diff --git a/private/self-signed-cert.rkt b/private/self-signed-cert.rkt index 5462f14..3077f5e 100644 --- a/private/self-signed-cert.rkt +++ b/private/self-signed-cert.rkt @@ -141,6 +141,8 @@ (define EVP_PKEY_RSA NID_rsaEncryption) (define V_ASN1_OCTET_STRING 4) (define NID_subject_alt_name 85) +(define NID_netscape_comment 78) +(define X509_VERSION_3 2) ;; See OpenSSL documentation (define _string/utf-8-pointer (_ptr o _string/utf-8)) @@ -170,6 +172,7 @@ (X509_new (_fun -> _X509-pointer)) (X509_free (_fun _X509-pointer -> _void)) + (X509_set_version (_fun _X509-pointer _int -> _int)) (X509_get_serialNumber (_fun _X509-pointer -> _ASN1_INTEGER-pointer)) (X509_get0_notBefore (_fun _X509-pointer -> _ASN1_TIME-pointer)) (X509_get0_notAfter (_fun _X509-pointer -> _ASN1_TIME-pointer)) @@ -179,6 +182,7 @@ (X509_NAME_add_entry_by_txt (_fun _X509_NAME-pointer _string/utf-8 _int _string/utf-8 _int _int _int -> _int)) (X509_set_issuer_name (_fun _X509-pointer _X509_NAME-pointer -> _int)) (X509_sign (_fun _X509-pointer _EVP_PKEY-pointer _EVP_MD-pointer -> _int)) + (X509V3_EXT_conf_nid (_fun _pointer _pointer _int _string/utf-8 -> _X509_EXTENSION-pointer)) (X509_EXTENSION_create_by_NID (_fun _pointer ; could also be, (ep : (_ptr o _X509_EXTENSION-pointer)), but works fine when #f is provided _int _int _ASN1_STRING-pointer -> (p : _X509_EXTENSION-pointer) -> p)) @@ -220,6 +224,8 @@ ;; Provided function ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +(define gen-san #t) + (version-define 1 (generate-key (λ (bits) @@ -240,6 +246,7 @@ (when (eq? x509 #f) (error "Unable to create X509 structure")) + (X509_set_version x509 X509_VERSION_3) (ASN1_INTEGER_set (X509_get_serialNumber x509) 1) (X509_gmtime_adj (X509_get0_notBefore x509) 0) (X509_gmtime_adj (X509_get0_notAfter x509) (* duration-in-days 24 3600)) 
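Review bot: `gen-san` is introduced as a module-level constant fixed to `#t` and, as far as this diff shows, nothing can change it, so the `(when gen-san …)` guard in the later hunk is an off switch no caller can reach; either drop the flag and emit the extension unconditionally, or surface it as an optional argument of the generating function (whose signature begins after this hunk). If it stays, a comment should say why it must remain on, e.g. `;; Current TLS clients reject certificates without a Subject Alternative Name; leave #t unless a legacy CN-only cert is really wanted`.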
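Review bot: The return value of the added `X509_set_version` call is discarded; it returns 0 on failure, and the certificate would then stay at the default version while still carrying the extensions added later, which is not a valid combination (extensions require version 3) and would surface only as a confusing rejection by the consuming TLS stack. Mirror the check the function already applies to `X509_sign`: `(when (= (X509_set_version x509 X509_VERSION_3) 0) (X509_free x509) (error "Unable to set X509 version"))`. The enclosing function starts before this hunk and continues past it.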
@@ -255,33 +262,22 @@ "CN" MBSTRING_UTF8 first-host -1 -1 0) (X509_set_issuer_name x509 x509-name) - ;(let* ((alt-name (string-join - ; (map make-alt-entry hosts) ", ")) - ; (ext-san #f) - ; (subj-alt-name-asn1 #f) - ; ) - ; - ; (set! subj-alt-name-asn1 (ASN1_OCTET_STRING_new)) - ; (when (eq? subj-alt-name-asn1 #f) - ; (error "Cannot allocate Subject Alt Name ASN1 string")) - ; - ; (ASN1_OCTET_STRING_set subj-alt-name-asn1 - ; alt-name (string-length alt-name)) - ; - ; (let ((r (X509_EXTENSION_create_by_NID #f NID_subject_alt_name 0 subj-alt-name-asn1))) - ; (when (eq? r #f) - ; (error "Cannot allocate X509 Extenstion for Subject Alt Name")) - ; - ; (let* ((extension_san r) - ; (re (X509_add_ext x509 extension_san -1))) - ; (when (= re 0) - ; (error "Cannot add extension to X509")) - ; - ; (X509_EXTENSION_free extension_san))) - ; - ; (ASN1_STRING_free subj-alt-name-asn1) - ; ) - ) + (when gen-san + (let* ((alt-name (string-join + (map make-alt-entry hosts) ",")) + ) + + (let ((ex (X509V3_EXT_conf_nid #f #f NID_subject_alt_name alt-name))) + (X509_add_ext x509 ex -1) + (X509_EXTENSION_free ex)) + + (let ((ex (X509V3_EXT_conf_nid #f #f NID_netscape_comment "Created by Racket Self Signed Certificate module, see https://pkgd.racket-lang.org/pkgn/package/racket-self-signed-cert"))) + (X509_add_ext x509 ex -1) + (X509_EXTENSION_free ex)) + + ) + ) + (when (= (X509_sign x509 pkey (EVP_sha1)) 0) (X509_free x509) @@ -318,14 +314,7 @@ (EVP_PKEY_free pkey) (X509_free x509) - ;(displayln pkey-data) - ;(displayln x509-data) - ;(displayln (format "pkey: ~a" (bytes->string/utf-8 pkey-data))) - ;(displayln (format "cert: ~a" (bytes->string/utf-8 x509-data))) - (make-self-signed-cert pkey-data x509-data) - ;(bytes->string/utf-8 pkey-data) - ; (bytes->string/utf-8 x509-data)) ) ) )
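Review bot: Both new `let` forms use the result of `X509V3_EXT_conf_nid` without checking it, and also ignore the return of `X509_add_ext`; `X509V3_EXT_conf_nid` returns NULL when the value string does not parse (an invalid IP literal, or a host containing `,` or `:` that `make-alt-entry` passes through), so the certificate would be signed with no Subject Alt Name and nothing would report it — the commented-out code this replaces did check both, and those checks should come back as in the rewrite below (assuming `_X509_EXTENSION-pointer` maps NULL to `#f` the way the `(eq? x509 #f)` check earlier in this function assumes). Because the joined string is parsed by OpenSSL's conf syntax, a caller-supplied host such as `a.example,DNS:evil.example` injects an extra SAN entry, so each host should be validated (no `,`, `:` or whitespace) before `make-alt-entry`. Separately, the context line `(X509_sign x509 pkey (EVP_sha1))` still signs with SHA-1, which current TLS clients reject; `(EVP_sha256)` would need a binding alongside the existing `EVP_sha1`. The enclosing function starts before this hunk and its return value is built in the hunk that follows.
```racket
(when gen-san
  (let ((alt-name (string-join (map make-alt-entry hosts) ",")))
    (let ((ex (X509V3_EXT_conf_nid #f #f NID_subject_alt_name alt-name)))
      (when (eq? ex #f)
        (X509_free x509)
        (error "Cannot create Subject Alt Name extension"))
      (when (= (X509_add_ext x509 ex -1) 0)
        (X509_EXTENSION_free ex)
        (X509_free x509)
        (error "Cannot add Subject Alt Name extension to X509"))
      (X509_EXTENSION_free ex))
    ;; … unchanged: netscape-comment extension, same two checks apply …
    ))
```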