From: Michael Friedrich
Date: Wed, 2 May 2018 14:39:01 +0000 (+0200)
Subject: Revert "Implement support for ECC certificates"
X-Git-Tag: v2.9.0~69^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1102f60b433fb6f0c8060bc583c4c7d3377bf992;p=icinga2
Revert "Implement support for ECC certificates"
This reverts commit 10691db5b1297caaff15a2470575d34c29bd00e2.
refs #5555 refs #6200
---
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 6ad0c5ad2..895582c62 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -89,17 +89,6 @@ std::shared_ptr MakeSSLContext(const String& pubkey, const String& priv
 std::shared_ptr sslContext = std::shared_ptr(SSL_CTX_new(SSLv23_method()), SSL_CTX_free);
- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
-
- if (!ecdh)
- Log(LogWarning, "SSL", "Failed to generate EC private key using EC_KEY_new_by_curve_name().");
- else {
- if (SSL_CTX_set_tmp_ecdh(sslContext.get(), ecdh) != 1)
- Log(LogWarning, "SSL", "Failed to set ECDH parameters for SSL context using SSL_CTX_set_tmp_ecdh.");
- }
-
- EC_KEY_free(ecdh);
-
 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE;
 #ifdef SSL_OP_NO_COMPRESSION
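Review bot: With the `SSL_CTX_set_tmp_ecdh` call removed, MakeSSLContext installs no ECDH parameters on the context at all, and as far as I recall OpenSSL builds before 1.1.0 (which selects curves automatically) will then not negotiate any ECDHE cipher suite, so key exchange falls back to whatever DHE or plain-RSA suites the cipher list still permits, losing forward secrecy in the RSA case. The ephemeral-ECDH setup did not depend on ECC certificates, so the revert looks broader than its subject line; if only ECC certificate support is meant to go, keep the ECDH block, or on OpenSSL 1.0.2 replace it with `SSL_CTX_set_ecdh_auto(sslContext.get(), 1);`. MakeSSLContext continues outside the hunk, so I cannot see whether the cipher list set later compensates.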
@@ -336,31 +325,7 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
 InitializeOpenSSL();
- EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
- EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
-
- if (!EC_KEY_generate_key(eckey)) {
- EC_KEY_free(eckey);
-
- Log(LogCritical, "SSL")
- << "Error while generating EC key pair: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
- BOOST_THROW_EXCEPTION(openssl_error()
- << boost::errinfo_api_function("EC_KEY_generate_key")
- << errinfo_openssl_error(ERR_peek_error()));
- }
-
- EVP_PKEY *key = EVP_PKEY_new();
-
- if (!EVP_PKEY_assign_EC_KEY(key, eckey)) {
- EVP_PKEY_free(key);
- EC_KEY_free(eckey);
-
- Log(LogCritical, "SSL")
- << "Error while assigning EC key to EVP_PKEY structure: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
- BOOST_THROW_EXCEPTION(openssl_error()
- << boost::errinfo_api_function("EC_KEY_generate_key")
- << errinfo_openssl_error(ERR_peek_error()));
- }
+ RSA *rsa = RSA_generate_key(4096, RSA_F4, nullptr, nullptr);
 Log(LogInformation, "base")
 << "Writing private key to '" << keyfile << "'.";
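Review bot: The added `RSA *rsa = RSA_generate_key(4096, RSA_F4, nullptr, nullptr);` is never checked for a NULL result, while the EC path it replaces checked every step; `RSA_generate_key` returns NULL on failure, and the NULL then flows into `PEM_write_bio_RSAPrivateKey` and `EVP_PKEY_assign_RSA` in the later hunks of this function. The failure should be reported the same way as the other OpenSSL errors in MakeX509CSR, using the `errbuf` that the later hunk shows is in scope. `RSA_generate_key` is also the long-deprecated interface; `RSA_generate_key_ex` with a `BIGNUM` exponent is the maintained one, though that is a separate change. MakeX509CSR continues outside the hunk.
```cpp
	RSA *rsa = RSA_generate_key(4096, RSA_F4, nullptr, nullptr);

	if (!rsa) {
		Log(LogCritical, "SSL")
		    << "Error while generating RSA key pair: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
		BOOST_THROW_EXCEPTION(openssl_error()
		    << boost::errinfo_api_function("RSA_generate_key")
		    << errinfo_openssl_error(ERR_peek_error()));
	}

	// … unchanged: "Writing private key" log and the rest of the function …
```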
@@ -368,26 +333,19 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
 BIO *bio = BIO_new_file(const_cast(keyfile.CStr()), "w");
 if (!bio) {
- EVP_PKEY_free(key);
- EC_KEY_free(eckey);
-
 Log(LogCritical, "SSL")
- << "Error while opening private key file '" << keyfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+ << "Error while opening private RSA key file '" << keyfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
 BOOST_THROW_EXCEPTION(openssl_error()
 << boost::errinfo_api_function("BIO_new_file")
 << errinfo_openssl_error(ERR_peek_error())
 << boost::errinfo_file_name(keyfile));
 }
- if (!PEM_write_bio_PrivateKey(bio, key, nullptr, nullptr, 0, nullptr, nullptr)) {
- EVP_PKEY_free(key);
- EC_KEY_free(eckey);
- BIO_free(bio);
-
+ if (!PEM_write_bio_RSAPrivateKey(bio, rsa, nullptr, nullptr, 0, nullptr, nullptr)) {
 Log(LogCritical, "SSL")
- << "Error while writing private key to file '" << keyfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+ << "Error while writing private RSA key to file '" << keyfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
 BOOST_THROW_EXCEPTION(openssl_error()
- << boost::errinfo_api_function("PEM_write_bio_PrivateKey")
+ << boost::errinfo_api_function("PEM_write_bio_RSAPrivateKey")
 << errinfo_openssl_error(ERR_peek_error())
 << boost::errinfo_file_name(keyfile));
 }
@@ -398,6 +356,9 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
 chmod(keyfile.CStr(), 0600);
 #endif /* _WIN32 */
+ EVP_PKEY *key = EVP_PKEY_new();
+ EVP_PKEY_assign_RSA(key, rsa);
+
 if (!certfile.IsEmpty()) {
 X509_NAME *subject = X509_NAME_new();
 X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
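Review bot: Both error paths in the first hunk now throw without releasing anything: the `if (!bio)` branch leaves `rsa` allocated, and the `PEM_write_bio_RSAPrivateKey` failure branch leaves both `rsa` and `bio` allocated, because the revert dropped the EC-era `EVP_PKEY_free`/`EC_KEY_free`/`BIO_free` calls without restoring RSA equivalents. Add `RSA_free(rsa);` at the top of the `if (!bio)` branch, and `BIO_free(bio);` followed by `RSA_free(rsa);` at the top of the write-failure branch, before the Log call in each. The function continues outside the hunk, so the success-path `BIO_free(bio)` is not visible here.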
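Review bot: The return value of `EVP_PKEY_assign_RSA(key, rsa)` added in the second hunk is ignored; if the call fails, `key` stays empty and never takes ownership of `rsa`, yet the code that follows uses `key` as if it held the generated key, and `rsa` leaks. The same unchecked call is added in the last hunk of CreateCertIcingaCA (`EVP_PKEY_assign_RSA(privkey, rsa)`). Handling it like the other failures in this function, `if (!EVP_PKEY_assign_RSA(key, rsa)) { RSA_free(rsa); EVP_PKEY_free(key); /* log and BOOST_THROW_EXCEPTION as above */ }`, keeps the error handling consistent; `EVP_PKEY_new()` can also return NULL and deserves the same check. On success the assignment transfers ownership, so `rsa` must not then be freed separately.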
@@ -584,6 +545,8 @@ std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject)
 String cakeyfile = cadir + "/ca.key";
+ RSA *rsa;
+
 BIO *cakeybio = BIO_new_file(const_cast(cakeyfile.CStr()), "r");
 if (!cakeybio) {
@@ -592,11 +555,11 @@ std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject)
 return std::shared_ptr();
 }
- EVP_PKEY *privkey = PEM_read_bio_PrivateKey(cakeybio, nullptr, nullptr, nullptr);
+ rsa = PEM_read_bio_RSAPrivateKey(cakeybio, nullptr, nullptr, nullptr);
- if (!privkey) {
+ if (!rsa) {
 Log(LogCritical, "SSL")
- << "Could not read private key from CA key file '" << cakeyfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+ << "Could not read RSA key from CA key file '" << cakeyfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
 return std::shared_ptr();
 }
@@ -606,6 +569,9 @@ std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject)
 std::shared_ptr cacert = GetX509Certificate(cacertfile);
+ EVP_PKEY *privkey = EVP_PKEY_new();
+ EVP_PKEY_assign_RSA(privkey, rsa);
+
 return CreateCert(pubkey, subject, X509_get_subject_name(cacert.get()), privkey, false);
 }
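Review bot: The `RSA *rsa;` added in the first hunk is an uninitialised pointer declared a dozen lines before its only assignment in the second hunk; nothing visible reads it in between, but the split invites exactly that kind of bug later. Declare it at first use instead, `RSA *rsa = PEM_read_bio_RSAPrivateKey(cakeybio, nullptr, nullptr, nullptr);`, and drop the earlier declaration. Note also that `PEM_read_bio_RSAPrivateKey` only accepts an RSA-encoded PEM, so any ca.key that the reverted commit wrote as an EC key will now fail here with "Could not read RSA key" and no further hint; whether such keys exist in real deployments I cannot tell from the diff, so a line in the release notes may be enough.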