Diffstat (limited to 'src')
-rw-r--r--src/include/s6-networking/sbearssl.h32
-rw-r--r--src/sbearssl/deps-lib/sbearssl1
-rw-r--r--src/sbearssl/sbearssl_ec_issuer_keytype.c40
-rw-r--r--src/sbearssl/sbearssl_s6tlsd.c13
4 files changed, 69 insertions, 17 deletions
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 4589822..d8f9021 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -25,6 +25,21 @@
extern int sbearssl_isder (unsigned char const *, size_t) ;
+ /* Certificates (x509-encoded) */
+
+typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ;
+struct sbearssl_cert_s
+{
+ size_t data ;
+ size_t datalen ;
+} ;
+
+extern int sbearssl_cert_from (sbearssl_cert *, br_x509_certificate const *, stralloc *) ;
+extern void sbearssl_cert_to (sbearssl_cert const *, br_x509_certificate *, char *) ;
+
+extern int sbearssl_cert_readfile (char const *, genalloc *, stralloc *) ;
+
+
/* Private keys */
typedef struct sbearssl_rsa_skey_s sbearssl_rsa_skey, *sbearssl_rsa_skey_ref ;
@@ -57,7 +72,7 @@ struct sbearssl_ec_skey_s
extern int sbearssl_ec_skey_from (sbearssl_ec_skey *, br_ec_private_key const *, stralloc *) ;
extern void sbearssl_ec_skey_to (sbearssl_ec_skey const *, br_ec_private_key *, char *) ;
-
+extern int sbearssl_ec_issuer_keytype (int *, br_x509_certificate const *) ;
union sbearssl_skey_u
{
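Review bot: The new `sbearssl_ec_issuer_keytype` prototype carries no description of its return convention, which is the one thing a caller needs: the implementation in this commit returns 0 and fills `*kt`, -1 with errno set when the decoder's append callback reports an error, -2 when the decoder cannot identify the signer key type, and a positive BearSSL X.509 error code otherwise, and `*kt` is written only on success. A three-line comment above the declaration would capture that: `/* Stores in *kt the key type (BR_KEYTYPE_*) of the key that signed cert. Returns 0 on success,`, `   -1 with errno set (append callback failure), -2 if the signer key type is not recognized,`, `   or a positive BearSSL X.509 decoder error code. *kt is written only on success. */`. It is also worth noting, either in the name or the comment, that the function decodes any X.509 certificate and is not specific to EC keys despite sitting in the EC private-key section.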
@@ -135,21 +150,6 @@ extern int sbearssl_pkey_from (sbearssl_pkey *, br_x509_pkey const *, stralloc *
extern int sbearssl_pkey_to (sbearssl_pkey const *, br_x509_pkey *, char *) ;
- /* Certificates (x509-encoded) */
-
-typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ;
-struct sbearssl_cert_s
-{
- size_t data ;
- size_t datalen ;
-} ;
-
-extern int sbearssl_cert_from (sbearssl_cert *, br_x509_certificate const *, stralloc *) ;
-extern void sbearssl_cert_to (sbearssl_cert const *, br_x509_certificate *, char *) ;
-
-extern int sbearssl_cert_readfile (char const *, genalloc *, stralloc *) ;
-
-
/* Generic PEM */
typedef struct sbearssl_pemobject_s sbearssl_pemobject, *sbearssl_pemobject_ref ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index bace1a7..0b7b02f 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -2,6 +2,7 @@ sbearssl_append.o
sbearssl_cert_from.o
sbearssl_cert_readfile.o
sbearssl_cert_to.o
+sbearssl_ec_issuer_keytype.o
sbearssl_ec_pkey_from.o
sbearssl_ec_pkey_to.o
sbearssl_ec_skey_from.o
diff --git a/src/sbearssl/sbearssl_ec_issuer_keytype.c b/src/sbearssl/sbearssl_ec_issuer_keytype.c
new file mode 100644
index 0000000..2958e8d
--- /dev/null
+++ b/src/sbearssl/sbearssl_ec_issuer_keytype.c
@@ -0,0 +1,40 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <bearssl.h>
+#include <skalibs/stralloc.h>
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+int sbearssl_ec_issuer_keytype (int *kt, br_x509_certificate const *cert)
+{
+ br_x509_decoder_context ctx ;
+ stralloc sa = STRALLOC_ZERO ;
+ struct sbearssl_strallocerr_s blah = { .sa = &sa } ;
+ int r = -1 ;
+
+ br_x509_decoder_init(&ctx, &sbearssl_append, &blah) ;
+ br_x509_decoder_push(&ctx, cert->data, cert->data_len) ;
+ if (blah.err)
+ {
+ errno = blah.err ;
+ goto fail ;
+ }
+ r = br_x509_decoder_last_error(&ctx) ;
+ if (r) goto fail ;
+ r = br_x509_decoder_get_signer_key_type(&ctx) ;
+ if (!r)
+ {
+ r = -2 ;
+ goto fail ;
+ }
+
+ stralloc_free(&sa) ;
+ *kt = r ;
+ return 0 ;
+
+ fail:
+ stralloc_free(&sa) ;
+ return r ;
+}
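Review bot: The success path and the `fail:` path both free `sa` and could share one exit, which removes the duplicated cleanup and keeps the return-code convention in a single place: replace the three lines `stralloc_free(&sa) ; *kt = r ; return 0 ;` with `*kt = r ;` and `r = 0 ;` and let control fall into `fail:`. The `sa` stralloc is otherwise puzzling to a reader, since this function only ever frees it; a comment such as `/* sa only absorbs the DN bytes the decoder hands to sbearssl_append; they are never read here, the decoder just needs a sink that can report allocation failure via blah.err */` would explain why it exists. The mixed return space (-1 with errno, -2, and positive BearSSL codes from `br_x509_decoder_last_error`) should be stated in a header comment on the function, as the caller in sbearssl_s6tlsd.c maps each of these to a different exit status.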
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 1198349..35dd18a 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -66,9 +66,20 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
break ;
case BR_KEYTYPE_EC :
+ {
+ int kt, r ;
sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
- br_ssl_server_init_full_ec(&sc, chain, chainlen, BR_KEYTYPE_EC, &key.ec) ;
+ r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
+ switch (r)
+ {
+ case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
+ case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
+ case 0 : break ;
+ default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+ }
+ br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
break ;
+ }
default :
strerr_dief1x(96, "unsupported private key type") ;
}
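Review bot: `sbearssl_ec_issuer_keytype(&kt, &chain[0])` indexes the chain without a visible check that `chainlen` is at least 1; `sbearssl_s6tlsd` starts before this hunk, so if an earlier check already rejects an empty chain this is fine, otherwise a guard such as `if (!chainlen) strerr_dief1x(96, "empty certificate chain") ;` belongs before the lookup. A short why-comment on the init call would help, since the previous code hard-coded BR_KEYTYPE_EC here and the reader has to guess why the issuer's key type now matters: `/* the CA's key type (kt), not the server's, decides which ECDH cipher suites BearSSL may offer for this chain */` (this reflects how I recall BearSSL's cert_issuer_key_type parameter is used; confirm against the bearssl_ssl.h documentation). The `case -2`/`case -1`/`default` arms rely on the strerr_die* calls never returning, which is correct but worth a `/* strerr_die* do not return */` comment so nobody adds a `break` or reads it as fallthrough.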