static int test_access_description(int testcase)
{
ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new();
int ret = 0;
if (!TEST_ptr(ad))
goto err;
switch (testcase) {
case 0: /* no change */
break;
case 1: /* check and release current location */
if (!TEST_ptr(ad->location))
goto err;
GENERAL_NAME_free(ad->location);
ad->location = NULL;
break;
case 2: /* replace current location */
GENERAL_NAME_free(ad->location);
ad->location = GENERAL_NAME_new();
if (!TEST_ptr(ad->location))
goto err;
break;
}
ACCESS_DESCRIPTION_free(ad);
ret = 1;
err:
return ret;
}
static int set_altname(X509 *crt, ...)
{
int ret = 0;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gen = NULL;
ASN1_IA5STRING *ia5 = NULL;
va_list ap;
va_start(ap, crt);
gens = sk_GENERAL_NAME_new_null();
if (gens == NULL)
goto out;
while (1) {
int type;
const char *name;
type = va_arg(ap, int);
if (type == 0)
break;
name = va_arg(ap, const char *);
gen = GENERAL_NAME_new();
if (gen == NULL)
goto out;
ia5 = ASN1_IA5STRING_new();
if (ia5 == NULL)
goto out;
if (!ASN1_STRING_set(ia5, name, -1))
goto out;
switch (type)
{
case GEN_EMAIL:
case GEN_DNS:
GENERAL_NAME_set0_value(gen, type, ia5);
ia5 = NULL;
break;
default:
abort();
}
sk_GENERAL_NAME_push(gens, gen);
gen = NULL;
}
if (!X509_add1_ext_i2d(crt, NID_subject_alt_name, gens, 0, 0))
goto out;
ret = 1;
out:
ASN1_IA5STRING_free(ia5);
GENERAL_NAME_free(gen);
GENERAL_NAMES_free(gens);
va_end(ap);
return ret;
}
int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
{
GENERAL_NAME *gen;
gen = GENERAL_NAME_new();
if (gen == NULL)
return 0;
if (!X509_NAME_set(&gen->d.directoryName, nm)) {
GENERAL_NAME_free(gen);
return 0;
}
gen->type = GEN_DIRNAME;
if (req->tbsRequest->requestorName)
GENERAL_NAME_free(req->tbsRequest->requestorName);
req->tbsRequest->requestorName = gen;
return 1;
}
void *targets_s2i(UNUSED(struct v3_ext_method *method), UNUSED(struct v3_ext_ctx *ctx), char *data)
{
char *pos;
char *list = strdup(data);
char *back = list;
AC_TARGETS *a = AC_TARGETS_new();
int attlist;
do {
pos = strchr(list, ',');
if (pos)
*pos = '\0';
{
GENERAL_NAME *g = GENERAL_NAME_new();
ASN1_IA5STRING *tmpr = ASN1_IA5STRING_new();
AC_TARGET *targ = AC_TARGET_new();
if (!g || !tmpr || !targ) {
GENERAL_NAME_free(g);
ASN1_IA5STRING_free(tmpr);
AC_TARGET_free(targ);
goto err;
}
ASN1_STRING_set(tmpr, list, strlen(list));
g->type = GEN_URI;
g->d.ia5 = tmpr;
targ->name = g;
sk_AC_TARGET_push(a->targets, targ);
attlist++;
}
if (pos)
list = ++pos;
} while (pos);
free(back);
return a;
err:
free(back);
AC_TARGETS_free(a);
return NULL;
}
LWS_VISIBLE LWS_EXTERN int
lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
const char *san_b)
{
GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();
GENERAL_NAME *gen = NULL;
ASN1_IA5STRING *ia5 = NULL;
X509_NAME *name;
if (!gens)
return 1;
vhost->tls.ss = lws_zalloc(sizeof(*vhost->tls.ss), "sni cert");
if (!vhost->tls.ss) {
GENERAL_NAMES_free(gens);
return 1;
}
vhost->tls.ss->x509 = X509_new();
if (!vhost->tls.ss->x509)
goto bail;
ASN1_INTEGER_set(X509_get_serialNumber(vhost->tls.ss->x509), 1);
X509_gmtime_adj(X509_get_notBefore(vhost->tls.ss->x509), 0);
X509_gmtime_adj(X509_get_notAfter(vhost->tls.ss->x509), 3600);
vhost->tls.ss->pkey = EVP_PKEY_new();
if (!vhost->tls.ss->pkey)
goto bail0;
if (lws_tls_openssl_rsa_new_key(&vhost->tls.ss->rsa, 4096))
goto bail1;
if (!EVP_PKEY_assign_RSA(vhost->tls.ss->pkey, vhost->tls.ss->rsa))
goto bail2;
X509_set_pubkey(vhost->tls.ss->x509, vhost->tls.ss->pkey);
name = X509_get_subject_name(vhost->tls.ss->x509);
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
(unsigned char *)"GB", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
(unsigned char *)"somecompany", -1, -1, 0);
if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8,
(unsigned char *)"temp.acme.invalid",
-1, -1, 0) != 1) {
lwsl_notice("failed to add CN\n");
goto bail2;
}
X509_set_issuer_name(vhost->tls.ss->x509, name);
/* add the SAN payloads */
gen = GENERAL_NAME_new();
ia5 = ASN1_IA5STRING_new();
if (!ASN1_STRING_set(ia5, san_a, -1)) {
lwsl_notice("failed to set ia5\n");
GENERAL_NAME_free(gen);
goto bail2;
}
GENERAL_NAME_set0_value(gen, GEN_DNS, ia5);
sk_GENERAL_NAME_push(gens, gen);
if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name,
gens, 0, X509V3_ADD_APPEND) != 1)
goto bail2;
GENERAL_NAMES_free(gens);
if (san_b && san_b[0]) {
gens = sk_GENERAL_NAME_new_null();
gen = GENERAL_NAME_new();
ia5 = ASN1_IA5STRING_new();
if (!ASN1_STRING_set(ia5, san_a, -1)) {
lwsl_notice("failed to set ia5\n");
GENERAL_NAME_free(gen);
goto bail2;
}
GENERAL_NAME_set0_value(gen, GEN_DNS, ia5);
sk_GENERAL_NAME_push(gens, gen);
if (X509_add1_ext_i2d(vhost->tls.ss->x509, NID_subject_alt_name,
gens, 0, X509V3_ADD_APPEND) != 1)
goto bail2;
GENERAL_NAMES_free(gens);
}
/* sign it with our private key */
if (!X509_sign(vhost->tls.ss->x509, vhost->tls.ss->pkey, EVP_sha256()))
goto bail2;
#if 0
{/* useful to take a sample of a working cert for mbedtls to crib */
FILE *fp = fopen("/tmp/acme-temp-cert", "w+");
i2d_X509_fp(fp, vhost->tls.ss->x509);
fclose(fp);
}
#endif
/* tell the vhost to use our crafted certificate */
SSL_CTX_use_certificate(vhost->tls.ssl_ctx, vhost->tls.ss->x509);
/* and to use our generated private key */
SSL_CTX_use_PrivateKey(vhost->tls.ssl_ctx, vhost->tls.ss->pkey);
return 0;
bail2:
RSA_free(vhost->tls.ss->rsa);
bail1:
EVP_PKEY_free(vhost->tls.ss->pkey);
bail0:
X509_free(vhost->tls.ss->x509);
bail:
lws_free(vhost->tls.ss);
GENERAL_NAMES_free(gens);
return 1;
}
/*
* Create a fake X509v3 certificate, signed by the provided CA,
* based on the original certificate retrieved from the real server.
* The returned certificate is created using X509_new() and thus must
* be freed by the caller using X509_free().
* The optional argument extraname is added to subjectAltNames if provided.
*/
X509 *
ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt,
const char *extraname, EVP_PKEY *key)
{
X509_NAME *subject, *issuer;
GENERAL_NAMES *names;
GENERAL_NAME *gn;
X509 *crt;
subject = X509_get_subject_name(origcrt);
issuer = X509_get_subject_name(cacrt);
if (!subject || !issuer)
return NULL;
crt = X509_new();
if (!crt)
return NULL;
if (!X509_set_version(crt, 0x02) ||
!X509_set_subject_name(crt, subject) ||
!X509_set_issuer_name(crt, issuer) ||
ssl_x509_serial_copyrand(crt, origcrt) == -1 ||
!X509_gmtime_adj(X509_get_notBefore(crt), (long)-60*60*24) ||
!X509_gmtime_adj(X509_get_notAfter(crt), (long)60*60*24*364) ||
!X509_set_pubkey(crt, key))
goto errout;
/* add standard v3 extensions; cf. RFC 2459 */
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, cacrt, crt, NULL, NULL, 0);
if (ssl_x509_v3ext_add(&ctx, crt, "basicConstraints",
"CA:FALSE") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "keyUsage",
"digitalSignature,"
"keyEncipherment") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "extendedKeyUsage",
"serverAuth") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "subjectKeyIdentifier",
"hash") == -1 ||
ssl_x509_v3ext_add(&ctx, crt, "authorityKeyIdentifier",
"keyid,issuer:always") == -1)
goto errout;
if (!extraname) {
/* no extraname provided: copy original subjectAltName ext */
if (ssl_x509_v3ext_copy_by_nid(crt, origcrt,
NID_subject_alt_name) == -1)
goto errout;
} else {
names = X509_get_ext_d2i(origcrt, NID_subject_alt_name, 0, 0);
if (!names) {
/* no subjectAltName present: add new one */
char *cfval;
if (asprintf(&cfval, "DNS:%s", extraname) < 0)
goto errout;
if (ssl_x509_v3ext_add(&ctx, crt, "subjectAltName",
cfval) == -1) {
free(cfval);
goto errout;
}
free(cfval);
} else {
/* add extraname to original subjectAltName
* and add it to the new certificate */
gn = GENERAL_NAME_new();
if (!gn)
goto errout2;
gn->type = GEN_DNS;
gn->d.dNSName = M_ASN1_IA5STRING_new();
if (!gn->d.dNSName)
goto errout3;
ASN1_STRING_set(gn->d.dNSName,
(unsigned char *)extraname,
strlen(extraname));
sk_GENERAL_NAME_push(names, gn);
X509_EXTENSION *ext = X509V3_EXT_i2d(
NID_subject_alt_name, 0, names);
if (!X509_add_ext(crt, ext, -1)) {
if (ext) {
X509_EXTENSION_free(ext);
}
goto errout3;
}
X509_EXTENSION_free(ext);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
}
#ifdef DEBUG_CERTIFICATE
ssl_x509_v3ext_add(&ctx, crt, "nsComment", "Generated by " PNAME);
#endif /* DEBUG_CERTIFICATE */
const EVP_MD *md;
switch (EVP_PKEY_type(cakey->type)) {
#ifndef OPENSSL_NO_RSA
case EVP_PKEY_RSA:
md = EVP_sha1();
break;
#endif /* !OPENSSL_NO_RSA */
#ifndef OPENSSL_NO_DSA
case EVP_PKEY_DSA:
md = EVP_dss1();
break;
#endif /* !OPENSSL_NO_DSA */
#ifndef OPENSSL_NO_ECDSA
case EVP_PKEY_EC:
md = EVP_ecdsa();
break;
#endif /* !OPENSSL_NO_ECDSA */
default:
goto errout;
}
if (!X509_sign(crt, cakey, md))
goto errout;
return crt;
errout3:
GENERAL_NAME_free(gn);
errout2:
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
errout:
X509_free(crt);
return NULL;
}
