From bf01e8179cbb2be476805340636098deda7e1366 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 8 May 2015 09:02:26 +0200 Subject: certs: add PEM/DER conversion utilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina --- src/util/cert.h | 47 ++++++++++++ src/util/cert/cert_common.c | 154 +++++++++++++++++++++++++++++++++++++ src/util/cert/libcrypto/cert.c | 168 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 369 insertions(+) create mode 100644 src/util/cert.h create mode 100644 src/util/cert/cert_common.c create mode 100644 src/util/cert/libcrypto/cert.c (limited to 'src/util') diff --git a/src/util/cert.h b/src/util/cert.h new file mode 100644 index 000000000..79ea1a4ab --- /dev/null +++ b/src/util/cert.h @@ -0,0 +1,47 @@ +/* + SSSD - certificate handling utils - openssl version + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" + +#ifndef __CERT_H__ +#define __CERT_H__ + +errno_t sss_cert_der_to_pem(TALLOC_CTX *mem_ctx, const uint8_t *der_blob, + size_t der_size, char **pem, size_t *pem_size); + +errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, + uint8_t **der_blob, size_t *der_size); + +errno_t sss_cert_derb64_to_pem(TALLOC_CTX *mem_ctx, const char *derb64, + char **pem, size_t *pem_size); + +errno_t sss_cert_pem_to_derb64(TALLOC_CTX *mem_ctx, const char *pem, + char **derb64); + +errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, + const char *attr_name, + char **ldap_filter); + +errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_size, + char **_str); +#endif /* __CERT_H__ */ diff --git a/src/util/cert/cert_common.c b/src/util/cert/cert_common.c new file mode 100644 index 000000000..a29696ed3 --- /dev/null +++ b/src/util/cert/cert_common.c @@ -0,0 +1,154 @@ +/* + SSSD - certificate handling utils + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/cert.h" +#include "util/crypto/sss_crypto.h" + +errno_t sss_cert_derb64_to_pem(TALLOC_CTX *mem_ctx, const char *derb64, + char **pem, size_t *pem_size) +{ + int ret; + unsigned char *der; + size_t der_size; + + if (derb64 == NULL) { + return EINVAL; + } + + der = sss_base64_decode(mem_ctx, derb64, &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + return EINVAL; + } + + ret = sss_cert_der_to_pem(mem_ctx, der, der_size, pem, pem_size); + talloc_free(der); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_cert_der_to_pem failed.\n"); + } + + return ret; +} + +errno_t sss_cert_pem_to_derb64(TALLOC_CTX *mem_ctx, const char *pem, + char **derb64) +{ + int ret; + uint8_t *der; + size_t der_size; + + ret = sss_cert_pem_to_der(mem_ctx, pem, &der, &der_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_cert_pem_to_der failed.\n"); + return ret; + } + + *derb64 = sss_base64_encode(mem_ctx, der, der_size); + talloc_free(der); + if (*derb64 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_encode failed.\n"); + return EINVAL; + } + + return EOK; +} + +errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, + const char *attr_name, + char **ldap_filter) +{ + int ret; + unsigned char *der; + size_t der_size; + char *val; + + if (derb64 == NULL || attr_name == NULL) { + return EINVAL; + } + + der = sss_base64_decode(mem_ctx, derb64, &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + return EINVAL; + } + + ret = bin_to_ldap_filter_value(mem_ctx, der, der_size, &val); + talloc_free(der); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "bin_to_ldap_filter_value failed.\n"); + return ret; + } + + *ldap_filter = talloc_asprintf(mem_ctx, "(%s=%s)", attr_name, val); + talloc_free(val); + if (*ldap_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + return EOK; +} + +errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_size, + char **_str) +{ + int ret; + size_t c; + size_t len; + char *str = NULL; + char *p; + + if (blob == NULL || blob_size == 0 || _str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing input parameter.\n"); + return EINVAL; + } + + len = (blob_size * 3) + 1; + str = talloc_size(mem_ctx, len); + if (str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + str[len - 1] = '\0'; + + p = str; + for (c = 0; c < blob_size; c++) { + ret = snprintf(p, 4, "\\%02x", blob[c]); + if (ret != 3) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); + ret = EIO; + goto done; + } + + p += 3; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_str = str; + } else { + talloc_free(str); + } + + return ret; +} diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c new file mode 100644 index 000000000..1a250f60d --- /dev/null +++ b/src/util/cert/libcrypto/cert.c @@ -0,0 +1,168 @@ +/* + SSSD - certificate handling utils - openssl version + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" + +errno_t sss_cert_der_to_pem(TALLOC_CTX *mem_ctx, const uint8_t *der_blob, + size_t der_size, char **pem, size_t *pem_size) +{ + X509 *x509 = NULL; + BIO *bio_mem = NULL; + const unsigned char *d; + int ret; + long p_size; + char *p; + + if (der_blob == NULL || der_size == 0) { + return EINVAL; + } + + d = (const unsigned char *) der_blob; + + x509 = d2i_X509(NULL, &d, (int) der_size); + if (x509 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n"); + return EINVAL; + } + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "BIO_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = PEM_write_bio_X509(bio_mem, x509); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "PEM_write_bio_X509 failed.\n"); + ret = EIO; + goto done; + } + + p_size = BIO_get_mem_data(bio_mem, &p); + if (p_size == 0) { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected PEM size [%ld].\n", p_size); + ret = EINVAL; + goto done; + } + + if (pem != NULL) { + *pem = talloc_strndup(mem_ctx, p, p_size); + if (*pem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (pem_size != NULL) { + *pem_size = p_size; + } + + ret = EOK; + +done: + X509_free(x509); + BIO_free_all(bio_mem); + + return ret; +} + +errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, + uint8_t **_der_blob, size_t *_der_size) +{ + X509 *x509 = NULL; + BIO *bio_mem = NULL; + int ret; + unsigned char *buf; + int buf_size; + uint8_t *der_blob; + size_t der_size; + + if (pem == NULL) { + return EINVAL; + } + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "BIO_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = BIO_puts(bio_mem, pem); + if (ret <= 0) { + DEBUG(SSSDBG_OP_FAILURE, "BIO_puts failed.\n"); + ret = EIO; + goto done; + } + + x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL); + if (x509 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "PEM_read_bio_X509 failed.\n"); + ret = EIO; + goto done; + } + + buf_size = i2d_X509(x509, NULL); + if (buf_size <= 0) { + DEBUG(SSSDBG_OP_FAILURE, "i2d_X509 failed.\n"); + ret = EIO; + goto done; + } + + if (_der_blob != NULL) { + buf = talloc_size(mem_ctx, buf_size); + if (buf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + ret = ENOMEM; + goto done; + } + + der_blob = buf; + + der_size = i2d_X509(x509, &buf); + if (der_size != buf_size) { + talloc_free(der_blob); + DEBUG(SSSDBG_CRIT_FAILURE, + "i2d_X509 size mismatch between two calls.\n"); + ret = EIO; + goto done; + } + + *_der_blob = der_blob; + } + + if (_der_size != NULL) { + *_der_size = buf_size; + } + + ret = EOK; + +done: + X509_free(x509); + BIO_free_all(bio_mem); + + return ret; + +} -- cgit