« back to all changes in this revision
Viewing changes to hipd/pisa_community_operator.c
- browse files at revision 6020
- compare with another revision
- download diff
- download tarball
- view history from revision 6020
- Committer: Henrik Ziegeldorf
- Date: 2011-11-15 08:47:07 UTC
- Revision ID: henrik.ziegeldorf@rwth-aachen.de-20111115084707-nfkgp8k1m2vemse8
Applied patch by Christoph Viethen.
added
removed
hipd/pisa_community_operator.c
52
52
#include "lib/core/common.h"
53
53
#include "lib/core/crypto.h"
54
54
#include "lib/core/debug.h"
55
#include "lib/core/hit.h"
55
56
#include "lib/core/ife.h"
56
57
#include "lib/core/protodefs.h"
57
58
#include "lib/core/straddr.h"
648
649
*/
649
650
int hip_cert_x509v3_handle_request_to_sign(struct hip_common *msg)
650
651
{
651
int err = 0, i = 0, nid = 0, ret = 0, secs = 0, algo = 0;
652
CONF *conf;
652
int err = 0, i = 0, ret = 0, secs = 0, algo = 0;
653
CONF *conf = NULL;
653
654
CONF_VALUE *item;
654
STACK_OF(CONF_VALUE) * sec_general = NULL;
655
STACK_OF(CONF_VALUE) * sec_name = NULL;
656
STACK_OF(CONF_VALUE) * sec_ext = NULL;
655
STACK_OF(CONF_VALUE) *sec_general = NULL;
656
STACK_OF(CONF_VALUE) *sec_name = NULL;
657
STACK_OF(CONF_VALUE) *sec_ext = NULL;
657
658
658
X509_NAME *issuer = NULL;
659
X509_NAME *subj = NULL;
660
X509_EXTENSION *ext = NULL;
661
STACK_OF(X509_EXTENSION) * extlist = NULL;
662
X509_NAME_ENTRY *ent;
663
EVP_PKEY *pkey;
659
X509_NAME *issuer = NULL;
660
X509_NAME *subj = NULL;
661
X509_EXTENSION *ext = NULL;
662
STACK_OF(X509_EXTENSION) *extlist = NULL;
663
X509_NAME_ENTRY *ent = NULL;
664
EVP_PKEY *pkey = NULL;
664
665
/** XX TODO THIS should come from a configuration file
665
666
* monotonically increasing counter */
666
667
long serial = 0;
668
669
X509 *cert;
669
670
X509V3_CTX ctx;
670
671
const struct hip_cert_x509_req *subject;
671
char subject_hit[41];
672
char issuer_hit[41];
673
char ialtname[45];
674
char saltname[45];
675
struct in6_addr *issuer_hit_n;
676
struct hip_host_id *host_id;
672
char subject_hit[INET6_ADDRSTRLEN];
673
char issuer_hit[INET6_ADDRSTRLEN];
674
char ialtname[INET6_ADDRSTRLEN + 3];
675
char saltname[INET6_ADDRSTRLEN + 3];
676
hip_hit_t *issuer_hit_n = NULL;
677
struct hip_host_id *host_id = NULL;
677
678
RSA *rsa = NULL;
678
679
DSA *dsa = NULL;
679
680
unsigned char *der_cert = NULL;
680
681
int der_cert_len = 0;
681
682
char arg1[21];
682
683
char arg2[21];
683
684
HIP_IFEL(!(issuer_hit_n = malloc(sizeof(struct in6_addr))), -1,
684
const struct hip_tlv_common *validity_param = NULL;
685
time_t expiry_time = 0;
686
687
688
HIP_IFEL(!(issuer_hit_n = malloc(sizeof(hip_hit_t))), -1,
685
689
"Malloc for subject failed\n");
686
690
HIP_IFEL(!(pkey = malloc(sizeof(EVP_PKEY))), -1,
687
691
"Malloc for pkey failed\n");
688
692
689
OpenSSL_add_all_algorithms();
693
// OpenSSL_add_all_algorithms();
690
694
ERR_load_crypto_strings();
691
695
692
696
HIP_DEBUG("Reading configuration file (%s)\n", HIP_CERT_CONF_PATH);
694
698
sec_general = hip_cert_read_conf_section("hip_x509v3", conf);
695
699
sec_name = hip_cert_read_conf_section("hip_x509v3_name", conf);
696
700
sec_ext = hip_cert_read_conf_section("hip_x509v3_extensions", conf);
697
NCONF_free(conf);
698
701
699
/* Get the general information */
702
/* Fail if the hip_x509v3 or hip_x509v3_name sections are not found */
700
703
HIP_IFEL(sec_general == NULL, -1,
701
704
"Failed to load general certificate information\n");
702
705
704
707
"Failed to load issuer naming information for the certificate\n");
705
708
706
709
/* Issuer naming */
707
if (sec_general != NULL) {
708
/* Loop through the conf stack for general information */
709
extlist = sk_X509_EXTENSION_new_null();
710
for (i = 0; i < sk_CONF_VALUE_num(sec_general); i++) {
711
item = sk_CONF_VALUE_value(sec_general, i);
712
if (!strcmp(item->name, "issuerhit")) {
713
strcpy(issuer_hit, item->value);
714
ret = inet_pton(AF_INET6, item->value, issuer_hit_n);
715
HIP_IFEL(ret < 0 && errno == EAFNOSUPPORT, -1,
716
"Failed to convert issuer HIT to hip_hit_t\n");
717
HIP_DEBUG_HIT("Issuer HIT", issuer_hit_n);
718
HIP_IFEL(!inet_ntop(AF_INET6, issuer_hit_n,
719
issuer_hit, sizeof(issuer_hit)),
720
-1, "Failed to convert subject hit to "
721
"presentation format\n");
722
}
723
if (!strcmp(item->name, "days")) {
724
secs = HIP_CERT_DAY * atoi(item->value);
725
}
710
/* Loop through the conf stack for general information */
711
for (i = 0; i < sk_CONF_VALUE_num(sec_general); i++) {
712
item = sk_CONF_VALUE_value(sec_general, i);
713
if (!strcmp(item->name, "issuerhit")) {
714
ret = inet_pton(AF_INET6, item->value, issuer_hit_n);
715
HIP_IFEL(ret != 1, -1,
716
"Failed to convert issuer HIT to hip_hit_t\n");
717
HIP_DEBUG_HIT("Issuer HIT", issuer_hit_n);
718
hip_convert_hit_to_str(issuer_hit_n, NULL, issuer_hit);
719
}
720
if (!strcmp(item->name, "days")) {
721
secs = HIP_CERT_DAY * atoi(item->value);
726
722
}
727
723
}
728
HIP_IFEL(!(issuer = X509_NAME_new()), -1, "Failed to set create issuer name");
729
nid = OBJ_txt2nid("commonName");
730
HIP_IFEL(nid == NID_undef, -1, "NID text not defined\n");
731
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC,
724
725
HIP_IFEL(!(issuer = X509_NAME_new()), -1, "Failed to create issuer name");
726
727
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName, MBSTRING_ASC,
732
728
(unsigned char *) issuer_hit, -1)), -1,
733
729
"Failed to create name entry for issuer\n");
734
730
HIP_IFEL(X509_NAME_add_entry(issuer, ent, -1, 0) != 1, -1,
735
731
"Failed to add entry to issuer name\n");
736
732
733
X509_NAME_ENTRY_free(ent); /* "ent" var will be re-used */
734
ent = NULL;
735
737
736
/* Subject naming */
738
737
/* Get the subject hit from msg */
739
738
HIP_IFEL(!(subject = hip_get_param(msg, HIP_PARAM_CERT_X509_REQ)),
740
-1, "No cert_info struct found\n");
739
-1, "No cert_x509_req struct found\n");
741
740
HIP_IFEL(!ipv6_addr_is_hit(&subject->addr),
742
741
-1, "Address in certificate request is no HIT.\n");
743
HIP_IFEL(!inet_ntop(AF_INET6, &subject->addr, subject_hit, sizeof(subject_hit)),
744
-1, "Failed to convert subject hit to presentation format\n");
745
HIP_IFEL(!(subj = X509_NAME_new()), -1, "Failed to set create subject name");
746
nid = OBJ_txt2nid("commonName");
747
HIP_IFEL(nid == NID_undef, -1, "NID text not defined\n");
748
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC,
742
HIP_DEBUG_HIT("Subject HIT", &subject->addr);
743
hip_convert_hit_to_str(&subject->addr, NULL, subject_hit);
744
745
HIP_IFEL(!(subj = X509_NAME_new()), -1, "Failed to create subject name");
746
747
HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName, MBSTRING_ASC,
749
748
(unsigned char *) subject_hit, -1)), -1,
750
749
"Failed to create name entry for subject\n");
751
750
HIP_IFEL(X509_NAME_add_entry(subj, ent, -1, 0) != 1, -1,
752
751
"Failed to add entry to subject name\n");
753
752
753
/* were we sent a timestamp which indicates a requested cert validity? */
754
validity_param = hip_get_param(msg, HIP_PARAM_UINT);
755
756
if (validity_param) {
757
const uint32_t valid_until_n = *(const uint32_t *) hip_get_param_contents_direct(validity_param);
758
const uint32_t valid_until_h = ntohl(valid_until_n);
759
760
/* if time_t is only 32 bits wide and signed, we cannot
761
* copy a value of valid_until_h which has its MSB set since
762
* it would be misunderstood as being negative; so, only
763
* take over the value if this is not the case */
764
if (!(sizeof(time_t) == 4 && ((time_t) -1 < 0) &&
765
(0x80000000 & valid_until_h))) {
766
expiry_time = valid_until_h;
767
} else {
768
HIP_OUT_ERR(-1, "Received invalid timestamp parameter.\n");
769
}
770
}
771
754
772
/* XX TODO add a check to skip subjectAltName and issuerAltName because they are
755
773
* already in use by with IP:<hit> stuff */
756
774
if (sec_ext != NULL) {
780
798
"Failed to set subject name of certificate\n");
781
799
HIP_IFEL(X509_set_issuer_name(cert, issuer) != 1, -1,
782
800
"Failed to set issuer name of certificate\n");
783
HIP_IFEL(!X509_gmtime_adj(X509_get_notBefore(cert), 0), -1,
784
"Error setting beginning time of the certificate");
785
HIP_IFEL(!X509_gmtime_adj(X509_get_notAfter(cert), secs), -1,
786
"Error setting ending time of the certificate");
801
802
X509_get_notBefore(cert)->type = V_ASN1_GENERALIZEDTIME;
803
X509_get_notAfter(cert)->type = V_ASN1_GENERALIZEDTIME;
804
805
{
806
const time_t now = time(NULL);
807
time_t starttime = 0;
808
time_t endtime = 0;
809
time_t *starttime_p = NULL;
810
time_t *endtime_p = NULL;
811
812
if (expiry_time) {
813
/* a specific expiry time is demanded by the caller */
814
if (now < expiry_time) {
815
/* just set it up as wanted */
816
starttime = now;
817
endtime = expiry_time;
818
} else {
819
/* just make the start time be one second before
820
* the expiry time; this yields a - syntactically -
821
* valid certificate; it's not our task to second-guess the
822
* motives for requesting an expiry time from the past */
823
if (expiry_time == 1) {
824
expiry_time++; /* another pathological case */
825
}
826
starttime = expiry_time - 1;
827
endtime = expiry_time;
828
}
829
830
starttime_p = &starttime;
831
endtime_p = &endtime;
832
secs = 0;
833
} else {
834
starttime_p = NULL;
835
endtime_p = NULL;
836
}
837
838
HIP_IFEL(!X509_time_adj(X509_get_notBefore(cert), 0, starttime_p), -1,
839
"Error setting beginning time of the certificate");
840
HIP_IFEL(!X509_time_adj(X509_get_notAfter(cert), secs, endtime_p), -1,
841
"Error setting ending time of the certificate");
842
}
787
843
788
844
HIP_DEBUG("Getting the key\n");
789
845
917
973
out_err:
918
974
free(host_id);
919
975
sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
976
X509_NAME_ENTRY_free(ent);
977
X509_NAME_free(subj);
978
X509_NAME_free(issuer);
979
NCONF_free(conf);
980
ERR_free_strings();
981
free(pkey);
982
free(issuer_hit_n);
920
983
return err;
921
984
}
922
985
957
1020
der_cert = (unsigned char *) &p->der;
958
1021
959
1022
vessel = p->der;
960
HIP_IFEL((cert = d2i_X509(NULL, &vessel, verify.der_len)) == NULL, -1,
1023
HIP_IFEL((cert = d2i_X509(NULL, &vessel, ntohl(verify.der_len))) == NULL, -1,
961
1024
"Failed to convert cert from DER to internal format\n");
962
1025
/*
963
1026
* HIP_IFEL(!X509_print_fp(stdout, cert), -1,
Loggerhead is a web-based interface for Breezy
Version: 2.0.1