ECDSA certificate generation

miodragpop
2020-10-27 13:45:55 +01:00
parent eaed7355c6
commit 6aac6ed3d7
2 changed files with 25 additions and 28 deletions


@@ -105,35 +105,27 @@ static EVP_PKEY* GenerateRsaKey(int bits, BN_ULONG uPublicKey)
// Generates EC keypair // Generates EC keypair
// //
static EVP_PKEY* GenerateEcKey(int bits, BN_ULONG uPublicKey) static EVP_PKEY* GenerateEcKey(int nid = NID_X9_62_prime256v1)
{ {
EVP_PKEY *evpPrivKey = NULL; EVP_PKEY *evpPrivKey = NULL;
EC_KEY *privKey = EC_KEY_new_by_curve_name(nid);
BIGNUM *pubKey = BN_new(); if (privKey)
if (pubKey)
{ {
if (BN_set_word(pubKey, uPublicKey)) EC_KEY_set_asn1_flag(privKey, OPENSSL_EC_NAMED_CURVE);
if (EC_KEY_generate_key(privKey))
{ {
EC_KEY *privKey = EC_KEY_new_by_curve_name(NID_secp256k1); if ((evpPrivKey = EVP_PKEY_new()))
if (privKey)
{ {
if (EC_KEY_generate_key(privKey)) if (!EVP_PKEY_assign_EC_KEY(evpPrivKey, privKey))
{ {
if ((evpPrivKey = EVP_PKEY_new())) EVP_PKEY_free(evpPrivKey);
{ evpPrivKey = NULL;
if (!EVP_PKEY_assign_EC_KEY(evpPrivKey, privKey))
{
EVP_PKEY_free(evpPrivKey);
evpPrivKey = NULL;
}
}
} }
if(!evpPrivKey)
EC_KEY_free(privKey);
} }
} }
BN_free(pubKey);
if(!evpPrivKey)
EC_KEY_free(privKey);
} }
return evpPrivKey; return evpPrivKey;
@@ -349,6 +341,7 @@ static bool CheckCredentials(EVP_PKEY *key, X509 *cert)
bIsOk = (EC_KEY_check_key(eccKey) == 1); bIsOk = (EC_KEY_check_key(eccKey) == 1);
EC_KEY_free(eccKey); EC_KEY_free(eccKey);
} }
break;
} }
// Currently only RSA & EC keys are supported. // Currently only RSA & EC keys are supported.
// Other key types can be added here in further. // Other key types can be added here in further.
@@ -408,7 +401,9 @@ bool GenerateCredentials(
// Generating RSA key and the self-signed certificate for it // Generating RSA key and the self-signed certificate for it
// //
key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4); //key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4);
//key = GenerateEcKey(NID_secp256k1);
key = GenerateEcKey();
if (key) if (key)
{ {
cert = GenerateCertificate(key); cert = GenerateCertificate(key);
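Review bot: The comment above the key generation in GenerateCredentials still reads `// Generating RSA key and the self-signed certificate for it`, while the new code appears to call `GenerateEcKey()`, which defaults to `NID_X9_62_prime256v1`. I would change it to `// Generating EC key (NID_X9_62_prime256v1) and the self-signed certificate for it` and delete the two commented-out `//key = ...` alternatives rather than keep dead code in the credential path. A short comment at the default argument explaining why P-256 replaces secp256k1 would also help: this commit raises the required protocol to TLS 1.3, whose ECDSA signature schemes are bound to the NIST curves, so a secp256k1 certificate presumably could not be negotiated. GenerateCredentials continues outside the hunk.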


@@ -70,10 +70,10 @@ using namespace hush;
#define USE_TLS #define USE_TLS
#if defined(USE_TLS) && !defined(TLS1_2_VERSION) #if defined(USE_TLS) && !defined(TLS1_3_VERSION)
// minimum secure protocol is 1.2 // minimum secure protocol is 1.3
// TLS1_2_VERSION is defined in openssl/tls1.h // TLS1_3_VERSION is defined in openssl/tls1.h
#error "ERROR: Your OpenSSL version does not support TLS v1.2" #error "ERROR: Your OpenSSL version does not support TLS v1.3"
#endif #endif
@@ -456,7 +456,8 @@ CNode* ConnectNode(CAddress addrConnect, const char *pszDest)
NODE_ADDR nodeAddr(addrConnect.ToStringIP()); NODE_ADDR nodeAddr(addrConnect.ToStringIP());
bool bUseTLS = (find(vNonTLSNodesOutbound.begin(), bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only")
&& find(vNonTLSNodesOutbound.begin(),
vNonTLSNodesOutbound.end(), vNonTLSNodesOutbound.end(),
nodeAddr) == vNonTLSNodesOutbound.end()); nodeAddr) == vNonTLSNodesOutbound.end());
unsigned long err_code = 0; unsigned long err_code = 0;
@@ -1208,7 +1209,8 @@ static void AcceptConnection(const ListenSocket& hListenSocket) {
NODE_ADDR nodeAddr(addr.ToStringIP()); NODE_ADDR nodeAddr(addr.ToStringIP());
bool bUseTLS = (find(vNonTLSNodesInbound.begin(), bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only")
&& find(vNonTLSNodesInbound.begin(),
vNonTLSNodesInbound.end(), vNonTLSNodesInbound.end(),
nodeAddr) == vNonTLSNodesInbound.end()); nodeAddr) == vNonTLSNodesInbound.end());
unsigned long err_code = 0; unsigned long err_code = 0;
@@ -2450,7 +2452,7 @@ bool CNode::GetTlsFallbackNonTls()
if (tlsFallbackNonTls == eTlsOption::FALLBACK_UNSET) if (tlsFallbackNonTls == eTlsOption::FALLBACK_UNSET)
{ {
// one time only setting of static class attribute // one time only setting of static class attribute
if ( GetBoolArg("-tlsfallbacknontls", true)) if ( GetArg("-tls", "") != "only" )
{ {
LogPrint("tls", "%s():%d - Non-TLS connections will be used in case of failure of TLS\n", LogPrint("tls", "%s():%d - Non-TLS connections will be used in case of failure of TLS\n",
__func__, __LINE__); __func__, __LINE__);
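Review bot: In CNode::GetTlsFallbackNonTls the plaintext fallback now depends only on `GetArg("-tls", "") != "only"`, so a node started with `-tlsfallbacknontls=0` silently regains the fallback to non-TLS connections after this change. Because a failed handshake then results in an unencrypted session, I would keep honouring the old switch, e.g. `if (GetArg("-tls", "") != "only" && GetBoolArg("-tlsfallbacknontls", true))`, or at least log a warning when the removed option is still set. The same `-tls` test is repeated in ConnectNode and AcceptConnection; a small helper would keep the three call sites from drifting apart. The function body continues outside the hunk.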