summaryrefslogtreecommitdiff
path: root/include/ssl_key_handler.hpp
diff options
context:
space:
mode:
Diffstat (limited to 'include/ssl_key_handler.hpp')
-rw-r--r--include/ssl_key_handler.hpp274
1 files changed, 132 insertions, 142 deletions
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index a658d9cb0e..69eae13dbb 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -11,172 +11,162 @@
#include <openssl/rsa.h>
#include <openssl/ssl.h>
-namespace ensuressl
-{
+namespace ensuressl {
static void init_openssl(void);
static void cleanup_openssl(void);
static EVP_PKEY *create_rsa_key(void);
static void handle_openssl_error(void);
-inline bool verify_openssl_key_cert(const std::string &filepath)
-{
- bool private_key_valid = false;
- bool cert_valid = false;
- FILE *file = fopen(filepath.c_str(), "r");
- if (file != NULL){
- EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
- int rc;
- if (pkey) {
- int type = EVP_PKEY_type(pkey->type);
- switch (type) {
- case EVP_PKEY_RSA:
- case EVP_PKEY_RSA2: {
- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
- rc = RSA_check_key(rsa);
- if (rc == 1) {
- private_key_valid = true;
- }
-
- //RSA_free(rsa);
-
- break;
- }
- default:
- break;
- }
-
- if (private_key_valid) {
- X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
- unsigned long err = ERR_get_error();
-
- rc = X509_verify(x509, pkey);
- err = ERR_get_error();
- if (err == 0 && rc == 1) {
- cert_valid = true;
- }
- }
-
- EVP_PKEY_free(pkey);
+inline bool verify_openssl_key_cert(const std::string &filepath) {
+ bool private_key_valid = false;
+ bool cert_valid = false;
+ FILE *file = fopen(filepath.c_str(), "r");
+ if (file != NULL) {
+ EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
+ int rc;
+ if (pkey) {
+ int type = EVP_PKEY_type(pkey->type);
+ switch (type) {
+ case EVP_PKEY_RSA:
+ case EVP_PKEY_RSA2: {
+ RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+ rc = RSA_check_key(rsa);
+ if (rc == 1) {
+ private_key_valid = true;
+ }
+
+ // RSA_free(rsa);
+
+ break;
}
- fclose(file);
+ default:
+ break;
+ }
+
+ if (private_key_valid) {
+ X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
+ unsigned long err = ERR_get_error();
+
+ rc = X509_verify(x509, pkey);
+ err = ERR_get_error();
+ if (err == 0 && rc == 1) {
+ cert_valid = true;
+ }
+ }
+
+ EVP_PKEY_free(pkey);
}
- return cert_valid;
+ fclose(file);
+ }
+ return cert_valid;
}
-inline void generate_ssl_certificate(const std::string &filepath)
-{
- EVP_PKEY *pPrivKey = NULL;
- FILE *pFile = NULL;
- init_openssl();
-
- pPrivKey = create_rsa_key();
-
- // Use this code to directly generate a certificate
- X509 *x509;
- x509 = X509_new();
- if (x509) {
- // TODO get actually random int
- ASN1_INTEGER_set(X509_get_serialNumber(x509), 1584);
-
- // not before this moment
- X509_gmtime_adj(X509_get_notBefore(x509), 0);
- // Cert is valid for 10 years
- X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
-
- // set the public key to the key we just generated
- X509_set_pubkey(x509, pPrivKey);
-
- // Get the subject name
- X509_NAME *name;
- name = X509_get_subject_name(x509);
-
- X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1,
- -1, 0);
- X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
- (unsigned char *)"Intel BMC", -1, -1, 0);
- X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
- (unsigned char *)"testhost", -1, -1, 0);
- // set the CSR options
- X509_set_issuer_name(x509, name);
-
- // Sign the certificate with our private key
- X509_sign(x509, pPrivKey, EVP_sha256());
-
- pFile = fopen(filepath.c_str(), "wt");
-
- if (pFile) {
- PEM_write_PrivateKey(pFile, pPrivKey, NULL, NULL, 0, 0, NULL);
- PEM_write_X509(pFile, x509);
- fclose(pFile);
- pFile = NULL;
- }
+inline void generate_ssl_certificate(const std::string &filepath) {
+ EVP_PKEY *pPrivKey = NULL;
+ FILE *pFile = NULL;
+ init_openssl();
- X509_free(x509);
- }
+ pPrivKey = create_rsa_key();
+
+ // Use this code to directly generate a certificate
+ X509 *x509;
+ x509 = X509_new();
+ if (x509) {
+ // TODO get actually random int
+ ASN1_INTEGER_set(X509_get_serialNumber(x509), 1584);
+
+ // not before this moment
+ X509_gmtime_adj(X509_get_notBefore(x509), 0);
+ // Cert is valid for 10 years
+ X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
+
+ // set the public key to the key we just generated
+ X509_set_pubkey(x509, pPrivKey);
+
+ // Get the subject name
+ X509_NAME *name;
+ name = X509_get_subject_name(x509);
+
+ X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"Intel BMC", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"testhost", -1, -1, 0);
+ // set the CSR options
+ X509_set_issuer_name(x509, name);
+
+ // Sign the certificate with our private key
+ X509_sign(x509, pPrivKey, EVP_sha256());
- if (pPrivKey) {
- EVP_PKEY_free(pPrivKey);
- pPrivKey = NULL;
+ pFile = fopen(filepath.c_str(), "wt");
+
+ if (pFile) {
+ PEM_write_PrivateKey(pFile, pPrivKey, NULL, NULL, 0, 0, NULL);
+ PEM_write_X509(pFile, x509);
+ fclose(pFile);
+ pFile = NULL;
}
- //cleanup_openssl();
+ X509_free(x509);
+ }
+
+ if (pPrivKey) {
+ EVP_PKEY_free(pPrivKey);
+ pPrivKey = NULL;
+ }
+
+ // cleanup_openssl();
}
-EVP_PKEY *create_rsa_key(void)
-{
- RSA *pRSA = NULL;
- EVP_PKEY *pKey = NULL;
- pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
- pKey = EVP_PKEY_new();
- if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
- /* pKey owns pRSA from now */
- if (RSA_check_key(pRSA) <= 0) {
- fprintf(stderr, "RSA_check_key failed.\n");
- handle_openssl_error();
- EVP_PKEY_free(pKey);
- pKey = NULL;
- }
- } else {
- handle_openssl_error();
- if (pRSA) {
- RSA_free(pRSA);
- pRSA = NULL;
- }
- if (pKey) {
- EVP_PKEY_free(pKey);
- pKey = NULL;
- }
+EVP_PKEY *create_rsa_key(void) {
+ RSA *pRSA = NULL;
+ EVP_PKEY *pKey = NULL;
+ pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
+ pKey = EVP_PKEY_new();
+ if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
+ /* pKey owns pRSA from now */
+ if (RSA_check_key(pRSA) <= 0) {
+ fprintf(stderr, "RSA_check_key failed.\n");
+ handle_openssl_error();
+ EVP_PKEY_free(pKey);
+ pKey = NULL;
+ }
+ } else {
+ handle_openssl_error();
+ if (pRSA) {
+ RSA_free(pRSA);
+ pRSA = NULL;
}
- return pKey;
+ if (pKey) {
+ EVP_PKEY_free(pKey);
+ pKey = NULL;
+ }
+ }
+ return pKey;
}
-void init_openssl(void)
-{
- if (SSL_library_init()) {
- SSL_load_error_strings();
- OpenSSL_add_all_algorithms();
- RAND_load_file("/dev/urandom", 1024);
- } else
- exit(EXIT_FAILURE);
+void init_openssl(void) {
+ if (SSL_library_init()) {
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+ RAND_load_file("/dev/urandom", 1024);
+ } else
+ exit(EXIT_FAILURE);
}
-void cleanup_openssl(void)
-{
- CRYPTO_cleanup_all_ex_data();
- ERR_free_strings();
- ERR_remove_thread_state(0);
- EVP_cleanup();
+void cleanup_openssl(void) {
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+ ERR_remove_thread_state(0);
+ EVP_cleanup();
}
void handle_openssl_error(void) { ERR_print_errors_fp(stderr); }
-inline void ensure_openssl_key_present_and_valid(const std::string &filepath)
-{
- bool pem_file_valid = false;
+inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
+ bool pem_file_valid = false;
- pem_file_valid = verify_openssl_key_cert(filepath);
+ pem_file_valid = verify_openssl_key_cert(filepath);
- if (!pem_file_valid) {
- generate_ssl_certificate(filepath);
- }
+ if (!pem_file_valid) {
+ generate_ssl_certificate(filepath);
+ }
}
} \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-18 16:35:28 +0300