author | Mikkel Krautz <mikkel@krautz.dk> | 2017-07-14 11:58:17 +0300 |
---|---|---|
committer | Mikkel Krautz <mikkel@krautz.dk> | 2017-07-14 11:58:17 +0300 |
commit | a69668aed1877a8851a28647f14c0679ae3f8682 (patch) | |
tree | da6a958b117196678d3508170141556e23c09c26 /src/murmur/Cert.cpp | |
parent | 49b80d86c5e3b801426b207b94c04bfbf11bed04 (diff) |
SelfSignedCertificate: new class for creation of self-signed certificates.
This moves the refactored certificate generation code from
src/murmur/Cert.cpp into its own file, src/SelfSignedCertificate.cpp.
Furthermore, the code is refactored to also be able to fulfil the duties
of Mumble's code for generating self-signed certificates.
The old code in both Mumble and Murmur is updated to call the new
SelfSignedCertificate methods for generating client and server
certificates.
This fixes the ability to build Mumble with OpenSSL 1.1.
(Previously, only Murmur could be built.)
Diffstat (limited to 'src/murmur/Cert.cpp')
-rw-r--r-- | src/murmur/Cert.cpp | 226 |
1 files changed, 2 insertions, 224 deletions
diff --git a/src/murmur/Cert.cpp b/src/murmur/Cert.cpp
index d860c1caa..167013627 100644
--- a/src/murmur/Cert.cpp
+++ b/src/murmur/Cert.cpp
@@ -7,229 +7,7 @@ #include "Meta.h" #include "Server.h" - -#define SSL_STRING(x) QString::fromLatin1(x).toUtf8().data() - -static int add_ext(X509 * crt, int nid, char *value) { - X509V3_CTX ctx; - X509V3_set_ctx_nodb(&ctx); - X509V3_set_ctx(&ctx, crt, crt, NULL, NULL, 0); - - X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value); - if (ex == NULL) { - return 0; - } - - if (X509_add_ext(crt, ex, -1) == 0) { - X509_EXTENSION_free(ex); - return 0; - } - - X509_EXTENSION_free(ex); - return 1; -} - -static bool selfSignedServerCert_SHA1_RSA_2048(QSslCertificate &qscCert, QSslKey &qskKey) { - bool ok = true; - X509 *x509 = NULL; - EVP_PKEY *pkey = NULL; - RSA *rsa = NULL; - BIGNUM *e = NULL; - X509_NAME *name = NULL; - ASN1_INTEGER *serialNumber = NULL; - ASN1_TIME *notBefore = NULL; - ASN1_TIME *notAfter = NULL; - unsigned char *commonName = NULL; - - if (CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) == -1) { - ok = false; - goto out; - } - - x509 = X509_new(); - if (x509 == NULL) { - ok = false; - goto out; - } - - pkey = EVP_PKEY_new(); - if (pkey == NULL) { - ok = false; - goto out; - } - - rsa = RSA_new(); - if (rsa == NULL) { - ok = false; - goto out; - } - - e = BN_new(); - if (e == NULL) { - ok = false; - goto out; - } - if (BN_set_word(e, 65537) == 0) { - ok = false; - goto out; - } - - if (RSA_generate_key_ex(rsa, 2048, e, NULL) == 0) { - ok = false; - goto out; - } - - if (EVP_PKEY_assign_RSA(pkey, rsa) == 0) { - ok = false; - goto out; - } - - if (X509_set_version(x509, 2) == 0) { - ok = false; - goto out; - } - - serialNumber = X509_get_serialNumber(x509); - if (serialNumber == NULL) { - ok = false; - goto out; - } - if (ASN1_INTEGER_set(serialNumber, 1) == 0) { - ok = false; - goto out; - } - - notBefore = X509_get_notBefore(x509); - if (notBefore == NULL) { - ok = false; - goto out; - } - if (X509_gmtime_adj(notBefore, 0) == NULL) { - ok = false; - goto out; - } - - notAfter = X509_get_notAfter(x509); - if (notAfter == NULL) { - ok = false; - goto out; 
- }
- if (X509_gmtime_adj(notAfter, 60*60*24*365*20) == NULL) {
- ok = false;
- goto out;
- }
-
- if (X509_set_pubkey(x509, pkey) == 0) {
- ok = false;
- goto out;
- }
-
- name = X509_get_subject_name(x509);
- if (name == NULL) {
- ok = false;
- goto out;
- }
-
- commonName = reinterpret_cast<unsigned char *>(const_cast<char *>("Murmur Autogenerated Certificate v2"));
- if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, commonName, -1, -1, 0) == 0) {
- ok = false;
- goto out;
- }
-
- if (X509_set_issuer_name(x509, name) == 0) {
- ok = false;
- goto out;
- }
-
- if (add_ext(x509, NID_basic_constraints, SSL_STRING("critical,CA:FALSE")) == 0) {
- ok = false;
- goto out;
- }
-
- if (add_ext(x509, NID_ext_key_usage, SSL_STRING("serverAuth,clientAuth")) == 0) {
- ok = false;
- goto out;
- }
-
- if (add_ext(x509, NID_subject_key_identifier, SSL_STRING("hash")) == 0) {
- ok = false;
- goto out;
- }
-
- if (add_ext(x509, NID_netscape_comment, SSL_STRING("Generated from murmur")) == 0) {
- ok = false;
- goto out;
- }
-
- if (X509_sign(x509, pkey, EVP_sha1()) == 0) {
- ok = false;
- goto out;
- }
-
- {
- QByteArray crt;
- int len = i2d_X509(x509, NULL);
- if (len <= 0) {
- ok = false;
- goto out;
- }
- crt.resize(len);
-
- unsigned char *dptr = reinterpret_cast<unsigned char *>(crt.data());
- if (i2d_X509(x509, &dptr) != len) {
- ok = false;
- goto out;
- }
-
- qscCert = QSslCertificate(crt, QSsl::Der);
- if (qscCert.isNull()) {
- ok = false;
- }
- }
-
- {
- QByteArray key;
- int len = i2d_PrivateKey(pkey, NULL);
- if (len <= 0) {
- ok = false;
- goto out;
- }
- key.resize(len);
-
- unsigned char *dptr = reinterpret_cast<unsigned char *>(key.data());
- if (i2d_PrivateKey(pkey, &dptr) != len) {
- ok = false;
- goto out;
- }
-
- qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der);
- if (qskKey.isNull()) {
- ok = false;
- }
- }
-
-out:
- if (e) {
- BN_free(e);
- }
- // We only need to free the pkey pointer,
- // not the RSA pointer. 
We have assigned - // our RSA key to pkey, and it will be freed - // once we free pkey. - if (pkey) { - EVP_PKEY_free(pkey); - } - if (x509) { - X509_free(x509); - } - - if (!ok) { - qscCert = QSslCertificate(); - qskKey = QSslKey(); - } - - return ok; -} +#include "SelfSignedCertificate.h" #if defined(USE_QSSLDIFFIEHELLMANPARAMETERS) static BN_GENCB *mumble_BN_GENCB_new() { @@ -415,7 +193,7 @@ void Server::initializeCert() { if (qscCert.isNull() || qskKey.isNull()) { log("Generating new server certificate."); - if (!selfSignedServerCert_SHA1_RSA_2048(qscCert, qskKey)) { + if (!SelfSignedCertificate::generateMurmurV2Certificate(qscCert, qskKey)) { log("Certificate or key generation failed"); } |
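Review bot: The failure branch of the new `SelfSignedCertificate::generateMurmurV2Certificate` call only logs and falls through, so `initializeCert` continues with whatever the callee left in `qscCert` and `qskKey`. The deleted `selfSignedServerCert_SHA1_RSA_2048` explicitly reset both to null on failure (`if (!ok) { qscCert = QSslCertificate(); qskKey = QSslKey(); }`), and whether the replacement in SelfSignedCertificate.cpp keeps that guarantee is not visible in this diff; if it does not, the TLS setup that follows could be handed a half-built certificate or key. Either confirm it there or reset both right after the log line, `qscCert = QSslCertificate(); qskKey = QSslKey();`, so the rest of the function sees the same state the old path guaranteed. The deleted generator also signed with `EVP_sha1()` and used a fixed serial number of 1; since those parameters now live outside this file, this move is a good place to track replacing the SHA-1 signature with a current digest. `Server::initializeCert` starts and ends outside the hunk.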