X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fcrypto%2FX509.cpp;h=aad5c8f900dd68789015baa107cc50a60b81f6b1;hb=da9f337a893bd317460118f89efa83a3427f797f;hp=37bb900ff6f281f293dc0489105fbb285eabe94b;hpb=3a45e813dfbb75ac7f9069b9799d2c5ac9e47140;p=cassiopeia.git
diff --git a/src/crypto/X509.cpp b/src/crypto/X509.cpp
index 37bb900..aad5c8f 100644
--- a/src/crypto/X509.cpp
+++ b/src/crypto/X509.cpp
@@ -7,11 +7,11 @@
 #include
 #include
-X509Req::X509Req( X509_REQ* csr ) : req( csr, X509_REQ_free ) {
-    EVP_PKEY* pkt = X509_REQ_get_pubkey( req.get() );
+X509Req::X509Req( X509_REQ *csr ) : req( csr, X509_REQ_free ) {
+    EVP_PKEY *pkt = X509_REQ_get_pubkey( req.get() );
     if( !pkt ) {
-        throw std::runtime_error("Error extracting public key");
+        throw std::runtime_error( "Error extracting public key" );
     }
     pk = std::shared_ptr( pkt, EVP_PKEY_free );
@@ -19,21 +19,21 @@ X509Req::X509Req( X509_REQ* csr ) : req( csr, X509_REQ_free ) {
 X509Req::X509Req( std::string spkac ) {
     if( spkac.compare( 0, 6, "SPKAC=" ) != 0 ) {
-        throw std::runtime_error("Error: not a SPKAC");
+        throw std::runtime_error( "Error: not a SPKAC" );
     }
     spkac = spkac.substr( 6 );
-    NETSCAPE_SPKI* spki_p = NETSCAPE_SPKI_b64_decode( spkac.c_str(), spkac.size() );
+    NETSCAPE_SPKI *spki_p = NETSCAPE_SPKI_b64_decode( spkac.c_str(), spkac.size() );
     if( !spki_p ) {
-        throw std::runtime_error("Error: decode failed");
+        throw std::runtime_error( "Error: decode failed" );
     }
     spki = std::shared_ptr( spki_p, NETSCAPE_SPKI_free );
-    EVP_PKEY* pkt_p = NETSCAPE_SPKI_get_pubkey( spki.get() );
+    EVP_PKEY *pkt_p = NETSCAPE_SPKI_get_pubkey( spki.get() );
     if( !pkt_p ) {
-        throw std::runtime_error("Error: reading SPKAC Pubkey failed");
+        throw std::runtime_error( "Error: reading SPKAC Pubkey failed" );
     }
     pk = std::shared_ptr( pkt_p, EVP_PKEY_free );
@@ -52,22 +52,22 @@ std::shared_ptr X509Req::getPkey() const {
 }
 std::shared_ptr X509Req::parseCSR( std::string content ) {
-    std::shared_ptr in = std::shared_ptr( BIO_new_mem_buf( const_cast( content.c_str() ), -1 ), BIO_free );
-    X509_REQ* req = PEM_read_bio_X509_REQ( in.get(), NULL, NULL, NULL );
+    std::shared_ptr in = std::shared_ptr( BIO_new_mem_buf( const_cast( content.c_str() ), -1 ), BIO_free );
+    X509_REQ *req = PEM_read_bio_X509_REQ( in.get(), NULL, NULL, NULL );
     if( !req ) {
-        throw std::runtime_error("Error parsing CSR");
+        throw std::runtime_error( "Error parsing CSR" );
     }
-    return std::shared_ptr( new X509Req( req )); // TODO ask
+    return std::shared_ptr( new X509Req( req ) ); // TODO ask
 }
 std::shared_ptr X509Req::parseSPKAC( std::string content ) {
     return std::shared_ptr( new X509Req( content ) );
 }
-int add_ext( std::shared_ptr issuer, std::shared_ptr subj, int nid, const char* value ) {
-    X509_EXTENSION* ex;
+int add_ext( std::shared_ptr issuer, std::shared_ptr subj, int nid, const char *value ) {
+    X509_EXTENSION *ex;
     X509V3_CTX ctx;
     /* This sets the 'context' of the extensions. */
@@ -78,7 +78,7 @@ int add_ext( std::shared_ptr issuer, std::shared_ptr subj, int nid,
      * no request and no CRL */
     X509V3_set_ctx( &ctx, issuer.get(), subj.get(), NULL, NULL, 0 );
-    ex = X509V3_EXT_conf_nid( NULL, &ctx, nid, const_cast( value ) );
+    ex = X509V3_EXT_conf_nid( NULL, &ctx, nid, const_cast( value ) );
     if( !ex ) {
         return 0;
@@ -91,36 +91,36 @@ int add_ext( std::shared_ptr issuer, std::shared_ptr subj, int nid,
 }
 X509Cert::X509Cert() {
-    X509* c = X509_new();
+    X509 *c = X509_new();
     if( !c ) {
-        throw std::runtime_error("malloc failed");
+        throw std::runtime_error( "malloc failed" );
     }
     target = std::shared_ptr( c, X509_free );
     if( !X509_set_version( c, 2 ) ) {
-        throw std::runtime_error("Setting X509-version to 3 failed");
+        throw std::runtime_error( "Setting X509-version to 3 failed" );
     }
-    X509_NAME* subjectP = X509_NAME_new();
+    X509_NAME *subjectP = X509_NAME_new();
     if( !subjectP ) {
-        throw std::runtime_error("malloc failure in construct.");
+        throw std::runtime_error( "malloc failure in construct." );
     }
     subject = std::shared_ptr( subjectP, X509_NAME_free );
 }
 void X509Cert::addRDN( int nid, std::string data ) {
-    if( ! X509_NAME_add_entry_by_NID( subject.get(), nid, MBSTRING_UTF8, ( unsigned char* )const_cast( data.data() ), data.size(), -1, 0 ) ) {
-        throw std::runtime_error("malloc failure in RDN");
+    if( ! X509_NAME_add_entry_by_NID( subject.get(), nid, MBSTRING_UTF8, ( unsigned char * )const_cast( data.data() ), data.size(), -1, 0 ) ) {
+        throw std::runtime_error( "malloc failure in RDN" );
     }
 }
 void X509Cert::setIssuerNameFrom( std::shared_ptr caCert ) {
     if( !X509_set_issuer_name( target.get(), X509_get_subject_name( caCert.get() ) ) ) {
-        throw std::runtime_error("Error setting Issuer name");
+        throw std::runtime_error( "Error setting Issuer name" );
     }
 }
@@ -128,14 +128,14 @@ void X509Cert::setPubkeyFrom( std::shared_ptr req ) {
     std::shared_ptr pktmp = req->getPkey();
     if( !X509_set_pubkey( target.get(), pktmp.get() ) ) {
-        throw std::runtime_error("Setting public key failed.");
+        throw std::runtime_error( "Setting public key failed." );
     }
 }
-void X509Cert::setSerialNumber( BIGNUM* num ) {
-    ASN1_INTEGER *i = BN_to_ASN1_INTEGER( num, NULL);
-    X509_set_serialNumber(target.get(), i);
-    ASN1_INTEGER_free(i);
+void X509Cert::setSerialNumber( BIGNUM *num ) {
+    ASN1_INTEGER *i = BN_to_ASN1_INTEGER( num, NULL );
+    X509_set_serialNumber( target.get(), i );
+    ASN1_INTEGER_free( i );
 }
 void X509Cert::setTimes( uint32_t before, uint32_t after ) {
@@ -143,11 +143,11 @@ void X509Cert::setTimes( uint32_t before, uint32_t after ) {
     ASN1_TIME_set( X509_get_notAfter( target.get() ), after );
 }
-static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc ) {
-    unsigned char* ext_der;
+static X509_EXTENSION *do_ext_i2d( int ext_nid, int crit, ASN1_VALUE *ext_struc ) {
+    unsigned char *ext_der;
     int ext_len;
-    ASN1_OCTET_STRING* ext_oct;
-    X509_EXTENSION* ext;
+    ASN1_OCTET_STRING *ext_oct;
+    X509_EXTENSION *ext;
     /* Convert internal representation to DER */
     ext_der = NULL;
     ext_len = ASN1_item_i2d( ext_struc, &ext_der, ASN1_ITEM_ptr( ASN1_ITEM_ref( GENERAL_NAMES ) ) );
@@ -173,7 +173,7 @@ static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc
     return ext;
 merr:
-    throw std::runtime_error("memerr");
+    throw std::runtime_error( "memerr" );
 }
 void X509Cert::setExtensions( std::shared_ptr caCert, std::vector>& sans, Profile& prof, std::string crlURL, std::string crtURL ) {
@@ -183,8 +183,8 @@ void X509Cert::setExtensions( std::shared_ptr caCert, std::vector caCert, std::vectortype = name->type == "DNS" ? GEN_DNS : name->type == "email" ? GEN_EMAIL : 0; // GEN_EMAIL;
@@ -211,13 +211,13 @@ void X509Cert::setExtensions( std::shared_ptr caCert, std::vectord.ia5 = ASN1_IA5STRING_new() ) || !ASN1_STRING_set( gen->d.ia5, name->content.data(), name->content.size() ) ) {
             GENERAL_NAME_free( gen );
-            throw std::runtime_error("initing iasting5 failed");
+            throw std::runtime_error( "initing iasting5 failed" );
         }
         sk_GENERAL_NAME_push( gens.get(), gen );
     }
-    X509_EXTENSION* ext = do_ext_i2d( NID_subject_alt_name, 0/*critical*/, ( ASN1_VALUE* )gens.get() );
+    X509_EXTENSION *ext = do_ext_i2d( NID_subject_alt_name, 0/*critical*/, ( ASN1_VALUE * )gens.get() );
     X509_add_ext( target.get(), ext, -1 );
     X509_EXTENSION_free( ext );
@@ -225,10 +225,10 @@ void X509Cert::setExtensions( std::shared_ptr caCert, std::vector X509Cert::sign( std::shared_ptr caKey, std::string signAlg ) {
     if( !X509_set_subject_name( target.get(), subject.get() ) ) {
-        throw std::runtime_error("error setting subject");
+        throw std::runtime_error( "error setting subject" );
     }
-    const EVP_MD* md;
+    const EVP_MD *md;
     if( signAlg == "sha512" ) {
         md = EVP_sha512();
@@ -237,13 +237,15 @@ std::shared_ptr X509Cert::sign( std::shared_ptr caK
     } else if( signAlg == "sha256" ) {
         md = EVP_sha256();
     } else if( signAlg == "sha1" ) {
-        md = EVP_sha1();
+        throw std::runtime_error( "Refusing to sign with weak signature algorithm (SHA-1)." );
+    } else if( signAlg == "md5" ) {
+        throw std::runtime_error( "Refusing to sign with weak signature algorithm (MD5)." );
     } else {
-        throw std::runtime_error("Unknown md-type");
+        throw std::runtime_error( "Unknown signature algorithm" );
     }
     if( !X509_sign( target.get(), caKey.get(), md ) ) {
-        throw std::runtime_error("Signing failed.");
+        throw std::runtime_error( "Signing failed." );
     }
     //X509_print_fp( stdout, target.get() );
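Review bot: The new `md5` branch in the `@@ -237` hunk is reachable only to produce a distinct message, because `md5` was never an accepted value and the final `else` already throws for it; without a comment the next maintainer may read it as dead code and remove it, or treat the chain as a list of algorithms to extend. I would put a one-line policy note above the `sha1` branch: `// Only SHA-2 digests are accepted for signing; SHA-1 and MD5 are named explicitly so a configured legacy value fails with a policy error instead of "Unknown signature algorithm".` Note that `md` is declared without an initializer in the preceding hunk (`const EVP_MD *md;`) and is only safe at the `X509_sign` call because every visible branch either assigns it or throws; declaring it as `const EVP_MD *md = nullptr;` would keep that invariant if a rejecting branch is later changed to fall through. The enclosing `sign` function starts and ends outside this hunk.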
@@ -251,21 +253,21 @@ std::shared_ptr X509Cert::sign( std::shared_ptr caK
     std::shared_ptr mem = std::shared_ptr( BIO_new( BIO_s_mem() ), BIO_free );
     if( !mem ) {
-        throw std::runtime_error("Failed to allocate memory for the signed certificate.");
+        throw std::runtime_error( "Failed to allocate memory for the signed certificate." );
     }
     PEM_write_bio_X509( mem.get(), target.get() );
-    BUF_MEM* buf = NULL;
+    BUF_MEM *buf = NULL;
     BIO_get_mem_ptr( mem.get(), &buf );
     auto res = std::make_shared();
     res->certificate = std::string( buf->data, buf->data + buf->length );
-    std::shared_ptr ser( ASN1_INTEGER_to_BN( X509_get_serialNumber(target.get()), NULL ), BN_free );
+    std::shared_ptr ser( ASN1_INTEGER_to_BN( X509_get_serialNumber( target.get() ), NULL ), BN_free );
     if( !ser ) {
-        throw std::runtime_error("Failed to retrieve certificate serial of signed certificate.");
+        throw std::runtime_error( "Failed to retrieve certificate serial of signed certificate." );
     }
     std::shared_ptr serStr(