From 2019ff9752f33c463c1016a8102f84871232c100 Mon Sep 17 00:00:00 2001
From: Timothy Legge
Date: Sun, 25 Jun 2023 17:10:28 -0300
Subject: [PATCH 1/2] More updates for openssl versions

---
 Makefile.PL | 2 +-
 SignCSR.xs | 34 +++++++++++++++++++++-------------
 lib/Crypt/OpenSSL/SignCSR.pm | 2 +-
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/Makefile.PL b/Makefile.PL
index 2b581bb..6152101 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -81,7 +81,7 @@ my %WriteMakefileArgs = (
 "File::Slurper" => "0.012",
 "File::Which" => 0
 },
- "VERSION" => "0.04",
+ "VERSION" => "0.05",
 "test" => {
 "TESTS" => "t/*.t"
 }
diff --git a/SignCSR.xs b/SignCSR.xs
index 1251687..8d7b8e5 100644
--- a/SignCSR.xs
+++ b/SignCSR.xs
@@ -31,7 +31,7 @@
 # define SERIAL_RAND_BITS 159
 BIO *bio_err;
-#if OPENSSL_API_COMPAT >= 30000
+#if OPENSSL_API_COMPAT >= 30101
 OSSL_LIB_CTX *libctx = NULL;
 #endif
 static const char *propq = NULL;
@@ -77,14 +77,22 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
 if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
 return 0;
 } else {
+#if OPENSSL_API_COMPAT >= 10100
 if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate))
+#else
+ if (!ASN1_TIME_set_string(X509_getm_notBefore(x), startdate))
+#endif
 return 0;
 }
 if (enddate == NULL) {
 if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL) == NULL)
 return 0;
+#if OPENSSL_API_COMPAT >= 10100
 } else if (!ASN1_TIME_set_string_X509(X509_getm_notAfter(x), enddate)) {
+#else
+ } else if (!ASN1_TIME_set_string(X509_getm_notAfter(x), enddate)) {
+#endif
 return 0;
 }
 return 1;
@@ -167,10 +175,10 @@ int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vf
 int rv = 0;
 if (do_x509_req_init(x, vfyopts) > 0){
-#if OPENSSL_API_COMPAT <= 10100
- rv = X509_REQ_verify(x, pkey);
-#else
+#if OPENSSL_API_COMPAT >= 30101
 rv = X509_REQ_verify_ex(x, pkey, libctx, propq);
+#else
+ rv = X509_REQ_verify(x, pkey);
 #endif
 } else
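Review bot: The new `#if OPENSSL_API_COMPAT >= 30101` gate around `libctx` keys on a macro that the application sets to choose an API compatibility level, not on the version of the OpenSSL headers being compiled against; the version macros are `OPENSSL_VERSION_NUMBER` and, on 3.x, `OPENSSL_VERSION_MAJOR`/`OPENSSL_VERSION_MINOR`. Nothing in this patch defines it (the Makefile.PL hunk only bumps the version), and an undefined identifier evaluates to 0 in `#if`, so unless it is set elsewhere (e.g. a `DEFINE` in Makefile.PL outside the hunk) every 3.x branch in the series is compiled out and a 3.x build silently falls back to the legacy calls with no library context or property query. I would gate on the header version instead, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` here and `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` for the `ASN1_TIME_set_string_X509` branches, and add a one-line comment above `libctx` naming the release each branch targets. The same applies to the @@ -77 and @@ -167 hunks below and to every `OPENSSL_API_COMPAT` test in the second patch; as far as I know `X509_REQ_verify_ex`, `X509_new_ex` and `EVP_DigestSignInit_ex` exist since 3.0, so a threshold of 30101 also excludes a build that sets the macro to 30000.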
@@ -248,14 +256,14 @@ unsigned long get_nameopt(void)
 nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT;
 }
-#if OPENSSL_API_COMPAT >= 30000
+#if OPENSSL_API_COMPAT >= 30101
 static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts)
 #else
 static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
 #endif
 {
 EVP_PKEY_CTX *pkctx = NULL;
-#if OPENSSL_API_COMPAT >= 30000
+#if OPENSSL_API_COMPAT >= 30101
 char def_md[80];
 #else
 int def_nid;
@@ -267,7 +275,7 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK
 * EVP_PKEY_get_default_digest_name() returns 2 if the digest is mandatory
 * for this algorithm.
 */
-#if OPENSSL_API_COMPAT >= 30000
+#if OPENSSL_API_COMPAT >= 30101
 if (EVP_PKEY_get_default_digest_name(pkey, def_md, sizeof(def_md)) == 2 && strcmp(def_md, "UNDEF") == 0) {
 #else
@@ -278,7 +286,7 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK
 md = NULL;
 }
-#if OPENSSL_API_COMPAT >= 30000
+#if OPENSSL_API_COMPAT >= 30101
 int val = EVP_DigestSignInit_ex(ctx, &pkctx, md, libctx, propq, pkey, NULL);
 #else
@@ -435,10 +443,10 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 // Create a new certificate store
 X509 * x;
-#if OPENSSL_API_COMPAT <= 10100
- if ((x = X509_new()) == NULL)
-#else
+#if OPENSSL_API_COMPAT >= 30101
 if ((x = X509_new_ex(libctx, propq)) == NULL)
+#else
+ if ((x = X509_new()) == NULL)
 #endif
 croak("X509_new_ex failed ...\n");
@@ -506,7 +514,7 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 croak("X509_set_version cannot set version 3\n");
 // Get digestname parameter - verify that it is valid
-#if OPENSSL_API_COMPAT >= 30300
+#if OPENSSL_API_COMPAT >= 30101
 const EVP_MD *dgst;
 #else
 EVP_MD * md;
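Review bot: The two `do_sign_init` prototypes in this hunk give `md` different types (`const char *` versus `const EVP_MD *`) and nothing at the definition says why; the >= 30101 body hands `md` straight to `EVP_DigestSignInit_ex(ctx, &pkctx, md, libctx, propq, pkey, NULL)`, which takes a digest name and resolves it through `libctx`/`propq`, whereas the legacy body (outside this hunk) expects a digest the caller already looked up. I would put a short comment above the first `#if`: `/* OpenSSL 3.x: md is a digest name, fetched via libctx/propq inside EVP_DigestSignInit_ex; older releases: md is an EVP_MD the caller resolved */`. The `def_md[80]` buffer is fine as written since its size is passed to `EVP_PKEY_get_default_digest_name`. The function continues past the end of this hunk.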
@@ -522,7 +530,7 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 mctx = EVP_MD_CTX_new();
 // Sign the new certificate
-#if OPENSSL_API_COMPAT >= 30000
+#if OPENSSL_API_COMPAT >= 30101
 if (mctx != NULL && do_sign_init(mctx, private_key, digestname, NULL /*sigopts*/) > 0)
 #else
 if (mctx != NULL && do_sign_init(mctx, private_key, md, NULL /*sigopts*/) > 0)
diff --git a/lib/Crypt/OpenSSL/SignCSR.pm b/lib/Crypt/OpenSSL/SignCSR.pm
index f745c60..cb1220b 100644
--- a/lib/Crypt/OpenSSL/SignCSR.pm
+++ b/lib/Crypt/OpenSSL/SignCSR.pm
@@ -7,7 +7,7 @@ use warnings;
 require Exporter;
-our $VERSION = "0.04";
+our $VERSION = "0.05";
 our @ISA = qw(Exporter);

From 12c800f2b42e8954fe61244a6158e0e91a1924ec Mon Sep 17 00:00:00 2001
From: Timothy Legge
Date: Sun, 25 Jun 2023 22:26:20 -0300
Subject: [PATCH 2/2] ssl3

---
 SignCSR.xs | 43 ++++++++++++++++++++-----------------------
 1 file changed, 20 insertions(+), 23 deletions(-)

diff --git a/SignCSR.xs b/SignCSR.xs
index 8d7b8e5..5290231 100644
--- a/SignCSR.xs
+++ b/SignCSR.xs
@@ -33,8 +33,8 @@ BIO *bio_err;
 #if OPENSSL_API_COMPAT >= 30101
 OSSL_LIB_CTX *libctx = NULL;
-#endif
 static const char *propq = NULL;
+#endif
 static unsigned long nmflag = 0;
 static char nmflag_set = 0;
@@ -77,7 +77,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
 if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
 return 0;
 } else {
-#if OPENSSL_API_COMPAT >= 10100
+#if OPENSSL_API_COMPAT >= 10101
 if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate))
 #else
 if (!ASN1_TIME_set_string(X509_getm_notBefore(x), startdate))
@@ -147,21 +147,21 @@ int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey)
 static int do_x509_req_init(X509_REQ *x, STACK_OF(OPENSSL_STRING) *opts)
 {
- int i;
+ //int i;
 opts = NULL;
 if (opts == NULL)
 return 1;
- for (i = 0; i < sk_OPENSSL_STRING_num(opts); i++) {
- char *opt = sk_OPENSSL_STRING_value(opts, i);
+ //for (i = 0; i < sk_OPENSSL_STRING_num(opts); i++) {
+ // char *opt = sk_OPENSSL_STRING_value(opts, i);
- //if (x509_req_ctrl_string(x, opt) <= 0) {
- // croak("parameter error "); //$, n", opt);
- // ERR_print_errors(bio_err);
- // return 0;
- //}
- }
+ // if (x509_req_ctrl_string(x, opt) <= 0) {
+ // croak("parameter error "); //$, n", opt);
+ // ERR_print_errors(bio_err);
+ // return 0;
+ // }
+ //}
 return 1;
 }
@@ -379,10 +379,8 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 IV text;
 PREINIT:
- char * req;
- char *name;
 EVP_MD_CTX *mctx;
- STACK_OF(OPENSSL_STRING) *sigopts;
+ STACK_OF(OPENSSL_STRING) *sigopts = NULL;
 CODE:
@@ -395,7 +393,6 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 unsigned char* request;
 //BIO *bio;
 BIO *csrbio;
- BIO *finbio;
 char * digestname;
 STRLEN digestname_length;
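Review bot: `opts = NULL;` on the first line of `do_x509_req_init`'s body overwrites the caller's argument before the `if (opts == NULL)` test, so the function now returns 1 unconditionally and the `vfyopts` that `do_X509_REQ_verify` forwards to it (first patch, @@ -167) are silently discarded, while the option loop survives only as commented-out code. If request ctrl-string options are intentionally unsupported for now, say so and drop the dead block: `/* x509_req_ctrl_string options are not supported yet; every option is ignored */`, `(void)x; (void)opts;`, `return 1;`. Leaving the disabled loop in as comments reads like a toggle that was left off, and the next reader cannot tell whether ignoring the options is a decision or an omission.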
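Review bot: `STACK_OF(OPENSSL_STRING) *sigopts = NULL;` in PREINIT carries the same name as the sixth XSUB parameter `sigopts`, and no INPUT line in view converts the Perl argument into it, so the `sigopts` that the @@ -531 hunk of this patch now passes to `do_sign_init` in place of `NULL /*sigopts*/` is still always NULL; the change makes it look as though caller-supplied signature options are honoured when nothing arrives from Perl. Unless an INPUT conversion outside this hunk populates it, I would either keep the literal `NULL` with its comment at both call sites or add above the PREINIT line `/* TODO: sigopts is not yet read from the Perl argument of the same name; always NULL */`. Removing `req`, `name` and `finbio` looks right, as nothing in view uses them.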
@@ -464,13 +461,13 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 croak("X509_set_pubkey cannot set public key\n");
 // FIXME need to look at this
- for (int i = X509_get_ext_count(x) - 1; i >= 0; i--) {
- X509_EXTENSION *ex = X509_get_ext(x, i);
- const char *sn = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ex)));
+ //for (int i = X509_get_ext_count(x) - 1; i >= 0; i--) {
+ // X509_EXTENSION *ex = X509_get_ext(x, i);
+ // const char *sn = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ex)));
- //if (clrext || (ext_names != NULL && strstr(ext_names, sn) == NULL))
- // X509_EXTENSION_free(X509_delete_ext(x, i));
- }
+ // if (clrext || (ext_names != NULL && strstr(ext_names, sn) == NULL))
+ // X509_EXTENSION_free(X509_delete_ext(x, i));
+ //}
 // FIXME - this may need to change to support signing by different certificates
 if (private_key != NULL && !cert_matches_key(x, private_key))
@@ -531,9 +528,9 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts)
 // Sign the new certificate
 #if OPENSSL_API_COMPAT >= 30101
- if (mctx != NULL && do_sign_init(mctx, private_key, digestname, NULL /*sigopts*/) > 0)
+ if (mctx != NULL && do_sign_init(mctx, private_key, digestname, sigopts) > 0)
 #else
- if (mctx != NULL && do_sign_init(mctx, private_key, md, NULL /*sigopts*/) > 0)
+ if (mctx != NULL && do_sign_init(mctx, private_key, md, sigopts) > 0)
 #endif
 rv = (X509_sign_ctx(x, mctx) > 0);
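Review bot: The extension loop under `// FIXME need to look at this` is commented out wholesale rather than removed, and nothing replaces it; in the OpenSSL `x509` code this walk over `X509_get_ext_count(x)` is where requester-supplied extensions get dropped (the `clrext` / `ext_names` the commented lines still mention, neither of which is declared anywhere in view), so from here on whatever extensions `x` carries are signed exactly as they are. Whether the request's extensions are ever copied into `x` is not visible in this hunk, but if they are, the issuer has no control over fields such as basicConstraints or keyUsage in the certificates it issues, and that is a policy decision that should be written down rather than left as a FIXME. I would delete the dead lines and record the decision in their place, `/* Extensions are signed as found on x; no issuer-side filtering (clrext/ext_names) is implemented yet */`, or, if filtering is wanted, reinstate the loop with a real flag instead of the undeclared names. `sign` continues outside this hunk on both sides.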