Annotation of embedaddon/axTLS/ssl/gen_cert.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (c) 2007, Cameron Rich
! 3: *
! 4: * All rights reserved.
! 5: *
! 6: * Redistribution and use in source and binary forms, with or without
! 7: * modification, are permitted provided that the following conditions are met:
! 8: *
! 9: * * Redistributions of source code must retain the above copyright notice,
! 10: * this list of conditions and the following disclaimer.
! 11: * * Redistributions in binary form must reproduce the above copyright notice,
! 12: * this list of conditions and the following disclaimer in the documentation
! 13: * and/or other materials provided with the distribution.
! 14: * * Neither the name of the axTLS project nor the names of its contributors
! 15: * may be used to endorse or promote products derived from this software
! 16: * without specific prior written permission.
! 17: *
! 18: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
! 19: * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
! 20: * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
! 21: * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
! 22: * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
! 23: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
! 24: * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
! 25: * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
! 26: * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
! 27: * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
! 28: * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 29: */
! 30:
! 31: #include "config.h"
! 32:
! 33: #ifdef CONFIG_SSL_GENERATE_X509_CERT
! 34: #include <string.h>
! 35: #include <stdlib.h>
! 36: #include "os_port.h"
! 37: #include "ssl.h"
! 38:
! 39: /**
! 40: * Generate a basic X.509 certificate
! 41: */
! 42:
! 43: static uint8_t set_gen_length(int len, uint8_t *buf, int *offset)
! 44: {
! 45: if (len < 0x80) /* short form */
! 46: {
! 47: buf[(*offset)++] = len;
! 48: return 1;
! 49: }
! 50: else /* long form */
! 51: {
! 52: int i, length_bytes = 0;
! 53:
! 54: if (len & 0x00FF0000)
! 55: length_bytes = 3;
! 56: else if (len & 0x0000FF00)
! 57: length_bytes = 2;
! 58: else if (len & 0x000000FF)
! 59: length_bytes = 1;
! 60:
! 61: buf[(*offset)++] = 0x80 + length_bytes;
! 62:
! 63: for (i = length_bytes-1; i >= 0; i--)
! 64: {
! 65: buf[*offset+i] = len & 0xFF;
! 66: len >>= 8;
! 67: }
! 68:
! 69: *offset += length_bytes;
! 70: return length_bytes+1;
! 71: }
! 72: }
! 73:
! 74: static int pre_adjust_with_size(uint8_t type,
! 75: int *seq_offset, uint8_t *buf, int *offset)
! 76: {
! 77: buf[(*offset)++] = type;
! 78: *seq_offset = *offset;
! 79: *offset += 4; /* fill in later */
! 80: return *offset;
! 81: }
! 82:
! 83: static void adjust_with_size(int seq_size, int seq_start,
! 84: uint8_t *buf, int *offset)
! 85: {
! 86: uint8_t seq_byte_size;
! 87: int orig_seq_size = seq_size;
! 88: int orig_seq_start = seq_start;
! 89:
! 90: seq_size = *offset-seq_size;
! 91: seq_byte_size = set_gen_length(seq_size, buf, &seq_start);
! 92:
! 93: if (seq_byte_size != 4)
! 94: {
! 95: memmove(&buf[orig_seq_start+seq_byte_size],
! 96: &buf[orig_seq_size], seq_size);
! 97: *offset -= 4-seq_byte_size;
! 98: }
! 99: }
! 100:
! 101: static void gen_serial_number(uint8_t *buf, int *offset)
! 102: {
! 103: static const uint8_t ser_oid[] = { ASN1_INTEGER, 1, 0x7F };
! 104: memcpy(&buf[*offset], ser_oid , sizeof(ser_oid));
! 105: *offset += sizeof(ser_oid);
! 106: }
! 107:
! 108: static void gen_signature_alg(uint8_t *buf, int *offset)
! 109: {
! 110: /* OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5) */
! 111: static const uint8_t sig_oid[] =
! 112: {
! 113: ASN1_SEQUENCE, 0x0d, ASN1_OID, 0x09,
! 114: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
! 115: ASN1_NULL, 0x00
! 116: };
! 117:
! 118: memcpy(&buf[*offset], sig_oid, sizeof(sig_oid));
! 119: *offset += sizeof(sig_oid);
! 120: }
! 121:
! 122: static int gen_dn(const char *name, uint8_t dn_type,
! 123: uint8_t *buf, int *offset)
! 124: {
! 125: int ret = X509_OK;
! 126: int name_size = strlen(name);
! 127:
! 128: if (name_size > 0x70) /* just too big */
! 129: {
! 130: ret = X509_NOT_OK;
! 131: goto error;
! 132: }
! 133:
! 134: buf[(*offset)++] = ASN1_SET;
! 135: set_gen_length(9+name_size, buf, offset);
! 136: buf[(*offset)++] = ASN1_SEQUENCE;
! 137: set_gen_length(7+name_size, buf, offset);
! 138: buf[(*offset)++] = ASN1_OID;
! 139: buf[(*offset)++] = 3;
! 140: buf[(*offset)++] = 0x55;
! 141: buf[(*offset)++] = 0x04;
! 142: buf[(*offset)++] = dn_type;
! 143: buf[(*offset)++] = ASN1_PRINTABLE_STR;
! 144: buf[(*offset)++] = name_size;
! 145: strcpy(&buf[*offset], name);
! 146: *offset += name_size;
! 147:
! 148: error:
! 149: return ret;
! 150: }
! 151:
! 152: static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
! 153: {
! 154: int ret = X509_OK;
! 155: int seq_offset;
! 156: int seq_size = pre_adjust_with_size(
! 157: ASN1_SEQUENCE, &seq_offset, buf, offset);
! 158: char fqdn[128];
! 159:
! 160: /* we need the common name, so if not configured, work out the fully
! 161: * qualified domain name */
! 162: if (dn[X509_COMMON_NAME] == NULL || strlen(dn[X509_COMMON_NAME]) == 0)
! 163: {
! 164: int fqdn_len;
! 165: gethostname(fqdn, sizeof(fqdn));
! 166: fqdn_len = strlen(fqdn);
! 167: fqdn[fqdn_len++] = '.';
! 168: getdomainname(&fqdn[fqdn_len], sizeof(fqdn)-fqdn_len);
! 169: fqdn_len = strlen(fqdn);
! 170:
! 171: if (fqdn[fqdn_len-1] == '.') /* ensure '.' is not last char */
! 172: fqdn[fqdn_len-1] = 0;
! 173:
! 174: dn[X509_COMMON_NAME] = fqdn;
! 175: }
! 176:
! 177: if ((ret = gen_dn(dn[X509_COMMON_NAME], 3, buf, offset)))
! 178: goto error;
! 179:
! 180: if (dn[X509_ORGANIZATION] != NULL && strlen(dn[X509_ORGANIZATION]) > 0)
! 181: {
! 182: if ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset)))
! 183: goto error;
! 184: }
! 185:
! 186: if (dn[X509_ORGANIZATIONAL_UNIT] != NULL &&
! 187: strlen(dn[X509_ORGANIZATIONAL_UNIT]) > 0)
! 188: {
! 189: if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_UNIT], 11, buf, offset)))
! 190: goto error;
! 191: }
! 192:
! 193: adjust_with_size(seq_size, seq_offset, buf, offset);
! 194:
! 195: error:
! 196: return ret;
! 197: }
! 198:
! 199: static void gen_utc_time(uint8_t *buf, int *offset)
! 200: {
! 201: static const uint8_t time_seq[] =
! 202: {
! 203: ASN1_SEQUENCE, 30,
! 204: ASN1_UTC_TIME, 13,
! 205: '0', '7', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z',
! 206: ASN1_UTC_TIME, 13, /* make it good for 30 or so years */
! 207: '3', '8', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z'
! 208: };
! 209:
! 210: /* fixed time */
! 211: memcpy(&buf[*offset], time_seq, sizeof(time_seq));
! 212: *offset += sizeof(time_seq);
! 213: }
! 214:
! 215: static void gen_pub_key2(const RSA_CTX *rsa_ctx, uint8_t *buf, int *offset)
! 216: {
! 217: static const uint8_t pub_key_seq[] =
! 218: {
! 219: ASN1_INTEGER, 0x03, 0x01, 0x00, 0x01 /* INTEGER 65537 */
! 220: };
! 221:
! 222: int seq_offset;
! 223: int pub_key_size = rsa_ctx->num_octets;
! 224: uint8_t *block = (uint8_t *)alloca(pub_key_size);
! 225: int seq_size = pre_adjust_with_size(
! 226: ASN1_SEQUENCE, &seq_offset, buf, offset);
! 227: buf[(*offset)++] = ASN1_INTEGER;
! 228: bi_export(rsa_ctx->bi_ctx, rsa_ctx->m, block, pub_key_size);
! 229:
! 230: if (*block & 0x80) /* make integer positive */
! 231: {
! 232: set_gen_length(pub_key_size+1, buf, offset);
! 233: buf[(*offset)++] = 0;
! 234: }
! 235: else
! 236: set_gen_length(pub_key_size, buf, offset);
! 237:
! 238: memcpy(&buf[*offset], block, pub_key_size);
! 239: *offset += pub_key_size;
! 240: memcpy(&buf[*offset], pub_key_seq, sizeof(pub_key_seq));
! 241: *offset += sizeof(pub_key_seq);
! 242: adjust_with_size(seq_size, seq_offset, buf, offset);
! 243: }
! 244:
! 245: static void gen_pub_key1(const RSA_CTX *rsa_ctx, uint8_t *buf, int *offset)
! 246: {
! 247: int seq_offset;
! 248: int seq_size = pre_adjust_with_size(
! 249: ASN1_BIT_STRING, &seq_offset, buf, offset);
! 250: buf[(*offset)++] = 0; /* bit string is multiple of 8 */
! 251: gen_pub_key2(rsa_ctx, buf, offset);
! 252: adjust_with_size(seq_size, seq_offset, buf, offset);
! 253: }
! 254:
! 255: static void gen_pub_key(const RSA_CTX *rsa_ctx, uint8_t *buf, int *offset)
! 256: {
! 257: /* OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1) */
! 258: static const uint8_t rsa_enc_oid[] =
! 259: {
! 260: ASN1_SEQUENCE, 0x0d, ASN1_OID, 0x09,
! 261: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
! 262: ASN1_NULL, 0x00
! 263: };
! 264:
! 265: int seq_offset;
! 266: int seq_size = pre_adjust_with_size(
! 267: ASN1_SEQUENCE, &seq_offset, buf, offset);
! 268:
! 269: memcpy(&buf[*offset], rsa_enc_oid, sizeof(rsa_enc_oid));
! 270: *offset += sizeof(rsa_enc_oid);
! 271: gen_pub_key1(rsa_ctx, buf, offset);
! 272: adjust_with_size(seq_size, seq_offset, buf, offset);
! 273: }
! 274:
! 275: static void gen_signature(const RSA_CTX *rsa_ctx, const uint8_t *sha_dgst,
! 276: uint8_t *buf, int *offset)
! 277: {
! 278: static const uint8_t asn1_sig[] =
! 279: {
! 280: ASN1_SEQUENCE, 0x21, ASN1_SEQUENCE, 0x09, ASN1_OID, 0x05,
! 281: 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* sha1 (1 3 14 3 2 26) */
! 282: ASN1_NULL, 0x00, ASN1_OCTET_STRING, 0x14
! 283: };
! 284:
! 285: uint8_t *enc_block = (uint8_t *)alloca(rsa_ctx->num_octets);
! 286: uint8_t *block = (uint8_t *)alloca(sizeof(asn1_sig) + SHA1_SIZE);
! 287: int sig_size;
! 288:
! 289: /* add the digest as an embedded asn.1 sequence */
! 290: memcpy(block, asn1_sig, sizeof(asn1_sig));
! 291: memcpy(&block[sizeof(asn1_sig)], sha_dgst, SHA1_SIZE);
! 292:
! 293: sig_size = RSA_encrypt(rsa_ctx, block,
! 294: sizeof(asn1_sig) + SHA1_SIZE, enc_block, 1);
! 295:
! 296: buf[(*offset)++] = ASN1_BIT_STRING;
! 297: set_gen_length(sig_size+1, buf, offset);
! 298: buf[(*offset)++] = 0; /* bit string is multiple of 8 */
! 299: memcpy(&buf[*offset], enc_block, sig_size);
! 300: *offset += sig_size;
! 301: }
! 302:
! 303: static int gen_tbs_cert(const char * dn[],
! 304: const RSA_CTX *rsa_ctx, uint8_t *buf, int *offset,
! 305: uint8_t *sha_dgst)
! 306: {
! 307: int ret = X509_OK;
! 308: SHA1_CTX sha_ctx;
! 309: int seq_offset;
! 310: int begin_tbs = *offset;
! 311: int seq_size = pre_adjust_with_size(
! 312: ASN1_SEQUENCE, &seq_offset, buf, offset);
! 313:
! 314: gen_serial_number(buf, offset);
! 315: gen_signature_alg(buf, offset);
! 316:
! 317: /* CA certicate issuer */
! 318: if ((ret = gen_issuer(dn, buf, offset)))
! 319: goto error;
! 320:
! 321: gen_utc_time(buf, offset);
! 322:
! 323: /* certificate issuer */
! 324: if ((ret = gen_issuer(dn, buf, offset)))
! 325: goto error;
! 326:
! 327: gen_pub_key(rsa_ctx, buf, offset);
! 328: adjust_with_size(seq_size, seq_offset, buf, offset);
! 329:
! 330: SHA1_Init(&sha_ctx);
! 331: SHA1_Update(&sha_ctx, &buf[begin_tbs], *offset-begin_tbs);
! 332: SHA1_Final(sha_dgst, &sha_ctx);
! 333:
! 334: error:
! 335: return ret;
! 336: }
! 337:
! 338: /**
! 339: * Create a new certificate.
! 340: */
! 341: EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const char * dn[], uint8_t **cert_data)
! 342: {
! 343: int ret = X509_OK, offset = 0, seq_offset;
! 344: /* allocate enough space to load a new certificate */
! 345: uint8_t *buf = (uint8_t *)alloca(ssl_ctx->rsa_ctx->num_octets*2 + 512);
! 346: uint8_t sha_dgst[SHA1_SIZE];
! 347: int seq_size = pre_adjust_with_size(ASN1_SEQUENCE,
! 348: &seq_offset, buf, &offset);
! 349:
! 350: if ((ret = gen_tbs_cert(dn, ssl_ctx->rsa_ctx, buf, &offset, sha_dgst)) < 0)
! 351: goto error;
! 352:
! 353: gen_signature_alg(buf, &offset);
! 354: gen_signature(ssl_ctx->rsa_ctx, sha_dgst, buf, &offset);
! 355: adjust_with_size(seq_size, seq_offset, buf, &offset);
! 356: *cert_data = (uint8_t *)malloc(offset); /* create the exact memory for it */
! 357: memcpy(*cert_data, buf, offset);
! 358:
! 359: error:
! 360: return ret < 0 ? ret : offset;
! 361: }
! 362:
! 363: #endif
! 364:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to gen_cert.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / axTLS / ssl