kore

Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git
commit bb39643b487ba518e95e92afae15975dd73f737c
parent c78535aa5dd2ff82fa8c8d86b132d14cfa25b081
Author: Joris Vink <joris@coders.se>
Date:   Thu,  7 Nov 2019 07:56:13 +0100

small acme fixes.

- don't create the NID for the acme extension several times
- add missing pledges for openbsd keymgr (it will write+create files)

Diffstat:

src/keymgr.c | 23+++++++++++++++++------


1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/keymgr.c b/src/keymgr.c
@@ -168,6 +168,9 @@ static int			acmeproc_ready = 0;
 /* Renewal timer for all domains under acme control. */
 static struct kore_timer	*acme_renewal = NULL;
 
+/* oid for acme extension. */
+static int			acme_oid = -1;
+
 struct acme_order {
 	int			state;
 	struct kore_timer	*timer;
@@ -226,6 +229,12 @@ int	keymgr_active = 0;
 char	*keymgr_root_path = NULL;
 char	*keymgr_runas_user = NULL;
 
+#if defined(KORE_USE_ACME)
+static const char *keymgr_pledges = "stdio rpath wpath cpath";
+#else
+static const char *keymgr_pledges = "stdio rpath";
+#endif
+
 void
 kore_keymgr_run(void)
 {
@@ -278,10 +287,15 @@ kore_keymgr_run(void)
 	keymgr_reload();
 
 #if defined(__OpenBSD__)
-	if (pledge("stdio rpath", NULL) == -1)
+	if (pledge(keymgr_pledges, NULL) == -1)
 		fatalx("failed to pledge keymgr process");
 #endif
 
+#if defined(KORE_USE_ACME)
+	acme_oid = OBJ_create(ACME_TLS_ALPN_01_OID, "acme", "acmeIdentifier");
+	X509V3_EXT_add_alias(acme_oid, NID_subject_key_identifier);
+#endif
+
 	while (quit != 1) {
 		now = kore_time_ms();
 		if ((now - last_seed) > RAND_POLL_INTERVAL) {
@@ -1059,8 +1073,8 @@ keymgr_acme_challenge_cert(const void *data, size_t len, struct key *key)
 	X509_NAME			*name;
 	X509				*x509;
 	const u_int8_t			*digest;
+	int				slen, i;
 	u_int8_t			*cert, *uptr;
-	int				slen, acme, i;
 	char				hex[(SHA256_DIGEST_LENGTH * 2) + 1];
 
 	kore_log(LOG_INFO, "[%s] generating tls-alpn-01 challenge cert",
@@ -1107,11 +1121,8 @@ keymgr_acme_challenge_cert(const void *data, size_t len, struct key *key)
 	if (!X509_set_issuer_name(x509, name))
 		fatalx("X509_set_issuer_name(): %s", ssl_errno_s);
 
-	acme = OBJ_create(ACME_TLS_ALPN_01_OID, "acme", "acmeIdentifier");
-	X509V3_EXT_add_alias(acme, NID_subject_key_identifier);
-
 	sk = sk_X509_EXTENSION_new_null();
-	keymgr_x509_ext(sk, acme, "critical,%s", hex);
+	keymgr_x509_ext(sk, acme_oid, "critical,%s", hex);
 	keymgr_x509_ext(sk, NID_subject_alt_name, "DNS:%s", key->dom->domain);
 
 	for (i = 0; i < sk_X509_EXTENSION_num(sk); i++) {