int signRequest(char* pemRequest, int days, char* pemCAKey, char* pemCaCert, int certType, char *url, char* result) {
BIO* bioReq = BIO_new_mem_buf(pemRequest, -1);
BIO* bioCAKey = BIO_new_mem_buf(pemCAKey, -1);
BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1);
X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL);
int err = 0;
X509_REQ *req=NULL;
if (!(req=PEM_read_bio_X509_REQ(bioReq, NULL, NULL, NULL))) {
BIO_free(bioReq);
BIO_free(bioCert);
BIO_free(bioCAKey);
return ERR_peek_error();
}
EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioCAKey, NULL, NULL, NULL);
if (!caKey) {
BIO_free(bioReq);
BIO_free(bioCert);
BIO_free(bioCAKey);
return ERR_peek_error();
}
X509* cert = X509_new();
EVP_PKEY* reqPub;
if(!(err = X509_set_version(cert, 2)))
{
BIO_free(bioReq);
BIO_free(bioCAKey);
return ERR_peek_error();
}
//redo all the certificate details, because OpenSSL wants us to work hard
X509_set_issuer_name(cert, X509_get_subject_name(caCert));
ASN1_UTCTIME *s=ASN1_UTCTIME_new();
// Jira-issue: WP-37
// This is temp solution for putting pzp validity 5 minutes before current time
// If there is a small clock difference between machines, it results in cert_not_yet_valid
// It does set GMT time but is relevant to machine time.
// A better solution would be to have ntp server contacted to get a proper time.
if(certType == 2) {
X509_gmtime_adj(s, long(0-300));
}
else {
X509_gmtime_adj(s, long(0));
}
// End of WP-37
X509_set_notBefore(cert, s);
X509_gmtime_adj(s, (long)60*60*24*days);
X509_set_notAfter(cert, s);
ASN1_UTCTIME_free(s);
X509_set_subject_name(cert, X509_REQ_get_subject_name(req));
reqPub = X509_REQ_get_pubkey(req);
X509_set_pubkey(cert,reqPub);
EVP_PKEY_free(reqPub);
//create a serial number at random
ASN1_INTEGER* serial = getRandomSN();
X509_set_serialNumber(cert, serial);
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
char *str = (char*)malloc(strlen("caIssuers;") + strlen(url) + 1);
if (str == NULL) {
return -10;
}
strcpy(str, "caIssuers;");
strcat(str, url);
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_info_access, (char*)str))) {
free(str);
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
free(str);
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_alt_name, (char*)url))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_issuer_alt_name, (char*)"issuer:copy"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char*)"hash"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if( certType == 1) {
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, (char*)"critical, CA:FALSE"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_ext_key_usage, (char*)"critical, clientAuth, serverAuth"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
} else if( certType == 2) {
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, (char*)"critical, CA:FALSE"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_ext_key_usage, (char*)"critical, clientAuth, serverAuth"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
}
if (!(err = X509_sign(cert,caKey,EVP_sha1())))
{
BIO_free(bioReq);
BIO_free(bioCert);
BIO_free(bioCAKey);
return err;
}
BIO *mem = BIO_new(BIO_s_mem());
PEM_write_bio_X509(mem,cert);
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(mem);
BIO_free(bioReq);
BIO_free(bioCert);
BIO_free(bioCAKey);
return 0;
}
int selfSignRequest(char* pemRequest, int days, char* pemCAKey, int certType, char *url, char* result) {
BIO* bioReq = BIO_new_mem_buf(pemRequest, -1);
BIO* bioCAKey = BIO_new_mem_buf(pemCAKey, -1);
int err = 0;
X509_REQ *req=NULL;
if (!(req=PEM_read_bio_X509_REQ(bioReq, NULL, NULL, NULL))) {
BIO_free(bioReq);
BIO_free(bioCAKey);
return -5;
}
EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioCAKey, NULL, NULL, NULL);
if (!caKey) {
BIO_free(bioReq);
BIO_free(bioCAKey);
return -6;
}
X509* cert = X509_new();
EVP_PKEY* reqPub;
//redo all the certificate details, because OpenSSL wants us to work hard
if(!(err = X509_set_version(cert, 2)))
{
BIO_free(bioReq);
BIO_free(bioCAKey);
return err;
}
if(!(err = X509_set_issuer_name(cert, X509_REQ_get_subject_name(req))))
{
BIO_free(bioReq);
BIO_free(bioCAKey);
return err;
}
ASN1_UTCTIME *s=ASN1_UTCTIME_new();
// Jira-issue: WP-37
// This is temp solution for putting pzp validity 5 minutes before current time
// If there is a small clock difference between machines, it results in cert_not_yet_valid
// It does set GMT time but is relevant to machine time.
// A better solution would be to have ntp server contacted to get proper time.
if(certType == 2) {
X509_gmtime_adj(s, long(0-300));
}
else {
X509_gmtime_adj(s, long(0));
}
// End of WP-37
X509_set_notBefore(cert, s);
X509_gmtime_adj(s, (long)60*60*24*days);
X509_set_notAfter(cert, s);
ASN1_UTCTIME_free(s);
if(!(err = X509_set_subject_name(cert, X509_REQ_get_subject_name(req)))) {
BIO_free(bioReq);
BIO_free(bioCAKey);
return err;
}
if (!(reqPub = X509_REQ_get_pubkey(req))) {
BIO_free(bioReq);
BIO_free(bioCAKey);
return -7;
}
err = X509_set_pubkey(cert,reqPub);
EVP_PKEY_free(reqPub);
if (!err) {
return err; // an error occurred, this is terrible style.
}
//create a serial number at random
ASN1_INTEGER* serial = getRandomSN();
X509_set_serialNumber(cert, serial);
// V3 extensions
X509_EXTENSION *ex;
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_alt_name, (char*)url))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char*)"hash"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if( certType == 0) {
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, (char*)"critical, CA:TRUE"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_key_usage, (char*)"critical, keyCertSign, digitalSignature, cRLSign"))) { /* critical, keyCertSign,cRLSign, nonRepudiation,*/
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_ext_key_usage, (char*)"critical, serverAuth"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_inhibit_any_policy, (char*)"0"))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_crl_distribution_points, (char*)url))) {
return ERR_peek_error();
} else {
X509_add_ext(cert, ex, -1);
}
}
if (!(err = X509_sign(cert,caKey,EVP_sha1()))) {
BIO_free(bioReq);
BIO_free(bioCAKey);
return err;
}
BIO *mem = BIO_new(BIO_s_mem());
PEM_write_bio_X509(mem,cert);
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(mem);
BIO_free(bioReq);
BIO_free(bioCAKey);
return 0;
}
ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
int offset_day, long offset_sec)
{
char *p;
struct tm *ts;
struct tm data;
size_t len = 20;
int free_s = 0;
if (s == NULL) {
s = ASN1_UTCTIME_new();
if (s == NULL)
goto err;
free_s = 1;
}
ts = OPENSSL_gmtime(&t, &data);
if (ts == NULL)
goto err;
if (offset_day || offset_sec) {
if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec))
goto err;
}
if ((ts->tm_year < 50) || (ts->tm_year >= 150))
goto err;
p = (char *)s->data;
if ((p == NULL) || ((size_t)s->length < len)) {
p = OPENSSL_malloc(len);
if (p == NULL) {
ASN1err(ASN1_F_ASN1_UTCTIME_ADJ, ERR_R_MALLOC_FAILURE);
goto err;
}
OPENSSL_free(s->data);
s->data = (unsigned char *)p;
}
BIO_snprintf(p, len, "%02d%02d%02d%02d%02d%02dZ", ts->tm_year % 100,
ts->tm_mon + 1, ts->tm_mday, ts->tm_hour, ts->tm_min,
ts->tm_sec);
s->length = strlen(p);
s->type = V_ASN1_UTCTIME;
#ifdef CHARSET_EBCDIC_not
ebcdic2ascii(s->data, s->data, s->length);
#endif
return (s);
err:
if (free_s)
ASN1_UTCTIME_free(s);
return NULL;
}
ASN1_UTCTIME *
ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec)
{
ASN1_UTCTIME *tmp = NULL, *ret;
if (s == NULL) {
tmp = ASN1_UTCTIME_new();
if (tmp == NULL)
return NULL;
s = tmp;
}
ret = ASN1_UTCTIME_adj_internal(s, t, offset_day, offset_sec);
if (ret == NULL && tmp != NULL)
ASN1_UTCTIME_free(tmp);
return ret;
}
static int
get_times(glite_renewal_core_context ctx, char *proxy_file,
time_t *not_after_x509, time_t *not_after_voms)
{
X509 *cert = NULL;
STACK_OF(X509) *chain = NULL;
int ret, i;
time_t now, end_time, end_time_x509;
struct vomsdata *voms_data = NULL;
struct voms **voms_cert = NULL;
ASN1_UTCTIME *t;
char *s, *c;
ret = load_proxy(ctx, proxy_file, &cert, NULL, &chain, NULL);
if (ret)
return ret;
ret = get_voms_cert(ctx, cert, chain, &voms_data);
if (ret)
goto end;
end_time = 0;
if (voms_data != NULL) {
for (voms_cert = voms_data->data; voms_cert && *voms_cert; voms_cert++) {
t = ASN1_UTCTIME_new();
if (t == NULL) {
glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_new() failed");
ret = 1;
goto end;
}
/* date2 contains a GENERALIZEDTIME format (YYYYMMDDHHSS[.fff]Z)
* value, which must be converted to the UTC (YYMMDDHHSSZ) format */
s = strdup((*voms_cert)->date2 + 2);
if (s == NULL) {
glite_renewal_core_set_err(ctx, "Not enough memory");
ret = ENOMEM;
goto end;
}
c = strchr(s, '.');
if (c) {
*c++ = 'Z';
*c = '\0';
}
ret = ASN1_UTCTIME_set_string(t, s);
if (ret == 0) {
glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_set_string() failed\n");
ret = 1;
free(s);
goto end;
}
if (end_time == 0 || ASN1_UTCTIME_cmp_time_t(t, end_time) < 0)
globus_gsi_cert_utils_make_time(t, &end_time);
ASN1_UTCTIME_free(t);
free(s);
}
}
globus_gsi_cert_utils_make_time(X509_get_notAfter(cert), &end_time_x509);
now = time(NULL);
if (end_time_x509 + RENEWAL_CLOCK_SKEW < now) {
glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
ret = EDG_WLPR_PROXY_EXPIRED;
goto end;
}
/* Myproxy seems not to do check on expiration and return expired proxies
if credentials in repository are expired */
for (i = 0; i < sk_X509_num(chain); i++) {
t = X509_get_notAfter(sk_X509_value(chain, i));
if (ASN1_UTCTIME_cmp_time_t(t, now - RENEWAL_CLOCK_SKEW) < 0) {
glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
ret = EDG_WLPR_PROXY_EXPIRED;
goto end;
}
}
*not_after_voms = end_time;
*not_after_x509 = end_time_x509;
ret = 0;
end:
if (voms_data)
VOMS_Destroy(voms_data);
if (chain)
sk_X509_pop_free(chain, X509_free);
if (cert)
X509_free(cert);
return ret;
}
ASN1_STRING *str,*str2;
ASN1_OBJECT *obj;
X509 *ret=NULL;
X509_CINF *ci;
X509_NAME_ENTRY *ne;
X509_NAME_ENTRY *tne,*push;
EVP_PKEY *pktmp;
int ok= -1,i,j,last,nid;
const char *p;
CONF_VALUE *cv;
OPENSSL_STRING row[DB_NUMBER];
OPENSSL_STRING *irow=NULL;
OPENSSL_STRING *rrow=NULL;
char buf[25];
tmptm=ASN1_UTCTIME_new();
if (tmptm == NULL)
{
BIO_printf(bio_err,"malloc error\n");
return(0);
}
for (i=0; i<DB_NUMBER; i++)
row[i]=NULL;
if (subj)
{
X509_NAME *n = parse_name(subj, chtype, multirdn);
if (!n)
{
int file_select(const struct dirent *entry) {
cert = X509_new();
certsubject = X509_NAME_new();
int i = 0;
char buf[80] = "";
/* check for "." and ".." directory entries */
if(entry->d_name[0]=='.') return 0;
/* Check for <id>.pem file name extensions */
if(strstr(entry->d_name, ".pem") == NULL) return 0;
/* generate the full file name and path to open it */
snprintf(certfilestr, sizeof(certfilestr), "%s/%s",
CACERTSTORE, entry->d_name);
/* if we cannot open the file, we move on to the next */
if ((certfile = fopen(certfilestr, "r")) == NULL) return 0;
/* now we load the certificate data */
if (! (cert = PEM_read_X509(certfile,NULL,NULL,NULL))) return 0;
/* if search type is dn, check if dn field contains the search value */
if (strcmp(search, "dn") == 0) {
/* get the subject information to compare the entries in it */
if (! (certsubject = X509_get_subject_name(cert))) return 0;
/* now we cycle through all entries of the subject */
for (i = 0; i < X509_NAME_entry_count(certsubject); i++) {
e = X509_NAME_get_entry(certsubject, i);
OBJ_obj2txt(buf, 80, X509_NAME_ENTRY_get_object(e), 0);
/* when the search file matches the cert subject field */
/* check if the field value is equal the search value */
if(strstr(buf, field) != NULL)
if(strstr( (char *) X509_NAME_ENTRY_get_data(e), dnvalue) != NULL) return 1;
}
}
/* if search type is exp, check expiration date is between start and end date */
if (strcmp(search, "exp") == 0) {
/* get the certificates expiration date */
expiration_date = X509_get_notAfter(cert);
/* copy the certificate expiration date into a string */
membio = BIO_new(BIO_s_mem());
ASN1_TIME_print(membio, expiration_date);
BIO_gets(membio, membio_buf, sizeof(membio_buf));
BIO_free(membio);
//int_error(membio_buf); /* debug correct time parsing */
/* parse the expiration date string into a time struct */
memset (&expiration_tm, '\0', sizeof(expiration_tm));
strptime(membio_buf, "%h %d %T %Y %z", &expiration_tm);
// int_error(asctime(&expiration_tm)); /* debug correct time parsing */
/* parse the CGI start date string into the start_tm struct */
memset (&start_tm, '\0', sizeof(start_tm));
strptime(exp_startstr, "%d.%m.%Y %R", &start_tm);
// int_error(asctime(&start_tm)); /* debug correct time parsing */
/* parse the CGI end date string into the end_tm struct */
memset (&end_tm, '\0', sizeof(end_tm));
strptime(exp_endstr, "%d.%m.%Y %R", &end_tm);
// int_error(asctime(&end_tm)); /* debug correct time parsing */
/* check if expiration date >= start date and <= end date */
if ( difftime(mktime(&start_tm), mktime(&expiration_tm)) <=0 &&
difftime(mktime(&end_tm), mktime(&expiration_tm)) >= 0 ) return 1;
}
/* if search type is ena, check enable date is between start and end date */
if (strcmp(search, "ena") == 0) {
/* get the certificates enable date */
start_date = X509_get_notBefore(cert);
/* copy the certificate expiration date into a string */
membio = BIO_new(BIO_s_mem());
ASN1_TIME_print(membio, start_date);
BIO_gets(membio, membio_buf, sizeof(membio_buf));
BIO_free(membio);
/* parse the expiration date string into a time struct */
memset (&enable_tm, '\0', sizeof(enable_tm));
strptime(membio_buf, "%h %d %T %Y %z", &enable_tm);
// int_error(asctime(&enable_tm)); /* debug correct time parsing */
/* parse the CGI start date string into the start_tm struct */
memset (&start_tm, '\0', sizeof(start_tm));
strptime(ena_startstr, "%d.%m.%Y %R", &start_tm);
// int_error(asctime(&start_tm)); /* debug correct time parsing */
/* parse the CGI end date string into the end_tm struct */
memset (&end_tm, '\0', sizeof(end_tm));
strptime(ena_endstr, "%d.%m.%Y %R", &end_tm);
// int_error(asctime(&end_tm)); /* debug correct time parsing */
/* check if expiration date >= start date and <= end date */
if ( difftime(mktime(&start_tm), mktime(&enable_tm)) <=0 &&
difftime(mktime(&end_tm), mktime(&enable_tm)) >= 0 ) return 1;
}
/* if search type is rev, check if cert was revoked between start and end date */
if (strcmp(search, "rev") == 0) {
/* ---------------------------------------------------------- *
* Parse the CGI start date string into the start_tm struct *
* ---------------------------------------------------------- */
memset (&start_tm, '\0', sizeof(start_tm));
strptime(rev_startstr, "%d.%m.%Y %R", &start_tm);
/* ---------------------------------------------------------- *
* Parse the CGI end date string into the end_tm struct *
* ---------------------------------------------------------- */
memset (&end_tm, '\0', sizeof(end_tm));
strptime(rev_endstr, "%d.%m.%Y %R", &end_tm);
/* ---------------------------------------------------------- *
* Get all revoked certificates from revocation DB index.txt *
* ---------------------------------------------------------- */
CA_DB *db = NULL;
DB_ATTR db_attr;
if((db = load_index(INDEXFILE, &db_attr)) == NULL)
int_error("Error cannot load CRL certificate database file");
/* ---------------------------------------------------------- *
* Get the certs serial number, convert it into a hex string *
* -----------------------------------------------------------*/
BIGNUM *bn = NULL;
bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
if (!bn)
int_error("Cannot extract serial number from cert into BIGNUM");
char *serialstr = BN_bn2hex(bn);
/* ---------------------------------------------------------- *
* Check if the cert is revoked, looking up its serial in DB *
* -----------------------------------------------------------*/
char *const *pp;
int i;
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
if ( (strcmp(pp[DB_serial], serialstr) == 0)
&& (pp[DB_type][0] == DB_TYPE_REV) ) {
/* ---------------------------------------------------------- *
* Revoked, get the certs revocation date from the database *
* -----------------------------------------------------------*/
char *p = strchr(pp[DB_rev_date], ',');
if (p) *p = '\0'; // if revocation reason is given, terminate before
char *revokedstr = BUF_strdup(pp[DB_rev_date]);
revocation_date = ASN1_UTCTIME_new();
ASN1_UTCTIME_set_string(revocation_date, revokedstr);
//int_error(revokedstr); /* debug correct time parsing */
/* copy the certificate revocation date into a string */
membio = BIO_new(BIO_s_mem());
ASN1_TIME_print(membio, revocation_date);
BIO_gets(membio, membio_buf, sizeof(membio_buf));
BIO_free(membio);
//int_error(membio_buf);
/* parse the revocation date string into a time struct */
memset (&revoked_tm, '\0', sizeof(revoked_tm));
strptime(membio_buf, "%h %d %T %Y %z", &revoked_tm);
//int_error(asctime(&revoked_tm)); /* debug correct time parsing */
/* ---------------------------------------------------------- *
* Check if revocation date >= start date and <= end date *
* -----------------------------------------------------------*/
if ( difftime(mktime(&start_tm), mktime(&revoked_tm)) <=0 &&
difftime(mktime(&end_tm), mktime(&revoked_tm)) >= 0 ) return 1;
}
}
BN_free(bn);
}
/* if search type is ser, check if serial is between start and end serial */
if (strcmp(search, "ser") == 0) {
/* convert the serial strings to BIGNUM */
BN_dec2bn(&startserialbn, startserstr);
BN_dec2bn(&endserialbn, endserstr);
/* get the certificates serial number and convert it to BIGNUM */
if ((certserial = X509_get_serialNumber(cert)) == NULL)
int_error("Error: Getting certificate serial number in ASN1 format.");
if ((certserialbn = ASN1_INTEGER_to_BN(certserial, NULL)) == NULL)
int_error("Error: converting certserial number from ASN1 to BIGNUM.");
/* debugging output to see values of BIGNUM */
//membio = BIO_new(BIO_s_mem());
//BN_print(membio, endserialbn);
//BIO_gets(membio, membio_buf, sizeof(membio_buf));
//BIO_free(membio);
//int_error(membio_buf);
/* check if certserial >= startserial and <= endserial */
if ( BN_cmp(startserialbn, certserialbn) <= 0 &&
BN_cmp(endserialbn, certserialbn) >= 0 ) return 1;
}
return 0;
}
KSSLCertificate*
KSSLCertificateFactory::generateSelfSigned(KSSLKeyType /*keytype*/) {
#if 0
//#ifdef KSSL_HAVE_SSL
X509_NAME *x509name = X509_NAME_new();
X509 *x509;
ASN1_UTCTIME *beforeafter;
KSSLCertificate *newcert;
int rc;
// FIXME: generate the private key
if (keytype == KEYTYPE_UNKNOWN || (key=EVP_PKEY_new()) == NULL) {
X509_NAME_free(x509name);
return NULL;
}
switch(keytype) {
case KEYTYPE_RSA:
if (!EVP_PKEY_assign_RSA(key, RSA_generate_key(newkey,0x10001,
req_cb,bio_err))) {
}
break;
case KEYTYPE_DSA:
if (!DSA_generate_key(dsa_params)) goto end;
if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end;
dsa_params=NULL;
if (pkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
break;
}
// FIXME: dn doesn't exist
// FIXME: allow the notAfter value to be parameterized
// FIXME: allow a password to lock the key with
// Fill in the certificate
X509_NAME_add_entry_by_NID(x509name, OBJ_txt2nid("CN"), 0x1001,
(unsigned char *) dn, -1, -1, 0);
x509 = X509_new();
rc = X509_set_issuer_name(x509, x509name);
if (rc != 0) {
X509_free(x509);
X509_NAME_free(x509name);
return NULL;
}
rc = X509_set_subject_name(x509, x509name);
if (rc != 0) {
X509_free(x509);
X509_NAME_free(x509name);
return NULL;
}
ASN1_INTEGER_set(X509_get_serialNumber(*x509), 0);
X509_NAME_free(x509name);
// Make it a 1 year certificate
beforeafter = ASN1_UTCTIME_new();
if (!X509_gmtime_adj(beforeafter, -60*60*24)) { // yesterday
X509_free(x509);
return NULL;
}
if (!X509_set_notBefore(x509, beforeafter)) {
X509_free(x509);
return NULL;
}
if (!X509_gmtime_adj(beforeafter, 60*60*24*364)) { // a year from yesterday
X509_free(x509);
return NULL;
}
if (!X509_set_notAfter(x509, beforeafter)) {
X509_free(x509);
return NULL;
}
ASN1_UTCTIME_free(beforeafter);
if (!X509_set_pubkey(x509, key)) {
X509_free(x509);
return NULL;
}
rc = X509_sign(x509, key, EVP_sha1());
if (rc != 0) {
X509_free(x509);
return NULL;
}
newCert = new KSSLCertificate;
newCert->setCert(x509);
return newCert;
#else
return NULL;
#endif
}
inline utctime utctime::create()
{
return take_ownership(ASN1_UTCTIME_new());
}
