[rs-commit] r284 - in /mod_scep/trunk: ChangeLog mod_scep.c

Sat Feb 15 22:47:20 CET 2020


Author: minfrin at redwax.eu
Date: Sat Feb 15 22:47:19 2020
New Revision: 284

Log:
Add a temporary signature to the certificate sign request that is
passed for signing.

Modified:
    mod_scep/trunk/ChangeLog
    mod_scep/trunk/mod_scep.c

Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog	(original)
+++ mod_scep/trunk/ChangeLog	Sat Feb 15 22:47:19 2020
@@ -1,7 +1,8 @@
 
 Changes with v0.2.4
 
- *) Don't try and free an algorithm if unset. [Graham Leggett]
+ *) Add a temporary signature to the certificate sign request that is
+    passed for signing. [Graham Leggett]
 
  *) Change the order of processing PKIOPeration requests so that PKCS7
     POST bodies are parsed first before interpreting a message parameter.

Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c	(original)
+++ mod_scep/trunk/mod_scep.c	Sat Feb 15 22:47:19 2020
@@ -69,6 +69,9 @@
 
 
 module AP_MODULE_DECLARE_DATA scep_module;
+
+EVP_PKEY *pknull;
+const EVP_MD *mdnull;
 
 typedef struct
 {
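Review bot: The two new file-scope objects on the added lines have external linkage although nothing outside this translation unit needs them; they should be `static EVP_PKEY *pknull;` and `static const EVP_MD *mdnull;` so they neither pollute the global symbol table nor collide with another module's symbol of the same name. A one-line comment on them would also help a later reader, e.g. `/* throwaway RSA key and digest used only to give outgoing X509_REQs a well-formed signature; not a credential */`, since the names alone do not say that the key is never meant to prove anything.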
@@ -2012,14 +2015,11 @@
     }
     X509_REQ_set_pubkey(creq, pktmp);
 
+    /* sign the X509_REQ with a dummy signature to work around serialisation bugs in openssl */
+    X509_REQ_sign(creq, pknull, mdnull);
+
     /* duplicate the signature algorithm */
-#if HAVE_X509_REQ_GET0_SIGNATURE && HAVE_X509_REQ_SET1_SIGNATURE
-    const X509_ALGOR *psigalg;
-    X509_REQ_get0_signature(req, NULL, &psigalg);
-    X509_REQ_set1_signature(creq, X509_ALGOR_dup((X509_ALGOR*)psigalg));
-#else
-    creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
-#endif
+    // creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
 
     /* handle the challenge */
     idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
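Review bot: The return value of `X509_REQ_sign(creq, pknull, mdnull)` on the added line is ignored; it returns 0 on failure, in which case creq is handed on unsigned and the serialisation problem the comment describes comes back without any log line to explain it. At minimum it should be `if (!X509_REQ_sign(creq, pknull, mdnull)) { /* log the OpenSSL error and fail the request as this function does elsewhere */ }`, with the exact error return matching the convention of the enclosing function, which starts and ends outside this hunk. The comment should also say what the signature is not: something like `/* this signature is made with a throwaway key and is NOT proof of possession of the subject's key; nothing downstream may verify creq's signature to establish that */`, because a reader seeing a signed X509_REQ will otherwise assume it carries the requester's proof. Note too that the removed `#if` block copied the original request's signature algorithm into creq, while the new code always leaves it as the algorithm chosen by pknull/mdnull; if the signing backend inspects the requested algorithm that information is now lost, and the commented-out `// creq->sig_alg = ...` line should either be restored as real code or deleted rather than left as dead text.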
@@ -2927,6 +2927,9 @@
 
 static apr_status_t scep_cleanup(void *data)
 {
+    EVP_PKEY_free(pknull);
+    pknull = NULL;
+
     ERR_free_strings();
     EVP_cleanup();
     return APR_SUCCESS;
@@ -2935,6 +2938,9 @@
 static int scep_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
         apr_pool_t *ptemp)
 {
+    EVP_PKEY_CTX *ctx;
+    int rv;
+
     OpenSSL_add_all_algorithms();
     ERR_load_crypto_strings();
 
@@ -2948,6 +2954,33 @@
                     scep_oid_def[i].name1, scep_oid_def[i].name2);
         }
     }
+
+    /* create a once off null key for signing X509_REQ structures where a key is not available */
+    ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+    if (!ctx) {
+        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+                     "EVP_PKEY_CTX_new_id() returned a NULL context, aborting");
+        return DONE;
+    }
+    if ((rv = EVP_PKEY_keygen_init(ctx)) <= 0) {
+        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+                     "EVP_PKEY_keygen_init() returned %d, aborting", rv);
+        return DONE;
+    }
+    if ((rv = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)) <= 0) {
+        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+                     "EVP_PKEY_CTX_set_rsa_keygen_bits() returned %d, aborting", rv);
+        return DONE;
+    }
+
+    /* Generate key */
+    if ((rv = EVP_PKEY_keygen(ctx, &pknull)) <= 0) {
+        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+                     "EVP_PKEY_keygen() returned %d, aborting", rv);
+        return DONE;
+    }
+
+    mdnull = EVP_sha256();
 
     return APR_SUCCESS;
 }
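Review bot: The `EVP_PKEY_CTX` created on the added `EVP_PKEY_CTX_new_id()` line is never released, on the success path or on any of the three error returns, so every pass through scep_pre_config leaks it. The same function also assigns `pknull` without freeing a previous value; if pre_config runs more than once in the process, which httpd does across a restart, the earlier 2048-bit key is overwritten and leaked as well. Both are fixed with a single cleanup path, freeing any prior key before generating the new one and freeing the context on every exit; the declaration hunk at `@@ -2935,6 +2938,9 @@` is unaffected.
```c
    /* … unchanged: OID registration loop … */

    /* create a once off null key for signing X509_REQ structures where a key is not available */
    ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
    if (!ctx) {
        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
                     "EVP_PKEY_CTX_new_id() returned a NULL context, aborting");
        return DONE;
    }
    if ((rv = EVP_PKEY_keygen_init(ctx)) <= 0) {
        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
                     "EVP_PKEY_keygen_init() returned %d, aborting", rv);
        goto fail;
    }
    if ((rv = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)) <= 0) {
        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
                     "EVP_PKEY_CTX_set_rsa_keygen_bits() returned %d, aborting", rv);
        goto fail;
    }

    /* Generate key, releasing any key left over from an earlier pre_config pass */
    EVP_PKEY_free(pknull);
    pknull = NULL;
    if ((rv = EVP_PKEY_keygen(ctx, &pknull)) <= 0) {
        ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
                     "EVP_PKEY_keygen() returned %d, aborting", rv);
        goto fail;
    }
    EVP_PKEY_CTX_free(ctx);

    mdnull = EVP_sha256();

    return APR_SUCCESS;

fail:
    EVP_PKEY_CTX_free(ctx);
    return DONE;
}
```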


