From faa7eef9a4e2ae350c1d7bf33ed8368130e50b21 Mon Sep 17 00:00:00 2001
From: Cameron Gutman
Date: Sat, 24 Jul 2021 07:21:52 -0500
Subject: [PATCH] Don't add X509v3 extensions

There is something wrong with the combination of extension we add that causes OpenSSL to believe these certificates were issued by a CA and fail to validate them because it can't find the issuing CA cert. The certificates work fine without the extensions, so just don't add them (which is what other Moonlight clients do).
---
 libgamestream/mkcert.c | 32 --------------------------------
 1 file changed, 32 deletions(-)

diff --git a/libgamestream/mkcert.c b/libgamestream/mkcert.c
index 0665825..2f8007d 100644
--- a/libgamestream/mkcert.c
+++ b/libgamestream/mkcert.c
@@ -32,7 +32,6 @@ static const int SERIAL = 0;
 static const int NUM_YEARS = 10;
 
 int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int years);
-int add_ext(X509 *cert, int nid, char *value);
 
 CERT_KEY_PAIR mkcert_generate() {
   BIO *bio_err;
@@ -142,11 +141,6 @@ int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int years) {
    */
   X509_set_issuer_name(x, name);
 
-  /* Add various extensions: standard extensions */
-  add_ext(x, NID_key_usage, "critical,digitalSignature,keyEncipherment");
-
-  add_ext(x, NID_subject_key_identifier, "hash");
-
   if (!X509_sign(x, pk, EVP_sha256())) {
     goto err;
   }
@@ -158,29 +152,3 @@ int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int years) {
 err:
   return(0);
 }
-
-/* Add extension using V3 code: we can set the config file as NULL
- * because we wont reference any other sections.
- */
-
-int add_ext(X509 *cert, int nid, char *value)
-{
-  X509_EXTENSION *ex;
-  X509V3_CTX ctx;
-  /* This sets the 'context' of the extensions. */
-  /* No configuration database */
-  X509V3_set_ctx_nodb(&ctx);
-  /* Issuer and subject certs: both the target since it is self signed,
-   * no request and no CRL
-   */
-  X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
-  ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
-  if (!ex) {
-    return 0;
-  }
-
-  X509_add_ext(cert, ex, -1);
-  X509_EXTENSION_free(ex);
-  return 1;
-}
-