Bläddra i källkod

reworked certificate generation, UaExpert still misses revocatio lists etc, but creating a full CA will be to complex ATM

Stasik0 10 år sedan
förälder
incheckning
44971d3fad

+ 5 - 4
CMakeLists.txt

@@ -62,11 +62,12 @@ set(generate_src_options) # the options for the tools that generate code from xm
 option(ENABLE_SELFSIGNED "Enable self-signed certificates" OFF)
 if(ENABLE_SELFSIGNED)
     message(STATUS "Enabling self-signed certificates")
-    SET(lib_sources ${lib_sources} ${PROJECT_BINARY_DIR}/localhost.der)
+    SET(lib_sources ${lib_sources} ${PROJECT_BINARY_DIR}/localhost.der ${PROJECT_BINARY_DIR}/ca.crt)
     add_custom_command(OUTPUT ${PROJECT_BINARY_DIR}/localhost.der
-                   COMMAND sh ${PROJECT_SOURCE_DIR}/certs/create_self-signed.sh ${PROJECT_BINARY_DIR}
-                   DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/certs/create_self-signed.sh
-                           ${CMAKE_CURRENT_SOURCE_DIR}/certs/localhost.cnf)
+                              ${PROJECT_BINARY_DIR}/ca.crt
+                   COMMAND python ${PROJECT_SOURCE_DIR}/tools/certs/create_self-signed.py ${PROJECT_BINARY_DIR}
+                   DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tools/certs/create_self-signed.py
+                           ${CMAKE_CURRENT_SOURCE_DIR}/tools/certs/localhost.cnf)
 endif(ENABLE_SELFSIGNED)
 
 

+ 0 - 35
certs/create_self-signed.sh

@@ -1,35 +0,0 @@
-#!/bin/sh
-
-if [ -z "$1" ]
-then 
-	echo "Generates a self-signed DER certificate for localhost\n"
-	echo "usage ./create_self-signed.sh <output directory>"
-	exit 1
-fi
-
-#cd in the directory where script is located
-cd "$(dirname "$0")"
-
-openssl req \
-    -new \
-    -newkey rsa:1024 \
-    -nodes \
-    -subj "/C=DE/ST=/L=/O=open62541/CN=open62541Server@localhost" \
-    -config localhost.cnf \
-    -keyout localhost.key \
-    -out localhost.csr
-openssl x509 -req \
-	-days 3650 \
-	-in localhost.csr \
-	-signkey localhost.key \
-	-out localhost.crt \
-	-extensions v3_req \
-	-extfile localhost.cnf
-openssl x509 -in localhost.crt -outform der -out localhost.der
-rm localhost.key #we will need it later
-rm localhost.crt
-rm localhost.csr
-if [ -n "$1" ]
-then
-	mv localhost.der $1
-fi

+ 36 - 2
src/server/ua_services_discovery.c

@@ -1,7 +1,11 @@
 #include "ua_services.h"
+#include "errno.h"
+#include "ua_base64.h"
 UA_Int32 Service_GetEndpoints(SL_Channel *channel,
 		const UA_GetEndpointsRequest* request,
 		UA_GetEndpointsResponse *response) {
+#define RETURN free(certificate_base64_without_lb); fclose(fp); return
+
 #ifdef DEBUG
 	UA_String_printx("endpointUrl=", &request->endpointUrl);
 #endif
@@ -35,10 +39,10 @@ UA_Int32 Service_GetEndpoints(SL_Channel *channel,
 	token->securityPolicyUri = (UA_String ) { -1, UA_NULL };
 
 	UA_String_copy(&request->endpointUrl, &response->endpoints[0].endpointUrl);
-	UA_String_copycstring("http://open62541.info/product/release",
+	UA_String_copycstring("http://open62541.org/product/release",
 			&(response->endpoints[0].server.productUri));
 	// FIXME: This information should be provided by the application, preferably in the address space
-	UA_String_copycstring("http://open62541.info/applications/4711",
+	UA_String_copycstring("urn:localhost:open6251:open62541Server",
 			&(response->endpoints[0].server.applicationUri));
 	UA_LocalizedText_copycstring("The open62541 application",
 			&(response->endpoints[0].server.applicationName));
@@ -46,5 +50,35 @@ UA_Int32 Service_GetEndpoints(SL_Channel *channel,
 	response->endpoints[0].server.applicationType = UA_APPLICATIONTYPE_SERVER;
 	// all the other strings are empty by initialization
 
+	FILE *fp = UA_NULL;
+	UA_UInt32 certificate_size=0;
+	UA_Byte* certificate= UA_NULL;
+	//FIXME: a potiential bug of locating the certificate, we need to get the path from the server's config
+	//FIXME: we need to read file only once
+	fp=fopen("localhost.der", "rb");
+	if (fp == NULL) {
+			//printf("Opening the certificate file failed, errno = %d\n", errno);
+	        //RETURN UA_ERROR;
+	}else{
+		fseek(fp, 0, SEEK_END);
+		certificate_size = ftell(fp);
+
+		UA_alloc((void**)&certificate, certificate_size*sizeof(UA_Byte));
+		//read certificate without linebreaks
+		fseek(fp, 0, SEEK_SET);
+		fread(certificate, sizeof(UA_Byte), certificate_size, fp);
+
+		UA_String certificate_binary;
+		certificate_binary.length = certificate_size;
+		certificate_binary.data = certificate;
+
+		fclose(fp);
+		//The standard says "the HostName specified in the Server Certificate is the same as the HostName contained in the
+		//endpointUrl provided in the EndpointDescription;"
+
+		UA_String_copy(&certificate_binary, &response->endpoints[0].serverCertificate);
+		UA_String_deleteMembers(&certificate_binary);
+	}
+
 	return UA_SUCCESS;
 }

+ 48 - 0
tools/certs/create_self-signed.py

@@ -0,0 +1,48 @@
+import sys
+import os
+import shutil
+
+if len(sys.argv) < 2:
+    sys.exit('Usage: %s directory to output certificates' % sys.argv[0])
+
+if not os.path.exists(sys.argv[1]):
+    sys.exit('ERROR: Directory %s was not found!' % sys.argv[1])
+    
+os.chdir(os.path.dirname(os.path.abspath(__file__)))
+
+os.system("""openssl genrsa -out ca.key 2048""")
+os.system("""openssl req \
+	-x509 \
+	-new \
+	-nodes \
+	-key ca.key \
+	-days 3650 \
+	-subj "/C=DE/O=open62541/CN=open62541.org" \
+	-out ca.crt""")
+os.system("""openssl req \
+    -new \
+    -newkey rsa:2048 \
+    -nodes \
+    -subj "/C=DE/O=open62541/CN=open62541Server@localhost" \
+    -config localhost.cnf \
+    -keyout localhost.key \
+    -out localhost.csr""")
+os.system("""openssl x509 -req \
+	-days 3650 \
+	-in localhost.csr \
+	-CA ca.crt \
+	-CAkey ca.key \
+	-CAcreateserial \
+	-out localhost.crt \
+	-extensions v3_ca \
+	-extfile localhost.cnf""")
+os.system("""openssl x509 -in localhost.crt -outform der -out localhost.der""")
+#we will need these files later
+os.remove("localhost.key") #we will need it later
+os.remove("localhost.crt")
+os.remove("localhost.csr")
+os.remove("ca.key")
+os.remove("ca.srl")
+
+shutil.move("localhost.der", sys.argv[1])
+shutil.move("ca.crt", sys.argv[1])

+ 13 - 8
certs/localhost.cnf

@@ -39,21 +39,21 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 
-dir		= ./demoCA		# Where everything is kept
+dir		= ./ca/			# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
+database	= $dir/database.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
 					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 
-certificate	= $dir/cacert.pem 	# The CA certificate
+certificate	= $dir/ca.crt	 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
+private_key	= $dir/ca.key 		# The private key
+RANDFILE	= $dir/.rand		# private random number file
 
 x509_extensions	= usr_cert		# The extentions to add to the cert
 
@@ -68,7 +68,7 @@ cert_opt 	= ca_default		# Certificate field options
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions	= crl_ext
+crl_extensions	= crl_ext
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
@@ -212,7 +212,7 @@ authorityKeyIdentifier=keyid,issuer
 #nsSslServerName
 
 # This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
+extendedKeyUsage = critical,timeStamping
 
 [ v3_req ]
 
@@ -243,13 +243,16 @@ authorityKeyIdentifier=keyid:always,issuer
 # extensions.
 #basicConstraints = critical,CA:true
 # So we do this instead.
-basicConstraints = CA:true
+basicConstraints = CA:false
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
 # keyUsage = cRLSign, keyCertSign
 
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
+
 # Some might want this also
 # nsCertType = sslCA, emailCA
 
@@ -264,6 +267,8 @@ basicConstraints = CA:true
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF
 
+subjectAltName         = @alt_names
+
 [ crl_ext ]
 
 # CRL extensions.