diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2016-11-25 21:16:58 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2016-11-25 21:16:58 +0000 |
| commit | cb31c5e82982447c5036ace732feac15b8042eac (patch) | |
| tree | df6700c5747d4e29682dd02e8927a551ef81fcce /src/sbearssl | |
| parent | a6b3bddb41db1771ac9190a77caac1c7217e7e4b (diff) | |
| download | s6-networking-cb31c5e82982447c5036ace732feac15b8042eac.tar.xz | |
Add EC certificate issuer key type detection for sbearssl
Diffstat (limited to 'src/sbearssl')
| -rw-r--r-- | src/sbearssl/deps-lib/sbearssl | 1 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_ec_issuer_keytype.c | 40 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_s6tlsd.c | 13 |
3 files changed, 53 insertions, 1 deletions
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index bace1a7..0b7b02f 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -2,6 +2,7 @@ sbearssl_append.o sbearssl_cert_from.o sbearssl_cert_readfile.o sbearssl_cert_to.o +sbearssl_ec_issuer_keytype.o sbearssl_ec_pkey_from.o sbearssl_ec_pkey_to.o sbearssl_ec_skey_from.o diff --git a/src/sbearssl/sbearssl_ec_issuer_keytype.c b/src/sbearssl/sbearssl_ec_issuer_keytype.c new file mode 100644 index 0000000..2958e8d --- /dev/null +++ b/src/sbearssl/sbearssl_ec_issuer_keytype.c @@ -0,0 +1,40 @@ +/* ISC license. */ + +#include <sys/types.h> +#include <errno.h> +#include <bearssl.h> +#include <skalibs/stralloc.h> +#include <s6-networking/sbearssl.h> +#include "sbearssl-internal.h" + +int sbearssl_ec_issuer_keytype (int *kt, br_x509_certificate const *cert) +{ + br_x509_decoder_context ctx ; + stralloc sa = STRALLOC_ZERO ; + struct sbearssl_strallocerr_s blah = { .sa = &sa } ; + int r = -1 ; + + br_x509_decoder_init(&ctx, &sbearssl_append, &blah) ; + br_x509_decoder_push(&ctx, cert->data, cert->data_len) ; + if (blah.err) + { + errno = blah.err ; + goto fail ; + } + r = br_x509_decoder_last_error(&ctx) ; + if (r) goto fail ; + r = br_x509_decoder_get_signer_key_type(&ctx) ; + if (!r) + { + r = -2 ; + goto fail ; + } + + stralloc_free(&sa) ; + *kt = r ; + return 0 ; + + fail: + stralloc_free(&sa) ; + return r ; +} diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c index 1198349..35dd18a 100644 --- a/src/sbearssl/sbearssl_s6tlsd.c +++ b/src/sbearssl/sbearssl_s6tlsd.c @@ -66,9 +66,20 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ; break ; case BR_KEYTYPE_EC : + { + int kt, r ; sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ; - br_ssl_server_init_full_ec(&sc, chain, chainlen, BR_KEYTYPE_EC, &key.ec) ; + r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ; + switch (r) + { + case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ; + case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ; + case 0 : break ; + default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ; + } + br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ; break ; + } default : strerr_dief1x(96, "unsupported private key type") ; } |