Пример #1
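/*
 * Sign `cert` with the private key `pkey`.
 *
 * Returns -1 when the digest context cannot be allocated or the signing
 * context cannot be initialised. Otherwise returns whatever X509_sign_ctx()
 * returns: the signature length in bytes (> 0) on success, 0 on failure.
 * Callers should therefore treat only a value > 0 as "certificate signed".
 */
static int autoca_signcert(X509 *cert, EVP_PKEY *pkey)
{
	EVP_MD_CTX *ctx = EVP_MD_CTX_create();
	int rc = -1;

	if ( ctx == NULL )
		return -1;
	/*
	 * EVP_DigestSignInit() reports success as 1; 0 and negative values
	 * (e.g. -2, operation not supported for this key type) are failures.
	 * A plain truthiness test would accept the negative codes and go on to
	 * sign with an uninitialised context, so compare against 1 explicitly.
	 *
	 * The digest argument is NULL, so the hash is whatever the library
	 * selects by default for this key type.
	 * NOTE(review): confirm that default is acceptable on the OpenSSL
	 * version this is built against, or pass an explicit digest.
	 */
	if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) == 1)
	{
		rc = X509_sign_ctx(cert, ctx);
	}
	EVP_MD_CTX_destroy(ctx);
	return rc;
}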
Пример #2
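	/**
	 * Builds a self-issued X.509 certificate and writes it to a PEM file.
	 *
	 * The subject name is assembled from x509Entries and then reused as the
	 * issuer name. The certificate carries the RSA public key read from
	 * publicKey and is signed with SHA-256 using the RSA private key read from
	 * privateKey. Progress is reported on std::cerr.
	 *
	 * @param publicKey    path of a PEM file read with PEM_read_bio_RSAPublicKey
	 * @param privateKey   path of a PEM RSA private key used for signing
	 * @param password     passphrase for privateKey; when empty no passphrase
	 *                     callback is installed and OpenSSL's default handling applies
	 * @param secsValid    validity period in seconds, counted from now
	 * @param x509Entries  (field name, value) pairs added to the subject name
	 * @param x509Filename path the PEM certificate is written to
	 *
	 * Every failure is reported through throw_system_error_ssl().
	 *
	 * NOTE(review): nothing here checks that publicKey and privateKey belong to
	 * the same key pair. Because issuer == subject, a mismatched pair yields a
	 * certificate whose self-signature does not verify against its own key.
	 */
	void SecureServer::generateCertificate(const std::string& publicKey, const std::string& privateKey, const std::string& password,
		const long& secsValid, const std::vector<std::pair<std::string,std::string> >& x509Entries,
		const std::string& x509Filename) throw (boost::system::system_error) {
		std::cerr << "generating certificate" << std::endl;
		std::unique_ptr<X509,void (*)(X509*)> x509(X509_new(), &X509_free);
		if(!x509){
			throw_system_error_ssl("Could not allocate X509 structure");
		}

		// NOTE(review): the serial number is the current time in seconds, so it
		// is predictable and two certificates issued within the same second get
		// the same serial. Consider a random serial if uniqueness matters.
		if(ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), static_cast<long>(std::time(nullptr))) != 1){
			throw_system_error_ssl("Could not set X509 parameters");
		}
		// X509_gmtime_adj() returns NULL on failure; an unchecked failure would
		// leave the certificate without a usable validity period.
		if(X509_gmtime_adj(X509_get_notBefore(x509.get()), 0) == nullptr
			|| X509_gmtime_adj(X509_get_notAfter(x509.get()), secsValid) == nullptr){
			throw_system_error_ssl("Could not set X509 validity period");
		}
		std::unique_ptr<EVP_PKEY,void(*)(EVP_PKEY*)> privKey(EVP_PKEY_new(), &EVP_PKEY_free);
		std::unique_ptr<EVP_PKEY,void(*)(EVP_PKEY*)> pubKey(EVP_PKEY_new(), &EVP_PKEY_free);
		if(!privKey || !pubKey){
			throw_system_error_ssl("Could not allocate EVP_PKEY");
		}
		std::unique_ptr<BIO,void (*)(BIO*)> privateBIO(BIO_new_file(privateKey.c_str(), "r"), &BIO_free_all);
		if(!privateBIO){
			throw_system_error_ssl("Could not open "+privateKey+" for reading");
		}
		pem_password_cb* password_cb(nullptr);
		void *password_u(nullptr);
		if(!password.empty()){
			password_cb = &pemPasswordCBFromString;
			// The callback interface takes a void*; the string itself is not modified here.
			password_u = const_cast<std::string*>(&password);
		}
		std::unique_ptr<RSA,void(*)(RSA*)> rsa(PEM_read_bio_RSAPrivateKey(privateBIO.get(), nullptr, password_cb, password_u),&RSA_free);
		if(!rsa){
			throw_system_error_ssl("Could not read PEM RSA private key from "+privateKey);
		}
		std::cerr << "read " << privateKey << std::endl;
		if(EVP_PKEY_set1_RSA(privKey.get(), rsa.get()) != 1){
			throw_system_error_ssl("Could not assign EVP_PKEY from RSA private key");
		}
		std::cerr << "assigned EVP_PKEY" << std::endl;
		std::unique_ptr<BIO,void (*)(BIO*)> publicBIO(BIO_new_file(publicKey.c_str(), "r"), &BIO_free_all);
		if(!publicBIO){
			throw_system_error_ssl("Could not open "+publicKey+" for reading");
		}
		// Decode the public key into its own RSA object. Decoding into the RSA
		// that already holds the private key would overwrite fields of the very
		// object privKey references (EVP_PKEY_set1_RSA shares it, it does not
		// copy), so the signing key could end up as a mix of both files.
		std::unique_ptr<RSA,void(*)(RSA*)> pubRsa(PEM_read_bio_RSAPublicKey(publicBIO.get(),nullptr,nullptr,nullptr),&RSA_free);
		if(!pubRsa){
			throw_system_error_ssl("Could not read PEM RSA public key from "+publicKey);
		}
		std::cerr << "read " << publicKey << std::endl;
		if(EVP_PKEY_set1_RSA(pubKey.get(), pubRsa.get()) != 1){
			throw_system_error_ssl("Could not assign EVP_PKEY from RSA public key");
		}

		if(X509_set_pubkey(x509.get(), pubKey.get()) != 1){
			throw_system_error_ssl("Could nost assign X509 public key from EVP_PKEY");
		}
		X509_NAME *name = X509_get_subject_name(x509.get());
		std::cerr << "got subject name" << std::endl;
		for(const std::pair<std::string,std::string>& entry : x509Entries){
			// The value is passed with an explicit length, as MBSTRING_ASC bytes.
			const unsigned char *value = reinterpret_cast<const unsigned char*>(entry.second.c_str());
			if(X509_NAME_add_entry_by_txt(name, entry.first.c_str(), MBSTRING_ASC, value, static_cast<int>(entry.second.length()), -1, 0) != 1){
				throw_system_error_ssl("Could not add X509 entry /"+entry.first+"/ = \""+entry.second+'"');
			}
			std::cerr << "added entry /" << entry.first << "/ = \"" << entry.second << '"' << std::endl;
		}
		// Self-issued: the issuer is the subject that was just built.
		if(X509_set_issuer_name(x509.get(),name) != 1){
			throw_system_error_ssl("Could not set X509 issuer name");
		}
		std::cerr << "set issuer name" << std::endl;
		std::unique_ptr<EVP_MD_CTX,void(*)(EVP_MD_CTX*)> mctx(EVP_MD_CTX_create(),&EVP_MD_CTX_destroy);
		if(!mctx){
			throw_system_error_ssl("Could not allocate EVP MD CTX");
		}
		// The digest is pinned to SHA-256 instead of being left to a library default.
		if(EVP_DigestSignInit(mctx.get(),nullptr,EVP_sha256(),nullptr,privKey.get()) != 1){
			throw_system_error_ssl("Could not init EVP Digest Sign");
		}
		std::cerr << "initialized EVP MD CTX" << std::endl;
		// X509_sign_ctx() returns the signature length; anything <= 0 is a failure.
		if(X509_sign_ctx(x509.get(),mctx.get()) <= 0){
			throw_system_error_ssl("Could not sign certificate");
		}
		std::cerr << "signed" << std::endl;
		std::unique_ptr<BIO,void(*)(BIO*)> x509BIO(BIO_new_file(x509Filename.c_str(),"w"),&BIO_free_all);
		// Without this check an unwritable path would hand a null BIO to the PEM writer.
		if(!x509BIO){
			throw_system_error_ssl("Could not open "+x509Filename+" for writing");
		}
		if(PEM_write_bio_X509(x509BIO.get(),x509.get()) != 1){
			throw_system_error_ssl("Could not write X509 certificate");
		}
		std::cerr << "written to " << x509Filename << std::endl;
	}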