|
version 1.45, 2005/02/05 22:59:24
|
version 1.48, 2005/03/08 23:19:31
|
|
|
|
| // Callback function that is called by the OpenSSL library. This function | // Callback function that is called by the OpenSSL library. This function |
| // checks whether the certificate is listed in any of the CRL's | // checks whether the certificate is listed in any of the CRL's |
| // | // |
| |
// return 1 if revoked, 0 otherwise |
| |
// |
| int SSLCallback::verificationCRLCallback(int ok, X509_STORE_CTX *ctx, X509_STORE* sslCRLStore) | int SSLCallback::verificationCRLCallback(int ok, X509_STORE_CTX *ctx, X509_STORE* sslCRLStore) |
| { | { |
| PEG_METHOD_ENTER(TRC_SSL, "SSLCallback::verificationCRLCallback"); | PEG_METHOD_ENTER(TRC_SSL, "SSLCallback::verificationCRLCallback"); |
| | |
| //PEP187 function |
char buf[1024]; |
| //ATTN: must reimplement this callback 2/2/2005 |
|
| |
//check whether a CRL store was specified |
| |
if (sslCRLStore == NULL) |
| |
{ |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is NULL"); |
| |
return 0; |
| |
} |
| |
|
| |
//get the current certificate info |
| |
X509* currentCert; |
| |
X509_NAME* issuerName; |
| |
X509_NAME* subjectName; |
| |
ASN1_INTEGER* serialNumber; |
| |
|
| |
currentCert = X509_STORE_CTX_get_current_cert(ctx); |
| |
subjectName = X509_get_subject_name(currentCert); |
| |
issuerName = X509_get_issuer_name(currentCert); |
| |
serialNumber = X509_get_serialNumber(currentCert); |
| |
|
| |
//log certificate information |
| |
//this is information in the "public" key, so it does no harm to log it |
| |
X509_NAME_oneline(issuerName, buf, sizeof(buf)); |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate Data: Issuer/Subject"); |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, buf); |
| |
X509_NAME_oneline(subjectName, buf, sizeof(buf)); |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, buf); |
| |
|
| |
//initialize the CRL store |
| |
X509_STORE_CTX crlStoreCtx; |
| |
X509_STORE_CTX_init(&crlStoreCtx, sslCRLStore, NULL, NULL); |
| |
|
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Initialized CRL store"); |
| |
|
| |
//attempt to get a CRL issued by the certificate's issuer |
| |
X509_OBJECT obj; |
| |
if (X509_STORE_get_by_subject(&crlStoreCtx, X509_LU_CRL, issuerName, &obj) <= 0) |
| |
{ |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: No CRL by that issuer"); |
| |
return 0; |
| |
} |
| |
X509_STORE_CTX_cleanup(&crlStoreCtx); |
| |
|
| |
//get CRL |
| |
X509_CRL* crl = obj.data.crl; |
| |
if (crl == NULL) |
| |
{ |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL is null"); |
| |
return 0; |
| |
} else |
| |
{ |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Found CRL by that issuer"); |
| |
} |
| |
|
| |
//get revoked certificates |
| |
STACK_OF(X509_REVOKED)* revokedCerts = NULL; |
| |
revokedCerts = X509_CRL_get_REVOKED(crl); |
| |
int numRevoked = sk_X509_REVOKED_num(revokedCerts); |
| |
Tracer::trace(TRC_SSL, Tracer::LEVEL4,"---> SSL: Number of certificates revoked by the issuer %d\n", numRevoked); |
| |
|
| |
//check whether the subject's certificate is revoked |
| |
X509_REVOKED* revokedCert = NULL; |
| |
for (int i = 0; i < sk_X509_REVOKED_num(revokedCerts); i++) |
| |
{ |
| |
revokedCert = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i); |
| |
|
| |
//a matching serial number indicates revocation |
| |
if (ASN1_INTEGER_cmp(revokedCert->serialNumber, serialNumber) == 0) |
| |
{ |
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Certificate is revoked"); |
| |
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); |
| |
return 1; |
| |
} |
| |
} |
| |
|
| |
PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Certificate is not revoked at this level"); |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return ok; |
return 0; |
| } | } |
| | |
| // | // |
|
|
|
| Tracer::trace(TRC_SSL, Tracer::LEVEL4, | Tracer::trace(TRC_SSL, Tracer::LEVEL4, |
| "--->SSL: No verification callback specified"); | "--->SSL: No verification callback specified"); |
| | |
| if (exData->_crlStore == NULL) |
if (exData->_crlStore != NULL) |
| { |
|
| PEG_METHOD_EXIT(); |
|
| return (preVerifyOk); |
|
| } else |
|
| { | { |
| revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); | revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); |
| |
Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); |
| |
|
| |
if (revoked) //with the SSL callbacks '0' indicates failure |
| |
{ |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return (revoked); |
return 0; |
| |
} |
| } | } |
| } | } |
| | |
| // | // |
| // Check to see if a CRL path is defined | // Check to see if a CRL path is defined |
| // | // |
| if (exData->_crlStore) |
if (exData->_crlStore != NULL) |
| { | { |
| revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); | revoked = verificationCRLCallback(preVerifyOk,ctx,exData->_crlStore); |
| Tracer::trace(TRC_SSL, Tracer::LEVEL4, |
Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); |
| "---> SSL: CRL callback returned %d", revoked); |
|
| |
if (revoked) //with the SSL callbacks '0' indicates failure |
| |
{ |
| |
PEG_METHOD_EXIT(); |
| |
return 0; |
| } | } |
| |
} |
| |
|
| |
Tracer::trace(TRC_SSL, Tracer::LEVEL4, "---> SSL: CRL callback returned %d", revoked); |
| | |
| // | // |
| // get the current certificate | // get the current certificate |
|
|
|
| _certPath = sslContextRep._certPath; | _certPath = sslContextRep._certPath; |
| _keyPath = sslContextRep._keyPath; | _keyPath = sslContextRep._keyPath; |
| _crlPath = sslContextRep._crlPath; | _crlPath = sslContextRep._crlPath; |
| |
_crlStore = sslContextRep._crlStore; |
| _verifyPeer = sslContextRep._verifyPeer; | _verifyPeer = sslContextRep._verifyPeer; |
| _certificateVerifyFunction = sslContextRep._certificateVerifyFunction; | _certificateVerifyFunction = sslContextRep._certificateVerifyFunction; |
| _randomFile = sslContextRep._randomFile; | _randomFile = sslContextRep._randomFile; |
Return to
SSLContext.cpp
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Common