v4.10-9505-beta

src/Mayaqua/Encrypt.c

@@ -1805,6 +1805,77 @@ X *NewRootX(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial)
 	return x2;
 }
 
+// Create new X509 basic & extended key usage
+void AddKeyUsageX509(EXTENDED_KEY_USAGE *ex, int nid)
+{
+	ASN1_OBJECT *obj;
+	// Validate arguments
+	if (ex == NULL)
+	{
+		return;
+	}
+
+	obj = OBJ_nid2obj(nid);
+	if (obj != NULL)
+	{
+		sk_ASN1_OBJECT_push(ex, obj);
+	}
+}
+X509_EXTENSION *NewExtendedKeyUsageForX509()
+{
+	EXTENDED_KEY_USAGE *ex = sk_ASN1_OBJECT_new_null();
+	X509_EXTENSION *ret;
+
+	AddKeyUsageX509(ex, NID_server_auth);
+	AddKeyUsageX509(ex, NID_client_auth);
+	AddKeyUsageX509(ex, NID_code_sign);
+	AddKeyUsageX509(ex, NID_email_protect);
+	AddKeyUsageX509(ex, NID_ipsecEndSystem);
+	AddKeyUsageX509(ex, NID_ipsecTunnel);
+	AddKeyUsageX509(ex, NID_ipsecUser);
+	AddKeyUsageX509(ex, NID_time_stamp);
+	AddKeyUsageX509(ex, NID_OCSP_sign);
+
+	ret = X509V3_EXT_i2d(NID_ext_key_usage, 0, ex);
+
+	sk_ASN1_OBJECT_pop_free(ex, ASN1_OBJECT_free);
+
+	return ret;
+}
+void BitStringSetBit(ASN1_BIT_STRING *str, int bit)
+{
+	// Validate arguments
+	if (str == NULL)
+	{
+		return;
+	}
+
+	ASN1_BIT_STRING_set_bit(str, bit, 1);
+}
+X509_EXTENSION *NewBasicKeyUsageForX509()
+{
+	X509_EXTENSION *ret = NULL;
+	ASN1_BIT_STRING *str;
+
+	str = ASN1_BIT_STRING_new();
+	if (str != NULL)
+	{
+		BitStringSetBit(str, 0);	// KU_DIGITAL_SIGNATURE
+		BitStringSetBit(str, 1);	// KU_NON_REPUDIATION
+		BitStringSetBit(str, 2);	// KU_KEY_ENCIPHERMENT
+		BitStringSetBit(str, 3);	// KU_DATA_ENCIPHERMENT
+		//BitStringSetBit(str, 4);	// KU_KEY_AGREEMENT
+		BitStringSetBit(str, 5);	// KU_KEY_CERT_SIGN
+		BitStringSetBit(str, 6);	// KU_CRL_SIGN
+
+		ret = X509V3_EXT_i2d(NID_key_usage, 0, str);
+
+		ASN1_BIT_STRING_free(str);
+	}
+
+	return ret;
+}
+
 // Issue an X509 certificate
 X509 *NewX509(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial)
 {
@@ -1812,6 +1883,9 @@ X509 *NewX509(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial)
 	UINT64 notBefore, notAfter;
 	ASN1_TIME *t1, *t2;
 	X509_NAME *subject_name, *issuer_name;
+	X509_EXTENSION *ex = NULL;
+	X509_EXTENSION *eku = NULL;
+	X509_EXTENSION *busage = NULL;
 	// Validate arguments
 	if (pub == NULL || name == NULL || ca == NULL)
 	{
@@ -1892,6 +1966,29 @@ X509 *NewX509(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial)
 		s->length = serial->size;
 	}
 
+	/*
+	// Extensions
+	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,	"critical,CA:TRUE");
+	X509_add_ext(x509, ex, -1);
+	X509_EXTENSION_free(ex);
+*/
+
+	// Basic usage
+	busage = NewBasicKeyUsageForX509();
+	if (busage != NULL)
+	{
+		X509_add_ext(x509, busage, -1);
+		X509_EXTENSION_free(busage);
+	}
+
+	// EKU
+	eku = NewExtendedKeyUsageForX509();
+	if (eku != NULL)
+	{
+		X509_add_ext(x509, eku, -1);
+		X509_EXTENSION_free(eku);
+	}
+
 	Lock(openssl_lock);
 	{
 		// Set the public key
@@ -1914,6 +2011,8 @@ X509 *NewRootX509(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial)
 	ASN1_TIME *t1, *t2;
 	X509_NAME *subject_name, *issuer_name;
 	X509_EXTENSION *ex = NULL;
+	X509_EXTENSION *eku = NULL;
+	X509_EXTENSION *busage = NULL;
 	// Validate arguments
 	if (pub == NULL || name == NULL || priv == NULL)
 	{
@@ -2004,6 +2103,22 @@ X509 *NewRootX509(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial)
 	X509_add_ext(x509, ex, -1);
 	X509_EXTENSION_free(ex);
 
+	// Basic usage
+	busage = NewBasicKeyUsageForX509();
+	if (busage != NULL)
+	{
+		X509_add_ext(x509, busage, -1);
+		X509_EXTENSION_free(busage);
+	}
+
+	// EKU
+	eku = NewExtendedKeyUsageForX509();
+	if (eku != NULL)
+	{
+		X509_add_ext(x509, eku, -1);
+		X509_EXTENSION_free(eku);
+	}
+
 	Lock(openssl_lock);
 	{
 		// Set the public key
@@ -4105,7 +4220,7 @@ CRYPT *NewCrypt(void *key, UINT size)
 {
 	CRYPT *c = ZeroMalloc(sizeof(CRYPT));
 
-	c->Rc4Key = ZeroMalloc(sizeof(struct rc4_key_st));
+	c->Rc4Key = Malloc(sizeof(struct rc4_key_st));
 
 	RC4_set_key(c->Rc4Key, size, (UCHAR *)key);