X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fcrypto%2FsslUtil.cpp;h=687387c1573c7d9c615fdcfcff78cb3ab838b9d6;hb=160ba9d844500d1e553a0dab21a4a2a7fabc60d5;hp=9487e42a7253a98d581f7509498e477b8f314da4;hpb=56358cbe81dd0d11267a06133ce227c2c53f10f7;p=cassiopeia.git diff --git a/src/crypto/sslUtil.cpp b/src/crypto/sslUtil.cpp index 9487e42..687387c 100644 --- a/src/crypto/sslUtil.cpp +++ b/src/crypto/sslUtil.cpp @@ -3,8 +3,12 @@ #include #include #include + #include +#include "crypto/CRL.h" +#include "log/logger.hpp" + std::shared_ptr ssl_lib_ref( new int( SSL_library_init() ), []( int* ref ) { @@ -14,15 +18,14 @@ std::shared_ptr ssl_lib_ref( CRYPTO_cleanup_all_ex_data(); } ); -std::shared_ptr loadX509FromFile( std::string filename ) { - FILE* f = fopen( filename.c_str(), "r" ); +std::shared_ptr loadX509FromFile( const std::string& filename ) { + std::shared_ptr f( fopen( filename.c_str(), "r" ), fclose ); if( !f ) { return std::shared_ptr(); } - X509* key = PEM_read_X509( f, NULL, NULL, 0 ); - fclose( f ); + X509* key = PEM_read_X509( f.get(), NULL, NULL, 0 ); if( !key ) { return std::shared_ptr(); @@ -30,20 +33,25 @@ std::shared_ptr loadX509FromFile( std::string filename ) { return std::shared_ptr( key, - []( X509 * ref ) { + []( X509* ref ) { X509_free( ref ); } ); } -std::shared_ptr loadPkeyFromFile( std::string filename ) { - FILE* f = fopen( filename.c_str(), "r" ); +std::shared_ptr loadPkeyFromFile( const std::string& filename ) { + std::shared_ptr f( + fopen( filename.c_str(), "r" ), + []( FILE* ptr ) { + if( ptr ) { + fclose( ptr ); + } + } ); if( !f ) { return std::shared_ptr(); } - EVP_PKEY* key = PEM_read_PrivateKey( f, NULL, NULL, 0 ); - fclose( f ); + EVP_PKEY* key = PEM_read_PrivateKey( f.get(), NULL, NULL, 0 ); if( !key ) { return std::shared_ptr(); @@ -51,7 +59,7 @@ std::shared_ptr loadPkeyFromFile( std::string filename ) { return std::shared_ptr( key, - []( EVP_PKEY * ref ) { + []( EVP_PKEY* ref ) { EVP_PKEY_free( ref ); } ); } @@ -60,7 +68,9 @@ int gencb( int a, int b, BN_GENCB* g ) { ( void ) a; ( void ) b; ( void ) g; + std::cout << ( a == 0 ? "." : "+" ) << std::flush; + return 1; } @@ -71,7 +81,7 @@ static int verify_callback( int preverify_ok, X509_STORE_CTX* ctx ) { //X509_print_ex(o, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT); //BIO_free(o); - std::cout << "Verification failed: " << preverify_ok << " because " << X509_STORE_CTX_get_error( ctx ) << std::endl; + logger::errorf( "Verification failed: %s because %s", preverify_ok, X509_STORE_CTX_get_error( ctx ) ); } return preverify_ok; @@ -80,9 +90,11 @@ static int verify_callback( int preverify_ok, X509_STORE_CTX* ctx ) { static std::shared_ptr dh_param; std::shared_ptr generateSSLContext( bool server ) { - std::shared_ptr ctx = std::shared_ptr( SSL_CTX_new( TLSv1_2_method() ), []( SSL_CTX * p ) { - SSL_CTX_free( p ); - } ); + std::shared_ptr ctx = std::shared_ptr( + SSL_CTX_new( TLSv1_2_method() ), + []( SSL_CTX* p ) { + SSL_CTX_free( p ); + } ); if( !SSL_CTX_set_cipher_list( ctx.get(), "HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:-RSA+AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128" ) ) { throw "Cannot set cipher list. Your source is broken."; @@ -91,7 +103,10 @@ std::shared_ptr generateSSLContext( bool server ) { SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback ); SSL_CTX_use_certificate_file( ctx.get(), server ? "keys/signer_server.crt" : "keys/signer_client.crt", SSL_FILETYPE_PEM ); SSL_CTX_use_PrivateKey_file( ctx.get(), server ? "keys/signer_server.key" : "keys/signer_client.key", SSL_FILETYPE_PEM ); - SSL_CTX_load_verify_locations( ctx.get(), "keys/ca.crt", 0 ); + + if( 1 != SSL_CTX_load_verify_locations( ctx.get(), "keys/ca.crt", 0 ) ) { + throw "Cannot load CA store for certificate validation."; + } if( server ) { STACK_OF( X509_NAME ) *names = SSL_load_client_CA_file( "keys/env.crt" ); @@ -103,14 +118,13 @@ std::shared_ptr generateSSLContext( bool server ) { } if( !dh_param ) { - FILE* paramfile = fopen( "dh_param.pem", "r" ); + std::shared_ptr paramfile( fopen( "dh_param.pem", "r" ), fclose ); if( paramfile ) { - dh_param = std::shared_ptr( PEM_read_DHparams( paramfile, NULL, NULL, NULL ), DH_free ); - fclose( paramfile ); + dh_param = std::shared_ptr( PEM_read_DHparams( paramfile.get(), NULL, NULL, NULL ), DH_free ); } else { dh_param = std::shared_ptr( DH_new(), DH_free ); - std::cout << "Generating DH params" << std::endl; + logger::note( "Generating DH params" ); BN_GENCB cb; cb.ver = 2; cb.arg = 0; @@ -121,11 +135,10 @@ std::shared_ptr generateSSLContext( bool server ) { } std::cout << std::endl; - paramfile = fopen( "dh_param.pem", "w" ); + paramfile = std::shared_ptr( fopen( "dh_param.pem", "w" ), fclose ); if( paramfile ) { - PEM_write_DHparams( paramfile, dh_param.get() ); - fclose( paramfile ); + PEM_write_DHparams( paramfile.get(), dh_param.get() ); } } } @@ -138,10 +151,10 @@ std::shared_ptr generateSSLContext( bool server ) { return ctx; } -void setupSerial( FILE* f ) { +void setupSerial( std::shared_ptr f ) { struct termios attr; - if( tcgetattr( fileno( f ), &attr ) ) { + if( tcgetattr( fileno( f.get() ), &attr ) ) { throw "failed to get attrs"; } @@ -154,29 +167,65 @@ void setupSerial( FILE* f ) { cfsetispeed( &attr, B115200 ); cfsetospeed( &attr, B115200 ); - if( tcsetattr( fileno( f ), TCSANOW, &attr ) ) { + if( tcsetattr( fileno( f.get() ), TCSANOW, &attr ) ) { throw "failed to get attrs"; } } -std::shared_ptr openSerial( const std::string name ) { - FILE* f = fopen( name.c_str(), "r+" ); +std::shared_ptr openSerial( const std::string& name ) { + std::shared_ptr f( fopen( name.c_str(), "r+" ), fclose ); if( !f ) { - std::cout << "Opening serial device failed" << std::endl; + logger::error( "Opening serial device failed." ); return std::shared_ptr(); } setupSerial( f ); - std::shared_ptr b( BIO_new_fd( fileno( f ), 0 ), BIO_free ); - return b; + return std::shared_ptr( + BIO_new_fd( fileno( f.get() ), 0 ), + [f]( BIO* b ) { + BIO_free( b ); + } ); } -CAConfig::CAConfig( std::string name ) { - this->name = name; - this->path = "ca/" + name; +extern std::string crlPrefix; +extern std::string crtPrefix; + +CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name ) { ca = loadX509FromFile( path + "/ca.crt" ); caKey = loadPkeyFromFile( path + "/ca.key" ); ASN1_TIME* tm = X509_get_notBefore( ca ); notBefore = std::shared_ptr( tm, ASN1_TIME_free ); + std::size_t pos = name.find("_"); + if (pos == std::string::npos) { + throw new std::invalid_argument("ca name: " + name + " is malformed."); + } + std::size_t pos2 = name.find("_", pos + 1); + if (pos2 == std::string::npos) { + throw new std::invalid_argument("ca name: " + name + " is malformed."); + } + crlURL = crlPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crl"; + crtURL = crtPrefix + "/g2/" + name.substr(pos+1, pos2-pos - 1) + "/" + name.substr(0,pos) + "-" + name.substr(pos2+1) + ".crt"; +} + +std::string timeToString( std::shared_ptr time ) { + std::shared_ptr gtime( ASN1_TIME_to_generalizedtime( time.get(), 0 ) ); + std::string strdate( ( char* ) ASN1_STRING_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) ); + + logger::notef("openssl formatted me a date: %s", strdate); + if( strdate[strdate.size() - 1] != 'Z' ) { + throw "Got invalid date?"; + } + + return strdate.substr( 0, strdate.size() - 1 ); +} + +void extractTimes( std::shared_ptr target, std::shared_ptr cert ) { + cert->before = timeToString( std::shared_ptr( X509_get_notBefore( target.get() ), ASN1_TIME_free ) ); + cert->after = timeToString( std::shared_ptr( X509_get_notAfter( target.get() ), ASN1_TIME_free ) ); +} + +bool CAConfig::crlNeedsResign() { + auto crl = std::make_shared( path + "/ca.crl" ); + return crl->needsResign(); }