From 63d58359b73197d9943db27056ad9a35bd142ff1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Sim=C3=B5es?= Date: Thu, 18 Jul 2019 13:27:42 +0100 Subject: [PATCH] Add support for X509Certificate2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Rework several functions to accept private key and password. - Add new function to parse private keys. - Add and update stubs accordingly. - Rework SslNative::InitHelper accordingly. - Update CMakes as required. - Update declaration or System.Net assembly. Signed-off-by: José Simões --- CMake/Modules/FindNF_Networking.cmake | 1 + CMake/Modules/FindSystem.Net.cmake | 1 + .../System.Net/sys_net_native.cpp | 19 +++- .../System.Net/sys_net_native.h | 20 ++++ ...t_native_System_Net_Security_SslNative.cpp | 45 ++++----- ...aphy_X509Certificates_X509Certificate2.cpp | 38 ++++++++ src/PAL/COM/sockets/Sockets_debugger.cpp | 2 +- src/PAL/COM/sockets/ssl/mbedTLS/mbedtls.h | 1 + .../ssl_decode_private_key_internal.cpp | 40 ++++++++ .../ssl/mbedTLS/ssl_exit_context_internal.cpp | 4 +- .../ssl/mbedTLS/ssl_generic_init_internal.cpp | 91 +++++++++++++------ .../ssl_decode_private_key_internal.cpp | 26 ++++++ .../ssl/openssl/ssl_generic_init_internal.cpp | 18 +++- src/PAL/COM/sockets/ssl/ssl.cpp | 29 ++++-- src/PAL/COM/sockets/ssl/ssl_functions.h | 3 +- src/PAL/COM/sockets/ssl/ssl_stubs.cpp | 24 ++++- src/PAL/Include/nanoPAL_Sockets.h | 5 +- .../TI-SimpleLink/common/ssl_simplelink.cpp | 33 ++++++- 18 files changed, 322 insertions(+), 78 deletions(-) create mode 100644 src/DeviceInterfaces/System.Net/sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2.cpp create mode 100644 src/PAL/COM/sockets/ssl/mbedTLS/ssl_decode_private_key_internal.cpp create mode 100644 src/PAL/COM/sockets/ssl/openssl/ssl_decode_private_key_internal.cpp diff --git a/CMake/Modules/FindNF_Networking.cmake b/CMake/Modules/FindNF_Networking.cmake index 865a14127a..bf57bb8f40 100644 
--- a/CMake/Modules/FindNF_Networking.cmake +++ b/CMake/Modules/FindNF_Networking.cmake @@ -36,6 +36,7 @@ set(NF_Networking_Security_SRCS ssl_add_cert_auth_internal.cpp ssl_closesocket_internal.cpp ssl_connect_internal.cpp + ssl_decode_private_key_internal.cpp ssl_exit_context_internal.cpp ssl_generic.cpp ssl_generic_init_internal.cpp diff --git a/CMake/Modules/FindSystem.Net.cmake b/CMake/Modules/FindSystem.Net.cmake index b8bf39f2e2..de99207039 100644 --- a/CMake/Modules/FindSystem.Net.cmake +++ b/CMake/Modules/FindSystem.Net.cmake @@ -20,6 +20,7 @@ set(System.Net_SRCS # System.Security.Cryptography.X509Certificates sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate.cpp + sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2.cpp # System.Net.Security sys_net_native_System_Net_Security_SslNative.cpp diff --git a/src/DeviceInterfaces/System.Net/sys_net_native.cpp b/src/DeviceInterfaces/System.Net/sys_net_native.cpp index 9ca9506ffd..8b6c2248bf 100644 --- a/src/DeviceInterfaces/System.Net/sys_net_native.cpp +++ b/src/DeviceInterfaces/System.Net/sys_net_native.cpp @@ -237,12 +237,25 @@ static const CLR_RT_MethodHandler method_lookup[] = NULL, NULL, Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate::ParseCertificate___STATIC__VOID__SZARRAY_U1__STRING__BYREF_STRING__BYREF_STRING__BYREF_mscorlibSystemDateTime__BYREF_mscorlibSystemDateTime, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2::DecodePrivateKeyNative___STATIC__VOID__SZARRAY_U1__STRING, }; const CLR_RT_NativeAssemblyData g_CLR_AssemblyNative_System_Net = { "System.Net", - 0x3AD3B5E6, - method_lookup, - { 100, 1, 1, 0 } + 0x7721D4BC, + method_lookup, + { 100, 1, 2, 0 } }; 
diff --git a/src/DeviceInterfaces/System.Net/sys_net_native.h b/src/DeviceInterfaces/System.Net/sys_net_native.h index 39927a143b..0ef414d137 100644 --- a/src/DeviceInterfaces/System.Net/sys_net_native.h +++ b/src/DeviceInterfaces/System.Net/sys_net_native.h @@ -256,6 +256,16 @@ struct Library_sys_net_native_System_Net_Sockets_SocketException }; +struct Library_sys_net_native_System_Security_Cryptography_AsymmetricAlgorithm +{ + static const int FIELD___keySizeValue = 1; + static const int FIELD___keyPairValue = 2; + + + //--// + +}; + struct Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate { static const int FIELD___certificate = 1; @@ -273,6 +283,16 @@ struct Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509 }; +struct Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2 +{ + static const int FIELD___privateKey = 9; + + NANOCLR_NATIVE_DECLARE(DecodePrivateKeyNative___STATIC__VOID__SZARRAY_U1__STRING); + + //--// + +}; + extern const CLR_RT_NativeAssemblyData g_CLR_AssemblyNative_System_Net; #endif //_SYS_NET_NATIVE_H_ diff --git a/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp b/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp index 1918541c61..74cdb0af2d 100644 --- a/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp +++ b/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp 
@@ -457,16 +457,20 @@ HRESULT Library_sys_net_native_System_Net_Security_SslNative::InitHelper( CLR_RT NATIVE_PROFILE_CLR_NETWORK(); NANOCLR_HEADER(); + CLR_RT_TypeDef_Index x509Certificate2TypeDef; + CLR_INT32 sslContext = -1; CLR_INT32 sslMode = stack.Arg0().NumericByRef().s4; CLR_INT32 sslVerify = stack.Arg1().NumericByRef().s4; CLR_RT_HeapBlock *hbCert = stack.Arg2().Dereference(); CLR_RT_HeapBlock* caCert = stack.Arg3().Dereference(); CLR_RT_HeapBlock_Array* arrCert = NULL; + CLR_RT_HeapBlock_Array* privateKey = NULL; CLR_UINT8* sslCert = NULL; int result; bool isFirstCall = false; - const char * szPwd = ""; + const char * password = ""; + uint8_t* pk = NULL; if(!g_SSL_SeedData.Initialized) { 
@@ -511,45 +515,36 @@ HRESULT Library_sys_net_native_System_Net_Security_SslNative::InitHelper( CLR_RT if(hbCert != NULL) { + g_CLR_RT_TypeSystem.FindTypeDef( "X509Certificate2", "System.Security.Cryptography.X509Certificates", x509Certificate2TypeDef ); + arrCert = hbCert[ Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate::FIELD___certificate ].DereferenceArray(); //FAULT_ON_NULL(arrCert); + arrCert->Pin(); - // If arrCert == NULL then the certificate is an X509Certificate2 which uses a certificate handle - if(arrCert == NULL) + // there is a client certificate, find if it's a X509Certificate2 + if(hbCert->ObjectCls().Type() == x509Certificate2TypeDef.Type()) { - arrCert = hbCert[ Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate::FIELD___handle ].DereferenceArray(); FAULT_ON_NULL(arrCert); - - // pass the certificate handle as the cert data parameter - sslCert = arrCert->GetFirstElement(); - - arrCert = hbCert[ Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate::FIELD___sessionHandle ].DereferenceArray(); FAULT_ON_NULL(arrCert); - - // pass the session handle as the ssl context parameter - sslContext = *(int32_t*)arrCert->GetFirstElement(); - - // the certificate has already been loaded so just pass an empty string - szPwd = ""; + // get private key + privateKey = hbCert[ Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2::FIELD___privateKey ].DereferenceArray(); + pk = privateKey->GetFirstElement(); } - else - { - arrCert->Pin(); - - sslCert = arrCert->GetFirstElement(); - CLR_RT_HeapBlock *hbPwd = hbCert[ Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate::FIELD___password ].Dereference();// FAULT_ON_NULL(hbPwd); + // get certificate + sslCert = arrCert->GetFirstElement(); - szPwd = hbPwd->StringText(); - } + // get password + CLR_RT_HeapBlock *hbPwd = hbCert[ 
Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate::FIELD___password ].Dereference();// FAULT_ON_NULL(hbPwd); + password = hbPwd->StringText(); } SSL_RegisterTimeCallback( Time_GetDateTime ); if(isServer) { - result = (SSL_ServerInit( sslMode, sslVerify, (const char*)sslCert, sslCert == NULL ? 0 : arrCert->m_numOfElements, szPwd, sslContext ) ? 0 : -1); + result = (SSL_ServerInit( sslMode, sslVerify, (const char*)sslCert, sslCert == NULL ? 0 : arrCert->m_numOfElements, pk, pk == NULL ? 0 : privateKey->m_numOfElements, password, hal_strlen_s(password), sslContext ) ? 0 : -1); } else { - result = (SSL_ClientInit( sslMode, sslVerify, (const char*)sslCert, sslCert == NULL ? 0 : arrCert->m_numOfElements, szPwd, sslContext ) ? 0 : -1); + result = (SSL_ClientInit( sslMode, sslVerify, (const char*)sslCert, sslCert == NULL ? 0 : arrCert->m_numOfElements, pk, pk == NULL ? 0 : privateKey->m_numOfElements, password, hal_strlen_s(password), sslContext ) ? 0 : -1); } NANOCLR_CHECK_HRESULT(ThrowOnError( stack, result )); diff --git a/src/DeviceInterfaces/System.Net/sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2.cpp b/src/DeviceInterfaces/System.Net/sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2.cpp new file mode 100644 index 0000000000..9eaa5df987 --- /dev/null +++ b/src/DeviceInterfaces/System.Net/sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2.cpp 
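Review bot: `arrCert->Pin()` now runs directly on the result of `DereferenceArray()` with `FAULT_ON_NULL(arrCert)` still commented out, so a certificate object whose `_certificate` field is null dereferences NULL inside the CLR — the old `arrCert == NULL` branch was the only guard and this hunk removes it. The same applies to `privateKey`: `privateKey->GetFirstElement()` runs with no check, and an X509Certificate2 that carries no private key is a legitimate managed object, so the hunk needs `FAULT_ON_NULL(arrCert);` before the `Pin()` and `FAULT_ON_NULL(privateKey);` after its `DereferenceArray()`. `g_CLR_RT_TypeSystem.FindTypeDef(...)` is also called without checking its result; if it reports failure, `x509Certificate2TypeDef` (declared without an initializer in the previous hunk) is compared while uninitialized, so the lookup should bail out, e.g. `if(!g_CLR_RT_TypeSystem.FindTypeDef( "X509Certificate2", "System.Security.Cryptography.X509Certificates", x509Certificate2TypeDef )) NANOCLR_SET_AND_LEAVE(CLR_E_INVALID_PARAMETER);`. InitHelper starts before this hunk and continues after it.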
@@ -0,0 +1,38 @@
+//
+// Copyright (c) 2019 The nanoFramework project contributors
+// Portions Copyright (c) Microsoft Corporation. All rights reserved.
+// See LICENSE file in the project root for full license information.
+//
+
+#include "sys_net_native.h"
+
+typedef Library_sys_net_native_System_Security_Cryptography_AsymmetricAlgorithm asymmetricAlgorithmType;
+
+HRESULT Library_sys_net_native_System_Security_Cryptography_X509Certificates_X509Certificate2::DecodePrivateKeyNative___STATIC__VOID__SZARRAY_U1__STRING( CLR_RT_StackFrame& stack )
+{
+ NATIVE_PROFILE_CLR_NETWORK();
+ NANOCLR_HEADER();
+
+ CLR_RT_HeapBlock_Array* keyData = stack.Arg0().DereferenceArray();
+ CLR_UINT8* keyBuffer;
+ CLR_RT_HeapBlock* passwordHb = stack.Arg1().DereferenceString();
+ const char* password;
+
+ // get key buffer
+ keyBuffer = keyData->GetFirstElement();
+
+ // manage password
+ FAULT_ON_NULL_ARG(passwordHb);
+ password = passwordHb->StringText();
+
+ if(SSL_DecodePrivateKey(
+ (const unsigned char*)keyBuffer,
+ keyData->m_numOfElements,
+ (const unsigned char*)password,
+ hal_strlen_s(password)) < 0)
+ {
+ NANOCLR_SET_AND_LEAVE(CLR_E_INVALID_PARAMETER);
+ }
+
+ NANOCLR_NOCLEANUP();
+}
diff --git a/src/PAL/COM/sockets/Sockets_debugger.cpp b/src/PAL/COM/sockets/Sockets_debugger.cpp
index a610d0b893..90ea61481e 100644
--- a/src/PAL/COM/sockets/Sockets_debugger.cpp
+++ b/src/PAL/COM/sockets/Sockets_debugger.cpp
@@ -395,7 +395,7 @@ bool Sockets_LWIP_Driver::UpgradeToSsl( int ComPortNum, const int8_t* pCACert, u if(g_Sockets_LWIP_Driver.m_usingSSL) return TRUE;
 // TLS only and Verify=Required --> only verify the server
- if(SSL_ClientInit( 0x10, 0x04, (const char*)pDeviceCert, deviceCertLen, NULL, g_DebuggerPort_SslCtx_Handle ))
+ if(SSL_ClientInit( 0x10, 0x04, (const char*)pDeviceCert, deviceCertLen, NULL, 0 , NULL, 0, g_DebuggerPort_SslCtx_Handle ))
 {
 int32_t ret;
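Review bot: `keyData` is dereferenced (`keyData->GetFirstElement()` and `keyData->m_numOfElements`) without a null check, while the password argument right below does get `FAULT_ON_NULL_ARG`; a null byte[] from managed code arrives here as a NULL array, so add `FAULT_ON_NULL_ARG(keyData);` before `// get key buffer`. The `asymmetricAlgorithmType` typedef is not used anywhere in this file. A short comment on the method would help readers: as written it only checks that `SSL_DecodePrivateKey` can parse the bytes with the given password and stores nothing (the mbedTLS backend frees the parsed context before returning), and the key is parsed again from the raw `_privateKey` array when InitHelper calls `SSL_ClientInit`/`SSL_ServerInit`.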
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/mbedtls.h b/src/PAL/COM/sockets/ssl/mbedTLS/mbedtls.h
index d4c9ff3a61..75f164ce90 100644
--- a/src/PAL/COM/sockets/ssl/mbedTLS/mbedtls.h
+++ b/src/PAL/COM/sockets/ssl/mbedTLS/mbedtls.h
@@ -26,6 +26,7 @@ typedef struct mbedTLS_NFContext mbedtls_ssl_context* ssl;
 mbedtls_net_context* server_fd;
 mbedtls_x509_crt* x509_crt;
+ mbedtls_pk_context* pk;
 }mbedTLS_NFContext;
 int net_would_block( const mbedtls_net_context *ctx );
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_decode_private_key_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_decode_private_key_internal.cpp
new file mode 100644
index 0000000000..255aee3b13
--- /dev/null
+++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_decode_private_key_internal.cpp
@@ -0,0 +1,40 @@
+//
+// Copyright (c) 2018 The nanoFramework project contributors
+// Portions Copyright (c) Microsoft Corporation. All rights reserved.
+// See LICENSE file in the project root for full license information.
+//
+
+#include "mbedtls.h"
+
+extern void SSL_GetCertDateTime_internal(DATE_TIME_INFO * dt, mbedtls_x509_time * mt );
+
+int ssl_decode_private_key_internal(
+ const unsigned char *key,
+ size_t keyLength,
+ const unsigned char *password,
+ size_t passwordLength)
+{
+ mbedtls_pk_context pkey;
+
+ int retCode;
+
+ mbedtls_pk_init( &pkey );
+
+ /////////////////////////////////////////////////////////////////////////////////////////////////
+ // developer notes: //
+ // this call parses certificates in both string and binary formats //
+ // when the formart is a string it has to include the terminator otherwise the parse will fail //
+ /////////////////////////////////////////////////////////////////////////////////////////////////
+ retCode = mbedtls_pk_parse_key(
+ &pkey,
+ key,
+ keyLength,
+ password,
+ passwordLength);
+
+
+ // need to free this here
+ mbedtls_pk_free( &pkey );
+
+ return retCode;
+}
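Review bot: The `extern void SSL_GetCertDateTime_internal(...)` declaration is unused in this file and looks copied from the certificate parser, and the developer-notes box still says "this call parses certificates" although the call below it is `mbedtls_pk_parse_key`; drop the extern and reword the box to `// this call parses private keys in both PEM (string) and DER (binary) form` / `// when the key is a PEM string the buffer must include the NUL terminator or the parse fails`. Since the caller passes `keyData->m_numOfElements` as `keyLength`, whether that terminator is present depends on the managed byte[] — worth stating in a function comment so the managed side knows the contract. Calling `mbedtls_pk_free` before returning is right for a validate-only helper, since the parsed key material is not retained; a one-line comment saying so (instead of `// need to free this here`) would make the intent explicit.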
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp
index c0891bfa97..15e8d44588 100644
--- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp
+++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp
@@ -24,7 +24,8 @@ bool ssl_exit_context_internal(int sslContextHandle ) { return FALSE;
 }
-
+
+ mbedtls_pk_free(context->pk);
 mbedtls_net_free(context->server_fd);
 mbedtls_ctr_drbg_free( context->ctr_drbg );
 mbedtls_entropy_free( context->entropy );
@@ -33,6 +34,7 @@ bool ssl_exit_context_internal(int sslContextHandle ) memset(context->ssl, 0, sizeof(mbedtls_ssl_context)); // free memory
+ platform_free(context->pk);
 platform_free(context->server_fd);
 platform_free(context->entropy);
 platform_free(context->ctr_drbg);
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp
index 3f1059b3aa..6331aceef1 100644
--- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp
+++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp
@@ -9,16 +9,26 @@ #include "mbedtls.h"
 #include "mbedtls/debug.h"
-bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certificate,
- int certLength, const char* certPassword, int& sslContextHandle, bool isServer )
+bool ssl_generic_init_internal(
+ int sslMode,
+ int sslVerify,
+ const char* certificate,
+ int certLength,
+ const uint8_t* privateKey,
+ int privateKeyLength,
+ const char* password,
+ int passwordLength,
+ int& sslContextHandle,
+ bool isServer )
 {
 (void)sslMode;
- (void)certPassword;
 int sslContexIndex = -1;
 int authMode = MBEDTLS_SSL_VERIFY_NONE;
 int endpoint = 0;
+ mbedtls_x509_crt* ownCertificate = NULL;
+ // we only have one CA root bundle, so this is fixed to 0 uint32_t configIndex = 0;
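Review bot: `mbedtls_pk_free(context->pk)` and `platform_free(context->pk)` now run unconditionally, but `ssl_generic_init_internal` only allocates `context->pk` when a certificate is passed, so for the common no-client-certificate case both calls see whatever the context held at allocation — safe only if the context is zero-initialised (not visible in this diff) and if `platform_free` tolerates NULL. The neighbouring members are freed without a guard too, but `pk` is the one this commit adds, so guard it the way the error path in `ssl_generic_init_internal` already does: `if(context->pk != NULL) mbedtls_pk_free(context->pk);` in the first hunk and `if(context->pk != NULL) platform_free(context->pk);` in the second. The own certificate that `ssl_generic_init_internal` configures alongside `pk` has no member in the context and so is not released here either; see the note on that hunk.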
@@ -180,32 +190,53 @@ bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certific // parse "own" certificate if passed if(certificate != NULL && certLength > 0) {
- // TODO
- // this isn't required for client authentication
-
- // mbedtls_x509_crt_init( &clicert );
-
- // /////////////////////////////////////////////////////////////////////////////////////////////////
- // // developer notes: //
- // // this call parses certificates in both string and binary formats //
- // // when the formart is a string it has to include the terminator otherwise the parse will fail //
- // /////////////////////////////////////////////////////////////////////////////////////////////////
- // if(mbedtls_x509_crt_parse( &clicert, (const unsigned char*)certificate, certLength ) != 0)
- // {
- // // x509_crt_parse_failed
- // goto error;
- // }
-
- // if( mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key, mbedtls_test_cli_key_len, NULL, 0 ) != 0)
- // {
- // // failed parsing the
- // }
-
- // if( mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) != 0 )
- // {
- // // configuring own certificate failed
- // goto error;
- // }
+ // create and init private key context
+ // this needs to be freed in ssl_exit_context_internal
+ context->pk = (mbedtls_pk_context*)platform_malloc(sizeof(mbedtls_pk_context));
+ if(context->pk == NULL)
+ {
+ goto error;
+ }
+
+ mbedtls_pk_init( context->pk );
+
+ // is there a private key?
+ if(privateKey != NULL && privateKeyLength > 0)
+ {
+
+ if( mbedtls_pk_parse_key(
+ context->pk,
+ privateKey,
+ privateKeyLength,
+ (const unsigned char *)password,
+ passwordLength) < 0)
+ {
+ // private key parse failed
+ goto error;
+ }
+ }
+
+ // parse certificate
+ ownCertificate = (mbedtls_x509_crt*)platform_malloc(sizeof(mbedtls_x509_crt));
+ if(ownCertificate == NULL)
+ {
+ goto error;
+ }
+
+ mbedtls_x509_crt_init( ownCertificate );
+
+ if( mbedtls_x509_crt_parse( ownCertificate, (const unsigned char *) certificate, certLength ) )
+ {
+ // failed parsing own certificate failed
+ goto error;
+ }
+
+ if( mbedtls_ssl_conf_own_cert( context->conf, ownCertificate, context->pk ) )
+ {
+ // configuring own certificate failed
+ goto error;
+ }
+ }
 mbedtls_ssl_conf_ca_chain( context->conf, context->x509_crt, NULL );
@@ -249,6 +280,8 @@ bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certific if(context->ctr_drbg != NULL) platform_free(context->ctr_drbg);
 if(context->server_fd != NULL) platform_free(context->server_fd);
 if(context->x509_crt != NULL) platform_free(context->x509_crt);
+ if(context->pk != NULL) platform_free(context->pk);
+ if(ownCertificate != NULL) mbedtls_x509_crt_free( ownCertificate );
 return FALSE;
 }
diff --git a/src/PAL/COM/sockets/ssl/openssl/ssl_decode_private_key_internal.cpp b/src/PAL/COM/sockets/ssl/openssl/ssl_decode_private_key_internal.cpp
new file mode 100644
index 0000000000..1f76d4dc72
--- /dev/null
+++ b/src/PAL/COM/sockets/ssl/openssl/ssl_decode_private_key_internal.cpp
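Review bot: `ownCertificate` is heap-allocated and handed to `mbedtls_ssl_conf_own_cert`, which only keeps the pointer, but it is never stored in `mbedTLS_NFContext`, so `ssl_exit_context_internal` (which this commit extends to free `pk`) has no way to release it and every context that loads an own certificate leaks it; in the `@@ -249` error-path hunk below, `mbedtls_x509_crt_free( ownCertificate )` is likewise not followed by `platform_free`, and `context->pk` is released with `platform_free` alone, skipping the `mbedtls_pk_free` that the exit path uses and that clears the parsed key material before the memory is returned. Add an `mbedtls_x509_crt* own_cert` member next to `pk` in `mbedtls.h`, set `context->own_cert = ownCertificate` once parsed, free it in `ssl_exit_context_internal`, and rewrite the two error-path lines as below. Whether a certificate passed with no private key (`privateKey == NULL`, leaving `context->pk` initialised but empty) should reach `mbedtls_ssl_conf_own_cert` at all is worth deciding explicitly; presumably it should be rejected here rather than surface as a handshake failure later. ssl_generic_init_internal starts and ends outside this hunk.
```cpp
    // … unchanged: release of ctr_drbg, server_fd, x509_crt …
    if(context->pk != NULL)
    {
        mbedtls_pk_free(context->pk);
        platform_free(context->pk);
        context->pk = NULL;
    }
    if(ownCertificate != NULL)
    {
        mbedtls_x509_crt_free( ownCertificate );
        platform_free( ownCertificate );
    }
    return FALSE;
```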
@@ -0,0 +1,26 @@
+//
+// Copyright (c) 2019 The nanoFramework project contributors
+// Portions Copyright (c) Microsoft Corporation. All rights reserved.
+// See LICENSE file in the project root for full license information.
+//
+
+#include
+#include
+#include
+
+
+// TODO FIXME
+// not implemented
+int ssl_decode_private_key_internal(
+ const unsigned char *key,
+ size_t keyLength,
+ const unsigned char *password,
+ size_t passwordLength)
+{
+ (void)key;
+ (void)keyLength;
+ (void)password;
+ (void)passwordLength;
+
+ return -1;
+}
diff --git a/src/PAL/COM/sockets/ssl/openssl/ssl_generic_init_internal.cpp b/src/PAL/COM/sockets/ssl/openssl/ssl_generic_init_internal.cpp
index 9743be9b25..c55ec53d3e 100644
--- a/src/PAL/COM/sockets/ssl/openssl/ssl_generic_init_internal.cpp
+++ b/src/PAL/COM/sockets/ssl/openssl/ssl_generic_init_internal.cpp
@@ -42,9 +42,21 @@ void ERR_print_errors_fp()
-bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certificate,
- int certLength, const char* certPassword, int& sslContextHandle, bool isServer )
+bool ssl_generic_init_internal(
+ int sslMode,
+ int sslVerify,
+ const char* certificate,
+ int certLength,
+ const uint8_t* privateKey,
+ int privateKeyLength,
+ const char* password,
+ int passwordLength,
+ int& sslContextHandle,
+ bool isServer )
+{
+ (void)privateKeyLength;
+ (void)passwordLength;
+ SSL* ssl = NULL;
 SSL_CTX* ctx = NULL;
 SSL_METHOD* meth = NULL;
@@ -149,7 +161,7 @@ bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certific } else {
- cert_x509 = ssl_parse_certificate((void*)certificate, certLength, certPassword, &pkey);
+ cert_x509 = ssl_parse_certificate((void*)certificate, certLength, password, &pkey);
 if (cert_x509 == NULL || pkey == NULL) {
diff --git a/src/PAL/COM/sockets/ssl/ssl.cpp b/src/PAL/COM/sockets/ssl/ssl.cpp
index 1d515d2325..d03bb1bb1d 100644
--- a/src/PAL/COM/sockets/ssl/ssl.cpp
+++ b/src/PAL/COM/sockets/ssl/ssl.cpp
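Review bot: Returning `-1` from this stub means `DecodePrivateKeyNative`, which maps any negative result to `CLR_E_INVALID_PARAMETER`, rejects every private key on the OpenSSL target, so an X509Certificate2 cannot be constructed there at all; the SimpleLink stub added in the same commit returns `0` for the same situation while the weak `SSL_DecodePrivateKey` stub returns `-1`, so the three disagree on what "not implemented" means. Decide once and state it in the `// TODO FIXME` comment: if an unimplemented decoder must be a hard failure, keep -1 and make SimpleLink match; if the key should pass through unchecked, return 0 here and in the weak stub. The three `#include` lines show no header name in this rendering; if they are really empty in the file the translation unit will not compile.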
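Review bot: `privateKey` is the only new parameter without a `(void)` cast and it is not used in either visible hunk — the `@@ -149` hunk still derives `pkey` from the certificate blob via `ssl_parse_certificate((void*)certificate, certLength, password, &pkey)`, so a separate private key passed by InitHelper for an X509Certificate2 is silently ignored on the OpenSSL backend and the later `pkey == NULL` check fails for a certificate that carries no embedded key. Either add `(void)privateKey;` with a comment that this backend expects the key inside the certificate blob, or feed `privateKey`/`privateKeyLength` into the key parse. The function body continues between and after these hunks.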
@@ -34,10 +34,10 @@ bool SSL_Uninitialize() return retVal; } -static bool SSL_GenericInit( int sslMode, int sslVerify, const char* certificate, int certLength, const char* pwd, int& sslContextHandle, bool isServer ) +static bool SSL_GenericInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle, bool isServer ) { if (!s_init_done) s_init_done=ssl_initialize_internal(); - return ssl_generic_init_internal( sslMode, sslVerify, certificate, certLength, pwd, sslContextHandle, isServer ); + return ssl_generic_init_internal( sslMode, sslVerify, certificate, certLength, privateKey, privateKeyLength, password, passwordLength, sslContextHandle, isServer ); } bool SSL_ParseCertificate( const char* certificate, size_t certLength, const char* password, X509CertData* certData ) 
@@ -49,22 +49,39 @@ bool SSL_ParseCertificate( const char* certificate, size_t certLength, const cha (void*)password, (void*)certData); } +int SSL_DecodePrivateKey( + const unsigned char *key, + size_t keyLength, + const unsigned char *pwd, + size_t pwdLength ) +{ + if (!s_init_done) s_init_done=ssl_initialize_internal(); + + NATIVE_PROFILE_PAL_COM(); + + return ssl_decode_private_key_internal( + key, + keyLength, + pwd, + pwdLength ); +} + void SSL_RegisterTimeCallback(SSL_DATE_TIME_FUNC pfn) { NATIVE_PROFILE_PAL_COM(); g_SSL_Driver.m_pfnGetTimeFuncPtr = pfn; } -bool SSL_ServerInit( int sslMode, int sslVerify, const char* certificate, int certLength, const char* certPassword, int& sslContextHandle ) +bool SSL_ServerInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ) { NATIVE_PROFILE_PAL_COM(); - return SSL_GenericInit( sslMode, sslVerify, certificate, certLength, certPassword, sslContextHandle, TRUE ); + return SSL_GenericInit( sslMode, sslVerify, certificate, certLength, privateKey, privateKeyLength, password, passwordLength, sslContextHandle, TRUE ); } -bool SSL_ClientInit( int sslMode, int sslVerify, const char* certificate, int certLength, const char* certPassword, int& sslContextHandle ) +bool SSL_ClientInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ) { NATIVE_PROFILE_PAL_COM(); - return SSL_GenericInit( sslMode, sslVerify, certificate, certLength, certPassword, sslContextHandle, FALSE ); + return SSL_GenericInit( sslMode, sslVerify, certificate, certLength, privateKey, privateKeyLength, password, passwordLength, sslContextHandle, FALSE ); } bool SSL_AddCertificateAuthority( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ) 
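Review bot: `SSL_DecodePrivateKey` takes `const unsigned char*` key/password with `size_t` lengths, while `SSL_ServerInit`/`SSL_ClientInit` in the same hunk take `const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength` for the same data; InitHelper feeds `m_numOfElements` (presumably unsigned) into the `int` lengths and `hal_strlen_s(password)` into both. Settling on one shape for both entry points (`const uint8_t*` plus `size_t`) removes the signed conversion and the casts at the call sites; a comment on each that `privateKey`/`password` may be NULL with length 0 would also document what `Sockets_debugger.cpp` now passes. `NATIVE_PROFILE_PAL_COM();` is placed after the `s_init_done` check in `SSL_DecodePrivateKey`, unlike the other public entry points in this hunk where it is the first statement.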
diff --git a/src/PAL/COM/sockets/ssl/ssl_functions.h b/src/PAL/COM/sockets/ssl/ssl_functions.h index 727e85074e..1b193c1312 100644 --- a/src/PAL/COM/sockets/ssl/ssl_functions.h +++ b/src/PAL/COM/sockets/ssl/ssl_functions.h @@ -49,6 +49,7 @@ enum SslVerification #define FORMAT_IISSGC 8 bool ssl_parse_certificate_internal(void* buf, size_t size, void* pwd, void* x509 ); +int ssl_decode_private_key_internal( const unsigned char *key, size_t keyLength, const unsigned char *pwd, size_t pwdLength ); int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle); int ssl_accept_internal( int socket, int sslContextHandle ); int ssl_read_internal( int socket, char* Data, size_t size ); @@ -56,7 +57,7 @@ int ssl_write_internal( int socket, const char* Data, size_t size); int ssl_closesocket_internal( int sd ); int ssl_pending_internal( int sd ); bool ssl_exit_context_internal(int sslContextHandle ); -bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certificate, int certLength, const char* pwd, int& sslContextHandle, bool isServer ); +bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle, bool isServer ); bool ssl_initialize_internal(); bool ssl_uninitialize_internal(); bool ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ); diff --git a/src/PAL/COM/sockets/ssl/ssl_stubs.cpp b/src/PAL/COM/sockets/ssl/ssl_stubs.cpp index b72efca104..a1b056bf85 100644 --- a/src/PAL/COM/sockets/ssl/ssl_stubs.cpp +++ b/src/PAL/COM/sockets/ssl/ssl_stubs.cpp 
@@ -29,16 +29,16 @@ __nfweak bool SSL_Uninitialize() return TRUE; } -__nfweak bool SSL_ServerInit( int sslMode, int sslVerify, const char* certificate, int certLength, const char* certPassword, int& sslContextHandle ) +__nfweak bool SSL_ServerInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ) { - (void)sslMode; (void)sslVerify; (void)certificate; (void)certLength; (void)certPassword; (void)sslContextHandle; + (void)sslMode; (void)sslVerify; (void)certificate; (void)certLength; (void)privateKey; (void)privateKeyLength; (void)password; (void)passwordLength; (void)sslContextHandle; NATIVE_PROFILE_PAL_COM(); return TRUE; } -__nfweak bool SSL_ClientInit( int sslMode, int sslVerify, const char* certificate, int certLength, const char* certPassword, int& sslContextHandle ) +__nfweak bool SSL_ClientInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ) { - (void)sslMode; (void)sslVerify; (void)certificate; (void)certLength; (void)certPassword; (void)sslContextHandle; + (void)sslMode; (void)sslVerify; (void)certificate; (void)certLength; (void)privateKey; (void)privateKeyLength; (void)password; (void)passwordLength; (void)sslContextHandle; NATIVE_PROFILE_PAL_COM(); return TRUE; } @@ -112,6 +112,22 @@ __nfweak bool SSL_ParseCertificate( const char* certificate, size_t certLength, return TRUE; } +__nfweak int SSL_DecodePrivateKey( + const unsigned char *key, + size_t keyLength, + const unsigned char *pwd, + size_t pwdLength ) +{ + (void)key; + (void)keyLength; + (void)pwd; + (void)pwdLength; + + NATIVE_PROFILE_PAL_COM(); + + return -1; +} + __nfweak int SSL_DataAvailable( SOCK_SOCKET socket ) { (void)socket; 
diff --git a/src/PAL/Include/nanoPAL_Sockets.h b/src/PAL/Include/nanoPAL_Sockets.h index 9d4e3d0cf6..3f17f37b71 100644 --- a/src/PAL/Include/nanoPAL_Sockets.h +++ b/src/PAL/Include/nanoPAL_Sockets.h @@ -603,8 +603,8 @@ typedef void (*SSL_DATE_TIME_FUNC)(DATE_TIME_INFO* pdt); bool SSL_Initialize (); bool SSL_Uninitialize(); -bool SSL_ServerInit ( int sslMode, int sslVerify, const char* certificate, int certLength, const char* certPassword, int& sslContextHandle ); -bool SSL_ClientInit ( int sslMode, int sslVerify, const char* certificate, int certLength, const char* certPassword, int& sslContextHandle ); +bool SSL_ServerInit ( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ); +bool SSL_ClientInit ( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ); bool SSL_AddCertificateAuthority( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ); bool SSL_ExitContext( int sslContextHandle ); int SSL_Accept ( int socket, int sslContextHandle ); @@ -615,6 +615,7 @@ int SSL_CloseSocket( int socket ); void SSL_GetTime(DATE_TIME_INFO* pdt); void SSL_RegisterTimeCallback(SSL_DATE_TIME_FUNC pfn); bool SSL_ParseCertificate( const char* certificate, size_t certLength, const char* password, X509CertData* certData ); +int SSL_DecodePrivateKey( const unsigned char *key, size_t keyLength, const unsigned char *password, size_t passwordLength ); int SSL_DataAvailable( int socket ); //--// diff --git a/targets/TI-SimpleLink/common/ssl_simplelink.cpp b/targets/TI-SimpleLink/common/ssl_simplelink.cpp index c4ccf536e1..899f00aa68 100644 --- a/targets/TI-SimpleLink/common/ssl_simplelink.cpp +++ b/targets/TI-SimpleLink/common/ssl_simplelink.cpp 
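Review bot: `SSL_DecodePrivateKey` is a new public PAL entry point with no comment on its contract, and its callers depend on one: `DecodePrivateKeyNative` fails on `< 0`, the mbedTLS backend returns the raw `mbedtls_pk_parse_key` result, and the OpenSSL and SimpleLink stubs return -1 and 0 respectively. Document it above the declaration, e.g. `// Checks that key (PEM including its NUL terminator, or DER) parses with the given password; returns 0 on success, a negative error code otherwise. The key is not retained.` The new `privateKey`/`privateKeyLength` and `password`/`passwordLength` parameters of `SSL_ServerInit`/`SSL_ClientInit` deserve the same treatment, including that NULL and 0 are accepted when the certificate carries no separate key, as `Sockets_debugger.cpp` passes.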
@@ -24,6 +24,21 @@ extern "C" // TODO bool ssl_parse_certificate_internal(void* buf, size_t size, void* pwd, void* x509 ){(void)buf;(void)size;(void)pwd;(void)x509;} + +int ssl_decode_private_key_internal( + const unsigned char *key, + size_t keyLength, + const unsigned char *password, + size_t passwordLength) +{ + (void)key; + (void)keyLength; + (void)password; + (void)passwordLength; + + return 0; +} + int ssl_accept_internal( int socket, int sslContextHandle ){(void)socket;(void)sslContextHandle;} bool ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ){(void)sslContextHandle;(void)certificate;(void)certLength;(void)certPassword;} @@ -46,10 +61,22 @@ bool ssl_initialize_internal() return true; } -bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certificate, - int certLength, const char* certPassword, int& sslContextHandle, bool isServer ) +bool ssl_generic_init_internal( + int sslMode, + int sslVerify, + const char* certificate, + int certLength, + const uint8_t* privateKey, + int privateKeyLength, + const char* password, + int passwordLength, + int& sslContextHandle, + bool isServer ) { - (void)certPassword; + (void)password; + (void)passwordLength; + (void)privateKey; + (void)privateKeyLength; int sslContexIndex = -1;
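Review bot: This `ssl_decode_private_key_internal` returns 0 after discarding its arguments, so on SimpleLink `DecodePrivateKeyNative` reports success for any byte sequence and an X509Certificate2 with a corrupt or wrongly-passworded key is accepted until the handshake fails; the OpenSSL stub and the weak `SSL_DecodePrivateKey` stub in the same commit return -1 for the same situation. Return -1 here too until it is implemented, and carry the same `// TODO` marker the surrounding stubs in this file use so the gap is visible. The `@@ -46` hunk that follows runs past the end of this excerpt, so its body was not reviewed.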