tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make sure the serial number field is always initialized 

fixes #9947
This commit is contained in:
Gunnar Beutner 2015-08-18 14:40:23 +02:00
parent bd5f70f92c
commit 6ffdbce213
3 changed files with 33 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
lib/base/tlsutility.cpp
View File

@ -21,6 +21,7 @@
#include "base/convert.hpp" #include "base/convert.hpp"
#include "base/logger.hpp" #include "base/logger.hpp"
#include "base/context.hpp" #include "base/context.hpp"
#include "base/utility.hpp"
#include "base/application.hpp" #include "base/application.hpp"
#include "base/exception.hpp" #include "base/exception.hpp"
#include <fstream> #include <fstream>
@ -246,7 +247,7 @@ boost::shared_ptr<X509> GetX509Certificate(const String& pemfile)
return boost::shared_ptr<X509>(cert, X509_free); return boost::shared_ptr<X509>(cert, X509_free);
} }
int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile, const String& certfile, bool ca) int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile, const String& certfile, const String& serialfile, bool ca)
{ {
char errbuf[120]; char errbuf[120];
@ -290,7 +291,7 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
X509_NAME *subject = X509_NAME_new(); X509_NAME *subject = X509_NAME_new();
X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0); X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
boost::shared_ptr<X509> cert = CreateCert(key, subject, subject, key, ca); boost::shared_ptr<X509> cert = CreateCert(key, subject, subject, key, ca, serialfile);
X509_NAME_free(subject); X509_NAME_free(subject);
@ -378,9 +379,10 @@ boost::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
X509_set_subject_name(cert, subject); X509_set_subject_name(cert, subject);
X509_set_issuer_name(cert, issuer); X509_set_issuer_name(cert, issuer);
if (!serialfile.IsEmpty()) { int serial = 1;
int serial = 0;
if (!serialfile.IsEmpty()) {
if (Utility::PathExists(serialfile)) {
std::ifstream ifp; std::ifstream ifp;
ifp.open(serialfile.CStr()); ifp.open(serialfile.CStr());
ifp >> std::hex >> serial; ifp >> std::hex >> serial;
@ -388,6 +390,7 @@ boost::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
if (ifp.fail()) if (ifp.fail())
BOOST_THROW_EXCEPTION(std::runtime_error("Could not read serial file.")); BOOST_THROW_EXCEPTION(std::runtime_error("Could not read serial file."));
}
std::ofstream ofp; std::ofstream ofp;
ofp.open(serialfile.CStr()); ofp.open(serialfile.CStr());
@ -396,22 +399,28 @@ boost::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NA
if (ofp.fail()) if (ofp.fail())
BOOST_THROW_EXCEPTION(std::runtime_error("Could not update serial file.")); BOOST_THROW_EXCEPTION(std::runtime_error("Could not update serial file."));
ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
} }
if (ca) { ASN1_INTEGER_set(X509_get_serialNumber(cert), serial);
X509_EXTENSION *ext; X509_EXTENSION *ext;
X509V3_CTX ctx; X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0); X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast<char *>("critical,CA:TRUE"));
const char *attr;
if (ca)
attr = "critical,CA:TRUE";
else
attr = "critical,CA:FALSE";
ext = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, const_cast<char *>(attr));
if (ext) if (ext)
X509_add_ext(cert, ext, -1); X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext); X509_EXTENSION_free(ext);
}
X509_sign(cert, cakey, EVP_sha256()); X509_sign(cert, cakey, EVP_sha256());

2
lib/base/tlsutility.hpp
View File

@ -42,7 +42,7 @@ boost::shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey, cons
void I2_BASE_API AddCRLToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& crlPath); void I2_BASE_API AddCRLToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& crlPath);
String I2_BASE_API GetCertificateCN(const boost::shared_ptr<X509>& certificate); String I2_BASE_API GetCertificateCN(const boost::shared_ptr<X509>& certificate);
boost::shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile); boost::shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false); int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), const String& serialFile = String(), bool ca = false);
boost::shared_ptr<X509> I2_BASE_API CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, bool ca, const String& serialfile = String()); boost::shared_ptr<X509> I2_BASE_API CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, bool ca, const String& serialfile = String());
String I2_BASE_API GetIcingaCADir(void); String I2_BASE_API GetIcingaCADir(void);
String I2_BASE_API CertificateToString(const boost::shared_ptr<X509>& cert); String I2_BASE_API CertificateToString(const boost::shared_ptr<X509>& cert);

18
lib/cli/pkiutility.cpp
View File

@ -59,23 +59,7 @@ int PkiUtility::NewCa(void)
return 1; return 1;
} }
MakeX509CSR("Icinga CA", cadir + "/ca.key", String(), cadir + "/ca.crt", true); MakeX509CSR("Icinga CA", cadir + "/ca.key", String(), cadir + "/ca.crt", cadir + "/serial.txt", true);
String serialpath = cadir + "/serial.txt";
Log(LogInformation, "cli")
<< "Initializing serial file in '" << serialpath << "'.";
std::ofstream fp;
fp.open(serialpath.CStr());
fp << "01";
fp.close();
if (fp.fail()) {
Log(LogCritical, "cli")
<< "Could not create serial file '" << serialpath << "'";
return 1;
}
return 0; return 0;
} }