ECDSA certificate generation
This commit is contained in:
@@ -105,35 +105,27 @@ static EVP_PKEY* GenerateRsaKey(int bits, BN_ULONG uPublicKey)
|
|||||||
|
|
||||||
// Generates EC keypair
|
// Generates EC keypair
|
||||||
//
|
//
|
||||||
static EVP_PKEY* GenerateEcKey(int bits, BN_ULONG uPublicKey)
|
static EVP_PKEY* GenerateEcKey(int nid = NID_X9_62_prime256v1)
|
||||||
{
|
{
|
||||||
EVP_PKEY *evpPrivKey = NULL;
|
EVP_PKEY *evpPrivKey = NULL;
|
||||||
|
EC_KEY *privKey = EC_KEY_new_by_curve_name(nid);
|
||||||
BIGNUM *pubKey = BN_new();
|
if (privKey)
|
||||||
if (pubKey)
|
|
||||||
{
|
{
|
||||||
if (BN_set_word(pubKey, uPublicKey))
|
EC_KEY_set_asn1_flag(privKey, OPENSSL_EC_NAMED_CURVE);
|
||||||
|
if (EC_KEY_generate_key(privKey))
|
||||||
{
|
{
|
||||||
EC_KEY *privKey = EC_KEY_new_by_curve_name(NID_secp256k1);
|
if ((evpPrivKey = EVP_PKEY_new()))
|
||||||
if (privKey)
|
|
||||||
{
|
{
|
||||||
if (EC_KEY_generate_key(privKey))
|
if (!EVP_PKEY_assign_EC_KEY(evpPrivKey, privKey))
|
||||||
{
|
{
|
||||||
if ((evpPrivKey = EVP_PKEY_new()))
|
EVP_PKEY_free(evpPrivKey);
|
||||||
{
|
evpPrivKey = NULL;
|
||||||
if (!EVP_PKEY_assign_EC_KEY(evpPrivKey, privKey))
|
|
||||||
{
|
|
||||||
EVP_PKEY_free(evpPrivKey);
|
|
||||||
evpPrivKey = NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!evpPrivKey)
|
|
||||||
EC_KEY_free(privKey);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
BN_free(pubKey);
|
|
||||||
|
if(!evpPrivKey)
|
||||||
|
EC_KEY_free(privKey);
|
||||||
}
|
}
|
||||||
|
|
||||||
return evpPrivKey;
|
return evpPrivKey;
|
||||||
@@ -349,6 +341,7 @@ static bool CheckCredentials(EVP_PKEY *key, X509 *cert)
|
|||||||
bIsOk = (EC_KEY_check_key(eccKey) == 1);
|
bIsOk = (EC_KEY_check_key(eccKey) == 1);
|
||||||
EC_KEY_free(eccKey);
|
EC_KEY_free(eccKey);
|
||||||
}
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
// Currently only RSA & EC keys are supported.
|
// Currently only RSA & EC keys are supported.
|
||||||
// Other key types can be added here in further.
|
// Other key types can be added here in further.
|
||||||
@@ -408,7 +401,9 @@ bool GenerateCredentials(
|
|||||||
|
|
||||||
// Generating RSA key and the self-signed certificate for it
|
// Generating RSA key and the self-signed certificate for it
|
||||||
//
|
//
|
||||||
key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4);
|
//key = GenerateRsaKey(TLS_RSA_KEY_SIZE, RSA_F4);
|
||||||
|
//key = GenerateEcKey(NID_secp256k1);
|
||||||
|
key = GenerateEcKey();
|
||||||
if (key)
|
if (key)
|
||||||
{
|
{
|
||||||
cert = GenerateCertificate(key);
|
cert = GenerateCertificate(key);
|
||||||
|
|||||||
16
src/net.cpp
16
src/net.cpp
@@ -70,10 +70,10 @@ using namespace hush;
|
|||||||
|
|
||||||
#define USE_TLS
|
#define USE_TLS
|
||||||
|
|
||||||
#if defined(USE_TLS) && !defined(TLS1_2_VERSION)
|
#if defined(USE_TLS) && !defined(TLS1_3_VERSION)
|
||||||
// minimum secure protocol is 1.2
|
// minimum secure protocol is 1.3
|
||||||
// TLS1_2_VERSION is defined in openssl/tls1.h
|
// TLS1_3_VERSION is defined in openssl/tls1.h
|
||||||
#error "ERROR: Your OpenSSL version does not support TLS v1.2"
|
#error "ERROR: Your OpenSSL version does not support TLS v1.3"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
@@ -456,7 +456,8 @@ CNode* ConnectNode(CAddress addrConnect, const char *pszDest)
|
|||||||
|
|
||||||
NODE_ADDR nodeAddr(addrConnect.ToStringIP());
|
NODE_ADDR nodeAddr(addrConnect.ToStringIP());
|
||||||
|
|
||||||
bool bUseTLS = (find(vNonTLSNodesOutbound.begin(),
|
bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only")
|
||||||
|
&& find(vNonTLSNodesOutbound.begin(),
|
||||||
vNonTLSNodesOutbound.end(),
|
vNonTLSNodesOutbound.end(),
|
||||||
nodeAddr) == vNonTLSNodesOutbound.end());
|
nodeAddr) == vNonTLSNodesOutbound.end());
|
||||||
unsigned long err_code = 0;
|
unsigned long err_code = 0;
|
||||||
@@ -1208,7 +1209,8 @@ static void AcceptConnection(const ListenSocket& hListenSocket) {
|
|||||||
|
|
||||||
NODE_ADDR nodeAddr(addr.ToStringIP());
|
NODE_ADDR nodeAddr(addr.ToStringIP());
|
||||||
|
|
||||||
bool bUseTLS = (find(vNonTLSNodesInbound.begin(),
|
bool bUseTLS = ((GetBoolArg("-tls", true) || GetArg("-tls", "") == "only")
|
||||||
|
&& find(vNonTLSNodesInbound.begin(),
|
||||||
vNonTLSNodesInbound.end(),
|
vNonTLSNodesInbound.end(),
|
||||||
nodeAddr) == vNonTLSNodesInbound.end());
|
nodeAddr) == vNonTLSNodesInbound.end());
|
||||||
unsigned long err_code = 0;
|
unsigned long err_code = 0;
|
||||||
@@ -2450,7 +2452,7 @@ bool CNode::GetTlsFallbackNonTls()
|
|||||||
if (tlsFallbackNonTls == eTlsOption::FALLBACK_UNSET)
|
if (tlsFallbackNonTls == eTlsOption::FALLBACK_UNSET)
|
||||||
{
|
{
|
||||||
// one time only setting of static class attribute
|
// one time only setting of static class attribute
|
||||||
if ( GetBoolArg("-tlsfallbacknontls", true))
|
if ( GetArg("-tls", "") != "only" )
|
||||||
{
|
{
|
||||||
LogPrint("tls", "%s():%d - Non-TLS connections will be used in case of failure of TLS\n",
|
LogPrint("tls", "%s():%d - Non-TLS connections will be used in case of failure of TLS\n",
|
||||||
__func__, __LINE__);
|
__func__, __LINE__);
|
||||||
|
|||||||
Reference in New Issue
Block a user