1 f9ab77a8 2023-08-23 op /* $OpenBSD: tls_keypair.c,v 1.8 2021/01/05 17:37:12 jsing Exp $ */
3 f9ab77a8 2023-08-23 op * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 f9ab77a8 2023-08-23 op * Permission to use, copy, modify, and distribute this software for any
6 f9ab77a8 2023-08-23 op * purpose with or without fee is hereby granted, provided that the above
7 f9ab77a8 2023-08-23 op * copyright notice and this permission notice appear in all copies.
9 f9ab77a8 2023-08-23 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 f9ab77a8 2023-08-23 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 f9ab77a8 2023-08-23 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 f9ab77a8 2023-08-23 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 f9ab77a8 2023-08-23 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 f9ab77a8 2023-08-23 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 f9ab77a8 2023-08-23 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include "config.h"

#include <limits.h>

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>

#include <tls.h>

#include "tls_internal.h"
/*
 * Allocate an empty keypair.  Returns NULL on allocation failure;
 * the caller owns the result and releases it with tls_keypair_free().
 */
struct tls_keypair *
tls_keypair_new(void)
{
	struct tls_keypair *keypair;

	/* Zero-filled so every member starts out NULL / 0. */
	keypair = calloc(1, sizeof(*keypair));

	return (keypair);
}
/*
 * Recompute the cached hash of the certificate's public key.  The old
 * value is always discarded first.  With no certificate set there is
 * nothing to hash and 0 is returned; otherwise -1 is returned when the
 * certificate cannot be parsed or hashed, with `error` set accordingly.
 */
static int
tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
{
	X509 *cert = NULL;
	int ret = -1;

	free(keypair->pubkey_hash);
	keypair->pubkey_hash = NULL;

	/* No certificate yet: leave the hash empty, this is not an error. */
	if (keypair->cert_mem == NULL)
		return (0);

	if (tls_keypair_load_cert(keypair, error, &cert) != -1 &&
	    tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) != -1)
		ret = 0;

	/* X509_free() tolerates NULL, so this is safe on the load failure path. */
	X509_free(cert);

	return (ret);
}
/*
 * Release the private key held by `keypair`, leaving it with no key.
 */
void
tls_keypair_clear_key(struct tls_keypair *keypair)
{
	/*
	 * Private key material is wiped before being released, not just
	 * freed, so it does not linger in the heap.
	 */
	freezero(keypair->key_mem, keypair->key_len);
	keypair->key_len = 0;
	keypair->key_mem = NULL;
}
/*
 * Load the certificate from `cert_file` into `keypair` and refresh the
 * cached public key hash.  Returns 0 on success, -1 on failure with
 * `error` set.
 */
int
tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
{
	int rc;

	rc = tls_config_load_file(error, "certificate", cert_file,
	    &keypair->cert_mem, &keypair->cert_len);
	if (rc == -1)
		return (-1);

	/* The hash is derived from the certificate, so it must follow it. */
	return (tls_keypair_pubkey_hash(keypair, error));
}
/*
 * Copy `len` bytes of PEM certificate data from `cert` into `keypair`
 * and refresh the cached public key hash.  Returns 0 on success, -1 on
 * failure with `error` set.
 */
int
tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
    const uint8_t *cert, size_t len)
{
	int rc;

	rc = tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
	if (rc == -1)
		return (-1);

	/* The hash is derived from the certificate, so it must follow it. */
	return (tls_keypair_pubkey_hash(keypair, error));
}
/*
 * Replace the private key of `keypair` with the contents of `key_file`.
 * The previous key is wiped first.  Returns 0 on success, -1 on failure
 * with `error` set.
 */
int
tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *key_file)
{
	int rc;

	/* Wipe the old key before anything else so it never outlives this call. */
	tls_keypair_clear_key(keypair);

	rc = tls_config_load_file(error, "key", key_file,
	    &keypair->key_mem, &keypair->key_len);

	return (rc);
}
/*
 * Replace the private key of `keypair` with a copy of the `len` bytes at
 * `key`.  The previous key is wiped first.  Returns 0 on success, -1 on
 * failure.
 */
int
tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
    const uint8_t *key, size_t len)
{
	int rc;

	/* Wipe the old key before anything else so it never outlives this call. */
	tls_keypair_clear_key(keypair);

	rc = tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);

	return (rc);
}
/*
 * Load an OCSP staple for `keypair` from `ocsp_file`.  Returns 0 on
 * success, -1 on failure with `error` set.
 */
int
tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
    struct tls_error *error, const char *ocsp_file)
{
	int rc;

	rc = tls_config_load_file(error, "ocsp", ocsp_file,
	    &keypair->ocsp_staple, &keypair->ocsp_staple_len);

	return (rc);
}
/*
 * Set the OCSP staple of `keypair` to a copy of the `len` bytes at
 * `staple`.  Returns 0 on success, -1 on failure.
 */
int
tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
    struct tls_error *error, const uint8_t *staple, size_t len)
{
	int rc;

	rc = tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
	    staple, len);

	return (rc);
}
/*
 * Release `keypair` and everything it owns.  A NULL argument is a no-op.
 */
void
tls_keypair_free(struct tls_keypair *keypair)
{
	if (keypair != NULL) {
		/* The private key is wiped; the remaining members are public data. */
		tls_keypair_clear_key(keypair);

		free(keypair->cert_mem);
		free(keypair->ocsp_staple);
		free(keypair->pubkey_hash);

		free(keypair);
	}
}
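/*
 * Parse the PEM certificate held in `keypair` into a fresh X509 object
 * stored in *cert.  Any X509 the caller already holds in *cert is freed
 * first, and *cert is NULL whenever -1 is returned.  Returns 0 on success,
 * -1 on failure with `error` set.
 */
int
tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
    X509 **cert)
{
	char *errstr = "unknown";
	BIO *cert_bio = NULL;
	unsigned long ssl_err;
	int rv = -1;

	X509_free(*cert);
	*cert = NULL;

	if (keypair->cert_mem == NULL) {
		tls_error_set(error, "keypair has no certificate");
		goto err;
	}
	/*
	 * BIO_new_mem_buf() takes an int length; a size_t above INT_MAX
	 * would be silently truncated (possibly to a negative value), so
	 * refuse it instead of handing the BIO a bogus length.
	 */
	if (keypair->cert_len > INT_MAX) {
		tls_error_set(error, "certificate too large");
		goto err;
	}
	if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
	    (int)keypair->cert_len)) == NULL) {
		tls_error_set(error, "failed to create certificate bio");
		goto err;
	}
	if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
	    NULL)) == NULL) {
		/* Prefer the library's own reason string when one is queued. */
		if ((ssl_err = ERR_peek_error()) != 0)
			errstr = ERR_error_string(ssl_err, NULL);
		tls_error_set(error, "failed to load certificate: %s", errstr);
		goto err;
	}

	rv = 0;

 err:
	/* BIO_free() tolerates NULL, so the early failure paths are safe here. */
	BIO_free(cert_bio);

	return (rv);
}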