| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2015-12-04 16:25:21 +0200 |
|---|---|---|
| committer | Vidyullatha Kanchanapally <vidyullatha@codeaurora.org> | 2016-01-11 08:06:48 +0530 |
| commit | 5743cf04ad3c3b52e7fa2fd1191327322fe7390f (patch) | |
| tree | 0d9b0059b6128c530ff7b4a0cbf2c624ff963185 /hs20/client | |
| parent | 4ac7e187cd4821e7b183875a54c3d707bb7ecd95 (diff) | |
EST: Add CSR generation support with BoringSSL
This completes EST support with hs20-osu-client when built with
BoringSSL instead of OpenSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: e6f4832737cd2b83b010e13582f59f2b4a965ce6
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: I9830f94663dfaf0c8d66027c9f7e2c03ab4401db
CRs-fixed: 960177
Diffstat (limited to 'hs20/client')
| -rw-r--r-- | hs20/client/est.c | 44 |
1 files changed, 28 insertions, 16 deletions
diff --git a/hs20/client/est.c b/hs20/client/est.c index d754e610..90a51d5a 100644 --- a/hs20/client/est.c +++ b/hs20/client/est.c @@ -16,6 +16,9 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> #include <openssl/x509v3.h> +#ifdef OPENSSL_IS_BORINGSSL +#include <openssl/buf.h> +#endif /* OPENSSL_IS_BORINGSSL */ #include "common.h" #include "utils/base64.h" @@ -238,8 +241,6 @@ ASN1_CHOICE(CsrAttrs) = { IMPLEMENT_ASN1_FUNCTIONS(CsrAttrs); -#ifndef OPENSSL_IS_BORINGSSL - static void add_csrattrs_oid(struct hs20_osu_client *ctx, ASN1_OBJECT *oid, STACK_OF(X509_EXTENSION) *exts) { @@ -334,6 +335,23 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs, if (!csrattrs || ! csrattrs->attrs) return; +#ifdef OPENSSL_IS_BORINGSSL + num = sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *, + csrattrs->attrs)); + for (i = 0; i < num; i++) { + AttrOrOID *ao = sk_value( + CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *, + csrattrs->attrs), i); + switch (ao->type) { + case 0: + add_csrattrs_oid(ctx, ao->d.oid, exts); + break; + case 1: + add_csrattrs_attr(ctx, ao->d.attribute, exts); + break; + } + } +#else /* OPENSSL_IS_BORINGSSL */ num = SKM_sk_num(AttrOrOID, csrattrs->attrs); for (i = 0; i < num; i++) { AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i); @@ -346,20 +364,14 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs, break; } } -} - #endif /* OPENSSL_IS_BORINGSSL */ +} static int generate_csr(struct hs20_osu_client *ctx, char *key_pem, char *csr_pem, char *est_req, char *old_cert, CsrAttrs *csrattrs) { -#ifdef OPENSSL_IS_BORINGSSL - wpa_printf(MSG_ERROR, - "EST: CSR generation not yet supported with BoringSSL"); - return -1; -#else /* OPENSSL_IS_BORINGSSL */ EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; RSA *rsa; 
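Review bot: The BoringSSL-only `#include <openssl/buf.h>` in the first hunk has no visible user in this diff, so the reason it is needed is not recorded anywhere; presumably some use elsewhere in est.c (a BUF_MEM obtained from a BIO, for instance) gets the declaration transitively from OpenSSL's headers but not from BoringSSL's, which is worth confirming. A one-line comment on the include, along the lines of `/* BoringSSL does not pull in the BUF_MEM declarations transitively */` (wording to match the actual reason), would spare the next reader the same guess.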
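Review bot: The BoringSSL branch of add_csrattrs (hunk @@ -334) drops the type checking the OpenSSL branch keeps: `sk_value(CHECKED_CAST(_STACK *, ...))` yields an untyped pointer that is assigned to `AttrOrOID *` unchecked, and `_STACK`/`CHECKED_CAST` are stack-implementation details (the leading underscore marks a reserved identifier) that may move between BoringSSL revisions. If the BoringSSL being targeted provides `DEFINE_STACK_OF`, declaring `DEFINE_STACK_OF(AttrOrOID)` once and using `sk_AttrOrOID_num`/`sk_AttrOrOID_value` here would keep both branches typed and free of casts. Since csrattrs is presumably decoded from the EST server's response rather than built locally, the `switch (ao->type)` would also read better with an explicit `default: break;` stating that any other CHOICE tag is deliberately ignored. The start of add_csrattrs, including the declarations of num and i, is outside this hunk.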
@@ -371,6 +383,7 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem, STACK_OF(X509_EXTENSION) *exts = NULL; X509_EXTENSION *ex; BIO *out; + CONF *ctmp = NULL; wpa_printf(MSG_INFO, "Generate RSA private key"); write_summary(ctx, "Generate RSA private key"); @@ -452,20 +465,20 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem, if (!exts) goto fail; - ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints, - "CA:FALSE"); + ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_basic_constraints, + "CA:FALSE"); if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex)) goto fail; - ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, - "nonRepudiation,digitalSignature,keyEncipherment"); + ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_key_usage, + "nonRepudiation,digitalSignature,keyEncipherment"); if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex)) goto fail; - ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage, - "1.3.6.1.4.1.40808.1.1.2"); + ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_ext_key_usage, + "1.3.6.1.4.1.40808.1.1.2"); if (ex == NULL || !sk_X509_EXTENSION_push(exts, ex)) goto fail; @@ -566,7 +579,6 @@ fail: if (pctx) EVP_PKEY_CTX_free(pctx); return ret; -#endif /* OPENSSL_IS_BORINGSSL */ } |
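Review bot: `CONF *ctmp = NULL;` is never assigned anything else, so the three `X509V3_EXT_nconf_nid(ctmp, ...)` calls in the next hunk (@@ -452) effectively pass NULL, exactly as the removed `X509V3_EXT_conf_nid(NULL, ...)` calls did, and a reader will look for an NCONF_new() that does not exist. Either pass `NULL` directly or say why a named variable is used; if it exists to sidestep a prototype difference between the two libraries, a comment such as `CONF *ctmp = NULL; /* no config database: extension values are literal strings */` (adjusted to the real reason) would make that explicit. generate_csr's body continues outside this hunk.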
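Review bot: In hunk @@ -452, when `sk_X509_EXTENSION_push(exts, ex)` fails the freshly created extension is never freed before `goto fail`: ownership of `ex` only passes to `exts` on a successful push, and the fail path (outside this hunk) can safely free only the stack, since freeing `ex` there would double-free an extension that was pushed earlier. This applies to all three `X509V3_EXT_nconf_nid` sites and predates the change, but the lines are being rewritten anyway; splitting the check as `if (ex == NULL) goto fail;` followed by `if (!sk_X509_EXTENSION_push(exts, ex)) { X509_EXTENSION_free(ex); goto fail; }` at each site closes the leak. This only matters on allocation failure, so it is a robustness point rather than a functional one.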
