add mkfingerprint program

This commit is contained in:
Simon Arlott 2016-04-26 20:21:23 +01:00
parent f018ed844d
commit 0346918701
No known key found for this signature in database
GPG key ID: C8975F2043CA5D24
9 changed files with 258 additions and 91 deletions

1
.gitignore vendored
View file

@ -57,6 +57,7 @@ ssld/ssld
wsockd/wsockd
testsuite/ircd.pid.*
tools/charybdis-mkpasswd
tools/charybdis-mkfingerprint
tools/genssl
tools/mkpasswd
tools/viconf

View file

@ -156,6 +156,7 @@ int rb_fd_ssl(rb_fde_t *F);
rb_platform_fd_t rb_get_fd(rb_fde_t *F);
const char *rb_get_ssl_strerror(rb_fde_t *F);
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method);
int rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method);
rb_fde_t *rb_get_fde(rb_platform_fd_t fd);

View file

@ -59,6 +59,7 @@ rb_get_iotype
rb_get_random
rb_get_sockerr
rb_get_ssl_certfp
rb_get_ssl_certfp_file
rb_get_ssl_strerror
rb_get_type
rb_getmaxconnect

View file

@ -602,37 +602,14 @@ rb_get_ssl_strerror(rb_fde_t *F)
return gnutls_strerror(F->ssl_errno);
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
static unsigned int
make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
gnutls_x509_crt_t cert;
gnutls_digest_algorithm_t algo;
unsigned int cert_list_size;
const gnutls_datum_t *cert_list;
uint8_t digest[RB_SSL_CERTFP_LEN * 2];
size_t digest_size;
int len;
bool spki = false;
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
return 0;
if (gnutls_x509_crt_init(&cert) < 0)
return 0;
cert_list_size = 0;
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
if (cert_list == NULL)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
unsigned int len;
switch(method)
{
@ -701,7 +678,59 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
if (len)
memcpy(certfp, digest, len);
return len;
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
gnutls_x509_crt_t cert;
unsigned int cert_list_size;
const gnutls_datum_t *cert_list;
int len;
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
return 0;
if (gnutls_x509_crt_init(&cert) < 0)
return 0;
cert_list_size = 0;
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
if (cert_list == NULL)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
len = make_certfp(cert, certfp, method);
gnutls_x509_crt_deinit(cert);
return len;
}
int
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
gnutls_x509_crt_t cert;
gnutls_datum_t *d_cert;
unsigned int len;
if ((d_cert = rb_load_file_into_datum_t(filename)) == NULL)
return -1;
if (gnutls_x509_crt_init(&cert) < 0)
return -1;
if (gnutls_x509_crt_import(cert, d_cert, GNUTLS_X509_FMT_PEM) != 0)
return -1;
len = make_certfp(cert, certfp, method);
gnutls_x509_crt_deinit(cert);
return len;
}

View file

@ -537,53 +537,47 @@ rb_get_ssl_strerror(rb_fde_t *F)
#endif
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
static size_t
make_certfp(const mbedtls_x509_crt *peer_cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
const mbedtls_x509_crt *peer_cert;
uint8_t hash[RB_SSL_CERTFP_LEN];
size_t hashlen;
const mbedtls_md_info_t *md_info;
mbedtls_md_type_t md_type;
int ret;
bool spki = false;
int ret;
size_t len;
switch (method)
{
case RB_SSL_CERTFP_METH_CERT_SHA1:
md_type = MBEDTLS_MD_SHA1;
hashlen = RB_SSL_CERTFP_LEN_SHA1;
len = RB_SSL_CERTFP_LEN_SHA1;
break;
case RB_SSL_CERTFP_METH_SPKI_SHA256:
spki = true;
case RB_SSL_CERTFP_METH_CERT_SHA256:
md_type = MBEDTLS_MD_SHA256;
hashlen = RB_SSL_CERTFP_LEN_SHA256;
len = RB_SSL_CERTFP_LEN_SHA256;
break;
case RB_SSL_CERTFP_METH_SPKI_SHA512:
spki = true;
case RB_SSL_CERTFP_METH_CERT_SHA512:
md_type = MBEDTLS_MD_SHA512;
hashlen = RB_SSL_CERTFP_LEN_SHA512;
len = RB_SSL_CERTFP_LEN_SHA512;
break;
default:
return 0;
}
peer_cert = mbedtls_ssl_get_peer_cert(SSL_P(F));
if (peer_cert == NULL)
return 0;
md_info = mbedtls_md_info_from_type(md_type);
if (md_info == NULL)
return 0;
if (!spki)
{
if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, hash)) != 0)
if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, certfp)) != 0)
{
rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
hashlen = 0;
len = 0;
}
}
else
@ -596,21 +590,45 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
if (der_pubkey_len < 0)
{
rb_lib_log("rb_get_ssl_certfp: unable to get pubkey for F: %p, -0x%x", -der_pubkey_len);
hashlen = 0;
len = 0;
}
else if ((ret = mbedtls_md(md_info, der_pubkey+(der_pubkey_bufsz-der_pubkey_len), der_pubkey_len, hash)) != 0)
else if ((ret = mbedtls_md(md_info, der_pubkey+(der_pubkey_bufsz-der_pubkey_len), der_pubkey_len, certfp)) != 0)
{
rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
hashlen = 0;
len = 0;
}
rb_free(der_pubkey);
}
if (hashlen)
memcpy(certfp, hash, hashlen);
return len;
}
return hashlen;
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
const mbedtls_x509_crt *peer_cert;
peer_cert = mbedtls_ssl_get_peer_cert(SSL_P(F));
if (peer_cert == NULL)
return 0;
return make_certfp(peer_cert, certfp, method);
}
int
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
mbedtls_x509_crt cert;
int ret;
mbedtls_x509_crt_init(&cert);
ret = mbedtls_x509_crt_parse_file(&cert, filename);
if (ret != 0)
return -1;
return make_certfp(&cert, certfp, method);
}
int

View file

@ -98,6 +98,12 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
return 0;
}
int
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
return 0;
}
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{

View file

@ -685,29 +685,9 @@ rb_get_ssl_strerror(rb_fde_t *F)
return get_ssl_error(F->ssl_errno);
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
static unsigned int
make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
X509 *cert;
int res;
if (F->ssl == NULL)
return 0;
cert = SSL_get_peer_certificate((SSL *) F->ssl);
if(cert != NULL)
{
res = SSL_get_verify_result((SSL *) F->ssl);
if(
res == X509_V_OK ||
res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
res == X509_V_ERR_CERT_UNTRUSTED ||
res == X509_V_ERR_CERT_NOT_YET_VALID ||
res == X509_V_ERR_CERT_HAS_EXPIRED)
{
const ASN1_ITEM *it;
const EVP_MD *evp;
void *data;
@ -751,6 +731,33 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
if (ASN1_item_digest(it, evp, data, certfp, &len) != 1)
len = 0;
return len;
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
X509 *cert;
int res;
if (F->ssl == NULL)
return 0;
cert = SSL_get_peer_certificate((SSL *) F->ssl);
if(cert != NULL)
{
res = SSL_get_verify_result((SSL *) F->ssl);
if(
res == X509_V_OK ||
res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
res == X509_V_ERR_CERT_UNTRUSTED ||
res == X509_V_ERR_CERT_NOT_YET_VALID ||
res == X509_V_ERR_CERT_HAS_EXPIRED)
{
unsigned int len = make_certfp(cert, certfp, method);
X509_free(cert);
return len;
}
@ -760,6 +767,26 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
return 0;
}
int
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
X509 *cert;
FILE *f = fopen(filename, "r");
if (!f)
return -1;
cert = PEM_read_X509(f, NULL, NULL, NULL);
fclose(f);
if (cert) {
unsigned int len = make_certfp(cert, certfp, method);
X509_free(cert);
return len;
}
return 0;
}
int
rb_supports_ssl(void)
{

View file

@ -1,6 +1,9 @@
bin_PROGRAMS = charybdis-mkpasswd
bin_PROGRAMS = charybdis-mkpasswd charybdis-mkfingerprint
AM_CFLAGS=$(WARNFLAGS)
AM_CPPFLAGS = $(DEFAULT_INCLUDES) -I../librb/include -I.
charybdis_mkpasswd_SOURCES = mkpasswd.c
charybdis_mkpasswd_LDADD = ../librb/src/librb.la
charybdis_mkfingerprint_SOURCES = mkfingerprint.c
charybdis_mkfingerprint_LDADD = ../librb/src/librb.la

81
tools/mkfingerprint.c Normal file
View file

@ -0,0 +1,81 @@
/*
* mkfingerprint.c: Create certificate fingerprints using librb
* Copyright 2016 simon Arlott
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
* USA
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "rb_lib.h"
#include "certfp.h"
int main(int argc, char *argv[])
{
uint8_t certfp[RB_SSL_CERTFP_LEN+1] = { 0 };
const char *method_str;
const char *filename;
int method;
const char *prefix;
int ret;
int i;
if (argc != 3) {
printf("mkfingerprint <method> <filename>\n");
printf(" Valid methods: sha1, sha256, sha512, spki_sha256, spki_sha512\n");
return 1;
}
method_str = argv[1];
filename = argv[2];
if (!strcmp(method_str, "sha1")) {
method = RB_SSL_CERTFP_METH_CERT_SHA1;
prefix = CERTFP_PREFIX_CERT_SHA1;
} else if (!strcmp(method_str, "sha256")) {
method = RB_SSL_CERTFP_METH_CERT_SHA256;
prefix = CERTFP_PREFIX_CERT_SHA256;
} else if (!strcmp(method_str, "sha512")) {
method = RB_SSL_CERTFP_METH_CERT_SHA512;
prefix = CERTFP_PREFIX_CERT_SHA512;
} else if (!strcmp(method_str, "spki_sha256")) {
method = RB_SSL_CERTFP_METH_SPKI_SHA256;
prefix = CERTFP_PREFIX_SPKI_SHA256;
} else if (!strcmp(method_str, "spki_sha512")) {
method = RB_SSL_CERTFP_METH_SPKI_SHA512;
prefix = CERTFP_PREFIX_SPKI_SHA512;
} else {
printf("Unknown method: %s\n", method_str);
return 1;
}
ret = rb_get_ssl_certfp_file(filename, certfp, method);
if (ret < 0) {
perror(filename);
return 1;
} else if (ret == 0) {
fprintf(stderr, "Unknown error\n");
return 1;
}
printf("%s", prefix);
for (i = 0; i < strlen(certfp); i++) {
printf("%02x", certfp[i]);
}
printf("\n");
return 0;
}