add mkfingerprint program
This commit is contained in:
parent
f018ed844d
commit
0346918701
9 changed files with 258 additions and 91 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -57,6 +57,7 @@ ssld/ssld
|
|||
wsockd/wsockd
|
||||
testsuite/ircd.pid.*
|
||||
tools/charybdis-mkpasswd
|
||||
tools/charybdis-mkfingerprint
|
||||
tools/genssl
|
||||
tools/mkpasswd
|
||||
tools/viconf
|
||||
|
|
|
@ -156,6 +156,7 @@ int rb_fd_ssl(rb_fde_t *F);
|
|||
rb_platform_fd_t rb_get_fd(rb_fde_t *F);
|
||||
const char *rb_get_ssl_strerror(rb_fde_t *F);
|
||||
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method);
|
||||
int rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method);
|
||||
|
||||
rb_fde_t *rb_get_fde(rb_platform_fd_t fd);
|
||||
|
||||
|
|
|
@ -59,6 +59,7 @@ rb_get_iotype
|
|||
rb_get_random
|
||||
rb_get_sockerr
|
||||
rb_get_ssl_certfp
|
||||
rb_get_ssl_certfp_file
|
||||
rb_get_ssl_strerror
|
||||
rb_get_type
|
||||
rb_getmaxconnect
|
||||
|
|
|
@ -602,37 +602,14 @@ rb_get_ssl_strerror(rb_fde_t *F)
|
|||
return gnutls_strerror(F->ssl_errno);
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
static unsigned int
|
||||
make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
gnutls_x509_crt_t cert;
|
||||
gnutls_digest_algorithm_t algo;
|
||||
unsigned int cert_list_size;
|
||||
const gnutls_datum_t *cert_list;
|
||||
uint8_t digest[RB_SSL_CERTFP_LEN * 2];
|
||||
size_t digest_size;
|
||||
int len;
|
||||
bool spki = false;
|
||||
|
||||
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
|
||||
return 0;
|
||||
|
||||
if (gnutls_x509_crt_init(&cert) < 0)
|
||||
return 0;
|
||||
|
||||
cert_list_size = 0;
|
||||
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
|
||||
if (cert_list == NULL)
|
||||
{
|
||||
gnutls_x509_crt_deinit(cert);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
|
||||
{
|
||||
gnutls_x509_crt_deinit(cert);
|
||||
return 0;
|
||||
}
|
||||
unsigned int len;
|
||||
|
||||
switch(method)
|
||||
{
|
||||
|
@ -701,7 +678,59 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
|||
|
||||
if (len)
|
||||
memcpy(certfp, digest, len);
|
||||
return len;
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
gnutls_x509_crt_t cert;
|
||||
unsigned int cert_list_size;
|
||||
const gnutls_datum_t *cert_list;
|
||||
int len;
|
||||
|
||||
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
|
||||
return 0;
|
||||
|
||||
if (gnutls_x509_crt_init(&cert) < 0)
|
||||
return 0;
|
||||
|
||||
cert_list_size = 0;
|
||||
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
|
||||
if (cert_list == NULL)
|
||||
{
|
||||
gnutls_x509_crt_deinit(cert);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
|
||||
{
|
||||
gnutls_x509_crt_deinit(cert);
|
||||
return 0;
|
||||
}
|
||||
|
||||
len = make_certfp(cert, certfp, method);
|
||||
gnutls_x509_crt_deinit(cert);
|
||||
return len;
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
gnutls_x509_crt_t cert;
|
||||
gnutls_datum_t *d_cert;
|
||||
unsigned int len;
|
||||
|
||||
if ((d_cert = rb_load_file_into_datum_t(filename)) == NULL)
|
||||
return -1;
|
||||
|
||||
if (gnutls_x509_crt_init(&cert) < 0)
|
||||
return -1;
|
||||
|
||||
if (gnutls_x509_crt_import(cert, d_cert, GNUTLS_X509_FMT_PEM) != 0)
|
||||
return -1;
|
||||
|
||||
len = make_certfp(cert, certfp, method);
|
||||
gnutls_x509_crt_deinit(cert);
|
||||
return len;
|
||||
}
|
||||
|
|
|
@ -537,53 +537,47 @@ rb_get_ssl_strerror(rb_fde_t *F)
|
|||
#endif
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
static size_t
|
||||
make_certfp(const mbedtls_x509_crt *peer_cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
const mbedtls_x509_crt *peer_cert;
|
||||
uint8_t hash[RB_SSL_CERTFP_LEN];
|
||||
size_t hashlen;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
mbedtls_md_type_t md_type;
|
||||
int ret;
|
||||
bool spki = false;
|
||||
int ret;
|
||||
size_t len;
|
||||
|
||||
switch (method)
|
||||
{
|
||||
case RB_SSL_CERTFP_METH_CERT_SHA1:
|
||||
md_type = MBEDTLS_MD_SHA1;
|
||||
hashlen = RB_SSL_CERTFP_LEN_SHA1;
|
||||
len = RB_SSL_CERTFP_LEN_SHA1;
|
||||
break;
|
||||
case RB_SSL_CERTFP_METH_SPKI_SHA256:
|
||||
spki = true;
|
||||
case RB_SSL_CERTFP_METH_CERT_SHA256:
|
||||
md_type = MBEDTLS_MD_SHA256;
|
||||
hashlen = RB_SSL_CERTFP_LEN_SHA256;
|
||||
len = RB_SSL_CERTFP_LEN_SHA256;
|
||||
break;
|
||||
case RB_SSL_CERTFP_METH_SPKI_SHA512:
|
||||
spki = true;
|
||||
case RB_SSL_CERTFP_METH_CERT_SHA512:
|
||||
md_type = MBEDTLS_MD_SHA512;
|
||||
hashlen = RB_SSL_CERTFP_LEN_SHA512;
|
||||
len = RB_SSL_CERTFP_LEN_SHA512;
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
|
||||
peer_cert = mbedtls_ssl_get_peer_cert(SSL_P(F));
|
||||
if (peer_cert == NULL)
|
||||
return 0;
|
||||
|
||||
md_info = mbedtls_md_info_from_type(md_type);
|
||||
if (md_info == NULL)
|
||||
return 0;
|
||||
|
||||
if (!spki)
|
||||
{
|
||||
if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, hash)) != 0)
|
||||
if ((ret = mbedtls_md(md_info, peer_cert->raw.p, peer_cert->raw.len, certfp)) != 0)
|
||||
{
|
||||
rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
|
||||
hashlen = 0;
|
||||
len = 0;
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -596,21 +590,45 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
|||
if (der_pubkey_len < 0)
|
||||
{
|
||||
rb_lib_log("rb_get_ssl_certfp: unable to get pubkey for F: %p, -0x%x", -der_pubkey_len);
|
||||
hashlen = 0;
|
||||
len = 0;
|
||||
}
|
||||
else if ((ret = mbedtls_md(md_info, der_pubkey+(der_pubkey_bufsz-der_pubkey_len), der_pubkey_len, hash)) != 0)
|
||||
else if ((ret = mbedtls_md(md_info, der_pubkey+(der_pubkey_bufsz-der_pubkey_len), der_pubkey_len, certfp)) != 0)
|
||||
{
|
||||
rb_lib_log("rb_get_ssl_certfp: unable to get certfp for F: %p, -0x%x", -ret);
|
||||
hashlen = 0;
|
||||
len = 0;
|
||||
}
|
||||
|
||||
rb_free(der_pubkey);
|
||||
}
|
||||
|
||||
if (hashlen)
|
||||
memcpy(certfp, hash, hashlen);
|
||||
return len;
|
||||
}
|
||||
|
||||
return hashlen;
|
||||
int
|
||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
const mbedtls_x509_crt *peer_cert;
|
||||
|
||||
peer_cert = mbedtls_ssl_get_peer_cert(SSL_P(F));
|
||||
if (peer_cert == NULL)
|
||||
return 0;
|
||||
|
||||
return make_certfp(peer_cert, certfp, method);
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
mbedtls_x509_crt cert;
|
||||
int ret;
|
||||
|
||||
mbedtls_x509_crt_init(&cert);
|
||||
|
||||
ret = mbedtls_x509_crt_parse_file(&cert, filename);
|
||||
if (ret != 0)
|
||||
return -1;
|
||||
|
||||
return make_certfp(&cert, certfp, method);
|
||||
}
|
||||
|
||||
int
|
||||
|
|
|
@ -98,6 +98,12 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
|||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
|
||||
{
|
||||
|
|
|
@ -685,29 +685,9 @@ rb_get_ssl_strerror(rb_fde_t *F)
|
|||
return get_ssl_error(F->ssl_errno);
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
static unsigned int
|
||||
make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
X509 *cert;
|
||||
int res;
|
||||
|
||||
if (F->ssl == NULL)
|
||||
return 0;
|
||||
|
||||
cert = SSL_get_peer_certificate((SSL *) F->ssl);
|
||||
if(cert != NULL)
|
||||
{
|
||||
res = SSL_get_verify_result((SSL *) F->ssl);
|
||||
if(
|
||||
res == X509_V_OK ||
|
||||
res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
|
||||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
||||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
|
||||
res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||
res == X509_V_ERR_CERT_UNTRUSTED ||
|
||||
res == X509_V_ERR_CERT_NOT_YET_VALID ||
|
||||
res == X509_V_ERR_CERT_HAS_EXPIRED)
|
||||
{
|
||||
const ASN1_ITEM *it;
|
||||
const EVP_MD *evp;
|
||||
void *data;
|
||||
|
@ -751,6 +731,33 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
|||
|
||||
if (ASN1_item_digest(it, evp, data, certfp, &len) != 1)
|
||||
len = 0;
|
||||
return len;
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
X509 *cert;
|
||||
int res;
|
||||
|
||||
if (F->ssl == NULL)
|
||||
return 0;
|
||||
|
||||
cert = SSL_get_peer_certificate((SSL *) F->ssl);
|
||||
if(cert != NULL)
|
||||
{
|
||||
res = SSL_get_verify_result((SSL *) F->ssl);
|
||||
if(
|
||||
res == X509_V_OK ||
|
||||
res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
|
||||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
||||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
|
||||
res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||
res == X509_V_ERR_CERT_UNTRUSTED ||
|
||||
res == X509_V_ERR_CERT_NOT_YET_VALID ||
|
||||
res == X509_V_ERR_CERT_HAS_EXPIRED)
|
||||
{
|
||||
unsigned int len = make_certfp(cert, certfp, method);
|
||||
X509_free(cert);
|
||||
return len;
|
||||
}
|
||||
|
@ -760,6 +767,26 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
|||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
|
||||
{
|
||||
X509 *cert;
|
||||
FILE *f = fopen(filename, "r");
|
||||
|
||||
if (!f)
|
||||
return -1;
|
||||
|
||||
cert = PEM_read_X509(f, NULL, NULL, NULL);
|
||||
fclose(f);
|
||||
|
||||
if (cert) {
|
||||
unsigned int len = make_certfp(cert, certfp, method);
|
||||
X509_free(cert);
|
||||
return len;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
rb_supports_ssl(void)
|
||||
{
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
bin_PROGRAMS = charybdis-mkpasswd
|
||||
bin_PROGRAMS = charybdis-mkpasswd charybdis-mkfingerprint
|
||||
AM_CFLAGS=$(WARNFLAGS)
|
||||
AM_CPPFLAGS = $(DEFAULT_INCLUDES) -I../librb/include -I.
|
||||
|
||||
charybdis_mkpasswd_SOURCES = mkpasswd.c
|
||||
charybdis_mkpasswd_LDADD = ../librb/src/librb.la
|
||||
|
||||
charybdis_mkfingerprint_SOURCES = mkfingerprint.c
|
||||
charybdis_mkfingerprint_LDADD = ../librb/src/librb.la
|
||||
|
|
81
tools/mkfingerprint.c
Normal file
81
tools/mkfingerprint.c
Normal file
|
@ -0,0 +1,81 @@
|
|||
/*
|
||||
* mkfingerprint.c: Create certificate fingerprints using librb
|
||||
* Copyright 2016 simon Arlott
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 2 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
|
||||
* USA
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include "rb_lib.h"
|
||||
#include "certfp.h"
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
uint8_t certfp[RB_SSL_CERTFP_LEN+1] = { 0 };
|
||||
const char *method_str;
|
||||
const char *filename;
|
||||
int method;
|
||||
const char *prefix;
|
||||
int ret;
|
||||
int i;
|
||||
|
||||
if (argc != 3) {
|
||||
printf("mkfingerprint <method> <filename>\n");
|
||||
printf(" Valid methods: sha1, sha256, sha512, spki_sha256, spki_sha512\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
method_str = argv[1];
|
||||
filename = argv[2];
|
||||
|
||||
if (!strcmp(method_str, "sha1")) {
|
||||
method = RB_SSL_CERTFP_METH_CERT_SHA1;
|
||||
prefix = CERTFP_PREFIX_CERT_SHA1;
|
||||
} else if (!strcmp(method_str, "sha256")) {
|
||||
method = RB_SSL_CERTFP_METH_CERT_SHA256;
|
||||
prefix = CERTFP_PREFIX_CERT_SHA256;
|
||||
} else if (!strcmp(method_str, "sha512")) {
|
||||
method = RB_SSL_CERTFP_METH_CERT_SHA512;
|
||||
prefix = CERTFP_PREFIX_CERT_SHA512;
|
||||
} else if (!strcmp(method_str, "spki_sha256")) {
|
||||
method = RB_SSL_CERTFP_METH_SPKI_SHA256;
|
||||
prefix = CERTFP_PREFIX_SPKI_SHA256;
|
||||
} else if (!strcmp(method_str, "spki_sha512")) {
|
||||
method = RB_SSL_CERTFP_METH_SPKI_SHA512;
|
||||
prefix = CERTFP_PREFIX_SPKI_SHA512;
|
||||
} else {
|
||||
printf("Unknown method: %s\n", method_str);
|
||||
return 1;
|
||||
}
|
||||
|
||||
ret = rb_get_ssl_certfp_file(filename, certfp, method);
|
||||
if (ret < 0) {
|
||||
perror(filename);
|
||||
return 1;
|
||||
} else if (ret == 0) {
|
||||
fprintf(stderr, "Unknown error\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
printf("%s", prefix);
|
||||
for (i = 0; i < strlen(certfp); i++) {
|
||||
printf("%02x", certfp[i]);
|
||||
}
|
||||
printf("\n");
|
||||
return 0;
|
||||
}
|
Loading…
Reference in a new issue