Certificate handling.
#include "compile_time.h"
#include "src/lib/cert.h"
#include "src/lib/filehandler.h"
#include "src/lib/list.h"
#include "src/lib/log.h"
#include "src/lib/sds_extras.h"
#include <arpa/inet.h>
#include <errno.h>
#include <ifaddrs.h>
#include <netdb.h>
#include <netinet/in.h>
#include <openssl/bn.h>
#include <openssl/conf.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/opensslv.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/x509v3.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
|
| static sds | print_asn1_time (sds buffer, const ASN1_TIME *time) |
| |
| static sds | print_x509_subject (sds buffer, X509 *cert) |
| |
| static bool | certificates_create (sds dir, sds custom_san) |
| |
| static void | push_san (struct t_list *san_list, const char *san) |
| |
| static sds | get_san (sds buffer) |
| |
| static bool | generate_set_random_serial (X509 *cert) |
| |
| static X509_REQ * | generate_request (EVP_PKEY *pkey) |
| |
| static void | add_extension (X509V3_CTX *ctx, X509 *cert, int nid, const char *value) |
| |
| static X509 * | sign_certificate_request (EVP_PKEY *ca_key, X509 *ca_cert, X509_REQ *req, sds san) |
| |
| static EVP_PKEY * | generate_keypair (int key_type, unsigned key_bits) |
| |
| static X509 * | generate_selfsigned_cert (EVP_PKEY *pkey) |
| |
| static bool | write_to_disk (sds key_file, EVP_PKEY *pkey, sds cert_file, X509 *cert) |
| |
| static bool | load_certificate (sds key_file, EVP_PKEY **key, sds cert_file, X509 **cert) |
| |
| static bool | create_ca_certificate (sds cakey_file, EVP_PKEY **ca_key, sds cacert_file, X509 **ca_cert) |
| |
| static bool | create_server_certificate (sds serverkey_file, EVP_PKEY **server_key, sds servercert_file, X509 **server_cert, sds custom_san, EVP_PKEY **ca_key, X509 **ca_cert) |
| |
| static int | check_expiration (X509 *cert, sds cert_file, int min_days, int max_days) |
| |
| static bool | certificates_cleanup (sds dir, const char *name) |
| |
| bool | certificates_check (sds workdir, sds ssl_san) |
| |
| sds | certificate_get_detail (sds cert_content) |
| |
◆ expire_check_rcs
Expiration state of certificates
| Enumerator |
|---|
| CERT_EXPIRE_ERROR | Error condition.
|
| CERT_EXPIRE_OK | Certificate is valid.
|
| CERT_EXPIRE_RENEW | Certificate should be renewed.
|
◆ add_extension()
| static void add_extension |
( |
X509V3_CTX * |
ctx, |
|
|
X509 * |
cert, |
|
|
int |
nid, |
|
|
const char * |
value |
|
) |
| |
|
static |
Adds an X509V3 extension to the certificate
- Parameters
-
| ctx | pointer to an already created X509V3_CTX struct |
| cert | pointer to X509 struct to add the extension |
| nid | X509V3 extension to set |
| value | value for the extension nid |
◆ certificate_get_detail()
| sds certificate_get_detail |
( |
sds |
cert_content | ) |
|
Returns the certificate details
- Parameters
-
| cert_content | the certificate as pem encoded sds |
- Returns
- certificate details as newly allocated sds
◆ certificates_check()
| bool certificates_check |
( |
sds |
workdir, |
|
|
sds |
ssl_san |
|
) |
| |
Public functions. Creates the SSL directory, CA and cert and renews them before they expire
- Parameters
-
| workdir | myMPD working directory |
| ssl_san | Additional subject alternative names |
- Returns
- true on success else false
◆ certificates_cleanup()
| static bool certificates_cleanup |
( |
sds |
dir, |
|
|
const char * |
name |
|
) |
| |
|
static |
Deletes the key and certificate by name
- Parameters
-
| dir | key and certificate directory |
| name | basename |
- Returns
- true on success else false
◆ certificates_create()
| static bool certificates_create |
( |
sds |
dir, |
|
|
sds |
custom_san |
|
) |
| |
|
static |
Creates the CA and cert and renews them before they expire
- Parameters
-
| dir | key and certificate directory |
| custom_san | Additional subject alternative names |
- Returns
- true on success else false
◆ check_expiration()
| static int check_expiration |
( |
X509 * |
cert, |
|
|
sds |
cert_file, |
|
|
int |
min_days, |
|
|
int |
max_days |
|
) |
| |
|
static |
Checks the expiration date of a certificate
- Parameters
-
| cert | pointer to X509 struct |
| cert_file | filename of the certificate |
| min_days | |
| max_days | |
- Returns
- CERT_EXPIRE_OK if the cert is valid for more than min_days and less than max_days; CERT_EXPIRE_ERROR on error reading the certificate; CERT_EXPIRE_RENEW if the cert must be renewed
◆ create_ca_certificate()
| static bool create_ca_certificate |
( |
sds |
cakey_file, |
|
|
EVP_PKEY ** |
ca_key, |
|
|
sds |
cacert_file, |
|
|
X509 ** |
ca_cert |
|
) |
| |
|
static |
Creates a self-signed CA certificate
- Parameters
-
| cakey_file | filename to save the key |
| ca_key | pointer to EVP_PKEY struct to populate |
| cacert_file | filename to save the cert |
| ca_cert | pointer to X509 struct to populate |
- Returns
- true on success else false
◆ create_server_certificate()
| static bool create_server_certificate |
( |
sds |
serverkey_file, |
|
|
EVP_PKEY ** |
server_key, |
|
|
sds |
servercert_file, |
|
|
X509 ** |
server_cert, |
|
|
sds |
custom_san, |
|
|
EVP_PKEY ** |
ca_key, |
|
|
X509 ** |
ca_cert |
|
) |
| |
|
static |
Creates the server certificate and signs it with the CA
- Parameters
-
| serverkey_file | filename to save the key |
| server_key | pointer to EVP_PKEY struct to populate |
| servercert_file | filename to save the cert |
| server_cert | pointer to X509 struct to populate |
| custom_san | SAN to append |
| ca_key | CA key for signing |
| ca_cert | CA cert for signing |
- Returns
- true on success else false
◆ generate_keypair()
| static EVP_PKEY * generate_keypair |
( |
int |
key_type, |
|
|
unsigned |
key_bits |
|
) |
| |
|
static |
Generates a private/public key pair
- Parameters
-
| key_type | key type: EVP_PKEY_RSA or EVP_PKEY_EC |
| key_bits | number of bits for the key |
- Returns
- newly allocated key or NULL on error
◆ generate_request()
| static X509_REQ * generate_request |
( |
EVP_PKEY * |
pkey | ) |
|
|
static |
Generates a certificate signing request
- Parameters
-
| pkey | pointer to private key |
- Returns
- certificate signing request as X509_REQ struct
◆ generate_selfsigned_cert()
| static X509 * generate_selfsigned_cert |
( |
EVP_PKEY * |
pkey | ) |
|
|
static |
Generates a self-signed x509 certificate.
- Parameters
-
| pkey | pointer to the private key |
- Returns
- newly allocated cert or NULL
◆ generate_set_random_serial()
| static bool generate_set_random_serial |
( |
X509 * |
cert | ) |
|
|
static |
Generates a 20-byte random serial number and sets it in the certificate.
- Parameters
-
| cert | pointer to X509 struct to set the serial |
- Returns
- true on success else false
◆ get_san()
| static sds get_san |
( |
sds |
buffer | ) |
|
|
static |
Gets local hostnames and IP addresses for the subject alternative names
- Parameters
-
| buffer | sds string to populate |
- Returns
- pointer to buffer
◆ load_certificate()
| static bool load_certificate |
( |
sds |
key_file, |
|
|
EVP_PKEY ** |
key, |
|
|
sds |
cert_file, |
|
|
X509 ** |
cert |
|
) |
| |
|
static |
Loads the key and cert from the filesystem
- Parameters
-
| key_file | filename for the key |
| key | pointer to EVP_PKEY struct to populate |
| cert_file | filename for the cert |
| cert | pointer to X509 struct to populate |
- Returns
- true on success, else false
◆ print_asn1_time()
| static sds print_asn1_time |
( |
sds |
buffer, |
|
|
const ASN1_TIME * |
time |
|
) |
| |
|
static |
Private functions. Prints an ASN1 time struct to buffer
- Parameters
-
| buffer | already allocated sds string |
| time | asn1 time struct to print |
- Returns
- pointer to buffer
◆ print_x509_subject()
| static sds print_x509_subject |
( |
sds |
buffer, |
|
|
X509 * |
cert |
|
) |
| |
|
static |
Prints x509 subject to buffer
- Parameters
-
| buffer | already allocated sds string |
| cert | x509 certificate |
- Returns
- pointer to buffer
◆ push_san()
| static void push_san |
( |
struct t_list * |
san_list, |
|
|
const char * |
san |
|
) |
| |
|
static |
Adds a string to the SAN list if it is not already present
- Parameters
-
| san_list | pointer to the san list |
| san | string to add |
◆ sign_certificate_request()
| static X509 * sign_certificate_request |
( |
EVP_PKEY * |
ca_key, |
|
|
X509 * |
ca_cert, |
|
|
X509_REQ * |
req, |
|
|
sds |
san |
|
) |
| |
|
static |
Signs the certificate request
- Parameters
-
| ca_key | CA key for signing |
| ca_cert | CA cert for signing |
| req | pointer to the certificate signing request |
| san | Subject Alternative Name to set |
- Returns
- on success a pointer to a newly allocated X509 struct, else NULL
◆ write_to_disk()
| static bool write_to_disk |
( |
sds |
key_file, |
|
|
EVP_PKEY * |
pkey, |
|
|
sds |
cert_file, |
|
|
X509 * |
cert |
|
) |
| |
|
static |
Writes the private key and cert to disk
- Parameters
-
| key_file | filename to save the key |
| pkey | pointer to the private key |
| cert_file | filename to save the cert |
| cert | pointer to the cert |
- Returns
- true on success else false