use untrusted certs for verification

svn path=/trunk/kdesupport/qca/; revision=664842
Justin Karneges 2007-05-14 23:16:53 +00:00
parent a7cd5e041a
commit 7a923f1f6e


@ -4048,6 +4048,8 @@ public:
return ErrorDecode; return ErrorDecode;
} }
// TODO: require cert
int aliasLength; int aliasLength;
char *aliasData = (char*)X509_alias_get0(cert, &aliasLength); char *aliasData = (char*)X509_alias_get0(cert, &aliasLength);
*name = QString::fromAscii(aliasData, aliasLength); *name = QString::fromAscii(aliasData, aliasLength);
@ -5367,6 +5369,7 @@ class CMSContext : public SMSContext
{ {
public: public:
CertificateCollection trustedCerts; CertificateCollection trustedCerts;
CertificateCollection untrustedCerts;
QList<SecureMessageKey> privateKeys; QList<SecureMessageKey> privateKeys;
CMSContext(Provider *p) : SMSContext(p, "cms") CMSContext(Provider *p) : SMSContext(p, "cms")
@ -5387,6 +5390,11 @@ public:
trustedCerts = trusted; trustedCerts = trusted;
} }
virtual void setUntrustedCertificates(const CertificateCollection &untrusted)
{
untrustedCerts = untrusted;
}
virtual void setPrivateKeys(const QList<SecureMessageKey> &keys) virtual void setPrivateKeys(const QList<SecureMessageKey> &keys)
{ {
privateKeys = keys; privateKeys = keys;
@ -5714,9 +5722,20 @@ public:
return; return;
} }
// intermediates/signers that may not be in the blob
STACK_OF(X509) *other_certs = sk_X509_new_null();
QList<Certificate> untrusted_list = cms->untrustedCerts.certificates();
QList<CRL> untrusted_crls = cms->untrustedCerts.crls(); // we'll use the crls later
for(int n = 0; n < untrusted_list.count(); ++n)
{
X509 *x = static_cast<MyCertContext *>(untrusted_list[n].context())->item.cert;
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
sk_X509_push(other_certs, x);
}
// get the possible message signers // get the possible message signers
QList<Certificate> signers; QList<Certificate> signers;
STACK_OF(X509) *xs = PKCS7_get0_signers(p7, NULL, 0); STACK_OF(X509) *xs = PKCS7_get0_signers(p7, other_certs, 0);
if(xs) if(xs)
{ {
for(int n = 0; n < sk_X509_num(xs); ++n) for(int n = 0; n < sk_X509_num(xs); ++n)
@ -5746,8 +5765,8 @@ public:
} }
} }
// TODO: what happens if the signer cert isn't here? // signer needs to be supplied in the message itself
// TODO: support using a signer not stored in the signature // or via cms->untrustedCerts
if(signers.isEmpty()) if(signers.isEmpty())
{ {
QMetaObject::invokeMethod(this, "updated", Qt::QueuedConnection); QMetaObject::invokeMethod(this, "updated", Qt::QueuedConnection);
@ -5782,20 +5801,30 @@ public:
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
X509_STORE_add_crl(store, x); X509_STORE_add_crl(store, x);
} }
// add these crls also
crl_list = untrusted_crls;
for(n = 0; n < crl_list.count(); ++n)
{
const MyCRLContext *cc = static_cast<const MyCRLContext *>(crl_list[n].context());
X509_CRL *x = cc->item.crl;
CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
X509_STORE_add_crl(store, x);
}
int ret; int ret;
if(!sig.isEmpty()) { if(!sig.isEmpty()) {
// Detached signMode // Detached signMode
bi = BIO_new(BIO_s_mem()); bi = BIO_new(BIO_s_mem());
BIO_write(bi, in.data(), in.size()); BIO_write(bi, in.data(), in.size());
ret = PKCS7_verify(p7, NULL, store, bi, NULL, 0); ret = PKCS7_verify(p7, other_certs, store, bi, NULL, 0);
BIO_free(bi); BIO_free(bi);
} else { } else {
ret = PKCS7_verify(p7, NULL, store, NULL, out, 0); ret = PKCS7_verify(p7, other_certs, store, NULL, out, 0);
// qDebug() << "Verify: " << ret; // qDebug() << "Verify: " << ret;
} }
//if(!ret) //if(!ret)
// ERR_print_errors_fp(stdout); // ERR_print_errors_fp(stdout);
sk_X509_pop_free(other_certs, X509_free);
X509_STORE_free(store); X509_STORE_free(store);
PKCS7_free(p7); PKCS7_free(p7);
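Review bot: `other_certs` is allocated, with a reference taken on every untrusted certificate, right after the decode check, but its only release is the `sk_X509_pop_free(other_certs, X509_free);` added at the end of the verify path, so any exit in between leaks the stack and keeps the certificates pinned. The `if(signers.isEmpty())` branch looks like such an exit, though its body continues outside the hunk; if it returns, it needs the same `sk_X509_pop_free(other_certs, X509_free);` before doing so. The results of `sk_X509_new_null()` and `sk_X509_push()` are also unchecked, so a failed push would leave the extra reference behind. Separately, the CRLs copied from `untrustedCerts` into `store` only influence the result if CRL checking is enabled on that store, which no visible line does; a comment such as `// CRLs are consulted only when X509_V_FLAG_CRL_CHECK is set on the store` beside the new loop would make that dependency explicit. The enclosing function starts and ends outside these hunks, so both points should be confirmed against the full body.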