static int /* O - 1 on success, 0 on failure */
make_certificate(cupsd_client_t *con) /* I - Client connection */
{
+#if 1
int pid, /* Process ID of command */
status; /* Status of command */
char command[1024], /* Command */
}
return (!status);
+#else
+ int status = 0; /* Return status */
+ OSStatus err; /* Error code (if any) */
+# if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+ char localname[1024];/* Local hostname */
+# endif /* HAVE_DNSSD || HAVE_AVAHI */
+ const char *servername; /* Name of server in cert */
+ CFStringRef cfservername = NULL;
+ /* CF string for server name */
+ SecIdentityRef ident = NULL; /* Identity */
+ SecKeyRef publicKey = NULL,
+ /* Public key */
+ privateKey = NULL;
+ /* Private key */
+ CFDictionaryRef keyParams = NULL;
+ /* Key generation parameters */
+
+
+# if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+ if (con->servername && isdigit(con->servername[0] & 255) && DNSSDHostName)
+ {
+ snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);
+ servername = localname;
+ }
+ else
+# endif /* HAVE_DNSSD || HAVE_AVAHI */
+ servername = con->servername;
+
+ cfservername = CFStringCreateFromCString(kCFAllocatorDefault, servername,
+ kCFStringEncodingUTF8);
+ if (!cfservername)
+ goto cleanup;
+
+ /*
+ * Create a public/private key pair...
+ */
+
+ keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks)))
+ if (!keyParams)
+ goto cleanup;
+
+ CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionaryAddValue(keyParams, kSecAttrKeySizeInBits, CFSTR("2048"));
+ CFDictionaryAddValue(keyParams, kSecAttrLabel,
+ CFSTR("CUPS Self-Signed Certificate"));
+
+ err = SecKeyGeneratePair(keyParams, &publicKey, &privateKey);
+ if (err != noErr)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "SecKeyGeneratePair returned %ld.",
+ (long)err);
+ goto cleanup;
+ }
+
+ /*
+ * Create a self-signed certificate...
+ */
+
+ CE_DataAndType exts[2],
+ *extp = exts;
+ unsigned numExts = 0;
+ CSSM_DATA refId; // mallocd by CSSM_TP_SubmitCredRequest
+ CSSM_APPLE_TP_CERT_REQUEST certReq;
+ CSSM_TP_REQUEST_SET reqSet;
+ sint32 estTime;
+ CSSM_BOOL confirmRequired;
+ CSSM_TP_RESULT_SET_PTR resultSet;
+ CSSM_ENCODED_CERT *encCert;
+ CSSM_APPLE_TP_NAME_OID subjectNames[MAX_NAMES];
+ uint32 numNames = 0;
+ CSSM_TP_CALLERAUTH_CONTEXT CallerAuthContext;
+ CSSM_FIELD policyId;
+
+ certReq.challengeString = NULL;
+
+ extp->type = DT_KeyUsage;
+ extp->critical = CSSM_FALSE;
+ extp->extension.keyUsage = CE_KU_DigitalSignature | CE_KU_KeyCertSign |
+ CE_KU_KeyEncipherment | CE_KU_DataEncipherment;
+ extp ++;
+ numExts ++;
+
+ extp->type = DT_BasicConstraints;
+ extp->critical = CSSM_TRUE;
+ extp->extension.basicConstraints.cA = CSSM_FALSE;
+ extp->extension.basicConstraints.pathLenConstraintPresent = CSSM_FALSE;
+ extp ++;
+ numExts ++;
+
+ subjectNames[0].string = servername;
+ subjectNames[0].oid = &CSSMOID_CommonName;
+ subjectNames[1].string = "";
+ subjectNames[1].oid = &CSSMOID_OrganizationName;
+ subjectNames[2].string = "";
+ subjectNames[2].oid = &CSSMOID_CountryName;
+ subjectNames[3].string = "";
+ subjectNames[3].oid = &CSSMOID_StateProvinceName;
+ numNames = 4;
+
+ /* certReq */
+ certReq.cspHand = cspHand;
+ certReq.clHand = clHand;
+ certReq.serialNumber = 0x12345678; // TBD - random? From user?
+ certReq.numSubjectNames = numNames;
+ certReq.subjectNames = subjectNames;
+ certReq.numIssuerNames = 0;
+ certReq.issuerNames = NULL;
+ certReq.issuerNameX509 = NULL;
+ certReq.certPublicKey = subjPubKey;
+ certReq.issuerPrivateKey = signerPrivKey;
+ certReq.signatureAlg = sigAlg;
+ certReq.signatureOid = *sigOid;
+ certReq.notBefore = 0; // TBD - from user
+ certReq.notAfter = 10 * 365 * 86400;
+ certReq.numExtensions = numExts;
+ certReq.extensions = exts;
+ reqSet.NumberOfRequests = 1;
+ reqSet.Requests = &certReq;
+
+ memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
+
+ memset(&policyId, 0, sizeof(CSSM_FIELD));
+ policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
+
+ CallerAuthContext.Policy.NumberOfPolicyIds = 1;
+ CallerAuthContext.Policy.PolicyIds = &policyId;
+
+ CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tpHand,
+ NULL, // PreferredAuthority
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ &reqSet,
+ &CallerAuthContext,
+ &estTime,
+ &refId);
+ /* before proceeding, free resources allocated thus far */
+#if CERT_TOOL
+ if (!useAllDefaults) {
+ freeNameOids(subjectNames, numNames);
+ }
+#endif
+
+ if (crtn) {
+ cuPrintError("CSSM_TP_SubmitCredRequest", crtn);
+ return crtn;
+ }
+ crtn = CSSM_TP_RetrieveCredResult(tpHand,
+ &refId,
+ NULL, // CallerAuthCredentials
+ &estTime,
+ &confirmRequired,
+ &resultSet);
+ if (crtn) {
+ cuPrintError("CSSM_TP_RetrieveCredResult", crtn);
+ return crtn;
+ }
+ if (resultSet == NULL) {
+ coreLog("httpserver", "***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
+ return ioErr;
+ }
+ encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
+ *certData = encCert->CertBlob;
+ /* free resources allocated by TP */
+ APP_FREE(refId.Data);
+ APP_FREE(encCert);
+ APP_FREE(resultSet);
+ return noErr;
+
+ /*
+ * Cleanup and return...
+ */
+
+cleanup:
+
+ if (cfservername)
+ CFRelease(cfservername);
+
+ if (keyParams)
+ CFRelease(keyParams);
+
+ if (ident)
+ CFRelease(ident);
+
+ if (publicKey)
+ CFRelease(publicKey);
+
+ if (privateKey)
+ CFRelease(publicKey);
+
+ if (!status)
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to create SSL server key and certificate.");
+
+ return (status);
+#endif // 0
}