zxid

 view release on metacpan or  search on metacpan

call-anal.pl  view on Meta::CPAN

    qw(name_from_path vname_from_path open_fd_from_path vopen_fd_from_path close_file
       zx_CreateFile write_all_fd write_all_fd_fmt
       write_all_path_fmt write2_or_append_lock_c_path
       read_all_fd read_all hexdump read_all_alloc get_file_size
       sha1_safe_base64 zxid_nice_sha1
       zx_strf zx_ref_str zx_ref_len_str zx_dup_str zx_dup_len_str zx_dup_cstr
       zx_new_len_str zx_str_to_c
       zx_ref_attr zx_ref_len_attr zx_attrf zx_dup_attr zx_dup_len_attr
       zx_new_str_elem zx_ref_elem zx_ref_len_elem
       zx_url_encode zx_url_encode_len zx_url_encode_raw unbase64_raw
       zx_rand zx_report_openssl_err zx_memmem zxid_mk_self_sig_cert zxid_extract_private_key );

push @ignore_callee,
    qw(hi_pdu_alloc hi_dump nonblock setkernelbufsizes zxid_get_ent_ss zx_pw_authn
       xmtp_decode_resp test_ping http_decode smtp_decode_req smtp_decode_resp );

push @ignore_callee, qw(new_zx_ei);

select STDERR; $|=1; select STDOUT;

sub process_func {

certauth.c  view on Meta::CPAN

	 const char* comment)
{
  X509* ca_cert = NULL;
  X509* new_cert = NULL;
  X509_REQ* req = NULL;
  EVP_PKEY* ca_pkey = NULL;
  char* ret = NULL;
  
  if (!ca_id_pem || !passwd || !req_pem) GOTO_ERR("NULL arg(s)");

  if (!(ca_pkey = open_private_key(ca_id_pem, passwd))) goto err;
  if (!(ca_cert = extract_certificate(ca_id_pem))) goto err;
  if (!(req = extract_request(req_pem))) goto err;
  
  if (!(new_cert = certification_authority(ca_cert, ca_pkey, req,
					   start_date, end_date, serial,
					   basic_constraints, cert_type,
					   key_usage, comment))) goto err;
  write_certificate(new_cert, &ret);
  
err:

csharp/zxid.cs  view on Meta::CPAN

  public static void zxid_sha1_file(SWIGTYPE_p_zxid_conf cf, string name, string sha1) {
    zxidPINVOKE.zxid_sha1_file(SWIGTYPE_p_zxid_conf.getCPtr(cf), name, sha1);
  }

  public static SWIGTYPE_p_X509 zxid_extract_cert(string buf, string name) {
    IntPtr cPtr = zxidPINVOKE.zxid_extract_cert(buf, name);
    SWIGTYPE_p_X509 ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_X509(cPtr, false);
    return ret;
  }

  public static SWIGTYPE_p_p_void zxid_extract_private_key(string buf, string name) {
    IntPtr cPtr = zxidPINVOKE.zxid_extract_private_key(buf, name);
    SWIGTYPE_p_p_void ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_p_void(cPtr, false);
    return ret;
  }

  public static SWIGTYPE_p_X509 zxid_read_cert(SWIGTYPE_p_zxid_conf cf, string name) {
    IntPtr cPtr = zxidPINVOKE.zxid_read_cert(SWIGTYPE_p_zxid_conf.getCPtr(cf), name);
    SWIGTYPE_p_X509 ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_X509(cPtr, false);
    return ret;
  }

  public static SWIGTYPE_p_p_void zxid_read_private_key(SWIGTYPE_p_zxid_conf cf, string name) {
    IntPtr cPtr = zxidPINVOKE.zxid_read_private_key(SWIGTYPE_p_zxid_conf.getCPtr(cf), name);
    SWIGTYPE_p_p_void ret = (cPtr == IntPtr.Zero) ? null : new SWIGTYPE_p_p_void(cPtr, false);
    return ret;
  }

  public static int zxid_lazy_load_sign_cert_and_pkey(SWIGTYPE_p_zxid_conf cf, SWIGTYPE_p_p_X509 cert, SWIGTYPE_p_p_p_void pkey, string logkey) {
    int ret = zxidPINVOKE.zxid_lazy_load_sign_cert_and_pkey(SWIGTYPE_p_zxid_conf.getCPtr(cf), SWIGTYPE_p_p_X509.getCPtr(cert), SWIGTYPE_p_p_p_void.getCPtr(pkey), logkey);
    return ret;
  }

  public static int zxid_set_opt(SWIGTYPE_p_zxid_conf cf, int which, int val) {

csharp/zxidPINVOKE.cs  view on Meta::CPAN


  [DllImport("zxid", EntryPoint="CSharp_zxid_my_issuer")]
  public static extern IntPtr zxid_my_issuer(HandleRef jarg1);

  [DllImport("zxid", EntryPoint="CSharp_zxid_sha1_file")]
  public static extern void zxid_sha1_file(HandleRef jarg1, string jarg2, string jarg3);

  [DllImport("zxid", EntryPoint="CSharp_zxid_extract_cert")]
  public static extern IntPtr zxid_extract_cert(string jarg1, string jarg2);

  [DllImport("zxid", EntryPoint="CSharp_zxid_extract_private_key")]
  public static extern IntPtr zxid_extract_private_key(string jarg1, string jarg2);

  [DllImport("zxid", EntryPoint="CSharp_zxid_read_cert")]
  public static extern IntPtr zxid_read_cert(HandleRef jarg1, string jarg2);

  [DllImport("zxid", EntryPoint="CSharp_zxid_read_private_key")]
  public static extern IntPtr zxid_read_private_key(HandleRef jarg1, string jarg2);

  [DllImport("zxid", EntryPoint="CSharp_zxid_lazy_load_sign_cert_and_pkey")]
  public static extern int zxid_lazy_load_sign_cert_and_pkey(HandleRef jarg1, HandleRef jarg2, HandleRef jarg3, string jarg4);

  [DllImport("zxid", EntryPoint="CSharp_zxid_set_opt")]
  public static extern int zxid_set_opt(HandleRef jarg1, int jarg2, int jarg3);

  [DllImport("zxid", EntryPoint="CSharp_zxid_set_opt_cstr")]
  public static extern string zxid_set_opt_cstr(HandleRef jarg1, int jarg2, string jarg3);

hiinit.c  view on Meta::CPAN

   * Normally this would cause the verification to happen, but we supply
   * a callback that effectively causes verification to pass in any case,
   * so that we postpone it to the moment when we see CONNECT. */
  SSL_CTX_set_verify(shf->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, zxbus_verify_cb);
  //SSL_CTX_set_cert_verify_callback(shf->ssl_ctx, zxbus_cert_verify_cb, cf);

  /*SSL_CTX_load_verify_locations() SSL_CTX_set_client_CA_list(3) SSL_CTX_set_cert_store(3) */
  if (!zxbus_cf->enc_cert)
    zxbus_cf->enc_cert = zxid_read_cert(zxbus_cf, "enc-nopw-cert.pem");
  if (!zxbus_cf->enc_pkey)
    zxbus_cf->enc_pkey = zxid_read_private_key(zxbus_cf, "enc-nopw-cert.pem");
  if (!SSL_CTX_use_certificate(shf->ssl_ctx, zxbus_cf->enc_cert)) {
    ERR("SSL certificate problem %d", 0);
    zx_report_openssl_err("new_shuffler-cert");
    return 0;
  }
  if (!SSL_CTX_use_PrivateKey(shf->ssl_ctx, zxbus_cf->enc_pkey)) {
    ERR("SSL private key problem %d", 0);
    zx_report_openssl_err("new_shuffler-privkey");
    return 0;
  }
  if (!SSL_CTX_check_private_key(shf->ssl_ctx)) {
    ERR("SSL certificate-private key consistency problem %d", 0);
    zx_report_openssl_err("new_shuffler-chk-privkey");
    return 0;
  }
#endif
  return shf;
}

/* EOF  --  hiinit.c */

keygen.c  view on Meta::CPAN

  if (priv_out) *priv_out = NULL;
  if (x509ss_out) *x509ss_out = NULL;
  if (request_out) *request_out = NULL;
  
  if (keygen(dn, attr, comment, &pkey, &x509ss, &req) == -1) goto err;
  
  /* Write private key to file. While its being
   * written, it will also get encrypted. */
  
  if (passwd && priv_out) {
    if (write_private_key(pkey, passwd, priv_out) == -1) goto err;
    EVP_PKEY_free(pkey);  /* free early so memory can be reused */
    pkey = NULL;
  }
  
  if (request_out) {
    if (write_request(req, request_out) == -1) goto err;
    X509_REQ_free(req);  /* free early so memory can be reused */
    req = NULL;
  }
  

pkcs12.c  view on Meta::CPAN

  PKCS12_SAFEBAG* bag;
  PKCS8_PRIV_KEY_INFO* p8;
  PKCS7* authsafe;
  unsigned char keyid[EVP_MAX_MD_SIZE];
  unsigned int keyidlen = 0;
  
  if (!x509 || !pkey || !pkcs12_passwd) GOTO_ERR("NULL arg(s)");
  
  /* Figure out if cert goes with our private key */

  if(X509_check_private_key(x509, pkey)) {
    X509_digest(x509, EVP_sha1(), keyid, &keyidlen);
  } else
    GOTO_ERR("05 x509 cert does not match private key. Wrong files?");
  if(!keyidlen) GOTO_ERR("05 No certificate matches private key");
  
  /* Include the cert */
  
  if (!(bags = (STACK_OF(PKCS12_SAFEBAG)*)sk_new(NULL))) GOTO_ERR("no memory?");  
  if (!(bag = M_PKCS12_x5092certbag(x509))) GOTO_ERR("M_PKCS12_x5092certbag");
  

pkcs12.c  view on Meta::CPAN

		    char** pkcs12_out)
{
  EVP_PKEY* pkey = NULL;
  X509*     ucert = NULL;
  PKCS12*   p12 = NULL;
  int len = -1;
  
  if (!x509_cert_pem || !priv_key_pem || !priv_passwd
      || !pkcs12_passwd || !pkcs12_out) GOTO_ERR("NULL arg(s)");
  
  if (!(pkey = open_private_key(priv_key_pem, priv_passwd))) goto err;
  if (!(ucert = extract_certificate(x509_cert_pem))) goto err;
  if (!(p12 = x509_and_pkey_to_pkcs12(friendly_name, ucert, pkey,
			    pkcs12_passwd))) goto err;
  len = save_PKCS12(p12, pkcs12_out);
  
err:
  if (p12)   PKCS12_free(p12);
  if (ucert) X509_free(ucert);
  if (pkey)  EVP_PKEY_free(pkey);
  return len;

pkcs12.c  view on Meta::CPAN

				     strlen(x509_cert_pem)))) goto err;
  while((cert = PEM_read_bio_X509(rbio, NULL, NULL, NULL))) {
    sk_X509_push(certs, cert);
  }
  BIO_free(rbio);
  
  /* Figure out which cert goes with our private key */

  for(i = 0; i < sk_X509_num(certs); i++) {
    ucert = sk_X509_value(certs, i);
    if(X509_check_private_key(ucert, pkey)) {
      X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
      break;
    }
  }

  if(!keyidlen) GOTO_ERR("05 No certificate matches private key");
  
  /* If chaining get chain from user cert */
#if 0
  {

pkcs12.c  view on Meta::CPAN

  
  /* Read pkcs12 structure (but do not decrypt private key yet) */
  
  if (!(p12 = load_PKCS12(pkcs12, pkcs12_len))) goto err;

  if (pkcs12_to_x509_and_pkey(p12, pkcs12_passwd,
			      (x509_cert_pem) ? &x509 : NULL,
			      (priv_passwd && priv_key_pem) ? &pkey : NULL)
      == -1) goto err;
    
  if (write_private_key(pkey, priv_passwd, priv_key_pem)==-1) goto err;
  ret = write_certificate(x509, x509_cert_pem);
  
err:
  if (p12) PKCS12_free(p12);
  if (x509) X509_free(x509);
  if (pkey) EVP_PKEY_free(pkey);
  return ret;
}

/* more generic because handles multiple certificates and private keys

smime-enc.c  view on Meta::CPAN

smime_clear_sign(const char* privkey,
		 const char* password,
		 const char* mime_entity)
{
  char* b = NULL;
  X509* x509 = NULL;
  EVP_PKEY* pkey = NULL;

  /* Get key and certificate (why do we need both?) */
  
  if (!(pkey = open_private_key(privkey, password))) goto err;
  if (!(x509 = extract_certificate(privkey))) goto err;
  if (!(b = clear_sign(x509, pkey, mime_entity))) goto err;

err:
  if (pkey)  EVP_PKEY_free(pkey);
  if (x509)  X509_free(x509);
  return b;
}

/* Sign a mime entity, such as produced by mime_mk_multipart(). Signature

smime-enc.c  view on Meta::CPAN

/* Called by:  main */
char*
smime_sign(const char* privkey, const char* password, const char* mime_entity)
{
  char* b = NULL;
  X509* x509 = NULL;
  EVP_PKEY* pkey = NULL;

  /* Get key and certificate (why do we need both?) */
  
  if (!(pkey = open_private_key(privkey, password))) goto err;
  if (!(x509 = extract_certificate(privkey))) goto err;
  if (!(b = sign(x509, pkey, mime_entity))) goto err;

err:
  if (pkey)  EVP_PKEY_free(pkey);
  if (x509)  X509_free(x509);
  return b;
}

/* Encrypt a mime entity such as produced by smime_clear_sign(). */

smime-vfy.c  view on Meta::CPAN

	      const char* passwd,
	      const char* enc_entity,
	      char** data_out)
{
  int  n = -1;
  EVP_PKEY *pkey = NULL;
  X509  *x509 = NULL;
  
  if (data_out) *data_out = NULL;
  if (!privkey || !passwd || !enc_entity || !data_out) GOTO_ERR("NULL arg(s)");
  if (!(pkey = open_private_key(privkey, passwd))) goto err;
  if (!(x509 = extract_certificate(privkey)))      goto err;
  n = decrypt(x509, pkey, enc_entity, data_out);
    
err:  
  if (pkey)  EVP_PKEY_free(pkey);
  if (x509)  X509_free(x509);
  return n;
}

/* ------------------------------------------------ */

smimemime.c  view on Meta::CPAN

err:
  return NULL;
}

/* Canonicalization involves converting LF->CRLF (Unix) and CR->CRLF (Mac).
 * Canonicalization is of prime importance when signing data because
 * verification assumes canonicalized form. This canonicalization is really
 * not mime specific at all so you can use it for fixing PEM blobs
 * on Mac (becaue OpenSSL does not understand lone CR as line termination). */

/* Called by:  clear_sign, extract_certificate, extract_request, main, open_private_key, sign */
char*
mime_canon(const char* s)
{
  char* d;
  char* p;
  int len;
  len = strlen(s);
  p = d = (char*)OPENSSL_malloc(len + len);  /* Reserve spaces for CR's to be inserted. */
  if (!d) GOTO_ERR("no memory?");
  

smimeutil.c  view on Meta::CPAN

  }
  strcpy(smime_error_buf, SMIME_VERSION " no randomfile");
  RAND_seed(&t,sizeof(t));
  RAND_write_file(randomfile);  /* create random file if possible */

  return -1;
}

/* Initialize a memory BIO to have certain content */

/* Called by:  encrypt1, extract_certificate, extract_request, get_pkcs7_from_pem, load_PKCS12, open_private_key, smime_base64, smime_pkcs12_to_pem_generic, smime_sign_engine, smime_verify_signature */
BIO* set_read_BIO_from_buf(const char* buf, int len)
{
  BIO* rbio;  
  BUF_MEM* bm;
  if (!buf) GOTO_ERR("NULL file buffer");
  if (len == -1) len = strlen(buf);
  LOG_PRINT3("set_read_BIO_from_buf %x, len %d", buf, len);
  if (!(rbio = BIO_new(BIO_s_mem()))) GOTO_ERR("no memory?");
  if (!(bm = BUF_MEM_new()))  GOTO_ERR("no memory?");
  if (!BUF_MEM_grow(bm, len)) GOTO_ERR("no memory?");

smimeutil.c  view on Meta::CPAN

  BIO_set_mem_buf(rbio, bm, 0 /*not used*/);
  LOG_PRINT("ok");
  return rbio;
err:
  return NULL;
}

/* Flushes a write BIO and returns the accumulated data as one malloc'd blob
 * returns length or -1 if error */

/* Called by:  decrypt, get_cert_info, get_req_modulus, save_PKCS12, smime_base64, smime_pkcs12_to_pem_generic x2, smime_verify_signature, write_certificate, write_private_key, write_request */
int get_written_BIO_data(BIO* wbio, char** data)
{
  int n;
  char* p;
  if (!data) GOTO_ERR("NULL arg");
  *data = NULL;
  BIO_flush(wbio);
  n = BIO_get_mem_data(wbio,&p);
  LOG_PRINT3("get_written_BIO_data: %x %d bytes", p, n);
  if (!((*data)=(char*)OPENSSL_malloc(n+1))) GOTO_ERR("no memory?");

smimeutil.c  view on Meta::CPAN

  n = strlen((char*)password);
  if (n >= buf_size) n = buf_size-1;
  memcpy(buf, (char*)password, n);
  buf[n] = '\0';
  return n; 
}

/* Get private key from buffer full of encrypted stuff */

/* Called by:  smime_ca, smime_clear_sign, smime_decrypt, smime_sign */
EVP_PKEY* open_private_key(const char* privatekey_pem, const char* password)
{
  EVP_PKEY* pkey = NULL;
  BIO* rbio = NULL;
  LOG_PRINT3("open_private_key: %x %x", privatekey_pem, password);
#ifdef CR_PARANOIA
  if (!(privatekey_pem = mime_canon(privatekey_pem))) GOTO_ERR("no memory?");
  LOG_PRINT("CR paranoia enabled");
#endif
  if (!(rbio = set_read_BIO_from_buf(privatekey_pem, -1))) goto err;
  if (!(pkey=PEM_read_bio_PrivateKey(rbio,NULL, password_callback,
				     (void*)password)))
    GOTO_ERR("01 bad password or badly formatted private key pem file (PEM_read_bio_PrivateKey)");
  LOG_PRINT("done");
  BIO_free(rbio);

smimeutil.c  view on Meta::CPAN

#ifdef CR_PARANOIA
  if (privatekey_pem) Free((void*)privatekey_pem);
#endif
  if (pkey) EVP_PKEY_free(pkey);
  if (rbio) BIO_free(rbio);
  LOG_PRINT("error");
  return NULL;
}

/* Called by:  smime_keygen, smime_pkcs12_to_pem */
int write_private_key(EVP_PKEY* pkey, const char* passwd, char** priv_pem_OUT)
{
  int len = -1;
  BIO* wbio=NULL;
  if (!passwd || !priv_pem_OUT || !pkey) GOTO_ERR("NULL arg(s)");
  *priv_pem_OUT = NULL;
  if (!(wbio = BIO_new(BIO_s_mem()))) GOTO_ERR("no memory?");
  LOG_PRINT("write_private_key");
  if (!PEM_write_bio_PrivateKey(wbio, pkey, *passwd ? EVP_des_ede3_cbc() : 0,
				*passwd ? (unsigned char*)passwd:0, strlen(passwd),
				NULL,NULL))
    GOTO_ERR("PEM_write_bio_PrivateKey (bad passwd, no memory?)");
  len = get_written_BIO_data(wbio, priv_pem_OUT);
err:
  if (wbio) BIO_free_all(wbio);
  return len;
}

smimeutil.h  view on Meta::CPAN

#define CRLF  "\015\012"

/* Initialize a memory BIO to have certain content */

DSEXPORT BIO* set_read_BIO_from_buf(const char* buf, int len);

DSEXPORT int get_written_BIO_data(BIO* wbio, char** data);

/* Get private key from buffer full of encrypted stuff */

DSEXPORT EVP_PKEY* open_private_key(const char* privatekey_pem, const char* password);
DSEXPORT int write_private_key(EVP_PKEY* pkey, const char* passwd, char** priv);

/* Extract a certificate from pem encoding */

DSEXPORT X509* extract_certificate(const char* cert);

DSEXPORT int /* returns length of the PEM encoding */
write_certificate(X509* x509, char** x509_cert_pem);

DSEXPORT X509_REQ* extract_request(const char* req);
DSEXPORT int write_request(X509_REQ* x509_req, char** x509_req_pem);

zxbusprod.c  view on Meta::CPAN

     case 0x02:      /* Sx plain sha1 */
       sigletter = 'S';
       sig = ZX_ALLOC(cf->ctx, 20);
       SHA1((unsigned char*)zbuf, zlen, (unsigned char*)sig);
       len = 20;
       break;
     case 0x04:      /* Rx RSA-SHA1 signature */
       sigletter = 'R';
       LOCK(cf->mx, "logsign-wrln");      
       if (!(log_sign_pkey = cf->log_sign_pkey))
	 log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
       UNLOCK(cf->mx, "logsign-wrln");      
       if (!log_sign_pkey)
	 break;
len = zxsig_data(cf->ctx, zlen, zbuf, &sig, log_sign_pkey, "enc log line", 0);
       break;
     case 0x06:      /* Dx DSA-SHA1 signature */
       ERR("DSA-SHA1 sig not implemented in encrypted mode. Use RSA-SHA1 or none. %x", encflags);
       break;
     case 0: break;  /* Px no signing */
     }

zxbusprod.c  view on Meta::CPAN

   case 0x02:   /* SP plain sha1 */
     strcpy(sigbuf, "SP ");
     sha1_safe_base64(sigbuf+3, n-1, logbuf);
     sigbuf[3+27] = ' ';
     len = 3+27+1;
     p = sigbuf;
     break;
   case 0x04:   /* RP RSA-SHA1 signature */
     LOCK(cf->mx, "logsign-wrln");      
     if (!(log_sign_pkey = cf->log_sign_pkey))
       log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
     UNLOCK(cf->mx, "logsign-wrln");
     if (!log_sign_pkey)
       break;
zlen = zxsig_data(cf->ctx, n-1, logbuf, &zbuf, log_sign_pkey, "log line", 0);
     len = SIMPLE_BASE64_LEN(zlen) + 4;
     sig = ZX_ALLOC(cf->ctx, len);
     strcpy(sig, "RP ");
     p = base64_fancy_raw(zbuf, zlen, sig+3, safe_basis_64, 1<<31, 0, 0, '.');
     len = p-sig + 1;
     *p = ' ';

zxbusprod.c  view on Meta::CPAN

      /* Verification strategy: do not attempt verification at SSL layer. Instead
       * check the result afterwards against metadata based cert. */
      SSL_CTX_set_verify(cf->ssl_ctx, SSL_VERIFY_NONE,0);
      //SSL_CTX_set_verify(cf->ssl_ctx, SSL_VERIFY_PEER,0);
      //SSL_CTX_set_cert_verify_callback(cf->ssl_ctx, zxbus_cert_verify_cb, cf);
      /*SSL_CTX_load_verify_locations() SSL_CTX_set_client_CA_list(3) SSL_CTX_set_cert_store(3) */
      LOCK(cf->mx, "logenc wrln");
      if (!cf->enc_cert)
	cf->enc_cert = zxid_read_cert(cf, "enc-nopw-cert.pem");
      if (!cf->enc_pkey)
	cf->enc_pkey = zxid_read_private_key(cf, "enc-nopw-cert.pem");
      UNLOCK(cf->mx, "logenc wrln");
      if (!SSL_CTX_use_certificate(cf->ssl_ctx, cf->enc_cert)) {
	ERR("TLS/SSL connection to(%s) can not be made. SSL certificate problem", bu->s);
	zx_report_openssl_err("open_bus_url-cert");
	goto errout;
      }
      if (!SSL_CTX_use_PrivateKey(cf->ssl_ctx, cf->enc_pkey)) {
	ERR("TLS/SSL connection to(%s) can not be made. SSL private key problem", bu->s);
	zx_report_openssl_err("open_bus_url-privkey");
	goto errout;
      }
      if (!SSL_CTX_check_private_key(cf->ssl_ctx)) {
	ERR("TLS/SSL connection to(%s) can not be made. SSL certificate-private key consistency problem", bu->s);
	zx_report_openssl_err("open_bus_url-chk-privkey");
	goto errout;
      }
      /*SSL_CTX_add_extra_chain_cert(cf->ssl_ctx, ca_cert);*/
    }
    bu->ssl = SSL_new(cf->ssl_ctx);
    if (!bu->ssl) {
      ERR("TLS/SSL connection to(%s) can not be made. SSL object initialization problem", bu->s);
      zx_report_openssl_err("open_bus_url-ssl");

zxcrypto.c  view on Meta::CPAN

    D("RSA public decrypt failed ret=%d len_cipher_data=%d",ret,ciphered->len);
    zx_report_openssl_err("zx_public_decrypt_rsa fail");
    return 0;
  }
  ASSERTOPI(ret, <=, siz);
  plain->len = ret;
  plain->s[ret] = 0;
  return plain;
}

/*() RSA private key decryption. See zxid_read_private_key() and zxid_extract_private_key()
 * for ways to read in the private key data structure.
 * N.B. This function +only+ does the private key part. It does not
 * perform combined dec-session-key-with-priv-key-and-then-data-with-session-key
 * operation, though this function could be used as a component to implement
 * such a system.
 *
 * This is considered a low level function. See zxenc_privkey_dec() for a higher level solution. */

/* Called by:  zxenc_privkey_dec x2 */
struct zx_str* zx_rsa_priv_dec(struct zx_ctx* c, struct zx_str* ciphered, RSA* rsa_pkey, int pad)

zxcrypto.c  view on Meta::CPAN

    D("RSA private decrypt failed ret=%d len_cipher_data=%d",ret,ciphered->len);
    zx_report_openssl_err("zx_priv_decrypt_rsa fail");
    return 0;
  }
  ASSERTOPI(ret, <=, siz);
  plain->len = ret;
  plain->s[ret] = 0;
  return plain;
}

/*() RSA private key encryption. See zxid_read_private_key() and zxid_extract_private_key()
 * for ways to read in the private key data structure. */

/* Called by: */
struct zx_str* zx_rsa_priv_enc(struct zx_ctx* c, struct zx_str* plain, RSA* rsa_pkey, int pad)
{
  struct zx_str* ciphered;
  int ret, siz = RSA_size(rsa_pkey);
  ciphered = zx_new_len_str(c, siz);
  if (!ciphered)
    return 0;

zxcrypto.c  view on Meta::CPAN

  wbio_cert = BIO_new(BIO_s_mem());
  DD("write_cert %s", lk);
  if (!PEM_write_bio_X509(wbio_cert, x509ss)) {
    ERR("write_cert %s", lk);
    zx_report_openssl_err("write_cert");
    return 0;
  }
  len = BIO_get_mem_data(wbio_cert, &p);

  wbio_pkey = BIO_new(BIO_s_mem());
  DD("write_private_key %s", lk);
  if (!PEM_write_bio_PrivateKey(wbio_pkey, pkey, 0,0,0,0,0)) {
    ERR("write_private_key %s", lk);
    zx_report_openssl_err("write_private_key");
    return 0;
  }
  lenq = BIO_get_mem_data(wbio_pkey, &q);

  write_all_path_fmt("auto_cert ss", buflen, buf,
		     "%s" ZXID_PEM_DIR "%s", cf->cpath, name,
		     "%.*s%.*s", len, p, lenq, q);

  BIO_free_all(wbio_cert);
  BIO_free_all(wbio_pkey);

zxencdectest.c  view on Meta::CPAN

  if (got_all <= 0) DIE("Missing data");
  buf[got_all] = 0;

  /* IBM padding debug */
  cf = zxid_new_conf("/var/zxid/");
  r = zx_dec_zx_root(cf->ctx, got_all, buf, "zxencdectest");
  if (!r || !r->Envelope || r->Envelope->Body || r->Envelope->Body->LogoutRequest)
    DIE("Decode failure");

#if 1
  cf->enc_pkey = zxid_read_private_key(cf, "sym-idp-enc.pem");
#else
  cf->enc_pkey = zxid_read_private_key(cf, "ibm-idp-enc.pem");
#endif
  
  req = r->Envelope->Body->LogoutRequest;
  req->NameID = zxid_decrypt_nameid(cf, req->NameID, req->EncryptedID);
  printf("r1 nid(%.*s)\n", ZX_GET_CONTENT_LEN(req->NameID), ZX_GET_CONTENT_S(req->NameID));
}

/* Called by:  opt */
void test_ibm_cert_problem_enc_dec()  /* -r 2 */
{

zxencdectest.c  view on Meta::CPAN


  cf = zxid_new_conf("/var/zxid/");

  nameid = zx_NEW_sa_NameID(cf->ctx,0);
  /*nameid->SPNameQualifier = zx_ref_attr(cf->ctx, &nameid->gg, zx_SPNameQualifier_ATTR, spqual);*/
  nameid->NameQualifier = zx_ref_attr(cf->ctx, &nameid->gg, zx_NameQualifier_ATTR, "ibmidp");
  nameid->Format = zx_ref_attr(cf->ctx, &nameid->gg, zx_Format_ATTR, "persistent");
  zx_add_content(cf->ctx, &nameid->gg, zx_ref_str(cf->ctx, "a-persistent-nid"));

#if 0
  cf->enc_pkey = zxid_read_private_key(cf, "sym-idp-enc.pem");
#else
  cf->enc_pkey = zxid_read_private_key(cf, "ibm-idp-enc.pem");
  idp_meta = zxid_get_ent_file(cf, "N9zsU-AwbI1O-U3mvjLmOALtbtU", "test_ibm"); /* IBMIdP */
#endif
  
  req = zxid_mk_logout(cf, nameid, 0, idp_meta);  
  req->NameID = zxid_decrypt_nameid(cf, req->NameID, req->EncryptedID);
  printf("r2 nid(%.*s) should be(a-persistent-nid)\n", ZX_GET_CONTENT_LEN(req->NameID), ZX_GET_CONTENT_S(req->NameID));
}

/* Called by:  opt */
void so_enc_dec()     /* -r 3 */

zxid.h  view on Meta::CPAN

ZXID_DECL char* zxid_my_ent_id_cstr(zxid_conf* cf);
ZXID_DECL struct zx_attr_s* zxid_my_ent_id_attr(zxid_conf* cf, struct zx_elem_s* father, int tok);
ZXID_DECL struct zx_str* zxid_my_cdc_url(zxid_conf* cf);
ZXID_DECL struct zx_sa_Issuer_s* zxid_my_issuer(zxid_conf* cf, struct zx_elem_s* father);
ZXID_DECL struct zx_sa_Issuer_s* zxid_issuer(zxid_conf* cf, struct zx_elem_s* father, struct zx_str* nameid, char* affiliation);

/* zxidconf */

#ifdef USE_OPENSSL
ZXID_DECL X509* zxid_extract_cert(char* buf, char* name);
ZXID_DECL EVP_PKEY*  zxid_extract_private_key(char* buf, char* name);
ZXID_DECL X509* zxid_read_cert(zxid_conf* cf, char* name);
ZXID_DECL EVP_PKEY*  zxid_read_private_key(zxid_conf* cf, char* name);
ZXID_DECL int zxid_lazy_load_sign_cert_and_pkey(zxid_conf* cf, X509** cert, EVP_PKEY** pkey, const char* logkey);
ZXID_DECL const char* zxid_get_cert_signature_algo(X509* cert);
ZXID_DECL const char* zxsig_choose_xmldsig_sig_meth_url(EVP_PKEY* priv_key, const char* dig_alg);
ZXID_DECL const char* zxsig_choose_xmldsig_sig_meth_urlenc(EVP_PKEY* priv_key, const char* dig_alg);
  //ZXID_DECL const char* zxid_get_cert_signature_algo_url(X509* cert);
  //ZXID_DECL const char* zxid_get_cert_signature_algo_urlenc(X509* cert);
  //ZXID_DECL const char* zxid_get_cert_digest_url(X509* cert);
#endif
ZXID_DECL int   zxid_set_opt(zxid_conf* cf, int which, int val);
ZXID_DECL char* zxid_set_opt_cstr(zxid_conf* cf, int which, char* val);

zxid_httpd.c  view on Meta::CPAN

    die_perror("listen(2): can't bind to any address");
  }

  if (do_ssl)	{
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();
    ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    if (certfile[0] != '\0')
      if (!SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM) ||
	  !SSL_CTX_use_PrivateKey_file(ssl_ctx, certfile, SSL_FILETYPE_PEM) ||
	  !SSL_CTX_check_private_key(ssl_ctx)) {
	ERR_print_errors_fp(stderr);
	exit(1);
      }
    if (cipher) {
      if (!SSL_CTX_set_cipher_list(ssl_ctx, cipher)) {
	ERR_print_errors_fp(stderr);
	exit(1);
      }
    }
  }

zxidconf.c  view on Meta::CPAN

    ERR("DER decoding of X509 certificate failed.\n%d", 0);
    return 0;
  }
  return x;
}

/*() Extract a private key from PEM encoded string.
 * *** This function needs to expand to handle DSA and EC */

/* Called by: */
EVP_PKEY* zxid_extract_private_key(char* buf, char* name)
{
  char* p;
  char* e;
  int typ;
  EVP_PKEY* pk = 0;  /* Forces d2i_PrivateKey() to alloc the memory. */
  OpenSSL_add_all_algorithms();
  
  if (p = strstr(buf, PEM_RSA_PRIV_KEY_START)) {
    typ = EVP_PKEY_RSA;
    e = PEM_RSA_PRIV_KEY_END;

zxidconf.c  view on Meta::CPAN

    return 0;
  }
  ++p;

  e = strstr(buf, e);
  if (!e) {
    ERR("End marker not found, typ=%d", typ);
    return 0;
  }
  
  zx_report_openssl_err("extract_private_key0"); /* *** seems something leaves errors on stack */
  p = unbase64_raw(p, e, buf, zx_std_index_64);
  if (!d2i_PrivateKey(typ, &pk, (const unsigned char**)&buf, p-buf) || !pk) {
    zx_report_openssl_err("extract_private_key"); /* *** seems d2i can leave errors on stack */
    ERR("DER decoding of private key failed.\n%d", 0);
    return 0;
  }
  zx_report_openssl_err("extract_private_key2"); /* *** seems d2i can leave errors on stack */
  return pk; /* RSA* rsa = EVP_PKEY_get1_RSA(pk); */
}

/*() Extract a private key from PEM encoded file. */

/* Called by:  hi_new_shuffler, test_ibm_cert_problem x2, test_ibm_cert_problem_enc_dec x2, zxbus_mint_receipt x2, zxenc_privkey_dec, zxid_init_conf x3, zxid_lazy_load_sign_cert_and_pkey, zxlog_write_line x2 */
EVP_PKEY* zxid_read_private_key(zxid_conf* cf, char* name)
{
  char buf[8192];
  int got = read_all(sizeof(buf),buf,"read_private_key",1, "%s" ZXID_PEM_DIR "%s", cf->cpath, name);
  if (!got && cf->auto_cert)
    zxid_mk_self_sig_cert(cf, sizeof(buf), buf, "read_private_key", name);
  return zxid_extract_private_key(buf, name);
}

/*() Lazy load signing certificate and private key. This reads them from disk
 * if needed. If they do not exist and auto_cert is enabled, they will be
 * generated on disk and then read. Once read from disk, they will be cached in
 * memory.
 *
 * > N.B. If the cert does not yet exist, write access to disk will be needed.
 * > If it already exists, read access is sufficient. Thus it is more secure
 * > to pregenerate the certificate and then set the permissions so that

zxidconf.c  view on Meta::CPAN


/* Called by:  zxid_anoint_a7n, zxid_anoint_sso_resp, zxid_az_soap x3, zxid_idp_soap_dispatch x2, zxid_idp_sso, zxid_mk_art_deref, zxid_mk_at_cert, zxid_saml2_post_enc, zxid_saml2_redir_enc, zxid_sp_mni_soap, zxid_sp_slo_soap, zxid_sp_soap_dispatch x...
int zxid_lazy_load_sign_cert_and_pkey(zxid_conf* cf, X509** cert, EVP_PKEY** pkey, const char* logkey)
{
  LOCK(cf->mx, logkey);
  if (cert) {
    if (!(*cert = cf->sign_cert)) // Lazy load cert and private key
      *cert = cf->sign_cert = zxid_read_cert(cf, "sign-nopw-cert.pem");
  }
  if (!(*pkey = cf->sign_pkey))
    *pkey = cf->sign_pkey = zxid_read_private_key(cf, "sign-nopw-cert.pem");
  UNLOCK(cf->mx, logkey);
  if (cert && !*cert || !*pkey)
    return 0;
  return 1;
}

#endif  /* USE_OPENSSL */

/*() Set obscure options of ZX and ZXID layers. Used to set debug options.
 * Generally setting these options is not supported, but this function

zxidconf.c  view on Meta::CPAN

  cf->di_allow_create = ZXID_DI_ALLOW_CREATE;
  cf->di_nid_fmt    = ZXID_DI_NID_FMT;
  cf->di_a7n_enc    = ZXID_DI_A7N_ENC;
  cf->bootstrap_level = ZXID_BOOTSTRAP_LEVEL;
  cf->show_conf     = ZXID_SHOW_CONF;
#ifdef USE_OPENSSL
  if (zxid_path) {
#if 0
    /* DO NOT ENABLE! The certificates and keys are read "just in time" if and when needed. */
    cf->sign_cert = zxid_read_cert(cf, "sign-nopw-cert.pem");
    cf->sign_pkey = zxid_read_private_key(cf, "sign-nopw-cert.pem");
    cf->enc_cert = zxid_read_cert(cf, "enc-nopw-cert.pem");
    cf->enc_pkey = zxid_read_private_key(cf, "enc-nopw-cert.pem");
    cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
    cf->log_enc_cert = zxid_read_cert(cf, "logenc-nopw-cert.pem");
    zxid_sha1_file(cf, "pem/logenc.key", cf->log_symkey);
#endif
  }
#else
  ERR("This copy of zxid was compiled to NOT use OpenSSL. Reading certificate and private key is not supported. Signing and signature verification are not supported either. Add -DUSE_OPENSSL and recompile. %d", 0);
#endif
  cf->md_fetch = ZXID_MD_FETCH;
  cf->md_populate_cache = ZXID_MD_POPULATE_CACHE;
  cf->md_cache_first    = ZXID_MD_CACHE_FIRST;

zxlog.c  view on Meta::CPAN

    case 0x02:      /* Sx plain sha1 */
      sigletter = 'S';
      sig = ZX_ALLOC(cf->ctx, 20);
      SHA1((unsigned char*)zbuf, zlen, (unsigned char*)sig);
      len = 20;
      break;
    case 0x04:      /* Rx RSA-SHA1 signature */
      sigletter = 'R';
      LOCK(cf->mx, "logsign wrln");      
      if (!(log_sign_pkey = cf->log_sign_pkey))
	log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
      UNLOCK(cf->mx, "logsign wrln");      
      if (!log_sign_pkey)
	break;
      len = zxsig_data(cf->ctx, zlen, zbuf, &sig, log_sign_pkey, "enc log line", cf->blobsig_digest_algo);
      break;
    case 0x06:      /* Dx DSA-SHA1 signature */
      ERR("DSA-SHA1 sig not implemented in encrypted mode. Use RSA-SHA1 or none. %x", encflags);
      break;
    case 0: break;  /* Px no signing */
    }

zxlog.c  view on Meta::CPAN

  case 0x02:   /* SP plain sha1 */
    strcpy(sigbuf, "SP ");
    sha1_safe_base64(sigbuf+3, n-1, logbuf);
    sigbuf[3+27] = ' ';
    len = 3+27+1;
    p = sigbuf;
    break;
  case 0x04:   /* RP RSA-SHA1 signature */
    LOCK(cf->mx, "logsign wrln");      
    if (!(log_sign_pkey = cf->log_sign_pkey))
      log_sign_pkey = cf->log_sign_pkey = zxid_read_private_key(cf, "logsign-nopw-cert.pem");
    UNLOCK(cf->mx, "logsign wrln");
    if (!log_sign_pkey)
      break;
    zlen = zxsig_data(cf->ctx, n-1, logbuf, &zbuf, log_sign_pkey, "log line", cf->blobsig_digest_algo);
    len = SIMPLE_BASE64_LEN(zlen) + 4;
    sig = ZX_ALLOC(cf->ctx, len);
    strcpy(sig, "RP ");
    p = base64_fancy_raw(zbuf, zlen, sig+3, safe_basis_64, 1<<31, 0, 0, '.');
    len = p-sig + 1;
    *p = ' ';

zxlog.c  view on Meta::CPAN

    sigbuf[3+ZXLOG_TIME_SIZ+1+mid_len] = ' ';
    sha1_safe_base64(sigbuf+3+ZXLOG_TIME_SIZ+1+mid_len+1, len, buf);
    sigbuf[3+ZXLOG_TIME_SIZ+1+mid_len+1+27] = 0;
    sigbuf[0] = 'S';
    break;
  case 0x04:   /* RP RSA-SHA signature (detected from key) */
  case 0x06:   /* RP DSA-SHA signature (detected from key) */
    LOCK(cf->mx, "mint_receipt");      
    /* The sign_pkey is used instead of log_sign_pkey because metadata is used to distribute it. */
    if (!cf->sign_pkey)
      cf->sign_pkey = zxid_read_private_key(cf, "sign-nopw-cert.pem");
    UNLOCK(cf->mx, "mint_receipt");
    DD("sign_pkey=%p buf(%.*s) len=%d buf(%s)", cf->sign_pkey, len, buf, len, buf);
    if (!cf->sign_pkey)
      break;

    zlen = zxsig_data(cf->ctx, len, buf, &zbuf, cf->sign_pkey, "receipt", cf->blobsig_digest_algo);

    if (errmac_debug>2) HEXDUMP("zbuf:", zbuf, zbuf+zlen, 4096);
    len = 3+ZXLOG_TIME_SIZ+1+mid_len+1+SIMPLE_BASE64_LEN(zlen)+1;
    if (sigbuf_len < len) { ERR("Too small sigbuf_len=%d, need=%d", sigbuf_len, len); break; }

zxlog.c  view on Meta::CPAN

  switch (sigbuf[0]) {
  case 'R':
  case 'D':
  case 'C':
    meta = zxid_get_ent(cf, eid);
    if (!meta) {
      ERR("Unable to find metadata for eid(%s) in verify receipt", eid);
      ver = -2;
      break;
    }
    //D("check_private_key(%d)",X509_check_private_key(meta->sign_cert, cf->sign_pkey));
    if (SIMPLE_BASE64_PESSIMISTIC_DECODE_LEN(sigbuf_len) > sizeof(sig)) {
      ERR("Available signature decoding buffer is too short len=%d, need=%d", (int)sizeof(sig), SIMPLE_BASE64_PESSIMISTIC_DECODE_LEN(sigbuf_len));
      ver = -3;
      break;
    }
    p = sigbuf+3+ZXLOG_TIME_SIZ+1+mid_len+1;
    DD("zx-rcpt-sig(%.*s) sigbuf_len=%d", sigbuf_len, sigbuf, sigbuf_len);
    D("sigbuf(%.*s) len=%d sigbuf=%p lim=%p", (int)(sigbuf_len-(p-sigbuf)), p, (int)(sigbuf_len-(p-sigbuf)), p, sigbuf+sigbuf_len);
    p = unbase64_raw(p, sigbuf+sigbuf_len, sig, zx_std_index_64);

zxlogview.c  view on Meta::CPAN

      read_all(sizeof(buf), buf, "logview opt cert", 1, "%s", (*argv)[0]);
      log_verify_cert = zxid_extract_cert(buf, (*argv)[0]);
    }
    ++(*argv); --(*argc);
  }

  if (*argc) {  /* Log decryption key (logenc-nopw-cert.pem) */
    if ((*argv)[0][0]) {
      gotall = read_all(sizeof(buf), buf, "logview opt key", 1, "%s", (*argv)[0]);
      SHA1((unsigned char*)buf, gotall, (unsigned char*)log_symkey);
      log_decrypt_pkey = zxid_extract_private_key(buf, (*argv)[0]);
    }
    ++(*argv); --(*argc);
  }
}

/* Called by:  opt */
static void test_mode(int* argc, char*** argv, char*** env)
{
  int gotall;
  zxid_conf* cf = zxid_new_conf(0);

  ++(*argv); --(*argc);
  if (*argc) {  /* Signature verification certificate (logsign-nopw-cert.pem) */
    if ((*argv)[0][0]) {
      read_all(sizeof(buf), buf, "logview test_mode private key", 1, "%s", (*argv)[0]);
      cf->log_sign_pkey = zxid_extract_private_key(buf, (*argv)[0]);
      cf->sign_pkey = cf->enc_pkey = cf->log_sign_pkey;
    }
    ++(*argv); --(*argc);
  }
  
  if (*argc) {  /* Log encryption key (logenc-nopw-cert.pem) */
    if ((*argv)[0][0]) {
      gotall = read_all(sizeof(buf), buf, "logview test_mode cert", 1, "%s", (*argv)[0]);
      SHA1((unsigned char*)buf, gotall, (unsigned char*)cf->log_symkey);
      cf->log_enc_cert = zxid_extract_cert(buf, (*argv)[0]);

zxsig.c  view on Meta::CPAN

    zxlog(cf, 0, 0, 0, 0, 0, 0, 0, "N", "C", "EMISS", 0, "EncryptedKey not found");
    return 0;
  }
  
  raw.s = ZX_ALLOC(cf->ctx, SIMPLE_BASE64_PESSIMISTIC_DECODE_LEN(ss->len));
  lim = unbase64_raw(ss->s, ss->s+ss->len, raw.s, zx_std_index_64);
  raw.len = lim - raw.s;
  
  LOCK(cf->mx, "zxenc_privkey_dec");      
  if (!(enc_pkey = cf->enc_pkey))
    enc_pkey = cf->enc_pkey = zxid_read_private_key(cf, "enc-nopw-cert.pem");
  UNLOCK(cf->mx, "zxenc_privkey_dec");      
  if (!enc_pkey)
    return 0;
  
  if (!ek->EncryptionMethod || !(ss = &ek->EncryptionMethod->Algorithm->g) || !ss->len) {
    ERR("Missing or malformed EncryptionMethod %p", ek->EncryptionMethod);
    return 0;
  }
  
  if (sizeof(ENC_KEYTRAN_RSA_1_5)-1 == ss->len



( run in 0.445 second using v1.01-cache-2.11-cpan-a5abf4f5562 )