2023-07-12 17:54:16 +01:00
|
|
|
/**
|
|
|
|
* SPDX-FileCopyrightText: 2023 Albert Vaca <albertvaka@gmail.com>
|
2023-07-15 20:23:15 +01:00
|
|
|
* SPDX-FileCopyrightText: 2023 Edward Kigwana <ekigwana@gmail.com>
|
2023-07-12 17:54:16 +01:00
|
|
|
*
|
|
|
|
* SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "sslhelper.h"
|
2023-07-15 20:23:15 +01:00
|
|
|
#include "core_debug.h"
|
|
|
|
|
|
|
|
extern "C" {
|
2023-07-15 21:10:19 +01:00
|
|
|
#include <openssl/bn.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
#include <openssl/rsa.h>
|
|
|
|
#include <openssl/x509.h>
|
2023-07-15 20:23:15 +01:00
|
|
|
}
|
2023-07-12 17:54:16 +01:00
|
|
|
|
|
|
|
namespace SslHelper
|
|
|
|
{
|
|
|
|
|
2023-07-15 20:23:15 +01:00
|
|
|
QString getSslError()
|
|
|
|
{
|
|
|
|
char buf[256];
|
|
|
|
ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
|
|
|
|
return QString::fromLatin1(buf);
|
|
|
|
}
|
|
|
|
|
2023-07-12 18:27:05 +01:00
|
|
|
QSslKey generateRsaPrivateKey()
|
|
|
|
{
|
2023-07-15 20:26:39 +01:00
|
|
|
// Initialize context.
|
2023-07-15 21:10:19 +01:00
|
|
|
auto pctxRaw = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
|
|
|
|
auto pctx = std::unique_ptr<EVP_PKEY_CTX, decltype(&::EVP_PKEY_CTX_free)>(pctxRaw, ::EVP_PKEY_CTX_free);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!pctx) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed to allocate context " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (EVP_PKEY_keygen_init(pctx.get()) <= 0) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed to initialize context " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set key bits.
|
|
|
|
if (EVP_PKEY_CTX_set_rsa_keygen_bits(pctx.get(), 2048) <= 0) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed to set key bits " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate private key.
|
2023-07-15 21:10:19 +01:00
|
|
|
auto pkey = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>(EVP_PKEY_new(), ::EVP_PKEY_free);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!pkey) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed to allocate private key " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
auto pkey_raw = pkey.get();
|
|
|
|
if (EVP_PKEY_keygen(pctx.get(), &pkey_raw) <= 0) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed to generate private key " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Convert private key format to PEM as required by QSslKey.
|
2023-07-15 21:10:19 +01:00
|
|
|
auto bio = std::unique_ptr<BIO, decltype(&::BIO_free_all)>(BIO_new(BIO_s_mem()), ::BIO_free_all);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!bio) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed to allocate I/O abstraction " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!PEM_write_bio_PrivateKey(bio.get(), pkey_raw, nullptr, nullptr, 0, nullptr, nullptr)) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed write PEM format private key to BIO " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
2023-07-15 21:10:19 +01:00
|
|
|
BUF_MEM *mem = nullptr;
|
|
|
|
if (!BIO_get_mem_ptr(bio.get(), &mem)) {
|
2023-07-15 20:26:39 +01:00
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate RSA Private Key failed get PEM format address " << getSslError();
|
|
|
|
return QSslKey();
|
|
|
|
}
|
|
|
|
|
|
|
|
return QSslKey(QByteArray(mem->data, mem->length), QSsl::KeyAlgorithm::Rsa);
|
2023-07-12 18:27:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
QSslCertificate generateSelfSignedCertificate(const QSslKey &qtPrivateKey, const QString &commonName)
|
2023-07-12 17:54:16 +01:00
|
|
|
{
|
2023-07-15 20:26:39 +01:00
|
|
|
// Create certificate.
|
2023-07-15 21:10:19 +01:00
|
|
|
auto x509 = std::unique_ptr<X509, decltype(&::X509_free)>(X509_new(), ::X509_free);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!x509) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to allocate certifcate " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
2023-07-15 21:10:19 +01:00
|
|
|
if (!X509_set_version(x509.get(), 2)) {
|
2023-07-15 20:26:39 +01:00
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set version " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate a random serial number for the certificate.
|
2023-07-15 21:10:19 +01:00
|
|
|
auto sn = std::unique_ptr<BIGNUM, decltype(&::BN_free)>(BN_new(), ::BN_free);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!sn) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to allocate big number structure " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
2023-07-15 21:10:19 +01:00
|
|
|
if (!BN_rand(sn.get(), 160, -1, 0)) { // as per rfc3280, serial numbers must be 20 bytes (160 bits) or less
|
2023-07-15 20:26:39 +01:00
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to generate random number " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!BN_to_ASN1_INTEGER(sn.get(), X509_get_serialNumber(x509.get()))) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to convert number structure to integer" << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the certificate subject and issuer (self-signed).
|
|
|
|
auto name = X509_get_subject_name(x509.get());
|
2023-07-15 21:10:19 +01:00
|
|
|
QByteArray commonNameBytes = commonName.toLatin1();
|
|
|
|
const unsigned char *commonNameCStr = reinterpret_cast<const unsigned char *>(commonNameBytes.data());
|
|
|
|
if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, commonNameCStr, -1, -1, 0)) { // Common Name
|
2023-07-15 20:26:39 +01:00
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set common name to " << commonName << " " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
2023-07-15 21:10:19 +01:00
|
|
|
const unsigned char *organizationCStr = reinterpret_cast<const unsigned char *>("KDE");
|
|
|
|
if (!X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, organizationCStr, -1, -1, 0)) { // Organization
|
2023-07-15 20:26:39 +01:00
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set organization " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
2023-07-15 21:10:19 +01:00
|
|
|
const unsigned char *organizationalUnitCStr = reinterpret_cast<const unsigned char *>("KDE Connect");
|
|
|
|
if (!X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_ASC, organizationalUnitCStr, -1, -1, 0)) { // Organizational Unit
|
2023-07-15 20:26:39 +01:00
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set organizational unit " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!X509_set_subject_name(x509.get(), name)) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set subject name" << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!X509_set_issuer_name(x509.get(), name)) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set issuer name" << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the certificate validity period.
|
2023-07-12 17:54:16 +01:00
|
|
|
int a_year_in_seconds = 356 * 24 * 60 * 60;
|
2023-07-15 20:26:39 +01:00
|
|
|
X509_gmtime_adj(X509_getm_notBefore(x509.get()), -a_year_in_seconds);
|
|
|
|
X509_gmtime_adj(X509_getm_notAfter(x509.get()), 10 * a_year_in_seconds);
|
|
|
|
|
|
|
|
// Convert the QSslKey to the OpenSSL private key format.
|
2023-07-15 21:10:19 +01:00
|
|
|
QByteArray keyPemData = qtPrivateKey.toPem();
|
|
|
|
auto bio = std::unique_ptr<BIO, decltype(&::BIO_free_all)>(BIO_new_mem_buf(keyPemData.data(), -1), ::BIO_free_all);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!bio) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to allocate I/O abstraction " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
auto pkeyRaw = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
|
2023-07-15 21:10:19 +01:00
|
|
|
auto pkey = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>(pkeyRaw, ::EVP_PKEY_free);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!pkey) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to read private key " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!X509_set_pubkey(x509.get(), pkey.get())) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to set private key " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sign the certificate with private key.
|
|
|
|
if (!X509_sign(x509.get(), pkey.get(), EVP_sha256())) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to sign certificate " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Convert to PEM which is the format needed for QSslCertificate.
|
2023-07-15 21:10:19 +01:00
|
|
|
bio = std::unique_ptr<BIO, decltype(&::BIO_free_all)>(BIO_new(BIO_s_mem()), ::BIO_free_all);
|
2023-07-15 20:26:39 +01:00
|
|
|
if (!bio) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed to allocate I/O abstraction " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!PEM_write_bio_X509(bio.get(), x509.get())) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed write PEM format certificate to BIO " << getSslError();
|
|
|
|
return QSslCertificate();
|
|
|
|
}
|
|
|
|
|
|
|
|
BUF_MEM *pem = nullptr;
|
|
|
|
if (!BIO_get_mem_ptr(bio.get(), &pem)) {
|
|
|
|
qCWarning(KDECONNECT_CORE) << "Generate Self Signed Certificate failed get PEM format address " << getSslError();
|
2023-07-15 21:10:19 +01:00
|
|
|
return QSslCertificate();
|
2023-07-15 20:26:39 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return QSslCertificate(QByteArray(pem->data, pem->length));
|
2023-07-12 17:54:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace SslHelper
|