1 | /* $Id: x509-create-sign.cpp 105124 2024-07-03 17:50:46Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Crypto - X.509, Certificate Creation.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2024 Oracle and/or its affiliates.
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox base platform packages, as
|
---|
10 | * available from https://www.virtualbox.org.
|
---|
11 | *
|
---|
12 | * This program is free software; you can redistribute it and/or
|
---|
13 | * modify it under the terms of the GNU General Public License
|
---|
14 | * as published by the Free Software Foundation, in version 3 of the
|
---|
15 | * License.
|
---|
16 | *
|
---|
17 | * This program is distributed in the hope that it will be useful, but
|
---|
18 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
20 | * General Public License for more details.
|
---|
21 | *
|
---|
22 | * You should have received a copy of the GNU General Public License
|
---|
23 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
---|
24 | *
|
---|
25 | * The contents of this file may alternatively be used under the terms
|
---|
26 | * of the Common Development and Distribution License Version 1.0
|
---|
27 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
---|
28 | * in the VirtualBox distribution, in which case the provisions of the
|
---|
29 | * CDDL are applicable instead of those of the GPL.
|
---|
30 | *
|
---|
31 | * You may elect to license modified versions of this file under the
|
---|
32 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
33 | *
|
---|
34 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
---|
35 | */
|
---|
36 |
|
---|
37 |
|
---|
38 | /*********************************************************************************************************************************
|
---|
39 | * Header Files *
|
---|
40 | *********************************************************************************************************************************/
|
---|
41 | #include "internal/iprt.h"
|
---|
42 | #include <iprt/crypto/x509.h>
|
---|
43 |
|
---|
44 | #ifdef IPRT_WITH_OPENSSL
|
---|
45 | # include <iprt/err.h>
|
---|
46 | # include <iprt/file.h>
|
---|
47 | # include <iprt/rand.h>
|
---|
48 |
|
---|
49 | # include "internal/iprt-openssl.h"
|
---|
50 | # include "internal/openssl-pre.h"
|
---|
51 | # include <openssl/evp.h>
|
---|
52 | # include <openssl/pem.h>
|
---|
53 | # include <openssl/x509.h>
|
---|
54 | # include <openssl/bio.h>
|
---|
55 | # include "internal/openssl-post.h"
|
---|
56 |
|
---|
57 | # if OPENSSL_VERSION_NUMBER < 0x1010000f
|
---|
58 | # define BIO_s_secmem BIO_s_mem
|
---|
59 | # endif
|
---|
60 |
|
---|
61 |
|
---|
62 |
|
---|
63 | RTDECL(int) RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE enmDigestType, uint32_t cBits, uint32_t cSecsValidFor,
|
---|
64 | uint32_t fKeyUsage, uint64_t fExtKeyUsage, const char *pvSubject,
|
---|
65 | const char *pszCertFile, const char *pszPrivateKeyFile, PRTERRINFO pErrInfo)
|
---|
66 | {
|
---|
67 | AssertReturn(cSecsValidFor <= (uint32_t)INT32_MAX, VERR_OUT_OF_RANGE); /* larger values are not portable (win) */
|
---|
68 | AssertReturn(!fKeyUsage, VERR_NOT_IMPLEMENTED);
|
---|
69 | AssertReturn(!fExtKeyUsage, VERR_NOT_IMPLEMENTED);
|
---|
70 |
|
---|
71 | /*
|
---|
72 | * Translate enmDigestType.
|
---|
73 | */
|
---|
74 | const EVP_MD * const pEvpDigest = (const EVP_MD *)rtCrOpenSslConvertDigestType(enmDigestType, pErrInfo);
|
---|
75 | AssertReturn(pEvpDigest, pErrInfo ? pErrInfo->rc : VERR_CR_DIGEST_NOT_SUPPORTED);
|
---|
76 |
|
---|
77 | /*
|
---|
78 | * Create a new RSA private key.
|
---|
79 | */
|
---|
80 | # if OPENSSL_VERSION_NUMBER >= 0x30000000 /* RSA_generate_key is depreated in v3 */
|
---|
81 | EVP_PKEY * const pPrivateKey = EVP_RSA_gen(cBits);
|
---|
82 | if (!pPrivateKey)
|
---|
83 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "EVP_RSA_gen(%u) failed", cBits);
|
---|
84 | # else
|
---|
85 | RSA * const pRsaKey = RSA_generate_key(
|
---|
86 | cBits, /* Number of bits for the key */
|
---|
87 | RSA_F4, /* Exponent - RSA_F4 is defined as 0x10001L */
|
---|
88 | NULL, /* Callback */
|
---|
89 | NULL /* Callback argument */
|
---|
90 | );
|
---|
91 | if (!pRsaKey)
|
---|
92 | return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "RSA_generate_key(%u,RSA_F4,,) failed", cBits);
|
---|
93 |
|
---|
94 | EVP_PKEY * const pPrivateKey = EVP_PKEY_new();
|
---|
95 | if (pPrivateKey)
|
---|
96 | EVP_PKEY_assign_RSA(pPrivateKey, pRsaKey); /* Takes ownership of pRsaKey. */
|
---|
97 | else
|
---|
98 | {
|
---|
99 | RSA_free(pRsaKey);
|
---|
100 | return RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new failed");
|
---|
101 | }
|
---|
102 | # endif
|
---|
103 |
|
---|
104 | /*
|
---|
105 | * Construct the certificate.
|
---|
106 | */
|
---|
107 | int rc = VINF_SUCCESS;
|
---|
108 | X509 *pNewCert = X509_new();
|
---|
109 | if (pNewCert)
|
---|
110 | {
|
---|
111 | int rcOssl;
|
---|
112 |
|
---|
113 | /* Set to X509 version 1: */
|
---|
114 | # if 0
|
---|
115 | if (fKeyUsage || fExtKeyUsage)
|
---|
116 | rcOssl = X509_set_version(pNewCert, RTCRX509TBSCERTIFICATE_V3);
|
---|
117 | else
|
---|
118 | # endif
|
---|
119 | rcOssl = X509_set_version(pNewCert, RTCRX509TBSCERTIFICATE_V1);
|
---|
120 | AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_version failed"));
|
---|
121 |
|
---|
122 | /* Set the serial number to a random number in the 1 - 1G range: */
|
---|
123 | rcOssl = ASN1_INTEGER_set(X509_get_serialNumber(pNewCert), RTRandU32Ex(1, UINT32_MAX / 4));
|
---|
124 | AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_version failed"));
|
---|
125 |
|
---|
126 | /* The certificate is valid from now and the specifice number of seconds forwards: */
|
---|
127 | # if OPENSSL_VERSION_NUMBER >= 0x1010000f
|
---|
128 | AssertStmt(X509_gmtime_adj(X509_getm_notBefore(pNewCert), 0),
|
---|
129 | rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/before failed"));
|
---|
130 | AssertStmt(X509_gmtime_adj(X509_getm_notAfter(pNewCert), cSecsValidFor),
|
---|
131 | rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/after failed"));
|
---|
132 | # else
|
---|
133 | AssertStmt(X509_gmtime_adj(X509_get_notBefore(pNewCert), 0),
|
---|
134 | rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/before failed"));
|
---|
135 | AssertStmt(X509_gmtime_adj(X509_get_notAfter(pNewCert), cSecsValidFor),
|
---|
136 | rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/after failed"));
|
---|
137 | # endif
|
---|
138 |
|
---|
139 | /* Set the public key (part of the private): */
|
---|
140 | rcOssl = X509_set_pubkey(pNewCert, pPrivateKey);
|
---|
141 | AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_pubkey failed"));
|
---|
142 |
|
---|
143 | # if 0
|
---|
144 | /* Set key usage. */
|
---|
145 | if (fKeyUsage)
|
---|
146 | {
|
---|
147 | }
|
---|
148 | /* Set extended key usage. */
|
---|
149 | if (fExtKeyUsage)
|
---|
150 | {
|
---|
151 | }
|
---|
152 | # endif
|
---|
153 | /** @todo set other certificate attributes? */
|
---|
154 |
|
---|
155 |
|
---|
156 | /** @todo check what the subject name is... Offer way to specify it? */
|
---|
157 |
|
---|
158 | /* Make it self signed: */
|
---|
159 | X509_NAME *pX509Name = X509_get_subject_name(pNewCert);
|
---|
160 | rcOssl = X509_NAME_add_entry_by_txt(pX509Name, "CN", MBSTRING_ASC, (unsigned char *) pvSubject, -1, -1, 0);
|
---|
161 | AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_NAME_add_entry_by_txt failed"));
|
---|
162 | rcOssl = X509_set_issuer_name(pNewCert, pX509Name);
|
---|
163 | AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_issuer_name failed"));
|
---|
164 |
|
---|
165 | if (RT_SUCCESS(rc))
|
---|
166 | {
|
---|
167 | /*
|
---|
168 | * Sign the certificate.
|
---|
169 | */
|
---|
170 | rcOssl = X509_sign(pNewCert, pPrivateKey, pEvpDigest);
|
---|
171 | if (rcOssl > 0)
|
---|
172 | {
|
---|
173 | /*
|
---|
174 | * Write out the result to the two files.
|
---|
175 | */
|
---|
176 | /* The certificate (not security sensitive). */
|
---|
177 | BIO * const pCertBio = BIO_new(BIO_s_mem());
|
---|
178 | if (pCertBio)
|
---|
179 | {
|
---|
180 | rcOssl = PEM_write_bio_X509(pCertBio, pNewCert);
|
---|
181 | if (rcOssl > 0)
|
---|
182 | rc = rtCrOpenSslWriteMemBioToNewFile(pCertBio, pszCertFile, pErrInfo);
|
---|
183 | else
|
---|
184 | rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "PEM_write_bio_X509 failed");
|
---|
185 | BIO_free(pCertBio);
|
---|
186 | }
|
---|
187 | else
|
---|
188 | rc = VERR_NO_MEMORY;
|
---|
189 |
|
---|
190 | if (RT_SUCCESS(rc))
|
---|
191 | {
|
---|
192 | /* The private key as plain text (security sensitive, thus last). */
|
---|
193 | BIO * const pPkBio = BIO_new(BIO_s_secmem());
|
---|
194 | if (pPkBio)
|
---|
195 | {
|
---|
196 | rcOssl = PEM_write_bio_PrivateKey(pPkBio, pPrivateKey,
|
---|
197 | NULL /*enc*/, NULL /*kstr*/, 0 /*klen*/, NULL /*cb*/, NULL /*u*/);
|
---|
198 | if (rcOssl > 0)
|
---|
199 | rc = rtCrOpenSslWriteMemBioToNewFile(pPkBio, pszPrivateKeyFile, pErrInfo);
|
---|
200 | else
|
---|
201 | rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "PEM_write_bio_PrivateKey failed");
|
---|
202 | BIO_free(pPkBio);
|
---|
203 | }
|
---|
204 | else
|
---|
205 | rc = VERR_NO_MEMORY;
|
---|
206 | if (RT_FAILURE(rc))
|
---|
207 | RTFileDelete(pszCertFile);
|
---|
208 | }
|
---|
209 | }
|
---|
210 | else
|
---|
211 | rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "X509_sign failed");
|
---|
212 | }
|
---|
213 |
|
---|
214 | X509_free(pNewCert);
|
---|
215 | }
|
---|
216 | else
|
---|
217 | rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "X509_new failed");
|
---|
218 |
|
---|
219 | EVP_PKEY_free(pPrivateKey);
|
---|
220 | return rc;
|
---|
221 | }
|
---|
222 |
|
---|
223 | #endif /* IPRT_WITH_OPENSSL */
|
---|