[rs-commit] r284 - in /mod_scep/trunk: ChangeLog mod_scep.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Sat Feb 15 22:47:20 CET 2020
Author: minfrin at redwax.eu
Date: Sat Feb 15 22:47:19 2020
New Revision: 284
Log:
Add a temporary signature to the certificate sign request that is
passed for signing.
Modified:
mod_scep/trunk/ChangeLog
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog (original)
+++ mod_scep/trunk/ChangeLog Sat Feb 15 22:47:19 2020
@@ -1,7 +1,8 @@
Changes with v0.2.4
- *) Don't try and free an algorithm if unset. [Graham Leggett]
+ *) Add a temporary signature to the certificate sign request that is
+ passed for signing. [Graham Leggett]
*) Change the order of processing PKIOPeration requests so that PKCS7
POST bodies are parsed first before interpreting a message parameter.
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Sat Feb 15 22:47:19 2020
@@ -69,6 +69,9 @@
module AP_MODULE_DECLARE_DATA scep_module;
+
+EVP_PKEY *pknull;
+const EVP_MD *mdnull;
typedef struct
{
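Review bot: `pknull` and `mdnull` are added with external linkage, but nothing in the diff references them from another translation unit; declare them `static EVP_PKEY *pknull;` and `static const EVP_MD *mdnull;` so these generic names cannot collide with symbols of other modules loaded into the same httpd process. The names also read as if they denote a null key, whereas the later hunk in scep_pre_config generates a real 2048-bit RSA key into `pknull`; a comment at the definitions such as `/* throwaway RSA key and digest, generated in scep_pre_config, used only to put a placeholder signature on X509_REQ structures when no real key is available */` would save the next reader a search. The `typedef struct` that starts at the end of this hunk continues outside it.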
@@ -2012,14 +2015,11 @@
}
X509_REQ_set_pubkey(creq, pktmp);
+ /* sign the X509_REQ with a dummy signature to work around serialisation bugs in openssl */
+ X509_REQ_sign(creq, pknull, mdnull);
+
/* duplicate the signature algorithm */
-#if HAVE_X509_REQ_GET0_SIGNATURE && HAVE_X509_REQ_SET1_SIGNATURE
- const X509_ALGOR *psigalg;
- X509_REQ_get0_signature(req, NULL, &psigalg);
- X509_REQ_set1_signature(creq, X509_ALGOR_dup((X509_ALGOR*)psigalg));
-#else
- creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
-#endif
+ // creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
/* handle the challenge */
idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
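Review bot: The result of `X509_REQ_sign(creq, pknull, mdnull)` is discarded; it returns 0 on failure (for instance if `pknull` was never populated), after which `creq` is handed on without a signature, so the call should be checked the way the surrounding error paths are, e.g. `if (!X509_REQ_sign(creq, pknull, mdnull)) { /* log and fail like the other error paths in this function */ }`. Because the signature is now made with a server-side throwaway key, `creq` no longer carries the requester's proof of possession, and any later `X509_REQ_verify()` on `creq` would succeed against `pknull` rather than the client's key; the comment on the call should say so, e.g. `/* placeholder signature with a throwaway key, present only so OpenSSL serialises the request correctly; it proves nothing about the requester, proof of possession must be checked on req */`, and I would confirm that the original `req` signature is verified earlier in this function, which starts and ends outside the hunk. The commented-out `// creq->sig_alg = X509_ALGOR_dup(req->sig_alg);` should be removed rather than left behind, since the signature algorithm is now set by the signing call itself.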
@@ -2927,6 +2927,9 @@
static apr_status_t scep_cleanup(void *data)
{
+ EVP_PKEY_free(pknull);
+ pknull = NULL;
+
ERR_free_strings();
EVP_cleanup();
return APR_SUCCESS;
@@ -2935,6 +2938,9 @@
static int scep_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
{
+ EVP_PKEY_CTX *ctx;
+ int rv;
+
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
@@ -2948,6 +2954,33 @@
scep_oid_def[i].name1, scep_oid_def[i].name2);
}
}
+
+ /* create a once off null key for signing X509_REQ structures where a key is not available */
+ ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+ if (!ctx) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_CTX_new_id() returned a NULL context, aborting");
+ return DONE;
+ }
+ if ((rv = EVP_PKEY_keygen_init(ctx)) <= 0) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_keygen_init() returned %d, aborting", rv);
+ return DONE;
+ }
+ if ((rv = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)) <= 0) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_CTX_set_rsa_keygen_bits() returned %d, aborting", rv);
+ return DONE;
+ }
+
+ /* Generate key */
+ if ((rv = EVP_PKEY_keygen(ctx, &pknull)) <= 0) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_keygen() returned %d, aborting", rv);
+ return DONE;
+ }
+
+ mdnull = EVP_sha256();
return APR_SUCCESS;
}
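Review bot: The `EVP_PKEY_CTX` created by `EVP_PKEY_CTX_new_id()` is never freed, neither on the three `return DONE;` error paths nor after `EVP_PKEY_keygen()` succeeds, so the context leaks on every pass through scep_pre_config (the `ctx` and `rv` locals come from the preceding hunk of the same function). Funnelling the three checks into a single exit that calls `EVP_PKEY_CTX_free(ctx)` before deciding the return value fixes this without changing the logging. I would also free any existing `pknull` before regenerating it: pre_config runs on every configuration load, and unless scep_cleanup is registered on the config pool (not visible here) the previous key leaks when a new one is written over it; `EVP_PKEY_free(NULL)` is a no-op, so the extra call is harmless on the first pass. `mdnull = EVP_sha256()` needs no matching free, which the cleanup hunk gets right.
```c
    /* create a once off null key for signing X509_REQ structures where a key is not available */
    ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
    if (!ctx) {
        /* … unchanged: ap_log_error() for the NULL context … */
        return DONE;
    }
    if ((rv = EVP_PKEY_keygen_init(ctx)) <= 0) {
        /* … unchanged: ap_log_error() for EVP_PKEY_keygen_init() … */
    }
    else if ((rv = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)) <= 0) {
        /* … unchanged: ap_log_error() for EVP_PKEY_CTX_set_rsa_keygen_bits() … */
    }
    else {
        /* pre_config may run more than once; do not leak a previously generated key */
        EVP_PKEY_free(pknull);
        pknull = NULL;
        if ((rv = EVP_PKEY_keygen(ctx, &pknull)) <= 0) {
            /* … unchanged: ap_log_error() for EVP_PKEY_keygen() … */
        }
    }
    /* the context is only needed for key generation; release it on every path */
    EVP_PKEY_CTX_free(ctx);
    if (rv <= 0) {
        return DONE;
    }

    mdnull = EVP_sha256();
    return APR_SUCCESS;
```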