EST: Add CSR generation support with BoringSSL
authorJouni Malinen <jouni@qca.qualcomm.com>
Fri, 4 Dec 2015 14:25:21 +0000 (16:25 +0200)
committerJouni Malinen <j@w1.fi>
Fri, 4 Dec 2015 18:08:31 +0000 (20:08 +0200)
This completes EST support with hs20-osu-client when built with
BoringSSL instead of OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hs20/client/est.c

index d754e61..90a51d5 100644 (file)
@@ -16,6 +16,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifdef OPENSSL_IS_BORINGSSL
+#include <openssl/buf.h>
+#endif /* OPENSSL_IS_BORINGSSL */
 
 #include "common.h"
 #include "utils/base64.h"
@@ -238,8 +241,6 @@ ASN1_CHOICE(CsrAttrs) = {
 IMPLEMENT_ASN1_FUNCTIONS(CsrAttrs);
 
 
-#ifndef OPENSSL_IS_BORINGSSL
-
 static void add_csrattrs_oid(struct hs20_osu_client *ctx, ASN1_OBJECT *oid,
                             STACK_OF(X509_EXTENSION) *exts)
 {
@@ -334,6 +335,23 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
        if (!csrattrs || ! csrattrs->attrs)
                return;
 
+#ifdef OPENSSL_IS_BORINGSSL
+       num = sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *,
+                                 csrattrs->attrs));
+       for (i = 0; i < num; i++) {
+               AttrOrOID *ao = sk_value(
+                       CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *,
+                                    csrattrs->attrs), i);
+               switch (ao->type) {
+               case 0:
+                       add_csrattrs_oid(ctx, ao->d.oid, exts);
+                       break;
+               case 1:
+                       add_csrattrs_attr(ctx, ao->d.attribute, exts);
+                       break;
+               }
+       }
+#else /* OPENSSL_IS_BORINGSSL */
        num = SKM_sk_num(AttrOrOID, csrattrs->attrs);
        for (i = 0; i < num; i++) {
                AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i);
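Review bot: The BoringSSL branch added at L36–L51 repeats the whole OpenSSL loop that follows it, although only the two stack accessors differ, so every later change to the `switch` has to be made twice. Confining the `#ifdef` to a pair of file-scope accessor macros lets the loop and the `switch` be written once, as sketched below. `CHECKED_CAST` and `_STACK` look like BoringSSL's internal stack plumbing rather than a public interface, so the cast deserves a comment naming the header it relies on. `num` and `i` are declared outside the hunk; if they are `int`, the `size_t` that BoringSSL's `sk_num` returns is narrowed silently, and a `default:` arm (e.g. `default: wpa_printf(MSG_DEBUG, "EST: Ignore unknown AttrOrOID type %d", ao->type); break;`) would also document that other choice indices are deliberately skipped. add_csrattrs starts before this hunk and the OpenSSL branch continues past it.
```c
/* File scope, before add_csrattrs(): one accessor pair per library so the
 * loop below is written once. The BoringSSL variants go through the generic
 * _STACK API (see <openssl/stack.h>), which is the only difference. */
#ifdef OPENSSL_IS_BORINGSSL
#define csrattrs_sk_num(s) \
	sk_num(CHECKED_CAST(_STACK *, STACK_OF(AttrOrOID) *, (s)))
#define csrattrs_sk_value(s, i) \
	sk_value(CHECKED_CAST(_STACK *, const STACK_OF(AttrOrOID) *, (s)), (i))
#else /* OPENSSL_IS_BORINGSSL */
#define csrattrs_sk_num(s) SKM_sk_num(AttrOrOID, (s))
#define csrattrs_sk_value(s, i) SKM_sk_value(AttrOrOID, (s), (i))
#endif /* OPENSSL_IS_BORINGSSL */

	/* … unchanged: NULL checks on csrattrs / csrattrs->attrs … */
	num = csrattrs_sk_num(csrattrs->attrs);
	for (i = 0; i < num; i++) {
		AttrOrOID *ao = csrattrs_sk_value(csrattrs->attrs, i);
		/* … unchanged: switch (ao->type) dispatching to add_csrattrs_oid / add_csrattrs_attr … */
	}
```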
@@ -346,20 +364,14 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs,
                        break;
                }
        }
-}
-
 #endif /* OPENSSL_IS_BORINGSSL */
+}
 
 
 static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
                        char *csr_pem, char *est_req, char *old_cert,
                        CsrAttrs *csrattrs)
 {
-#ifdef OPENSSL_IS_BORINGSSL
-       wpa_printf(MSG_ERROR,
-               "EST: CSR generation not yet supported with BoringSSL");
-       return -1;
-#else /* OPENSSL_IS_BORINGSSL */
        EVP_PKEY_CTX *pctx = NULL;
        EVP_PKEY *pkey = NULL;
        RSA *rsa;
@@ -371,6 +383,7 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
        STACK_OF(X509_EXTENSION) *exts = NULL;
        X509_EXTENSION *ex;
        BIO *out;
+       CONF *ctmp = NULL;
 
        wpa_printf(MSG_INFO, "Generate RSA private key");
        write_summary(ctx, "Generate RSA private key");
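Review bot: `CONF *ctmp = NULL;` at L82 is never assigned anywhere in the patch, so the three `X509V3_EXT_nconf_nid(ctmp, …)` calls in the later hunk (L92, L100, L108) always receive a null configuration and the variable only hides that. Passing `NULL` directly, e.g. `ex = X509V3_EXT_nconf_nid(NULL, NULL, NID_basic_constraints, "CA:FALSE");`, or keeping `ctmp` with a comment such as `/* no CONF needed: the extension values below are literal strings */` would make the intent visible. Presumably the move from `X509V3_EXT_conf_nid` to `X509V3_EXT_nconf_nid` is what the BoringSSL build requires; a one-line comment saying so would spare the next reader the same archaeology. generate_csr starts before this hunk and continues past it.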
@@ -452,20 +465,20 @@ static int generate_csr(struct hs20_osu_client *ctx, char *key_pem,
        if (!exts)
                goto fail;
 
-       ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
-                                "CA:FALSE");
+       ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_basic_constraints,
+                                 "CA:FALSE");
        if (ex == NULL ||
            !sk_X509_EXTENSION_push(exts, ex))
                goto fail;
 
-       ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage,
-                                "nonRepudiation,digitalSignature,keyEncipherment");
+       ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_key_usage,
+                                 "nonRepudiation,digitalSignature,keyEncipherment");
        if (ex == NULL ||
            !sk_X509_EXTENSION_push(exts, ex))
                goto fail;
 
-       ex = X509V3_EXT_conf_nid(NULL, NULL, NID_ext_key_usage,
-                                "1.3.6.1.4.1.40808.1.1.2");
+       ex = X509V3_EXT_nconf_nid(ctmp, NULL, NID_ext_key_usage,
+                                 "1.3.6.1.4.1.40808.1.1.2");
        if (ex == NULL ||
            !sk_X509_EXTENSION_push(exts, ex))
                goto fail;
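Review bot: Each of the three rewritten sites checks `ex == NULL` and the push result in one condition, so when `sk_X509_EXTENSION_push` fails the freshly created `ex` is never freed before `goto fail`; the commit touches these calls without addressing that pre-existing leak (the `fail:` cleanup is outside this hunk, and an extension that was never pushed is not owned by `exts`). A small helper that owns the extension until the push succeeds removes both the leak and the triplication, and the three sites collapse to a single condition. generate_csr starts before this hunk and continues past it.
```c
/* Build extension `nid` from `value` and append it to `exts`.
 * Frees the extension itself if the push fails, so the caller never owns it.
 * Returns 0 on success, -1 on error. */
static int add_ext(STACK_OF(X509_EXTENSION) *exts, CONF *conf, int nid,
		   char *value)
{
	X509_EXTENSION *ex = X509V3_EXT_nconf_nid(conf, NULL, nid, value);

	if (ex == NULL)
		return -1;
	if (!sk_X509_EXTENSION_push(exts, ex)) {
		X509_EXTENSION_free(ex);
		return -1;
	}
	return 0;
}

	/* … unchanged: exts allocation and NULL check … */
	if (add_ext(exts, ctmp, NID_basic_constraints, "CA:FALSE") < 0 ||
	    add_ext(exts, ctmp, NID_key_usage,
		    "nonRepudiation,digitalSignature,keyEncipherment") < 0 ||
	    add_ext(exts, ctmp, NID_ext_key_usage,
		    "1.3.6.1.4.1.40808.1.1.2") < 0)
		goto fail;
```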
@@ -566,7 +579,6 @@ fail:
        if (pctx)
                EVP_PKEY_CTX_free(pctx);
        return ret;
-#endif /* OPENSSL_IS_BORINGSSL */
 }