From 57a8e57f54ff2cfa514d3555c846cb8bc378186f Mon Sep 17 00:00:00 2001 From: "7u83@mail.ru" <7u83@mail.ru@noemail.net> Date: Mon, 9 Feb 2015 21:04:54 +0000 Subject: [PATCH] Certificate stuff FossilOrigin-Name: f5efe9f37f9bcc74b5f814cdb48dd4986ccbc6088bf5431f4a51583b97e182e3 --- src/ac/wtpman.c | 19 +++++++++++++++++++ src/capwap/Makefile | 3 ++- src/capwap/dtls.h | 16 ++++++++++++++-- src/capwap/dtls_gnutls.h | 1 + ssl/mkcert.sh | 10 ++++++++-- ssl/mkrootca.sh | 3 ++- 6 files changed, 46 insertions(+), 6 deletions(-) diff --git a/src/ac/wtpman.c b/src/ac/wtpman.c index f965ba98..bc94c5dc 100644 --- a/src/ac/wtpman.c +++ b/src/ac/wtpman.c @@ -490,6 +490,25 @@ static int wtpman_establish_dtls(void *arg) cw_dbg(DBG_DTLS,"DTLS session established with %s, cipher=%s", CLIENT_IP,dtls_get_cipher(wtpman->conn)); /* DTLS handshake done */ + + int cert_len; + struct dtls_ssl_cert cert; + + FILE *f; + f = fopen ("pcert.der","wb"); + + printf("Calling peers cert\n"); + cert = dtls_get_peers_cert(wtpman->conn,0); + printf("Back from peers cert\n"); + + printf("Have Peers Cert: %p, %d\n",cert.data,cert.size); + fwrite(cert.data,1,cert.size,f); + + + exit(0); + +// dtls_get_peers_cert(cert_len,&cert_len); + return 1; } diff --git a/src/capwap/Makefile b/src/capwap/Makefile index ae3d71f8..f64b30f7 100644 --- a/src/capwap/Makefile +++ b/src/capwap/Makefile @@ -156,7 +156,8 @@ DTLSOBJS+= dtls_gnutls.o \ dtls_gnutls_accept.o \ dtls_gnutls_connect.o \ dtls_gnutls_bio.o \ - dtls_gnutls_get_cipher.o + dtls_gnutls_get_cipher.o \ + dtls_gnutls_get_peers_cert.o endif DTLSOBJS+=dtls_bio.o diff --git a/src/capwap/dtls.h b/src/capwap/dtls.h index 310d2260..c76a9556 100644 --- a/src/capwap/dtls.h +++ b/src/capwap/dtls.h 
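Review bot: `f = fopen ("pcert.der","wb");` is never checked, so a failed open (read-only working directory, missing path) hands a NULL stream to `fwrite`, and `cert.data`/`cert.size` are written without checking that `dtls_get_peers_cert` actually produced a certificate; `cert.size` is an `int`, so a zero or negative value silently becomes a huge `size_t` length. The unconditional `exit(0)` terminates the entire AC the first time any WTP completes its handshake, and the stream is never closed, so this block reads as debug scaffolding that should not ship; the bare `printf`s also bypass the project's `cw_dbg(DBG_DTLS, ...)` logging used on the line just above. If the dump is meant to remain as a diagnostic it should be guarded as below, and if the backend allocates `cert.data` that buffer must also be released (its ownership is not visible in this commit); `cert_len` is declared and never used. wtpman_establish_dtls begins before this hunk.
```c
	/* DTLS handshake done */
	/* Diagnostic dump of the peer's certificate; must never abort the AC. */
	struct dtls_ssl_cert cert = dtls_get_peers_cert(wtpman->conn, 0);
	if (cert.data == NULL || cert.size <= 0) {
		cw_dbg(DBG_DTLS, "No peer certificate available from %s", CLIENT_IP);
	} else {
		FILE *f = fopen("pcert.der", "wb");
		if (f == NULL) {
			cw_dbg(DBG_DTLS, "Cannot open pcert.der for writing");
		} else {
			if (fwrite(cert.data, 1, (size_t)cert.size, f) != (size_t)cert.size)
				cw_dbg(DBG_DTLS, "Short write while dumping peer certificate");
			fclose(f);
		}
	}
	return 1;
```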
@@ -19,6 +19,19 @@ #ifndef __DTLS_H #define __DTLS_H +struct dtls_ssl_cert +{ + int size; + int type; + uint8_t * data; +}; + +extern int dtls_bio_read(struct conn *conn, char *out, int maxlen); +extern int dtls_bio_write(struct conn * conn, const char *data, int len); + + + + #ifdef WITH_GNUTLS #include "dtls_gnutls.h" #define dtls_init dtls_gnutls_init @@ -26,6 +39,7 @@ #define dtls_connect dtls_gnutls_connect #define dtls_shutdown dtls_gnutls_shutdown #define dtls_get_cipher dtls_gnutls_get_cipher + #define dtls_get_peers_cert dtls_gnutls_get_peers_cert #else #include "dtls_openssl.h" @@ -37,8 +51,6 @@ #endif -extern int dtls_bio_read(struct conn *conn, char *out, int maxlen); -extern int dtls_bio_write(struct conn * conn, const char *data, int len); #endif diff --git a/src/capwap/dtls_gnutls.h b/src/capwap/dtls_gnutls.h index 6140ed63..2b3a8076 100644 --- a/src/capwap/dtls_gnutls.h +++ b/src/capwap/dtls_gnutls.h @@ -32,6 +32,7 @@ extern int dtls_gnutls_init(); extern int dtls_gnutls_accept(struct conn * conn); extern int dtls_gnutls_connect(struct conn * conn); extern const char * dtls_gnutls_get_cipher(struct conn * conn); +struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n); /* functions used only by capwap libray */ diff --git a/ssl/mkcert.sh b/ssl/mkcert.sh index 0616aeef..00906ee3 100755 --- a/ssl/mkcert.sh +++ b/ssl/mkcert.sh @@ -38,7 +38,7 @@ createcert() -subj "$SUBJ" - $OPENSSL ca -config openssl-int.cnf \ + $OPENSSL ca -config openssl-crt.cnf \ -keyfile $INT_CA_DIR/${PREF}int-ca.key \ -cert $INT_CA_DIR/${PREF}int-ca.crt \ -batch \ 
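Review bot: `uint8_t * data;` in the new `struct dtls_ssl_cert` requires `<stdint.h>`, and no include for it is visible in this header (the added lines sit directly under the include guard), so a translation unit that includes dtls.h before anything that happens to pull in stdint.h will not compile; add `#include <stdint.h>` right after `#define __DTLS_H` unless it is already included above this hunk. The three fields are also undocumented: nothing states that `size` is a byte count (and `size_t` would remove the negative-length case that an `int` allows), what values `type` takes, or who owns and frees `data`. A block comment such as `/* Raw certificate blob returned by dtls_get_peers_cert(): data/size are the bytes and byte length, type is the backend's format tag; data is owned by <fill in> */` with the ownership answered would let callers use it safely.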
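Review bot: `#define dtls_get_peers_cert dtls_gnutls_get_peers_cert` is added only inside the `#ifdef WITH_GNUTLS` branch, and the diffstat touches neither `dtls_openssl.h` nor the `#else` branch below, so a build without WITH_GNUTLS now has wtpman.c calling an undeclared `dtls_get_peers_cert` (implicit declaration at best, link failure at worst), unless the OpenSSL side already provides one. Either add the OpenSSL counterpart in the same commit or keep the new caller in wtpman.c under `#ifdef WITH_GNUTLS` until it exists.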
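Review bot: `struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);` carries no contract: the meaning of `n` (presumably an index into the peer's chain, with 0 the end-entity certificate as wtpman.c uses it), how failure is signalled (NULL `data` and/or zero `size`?), and whether the caller must free `data` are all unstated, yet the only caller writes `cert.data` straight to disk. A comment on the declaration along the lines of `/* Return certificate n of the peer's chain (0 = end entity), presumably DER; data is NULL and size 0 when unavailable; caller must [free / not free] data. */` would settle the ownership question before more callers appear. The declaration also drops the `extern` its neighbours use; `extern struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn *conn, unsigned int n);` matches them.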
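Review bot: The `openssl ca` call now reads `openssl-crt.cnf`, but the diffstat lists no such file being added, so unless it already exists in `ssl/` the signing step fails and, if the script does not run under `set -e`, execution continues into the `x509`/`cat` steps with a stale or missing `$DIR/$NAME.crt`. Either add the config in this commit or make the failure stop the function, e.g. end the command with `|| return 1`. createcert begins before and ends after this hunk.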
@@ -48,7 +48,12 @@ createcert() $OPENSSL x509 -in $DIR/$NAME.crt -out $DIR/$NAME.pem cat $INT_CA_DIR/${PREF}int-ca.crt >> $DIR/$NAME.pem cat $ROOT_CA_DIR/${PREF}root-ca.crt >> $DIR/$NAME.pem + echo "Root finger print:" + $OPENSSL x509 -in $ROOT_CA_DIR/${PREF}root-ca.crt -noout -sha1 -fingerprint + echo "Int finger print:" $OPENSSL x509 -in $INT_CA_DIR/${PREF}int-ca.crt -noout -sha1 -fingerprint + echo "Cert finger print:" + $OPENSSL x509 -in $DIR/${NAME}.crt -noout -sha1 -fingerprint } @@ -76,7 +81,8 @@ then #SUBJ="/ST=California/L=San Jose/C=US/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" # SUBJ="/C=US/ST=California/L=San Jose/O=airespace Inc/CN=C1130-f866f2a342fc/emailAddress=support@airespace.com" # SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1200-c80aa9cd7fa4/emailAddress=support@cisco.com" - SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" +# SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" + SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-0019dbe09327/emailAddress=support@cisco.com" createcert "$SUBJ" diff --git a/ssl/mkrootca.sh b/ssl/mkrootca.sh index c28f535d..fb4bddaf 100755 --- a/ssl/mkrootca.sh +++ b/ssl/mkrootca.sh @@ -83,7 +83,8 @@ mkrootca "$ROOT_SUBJ" "$INT_SUBJ" cisco-ac #ROOT_SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1200-c80aa9cd7fa4/emailAddress=support@cisco.com" #ROOT_SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=Cisrot/emailAddress=support@cisco.com" -ROOT_SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" +#ROOT_SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-c80aa9cd7fa4/emailAddress=support@cisco.com" +ROOT_SUBJ="/C=US/ST=California/L=San Jose/O=Cisco Systems/CN=C1130-0019dbe09327/emailAddress=support@cisco.com" INT_SUBJ="$ROOT_SUBJ" mkrootca "$ROOT_SUBJ" "$INT_SUBJ" cisco-ap
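Review bot: The two new fingerprint lines use `-sha1`, and SHA-1 is no longer collision-resistant, so the printed values are a weak identifier if they are used to pin or compare the root and leaf certificates; print `-sha256 -fingerprint` instead (or in addition, if a legacy tool still expects SHA-1), e.g. `$OPENSSL x509 -in $ROOT_CA_DIR/${PREF}root-ca.crt -noout -sha256 -fingerprint`. The same applies to the pre-existing intermediate line between them. createcert begins before this hunk.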