/*
* Given a X509_NAME object and a name identifier, set the corresponding
* attribute to the given string. Used by the setattr function.
*
* Arguments: name - The X509_NAME object
* nid - The name identifier
* value - The string to set
* Returns: 0 for success, -1 on failure
*/
static int
set_name_by_nid(X509_NAME *name, int nid, char *utf8string)
{
X509_NAME_ENTRY *ne;
int i, entry_count, temp_nid;
/* If there's an old entry for this NID, remove it */
entry_count = X509_NAME_entry_count(name);
for (i = 0; i < entry_count; i++)
{
ne = X509_NAME_get_entry(name, i);
temp_nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(ne));
if (temp_nid == nid)
{
ne = X509_NAME_delete_entry(name, i);
X509_NAME_ENTRY_free(ne);
break;
}
}
/* Add the new entry */
if (!X509_NAME_add_entry_by_NID(name, nid, MBSTRING_UTF8,
(unsigned char *)utf8string,
-1, -1, 0))
{
exception_from_error_queue(crypto_Error);
return -1;
}
return 0;
}
X509_NAME* cnhelper_create_dn(const qeo_platform_device_info *info)
{
X509_NAME* dn = NULL;
do {
dn = X509_NAME_new();
if (dn) {
char devicename[MAX_CN_LENGTH];
strncpy(devicename, info->userFriendlyName, sizeof(devicename));
if (devicename[sizeof(devicename)-1] != '\0'){
strncpy(&devicename[sizeof(devicename)-4], "...", 4);
qeo_log_w("Device name exceeds the maximal allowed length of <%d> characters, cutting it off to <%s>.", sizeof(devicename)-1, devicename);
}
//TODO: now only the friendly name is forwarded to the server, in the future this needs to be extended
if (!X509_NAME_add_entry_by_NID(dn, NID_commonName, MBSTRING_ASC, (unsigned char* ) devicename, -1, -1, 0)) {
X509_NAME_free(dn);
dn = NULL;
break;
}
}
qeo_log_d("created DN for device");
} while (0);
return dn;
}
static int set_cn(X509 *crt, ...)
{
int ret = 0;
X509_NAME *n = NULL;
va_list ap;
va_start(ap, crt);
n = X509_NAME_new();
if (n == NULL)
goto out;
while (1) {
int nid;
const char *name;
nid = va_arg(ap, int);
if (nid == 0)
break;
name = va_arg(ap, const char *);
if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC,
(unsigned char *)name, -1, -1, 1))
goto out;
}
if (!X509_set_subject_name(crt, n))
goto out;
ret = 1;
out:
X509_NAME_free(n);
va_end(ap);
return ret;
}
// Generate a self-signed certificate, with the public key from the
// given key pair. Caller is responsible for freeing the returned object.
static X509* MakeCertificate(EVP_PKEY* pkey, const char* common_name) {
LOG(LS_INFO) << "Making certificate for " << common_name;
X509* x509 = NULL;
BIGNUM* serial_number = NULL;
X509_NAME* name = NULL;
if ((x509=X509_new()) == NULL)
goto error;
if (!X509_set_pubkey(x509, pkey))
goto error;
// serial number
// temporary reference to serial number inside x509 struct
ASN1_INTEGER* asn1_serial_number;
if (!(serial_number = BN_new()) ||
!BN_pseudo_rand(serial_number, SERIAL_RAND_BITS, 0, 0) ||
!(asn1_serial_number = X509_get_serialNumber(x509)) ||
!BN_to_ASN1_INTEGER(serial_number, asn1_serial_number))
goto error;
if (!X509_set_version(x509, 0L)) // version 1
goto error;
// There are a lot of possible components for the name entries. In
// our P2P SSL mode however, the certificates are pre-exchanged
// (through the secure XMPP channel), and so the certificate
// identification is arbitrary. It can't be empty, so we set some
// arbitrary common_name. Note that this certificate goes out in
// clear during SSL negotiation, so there may be a privacy issue in
// putting anything recognizable here.
if (!(name = X509_NAME_new()) ||
!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_UTF8,
(unsigned char*)common_name, -1, -1, 0) ||
!X509_set_subject_name(x509, name) ||
!X509_set_issuer_name(x509, name))
goto error;
if (!X509_gmtime_adj(X509_get_notBefore(x509), 0) ||
!X509_gmtime_adj(X509_get_notAfter(x509), CERTIFICATE_LIFETIME))
goto error;
if (!X509_sign(x509, pkey, EVP_sha1()))
goto error;
BN_free(serial_number);
X509_NAME_free(name);
LOG(LS_INFO) << "Returning certificate";
return x509;
error:
BN_free(serial_number);
X509_NAME_free(name);
X509_free(x509);
return NULL;
}
/** Return a newly allocated X509 name with commonName <b>cname</b>. */
static X509_NAME *
tor_x509_name_new(const char *cname)
{
int nid;
X509_NAME *name;
if (!(name = X509_NAME_new()))
return NULL;
if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
(unsigned char*)cname, -1, -1, 0)))
goto error;
return name;
error:
X509_NAME_free(name);
return NULL;
}
static X509 *
gen_cert(EVP_PKEY* pkey, const char *common, int days) {
X509 *x509 = NULL;
BIGNUM *serial_number = NULL;
X509_NAME *name = NULL;
if ((x509 = X509_new()) == NULL)
return NULL;
if (!X509_set_pubkey(x509, pkey))
return NULL;
ASN1_INTEGER* asn1_serial_number;
if ((serial_number = BN_new()) == NULL ||
!BN_pseudo_rand(serial_number, 64, 0, 0) ||
(asn1_serial_number = X509_get_serialNumber(x509)) == NULL ||
!BN_to_ASN1_INTEGER(serial_number, asn1_serial_number))
goto cert_err;
if (!X509_set_version(x509, 0L)) // version 1
goto cert_err;
if ((name = X509_NAME_new()) == NULL ||
!X509_NAME_add_entry_by_NID(
name, NID_commonName, MBSTRING_UTF8,
(unsigned char*)common, -1, -1, 0) ||
!X509_set_subject_name(x509, name) ||
!X509_set_issuer_name(x509, name))
goto cert_err;
if (!X509_gmtime_adj(X509_get_notBefore(x509), 0) ||
!X509_gmtime_adj(X509_get_notAfter(x509), days * 24 * 3600))
goto cert_err;
if (!X509_sign(x509, pkey, EVP_sha1()))
goto cert_err;
if (0) {
cert_err:
X509_free(x509);
x509 = NULL;
}
BN_free(serial_number);
X509_NAME_free(name);
return x509;
}
static int openssl_xname_add_entry(lua_State*L)
{
X509_NAME* xn = CHECK_OBJECT(1, X509_NAME, "openssl.x509_name");
int nid = openssl_get_nid(L, 2);
size_t size;
const char*value = luaL_checklstring(L, 3, &size);
int utf8 = lua_isnoneornil(L, 4) ? 1 : lua_toboolean(L, 4);
int ret;
if (nid==NID_undef) {
lua_pushfstring(L, "(%s) is not a valid object identity", lua_tostring(L,2));
luaL_argerror(L, 2, lua_tostring(L, -1));
}
ret = X509_NAME_add_entry_by_NID(xn, nid, utf8 ? MBSTRING_UTF8 : MBSTRING_ASC, (unsigned char*)value, (int)size,-1, 0);
if (ret!=1)
{
luaL_error(L, "%s=%s can't add to X509 name", lua_tostring(L,2),value);
};
return openssl_pushresult(L, ret);
};
static X509 *
getcert(void)
{
/* Dummy code to make a quick-and-dirty valid certificate with
OpenSSL. Don't copy this code into your own program! It does a
number of things in a stupid and insecure way. */
X509 *x509 = NULL;
X509_NAME *name = NULL;
EVP_PKEY *key = getkey();
int nid;
time_t now = time(NULL);
tt_assert(key);
x509 = X509_new();
tt_assert(x509);
tt_assert(0 != X509_set_version(x509, 2));
tt_assert(0 != ASN1_INTEGER_set(X509_get_serialNumber(x509),
(long)now));
name = X509_NAME_new();
tt_assert(name);
nid = OBJ_txt2nid("commonName");
tt_assert(NID_undef != nid);
tt_assert(0 != X509_NAME_add_entry_by_NID(
name, nid, MBSTRING_ASC, (unsigned char*)"example.com",
-1, -1, 0));
X509_set_subject_name(x509, name);
X509_set_issuer_name(x509, name);
X509_time_adj(X509_get_notBefore(x509), 0, &now);
now += 3600;
X509_time_adj(X509_get_notAfter(x509), 0, &now);
X509_set_pubkey(x509, key);
tt_assert(0 != X509_sign(x509, key, EVP_sha1()));
return x509;
end:
X509_free(x509);
return NULL;
}
/** Return a newly allocated X509 name with commonName <b>cname</b>. */
static X509_NAME *
tor_x509_name_new(const char *cname)
{
int nid;
X509_NAME *name;
/* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
if (!(name = X509_NAME_new()))
return NULL;
if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
(unsigned char*)cname, -1, -1, 0)))
goto error;
/* LCOV_EXCL_BR_STOP */
return name;
/* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
error:
X509_NAME_free(name);
return NULL;
/* LCOV_EXCL_STOP */
}
static int openssl_new_xname(lua_State*L, X509_NAME* xname, int idx, int utf8)
{
int i, n;
luaL_checktable(L, idx);
luaL_argcheck(L, lua_istable(L, idx) && lua_rawlen(L, idx) > 0, idx,
"must be not empty table as array");
n = lua_rawlen(L, idx);
for (i = 0; i < n; i++)
{
lua_rawgeti(L, idx, i + 1);
lua_pushnil(L);
while (lua_next(L, -2) != 0)
{
size_t size;
const char *value;
int ret;
int nid = openssl_get_nid(L, -2);
value = luaL_checklstring(L, -1, &size);
if (nid == NID_undef)
{
lua_pushfstring(L, "node at %d which key (%s) is not a valid object identity",
i + 1, lua_tostring(L, -2));
luaL_argerror(L, idx, lua_tostring(L, -1));
}
ret = X509_NAME_add_entry_by_NID(xname, nid, utf8 ? MBSTRING_UTF8 : MBSTRING_ASC, (unsigned char*)value, (int)size, -1, 0);
if (ret != 1)
{
lua_pushfstring(L, "node at %d which %s=%s can't add to X509 name",
i + 1, lua_tostring(L, -2), value);
luaL_argerror(L, idx, lua_tostring(L, -1));
}
lua_pop(L, 1);
}
}
return 0;
}
static OCSP_BASICRESP *make_dummy_resp(void)
{
const unsigned char namestr[] = "openssl.example.com";
unsigned char keybytes[128] = {7};
OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
OCSP_BASICRESP *bs_out = NULL;
OCSP_CERTID *cid = NULL;
ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
X509_NAME *name = X509_NAME_new();
ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
ASN1_INTEGER *serial = ASN1_INTEGER_new();
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
namestr, -1, -1, 1)
|| !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
|| !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
goto err;
cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
if (!TEST_ptr(bs)
|| !TEST_ptr(thisupd)
|| !TEST_ptr(nextupd)
|| !TEST_ptr(cid)
|| !TEST_true(OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd)))
goto err;
bs_out = bs;
bs = NULL;
err:
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
ASN1_BIT_STRING_free(key);
ASN1_INTEGER_free(serial);
OCSP_CERTID_free(cid);
OCSP_BASICRESP_free(bs);
X509_NAME_free(name);
return bs_out;
}
CPK_MASTER_SECRET *CPK_MASTER_SECRET_create(const char *domain_id,
EVP_PKEY *pkey, X509_ALGOR *map_algor)
{
int e = 1;
CPK_MASTER_SECRET *master = NULL;
BIGNUM *bn = NULL, *order = NULL;
X509_PUBKEY *pubkey = NULL;
int pkey_type;
int i, bn_size, num_factors;
unsigned char *bn_ptr;
if (strlen(domain_id) <= 0 || strlen(domain_id) > CPK_MAX_ID_LENGTH) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_ID_LENGTH);
goto err;
}
pkey_type = EVP_PKEY_id(pkey);
if (pkey_type == EVP_PKEY_DSA) {
if (!(order = ((DSA *)EVP_PKEY_get0(pkey))->q)) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_BAD_ARGUMENT);
goto err;
}
} else if (pkey_type == EVP_PKEY_EC) {
const EC_GROUP *ec_group;
if (!(order = BN_new())) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
goto err;
}
ec_group = EC_KEY_get0_group((EC_KEY *)EVP_PKEY_get0(pkey));
if (!EC_GROUP_get_order(ec_group, order, NULL)) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
goto err;
}
//FIXME OPENSSL_assert
assert(EC_KEY_get0_public_key((EC_KEY *)EVP_PKEY_get0(pkey)) != NULL);
} else {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_PKEY_TYPE);
goto err;
}
if (!(master = CPK_MASTER_SECRET_new())) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
goto err;
}
master->version = 1;
if (!X509_NAME_add_entry_by_NID(master->id, NID_organizationName,
MBSTRING_UTF8, (unsigned char *)domain_id, -1, -1, 0)) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
goto err;
}
/*
* convert EVP_PKEY to X509_ALGOR through X509_PUBKEY_set
* X509_ALGOR_set0() is another choice but require more code
*/
// FIXME: X509_PUBKEY require pkey has a public key
if (!X509_PUBKEY_set(&pubkey, pkey)) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
goto err;
}
X509_ALGOR_free(master->pkey_algor);
if (!(master->pkey_algor = X509_ALGOR_dup(pubkey->algor))) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
goto err;
}
//FIXME: check the validity of CPK_MAP
X509_ALGOR_free(master->map_algor);
if (!(master->map_algor = X509_ALGOR_dup(map_algor))) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((num_factors = CPK_MAP_num_factors(map_algor)) <= 0) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_MAP_ALGOR);
goto err;
}
/*
* create secret factors, for both DSA and EC,
* the private keys are both big integers,
*/
bn_size = BN_num_bytes(order);
if (!ASN1_STRING_set(master->secret_factors, NULL, bn_size * num_factors)) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_ASN1_LIB);
goto err;
}
bn_ptr = M_ASN1_STRING_data(master->secret_factors);
memset(bn_ptr, 0, M_ASN1_STRING_length(master->secret_factors));
if (!(bn = BN_new())) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
goto err;
}
for (i = 0; i < num_factors; i++) {
do {
if (!BN_rand_range(bn, order)) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE,
ERR_R_RAND_LIB);
goto err;
}
} while (BN_is_zero(bn));
if (!BN_bn2bin(bn, bn_ptr + bn_size - BN_num_bytes(bn))) {
CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_BN_LIB);
goto err;
}
bn_ptr += bn_size;
}
e = 0;
err:
if (e && master) {
CPK_MASTER_SECRET_free(master);
master = NULL;
}
if (pubkey) X509_PUBKEY_free(pubkey);
if (order && pkey_type == EVP_PKEY_EC) BN_free(order);
if (bn) BN_free(bn);
return master;
}
static int cert_init() {
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
BIGNUM *exponent = NULL, *serial_number = NULL;
RSA *rsa = NULL;
ASN1_INTEGER *asn1_serial_number;
X509_NAME *name;
struct dtls_cert *new_cert;
ilog(LOG_INFO, "Generating new DTLS certificate");
/* objects */
pkey = EVP_PKEY_new();
exponent = BN_new();
rsa = RSA_new();
serial_number = BN_new();
name = X509_NAME_new();
x509 = X509_new();
if (!exponent || !pkey || !rsa || !serial_number || !name || !x509)
goto err;
/* key */
if (!BN_set_word(exponent, 0x10001))
goto err;
if (!RSA_generate_key_ex(rsa, 1024, exponent, NULL))
goto err;
if (!EVP_PKEY_assign_RSA(pkey, rsa))
goto err;
/* x509 cert */
if (!X509_set_pubkey(x509, pkey))
goto err;
/* serial */
if (!BN_pseudo_rand(serial_number, 64, 0, 0))
goto err;
asn1_serial_number = X509_get_serialNumber(x509);
if (!asn1_serial_number)
goto err;
if (!BN_to_ASN1_INTEGER(serial_number, asn1_serial_number))
goto err;
/* version 1 */
if (!X509_set_version(x509, 0L))
goto err;
/* common name */
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_UTF8,
(unsigned char *) "rtpengine", -1, -1, 0))
goto err;
if (!X509_set_subject_name(x509, name))
goto err;
if (!X509_set_issuer_name(x509, name))
goto err;
/* cert lifetime */
if (!X509_gmtime_adj(X509_get_notBefore(x509), -60*60*24))
goto err;
if (!X509_gmtime_adj(X509_get_notAfter(x509), CERT_EXPIRY_TIME))
goto err;
/* sign it */
if (!X509_sign(x509, pkey, EVP_sha1()))
goto err;
/* digest */
new_cert = obj_alloc0("dtls_cert", sizeof(*new_cert), cert_free);
new_cert->fingerprint.hash_func = &hash_funcs[0];
dtls_fingerprint_hash(&new_cert->fingerprint, x509);
new_cert->x509 = x509;
new_cert->pkey = pkey;
new_cert->expires = time(NULL) + CERT_EXPIRY_TIME;
dump_cert(new_cert);
/* swap out certs */
rwlock_lock_w(&__dtls_cert_lock);
if (__dtls_cert)
obj_put(__dtls_cert);
__dtls_cert = new_cert;
rwlock_unlock_w(&__dtls_cert_lock);
/* cleanup */
BN_free(exponent);
BN_free(serial_number);
X509_NAME_free(name);
return 0;
err:
ilog(LOG_ERROR, "Failed to generate DTLS certificate");
if (pkey)
EVP_PKEY_free(pkey);
if (exponent)
BN_free(exponent);
if (rsa)
RSA_free(rsa);
if (x509)
X509_free(x509);
if (serial_number)
BN_free(serial_number);
return -1;
}
wi_x509_t * wi_x509_init_with_common_name(wi_x509_t *x509, wi_rsa_t *rsa, wi_string_t *common_name) {
X509_REQ *req;
EVP_PKEY *pkey = NULL;
X509_NAME *name = NULL;
BIGNUM *bn = NULL;
req = X509_REQ_new();
if(!req)
goto err;
if(X509_REQ_set_version(req, 0) != 1)
goto err;
name = X509_NAME_new();
if(X509_NAME_add_entry_by_NID(name,
NID_commonName,
MBSTRING_ASC,
(unsigned char *) wi_string_cstring(common_name),
-1,
-1,
0) != 1)
goto err;
if(X509_REQ_set_subject_name(req, name) != 1)
goto err;
pkey = EVP_PKEY_new();
EVP_PKEY_set1_RSA(pkey, wi_rsa_rsa(rsa));
if(X509_REQ_set_pubkey(req, pkey) != 1)
goto err;
x509->x509 = X509_new();
if(!x509->x509)
goto err;
bn = BN_new();
if(!bn)
goto err;
if(BN_pseudo_rand(bn, 64, 0, 0) != 1)
goto err;
if(!BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(x509->x509)))
goto err;
if(X509_set_issuer_name(x509->x509, X509_REQ_get_subject_name(req)) != 1)
goto err;
if(!X509_gmtime_adj(X509_get_notBefore(x509->x509), 0))
goto err;
if(!X509_gmtime_adj(X509_get_notAfter(x509->x509), 3600 * 24 * 365))
goto err;
if(X509_set_subject_name(x509->x509, X509_REQ_get_subject_name(req)) != 1)
goto end;
if(X509_set_pubkey(x509->x509, pkey) != 1)
goto err;
if(X509_sign(x509->x509, pkey, EVP_sha1()) == 0)
goto err;
goto end;
err:
wi_error_set_openssl_error();
wi_release(x509);
x509 = NULL;
end:
if(req)
X509_REQ_free(req);
if(pkey)
EVP_PKEY_free(pkey);
if(name)
X509_NAME_free(name);
if(bn)
BN_free(bn);
return x509;
}
void openssl_x509_crl()
{
RSA *r;
BIO *bp;
int len;
FILE *fp;
BIGNUM *bne;
X509_CRL *crl;
EVP_PKEY *pkey;
X509_NAME *issuer;
ASN1_INTEGER *serial;
X509_REVOKED *revoked;
ASN1_TIME *lastUpdate, *nextUpdate, *rvTime;
unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert";
printf("\nX509_CRL info:\n");
bne = BN_new();
BN_set_word(bne, RSA_3);
r = RSA_new();
RSA_generate_key_ex(r, MAX1_LEN, bne, NULL);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, r);
crl = X509_CRL_new();
X509_CRL_set_version(crl, 3);
issuer = X509_NAME_new();
X509_NAME_add_entry_by_NID(issuer, NID_commonName,
V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0);
X509_CRL_set_issuer_name(crl, issuer);
lastUpdate = ASN1_TIME_new();
ASN1_TIME_set(lastUpdate, time(NULL));
X509_CRL_set_lastUpdate(crl, lastUpdate);
nextUpdate = ASN1_TIME_new();
ASN1_TIME_set(nextUpdate, time(NULL) + 1280);
X509_CRL_set_nextUpdate(crl, nextUpdate);
revoked = X509_REVOKED_new();
serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(serial, 1280);
X509_REVOKED_set_serialNumber(revoked, serial);
rvTime = ASN1_TIME_new();
ASN1_TIME_set(rvTime, time(NULL) + 2000);
X509_CRL_set_nextUpdate(crl, rvTime);
X509_REVOKED_set_revocationDate(revoked, rvTime);
X509_CRL_add0_revoked(crl, revoked);
X509_CRL_sort(crl);
X509_CRL_sign(crl, pkey, EVP_md5());
bp = BIO_new(BIO_s_file());
BIO_set_fp(bp, stdout, BIO_NOCLOSE);
X509_CRL_print(bp, crl);
len = i2d_X509_CRL(crl, NULL);
buf = (unsigned char *)malloc(len + 10);
p = buf;
len = i2d_X509_CRL(crl, &p);
fp = fopen("/tmp/crl.crl", "wb");
fwrite(buf, 1, len, fp);
fclose(fp);
free(buf);
BIO_free(bp);
X509_CRL_free(crl);
}
static inline int X509_NAME_add_entry_by_NID(X509_NAME *subj, int nid, std::string value)
{
return X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*) value.data(), -1, -1 , 0);
}
bool avjackif::async_register_new_user(std::string user_name, boost::asio::yield_context yield_context)
{
// 先发 client_hello
if( m_shared_key.empty())
async_client_hello(yield_context);
auto digest = EVP_sha1();
// 先生成 RSA 密钥
_rsa.reset(RSA_generate_key(2048, 65537, 0, 0), RSA_free);
// 然后生成 CSR
boost::shared_ptr<X509_REQ> csr(X509_REQ_new(), X509_REQ_free);
boost::shared_ptr<EVP_PKEY> pkey(EVP_PKEY_new(), EVP_PKEY_free);
EVP_PKEY_set1_RSA(pkey.get(), _rsa.get());
// 添加证书申请信息
auto subj =X509_REQ_get_subject_name(csr.get());
/* X509_NAME_add_entry_by_NID(subj, NID_countryName, "CN");
X509_NAME_add_entry_by_NID(subj, NID_stateOrProvinceName, "Shanghai");
X509_NAME_add_entry_by_NID(subj, NID_localityName, "Shanghai");
X509_NAME_add_entry_by_NID(subj, NID_organizationName, "avplayer");
X509_NAME_add_entry_by_NID(subj, NID_organizationalUnitName, "sales");
*/ X509_NAME_add_entry_by_NID(subj, NID_commonName, user_name);
// X509_NAME_add_entry_by_NID(subj, NID_pkcs9_emailAddress, "test-client");
X509_REQ_set_pubkey(csr.get(), pkey.get());
// 签出 CSR
X509_REQ_sign(csr.get(), pkey.get(), digest);
unsigned char * out = NULL;
auto csr_out_len = i2d_X509_REQ(csr.get(), &out);
std::string csrout((char*)out, csr_out_len);
OPENSSL_free(out);
out = NULL;
auto rsa_key_out_len = i2d_RSA_PUBKEY(_rsa.get(), &out);
std::string rsa_key((char*)out, rsa_key_out_len);
OPENSSL_free(out);
PEM_write_X509_REQ(stderr, csr.get());
// 然后发送 注册信息
proto::user_register user_register;
user_register.set_user_name(user_name);
user_register.set_rsa_pubkey(rsa_key);
user_register.set_csr(csrout);
boost::asio::async_write(*m_sock, boost::asio::buffer(av_router::encode(user_register)), yield_context);
// 读取应答
std::unique_ptr<proto::user_register_result> user_register_result((proto::user_register_result*)async_read_protobuf_message(*m_sock, yield_context));
return user_register_result->result() == proto::user_register_result::REGISTER_SUCCEED;
}
KSSLCertificate*
KSSLCertificateFactory::generateSelfSigned(KSSLKeyType /*keytype*/) {
#if 0
//#ifdef KSSL_HAVE_SSL
X509_NAME *x509name = X509_NAME_new();
X509 *x509;
ASN1_UTCTIME *beforeafter;
KSSLCertificate *newcert;
int rc;
// FIXME: generate the private key
if (keytype == KEYTYPE_UNKNOWN || (key=EVP_PKEY_new()) == NULL) {
X509_NAME_free(x509name);
return NULL;
}
switch(keytype) {
case KEYTYPE_RSA:
if (!EVP_PKEY_assign_RSA(key, RSA_generate_key(newkey,0x10001,
req_cb,bio_err))) {
}
break;
case KEYTYPE_DSA:
if (!DSA_generate_key(dsa_params)) goto end;
if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end;
dsa_params=NULL;
if (pkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
break;
}
// FIXME: dn doesn't exist
// FIXME: allow the notAfter value to be parameterized
// FIXME: allow a password to lock the key with
// Fill in the certificate
X509_NAME_add_entry_by_NID(x509name, OBJ_txt2nid("CN"), 0x1001,
(unsigned char *) dn, -1, -1, 0);
x509 = X509_new();
rc = X509_set_issuer_name(x509, x509name);
if (rc != 0) {
X509_free(x509);
X509_NAME_free(x509name);
return NULL;
}
rc = X509_set_subject_name(x509, x509name);
if (rc != 0) {
X509_free(x509);
X509_NAME_free(x509name);
return NULL;
}
ASN1_INTEGER_set(X509_get_serialNumber(*x509), 0);
X509_NAME_free(x509name);
// Make it a 1 year certificate
beforeafter = ASN1_UTCTIME_new();
if (!X509_gmtime_adj(beforeafter, -60*60*24)) { // yesterday
X509_free(x509);
return NULL;
}
if (!X509_set_notBefore(x509, beforeafter)) {
X509_free(x509);
return NULL;
}
if (!X509_gmtime_adj(beforeafter, 60*60*24*364)) { // a year from yesterday
X509_free(x509);
return NULL;
}
if (!X509_set_notAfter(x509, beforeafter)) {
X509_free(x509);
return NULL;
}
ASN1_UTCTIME_free(beforeafter);
if (!X509_set_pubkey(x509, key)) {
X509_free(x509);
return NULL;
}
rc = X509_sign(x509, key, EVP_sha1());
if (rc != 0) {
X509_free(x509);
return NULL;
}
newCert = new KSSLCertificate;
newCert->setCert(x509);
return newCert;
#else
return NULL;
#endif
}
CertificateRequestSPKAC* CertificateRequestFactory::fromSPKAC(std::string &path)
throw (EncodeException, RandomException, NetscapeSPKIException)
{
STACK_OF(CONF_VALUE) *sk=NULL;
LHASH_OF(CONF_VALUE) *parms=NULL;
X509_REQ *req=NULL;
CONF_VALUE *cv=NULL;
NETSCAPE_SPKI *spki = NULL;
X509_REQ_INFO *ri;
char *type,*buf;
EVP_PKEY *pktmp=NULL;
X509_NAME *n=NULL;
unsigned long chtype = MBSTRING_ASC;
int i;
long errline;
int nid;
CertificateRequestSPKAC* ret=NULL;
/*
* Load input file into a hash table. (This is just an easy
* way to read and parse the file, then put it into a convenient
* STACK format).
*/
parms=CONF_load(NULL,path.c_str(),&errline);
if (parms == NULL)
{
throw EncodeException(EncodeException::BUFFER_READING, "CertificateRequestFactory::fromSPKAC");
}
sk=CONF_get_section(parms, "default");
if (sk_CONF_VALUE_num(sk) == 0)
{
if (parms != NULL) CONF_free(parms);
throw EncodeException(EncodeException::BUFFER_READING, "CertificateRequestFactory::fromSPKAC");
}
/*
* Now create a dummy X509 request structure. We don't actually
* have an X509 request, but we have many of the components
* (a public key, various DN components). The idea is that we
* put these components into the right X509 request structure
* and we can use the same code as if you had a real X509 request.
*/
req=X509_REQ_new();
if (req == NULL)
{
if (parms != NULL) CONF_free(parms);
throw RandomException(RandomException::INTERNAL_ERROR, "CertificateRequestFactory::fromSPKAC");
}
/*
* Build up the subject name set.
*/
ri=req->req_info;
n = ri->subject;
for (i = 0; ; i++)
{
if (sk_CONF_VALUE_num(sk) <= i) break;
cv=sk_CONF_VALUE_value(sk,i);
type=cv->name;
/* Skip past any leading X. X: X, etc to allow for
* multiple instances
*/
for (buf = cv->name; *buf ; buf++)
if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
{
buf++;
if (*buf) type = buf;
break;
}
buf=cv->value;
if ((nid=OBJ_txt2nid(type)) == NID_undef)
{
if (strcmp(type, "SPKAC") == 0)
{
spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
if (spki == NULL)
{
if (parms != NULL) CONF_free(parms);
throw EncodeException(EncodeException::BASE64_DECODE, "CertificateRequestFactory::fromSPKAC");
}
}
continue;
}
if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char *)buf, -1, -1, 0))
{
if (parms != NULL) CONF_free(parms);
if (spki != NULL) NETSCAPE_SPKI_free(spki);
throw RandomException(RandomException::INTERNAL_ERROR, "CertificateRequestFactory::fromSPKAC");
}
}
if (spki == NULL)
{
if (parms != NULL) CONF_free(parms);
throw NetscapeSPKIException(NetscapeSPKIException::SET_NO_VALUE, "CertificateRequestFactory::fromSPKAC");
}
/*
* Now extract the key from the SPKI structure.
*/
if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
{
if (parms != NULL) CONF_free(parms);
if (spki != NULL) NETSCAPE_SPKI_free(spki);
throw NetscapeSPKIException(NetscapeSPKIException::SET_NO_VALUE, "CertificateRequestFactory::fromSPKAC");
}
X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp);
ret = new CertificateRequestSPKAC(req, spki);
return ret;
}
