Verify signing certificate

9471c9bc · Tomáš Stefan · 88c90fc3 · 9471c9bc · 9471c9bc · 9471c9bc
Commit 9471c9bc authored Mar 14, 2018 by Tomáš Stefan
6 changed files
--- a/include/constants.h
+++ b/include/constants.h
@@ -34,6 +34,10 @@
 #define SUBFILTER_UNKNOWN               0
 #define SUBFILTER_adbe_x509_rsa_sha1    1

+#define CERT_STATUS_UNKNOWN   0
+#define CERT_STATUS_VERIFIED  1
+#define CERT_STATUS_FAILED    2
+
 #define DEALLOCATE_FILE       0x01
 #define DEALLOCATE_BUFFER     0x02


--- a/include/cryptography.h
+++ b/include/cryptography.h
@@ -10,6 +10,8 @@ sigil_err_t compute_sha1_hash_over_range(sigil_t *sgl);

 sigil_err_t load_certificates(sigil_t *sgl);

+sigil_err_t verify_signing_certificate(sigil_t *sgl);
+
 int sigil_sigil_self_test(int verbosity);

 #endif /* PDF_SIGIL_CRYPTOGRAPHY_H */
--- a/include/sigil.h
+++ b/include/sigil.h
@@ -10,6 +10,10 @@ sigil_err_t sigil_set_pdf_file(sigil_t *sgl, FILE *pdf_file);
 sigil_err_t sigil_set_pdf_path(sigil_t *sgl, const char *path_to_pdf);
 sigil_err_t sigil_set_pdf_buffer(sigil_t *sgl, char *pdf_content, size_t size);

+sigil_err_t sigil_set_trusted_default_system(sigil_t *sgl);
+sigil_err_t sigil_set_trusted_file(sigil_t *sgl, const char *path_to_file);
+sigil_err_t sigil_set_trusted_dir(sigil_t *sgl, const char *path_to_dir);
+
 sigil_err_t sigil_verify(sigil_t *sgl);

 // ... get functions TODO

--- a/include/types.h
+++ b/include/types.h
@@ -88,6 +88,8 @@ typedef struct {
    contents_t    *contents;
    unsigned char  computed_hash[EVP_MAX_MD_SIZE];
    unsigned int   computed_hash_len;
+    int            signing_cert_status;
+    X509_STORE    *trusted_store;
 } sigil_t;

 #endif /* PDF_SIGIL_TYPES_H */
--- a/lib/cryptography.c
+++ b/lib/cryptography.c
@@ -190,3 +190,57 @@ sigil_err_t load_certificates(sigil_t *sgl)

    return ERR_NO;
 }
+
+sigil_err_t verify_signing_certificate(sigil_t *sgl)
+{
+    X509_STORE_CTX *ctx;
+    cert_t *additional_cert;
+    STACK_OF(X509) *trusted_chain;
+
+    if (sgl == NULL || sgl->certificates == NULL)
+        return ERR_PARAMETER;
+
+    trusted_chain = sk_X509_new_null();
+
+    additional_cert = sgl->certificates->next;
+
+    while (additional_cert != NULL) {
+        if (sk_X509_push(trusted_chain, additional_cert->x509) == 0) {
+            sk_X509_free(trusted_chain);
+            return ERR_OPENSSL;
+        }
+
+        additional_cert = additional_cert->next;
+    }
+
+    ctx = X509_STORE_CTX_new();
+    if (ctx == NULL) {
+        sk_X509_free(trusted_chain);
+        return ERR_OPENSSL;
+    }
+
+    // initialize store context
+    if (X509_STORE_CTX_init(ctx, sgl->trusted_store, sgl->certificates->x509, trusted_chain) != 1) {
+        sk_X509_free(trusted_chain);
+        return ERR_OPENSSL;
+    }
+
+
+    // signing certificate to be verified
+    X509_STORE_CTX_set_cert(ctx, sgl->certificates->x509);
+
+    // verify
+    if (X509_verify_cert(ctx) == 1) {
+        // verification successful
+        sgl->signing_cert_status = CERT_STATUS_VERIFIED;
+    } else {
+        // verification not successful
+        sgl->signing_cert_status = CERT_STATUS_FAILED;
+    }
+
+    sk_X509_free(trusted_chain);
+
+    X509_STORE_CTX_free(ctx);
+
+    return ERR_NO;
+}
--- a/lib/sigil.c
+++ b/lib/sigil.c
@@ -61,7 +61,9 @@ sigil_err_t sigil_init(sigil_t **sgl)
    (*sgl)->certificates                    = NULL;
    (*sgl)->contents                        = NULL;
    (*sgl)->computed_hash_len               = 0;
+    (*sgl)->signing_cert_status             = CERT_STATUS_UNKNOWN;

+    (*sgl)->trusted_store = X509_STORE_new();

    return ERR_NO;
 }
@@ -187,6 +189,48 @@ sigil_err_t sigil_set_pdf_buffer(sigil_t *sgl, char *pdf_content, size_t size)
    return ERR_NO;
 }

+sigil_err_t sigil_set_trusted_default_system(sigil_t *sgl)
+{
+    if (sgl == NULL)
+        return ERR_PARAMETER;
+
+    if (sgl->trusted_store == NULL)
+        return ERR_OPENSSL;
+
+    if (X509_STORE_set_default_paths(sgl->trusted_store) != 1)
+        return ERR_OPENSSL;
+
+    return ERR_NO;
+}
+
+sigil_err_t sigil_set_trusted_file(sigil_t *sgl, const char *path_to_file)
+{
+    if (sgl == NULL || path_to_file == NULL)
+        return ERR_PARAMETER;
+
+    if (sgl->trusted_store == NULL)
+        return ERR_OPENSSL;
+
+    if (X509_STORE_load_locations(sgl->trusted_store, path_to_file, NULL) != 1)
+        return ERR_OPENSSL;
+
+    return ERR_NO;
+}
+
+sigil_err_t sigil_set_trusted_dir(sigil_t *sgl, const char *path_to_dir)
+{
+    if (sgl == NULL || path_to_dir == NULL)
+        return ERR_PARAMETER;
+
+    if (sgl->trusted_store == NULL)
+        return ERR_OPENSSL;
+
+    if (X509_STORE_load_locations(sgl->trusted_store, NULL, path_to_dir) != 1)
+        return ERR_OPENSSL;
+
+    return ERR_NO;
+}
+
 static sigil_err_t sigil_verify_adbe_x509_rsa_sha1(sigil_t *sgl)
 {
    sigil_err_t err;
@@ -202,6 +246,10 @@ static sigil_err_t sigil_verify_adbe_x509_rsa_sha1(sigil_t *sgl)
    if (err != ERR_NO)
        return err;

+    err = verify_signing_certificate(sgl);
+    if (err != ERR_NO)
+        return err;
+

 }

@@ -363,6 +411,9 @@ void sigil_free(sigil_t **sgl)
    if ((*sgl)->contents != NULL)
        contents_free(*sgl);

+    if ((*sgl)->trusted_store != NULL)
+        X509_STORE_free((*sgl)->trusted_store);
+
    free(*sgl);
    *sgl = NULL;
 }
@@ -416,6 +467,9 @@ int sigil_sigil_self_test(int verbosity)
        if (sgl == NULL)
            goto failed;

+        if (sigil_set_trusted_default_system(sgl) != ERR_NO)
+            goto failed;
+
        if (sigil_verify(sgl) != ERR_NO || 1)
            goto failed;