1 #include "simpleOpensslSigner.h"
5 #include <openssl/ssl.h>
6 #include <openssl/err.h>
7 #include <openssl/bio.h>
8 #include <openssl/bn.h>
9 #include <openssl/engine.h>
10 #include <openssl/x509v3.h>
15 extern std::vector<Profile> profiles;
17 std::shared_ptr<int> SimpleOpensslSigner::lib_ref(
18 new int( SSL_library_init() ),
23 CRYPTO_cleanup_all_ex_data();
26 std::shared_ptr<X509> loadX509FromFile( std::string filename ) {
27 FILE* f = fopen( filename.c_str(), "r" );
30 return std::shared_ptr<X509>();
33 X509* key = PEM_read_X509( f, NULL, NULL, 0 );
37 return std::shared_ptr<X509>();
40 return std::shared_ptr<X509>(
47 std::shared_ptr<EVP_PKEY> loadPkeyFromFile( std::string filename ) {
48 FILE* f = fopen( filename.c_str(), "r" );
51 return std::shared_ptr<EVP_PKEY>();
54 EVP_PKEY* key = PEM_read_PrivateKey( f, NULL, NULL, 0 );
58 return std::shared_ptr<EVP_PKEY>();
61 return std::shared_ptr<EVP_PKEY>(
63 []( EVP_PKEY * ref ) {
68 SimpleOpensslSigner::SimpleOpensslSigner() {
69 caCert = loadX509FromFile( profiles[0].cert );
70 caKey = loadPkeyFromFile( profiles[0].key );
73 SimpleOpensslSigner::~SimpleOpensslSigner() {
76 std::shared_ptr<BIGNUM> SimpleOpensslSigner::nextSerial( uint16_t profile ) {
77 std::string res = readFile( "serial" );
85 throw "Initing serial failed";
88 if( !BN_hex2bn( &bn, res.c_str() + 1 ) ) {
89 throw "Parsing serial failed.";
93 std::shared_ptr<BIGNUM> serial = std::shared_ptr<BIGNUM>( bn, BN_free );
95 std::shared_ptr<unsigned char> data = std::shared_ptr<unsigned char>( ( unsigned char* ) malloc( BN_num_bytes( serial.get() ) + 20 ), free );
96 int len = BN_bn2bin( serial.get(), data.get() );
98 data.get()[len] = 0x0;
99 data.get()[len + 1] = 0x0; // signer id
101 data.get()[len + 2] = profile >> 8;
102 data.get()[len + 3] = profile & 0xFF; // profile id
104 if( !RAND_bytes( data.get() + len + 4, 16 ) || !BN_add_word( serial.get(), 1 ) ) {
105 throw "Big number math failed while calcing serials.";
108 std::shared_ptr<char> serStr = std::shared_ptr<char>(
109 BN_bn2hex( serial.get() ),
113 writeFile( "serial", serStr.get() );
115 return std::shared_ptr<BIGNUM>( BN_bin2bn( data.get(), len + 4 + 16 , 0 ), BN_free );
118 std::shared_ptr<SignedCertificate> SimpleOpensslSigner::sign( std::shared_ptr<TBSCertificate> cert ) {
120 throw "CA-key not found";
123 std::shared_ptr<X509Req> req;
125 if( cert->csr_type == "SPKAC" ) {
126 req = X509Req::parseSPKAC( cert->csr_content );
127 } else if( cert->csr_type == "CSR" ) {
128 req = X509Req::parseCSR( cert->csr_content );
130 throw "Error, unknown REQ rype " + ( cert->csr_type );
133 int i = req->verify();
136 throw "Signature problems ... ";
137 } else if( i == 0 ) {
138 throw "Signature did not match";
140 std::cerr << "Signature ok" << std::endl;
143 // Construct the Certificate
144 X509Cert c = X509Cert();
145 std::shared_ptr<X509> retsh = std::shared_ptr<X509>( X509_new(), X509_free );
146 X509* ret = retsh.get();
149 throw "Creating X509 failed.";
152 X509_NAME* subjectP = X509_NAME_new();
155 throw "malloc failure";
158 for( std::shared_ptr<AVA> a : cert->AVAs ) {
159 if( a->name == "CN" ) {
160 c.addRDN( NID_commonName, a->value );
161 } else if( a->name == "EMAIL" ) {
162 c.addRDN( NID_pkcs9_emailAddress, a->value );
163 } else if( a->name == "C" ) {
164 c.addRDN( NID_countryName, a->value );
165 } else if( a->name == "L" ) {
166 c.addRDN( NID_localityName, a->value );
167 } else if( a->name == "ST" ) {
168 c.addRDN( NID_stateOrProvinceName, a->value );
169 } else if( a->name == "O" ) {
170 c.addRDN( NID_organizationName, a->value );
171 } else if( a->name == "OU" ) {
172 c.addRDN( NID_organizationalUnitName, a->value );
174 throw "unknown AVA-type";
178 c.setIssuerNameFrom( caCert );
179 c.setPubkeyFrom( req );
180 long int profile = strtol( cert->profile.c_str(), 0, 10 );
182 if( profile > 0xFFFF || profile < 0 || ( profile == 0 && cert->profile != "0" ) ) {
183 throw "invalid profile id";
186 std::shared_ptr<BIGNUM> ser = nextSerial( profile );
187 c.setSerialNumber( ser.get() );
188 c.setTimes( 0, 60 * 60 * 24 * 10 );
189 c.setExtensions( caCert, cert->SANs );
191 std::shared_ptr<SignedCertificate> output = c.sign( caKey, cert->md );