Commit 81f169e9 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
parent a068630a
+10 −0
@@ -3,6 +3,16 @@

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

  *) Initial OCSP certificate verification added to OCSP_basic_verify()
     and related routines. This uses the standard OpenSSL certificate
     verify routines to perform initial checks (just CA validity) and
     to obtain the certificate chain. Then additional checks will be
     performed on the chain. Currently the root CA is checked to see
     if it is explicitly trusted for OCSP signing. This is used to set
     a root CA as a global signing root: that is any certificate that
     chains to that CA is an acceptable OCSP signing certificate.
     [Steve Henson]

  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
     extensions from a separate configuration file.
     As when reading extensions from the main configuration file,
+29 −0
@@ -837,3 +837,32 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
	}
}

X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
{
	X509_STORE *store;
	X509_LOOKUP *lookup;
	if(!(store = X509_STORE_new())) goto end;
	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
	if (lookup == NULL) goto end;
	if (CAfile) {
		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
			BIO_printf(bp, "Error loading file %s\n", CAfile);
			goto end;
		}
	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
		
	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
	if (lookup == NULL) goto end;
	if (CApath) {
		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
			BIO_printf(bp, "Error loading directory %s\n", CApath);
			goto end;
		}
	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);

	ERR_clear_error();
	return store;
	end:
	X509_STORE_free(store);
	return NULL;
}
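Review bot: The default-location loads at `} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);` and the matching `X509_LOOKUP_add_dir` line discard their return values, and the `ERR_clear_error()` that follows drops anything they queued, so when neither CAfile nor CApath is given and the default locations are missing, the function hands back an empty store and every later verify fails with no indication why (the old smime.c copy had the same gap, but this version is now shared by several apps). At minimum the case deserves a diagnostic, e.g. `else if (!X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT)) BIO_printf(bp, "Error loading default CA file\n");`, with the same treatment for the directory lookup; whether it should also abort is a policy choice. Now that the function is exported, a header comment stating that the caller owns the returned store and releases it with `X509_STORE_free()`, and that a NULL return means the error was already written to `bp`, would spare readers a trip through the body. The `end:` label is indented like a statement; placing it at column 0 is the conventional form and makes the cleanup path easier to spot.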
+1 −0
@@ -158,6 +158,7 @@ X509 *load_cert(BIO *err, char *file, int format);
EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass, ENGINE *e);
EVP_PKEY *load_pubkey(BIO *err, char *file, int format, ENGINE *e);
STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);

#define FORMAT_UNDEF    0
#define FORMAT_ASN1     1
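Review bot: The new `X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);` prototype carries no comment on ownership or failure semantics, which is what a caller of a shared helper needs most. Suggest a comment above the declaration: `/* Build an X509_STORE from CAfile/CApath (default locations if NULL); errors go to bp. Returns NULL on failure; caller frees with X509_STORE_free(). */`. The NULL-for-default behaviour in particular is not guessable from the signature alone.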
+37 −0
@@ -82,14 +82,18 @@ int MAIN(int argc, char **argv)
	int add_nonce = 1;
	OCSP_REQUEST *req = NULL;
	OCSP_RESPONSE *resp = NULL;
	OCSP_BASICRESP *bs = NULL;
	X509 *issuer = NULL, *cert = NULL;
	X509 *signer = NULL;
	EVP_PKEY *key = NULL;
	BIO *cbio = NULL, *derbio = NULL;
	BIO *out = NULL;
	int req_text = 0, resp_text = 0;
	char *CAfile = NULL, *CApath = NULL;
	X509_STORE *store = NULL;
	int ret = 1;
	int badarg = 0;
	int i;
	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
	ERR_load_crypto_strings();
	args = argv + 1;
@@ -153,6 +157,24 @@ int MAIN(int argc, char **argv)
				}
			else badarg = 1;
			}
		else if (!strcmp (*args, "-CAfile"))
			{
			if (args[1])
				{
				args++;
				CAfile = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp (*args, "-CApath"))
			{
			if (args[1])
				{
				args++;
				CApath = *args;
				}
			else badarg = 1;
			}
		 else if (!strcmp(*args, "-signkey"))
			{
			if (args[1])
@@ -386,11 +408,25 @@ int MAIN(int argc, char **argv)

	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);

	store = setup_verify(bio_err, CAfile, CApath);
	if(!store) goto end;

	bs = OCSP_response_get1_basic(resp);

	i = OCSP_basic_verify(bs, NULL, store, 0);

	if(i <= 0)
		{
		BIO_printf(bio_err, "Response verify error (%d)\n", i);
		ERR_print_errors(bio_err);
		}

	ret = 0;

end:
	ERR_print_errors(bio_err);
	X509_free(signer);
	X509_STORE_free(store);
	EVP_PKEY_free(key);
	X509_free(issuer);
	X509_free(cert);
@@ -398,6 +434,7 @@ end:
	BIO_free(out);
	OCSP_REQUEST_free(req);
	OCSP_RESPONSE_free(resp);
	OCSP_BASICRESP_free(bs);

	EXIT(ret);
}
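Review bot: In the third hunk of this file a failed response verification does not affect the exit status: after `BIO_printf(bio_err, "Response verify error (%d)\n", i);` control falls through to `ret = 0;`, so the program exits 0 whether or not `OCSP_basic_verify()` accepted the response, and any script relying on the exit code would treat an unverifiable response as good. Adding `goto end;` as the last statement of the `if(i <= 0)` block keeps `ret` at 1 on that path, and the `ERR_print_errors(bio_err)` call inside the block then becomes redundant with the one at `end:`. `bs = OCSP_response_get1_basic(resp);` is also handed straight to `OCSP_basic_verify()` with no NULL check; it presumably returns NULL when the response carries no basic response (for instance a non-successful status), so `if (!bs) { BIO_printf(bio_err, "Error parsing response\n"); goto end; }` before the verify would avoid a NULL dereference on such input. MAIN begins before this hunk.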
+1 −32
@@ -68,7 +68,6 @@

#undef PROG
#define PROG smime_main
static X509_STORE *setup_verify(char *CAfile, char *CApath);
static int save_certs(char *signerfile, STACK_OF(X509) *signers);

#define SMIME_OP	0x10
@@ -431,7 +430,7 @@ int MAIN(int argc, char **argv)
	}

	if(operation == SMIME_VERIFY) {
		if(!(store = setup_verify(CAfile, CApath))) goto end;
		if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end;
	}

	ret = 3;
@@ -530,36 +529,6 @@ end:
	return (ret);
}

static X509_STORE *setup_verify(char *CAfile, char *CApath)
{
	X509_STORE *store;
	X509_LOOKUP *lookup;
	if(!(store = X509_STORE_new())) goto end;
	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
	if (lookup == NULL) goto end;
	if (CAfile) {
		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
			BIO_printf(bio_err, "Error loading file %s\n", CAfile);
			goto end;
		}
	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
		
	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
	if (lookup == NULL) goto end;
	if (CApath) {
		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
			BIO_printf(bio_err, "Error loading directory %s\n", CApath);
			goto end;
		}
	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);

	ERR_clear_error();
	return store;
	end:
	X509_STORE_free(store);
	return NULL;
}

static int save_certs(char *signerfile, STACK_OF(X509) *signers)
{
	int i;