Главная Обзор Помощь
Регистрация Вход
OpenWrt
/
openwrt
зеркало из https://github.com/openwrt/openwrt.git
2
0
Ответвить 0
Файлы Задачи 0 Вики
Просмотр исходного кода

px5g-mbedtls: add subjectAltName and extendedKeyUsage to SSL certs

To better acommodate with the current browsers' requirements, also
self-signed certificates should have subjectAltName and
extendedKeyUsage defined in the self-signed x509 SSL certificates.

The following case sensitive options are now possible:
-addext subjectAltName=DNS:...
-addext subjectAltName=EMAIL:...
-addext subjectAltName=IP:...
-addext subjectAltName=URI:...
-addext extendedKeyUsage=serverAuth OR -addext extendedKeyUsage=any

Initial draft by Paul Donald <[email protected]>

Signed-off-by: Hannu Nyman <[email protected]>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <[email protected]>
Hannu Nyman 1 год назад
Родитель
ccc06f6716
Сommit
efca89daef
2 измененных файлов с 67 добавлено и 2 удалено
Разделённый вид Показать статистику Diff
  1. 1 1
      package/utils/px5g-mbedtls/Makefile
  2. 66 1
      package/utils/px5g-mbedtls/px5g-mbedtls.c

+ 1 - 1
package/utils/px5g-mbedtls/Makefile
Просмотреть файл 

@@ -8,7 +8,7 @@
 
 include $(TOPDIR)/rules.mk
 
 
 PKG_NAME:=px5g-mbedtls
 
-PKG_RELEASE:=10
 
+PKG_RELEASE:=11
 
 PKG_LICENSE:=LGPL-2.1
 
 
 PKG_BUILD_FLAGS:=no-mips16

+ 66 - 1
package/utils/px5g-mbedtls/px5g-mbedtls.c
Просмотреть файл 

@@ -38,8 +38,13 @@
 
 #include <mbedtls/ecp.h>
 
 #include <mbedtls/rsa.h>
 
 #include <mbedtls/pk.h>
 
+#include <mbedtls/asn1.h>
 
+#include <mbedtls/oid.h>
 
 
-#define PX5G_VERSION "0.2"
 
+#define SET_OID(x, oid) \
 
+	do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0)
 
+
 
+#define PX5G_VERSION "0.3"
 
 #define PX5G_COPY "Copyright (c) 2009 Steven Barth <[email protected]>"
 
 #define PX5G_LICENSE "Licensed under the GNU Lesser General Public License v2.1"
 
 
@@ -193,6 +198,16 @@ int selfsigned(char **arg)
 
 	mbedtls_pk_context key;
 
 	mbedtls_x509write_cert cert;
 
 	mbedtls_mpi serial;
 
+	mbedtls_x509_san_list *san_list = NULL, *san_prev = NULL, *san_cur = NULL;
 
+	/*support
 
+	- MBEDTLS_X509_SAN_DNS_NAME
 
+	- MBEDTLS_X509_SAN_IP_ADDRESS
 
+	- MBEDTLS_X509_SAN_RFC822_NAME
 
+	- MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER
 
+	*/
 
+	mbedtls_asn1_sequence *eku = NULL, *ext_key_usage = NULL;
 
+	char *sanval, *santype;
 
+	uint8_t ipaddr[16] = { 0 };
 
 
 	char *subject = "";
 
 	unsigned int ksize = 512;
 
@@ -267,8 +282,56 @@ int selfsigned(char **arg)
 
 				oldc = delim + 1;
 
 			} while(*delim);
 
 			arg++;
 
+		} else if (!strcmp(*arg, "-addext") && arg[1]) {
 
+			mbedtls_asn1_sequence **tail = &eku;
 
+			if (!strncmp(arg[1], "extendedKeyUsage=", strlen("extendedKeyUsage="))) {
 
+				ext_key_usage = calloc(1, sizeof(mbedtls_asn1_sequence));
 
+				ext_key_usage->buf.tag = MBEDTLS_ASN1_OID;
 
+				if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "serverAuth", strlen("serverAuth"))) {
 
+					SET_OID(ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH);
 
+				} else if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "any", strlen("any"))) {
 
+					SET_OID(ext_key_usage->buf, MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE);
 
+				} // there are other extendedKeyUsage OIDs but none conceivably useful here
 
+				*tail = ext_key_usage;
 
+				tail = &ext_key_usage->next;
 
+				arg++;
 
+			} else if (!strncmp(arg[1], "subjectAltName=", strlen("subjectAltName=")) && strchr(arg[1], ':') != NULL) {
 
+				santype = strchr(arg[1], '=') + 1;
 
+				sanval = strchr(arg[1], ':') + 1;
 
+				//build sAN list
 
+				san_cur = calloc(1, sizeof(mbedtls_x509_san_list));
 
+				san_cur->next = NULL;
 
+				if (!strncmp(santype, "DNS:", strlen("DNS:"))) {
 
+					san_cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
 
+					san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
 
+					san_cur->node.san.unstructured_name.len = strlen(sanval);
 
+				} else if (!strncmp(santype, "EMAIL:", strlen("EMAIL:"))) {
 
+					san_cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
 
+					san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
 
+					san_cur->node.san.unstructured_name.len = strlen(sanval);
 
+				} else if (!strncmp(santype, "IP:", strlen("IP:"))) {
 
+					san_cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
 
+					mbedtls_x509_crt_parse_cn_inet_pton(sanval, ipaddr);
 
+					san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;
 
+					san_cur->node.san.unstructured_name.len = sizeof(ipaddr);
 
+				} else if (!strncmp(santype, "URI:", strlen("URI:"))) {
 
+					san_cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
 
+					san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
 
+					san_cur->node.san.unstructured_name.len = strlen(sanval);
 
+				}
 
+				else fprintf(stderr, "No match to subjectAltName content type.\n");
 
+			arg++;
 
+			}
 
 		}
 
 		arg++;
 
+
 
+		//set the pointers in our san_list linked list
 
+		if (san_prev == NULL) {
 
+			san_list = san_cur;
 
+		} else {
 
+			san_prev->next = san_cur;
 
+		}
 
+		san_prev = san_cur;
 
 	}
 
 	gen_key(&key, rsa, ksize, exp, curve, pem);
 
 
@@ -295,6 +358,8 @@ int selfsigned(char **arg)
 
 	mbedtls_x509write_crt_set_basic_constraints(&cert, 0, -1);
 
 	mbedtls_x509write_crt_set_subject_key_identifier(&cert);
 
 	mbedtls_x509write_crt_set_authority_key_identifier(&cert);
 
+	mbedtls_x509write_crt_set_subject_alternative_name(&cert, san_list);
 
+	mbedtls_x509write_crt_set_ext_key_usage(&cert, ext_key_usage);
 
 
 	_urandom(NULL, (void *) buf, 8);
 
 	for (len = 0; len < 8; len++)