Hi All,
I have a requirement to get unique certificate for each user.
To achieve that I am modifying the CN field of CERT subject name by appending
the user index to CN field.
Eg.
If CN=sanjay
For userIndex 1, I want to modify it like CN=sanjay000001, considering the user
count to 1 Lakh.
I have the below code to achieve the above requirement.
But I am memory dump in below line:
if (!X509_NAME_add_entry(target_sub_name, target_entry, -1,
0))
{
LOG_EVENT(LOG_LEVEL_ERROR, FACILITY_IKEV2, "Failed
adding entry to certificate");
}
.
Seems it this doesn't allow to increment the length of CN field(look like array
overflow).
Any help to achieve the above requirement or any other way of doing the same ?
Thanks,
Sanjay
Function used to modify the CN field in certificate:
int Certificateclass::generate_cert(X509 *x509, uint32_t user_id, uint8_t
**user_cert, EVP_PKEY *cakey, uint32_t usr_cert_len)
{
unsigned char *ptr = NULL, *temp = NULL, target_cn_value[EAY_MAX_CN_LEN] =
{'\0'};
int len = 0, nid = 0;
uint8_t entry_count = 0, i = 0;
char sub_name_str[EAY_MAX_CN_LEN] = {'\0'}; /*used for logging purpose*/
X509_NAME *base_sub_name = NULL, *target_sub_name = NULL;
X509_NAME_ENTRY *entry = NULL, *target_entry = NULL;
ASN1_OBJECT *entry_obj = NULL;
ASN1_STRING *entry_string = NULL;
char *dataStart = NULL;
long nameLength = 0;
BIO *subjectBio = BIO_new(BIO_s_mem());
char temp_cn[EAY_MAX_CN_LEN]= {'\0'};
base_sub_name = X509_get_subject_name(x509);
entry_count = X509_NAME_entry_count(base_sub_name);
target_sub_name = X509_NAME_new();
X509_NAME_print_ex(subjectBio, base_sub_name, 0, XN_FLAG_ONELINE);
nameLength = BIO_get_mem_data(subjectBio, &dataStart);
memcpy(sub_name_str, dataStart, nameLength);
sub_name_str[nameLength] = '\0';
for (i = 0; i < entry_count; i++)
{
entry = X509_NAME_get_entry(base_sub_name, i); /*Get all element from
cert sub name*/
if (entry)
{
entry_obj = X509_NAME_ENTRY_get_object(entry);
if (entry_obj)
{
nid = OBJ_obj2nid(entry_obj);
if (NID_commonName == nid)
{
/* if entry NID is CN then append user index, else simply
add to target_sub_name */
if( NULL == commonName)
{
if(NULL != sub_name_str){
LOG_EVENT (LOG_LEVEL_INFO, FACILITY_IKEV2,
"Certificate subject name received:%s", sub_name_str);
}
commonName = (uint8_t *)calloc(1, EAY_MAX_CN_LEN);
X509_NAME_get_text_by_NID(base_sub_name, nid, (char
*)commonName, EAY_MAX_CN_LEN);
}
{
/*Modifying the certificate subject name */
memcpy(temp_cn, commonName, strlen((char *)commonName));
snprintf((char *)target_cn_value, EAY_MAX_CN_LEN,
"%s%06d", temp_cn, user_id);
}
/*adding the new subject to target Enrty*/
target_entry = X509_NAME_ENTRY_create_by_NID(NULL, nid,
MBSTRING_ASC, target_cn_value, -1);
if(NULL == target_entry)
LOG_EVENT(LOG_LEVEL_ERROR, FACILITY_IKEV2, "Failed to
create target_entry, it is NULL");
if (!X509_NAME_add_entry(target_sub_name, target_entry, -1,
0))
{
LOG_EVENT(LOG_LEVEL_ERROR, FACILITY_IKEV2, "Failed
adding entry to certificate");
}
}
else
{
if (!X509_NAME_add_entry(target_sub_name, entry, -1, 0))
{
LOG_EVENT(LOG_LEVEL_ERROR, FACILITY_IKEV2, "Failed
adding entry to certificate");
}
}
}
}
}
X509_set_subject_name(x509, target_sub_name);
BIO_free(subjectBio);
subjectBio = BIO_new(BIO_s_mem());
X509_NAME_print_ex(subjectBio, target_sub_name, 0, XN_FLAG_ONELINE);
nameLength = BIO_get_mem_data(subjectBio, &dataStart);
memcpy(sub_name_str, dataStart, nameLength);
sub_name_str[nameLength] = '\0';
if(NULL != sub_name_str)
{
LOG_EVENT (LOG_LEVEL_INFO, FACILITY_IKEV2, "Certificate subject name
updated to:%s for user_id:%d", sub_name_str, user_id);
}
X509_NAME_free(target_sub_name);
BIO_free(subjectBio);
if (!(X509_sign(x509, cakey, EVP_sha1())))
{
LOG_EVENT(LOG_LEVEL_ERROR, FACILITY_IKEV2, "failed to sign the
certificate");
return 0;
}
*user_cert= (unsigned char *) calloc(1, usr_cert_len + 1);
ptr = *user_cert;
temp = ptr;
i2d_X509(x509,(unsigned char **)&ptr);
len = (ptr - temp);
return len;
}
