From mt...@apache.org
Subject svn commit: r1171484 - in /commons/sandbox/runtime/trunk/src/main/native: include/acr/ssl.h modules/openssl/api.c modules/openssl/ctx.c modules/openssl/password.c
Date Fri, 16 Sep 2011 10:04:01 GMT
Author: mturk
Date: Fri Sep 16 10:04:00 2011
New Revision: 1171484

URL: http://svn.apache.org/viewvc?rev=1171484&view=rev
Log:
Add option for loading multiple key/cert formats

Modified:
    commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
    commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c

Modified: commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h?rev=1171484&r1=1171483&r2=1171484&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h (original)
+++ commons/sandbox/runtime/trunk/src/main/native/include/acr/ssl.h Fri Sep 16 10:04:00 2011
@@ -43,6 +43,8 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+#include <openssl/ui.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -165,6 +167,22 @@
 #define SSL_MODE_SERVER         1
 #define SSL_MODE_COMBINED       2
 
+#define SSL_FORMAT_UNDEF        0
+#define SSL_FORMAT_ASN1         1
+#define SSL_FORMAT_TEXT         2
+#define SSL_FORMAT_PEM          3
+#define SSL_FORMAT_NETSCAPE     4
+#define SSL_FORMAT_PKCS12       5
+#define SSL_FORMAT_SMIME        6
+#define SSL_FORMAT_ENGINE       7
+#define SSL_FORMAT_IISSGC       8  /* XXX this stupid macro helps us to avoid
+                                    * adding yet another param to load_*key()
+                                    */
+#define SSL_FORMAT_PEMRSA       9   /* PEM RSAPubicKey format */
+#define SSL_FORMAT_ASN1RSA     10   /* DER RSAPubicKey format */
+#define SSL_FORMAT_MSBLOB      11   /* MS Key blob format */
+#define SSL_FORMAT_PVK         12   /* MS PVK file format */
+
 #define SSL_BIO_FLAG_RDONLY     1
 #define SSL_BIO_FLAG_CALLBACK   2
 #define SSL_DEFAULT_CACHE_SIZE  256
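Review bot: The comments on the new `SSL_FORMAT_PEMRSA` and `SSL_FORMAT_ASN1RSA` lines misspell the format name; they should read `/* PEM RSAPublicKey format */` and `/* DER RSAPublicKey format */`. The `SSL_FORMAT_IISSGC` comment says why the value exists but not how the loaders treat it, and in this commit ctx.c dispatches only on ASN1, PEM and PKCS12 in load_key() and on ASN1 and PEM in load_cert(), so a reader cannot tell which of these twelve values are actually accepted; a one-line note on the group, such as `/* Only ASN1, PEM and PKCS12 are handled by load_key()/load_cert() so far */`, would make that explicit. As a point of style, a contiguous run of small integer constants like this is naturally an `enum`, which also shows up in a debugger.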
@@ -375,6 +393,7 @@ void       *ssl_get_app_data2(SSL *);
 void        ssl_set_app_data2(SSL *, void *);
 int         ssl_password_callback(char *, int, int, void *);
 int         ssl_no_password_callback(char *buf, int bufsiz, int verify, void *cb);
+int         ssl_password_set(ssl_pass_cb_t *, const char *);
 void        ssl_bio_close(BIO *);
 void        ssl_bio_doref(BIO *);
 DH         *ssl_dh_get_tmp_param(int);

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c?rev=1171484&r1=1171483&r2=1171484&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/api.c Fri Sep 16 10:04:00
2011
@@ -126,6 +126,7 @@ struct SSLAPIst {
 
     /*** EVP      ***/
     void                (*fpEVP_PKEY_free)(EVP_PKEY *);
+    EVP_PKEY*           (*fpd2i_PrivateKey_bio)(BIO *, EVP_PKEY **);
     
     /*** MD5      ***/
     unsigned char*      (*fpMD5)(const unsigned char *, size_t, unsigned char *);
@@ -142,6 +143,12 @@ struct SSLAPIst {
     X509*               (*fpPEM_read_bio_X509_AUX)(BIO *, X509 **, pem_password_cb *, void
*);
     EVP_PKEY*           (*fpPEM_read_bio_PrivateKey)(BIO *, EVP_PKEY **, pem_password_cb
*, void *);
 
+    /*** PKCS12   ***/
+    PKCS12*             (*fpd2i_PKCS12_bio)(BIO *, PKCS12 **);
+    void                (*fpPKCS12_free)(PKCS12 *);
+    int                 (*fpPKCS12_parse)(PKCS12 *, const char *, EVP_PKEY **, X509 **, STACK_OF(X509)
**);
+    int                 (*fpPKCS12_verify_mac)(PKCS12 *, const char *, int);
+    
     /*** RAND     ***/
     int                 (*fpRAND_bytes)(unsigned char *, int);
     int                 (*fpRAND_egd)(const char *);
@@ -340,7 +347,8 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
 
     /*** EVP      ***/
     CRYPTO_FPLOAD(EVP_PKEY_free);
-    
+    CRYPTO_FPLOAD(d2i_PrivateKey_bio);
+
     /*** MD5      ***/
     CRYPTO_FPLOAD(MD5);
     CRYPTO_FPLOAD(MD5_Final);
@@ -356,6 +364,12 @@ ACR_JNI_EXPORT(jboolean, Native, ldopens
     CRYPTO_FPLOAD(PEM_read_bio_X509_AUX);
     CRYPTO_FPLOAD(PEM_read_bio_PrivateKey);
 
+    /*** PKCS12   ***/
+    CRYPTO_FPLOAD(d2i_PKCS12_bio);
+    CRYPTO_FPLOAD(PKCS12_free);
+    CRYPTO_FPLOAD(PKCS12_parse);
+    CRYPTO_FPLOAD(PKCS12_verify_mac);
+    
     /*** RAND     ***/
     CRYPTO_FPLOAD(RAND_bytes);
     CRYPTO_FPLOAD(RAND_egd);
@@ -672,6 +686,11 @@ void EVP_PKEY_free(EVP_PKEY *pkey)
     SSLAPI_CALL(EVP_PKEY_free)(pkey);
 }
 
+EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **pkey)
+{
+    return SSLAPI_CALL(d2i_PrivateKey_bio)(bio, pkey);
+}
+
 unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md)
 {
     return SSLAPI_CALL(MD5)(d, n, md);
@@ -717,6 +736,27 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *b
     return SSLAPI_CALL(PEM_read_bio_PrivateKey)(bp, x, cb, u);
 }
 
+void PKCS12_free(PKCS12 *x)
+{
+    SSLAPI_CALL(PKCS12_free)(x);
+}
+
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
+{
+    return SSLAPI_CALL(d2i_PKCS12_bio)(bp, p12);
+}
+
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+                 STACK_OF(X509) **ca)
+{
+    return SSLAPI_CALL(PKCS12_parse)(p12, pass, pkey, cert, ca);
+}
+
+int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
+{
+    return SSLAPI_CALL(PKCS12_verify_mac)(p12, pass, passlen);
+}
+
 int RAND_bytes(unsigned char *buf, int num)
 {
     return SSLAPI_CALL(RAND_bytes)(buf, num);

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c?rev=1171484&r1=1171483&r2=1171484&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/ctx.c Fri Sep 16 10:04:00
2011
@@ -257,11 +257,49 @@ ACR_SSL_EXPORT(void, SSLContext, setpass
     c->password_callback = J2P(cb, ssl_pass_cb_t *);
 }
 
-EVP_PKEY *load_pem_key(acr_ssl_ctxt_t *c, const char *file)
+static int load_pkcs12(BIO *in, const char *desc, pem_password_cb *pcb,  void *pcd,
+                       EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+{
+    const char *pass;
+    char        buff[PEM_BUFSIZE];
+    int         len, rc = 0;
+    PKCS12     *p12;
+
+    p12 = d2i_PKCS12_bio(in, 0);
+    if (p12 == 0) {
+        /* Error loading PKCS12 file */
+        goto cleanup;
+    }
+    /* See if an empty password will do */
+    if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, 0, 0)) {
+        pass = "";
+    }
+    else {
+        if (pcb == 0)
+            pcb = (pem_password_cb *)ssl_password_callback;
+        len = (*pcb)(buff, PEM_BUFSIZE, 0, pcd);
+        if (len < 0) {
+            /* Passpharse callback error */
+            goto cleanup;
+        }
+        if (!PKCS12_verify_mac(p12, buff, len)) {
+            /* Mac verify error (wrong password?) in PKCS12 file */
+            goto cleanup;
+        }
+        pass = buff;
+    }
+    rc = PKCS12_parse(p12, pass, pkey, cert, ca);
+cleanup:
+    if (p12 != 0)
+        PKCS12_free(p12);
+    return rc;
+}
+
+EVP_PKEY *load_key(acr_ssl_ctxt_t *c, int format,
+                   const char *file, const char *desc)
 {
     BIO      *bio = 0;
     EVP_PKEY *key = 0;
-    int i;
 
     if ((bio = BIO_new(BIO_s_file())) == 0)
         return 0;
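Review bot: `desc` is accepted by `load_pkcs12()` but never referenced in its body, so it should either be dropped or used, and the passphrase the callback writes into `buff` is left on the stack after return; clearing it at the `cleanup:` label, e.g. `memset(buff, 0, sizeof(buff));`, is the minimum (a plain memset on a dying buffer may be elided, so the project's zeroing helper or OPENSSL_cleanse through the loader table is preferable if available). The `pass = buff` branch also relies on the callback having NUL-terminated `buff`: ssl_password_callback() in password.c does zero the buffer and requires `password_len < bufsiz`, but a caller-supplied `pcb` gets no such guarantee, and a callback returning `len == PEM_BUFSIZE` would leave the string unterminated for `PKCS12_parse()`. Rejecting `len >= PEM_BUFSIZE` alongside the `len < 0` check, then `buff[len] = '\0';`, makes the function self-contained. `load_key()` begins at the end of this hunk and its body continues in the next one.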
@@ -269,22 +307,33 @@ EVP_PKEY *load_pem_key(acr_ssl_ctxt_t *c
         BIO_free(bio);
         return 0;
     }
-    for (i = 0; i < 3; i++) {
+    if (c->password_callback != 0) {
+        if (desc != 0)
+            c->password_callback->desc = desc;
+        else
+            c->password_callback->desc = file;
+    }
+    if (format == SSL_FORMAT_ASN1) {
+        key = d2i_PrivateKey_bio(bio, 0);
+    }    
+    else if (format == SSL_FORMAT_PEM) {
         key = PEM_read_bio_PrivateKey(bio, 0,
                                       ssl_password_callback,
                                       c->password_callback);
-        if (key != 0)
-            break;
-        if (c->password_callback != 0) {
-            ACR_MFREE(c->password_callback->password);
-        }
-        BIO_ctrl(bio, BIO_CTRL_RESET, 0, 0);
+    }
+    else if (format == SSL_FORMAT_PKCS12) {
+        if (!load_pkcs12(bio, desc,
+                         ssl_password_callback,
+                         c->password_callback,
+                         &key, 0, 0))
+            key = 0;
     }
     BIO_free(bio);
     return key;
 }
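Review bot: A `format` value other than ASN1, PEM or PKCS12 makes `load_key()` return NULL with no error recorded, indistinguishable from a parse failure; the same applies to `load_cert()` in the next hunk, where only ASN1 and PEM are handled although ssl.h now defines twelve SSL_FORMAT_* values. A final `else` branch that records the unsupported format, or at least a comment such as `/* other SSL_FORMAT_* values are not supported yet */`, would make that explicit in both functions. The removed retry loop also freed `c->password_callback->password` after a failed PEM read, whereas the new code leaves a rejected cached password in place, so a later call on the same context cannot prompt for a different one; if that is intended it deserves a comment. Note too that `c->password_callback->desc` now stores the caller's `desc` or `file` pointer without copying it, so the string must outlive the callback struct unless password.c copies it, which this diff does not show.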
 
-X509 *load_pem_cert(acr_ssl_ctxt_t *c, const char *file)
+X509 *load_cert(acr_ssl_ctxt_t *c, int format,
+                const char *file, const char *desc)
 {
     BIO  *bio  = 0;
     X509 *cert = 0;
@@ -295,14 +344,20 @@ X509 *load_pem_cert(acr_ssl_ctxt_t *c, c
         BIO_free(bio);
         return 0;
     }
-    cert = PEM_read_bio_X509_AUX(bio, 0,
-                                 ssl_password_callback,
-                                 c->password_callback);
-    if (cert == 0 && ERR_GET_REASON(ERR_get_error()) == PEM_R_NO_START_LINE) {
-        ERR_clear_error();
-        BIO_ctrl(bio, BIO_CTRL_RESET, 0, 0);
+    if (c->password_callback != 0) {
+        if (desc != 0)
+            c->password_callback->desc = desc;
+        else
+            c->password_callback->desc = file;
+    }
+    if (format == SSL_FORMAT_ASN1) {
         cert = d2i_X509_bio(bio, 0);
     }
+    else if (format == SSL_FORMAT_PEM) {
+        cert = PEM_read_bio_X509_AUX(bio, 0,
+                                     ssl_password_callback,
+                                     c->password_callback);
+    }
     BIO_free(bio);
     return cert;
 }

Modified: commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c
URL: http://svn.apache.org/viewvc/commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c?rev=1171484&r1=1171483&r2=1171484&view=diff
==============================================================================
--- commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c (original)
+++ commons/sandbox/runtime/trunk/src/main/native/modules/openssl/password.c Fri Sep 16 10:04:00
2011
@@ -40,12 +40,12 @@ int ssl_password_callback(char *buf, int
 
     if (buf == 0 || bufsiz < 0)
         return -1;
-    buf[0] = '\0';
+    memset(buf, 0, bufsiz);
     if (pcb == 0)
         pcb = acr_ssl_password_cb;
     if (pcb == 0)
         return -1;
-    if (pcb->password == 0) {
+    if (pcb->password == 0 && pcb->cb != 0) {
         jstring str = 0;
         JNIEnv *env = AcrGetJNIEnv();
         if (IS_INVALID_HANDLE(env))
@@ -60,14 +60,28 @@ int ssl_password_callback(char *buf, int
         if (AcrCallbackRun(env, pcb->cb, str, 0, 0) != 0)
             return -1;
     }
-    if (pcb->password != 0) {
+    if (pcb->password != 0 && pcb->password_len < bufsiz) {
         /* Return already obtained password */
-        strlcpy(buf, pcb->password, bufsiz);
+        memcpy(buf, pcb->password, pcb->password_len);
         return pcb->password_len;
     }
     return -1;
 }
 
+int ssl_password_set(ssl_pass_cb_t *pcb, const char *password)
+{
+    memset(pcb, 0, sizeof(ssl_pass_cb_t));
+    if (password != 0 && *password != '\0') {
+        strlcpy(pcb->buf, password, sizeof(pcb->buf));
+        pcb->password     = pcb->buf;
+        pcb->password_len = strlen(pcb->password);
+        return 1;
+    }
+    else
+        return 0;
+}
+
+
 ACR_SSL_EXPORT(jlong, PasswordCallback, new0)(JNI_STDARGS)
 {
     ssl_pass_cb_t *pc;
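Review bot: `ssl_password_set()` dereferences `pcb` without a NULL check and wipes the whole struct with `memset`, which also discards any `cb` and `desc` stored there earlier; if `cb` is a JNI reference registered elsewhere, zeroing it here loses it without a release. `strlcpy()` into `pcb->buf` truncates silently, so a password longer than `sizeof(pcb->buf) - 1` is stored shortened while the function still returns 1; a guard before the copy, `if (strlen(password) >= sizeof(pcb->buf)) return 0;`, would report that to the caller. A short header comment stating the return values, e.g. `/* Returns 1 when a password was stored in pcb, 0 when pcb was cleared (NULL or empty password) */`, would also help since the prototype added to ssl.h carries none. The doubled blank line before `ACR_SSL_EXPORT(jlong, PasswordCallback, new0)` is a minor style nit.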


