[Pvfs2-cvs] commit by nlmills in pvfs2/src/common/security: pint-security.c pint-security.h

CVS commit program cvs at parl.clemson.edu
Tue Dec 2 00:37:31 EST 2008


Update of /anoncvs/pvfs2/src/common/security
In directory parlweb1:/tmp/cvs-serv14206/src/common/security

Modified Files:
      Tag: cu-security-branch
	pint-security.c pint-security.h 
Log Message:
added security function to verify certificates


Index: pint-security.c
===================================================================
RCS file: /anoncvs/pvfs2/src/common/security/Attic/pint-security.c,v
diff -p -u -r1.1.2.47 -r1.1.2.48
--- pint-security.c	30 Nov 2008 05:28:34 -0000	1.1.2.47
+++ pint-security.c	2 Dec 2008 05:37:31 -0000	1.1.2.48
@@ -13,6 +13,7 @@
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
@@ -339,6 +340,117 @@ int PINT_security_finalize(void)
 
 #ifndef SECURITY_ENCRYPTION_NONE
 
+int PINT_verify_certificate(const char *certstr,
+                            const unsigned char *signature,
+                            unsigned int sig_size)
+{
+    BIO *certbio;
+    X509 *cert;
+    X509_STORE_CTX *store_ctx;
+    EVP_PKEY *pkey;
+    EVP_MD_CTX mdctx;
+    const EVP_MD *md;
+    int ret;
+
+    if (!certstr || !signature || (sig_size == 0))
+    {
+        return -PVFS_EINVAL;
+    }
+
+    /******* Part 1 - verify the certificate */
+
+    certbio = BIO_new_mem_buf((char*)certstr, -1);
+    if (!certbio)
+    {
+        /* TODO: log error message */
+        return -PVFS_EINVAL;
+    }
+
+    cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
+    if (!cert)
+    {
+        /* TODO: log error message */
+        return -PVFS_EINVAL;
+    }
+    BIO_vfree(certbio);
+
+    store_ctx = X509_STORE_CTX_new();
+    if (!store_ctx)
+    {
+        /* TODO: log error message */
+        X509_free(cert);
+        return -PVFS_EINVAL;
+    }
+    /* XXX: previous versions did not return a value */
+    ret = X509_STORE_CTX_init(store_ctx, security_store, cert, NULL);
+    if (!ret)
+    {
+        /* TODO: log error message */
+        X509_STORE_CTX_free(store_ctx);
+        X509_free(cert);
+        return -PVFS_EINVAL;
+    }
+    /* TODO: set any verification options */
+
+    ret = X509_verify_cert(store_ctx);
+    X509_STORE_CTX_free(store_ctx);
+    if (ret <= 0)
+    {
+        /* TODO: log error message */
+        X509_free(cert);
+        return -PVFS_EPERM;
+    }
+
+    /* TODO: ensure ref counting keeps key from being freed with cert */
+    pkey = X509_get_pubkey(cert);
+    X509_free(cert);
+    if (!pkey)
+    {
+        /* TODO: log error message */
+        return -PVFS_EINVAL;
+    }
+
+    /******* Part 2 - verify the signature */
+
+    EVP_MD_CTX_init(&mdctx);
+
+#if defined(SECURITY_ENCRYPTION_RSA)
+    md = EVP_sha1();
+#elif defined(SECURITY_ENCRYPTION_DSA)
+    md = EVP_dss1();
+#else
+    md = NULL;
+#endif
+
+    ret = EVP_VerifyInit_ex(&mdctx, md, NULL);
+    if (!ret)
+    {
+        /* TODO: log error message */
+        return -PVFS_EINVAL;
+    }
+   
+    ret = EVP_VerifyUpdate(&mdctx, certstr, strlen(certstr));
+    if (!ret)
+    {
+        /* TODO: log error message */
+        return -PVFS_EINVAL;
+    }
+
+    ret = EVP_VerifyFinal(&mdctx, signature, sig_size, pkey);
+    EVP_MD_CTX_cleanup(&mdctx);
+    EVP_PKEY_free(pkey);
+    if (ret == 0)
+    {
+        return -PVFS_EPERM;
+    }
+    else if (ret == -1)
+    {
+        return -PVFS_EINVAL;
+    }
+
+    return 0;
+}
+
 /*  PINT_sign_capability
  *
  *  Takes in a PVFS_capability structure and creates a signature
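Review bot: The error paths in PINT_verify_certificate leak OpenSSL objects: certbio is never freed when PEM_read_bio_X509 fails, and pkey and mdctx stay allocated when EVP_VerifyInit_ex or EVP_VerifyUpdate fails, which becomes a steady memory leak if certstr can come from a remote peer (callers are not visible here). The final check also fails open, since any EVP_VerifyFinal result other than 0 or -1 falls through to `return 0`; only a result of exactly 1 should count as success. In the `#else` branch md is NULL and goes straight into EVP_VerifyInit_ex, so that configuration should return early or be a compile-time error. Separately, the signature covers only the certificate text, which is static, so a captured certificate/signature pair would presumably verify again; it is worth confirming that callers bind the check to something fresh. The sketch below adds one local, `rc`, and routes the signature step through a single cleanup point.

```c
    int rc = -PVFS_EINVAL;   /* new local: result of the signature step */

    cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
    BIO_vfree(certbio);      /* release the BIO on success and on failure */
    if (!cert)
    {
        /* TODO: log error message */
        return -PVFS_EINVAL;
    }

    /* ... unchanged: store context setup, X509_verify_cert, X509_get_pubkey ... */

    /* ... unchanged: EVP_MD_CTX_init and digest selection ... */

    if (EVP_VerifyInit_ex(&mdctx, md, NULL) == 1 &&
        EVP_VerifyUpdate(&mdctx, certstr, strlen(certstr)) == 1)
    {
        ret = EVP_VerifyFinal(&mdctx, signature, sig_size, pkey);
        if (ret == 1)
        {
            rc = 0;
        }
        else if (ret == 0)
        {
            rc = -PVFS_EPERM;    /* signature does not match */
        }
        /* any other result keeps -PVFS_EINVAL, so the check fails closed */
    }

    /* single exit: the digest context and key are released on every path */
    EVP_MD_CTX_cleanup(&mdctx);
    EVP_PKEY_free(pkey);
    return rc;
```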
@@ -753,6 +865,7 @@ static int load_ca_bundle(const char *pa
     }
 
     X509_STORE_set_verify_cb_func(security_store, verify_callback);
+    /* TODO: set any default verification options */
 
     ret = X509_STORE_load_locations(security_store, path, NULL);
     if (!ret)

Index: pint-security.h
===================================================================
RCS file: /anoncvs/pvfs2/src/common/security/Attic/pint-security.h,v
diff -p -u -r1.1.2.22 -r1.1.2.23
--- pint-security.h	10 Nov 2008 12:11:35 -0000	1.1.2.22
+++ pint-security.h	2 Dec 2008 05:37:31 -0000	1.1.2.23
@@ -42,6 +42,8 @@ int PINT_security_initialize(void);
  */
 int PINT_security_finalize(void);
 
+int PINT_verify_certificate(const char *, const unsigned char *, unsigned int);
+
 /* creates a signature from the remaining fields
  * any existing signature is overwritten
  */
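Review bot: The new prototype for PINT_verify_certificate has no parameter names and no comment, unlike the neighbouring declarations, so a caller cannot tell from the header that the first argument is read as a NUL-terminated PEM string (the implementation passes it to BIO_new_mem_buf with length -1 and to strlen) or what the return codes mean. I would declare it as `int PINT_verify_certificate(const char *certstr, const unsigned char *signature, unsigned int sig_size);` and put a comment above it. The comment should state that it returns 0 only when the certificate verifies against the loaded store and the signature over certstr verifies with the certificate's public key, -PVFS_EPERM when either check fails, and -PVFS_EINVAL on bad arguments or internal errors.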


