1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "adb/crypto/x509_generator.h"
18
19 #include <vector>
20
21 #include <android-base/logging.h>
22 #include <crypto_utils/android_pubkey.h>
23 #include <openssl/bn.h>
24 #include <openssl/pem.h>
25 #include <openssl/rsa.h>
26
27 #include <string.h>
28
29 namespace adb {
30 namespace crypto {
31
32 namespace {
33
34 const char kBasicConstraints[] = "critical,CA:TRUE";
35 const char kKeyUsage[] = "critical,keyCertSign,cRLSign,digitalSignature";
36 const char kSubjectKeyIdentifier[] = "hash";
37 constexpr int kCertLifetimeSeconds = 10 * 365 * 24 * 60 * 60;
38
add_ext(X509 * cert,int nid,const char * value)39 bool add_ext(X509* cert, int nid, const char* value) {
40 size_t len = strlen(value) + 1;
41 std::vector<char> mutableValue(value, value + len);
42 X509V3_CTX context;
43
44 X509V3_set_ctx_nodb(&context);
45
46 X509V3_set_ctx(&context, cert, cert, nullptr, nullptr, 0);
47 X509_EXTENSION* ex = X509V3_EXT_nconf_nid(nullptr, &context, nid, mutableValue.data());
48 if (!ex) {
49 return false;
50 }
51
52 X509_add_ext(cert, ex, -1);
53 X509_EXTENSION_free(ex);
54 return true;
55 }
56
57 } // namespace
58
GenerateX509Certificate(EVP_PKEY * pkey)59 bssl::UniquePtr<X509> GenerateX509Certificate(EVP_PKEY* pkey) {
60 CHECK(pkey);
61 bssl::UniquePtr<X509> x509(X509_new());
62 if (!x509) {
63 LOG(ERROR) << "Unable to allocate x509 container";
64 return nullptr;
65 }
66 X509_set_version(x509.get(), 2);
67
68 ASN1_INTEGER_set(X509_get_serialNumber(x509.get()), 1);
69 X509_gmtime_adj(X509_get_notBefore(x509.get()), 0);
70 X509_gmtime_adj(X509_get_notAfter(x509.get()), kCertLifetimeSeconds);
71
72 if (!X509_set_pubkey(x509.get(), pkey)) {
73 LOG(ERROR) << "Unable to set x509 public key";
74 return nullptr;
75 }
76
77 X509_NAME* name = X509_get_subject_name(x509.get());
78 if (!name) {
79 LOG(ERROR) << "Unable to get x509 subject name";
80 return nullptr;
81 }
82 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
83 reinterpret_cast<const unsigned char*>("US"), -1, -1, 0);
84 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
85 reinterpret_cast<const unsigned char*>("Android"), -1, -1, 0);
86 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
87 reinterpret_cast<const unsigned char*>("Adb"), -1, -1, 0);
88 if (!X509_set_issuer_name(x509.get(), name)) {
89 LOG(ERROR) << "Unable to set x509 issuer name";
90 return nullptr;
91 }
92
93 add_ext(x509.get(), NID_basic_constraints, kBasicConstraints);
94 add_ext(x509.get(), NID_key_usage, kKeyUsage);
95 add_ext(x509.get(), NID_subject_key_identifier, kSubjectKeyIdentifier);
96
97 int bytes = X509_sign(x509.get(), pkey, EVP_sha256());
98 if (bytes <= 0) {
99 LOG(ERROR) << "Unable to sign x509 certificate";
100 return nullptr;
101 }
102
103 return x509;
104 }
105
X509ToPEMString(X509 * x509)106 std::string X509ToPEMString(X509* x509) {
107 bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
108 int rc = PEM_write_bio_X509(bio.get(), x509);
109 if (rc != 1) {
110 LOG(ERROR) << "PEM_write_bio_X509 failed";
111 return "";
112 }
113
114 BUF_MEM* mem = nullptr;
115 BIO_get_mem_ptr(bio.get(), &mem);
116 if (!mem || !mem->data || !mem->length) {
117 LOG(ERROR) << "BIO_get_mem_ptr failed";
118 return "";
119 }
120
121 return std::string(mem->data, mem->length);
122 }
123
124 } // namespace crypto
125 } // namespace adb
126