tor-gencert.c 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386
  1. /* Copyright 2007 Roger Dingledine, Nick Mathewson */
  2. /* See LICENSE for licensing information */
  3. /* $Id: /tor/trunk/src/tools/tor-resolve.c 12481 2007-04-21T17:27:19.371353Z nickm $ */
  4. #include "orconfig.h"
  5. #include <stdio.h>
  6. #include <string.h>
  7. #include <sys/types.h>
  8. #include <sys/stat.h>
  9. #include <fcntl.h>
  10. #include <unistd.h>
  11. #include <openssl/evp.h>
  12. #include <openssl/pem.h>
  13. #include <openssl/objects.h>
  14. #include <openssl/obj_mac.h>
  15. #include <openssl/err.h>
  16. #include <errno.h>
  17. #if 0
  18. #include <stdlib.h>
  19. #include <stdarg.h>
  20. #include <assert.h>
  21. #endif
  22. #define CRYPTO_PRIVATE
  23. #include "compat.h"
  24. #include "util.h"
  25. #include "log.h"
  26. #include "crypto.h"
  27. #define IDENTITY_KEY_BITS 3072
  28. #define SIGNING_KEY_BITS 1024
  29. #define DEFAULT_LIFETIME 12
  30. char *identity_key_file = NULL;
  31. char *signing_key_file = NULL;
  32. char *certificate_file = NULL;
  33. int verbose = 0;
  34. int make_new_id = 0;
  35. int months_lifetime = DEFAULT_LIFETIME;
  36. EVP_PKEY *identity_key = NULL;
  37. EVP_PKEY *signing_key = NULL;
  38. /* DOCDOC */
  39. static void
  40. show_help(void)
  41. {
  42. fprintf(stderr, "Syntax:\n"
  43. "tor-gencert [-h|--help] [-v] [--create-identity-key] "
  44. "[-i identity_key_file]\n"
  45. " [-s signing_key_file] [-c certificate_file]\n");
  46. }
  47. /* XXXX copied from crypto.c */
  48. static void
  49. crypto_log_errors(int severity, const char *doing)
  50. {
  51. unsigned int err;
  52. const char *msg, *lib, *func;
  53. while ((err = ERR_get_error()) != 0) {
  54. msg = (const char*)ERR_reason_error_string(err);
  55. lib = (const char*)ERR_lib_error_string(err);
  56. func = (const char*)ERR_func_error_string(err);
  57. if (!msg) msg = "(null)";
  58. if (!lib) lib = "(null)";
  59. if (!func) func = "(null)";
  60. if (doing) {
  61. log(severity, LD_CRYPTO, "crypto error while %s: %s (in %s:%s)",
  62. doing, msg, lib, func);
  63. } else {
  64. log(severity, LD_CRYPTO, "crypto error: %s (in %s:%s)", msg, lib, func);
  65. }
  66. }
  67. }
  68. /** DOCDOC */
  69. static int
  70. parse_commandline(int argc, char **argv)
  71. {
  72. int i;
  73. for (i = 1; i < argc; ++i) {
  74. if (!strcmp(argv[i], "--help") || !strcmp(argv[i], "-h")) {
  75. show_help();
  76. return 1;
  77. } else if (!strcmp(argv[i], "-i")) {
  78. if (i+1>=argc) {
  79. fprintf(stderr, "No argument to -i\n");
  80. return 1;
  81. }
  82. identity_key_file = tor_strdup(argv[++i]);
  83. } else if (!strcmp(argv[i], "-c")) {
  84. if (i+1>=argc) {
  85. fprintf(stderr, "No argument to -c\n");
  86. return 1;
  87. }
  88. certificate_file = tor_strdup(argv[++i]);
  89. } else if (!strcmp(argv[i], "-m")) {
  90. if (i+1>=argc) {
  91. fprintf(stderr, "No argument to -m\n");
  92. return 1;
  93. }
  94. months_lifetime = atoi(argv[++i]);
  95. if (months_lifetime > 24 || months_lifetime < 0) {
  96. fprintf(stderr, "Lifetime (in months) was out of range.");
  97. return 1;
  98. }
  99. } else if (!strcmp(argv[i], "-v")) {
  100. verbose = 1;
  101. } else if (!strcmp(argv[i], "--create-identity-key")) {
  102. make_new_id = 1;
  103. } else {
  104. fprintf(stderr, "Unrecognized option %s\n", argv[i]);
  105. return 1;
  106. }
  107. }
  108. if (verbose) {
  109. add_stream_log(LOG_INFO, LOG_ERR, "<stderr>", stderr);
  110. } else {
  111. add_stream_log(LOG_NOTICE, LOG_ERR, "<stderr>", stderr);
  112. }
  113. if (!identity_key_file) {
  114. identity_key_file = tor_strdup("./authority_identity_key");
  115. log_info(LD_GENERAL, "No identity key file given; defaulting to %s",
  116. identity_key_file);
  117. }
  118. if (!signing_key_file) {
  119. signing_key_file = tor_strdup("./authority_signing_key");
  120. log_info(LD_GENERAL, "No signing key file given; defaulting to %s",
  121. signing_key_file);
  122. }
  123. if (!certificate_file) {
  124. certificate_file = tor_strdup("./authority_certificate");
  125. log_info(LD_GENERAL, "No signing key file given; defaulting to %s",
  126. signing_key_file);
  127. }
  128. return 0;
  129. }
  130. /** DOCDOC */
  131. static int
  132. load_identity_key(void)
  133. {
  134. file_status_t status = file_status(identity_key_file);
  135. FILE *f;
  136. if (make_new_id) {
  137. open_file_t *open_file = NULL;
  138. RSA *key;
  139. if (status != FN_NOENT) {
  140. log_err(LD_GENERAL, "--create-identity-key was specified, but %s "
  141. "already exists.", identity_key_file);
  142. return 1;
  143. }
  144. log_notice(LD_GENERAL, "Generating %d-bit RSA identity key.",
  145. IDENTITY_KEY_BITS);
  146. if (!(key = RSA_generate_key(IDENTITY_KEY_BITS, 65537, NULL, NULL))) {
  147. log_err(LD_GENERAL, "Couldn't generate identity key.");
  148. crypto_log_errors(LOG_ERR, "Generating identity key");
  149. return 1;
  150. }
  151. identity_key = EVP_PKEY_new();
  152. if (!(EVP_PKEY_assign_RSA(identity_key, key))) {
  153. log_err(LD_GENERAL, "Couldn't assign identity key.");
  154. return 1;
  155. }
  156. if (!(f = start_writing_to_stdio_file(identity_key_file,
  157. OPEN_FLAGS_REPLACE, 0400,
  158. &open_file)))
  159. return 1;
  160. if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key,
  161. NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
  162. NULL, 0, /* no password here. */
  163. NULL, NULL)) {
  164. log_err(LD_GENERAL, "Couldn't write identity key to %s",
  165. identity_key_file);
  166. crypto_log_errors(LOG_ERR, "Writing identity key");
  167. abort_writing_to_file(open_file);
  168. return 1;
  169. }
  170. finish_writing_to_file(open_file);
  171. } else {
  172. if (status != FN_FILE) {
  173. log_err(LD_GENERAL,
  174. "No identity key found in %s. To specify a location "
  175. "for an identity key, use -i. To generate a new identity key, "
  176. "use --create-identity-key.", identity_key_file);
  177. return 1;
  178. }
  179. if (!(f = fopen(identity_key_file, "r"))) {
  180. log_err(LD_GENERAL, "Couldn't open %s for reading: %s",
  181. identity_key_file, strerror(errno));
  182. return 1;
  183. }
  184. identity_key = PEM_read_PrivateKey(f, NULL, NULL, NULL);
  185. if (!identity_key) {
  186. log_err(LD_GENERAL, "Couldn't read identity key from %s",
  187. identity_key_file);
  188. return 1;
  189. }
  190. fclose(f);
  191. }
  192. return 0;
  193. }
  194. /** DOCDOC */
  195. static int
  196. generate_signing_key(void)
  197. {
  198. open_file_t *open_file;
  199. FILE *f;
  200. RSA *key;
  201. log_notice(LD_GENERAL, "Generating %d-bit RSA signing key.",
  202. SIGNING_KEY_BITS);
  203. if (!(key = RSA_generate_key(SIGNING_KEY_BITS, 65537, NULL, NULL))) {
  204. log_err(LD_GENERAL, "Couldn't generate signing key.");
  205. crypto_log_errors(LOG_ERR, "Generating signing key");
  206. return 1;
  207. }
  208. signing_key = EVP_PKEY_new();
  209. if (!(EVP_PKEY_assign_RSA(signing_key, key))) {
  210. log_err(LD_GENERAL, "Couldn't assign signing key.");
  211. return 1;
  212. }
  213. if (!(f = start_writing_to_stdio_file(signing_key_file,
  214. OPEN_FLAGS_REPLACE, 0600,
  215. &open_file)))
  216. return 1;
  217. /* Write signing key with no encryption. */
  218. if (!PEM_write_RSAPrivateKey(f, key, NULL, NULL, 0, NULL, NULL)) {
  219. crypto_log_errors(LOG_WARN, "writing signing key");
  220. abort_writing_to_file(open_file);
  221. return 1;
  222. }
  223. finish_writing_to_file(open_file);
  224. return 0;
  225. }
  226. static char *
  227. key_to_string(EVP_PKEY *key)
  228. {
  229. BUF_MEM *buf;
  230. BIO *b;
  231. RSA *rsa = EVP_PKEY_get1_RSA(key);
  232. char *result;
  233. if (!rsa)
  234. return NULL;
  235. b = BIO_new(BIO_s_mem());
  236. if (!PEM_write_bio_RSAPublicKey(b, rsa)) {
  237. crypto_log_errors(LOG_WARN, "writing public key to string");
  238. return NULL;
  239. }
  240. BIO_get_mem_ptr(b, &buf);
  241. (void) BIO_set_close(b, BIO_NOCLOSE);
  242. BIO_free(b);
  243. result = tor_malloc(buf->length + 1);
  244. memcpy(result, buf->data, buf->length);
  245. result[buf->length] = 0;
  246. BUF_MEM_free(buf);
  247. return result;
  248. }
  249. static int
  250. get_fingerprint(EVP_PKEY *pkey, char *out)
  251. {
  252. int r = 1;
  253. crypto_pk_env_t *pk = _crypto_new_pk_env_rsa(EVP_PKEY_get1_RSA(pkey));
  254. if (pk) {
  255. r = crypto_pk_get_fingerprint(pk, out, 0);
  256. crypto_free_pk_env(pk);
  257. }
  258. return r;
  259. }
  260. static int
  261. generate_certificate(void)
  262. {
  263. char buf[8192];
  264. time_t now = time(NULL);
  265. struct tm tm;
  266. char published[ISO_TIME_LEN+1];
  267. char expires[ISO_TIME_LEN+1];
  268. char fingerprint[FINGERPRINT_LEN+1];
  269. char *ident = key_to_string(identity_key);
  270. char *signing = key_to_string(signing_key);
  271. FILE *f;
  272. size_t signed_len;
  273. char digest[DIGEST_LEN];
  274. char signature[1024]; /* handles up to 8192-bit keys. */
  275. int r;
  276. get_fingerprint(identity_key, fingerprint);
  277. tor_localtime_r(&now, &tm);
  278. tm.tm_mon += months_lifetime;
  279. format_iso_time(published, now);
  280. format_iso_time(expires, mktime(&tm));
  281. tor_snprintf(buf, sizeof(buf),
  282. "dir-key-certificate-version 3\n"
  283. "fingerprint %s\n"
  284. "dir-key-published %s\n"
  285. "dir-key-expires %s\n"
  286. "dir-identity-key\n%s"
  287. "dir-signing-key\n%s"
  288. "dir-key-certification\n",
  289. fingerprint, published, expires, ident, signing);
  290. signed_len = strlen(buf);
  291. SHA1((const unsigned char*)buf,signed_len,(unsigned char*)digest);
  292. r = RSA_private_encrypt(DIGEST_LEN, (unsigned char*)digest,
  293. (unsigned char*)signature,
  294. EVP_PKEY_get1_RSA(identity_key),
  295. RSA_PKCS1_PADDING);
  296. strlcat(buf, "-----BEGIN SIGNATURE-----\n", sizeof(buf));
  297. signed_len = strlen(buf);
  298. base64_encode(buf+signed_len, sizeof(buf)-signed_len, signature, r);
  299. strlcat(buf, "-----END SIGNATURE-----\n", sizeof(buf));
  300. if (!(f = fopen(certificate_file, "w"))) {
  301. log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
  302. certificate_file, strerror(errno));
  303. return 1;
  304. }
  305. fputs(buf, f);
  306. fclose(f);
  307. return 0;
  308. }
  309. /** Entry point to tor-gencert */
  310. int
  311. main(int argc, char **argv)
  312. {
  313. int r = 1;
  314. /* Don't bother using acceleration. */
  315. if (crypto_global_init(0)) {
  316. fprintf(stderr, "Couldn't initialize crypto library.\n");
  317. return 1;
  318. }
  319. if (crypto_seed_rng()) {
  320. fprintf(stderr, "Couldn't seed RNG.\n");
  321. goto done;
  322. }
  323. /* Make sure that files are made private. */
  324. umask(0077);
  325. if (parse_commandline(argc, argv))
  326. goto done;
  327. if (load_identity_key())
  328. goto done;
  329. if (generate_signing_key())
  330. goto done;
  331. if (generate_certificate())
  332. goto done;
  333. r = 0;
  334. done:
  335. if (identity_key)
  336. EVP_PKEY_free(identity_key);
  337. if (signing_key)
  338. EVP_PKEY_free(signing_key);
  339. crypto_global_cleanup();
  340. return r;
  341. }