add mkfingerprint program

2016-04-26 20:21:23 +01:00 · 2016-04-26 20:21:23 +01:00 · 0346918701
commit 0346918701
parent f018ed844d
9 changed files with 258 additions and 91 deletions
--- a/.gitignore
+++ b/.gitignore
@ -57,6 +57,7 @@ ssld/ssld
 wsockd/wsockd
 testsuite/ircd.pid.*
 tools/charybdis-mkpasswd
+tools/charybdis-mkfingerprint
 tools/genssl
 tools/mkpasswd
 tools/viconf
--- a/librb/include/rb_commio.h
+++ b/librb/include/rb_commio.h
@ -156,6 +156,7 @@ int rb_fd_ssl(rb_fde_t *F);
 rb_platform_fd_t rb_get_fd(rb_fde_t *F);
 const char *rb_get_ssl_strerror(rb_fde_t *F);
 int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method);
+int rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method);

 rb_fde_t *rb_get_fde(rb_platform_fd_t fd);

--- a/librb/src/export-syms.txt
+++ b/librb/src/export-syms.txt
@ -59,6 +59,7 @@ rb_get_iotype
 rb_get_random
 rb_get_sockerr
 rb_get_ssl_certfp
+rb_get_ssl_certfp_file
 rb_get_ssl_strerror
 rb_get_type
 rb_getmaxconnect
--- a/librb/src/gnutls.c
+++ b/librb/src/gnutls.c
@ -602,37 +602,14 @@ rb_get_ssl_strerror(rb_fde_t *F)
 	return gnutls_strerror(F->ssl_errno);
 }

-int
-rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+static unsigned int
+make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
-	gnutls_x509_crt_t cert;
 	gnutls_digest_algorithm_t algo;
-	unsigned int cert_list_size;
-	const gnutls_datum_t *cert_list;
 	uint8_t digest[RB_SSL_CERTFP_LEN * 2];
 	size_t digest_size;
-	int len;
 	bool spki = false;
-
-	if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
-		return 0;
-
-	if (gnutls_x509_crt_init(&cert) < 0)
-		return 0;
-
-	cert_list_size = 0;
-	cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
-	if (cert_list == NULL)
-	{
-		gnutls_x509_crt_deinit(cert);
-		return 0;
-	}
-
-	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
-	{
-		gnutls_x509_crt_deinit(cert);
-		return 0;
-	}
+	unsigned int len;

 	switch(method)
 	{
@ -701,7 +678,59 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)

 	if (len)
 		memcpy(certfp, digest, len);
+	return len;
+}

+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	gnutls_x509_crt_t cert;
+	unsigned int cert_list_size;
+	const gnutls_datum_t *cert_list;
+	int len;
+
+	if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
+		return 0;
+
+	if (gnutls_x509_crt_init(&cert) < 0)
+		return 0;
+
+	cert_list_size = 0;
+	cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
+	if (cert_list == NULL)
+	{
+		gnutls_x509_crt_deinit(cert);
+		return 0;
+	}
+
+	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
+	{
+		gnutls_x509_crt_deinit(cert);
+		return 0;
+	}
+
+	len = make_certfp(cert, certfp, method);
+	gnutls_x509_crt_deinit(cert);
+	return len;
+}
+
+int
+rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	gnutls_x509_crt_t cert;
+	gnutls_datum_t *d_cert;
+	unsigned int len;
+
+	if ((d_cert = rb_load_file_into_datum_t(filename)) == NULL)
+		return -1;
+
+	if (gnutls_x509_crt_init(&cert) < 0)
+		return -1;
+
+	if (gnutls_x509_crt_import(cert, d_cert, GNUTLS_X509_FMT_PEM) != 0)
+		return -1;
+
+	len = make_certfp(cert, certfp, method);
 	gnutls_x509_crt_deinit(cert);
 	return len;
 }
--- a/librb/src/mbedtls.c
+++ b/librb/src/mbedtls.c
@ -537,53 +537,47 @@ rb_get_ssl_strerror(rb_fde_t *F)
 #endif
 }

-int
-rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+static size_t
+make_certfp(const mbedtls_x509_crt *peer_cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
-	const mbedtls_x509_crt *peer_cert;
-	uint8_t hash[RB_SSL_CERTFP_LEN];
-	size_t hashlen;
 	const mbedtls_md_info_t *md_info;
 	mbedtls_md_type_t md_type;
-	int ret;
 	bool spki = false;
+	int ret;
+	size_t len;

 	switch (method)
 	{
 	case RB_SSL_CERTFP_METH_CERT_SHA1:
 		md_type = MBEDTLS_MD_SHA1;
-		hashlen = RB_SSL_CERTFP_LEN_SHA1;
+		len = RB_SSL_CERTFP_LEN_SHA1;
 		break;
 	case RB_SSL_CERTFP_METH_SPKI_SHA256:
 		spki = true;
 	case RB_SSL_CERTFP_METH_CERT_SHA256:
 		md_type = MBEDTLS_MD_SHA256;
-		hashlen = RB_SSL_CERTFP_LEN_SHA256;
+		len = RB_SSL_CERTFP_LEN_SHA256;
 		break;
 	case RB_SSL_CERTFP_METH_SPKI_SHA512:
 		spki = true;
 	case RB_SSL_CERTFP_METH_CERT_SHA512:
 		md_type = MBEDTLS_MD_SHA512;
-		hashlen = RB_SSL_CERTFP_LEN_SHA512;
+		len = RB_SSL_CERTFP_LEN_SHA512;
 		break;
 	default:
 		return 0;
 	}

-	peer_cert = mbedtls_ssl_get_peer_cert(SSL_P(F));
-	if (peer_cert == NULL)
-		return 0;
-
 	md_info = mbedtls_md_info_from_type(md_type);
 	if (md_info == NULL)
 		return 0;

 	if (!spki)
 	{
-		if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, hash)) != 0)
+		if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, certfp)) != 0)
 		{
 			rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
-			hashlen = 0;
+			len = 0;
 		}
 	}
 	else
@ -596,21 +590,45 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 		if (der_pubkey_len < 0)
 		{
 			rb_lib_log("rb_get_ssl_certfp: unable to get pubkey for F: %p, -0x%x", -der_pubkey_len);
-			hashlen = 0;
+			len = 0;
 		}
-		else if ((ret = mbedtls_md(md_info, der_pubkey+(der_pubkey_bufsz-der_pubkey_len), der_pubkey_len, hash)) != 0)
+		else if ((ret = mbedtls_md(md_info, der_pubkey+(der_pubkey_bufsz-der_pubkey_len), der_pubkey_len, certfp)) != 0)
 		{
 			rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
-			hashlen = 0;
+			len = 0;
 		}

 		rb_free(der_pubkey);
 	}

-	if (hashlen)
-		memcpy(certfp, hash, hashlen);
+	return len;
+}

-	return hashlen;
+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	const mbedtls_x509_crt *peer_cert;
+
+	peer_cert = mbedtls_ssl_get_peer_cert(SSL_P(F));
+	if (peer_cert == NULL)
+		return 0;
+
+	return make_certfp(peer_cert, certfp, method);
+}
+
+int
+rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	mbedtls_x509_crt cert;
+	int ret;
+
+	mbedtls_x509_crt_init(&cert);
+
+	ret = mbedtls_x509_crt_parse_file(&cert, filename);
+	if (ret != 0)
+		return -1;
+
+	return make_certfp(&cert, certfp, method);
 }

 int
--- a/librb/src/nossl.c
+++ b/librb/src/nossl.c
@ -98,6 +98,12 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 	return 0;
 }

+int
+rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	return 0;
+}
+
 void
 rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
 {
--- a/librb/src/openssl.c
+++ b/librb/src/openssl.c
@ -685,29 +685,9 @@ rb_get_ssl_strerror(rb_fde_t *F)
 	return get_ssl_error(F->ssl_errno);
 }

-int
-rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+static unsigned int
+make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 {
-	X509 *cert;
-	int res;
-
-	if (F->ssl == NULL)
-		return 0;
-
-	cert = SSL_get_peer_certificate((SSL *) F->ssl);
-	if(cert != NULL)
-	{
-		res = SSL_get_verify_result((SSL *) F->ssl);
-		if(
-			res == X509_V_OK ||
-			res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
-			res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
-			res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-			res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-			res == X509_V_ERR_CERT_UNTRUSTED ||
-			res == X509_V_ERR_CERT_NOT_YET_VALID ||
-			res == X509_V_ERR_CERT_HAS_EXPIRED)
-		{
 	const ASN1_ITEM *it;
 	const EVP_MD *evp;
 	void *data;
@ -751,6 +731,33 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)

 	if (ASN1_item_digest(it, evp, data, certfp, &len) != 1)
 		len = 0;
+	return len;
+}
+
+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	X509 *cert;
+	int res;
+
+	if (F->ssl == NULL)
+		return 0;
+
+	cert = SSL_get_peer_certificate((SSL *) F->ssl);
+	if(cert != NULL)
+	{
+		res = SSL_get_verify_result((SSL *) F->ssl);
+		if(
+			res == X509_V_OK ||
+			res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+			res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+			res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+			res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+			res == X509_V_ERR_CERT_UNTRUSTED ||
+			res == X509_V_ERR_CERT_NOT_YET_VALID ||
+			res == X509_V_ERR_CERT_HAS_EXPIRED)
+		{
+			unsigned int len = make_certfp(cert, certfp, method);
 			X509_free(cert);
 			return len;
 		}
@ -760,6 +767,26 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 	return 0;
 }

+int
+rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
+{
+	X509 *cert;
+	FILE *f = fopen(filename, "r");
+
+	if (!f)
+		return -1;
+
+	cert = PEM_read_X509(f, NULL, NULL, NULL);
+	fclose(f);
+
+	if (cert) {
+		unsigned int len = make_certfp(cert, certfp, method);
+		X509_free(cert);
+		return len;
+	}
+	return 0;
+}
+
 int
 rb_supports_ssl(void)
 {
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@ -1,6 +1,9 @@
-bin_PROGRAMS = charybdis-mkpasswd
+bin_PROGRAMS = charybdis-mkpasswd charybdis-mkfingerprint
 AM_CFLAGS=$(WARNFLAGS)
 AM_CPPFLAGS = $(DEFAULT_INCLUDES) -I../librb/include -I.

 charybdis_mkpasswd_SOURCES = mkpasswd.c
 charybdis_mkpasswd_LDADD = ../librb/src/librb.la
+
+charybdis_mkfingerprint_SOURCES = mkfingerprint.c
+charybdis_mkfingerprint_LDADD = ../librb/src/librb.la
--- a/tools/mkfingerprint.c
+++ b/tools/mkfingerprint.c
@ -0,0 +1,81 @@
+/*
+ *  mkfingerprint.c: Create certificate fingerprints using librb
+ *  Copyright 2016 simon Arlott
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+ *  USA
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "rb_lib.h"
+#include "certfp.h"
+
+int main(int argc, char *argv[])
+{
+	uint8_t certfp[RB_SSL_CERTFP_LEN+1] = { 0 };
+	const char *method_str;
+	const char *filename;
+	int method;
+	const char *prefix;
+	int ret;
+	int i;
+
+	if (argc != 3) {
+		printf("mkfingerprint <method> <filename>\n");
+		printf("  Valid methods: sha1, sha256, sha512, spki_sha256, spki_sha512\n");
+		return 1;
+	}
+
+	method_str = argv[1];
+	filename = argv[2];
+
+	if (!strcmp(method_str, "sha1")) {
+		method = RB_SSL_CERTFP_METH_CERT_SHA1;
+		prefix = CERTFP_PREFIX_CERT_SHA1;
+	} else if (!strcmp(method_str, "sha256")) {
+		method = RB_SSL_CERTFP_METH_CERT_SHA256;
+		prefix = CERTFP_PREFIX_CERT_SHA256;
+	} else if (!strcmp(method_str, "sha512")) {
+		method = RB_SSL_CERTFP_METH_CERT_SHA512;
+		prefix = CERTFP_PREFIX_CERT_SHA512;
+	} else if (!strcmp(method_str, "spki_sha256")) {
+		method = RB_SSL_CERTFP_METH_SPKI_SHA256;
+		prefix = CERTFP_PREFIX_SPKI_SHA256;
+	} else if (!strcmp(method_str, "spki_sha512")) {
+		method = RB_SSL_CERTFP_METH_SPKI_SHA512;
+		prefix = CERTFP_PREFIX_SPKI_SHA512;
+	} else {
+		printf("Unknown method: %s\n", method_str);
+		return 1;
+	}
+
+	ret = rb_get_ssl_certfp_file(filename, certfp, method);
+	if (ret < 0) {
+		perror(filename);
+		return 1;
+	} else if (ret == 0) {
+		fprintf(stderr, "Unknown error\n");
+		return 1;
+	}
+
+	printf("%s", prefix);
+	for (i = 0; i < strlen(certfp); i++) {
+		printf("%02x", certfp[i]);
+	}
+	printf("\n");
+	return 0;
+}