/** Generate a new certificate for our loaded or generated keys, and write it
* to disk. Return 0 on success, nonzero on failure. */
static int
generate_certificate(void)
{
char buf[8192];
time_t now = time(NULL);
struct tm tm;
char published[ISO_TIME_LEN+1];
char expires[ISO_TIME_LEN+1];
char fingerprint[FINGERPRINT_LEN+1];
char *ident = key_to_string(identity_key);
char *signing = key_to_string(signing_key);
FILE *f;
size_t signed_len;
char digest[DIGEST_LEN];
char signature[1024]; /* handles up to 8192-bit keys. */
int r;
get_fingerprint(identity_key, fingerprint);
tor_localtime_r(&now, &tm);
tm.tm_mon += months_lifetime;
format_iso_time(published, now);
format_iso_time(expires, mktime(&tm));
tor_snprintf(buf, sizeof(buf),
"dir-key-certificate-version 3"
"%s%s"
"\nfingerprint %s\n"
"dir-key-published %s\n"
"dir-key-expires %s\n"
"dir-identity-key\n%s"
"dir-signing-key\n%s"
"dir-key-certification\n",
address?"\ndir-address ":"", address?address:"",
fingerprint, published, expires, ident, signing);
tor_free(ident);
tor_free(signing);
signed_len = strlen(buf);
SHA1((const unsigned char*)buf,signed_len,(unsigned char*)digest);
r = RSA_private_encrypt(DIGEST_LEN, (unsigned char*)digest,
(unsigned char*)signature,
EVP_PKEY_get1_RSA(identity_key),
RSA_PKCS1_PADDING);
strlcat(buf, "-----BEGIN SIGNATURE-----\n", sizeof(buf));
signed_len = strlen(buf);
base64_encode(buf+signed_len, sizeof(buf)-signed_len, signature, r);
strlcat(buf, "-----END SIGNATURE-----\n", sizeof(buf));
if (!(f = fopen(certificate_file, "w"))) {
log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
certificate_file, strerror(errno));
return 1;
}
fputs(buf, f);
fclose(f);
return 0;
}
void definition_cache::add(environment const & env, name const & n, expr const & pre_type, expr const & pre_value,
level_param_names const & ls, expr const & type, expr const & value, bool is_trusted) {
dependencies deps;
collect_dependencies(env, type, deps);
collect_dependencies(env, value, deps);
uint64 fingerprint = get_fingerprint(env);
lock_guard<mutex> lc(m_mutex);
add_core(n, pre_type, pre_value, ls, type, value, deps, fingerprint, is_trusted);
}
static void ssl_manager_load_certs (void)
{
GDir *dir;
const gchar *d;
GError *error = NULL;
gchar *path;
int row = 0;
GtkListStore *store;
store = GTK_LIST_STORE(gtk_tree_view_get_model
(GTK_TREE_VIEW(manager.certlist)));
gtk_list_store_clear(store);
path = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S,
"certs", G_DIR_SEPARATOR_S, NULL);
if((dir = g_dir_open(path, 0, &error)) == NULL) {
debug_print("couldn't open dir '%s': %s (%d)\n", path,
error->message, error->code);
g_error_free(error);
return;
}
while ((d = g_dir_read_name(dir)) != NULL) {
gchar *server = NULL, *port = NULL, *fp = NULL;
SSLCertificate *cert;
if(strstr(d, ".cert") != d + (strlen(d) - strlen(".cert")))
continue;
get_serverport(d, &server, &port);
fp = get_fingerprint(d);
if (server != NULL && port != NULL) {
gint portnum = atoi(port);
if (portnum > 0 && portnum <= 65535) {
cert = ssl_certificate_find(server, portnum, fp);
ssl_manager_list_view_insert_cert(manager.certlist, NULL,
server, port, cert);
}
}
g_free(server);
g_free(port);
g_free(fp);
row++;
}
g_dir_close(dir);
g_free(path);
}
static void ssl_manager_load_certs (void)
{
DIR *dir;
struct dirent *d;
gchar *path;
int row = 0;
GtkListStore *store;
store = GTK_LIST_STORE(gtk_tree_view_get_model
(GTK_TREE_VIEW(manager.certlist)));
gtk_list_store_clear(store);
path = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S,
"certs", G_DIR_SEPARATOR_S, NULL);
if((dir = opendir(path)) == NULL) {
perror("opendir");
return;
}
while ((d = readdir(dir)) != NULL) {
gchar *server, *port, *fp;
SSLCertificate *cert;
if(!strstr(d->d_name, ".cert"))
continue;
server = get_server(d->d_name);
port = get_port(d->d_name);
fp = get_fingerprint(d->d_name);
cert = ssl_certificate_find(server, atoi(port), fp);
ssl_manager_list_view_insert_cert(manager.certlist, NULL,
server, port, cert);
g_free(server);
g_free(port);
g_free(fp);
row++;
}
closedir(dir);
g_free(path);
}
optional<std::tuple<level_param_names, expr, expr>>
definition_cache::find(environment const & env, name const & n, expr const & pre_type, expr const & pre_value, bool is_trusted) {
entry e;
{
lock_guard<mutex> lc(m_mutex);
if (auto it = m_definitions.find(n)) {
e = *it;
} else {
return optional<std::tuple<level_param_names, expr, expr>>();
}
}
level_param_names ls;
if (e.m_is_trusted == is_trusted &&
expr_eq_modulo_placeholders_fn()(e.m_pre_type, pre_type) &&
expr_eq_modulo_placeholders_fn()(e.m_pre_value, pre_value) &&
get_fingerprint(env) == e.m_fingerprint &&
check_dependencies(env, e.m_dependencies)) {
return some(std::make_tuple(e.m_params, e.m_type, e.m_value));
} else {
return optional<std::tuple<level_param_names, expr, expr>>();
}
}
/* We have parsed a 'certif:' attribute from a 'key-cert' object.
* Now perform the check to make sure the hexid specified in the
* 'key-cert:' attribute matches the hexid from the 'certif:'
* attribute. We perform this check (and others) by adding the
* 'certif:' attribute/PGP key block to a temp ring and parsing
* the output from PGP. Additionally, we check the following:
*
* 1. make sure there is only 1 hexid in the key
* 2. make sure there is at least 1 owner/uid specified
* 3. make sure we get a 'Successful' return string from PGP
* 4. call get_fingerprint () to get the key fingerprint
* which checks to make sure there is only 1 fingerprint
*
* Return:
*
* file name of key certificate file if there were no errors found
* - the file can then be used to easily add the PGP key to the
* local ring
* - the key fingerprint and owner(s)/uid(s) are saved to be
* used for the corresponding 'key-cert' auto-generated fields
* NULL otherwise
*/
char *hexid_check (parse_info_t *o) {
#ifdef PGP
char pgpinfn[256], tmp_pgp_dir[256], ebuf[1024];
FILE *pgpin;
char_list_t *p;
pgp_data_t pdat;
int pgp_errors = 0, fd;
#endif
/* If we don't have PGP installed then there is nothing to do. */
#ifndef PGP
error_msg_queue (o, "PGP is not installed on the system. Cannot perform operation.", ERROR_MSG);
return NULL;
#else
/* make a tmp directory for the pgp rings */
umask (0022);
strcpy (tmp_pgp_dir, "/var/tmp/pgp.XXXXXX");
if (mkdtemp (tmp_pgp_dir) == NULL) {
error_msg_queue (o, "Internal error. Couldn't create temp directory for PGP\n", ERROR_MSG);
return NULL;
}
/* create a file and put the key certificate into it */
strcpy (pgpinfn, "/var/tmp/irrsyntax.XXXXXX");
fd = mkstemp (pgpinfn);
if ((pgpin = fdopen (fd, "w")) == NULL) {
error_msg_queue (o,
"Internal error. Could not check 'key-cert:' temp file creation error", ERROR_MSG);
goto pgp_errors_jump;
}
fwrite (o->u.kc.certif, sizeof (char), strlen (o->u.kc.certif), pgpin);
fclose (pgpin);
/* add the certificate to a temp ring */
if (!pgp_add (default_trace, tmp_pgp_dir, pgpinfn, &pdat)) {
error_msg_queue (o, "Couldn't add key-cert to ring. Didn't get successful reply from PGP", ERROR_MSG);
goto pgp_errors_jump;
}
/* certificate checks */
/* do we have more than 1 hex ID? */
if (pdat.hex_cnt > 1) {
error_msg_queue (o, "Too many public keys in certificate", ERROR_MSG);
pgp_errors = 1;
}
/* does the hex ID of the 'key-cert' attr match the certificate hex ID ? */
else if (strcmp (pdat.hex_first->key, o->u.kc.kchexid)) {
snprintf (ebuf, 1024, "Hex-ID mistmatch: 'key-cert:' (%s) 'certif:' (%s)\n",
o->u.kc.kchexid, pdat.hex_first->key);
error_msg_queue (o, ebuf, ERROR_MSG);
pgp_errors = 1;
}
/* owner check */
else if (pdat.owner_first == NULL) {
error_msg_queue (o, "No uid's/owners found in certificate", ERROR_MSG);
pgp_errors = 1;
}
/* grab all the owners */
else {
o->u.kc.owner_count = pdat.owner_cnt;
for (p = pdat.owner_first; p != NULL; p = p->next)
o->u.kc.owner = my_concat (o->u.kc.owner, p->key, 0);
}
/* get the key fingerprint */
if (!pgp_errors &&
!get_fingerprint (o, tmp_pgp_dir, &pdat))
pgp_errors = 1;
if (o->u.kc.owner != NULL)
if (verbose) fprintf (dfile,
"owner count (%d) owner (%s)\n", o->u.kc.owner_count, o->u.kc.owner);
if (o->u.kc.fingerpr != NULL)
if (verbose) fprintf (dfile, "fingerpr (%s)\n", o->u.kc.fingerpr);
/* end debug */
/* clean up */
pgp_free (&pdat);
/* if we have errors then we won't need the key file */
if (pgp_errors) {
pgp_errors_jump:
rm_tmpdir (tmp_pgp_dir); /* can get rid of temporary directory */
remove (pgpinfn);
return NULL;
}
rm_tmpdir (tmp_pgp_dir); /* can get rid of temporary directory */
/* leave pgp key for possible addition to local ring */
return strdup (pgpinfn);
#endif
}
void
output_cert_info(X509 *cert, gf_io_t pc)
{
char buf[256];
STORE_S *left,*right;
gf_io_t spc;
int len;
left = so_get(CharStar, NULL, EDIT_ACCESS);
right = so_get(CharStar, NULL, EDIT_ACCESS);
if(!(left && right))
return;
gf_set_so_writec(&spc, left);
if(!cert->cert_info){
gf_puts("Couldn't find certificate info.", spc);
gf_puts(NEWLINE, spc);
}
else{
gf_puts_uline("Subject (whose certificate it is)", spc);
gf_puts(NEWLINE, spc);
output_X509_NAME(cert->cert_info->subject, spc);
gf_puts(NEWLINE, spc);
gf_puts_uline("Serial Number", spc);
gf_puts(NEWLINE, spc);
snprintf(buf, sizeof(buf), "%ld", ASN1_INTEGER_get(cert->cert_info->serialNumber));
gf_puts(buf, spc);
gf_puts(NEWLINE, spc);
gf_puts(NEWLINE, spc);
gf_puts_uline("Validity", spc);
gf_puts(NEWLINE, spc);
{
BIO *mb = BIO_new(BIO_s_mem());
char iobuf[4096];
gf_puts("Not Before: ", spc);
(void) BIO_reset(mb);
ASN1_UTCTIME_print(mb, cert->cert_info->validity->notBefore);
(void) BIO_flush(mb);
while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0)
gf_nputs(iobuf, len, spc);
gf_puts(NEWLINE, spc);
gf_puts("Not After: ", spc);
(void) BIO_reset(mb);
ASN1_UTCTIME_print(mb, cert->cert_info->validity->notAfter);
(void) BIO_flush(mb);
while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0)
gf_nputs(iobuf, len, spc);
gf_puts(NEWLINE, spc);
gf_puts(NEWLINE, spc);
BIO_free(mb);
}
}
gf_clear_so_writec(left);
gf_set_so_writec(&spc, right);
if(!cert->cert_info){
gf_puts(_("Couldn't find certificate info."), spc);
gf_puts(NEWLINE, spc);
}
else{
gf_puts_uline("Issuer", spc);
gf_puts(NEWLINE, spc);
output_X509_NAME(cert->cert_info->issuer, spc);
gf_puts(NEWLINE, spc);
}
gf_clear_so_writec(right);
side_by_side(left, right, pc);
gf_puts_uline("SHA1 Fingerprint", pc);
gf_puts(NEWLINE, pc);
get_fingerprint(cert, EVP_sha1(), buf, sizeof(buf));
gf_puts(buf, pc);
gf_puts(NEWLINE, pc);
gf_puts_uline("MD5 Fingerprint", pc);
gf_puts(NEWLINE, pc);
get_fingerprint(cert, EVP_md5(), buf, sizeof(buf));
gf_puts(buf, pc);
gf_puts(NEWLINE, pc);
so_give(&left);
so_give(&right);
}
