From bd5df3a9ea985d3e1989a8a841d517109d24edde Mon Sep 17 00:00:00 2001 From: joss17 Date: Wed, 13 Jan 2010 20:52:31 +0000 Subject: [PATCH] first separation between authSSL and authGPG git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@1999 b45a01b8-16f6-495d-af2f-9b41ad6348cc --- libretroshare/src/pqi/authgpg.cc | 633 ++------------------------- libretroshare/src/pqi/authgpg.h | 171 ++------ libretroshare/src/pqi/authssl.cc | 313 ++++++++++++- libretroshare/src/pqi/authssl.h | 16 + libretroshare/src/rsserver/rsinit.cc | 13 +- 5 files changed, 399 insertions(+), 747 deletions(-) diff --git a/libretroshare/src/pqi/authgpg.cc b/libretroshare/src/pqi/authgpg.cc index 8f5d17772..a00ef1a65 100644 --- a/libretroshare/src/pqi/authgpg.cc +++ b/libretroshare/src/pqi/authgpg.cc @@ -57,6 +57,7 @@ #include #include #include +#include /* Turn a set of parameters into a string */ static std::string setKeyPairParams(bool useRsa, unsigned int blen, @@ -76,14 +77,6 @@ static void ProcessPGPmeError(gpgme_error_t ERR); /* Function to sign X509_REQ via GPGme. */ -// the single instance of this, but only when SSL Only -static GPGAuthMgr instance_gpgroot; - -p3AuthMgr *getAuthMgr() -{ - return &instance_gpgroot; -} - gpgcert::gpgcert() :key(NULL) { @@ -705,217 +698,6 @@ bool GPGAuthMgr::printKeys() return printOwnKeys_locked(); } -X509 *GPGAuthMgr::SignX509Req(X509_REQ *req, long days, std::string gpg_passwd) -{ - RsStackMutex stack(pgpMtx); /******* LOCKED ******/ - - /* Transform the X509_REQ into a suitable format to - * generate DIGEST hash. (for SSL to do grunt work) - */ - - -#define SERIAL_RAND_BITS 64 - - const EVP_MD *digest = EVP_sha1(); - ASN1_INTEGER *serial = ASN1_INTEGER_new(); - EVP_PKEY *tmppkey; - X509 *x509 = X509_new(); - if (x509 == NULL) - { - std::cerr << "GPGAuthMgr::SignX509Req() FAIL" << std::endl; - return NULL; - } - - long version = 0x00; - unsigned long chtype = MBSTRING_ASC; - X509_NAME *issuer_name = X509_NAME_new(); - X509_NAME_add_entry_by_txt(issuer_name, "CN", chtype, - (unsigned char *) mOwnId.c_str(), -1, -1, 0); -/**** - X509_NAME_add_entry_by_NID(issuer_name, 48, 0, - (unsigned char *) "email@email.com", -1, -1, 0); - X509_NAME_add_entry_by_txt(issuer_name, "O", chtype, - (unsigned char *) "org", -1, -1, 0); - X509_NAME_add_entry_by_txt(x509_name, "L", chtype, - (unsigned char *) "loc", -1, -1, 0); -****/ - - std::cerr << "GPGAuthMgr::SignX509Req() Issuer name: " << mOwnId << std::endl; - - BIGNUM *btmp = BN_new(); - if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0)) - { - std::cerr << "GPGAuthMgr::SignX509Req() rand FAIL" << std::endl; - return NULL; - } - if (!BN_to_ASN1_INTEGER(btmp, serial)) - { - std::cerr << "GPGAuthMgr::SignX509Req() asn1 FAIL" << std::endl; - return NULL; - } - BN_free(btmp); - - if (!X509_set_serialNumber(x509, serial)) - { - std::cerr << "GPGAuthMgr::SignX509Req() serial FAIL" << std::endl; - return NULL; - } - ASN1_INTEGER_free(serial); - - /* Generate SUITABLE issuer name. - * Must reference OpenPGP key, that is used to verify it - */ - - if (!X509_set_issuer_name(x509, issuer_name)) - { - std::cerr << "GPGAuthMgr::SignX509Req() issue FAIL" << std::endl; - return NULL; - } - X509_NAME_free(issuer_name); - - - if (!X509_gmtime_adj(X509_get_notBefore(x509),0)) - { - std::cerr << "GPGAuthMgr::SignX509Req() notbefore FAIL" << std::endl; - return NULL; - } - - if (!X509_gmtime_adj(X509_get_notAfter(x509), (long)60*60*24*days)) - { - std::cerr << "GPGAuthMgr::SignX509Req() notafter FAIL" << std::endl; - return NULL; - } - - if (!X509_set_subject_name(x509, X509_REQ_get_subject_name(req))) - { - std::cerr << "GPGAuthMgr::SignX509Req() sub FAIL" << std::endl; - return NULL; - } - - tmppkey = X509_REQ_get_pubkey(req); - if (!tmppkey || !X509_set_pubkey(x509,tmppkey)) - { - std::cerr << "GPGAuthMgr::SignX509Req() pub FAIL" << std::endl; - return NULL; - } - - std::cerr << "X509 Cert, prepared for signing" << std::endl; - - /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/ - int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; - X509_ALGOR *algor1 = x509->cert_info->signature; - X509_ALGOR *algor2 = x509->sig_alg; - ASN1_BIT_STRING *signature = x509->signature; - X509_CINF *data = x509->cert_info; - EVP_PKEY *pkey = NULL; - const EVP_MD *type = EVP_sha1(); - - EVP_MD_CTX ctx; - unsigned char *p,*buf_in=NULL; - unsigned char *buf_hashout=NULL,*buf_sigout=NULL; - int i,inl=0,hashoutl=0,hashoutll=0; - int sigoutl=0,sigoutll=0; - X509_ALGOR *a; - - EVP_MD_CTX_init(&ctx); - - /* FIX ALGORITHMS */ - - a = algor1; - ASN1_TYPE_free(a->parameter); - a->parameter=ASN1_TYPE_new(); - a->parameter->type=V_ASN1_NULL; - - ASN1_OBJECT_free(a->algorithm); - a->algorithm=OBJ_nid2obj(type->pkey_type); - - a = algor2; - ASN1_TYPE_free(a->parameter); - a->parameter=ASN1_TYPE_new(); - a->parameter->type=V_ASN1_NULL; - - ASN1_OBJECT_free(a->algorithm); - a->algorithm=OBJ_nid2obj(type->pkey_type); - - - std::cerr << "Algorithms Fixed" << std::endl; - - /* input buffer */ - inl=i2d(data,NULL); - buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); - - hashoutll=hashoutl=EVP_MD_size(type); - buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl); - - sigoutll=sigoutl=2048; // hashoutl; //EVP_PKEY_size(pkey); - buf_sigout=(unsigned char *)OPENSSL_malloc((unsigned int)sigoutl); - - if ((buf_in == NULL) || (buf_hashout == NULL) || (buf_sigout == NULL)) - { - hashoutl=0; - sigoutl=0; - fprintf(stderr, "GPGAuthMgr::SignX509Req: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE)\n"); - goto err; - } - p=buf_in; - - std::cerr << "Buffers Allocated" << std::endl; - - i2d(data,&p); - /* data in buf_in, ready to be hashed */ - EVP_DigestInit_ex(&ctx,type, NULL); - EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl); - if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout, - (unsigned int *)&hashoutl)) - { - hashoutl=0; - fprintf(stderr, "GPGAuthMgr::SignX509Req: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB)\n"); - goto err; - } - - std::cerr << "Digest Applied: len: " << hashoutl << std::endl; - - /* NOW Sign via GPG Functions */ - if (!DoOwnSignature_locked(buf_hashout, hashoutl, buf_sigout, (unsigned int *) &sigoutl)) - { - sigoutl = 0; - goto err; - } - - std::cerr << "Buffer Sizes: in: " << inl; - std::cerr << " HashOut: " << hashoutl; - std::cerr << " SigOut: " << sigoutl; - std::cerr << std::endl; - - //passphrase = "NULL"; - - std::cerr << "Signature done: len:" << sigoutl << std::endl; - - /* ADD Signature back into Cert... Signed!. */ - - if (signature->data != NULL) OPENSSL_free(signature->data); - signature->data=buf_sigout; - buf_sigout=NULL; - signature->length=sigoutl; - /* In the interests of compatibility, I'll make sure that - * the bit string has a 'not-used bits' value of 0 - */ - signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); - signature->flags|=ASN1_STRING_FLAG_BITS_LEFT; - - std::cerr << "Certificate Complete" << std::endl; - - return x509; - - - err: - /* cleanup */ - std::cerr << "GPGAuthMgr::SignX509Req() err: FAIL" << std::endl; - - return NULL; -} - - #if 0 int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, @@ -931,93 +713,6 @@ X509 *GPGAuthMgr::SignX509Req(X509_REQ *req, long days, std::string gpg_passwd) } #endif - -bool GPGAuthMgr::AuthX509(X509 *x509) -{ - RsStackMutex stack(pgpMtx); /******* LOCKED ******/ - - /* extract CN for peer Id */ - X509_NAME *issuer = X509_get_issuer_name(x509); - std::string id = ""; - - /* verify signature */ - - /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/ - int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; - ASN1_BIT_STRING *signature = x509->signature; - X509_CINF *data = x509->cert_info; - EVP_PKEY *pkey = NULL; - const EVP_MD *type = EVP_sha1(); - - EVP_MD_CTX ctx; - unsigned char *p,*buf_in=NULL; - unsigned char *buf_hashout=NULL,*buf_sigout=NULL; - int i,inl=0,hashoutl=0,hashoutll=0; - int sigoutl=0,sigoutll=0; - X509_ALGOR *a; - - fprintf(stderr, "GPGAuthMgr::AuthX509()\n"); - - EVP_MD_CTX_init(&ctx); - - /* input buffer */ - inl=i2d(data,NULL); - buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); - - hashoutll=hashoutl=EVP_MD_size(type); - buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl); - - sigoutll=sigoutl=2048; //hashoutl; //EVP_PKEY_size(pkey); - buf_sigout=(unsigned char *)OPENSSL_malloc((unsigned int)sigoutl); - - std::cerr << "Buffer Sizes: in: " << inl; - std::cerr << " HashOut: " << hashoutl; - std::cerr << " SigOut: " << sigoutl; - std::cerr << std::endl; - - if ((buf_in == NULL) || (buf_hashout == NULL) || (buf_sigout == NULL)) - { - hashoutl=0; - sigoutl=0; - fprintf(stderr, "GPGAuthMgr::AuthX509: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE)\n"); - goto err; - } - p=buf_in; - - std::cerr << "Buffers Allocated" << std::endl; - - i2d(data,&p); - /* data in buf_in, ready to be hashed */ - EVP_DigestInit_ex(&ctx,type, NULL); - EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl); - if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout, - (unsigned int *)&hashoutl)) - { - hashoutl=0; - fprintf(stderr, "GPGAuthMgr::AuthX509: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB)\n"); - goto err; - } - - std::cerr << "Digest Applied: len: " << hashoutl << std::endl; - - /* copy data into signature */ - sigoutl = signature->length; - memmove(buf_sigout, signature->data, sigoutl); - - /* NOW Sign via GPG Functions */ - if (!VerifySignature_locked(id, buf_hashout, hashoutl, buf_sigout, (unsigned int) sigoutl)) - { - sigoutl = 0; - goto err; - } - - return true; - - err: - return false; -} - - void ProcessPGPmeError(gpgme_error_t ERR) { gpgme_err_code_t code = gpgme_err_code(ERR); @@ -1055,7 +750,7 @@ void print_pgpme_verify_summary(unsigned int summary) } -bool GPGAuthMgr::DoOwnSignature_locked(void *data, unsigned int datalen, void *buf_sigout, unsigned int *outl) +bool GPGAuthMgr::DoOwnSignature_locked(const void *data, unsigned int datalen, void *buf_sigout, unsigned int *outl) { /* setup signers */ gpgme_signers_clear(CTX); @@ -1137,8 +832,7 @@ bool GPGAuthMgr::DoOwnSignature_locked(void *data, unsigned int datalen, void *b /* import to GnuPG and other Certificates */ -bool GPGAuthMgr::VerifySignature_locked(std::string id, void *data, int datalen, - void *sig, unsigned int siglen) +bool GPGAuthMgr::VerifySignature_locked(const void *data, int datalen, const void *sig, unsigned int siglen) { gpgme_data_t gpgmeSig; gpgme_data_t gpgmeData; @@ -1222,19 +916,10 @@ bool GPGAuthMgr::active() return ((gpgmeInit) && (gpgmeKeySelected) && (gpgmeX509Selected)); } -int GPGAuthMgr::InitAuth(const char *srvr_cert, const char *priv_key, - const char *passwd) +int GPGAuthMgr::InitAuth() { - std::cerr << "GPGAuthMgr::InitAuth() called." << std::endl; - /* Initialise the SSL part */ - if (AuthSSL::InitAuth(srvr_cert, priv_key, passwd)) - { - RsStackMutex stack(pgpMtx); /******* LOCKED ******/ - gpgmeX509Selected = true; - return 1; - } - - return 0; + gpgmeX509Selected = true; + return 1; } bool GPGAuthMgr::CloseAuth() @@ -1251,63 +936,8 @@ int GPGAuthMgr::setConfigDirectories(std::string confFile, std::string neigh #endif -/**** The standard versions of the OwnId/get*List ... return SSL ids - * There are alternative functions for gpg ids. - ****/ - -std::string GPGAuthMgr::OwnId() -{ - /* to the external libretroshare world, we are our SSL id */ - return AuthSSL::OwnId(); -} - -bool GPGAuthMgr::getAllList(std::list &ids) -{ - /* get all of the certificates */ - return AuthSSL::getAllList(ids); -} - -bool GPGAuthMgr::getAuthenticatedList(std::list &ids) -{ - return AuthSSL::getAuthenticatedList(ids); -} - -bool GPGAuthMgr::getUnknownList(std::list &ids) -{ - return AuthSSL::getUnknownList(ids); -} - -/*******************************/ - -bool GPGAuthMgr::isValid(std::string id) -{ - return AuthSSL::isValid(id); -} - -bool GPGAuthMgr::isAuthenticated(std::string id) -{ - /* This must be handled at PGP level */ - - /* get pgpid */ - std::string pgpid = getIssuerName(id); - - return isPGPAuthenticated(pgpid); - //return AuthSSL::isAuthenticated(id); -} - -bool GPGAuthMgr::isTrustingMe(std::string) -{ - return false; -} - -void GPGAuthMgr::addTrustingPeer(std::string) -{ - - -} - /**** These Two are common */ -std::string GPGAuthMgr::getPGPName(std::string id) +std::string GPGAuthMgr::getPGPName(GPG_id id) { RsStackMutex stack(pgpMtx); /******* LOCKED ******/ @@ -1318,55 +948,23 @@ std::string GPGAuthMgr::getPGPName(std::string id) return std::string(); } -bool GPGAuthMgr::getDetails(std::string id, pqiAuthDetails &details) +bool GPGAuthMgr::getDetails(GPG_id id, pqiAuthDetails &details) { - /**** GPG Details. - * Ids are the SSL id cert ids, so we have to get issuer id (pgpid) - * before we can add any gpg details - ****/ -#ifdef AUTHGPG_DEBUG - std::cerr << "GPGAuthMgr::getDetails() \"" << id << "\""; - std::cerr << std::endl; -#endif - - if (AuthSSL::getDetails(id, details)) - { - //RsStackMutex stack(pgpMtx); /******* LOCKED ******/ - if(pgpMtx.trylock()) - { - certmap::iterator it; - if (mKeyList.end() != (it = mKeyList.find(details.issuer))) - { - /* what do we want from the gpg mgr */ - details.location = details.location; - details.name = it->second.user.name; - details.email = it->second.user.email; - - //details = it->second.user; - } - pgpMtx.unlock() ; - return true; - } - return false ; - } - else - { - //RsStackMutex stack(pgpMtx); /******* LOCKED ******/ - if(pgpMtx.trylock()) - { - /* if we cannot find a ssl cert - might be a pgp cert */ - certmap::iterator it; - if (mKeyList.end() != (it = mKeyList.find(id))) - { - /* what do we want from the gpg mgr */ - details = it->second.user; - pgpMtx.unlock() ; - return true; - } - pgpMtx.unlock() ; - } - return false; - } + //RsStackMutex stack(pgpMtx); /******* LOCKED ******/ + if(pgpMtx.trylock()) + { + /* if we cannot find a ssl cert - might be a pgp cert */ + certmap::iterator it; + if (mKeyList.end() != (it = mKeyList.find(id))) + { + /* what do we want from the gpg mgr */ + details = it->second.user; + pgpMtx.unlock() ; + return true; + } + pgpMtx.unlock() ; + } + return false; } @@ -1456,7 +1054,7 @@ bool GPGAuthMgr::getPGPUnknownList(std::list &ids) } -bool GPGAuthMgr::isPGPValid(std::string id) +bool GPGAuthMgr::isPGPValid(GPG_id id) { RsStackMutex stack(pgpMtx); /******* LOCKED ******/ @@ -1465,7 +1063,7 @@ bool GPGAuthMgr::isPGPValid(std::string id) } -bool GPGAuthMgr::isPGPAuthenticated(std::string id) +bool GPGAuthMgr::isPGPAuthenticated(GPG_id id) { RsStackMutex stack(pgpMtx); /******* LOCKED ******/ @@ -1526,16 +1124,7 @@ bool GPGAuthMgr::loadCertificates() std::string GPGAuthMgr::SaveCertificateToString(std::string id) { - if (!isPGPValid(id)) - { - std::cerr << "GPGAuthMgr::SaveCertificateToString() Id is Not PGP" << std::endl; - /* check if it is a SSL Certificate */ - if (isValid(id)) - { - std::cerr << "GPGAuthMgr::SaveCertificateToString() is SSLID!" << std::endl; - std::string sslcert = AuthSSL::SaveCertificateToString(id); - return sslcert; - } + if (!isPGPValid(id)) { std::cerr << "GPGAuthMgr::SaveCertificateToString() unknown ID" << std::endl; std::string emptystr; return emptystr; @@ -1582,18 +1171,9 @@ std::string GPGAuthMgr::SaveCertificateToString(std::string id) } /* import to GnuPG and other Certificates */ -bool GPGAuthMgr::LoadCertificateFromString(std::string str, std::string &id) +bool GPGAuthMgr::LoadCertificateFromString(std::string str) { - /* catch SSL Certs and pass to AuthSSL. */ - std::string sslmarker("-----BEGIN CERTIFICATE-----"); - size_t pos = str.find(sslmarker); - if (pos != std::string::npos) - { - return AuthSSL::LoadCertificateFromString(str, id); - } - - /* otherwise assume it is a PGP cert */ RsStackMutex stack(pgpMtx); /******* LOCKED ******/ gpgme_data_t gpgmeData; @@ -1635,27 +1215,6 @@ bool GPGAuthMgr::LoadCertificateFromString(std::string str, std::string &id) return true; } -/*** These are passed to SSL ****/ -bool GPGAuthMgr::LoadCertificateFromFile(std::string filename, std::string &id) -{ - return false; -} - -bool GPGAuthMgr::SaveCertificateToFile(std::string id, std::string filename) -{ - return false; -} - -bool GPGAuthMgr::LoadCertificateFromBinary(const uint8_t *ptr, uint32_t len, std::string &id) -{ - return AuthSSL::LoadCertificateFromBinary(ptr, len, id); -} - -bool GPGAuthMgr::SaveCertificateToBinary(std::string id, uint8_t **ptr, uint32_t *len) -{ - return AuthSSL::SaveCertificateToBinary(id, ptr, len); -} - /***************************************************************** * Auth...? Signing, Revoke, Trust are all done at * the PGP level.... @@ -1670,17 +1229,8 @@ bool GPGAuthMgr::SaveCertificateToBinary(std::string id, uint8_t **ptr, uint32_t /*************************************/ /* Auth takes SSL Certificate */ -bool GPGAuthMgr::AuthCertificate(std::string id) +bool GPGAuthMgr::AuthCertificate(GPG_id pgpid) { - /** - * we are passed an SSL cert, check if the cert is signed - * by an already authed peer. - **/ - std::cerr << "GPGAuthMgr::AuthCertificate(" << id << ")"; - std::cerr << std::endl; - - std::string pgpid = AuthSSL::getIssuerName(id); - if (isPGPAuthenticated(pgpid)) { return true; @@ -1695,14 +1245,14 @@ bool GPGAuthMgr::AuthCertificate(std::string id) } /* These take PGP Ids */ -bool GPGAuthMgr::SignCertificate(std::string id) +bool GPGAuthMgr::SignCertificate(GPG_id id) { std::cerr << "GPGAuthMgr::SignCertificate(" << id << ")"; std::cerr << std::endl; - if (1 != signCertificate(id)) + if (1 != privateSignCertificate(id)) { return false; } @@ -1735,13 +1285,6 @@ bool GPGAuthMgr::TrustCertificate(std::string id, bool trust) return false; } -/***************************************************************** - * Signing data is done by the SSL certificate. - * - */ - -#if 0 - bool GPGAuthMgr::SignData(std::string input, std::string &sign) { return false; @@ -1758,118 +1301,20 @@ bool GPGAuthMgr::SignDataBin(std::string input, unsigned char *sign, unsigned in return false; } -bool GPGAuthMgr::SignDataBin(const void *data, const uint32_t len, - unsigned char *sign, unsigned int *signlen) -{ - return false; +bool GPGAuthMgr::SignDataBin(const void *data, unsigned int datalen, unsigned char *sign, unsigned int *signlen) { + return DoOwnSignature_locked(data, datalen, + sign, signlen); } -#endif - - - /************* Virtual Functions from AuthSSL *************/ - -bool GPGAuthMgr::ValidateCertificate(X509 *x509, std::string &peerId) -{ - std::cerr << "GPGAuthMgr::ValidateCertificate()"; - std::cerr << std::endl; - - bool val = AuthX509(x509); - if (val) - { - return getX509id(x509, peerId); - } - /* be sure to get the id anyway */ - getX509id(x509, peerId); - - return false; +bool GPGAuthMgr::VerifySignBin(const void *data, uint32_t datalen, unsigned char *sign, unsigned int signlen) { + return VerifySignature_locked(data, datalen, + sign, signlen); } -int GPGAuthMgr::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx) -{ - char buf[256]; - X509 *err_cert; - int err, depth; - - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - std::cerr << "GPGAuthMgr::VerifyX509Callback(preverify_ok: " << preverify_ok - << " Err: " << err << " Depth: " << depth; - std::cerr << std::endl; - - /* - * Retrieve the pointer to the SSL of the connection currently treated - * and the application specific data stored into the SSL object. - */ - - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); - - std::cerr << "GPGAuthMgr::VerifyX509Callback: depth: " << depth << ":" << buf; - std::cerr << std::endl; - - - if (!preverify_ok) { - fprintf(stderr, "Verify error:num=%d:%s:depth=%d:%s\n", err, - X509_verify_cert_error_string(err), depth, buf); - } - - /* - * At this point, err contains the last verification error. We can use - * it for something special - */ - - if (!preverify_ok) - { - if ((err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) || - (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) - { - X509_NAME_oneline(X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)), buf, 256); - printf("issuer= %s\n", buf); - - fprintf(stderr, "Doing REAL PGP Certificates\n"); - /* do the REAL Authentication */ - if (!AuthX509(X509_STORE_CTX_get_current_cert(ctx))) - { - return false; - } - std::string pgpid = getX509CNString(X509_STORE_CTX_get_current_cert(ctx)->cert_info->issuer); - if (!isPGPAuthenticated(pgpid)) - { - return false; - } - preverify_ok = true; - } - else if ((err == X509_V_ERR_CERT_UNTRUSTED) || - (err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) - { - std::string pgpid = getX509CNString(X509_STORE_CTX_get_current_cert(ctx)->cert_info->issuer); - if (!isPGPAuthenticated(pgpid)) - { - return false; - } - preverify_ok = true; - } - } - else - { - fprintf(stderr, "Failing Normal Certificate!!!\n"); - preverify_ok = false; - } - - return preverify_ok; -} - - - /************* Virtual Functions from AuthSSL *************/ - - - /* Sign/Trust stuff */ -int GPGAuthMgr::signCertificate(std::string id) +int GPGAuthMgr::privateSignCertificate(std::string id) { RsStackMutex stack(pgpMtx); /******* LOCKED ******/ @@ -1912,14 +1357,14 @@ int GPGAuthMgr::signCertificate(std::string id) } /* revoke the signature on Certificate */ -int GPGAuthMgr::revokeCertificate(std::string id) +int GPGAuthMgr::privateRevokeCertificate(std::string id) { RsStackMutex stack(pgpMtx); /******* LOCKED ******/ return 0; } -int GPGAuthMgr::trustCertificate(std::string id, int trustlvl) +int GPGAuthMgr::privateTrustCertificate(std::string id, int trustlvl) { RsStackMutex stack(pgpMtx); /******* LOCKED ******/ diff --git a/libretroshare/src/pqi/authgpg.h b/libretroshare/src/pqi/authgpg.h index aa3759c88..f36aa3a66 100644 --- a/libretroshare/src/pqi/authgpg.h +++ b/libretroshare/src/pqi/authgpg.h @@ -30,14 +30,17 @@ #ifndef RS_GPG_AUTH_HEADER #define RS_GPG_AUTH_HEADER -//#include "p3authmgr.h" -#include "authssl.h" #include +#include "pqi/p3authmgr.h" +#include +#include +#include "util/rsthreads.h" + +#define GPG_id std::string /* gpgcert is the identifier for a person. * It is a wrapper class for a GPGme OpenPGP certificate. */ - class gpgcert { public: @@ -53,17 +56,21 @@ class gpgcert */ typedef std::map certmap; -class GPGAuthMgr: public AuthSSL +class GPGAuthMgr { private: /* Internal functions */ bool setPGPPassword_locked(std::string pwd); - bool DoOwnSignature_locked(void *, unsigned int, void *, unsigned int *); - bool VerifySignature_locked(std::string id, void *data, int datalen, - void *sig, unsigned int siglen); + bool DoOwnSignature_locked(const void *, unsigned int, void *, unsigned int *); + bool VerifySignature_locked(const void *data, int datalen, const void *sig, unsigned int siglen); - // store all keys in map mKeyList to avoid calling gpgme exe repeatedly + /* Sign/Trust stuff */ + int privateSignCertificate(GPG_id id); + int privateRevokeCertificate(GPG_id id); /* revoke the signature on Certificate */ + int privateTrustCertificate(GPG_id id, int trustlvl); + + // store all keys in map mKeyList to avoid calling gpgme exe repeatedly bool storeAllKeys_locked(); bool updateTrustAllKeys_locked(); @@ -75,11 +82,6 @@ class GPGAuthMgr: public AuthSSL GPGAuthMgr(); ~GPGAuthMgr(); - - X509* SignX509Req(X509_REQ *req, long days, std::string); - bool AuthX509(X509 *x509); - - bool availablePGPCertificates(std::list &ids); //get the pgpg engine used by the pgp functions @@ -91,11 +93,6 @@ class GPGAuthMgr: public AuthSSL int LoadGPGPassword(std::string pwd); - /* Sign/Trust stuff */ - int signCertificate(std::string id); - int revokeCertificate(std::string id); /* revoke the signature on Certificate */ - int trustCertificate(std::string id, int trustlvl); - /* SKTAN */ void showData(gpgme_data_t dh); void createDummyFriends(void); //NYI @@ -119,34 +116,11 @@ class GPGAuthMgr: public AuthSSL /* initialisation -> done by derived classes */ bool active(); - /* Init by generating new Own PGP Cert, or selecting existing PGP Cert - */ - - /* Arguments passed on to AuthSSL */ - int InitAuth(const char *srvr_cert, const char *priv_key, - const char *passwd); + /* Init by generating new Own PGP Cert, or selecting existing PGP Cert */ + int InitAuth(); bool CloseAuth(); - // int setConfigDirectories(std::string confFile, std::string neighDir); - -/*********************************************************************************/ -/************************* STAGE 2 ***********************************************/ -/*********************************************************************************/ -/***** - * STAGE 2: These are some of the most commonly used functions in Retroshare. - * - * provide access to the cache list that was created in stage 1. - * - ****/ - - /* get Certificate Ids */ - - std::string OwnId(); - bool getAllList(std::list &ids); - bool getAuthenticatedList(std::list &ids); - bool getUnknownList(std::list &ids); - /*********************************************************************************/ /************************* STAGE 3 ***********************************************/ /*********************************************************************************/ @@ -159,28 +133,20 @@ class GPGAuthMgr: public AuthSSL * ****/ - /* get Details from the Certificates */ - - bool isValid(std::string id); - bool isAuthenticated(std::string id); - std::string getPGPName(std::string pgp_id); - bool getDetails(std::string id, pqiAuthDetails &details); - - virtual bool isTrustingMe(std::string); - virtual void addTrustingPeer(std::string); + /* get Details from the Certificates */ + bool isAuthenticated(std::string id); + std::string getPGPName(GPG_id pgp_id); + bool getDetails(std::string id, pqiAuthDetails &details); - /* PGP versions of Certificate Fns */ - - std::string PGPOwnId(); - bool getPGPAllList(std::list &ids); - bool getPGPAuthenticatedList(std::list &ids); - bool getPGPUnknownList(std::list &ids); - bool isPGPValid(std::string id); - bool isPGPAuthenticated(std::string id); - bool getPGPDetails(std::string id, pqiAuthDetails &details); - bool decryptText(gpgme_data_t CIPHER, gpgme_data_t PLAIN); - bool encryptText(gpgme_data_t PLAIN, gpgme_data_t CIPHER); + /* PGP versions of Certificate Fns */ + GPG_id PGPOwnId(); + bool getPGPAllList(std::list &ids); + bool getPGPAuthenticatedList(std::list &ids); + bool getPGPUnknownList(std::list &ids); + bool isPGPValid(std::string id); + bool isPGPAuthenticated(std::string id); + bool getPGPDetails(std::string id, pqiAuthDetails &details); /*********************************************************************************/ /************************* STAGE 4 ***********************************************/ @@ -192,25 +158,8 @@ class GPGAuthMgr: public AuthSSL /* Load/Save certificates */ - bool LoadCertificateFromString(std::string pem, std::string &id); + bool LoadCertificateFromString(std::string pem); std::string SaveCertificateToString(std::string id); - bool LoadCertificateFromFile(std::string filename, std::string &id); - bool SaveCertificateToFile(std::string id, std::string filename); - -/*********************************************************************************/ -/************************* STAGE 5 ***********************************************/ -/*********************************************************************************/ -/***** - * STAGE 5: Loading and Saving Certificates (Binary) - * - * The existing function arguments are based on OpenSSL functions. - * Feel free to change this format if required. - * - ****/ - - - bool LoadCertificateFromBinary(const uint8_t *ptr, uint32_t len, std::string &id); - bool SaveCertificateToBinary(std::string id, uint8_t **ptr, uint32_t *len); /*********************************************************************************/ /************************* STAGE 6 ***********************************************/ @@ -226,7 +175,7 @@ class GPGAuthMgr: public AuthSSL /* Signatures */ bool AuthCertificate(std::string uid); bool SignCertificate(std::string id); - bool RevokeCertificate(std::string id); /* Particularly hard - leave for later */ + bool RevokeCertificate(std::string id); /* Particularly hard - leave for later */ bool TrustCertificate(std::string id, bool trust); /*********************************************************************************/ @@ -239,55 +188,25 @@ class GPGAuthMgr: public AuthSSL * ****/ -#if 0 -virtual bool SignData(std::string input, std::string &sign); -virtual bool SignData(const void *data, const uint32_t len, std::string &sign); -virtual bool SignDataBin(std::string input, unsigned char *sign, unsigned int *signlen); -virtual bool SignDataBin(const void *data, const uint32_t len, - unsigned char *sign, unsigned int *signlen); -virtual bool VerifySignBin(std::string, const void*, uint32_t, unsigned char*, unsigned int); -#endif + bool SignData(std::string input, std::string &sign); + bool SignData(const void *data, const uint32_t len, std::string &sign); + bool SignDataBin(std::string input, unsigned char *sign, unsigned int *signlen); + bool SignDataBin(const void *data, const uint32_t len, unsigned char *sign, unsigned int *signlen); + bool VerifySignBin(const void*, uint32_t, unsigned char*, unsigned int); + bool decryptText(gpgme_data_t CIPHER, gpgme_data_t PLAIN); + bool encryptText(gpgme_data_t PLAIN, gpgme_data_t CIPHER); /*********************************************************************************/ /************************* PGP Specific functions ********************************/ /*********************************************************************************/ -/* - * These support the authentication process. - * - */ - - /************* Virtual Functions from AuthSSL *************/ -virtual bool ValidateCertificate(X509 *x509, std::string &peerId); -virtual int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx); - /************* Virtual Functions from AuthSSL *************/ - -/* - * - */ bool checkSignature(std::string id, std::string hash, std::string signature); - - -/*********************************************************************************/ -/************************* OTHER FUNCTIONS ***************************************/ -/*********************************************************************************/ - - /* High Level Load/Save Configuration */ -/***** - * These functions call straight through to AuthSSL. - * We don't need these functions here - as GPG stores the keys for us. - bool FinalSaveCertificates(); - bool CheckSaveCertificates(); - bool saveCertificates(); - bool loadCertificates(); - ****/ - - private: + private: RsMutex pgpMtx; /* Below is protected via the mutex */ @@ -309,13 +228,13 @@ bool checkSignature(std::string id, std::string hash, std::string signature); std::string passphrase; }; -/***** - * - * Support Functions for OpenSSL verification. - * - */ +// the single instance of this +static GPGAuthMgr instance_gpgroot; -//int verify_pgp_callback(int preverify_ok, X509_STORE_CTX *ctx); +GPGAuthMgr *getAuthGPG() +{ + return &instance_gpgroot; +} /* Sign a key */ diff --git a/libretroshare/src/pqi/authssl.cc b/libretroshare/src/pqi/authssl.cc index 52d965169..d19dc7877 100644 --- a/libretroshare/src/pqi/authssl.cc +++ b/libretroshare/src/pqi/authssl.cc @@ -50,23 +50,6 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx); -/*********** - ** #define AUTHSSL_DEBUG 1 - **********/ - -#ifdef PQI_USE_SSLONLY - -// the single instance of this, but only when SSL Only -static AuthSSL instance_sslroot; - -p3AuthMgr *getAuthMgr() -{ - return &instance_sslroot; -} - -#endif - - sslcert::sslcert(X509 *x509, std::string pid) { certificate = x509; @@ -803,6 +786,10 @@ std::string AuthSSL::getIssuerName(std::string id) return issuer; } +GPG_id AuthSSL::getGPGId(SSL_id id) { + return getIssuerName(id); +} + bool AuthSSL::getDetails(std::string id, pqiAuthDetails &details) { #ifdef AUTHSSL_DEBUG @@ -1755,8 +1742,300 @@ bool getX509id(X509 *x509, std::string &xid) return true; } +X509 *AuthSSL::SignX509Req(X509_REQ *req, long days) +{ + RsStackMutex stack(sslMtx); /******* LOCKED ******/ + + /* Transform the X509_REQ into a suitable format to + * generate DIGEST hash. (for SSL to do grunt work) + */ +#define SERIAL_RAND_BITS 64 + + const EVP_MD *digest = EVP_sha1(); + ASN1_INTEGER *serial = ASN1_INTEGER_new(); + EVP_PKEY *tmppkey; + X509 *x509 = X509_new(); + if (x509 == NULL) + { + std::cerr << "GPGAuthMgr::SignX509Req() FAIL" << std::endl; + return NULL; + } + + long version = 0x00; + unsigned long chtype = MBSTRING_ASC; + X509_NAME *issuer_name = X509_NAME_new(); + X509_NAME_add_entry_by_txt(issuer_name, "CN", chtype, + (unsigned char *) mOwnId.c_str(), -1, -1, 0); +/**** + X509_NAME_add_entry_by_NID(issuer_name, 48, 0, + (unsigned char *) "email@email.com", -1, -1, 0); + X509_NAME_add_entry_by_txt(issuer_name, "O", chtype, + (unsigned char *) "org", -1, -1, 0); + X509_NAME_add_entry_by_txt(x509_name, "L", chtype, + (unsigned char *) "loc", -1, -1, 0); +****/ + + std::cerr << "GPGAuthMgr::SignX509Req() Issuer name: " << mOwnId << std::endl; + + BIGNUM *btmp = BN_new(); + if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0)) + { + std::cerr << "GPGAuthMgr::SignX509Req() rand FAIL" << std::endl; + return NULL; + } + if (!BN_to_ASN1_INTEGER(btmp, serial)) + { + std::cerr << "GPGAuthMgr::SignX509Req() asn1 FAIL" << std::endl; + return NULL; + } + BN_free(btmp); + + if (!X509_set_serialNumber(x509, serial)) + { + std::cerr << "GPGAuthMgr::SignX509Req() serial FAIL" << std::endl; + return NULL; + } + ASN1_INTEGER_free(serial); + + /* Generate SUITABLE issuer name. + * Must reference OpenPGP key, that is used to verify it + */ + + if (!X509_set_issuer_name(x509, issuer_name)) + { + std::cerr << "GPGAuthMgr::SignX509Req() issue FAIL" << std::endl; + return NULL; + } + X509_NAME_free(issuer_name); + + + if (!X509_gmtime_adj(X509_get_notBefore(x509),0)) + { + std::cerr << "GPGAuthMgr::SignX509Req() notbefore FAIL" << std::endl; + return NULL; + } + + if (!X509_gmtime_adj(X509_get_notAfter(x509), (long)60*60*24*days)) + { + std::cerr << "GPGAuthMgr::SignX509Req() notafter FAIL" << std::endl; + return NULL; + } + + if (!X509_set_subject_name(x509, X509_REQ_get_subject_name(req))) + { + std::cerr << "GPGAuthMgr::SignX509Req() sub FAIL" << std::endl; + return NULL; + } + + tmppkey = X509_REQ_get_pubkey(req); + if (!tmppkey || !X509_set_pubkey(x509,tmppkey)) + { + std::cerr << "GPGAuthMgr::SignX509Req() pub FAIL" << std::endl; + return NULL; + } + + std::cerr << "X509 Cert, prepared for signing" << std::endl; + + /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/ + int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; + X509_ALGOR *algor1 = x509->cert_info->signature; + X509_ALGOR *algor2 = x509->sig_alg; + ASN1_BIT_STRING *signature = x509->signature; + X509_CINF *data = x509->cert_info; + EVP_PKEY *pkey = NULL; + const EVP_MD *type = EVP_sha1(); + + EVP_MD_CTX ctx; + unsigned char *p,*buf_in=NULL; + unsigned char *buf_hashout=NULL,*buf_sigout=NULL; + int i,inl=0,hashoutl=0,hashoutll=0; + int sigoutl=0,sigoutll=0; + X509_ALGOR *a; + + EVP_MD_CTX_init(&ctx); + + /* FIX ALGORITHMS */ + + a = algor1; + ASN1_TYPE_free(a->parameter); + a->parameter=ASN1_TYPE_new(); + a->parameter->type=V_ASN1_NULL; + + ASN1_OBJECT_free(a->algorithm); + a->algorithm=OBJ_nid2obj(type->pkey_type); + + a = algor2; + ASN1_TYPE_free(a->parameter); + a->parameter=ASN1_TYPE_new(); + a->parameter->type=V_ASN1_NULL; + + ASN1_OBJECT_free(a->algorithm); + a->algorithm=OBJ_nid2obj(type->pkey_type); + + + std::cerr << "Algorithms Fixed" << std::endl; + + /* input buffer */ + inl=i2d(data,NULL); + buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); + + hashoutll=hashoutl=EVP_MD_size(type); + buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl); + + sigoutll=sigoutl=2048; // hashoutl; //EVP_PKEY_size(pkey); + buf_sigout=(unsigned char *)OPENSSL_malloc((unsigned int)sigoutl); + + if ((buf_in == NULL) || (buf_hashout == NULL) || (buf_sigout == NULL)) + { + hashoutl=0; + sigoutl=0; + fprintf(stderr, "GPGAuthMgr::SignX509Req: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE)\n"); + goto err; + } + p=buf_in; + + std::cerr << "Buffers Allocated" << std::endl; + + i2d(data,&p); + /* data in buf_in, ready to be hashed */ + EVP_DigestInit_ex(&ctx,type, NULL); + EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl); + if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout, + (unsigned int *)&hashoutl)) + { + hashoutl=0; + fprintf(stderr, "GPGAuthMgr::SignX509Req: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB)\n"); + goto err; + } + + std::cerr << "Digest Applied: len: " << hashoutl << std::endl; + + /* NOW Sign via GPG Functions */ + if (!getAuthGPG()->SignDataBin(buf_hashout, hashoutl, buf_sigout, (unsigned int *) &sigoutl)) + { + sigoutl = 0; + goto err; + } + + std::cerr << "Buffer Sizes: in: " << inl; + std::cerr << " HashOut: " << hashoutl; + std::cerr << " SigOut: " << sigoutl; + std::cerr << std::endl; + + //passphrase = "NULL"; + + std::cerr << "Signature done: len:" << sigoutl << std::endl; + + /* ADD Signature back into Cert... Signed!. */ + + if (signature->data != NULL) OPENSSL_free(signature->data); + signature->data=buf_sigout; + buf_sigout=NULL; + signature->length=sigoutl; + /* In the interests of compatibility, I'll make sure that + * the bit string has a 'not-used bits' value of 0 + */ + signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); + signature->flags|=ASN1_STRING_FLAG_BITS_LEFT; + + std::cerr << "Certificate Complete" << std::endl; + + return x509; + + + err: + /* cleanup */ + std::cerr << "GPGAuthMgr::SignX509Req() err: FAIL" << std::endl; + + return NULL; +} + +bool AuthSSL::AuthX509(X509 *x509) +{ + RsStackMutex stack(sslMtx); /******* LOCKED ******/ + + /* extract CN for peer Id */ + X509_NAME *issuer = X509_get_issuer_name(x509); + std::string id = ""; + + /* verify signature */ + + /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/ + int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; + ASN1_BIT_STRING *signature = x509->signature; + X509_CINF *data = x509->cert_info; + EVP_PKEY *pkey = NULL; + const EVP_MD *type = EVP_sha1(); + + EVP_MD_CTX ctx; + unsigned char *p,*buf_in=NULL; + unsigned char *buf_hashout=NULL,*buf_sigout=NULL; + int i,inl=0,hashoutl=0,hashoutll=0; + int sigoutl=0,sigoutll=0; + X509_ALGOR *a; + + fprintf(stderr, "GPGAuthMgr::AuthX509()\n"); + + EVP_MD_CTX_init(&ctx); + + /* input buffer */ + inl=i2d(data,NULL); + buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); + + hashoutll=hashoutl=EVP_MD_size(type); + buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl); + + sigoutll=sigoutl=2048; //hashoutl; //EVP_PKEY_size(pkey); + buf_sigout=(unsigned char *)OPENSSL_malloc((unsigned int)sigoutl); + + std::cerr << "Buffer Sizes: in: " << inl; + std::cerr << " HashOut: " << hashoutl; + std::cerr << " SigOut: " << sigoutl; + std::cerr << std::endl; + + if ((buf_in == NULL) || (buf_hashout == NULL) || (buf_sigout == NULL)) + { + hashoutl=0; + sigoutl=0; + fprintf(stderr, "GPGAuthMgr::AuthX509: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE)\n"); + goto err; + } + p=buf_in; + + std::cerr << "Buffers Allocated" << std::endl; + + i2d(data,&p); + /* data in buf_in, ready to be hashed */ + EVP_DigestInit_ex(&ctx,type, NULL); + EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl); + if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout, + (unsigned int *)&hashoutl)) + { + hashoutl=0; + fprintf(stderr, "GPGAuthMgr::AuthX509: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB)\n"); + goto err; + } + + std::cerr << "Digest Applied: len: " << hashoutl << std::endl; + + /* copy data into signature */ + sigoutl = signature->length; + memmove(buf_sigout, signature->data, sigoutl); + + /* NOW Sign via GPG Functions */ + if (!getAuthGPG()->VerifySignBin(buf_hashout, hashoutl, buf_sigout, (unsigned int) sigoutl)) + { + sigoutl = 0; + goto err; + } + + return true; + + err: + return false; +} /* validate + get id */ bool AuthSSL::ValidateCertificate(X509 *x509, std::string &peerId) { diff --git a/libretroshare/src/pqi/authssl.h b/libretroshare/src/pqi/authssl.h index 5f0ed1df5..dab1d7c45 100644 --- a/libretroshare/src/pqi/authssl.h +++ b/libretroshare/src/pqi/authssl.h @@ -48,12 +48,16 @@ #include #include +#include "authgpg.h" + #include "util/rsthreads.h" #include "pqi/pqi_base.h" #include "pqi/pqinetwork.h" #include "pqi/p3authmgr.h" +typedef std::string SSL_id; + class AuthSSL; class sslcert @@ -111,6 +115,7 @@ virtual bool isValid(std::string id); virtual bool isAuthenticated(std::string id); virtual std::string getName(std::string id); virtual std::string getIssuerName(std::string id); +virtual GPG_id getGPGId(SSL_id id); virtual bool getDetails(std::string id, pqiAuthDetails &details); /* first party trust info (dummy) */ @@ -159,6 +164,9 @@ bool decrypt(void *&out, int &outlen, const void *in, int inlen); //return t /*********** Overloaded Functions from p3AuthMgr **********/ /************* Virtual Functions from AuthSSL *************/ +X509* SignX509Req(X509_REQ *req, long days); +bool AuthX509(X509 *x509); + virtual int VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx); virtual bool ValidateCertificate(X509 *x509, std::string &peerId); /* validate + get id */ @@ -214,6 +222,14 @@ bool locked_FindCert(std::string id, sslcert **cert); }; +// the single instance of this, but only when SSL Only +static AuthSSL instance_sslroot; + +AuthSSL *getAuthSSL() +{ + return &instance_sslroot; +} + X509_REQ *GenerateX509Req( std::string pkey_file, std::string passwd, diff --git a/libretroshare/src/rsserver/rsinit.cc b/libretroshare/src/rsserver/rsinit.cc index 05f2dded5..50fe20361 100644 --- a/libretroshare/src/rsserver/rsinit.cc +++ b/libretroshare/src/rsserver/rsinit.cc @@ -46,14 +46,8 @@ // for blocking signals #include -#if defined(PQI_USE_SSLONLY) - #include "pqi/authssl.h" -#else /* X509 Certificates */ -/**************** PQI_USE_SSLONLY ***************/ -/**************** SSL + OPENPGP *****************/ - #include "pqi/authgpg.h" - #include "pqi/authssl.h" -#endif /* X509 Certificates */ +#include "pqi/authgpg.h" +#include "pqi/authssl.h" class accountId { @@ -1022,9 +1016,8 @@ bool RsInit::GenerateSSLCertificate(std::string name, std::string org, std:: country.c_str(), nbits, errString); - GPGAuthMgr *mgr = (GPGAuthMgr *) getAuthMgr(); long days = 3000; - X509 *x509 = mgr->SignX509Req(req, days, "dummypassword"); + X509 *x509 = getAuthSSL()->SignX509Req(req, days); X509_REQ_free(req); if (x509 == NULL) {