From cb31c5e82982447c5036ace732feac15b8042eac Mon Sep 17 00:00:00 2001
From: Laurent Bercot <ska-skaware@skarnet.org>
Date: Fri, 25 Nov 2016 21:16:58 +0000
Subject:  Add EC certificate issuer key type detection for sbearssl

---
 package/deps.mak                          |  5 ++--
 src/include/s6-networking/sbearssl.h      | 32 ++++++++++++-------------
 src/sbearssl/deps-lib/sbearssl            |  1 +
 src/sbearssl/sbearssl_ec_issuer_keytype.c | 40 +++++++++++++++++++++++++++++++
 src/sbearssl/sbearssl_s6tlsd.c            | 13 +++++++++-
 5 files changed, 72 insertions(+), 19 deletions(-)
 create mode 100644 src/sbearssl/sbearssl_ec_issuer_keytype.c

diff --git a/package/deps.mak b/package/deps.mak
index f56b053..7173855 100644
--- a/package/deps.mak
+++ b/package/deps.mak
@@ -35,6 +35,7 @@ src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_append.lo: src/sbearssl/sbe
 src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_from.lo: src/sbearssl/sbearssl_cert_from.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_readfile.lo: src/sbearssl/sbearssl_cert_readfile.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_cert_to.lo: src/sbearssl/sbearssl_cert_to.c src/include/s6-networking/sbearssl.h
+src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_issuer_keytype.lo: src/sbearssl/sbearssl_ec_issuer_keytype.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h
 src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_from.lo: src/sbearssl/sbearssl_ec_pkey_from.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_pkey_to.lo: src/sbearssl/sbearssl_ec_pkey_to.c src/include/s6-networking/sbearssl.h
 src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_from.lo: src/sbearssl/sbearssl_ec_skey_from.c src/include/s6-networking/sbearssl.h
@@ -111,9 +112,9 @@ libs6net.so.xyzzy: EXTRA_LIBS := -lskarnet
 libs6net.so.xyzzy: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo
 minidentd: EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB}
 minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o -lskarnet
-libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_readfile_internal.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_s6tlsc.o src/sbearssl/sbearssl_s6tlsd.o
+libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_readfile_internal.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_s6tlsc.o src/sbearssl/sbearssl_s6tlsd.o
 libsbearssl.so.xyzzy: EXTRA_LIBS := -lbearssl -lskarnet
-libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_readfile_internal.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_s6tlsc.lo src/sbearssl/sbearssl_s6tlsd.lo
+libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_readfile_internal.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_s6tlsc.lo src/sbearssl/sbearssl_s6tlsd.lo
 libstls.a.xyzzy: src/stls/stls_run.o src/stls/stls_s6tlsc.o src/stls/stls_s6tlsd.o
 libstls.so.xyzzy: EXTRA_LIBS := -ltls -lskarnet
 libstls.so.xyzzy: src/stls/stls_run.lo src/stls/stls_s6tlsc.lo src/stls/stls_s6tlsd.lo
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 4589822..d8f9021 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -25,6 +25,21 @@
 extern int sbearssl_isder (unsigned char const *, size_t) ;
 
 
+ /* Certificates (x509-encoded) */
+
+typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ;
+struct sbearssl_cert_s
+{
+  size_t data ;
+  size_t datalen ;
+} ;
+
+extern int sbearssl_cert_from (sbearssl_cert *, br_x509_certificate const *, stralloc *) ;
+extern void sbearssl_cert_to (sbearssl_cert const *, br_x509_certificate *, char *) ;
+
+extern int sbearssl_cert_readfile (char const *, genalloc *, stralloc *) ;
+
+
  /* Private keys */
 
 typedef struct sbearssl_rsa_skey_s sbearssl_rsa_skey, *sbearssl_rsa_skey_ref ;
@@ -57,7 +72,7 @@ struct sbearssl_ec_skey_s
 
 extern int sbearssl_ec_skey_from (sbearssl_ec_skey *, br_ec_private_key const *, stralloc *) ;
 extern void sbearssl_ec_skey_to (sbearssl_ec_skey const *, br_ec_private_key *, char *) ;
-
+extern int sbearssl_ec_issuer_keytype (int *, br_x509_certificate const *) ;
 
 union sbearssl_skey_u
 {
@@ -135,21 +150,6 @@ extern int sbearssl_pkey_from (sbearssl_pkey *, br_x509_pkey const *, stralloc *
 extern int sbearssl_pkey_to (sbearssl_pkey const *, br_x509_pkey *, char *) ;
 
 
- /* Certificates (x509-encoded) */
-
-typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ;
-struct sbearssl_cert_s
-{
-  size_t data ;
-  size_t datalen ;
-} ;
-
-extern int sbearssl_cert_from (sbearssl_cert *, br_x509_certificate const *, stralloc *) ;
-extern void sbearssl_cert_to (sbearssl_cert const *, br_x509_certificate *, char *) ;
-
-extern int sbearssl_cert_readfile (char const *, genalloc *, stralloc *) ;
-
-
  /* Generic PEM */
 
 typedef struct sbearssl_pemobject_s sbearssl_pemobject, *sbearssl_pemobject_ref ;
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index bace1a7..0b7b02f 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -2,6 +2,7 @@ sbearssl_append.o
 sbearssl_cert_from.o
 sbearssl_cert_readfile.o
 sbearssl_cert_to.o
+sbearssl_ec_issuer_keytype.o
 sbearssl_ec_pkey_from.o
 sbearssl_ec_pkey_to.o
 sbearssl_ec_skey_from.o
diff --git a/src/sbearssl/sbearssl_ec_issuer_keytype.c b/src/sbearssl/sbearssl_ec_issuer_keytype.c
new file mode 100644
index 0000000..2958e8d
--- /dev/null
+++ b/src/sbearssl/sbearssl_ec_issuer_keytype.c
@@ -0,0 +1,40 @@
+/* ISC license. */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <bearssl.h>
+#include <skalibs/stralloc.h>
+#include <s6-networking/sbearssl.h>
+#include "sbearssl-internal.h"
+
+int sbearssl_ec_issuer_keytype (int *kt, br_x509_certificate const *cert)
+{
+  br_x509_decoder_context ctx ;
+  stralloc sa = STRALLOC_ZERO ;
+  struct sbearssl_strallocerr_s blah = { .sa = &sa } ;
+  int r = -1 ;
+
+  br_x509_decoder_init(&ctx, &sbearssl_append, &blah) ;
+  br_x509_decoder_push(&ctx, cert->data, cert->data_len) ;
+  if (blah.err)
+  {
+    errno = blah.err ;
+    goto fail ;
+  }
+  r = br_x509_decoder_last_error(&ctx) ;
+  if (r) goto fail ;
+  r = br_x509_decoder_get_signer_key_type(&ctx) ;
+  if (!r)
+  {
+    r = -2 ;
+    goto fail ;
+  }
+
+  stralloc_free(&sa) ;
+  *kt = r ;
+  return 0 ;
+
+ fail:
+  stralloc_free(&sa) ;
+  return r ;
+}
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 1198349..35dd18a 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
@@ -66,9 +66,20 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
         br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
         break ;
       case BR_KEYTYPE_EC :
+      {
+        int kt, r ;
         sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
-        br_ssl_server_init_full_ec(&sc, chain, chainlen, BR_KEYTYPE_EC, &key.ec) ;
+        r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
+        switch (r)
+        {
+          case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
+          case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
+          case 0 : break ;
+          default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+        }
+        br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
         break ;
+      }
       default :
       strerr_dief1x(96, "unsupported private key type") ;
     }
-- 
cgit v1.2.3