/** Generate a new certificate for our loaded or generated keys, and write it * to disk. Return 0 on success, nonzero on failure. */ static int generate_certificate(void) { char buf[8192]; time_t now = time(NULL); struct tm tm; char published[ISO_TIME_LEN+1]; char expires[ISO_TIME_LEN+1]; char fingerprint[FINGERPRINT_LEN+1]; char *ident = key_to_string(identity_key); char *signing = key_to_string(signing_key); FILE *f; size_t signed_len; char digest[DIGEST_LEN]; char signature[1024]; /* handles up to 8192-bit keys. */ int r; get_fingerprint(identity_key, fingerprint); tor_localtime_r(&now, &tm); tm.tm_mon += months_lifetime; format_iso_time(published, now); format_iso_time(expires, mktime(&tm)); tor_snprintf(buf, sizeof(buf), "dir-key-certificate-version 3" "%s%s" "\nfingerprint %s\n" "dir-key-published %s\n" "dir-key-expires %s\n" "dir-identity-key\n%s" "dir-signing-key\n%s" "dir-key-certification\n", address?"\ndir-address ":"", address?address:"", fingerprint, published, expires, ident, signing); tor_free(ident); tor_free(signing); signed_len = strlen(buf); SHA1((const unsigned char*)buf,signed_len,(unsigned char*)digest); r = RSA_private_encrypt(DIGEST_LEN, (unsigned char*)digest, (unsigned char*)signature, EVP_PKEY_get1_RSA(identity_key), RSA_PKCS1_PADDING); strlcat(buf, "-----BEGIN SIGNATURE-----\n", sizeof(buf)); signed_len = strlen(buf); base64_encode(buf+signed_len, sizeof(buf)-signed_len, signature, r); strlcat(buf, "-----END SIGNATURE-----\n", sizeof(buf)); if (!(f = fopen(certificate_file, "w"))) { log_err(LD_GENERAL, "Couldn't open %s for writing: %s", certificate_file, strerror(errno)); return 1; } fputs(buf, f); fclose(f); return 0; }
void definition_cache::add(environment const & env, name const & n, expr const & pre_type, expr const & pre_value, level_param_names const & ls, expr const & type, expr const & value, bool is_trusted) { dependencies deps; collect_dependencies(env, type, deps); collect_dependencies(env, value, deps); uint64 fingerprint = get_fingerprint(env); lock_guard<mutex> lc(m_mutex); add_core(n, pre_type, pre_value, ls, type, value, deps, fingerprint, is_trusted); }
static void ssl_manager_load_certs (void) { GDir *dir; const gchar *d; GError *error = NULL; gchar *path; int row = 0; GtkListStore *store; store = GTK_LIST_STORE(gtk_tree_view_get_model (GTK_TREE_VIEW(manager.certlist))); gtk_list_store_clear(store); path = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, "certs", G_DIR_SEPARATOR_S, NULL); if((dir = g_dir_open(path, 0, &error)) == NULL) { debug_print("couldn't open dir '%s': %s (%d)\n", path, error->message, error->code); g_error_free(error); return; } while ((d = g_dir_read_name(dir)) != NULL) { gchar *server = NULL, *port = NULL, *fp = NULL; SSLCertificate *cert; if(strstr(d, ".cert") != d + (strlen(d) - strlen(".cert"))) continue; get_serverport(d, &server, &port); fp = get_fingerprint(d); if (server != NULL && port != NULL) { gint portnum = atoi(port); if (portnum > 0 && portnum <= 65535) { cert = ssl_certificate_find(server, portnum, fp); ssl_manager_list_view_insert_cert(manager.certlist, NULL, server, port, cert); } } g_free(server); g_free(port); g_free(fp); row++; } g_dir_close(dir); g_free(path); }
static void ssl_manager_load_certs (void) { DIR *dir; struct dirent *d; gchar *path; int row = 0; GtkListStore *store; store = GTK_LIST_STORE(gtk_tree_view_get_model (GTK_TREE_VIEW(manager.certlist))); gtk_list_store_clear(store); path = g_strconcat(get_rc_dir(), G_DIR_SEPARATOR_S, "certs", G_DIR_SEPARATOR_S, NULL); if((dir = opendir(path)) == NULL) { perror("opendir"); return; } while ((d = readdir(dir)) != NULL) { gchar *server, *port, *fp; SSLCertificate *cert; if(!strstr(d->d_name, ".cert")) continue; server = get_server(d->d_name); port = get_port(d->d_name); fp = get_fingerprint(d->d_name); cert = ssl_certificate_find(server, atoi(port), fp); ssl_manager_list_view_insert_cert(manager.certlist, NULL, server, port, cert); g_free(server); g_free(port); g_free(fp); row++; } closedir(dir); g_free(path); }
optional<std::tuple<level_param_names, expr, expr>> definition_cache::find(environment const & env, name const & n, expr const & pre_type, expr const & pre_value, bool is_trusted) { entry e; { lock_guard<mutex> lc(m_mutex); if (auto it = m_definitions.find(n)) { e = *it; } else { return optional<std::tuple<level_param_names, expr, expr>>(); } } level_param_names ls; if (e.m_is_trusted == is_trusted && expr_eq_modulo_placeholders_fn()(e.m_pre_type, pre_type) && expr_eq_modulo_placeholders_fn()(e.m_pre_value, pre_value) && get_fingerprint(env) == e.m_fingerprint && check_dependencies(env, e.m_dependencies)) { return some(std::make_tuple(e.m_params, e.m_type, e.m_value)); } else { return optional<std::tuple<level_param_names, expr, expr>>(); } }
/* We have parsed a 'certif:' attribute from a 'key-cert' object. * Now perform the check to make sure the hexid specified in the * 'key-cert:' attribute matches the hexid from the 'certif:' * attribute. We perform this check (and others) by adding the * 'certif:' attribute/PGP key block to a temp ring and parsing * the output from PGP. Additionally, we check the following: * * 1. make sure there is only 1 hexid in the key * 2. make sure there is at least 1 owner/uid specified * 3. make sure we get a 'Successful' return string from PGP * 4. call get_fingerprint () to get the key fingerprint * which checks to make sure there is only 1 fingerprint * * Return: * * file name of key certificate file if there were no errors found * - the file can then be used to easily add the PGP key to the * local ring * - the key fingerprint and owner(s)/uid(s) are saved to be * used for the corresponding 'key-cert' auto-generated fields * NULL otherwise */ char *hexid_check (parse_info_t *o) { #ifdef PGP char pgpinfn[256], tmp_pgp_dir[256], ebuf[1024]; FILE *pgpin; char_list_t *p; pgp_data_t pdat; int pgp_errors = 0, fd; #endif /* If we don't have PGP installed then there is nothing to do. */ #ifndef PGP error_msg_queue (o, "PGP is not installed on the system. Cannot perform operation.", ERROR_MSG); return NULL; #else /* make a tmp directory for the pgp rings */ umask (0022); strcpy (tmp_pgp_dir, "/var/tmp/pgp.XXXXXX"); if (mkdtemp (tmp_pgp_dir) == NULL) { error_msg_queue (o, "Internal error. Couldn't create temp directory for PGP\n", ERROR_MSG); return NULL; } /* create a file and put the key certificate into it */ strcpy (pgpinfn, "/var/tmp/irrsyntax.XXXXXX"); fd = mkstemp (pgpinfn); if ((pgpin = fdopen (fd, "w")) == NULL) { error_msg_queue (o, "Internal error. Could not check 'key-cert:' temp file creation error", ERROR_MSG); goto pgp_errors_jump; } fwrite (o->u.kc.certif, sizeof (char), strlen (o->u.kc.certif), pgpin); fclose (pgpin); /* add the certificate to a temp ring */ if (!pgp_add (default_trace, tmp_pgp_dir, pgpinfn, &pdat)) { error_msg_queue (o, "Couldn't add key-cert to ring. Didn't get successful reply from PGP", ERROR_MSG); goto pgp_errors_jump; } /* certificate checks */ /* do we have more than 1 hex ID? */ if (pdat.hex_cnt > 1) { error_msg_queue (o, "Too many public keys in certificate", ERROR_MSG); pgp_errors = 1; } /* does the hex ID of the 'key-cert' attr match the certificate hex ID ? */ else if (strcmp (pdat.hex_first->key, o->u.kc.kchexid)) { snprintf (ebuf, 1024, "Hex-ID mistmatch: 'key-cert:' (%s) 'certif:' (%s)\n", o->u.kc.kchexid, pdat.hex_first->key); error_msg_queue (o, ebuf, ERROR_MSG); pgp_errors = 1; } /* owner check */ else if (pdat.owner_first == NULL) { error_msg_queue (o, "No uid's/owners found in certificate", ERROR_MSG); pgp_errors = 1; } /* grab all the owners */ else { o->u.kc.owner_count = pdat.owner_cnt; for (p = pdat.owner_first; p != NULL; p = p->next) o->u.kc.owner = my_concat (o->u.kc.owner, p->key, 0); } /* get the key fingerprint */ if (!pgp_errors && !get_fingerprint (o, tmp_pgp_dir, &pdat)) pgp_errors = 1; if (o->u.kc.owner != NULL) if (verbose) fprintf (dfile, "owner count (%d) owner (%s)\n", o->u.kc.owner_count, o->u.kc.owner); if (o->u.kc.fingerpr != NULL) if (verbose) fprintf (dfile, "fingerpr (%s)\n", o->u.kc.fingerpr); /* end debug */ /* clean up */ pgp_free (&pdat); /* if we have errors then we won't need the key file */ if (pgp_errors) { pgp_errors_jump: rm_tmpdir (tmp_pgp_dir); /* can get rid of temporary directory */ remove (pgpinfn); return NULL; } rm_tmpdir (tmp_pgp_dir); /* can get rid of temporary directory */ /* leave pgp key for possible addition to local ring */ return strdup (pgpinfn); #endif }
void output_cert_info(X509 *cert, gf_io_t pc) { char buf[256]; STORE_S *left,*right; gf_io_t spc; int len; left = so_get(CharStar, NULL, EDIT_ACCESS); right = so_get(CharStar, NULL, EDIT_ACCESS); if(!(left && right)) return; gf_set_so_writec(&spc, left); if(!cert->cert_info){ gf_puts("Couldn't find certificate info.", spc); gf_puts(NEWLINE, spc); } else{ gf_puts_uline("Subject (whose certificate it is)", spc); gf_puts(NEWLINE, spc); output_X509_NAME(cert->cert_info->subject, spc); gf_puts(NEWLINE, spc); gf_puts_uline("Serial Number", spc); gf_puts(NEWLINE, spc); snprintf(buf, sizeof(buf), "%ld", ASN1_INTEGER_get(cert->cert_info->serialNumber)); gf_puts(buf, spc); gf_puts(NEWLINE, spc); gf_puts(NEWLINE, spc); gf_puts_uline("Validity", spc); gf_puts(NEWLINE, spc); { BIO *mb = BIO_new(BIO_s_mem()); char iobuf[4096]; gf_puts("Not Before: ", spc); (void) BIO_reset(mb); ASN1_UTCTIME_print(mb, cert->cert_info->validity->notBefore); (void) BIO_flush(mb); while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0) gf_nputs(iobuf, len, spc); gf_puts(NEWLINE, spc); gf_puts("Not After: ", spc); (void) BIO_reset(mb); ASN1_UTCTIME_print(mb, cert->cert_info->validity->notAfter); (void) BIO_flush(mb); while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0) gf_nputs(iobuf, len, spc); gf_puts(NEWLINE, spc); gf_puts(NEWLINE, spc); BIO_free(mb); } } gf_clear_so_writec(left); gf_set_so_writec(&spc, right); if(!cert->cert_info){ gf_puts(_("Couldn't find certificate info."), spc); gf_puts(NEWLINE, spc); } else{ gf_puts_uline("Issuer", spc); gf_puts(NEWLINE, spc); output_X509_NAME(cert->cert_info->issuer, spc); gf_puts(NEWLINE, spc); } gf_clear_so_writec(right); side_by_side(left, right, pc); gf_puts_uline("SHA1 Fingerprint", pc); gf_puts(NEWLINE, pc); get_fingerprint(cert, EVP_sha1(), buf, sizeof(buf)); gf_puts(buf, pc); gf_puts(NEWLINE, pc); gf_puts_uline("MD5 Fingerprint", pc); gf_puts(NEWLINE, pc); get_fingerprint(cert, EVP_md5(), buf, sizeof(buf)); gf_puts(buf, pc); gf_puts(NEWLINE, pc); so_give(&left); so_give(&right); }