gui: Regenerate certificate if it's invalid or the key is too small
This commit is contained in:
parent
7210bfa615
commit
345bb4b62b
|
@ -22,7 +22,7 @@ add_executable (barrier WIN32
|
||||||
|
|
||||||
include_directories (./src)
|
include_directories (./src)
|
||||||
|
|
||||||
target_link_libraries (barrier Qt5::Core Qt5::Widgets Qt5::Network)
|
target_link_libraries (barrier Qt5::Core Qt5::Widgets Qt5::Network ${OPENSSL_LIBS})
|
||||||
target_compile_definitions (barrier PRIVATE -DBARRIER_VERSION_STAGE="${BARRIER_VERSION_STAGE}")
|
target_compile_definitions (barrier PRIVATE -DBARRIER_VERSION_STAGE="${BARRIER_VERSION_STAGE}")
|
||||||
target_compile_definitions (barrier PRIVATE -DBARRIER_REVISION="${BARRIER_REVISION}")
|
target_compile_definitions (barrier PRIVATE -DBARRIER_REVISION="${BARRIER_REVISION}")
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,12 @@
|
||||||
#include <QDir>
|
#include <QDir>
|
||||||
#include <QCoreApplication>
|
#include <QCoreApplication>
|
||||||
|
|
||||||
|
#include <openssl/bio.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
#include <openssl/x509.h>
|
||||||
|
|
||||||
static const char kCertificateLifetime[] = "365";
|
static const char kCertificateLifetime[] = "365";
|
||||||
static const char kCertificateSubjectInfo[] = "/CN=Barrier";
|
static const char kCertificateSubjectInfo[] = "/CN=Barrier";
|
||||||
static const char kCertificateFilename[] = "Barrier.pem";
|
static const char kCertificateFilename[] = "Barrier.pem";
|
||||||
|
@ -94,7 +100,7 @@ void SslCertificate::generateCertificate()
|
||||||
auto filename = QString::fromStdString(getCertificatePath());
|
auto filename = QString::fromStdString(getCertificatePath());
|
||||||
|
|
||||||
QFile file(filename);
|
QFile file(filename);
|
||||||
if (!file.exists()) {
|
if (!file.exists() || !isCertificateValid(filename)) {
|
||||||
QStringList arguments;
|
QStringList arguments;
|
||||||
|
|
||||||
// self signed certificate
|
// self signed certificate
|
||||||
|
@ -183,3 +189,58 @@ std::string SslCertificate::getCertificateDirectory()
|
||||||
{
|
{
|
||||||
return m_ProfileDir + QDir::separator().toLatin1() + kSslDir;
|
return m_ProfileDir + QDir::separator().toLatin1() + kSslDir;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool SslCertificate::isCertificateValid(const QString& path)
|
||||||
|
{
|
||||||
|
OpenSSL_add_all_algorithms();
|
||||||
|
ERR_load_BIO_strings();
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
|
BIO* bio = BIO_new(BIO_s_file());
|
||||||
|
|
||||||
|
auto ret = BIO_read_filename(bio, path.toStdString().c_str());
|
||||||
|
if (!ret) {
|
||||||
|
emit info(tr("Could not read from default certificate file."));
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
X509* cert = PEM_read_bio_X509(bio, NULL, 0, NULL);
|
||||||
|
if (!cert) {
|
||||||
|
emit info(tr("Error loading default certificate file to memory."));
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
EVP_PKEY* pubkey = X509_get_pubkey(cert);
|
||||||
|
if (!pubkey) {
|
||||||
|
emit info(tr("Default certificate key file does not contain valid public key"));
|
||||||
|
X509_free(cert);
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto type = EVP_PKEY_type(EVP_PKEY_id(pubkey));
|
||||||
|
if (type != EVP_PKEY_RSA && type != EVP_PKEY_DSA) {
|
||||||
|
emit info(tr("Public key in default certificate key file is not RSA or DSA"));
|
||||||
|
EVP_PKEY_free(pubkey);
|
||||||
|
X509_free(cert);
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto bits = EVP_PKEY_bits(pubkey);
|
||||||
|
if (bits < 2048) {
|
||||||
|
// We could have small keys in old barrier installations
|
||||||
|
emit info(tr("Public key in default certificate key file is too small."));
|
||||||
|
EVP_PKEY_free(pubkey);
|
||||||
|
X509_free(cert);
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
EVP_PKEY_free(pubkey);
|
||||||
|
X509_free(cert);
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
|
@ -42,6 +42,7 @@ private:
|
||||||
std::string getCertificatePath();
|
std::string getCertificatePath();
|
||||||
std::string getCertificateDirectory();
|
std::string getCertificateDirectory();
|
||||||
|
|
||||||
|
bool isCertificateValid(const QString& path);
|
||||||
private:
|
private:
|
||||||
std::string m_ProfileDir;
|
std::string m_ProfileDir;
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue