649
650
int hip_cert_x509v3_handle_request_to_sign(struct hip_common *msg)
651
int err = 0, i = 0, nid = 0, ret = 0, secs = 0, algo = 0;
652
int err = 0, i = 0, ret = 0, secs = 0, algo = 0;
653
654
CONF_VALUE *item;
654
STACK_OF(CONF_VALUE) * sec_general = NULL;
655
STACK_OF(CONF_VALUE) * sec_name = NULL;
656
STACK_OF(CONF_VALUE) * sec_ext = NULL;
655
STACK_OF(CONF_VALUE) *sec_general = NULL;
656
STACK_OF(CONF_VALUE) *sec_name = NULL;
657
STACK_OF(CONF_VALUE) *sec_ext = NULL;
658
X509_NAME *issuer = NULL;
659
X509_NAME *subj = NULL;
660
X509_EXTENSION *ext = NULL;
661
STACK_OF(X509_EXTENSION) * extlist = NULL;
662
X509_NAME_ENTRY *ent;
659
X509_NAME *issuer = NULL;
660
X509_NAME *subj = NULL;
661
X509_EXTENSION *ext = NULL;
662
STACK_OF(X509_EXTENSION) *extlist = NULL;
663
X509_NAME_ENTRY *ent = NULL;
664
EVP_PKEY *pkey = NULL;
664
665
/** XX TODO THIS should come from a configuration file
665
666
* monotonically increasing counter */
670
671
const struct hip_cert_x509_req *subject;
671
char subject_hit[41];
675
struct in6_addr *issuer_hit_n;
676
struct hip_host_id *host_id;
672
char subject_hit[INET6_ADDRSTRLEN];
673
char issuer_hit[INET6_ADDRSTRLEN];
674
char ialtname[INET6_ADDRSTRLEN + 3];
675
char saltname[INET6_ADDRSTRLEN + 3];
676
hip_hit_t *issuer_hit_n = NULL;
677
struct hip_host_id *host_id = NULL;
679
680
unsigned char *der_cert = NULL;
680
681
int der_cert_len = 0;
684
HIP_IFEL(!(issuer_hit_n = malloc(sizeof(struct in6_addr))), -1,
684
const struct hip_tlv_common *validity_param = NULL;
685
time_t expiry_time = 0;
688
HIP_IFEL(!(issuer_hit_n = malloc(sizeof(hip_hit_t))), -1,
685
689
"Malloc for subject failed\n");
686
690
HIP_IFEL(!(pkey = malloc(sizeof(EVP_PKEY))), -1,
687
691
"Malloc for pkey failed\n");
689
OpenSSL_add_all_algorithms();
693
// OpenSSL_add_all_algorithms();
690
694
ERR_load_crypto_strings();
692
696
HIP_DEBUG("Reading configuration file (%s)\n", HIP_CERT_CONF_PATH);
704
707
"Failed to load issuer naming information for the certificate\n");
706
709
/* Issuer naming */
707
if (sec_general != NULL) {
708
/* Loop through the conf stack for general information */
709
extlist = sk_X509_EXTENSION_new_null();
710
for (i = 0; i < sk_CONF_VALUE_num(sec_general); i++) {
711
item = sk_CONF_VALUE_value(sec_general, i);
712
if (!strcmp(item->name, "issuerhit")) {
713
strcpy(issuer_hit, item->value);
714
ret = inet_pton(AF_INET6, item->value, issuer_hit_n);
715
HIP_IFEL(ret < 0 && errno == EAFNOSUPPORT, -1,
716
"Failed to convert issuer HIT to hip_hit_t\n");
717
HIP_DEBUG_HIT("Issuer HIT", issuer_hit_n);
718
HIP_IFEL(!inet_ntop(AF_INET6, issuer_hit_n,
719
issuer_hit, sizeof(issuer_hit)),
720
-1, "Failed to convert subject hit to "
721
"presentation format\n");
723
if (!strcmp(item->name, "days")) {
724
secs = HIP_CERT_DAY * atoi(item->value);
710
/* Loop through the conf stack for general information */
711
for (i = 0; i < sk_CONF_VALUE_num(sec_general); i++) {
712
item = sk_CONF_VALUE_value(sec_general, i);
713
if (!strcmp(item->name, "issuerhit")) {
714
ret = inet_pton(AF_INET6, item->value, issuer_hit_n);
715
HIP_IFEL(ret != 1, -1,
716
"Failed to convert issuer HIT to hip_hit_t\n");
717
HIP_DEBUG_HIT("Issuer HIT", issuer_hit_n);
718
hip_convert_hit_to_str(issuer_hit_n, NULL, issuer_hit);
720
if (!strcmp(item->name, "days")) {
721
secs = HIP_CERT_DAY * atoi(item->value);
728
HIP_IFEL(!(issuer = X509_NAME_new()), -1, "Failed to set create issuer name");
729
nid = OBJ_txt2nid("commonName");
730
HIP_IFEL(nid == NID_undef, -1, "NID text not defined\n");
731
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC,
725
HIP_IFEL(!(issuer = X509_NAME_new()), -1, "Failed to create issuer name");
727
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName, MBSTRING_ASC,
732
728
(unsigned char *) issuer_hit, -1)), -1,
733
729
"Failed to create name entry for issuer\n");
734
730
HIP_IFEL(X509_NAME_add_entry(issuer, ent, -1, 0) != 1, -1,
735
731
"Failed to add entry to issuer name\n");
733
X509_NAME_ENTRY_free(ent); /* "ent" var will be re-used */
737
736
/* Subject naming */
738
737
/* Get the subject hit from msg */
739
738
HIP_IFEL(!(subject = hip_get_param(msg, HIP_PARAM_CERT_X509_REQ)),
740
-1, "No cert_info struct found\n");
739
-1, "No cert_x509_req struct found\n");
741
740
HIP_IFEL(!ipv6_addr_is_hit(&subject->addr),
742
741
-1, "Address in certificate request is no HIT.\n");
743
HIP_IFEL(!inet_ntop(AF_INET6, &subject->addr, subject_hit, sizeof(subject_hit)),
744
-1, "Failed to convert subject hit to presentation format\n");
745
HIP_IFEL(!(subj = X509_NAME_new()), -1, "Failed to set create subject name");
746
nid = OBJ_txt2nid("commonName");
747
HIP_IFEL(nid == NID_undef, -1, "NID text not defined\n");
748
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC,
742
HIP_DEBUG_HIT("Subject HIT", &subject->addr);
743
hip_convert_hit_to_str(&subject->addr, NULL, subject_hit);
745
HIP_IFEL(!(subj = X509_NAME_new()), -1, "Failed to create subject name");
747
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName, MBSTRING_ASC,
749
748
(unsigned char *) subject_hit, -1)), -1,
750
749
"Failed to create name entry for subject\n");
751
750
HIP_IFEL(X509_NAME_add_entry(subj, ent, -1, 0) != 1, -1,
752
751
"Failed to add entry to subject name\n");
753
/* were we sent a timestamp which indicates a requested cert validity? */
754
validity_param = hip_get_param(msg, HIP_PARAM_UINT);
756
if (validity_param) {
757
const uint32_t valid_until_n = *(const uint32_t *) hip_get_param_contents_direct(validity_param);
758
const uint32_t valid_until_h = ntohl(valid_until_n);
760
/* if time_t is only 32 bits wide and signed, we cannot
761
* copy a value of valid_until_h which has its MSB set since
762
* it would be misunderstood as being negative; so, only
763
* take over the value if this is not the case */
764
if (!(sizeof(time_t) == 4 && ((time_t) -1 < 0) &&
765
(0x80000000 & valid_until_h))) {
766
expiry_time = valid_until_h;
768
HIP_OUT_ERR(-1, "Received invalid timestamp parameter.\n");
754
772
/* XX TODO add a check to skip subjectAltName and issuerAltName because they are
755
773
* already in use by with IP:<hit> stuff */
756
774
if (sec_ext != NULL) {
780
798
"Failed to set subject name of certificate\n");
781
799
HIP_IFEL(X509_set_issuer_name(cert, issuer) != 1, -1,
782
800
"Failed to set issuer name of certificate\n");
783
HIP_IFEL(!X509_gmtime_adj(X509_get_notBefore(cert), 0), -1,
784
"Error setting beginning time of the certificate");
785
HIP_IFEL(!X509_gmtime_adj(X509_get_notAfter(cert), secs), -1,
786
"Error setting ending time of the certificate");
802
X509_get_notBefore(cert)->type = V_ASN1_GENERALIZEDTIME;
803
X509_get_notAfter(cert)->type = V_ASN1_GENERALIZEDTIME;
806
const time_t now = time(NULL);
807
time_t starttime = 0;
809
time_t *starttime_p = NULL;
810
time_t *endtime_p = NULL;
813
/* a specific expiry time is demanded by the caller */
814
if (now < expiry_time) {
815
/* just set it up as wanted */
817
endtime = expiry_time;
819
/* just make the start time be one second before
820
* the expiry time; this yields a - syntactically -
821
* valid certificate; it's not our task to second-guess the
822
* motives for requesting an expiry time from the past */
823
if (expiry_time == 1) {
824
expiry_time++; /* another pathological case */
826
starttime = expiry_time - 1;
827
endtime = expiry_time;
830
starttime_p = &starttime;
831
endtime_p = &endtime;
838
HIP_IFEL(!X509_time_adj(X509_get_notBefore(cert), 0, starttime_p), -1,
839
"Error setting beginning time of the certificate");
840
HIP_IFEL(!X509_time_adj(X509_get_notAfter(cert), secs, endtime_p), -1,
841
"Error setting ending time of the certificate");
788
844
HIP_DEBUG("Getting the key\n");