Context Navigation

source: creddy/id.c @ 0aaa651

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since 0aaa651 was adc86c3, checked in by Mike Ryan <mikeryan@…>, 13 years ago
fetch the issuer from an attribute/ID cert see #17
Property mode set to `100644`
File size: 11.0 KB

Line
1	#include <assert.h>
2	#include <err.h>
3	#include <termios.h>
4	#include <time.h>
5
6	// include the GNU extension of asprintf
7	#define _GNU_SOURCE
8	#include <stdio.h>
9
10	#include "libcreddy_common.h"
11
12	#define KEY_SUFFIX "_private.pem"
13	#define CERT_SUFFIX "_ID.pem"
14	/* Size of password memory allocation */
15	#define PWLEN 128
16
17	//
18	// ID object
19	//
20	struct _creddy_id_t {
21	char *keyid;
22	char *cn;
23	certificate_t *cert;
24	private_key_t *key;
25
26	int refcount;
27	};
28
29	/* Callback configuration */
30	struct cb_opts {
31	bool use_prompt; /* Print a prompt to stderr */
32	bool use_echo; /* If true, turn off input echo on stdin */
33	unsigned int tries; /* Number of attempts allowed */
34	char prompt[20]; /* The prompt to display if use_echo is true */
35	};
36
37	static char _get_keyid(certificate_t cert);
38	static chunk_t _passphrase_callback(void *user, int try);
39	static private_key_t *_generate_key(void);
40	static certificate_t _generate_cert(private_key_t private, char *cn, int validity);
41	static void _encode_base64(FILE *out, chunk_t encoding);
42
43	/**
44	* Load an ID cert from a file.
45	*/
46	creddy_id_t creddy_id_from_file(char filename) {
47	libabac_init();
48
49	certificate_t *cert = lib->creds->create(lib->creds,
50	CRED_CERTIFICATE, CERT_X509,
51	BUILD_FROM_FILE, filename,
52	BUILD_X509_FLAG, X509_AA,
53	BUILD_END
54	);
55
56	if (cert == NULL)
57	return NULL;
58
59	creddy_id_t *id = creddy_xmalloc(sizeof(creddy_id_t));
60	id->keyid = NULL;
61	id->cn = NULL;
62	id->cert = cert;
63	id->key = NULL;
64
65	id->keyid = _get_keyid(id->cert);
66
67	// get the CN from the cert
68	id_part_t type;
69	chunk_t data;
70
71	identification_t *cert_id = id->cert->get_subject(id->cert);
72	enumerator_t *id_enum = cert_id->create_part_enumerator(cert_id);
73	while (id_enum->enumerate(id_enum, &type, &data))
74	if (type == ID_PART_RDN_CN) {
75	id->cn = creddy_xmalloc(data.len + 1);
76	memcpy(id->cn, data.ptr, data.len);
77	id->cn[data.len] = 0;
78	}
79	id_enum->destroy(id_enum);
80
81	id->refcount = 1;
82
83	return id;
84	}
85
86
87	/**
88	* Load private key for a cert.
89	*/
90	int creddy_id_load_privkey(creddy_id_t id, char filename) {
91	struct cb_opts c_opts = { 1, 0, 3, "Key password:" };
92
93	assert(id != NULL);
94
95	libabac_init();
96
97	// load signer key
98	private_key_t *key = lib->creds->create(lib->creds,
99	CRED_PRIVATE_KEY, KEY_RSA,
100	BUILD_FROM_FILE, filename,
101	/* Ask for password if the key's encrypted */
102	BUILD_PASSPHRASE_CALLBACK, _passphrase_callback, &c_opts,
103	BUILD_END
104	);
105	if (key == NULL)
106	return 0;
107
108	id->key = key;
109	return 1;
110	}
111
112	/**
113	* Generate an ID with the specified CN and validity.
114	*/
115	int creddy_id_generate(creddy_id_t *ret, char cn, int validity) {
116	if (cn == NULL \|\| !creddy_clean_name(cn))
117	return CREDDY_GENERATE_INVALID_CN;
118
119	if (validity < 0)
120	return CREDDY_GENERATE_INVALID_VALIDITY;
121
122	creddy_id_t *id = creddy_xmalloc(sizeof(creddy_id_t));
123
124	id->cn = creddy_xstrdup(cn);
125	id->key = _generate_key();
126	id->cert = _generate_cert(id->key, cn, validity);
127	id->keyid = _get_keyid(id->cert);
128
129	id->refcount = 1;
130
131	*ret = id;
132	return CREDDY_SUCCESS;
133	}
134
135	char creddy_id_keyid(creddy_id_t id) {
136	assert(id != NULL);
137
138	return id->keyid;
139	}
140
141	/**
142	* Get the issuer of an ID cert.
143	* Returns a malloc'd string that must be free'd.
144	*/
145	char creddy_id_issuer(creddy_id_t id) {
146	char *ret;
147	int rv = asprintf(&ret, "%Y", id->cert->get_issuer(id->cert));
148
149	if (rv < 0)
150	err(1, "couldn't malloc string for issuer\n");
151
152	return ret;
153	}
154
155	certificate_t creddy_id_cert(creddy_id_t id) {
156	assert(id != NULL);
157
158	return id->cert;
159	}
160
161	private_key_t creddy_id_privkey(creddy_id_t id) {
162	assert(id != NULL);
163
164	return id->key;
165	}
166
167	/**
168	* Get the default filename for the cert. Value must be freed by caller.
169	*/
170	char creddy_id_cert_filename(creddy_id_t id) {
171	assert(id != NULL);
172	assert(id->cn != NULL);
173
174	// malloc the filename
175	int len = strlen(id->cn) + strlen(CERT_SUFFIX) + 1;
176	char *filename = creddy_xmalloc(len);
177	sprintf(filename, "%s" CERT_SUFFIX, id->cn);
178
179	return filename;
180	}
181
182	/**
183	* Write the ID cert to an open file pointer.
184	*/
185	void creddy_id_write_cert(creddy_id_t id, FILE out) {
186	assert(id != NULL);
187
188	chunk_t encoding = id->cert->get_encoding(id->cert);
189	_encode_base64(out, encoding);
190	free(encoding.ptr);
191	}
192
193	/**
194	* Default private key filename. Value must be freed by caller.
195	*/
196	char creddy_id_privkey_filename(creddy_id_t id) {
197	assert(id != NULL);
198	assert(id->cn != NULL);
199
200	// malloc the filename
201	int len = strlen(id->cn) + strlen(KEY_SUFFIX) + 1;
202	char *filename = creddy_xmalloc(len);
203	sprintf(filename, "%s" KEY_SUFFIX, id->cn);
204
205	return filename;
206	}
207
208	/**
209	* Write the private key to a file.
210	* Returns false if there's no private key loaded
211	*/
212	int creddy_id_write_privkey(creddy_id_t id, FILE out) {
213	int ret;
214	chunk_t encoding;
215
216	assert(id != NULL);
217
218	if (id->key == NULL)
219	return 0;
220
221	ret = id->key->get_encoding(id->key, KEY_PRIV_PEM, &encoding);
222	if (!ret)
223	errx(1, "Couldn't encode private key");
224
225	fwrite(encoding.ptr, encoding.len, 1, out);
226
227	free(encoding.ptr);
228	return 1;
229	}
230
231	/**
232	* Get a DER-encoded chunk representing the cert.
233	*/
234	abac_chunk_t creddy_id_cert_chunk(creddy_id_t *id) {
235	chunk_t encoding = id->cert->get_encoding(id->cert);
236	abac_chunk_t ret = { encoding.ptr, encoding.len };
237	return ret;
238	}
239
240	/**
241	* Copy a creddy ID. Actually just increases its reference count.
242	*/
243	creddy_id_t creddy_id_dup(creddy_id_t id) {
244	++id->refcount;
245	}
246
247	void creddy_id_free(creddy_id_t *id) {
248	if (id == NULL)
249	return;
250
251	--id->refcount;
252	if (id->refcount > 0)
253	return;
254
255	// free once the reference count reaches 0
256	DESTROY_IF(id->cert);
257	DESTROY_IF(id->key);
258
259	free(id->keyid);
260	free(id);
261	}
262
263	//
264	// Helper functions below
265	//
266
267	static char _get_keyid(certificate_t cert) {
268	// get the keyid
269	x509_t x509 = (x509_t )cert;
270	chunk_t keyid = x509->get_subjectKeyIdentifier(x509);
271	chunk_t string = chunk_to_hex(keyid, NULL, 0);
272	return (char *)string.ptr;
273	}
274
275	static chunk_t _passphrase_callback(void *user, int try) {
276	/* Get a password from stdin and return it as a chunk_t. If too many tries
277	* have occurred or there is any other problem, return an empty chunk_t,
278	* which libstrongswan takes as giving up. The chunk is alloated here
279	* (inside getline), and presumably freed by libstrongswan. User points to
280	* a cb_opts struct, which affects this routine in the obvious ways.
281	*/
282	/* Configuration options */
283	struct cb_opts opts = (struct cb_opts ) user;
284	chunk_t rv = chunk_empty; /* Return value, starts empty */
285
286	if (try -1 < opts->tries ) {
287	struct termios t; /* Terminal settings */
288	size_t len = 0; /* Length of string from getline */
289	tcflag_t orig = 0; /* Holds the original local flags (echo in here) */
290
291	if (!opts->use_echo) {
292	/* Use tc{get,set}attr to turn echo off and restore the intial
293	* echo settings */
294	if (!tcgetattr(0, &t)) {
295	orig = t.c_lflag;
296
297	t.c_lflag &= ~ECHO;
298	if ( tcsetattr(0, TCSANOW, &t) ) {
299	perror("Cannot turn off echo");
300	return rv;
301	}
302	}
303	else {
304	perror("Cannot turn get attributes to off echo");
305	return rv;
306	}
307	}
308	if (opts->use_prompt) printf("%s", opts->prompt);
309
310	/* Because rv.ptr starts as NULL, getline allocates memory. The size
311	* of the allocation returns in rv.len and the size of the string
312	* (including newline and NUL) is in len. */
313	if ((rv.ptr = (u_char *) malloc(rv.len = PWLEN))) {
314	if ( fgets(rv.ptr, rv.len, stdin) ) {
315	/* Readjust the chunk_t's len field to the size of the string
316	* w/o the newline or NUL */
317	/* would prefer strnlen, but no such luck in FBSD7 or earlier*/
318	size_t len = strlen(rv.ptr);
319
320	if (rv.ptr[len-2] == '\n') rv.len = len-2;
321	else rv.len = len -1;
322	}
323	else {
324	/* Read failed. Deallocate and clear rv */
325	free(rv.ptr);
326	rv = chunk_empty;
327	}
328	}
329	else {
330	/* Failed malloc. Restore rv to empty and return it */
331	perror("malloc");
332	rv = chunk_empty;
333	return rv;
334	}
335
336	if (!opts->use_echo ) {
337	/* Pop echo beck to its original setting. */
338	t.c_lflag = orig;
339
340	if ( tcsetattr(0, TCSANOW, &t) )
341	perror("Cannot restore echo setting?");
342
343	if (opts->use_prompt) printf("\n");
344	}
345	}
346	else fprintf(stderr, "Too many tries (%d)", try-1);
347	return rv;
348	}
349
350	/**
351	* Generate a private key.
352	*/
353	static private_key_t *_generate_key(void) {
354	private_key_t *key;
355	libabac_init();
356
357	// generate the key
358	key = lib->creds->create(
359	lib->creds,
360	CRED_PRIVATE_KEY, KEY_RSA,
361	BUILD_KEY_SIZE, 2048,
362	BUILD_END
363	);
364	if (key == NULL)
365	errx(1, "Key generation failed");
366
367	return key;
368	}
369
370	static char _create_dn(char cn) {
371
372	#define DN "cn="
373
374	char *dn = creddy_xmalloc(sizeof(DN) + strlen(cn));
375	memcpy(dn, DN, sizeof(DN));
376	strcat(dn, cn);
377
378	return dn;
379	}
380
381	/**
382	* Generate certificate.
383	*/
384	static certificate_t _generate_cert(private_key_t private, char *cn, int validity) {
385	// build the DN
386	char *dn_string = _create_dn(cn);
387	libabac_init();
388
389	identification_t *id = identification_create_from_string(dn_string);
390	if (id == NULL)
391	errx(1, "couldn't create ID from DN %s", dn_string);
392	free(dn_string);
393
394	// get the public key
395	public_key_t *public = private->get_public_key(private);
396	if (public == NULL)
397	errx(1, "couldn't get public key from private key");
398
399	// create a serial (stolen from strongswan pki)
400	rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
401	if (!rng)
402	errx(1, "no random number generator");
403
404	// random serial
405	chunk_t serial = creddy_generate_serial();
406
407	// validity period
408	time_t not_before = time(NULL);
409	time_t not_after = not_before + validity * 24 * 60 * 60;
410
411	// create!
412	certificate_t *cert = lib->creds->create(lib->creds,
413	CRED_CERTIFICATE, CERT_X509,
414	BUILD_SIGNING_KEY, private,
415	BUILD_PUBLIC_KEY, public,
416	BUILD_SUBJECT, id,
417	BUILD_NOT_BEFORE_TIME, not_before,
418	BUILD_NOT_AFTER_TIME, not_after,
419	BUILD_SERIAL, serial,
420	BUILD_DIGEST_ALG, HASH_SHA1,
421	BUILD_X509_FLAG, X509_CA,
422	BUILD_PATHLEN, X509_NO_PATH_LEN_CONSTRAINT,
423	BUILD_END
424	);
425	if (cert == NULL)
426	errx(1, "couldn't build cert :(");
427
428	DESTROY_IF(id);
429	DESTROY_IF(public);
430	free(serial.ptr);
431
432	return cert;
433	}
434
435	#define BYTES_PER_LINE 64
436
437	// thx libstrongswan
438	static void _encode_base64(FILE *out, chunk_t encoding) {
439	int start;
440
441	chunk_t b64 = chunk_to_base64(encoding, NULL);
442
443	fprintf(out, "-----BEGIN CERTIFICATE-----\n");
444
445	for (start = 0; start < b64.len; start += BYTES_PER_LINE) {
446	int left = b64.len - start;
447	int len = left < BYTES_PER_LINE ? left : BYTES_PER_LINE;
448	fwrite(b64.ptr + start, len, 1, out);
449	fprintf(out, "\n");
450	}
451
452	fprintf(out, "-----END CERTIFICATE-----\n");
453
454	free(b64.ptr);
455	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: