1 /* vi: set noexpandtab sw=4 sts=4: */
2 /* opkg_pathfinder.c - the opkg package management system
4 Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
6 This program is free software; you can redistribute it and/or
7 modify it under the terms of the GNU General Public License as
8 published by the Free Software Foundation; either version 2, or (at
9 your option) any later version.
11 This program is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
17 #include <openssl/ssl.h>
18 #include <libpathfinder.h>
20 #if defined(HAVE_SSLCURL)
21 #include <curl/curl.h>
24 #include "libbb/libbb.h"
25 #include "opkg_message.h"
27 #if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
29 * This callback is called instead of X509_verify_cert to perform path
30 * validation on a certificate using pathfinder.
33 static int pathfinder_verify_callback(X509_STORE_CTX
* ctx
, void *arg
)
36 const char *hex
= "0123456789ABCDEF";
37 size_t size
= i2d_X509(ctx
->cert
, NULL
);
38 unsigned char *keybuf
, *iend
;
39 iend
= keybuf
= xmalloc(size
);
40 i2d_X509(ctx
->cert
, &iend
);
41 char *certdata_str
= xmalloc(size
* 2 + 1);
42 unsigned char *cp
= keybuf
;
43 char *certdata_str_i
= certdata_str
;
45 unsigned char ch
= *cp
++;
46 *certdata_str_i
++ = hex
[(ch
>> 4) & 0xf];
47 *certdata_str_i
++ = hex
[ch
& 0xf];
52 const char *policy
= "2.5.29.32.0"; // anyPolicy
54 pathfinder_dbus_verify(certdata_str
, policy
, 0, 0, &errmsg
);
57 opkg_msg(ERROR
, "Path verification failed: %s.\n", errmsg
);
66 #if defined(HAVE_OPENSSL)
67 int pkcs7_pathfinder_verify_signers(PKCS7
* p7
)
69 STACK_OF(X509
) * signers
;
70 int i
, ret
= 1; /* signers are verified by default */
72 signers
= PKCS7_get0_signers(p7
, NULL
, 0);
74 for (i
= 0; i
< sk_X509_num(signers
); i
++) {
75 X509_STORE_CTX ctx
= {
76 .cert
= sk_X509_value(signers
, i
),
79 if (!pathfinder_verify_callback(&ctx
, NULL
)) {
80 /* Signer isn't verified ! goto jail; */
86 sk_X509_free(signers
);
91 #if defined(HAVE_SSLCURL)
92 CURLcode
curl_ssl_ctx_function(CURL
* curl
, void *sslctx
, void *parm
)
95 SSL_CTX
*ctx
= (SSL_CTX
*) sslctx
;
96 SSL_CTX_set_cert_verify_callback(ctx
, pathfinder_verify_callback
, parm
);