Early SSL Certificates creation work done

Yaip is now able to generate simple SSL certificates for a given host. I don't currently add any extensions to the certificates (such as alternative names). When I get to testing it with a browser I'll see what browsers require. However, I think I'll probably generate certificates for each host, including sub domains, to make life easier searching. I've also added a util function to count lines in a file that was used for testing some of the ssl functions.
3 years ago · 1beca38af6
parent bb62ed3b1f
commit 1beca38af6
9 changed files with 375 additions and 30 deletions
--- a/src/main.c
+++ b/src/main.c
@ -68,6 +68,7 @@ int startListener(unsigned int port){
 int main(int argc, char**argv){
 	Config *config = configDefaults();
 	int listener;
 	CertList *certs = NULL;
 	for ( unsigned int i = 1; i < argc; i++ ){
@ -150,7 +151,7 @@ int main(int argc, char**argv){
 			// necesarily the hosts header
 			webserverRequest(request, client);
 		} else {
-			proxyRequest(request, client);
+			proxyRequest(request, client, certs);
 		}
 		close(client);
--- a/src/proxy.c
+++ b/src/proxy.c
@ -38,7 +38,7 @@ Response *upstreamGetResponse(Request *request){
 }
-void proxyRequest(Request *request, int client){
+void proxyRequest(Request *request, int client, CertList *certs){
 	if ( strcmp( request->method, "CONNECT" ) == 0 ){
 		// If it is a connect request, we are dealing with https
--- a/src/proxy.h
+++ b/src/proxy.h
@ -14,9 +14,10 @@
 #include "request.h"
 #include "response.h"
 #include "webserver.h"
 #include "ssl.h"
 Response *upstreamGetResponse(Request *request);
-void proxyRequest(Request *request, int client);
+void proxyRequest(Request *request, int client, CertList *certs);
 #endif /* ifndef PROXY_H */
--- a/src/ssl.c
+++ b/src/ssl.c
@ -1,6 +1,7 @@
 #include "ssl.h"
 SSL_CTX* InitServerCTX(Config *config) {
 	const SSL_METHOD *method;
 	SSL_CTX *ctx;
@ -25,11 +26,10 @@ SSL_CTX* InitServerCTX(Config *config) {
 		abort();
 	}
 	//verify private key
-    if ( !SSL_CTX_check_private_key(ctx) )
+    if ( !SSL_CTX_check_private_key(ctx) ) {
-    {
+		fprintf(stderr, "Private key does not match the public certificate\n");
-        fprintf(stderr, "Private key does not match the public certificate\n");
+		abort();
-        abort();
+	}
    }
 	return ctx;
 }
@ -71,7 +71,7 @@ X509* generate_ca_cert(EVP_PKEY * pkey) {
 		return NULL;
 	}
-	// Set the serial number.
+	
 	ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 	// This certificate is valid from now until exactly one year from now.
@ -87,7 +87,10 @@ X509* generate_ca_cert(EVP_PKEY * pkey) {
 	// Set the country code and common name.
 	X509_NAME_add_entry_by_txt(name, "C",  MBSTRING_ASC, (unsigned char *)"UK",        -1, -1, 0);
 	X509_NAME_add_entry_by_txt(name, "O",  MBSTRING_ASC, (unsigned char *)"Yet Another Intercepting Proxy", -1, -1, 0);
-	X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"jn.hn", -1, -1, 0);
+	//I want this to be a fake domain because CAs can't sign certificates with
 	//the same domain. I thought about using jn.hn but I want to test using
 	//that.
 	X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"yaip.yaip", -1, -1, 0);
 	// Now set the issuer name.
 	X509_set_issuer_name(x509, name);
@ -98,8 +101,7 @@ X509* generate_ca_cert(EVP_PKEY * pkey) {
 	// Actually sign the certificate with our key.
-	if(!X509_sign(x509, pkey, EVP_sha1()))
+	if(!X509_sign(x509, pkey, EVP_sha1())) {
 	{
 		perror( "Error signing certificate.\n");
 		X509_free(x509);
 		return NULL;
@ -110,6 +112,46 @@ X509* generate_ca_cert(EVP_PKEY * pkey) {
 	return x509;
 }
 X509* generate_site_cert( EVP_PKEY *pkey, X509 *caCert, char *host ){
 	X509 *hostCert = X509_new();
 	if(!hostCert) {
 		perror( "Unable to create X509 structure.\n");
 		return NULL;
 	}
 	ASN1_INTEGER_set(X509_get_serialNumber(hostCert), 1);
 	// This certificate is valid from now until exactly one year from now.
 	X509_gmtime_adj(X509_get_notBefore(hostCert), 0);
 	X509_gmtime_adj(X509_get_notAfter(hostCert), 31536000L);
 	// Set the public key for our certificate.
 	X509_set_pubkey(hostCert, pkey);
 	// We want to copy the subject name of the ca to the issuer of the new
 	// certificate
 	X509_NAME *ca_sn = X509_get_subject_name(caCert);
 	X509_NAME *host_in = X509_NAME_dup( ca_sn );
 	X509_set_issuer_name(hostCert, host_in);
 	X509_NAME *host_sn = X509_get_subject_name(hostCert);
 	// Set the country code and common name.
 	X509_NAME_add_entry_by_txt(host_sn, "C",  MBSTRING_ASC, (unsigned char *)"UK",        -1, -1, 0);
 	X509_NAME_add_entry_by_txt(host_sn, "O",  MBSTRING_ASC, (unsigned char *)"Yet Another Intercepting Proxy", -1, -1, 0);
 	X509_NAME_add_entry_by_txt(host_sn, "CN", MBSTRING_ASC, (unsigned char *)strdup(host), -1, -1, 0);
 	if(!X509_sign(hostCert, pkey, EVP_sha1())) {
 		perror( "Error signing certificate.\n");
 		X509_free(hostCert);
 		return NULL;
 	}
 	return hostCert;
 }
 bool create_and_save_key(char keyfile[]) {
 	// Generate the key
 	EVP_PKEY *pkey = generate_ca_key();
@ -135,24 +177,6 @@ bool create_and_save_key(char keyfile[]) {
 	return true;
 }
 EVP_PKEY* read_private_key(char keyfile[]){
 	FILE *fp;
 	EVP_PKEY *pkey;
 	if (! (fp = fopen(keyfile, "r"))){
 		perror("Error cant open certificate private key file.\n");
 		return NULL;
 	}
 	pkey = PEM_read_PrivateKey( fp, NULL, NULL, NULL );
 	if ( pkey == NULL ){
 		perror("Error cant read certificate private key file.\n");
 	}
 	return pkey;
 }
 bool create_and_save_cert(char certfile[], EVP_PKEY *pkey) {
    // Open the PEM file for writing the certificate to disk.
@ -178,3 +202,46 @@ bool create_and_save_cert(char certfile[], EVP_PKEY *pkey) {
    }
 	return true;
 }
 EVP_PKEY* read_private_key(char keyfile[]){
 	FILE *fp;
 	EVP_PKEY *pkey;
 	if (! (fp = fopen(keyfile, "r"))){
 		perror("Error cant open certificate private key file.\n");
 		return NULL;
 	}
 	pkey = PEM_read_PrivateKey( fp, NULL, NULL, NULL );
 	if ( pkey == NULL ){
 		perror("Error cant read certificate private key file.\n");
 	}
 	return pkey;
 }
 CertList *newCertListItem(char *host, EVP_PKEY *key, X509 *cert){
 	CertList *item = malloc(sizeof( CertList ));
 	item->host = host;
 	item->key = key;
 	item->cert = cert;
 	item->next = NULL;
 	return item;
 }
 CertList *getLastCertListItem(CertList *item){
 	if ( item == NULL ) return NULL;
 	while ( item->next != NULL ) item=item->next;
 	return item;
 }
 unsigned int countCertListItems(CertList *item){
 	unsigned int count = 0;
 	while ( item != NULL ){
 		count++;
 		item = item->next;
 	}
 	return count;
 }
--- a/src/ssl.h
+++ b/src/ssl.h
@ -1,19 +1,35 @@
 #ifndef SSL_H
 #define SSL_H
 #include <openssl/ossl_typ.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <stdlib.h>
 #include "config.h"
 typedef struct CertList CertList;
 struct CertList {
 	char *host;
 	EVP_PKEY *key;
 	X509 *cert;
 	CertList *next;
 };
 SSL_CTX* InitServerCTX(Config *config);
 EVP_PKEY* generate_ca_key();
 X509* generate_ca_cert(EVP_PKEY * pkey);
 X509* generate_site_cert( EVP_PKEY *pkey, X509 *caCert, char *host );
 bool create_and_save_key(char keyfile[]);
 bool create_and_save_cert(char keyfile[], EVP_PKEY *pkey);
 EVP_PKEY* read_private_key(char keyfile[]);
 CertList *newCertListItem(char *host, EVP_PKEY *key, X509 *cert);
 CertList *getLastCertListItem(CertList *item);
 unsigned int countCertListItems(CertList *item);
 CertList *findCertListItem( CertList *first, char *hostname );
 #endif /* ifndef SSL_ */
--- a/src/util.c
+++ b/src/util.c
@ -5,3 +5,22 @@ int strpos(char *haystack, char *needle) {
 	if ( p != NULL ) return p - haystack;
 	return -1;
 }
 int countLines(char fileName[]){
 	FILE *fp;
 	char ch;
 	int linesCount = 0;
 	fp=fopen(fileName,"r");
 	if(fp==NULL) {
 		printf("File \"%s\" does not exist!!!\n",fileName);
 		return -1;
 	}
 	//read character by character and check for new line
 	while((ch=fgetc(fp))!=EOF) {
 		if(ch=='\n')
 		linesCount++;
 	}
 	//close the file
 	fclose(fp);
 	return linesCount;
 }
--- a/src/util.h
+++ b/src/util.h
@ -5,5 +5,6 @@
 #include <string.h>
 int strpos(char *haystack, char *needle);
 int countLines(char fileName[]);
 #endif
--- a/tests/ssl.test.c
+++ b/tests/ssl.test.c
@ -0,0 +1,206 @@
 #ifndef SSL_TEST
 #define SSL_TEST
 #include "munit/munit.h"
 #include "../src/ssl.h"
 #include "../src/util.h"
 MunitResult testNewRsaKeySave(const MunitParameter params[],
 		void* user_data_or_fixture){
 	char keyFile[] = "/tmp/yaip-test-keyfile";
 	create_and_save_key( keyFile );
 	//TODO: make better tests.
 	// For now checking there is at least 3 lines seems ok
 	munit_assert_int( 3, <, countLines(keyFile) );
 	remove(keyFile);
 	return MUNIT_OK;
 }
 MunitResult testNewCACertificate(const MunitParameter params[],
 		void* user_data_or_fixture){
 	EVP_PKEY *key = generate_ca_key();
 	const char *nameEntry =munit_parameters_get(params, "Name Entry" );
 	X509 *x509 = generate_ca_cert(key);
 	munit_assert_not_null( x509 );
 	X509_NAME *name = X509_get_subject_name(x509);
 	munit_assert_not_null( name );
 	char buff[200] = {'\0'};
 	if ( strcmp( nameEntry, "C" ) == 0 ){
 		X509_NAME_get_text_by_NID( name, NID_countryName, buff, 200 );
 		munit_assert_string_equal( buff, "UK");
 	} else if ( strcmp( nameEntry, "O" ) == 0 ){
 		X509_NAME_get_text_by_NID( name, NID_organizationName, buff, 200 );
 		munit_assert_string_equal( buff, "Yet Another Intercepting Proxy");
 	} else if ( strcmp( nameEntry, "CN" ) == 0 ){
 		X509_NAME_get_text_by_NID( name, NID_commonName, buff, 200 );
 		munit_assert_string_equal( buff, "yaip.yaip");
 	}
 	return MUNIT_OK;
 }
 MunitResult testNewCertificateSave(const MunitParameter params[],
 		void* user_data_or_fixture){
 	char certFile[] = "/tmp/yaip-test-certfile";
 	EVP_PKEY *key = generate_ca_key();
 	create_and_save_cert( certFile, key );
 	//TODO: make better tests.
 	// For now checking there is at least 3 lines seems ok
 	munit_assert_int( 3, <, countLines(certFile) );
 	remove( certFile );
 	return MUNIT_OK;
 }
 MunitResult testCerlistCount(const MunitParameter params[],
 		void* user_data_or_fixture){
 	CertList *head = NULL;
 	CertList *last = head;
 	unsigned int count = atoi(munit_parameters_get(params, "Count" ));
 	for ( unsigned int i = 0; i < count; i++ ){
 		CertList *newItem = malloc(sizeof( CertList ));
 		newItem->next = NULL;
 		if ( head == NULL ){
 			head = newItem;
 			last = newItem;
 		} else {
 			last->next = newItem;
 			last = last->next;
 		}
 	}
 	munit_assert_int( countCertListItems(head), ==, count );
 	return MUNIT_OK;
 }
 MunitResult testCerlistLast(const MunitParameter params[],
 		void* user_data_or_fixture){
 	const char *countstr = munit_parameters_get(params, "Count" );
 	//const char *countstr = "2";
 	const unsigned int count = atoi(countstr);
 	CertList *head = NULL;
 	CertList *last = head;
 	for ( unsigned int i = 0; i < count; i++ ){
 		CertList *newItem = malloc(sizeof( CertList ));
 		char str[5] = {'\0'};
 		sprintf(str, "%d", i+1);
 		newItem->next = NULL;
 		newItem->host = strdup(str);
 		if ( head == NULL ){
 			head = newItem;
 			last = newItem;
 		} else {
 			last->next = newItem;
 			last = last->next;
 		}
 	}
 	CertList *lastCert = getLastCertListItem(head);
 	if ( count == 0 ){
 		munit_assert_null( lastCert );
 	} else {
 		munit_assert_int( countCertListItems(head), ==, count );
 		munit_assert_string_equal( countstr, lastCert->host );
 	}
 	return MUNIT_OK;
 }
 MunitResult testNewHostCertificate(const MunitParameter params[],
 		void* user_data_or_fixture){
 	EVP_PKEY *key = generate_ca_key();
 	X509 *x509 = generate_ca_cert(key);
 	X509 *siteCert = generate_site_cert( key, x509, "example.com" );
 	const char *nameType = munit_parameters_get(params, "Name" );
 	X509_NAME *name;
 	char buff[200] = {'\0'};
 	if ( strcmp( nameType, "subject" ) ){
 		name = X509_get_subject_name(siteCert);
 		X509_NAME_get_text_by_NID( name, NID_commonName, buff, 200 );
 		munit_assert_string_equal( buff, "example.com" );
 	} else if ( strcmp( nameType, "issuer" ) ){
 		name = X509_get_issuer_name(siteCert);
 		X509_NAME_get_text_by_NID( name, NID_commonName, buff, 200 );
 		munit_assert_string_equal( buff, "yaip.yaip" );
 	} else {
 		return MUNIT_ERROR;
 	}
 	//FILE * pkey_file = fopen("examplecert.pem", "wb");
    //// Write the cert to disk.
 	//PEM_write_X509( pkey_file, siteCert );
    //fclose(pkey_file);
 	return MUNIT_OK;
 }
 static char* count_parameters[] = {
  "0", "1", "2", "10", "50", NULL
 };
 static char* x509_name_parameters[] = {
  "C", "O", "CN", NULL
 };
 static char* x509_issuer_subject_parameters[] = {
  "issuer", "subject", NULL
 };
 static MunitParameterEnum count_params[] = {
  { "Count", count_parameters },
  { NULL, NULL },
 };
 static MunitParameterEnum x509_name_params[] = {
  { "Name Entry", x509_name_parameters },
  { NULL, NULL },
 };
 static MunitParameterEnum x509_issuer_subject_params[] = {
  { "Name", x509_issuer_subject_parameters },
  { NULL, NULL },
 };
 static MunitTest ssl_tests[] = {
 	//   name        test                setup tear_down   options                 parameters
 	{ "/ca/rsa_key/save", testNewRsaKeySave,      NULL, NULL,       MUNIT_TEST_OPTION_NONE, NULL },
 	{ "/ca/cert/new",    testNewCACertificate, NULL, NULL,       MUNIT_TEST_OPTION_NONE, x509_name_params },
 	{ "/ca/cert/save",    testNewCertificateSave, NULL, NULL,       MUNIT_TEST_OPTION_NONE, NULL },
 	{ "/CertList/count",    testCerlistCount, NULL, NULL,       MUNIT_TEST_OPTION_NONE, count_params },
 	{ "/CertList/last",    testCerlistLast, NULL, NULL,       MUNIT_TEST_OPTION_NONE, count_params },
 	{ "/hostcert/new",    testNewHostCertificate, NULL, NULL,       MUNIT_TEST_OPTION_NONE, x509_issuer_subject_params },
 /* Mark the end of the array with an entry where the test
 * function is NULL */
 	{ NULL, NULL, NULL, NULL, MUNIT_TEST_OPTION_NONE, NULL }
 };
 MunitSuite ssl_test_suite = {
 	"/ssl", /* name */
 	ssl_tests, /* tests */
 	NULL, /* suites */
 	1, /* iterations */
 	MUNIT_SUITE_OPTION_NONE /* options */
 };
 #ifndef MAINTEST
 #define MAINTEST
 int main (int argc, char* argv[]) {
 	return munit_suite_main(&ssl_test_suite, NULL, argc, argv);
 }
 #endif /* ifndef MAINTEST */
 #endif
--- a/tests/util.test.c
+++ b/tests/util.test.c
@ -17,6 +17,33 @@ MunitResult testStrPos(const MunitParameter params[],
 	return MUNIT_OK;
 }
 MunitResult testCountLines(const MunitParameter params[],
 		void* user_data_or_fixture){
 	char filename[] = "/tmp/yaip-test-file";
 	FILE *fp = fopen(filename, "w");
 	if ( fp == NULL ){
 		printf("Cannot open file %s\n", filename);
 		return MUNIT_ERROR;
 	}
 	fprintf( fp, "test\n" );
 	fclose(fp);
 	munit_assert_int( 1, ==, countLines(filename) );
 	fp = fopen(filename, "w");
 	if ( fp == NULL ){
 		printf("Cannot open file %s\n", filename);
 		return MUNIT_ERROR;
 	}
 	fprintf( fp, "test2\ntest3\n" );
 	fclose(fp);
 	munit_assert_int( 2, ==, countLines(filename) );
 	remove(filename);
 	return MUNIT_OK;
 }
 static MunitTest util_tests[] = {
 	{
@ -26,6 +53,13 @@ static MunitTest util_tests[] = {
 		NULL, /* tear_down */
 		MUNIT_TEST_OPTION_NONE, /* options */
 		NULL /* parameters */
 	}, {
 		"/util/countLines", /* name */
 		testCountLines, /* test */
 		NULL, /* setup */
 		NULL, /* tear_down */
 		MUNIT_TEST_OPTION_NONE, /* options */
 		NULL /* parameters */
 	},
 /* Mark the end of the array with an entry where the test
 * function is NULL */