Blob

Date:
Message:
tweak certificate generation log messages
Actions:
History | Blame | Raw File
1 /*

2  * Copyright (c) 2021, 2023 Omar Polo <op@omarpolo.com>

3  * Copyright (c) 2019 Renaud Allard <renaud@allard.it>

4  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>

5  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>

6  * Copyright (c) 2008 Reyk Floeter <reyk@openbsd.org>

7  *

8  * Permission to use, copy, modify, and distribute this software for any

9  * purpose with or without fee is hereby granted, provided that the above

10  * copyright notice and this permission notice appear in all copies.

11  *

12  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

13  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

14  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

15  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

16  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

17  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

18  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

19  */

21 #include "gmid.h"

23 #include <errno.h>

24 #include <string.h>

26 #include <openssl/ec.h>

27 #include <openssl/err.h>

28 #include <openssl/evp.h>

29 #include <openssl/obj_mac.h>

30 #include <openssl/pem.h>

31 #include <openssl/rsa.h>

32 #include <openssl/x509_vfy.h>

33 #include <openssl/x509v3.h>

35 #include "log.h"

37 /*

38  * Default number of bits when creating a new RSA key.

39  */

40 #define KBITS 4096

42 const char *

43 strip_path(const char *path, int strip)

44 {

45 	char *t;

47 	while (strip > 0) {

48 		if ((t = strchr(path, '/')) == NULL) {

49 			path = strchr(path, '\0');

50 			break;

51 		}

52 		path = t;

53 		strip--;

54 	}

56 	return path;

57 }

59 int

60 ends_with(const char *str, const char *sufx)

61 {

62 	size_t i, j;

64 	i = strlen(str);

65 	j = strlen(sufx);

67 	if (j > i)

68 		return 0;

70 	i -= j;

71 	for (j = 0; str[i] != '\0'; i++, j++)

72 		if (str[i] != sufx[j])

73 			return 0;

74 	return 1;

75 }

77 char *

78 absolutify_path(const char *path)

79 {

80 	char wd[PATH_MAX], *r;

82 	if (*path == '/') {

83 		if ((r = strdup(path)) == NULL)

84 			fatal("strdup");

85 		return r;

86 	}

88 	if (getcwd(wd, sizeof(wd)) == NULL)

89 		fatal("getcwd");

90 	if (asprintf(&r, "%s/%s", wd, path) == -1)

91 		fatal("asprintf");

92 	return r;

93 }

95 char *

96 xstrdup(const char *s)

97 {

98 	char *d;

100 	if ((d = strdup(s)) == NULL)

101 		fatal("strdup");

102 	return d;

105 void *

106 xcalloc(size_t nmemb, size_t size)

108 	void *d;

110 	if ((d = calloc(nmemb, size)) == NULL)

111 		fatal("calloc");

112 	return d;

115 static EVP_PKEY *

116 rsa_key_create(FILE *f, const char *fname)

118 	EVP_PKEY_CTX	*ctx = NULL;

119 	EVP_PKEY	*pkey = NULL;

120 	int		 ret = -1;

122 	/* First, create the context and the key. */

124 	if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) {

125 		log_warnx("EVP_PKEY_CTX_new_id failed");

126 		ssl_error("EVP_PKEY_CTX_new_id");

127 		goto done;

129 	if (EVP_PKEY_keygen_init(ctx) <= 0) {

130 		log_warnx("EVP_PKEY_keygen_init failed");

131 		ssl_error("EVP_PKEY_keygen_init");

132 		goto done;

134 	if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, KBITS) <= 0) {

135 		log_warnx("EVP_PKEY_CTX_set_rsa_keygen_bits failed");

136 		ssl_error("EVP_PKEY_CTX_set_rsa_keygen_bits");

137 		goto done;

139 	if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {

140 		log_warnx("EVP_PKEY_keygen failed");

141 		ssl_error("EVP_PKEY_keygen");

142 		goto done;

145 	/* Serialize the key to the disc. */

146 	if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) {

147 		log_warnx("PEM_write_PrivateKey failed");

148 		ssl_error("PEM_write_PrivateKey");

149 		goto done;

152 	ret = 0;

153  done:

154 	if (ret == -1) {

155 		EVP_PKEY_free(pkey);

156 		pkey = NULL;

158 	EVP_PKEY_CTX_free(ctx);

159 	return pkey;

162 static EVP_PKEY *

163 ec_key_create(FILE *f, const char *fname)

165 	EC_KEY		*eckey = NULL;

166 	EVP_PKEY	*pkey = NULL;

167 	int		 ret = -1;

169 	if ((eckey = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL) {

170 		log_warnx("EC_KEY_new_by_curve_name failed");

171 		ssl_error("EC_KEY_new_by_curve_name");

172 		goto done;

175 	if (!EC_KEY_generate_key(eckey)) {

176 		log_warnx("EC_KEY_generate_key failed");

177 		ssl_error("EC_KEY_generate_key");

178 		goto done;

181 	/* Serialise the key to the disc in EC format */

182 	if (!PEM_write_ECPrivateKey(f, eckey, NULL, NULL, 0, NULL, NULL)) {

183 		log_warnx("PEM_write_ECPrivateKey failed");

184 		ssl_error("PEM_write_ECPrivateKey");

185 		goto done;

188 	/* Convert the EC key into a PKEY structure */

189 	if ((pkey = EVP_PKEY_new()) == NULL) {

190 		log_warnx("EVP_PKEY_new failed");

191 		ssl_error("EVP_PKEY_new");

192 		goto done;

194 	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {

195 		log_warnx("EVP_PKEY_set1_EC_KEY failed");

196 		ssl_error("EVP_PKEY_set1_EC_KEY");

197 		goto done;

200 	ret = 0;

201  done:

202 	if (ret == -1) {

203 		EVP_PKEY_free(pkey);

204 		pkey = NULL;

205 		log_warnx("WOOOPS");

207 	EC_KEY_free(eckey);

208 	return pkey;

211 void

212 gencert(const char *hostname, const char *certpath, const char *keypath,

213     int eckey)

215 	EVP_PKEY	*pkey;

216 	X509		*x509;

217 	X509_NAME	*name;

218 	FILE		*f;

219 	const unsigned char *host = (const unsigned char*)hostname;

221 	log_info("Generating new %s key for %s (it could take a while)",

222 	    eckey ? "EC" : "RSA", host);

224 	if ((f = fopen(keypath, "w")) == NULL) {

225 		log_warn("can't open %s", keypath);

226 		goto err;

228 	if (eckey)

229 		pkey = ec_key_create(f, keypath);

230 	else

231 		pkey = rsa_key_create(f, keypath);

232 	if (pkey == NULL) {

233 		log_warnx("failed to generate a private key");

234 		goto err;

236 	if (fflush(f) == EOF || fclose(f) == EOF) {

237 		log_warn("failed to flush or close the private key");

238 		goto err;

241 	if ((x509 = X509_new()) == NULL) {

242 		log_warnx("couldn't generate the X509 certificate");

243 		ssl_error("X509_new");

244 		goto err;

247 	ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);

248 	X509_gmtime_adj(X509_get_notBefore(x509), 0);

249 	X509_gmtime_adj(X509_get_notAfter(x509), 315360000L); /* 10 years */

250 	X509_set_version(x509, 2); // v3

252 	if (!X509_set_pubkey(x509, pkey)) {

253 		log_warnx("couldn't set the public key");

254 		ssl_error("X509_set_pubkey");

255 		goto err;

258 	if ((name = X509_NAME_new()) == NULL) {

259 		log_warnx("X509_NAME_new failed");

260 		ssl_error("X509_NAME_new");

261 		goto err;

264 	if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, host,

265 	    -1, -1, 0)) {

266 		log_warnx("couldn't add CN to cert");

267 		ssl_error("X509_NAME_add_entry_by_txt");

268 		goto err;

270 	X509_set_subject_name(x509, name);

271 	X509_set_issuer_name(x509, name);

273 	if (!X509_sign(x509, pkey, EVP_sha256())) {

274 		log_warnx("failed to sign the certificate");

275 		ssl_error("X509_sign");

276 		goto err;

279 	if ((f = fopen(certpath, "w")) == NULL) {

280 		log_warn("can't open %s", certpath);

281 		goto err;

283 	if (!PEM_write_X509(f, x509)) {

284 		log_warnx("couldn't write cert");

285 		ssl_error("PEM_write_X509");

286 		goto err;

288 	if (fflush(f) == EOF || fclose(f) == EOF) {

289 		log_warn("failed to flush or close the private key");

290 		goto err;

293 	X509_free(x509);

294 	EVP_PKEY_free(pkey);

295 	log_info("Certificate for %s successfully generated", host);

296 	return;

298  err:

299 	(void) unlink(certpath);

300 	(void) unlink(keypath);

301 	exit(1);

304 X509_STORE *

305 load_ca(uint8_t *d, size_t len)

307 	BIO		*in;

308 	X509		*x = NULL;

309 	X509_STORE	*store;

311 	if ((store = X509_STORE_new()) == NULL) {

312 		log_warnx("%s: X509_STORE_new failed", __func__);

313 		return NULL;

316 	if ((in = BIO_new_mem_buf(d, len)) == NULL) {

317 		log_warnx("%s: BIO_new_mem_buf failed", __func__);

318 		goto err;

321 	if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {

322 		log_warnx("%s: PEM_read_bio_X509 failed", __func__);

323 		ssl_error("PEM_read_bio_X509");

324 		goto err;

327 	if (X509_check_ca(x) == 0) {

328 		ssl_error("X509_check_ca");

329 		goto err;

332 	if (!X509_STORE_add_cert(store, x)) {

333 		ssl_error("X509_STORE_add_cert");

334 		goto err;

337 	X509_free(x);

338 	BIO_free(in);

339 	return store;

341 err:

342 	X509_STORE_free(store);

343 	if (x != NULL)

344 		X509_free(x);

345 	if (in != NULL)

346 		BIO_free(in);

347 	return NULL;

350 int

351 validate_against_ca(X509_STORE *ca, const uint8_t *chain, size_t len)

353 	X509		*client;

354 	BIO		*m;

355 	X509_STORE_CTX	*ctx = NULL;

356 	int		 ret = 0;

358 	if ((m = BIO_new_mem_buf(chain, len)) == NULL)

359 		return 0;

361 	if ((client = PEM_read_bio_X509(m, NULL, NULL, NULL)) == NULL)

362 		goto end;

364 	if ((ctx = X509_STORE_CTX_new()) == NULL)

365 		goto end;

367 	if (!X509_STORE_CTX_init(ctx, ca, client, NULL))

368 		goto end;

370 	ret = X509_verify_cert(ctx);

372 end:

373 	BIO_free(m);

374 	if (client != NULL)

375 		X509_free(client);

376 	if (ctx != NULL)

377 		X509_STORE_CTX_free(ctx);

378 	return ret;

381 void

382 ssl_error(const char *where)

384 	unsigned long	 code;

385 	char		 errbuf[128];

387 	while ((code = ERR_get_error()) != 0) {

388 		ERR_error_string_n(code, errbuf, sizeof(errbuf));

389 		log_debug("debug: SSL library error: %s: %s", where, errbuf);

393 char *

394 ssl_pubkey_hash(const uint8_t *buf, size_t len)

396 	static const char hex[] = "0123456789abcdef";

397 	BIO		*in;

398 	X509		*x509 = NULL;

399 	char		*hash = NULL;

400 	size_t		 off;

401 	unsigned char	 digest[EVP_MAX_MD_SIZE];

402 	unsigned int	 dlen, i;

404 	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {

405 		log_warnx("%s: BIO_new_mem_buf failed", __func__);

406 		return NULL;

409 	if ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {

410 		log_warnx("%s: PEM_read_bio_X509 failed", __func__);

411 		ssl_error("PEM_read_bio_X509");

412 		goto fail;

415 	if ((hash = malloc(TLS_CERT_HASH_SIZE)) == NULL) {

416 		log_warn("%s: malloc", __func__);

417 		goto fail;

420 	if (X509_pubkey_digest(x509, EVP_sha256(), digest, &dlen) != 1) {

421 		log_warnx("%s: X509_pubkey_digest failed", __func__);

422 		ssl_error("X509_pubkey_digest");

423 		free(hash);

424 		hash = NULL;

425 		goto fail;

428 	if (TLS_CERT_HASH_SIZE < 2 * dlen + sizeof("SHA256:"))

429 		fatalx("%s: hash buffer too small", __func__);

431 	off = strlcpy(hash, "SHA256:", TLS_CERT_HASH_SIZE);

432 	for (i = 0; i < dlen; ++i) {

433 		hash[off++] = hex[(digest[i] >> 4) & 0xf];

434 		hash[off++] = hex[digest[i] & 0xf];

436 	hash[off] = '\0';

438  fail:

439 	BIO_free(in);

440 	if (x509)

441 		X509_free(x509);

442 	return hash;

445 EVP_PKEY *

446 ssl_load_pkey(const uint8_t *buf, size_t len)

448 	BIO		*in;

449 	EVP_PKEY	*pkey;

451 	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {

452 		log_warnx("%s: BIO_new_mem_buf failed", __func__);

453 		return NULL;

456 	if ((pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)) == NULL) {

457 		log_warnx("%s: PEM_read_bio_PrivateKey failed", __func__);

458 		ssl_error("PEM_read_bio_PrivateKey");

461 	BIO_free(in);

462 	return pkey;

465 struct vhost *

466 new_vhost(void)

468 	struct vhost *h;

470 	h = xcalloc(1, sizeof(*h));

471 	TAILQ_INIT(&h->addrs);

472 	TAILQ_INIT(&h->locations);

473 	TAILQ_INIT(&h->aliases);

474 	TAILQ_INIT(&h->proxies);

475 	return h;

478 struct location *

479 new_location(void)

481 	struct location *l;

483 	l = xcalloc(1, sizeof(*l));

484 	l->dirfd = -1;

485 	l->fcgi = -1;

486 	TAILQ_INIT(&l->params);

487 	return l;

490 struct proxy *

491 new_proxy(void)

493 	struct proxy *p;

495 	p = xcalloc(1, sizeof(*p));

496 	p->protocols = TLS_PROTOCOLS_DEFAULT;

497 	return p;