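/*
 * Load the certificate stored in `file` and, unless `batch_mode` is set,
 * print its subject, issuer and SHA1 fingerprint through sxi_info().
 *
 * Returns 0 on success and -1 when the certificate cannot be loaded
 * (load_cert_file() is expected to have recorded the error on `sx`).
 * The PK11 context is released on every path.
 */
int sxi_vcrypt_print_cert_info(sxc_client_t *sx, const char *file, int batch_mode)
{
    struct PK11_ctx ctx;
    CERTCertificate *cert = load_cert_file(sx, file, &ctx);

    if(!cert) {
        free_PK11_ctx(&ctx);
        return -1;
    }

    /* cert is known non-NULL here; only batch_mode decides whether to print */
    if(!batch_mode) {
        char *subject = CERT_NameToAscii(&cert->subject);
        char *issuer = CERT_NameToAscii(&cert->issuer);
        struct sxi_fmt fmt;
        char hash[SXI_SHA1_TEXT_LEN+1];

        sxi_fmt_start(&fmt);
        /* CERT_NameToAscii() can fail and return NULL; never hand NULL to %s */
        sxi_fmt_msg(&fmt, "\tSubject: %s\n", subject ? subject : "(unknown)");
        sxi_fmt_msg(&fmt, "\tIssuer: %s\n", issuer ? issuer : "(unknown)");
        /* fingerprint of the DER encoding; printed only when the hash succeeded,
         * so `hash` is never read uninitialized */
        if(!sxi_conns_hashcalc_core(sx, NULL, 0,
                                    cert->derCert.data,
                                    cert->derCert.len, hash)) {
            sxi_fmt_msg(&fmt, "\tSHA1 Fingerprint: %s\n", hash);
        }
        sxi_info(sx, "%s", fmt.buf);
        /* PR_Free(NULL) is harmless; the common name was previously fetched and
         * freed without ever being used, so that allocation is dropped */
        PR_Free(subject);
        PR_Free(issuer);
    }

    CERT_DestroyCertificate(cert);
    free_PK11_ctx(&ctx);
    return 0;
}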
/*
 * Resolve a certificate reference to an X509 object.
 *
 * A "pkcs11:" URI is handed to load_cert_pkcs11(); any other name is
 * treated as a file path for load_cert_file(). Errors are reported via
 * `error` by whichever loader runs. A NULL `name` is rejected up front
 * and yields NULL.
 */
static X509 *load_cert(const gchar *name, GError **error)
{
	g_return_val_if_fail(name != NULL, NULL);

	const gboolean via_pkcs11 = g_str_has_prefix(name, "pkcs11:");

	return via_pkcs11 ? load_cert_pkcs11(name, error)
	                  : load_cert_file(name, error);
}
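/*
 * Compute the SHA1 fingerprint of the DER encoding of the certificate in `file`.
 *
 * `hash` receives the binary digest (presumably at least SXI_SHA1_BIN_LEN bytes,
 * since that is the length reported through `len`). `len` is optional and is
 * only written on success.
 *
 * Returns 0 on success, -1 if the certificate cannot be loaded or the digest
 * fails (the latter sets SXE_ECRYPT on `sx`). All NSS resources are released
 * through a single cleanup path so no exit can leak the certificate or context.
 */
int sxi_vcrypt_get_cert_fingerprint(sxc_client_t *sx, const char *file, uint8_t *hash, unsigned int *len) {
    struct PK11_ctx ctx;
    int rc = -1;
    CERTCertificate *cert = load_cert_file(sx, file, &ctx);

    if(!cert)
        goto out;

    if(sxi_sha1_calc(NULL, 0, cert->derCert.data, cert->derCert.len, hash)) {
        sxi_seterr(sx, SXE_ECRYPT, "Failed to compute ca fingerprint");
        goto out_cert;
    }

    if(len)
        *len = SXI_SHA1_BIN_LEN;
    rc = 0;

out_cert:
    CERT_DestroyCertificate(cert);
out:
    /* the context is initialised by load_cert_file() even when it fails,
     * matching the original behaviour of freeing it on every path */
    free_PK11_ctx(&ctx);
    return rc;
}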
/*
 * Install the authentication material for one service section.
 *
 * Registers the PSK callbacks when PSK keys are configured, then loads the
 * certificate and private key -- from the engine first when one is set,
 * falling back to files for whichever the engine did not supply -- and
 * finally checks that the key matches the certificate.
 *
 * Returns 0 on success (including the case where no cert/key is configured)
 * and 1 on any failure.
 */
NOEXPORT int auth_init(SERVICE_OPTIONS *section) {
    /* both come from files unless an engine reports it supplied them */
    int need_cert=1, need_key=1;

#ifndef OPENSSL_NO_PSK
    if(section->psk_keys) {
        if(section->option.client)
            SSL_CTX_set_psk_client_callback(section->ctx, psk_client_callback);
        else
            SSL_CTX_set_psk_server_callback(section->ctx, psk_server_callback);
    }
#endif /* !defined(OPENSSL_NO_PSK) */

    /* nothing to load: not an error for this section */
    if(!section->cert || !section->key) {
        s_log(LOG_DEBUG, "No certificate or private key specified");
        return 0; /* OK */
    }
#ifndef OPENSSL_NO_ENGINE
    if(section->engine) {
        /* the engine loaders return 0 when they took over the item */
        need_cert=load_cert_engine(section);
        need_key=load_key_engine(section);
    }
#endif
    /* short-circuit keeps the original order: key is not attempted once the cert failed */
    if((need_cert && load_cert_file(section)) || (need_key && load_key_file(section)))
        return 1; /* FAILED */

    /* refuse a key that does not belong to the certificate */
    if(!SSL_CTX_check_private_key(section->ctx)) {
        sslerror("Private key does not match the certificate");
        return 1; /* FAILED */
    }
    s_log(LOG_DEBUG, "Private key check succeeded");
    return 0; /* OK */
}
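/*
 * Entry point: parse options, load the manufacturer-signed device certificate,
 * derive the EUI-64 from it, then bring up 6LoWPAN on each interface named on
 * the command line and send a neighbor solicitation on it.
 *
 * Exit codes (kept from the original): 10 when the certificate cannot be loaded
 * or an interface is missing, 11 when no EUI-64 can be extracted, 16 when
 * --fake is not the first option, 0 on success.
 */
int main(int argc, char *argv[])
{
  int verbose = 0;
  bool fakesend=false;
  bool initted =false;
  int c;
  const char *micpemfile = "/boot/mic.pem";
  const char *micprivfile= "/boot/mic.priv";
  const char *manufact_ca= "/boot/manufacturer.pem";
  mbedtls_x509_crt *bootstrap_cert = NULL;
  class rpl_debug *deb;
  char eui64buf[64];
  unsigned char eui64[8];

  struct option longoptions[]={
    {"help",     0, NULL, '?'},
    {"fake",     0, NULL, 'T'},
    {"mic",      1, NULL, 'm'},
    {"privmic",  1, NULL, 'M'},
    {"manuca",   1, NULL, 'R'},
    {"verbose",  0, NULL, 'v'},
    {0,0,0,0},
  };

  deb = new rpl_debug(verbose, stderr);

  /* "--fake" maps to 'T' above, so the short option must be 'T' as well; the
   * previous string listed 'F', which no case handled, so neither -F nor -T
   * ever enabled fake mode. */
  while((c=getopt_long(argc, argv, "?hm:vTM:R:V", longoptions, NULL))!=EOF){
    switch(c) {
    case 'T':
      /* fake mode swaps the interface backend, so it must precede every other option */
      if(initted) {
        fprintf(stderr, "--fake MUST be first argument\n");
        exit(16);
      }
      fakesend=true;
      break;

    case 'v':
      verbose++;
      deb->set_verbose(stderr);
      break;

    case 'V':
      fprintf(stderr, "Version: 1.0\n");
      usage();
      break;

    case 'm':
      micpemfile = strdup(optarg);
      break;

    case 'R':
      manufact_ca = strdup(optarg);
      break;

    case 'M':
      micprivfile= strdup(optarg);
      break;

    case '?':
    case 'h':
    default:
      usage();
      break;

    }
    initted = true;
  }

  if(fakesend) {
    pcap_network_interface::scan_devices(deb, false);
  } else {
    network_interface::scan_devices(deb, false);
  }

  /* open the certificate file */
  if((bootstrap_cert = load_cert_file( manufact_ca, micpemfile))==NULL) {
    exit(10);
  }

  /* extract EUI-64 from certificate */
  unsigned int eui64len = extract_eui64_from_cert(eui64, eui64buf, sizeof(eui64buf), bootstrap_cert);
  /* The old test was `!eui64len == -1`, which compares 0/1 with -1 and can
   * never be true, so a failed extraction was passed on to setup_lowpan().
   * Treat the -1 failure value (presumably what the extractor returns -- confirm
   * against its definition) and any length that would overrun eui64[] as fatal. */
  if(eui64len == (unsigned int)-1 || eui64len > sizeof(eui64)) {
    exit(11);
  }

  device_identity *di = new device_identity();

  for(int ifnum = optind; ifnum < argc; ifnum++) {
    class pcap_network_interface *iface = NULL;
    const char *ifname = argv[ifnum];
    iface = (pcap_network_interface *)pcap_network_interface::find_by_name(ifname);

    if(iface == NULL) {
      /* diagnostics belong on stderr, and the message lacked its newline */
      fprintf(stderr, "no such interface: %s\n", ifname);
      exit(10);
    }
    iface->setup_lowpan(eui64, eui64len);

    /* now send a neighbor solicitation and then start the coap server */
    iface->send_ns(*di);
  }

  mbedtls_x509_crt_free( bootstrap_cert );

  exit(0);
}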