Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 1 | /* |
| 2 | ** |
| 3 | ** Copyright 2009, The Android Open Source Project |
| 4 | ** |
| 5 | ** Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | ** you may not use this file except in compliance with the License. |
| 7 | ** You may obtain a copy of the License at |
| 8 | ** |
| 9 | ** http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | ** |
| 11 | ** Unless required by applicable law or agreed to in writing, software |
| 12 | ** distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | ** See the License for the specific language governing permissions and |
| 15 | ** limitations under the License. |
| 16 | */ |
| 17 | |
| 18 | #define LOG_TAG "CertTool" |
| 19 | |
| 20 | #include <stdio.h> |
| 21 | #include <openssl/engine.h> |
| 22 | #include <openssl/pem.h> |
| 23 | #include <openssl/pkcs12.h> |
| 24 | #include <openssl/rsa.h> |
| 25 | #include <openssl/x509v3.h> |
| 26 | #include <cutils/log.h> |
| 27 | |
| 28 | #include "cert.h" |
| 29 | |
| 30 | static PKEY_STORE pkey_store[KEYGEN_STORE_SIZE]; |
| 31 | static int store_index = 0; |
| 32 | |
| 33 | static char emsg[][30] = { |
| 34 | "", |
| 35 | STR(ERR_INVALID_KEY_LENGTH), |
| 36 | STR(ERR_CONSTRUCT_NEW_DATA), |
| 37 | STR(ERR_RSA_KEYGEN), |
| 38 | STR(ERR_X509_PROCESS), |
| 39 | STR(ERR_BIO_READ), |
| 40 | }; |
| 41 | |
| 42 | static void save_in_store(X509_REQ *req, EVP_PKEY *pkey) |
| 43 | { |
| 44 | EVP_PKEY *newpkey = EVP_PKEY_new(); |
| 45 | RSA *rsa = EVP_PKEY_get1_RSA(pkey); |
| 46 | EVP_PKEY_set1_RSA(newpkey, rsa); |
| 47 | PKEY_STORE_free(pkey_store[store_index]); |
| 48 | pkey_store[store_index].key_len = |
| 49 | i2d_X509_PUBKEY(req->req_info->pubkey, &pkey_store[store_index].public_key); |
| 50 | pkey_store[store_index++].pkey = newpkey; |
| 51 | store_index %= KEYGEN_STORE_SIZE; |
| 52 | RSA_free(rsa); |
| 53 | } |
| 54 | |
| 55 | static EVP_PKEY *get_pkey_from_store(X509 *cert) |
| 56 | { |
| 57 | int i, key_len; |
| 58 | unsigned char *buf = NULL; |
| 59 | if ((key_len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf)) == 0) { |
| 60 | return NULL; |
| 61 | } |
| 62 | for (i = 0 ; i < KEYGEN_STORE_SIZE ; ++i) { |
| 63 | if ((key_len == pkey_store[i].key_len) && |
| 64 | memcmp(buf, pkey_store[i].public_key, key_len) == 0) { |
| 65 | break; |
| 66 | } |
| 67 | } |
| 68 | free(buf); |
| 69 | return (i == KEYGEN_STORE_SIZE) ? NULL : pkey_store[i].pkey; |
| 70 | } |
| 71 | |
| 72 | int gen_csr(int bits, const char *organizations, char reply[REPLY_MAX]) |
| 73 | { |
| 74 | int len, ret_code = 0; |
| 75 | BIGNUM *bn = NULL; |
| 76 | BIO *bio = NULL; |
| 77 | EVP_PKEY *pkey = NULL; |
| 78 | RSA *rsa = NULL; |
| 79 | X509_REQ *req = NULL; |
| 80 | X509_NAME *name = NULL; |
| 81 | |
| 82 | if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err; |
| 83 | |
| 84 | if ((bits != KEYLENGTH_MEDIUM) && (bits != KEYLENGTH_MAXIMUM)) { |
| 85 | ret_code = ERR_INVALID_KEY_LENGTH; |
| 86 | goto err; |
| 87 | } |
| 88 | |
| 89 | if (((pkey = EVP_PKEY_new()) == NULL) || |
| 90 | ((req = X509_REQ_new()) == NULL) || |
| 91 | ((rsa = RSA_new()) == NULL) || ((bn = BN_new()) == NULL)) { |
| 92 | ret_code = ERR_CONSTRUCT_NEW_DATA; |
| 93 | goto err; |
| 94 | } |
| 95 | |
| 96 | if (!BN_set_word(bn, RSA_F4) || |
| 97 | !RSA_generate_key_ex(rsa, bits, bn, NULL) || |
| 98 | !EVP_PKEY_assign_RSA(pkey, rsa)) { |
| 99 | ret_code = ERR_RSA_KEYGEN; |
| 100 | goto err; |
| 101 | } |
| 102 | |
| 103 | // rsa will be part of the req, it will be freed in X509_REQ_free(req) |
| 104 | rsa = NULL; |
| 105 | |
| 106 | X509_REQ_set_pubkey(req, pkey); |
| 107 | name = X509_REQ_get_subject_name(req); |
| 108 | |
| 109 | X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, |
| 110 | (const unsigned char *)"US", -1, -1, 0); |
| 111 | X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, |
| 112 | (const unsigned char *) ANDROID_KEYSTORE, |
| 113 | -1, -1, 0); |
| 114 | X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, |
| 115 | (const unsigned char *)organizations, -1, -1, 0); |
| 116 | |
| 117 | if (!X509_REQ_sign(req, pkey, EVP_md5()) || |
| 118 | (PEM_write_bio_X509_REQ(bio, req) <= 0)) { |
| 119 | ret_code = ERR_X509_PROCESS; |
| 120 | goto err; |
| 121 | } |
| 122 | if ((len = BIO_read(bio, reply, REPLY_MAX - 1)) > 0) { |
| 123 | reply[len] = 0; |
| 124 | save_in_store(req, pkey); |
| 125 | } else { |
| 126 | ret_code = ERR_BIO_READ; |
| 127 | } |
| 128 | |
| 129 | err: |
| 130 | if (rsa) RSA_free(rsa); |
| 131 | if (bn) BN_free(bn); |
| 132 | if (req) X509_REQ_free(req); |
| 133 | if (pkey) EVP_PKEY_free(pkey); |
| 134 | if (bio) BIO_free(bio); |
| 135 | if ((ret_code > 0) && (ret_code < ERR_MAXIMUM)) LOGE(emsg[ret_code]); |
| 136 | return ret_code; |
| 137 | } |
| 138 | |
Chung-yih Wang | c9c119e | 2009-07-16 19:54:33 +0800 | [diff] [blame^] | 139 | PKCS12 *get_p12_handle(const char *buf, int bufLen) |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 140 | { |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 141 | BIO *bp = NULL; |
| 142 | PKCS12 *p12 = NULL; |
| 143 | |
Chung-yih Wang | c9c119e | 2009-07-16 19:54:33 +0800 | [diff] [blame^] | 144 | if (!buf || (bufLen < 1) || (buf[0] != 48)) goto err; |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 145 | |
Chung-yih Wang | bf20b99 | 2009-07-02 23:42:12 +0800 | [diff] [blame] | 146 | bp = BIO_new(BIO_s_mem()); |
| 147 | if (!bp) goto err; |
| 148 | |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 149 | if (!BIO_write(bp, buf, bufLen)) goto err; |
| 150 | |
Chung-yih Wang | c9c119e | 2009-07-16 19:54:33 +0800 | [diff] [blame^] | 151 | p12 = d2i_PKCS12_bio(bp, NULL); |
| 152 | |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 153 | err: |
| 154 | if (bp) BIO_free(bp); |
Chung-yih Wang | c9c119e | 2009-07-16 19:54:33 +0800 | [diff] [blame^] | 155 | return p12; |
| 156 | } |
| 157 | |
| 158 | PKCS12_KEYSTORE *get_pkcs12_keystore_handle(const char *buf, int bufLen, |
| 159 | const char *passwd) |
| 160 | { |
| 161 | PKCS12_KEYSTORE *p12store = NULL; |
| 162 | EVP_PKEY *pkey = NULL; |
| 163 | X509 *cert = NULL; |
| 164 | STACK_OF(X509) *certs = NULL; |
| 165 | PKCS12 *p12 = get_p12_handle(buf, bufLen); |
| 166 | |
| 167 | if (p12 == NULL) return NULL; |
| 168 | if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) { |
| 169 | LOGE("Can not parse PKCS12 content"); |
| 170 | PKCS12_free(p12); |
| 171 | return NULL; |
| 172 | } |
| 173 | if ((p12store = malloc(sizeof(PKCS12_KEYSTORE))) == NULL) { |
| 174 | if (cert) X509_free(cert); |
| 175 | if (pkey) EVP_PKEY_free(pkey); |
| 176 | if (certs) sk_X509_free(certs); |
| 177 | } |
| 178 | p12store->p12 = p12; |
| 179 | p12store->pkey = pkey; |
| 180 | p12store->cert = cert; |
| 181 | p12store->certs = certs; |
| 182 | return p12store; |
| 183 | } |
| 184 | |
| 185 | void free_pkcs12_keystore(PKCS12_KEYSTORE *p12store) |
| 186 | { |
| 187 | if (p12store != NULL) { |
| 188 | if (p12store->cert) X509_free(p12store->cert); |
| 189 | if (p12store->pkey) EVP_PKEY_free(p12store->pkey); |
| 190 | if (p12store->certs) sk_X509_free(p12store->certs); |
| 191 | free(p12store); |
| 192 | } |
| 193 | } |
| 194 | |
| 195 | int is_pkcs12(const char *buf, int bufLen) |
| 196 | { |
| 197 | int ret = 0; |
| 198 | PKCS12 *p12 = get_p12_handle(buf, bufLen); |
| 199 | if (p12 != NULL) ret = 1; |
| 200 | PKCS12_free(p12); |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 201 | return ret; |
| 202 | } |
| 203 | |
Chung-yih Wang | c9c119e | 2009-07-16 19:54:33 +0800 | [diff] [blame^] | 204 | static int convert_to_pem(void *data, int is_cert, char *buf, int size) |
| 205 | { |
| 206 | int len = 0; |
| 207 | BIO *bio = NULL; |
| 208 | |
| 209 | if (data == NULL) return -1; |
| 210 | |
| 211 | if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err; |
| 212 | if (is_cert) { |
| 213 | if ((len = PEM_write_bio_X509(bio, (X509*)data)) == 0) { |
| 214 | goto err; |
| 215 | } |
| 216 | } else { |
| 217 | if ((len = PEM_write_bio_PrivateKey(bio, (EVP_PKEY *)data, NULL, |
| 218 | NULL, 0, NULL, NULL)) == 0) { |
| 219 | goto err; |
| 220 | } |
| 221 | } |
| 222 | if (len < size && (len = BIO_read(bio, buf, size - 1)) > 0) { |
| 223 | buf[len] = 0; |
| 224 | } |
| 225 | err: |
| 226 | if (bio) BIO_free(bio); |
| 227 | return (len == 0) ? -1 : 0; |
| 228 | } |
| 229 | |
| 230 | int get_pkcs12_certificate(PKCS12_KEYSTORE *p12store, char *buf, int size) |
| 231 | { |
| 232 | if ((p12store != NULL) && (p12store->cert != NULL)) { |
| 233 | return convert_to_pem((void*)p12store->cert, 1, buf, size); |
| 234 | } |
| 235 | return -1; |
| 236 | } |
| 237 | |
| 238 | int get_pkcs12_private_key(PKCS12_KEYSTORE *p12store, char *buf, int size) |
| 239 | { |
| 240 | if ((p12store != NULL) && (p12store->pkey != NULL)) { |
| 241 | return convert_to_pem((void*)p12store->pkey, 0, buf, size); |
| 242 | } |
| 243 | return -1; |
| 244 | } |
| 245 | |
| 246 | int pop_pkcs12_certs_stack(PKCS12_KEYSTORE *p12store, char *buf, int size) |
| 247 | { |
| 248 | X509 *cert = NULL; |
| 249 | |
| 250 | if ((p12store != NULL) && (p12store->certs != NULL) && |
| 251 | ((cert = sk_X509_pop(p12store->certs)) != NULL)) { |
| 252 | int ret = convert_to_pem((void*)cert, 1, buf, size); |
| 253 | X509_free(cert); |
| 254 | return ret; |
| 255 | } |
| 256 | return -1; |
| 257 | } |
| 258 | |
Chung-yih Wang | eec1182 | 2009-07-02 00:22:04 +0800 | [diff] [blame] | 259 | X509* parse_cert(const char *buf, int bufLen) |
| 260 | { |
| 261 | X509 *cert = NULL; |
| 262 | BIO *bp = NULL; |
| 263 | |
| 264 | if(!buf || bufLen < 1) |
| 265 | return NULL; |
| 266 | |
| 267 | bp = BIO_new(BIO_s_mem()); |
| 268 | if (!bp) goto err; |
| 269 | |
| 270 | if (!BIO_write(bp, buf, bufLen)) goto err; |
| 271 | |
| 272 | cert = PEM_read_bio_X509(bp, NULL, NULL, NULL); |
| 273 | if (!cert) { |
| 274 | BIO_free(bp); |
| 275 | if((bp = BIO_new(BIO_s_mem())) == NULL) goto err; |
| 276 | |
| 277 | if(!BIO_write(bp, (char *) buf, bufLen)) goto err; |
| 278 | cert = d2i_X509_bio(bp, NULL); |
| 279 | } |
| 280 | |
| 281 | err: |
| 282 | if (bp) BIO_free(bp); |
| 283 | return cert; |
| 284 | } |
| 285 | |
| 286 | static int get_distinct_name(X509_NAME *dname, char *buf, int size) |
| 287 | { |
| 288 | int i, len; |
| 289 | char *p, *name; |
| 290 | |
| 291 | if (X509_NAME_oneline(dname, buf, size) == NULL) { |
| 292 | return -1; |
| 293 | } |
| 294 | name = strstr(buf, "/CN="); |
| 295 | p = name = name ? (name + 4) : buf; |
| 296 | while (*p != 0) { |
| 297 | if (*p == ' ') *p = '_'; |
| 298 | if (*p == '/') { |
| 299 | *p = 0; |
| 300 | break; |
| 301 | } |
| 302 | ++p; |
| 303 | } |
| 304 | return 0; |
| 305 | } |
| 306 | |
| 307 | int get_cert_name(X509 *cert, char *buf, int size) |
| 308 | { |
| 309 | if (!cert) return -1; |
| 310 | return get_distinct_name(X509_get_subject_name(cert), buf, size); |
| 311 | } |
| 312 | |
| 313 | int get_issuer_name(X509 *cert, char *buf, int size) |
| 314 | { |
| 315 | if (!cert) return -1; |
| 316 | return get_distinct_name(X509_get_issuer_name(cert), buf, size); |
| 317 | } |
| 318 | |
| 319 | int is_ca_cert(X509 *cert) |
| 320 | { |
| 321 | int ret = 0; |
| 322 | BASIC_CONSTRAINTS *bs = (BASIC_CONSTRAINTS *) |
| 323 | X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL); |
| 324 | if (bs != NULL) ret = bs->ca; |
| 325 | if (bs) BASIC_CONSTRAINTS_free(bs); |
| 326 | return ret; |
| 327 | } |
| 328 | |
| 329 | int get_private_key_pem(X509 *cert, char *buf, int size) |
| 330 | { |
| 331 | int len = 0; |
| 332 | BIO *bio = NULL; |
| 333 | EVP_PKEY *pkey = get_pkey_from_store(cert); |
| 334 | |
| 335 | if (pkey == NULL) return -1; |
| 336 | |
| 337 | bio = BIO_new(BIO_s_mem()); |
| 338 | if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err; |
| 339 | if (!PEM_write_bio_PrivateKey(bio, pkey, NULL,NULL,0,NULL, NULL)) { |
| 340 | goto err; |
| 341 | } |
| 342 | if ((len = BIO_read(bio, buf, size - 1)) > 0) { |
| 343 | buf[len] = 0; |
| 344 | } |
| 345 | err: |
| 346 | if (bio) BIO_free(bio); |
| 347 | return (len == 0) ? -1 : 0; |
| 348 | } |