From dr...@apache.org
Subject svn commit: r603742 - in /labs/badca: build/ssl.m4 configure.ac openssl/ openssl/Makefile.in openssl/cert.c openssl/certmodule.c openssl/certmodule_c.c openssl/setup.py openssl/setup.py.in
Date Wed, 12 Dec 2007 21:03:53 GMT
Author: dreid
Date: Wed Dec 12 13:03:52 2007
New Revision: 603742

URL: http://svn.apache.org/viewvc?rev=603742&view=rev
Log:
Get ssl detection working more reliably
Add a simple "pure C" test app/lib that allowed me to find and debug
a nasty little bug - hence it may be useful for others!
Change configure.ac to include new tests
Generate setup.py using the supplied values

Hopefully this will allow us to work on more platforms?


Added:
    labs/badca/openssl/Makefile.in
    labs/badca/openssl/cert.c
    labs/badca/openssl/certmodule_c.c
    labs/badca/openssl/setup.py.in
Removed:
    labs/badca/openssl/setup.py
Modified:
    labs/badca/build/ssl.m4
    labs/badca/configure.ac
    labs/badca/openssl/   (props changed)
    labs/badca/openssl/certmodule.c

Modified: labs/badca/build/ssl.m4
URL: http://svn.apache.org/viewvc/labs/badca/build/ssl.m4?rev=603742&r1=603741&r2=603742&view=diff
==============================================================================
--- labs/badca/build/ssl.m4 (original)
+++ labs/badca/build/ssl.m4 Wed Dec 12 13:03:52 2007
@@ -15,99 +15,119 @@
 dnl limitations under the License.
 
 dnl
-dnl SSL module
+dnl SSL autoconf functions
 dnl
 
+dnl Look for OpenSSL libraries and headers
 dnl
-dnl BADCA_FIND_SSL: look for ssl libraries and headers
-dnl
-AC_DEFUN([BADCA_FIND_SSL], [
-  badca_have_ssl=0
-
-  AC_ARG_WITH([ssl], [APR_HELP_STRING([--with-ssl], [enable SSL support])],
+AC_DEFUN([BADCA_CHECK_OPENSSL],
   [
-    if test "$withval" = "yes"; then
-      BADCA_CHECK_OPENSSL
-      dnl add checks for other varieties of ssl here
-    fi
-  ], [
-      badca_have_ssl=0
-  ])
-
-  if test "$badca_have_ssl" = "1"; then
-    AC_DEFINE([BADCA_HAVE_SSL], 1, [Define that we have SSL capability])
-  fi
-
-])
-dnl
+    badca_have_openssl=0
 
-AC_DEFUN([BADCA_CHECK_OPENSSL], [
-  badca_have_openssl=0
-  openssl_have_headers=0
-  openssl_have_libs=0
+    mydirs="/usr /usr/local /usr/sfw"
 
-  AC_ARG_WITH([openssl], 
-  [APR_HELP_STRING([--with-openssl=DIR], [specify location of OpenSSL])],
-  [
-    if test "$withval" = "yes"; then
-      AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
-      AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
-      if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0";
then
-        badca_have_openssl=1
+    AC_ARG_WITH([openssl], 
+    [  --with-openssl=DIR     specify location of OpenSSL],
+    [
+      if test "$withval" = "no"; then
+        AC_ERROR("OpenSSL is required for BaDCA")
+      elif test "$withval" = "yes"; then
+        for d in $mydirs; do
+          BADCA_CHECK_OPENSSL_PATH($d)
+        done
+      else
+        BADCA_CHECK_OPENSSL_PATH($withval)
       fi
-    elif test "$withval" = "no"; then
-      badca_have_openssl=0
-    else
-      old_cppflags="$CPPFLAGS"
-      old_ldflags="$LDFLAGS"
+    ], [
+      for d in $mydirs; do
+        BADCA_CHECK_OPENSSL_PATH($d)
+        if test "$badca_have_openssl" = "1"; then break; fi  
+      done
+
+    ])
+
+    
+    if test "$badca_have_openssl" = "1"; then
+      openssl_CPPFLAGS="-I$openssl_DIR/include"
+      AC_SUBST(openssl_CPPFLAGS)
+      openssl_LDFLAGS="-L$openssl_DIR/lib"
+      AC_SUBST(openssl_LDFLAGS)
+      openssl_LIBS="-lssl -lcrypto"
+      AC_SUBST(openssl_LIBS)
+
+      # These are meant for use in setup.py!
+      openssl_INCDIR="$openssl_DIR/include"
+      AC_SUBST(openssl_INCDIR)
+      openssl_LIBDIR="$openssl_DIR/lib"
+      AC_SUBST(openssl_LIBDIR)
+      openssl_LIBSONLY="ssl crypto"
+      AC_SUBST(openssl_LIBSONLY)
+    fi  
+  ]
+) 
 
-      openssl_CPPFLAGS="-I$withval/include"
-      openssl_LDFLAGS="-L$withval/lib "
 
-      APR_ADDTO(CPPFLAGS, [$openssl_CPPFLAGS])
-      APR_ADDTO(LDFLAGS, [$openssl_LDFLAGS])
-
-      AC_MSG_NOTICE(checking for openssl in $withval)
-      AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
-      AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
-      if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0";
then
+dnl Look for OpenSSL libraries and headers...
+AC_DEFUN([BADCA_CHECK_OPENSSL_PATH],
+  [
+    openssl_have_headers=0
+    openssl_have_libs=0
+    dir=$1
+
+    if test -d $1; then
+      AC_MSG_CHECKING([for OpenSSL in $1])
+      CHECK_OPENSSL("$1")
+      if test "$openssl_have_headers" = "1" && \
+         test "$openssl_have_libs" = "1"; then
+        AC_MSG_RESULT([yes, in $1])
+        openssl_DIR=$1
         badca_have_openssl=1
-        APR_ADDTO(APRUTIL_LDFLAGS, [-L$withval/lib])
-        APR_ADDTO(APRUTIL_INCLUDES, [-I$withval/include])
+      else
+        AC_MSG_RESULT([no])
       fi
-
-      if test "$badca_have_openssl" != "1"; then
-        AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
-        AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
-        if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0";
then
-          badca_have_openssl=1
-          APR_ADDTO(APRUTIL_LDFLAGS, [-L$withval/lib])
-          APR_ADDTO(APRUTIL_INCLUDES, [-I$withval/include])
-        fi
-      fi
-
-      AC_CHECK_DECLS([EVP_PKEY_CTX_new], [], [],
-                     [#include <openssl/evp.h>])
-
-      CPPFLAGS="$old_cppflags"
-      LDFLAGS="$old_ldflags"
-    fi
-  ], [
-    AC_CHECK_HEADERS(openssl/x509.h, [openssl_have_headers=1])
-    AC_CHECK_LIB(crypto, BN_init, AC_CHECK_LIB(ssl, SSL_accept, [openssl_have_libs=1],,-lcrypto))
-    if test "$openssl_have_headers" != "0" && test "$openssl_have_libs" != "0"; then
-      badca_have_openssl=1
+    else
+      echo "skipping directory $1 as it doesn't exist!"
     fi
-  ])
+  ]
+)
+dnl
 
-  AC_SUBST(badca_have_openssl)
+dnl CHECK_OPENSSL
+dnl Check if we have a valid path by trying to compile and run some
+dnl test code.
+dnl This simply sets some variables for the caller to check and act on
+dnl accordingly.
+dnl BIGNUM check allows us to check -lcrypto
+dnl X509 check is for -lssl
+AC_DEFUN([CHECK_OPENSSL],
+  [
+    orig_LDFLAGS="$LDFLAGS"
+    orig_CPPFLAGS="$CPPFLAGS"
 
-  dnl Add the libraries we will need now that we have set badca_have_openssl correctly
-  if test "$badca_have_openssl" = "1"; then
-    AC_DEFINE([BADCA_HAVE_OPENSSL], 1, [Define that we have OpenSSL available])
-    APR_ADDTO(APRUTIL_EXPORT_LIBS,[-lssl -lcrypto])
-    APR_ADDTO(APRUTIL_LIBS,[-lssl -lcrypto])
-    badca_have_ssl=1
-  fi
-])
-dnl
+    CPPFLAGS="-I$1/include $CPPFLAGS"
+    LDFLAGS="-L$1/lib -lssl -lcrypto $LDFLAGS"
+
+    AC_TRY_RUN([
+#include "openssl/x509.h"
+int main(void) {
+    X509 *cert = NULL;
+    BIGNUM *bn = BN_new();
+
+    BN_free(bn);
+
+    return (0);
+}
+    ], [
+      openssl_have_headers=1
+      openssl_have_libs=1
+    ], [
+      openssl_have_headers=0
+      openssl_have_libs=0
+    ], [
+      openssl_have_headers=0
+      openssl_have_libs=0
+    ])
+    LDFLAGS="$orig_LDFLAGS"
+    CPPFLAGS="$orig_CPPFLAGS"
+  ]
+)

Modified: labs/badca/configure.ac
URL: http://svn.apache.org/viewvc/labs/badca/configure.ac?rev=603742&r1=603741&r2=603742&view=diff
==============================================================================
--- labs/badca/configure.ac (original)
+++ labs/badca/configure.ac Wed Dec 12 13:03:52 2007
@@ -4,6 +4,7 @@
 top_srcdir=`pwd`
 
 sinclude(./build/python.m4)
+sinclude(./build/ssl.m4)
 
 AC_PREFIX_DEFAULT(/usr/local/badca)
 
@@ -19,8 +20,7 @@
 
 AC_CHECK_HEADER(Python.h)
 
-AC_CHECK_LIB(crypto, BN_init)
-AC_CHECK_LIB(ssl, SSL_accept)
+BADCA_CHECK_OPENSSL
 
 dnl Use a simple paython script to find the path that our extensions
 dnl will be built in. This is used to allow tests to be run without the
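Review bot: Nothing after `BADCA_CHECK_OPENSSL` tests `$badca_have_openssl`, so when no candidate directory matches, configure succeeds with empty `@openssl_CPPFLAGS@`/`@openssl_LDFLAGS@`/`@openssl_LIBS@` substitutions and the failure only appears at link time; the replaced `AC_CHECK_LIB` calls at least added the libraries to `LIBS`. A check right after the macro call makes the requirement explicit: `if test "$badca_have_openssl" != "1"; then AC_MSG_ERROR([OpenSSL headers and libraries not found; use --with-openssl=DIR]); fi`. Note also that `sinclude(./build/ssl.m4)` in the first hunk silently ignores a missing file, in which case `BADCA_CHECK_OPENSSL` would be emitted into the generated configure script as an unexpanded shell command.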
@@ -31,7 +31,9 @@
 
 AC_SUBST(top_srcdir)
 
-AC_CONFIG_FILES([Makefile])
+AC_CONFIG_FILES([Makefile
+                 openssl/setup.py
+                 openssl/Makefile])
 AC_OUTPUT()
 
 echo "

Propchange: labs/badca/openssl/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Wed Dec 12 13:03:52 2007
@@ -1,2 +1,7 @@
 build
+setup.py
+Makefile
+*.o
+*.a
+cert
 

Added: labs/badca/openssl/Makefile.in
URL: http://svn.apache.org/viewvc/labs/badca/openssl/Makefile.in?rev=603742&view=auto
==============================================================================
--- labs/badca/openssl/Makefile.in (added)
+++ labs/badca/openssl/Makefile.in Wed Dec 12 13:03:52 2007
@@ -0,0 +1,17 @@
+LIB_OBJ=certmodule_c.o
+APP_OBJ=cert.o
+
+INCLUDES=-I. 
+CPPFLAGS=@CPPFLAGS@ @openssl_CPPFLAGS@
+LDFLAGS=@LDFLAGS@ @openssl_LDFLAGS@
+LIBS=@LIBS@ @openssl_LIBS@
+
+all:	$(LIB_OBJ) $(APP_OBJ)
+	$(AR) -rs libcertmodule_c.a certmodule_c.o
+	$(CC) -o cert cert.o libcertmodule_c.a $(LDFLAGS) $(LIBS)
+
+clean:
+	rm -f *.a *.o cert
+
+.c.o:
+	@$(CC) $(CPPFLAGS) $(CFLAGS) $(PICFLAGS) -c $< -o $@
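Review bot: `INCLUDES=-I.` is defined but never referenced, and `CFLAGS` is not substituted from configure, so the `.c.o` rule compiles without the flags configure chose; `CFLAGS=@CFLAGS@` and `$(CC) $(CPPFLAGS) $(INCLUDES) $(CFLAGS) $(PICFLAGS) -c $< -o $@` would fix both. The leading `@` in that rule hides the compile command line, which works against the stated purpose of this directory (finding and debugging detection problems), so I would drop it. `PICFLAGS` is never set anywhere visible in this commit and is presumably expected from the environment; a comment or a default assignment would make that explicit.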

Added: labs/badca/openssl/cert.c
URL: http://svn.apache.org/viewvc/labs/badca/openssl/cert.c?rev=603742&view=auto
==============================================================================
--- labs/badca/openssl/cert.c (added)
+++ labs/badca/openssl/cert.c Wed Dec 12 13:03:52 2007
@@ -0,0 +1,47 @@
+#include <stdio.h>
+
+#include <openssl/asn1.h>
+#include <openssl/rsa.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+X509 *readCert(const char *);
+
+int main(int argc, char **argv)
+{
+    X509 *cert = NULL, *newcert = NULL;
+    X509_REQ *csr = NULL;
+    RSA *key = NULL;
+
+    printf("init'ing OpenSSL\n");
+
+    CRYPTO_malloc_init();
+    ERR_load_crypto_strings(); 
+    OpenSSL_add_all_algorithms();
+
+    printf("Trying to read test CA certificate...\n");
+    cert = readCert("../tests/certs/ca1.pem");
+    printf("cert = %p\n", cert);
+
+    printf("Reading CSR...\n");
+    csr = readCSR("../tests/csr/test2.csr");
+    printf("csr = %p\n", csr);
+
+    printf("Reading key...\n");
+    key = readRSA("../tests/keys/private/7c51d0ac629a02cf64429bc8677428189c4be60d.key");
+    printf("key = %p\n", key);
+
+    printf("Trying to create new certificate...\n");
+    newcert = signRequestWithCertificate(cert, csr, key);
+    printf("newcert = %p\n", newcert);
+
+    X509_free(newcert);
+    X509_REQ_free(csr);
+    X509_free(cert);
+
+    return 0;
+}
+
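Review bot: `readCSR`, `readRSA` and `signRequestWithCertificate` are called in `main` without a visible declaration (only `readCert` is prototyped at the top), so a C89 compiler assumes they return `int` and the returned pointers are truncated on 64-bit targets, which would make `csr`, `key` and `newcert` garbage. Add the prototypes next to the existing one, `X509_REQ *readCSR(const char *); RSA *readRSA(const char *); X509 *signRequestWithCertificate(X509 *, X509_REQ *, RSA *);`, or better, move all four into a small header shared with certmodule_c.c. Separately, `key` is consumed by `signRequestWithCertificate` (the callee assigns it into an `EVP_PKEY` and frees that), so a comment such as `/* key is owned by signRequestWithCertificate after this call */` would prevent a later maintainer from adding an `RSA_free(key)` and introducing a double free.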

Modified: labs/badca/openssl/certmodule.c
URL: http://svn.apache.org/viewvc/labs/badca/openssl/certmodule.c?rev=603742&r1=603741&r2=603742&view=diff
==============================================================================
--- labs/badca/openssl/certmodule.c (original)
+++ labs/badca/openssl/certmodule.c Wed Dec 12 13:03:52 2007
@@ -561,13 +561,10 @@
         if (X509_set_issuer_name(cert, issuerSubject) != 1) {
             PyErr_SetString(PyExc_RuntimeError, "Unable to set the issuer "
                                          "name of the new certificate");
-            X509_NAME_free(issuerSubject);
             goto out;
         }
 
-        subject = X509_NAME_dup(issuerSubject);
-        X509_NAME_free(issuerSubject);
-        
+        subject = X509_NAME_dup(issuerSubject);       
 
         if (! subject) {
             PyErr_SetString(PyExc_RuntimeError, "Unable to duplicate the "
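Review bot: The removed `X509_NAME_free(issuerSubject)` calls (and `X509_NAME_free(xn_req)` in the second hunk) correct an ownership error, but nothing in the new code records why the pointers must not be freed, so the frees are likely to be reintroduced by someone reading the code later. A one-line comment at the `X509_get_subject_name(issuer)` assignment, `/* issuerSubject points into issuer and is owned by it; never free it. */`, and the same at `X509_REQ_get_subject_name(req)` would pin that down. The retained `subject = X509_NAME_dup(issuerSubject);` line also carries trailing whitespace. The enclosing function starts and ends outside both hunks.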
@@ -621,7 +618,6 @@
             goto out;
         }
     }
-    X509_NAME_free(xn_req);
 
     if (X509_set_subject_name(cert, subject) != 1) {
         PyErr_SetString(PyExc_RuntimeError, "Unable to set the subject "

Added: labs/badca/openssl/certmodule_c.c
URL: http://svn.apache.org/viewvc/labs/badca/openssl/certmodule_c.c?rev=603742&view=auto
==============================================================================
--- labs/badca/openssl/certmodule_c.c (added)
+++ labs/badca/openssl/certmodule_c.c Wed Dec 12 13:03:52 2007
@@ -0,0 +1,396 @@
+#include <openssl/asn1.h>
+#include <openssl/rsa.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#define MINBITS 1024
+#define MAXBITS 8196
+
+#define SERIAL_RAND_BITS  128
+
+/* Presently this just uses a random number, but a more appealling solution
+ * is to switch to using a hash of certain key elements. Apparently Verisign do
+ * something similar and it seems like a damned good idea. The suggested
+ * fields to hash are
+ * - subject
+ * - notBefore
+ * - not After
+ * The reason for this function is to allow easier abstraction :-)
+ */
+static int 
+certificate_set_serial(X509 *cert)
+{
+    ASN1_INTEGER *sno = ASN1_INTEGER_new();
+    BIGNUM *bn = NULL;
+    int rv = 0;
+
+    if (!sno) {
+        printf("Unable to allocate memory for "
+                                           "an ASN1 object");
+        return 0;
+    }
+    bn=BN_new();
+    if (!bn) {
+        ASN1_INTEGER_free(sno);
+        printf("Unable to allocate memory "
+                                           "for an BIGNUM object");
+        return 0;
+    }
+
+    if (BN_pseudo_rand(bn, SERIAL_RAND_BITS, 0, 0) == 1 &&
+        (sno = BN_to_ASN1_INTEGER(bn,sno)) != NULL &&
+        X509_set_serialNumber(cert, sno) == 1)
+        rv = 1;
+    else
+        printf("Unable to create or set the serial number");
+    BN_free(bn);
+    ASN1_INTEGER_free(sno);
+    return rv;
+}
+
+static int 
+certificateAddExtension(X509 *cert, X509V3_CTX *ctx, char *key, char *val)
+{
+    X509_EXTENSION * ext = NULL;
+    int rv;
+
+    if (!(ext = X509V3_EXT_conf(NULL, ctx, key, val))) {
+        printf("Unable to create X509 "
+                   "v3 extension (key = %s, val = %s)", key, val);
+        return 0;
+    }
+    rv = X509_add_ext(cert, ext, -1);
+    X509_EXTENSION_free(ext);
+    if (rv != 1) {
+        printf("Unable to set X509 "
+                   "v3 extension (key = %s, val = %s)", key, val);
+        return 0;
+    }
+    return 1;
+}
+
+static int 
+signCertificateWithKey(X509 *cert, RSA *rsa)
+{
+    int rv = 1;
+    const EVP_MD *digest = EVP_sha1();
+    EVP_PKEY *pkey = EVP_PKEY_new();
+
+    if (!digest) {
+        printf("Unable to get a digest object\n");
+        return 0;
+    }
+
+    if (!pkey) {
+        printf("Unable to create a new EVP_PKEY object\n");
+        return 0;
+    }
+    EVP_PKEY_assign_RSA(pkey, rsa); 
+
+    /* need to verify here that the key we have was the one used to 
+     * create the certificate, or we get some very "odd" results.
+     * Not cool!
+     */
+    if (X509_check_private_key(cert, pkey) == 1) {
+        if (X509_sign(cert, pkey, digest))
+            rv = 1;
+        else
+            printf("Error signing the "
+                                      "certificate using supplied key");
+    } else
+        printf("Private key supplied is NOT "
+                       "the key used to create the certificate!");
+
+    EVP_PKEY_free(pkey);
+    return rv;
+}
+
+RSA *readRSA(const char *fn)
+{
+    RSA *rsa = NULL;
+    EVP_PKEY *pkey = NULL;
+    BIO *in = BIO_new(BIO_s_file());
+
+    if (!in) {
+        printf("Unable to create a BIO object");
+        return NULL;
+    }
+
+    if (BIO_read_filename(in, fn) == 1) {
+        pkey=PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
+
+        if (pkey) {
+            rsa = EVP_PKEY_get1_RSA(pkey);
+            EVP_PKEY_free(pkey);
+        } else
+            printf("Unable to get public RSA key from file");
+    } else
+        printf("Unable to read from file supplied");
+
+    (void)BIO_free_all(in);
+
+    if (rsa) {
+        int strength = BN_num_bits(rsa->n);
+        if (strength < MINBITS || strength > MAXBITS) {
+            RSA_free(rsa);
+            rsa = NULL;
+            printf("Invalid key strength");
+        }
+    }
+
+    return rsa;
+}
+
+X509_REQ *readCSR(const char *fn)
+{
+    X509_REQ *req=NULL;
+    BIO *in = NULL;
+
+    if (! fn)
+        return NULL;
+
+    in = BIO_new(BIO_s_file());
+    if (!in) {
+        printf("Unable to create a BIO object");
+        return NULL;
+    }
+    
+    if (BIO_read_filename(in, fn) <= 0) {
+        BIO_free_all(in);
+        printf("Unable to read CSR from filename");
+        return NULL;
+    }
+
+    /* We expect the CSR to be in PEM format, so try that first... */
+    req=PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
+    /* If that fails, see if it was in ASN1 format */
+    if (!req)
+        req=d2i_X509_REQ_bio(in, NULL);
+
+    BIO_free_all(in);
+
+    if (!req) {
+        printf("Unable to get REQ object from file");
+        return NULL;
+    }
+    return req;
+}
+
+X509 *
+readCert(const char *fn)
+{
+    X509 *cert = NULL;
+    BIO *in = NULL;
+
+    if (!fn) {
+        printf("Filename MUST be supplied\n");
+        return NULL;
+    }
+
+    in = BIO_new(BIO_s_file());
+    if (!in) {
+        printf("failed to create a BIO\n");
+        return NULL;
+    }
+    BIO_read_filename(in, fn);
+    cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
+    (void) BIO_free_all(in);
+
+    if (cert)
+        return cert;
+
+    printf("Failed to read certificate file\n");
+    return NULL;
+}
+
+X509 *signRequestWithCertificate(X509 *issuer, X509_REQ *req, RSA *key)
+{
+    X509 *cert = NULL;
+    X509V3_CTX ctx;
+    X509_NAME *xn_req = NULL, *subject = NULL;
+    EVP_PKEY *pkey = NULL;
+    void *tmp[2];
+    int i, rv;
+    int remove_nids[] = { NID_commonName, NID_pkcs9_emailAddress, -1 };
+    int ignore_nids[] = { NID_countryName, NID_organizationName, 
+                          NID_organizationalUnitName, -1 };
+
+    if (!issuer || !req || !key) {
+        return NULL;
+    }
+
+    cert = X509_new();
+    if (!cert) {
+        return NULL;
+    }
+
+    /* Make it a V3 certificate. */
+    if (X509_set_version(cert, 2L) != 1) {
+        goto out;
+    }
+
+    /* The certificate has 2 X509_NAMEstructures, one for the issuer and one
+     * for the certificate (termed the subject). We now create these and set
+     * them into the certificate.
+     *
+     *   1) copy the subject from the issuing certificate
+     *   2) delete the CN and emailAddress from the issuer subject
+     *   3) add fields from the request that we permit (basically anything other
+     *      than CN, O & OU)
+     */
+
+    {
+        X509_NAME *issuerSubject = X509_get_subject_name(issuer);
+
+        if (! issuerSubject) {
+            printf("Unable to get the "
+                                        "subject name from the issuer");
+            goto out;
+        }
+
+        /* Set the issuing certificate subject as the issuer subject for
+         * the new certificate.
+         */
+        if (X509_set_issuer_name(cert, issuerSubject) != 1) {
+            printf("Unable to set the issuer "
+                                         "name of the new certificate");
+//            X509_NAME_free(issuerSubject);
+            goto out;
+        }
+
+        subject = X509_NAME_dup(issuerSubject);
+//        X509_NAME_free(issuerSubject);
+        
+
+        if (! subject) {
+            printf("Unable to duplicate the "
+                                        "subject name from the issuer");
+            goto out;
+        }
+    }
+
+    /* remove some uneeded fields */
+    for (i = 0; remove_nids[i] != -1; i++) {
+        int pos = -1;
+        while ((pos = X509_NAME_get_index_by_NID(subject, 
+                remove_nids[i], pos)) != -1) {
+            X509_NAME_ENTRY *ne = X509_NAME_delete_entry(subject, pos);
+            if (ne)
+                X509_NAME_ENTRY_free(ne);
+        }
+    }
+
+    /* go through the fields present in the request and add those that
+     * we need for the final certificate.
+     */
+    if (!(xn_req = X509_REQ_get_subject_name(req))) {
+        printf("Unable to get the "
+                                    "subject name from the request");
+        goto out;
+    }
+
+    for (i = 0; i < X509_NAME_entry_count(xn_req); i++) {
+        int j;
+        int skip = 0;
+        X509_NAME_ENTRY *ne = X509_NAME_get_entry(xn_req, i);
+        for (j = 0; ignore_nids[j] != -1; j++) {
+            int pos = -1;
+
+            /* The OU may be set in the request, but unless the certificate
+             * will be used for signing we want to set the OU from the
+             * issuing certificate.
+             */
+            do {
+                pos = X509_NAME_get_index_by_NID(xn_req, ignore_nids[j], pos);
+                if (pos == i)
+                    skip = 1;
+            } while (pos != -1);
+        }
+        if (skip)
+            continue;
+        if (!(X509_NAME_add_entry(subject, ne, -1, 0))) {
+            printf("Unable to adjust the "
+                                 "subject for the new certificate");
+            goto out;
+        }
+    }
+//    X509_NAME_free(xn_req);
+
+    if (X509_set_subject_name(cert, subject) != 1) {
+        printf("Unable to set the subject "
+                                      "name of the new certificate");
+        X509_NAME_free(subject);
+        goto out;
+    }
+    X509_NAME_free(subject);
+
+    /* The public key associated with the generated certificate is the
+     * one that was used to create the signing request. Extract the 
+     * public key from the request and set it into the new certificate.
+     */
+    pkey = X509_REQ_get_pubkey(req);
+    if (!pkey) {
+        printf("Unable to get the public key "
+                "from the supplied request");
+        goto out;
+    }
+    rv = X509_set_pubkey(cert, pkey);
+    EVP_PKEY_free(pkey);
+
+    if (rv != 1) {
+        printf("Unable to set the public "
+                                      "key of the new certificate");
+        goto out;
+    }
+	
+    /* Set the initial date/times */
+    if (!(X509_gmtime_adj(X509_get_notBefore(cert), 0))) {
+        printf("Unable to set notBefore time");
+        goto out;
+    }
+    if (!(X509_gmtime_adj(X509_get_notAfter(cert), 36400))) {
+        printf("Unable to set notAfter time");
+        goto out;
+    }
+
+    /* Set the serial number of the certificate. */
+    if (certificate_set_serial(cert) == 0)
+        goto out;
+
+    /* Add the X509_v3 extensions we need to set */
+/*
+    X509V3_set_ctx(&ctx, isroot ? cert : ca_cert, cert, NULL, NULL, 0);
+    for (i = 0; always_add[i].left; i++) {
+        if (certificate_add_extension(cac, cert, &ctx, always_add[i].left,
+                                      always_add[i].right) != 0)
+            goto out;
+    }
+
+    if (cac->ca_extensions) {
+        for (i = 0; i < cac->ca_ext_count; i++) {
+            if (certificate_add_extension(cac, cert, &ctx, cac->ca_extensions[i].key,
+                                          cac->ca_extensions[i].value) != 0)
+                goto out;
+        }
+    }
+*/
+
+    /* Claim credit for the creation... */
+    certificateAddExtension(cert, &ctx, "nsComment", "Created by BaDCA");
+
+    if (signCertificateWithKey(cert, key) == 0)
+        goto out;
+printf("cert = %p\n", cert);
+    /* All is well, we have a new certificate, so return it! */
+    return cert;
+
+    /* below this is used for error cases */
+out:
+    if (cert)
+        X509_free(cert);
+    return NULL;
+}
+
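Review bot: `signCertificateWithKey` initialises `rv = 1` and never resets it, so when `X509_check_private_key` fails or `X509_sign` returns 0 it still returns success after only printing a message, and `signRequestWithCertificate` then hands back an unsigned or mis-signed certificate as if everything worked; `int rv = 0;` is the fix, matching the pattern already used in `certificate_set_serial`. In `signRequestWithCertificate`, `ctx` is passed to `certificateAddExtension` without ever being initialised (the `X509V3_set_ctx` call is commented out) and the return value is ignored, while the other failure paths all `goto out`. `certificate_set_serial` draws the serial with `BN_pseudo_rand`, which OpenSSL documents as not suitable for cryptographic purposes; since CA serial numbers are expected to be unpredictable, `BN_rand` is the appropriate call here. The `36400` seconds in the `X509_get_notAfter` adjustment (roughly ten hours) and `MAXBITS 8196` both look like typos for `86400` and `8192`, and the bare `printf("cert = %p\n", cert);` before the successful return appears to be leftover debugging output.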

Added: labs/badca/openssl/setup.py.in
URL: http://svn.apache.org/viewvc/labs/badca/openssl/setup.py.in?rev=603742&view=auto
==============================================================================
--- labs/badca/openssl/setup.py.in (added)
+++ labs/badca/openssl/setup.py.in Wed Dec 12 13:03:52 2007
@@ -0,0 +1,29 @@
+from distutils.core import setup, Extension
+
+rsaModule = Extension('rsa',
+                      extra_link_args = ['-shared'],   
+                      include_dirs= [ @openssl_INCDIR@ ],
+                      library_dirs= [ @openssl_LIBDIR@ ],
+                      libraries = [ @openssl_LIBSONLY@ ],
+                      sources = ['rsamodule.c']
+                     )
+csrModule = Extension('csr',
+                      extra_link_args = ['-shared'],
+                      include_dirs= [ @openssl_INCDIR@ ],
+                      library_dirs= [ @openssl_LIBDIR@ ],
+                      libraries = [ @openssl_LIBSONLY@ ],
+                      sources = ['csrmodule.c']
+                     )
+certModule = Extension('cert',
+                       extra_link_args = ['-shared'],
+                       include_dirs= [ @openssl_INCDIR@ ],
+                       library_dirs= [ @openssl_LIBDIR@ ],
+                       libraries = [ @openssl_LIBSONLY@ ],
+                       sources = ['certmodule.c']
+                      )
+
+setup (name = 'OpenSSL',
+       version = '0.1',
+       description = 'OpenSSL Wrapper Package',
+       ext_modules = [rsaModule, csrModule, certModule]
+      )




