kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit bb39643b487ba518e95e92afae15975dd73f737c
parent c78535aa5dd2ff82fa8c8d86b132d14cfa25b081
Author: Joris Vink <joris@coders.se>
Date:   Thu,  7 Nov 2019 07:56:13 +0100

small acme fixes.

- don't create the NID for the acme extension several times
- add missing pledges for openbsd keymgr (it will write+create files)

Diffstat:
src/keymgr.c | 23+++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/keymgr.c b/src/keymgr.c
@@ -168,6 +168,9 @@ static int acmeproc_ready = 0;
 /* Renewal timer for all domains under acme control. */
 static struct kore_timer *acme_renewal = NULL;
 
+/* oid for acme extension. */
+static int acme_oid = -1;
+
 struct acme_order {
 int state;
 struct kore_timer *timer;
@@ -226,6 +229,12 @@ int keymgr_active = 0;
 char *keymgr_root_path = NULL;
 char *keymgr_runas_user = NULL;
 
+#if defined(KORE_USE_ACME)
+static const char *keymgr_pledges = "stdio rpath wpath cpath";
+#else
+static const char *keymgr_pledges = "stdio rpath";
+#endif
+
 void
 kore_keymgr_run(void)
 {
@@ -278,10 +287,15 @@ kore_keymgr_run(void)
 keymgr_reload();
 
 #if defined(__OpenBSD__)
- if (pledge("stdio rpath", NULL) == -1)
+ if (pledge(keymgr_pledges, NULL) == -1)
 fatalx("failed to pledge keymgr process");
 #endif
 
+#if defined(KORE_USE_ACME)
+ acme_oid = OBJ_create(ACME_TLS_ALPN_01_OID, "acme", "acmeIdentifier");
+ X509V3_EXT_add_alias(acme_oid, NID_subject_key_identifier);
+#endif
+
 while (quit != 1) {
 now = kore_time_ms();
 if ((now - last_seed) > RAND_POLL_INTERVAL) {
@@ -1059,8 +1073,8 @@ keymgr_acme_challenge_cert(const void *data, size_t len, struct key *key)
 X509_NAME *name;
 X509 *x509;
 const u_int8_t *digest;
+ int slen, i;
 u_int8_t *cert, *uptr;
- int slen, acme, i;
 char hex[(SHA256_DIGEST_LENGTH * 2) + 1];
 
 kore_log(LOG_INFO, "[%s] generating tls-alpn-01 challenge cert",
@@ -1107,11 +1121,8 @@ keymgr_acme_challenge_cert(const void *data, size_t len, struct key *key)
 if (!X509_set_issuer_name(x509, name))
 fatalx("X509_set_issuer_name(): %s", ssl_errno_s);
 
- acme = OBJ_create(ACME_TLS_ALPN_01_OID, "acme", "acmeIdentifier");
- X509V3_EXT_add_alias(acme, NID_subject_key_identifier);
-
 sk = sk_X509_EXTENSION_new_null();
- keymgr_x509_ext(sk, acme, "critical,%s", hex);
+ keymgr_x509_ext(sk, acme_oid, "critical,%s", hex);
 keymgr_x509_ext(sk, NID_subject_alt_name, "DNS:%s", key->dom->domain);
 
 for (i = 0; i < sk_X509_EXTENSION_num(sk); i++) {
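Review bot: `keymgr_pledges`, added in the second hunk after `keymgr_runas_user`, is a file-scope static defined on every platform but read only inside the `#if defined(__OpenBSD__)` block in `kore_keymgr_run` (third hunk), so non-OpenBSD builds will get an unused-variable warning for it (fatal if the tree builds with -Werror, which this page does not show). Wrapping the whole definition in `#if defined(__OpenBSD__)` ... `#endif` keeps it out of builds that never call `pledge()`. Separately, the broader `"stdio rpath wpath cpath"` promise set is granted whenever ACME is compiled in, even for a deployment where no domain uses it; if the keymgr has a runtime indication that ACME is in use, selecting the string at that point rather than at compile time would keep such deployments on the narrower `"stdio rpath"` promises.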
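Review bot: The `OBJ_create()` return value in the third hunk is not checked; OpenSSL returns `NID_undef` (0) when it cannot register the object, and that value is then passed straight to `X509V3_EXT_add_alias()` and later, in the fifth hunk, to `keymgr_x509_ext(sk, acme_oid, "critical,%s", hex)`, so a failed registration would only surface as an opaque extension error at challenge-cert time instead of at startup. Suggest `if (acme_oid == NID_undef) fatalx("OBJ_create(): %s", ssl_errno_s);` and treating a zero return from `X509V3_EXT_add_alias()` the same way, matching the `fatalx` style of the pledge check two lines above. The `static int acme_oid = -1;` initializer in the first hunk also disagrees with the library's failure sentinel; initialising it to `NID_undef` would let a single comparison in `keymgr_acme_challenge_cert` guard against both "never registered" and "registration failed". `kore_keymgr_run` starts and ends outside the hunk.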