initial commit
diff --git a/src/ssl_key_handler.hpp b/src/ssl_key_handler.hpp
new file mode 100644
index 0000000..a658d9c
--- /dev/null
+++ b/src/ssl_key_handler.hpp
@@ -0,0 +1,182 @@
+#pragma once
+
+#include <openssl/bio.h>
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
+#include <openssl/ssl.h>
+
+namespace ensuressl
+{
+static void init_openssl(void);
+static void cleanup_openssl(void);
+static EVP_PKEY *create_rsa_key(void);
+static void handle_openssl_error(void);
+
+inline bool verify_openssl_key_cert(const std::string &filepath)
+{
+ bool private_key_valid = false;
+ bool cert_valid = false;
+ FILE *file = fopen(filepath.c_str(), "r");
+ if (file != NULL){
+ EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
+ int rc;
+ if (pkey) {
+ int type = EVP_PKEY_type(pkey->type);
+ switch (type) {
+ case EVP_PKEY_RSA:
+ case EVP_PKEY_RSA2: {
+ RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+ rc = RSA_check_key(rsa);
+ if (rc == 1) {
+ private_key_valid = true;
+ }
+
+ //RSA_free(rsa);
+
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (private_key_valid) {
+ X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
+ unsigned long err = ERR_get_error();
+
+ rc = X509_verify(x509, pkey);
+ err = ERR_get_error();
+ if (err == 0 && rc == 1) {
+ cert_valid = true;
+ }
+ }
+
+ EVP_PKEY_free(pkey);
+ }
+ fclose(file);
+ }
+ return cert_valid;
+}
+
+inline void generate_ssl_certificate(const std::string &filepath)
+{
+ EVP_PKEY *pPrivKey = NULL;
+ FILE *pFile = NULL;
+ init_openssl();
+
+ pPrivKey = create_rsa_key();
+
+ // Use this code to directly generate a certificate
+ X509 *x509;
+ x509 = X509_new();
+ if (x509) {
+ // TODO get actually random int
+ ASN1_INTEGER_set(X509_get_serialNumber(x509), 1584);
+
+ // not before this moment
+ X509_gmtime_adj(X509_get_notBefore(x509), 0);
+ // Cert is valid for 10 years
+ X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
+
+ // set the public key to the key we just generated
+ X509_set_pubkey(x509, pPrivKey);
+
+ // Get the subject name
+ X509_NAME *name;
+ name = X509_get_subject_name(x509);
+
+ X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1,
+ -1, 0);
+ X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
+ (unsigned char *)"Intel BMC", -1, -1, 0);
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+ (unsigned char *)"testhost", -1, -1, 0);
+ // set the CSR options
+ X509_set_issuer_name(x509, name);
+
+ // Sign the certificate with our private key
+ X509_sign(x509, pPrivKey, EVP_sha256());
+
+ pFile = fopen(filepath.c_str(), "wt");
+
+ if (pFile) {
+ PEM_write_PrivateKey(pFile, pPrivKey, NULL, NULL, 0, 0, NULL);
+ PEM_write_X509(pFile, x509);
+ fclose(pFile);
+ pFile = NULL;
+ }
+
+ X509_free(x509);
+ }
+
+ if (pPrivKey) {
+ EVP_PKEY_free(pPrivKey);
+ pPrivKey = NULL;
+ }
+
+ //cleanup_openssl();
+}
+
+EVP_PKEY *create_rsa_key(void)
+{
+ RSA *pRSA = NULL;
+ EVP_PKEY *pKey = NULL;
+ pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
+ pKey = EVP_PKEY_new();
+ if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
+ /* pKey owns pRSA from now */
+ if (RSA_check_key(pRSA) <= 0) {
+ fprintf(stderr, "RSA_check_key failed.\n");
+ handle_openssl_error();
+ EVP_PKEY_free(pKey);
+ pKey = NULL;
+ }
+ } else {
+ handle_openssl_error();
+ if (pRSA) {
+ RSA_free(pRSA);
+ pRSA = NULL;
+ }
+ if (pKey) {
+ EVP_PKEY_free(pKey);
+ pKey = NULL;
+ }
+ }
+ return pKey;
+}
+
+void init_openssl(void)
+{
+ if (SSL_library_init()) {
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+ RAND_load_file("/dev/urandom", 1024);
+ } else
+ exit(EXIT_FAILURE);
+}
+
+void cleanup_openssl(void)
+{
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+ ERR_remove_thread_state(0);
+ EVP_cleanup();
+}
+
+void handle_openssl_error(void) { ERR_print_errors_fp(stderr); }
+inline void ensure_openssl_key_present_and_valid(const std::string &filepath)
+{
+ bool pem_file_valid = false;
+
+ pem_file_valid = verify_openssl_key_cert(filepath);
+
+ if (!pem_file_valid) {
+ generate_ssl_certificate(filepath);
+ }
+}
+}
\ No newline at end of file