Blob
Date:
Tue Apr 12 17:40:58 2022 UTC
Message:
log when the certificate was successfully generated 
1
/*

2
 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>

3
 *

4
 * Permission to use, copy, modify, and distribute this software for any

5
 * purpose with or without fee is hereby granted, provided that the above

6
 * copyright notice and this permission notice appear in all copies.

7
 *

8
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

9
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

10
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

11
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

12
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

13
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

14
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

15
 */

17
#include "gmid.h"

19
#include <errno.h>

20
#include <string.h>

22
#include <openssl/bn.h>

23
#include <openssl/pem.h>

24
#include <openssl/x509_vfy.h>

25
#include <openssl/x509v3.h>

27
int

28
starts_with(const char *str, const char *prefix)

29
{

30
	size_t i;

32
	if (prefix == NULL)

33
		return 0;

35
	for (i = 0; prefix[i] != '\0'; ++i)

36
		if (str[i] != prefix[i])

37
			return 0;

38
	return 1;

39
}

41
int

42
ends_with(const char *str, const char *sufx)

43
{

44
	size_t i, j;

46
	i = strlen(str);

47
	j = strlen(sufx);

49
	if (j > i)

50
		return 0;

52
	i -= j;

53
	for (j = 0; str[i] != '\0'; i++, j++)

54
		if (str[i] != sufx[j])

55
			return 0;

56
	return 1;

57
}

59
ssize_t

60
filesize(int fd)

61
{

62
	ssize_t len;

64
	if ((len = lseek(fd, 0, SEEK_END)) == -1)

65
		return -1;

66
	if (lseek(fd, 0, SEEK_SET) == -1)

67
		return -1;

68
	return len;

69
}

71
char *

72
absolutify_path(const char *path)

73
{

74
	char *wd, *r;

76
	if (*path == '/') {

77
		if ((r = strdup(path)) == NULL)

78
			err(1, "strdup");

79
		return r;

80
	}

82
	wd = getcwd(NULL, 0);

83
	if (asprintf(&r, "%s/%s", wd, path) == -1)

84
		err(1, "asprintf");

85
	free(wd);

86
	return r;

87
}

89
char *

90
xstrdup(const char *s)

91
{

92
	char *d;

94
	if ((d = strdup(s)) == NULL)

95
		err(1, "strdup");

96
	return d;

97
}

99
void *

100
xcalloc(size_t nmemb, size_t size)

101
{

102
	void *d;

104
	if ((d = calloc(nmemb, size)) == NULL)

105
		err(1, "calloc");

106
	return d;

107
}

109
void

110
gen_certificate(const char *hostname, const char *certpath, const char *keypath)

111
{

112
	BIGNUM		*e;

113
	EVP_PKEY	*pkey;

114
	RSA		*rsa;

115
	X509		*x509;

116
	X509_NAME	*name;

117
	FILE		*f;

118
	const unsigned char *host = (const unsigned char*)hostname;

120
	log_notice(NULL,

121
	    "generating new certificate for %s (it could take a while)",

122
	    host);

124
	if ((pkey = EVP_PKEY_new()) == NULL)

125
		fatal("couldn't create a new private key");

127
	if ((rsa = RSA_new()) == NULL)

128
		fatal("couldn't generate rsa");

130
	if ((e = BN_new()) == NULL)

131
		fatal("couldn't allocate a bignum");

133
	BN_set_word(e, RSA_F4);

134
	if (!RSA_generate_key_ex(rsa, 4096, e, NULL))

135
		fatal("couldn't generate a rsa key");

137
	if (!EVP_PKEY_assign_RSA(pkey, rsa))

138
		fatal("couldn't assign the key");

140
	if ((x509 = X509_new()) == NULL)

141
		fatal("couldn't generate the X509 certificate");

143
	ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);

144
	X509_gmtime_adj(X509_get_notBefore(x509), 0);

145
	X509_gmtime_adj(X509_get_notAfter(x509), 315360000L); /* 10 years */

146
	X509_set_version(x509, 3);

148
	if (!X509_set_pubkey(x509, pkey))

149
		fatal("couldn't set the public key");

151
	name = X509_get_subject_name(x509);

152
	if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, host, -1, -1, 0))

153
		fatal("couldn't add CN to cert");

154
	X509_set_issuer_name(x509, name);

156
	if (!X509_sign(x509, pkey, EVP_sha256()))

157
		fatal("couldn't sign the certificate");

159
	if ((f = fopen(keypath, "w")) == NULL)

160
		fatal("fopen(%s): %s", keypath, strerror(errno));

161
	if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL))

162
		fatal("couldn't write private key");

163
	fclose(f);

165
	if ((f = fopen(certpath, "w")) == NULL)

166
		fatal("fopen(%s): %s", certpath, strerror(errno));

167
	if (!PEM_write_X509(f, x509))

168
		fatal("couldn't write cert");

169
	fclose(f);

171
	BN_free(e);

172
	X509_free(x509);

173
	RSA_free(rsa);

175
	log_notice(NULL, "certificate successfully generated");

176
}

178
X509_STORE *

179
load_ca(const char *path)

180
{

181
	FILE		*f = NULL;

182
	X509		*x = NULL;

183
	X509_STORE	*store;

185
	if ((store = X509_STORE_new()) == NULL)

186
		return NULL;

188
	if ((f = fopen(path, "r")) == NULL)

189
		goto err;

191
	if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)

192
		goto err;

194
	if (X509_check_ca(x) == 0)

195
		goto err;

197
	if (!X509_STORE_add_cert(store, x))

198
		goto err;

200
	X509_free(x);

201
	fclose(f);

202
	return store;

204
err:

205
	X509_STORE_free(store);

206
	if (x != NULL)

207
		X509_free(x);

208
	if (f != NULL)

209
		fclose(f);

210
	return NULL;

211
}

213
int

214
validate_against_ca(X509_STORE *ca, const uint8_t *chain, size_t len)

215
{

216
	X509		*client;

217
	BIO		*m;

218
	X509_STORE_CTX	*ctx = NULL;

219
	int		 ret = 0;

221
	if ((m = BIO_new_mem_buf(chain, len)) == NULL)

222
		return 0;

224
	if ((client = PEM_read_bio_X509(m, NULL, NULL, NULL)) == NULL)

225
		goto end;

227
	if ((ctx = X509_STORE_CTX_new()) == NULL)

228
		goto end;

230
	if (!X509_STORE_CTX_init(ctx, ca, client, NULL))

231
		goto end;

233
	ret = X509_verify_cert(ctx);

235
end:

236
	BIO_free(m);

237
	if (client != NULL)

238
		X509_free(client);

239
	if (ctx != NULL)

240
		X509_STORE_CTX_free(ctx);

241
	return ret;

242
}

244
void

245
dispatch_imsg(struct imsgbuf *ibuf, imsg_handlerfn **handlers, size_t size)

246
{

247
	struct imsg	imsg;

248
	size_t		datalen, i;

249
	ssize_t		n;

251
	if ((n = imsg_read(ibuf)) == -1) {

252
		if (errno == EAGAIN || errno == EWOULDBLOCK)

253
			return;

254
		_exit(1);

255
	}

257
	if (n == 0)

258
		_exit(1);

260
	for (;;) {

261
		if ((n = imsg_get(ibuf, &imsg)) == -1)

262
			_exit(1);

263
		if (n == 0)

264
			return;

265
		datalen = imsg.hdr.len - IMSG_HEADER_SIZE;

266
		i = imsg.hdr.type;

267
		if (i > (size / sizeof(imsg_handlerfn*)) || handlers[i] == NULL)

268
			abort();

269
		handlers[i](ibuf, &imsg, datalen);

270
		imsg_free(&imsg);

271
	}

272
}
Omar Polo