fix: misc ssl changes
This commit is contained in:
+34
-19
@@ -62,10 +62,17 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
|
||||
memset(cert.get(), 0, sizeof(Cert));
|
||||
wc_InitCert(cert.get());
|
||||
|
||||
cert->isCA = 0;
|
||||
cert->basicConstSet = 1;
|
||||
cert->basicConstCrit = 0;
|
||||
|
||||
cert->version = 2;
|
||||
cert->sigType = CTC_SHA256wRSA;
|
||||
cert->daysValid = 365;
|
||||
|
||||
cert->keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_KEY_ENCIPHER;
|
||||
cert->extKeyUsage = EXTKEYUSE_SERVER_AUTH;
|
||||
|
||||
strncpy_s(cert->subject.commonName, sizeof(cert->subject.commonName), hostTrimmed.c_str(), _TRUNCATE);
|
||||
wc_SetIssuerBuffer(cert.get(), _caCertDer.data(), (int)_caCertDer.size());
|
||||
|
||||
@@ -78,41 +85,41 @@ WOLFSSL_CTX* CertificateManager::createHostContext(const std::string& host)
|
||||
cert->serial[3] = hash & 0xFF;
|
||||
|
||||
// SAN
|
||||
std::vector<unsigned char> sanDer;
|
||||
sanDer.push_back(0x30);
|
||||
sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length() + 2));
|
||||
sanDer.push_back(0x82);
|
||||
sanDer.push_back(static_cast<unsigned char>(hostTrimmed.length()));
|
||||
sanDer.insert(sanDer.end(), hostTrimmed.begin(), hostTrimmed.end());
|
||||
strncpy_s(reinterpret_cast<char*>(cert->altNames), sizeof(cert->altNames), hostTrimmed.c_str(), _TRUNCATE);
|
||||
cert->altNamesSz = static_cast<word16>(hostTrimmed.length());
|
||||
|
||||
memcpy(cert->altNames, sanDer.data(), sanDer.size());
|
||||
cert->altNamesSz = static_cast<word16>(sanDer.size());
|
||||
wc_SetSubjectKeyIdFromPublicKey(cert.get(), _sessionKey.get(), nullptr);
|
||||
wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size());
|
||||
|
||||
/*
|
||||
cert sign
|
||||
*/
|
||||
std::vector<unsigned char> hostCertDer(4096);
|
||||
int certLen =
|
||||
wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _sessionKey.get(), nullptr, _rng.get());
|
||||
std::vector<unsigned char> hostCertDer(8192);
|
||||
int certLen = wc_MakeCert(cert.get(), hostCertDer.data(), static_cast<word32>(hostCertDer.size()),
|
||||
_sessionKey.get(), nullptr, _rng.get());
|
||||
if (certLen < 0) return nullptr;
|
||||
|
||||
certLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(), static_cast<word32>(hostCertDer.size()), _caKey.get(),
|
||||
nullptr, _rng.get());
|
||||
hostCertDer.resize(certLen);
|
||||
int signedLen = wc_SignCert(cert->bodySz, cert->sigType, hostCertDer.data(),
|
||||
static_cast<word32>(hostCertDer.size()), _caKey.get(), nullptr, _rng.get());
|
||||
if (signedLen < 0) return nullptr;
|
||||
hostCertDer.resize(signedLen);
|
||||
|
||||
/*
|
||||
context setup
|
||||
*/
|
||||
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
|
||||
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLS_server_method());
|
||||
if (!ctx) return nullptr;
|
||||
if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()), WOLFSSL_FILETYPE_ASN1) !=
|
||||
WOLFSSL_SUCCESS ||
|
||||
if (wolfSSL_CTX_use_certificate_buffer(ctx, hostCertDer.data(), static_cast<long>(hostCertDer.size()),
|
||||
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS ||
|
||||
wolfSSL_CTX_use_PrivateKey_buffer(ctx, _sessionKeyDer.data(), static_cast<long>(_sessionKeyDer.size()),
|
||||
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS)
|
||||
{
|
||||
wolfSSL_CTX_free(ctx);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
_hostContexts[host] = ctx;
|
||||
|
||||
return ctx;
|
||||
}
|
||||
|
||||
@@ -172,10 +179,15 @@ bool CertificateManager::generateAndSaveCA(const char* caName, int days, const s
|
||||
cert->sigType = CTC_SHA256wRSA;
|
||||
cert->daysValid = days;
|
||||
cert->keyUsage = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN;
|
||||
cert->pathLenSet = 0;
|
||||
cert->pathLen = 0;
|
||||
|
||||
cert->serialSz = 1;
|
||||
cert->serial[0] = 1;
|
||||
|
||||
wc_SetSubjectKeyIdFromPublicKey(cert.get(), _caKey.get(), 0);
|
||||
wc_SetAuthKeyIdFromCert(cert.get(), _caCertDer.data(), _caCertDer.size());
|
||||
|
||||
/*
|
||||
CA sign
|
||||
*/
|
||||
@@ -239,7 +251,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
|
||||
std::vector<unsigned char> keyDer;
|
||||
DerBuffer* derBuff = nullptr;
|
||||
|
||||
int ret = wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
|
||||
int ret =
|
||||
wc_PemToDer(certPem.data(), static_cast<long>(certPem.size()), CERT_TYPE, &derBuff, nullptr, nullptr, nullptr);
|
||||
if (ret == 0 && derBuff)
|
||||
{
|
||||
certDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
|
||||
@@ -249,7 +262,8 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
|
||||
return false;
|
||||
|
||||
derBuff = nullptr;
|
||||
ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr, nullptr);
|
||||
ret = wc_PemToDer(keyPem.data(), static_cast<long>(keyPem.size()), PRIVATEKEY_TYPE, &derBuff, nullptr, nullptr,
|
||||
nullptr);
|
||||
if (ret == 0 && derBuff)
|
||||
{
|
||||
keyDer.assign(derBuff->buffer, derBuff->buffer + derBuff->length);
|
||||
@@ -260,6 +274,7 @@ bool CertificateManager::loadCA(const char* certPath, const char* keyPath)
|
||||
|
||||
return decodeCA(certDer, keyDer);
|
||||
}
|
||||
|
||||
bool CertificateManager::decodeCA(const std::vector<unsigned char>& certDer, const std::vector<unsigned char>& keyDer)
|
||||
{
|
||||
if (certDer.empty() || keyDer.empty()) return false;
|
||||
|
||||
Reference in New Issue
Block a user