mirror of
https://github.com/pocoproject/poco.git
synced 2024-12-14 02:57:45 +01:00
manually merge #3448, part 1 (Crypto)
This commit is contained in:
Günter Obiltschnig
parent
82ef12b875
commit
11ffdc7807
@ -22,7 +22,9 @@
|
||||
#include "Poco/Mutex.h"
|
||||
#include "Poco/AtomicCounter.h"
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#include <openssl/provider.h>
|
||||
#endif
|
||||
#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_NUMBER < 0x010001000L
|
||||
#include <openssl/fips.h>
|
||||
#endif
|
||||
@ -82,6 +84,10 @@ protected:
|
||||
private:
|
||||
static Poco::FastMutex* _mutexes;
|
||||
static Poco::AtomicCounter _rc;
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
static OSSL_PROVIDER* _defaultProvider;
|
||||
static OSSL_PROVIDER* _legacyProvider;
|
||||
#endif
|
||||
};
|
||||
|
||||
|
||||
|
||||
@ -98,20 +98,22 @@ namespace
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
_pContext = EVP_CIPHER_CTX_new();
|
||||
EVP_CipherInit(
|
||||
if (!_pContext) throwError();
|
||||
int rc = EVP_CipherInit(
|
||||
_pContext,
|
||||
_pCipher,
|
||||
&_key[0],
|
||||
_iv.empty() ? 0 : &_iv[0],
|
||||
(dir == DIR_ENCRYPT) ? 1 : 0);
|
||||
#else
|
||||
EVP_CipherInit(
|
||||
int rc = EVP_CipherInit(
|
||||
&_context,
|
||||
_pCipher,
|
||||
&_key[0],
|
||||
_iv.empty() ? 0 : &_iv[0],
|
||||
(dir == DIR_ENCRYPT) ? 1 : 0);
|
||||
#endif
|
||||
if (rc == 0) throwError();
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
||||
if (_iv.size() != EVP_CIPHER_iv_length(_pCipher) && EVP_CIPHER_mode(_pCipher) == EVP_CIPH_GCM_MODE)
|
||||
|
||||
@ -60,6 +60,10 @@ namespace Crypto {
|
||||
|
||||
Poco::FastMutex* OpenSSLInitializer::_mutexes(0);
|
||||
Poco::AtomicCounter OpenSSLInitializer::_rc;
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x0907000L
|
||||
OSSL_PROVIDER* OpenSSLInitializer::_defaultProvider(0);
|
||||
OSSL_PROVIDER* OpenSSLInitializer::_legacyProvider(0);
|
||||
#endif
|
||||
|
||||
|
||||
OpenSSLInitializer::OpenSSLInitializer()
|
||||
@ -94,6 +98,11 @@ void OpenSSLInitializer::initialize()
|
||||
SSL_load_error_strings();
|
||||
OpenSSL_add_all_algorithms();
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
_defaultProvider = OSSL_PROVIDER_load(NULL, "default");
|
||||
_legacyProvider = OSSL_PROVIDER_load(NULL, "legacy");
|
||||
#endif
|
||||
|
||||
char seed[SEEDSIZE];
|
||||
RandomInputStream rnd;
|
||||
rnd.read(seed, sizeof(seed));
|
||||
@ -132,6 +141,11 @@ void OpenSSLInitializer::uninitialize()
|
||||
delete [] _mutexes;
|
||||
|
||||
CONF_modules_free();
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
OSSL_PROVIDER_unload(_defaultProvider);
|
||||
OSSL_PROVIDER_unload(_legacyProvider);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -171,7 +171,15 @@ void PKCS12Container::load(PKCS12* pPKCS12, const std::string& password)
|
||||
int certCount = sk_X509_num(pCA);
|
||||
for (int i = 0; i < certCount; ++i)
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
X509* pX509 = sk_X509_value(pCA, i);
|
||||
#else
|
||||
// Cert order is reversed on OpenSSL < 3.
|
||||
// https://github.com/openssl/openssl/issues/16421
|
||||
// https://github.com/openssl/openssl/pull/12641
|
||||
// https://github.com/jeroen/openssl/commit/f5eb85eb0fd432406a24abda6511c449eaee6162
|
||||
X509* pX509 = sk_X509_value(pCA, certCount - i - 1);
|
||||
#endif
|
||||
if (pX509)
|
||||
{
|
||||
_caCertList.push_back(X509Certificate(pX509, true));
|
||||
|
||||
@ -134,29 +134,29 @@ void PKCS12ContainerTest::fullList(const PKCS12Container::CAList& caList,
|
||||
assertTrue (caNamesList[certOrder[1]].empty());
|
||||
}
|
||||
|
||||
assertTrue (caList[certOrder[0]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[0]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[0]].issuerName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[0]].commonName() == "CV Root CA v3");
|
||||
assertTrue (caList[certOrder[0]].commonName() == "CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_COUNTRY) == "CH");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_LOCALITY_NAME).empty());
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE) == "Zug");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Crypto Vally");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_ORGANIZATION_UNIT_NAME).empty());
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_PKCS9_EMAIL_ADDRESS).empty());
|
||||
assertTrue (caList[certOrder[0]].serialNumber() == "C3ECA1FCEAA16055");
|
||||
assertTrue (caList[certOrder[0]].serialNumber() == "1000");
|
||||
assertTrue (caList[certOrder[0]].version() == 3);
|
||||
assertTrue (caList[certOrder[0]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
|
||||
assertTrue (caList[certOrder[1]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[1]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[1]].issuerName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[1]].commonName() == "CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[1]].commonName() == "CV Root CA v3");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_COUNTRY) == "CH");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_LOCALITY_NAME).empty());
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE) == "Zug");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Crypto Vally");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_ORGANIZATION_UNIT_NAME).empty());
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_PKCS9_EMAIL_ADDRESS).empty());
|
||||
assertTrue (caList[certOrder[1]].serialNumber() == "1000");
|
||||
assertTrue (caList[certOrder[1]].serialNumber() == "C3ECA1FCEAA16055");
|
||||
assertTrue (caList[certOrder[1]].version() == 3);
|
||||
assertTrue (caList[certOrder[1]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
}
|
||||
@ -200,36 +200,36 @@ void PKCS12ContainerTest::certsOnlyList(const PKCS12Container::CAList& caList,
|
||||
|
||||
if (caNamesList.size())
|
||||
{
|
||||
assertTrue (caNamesList[certOrder[0]].empty());
|
||||
assertTrue (caNamesList[certOrder[1]].empty());
|
||||
assertTrue (caNamesList[certOrder[0]] == "vally-ca");
|
||||
assertTrue (caNamesList[certOrder[1]] == "vally-ca");
|
||||
assertTrue (caNamesList[certOrder[2]].empty());
|
||||
assertTrue (caNamesList[certOrder[3]] == "vally-ca");
|
||||
assertTrue (caNamesList[certOrder[4]] == "vally-ca");
|
||||
assertTrue (caNamesList[certOrder[3]].empty());
|
||||
assertTrue (caNamesList[certOrder[4]].empty());
|
||||
}
|
||||
|
||||
assertTrue (caList[certOrder[0]].subjectName() == "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[0]].issuerName() == "C=US,O=Internet Security Research Group,CN=ISRG Root X1");
|
||||
assertTrue (caList[certOrder[0]].commonName() == "Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_COUNTRY) == "US");
|
||||
assertTrue (caList[certOrder[0]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[0]].issuerName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[0]].commonName() == "CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_COUNTRY) == "CH");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_LOCALITY_NAME).empty());
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE).empty());
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Let's Encrypt");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE) == "Zug");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Crypto Vally");
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_ORGANIZATION_UNIT_NAME).empty());
|
||||
assertTrue (caList[certOrder[0]].subjectName(X509Certificate::NID_PKCS9_EMAIL_ADDRESS).empty());
|
||||
assertTrue (caList[certOrder[0]].serialNumber() == "D3B17226342332DCF40528512AEC9C6A");
|
||||
assertTrue (caList[certOrder[0]].serialNumber()== "1000");
|
||||
assertTrue (caList[certOrder[0]].version() == 3);
|
||||
assertTrue (caList[certOrder[0]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
|
||||
assertTrue (caList[certOrder[1]].subjectName() == "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[1]].issuerName() == "O=Digital Signature Trust Co.,CN=DST Root CA X3");
|
||||
assertTrue (caList[certOrder[1]].commonName() == "Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_COUNTRY) == "US");
|
||||
assertTrue (caList[certOrder[1]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[1]].issuerName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[1]].commonName() == "CV Root CA v3");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_COUNTRY) == "CH");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_LOCALITY_NAME).empty());
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE).empty());
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Let's Encrypt");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE) == "Zug");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Crypto Vally");
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_ORGANIZATION_UNIT_NAME).empty());
|
||||
assertTrue (caList[certOrder[1]].subjectName(X509Certificate::NID_PKCS9_EMAIL_ADDRESS).empty());
|
||||
assertTrue (caList[certOrder[1]].serialNumber() == "0A0141420000015385736A0B85ECA708");
|
||||
assertTrue (caList[certOrder[1]].serialNumber() == "C3ECA1FCEAA16055");
|
||||
assertTrue (caList[certOrder[1]].version() == 3);
|
||||
assertTrue (caList[certOrder[1]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
|
||||
@ -246,31 +246,32 @@ void PKCS12ContainerTest::certsOnlyList(const PKCS12Container::CAList& caList,
|
||||
assertTrue (caList[certOrder[2]].version() == 3);
|
||||
assertTrue (caList[certOrder[2]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
|
||||
assertTrue (caList[certOrder[3]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[3]].issuerName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[3]].commonName() == "CV Root CA v3");
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_COUNTRY) == "CH");
|
||||
assertTrue (caList[certOrder[3]].subjectName() == "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[3]].issuerName() == "O=Digital Signature Trust Co.,CN=DST Root CA X3");
|
||||
assertTrue (caList[certOrder[3]].commonName() == "Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_COUNTRY) == "US");
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_LOCALITY_NAME).empty());
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE) == "Zug");
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Crypto Vally");
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE).empty());
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Let's Encrypt");
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_ORGANIZATION_UNIT_NAME).empty());
|
||||
assertTrue (caList[certOrder[3]].subjectName(X509Certificate::NID_PKCS9_EMAIL_ADDRESS).empty());
|
||||
assertTrue (caList[certOrder[3]].serialNumber() == "C3ECA1FCEAA16055");
|
||||
assertTrue (caList[certOrder[3]].serialNumber() == "0A0141420000015385736A0B85ECA708");
|
||||
assertTrue (caList[certOrder[3]].version() == 3);
|
||||
assertTrue (caList[certOrder[3]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
|
||||
assertTrue (caList[certOrder[4]].subjectName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[4]].issuerName() == "C=CH,ST=Zug,O=Crypto Vally,CN=CV Root CA v3");
|
||||
assertTrue (caList[certOrder[4]].commonName() == "CV Intermediate CA v3");
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_COUNTRY) == "CH");
|
||||
assertTrue (caList[certOrder[4]].subjectName() == "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[4]].issuerName() == "C=US,O=Internet Security Research Group,CN=ISRG Root X1");
|
||||
assertTrue (caList[certOrder[4]].commonName() == "Let's Encrypt Authority X3");
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_COUNTRY) == "US");
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_LOCALITY_NAME).empty());
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE) == "Zug");
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Crypto Vally");
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_STATE_OR_PROVINCE).empty());
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_ORGANIZATION_NAME) == "Let's Encrypt");
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_ORGANIZATION_UNIT_NAME).empty());
|
||||
assertTrue (caList[certOrder[4]].subjectName(X509Certificate::NID_PKCS9_EMAIL_ADDRESS).empty());
|
||||
assertTrue (caList[certOrder[4]].serialNumber()== "1000");
|
||||
assertTrue (caList[certOrder[4]].serialNumber() == "D3B17226342332DCF40528512AEC9C6A");
|
||||
assertTrue (caList[certOrder[4]].version() == 3);
|
||||
assertTrue (caList[certOrder[4]].signatureAlgorithm() == "sha256WithRSAEncryption");
|
||||
|
||||
}
|
||||
|
||||
|
||||
@ -281,9 +282,8 @@ void PKCS12ContainerTest::testPEMReadWrite()
|
||||
std::string file = getTestFilesPath("certs-only", "pem");
|
||||
X509Certificate::List certsOnly = X509Certificate::readPEM(file);
|
||||
assertTrue (certsOnly.size() == 5);
|
||||
// PEM is written by openssl in reverse order from p12
|
||||
std::vector<int> certOrder;
|
||||
for(int i = (int)certsOnly.size() - 1; i >= 0; --i) certOrder.push_back(i);
|
||||
for(int i = 0; i < certsOnly.size(); ++i) certOrder.push_back(i);
|
||||
certsOnlyList(certsOnly, PKCS12Container::CANameList(), certOrder);
|
||||
|
||||
TemporaryFile tmpFile;
|
||||
@ -301,7 +301,7 @@ void PKCS12ContainerTest::testPEMReadWrite()
|
||||
assertTrue (full.size() == 2);
|
||||
|
||||
certOrder.clear();
|
||||
for(int i = (int)full.size() - 1; i >= 0; --i) certOrder.push_back(i);
|
||||
for(int i = 0; i < full.size(); ++i) certOrder.push_back(i);
|
||||
fullList(full, PKCS12Container::CANameList(), certOrder);
|
||||
|
||||
TemporaryFile tmpFile2;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user