Home Explore Help
Sign In
OWEALs
/
openssl
mirror of git://git.openssl.org/openssl.git
2
0
Fork 0
Files Issues 1 Wiki
Tree: f31ac32001
Branches Tags
openssl
/
apps
/
ts.c

ts.c 31 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015 
  1. /*
    2. 

  2.  * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5.  * this file except in compliance with the License.  You can obtain a copy
    6. 

  6.  * in the file LICENSE in the source distribution or at
    7. 

  7.  * https://www.openssl.org/source/license.html
    8. 

  8.  */
    9. 

  9. 

  10. #include <openssl/opensslconf.h>
    11. 

  11. #include <stdio.h>
    12. 

  12. #include <stdlib.h>
    13. 

  13. #include <string.h>
    14. 

  14. #include "apps.h"
    15. 

  15. #include "progs.h"
    16. 

  16. #include <openssl/bio.h>
    17. 

  17. #include <openssl/err.h>
    18. 

  18. #include <openssl/pem.h>
    19. 

  19. #include <openssl/rand.h>
    20. 

  20. #include <openssl/ts.h>
    21. 

  21. #include <openssl/bn.h>
    22. 

  22. 

  23. /* Request nonce length, in bits (must be a multiple of 8). */
    24. 

  24. #define NONCE_LENGTH            64
    25. 

  25. 

  26. /* Name of config entry that defines the OID file. */
    27. 

  27. #define ENV_OID_FILE            "oid_file"
    28. 

  28. 

  29. /* Is |EXACTLY_ONE| of three pointers set? */
    30. 

  30. #define EXACTLY_ONE(a, b, c) \
    31. 

  31.         (( a && !b && !c) || \
    32. 

  32.          ( b && !a && !c) || \
    33. 

  33.          ( c && !a && !b))
    34. 

  34. 

  35. static ASN1_OBJECT *txt2obj(const char *oid);
    36. 

  36. static CONF *load_config_file(const char *configfile);
    37. 

  37. 

  38. /* Query related functions. */
    39. 

  39. static int query_command(const char *data, const char *digest,
    40. 

  40.                          const EVP_MD *md, const char *policy, int no_nonce,
    41. 

  41.                          int cert, const char *in, const char *out, int text);
    42. 

  42. static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
    43. 

  43.                             const char *policy, int no_nonce, int cert);
    44. 

  44. static int create_digest(BIO *input, const char *digest,
    45. 

  45.                          const EVP_MD *md, unsigned char **md_value);
    46. 

  46. static ASN1_INTEGER *create_nonce(int bits);
    47. 

  47. 

  48. /* Reply related functions. */
    49. 

  49. static int reply_command(CONF *conf, const char *section, const char *engine,
    50. 

  50.                          const char *queryfile, const char *passin, const char *inkey,
    51. 

  51.                          const EVP_MD *md, const char *signer, const char *chain,
    52. 

  52.                          const char *policy, const char *in, int token_in,
    53. 

  53.                          const char *out, int token_out, int text);
    54. 

  54. static TS_RESP *read_PKCS7(BIO *in_bio);
    55. 

  55. static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
    56. 

  56.                                 const char *queryfile, const char *passin,
    57. 

  57.                                 const char *inkey, const EVP_MD *md, const char *signer,
    58. 

  58.                                 const char *chain, const char *policy);
    59. 

  59. static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
    60. 

  60. static ASN1_INTEGER *next_serial(const char *serialfile);
    61. 

  61. static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
    62. 

  62. 

  63. /* Verify related functions. */
    64. 

  64. static int verify_command(const char *data, const char *digest, const char *queryfile,
    65. 

  65.                           const char *in, int token_in,
    66. 

  66.                           const char *CApath, const char *CAfile,
    67. 

  67.                           const char *CAstore,
    68. 

  68.                           const char *untrusted, X509_VERIFY_PARAM *vpm);
    69. 

  69. static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
    70. 

  70.                                         const char *queryfile,
    71. 

  71.                                         const char *CApath, const char *CAfile,
    72. 

  72.                                         const char *CAstore,
    73. 

  73.                                         const char *untrusted,
    74. 

  74.                                         X509_VERIFY_PARAM *vpm);
    75. 

  75. static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
    76. 

  76.                                      const char *CAstore, X509_VERIFY_PARAM *vpm);
    77. 

  77. static int verify_cb(int ok, X509_STORE_CTX *ctx);
    78. 

  78. 

  79. typedef enum OPTION_choice {
    80. 

  80.     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    81. 

  81.     OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
    82. 

  82.     OPT_DIGEST, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
    83. 

  83.     OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
    84. 

  84.     OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
    85. 

  85.     OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED,
    86. 

  86.     OPT_MD, OPT_V_ENUM, OPT_R_ENUM, OPT_PROV_ENUM
    87. 

  87. } OPTION_CHOICE;
    88. 

  88. 

  89. const OPTIONS ts_options[] = {
    90. 

  90.     OPT_SECTION("General"),
    91. 

  91.     {"help", OPT_HELP, '-', "Display this summary"},
    92. 

  92.     {"config", OPT_CONFIG, '<', "Configuration file"},
    93. 

  93.     {"section", OPT_SECTION, 's', "Section to use within config file"},
    94. 

  94. #ifndef OPENSSL_NO_ENGINE
    95. 

  95.     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    96. 

  96. #endif
    97. 

  97.     {"inkey", OPT_INKEY, 's', "File with private key for reply"},
    98. 

  98.     {"signer", OPT_SIGNER, 's', "Signer certificate file"},
    99. 

  99.     {"chain", OPT_CHAIN, '<', "File with signer CA chain"},
    100. 

  100.     {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
    101. 

  101.     {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
    102. 

  102.     {"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
    103. 

  103.     {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
    104. 

  104.     {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
    105. 

  105.     {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
    106. 

  106.     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    107. 

  107.     {"", OPT_MD, '-', "Any supported digest"},
    108. 

  108. 

  109.     OPT_SECTION("Query"),
    110. 

  110.     {"query", OPT_QUERY, '-', "Generate a TS query"},
    111. 

  111.     {"data", OPT_DATA, '<', "File to hash"},
    112. 

  112.     {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
    113. 

  113.     {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
    114. 

  114.     {"cert", OPT_CERT, '-', "Put cert request into query"},
    115. 

  115.     {"in", OPT_IN, '<', "Input file"},
    116. 

  116. 

  117.     OPT_SECTION("Verify"),
    118. 

  118.     {"verify", OPT_VERIFY, '-', "Verify a TS response"},
    119. 

  119.     {"reply", OPT_REPLY, '-', "Generate a TS reply"},
    120. 

  120.     {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
    121. 

  121.     {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
    122. 

  122.     {"out", OPT_OUT, '>', "Output file"},
    123. 

  123.     {"text", OPT_TEXT, '-', "Output text (not DER)"},
    124. 

  124. 

  125.     OPT_R_OPTIONS,
    126. 

  126.     OPT_V_OPTIONS,
    127. 

  127.     OPT_PROV_OPTIONS,
    128. 

  128.     {NULL}
    129. 

  129. };
    130. 

  130. 

  131. /*
    132. 

  132.  * This command is so complex, special help is needed.
    133. 

  133.  */
    134. 

  134. static char* opt_helplist[] = {
    135. 

  135.     "",
    136. 

  136.     "Typical uses:",
    137. 

  137.     " openssl ts -query [-rand file...] [-config file] [-data file]",
    138. 

  138.     "    [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
    139. 

  139.     "    [-in file] [-out file] [-text]",
    140. 

  140.     "",
    141. 

  141.     " openssl ts -reply [-config file] [-section tsa_section]",
    142. 

  142.     "    [-queryfile file] [-passin password]",
    143. 

  143.     "    [-signer tsa_cert.pem] [-inkey private_key.pem]",
    144. 

  144.     "    [-chain certs_file.pem] [-tspolicy oid]",
    145. 

  145.     "    [-in file] [-token_in] [-out file] [-token_out]",
    146. 

  146. #ifndef OPENSSL_NO_ENGINE
    147. 

  147.     "    [-text] [-engine id]",
    148. 

  148. #else
    149. 

  149.     "    [-text]",
    150. 

  150. #endif
    151. 

  151.     "",
    152. 

  152.     " openssl ts -verify -CApath dir -CAfile file.pem -CAstore uri",
    153. 

  153.     "   -untrusted file.pem [-data file] [-digest hexstring]",
    154. 

  154.     "    [-queryfile file] -in file [-token_in] ...",
    155. 

  155.     NULL,
    156. 

  156. };
    157. 

  157. 

  158. int ts_main(int argc, char **argv)
    159. 

  159. {
    160. 

  160.     CONF *conf = NULL;
    161. 

  161.     const char *CAfile = NULL, *untrusted = NULL, *prog;
    162. 

  162.     const char *configfile = default_config_file, *engine = NULL;
    163. 

  163.     const char *section = NULL;
    164. 

  164.     char **helpp;
    165. 

  165.     char *password = NULL;
    166. 

  166.     char *data = NULL, *digest = NULL, *policy = NULL;
    167. 

  167.     char *in = NULL, *out = NULL, *queryfile = NULL, *passin = NULL;
    168. 

  168.     char *inkey = NULL, *signer = NULL, *chain = NULL, *CApath = NULL;
    169. 

  169.     char *CAstore = NULL;
    170. 

  170.     const EVP_MD *md = NULL;
    171. 

  171.     OPTION_CHOICE o, mode = OPT_ERR;
    172. 

  172.     int ret = 1, no_nonce = 0, cert = 0, text = 0;
    173. 

  173.     int vpmtouched = 0;
    174. 

  174.     X509_VERIFY_PARAM *vpm = NULL;
    175. 

  175.     /* Input is ContentInfo instead of TimeStampResp. */
    176. 

  176.     int token_in = 0;
    177. 

  177.     /* Output is ContentInfo instead of TimeStampResp. */
    178. 

  178.     int token_out = 0;
    179. 

  179. 

  180.     if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
    181. 

  181.         goto end;
    182. 

  182. 

  183.     prog = opt_init(argc, argv, ts_options);
    184. 

  184.     while ((o = opt_next()) != OPT_EOF) {
    185. 

  185.         switch (o) {
    186. 

  186.         case OPT_EOF:
    187. 

  187.         case OPT_ERR:
    188. 

  188.  opthelp:
    189. 

  189.             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
    190. 

  190.             goto end;
    191. 

  191.         case OPT_HELP:
    192. 

  192.             opt_help(ts_options);
    193. 

  193.             for (helpp = opt_helplist; *helpp; ++helpp)
    194. 

  194.                 BIO_printf(bio_err, "%s\n", *helpp);
    195. 

  195.             ret = 0;
    196. 

  196.             goto end;
    197. 

  197.         case OPT_CONFIG:
    198. 

  198.             configfile = opt_arg();
    199. 

  199.             break;
    200. 

  200.         case OPT_SECTION:
    201. 

  201.             section = opt_arg();
    202. 

  202.             break;
    203. 

  203.         case OPT_QUERY:
    204. 

  204.         case OPT_REPLY:
    205. 

  205.         case OPT_VERIFY:
    206. 

  206.             if (mode != OPT_ERR)
    207. 

  207.                 goto opthelp;
    208. 

  208.             mode = o;
    209. 

  209.             break;
    210. 

  210.         case OPT_DATA:
    211. 

  211.             data = opt_arg();
    212. 

  212.             break;
    213. 

  213.         case OPT_DIGEST:
    214. 

  214.             digest = opt_arg();
    215. 

  215.             break;
    216. 

  216.         case OPT_R_CASES:
    217. 

  217.             if (!opt_rand(o))
    218. 

  218.                 goto end;
    219. 

  219.             break;
    220. 

  220.         case OPT_PROV_CASES:
    221. 

  221.             if (!opt_provider(o))
    222. 

  222.                 goto end;
    223. 

  223.             break;
    224. 

  224.         case OPT_TSPOLICY:
    225. 

  225.             policy = opt_arg();
    226. 

  226.             break;
    227. 

  227.         case OPT_NO_NONCE:
    228. 

  228.             no_nonce = 1;
    229. 

  229.             break;
    230. 

  230.         case OPT_CERT:
    231. 

  231.             cert = 1;
    232. 

  232.             break;
    233. 

  233.         case OPT_IN:
    234. 

  234.             in = opt_arg();
    235. 

  235.             break;
    236. 

  236.         case OPT_TOKEN_IN:
    237. 

  237.             token_in = 1;
    238. 

  238.             break;
    239. 

  239.         case OPT_OUT:
    240. 

  240.             out = opt_arg();
    241. 

  241.             break;
    242. 

  242.         case OPT_TOKEN_OUT:
    243. 

  243.             token_out = 1;
    244. 

  244.             break;
    245. 

  245.         case OPT_TEXT:
    246. 

  246.             text = 1;
    247. 

  247.             break;
    248. 

  248.         case OPT_QUERYFILE:
    249. 

  249.             queryfile = opt_arg();
    250. 

  250.             break;
    251. 

  251.         case OPT_PASSIN:
    252. 

  252.             passin = opt_arg();
    253. 

  253.             break;
    254. 

  254.         case OPT_INKEY:
    255. 

  255.             inkey = opt_arg();
    256. 

  256.             break;
    257. 

  257.         case OPT_SIGNER:
    258. 

  258.             signer = opt_arg();
    259. 

  259.             break;
    260. 

  260.         case OPT_CHAIN:
    261. 

  261.             chain = opt_arg();
    262. 

  262.             break;
    263. 

  263.         case OPT_CAPATH:
    264. 

  264.             CApath = opt_arg();
    265. 

  265.             break;
    266. 

  266.         case OPT_CAFILE:
    267. 

  267.             CAfile = opt_arg();
    268. 

  268.             break;
    269. 

  269.         case OPT_CASTORE:
    270. 

  270.             CAstore = opt_arg();
    271. 

  271.             break;
    272. 

  272.         case OPT_UNTRUSTED:
    273. 

  273.             untrusted = opt_arg();
    274. 

  274.             break;
    275. 

  275.         case OPT_ENGINE:
    276. 

  276.             engine = opt_arg();
    277. 

  277.             break;
    278. 

  278.         case OPT_MD:
    279. 

  279.             if (!opt_md(opt_unknown(), &md))
    280. 

  280.                 goto opthelp;
    281. 

  281.             break;
    282. 

  282.         case OPT_V_CASES:
    283. 

  283.             if (!opt_verify(o, vpm))
    284. 

  284.                 goto end;
    285. 

  285.             vpmtouched++;
    286. 

  286.             break;
    287. 

  287.         }
    288. 

  288.     }
    289. 

  289.     if (mode == OPT_ERR || opt_num_rest() != 0)
    290. 

  290.         goto opthelp;
    291. 

  291. 

  292.     if (mode == OPT_REPLY && passin &&
    293. 

  293.         !app_passwd(passin, NULL, &password, NULL)) {
    294. 

  294.         BIO_printf(bio_err, "Error getting password.\n");
    295. 

  295.         goto end;
    296. 

  296.     }
    297. 

  297. 

  298.     if ((conf = load_config_file(configfile)) == NULL)
    299. 

  299.         goto end;
    300. 

  300.     if (configfile != default_config_file && !app_load_modules(conf))
    301. 

  301.         goto end;
    302. 

  302. 

  303.     /* Check parameter consistency and execute the appropriate function. */
    304. 

  304.     if (mode == OPT_QUERY) {
    305. 

  305.         if (vpmtouched)
    306. 

  306.             goto opthelp;
    307. 

  307.         if ((data != NULL) && (digest != NULL))
    308. 

  308.             goto opthelp;
    309. 

  309.         ret = !query_command(data, digest, md, policy, no_nonce, cert,
    310. 

  310.                              in, out, text);
    311. 

  311.     } else if (mode == OPT_REPLY) {
    312. 

  312.         if (vpmtouched)
    313. 

  313.             goto opthelp;
    314. 

  314.         if ((in != NULL) && (queryfile != NULL))
    315. 

  315.             goto opthelp;
    316. 

  316.         if (in == NULL) {
    317. 

  317.             if ((conf == NULL) || (token_in != 0))
    318. 

  318.                 goto opthelp;
    319. 

  319.         }
    320. 

  320.         ret = !reply_command(conf, section, engine, queryfile,
    321. 

  321.                              password, inkey, md, signer, chain, policy,
    322. 

  322.                              in, token_in, out, token_out, text);
    323. 

  323. 

  324.     } else if (mode == OPT_VERIFY) {
    325. 

  325.         if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
    326. 

  326.             goto opthelp;
    327. 

  327.         ret = !verify_command(data, digest, queryfile, in, token_in,
    328. 

  328.                               CApath, CAfile, CAstore, untrusted,
    329. 

  329.                               vpmtouched ? vpm : NULL);
    330. 

  330.     } else {
    331. 

  331.         goto opthelp;
    332. 

  332.     }
    333. 

  333. 

  334.  end:
    335. 

  335.     X509_VERIFY_PARAM_free(vpm);
    336. 

  336.     NCONF_free(conf);
    337. 

  337.     OPENSSL_free(password);
    338. 

  338.     return ret;
    339. 

  339. }
    340. 

  340. 

  341. /*
    342. 

  342.  * Configuration file-related function definitions.
    343. 

  343.  */
    344. 

  344. 

  345. static ASN1_OBJECT *txt2obj(const char *oid)
    346. 

  346. {
    347. 

  347.     ASN1_OBJECT *oid_obj = NULL;
    348. 

  348. 

  349.     if ((oid_obj = OBJ_txt2obj(oid, 0)) == NULL)
    350. 

  350.         BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
    351. 

  351. 

  352.     return oid_obj;
    353. 

  353. }
    354. 

  354. 

  355. static CONF *load_config_file(const char *configfile)
    356. 

  356. {
    357. 

  357.     CONF *conf = app_load_config(configfile);
    358. 

  358. 

  359.     if (conf != NULL) {
    360. 

  360.         const char *p;
    361. 

  361. 

  362.         BIO_printf(bio_err, "Using configuration from %s\n", configfile);
    363. 

  363.         p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
    364. 

  364.         if (p != NULL) {
    365. 

  365.             BIO *oid_bio = BIO_new_file(p, "r");
    366. 

  366.             if (!oid_bio)
    367. 

  367.                 ERR_print_errors(bio_err);
    368. 

  368.             else {
    369. 

  369.                 OBJ_create_objects(oid_bio);
    370. 

  370.                 BIO_free_all(oid_bio);
    371. 

  371.             }
    372. 

  372.         } else
    373. 

  373.             ERR_clear_error();
    374. 

  374.         if (!add_oid_section(conf))
    375. 

  375.             ERR_print_errors(bio_err);
    376. 

  376.     }
    377. 

  377.     return conf;
    378. 

  378. }
    379. 

  379. 

  380. /*
    381. 

  381.  * Query-related method definitions.
    382. 

  382.  */
    383. 

  383. static int query_command(const char *data, const char *digest, const EVP_MD *md,
    384. 

  384.                          const char *policy, int no_nonce,
    385. 

  385.                          int cert, const char *in, const char *out, int text)
    386. 

  386. {
    387. 

  387.     int ret = 0;
    388. 

  388.     TS_REQ *query = NULL;
    389. 

  389.     BIO *in_bio = NULL;
    390. 

  390.     BIO *data_bio = NULL;
    391. 

  391.     BIO *out_bio = NULL;
    392. 

  392. 

  393.     /* Build query object. */
    394. 

  394.     if (in != NULL) {
    395. 

  395.         if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL)
    396. 

  396.             goto end;
    397. 

  397.         query = d2i_TS_REQ_bio(in_bio, NULL);
    398. 

  398.     } else {
    399. 

  399.         if (digest == NULL
    400. 

  400.             && (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL)
    401. 

  401.             goto end;
    402. 

  402.         query = create_query(data_bio, digest, md, policy, no_nonce, cert);
    403. 

  403.     }
    404. 

  404.     if (query == NULL)
    405. 

  405.         goto end;
    406. 

  406. 

  407.     if (text) {
    408. 

  408.         if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
    409. 

  409.             goto end;
    410. 

  410.         if (!TS_REQ_print_bio(out_bio, query))
    411. 

  411.             goto end;
    412. 

  412.     } else {
    413. 

  413.         if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
    414. 

  414.             goto end;
    415. 

  415.         if (!i2d_TS_REQ_bio(out_bio, query))
    416. 

  416.             goto end;
    417. 

  417.     }
    418. 

  418. 

  419.     ret = 1;
    420. 

  420. 

  421.  end:
    422. 

  422.     ERR_print_errors(bio_err);
    423. 

  423.     BIO_free_all(in_bio);
    424. 

  424.     BIO_free_all(data_bio);
    425. 

  425.     BIO_free_all(out_bio);
    426. 

  426.     TS_REQ_free(query);
    427. 

  427.     return ret;
    428. 

  428. }
    429. 

  429. 

  430. static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
    431. 

  431.                             const char *policy, int no_nonce, int cert)
    432. 

  432. {
    433. 

  433.     int ret = 0;
    434. 

  434.     TS_REQ *ts_req = NULL;
    435. 

  435.     int len;
    436. 

  436.     TS_MSG_IMPRINT *msg_imprint = NULL;
    437. 

  437.     X509_ALGOR *algo = NULL;
    438. 

  438.     unsigned char *data = NULL;
    439. 

  439.     ASN1_OBJECT *policy_obj = NULL;
    440. 

  440.     ASN1_INTEGER *nonce_asn1 = NULL;
    441. 

  441. 

  442.     if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
    443. 

  443.         goto err;
    444. 

  444.     if ((ts_req = TS_REQ_new()) == NULL)
    445. 

  445.         goto err;
    446. 

  446.     if (!TS_REQ_set_version(ts_req, 1))
    447. 

  447.         goto err;
    448. 

  448.     if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL)
    449. 

  449.         goto err;
    450. 

  450.     if ((algo = X509_ALGOR_new()) == NULL)
    451. 

  451.         goto err;
    452. 

  452.     if ((algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))) == NULL)
    453. 

  453.         goto err;
    454. 

  454.     if ((algo->parameter = ASN1_TYPE_new()) == NULL)
    455. 

  455.         goto err;
    456. 

  456.     algo->parameter->type = V_ASN1_NULL;
    457. 

  457.     if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
    458. 

  458.         goto err;
    459. 

  459.     if ((len = create_digest(data_bio, digest, md, &data)) == 0)
    460. 

  460.         goto err;
    461. 

  461.     if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
    462. 

  462.         goto err;
    463. 

  463.     if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
    464. 

  464.         goto err;
    465. 

  465.     if (policy && (policy_obj = txt2obj(policy)) == NULL)
    466. 

  466.         goto err;
    467. 

  467.     if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
    468. 

  468.         goto err;
    469. 

  469. 

  470.     /* Setting nonce if requested. */
    471. 

  471.     if (!no_nonce && (nonce_asn1 = create_nonce(NONCE_LENGTH)) == NULL)
    472. 

  472.         goto err;
    473. 

  473.     if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
    474. 

  474.         goto err;
    475. 

  475.     if (!TS_REQ_set_cert_req(ts_req, cert))
    476. 

  476.         goto err;
    477. 

  477. 

  478.     ret = 1;
    479. 

  479.  err:
    480. 

  480.     if (!ret) {
    481. 

  481.         TS_REQ_free(ts_req);
    482. 

  482.         ts_req = NULL;
    483. 

  483.         BIO_printf(bio_err, "could not create query\n");
    484. 

  484.         ERR_print_errors(bio_err);
    485. 

  485.     }
    486. 

  486.     TS_MSG_IMPRINT_free(msg_imprint);
    487. 

  487.     X509_ALGOR_free(algo);
    488. 

  488.     OPENSSL_free(data);
    489. 

  489.     ASN1_OBJECT_free(policy_obj);
    490. 

  490.     ASN1_INTEGER_free(nonce_asn1);
    491. 

  491.     return ts_req;
    492. 

  492. }
    493. 

  493. 

  494. static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
    495. 

  495.                          unsigned char **md_value)
    496. 

  496. {
    497. 

  497.     int md_value_len;
    498. 

  498.     int rv = 0;
    499. 

  499.     EVP_MD_CTX *md_ctx = NULL;
    500. 

  500. 

  501.     md_value_len = EVP_MD_size(md);
    502. 

  502.     if (md_value_len < 0)
    503. 

  503.         return 0;
    504. 

  504. 

  505.     if (input != NULL) {
    506. 

  506.         unsigned char buffer[4096];
    507. 

  507.         int length;
    508. 

  508. 

  509.         md_ctx = EVP_MD_CTX_new();
    510. 

  510.         if (md_ctx == NULL)
    511. 

  511.             return 0;
    512. 

  512.         *md_value = app_malloc(md_value_len, "digest buffer");
    513. 

  513.         if (!EVP_DigestInit(md_ctx, md))
    514. 

  514.             goto err;
    515. 

  515.         while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
    516. 

  516.             if (!EVP_DigestUpdate(md_ctx, buffer, length))
    517. 

  517.                 goto err;
    518. 

  518.         }
    519. 

  519.         if (!EVP_DigestFinal(md_ctx, *md_value, NULL))
    520. 

  520.             goto err;
    521. 

  521.         md_value_len = EVP_MD_size(md);
    522. 

  522.     } else {
    523. 

  523.         long digest_len;
    524. 

  524. 

  525.         *md_value = OPENSSL_hexstr2buf(digest, &digest_len);
    526. 

  526.         if (*md_value == NULL || md_value_len != digest_len) {
    527. 

  527.             OPENSSL_free(*md_value);
    528. 

  528.             *md_value = NULL;
    529. 

  529.             BIO_printf(bio_err, "bad digest, %d bytes "
    530. 

  530.                        "must be specified\n", md_value_len);
    531. 

  531.             return 0;
    532. 

  532.         }
    533. 

  533.     }
    534. 

  534.     rv = md_value_len;
    535. 

  535.  err:
    536. 

  536.     EVP_MD_CTX_free(md_ctx);
    537. 

  537.     return rv;
    538. 

  538. }
    539. 

  539. 

  540. static ASN1_INTEGER *create_nonce(int bits)
    541. 

  541. {
    542. 

  542.     unsigned char buf[20];
    543. 

  543.     ASN1_INTEGER *nonce = NULL;
    544. 

  544.     int len = (bits - 1) / 8 + 1;
    545. 

  545.     int i;
    546. 

  546. 

  547.     if (len > (int)sizeof(buf))
    548. 

  548.         goto err;
    549. 

  549.     if (RAND_bytes(buf, len) <= 0)
    550. 

  550.         goto err;
    551. 

  551. 

  552.     /* Find the first non-zero byte and creating ASN1_INTEGER object. */
    553. 

  553.     for (i = 0; i < len && !buf[i]; ++i)
    554. 

  554.         continue;
    555. 

  555.     if ((nonce = ASN1_INTEGER_new()) == NULL)
    556. 

  556.         goto err;
    557. 

  557.     OPENSSL_free(nonce->data);
    558. 

  558.     nonce->length = len - i;
    559. 

  559.     nonce->data = app_malloc(nonce->length + 1, "nonce buffer");
    560. 

  560.     memcpy(nonce->data, buf + i, nonce->length);
    561. 

  561.     return nonce;
    562. 

  562. 

  563.  err:
    564. 

  564.     BIO_printf(bio_err, "could not create nonce\n");
    565. 

  565.     ASN1_INTEGER_free(nonce);
    566. 

  566.     return NULL;
    567. 

  567. }
    568. 

  568. 

  569. /*
    570. 

  570.  * Reply-related method definitions.
    571. 

  571.  */
    572. 

  572. 

  573. static int reply_command(CONF *conf, const char *section, const char *engine,
    574. 

  574.                          const char *queryfile, const char *passin, const char *inkey,
    575. 

  575.                          const EVP_MD *md, const char *signer, const char *chain,
    576. 

  576.                          const char *policy, const char *in, int token_in,
    577. 

  577.                          const char *out, int token_out, int text)
    578. 

  578. {
    579. 

  579.     int ret = 0;
    580. 

  580.     TS_RESP *response = NULL;
    581. 

  581.     BIO *in_bio = NULL;
    582. 

  582.     BIO *query_bio = NULL;
    583. 

  583.     BIO *inkey_bio = NULL;
    584. 

  584.     BIO *signer_bio = NULL;
    585. 

  585.     BIO *out_bio = NULL;
    586. 

  586. 

  587.     if (in != NULL) {
    588. 

  588.         if ((in_bio = BIO_new_file(in, "rb")) == NULL)
    589. 

  589.             goto end;
    590. 

  590.         if (token_in) {
    591. 

  591.             response = read_PKCS7(in_bio);
    592. 

  592.         } else {
    593. 

  593.             response = d2i_TS_RESP_bio(in_bio, NULL);
    594. 

  594.         }
    595. 

  595.     } else {
    596. 

  596.         response = create_response(conf, section, engine, queryfile,
    597. 

  597.                                    passin, inkey, md, signer, chain, policy);
    598. 

  598.         if (response != NULL)
    599. 

  599.             BIO_printf(bio_err, "Response has been generated.\n");
    600. 

  600.         else
    601. 

  601.             BIO_printf(bio_err, "Response is not generated.\n");
    602. 

  602.     }
    603. 

  603.     if (response == NULL)
    604. 

  604.         goto end;
    605. 

  605. 

  606.     /* Write response. */
    607. 

  607.     if (text) {
    608. 

  608.         if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
    609. 

  609.         goto end;
    610. 

  610.         if (token_out) {
    611. 

  611.             TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
    612. 

  612.             if (!TS_TST_INFO_print_bio(out_bio, tst_info))
    613. 

  613.                 goto end;
    614. 

  614.         } else {
    615. 

  615.             if (!TS_RESP_print_bio(out_bio, response))
    616. 

  616.                 goto end;
    617. 

  617.         }
    618. 

  618.     } else {
    619. 

  619.         if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
    620. 

  620.             goto end;
    621. 

  621.         if (token_out) {
    622. 

  622.             PKCS7 *token = TS_RESP_get_token(response);
    623. 

  623.             if (!i2d_PKCS7_bio(out_bio, token))
    624. 

  624.                 goto end;
    625. 

  625.         } else {
    626. 

  626.             if (!i2d_TS_RESP_bio(out_bio, response))
    627. 

  627.                 goto end;
    628. 

  628.         }
    629. 

  629.     }
    630. 

  630. 

  631.     ret = 1;
    632. 

  632. 

  633.  end:
    634. 

  634.     ERR_print_errors(bio_err);
    635. 

  635.     BIO_free_all(in_bio);
    636. 

  636.     BIO_free_all(query_bio);
    637. 

  637.     BIO_free_all(inkey_bio);
    638. 

  638.     BIO_free_all(signer_bio);
    639. 

  639.     BIO_free_all(out_bio);
    640. 

  640.     TS_RESP_free(response);
    641. 

  641.     return ret;
    642. 

  642. }
    643. 

  643. 

  644. /* Reads a PKCS7 token and adds default 'granted' status info to it. */
    645. 

  645. static TS_RESP *read_PKCS7(BIO *in_bio)
    646. 

  646. {
    647. 

  647.     int ret = 0;
    648. 

  648.     PKCS7 *token = NULL;
    649. 

  649.     TS_TST_INFO *tst_info = NULL;
    650. 

  650.     TS_RESP *resp = NULL;
    651. 

  651.     TS_STATUS_INFO *si = NULL;
    652. 

  652. 

  653.     if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
    654. 

  654.         goto end;
    655. 

  655.     if ((tst_info = PKCS7_to_TS_TST_INFO(token)) == NULL)
    656. 

  656.         goto end;
    657. 

  657.     if ((resp = TS_RESP_new()) == NULL)
    658. 

  658.         goto end;
    659. 

  659.     if ((si = TS_STATUS_INFO_new()) == NULL)
    660. 

  660.         goto end;
    661. 

  661.     if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED))
    662. 

  662.         goto end;
    663. 

  663.     if (!TS_RESP_set_status_info(resp, si))
    664. 

  664.         goto end;
    665. 

  665.     TS_RESP_set_tst_info(resp, token, tst_info);
    666. 

  666.     token = NULL;               /* Ownership is lost. */
    667. 

  667.     tst_info = NULL;            /* Ownership is lost. */
    668. 

  668.     ret = 1;
    669. 

  669. 

  670.  end:
    671. 

  671.     PKCS7_free(token);
    672. 

  672.     TS_TST_INFO_free(tst_info);
    673. 

  673.     if (!ret) {
    674. 

  674.         TS_RESP_free(resp);
    675. 

  675.         resp = NULL;
    676. 

  676.     }
    677. 

  677.     TS_STATUS_INFO_free(si);
    678. 

  678.     return resp;
    679. 

  679. }
    680. 

  680. 

  681. static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
    682. 

  682.                                 const char *queryfile, const char *passin,
    683. 

  683.                                 const char *inkey, const EVP_MD *md, const char *signer,
    684. 

  684.                                 const char *chain, const char *policy)
    685. 

  685. {
    686. 

  686.     int ret = 0;
    687. 

  687.     TS_RESP *response = NULL;
    688. 

  688.     BIO *query_bio = NULL;
    689. 

  689.     TS_RESP_CTX *resp_ctx = NULL;
    690. 

  690. 

  691.     if ((query_bio = BIO_new_file(queryfile, "rb")) == NULL)
    692. 

  692.         goto end;
    693. 

  693.     if ((section = TS_CONF_get_tsa_section(conf, section)) == NULL)
    694. 

  694.         goto end;
    695. 

  695.     if ((resp_ctx = TS_RESP_CTX_new()) == NULL)
    696. 

  696.         goto end;
    697. 

  697.     if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
    698. 

  698.         goto end;
    699. 

  699. #ifndef OPENSSL_NO_ENGINE
    700. 

  700.     if (!TS_CONF_set_crypto_device(conf, section, engine))
    701. 

  701.         goto end;
    702. 

  702. #endif
    703. 

  703.     if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
    704. 

  704.         goto end;
    705. 

  705.     if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
    706. 

  706.         goto end;
    707. 

  707.     if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
    708. 

  708.         goto end;
    709. 

  709. 

  710.     if (md) {
    711. 

  711.         if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
    712. 

  712.             goto end;
    713. 

  713.     } else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
    714. 

  714.             goto end;
    715. 

  715.     }
    716. 

  716. 

  717.     if (!TS_CONF_set_ess_cert_id_digest(conf, section, resp_ctx))
    718. 

  718.         goto end;
    719. 

  719.     if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
    720. 

  720.         goto end;
    721. 

  721.     if (!TS_CONF_set_policies(conf, section, resp_ctx))
    722. 

  722.         goto end;
    723. 

  723.     if (!TS_CONF_set_digests(conf, section, resp_ctx))
    724. 

  724.         goto end;
    725. 

  725.     if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
    726. 

  726.         goto end;
    727. 

  727.     if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
    728. 

  728.         goto end;
    729. 

  729.     if (!TS_CONF_set_ordering(conf, section, resp_ctx))
    730. 

  730.         goto end;
    731. 

  731.     if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
    732. 

  732.         goto end;
    733. 

  733.     if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
    734. 

  734.         goto end;
    735. 

  735.     if ((response = TS_RESP_create_response(resp_ctx, query_bio)) == NULL)
    736. 

  736.         goto end;
    737. 

  737.     ret = 1;
    738. 

  738. 

  739.  end:
    740. 

  740.     if (!ret) {
    741. 

  741.         TS_RESP_free(response);
    742. 

  742.         response = NULL;
    743. 

  743.     }
    744. 

  744.     TS_RESP_CTX_free(resp_ctx);
    745. 

  745.     BIO_free_all(query_bio);
    746. 

  746.     return response;
    747. 

  747. }
    748. 

  748. 

  749. static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data)
    750. 

  750. {
    751. 

  751.     const char *serial_file = (const char *)data;
    752. 

  752.     ASN1_INTEGER *serial = next_serial(serial_file);
    753. 

  753. 

  754.     if (serial == NULL) {
    755. 

  755.         TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
    756. 

  756.                                     "Error during serial number "
    757. 

  757.                                     "generation.");
    758. 

  758.         TS_RESP_CTX_add_failure_info(ctx, TS_INFO_ADD_INFO_NOT_AVAILABLE);
    759. 

  759.     } else {
    760. 

  760.         save_ts_serial(serial_file, serial);
    761. 

  761.     }
    762. 

  762. 

  763.     return serial;
    764. 

  764. }
    765. 

  765. 

  766. static ASN1_INTEGER *next_serial(const char *serialfile)
    767. 

  767. {
    768. 

  768.     int ret = 0;
    769. 

  769.     BIO *in = NULL;
    770. 

  770.     ASN1_INTEGER *serial = NULL;
    771. 

  771.     BIGNUM *bn = NULL;
    772. 

  772. 

  773.     if ((serial = ASN1_INTEGER_new()) == NULL)
    774. 

  774.         goto err;
    775. 

  775. 

  776.     if ((in = BIO_new_file(serialfile, "r")) == NULL) {
    777. 

  777.         ERR_clear_error();
    778. 

  778.         BIO_printf(bio_err, "Warning: could not open file %s for "
    779. 

  779.                    "reading, using serial number: 1\n", serialfile);
    780. 

  780.         if (!ASN1_INTEGER_set(serial, 1))
    781. 

  781.             goto err;
    782. 

  782.     } else {
    783. 

  783.         char buf[1024];
    784. 

  784.         if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
    785. 

  785.             BIO_printf(bio_err, "unable to load number from %s\n",
    786. 

  786.                        serialfile);
    787. 

  787.             goto err;
    788. 

  788.         }
    789. 

  789.         if ((bn = ASN1_INTEGER_to_BN(serial, NULL)) == NULL)
    790. 

  790.             goto err;
    791. 

  791.         ASN1_INTEGER_free(serial);
    792. 

  792.         serial = NULL;
    793. 

  793.         if (!BN_add_word(bn, 1))
    794. 

  794.             goto err;
    795. 

  795.         if ((serial = BN_to_ASN1_INTEGER(bn, NULL)) == NULL)
    796. 

  796.             goto err;
    797. 

  797.     }
    798. 

  798.     ret = 1;
    799. 

  799. 

  800.  err:
    801. 

  801.     if (!ret) {
    802. 

  802.         ASN1_INTEGER_free(serial);
    803. 

  803.         serial = NULL;
    804. 

  804.     }
    805. 

  805.     BIO_free_all(in);
    806. 

  806.     BN_free(bn);
    807. 

  807.     return serial;
    808. 

  808. }
    809. 

  809. 

  810. static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
    811. 

  811. {
    812. 

  812.     int ret = 0;
    813. 

  813.     BIO *out = NULL;
    814. 

  814. 

  815.     if ((out = BIO_new_file(serialfile, "w")) == NULL)
    816. 

  816.         goto err;
    817. 

  817.     if (i2a_ASN1_INTEGER(out, serial) <= 0)
    818. 

  818.         goto err;
    819. 

  819.     if (BIO_puts(out, "\n") <= 0)
    820. 

  820.         goto err;
    821. 

  821.     ret = 1;
    822. 

  822.  err:
    823. 

  823.     if (!ret)
    824. 

  824.         BIO_printf(bio_err, "could not save serial number to %s\n",
    825. 

  825.                    serialfile);
    826. 

  826.     BIO_free_all(out);
    827. 

  827.     return ret;
    828. 

  828. }
    829. 

  829. 

  830. 

  831. /*
    832. 

  832.  * Verify-related method definitions.
    833. 

  833.  */
    834. 

  834. 

  835. static int verify_command(const char *data, const char *digest, const char *queryfile,
    836. 

  836.                           const char *in, int token_in,
    837. 

  837.                           const char *CApath, const char *CAfile,
    838. 

  838.                           const char *CAstore, const char *untrusted,
    839. 

  839.                           X509_VERIFY_PARAM *vpm)
    840. 

  840. {
    841. 

  841.     BIO *in_bio = NULL;
    842. 

  842.     PKCS7 *token = NULL;
    843. 

  843.     TS_RESP *response = NULL;
    844. 

  844.     TS_VERIFY_CTX *verify_ctx = NULL;
    845. 

  845.     int ret = 0;
    846. 

  846. 

  847.     if ((in_bio = BIO_new_file(in, "rb")) == NULL)
    848. 

  848.         goto end;
    849. 

  849.     if (token_in) {
    850. 

  850.         if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
    851. 

  851.             goto end;
    852. 

  852.     } else {
    853. 

  853.         if ((response = d2i_TS_RESP_bio(in_bio, NULL)) == NULL)
    854. 

  854.             goto end;
    855. 

  855.     }
    856. 

  856. 

  857.     if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
    858. 

  858.                                         CApath, CAfile, CAstore, untrusted,
    859. 

  859.                                         vpm)) == NULL)
    860. 

  860.         goto end;
    861. 

  861. 

  862.     ret = token_in
    863. 

  863.         ? TS_RESP_verify_token(verify_ctx, token)
    864. 

  864.         : TS_RESP_verify_response(verify_ctx, response);
    865. 

  865. 

  866.  end:
    867. 

  867.     printf("Verification: ");
    868. 

  868.     if (ret)
    869. 

  869.         printf("OK\n");
    870. 

  870.     else {
    871. 

  871.         printf("FAILED\n");
    872. 

  872.         ERR_print_errors(bio_err);
    873. 

  873.     }
    874. 

  874. 

  875.     BIO_free_all(in_bio);
    876. 

  876.     PKCS7_free(token);
    877. 

  877.     TS_RESP_free(response);
    878. 

  878.     TS_VERIFY_CTX_free(verify_ctx);
    879. 

  879.     return ret;
    880. 

  880. }
    881. 

  881. 

  882. static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
    883. 

  883.                                         const char *queryfile,
    884. 

  884.                                         const char *CApath, const char *CAfile,
    885. 

  885.                                         const char *CAstore,
    886. 

  886.                                         const char *untrusted,
    887. 

  887.                                         X509_VERIFY_PARAM *vpm)
    888. 

  888. {
    889. 

  889.     TS_VERIFY_CTX *ctx = NULL;
    890. 

  890.     BIO *input = NULL;
    891. 

  891.     TS_REQ *request = NULL;
    892. 

  892.     int ret = 0;
    893. 

  893.     int f = 0;
    894. 

  894. 

  895.     if (data != NULL || digest != NULL) {
    896. 

  896.         if ((ctx = TS_VERIFY_CTX_new()) == NULL)
    897. 

  897.             goto err;
    898. 

  898.         f = TS_VFY_VERSION | TS_VFY_SIGNER;
    899. 

  899.         if (data != NULL) {
    900. 

  900.             BIO *out = NULL;
    901. 

  901. 

  902.             f |= TS_VFY_DATA;
    903. 

  903.             if ((out = BIO_new_file(data, "rb")) == NULL)
    904. 

  904.                 goto err;
    905. 

  905.             if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
    906. 

  906.                 BIO_free_all(out);
    907. 

  907.                 goto err;
    908. 

  908.             }
    909. 

  909.         } else if (digest != NULL) {
    910. 

  910.             long imprint_len;
    911. 

  911.             unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
    912. 

  912.             f |= TS_VFY_IMPRINT;
    913. 

  913.             if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
    914. 

  914.                 BIO_printf(bio_err, "invalid digest string\n");
    915. 

  915.                 goto err;
    916. 

  916.             }
    917. 

  917.         }
    918. 

  918. 

  919.     } else if (queryfile != NULL) {
    920. 

  920.         if ((input = BIO_new_file(queryfile, "rb")) == NULL)
    921. 

  921.             goto err;
    922. 

  922.         if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL)
    923. 

  923.             goto err;
    924. 

  924.         if ((ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)) == NULL)
    925. 

  925.             goto err;
    926. 

  926.     } else {
    927. 

  927.         return NULL;
    928. 

  928.     }
    929. 

  929. 

  930.     /* Add the signature verification flag and arguments. */
    931. 

  931.     TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
    932. 

  932. 

  933.     /* Initialising the X509_STORE object. */
    934. 

  934.     if (TS_VERIFY_CTX_set_store(ctx,
    935. 

  935.                                 create_cert_store(CApath, CAfile, CAstore, vpm))
    936. 

  936.             == NULL)
    937. 

  937.         goto err;
    938. 

  938. 

  939.     /* Loading untrusted certificates. */
    940. 

  940.     if (untrusted
    941. 

  941.         && TS_VERIFY_CTX_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL)
    942. 

  942.         goto err;
    943. 

  943.     ret = 1;
    944. 

  944. 

  945.  err:
    946. 

  946.     if (!ret) {
    947. 

  947.         TS_VERIFY_CTX_free(ctx);
    948. 

  948.         ctx = NULL;
    949. 

  949.     }
    950. 

  950.     BIO_free_all(input);
    951. 

  951.     TS_REQ_free(request);
    952. 

  952.     return ctx;
    953. 

  953. }
    954. 

  954. 

  955. static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
    956. 

  956.                                      const char *CAstore, X509_VERIFY_PARAM *vpm)
    957. 

  957. {
    958. 

  958.     X509_STORE *cert_ctx = NULL;
    959. 

  959.     X509_LOOKUP *lookup = NULL;
    960. 

  960.     OSSL_LIB_CTX *libctx = app_get0_libctx();
    961. 

  961.     const char *propq = app_get0_propq();
    962. 

  962. 

  963.     cert_ctx = X509_STORE_new();
    964. 

  964.     X509_STORE_set_verify_cb(cert_ctx, verify_cb);
    965. 

  965.     if (CApath != NULL) {
    966. 

  966.         lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
    967. 

  967.         if (lookup == NULL) {
    968. 

  968.             BIO_printf(bio_err, "memory allocation failure\n");
    969. 

  969.             goto err;
    970. 

  970.         }
    971. 

  971.         if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
    972. 

  972.             BIO_printf(bio_err, "Error loading directory %s\n", CApath);
    973. 

  973.             goto err;
    974. 

  974.         }
    975. 

  975.     }
    976. 

  976. 

  977.     if (CAfile != NULL) {
    978. 

  978.         lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
    979. 

  979.         if (lookup == NULL) {
    980. 

  980.             BIO_printf(bio_err, "memory allocation failure\n");
    981. 

  981.             goto err;
    982. 

  982.         }
    983. 

  983.         if (!X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM, libctx,
    984. 

  984.                                       propq)) {
    985. 

  985.             BIO_printf(bio_err, "Error loading file %s\n", CAfile);
    986. 

  986.             goto err;
    987. 

  987.         }
    988. 

  988.     }
    989. 

  989. 

  990.     if (CAstore != NULL) {
    991. 

  991.         lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_store());
    992. 

  992.         if (lookup == NULL) {
    993. 

  993.             BIO_printf(bio_err, "memory allocation failure\n");
    994. 

  994.             goto err;
    995. 

  995.         }
    996. 

  996.         if (!X509_LOOKUP_load_store_ex(lookup, CAstore, libctx, propq)) {
    997. 

  997.             BIO_printf(bio_err, "Error loading store URI %s\n", CAstore);
    998. 

  998.             goto err;
    999. 

  999.         }
    1000. 

  1000.     }
    1001. 

  1001. 

  1002.     if (vpm != NULL)
    1003. 

  1003.         X509_STORE_set1_param(cert_ctx, vpm);
    1004. 

  1004. 

  1005.     return cert_ctx;
    1006. 

  1006. 

  1007.  err:
    1008. 

  1008.     X509_STORE_free(cert_ctx);
    1009. 

  1009.     return NULL;
    1010. 

  1010. }
    1011. 

  1011. 

  1012. static int verify_cb(int ok, X509_STORE_CTX *ctx)
    1013. 

  1013. {
    1014. 

  1014.     return ok;
    1015. 

  1015. }
    1016.