//! Re-read the configured certificate and private-key files and install
//! them into the port's SSL context (@[ctx]), then (re)bind the port if it
//! is not already bound.
//!
//! Called when the "ssl_cert_file" / "ssl_key_file" variables change.
//!
//! @param ignored
//!   The changed variable; not used.
//! @param ignore_eaddrinuse
//!   Passed straight through to @[bind()].
//!
//! Side effects: sets @[cert_failure], may call @[cert_err_unbind()],
//! writes @[ctx->rsa] / @[ctx->dsa] / @[ctx->certificates] and friends.
//! CERT_WARNING / CERT_ERROR / SSL3_WERR / LOC_M are macros defined
//! elsewhere in the module; CERT_ERROR presumably aborts the function
//! (the code after each use assumes the error case does not fall through)
//! -- confirm against the macro definition.
void certificates_changed(Variable.Variable|void ignored,
                          void|int ignore_eaddrinuse)
{
  int old_cert_failure = cert_failure;
  string raw_keydata;
  array(string) certificates = ({});       // DER certs, in file order
  array(object) decoded_certs = ({});      // parsed TBS of certs that decoded
  Variable.Variable Certificates = getvar("ssl_cert_file");
  // Privilege escalation while reading the files; released at "privs = 0"
  // below (or, presumably, when the object goes out of scope on the early
  // return in the "no certificates" branch -- verify).
  object privs = Privs("Reading cert file");
  foreach(map(Certificates->query(), String.trim_whites), string cert_file) {
    string raw_cert;
    SSL3_WERR (sprintf ("Reading cert file %O", cert_file));
    if( catch{ raw_cert = lopen(cert_file, "r")->read(); } )
    {
      CERT_WARNING (Certificates,
                    LOC_M(8, "Reading certificate file %O failed: %s\n"),
                    cert_file, strerror (errno()));
      continue;
    }
    object msg = Tools.PEM.pem_msg()->init( raw_cert );
    object part = msg->parts["CERTIFICATE"] ||
      msg->parts["X509 CERTIFICATE"];
    string cert;
    // A cert file may also carry the private key (combined PEM). The last
    // such file wins; an explicit ssl_key_file overrides it further down.
    if (msg->parts["RSA PRIVATE KEY"] ||
        msg->parts["DSA PRIVATE KEY"]) {
      raw_keydata = raw_cert;
    }
    if (!part || !(cert = part->decoded_body()))
    {
      CERT_WARNING (Certificates,
                    LOC_M(10, "No certificate found in %O.\n"),
                    cert_file);
      continue;
    }
    // NOTE(review): the cert is appended here, before the DER decode below.
    // If decode_certificate() fails, certificates and decoded_certs go out
    // of step, and key_matches[i] (sized from decoded_certs) is later
    // indexed by sizeof(certificates) in the RSA branch.
    certificates += ({ cert });
    // FIXME: Support PKCS7
    object tbs = Tools.X509.decode_certificate (cert);
    if (!tbs) {
      CERT_WARNING (Certificates,
                    LOC_M(13, "Certificate not valid (DER).\n"));
      continue;
    }
    decoded_certs += ({tbs});
  }
  if (!sizeof(decoded_certs)) {
    // Nothing usable: unbind, remember the failure and give up.
    report_error ("TLS port %s: %s", get_url(),
                  LOC_M(63,"No certificates found.\n"));
    cert_err_unbind();
    cert_failure = 1;
    return;
  }
  Variable.Variable KeyFile = getvar("ssl_key_file");
  if( strlen(KeyFile->query())) {
    SSL3_WERR (sprintf ("Reading key file %O", KeyFile->query()));
    if (catch{ raw_keydata = lopen(KeyFile->query(), "r")->read(); } )
      CERT_ERROR (KeyFile,
                  LOC_M(9, "Reading key file %O failed: %s\n"),
                  KeyFile->query(), strerror (errno()));
  }
  else
    // No separate key file: error messages below are attributed to the
    // cert-file variable, since that is where the key was (not) found.
    KeyFile = Certificates;
  privs = 0;   // drop the elevated privileges; all file reads are done
  if (!raw_keydata)
    CERT_ERROR (KeyFile, LOC_M (17,"No private key found.\n"));
  object msg = Tools.PEM.pem_msg()->init( raw_keydata );
  // Only the PEM section names are logged here, not the key material.
  SSL3_WERR(sprintf("key file contains: %O", indices(msg->parts)));
  object part;
  if (part = msg->parts["RSA PRIVATE KEY"])
  {
    string key;
    if (!(key = part->decoded_body()))
      CERT_ERROR (KeyFile,
                  LOC_M(11,"Private rsa key not valid")+" (PEM).\n");
    object rsa = Standards.PKCS.RSA.parse_private_key(key);
    if (!rsa)
      CERT_ERROR (KeyFile,
                  LOC_M(11,"Private rsa key not valid")+" (DER).\n");
    ctx->rsa = rsa;
    SSL3_WERR(sprintf("RSA key size: %d bits", rsa->rsa_size()));
    if (rsa->rsa_size() > 512)
    {
      /* Too large for export */
      // A fresh 512-bit "export" RSA key is generated on every reload.
      // 512-bit RSA is far below current minimums; whether it is ever
      // offered depends on the cipher suites left after
      // filter_preferred_suites() and on export_mode() below.
      ctx->short_rsa = Crypto.RSA()->generate_key(512, ctx->random);
      // ctx->long_rsa = Crypto.RSA()->generate_key(rsa->rsa_size(), ctx->random);
    }
    ctx->rsa_mode();
    filter_preferred_suites();
    // One flag per *decoded* cert: does its public key match the private key?
    // Assumes every decoded cert carries an RSA public key
    // (tbs->public_key->rsa) -- a DSA cert here would presumably fail.
    array(int) key_matches =
      map(decoded_certs,
          lambda (object tbs) {
            return tbs->public_key->rsa->public_key_equal (rsa);
          });
    int num_key_matches;   // Pike ints start at 0
    // DWIM: Make sure the main cert comes first.
    // Stable partition: key-matching certs first, then the rest.
    array(string) new_certificates = allocate(sizeof(certificates));
    int i,j;
    for (i=0; i < sizeof(certificates); i++) {
      if (key_matches[i]) {
        new_certificates[j++] = certificates[i];
        num_key_matches++;
      }
    }
    for (i=0; i < sizeof(certificates); i++) {
      if (!key_matches[i]) {
        new_certificates[j++] = certificates[i];
      }
    }
    if( !num_key_matches )
      CERT_ERROR (KeyFile,
                  LOC_M(14, "Certificate and private key do not match.\n"));
    ctx->certificates = new_certificates;
  }
  else if (part = msg->parts["DSA PRIVATE KEY"])
  {
    string key;
    if (!(key = part->decoded_body()))
      CERT_ERROR (KeyFile,
                  LOC_M(15,"Private dsa key not valid")+" (PEM).\n");
    object dsa = Standards.PKCS.DSA.parse_private_key(key);
    if (!dsa)
      CERT_ERROR (KeyFile,
                  LOC_M(15,"Private dsa key not valid")+" (DER).\n");
    SSL3_WERR(sprintf("Using DSA key."));
    //dsa->use_random(ctx->random);
    ctx->dsa = dsa;
    /* Use default DH parameters */
    // Two Pike API generations are supported for the DH parameter object.
#if constant(SSL.Cipher)
    ctx->dh_params = SSL.Cipher.DHParameters();
#else
    ctx->dh_params = SSL.cipher()->dh_parameters();
#endif
    ctx->dhe_dss_mode();
    filter_preferred_suites();
    // FIXME: Add cert <-> private key check.
    // Unlike the RSA branch, a mismatched key is not detected here and the
    // cert order is left as read from the files.
    ctx->certificates = certificates;
  }
  else
    CERT_ERROR (KeyFile, LOC_M(17,"No private key found.\n"));
#if EXPORT
  ctx->export_mode();
#endif
  if (!bound) {
    bind (ignore_eaddrinuse);
    // Only announce the port when this reload fixed an earlier failure.
    if (old_cert_failure && bound)
      report_notice (LOC_M(64, "TLS port %s opened.\n"), get_url());
  }
}