5 #include <openssl/ssl.h>
6 #include <openssl/bio.h>
7 #include <openssl/x509v3.h>
9 X509Req::X509Req( X509_REQ* csr ) {
10 req = std::shared_ptr<X509_REQ>( csr, X509_REQ_free );
11 EVP_PKEY* pkt = X509_REQ_get_pubkey( req.get() );
14 throw "Error extracting public key";
17 pk = std::shared_ptr<EVP_PKEY>( pkt, EVP_PKEY_free );
20 int X509Req::verify() {
21 return X509_REQ_verify( req.get(), pk.get() );
24 std::shared_ptr<EVP_PKEY> X509Req::getPkey() {
28 std::shared_ptr<X509Req> X509Req::parse( std::string filename ) {
29 std::shared_ptr<BIO> in = std::shared_ptr<BIO>( BIO_new_mem_buf( const_cast<char*>( filename.c_str() ), -1 ), BIO_free );
30 X509_REQ* req = PEM_read_bio_X509_REQ( in.get(), NULL, NULL, NULL );
33 throw "Error parsing CSR";
36 return std::shared_ptr<X509Req>( new X509Req( req ) );
39 int add_ext( std::shared_ptr<X509> issuer, std::shared_ptr<X509> subj, int nid, const char* value ) {
43 /* This sets the 'context' of the extensions. */
44 /* No configuration database */
45 X509V3_set_ctx_nodb( &ctx );
47 /* Issuer and subject certs: both the target since it is self signed,
48 * no request and no CRL
50 X509V3_set_ctx( &ctx, issuer.get(), subj.get(), NULL, NULL, 0 );
51 ex = X509V3_EXT_conf_nid( NULL, &ctx, nid, const_cast<char*>( value ) );
57 X509_add_ext( subj.get(), ex, -1 );
58 X509_EXTENSION_free( ex );
63 X509Cert::X509Cert() {
67 throw "malloc failed";
70 target = std::shared_ptr<X509>( c, X509_free );
72 if( !X509_set_version( c, 2 ) ) {
73 throw "Setting X509-version to 3 failed";
77 void X509Cert::setIssuerNameFrom( std::shared_ptr<X509> caCert ) {
78 if( !X509_set_issuer_name( target.get(), X509_get_subject_name( caCert.get() ) ) ) {
79 throw "Error setting Issuer name";
83 void X509Cert::setPubkeyFrom( std::shared_ptr<X509Req> req ) {
84 std::shared_ptr<EVP_PKEY> pktmp = req->getPkey();
86 if( !X509_set_pubkey( target.get(), pktmp.get() ) ) {
87 throw "Setting public key failed.";
91 void X509Cert::setSerialNumber( int num ) {
92 ASN1_INTEGER_set( target.get()->cert_info->serialNumber, num );
95 void X509Cert::setTimes( long before, long after ) {
96 X509_gmtime_adj( X509_get_notBefore( target.get() ), before );
97 X509_gmtime_adj( X509_get_notAfter( target.get() ), after );
100 static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc ) {
101 unsigned char* ext_der;
103 ASN1_OCTET_STRING* ext_oct;
105 /* Convert internal representation to DER */
107 ext_len = ASN1_item_i2d( ext_struc, &ext_der, ASN1_ITEM_ptr( ASN1_ITEM_ref( GENERAL_NAMES ) ) );
113 if( !( ext_oct = M_ASN1_OCTET_STRING_new() ) ) {
117 ext_oct->data = ext_der;
118 ext_oct->length = ext_len;
120 ext = X509_EXTENSION_create_by_NID( NULL, ext_nid, crit, ext_oct );
126 M_ASN1_OCTET_STRING_free( ext_oct );
133 void X509Cert::setExtensions( std::shared_ptr<X509> caCert, std::vector<std::shared_ptr<SAN>>& sans ) {
134 add_ext( caCert, target, NID_basic_constraints, "critical,CA:FALSE" );
135 add_ext( caCert, target, NID_subject_key_identifier, "hash" );
136 add_ext( caCert, target, NID_authority_key_identifier, "keyid,issuer:always" );
137 add_ext( caCert, target, NID_key_usage, "critical,nonRepudiation,digitalSignature,keyEncipherment" );
138 add_ext( caCert, target, NID_ext_key_usage, "clientAuth, serverAuth" );
139 add_ext( caCert, target, NID_info_access, "OCSP;URI:http://ocsp.cacert.org" );
140 add_ext( caCert, target, NID_crl_distribution_points, "URI:http://crl.cacert.org/class3-revoke.crl" );
142 std::shared_ptr<GENERAL_NAMES> gens = std::shared_ptr<GENERAL_NAMES>(
143 sk_GENERAL_NAME_new_null(),
144 []( GENERAL_NAMES * ref ) {
146 sk_GENERAL_NAME_pop_free( ref, GENERAL_NAME_free );
150 for( auto& name : sans ) {
151 GENERAL_NAME* gen = GENERAL_NAME_new();
154 throw "Malloc failure.";
157 gen->type = name->type == "DNS" ? GEN_DNS : name->type == "email" ? GEN_EMAIL : 0; // GEN_EMAIL;
160 || !( gen->d.ia5 = M_ASN1_IA5STRING_new() )
161 || !ASN1_STRING_set( gen->d.ia5, name->content.data(), name->content.size() ) ) {
162 GENERAL_NAME_free( gen );
163 throw "initing iasting5 failed";
166 sk_GENERAL_NAME_push( gens.get(), gen );
169 X509_EXTENSION* ext = do_ext_i2d( NID_subject_alt_name, 0/*critical*/, ( ASN1_VALUE* )gens.get() );
171 X509_add_ext( target.get(), ext, -1 );
172 X509_EXTENSION_free( ext );
175 std::string X509Cert::sign( std::shared_ptr<EVP_PKEY> caKey ) {
176 if( !X509_sign( target.get(), caKey.get(), EVP_sha512() ) ) {
177 throw "Signing failed.";
180 X509_print_fp( stdout, target.get() );
182 std::shared_ptr<BIO> mem = std::shared_ptr<BIO>( BIO_new( BIO_s_mem() ), BIO_free );
183 PEM_write_bio_X509( mem.get(), target.get() );
185 BIO_get_mem_ptr( mem.get(), &buf );
186 std::string output( buf->data, buf->data + buf->length );