view ui/sslhelp.cpp @ 999:daa9448b64f5

(issue90) Use certificate pinning and forced ciphersuites for curl
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 01 Sep 2014 19:49:54 +0200
parents 6c4f526a4c5b
children c8a6a3e6bdeb
line wrap: on
line source
/* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU GPL (v>=2)
 * and comes with ABSOLUTELY NO WARRANTY!
 * See LICENSE.txt for details.
 */
#include "sslhelp.h"
#include <polarssl/sha256.h>
#include <polarssl/pk.h>
#include <polarssl/entropy.h>
#include <polarssl/ctr_drbg.h>
#include <QApplication>
#include <QUuid>
#include <QDebug>

QString getPolarSSLErrorMsg(int ret)
{
    char errbuf[1020];
    polarssl_strerror(ret, errbuf, 1020);
    errbuf[1019] = '\0'; /* Just to be sure */
    return QString::fromLatin1(errbuf);
}

QByteArray sha256sum(const QByteArray& data)
{
    unsigned char output[32];
    sha256((unsigned char *)data.constData(), (size_t)data.size(), output, 0);
    return QByteArray((const char *)output, 32);
}

QByteArray rsaSignSHA256Hash(const QByteArray& hash, pk_context *pk)
{
    int ret = 0;
    unsigned char sig[POLARSSL_MPI_MAX_SIZE];
    size_t sig_len;
    entropy_context entropy;
    ctr_drbg_context ctr_drbg;

    entropy_init(&entropy);

    QUuid uuid = QUuid::createUuid();
    QString personalString = QApplication::applicationName() + uuid.toString();
    QByteArray personalBa = personalString.toLocal8Bit();

    /*
    * Initialize random generator.
    * Personalisation string, does not need to be random but
    * should be unique according to documentation.
    *
    * the ctr_drbg structure does not need to be freed explicitly.
    */
    ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy,
                        (const unsigned char*) personalBa.constData(),
                        personalBa.size());
    if (ret != 0) {
        qDebug() << "Failed to initialize drbg: " << getPolarSSLErrorMsg(ret);
        entropy_free (&entropy);
        return QByteArray();
    }

    ret = pk_sign(pk, POLARSSL_MD_SHA256, (const unsigned char*) hash.constData(),
                  hash.size(), sig, &sig_len, ctr_drbg_random, &ctr_drbg);
    entropy_free (&entropy);

    if (ret != 0) {
        qDebug() << "Failed to sign: " << getPolarSSLErrorMsg(ret);
        return QByteArray();
    }

    if (sig_len != 3072 / 8) {
        qDebug() << "Invalid size of signature: " << sig_len;
        return QByteArray();
    }

    return QByteArray((const char *)sig, (int)sig_len);
}

http://wald.intevation.org/projects/trustbridge/