int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
{
EVP_PKEY *pkey;
int ret;
if (rsa == NULL)
{
SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_PASSED_NULL_PARAMETER);
return(0);
}
if (!ssl_cert_inst(&ssl->cert))
{
SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_MALLOC_FAILURE);
return(0);
}
if ((pkey=EVP_PKEY_new()) == NULL)
{
SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY,ERR_R_EVP_LIB);
return(0);
}
RSA_up_ref(rsa);
EVP_PKEY_assign_RSA(pkey,rsa);
ret=ssl_set_pkey(ssl->cert,pkey);
EVP_PKEY_free(pkey);
return(ret);
}
static int generate_rsa_keypair(EVP_PKEY* pkey, const keymaster_rsa_keygen_params_t* rsa_params) {
Unique_BIGNUM bn(BN_new());
if (bn.get() == NULL) {
logOpenSSLError("generate_rsa_keypair");
return -1;
}
if (BN_set_word(bn.get(), rsa_params->public_exponent) == 0) {
logOpenSSLError("generate_rsa_keypair");
return -1;
}
/* initialize RSA */
Unique_RSA rsa(RSA_new());
if (rsa.get() == NULL) {
logOpenSSLError("generate_rsa_keypair");
return -1;
}
if (!RSA_generate_key_ex(rsa.get(), rsa_params->modulus_size, bn.get(), NULL) ||
RSA_check_key(rsa.get()) < 0) {
logOpenSSLError("generate_rsa_keypair");
return -1;
}
if (EVP_PKEY_assign_RSA(pkey, rsa.get()) == 0) {
logOpenSSLError("generate_rsa_keypair");
return -1;
}
release_because_ownership_transferred(rsa);
return 0;
}
EVP_PKEY* AuthorityCertificateManager::buildKeysForClient() {
RSA *rsaKeyPair = RSA_generate_key(1024, RSA_F4, NULL, NULL);
EVP_PKEY *rsaKeyPairSpec = EVP_PKEY_new();
EVP_PKEY_assign_RSA(rsaKeyPairSpec, rsaKeyPair);
return rsaKeyPairSpec;
}
int
EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
{
int ret = EVP_PKEY_assign_RSA(pkey, key);
if (ret)
RSA_up_ref(key);
return ret;
}
static int openssl_generate_keypair(const keymaster_device_t* dev,
const keymaster_keypair_t key_type, const void* key_params,
uint8_t** keyBlob, size_t* keyBlobLength) {
ssize_t privateLen, publicLen;
if (key_type != TYPE_RSA) {
ALOGW("Unsupported key type %d", key_type);
return -1;
} else if (key_params == NULL) {
ALOGW("key_params == null");
return -1;
}
keymaster_rsa_keygen_params_t* rsa_params = (keymaster_rsa_keygen_params_t*) key_params;
Unique_BIGNUM bn(BN_new());
if (bn.get() == NULL) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
if (BN_set_word(bn.get(), rsa_params->public_exponent) == 0) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
/* initialize RSA */
Unique_RSA rsa(RSA_new());
if (rsa.get() == NULL) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
if (!RSA_generate_key_ex(rsa.get(), rsa_params->modulus_size, bn.get(), NULL)
|| RSA_check_key(rsa.get()) < 0) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
/* assign to EVP */
Unique_EVP_PKEY pkey(EVP_PKEY_new());
if (pkey.get() == NULL) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
if (EVP_PKEY_assign_RSA(pkey.get(), rsa.get()) == 0) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
OWNERSHIP_TRANSFERRED(rsa);
if (wrap_key(pkey.get(), EVP_PKEY_RSA, keyBlob, keyBlobLength)) {
return -1;
}
return 0;
}
/*
* Generate and store a private key on the token
* FIXME: We should check first whether the token supports
* on-board key generation, and if it does, use its own algorithm
*/
int pkcs11_generate_key(PKCS11_TOKEN *token, int algorithm, unsigned int bits,
char *label, unsigned char* id, size_t id_len)
{
PKCS11_KEY *key_obj;
EVP_PKEY *pk;
RSA *rsa;
BIO *err;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
BIGNUM *exp = NULL;
BN_GENCB *gencb = NULL;
#endif
int rc;
if (algorithm != EVP_PKEY_RSA) {
PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_NOT_SUPPORTED);
return -1;
}
err = BIO_new_fp(stderr, BIO_NOCLOSE);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
exp = BN_new();
rsa = RSA_new();
gencb = BN_GENCB_new();
if (gencb)
BN_GENCB_set(gencb, NULL, err);
if ( rsa == NULL || exp == NULL || gencb == NULL
|| !BN_set_word(exp, RSA_F4) || !RSA_generate_key_ex(rsa, bits, exp, gencb)) {
RSA_free(rsa);
}
BN_GENCB_free(gencb);
BN_free(exp);
#else
rsa = RSA_generate_key(bits, RSA_F4, NULL, err);
#endif
BIO_free(err);
if (rsa == NULL) {
PKCS11err(PKCS11_F_PKCS11_GENERATE_KEY, PKCS11_KEYGEN_FAILED);
return -1;
}
pk = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pk, rsa);
rc = pkcs11_store_key(token, pk, CKO_PRIVATE_KEY,
label, id, id_len, &key_obj);
if (rc == 0) {
PKCS11_KEY_private *kpriv;
kpriv = PRIVKEY(key_obj);
rc = pkcs11_store_key(token, pk, CKO_PUBLIC_KEY,
label, kpriv->id, kpriv->id_len, NULL);
}
EVP_PKEY_free(pk);
return rc;
}
Certificate::Certificate(const string& _subject, const string& _issuer, const string& _validity, const Node::Id_t _owner, RSA *_rsaPubKey) :
#ifdef DEBUG_LEAKS
LeakMonitor(LEAK_TYPE_CERTIFICATE),
#endif
stored(false), verified(false), hasSignature(false), x(NULL), subject(_subject), issuer(_issuer), validity(_validity), pubKey(NULL), rsaPubKey(NULL), x509_PEM_str(NULL)
{
memcpy(owner, _owner, sizeof(Node::Id_t));
x = X509_new();
if (!x) {
HAGGLE_ERR("Could not allocate X509 certificate struct\n");
return;
}
X509_set_version(x, 2);
pubKey = EVP_PKEY_new();
if (!pubKey) {
X509_free(x);
HAGGLE_ERR("Could not allocate X509 EVP_PKEY\n");
return;
}
EVP_PKEY_assign_RSA(pubKey, RSAPublicKey_dup(_rsaPubKey));
X509_set_pubkey(x, pubKey);
rsaPubKey = EVP_PKEY_get1_RSA(pubKey);
/* Set validity.
FIXME: currently hardcoded
*/
int days = 30;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
X509_NAME *subject_name = X509_get_subject_name(x);
/* Set subject */
//X509_NAME_add_entry_by_txt(subname,"C", MBSTRING_ASC, "SE", -1, -1, 0);
X509_NAME_add_entry_by_txt(subject_name, "CN", MBSTRING_ASC, (const unsigned char *)subject.c_str(), -1, -1, 0);
X509_NAME_add_entry_by_txt(subject_name, "O", MBSTRING_ASC, (const unsigned char *)"Haggle", -1, -1, 0);
X509_set_subject_name(x, subject_name);
/* Set issuer */
X509_NAME *issuer_name = X509_get_issuer_name(x);
X509_NAME_add_entry_by_txt(issuer_name, "CN", MBSTRING_ASC, (const unsigned char *)issuer.c_str(), -1, -1, 0);
X509_NAME_add_entry_by_txt(issuer_name, "O", MBSTRING_ASC, (const unsigned char *)"Haggle", -1, -1, 0);
X509_set_issuer_name(x, issuer_name);
//HAGGLE_DBG("Subject=\'%s\' issuer=\'%s\'\n", subject.c_str(), issuer.c_str());
certificate_set_serial(x);
}
static int old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder,
int derlen) {
RSA *rsa = d2i_RSAPrivateKey(NULL, pder, derlen);
if (rsa == NULL) {
OPENSSL_PUT_ERROR(EVP, old_rsa_priv_decode, ERR_R_RSA_LIB);
return 0;
}
EVP_PKEY_assign_RSA(pkey, rsa);
return 1;
}
int
mono_btls_key_assign_rsa_private_key (EVP_PKEY *pkey, uint8_t *der_data, int der_length)
{
RSA *rsa;
rsa = RSA_private_key_from_bytes (der_data, der_length);
if (!rsa)
return 0;
return EVP_PKEY_assign_RSA (pkey, rsa);
}
static int old_rsa_priv_decode(EVP_PKEY *pkey,
const unsigned char **pder, int derlen)
{
RSA *rsa;
if (!(rsa = d2i_RSAPrivateKey(NULL, pder, derlen))) {
RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
return 0;
}
EVP_PKEY_assign_RSA(pkey, rsa);
return 1;
}
static void mkcert(std::shared_ptr<X509> &cert,
std::shared_ptr<EVP_PKEY> &pkey, int bits, int serial,
int days)
{
RSA *rsa;
X509_NAME *name=NULL;
pkey.reset(EVP_PKEY_new(), &EVP_PKEY_free);
if (!pkey)
throw std::bad_alloc();
cert.reset(X509_new(), &X509_free);
if (!cert)
throw std::bad_alloc();
rsa = RSA_generate_key(bits,RSA_F4,NULL,NULL);
MORDOR_VERIFY(EVP_PKEY_assign_RSA(pkey.get(),rsa));
X509_set_version(cert.get(),2);
ASN1_INTEGER_set(X509_get_serialNumber(cert.get()),serial);
X509_gmtime_adj(X509_get_notBefore(cert.get()),0);
X509_gmtime_adj(X509_get_notAfter(cert.get()),(long)60*60*24*days);
X509_set_pubkey(cert.get(),pkey.get());
name=X509_get_subject_name(cert.get());
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors...
*/
X509_NAME_add_entry_by_txt(name,"C",
MBSTRING_ASC,
(const unsigned char *)"United States",
-1, -1, 0);
X509_NAME_add_entry_by_txt(name,"CN",
MBSTRING_ASC,
(const unsigned char *)"Mordor Default Self-signed Certificate",
-1, -1, 0);
/* Its self signed so set the issuer name to be the same as the
* subject.
*/
X509_set_issuer_name(cert.get(),name);
/* Add various extensions: standard extensions */
add_ext(cert.get(), NID_basic_constraints, "critical,CA:TRUE");
add_ext(cert.get(), NID_key_usage, "critical,keyCertSign,cRLSign");
add_ext(cert.get(), NID_subject_key_identifier, "hash");
/* Some Netscape specific extensions */
add_ext(cert.get(), NID_netscape_cert_type, "sslCA");
MORDOR_VERIFY(X509_sign(cert.get(),pkey.get(),EVP_md5()));
}
uint32 CRegProtocol::CreatePrivateKey(char *name,
EVP_PKEY **key)
{
TU_RET err = TU_ERROR_CRYPTO_FAILED;
RSA *rsaKey;
EVP_PKEY *pkey;
FILE *fp;
rsaKey = RSA_generate_key(1024, 65537, NULL, NULL);
if(rsaKey == NULL)
{
TUTRACE((TUTRACE_ERR, "Couldn't generate RSA key\n"));
goto EXIT;
}
//Now store it in a PKEY
pkey = EVP_PKEY_new();
if(!pkey)
{
TUTRACE((TUTRACE_ERR, "Couldn't generate new EVP key\n"));
goto EXIT;
}
if(!EVP_PKEY_assign_RSA(pkey, rsaKey))
{
TUTRACE((TUTRACE_ERR, "Couldn't assign RSA key to EVP key\n"));
RSA_free(rsaKey);
goto EXIT;
}
fp = fopen(name, "w");
if(!PEM_write_PKCS8PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL))
{
TUTRACE((TUTRACE_ERR, "Error writing Signing key to file\n"));
fclose(fp);
goto ERR_EVP;
}
fclose(fp);
if(key)
*key = pkey;
else
EVP_PKEY_free(pkey);
return TU_SUCCESS;
ERR_EVP:
EVP_PKEY_free(pkey);
EXIT:
return err;
}
void openssl_evp_asycrypt()
{
RSA *rkey;
BIGNUM *bne;
EVP_PKEY *pubkey[2];
EVP_CIPHER_CTX ctx1, ctx2;
int i, ekl[2], len1 = 0, len2 = 0, len3 = 0;
unsigned char ins[] = "openssl asymmetric encrypt test";
unsigned char iv[8], pen[MAX1_LEN], *ek[2], sde[MAX1_LEN];
ek[0] = (unsigned char *)malloc(MAX1_LEN);
ek[1] = (unsigned char *)malloc(MAX1_LEN);
memset(pen, 0, MAX1_LEN);
memset(sde, 0, MAX1_LEN);
memset(ek[0], 0, MAX1_LEN);
memset(ek[1], 0, MAX1_LEN);
bne = BN_new();
BN_set_word(bne, RSA_3);
rkey = RSA_new();
RSA_generate_key_ex(rkey, MAX1_LEN, bne, NULL);
pubkey[0] = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pubkey[0], rkey);
EVP_CIPHER_CTX_init(&ctx1);
EVP_SealInit(&ctx1, EVP_des_ede3_cbc(), ek, ekl, iv, pubkey, 1);
EVP_SealUpdate(&ctx1, pen, &len1, ins, strlen((char *)ins));
EVP_SealFinal(&ctx1, pen + len1, &len3);
len1 += len3;
printf("\nEVP_ASYEncry(%s) = ", ins);
for (i = 0; i < len1; i++)
printf("0x%.02x ", pen[i]);
printf("\n");
EVP_CIPHER_CTX_cleanup(&ctx1);
len3 = 0;
EVP_CIPHER_CTX_init(&ctx2);
EVP_OpenInit(&ctx2, EVP_des_ede3_cbc(), ek[0], ekl[0], iv, pubkey[0]);
EVP_OpenUpdate(&ctx2, sde, &len2, pen, len1);
EVP_OpenFinal(&ctx2, sde + len2, &len3);
len2 += len3;
printf("EVP_ASYDecry(");
for (i = 0; i < len1; i++)
printf("0x%.02x ", pen[i]);
printf(") = %s\n", sde);
EVP_CIPHER_CTX_cleanup(&ctx2);
free(ek[0]);
free(ek[1]);
EVP_PKEY_free(pubkey[0]);
BN_free(bne);
}
Try<EVP_PKEY*> generate_private_rsa_key(int bits, unsigned long _exponent)
{
// Allocate the in-memory structure for the private key.
EVP_PKEY* private_key = EVP_PKEY_new();
if (private_key == NULL) {
return Error("Failed to allocate key: EVP_PKEY_new");
}
// Allocate space for the exponent.
BIGNUM* exponent = BN_new();
if (exponent == NULL) {
EVP_PKEY_free(private_key);
return Error("Failed to allocate exponent: BN_new");
}
// Assign the exponent.
if (BN_set_word(exponent, _exponent) != 1) {
BN_free(exponent);
EVP_PKEY_free(private_key);
return Error("Failed to set exponent: BN_set_word");
}
// Allocate the in-memory structure for the key pair.
RSA* rsa = RSA_new();
if (rsa == NULL) {
BN_free(exponent);
EVP_PKEY_free(private_key);
return Error("Failed to allocate RSA: RSA_new");
}
// Generate the RSA key pair.
if (RSA_generate_key_ex(rsa, bits, exponent, NULL) != 1) {
RSA_free(rsa);
BN_free(exponent);
EVP_PKEY_free(private_key);
return Error(ERR_error_string(ERR_get_error(), NULL));
}
// We no longer need the exponent, so let's free it.
BN_free(exponent);
// Associate the RSA key with the private key. If this association
// is successful, then the RSA key will be freed when the private
// key is freed.
if (EVP_PKEY_assign_RSA(private_key, rsa) != 1) {
RSA_free(rsa);
EVP_PKEY_free(private_key);
return Error("Failed to assign RSA key: EVP_PKEY_assign_RSA");
}
return private_key;
}
int generateKeysRSA(EVP_PKEY** privKey, EVP_PKEY** pubKey){
RSA* rsa = NULL;
if(privKey == NULL || pubKey == NULL)
return 0;
*privKey = EVP_PKEY_new();
if(*privKey == NULL){
printf("ERR EVP_PKEY_new\n");
return 0;
}
*pubKey = EVP_PKEY_new();
if(*pubKey == NULL){
printf("ERR EVP_PKEY_new\n");
return 0;
}
rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
if(rsa == NULL){
printf("ERR RSA_generate_key\n");
return 0;
}
if(1 != EVP_PKEY_assign_RSA(*privKey,
RSAPrivateKey_dup(rsa))){
printf("ERR EVP_PKEY_assign_RSA\n");
return 0;
}
if(1 != EVP_PKEY_assign_RSA(*pubKey,
RSAPublicKey_dup(rsa))){
printf("ERR EVP_PKEY_assign_RSA\n");
return 0;
}
return 1;
}
SEXP PKI_RSAkeygen(SEXP sBits) {
EVP_PKEY *key;
RSA *rsa;
int bits = asInteger(sBits);
if (bits < 512)
Rf_error("invalid key size");
rsa = RSA_generate_key(bits, 65537, 0, 0);
if (!rsa)
Rf_error("%s", ERR_error_string(ERR_get_error(), NULL));
key = EVP_PKEY_new();
EVP_PKEY_assign_RSA(key, rsa);
return wrap_EVP_PKEY(key, PKI_KT_PRIVATE | PKI_KT_PUBLIC);
}
static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
{
const unsigned char *p;
int pklen;
RSA *rsa = NULL;
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
return 0;
if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
return 0;
}
EVP_PKEY_assign_RSA(pkey, rsa);
return 1;
}
/* Return 0 if OK, -1 otherwise */
static int
verifyCertChain (BYTE *rootMod, UINT32 rootModLen, UINT32 nCerts, BYTE *certs)
{
X509 *tbsX509 = NULL;
EVP_PKEY *pkey = NULL;
RSA *rsa;
BYTE *pCert;
UINT32 certLen;
int rslt = -1;
int i, j;
EVP_add_digest(EVP_sha1());
pkey = EVP_PKEY_new ();
rsa = RSA_new ();
rsa->n = BN_bin2bn (rootMod, rootModLen, rsa->n);
rsa->e = BN_new();
BN_set_word (rsa->e, 0x10001);
EVP_PKEY_assign_RSA (pkey, rsa);
for (i=nCerts-1; i>=0; i--) {
pCert = certs;
for (j=0; j<i; j++) {
certLen = (pCert[0]<<16) | (pCert[1]<<8) | pCert[2];
pCert += 3 + certLen;
}
certLen = (pCert[0]<<16) | (pCert[1]<<8) | pCert[2];
pCert += 3;
tbsX509 = d2i_X509 (NULL, (unsigned char const **)&pCert, certLen);
if (!tbsX509)
goto done;
if (X509_verify (tbsX509, pkey) != 1)
goto done;
if (i > 0) {
EVP_PKEY_free (pkey);
pkey = X509_get_pubkey(tbsX509);
if (pkey == NULL)
goto done;
}
X509_free (tbsX509);
tbsX509 = NULL;
}
/* Success */
rslt = 0;
done:
if (pkey)
EVP_PKEY_free (pkey);
if (tbsX509)
X509_free (tbsX509);
return rslt;
}
EVP_PKEY *load_pubkey(const char *file)
{
RSA *rsa_pkey = NULL;
BIO *rsa_pkey_file = NULL;
EVP_PKEY *pkey = EVP_PKEY_new();
// Create a new BIO file structure to be used with PEM file
rsa_pkey_file = BIO_new(BIO_s_file());
if (rsa_pkey_file == NULL)
{
fprintf(stderr, "Error crating a new BIO file.\n");
ERR_print_errors_fp(stderr);
goto end;
}
// Read PEM file using BIO's file structure
if (BIO_read_filename(rsa_pkey_file, file) <= 0)
{
fprintf(stderr, "Error opening %s\n",file);
ERR_print_errors_fp(stderr);
goto end;
}
// Read RSA based PEM file into rsa_pkey structure
if (!PEM_read_bio_RSA_PUBKEY(rsa_pkey_file, &rsa_pkey, NULL, NULL))
{
fprintf(stderr, "Error loading RSA Public Key File.\n");
ERR_print_errors_fp(stderr);
goto end;
}
// Populate pkey with the rsa key. rsa_pkey is owned by pkey,
// therefore if we free pkey, rsa_pkey will be freed too
if (!EVP_PKEY_assign_RSA(pkey, rsa_pkey))
{
fprintf(stderr, "Error assigning EVP_PKEY_assign_RSA: failed.\n");
goto end;
}
end:
if (rsa_pkey_file != NULL)
BIO_free(rsa_pkey_file);
if (pkey == NULL)
{
fprintf(stderr, "Error unable to load %s\n", file);
ERR_print_errors_fp(stderr);
}
return(pkey);
}
void pki_evp::veryOldFromData(unsigned char *p, int size )
{
unsigned char *sik, *pdec, *pdec1, *sik1;
int outl, decsize;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char ckey[EVP_MAX_KEY_LENGTH];
memset(iv, 0, EVP_MAX_IV_LENGTH);
RSA *rsakey;
EVP_CIPHER_CTX ctx;
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
sik = (unsigned char *)OPENSSL_malloc(size);
check_oom(sik);
pki_openssl_error();
pdec = (unsigned char *)OPENSSL_malloc(size);
if (pdec == NULL ) {
OPENSSL_free(sik);
check_oom(pdec);
}
pdec1=pdec;
sik1=sik;
memcpy(iv, p, 8); /* recover the iv */
/* generate the key */
EVP_BytesToKey(cipher, EVP_sha1(), iv, (unsigned char *)oldpasswd,
strlen(oldpasswd), 1, ckey,NULL);
/* we use sha1 as message digest,
* because an md5 version of the password is
* stored in the database...
*/
EVP_CIPHER_CTX_init (&ctx);
EVP_DecryptInit( &ctx, cipher, ckey, iv);
EVP_DecryptUpdate( &ctx, pdec , &outl, p + 8, size -8 );
decsize = outl;
EVP_DecryptFinal( &ctx, pdec + decsize , &outl );
decsize += outl;
pki_openssl_error();
memcpy(sik, pdec, decsize);
if (key->type == EVP_PKEY_RSA) {
rsakey=d2i_RSAPrivateKey(NULL,(const unsigned char **)&pdec, decsize);
if (pki_ign_openssl_error()) {
rsakey = d2i_RSA_PUBKEY(NULL, (const unsigned char **)&sik, decsize);
}
pki_openssl_error();
if (rsakey) EVP_PKEY_assign_RSA(key, rsakey);
}
OPENSSL_free(sik1);
OPENSSL_free(pdec1);
EVP_CIPHER_CTX_cleanup(&ctx);
pki_openssl_error();
encryptKey();
}
SEXP PKI_load_public_RSA(SEXP what) {
EVP_PKEY *key;
RSA *rsa = 0;
const unsigned char *ptr;
if (TYPEOF(what) != RAWSXP)
Rf_error("key must be a raw vector");
ptr = (const unsigned char *) RAW(what);
rsa = d2i_RSA_PUBKEY(&rsa, &ptr, LENGTH(what));
if (!rsa)
Rf_error("%s", ERR_error_string(ERR_get_error(), NULL));
key = EVP_PKEY_new();
EVP_PKEY_assign_RSA(key, rsa);
return wrap_EVP_PKEY(key, PKI_KT_PUBLIC);
}
void pki_evp::generate(int bits, int type, QProgressBar *progress, int curve_nid)
{
RSA *rsakey;
DSA *dsakey;
EC_KEY *eckey;
progress->setMinimum(0);
progress->setMaximum(100);
progress->setValue(50);
switch (type) {
case EVP_PKEY_RSA:
rsakey = RSA_generate_key(bits, 0x10001, inc_progress_bar,
progress);
if (rsakey)
EVP_PKEY_assign_RSA(key, rsakey);
break;
case EVP_PKEY_DSA:
progress->setMaximum(500);
dsakey = DSA_generate_parameters(bits, NULL, 0, NULL, NULL,
inc_progress_bar, progress);
DSA_generate_key(dsakey);
if (dsakey)
EVP_PKEY_assign_DSA(key, dsakey);
break;
case EVP_PKEY_EC:
EC_GROUP *group = EC_GROUP_new_by_curve_name(curve_nid);
if (!group)
break;
eckey = EC_KEY_new();
if (eckey == NULL) {
EC_GROUP_free(group);
break;
}
EC_GROUP_set_asn1_flag(group, 1);
if (EC_KEY_set_group(eckey, group)) {
if (EC_KEY_generate_key(eckey)) {
EVP_PKEY_assign_EC_KEY(key, eckey);
EC_GROUP_free(group);
break;
}
}
EC_KEY_free(eckey);
EC_GROUP_free(group);
break;
}
pki_openssl_error();
encryptKey();
}
Settings::KeyPair CertWizard::generateNewCert(QString qsname, const QString &qsemail) {
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
X509 *x509 = X509_new();
EVP_PKEY *pkey = EVP_PKEY_new();
RSA *rsa = RSA_generate_key(2048,RSA_F4,NULL,NULL);
EVP_PKEY_assign_RSA(pkey, rsa);
X509_set_version(x509, 2);
ASN1_INTEGER_set(X509_get_serialNumber(x509),1);
X509_gmtime_adj(X509_get_notBefore(x509),0);
X509_gmtime_adj(X509_get_notAfter(x509),60*60*24*365*20);
X509_set_pubkey(x509, pkey);
X509_NAME *name=X509_get_subject_name(x509);
if (qsname.isEmpty())
qsname = tr("Mumble User");
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char *>(qsname.toUtf8().data()), -1, -1, 0);
X509_set_issuer_name(x509, name);
add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE"));
add_ext(x509, NID_ext_key_usage, SSL_STRING("clientAuth"));
add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash"));
add_ext(x509, NID_netscape_comment, SSL_STRING("Generated by Mumble"));
add_ext(x509, NID_subject_alt_name, QString::fromLatin1("email:%1").arg(qsemail).toUtf8().data());
X509_sign(x509, pkey, EVP_sha1());
QByteArray crt, key;
crt.resize(i2d_X509(x509, NULL));
unsigned char *dptr=reinterpret_cast<unsigned char *>(crt.data());
i2d_X509(x509, &dptr);
QSslCertificate qscCert = QSslCertificate(crt, QSsl::Der);
key.resize(i2d_PrivateKey(pkey, NULL));
dptr=reinterpret_cast<unsigned char *>(key.data());
i2d_PrivateKey(pkey, &dptr);
QSslKey qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der);
QList<QSslCertificate> qlCert;
qlCert << qscCert;
return Settings::KeyPair(qlCert, qskKey);
}
static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) {
const uint8_t *p;
int pklen;
RSA *rsa;
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) {
return 0;
}
rsa = d2i_RSAPublicKey(NULL, &p, pklen);
if (rsa == NULL) {
OPENSSL_PUT_ERROR(EVP, rsa_pub_decode, ERR_R_RSA_LIB);
return 0;
}
EVP_PKEY_assign_RSA(pkey, rsa);
return 1;
}
std::string
CertificateManager::generateRSACertificate ()
{
RSA *rsa;
std::shared_ptr <EVP_PKEY> private_key;
std::string pem;
std::string rsaKey;
std::string certificateRSA;
rsa = RSA_generate_key(2048, RSA_F4, nullptr, nullptr);
if (rsa == nullptr) {
GST_ERROR ("RSA not created");
return certificateRSA;
}
private_key = std::shared_ptr <EVP_PKEY> (EVP_PKEY_new (),
[] (EVP_PKEY * obj) {
EVP_PKEY_free (obj);
});
if (private_key == nullptr) {
GST_ERROR ("Private key not created");
RSA_free (rsa);
return certificateRSA;
}
if (EVP_PKEY_assign_RSA (private_key.get(), rsa) == 0) {
GST_ERROR ("Private key not assigned");
RSA_free (rsa);
return certificateRSA;
}
rsa = nullptr;
pem = generateCertificate (private_key.get() );
if (pem.empty () ) {
GST_WARNING ("Certificate not generated");
return certificateRSA;
}
rsaKey = privateKeyToPEMString (private_key.get() );
certificateRSA = rsaKey + pem;
return certificateRSA;
}
static void Init() {
ctx = SSL_CTX_new(SSLv23_method());
const uint8_t *bufp = kRSAPrivateKeyDER;
RSA *privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
OPENSSL_assert(privkey != NULL);
EVP_PKEY *pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, privkey);
int ret = SSL_CTX_use_PrivateKey(ctx, pkey);
OPENSSL_assert(ret == 1);
EVP_PKEY_free(pkey);
bufp = kCertificateDER;
X509 *cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
OPENSSL_assert(cert != NULL);
ret = SSL_CTX_use_certificate(ctx, cert);
OPENSSL_assert(ret == 1);
X509_free(cert);
}
static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
const uint8_t *p;
int pklen;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) {
OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
return 0;
}
RSA *rsa = RSA_private_key_from_bytes(p, pklen);
if (rsa == NULL) {
OPENSSL_PUT_ERROR(EVP, ERR_R_RSA_LIB);
return 0;
}
EVP_PKEY_assign_RSA(pkey, rsa);
return 1;
}
int COsslKey::setPublicKey( sqbind::CSqBinary *pBin )
{_STT();
Destroy();
if ( !pBin || !pBin->getUsed() )
return 0;
m_pkey = EVP_PKEY_new();
if ( !m_pkey )
{ oexERROR( 0, oexT( "EVP_PKEY_new() failed" ) );
Destroy();
return 0;
} // end if
BIO *pBio = BIO_new_mem_buf( pBin->_Ptr(), pBin->getUsed() );
if ( !pBio )
{ oexERROR( 0, oexT( "BIO_new_mem_buf() failed" ) );
Destroy();
return 0;
} // end if
RSA *rsa = PEM_read_bio_RSAPublicKey( pBio, oexNULL, oexNULL, (void*)getPasswordPtr() );
if ( !rsa )
rsa = PEM_read_bio_RSA_PUBKEY( pBio, oexNULL, oexNULL, (void*)getPasswordPtr() );
if ( !rsa )
{ const char *pErr = ERR_reason_error_string( ERR_get_error() );
oexERROR( 0, oexMks( oexT( "PEM_read_bio_RSAPublicKey(), PEM_read_bio_RSA_PUBKEY() failed : " ),
pErr ? oexMbToStr( pErr ) : oexT( "Unknown" ) ) );
Destroy();
return 0;
} // end if
// Assign key
if ( !EVP_PKEY_assign_RSA( m_pkey, rsa ) )
{ oexERROR( 0, oexT( "EVP_PKEY_assign_RSA() failed" ) );
Destroy();
return 0;
} // end if
rsa = oexNULL;
BIO_free( pBio );
return 1;
}
void openssl_evp_rsacripher()
{
RSA *rkey;
BIGNUM *bne;
EVP_PKEY *pubkey[2];
const EVP_CIPHER *type;
EVP_CIPHER_CTX ctx1, ctx2;
int i, ekl[2], total = 0, len1 = 0, len2 = 0;
const unsigned char ins[COMM_LEN] = "openssl evp";
unsigned char outs[LINE_LEN], iv[8], *ek[2], de[LINE_LEN];
bne = BN_new();
BN_set_word(bne, RSA_3);
rkey = RSA_new();
RSA_generate_key_ex(rkey, MAX1_LEN, bne, NULL);
pubkey[0] = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pubkey[0], rkey);
type = EVP_des_cbc();
ek[0] = malloc(LINE_LEN);
ek[1] = malloc(LINE_LEN);
EVP_CIPHER_CTX_init(&ctx1);
EVP_SealInit(&ctx1, type, ek, ekl, iv, pubkey, 1);
EVP_SealUpdate(&ctx1, outs, &total, ins, 11);
EVP_SealFinal(&ctx1, outs + total, &len1);
total += len1;
printf("\nEVP_RSASEAL(%s) = ", ins);
for (i = 0; i < total; i++)
printf("0x%.02x ", outs[i]);
EVP_CIPHER_CTX_cleanup(&ctx1);
memset(de, 0, LINE_LEN);
EVP_CIPHER_CTX_init(&ctx2);
EVP_OpenInit(&ctx2, EVP_des_cbc(), ek[0], ekl[0], iv, pubkey[0]);
EVP_OpenUpdate(&ctx2, de, &len2, outs, total);
EVP_OpenFinal(&ctx2, de + len2, &len1);
len2 += len1;
printf("= %s\n", de);
EVP_CIPHER_CTX_cleanup(&ctx2);
free(ek[0]);
free(ek[1]);
EVP_PKEY_free(pubkey[0]);
BN_free(bne);
}
static EVP_PKEY *
gen_key()
{
EVP_PKEY *pkey = EVP_PKEY_new();
BIGNUM *exponent = BN_new();
RSA *rsa = RSA_new();
if (!pkey || !exponent || !rsa ||
!BN_set_word(exponent, 0x10001) || // 65537
!RSA_generate_key_ex(rsa, 1024, exponent, NULL) ||
!EVP_PKEY_assign_RSA(pkey, rsa)) {
EVP_PKEY_free(pkey);
BN_free(exponent);
RSA_free(rsa);
return NULL;
}
BN_free(exponent);
return pkey;
}
