static void ssl_certificate_save(SSLCertificate *cert) { char *file, *port; FILE *fp; file = g_strconcat(config_dir, G_DIR_SEPARATOR_S, "certs", G_DIR_SEPARATOR_S, NULL); if (!is_dir_exist(file)) mkdir(file, S_IRWXU); g_free(file); port = g_strdup_printf("%d", cert->port); file = g_strconcat(config_dir, G_DIR_SEPARATOR_S, "certs", G_DIR_SEPARATOR_S, cert->host, ".", port, ".cert", NULL); g_free(port); fp = fopen(file, "wb"); if (fp == NULL) { g_free(file); eb_debug(DBG_CORE, "Can't save certificate !\n"); return; } i2d_X509_fp(fp, cert->x509_cert); g_free(file); fclose(fp); }
void CertificateDialog::save() { QString file = QFileDialog::getSaveFileName( this, tr("Guardar certificado"), QString( "%1%2%3.pem" ) .arg( QDesktopServices::storageLocation( QDesktopServices::DocumentsLocation ) ) .arg( QDir::separator() ) .arg( "" ), tr("Certificados (*.cer *.crt *.pem)") ); if( file.isEmpty() ) return; //X509 * cert = getSignerCertData(index); FILE *fp; char *_a = "a", *_w="w", *p = _w; //if (append) p=_a; fp = fopen(qPrintable(file) , p); if (fp != NULL) { if (d->internalCert){ //if (PEM) if ((QFileInfo( file ).suffix().toLower() == "pem") || (QFileInfo( file ).suffix().toLower() == "crt")) PEM_write_X509(fp, d->internalCert); else i2d_X509_fp(fp, d->internalCert); openssl_error(""); } } //else fopen_error(file); else QMessageBox::warning( this, tr("Guardar certificado"), tr("Error al guardar archivo") ); fclose(fp); /* QFile f( file ); if( f.open( QIODevice::WriteOnly ) ) { f.write( QFileInfo( file ).suffix().toLower() == "pem" ? d->cert.toPem() : d->cert.toDer() ); f.close(); } else QMessageBox::warning( this, tr("Guardar certificado"), tr("Error al guardar archivo") ); */ }
int main(int argc, char *argv[]) { STACK_OF(X509_EXTENSION) * sk = NULL; X509_EXTENSION *hash_ext = NULL; X509_EXTENSION *nvctr_ext = NULL; X509_EXTENSION *trusted_key_ext = NULL; X509_EXTENSION *non_trusted_key_ext = NULL; FILE *file = NULL; int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid; int c, opt_idx = 0; unsigned int err_code; unsigned char md[SHA256_DIGEST_LENGTH]; const EVP_MD *md_info; NOTICE("CoT Generation Tool: %s\n", build_msg); NOTICE("Target platform: %s\n", platform_msg); /* Set default options */ key_alg = KEY_ALG_RSA; while (1) { /* getopt_long stores the option index here. */ c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx); /* Detect the end of the options. */ if (c == -1) { break; } switch (c) { case 'a': key_alg = get_key_alg(optarg); if (key_alg < 0) { ERROR("Invalid key algorithm '%s'\n", optarg); exit(1); } break; case 'h': print_help(argv[0]); break; case 'k': save_keys = 1; break; case 'n': new_keys = 1; break; case 'p': print_cert = 1; break; case BL2_ID: certs[BL2_CERT].bin = strdup(optarg); break; case BL30_ID: certs[BL30_CERT].bin = strdup(optarg); break; case BL31_ID: certs[BL31_CERT].bin = strdup(optarg); break; case BL32_ID: certs[BL32_CERT].bin = strdup(optarg); break; case BL33_ID: certs[BL33_CERT].bin = strdup(optarg); break; case BL2_CERT_ID: certs[BL2_CERT].fn = strdup(optarg); break; case TRUSTED_KEY_CERT_ID: certs[TRUSTED_KEY_CERT].fn = strdup(optarg); break; case BL30_KEY_CERT_ID: certs[BL30_KEY_CERT].fn = strdup(optarg); break; case BL30_CERT_ID: certs[BL30_CERT].fn = strdup(optarg); break; case BL31_KEY_CERT_ID: certs[BL31_KEY_CERT].fn = strdup(optarg); break; case BL31_CERT_ID: certs[BL31_CERT].fn = strdup(optarg); break; case BL32_KEY_CERT_ID: certs[BL32_KEY_CERT].fn = strdup(optarg); break; case BL32_CERT_ID: certs[BL32_CERT].fn = strdup(optarg); break; case BL33_KEY_CERT_ID: certs[BL33_KEY_CERT].fn = strdup(optarg); break; case BL33_CERT_ID: certs[BL33_CERT].fn = strdup(optarg); break; case ROT_KEY_ID: keys[ROT_KEY].fn = strdup(optarg); break; case TRUSTED_WORLD_KEY_ID: keys[TRUSTED_WORLD_KEY].fn = strdup(optarg); break; case NON_TRUSTED_WORLD_KEY_ID: keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg); break; case BL30_KEY_ID: keys[BL30_KEY].fn = strdup(optarg); break; case BL31_KEY_ID: keys[BL31_KEY].fn = strdup(optarg); break; case BL32_KEY_ID: keys[BL32_KEY].fn = strdup(optarg); break; case BL33_KEY_ID: keys[BL33_KEY].fn = strdup(optarg); break; case '?': default: printf("%s\n", optarg); exit(1); } } /* Set the value of the NVCounters */ tf_nvcounter = NVCOUNTER_VALUE; non_tf_nvcounter = NVCOUNTER_VALUE; /* Check command line arguments */ check_cmd_params(); /* Register the new types and OIDs for the extensions */ if (ext_init(tbb_ext) != 0) { ERROR("Cannot initialize TBB extensions\n"); exit(1); } /* Indicate SHA256 as image hash algorithm in the certificate * extension */ md_info = EVP_sha256(); /* Get non-volatile counters NIDs */ CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID); CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID); /* Load private keys from files (or generate new ones) */ for (i = 0 ; i < NUM_KEYS ; i++) { /* First try to load the key from disk */ if (key_load(&keys[i], &err_code)) { /* Key loaded successfully */ continue; } /* Key not loaded. Check the error code */ if (err_code == KEY_ERR_MALLOC) { /* Cannot allocate memory. Abort. */ ERROR("Malloc error while loading '%s'\n", keys[i].fn); exit(1); } else if (err_code == KEY_ERR_LOAD) { /* File exists, but it does not contain a valid private * key. Abort. */ ERROR("Error loading '%s'\n", keys[i].fn); exit(1); } /* File does not exist, could not be opened or no filename was * given */ if (new_keys) { /* Try to create a new key */ NOTICE("Creating new key for '%s'\n", keys[i].desc); if (!key_create(&keys[i], key_alg)) { ERROR("Error creating key '%s'\n", keys[i].desc); exit(1); } } else { if (err_code == KEY_ERR_OPEN) { ERROR("Error opening '%s'\n", keys[i].fn); } else { ERROR("Key '%s' not specified\n", keys[i].desc); } exit(1); } } /* ********************************************************************* * BL2 certificate (Trusted Boot Firmware certificate): * - Self-signed with OEM ROT private key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - BL2 hash **********************************************************************/ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); /* Add the NVCounter as a critical extension */ CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); /* Add hash of BL2 as an extension */ if (!sha_file(certs[BL2_CERT].bin, md)) { ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin); exit(1); } CHECK_OID(hash_nid, BL2_HASH_OID); CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); /* Create certificate. Signed with ROT key */ if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL2_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); /* ********************************************************************* * Trusted Key certificate: * - Self-signed with OEM ROT private key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - TrustedWorldPK * - NonTrustedWorldPK **********************************************************************/ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); CHECK_OID(pk_nid, TZ_WORLD_PK_OID); CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, keys[TRUSTED_WORLD_KEY].key)); sk_X509_EXTENSION_push(sk, trusted_key_ext); CHECK_OID(pk_nid, NTZ_WORLD_PK_OID); CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, keys[NON_TRUSTED_WORLD_KEY].key)); sk_X509_EXTENSION_push(sk, non_trusted_key_ext); if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); /* ********************************************************************* * BL30 Key certificate (Trusted SCP Firmware Key certificate): * - Self-signed with Trusted World key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - SCPFirmwareContentCertPK **********************************************************************/ if (bl30_present) { CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID); CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, keys[BL30_KEY].key)); sk_X509_EXTENSION_push(sk, trusted_key_ext); if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); } /* ********************************************************************* * BL30 certificate (SCP Firmware Content certificate): * - Signed with Trusted World Key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - SCPFirmwareHash **********************************************************************/ if (bl30_present) { CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); if (!sha_file(certs[BL30_CERT].bin, md)) { ERROR("Cannot calculate the hash of %s\n", certs[BL30_CERT].bin); exit(1); } CHECK_OID(hash_nid, BL30_HASH_OID); CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL30_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); } /* ********************************************************************* * BL31 Key certificate (Trusted SoC Firmware Key certificate): * - Self-signed with Trusted World key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - SoCFirmwareContentCertPK **********************************************************************/ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID); CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, keys[BL31_KEY].key)); sk_X509_EXTENSION_push(sk, trusted_key_ext); if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); /* ********************************************************************* * BL31 certificate (SOC Firmware Content certificate): * - Signed with Trusted World Key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - BL31 hash **********************************************************************/ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); if (!sha_file(certs[BL31_CERT].bin, md)) { ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin); exit(1); } CHECK_OID(hash_nid, BL31_HASH_OID); CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL31_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); /* ********************************************************************* * BL32 Key certificate (Trusted OS Firmware Key certificate): * - Self-signed with Trusted World key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - TrustedOSFirmwareContentCertPK **********************************************************************/ if (bl32_present) { CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID); CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, keys[BL32_KEY].key)); sk_X509_EXTENSION_push(sk, trusted_key_ext); if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); } /* ********************************************************************* * BL32 certificate (TrustedOS Firmware Content certificate): * - Signed with Trusted World Key * - Extensions: * - TrustedFirmwareNVCounter (TODO) * - BL32 hash **********************************************************************/ if (bl32_present) { CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT, tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); if (!sha_file(certs[BL32_CERT].bin, md)) { ERROR("Cannot calculate the hash of %s\n", certs[BL32_CERT].bin); exit(1); } CHECK_OID(hash_nid, BL32_HASH_OID); CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL32_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); } /* ********************************************************************* * BL33 Key certificate (Non Trusted Firmware Key certificate): * - Self-signed with Non Trusted World key * - Extensions: * - NonTrustedFirmwareNVCounter (TODO) * - NonTrustedFirmwareContentCertPK **********************************************************************/ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, non_tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID); CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT, keys[BL33_KEY].key)); sk_X509_EXTENSION_push(sk, non_trusted_key_ext); if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); /* ********************************************************************* * BL33 certificate (Non-Trusted World Content certificate): * - Signed with Non-Trusted World Key * - Extensions: * - NonTrustedFirmwareNVCounter (TODO) * - BL33 hash **********************************************************************/ CHECK_NULL(sk, sk_X509_EXTENSION_new_null()); CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT, non_tf_nvcounter)); sk_X509_EXTENSION_push(sk, nvctr_ext); if (!sha_file(certs[BL33_CERT].bin, md)) { ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin); exit(1); } CHECK_OID(hash_nid, BL33_HASH_OID); CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md, SHA256_DIGEST_LENGTH)); sk_X509_EXTENSION_push(sk, hash_ext); if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) { ERROR("Cannot create %s\n", certs[BL33_CERT].cn); exit(1); } sk_X509_EXTENSION_free(sk); /* Print the certificates */ if (print_cert) { for (i = 0 ; i < NUM_CERTIFICATES ; i++) { if (!certs[i].x) { continue; } printf("\n\n=====================================\n\n"); X509_print_fp(stdout, certs[i].x); } } /* Save created certificates to files */ for (i = 0 ; i < NUM_CERTIFICATES ; i++) { if (certs[i].x && certs[i].fn) { file = fopen(certs[i].fn, "w"); if (file != NULL) { i2d_X509_fp(file, certs[i].x); fclose(file); } else { ERROR("Cannot create file %s\n", certs[i].fn); } } } /* Save keys */ if (save_keys) { for (i = 0 ; i < NUM_KEYS ; i++) { if (!key_store(&keys[i])) { ERROR("Cannot save %s\n", keys[i].desc); } } } X509_EXTENSION_free(hash_ext); X509_EXTENSION_free(nvctr_ext); X509_EXTENSION_free(trusted_key_ext); X509_EXTENSION_free(non_trusted_key_ext); #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); return 0; }
static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7, size_t len, char *pem_file, char *der_file) { #ifdef OPENSSL_IS_BORINGSSL CBS pkcs7_cbs; #else /* OPENSSL_IS_BORINGSSL */ PKCS7 *p7 = NULL; const unsigned char *p = pkcs7; #endif /* OPENSSL_IS_BORINGSSL */ STACK_OF(X509) *certs; int i, num, ret = -1; BIO *out = NULL; #ifdef OPENSSL_IS_BORINGSSL certs = sk_X509_new_null(); if (!certs) goto fail; CBS_init(&pkcs7_cbs, pkcs7, len); if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) { wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s", ERR_error_string(ERR_get_error(), NULL)); write_result(ctx, "Could not parse PKCS#7 object from EST"); goto fail; } #else /* OPENSSL_IS_BORINGSSL */ p7 = d2i_PKCS7(NULL, &p, len); if (p7 == NULL) { wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s", ERR_error_string(ERR_get_error(), NULL)); write_result(ctx, "Could not parse PKCS#7 object from EST"); goto fail; } switch (OBJ_obj2nid(p7->type)) { case NID_pkcs7_signed: certs = p7->d.sign->cert; break; case NID_pkcs7_signedAndEnveloped: certs = p7->d.signed_and_enveloped->cert; break; default: certs = NULL; break; } #endif /* OPENSSL_IS_BORINGSSL */ if (!certs || ((num = sk_X509_num(certs)) == 0)) { wpa_printf(MSG_INFO, "No certificates found in PKCS#7 object"); write_result(ctx, "No certificates found in PKCS#7 object"); goto fail; } if (der_file) { FILE *f = fopen(der_file, "wb"); if (f == NULL) goto fail; i2d_X509_fp(f, sk_X509_value(certs, 0)); fclose(f); } if (pem_file) { out = BIO_new(BIO_s_file()); if (out == NULL || BIO_write_filename(out, pem_file) <= 0) goto fail; for (i = 0; i < num; i++) { X509 *cert = sk_X509_value(certs, i); X509_print(out, cert); PEM_write_bio_X509(out, cert); BIO_puts(out, "\n"); } } ret = 0; fail: #ifdef OPENSSL_IS_BORINGSSL if (certs) sk_X509_pop_free(certs, X509_free); #else /* OPENSSL_IS_BORINGSSL */ PKCS7_free(p7); #endif /* OPENSSL_IS_BORINGSSL */ if (out) BIO_free_all(out); return ret; }
/* ToDo: Create Access to OpenSSL certificate store => Only API to In-Memory-Store is available for version 0.9.8x => Wait until Directory- and/or File-Store is available */ OpcUa_StatusCode OpcUa_P_OpenSSL_PKI_SaveCertificate( OpcUa_PKIProvider* a_pProvider, OpcUa_ByteString* a_pCertificate, OpcUa_Void* a_pCertificateStore, OpcUa_Void* a_pSaveHandle) /* Index or number within store/destination filepath */ { X509* pX509Certificate = OpcUa_Null; FILE* pCertificateFile = OpcUa_Null; const unsigned char* p; OpcUa_UInt32 i; OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "PKI_SaveCertificate"); OpcUa_ReturnErrorIfArgumentNull(a_pProvider); OpcUa_ReturnErrorIfArgumentNull(a_pProvider->Handle); OpcUa_ReturnErrorIfArgumentNull(a_pCertificate); OpcUa_ReturnErrorIfArgumentNull(a_pCertificateStore); OpcUa_ReturnErrorIfArgumentNull(a_pSaveHandle); /* save DER certificate */ pCertificateFile = fopen((const char*)a_pSaveHandle, "w"); /* check for valid file handle */ OpcUa_GotoErrorIfTrue((pCertificateFile == OpcUa_Null), OpcUa_BadInvalidArgument); /* convert openssl X509 certificate to DER encoded bytestring certificate */ p = a_pCertificate->Data; while (p < a_pCertificate->Data + a_pCertificate->Length) { if(!(pX509Certificate = d2i_X509((X509**)OpcUa_Null, &p, a_pCertificate->Data + a_pCertificate->Length - p))) { fclose(pCertificateFile); uStatus = OpcUa_Bad; OpcUa_GotoErrorIfBad(uStatus); } i = i2d_X509_fp(pCertificateFile, pX509Certificate); if(i < 1) { fclose(pCertificateFile); uStatus = OpcUa_Bad; OpcUa_GotoErrorIfBad(uStatus); } X509_free(pX509Certificate); pX509Certificate = OpcUa_Null; } if(fclose(pCertificateFile) != 0) { uStatus = OpcUa_Bad; OpcUa_GotoErrorIfBad(uStatus); } OpcUa_ReturnStatusCode; OpcUa_BeginErrorHandling; if (pX509Certificate != OpcUa_Null) { X509_free(pX509Certificate); } OpcUa_FinishErrorHandling; }
LWS_VISIBLE LWS_EXTERN int lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a, const char *san_b) { GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null(); GENERAL_NAME *gen = NULL; ASN1_IA5STRING *ia5 = NULL; X509_NAME *name; if (!gens) return 1; vhost->tls.ss = lws_zalloc(sizeof(*vhost->tls.ss), "sni cert"); if (!vhost->tls.ss) { GENERAL_NAMES_free(gens); return 1; } vhost->tls.ss->x509 = X509_new(); if (!vhost->tls.ss->x509) goto bail; ASN1_INTEGER_set(X509_get_serialNumber(vhost->tls.ss->x509), 1); X509_gmtime_adj(X509_get_notBefore(vhost->tls.ss->x509), 0); X509_gmtime_adj(X509_get_notAfter(vhost->tls.ss->x509), 3600); vhost->tls.ss->pkey = EVP_PKEY_new(); if (!vhost->tls.ss->pkey) goto bail0; if (lws_tls_openssl_rsa_new_key(&vhost->tls.ss->rsa, 4096)) goto bail1; if (!EVP_PKEY_assign_RSA(vhost->tls.ss->pkey, vhost->tls.ss->rsa)) goto bail2; X509_set_pubkey(vhost->tls.ss->x509, vhost->tls.ss->pkey); name = X509_get_subject_name(vhost->tls.ss->x509); X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"GB", -1, -1, 0); X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"somecompany", -1, -1, 0); if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (unsigned char *)"temp.acme.invalid", -1, -1, 0) != 1) { lwsl_notice("failed to add CN\n"); goto bail2; } X509_set_issuer_name(vhost->tls.ss->x509, name); /* add the SAN payloads */ gen = GENERAL_NAME_new(); ia5 = ASN1_IA5STRING_new(); if (!ASN1_STRING_set(ia5, san_a, -1)) { lwsl_notice("failed to set ia5\n"); GENERAL_NAME_free(gen); goto bail2; } GENERAL_NAME_set0_value(gen, GEN_DNS, ia5); sk_GENERAL_NAME_push(gens, gen); if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name, gens, 0, X509V3_ADD_APPEND) != 1) goto bail2; GENERAL_NAMES_free(gens); if (san_b && san_b[0]) { gens = sk_GENERAL_NAME_new_null(); gen = GENERAL_NAME_new(); ia5 = ASN1_IA5STRING_new(); if (!ASN1_STRING_set(ia5, san_a, -1)) { lwsl_notice("failed to set ia5\n"); GENERAL_NAME_free(gen); goto bail2; } GENERAL_NAME_set0_value(gen, GEN_DNS, ia5); sk_GENERAL_NAME_push(gens, gen); if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name, gens, 0, X509V3_ADD_APPEND) != 1) goto bail2; GENERAL_NAMES_free(gens); } /* sign it with our private key */ if (!X509_sign(vhost->tls.ss->x509, vhost->tls.ss->pkey, EVP_sha256())) goto bail2; #if 0 {/* useful to take a sample of a working cert for mbedtls to crib */ FILE *fp = fopen("/tmp/acme-temp-cert", "w+"); i2d_X509_fp(fp, vhost->tls.ss->x509); fclose(fp); } #endif /* tell the vhost to use our crafted certificate */ SSL_CTX_use_certificate(vhost->tls.ssl_ctx, vhost->tls.ss->x509); /* and to use our generated private key */ SSL_CTX_use_PrivateKey(vhost->tls.ssl_ctx, vhost->tls.ss->pkey); return 0; bail2: RSA_free(vhost->tls.ss->rsa); bail1: EVP_PKEY_free(vhost->tls.ss->pkey); bail0: X509_free(vhost->tls.ss->x509); bail: lws_free(vhost->tls.ss); GENERAL_NAMES_free(gens); return 1; }
/* Creates an X509 certificate from a certificate request. */ EXPORT int IssueUserCertificate(unsigned char *certbuf, int *certlen, unsigned char *reqbuf, int reqlen) { X509_REQ *req = NULL; EVP_PKEY *cakey = NULL, *rakey = NULL, *usrkey = NULL; X509 *cacert = NULL, *racert = NULL, *usrcert = NULL; X509_NAME *subject = NULL, *issuer = NULL; unsigned char *p = NULL; int ret = OPENSSLCA_NO_ERR, len; if (certbuf == NULL || certlen == NULL || reqbuf == NULL || reqlen == 0) return OPENSSLCA_ERR_ARGS; /* Decode request */ if ((req = X509_REQ_new()) == NULL) { ret = OPENSSLCA_ERR_REQ_NEW; goto err; } p = reqbuf; if (d2i_X509_REQ(&req, &p, reqlen) == NULL) { ret = OPENSSLCA_ERR_REQ_DECODE; goto err; } /* Get public key from request */ if ((usrkey = X509_REQ_get_pubkey(req)) == NULL) { ret = OPENSSLCA_ERR_REQ_GET_PUBKEY; goto err; } if (caIni.verifyRequests) { /* Get RA's public key */ /* TODO: Validate RA certificate */ ret = read_cert(&racert, CA_PATH(caIni.raCertFile)); if (ret != OPENSSLCA_NO_ERR) goto err; if ((rakey = X509_get_pubkey(racert)) == NULL) { ret = OPENSSLCA_ERR_CERT_GET_PUBKEY; goto err; } /* Verify signature on request */ if (X509_REQ_verify(req, rakey) != 1) { ret = OPENSSLCA_ERR_REQ_VERIFY; goto err; } } /* Get CA certificate */ /* TODO: Validate CA certificate */ ret = read_cert(&cacert, CA_PATH(caIni.caCertFile)); if (ret != OPENSSLCA_NO_ERR) goto err; /* Get CA private key */ ret = read_key(&cakey, CA_PATH(caIni.caKeyFile), caIni.caKeyPasswd); if (ret != OPENSSLCA_NO_ERR) goto err; /* Create user certificate */ if ((usrcert = X509_new()) == NULL) return OPENSSLCA_ERR_CERT_NEW; /* Set version and serial number for certificate */ if (X509_set_version(usrcert, 2) != 1) { /* V3 */ ret = OPENSSLCA_ERR_CERT_SET_VERSION; goto err; } if (ASN1_INTEGER_set(X509_get_serialNumber(usrcert), get_serial()) != 1) { ret = OPENSSLCA_ERR_CERT_SET_SERIAL; goto err; } /* Set duration for certificate */ if (X509_gmtime_adj(X509_get_notBefore(usrcert), 0) == NULL) { ret = OPENSSLCA_ERR_CERT_SET_NOTBEFORE; goto err; } if (X509_gmtime_adj(X509_get_notAfter(usrcert), EXPIRE_SECS(caIni.daysTillExpire)) == NULL) { ret = OPENSSLCA_ERR_CERT_SET_NOTAFTER; goto err; } /* Set public key */ if (X509_set_pubkey(usrcert, usrkey) != 1) { ret = OPENSSLCA_ERR_CERT_SET_PUBKEY; goto err; } /* Set subject name */ subject = X509_REQ_get_subject_name(req); if (subject == NULL) { ret = OPENSSLCA_ERR_REQ_GET_SUBJECT; goto err; } if (X509_set_subject_name(usrcert, subject) != 1) { ret = OPENSSLCA_ERR_CERT_SET_SUBJECT; goto err; } /* Set issuer name */ issuer = X509_get_issuer_name(cacert); if (issuer == NULL) { ret = OPENSSLCA_ERR_CERT_GET_ISSUER; goto err; } if (X509_set_issuer_name(usrcert, issuer) != 1) { ret = OPENSSLCA_ERR_CERT_SET_ISSUER; goto err; } /* Add extensions */ ret = add_ext(cacert, usrcert); if (ret != OPENSSLCA_NO_ERR) goto err; /* Sign user certificate with CA's private key */ if (!X509_sign(usrcert, cakey, EVP_sha1())) return OPENSSLCA_ERR_CERT_SIGN; if (caIni.verifyAfterSign) { if (X509_verify(usrcert, cakey) != 1) { ret = OPENSSLCA_ERR_CERT_VERIFY; goto err; } } #ifdef _DEBUG /* Output certificate in DER and PEM format */ { FILE *fp = fopen(DBG_PATH("usrcert.der"), "wb"); if (fp != NULL) { i2d_X509_fp(fp, usrcert); fclose(fp); } fp = fopen(DBG_PATH("usrcert.pem"), "w"); if (fp != NULL) { X509_print_fp(fp, usrcert); PEM_write_X509(fp, usrcert); fclose(fp); } } #endif /* Encode user certificate into DER format */ len = i2d_X509(usrcert, NULL); if (len < 0) { ret = OPENSSLCA_ERR_CERT_ENCODE; goto err; } if (len > *certlen) { ret = OPENSSLCA_ERR_BUF_TOO_SMALL; goto err; } *certlen = len; p = certbuf; i2d_X509(usrcert, &p); if (caIni.addToIndex) add_to_index(usrcert); if (caIni.addToNewCerts) write_cert(usrcert); err: print_err("IssueUserCertificate()", ret); /* Clean up */ if (cacert) X509_free(cacert); if (cakey) EVP_PKEY_free(cakey); if (racert) X509_free(racert); if (rakey) EVP_PKEY_free(rakey); if (req) X509_REQ_free(req); if (usrcert != NULL) X509_free(usrcert); if (usrkey) EVP_PKEY_free(usrkey); return ret; }