1 /* vi: set noexpandtab sw=4 sts=4: */
2 /* opkg_pathfinder.c - the opkg package management system
4 Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
6 This program is free software; you can redistribute it and/or
7 modify it under the terms of the GNU General Public License as
8 published by the Free Software Foundation; either version 2, or (at
9 your option) any later version.
11 This program is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
18 #include <openssl/ssl.h>
19 #include <libpathfinder.h>
21 #if defined(HAVE_SSLCURL)
22 #include <curl/curl.h>
25 #include "libbb/libbb.h"
26 #include "opkg_message.h"
28 #if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
30 * This callback is called instead of X509_verify_cert to perform path
31 * validation on a certificate using pathfinder.
34 static int pathfinder_verify_callback(X509_STORE_CTX
* ctx
, void *arg
)
37 const char *hex
= "0123456789ABCDEF";
38 size_t size
= i2d_X509(ctx
->cert
, NULL
);
39 unsigned char *keybuf
, *iend
;
40 iend
= keybuf
= xmalloc(size
);
41 i2d_X509(ctx
->cert
, &iend
);
42 char *certdata_str
= xmalloc(size
* 2 + 1);
43 unsigned char *cp
= keybuf
;
44 char *certdata_str_i
= certdata_str
;
46 unsigned char ch
= *cp
++;
47 *certdata_str_i
++ = hex
[(ch
>> 4) & 0xf];
48 *certdata_str_i
++ = hex
[ch
& 0xf];
53 const char *policy
= "2.5.29.32.0"; // anyPolicy
55 pathfinder_dbus_verify(certdata_str
, policy
, 0, 0, &errmsg
);
58 opkg_msg(ERROR
, "Path verification failed: %s.\n", errmsg
);
67 #if defined(HAVE_OPENSSL)
68 int pkcs7_pathfinder_verify_signers(PKCS7
* p7
)
70 STACK_OF(X509
) * signers
;
71 int i
, ret
= 1; /* signers are verified by default */
73 signers
= PKCS7_get0_signers(p7
, NULL
, 0);
75 for (i
= 0; i
< sk_X509_num(signers
); i
++) {
76 X509_STORE_CTX ctx
= {
77 .cert
= sk_X509_value(signers
, i
),
80 if (!pathfinder_verify_callback(&ctx
, NULL
)) {
81 /* Signer isn't verified ! goto jail; */
87 sk_X509_free(signers
);
92 #if defined(HAVE_SSLCURL)
93 CURLcode
curl_ssl_ctx_function(CURL
* curl
, void *sslctx
, void *parm
)
96 SSL_CTX
*ctx
= (SSL_CTX
*) sslctx
;
97 SSL_CTX_set_cert_verify_callback(ctx
, pathfinder_verify_callback
, parm
);