search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Try another fix for wvlinkerhack and static libraries.
[wvstreams.git] / crypto / wvx509mgr.cc
blobbcb5247490d7dc8215d63e3fca8a1aa91d67b75c
1 #include "wvbase64.h"
2 #include "wvsslhacks.h"
3 #include "wvx509mgr.h"
4
5 #include <openssl/pem.h>
6 #include <openssl/x509v3.h>
7 #include <openssl/err.h>
8 #include <openssl/ssl.h>
9 #include <openssl/sha.h>
10 #include <openssl/pkcs12.h>
11
12
13 namespace {
14 class AutoClose {
15 public:
16 AutoClose(FILE *fp): fp(fp) { }
17 ~AutoClose()
18 {
19 if (fp)
20 fclose(fp);
21 }
22
23 operator FILE *() const
24 {
25 return fp;
26 }
27
28 private:
29 FILE *fp;
30 };
31 } // anomymous namespace...
32
33
34 WvX509Mgr::WvX509Mgr()
35 : WvX509(),
36 debug("X509 Manager", WvLog::Debug5)
37 {
38 rsa = NULL;
39 }
40
41
42 WvX509Mgr::WvX509Mgr(WvStringParm _dname, WvRSAKey *_rsa, bool ca)
43 : WvX509(),
44 debug("X509 Manager", WvLog::Debug5)
45 {
46 debug("Creating new certificate+key pair for %s.\n", _dname);
47 rsa = _rsa;
48
49 if (!!_dname)
50 {
51 create_selfissued(_dname, ca);
52 debug("Ok - Parameters set... now signing certificate.\n");
53 signcert(*this);
54 }
55 else
56 debug("Sorry, can't create an anonymous certificate.");
57 }
58
59
60 WvX509Mgr::WvX509Mgr(WvStringParm _dname, int bits, bool ca)
61 : WvX509(),
62 debug("X509 Manager", WvLog::Debug5)
63 {
64 debug("Creating new certificate+key pair for %s.\n", _dname);
65 rsa = NULL;
66
67 if (!!_dname)
68 {
69 rsa = new WvRSAKey(bits);
70 create_selfissued(_dname, ca);
71 debug("Ok - Parameters set... now signing certificate.\n");
72 signcert(*this);
73 }
74 else
75 debug("Sorry, can't create an anonymous certificate.");
76 }
77
78
79 void WvX509Mgr::create_selfissued(WvStringParm dname, bool is_ca)
80 {
81 if (cert)
82 {
83 debug("Replacing already existant certificate...\n");
84 X509_free(cert);
85 cert = NULL;
86 }
87
88 // double check RSA key
89 if (rsa->isok())
90 debug("RSA Key is fine.\n");
91 else
92 return;
93
94 if ((cert = X509_new()) == NULL)
95 return;
96
97 // Completely broken in my mind - this sets the version
98 // string to '3' (I guess version starts at 0)
99 set_version();
100
101 // RFC2459 says that this number must be unique for each certificate
102 // issued by a CA. It may be that some web browsers get confused if
103 // more than one cert with the same name has the same serial number, so
104 // let's be careful.
105 srand(time(NULL));
106 int serial = rand();
107 set_serial(serial);
108
109 // 10 years...
110 set_lifetime(60*60*24*3650);
111
112 set_pubkey(*rsa);
113
114 set_issuer(dname);
115 set_subject(dname);
116 set_ski();
117
118 if (is_ca)
119 {
120 debug("Setting Extensions with CA Parameters.\n");
121 debug("Setting Key Usage.\n");
122 set_key_usage("critical, keyCertSign, cRLSign");
123 debug("Setting Basic Constraints.\n");
124 set_extension(NID_basic_constraints, "critical, CA:TRUE");
125 debug("Setting Netscape Certificate Type.\n");
126 set_extension(NID_netscape_cert_type, "SSL CA, S/MIME CA, Object Signing CA");
127 // debug("Setting Constraints.\n");
128 // set_constraints("requireExplicitPolicy");
129 }
130 else
131 {
132 debug("Setting Key Usage with normal server parameters\n");
133 set_nsserver(dname);
134 set_key_usage("critical, digitalSignature, keyEncipherment, keyAgreement");
135 set_extension(NID_basic_constraints, "CA:FALSE");
136 set_ext_key_usage("TLS Web Server Authentication,"
137 "TLS Web Client Authentication");
138 }
139
140 // we do not actually sign the certificate here: that must be done by the
141 // user (WvX509Mgr most likely)
142
143 debug("Certificate for %s created\n", dname);
144 }
145
146
147 WvX509Mgr::~WvX509Mgr()
148 {
149 debug("Deleting.\n");
150 WVDELETE(rsa);
151 wvssl_free();
152 }
153
154
155 bool WvX509Mgr::isok() const
156 {
157 return WvX509::isok() && rsa && rsa->isok() && test();
158 }
159
160
161 WvString WvX509Mgr::errstr() const
162 {
163 if (!WvX509::isok())
164 return WvX509::errstr();
165
166 if (!rsa)
167 return "No RSA key set.";
168 else if (!rsa->isok())
169 return "RSA key not valid.";
170 else if (!test())
171 return "RSA key and certificate do not match.";
172
173 return WvString::empty;
174 }
175
176
177 bool WvX509Mgr::bind_ssl(SSL_CTX *ctx)
178 {
179 if (SSL_CTX_use_certificate(ctx, get_cert()) <= 0)
180 {
181 return false;
182 }
183 debug("Certificate activated.\n");
184
185 if (SSL_CTX_use_RSAPrivateKey(ctx, rsa->rsa) <= 0)
186 {
187 return false;
188 }
189 debug("RSA private key activated.\n");
190 return true;
191 }
192
193
194 bool WvX509Mgr::test() const
195 {
196 if (!cert)
197 {
198 debug("No X509 certificate: test fails.\n");
199 return false;
200 }
201
202 if (rsa)
203 {
204 EVP_PKEY *pk = EVP_PKEY_new();
205 assert(pk);
206
207 if (!EVP_PKEY_set1_RSA(pk, rsa->rsa))
208 {
209 debug("Error setting RSA keys: test fails.\n");
210 EVP_PKEY_free(pk);
211 return false;
212 }
213
214 bool bad = false;
215 int verify_return = X509_verify(cert, pk);
216
217 if (verify_return != 1) // only '1' means okay
218 {
219 // However let's double check:
220 WvString rsapub = rsa->encode(WvRSAKey::RsaPubPEM);
221 WvRSAKey *temprsa = get_rsa_pub();
222 WvString certpub = temprsa->encode(WvRSAKey::RsaPubPEM);
223 delete temprsa;
224 // debug("rsapub:\n%s\n", rsapub);
225 // debug("certpub:\n%s\n", certpub);
226 if (certpub == rsapub)
227 ; // do nothing, since OpenSSL is lying
228 else
229 {
230 // I guess that it really did fail.
231 debug("Certificate test failed: %s\n", wvssl_errstr());
232 bad = true;
233 }
234 }
235
236 EVP_PKEY_free(pk);
237 return !bad;
238 }
239
240 return false;
241 }
242
243
244 WvString WvX509Mgr::signreq(WvStringParm pkcs10req) const
245 {
246 debug("Signing a certificate request with: %s\n", get_subject());
247 if (!isok())
248 {
249 debug(WvLog::Warning, "Asked to sign certificate request, but not ok! "
250 "Aborting.\n");
251 return false;
252 }
253
254 // Break this next part out into a de-pemify section, since that is what
255 // this part up until the FIXME: is about.
256 WvString pkcs10(pkcs10req);
257
258 char *begin = strstr(pkcs10.edit(), "\nMII");
259 if (!begin)
260 {
261 debug("This doesn't look like PEM Encoded information...\n");
262 return WvString::null;
263 }
264 char *end = strstr(begin + 1, "\n---");
265 if (!end)
266 {
267 debug("Is this a complete certificate request?\n");
268 return WvString::null;
269 }
270 *++end = '\0';
271 WvString body(begin); // just the PKCS#10 request,
272 // without the ---BEGIN and ---END
273
274 WvDynBuf reqbuf;
275 WvBase64Decoder dec;
276 dec.flushstrbuf(body, reqbuf, true);
277
278 // FIXME: Duplicates code from cert_selfsign
279 size_t reqlen = reqbuf.used();
280 const unsigned char *req = reqbuf.get(reqlen);
281 X509_REQ *certreq = wv_d2i_X509_REQ(NULL, &req, reqlen);
282 if (certreq)
283 {
284 WvX509 newcert(X509_new());
285
286 newcert.set_subject(X509_REQ_get_subject_name(certreq));
287 newcert.set_version();
288
289 // Set the Serial Number for the certificate
290 srand(time(NULL));
291 int serial = rand();
292 newcert.set_serial(serial);
293
294 newcert.set_lifetime(60*60*24*3650);
295
296 // The public key of the new cert should be the same as that from
297 // the request.
298 EVP_PKEY *pk = X509_REQ_get_pubkey(certreq);
299 X509_set_pubkey(newcert.get_cert(), pk);
300 EVP_PKEY_free(pk);
301
302 // every good cert needs an ski+aki
303 newcert.set_ski();
304 newcert.set_aki(*this);
305
306 // The Issuer name is the subject name of the current cert
307 newcert.set_issuer(*this);
308
309 X509_EXTENSION *ex = NULL;
310 // Set the RFC2459-mandated keyUsage field to critical, and restrict
311 // the usage of this cert to digital signature and key encipherment.
312 newcert.set_key_usage("critical, digitalSignature, keyEncipherment");
313
314 // This could cause Netscape to barf because if we set basicConstraints
315 // to critical, we break RFC2459 compliance. Why they chose to enforce
316 // that bit, and not the rest is beyond me... but oh well...
317 ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
318 (char*)"CA:FALSE");
319
320 X509_add_ext(newcert.get_cert(), ex, -1);
321 X509_EXTENSION_free(ex);
322
323 newcert.set_ext_key_usage("critical, TLS Web Client Authentication");
324
325 signcert(newcert);
326
327 X509_REQ_free(certreq);
328 return WvString(newcert.encode(WvX509::CertPEM));
329 }
330 else
331 {
332 debug("Can't decode Certificate Request\n");
333 return WvString::null;
334 }
335 }
336
337
338 bool WvX509Mgr::signcert(WvX509 &unsignedcert) const
339 {
340 if (!isok())
341 {
342 debug(WvLog::Warning, "Asked to sign certificate, but not ok! "
343 "Aborting.\n");
344 return false;
345 }
346
347 if (cert == unsignedcert.cert)
348 {
349 debug("Self Signing!\n");
350 }
351 else if (!X509_check_ca(cert))
352 {
353 debug("This certificate is not a CA, and is thus not allowed to sign "
354 "certificates!\n");
355 return false;
356 }
357 else if (!((cert->ex_flags & EXFLAG_KUSAGE) &&
358 (cert->ex_kusage & KU_KEY_CERT_SIGN)))
359 {
360 debug("This Certificate is not allowed to sign certificates!\n");
361 return false;
362 }
363
364 debug("Ok, now sign the new cert with the current RSA key.\n");
365 EVP_PKEY *certkey = EVP_PKEY_new();
366 bool cakeyok = EVP_PKEY_set1_RSA(certkey, rsa->rsa);
367 if (cakeyok)
368 {
369 X509_sign(unsignedcert.get_cert(), certkey, EVP_sha1());
370 }
371 else
372 {
373 debug("No keys??\n");
374 EVP_PKEY_free(certkey);
375 return false;
376 }
377
378 EVP_PKEY_free(certkey);
379 return true;
380 }
381
382
383 bool WvX509Mgr::signcrl(WvCRL &crl) const
384 {
385 if (!isok() || !crl.isok())
386 {
387 debug(WvLog::Warning, "Asked to sign CRL, but certificate or CRL (or "
388 "both) not ok! Aborting.\n");
389 return false;
390 }
391 else if (!X509_check_ca(cert))
392 {
393 debug("This certificate is not a CA, and is thus not allowed to sign "
394 "CRLs!\n");
395 return false;
396 }
397 else if (!((cert->ex_flags & EXFLAG_KUSAGE) &&
398 (cert->ex_kusage & KU_CRL_SIGN)))
399 {
400 debug("Certificate not allowed to sign CRLs! (%s %s)\n",
401 (cert->ex_flags & EXFLAG_KUSAGE), (cert->ex_kusage & KU_CRL_SIGN));
402 return false;
403 }
404
405 EVP_PKEY *certkey = EVP_PKEY_new();
406 bool cakeyok = EVP_PKEY_set1_RSA(certkey, rsa->rsa);
407 if (cakeyok)
408 {
409 // Use Version 2 CRLs - Of COURSE that means
410 // to set it to 1 here... grumble..
411 X509_CRL_set_version(crl.getcrl(), 1);
412
413 X509_CRL_set_issuer_name(crl.getcrl(), X509_get_subject_name(cert));
414
415 ASN1_TIME *tmptm = ASN1_TIME_new();
416 // Set the LastUpdate time to now.
417 X509_gmtime_adj(tmptm, 0);
418 X509_CRL_set_lastUpdate(crl.getcrl(), tmptm);
419 // CRL's are valid for 30 days
420 X509_gmtime_adj(tmptm, (long)60*60*24*30);
421 X509_CRL_set_nextUpdate(crl.getcrl(), tmptm);
422 ASN1_TIME_free(tmptm);
423
424 // OK - now sign it...
425 X509_CRL_sign(crl.getcrl(), certkey, EVP_sha1());
426 }
427 else
428 {
429 debug(WvLog::Warning, "Asked to sign CRL, but no RSA key associated "
430 "with certificate. Aborting.\n");
431 EVP_PKEY_free(certkey);
432 return false;
433 }
434 EVP_PKEY_free(certkey);
435
436 return true;
437 }
438
439
440 WvString WvX509Mgr::sign(WvStringParm data) const
441 {
442 WvDynBuf buf;
443 buf.putstr(data);
444 return sign(buf);
445 }
446
447
448 WvString WvX509Mgr::sign(WvBuf &data) const
449 {
450 assert(rsa);
451
452 EVP_MD_CTX sig_ctx;
453 unsigned char sig_buf[4096];
454
455 EVP_PKEY *pk = EVP_PKEY_new();
456 assert(pk); // OOM
457
458 if (!EVP_PKEY_set1_RSA(pk, rsa->rsa))
459 {
460 debug("Error setting RSA keys.\n");
461 EVP_PKEY_free(pk);
462 return WvString::null;
463 }
464
465 EVP_SignInit(&sig_ctx, EVP_sha1());
466 EVP_SignUpdate(&sig_ctx, data.peek(0, data.used()), data.used());
467 unsigned int sig_len = sizeof(sig_buf);
468 int sig_err = EVP_SignFinal(&sig_ctx, sig_buf,
469 &sig_len, pk);
470 if (sig_err != 1)
471 {
472 debug("Error while signing.\n");
473 EVP_PKEY_free(pk);
474 return WvString::null;
475 }
476
477 EVP_PKEY_free(pk);
478 EVP_MD_CTX_cleanup(&sig_ctx); // this isn't my fault ://
479 WvDynBuf buf;
480 buf.put(sig_buf, sig_len);
481 debug("Signature size: %s\n", buf.used());
482 return WvBase64Encoder().strflushbuf(buf, true);
483 }
484
485
486 bool WvX509Mgr::write_p12(WvStringParm _fname, WvStringParm _pkcs12pass) const
487 {
488 debug("Dumping RSA Key and X509 Cert to PKCS12 structure.\n");
489
490 AutoClose fp = fopen(_fname, "wb");
491
492 if (!fp)
493 {
494 debug(WvLog::Warning, "Unable to open file. Error: %s\n", strerror(errno));
495 return false;
496 }
497
498 if (!!_pkcs12pass)
499 {
500 if (rsa && cert)
501 {
502 EVP_PKEY *pk = EVP_PKEY_new();
503 assert(pk); // OOM
504
505 if (!EVP_PKEY_set1_RSA(pk, rsa->rsa))
506 {
507 debug("Error setting RSA keys.\n");
508 EVP_PKEY_free(pk);
509 return false;
510 }
511 else
512 {
513 WvString pkcs12pass(_pkcs12pass);
514 PKCS12 *pkg = PKCS12_create(pkcs12pass.edit(), (char*)"foo", pk,
515 cert, NULL, 0, 0, 0,
516 0, 0);
517 if (pkg)
518 {
519 debug("Writing the PKCS12 object out...\n");
520 i2d_PKCS12_fp(fp, pkg);
521 PKCS12_free(pkg);
522 EVP_PKEY_free(pk);
523 }
524 else
525 {
526 debug(WvLog::Warning, "Unable to create PKCS12 object.");
527 EVP_PKEY_free(pk);
528 return false;
529 }
530 }
531 }
532 else
533 {
534 debug(WvLog::Warning, "The RSA key or the certificate is not present.");
535 return false;
536 }
537 }
538 else
539 {
540 debug(WvLog::Warning, "No password specified for PKCS12 dump.");
541 return false;
542 }
543
544 return true;
545 }
546
547
548 void WvX509Mgr::read_p12(WvStringParm _fname, WvStringParm _pkcs12pass)
549 {
550 debug("Reading Certificate and Private Key from PKCS12 file: %s\n", _fname);
551
552 if (rsa)
553 WVDELETE(rsa);
554
555 AutoClose fp = fopen(_fname, "r");
556
557 if (!fp)
558 {
559 debug("Unable to open file '%s'!\n", _fname);
560 return;
561 }
562
563 if (!!_pkcs12pass)
564 {
565 PKCS12 *pkg = d2i_PKCS12_fp(fp, NULL);
566 if (pkg)
567 {
568 EVP_PKEY *pk = NULL;
569
570 // Parse out the bits out the PKCS12 package.
571 X509 *x;
572 PKCS12_parse(pkg, _pkcs12pass, &pk, &x, NULL);
573 PKCS12_free(pkg);
574 if (!pk || !x)
575 {
576 debug("Could not decode pkcs12 file.\n");
577 EVP_PKEY_free(pk);
578 return;
579 }
580
581 cert = x;
582
583 // Now, cert should be OK, let's try and set up the RSA stuff
584 // since we've essentially got a PKEY, and not a WvRSAKey
585 // We need to create a new WvRSAKey from the PKEY...
586 rsa = new WvRSAKey(EVP_PKEY_get1_RSA(pk), true);
587 EVP_PKEY_free(pk);
588
589 // Now that we have both, check to make sure that they match
590 if (!test())
591 {
592 debug("Could not fill in RSA and certificate with matching "
593 "values! Expect problems.\n");
594 return;
595 }
596 }
597 else
598 {
599 debug("Read in of PKCS12 file '%s' failed", _fname);
600 return;
601 }
602 }
603 else
604 {
605 debug("No password specified for PKCS12 file\n");
606 return;
607 }
608 }
609
610
611 WvString WvX509Mgr::encode(const WvRSAKey::DumpMode mode) const
612 {
613 if (rsa)
614 return rsa->encode(mode);
615 return "";
616 }
617
618
619 WvString WvX509Mgr::encode(const WvX509::DumpMode mode) const
620 {
621 return WvX509::encode(mode);
622 }
623
624
625 void WvX509Mgr::encode(const WvRSAKey::DumpMode mode, WvBuf &buf) const
626 {
627 if (rsa)
628 rsa->encode(mode, buf);
629 }
630
631
632 void WvX509Mgr::encode(const WvX509::DumpMode mode, WvBuf &buf) const
633 {
634 WvX509::encode(mode, buf);
635 }
636
637
638 void WvX509Mgr::decode(const WvRSAKey::DumpMode mode, WvStringParm encoded)
639 {
640 if (rsa)
641 rsa->decode(mode, encoded);
642 else
643 {
644 rsa = new WvRSAKey();
645 rsa->decode(mode, encoded);
646 }
647 }
648
649
650 void WvX509Mgr::decode(const WvX509::DumpMode mode, WvStringParm encoded)
651 {
652 WvX509::decode(mode, encoded);
653 }
654
655
656 void WvX509Mgr::decode(const WvRSAKey::DumpMode mode, WvBuf &encoded)
657 {
658 if (rsa)
659 rsa->decode(mode, encoded);
660 else
661 {
662 rsa = new WvRSAKey();
663 rsa->decode(mode, encoded);
664 }
665 }
666
667
668 void WvX509Mgr::decode(const WvX509::DumpMode mode, WvBuf &encoded)
669 {
670 WvX509::decode(mode, encoded);
671 }
C++ networking library optimized for simplicity and performance