EST: Add CSR generation support with BoringSSL

This completes EST support with hs20-osu-client when built with BoringSSL instead of OpenSSL. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 16:25:21 +02:00 · 2015-12-04 16:25:21 +02:00 · e6f4832737
commit e6f4832737
parent ed2566ac9b
1 changed files with 28 additions and 16 deletions
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@ -16,6 +16,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #ifdef OPENSSL_IS_BORINGSSL
 #include <openssl/buf.h>
 #endif /* OPENSSL_IS_BORINGSSL */
 #include "common.h"
 #include "utils/base64.h"
@ -238,8 +241,6 @@ ASN1_CHOICE(CsrAttrs) = {
 IMPLEMENT_ASN1_FUNCTIONS(CsrAttrs);
 #ifndef OPENSSL_IS_BORINGSSL
 static void add_csrattrs_oid(struct hs20_osu_client *ctx, ASN1_OBJECT *oid,
 			     STACK_OF(X509_EXTENSION) *exts)
 {
@ -334,6 +335,23 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
 	if (!csrattrs || ! csrattrs->attrs)
 		return;
 #ifdef OPENSSL_IS_BORINGSSL
 	num = sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *,
 				  csrattrs->attrs));
 	for (i = 0; i < num; i++) {
 		AttrOrOID *ao = sk_value(
 			CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *,
 				     csrattrs->attrs), i);
 		switch (ao->type) {
 		case 0:
 			add_csrattrs_oid(ctx, ao->d.oid, exts);
 			break;
 		case 1:
 			add_csrattrs_attr(ctx, ao->d.attribute, exts);
 			break;
 		}
 	}
 #else /* OPENSSL_IS_BORINGSSL */
 	num = SKM_sk_num(AttrOrOID, csrattrs->attrs);
 	for (i = 0; i < num; i++) {
 		AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i);
@ -346,20 +364,14 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
 			break;
 		}
 	}
 }
 #endif /* OPENSSL_IS_BORINGSSL */
 }
 static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 			char *csr_pem, char *est_req, char *old_cert,
 			CsrAttrs *csrattrs)
 {
 #ifdef OPENSSL_IS_BORINGSSL
 	wpa_printf(MSG_ERROR,
 		"EST: CSR generation not yet supported with BoringSSL");
 	return -1;
 #else /* OPENSSL_IS_BORINGSSL */
 	EVP_PKEY_CTX *pctx = NULL;
 	EVP_PKEY *pkey = NULL;
 	RSA *rsa;
@ -371,6 +383,7 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 	STACK_OF(X509_EXTENSION) *exts = NULL;
 	X509_EXTENSION *ex;
 	BIO *out;
 	CONF *ctmp = NULL;
 	wpa_printf(MSG_INFO, "Generate RSA private key");
 	write_summary(ctx, "Generate RSA private key");
@ -452,20 +465,20 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
 	if (!exts)
 		goto fail;
-	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
+	ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_basic_constraints,
-				 "CA:FALSE");
+				  "CA:FALSE");
 	if (ex == NULL ||
 	    !sk_X509_EXTENSION_push(exts, ex))
 		goto fail;
-	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage,
+	ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_key_usage,
-				 "nonRepudiation,digitalSignature,keyEncipherment");
+				  "nonRepudiation,digitalSignature,keyEncipherment");
 	if (ex == NULL ||
 	    !sk_X509_EXTENSION_push(exts, ex))
 		goto fail;
-	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage,
+	ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_ext_key_usage,
-				 "1.3.6.1.4.1.40808.1.1.2");
+				  "1.3.6.1.4.1.40808.1.1.2");
 	if (ex == NULL ||
 	    !sk_X509_EXTENSION_push(exts, ex))
 		goto fail;
@ -566,7 +579,6 @@ fail:
 	if (pctx)
 		EVP_PKEY_CTX_free(pctx);
 	return ret;
 #endif /* OPENSSL_IS_BORINGSSL */
 }