Commit 52941566 authored by PhoeniX's avatar PhoeniX

Multi-certificate server support

parent ea511460
......@@ -27,8 +27,8 @@
#include <openssl/pkcs7.h>
#include <openssl/rand.h>
EVP_PKEY *cakey;
X509 *cacer;
EVP_PKEY *cakey, *enkey, *dskey;
X509 *cacer, *encer, *dscer;
int sock;
static char *decoding_table = NULL;
......@@ -160,17 +160,6 @@ void do_certReq(int sock, const char* req, size_t len, const char* trans, X509*
}
sk_free(&list->stack);
}
int idx = X509_get_ext_by_NID(cacer, NID_subject_key_identifier, -1);
if (idx != -1) {
X509_EXTENSION *e = X509_get_ext(cacer, idx);
int len = ASN1_STRING_length(e->value);
char buf[len+6];
strncpy(buf, "keyid:", 6);
strncpy(&buf[6], (char*)ASN1_STRING_data(e->value), len);
ASN1_OCTET_STRING *str = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(str, (unsigned char*)buf, len+6);
X509_add_ext(ncert, X509_EXTENSION_create_by_NID(NULL, NID_authority_key_identifier, 255, str), 0);
}
}
pub = X509_REQ_get_pubkey(r);
X509_set_pubkey(ncert,pub);
......@@ -293,7 +282,7 @@ void do_pki_op(int sock, const unsigned char *msg, size_t len)
d2i_PKCS7_bio(bio, &dt);
BIO_reset(bio);
if (!PKCS7_decrypt(dt, cakey, cacer, bio, 0)) goto err;
if (!PKCS7_decrypt(dt, enkey, encer, bio, 0)) goto err;
BIO_get_mem_ptr(bio, &ptr);
switch (msgtype) {
case 19:
......@@ -322,8 +311,15 @@ void do_op(int sock, const char* op, const unsigned char* msg, size_t len) {
}
if (strcmp(op, "GetCACert")==0) {
unsigned char* buf = 0;
size_t len = i2d_X509(cacer, &buf);
do_resp(sock,"application/x-x509-ca-cert",buf,len);
PKCS7 *pkcs = PKCS7_new();
PKCS7_set_type(pkcs, NID_pkcs7_signed);
PKCS7_content_new(pkcs, NID_pkcs7_data);
PKCS7_add_certificate(pkcs, encer);
PKCS7_add_certificate(pkcs, dscer);
PKCS7_add_certificate(pkcs, cacer);
size_t len = i2d_PKCS7(pkcs, &buf);
PKCS7_free(pkcs);
do_resp(sock,"application/x-x509-ca-ra-cert",buf,len);
free(buf);
return;
}
......@@ -437,17 +433,22 @@ static void* socket_proc (void* arg) {
int main(int argc, const char * argv[]) {
CFAbsoluteTimeGetCurrent();
const char *cacerf, *cakeyf, *sockf;
if (argc == 4) {
const char *cacerf, *cakeyf, *dscerf, *dskeyf, *encerf, *enkeyf, *sockf;
if (argc == 8) {
cacerf = argv[1];
cakeyf = argv[2];
sockf = argv[3];
dscerf = argv[3];
dskeyf = argv[4];
encerf = argv[5];
enkeyf = argv[6];
sockf = argv[7];
} else return 1;
OPENSSL_init();
OpenSSL_add_all_algorithms();
printf("Loading keys...");
{
FILE *fp;
fp = fopen(cacerf, "r");
if (!fp) {
printf(" cert error %d (%s)\n",errno,cacerf);
......@@ -466,6 +467,45 @@ int main(int argc, const char * argv[]) {
if (!cakey) d2i_PrivateKey_fp(fp, &cakey);
if (!cakey) return 1;
fclose(fp);
fp = fopen(dscerf, "r");
if (!fp) {
printf(" cert error %d (%s)\n",errno,dscerf);
return 1;
}
PEM_read_X509(fp, &dscer, 0, 0);
if (!dscer) d2i_X509_fp(fp, &dscer);
if (!dscer) return 1;
fclose(fp);
fp = fopen(dskeyf, "r");
if (!fp) {
printf(" key error %d (%s)\n",errno,dscerf);
return 1;
}
PEM_read_PrivateKey(fp, &dskey, 0, 0);
if (!dskey) d2i_PrivateKey_fp(fp, &dskey);
if (!dskey) return 1;
fclose(fp);
fp = fopen(encerf, "r");
if (!fp) {
printf(" cert error %d (%s)\n",errno,encerf);
return 1;
}
PEM_read_X509(fp, &encer, 0, 0);
if (!encer) d2i_X509_fp(fp, &encer);
if (!encer) return 1;
fclose(fp);
fp = fopen(enkeyf, "r");
if (!fp) {
printf(" key error %d (%s)\n",errno,encerf);
return 1;
}
PEM_read_PrivateKey(fp, &enkey, 0, 0);
if (!enkey) d2i_PrivateKey_fp(fp, &enkey);
if (!enkey) return 1;
fclose(fp);
printf(" [ DONE ]\n");
}
printf("Starting server...");
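Review bot: In the GetCACert branch of do_op, `i2d_PKCS7(pkcs, &buf)` returns an `int` that is negative on encoding failure, yet the value is stored straight into `size_t len` and handed to do_resp together with a `buf` that is still NULL, so an encoding error becomes a response of length ~SIZE_MAX read from a null pointer; the chain-building calls `PKCS7_new`, `PKCS7_set_type`, `PKCS7_content_new` and `PKCS7_add_certificate` are likewise unchecked, and a NULL `pkcs` would crash inside `PKCS7_set_type`. Keep the DER length in an `int`, return before do_resp when it is negative or any builder step fails, and cast to size_t only on the success path. Buffers returned by `i2d_*` come from OPENSSL_malloc, so `OPENSSL_free(buf)` is the matching release (the pre-existing `free(buf)` only happens to work while the default allocator is in use). Separately, the new key-load failure messages in main() print the certificate path (`dscerf`, `encerf`) where `dskeyf` and `enkeyf` are meant, which points an operator at the wrong file. The remainder of do_op, including how it reports errors to the client, lies outside the hunk, so the bare `return` below stands in for whatever error response do_op uses.
```c
if (strcmp(op, "GetCACert")==0) {
    unsigned char* buf = 0;
    PKCS7 *pkcs = PKCS7_new();
    /* degenerate certs-only SignedData carrying the RA and CA certificates */
    if (!pkcs
        || !PKCS7_set_type(pkcs, NID_pkcs7_signed)
        || !PKCS7_content_new(pkcs, NID_pkcs7_data)
        || !PKCS7_add_certificate(pkcs, encer)
        || !PKCS7_add_certificate(pkcs, dscer)
        || !PKCS7_add_certificate(pkcs, cacer)) {
        PKCS7_free(pkcs);            /* PKCS7_free(NULL) is a no-op */
        return;                      /* TODO: send the error response do_op uses elsewhere */
    }
    int n = i2d_PKCS7(pkcs, &buf);  /* negative on failure; buf is then still NULL */
    PKCS7_free(pkcs);
    if (n < 0) {
        return;                      /* TODO: same error response as above */
    }
    do_resp(sock,"application/x-x509-ca-ra-cert",buf,(size_t)n);
    OPENSSL_free(buf);               /* i2d_* allocates with OPENSSL_malloc */
    return;
}
```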