MeshCentral/MeshAgent
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshAgent synced 2025-12-06 00:13:33 +00:00
Code Issues Releases Wiki Activity

Added workaround for Chrome v75+ bug with self-signed certificates, by adding options for specifying alternate keyUsages

Browse Source
This commit is contained in:
Bryan Roe
2022-06-06 13:25:14 -07:00
parent a1271b27b3
commit d8e6e7f3ab
3 changed files with 21 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
microscript/ILibDuktape_net.c
View File

@@ -2679,8 +2679,16 @@ duk_ret_t ILibDuktape_TLS_generateCertificate(duk_context *ctx)
int len; int len;
struct util_cert cert; struct util_cert cert;
char *data; char *data;
int noUsages = 0;
int certType = CERTIFICATE_TLS_CLIENT;
len = util_mkCert(NULL, &(cert), 3072, 10000, "localhost", CERTIFICATE_TLS_CLIENT, NULL); if (!duk_is_null_or_undefined(ctx, 1) && duk_is_object(ctx, 1))
{
certType = Duktape_GetIntPropertyValue(ctx, 1, "certType", CERTIFICATE_TLS_CLIENT);
noUsages = Duktape_GetIntPropertyValue(ctx, 1, "noUsages", 0);
}
len = util_mkCertEx(NULL, &(cert), 3072, 10000, "localhost", certType, NULL, noUsages);
len = util_to_p12(cert, passphrase, &data); len = util_to_p12(cert, passphrase, &data);
duk_push_fixed_buffer(ctx, len); duk_push_fixed_buffer(ctx, len);
@@ -2788,7 +2796,7 @@ void ILibDuktape_tls_PUSH(duk_context *ctx, void *chain)
ILibDuktape_CreateInstanceMethodWithIntProperty(ctx, "tls", 1, "createServer", ILibDuktape_net_createServer, DUK_VARARGS); ILibDuktape_CreateInstanceMethodWithIntProperty(ctx, "tls", 1, "createServer", ILibDuktape_net_createServer, DUK_VARARGS);
ILibDuktape_CreateInstanceMethod(ctx, "connect", ILibDuktape_TLS_connect, DUK_VARARGS); ILibDuktape_CreateInstanceMethod(ctx, "connect", ILibDuktape_TLS_connect, DUK_VARARGS);
ILibDuktape_CreateInstanceMethod(ctx, "createSecureContext", ILibDuktape_TLS_createSecureContext, 1); ILibDuktape_CreateInstanceMethod(ctx, "createSecureContext", ILibDuktape_TLS_createSecureContext, 1);
ILibDuktape_CreateInstanceMethod(ctx, "generateCertificate", ILibDuktape_TLS_generateCertificate, 1); ILibDuktape_CreateInstanceMethod(ctx, "generateCertificate", ILibDuktape_TLS_generateCertificate, DUK_VARARGS);
ILibDuktape_CreateInstanceMethod(ctx, "loadCertificate", ILibDuktape_TLS_loadCertificate, 1); ILibDuktape_CreateInstanceMethod(ctx, "loadCertificate", ILibDuktape_TLS_loadCertificate, 1);
ILibDuktape_CreateInstanceMethod(ctx, "loadpkcs7b", ILibDuktape_TLS_loadpkcs7b, 1); ILibDuktape_CreateInstanceMethod(ctx, "loadpkcs7b", ILibDuktape_TLS_loadpkcs7b, 1);

8
microstack/ILibCrypto.c
View File

@@ -682,7 +682,7 @@ void __fastcall util_printcert_pk(struct util_cert cert)
// Creates a X509 certificate, if rootcert is NULL this creates a root (self-signed) certificate. // Creates a X509 certificate, if rootcert is NULL this creates a root (self-signed) certificate.
// Is the name parameter is NULL, the hex value of the hash of the public key will be the subject name. // Is the name parameter is NULL, the hex value of the hash of the public key will be the subject name.
int __fastcall util_mkCert(struct util_cert *rootcert, struct util_cert* cert, int bits, int days, char* name, enum CERTIFICATE_TYPES certtype, struct util_cert* initialcert) int __fastcall util_mkCertEx(struct util_cert *rootcert, struct util_cert* cert, int bits, int days, char* name, enum CERTIFICATE_TYPES certtype, struct util_cert* initialcert, int noUsages)
{ {
X509 *x = NULL; X509 *x = NULL;
X509_EXTENSION *ex = NULL; X509_EXTENSION *ex = NULL;
@@ -762,8 +762,7 @@ int __fastcall util_mkCert(struct util_cert *rootcert, struct util_cert* cert, i
// Add various extensions: standard extensions // Add various extensions: standard extensions
util_add_ext(x, NID_basic_constraints, "critical,CA:TRUE"); util_add_ext(x, NID_basic_constraints, "critical,CA:TRUE");
util_add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign"); if (noUsages == 0) { util_add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign"); }
util_add_ext(x, NID_subject_key_identifier, "hash"); util_add_ext(x, NID_subject_key_identifier, "hash");
//util_add_ext(x, NID_netscape_cert_type, "sslCA"); //util_add_ext(x, NID_netscape_cert_type, "sslCA");
//util_add_ext(x, NID_netscape_comment, "example comment extension"); //util_add_ext(x, NID_netscape_comment, "example comment extension");
@@ -777,9 +776,12 @@ int __fastcall util_mkCert(struct util_cert *rootcert, struct util_cert* cert, i
X509_set_issuer_name(x, cname); X509_set_issuer_name(x, cname);
// Add usual cert stuff // Add usual cert stuff
if (noUsages == 0)
{
ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, "digitalSignature, keyEncipherment, keyAgreement"); ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, "digitalSignature, keyEncipherment, keyAgreement");
X509_add_ext(x, ex, -1); X509_add_ext(x, ex, -1);
X509_EXTENSION_free(ex); X509_EXTENSION_free(ex);
}
// Add usages: TLS server, TLS client, Intel(R) AMT Console // Add usages: TLS server, TLS client, Intel(R) AMT Console
//ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage, "TLS Web Server Authentication, TLS Web Client Authentication, 2.16.840.1.113741.1.2.1, 2.16.840.1.113741.1.2.2"); //ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage, "TLS Web Server Authentication, TLS Web Client Authentication, 2.16.840.1.113741.1.2.1, 2.16.840.1.113741.1.2.2");

4
microstack/ILibCrypto.h
View File

@@ -154,7 +154,9 @@ int __fastcall util_from_cer(char* data, int datalen, struct util_cert* cert);
int __fastcall util_from_pem(char* filename, struct util_cert* cert); int __fastcall util_from_pem(char* filename, struct util_cert* cert);
int __fastcall util_from_pem_string(char *data, int datalen, struct util_cert* cert); int __fastcall util_from_pem_string(char *data, int datalen, struct util_cert* cert);
int __fastcall util_from_pkcs7b_string(char *data, int datalen, char *out, int outLen); int __fastcall util_from_pkcs7b_string(char *data, int datalen, char *out, int outLen);
int __fastcall util_mkCert(struct util_cert *rootcert, struct util_cert* cert, int bits, int days, char* name, enum CERTIFICATE_TYPES certtype, struct util_cert* initialcert); int __fastcall util_mkCertEx(struct util_cert *rootcert, struct util_cert* cert, int bits, int days, char* name, enum CERTIFICATE_TYPES certtype, struct util_cert* initialcert, int noUsages);
#define util_mkCert(rootcert, cert, bits, days, name, certtype, initialcert) util_mkCertEx(rootcert, cert, bits, days, name, certtype, initialcert,0)
void __fastcall util_printcert(struct util_cert cert); void __fastcall util_printcert(struct util_cert cert);
void __fastcall util_printcert_pk(struct util_cert cert); void __fastcall util_printcert_pk(struct util_cert cert);