Beispiel #1
0
int
X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
{
	if ((x == NULL) || (x->req_info == NULL))
		return (0);
	return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));
}
Beispiel #2
0
int
X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
{
	if ((x == NULL) || (x->cert_info == NULL))
		return (0);
	return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
}
Beispiel #3
0
ByteArray PublicKey::getKeyIdentifier() throw (EncodeException)
{
	ByteArray ret;
	unsigned int size;
	X509_PUBKEY *pubkey = NULL;
	
	if(X509_PUBKEY_set(&pubkey, this->key) == 0)
	{
		throw EncodeException(EncodeException::UNKNOWN, "PublicKey::getKeyIdentifier");
	}
			
	ret = ByteArray(EVP_MAX_MD_SIZE);
	EVP_Digest(pubkey->public_key->data, pubkey->public_key->length, ret.getDataPointer(), &size, EVP_sha1(), NULL);
	ret = ByteArray(ret.getDataPointer(), size);

	X509_PUBKEY_free(pubkey);
	
	return ret;
	
	//return ByteArray(digest, digestLen);

	/*	ByteArray der = this->getDerEncoded();
	MessageDigest md(MessageDigest::SHA1);
	
	MessageDigest::loadMessageDigestAlgorithms();
	
	return md.doFinal(der);*/
}
Beispiel #4
0
int
NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
{
	if ((x == NULL) || (x->spkac == NULL))
		return (0);
	return (X509_PUBKEY_set(&(x->spkac->pubkey), pkey));
}
Beispiel #5
0
PKI_DIGEST *PKI_X509_KEYPAIR_VALUE_pub_digest ( PKI_X509_KEYPAIR_VALUE *pkey,
							PKI_DIGEST_ALG *md ) {

	X509_PUBKEY *xpk = NULL;
	ASN1_BIT_STRING *key = NULL;
	PKI_DIGEST * ret = NULL;

	if (!pkey) return NULL;

	if( !md ) md = PKI_DIGEST_ALG_DEFAULT;

	if(!X509_PUBKEY_set(&xpk, pkey )) {
		PKI_log_debug("PKI_X509_KEYPAIR_pub_digest()::Error building X509 "
			"PUBKEY data");
		return NULL;
	}
	if((key = xpk->public_key ) == NULL ) {
		PKI_log_debug("PKI_X509_KEYPAIR_pub_digest()::No pubkey found!");
		return ( NULL );
	}

	if( key->length < 1 ) {
		PKI_log_debug("PKI_X509_KEYPAIR_pub_digest()::Pubkey len is 0!");
		return ( NULL );
	}

	if(( ret = PKI_DIGEST_new( md, key->data, 
					(size_t) key->length )) == NULL ) {
		PKI_log_debug("PKI_X509_KEYPAIR_pub_digest()::%s",
			ERR_error_string( ERR_get_error(), NULL ));
		return ( NULL );
	}

	return ( ret );
}
Beispiel #6
0
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
{
    if (x == NULL)
        return (0);
    x->req_info.enc.modified = 1;
    return (X509_PUBKEY_set(&x->req_info.pubkey, pkey));
}
Beispiel #7
0
uint8_t *
cga_key2der(EVP_PKEY *k, int *dlen)
{
	uint8_t *p;
	uint8_t *der = NULL;
	X509_PUBKEY *pki = NULL;
	
	if (X509_PUBKEY_set(&pki, k) == 0) {
		ssl_err(__FUNCTION__, "X509_PUBKEY_set() failed");
		goto done;
	}

	if ((*dlen = i2d_X509_PUBKEY(pki, NULL)) < 0) {
		ssl_err(__FUNCTION__, "i2d_PublicKey failed");
		goto done;
	}
	if ((der = malloc(*dlen)) == NULL) {
		APPLOG_NOMEM();
		goto done;
	}

	p = der;
	if (i2d_X509_PUBKEY(pki, &p) < 0) {
		ssl_err(__FUNCTION__, "i2d_PublicKey failed");
		free(der);
		der = NULL;
	}
	DBG(&dbg_asn1, "DER-encoded key is %d bytes", *dlen);

done:
	if (pki) X509_PUBKEY_free(pki);
	return (der);
}
Beispiel #8
0
int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp)
	{
	X509_PUBKEY *xpk=NULL;
	int ret;
	if(!a) return 0;
	if(!X509_PUBKEY_set(&xpk, a)) return 0;
	ret = i2d_X509_PUBKEY(xpk, pp);
	X509_PUBKEY_free(xpk);
	return ret;
	}
Beispiel #9
0
int PKI_X509_CERT_check_pubkey(PKI_X509_CERT *x, PKI_X509_KEYPAIR *k)
{
	int ret = 0;

	X509_PUBKEY *pub_key = NULL;
	PKI_X509_KEYPAIR_VALUE *k_val = NULL;

	PKI_STRING *c_pubkey = NULL;
	PKI_STRING *k_pubkey = NULL;

	// Input checks
	if (!x || !x->value || !k || !k->value) return -1;

	// Gets the certificate's public key bits
	c_pubkey = PKI_X509_CERT_get_data(x, PKI_X509_DATA_PUBKEY_BITSTRING);
	if (!c_pubkey) return -99;

	// Gets the Key Value from the KeyPair
	k_val = PKI_X509_get_value(k);
	if (!k_val) 
	{
		// Let's return ok, because in HSMs we might not have
		// access to the pubkey data
		return 0;
	}

	// Gets the KeyPair public key bits
	if (!X509_PUBKEY_set(&pub_key, k_val)) return -99;

	// Now let's point to tke KeyPair's public key
	k_pubkey = pub_key->public_key;

	// Compares the two bit strings
	ret = PKI_STRING_cmp(c_pubkey, k_pubkey);
	
	// Frees the memory
	X509_PUBKEY_free(pub_key);

	// Let's return the result of the operation
	return ret;
}
Beispiel #10
0
int pkey_GOST01cp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out,
                          size_t *out_len, const unsigned char *key,
                          size_t key_len)
{
    GOST_KEY_TRANSPORT *gkt = NULL;
    EVP_PKEY *pubk = EVP_PKEY_CTX_get0_pkey(pctx);
    struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(pctx);
    const struct gost_cipher_info *param = get_encryption_params(NULL);
    unsigned char ukm[8], shared_key[32], crypted_key[44];
    int ret = 0;
    int key_is_ephemeral = 1;
    gost_ctx cctx;
    EVP_PKEY *sec_key = EVP_PKEY_CTX_get0_peerkey(pctx);
    if (data->shared_ukm) {
        memcpy(ukm, data->shared_ukm, 8);
    } else if (out) {

        if (RAND_bytes(ukm, 8) <= 0) {
            GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT,
                    GOST_R_RANDOM_GENERATOR_FAILURE);
            return 0;
        }
    }
    /* Check for private key in the peer_key of context */
    if (sec_key) {
        key_is_ephemeral = 0;
        if (!gost_get0_priv_key(sec_key)) {
            GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT,
                    GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR);
            goto err;
        }
    } else {
        key_is_ephemeral = 1;
        if (out) {
            sec_key = EVP_PKEY_new();
            EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new());
            EVP_PKEY_copy_parameters(sec_key, pubk);
            if (!gost2001_keygen(EVP_PKEY_get0(sec_key))) {
                goto err;
            }
        }
    }
    if (!get_gost_engine_param(GOST_PARAM_CRYPT_PARAMS)
        && param == gost_cipher_list) {
        param = gost_cipher_list + 1;
    }
    if (out) {
        VKO_compute_key(shared_key, 32,
                        EC_KEY_get0_public_key(EVP_PKEY_get0(pubk)),
                        EVP_PKEY_get0(sec_key), ukm);
        gost_init(&cctx, param->sblock);
        keyWrapCryptoPro(&cctx, shared_key, ukm, key, crypted_key);
    }
    gkt = GOST_KEY_TRANSPORT_new();
    if (!gkt) {
        goto err;
    }
    if (!ASN1_OCTET_STRING_set(gkt->key_agreement_info->eph_iv, ukm, 8)) {
        goto err;
    }
    if (!ASN1_OCTET_STRING_set(gkt->key_info->imit, crypted_key + 40, 4)) {
        goto err;
    }
    if (!ASN1_OCTET_STRING_set
        (gkt->key_info->encrypted_key, crypted_key + 8, 32)) {
        goto err;
    }
    if (key_is_ephemeral) {
        if (!X509_PUBKEY_set
            (&gkt->key_agreement_info->ephem_key, out ? sec_key : pubk)) {
            GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT,
                    GOST_R_CANNOT_PACK_EPHEMERAL_KEY);
            goto err;
        }
    }
    ASN1_OBJECT_free(gkt->key_agreement_info->cipher);
    gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid);
    if (key_is_ephemeral)
        EVP_PKEY_free(sec_key);
    if (!key_is_ephemeral) {
        /* Set control "public key from client certificate used" */
        if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL)
            <= 0) {
            GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT, GOST_R_CTRL_CALL_FAILED);
            goto err;
        }
    }
    if ((*out_len = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL)) > 0)
        ret = 1;
    GOST_KEY_TRANSPORT_free(gkt);
    return ret;
 err:
    if (key_is_ephemeral)
        EVP_PKEY_free(sec_key);
    GOST_KEY_TRANSPORT_free(gkt);
    return -1;
}
Beispiel #11
0
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
{
    if (x == NULL)
        return 0;
    return X509_PUBKEY_set(&(x->cert_info.key), pkey);
}
int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char* key, size_t key_len ) 
	{
	GOST_KEY_TRANSPORT *gkt=NULL;
	unsigned char shared_key[32], ukm[8],crypted_key[44];
	const struct gost_cipher_info *param=get_encryption_params(NULL);
	EVP_PKEY *pubk = EVP_PKEY_CTX_get0_pkey(ctx);
	struct gost_pmeth_data *data = (gost_pmeth_data*)EVP_PKEY_CTX_get_data(ctx);
	gost_ctx cctx;
	int key_is_ephemeral=1;
	EVP_PKEY *mykey = EVP_PKEY_CTX_get0_peerkey(ctx);

	/* Do not use vizir cipher parameters with cryptopro */
	if (!get_gost_engine_param(GOST_PARAM_CRYPT_PARAMS) && param ==  gost_cipher_list)
		{
		param= gost_cipher_list+1;
		}	

	if (mykey) 
		{
		/* If key already set, it is not ephemeral */
		key_is_ephemeral=0;
		if (!gost_get0_priv_key(mykey)) 
			{
			GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
			GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR);
			goto err;
			}	
		} 
	else 
		{
		/* Otherwise generate ephemeral key */
		key_is_ephemeral = 1;
		if (out) 
			{
			mykey = EVP_PKEY_new();
			EVP_PKEY_assign(mykey, EVP_PKEY_base_id(pubk),DSA_new());
			EVP_PKEY_copy_parameters(mykey,pubk);
			if (!gost_sign_keygen((DSA*)EVP_PKEY_get0(mykey))) 
				{
				goto err;
				}	
			}
		}	
	if (out)
		make_cp_exchange_key(gost_get0_priv_key(mykey),pubk,shared_key);
	if (data->shared_ukm) 
		{
		TINYCLR_SSL_MEMCPY(ukm,data->shared_ukm,8);
		}
	else if (out) 
		{	
		if (RAND_bytes(ukm,8)<=0)
			{
			GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
					GOST_R_RANDOM_GENERATOR_FAILURE);
			goto err;
			}	
		}
		
	if (out) {
		gost_init(&cctx,param->sblock);
		keyWrapCryptoPro(&cctx,shared_key,ukm,key,crypted_key);
	}	
	gkt = GOST_KEY_TRANSPORT_new();
	if (!gkt)
		{
		goto memerr;
		}	
	if(!ASN1_OCTET_STRING_set(gkt->key_agreement_info->eph_iv,
			ukm,8))
		{
		goto memerr;
		}	
	if (!ASN1_OCTET_STRING_set(gkt->key_info->imit,crypted_key+40,4))
		{
		goto memerr;
		}
	if (!ASN1_OCTET_STRING_set(gkt->key_info->encrypted_key,crypted_key+8,32))
		{
		goto memerr;
		}
	if (key_is_ephemeral) {	
	if (!X509_PUBKEY_set(&gkt->key_agreement_info->ephem_key,out?mykey:pubk))
		{
		GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,GOST_R_CANNOT_PACK_EPHEMERAL_KEY);
		goto err;
		}
		if (out) EVP_PKEY_free(mykey);
	}	
	ASN1_OBJECT_free(gkt->key_agreement_info->cipher);
	gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid);
	*outlen = i2d_GOST_KEY_TRANSPORT(gkt,out?&out:NULL);
	if (*outlen == 0)
		{
		GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,GOST_R_ERROR_PACKING_KEY_TRANSPORT_INFO);
		goto err;
		}
	if (!key_is_ephemeral)
		{
		/* Set control "public key from client certificate used" */
		if (EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) <= 0)
			{
			GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
				GOST_R_CTRL_CALL_FAILED);
			goto err;
			}
		}
	GOST_KEY_TRANSPORT_free(gkt);
	return 1;	
	memerr:
		if (key_is_ephemeral) {
			EVP_PKEY_free(mykey);
		}	
	GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
		GOST_R_MALLOC_FAILURE);
	err:		
	GOST_KEY_TRANSPORT_free(gkt);
	return -1;
	}
Beispiel #13
0
int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
{
    int is_sct_valid = -1;
    SCT_CTX *sctx = NULL;
    X509_PUBKEY *pub = NULL, *log_pkey = NULL;
    const CTLOG *log;

    /*
     * With an unrecognized SCT version we don't know what such an SCT means,
     * let alone validate one.  So we return validation failure (0).
     */
    if (sct->version != SCT_VERSION_V1) {
        sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_VERSION;
        return 0;
    }

    log = CTLOG_STORE_get0_log_by_id(ctx->log_store,
                                     sct->log_id, sct->log_id_len);

    /* Similarly, an SCT from an unknown log also cannot be validated. */
    if (log == NULL) {
        sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_LOG;
        return 0;
    }

    sctx = SCT_CTX_new();
    if (sctx == NULL)
        goto err;

    if (X509_PUBKEY_set(&log_pkey, CTLOG_get0_public_key(log)) != 1)
        goto err;
    if (SCT_CTX_set1_pubkey(sctx, log_pkey) != 1)
        goto err;

    if (SCT_get_log_entry_type(sct) == CT_LOG_ENTRY_TYPE_PRECERT) {
        EVP_PKEY *issuer_pkey;

        if (ctx->issuer == NULL) {
            sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
            goto end;
        }

        issuer_pkey = X509_get0_pubkey(ctx->issuer);

        if (X509_PUBKEY_set(&pub, issuer_pkey) != 1)
            goto err;
        if (SCT_CTX_set1_issuer_pubkey(sctx, pub) != 1)
            goto err;
    }

    /*
     * XXX: Potential for optimization.  This repeats some idempotent heavy
     * lifting on the certificate for each candidate SCT, and appears to not
     * use any information in the SCT itself, only the certificate is
     * processed.  So it may make more sense to to do this just once, perhaps
     * associated with the shared (by all SCTs) policy eval ctx.
     *
     * XXX: Failure here is global (SCT independent) and represents either an
     * issue with the certificate (e.g. duplicate extensions) or an out of
     * memory condition.  When the certificate is incompatible with CT, we just
     * mark the SCTs invalid, rather than report a failure to determine the
     * validation status.  That way, callbacks that want to do "soft" SCT
     * processing will not abort handshakes with false positive internal
     * errors.  Since the function does not distinguish between certificate
     * issues (peer's fault) and internal problems (out fault) the safe thing
     * to do is to report a validation failure and let the callback or
     * application decide what to do.
     */
    if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
        sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
    else
        sct->validation_status = SCT_verify(sctx, sct) == 1 ?
            SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;

end:
    is_sct_valid = sct->validation_status == SCT_VALIDATION_STATUS_VALID;
err:
    X509_PUBKEY_free(pub);
    X509_PUBKEY_free(log_pkey);
    SCT_CTX_free(sctx);

    return is_sct_valid;
}
Beispiel #14
0
CPK_MASTER_SECRET *CPK_MASTER_SECRET_create(const char *domain_id,
	EVP_PKEY *pkey, X509_ALGOR *map_algor)
{
	int e = 1;
	CPK_MASTER_SECRET *master = NULL;
	BIGNUM *bn = NULL, *order = NULL;
	X509_PUBKEY *pubkey = NULL;
	int pkey_type;
	int i, bn_size, num_factors;
	unsigned char *bn_ptr;
	
	if (strlen(domain_id) <= 0 || strlen(domain_id) > CPK_MAX_ID_LENGTH) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_ID_LENGTH);
		goto err;
	}
	
	pkey_type = EVP_PKEY_id(pkey);
	if (pkey_type == EVP_PKEY_DSA) {
		if (!(order = ((DSA *)EVP_PKEY_get0(pkey))->q)) {
			CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_BAD_ARGUMENT);
			goto err;
		}
	} else if (pkey_type == EVP_PKEY_EC) {
		const EC_GROUP *ec_group;
		if (!(order = BN_new())) {
			CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
			goto err;
		}
		ec_group = EC_KEY_get0_group((EC_KEY *)EVP_PKEY_get0(pkey));
		if (!EC_GROUP_get_order(ec_group, order, NULL)) {
			CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
			goto err;
		}
		//FIXME OPENSSL_assert
		assert(EC_KEY_get0_public_key((EC_KEY *)EVP_PKEY_get0(pkey)) != NULL);
	} else {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_PKEY_TYPE);
		goto err;		
	}

	if (!(master = CPK_MASTER_SECRET_new())) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	
	master->version = 1;
	if (!X509_NAME_add_entry_by_NID(master->id, NID_organizationName,
		MBSTRING_UTF8, (unsigned char *)domain_id, -1, -1, 0)) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
		goto err;
	}
	
	/* 
	 * convert EVP_PKEY to X509_ALGOR through X509_PUBKEY_set
	 * X509_ALGOR_set0() is another choice but require more code
	 */
	// FIXME: X509_PUBKEY require pkey has a public key
	if (!X509_PUBKEY_set(&pubkey, pkey)) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
		goto err;
	}
	X509_ALGOR_free(master->pkey_algor);
	if (!(master->pkey_algor = X509_ALGOR_dup(pubkey->algor))) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB);
		goto err;
	}
		
	//FIXME: check the validity of CPK_MAP
	X509_ALGOR_free(master->map_algor);
	if (!(master->map_algor = X509_ALGOR_dup(map_algor))) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	if ((num_factors = CPK_MAP_num_factors(map_algor)) <= 0) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_MAP_ALGOR);
		goto err;
	}
	
	/*
	 * create secret factors, for both DSA and EC,
	 * the private keys are both big integers, 
	 */
	bn_size = BN_num_bytes(order);
	if (!ASN1_STRING_set(master->secret_factors, NULL, bn_size * num_factors)) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_ASN1_LIB);
		goto err;
	}
	bn_ptr = M_ASN1_STRING_data(master->secret_factors);
	memset(bn_ptr, 0, M_ASN1_STRING_length(master->secret_factors));
	
	if (!(bn = BN_new())) {
		CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE);
		goto err;
	}
	for (i = 0; i < num_factors; i++) {
		do {
			if (!BN_rand_range(bn, order)) {
				CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE,
					ERR_R_RAND_LIB);
				goto err;
			}
		} while (BN_is_zero(bn));
		
		if (!BN_bn2bin(bn, bn_ptr + bn_size - BN_num_bytes(bn))) {
			CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_BN_LIB);
			goto err;
		}
		bn_ptr += bn_size;
	}
	
	e = 0;
err:
	if (e && master) {
		CPK_MASTER_SECRET_free(master);
		master = NULL;
	}
	if (pubkey) X509_PUBKEY_free(pubkey);
	if (order && pkey_type == EVP_PKEY_EC) BN_free(order);
	if (bn) BN_free(bn);
	return master;
}