static X509_REQ *pki_certificate_request(EVP_PKEY *keyring, digital_id_t *digital_id)
{
jlog(L_DEBUG, "pki_certificate_request");
X509_REQ *cert_req;
X509_NAME *subject;
const EVP_MD *message_digest;
// create a certificate request
cert_req = X509_REQ_new();
// set certificate request 'Subject:'
subject = X509_NAME_new();
X509_NAME_add_entry_by_txt(subject, "commonName", MBSTRING_ASC, (unsigned char*)digital_id->commonName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "countryName", MBSTRING_ASC, (unsigned char*)digital_id->countryName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "stateOrProvinceName", MBSTRING_ASC, (unsigned char*)digital_id->stateOrProvinceName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "localityName", MBSTRING_ASC, (unsigned char*)digital_id->localityName, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "emailAddress", MBSTRING_ASC, (unsigned char*)digital_id->emailAddress, -1, -1, 0);
X509_NAME_add_entry_by_txt(subject, "organizationName", MBSTRING_ASC, (unsigned char*)digital_id->organizationName, -1, -1, 0);
X509_REQ_set_subject_name(cert_req, subject);
X509_NAME_free(subject);
// set certificate request public key
X509_REQ_set_pubkey(cert_req, keyring);
// create a message digest
message_digest = EVP_sha1();
// sign certificate request
X509_REQ_sign(cert_req, keyring, message_digest);
return cert_req;
}
/***
create or generate a new x509_req object.
Note if not give evp_pkey, will create a new x509_req object,or will generate a signed x509_req object.
@function new
@tparam[opt] x509_name subject subject name set to x509_req
@tparam[opt] stack_of_x509_extension extensions add to x509_req
@tparam[opt] stack_of_x509_attribute attributes add to x509_req
@tparam[opt] evp_pkey pkey private key sign the x509_req, and set as public key
@tparam[opt='sha1WithRSAEncryption'] evp_digest|string md_alg, only used when pkey exist, and should fellow pkey
@treturn x509_req certificate sign request object
@see x509_req
*/
static LUA_FUNCTION(openssl_csr_new)
{
X509_REQ *csr = X509_REQ_new();
int i;
int n = lua_gettop(L);
int ret = X509_REQ_set_version(csr, 0L);
for (i = 1; ret == 1 && i <= n; i++)
{
luaL_argcheck(L,
auxiliar_getclassudata(L, "openssl.x509_name", i) ||
auxiliar_getclassudata(L, "openssl.evp_pkey", i),
i, "must be x509_name or evp_pkey");
if (auxiliar_getclassudata(L, "openssl.x509_name", i))
{
X509_NAME * subject = CHECK_OBJECT(i, X509_NAME, "openssl.x509_name");
ret = X509_REQ_set_subject_name(csr, subject);
}
if (auxiliar_getclassudata(L, "openssl.evp_pkey", i))
{
EVP_PKEY *pkey;
const EVP_MD *md;
luaL_argcheck(L, i == n || i == n - 1, i, "must is evp_pkey object");
pkey = CHECK_OBJECT(i, EVP_PKEY, "openssl.evp_pkey");
if (i == n - 1)
md = get_digest(L, n, NULL);
else
md = EVP_get_digestbyname("sha256");
ret = X509_REQ_set_pubkey(csr, pkey);
if (ret == 1)
{
ret = X509_REQ_sign(csr, pkey, md);
if (ret > 0)
ret = 1;
}
break;
}
};
if (ret == 1)
PUSH_OBJECT(csr, "openssl.x509_req");
else
{
X509_REQ_free(csr);
return openssl_pushresult(L, ret);
}
return 1;
}
static LUA_FUNCTION(openssl_csr_subject)
{
X509_REQ *csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
if (lua_isnone(L, 2))
{
X509_NAME *xn = X509_REQ_get_subject_name(csr);
if (xn)
openssl_push_xname_asobject(L, xn);
else
lua_pushnil(L);
return 1;
}
else
{
X509_NAME* xn = CHECK_OBJECT(2, X509_NAME, "openssl.x509_name");
int ret = X509_REQ_set_subject_name(csr, xn);
return openssl_pushresult(L, ret);
}
}
X509_REQ *
X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
X509_REQ *ret;
X509_REQ_INFO *ri;
int i;
EVP_PKEY *pktmp;
ret = X509_REQ_new();
if (ret == NULL) {
X509error(ERR_R_MALLOC_FAILURE);
goto err;
}
ri = ret->req_info;
if ((ri->version = ASN1_INTEGER_new()) == NULL)
goto err;
if (ASN1_INTEGER_set(ri->version, 0) == 0)
goto err;
if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
goto err;
if ((pktmp = X509_get_pubkey(x)) == NULL)
goto err;
i = X509_REQ_set_pubkey(ret, pktmp);
EVP_PKEY_free(pktmp);
if (!i)
goto err;
if (pkey != NULL) {
if (!X509_REQ_sign(ret, pkey, md))
goto err;
}
return (ret);
err:
X509_REQ_free(ret);
return (NULL);
}
X509_REQ *
X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
X509_REQ *ret;
X509_REQ_INFO *ri;
int i;
EVP_PKEY *pktmp;
ret = X509_REQ_new();
if (ret == NULL) {
X509err(X509_F_X509_TO_X509_REQ, ERR_R_MALLOC_FAILURE);
goto err;
}
ri = ret->req_info;
ri->version->length = 1;
ri->version->data = malloc(1);
if (ri->version->data == NULL)
goto err;
ri->version->data[0] = 0; /* version == 0 */
if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
goto err;
pktmp = X509_get_pubkey(x);
i = X509_REQ_set_pubkey(ret, pktmp);
EVP_PKEY_free(pktmp);
if (!i)
goto err;
if (pkey != NULL) {
if (!X509_REQ_sign(ret, pkey, md))
goto err;
}
return (ret);
err:
X509_REQ_free(ret);
return (NULL);
}
static bool GenerateCertRequest(RsaDevice d, X509_REQ* req)
{
// Create key in EVP format
EVP_PKEY* key = CreateRsaKey(d);
CHECK_CALL(key);
// Create x509 cert signing request (CSR)
CHECK_CALL(X509_REQ_set_pubkey(req, key));
// Add subject name to the CSR
X509_NAME* subj = X509_REQ_get_subject_name(req);
CHECK_CALL(X509_NAME_add_entry_by_txt(
subj, "O", MBSTRING_ASC,
(const unsigned char *)"RSA Device", -1, -1, 0));
CHECK_CALL(X509_REQ_set_subject_name(req, subj));
//X509_REQ_print_fp(stderr, req);
CHECK_CALL(X509_REQ_sign(req, key, EVP_sha1()));
EVP_PKEY_free(key);
return true;
}
static LUA_FUNCTION(openssl_csr_new)
{
X509_REQ *csr = X509_REQ_new();
int i;
int n = lua_gettop(L);
int ret = X509_REQ_set_version(csr, 0L);
for (i = 1; ret == 1 && i <= n; i++)
{
luaL_argcheck(L,
auxiliar_isclass(L, "openssl.stack_of_x509_extension", i) ||
auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i) ||
auxiliar_isclass(L, "openssl.x509_name", i) ||
auxiliar_isclass(L, "openssl.evp_pkey", i),
i, "must be x509_name, stack_of_x509_extension or stack_of_x509_attribute");
if (auxiliar_isclass(L, "openssl.x509_name", i))
{
X509_NAME * subject = CHECK_OBJECT(i, X509_NAME, "openssl.x509_name");
ret = X509_REQ_set_subject_name(csr, subject);
}
if (auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i))
{
int j, m;
STACK_OF(X509_ATTRIBUTE) *attrs = CHECK_OBJECT(i, STACK_OF(X509_ATTRIBUTE), "openssl.stack_of_x509_attribute");
m = sk_X509_ATTRIBUTE_num(attrs);
for (j = 0; ret == 1 && j < m; j++)
{
ret = X509_REQ_add1_attr(csr, sk_X509_ATTRIBUTE_value(attrs, j));
}
}
if (auxiliar_isclass(L, "openssl.stack_of_x509_extension", i))
{
STACK_OF(X509_EXTENSION) *exts =
CHECK_OBJECT(i, STACK_OF(X509_EXTENSION), "openssl.stack_of_x509_extension");
ret = X509_REQ_add_extensions(csr, exts);
}
if (auxiliar_isclass(L, "openssl.evp_pkey", i))
{
EVP_PKEY *pkey;
const EVP_MD *md;
luaL_argcheck(L, i == n || i == n - 1, i, "must is evp_pkey object");
pkey = CHECK_OBJECT(i, EVP_PKEY, "openssl.evp_pkey");
luaL_argcheck(L, openssl_pkey_is_private(pkey), i, "must be private key");
if (i == n - 1)
md = get_digest(L, n);
else
md = EVP_get_digestbyname("sha1");
ret = X509_REQ_set_pubkey(csr, pkey);
if (ret == 1)
{
ret = X509_REQ_sign(csr, pkey, md);
if (ret > 0)
ret = 1;
}
break;
}
};
if (ret == 1)
PUSH_OBJECT(csr, "openssl.x509_req");
else
{
X509_REQ_free(csr);
return openssl_pushresult(L, ret);
}
return 1;
}
int openssl_x509_cert()
{
BIO *b;
FILE *fp;
RSA *rsa;
EVP_PKEY *pkey;
X509_NAME *name;
const EVP_MD *md;
X509_REQ *req, **req2;
X509_NAME_ENTRY *entry;
unsigned int len;
char bytes[COMM_LEN];
const unsigned char *pp;
unsigned char *p, *der, *mdout, buf[MAX1_LEN];
OpenSSL_add_all_algorithms();
printf("\nX509_Cert info:\n");
return -1;
req = X509_REQ_new();
X509_REQ_set_version(req, 1);
name = X509_NAME_new();
strcpy(bytes, "beike");
entry = X509_NAME_ENTRY_create_by_txt(&entry, "commonName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
X509_NAME_add_entry(name, entry, 0, -1);
strcpy(bytes, "BEIJING");
entry = X509_NAME_ENTRY_create_by_txt(&entry, "countryName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
X509_NAME_add_entry(name, entry, 1, -1);
X509_REQ_set_subject_name(req, name);
pkey = EVP_PKEY_new();
rsa = RSA_generate_key(LINE_LEN, RSA_3, NULL, NULL);
EVP_PKEY_assign_RSA(pkey, rsa);
X509_REQ_set_pubkey(req, pkey);
strcpy(bytes, "USTB");
X509_REQ_add1_attr_by_txt(req, "organizationName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
strcpy(bytes, "TECH");
X509_REQ_add1_attr_by_txt(req, "organizationalUnitName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
md = EVP_sha1();
X509_REQ_digest(req, md, mdout, &len);
X509_REQ_sign(req, pkey, md);
b = BIO_new_file("/tmp/certreq.txt", "w");
PEM_write_bio_X509_REQ(b, req);
BIO_free(b);
len = i2d_X509_REQ(req, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_X509_REQ(req, &p);
X509_REQ_verify(req, pkey);
fp = fopen("/tmp/certder.txt", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
X509_REQ_free(req);
b = BIO_new_file("/tmp/certreq.txt", "r");
PEM_read_bio_X509_REQ(b, NULL, NULL, NULL);
fp = fopen("/tmp/certder.txt", "r");
len = fread(buf, 1, MAX1_LEN, fp);
fclose(fp);
pp = buf;
req2 = (X509_REQ **) malloc(sizeof(X509_REQ *));
d2i_X509_REQ(req2, &pp, len);
free(req2);
X509_REQ_free(*req2);
return 0;
}
/*
* initialize ssl engine, load certs and initialize openssl internals
*/
void init_ssl(void)
{
const SSL_METHOD *ssl_method;
RSA *rsa=NULL;
X509_REQ *req = NULL;
X509 *cer = NULL;
EVP_PKEY *pk = NULL;
EVP_PKEY *req_pkey = NULL;
X509_NAME *name = NULL;
FILE *fp;
char buf[SIZ];
int rv = 0;
if (!access("/var/run/egd-pool", F_OK)) {
RAND_egd("/var/run/egd-pool");
}
if (!RAND_status()) {
syslog(LOG_WARNING, "PRNG not adequately seeded, won't do SSL/TLS\n");
return;
}
SSLCritters = malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t *));
if (!SSLCritters) {
syslog(LOG_ERR, "citserver: can't allocate memory!!\n");
/* Nothing's been initialized, just die */
ShutDownWebcit();
exit(WC_EXIT_SSL);
} else {
int a;
for (a = 0; a < CRYPTO_num_locks(); a++) {
SSLCritters[a] = malloc(sizeof(pthread_mutex_t));
if (!SSLCritters[a]) {
syslog(LOG_EMERG,
"citserver: can't allocate memory!!\n");
/** Nothing's been initialized, just die */
ShutDownWebcit();
exit(WC_EXIT_SSL);
}
pthread_mutex_init(SSLCritters[a], NULL);
}
}
/*
* Initialize SSL transport layer
*/
SSL_library_init();
SSL_load_error_strings();
ssl_method = SSLv23_server_method();
if (!(ssl_ctx = SSL_CTX_new(ssl_method))) {
syslog(LOG_WARNING, "SSL_CTX_new failed: %s\n", ERR_reason_error_string(ERR_get_error()));
return;
}
syslog(LOG_INFO, "Requesting cipher list: %s\n", ssl_cipher_list);
if (!(SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher_list))) {
syslog(LOG_WARNING, "SSL_CTX_set_cipher_list failed: %s\n", ERR_reason_error_string(ERR_get_error()));
return;
}
CRYPTO_set_locking_callback(ssl_lock);
CRYPTO_set_id_callback(id_callback);
/*
* Get our certificates in order. (FIXME: dirify. this is a setup job.)
* First, create the key/cert directory if it's not there already...
*/
mkdir(CTDL_CRYPTO_DIR, 0700);
/*
* Before attempting to generate keys/certificates, first try
* link to them from the Citadel server if it's on the same host.
* We ignore any error return because it either meant that there
* was nothing in Citadel to link from (in which case we just
* generate new files) or the target files already exist (which
* is not fatal either).
*/
if (!strcasecmp(ctdlhost, "uds")) {
sprintf(buf, "%s/keys/citadel.key", ctdlport);
rv = symlink(buf, CTDL_KEY_PATH);
if (!rv) syslog(LOG_DEBUG, "%s\n", strerror(errno));
sprintf(buf, "%s/keys/citadel.csr", ctdlport);
rv = symlink(buf, CTDL_CSR_PATH);
if (!rv) syslog(LOG_DEBUG, "%s\n", strerror(errno));
sprintf(buf, "%s/keys/citadel.cer", ctdlport);
rv = symlink(buf, CTDL_CER_PATH);
if (!rv) syslog(LOG_DEBUG, "%s\n", strerror(errno));
}
/*
* If we still don't have a private key, generate one.
*/
if (access(CTDL_KEY_PATH, R_OK) != 0) {
syslog(LOG_INFO, "Generating RSA key pair.\n");
rsa = RSA_generate_key(1024, /* modulus size */
65537, /* exponent */
NULL, /* no callback */
NULL /* no callback */
);
if (rsa == NULL) {
syslog(LOG_WARNING, "Key generation failed: %s\n", ERR_reason_error_string(ERR_get_error()));
}
if (rsa != NULL) {
fp = fopen(CTDL_KEY_PATH, "w");
if (fp != NULL) {
chmod(CTDL_KEY_PATH, 0600);
if (PEM_write_RSAPrivateKey(fp, /* the file */
rsa, /* the key */
NULL, /* no enc */
NULL, /* no passphr */
0, /* no passphr */
NULL, /* no callbk */
NULL /* no callbk */
) != 1) {
syslog(LOG_WARNING, "Cannot write key: %s\n",
ERR_reason_error_string(ERR_get_error()));
unlink(CTDL_KEY_PATH);
}
fclose(fp);
}
else {
syslog(LOG_WARNING, "Cannot write key: %s\n", CTDL_KEY_PATH);
ShutDownWebcit();
exit(0);
}
RSA_free(rsa);
}
}
/*
* If there is no certificate file on disk, we will be generating a self-signed certificate
* in the next step. Therefore, if we have neither a CSR nor a certificate, generate
* the CSR in this step so that the next step may commence.
*/
if ( (access(CTDL_CER_PATH, R_OK) != 0) && (access(CTDL_CSR_PATH, R_OK) != 0) ) {
syslog(LOG_INFO, "Generating a certificate signing request.\n");
/*
* Read our key from the file. No, we don't just keep this
* in memory from the above key-generation function, because
* there is the possibility that the key was already on disk
* and we didn't just generate it now.
*/
fp = fopen(CTDL_KEY_PATH, "r");
if (fp) {
rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
}
if (rsa) {
/** Create a public key from the private key */
if (pk=EVP_PKEY_new(), pk != NULL) {
EVP_PKEY_assign_RSA(pk, rsa);
if (req = X509_REQ_new(), req != NULL) {
const char *env;
/* Set the public key */
X509_REQ_set_pubkey(req, pk);
X509_REQ_set_version(req, 0L);
name = X509_REQ_get_subject_name(req);
/* Tell it who we are */
/*
* We used to add these fields to the subject, but
* now we don't. Someone doing this for real isn't
* going to use the webcit-generated CSR anyway.
*
X509_NAME_add_entry_by_txt(name, "C",
MBSTRING_ASC, "US", -1, -1, 0);
*
X509_NAME_add_entry_by_txt(name, "ST",
MBSTRING_ASC, "New York", -1, -1, 0);
*
X509_NAME_add_entry_by_txt(name, "L",
MBSTRING_ASC, "Mount Kisco", -1, -1, 0);
*/
env = getenv("O");
if (env == NULL)
env = "Organization name",
X509_NAME_add_entry_by_txt(
name, "O",
MBSTRING_ASC,
(unsigned char*)env,
-1, -1, 0
);
env = getenv("OU");
if (env == NULL)
env = "Citadel server";
X509_NAME_add_entry_by_txt(
name, "OU",
MBSTRING_ASC,
(unsigned char*)env,
-1, -1, 0
);
env = getenv("CN");
if (env == NULL)
env = "*";
X509_NAME_add_entry_by_txt(
name, "CN",
MBSTRING_ASC,
(unsigned char*)env,
-1, -1, 0
);
X509_REQ_set_subject_name(req, name);
/* Sign the CSR */
if (!X509_REQ_sign(req, pk, EVP_md5())) {
syslog(LOG_WARNING, "X509_REQ_sign(): error\n");
}
else {
/* Write it to disk. */
fp = fopen(CTDL_CSR_PATH, "w");
if (fp != NULL) {
chmod(CTDL_CSR_PATH, 0600);
PEM_write_X509_REQ(fp, req);
fclose(fp);
}
else {
syslog(LOG_WARNING, "Cannot write key: %s\n", CTDL_CSR_PATH);
ShutDownWebcit();
exit(0);
}
}
X509_REQ_free(req);
}
}
RSA_free(rsa);
}
else {
syslog(LOG_WARNING, "Unable to read private key.\n");
}
}
/*
* Generate a self-signed certificate if we don't have one.
*/
if (access(CTDL_CER_PATH, R_OK) != 0) {
syslog(LOG_INFO, "Generating a self-signed certificate.\n");
/* Same deal as before: always read the key from disk because
* it may or may not have just been generated.
*/
fp = fopen(CTDL_KEY_PATH, "r");
if (fp) {
rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
}
/* This also holds true for the CSR. */
req = NULL;
cer = NULL;
pk = NULL;
if (rsa) {
if (pk=EVP_PKEY_new(), pk != NULL) {
EVP_PKEY_assign_RSA(pk, rsa);
}
fp = fopen(CTDL_CSR_PATH, "r");
if (fp) {
req = PEM_read_X509_REQ(fp, NULL, NULL, NULL);
fclose(fp);
}
if (req) {
if (cer = X509_new(), cer != NULL) {
ASN1_INTEGER_set(X509_get_serialNumber(cer), 0);
X509_set_issuer_name(cer, req->req_info->subject);
X509_set_subject_name(cer, req->req_info->subject);
X509_gmtime_adj(X509_get_notBefore(cer), 0);
X509_gmtime_adj(X509_get_notAfter(cer),(long)60*60*24*SIGN_DAYS);
req_pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(cer, req_pkey);
EVP_PKEY_free(req_pkey);
/* Sign the cert */
if (!X509_sign(cer, pk, EVP_md5())) {
syslog(LOG_WARNING, "X509_sign(): error\n");
}
else {
/* Write it to disk. */
fp = fopen(CTDL_CER_PATH, "w");
if (fp != NULL) {
chmod(CTDL_CER_PATH, 0600);
PEM_write_X509(fp, cer);
fclose(fp);
}
else {
syslog(LOG_WARNING, "Cannot write key: %s\n", CTDL_CER_PATH);
ShutDownWebcit();
exit(0);
}
}
X509_free(cer);
}
}
RSA_free(rsa);
}
}
/*
* Now try to bind to the key and certificate.
* Note that we use SSL_CTX_use_certificate_chain_file() which allows
* the certificate file to contain intermediate certificates.
*/
SSL_CTX_use_certificate_chain_file(ssl_ctx, CTDL_CER_PATH);
SSL_CTX_use_PrivateKey_file(ssl_ctx, CTDL_KEY_PATH, SSL_FILETYPE_PEM);
if ( !SSL_CTX_check_private_key(ssl_ctx) ) {
syslog(LOG_WARNING, "Cannot install certificate: %s\n",
ERR_reason_error_string(ERR_get_error()));
}
}
BSONObj createCertificateRequest(const BSONObj& a, void* data) {
#ifndef MONGO_CONFIG_SSL
return BSON(
"" << BSON("ok" << false << "errmsg"
<< "Cannot create a certificate signing request without SSL support"));
#else
if (a.nFields() != 1 || a.firstElement().type() != Object) {
return BSON(
"" << BSON("ok" << false << "errmsg"
<< "createCertificateRequest requires a single object argument"));
}
// args can optionally contain some to be determined fields...
BSONObj args = a.firstElement().embeddedObject();
if (!args.hasField("CN")) {
return BSON(
"" << BSON("ok" << false << "errmsg"
<< "createCertificateRequest requires a Common Name (\"CN\") field"));
}
// Generate key pair and certificate signing request
RSA* rsa;
EVP_PKEY* pkey;
X509_REQ* x509req;
X509_NAME* name;
BIO* out;
char client_key[2048];
char client_csr[2048];
pkey = EVP_PKEY_new();
if (!pkey) {
return BSON("" << BSON("ok" << false));
// fail("couldn't generate key");
}
rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
if (!EVP_PKEY_assign_RSA(pkey, rsa)) {
return BSON("" << BSON("ok" << false));
// fail("couldn't assign the key");
}
x509req = X509_REQ_new();
X509_REQ_set_pubkey(x509req, pkey);
name = X509_NAME_new();
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (const unsigned char*)"IS", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (const unsigned char*)"MongoDB", -1, -1, 0);
X509_NAME_add_entry_by_txt(
name, "OU", MBSTRING_ASC, (const unsigned char*)"SkunkWorks client", -1, -1, 0);
X509_NAME_add_entry_by_txt(
name, "CN", MBSTRING_ASC, (const unsigned char*)args.getStringField("CN"), -1, -1, 0);
X509_REQ_set_subject_name(x509req, name);
X509_REQ_set_version(x509req, 2);
if (!X509_REQ_sign(x509req, pkey, EVP_sha1())) {
return BSON("" << BSON("ok" << false));
}
// out = BIO_new_file("client.key.pem", "wb");
out = BIO_new(BIO_s_mem());
if (!PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL)) {
return BSON("" << BSON("ok" << false));
// fail("can't write private key");
}
int i = BIO_read(out, &client_key, sizeof client_key);
client_key[i] = '\0';
BIO_free_all(out);
out = BIO_new(BIO_s_mem());
if (!PEM_write_bio_X509_REQ_NEW(out, x509req)) {
return BSON("" << BSON("ok" << false));
// fail("coudln't write csr");
}
i = BIO_read(out, &client_csr, sizeof client_csr);
client_csr[i] = '\0';
BIO_free_all(out);
EVP_PKEY_free(pkey);
X509_REQ_free(x509req);
return BSON("" << BSON("ok" << true << "certificateRequest" << client_csr << "privateKey"
<< client_key));
#endif
}
uint32 CRegProtocol::GenerateCertRequest(char *SubjName,
uchar **Cert,
uint32 *CertLength)
{
uint32 err; //= TU_ERROR_CRYPTO_FAILED;
X509_REQ *req;
X509_NAME *subj;
EVP_PKEY *pkey;
int nid;
X509_NAME_ENTRY *ent;
FILE *fp;
int fsize;
//First, get the private key
err = GetPrivateKey(SubjName, TU_KEY_ENC, &pkey);
if(TU_SUCCESS != err)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error getting private key\n"));
goto EXIT;
}
//Now create a new request object
if(!(req = X509_REQ_new()))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error creating new X509 Request\n"));
goto ERR_PKEY;
}
//assign the public key to the request
X509_REQ_set_pubkey (req, pkey);
//Subject name processing.
if(!(subj = X509_NAME_new()))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error creating new X509 Subject\n"));
goto ERR_REQ;
}
//First set the predefined subject fields
for (int i = 0; i < ENTRY_COUNT; i++)
{
if((nid = OBJ_txt2nid (entries[i].key)) == NID_undef)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error getting NID from text\n"));
X509_NAME_free(subj);
goto ERR_REQ;
}
if(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC,
(uchar *)entries[i].value, -1)))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error creating name entry\n"));
X509_NAME_free(subj);
goto ERR_REQ;
}
if(X509_NAME_add_entry(subj, ent, -1, 0) != 1)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error adding name entry to subject\n"));
X509_NAME_ENTRY_free(ent);
X509_NAME_free(subj);
goto ERR_REQ;
}
}//for
//Next set the common name and description
if((nid = OBJ_txt2nid("commonName")) == NID_undef)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error getting NID from text\n"));
X509_NAME_free(subj);
goto ERR_REQ;
}
if(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC,
(uchar *)SubjName, -1)))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error creating name entry\n"));
X509_NAME_free(subj);
goto ERR_REQ;
}
if(X509_NAME_add_entry(subj, ent, -1, 0) != 1)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error adding name entry to subject\n"));
X509_NAME_ENTRY_free(ent);
X509_NAME_free(subj);
goto ERR_REQ;
}
//Finally add the subject to the request
if(X509_REQ_set_subject_name (req, subj) != 1)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error setting subject in request\n"));
X509_NAME_free(subj);
goto ERR_REQ;
}
//Sign the request
if(!(X509_REQ_sign(req, pkey, EVP_sha1())))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error signing request\n"));
goto ERR_REQ;
}
//Now we need to serialize the request. So write it to a file and read it out
if(!(fp = fopen("protofile", "w")))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error opening file for writing\n"));
err = TU_ERROR_FILEOPEN;
goto ERR_REQ;
}
if(PEM_write_X509_REQ(fp, req) != 1)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error writing request to file\n"));
err = TU_ERROR_FILEWRITE;
fclose(fp);
goto ERR_REQ;
}
fclose(fp);
//now open it for reading in binary format
if(!(fp = fopen("protofile", "rb")))
{
TUTRACE((TUTRACE_ERR, "PROTO: Error opening file for reading\n"));
err = TU_ERROR_FILEOPEN;
goto ERR_FILE;
}
//get the filesize
fseek(fp, 0, SEEK_END);
fsize = ftell(fp);
if(fsize == -1)
{
TUTRACE((TUTRACE_ERR, "Couldn't determine file size\n"));
err = TU_ERROR_FILEREAD;
goto ERR_FILE;
}
//Allocate memory
*Cert = (uchar *)malloc(fsize);
if(!*Cert)
{
TUTRACE((TUTRACE_ERR, "PROTO: Error allocating memory for cert buffer\n"));
err = TU_ERROR_OUT_OF_MEMORY;
goto ERR_FILE;
}
*CertLength = fsize;
rewind(fp);
fread(*Cert, 1, fsize, fp);
err = TU_SUCCESS;
ERR_FILE:
if(fp)
fclose(fp);
remove("protofile");
ERR_REQ:
X509_REQ_free(req);
ERR_PKEY:
EVP_PKEY_free(pkey);
EXIT:
return err;
}//GenerateCertRequest
int CCertificateRequestGenerator::Generate()
//Generate certificate request and write into a file
{
FILE* fp = NULL;
char* pbPassword = NULL;
EVP_PKEY* pKey = NULL;
X509_REQ* pReq = NULL;
X509_NAME* pSubj = NULL;
const EVP_MD* pDigest = NULL;
DWORD bytesWritten;
struct entry_pack* pEntPack = NULL;
int retFunc = FAIL;
//Get command prompt handle
HANDLE hndl = GetStdHandle(STD_OUTPUT_HANDLE);
OPENSSL_add_all_algorithms_conf();
ERR_load_crypto_strings();
//First read private key from key file
if(!(fp = _tfopen(m_privateKeyFile, _T("r"))))
{
PrintErrorInfo("Error reading key file!", EGeneric, constparams);
WriteConsole(hndl, m_privateKeyFile, wcslen(m_privateKeyFile), &bytesWritten, 0);
return retFunc;
}
if(m_password[0] != 0)
{
DWORD len = 0;
len = _tcslen(m_password);
pbPassword = MakeMBCSString(m_password, CP_UTF8, len);
pKey = PEM_read_PrivateKey(fp, NULL, NULL, pbPassword);
delete pbPassword;
}
else
{
pKey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
}
fclose(fp); fp = NULL;
if(!pKey)
{
PrintErrorInfo("Error reading private key in key file!", EOPENSSL, constparams);
return retFunc;
}
try
{
//Create a new cert request and add the public key into it
if(!(pReq = X509_REQ_new()))
{
PrintErrorInfo("Error creating X509 request object!", EOPENSSL, constparams);
throw EOPENSSL;
}
X509_REQ_set_pubkey(pReq, pKey);
//Now create DN name entries and assign them to request
if(!(pSubj = X509_NAME_new()))
{
PrintErrorInfo("Error creating X509 name object!", EOPENSSL, constparams);
throw EOPENSSL;
}
//Format DN string
DoFormatted(m_dname, &pEntPack);
if(pEntPack->num == 0)
{
PrintErrorInfo("Error formatting Distinguished Name!", EGeneric, constparams);
throw EGeneric;
}
for (int i = 0; i < pEntPack->num; i++)
{
int nid = 0;
DWORD lent = 0;
X509_NAME_ENTRY *pEnt = NULL;
LPSTR pbMBSTRUTF8 = NULL;
if((pEntPack->entries[i].value == NULL) || (pEntPack->entries[i].key == NULL))
{
PrintErrorInfo("Error in Distinguished Name construction!", EGeneric, constparams);
throw EGeneric;
}
if((nid = OBJ_txt2nid(pEntPack->entries[i].key)) == NID_undef)
{
PrintErrorInfo("Error finding NID for a DN entry!", EOPENSSL, constparams);
throw EOPENSSL;
}
lent = _tcslen(pEntPack->entries[i].value);
pbMBSTRUTF8 = MakeMBCSString(pEntPack->entries[i].value, CP_UTF8, lent);
if(lent > 64) //OpenSSL does not accept a string longer than 64
{
if(!(pEnt = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_UTF8, (unsigned char *)"dummy", 5)))
{
PrintErrorInfo("Error creating name entry from NID!", EOPENSSL, constparams);
throw EOPENSSL;
}
pEnt->value->data = (unsigned char *)malloc(lent+1);
for(DWORD j=0; j<lent; j++ )
{
pEnt->value->data[j] = pbMBSTRUTF8[j];
}
pEnt->value->length = lent;
}
else if(!(pEnt = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_UTF8, (unsigned char *)pbMBSTRUTF8, lent)))
{
PrintErrorInfo("Error creating name entry from NID!", EOPENSSL, constparams);
throw EOPENSSL;
}
if(X509_NAME_add_entry(pSubj, pEnt, -1, 0) != 1)
{
PrintErrorInfo("Error adding entry to X509 Name!", EOPENSSL, constparams);
throw EOPENSSL;
}
delete pbMBSTRUTF8;
}//for
SYMBIAN_FREE_MEM(pEntPack);
if(X509_REQ_set_subject_name(pReq, pSubj) != 1)
{
PrintErrorInfo("Error adding subject to request!", EOPENSSL, constparams);
throw EOPENSSL;
}
//Find the correct digest and sign the request
if(EVP_PKEY_type(pKey->type) == EVP_PKEY_DSA)
{
pDigest = EVP_dss1();
}
else if(EVP_PKEY_type(pKey->type) == EVP_PKEY_RSA)
{
pDigest = EVP_sha1();
}
else
{
PrintErrorInfo("Error checking private key type!", EOPENSSL, constparams);
throw EOPENSSL;
}
if(!(X509_REQ_sign(pReq, pKey, pDigest)))
{
PrintErrorInfo("Error signing request!", EOPENSSL, constparams);
throw EOPENSSL;
}
if(!(fp = _tfopen(m_RequestFile, _T("w"))))
{
PrintErrorInfo("Error writing to request file!",EGeneric,constparams);
throw EGeneric;
}
if(PEM_write_X509_REQ(fp, pReq) != 1)
{
PrintErrorInfo("Error while writing to request file!", EOPENSSL, constparams);
throw EOPENSSL;
}
//Free variables
EVP_PKEY_free(pKey);
X509_NAME_free(pSubj);
X509_REQ_free(pReq);
fclose(fp);
_tprintf(_T("\nCreated request: "));
WriteConsole(hndl, m_RequestFile, wcslen(m_RequestFile), &bytesWritten, 0);
retFunc = SUCCESS;
}
catch (...)
{
if(pKey)
{
EVP_PKEY_free(pKey);
}
if(pSubj)
{
X509_NAME_free(pSubj);
}
if(pReq)
{
X509_REQ_free(pReq);
}
SYMBIAN_FREE_MEM(pEntPack);
}
return retFunc;
}
void LFNetConfigLoader::retrieveConfig()
{
this->notifyStatus("Loading OpenSSL stuff ...");
OpenSSL_add_all_algorithms();
ERR_load_BIO_strings();
ERR_load_crypto_strings();
this->notifyStatus("Generating private key ...");
BIGNUM* e = BN_new();
BN_set_word(e, RSA_F4);
RSA* key = RSA_new();
RSA_generate_key_ex(key, 4096, e, NULL);
this->notifyStatus("Saving private key ...");
BIO* privateKey = BIO_new_file((_configLocation + "/private.key").toLocal8Bit().data(), "w");
PEM_write_bio_RSAPrivateKey(privateKey, key, NULL, NULL, 0, NULL, NULL);
BIO_free(privateKey);
this->notifyStatus("Generating csr ...");
EVP_PKEY* pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, key);
X509_NAME* name = X509_NAME_new();
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_UTF8, (unsigned char*)"LF-Net", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, (unsigned char*)"VPN", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (unsigned char*)(_username.toUpper() + "_" + _computerName.toUpper()).toUtf8().data(), -1, -1, 0);
X509_REQ* req = X509_REQ_new();
X509_REQ_set_pubkey(req, pkey);
X509_REQ_set_subject_name(req, name);
X509_REQ_set_version(req, 1);
X509_REQ_sign(req, pkey, EVP_sha512());
BIO* request = BIO_new(BIO_s_mem());
PEM_write_bio_X509_REQ(request, req);
BUF_MEM* requestData;
BIO_get_mem_ptr(request, &requestData);
this->notifyStatus("Request certificate using generated csr ...");
QNetworkAccessManager *mgr = new QNetworkAccessManager(this);
connect(mgr, SIGNAL(finished(QNetworkReply*)), this, SLOT(certificateRequestFinished(QNetworkReply*)));
connect(mgr, SIGNAL(authenticationRequired(QNetworkReply*,QAuthenticator*)), this, SLOT(authenticationRequired(QNetworkReply*,QAuthenticator*)));
QNetworkRequest netRequest(QUrl("https://mokoscha.lf-net.org/request_certificate"));
netRequest.setHeader(QNetworkRequest::ContentTypeHeader, "text/plain");
mgr->post(netRequest, QByteArray(requestData->data, requestData->length));
this->notifyStatus("Cleaning up temporary data ...");
BIO_free(request);
X509_REQ_free(req);
X509_NAME_free(name);
EVP_PKEY_free(pkey);
BN_free(e);
this->notifyStatus("Waiting for certificate ...");
}
int createCertificateRequest(char* result, char* keyToCertify, char * country, char* state, char* loc, char* organisation, char *organisationUnit, char* cname, char* email)
{
BIO *mem = BIO_new(BIO_s_mem());
X509_REQ *req=X509_REQ_new();
X509_NAME *nm = X509_NAME_new();
int err=0;
//fill in details
if (strlen(country) > 0) {
if(!(err = X509_NAME_add_entry_by_txt(nm,"C",
MBSTRING_UTF8, (unsigned char*)country, -1, -1, 0))) {
return err;
}
}
if (strlen(state) > 0) {
if(!(err = X509_NAME_add_entry_by_txt(nm,"ST",
MBSTRING_UTF8, (unsigned char*)state, -1, -1, 0))) {
return err;
}
}
if (strlen(loc) > 0) {
if(!(err = X509_NAME_add_entry_by_txt(nm,"L",
MBSTRING_UTF8, (unsigned char*)loc, -1, -1, 0))) {
return err;
}
}
if (strlen(organisation) > 0) {
if(!(err = X509_NAME_add_entry_by_txt(nm,"O",
MBSTRING_UTF8, (unsigned char*)organisation, -1, -1, 0))) {
return err;
}
}
if (strlen(organisationUnit) > 0) {
if(!(err = X509_NAME_add_entry_by_txt(nm,"OU",
MBSTRING_UTF8, (unsigned char*)organisationUnit, -1, -1, 0))) {
return err;
}
}
// This is mandatory to have, rest are optional
if(!(err = X509_NAME_add_entry_by_txt(nm,"CN", MBSTRING_UTF8, (unsigned char*) cname, -1, -1, 0))) {
return err;
}
if (strlen(email) > 0) {
if(!(err = X509_NAME_add_entry_by_txt(nm,"emailAddress",MBSTRING_UTF8, (unsigned char*)email, -1, -1, 0))) {
return err;
}
}
if(!(err = X509_REQ_set_subject_name(req, nm))) {
return err;
}
//Set the public key
//...convert PEM private key into a BIO
BIO* bmem = BIO_new_mem_buf(keyToCertify, -1);
if (!bmem) {
BIO_free(bmem);
return -3;
}
// read the private key into an EVP_PKEY structure
EVP_PKEY* privkey = PEM_read_bio_PrivateKey(bmem, NULL, NULL, NULL);
if (!privkey) {
BIO_free(bmem);
return -4;
}
if(!(err = X509_REQ_set_pubkey(req, privkey)))
{
BIO_free(bmem);
return err;
}
if(!(err = X509_REQ_set_version(req,3)))
{
BIO_free(bmem);
return err;
}
//write it to PEM format
if (!(err = PEM_write_bio_X509_REQ(mem, req))) {
BIO_free(mem);
BIO_free(bmem);
return err;
}
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(bmem);
BIO_free(mem);
return 0;
}
inline void certificate_request::set_subject(name _name) const
{
error::throw_error_if_not(X509_REQ_set_subject_name(ptr().get(), _name.raw()) != 0);
}
TokenError _backend_createRequest(const RegutilInfo *info,
const char *hostname,
const char *password,
char **request, size_t *reqlen) {
// OpenSSL seeds the PRNG automatically, see the manual page for RAND_add.
if (!RAND_status()) {
fprintf(stderr, BINNAME ": no random state!\n");
return TokenError_NoRandomState;
}
// Abort if there are no requests
*request = NULL;
if (!info->pkcs10) return TokenError_Unknown;
// Create certificate requests
bool ok = true;
CertReq *reqs = NULL;
STACK *x509reqs = sk_new_null();
for (const RegutilPKCS10 *pkcs10 = info->pkcs10; pkcs10 != NULL;
pkcs10 = pkcs10->next) {
RSA *rsa = NULL;
EVP_PKEY *privkey = NULL;
X509_NAME *subject = NULL;
X509_REQ *x509req = NULL;
STACK_OF(X509_EXTENSION) *exts = NULL;
// Check the parameters.
// Maximum key size in OpenSSL:
// http://www.mail-archive.com/[email protected]/msg58229.html
if (!pkcs10->subjectDN || pkcs10->keySize < 1024 ||
pkcs10->keySize > 16384)
goto req_error;
// Generate key pair
// FIXME deprecated function
// TODO use OPENSSL_NO_DEPRECATED
rsa = RSA_generate_key(pkcs10->keySize, RSA_F4, NULL, NULL);
if (!rsa) goto req_error;
privkey = EVP_PKEY_new();
if (!privkey) goto req_error;
EVP_PKEY_assign_RSA(privkey, rsa);
// Subject name
subject = certutil_parse_dn(pkcs10->subjectDN, pkcs10->includeFullDN);
if (!subject) goto req_error;
// Create request
x509req = X509_REQ_new();
if (!x509req ||
!X509_REQ_set_version(x509req, 0) ||
!X509_REQ_set_subject_name(x509req, subject) ||
!X509_REQ_set_pubkey(x509req, privkey)) { // yes this is correct(!)
certutil_updateErrorString();
goto req_error;
}
// Set attributes
exts = sk_X509_EXTENSION_new_null();
if (!exts) goto req_error;
X509_EXTENSION *ext = makeKeyUsageExt(pkcs10->keyUsage);
if (!ext || !sk_X509_EXTENSION_push(exts, ext))
goto req_error;
if (!X509_REQ_add_extensions(x509req, exts)) {
certutil_updateErrorString();
goto req_error;
}
exts = NULL;
// Add signature
if (!X509_REQ_sign(x509req, privkey, EVP_sha1())) {
certutil_updateErrorString();
goto req_error;
}
// Store in list
CertReq *req = malloc(sizeof(CertReq));
req->pkcs10 = pkcs10;
req->privkey = privkey;
req->rsa = rsa;
req->x509 = x509req;
req->next = reqs;
reqs = req;
sk_push(x509reqs, (char*)x509req);
continue;
req_error:
// Clean up and set error flag
if (privkey) EVP_PKEY_free(privkey);
else if (rsa) RSA_free(rsa);
X509_NAME_free(subject);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
X509_REQ_free(x509req);
ok = false;
}
TokenError error = TokenError_Unknown;
if (ok) {
// Determine filename from certificate name
char *filename = certutil_makeFilename(X509_REQ_get_subject_name(reqs->x509));
// Build the certificate request
request_wrap(x509reqs, request, reqlen);
if (*request && filename) {
// Create the key file in ~/cbt/name.p12
FILE *keyfile = platform_openLocked(filename, Platform_OpenCreate);
if (!keyfile) {
error = TokenError_CantCreateFile;
} else {
error = saveKeys(reqs, hostname, password, keyfile);
if (!platform_closeLocked(keyfile) && !error)
error = TokenError_CantCreateFile;
}
}
if (filename) free(filename);
if (error && *request) free(*request);
}
// Free reqs
while (reqs) {
RSA_free(reqs->rsa); // This free's privkey too
X509_REQ_free(reqs->x509);
CertReq *next = reqs->next;
free(reqs);
reqs = next;
}
sk_free(x509reqs);
return error;
}
wi_x509_t * wi_x509_init_with_common_name(wi_x509_t *x509, wi_rsa_t *rsa, wi_string_t *common_name) {
X509_REQ *req;
EVP_PKEY *pkey = NULL;
X509_NAME *name = NULL;
BIGNUM *bn = NULL;
req = X509_REQ_new();
if(!req)
goto err;
if(X509_REQ_set_version(req, 0) != 1)
goto err;
name = X509_NAME_new();
if(X509_NAME_add_entry_by_NID(name,
NID_commonName,
MBSTRING_ASC,
(unsigned char *) wi_string_cstring(common_name),
-1,
-1,
0) != 1)
goto err;
if(X509_REQ_set_subject_name(req, name) != 1)
goto err;
pkey = EVP_PKEY_new();
EVP_PKEY_set1_RSA(pkey, wi_rsa_rsa(rsa));
if(X509_REQ_set_pubkey(req, pkey) != 1)
goto err;
x509->x509 = X509_new();
if(!x509->x509)
goto err;
bn = BN_new();
if(!bn)
goto err;
if(BN_pseudo_rand(bn, 64, 0, 0) != 1)
goto err;
if(!BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(x509->x509)))
goto err;
if(X509_set_issuer_name(x509->x509, X509_REQ_get_subject_name(req)) != 1)
goto err;
if(!X509_gmtime_adj(X509_get_notBefore(x509->x509), 0))
goto err;
if(!X509_gmtime_adj(X509_get_notAfter(x509->x509), 3600 * 24 * 365))
goto err;
if(X509_set_subject_name(x509->x509, X509_REQ_get_subject_name(req)) != 1)
goto end;
if(X509_set_pubkey(x509->x509, pkey) != 1)
goto err;
if(X509_sign(x509->x509, pkey, EVP_sha1()) == 0)
goto err;
goto end;
err:
wi_error_set_openssl_error();
wi_release(x509);
x509 = NULL;
end:
if(req)
X509_REQ_free(req);
if(pkey)
EVP_PKEY_free(pkey);
if(name)
X509_NAME_free(name);
if(bn)
BN_free(bn);
return x509;
}
// reads the request req_filename and creates a modified creq_filename with the commitment extension added
void writeCommitmentCSR(BIGNUM *commitment_c, char *privkey_filename, char *req_filename, char *creq_filename) {
FILE *fp;
/* read in the request */
X509_REQ *req;
if (!(fp = fopen(req_filename, "r")))
critical_error("Error reading request file");
if (!(req = PEM_read_X509_REQ(fp, NULL, NULL, NULL)))
critical_error("Error reading request in file");
fclose(fp);
/* read in the private key */
EVP_PKEY *pkey;
if (!(fp = fopen(privkey_filename, "r")))
critical_error("Error reading private key file");
if (!(pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)))
critical_error("Error reading private key in file");
fclose(fp);
/* create the new request */
X509_REQ *creq;
if (!(creq = X509_REQ_new()))
critical_error("Failed to create X509_REQ object");
X509_REQ_set_pubkey(creq, pkey);
// gets subj from initial requests and adds it to new one
X509_NAME *subj = X509_REQ_get_subject_name(req);
if (X509_REQ_set_subject_name(creq, subj) != 1)
critical_error("Error adding subject to request");
// enable the commitment extension handling (retrieve/print as string)
int nid = _commitmentExt_start();
// get extensions stack of original request
STACK_OF(X509_EXTENSION) *extlist = X509_REQ_get_extensions(req);
// if no extensions, create new stack
if (extlist==NULL) {
extlist = sk_X509_EXTENSION_new_null();
} else { // else check that the extension isn't already there (error!)
X509_EXTENSION *tmp = (X509_EXTENSION*) X509V3_get_d2i(extlist, nid, NULL, NULL);
if (tmp!=NULL)
critical_error("Aborting process: CSR already contains commitment extension!\n");
}
// create commitment extension storing C value as a hex string
X509_EXTENSION *exCommitment = (X509_EXTENSION*) X509V3_EXT_conf_nid(NULL, NULL, nid, BN_bn2hex(commitment_c));
if (!exCommitment)
critical_error("error creating commitment extension");
// push commitment extension into stack
sk_X509_EXTENSION_push(extlist, exCommitment);
// assign extensions to the new request
if (!X509_REQ_add_extensions(creq, extlist))
critical_error("Error adding extensions to the request");
sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
/////////////////////////////////////////////////////////////////////
/* pick the correct digest and sign the new request */
EVP_MD *digest;
if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
digest = (EVP_MD*) EVP_dss1();
else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA)
digest = (EVP_MD*) EVP_sha1();
else
critical_error("Error checking public key for a valid digest");
if (!(X509_REQ_sign(creq, pkey, digest)))
critical_error("Error signing request");
/* write the modified request */
if (!(fp = fopen(creq_filename, "w")))
critical_error("Error writing to request file");
if (PEM_write_X509_REQ(fp, creq) != 1)
critical_error("Error while writing request");
fclose(fp);
// cleanup
_commitmentExt_end();
EVP_PKEY_free(pkey);
X509_REQ_free(req);
X509_REQ_free(creq);
}
LWS_VISIBLE LWS_EXTERN int
lws_tls_acme_sni_csr_create(struct lws_context *context, const char *elements[],
uint8_t *csr, size_t csr_len, char **privkey_pem,
size_t *privkey_len)
{
uint8_t *csr_in = csr;
RSA *rsakey;
X509_REQ *req;
X509_NAME *subj;
EVP_PKEY *pkey;
char *p, *end;
BIO *bio;
long bio_len;
int n, ret = -1;
if (lws_tls_openssl_rsa_new_key(&rsakey, 4096))
return -1;
pkey = EVP_PKEY_new();
if (!pkey)
goto bail0;
if (!EVP_PKEY_set1_RSA(pkey, rsakey))
goto bail1;
req = X509_REQ_new();
if (!req)
goto bail1;
X509_REQ_set_pubkey(req, pkey);
subj = X509_NAME_new();
if (!subj)
goto bail2;
for (n = 0; n < LWS_TLS_REQ_ELEMENT_COUNT; n++)
if (lws_tls_openssl_add_nid(subj, nid_list[n], elements[n])) {
lwsl_notice("%s: failed to add element %d\n", __func__,
n);
goto bail3;
}
if (X509_REQ_set_subject_name(req, subj) != 1)
goto bail3;
if (!X509_REQ_sign(req, pkey, EVP_sha256()))
goto bail3;
/*
* issue the CSR as PEM to a BIO, and translate to b64urlenc without
* headers, trailers, or whitespace
*/
bio = BIO_new(BIO_s_mem());
if (!bio)
goto bail3;
if (PEM_write_bio_X509_REQ(bio, req) != 1) {
BIO_free(bio);
goto bail3;
}
bio_len = BIO_get_mem_data(bio, &p);
end = p + bio_len;
/* strip the header line */
while (p < end && *p != '\n')
p++;
while (p < end && csr_len) {
if (*p == '\n') {
p++;
continue;
}
if (*p == '-')
break;
if (*p == '+')
*csr++ = '-';
else
if (*p == '/')
*csr++ = '_';
else
*csr++ = *p;
p++;
csr_len--;
}
BIO_free(bio);
if (!csr_len) {
lwsl_notice("%s: need %ld for CSR\n", __func__, bio_len);
goto bail3;
}
/*
* Also return the private key as a PEM in memory
* (platform may not have a filesystem)
*/
bio = BIO_new(BIO_s_mem());
if (!bio)
goto bail3;
if (PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, 0, NULL) != 1) {
BIO_free(bio);
goto bail3;
}
bio_len = BIO_get_mem_data(bio, &p);
*privkey_pem = malloc(bio_len); /* malloc so user code can own / free */
*privkey_len = (size_t)bio_len;
if (!*privkey_pem) {
lwsl_notice("%s: need %ld for private key\n", __func__,
bio_len);
BIO_free(bio);
goto bail3;
}
memcpy(*privkey_pem, p, (int)(long long)bio_len);
BIO_free(bio);
ret = lws_ptr_diff(csr, csr_in);
bail3:
X509_NAME_free(subj);
bail2:
X509_REQ_free(req);
bail1:
EVP_PKEY_free(pkey);
bail0:
RSA_free(rsakey);
return ret;
}
void pki_x509req::setSubject(const x509name &n)
{
X509_REQ_set_subject_name(request, n.get());
}
