From e6f4832737cd2b83b010e13582f59f2b4a965ce6 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 4 Dec 2015 16:25:21 +0200 Subject: [PATCH] EST: Add CSR generation support with BoringSSL This completes EST support with hs20-osu-client when built with BoringSSL instead of OpenSSL. Signed-off-by: Jouni Malinen --- hs20/client/est.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/hs20/client/est.c b/hs20/client/est.c index d754e6108..90a51d5ad 100644 --- a/hs20/client/est.c +++ b/hs20/client/est.c @@ -16,6 +16,9 @@ #include #include #include +#ifdef OPENSSL_IS_BORINGSSL +#include +#endif /* OPENSSL_IS_BORINGSSL */ #include "common.h" #include "utils/base64.h" @@ -238,8 +241,6 @@ ASN1_CHOICE(CsrAttrs) = { IMPLEMENT_ASN1_FUNCTIONS(CsrAttrs); -#ifndef OPENSSL_IS_BORINGSSL - static void add_csrattrs_oid(struct hs20_osu_client *ctx, ASN1_OBJECT *oid, STACK_OF(X509_EXTENSION) *exts) { @@ -334,6 +335,23 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs, if (!csrattrs || ! csrattrs->attrs) return; +#ifdef OPENSSL_IS_BORINGSSL + num = sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *, + csrattrs->attrs)); + for (i = 0; i < num; i++) { + AttrOrOID *ao = sk_value( + CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *, + csrattrs->attrs), i); + switch (ao->type) { + case 0: + add_csrattrs_oid(ctx, ao->d.oid, exts); + break; + case 1: + add_csrattrs_attr(ctx, ao->d.attribute, exts); + break; + } + } +#else /* OPENSSL_IS_BORINGSSL */ num = SKM_sk_num(AttrOrOID, csrattrs->attrs); for (i = 0; i < num; i++) { AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i); @@ -346,20 +364,14 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs, break; } } -} - #endif /* OPENSSL_IS_BORINGSSL */ +} static int generate_csr(struct hs20_osu_client *ctx, char *key_pem, char *csr_pem, char *est_req, char *old_cert, CsrAttrs *csrattrs) { -#ifdef OPENSSL_IS_BORINGSSL - wpa_printf(MSG_ERROR, - "EST: CSR generation not yet supported with BoringSSL"); - return -1; -#else /* OPENSSL_IS_BORINGSSL */ EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; RSA *rsa; @@ -371,6 +383,7 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem, STACK_OF(X509_EXTENSION) *exts = NULL; X509_EXTENSION *ex; BIO *out; + CONF *ctmp = NULL; wpa_printf(MSG_INFO, "Generate RSA private key"); write_summary(ctx, "Generate RSA private key"); @@ -452,20 +465,20 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem, if (!exts) goto fail; - ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, - "CA:FALSE"); + ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_basic_constraints, + "CA:FALSE"); if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex)) goto fail; - ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, - "nonRepudiation,digitalSignature,keyEncipherment"); + ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_key_usage, + "nonRepudiation,digitalSignature,keyEncipherment"); if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex)) goto fail; - ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage, - "1.3.6.1.4.1.40808.1.1.2"); + ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_ext_key_usage, + "1.3.6.1.4.1.40808.1.1.2"); if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex)) goto fail; @@ -566,7 +579,6 @@ fail: if (pctx) EVP_PKEY_CTX_free(pctx); return ret; -#endif /* OPENSSL_IS_BORINGSSL */ }