mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-19 21:58:04 +00:00
px5g-mbedtls: add subjectAltName and extendedKeyUsage to SSL certs
To better acommodate with the current browsers' requirements, also self-signed certificates should have subjectAltName and extendedKeyUsage defined in the self-signed x509 SSL certificates. The following case sensitive options are now possible: -addext subjectAltName=DNS:... -addext subjectAltName=EMAIL:... -addext subjectAltName=IP:... -addext subjectAltName=URI:... -addext extendedKeyUsage=serverAuth OR -addext extendedKeyUsage=any Initial draft by Paul Donald <newtwen@gmail.com> Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> Link: https://github.com/openwrt/openwrt/pull/15366 Signed-off-by: Robert Marko <robimarko@gmail.com>
This commit is contained in:
parent
ccc06f6716
commit
efca89daef
@ -8,7 +8,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=px5g-mbedtls
|
||||
PKG_RELEASE:=10
|
||||
PKG_RELEASE:=11
|
||||
PKG_LICENSE:=LGPL-2.1
|
||||
|
||||
PKG_BUILD_FLAGS:=no-mips16
|
||||
|
@ -38,8 +38,13 @@
|
||||
#include <mbedtls/ecp.h>
|
||||
#include <mbedtls/rsa.h>
|
||||
#include <mbedtls/pk.h>
|
||||
#include <mbedtls/asn1.h>
|
||||
#include <mbedtls/oid.h>
|
||||
|
||||
#define PX5G_VERSION "0.2"
|
||||
#define SET_OID(x, oid) \
|
||||
do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0)
|
||||
|
||||
#define PX5G_VERSION "0.3"
|
||||
#define PX5G_COPY "Copyright (c) 2009 Steven Barth <steven@midlink.org>"
|
||||
#define PX5G_LICENSE "Licensed under the GNU Lesser General Public License v2.1"
|
||||
|
||||
@ -193,6 +198,16 @@ int selfsigned(char **arg)
|
||||
mbedtls_pk_context key;
|
||||
mbedtls_x509write_cert cert;
|
||||
mbedtls_mpi serial;
|
||||
mbedtls_x509_san_list *san_list = NULL, *san_prev = NULL, *san_cur = NULL;
|
||||
/*support
|
||||
- MBEDTLS_X509_SAN_DNS_NAME
|
||||
- MBEDTLS_X509_SAN_IP_ADDRESS
|
||||
- MBEDTLS_X509_SAN_RFC822_NAME
|
||||
- MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER
|
||||
*/
|
||||
mbedtls_asn1_sequence *eku = NULL, *ext_key_usage = NULL;
|
||||
char *sanval, *santype;
|
||||
uint8_t ipaddr[16] = { 0 };
|
||||
|
||||
char *subject = "";
|
||||
unsigned int ksize = 512;
|
||||
@ -267,8 +282,56 @@ int selfsigned(char **arg)
|
||||
oldc = delim + 1;
|
||||
} while(*delim);
|
||||
arg++;
|
||||
} else if (!strcmp(*arg, "-addext") && arg[1]) {
|
||||
mbedtls_asn1_sequence **tail = &eku;
|
||||
if (!strncmp(arg[1], "extendedKeyUsage=", strlen("extendedKeyUsage="))) {
|
||||
ext_key_usage = calloc(1, sizeof(mbedtls_asn1_sequence));
|
||||
ext_key_usage->buf.tag = MBEDTLS_ASN1_OID;
|
||||
if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "serverAuth", strlen("serverAuth"))) {
|
||||
SET_OID(ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH);
|
||||
} else if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "any", strlen("any"))) {
|
||||
SET_OID(ext_key_usage->buf, MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE);
|
||||
} // there are other extendedKeyUsage OIDs but none conceivably useful here
|
||||
*tail = ext_key_usage;
|
||||
tail = &ext_key_usage->next;
|
||||
arg++;
|
||||
} else if (!strncmp(arg[1], "subjectAltName=", strlen("subjectAltName=")) && strchr(arg[1], ':') != NULL) {
|
||||
santype = strchr(arg[1], '=') + 1;
|
||||
sanval = strchr(arg[1], ':') + 1;
|
||||
//build sAN list
|
||||
san_cur = calloc(1, sizeof(mbedtls_x509_san_list));
|
||||
san_cur->next = NULL;
|
||||
if (!strncmp(santype, "DNS:", strlen("DNS:"))) {
|
||||
san_cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
|
||||
san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
|
||||
san_cur->node.san.unstructured_name.len = strlen(sanval);
|
||||
} else if (!strncmp(santype, "EMAIL:", strlen("EMAIL:"))) {
|
||||
san_cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
|
||||
san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
|
||||
san_cur->node.san.unstructured_name.len = strlen(sanval);
|
||||
} else if (!strncmp(santype, "IP:", strlen("IP:"))) {
|
||||
san_cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
|
||||
mbedtls_x509_crt_parse_cn_inet_pton(sanval, ipaddr);
|
||||
san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;
|
||||
san_cur->node.san.unstructured_name.len = sizeof(ipaddr);
|
||||
} else if (!strncmp(santype, "URI:", strlen("URI:"))) {
|
||||
san_cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
|
||||
san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
|
||||
san_cur->node.san.unstructured_name.len = strlen(sanval);
|
||||
}
|
||||
else fprintf(stderr, "No match to subjectAltName content type.\n");
|
||||
arg++;
|
||||
}
|
||||
}
|
||||
arg++;
|
||||
|
||||
//set the pointers in our san_list linked list
|
||||
if (san_prev == NULL) {
|
||||
san_list = san_cur;
|
||||
} else {
|
||||
san_prev->next = san_cur;
|
||||
}
|
||||
san_prev = san_cur;
|
||||
}
|
||||
gen_key(&key, rsa, ksize, exp, curve, pem);
|
||||
|
||||
@ -295,6 +358,8 @@ int selfsigned(char **arg)
|
||||
mbedtls_x509write_crt_set_basic_constraints(&cert, 0, -1);
|
||||
mbedtls_x509write_crt_set_subject_key_identifier(&cert);
|
||||
mbedtls_x509write_crt_set_authority_key_identifier(&cert);
|
||||
mbedtls_x509write_crt_set_subject_alternative_name(&cert, san_list);
|
||||
mbedtls_x509write_crt_set_ext_key_usage(&cert, ext_key_usage);
|
||||
|
||||
_urandom(NULL, (void *) buf, 8);
|
||||
for (len = 0; len < 8; len++)
|
||||
|
Loading…
Reference in New Issue
Block a user