Exemple #1
0
APL_Certif *APL_Certifs::findIssuer(const CByteArray *data)
{
	if(!data)
		return NULL;

	APL_Certif *issuer=NULL;

	//First we look in the already loaded
	std::map<unsigned long ,APL_Certif *>::const_iterator itr;
	for(itr=m_certifs.begin();itr!=m_certifs.end();itr++)
	{
		issuer=itr->second;
		if(m_cryptoFwk->isIssuer(*data,issuer->getData()))
			return issuer;
	}

	//Check in the hard coded store
	const unsigned char *const *pucIssuer;
	int i;

	//we look in the hard coded root array
	for(pucIssuer=_beid_root_certs,i=0;*pucIssuer!=NULL;pucIssuer++,i++)
	{
		CByteArray issuer_data(*pucIssuer,_beid_root_certs_size[i]);

		if(m_cryptoFwk->isIssuer(*data,issuer_data))
		{
			APL_Certif *issuer = addCert(issuer_data,APL_CERTIF_TYPE_ROOT,true);
			return issuer;
		}
	}

	//we look in the hard coded issuer array
	for(pucIssuer=_beid_issuer_certs,i=0;*pucIssuer!=NULL;pucIssuer++,i++)
	{
		CByteArray issuer_data(*pucIssuer,_beid_issuer_certs_size[i]);

		if(m_cryptoFwk->isIssuer(*data,issuer_data))
		{
			APL_Certif *issuer = addCert(issuer_data,APL_CERTIF_TYPE_CA,true);
			return issuer;
		}
	}


	//we look in the hard coded rrnca array
	for(pucIssuer=_beid_rrnca_certs,i=0;*pucIssuer!=NULL;pucIssuer++,i++)
	{
		CByteArray issuer_data(*pucIssuer,_beid_rrnca_certs_size[i]);

		if(m_cryptoFwk->isIssuer(*data,issuer_data))
		{
			APL_Certif *issuer = addCert(issuer_data,APL_CERTIF_TYPE_CA,true);
			return issuer;
		}
	}
	return NULL;
}
Exemple #2
0
int processCommand(char* str, SSL* ssl )
{

 char *cmd[10];
 int i = 0;
 char stcpy[5];


  cmd[i] =strtok(str," ");
  while (cmd[i] != NULL && i <10)
 {
   cmd[++i] =strtok(NULL, " ");
 }

    if (strcmp(cmd[0], "-a")== 0){
    printf("Server: Client would like to add %s file to the server.. : \n", cmd[1]);
    addFile(cmd[1] , ssl);
    }
                                          
    else if (strcmp(cmd[0], "-f")== 0){
    printf("Server: Client would like to fetch %s file from the server.. : \n", cmd[1]);
    if( sendFile(cmd[1] ,ssl) == -1 )
    printf("Server: Send Failed");
    }
    else if (strcmp(cmd[0], "-u")== 0){
    printf("Client would like to upload a certificate. : \n");
           addCert(cmd[1],ssl);                           }

    else if (strcmp(cmd[0], "-v")== 0){
    printf("Client would like to Vouch for  file: %s on the server.. : \n", cmd[1]);
    //vouchforfile(FileName, certificate);
    }

    else if (strcmp(cmd[0], "-h")== 0){
    printf("HostName: PortNumber: %s \n", cmd[1]);
    }

    else if (strcmp(cmd[0], "-l")== 0){
    printf("List Files.. \n");
    listAll(ssl);
    }

    else {
    return -1;
    }

    //HANDLE EXIT COMMAND --No Longer Needed?
    strncpy(stcpy, str, 4);
    stcpy[4] = '\0' ;
    if (strcmp(stcpy, "exit")== 0)
    return 9;

return 0;

}
Exemple #3
0
int addClientCert (ovStruct_t *ovP, char* p) {
    ushort length = 0;
	uchar random[32];
    char cipher[3];
    int cipherLen;
    time_t curtime;
    int i, len;

    log_debug(fp, "OPENVPN SSL: Send Client Cert"); fflush(stdout);

    // Record Hdr (Type, Version, Length)
    p[0] = 0x16;
    // SSL 3.0 is 0x0300, TLS ver 1.0 = 3.1, TLS 1.2 is 3.3, 
    // SSL_VERSION used here is 3.1
    p[1] = SSL_VERSION_1;
    p[2] = SSL_VERSION_2;
    PUT_BE16(&p[3], 0); // **** fill in this later at this point
    // current length, used by sendData, and also in pkt
    length = RECORD_HDR_LEN;

    // Note that we have done 5 bytes by now, which should be substracted
    // from the pkt length for the RecordProtocol.

    p[5] = 11; // certificate
    length = length + 1;
    p[6] = 0;  // 3rd MSByte of the Length, usualy 0
    p[9] = 0;  // 3rd MSByte of the Length, usualy 0
    p[12] = 0;  // 3rd MSByte of the Length, usualy 0
    length = length + 9; // 2 cert lenths

    // Starting p[6,7,8], we have outer cert len
    // Starting p[9,10,11], we have inner cert len
    // Starting p[12,13,14], we have inner cert len
    printf("\nAdding certificate"); fflush(stdout);
	len = addCert(ovP, &p[15]);
	length += len; // Cert contents
    // length of Certificate pkt following length field = 1 byte
    PUT_BE16(&p[7], length-RECORD_HDR_LEN-4);
    PUT_BE16(&p[10], length-RECORD_HDR_LEN-7);
    PUT_BE16(&p[13], length-RECORD_HDR_LEN-10);
    // Finally fill in the length of Record headers
    PUT_BE16(&p[3], length-RECORD_HDR_LEN);
	return length;
}
Exemple #4
0
MainWindow::MainWindow(QWidget *parent) :
    QMainWindow(parent),
    ui(new Ui::MainWindow),
    ssl(new SSLHelper)
{
    setAcceptDrops(true);
    ui->setupUi(this);
    connect(ui->pushButton, SIGNAL( clicked() ), this, SLOT(startDiagnosis()));
    connect(ssl, SIGNAL(logging()), this, SLOT(addLog()));
    connect(ui->refreshButton, SIGNAL( clicked() ), this, SLOT(refreshCAs()));
    connect(ssl, SIGNAL(addCA(string,string)), this, SLOT(addToolboxItem(string,string)));
    connect(ui->dumpcertsButton, SIGNAL( clicked()), this, SLOT(dumpCerts()));
    connect(ui->clearlogButton, SIGNAL( clicked()), this, SLOT(clearLog()));
    refreshCAs();
    ui->toolBox->setAcceptDrops(true);
    connect(ui->toolBox, SIGNAL(dropCert(string)), this, SLOT(addCert(string)));
    connect(ssl, SIGNAL(verifiedStatus(bool)), this, SLOT(verified(bool)));
    connect(ui->sendLog, SIGNAL(clicked()), this, SLOT(emailLog()));
}
/*
 * CertBag parser
 */
void P12Coder::certBagParse(
	const NSS_P12_SafeBag &safeBag,
	SecNssCoder &localCdr)
{
	p12DecodeLog("found certBag");
	NSS_P12_CertBag *certBag = safeBag.bagValue.certBag;
	switch(certBag->type) {
		case CT_X509:
		case CT_SDSI:
			break;
		default:
			p12ErrorLog("certBagParse: unknown cert type\n");
			P12_THROW_DECODE;
	}
	P12CertBag *p12Bag = new P12CertBag(certBag->type, 
		certBag->certValue,
		safeBag.bagAttrs,
		mCoder);
	addCert(p12Bag);
}
std::shared_ptr<fizz::server::FizzServerContext> createFizzServerContext(
    folly::StringPiece pemCertPath,
    folly::StringPiece certData,
    folly::StringPiece pemKeyPath,
    folly::StringPiece keyData,
    folly::StringPiece pemCaPath,
    bool requireClientVerification,
    wangle::TLSTicketKeySeeds* ticketKeySeeds) {
  initSSL();
  auto certMgr = std::make_unique<fizz::server::CertManager>();
  try {
    auto selfCert =
        fizz::CertUtils::makeSelfCert(certData.str(), keyData.str());
    // add the default cert
    certMgr->addCert(std::move(selfCert), true);
  } catch (const std::exception& ex) {
    LOG_FAILURE(
        "SSLCert",
        failure::Category::kBadEnvironment,
        "Failed to create self cert from \"{}\" and \"{}\".  ex: {}",
        pemCertPath,
        pemKeyPath,
        ex.what());
    return nullptr;
  }

  auto ctx = std::make_shared<fizz::server::FizzServerContext>();
  ctx->setSupportedVersions({fizz::ProtocolVersion::tls_1_3});
  ctx->setSupportedPskModes(
      {fizz::PskKeyExchangeMode::psk_ke, fizz::PskKeyExchangeMode::psk_dhe_ke});
  ctx->setVersionFallbackEnabled(true);
  ctx->setCertManager(std::move(certMgr));
  if (!pemCaPath.empty()) {
    auto verifier = fizz::DefaultCertificateVerifier::createFromCAFile(
        fizz::VerificationContext::Server, pemCaPath.str());
    ctx->setClientCertVerifier(std::move(verifier));
    ctx->setClientAuthMode(fizz::server::ClientAuthMode::Optional);
  }
  if (requireClientVerification) {
    ctx->setClientAuthMode(fizz::server::ClientAuthMode::Required);
  }

  // set ticket seeds
  if (ticketKeySeeds) {
    std::vector<folly::ByteRange> ticketSecrets;
    for (const auto& secret : ticketKeySeeds->currentSeeds) {
      ticketSecrets.push_back(folly::StringPiece(secret));
    }
    for (const auto& secret : ticketKeySeeds->oldSeeds) {
      ticketSecrets.push_back(folly::StringPiece(secret));
    }
    for (const auto& secret : ticketKeySeeds->newSeeds) {
      ticketSecrets.push_back(folly::StringPiece(secret));
    }
    auto cipher = std::make_shared<fizz::server::AES128TicketCipher>();
    cipher->setTicketSecrets(std::move(ticketSecrets));
    cipher->setValidity(std::chrono::seconds(kSessionLifeTime));
    ctx->setTicketCipher(std::move(cipher));
  }
  // TODO: allow for custom FizzFactory
  return ctx;
}
void P12Coder::addSecCert(
	SecCertificateRef	certRef)
{
	/* get the cert's attrs and data */
	/* I don't know what the format field is for */
	SecKeychainAttributeInfo attrInfo;
	attrInfo.count = 2;
	UInt32 tags[2] = {kSecLabelItemAttr, kSecPublicKeyHashItemAttr};
	attrInfo.tag = tags;
	attrInfo.format = NULL;	// ???
	
	/* FIXME header says this is an IN/OUT param, but it's not */
	SecKeychainAttributeList *attrList = NULL;
	UInt32 certLen;
	void *certData;
	
	OSStatus ortn = SecKeychainItemCopyAttributesAndData(
		(SecKeychainItemRef)certRef, 
		&attrInfo,
		NULL,			// itemClass
		&attrList, 
		&certLen,	
		&certData);
	if(ortn) {
		p12ErrorLog("addSecCert: SecKeychainItemCopyAttributesAndData "
			"error\n");
		MacOSError::throwMe(ortn);		
	}
	
	/* Snag the attrs, convert to something useful */
	CFStringRef friendName = NULL;
	CFDataRef localKeyId = NULL;
	for(unsigned i=0; i<attrList->count; i++) {
		SecKeychainAttribute *attr = &attrList->attr[i];
		switch(attr->tag) {
			case kSecPublicKeyHashItemAttr:
				localKeyId = CFDataCreate(NULL, (UInt8 *)attr->data, attr->length);
				break;
			case kSecLabelItemAttr:
				/* FIXME: always in UTF8? */
				friendName = CFStringCreateWithBytes(NULL, 
					(UInt8 *)attr->data, attr->length, kCFStringEncodingUTF8,
					false);
				break;
			default:
				p12ErrorLog("addSecCert: unexpected attr tag\n");
				MacOSError::throwMe(errSecParam);		
			
		}
	}
	
	/* Cook up a cert bag and save it */
	CSSM_DATA cData = {certLen, (uint8 *)certData};
	P12CertBag *certBag = new P12CertBag(CT_X509, cData, friendName,
		localKeyId, NULL, mCoder);
	addCert(certBag);
	SecKeychainItemFreeAttributesAndData(attrList, certData);
	if(friendName) {
		CFRelease(friendName);
	}
	if(localKeyId) {
		CFRelease(localKeyId);
	}
}
        if(cert.isNull()) {
            EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert file %s is invalid, webhook installation failed...", qPrintable(pathCert))
        }
        if(cert.subjectInfo(QSslCertificate::CommonName).isEmpty()) {
            EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert don't contain a Common Name (CN), webhook installation failed...");
        }
    }

    // if no webserver exist, create it
    else {
        // create new http server and register it for auto scope deletion if an error occours
        httpServer = new HttpServer;
        QScopedPointer<HttpServer> scopedHttpServer(httpServer);

        // handle certificates
        cert = httpServer->addCert(pathCert);
        if(cert.isNull()) {
            EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert file %s is invalid, webhook installation failed...", qPrintable(pathCert))
        }
        if(cert.subjectInfo(QSslCertificate::CommonName).isEmpty()) {
            EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert don't contain a Common Name (CN), webhook installation failed...")
        }
        if(!httpServer->setPrivateKey(pathPrivateKey)) {
            EXIT_FAILED("TelegramBot::setHttpServerWebhook - Private Key file %s is invalid, webhook installation failed...", qPrintable(pathPrivateKey))
        }

        // permit only telegram connections
        httpServer->addWhiteListHostSubnet("149.154.164.0/22");

        // start listener
        if(!httpServer->listen(QHostAddress::Any, port)) {