author | Chung-yih Wang <cywang@google.com> | 2009-07-24 11:33:45 +0800 |
---|---|---|
committer | Chung-yih Wang <cywang@google.com> | 2009-07-24 11:33:45 +0800 |
commit | 719eba5bb1fbc72e3b55450f16b38a6be5640055 (patch) | |
tree | edd5b5178e70733642d9d5275d6a6102bcd657f3 /keystore | |
parent | 75b681639d3945d22d4ab90856a65a05405d2538 (diff) | |
Change to SPKAC certificate request format for keygen.
Diffstat (limited to 'keystore')
-rw-r--r-- | keystore/java/android/security/CertTool.java | 4 | ||||
-rw-r--r-- | keystore/jni/cert.c | 56 | ||||
-rw-r--r-- | keystore/jni/cert.h | 5 |
3 files changed, 27 insertions, 38 deletions
diff --git a/keystore/java/android/security/CertTool.java b/keystore/java/android/security/CertTool.java
index 79418bd..1de007d 100644
--- a/keystore/java/android/security/CertTool.java
+++ b/keystore/java/android/security/CertTool.java
@@ -72,7 +72,7 @@ public class CertTool {
 private native String getPkcs12PrivateKey(int handle);
 private native String popPkcs12CertificateStack(int handle);
 private native void freePkcs12Handle(int handle);
- private native String generateCertificateRequest(int bits, String subject);
+ private native String generateCertificateRequest(int bits, String challenge);
 private native boolean isPkcs12Keystore(byte[] data);
 private native int generateX509Certificate(byte[] data);
 private native boolean isCaCertificate(int handle);
@@ -124,7 +124,7 @@ public class CertTool {
 public String generateKeyPair(int keyStrengthIndex, String challenge,
 String dirName) {
 return generateCertificateRequest(getKeyLength(keyStrengthIndex),
- dirName);
+ challenge);
 }
 
 private Intent prepareIntent(String title, byte[] data, String namespace,
diff --git a/keystore/jni/cert.c b/keystore/jni/cert.c
index 0db28fd..ea21b7d 100644
--- a/keystore/jni/cert.c
+++ b/keystore/jni/cert.c
@@ -36,17 +36,17 @@ static char emsg[][30] = {
 STR(ERR_CONSTRUCT_NEW_DATA),
 STR(ERR_RSA_KEYGEN),
 STR(ERR_X509_PROCESS),
- STR(ERR_BIO_READ),
+ STR(ERR_SPKAC_TOO_LONG),
+ STR(ERR_INVALID_ARGS),
 };
 
-static void save_in_store(X509_REQ *req, EVP_PKEY *pkey)
+static void save_in_store(EVP_PKEY *pkey)
 {
 EVP_PKEY *newpkey = EVP_PKEY_new();
 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
 EVP_PKEY_set1_RSA(newpkey, rsa);
 PKEY_STORE_free(pkey_store[store_index]);
- pkey_store[store_index].key_len =
- i2d_X509_PUBKEY(req->req_info->pubkey, &pkey_store[store_index].public_key);
+ pkey_store[store_index].key_len = i2d_RSAPublicKey(rsa, &pkey_store[store_index].public_key);
 pkey_store[store_index++].pkey = newpkey;
 store_index %= KEYGEN_STORE_SIZE;
 RSA_free(rsa);
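Review bot: In the second CertTool.java hunk, `dirName` becomes an unused parameter of generateKeyPair once the native call receives `challenge` instead; nothing else in the hunk reads it. Either drop it from the signature if the Java callers can be updated, or leave a one-line comment such as `// dirName is no longer used by the SPKAC request path` so the next reader does not assume it still reaches native code. The enclosing class continues outside the hunk, so other uses cannot be ruled out from here.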
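Review bot: The rewritten save_in_store still assumes both `EVP_PKEY_new()` and `EVP_PKEY_get1_RSA(pkey)` succeed, and with the new `i2d_RSAPublicKey(rsa, ...)` a NULL rsa is now dereferenced directly rather than handed to OpenSSL, while a negative i2d return is stored in key_len unchecked. A guard before the set1 call, `if (newpkey == NULL || rsa == NULL) { EVP_PKEY_free(newpkey); return; }`, keeps the store from holding a half-initialised slot. Note also that the stored encoding changes from SubjectPublicKeyInfo (i2d_X509_PUBKEY) to PKCS#1 RSAPublicKey; get_pkey_from_store, of which only the tail is visible in the next hunk header, must compare the certificate's key in that same encoding, so confirm it was adjusted outside this diff. The i2d call allocates into public_key only if that pointer is NULL on entry, which presumably PKEY_STORE_free guarantees — worth verifying.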
@@ -69,17 +69,19 @@ static EVP_PKEY *get_pkey_from_store(X509 *cert)
 return (i == KEYGEN_STORE_SIZE) ? NULL : pkey_store[i].pkey;
 }
 
-int gen_csr(int bits, const char *organizations, char reply[REPLY_MAX])
+int gen_csr(int bits, const char *challenge, char reply[REPLY_MAX])
 {
 int len, ret_code = 0;
 BIGNUM *bn = NULL;
- BIO *bio = NULL;
+ char *spkstr = NULL;
 EVP_PKEY *pkey = NULL;
 RSA *rsa = NULL;
- X509_REQ *req = NULL;
- X509_NAME *name = NULL;
+ NETSCAPE_SPKI *req = NULL;
 
- if ((bio = BIO_new(BIO_s_mem())) == NULL) goto err;
+ if (challenge == NULL) {
+ ret_code = ERR_INVALID_ARGS;
+ goto err;
+ }
 
 if ((bits != KEYLENGTH_MEDIUM) && (bits != KEYLENGTH_MAXIMUM)) {
 ret_code = ERR_INVALID_KEY_LENGTH;
@@ -87,7 +89,7 @@ int gen_csr(int bits, const char *organizations, char reply[REPLY_MAX])
 }
 
 if (((pkey = EVP_PKEY_new()) == NULL) ||
- ((req = X509_REQ_new()) == NULL) ||
+ ((req = NETSCAPE_SPKI_new()) == NULL) ||
 ((rsa = RSA_new()) == NULL) || ((bn = BN_new()) == NULL)) {
 ret_code = ERR_CONSTRUCT_NEW_DATA;
 goto err;
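Review bot: `int len, ret_code = 0;` in the gen_csr prologue keeps `len` although its only consumer, the BIO_read call, is removed by this commit and the strlcpy path never assigns it; the declaration should become `int ret_code = 0;` so the unused variable does not survive as a warning. The body of gen_csr continues past this hunk, so confirm the lines between this hunk and the next do not touch it. The second hunk here only swaps the constructor and raises nothing new.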
@@ -100,40 +102,26 @@ int gen_csr(int bits, const char *organizations, char reply[REPLY_MAX])
 goto err;
 }
 
- // rsa will be part of the req, it will be freed in X509_REQ_free(req)
 rsa = NULL;
+ ASN1_STRING_set(req->spkac->challenge, challenge, (int)strlen(challenge));
+ NETSCAPE_SPKI_set_pubkey(req, pkey);
+ NETSCAPE_SPKI_sign(req, pkey, EVP_md5());
+ spkstr = NETSCAPE_SPKI_b64_encode(req);
 
- X509_REQ_set_pubkey(req, pkey);
- name = X509_REQ_get_subject_name(req);
-
- X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
- (const unsigned char *)"US", -1, -1, 0);
- X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
- (const unsigned char *) ANDROID_KEYSTORE,
- -1, -1, 0);
- X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
- (const unsigned char *)organizations, -1, -1, 0);
-
- if (!X509_REQ_sign(req, pkey, EVP_md5()) ||
- (PEM_write_bio_X509_REQ(bio, req) <= 0)) {
- ret_code = ERR_X509_PROCESS;
- goto err;
- }
- if ((len = BIO_read(bio, reply, REPLY_MAX - 1)) > 0) {
- reply[len] = 0;
- save_in_store(req, pkey);
+ if ((strlcpy(reply, spkstr, REPLY_MAX)) < REPLY_MAX) {
+ save_in_store(pkey);
 } else {
- ret_code = ERR_BIO_READ;
+ ret_code = ERR_SPKAC_TOO_LONG;
 }
 
 err:
 if (rsa) RSA_free(rsa);
 if (bn) BN_free(bn);
- if (req) X509_REQ_free(req);
+ if (req) NETSCAPE_SPKI_free(req);
 if (pkey) EVP_PKEY_free(pkey);
- if (bio) BIO_free(bio);
+ if (spkstr) OPENSSL_free(spkstr);
 if ((ret_code > 0) && (ret_code < ERR_MAXIMUM)) LOGE(emsg[ret_code]);
- return ret_code;
+ return -ret_code;
 }
 
 PKCS12 *get_p12_handle(const char *buf, int bufLen)
diff --git a/keystore/jni/cert.h b/keystore/jni/cert.h
index aaa7602..a9e1a9e 100644
--- a/keystore/jni/cert.h
+++ b/keystore/jni/cert.h
@@ -32,8 +32,9 @@
 #define ERR_CONSTRUCT_NEW_DATA 2
 #define ERR_RSA_KEYGEN 3
 #define ERR_X509_PROCESS 4
-#define ERR_BIO_READ 5
-#define ERR_MAXIMUM 6
+#define ERR_SPKAC_TOO_LONG 5
+#define ERR_INVALID_ARGS 6
+#define ERR_MAXIMUM 7
 
 typedef struct {
 EVP_PKEY *pkey;
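Review bot: `spkstr = NETSCAPE_SPKI_b64_encode(req);` can yield NULL, and the new `strlcpy(reply, spkstr, REPLY_MAX)` then reads through a null pointer; the results of the preceding ASN1_STRING_set, NETSCAPE_SPKI_set_pubkey and NETSCAPE_SPKI_sign calls are discarded too, so a failed signature still produces a reply that looks successful and a key that is saved into the store. The old X509_REQ path checked its sign/write step and used ERR_X509_PROCESS, which is still defined and still in emsg, so the same code can route these failures to the existing cleanup. `return -ret_code;` also flips the sign convention seen by callers; the JNI wrapper that consumes it is outside this diff, so confirm it was updated in the same change. EVP_md5() is carried over from the X509_REQ path; the SPKAC signature is only a proof of possession, but if the consuming server accepts it, a SHA-family digest would be the safer default.
```c
    rsa = NULL;
    if (!ASN1_STRING_set(req->spkac->challenge, challenge, (int)strlen(challenge)) ||
        !NETSCAPE_SPKI_set_pubkey(req, pkey) ||
        !NETSCAPE_SPKI_sign(req, pkey, EVP_md5()) ||
        (spkstr = NETSCAPE_SPKI_b64_encode(req)) == NULL) {
        ret_code = ERR_X509_PROCESS;
        goto err;
    }
    /* … unchanged: strlcpy into reply, save_in_store, err: cleanup … */
```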