APL_Certif *APL_Certifs::findIssuer(const CByteArray *data)
{
if(!data)
return NULL;
APL_Certif *issuer=NULL;
//First we look in the already loaded
std::map<unsigned long ,APL_Certif *>::const_iterator itr;
for(itr=m_certifs.begin();itr!=m_certifs.end();itr++)
{
issuer=itr->second;
if(m_cryptoFwk->isIssuer(*data,issuer->getData()))
return issuer;
}
//Check in the hard coded store
const unsigned char *const *pucIssuer;
int i;
//we look in the hard coded root array
for(pucIssuer=_beid_root_certs,i=0;*pucIssuer!=NULL;pucIssuer++,i++)
{
CByteArray issuer_data(*pucIssuer,_beid_root_certs_size[i]);
if(m_cryptoFwk->isIssuer(*data,issuer_data))
{
APL_Certif *issuer = addCert(issuer_data,APL_CERTIF_TYPE_ROOT,true);
return issuer;
}
}
//we look in the hard coded issuer array
for(pucIssuer=_beid_issuer_certs,i=0;*pucIssuer!=NULL;pucIssuer++,i++)
{
CByteArray issuer_data(*pucIssuer,_beid_issuer_certs_size[i]);
if(m_cryptoFwk->isIssuer(*data,issuer_data))
{
APL_Certif *issuer = addCert(issuer_data,APL_CERTIF_TYPE_CA,true);
return issuer;
}
}
//we look in the hard coded rrnca array
for(pucIssuer=_beid_rrnca_certs,i=0;*pucIssuer!=NULL;pucIssuer++,i++)
{
CByteArray issuer_data(*pucIssuer,_beid_rrnca_certs_size[i]);
if(m_cryptoFwk->isIssuer(*data,issuer_data))
{
APL_Certif *issuer = addCert(issuer_data,APL_CERTIF_TYPE_CA,true);
return issuer;
}
}
return NULL;
}
int processCommand(char* str, SSL* ssl )
{
char *cmd[10];
int i = 0;
char stcpy[5];
cmd[i] =strtok(str," ");
while (cmd[i] != NULL && i <10)
{
cmd[++i] =strtok(NULL, " ");
}
if (strcmp(cmd[0], "-a")== 0){
printf("Server: Client would like to add %s file to the server.. : \n", cmd[1]);
addFile(cmd[1] , ssl);
}
else if (strcmp(cmd[0], "-f")== 0){
printf("Server: Client would like to fetch %s file from the server.. : \n", cmd[1]);
if( sendFile(cmd[1] ,ssl) == -1 )
printf("Server: Send Failed");
}
else if (strcmp(cmd[0], "-u")== 0){
printf("Client would like to upload a certificate. : \n");
addCert(cmd[1],ssl); }
else if (strcmp(cmd[0], "-v")== 0){
printf("Client would like to Vouch for file: %s on the server.. : \n", cmd[1]);
//vouchforfile(FileName, certificate);
}
else if (strcmp(cmd[0], "-h")== 0){
printf("HostName: PortNumber: %s \n", cmd[1]);
}
else if (strcmp(cmd[0], "-l")== 0){
printf("List Files.. \n");
listAll(ssl);
}
else {
return -1;
}
//HANDLE EXIT COMMAND --No Longer Needed?
strncpy(stcpy, str, 4);
stcpy[4] = '\0' ;
if (strcmp(stcpy, "exit")== 0)
return 9;
return 0;
}
int addClientCert (ovStruct_t *ovP, char* p) {
ushort length = 0;
uchar random[32];
char cipher[3];
int cipherLen;
time_t curtime;
int i, len;
log_debug(fp, "OPENVPN SSL: Send Client Cert"); fflush(stdout);
// Record Hdr (Type, Version, Length)
p[0] = 0x16;
// SSL 3.0 is 0x0300, TLS ver 1.0 = 3.1, TLS 1.2 is 3.3,
// SSL_VERSION used here is 3.1
p[1] = SSL_VERSION_1;
p[2] = SSL_VERSION_2;
PUT_BE16(&p[3], 0); // **** fill in this later at this point
// current length, used by sendData, and also in pkt
length = RECORD_HDR_LEN;
// Note that we have done 5 bytes by now, which should be substracted
// from the pkt length for the RecordProtocol.
p[5] = 11; // certificate
length = length + 1;
p[6] = 0; // 3rd MSByte of the Length, usualy 0
p[9] = 0; // 3rd MSByte of the Length, usualy 0
p[12] = 0; // 3rd MSByte of the Length, usualy 0
length = length + 9; // 2 cert lenths
// Starting p[6,7,8], we have outer cert len
// Starting p[9,10,11], we have inner cert len
// Starting p[12,13,14], we have inner cert len
printf("\nAdding certificate"); fflush(stdout);
len = addCert(ovP, &p[15]);
length += len; // Cert contents
// length of Certificate pkt following length field = 1 byte
PUT_BE16(&p[7], length-RECORD_HDR_LEN-4);
PUT_BE16(&p[10], length-RECORD_HDR_LEN-7);
PUT_BE16(&p[13], length-RECORD_HDR_LEN-10);
// Finally fill in the length of Record headers
PUT_BE16(&p[3], length-RECORD_HDR_LEN);
return length;
}
MainWindow::MainWindow(QWidget *parent) :
QMainWindow(parent),
ui(new Ui::MainWindow),
ssl(new SSLHelper)
{
setAcceptDrops(true);
ui->setupUi(this);
connect(ui->pushButton, SIGNAL( clicked() ), this, SLOT(startDiagnosis()));
connect(ssl, SIGNAL(logging()), this, SLOT(addLog()));
connect(ui->refreshButton, SIGNAL( clicked() ), this, SLOT(refreshCAs()));
connect(ssl, SIGNAL(addCA(string,string)), this, SLOT(addToolboxItem(string,string)));
connect(ui->dumpcertsButton, SIGNAL( clicked()), this, SLOT(dumpCerts()));
connect(ui->clearlogButton, SIGNAL( clicked()), this, SLOT(clearLog()));
refreshCAs();
ui->toolBox->setAcceptDrops(true);
connect(ui->toolBox, SIGNAL(dropCert(string)), this, SLOT(addCert(string)));
connect(ssl, SIGNAL(verifiedStatus(bool)), this, SLOT(verified(bool)));
connect(ui->sendLog, SIGNAL(clicked()), this, SLOT(emailLog()));
}
/*
* CertBag parser
*/
void P12Coder::certBagParse(
const NSS_P12_SafeBag &safeBag,
SecNssCoder &localCdr)
{
p12DecodeLog("found certBag");
NSS_P12_CertBag *certBag = safeBag.bagValue.certBag;
switch(certBag->type) {
case CT_X509:
case CT_SDSI:
break;
default:
p12ErrorLog("certBagParse: unknown cert type\n");
P12_THROW_DECODE;
}
P12CertBag *p12Bag = new P12CertBag(certBag->type,
certBag->certValue,
safeBag.bagAttrs,
mCoder);
addCert(p12Bag);
}
std::shared_ptr<fizz::server::FizzServerContext> createFizzServerContext(
folly::StringPiece pemCertPath,
folly::StringPiece certData,
folly::StringPiece pemKeyPath,
folly::StringPiece keyData,
folly::StringPiece pemCaPath,
bool requireClientVerification,
wangle::TLSTicketKeySeeds* ticketKeySeeds) {
initSSL();
auto certMgr = std::make_unique<fizz::server::CertManager>();
try {
auto selfCert =
fizz::CertUtils::makeSelfCert(certData.str(), keyData.str());
// add the default cert
certMgr->addCert(std::move(selfCert), true);
} catch (const std::exception& ex) {
LOG_FAILURE(
"SSLCert",
failure::Category::kBadEnvironment,
"Failed to create self cert from \"{}\" and \"{}\". ex: {}",
pemCertPath,
pemKeyPath,
ex.what());
return nullptr;
}
auto ctx = std::make_shared<fizz::server::FizzServerContext>();
ctx->setSupportedVersions({fizz::ProtocolVersion::tls_1_3});
ctx->setSupportedPskModes(
{fizz::PskKeyExchangeMode::psk_ke, fizz::PskKeyExchangeMode::psk_dhe_ke});
ctx->setVersionFallbackEnabled(true);
ctx->setCertManager(std::move(certMgr));
if (!pemCaPath.empty()) {
auto verifier = fizz::DefaultCertificateVerifier::createFromCAFile(
fizz::VerificationContext::Server, pemCaPath.str());
ctx->setClientCertVerifier(std::move(verifier));
ctx->setClientAuthMode(fizz::server::ClientAuthMode::Optional);
}
if (requireClientVerification) {
ctx->setClientAuthMode(fizz::server::ClientAuthMode::Required);
}
// set ticket seeds
if (ticketKeySeeds) {
std::vector<folly::ByteRange> ticketSecrets;
for (const auto& secret : ticketKeySeeds->currentSeeds) {
ticketSecrets.push_back(folly::StringPiece(secret));
}
for (const auto& secret : ticketKeySeeds->oldSeeds) {
ticketSecrets.push_back(folly::StringPiece(secret));
}
for (const auto& secret : ticketKeySeeds->newSeeds) {
ticketSecrets.push_back(folly::StringPiece(secret));
}
auto cipher = std::make_shared<fizz::server::AES128TicketCipher>();
cipher->setTicketSecrets(std::move(ticketSecrets));
cipher->setValidity(std::chrono::seconds(kSessionLifeTime));
ctx->setTicketCipher(std::move(cipher));
}
// TODO: allow for custom FizzFactory
return ctx;
}
void P12Coder::addSecCert(
SecCertificateRef certRef)
{
/* get the cert's attrs and data */
/* I don't know what the format field is for */
SecKeychainAttributeInfo attrInfo;
attrInfo.count = 2;
UInt32 tags[2] = {kSecLabelItemAttr, kSecPublicKeyHashItemAttr};
attrInfo.tag = tags;
attrInfo.format = NULL; // ???
/* FIXME header says this is an IN/OUT param, but it's not */
SecKeychainAttributeList *attrList = NULL;
UInt32 certLen;
void *certData;
OSStatus ortn = SecKeychainItemCopyAttributesAndData(
(SecKeychainItemRef)certRef,
&attrInfo,
NULL, // itemClass
&attrList,
&certLen,
&certData);
if(ortn) {
p12ErrorLog("addSecCert: SecKeychainItemCopyAttributesAndData "
"error\n");
MacOSError::throwMe(ortn);
}
/* Snag the attrs, convert to something useful */
CFStringRef friendName = NULL;
CFDataRef localKeyId = NULL;
for(unsigned i=0; i<attrList->count; i++) {
SecKeychainAttribute *attr = &attrList->attr[i];
switch(attr->tag) {
case kSecPublicKeyHashItemAttr:
localKeyId = CFDataCreate(NULL, (UInt8 *)attr->data, attr->length);
break;
case kSecLabelItemAttr:
/* FIXME: always in UTF8? */
friendName = CFStringCreateWithBytes(NULL,
(UInt8 *)attr->data, attr->length, kCFStringEncodingUTF8,
false);
break;
default:
p12ErrorLog("addSecCert: unexpected attr tag\n");
MacOSError::throwMe(errSecParam);
}
}
/* Cook up a cert bag and save it */
CSSM_DATA cData = {certLen, (uint8 *)certData};
P12CertBag *certBag = new P12CertBag(CT_X509, cData, friendName,
localKeyId, NULL, mCoder);
addCert(certBag);
SecKeychainItemFreeAttributesAndData(attrList, certData);
if(friendName) {
CFRelease(friendName);
}
if(localKeyId) {
CFRelease(localKeyId);
}
}
if(cert.isNull()) {
EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert file %s is invalid, webhook installation failed...", qPrintable(pathCert))
}
if(cert.subjectInfo(QSslCertificate::CommonName).isEmpty()) {
EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert don't contain a Common Name (CN), webhook installation failed...");
}
}
// if no webserver exist, create it
else {
// create new http server and register it for auto scope deletion if an error occours
httpServer = new HttpServer;
QScopedPointer<HttpServer> scopedHttpServer(httpServer);
// handle certificates
cert = httpServer->addCert(pathCert);
if(cert.isNull()) {
EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert file %s is invalid, webhook installation failed...", qPrintable(pathCert))
}
if(cert.subjectInfo(QSslCertificate::CommonName).isEmpty()) {
EXIT_FAILED("TelegramBot::setHttpServerWebhook - Cert don't contain a Common Name (CN), webhook installation failed...")
}
if(!httpServer->setPrivateKey(pathPrivateKey)) {
EXIT_FAILED("TelegramBot::setHttpServerWebhook - Private Key file %s is invalid, webhook installation failed...", qPrintable(pathPrivateKey))
}
// permit only telegram connections
httpServer->addWhiteListHostSubnet("149.154.164.0/22");
// start listener
if(!httpServer->listen(QHostAddress::Any, port)) {
