You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
124 lines
3.8 KiB
124 lines
3.8 KiB
/*
|
|
* Copyright (C) 2019 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include "adb/crypto/x509_generator.h"
|
|
|
|
#include <vector>
|
|
|
|
#include <android-base/logging.h>
|
|
#include <crypto_utils/android_pubkey.h>
|
|
#include <openssl/bn.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/rsa.h>
|
|
|
|
namespace adb {
|
|
namespace crypto {
|
|
|
|
namespace {
|
|
|
|
const char kBasicConstraints[] = "critical,CA:TRUE";
|
|
const char kKeyUsage[] = "critical,keyCertSign,cRLSign,digitalSignature";
|
|
const char kSubjectKeyIdentifier[] = "hash";
|
|
constexpr int kCertLifetimeSeconds = 10 * 365 * 24 * 60 * 60;
|
|
|
|
bool add_ext(X509* cert, int nid, const char* value) {
|
|
size_t len = strlen(value) + 1;
|
|
std::vector<char> mutableValue(value, value + len);
|
|
X509V3_CTX context;
|
|
|
|
X509V3_set_ctx_nodb(&context);
|
|
|
|
X509V3_set_ctx(&context, cert, cert, nullptr, nullptr, 0);
|
|
X509_EXTENSION* ex = X509V3_EXT_nconf_nid(nullptr, &context, nid, mutableValue.data());
|
|
if (!ex) {
|
|
return false;
|
|
}
|
|
|
|
X509_add_ext(cert, ex, -1);
|
|
X509_EXTENSION_free(ex);
|
|
return true;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
bssl::UniquePtr<X509> GenerateX509Certificate(EVP_PKEY* pkey) {
|
|
CHECK(pkey);
|
|
bssl::UniquePtr<X509> x509(X509_new());
|
|
if (!x509) {
|
|
LOG(ERROR) << "Unable to allocate x509 container";
|
|
return nullptr;
|
|
}
|
|
X509_set_version(x509.get(), 2);
|
|
|
|
ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), 1);
|
|
X509_gmtime_adj(X509_get_notBefore(x509.get()), 0);
|
|
X509_gmtime_adj(X509_get_notAfter(x509.get()), kCertLifetimeSeconds);
|
|
|
|
if (!X509_set_pubkey(x509.get(), pkey)) {
|
|
LOG(ERROR) << "Unable to set x509 public key";
|
|
return nullptr;
|
|
}
|
|
|
|
X509_NAME* name = X509_get_subject_name(x509.get());
|
|
if (!name) {
|
|
LOG(ERROR) << "Unable to get x509 subject name";
|
|
return nullptr;
|
|
}
|
|
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
|
|
reinterpret_cast<const unsigned char*>("US"), -1, -1, 0);
|
|
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
|
|
reinterpret_cast<const unsigned char*>("Android"), -1, -1, 0);
|
|
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
|
|
reinterpret_cast<const unsigned char*>("Adb"), -1, -1, 0);
|
|
if (!X509_set_issuer_name(x509.get(), name)) {
|
|
LOG(ERROR) << "Unable to set x509 issuer name";
|
|
return nullptr;
|
|
}
|
|
|
|
add_ext(x509.get(), NID_basic_constraints, kBasicConstraints);
|
|
add_ext(x509.get(), NID_key_usage, kKeyUsage);
|
|
add_ext(x509.get(), NID_subject_key_identifier, kSubjectKeyIdentifier);
|
|
|
|
int bytes = X509_sign(x509.get(), pkey, EVP_sha256());
|
|
if (bytes <= 0) {
|
|
LOG(ERROR) << "Unable to sign x509 certificate";
|
|
return nullptr;
|
|
}
|
|
|
|
return x509;
|
|
}
|
|
|
|
std::string X509ToPEMString(X509* x509) {
|
|
bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
|
|
int rc = PEM_write_bio_X509(bio.get(), x509);
|
|
if (rc != 1) {
|
|
LOG(ERROR) << "PEM_write_bio_X509 failed";
|
|
return "";
|
|
}
|
|
|
|
BUF_MEM* mem = nullptr;
|
|
BIO_get_mem_ptr(bio.get(), &mem);
|
|
if (!mem || !mem->data || !mem->length) {
|
|
LOG(ERROR) << "BIO_get_mem_ptr failed";
|
|
return "";
|
|
}
|
|
|
|
return std::string(mem->data, mem->length);
|
|
}
|
|
|
|
} // namespace crypto
|
|
} // namespace adb
|