tor  0.4.2.0-alpha-dev
x509.c
1 /* Copyright (c) 2003, Roger Dingledine.
2  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3  * Copyright (c) 2007-2019, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 
12 #define TOR_X509_PRIVATE
13 #include "lib/tls/x509.h"
14 #include "lib/tls/x509_internal.h"
15 #include "lib/log/util_bug.h"
18 
/**
 * Pick validity bounds for a certificate that must be valid for
 * <b>cert_lifetime</b> seconds when the current time is <b>now</b>.
 *
 * The start of validity is drawn with crypto_rand_time_range() from a
 * window that ends at <b>now</b>, then rounded down to a multiple of one
 * day, so the validity period never begins at the moment the certificate
 * is made.
 * NOTE(review): presumably this keeps the certificate from disclosing when
 * it was generated -- confirm against the TLS design notes.
 *
 * When <b>cert_lifetime</b> is longer than two days, the window begins at
 * now + 2 days - cert_lifetime; after rounding down by less than a day,
 * about one day of validity or more still remains after <b>now</b>. For
 * shorter lifetimes the window is just [now-1, now] and no such margin is
 * reserved.
 *
 * The bounds are written to *<b>start_time_out</b> and
 * *<b>end_time_out</b>; both pointers are dereferenced unconditionally.
 * The end time is always start + cert_lifetime.
 * NOTE(review): no overflow check is made on that sum; callers should pass
 * a bounded cert_lifetime -- confirm what the callers guarantee.
 */
void
tor_tls_pick_certificate_lifetime(time_t now,
                                  unsigned int cert_lifetime,
                                  time_t *start_time_out,
                                  time_t *end_time_out)
{
  /* Validity that should remain after `now`, and the rounding unit for
   * the start time: one day each. */
  const time_t min_real_lifetime = 24*3600;
  const time_t start_granularity = 24*3600;
  time_t window_begin;
  time_t not_before;

  if (cert_lifetime > min_real_lifetime + start_granularity) {
    /* Back-date by at most (cert_lifetime - margin - granularity); going
     * back the full lifetime would leave no real lifetime at all. */
    window_begin = now + min_real_lifetime + start_granularity
      - cert_lifetime;
  } else {
    /* Too short to reserve a margin; just make sure the start is not in
     * the future. */
    window_begin = now - 1;
  }

  not_before = crypto_rand_time_range(window_begin, now);
  /* Snap back to a day boundary. */
  not_before -= not_before % start_granularity;

  *start_time_out = not_before;
  *end_time_out = not_before + cert_lifetime;
}
54 
/**
 * Return the digests of the public key in <b>cert</b>, or NULL when the
 * pkey_digests_set flag on <b>cert</b> is clear.
 *
 * The returned pointer refers to storage inside <b>cert</b>; it is not a
 * copy, so it must not be used after <b>cert</b> is freed. <b>cert</b> is
 * dereferenced without a NULL check.
 */
const common_digests_t *
tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
{
  return cert->pkey_digests_set ? &cert->pkey_digests : NULL;
}
65 
/**
 * Return the digests stored for <b>cert</b> itself (tor_x509_cert_new()
 * fills them in from the certificate's DER encoding).
 *
 * The returned pointer refers to storage inside <b>cert</b>; it is not a
 * copy, so it must not be used after <b>cert</b> is freed. <b>cert</b> is
 * dereferenced without a NULL check.
 */
const common_digests_t *
tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
{
  const common_digests_t *digests = &cert->cert_digests;

  return digests;
}
72 
/**
 * Release <b>cert</b> and everything it owns. Does nothing when
 * <b>cert</b> is NULL.
 *
 * The wrapped library certificate (and, on OpenSSL builds, the cached
 * encoding) is released first, because the wipe that follows destroys the
 * pointers to them. The whole structure is then overwritten with 0x03
 * bytes via memwipe() before its memory is returned to the allocator, so
 * the digests and stale pointers do not linger in freed heap memory.
 */
void
tor_x509_cert_free_(tor_x509_cert_t *cert)
{
  if (cert == NULL) {
    return;
  }

  tor_x509_cert_impl_free(cert->cert);
#ifdef ENABLE_OPENSSL
  tor_free(cert->encoded);
#endif

  /* Poison the struct before handing it back to the allocator. */
  memwipe(cert, 0x03, sizeof *cert);

  /* LCOV_EXCL_BR_START since cert will never be NULL here */
  tor_free(cert);
  /* LCOV_EXCL_BR_STOP */
}
88 
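/**
 * Wrap the library certificate <b>x509_cert</b> in a newly allocated
 * tor_x509_cert_t, caching its encoding and precomputing its digests.
 *
 * Returns NULL if <b>x509_cert</b> is NULL. Otherwise this function takes
 * ownership of <b>x509_cert</b>: on success it is held by the returned
 * object, and on failure it is released together with the partly built
 * wrapper (through tor_x509_cert_free()) before NULL is returned. Callers
 * must therefore not free <b>x509_cert</b> themselves after either outcome.
 *
 * Two sets of digests are stored:
 *  - cert_digests: over the certificate's DER encoding;
 *  - pkey_digests: over the key returned by tor_tls_cert_get_key(), when
 *    there is one.
 */
MOCK_IMPL(tor_x509_cert_t *,
tor_x509_cert_new,(tor_x509_cert_impl_t *x509_cert))
{
  tor_x509_cert_t *cert;

  if (!x509_cert)
    return NULL;

  cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
  cert->cert = x509_cert;

  /* Bail out only if caching the DER encoding fails. Without this
   * condition the jump to err is unconditional, everything below is
   * unreachable, and every certificate is rejected. */
  if (tor_x509_cert_set_cached_der_encoding(cert) < 0)
    goto err;

  {
    const uint8_t *encoded=NULL;
    size_t encoded_len=0;
    tor_x509_cert_get_der(cert, &encoded, &encoded_len);
    /* A certificate with no encoding at this point is a programming
     * error, not an input error. */
    tor_assert(encoded);
    crypto_common_digests(&cert->cert_digests, (char *)encoded, encoded_len);
  }

  {
    crypto_pk_t *pk = tor_tls_cert_get_key(cert);
    if (pk) {
      if (crypto_pk_get_common_digests(pk, &cert->pkey_digests) < 0) {
        log_warn(LD_CRYPTO, "unable to compute digests of certificate key");
        crypto_pk_free(pk);
        goto err;
      }
    }
    /* NOTE(review): the flag is set even when pk is NULL. In that case
     * pkey_digests is still all zeroes from tor_malloc_zero(), and
     * tor_x509_cert_get_id_digests() returns those zeroed digests instead
     * of NULL. Confirm that callers comparing identity digests cannot be
     * misled by a certificate that has no usable key. */
    cert->pkey_digests_set = 1;
    crypto_pk_free(pk);
  }

  return cert;
 err:
  log_err(LD_CRYPTO, "Couldn't wrap encoded X509 certificate.");
  /* Also releases x509_cert, which cert->cert now points to. */
  tor_x509_cert_free(cert);
  return NULL;
}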
135 
/**
 * Return a new tor_x509_cert_t built from a duplicate of the library
 * certificate inside <b>cert</b>.
 *
 * Asserts that <b>cert</b> and its wrapped certificate are non-NULL. The
 * result comes from tor_x509_cert_new(), so it is NULL when duplication
 * yields NULL or when wrapping the duplicate fails; callers must check it
 * before use.
 */
tor_x509_cert_t *
tor_x509_cert_dup(const tor_x509_cert_t *cert)
{
  tor_x509_cert_impl_t *copy;

  tor_assert(cert);
  tor_assert(cert->cert);

  copy = tor_x509_cert_impl_dup_(cert->cert);
  return tor_x509_cert_new(copy);
}
Common functions for using (pseudo-)random number generators.
const common_digests_t * tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
Definition: x509.c:58
crypto_pk_t * tor_tls_cert_get_key(tor_x509_cert_t *cert)
Definition: x509_nss.c:285
#define tor_free(p)
Definition: malloc.h:52
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
int crypto_common_digests(common_digests_t *ds_out, const char *m, size_t len)
Definition: crypto_digest.c:30
Common functions for cryptographic routines.
tor_assert(buffer)
tor_x509_cert_t * tor_x509_cert_dup(const tor_x509_cert_t *cert)
Definition: x509.c:138
void tor_x509_cert_get_der(const tor_x509_cert_t *cert, const uint8_t **encoded_out, size_t *size_out)
Definition: x509_nss.c:216
Headers for tortls.c.
const common_digests_t * tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
Definition: x509.c:68
int tor_x509_cert_set_cached_der_encoding(tor_x509_cert_t *cert)
Definition: x509_openssl.c:190
int crypto_pk_get_common_digests(crypto_pk_t *pk, common_digests_t *digests_out)
Definition: crypto_rsa.c:381
time_t crypto_rand_time_range(time_t min, time_t max)
#define LD_CRYPTO
Definition: log.h:61
Macros to manage assertions, fatal and non-fatal.
void tor_x509_cert_free_(tor_x509_cert_t *cert)
Definition: x509.c:75