static int set_altname(X509 *crt, ...)
{
int ret = 0;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gen = NULL;
ASN1_IA5STRING *ia5 = NULL;
va_list ap;
va_start(ap, crt);
gens = sk_GENERAL_NAME_new_null();
if (gens == NULL)
goto out;
while (1) {
int type;
const char *name;
type = va_arg(ap, int);
if (type == 0)
break;
name = va_arg(ap, const char *);
gen = GENERAL_NAME_new();
if (gen == NULL)
goto out;
ia5 = ASN1_IA5STRING_new();
if (ia5 == NULL)
goto out;
if (!ASN1_STRING_set(ia5, name, -1))
goto out;
switch (type)
{
case GEN_EMAIL:
case GEN_DNS:
GENERAL_NAME_set0_value(gen, type, ia5);
ia5 = NULL;
break;
default:
abort();
}
sk_GENERAL_NAME_push(gens, gen);
gen = NULL;
}
if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
goto out;
ret = 1;
out:
ASN1_IA5STRING_free(ia5);
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
va_end(ap);
return ret;
}
void *targets_s2i(UNUSED(struct v3_ext_method *method), UNUSED(struct v3_ext_ctx *ctx), char *data)
{
char *pos;
char *list = strdup(data);
char *back = list;
AC_TARGETS *a = AC_TARGETS_new();
int attlist;
do {
pos = strchr(list, ',');
if (pos)
*pos = '\0';
{
GENERAL_NAME *g = GENERAL_NAME_new();
ASN1_IA5STRING *tmpr = ASN1_IA5STRING_new();
AC_TARGET *targ = AC_TARGET_new();
if (!g || !tmpr || !targ) {
GENERAL_NAME_free(g);
ASN1_IA5STRING_free(tmpr);
AC_TARGET_free(targ);
goto err;
}
ASN1_STRING_set(tmpr, list, strlen(list));
g->type = GEN_URI;
g->d.ia5 = tmpr;
targ->name = g;
sk_AC_TARGET_push(a->targets, targ);
attlist++;
}
if (pos)
list = ++pos;
} while (pos);
free(back);
return a;
err:
free(back);
AC_TARGETS_free(a);
return NULL;
}
static ASN1_IA5STRING *
s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
{
ASN1_IA5STRING *ia5;
if (!str) {
X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
return NULL;
}
if (!(ia5 = ASN1_IA5STRING_new()))
goto err;
if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
strlen(str))) {
ASN1_IA5STRING_free(ia5);
goto err;
}
return ia5;
err:
X509V3error(ERR_R_MALLOC_FAILURE);
return NULL;
}
ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, char *str)
{
ASN1_IA5STRING *ia5;
if (!str) {
X509V3err(X509V3_F_S2I_ASN1_IA5STRING,
X509V3_R_INVALID_NULL_ARGUMENT);
return NULL;
}
if ((ia5 = ASN1_IA5STRING_new()) == NULL)
goto err;
if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char *)str,
strlen(str))) {
ASN1_IA5STRING_free(ia5);
goto err;
}
#ifdef CHARSET_EBCDIC
ebcdic2ascii(ia5->data, ia5->data, ia5->length);
#endif /* CHARSET_EBCDIC */
return ia5;
err:
X509V3err(X509V3_F_S2I_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
return NULL;
}
LWS_VISIBLE LWS_EXTERN int
lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
const char *san_b)
{
GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();
GENERAL_NAME *gen = NULL;
ASN1_IA5STRING *ia5 = NULL;
X509_NAME *name;
if (!gens)
return 1;
vhost->tls.ss = lws_zalloc(sizeof(*vhost->tls.ss), "sni cert");
if (!vhost->tls.ss) {
GENERAL_NAMES_free(gens);
return 1;
}
vhost->tls.ss->x509 = X509_new();
if (!vhost->tls.ss->x509)
goto bail;
ASN1_INTEGER_set(X509_get_serialNumber(vhost->tls.ss->x509), 1);
X509_gmtime_adj(X509_get_notBefore(vhost->tls.ss->x509), 0);
X509_gmtime_adj(X509_get_notAfter(vhost->tls.ss->x509), 3600);
vhost->tls.ss->pkey = EVP_PKEY_new();
if (!vhost->tls.ss->pkey)
goto bail0;
if (lws_tls_openssl_rsa_new_key(&vhost->tls.ss->rsa, 4096))
goto bail1;
if (!EVP_PKEY_assign_RSA(vhost->tls.ss->pkey, vhost->tls.ss->rsa))
goto bail2;
X509_set_pubkey(vhost->tls.ss->x509, vhost->tls.ss->pkey);
name = X509_get_subject_name(vhost->tls.ss->x509);
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
(unsigned char *)"GB", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
(unsigned char *)"somecompany", -1, -1, 0);
if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8,
(unsigned char *)"temp.acme.invalid",
-1, -1, 0) != 1) {
lwsl_notice("failed to add CN\n");
goto bail2;
}
X509_set_issuer_name(vhost->tls.ss->x509, name);
/* add the SAN payloads */
gen = GENERAL_NAME_new();
ia5 = ASN1_IA5STRING_new();
if (!ASN1_STRING_set(ia5, san_a, -1)) {
lwsl_notice("failed to set ia5\n");
GENERAL_NAME_free(gen);
goto bail2;
}
GENERAL_NAME_set0_value(gen, GEN_DNS, ia5);
sk_GENERAL_NAME_push(gens, gen);
if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name,
gens, 0, X509V3_ADD_APPEND) != 1)
goto bail2;
GENERAL_NAMES_free(gens);
if (san_b && san_b[0]) {
gens = sk_GENERAL_NAME_new_null();
gen = GENERAL_NAME_new();
ia5 = ASN1_IA5STRING_new();
if (!ASN1_STRING_set(ia5, san_a, -1)) {
lwsl_notice("failed to set ia5\n");
GENERAL_NAME_free(gen);
goto bail2;
}
GENERAL_NAME_set0_value(gen, GEN_DNS, ia5);
sk_GENERAL_NAME_push(gens, gen);
if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name,
gens, 0, X509V3_ADD_APPEND) != 1)
goto bail2;
GENERAL_NAMES_free(gens);
}
/* sign it with our private key */
if (!X509_sign(vhost->tls.ss->x509, vhost->tls.ss->pkey, EVP_sha256()))
goto bail2;
#if 0
{/* useful to take a sample of a working cert for mbedtls to crib */
FILE *fp = fopen("/tmp/acme-temp-cert", "w+");
i2d_X509_fp(fp, vhost->tls.ss->x509);
fclose(fp);
}
#endif
/* tell the vhost to use our crafted certificate */
SSL_CTX_use_certificate(vhost->tls.ssl_ctx, vhost->tls.ss->x509);
/* and to use our generated private key */
SSL_CTX_use_PrivateKey(vhost->tls.ssl_ctx, vhost->tls.ss->pkey);
return 0;
bail2:
RSA_free(vhost->tls.ss->rsa);
bail1:
EVP_PKEY_free(vhost->tls.ss->pkey);
bail0:
X509_free(vhost->tls.ss->x509);
bail:
lws_free(vhost->tls.ss);
GENERAL_NAMES_free(gens);
return 1;
}