- add custom extension support

- add support to retrive custom extension value
- add support to add custom protocol for protocol negotiation

Signed-off-by: Tiger <rbalajis25@gmail.com>
This commit is contained in:
Tiger 2020-05-23 17:24:57 +05:30
parent 5f2730c458
commit 09d72588f7
6 changed files with 134 additions and 3 deletions

22
cert.go
View File

@ -331,6 +331,14 @@ func (c *Certificate) AddExtension(nid NID, value string) error {
return nil
}
// AddCustomExtension add custom extenstion to the certificate.
func (c *Certificate) AddCustomExtension(nid NID, value []byte) error {
if int(C.add_custom_ext(c.x, C.int(nid), (*C.char)(C.CBytes(value)), C.int(len(value)))) == 0 {
return errors.New("Unable to add extension")
}
return nil
}
// Wraps AddExtension using a map of NID to text extension.
// Will return without finishing if it encounters an error.
func (c *Certificate) AddExtensions(extensions map[NID]string) error {
@ -413,3 +421,17 @@ func (c *Certificate) SetVersion(version X509_Version) error {
}
return nil
}
// GetExtensionValue returns the value of the given NID's extension.
func (c *Certificate) GetExtensionValue(nid NID) []byte {
dataLength := C.int(0)
val := C.get_extention(c.x, C.int(nid), &dataLength)
return charToBytes(val, int(dataLength))
}
// charToBytes converts c unisgned char to golang bytes
func charToBytes(src *C.uchar, sz int) []byte {
dest := make([]byte, sz)
copy(dest, (*(*[1024]byte)(unsafe.Pointer(src)))[:sz:sz])
return dest
}

23
ctx.go
View File

@ -522,6 +522,29 @@ func (c *Ctx) SetCipherList(list string) error {
return nil
}
// SetNextProtos sets Negotiation protocol to the ctx.
func (c *Ctx) SetNextProtos(protos []string) error {
if len(protos) == 0 {
return nil
}
vector := make([]byte, 0)
for _, proto := range protos {
if len(proto) > 255 {
return fmt.Errorf(
"Proto length can't be more than 255. But got a proto %s with length %d",
proto, len(proto))
}
vector = append(vector, byte(uint8(len(proto))))
vector = append(vector, []byte(proto)...)
}
ret := int(C.SSL_CTX_set_alpn_protos(c.ctx, (*C.uchar)(unsafe.Pointer(&vector[0])),
C.uint(len(vector))))
if ret != 0 {
return errors.New("Error while setting protos to ctx")
}
return nil
}
type SessionCacheModes int
const (

40
exntension.c Normal file
View File

@ -0,0 +1,40 @@
#include <openssl/x509v3.h>
#include <string.h>
const unsigned char * get_extention(X509 *x, int NID, int *data_len){
int loc;
ASN1_OCTET_STRING *octet_str;
long xlen;
int tag, xclass;
loc = X509_get_ext_by_NID( x, NID, -1);
X509_EXTENSION *ex = X509_get_ext(x, loc);
octet_str = X509_EXTENSION_get_data(ex);
*data_len = octet_str->length;
return octet_str->data;
}
// Copied from https://github.com/libtor/openssl/blob/master/demos/x509/mkcert.c#L153
int add_custom_ext(X509 *cert, int nid,unsigned char *value, int len)
{
X509_EXTENSION *ex;
ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(os,value,len);
X509V3_CTX ctx;
/* This sets the 'context' of the extensions. */
/* No configuration database */
X509V3_set_ctx_nodb(&ctx);
/* Issuer and subject certs: both the target since it is self signed,
* no request and no CRL
*/
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
// ref http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-td47446.html
ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os);
if (!X509_add_ext(cert,ex,-1))
return 0;
X509_EXTENSION_free(ex);
return 1;
}

40
extension.c Normal file
View File

@ -0,0 +1,40 @@
#include <openssl/x509v3.h>
#include <string.h>
const unsigned char * get_extention(X509 *x, int NID, int *data_len){
int loc;
ASN1_OCTET_STRING *octet_str;
long xlen;
int tag, xclass;
loc = X509_get_ext_by_NID( x, NID, -1);
X509_EXTENSION *ex = X509_get_ext(x, loc);
octet_str = X509_EXTENSION_get_data(ex);
*data_len = octet_str->length;
return octet_str->data;
}
// Copied from https://github.com/libtor/openssl/blob/master/demos/x509/mkcert.c#L153
int add_custom_ext(X509 *cert, int nid,unsigned char *value, int len)
{
X509_EXTENSION *ex;
ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(os,value,len);
X509V3_CTX ctx;
/* This sets the 'context' of the extensions. */
/* No configuration database */
X509V3_set_ctx_nodb(&ctx);
/* Issuer and subject certs: both the target since it is self signed,
* no request and no CRL
*/
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
// ref http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-td47446.html
ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os);
if (!X509_add_ext(cert,ex,-1))
return 0;
X509_EXTENSION_free(ex);
return 1;
}

View File

@ -19,6 +19,6 @@ import "C"
// CreateObjectIdentifier creates ObjectIdentifier and returns NID for the created
// ObjectIdentifier
func CreateObjectIdentifier(oid string, shortName string, longName string) int {
return int(C.OBJ_create(C.CString(oid), C.CString(shortName), C.CString(longName)))
func CreateObjectIdentifier(oid string, shortName string, longName string) NID {
return NID(C.OBJ_create(C.CString(oid), C.CString(shortName), C.CString(longName)))
}

8
shim.h
View File

@ -90,6 +90,8 @@ extern int X_SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX *sslctx,
extern int X_SSL_CTX_ticket_key_cb(SSL *s, unsigned char key_name[16],
unsigned char iv[EVP_MAX_IV_LENGTH],
EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc);
extern int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
unsigned int protos_len);
/* BIO methods */
extern int X_BIO_get_flags(BIO *b);
@ -173,4 +175,8 @@ extern int X_X509_set_version(X509 *x, long version);
extern int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
/* Object methods */
extern int OBJ_create(const char *oid,const char *sn,const char *ln);
extern int OBJ_create(const char *oid,const char *sn,const char *ln);
/* Extension helper method */
extern const unsigned char * get_extention(X509 *x, int NID, int *data_len);
extern int add_custom_ext(X509 *cert, int nid, char *value, int len);