[Osiris-devel] osirismd cert generation complete
Brian Wotring
brian at shmoo.com
Thu Aug 1 18:52:37 EDT 2002
The management daemon now tries to load the cert and private key; if the
cert is there, it fails. If no cert is there, a 2048-bit RSA
self-signed cert is generated and loaded with default values for CN, C,
and OU and written to disk. The implementation is below.
I didn't generate a serial for this cert; is this necessary, Pablos?
#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

/* bool, TRUE, FALSE, log_message(), genrsa_cb() and the DEFAULT_CERT_*
 * strings come from osirismd's own headers, not from OpenSSL. */

/*****************************************************************************
**
** Function: make_certificate
**
** Purpose: generate an X509 certificate and private key for use with
** osirismd, this will be just default values for the fields
** so that this daemon can start and serve requests.
**
*****************************************************************************/
bool make_certificate( X509 **x509p, EVP_PKEY **pkeyp, int bits,
                       int serial, int days )
{
    X509      *x      = NULL;
    EVP_PKEY  *pk     = NULL;
    RSA       *rsa    = NULL;
    X509_NAME *name   = NULL;
    bool       own_pk = FALSE;   /* TRUE if pk was allocated here */
    bool       own_x  = FALSE;   /* TRUE if x was allocated here  */

    /* both out-pointers are written at the end, so they must be non-NULL. */
    if( ( x509p == NULL ) || ( pkeyp == NULL ) )
    {
        return FALSE;
    }

    /* use the caller's key object if one was passed in, else allocate one. */
    if( (*pkeyp) == NULL )
    {
        if( ( pk = EVP_PKEY_new() ) == NULL )
        {
            return FALSE;
        }
        own_pk = TRUE;
    }
    else
    {
        pk = (*pkeyp);
    }

    /* same for the certificate object. */
    if( (*x509p) == NULL )
    {
        if( ( x = X509_new() ) == NULL )
        {
            goto error;
        }
        own_x = TRUE;
    }
    else
    {
        x = (*x509p);
    }

    log_message( "Generating RSA key, 2048 bit long modulus." );
    fprintf( stdout, "Generating RSA key, %d bit long modulus.\n", bits );

    /* RSA_generate_key() returns NULL on failure (bad bits, no entropy). */
    if( ( rsa = RSA_generate_key( bits, RSA_F4, genrsa_cb, NULL ) ) == NULL )
    {
        goto error;
    }

    /* on success pk takes ownership of rsa; on failure we must free it. */
    if( !EVP_PKEY_assign_RSA( pk, rsa ) )
    {
        RSA_free( rsa );
        goto error;
    }
    rsa = NULL;

    /* the version field is zero-based: 2 encodes X509v3 (3 would encode an
     * undefined v4). v3 is what is needed once extensions are added. */
    X509_set_version( x, 2 );

    /* note: RFC 5280 requires a positive serial, so 0 must not be passed here. */
    ASN1_INTEGER_set( X509_get_serialNumber( x ), serial );

    /* valid from now for `days` days. */
    X509_gmtime_adj( X509_get_notBefore( x ), 0 );
    X509_gmtime_adj( X509_get_notAfter( x ), (long)( 60*60*24*days ) );
    X509_set_pubkey( x, pk );

    name = X509_get_subject_name( x );

    /* setup default values for cert fields. */
    X509_NAME_add_entry_by_txt( name, "C",  MBSTRING_ASC,
                                (const unsigned char *)DEFAULT_CERT_C,  -1, -1, 0 );
    X509_NAME_add_entry_by_txt( name, "CN", MBSTRING_ASC,
                                (const unsigned char *)DEFAULT_CERT_CN, -1, -1, 0 );
    X509_NAME_add_entry_by_txt( name, "OU", MBSTRING_ASC,
                                (const unsigned char *)DEFAULT_CERT_OU, -1, -1, 0 );

    /* self signed, so we set issuer to be the same as the subject. */
    X509_set_issuer_name( x, name );

    /* TODO: add extension here. */

    /* sign this certificate. MD5 is no longer acceptable as a certificate
     * signature digest, so SHA-256 is used in place of the original EVP_md5(). */
    if( !X509_sign( x, pk, EVP_sha256() ) )
    {
        goto error;
    }

    /* pass values back from this function. */
    (*x509p) = x;
    (*pkeyp) = pk;
    return TRUE;

error:
    /* release only what was allocated here; caller-supplied objects stay theirs. */
    if( own_x )
    {
        X509_free( x );
    }
    if( own_pk )
    {
        EVP_PKEY_free( pk );
    }
    return FALSE;
}
--
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D
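The startup policy described in the message above (use the cert and key on disk if they are there, otherwise generate a self-signed pair and write it out) is shown below as an added example using the openssl command line. This is not Osiris code and is not from the post or its author; it fills in the pieces the posted C function leaves at defaults or omits: a random positive serial, X.509 v3 extensions, a SHA-256 signature, and a private key file created with mode 0600. The directory layout, file names, subject and SAN are placeholders (assumptions), not the daemon's actual defaults, which the post does not show.

```shell
#!/bin/sh
# Added example, not Osiris code: command-line equivalent of the osirismd
# startup policy (reuse the cert/key on disk, else generate a self-signed pair).
# Paths, subject and SAN are placeholders; they are not the daemon's defaults.

set -eu

BITS=2048
DAYS=3650
SUBJ="/C=US/OU=osirismd/CN=osirismd"   # placeholder subject (assumption)
SAN="DNS:osirismd.example"             # placeholder SAN (assumption)

# Minimal req config. openssl req insists on a distinguished_name section even
# when -subj supplies the subject, so an empty one is given; v3_srv holds the
# extensions the posted C code still has a TODO for.
write_req_config() {
    cat >"$1" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_srv ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
subjectAltName = $SAN
EOF
}

# Prints "existing" if a usable cert/key pair is already in $1, "generated"
# if a new pair was created; returns 1 if what is on disk cannot be used.
ensure_cert() {
    dir=$1
    cert="$dir/osirismd.crt"
    key="$dir/osirismd.key"
    mkdir -p "$dir"

    if [ -e "$cert" ] || [ -e "$key" ]; then
        # Never overwrite an identity that clients may already have pinned.
        if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
            echo "incomplete cert/key pair in $dir" >&2
            return 1
        fi
        # The key must belong to the cert, or the daemon would start and then
        # fail every TLS handshake.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "private key does not match certificate in $dir" >&2
            return 1
        fi
        echo existing
        return 0
    fi

    cfg="$dir/req.cnf"
    write_req_config "$cfg"
    # umask in a subshell so the key file is created 0600 without changing the
    # caller's umask. openssl req -x509 assigns a random positive serial itself.
    (
        umask 077
        openssl req -x509 -newkey "rsa:$BITS" -nodes -sha256 -days "$DAYS" \
            -subj "$SUBJ" -config "$cfg" -extensions v3_srv \
            -keyout "$key" -out "$cert" >/dev/null 2>&1
    ) || { echo "certificate generation failed" >&2; return 1; }
    rm -f "$cfg"
    echo generated
}

# Inspection helpers for checking what was written to disk.
cert_version() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'; }
cert_sigalg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *\(.*\)$/\1/p' | head -n 1; }
cert_serial()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
key_mode()     { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Usage: ./osirismd-cert.sh /path/to/certdir
if [ $# -gt 0 ]; then
    ensure_cert "$1"
fi
```

Running it twice against the same directory shows both branches: the first call prints "generated" and leaves a v3, SHA-256-signed certificate with a non-zero serial beside a 0600 key file; the second prints "existing" and touches nothing. A key that does not match the certificate makes it fail rather than start a daemon that cannot complete a handshake.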