Diffstat (limited to 'src/components/security_manager/src/crypto_manager_impl.cc')
-rw-r--r-- | src/components/security_manager/src/crypto_manager_impl.cc | 63 |
1 files changed, 36 insertions, 27 deletions
diff --git a/src/components/security_manager/src/crypto_manager_impl.cc b/src/components/security_manager/src/crypto_manager_impl.cc
index f44198953b..6bee28a976 100644
--- a/src/components/security_manager/src/crypto_manager_impl.cc
+++ b/src/components/security_manager/src/crypto_manager_impl.cc
@@ -93,6 +93,7 @@ CryptoManagerImpl::CryptoManagerImpl(
 OpenSSL_add_all_algorithms();
 SSL_library_init();
 }
+ InitCertExpTime();
 }
 CryptoManagerImpl::~CryptoManagerImpl() {
@@ -295,41 +296,30 @@ const CryptoManagerSettings& CryptoManagerImpl::get_settings() const {
 }
 bool CryptoManagerImpl::set_certificate(const std::string& cert_data) {
+ LOG4CXX_AUTO_TRACE(logger_);
+
 if (cert_data.empty()) {
 LOG4CXX_WARN(logger_, "Empty certificate");
 return false;
 }
- BIO* bio = BIO_new(BIO_f_base64());
- BIO* bmem = BIO_new_mem_buf((char*)cert_data.c_str(), cert_data.length());
- bmem = BIO_push(bio, bmem);
-
- char* buf = new char[cert_data.length()];
- int len = BIO_read(bmem, buf, cert_data.length());
-
- BIO* bio_cert = BIO_new(BIO_s_mem());
- if (NULL == bio_cert) {
- LOG4CXX_WARN(logger_, "Unable to update certificate. BIO not created");
- return false;
- }
+ BIO* bio_cert =
+ BIO_new_mem_buf(const_cast<char*>(cert_data.c_str()), cert_data.length());
 utils::ScopeGuard bio_guard = utils::MakeGuard(BIO_free, bio_cert);
 UNUSED(bio_guard)
- int k = 0;
- if ((k = BIO_write(bio_cert, buf, len)) <= 0) {
- LOG4CXX_WARN(logger_, "Unable to write into BIO");
- return false;
- }
- PKCS12* p12 = d2i_PKCS12_bio(bio_cert, NULL);
- if (NULL == p12) {
- LOG4CXX_ERROR(logger_, "Unable to parse certificate");
- return false;
- }
+ X509* cert = NULL;
+ PEM_read_bio_X509(bio_cert, &cert, 0, 0);
 EVP_PKEY* pkey = NULL;
- X509* cert = NULL;
- PKCS12_parse(p12, NULL, &pkey, &cert, NULL);
+ if (1 == BIO_reset(bio_cert)) {
+ PEM_read_bio_PrivateKey(bio_cert, &pkey, 0, 0);
+ } else {
+ LOG4CXX_WARN(logger_,
+ "Unabled to reset BIO in order to read private key, "
+ << LastError());
+ }
 if (NULL == cert || NULL == pkey) {
 LOG4CXX_WARN(logger_, "Either certificate or key not valid.");
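Review bot: Both `PEM_read_bio_X509(bio_cert, &cert, 0, 0)` and `PEM_read_bio_PrivateKey(bio_cert, &pkey, 0, 0)` pass a null passphrase callback and null userdata, which makes OpenSSL fall back to its default callback that prompts on the controlling terminal; if the supplied `cert_data` ever carries an encrypted key, `set_certificate` blocks in a service context instead of failing. A `pem_password_cb` that returns 0 (OpenSSL treats a non-positive length as a bad passphrase) turns that into an immediate, logged failure, or the limitation should be documented. The return values of both PEM reads are discarded, so the existing `"Either certificate or key not valid."` branch cannot say why; appending `<< LastError()` there, as the other new messages in this commit do, makes the failure diagnosable. Minor: the new log string reads `"Unabled to reset BIO ..."`, presumably `Unable`. The function continues in the next hunk.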
@@ -337,20 +327,35 @@ bool CryptoManagerImpl::set_certificate(const std::string& cert_data) {
 }
 if (!SSL_CTX_use_certificate(context_, cert)) {
- LOG4CXX_WARN(logger_, "Could not use certificate");
+ LOG4CXX_WARN(logger_, "Could not use certificate: " << LastError());
 return false;
 }
 asn1_time_to_tm(X509_get_notAfter(cert));
 if (!SSL_CTX_use_PrivateKey(context_, pkey)) {
- LOG4CXX_ERROR(logger_, "Could not use key");
+ LOG4CXX_ERROR(logger_, "Could not use key: " << LastError());
 return false;
 }
+
 if (!SSL_CTX_check_private_key(context_)) {
- LOG4CXX_ERROR(logger_, "Could not use certificate ");
+ LOG4CXX_ERROR(logger_, "Could not use certificate: " << LastError());
 return false;
 }
+
+ X509_STORE* store = SSL_CTX_get_cert_store(context_);
+ if (store) {
+ X509* extra_cert = NULL;
+ while ((extra_cert = PEM_read_bio_X509(bio_cert, NULL, 0, 0))) {
+ if (extra_cert != cert) {
+ LOG4CXX_DEBUG(logger_,
+ "Added new certificate to store: " << extra_cert);
+ X509_STORE_add_cert(store, extra_cert);
+ }
+ }
+ }
+
+ LOG4CXX_DEBUG(logger_, "Certificate and key successfully updated");
 return true;
 }
@@ -397,4 +402,8 @@ void CryptoManagerImpl::asn1_time_to_tm(ASN1_TIME* time) {
 }
 }
+void CryptoManagerImpl::InitCertExpTime() {
+ strptime("1 Jan 1970 00:00:00", "%d %b %Y %H:%M:%S", &expiration_time_);
+}
+
 } // namespace security_manager |
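Review bot: `X509_STORE_add_cert(store, extra_cert)` installs every certificate that follows the private key in `cert_data` as a trust anchor for peer verification; if those certificates are the issuer chain of the local certificate, `SSL_CTX_add_extra_chain_cert(context_, extra_cert)` is the call that presents them in the handshake without trusting them (and takes ownership), and if they really are intended trust anchors that decision deserves a comment on the loop. The guard `extra_cert != cert` is always true because `PEM_read_bio_X509(bio_cert, NULL, 0, 0)` allocates a fresh object on every call, and since the BIO is not reset before the loop, a bundle that places the key before the certificate re-reads the leaf here and adds it to the store. `X509_STORE_add_cert` takes its own reference, so each `extra_cert` leaks without an `X509_free`, and its return value, which reports duplicates and allocation failures, is discarded; `cert` and `pkey` likewise keep the reference the PEM readers handed out after `SSL_CTX_use_certificate`/`SSL_CTX_use_PrivateKey` have taken theirs. The loop below keeps the store semantics while fixing the leak and the unchecked result; the start of `set_certificate` is in the previous hunk.
```cpp
  // … unchanged: SSL_CTX_use_certificate / SSL_CTX_use_PrivateKey / SSL_CTX_check_private_key …
  X509_STORE* store = SSL_CTX_get_cert_store(context_);
  if (store) {
    X509* extra_cert = NULL;
    while ((extra_cert = PEM_read_bio_X509(bio_cert, NULL, 0, 0))) {
      if (!X509_STORE_add_cert(store, extra_cert)) {
        LOG4CXX_WARN(logger_,
                     "Could not add certificate to store: " << LastError());
      }
      // The store holds its own reference; release the one PEM_read handed out.
      X509_free(extra_cert);
    }
  }
  // … unchanged: success log and return …
```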
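Review bot: `InitCertExpTime` sets a constant date through `strptime`, whose `%b` conversion is locale-dependent, so under a non-English `LC_TIME` the match on `Jan` can fail; `strptime` then returns NULL, the result is not checked, and `expiration_time_` keeps whatever it held (presumably a `struct tm`, as the argument suggests; confirm in the header). `strptime` also leaves the fields it does not parse (`tm_wday`, `tm_yday`, `tm_isdst`) unspecified. Setting the epoch directly is locale-independent and fills every field: `const time_t epoch = 0;` / `gmtime_r(&epoch, &expiration_time_);`. A one-line comment such as `// Default expiry before any certificate is set: the Unix epoch` would also record the intent.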