static void ssl_certificate_save(SSLCertificate *cert)
{
char *file, *port;
FILE *fp;
file = g_strconcat(config_dir, G_DIR_SEPARATOR_S,
"certs", G_DIR_SEPARATOR_S, NULL);
if (!is_dir_exist(file))
mkdir(file, S_IRWXU);
g_free(file);
port = g_strdup_printf("%d", cert->port);
file = g_strconcat(config_dir, G_DIR_SEPARATOR_S,
"certs", G_DIR_SEPARATOR_S,
cert->host, ".", port, ".cert", NULL);
g_free(port);
fp = fopen(file, "wb");
if (fp == NULL) {
g_free(file);
eb_debug(DBG_CORE, "Can't save certificate !\n");
return;
}
i2d_X509_fp(fp, cert->x509_cert);
g_free(file);
fclose(fp);
}
void CertificateDialog::save()
{
QString file = QFileDialog::getSaveFileName( this,
tr("Guardar certificado"),
QString( "%1%2%3.pem" )
.arg( QDesktopServices::storageLocation( QDesktopServices::DocumentsLocation ) )
.arg( QDir::separator() )
.arg( "" ),
tr("Certificados (*.cer *.crt *.pem)") );
if( file.isEmpty() )
return;
//X509 * cert = getSignerCertData(index);
FILE *fp;
char *_a = "a", *_w="w", *p = _w;
//if (append) p=_a;
fp = fopen(qPrintable(file) , p);
if (fp != NULL) {
if (d->internalCert){
//if (PEM)
if ((QFileInfo( file ).suffix().toLower() == "pem") || (QFileInfo( file ).suffix().toLower() == "crt"))
PEM_write_X509(fp, d->internalCert);
else
i2d_X509_fp(fp, d->internalCert);
openssl_error("");
}
}
//else fopen_error(file);
else
QMessageBox::warning( this, tr("Guardar certificado"), tr("Error al guardar archivo") );
fclose(fp);
/*
QFile f( file );
if( f.open( QIODevice::WriteOnly ) )
{
f.write( QFileInfo( file ).suffix().toLower() == "pem" ? d->cert.toPem() : d->cert.toDer() );
f.close();
}
else
QMessageBox::warning( this, tr("Guardar certificado"), tr("Error al guardar archivo") );
*/
}
int main(int argc, char *argv[])
{
STACK_OF(X509_EXTENSION) * sk = NULL;
X509_EXTENSION *hash_ext = NULL;
X509_EXTENSION *nvctr_ext = NULL;
X509_EXTENSION *trusted_key_ext = NULL;
X509_EXTENSION *non_trusted_key_ext = NULL;
FILE *file = NULL;
int i, tz_nvctr_nid, ntz_nvctr_nid, hash_nid, pk_nid;
int c, opt_idx = 0;
unsigned int err_code;
unsigned char md[SHA256_DIGEST_LENGTH];
const EVP_MD *md_info;
NOTICE("CoT Generation Tool: %s\n", build_msg);
NOTICE("Target platform: %s\n", platform_msg);
/* Set default options */
key_alg = KEY_ALG_RSA;
while (1) {
/* getopt_long stores the option index here. */
c = getopt_long(argc, argv, "ahknp", long_opt, &opt_idx);
/* Detect the end of the options. */
if (c == -1) {
break;
}
switch (c) {
case 'a':
key_alg = get_key_alg(optarg);
if (key_alg < 0) {
ERROR("Invalid key algorithm '%s'\n", optarg);
exit(1);
}
break;
case 'h':
print_help(argv[0]);
break;
case 'k':
save_keys = 1;
break;
case 'n':
new_keys = 1;
break;
case 'p':
print_cert = 1;
break;
case BL2_ID:
certs[BL2_CERT].bin = strdup(optarg);
break;
case BL30_ID:
certs[BL30_CERT].bin = strdup(optarg);
break;
case BL31_ID:
certs[BL31_CERT].bin = strdup(optarg);
break;
case BL32_ID:
certs[BL32_CERT].bin = strdup(optarg);
break;
case BL33_ID:
certs[BL33_CERT].bin = strdup(optarg);
break;
case BL2_CERT_ID:
certs[BL2_CERT].fn = strdup(optarg);
break;
case TRUSTED_KEY_CERT_ID:
certs[TRUSTED_KEY_CERT].fn = strdup(optarg);
break;
case BL30_KEY_CERT_ID:
certs[BL30_KEY_CERT].fn = strdup(optarg);
break;
case BL30_CERT_ID:
certs[BL30_CERT].fn = strdup(optarg);
break;
case BL31_KEY_CERT_ID:
certs[BL31_KEY_CERT].fn = strdup(optarg);
break;
case BL31_CERT_ID:
certs[BL31_CERT].fn = strdup(optarg);
break;
case BL32_KEY_CERT_ID:
certs[BL32_KEY_CERT].fn = strdup(optarg);
break;
case BL32_CERT_ID:
certs[BL32_CERT].fn = strdup(optarg);
break;
case BL33_KEY_CERT_ID:
certs[BL33_KEY_CERT].fn = strdup(optarg);
break;
case BL33_CERT_ID:
certs[BL33_CERT].fn = strdup(optarg);
break;
case ROT_KEY_ID:
keys[ROT_KEY].fn = strdup(optarg);
break;
case TRUSTED_WORLD_KEY_ID:
keys[TRUSTED_WORLD_KEY].fn = strdup(optarg);
break;
case NON_TRUSTED_WORLD_KEY_ID:
keys[NON_TRUSTED_WORLD_KEY].fn = strdup(optarg);
break;
case BL30_KEY_ID:
keys[BL30_KEY].fn = strdup(optarg);
break;
case BL31_KEY_ID:
keys[BL31_KEY].fn = strdup(optarg);
break;
case BL32_KEY_ID:
keys[BL32_KEY].fn = strdup(optarg);
break;
case BL33_KEY_ID:
keys[BL33_KEY].fn = strdup(optarg);
break;
case '?':
default:
printf("%s\n", optarg);
exit(1);
}
}
/* Set the value of the NVCounters */
tf_nvcounter = NVCOUNTER_VALUE;
non_tf_nvcounter = NVCOUNTER_VALUE;
/* Check command line arguments */
check_cmd_params();
/* Register the new types and OIDs for the extensions */
if (ext_init(tbb_ext) != 0) {
ERROR("Cannot initialize TBB extensions\n");
exit(1);
}
/* Indicate SHA256 as image hash algorithm in the certificate
* extension */
md_info = EVP_sha256();
/* Get non-volatile counters NIDs */
CHECK_OID(tz_nvctr_nid, TZ_FW_NVCOUNTER_OID);
CHECK_OID(ntz_nvctr_nid, NTZ_FW_NVCOUNTER_OID);
/* Load private keys from files (or generate new ones) */
for (i = 0 ; i < NUM_KEYS ; i++) {
/* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) {
/* Key loaded successfully */
continue;
}
/* Key not loaded. Check the error code */
if (err_code == KEY_ERR_MALLOC) {
/* Cannot allocate memory. Abort. */
ERROR("Malloc error while loading '%s'\n", keys[i].fn);
exit(1);
} else if (err_code == KEY_ERR_LOAD) {
/* File exists, but it does not contain a valid private
* key. Abort. */
ERROR("Error loading '%s'\n", keys[i].fn);
exit(1);
}
/* File does not exist, could not be opened or no filename was
* given */
if (new_keys) {
/* Try to create a new key */
NOTICE("Creating new key for '%s'\n", keys[i].desc);
if (!key_create(&keys[i], key_alg)) {
ERROR("Error creating key '%s'\n", keys[i].desc);
exit(1);
}
} else {
if (err_code == KEY_ERR_OPEN) {
ERROR("Error opening '%s'\n", keys[i].fn);
} else {
ERROR("Key '%s' not specified\n", keys[i].desc);
}
exit(1);
}
}
/* *********************************************************************
* BL2 certificate (Trusted Boot Firmware certificate):
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL2 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
/* Add the NVCounter as a critical extension */
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
/* Add hash of BL2 as an extension */
if (!sha_file(certs[BL2_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL2_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL2_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
/* Create certificate. Signed with ROT key */
if (!cert_new(&certs[BL2_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL2_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* Trusted Key certificate:
* - Self-signed with OEM ROT private key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedWorldPK
* - NonTrustedWorldPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, TZ_WORLD_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[TRUSTED_WORLD_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
CHECK_OID(pk_nid, NTZ_WORLD_PK_OID);
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[NON_TRUSTED_WORLD_KEY].key));
sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
if (!cert_new(&certs[TRUSTED_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[TRUSTED_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL30 Key certificate (Trusted SCP Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareContentCertPK
**********************************************************************/
if (bl30_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL30_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL30_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL30_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL30_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL30 certificate (SCP Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SCPFirmwareHash
**********************************************************************/
if (bl30_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL30_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n",
certs[BL30_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL30_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL30_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL30_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL31 Key certificate (Trusted SoC Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - SoCFirmwareContentCertPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL31_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL31_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL31_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL31_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL31 certificate (SOC Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL31 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL31_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL31_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL31_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL31_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL31_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL32 Key certificate (Trusted OS Firmware Key certificate):
* - Self-signed with Trusted World key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - TrustedOSFirmwareContentCertPK
**********************************************************************/
if (bl32_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL32_CONTENT_CERT_PK_OID);
CHECK_NULL(trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL32_KEY].key));
sk_X509_EXTENSION_push(sk, trusted_key_ext);
if (!cert_new(&certs[BL32_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL32_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL32 certificate (TrustedOS Firmware Content certificate):
* - Signed with Trusted World Key
* - Extensions:
* - TrustedFirmwareNVCounter (TODO)
* - BL32 hash
**********************************************************************/
if (bl32_present) {
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(tz_nvctr_nid, EXT_CRIT,
tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL32_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n",
certs[BL32_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL32_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info,
md, SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL32_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL32_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
}
/* *********************************************************************
* BL33 Key certificate (Non Trusted Firmware Key certificate):
* - Self-signed with Non Trusted World key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - NonTrustedFirmwareContentCertPK
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
non_tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
CHECK_OID(pk_nid, BL33_CONTENT_CERT_PK_OID);
CHECK_NULL(non_trusted_key_ext, ext_new_key(pk_nid, EXT_CRIT,
keys[BL33_KEY].key));
sk_X509_EXTENSION_push(sk, non_trusted_key_ext);
if (!cert_new(&certs[BL33_KEY_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL33_KEY_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* *********************************************************************
* BL33 certificate (Non-Trusted World Content certificate):
* - Signed with Non-Trusted World Key
* - Extensions:
* - NonTrustedFirmwareNVCounter (TODO)
* - BL33 hash
**********************************************************************/
CHECK_NULL(sk, sk_X509_EXTENSION_new_null());
CHECK_NULL(nvctr_ext, ext_new_nvcounter(ntz_nvctr_nid, EXT_CRIT,
non_tf_nvcounter));
sk_X509_EXTENSION_push(sk, nvctr_ext);
if (!sha_file(certs[BL33_CERT].bin, md)) {
ERROR("Cannot calculate the hash of %s\n", certs[BL33_CERT].bin);
exit(1);
}
CHECK_OID(hash_nid, BL33_HASH_OID);
CHECK_NULL(hash_ext, ext_new_hash(hash_nid, EXT_CRIT, md_info, md,
SHA256_DIGEST_LENGTH));
sk_X509_EXTENSION_push(sk, hash_ext);
if (!cert_new(&certs[BL33_CERT], VAL_DAYS, 0, sk)) {
ERROR("Cannot create %s\n", certs[BL33_CERT].cn);
exit(1);
}
sk_X509_EXTENSION_free(sk);
/* Print the certificates */
if (print_cert) {
for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
if (!certs[i].x) {
continue;
}
printf("\n\n=====================================\n\n");
X509_print_fp(stdout, certs[i].x);
}
}
/* Save created certificates to files */
for (i = 0 ; i < NUM_CERTIFICATES ; i++) {
if (certs[i].x && certs[i].fn) {
file = fopen(certs[i].fn, "w");
if (file != NULL) {
i2d_X509_fp(file, certs[i].x);
fclose(file);
} else {
ERROR("Cannot create file %s\n", certs[i].fn);
}
}
}
/* Save keys */
if (save_keys) {
for (i = 0 ; i < NUM_KEYS ; i++) {
if (!key_store(&keys[i])) {
ERROR("Cannot save %s\n", keys[i].desc);
}
}
}
X509_EXTENSION_free(hash_ext);
X509_EXTENSION_free(nvctr_ext);
X509_EXTENSION_free(trusted_key_ext);
X509_EXTENSION_free(non_trusted_key_ext);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
return 0;
}
static int pkcs7_to_cert(struct hs20_osu_client *ctx, const u8 *pkcs7,
size_t len, char *pem_file, char *der_file)
{
#ifdef OPENSSL_IS_BORINGSSL
CBS pkcs7_cbs;
#else /* OPENSSL_IS_BORINGSSL */
PKCS7 *p7 = NULL;
const unsigned char *p = pkcs7;
#endif /* OPENSSL_IS_BORINGSSL */
STACK_OF(X509) *certs;
int i, num, ret = -1;
BIO *out = NULL;
#ifdef OPENSSL_IS_BORINGSSL
certs = sk_X509_new_null();
if (!certs)
goto fail;
CBS_init(&pkcs7_cbs, pkcs7, len);
if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
ERR_error_string(ERR_get_error(), NULL));
write_result(ctx, "Could not parse PKCS#7 object from EST");
goto fail;
}
#else /* OPENSSL_IS_BORINGSSL */
p7 = d2i_PKCS7(NULL, &p, len);
if (p7 == NULL) {
wpa_printf(MSG_INFO, "Could not parse PKCS#7 object: %s",
ERR_error_string(ERR_get_error(), NULL));
write_result(ctx, "Could not parse PKCS#7 object from EST");
goto fail;
}
switch (OBJ_obj2nid(p7->type)) {
case NID_pkcs7_signed:
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped:
certs = p7->d.signed_and_enveloped->cert;
break;
default:
certs = NULL;
break;
}
#endif /* OPENSSL_IS_BORINGSSL */
if (!certs || ((num = sk_X509_num(certs)) == 0)) {
wpa_printf(MSG_INFO, "No certificates found in PKCS#7 object");
write_result(ctx, "No certificates found in PKCS#7 object");
goto fail;
}
if (der_file) {
FILE *f = fopen(der_file, "wb");
if (f == NULL)
goto fail;
i2d_X509_fp(f, sk_X509_value(certs, 0));
fclose(f);
}
if (pem_file) {
out = BIO_new(BIO_s_file());
if (out == NULL ||
BIO_write_filename(out, pem_file) <= 0)
goto fail;
for (i = 0; i < num; i++) {
X509 *cert = sk_X509_value(certs, i);
X509_print(out, cert);
PEM_write_bio_X509(out, cert);
BIO_puts(out, "\n");
}
}
ret = 0;
fail:
#ifdef OPENSSL_IS_BORINGSSL
if (certs)
sk_X509_pop_free(certs, X509_free);
#else /* OPENSSL_IS_BORINGSSL */
PKCS7_free(p7);
#endif /* OPENSSL_IS_BORINGSSL */
if (out)
BIO_free_all(out);
return ret;
}
/*
ToDo: Create Access to OpenSSL certificate store
=> Only API to In-Memory-Store is available for version 0.9.8x
=> Wait until Directory- and/or File-Store is available
*/
OpcUa_StatusCode OpcUa_P_OpenSSL_PKI_SaveCertificate(
OpcUa_PKIProvider* a_pProvider,
OpcUa_ByteString* a_pCertificate,
OpcUa_Void* a_pCertificateStore,
OpcUa_Void* a_pSaveHandle) /* Index or number within store/destination filepath */
{
X509* pX509Certificate = OpcUa_Null;
FILE* pCertificateFile = OpcUa_Null;
const unsigned char* p;
OpcUa_UInt32 i;
OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "PKI_SaveCertificate");
OpcUa_ReturnErrorIfArgumentNull(a_pProvider);
OpcUa_ReturnErrorIfArgumentNull(a_pProvider->Handle);
OpcUa_ReturnErrorIfArgumentNull(a_pCertificate);
OpcUa_ReturnErrorIfArgumentNull(a_pCertificateStore);
OpcUa_ReturnErrorIfArgumentNull(a_pSaveHandle);
/* save DER certificate */
pCertificateFile = fopen((const char*)a_pSaveHandle, "w");
/* check for valid file handle */
OpcUa_GotoErrorIfTrue((pCertificateFile == OpcUa_Null), OpcUa_BadInvalidArgument);
/* convert openssl X509 certificate to DER encoded bytestring certificate */
p = a_pCertificate->Data;
while (p < a_pCertificate->Data + a_pCertificate->Length)
{
if(!(pX509Certificate = d2i_X509((X509**)OpcUa_Null, &p, a_pCertificate->Data + a_pCertificate->Length - p)))
{
fclose(pCertificateFile);
uStatus = OpcUa_Bad;
OpcUa_GotoErrorIfBad(uStatus);
}
i = i2d_X509_fp(pCertificateFile, pX509Certificate);
if(i < 1)
{
fclose(pCertificateFile);
uStatus = OpcUa_Bad;
OpcUa_GotoErrorIfBad(uStatus);
}
X509_free(pX509Certificate);
pX509Certificate = OpcUa_Null;
}
if(fclose(pCertificateFile) != 0)
{
uStatus = OpcUa_Bad;
OpcUa_GotoErrorIfBad(uStatus);
}
OpcUa_ReturnStatusCode;
OpcUa_BeginErrorHandling;
if (pX509Certificate != OpcUa_Null)
{
X509_free(pX509Certificate);
}
OpcUa_FinishErrorHandling;
}
LWS_VISIBLE LWS_EXTERN int
lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
const char *san_b)
{
GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();
GENERAL_NAME *gen = NULL;
ASN1_IA5STRING *ia5 = NULL;
X509_NAME *name;
if (!gens)
return 1;
vhost->tls.ss = lws_zalloc(sizeof(*vhost->tls.ss), "sni cert");
if (!vhost->tls.ss) {
GENERAL_NAMES_free(gens);
return 1;
}
vhost->tls.ss->x509 = X509_new();
if (!vhost->tls.ss->x509)
goto bail;
ASN1_INTEGER_set(X509_get_serialNumber(vhost->tls.ss->x509), 1);
X509_gmtime_adj(X509_get_notBefore(vhost->tls.ss->x509), 0);
X509_gmtime_adj(X509_get_notAfter(vhost->tls.ss->x509), 3600);
vhost->tls.ss->pkey = EVP_PKEY_new();
if (!vhost->tls.ss->pkey)
goto bail0;
if (lws_tls_openssl_rsa_new_key(&vhost->tls.ss->rsa, 4096))
goto bail1;
if (!EVP_PKEY_assign_RSA(vhost->tls.ss->pkey, vhost->tls.ss->rsa))
goto bail2;
X509_set_pubkey(vhost->tls.ss->x509, vhost->tls.ss->pkey);
name = X509_get_subject_name(vhost->tls.ss->x509);
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
(unsigned char *)"GB", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
(unsigned char *)"somecompany", -1, -1, 0);
if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8,
(unsigned char *)"temp.acme.invalid",
-1, -1, 0) != 1) {
lwsl_notice("failed to add CN\n");
goto bail2;
}
X509_set_issuer_name(vhost->tls.ss->x509, name);
/* add the SAN payloads */
gen = GENERAL_NAME_new();
ia5 = ASN1_IA5STRING_new();
if (!ASN1_STRING_set(ia5, san_a, -1)) {
lwsl_notice("failed to set ia5\n");
GENERAL_NAME_free(gen);
goto bail2;
}
GENERAL_NAME_set0_value(gen, GEN_DNS, ia5);
sk_GENERAL_NAME_push(gens, gen);
if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name,
gens, 0, X509V3_ADD_APPEND) != 1)
goto bail2;
GENERAL_NAMES_free(gens);
if (san_b && san_b[0]) {
gens = sk_GENERAL_NAME_new_null();
gen = GENERAL_NAME_new();
ia5 = ASN1_IA5STRING_new();
if (!ASN1_STRING_set(ia5, san_a, -1)) {
lwsl_notice("failed to set ia5\n");
GENERAL_NAME_free(gen);
goto bail2;
}
GENERAL_NAME_set0_value(gen, GEN_DNS, ia5);
sk_GENERAL_NAME_push(gens, gen);
if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name,
gens, 0, X509V3_ADD_APPEND) != 1)
goto bail2;
GENERAL_NAMES_free(gens);
}
/* sign it with our private key */
if (!X509_sign(vhost->tls.ss->x509, vhost->tls.ss->pkey, EVP_sha256()))
goto bail2;
#if 0
{/* useful to take a sample of a working cert for mbedtls to crib */
FILE *fp = fopen("/tmp/acme-temp-cert", "w+");
i2d_X509_fp(fp, vhost->tls.ss->x509);
fclose(fp);
}
#endif
/* tell the vhost to use our crafted certificate */
SSL_CTX_use_certificate(vhost->tls.ssl_ctx, vhost->tls.ss->x509);
/* and to use our generated private key */
SSL_CTX_use_PrivateKey(vhost->tls.ssl_ctx, vhost->tls.ss->pkey);
return 0;
bail2:
RSA_free(vhost->tls.ss->rsa);
bail1:
EVP_PKEY_free(vhost->tls.ss->pkey);
bail0:
X509_free(vhost->tls.ss->x509);
bail:
lws_free(vhost->tls.ss);
GENERAL_NAMES_free(gens);
return 1;
}
/* Creates an X509 certificate from a certificate request. */
EXPORT int IssueUserCertificate(unsigned char *certbuf, int *certlen, unsigned char *reqbuf, int reqlen)
{
X509_REQ *req = NULL;
EVP_PKEY *cakey = NULL, *rakey = NULL, *usrkey = NULL;
X509 *cacert = NULL, *racert = NULL, *usrcert = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
unsigned char *p = NULL;
int ret = OPENSSLCA_NO_ERR, len;
if (certbuf == NULL || certlen == NULL || reqbuf == NULL || reqlen == 0)
return OPENSSLCA_ERR_ARGS;
/* Decode request */
if ((req = X509_REQ_new()) == NULL) {
ret = OPENSSLCA_ERR_REQ_NEW;
goto err;
}
p = reqbuf;
if (d2i_X509_REQ(&req, &p, reqlen) == NULL) {
ret = OPENSSLCA_ERR_REQ_DECODE;
goto err;
}
/* Get public key from request */
if ((usrkey = X509_REQ_get_pubkey(req)) == NULL) {
ret = OPENSSLCA_ERR_REQ_GET_PUBKEY;
goto err;
}
if (caIni.verifyRequests) {
/* Get RA's public key */
/* TODO: Validate RA certificate */
ret = read_cert(&racert, CA_PATH(caIni.raCertFile));
if (ret != OPENSSLCA_NO_ERR)
goto err;
if ((rakey = X509_get_pubkey(racert)) == NULL) {
ret = OPENSSLCA_ERR_CERT_GET_PUBKEY;
goto err;
}
/* Verify signature on request */
if (X509_REQ_verify(req, rakey) != 1) {
ret = OPENSSLCA_ERR_REQ_VERIFY;
goto err;
}
}
/* Get CA certificate */
/* TODO: Validate CA certificate */
ret = read_cert(&cacert, CA_PATH(caIni.caCertFile));
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Get CA private key */
ret = read_key(&cakey, CA_PATH(caIni.caKeyFile), caIni.caKeyPasswd);
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Create user certificate */
if ((usrcert = X509_new()) == NULL)
return OPENSSLCA_ERR_CERT_NEW;
/* Set version and serial number for certificate */
if (X509_set_version(usrcert, 2) != 1) { /* V3 */
ret = OPENSSLCA_ERR_CERT_SET_VERSION;
goto err;
}
if (ASN1_INTEGER_set(X509_get_serialNumber(usrcert), get_serial()) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_SERIAL;
goto err;
}
/* Set duration for certificate */
if (X509_gmtime_adj(X509_get_notBefore(usrcert), 0) == NULL) {
ret = OPENSSLCA_ERR_CERT_SET_NOTBEFORE;
goto err;
}
if (X509_gmtime_adj(X509_get_notAfter(usrcert), EXPIRE_SECS(caIni.daysTillExpire)) == NULL) {
ret = OPENSSLCA_ERR_CERT_SET_NOTAFTER;
goto err;
}
/* Set public key */
if (X509_set_pubkey(usrcert, usrkey) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_PUBKEY;
goto err;
}
/* Set subject name */
subject = X509_REQ_get_subject_name(req);
if (subject == NULL) {
ret = OPENSSLCA_ERR_REQ_GET_SUBJECT;
goto err;
}
if (X509_set_subject_name(usrcert, subject) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_SUBJECT;
goto err;
}
/* Set issuer name */
issuer = X509_get_issuer_name(cacert);
if (issuer == NULL) {
ret = OPENSSLCA_ERR_CERT_GET_ISSUER;
goto err;
}
if (X509_set_issuer_name(usrcert, issuer) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_ISSUER;
goto err;
}
/* Add extensions */
ret = add_ext(cacert, usrcert);
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Sign user certificate with CA's private key */
if (!X509_sign(usrcert, cakey, EVP_sha1()))
return OPENSSLCA_ERR_CERT_SIGN;
if (caIni.verifyAfterSign) {
if (X509_verify(usrcert, cakey) != 1) {
ret = OPENSSLCA_ERR_CERT_VERIFY;
goto err;
}
}
#ifdef _DEBUG /* Output certificate in DER and PEM format */
{
FILE *fp = fopen(DBG_PATH("usrcert.der"), "wb");
if (fp != NULL) {
i2d_X509_fp(fp, usrcert);
fclose(fp);
}
fp = fopen(DBG_PATH("usrcert.pem"), "w");
if (fp != NULL) {
X509_print_fp(fp, usrcert);
PEM_write_X509(fp, usrcert);
fclose(fp);
}
}
#endif
/* Encode user certificate into DER format */
len = i2d_X509(usrcert, NULL);
if (len < 0) {
ret = OPENSSLCA_ERR_CERT_ENCODE;
goto err;
}
if (len > *certlen) {
ret = OPENSSLCA_ERR_BUF_TOO_SMALL;
goto err;
}
*certlen = len;
p = certbuf;
i2d_X509(usrcert, &p);
if (caIni.addToIndex)
add_to_index(usrcert);
if (caIni.addToNewCerts)
write_cert(usrcert);
err:
print_err("IssueUserCertificate()", ret);
/* Clean up */
if (cacert)
X509_free(cacert);
if (cakey)
EVP_PKEY_free(cakey);
if (racert)
X509_free(racert);
if (rakey)
EVP_PKEY_free(rakey);
if (req)
X509_REQ_free(req);
if (usrcert != NULL)
X509_free(usrcert);
if (usrkey)
EVP_PKEY_free(usrkey);
return ret;
}
