authorLaurent Bercot <ska-skaware@skarnet.org>2016-11-25 21:16:58 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2016-11-25 21:16:58 +0000
commitcb31c5e82982447c5036ace732feac15b8042eac (patch)
treedf6700c5747d4e29682dd02e8927a551ef81fcce /src/sbearssl
parenta6b3bddb41db1771ac9190a77caac1c7217e7e4b (diff)
Add EC certificate issuer key type detection for sbearssl
Diffstat (limited to 'src/sbearssl')
-rw-r--r--src/sbearssl/deps-lib/sbearssl1
-rw-r--r--src/sbearssl/sbearssl_ec_issuer_keytype.c40
-rw-r--r--src/sbearssl/sbearssl_s6tlsd.c13
3 files changed, 53 insertions, 1 deletions
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index bace1a7..0b7b02f 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -2,6 +2,7 @@ sbearssl_append.o
sbearssl_cert_from.o
sbearssl_cert_readfile.o
sbearssl_cert_to.o
+sbearssl_ec_issuer_keytype.o
sbearssl_ec_pkey_from.o
sbearssl_ec_pkey_to.o
sbearssl_ec_skey_from.o
diff --git a/src/sbearssl/sbearssl_ec_issuer_keytype.c b/src/sbearssl/sbearssl_ec_issuer_keytype.c
new file mode 100644
index 0000000..2958e8d
--- /dev/null
+++ b/src/sbearssl/sbearssl_ec_issuer_keytype.c
@@ -0,0 +1,40 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <bearssl.h>
+#include <skalibs/stralloc.h>
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+int sbearssl_ec_issuer_keytype (int *kt, br_x509_certificate const *cert)
+{
+ br_x509_decoder_context ctx ;
+ stralloc sa = STRALLOC_ZERO ;
+ struct sbearssl_strallocerr_s blah = { .sa = &sa } ;
+ int r = -1 ;
+
+ br_x509_decoder_init(&ctx, &sbearssl_append, &blah) ;
+ br_x509_decoder_push(&ctx, cert->data, cert->data_len) ;
+ if (blah.err)
+ {
+ errno = blah.err ;
+ goto fail ;
+ }
+ r = br_x509_decoder_last_error(&ctx) ;
+ if (r) goto fail ;
+ r = br_x509_decoder_get_signer_key_type(&ctx) ;
+ if (!r)
+ {
+ r = -2 ;
+ goto fail ;
+ }
+
+ stralloc_free(&sa) ;
+ *kt = r ;
+ return 0 ;
+
+ fail:
+ stralloc_free(&sa) ;
+ return r ;
+}
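Review bot: The success path treats "no error reported" as "certificate fully decoded", but `br_x509_decoder_last_error` only surfaces an error the decoder has already hit; on a truncated `cert->data` the BearSSL decoder (as far as I recall) simply stops waiting for more bytes with err still 0, so this function either returns -2 or, if the signature-algorithm OID had already been read, hands back a key type for a certificate the TLS engine will then serve as-is. BearSSL's documented completeness test is `br_x509_decoder_get_pkey`, which returns NULL unless decoding finished without error, so after the `last_error` check add `if (!br_x509_decoder_get_pkey(&ctx)) { r = BR_ERR_X509_TRUNCATED ; goto fail ; }` (or whichever BR_ERR_X509_* value the project prefers to surface). The file should also state the return convention the caller in sbearssl_s6tlsd.c depends on, e.g. above the function: `/* Returns 0 and sets *kt; -1 with errno set (allocation failure); -2 if the signer algorithm is not recognized; >0 is a BearSSL X.509 error code. *kt is untouched on failure. */`.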
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 1198349..35dd18a 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -66,9 +66,20 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
break ;
case BR_KEYTYPE_EC :
+ {
+ int kt, r ;
sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
- br_ssl_server_init_full_ec(&sc, chain, chainlen, BR_KEYTYPE_EC, &key.ec) ;
+ r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
+ switch (r)
+ {
+ case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
+ case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
+ case 0 : break ;
+ default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+ }
+ br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
break ;
+ }
default :
strerr_dief1x(96, "unsupported private key type") ;
}
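Review bot: The new call passes `&chain[0]` with no visible guarantee that `chainlen` is non-zero; if the certificate reader earlier in sbearssl_s6tlsd (outside this hunk) can yield an empty chain, this is an out-of-bounds read before BearSSL ever sees the chain. If that reader already rejects an empty chain, a one-line comment saying so at the call site is enough; otherwise add `if (!chainlen) strerr_dief1x(96, "empty certificate chain") ;` before `r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;`. As I read BearSSL's full-EC profile, the issuer key type only governs which static ECDH_RSA/ECDH_ECDSA suites may be offered, so failing hard on an unrecognized value (the -2 case) rather than guessing is the right choice, and worth a short comment since the previous hard-coded BR_KEYTYPE_EC silently mis-described RSA-issued certificates. The enclosing sbearssl_s6tlsd body continues on both sides of the hunk.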