Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement keys verification in OpenSSL (issue #558) #581

Merged
merged 4 commits into from
Mar 5, 2023
Merged

Implement keys verification in OpenSSL (issue #558) #581

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0b58800
Framework for verifying keys
lsh123 Mar 5, 2023
5258888
added --verify-keys parameter
lsh123 Mar 5, 2023
ee261f5
fix typo and mscrypto build
lsh123 Mar 5, 2023
1893298
implement keys verification in OpenSSL
lsh123 Mar 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 68 additions & 17 deletions apps/crypto.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,13 +100,16 @@ xmlSecAppCryptoSimpleKeysMngrCrlLoad(xmlSecKeysMngrPtr mngr, const char *filenam
int
xmlSecAppCryptoSimpleKeysMngrKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,
const char* files, const char* pwd, const char* name,
xmlSecKeyDataType type, xmlSecKeyDataFormat format
xmlSecKeyDataType type, xmlSecKeyDataFormat format,
xmlSecKeyInfoCtxPtr keyInfoCtx, int verifyKey
) {
const char* cert_file;
xmlSecKeyPtr key;
int ret;

xmlSecAssert2(mngr != NULL, -1);
xmlSecAssert2(files != NULL, -1);
xmlSecAssert2(keyInfoCtx != NULL, -1);

/* first is the key file */
key = xmlSecCryptoAppKeyLoadEx(files, type, format, pwd, xmlSecCryptoAppGetDefaultPwdCallback(), (void*)files);
Expand All @@ -127,23 +130,39 @@ xmlSecAppCryptoSimpleKeysMngrKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,
}

#ifndef XMLSEC_NO_X509
for(files += strlen(files) + 1; (files[0] != '\0'); files += strlen(files) + 1) {
ret = xmlSecCryptoAppKeyCertLoad(key, files, format);
for(cert_file = files + strlen(files) + 1; (cert_file[0] != '\0'); cert_file += strlen(cert_file) + 1) {
ret = xmlSecCryptoAppKeyCertLoad(key, cert_file, format);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecCryptoAppKeyCertLoad failed: file=%s\n",
xmlSecErrorsSafeString(files));
xmlSecErrorsSafeString(cert_file));
xmlSecKeyDestroy(key);
return(-1);
}
}
#else /* XMLSEC_NO_X509 */
files += strlen(files) + 1;
if(files[0] != '\0') {
cert_file = files + strlen(files) + 1;
if(cert_file[0] != '\0') {
fprintf(stderr, "Error: X509 support is disabled\n");
return(-1);
}
#endif /* XMLSEC_NO_X509 */


if(verifyKey != 0) {
ret = xmlSecCryptoAppDefaultKeysMngrVerifyKey(mngr, key, keyInfoCtx);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecCryptoAppDefaultKeysMngrVerifyKey failed: filename='%s'\n",
xmlSecErrorsSafeString(files));
xmlSecKeyDestroy(key);
return(-1);
} else if(ret != 1) {
fprintf(stderr, "Error: key cannot be verified: filename='%s'\n",
xmlSecErrorsSafeString(files));
xmlSecKeyDestroy(key);
return(-1);
}
}

ret = xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecCryptoAppDefaultKeysMngrAdoptKey failed\n");
Expand All @@ -156,25 +175,24 @@ xmlSecAppCryptoSimpleKeysMngrKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,

int
xmlSecAppCryptoSimpleKeysMngrEngineKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,
const char* engineAndKeyId,
const char* certFiles,
const char* pwd,
const char* name,
xmlSecKeyDataType type,
xmlSecKeyDataFormat keyFormat,
xmlSecKeyDataFormat certFormat) {
const char* engineAndKeyId, const char* certFiles,
const char* pwd, const char* name,
xmlSecKeyDataType type, xmlSecKeyDataFormat keyFormat, xmlSecKeyDataFormat certFormat,
xmlSecKeyInfoCtxPtr keyInfoCtx, int verifyKey
) {
xmlSecKeyPtr key;
int ret;

xmlSecAssert2(mngr != NULL, -1);
xmlSecAssert2(engineAndKeyId != NULL, -1);
xmlSecAssert2(certFiles != NULL, -1);
xmlSecAssert2(keyInfoCtx != NULL, -1);

/* load key */
key = xmlSecCryptoAppKeyLoadEx(engineAndKeyId, type, keyFormat, pwd,
xmlSecCryptoAppGetDefaultPwdCallback(), (void*)engineAndKeyId);
if(key == NULL) {
fprintf(stderr, "Error: xmlSecCryptoAppKeyLoadEx failed: file=%s\n",
fprintf(stderr, "Error: xmlSecCryptoAppKeyLoadEx failed: engineAndKeyId=%s\n",
xmlSecErrorsSafeString(engineAndKeyId));
return(-1);
}
Expand Down Expand Up @@ -208,6 +226,21 @@ xmlSecAppCryptoSimpleKeysMngrEngineKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,
}
#endif /* XMLSEC_NO_X509 */

if(verifyKey != 0) {
ret = xmlSecCryptoAppDefaultKeysMngrVerifyKey(mngr, key, keyInfoCtx);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecCryptoAppDefaultKeysMngrVerifyKey failed: engineAndKeyId='%s'\n",
xmlSecErrorsSafeString(engineAndKeyId));
xmlSecKeyDestroy(key);
return(-1);
} else if(ret != 1) {
fprintf(stderr, "Error: key cannot be verified: engineAndKeyId='%s'\n",
xmlSecErrorsSafeString(engineAndKeyId));
xmlSecKeyDestroy(key);
return(-1);
}
}

/* add key to KM */
ret = xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key);
if(ret < 0) {
Expand All @@ -220,32 +253,50 @@ xmlSecAppCryptoSimpleKeysMngrEngineKeyAndCertsLoad(xmlSecKeysMngrPtr mngr,
}

int
xmlSecAppCryptoSimpleKeysMngrPkcs12KeyLoad(xmlSecKeysMngrPtr mngr, const char *filename, const char* pwd, const char *name) {
xmlSecAppCryptoSimpleKeysMngrPkcs12KeyLoad(xmlSecKeysMngrPtr mngr, const char *filename, const char* pwd,
const char *name, xmlSecKeyInfoCtxPtr keyInfoCtx, int verifyKey
) {
xmlSecKeyPtr key;
int ret;

xmlSecAssert2(mngr != NULL, -1);
xmlSecAssert2(filename != NULL, -1);
xmlSecAssert2(keyInfoCtx != NULL, -1);

#ifndef XMLSEC_NO_X509
key = xmlSecCryptoAppKeyLoadEx(filename, xmlSecKeyDataTypePrivate, xmlSecKeyDataFormatPkcs12, pwd,
xmlSecCryptoAppGetDefaultPwdCallback(), (void*)filename);
if(key == NULL) {
fprintf(stderr, "Error: xmlSecCryptoAppKeyLoadEx failed: filename=%s\n",
fprintf(stderr, "Error: xmlSecCryptoAppKeyLoadEx failed: filename='%s'\n",
xmlSecErrorsSafeString(filename));
return(-1);
}

if(name != NULL) {
ret = xmlSecKeySetName(key, BAD_CAST name);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecKeySetName failed: name=%s\n",
fprintf(stderr, "Error: xmlSecKeySetName failed: name='%s'\n",
xmlSecErrorsSafeString(name));
xmlSecKeyDestroy(key);
return(-1);
}
}

if(verifyKey != 0) {
ret = xmlSecCryptoAppDefaultKeysMngrVerifyKey(mngr, key, keyInfoCtx);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecCryptoAppDefaultKeysMngrVerifyKey failed: filename='%s'\n",
xmlSecErrorsSafeString(filename));
xmlSecKeyDestroy(key);
return(-1);
} else if(ret != 1) {
fprintf(stderr, "Error: key cannot be verified: filename='%s'\n",
xmlSecErrorsSafeString(filename));
xmlSecKeyDestroy(key);
return(-1);
}
}

ret = xmlSecCryptoAppDefaultKeysMngrAdoptKey(mngr, key);
if(ret < 0) {
fprintf(stderr, "Error: xmlSecCryptoAppDefaultKeysMngrAdoptKey failed\n");
Expand Down
12 changes: 9 additions & 3 deletions apps/crypto.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,19 +50,25 @@ int xmlSecAppCryptoSimpleKeysMngrKeyAndCertsLoad (xmlSecKeysMngrP
const char* pwd,
const char* name,
xmlSecKeyDataType type,
xmlSecKeyDataFormat format);
xmlSecKeyDataFormat format,
xmlSecKeyInfoCtxPtr keyInfoCtx,
int verifyKey);
int xmlSecAppCryptoSimpleKeysMngrEngineKeyAndCertsLoad (xmlSecKeysMngrPtr mngr,
const char* engineAndKeyId,
const char* certFiles,
const char* pwd,
const char* name,
xmlSecKeyDataType type,
xmlSecKeyDataFormat keyFormat,
xmlSecKeyDataFormat certFormat);
xmlSecKeyDataFormat certFormat,
xmlSecKeyInfoCtxPtr keyInfoCtx,
int verifyKey);
int xmlSecAppCryptoSimpleKeysMngrPkcs12KeyLoad (xmlSecKeysMngrPtr mngr,
const char* filename,
const char* pwd,
const char* name);
const char* name,
xmlSecKeyInfoCtxPtr keyInfoCtx,
int verifyKey);
int xmlSecAppCryptoSimpleKeysMngrBinaryKeyLoad (xmlSecKeysMngrPtr mngr,
const char* keyKlass,
const char* filename,
Expand Down
Loading