From patchwork Wed Dec 6 12:27:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 3502 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:8d12:b0:fc:24ac:f0cb with SMTP id i18csp2156354dys; Wed, 6 Dec 2023 04:28:09 -0800 (PST) X-Google-Smtp-Source: AGHT+IG6KRI4f0g2US9RN+sKEdu5oy9ri3NyYgzU114o8YHx4Y7X6FZtacG+2k+SXEAvbVpQRxCD X-Received: by 2002:a05:6a21:187:b0:18b:2020:8cd1 with SMTP id le7-20020a056a21018700b0018b20208cd1mr1837814pzb.3.1701865689170; Wed, 06 Dec 2023 04:28:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701865689; cv=none; d=google.com; s=arc-20160816; b=qduQqOXzwkEbbevcj/9PzPNQwcZ+yCnLQaf0Odj/rQvSXjqlg5IFWVNekfXjt8QjtW sd2Nlzq+8lTOO0utGRtpjejaxztbSHVTp2NZlxh2a03h8ysPG1GGHsp+rKjzuGkvHtwD ZwF913it6xkS0RdlyXn6Xdwrqv/vzIPwAC2juAu8HrRvwEyngjMXoKiIo0VplyGk/U8a IMmfzwAeHETv0aU4nvoTqt2j7F6m3I9N9AwQzX6rCu1zi5d7s6K80Qtl86haqNgSjDRh clB2CMplseqlAEnggWyJkLE3PvwHLPwOksNdgWOs7CPAtbBt3Uc0hwdMDgZMl45QFP0N BvlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=yPX0lqNjdNZCQSvFBkriNSoaBvEpsvSaclseqeDWD/8=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=LEjlXoU295ARqmr98YC3xpw0dkDDkzOTN/Oj1EbfdmOCmxdKm+40zpz9z/MONw1+FK vOT4VcFYQ95zSVBYCbG5aDrjBzU5fFKDFF27WeyFizDR65BDlaF6FHbhEDhWzBEjU8v5 GrHyRcqFXv7BkQV4vCsID3icOI/4huzZkVGkG9vV7IDPoGeoD0hsdCDSBHYPEh+hTNOj 0wxUjatRcnKoz9rzSBim9EUu1M5TP65qiKOJST8BB0aPWtuVLXhXxfoVqwKzui+2c0KH DE7/4Py3Yg8Tn8UgAb0/R5ioHE7qQR+6VtrmT7OG6CL1cB3CFgS/Zonbk5VStnuk5FyG ei5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=WxUWQC4Q; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=MCayo+To; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=IBhOpHg4; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id f15-20020a056a00238f00b006cdff9ab05fsi2414934pfc.50.2023.12.06.04.28.08 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Dec 2023 04:28:09 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=WxUWQC4Q; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=MCayo+To; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=IBhOpHg4; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1rAqzm-0003iW-IO; Wed, 06 Dec 2023 12:27:17 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1rAqzl-0003iQ-Lf for openvpn-devel@lists.sourceforge.net; Wed, 06 Dec 2023 12:27:16 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=gAlbaWIfkxExGswV2dPRD8a2B0YJTxqtg7axLFH6UB8=; b=WxUWQC4QW+J7onYw9ayCXSCEKh vuuB5MrL1WlNk+luEftIcco6V1kscEDz0K2aqHrdepU1jMCY09liBl52y3AorvAVTfydwK8eURUju YYZen8QLWAs7I+Pp0M9YBkuKR9B4+03kySt3uBZARO4tMeKuFoEVqhlZuE2RbpaZ7GiE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=gAlbaWIfkxExGswV2dPRD8a2B0YJTxqtg7axLFH6UB8=; b=M Cayo+ToGdcmfme12Qs+cj0KYf6vh3/Dnej9d9KHQTyg8ujKJ+jrpHQktRqqFi6naxBTlt6zaP522h JhjSMicZAjhTQT0KOyr7Ylc+OdQvEitEcIPdFd5fu6tpIRyB22g6YQcK0H3PaWPq9lCakm1SZCoTm Uot0CxVD7eQ0cVgE=; Received: from mail-wm1-f46.google.com ([209.85.128.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1rAqzh-00038k-UF for openvpn-devel@lists.sourceforge.net; Wed, 06 Dec 2023 12:27:16 +0000 Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-40c09b021daso42395045e9.0 for ; Wed, 06 Dec 2023 04:27:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1701865622; x=1702470422; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=gAlbaWIfkxExGswV2dPRD8a2B0YJTxqtg7axLFH6UB8=; b=IBhOpHg4W5gjCAaVjvx85QjTyBv5BCOIdgv1Do930xscmy06n5v2N83u+X44GM7RST g/sOYuPxJHTGbyYYlHHR3tiewl2EQPhDO7jVSawJ85TXSTiCT5RT4+DGGTZL1Kk2emT1 JXirzUmbUWq3nGWYeOwKJdWMLDfc42bUVse7DP7SjSI+y5pkjG55A1LbviHWtp36SEgx qnkexbqyR2uq41dsoP8mwb5COeK9dZO910RQ2L0yAU2DUydKmGaU0BxiA4t5n1tNWDgH Bxq/xDwoYIwAtRC29Kf8r0fk2cVih7kynX/lbno6eXyKzD8GJ5yVD4M85PFSRI9AdHhu EnrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701865622; x=1702470422; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=gAlbaWIfkxExGswV2dPRD8a2B0YJTxqtg7axLFH6UB8=; b=wDmh/XYklkufTkVrBMUDnhD/sz75Ig4bJqeaLoK6+ikGoV9NoJi9Ehgsyk+yHB/CSx O4l2spQGH6lwF3PPqjA2nP1fElR8cUSPBcKeF9dt8z0dJ4tSsEDRY/gucugBAnGbWlsJ WruhvpEV1Q77yOeeojdIb4tN71IAMWx8jyYlxUS3+r8sFUuBw17EhS73fm6AKBwqZdLU 9cPwDXfOwvN7geXzESpv54+4Y8q4MEfHwKGVnk1oDq3Dx1fwWp67Bnp9A1zuXvzCsoPy Q78COTfBhu8msKn/gDW6U7FuAsypxDOBL5HNmWEg271ZMTTNI/75GSPtbAM6WnQaugV7 EycA== X-Gm-Message-State: AOJu0YxHm4sDdWMPHUm65bbErk5FH/fHyrZYTQCy+t14i1lL8DAsVAH5 2Kwpnvh6cZUgSB4n3wM+4uqBFGFsTowqmUqeVYs= X-Received: by 2002:a05:600c:540f:b0:40c:24a2:6b05 with SMTP id he15-20020a05600c540f00b0040c24a26b05mr124163wmb.206.1701865621680; Wed, 06 Dec 2023 04:27:01 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id bg24-20020a05600c3c9800b0040b3d33ab55sm25724751wmb.47.2023.12.06.04.27.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Dec 2023 04:27:01 -0800 (PST) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Wed, 6 Dec 2023 12:27:00 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 X-Gerrit-Change-Number: 466 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 549b9cb9e1a55a010100802c689336a067d21d58 References: Message-ID: <2d201f77fcf376860e98766576c6237cacb64600-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.46 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.46 listed in wl.mailspike.net] 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1rAqzh-00038k-UF Subject: [Openvpn-devel] [M] Change in openvpn[master]: Implement the --export-peer-cert feature X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1784535517068222147?= X-GMAIL-MSGID: =?utf-8?q?1784535517068222147?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to review the following change. Change subject: Implement the --export-peer-cert feature ...................................................................... Implement the --export-peer-cert feature This is a re-implementation of the --export-peer-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following description of the feature provided by David: Add an option to export certificate in PEM format of the remote peer to a given directory. For example: --export-peer-cert /var/tmp This option should use a randomised filename, which is provided via a "peer_cert" environment variable for the --tls-verify script or the OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has completed, OpenVPN should delete this file. Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe --- M doc/man-sections/script-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/ssl_common.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify_backend.h M src/openvpn/ssl_verify_mbedtls.c M src/openvpn/ssl_verify_openssl.c 9 files changed, 152 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/1 diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 38dcfa2..edf636d 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--export-peer-cert-path dir + Adds a an environment variables ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,14 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` + If the option ``--export-peer-cert`` is enabled, this option contains + the path to the current peer certificate to be verified in PEM format + where ``n`` is the verification level. + +:code:`peer_cert` identical to `peer_cert_0` for compatibility with older + versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..917ae33 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; + to.export_peer_cert_dir = options->tls_export_peer_cert_path; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1521872..e63ef84 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); + SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); + MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } + if (options->tls_export_peer_cert_path) + { + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_path, + W_OK, "--export-peer-cert"); + } + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8998,6 +9007,11 @@ string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true); } + else if (streq(p[0], "export-peer-cert") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_SCRIPT); + options->tls_export_peer_cert_path = p[1]; + } else if (streq(p[0], "compat-names")) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c4514e1..3b9a7f6 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -592,6 +592,7 @@ const char *tls_cert_profile; const char *ecdh_curve; const char *tls_verify; + const char *tls_export_peer_cert_path; int verify_x509_type; const char *verify_x509_name; const char *crl_file; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 925660b..f085e0d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -374,6 +374,7 @@ const char *client_crresponse_script; bool auth_user_pass_verify_script_via_file; const char *tmp_dir; + const char *export_peer_cert_dir; const char *auth_user_pass_file; bool auth_user_pass_file_inline; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index bd7e512..3d794cc 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -457,6 +457,32 @@ gc_free(&gc); } +static bool +verify_cert_cert_export_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, + int cert_depth, const char *pem_export_fn) +{ + char envname[64]; + struct gc_arena gc = gc_new(); + /* export the certificate itself as pem when the enabled */ + openvpn_snprintf(envname, sizeof(envname), "peer_cert_%d", cert_depth); + setenv_str(es, envname, pem_export_fn); + + /* compatibility with older scripts/plugins that expect peer_cert without + * suffix */ + if (cert_depth == 0) + { + setenv_str(es, "peer_cert", pem_export_fn); + } + + bool ret = true; + + ret = (backend_x509_write_pem(peer_cert, pem_export_fn) == SUCCESS); + + gc_free(&gc); + return ret; +} + + /* * call --tls-verify plug-in(s) */ @@ -572,18 +598,19 @@ result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) { + /* need to define these variables here so goto cleanup will always have + * these variables defined */ result_t ret = FAILURE; - char *subject = NULL; - const struct tls_options *opt; struct gc_arena gc = gc_new(); + const char *pem_export_fn = NULL; - opt = session->opt; + const struct tls_options *opt = session->opt; ASSERT(opt); session->verified = false; /* get the X509 name */ - subject = x509_get_subject(cert, &gc); + char *subject = x509_get_subject(cert, &gc); if (!subject) { msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " @@ -706,6 +733,19 @@ session->verify_maxlevel = max_int(session->verify_maxlevel, cert_depth); + if (opt->export_peer_cert_dir) + { + pem_export_fn = platform_create_temp_file(opt->export_peer_cert_dir, + "pef", &gc); + + if (!pem_export_fn + || !verify_cert_cert_export_env(opt->es, cert, cert_depth, pem_export_fn)) + { + msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for " + "--export-peer-cert in %s", opt->export_peer_cert_dir); + goto cleanup; + } + } /* export certificate values to the environment */ verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name, opt->x509_track); @@ -763,6 +803,11 @@ tls_clear_error(); /* always? */ session->verified = false; /* double sure? */ } + if (pem_export_fn) + { + platform_unlink(pem_export_fn); + } + gc_free(&gc); return ret; diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index d402b1f..5301a51 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -161,6 +161,17 @@ struct gc_arena *gc); /* + * Write the certificate to the file in PEM format. + * + * + * @param cert Certificate to serialise. + * + * @return \c FAILURE, \c or SUCCESS + */ +result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, + const char *filename); + +/* * Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value} diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 5612139..a48526e 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -218,6 +218,41 @@ return buf; } +result_t +backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename) +{ + /* mbed TLS does not make it easy to write a certificate in PEM format. + * The only way to is directly access the DER encoded raw certificate + * and PEM encode it ourselves */ + + struct gc_arena gc = gc_new(); + /* just do a very loose upper bound for the base64 based PEM encoding + * using needing 3 times the space for the base64 and 100 bytes for the + * headers and footer */ + struct buffer pem = alloc_buf_gc(cert->raw.len * 3 + 100, &gc); + + struct buffer der = {}; + buf_set_read(&der, cert->raw.p, cert->raw.len); + + if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc)) + { + goto err; + } + + if (!buffer_write_file(filename, &pem)) + { + goto err; + } + + gc_free(&gc); + return SUCCESS; +err: + msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", + filename); + gc_free(&gc); + return FAILURE; +} + static struct buffer x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, struct gc_arena *gc) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 5afffc1..00fdec3 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -320,6 +320,29 @@ return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); } +result_t +backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename) +{ + BIO *out = BIO_new_file(filename, "w"); + if (!out) + { + goto err; + } + + if (!PEM_write_bio_X509(out, cert)) + { + goto err; + } + BIO_free(out); + + return SUCCESS; +err: + BIO_free(out); + crypto_msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", + filename); + return FAILURE; +} + struct buffer x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc) {