[+] Missing x509 members

[*] Added POSIX-like rng fd close on deinit
[*] Added verbose arg checks for unix env vars
This commit is contained in:
Reece Wilson 2023-07-10 20:56:45 +01:00
parent c90a13ad95
commit 66b948697b
6 changed files with 98 additions and 30 deletions

View File

@ -22,8 +22,9 @@ namespace Aurora::Crypto::X509
// metadata --
Hashing::EHashType digest;
AuUInt8 uVersion { 3 };
bool bIsCA {};
bool bSubjectKeyId {};
bool bIsCA { };
AuInt8 iMaxPathLength { -1 };
bool bSubjectKeyId { };
AuList<EExtendedUsage> usage;
AuUInt8 uSerialRadix { 10 };
AuString sSerial { "69420" };

View File

@ -7,62 +7,68 @@
***/
#pragma once
#include "ESignatureAlgorithm.hpp"
#include "EExtendedUsage.hpp"
namespace Aurora::Crypto::X509
{
// yes, these structure completely disregards the principles of the x509 structure and the rationales behind certain extensions
// however, this is not intended to be a grandiose TLS stack
//
// PKSC#1 and #8, and x509 extensions (ie: rfc5280 key-ids, v3 exts) are not supported in our deps
// we had to reimplement them ourselves >:(
// lets worry about the more important issues
struct CertName
{
AU_COPY_MOVE_DEF(CertName);
AuString commonName; // Tbs
AuString commonName;
AuString department; // Tbs
AuString organization; // Tbs
AuString state; // Tbs
AuString countryCode; // Tbs
AuString department;
AuString organization;
AuString address;
AuString locality;
AuString state;
AuString countryCode;
AuString postcode;
AuString name; // Tbs
AuString email; // Tbs
AuString title; // Tbs
AuString name;
AuString email;
AuString title;
};
struct DecodedCertificate
{
AU_COPY_MOVE_DEF(DecodedCertificate);
// TODO:
//SignatureAlgorithm signature;
int version {};
struct Issuer : CertName
{
AU_COPY_MOVE_DEF(Issuer);
Memory::ByteBuffer id;
} issuer;
struct Subject : CertName
{
AU_COPY_MOVE_DEF(Subject);
Memory::ByteBuffer id;
} subject;
struct Vaildity // Tbs
{ // Tbs
struct Vaildity
{
AU_COPY_MOVE_DEF(Vaildity);
AuUInt issued; // Tbs
AuUInt expire; // Tbs
} validity; // Tbs
AuList<AuUInt8> serialNumber; // Tbs
AuList<AuUInt8> algorithmOid; // Tbs
// TODO: usage // extension
AuUInt issued;
AuUInt expire;
} validity;
AuList<AuUInt8> serialNumber;
AuList<AuUInt8> algorithmOid;
AuList<AuString> AIAs;
// TODO: AuString CRL;
// TODO: AuList<String> subjectNames;
Hashing::EHashType digest;
AuList<EExtendedUsage> usage;
int iMaxPath {};
bool bIsCA {};
// TODO: ...
};
AUKN_SYM bool Decode(const Certificate &der, DecodedCertificate &out);

View File

@ -156,6 +156,9 @@ namespace Aurora::Crypto::X509
_WRITE_ISSUER(MBEDTLS_OID_PKCS9_EMAIL, request.name.email);
_WRITE_ISSUER(MBEDTLS_OID_AT_TITLE, request.name.title);
_WRITE_ISSUER(MBEDTLS_OID_AT_GIVEN_NAME, request.name.name);
_WRITE_ISSUER(MBEDTLS_OID_AT_POSTAL_CODE, request.name.postcode);
_WRITE_ISSUER(MBEDTLS_OID_AT_POSTAL_ADDRESS, request.name.address);
_WRITE_ISSUER(MBEDTLS_OID_AT_LOCALITY, request.name.locality);
#undef _WRITE_ISSUER
if (request.pSigningChain)
@ -223,6 +226,15 @@ namespace Aurora::Crypto::X509
}
}
if (request.uVersion == 3)
{
if (::mbedtls_x509write_crt_set_basic_constraints(&crt, request.bIsCA, request.iMaxPathLength) != 0)
{
SysPushErrorCrypto("Couldn't set basic constraints");
goto out;
}
}
if (request.usage.size())
{
mbedtls_asn1_sequence *tail {};

View File

@ -316,6 +316,9 @@ namespace Aurora::Crypto::X509
find_oid_value_in_name(&name, MBEDTLS_OID_PKCS9_EMAIL, out.email);
find_oid_value_in_name(&name, MBEDTLS_OID_AT_TITLE, out.title);
find_oid_value_in_name(&name, MBEDTLS_OID_AT_GIVEN_NAME, out.name);
find_oid_value_in_name(&name, MBEDTLS_OID_AT_POSTAL_CODE, out.postcode);
find_oid_value_in_name(&name, MBEDTLS_OID_AT_POSTAL_ADDRESS, out.address);
find_oid_value_in_name(&name, MBEDTLS_OID_AT_LOCALITY, out.locality);
}
static bool ParseCert(const Certificate &der, AuFunction<void(mbedtls_x509_crt &crt)> cb)
@ -351,11 +354,47 @@ namespace Aurora::Crypto::X509
return AuTime::FromCivilTime(tm, true);
}
static void FindUsage(DecodedCertificate &out,
const mbedtls_x509_sequence *extended_key_usage)
{
const mbedtls_x509_sequence *pCur = extended_key_usage;
while (pCur)
{
#define CHECK_CHECK(enum, oid) \
if (pCur->buf.len == sizeof(oid) - 1) \
{ \
if (!AuMemcmp(oid, pCur->buf.p, pCur->buf.len)) \
{ \
out.usage.push_back(enum); \
} \
}
CHECK_CHECK(EExtendedUsage::eServerAuth, MBEDTLS_OID_SERVER_AUTH);
CHECK_CHECK(EExtendedUsage::eClientAuth, MBEDTLS_OID_CLIENT_AUTH);
CHECK_CHECK(EExtendedUsage::eCodeSigning, MBEDTLS_OID_CODE_SIGNING);
CHECK_CHECK(EExtendedUsage::eEmailProtection, MBEDTLS_OID_EMAIL_PROTECTION);
CHECK_CHECK(EExtendedUsage::eTimeStamping, MBEDTLS_OID_TIME_STAMPING);
CHECK_CHECK(EExtendedUsage::eOCSPSigning, MBEDTLS_OID_OCSP_SIGNING);
#undef CHECK_CHECK
pCur = pCur->next;
}
}
void DecodeInternal(const mbedtls_x509_crt &crt, DecodedCertificate &out)
{
auto &issuer = crt.issuer;
auto &subject = crt.subject;
out.version = crt.version;
out.iMaxPath = crt.private_max_pathlen;
out.bIsCA = crt.private_ca_istrue;
FindUsage(out, &crt.ext_key_usage);
FindCommonNames(issuer, out.issuer);
FindCommonNames(subject, out.subject);

View File

@ -38,6 +38,7 @@ namespace Aurora::Process
if (key.empty())
{
SysPushErrorArg("Missing key");
return false;
}
@ -48,9 +49,16 @@ namespace Aurora::Process
AUKN_SYM bool EnvironmentSetOne(const AuString &key, const AuString &value)
{
AU_LOCK_GUARD(gEnvMutex);
if (key.empty())
{
SysPushErrorArg("Missing key");
return false;
}
if (value.empty())
{
SysPushErrorArg("Missing value");
return false;
}
@ -63,6 +71,7 @@ namespace Aurora::Process
if (key.empty())
{
SysPushErrorArg("Missing key");
return false;
}

View File

@ -39,7 +39,7 @@
namespace Aurora::RNG
{
#if defined(AURORA_IS_POSIX_DERIVED)
static int gDevURand;
static int gDevURand { -1 };
void EntropyInit()
{
@ -207,6 +207,7 @@ namespace Aurora::RNG
if (gDevURand > 0)
{
::close(gDevURand);
gDevURand = -1;
}
#elif defined(AURORA_IS_MODERNNT_DERIVED) && defined(USE_OLD_NTCRYPT)
if (pBCryptGenRandom)