Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/linux.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ jobs:
- fedora:42
- fedora:43
- fedora:44
- fedora:45

- opensuse/leap:15.6
- opensuse/leap:16.0
Expand Down
29 changes: 23 additions & 6 deletions lib/base/tlsutility.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -403,7 +403,7 @@ void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath)
X509_VERIFY_PARAM_free(param);
}

static String GetX509NameCN(X509_NAME *name)
static String GetX509NameCN(X509NameConstPtr name)
{
char errbuf[256];
char buffer[256];
Expand Down Expand Up @@ -598,8 +598,25 @@ int MakeX509CSR(
X509_REQ_set_version(req, 0);
X509_REQ_set_pubkey(req, key);

X509_NAME *name = X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
std::unique_ptr<X509_NAME, decltype(&X509_NAME_free)> name{X509_NAME_new(), &X509_NAME_free};
if (!name) {
unsigned long err = ERR_peek_error();
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("X509_NAME_new")
<< errinfo_openssl_error(err));
}

X509_NAME_add_entry_by_txt(name.get(), "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);

if (!X509_REQ_set_subject_name(req, name.get())) {
unsigned long err = ERR_peek_error();
ERR_error_string_n(err, errbuf, sizeof errbuf);
Log(LogCritical, "SSL")
<< "Error while setting CSR subject name: " << err << ", \"" << errbuf << "\"";
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("X509_REQ_set_subject_name")
<< errinfo_openssl_error(err));
}

if (!ca) {
String san = "DNS:" + cn;
Expand Down Expand Up @@ -652,8 +669,8 @@ int MakeX509CSR(

std::shared_ptr<X509> CreateCert(
EVP_PKEY* pubkey,
X509_NAME* subject,
X509_NAME* issuer,
X509NameConstPtr subject,
X509NameConstPtr issuer,
EVP_PKEY* cakey,
long validFrom,
long validFor,
Expand Down Expand Up @@ -746,7 +763,7 @@ String GetIcingaCADir()
return Configuration::DataDir + "/ca";
}

std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, long validFrom, long validFor, bool ca)
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509NameConstPtr subject, long validFrom, long validFor, bool ca)
{
char errbuf[256];

Expand Down
11 changes: 8 additions & 3 deletions lib/base/tlsutility.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,11 @@ const auto LEAF_VALID_FOR = 60 * 60 * 24 * 397;
const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30;
const auto RENEW_INTERVAL = 60 * 60 * 24;

// Tracks the constness of X509_NAME* across OpenSSL versions: on 1.x getters return X509_NAME* and
// setters expect X509_NAME*; on 4.x both sides became const X509_NAME*. Using decltype on the getter
// gives us the right type automatically, so we can accept getter results and pass to setters cast-free.
using X509NameConstPtr = decltype(X509_get_subject_name(nullptr));

void InitializeOpenSSL();

String GetOpenSSLVersion();
Expand Down Expand Up @@ -66,8 +71,8 @@ int MakeX509CSR(
);
std::shared_ptr<X509> CreateCert(
EVP_PKEY* pubkey,
X509_NAME* subject,
X509_NAME* issuer,
X509NameConstPtr subject,
X509NameConstPtr issuer,
EVP_PKEY* cakey,
long validFrom,
long validFor,
Expand All @@ -83,7 +88,7 @@ inline String CertificateToString(const std::shared_ptr<X509>& cert)
}

std::shared_ptr<X509> StringToCertificate(const String& cert);
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, long validFrom, long validFor, bool ca = false);
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509NameConstPtr subject, long validFrom, long validFor, bool ca = false);
std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert, long validFrom = 0, long validFor = LEAF_VALID_FOR);
bool IsCertUptodate(const std::shared_ptr<X509>& cert);
bool IsCaUptodate(X509* cert);
Expand Down
6 changes: 2 additions & 4 deletions lib/remote/pkiutility.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -345,10 +345,8 @@ String PkiUtility::GetCertificateInformation(const std::shared_ptr<X509>& cert)

pre = "\n Serial: ";
BIO_write(out, pre.CStr(), pre.GetLength());
ASN1_INTEGER *asn1_serial = X509_get_serialNumber(cert.get());
for (int i = 0; i < asn1_serial->length; i++) {
BIO_printf(out, "%02x%c", asn1_serial->data[i], ((i + 1 == asn1_serial->length) ? '\n' : ':'));
}
i2a_ASN1_INTEGER(out, X509_get0_serialNumber(cert.get()));
BIO_write(out, "\n", 1);
Comment on lines -348 to +349

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This changes the output format slightly, from

 Serial:              39:7b:66:7a:3b:d2:73:49:1b:3f:a1:8c:83:a7:15:e5:07:38:91:1e

to

 Serial:              397B667A3BD273491B3FA18C83A715E50738911E

I'm willing to accept that if that makes our lives here easier. This is just the serial, not something you need to compare (things would look different if this was the fingerprint that you would want to compare for security reasons).

I've also looked if I could find another easy way to print an ASN1_INTEGER, but without success. However, I think I have an idea of what might have served as an inspiration for the old implementation.


pre = "\n Signature Algorithm: " + GetSignatureAlgorithm(cert);
BIO_write(out, pre.CStr(), pre.GetLength());
Expand Down
Loading