1 /* vi: set noexpandtab sw=4 sts=4: */
2 /* opkg_pathfinder.c - the opkg package management system
4 Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
6 This program is free software; you can redistribute it and/or
7 modify it under the terms of the GNU General Public License as
8 published by the Free Software Foundation; either version 2, or (at
9 your option) any later version.
11 This program is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
18 #include <openssl/ssl.h>
19 #include <libpathfinder.h>
21 #if defined(HAVE_SSLCURL)
22 #include <curl/curl.h>
26 #include "libbb/libbb.h"
27 #include "opkg_message.h"
29 #if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
31 * This callback is called instead of X509_verify_cert to perform path
32 * validation on a certificate using pathfinder.
35 static int pathfinder_verify_callback(X509_STORE_CTX
*ctx
, void *arg
)
38 const char *hex
= "0123456789ABCDEF";
39 size_t size
= i2d_X509(ctx
->cert
, NULL
);
40 unsigned char *keybuf
, *iend
;
41 iend
= keybuf
= xmalloc(size
);
42 i2d_X509(ctx
->cert
, &iend
);
43 char *certdata_str
= xmalloc(size
* 2 + 1);
44 unsigned char *cp
= keybuf
;
45 char *certdata_str_i
= certdata_str
;
48 unsigned char ch
= *cp
++;
49 *certdata_str_i
++ = hex
[(ch
>> 4) & 0xf];
50 *certdata_str_i
++ = hex
[ch
& 0xf];
55 const char *policy
= "2.5.29.32.0"; // anyPolicy
56 int validated
= pathfinder_dbus_verify(certdata_str
, policy
, 0, 0, &errmsg
);
59 opkg_msg(ERROR
, "Path verification failed: %s.\n", errmsg
);
68 #if defined(HAVE_OPENSSL)
69 int pkcs7_pathfinder_verify_signers(PKCS7
* p7
)
71 STACK_OF(X509
) *signers
;
72 int i
, ret
= 1; /* signers are verified by default */
74 signers
= PKCS7_get0_signers(p7
, NULL
, 0);
76 for(i
= 0; i
< sk_X509_num(signers
); i
++){
77 X509_STORE_CTX ctx
= {
78 .cert
= sk_X509_value(signers
, i
),
81 if(!pathfinder_verify_callback(&ctx
, NULL
)){
82 /* Signer isn't verified ! goto jail; */
88 sk_X509_free(signers
);
93 #if defined(HAVE_SSLCURL)
94 CURLcode
curl_ssl_ctx_function(CURL
* curl
, void * sslctx
, void * parm
) {
96 SSL_CTX
* ctx
= (SSL_CTX
*) sslctx
;
97 SSL_CTX_set_cert_verify_callback(ctx
, pathfinder_verify_callback
, parm
);