~graywolf/acme-client-portable

ref: openbsd acme-client-portable/certproc.c -rw-r--r-- 3.0 KiB
d43c6d31Wolf Update from openbsd (2021-07-25 16:17:33 UTC) a day ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
/*	$Id: certproc.c,v 1.13 2020/09/14 15:58:50 florian Exp $ */
/*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>

#include "extern.h"

#define BEGIN_MARKER "-----BEGIN CERTIFICATE-----"
#define END_MARKER "-----END CERTIFICATE-----"

int
certproc(int netsock, int filesock)
{
	char		*csr = NULL, *chain = NULL, *url = NULL;
	char		*chaincp;
	size_t		 csrsz, chainsz;
	int		 rc = 0, cc;
	enum certop	 op;
	long		 lval;

	if (pledge("stdio", NULL) == -1) {
		warn("pledge");
		goto out;
	}

	/* Read what the netproc wants us to do. */

	op = CERT__MAX;
	if ((lval = readop(netsock, COMM_CSR_OP)) == 0)
		op = CERT_STOP;
	else if (lval == CERT_REVOKE || lval == CERT_UPDATE)
		op = lval;

	if (CERT_STOP == op) {
		rc = 1;
		goto out;
	} else if (CERT__MAX == op) {
		warnx("unknown operation from netproc");
		goto out;
	}

	/*
	 * Pass revocation right through to fileproc.
	 * If the reader is terminated, ignore it.
	 */

	if (CERT_REVOKE == op) {
		if (writeop(filesock, COMM_CHAIN_OP, FILE_REMOVE) >= 0)
			rc = 1;
		goto out;
	}

	/*
	 * Wait until we receive the DER encoded (signed) certificate
	 * from the network process.
	 * Then convert the DER encoding into an X509 certificate.
	 */

	if ((csr = readbuf(netsock, COMM_CSR, &csrsz)) == NULL)
		goto out;

	if (csrsz < strlen(END_MARKER)) {
		warnx("invalid cert");
		goto out;
	}

	chaincp = strstr(csr, END_MARKER);

	if (chaincp == NULL) {
		warnx("invalid cert");
		goto out;
	}

	chaincp += strlen(END_MARKER);

	if ((chaincp = strstr(chaincp, BEGIN_MARKER)) == NULL) {
		warnx("invalid certificate chain");
		goto out;
	}

	if ((chain = strdup(chaincp)) == NULL) {
		warn("strdup");
		goto out;
	}

	*chaincp = '\0';
	chainsz = strlen(chain);
	csrsz = strlen(csr);

	/* Allow reader termination to just push us out. */

	if ((cc = writeop(filesock, COMM_CHAIN_OP, FILE_CREATE)) == 0)
		rc = 1;
	if (cc <= 0)
		goto out;
	if ((cc = writebuf(filesock, COMM_CHAIN, chain, chainsz)) == 0)
		rc = 1;
	if (cc <= 0)
		goto out;

	if (writebuf(filesock, COMM_CSR, csr, csrsz) < 0)
		goto out;

	rc = 1;
out:
	close(netsock);
	close(filesock);
	free(csr);
	free(url);
	free(chain);
	return rc;
}