From 053f654ab84091ec7780b0b46f9b38a37bad5bb7 Mon Sep 17 00:00:00 2001 From: Ben Toews Date: Fri, 9 Jun 2017 08:45:40 -0600 Subject: [PATCH] simplify self signed cert --- SelfSignedCertificate/SelfSignedCertificate.m | 120 ++++++++---------- SelfSignedCertificate/public.h | 5 +- SoftU2FTool/U2FAuthenticator.swift | 6 +- 3 files changed, 57 insertions(+), 74 deletions(-) diff --git a/SelfSignedCertificate/SelfSignedCertificate.m b/SelfSignedCertificate/SelfSignedCertificate.m index 7e1fb24..5108770 100644 --- a/SelfSignedCertificate/SelfSignedCertificate.m +++ b/SelfSignedCertificate/SelfSignedCertificate.m @@ -6,8 +6,6 @@ // Copyright © 2017 GitHub, inc. All rights reserved. // -// http://opensource.apple.com/source/OpenSSL/OpenSSL-22/openssl/demos/x509/mkcert.c - #import "private.h" #import "public.h" @@ -44,109 +42,97 @@ const int priv_len = 121; const int cert_len = 281; -@implementation SelfSignedCertificate { - EVP_PKEY *pkey; - X509 *x509; -} - -- (id)init { - self = [super init]; - if (self) { - if ([self generateKeyPair] && [self generateX509]) { - printf("SelfSignedCertificate initialized\n"); - } else { - printf("Error initializing SelfSignedCertificate\n"); - } - } - return self; -} +@implementation SelfSignedCertificate {} -- (int)generateX509 { - self->x509 = d2i_X509(NULL, &cert, cert_len); - if (self->x509 == NULL) { ++ (NSData *)toDer { + int len; + unsigned char *buf; + X509 *x509; + + x509 = d2i_X509(NULL, &cert, cert_len); + if (x509 == NULL) { printf("failed to parse cert\n"); - return 0; + return nil; } - return 1; + buf = NULL; + len = i2d_X509(x509, &buf); + if (len < 0) { + printf("failed to export cert\n"); + X509_free(x509); + return nil; + } + + X509_free(x509); + + return [[NSData alloc] initWithBytes:buf length:len]; } -- (int)generateKeyPair { - EC_KEY *ec = d2i_ECPrivateKey(NULL, &priv, priv_len); ++ (NSData *)signData:(NSData *)msg { + EVP_MD_CTX ctx; + const unsigned char *cmsg = (const unsigned char *)[msg bytes]; + unsigned char *sig; + unsigned int len; + EC_KEY *ec; + EVP_PKEY *pkey; + + ec = d2i_ECPrivateKey(NULL, &priv, priv_len); if (ec == NULL) { printf("error importing private key\n"); - return 0; + return nil; } - + if (EC_KEY_check_key(ec) != 1) { printf("error checking key\n"); EC_KEY_free(ec); - return 0; + return nil; } - - self->pkey = EVP_PKEY_new(); - if (self->pkey == NULL) { + + pkey = EVP_PKEY_new(); + if (pkey == NULL) { printf("failed to init pkey\n"); EC_KEY_free(ec); - return 0; + return nil; } - if (EVP_PKEY_assign_EC_KEY(self->pkey, ec) != 1) { + if (EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) { printf("failed to assing ec to pkey\n"); EC_KEY_free(ec); - EVP_PKEY_free(self->pkey); - self->pkey = NULL; - return 0; + EVP_PKEY_free(pkey); + return nil; } - - return 1; -} - -- (NSData *)toDer { - unsigned char *buf = NULL; - unsigned int len = i2d_X509(self->x509, &buf); - return [[NSData alloc] initWithBytes:buf length:len]; -} - -- (NSData *)signData:(NSData *)msg { - EVP_MD_CTX ctx; - const unsigned char *cmsg = (const unsigned char *)[msg bytes]; - unsigned char *sig = (unsigned char *)malloc(EVP_PKEY_size(self->pkey)); - unsigned int len; + + // `ec` memory is managed by `pkey` from here. if (EVP_SignInit(&ctx, EVP_sha256()) != 1) { - free(sig); printf("failed to init signing context\n"); + EVP_PKEY_free(pkey); return nil; }; if (EVP_SignUpdate(&ctx, cmsg, (unsigned int)[msg length]) != 1) { - free(sig); printf("failed to update digest\n"); + EVP_PKEY_free(pkey); + return nil; + } + + sig = (unsigned char *)malloc(EVP_PKEY_size(pkey)); + if (sig == NULL) { + printf("failed to malloc for sig\n"); + EVP_PKEY_free(pkey); return nil; } - if (EVP_SignFinal(&ctx, sig, &len, self->pkey) != 1) { - free(sig); + if (EVP_SignFinal(&ctx, sig, &len, pkey) != 1) { printf("failed to finalize digest\n"); + free(sig); + EVP_PKEY_free(pkey); return nil; } return [[NSData alloc] initWithBytes:sig length:len]; } -- (void)dealloc { - if (self->x509 != NULL) { - X509_free(self->x509); - self->x509 = NULL; - } - - if (self->pkey != NULL) { - EVP_PKEY_free(self->pkey); - self->pkey = NULL; - } -} - + (bool)parseX509:(NSData *)data consumed:(NSInteger *)consumed; { X509 *crt = NULL; diff --git a/SelfSignedCertificate/public.h b/SelfSignedCertificate/public.h index 545af3f..33d02ba 100644 --- a/SelfSignedCertificate/public.h +++ b/SelfSignedCertificate/public.h @@ -13,9 +13,8 @@ @interface SelfSignedCertificate : NSObject -- (id)init; -- (NSData *)toDer; -- (NSData *)signData:(NSData *)msg; ++ (NSData *)toDer; ++ (NSData *)signData:(NSData *)msg; + (bool)parseX509:(NSData *)data consumed:(NSInteger *)consumed; @end diff --git a/SoftU2FTool/U2FAuthenticator.swift b/SoftU2FTool/U2FAuthenticator.swift index 9f1ce3d..b360b20 100644 --- a/SoftU2FTool/U2FAuthenticator.swift +++ b/SoftU2FTool/U2FAuthenticator.swift @@ -26,8 +26,6 @@ class U2FAuthenticator { return ua.stop() } - let certificate = SelfSignedCertificate()! - init?() { guard let uh: U2FHID = U2FHID.shared else { return nil } @@ -103,13 +101,13 @@ class U2FAuthenticator { sigPayload.append(reg.keyHandle) sigPayload.append(publicKey) - guard let sig = self.certificate.sign(sigPayload) else { + guard let sig = SelfSignedCertificate.sign(sigPayload) else { print("Error signing with certificate") self.sendError(status: .OtherError, cid: cid) return } - let resp = RegisterResponse(publicKey: publicKey, keyHandle: reg.keyHandle, certificate: self.certificate.toDer(), signature: sig) + let resp = RegisterResponse(publicKey: publicKey, keyHandle: reg.keyHandle, certificate: SelfSignedCertificate.toDer(), signature: sig) self.sendMsg(msg: resp, cid: cid) }