chg: Make the signer actively reject MD5 and SHA1
[cassiopeia.git] / src / crypto / X509.cpp
index 7a4314deab9d830a79dfff527afeec82802206d8..f9dbc7a7ff65aef55e4fefd0edd4d01ba1ae8d4a 100644 (file)
@@ -133,7 +133,9 @@ void X509Cert::setPubkeyFrom( std::shared_ptr<X509Req> req ) {
 }
 
 void X509Cert::setSerialNumber( BIGNUM* num ) {
-    BN_to_ASN1_INTEGER( num , target->cert_info->serialNumber );
+    ASN1_INTEGER *i = BN_to_ASN1_INTEGER( num, NULL);
+    X509_set_serialNumber(target.get(), i);
+    ASN1_INTEGER_free(i);
 }
 
 void X509Cert::setTimes( uint32_t before, uint32_t after ) {
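Review bot: Both calls added in setSerialNumber go unchecked: BN_to_ASN1_INTEGER returns NULL on failure and X509_set_serialNumber returns 0 when it cannot copy the value, and in either case the function returns normally with the certificate's serial left as it was. For a signer this matters because revocation and audit records key on the serial, so a failed set should abort issuance instead of continuing. Before the existing free I would add `if( !i || !X509_set_serialNumber( target.get(), i ) ) { ASN1_INTEGER_free( i ); throw std::runtime_error( "Failed to set certificate serial number" ); }`. A null `num` is not guarded either; whether callers can pass one is not visible in this hunk.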
@@ -154,7 +156,7 @@ static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc
         goto merr;
     }
 
-    if( !( ext_oct = M_ASN1_OCTET_STRING_new() ) ) {
+    if( !( ext_oct = ASN1_OCTET_STRING_new() ) ) {
         goto merr;
     }
 
@@ -167,7 +169,7 @@ static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc
         goto merr;
     }
 
-    M_ASN1_OCTET_STRING_free( ext_oct );
+    ASN1_OCTET_STRING_free( ext_oct );
     return ext;
 
 merr:
@@ -177,7 +179,7 @@ merr:
 void X509Cert::setExtensions( std::shared_ptr<X509> caCert, std::vector<std::shared_ptr<SAN>>& sans, Profile& prof, std::string crlURL, std::string crtURL ) {
     add_ext( caCert, target, NID_basic_constraints, "critical,CA:FALSE" );
     add_ext( caCert, target, NID_subject_key_identifier, "hash" );
-    add_ext( caCert, target, NID_authority_key_identifier, "keyid,issuer:always" );
+    add_ext( caCert, target, NID_authority_key_identifier, "keyid:always" );
     std::string ku = std::string( "critical," ) + prof.ku;
     add_ext( caCert, target, NID_key_usage, ku.c_str() );
     add_ext( caCert, target, NID_ext_key_usage, prof.eku.c_str() );
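Review bot: With `keyid:always`, issuance now depends on the CA certificate carrying a subject key identifier, because OpenSSL declines to build the authority key identifier when it cannot obtain the issuer's key id. Whether add_ext reports that failure is not visible here; if it returns quietly, a certificate could be signed without an AKI, so it is worth confirming that add_ext throws. The reason for dropping `issuer:always` should also be recorded next to the call, for example `// AKI carries the key id only; issuer name and serial are deliberately omitted`, adjusted to the actual intent. setExtensions continues beyond this hunk.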
@@ -206,7 +208,7 @@ void X509Cert::setExtensions( std::shared_ptr<X509> caCert, std::vector<std::sha
         gen->type = name->type == "DNS" ? GEN_DNS : name->type == "email" ? GEN_EMAIL : 0; // GEN_EMAIL;
 
         if( !gen->type
-                || !( gen->d.ia5 = M_ASN1_IA5STRING_new() )
+                || !( gen->d.ia5 = ASN1_IA5STRING_new() )
                 || !ASN1_STRING_set( gen->d.ia5, name->content.data(), name->content.size() ) ) {
             GENERAL_NAME_free( gen );
             throw std::runtime_error("initing iasting5 failed");
@@ -235,9 +237,11 @@ std::shared_ptr<SignedCertificate> X509Cert::sign( std::shared_ptr<EVP_PKEY> caK
     } else if( signAlg == "sha256" ) {
         md = EVP_sha256();
     } else if( signAlg == "sha1" ) {
-        md = EVP_sha1();
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (SHA-1).");
+    } else if( signAlg == "md5" ) {
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (MD5).");
     } else {
-        throw std::runtime_error("Unknown md-type");
+        throw std::runtime_error("Unknown signature algorithm");
     }
 
     if( !X509_sign( target.get(), caKey.get(), md ) ) {
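Review bot: The two new `sha1` and `md5` branches are not what enforces the refusal; the final `else` is, since any name not matched earlier in the chain already throws. The new branches only give a more specific message. That is the right fail-closed shape, but it reads like a denylist, so I would put a comment above the chain such as `// Allowlist of digests: sha1/md5 are named only for a clearer error, anything unlisted is rejected as well.` Any later addition to the chain then has to be an explicit, reviewed allow. The start of the chain and the rest of sign() lie outside this hunk.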
@@ -260,7 +264,7 @@ std::shared_ptr<SignedCertificate> X509Cert::sign( std::shared_ptr<EVP_PKEY> caK
     auto res = std::make_shared<SignedCertificate>();
     res->certificate = std::string( buf->data, buf->data + buf->length );
 
-    std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( target->cert_info->serialNumber, NULL ), BN_free );
+    std::shared_ptr<BIGNUM> ser( ASN1_INTEGER_to_BN( X509_get_serialNumber(target.get()), NULL ), BN_free );
 
     if( !ser ) {
         throw std::runtime_error("Failed to retrieve certificate serial of signed certificate.");