search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Restore support for openssl 0.9.7 (Debian Sarge).
[wvstreams.git] / crypto / wvx509mgr.cc
blobd974ecfe9b0587a789846620d78e28fb22b8727f
1 #include "wvbase64.h"
2 #include "wvsslhacks.h"
3 #include "wvx509mgr.h"
4 #include "wvautoconf.h"
5
6 #include <openssl/pem.h>
7 #include <openssl/x509v3.h>
8 #include <openssl/err.h>
9 #include <openssl/ssl.h>
10 #include <openssl/sha.h>
11 #include <openssl/pkcs12.h>
12
13
14 namespace {
15 class AutoClose {
16 public:
17 AutoClose(FILE *fp): fp(fp) { }
18 ~AutoClose()
19 {
20 if (fp)
21 fclose(fp);
22 }
23
24 operator FILE *() const
25 {
26 return fp;
27 }
28
29 private:
30 FILE *fp;
31 };
32 } // anomymous namespace...
33
34
35 WvX509Mgr::WvX509Mgr()
36 : WvX509(),
37 debug("X509 Manager", WvLog::Debug5)
38 {
39 rsa = NULL;
40 }
41
42
43 WvX509Mgr::WvX509Mgr(WvStringParm _dname, WvRSAKey *_rsa, bool ca)
44 : WvX509(),
45 debug("X509 Manager", WvLog::Debug5)
46 {
47 debug("Creating new certificate+key pair for %s.\n", _dname);
48 rsa = _rsa;
49
50 if (!!_dname)
51 {
52 create_selfissued(_dname, ca);
53 debug("Ok - Parameters set... now signing certificate.\n");
54 signcert(*this);
55 }
56 else
57 debug("Sorry, can't create an anonymous certificate.");
58 }
59
60
61 WvX509Mgr::WvX509Mgr(WvStringParm _dname, int bits, bool ca)
62 : WvX509(),
63 debug("X509 Manager", WvLog::Debug5)
64 {
65 debug("Creating new certificate+key pair for %s.\n", _dname);
66 rsa = NULL;
67
68 if (!!_dname)
69 {
70 rsa = new WvRSAKey(bits);
71 create_selfissued(_dname, ca);
72 debug("Ok - Parameters set... now signing certificate.\n");
73 signcert(*this);
74 }
75 else
76 debug("Sorry, can't create an anonymous certificate.");
77 }
78
79
80 void WvX509Mgr::create_selfissued(WvStringParm dname, bool is_ca)
81 {
82 if (cert)
83 {
84 debug("Replacing already existant certificate...\n");
85 X509_free(cert);
86 cert = NULL;
87 }
88
89 // double check RSA key
90 if (rsa->isok())
91 debug("RSA Key is fine.\n");
92 else
93 return;
94
95 if ((cert = X509_new()) == NULL)
96 return;
97
98 // Completely broken in my mind - this sets the version
99 // string to '3' (I guess version starts at 0)
100 set_version();
101
102 // RFC2459 says that this number must be unique for each certificate
103 // issued by a CA. It may be that some web browsers get confused if
104 // more than one cert with the same name has the same serial number, so
105 // let's be careful.
106 srand(time(NULL));
107 int serial = rand();
108 set_serial(serial);
109
110 // 10 years...
111 set_lifetime(60*60*24*3650);
112
113 set_pubkey(*rsa);
114
115 set_issuer(dname);
116 set_subject(dname);
117 set_ski();
118
119 if (is_ca)
120 {
121 debug("Setting Extensions with CA Parameters.\n");
122 debug("Setting Key Usage.\n");
123 set_key_usage("critical, keyCertSign, cRLSign");
124 debug("Setting Basic Constraints.\n");
125 set_extension(NID_basic_constraints, "critical, CA:TRUE");
126 debug("Setting Netscape Certificate Type.\n");
127 set_extension(NID_netscape_cert_type, "SSL CA, S/MIME CA, Object Signing CA");
128 // debug("Setting Constraints.\n");
129 // set_constraints("requireExplicitPolicy");
130 }
131 else
132 {
133 debug("Setting Key Usage with normal server parameters\n");
134 set_nsserver(dname);
135 set_key_usage("critical, digitalSignature, keyEncipherment, keyAgreement");
136 set_extension(NID_basic_constraints, "CA:FALSE");
137 set_ext_key_usage("TLS Web Server Authentication,"
138 "TLS Web Client Authentication");
139 }
140
141 // we do not actually sign the certificate here: that must be done by the
142 // user (WvX509Mgr most likely)
143
144 debug("Certificate for %s created\n", dname);
145 }
146
147
148 WvX509Mgr::~WvX509Mgr()
149 {
150 debug("Deleting.\n");
151 WVDELETE(rsa);
152 wvssl_free();
153 }
154
155
156 bool WvX509Mgr::isok() const
157 {
158 return WvX509::isok() && rsa && rsa->isok() && test();
159 }
160
161
162 WvString WvX509Mgr::errstr() const
163 {
164 if (!WvX509::isok())
165 return WvX509::errstr();
166
167 if (!rsa)
168 return "No RSA key set.";
169 else if (!rsa->isok())
170 return "RSA key not valid.";
171 else if (!test())
172 return "RSA key and certificate do not match.";
173
174 return WvString::empty;
175 }
176
177
178 bool WvX509Mgr::bind_ssl(SSL_CTX *ctx)
179 {
180 if (SSL_CTX_use_certificate(ctx, get_cert()) <= 0)
181 {
182 return false;
183 }
184 debug("Certificate activated.\n");
185
186 if (SSL_CTX_use_RSAPrivateKey(ctx, rsa->rsa) <= 0)
187 {
188 return false;
189 }
190 debug("RSA private key activated.\n");
191 return true;
192 }
193
194
195 bool WvX509Mgr::test() const
196 {
197 if (!cert)
198 {
199 debug("No X509 certificate: test fails.\n");
200 return false;
201 }
202
203 if (rsa)
204 {
205 EVP_PKEY *pk = EVP_PKEY_new();
206 assert(pk);
207
208 if (!EVP_PKEY_set1_RSA(pk, rsa->rsa))
209 {
210 debug("Error setting RSA keys: test fails.\n");
211 EVP_PKEY_free(pk);
212 return false;
213 }
214
215 bool bad = false;
216 int verify_return = X509_verify(cert, pk);
217
218 if (verify_return != 1) // only '1' means okay
219 {
220 // However let's double check:
221 WvString rsapub = rsa->encode(WvRSAKey::RsaPubPEM);
222 WvRSAKey *temprsa = get_rsa_pub();
223 WvString certpub = temprsa->encode(WvRSAKey::RsaPubPEM);
224 delete temprsa;
225 // debug("rsapub:\n%s\n", rsapub);
226 // debug("certpub:\n%s\n", certpub);
227 if (certpub == rsapub)
228 ; // do nothing, since OpenSSL is lying
229 else
230 {
231 // I guess that it really did fail.
232 debug("Certificate test failed: %s\n", wvssl_errstr());
233 bad = true;
234 }
235 }
236
237 EVP_PKEY_free(pk);
238 return !bad;
239 }
240
241 return false;
242 }
243
244
245 WvString WvX509Mgr::signreq(WvStringParm pkcs10req) const
246 {
247 debug("Signing a certificate request with: %s\n", get_subject());
248 if (!isok())
249 {
250 debug(WvLog::Warning, "Asked to sign certificate request, but not ok! "
251 "Aborting.\n");
252 return false;
253 }
254
255 // Break this next part out into a de-pemify section, since that is what
256 // this part up until the FIXME: is about.
257 WvString pkcs10(pkcs10req);
258
259 char *begin = strstr(pkcs10.edit(), "\nMII");
260 if (!begin)
261 {
262 debug("This doesn't look like PEM Encoded information...\n");
263 return WvString::null;
264 }
265 char *end = strstr(begin + 1, "\n---");
266 if (!end)
267 {
268 debug("Is this a complete certificate request?\n");
269 return WvString::null;
270 }
271 *++end = '\0';
272 WvString body(begin); // just the PKCS#10 request,
273 // without the ---BEGIN and ---END
274
275 WvDynBuf reqbuf;
276 WvBase64Decoder dec;
277 dec.flushstrbuf(body, reqbuf, true);
278
279 // FIXME: Duplicates code from cert_selfsign
280 size_t reqlen = reqbuf.used();
281 const unsigned char *req = reqbuf.get(reqlen);
282 X509_REQ *certreq = wv_d2i_X509_REQ(NULL, &req, reqlen);
283 if (certreq)
284 {
285 WvX509 newcert(X509_new());
286
287 newcert.set_subject(X509_REQ_get_subject_name(certreq));
288 newcert.set_version();
289
290 // Set the Serial Number for the certificate
291 srand(time(NULL));
292 int serial = rand();
293 newcert.set_serial(serial);
294
295 newcert.set_lifetime(60*60*24*3650);
296
297 // The public key of the new cert should be the same as that from
298 // the request.
299 EVP_PKEY *pk = X509_REQ_get_pubkey(certreq);
300 X509_set_pubkey(newcert.get_cert(), pk);
301 EVP_PKEY_free(pk);
302
303 // every good cert needs an ski+aki
304 newcert.set_ski();
305 newcert.set_aki(*this);
306
307 // The Issuer name is the subject name of the current cert
308 newcert.set_issuer(*this);
309
310 X509_EXTENSION *ex = NULL;
311 // Set the RFC2459-mandated keyUsage field to critical, and restrict
312 // the usage of this cert to digital signature and key encipherment.
313 newcert.set_key_usage("critical, digitalSignature, keyEncipherment");
314
315 // This could cause Netscape to barf because if we set basicConstraints
316 // to critical, we break RFC2459 compliance. Why they chose to enforce
317 // that bit, and not the rest is beyond me... but oh well...
318 ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
319 (char*)"CA:FALSE");
320
321 X509_add_ext(newcert.get_cert(), ex, -1);
322 X509_EXTENSION_free(ex);
323
324 newcert.set_ext_key_usage("critical, TLS Web Client Authentication");
325
326 signcert(newcert);
327
328 X509_REQ_free(certreq);
329 return WvString(newcert.encode(WvX509::CertPEM));
330 }
331 else
332 {
333 debug("Can't decode Certificate Request\n");
334 return WvString::null;
335 }
336 }
337
338
339 bool WvX509Mgr::signcert(WvX509 &unsignedcert) const
340 {
341 if (!isok())
342 {
343 debug(WvLog::Warning, "Asked to sign certificate, but not ok! "
344 "Aborting.\n");
345 return false;
346 }
347
348 if (cert == unsignedcert.cert)
349 {
350 debug("Self Signing!\n");
351 }
352 #ifdef HAVE_OPENSSL_POLICY_MAPPING
353 else if (!X509_check_ca(cert))
354 {
355 debug("This certificate is not a CA, and is thus not allowed to sign "
356 "certificates!\n");
357 return false;
358 }
359 #endif
360 else if (!((cert->ex_flags & EXFLAG_KUSAGE) &&
361 (cert->ex_kusage & KU_KEY_CERT_SIGN)))
362 {
363 debug("This Certificate is not allowed to sign certificates!\n");
364 return false;
365 }
366
367 debug("Ok, now sign the new cert with the current RSA key.\n");
368 EVP_PKEY *certkey = EVP_PKEY_new();
369 bool cakeyok = EVP_PKEY_set1_RSA(certkey, rsa->rsa);
370 if (cakeyok)
371 {
372 X509_sign(unsignedcert.get_cert(), certkey, EVP_sha1());
373 }
374 else
375 {
376 debug("No keys??\n");
377 EVP_PKEY_free(certkey);
378 return false;
379 }
380
381 EVP_PKEY_free(certkey);
382 return true;
383 }
384
385
386 bool WvX509Mgr::signcrl(WvCRL &crl) const
387 {
388 if (!isok() || !crl.isok())
389 {
390 debug(WvLog::Warning, "Asked to sign CRL, but certificate or CRL (or "
391 "both) not ok! Aborting.\n");
392 return false;
393 }
394 #ifdef HAVE_OPENSSL_POLICY_MAPPING
395 else if (!X509_check_ca(cert))
396 {
397 debug("This certificate is not a CA, and is thus not allowed to sign "
398 "CRLs!\n");
399 return false;
400 }
401 #endif
402 else if (!((cert->ex_flags & EXFLAG_KUSAGE) &&
403 (cert->ex_kusage & KU_CRL_SIGN)))
404 {
405 debug("Certificate not allowed to sign CRLs! (%s %s)\n",
406 (cert->ex_flags & EXFLAG_KUSAGE), (cert->ex_kusage & KU_CRL_SIGN));
407 return false;
408 }
409
410 EVP_PKEY *certkey = EVP_PKEY_new();
411 bool cakeyok = EVP_PKEY_set1_RSA(certkey, rsa->rsa);
412 if (cakeyok)
413 {
414 // Use Version 2 CRLs - Of COURSE that means
415 // to set it to 1 here... grumble..
416 X509_CRL_set_version(crl.getcrl(), 1);
417
418 X509_CRL_set_issuer_name(crl.getcrl(), X509_get_subject_name(cert));
419
420 ASN1_TIME *tmptm = ASN1_TIME_new();
421 // Set the LastUpdate time to now.
422 X509_gmtime_adj(tmptm, 0);
423 X509_CRL_set_lastUpdate(crl.getcrl(), tmptm);
424 // CRL's are valid for 30 days
425 X509_gmtime_adj(tmptm, (long)60*60*24*30);
426 X509_CRL_set_nextUpdate(crl.getcrl(), tmptm);
427 ASN1_TIME_free(tmptm);
428
429 // OK - now sign it...
430 X509_CRL_sign(crl.getcrl(), certkey, EVP_sha1());
431 }
432 else
433 {
434 debug(WvLog::Warning, "Asked to sign CRL, but no RSA key associated "
435 "with certificate. Aborting.\n");
436 EVP_PKEY_free(certkey);
437 return false;
438 }
439 EVP_PKEY_free(certkey);
440
441 return true;
442 }
443
444
445 WvString WvX509Mgr::sign(WvStringParm data) const
446 {
447 WvDynBuf buf;
448 buf.putstr(data);
449 return sign(buf);
450 }
451
452
453 WvString WvX509Mgr::sign(WvBuf &data) const
454 {
455 assert(rsa);
456
457 EVP_MD_CTX sig_ctx;
458 unsigned char sig_buf[4096];
459
460 EVP_PKEY *pk = EVP_PKEY_new();
461 assert(pk); // OOM
462
463 if (!EVP_PKEY_set1_RSA(pk, rsa->rsa))
464 {
465 debug("Error setting RSA keys.\n");
466 EVP_PKEY_free(pk);
467 return WvString::null;
468 }
469
470 EVP_SignInit(&sig_ctx, EVP_sha1());
471 EVP_SignUpdate(&sig_ctx, data.peek(0, data.used()), data.used());
472 unsigned int sig_len = sizeof(sig_buf);
473 int sig_err = EVP_SignFinal(&sig_ctx, sig_buf,
474 &sig_len, pk);
475 if (sig_err != 1)
476 {
477 debug("Error while signing.\n");
478 EVP_PKEY_free(pk);
479 return WvString::null;
480 }
481
482 EVP_PKEY_free(pk);
483 EVP_MD_CTX_cleanup(&sig_ctx); // this isn't my fault ://
484 WvDynBuf buf;
485 buf.put(sig_buf, sig_len);
486 debug("Signature size: %s\n", buf.used());
487 return WvBase64Encoder().strflushbuf(buf, true);
488 }
489
490
491 bool WvX509Mgr::write_p12(WvStringParm _fname, WvStringParm _pkcs12pass) const
492 {
493 debug("Dumping RSA Key and X509 Cert to PKCS12 structure.\n");
494
495 AutoClose fp = fopen(_fname, "wb");
496
497 if (!fp)
498 {
499 debug(WvLog::Warning, "Unable to open file. Error: %s\n", strerror(errno));
500 return false;
501 }
502
503 if (!!_pkcs12pass)
504 {
505 if (rsa && cert)
506 {
507 EVP_PKEY *pk = EVP_PKEY_new();
508 assert(pk); // OOM
509
510 if (!EVP_PKEY_set1_RSA(pk, rsa->rsa))
511 {
512 debug("Error setting RSA keys.\n");
513 EVP_PKEY_free(pk);
514 return false;
515 }
516 else
517 {
518 WvString pkcs12pass(_pkcs12pass);
519 PKCS12 *pkg = PKCS12_create(pkcs12pass.edit(), (char*)"foo", pk,
520 cert, NULL, 0, 0, 0,
521 0, 0);
522 if (pkg)
523 {
524 debug("Writing the PKCS12 object out...\n");
525 i2d_PKCS12_fp(fp, pkg);
526 PKCS12_free(pkg);
527 EVP_PKEY_free(pk);
528 }
529 else
530 {
531 debug(WvLog::Warning, "Unable to create PKCS12 object.");
532 EVP_PKEY_free(pk);
533 return false;
534 }
535 }
536 }
537 else
538 {
539 debug(WvLog::Warning, "The RSA key or the certificate is not present.");
540 return false;
541 }
542 }
543 else
544 {
545 debug(WvLog::Warning, "No password specified for PKCS12 dump.");
546 return false;
547 }
548
549 return true;
550 }
551
552
553 void WvX509Mgr::read_p12(WvStringParm _fname, WvStringParm _pkcs12pass)
554 {
555 debug("Reading Certificate and Private Key from PKCS12 file: %s\n", _fname);
556
557 if (rsa)
558 WVDELETE(rsa);
559
560 AutoClose fp = fopen(_fname, "r");
561
562 if (!fp)
563 {
564 debug("Unable to open file '%s'!\n", _fname);
565 return;
566 }
567
568 if (!!_pkcs12pass)
569 {
570 PKCS12 *pkg = d2i_PKCS12_fp(fp, NULL);
571 if (pkg)
572 {
573 EVP_PKEY *pk = NULL;
574
575 // Parse out the bits out the PKCS12 package.
576 X509 *x;
577 PKCS12_parse(pkg, _pkcs12pass, &pk, &x, NULL);
578 PKCS12_free(pkg);
579 if (!pk || !x)
580 {
581 debug("Could not decode pkcs12 file.\n");
582 EVP_PKEY_free(pk);
583 return;
584 }
585
586 cert = x;
587
588 // Now, cert should be OK, let's try and set up the RSA stuff
589 // since we've essentially got a PKEY, and not a WvRSAKey
590 // We need to create a new WvRSAKey from the PKEY...
591 rsa = new WvRSAKey(EVP_PKEY_get1_RSA(pk), true);
592 EVP_PKEY_free(pk);
593
594 // Now that we have both, check to make sure that they match
595 if (!test())
596 {
597 debug("Could not fill in RSA and certificate with matching "
598 "values! Expect problems.\n");
599 return;
600 }
601 }
602 else
603 {
604 debug("Read in of PKCS12 file '%s' failed", _fname);
605 return;
606 }
607 }
608 else
609 {
610 debug("No password specified for PKCS12 file\n");
611 return;
612 }
613 }
614
615
616 WvString WvX509Mgr::encode(const WvRSAKey::DumpMode mode) const
617 {
618 if (rsa)
619 return rsa->encode(mode);
620 return "";
621 }
622
623
624 WvString WvX509Mgr::encode(const WvX509::DumpMode mode) const
625 {
626 return WvX509::encode(mode);
627 }
628
629
630 void WvX509Mgr::encode(const WvRSAKey::DumpMode mode, WvBuf &buf) const
631 {
632 if (rsa)
633 rsa->encode(mode, buf);
634 }
635
636
637 void WvX509Mgr::encode(const WvX509::DumpMode mode, WvBuf &buf) const
638 {
639 WvX509::encode(mode, buf);
640 }
641
642
643 void WvX509Mgr::decode(const WvRSAKey::DumpMode mode, WvStringParm encoded)
644 {
645 if (rsa)
646 rsa->decode(mode, encoded);
647 else
648 {
649 rsa = new WvRSAKey();
650 rsa->decode(mode, encoded);
651 }
652 }
653
654
655 void WvX509Mgr::decode(const WvX509::DumpMode mode, WvStringParm encoded)
656 {
657 WvX509::decode(mode, encoded);
658 }
659
660
661 void WvX509Mgr::decode(const WvRSAKey::DumpMode mode, WvBuf &encoded)
662 {
663 if (rsa)
664 rsa->decode(mode, encoded);
665 else
666 {
667 rsa = new WvRSAKey();
668 rsa->decode(mode, encoded);
669 }
670 }
671
672
673 void WvX509Mgr::decode(const WvX509::DumpMode mode, WvBuf &encoded)
674 {
675 WvX509::decode(mode, encoded);
676 }
C++ networking library optimized for simplicity and performance