#include <iostream>
#include "crypto/CRL.h"
+#include "log/logger.hpp"
std::shared_ptr<int> ssl_lib_ref(
new int( SSL_library_init() ),
} );
std::shared_ptr<X509> loadX509FromFile( const std::string& filename ) {
- FILE* f = fopen( filename.c_str(), "r" );
+ std::shared_ptr<FILE> f( fopen( filename.c_str(), "r" ), fclose );
if( !f ) {
return std::shared_ptr<X509>();
}
- X509* key = PEM_read_X509( f, NULL, NULL, 0 );
- fclose( f );
+ X509* key = PEM_read_X509( f.get(), NULL, NULL, 0 );
if( !key ) {
return std::shared_ptr<X509>();
return std::shared_ptr<X509>(
key,
- []( X509 * ref ) {
+ []( X509* ref ) {
X509_free( ref );
} );
}
std::shared_ptr<EVP_PKEY> loadPkeyFromFile( const std::string& filename ) {
- FILE* f = fopen( filename.c_str(), "r" );
+ std::shared_ptr<FILE> f(
+ fopen( filename.c_str(), "r" ),
+ []( FILE* ptr ) {
+ if( ptr ) {
+ fclose( ptr );
+ }
+ } );
if( !f ) {
return std::shared_ptr<EVP_PKEY>();
}
- EVP_PKEY* key = PEM_read_PrivateKey( f, NULL, NULL, 0 );
- fclose( f );
+ EVP_PKEY* key = PEM_read_PrivateKey( f.get(), NULL, NULL, 0 );
if( !key ) {
return std::shared_ptr<EVP_PKEY>();
return std::shared_ptr<EVP_PKEY>(
key,
- []( EVP_PKEY * ref ) {
+ []( EVP_PKEY* ref ) {
EVP_PKEY_free( ref );
} );
}
( void ) a;
( void ) b;
( void ) g;
+
std::cout << ( a == 0 ? "." : "+" ) << std::flush;
+
return 1;
}
//X509_print_ex(o, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
//BIO_free(o);
- std::cout << "Verification failed: " << preverify_ok << " because " << X509_STORE_CTX_get_error( ctx ) << std::endl;
+ logger::errorf( "Verification failed: %s because %s", preverify_ok, X509_STORE_CTX_get_error( ctx ) );
}
return preverify_ok;
static std::shared_ptr<DH> dh_param;
std::shared_ptr<SSL_CTX> generateSSLContext( bool server ) {
- std::shared_ptr<SSL_CTX> ctx = std::shared_ptr<SSL_CTX>( SSL_CTX_new( TLSv1_2_method() ), []( SSL_CTX * p ) {
- SSL_CTX_free( p );
- } );
+ std::shared_ptr<SSL_CTX> ctx = std::shared_ptr<SSL_CTX>(
+ SSL_CTX_new( TLS_method() ),
+ []( SSL_CTX* p ) {
+ SSL_CTX_free( p );
+ } );
if( !SSL_CTX_set_cipher_list( ctx.get(), "HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:-RSA+AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128" ) ) {
- throw "Cannot set cipher list. Your source is broken.";
+ throw std::runtime_error( "Cannot set cipher list. Your source is broken." );
}
SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback );
SSL_CTX_use_certificate_file( ctx.get(), server ? "keys/signer_server.crt" : "keys/signer_client.crt", SSL_FILETYPE_PEM );
SSL_CTX_use_PrivateKey_file( ctx.get(), server ? "keys/signer_server.key" : "keys/signer_client.key", SSL_FILETYPE_PEM );
+
if( 1 != SSL_CTX_load_verify_locations( ctx.get(), "keys/ca.crt", 0 ) ) {
- throw "Cannot load CA store for certificate validation.";
+ throw std::runtime_error( "Cannot load CA store for certificate validation." );
}
if( server ) {
}
if( !dh_param ) {
- FILE* paramfile = fopen( "dh_param.pem", "r" );
+ std::shared_ptr<FILE> paramfile( fopen( "dh_param.pem", "r" ), fclose );
if( paramfile ) {
- dh_param = std::shared_ptr<DH>( PEM_read_DHparams( paramfile, NULL, NULL, NULL ), DH_free );
- fclose( paramfile );
+ dh_param = std::shared_ptr<DH>( PEM_read_DHparams( paramfile.get(), NULL, NULL, NULL ), DH_free );
} else {
dh_param = std::shared_ptr<DH>( DH_new(), DH_free );
- std::cout << "Generating DH params" << std::endl;
- BN_GENCB cb;
- cb.ver = 2;
- cb.arg = 0;
- cb.cb.cb_2 = gencb;
-
- if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, &cb ) ) {
- throw "DH generation failed";
+ logger::note( "Generating DH params" );
+ BN_GENCB *cb = BN_GENCB_new();
+ BN_GENCB_set( cb, gencb, NULL );
+
+ if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, cb ) ) {
+ throw std::runtime_error( "DH generation failed" );
}
+ BN_GENCB_free( cb );
+
std::cout << std::endl;
- paramfile = fopen( "dh_param.pem", "w" );
+ paramfile = std::shared_ptr<FILE>( fopen( "dh_param.pem", "w" ), fclose );
if( paramfile ) {
- PEM_write_DHparams( paramfile, dh_param.get() );
- fclose( paramfile );
+ PEM_write_DHparams( paramfile.get(), dh_param.get() );
}
}
}
if( !SSL_CTX_set_tmp_dh( ctx.get(), dh_param.get() ) ) {
- throw "Cannot set tmp dh.";
+ throw std::runtime_error( "Cannot set tmp dh." );
}
}
return ctx;
}
-void setupSerial( FILE* f ) {
+void setupSerial( std::shared_ptr<FILE> f ) {
struct termios attr;
- if( tcgetattr( fileno( f ), &attr ) ) {
- throw "failed to get attrs";
+ if( tcgetattr( fileno( f.get() ), &attr ) ) {
+ throw std::runtime_error( "failed to get attrs" );
}
attr.c_iflag &= ~( IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON );
cfsetispeed( &attr, B115200 );
cfsetospeed( &attr, B115200 );
- if( tcsetattr( fileno( f ), TCSANOW, &attr ) ) {
- throw "failed to get attrs";
+ if( tcsetattr( fileno( f.get() ), TCSANOW, &attr ) ) {
+ throw std::runtime_error( "failed to get attrs" );
}
}
std::shared_ptr<BIO> openSerial( const std::string& name ) {
- FILE* f = fopen( name.c_str(), "r+" );
+ std::shared_ptr<FILE> f( fopen( name.c_str(), "r+" ), fclose );
if( !f ) {
- std::cout << "Opening serial device failed" << std::endl;
+ logger::error( "Opening serial device failed." );
return std::shared_ptr<BIO>();
}
setupSerial( f );
- std::shared_ptr<BIO> b( BIO_new_fd( fileno( f ), 0 ), BIO_free );
- return b;
+ return std::shared_ptr<BIO>(
+ BIO_new_fd( fileno( f.get() ), 0 ),
+ [f]( BIO* b ) {
+ BIO_free( b );
+ } );
}
+extern std::string crlPrefix;
+extern std::string crtPrefix;
+
CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name ) {
ca = loadX509FromFile( path + "/ca.crt" );
+
+ if( !ca ) {
+ throw new std::invalid_argument( "ca name: " + name + " contains unreadable certificate." );
+ }
+
caKey = loadPkeyFromFile( path + "/ca.key" );
- ASN1_TIME* tm = X509_get_notBefore( ca );
- notBefore = std::shared_ptr<ASN1_TIME>( tm, ASN1_TIME_free );
+
+ ASN1_TIME* tm = X509_get_notBefore( ca.get() ); // tm MUST NOT be free'd; duplicate for owning copy.
+ notBefore = std::shared_ptr<ASN1_TIME>( ASN1_STRING_dup( tm ), ASN1_TIME_free );
+
+ std::size_t pos = name.find( "_" );
+
+ if( pos == std::string::npos ) {
+ throw new std::invalid_argument( "ca name: " + name + " is malformed." );
+ }
+
+ std::size_t pos2 = name.find( "_", pos + 1 );
+
+ if( pos2 == std::string::npos ) {
+ throw new std::invalid_argument( "ca name: " + name + " is malformed." );
+ }
+
+ crlURL = crlPrefix + "/g2/" + name.substr( pos + 1, pos2 - pos - 1 ) + "/" + name.substr( 0, pos ) + "-" + name.substr( pos2 + 1 ) + ".crl";
+ crtURL = crtPrefix + "/g2/" + name.substr( pos + 1, pos2 - pos - 1 ) + "/" + name.substr( 0, pos ) + "-" + name.substr( pos2 + 1 ) + ".crt";
}
std::string timeToString( std::shared_ptr<ASN1_TIME> time ) {
- std::shared_ptr<ASN1_GENERALIZEDTIME> gtime( ASN1_TIME_to_generalizedtime( time.get(), 0 ) );
- std::string strdate( ( char* ) ASN1_STRING_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) );
+ std::shared_ptr<ASN1_GENERALIZEDTIME> gtime( ASN1_TIME_to_generalizedtime( time.get(), 0 ), ASN1_GENERALIZEDTIME_free );
+ std::string strdate( ( char* ) ASN1_STRING_get0_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) );
+
+ logger::notef( "openssl formatted me a date: %s", strdate );
if( strdate[strdate.size() - 1] != 'Z' ) {
- throw "Got invalid date?";
+ throw std::runtime_error( "Got invalid date?" );
}
return strdate.substr( 0, strdate.size() - 1 );
}
void extractTimes( std::shared_ptr<X509> target, std::shared_ptr<SignedCertificate> cert ) {
- cert->before = timeToString( std::shared_ptr<ASN1_TIME>( X509_get_notBefore( target.get() ), ASN1_TIME_free ) );
- cert->after = timeToString( std::shared_ptr<ASN1_TIME>( X509_get_notAfter( target.get() ), ASN1_TIME_free ) );
+ cert->before = timeToString( std::shared_ptr<ASN1_TIME>( X509_get_notBefore( target.get() ), [target](auto p){(void)p;} ) );
+ cert->after = timeToString( std::shared_ptr<ASN1_TIME>( X509_get_notAfter( target.get() ), [target](auto p){(void)p;} ) );
}
bool CAConfig::crlNeedsResign() {
- std::shared_ptr<CRL> crl( new CRL( path + "/ca.crl" ) );
+ auto crl = std::make_shared<CRL>( path + "/ca.crl" );
return crl->needsResign();
}
projects / cassiopeia.git / blobdiff