Move 3 functions to the appropriate util module. #34

wants to merge 1 commit into
base: master
39 changes: 0 additions & 39 deletions include/secutils/credentials/cert.h
Expand Up @@ -99,19 +99,6 @@ int CERTS_save(OPTIONAL const STACK_OF(X509) *certs, const char *file, OPTIONAL
void CERTS_free(OPTIONAL STACK_OF(X509) *certs);


/*!*****************************************************************************
* @brief parse an X.500 Distinguished Name (DN)
*
* @param dn string to be parsed, format "/type0=value0/type1=value1/type2=..." where characters may be escaped by '\'.
* The NULL-DN may be given as "/" or "".
* @param chtype type of the string, e.g., MBSTRING_ASC, as defined in openssl/asn1.h
* @param multirdn flag whether to allow multi-valued RDNs
* @return ASN.1 representation of the DN, or null on error
*******************************************************************************/
/* this function is used by the genCMPClient API implementation */
X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);
I acknowledge the discrepancy between the name and the location of the function,
but better not move it to UTIL, which is meant just for stuff that does not fit better elsewhere.
Instead, just rename the function to include CERT rather than UTIL_.



/*!*****************************************************************************
* @brief log messsage about the given certificate, printing its subject
*
Expand Down Expand Up @@ -177,30 +164,4 @@ bool CERT_check_all(const char *uri, OPTIONAL STACK_OF(X509) *certs, int type_CA
OPTIONAL const X509_VERIFY_PARAM *vpm);


/*!*****************************************************************************
* @brief add certificate to given stack, optionally only if not already contained
*
* @param sk stack of certificates
* @param cert certificate to be pushed to the stack
* @param no_duplicate flag governing whether to add cert if it is a duplicate
* @return true on success, else false
*******************************************************************************/
bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate);

I acknowledge the discrepancy between the name and the location of the function,
but better not move it to UTIL, which is meant just for stuff that does not fit better elsewhere.
Instead, just rename the function to include CERT rather than UTIL_.



/*!*****************************************************************************
* @brief add stack of certificates to given stack,
* optionally only if not self-signed and optionally if not already contained
*
* @param sk stack of certificates
* @param certs (optional) stack of certificates to be pushed to the stack
* @param no_self_signed flag governing whether to add self-signed certs
* @param no_duplicates flag governing whether to add cert if it is a duplicate
* @return true on success, else false
*******************************************************************************/
/* this function is used by the genCMPClient API implementation */
int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,

I acknowledge the discrepancy between the name and the location of the function,
but better not move it to UTIL, which is meant just for stuff that does not fit better elsewhere.
Instead, just rename the function to include CERT rather than UTIL_.

int no_duplicates);


#endif /* SECUTILS_CERT_H_ */
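--- a/include/secutils/util/util.h
+++ b/include/secutils/util/util.h
@@ -195,6 +195,30 @@ typedef u_int64_t uint64_t;
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store);
 # endif
 
+/*!*****************************************************************************
+* @brief add certificate to given stack, optionally only if not already contained
+*
+* @param sk stack of certificates
+* @param cert certificate to be pushed to the stack
+* @param no_duplicate flag governing whether to add cert if it is a duplicate
+* @return true on success, else false
+*******************************************************************************/
+bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate);
+
+/*!*****************************************************************************
+* @brief add stack of certificates to given stack,
+* optionally only if not self-signed and optionally if not already contained
+*
+* @param sk stack of certificates
+* @param certs (optional) stack of certificates to be pushed to the stack
+* @param no_self_signed flag governing whether to add self-signed certs
+* @param no_duplicates flag governing whether to add cert if it is a duplicate
+* @return true on success, else false
+*******************************************************************************/
+/* this function is used by the genCMPClient API implementation */
+int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,
+int no_duplicates);
+
 /*!*****************************************************************************
 * @brief initialize the OpenSSL crypto library
 * @param version expected OpenSSL version number
@@ -262,6 +286,18 @@ void *UTIL_read_file(const char *filename, int *lenp);
 ******************************************************************************/
 bool UTIL_write_file(const char *filename, const void *data, size_t len);
 
+/*!*****************************************************************************
+* @brief parse an X.500 Distinguished Name (DN)
+*
+* @param dn string to be parsed, format "/type0=value0/type1=value1/type2=..." where characters may be escaped by '\'.
+* The NULL-DN may be given as "/" or "".
+* @param chtype type of the string, e.g., MBSTRING_ASC, as defined in openssl/asn1.h
+* @param multirdn flag whether to allow multi-valued RDNs
+* @return ASN.1 representation of the DN, or null on error
+*******************************************************************************/
+/* this function is used by the genCMPClient API implementation */
+X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);
+
 /*!*****************************************************************************
 * @brief call given function on each file in dir, optionally with recursion
 * @param fn function to be called on each file.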
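Review bot: The doc comments added here for UTIL_sk_X509_add1_cert and UTIL_sk_X509_add1_certs promise only "true on success", but the implementation being relocated (visible in the cert.c deletion; presumably moved unchanged) installs a compare function and calls sk_X509_find whenever no_duplicate is set, which lets OpenSSL sort the target stack in place and so may reorder a chain whose order the caller relies on, and it also returns true for a cert that was already present and therefore not pushed. Both facts belong in the header, e.g. `@note with no_duplicate set, sk's compare function is replaced and sk may be re-sorted by X509_cmp; a cert already contained is not pushed and true is still returned`. The UTIL_parse_name comment should likewise state ownership and its lenient failure mode: `@return newly allocated X509_NAME, to be freed by the caller with X509_NAME_free(), or NULL on error; attribute types without a known NID and attributes with empty values are skipped with a warning rather than rejected`, since a silently dropped attribute changes the identity the caller believes it is encoding. Finally, the two sibling declarations disagree on types, bool for the flag and result of add1_cert versus int for the flags and result of add1_certs; aligning them while they are being moved side by side would avoid cementing the mismatch.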
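--- a/src/credentials/cert.c
+++ b/src/credentials/cert.c
@@ -71,151 +71,6 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs)
 sk_X509_pop_free(certs, X509_free);
 }
 
-/*
-* dn is expected to be in the format "/type0=value0/type1=value1/type2=..."
-* where characters may be escaped by '\'.
-* The NULL-DN may be given as "/" or "".
-*/
-/* adapted from OpenSSL:apps/lib/apps.c */
-X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn)
-{
-size_t buflen = strlen(dn) + 1; /* to copy the types and values.
-* Due to escaping, the copy can only become shorter */
-char* buf = OPENSSL_malloc(buflen);
-size_t max_ne = buflen / (1 + 1) + 1; /* maximum number of name elements */
-const char** ne_types = OPENSSL_malloc(max_ne * sizeof(char*));
-char** ne_values = OPENSSL_malloc(max_ne * sizeof(char*));
-int* mval = OPENSSL_malloc(max_ne * sizeof(int));
-
-const char* sp = dn;
-char* bp = buf;
-int i, ne_num = 0;
-
-X509_NAME* n = 0;
-int nid;
-
-if(0 is_eq buf or 0 is_eq ne_types or 0 is_eq ne_values or 0 is_eq mval)
-{
-LOG_err("Malloc error");
-goto error;
-}
-
-/* no multivalued RDN by default */
-mval[ne_num] = 0;
-
-if(*sp not_eq '\0' and *sp++ not_eq '/')
-{ /* skip leading '/' */
-LOG(FL_ERR, "DN '%s' does not start with '/'.", dn);
-goto error;
-}
-
-while(*sp not_eq '\0')
-{
-/* collect type */
-ne_types[ne_num] = bp;
-/* parse element name */
-while(*sp not_eq '=')
-{
-if(*sp is_eq '\\')
-{ /* is there anything to escape in the * type...? */
-if(*++sp not_eq '\0')
-{
-*bp++ = *sp++;
-}
-else
-{
-LOG(FL_ERR, "Escape character at end of DN '%s'", dn);
-goto error;
-}
-}
-else if(*sp is_eq '\0')
-{
-LOG(FL_ERR, "End of string encountered while processing type of DN '%s' element #%d", dn, ne_num);
-goto error;
-}
-else
-{
-*bp++ = *sp++;
-}
-}
-sp++;
-*bp++ = '\0';
-/* parse element value */
-ne_values[ne_num] = bp;
-while(*sp not_eq '\0')
-{
-if(*sp is_eq '\\')
-{
-if(*++sp not_eq '\0')
-{
-*bp++ = *sp++;
-}
-else
-{
-LOG(FL_ERR, "Escape character at end of DN '%s'", dn);
-goto error;
-}
-}
-else if(*sp is_eq '/')
-{ /* start of next element */
-sp++;
-/* no multivalued RDN by default */
-mval[ne_num + 1] = 0;
-break;
-}
-else if(*sp is_eq '+' and multirdn)
-{
-/* a not escaped + signals a multi-valued RDN */
-sp++;
-mval[ne_num + 1] = -1;
-break;
-}
-else
-{
-*bp++ = *sp++;
-}
-}
-*bp++ = '\0';
-ne_num++;
-}
-
-if(0 is_eq(n = X509_NAME_new()))
-{
-goto error;
-}
-
-for(i = 0; i < ne_num; i++)
-{
-if((nid = OBJ_txt2nid(ne_types[i])) is_eq NID_undef)
-{
-LOG(FL_WARN, "DN '%s' attribute %s has no known NID, skipped", dn, ne_types[i]);
-continue;
-}
-
-if(0 is_eq * ne_values[i])
-{
-LOG(FL_WARN, "No value provided for DN '%s' attribute %s, skipped", dn, ne_types[i]);
-continue;
-}
-
-if(0 is_eq X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1, -1, mval[i]))
-{
-ERR_print_errors(bio_err);
-LOG(FL_ERR, "Error adding name attribute '/%s=%s'", ne_types[i], ne_values[i]);
-X509_NAME_free(n);
-n = 0;
-goto error;
-}
-}
-
-error:
-OPENSSL_free(ne_values);
-OPENSSL_free(ne_types);
-OPENSSL_free(mval);
-OPENSSL_free(buf);
-return n;
-}
-
 
 void CERT_print(OPTIONAL const X509* cert, OPTIONAL BIO* bio, unsigned long neg_cflags)
 {
@@ -362,58 +217,3 @@ bool CERT_check_all(const char *uri, OPTIONAL STACK_OF(X509) *certs, int type_CA
 && ret; /* Having 'ret' after the '&&', all certs are checked. */
 return ret;
 }
-
-
-/* start of definitions borrowed from OpenSSL:crypto/cmp/cmp_lib.c */
-static int X509_cmp_from_ptrs(const struct x509_st* const* a, const struct x509_st* const* b)
-{
-return X509_cmp(*a, *b);
-}
-
-bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate)
-{
-if(no_duplicate)
-{
-sk_X509_set_cmp_func(sk, &X509_cmp_from_ptrs);
-if(sk_X509_find(sk, cert) >= 0)
-{
-return 1;
-}
-}
-if(0 is_eq sk_X509_push(sk, cert))
-{
-return 0;
-}
-return X509_up_ref(cert);
-}
-
-int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,
-int no_duplicates)
-{
-int i = 0;
-
-if(sk is_eq 0)
-{
-return 0;
-}
-
-if(certs is_eq 0)
-{
-return 1;
-}
-const int n = sk_X509_num(certs);
-for(i = 0; i < n; i++)
-{
-X509* cert = sk_X509_value(certs, i);
-if((not no_self_signed or X509_check_issued(cert, cert) not_eq X509_V_OK)
-and (not UTIL_sk_X509_add1_cert(sk, cert, no_duplicates)))
-{
-return 0;
-}
-}
-return 1;
-}
-/* end of definitions borrowed from OpenSSL:crypto/cmp/cmp_lib.c */
-
-
-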