Macros | Functions
x509_openssl.c File Reference
#include "lib/tls/x509.h"
#include "lib/tls/x509_internal.h"
#include "lib/tls/tortls.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/crypt_ops/compat_openssl.h"
#include <openssl/opensslv.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/ctime/di_ops.h"
#include "lib/encoding/time_fmt.h"
#include <stdlib.h>
#include <string.h>

Go to the source code of this file.


#define TOR_X509_PRIVATE
#define X509_get_notBefore_const(cert)   ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
#define X509_get_notAfter_const(cert)   ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))


static X509_NAME * tor_x509_name_new (const char *cname)
 MOCK_IMPL (X509 *, tor_tls_create_certificate,(crypto_pk_t *rsa, crypto_pk_t *rsa_sign, const char *cname, const char *cname_sign, unsigned int cert_lifetime))
int tor_x509_cert_set_cached_der_encoding (tor_x509_cert_t *cert)
void tor_x509_cert_impl_free_ (tor_x509_cert_impl_t *cert)
tor_x509_cert_impl_t * tor_x509_cert_impl_dup_ (tor_x509_cert_impl_t *cert)
void tor_x509_cert_get_der (const tor_x509_cert_t *cert, const uint8_t **encoded_out, size_t *size_out)
tor_x509_cert_t * tor_x509_cert_decode (const uint8_t *certificate, size_t certificate_len)
crypto_pk_ttor_tls_cert_get_key (tor_x509_cert_t *cert)
int tor_tls_cert_is_valid (int severity, const tor_x509_cert_t *cert, const tor_x509_cert_t *signing_cert, time_t now, int check_rsa_1024)
static void log_cert_lifetime (int severity, const X509 *cert, const char *problem, time_t now)
int tor_x509_check_cert_lifetime_internal (int severity, const X509 *cert, time_t now, int past_tolerance, int future_tolerance)

Detailed Description

Wrapper functions to present a consistent interface to X.509 functions.

Wrapper functions to present a consistent interface to X.509 functions from OpenSSL.

Definition in file x509_openssl.c.

Function Documentation

◆ log_cert_lifetime()

static void log_cert_lifetime ( int  severity,
const X509 *  cert,
const char *  problem,
time_t  now 

Warn that a certificate lifetime extends through a certain range.

Definition at line 367 of file x509_openssl.c.

References LD_GENERAL, and tor_log().


MOCK_IMPL ( X509 *  ,
tor_tls_create_certificate  ,
(crypto_pk_t *rsa, crypto_pk_t *rsa_sign, const char *cname, const char *cname_sign, unsigned int cert_lifetime)   

Generate and sign an X509 certificate with the public key rsa, signed by the private key rsa_sign. The commonName of the certificate will be cname; the commonName of the issuer will be cname_sign. The cert will be valid for cert_lifetime seconds, starting from some time in the past.

Return a certificate on success, NULL on failure.

Definition at line 100 of file x509_openssl.c.

◆ tor_tls_cert_get_key()

crypto_pk_t* tor_tls_cert_get_key ( tor_x509_cert_t *  cert)

Return a newly allocated copy of the public key that a certificate certifies. Watch out! This returns NULL if the cert's key is not RSA.

Definition at line 278 of file x509_openssl.c.

Referenced by tor_tls_verify().

◆ tor_tls_cert_is_valid()

int tor_tls_cert_is_valid ( int  severity,
const tor_x509_cert_t *  cert,
const tor_x509_cert_t *  signing_cert,
time_t  now,
int  check_rsa_1024 

Check whether cert is well-formed, currently live, and correctly signed by the public key in signing_cert. If check_rsa_1024, make sure that it has an RSA key with 1024 bits; otherwise, just check that the key is long enough. Return 1 if the cert is good, and 0 if it's bad or we couldn't check it.

Definition at line 301 of file x509_openssl.c.

Referenced by tor_tls_verify().

◆ tor_x509_cert_decode()

tor_x509_cert_t* tor_x509_cert_decode ( const uint8_t *  certificate,
size_t  certificate_len 

Read a DER-encoded X509 cert, of length exactly certificate_len, from a certificate. Return a newly allocated tor_x509_cert_t on success and NULL on failure.

Definition at line 238 of file x509_openssl.c.

References tor_assert().

◆ tor_x509_cert_get_der()

void tor_x509_cert_get_der ( const tor_x509_cert_t *  cert,
const uint8_t **  encoded_out,
size_t *  size_out 

Set *encoded_out and *size_out to cert's encoded DER representation and length, respectively.

Definition at line 224 of file x509_openssl.c.

References tor_assert().

Referenced by add_x509_cert().

◆ tor_x509_cert_set_cached_der_encoding()

int tor_x509_cert_set_cached_der_encoding ( tor_x509_cert_t *  cert)

Set the 'encoded' and 'encoded_len' fields of "cert" from cert->cert.

Definition at line 190 of file x509_openssl.c.

◆ tor_x509_check_cert_lifetime_internal()

int tor_x509_check_cert_lifetime_internal ( int  severity,
const X509 *  cert,
time_t  now,
int  past_tolerance,
int  future_tolerance 

Helper: check whether cert is expired give or take past_tolerance seconds, or not-yet-valid give or take future_tolerance seconds. (Relative to the current time now.) If it is live, return 0. If it is not live, log a message and return -1.

Definition at line 428 of file x509_openssl.c.

◆ tor_x509_name_new()

static X509_NAME* tor_x509_name_new ( const char *  cname)

Return a newly allocated X509 name with commonName cname.

Definition at line 71 of file x509_openssl.c.