mirror of
https://github.com/asterisk/asterisk.git
synced 2025-09-02 19:16:15 +00:00
2fb3215f03
* Fixed a bug in crypto_show_cli_store that was causing asterisk
to crash if there were certificate revocation lists in the
verification certificate store. We're also now prefixing
certificates with "Cert:" and CRLs with "CRL:" to distinguish them
in the list.
* Added 'untrusted_cert_file' and 'untrusted_cert_path' options
to both verification and profile objects. If you have CRLs that
are signed by a different CA than the incoming X5U certificate
(indirect CRL), you'll need to provide the certificate of the
CRL signer here. Thse will show up as 'Untrusted" when showing
the verification or profile objects.
* Fixed loading of crl_path. The OpenSSL API we were using to
load CRLs won't actually load them from a directory, only a file.
We now scan the directory ourselves and load the files one-by-one.
* Fixed the verification flags being set on the certificate store.
- Removed the CRL_CHECK_ALL flag as this was causing all certificates
to be checked for CRL extensions and failing to verify the cert if
there was none. This basically caused all certs to fail when a CRL
was provided via crl_file or crl_path.
- Added the EXTENDED_CRL_SUPPORT flag as it is required to handle
indirect CRLs.
* Added a new CLI command...
`stir_shaken verify certificate_file <certificate_file> [ <profile> ]`
which will assist troubleshooting certificate problems by allowing
the user to manually verify a certificate file against either the
global verification certificate store or the store for a specific
profile.
* Updated the XML documentation and the sample config file.
Resolves: #809
855 lines
21 KiB
C
855 lines
21 KiB
C
/*
|
|
* Asterisk -- An open source telephony toolkit.
|
|
*
|
|
* Copyright (C) 2023, Sangoma Technologies Corporation
|
|
*
|
|
* George Joseph <gjoseph@sangoma.com>
|
|
*
|
|
* See http://www.asterisk.org for more information about
|
|
* the Asterisk project. Please do not directly contact
|
|
* any of the maintainers of this project for assistance;
|
|
* the project provides a web site, mailing lists and IRC
|
|
* channels for your use.
|
|
*
|
|
* This program is free software, distributed under the terms of
|
|
* the GNU General Public License Version 2. See the LICENSE file
|
|
* at the top of the source tree.
|
|
*/
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <openssl/err.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/md5.h>
|
|
#include <openssl/sha.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/obj_mac.h>
|
|
#include <openssl/x509.h>
|
|
#include <openssl/x509v3.h>
|
|
#include <openssl/x509_vfy.h>
|
|
|
|
#include "crypto_utils.h"
|
|
|
|
#include "asterisk.h"
|
|
#include "asterisk/cli.h"
|
|
#include "asterisk/file.h"
|
|
#include "asterisk/logger.h"
|
|
#include "asterisk/module.h"
|
|
#include "asterisk/stringfields.h"
|
|
#include "asterisk/utils.h"
|
|
#include "asterisk/vector.h"
|
|
#include "asterisk/cli.h"
|
|
|
|
void __attribute__((format(printf, 5, 6)))
|
|
crypto_log_openssl(int level, char *file, int line, const char *function,
|
|
const char *fmt, ...)
|
|
{
|
|
FILE *fp;
|
|
char *buffer;
|
|
size_t length;
|
|
va_list ap;
|
|
char *tmp_fmt;
|
|
|
|
fp = open_memstream(&buffer, &length);
|
|
if (!fp) {
|
|
return;
|
|
}
|
|
|
|
va_start(ap, fmt);
|
|
if (!ast_strlen_zero(fmt)) {
|
|
size_t fmt_len = strlen(fmt);
|
|
if (fmt[fmt_len - 1] == '\n') {
|
|
tmp_fmt = ast_strdupa(fmt);
|
|
tmp_fmt[fmt_len - 1] = '\0';
|
|
fmt = tmp_fmt;
|
|
}
|
|
}
|
|
vfprintf(fp, fmt, ap);
|
|
fputs(": ", fp);
|
|
ERR_print_errors_fp(fp);
|
|
fclose(fp);
|
|
|
|
if (length) {
|
|
ast_log(level, file, line, function, "%s\n", buffer);
|
|
}
|
|
|
|
ast_std_free(buffer);
|
|
}
|
|
|
|
int crypto_register_x509_extension(const char *oid, const char *short_name,
|
|
const char *long_name)
|
|
{
|
|
int nid = 0;
|
|
|
|
if (ast_strlen_zero(oid) || ast_strlen_zero(short_name) ||
|
|
ast_strlen_zero(long_name)) {
|
|
ast_log(LOG_ERROR, "One or more of oid, short_name or long_name are NULL or empty\n");
|
|
return -1;
|
|
}
|
|
|
|
nid = OBJ_sn2nid(short_name);
|
|
if (nid != NID_undef) {
|
|
ast_log(LOG_NOTICE, "NID %d, object %s already registered\n", nid, short_name);
|
|
return nid;
|
|
}
|
|
|
|
nid = OBJ_create(oid, short_name, long_name);
|
|
if (nid == NID_undef) {
|
|
crypto_log_openssl(LOG_ERROR, "Couldn't register %s X509 extension\n", short_name);
|
|
return -1;
|
|
}
|
|
ast_log(LOG_NOTICE, "Registered object %s as NID %d\n", short_name, nid);
|
|
|
|
return nid;
|
|
}
|
|
|
|
ASN1_OCTET_STRING *crypto_get_cert_extension_data(X509 *cert,
|
|
int nid, const char *short_name)
|
|
{
|
|
int ex_idx;
|
|
X509_EXTENSION *ex;
|
|
|
|
if (nid <= 0) {
|
|
nid = OBJ_sn2nid(short_name);
|
|
if (nid == NID_undef) {
|
|
ast_log(LOG_ERROR, "Extension object for %s not found\n", short_name);
|
|
return NULL;
|
|
}
|
|
} else {
|
|
const char *tmp = OBJ_nid2sn(nid);
|
|
if (!tmp) {
|
|
ast_log(LOG_ERROR, "Extension object for NID %d not found\n", nid);
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
ex_idx = X509_get_ext_by_NID(cert, nid, -1);
|
|
if (ex_idx < 0) {
|
|
ast_log(LOG_ERROR, "Extension index not found in certificate\n");
|
|
return NULL;
|
|
}
|
|
ex = X509_get_ext(cert, ex_idx);
|
|
if (!ex) {
|
|
ast_log(LOG_ERROR, "Extension not found in certificate\n");
|
|
return NULL;
|
|
}
|
|
|
|
return X509_EXTENSION_get_data(ex);
|
|
}
|
|
|
|
EVP_PKEY *crypto_load_privkey_from_file(const char *filename)
|
|
{
|
|
EVP_PKEY *key = NULL;
|
|
FILE *fp;
|
|
|
|
if (ast_strlen_zero(filename)) {
|
|
ast_log(LOG_ERROR, "filename was null or empty\n");
|
|
return NULL;
|
|
}
|
|
|
|
fp = fopen(filename, "r");
|
|
if (!fp) {
|
|
ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
|
|
return NULL;
|
|
}
|
|
|
|
key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
|
|
fclose(fp);
|
|
if (!key) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to load private key from %s\n", filename);
|
|
}
|
|
return key;
|
|
}
|
|
|
|
X509_CRL *crypto_load_crl_from_file(const char *filename)
|
|
{
|
|
FILE *fp;
|
|
X509_CRL *crl = NULL;
|
|
|
|
if (ast_strlen_zero(filename)) {
|
|
ast_log(LOG_ERROR, "filename was null or empty\n");
|
|
return NULL;
|
|
}
|
|
|
|
fp = fopen(filename, "r");
|
|
if (!fp) {
|
|
ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
|
|
return NULL;
|
|
}
|
|
|
|
crl = PEM_read_X509_CRL(fp, &crl, NULL, NULL);
|
|
fclose(fp);
|
|
if (!crl) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create CRL from %s\n", filename);
|
|
}
|
|
return crl;
|
|
}
|
|
|
|
X509 *crypto_load_cert_from_file(const char *filename)
|
|
{
|
|
FILE *fp;
|
|
X509 *cert = NULL;
|
|
|
|
if (ast_strlen_zero(filename)) {
|
|
ast_log(LOG_ERROR, "filename was null or empty\n");
|
|
return NULL;
|
|
}
|
|
|
|
fp = fopen(filename, "r");
|
|
if (!fp) {
|
|
ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
|
|
return NULL;
|
|
}
|
|
|
|
cert = PEM_read_X509(fp, &cert, NULL, NULL);
|
|
fclose(fp);
|
|
if (!cert) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create cert from %s\n", filename);
|
|
}
|
|
return cert;
|
|
}
|
|
|
|
X509 *crypto_load_cert_from_memory(const char *buffer, size_t size)
|
|
{
|
|
RAII_VAR(BIO *, bio, NULL, BIO_free_all);
|
|
X509 *cert = NULL;
|
|
|
|
if (ast_strlen_zero(buffer) || size <= 0) {
|
|
ast_log(LOG_ERROR, "buffer was null or empty\n");
|
|
return NULL;
|
|
}
|
|
|
|
bio = BIO_new_mem_buf(buffer, size);
|
|
if (!bio) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to create memory BIO\n");
|
|
return NULL;
|
|
}
|
|
|
|
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
|
|
if (!cert) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create cert from BIO\n");
|
|
}
|
|
return cert;
|
|
}
|
|
|
|
static EVP_PKEY *load_private_key_from_memory(const char *buffer, size_t size)
|
|
{
|
|
RAII_VAR(BIO *, bio, NULL, BIO_free_all);
|
|
EVP_PKEY *key = NULL;
|
|
|
|
if (ast_strlen_zero(buffer) || size <= 0) {
|
|
ast_log(LOG_ERROR, "buffer was null or empty\n");
|
|
return NULL;
|
|
}
|
|
|
|
bio = BIO_new_mem_buf(buffer, size);
|
|
if (!bio) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to create memory BIO\n");
|
|
return NULL;
|
|
}
|
|
|
|
key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
|
|
|
|
return key;
|
|
}
|
|
|
|
EVP_PKEY *crypto_load_private_key_from_memory(const char *buffer, size_t size)
|
|
{
|
|
EVP_PKEY *key = load_private_key_from_memory(buffer, size);
|
|
if (!key) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to load private key from memory\n");
|
|
}
|
|
return key;
|
|
}
|
|
|
|
int crypto_has_private_key_from_memory(const char *buffer, size_t size)
|
|
{
|
|
RAII_VAR(EVP_PKEY *, key, load_private_key_from_memory(buffer, size), EVP_PKEY_free);
|
|
|
|
return key ? 1 : 0;
|
|
}
|
|
|
|
static int dump_mem_bio(BIO *bio, unsigned char **buffer)
|
|
{
|
|
char *temp_ptr;
|
|
int raw_key_len;
|
|
|
|
raw_key_len = BIO_get_mem_data(bio, &temp_ptr);
|
|
if (raw_key_len <= 0) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to extract raw public key\n");
|
|
return -1;
|
|
}
|
|
*buffer = ast_malloc(raw_key_len);
|
|
if (!*buffer) {
|
|
ast_log(LOG_ERROR, "Unable to allocate memory for raw public key\n");
|
|
return -1;
|
|
}
|
|
memcpy(*buffer, temp_ptr, raw_key_len);
|
|
|
|
return raw_key_len;
|
|
}
|
|
|
|
int crypto_extract_raw_pubkey(EVP_PKEY *key, unsigned char **buffer)
|
|
{
|
|
RAII_VAR(BIO *, bio, NULL, BIO_free_all);
|
|
|
|
bio = BIO_new(BIO_s_mem());
|
|
|
|
if (!bio || (PEM_write_bio_PUBKEY(bio, key) <= 0)) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to write pubkey to BIO\n");
|
|
return -1;
|
|
}
|
|
|
|
return dump_mem_bio(bio, buffer);
|
|
}
|
|
|
|
int crypto_get_raw_pubkey_from_cert(X509 *cert,
|
|
unsigned char **buffer)
|
|
{
|
|
RAII_VAR(EVP_PKEY *, public_key, X509_get_pubkey(cert), EVP_PKEY_free);
|
|
|
|
if (!public_key) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to retrieve pubkey from cert\n");
|
|
return -1;
|
|
}
|
|
|
|
return crypto_extract_raw_pubkey(public_key, buffer);
|
|
}
|
|
|
|
int crypto_extract_raw_privkey(EVP_PKEY *key, unsigned char **buffer)
|
|
{
|
|
RAII_VAR(BIO *, bio, NULL, BIO_free_all);
|
|
|
|
bio = BIO_new(BIO_s_mem());
|
|
|
|
if (!bio || (PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL) <= 0)) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to write privkey to BIO\n");
|
|
return -1;
|
|
}
|
|
|
|
return dump_mem_bio(bio, buffer);
|
|
}
|
|
|
|
/*
|
|
* Notes on the crypto_cert_store object:
|
|
*
|
|
* We've discoverd a few issues with the X509_STORE object in OpenSSL
|
|
* that requires us to a bit more work to get the desired behavior.
|
|
*
|
|
* Basically, although X509_STORE_load_locations() and X509_STORE_load_path()
|
|
* work file for trusted certs, they refuse to load either CRLs or
|
|
* untrusted certs from directories, which is needed to support the
|
|
* crl_path and untrusted_cert_path options. So we have to brute force
|
|
* it a bit. We now use PEM_read_X509() and PEM_read_X509_CRL() to load
|
|
* the objects from files and then use X509_STORE_add_cert() and
|
|
* X509_STORE_add_crl() to add them to the store. This is a bit more
|
|
* work but it gets the job done. To load from directories, we
|
|
* simply use ast_file_read_dirs() with a callback that calls
|
|
* those functions. This also fixes an issue where certificates
|
|
* loaded using ca_path don't show up when displaying the
|
|
* verification or profile objects from the CLI.
|
|
*
|
|
* NOTE: X509_STORE_load_file() could have been used instead of
|
|
* PEM_read_X509()/PEM_read_X509_CRL() and
|
|
* X509_STORE_add_cert()/X509_STORE_add_crl() but X509_STORE_load_file()
|
|
* didn't appear in OpenSSL until version 1.1.1. :(
|
|
*
|
|
* Another issue we have is that, while X509_verify_cert() can use
|
|
* an X509_STORE of CA certificates directly, it can't use X509_STOREs
|
|
* of untrusted certs or CRLs. Instead, it needs a stack of X509
|
|
* objects for untrusted certs and a stack of X509_CRL objects for CRLs.
|
|
* So we need to extract the untrusted certs and CRLs from their
|
|
* stores and push them onto the stacks when the configuration is
|
|
* loaded. We still use the stores as intermediaries because they
|
|
* make it easy to load the certs and CRLs from files and directories
|
|
* and they handle freeing the objects when the store is freed.
|
|
*/
|
|
|
|
static void crypto_cert_store_destructor(void *obj)
|
|
{
|
|
struct crypto_cert_store *store = obj;
|
|
|
|
if (store->certs) {
|
|
X509_STORE_free(store->certs);
|
|
}
|
|
if (store->untrusted) {
|
|
X509_STORE_free(store->untrusted);
|
|
}
|
|
if (store->untrusted_stack) {
|
|
sk_X509_free(store->untrusted_stack);
|
|
}
|
|
if (store->crls) {
|
|
X509_STORE_free(store->crls);
|
|
}
|
|
if (store->crl_stack) {
|
|
sk_X509_CRL_free(store->crl_stack);
|
|
}
|
|
}
|
|
|
|
struct crypto_cert_store *crypto_create_cert_store(void)
|
|
{
|
|
struct crypto_cert_store *store = ao2_alloc(sizeof(*store), crypto_cert_store_destructor);
|
|
if (!store) {
|
|
ast_log(LOG_ERROR, "Failed to create crypto_cert_store\n");
|
|
return NULL;
|
|
}
|
|
|
|
store->certs = X509_STORE_new();
|
|
if (!store->certs) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create X509_STORE\n");
|
|
ao2_ref(store, -1);
|
|
return NULL;
|
|
}
|
|
|
|
store->untrusted = X509_STORE_new();
|
|
if (!store->untrusted) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create untrusted X509_STORE\n");
|
|
ao2_ref(store, -1);
|
|
return NULL;
|
|
}
|
|
store->untrusted_stack = sk_X509_new_null();
|
|
if (!store->untrusted_stack) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create untrusted stack\n");
|
|
ao2_ref(store, -1);
|
|
return NULL;
|
|
}
|
|
|
|
store->crls = X509_STORE_new();
|
|
if (!store->crls) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create CRL X509_STORE\n");
|
|
ao2_ref(store, -1);
|
|
return NULL;
|
|
}
|
|
store->crl_stack = sk_X509_CRL_new_null();
|
|
if (!store->crl_stack) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to create CRL stack\n");
|
|
ao2_ref(store, -1);
|
|
return NULL;
|
|
}
|
|
|
|
return store;
|
|
}
|
|
|
|
static int crypto_load_store_from_cert_file(X509_STORE *store, const char *file)
|
|
{
|
|
X509 *cert;
|
|
int rc = 0;
|
|
|
|
if (ast_strlen_zero(file)) {
|
|
ast_log(LOG_ERROR, "file was null or empty\n");
|
|
return -1;
|
|
}
|
|
|
|
cert = crypto_load_cert_from_file(file);
|
|
if (!cert) {
|
|
return -1;
|
|
}
|
|
rc = X509_STORE_add_cert(store, cert);
|
|
X509_free(cert);
|
|
if (!rc) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to load store from file '%s'\n", file);
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int crypto_load_store_from_crl_file(X509_STORE *store, const char *file)
|
|
{
|
|
X509_CRL *crl;
|
|
int rc = 0;
|
|
|
|
if (ast_strlen_zero(file)) {
|
|
ast_log(LOG_ERROR, "file was null or empty\n");
|
|
return -1;
|
|
}
|
|
|
|
crl = crypto_load_crl_from_file(file);
|
|
if (!crl) {
|
|
return -1;
|
|
}
|
|
rc = X509_STORE_add_crl(store, crl);
|
|
X509_CRL_free(crl);
|
|
if (!rc) {
|
|
crypto_log_openssl(LOG_ERROR, "Failed to load store from file '%s'\n", file);
|
|
return -1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
struct pem_file_cb_data {
|
|
X509_STORE *store;
|
|
int is_crl;
|
|
};
|
|
|
|
static int pem_file_cb(const char *dir_name, const char *filename, void *obj)
|
|
{
|
|
struct pem_file_cb_data* data = obj;
|
|
char *filename_merged = NULL;
|
|
struct stat statbuf;
|
|
int rc = 0;
|
|
|
|
if (ast_asprintf(&filename_merged, "%s/%s", dir_name, filename) < 0) {
|
|
return -1;
|
|
}
|
|
|
|
if (lstat(filename_merged, &statbuf)) {
|
|
printf("Error reading path stats - %s: %s\n",
|
|
filename_merged, strerror(errno));
|
|
return -1;
|
|
}
|
|
|
|
/* We only want the symlinks from the directory */
|
|
if (!S_ISLNK(statbuf.st_mode)) {
|
|
return 0;
|
|
}
|
|
|
|
if (data->is_crl) {
|
|
rc = crypto_load_store_from_crl_file(data->store, filename_merged);
|
|
} else {
|
|
rc = crypto_load_store_from_cert_file(data->store, filename_merged);
|
|
}
|
|
|
|
return rc;
|
|
}
|
|
|
|
static int _crypto_load_cert_store(X509_STORE *store, const char *file, const char *path)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (!ast_strlen_zero(file)) {
|
|
rc = crypto_load_store_from_cert_file(store, file);
|
|
if (rc != 0) {
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (!ast_strlen_zero(path)) {
|
|
struct pem_file_cb_data data = { .store = store, .is_crl = 0 };
|
|
if (ast_file_read_dirs(path, pem_file_cb, &data, 0)) {
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int _crypto_load_crl_store(X509_STORE *store, const char *file, const char *path)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (!ast_strlen_zero(file)) {
|
|
rc = crypto_load_store_from_crl_file(store, file);
|
|
if (rc != 0) {
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if (!ast_strlen_zero(path)) {
|
|
struct pem_file_cb_data data = { .store = store, .is_crl = 1 };
|
|
if (ast_file_read_dirs(path, pem_file_cb, &data, 0)) {
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int crypto_load_cert_store(struct crypto_cert_store *store, const char *file,
|
|
const char *path)
|
|
{
|
|
if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
|
|
ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!store || !store->certs) {
|
|
ast_log(LOG_ERROR, "store or store->certs is NULL\n");
|
|
return -1;
|
|
}
|
|
|
|
return _crypto_load_cert_store(store->certs, file, path);
|
|
}
|
|
|
|
int crypto_load_untrusted_cert_store(struct crypto_cert_store *store, const char *file,
|
|
const char *path)
|
|
{
|
|
int rc = 0;
|
|
STACK_OF(X509_OBJECT) *objs = NULL;
|
|
int count = 0;
|
|
int i = 0;
|
|
|
|
if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
|
|
ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!store || !store->untrusted || !store->untrusted_stack) {
|
|
ast_log(LOG_ERROR, "store wasn't initialized properly\n");
|
|
return -1;
|
|
}
|
|
|
|
rc = _crypto_load_cert_store(store->untrusted, file, path);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
/*
|
|
* We need to extract the certs from the store and push them onto the
|
|
* untrusted stack. This is because the verification context needs
|
|
* a stack of untrusted certs and not the store.
|
|
* The store holds the references to the certs so we can't
|
|
* free it.
|
|
*/
|
|
objs = X509_STORE_get0_objects(store->untrusted);
|
|
count = sk_X509_OBJECT_num(objs);
|
|
for (i = 0; i < count ; i++) {
|
|
X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
|
|
if (X509_OBJECT_get_type(o) == X509_LU_X509) {
|
|
X509 *c = X509_OBJECT_get0_X509(o);
|
|
sk_X509_push(store->untrusted_stack, c);
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int crypto_load_crl_store(struct crypto_cert_store *store, const char *file,
|
|
const char *path)
|
|
{
|
|
int rc = 0;
|
|
STACK_OF(X509_OBJECT) *objs = NULL;
|
|
int count = 0;
|
|
int i = 0;
|
|
|
|
if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
|
|
ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
|
|
return -1;
|
|
}
|
|
|
|
if (!store || !store->untrusted || !store->untrusted_stack) {
|
|
ast_log(LOG_ERROR, "store wasn't initialized properly\n");
|
|
return -1;
|
|
}
|
|
|
|
rc = _crypto_load_crl_store(store->crls, file, path);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
/*
|
|
* We need to extract the CRLs from the store and push them onto the
|
|
* crl stack. This is because the verification context needs
|
|
* a stack of CRLs and not the store.
|
|
* The store holds the references to the CRLs so we can't
|
|
* free it.
|
|
*/
|
|
objs = X509_STORE_get0_objects(store->crls);
|
|
count = sk_X509_OBJECT_num(objs);
|
|
for (i = 0; i < count ; i++) {
|
|
X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
|
|
if (X509_OBJECT_get_type(o) == X509_LU_CRL) {
|
|
X509_CRL *c = X509_OBJECT_get0_X509_CRL(o);
|
|
sk_X509_CRL_push(store->crl_stack, c);
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int crypto_show_cli_store(struct crypto_cert_store *store, int fd)
|
|
{
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
|
|
STACK_OF(X509_OBJECT) *objs = NULL;
|
|
int count = 0;
|
|
int untrusted_count = 0;
|
|
int crl_count = 0;
|
|
int i = 0;
|
|
char subj[1024];
|
|
|
|
/*
|
|
* The CA certificates are stored in the certs store.
|
|
*/
|
|
objs = X509_STORE_get0_objects(store->certs);
|
|
count = sk_X509_OBJECT_num(objs);
|
|
|
|
for (i = 0; i < count ; i++) {
|
|
X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
|
|
if (X509_OBJECT_get_type(o) == X509_LU_X509) {
|
|
X509 *c = X509_OBJECT_get0_X509(o);
|
|
X509_NAME_oneline(X509_get_subject_name(c), subj, 1024);
|
|
ast_cli(fd, "Cert: %s\n", subj);
|
|
} else {
|
|
ast_log(LOG_ERROR, "CRLs are not allowed in the CA cert store\n");
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Although the untrusted certs are stored in the untrusted store,
|
|
* we already have the stack of certificates so we can just
|
|
* list them directly.
|
|
*/
|
|
untrusted_count = sk_X509_num(store->untrusted_stack);
|
|
for (i = 0; i < untrusted_count ; i++) {
|
|
X509 *c = sk_X509_value(store->untrusted_stack, i);
|
|
X509_NAME_oneline(X509_get_subject_name(c), subj, 1024);
|
|
ast_cli(fd, "Untrusted: %s\n", subj);
|
|
}
|
|
|
|
/*
|
|
* Same for the CRLs.
|
|
*/
|
|
crl_count = sk_X509_CRL_num(store->crl_stack);
|
|
for (i = 0; i < crl_count ; i++) {
|
|
X509_CRL *crl = sk_X509_CRL_value(store->crl_stack, i);
|
|
X509_NAME_oneline(X509_CRL_get_issuer(crl), subj, 1024);
|
|
ast_cli(fd, "CRL: %s\n", subj);
|
|
}
|
|
|
|
return count + untrusted_count + crl_count;
|
|
#else
|
|
ast_cli(fd, "This command is not supported until OpenSSL 1.1.0\n");
|
|
return 0;
|
|
#endif
|
|
}
|
|
|
|
int crypto_is_cert_time_valid(X509*cert, time_t reftime)
|
|
{
|
|
ASN1_STRING *notbefore;
|
|
ASN1_STRING *notafter;
|
|
|
|
if (!reftime) {
|
|
reftime = time(NULL);
|
|
}
|
|
notbefore = X509_get_notBefore(cert);
|
|
notafter = X509_get_notAfter(cert);
|
|
if (!notbefore || !notafter) {
|
|
ast_log(LOG_ERROR, "Either notbefore or notafter were not present in the cert\n");
|
|
return 0;
|
|
}
|
|
|
|
return (X509_cmp_time(notbefore, &reftime) < 0 &&
|
|
X509_cmp_time(notafter, &reftime) > 0);
|
|
}
|
|
|
|
int crypto_is_cert_trusted(struct crypto_cert_store *store, X509 *cert, const char **err_msg)
|
|
{
|
|
X509_STORE_CTX *verify_ctx = NULL;
|
|
int rc = 0;
|
|
|
|
if (!(verify_ctx = X509_STORE_CTX_new())) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to create verify_ctx\n");
|
|
return 0;
|
|
}
|
|
|
|
if (X509_STORE_CTX_init(verify_ctx, store->certs, cert, store->untrusted_stack) != 1) {
|
|
X509_STORE_CTX_cleanup(verify_ctx);
|
|
X509_STORE_CTX_free(verify_ctx);
|
|
crypto_log_openssl(LOG_ERROR, "Unable to initialize verify_ctx\n");
|
|
return 0;
|
|
}
|
|
X509_STORE_CTX_set0_crls(verify_ctx, store->crl_stack);
|
|
|
|
rc = X509_verify_cert(verify_ctx);
|
|
if (rc != 1 && err_msg != NULL) {
|
|
int err = X509_STORE_CTX_get_error(verify_ctx);
|
|
*err_msg = X509_verify_cert_error_string(err);
|
|
}
|
|
X509_STORE_CTX_cleanup(verify_ctx);
|
|
X509_STORE_CTX_free(verify_ctx);
|
|
|
|
return rc;
|
|
}
|
|
|
|
#define SECS_PER_DAY 86400
|
|
time_t crypto_asn_time_as_time_t(ASN1_TIME *at)
|
|
{
|
|
int pday;
|
|
int psec;
|
|
time_t rt = time(NULL);
|
|
|
|
if (!ASN1_TIME_diff(&pday, &psec, NULL, at)) {
|
|
crypto_log_openssl(LOG_ERROR, "Unable to calculate time diff\n");
|
|
return 0;
|
|
}
|
|
|
|
rt += ((pday * SECS_PER_DAY) + psec);
|
|
|
|
return rt;
|
|
}
|
|
#undef SECS_PER_DAY
|
|
|
|
char *crypto_get_cert_subject(X509 *cert, const char *short_name)
|
|
{
|
|
size_t len = 0;
|
|
RAII_VAR(char *, buffer, NULL, ast_std_free);
|
|
char *search_buff = NULL;
|
|
char *search = NULL;
|
|
size_t search_len = 0;
|
|
char *rtn = NULL;
|
|
char *line = NULL;
|
|
/*
|
|
* If short_name was supplied, we want a multiline subject
|
|
* with each component on a separate line. This makes it easier
|
|
* to iterate over the components to find the one we want.
|
|
* Otherwise, we just want the whole subject on one line.
|
|
*/
|
|
unsigned long flags =
|
|
short_name ? XN_FLAG_FN_SN | XN_FLAG_SEP_MULTILINE : XN_FLAG_ONELINE;
|
|
FILE *fp = open_memstream(&buffer, &len);
|
|
BIO *bio = fp ? BIO_new_fp(fp, BIO_CLOSE) : NULL;
|
|
X509_NAME *subject = X509_get_subject_name(cert);
|
|
int rc = 0;
|
|
|
|
if (!fp || !bio || !subject) {
|
|
return NULL;
|
|
}
|
|
|
|
rc = X509_NAME_print_ex(bio, subject, 0, flags);
|
|
BIO_free(bio);
|
|
if (rc < 0) {
|
|
return NULL;
|
|
}
|
|
|
|
if (!short_name) {
|
|
rtn = ast_malloc(len + 1);
|
|
if (rtn) {
|
|
strcpy(rtn, buffer); /* Safe */
|
|
}
|
|
return rtn;
|
|
}
|
|
|
|
search_len = strlen(short_name) + 1;
|
|
rc = ast_asprintf(&search, "%s=", short_name);
|
|
if (rc != search_len) {
|
|
return NULL;
|
|
}
|
|
|
|
search_buff = buffer;
|
|
while((line = ast_read_line_from_buffer(&search_buff))) {
|
|
if (ast_begins_with(line, search)) {
|
|
rtn = ast_malloc(strlen(line) - search_len + 1);
|
|
if (rtn) {
|
|
strcpy(rtn, line + search_len); /* Safe */
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
ast_std_free(search);
|
|
return rtn;
|
|
}
|
|
|
|
int crypto_load(void)
|
|
{
|
|
return AST_MODULE_LOAD_SUCCESS;
|
|
}
|
|
|
|
int crypto_unload(void)
|
|
{
|
|
return 0;
|
|
}
|
|
|