCTX->error = X509_V_OK;
rc = d->kossl->X509_verify_cert(certStoreCTX); d->kossl->X509_verify_cert(certStoreCTX);
int errcode = certStoreCTX->error; int errcode = certStoreCTX->error;
if (ca && !KSSL_X509CallBack_ca_found) { if (ca && !KSSL_X509CallBack_ca_found) {
ksslv = KSSLCertificate::Irrelevant; ksslv = KSSLCertificate::Irrelevant;
@ -717,7 +748,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
X509_PURPOSE_NS_SSL_SERVER); X509_PURPOSE_NS_SSL_SERVER);
certStoreCTX->error = X509_V_OK; certStoreCTX->error = X509_V_OK;
rc = d->kossl->X509_verify_cert(certStoreCTX); d->kossl->X509_verify_cert(certStoreCTX);
errcode = certStoreCTX->error; errcode = certStoreCTX->error;
ksslv = processError(errcode); ksslv = processError(errcode);
} }
@ -885,6 +916,24 @@ return TQDateTime::currentDateTime();
} }
TQDateTime KSSLCertificate::getQDTLastUpdate() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
#else
return TQDateTime::currentDateTime();
#endif
}
TQDateTime KSSLCertificate::getQDTNextUpdate() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
#else
return TQDateTime::currentDateTime();
#endif
}
int operator==(KSSLCertificate &x, KSSLCertificate &y) { int operator==(KSSLCertificate &x, KSSLCertificate &y) {
#ifndef KSSL_HAVE_SSL #ifndef KSSL_HAVE_SSL
return 1; return 1;
@ -1115,7 +1164,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5); TQString s = (const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
if (!s.isEmpty() && if (!s.isEmpty() &&
/* skip subjectAltNames with embedded NULs */ /* skip subjectAltNames with embedded NULs */
s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) { s.length() == (unsigned int)d->kossl->ASN1_STRING_length(val->d.ia5)) {
rc += s; rc += s;
} }
} }

@ -57,8 +57,10 @@ class KSSLX509V3;
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
typedef struct x509_st X509; typedef struct x509_st X509;
typedef struct X509_crl_st X509_CRL;
#else #else
class X509; class X509;
class X509_CRL;
#endif #endif
/** /**
@ -97,6 +99,13 @@ public:
*/ */
static KSSLCertificate *fromString(TQCString cert); static KSSLCertificate *fromString(TQCString cert);
/**
* Create an X.509 CRL certificate from a base64 encoded string.
* @param cert the certificate in base64 form
* @return the X.509 CRL certificate, or NULL
*/
static KSSLCertificate *crlFromString(TQCString cert);
/** /**
* Create an X.509 certificate from the internal representation. * Create an X.509 certificate from the internal representation.
* This one duplicates the X509 object for itself. * This one duplicates the X509 object for itself.
@ -165,6 +174,18 @@ public:
*/ */
TQDateTime getQDTNotAfter() const; TQDateTime getQDTNotAfter() const;
/**
* Get the date that the CRL was generated on.
* @return the date
*/
TQDateTime getQDTLastUpdate() const;
/**
* Get the date that the CRL must be updated by.
* @return the date
*/
TQDateTime getQDTNextUpdate() const;
/** /**
* Convert the certificate to DER (ASN.1) format. * Convert the certificate to DER (ASN.1) format.
* @return the binary data of the DER encoding * @return the binary data of the DER encoding
@ -360,6 +381,7 @@ protected:
KSSLCertificate(); KSSLCertificate();
void setCert(X509 *c); void setCert(X509 *c);
void setCRL(X509_CRL *c);
void setChain(void *c); void setChain(void *c);
X509 *getCert(); X509 *getCert();
KSSLValidation processError(int ec); KSSLValidation processError(int ec);

Loading…
Cancel
Save