-
Notifications
You must be signed in to change notification settings - Fork 5
/
VerifyX509.xs
144 lines (106 loc) · 2.98 KB
/
VerifyX509.xs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
#include "EXTERN.h"
#include "perl.h"
#include "XSUB.h"
#include <openssl/asn1.h>
#include <openssl/objects.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
typedef X509_STORE* Crypt__OpenSSL__VerifyX509;
typedef X509* Crypt__OpenSSL__X509;
static int verify_cb(int ok, X509_STORE_CTX *ctx) {
if (!ok)
switch (ctx->error) {
case X509_V_ERR_CERT_HAS_EXPIRED:
/* case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: */
case X509_V_ERR_INVALID_CA:
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_PURPOSE:
case X509_V_ERR_CRL_HAS_EXPIRED:
case X509_V_ERR_CRL_NOT_YET_VALID:
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
ok = 1;
break;
}
return(ok);
}
static const char *ssl_error(void) {
return ERR_error_string(ERR_get_error(), NULL);
}
static const char *ctx_error(X509_STORE_CTX *ctx) {
return X509_verify_cert_error_string(ctx->error);
}
MODULE = Crypt::OpenSSL::VerifyX509 PACKAGE = Crypt::OpenSSL::VerifyX509
PROTOTYPES: DISABLE
BOOT:
ERR_load_crypto_strings();
ERR_load_ERR_strings();
OpenSSL_add_all_algorithms();
Crypt::OpenSSL::VerifyX509
new(class, cafile_str)
SV *class
SV *cafile_str
PREINIT:
int i = 1;
X509_LOOKUP *lookup = NULL;
STRLEN len;
char *cafile;
CODE:
(void) SvPV_nolen(class);
RETVAL = X509_STORE_new();
if (RETVAL == NULL)
croak("failure to allocate x509 store: %s", ssl_error());
X509_STORE_set_verify_cb_func(RETVAL,verify_cb);
/* load CA file given */
lookup = X509_STORE_add_lookup(RETVAL, X509_LOOKUP_file());
if (lookup == NULL)
croak("failure to add file lookup to store: %s", ssl_error());
cafile = SvPV(cafile_str, len);
i = X509_LOOKUP_load_file(lookup, cafile, X509_FILETYPE_PEM);
if (!i)
croak("load CA cert: %s", ssl_error());
/* default hash_dir lookup */
lookup = X509_STORE_add_lookup(RETVAL,X509_LOOKUP_hash_dir());
if (lookup == NULL)
croak("failure to add hash_dir lookup to store: %s", ssl_error());
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
ERR_clear_error();
OUTPUT:
RETVAL
int
verify(store, x509)
Crypt::OpenSSL::VerifyX509 store;
Crypt::OpenSSL::X509 x509;
PREINIT:
X509_STORE_CTX *csc;
CODE:
if (x509 == NULL)
croak("no cert to verify");
csc = X509_STORE_CTX_new();
if (csc == NULL)
croak("csc new: %s", ssl_error());
X509_STORE_set_flags(store, 0);
if (!X509_STORE_CTX_init(csc,store,x509,NULL))
croak("store ctx init: %s", ssl_error());
RETVAL = X509_verify_cert(csc);
X509_STORE_CTX_free(csc);
if (!RETVAL)
croak("verify: %s", ctx_error(csc));
OUTPUT:
RETVAL
void
DESTROY(store)
Crypt::OpenSSL::VerifyX509 store;
PPCODE:
if (store) X509_STORE_free(store); store = 0;
void
__X509_cleanup(void)
PPCODE:
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
EVP_cleanup();