[rs-commit] r329 - in /mod_csr/trunk: ChangeLog mod_csr.c
Sun Mar 1 14:58:21 CET 2020
Author: minfrin at redwax.eu
Date: Sun Mar 1 14:58:19 2020
New Revision: 329
Log:
Add a temporary signature to the certificate sign request that is
passed for signing.
Modified:
mod_csr/trunk/ChangeLog
mod_csr/trunk/mod_csr.c
Modified: mod_csr/trunk/ChangeLog
==============================================================================
--- mod_csr/trunk/ChangeLog (original)
+++ mod_csr/trunk/ChangeLog Sun Mar 1 14:58:19 2020
@@ -1,5 +1,8 @@
Changes with v0.2.4
+
+ *) Add a temporary signature to the certificate sign request that is
+ passed for signing. [Graham Leggett]
*) Don't try and free an algorithm if unset. [Graham Leggett]
Modified: mod_csr/trunk/mod_csr.c
==============================================================================
--- mod_csr/trunk/mod_csr.c (original)
+++ mod_csr/trunk/mod_csr.c Sun Mar 1 14:58:19 2020
@@ -55,9 +55,10 @@
#define DEFAULT_FRESHNESS 2
#define DEFAULT_FRESHNESS_MAX 3600*24
-#include "openssl_setter_compat.h"
-
module AP_MODULE_DECLARE_DATA csr_module;
+
+EVP_PKEY *pknull;
+const EVP_MD *mdnull;
typedef struct
{
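Review bot: `pknull` and `mdnull` are declared with external linkage, so the module exports two mutable globals that every other translation unit (and any other loaded module) can reach and reassign; the diff shows them used only inside mod_csr.c, so they should be `static EVP_PKEY *pknull;` and `static const EVP_MD *mdnull;`. A short comment above them stating that this is a throwaway key whose signatures carry no proof of possession would help the next reader, since the name alone does not say why a "null" key exists. The `typedef struct` that begins on the last hunk line continues outside the hunk.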
@@ -907,14 +908,11 @@
}
X509_REQ_set_pubkey(creq, pktmp);
+ /* sign the X509_REQ with a dummy signature to work around serialisation bugs in openssl */
+ X509_REQ_sign(creq, pknull, mdnull);
+
/* duplicate the signature algorithm */
-#if HAVE_X509_REQ_GET0_SIGNATURE && HAVE_X509_REQ_SET1_SIGNATURE
- const X509_ALGOR *psigalg;
- X509_REQ_get0_signature(req, NULL, &psigalg);
- X509_REQ_set1_signature(creq, X509_ALGOR_dup((X509_ALGOR*)psigalg));
-#else
- creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
-#endif
+ // creq->sig_alg = X509_ALGOR_dup(req->sig_alg);
/* extract the param_challenge, if present */
idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
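Review bot: The return value of `X509_REQ_sign(creq, pknull, mdnull)` is not checked; it returns 0 on failure, after which `creq` carries no usable signature and the code continues as if it did, so the call should be `if (!X509_REQ_sign(creq, pknull, mdnull)) { /* log via the function's existing error path and bail out */ }` (the enclosing function starts and ends outside the hunk, so the exact error style is not visible here). The comment should also say what the signature is not: it is produced with a throwaway RSA key, so it does not prove possession of the public key just set with `X509_REQ_set_pubkey()`, and whatever consumes `creq` downstream must not treat a successful `X509_REQ_verify()` as evidence that the requester holds that key — something like `/* placeholder signature from a throwaway key: it does NOT attest possession of the pubkey above; the signer must not rely on it */`. Note too that the previous code copied the original request's signature algorithm into `creq`, whereas the new CSR is now always signed with sha256WithRSA regardless of what the client used; if anything downstream compared the two algorithms this is a behaviour change worth confirming. The commented-out `// creq->sig_alg = X509_ALGOR_dup(req->sig_alg);` line should be deleted rather than left in place, since the history is in version control.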
@@ -1090,7 +1088,10 @@
static apr_status_t csr_cleanup(void *data)
{
- ERR_free_strings();
+ EVP_PKEY_free(pknull);
+ pknull = NULL;
+
+ ERR_free_strings();
EVP_cleanup();
return APR_SUCCESS;
}
@@ -1098,10 +1099,40 @@
static int csr_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
{
+ EVP_PKEY_CTX *ctx;
+ int rv;
+
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
apr_pool_cleanup_register(pconf, NULL, csr_cleanup, apr_pool_cleanup_null);
+
+ /* create a once off null key for signing X509_REQ structures where a key is not available */
+ ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+ if (!ctx) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_CTX_new_id() returned a NULL context, aborting");
+ return DONE;
+ }
+ if ((rv = EVP_PKEY_keygen_init(ctx)) <= 0) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_keygen_init() returned %d, aborting", rv);
+ return DONE;
+ }
+ if ((rv = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)) <= 0) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_CTX_set_rsa_keygen_bits() returned %d, aborting", rv);
+ return DONE;
+ }
+
+ /* Generate key */
+ if ((rv = EVP_PKEY_keygen(ctx, &pknull)) <= 0) {
+ ap_log_error(APLOG_MARK,APLOG_CRIT, 0, NULL,
+ "EVP_PKEY_keygen() returned %d, aborting", rv);
+ return DONE;
+ }
+
+ mdnull = EVP_sha256();
return APR_SUCCESS;
}
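Review bot: `ctx` from `EVP_PKEY_CTX_new_id()` is never released — every `return DONE` after it is created leaks it, and so does the success path, since there is no `EVP_PKEY_CTX_free(ctx)` anywhere in the function. A single exit label fixes all four paths without touching the logging, as sketched below. Separately, a pre_config hook runs on each configuration pass, so a 2048-bit RSA key is generated on every startup and restart purely to produce a placeholder signature; whether that cost matters here I cannot tell from the hunk, but the comment on the key should at least say it is regenerated per (re)start and is not a persistent identity.
```c
    int status = DONE;

    /* … unchanged: OpenSSL_add_all_algorithms(), ERR_load_crypto_strings(), cleanup registration … */

    ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
    if (!ctx) {
        /* … unchanged: ap_log_error … */
        return DONE;
    }
    if ((rv = EVP_PKEY_keygen_init(ctx)) <= 0) {
        /* … unchanged: ap_log_error … */
        goto out;
    }
    if ((rv = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)) <= 0) {
        /* … unchanged: ap_log_error … */
        goto out;
    }
    if ((rv = EVP_PKEY_keygen(ctx, &pknull)) <= 0) {
        /* … unchanged: ap_log_error … */
        goto out;
    }

    mdnull = EVP_sha256();
    status = APR_SUCCESS;
out:
    EVP_PKEY_CTX_free(ctx);
    return status;
```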