[+] Missing x509 members
[*] Added POSIX-like rng fd close on deinit [*] Added verbose arg checks for unix env vars
This commit is contained in:
parent
c90a13ad95
commit
66b948697b
@ -22,8 +22,9 @@ namespace Aurora::Crypto::X509
|
||||
// metadata --
|
||||
Hashing::EHashType digest;
|
||||
AuUInt8 uVersion { 3 };
|
||||
bool bIsCA {};
|
||||
bool bSubjectKeyId {};
|
||||
bool bIsCA { };
|
||||
AuInt8 iMaxPathLength { -1 };
|
||||
bool bSubjectKeyId { };
|
||||
AuList<EExtendedUsage> usage;
|
||||
AuUInt8 uSerialRadix { 10 };
|
||||
AuString sSerial { "69420" };
|
||||
|
@ -7,62 +7,68 @@
|
||||
***/
|
||||
#pragma once
|
||||
|
||||
#include "ESignatureAlgorithm.hpp"
|
||||
#include "EExtendedUsage.hpp"
|
||||
|
||||
namespace Aurora::Crypto::X509
|
||||
{
|
||||
// yes, these structure completely disregards the principles of the x509 structure and the rationales behind certain extensions
|
||||
// however, this is not intended to be a grandiose TLS stack
|
||||
//
|
||||
// PKSC#1 and #8, and x509 extensions (ie: rfc5280 key-ids, v3 exts) are not supported in our deps
|
||||
// we had to reimplement them ourselves >:(
|
||||
// lets worry about the more important issues
|
||||
|
||||
struct CertName
|
||||
{
|
||||
AU_COPY_MOVE_DEF(CertName);
|
||||
AuString commonName; // Tbs
|
||||
AuString commonName;
|
||||
|
||||
AuString department; // Tbs
|
||||
AuString organization; // Tbs
|
||||
AuString state; // Tbs
|
||||
AuString countryCode; // Tbs
|
||||
AuString department;
|
||||
AuString organization;
|
||||
AuString address;
|
||||
AuString locality;
|
||||
AuString state;
|
||||
AuString countryCode;
|
||||
AuString postcode;
|
||||
|
||||
AuString name; // Tbs
|
||||
AuString email; // Tbs
|
||||
AuString title; // Tbs
|
||||
AuString name;
|
||||
AuString email;
|
||||
AuString title;
|
||||
};
|
||||
|
||||
struct DecodedCertificate
|
||||
{
|
||||
AU_COPY_MOVE_DEF(DecodedCertificate);
|
||||
// TODO:
|
||||
//SignatureAlgorithm signature;
|
||||
int version {};
|
||||
|
||||
struct Issuer : CertName
|
||||
{
|
||||
AU_COPY_MOVE_DEF(Issuer);
|
||||
Memory::ByteBuffer id;
|
||||
} issuer;
|
||||
|
||||
struct Subject : CertName
|
||||
{
|
||||
AU_COPY_MOVE_DEF(Subject);
|
||||
Memory::ByteBuffer id;
|
||||
} subject;
|
||||
struct Vaildity // Tbs
|
||||
{ // Tbs
|
||||
|
||||
struct Vaildity
|
||||
{
|
||||
AU_COPY_MOVE_DEF(Vaildity);
|
||||
AuUInt issued; // Tbs
|
||||
AuUInt expire; // Tbs
|
||||
} validity; // Tbs
|
||||
AuList<AuUInt8> serialNumber; // Tbs
|
||||
AuList<AuUInt8> algorithmOid; // Tbs
|
||||
// TODO: usage // extension
|
||||
AuUInt issued;
|
||||
AuUInt expire;
|
||||
} validity;
|
||||
|
||||
AuList<AuUInt8> serialNumber;
|
||||
AuList<AuUInt8> algorithmOid;
|
||||
|
||||
AuList<AuString> AIAs;
|
||||
// TODO: AuString CRL;
|
||||
|
||||
// TODO: AuList<String> subjectNames;
|
||||
|
||||
Hashing::EHashType digest;
|
||||
|
||||
AuList<EExtendedUsage> usage;
|
||||
|
||||
int iMaxPath {};
|
||||
bool bIsCA {};
|
||||
|
||||
// TODO: ...
|
||||
};
|
||||
|
||||
AUKN_SYM bool Decode(const Certificate &der, DecodedCertificate &out);
|
||||
|
@ -156,6 +156,9 @@ namespace Aurora::Crypto::X509
|
||||
_WRITE_ISSUER(MBEDTLS_OID_PKCS9_EMAIL, request.name.email);
|
||||
_WRITE_ISSUER(MBEDTLS_OID_AT_TITLE, request.name.title);
|
||||
_WRITE_ISSUER(MBEDTLS_OID_AT_GIVEN_NAME, request.name.name);
|
||||
_WRITE_ISSUER(MBEDTLS_OID_AT_POSTAL_CODE, request.name.postcode);
|
||||
_WRITE_ISSUER(MBEDTLS_OID_AT_POSTAL_ADDRESS, request.name.address);
|
||||
_WRITE_ISSUER(MBEDTLS_OID_AT_LOCALITY, request.name.locality);
|
||||
#undef _WRITE_ISSUER
|
||||
|
||||
if (request.pSigningChain)
|
||||
@ -223,6 +226,15 @@ namespace Aurora::Crypto::X509
|
||||
}
|
||||
}
|
||||
|
||||
if (request.uVersion == 3)
|
||||
{
|
||||
if (::mbedtls_x509write_crt_set_basic_constraints(&crt, request.bIsCA, request.iMaxPathLength) != 0)
|
||||
{
|
||||
SysPushErrorCrypto("Couldn't set basic constraints");
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
if (request.usage.size())
|
||||
{
|
||||
mbedtls_asn1_sequence *tail {};
|
||||
|
@ -316,6 +316,9 @@ namespace Aurora::Crypto::X509
|
||||
find_oid_value_in_name(&name, MBEDTLS_OID_PKCS9_EMAIL, out.email);
|
||||
find_oid_value_in_name(&name, MBEDTLS_OID_AT_TITLE, out.title);
|
||||
find_oid_value_in_name(&name, MBEDTLS_OID_AT_GIVEN_NAME, out.name);
|
||||
find_oid_value_in_name(&name, MBEDTLS_OID_AT_POSTAL_CODE, out.postcode);
|
||||
find_oid_value_in_name(&name, MBEDTLS_OID_AT_POSTAL_ADDRESS, out.address);
|
||||
find_oid_value_in_name(&name, MBEDTLS_OID_AT_LOCALITY, out.locality);
|
||||
}
|
||||
|
||||
static bool ParseCert(const Certificate &der, AuFunction<void(mbedtls_x509_crt &crt)> cb)
|
||||
@ -351,11 +354,47 @@ namespace Aurora::Crypto::X509
|
||||
return AuTime::FromCivilTime(tm, true);
|
||||
}
|
||||
|
||||
static void FindUsage(DecodedCertificate &out,
|
||||
const mbedtls_x509_sequence *extended_key_usage)
|
||||
{
|
||||
const mbedtls_x509_sequence *pCur = extended_key_usage;
|
||||
|
||||
while (pCur)
|
||||
{
|
||||
|
||||
#define CHECK_CHECK(enum, oid) \
|
||||
if (pCur->buf.len == sizeof(oid) - 1) \
|
||||
{ \
|
||||
if (!AuMemcmp(oid, pCur->buf.p, pCur->buf.len)) \
|
||||
{ \
|
||||
out.usage.push_back(enum); \
|
||||
} \
|
||||
}
|
||||
|
||||
CHECK_CHECK(EExtendedUsage::eServerAuth, MBEDTLS_OID_SERVER_AUTH);
|
||||
CHECK_CHECK(EExtendedUsage::eClientAuth, MBEDTLS_OID_CLIENT_AUTH);
|
||||
CHECK_CHECK(EExtendedUsage::eCodeSigning, MBEDTLS_OID_CODE_SIGNING);
|
||||
CHECK_CHECK(EExtendedUsage::eEmailProtection, MBEDTLS_OID_EMAIL_PROTECTION);
|
||||
CHECK_CHECK(EExtendedUsage::eTimeStamping, MBEDTLS_OID_TIME_STAMPING);
|
||||
CHECK_CHECK(EExtendedUsage::eOCSPSigning, MBEDTLS_OID_OCSP_SIGNING);
|
||||
|
||||
#undef CHECK_CHECK
|
||||
|
||||
pCur = pCur->next;
|
||||
}
|
||||
}
|
||||
|
||||
void DecodeInternal(const mbedtls_x509_crt &crt, DecodedCertificate &out)
|
||||
{
|
||||
auto &issuer = crt.issuer;
|
||||
auto &subject = crt.subject;
|
||||
|
||||
out.version = crt.version;
|
||||
out.iMaxPath = crt.private_max_pathlen;
|
||||
out.bIsCA = crt.private_ca_istrue;
|
||||
|
||||
FindUsage(out, &crt.ext_key_usage);
|
||||
|
||||
FindCommonNames(issuer, out.issuer);
|
||||
FindCommonNames(subject, out.subject);
|
||||
|
||||
|
@ -38,6 +38,7 @@ namespace Aurora::Process
|
||||
|
||||
if (key.empty())
|
||||
{
|
||||
SysPushErrorArg("Missing key");
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -48,9 +49,16 @@ namespace Aurora::Process
|
||||
AUKN_SYM bool EnvironmentSetOne(const AuString &key, const AuString &value)
|
||||
{
|
||||
AU_LOCK_GUARD(gEnvMutex);
|
||||
|
||||
|
||||
if (key.empty())
|
||||
{
|
||||
SysPushErrorArg("Missing key");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (value.empty())
|
||||
{
|
||||
SysPushErrorArg("Missing value");
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -63,6 +71,7 @@ namespace Aurora::Process
|
||||
|
||||
if (key.empty())
|
||||
{
|
||||
SysPushErrorArg("Missing key");
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
||||
namespace Aurora::RNG
|
||||
{
|
||||
#if defined(AURORA_IS_POSIX_DERIVED)
|
||||
static int gDevURand;
|
||||
static int gDevURand { -1 };
|
||||
|
||||
void EntropyInit()
|
||||
{
|
||||
@ -207,6 +207,7 @@ namespace Aurora::RNG
|
||||
if (gDevURand > 0)
|
||||
{
|
||||
::close(gDevURand);
|
||||
gDevURand = -1;
|
||||
}
|
||||
#elif defined(AURORA_IS_MODERNNT_DERIVED) && defined(USE_OLD_NTCRYPT)
|
||||
if (pBCryptGenRandom)
|
||||
|
Loading…
Reference in New Issue
Block a user