source: creddy/id.c @ b19d1f0

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml
Last change on this file since b19d1f0 was b19d1f0, checked in by Mike Ryan <mikeryan@…>, 13 years ago

show subject of ID/Attr cert
see #17
  • Property mode set to 100644
File size: 11.4 KB
Line 
1#include <assert.h>
2#include <err.h>
3#include <termios.h>
4#include <time.h>
5
6// include the GNU extension of asprintf
7#define _GNU_SOURCE
8#include <stdio.h>
9
10#include "libcreddy_common.h"
11
12#define KEY_SUFFIX  "_private.pem"
13#define CERT_SUFFIX "_ID.pem"
14/* Size of password memory allocation */
15#define PWLEN 128
16
17//
18// ID object
19//
20struct _creddy_id_t {
21    char *keyid;
22    char *cn;
23    certificate_t *cert;
24    private_key_t *key;
25
26    int refcount;
27}; 
28
29/* Callback configuration */
30struct cb_opts {
31    bool use_prompt;    /* Print a prompt to stderr */
32    bool use_echo;      /* If true, turn off input echo on stdin */
33    unsigned int tries; /* Number of attempts allowed */
34    char prompt[20];    /* The prompt to display if use_echo is true */
35};
36
37static char *_get_keyid(certificate_t *cert);
38static chunk_t _passphrase_callback(void *user, int try);
39static private_key_t *_generate_key(void);
40static certificate_t *_generate_cert(private_key_t *private, char *cn, int validity);
41static void _encode_base64(FILE *out, chunk_t encoding);
42
43/**
44 * Load an ID cert from a file.
45 */
46creddy_id_t *creddy_id_from_file(char *filename) {
47    libabac_init();
48
49    certificate_t *cert = lib->creds->create(lib->creds,
50        CRED_CERTIFICATE, CERT_X509,
51        BUILD_FROM_FILE, filename,
52        BUILD_X509_FLAG, X509_AA,
53        BUILD_END
54    );
55
56    if (cert == NULL)
57        return NULL;
58
59    creddy_id_t *id = creddy_xmalloc(sizeof(creddy_id_t));
60    id->keyid = NULL;
61    id->cn = NULL;
62    id->cert = cert;
63    id->key = NULL;
64
65    id->keyid = _get_keyid(id->cert);
66
67    // get the CN from the cert
68    id_part_t type;
69    chunk_t data;
70
71    identification_t *cert_id = id->cert->get_subject(id->cert);
72    enumerator_t *id_enum = cert_id->create_part_enumerator(cert_id);
73    while (id_enum->enumerate(id_enum, &type, &data))
74        if (type == ID_PART_RDN_CN) {
75            id->cn = creddy_xmalloc(data.len + 1);
76            memcpy(id->cn, data.ptr, data.len);
77            id->cn[data.len] = 0;
78        }
79    id_enum->destroy(id_enum);
80
81    id->refcount = 1;
82
83    return id;
84}
85
86
87/**
88 * Load private key for a cert.
89 */
90int creddy_id_load_privkey(creddy_id_t *id, char *filename) {
91    struct cb_opts c_opts = { 1, 0, 3, "Key password:" };
92
93    assert(id != NULL);
94
95    libabac_init();
96
97    // load signer key
98    private_key_t *key = lib->creds->create(lib->creds,
99        CRED_PRIVATE_KEY, KEY_RSA,
100        BUILD_FROM_FILE, filename,
101        /* Ask for password if the key's encrypted */
102        BUILD_PASSPHRASE_CALLBACK, _passphrase_callback, &c_opts, 
103        BUILD_END
104    );
105    if (key == NULL)
106        return 0;
107
108    id->key = key;
109    return 1;
110}
111
112/**
113 * Generate an ID with the specified CN and validity.
114 */
115int creddy_id_generate(creddy_id_t **ret, char *cn, int validity) {
116    if (cn == NULL || !creddy_clean_name(cn))
117        return CREDDY_GENERATE_INVALID_CN;
118
119    if (validity < 0)
120        return CREDDY_GENERATE_INVALID_VALIDITY;
121
122    creddy_id_t *id = creddy_xmalloc(sizeof(creddy_id_t));
123
124    id->cn = creddy_xstrdup(cn);
125    id->key = _generate_key();
126    id->cert = _generate_cert(id->key, cn, validity);
127    id->keyid = _get_keyid(id->cert);
128
129    id->refcount = 1;
130
131    *ret = id;
132    return CREDDY_SUCCESS;
133}
134
135char *creddy_id_keyid(creddy_id_t *id) {
136    assert(id != NULL);
137
138    return id->keyid;
139}
140
141/**
142 * Get the issuer of an ID cert.
143 * Returns a malloc'd string that must be free'd.
144 */
145char *creddy_id_issuer(creddy_id_t *id) {
146    char *ret;
147    int rv = asprintf(&ret, "%Y", id->cert->get_issuer(id->cert));
148
149    if (rv < 0)
150        err(1, "couldn't malloc string for issuer\n");
151
152    return ret;
153}
154
155/**
156 * Gets the subject DN of an ID cert.
157 * Returns a malloc'd string that must be free'd.
158 */
159char *creddy_id_subject(creddy_id_t *id) {
160    char *ret;
161    int rv = asprintf(&ret, "%Y", id->cert->get_subject(id->cert));
162
163    if (rv < 0)
164        err(1, "couldn't malloc string for subject\n");
165
166    return ret;
167}
168
169/**
170 * Get the validity period.
171 */
172void creddy_id_validity(creddy_id_t *id, time_t *not_before, time_t *not_after) {
173    id->cert->get_validity(id->cert, NULL, not_before, not_after);
174}
175
176certificate_t *creddy_id_cert(creddy_id_t *id) {
177    assert(id != NULL);
178
179    return id->cert;
180}
181
182private_key_t *creddy_id_privkey(creddy_id_t *id) {
183    assert(id != NULL);
184
185    return id->key;
186}
187
188/**
189 * Get the default filename for the cert. Value must be freed by caller.
190 */
191char *creddy_id_cert_filename(creddy_id_t *id) {
192    assert(id != NULL);
193    assert(id->cn != NULL);
194
195    // malloc the filename
196    int len = strlen(id->cn) + strlen(CERT_SUFFIX) + 1;
197    char *filename = creddy_xmalloc(len);
198    sprintf(filename, "%s" CERT_SUFFIX, id->cn);
199
200    return filename;
201}
202
203/**
204 * Write the ID cert to an open file pointer.
205 */
206void creddy_id_write_cert(creddy_id_t *id, FILE *out) {
207    assert(id != NULL);
208
209    chunk_t encoding = id->cert->get_encoding(id->cert);
210    _encode_base64(out, encoding);
211    free(encoding.ptr);
212}
213
214/**
215 * Default private key filename. Value must be freed by caller.
216 */
217char *creddy_id_privkey_filename(creddy_id_t *id) {
218    assert(id != NULL);
219    assert(id->cn != NULL);
220
221    // malloc the filename
222    int len = strlen(id->cn) + strlen(KEY_SUFFIX) + 1;
223    char *filename = creddy_xmalloc(len);
224    sprintf(filename, "%s" KEY_SUFFIX, id->cn);
225
226    return filename;
227}
228
229/**
230 * Write the private key to a file.
231 * Returns false if there's no private key loaded
232 */
233int creddy_id_write_privkey(creddy_id_t *id, FILE *out) {
234    int ret;
235    chunk_t encoding;
236
237    assert(id != NULL);
238
239    if (id->key == NULL)
240        return 0;
241
242    ret = id->key->get_encoding(id->key, KEY_PRIV_PEM, &encoding);
243    if (!ret)
244        errx(1, "Couldn't encode private key");
245
246    fwrite(encoding.ptr, encoding.len, 1, out);
247
248    free(encoding.ptr);
249    return 1;
250}
251
252/**
253 * Get a DER-encoded chunk representing the cert.
254 */
255abac_chunk_t creddy_id_cert_chunk(creddy_id_t *id) {
256    chunk_t encoding = id->cert->get_encoding(id->cert);
257    abac_chunk_t ret = { encoding.ptr, encoding.len };
258    return ret;
259}
260
261/**
262 * Copy a creddy ID. Actually just increases its reference count.
263 */
264creddy_id_t *creddy_id_dup(creddy_id_t *id) {
265    ++id->refcount;
266}
267
268void creddy_id_free(creddy_id_t *id) {
269    if (id == NULL)
270        return;
271
272    --id->refcount;
273    if (id->refcount > 0)
274        return;
275
276    // free once the reference count reaches 0
277    DESTROY_IF(id->cert);
278    DESTROY_IF(id->key);
279
280    free(id->keyid);
281    free(id);
282}
283
284//
285// Helper functions below
286//
287
288static char *_get_keyid(certificate_t *cert) {
289    // get the keyid
290    x509_t *x509 = (x509_t *)cert;
291    chunk_t keyid = x509->get_subjectKeyIdentifier(x509);
292    chunk_t string = chunk_to_hex(keyid, NULL, 0);
293    return (char *)string.ptr;
294}
295
296static chunk_t _passphrase_callback(void *user, int try) {
297    /* Get a password from stdin and return it as a chunk_t.  If too many tries
298     * have occurred or there is any other problem, return an empty chunk_t,
299     * which libstrongswan takes as giving up.  The chunk is alloated here
300     * (inside getline), and presumably freed by libstrongswan. User points to
301     * a cb_opts struct, which affects this routine in the obvious ways.
302     */
303    /* Configuration options */
304    struct cb_opts *opts = (struct cb_opts *) user;
305    chunk_t rv = chunk_empty;   /* Return value, starts empty */
306
307    if (try -1 < opts->tries ) {
308        struct termios t;   /* Terminal settings */
309        size_t len = 0;     /* Length of string from getline */
310        tcflag_t orig = 0;  /* Holds the original local flags (echo in here) */
311
312        if (!opts->use_echo) {
313            /* Use tc{get,set}attr to turn echo off and restore the intial
314             * echo settings */
315            if (!tcgetattr(0, &t)) { 
316                orig = t.c_lflag;
317
318                t.c_lflag &= ~ECHO;
319                if ( tcsetattr(0, TCSANOW, &t) ) { 
320                    perror("Cannot turn off echo"); 
321                    return rv;
322                }
323            }
324            else {
325                perror("Cannot turn get attributes to off echo"); 
326                return rv;
327            }
328        }
329        if (opts->use_prompt) printf("%s", opts->prompt);
330
331        /* Because rv.ptr starts as NULL, getline allocates memory.  The size
332         * of the allocation returns in rv.len and the size of the string
333         * (including newline and NUL) is in len.  */
334        if ((rv.ptr = (u_char *) malloc(rv.len = PWLEN))) {
335            if ( fgets(rv.ptr, rv.len, stdin) ) {
336                /* Readjust the chunk_t's len field to the size of the string
337                 * w/o the newline or NUL */
338                /* would prefer strnlen, but no such luck in FBSD7 or earlier*/
339                size_t len = strlen(rv.ptr);
340
341                if (rv.ptr[len-2] == '\n') rv.len = len-2;
342                else rv.len = len -1;
343            }
344            else {
345                /* Read failed.  Deallocate and clear rv */
346                free(rv.ptr);
347                rv = chunk_empty;
348            }
349        }
350        else {
351            /* Failed malloc.  Restore rv to empty and return it */
352            perror("malloc");
353            rv = chunk_empty;
354            return rv;
355        }
356
357        if (!opts->use_echo ) {
358            /* Pop echo beck to its original setting. */
359            t.c_lflag = orig;
360
361            if ( tcsetattr(0, TCSANOW, &t) ) 
362                perror("Cannot restore echo setting?"); 
363
364            if (opts->use_prompt) printf("\n");
365        }
366    }
367    else fprintf(stderr, "Too many tries (%d)", try-1);
368    return rv;
369}
370
371/**
372 * Generate a private key.
373 */
374static private_key_t *_generate_key(void) {
375    private_key_t *key;
376    libabac_init();
377
378    // generate the key
379    key = lib->creds->create(
380        lib->creds,
381        CRED_PRIVATE_KEY, KEY_RSA,
382        BUILD_KEY_SIZE, 2048,
383        BUILD_END
384    );
385    if (key == NULL)
386        errx(1, "Key generation failed");
387
388    return key;
389}
390
391static char *_create_dn(char *cn) {
392
393#define DN "cn="
394
395    char *dn = creddy_xmalloc(sizeof(DN) + strlen(cn));
396    memcpy(dn, DN, sizeof(DN));
397    strcat(dn, cn);
398
399    return dn;
400}
401
402/**
403 * Generate certificate.
404 */
405static certificate_t *_generate_cert(private_key_t *private, char *cn, int validity) {
406    // build the DN
407    char *dn_string = _create_dn(cn);
408    libabac_init();
409
410    identification_t *id = identification_create_from_string(dn_string);
411    if (id == NULL)
412        errx(1, "couldn't create ID from DN %s", dn_string);
413    free(dn_string);
414
415    // get the public key
416    public_key_t *public = private->get_public_key(private);
417    if (public == NULL)
418        errx(1, "couldn't get public key from private key");
419
420    // create a serial (stolen from strongswan pki)
421    rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
422    if (!rng)
423        errx(1, "no random number generator");
424
425    // random serial
426    chunk_t serial = creddy_generate_serial();
427
428    // validity period
429    time_t not_before = time(NULL);
430    time_t not_after = not_before + validity * 24 * 60 * 60;
431
432    // create!
433    certificate_t *cert = lib->creds->create(lib->creds,
434        CRED_CERTIFICATE, CERT_X509,
435        BUILD_SIGNING_KEY, private,
436        BUILD_PUBLIC_KEY, public,
437        BUILD_SUBJECT, id,
438        BUILD_NOT_BEFORE_TIME, not_before,
439        BUILD_NOT_AFTER_TIME, not_after,
440        BUILD_SERIAL, serial,
441        BUILD_DIGEST_ALG, HASH_SHA1,
442        BUILD_X509_FLAG, X509_CA,
443        BUILD_PATHLEN, X509_NO_PATH_LEN_CONSTRAINT,
444        BUILD_END
445    );
446    if (cert == NULL)
447        errx(1, "couldn't build cert :(");
448
449    DESTROY_IF(id);
450    DESTROY_IF(public);
451    free(serial.ptr);
452
453    return cert;
454}
455
456#define BYTES_PER_LINE 64
457
458// thx libstrongswan
459static void _encode_base64(FILE *out, chunk_t encoding) {
460    int start;
461
462    chunk_t b64 = chunk_to_base64(encoding, NULL);
463
464    fprintf(out, "-----BEGIN CERTIFICATE-----\n");
465
466    for (start = 0; start < b64.len; start += BYTES_PER_LINE) {
467        int left = b64.len - start;
468        int len = left < BYTES_PER_LINE ? left : BYTES_PER_LINE;
469        fwrite(b64.ptr + start, len, 1, out);
470        fprintf(out, "\n");
471    }
472
473    fprintf(out, "-----END CERTIFICATE-----\n");
474
475    free(b64.ptr);
476}
Note: See TracBrowser for help on using the repository browser.