VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-create-sign.cpp@ 105589

Last change on this file since 105589 was 105124, checked in by vboxsync, 5 months ago

Certificate repair function added - bugref:10310

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 8.8 KB
Line 
1/* $Id: x509-create-sign.cpp 105124 2024-07-03 17:50:46Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Certificate Creation.
4 */
5
6/*
7 * Copyright (C) 2024 Oracle and/or its affiliates.
8 *
9 * This file is part of VirtualBox base platform packages, as
10 * available from https://www.virtualbox.org.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation, in version 3 of the
15 * License.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <https://www.gnu.org/licenses>.
24 *
25 * The contents of this file may alternatively be used under the terms
26 * of the Common Development and Distribution License Version 1.0
27 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28 * in the VirtualBox distribution, in which case the provisions of the
29 * CDDL are applicable instead of those of the GPL.
30 *
31 * You may elect to license modified versions of this file under the
32 * terms and conditions of either the GPL or the CDDL or both.
33 *
34 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35 */
36
37
38/*********************************************************************************************************************************
39* Header Files *
40*********************************************************************************************************************************/
41#include "internal/iprt.h"
42#include <iprt/crypto/x509.h>
43
44#ifdef IPRT_WITH_OPENSSL
45# include <iprt/err.h>
46# include <iprt/file.h>
47# include <iprt/rand.h>
48
49# include "internal/iprt-openssl.h"
50# include "internal/openssl-pre.h"
51# include <openssl/evp.h>
52# include <openssl/pem.h>
53# include <openssl/x509.h>
54# include <openssl/bio.h>
55# include "internal/openssl-post.h"
56
57# if OPENSSL_VERSION_NUMBER < 0x1010000f
58# define BIO_s_secmem BIO_s_mem
59# endif
60
61
62
63RTDECL(int) RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE enmDigestType, uint32_t cBits, uint32_t cSecsValidFor,
64 uint32_t fKeyUsage, uint64_t fExtKeyUsage, const char *pvSubject,
65 const char *pszCertFile, const char *pszPrivateKeyFile, PRTERRINFO pErrInfo)
66{
67 AssertReturn(cSecsValidFor <= (uint32_t)INT32_MAX, VERR_OUT_OF_RANGE); /* larger values are not portable (win) */
68 AssertReturn(!fKeyUsage, VERR_NOT_IMPLEMENTED);
69 AssertReturn(!fExtKeyUsage, VERR_NOT_IMPLEMENTED);
70
71 /*
72 * Translate enmDigestType.
73 */
74 const EVP_MD * const pEvpDigest = (const EVP_MD *)rtCrOpenSslConvertDigestType(enmDigestType, pErrInfo);
75 AssertReturn(pEvpDigest, pErrInfo ? pErrInfo->rc : VERR_CR_DIGEST_NOT_SUPPORTED);
76
77 /*
78 * Create a new RSA private key.
79 */
80# if OPENSSL_VERSION_NUMBER >= 0x30000000 /* RSA_generate_key is depreated in v3 */
81 EVP_PKEY * const pPrivateKey = EVP_RSA_gen(cBits);
82 if (!pPrivateKey)
83 return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "EVP_RSA_gen(%u) failed", cBits);
84# else
85 RSA * const pRsaKey = RSA_generate_key(
86 cBits, /* Number of bits for the key */
87 RSA_F4, /* Exponent - RSA_F4 is defined as 0x10001L */
88 NULL, /* Callback */
89 NULL /* Callback argument */
90 );
91 if (!pRsaKey)
92 return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "RSA_generate_key(%u,RSA_F4,,) failed", cBits);
93
94 EVP_PKEY * const pPrivateKey = EVP_PKEY_new();
95 if (pPrivateKey)
96 EVP_PKEY_assign_RSA(pPrivateKey, pRsaKey); /* Takes ownership of pRsaKey. */
97 else
98 {
99 RSA_free(pRsaKey);
100 return RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new failed");
101 }
102# endif
103
104 /*
105 * Construct the certificate.
106 */
107 int rc = VINF_SUCCESS;
108 X509 *pNewCert = X509_new();
109 if (pNewCert)
110 {
111 int rcOssl;
112
113 /* Set to X509 version 1: */
114# if 0
115 if (fKeyUsage || fExtKeyUsage)
116 rcOssl = X509_set_version(pNewCert, RTCRX509TBSCERTIFICATE_V3);
117 else
118# endif
119 rcOssl = X509_set_version(pNewCert, RTCRX509TBSCERTIFICATE_V1);
120 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_version failed"));
121
122 /* Set the serial number to a random number in the 1 - 1G range: */
123 rcOssl = ASN1_INTEGER_set(X509_get_serialNumber(pNewCert), RTRandU32Ex(1, UINT32_MAX / 4));
124 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_version failed"));
125
126 /* The certificate is valid from now and the specifice number of seconds forwards: */
127# if OPENSSL_VERSION_NUMBER >= 0x1010000f
128 AssertStmt(X509_gmtime_adj(X509_getm_notBefore(pNewCert), 0),
129 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/before failed"));
130 AssertStmt(X509_gmtime_adj(X509_getm_notAfter(pNewCert), cSecsValidFor),
131 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/after failed"));
132# else
133 AssertStmt(X509_gmtime_adj(X509_get_notBefore(pNewCert), 0),
134 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/before failed"));
135 AssertStmt(X509_gmtime_adj(X509_get_notAfter(pNewCert), cSecsValidFor),
136 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/after failed"));
137# endif
138
139 /* Set the public key (part of the private): */
140 rcOssl = X509_set_pubkey(pNewCert, pPrivateKey);
141 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_pubkey failed"));
142
143# if 0
144 /* Set key usage. */
145 if (fKeyUsage)
146 {
147 }
148 /* Set extended key usage. */
149 if (fExtKeyUsage)
150 {
151 }
152# endif
153 /** @todo set other certificate attributes? */
154
155
156 /** @todo check what the subject name is... Offer way to specify it? */
157
158 /* Make it self signed: */
159 X509_NAME *pX509Name = X509_get_subject_name(pNewCert);
160 rcOssl = X509_NAME_add_entry_by_txt(pX509Name, "CN", MBSTRING_ASC, (unsigned char *) pvSubject, -1, -1, 0);
161 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_NAME_add_entry_by_txt failed"));
162 rcOssl = X509_set_issuer_name(pNewCert, pX509Name);
163 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_issuer_name failed"));
164
165 if (RT_SUCCESS(rc))
166 {
167 /*
168 * Sign the certificate.
169 */
170 rcOssl = X509_sign(pNewCert, pPrivateKey, pEvpDigest);
171 if (rcOssl > 0)
172 {
173 /*
174 * Write out the result to the two files.
175 */
176 /* The certificate (not security sensitive). */
177 BIO * const pCertBio = BIO_new(BIO_s_mem());
178 if (pCertBio)
179 {
180 rcOssl = PEM_write_bio_X509(pCertBio, pNewCert);
181 if (rcOssl > 0)
182 rc = rtCrOpenSslWriteMemBioToNewFile(pCertBio, pszCertFile, pErrInfo);
183 else
184 rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "PEM_write_bio_X509 failed");
185 BIO_free(pCertBio);
186 }
187 else
188 rc = VERR_NO_MEMORY;
189
190 if (RT_SUCCESS(rc))
191 {
192 /* The private key as plain text (security sensitive, thus last). */
193 BIO * const pPkBio = BIO_new(BIO_s_secmem());
194 if (pPkBio)
195 {
196 rcOssl = PEM_write_bio_PrivateKey(pPkBio, pPrivateKey,
197 NULL /*enc*/, NULL /*kstr*/, 0 /*klen*/, NULL /*cb*/, NULL /*u*/);
198 if (rcOssl > 0)
199 rc = rtCrOpenSslWriteMemBioToNewFile(pPkBio, pszPrivateKeyFile, pErrInfo);
200 else
201 rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "PEM_write_bio_PrivateKey failed");
202 BIO_free(pPkBio);
203 }
204 else
205 rc = VERR_NO_MEMORY;
206 if (RT_FAILURE(rc))
207 RTFileDelete(pszCertFile);
208 }
209 }
210 else
211 rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "X509_sign failed");
212 }
213
214 X509_free(pNewCert);
215 }
216 else
217 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "X509_new failed");
218
219 EVP_PKEY_free(pPrivateKey);
220 return rc;
221}
222
223#endif /* IPRT_WITH_OPENSSL */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette