Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 09960230bf3d46ec1e7cbcfd8b07dfe007b9fa96 / . / keystore / jni / cert.c
blob: d5d57f7f146e5101935b852449ed93c0a88757f8 [file] [log] [blame]
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]1/*
2**
3** Copyright 2009, The Android Open Source Project
4**
5** Licensed under the Apache License, Version 2.0 (the "License");
6** you may not use this file except in compliance with the License.
7** You may obtain a copy of the License at
8**
9** http://www.apache.org/licenses/LICENSE-2.0
10**
11** Unless required by applicable law or agreed to in writing, software
12** distributed under the License is distributed on an "AS IS" BASIS,
13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14** See the License for the specific language governing permissions and
15** limitations under the License.
16*/
17
18#define LOG_TAG "CertTool"
19
20#include <stdio.h>
21#include <openssl/engine.h>
22#include <openssl/pem.h>
23#include <openssl/pkcs12.h>
24#include <openssl/rsa.h>
25#include <openssl/x509v3.h>
26#include <cutils/log.h>
27
28#include "cert.h"
29
30static PKEY_STORE pkey_store[KEYGEN_STORE_SIZE];
31static int store_index = 0;
32
33static char emsg[][30] = {
34 "",
35 STR(ERR_INVALID_KEY_LENGTH),
36 STR(ERR_CONSTRUCT_NEW_DATA),
37 STR(ERR_RSA_KEYGEN),
38 STR(ERR_X509_PROCESS),
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]39 STR(ERR_SPKAC_TOO_LONG),
40 STR(ERR_INVALID_ARGS),
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]41};
42
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]43static void save_in_store(EVP_PKEY *pkey)
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]44{
45 EVP_PKEY *newpkey = EVP_PKEY_new();
46 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
47 EVP_PKEY_set1_RSA(newpkey, rsa);
48 PKEY_STORE_free(pkey_store[store_index]);
Chung-yih Wangfd3db872009-07-28 18:37:13 +0800[diff] [blame]49 pkey_store[store_index].key_len = i2d_RSA_PUBKEY(rsa, &pkey_store[store_index].public_key);
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]50 pkey_store[store_index++].pkey = newpkey;
51 store_index %= KEYGEN_STORE_SIZE;
52 RSA_free(rsa);
53}
54
55static EVP_PKEY *get_pkey_from_store(X509 *cert)
56{
57 int i, key_len;
58 unsigned char *buf = NULL;
59 if ((key_len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf)) == 0) {
60 return NULL;
61 }
62 for (i = 0 ; i < KEYGEN_STORE_SIZE ; ++i) {
63 if ((key_len == pkey_store[i].key_len) &&
64 memcmp(buf, pkey_store[i].public_key, key_len) == 0) {
65 break;
66 }
67 }
68 free(buf);
69 return (i == KEYGEN_STORE_SIZE) ? NULL : pkey_store[i].pkey;
70}
71
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]72int gen_csr(int bits, const char *challenge, char reply[REPLY_MAX])
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]73{
74 int len, ret_code = 0;
75 BIGNUM *bn = NULL;
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]76 char *spkstr = NULL;
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]77 EVP_PKEY *pkey = NULL;
78 RSA *rsa = NULL;
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]79 NETSCAPE_SPKI *req = NULL;
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]80
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]81 if (challenge == NULL) {
82 ret_code = ERR_INVALID_ARGS;
83 goto err;
84 }
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]85
86 if ((bits != KEYLENGTH_MEDIUM) && (bits != KEYLENGTH_MAXIMUM)) {
87 ret_code = ERR_INVALID_KEY_LENGTH;
88 goto err;
89 }
90
91 if (((pkey = EVP_PKEY_new()) == NULL) ||
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]92 ((req = NETSCAPE_SPKI_new()) == NULL) ||
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]93 ((rsa = RSA_new()) == NULL) || ((bn = BN_new()) == NULL)) {
94 ret_code = ERR_CONSTRUCT_NEW_DATA;
95 goto err;
96 }
97
98 if (!BN_set_word(bn, RSA_F4) ||
99 !RSA_generate_key_ex(rsa, bits, bn, NULL) ||
100 !EVP_PKEY_assign_RSA(pkey, rsa)) {
101 ret_code = ERR_RSA_KEYGEN;
102 goto err;
103 }
104
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]105 rsa = NULL;
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]106 ASN1_STRING_set(req->spkac->challenge, challenge, (int)strlen(challenge));
107 NETSCAPE_SPKI_set_pubkey(req, pkey);
108 NETSCAPE_SPKI_sign(req, pkey, EVP_md5());
109 spkstr = NETSCAPE_SPKI_b64_encode(req);
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]110
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]111 if ((strlcpy(reply, spkstr, REPLY_MAX)) < REPLY_MAX) {
112 save_in_store(pkey);
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]113 } else {
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]114 ret_code = ERR_SPKAC_TOO_LONG;
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]115 }
116
117err:
118 if (rsa) RSA_free(rsa);
119 if (bn) BN_free(bn);
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]120 if (req) NETSCAPE_SPKI_free(req);
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]121 if (pkey) EVP_PKEY_free(pkey);
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]122 if (spkstr) OPENSSL_free(spkstr);
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]123 if ((ret_code > 0) && (ret_code < ERR_MAXIMUM)) LOGE(emsg[ret_code]);
Chung-yih Wang719eba52009-07-24 11:33:45 +0800[diff] [blame]124 return -ret_code;
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]125}
126
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]127PKCS12 *get_p12_handle(const char *buf, int bufLen)
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]128{
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]129 BIO *bp = NULL;
130 PKCS12 *p12 = NULL;
131
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]132 if (!buf || (bufLen < 1) || (buf[0] != 48)) goto err;
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]133
Chung-yih Wangbf20b992009-07-02 23:42:12 +0800[diff] [blame]134 bp = BIO_new(BIO_s_mem());
135 if (!bp) goto err;
136
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]137 if (!BIO_write(bp, buf, bufLen)) goto err;
138
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]139 p12 = d2i_PKCS12_bio(bp, NULL);
140
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]141err:
142 if (bp) BIO_free(bp);
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]143 return p12;
144}
145
146PKCS12_KEYSTORE *get_pkcs12_keystore_handle(const char *buf, int bufLen,
147 const char *passwd)
148{
149 PKCS12_KEYSTORE *p12store = NULL;
150 EVP_PKEY *pkey = NULL;
151 X509 *cert = NULL;
152 STACK_OF(X509) *certs = NULL;
153 PKCS12 *p12 = get_p12_handle(buf, bufLen);
154
155 if (p12 == NULL) return NULL;
156 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) {
157 LOGE("Can not parse PKCS12 content");
158 PKCS12_free(p12);
159 return NULL;
160 }
161 if ((p12store = malloc(sizeof(PKCS12_KEYSTORE))) == NULL) {
162 if (cert) X509_free(cert);
163 if (pkey) EVP_PKEY_free(pkey);
164 if (certs) sk_X509_free(certs);
165 }
166 p12store->p12 = p12;
167 p12store->pkey = pkey;
168 p12store->cert = cert;
169 p12store->certs = certs;
170 return p12store;
171}
172
173void free_pkcs12_keystore(PKCS12_KEYSTORE *p12store)
174{
175 if (p12store != NULL) {
176 if (p12store->cert) X509_free(p12store->cert);
177 if (p12store->pkey) EVP_PKEY_free(p12store->pkey);
178 if (p12store->certs) sk_X509_free(p12store->certs);
179 free(p12store);
180 }
181}
182
183int is_pkcs12(const char *buf, int bufLen)
184{
185 int ret = 0;
186 PKCS12 *p12 = get_p12_handle(buf, bufLen);
187 if (p12 != NULL) ret = 1;
188 PKCS12_free(p12);
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]189 return ret;
190}
191
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]192static int convert_to_pem(void *data, int is_cert, char *buf, int size)
193{
194 int len = 0;
195 BIO *bio = NULL;
196
197 if (data == NULL) return -1;
198
199 if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err;
200 if (is_cert) {
201 if ((len = PEM_write_bio_X509(bio, (X509*)data)) == 0) {
202 goto err;
203 }
204 } else {
205 if ((len = PEM_write_bio_PrivateKey(bio, (EVP_PKEY *)data, NULL,
206 NULL, 0, NULL, NULL)) == 0) {
207 goto err;
208 }
209 }
210 if (len < size && (len = BIO_read(bio, buf, size - 1)) > 0) {
211 buf[len] = 0;
212 }
213err:
214 if (bio) BIO_free(bio);
Chung-yih Wang09960232009-09-01 16:45:13 +0800[diff] [blame^]215 return len;
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]216}
217
218int get_pkcs12_certificate(PKCS12_KEYSTORE *p12store, char *buf, int size)
219{
220 if ((p12store != NULL) && (p12store->cert != NULL)) {
Chung-yih Wang09960232009-09-01 16:45:13 +0800[diff] [blame^]221 int len = convert_to_pem((void*)p12store->cert, 1, buf, size);
222 return (len == 0) ? -1 : 0;
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]223 }
224 return -1;
225}
226
227int get_pkcs12_private_key(PKCS12_KEYSTORE *p12store, char *buf, int size)
228{
229 if ((p12store != NULL) && (p12store->pkey != NULL)) {
Chung-yih Wang09960232009-09-01 16:45:13 +0800[diff] [blame^]230 int len = convert_to_pem((void*)p12store->pkey, 0, buf, size);
231 return (len == 0) ? -1 : 0;
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]232 }
233 return -1;
234}
235
236int pop_pkcs12_certs_stack(PKCS12_KEYSTORE *p12store, char *buf, int size)
237{
238 X509 *cert = NULL;
Chung-yih Wang09960232009-09-01 16:45:13 +0800[diff] [blame^]239 int len = 0;
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]240
Chung-yih Wang09960232009-09-01 16:45:13 +0800[diff] [blame^]241 if ((p12store != NULL) && (p12store->certs != NULL)) {
242 while (((cert = sk_X509_pop(p12store->certs)) != NULL) && (len < size)) {
243 int s = convert_to_pem((void*)cert, 1, buf + len, size - len);
244 if (s == 0) return -1;
245 len += s;
246 X509_free(cert);
247 }
248 return (len == 0) ? -1 : 0;
Chung-yih Wangc9c119e2009-07-16 19:54:33 +0800[diff] [blame]249 }
250 return -1;
251}
252
Chung-yih Wangeec11822009-07-02 00:22:04 +0800[diff] [blame]253X509* parse_cert(const char *buf, int bufLen)
254{
255 X509 *cert = NULL;
256 BIO *bp = NULL;
257
258 if(!buf || bufLen < 1)
259 return NULL;
260
261 bp = BIO_new(BIO_s_mem());
262 if (!bp) goto err;
263
264 if (!BIO_write(bp, buf, bufLen)) goto err;
265
266 cert = PEM_read_bio_X509(bp, NULL, NULL, NULL);
267 if (!cert) {
268 BIO_free(bp);
269 if((bp = BIO_new(BIO_s_mem())) == NULL) goto err;
270
271 if(!BIO_write(bp, (char *) buf, bufLen)) goto err;
272 cert = d2i_X509_bio(bp, NULL);
273 }
274
275err:
276 if (bp) BIO_free(bp);
277 return cert;
278}
279
280static int get_distinct_name(X509_NAME *dname, char *buf, int size)
281{
282 int i, len;
283 char *p, *name;
284
285 if (X509_NAME_oneline(dname, buf, size) == NULL) {
286 return -1;
287 }
288 name = strstr(buf, "/CN=");
289 p = name = name ? (name + 4) : buf;
290 while (*p != 0) {
291 if (*p == ' ') *p = '_';
292 if (*p == '/') {
293 *p = 0;
294 break;
295 }
296 ++p;
297 }
298 return 0;
299}
300
301int get_cert_name(X509 *cert, char *buf, int size)
302{
303 if (!cert) return -1;
304 return get_distinct_name(X509_get_subject_name(cert), buf, size);
305}
306
307int get_issuer_name(X509 *cert, char *buf, int size)
308{
309 if (!cert) return -1;
310 return get_distinct_name(X509_get_issuer_name(cert), buf, size);
311}
312
313int is_ca_cert(X509 *cert)
314{
315 int ret = 0;
316 BASIC_CONSTRAINTS *bs = (BASIC_CONSTRAINTS *)
317 X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL);
318 if (bs != NULL) ret = bs->ca;
319 if (bs) BASIC_CONSTRAINTS_free(bs);
320 return ret;
321}
322
323int get_private_key_pem(X509 *cert, char *buf, int size)
324{
325 int len = 0;
326 BIO *bio = NULL;
327 EVP_PKEY *pkey = get_pkey_from_store(cert);
328
329 if (pkey == NULL) return -1;
330
331 bio = BIO_new(BIO_s_mem());
332 if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err;
333 if (!PEM_write_bio_PrivateKey(bio, pkey, NULL,NULL,0,NULL, NULL)) {
334 goto err;
335 }
336 if ((len = BIO_read(bio, buf, size - 1)) > 0) {
337 buf[len] = 0;
338 }
339err:
340 if (bio) BIO_free(bio);
341 return (len == 0) ? -1 : 0;
342}