author | Michal Rokos <m.rokos@sh.cvut.cz> | 2002-01-10 19:32:01 +0000 |
---|---|---|
committer | Michal Rokos <m.rokos@sh.cvut.cz> | 2002-01-10 19:32:01 +0000 |
commit | 122bbe51a8d137fdc1cb16e762bf516c2a9255cb (patch) | |
tree | d02b4c7da6ff6163f1b4b6b93e5e887b0014c0a0 | |
parent | 6dfe210e0c550953aff89b3fe7f05f35fdda8263 (diff) | |
download | ruby-openssl-history-122bbe51a8d137fdc1cb16e762bf516c2a9255cb.tar.gz |
* fixed and improved verify_callbacks in ossl_(ssl|x509store).c
* enhanced ossl_x509store.rb examples
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | ossl_cipher.c | 10 | ||||
-rw-r--r-- | ossl_ssl.c | 16 | ||||
-rw-r--r-- | ossl_x509store.c | 90 | ||||
-rwxr-xr-x | test/ossl_x509store.rb | 80 |
5 files changed, 114 insertions, 86 deletions
@@ -4,6 +4,10 @@ Copyright (C) 2001 Michal Rokos <m.rokos@sh.cvut.cz> All rights reserved. $Log$
+Revision 1.23 2002/01/10 19:32:23 majkl
+ * fixed and improved verify_callbacks in ossl_(ssl|x509store).c
+ * enhanced ossl_x509store.rb examples
+
 Revision 1.22 2002/01/10 17:33:16 majkl
 * OpenSSL::Cipher::BITx constant == x (so BIT40 = 40,...)
diff --git a/ossl_cipher.c b/ossl_cipher.c
index e02e644..94685fb 100644
--- a/ossl_cipher.c
+++ b/ossl_cipher.c
@@ -26,11 +26,11 @@
 #define CBC 0x8000
 #define EDE 0x0001
 #define EDE3 0x0002
-#define BIT40 0x0028 /*40*/
-#define BIT64 0x0040 /*64*/
-#define BIT128 0x0080 /*128*/
-#define BIT192 0x00C0 /*192*/
-#define BIT256 0x0100 /*256*/
+#define BIT40 0x0028 /*== 40*/
+#define BIT64 0x0040 /*== 64*/
+#define BIT128 0x0080 /*== 128*/
+#define BIT192 0x00C0 /*== 192*/
+#define BIT256 0x0100 /*== 256*/
 /*
 * Classes
@@ -139,21 +139,27 @@ ssl_false(VALUE dummy)
 static int MS_CALLBACK
 ssl_verify_callback(int ok, X509_STORE_CTX *ctx)
 {
- VALUE x509stc, args, ret;
-
- ret = (ok) ? Qtrue : Qfalse;
+ VALUE x509stc, args, ret = Qnil;
 if (!NIL_P(ssl_verify_callback_proc)) {
 x509stc = ossl_x509store_new(ctx);
 rb_funcall(x509stc, rb_intern("protect"), 0, NULL);
 args = rb_ary_new2(3);
 rb_ary_store(args, 0, ssl_verify_callback_proc);
- rb_ary_store(args, 1, ret);
+ rb_ary_store(args, 1, ok ? Qtrue : Qfalse);
 rb_ary_store(args, 2, x509stc);
 ret = rb_rescue(ssl_call_callback_proc, args, ssl_false, Qnil);
+
+ if (ret == Qtrue) {
+ ok = 1;
+ ctx->error = X509_V_OK;
+ } else {
+ ok = 0;
+ ctx->error = X509_V_ERR_CERT_REJECTED;
+ }
 }
- return (ret == Qtrue) ? 1 : 0;
+ return ok;
 }
 static void
diff --git a/ossl_x509store.c b/ossl_x509store.c
index fc36ce4..994d20f 100644
--- a/ossl_x509store.c
+++ b/ossl_x509store.c
@@ -29,8 +29,7 @@ VALUE eX509StoreError;
 /*
 * General callback for OpenSSL verify
 */
-int
-ossl_x509store_verify_cb(int, X509_STORE_CTX *);
+int ossl_x509store_verify_cb(int, X509_STORE_CTX *);
 /*
 * Struct 
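Review bot: In ssl_verify_callback, a `Qtrue` from the Ruby proc now forces `ok = 1; ctx->error = X509_V_OK;` whatever OpenSSL had found, so a proc that answers true on an `ok == 0` call turns an expired, untrusted or revoked certificate into a clean verification, and since ctx->error is overwritten the original error code is presumably no longer retrievable afterwards. That is the intended override semantic, but it deserves a comment at the `if (ret == Qtrue)` line, e.g. `/* true from the proc overrides OpenSSL's verdict and discards the original error; a proc that only wants to observe must return ok unchanged */`. Note also that only the exact `true` value accepts: any other return, including a truthy non-boolean such as an Integer or a String, is treated as rejection via `X509_V_ERR_CERT_REJECTED`, which is stricter than Ruby truthiness and worth stating at the same place. The identical override block is added to ossl_x509store_verify_cb in ossl_x509store.c; a single shared static helper would keep the two callbacks in step.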
@@ -46,8 +45,8 @@ ossl_x509store_free(ossl_x509store *storep)
 if (storep) {
 if (storep->store && storep->protect == 0)
 X509_STORE_CTX_free(storep->store);
- else
- storep->store = NULL;
+
+ storep->store = NULL;
 free(storep);
 }
 }
@@ -215,37 +214,33 @@ ossl_x509store_add_trusted(VALUE self, VALUE cert)
 return cert;
 }
-/*
- * DOESN'T WORK!!!
- * I have to walk X509_OBJECTS in storep->store
 static VALUE
-ossl_x509store_get_chain(obj)
- VALUE obj;
+ossl_x509store_get_chain(VALUE self)
 {
- ossl_x509store *storep = NULL;
- X509_STORE_CTX ctx;
+ ossl_x509store *storep = NULL;
 X509 *x509 = NULL;
 int i, num;
- VALUE ary, cert;
+ VALUE ary;
 GetX509Store(self, storep);
- X509_STORE_CTX_init(&ctx, storep->store, NULL, NULL);
- X509_verify_cert(&ctx);
- num = sk_X509_num(ctx.chain);
- rb_bug("chain=%d", num);
+ num = sk_X509_num(storep->store->chain);
+
+ if (num < 0) {
+ rb_warning("certs in chain < 0???");
+ return rb_ary_new();
+ }
- if (num < 0) return rb_ary_new();
 ary = rb_ary_new2(num);
+
 for(i=0; i<num; i++) {
- x509 = sk_X509_value(ctx.chain, i);
- cert = ossl_x509_new(x509);
- rb_ary_push(ary, cert);
+ x509 = sk_X509_value(storep->store->chain, i);
+ rb_ary_push(ary, ossl_x509_new(x509));
+ X509_free(x509);
 }
 return ary;
 }
- */
 static VALUE
 ossl_x509store_add_crl(VALUE self, VALUE crlst)
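Review bot: `X509_free(x509)` in the new loop of ossl_x509store_get_chain releases a certificate that `sk_X509_value(storep->store->chain, i)` only borrowed: the stack still holds its own reference, so the refcount drops below what the chain owns and the certificate is freed underneath the store, after which a later verify or the chain's own teardown touches freed memory. Drop the `X509_free(x509);` line; if ossl_x509_new is meant to take ownership (not visible here) it should take a reference of its own instead of the wrapper freeing the stack's. Separately, `num = sk_X509_num(storep->store->chain)` reads the chain that the last X509_verify_cert built; when no verify has run the chain is presumably NULL and the `num < 0` branch covers that, but a comment such as `/* chain built by the last verify, not the trusted certificates */` above the call would stop callers from mistaking the result for the trust store.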
@@ -268,38 +263,6 @@ ossl_x509store_add_crl(VALUE self, VALUE crlst)
 return crlst;
 }
-/*
- * No need for
-static VALUE
-ossl_x509store_add(VALUE self, VALUE arg)
-{
- ossl_x509store *storep = NULL;
- X509 *x509 = NULL;
- X509_CRL *crl = NULL;
-
- GetX509Store(self, storep);
-
- switch (OSSL_TYPE(arg)) {
- case T_OSSL_X509CRL:
- crl = ossl_x509crl_get_X509_CRL(arg);
- if (!X509_STORE_add_crl(storep->store, crl)) {
- rb_raise(eX509StoreError, "%s", ossl_error());
- }
- break;
- case T_OSSL_X509:
- x509 = ossl_x509_get_X509(arg);
- if (!X509_STORE_add_cert(storep->store, x509)) {
- rb_raise(eX509StoreError, "%s", ossl_error());
- }
- break;
- default:
- rb_raise(rb_eTypeError, "unsupported type");
- }
-
- return obj;
-}
- */
-
 static VALUE
 ossl_x509store_call_verify_cb_proc(VALUE args)
 {
@@ -321,7 +284,7 @@ ossl_x509store_verify_false(VALUE dummy)
 return Qfalse;
 }
-int
+int MS_CALLBACK
 ossl_x509store_verify_cb(int ok, X509_STORE_CTX *ctx)
 {
 VALUE proc, store_ctx, args, ret = Qnil;
@@ -333,15 +296,23 @@ ossl_x509store_verify_cb(int ok, X509_STORE_CTX *ctx)
 if (!NIL_P(proc)) {
 store_ctx = ossl_x509store_new(ctx);
- rb_funcall(store_ctx, rb_intern("protect"), 0, NULL); /* called default by ossl_..new */
+ /* rb_funcall(store_ctx, rb_intern("protect"), 0, NULL); -- called default by ossl_..new */
 args = rb_ary_new2(3);
 rb_ary_store(args, 0, proc);
 rb_ary_store(args, 1, ok ? Qtrue : Qfalse);
 rb_ary_store(args, 2, store_ctx);
 ret = rb_rescue(ossl_x509store_call_verify_cb_proc, args, ossl_x509store_verify_false, Qnil);
+
+ if (ret == Qtrue) {
+ ok = 1;
+ ctx->error = X509_V_OK;
+ } else {
+ ok = 0;
+ ctx->error = X509_V_ERR_CERT_REJECTED;
+ }
 }
- return (ret == Qtrue) ? 1 : 0;
+ return ok;
 }
 static VALUE
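Review bot: The commented-out `rb_funcall(store_ctx, rb_intern("protect"), 0, NULL)` in ossl_x509store_verify_cb should be deleted rather than kept as dead code, and the claim it carries, that ossl_x509store_new sets protect by default, is load-bearing: ossl_x509store_free in this same commit calls `X509_STORE_CTX_free(storep->store)` whenever `protect == 0`, so a wrapper created around OpenSSL's own ctx inside the callback without protect would free that ctx on garbage collection while OpenSSL is still using it. ossl_x509store_new is not visible here, so I cannot confirm the default; ssl_verify_callback in ossl_ssl.c still makes the explicit protect call, which means the two callbacks now disagree on whose job it is. Pick one convention for both, and once the default is confirmed replace the dead line with `/* ossl_x509store_new() marks the wrapper protected: the ctx belongs to OpenSSL */`.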
@@ -481,17 +452,14 @@ Init_ossl_x509store(VALUE module)
 rb_attr(cX509Store, rb_intern("verify_callback"), 1, 0, Qfalse);
 rb_define_method(cX509Store, "verify_callback=", ossl_x509store_set_verify_cb, 1);
-/*
- * DOESN'T WORK! :-(( - BUT NOW WILL! :-))
- rb_define_method(cX509Store, "chain", ossl_x509store_get_chain, 0);
- */
 rb_define_method(cX509Store, "add_trusted", ossl_x509store_add_trusted, 1);
 rb_define_method(cX509Store, "add_crl", ossl_x509store_add_crl, 1);
- /*rb_define_method(cX509Store, "<<", ossl_x509store_add, 1);*/
+
 rb_define_method(cX509Store, "verify", ossl_x509store_verify, 1);
 rb_define_method(cX509Store, "verify_status", ossl_x509store_get_verify_status, 0);
 rb_define_method(cX509Store, "verify_message", ossl_x509store_get_verify_message, 0);
 rb_define_method(cX509Store, "verify_depth", ossl_x509store_get_verify_depth, 0);
+ rb_define_method(cX509Store, "chain", ossl_x509store_get_chain, 0);
 rb_define_method(cX509Store, "cert", ossl_x509store_get_cert, 0);
 rb_define_method(cX509Store, "protect", ossl_x509store_protect, 0);
 rb_define_method(cX509Store, "set_default_paths", ossl_x509store_set_default_paths, 0);
diff --git a/test/ossl_x509store.rb b/test/ossl_x509store.rb
index ba81100..f76dd69 100755
--- a/test/ossl_x509store.rb
+++ b/test/ossl_x509store.rb
@@ -4,23 +4,73 @@ require 'openssl'
 include OpenSSL
 include X509
+verify_cb = Proc.new {|ok, x509_store|
+ puts "\t\t====begin Verify===="
+ puts "\t\tOK = #{ok}"
+ puts "\t\tchecking #{x509_store.cert.subject.to_str}"
+ puts "\t\tstatus = #{x509_store.verify_status} - that is \"#{x509_store.verify_message}\""
+ puts "\t\t==== end Verify===="
+ #raise "SOME ERROR!" # Cert will be rejected
+ #false # Cert will be rejected
+ #true # Cert is OK
+ ok # just throw 'ok' through
+}
+
 p ca = Certificate.new(File.open("./cacert.pem").read)
-p cakey = ca.public_key
+puts "CA = #{ca.subject.to_str}, serial = #{ca.serial}"
+cakey = ca.public_key
+
 p cert = Certificate.new(File.open("./01cert.pem").read)
-p key = cert.public_key
-p cert.serial
-#cert2 = Certificate.new(File.open("./02cert.pem").read)
+puts "Cert = #{cert.subject.to_str}, serial = #{cert.serial}"
+key = cert.public_key
+
 p crl = CRL.new(File.open("./01crl.pem").read)
-p crl.verify cakey
-p crl.revoked[0].serial
-#p ca.issuer.to_str
-#p ca.subject.to_str
-#p cert.subject.to_str
-#p cert.issuer.to_str
+print "Is CRL signed by CA?..."
+if crl.verify cakey
+ puts "Yes - OK!"
+else
+ puts "NO - Strange... Let's stop."
+ exit
+end
+
+puts "In CRL there are serials:"
+crl.revoked.each {|revoked|
+ puts "> #{revoked.serial} - revoked at #{revoked.time}"
+}
+
 p store = Store.new
-#p store.add_trusted ca # :-))
-p store.add_trusted cert # :-((
-#p store.add_trusted cert2 # :-((
-p store.add_crl crl #CRL does NOT have affect on validity in current OpenSSL <= 0.9.6b !!!
-p store.verify cert
+
+##
+# Uncomment to see what is checked...
+store.verify_callback = verify_cb
+
+store.add_trusted ca
+
+puts "===================="
+puts "Is CERT OK?..."
+if store.verify cert
+ puts "Yes - we didn't add CRL to store!"
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+else
+ puts "NO - HEY, this is error!"
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+end
+
+puts "Let's add CRL..."
+ store.add_crl crl #CRL does NOT have affect on validity in current OpenSSL <= 0.9.6c !!!
+
+puts "===================="
+puts "Is CERT still OK?..."
+if store.verify cert
+ puts "Yes - HEY, this is bug! OpenSSL <= 0.9.6c doesn't care about CRL in Store :-(((("
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+else
+ puts "No - now it works!"
+ puts "\t\t(status = #{store.verify_status} - that is \"#{store.verify_message}\")"
+end
+
+puts "Trusted certs:"
+store.chain.each_with_index {|cert, i|
+ puts "> #{i} --- #{cert.subject.to_str}"
+}
|
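Review bot: The commented alternatives `#true # Cert is OK` and `#false # Cert will be rejected` in verify_cb read as if the return value merely annotates the outcome, but with this commit's C-side change a `true` return overrides OpenSSL's verdict for every certificate and every error in the chain, so uncommenting `#true` makes the store accept any certificate whatsoever. The example should say so, e.g. `#true # overrides ANY OpenSSL error and accepts the cert - only for experiments`, and the `ok # just throw 'ok' through` line is the one to point readers at as the safe default. The heading `puts "Trusted certs:"` above `store.chain` is also misleading: ossl_x509store_get_chain in this commit walks the store's `chain` member, which appears to be the chain built by the last `verify`, not the certificates added with add_trusted, so `puts "Chain from last verify:"` would describe what is actually printed.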