lib/libtls/tls_keypair.c

   1 /* $OpenBSD: tls_keypair.c,v 1.6 2018/04/07 16:35:34 jsing Exp $ */
   2 /*
   3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
   4  *
   5  * Permission to use, copy, modify, and distribute this software for any
   6  * purpose with or without fee is hereby granted, provided that the above
   7  * copyright notice and this permission notice appear in all copies.
   8  *
   9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16  */
  17
  18 #include <openssl/bio.h>
  19 #include <openssl/err.h>
  20 #include <openssl/pem.h>
  21
  22 #include <tls.h>
  23
  24 #include "tls_internal.h"
  25
  26 struct tls_keypair *
  27 tls_keypair_new(void)
  28 {
  29         return calloc(1, sizeof(struct tls_keypair));
  30 }
  31
  32 static int
  33 tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
  34 {
  35         X509 *cert = NULL;
  36         int rv = -1;
  37
  38         free(keypair->pubkey_hash);
  39         keypair->pubkey_hash = NULL;
  40
  41         if (keypair->cert_mem == NULL) {
  42                 rv = 0;
  43                 goto done;
  44         }
  45
  46         if (tls_keypair_load_cert(keypair, error, &cert) == -1)
  47                 goto err;
  48         if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
  49                 goto err;
  50
  51         rv = 0;
  52
  53  err:
  54         X509_free(cert);
  55  done:
  56         return (rv);
  57 }
  58
  59 void
  60 tls_keypair_clear_key(struct tls_keypair *keypair)
  61 {
  62         freezero(keypair->key_mem, keypair->key_len);
  63         keypair->key_mem = NULL;
  64         keypair->key_len = 0;
  65 }
  66
  67 int
  68 tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
  69     const char *cert_file)
  70 {
  71         if (tls_config_load_file(error, "certificate", cert_file,
  72             &keypair->cert_mem, &keypair->cert_len) == -1)
  73                 return -1;
  74         return tls_keypair_pubkey_hash(keypair, error);
  75 }
  76
  77 int
  78 tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
  79     const uint8_t *cert, size_t len)
  80 {
  81         if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
  82                 return -1;
  83         return tls_keypair_pubkey_hash(keypair, error);
  84 }
  85
  86 int
  87 tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
  88     const char *key_file)
  89 {
  90         tls_keypair_clear_key(keypair);
  91         return tls_config_load_file(error, "key", key_file,
  92             &keypair->key_mem, &keypair->key_len);
  93 }
  94
  95 int
  96 tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
  97     const uint8_t *key, size_t len)
  98 {
  99         tls_keypair_clear_key(keypair);
 100         return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
 101 }
 102
 103 int
 104 tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
 105     struct tls_error *error, const char *ocsp_file)
 106 {
 107         return tls_config_load_file(error, "ocsp", ocsp_file,
 108             &keypair->ocsp_staple, &keypair->ocsp_staple_len);
 109 }
 110
 111 int
 112 tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
 113     struct tls_error *error, const uint8_t *staple, size_t len)
 114 {
 115         return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
 116             staple, len);
 117 }
 118
 119 void
 120 tls_keypair_free(struct tls_keypair *keypair)
 121 {
 122         if (keypair == NULL)
 123                 return;
 124
 125         tls_keypair_clear_key(keypair);
 126
 127         free(keypair->cert_mem);
 128         free(keypair->ocsp_staple);
 129         free(keypair->pubkey_hash);
 130
 131         free(keypair);
 132 }
 133
 134 int
 135 tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
 136     X509 **cert)
 137 {
 138         char *errstr = "unknown";
 139         BIO *cert_bio = NULL;
 140         int ssl_err;
 141         int rv = -1;
 142
 143         X509_free(*cert);
 144         *cert = NULL;
 145
 146         if (keypair->cert_mem == NULL) {
 147                 tls_error_set(error, "keypair has no certificate");
 148                 goto err;
 149         }
 150         if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
 151             keypair->cert_len)) == NULL) {
 152                 tls_error_set(error, "failed to create certificate bio");
 153                 goto err;
 154         }
 155         if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
 156             NULL)) == NULL) {
 157                 if ((ssl_err = ERR_peek_error()) != 0)
 158                     errstr = ERR_error_string(ssl_err, NULL);
 159                 tls_error_set(error, "failed to load certificate: %s", errstr);
 160                 goto err;
 161         }
 162
 163         rv = 0;
 164
 165  err:
 166         BIO_free(cert_bio);
 167
 168         return (rv);
 169 }