2 Copyright (C) 2013 Carl Hetherington <cth@carlh.net>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <boost/filesystem.hpp>
23 #include <boost/algorithm/string.hpp>
24 #include <openssl/sha.h>
25 #include <openssl/bio.h>
26 #include <openssl/evp.h>
28 #include "signer_chain.h"
29 #include "exceptions.h"
35 using std::stringstream;
38 static void command (string c)
40 int const r = system (c.c_str ());
44 if (WEXITSTATUS (r)) {
47 s << "error in " << c << "\n";
48 throw libdcp::MiscError (s.str());
52 /** Extract a public key from a private key and create a SHA1 digest of it.
53 * @param key Private key
54 * @param openssl openssl binary name (or full path if openssl is not on the system path).
55 * @return SHA1 digest of corresponding public key, with escaped / characters.
59 public_key_digest (boost::filesystem::path private_key, boost::filesystem::path openssl)
61 boost::filesystem::path public_name = private_key.string() + ".public";
63 /* Create the public key from the private key */
65 s << openssl.string() << " rsa -outform PEM -pubout -in " << private_key.string() << " > " << public_name.string ();
66 command (s.str().c_str ());
68 /* Read in the public key from the file */
71 ifstream f (public_name.string().c_str ());
77 if (line.length() >= 10 && line.substr(0, 10) == "-----BEGIN") {
79 } else if (line.length() >= 8 && line.substr(0, 8) == "-----END") {
86 /* Decode the base64 of the public key */
88 unsigned char buffer[512];
89 int const N = libdcp::base64_decode (pub, buffer, 1024);
91 /* Hash it with SHA1 (without the first 24 bytes, for reasons that are not entirely clear) */
94 if (!SHA1_Init (&context)) {
95 throw libdcp::MiscError ("could not init SHA1 context");
98 if (!SHA1_Update (&context, buffer + 24, N - 24)) {
99 throw libdcp::MiscError ("could not update SHA1 digest");
102 unsigned char digest[SHA_DIGEST_LENGTH];
103 if (!SHA1_Final (digest, &context)) {
104 throw libdcp::MiscError ("could not finish SHA1 digest");
107 char digest_base64[64];
108 string dig = Kumu::base64encode (digest, SHA_DIGEST_LENGTH, digest_base64, 64);
109 #ifdef LIBDCP_WINDOWS
110 boost::replace_all (dig, "/", "\\/");
112 boost::replace_all (dig, "/", "\\\\/");
118 libdcp::make_signer_chain (boost::filesystem::path directory, boost::filesystem::path openssl)
120 boost::filesystem::path const cwd = boost::filesystem::current_path ();
122 boost::filesystem::current_path (directory);
123 command (openssl.string() + " genrsa -out ca.key 2048");
126 ofstream f ("ca.cnf");
128 << "distinguished_name = req_distinguished_name\n"
129 << "x509_extensions = v3_ca\n"
131 << "basicConstraints = critical,CA:true,pathlen:3\n"
132 << "keyUsage = keyCertSign,cRLSign\n"
133 << "subjectKeyIdentifier = hash\n"
134 << "authorityKeyIdentifier = keyid:always,issuer:always\n"
135 << "[ req_distinguished_name ]\n"
136 << "O = Unique organization name\n"
137 << "OU = Organization unit\n"
138 << "CN = Entity and dnQualifier\n";
141 string const ca_subject = "/O=example.org/OU=example.org/CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION/dnQualifier=" + public_key_digest ("ca.key", openssl);
145 c << openssl.string()
146 << " req -new -x509 -sha256 -config ca.cnf -days 3650 -set_serial 5"
147 << " -subj " << ca_subject << " -key ca.key -outform PEM -out ca.self-signed.pem";
148 command (c.str().c_str());
151 command (openssl.string() + " genrsa -out intermediate.key 2048");
154 ofstream f ("intermediate.cnf");
156 << "distinguished_name = req_distinguished_name\n"
157 << "x509_extensions = v3_ca\n"
159 << "basicConstraints = critical,CA:true,pathlen:2\n"
160 << "keyUsage = keyCertSign,cRLSign\n"
161 << "subjectKeyIdentifier = hash\n"
162 << "authorityKeyIdentifier = keyid:always,issuer:always\n"
163 << "[ req_distinguished_name ]\n"
164 << "O = Unique organization name\n"
165 << "OU = Organization unit\n"
166 << "CN = Entity and dnQualifier\n";
169 string const inter_subject = "/O=example.org/OU=example.org/CN=.smpte-430-2.INTERMEDIATE.NOT_FOR_PRODUCTION/dnQualifier="
170 + public_key_digest ("intermediate.key", openssl);
174 s << openssl.string() << " req -new -config intermediate.cnf -days 3649 -subj " << inter_subject << " -key intermediate.key -out intermediate.csr";
175 command (s.str().c_str());
181 " x509 -req -sha256 -days 3649 -CA ca.self-signed.pem -CAkey ca.key -set_serial 6"
182 " -in intermediate.csr -extfile intermediate.cnf -extensions v3_ca -out intermediate.signed.pem"
185 command (openssl.string() + " genrsa -out leaf.key 2048");
188 ofstream f ("leaf.cnf");
190 << "distinguished_name = req_distinguished_name\n"
191 << "x509_extensions = v3_ca\n"
193 << "basicConstraints = critical,CA:false\n"
194 << "keyUsage = digitalSignature,keyEncipherment\n"
195 << "subjectKeyIdentifier = hash\n"
196 << "authorityKeyIdentifier = keyid,issuer:always\n"
197 << "[ req_distinguished_name ]\n"
198 << "O = Unique organization name\n"
199 << "OU = Organization unit\n"
200 << "CN = Entity and dnQualifier\n";
203 string const leaf_subject = "/O=example.org/OU=example.org/CN=CS.smpte-430-2.LEAF.NOT_FOR_PRODUCTION/dnQualifier="
204 + public_key_digest ("leaf.key", openssl);
208 s << openssl.string() << " req -new -config leaf.cnf -days 3648 -subj " << leaf_subject << " -key leaf.key -outform PEM -out leaf.csr";
209 command (s.str().c_str());
214 " x509 -req -sha256 -days 3648 -CA intermediate.signed.pem -CAkey intermediate.key"
215 " -set_serial 7 -in leaf.csr -extfile leaf.cnf -extensions v3_ca -out leaf.signed.pem"
218 boost::filesystem::current_path (cwd);