#include "openssl/x509.h"
#include "openssl/x509_vfy.h"
#include "asterisk.h"
#include "asterisk/logger.h"
#include "asterisk/stringfields.h"

Include dependency graph for crypto_utils.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	crypto_cert_store
	ao2 object wrapper for X509_STORE that provides locking and refcounting More...

Macros
#define	crypto_free_cert_store(store) ao2_cleanup(store)
	Free an X509 store.

#define	crypto_lock_cert_store(store) ao2_lock(store)
	Locks an X509 Store.

#define	crypto_unlock_cert_store(store) ao2_unlock(store)
	Unlocks an X509 Store.

Functions
time_t	crypto_asn_time_as_time_t (ASN1_TIME *at)
	Return a time_t for an ASN1_TIME.

struct crypto_cert_store *	crypto_create_cert_store (void)
	Create an empty X509 store.

int	crypto_extract_raw_privkey (EVP_PKEY key, unsigned char *buffer)
	Extract raw private key from EVP_PKEY.

int	crypto_extract_raw_pubkey (EVP_PKEY key, unsigned char *buffer)
	Extract raw public key from EVP_PKEY.

ASN1_OCTET_STRING *	crypto_get_cert_extension_data (X509 cert, int nid, const char short_name)
	Return the data from a specific extension in a cert.

char *	crypto_get_cert_subject (X509 cert, const char short_name)
	Returns the Subject (or component of Subject) from a certificate.

int	crypto_get_raw_pubkey_from_cert (X509 cert, unsigned char *raw_key)
	Retrieve RAW public key from cert.

int	crypto_has_private_key_from_memory (const char *buffer, size_t size)
	Check if the supplied buffer has a private key.

int	crypto_is_cert_time_valid (X509 *cert, time_t reftime)
	Check if the reftime is within the cert's valid dates.

int	crypto_is_cert_trusted (struct crypto_cert_store store, X509 cert, STACK_OF(X509) cert_chain, const char *err_msg)
	Check if the cert is trusted.

int	crypto_load (void)
	Initialize the crypto utils.

X509 *	crypto_load_cert_chain_from_file (const char filename, STACK_OF(X509) *chain_stack)
	Load an X509 Cert and any chained certs from a file.

X509 *	crypto_load_cert_chain_from_memory (const char buffer, size_t size, STACK_OF(X509) *cert_chain)
	Load an X509 Cert and any chained certs from a NULL terminated buffer.

int	crypto_load_cert_store (struct crypto_cert_store store, const char file, const char *path)
	Load an X509 Store with either certificates or CRLs.

X509_CRL *	crypto_load_crl_from_file (const char *filename)
	Load an X509 CRL from a PEM file.

int	crypto_load_crl_store (struct crypto_cert_store store, const char file, const char *path)
	Load an X509 Store with certificate revocation lists.

EVP_PKEY *	crypto_load_private_key_from_memory (const char *buffer, size_t size)
	Load a private key from memory.

EVP_PKEY *	crypto_load_privkey_from_file (const char *filename)
	Load a private key from a file.

int	crypto_load_untrusted_cert_store (struct crypto_cert_store store, const char file, const char *path)
	Load an X509 Store with untrusted certificates.

void	crypto_log_openssl (int level, char file, int line, const char function, const char *fmt,...)
	Print a log message with any OpenSSL errors appended.

int	crypto_register_x509_extension (const char oid, const char short_name, const char *long_name)
	Register a certificate extension to openssl.

int	crypto_show_cli_store (struct crypto_cert_store *store, int fd)
	Dump a cert store to the asterisk CLI.

int	crypto_unload (void)
	Clean up the crypto utils.

Macro Definition Documentation

◆ crypto_free_cert_store

#define crypto_free_cert_store ( store ) ao2_cleanup(store)

Free an X509 store.

Parameters

store X509 Store to free

Definition at line 207 of file crypto_utils.h.

◆ crypto_lock_cert_store

#define crypto_lock_cert_store ( store ) ao2_lock(store)

Locks an X509 Store.

Parameters

store X509 Store to lock

Return values

<=	0 failure
0	success

Definition at line 279 of file crypto_utils.h.

◆ crypto_unlock_cert_store

#define crypto_unlock_cert_store ( store ) ao2_unlock(store)

Unlocks an X509 Store.

Parameters

store X509 Store to unlock

Return values

<=	0 failure
0	success

Definition at line 289 of file crypto_utils.h.

Function Documentation

◆ crypto_asn_time_as_time_t()

time_t crypto_asn_time_as_time_t ( ASN1_TIME * at )

Return a time_t for an ASN1_TIME.

Parameters

at ASN1_TIME

Returns: time_t corresponding to the ASN1_TIME

Definition at line 900 of file crypto_utils.c.

{
    int pday;
    int psec;
    time_t rt = time(NULL);
 
    if (!ASN1_TIME_diff(&pday, &psec, NULL, at)) {
        crypto_log_openssl(LOG_ERROR, "Unable to calculate time diff\n");
        return 0;
    }
 
    rt += ((pday * SECS_PER_DAY) + psec);
 
    return rt;
}

References crypto_log_openssl(), LOG_ERROR, NULL, and SECS_PER_DAY.

Referenced by add_cert_expiration_to_astdb().

◆ crypto_create_cert_store()

struct crypto_cert_store * crypto_create_cert_store ( void )

Create an empty X509 store.

Returns: crypto_cert_store * or NULL on error

Definition at line 479 of file crypto_utils.c.

{
    struct crypto_cert_store *store = ao2_alloc(sizeof(*store), crypto_cert_store_destructor);
    if (!store) {
        ast_log(LOG_ERROR, "Failed to create crypto_cert_store\n");
        return NULL;
    }
 
    store->certs = X509_STORE_new();
    if (!store->certs) {
        crypto_log_openssl(LOG_ERROR, "Failed to create X509_STORE\n");
        ao2_ref(store, -1);
        return NULL;
    }
 
    store->untrusted = X509_STORE_new();
    if (!store->untrusted) {
        crypto_log_openssl(LOG_ERROR, "Failed to create untrusted X509_STORE\n");
        ao2_ref(store, -1);
        return NULL;
    }
    store->untrusted_stack = sk_X509_new_null();
    if (!store->untrusted_stack) {
        crypto_log_openssl(LOG_ERROR, "Failed to create untrusted stack\n");
        ao2_ref(store, -1);
        return NULL;
    }
 
    store->crls = X509_STORE_new();
    if (!store->crls) {
        crypto_log_openssl(LOG_ERROR, "Failed to create CRL X509_STORE\n");
        ao2_ref(store, -1);
        return NULL;
    }
    store->crl_stack = sk_X509_CRL_new_null();
    if (!store->crl_stack) {
        crypto_log_openssl(LOG_ERROR, "Failed to create CRL stack\n");
        ao2_ref(store, -1);
        return NULL;
    }
 
    return store;
}

References ao2_alloc, ao2_ref, ast_log, crypto_cert_store::certs, crypto_cert_store::crls, crypto_cert_store_destructor(), crypto_log_openssl(), LOG_ERROR, NULL, and crypto_cert_store::untrusted.

Referenced by vs_check_common_config().

◆ crypto_extract_raw_privkey()

int crypto_extract_raw_privkey	(	EVP_PKEY *	key,
		unsigned char **	buffer
	)

Extract raw private key from EVP_PKEY.

Parameters

key	Key to extract from
buffer	Pointer to unsigned char * to receive raw key Must be freed with ast_free after use

Return values

<=0	An error has occurred
>0	Length of raw key

Definition at line 409 of file crypto_utils.c.

{
    RAII_VAR(BIO *, bio, NULL, BIO_free_all);
 
    bio = BIO_new(BIO_s_mem());
 
    if (!bio || (PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL) <= 0)) {
        crypto_log_openssl(LOG_ERROR, "Unable to write privkey to BIO\n");
        return -1;
    }
 
    return dump_mem_bio(bio, buffer);
}

References crypto_log_openssl(), dump_mem_bio(), LOG_ERROR, NULL, and RAII_VAR.

Referenced by as_check_common_config().

◆ crypto_extract_raw_pubkey()

int crypto_extract_raw_pubkey	(	EVP_PKEY *	key,
		unsigned char **	buffer
	)

Extract raw public key from EVP_PKEY.

Parameters

key	Key to extract from
buffer	Pointer to unsigned char * to receive raw key Must be freed with ast_free after use

Return values

<=0	An error has occurred
>0	Length of raw key

Definition at line 382 of file crypto_utils.c.

{
    RAII_VAR(BIO *, bio, NULL, BIO_free_all);
 
    bio = BIO_new(BIO_s_mem());
 
    if (!bio || (PEM_write_bio_PUBKEY(bio, key) <= 0)) {
        crypto_log_openssl(LOG_ERROR, "Unable to write pubkey to BIO\n");
        return -1;
    }
 
    return dump_mem_bio(bio, buffer);
}

References crypto_log_openssl(), dump_mem_bio(), LOG_ERROR, NULL, and RAII_VAR.

Referenced by crypto_get_raw_pubkey_from_cert().

◆ crypto_get_cert_extension_data()

ASN1_OCTET_STRING * crypto_get_cert_extension_data	(	X509 *	cert,
		int	nid,
		const char *	short_name
	)

Return the data from a specific extension in a cert.

Parameters

cert	The cert containing the extension
nid	The NID of the extension (0 to search locally registered extensions by short_name)
short_name	The short name of the extension (only for locally registered extensions)

Note: Either nid or short_name may be supplied. If both are, nid takes precedence.; The extension nid may be any of the built-in values in openssl/obj_mac.h or a NID returned by ast_crypto_register_x509_extension().

Returns: The data for the extension or NULL if not found

Warning: Do NOT attempt to free the returned buffer.

Definition at line 107 of file crypto_utils.c.

{
    int ex_idx;
    X509_EXTENSION *ex;
 
    if (nid <= 0) {
        nid = OBJ_sn2nid(short_name);
        if (nid == NID_undef) {
            ast_log(LOG_ERROR, "Extension object for %s not found\n", short_name);
            return NULL;
        }
    } else {
        const char *tmp = OBJ_nid2sn(nid);
        if (!tmp) {
            ast_log(LOG_ERROR, "Extension object for NID %d not found\n", nid);
            return NULL;
        }
    }
 
    ex_idx = X509_get_ext_by_NID(cert, nid, -1);
    if (ex_idx < 0) {
        ast_log(LOG_ERROR, "Extension index not found in certificate\n");
        return NULL;
    }
    ex = X509_get_ext(cert, ex_idx);
    if (!ex) {
        ast_log(LOG_ERROR, "Extension not found in certificate\n");
        return NULL;
    }
 
    return X509_EXTENSION_get_data(ex);
}

References ast_log, LOG_ERROR, and NULL.

Referenced by check_tn_auth_list().

◆ crypto_get_cert_subject()

char * crypto_get_cert_subject	(	X509 *	cert,
		const char *	short_name
	)

Returns the Subject (or component of Subject) from a certificate.

Parameters

cert	The X509 certificate
short_name	The upper case short name of the component to extract. May be NULL to extract the entire subject.

Returns: Entire subject or component. Must be freed with ast_free();

Definition at line 917 of file crypto_utils.c.

{
    size_t len = 0;
    RAII_VAR(char *, buffer, NULL, ast_std_free);
    char *search_buff = NULL;
    char *search = NULL;
    size_t search_len = 0;
    char *rtn = NULL;
    char *line = NULL;
    /*
     * If short_name was supplied, we want a multiline subject
     * with each component on a separate line.  This makes it easier
     * to iterate over the components to find the one we want.
     * Otherwise, we just want the whole subject on one line.
     */
    unsigned long flags =
        short_name ? XN_FLAG_FN_SN | XN_FLAG_SEP_MULTILINE : XN_FLAG_ONELINE;
    FILE *fp = open_memstream(&buffer, &len);
    BIO *bio = fp ? BIO_new_fp(fp, BIO_CLOSE) : NULL;
    X509_NAME *subject = X509_get_subject_name(cert);
    int rc = 0;
 
    if (!fp || !bio || !subject) {
        return NULL;
    }
 
    rc = X509_NAME_print_ex(bio, subject, 0, flags);
    BIO_free(bio);
    if (rc < 0) {
        return NULL;
    }
 
    if (!short_name) {
        rtn = ast_malloc(len + 1);
        if (rtn) {
            strcpy(rtn, buffer); /* Safe */
        }
        return rtn;
    }
 
    search_len = strlen(short_name) + 1;
    rc = ast_asprintf(&search, "%s=", short_name);
    if (rc != search_len) {
        return NULL;
    }
 
    search_buff = buffer;
    while((line = ast_read_line_from_buffer(&search_buff))) {
        if (ast_begins_with(line, search)) {
            rtn = ast_malloc(strlen(line) - search_len + 1);
            if (rtn) {
                strcpy(rtn, line + search_len); /* Safe */
            }
            break;
        }
    }
 
    ast_std_free(search);
    return rtn;
}

References ast_asprintf, ast_begins_with(), ast_malloc, ast_read_line_from_buffer(), ast_std_free(), len(), NULL, and RAII_VAR.

Referenced by check_cert().

◆ crypto_get_raw_pubkey_from_cert()

int crypto_get_raw_pubkey_from_cert	(	X509 *	cert,
		unsigned char **	raw_key
	)

Retrieve RAW public key from cert.

Parameters

cert	The cert containing the extension
raw_key	Address of char * to place the raw key. Must be freed with ast_free after use

Return values

<=0	An error has occurred
>0	Length of raw key

Definition at line 396 of file crypto_utils.c.

{
    RAII_VAR(EVP_PKEY *, public_key, X509_get_pubkey(cert), EVP_PKEY_free);
 
    if (!public_key) {
        crypto_log_openssl(LOG_ERROR, "Unable to retrieve pubkey from cert\n");
        return -1;
    }
 
    return crypto_extract_raw_pubkey(public_key, buffer);
}

References crypto_extract_raw_pubkey(), crypto_log_openssl(), LOG_ERROR, and RAII_VAR.

Referenced by check_cert().

◆ crypto_has_private_key_from_memory()

int crypto_has_private_key_from_memory	(	const char *	buffer,
		size_t	size
	)

Check if the supplied buffer has a private key.

Note: This function can be used to check a certificate PEM file to see if it also has a private key in it.

Parameters

buffer	arbitrary buffer
size	buffer size

Return values

1	buffer has a private key
0	buffer does not have a private key

Definition at line 355 of file crypto_utils.c.

{
    RAII_VAR(EVP_PKEY *, key, load_private_key_from_memory(buffer, size), EVP_PKEY_free);
 
    return key ? 1 : 0;
}

References load_private_key_from_memory(), and RAII_VAR.

Referenced by as_check_common_config().

◆ crypto_is_cert_time_valid()

int crypto_is_cert_time_valid	(	X509 *	cert,
		time_t	reftime
	)

Check if the reftime is within the cert's valid dates.

Parameters

cert	The cert to check
reftime	to use or 0 to use current time

Return values

1	Cert is valid
0	Cert is not valid

Definition at line 810 of file crypto_utils.c.

{
    ASN1_STRING *notbefore;
    ASN1_STRING *notafter;
 
    if (!reftime) {
        reftime = time(NULL);
    }
    notbefore = X509_get_notBefore(cert);
    notafter = X509_get_notAfter(cert);
    if (!notbefore || !notafter) {
        ast_log(LOG_ERROR, "Either notbefore or notafter were not present in the cert\n");
        return 0;
    }
 
    return (X509_cmp_time(notbefore, &reftime) < 0 &&
        X509_cmp_time(notafter, &reftime) > 0);
}

References ast_log, LOG_ERROR, and NULL.

Referenced by as_check_common_config(), and check_cert().

◆ crypto_is_cert_trusted()

int crypto_is_cert_trusted	(	struct crypto_cert_store *	store,
		X509 *	cert,
		STACK_OF(X509) *	cert_chain,
		const char **	err_msg
	)

Check if the cert is trusted.

Parameters

store	The CA store to check against
cert	The cert to check
cert_chain	An untrusted certificate chain that may have accompanied the cert.
err_msg	Optional pointer to a const char *

Return values

1	Cert is trusted
0	Cert is not trusted

Definition at line 829 of file crypto_utils.c.

{
    X509_STORE_CTX *verify_ctx = NULL;
    RAII_VAR(STACK_OF(X509) *, untrusted_stack, NULL, sk_X509_free);
    int rc = 0;
 
    if (!(verify_ctx = X509_STORE_CTX_new())) {
        crypto_log_openssl(LOG_ERROR, "Unable to create verify_ctx\n");
        return 0;
    }
 
    if (cert_chain && sk_X509_num(cert_chain) > 0) {
        int untrusted_count = store->untrusted_stack ? sk_X509_num(store->untrusted_stack) : 0;
        int i = 0;
 
        untrusted_stack = sk_X509_dup(cert_chain);
        if (!untrusted_stack) {
            crypto_log_openssl(LOG_ERROR, "Unable to duplicate untrusted stack\n");
            X509_STORE_CTX_free(verify_ctx);
            return 0;
        }
        /*
         * If store->untrusted_stack was NULL for some reason then
         * untrusted_count will be 0 so the loop will never run.
         */
        for (i = 0; i < untrusted_count; i++) {
            X509 *c = sk_X509_value(store->untrusted_stack, i);
            if (sk_X509_push(untrusted_stack, c) <= 0) {
                crypto_log_openssl(LOG_ERROR, "Unable to push untrusted cert onto stack\n");
                sk_X509_free(untrusted_stack);
                X509_STORE_CTX_free(verify_ctx);
                return 0;
            }
        }
    /*
     * store->untrusted_stack should always be allocated even if empty
     * but we'll make sure.
     */
    } else if (store->untrusted_stack){
        /* This is a dead simple shallow clone */
        ast_debug(4, "cert_chain had no certs\n");
        untrusted_stack = sk_X509_dup(store->untrusted_stack);
        if (!untrusted_stack) {
            crypto_log_openssl(LOG_ERROR, "Unable to duplicate untrusted stack\n");
            X509_STORE_CTX_free(verify_ctx);
            return 0;
        }
    }
 
    if (X509_STORE_CTX_init(verify_ctx, store->certs, cert, untrusted_stack) != 1) {
        X509_STORE_CTX_cleanup(verify_ctx);
        X509_STORE_CTX_free(verify_ctx);
        crypto_log_openssl(LOG_ERROR, "Unable to initialize verify_ctx\n");
        return 0;
    }
    X509_STORE_CTX_set0_crls(verify_ctx, store->crl_stack);
 
    rc = X509_verify_cert(verify_ctx);
    if (rc != 1 && err_msg != NULL) {
        int err = X509_STORE_CTX_get_error(verify_ctx);
        *err_msg = X509_verify_cert_error_string(err);
    }
 
    X509_STORE_CTX_cleanup(verify_ctx);
    X509_STORE_CTX_free(verify_ctx);
 
    return rc;
}

References ast_debug, c, crypto_log_openssl(), LOG_ERROR, NULL, RAII_VAR, and pem_file_cb_data::store.

Referenced by check_cert(), and cli_verify_cert().

◆ crypto_load()

int crypto_load ( void )

Initialize the crypto utils.

Definition at line 978 of file crypto_utils.c.

{
    return AST_MODULE_LOAD_SUCCESS;
}

References AST_MODULE_LOAD_SUCCESS.

Referenced by ast_crypto_reload(), load_module(), load_module(), and reload().

◆ crypto_load_cert_chain_from_file()

X509 * crypto_load_cert_chain_from_file	(	const char *	filename,
		STACK_OF(X509) **	chain_stack
	)

Load an X509 Cert and any chained certs from a file.

Parameters

filename	PEM file
chain_stack	The address of a STACK_OF(X509) pointer to receive the chain of certificates if any.

Note: The caller is responsible for freeing the cert_chain stack and any certs in it.

Returns: X509* or NULL on error

Definition at line 203 of file crypto_utils.c.

{
    FILE *fp;
    X509 *end_cert = NULL;
 
    if (ast_strlen_zero(filename)) {
        ast_log(LOG_ERROR, "filename was null or empty\n");
        return NULL;
    }
 
    fp = fopen(filename, "r");
    if (!fp) {
        ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
        return NULL;
    }
 
    end_cert = PEM_read_X509(fp, &end_cert, NULL, NULL);
    if (!end_cert) {
        crypto_log_openssl(LOG_ERROR, "Failed to create end_cert from %s\n", filename);
        fclose(fp);
        return NULL;
    }
 
    /*
     * If the caller provided a stack, we will read the chain certs
     * (if any) into it.
     */
    if (cert_chain) {
        X509 *chain_cert = NULL;
 
        *cert_chain = sk_X509_new_null();
        while ((chain_cert = PEM_read_X509(fp, &chain_cert, NULL, NULL)) != NULL) {
            if (sk_X509_push(*cert_chain, chain_cert) <= 0) {
                crypto_log_openssl(LOG_ERROR, "Failed to add chain cert from %s to list\n",
                    filename);
                fclose(fp);
                X509_free(end_cert);
                sk_X509_pop_free(*cert_chain, X509_free);
                return NULL;
            }
            /* chain_cert needs to be reset to NULL after every call to PEM_read_X509 */
            chain_cert = NULL;
        }
    }
 
    if (DEBUG_ATLEAST(4)) {
        char subj[1024];
 
        X509_NAME_oneline(X509_get_subject_name(end_cert), subj, 1024);
        ast_debug(4, "Opened end cert '%s' from '%s'\n", subj, filename);
 
        if (cert_chain && *cert_chain) {
            debug_cert_chain(4, *cert_chain);
        } else {
            ast_debug(4, "No chain certs found in '%s'\n", filename);
        }
    }
 
    fclose(fp);
 
    return end_cert;
}

References ast_debug, ast_log, ast_strlen_zero(), crypto_log_openssl(), DEBUG_ATLEAST, debug_cert_chain, errno, LOG_ERROR, and NULL.

Referenced by cli_verify_cert(), crypto_load_store_from_cert_file(), and retrieve_cert_from_cache().

◆ crypto_load_cert_chain_from_memory()

X509 * crypto_load_cert_chain_from_memory	(	const char *	buffer,
		size_t	size,
		STACK_OF(X509) **	cert_chain
	)

Load an X509 Cert and any chained certs from a NULL terminated buffer.

Parameters

buffer	containing the cert
size	size of the buffer. May be -1 if the buffer is NULL terminated.
chain_stack	The address of a STACK_OF(X509) pointer to receive the chain of certificates if any.

Note: The caller is responsible for freeing the cert_chain stack and any certs in it.

Returns: X509* or NULL on error

Definition at line 266 of file crypto_utils.c.

{
    RAII_VAR(BIO *, bio, NULL, BIO_free_all);
    X509 *end_cert = NULL;
 
    if (ast_strlen_zero(buffer) || size <= 0) {
        ast_log(LOG_ERROR, "buffer was null or empty\n");
        return NULL;
    }
 
    bio = BIO_new_mem_buf(buffer, size);
    if (!bio) {
        crypto_log_openssl(LOG_ERROR, "Unable to create memory BIO\n");
        return NULL;
    }
 
    end_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
    if (!end_cert) {
        crypto_log_openssl(LOG_ERROR, "Failed to create end_cert from BIO\n");
        return NULL;
    }
 
    /*
     * If the caller provided a stack, we will read the chain certs
     * (if any) into it.
     */
    if (cert_chain) {
        X509 *chain_cert = NULL;
 
        *cert_chain = sk_X509_new_null();
        while ((chain_cert = PEM_read_bio_X509(bio, &chain_cert, NULL, NULL)) != NULL) {
            if (sk_X509_push(*cert_chain, chain_cert) <= 0) {
                crypto_log_openssl(LOG_ERROR, "Failed to add chain cert from BIO to list\n");
                X509_free(end_cert);
                sk_X509_pop_free(*cert_chain, X509_free);
                return NULL;
            }
            /* chain_cert needs to be reset to NULL after every call to PEM_read_X509 */
            chain_cert = NULL;
        }
    }
 
    if (DEBUG_ATLEAST(4)) {
        char subj[1024];
 
        X509_NAME_oneline(X509_get_subject_name(end_cert), subj, 1024);
        ast_debug(4, "Opened end cert '%s' from BIO\n", subj);
 
        if (cert_chain && *cert_chain) {
            debug_cert_chain(4, *cert_chain);
        } else {
            ast_debug(4, "No chain certs found in BIO\n");
        }
    }
 
    return end_cert;
}

References ast_debug, ast_log, ast_strlen_zero(), crypto_log_openssl(), DEBUG_ATLEAST, debug_cert_chain, LOG_ERROR, NULL, and RAII_VAR.

Referenced by as_check_common_config(), and retrieve_cert_from_url().

◆ crypto_load_cert_store()

int crypto_load_cert_store	(	struct crypto_cert_store *	store,
		const char *	file,
		const char *	path
	)

Load an X509 Store with either certificates or CRLs.

Parameters

store	X509 Store to load
file	Certificate or CRL file to load or NULL
path	Path to directory with hashed certs or CRLs to load or NULL

Note: At least 1 file or path must be specified.

Return values

<=	0 failure
0	success

Definition at line 652 of file crypto_utils.c.

{
    if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
        ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
        return -1;
    }
 
    if (!store || !store->certs) {
        ast_log(LOG_ERROR, "store or store->certs is NULL\n");
        return -1;
    }
 
    return _crypto_load_cert_store(store->certs, file, path);
}

References _crypto_load_cert_store(), ast_log, ast_strlen_zero(), LOG_ERROR, and pem_file_cb_data::store.

Referenced by vs_check_common_config().

◆ crypto_load_crl_from_file()

X509_CRL * crypto_load_crl_from_file ( const char * filename )

Load an X509 CRL from a PEM file.

Parameters

filename PEM file

Returns: X509_CRL* or NULL on error

Definition at line 165 of file crypto_utils.c.

{
    FILE *fp;
    X509_CRL *crl = NULL;
 
    if (ast_strlen_zero(filename)) {
        ast_log(LOG_ERROR, "filename was null or empty\n");
        return NULL;
    }
 
    fp = fopen(filename, "r");
    if (!fp) {
        ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
        return NULL;
    }
 
    crl = PEM_read_X509_CRL(fp, &crl, NULL, NULL);
    fclose(fp);
    if (!crl) {
        crypto_log_openssl(LOG_ERROR, "Failed to create CRL from %s\n", filename);
    }
    return crl;
}

References ast_log, ast_strlen_zero(), crypto_log_openssl(), errno, LOG_ERROR, and NULL.

Referenced by crypto_load_store_from_crl_file().

◆ crypto_load_crl_store()

int crypto_load_crl_store	(	struct crypto_cert_store *	store,
		const char *	file,
		const char *	path
	)

Load an X509 Store with certificate revocation lists.

Parameters

store	X509 Store to load
file	CRL file to load or NULL
path	Path to directory with hashed CRLs to load or NULL

Note: At least 1 file or path must be specified.

Return values

<=	0 failure
0	success

Definition at line 711 of file crypto_utils.c.

{
    int rc = 0;
    STACK_OF(X509_OBJECT) *objs = NULL;
    int count = 0;
    int i = 0;
 
    if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
        ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
        return -1;
    }
 
    if (!store || !store->untrusted || !store->untrusted_stack) {
        ast_log(LOG_ERROR, "store wasn't initialized properly\n");
        return -1;
    }
 
    rc = _crypto_load_crl_store(store->crls, file, path);
    if (rc != 0) {
        return rc;
    }
 
    /*
     * We need to extract the CRLs from the store and push them onto the
     * crl stack.  This is because the verification context needs
     * a stack of CRLs and not the store.
     * The store holds the references to the CRLs so we can't
     * free it.
     */
    objs = X509_STORE_get0_objects(store->crls);
    count = sk_X509_OBJECT_num(objs);
    for (i = 0; i < count ; i++) {
        X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
        if (X509_OBJECT_get_type(o) == X509_LU_CRL) {
            X509_CRL *c = X509_OBJECT_get0_X509_CRL(o);
            sk_X509_CRL_push(store->crl_stack, c);
        }
    }
 
    return 0;
}

References _crypto_load_crl_store(), ast_log, ast_strlen_zero(), c, LOG_ERROR, NULL, and pem_file_cb_data::store.

Referenced by vs_check_common_config().

◆ crypto_load_private_key_from_memory()

EVP_PKEY * crypto_load_private_key_from_memory	(	const char *	buffer,
		size_t	size
	)

Load a private key from memory.

Parameters

buffer	private key
size	buffer size

Returns: EVP_PKEY* or NULL on error

Definition at line 346 of file crypto_utils.c.

{
    EVP_PKEY *key = load_private_key_from_memory(buffer, size);
    if (!key) {
        crypto_log_openssl(LOG_ERROR, "Unable to load private key from memory\n");
    }
    return key;
}

References crypto_log_openssl(), load_private_key_from_memory(), and LOG_ERROR.

◆ crypto_load_privkey_from_file()

EVP_PKEY * crypto_load_privkey_from_file ( const char * filename )

Load a private key from a file.

Parameters

filename File to load from

Returns: EVP_PKEY *key or NULL on error

Definition at line 141 of file crypto_utils.c.

{
    EVP_PKEY *key = NULL;
    FILE *fp;
 
    if (ast_strlen_zero(filename)) {
        ast_log(LOG_ERROR, "filename was null or empty\n");
        return NULL;
    }
 
    fp = fopen(filename, "r");
    if (!fp) {
        ast_log(LOG_ERROR, "Failed to open %s: %s\n", filename, strerror(errno));
        return NULL;
    }
 
    key = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
    fclose(fp);
    if (!key) {
        crypto_log_openssl(LOG_ERROR, "Failed to load private key from %s\n", filename);
    }
    return key;
}

References ast_log, ast_strlen_zero(), crypto_log_openssl(), errno, LOG_ERROR, and NULL.

Referenced by as_check_common_config().

◆ crypto_load_untrusted_cert_store()

int crypto_load_untrusted_cert_store	(	struct crypto_cert_store *	store,
		const char *	file,
		const char *	path
	)

Load an X509 Store with untrusted certificates.

Parameters

store	X509 Store to load
file	Certificate file to load or NULL
path	Path to directory with hashed certs to load or NULL

Note: At least 1 file or path must be specified.

Return values

<=	0 failure
0	success

Definition at line 668 of file crypto_utils.c.

{
    int rc = 0;
    STACK_OF(X509_OBJECT) *objs = NULL;
    int count = 0;
    int i = 0;
 
    if (ast_strlen_zero(file) && ast_strlen_zero(path)) {
        ast_log(LOG_ERROR, "Both file and path can't be NULL\n");
        return -1;
    }
 
    if (!store || !store->untrusted || !store->untrusted_stack) {
        ast_log(LOG_ERROR, "store wasn't initialized properly\n");
        return -1;
    }
 
    rc = _crypto_load_cert_store(store->untrusted, file, path);
    if (rc != 0) {
        return rc;
    }
 
    /*
     * We need to extract the certs from the store and push them onto the
     * untrusted stack.  This is because the verification context needs
     * a stack of untrusted certs and not the store.
     * The store holds the references to the certs so we can't
     * free it.
     */
    objs = X509_STORE_get0_objects(store->untrusted);
    count = sk_X509_OBJECT_num(objs);
    for (i = 0; i < count ; i++) {
        X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
        if (X509_OBJECT_get_type(o) == X509_LU_X509) {
            X509 *c = X509_OBJECT_get0_X509(o);
            sk_X509_push(store->untrusted_stack, c);
        }
    }
 
    return 0;
}

References _crypto_load_cert_store(), ast_log, ast_strlen_zero(), c, LOG_ERROR, NULL, and pem_file_cb_data::store.

Referenced by vs_check_common_config().

◆ crypto_log_openssl()

void crypto_log_openssl	(	int	level,
		char *	file,
		int	line,
		const char *	function,
		const char *	fmt,
			...
	)

Print a log message with any OpenSSL errors appended.

Parameters

level	Type of log event
file	Will be provided by the AST_LOG_* macro
line	Will be provided by the AST_LOG_* macro
function	Will be provided by the AST_LOG_* macro
fmt	This is what is important. The format is the same as your favorite breed of printf. You know how that works, right? :-)

Definition at line 45 of file crypto_utils.c.

{
    FILE *fp;
    char *buffer;
    size_t length;
    va_list ap;
    char *tmp_fmt;
 
    fp = open_memstream(&buffer, &length);
    if (!fp) {
        return;
    }
 
    va_start(ap, fmt);
    if (!ast_strlen_zero(fmt)) {
        size_t fmt_len = strlen(fmt);
        if (fmt[fmt_len - 1] == '\n') {
            tmp_fmt = ast_strdupa(fmt);
            tmp_fmt[fmt_len - 1] = '\0';
            fmt = tmp_fmt;
        }
    }
    vfprintf(fp, fmt, ap);
    fputs(": ", fp);
    ERR_print_errors_fp(fp);
    fclose(fp);
 
    if (length) {
        ast_log(level, file, line, function, "%s\n", buffer);
    }
 
    ast_std_free(buffer);
}

References ast_log, ast_std_free(), ast_strdupa, and ast_strlen_zero().

Referenced by check_tn_auth_list(), crypto_asn_time_as_time_t(), crypto_create_cert_store(), crypto_extract_raw_privkey(), crypto_extract_raw_pubkey(), crypto_get_raw_pubkey_from_cert(), crypto_is_cert_trusted(), crypto_load_cert_chain_from_file(), crypto_load_cert_chain_from_memory(), crypto_load_crl_from_file(), crypto_load_private_key_from_memory(), crypto_load_privkey_from_file(), crypto_load_store_from_cert_file(), crypto_load_store_from_crl_file(), crypto_register_x509_extension(), dump_mem_bio(), and load_private_key_from_memory().

◆ crypto_register_x509_extension()

int crypto_register_x509_extension	(	const char *	oid,
		const char *	short_name,
		const char *	long_name
	)

Register a certificate extension to openssl.

Parameters

oid	The OID of the extension
short_name	The short name of the extension
long_name	The long name of the extension

Return values

<0	Extension was not successfully added
>=	NID of the added extension

Definition at line 80 of file crypto_utils.c.

{
    int nid = 0;
 
    if (ast_strlen_zero(oid) || ast_strlen_zero(short_name) ||
        ast_strlen_zero(long_name)) {
        ast_log(LOG_ERROR, "One or more of oid, short_name or long_name are NULL or empty\n");
        return -1;
    }
 
    nid = OBJ_sn2nid(short_name);
    if (nid != NID_undef) {
        ast_log(LOG_NOTICE, "NID %d, object %s already registered\n", nid, short_name);
        return nid;
    }
 
    nid = OBJ_create(oid, short_name, long_name);
    if (nid == NID_undef) {
        crypto_log_openssl(LOG_ERROR, "Couldn't register %s X509 extension\n", short_name);
        return -1;
    }
    ast_log(LOG_NOTICE, "Registered object %s as NID %d\n", short_name, nid);
 
    return nid;
}

References ast_log, ast_strlen_zero(), crypto_log_openssl(), LOG_ERROR, and LOG_NOTICE.

Referenced by load_module().

◆ crypto_show_cli_store()

int crypto_show_cli_store	(	struct crypto_cert_store *	store,
		int	fd
	)

Dump a cert store to the asterisk CLI.

Parameters

store	X509 Store to dump
fd	The CLI fd to print to

Return values

Count of objects printed

Definition at line 754 of file crypto_utils.c.

{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
    STACK_OF(X509_OBJECT) *objs = NULL;
    int count = 0;
    int untrusted_count = 0;
    int crl_count = 0;
    int i = 0;
    char subj[1024];
 
    /*
     * The CA certificates are stored in the certs store.
     */
    objs = X509_STORE_get0_objects(store->certs);
    count = sk_X509_OBJECT_num(objs);
 
    for (i = 0; i < count ; i++) {
        X509_OBJECT *o = sk_X509_OBJECT_value(objs, i);
        if (X509_OBJECT_get_type(o) == X509_LU_X509) {
            X509 *c = X509_OBJECT_get0_X509(o);
            X509_NAME_oneline(X509_get_subject_name(c), subj, 1024);
            ast_cli(fd, "Cert: %s\n", subj);
        } else {
            ast_log(LOG_ERROR, "CRLs are not allowed in the CA cert store\n");
        }
    }
 
    /*
     * Although the untrusted certs are stored in the untrusted store,
     * we already have the stack of certificates so we can just
     * list them directly.
     */
    untrusted_count = sk_X509_num(store->untrusted_stack);
    for (i = 0; i < untrusted_count ; i++) {
        X509 *c = sk_X509_value(store->untrusted_stack, i);
        X509_NAME_oneline(X509_get_subject_name(c), subj, 1024);
        ast_cli(fd, "Untrusted: %s\n", subj);
    }
 
    /*
     * Same for the CRLs.
     */
    crl_count = sk_X509_CRL_num(store->crl_stack);
    for (i = 0; i < crl_count ; i++) {
        X509_CRL *crl = sk_X509_CRL_value(store->crl_stack, i);
        X509_NAME_oneline(X509_CRL_get_issuer(crl), subj, 1024);
        ast_cli(fd, "CRL: %s\n", subj);
    }
 
    return count + untrusted_count + crl_count;
#else
    ast_cli(fd, "This command is not supported until OpenSSL 1.1.0\n");
    return 0;
#endif
}

References ast_cli(), ast_log, c, LOG_ERROR, NULL, and pem_file_cb_data::store.

◆ crypto_unload()

int crypto_unload ( void )

Clean up the crypto utils.

Definition at line 983 of file crypto_utils.c.

{
    return 0;
}

Referenced by unload_module().

Data Structures

Macros

Functions

Macro Definition Documentation

◆ crypto_free_cert_store

◆ crypto_lock_cert_store

◆ crypto_unlock_cert_store

Function Documentation

◆ crypto_asn_time_as_time_t()

◆ crypto_create_cert_store()

◆ crypto_extract_raw_privkey()

◆ crypto_extract_raw_pubkey()

◆ crypto_get_cert_extension_data()

◆ crypto_get_cert_subject()

◆ crypto_get_raw_pubkey_from_cert()

◆ crypto_has_private_key_from_memory()

◆ crypto_is_cert_time_valid()

◆ crypto_is_cert_trusted()

◆ crypto_load()

◆ crypto_load_cert_chain_from_file()

◆ crypto_load_cert_chain_from_memory()

◆ crypto_load_cert_store()

◆ crypto_load_crl_from_file()

◆ crypto_load_crl_store()

◆ crypto_load_private_key_from_memory()

◆ crypto_load_privkey_from_file()

◆ crypto_load_untrusted_cert_store()

◆ crypto_log_openssl()

◆ crypto_register_x509_extension()

◆ crypto_show_cli_store()

◆ crypto_unload()