VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-create-sign.cpp@ 104757

Last change on this file since 104757 was 104757, checked in by vboxsync, 6 months ago

IPRT: RTCrX509Certificate_GenerateSelfSignedRsa build fix for OpenSSL 1.0.x. [2nd try] bugref:10310

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 8.7 KB
Line 
1/* $Id: x509-create-sign.cpp 104757 2024-05-22 12:14:16Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Certificate Creation.
4 */
5
6/*
7 * Copyright (C) 2024 Oracle and/or its affiliates.
8 *
9 * This file is part of VirtualBox base platform packages, as
10 * available from https://www.virtualbox.org.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation, in version 3 of the
15 * License.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <https://www.gnu.org/licenses>.
24 *
25 * The contents of this file may alternatively be used under the terms
26 * of the Common Development and Distribution License Version 1.0
27 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28 * in the VirtualBox distribution, in which case the provisions of the
29 * CDDL are applicable instead of those of the GPL.
30 *
31 * You may elect to license modified versions of this file under the
32 * terms and conditions of either the GPL or the CDDL or both.
33 *
34 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35 */
36
37
38/*********************************************************************************************************************************
39* Header Files *
40*********************************************************************************************************************************/
41#include "internal/iprt.h"
42#include <iprt/crypto/x509.h>
43
44#ifdef IPRT_WITH_OPENSSL
45# include <iprt/err.h>
46# include <iprt/file.h>
47# include <iprt/rand.h>
48
49# include "internal/iprt-openssl.h"
50# include "internal/openssl-pre.h"
51# include <openssl/evp.h>
52# include <openssl/pem.h>
53# include <openssl/x509.h>
54# include <openssl/bio.h>
55# include "internal/openssl-post.h"
56
57# if OPENSSL_VERSION_NUMBER < 0x1010000f
58# define BIO_s_secmem BIO_s_mem
59# endif
60
61
62
63RTDECL(int) RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE enmDigestType, uint32_t cBits, uint32_t cSecsValidFor,
64 uint32_t fKeyUsage, uint64_t fExtKeyUsage, void *pvSubjectTodo,
65 const char *pszCertFile, const char *pszPrivateKeyFile, PRTERRINFO pErrInfo)
66{
67 AssertReturn(cSecsValidFor <= (uint32_t)INT32_MAX, VERR_OUT_OF_RANGE); /* larger values are not portable (win) */
68 AssertReturn(!fKeyUsage, VERR_NOT_IMPLEMENTED);
69 AssertReturn(!fExtKeyUsage, VERR_NOT_IMPLEMENTED);
70 AssertReturn(pvSubjectTodo == NULL, VERR_NOT_IMPLEMENTED);
71
72 /*
73 * Translate enmDigestType.
74 */
75 const EVP_MD * const pEvpDigest = (const EVP_MD *)rtCrOpenSslConvertDigestType(enmDigestType, pErrInfo);
76 AssertReturn(pEvpDigest, pErrInfo ? pErrInfo->rc : VERR_CR_DIGEST_NOT_SUPPORTED);
77
78 /*
79 * Create a new RSA private key.
80 */
81# if OPENSSL_VERSION_NUMBER >= 0x30000000 /* RSA_generate_key is depreated in v3 */
82 EVP_PKEY * const pPrivateKey = EVP_RSA_gen(cBits);
83 if (!pPrivateKey)
84 return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "EVP_RSA_gen(%u) failed", cBits);
85# else
86 RSA * const pRsaKey = RSA_generate_key(
87 cBits, /* Number of bits for the key */
88 RSA_F4, /* Exponent - RSA_F4 is defined as 0x10001L */
89 NULL, /* Callback */
90 NULL /* Callback argument */
91 );
92 if (!pRsaKey)
93 return RTErrInfoSetF(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "RSA_generate_key(%u,RSA_F4,,) failed", cBits);
94
95 EVP_PKEY * const pPrivateKey = EVP_PKEY_new();
96 if (pPrivateKey)
97 EVP_PKEY_assign_RSA(pPrivateKey, pRsaKey); /* Takes ownership of pRsaKey. */
98 else
99 {
100 RSA_free(pRsaKey);
101 return RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new failed");
102 }
103# endif
104
105 /*
106 * Construct the certificate.
107 */
108 int rc = VINF_SUCCESS;
109 X509 *pNewCert = X509_new();
110 if (pNewCert)
111 {
112 int rcOssl;
113
114 /* Set to X509 version 1: */
115# if 0
116 if (fKeyUsage || fExtKeyUsage)
117 rcOssl = X509_set_version(pNewCert, RTCRX509TBSCERTIFICATE_V3);
118 else
119# endif
120 rcOssl = X509_set_version(pNewCert, RTCRX509TBSCERTIFICATE_V1);
121 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_version failed"));
122
123 /* Set the serial number to a random number in the 1 - 1G range: */
124 rcOssl = ASN1_INTEGER_set(X509_get_serialNumber(pNewCert), RTRandU32Ex(1, UINT32_MAX / 4));
125 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_version failed"));
126
127 /* The certificate is valid from now and the specifice number of seconds forwards: */
128# if OPENSSL_VERSION_NUMBER >= 0x1010000f
129 AssertStmt(X509_gmtime_adj(X509_getm_notBefore(pNewCert), 0),
130 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/before failed"));
131 AssertStmt(X509_gmtime_adj(X509_getm_notAfter(pNewCert), cSecsValidFor),
132 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/after failed"));
133# else
134 AssertStmt(X509_gmtime_adj(X509_get_notBefore(pNewCert), 0),
135 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/before failed"));
136 AssertStmt(X509_gmtime_adj(X509_get_notAfter(pNewCert), cSecsValidFor),
137 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_gmtime_adj/after failed"));
138# endif
139
140 /* Set the public key (part of the private): */
141 rcOssl = X509_set_pubkey(pNewCert, pPrivateKey);
142 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_pubkey failed"));
143
144# if 0
145 /* Set key usage. */
146 if (fKeyUsage)
147 {
148 }
149 /* Set extended key usage. */
150 if (fExtKeyUsage)
151 {
152 }
153# endif
154 /** @todo set other certificate attributes? */
155
156
157 /** @todo check what the subject name is... Offer way to specify it? */
158
159 /* Make it self signed: */
160 X509_NAME *pX509Name = X509_get_subject_name(pNewCert);
161 rcOssl = X509_set_issuer_name(pNewCert, pX509Name);
162 AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_issuer_name failed"));
163
164 if (RT_SUCCESS(rc))
165 {
166 /*
167 * Sign the certificate.
168 */
169 rcOssl = X509_sign(pNewCert, pPrivateKey, pEvpDigest);
170 if (rcOssl > 0)
171 {
172 /*
173 * Write out the result to the two files.
174 */
175 /* The certificate (not security sensitive). */
176 BIO * const pCertBio = BIO_new(BIO_s_mem());
177 if (pCertBio)
178 {
179 rcOssl = PEM_write_bio_X509(pCertBio, pNewCert);
180 if (rcOssl > 0)
181 rc = rtCrOpenSslWriteMemBioToNewFile(pCertBio, pszCertFile, pErrInfo);
182 else
183 rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "PEM_write_bio_X509 failed");
184 BIO_free(pCertBio);
185 }
186 else
187 rc = VERR_NO_MEMORY;
188
189 if (RT_SUCCESS(rc))
190 {
191 /* The private key as plain text (security sensitive, thus last). */
192 BIO * const pPkBio = BIO_new(BIO_s_secmem());
193 if (pPkBio)
194 {
195 rcOssl = PEM_write_bio_PrivateKey(pPkBio, pPrivateKey,
196 NULL /*enc*/, NULL /*kstr*/, 0 /*klen*/, NULL /*cb*/, NULL /*u*/);
197 if (rcOssl > 0)
198 rc = rtCrOpenSslWriteMemBioToNewFile(pPkBio, pszPrivateKeyFile, pErrInfo);
199 else
200 rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "PEM_write_bio_PrivateKey failed");
201 BIO_free(pPkBio);
202 }
203 else
204 rc = VERR_NO_MEMORY;
205 if (RT_FAILURE(rc))
206 RTFileDelete(pszCertFile);
207 }
208 }
209 else
210 rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_GEN_FAILED_RSA, "X509_sign failed");
211 }
212
213 X509_free(pNewCert);
214 }
215 else
216 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "X509_new failed");
217
218 EVP_PKEY_free(pPrivateKey);
219 return rc;
220}
221
222#endif /* IPRT_WITH_OPENSSL */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette