view release on metacpan or search on metacpan
call-anal.pl view on Meta::CPAN
qw(name_from_path vname_from_path open_fd_from_path vopen_fd_from_path close_file
zx_CreateFile write_all_fd write_all_fd_fmt
write_all_path_fmt write2_or_append_lock_c_path
read_all_fd read_all hexdump read_all_alloc get_file_size
sha1_safe_base64 zxid_nice_sha1
zx_strf zx_ref_str zx_ref_len_str zx_dup_str zx_dup_len_str zx_dup_cstr
zx_new_len_str zx_str_to_c
zx_ref_attr zx_ref_len_attr zx_attrf zx_dup_attr zx_dup_len_attr
zx_new_str_elem zx_ref_elem zx_ref_len_elem
zx_url_encode zx_url_encode_len zx_url_encode_raw unbase64_raw
zx_rand zx_report_openssl_err zx_memmem zxid_mk_self_sig_cert zxid_extract_private_key );
push @ignore_callee,
qw(hi_pdu_alloc hi_dump nonblock setkernelbufsizes zxid_get_ent_ss zx_pw_authn
xmtp_decode_resp test_ping http_decode smtp_decode_req smtp_decode_resp );
push @ignore_callee, qw(new_zx_ei);
select STDERR; $|=1; select STDOUT;
sub process_func {
const char* comment)
{
X509* ca_cert = NULL;
X509* new_cert = NULL;
X509_REQ* req = NULL;
EVP_PKEY* ca_pkey = NULL;
char* ret = NULL;
if (!ca_id_pem || !passwd || !req_pem) GOTO_ERR("NULL arg(s)");
if (!(ca_pkey = open_private_key(ca_id_pem, passwd))) goto err;
if (!(ca_cert = extract_certificate(ca_id_pem))) goto err;
if (!(req = extract_request(req_pem))) goto err;
if (!(new_cert = certification_authority(ca_cert, ca_pkey, req,
start_date, end_date, serial,
basic_constraints, cert_type,
key_usage, comment))) goto err;
write_certificate(new_cert, &ret);
err:
csharp/zxid.cs view on Meta::CPAN
public static void zxid_sha1_file(SWIGTYPE_p_zxid_conf cf, string name, string sha1) {
zxidPINVOKE.zxid_sha1_file(SWIGTYPE_p_zxid_conf.getCPtr(cf), name, sha1);
}
public static SWIGTYPE_p_X509 zxid_extract_cert(string buf, string name) {
IntPtr cPtr = zxidPINVOKE.zxid_extract_cert(buf, name);
SWIGTYPE_p_X509 ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_X509(cPtr, false);
return ret;
}
public static SWIGTYPE_p_p_void zxid_extract_private_key(string buf, string name) {
IntPtr cPtr = zxidPINVOKE.zxid_extract_private_key(buf, name);
SWIGTYPE_p_p_void ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_p_void(cPtr, false);
return ret;
}
public static SWIGTYPE_p_X509 zxid_read_cert(SWIGTYPE_p_zxid_conf cf, string name) {
IntPtr cPtr = zxidPINVOKE.zxid_read_cert(SWIGTYPE_p_zxid_conf.getCPtr(cf), name);
SWIGTYPE_p_X509 ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_X509(cPtr, false);
return ret;
}
public static SWIGTYPE_p_p_void zxid_read_private_key(SWIGTYPE_p_zxid_conf cf, string name) {
IntPtr cPtr = zxidPINVOKE.zxid_read_private_key(SWIGTYPE_p_zxid_conf.getCPtr(cf), name);
SWIGTYPE_p_p_void ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_p_void(cPtr, false);
return ret;
}
public static int zxid_lazy_load_sign_cert_and_pkey(SWIGTYPE_p_zxid_conf cf, SWIGTYPE_p_p_X509 cert, SWIGTYPE_p_p_p_void pkey, string logkey) {
int ret = zxidPINVOKE.zxid_lazy_load_sign_cert_and_pkey(SWIGTYPE_p_zxid_conf.getCPtr(cf), SWIGTYPE_p_p_X509.getCPtr(cert), SWIGTYPE_p_p_p_void.getCPtr(pkey), logkey);
return ret;
}
public static int zxid_set_opt(SWIGTYPE_p_zxid_conf cf, int which, int val) {
csharp/zxidPINVOKE.cs view on Meta::CPAN
[DllImport("zxid", EntryPoint="CSharp_zxid_my_issuer")]
public static extern IntPtr zxid_my_issuer(HandleRef jarg1);
[DllImport("zxid", EntryPoint="CSharp_zxid_sha1_file")]
public static extern void zxid_sha1_file(HandleRef jarg1, string jarg2, string jarg3);
[DllImport("zxid", EntryPoint="CSharp_zxid_extract_cert")]
public static extern IntPtr zxid_extract_cert(string jarg1, string jarg2);
[DllImport("zxid", EntryPoint="CSharp_zxid_extract_private_key")]
public static extern IntPtr zxid_extract_private_key(string jarg1, string jarg2);
[DllImport("zxid", EntryPoint="CSharp_zxid_read_cert")]
public static extern IntPtr zxid_read_cert(HandleRef jarg1, string jarg2);
[DllImport("zxid", EntryPoint="CSharp_zxid_read_private_key")]
public static extern IntPtr zxid_read_private_key(HandleRef jarg1, string jarg2);
[DllImport("zxid", EntryPoint="CSharp_zxid_lazy_load_sign_cert_and_pkey")]
public static extern int zxid_lazy_load_sign_cert_and_pkey(HandleRef jarg1, HandleRef jarg2, HandleRef jarg3, string jarg4);
[DllImport("zxid", EntryPoint="CSharp_zxid_set_opt")]
public static extern int zxid_set_opt(HandleRef jarg1, int jarg2, int jarg3);
[DllImport("zxid", EntryPoint="CSharp_zxid_set_opt_cstr")]
public static extern string zxid_set_opt_cstr(HandleRef jarg1, int jarg2, string jarg3);
* Normally this would cause the verification to happen, but we supply
* a callback that effectively causes verification to pass in any case,
* so that we postpone it to the moment when we see CONNECT. */
SSL_CTX_set_verify(shf->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, zxbus_verify_cb);
//SSL_CTX_set_cert_verify_callback(shf->ssl_ctx, zxbus_cert_verify_cb, cf);
/*SSL_CTX_load_verify_locations() SSL_CTX_set_client_CA_list(3) SSL_CTX_set_cert_store(3) */
if (!zxbus_cf->enc_cert)
zxbus_cf->enc_cert = zxid_read_cert(zxbus_cf, "enc-nopw-cert.pem");
if (!zxbus_cf->enc_pkey)
zxbus_cf->enc_pkey = zxid_read_private_key(zxbus_cf, "enc-nopw-cert.pem");
if (!SSL_CTX_use_certificate(shf->ssl_ctx, zxbus_cf->enc_cert)) {
ERR("SSL certificate problem %d", 0);
zx_report_openssl_err("new_shuffler-cert");
return 0;
}
if (!SSL_CTX_use_PrivateKey(shf->ssl_ctx, zxbus_cf->enc_pkey)) {
ERR("SSL private key problem %d", 0);
zx_report_openssl_err("new_shuffler-privkey");
return 0;
}
if (!SSL_CTX_check_private_key(shf->ssl_ctx)) {
ERR("SSL certificate-private key consistency problem %d", 0);
zx_report_openssl_err("new_shuffler-chk-privkey");
return 0;
}
#endif
return shf;
}
/* EOF -- hiinit.c */
if (priv_out) *priv_out = NULL;
if (x509ss_out) *x509ss_out = NULL;
if (request_out) *request_out = NULL;
if (keygen(dn, attr, comment, &pkey, &x509ss, &req) == -1) goto err;
/* Write private key to file. While its being
* written, it will also get encrypted. */
if (passwd && priv_out) {
if (write_private_key(pkey, passwd, priv_out) == -1) goto err;
EVP_PKEY_free(pkey); /* free early so memory can be reused */
pkey = NULL;
}
if (request_out) {
if (write_request(req, request_out) == -1) goto err;
X509_REQ_free(req); /* free early so memory can be reused */
req = NULL;
}
PKCS12_SAFEBAG* bag;
PKCS8_PRIV_KEY_INFO* p8;
PKCS7* authsafe;
unsigned char keyid[EVP_MAX_MD_SIZE];
unsigned int keyidlen = 0;
if (!x509 || !pkey || !pkcs12_passwd) GOTO_ERR("NULL arg(s)");
/* Figure out if cert goes with our private key */
if(X509_check_private_key(x509, pkey)) {
X509_digest(x509, EVP_sha1(), keyid, &keyidlen);
} else
GOTO_ERR("05 x509 cert does not match private key. Wrong files?");
if(!keyidlen) GOTO_ERR("05 No certificate matches private key");
/* Include the cert */
if (!(bags = (STACK_OF(PKCS12_SAFEBAG)*)sk_new(NULL))) GOTO_ERR("no memory?");
if (!(bag = M_PKCS12_x5092certbag(x509))) GOTO_ERR("M_PKCS12_x5092certbag");
char** pkcs12_out)
{
EVP_PKEY* pkey = NULL;
X509* ucert = NULL;
PKCS12* p12 = NULL;
int len = -1;
if (!x509_cert_pem || !priv_key_pem || !priv_passwd
|| !pkcs12_passwd || !pkcs12_out) GOTO_ERR("NULL arg(s)");
if (!(pkey = open_private_key(priv_key_pem, priv_passwd))) goto err;
if (!(ucert = extract_certificate(x509_cert_pem))) goto err;
if (!(p12 = x509_and_pkey_to_pkcs12(friendly_name, ucert, pkey,
pkcs12_passwd))) goto err;
len = save_PKCS12(p12, pkcs12_out);
err:
if (p12) PKCS12_free(p12);
if (ucert) X509_free(ucert);
if (pkey) EVP_PKEY_free(pkey);
return len;
strlen(x509_cert_pem)))) goto err;
while((cert = PEM_read_bio_X509(rbio, NULL, NULL, NULL))) {
sk_X509_push(certs, cert);
}
BIO_free(rbio);
/* Figure out which cert goes with our private key */
for(i = 0; i < sk_X509_num(certs); i++) {
ucert = sk_X509_value(certs, i);
if(X509_check_private_key(ucert, pkey)) {
X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
break;
}
}
if(!keyidlen) GOTO_ERR("05 No certificate matches private key");
/* If chaining get chain from user cert */
#if 0
{
/* Read pkcs12 structure (but do not decrypt private key yet) */
if (!(p12 = load_PKCS12(pkcs12, pkcs12_len))) goto err;
if (pkcs12_to_x509_and_pkey(p12, pkcs12_passwd,
(x509_cert_pem) ? &x509 : NULL,
(priv_passwd && priv_key_pem) ? &pkey : NULL)
== -1) goto err;
if (write_private_key(pkey, priv_passwd, priv_key_pem)==-1) goto err;
ret = write_certificate(x509, x509_cert_pem);
err:
if (p12) PKCS12_free(p12);
if (x509) X509_free(x509);
if (pkey) EVP_PKEY_free(pkey);
return ret;
}
/* more generic because handles multiple certificates and private keys
smime-enc.c view on Meta::CPAN
smime_clear_sign(const char* privkey,
const char* password,
const char* mime_entity)
{
char* b = NULL;
X509* x509 = NULL;
EVP_PKEY* pkey = NULL;
/* Get key and certificate (why do we need both?) */
if (!(pkey = open_private_key(privkey, password))) goto err;
if (!(x509 = extract_certificate(privkey))) goto err;
if (!(b = clear_sign(x509, pkey, mime_entity))) goto err;
err:
if (pkey) EVP_PKEY_free(pkey);
if (x509) X509_free(x509);
return b;
}
/* Sign a mime entity, such as produced by mime_mk_multipart(). Signature
smime-enc.c view on Meta::CPAN
/* Called by: main */
char*
smime_sign(const char* privkey, const char* password, const char* mime_entity)
{
char* b = NULL;
X509* x509 = NULL;
EVP_PKEY* pkey = NULL;
/* Get key and certificate (why do we need both?) */
if (!(pkey = open_private_key(privkey, password))) goto err;
if (!(x509 = extract_certificate(privkey))) goto err;
if (!(b = sign(x509, pkey, mime_entity))) goto err;
err:
if (pkey) EVP_PKEY_free(pkey);
if (x509) X509_free(x509);
return b;
}
/* Encrypt a mime entity such as produced by smime_clear_sign(). */
smime-vfy.c view on Meta::CPAN
const char* passwd,
const char* enc_entity,
char** data_out)
{
int n = -1;
EVP_PKEY *pkey = NULL;
X509 *x509 = NULL;
if (data_out) *data_out = NULL;
if (!privkey || !passwd || !enc_entity || !data_out) GOTO_ERR("NULL arg(s)");
if (!(pkey = open_private_key(privkey, passwd))) goto err;
if (!(x509 = extract_certificate(privkey))) goto err;
n = decrypt(x509, pkey, enc_entity, data_out);
err:
if (pkey) EVP_PKEY_free(pkey);
if (x509) X509_free(x509);
return n;
}
/* ------------------------------------------------ */
smimemime.c view on Meta::CPAN
err:
return NULL;
}
/* Canonicalization involves converting LF->CRLF (Unix) and CR->CRLF (Mac).
* Canonicalization is of prime importance when signing data because
* verification assumes canonicalized form. This canonicalization is really
* not mime specific at all so you can use it for fixing PEM blobs
* on Mac (becaue OpenSSL does not understand lone CR as line termination). */
/* Called by: clear_sign, extract_certificate, extract_request, main, open_private_key, sign */
char*
mime_canon(const char* s)
{
char* d;
char* p;
int len;
len = strlen(s);
p = d = (char*)OPENSSL_malloc(len + len); /* Reserve spaces for CR's to be inserted. */
if (!d) GOTO_ERR("no memory?");
smimeutil.c view on Meta::CPAN
}
strcpy(smime_error_buf, SMIME_VERSION " no randomfile");
RAND_seed(&t,sizeof(t));
RAND_write_file(randomfile); /* create random file if possible */
return -1;
}
/* Initialize a memory BIO to have certain content */
/* Called by: encrypt1, extract_certificate, extract_request, get_pkcs7_from_pem, load_PKCS12, open_private_key, smime_base64, smime_pkcs12_to_pem_generic, smime_sign_engine, smime_verify_signature */
BIO* set_read_BIO_from_buf(const char* buf, int len)
{
BIO* rbio;
BUF_MEM* bm;
if (!buf) GOTO_ERR("NULL file buffer");
if (len == -1) len = strlen(buf);
LOG_PRINT3("set_read_BIO_from_buf %x, len %d", buf, len);
if (!(rbio = BIO_new(BIO_s_mem()))) GOTO_ERR("no memory?");
if (!(bm = BUF_MEM_new())) GOTO_ERR("no memory?");
if (!BUF_MEM_grow(bm, len)) GOTO_ERR("no memory?");
smimeutil.c view on Meta::CPAN
BIO_set_mem_buf(rbio, bm, 0 /*not used*/);
LOG_PRINT("ok");
return rbio;
err:
return NULL;
}
/* Flushes a write BIO and returns the accumulated data as one malloc'd blob
* returns length or -1 if error */
/* Called by: decrypt, get_cert_info, get_req_modulus, save_PKCS12, smime_base64, smime_pkcs12_to_pem_generic x2, smime_verify_signature, write_certificate, write_private_key, write_request */
int get_written_BIO_data(BIO* wbio, char** data)
{
int n;
char* p;
if (!data) GOTO_ERR("NULL arg");
*data = NULL;
BIO_flush(wbio);
n = BIO_get_mem_data(wbio,&p);
LOG_PRINT3("get_written_BIO_data: %x %d bytes", p, n);
if (!((*data)=(char*)OPENSSL_malloc(n+1))) GOTO_ERR("no memory?");
smimeutil.c view on Meta::CPAN
n = strlen((char*)password);
if (n >= buf_size) n = buf_size-1;
memcpy(buf, (char*)password, n);
buf[n] = '\0';
return n;
}
/* Get private key from buffer full of encrypted stuff */
/* Called by: smime_ca, smime_clear_sign, smime_decrypt, smime_sign */
EVP_PKEY* open_private_key(const char* privatekey_pem, const char* password)
{
EVP_PKEY* pkey = NULL;
BIO* rbio = NULL;
LOG_PRINT3("open_private_key: %x %x", privatekey_pem, password);
#ifdef CR_PARANOIA
if (!(privatekey_pem = mime_canon(privatekey_pem))) GOTO_ERR("no memory?");
LOG_PRINT("CR paranoia enabled");
#endif
if (!(rbio = set_read_BIO_from_buf(privatekey_pem, -1))) goto err;
if (!(pkey=PEM_read_bio_PrivateKey(rbio,NULL, password_callback,
(void*)password)))
GOTO_ERR("01 bad password or badly formatted private key pem file (PEM_read_bio_PrivateKey)");
LOG_PRINT("done");
BIO_free(rbio);
smimeutil.c view on Meta::CPAN
#ifdef CR_PARANOIA
if (privatekey_pem) Free((void*)privatekey_pem);
#endif
if (pkey) EVP_PKEY_free(pkey);
if (rbio) BIO_free(rbio);
LOG_PRINT("error");
return NULL;
}
/* Called by: smime_keygen, smime_pkcs12_to_pem */
int write_private_key(EVP_PKEY* pkey, const char* passwd, char** priv_pem_OUT)
{
int len = -1;
BIO* wbio=NULL;
if (!passwd || !priv_pem_OUT || !pkey) GOTO_ERR("NULL arg(s)");
*priv_pem_OUT = NULL;
if (!(wbio = BIO_new(BIO_s_mem()))) GOTO_ERR("no memory?");
LOG_PRINT("write_private_key");
if (!PEM_write_bio_PrivateKey(wbio, pkey, *passwd ? EVP_des_ede3_cbc() : 0,
*passwd ? (unsigned char*)passwd:0, strlen(passwd),
NULL,NULL))
GOTO_ERR("PEM_write_bio_PrivateKey (bad passwd, no memory?)");
len = get_written_BIO_data(wbio, priv_pem_OUT);
err:
if (wbio) BIO_free_all(wbio);
return len;
}
smimeutil.h view on Meta::CPAN
#define CRLF "\015\012"
/* Initialize a memory BIO to have certain content */
DSEXPORT BIO* set_read_BIO_from_buf(const char* buf, int len);
DSEXPORT int get_written_BIO_data(BIO* wbio, char** data);
/* Get private key from buffer full of encrypted stuff */
DSEXPORT EVP_PKEY* open_private_key(const char* privatekey_pem, const char* password);
DSEXPORT int write_private_key(EVP_PKEY* pkey, const char* passwd, char** priv);
/* Extract a certificate from pem encoding */
DSEXPORT X509* extract_certificate(const char* cert);
DSEXPORT int /* returns length of the PEM encoding */
write_certificate(X509* x509, char** x509_cert_pem);
DSEXPORT X509_REQ* extract_request(const char* req);
DSEXPORT int write_request(X509_REQ* x509_req, char** x509_req_pem);
zxbusprod.c view on Meta::CPAN
case 0x02: /* Sx plain sha1 */
sigletter = 'S';
sig = ZX_ALLOC(cf->ctx, 20);
SHA1((unsigned char*)zbuf, zlen, (unsigned char*)sig);
len = 20;
break;
case 0x04: /* Rx RSA-SHA1 signature */
sigletter = 'R';
LOCK(cf->mx, "logsign-wrln");
if (!(log_sign_pkey = cf->log_sign_pkey))
log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
UNLOCK(cf->mx, "logsign-wrln");
if (!log_sign_pkey)
break;
len = zxsig_data(cf->ctx, zlen, zbuf, &sig, log_sign_pkey, "enc log line", 0);
break;
case 0x06: /* Dx DSA-SHA1 signature */
ERR("DSA-SHA1 sig not implemented in encrypted mode. Use RSA-SHA1 or none. %x", encflags);
break;
case 0: break; /* Px no signing */
}
zxbusprod.c view on Meta::CPAN
case 0x02: /* SP plain sha1 */
strcpy(sigbuf, "SP ");
sha1_safe_base64(sigbuf+3, n-1, logbuf);
sigbuf[3+27] = ' ';
len = 3+27+1;
p = sigbuf;
break;
case 0x04: /* RP RSA-SHA1 signature */
LOCK(cf->mx, "logsign-wrln");
if (!(log_sign_pkey = cf->log_sign_pkey))
log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
UNLOCK(cf->mx, "logsign-wrln");
if (!log_sign_pkey)
break;
zlen = zxsig_data(cf->ctx, n-1, logbuf, &zbuf, log_sign_pkey, "log line", 0);
len = SIMPLE_BASE64_LEN(zlen) + 4;
sig = ZX_ALLOC(cf->ctx, len);
strcpy(sig, "RP ");
p = base64_fancy_raw(zbuf, zlen, sig+3, safe_basis_64, 1<<31, 0, 0, '.');
len = p-sig + 1;
*p = ' ';
zxbusprod.c view on Meta::CPAN
/* Verification strategy: do not attempt verification at SSL layer. Instead
* check the result afterwards against metadata based cert. */
SSL_CTX_set_verify(cf->ssl_ctx, SSL_VERIFY_NONE,0);
//SSL_CTX_set_verify(cf->ssl_ctx, SSL_VERIFY_PEER,0);
//SSL_CTX_set_cert_verify_callback(cf->ssl_ctx, zxbus_cert_verify_cb, cf);
/*SSL_CTX_load_verify_locations() SSL_CTX_set_client_CA_list(3) SSL_CTX_set_cert_store(3) */
LOCK(cf->mx, "logenc wrln");
if (!cf->enc_cert)
cf->enc_cert = zxid_read_cert(cf, "enc-nopw-cert.pem");
if (!cf->enc_pkey)
cf->enc_pkey = zxid_read_private_key(cf, "enc-nopw-cert.pem");
UNLOCK(cf->mx, "logenc wrln");
if (!SSL_CTX_use_certificate(cf->ssl_ctx, cf->enc_cert)) {
ERR("TLS/SSL connection to(%s) can not be made. SSL certificate problem", bu->s);
zx_report_openssl_err("open_bus_url-cert");
goto errout;
}
if (!SSL_CTX_use_PrivateKey(cf->ssl_ctx, cf->enc_pkey)) {
ERR("TLS/SSL connection to(%s) can not be made. SSL private key problem", bu->s);
zx_report_openssl_err("open_bus_url-privkey");
goto errout;
}
if (!SSL_CTX_check_private_key(cf->ssl_ctx)) {
ERR("TLS/SSL connection to(%s) can not be made. SSL certificate-private key consistency problem", bu->s);
zx_report_openssl_err("open_bus_url-chk-privkey");
goto errout;
}
/*SSL_CTX_add_extra_chain_cert(cf->ssl_ctx, ca_cert);*/
}
bu->ssl = SSL_new(cf->ssl_ctx);
if (!bu->ssl) {
ERR("TLS/SSL connection to(%s) can not be made. SSL object initialization problem", bu->s);
zx_report_openssl_err("open_bus_url-ssl");
D("RSA public decrypt failed ret=%d len_cipher_data=%d",ret,ciphered->len);
zx_report_openssl_err("zx_public_decrypt_rsa fail");
return 0;
}
ASSERTOPI(ret, <=, siz);
plain->len = ret;
plain->s[ret] = 0;
return plain;
}
/*() RSA private key decryption. See zxid_read_private_key() and zxid_extract_private_key()
* for ways to read in the private key data structure.
* N.B. This function +only+ does the private key part. It does not
* perform combined dec-session-key-with-priv-key-and-then-data-with-session-key
* operation, though this function could be used as a component to implement
* such a system.
*
* This is considered a low level function. See zxenc_privkey_dec() for a higher level solution. */
/* Called by: zxenc_privkey_dec x2 */
struct zx_str* zx_rsa_priv_dec(struct zx_ctx* c, struct zx_str* ciphered, RSA* rsa_pkey, int pad)
D("RSA private decrypt failed ret=%d len_cipher_data=%d",ret,ciphered->len);
zx_report_openssl_err("zx_priv_decrypt_rsa fail");
return 0;
}
ASSERTOPI(ret, <=, siz);
plain->len = ret;
plain->s[ret] = 0;
return plain;
}
/*() RSA private key encryption. See zxid_read_private_key() and zxid_extract_private_key()
* for ways to read in the private key data structure. */
/* Called by: */
struct zx_str* zx_rsa_priv_enc(struct zx_ctx* c, struct zx_str* plain, RSA* rsa_pkey, int pad)
{
struct zx_str* ciphered;
int ret, siz = RSA_size(rsa_pkey);
ciphered = zx_new_len_str(c, siz);
if (!ciphered)
return 0;
wbio_cert = BIO_new(BIO_s_mem());
DD("write_cert %s", lk);
if (!PEM_write_bio_X509(wbio_cert, x509ss)) {
ERR("write_cert %s", lk);
zx_report_openssl_err("write_cert");
return 0;
}
len = BIO_get_mem_data(wbio_cert, &p);
wbio_pkey = BIO_new(BIO_s_mem());
DD("write_private_key %s", lk);
if (!PEM_write_bio_PrivateKey(wbio_pkey, pkey, 0,0,0,0,0)) {
ERR("write_private_key %s", lk);
zx_report_openssl_err("write_private_key");
return 0;
}
lenq = BIO_get_mem_data(wbio_pkey, &q);
write_all_path_fmt("auto_cert ss", buflen, buf,
"%s" ZXID_PEM_DIR "%s", cf->cpath, name,
"%.*s%.*s", len, p, lenq, q);
BIO_free_all(wbio_cert);
BIO_free_all(wbio_pkey);
zxencdectest.c view on Meta::CPAN
if (got_all <= 0) DIE("Missing data");
buf[got_all] = 0;
/* IBM padding debug */
cf = zxid_new_conf("/var/zxid/");
r = zx_dec_zx_root(cf->ctx, got_all, buf, "zxencdectest");
if (!r || !r->Envelope || r->Envelope->Body || r->Envelope->Body->LogoutRequest)
DIE("Decode failure");
#if 1
cf->enc_pkey = zxid_read_private_key(cf, "sym-idp-enc.pem");
#else
cf->enc_pkey = zxid_read_private_key(cf, "ibm-idp-enc.pem");
#endif
req = r->Envelope->Body->LogoutRequest;
req->NameID = zxid_decrypt_nameid(cf, req->NameID, req->EncryptedID);
printf("r1 nid(%.*s)\n", ZX_GET_CONTENT_LEN(req->NameID), ZX_GET_CONTENT_S(req->NameID));
}
/* Called by: opt */
void test_ibm_cert_problem_enc_dec() /* -r 2 */
{
zxencdectest.c view on Meta::CPAN
cf = zxid_new_conf("/var/zxid/");
nameid = zx_NEW_sa_NameID(cf->ctx,0);
/*nameid->SPNameQualifier = zx_ref_attr(cf->ctx, &nameid->gg, zx_SPNameQualifier_ATTR, spqual);*/
nameid->NameQualifier = zx_ref_attr(cf->ctx, &nameid->gg, zx_NameQualifier_ATTR, "ibmidp");
nameid->Format = zx_ref_attr(cf->ctx, &nameid->gg, zx_Format_ATTR, "persistent");
zx_add_content(cf->ctx, &nameid->gg, zx_ref_str(cf->ctx, "a-persistent-nid"));
#if 0
cf->enc_pkey = zxid_read_private_key(cf, "sym-idp-enc.pem");
#else
cf->enc_pkey = zxid_read_private_key(cf, "ibm-idp-enc.pem");
idp_meta = zxid_get_ent_file(cf, "N9zsU-AwbI1O-U3mvjLmOALtbtU", "test_ibm"); /* IBMIdP */
#endif
req = zxid_mk_logout(cf, nameid, 0, idp_meta);
req->NameID = zxid_decrypt_nameid(cf, req->NameID, req->EncryptedID);
printf("r2 nid(%.*s) should be(a-persistent-nid)\n", ZX_GET_CONTENT_LEN(req->NameID), ZX_GET_CONTENT_S(req->NameID));
}
/* Called by: opt */
void so_enc_dec() /* -r 3 */
ZXID_DECL char* zxid_my_ent_id_cstr(zxid_conf* cf);
ZXID_DECL struct zx_attr_s* zxid_my_ent_id_attr(zxid_conf* cf, struct zx_elem_s* father, int tok);
ZXID_DECL struct zx_str* zxid_my_cdc_url(zxid_conf* cf);
ZXID_DECL struct zx_sa_Issuer_s* zxid_my_issuer(zxid_conf* cf, struct zx_elem_s* father);
ZXID_DECL struct zx_sa_Issuer_s* zxid_issuer(zxid_conf* cf, struct zx_elem_s* father, struct zx_str* nameid, char* affiliation);
/* zxidconf */
#ifdef USE_OPENSSL
ZXID_DECL X509* zxid_extract_cert(char* buf, char* name);
ZXID_DECL EVP_PKEY* zxid_extract_private_key(char* buf, char* name);
ZXID_DECL X509* zxid_read_cert(zxid_conf* cf, char* name);
ZXID_DECL EVP_PKEY* zxid_read_private_key(zxid_conf* cf, char* name);
ZXID_DECL int zxid_lazy_load_sign_cert_and_pkey(zxid_conf* cf, X509** cert, EVP_PKEY** pkey, const char* logkey);
ZXID_DECL const char* zxid_get_cert_signature_algo(X509* cert);
ZXID_DECL const char* zxsig_choose_xmldsig_sig_meth_url(EVP_PKEY* priv_key, const char* dig_alg);
ZXID_DECL const char* zxsig_choose_xmldsig_sig_meth_urlenc(EVP_PKEY* priv_key, const char* dig_alg);
//ZXID_DECL const char* zxid_get_cert_signature_algo_url(X509* cert);
//ZXID_DECL const char* zxid_get_cert_signature_algo_urlenc(X509* cert);
//ZXID_DECL const char* zxid_get_cert_digest_url(X509* cert);
#endif
ZXID_DECL int zxid_set_opt(zxid_conf* cf, int which, int val);
ZXID_DECL char* zxid_set_opt_cstr(zxid_conf* cf, int which, char* val);
zxid_httpd.c view on Meta::CPAN
die_perror("listen(2): can't bind to any address");
}
if (do_ssl) {
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if (certfile[0] != '\0')
if (!SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM) ||
!SSL_CTX_use_PrivateKey_file(ssl_ctx, certfile, SSL_FILETYPE_PEM) ||
!SSL_CTX_check_private_key(ssl_ctx)) {
ERR_print_errors_fp(stderr);
exit(1);
}
if (cipher) {
if (!SSL_CTX_set_cipher_list(ssl_ctx, cipher)) {
ERR_print_errors_fp(stderr);
exit(1);
}
}
}
ERR("DER decoding of X509 certificate failed.\n%d", 0);
return 0;
}
return x;
}
/*() Extract a private key from PEM encoded string.
* *** This function needs to expand to handle DSA and EC */
/* Called by: */
EVP_PKEY* zxid_extract_private_key(char* buf, char* name)
{
char* p;
char* e;
int typ;
EVP_PKEY* pk = 0; /* Forces d2i_PrivateKey() to alloc the memory. */
OpenSSL_add_all_algorithms();
if (p = strstr(buf, PEM_RSA_PRIV_KEY_START)) {
typ = EVP_PKEY_RSA;
e = PEM_RSA_PRIV_KEY_END;
return 0;
}
++p;
e = strstr(buf, e);
if (!e) {
ERR("End marker not found, typ=%d", typ);
return 0;
}
zx_report_openssl_err("extract_private_key0"); /* *** seems something leaves errors on stack */
p = unbase64_raw(p, e, buf, zx_std_index_64);
if (!d2i_PrivateKey(typ, &pk, (const unsigned char**)&buf, p-buf) || !pk) {
zx_report_openssl_err("extract_private_key"); /* *** seems d2i can leave errors on stack */
ERR("DER decoding of private key failed.\n%d", 0);
return 0;
}
zx_report_openssl_err("extract_private_key2"); /* *** seems d2i can leave errors on stack */
return pk; /* RSA* rsa = EVP_PKEY_get1_RSA(pk); */
}
/*() Extract a private key from PEM encoded file. */
/* Called by: hi_new_shuffler, test_ibm_cert_problem x2, test_ibm_cert_problem_enc_dec x2, zxbus_mint_receipt x2, zxenc_privkey_dec, zxid_init_conf x3, zxid_lazy_load_sign_cert_and_pkey, zxlog_write_line x2 */
EVP_PKEY* zxid_read_private_key(zxid_conf* cf, char* name)
{
char buf[8192];
int got = read_all(sizeof(buf),buf,"read_private_key",1, "%s" ZXID_PEM_DIR "%s", cf->cpath, name);
if (!got && cf->auto_cert)
zxid_mk_self_sig_cert(cf, sizeof(buf), buf, "read_private_key", name);
return zxid_extract_private_key(buf, name);
}
/*() Lazy load signing certificate and private key. This reads them from disk
* if needed. If they do not exist and auto_cert is enabled, they will be
* generated on disk and then read. Once read from disk, they will be cached in
* memory.
*
* > N.B. If the cert does not yet exist, write access to disk will be needed.
* > If it already exists, read access is sufficient. Thus it is more secure
* > to pregenerate the certificate and then set the permissions so that
/* Called by: zxid_anoint_a7n, zxid_anoint_sso_resp, zxid_az_soap x3, zxid_idp_soap_dispatch x2, zxid_idp_sso, zxid_mk_art_deref, zxid_mk_at_cert, zxid_saml2_post_enc, zxid_saml2_redir_enc, zxid_sp_mni_soap, zxid_sp_slo_soap, zxid_sp_soap_dispatch x...
int zxid_lazy_load_sign_cert_and_pkey(zxid_conf* cf, X509** cert, EVP_PKEY** pkey, const char* logkey)
{
LOCK(cf->mx, logkey);
if (cert) {
if (!(*cert = cf->sign_cert)) // Lazy load cert and private key
*cert = cf->sign_cert = zxid_read_cert(cf, "sign-nopw-cert.pem");
}
if (!(*pkey = cf->sign_pkey))
*pkey = cf->sign_pkey = zxid_read_private_key(cf, "sign-nopw-cert.pem");
UNLOCK(cf->mx, logkey);
if (cert && !*cert || !*pkey)
return 0;
return 1;
}
#endif /* USE_OPENSSL */
/*() Set obscure options of ZX and ZXID layers. Used to set debug options.
* Generally setting these options is not supported, but this function
cf->di_allow_create = ZXID_DI_ALLOW_CREATE;
cf->di_nid_fmt = ZXID_DI_NID_FMT;
cf->di_a7n_enc = ZXID_DI_A7N_ENC;
cf->bootstrap_level = ZXID_BOOTSTRAP_LEVEL;
cf->show_conf = ZXID_SHOW_CONF;
#ifdef USE_OPENSSL
if (zxid_path) {
#if 0
/* DO NOT ENABLE! The certificates and keys are read "just in time" if and when needed. */
cf->sign_cert = zxid_read_cert(cf, "sign-nopw-cert.pem");
cf->sign_pkey = zxid_read_private_key(cf, "sign-nopw-cert.pem");
cf->enc_cert = zxid_read_cert(cf, "enc-nopw-cert.pem");
cf->enc_pkey = zxid_read_private_key(cf, "enc-nopw-cert.pem");
cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
cf->log_enc_cert = zxid_read_cert(cf, "logenc-nopw-cert.pem");
zxid_sha1_file(cf, "pem/logenc.key", cf->log_symkey);
#endif
}
#else
ERR("This copy of zxid was compiled to NOT use OpenSSL. Reading certificate and private key is not supported. Signing and signature verification are not supported either. Add -DUSE_OPENSSL and recompile. %d", 0);
#endif
cf->md_fetch = ZXID_MD_FETCH;
cf->md_populate_cache = ZXID_MD_POPULATE_CACHE;
cf->md_cache_first = ZXID_MD_CACHE_FIRST;
case 0x02: /* Sx plain sha1 */
sigletter = 'S';
sig = ZX_ALLOC(cf->ctx, 20);
SHA1((unsigned char*)zbuf, zlen, (unsigned char*)sig);
len = 20;
break;
case 0x04: /* Rx RSA-SHA1 signature */
sigletter = 'R';
LOCK(cf->mx, "logsign wrln");
if (!(log_sign_pkey = cf->log_sign_pkey))
log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
UNLOCK(cf->mx, "logsign wrln");
if (!log_sign_pkey)
break;
len = zxsig_data(cf->ctx, zlen, zbuf, &sig, log_sign_pkey, "enc log line", cf->blobsig_digest_algo);
break;
case 0x06: /* Dx DSA-SHA1 signature */
ERR("DSA-SHA1 sig not implemented in encrypted mode. Use RSA-SHA1 or none. %x", encflags);
break;
case 0: break; /* Px no signing */
}
case 0x02: /* SP plain sha1 */
strcpy(sigbuf, "SP ");
sha1_safe_base64(sigbuf+3, n-1, logbuf);
sigbuf[3+27] = ' ';
len = 3+27+1;
p = sigbuf;
break;
case 0x04: /* RP RSA-SHA1 signature */
LOCK(cf->mx, "logsign wrln");
if (!(log_sign_pkey = cf->log_sign_pkey))
log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
UNLOCK(cf->mx, "logsign wrln");
if (!log_sign_pkey)
break;
zlen = zxsig_data(cf->ctx, n-1, logbuf, &zbuf, log_sign_pkey, "log line", cf->blobsig_digest_algo);
len = SIMPLE_BASE64_LEN(zlen) + 4;
sig = ZX_ALLOC(cf->ctx, len);
strcpy(sig, "RP ");
p = base64_fancy_raw(zbuf, zlen, sig+3, safe_basis_64, 1<<31, 0, 0, '.');
len = p-sig + 1;
*p = ' ';
sigbuf[3+ZXLOG_TIME_SIZ+1+mid_len] = ' ';
sha1_safe_base64(sigbuf+3+ZXLOG_TIME_SIZ+1+mid_len+1, len, buf);
sigbuf[3+ZXLOG_TIME_SIZ+1+mid_len+1+27] = 0;
sigbuf[0] = 'S';
break;
case 0x04: /* RP RSA-SHA signature (detected from key) */
case 0x06: /* RP DSA-SHA signature (detected from key) */
LOCK(cf->mx, "mint_receipt");
/* The sign_pkey is used instead of log_sign_pkey because metadata is used to distribute it. */
if (!cf->sign_pkey)
cf->sign_pkey = zxid_read_private_key(cf, "sign-nopw-cert.pem");
UNLOCK(cf->mx, "mint_receipt");
DD("sign_pkey=%p buf(%.*s) len=%d buf(%s)", cf->sign_pkey, len, buf, len, buf);
if (!cf->sign_pkey)
break;
zlen = zxsig_data(cf->ctx, len, buf, &zbuf, cf->sign_pkey, "receipt", cf->blobsig_digest_algo);
if (errmac_debug>2) HEXDUMP("zbuf:", zbuf, zbuf+zlen, 4096);
len = 3+ZXLOG_TIME_SIZ+1+mid_len+1+SIMPLE_BASE64_LEN(zlen)+1;
if (sigbuf_len < len) { ERR("Too small sigbuf_len=%d, need=%d", sigbuf_len, len); break; }
switch (sigbuf[0]) {
case 'R':
case 'D':
case 'C':
meta = zxid_get_ent(cf, eid);
if (!meta) {
ERR("Unable to find metadata for eid(%s) in verify receipt", eid);
ver = -2;
break;
}
//D("check_private_key(%d)",X509_check_private_key(meta->sign_cert, cf->sign_pkey));
if (SIMPLE_BASE64_PESSIMISTIC_DECODE_LEN(sigbuf_len) > sizeof(sig)) {
ERR("Available signature decoding buffer is too short len=%d, need=%d", (int)sizeof(sig), SIMPLE_BASE64_PESSIMISTIC_DECODE_LEN(sigbuf_len));
ver = -3;
break;
}
p = sigbuf+3+ZXLOG_TIME_SIZ+1+mid_len+1;
DD("zx-rcpt-sig(%.*s) sigbuf_len=%d", sigbuf_len, sigbuf, sigbuf_len);
D("sigbuf(%.*s) len=%d sigbuf=%p lim=%p", (int)(sigbuf_len-(p-sigbuf)), p, (int)(sigbuf_len-(p-sigbuf)), p, sigbuf+sigbuf_len);
p = unbase64_raw(p, sigbuf+sigbuf_len, sig, zx_std_index_64);
zxlogview.c view on Meta::CPAN
read_all(sizeof(buf), buf, "logview opt cert", 1, "%s", (*argv)[0]);
log_verify_cert = zxid_extract_cert(buf, (*argv)[0]);
}
++(*argv); --(*argc);
}
if (*argc) { /* Log decryption key (logenc-nopw-cert.pem) */
if ((*argv)[0][0]) {
gotall = read_all(sizeof(buf), buf, "logview opt key", 1, "%s", (*argv)[0]);
SHA1((unsigned char*)buf, gotall, (unsigned char*)log_symkey);
log_decrypt_pkey = zxid_extract_private_key(buf, (*argv)[0]);
}
++(*argv); --(*argc);
}
}
/* Called by: opt */
static void test_mode(int* argc, char*** argv, char*** env)
{
int gotall;
zxid_conf* cf = zxid_new_conf(0);
++(*argv); --(*argc);
if (*argc) { /* Signature verification certificate (logsign-nopw-cert.pem) */
if ((*argv)[0][0]) {
read_all(sizeof(buf), buf, "logview test_mode private key", 1, "%s", (*argv)[0]);
cf->log_sign_pkey = zxid_extract_private_key(buf, (*argv)[0]);
cf->sign_pkey = cf->enc_pkey = cf->log_sign_pkey;
}
++(*argv); --(*argc);
}
if (*argc) { /* Log encryption key (logenc-nopw-cert.pem) */
if ((*argv)[0][0]) {
gotall = read_all(sizeof(buf), buf, "logview test_mode cert", 1, "%s", (*argv)[0]);
SHA1((unsigned char*)buf, gotall, (unsigned char*)cf->log_symkey);
cf->log_enc_cert = zxid_extract_cert(buf, (*argv)[0]);
zxlog(cf, 0, 0, 0, 0, 0, 0, 0, "N", "C", "EMISS", 0, "EncryptedKey not found");
return 0;
}
raw.s = ZX_ALLOC(cf->ctx, SIMPLE_BASE64_PESSIMISTIC_DECODE_LEN(ss->len));
lim = unbase64_raw(ss->s, ss->s+ss->len, raw.s, zx_std_index_64);
raw.len = lim - raw.s;
LOCK(cf->mx, "zxenc_privkey_dec");
if (!(enc_pkey = cf->enc_pkey))
enc_pkey = cf->enc_pkey = zxid_read_private_key(cf, "enc-nopw-cert.pem");
UNLOCK(cf->mx, "zxenc_privkey_dec");
if (!enc_pkey)
return 0;
if (!ek->EncryptionMethod || !(ss = &ek->EncryptionMethod->Algorithm->g) || !ss->len) {
ERR("Missing or malformed EncryptionMethod %p", ek->EncryptionMethod);
return 0;
}
if (sizeof(ENC_KEYTRAN_RSA_1_5)-1 == ss->len