Home Explore Help
Register Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 1
Files Issues 1 Wiki
Tree: a28d06f3e9
Branches Tags
openssl
/
apps
/
ts.c

ts.c 31 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022 
  1. /*
    2. 

  2.  * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5.  * this file except in compliance with the License.  You can obtain a copy
    6. 

  6.  * in the file LICENSE in the source distribution or at
    7. 

  7.  * https://www.openssl.org/source/license.html
    8. 

  8.  */
    9. 

  9. 

  10. #include <openssl/opensslconf.h>
    11. 

  11. #include <stdio.h>
    12. 

  12. #include <stdlib.h>
    13. 

  13. #include <string.h>
    14. 

  14. #include "apps.h"
    15. 

  15. #include "progs.h"
    16. 

  16. #include <openssl/bio.h>
    17. 

  17. #include <openssl/err.h>
    18. 

  18. #include <openssl/pem.h>
    19. 

  19. #include <openssl/rand.h>
    20. 

  20. #include <openssl/ts.h>
    21. 

  21. #include <openssl/bn.h>
    22. 

  22. 

  23. /* Request nonce length, in bits (must be a multiple of 8). */
    24. 

  24. #define NONCE_LENGTH            64
    25. 

  25. 

  26. /* Name of config entry that defines the OID file. */
    27. 

  27. #define ENV_OID_FILE            "oid_file"
    28. 

  28. 

  29. /* Is |EXACTLY_ONE| of three pointers set? */
    30. 

  30. #define EXACTLY_ONE(a, b, c) \
    31. 

  31.         (( a && !b && !c) || \
    32. 

  32.          ( b && !a && !c) || \
    33. 

  33.          ( c && !a && !b))
    34. 

  34. 

  35. static ASN1_OBJECT *txt2obj(const char *oid);
    36. 

  36. static CONF *load_config_file(const char *configfile);
    37. 

  37. 

  38. /* Query related functions. */
    39. 

  39. static int query_command(const char *data, const char *digest,
    40. 

  40.                          const EVP_MD *md, const char *policy, int no_nonce,
    41. 

  41.                          int cert, const char *in, const char *out, int text);
    42. 

  42. static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
    43. 

  43.                             const char *policy, int no_nonce, int cert);
    44. 

  44. static int create_digest(BIO *input, const char *digest,
    45. 

  45.                          const EVP_MD *md, unsigned char **md_value);
    46. 

  46. static ASN1_INTEGER *create_nonce(int bits);
    47. 

  47. 

  48. /* Reply related functions. */
    49. 

  49. static int reply_command(CONF *conf, const char *section, const char *engine,
    50. 

  50.                          const char *queryfile, const char *passin, const char *inkey,
    51. 

  51.                          const EVP_MD *md, const char *signer, const char *chain,
    52. 

  52.                          const char *policy, const char *in, int token_in,
    53. 

  53.                          const char *out, int token_out, int text);
    54. 

  54. static TS_RESP *read_PKCS7(BIO *in_bio);
    55. 

  55. static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
    56. 

  56.                                 const char *queryfile, const char *passin,
    57. 

  57.                                 const char *inkey, const EVP_MD *md, const char *signer,
    58. 

  58.                                 const char *chain, const char *policy);
    59. 

  59. static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
    60. 

  60. static ASN1_INTEGER *next_serial(const char *serialfile);
    61. 

  61. static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
    62. 

  62. 

  63. /* Verify related functions. */
    64. 

  64. static int verify_command(const char *data, const char *digest, const char *queryfile,
    65. 

  65.                           const char *in, int token_in,
    66. 

  66.                           const char *CApath, const char *CAfile,
    67. 

  67.                           const char *CAstore,
    68. 

  68.                           const char *untrusted, X509_VERIFY_PARAM *vpm);
    69. 

  69. static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
    70. 

  70.                                         const char *queryfile,
    71. 

  71.                                         const char *CApath, const char *CAfile,
    72. 

  72.                                         const char *CAstore,
    73. 

  73.                                         const char *untrusted,
    74. 

  74.                                         X509_VERIFY_PARAM *vpm);
    75. 

  75. static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
    76. 

  76.                                      const char *CAstore, X509_VERIFY_PARAM *vpm);
    77. 

  77. static int verify_cb(int ok, X509_STORE_CTX *ctx);
    78. 

  78. 

  79. typedef enum OPTION_choice {
    80. 

  80.     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    81. 

  81.     OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
    82. 

  82.     OPT_DIGEST, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
    83. 

  83.     OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
    84. 

  84.     OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
    85. 

  85.     OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED,
    86. 

  86.     OPT_MD, OPT_V_ENUM, OPT_R_ENUM, OPT_PROV_ENUM
    87. 

  87. } OPTION_CHOICE;
    88. 

  88. 

  89. const OPTIONS ts_options[] = {
    90. 

  90.     OPT_SECTION("General"),
    91. 

  91.     {"help", OPT_HELP, '-', "Display this summary"},
    92. 

  92.     {"config", OPT_CONFIG, '<', "Configuration file"},
    93. 

  93.     {"section", OPT_SECTION, 's', "Section to use within config file"},
    94. 

  94. #ifndef OPENSSL_NO_ENGINE
    95. 

  95.     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    96. 

  96. #endif
    97. 

  97.     {"inkey", OPT_INKEY, 's', "File with private key for reply"},
    98. 

  98.     {"signer", OPT_SIGNER, 's', "Signer certificate file"},
    99. 

  99.     {"chain", OPT_CHAIN, '<', "File with signer CA chain"},
    100. 

  100.     {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
    101. 

  101.     {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
    102. 

  102.     {"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
    103. 

  103.     {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
    104. 

  104.     {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
    105. 

  105.     {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
    106. 

  106.     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    107. 

  107.     {"", OPT_MD, '-', "Any supported digest"},
    108. 

  108. 

  109.     OPT_SECTION("Query"),
    110. 

  110.     {"query", OPT_QUERY, '-', "Generate a TS query"},
    111. 

  111.     {"data", OPT_DATA, '<', "File to hash"},
    112. 

  112.     {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
    113. 

  113.     {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
    114. 

  114.     {"cert", OPT_CERT, '-', "Put cert request into query"},
    115. 

  115.     {"in", OPT_IN, '<', "Input file"},
    116. 

  116. 

  117.     OPT_SECTION("Verify"),
    118. 

  118.     {"verify", OPT_VERIFY, '-', "Verify a TS response"},
    119. 

  119.     {"reply", OPT_REPLY, '-', "Generate a TS reply"},
    120. 

  120.     {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
    121. 

  121.     {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
    122. 

  122.     {"out", OPT_OUT, '>', "Output file"},
    123. 

  123.     {"text", OPT_TEXT, '-', "Output text (not DER)"},
    124. 

  124. 

  125.     OPT_R_OPTIONS,
    126. 

  126.     OPT_V_OPTIONS,
    127. 

  127.     OPT_PROV_OPTIONS,
    128. 

  128.     {NULL}
    129. 

  129. };
    130. 

  130. 

  131. /*
    132. 

  132.  * This command is so complex, special help is needed.
    133. 

  133.  */
    134. 

  134. static char* opt_helplist[] = {
    135. 

  135.     "",
    136. 

  136.     "Typical uses:",
    137. 

  137.     " openssl ts -query [-rand file...] [-config file] [-data file]",
    138. 

  138.     "    [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
    139. 

  139.     "    [-in file] [-out file] [-text]",
    140. 

  140.     "",
    141. 

  141.     " openssl ts -reply [-config file] [-section tsa_section]",
    142. 

  142.     "    [-queryfile file] [-passin password]",
    143. 

  143.     "    [-signer tsa_cert.pem] [-inkey private_key.pem]",
    144. 

  144.     "    [-chain certs_file.pem] [-tspolicy oid]",
    145. 

  145.     "    [-in file] [-token_in] [-out file] [-token_out]",
    146. 

  146. #ifndef OPENSSL_NO_ENGINE
    147. 

  147.     "    [-text] [-engine id]",
    148. 

  148. #else
    149. 

  149.     "    [-text]",
    150. 

  150. #endif
    151. 

  151.     "",
    152. 

  152.     " openssl ts -verify -CApath dir -CAfile file.pem -CAstore uri",
    153. 

  153.     "   -untrusted file.pem [-data file] [-digest hexstring]",
    154. 

  154.     "    [-queryfile file] -in file [-token_in] ...",
    155. 

  155.     NULL,
    156. 

  156. };
    157. 

  157. 

  158. int ts_main(int argc, char **argv)
    159. 

  159. {
    160. 

  160.     CONF *conf = NULL;
    161. 

  161.     const char *CAfile = NULL, *untrusted = NULL, *prog;
    162. 

  162.     const char *configfile = default_config_file, *engine = NULL;
    163. 

  163.     const char *section = NULL, *digestname = NULL;
    164. 

  164.     char **helpp;
    165. 

  165.     char *password = NULL;
    166. 

  166.     char *data = NULL, *digest = NULL, *policy = NULL;
    167. 

  167.     char *in = NULL, *out = NULL, *queryfile = NULL, *passin = NULL;
    168. 

  168.     char *inkey = NULL, *signer = NULL, *chain = NULL, *CApath = NULL;
    169. 

  169.     char *CAstore = NULL;
    170. 

  170.     const EVP_MD *md = NULL;
    171. 

  171.     OPTION_CHOICE o, mode = OPT_ERR;
    172. 

  172.     int ret = 1, no_nonce = 0, cert = 0, text = 0;
    173. 

  173.     int vpmtouched = 0;
    174. 

  174.     X509_VERIFY_PARAM *vpm = NULL;
    175. 

  175.     /* Input is ContentInfo instead of TimeStampResp. */
    176. 

  176.     int token_in = 0;
    177. 

  177.     /* Output is ContentInfo instead of TimeStampResp. */
    178. 

  178.     int token_out = 0;
    179. 

  179. 

  180.     if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
    181. 

  181.         goto end;
    182. 

  182. 

  183.     prog = opt_init(argc, argv, ts_options);
    184. 

  184.     while ((o = opt_next()) != OPT_EOF) {
    185. 

  185.         switch (o) {
    186. 

  186.         case OPT_EOF:
    187. 

  187.         case OPT_ERR:
    188. 

  188.  opthelp:
    189. 

  189.             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
    190. 

  190.             goto end;
    191. 

  191.         case OPT_HELP:
    192. 

  192.             opt_help(ts_options);
    193. 

  193.             for (helpp = opt_helplist; *helpp; ++helpp)
    194. 

  194.                 BIO_printf(bio_err, "%s\n", *helpp);
    195. 

  195.             ret = 0;
    196. 

  196.             goto end;
    197. 

  197.         case OPT_CONFIG:
    198. 

  198.             configfile = opt_arg();
    199. 

  199.             break;
    200. 

  200.         case OPT_SECTION:
    201. 

  201.             section = opt_arg();
    202. 

  202.             break;
    203. 

  203.         case OPT_QUERY:
    204. 

  204.         case OPT_REPLY:
    205. 

  205.         case OPT_VERIFY:
    206. 

  206.             if (mode != OPT_ERR)
    207. 

  207.                 goto opthelp;
    208. 

  208.             mode = o;
    209. 

  209.             break;
    210. 

  210.         case OPT_DATA:
    211. 

  211.             data = opt_arg();
    212. 

  212.             break;
    213. 

  213.         case OPT_DIGEST:
    214. 

  214.             digest = opt_arg();
    215. 

  215.             break;
    216. 

  216.         case OPT_R_CASES:
    217. 

  217.             if (!opt_rand(o))
    218. 

  218.                 goto end;
    219. 

  219.             break;
    220. 

  220.         case OPT_PROV_CASES:
    221. 

  221.             if (!opt_provider(o))
    222. 

  222.                 goto end;
    223. 

  223.             break;
    224. 

  224.         case OPT_TSPOLICY:
    225. 

  225.             policy = opt_arg();
    226. 

  226.             break;
    227. 

  227.         case OPT_NO_NONCE:
    228. 

  228.             no_nonce = 1;
    229. 

  229.             break;
    230. 

  230.         case OPT_CERT:
    231. 

  231.             cert = 1;
    232. 

  232.             break;
    233. 

  233.         case OPT_IN:
    234. 

  234.             in = opt_arg();
    235. 

  235.             break;
    236. 

  236.         case OPT_TOKEN_IN:
    237. 

  237.             token_in = 1;
    238. 

  238.             break;
    239. 

  239.         case OPT_OUT:
    240. 

  240.             out = opt_arg();
    241. 

  241.             break;
    242. 

  242.         case OPT_TOKEN_OUT:
    243. 

  243.             token_out = 1;
    244. 

  244.             break;
    245. 

  245.         case OPT_TEXT:
    246. 

  246.             text = 1;
    247. 

  247.             break;
    248. 

  248.         case OPT_QUERYFILE:
    249. 

  249.             queryfile = opt_arg();
    250. 

  250.             break;
    251. 

  251.         case OPT_PASSIN:
    252. 

  252.             passin = opt_arg();
    253. 

  253.             break;
    254. 

  254.         case OPT_INKEY:
    255. 

  255.             inkey = opt_arg();
    256. 

  256.             break;
    257. 

  257.         case OPT_SIGNER:
    258. 

  258.             signer = opt_arg();
    259. 

  259.             break;
    260. 

  260.         case OPT_CHAIN:
    261. 

  261.             chain = opt_arg();
    262. 

  262.             break;
    263. 

  263.         case OPT_CAPATH:
    264. 

  264.             CApath = opt_arg();
    265. 

  265.             break;
    266. 

  266.         case OPT_CAFILE:
    267. 

  267.             CAfile = opt_arg();
    268. 

  268.             break;
    269. 

  269.         case OPT_CASTORE:
    270. 

  270.             CAstore = opt_arg();
    271. 

  271.             break;
    272. 

  272.         case OPT_UNTRUSTED:
    273. 

  273.             untrusted = opt_arg();
    274. 

  274.             break;
    275. 

  275.         case OPT_ENGINE:
    276. 

  276.             engine = opt_arg();
    277. 

  277.             break;
    278. 

  278.         case OPT_MD:
    279. 

  279.             digestname = opt_unknown();
    280. 

  280.             break;
    281. 

  281.         case OPT_V_CASES:
    282. 

  282.             if (!opt_verify(o, vpm))
    283. 

  283.                 goto end;
    284. 

  284.             vpmtouched++;
    285. 

  285.             break;
    286. 

  286.         }
    287. 

  287.     }
    288. 

  288. 

  289.     /* No extra arguments. */
    290. 

  290.     argc = opt_num_rest();
    291. 

  291.     if (argc != 0 || mode == OPT_ERR)
    292. 

  292.         goto opthelp;
    293. 

  293. 

  294.     app_RAND_load();
    295. 

  295.     if (digestname != NULL) {
    296. 

  296.         if (!opt_md(digestname, &md))
    297. 

  297.             goto opthelp;
    298. 

  298.     }
    299. 

  299.     if (mode == OPT_REPLY && passin &&
    300. 

  300.         !app_passwd(passin, NULL, &password, NULL)) {
    301. 

  301.         BIO_printf(bio_err, "Error getting password.\n");
    302. 

  302.         goto end;
    303. 

  303.     }
    304. 

  304. 

  305.     if ((conf = load_config_file(configfile)) == NULL)
    306. 

  306.         goto end;
    307. 

  307.     if (configfile != default_config_file && !app_load_modules(conf))
    308. 

  308.         goto end;
    309. 

  309. 

  310.     /* Check parameter consistency and execute the appropriate function. */
    311. 

  311.     if (mode == OPT_QUERY) {
    312. 

  312.         if (vpmtouched)
    313. 

  313.             goto opthelp;
    314. 

  314.         if ((data != NULL) && (digest != NULL))
    315. 

  315.             goto opthelp;
    316. 

  316.         ret = !query_command(data, digest, md, policy, no_nonce, cert,
    317. 

  317.                              in, out, text);
    318. 

  318.     } else if (mode == OPT_REPLY) {
    319. 

  319.         if (vpmtouched)
    320. 

  320.             goto opthelp;
    321. 

  321.         if ((in != NULL) && (queryfile != NULL))
    322. 

  322.             goto opthelp;
    323. 

  323.         if (in == NULL) {
    324. 

  324.             if ((conf == NULL) || (token_in != 0))
    325. 

  325.                 goto opthelp;
    326. 

  326.         }
    327. 

  327.         ret = !reply_command(conf, section, engine, queryfile,
    328. 

  328.                              password, inkey, md, signer, chain, policy,
    329. 

  329.                              in, token_in, out, token_out, text);
    330. 

  330. 

  331.     } else if (mode == OPT_VERIFY) {
    332. 

  332.         if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
    333. 

  333.             goto opthelp;
    334. 

  334.         ret = !verify_command(data, digest, queryfile, in, token_in,
    335. 

  335.                               CApath, CAfile, CAstore, untrusted,
    336. 

  336.                               vpmtouched ? vpm : NULL);
    337. 

  337.     } else {
    338. 

  338.         goto opthelp;
    339. 

  339.     }
    340. 

  340. 

  341.  end:
    342. 

  342.     X509_VERIFY_PARAM_free(vpm);
    343. 

  343.     NCONF_free(conf);
    344. 

  344.     OPENSSL_free(password);
    345. 

  345.     return ret;
    346. 

  346. }
    347. 

  347. 

  348. /*
    349. 

  349.  * Configuration file-related function definitions.
    350. 

  350.  */
    351. 

  351. 

  352. static ASN1_OBJECT *txt2obj(const char *oid)
    353. 

  353. {
    354. 

  354.     ASN1_OBJECT *oid_obj = NULL;
    355. 

  355. 

  356.     if ((oid_obj = OBJ_txt2obj(oid, 0)) == NULL)
    357. 

  357.         BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
    358. 

  358. 

  359.     return oid_obj;
    360. 

  360. }
    361. 

  361. 

  362. static CONF *load_config_file(const char *configfile)
    363. 

  363. {
    364. 

  364.     CONF *conf = app_load_config(configfile);
    365. 

  365. 

  366.     if (conf != NULL) {
    367. 

  367.         const char *p;
    368. 

  368. 

  369.         BIO_printf(bio_err, "Using configuration from %s\n", configfile);
    370. 

  370.         p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
    371. 

  371.         if (p != NULL) {
    372. 

  372.             BIO *oid_bio = BIO_new_file(p, "r");
    373. 

  373.             if (!oid_bio)
    374. 

  374.                 ERR_print_errors(bio_err);
    375. 

  375.             else {
    376. 

  376.                 OBJ_create_objects(oid_bio);
    377. 

  377.                 BIO_free_all(oid_bio);
    378. 

  378.             }
    379. 

  379.         } else
    380. 

  380.             ERR_clear_error();
    381. 

  381.         if (!add_oid_section(conf))
    382. 

  382.             ERR_print_errors(bio_err);
    383. 

  383.     }
    384. 

  384.     return conf;
    385. 

  385. }
    386. 

  386. 

  387. /*
    388. 

  388.  * Query-related method definitions.
    389. 

  389.  */
    390. 

  390. static int query_command(const char *data, const char *digest, const EVP_MD *md,
    391. 

  391.                          const char *policy, int no_nonce,
    392. 

  392.                          int cert, const char *in, const char *out, int text)
    393. 

  393. {
    394. 

  394.     int ret = 0;
    395. 

  395.     TS_REQ *query = NULL;
    396. 

  396.     BIO *in_bio = NULL;
    397. 

  397.     BIO *data_bio = NULL;
    398. 

  398.     BIO *out_bio = NULL;
    399. 

  399. 

  400.     /* Build query object. */
    401. 

  401.     if (in != NULL) {
    402. 

  402.         if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL)
    403. 

  403.             goto end;
    404. 

  404.         query = d2i_TS_REQ_bio(in_bio, NULL);
    405. 

  405.     } else {
    406. 

  406.         if (digest == NULL
    407. 

  407.             && (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL)
    408. 

  408.             goto end;
    409. 

  409.         query = create_query(data_bio, digest, md, policy, no_nonce, cert);
    410. 

  410.     }
    411. 

  411.     if (query == NULL)
    412. 

  412.         goto end;
    413. 

  413. 

  414.     if (text) {
    415. 

  415.         if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
    416. 

  416.             goto end;
    417. 

  417.         if (!TS_REQ_print_bio(out_bio, query))
    418. 

  418.             goto end;
    419. 

  419.     } else {
    420. 

  420.         if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
    421. 

  421.             goto end;
    422. 

  422.         if (!i2d_TS_REQ_bio(out_bio, query))
    423. 

  423.             goto end;
    424. 

  424.     }
    425. 

  425. 

  426.     ret = 1;
    427. 

  427. 

  428.  end:
    429. 

  429.     ERR_print_errors(bio_err);
    430. 

  430.     BIO_free_all(in_bio);
    431. 

  431.     BIO_free_all(data_bio);
    432. 

  432.     BIO_free_all(out_bio);
    433. 

  433.     TS_REQ_free(query);
    434. 

  434.     return ret;
    435. 

  435. }
    436. 

  436. 

  437. static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
    438. 

  438.                             const char *policy, int no_nonce, int cert)
    439. 

  439. {
    440. 

  440.     int ret = 0;
    441. 

  441.     TS_REQ *ts_req = NULL;
    442. 

  442.     int len;
    443. 

  443.     TS_MSG_IMPRINT *msg_imprint = NULL;
    444. 

  444.     X509_ALGOR *algo = NULL;
    445. 

  445.     unsigned char *data = NULL;
    446. 

  446.     ASN1_OBJECT *policy_obj = NULL;
    447. 

  447.     ASN1_INTEGER *nonce_asn1 = NULL;
    448. 

  448. 

  449.     if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
    450. 

  450.         goto err;
    451. 

  451.     if ((ts_req = TS_REQ_new()) == NULL)
    452. 

  452.         goto err;
    453. 

  453.     if (!TS_REQ_set_version(ts_req, 1))
    454. 

  454.         goto err;
    455. 

  455.     if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL)
    456. 

  456.         goto err;
    457. 

  457.     if ((algo = X509_ALGOR_new()) == NULL)
    458. 

  458.         goto err;
    459. 

  459.     if ((algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))) == NULL)
    460. 

  460.         goto err;
    461. 

  461.     if ((algo->parameter = ASN1_TYPE_new()) == NULL)
    462. 

  462.         goto err;
    463. 

  463.     algo->parameter->type = V_ASN1_NULL;
    464. 

  464.     if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
    465. 

  465.         goto err;
    466. 

  466.     if ((len = create_digest(data_bio, digest, md, &data)) == 0)
    467. 

  467.         goto err;
    468. 

  468.     if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
    469. 

  469.         goto err;
    470. 

  470.     if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
    471. 

  471.         goto err;
    472. 

  472.     if (policy && (policy_obj = txt2obj(policy)) == NULL)
    473. 

  473.         goto err;
    474. 

  474.     if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
    475. 

  475.         goto err;
    476. 

  476. 

  477.     /* Setting nonce if requested. */
    478. 

  478.     if (!no_nonce && (nonce_asn1 = create_nonce(NONCE_LENGTH)) == NULL)
    479. 

  479.         goto err;
    480. 

  480.     if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
    481. 

  481.         goto err;
    482. 

  482.     if (!TS_REQ_set_cert_req(ts_req, cert))
    483. 

  483.         goto err;
    484. 

  484. 

  485.     ret = 1;
    486. 

  486.  err:
    487. 

  487.     if (!ret) {
    488. 

  488.         TS_REQ_free(ts_req);
    489. 

  489.         ts_req = NULL;
    490. 

  490.         BIO_printf(bio_err, "could not create query\n");
    491. 

  491.         ERR_print_errors(bio_err);
    492. 

  492.     }
    493. 

  493.     TS_MSG_IMPRINT_free(msg_imprint);
    494. 

  494.     X509_ALGOR_free(algo);
    495. 

  495.     OPENSSL_free(data);
    496. 

  496.     ASN1_OBJECT_free(policy_obj);
    497. 

  497.     ASN1_INTEGER_free(nonce_asn1);
    498. 

  498.     return ts_req;
    499. 

  499. }
    500. 

  500. 

  501. static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
    502. 

  502.                          unsigned char **md_value)
    503. 

  503. {
    504. 

  504.     int md_value_len;
    505. 

  505.     int rv = 0;
    506. 

  506.     EVP_MD_CTX *md_ctx = NULL;
    507. 

  507. 

  508.     md_value_len = EVP_MD_size(md);
    509. 

  509.     if (md_value_len < 0)
    510. 

  510.         return 0;
    511. 

  511. 

  512.     if (input != NULL) {
    513. 

  513.         unsigned char buffer[4096];
    514. 

  514.         int length;
    515. 

  515. 

  516.         md_ctx = EVP_MD_CTX_new();
    517. 

  517.         if (md_ctx == NULL)
    518. 

  518.             return 0;
    519. 

  519.         *md_value = app_malloc(md_value_len, "digest buffer");
    520. 

  520.         if (!EVP_DigestInit(md_ctx, md))
    521. 

  521.             goto err;
    522. 

  522.         while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
    523. 

  523.             if (!EVP_DigestUpdate(md_ctx, buffer, length))
    524. 

  524.                 goto err;
    525. 

  525.         }
    526. 

  526.         if (!EVP_DigestFinal(md_ctx, *md_value, NULL))
    527. 

  527.             goto err;
    528. 

  528.         md_value_len = EVP_MD_size(md);
    529. 

  529.     } else {
    530. 

  530.         long digest_len;
    531. 

  531. 

  532.         *md_value = OPENSSL_hexstr2buf(digest, &digest_len);
    533. 

  533.         if (*md_value == NULL || md_value_len != digest_len) {
    534. 

  534.             OPENSSL_free(*md_value);
    535. 

  535.             *md_value = NULL;
    536. 

  536.             BIO_printf(bio_err, "bad digest, %d bytes "
    537. 

  537.                        "must be specified\n", md_value_len);
    538. 

  538.             return 0;
    539. 

  539.         }
    540. 

  540.     }
    541. 

  541.     rv = md_value_len;
    542. 

  542.  err:
    543. 

  543.     EVP_MD_CTX_free(md_ctx);
    544. 

  544.     return rv;
    545. 

  545. }
    546. 

  546. 

  547. static ASN1_INTEGER *create_nonce(int bits)
    548. 

  548. {
    549. 

  549.     unsigned char buf[20];
    550. 

  550.     ASN1_INTEGER *nonce = NULL;
    551. 

  551.     int len = (bits - 1) / 8 + 1;
    552. 

  552.     int i;
    553. 

  553. 

  554.     if (len > (int)sizeof(buf))
    555. 

  555.         goto err;
    556. 

  556.     if (RAND_bytes(buf, len) <= 0)
    557. 

  557.         goto err;
    558. 

  558. 

  559.     /* Find the first non-zero byte and creating ASN1_INTEGER object. */
    560. 

  560.     for (i = 0; i < len && !buf[i]; ++i)
    561. 

  561.         continue;
    562. 

  562.     if ((nonce = ASN1_INTEGER_new()) == NULL)
    563. 

  563.         goto err;
    564. 

  564.     OPENSSL_free(nonce->data);
    565. 

  565.     nonce->length = len - i;
    566. 

  566.     nonce->data = app_malloc(nonce->length + 1, "nonce buffer");
    567. 

  567.     memcpy(nonce->data, buf + i, nonce->length);
    568. 

  568.     return nonce;
    569. 

  569. 

  570.  err:
    571. 

  571.     BIO_printf(bio_err, "could not create nonce\n");
    572. 

  572.     ASN1_INTEGER_free(nonce);
    573. 

  573.     return NULL;
    574. 

  574. }
    575. 

  575. 

  576. /*
    577. 

  577.  * Reply-related method definitions.
    578. 

  578.  */
    579. 

  579. 

  580. static int reply_command(CONF *conf, const char *section, const char *engine,
    581. 

  581.                          const char *queryfile, const char *passin, const char *inkey,
    582. 

  582.                          const EVP_MD *md, const char *signer, const char *chain,
    583. 

  583.                          const char *policy, const char *in, int token_in,
    584. 

  584.                          const char *out, int token_out, int text)
    585. 

  585. {
    586. 

  586.     int ret = 0;
    587. 

  587.     TS_RESP *response = NULL;
    588. 

  588.     BIO *in_bio = NULL;
    589. 

  589.     BIO *query_bio = NULL;
    590. 

  590.     BIO *inkey_bio = NULL;
    591. 

  591.     BIO *signer_bio = NULL;
    592. 

  592.     BIO *out_bio = NULL;
    593. 

  593. 

  594.     if (in != NULL) {
    595. 

  595.         if ((in_bio = BIO_new_file(in, "rb")) == NULL)
    596. 

  596.             goto end;
    597. 

  597.         if (token_in) {
    598. 

  598.             response = read_PKCS7(in_bio);
    599. 

  599.         } else {
    600. 

  600.             response = d2i_TS_RESP_bio(in_bio, NULL);
    601. 

  601.         }
    602. 

  602.     } else {
    603. 

  603.         response = create_response(conf, section, engine, queryfile,
    604. 

  604.                                    passin, inkey, md, signer, chain, policy);
    605. 

  605.         if (response != NULL)
    606. 

  606.             BIO_printf(bio_err, "Response has been generated.\n");
    607. 

  607.         else
    608. 

  608.             BIO_printf(bio_err, "Response is not generated.\n");
    609. 

  609.     }
    610. 

  610.     if (response == NULL)
    611. 

  611.         goto end;
    612. 

  612. 

  613.     /* Write response. */
    614. 

  614.     if (text) {
    615. 

  615.         if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
    616. 

  616.         goto end;
    617. 

  617.         if (token_out) {
    618. 

  618.             TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
    619. 

  619.             if (!TS_TST_INFO_print_bio(out_bio, tst_info))
    620. 

  620.                 goto end;
    621. 

  621.         } else {
    622. 

  622.             if (!TS_RESP_print_bio(out_bio, response))
    623. 

  623.                 goto end;
    624. 

  624.         }
    625. 

  625.     } else {
    626. 

  626.         if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
    627. 

  627.             goto end;
    628. 

  628.         if (token_out) {
    629. 

  629.             PKCS7 *token = TS_RESP_get_token(response);
    630. 

  630.             if (!i2d_PKCS7_bio(out_bio, token))
    631. 

  631.                 goto end;
    632. 

  632.         } else {
    633. 

  633.             if (!i2d_TS_RESP_bio(out_bio, response))
    634. 

  634.                 goto end;
    635. 

  635.         }
    636. 

  636.     }
    637. 

  637. 

  638.     ret = 1;
    639. 

  639. 

  640.  end:
    641. 

  641.     ERR_print_errors(bio_err);
    642. 

  642.     BIO_free_all(in_bio);
    643. 

  643.     BIO_free_all(query_bio);
    644. 

  644.     BIO_free_all(inkey_bio);
    645. 

  645.     BIO_free_all(signer_bio);
    646. 

  646.     BIO_free_all(out_bio);
    647. 

  647.     TS_RESP_free(response);
    648. 

  648.     return ret;
    649. 

  649. }
    650. 

  650. 

  651. /* Reads a PKCS7 token and adds default 'granted' status info to it. */
    652. 

  652. static TS_RESP *read_PKCS7(BIO *in_bio)
    653. 

  653. {
    654. 

  654.     int ret = 0;
    655. 

  655.     PKCS7 *token = NULL;
    656. 

  656.     TS_TST_INFO *tst_info = NULL;
    657. 

  657.     TS_RESP *resp = NULL;
    658. 

  658.     TS_STATUS_INFO *si = NULL;
    659. 

  659. 

  660.     if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
    661. 

  661.         goto end;
    662. 

  662.     if ((tst_info = PKCS7_to_TS_TST_INFO(token)) == NULL)
    663. 

  663.         goto end;
    664. 

  664.     if ((resp = TS_RESP_new()) == NULL)
    665. 

  665.         goto end;
    666. 

  666.     if ((si = TS_STATUS_INFO_new()) == NULL)
    667. 

  667.         goto end;
    668. 

  668.     if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED))
    669. 

  669.         goto end;
    670. 

  670.     if (!TS_RESP_set_status_info(resp, si))
    671. 

  671.         goto end;
    672. 

  672.     TS_RESP_set_tst_info(resp, token, tst_info);
    673. 

  673.     token = NULL;               /* Ownership is lost. */
    674. 

  674.     tst_info = NULL;            /* Ownership is lost. */
    675. 

  675.     ret = 1;
    676. 

  676. 

  677.  end:
    678. 

  678.     PKCS7_free(token);
    679. 

  679.     TS_TST_INFO_free(tst_info);
    680. 

  680.     if (!ret) {
    681. 

  681.         TS_RESP_free(resp);
    682. 

  682.         resp = NULL;
    683. 

  683.     }
    684. 

  684.     TS_STATUS_INFO_free(si);
    685. 

  685.     return resp;
    686. 

  686. }
    687. 

  687. 

  688. static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
    689. 

  689.                                 const char *queryfile, const char *passin,
    690. 

  690.                                 const char *inkey, const EVP_MD *md, const char *signer,
    691. 

  691.                                 const char *chain, const char *policy)
    692. 

  692. {
    693. 

  693.     int ret = 0;
    694. 

  694.     TS_RESP *response = NULL;
    695. 

  695.     BIO *query_bio = NULL;
    696. 

  696.     TS_RESP_CTX *resp_ctx = NULL;
    697. 

  697. 

  698.     if ((query_bio = BIO_new_file(queryfile, "rb")) == NULL)
    699. 

  699.         goto end;
    700. 

  700.     if ((section = TS_CONF_get_tsa_section(conf, section)) == NULL)
    701. 

  701.         goto end;
    702. 

  702.     if ((resp_ctx = TS_RESP_CTX_new()) == NULL)
    703. 

  703.         goto end;
    704. 

  704.     if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
    705. 

  705.         goto end;
    706. 

  706. #ifndef OPENSSL_NO_ENGINE
    707. 

  707.     if (!TS_CONF_set_crypto_device(conf, section, engine))
    708. 

  708.         goto end;
    709. 

  709. #endif
    710. 

  710.     if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
    711. 

  711.         goto end;
    712. 

  712.     if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
    713. 

  713.         goto end;
    714. 

  714.     if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
    715. 

  715.         goto end;
    716. 

  716. 

  717.     if (md) {
    718. 

  718.         if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
    719. 

  719.             goto end;
    720. 

  720.     } else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
    721. 

  721.             goto end;
    722. 

  722.     }
    723. 

  723. 

  724.     if (!TS_CONF_set_ess_cert_id_digest(conf, section, resp_ctx))
    725. 

  725.         goto end;
    726. 

  726.     if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
    727. 

  727.         goto end;
    728. 

  728.     if (!TS_CONF_set_policies(conf, section, resp_ctx))
    729. 

  729.         goto end;
    730. 

  730.     if (!TS_CONF_set_digests(conf, section, resp_ctx))
    731. 

  731.         goto end;
    732. 

  732.     if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
    733. 

  733.         goto end;
    734. 

  734.     if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
    735. 

  735.         goto end;
    736. 

  736.     if (!TS_CONF_set_ordering(conf, section, resp_ctx))
    737. 

  737.         goto end;
    738. 

  738.     if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
    739. 

  739.         goto end;
    740. 

  740.     if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
    741. 

  741.         goto end;
    742. 

  742.     if ((response = TS_RESP_create_response(resp_ctx, query_bio)) == NULL)
    743. 

  743.         goto end;
    744. 

  744.     ret = 1;
    745. 

  745. 

  746.  end:
    747. 

  747.     if (!ret) {
    748. 

  748.         TS_RESP_free(response);
    749. 

  749.         response = NULL;
    750. 

  750.     }
    751. 

  751.     TS_RESP_CTX_free(resp_ctx);
    752. 

  752.     BIO_free_all(query_bio);
    753. 

  753.     return response;
    754. 

  754. }
    755. 

  755. 

  756. static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data)
    757. 

  757. {
    758. 

  758.     const char *serial_file = (const char *)data;
    759. 

  759.     ASN1_INTEGER *serial = next_serial(serial_file);
    760. 

  760. 

  761.     if (serial == NULL) {
    762. 

  762.         TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
    763. 

  763.                                     "Error during serial number "
    764. 

  764.                                     "generation.");
    765. 

  765.         TS_RESP_CTX_add_failure_info(ctx, TS_INFO_ADD_INFO_NOT_AVAILABLE);
    766. 

  766.     } else {
    767. 

  767.         save_ts_serial(serial_file, serial);
    768. 

  768.     }
    769. 

  769. 

  770.     return serial;
    771. 

  771. }
    772. 

  772. 

  773. static ASN1_INTEGER *next_serial(const char *serialfile)
    774. 

  774. {
    775. 

  775.     int ret = 0;
    776. 

  776.     BIO *in = NULL;
    777. 

  777.     ASN1_INTEGER *serial = NULL;
    778. 

  778.     BIGNUM *bn = NULL;
    779. 

  779. 

  780.     if ((serial = ASN1_INTEGER_new()) == NULL)
    781. 

  781.         goto err;
    782. 

  782. 

  783.     if ((in = BIO_new_file(serialfile, "r")) == NULL) {
    784. 

  784.         ERR_clear_error();
    785. 

  785.         BIO_printf(bio_err, "Warning: could not open file %s for "
    786. 

  786.                    "reading, using serial number: 1\n", serialfile);
    787. 

  787.         if (!ASN1_INTEGER_set(serial, 1))
    788. 

  788.             goto err;
    789. 

  789.     } else {
    790. 

  790.         char buf[1024];
    791. 

  791.         if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
    792. 

  792.             BIO_printf(bio_err, "unable to load number from %s\n",
    793. 

  793.                        serialfile);
    794. 

  794.             goto err;
    795. 

  795.         }
    796. 

  796.         if ((bn = ASN1_INTEGER_to_BN(serial, NULL)) == NULL)
    797. 

  797.             goto err;
    798. 

  798.         ASN1_INTEGER_free(serial);
    799. 

  799.         serial = NULL;
    800. 

  800.         if (!BN_add_word(bn, 1))
    801. 

  801.             goto err;
    802. 

  802.         if ((serial = BN_to_ASN1_INTEGER(bn, NULL)) == NULL)
    803. 

  803.             goto err;
    804. 

  804.     }
    805. 

  805.     ret = 1;
    806. 

  806. 

  807.  err:
    808. 

  808.     if (!ret) {
    809. 

  809.         ASN1_INTEGER_free(serial);
    810. 

  810.         serial = NULL;
    811. 

  811.     }
    812. 

  812.     BIO_free_all(in);
    813. 

  813.     BN_free(bn);
    814. 

  814.     return serial;
    815. 

  815. }
    816. 

  816. 

  817. static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
    818. 

  818. {
    819. 

  819.     int ret = 0;
    820. 

  820.     BIO *out = NULL;
    821. 

  821. 

  822.     if ((out = BIO_new_file(serialfile, "w")) == NULL)
    823. 

  823.         goto err;
    824. 

  824.     if (i2a_ASN1_INTEGER(out, serial) <= 0)
    825. 

  825.         goto err;
    826. 

  826.     if (BIO_puts(out, "\n") <= 0)
    827. 

  827.         goto err;
    828. 

  828.     ret = 1;
    829. 

  829.  err:
    830. 

  830.     if (!ret)
    831. 

  831.         BIO_printf(bio_err, "could not save serial number to %s\n",
    832. 

  832.                    serialfile);
    833. 

  833.     BIO_free_all(out);
    834. 

  834.     return ret;
    835. 

  835. }
    836. 

  836. 

  837. 

  838. /*
    839. 

  839.  * Verify-related method definitions.
    840. 

  840.  */
    841. 

  841. 

  842. static int verify_command(const char *data, const char *digest, const char *queryfile,
    843. 

  843.                           const char *in, int token_in,
    844. 

  844.                           const char *CApath, const char *CAfile,
    845. 

  845.                           const char *CAstore, const char *untrusted,
    846. 

  846.                           X509_VERIFY_PARAM *vpm)
    847. 

  847. {
    848. 

  848.     BIO *in_bio = NULL;
    849. 

  849.     PKCS7 *token = NULL;
    850. 

  850.     TS_RESP *response = NULL;
    851. 

  851.     TS_VERIFY_CTX *verify_ctx = NULL;
    852. 

  852.     int ret = 0;
    853. 

  853. 

  854.     if ((in_bio = BIO_new_file(in, "rb")) == NULL)
    855. 

  855.         goto end;
    856. 

  856.     if (token_in) {
    857. 

  857.         if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
    858. 

  858.             goto end;
    859. 

  859.     } else {
    860. 

  860.         if ((response = d2i_TS_RESP_bio(in_bio, NULL)) == NULL)
    861. 

  861.             goto end;
    862. 

  862.     }
    863. 

  863. 

  864.     if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
    865. 

  865.                                         CApath, CAfile, CAstore, untrusted,
    866. 

  866.                                         vpm)) == NULL)
    867. 

  867.         goto end;
    868. 

  868. 

  869.     ret = token_in
    870. 

  870.         ? TS_RESP_verify_token(verify_ctx, token)
    871. 

  871.         : TS_RESP_verify_response(verify_ctx, response);
    872. 

  872. 

  873.  end:
    874. 

  874.     printf("Verification: ");
    875. 

  875.     if (ret)
    876. 

  876.         printf("OK\n");
    877. 

  877.     else {
    878. 

  878.         printf("FAILED\n");
    879. 

  879.         ERR_print_errors(bio_err);
    880. 

  880.     }
    881. 

  881. 

  882.     BIO_free_all(in_bio);
    883. 

  883.     PKCS7_free(token);
    884. 

  884.     TS_RESP_free(response);
    885. 

  885.     TS_VERIFY_CTX_free(verify_ctx);
    886. 

  886.     return ret;
    887. 

  887. }
    888. 

  888. 

  889. static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
    890. 

  890.                                         const char *queryfile,
    891. 

  891.                                         const char *CApath, const char *CAfile,
    892. 

  892.                                         const char *CAstore,
    893. 

  893.                                         const char *untrusted,
    894. 

  894.                                         X509_VERIFY_PARAM *vpm)
    895. 

  895. {
    896. 

  896.     TS_VERIFY_CTX *ctx = NULL;
    897. 

  897.     BIO *input = NULL;
    898. 

  898.     TS_REQ *request = NULL;
    899. 

  899.     int ret = 0;
    900. 

  900.     int f = 0;
    901. 

  901. 

  902.     if (data != NULL || digest != NULL) {
    903. 

  903.         if ((ctx = TS_VERIFY_CTX_new()) == NULL)
    904. 

  904.             goto err;
    905. 

  905.         f = TS_VFY_VERSION | TS_VFY_SIGNER;
    906. 

  906.         if (data != NULL) {
    907. 

  907.             BIO *out = NULL;
    908. 

  908. 

  909.             f |= TS_VFY_DATA;
    910. 

  910.             if ((out = BIO_new_file(data, "rb")) == NULL)
    911. 

  911.                 goto err;
    912. 

  912.             if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
    913. 

  913.                 BIO_free_all(out);
    914. 

  914.                 goto err;
    915. 

  915.             }
    916. 

  916.         } else if (digest != NULL) {
    917. 

  917.             long imprint_len;
    918. 

  918.             unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
    919. 

  919.             f |= TS_VFY_IMPRINT;
    920. 

  920.             if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
    921. 

  921.                 BIO_printf(bio_err, "invalid digest string\n");
    922. 

  922.                 goto err;
    923. 

  923.             }
    924. 

  924.         }
    925. 

  925. 

  926.     } else if (queryfile != NULL) {
    927. 

  927.         if ((input = BIO_new_file(queryfile, "rb")) == NULL)
    928. 

  928.             goto err;
    929. 

  929.         if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL)
    930. 

  930.             goto err;
    931. 

  931.         if ((ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)) == NULL)
    932. 

  932.             goto err;
    933. 

  933.     } else {
    934. 

  934.         return NULL;
    935. 

  935.     }
    936. 

  936. 

  937.     /* Add the signature verification flag and arguments. */
    938. 

  938.     TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
    939. 

  939. 

  940.     /* Initialising the X509_STORE object. */
    941. 

  941.     if (TS_VERIFY_CTX_set_store(ctx,
    942. 

  942.                                 create_cert_store(CApath, CAfile, CAstore, vpm))
    943. 

  943.             == NULL)
    944. 

  944.         goto err;
    945. 

  945. 

  946.     /* Loading untrusted certificates. */
    947. 

  947.     if (untrusted
    948. 

  948.         && TS_VERIFY_CTX_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL)
    949. 

  949.         goto err;
    950. 

  950.     ret = 1;
    951. 

  951. 

  952.  err:
    953. 

  953.     if (!ret) {
    954. 

  954.         TS_VERIFY_CTX_free(ctx);
    955. 

  955.         ctx = NULL;
    956. 

  956.     }
    957. 

  957.     BIO_free_all(input);
    958. 

  958.     TS_REQ_free(request);
    959. 

  959.     return ctx;
    960. 

  960. }
    961. 

  961. 

  962. static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
    963. 

  963.                                      const char *CAstore, X509_VERIFY_PARAM *vpm)
    964. 

  964. {
    965. 

  965.     X509_STORE *cert_ctx = NULL;
    966. 

  966.     X509_LOOKUP *lookup = NULL;
    967. 

  967.     OSSL_LIB_CTX *libctx = app_get0_libctx();
    968. 

  968.     const char *propq = app_get0_propq();
    969. 

  969. 

  970.     cert_ctx = X509_STORE_new();
    971. 

  971.     X509_STORE_set_verify_cb(cert_ctx, verify_cb);
    972. 

  972.     if (CApath != NULL) {
    973. 

  973.         lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
    974. 

  974.         if (lookup == NULL) {
    975. 

  975.             BIO_printf(bio_err, "memory allocation failure\n");
    976. 

  976.             goto err;
    977. 

  977.         }
    978. 

  978.         if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
    979. 

  979.             BIO_printf(bio_err, "Error loading directory %s\n", CApath);
    980. 

  980.             goto err;
    981. 

  981.         }
    982. 

  982.     }
    983. 

  983. 

  984.     if (CAfile != NULL) {
    985. 

  985.         lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
    986. 

  986.         if (lookup == NULL) {
    987. 

  987.             BIO_printf(bio_err, "memory allocation failure\n");
    988. 

  988.             goto err;
    989. 

  989.         }
    990. 

  990.         if (!X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM, libctx,
    991. 

  991.                                       propq)) {
    992. 

  992.             BIO_printf(bio_err, "Error loading file %s\n", CAfile);
    993. 

  993.             goto err;
    994. 

  994.         }
    995. 

  995.     }
    996. 

  996. 

  997.     if (CAstore != NULL) {
    998. 

  998.         lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_store());
    999. 

  999.         if (lookup == NULL) {
    1000. 

  1000.             BIO_printf(bio_err, "memory allocation failure\n");
    1001. 

  1001.             goto err;
    1002. 

  1002.         }
    1003. 

  1003.         if (!X509_LOOKUP_load_store_ex(lookup, CAstore, libctx, propq)) {
    1004. 

  1004.             BIO_printf(bio_err, "Error loading store URI %s\n", CAstore);
    1005. 

  1005.             goto err;
    1006. 

  1006.         }
    1007. 

  1007.     }
    1008. 

  1008. 

  1009.     if (vpm != NULL)
    1010. 

  1010.         X509_STORE_set1_param(cert_ctx, vpm);
    1011. 

  1011. 

  1012.     return cert_ctx;
    1013. 

  1013. 

  1014.  err:
    1015. 

  1015.     X509_STORE_free(cert_ctx);
    1016. 

  1016.     return NULL;
    1017. 

  1017. }
    1018. 

  1018. 

  1019. static int verify_cb(int ok, X509_STORE_CTX *ctx)
    1020. 

  1020. {
    1021. 

  1021.     return ok;
    1022. 

  1022. }
    1023.