/*
* Copyright (c) 2008-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of the License "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "http://www.eclipse.org/legal/epl-v10.html".
*
* Initial Contributors:
* Nokia Corporation - initial contribution.
*
* Contributors:
*
* Description:
*
*/
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include "encdec.h"
#include "x509utils.h"
#include "logger.h"
//
// TKeyIdentifier
//
void EncodeHuman(REncodeWriteStream& aStream,const KeyIdentifierObject &aKeyId)
{
if(aKeyId.iAutoKey)
{
aStream.WriteCStr("auto");
if(aKeyId.iHash.Length() == 0)
{
return; // Empty value so no point in including it in a comment...
}
if(!aStream.Verbose())
{
return; // auto, and not in verbose mode so do not write value in comment
}
aStream.WriteCStr(" # ");
}
aStream.WriteByte('\'');
const TUint8 *ptr = aKeyId.iHash.Ptr();
TInt len = aKeyId.iHash.Length();
while(len--)
{
TUint8 byte = *ptr++;
TUint8 buf[2];
TUint8 ch = ((byte & 0xf0) >> 4);
ch = (ch<=9) ? (ch +'0') : (ch - 10 +'A');
// Write MSB char of byte
buf[0] = ch;
ch = (byte & 0x0f);
ch = (ch<=9) ? (ch +'0') : (ch - 10 +'A');
// Write LSB char of byte
buf[1] = ch;
aStream.WriteBin(buf, sizeof(buf));
if(len)
{
aStream.WriteByte(':');
}
}
aStream.WriteByte('\'');
}
void DecodeHuman(RDecodeReadStream& aStream, KeyIdentifierObject &aKeyId)
{
aStream.ReadNextToken();
std::string tok = aStream.Token();
if(tok == "auto")
{
aKeyId.iAutoKey = true;
aKeyId.iHash.SetLength(0);
return;
}
aKeyId.iAutoKey = false;
if((tok[0] != '\'') || (tok[tok.size()-1] != '\'') || (tok.size() < 2))
{
dbg << Log::Indent() << "KeyIdentifier not enclosed in single quotes, or contains spaces - " << tok << Log::Endl();
FatalError();
}
tok.erase(0,1);
tok.erase(tok.size()-1,1);
if(tok.size() == 0)
{
aKeyId.iHash.SetLength(0);
return;
}
if(TInt(tok.size()) != (aKeyId.iHash.MaxLength()*2) + (aKeyId.iHash.MaxLength()-1))
{
dbg << Log::Indent() << "WARNING: KeyIdentifier length not " << aKeyId.iHash.MaxLength()*2 << " hex digits" << Log::Endl();
dbg << Log::Indent() << "KeyIdentifier is '" << tok << "'" << Log::Endl();
}
bool bad = false;
TInt bytesRead = 0;
const char *hexDigit = tok.data();
TInt charsToRead = tok.size();
TUint8 *dest = const_cast<TUint8 *>(aKeyId.iHash.Ptr());
while(charsToRead)
{
// Read MSB char
TUint8 byte = fromHex(*hexDigit++);
byte <<= 4;
--charsToRead;
// Read LSB char
if(charsToRead == 0)
{
bad = true;
break;
}
byte |= fromHex(*hexDigit++);
--charsToRead;
// Save decoded byte
*dest++ = byte;
++bytesRead;
if(charsToRead != 0)
{
// Consume : separator
if(*hexDigit++ != ':')
{
bad = true;
break;
}
--charsToRead;
}
}
if(bytesRead > aKeyId.iHash.MaxLength())
{
dbg << Log::Indent() << "Key Identifiier is too long" << Log::Endl();
bad = true;
}
if(bad)
{
dbg << Log::Indent() << "KeyIdentifier invalid - It should be a single quoted string containing a series of 0 or more 2 digit hex numbers separated by : chars." << Log::Endl();
dbg << Log::Indent() << "This field should normally be set to auto or omitted" << Log::Endl();
dbg << Log::Indent() << "KeyIdentifier is '" << tok << "'" << Log::Endl();
FatalError();
}
aKeyId.iHash.SetLength(bytesRead);
return;
}
RWriteStream& operator<<(RWriteStream& aStream,const KeyIdentifierObject& aKeyId)
{
aStream << aKeyId.iHash;
return aStream;
}
RReadStream& operator>>(RReadStream& aStream, KeyIdentifierObject& aKeyId)
{
aKeyId.iAutoKey = false;
aStream >> aKeyId.iHash;
return aStream;
}
// It is illegal to pass a "X **" ptr to a function taking a "const X
// **" argument. This is because the function could change the callers
// pointer to point at a const object which the caller might then
// accidentally write to!
//
// Unfortunately openssl 0.9.7* defines d2i_X509 to take an "unsigned
// char **" and 0.9.8 takes "const unsigned char **", so neither
// caller choice will compile for both....
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
#define D2I_CONST const
#else
#define D2I_CONST
#endif
bool X509SubjectKeyId(EUseCertificateExtension aUseExtension, bool aUseRfc3280Algorithm,
bool aIsCa, const std::string &aCert,
std::string &aSubject, TKeyIdentifier &aSubjectKeyId)
{
bool done = false;
prog << Log::Indent() << "X509SubjectKeyId - aUseExtension " << aUseExtension << " aUseRfc3280Algorithm " << aUseRfc3280Algorithm << " :-" << Log::Endl();
AutoIndent ai(prog); // IncIndent, will DecIndent when it leaves scope
// decode DER certificate into X509 structure
D2I_CONST unsigned char *p = (D2I_CONST unsigned char *)aCert.data();
X509 *x509 = d2i_X509(NULL, &p, aCert.size());
if(!x509 || ((const char *)p != aCert.data() + aCert.size()))
{
dbg << Log::Indent() << "openssl failed to decode certificate" << Log::Endl();
FatalError();
}
// Return the Subject Name
prog << Log::Indent() << "Cert subject is '" << x509->name << "'" << Log::Endl();
aSubject = std::string(x509->name);
TUint32 ver = X509_get_version(x509);
prog << Log::Indent() << "Cert version is '" << ver << "'" << Log::Endl();
// if the ver is a v1 or v2 type then there is no way of knowing which is a CA, treat all certs as CA as done in the certificate recognizer.
bool treatAsCa = false;
if ( ver < 3 || aIsCa )
{
treatAsCa = true;
}
if(treatAsCa && aUseExtension)
{
// Attempt to read Subject Key Id extension
ASN1_OCTET_STRING *subKeyId = (ASN1_OCTET_STRING *) X509_get_ext_d2i(x509, NID_subject_key_identifier, NULL, NULL);
if(subKeyId)
{
prog << Log::Indent() << "Found SubjectKeyId extension" << Log::Endl();
if(subKeyId->length <= aSubjectKeyId.MaxLength())
{
aSubjectKeyId = TPtrC8(subKeyId->data, subKeyId->length);
done = true;
}
else
{
prog << Log::Indent() << "but SubjectKeyId > 160 bits so ignoring it" << Log::Endl();
}
ASN1_OCTET_STRING_free(subKeyId);
}
}
if(!done)
{
// Subject Key Id extension was ignored, missing or too long...
if(aUseRfc3280Algorithm)
{
// We do not need to decode the public key just hash its
// data as per rfc3280 4.2.1.2 method 1
prog << Log::Indent() << "Calculating SubjectKeyId using RFC3280 4.2.1.2 method 1" << Log::Endl();
unsigned char sha1hash[SHA_DIGEST_LENGTH];
SHA1(x509->cert_info->key->public_key->data, x509->cert_info->key->public_key->length,
sha1hash);
aSubjectKeyId = TPtrC8(sha1hash, SHA_DIGEST_LENGTH);
done = true;
}
else
{
// Calculate SubjectKeyId via Symbian algorithm
prog << Log::Indent() << "Calculating SubjectKeyId using Symbian algorithm" << Log::Endl();
EVP_PKEY *key = X509_PUBKEY_get(x509->cert_info->key);
if(!key)
{
dbg << Log::Indent() << "openssl failed to decode certificate public key" << Log::Endl();
FatalError();
}
switch(key->type)
{
case EVP_PKEY_RSA:
{
TUint32 len = key->pkey.rsa->n->top*sizeof(BN_ULONG);
TUint8 *buf = new TUint8[len];
for(TUint32 i=0; i<len; ++i)
{
buf[i] = ((TUint8 *)key->pkey.rsa->n->d)[len-i-1];
}
unsigned char sha1hash[SHA_DIGEST_LENGTH];
SHA1(buf, len, sha1hash);
delete [] buf;
aSubjectKeyId = TPtrC8(sha1hash, SHA_DIGEST_LENGTH);
done = true;
break;
}
case EVP_PKEY_DSA:
{
TUint32 len = key->pkey.dsa->pub_key->top*sizeof(BN_ULONG);
TUint8 *buf = new TUint8[len];
for(TUint32 i=0; i<len; ++i)
{
buf[i] = ((TUint8 *)key->pkey.dsa->pub_key->d)[len-i-1];
}
unsigned char sha1hash[SHA_DIGEST_LENGTH];
SHA1(buf, len, sha1hash);
delete [] buf;
aSubjectKeyId = TPtrC8(sha1hash, SHA_DIGEST_LENGTH);
done = true;
break;
}
default:
// Unknown public key type.
prog << Log::Indent() << "Unknown public key type " << key->type << Log::Endl();
break;
}
EVP_PKEY_free(key);
}
}
X509_free(x509);
return done;
}
bool X509IssuerKeyId(EUseCertificateExtension aUseExtension,
const TUint8 *aCert, TUint32 aCertLength,
std::string &aIssuer, TKeyIdentifier &aIssuerKeyId)
{
prog << Log::Indent() << "X509IssuerKeyId :-" << Log::Endl();
AutoIndent ai(prog); // IncIndent, will DecIndent when it leaves scope
bool done = false;
// decode DER certificate into X509 structure
D2I_CONST unsigned char *p = (D2I_CONST unsigned char *)aCert;
X509 *x509 = d2i_X509(NULL, &p, aCertLength);
if(!x509 || (p != aCert+aCertLength))
{
dbg << Log::Indent() << "openssl failed to decode certificate" << Log::Endl();
FatalError();
}
// Return the Subject Name
prog << Log::Indent() << "Cert subject is '" << x509->name << "'" << Log::Endl();
char *issuerOne = X509_NAME_oneline(X509_get_issuer_name(x509),0,0);
prog << Log::Indent() << "Cert issuer is '" << issuerOne << "'" << Log::Endl();
aIssuer = issuerOne;
OPENSSL_free(issuerOne);
if(aUseExtension)
{
// Attempt to read Subject Key Id extension
AUTHORITY_KEYID *authKeyId = (AUTHORITY_KEYID *) X509_get_ext_d2i(x509, NID_authority_key_identifier, NULL, NULL);
if(authKeyId)
{
prog << Log::Indent() << "Found AuthorityKeyId extension" << Log::Endl();
if(authKeyId->keyid)
{
if(authKeyId->keyid->length <= aIssuerKeyId.MaxLength())
{
aIssuerKeyId = TPtrC8(authKeyId->keyid->data, authKeyId->keyid->length);
done = true;
}
else
{
prog << Log::Indent() << "but AuthroityKeyId > 160 bits so ignoring it" << Log::Endl();
}
}
else
{
prog << Log::Indent() << "but it does not include a key id, so ignoring it" << Log::Endl();
}
AUTHORITY_KEYID_free(authKeyId);
}
}
X509_free(x509);
return done;
}
void Der2Pem(const std::string &aDerCert, std::string &aPemCert)
{
prog << Log::Indent() << "Converting DER to PEM:-" << Log::Endl();
AutoIndent ai(prog); // IncIndent, will DecIndent when it leaves scope
// decode DER certificate into X509 structure
D2I_CONST unsigned char *p = (D2I_CONST unsigned char *)aDerCert.data();
X509 *x509 = d2i_X509(NULL, &p, aDerCert.size());
if(!x509 || ((const char *)p != aDerCert.data()+aDerCert.size()))
{
dbg << Log::Indent() << "openssl failed to decode certificate" << Log::Endl();
FatalError();
}
BIO *memBio = BIO_new(BIO_s_mem());
BULLSEYE_OFF
if(!memBio)
{
dbg << Log::Indent() << "openssl failed to create BIO" << Log::Endl();
FatalError();
}
if(!PEM_write_bio_X509(memBio, x509))
{
dbg << Log::Indent() << "openssl failed to convert to PEM" << Log::Endl();
FatalError();
}
BULLSEYE_RESTORE
long pemCertLen = 0;
char *pemCertData = 0;
pemCertLen = BIO_get_mem_data(memBio, &pemCertData);
// Return the PEM cert
aPemCert.assign(pemCertData, pemCertLen);
BIO_free(memBio);
X509_free(x509);
prog << Log::Indent() << "Conversion ok" << Log::Endl();
return;
}
static const char utf8Header[] =
{
0xef, 0xbb, 0xbf
};
bool Pem2Der(const std::string &aPemCert, std::string &aDerCert)
{
prog << Log::Indent() << "Try PEM to DER coversion :-" << Log::Endl();
AutoIndent ai(prog); // IncIndent, will DecIndent when it leaves scope
TUint32 pemLength=aPemCert.size();
const char *pemData=aPemCert.data();
if((pemLength >= 3) && (memcmp(aPemCert.data(), utf8Header, sizeof(utf8Header)) == 0))
{
// PEM cert has a UTF8 header, so strip it
prog << Log::Indent() << "Certificate data file has a UTF-8 header" << Log::Endl();
pemLength -= sizeof(utf8Header);
pemData += sizeof(utf8Header);
}
//
// Read PEM to internal
//
BIO *memBioIn = BIO_new_mem_buf((void *)pemData, pemLength);
BULLSEYE_OFF
if(!memBioIn)
{
dbg << Log::Indent() << "openssl failed to create BIO for reading PEM" << Log::Endl();
FatalError();
}
BULLSEYE_RESTORE
X509 *x509 = PEM_read_bio_X509(memBioIn, NULL, 0, NULL);
if(!x509)
{
prog << Log::Indent() << "Conversion failed - presumably DER" << Log::Endl();
return false;
}
BIO_free(memBioIn);
memBioIn = 0;
//
// Write internal to DER
//
unsigned char *derCert = 0;
int derLen = i2d_X509(x509, &derCert);
if(derLen <=0 )
{
dbg << Log::Indent() << "openssl failed to convert to DER" << Log::Endl();
FatalError();
}
// Return the DER cert
aDerCert.assign((char *)derCert, derLen);
X509_free(x509);
prog << Log::Indent() << "Conversion ok" << Log::Endl();
return true;
}
// End of file