Merge branch 'mysql-5.7' into mysql-trunk

HopHippy · Aug 24, 2017 · 6dc5cde · 6dc5cde
2 parents 948d2eb + 1c582ac
commit 6dc5cde
Show file tree

Hide file tree

Showing 2 changed files with 141 additions and 19 deletions.
diff --git a/client/mysql_ssl_rsa_setup.cc b/client/mysql_ssl_rsa_setup.cc
@@ -72,6 +72,12 @@ enum certs
   OPENSSL_RND
 };
 
+enum extfiles
+{
+  CAV3_EXT=0,
+  CERTV3_EXT
+};
+
 Sql_string_t cert_files[] =
 {
   create_string("ca.pem"),
@@ -88,6 +94,12 @@ Sql_string_t cert_files[] =
   create_string(".rnd")
 };
 
+Sql_string_t ext_files[] =
+{
+  create_string("cav3.ext"),
+  create_string("certv3.ext")
+};
+
 #define MAX_PATH_LEN  (FN_REFLEN - strlen(FN_DIRSEP) \
                        - cert_files[SERVER_CERT].length() - 1)
 /*
@@ -312,6 +324,49 @@ class X509_key
   stringstream m_subj_prefix;
 };
 
+class X509v3_ext_writer
+{
+public:
+  X509v3_ext_writer()
+  {
+    m_cav3_ext_options << "basicConstraints=CA:TRUE" << std::endl;
+
+    m_certv3_ext_options << "basicConstraints=CA:FALSE" << std::endl;
+  }
+  ~X509v3_ext_writer() {};
+
+  bool operator()(const Sql_string_t &cav3_ext_file,
+                  const Sql_string_t &certv3_ext_file)
+  {
+    if (!cav3_ext_file.length() ||
+        !certv3_ext_file.length())
+      return true;
+
+    std::ofstream ext_file;
+
+    ext_file.open(cav3_ext_file.c_str(),
+                  std::ios::out|std::ios::trunc);
+    if (!ext_file.is_open())
+      return true;
+    ext_file << m_cav3_ext_options.str();
+    ext_file.close();
+
+    ext_file.open(certv3_ext_file.c_str(),
+                  std::ios::out|std::ios::trunc);
+    if (!ext_file.is_open())
+    {
+      remove_file(cav3_ext_file.c_str(), false);
+      return true;
+    }
+    ext_file << m_certv3_ext_options.str();
+    ext_file.close();
+
+    return false;
+  }
+private:
+  stringstream m_cav3_ext_options;
+  stringstream m_certv3_ext_options;
+};
 
 class X509_cert
 {
@@ -326,15 +381,17 @@ class X509_cert
                           uint32_t serial,
                           bool self_signed,
                           const Sql_string_t &sign_key_file,
-                          const Sql_string_t &sign_cert_file)
+                          const Sql_string_t &sign_cert_file,
+                          const Sql_string_t &ext_file)
   {
     stringstream command;
     command << "openssl x509 -sha256 -days " << m_validity;
-    command << " -set_serial " << serial << " -req -in " << req_file << " ";
+    command << " -extfile " << ext_file;
+    command << " -set_serial " << serial << " -req -in " << req_file;
     if (self_signed)
-      command << "-signkey " << sign_key_file;
+      command << " -signkey " << sign_key_file;
     else
-      command << "-CA " << sign_cert_file << " -CAkey " << sign_key_file;
+      command << " -CA " << sign_cert_file << " -CAkey " << sign_key_file;
     command << " -out " << cert_file;
 
     return command.str();
@@ -539,6 +596,7 @@ int main(int argc, char *argv[])
       Sql_string_t empty_string("");
       X509_key x509_key(suffix_string);
       X509_cert x509_cert;
+      X509v3_ext_writer x509v3_ext_writer;
 
       /* Delete existing files if any */
       remove_file(cert_files[CA_REQ], false);
@@ -548,14 +606,23 @@ int main(int argc, char *argv[])
       remove_file(cert_files[CLIENT_KEY], false);
       remove_file(cert_files[OPENSSL_RND], false);
 
+      /* Remove existing v3 extension files */
+      remove_file(ext_files[CAV3_EXT], false);
+      remove_file(ext_files[CERTV3_EXT], false);
+
+      /* Create v3 extension files */
+      if (x509v3_ext_writer(ext_files[CAV3_EXT], ext_files[CERTV3_EXT]))
+        goto end;
+
       /* Generate CA Key and Certificate */
       if ((ret_val= execute_command(x509_key("_Auto_Generated_CA_Certificate",
                                              cert_files[CA_KEY], cert_files[CA_REQ]),
                                     "Error generating ca_key.pem and ca_req.pem")))
         goto end;
 
       if ((ret_val= execute_command(x509_cert(cert_files[CA_REQ], cert_files[CA_CERT], 1,
-                                              true, cert_files[CA_KEY], empty_string),
+                                              true, cert_files[CA_KEY], empty_string,
+                                              ext_files[CAV3_EXT]),
                                     "Error generating ca_cert.pem")))
         goto end;
 
@@ -566,7 +633,8 @@ int main(int argc, char *argv[])
         goto end;
 
       if ((ret_val= execute_command(x509_cert(cert_files[SERVER_REQ], cert_files[SERVER_CERT], 2,
-                                              false, cert_files[CA_KEY], cert_files[CA_CERT]),
+                                              false, cert_files[CA_KEY], cert_files[CA_CERT],
+                                              ext_files[CERTV3_EXT]),
                                     "Error generating server_cert.pem")))
         goto end;
 
@@ -577,7 +645,8 @@ int main(int argc, char *argv[])
         goto end;
 
       if ((ret_val= execute_command(x509_cert(cert_files[CLIENT_REQ], cert_files[CLIENT_CERT], 3,
-                                              false, cert_files[CA_KEY], cert_files[CA_CERT]),
+                                              false, cert_files[CA_KEY], cert_files[CA_CERT],
+                                              ext_files[CERTV3_EXT]),
                                     "Error generating client_cert.pem")))
         goto end;
 
@@ -610,6 +679,11 @@ int main(int argc, char *argv[])
         goto end;
 
       remove_file(cert_files[OPENSSL_RND], false);
+
+      /* Remove existing v3 extension files */
+      remove_file(ext_files[CAV3_EXT], false);
+      remove_file(ext_files[CERTV3_EXT], false);
+
     }
 
     /*

diff --git a/sql/auth/sql_authentication.cc b/sql/auth/sql_authentication.cc
@@ -83,6 +83,7 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
+#include <openssl/x509v3.h>
 #else
 #include <openssl/ssl.h>
 #endif /* HAVE_YASSL */
@@ -3772,21 +3773,68 @@ class X509_gen
                     EVP_PKEY *ca_pkey= NULL)
   {
     X509 *x509= X509_new();
+    X509_EXTENSION *ext= 0;
+    X509V3_CTX v3ctx;
+    X509_NAME *name= 0;
+
     DBUG_ASSERT(cn.length() <= MAX_CN_NAME_LENGTH);
-    ASN1_INTEGER_set(X509_get_serialNumber(x509), serial);
-    X509_gmtime_adj(X509_get_notBefore(x509), notbefore);
-    X509_gmtime_adj(X509_get_notAfter(x509), notafter);
-    /* Set public key */
-    X509_set_pubkey(x509, pkey);
-    X509_NAME *name= X509_get_subject_name(x509);
-    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
-      (const unsigned char *)cn.c_str(), -1, -1, 0);
-
-    X509_set_issuer_name(x509,
-                         self_sign ? name : X509_get_subject_name(ca_x509));
-    X509_sign(x509, self_sign ? pkey : ca_pkey, EVP_sha256());
+    DBUG_ASSERT(serial != 0);
+    DBUG_ASSERT(self_sign || (ca_x509 != NULL && ca_pkey != NULL));
+    if (!x509)
+      goto err;
+
+    /** Set certificate version */
+    if (!X509_set_version(x509, 2))
+      goto err;
+
+    /** Set serial number */
+    if (!ASN1_INTEGER_set(X509_get_serialNumber(x509), serial))
+      goto err;
+
+    /** Set certificate validity */
+    if (!X509_gmtime_adj(X509_get_notBefore(x509), notbefore) ||
+        !X509_gmtime_adj(X509_get_notAfter(x509), notafter))
+      goto err;
+
+    /** Set public key */
+    if (!X509_set_pubkey(x509, pkey))
+      goto err;
+
+    /** Set CN value in subject */
+    name= X509_get_subject_name(x509);
+    if (!name)
+      goto err;
+
+    if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+                                    (const unsigned char *)cn.c_str(),
+                                    -1, -1, 0))
+      goto err;
+
+    /** Set Issuer */
+    if (!X509_set_issuer_name(x509, self_sign ? name :
+                                      X509_get_subject_name(ca_x509)))
+      goto err;
+
+    /** Add X509v3 extensions */
+    X509V3_set_ctx(&v3ctx, self_sign ? x509 : ca_x509, x509, NULL, NULL, 0);
+
+    /** Add CA:TRUE / CA:FALSE inforamation */
+    if (!(ext= X509V3_EXT_conf_nid(NULL, &v3ctx, NID_basic_constraints,
+                                   self_sign ?(char *)"critical,CA:TRUE" :
+                                              (char *)"critical,CA:FALSE")))
+      goto err;
+    X509_add_ext(x509, ext, -1);
+    X509_EXTENSION_free(ext);
+
+    /** Sign using SHA256 */
+    if (!X509_sign(x509, self_sign ? pkey : ca_pkey, EVP_sha256()))
+      goto err;
 
     return x509;
+err:
+    if (x509)
+      X509_free(x509);
+    return 0;
   }
 };