From cb31c5e82982447c5036ace732feac15b8042eac Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 25 Nov 2016 21:16:58 +0000 Subject: Add EC certificate issuer key type detection for sbearssl --- package/deps.mak | 5 ++-- src/include/s6-networking/sbearssl.h | 32 ++++++++++++------------- src/sbearssl/deps-lib/sbearssl | 1 + src/sbearssl/sbearssl_ec_issuer_keytype.c | 40 +++++++++++++++++++++++++++++++ src/sbearssl/sbearssl_s6tlsd.c | 13 +++++++++- 5 files changed, 72 insertions(+), 19 deletions(-) create mode 100644 src/sbearssl/sbearssl_ec_issuer_keytype.c diff --git a/package/deps.mak b/package/deps.mak index f56b053..7173855 100644 --- a/package/deps.mak +++ b/package/deps.mak @@ -35,6 +35,7 @@ src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_append.lo: src/sbearssl/sbe src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_from.lo: src/sbearssl/sbearssl_cert_from.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_readfile.lo: src/sbearssl/sbearssl_cert_readfile.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_cert_to.lo: src/sbearssl/sbearssl_cert_to.c src/include/s6-networking/sbearssl.h +src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_issuer_keytype.lo: src/sbearssl/sbearssl_ec_issuer_keytype.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl-internal.h src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_from.lo: src/sbearssl/sbearssl_ec_pkey_from.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_pkey_to.lo: src/sbearssl/sbearssl_ec_pkey_to.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_from.lo: src/sbearssl/sbearssl_ec_skey_from.c src/include/s6-networking/sbearssl.h 
@@ -111,9 +112,9 @@ libs6net.so.xyzzy: EXTRA_LIBS := -lskarnet libs6net.so.xyzzy: src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo minidentd: EXTRA_LIBS := ${SOCKET_LIB} ${TAINNOW_LIB} minidentd: src/minidentd/minidentd.o src/minidentd/mgetuid.o -lskarnet -libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_readfile_internal.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_s6tlsc.o src/sbearssl/sbearssl_s6tlsd.o +libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o 
src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_readfile_internal.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_s6tlsc.o src/sbearssl/sbearssl_s6tlsd.o libsbearssl.so.xyzzy: EXTRA_LIBS := -lbearssl -lskarnet -libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_readfile_internal.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_s6tlsc.lo src/sbearssl/sbearssl_s6tlsd.lo +libsbearssl.so.xyzzy: src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo 
src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_readfile_internal.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_s6tlsc.lo src/sbearssl/sbearssl_s6tlsd.lo libstls.a.xyzzy: src/stls/stls_run.o src/stls/stls_s6tlsc.o src/stls/stls_s6tlsd.o libstls.so.xyzzy: EXTRA_LIBS := -ltls -lskarnet libstls.so.xyzzy: src/stls/stls_run.lo src/stls/stls_s6tlsc.lo src/stls/stls_s6tlsd.lo diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index 4589822..d8f9021 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h 
@@ -25,6 +25,21 @@ extern int sbearssl_isder (unsigned char const *, size_t) ; + /* Certificates (x509-encoded) */ + +typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ; +struct sbearssl_cert_s +{ + size_t data ; + size_t datalen ; +} ; + +extern int sbearssl_cert_from (sbearssl_cert *, br_x509_certificate const *, stralloc *) ; +extern void sbearssl_cert_to (sbearssl_cert const *, br_x509_certificate *, char *) ; + +extern int sbearssl_cert_readfile (char const *, genalloc *, stralloc *) ; + + /* Private keys */ typedef struct sbearssl_rsa_skey_s sbearssl_rsa_skey, *sbearssl_rsa_skey_ref ; @@ -57,7 +72,7 @@ struct sbearssl_ec_skey_s extern int sbearssl_ec_skey_from (sbearssl_ec_skey *, br_ec_private_key const *, stralloc *) ; extern void sbearssl_ec_skey_to (sbearssl_ec_skey const *, br_ec_private_key *, char *) ; - +extern int sbearssl_ec_issuer_keytype (int *, br_x509_certificate const *) ; union sbearssl_skey_u { @@ -135,21 +150,6 @@ extern int sbearssl_pkey_from (sbearssl_pkey *, br_x509_pkey const *, stralloc * extern int sbearssl_pkey_to (sbearssl_pkey const *, br_x509_pkey *, char *) ; - /* Certificates (x509-encoded) */ - -typedef struct sbearssl_cert_s sbearssl_cert, *sbearssl_cert_ref ; -struct sbearssl_cert_s -{ - size_t data ; - size_t datalen ; -} ; - -extern int sbearssl_cert_from (sbearssl_cert *, br_x509_certificate const *, stralloc *) ; -extern void sbearssl_cert_to (sbearssl_cert const *, br_x509_certificate *, char *) ; - -extern int sbearssl_cert_readfile (char const *, genalloc *, stralloc *) ; - - /* Generic PEM */ typedef struct sbearssl_pemobject_s sbearssl_pemobject, *sbearssl_pemobject_ref ; diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index bace1a7..0b7b02f 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl 
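Review bot: The new `sbearssl_ec_issuer_keytype` prototype is added with no statement of its result convention, yet callers have to tell three failures apart (-1 with errno, -2, and a positive BearSSL error code, as the switch in sbearssl_s6tlsd.c in this same commit does). A one-line comment above the declaration would fix that: `/* 0 on success (*kt = BR_KEYTYPE_*); -1 with errno set; -2 if the issuer key type is not recognized; >0: BearSSL X.509 decoder error code */`. It also appears to land in the "Private keys" section right after `sbearssl_ec_skey_to`, although it inspects a certificate rather than a key; the "Certificates (x509-encoded)" section this commit moves up looks like its natural home.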
@@ -2,6 +2,7 @@ sbearssl_append.o
 sbearssl_cert_from.o
 sbearssl_cert_readfile.o
 sbearssl_cert_to.o
+sbearssl_ec_issuer_keytype.o
 sbearssl_ec_pkey_from.o
 sbearssl_ec_pkey_to.o
 sbearssl_ec_skey_from.o
diff --git a/src/sbearssl/sbearssl_ec_issuer_keytype.c b/src/sbearssl/sbearssl_ec_issuer_keytype.c
new file mode 100644
index 0000000..2958e8d
--- /dev/null
+++ b/src/sbearssl/sbearssl_ec_issuer_keytype.c
@@ -0,0 +1,40 @@
+/* ISC license. */
+
+#include
+#include
+#include
+#include
+#include
+#include "sbearssl-internal.h"
+
+int sbearssl_ec_issuer_keytype (int *kt, br_x509_certificate const *cert)
+{
+ br_x509_decoder_context ctx ;
+ stralloc sa = STRALLOC_ZERO ;
+ struct sbearssl_strallocerr_s blah = { .sa = &sa } ;
+ int r = -1 ;
+
+ br_x509_decoder_init(&ctx, &sbearssl_append, &blah) ;
+ br_x509_decoder_push(&ctx, cert->data, cert->data_len) ;
+ if (blah.err)
+ {
+ errno = blah.err ;
+ goto fail ;
+ }
+ r = br_x509_decoder_last_error(&ctx) ;
+ if (r) goto fail ;
+ r = br_x509_decoder_get_signer_key_type(&ctx) ;
+ if (!r)
+ {
+ r = -2 ;
+ goto fail ;
+ }
+
+ stralloc_free(&sa) ;
+ *kt = r ;
+ return 0 ;
+
+ fail:
+ stralloc_free(&sa) ;
+ return r ;
+}
diff --git a/src/sbearssl/sbearssl_s6tlsd.c b/src/sbearssl/sbearssl_s6tlsd.c
index 1198349..35dd18a 100644
--- a/src/sbearssl/sbearssl_s6tlsd.c
+++ b/src/sbearssl/sbearssl_s6tlsd.c
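Review bot: `sbearssl_ec_issuer_keytype` trusts `br_x509_decoder_get_signer_key_type` as soon as `br_x509_decoder_last_error` reports 0, but if I read BearSSL right the signer key type is recorded once the signature-algorithm field has been parsed and a merely truncated DER leaves the error at 0, so a cut-off `cert->data` could yield a key type instead of a failure. A completeness check after the error test would close that gap: `if (!br_x509_decoder_get_pkey(&ctx)) { r = BR_ERR_X509_TRUNCATED ; goto fail ; }` — `get_pkey` is NULL unless decoding finished cleanly; worth confirming against the BearSSL version actually linked. The role of `sa` and `blah` is also unstated and only `blah.err` is ever read, so a comment such as `/* presumably a sink for the decoder's DN-append output; only .err is consulted, the bytes are discarded */` would spare the next reader a trip to the BearSSL docs.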
@@ -66,9 +66,20 @@ int sbearssl_s6tlsd (char const *const *argv, char const *const *envp, tain_t co
 br_ssl_server_init_full_rsa(&sc, chain, chainlen, &key.rsa) ;
 break ;
 case BR_KEYTYPE_EC :
+ {
+ int kt, r ;
 sbearssl_ec_skey_to(&skey.data.ec, &key.ec, storage.s) ;
- br_ssl_server_init_full_ec(&sc, chain, chainlen, BR_KEYTYPE_EC, &key.ec) ;
+ r = sbearssl_ec_issuer_keytype(&kt, &chain[0]) ;
+ switch (r)
+ {
+ case -2 : strerr_dief1x(96, "certificate issuer key type not recognized") ;
+ case -1 : strerr_diefu1sys(111, "get certificate issuer key type") ;
+ case 0 : break ;
+ default : strerr_diefu3x(96, "get certificate issuer key type", ": ", sbearssl_error_str(r)) ;
+ }
+ br_ssl_server_init_full_ec(&sc, chain, chainlen, kt, &key.ec) ;
 break ;
+ }
 default : strerr_dief1x(96, "unsupported private key type") ;
 }
-- cgit v1.2.3
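Review bot: The new EC branch indexes `&chain[0]` unconditionally and nothing in the hunk shows `chainlen` being non-zero, so unless the chain loading earlier in `sbearssl_s6tlsd` already rejects an empty chain this reads past the array. A local guard before the call settles it either way: `if (!chainlen) strerr_dief1x(96, "empty certificate chain") ;`. The `case -2` and `case -1` labels run straight into the next label, which is only correct because the `strerr_die*` helpers presumably never return; a short `/* strerr_die* does not return */` on the switch would make that intent explicit. The body of `sbearssl_s6tlsd` begins and ends outside this hunk.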