void openssl_pkcs7_sign()
{
int len;
BIO *in;
X509 *x;
FILE *fp;
PKCS7 *p7;
X509_ALGOR *md;
PKCS7_SIGNER_INFO *si;
char name[MAX1_LEN], tmp[MAX1_LEN];
unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 sign";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_data);
ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
PKCS7_free(p7);
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
p7->d.sign->cert = sk_X509_new_null();
in = BIO_new_file("/tmp/test.cer", "r");
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
sk_X509_push(p7->d.sign->cert, x);
BIO_free(in);
md = X509_ALGOR_new();
md->algorithm = OBJ_nid2obj(NID_md5);
sk_X509_ALGOR_push(p7->d.sign->md_algs, md);
si = PKCS7_SIGNER_INFO_new();
ASN1_INTEGER_set(si->version, 2);
ASN1_INTEGER_set(si->issuer_and_serial->serial, 333);
sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info, si);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
fp = fopen("/tmp/test.cer", "rb");
len = fread(tmp, 1, MAX1_LEN, fp);
fclose(fp);
p = (unsigned char *)&tmp;
d2i_PKCS7(&p7, (const unsigned char **)&p, len);
OBJ_obj2txt(name, MAX1_LEN, p7->type, 0);
PKCS7_free(p7);
}
void openssl_pkcs7_enveloped()
{
int len;
FILE *fp;
PKCS7 *p7;
PKCS7_RECIP_INFO *inf;
unsigned char *der, *p;
const unsigned char edata[COMM_LEN] = "info....";
const unsigned char ekeys[COMM_LEN] = "key info....";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_enveloped);
ASN1_INTEGER_set(p7->d.enveloped->version, 3);
inf = PKCS7_RECIP_INFO_new();
ASN1_INTEGER_set(inf->version, 4);
ASN1_INTEGER_set(inf->issuer_and_serial->serial, 888888);
inf->key_enc_algor->algorithm = OBJ_nid2obj(NID_des_ede3_cbc);
ASN1_OCTET_STRING_set(inf->enc_key, ekeys, 12);
sk_PKCS7_RECIP_INFO_push(p7->d.enveloped->recipientinfo, inf);
p7->d.enveloped->enc_data->algorithm->algorithm =
OBJ_nid2obj(NID_des_ede3_cbc);
p7->d.enveloped->enc_data->enc_data = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(p7->d.enveloped->enc_data->enc_data, edata, 8);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
PKCS7_free(p7);
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/testEnv.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
PKCS7_free(p7);
free(der);
}
int main(){
PKCS7 *p7;
int ret,len;
char *der,*p;
FILE *fp;
p7 = PKCS7_new();
ret=PKCS7_set_type(p7,NID_pkcs7_encrypted);
ASN1_INTEGER_set(p7->d.encrypted->version,3);
p7->d.encrypted->enc_data->algorithm->algorithm=OBJ_nid2obj(NID_des_ede3_cbc);
p7->d.encrypted->enc_data->enc_data=ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data,(const
unsigned char *)"3434",4);
len=i2d_PKCS7(p7,NULL);
der=(char *)malloc(len);
p=der;
len=i2d_PKCS7(p7,(unsigned char **)&p);
fp=fopen("p7_enc.cer","wb");
fwrite(der,1,len,fp);
fclose(fp);
PKCS7_free(p7);
free(der);
return 0;
}
int main(){
PKCS7 *p7;
int len;
unsigned char *der,*p;
FILE *fp;
X509 *x;
BIO *in;
X509_ALGOR *md;
PKCS7_SIGNER_INFO *si;
p7=PKCS7_new();
PKCS7_set_type(p7,NID_pkcs7_signed);
p7->d.sign->cert=sk_X509_new_null();
in=BIO_new_file("b64cert.cer","r");
x=PEM_read_bio_X509(in,NULL,NULL,NULL);
sk_X509_push(p7->d.sign->cert,x);
md=X509_ALGOR_new();
md->algorithm=OBJ_nid2obj(NID_md5);
sk_X509_ALGOR_push(p7->d.sign->md_algs,md);
si=PKCS7_SIGNER_INFO_new();
ASN1_INTEGER_set(si->version,2);
ASN1_INTEGER_set(si->issuer_and_serial->serial,333);
sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info,si);
len=i2d_PKCS7(p7,NULL);
der=(unsigned char *)malloc(len);
p=der;
len=i2d_PKCS7(p7,&p);
fp=fopen("p7_sign.cer","wb");
fwrite(der,1,len,fp);
fclose(fp);
free(der);
PKCS7_free(p7);
return 0;
}
pki_pkcs7::pki_pkcs7(const QString name)
:pki_base(name)
{
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
}
void openssl_pkcs7_encrypt()
{
BIO *b;
int len;
FILE *fp;
PKCS7 *p7;
unsigned char *der, *p;
const unsigned char edata[COMM_LEN] = "pkcs7 encrypt";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_encrypted);
ASN1_INTEGER_set(p7->d.encrypted->version, 3);
p7->d.encrypted->enc_data->algorithm->algorithm =
OBJ_nid2obj(NID_des_ede3_cbc);
p7->d.encrypted->enc_data->enc_data = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data, edata, 14);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
PKCS7_free(p7);
free(der);
b = BIO_new_file("/tmp/test.pem", "r");
p7 = PEM_read_bio_PKCS7(b, NULL, NULL, NULL);
BIO_free(b);
PKCS7_free(p7);
}
int PKCS7_content_new(PKCS7 *p7, int type)
{
PKCS7 *ret=NULL;
if ((ret=PKCS7_new()) == NULL) goto err;
if (!PKCS7_set_type(ret,type)) goto err;
if (!PKCS7_set_content(p7,ret)) goto err;
return(1);
err:
if (ret != NULL) PKCS7_free(ret);
return(0);
}
static VALUE
ossl_pkcs7_alloc(VALUE klass)
{
PKCS7 *pkcs7;
VALUE obj;
if (!(pkcs7 = PKCS7_new())) {
ossl_raise(ePKCS7Error, NULL);
}
WrapPKCS7(klass, obj, pkcs7);
return obj;
}
PKCS7* CryptoNative_Pkcs7CreateSigned()
{
PKCS7* pkcs7 = PKCS7_new();
if (pkcs7 == NULL)
{
return NULL;
}
if (!PKCS7_set_type(pkcs7, NID_pkcs7_signed) || !PKCS7_content_new(pkcs7, NID_pkcs7_data))
{
PKCS7_free(pkcs7);
return NULL;
}
return pkcs7;
}
extern "C" PKCS7* CryptoNative_Pkcs7CreateSigned()
{
PKCS7* pkcs7 = PKCS7_new();
if (pkcs7 == nullptr)
{
return nullptr;
}
if (!PKCS7_set_type(pkcs7, NID_pkcs7_signed) || !PKCS7_content_new(pkcs7, NID_pkcs7_data))
{
PKCS7_free(pkcs7);
return nullptr;
}
return pkcs7;
}
static LUA_FUNCTION(openssl_pkcs7_new)
{
int type = luaL_optint(L, 1, NID_pkcs7_signed);
int content_nid = luaL_optint(L, 1, NID_pkcs7_data);
PKCS7 *p7 = PKCS7_new();
if (p7)
{
int ret = 1;
ret = PKCS7_set_type(p7, type);
if (ret)
ret = PKCS7_content_new(p7, content_nid);
if (ret)
{
PUSH_OBJECT(p7, "openssl.pkcs7");
return 1;
}
else
PKCS7_free(p7);
}
return 0;
}
void openssl_pkcs7_msg()
{
int len;
FILE *fp;
PKCS7 *p7;
unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 msg";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_data);
ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
PKCS7_free(p7);
}
void Pkcs7SignedDataBuilder::init(MessageDigest::Algorithm mesDigAlgorithm, Certificate &cert,
PrivateKey &privKey, bool attached)
throw (Pkcs7Exception)
{
int rc;
if (this->state != Pkcs7Builder::NO_INIT)
{
PKCS7_free(this->pkcs7);
this->pkcs7 = NULL;
if (this->state == Pkcs7Builder::UPDATE)
{
BIO_free(this->p7bio);
this->p7bio = NULL;
}
}
this->pkcs7 = PKCS7_new();
PKCS7_set_type(this->pkcs7, NID_pkcs7_signed);
if (!attached)
{
PKCS7_set_detached(this->pkcs7, 1);
}
if (!PKCS7_add_signature(this->pkcs7, cert.getX509(), privKey.getEvpPkey(), MessageDigest::getMessageDigest(mesDigAlgorithm)))
{
PKCS7_free(this->pkcs7);
this->pkcs7 = NULL;
throw Pkcs7Exception(Pkcs7Exception::ADDING_SIGNER, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true);
}
rc = PKCS7_add_certificate(this->pkcs7, cert.getX509());
if (!rc)//inversor adicionado (martin 28/11/07)
{
PKCS7_free(this->pkcs7);
this->pkcs7 = NULL;
throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true);
}
this->state = Pkcs7Builder::INIT;
}
int create_envelope(PluginInstance *inst, u8 **data, int *datalen)
{
int r;
PKCS7 *p7 = NULL;
X509 *x509 = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_PKEY *pkey = NULL;
BIO *in = NULL, *p7bio = NULL;
u8 *buf;
r = extract_certificate_and_pkey(inst, &x509, &pkey);
if (r)
goto err;
p7 = PKCS7_new();
if (p7 == NULL) {
r = -1;
goto err;
}
r = PKCS7_set_type(p7, NID_pkcs7_signed);
if (r != 1) {
r = -1;
goto err;
}
EVP_add_digest(EVP_sha1());
si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
if (si == NULL) {
r = -1;
goto err;
}
PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data));
r = PKCS7_add_certificate(p7, x509);
if (r != 1) {
printf("PKCS7_add_certificate failed.\n");
goto err;
}
PKCS7_content_new(p7, NID_pkcs7_data);
p7bio = PKCS7_dataInit(p7, NULL);
if (p7bio == NULL) {
r = -1;
goto err;
}
in = BIO_new_mem_buf(inst->signdata, inst->signdata_len);
if (in == NULL) {
r = -1;
goto err;
}
for (;;) {
char lbuf[1024];
int i = BIO_read(in, lbuf, sizeof(lbuf));
if (i <= 0)
break;
BIO_write(p7bio, lbuf, i);
}
if (!PKCS7_dataFinal(p7, p7bio)) {
r = -1;
goto err;
}
/* FIXME: remove this */
r = i2d_PKCS7(p7, NULL);
if (r <= 0) {
r = -1;
goto err;
}
buf = (u8 *) malloc(r);
if (buf == NULL)
goto err;
*data = buf;
r = i2d_PKCS7(p7, &buf);
*datalen = r;
if (r <= 0) {
free(buf);
r = -1;
goto err;
}
r = 0;
err:
if (p7)
PKCS7_free(p7);
if (in)
BIO_free(in);
if (p7bio)
BIO_free(p7bio);
#if 0
if (si)
PKCS7_SIGNER_INFO_free(si);
#endif
if (pkey)
EVP_PKEY_free(pkey);
if (x509)
X509_free(x509);
if (r) {
#if 0
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
#endif
}
return r;
}
// Write signed variable
EFI_STATUS SetSignedVariable(IN CHAR16 *DatabaseName,
IN EFI_GUID *DatabaseGuid,
IN UINT32 Attributes,
IN VOID *Database,
IN UINTN DatabaseSize)
{
EFI_STATUS Status;
EFI_VARIABLE_AUTHENTICATION_2 *Authentication;
UINTN Size, NameLen;
UINTN DataSize = 0;
EFI_TIME Timestamp;
VOID *Data = NULL;
BIO *BioData = NULL;
PKCS7 *p7;
X509 *Certificate = NULL;
EVP_PKEY *PrivateKey = NULL;
const EVP_MD *md;
// Check parameters
if ((DatabaseName == NULL) || (DatabaseGuid == NULL)) {
return EFI_INVALID_PARAMETER;
}
DBG("Setting secure variable: %g %s 0x%X (0x%X)\n", DatabaseGuid, DatabaseName, Database, DatabaseSize);
NameLen = StrLen(DatabaseName);
if (NameLen == 0) {
return EFI_INVALID_PARAMETER;
}
// Get the current time
DBG("Getting timestamp ...\n");
Status = GetUTCTime(&Timestamp);
if (EFI_ERROR(Status)) {
return Status;
}
DBG("Timestamp: %t\n", Timestamp);
// In user mode we need to sign the database with exchange key
if (!gSettings.SecureBootSetupMode) {
// Initialize the cyphers and digests
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
// Create signing certificate
BioData = BIO_new_mem_buf((void *)gSecureBootExchangeKey, sizeof(gSecureBootExchangeKey));
if (BioData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Certificate = PEM_read_bio_X509(BioData, NULL, NULL, NULL);
BIO_free(BioData);
if (Certificate == NULL) {
return EFI_OUT_OF_RESOURCES;
}
// Create signing private key
BioData = BIO_new_mem_buf((void *)gSecureBootExchangePrivateKey, sizeof(gSecureBootExchangePrivateKey));
if (BioData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
PrivateKey = PEM_read_bio_PrivateKey(BioData, NULL, NULL, NULL);
BIO_free(BioData);
if (PrivateKey == NULL) {
X509_free(Certificate);
return EFI_OUT_OF_RESOURCES;
}
// Do the actual signing process
BioData = BIO_new(BIO_s_mem());
BIO_write(BioData, DatabaseName, (int)StrLen(DatabaseName));
BIO_write(BioData, DatabaseGuid, sizeof(EFI_GUID));
BIO_write(BioData, &Attributes, sizeof(UINT32));
BIO_write(BioData, &Timestamp, sizeof(EFI_TIME));
BIO_write(BioData, Database, (int)DatabaseSize);
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_sign_add_signer(p7, Certificate, PrivateKey, md, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP);
PKCS7_set_detached(p7, 1);
PKCS7_final(p7, BioData, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP);
X509_free(Certificate);
EVP_PKEY_free(PrivateKey);
DataSize = i2d_PKCS7(p7, NULL);
Data = AllocateZeroPool(DataSize);
i2d_PKCS7(p7, (unsigned char **)&Data);
PKCS7_free(p7);
// Set the authentication buffer size
Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize;
} else {
// In setup mode we don't need to sign, so just set the database
DBG("In setup mode, not signing ...\n");
Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DatabaseSize;
}
// Create the authentication buffer
DBG("Creating authentication ...\n");
Authentication = (EFI_VARIABLE_AUTHENTICATION_2 *)AllocateZeroPool(Size);
if (Authentication == NULL) {
if (Data != NULL) {
FreePool(Data);
}
return EFI_OUT_OF_RESOURCES;
}
// Set the certificate elements
CopyMem(&(Authentication->TimeStamp), &Timestamp, sizeof(EFI_TIME));
Authentication->AuthInfo.Hdr.dwLength = (UINT32)(sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize);
Authentication->AuthInfo.Hdr.wRevision = 0x0200;
Authentication->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
CopyMem(&(Authentication->AuthInfo.CertType), &gEfiCertPkcs7Guid, sizeof(EFI_GUID));
// Copy the data into the authentication
if (Data != NULL) {
CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Data, DataSize);
FreePool(Data);
} else {
CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Database, DatabaseSize); //Payload, PayloadSize);
}
DBG("Writing secure variable 0x%X (0x%X) ...\n", Authentication, Size);
// Write the database variable
Status = gRT->SetVariable(DatabaseName, DatabaseGuid, SET_DATABASE_ATTRIBUTES, Size, Authentication);
// Cleanup the authentication buffer
FreePool(Authentication);
return Status;
}
int crl2pkcs7_main(int argc, char **argv)
{
BIO *in = NULL, *out = NULL;
PKCS7 *p7 = NULL;
PKCS7_SIGNED *p7s = NULL;
STACK_OF(OPENSSL_STRING) *certflst = NULL;
STACK_OF(X509) *cert_stack = NULL;
STACK_OF(X509_CRL) *crl_stack = NULL;
X509_CRL *crl = NULL;
char *infile = NULL, *outfile = NULL, *prog, *certfile;
int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
0;
OPTION_CHOICE o;
prog = opt_init(argc, argv, crl2pkcs7_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(crl2pkcs7_options);
ret = 0;
goto end;
case OPT_INFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
goto opthelp;
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_NOCRL:
nocrl = 1;
break;
case OPT_CERTFILE:
if ((certflst == NULL)
&& (certflst = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
sk_OPENSSL_STRING_free(certflst);
goto end;
}
break;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (!app_load_modules(NULL))
goto end;
if (!nocrl) {
in = bio_open_default(infile, RB(informat));
if (in == NULL)
goto end;
if (informat == FORMAT_ASN1)
crl = d2i_X509_CRL_bio(in, NULL);
else if (informat == FORMAT_PEM)
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
if (crl == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
}
if ((p7 = PKCS7_new()) == NULL)
goto end;
if ((p7s = PKCS7_SIGNED_new()) == NULL)
goto end;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
p7->d.sign = p7s;
p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
if (!ASN1_INTEGER_set(p7s->version, 1))
goto end;
if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
goto end;
p7s->crl = crl_stack;
if (crl != NULL) {
sk_X509_CRL_push(crl_stack, crl);
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if ((cert_stack = sk_X509_new_null()) == NULL)
goto end;
p7s->cert = cert_stack;
if (certflst)
for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
certfile = sk_OPENSSL_STRING_value(certflst, i);
if (add_certs_from_file(cert_stack, certfile) < 0) {
BIO_printf(bio_err, "error loading certificates\n");
ERR_print_errors(bio_err);
goto end;
}
}
sk_OPENSSL_STRING_free(certflst);
out = bio_open_default(outfile, WB(outformat));
if (out == NULL)
goto end;
if (outformat == FORMAT_ASN1)
i = i2d_PKCS7_bio(out, p7);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_PKCS7(out, p7);
if (!i) {
BIO_printf(bio_err, "unable to write pkcs7 object\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
BIO_free(in);
BIO_free_all(out);
PKCS7_free(p7);
X509_CRL_free(crl);
return (ret);
}
/*
* Wrap data in PKCS#7 envelopes and base64-encode the result.
* Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject
* structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in
* GetCert and GETCrl.
*/
int pkcs7_wrap(struct scep *s, struct sscep_ctx *ctx, struct sscep_operation_info *op_info)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
unsigned char *buffer = NULL;
int len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *attributes;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
int ret = SCEP_PKISTATUS_P7;
char *payload = NULL;
int payload_len;
/* Create a new sender nonce for all messages
* XXXXXXXXXXXXXX should it be per transaction? */
s->sender_nonce_len = 16;
free(s->sender_nonce);/* Clean up from previous runs */
s->sender_nonce = (char *)malloc(s->sender_nonce_len * sizeof(char));
RAND_bytes((unsigned char *) s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch (s->request_type) {
case SCEP_REQUEST_PKCSREQ:
/*
* Set printable message type
* We set this later as an autheticated attribute
* "messageType".
*/
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating inner PKCS#7");
}
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if (i2d_X509_REQ_bio(databio, op_info->request) <= 0) {
qeo_log_e("error writing certificate request in bio");
goto error;
}
(void)BIO_flush(databio);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating inner PKCS#7");
}
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if (i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) {
qeo_log_e("error writing GetCertInitial data in bio");
goto error;
}
(void)BIO_flush(databio);
break;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
payload_len = BIO_get_mem_data(databio, &payload);
if (ctx->verbose){
qeo_log_i("data payload size: %d bytes", payload_len);
}
/* Create encryption certificate stack */
if ((recipients = sk_X509_new(NULL) ) == NULL) {
qeo_log_e("error creating certificate stack");
goto error;
}
if (sk_X509_push(recipients, op_info->racert) <= 0) {
qeo_log_e("error adding recipient encryption certificate");
goto error;
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(payload, payload_len)) == NULL ) {
qeo_log_e("error creating data bio");
goto error;
}
/* Encrypt */
if (!(p7enc = PKCS7_encrypt(recipients, encbio, ctx->enc_alg, PKCS7_BINARY))) {
qeo_log_e("request payload encrypt failed");
goto error;
}
if (ctx->verbose){
qeo_log_i("successfully encrypted payload");
}
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) {
qeo_log_e("error writing encrypted data");
goto error;
}
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
BIO_free(memorybio);
memorybio=NULL;
if (ctx->verbose){
qeo_log_i("envelope size: %d bytes", len);
}
if (ctx->debug) {
qeo_log_i("printing PEM fomatted PKCS#7");
PEM_write_PKCS7(stdout, p7enc);
}
/* Create outer PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating outer PKCS#7");
}
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL ) {
qeo_log_e("failed creating PKCS#7 for signing");
goto error;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) {
qeo_log_e("failed setting PKCS#7 type");
goto error;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, ctx->sig_alg)) == NULL ) {
qeo_log_e("error adding PKCS#7 signature");
goto error;
}
if (ctx->verbose){
qeo_log_i("signature added successfully");
}
/* Set signed attributes */
if (ctx->verbose){
qeo_log_i("adding signed attributes");
}
attributes = sk_X509_ATTRIBUTE_new_null();
add_attribute_string(attributes, ctx->nid_transId, s->transaction_id, ctx);
add_attribute_string(attributes, ctx->nid_messageType, s->request_type_str, ctx);
add_attribute_octet(attributes, ctx->nid_senderNonce, s->sender_nonce, s->sender_nonce_len, ctx);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_pop_free(attributes, X509_ATTRIBUTE_free);
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) {
qeo_log_e("error adding NID_pkcs9_contentType");
goto error;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) {
qeo_log_e("failed setting PKCS#7 content type");
goto error;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL );
if (pkcs7bio == NULL ) {
qeo_log_e("error opening bio for writing PKCS#7 data");
goto error;
}
if (len != BIO_write(pkcs7bio, buffer, len)) {
qeo_log_e("error writing PKCS#7 data");
goto error;
}
if (ctx->verbose){
qeo_log_i("PKCS#7 data written successfully");
}
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) {
qeo_log_e("error finalizing outer PKCS#7");
goto error;
}
if (ctx->debug) {
qeo_log_i("printing PEM fomatted PKCS#7");
PEM_write_PKCS7(stdout, s->request_p7);
}
/* base64-encode the data */
if (ctx->verbose){
qeo_log_i("applying base64 encoding");
}
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
outbio = BIO_push(BIO_new(BIO_f_base64()), memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
payload_len = BIO_get_mem_data(memorybio, &payload);
s->request_payload = (char*) malloc(sizeof(char)*payload_len);
if (!s->request_payload){
goto error;
}
s->request_len = payload_len;
memcpy(s->request_payload, payload, s->request_len);
if (ctx->verbose){
qeo_log_i("base64 encoded payload size: %d bytes", payload_len);
}
ret = 0;
error:
BIO_free(databio);
BIO_free(encbio);
BIO_free_all(pkcs7bio);
BIO_free(memorybio);
BIO_free(outbio);
if (recipients != NULL){
sk_X509_free(recipients);/* Only free the stack, not the certificates */
}
PKCS7_free(p7enc);
OPENSSL_free(buffer);
return ret;
}
static int add_auth_descriptor(varsign_context *ctx, unsigned char dont_sign)
{
EFI_VARIABLE_AUTHENTICATION_2 *auth;
int rc=0, len=0, flags=0;
EFI_TIME timestamp;
const EVP_MD *md;
BIO *data_bio = NULL;
PKCS7 *p7;
UINT8 *signpkg;
if (set_timestamp(×tamp))
return -1;
/* create a BIO for our variable data, containing:
* * Variablename (not including trailing nul)
* * VendorGUID
* * Attributes
* * TimeStamp
* * Data
*/
if (dont_sign == 0)
{
data_bio = BIO_new(BIO_s_mem());
BIO_write(data_bio, ctx->var_name, ctx->var_name_bytes);
BIO_write(data_bio, &ctx->var_guid, sizeof(ctx->var_guid));
BIO_write(data_bio, &ctx->var_attrs, sizeof(ctx->var_attrs));
BIO_write(data_bio, ×tamp, sizeof(timestamp));
BIO_write(data_bio, ctx->data, ctx->data_len);
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;;
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_sign_add_signer(p7, ctx->cert, ctx->key, md, flags);
PKCS7_set_detached(p7, 1);
rc = PKCS7_final(p7, data_bio, flags);
if (!rc) {
fprintf(stderr, "Error signing variable data\n");
ERR_print_errors_fp(stderr);
BIO_free_all(data_bio);
return -1;
}
len = i2d_PKCS7(p7, NULL);
} else {
len = 0;
}
/* set up our auth descriptor */
auth = talloc_size(ctx, len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData));
auth->TimeStamp = timestamp;
auth->AuthInfo.Hdr.dwLength = len + offsetof (WIN_CERTIFICATE_UEFI_GUID, CertData);
auth->AuthInfo.Hdr.wRevision = 0x0200;
auth->AuthInfo.Hdr.wCertificateType = 0x0EF1;
auth->AuthInfo.CertType = cert_pkcs7_guid;
if (dont_sign == 0)
{
signpkg = auth->AuthInfo.CertData;
i2d_PKCS7(p7, &signpkg);
}
ctx->auth_descriptor = auth;
ctx->auth_descriptor_len = len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData);
BIO_free_all(data_bio);
return 0;
}
int main(int argc, char **argv)
{
const char *keyfilename, *certfilename;
struct sign_context *ctx;
uint8_t *buf, *tmp;
int rc, c, sigsize;
ctx = talloc_zero(NULL, struct sign_context);
keyfilename = NULL;
certfilename = NULL;
for (;;) {
int idx;
c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
if (c == -1)
break;
switch (c) {
case 'o':
ctx->outfilename = talloc_strdup(ctx, optarg);
break;
case 'c':
certfilename = optarg;
break;
case 'k':
keyfilename = optarg;
break;
case 'd':
ctx->detached = 1;
break;
case 'v':
ctx->verbose = 1;
break;
case 'V':
version();
return EXIT_SUCCESS;
case 'h':
usage();
return EXIT_SUCCESS;
}
}
if (argc != optind + 1) {
usage();
return EXIT_FAILURE;
}
ctx->infilename = argv[optind];
if (!ctx->outfilename)
set_default_outfilename(ctx);
if (!certfilename) {
fprintf(stderr,
"error: No certificate specified (with --cert)\n");
usage();
return EXIT_FAILURE;
}
if (!keyfilename) {
fprintf(stderr,
"error: No key specified (with --key)\n");
usage();
return EXIT_FAILURE;
}
ctx->image = image_load(ctx->infilename);
if (!ctx->image)
return EXIT_FAILURE;
_talloc_steal(ctx, ctx->image);
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
EVP_PKEY *pkey = fileio_read_pkey(keyfilename);
if (!pkey)
return EXIT_FAILURE;
X509 *cert = fileio_read_cert(certfilename);
if (!cert)
return EXIT_FAILURE;
const EVP_MD *md = EVP_get_digestbyname("SHA256");
/* set up the PKCS7 object */
PKCS7 *p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_SIGNER_INFO *si = PKCS7_sign_add_signer(p7, cert,
pkey, md, PKCS7_BINARY);
if (!si) {
fprintf(stderr, "error in key/certificate chain\n");
ERR_print_errors_fp(stderr);
return EXIT_FAILURE;
}
PKCS7_content_new(p7, NID_pkcs7_data);
rc = IDC_set(p7, si, ctx->image);
if (rc)
return EXIT_FAILURE;
sigsize = i2d_PKCS7(p7, NULL);
tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
i2d_PKCS7(p7, &tmp);
ERR_print_errors_fp(stdout);
image_add_signature(ctx->image, buf, sigsize);
if (ctx->detached)
image_write_detached(ctx->image, ctx->outfilename);
else
image_write(ctx->image, ctx->outfilename);
talloc_free(ctx);
return EXIT_SUCCESS;
}
char* sign_and_encrypt(const char *data, RSA *rsa, X509 *x509, X509 *PPx509, int verbose)
/* sign and encrypt button data for safe delivery to paypal */
{
char *ret = NULL;
EVP_PKEY *pkey;
PKCS7 *p7 = NULL;
BIO *p7bio = NULL;
BIO *bio = NULL;
PKCS7_SIGNER_INFO* si;
int len;
char *str;
pkey = EVP_PKEY_new();
if (EVP_PKEY_set1_RSA(pkey, rsa) == 0)
{
fprintf(stderr,"Fatal Error: Unable to create EVP_KEY from RSA key\n");fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully created EVP_KEY from RSA key\n");
}
/* Create a signed and enveloped PKCS7 */
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
if (si) {
if (PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data)) <= 0)
{
fprintf(stderr,"Fatal Error: Unable to add signed attribute to certificate\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added signed attribute to certificate\n");
}
} else {
fprintf(stderr,"Fatal Error: Failed to sign PKCS7\n");fflush(stderr);
goto end;
}
/* Encryption */
if (PKCS7_set_cipher(p7, EVP_des_ede3_cbc()) <= 0)
{
fprintf(stderr,"Fatal Error: Failed to set encryption algorithm\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added encryption algorithm\n");
}
if (PKCS7_add_recipient(p7, PPx509) <= 0)
{
fprintf(stderr,"Fatal Error: Failed to add PKCS7 recipient\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added recipient\n");
}
if (PKCS7_add_certificate(p7, x509) <= 0)
{
fprintf(stderr,"Fatal Error: Failed to add PKCS7 certificate\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added certificate\n");
}
p7bio = PKCS7_dataInit(p7, NULL);
if (!p7bio) {
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
}
/* Pump data to special PKCS7 BIO. This encrypts and signs it. */
BIO_write(p7bio, data, strlen(data));
BIO_flush(p7bio);
PKCS7_dataFinal(p7, p7bio);
/* Write PEM encoded PKCS7 */
bio = BIO_new(BIO_s_mem());
if (!bio || (PEM_write_bio_PKCS7(bio, p7) == 0))
{
fprintf(stderr,"Fatal Error: Failed to create PKCS7 PEM\n");fflush(stderr);
} else if (verbose) {
printf("Successfully created PKCS7 PEM\n");
}
BIO_flush(bio);
len = BIO_get_mem_data(bio, &str);
ret = malloc(sizeof(char)*(len+1));
memcpy(ret, str, len);
ret[len] = 0;
end:
/* Free everything */
if (bio)
BIO_free_all(bio);
if (p7bio)
BIO_free_all(p7bio);
if (p7)
PKCS7_free(p7);
if (pkey)
EVP_PKEY_free(pkey);
return ret;
}
/*
* Wrap data in PKCS#7 envelopes and base64-encode the result.
* Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject
* structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in
* GetCert and GETCrl.
*/
int pkcs7_wrap(struct scep *s) {
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
unsigned char *buffer = NULL;
int rc, len = 0;
STACK_OF(X509) *recipients;
PKCS7 *p7enc;
PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *attributes;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
/* Create a new sender nonce for all messages
* XXXXXXXXXXXXXX should it be per transaction? */
s->sender_nonce_len = 16;
s->sender_nonce = (unsigned char *)malloc(s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type) {
case SCEP_REQUEST_PKCSREQ:
/*
* Set printable message type
* We set this later as an autheticated attribute
* "messageType".
*/
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (v_flag)
printf("%s: creating inner PKCS#7\n", pname);
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_X509_REQ_bio(databio, request)) <= 0) {
fprintf(stderr, "%s: error writing "
"certificate request in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (v_flag)
printf("%s: creating inner PKCS#7\n", pname);
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio,
s->ias_getcertinit)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCertInitial data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERT_STR;
/* Signer cert */
signercert = localcert;
signerkey = rsa;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,
s->ias_getcert)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCert data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCRL:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCRL_STR;
/* Signer cert */
signercert = localcert;
signerkey = rsa;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,
s->ias_getcrl)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCert data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
if (v_flag)
printf("%s: data payload size: %d bytes\n", pname,
s->request_len);
BIO_free(databio);
/* Create encryption certificate stack */
if ((recipients = sk_X509_new(NULL)) == NULL) {
fprintf(stderr, "%s: error creating "
"certificate stack\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Use different CA cert for encryption if requested */
if (e_flag) {
if (sk_X509_push(recipients, encert) <= 0) {
fprintf(stderr, "%s: error adding recipient encryption "
"certificate\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Use same CA cert also for encryption */
} else {
if (sk_X509_push(recipients, cacert) <= 0) {
fprintf(stderr, "%s: error adding recipient encryption "
"certificate\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,
s->request_len)) == NULL) {
fprintf(stderr, "%s: error creating data " "bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Encrypt */
if (!(p7enc = PKCS7_encrypt(recipients, encbio,
enc_alg, PKCS7_BINARY))) {
fprintf(stderr, "%s: request payload encrypt failed\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: successfully encrypted payload\n", pname);
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) {
fprintf(stderr, "%s: error writing encrypted data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
if (v_flag)
printf("%s: envelope size: %d bytes\n", pname, len);
if (d_flag) {
printf("%s: printing PEM fomatted PKCS#7\n", pname);
PEM_write_PKCS7(stdout, p7enc);
}
BIO_free(memorybio);
/* Create outer PKCS#7 */
if (v_flag)
printf("%s: creating outer PKCS#7\n", pname);
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL) {
fprintf(stderr, "%s: failed creating PKCS#7 for signing\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) {
fprintf(stderr, "%s: failed setting PKCS#7 type\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,
signercert, signerkey, sig_alg)) == NULL) {
fprintf(stderr, "%s: error adding PKCS#7 signature\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: signature added successfully\n", pname);
/* Set signed attributes */
if (v_flag)
printf("%s: adding signed attributes\n", pname);
attributes = sk_X509_ATTRIBUTE_new_null();
add_attribute_string(attributes, nid_transId, s->transaction_id);
add_attribute_string(attributes, nid_messageType, s->request_type_str);
add_attribute_octet(attributes, nid_senderNonce, s->sender_nonce,
s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) {
fprintf(stderr, "%s: error adding NID_pkcs9_contentType\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) {
fprintf(stderr, "%s: failed setting PKCS#7 content type\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL) {
fprintf(stderr, "%s: error opening bio for writing PKCS#7 "
"data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (len != BIO_write(pkcs7bio, buffer, len)) {
fprintf(stderr, "%s: error writing PKCS#7 data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: PKCS#7 data written successfully\n", pname);
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) {
fprintf(stderr, "%s: error finalizing outer PKCS#7\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (d_flag) {
printf("%s: printing PEM fomatted PKCS#7\n", pname);
PEM_write_PKCS7(stdout, s->request_p7);
}
/* base64-encode the data */
if (v_flag)
printf("%s: applying base64 encoding\n",pname);
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
if (v_flag)
printf("%s: base64 encoded payload size: %d bytes\n",
pname, s->request_len);
BIO_free(outbio);
return (0);
}
/*******************************************************************************
函数名称: cert_pkcs7_wrap
功能描述: 将要发送的消息采用PKCS#7格式进行编码
输入参数: struct scep *s, SCEP操作的结构体指针。
s32 hasra, 是否使用RA证书,1,使用;0,不使用
输出参数: 无
返 回 值: 1,成功;-1,失败
--------------------------------------------------------------------------------
最近一次修改记录:
修改作者:王朝
修改目的:添加新函数
修改日期:2009年12月28日
*********************************************************************************/
s32 cert_pkcs7_wrap(struct scep *s, s32 hasra)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
u8 *buffer = NULL;
s32 len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si = NULL;
STACK_OF(X509_ATTRIBUTE) *attributes = NULL;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
s32 retval = -1;
/* sender nonce */
s->sender_nonce_len = 16;
s->sender_nonce = (u8 *)malloc((u32)s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type)
{
case SCEP_REQUEST_PKCSREQ:
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_X509_REQ_bio(databio, cert_request)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
default:
goto end;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
BIO_free(databio);
databio = NULL;
/* Create encryption certificate stack */
if (NULL == (recipients = sk_X509_new_null() ))
{
goto end;
}
/* Use different CA cert for encryption if requested */
if (1 == hasra)
{
if (sk_X509_push(recipients, cert_encert) <= 0)
{
goto end;
}
}
else
{
/* Use same CA cert also for encryption */
if (sk_X509_push(recipients, cert_cacert) <= 0)
{
goto end;
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,s->request_len)) == NULL)
{
goto end;
}
/* Encrypt */
if (NULL == (p7enc = PKCS7_encrypt(recipients, encbio, cert_enc_alg, PKCS7_BINARY)))
{
goto end;
}
BIO_free(encbio);
encbio = NULL;
sk_X509_free(recipients);
recipients = NULL;
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0)
{
goto end;
}
PKCS7_free(p7enc);
p7enc = NULL;
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
/* Create outer PKCS#7 */
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL)
{
goto end;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed))
{
goto end;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,signercert, signerkey, cert_sig_alg)) == NULL)
{
goto end;
}
/* Set signed attributes */
attributes = sk_X509_ATTRIBUTE_new_null();
cert_add_attribute_string(attributes, nid_transId, s->transaction_id);
cert_add_attribute_string(attributes, nid_messageType, s->request_type_str);
cert_add_attribute_octet(attributes, nid_senderNonce, (s8 *)(s->sender_nonce),s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_free(attributes);
attributes = NULL;
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)))
{
goto end;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data))
{
goto end;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL)
{
goto end;
}
if (len != BIO_write(pkcs7bio, buffer, len))
{
goto end;
}
BIO_free(memorybio);
memorybio = NULL;
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio))
{
goto end;
}
/* base64-encode the data */
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
retval = 1;
end:
if(NULL != databio)
{
BIO_free(databio);
}
if(NULL != encbio)
{
BIO_free(encbio);
}
if(NULL != p7enc)
{
PKCS7_free(p7enc);
}
if(NULL != pkcs7bio)
{
BIO_free(pkcs7bio);
}
if(NULL != memorybio)
{
BIO_free(memorybio);
}
if(NULL != base64bio)
{
BIO_free(base64bio);
}
if(NULL != recipients)
{
sk_X509_free(recipients);
}
if(NULL != attributes)
{
sk_X509_ATTRIBUTE_free(attributes);
}
return retval;
}
/* will return 0, 1, 3, or 99 */
static int
_pkgtrans(char *device1, char *device2, char **pkg, int options,
keystore_handle_t keystore, char *keystore_alias)
{
BIO *p7_bio = NULL;
EVP_PKEY *privkey = NULL;
PKCS7 *sec_pkcs7 = NULL;
PKCS7_SIGNER_INFO *sec_signerinfo = NULL;
PKG_ERR *err;
STACK_OF(X509) *cacerts = NULL;
STACK_OF(X509) *clcerts = NULL;
STACK_OF(X509) *sec_chain = NULL;
X509 *pubcert = NULL;
boolean_t making_sig = B_FALSE;
char *src, *dst;
int errflg, i, n;
struct dm_buf *hdr;
making_sig = (keystore != NULL) ? B_TRUE : B_FALSE;
if (making_sig) {
/* new error object */
err = pkgerr_new();
/* find matching cert and key */
if (find_key_cert_pair(err, keystore,
keystore_alias, &privkey, &pubcert) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CA certificates */
if (find_ca_certs(err, keystore, &cacerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CL (aka "chain") certificates */
if (find_cl_certs(err, keystore, &clcerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* initialize PKCS7 object to be filled in later */
sec_pkcs7 = PKCS7_new();
(void) PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed);
sec_signerinfo = PKCS7_add_signature(sec_pkcs7,
pubcert, privkey, EVP_sha1());
if (sec_signerinfo == NULL) {
progerr(gettext(ERR_SEC), keystore_alias);
ERR_print_errors_fp(stderr);
pkgerr_free(err);
return (1);
}
/* add signer cert into signature */
(void) PKCS7_add_certificate(sec_pkcs7, pubcert);
/* attempt to resolve cert chain starting at the signer cert */
if (get_cert_chain(err, pubcert, clcerts, cacerts,
&sec_chain) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/*
* add the verification chain of certs into the signature.
* The first cert is the user cert, which we don't need,
* since it's baked in already, so skip it
*/
for (i = 1; i < sk_X509_num(sec_chain); i++) {
(void) PKCS7_add_certificate(sec_pkcs7,
sk_X509_value(sec_chain, i));
}
pkgerr_free(err);
err = NULL;
}
if (signal_received > 0) {
return (1);
}
/* transfer spool to appropriate device */
if (devtype(device1, &srcdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device1);
return (1);
}
srcdev.rdonly++;
/* check for datastream */
ids_name = NULL;
if (srcdev.bdevice) {
if (n = _getvol(srcdev.bdevice, NULL, NULL,
pkg_gt("Insert %v into %p."), srcdev.norewind)) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if (ds_readbuf(srcdev.cdevice))
ids_name = srcdev.cdevice;
}
if (srcdev.cdevice && !srcdev.bdevice)
ids_name = srcdev.cdevice;
else if (srcdev.pathname) {
ids_name = srcdev.pathname;
if (access(ids_name, 0) == -1) {
progerr(ERR_TRANSFER);
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
}
if (!ids_name && device2 == (char *)0) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
if (srcdev.mount && *srcdev.mount)
pkgdir = strdup(srcdev.mount);
return (0);
}
if (ids_name && device2 == (char *)0) {
tmppath = tmpnam(NULL);
tmppath = strdup(tmppath);
if (tmppath == NULL) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_MEM));
return (1);
}
if (mkdir(tmppath, 0755)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_MKDIR), tmppath);
return (1);
}
device2 = tmppath;
}
if (devtype(device2, &dstdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device2);
return (1);
}
if ((srcdev.cdevice && dstdev.cdevice) &&
strcmp(srcdev.cdevice, dstdev.cdevice) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
ods_name = NULL;
if (dstdev.cdevice && !dstdev.bdevice || dstdev.pathname)
options |= PT_ODTSTREAM;
if (options & PT_ODTSTREAM) {
if (!((ods_name = dstdev.cdevice) != NULL ||
(ods_name = dstdev.pathname) != NULL)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device2);
return (1);
}
if (ids_name) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_TWODSTREAM));
return (1);
}
} else {
/*
* output device isn't a stream. If we're making a signed
* package, then fail, since we can't make signed,
* non-stream pkgs
*/
if (making_sig) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(ERR_CANTSIGN));
return (1);
}
}
if ((srcdev.dirname && dstdev.dirname) &&
strcmp(srcdev.dirname, dstdev.dirname) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
if ((srcdev.pathname && dstdev.pathname) &&
strcmp(srcdev.pathname, dstdev.pathname) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
if (signal_received > 0) {
return (1);
}
if (ids_name) {
if (srcdev.cdevice && !srcdev.bdevice &&
(n = _getvol(srcdev.cdevice, NULL, NULL, NULL,
srcdev.norewind))) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if (srcdev.dirname = tmpnam(NULL))
tmpdir = srcdev.dirname = strdup(srcdev.dirname);
if ((srcdev.dirname == NULL) || mkdir(srcdev.dirname, 0755) ||
chdir(srcdev.dirname)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_NOTEMP), srcdev.dirname);
cleanup();
return (1);
}
if (ds_init(ids_name, pkg, srcdev.norewind)) {
cleanup();
return (1);
}
} else if (srcdev.mount) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
}
src = srcdev.dirname;
dst = dstdev.dirname;
if (chdir(src)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_CHDIR), src);
cleanup();
return (1);
}
if (signal_received > 0) {
return (1);
}
xpkg = pkg = gpkglist(src, pkg, NULL);
if (!pkg) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_NOPKGS), src);
cleanup();
return (1);
}
for (nxpkg = 0; pkg[nxpkg]; /* void */) {
nxpkg++; /* count */
}
if (ids_name) {
ds_order(pkg); /* order requests */
}
if (signal_received > 0) {
return (1);
}
if (options & PT_ODTSTREAM) {
char line[128];
if (!dstdev.pathname &&
(n = _getvol(ods_name, NULL, DM_FORMAT, NULL,
dstdev.norewind))) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if ((hdr = genheader(src, pkg)) == NULL) {
cleanup();
return (1);
}
if (making_sig) {
/* start up signature data stream */
(void) PKCS7_content_new(sec_pkcs7, NID_pkcs7_data);
(void) PKCS7_set_detached(sec_pkcs7, 1);
p7_bio = PKCS7_dataInit(sec_pkcs7, NULL);
/*
* Here we generate all the data that will go into
* the package, and send it through the signature
* generator, essentially calculating the signature
* of the entire package so we can place it in the
* header. Otherwise we'd have to place it at the end
* of the pkg, which would break the ABI
*/
if (!(options & PT_SILENT)) {
(void) fprintf(stderr, pkg_gt(MSG_SIGNING),
get_subject_display_name(pubcert));
}
if (dump_hdr_and_pkgs(p7_bio, hdr, pkg) != 0) {
progerr(gettext(ERR_NOGEN));
logerr(pkg_gt(MSG_GETVOL));
cleanup();
return (1);
}
BIO_flush(p7_bio);
/*
* now generate PKCS7 signature
*/
if (!PKCS7_dataFinal(sec_pkcs7, p7_bio)) {
progerr(gettext(ERR_NOGEN));
logerr(pkg_gt(MSG_GETVOL));
cleanup();
return (1);
}
(void) BIO_free(p7_bio);
}
/* write out header to stream, which includes signature */
if (wdsheader(hdr, src, ods_name, pkg, sec_pkcs7)) {
cleanup();
return (1);
}
if (sec_pkcs7 != NULL) {
/* nuke in-memory signature for safety */
PKCS7_free(sec_pkcs7);
sec_pkcs7 = NULL;
}
ds_volno = 1; /* number of volumes in datastream */
pinput = hdrbuf.text_buffer;
/* skip past first line in header */
(void) mgets(line, 128);
}
if (signal_received > 0) {
return (1);
}
errflg = 0;
for (i = 0; pkg[i]; i++) {
if (signal_received > 0) {
return (1);
}
if (!(options & PT_ODTSTREAM) && dstdev.mount) {
if (n = pkgmount(&dstdev, NULL, 0, 0, 1)) {
cleanup();
return (n);
}
}
if (errflg = pkgxfer(pkg[i], options)) {
pkg[i] = NULL;
if ((options & PT_ODTSTREAM) || (errflg != 2))
break;
} else if (strcmp(dstinst, pkg[i]))
pkg[i] = strdup(dstinst);
}
if (!(options & PT_ODTSTREAM) && dst) {
pkgdir = strdup(dst);
}
/*
* No cleanup of temporary directories created in this
* function is done here. The calling function must do
* the cleanup.
*/
return (signal_received > 0 ? 1 : errflg);
}
int main(int argc, char* argv[])
{
PKCS7 *p7, *innerp7;
FILE *fp = NULL;
EVP_PKEY *pkey = NULL;
PKCS7_SIGNER_INFO *p7i;
PKCS7_RECIP_INFO *pri;
BIO *mybio, *inbio;
X509 *user;
X509_ALGOR *md;
int ret, len;
unsigned char data[2048], *p, *buf;
unsigned char* greet = "hello openssl";
unsigned long errorno;
unsigned char* errordesc;
OpenSSL_add_all_algorithms(); //必须要显式进行调用
inbio = BIO_new(BIO_s_mem());
ret = BIO_write(inbio, greet, strlen(greet));
p7 = PKCS7_new();
ret = PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
//加载用户证书
fp = fopen("mycert4p12.cer", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
user = d2i_X509(NULL, (const unsigned char**)&p, len);
ret = PKCS7_add_certificate(p7, user);
pri = PKCS7_add_recipient(p7, user);
//读取私钥
fp = fopen("myprivkey.pem", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len);
//第一个用户增加SignerInfo到列表中
p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5());
//加载用户证书
fp = fopen("user2.cer", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
user = d2i_X509(NULL, (const unsigned char**)&p, len);
ret = PKCS7_add_certificate(p7, user);
pri = PKCS7_add_recipient(p7, user);
//读取私钥
fp = fopen("user2_privatekey.pem", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len);
//第二个签名者增加到SignerInfo列表中
p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5());
ret = PKCS7_set_cipher(p7, EVP_des_ede3_cbc());
ret = PKCS7_final(p7, inbio, 0); //制作数字信封
len = i2d_PKCS7(p7, NULL);
p = buf = malloc(len);
len = i2d_PKCS7(p7, &p);
printf("in i2d len = %d\n", len);
fp = fopen("p7signandenv.cer", "wb");
fwrite(buf, len, 1, fp);
fclose(fp);
PKCS7_free(p7);
}
/* will return 0, 1, 3, or 99 */
static int
_pkgtrans(char *device1, char *device2, char **pkg, int options,
keystore_handle_t keystore, char *keystore_alias)
{
#ifdef USE_KEYSTORE
BIO *p7_bio = NULL;
EVP_PKEY *privkey = NULL;
#endif
PKCS7 *sec_pkcs7 = NULL;
#ifdef USE_KEYSTORE
PKCS7_SIGNER_INFO *sec_signerinfo = NULL;
PKG_ERR *err;
STACK_OF(X509) *cacerts = NULL;
STACK_OF(X509) *clcerts = NULL;
STACK_OF(X509) *sec_chain = NULL;
X509 *pubcert = NULL;
#endif
boolean_t making_sig = B_FALSE;
char *src, *dst;
int errflg, i, n;
struct dm_buf *hdr;
making_sig = (keystore != NULL) ? B_TRUE : B_FALSE;
#ifdef USE_KEYSTORE
if (making_sig) {
/* new error object */
err = pkgerr_new();
/* find matching cert and key */
if (find_key_cert_pair(err, keystore,
keystore_alias, &privkey, &pubcert) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CA certificates */
if (find_ca_certs(err, keystore, &cacerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CL (aka "chain") certificates */
if (find_cl_certs(err, keystore, &clcerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* initialize PKCS7 object to be filled in later */
sec_pkcs7 = PKCS7_new();
PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed);
sec_signerinfo = PKCS7_add_signature(sec_pkcs7,
pubcert, privkey, EVP_sha1());
if (sec_signerinfo == NULL) {
progerr(gettext(ERR_SEC), keystore_alias);
ERR_print_errors_fp(stderr);
pkgerr_free(err);
return (1);
}
/* add signer cert into signature */
PKCS7_add_certificate(sec_pkcs7, pubcert);
/* attempt to resolve cert chain starting at the signer cert */
if (get_cert_chain(err, pubcert, clcerts, cacerts,
&sec_chain) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/*
* add the verification chain of certs into the signature.
* The first cert is the user cert, which we don't need,
* since it's baked in already, so skip it
*/
for (i = 1; i < sk_X509_num(sec_chain); i++) {
PKCS7_add_certificate(sec_pkcs7,
sk_X509_value(sec_chain, i));
}
pkgerr_free(err);
err = NULL;
}
#endif /* USE_KEYSTORE */
if (signal_received > 0) {
return (1);
}
/* transfer spool to appropriate device */
if (devtype(device1, &srcdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device1);
return (1);
}
srcdev.rdonly++;
/* check for datastream */
ids_name = NULL;
if (srcdev.bdevice) {
if (ds_readbuf(srcdev.cdevice))
ids_name = srcdev.cdevice;
}
if (srcdev.cdevice && !srcdev.bdevice)
ids_name = srcdev.cdevice;
else if (srcdev.pathname) {
ids_name = srcdev.pathname;
if (access(ids_name, 0) == -1) {
progerr(ERR_TRANSFER);
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
}
if (!ids_name && device2 == (char *)0) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
if (srcdev.mount && *srcdev.mount)
pkgdir = strdup(srcdev.mount);
return (0);
}
if (ids_name && device2 == (char *)0) {
char template[] = "/var/tmp/ptXXXXXX";
int MAIN(int argc, char **argv)
{
int i, badops = 0;
BIO *in = NULL, *out = NULL;
int informat, outformat;
char *infile, *outfile, *prog, *certfile;
PKCS7 *p7 = NULL;
PKCS7_SIGNED *p7s = NULL;
X509_CRL *crl = NULL;
STACK_OF(OPENSSL_STRING) *certflst = NULL;
STACK_OF(X509_CRL) *crl_stack = NULL;
STACK_OF(X509) *cert_stack = NULL;
int ret = 1, nocrl = 0;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
infile = NULL;
outfile = NULL;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-nocrl") == 0) {
nocrl = 1;
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-certfile") == 0) {
if (--argc < 1)
goto bad;
if (!certflst)
certflst = sk_OPENSSL_STRING_new_null();
if (!certflst)
goto end;
if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
sk_OPENSSL_STRING_free(certflst);
goto end;
}
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err, " -out arg output file\n");
BIO_printf(bio_err,
" -certfile arg certificates file of chain to a trusted CA\n");
BIO_printf(bio_err, " (can be used more than once)\n");
BIO_printf(bio_err,
" -nocrl no crl to load, just certs from '-certfile'\n");
ret = 1;
goto end;
}
ERR_load_crypto_strings();
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (!nocrl) {
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (informat == FORMAT_ASN1)
crl = d2i_X509_CRL_bio(in, NULL);
else if (informat == FORMAT_PEM)
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
else {
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
if (crl == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
}
if ((p7 = PKCS7_new()) == NULL)
goto end;
if ((p7s = PKCS7_SIGNED_new()) == NULL)
goto end;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
p7->d.sign = p7s;
p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
if (!ASN1_INTEGER_set(p7s->version, 1))
goto end;
if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
goto end;
p7s->crl = crl_stack;
if (crl != NULL) {
sk_X509_CRL_push(crl_stack, crl);
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if ((cert_stack = sk_X509_new_null()) == NULL)
goto end;
p7s->cert = cert_stack;
if (certflst)
for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
certfile = sk_OPENSSL_STRING_value(certflst, i);
if (add_certs_from_file(cert_stack, certfile) < 0) {
BIO_printf(bio_err, "error loading certificates\n");
ERR_print_errors(bio_err);
goto end;
}
}
sk_OPENSSL_STRING_free(certflst);
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (outformat == FORMAT_ASN1)
i = i2d_PKCS7_bio(out, p7);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_PKCS7(out, p7);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write pkcs7 object\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (p7 != NULL)
PKCS7_free(p7);
if (crl != NULL)
X509_CRL_free(crl);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/* Allocate the SCEP_MSG structures */
SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey,
X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req,
X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info,
PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert,
EVP_CIPHER cipher ) {
SCEP_MSG *msg = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_MD *dgst=NULL;
unsigned char *raw_data = NULL;
int envelope = 0;
long raw_len = 0;
BIO *debug_bio = NULL;
BIO *p7ebio = NULL;
BIO *inbio = NULL;
char buf[256];
if ((debug_bio=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(debug_bio,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
//if( !cert || !pkey || !recip_cert )
if( !cert || !pkey )
return NULL;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Generating New SCEP-Message...\n", __FILE__, __LINE__);
/* Allocate memory and initialize structures */
if((msg = SCEP_MSG_new_null()) == NULL) return NULL;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Allocate memory\n", __FILE__, __LINE__);
/* Signed Infos */
dgst = (EVP_MD *) EVP_get_digestbyname("md5");
if( (si = PKCS7_SIGNER_INFO_new()) == NULL ) goto err;
if(!PKCS7_SIGNER_INFO_set(si, cert, pkey, dgst)) goto err;
sk_PKCS7_SIGNER_INFO_push( msg->sk_signer_info, si );
msg->signer_ias = si->issuer_and_serial;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] signer infos set\n", __FILE__, __LINE__);
/* If pkey, let's add to the message structure to ease
* message encryption (enveloped data content creation) */
SCEP_MSG_set_pkey ( msg, pkey );
// msg->signer_pkey = pkey;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] encryption key set\n", __FILE__, __LINE__);
/* If not explicit, we guess the certificate to be present
* in the passed inMsg structure, if any. Otherwise ERROR! */
if( !recip_cert && inMsg ) recip_cert = inMsg->signer_cert;
/* Set the messageType */
SCEP_set_messageType ( msg, messageType );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] message type set\n", __FILE__, __LINE__);
switch( messageType ) {
case MSG_CERTREP:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for CERTREP\n", __FILE__, __LINE__);
msg->env_data.NID_p7data = NID_pkcs7_signed;
msg->env_data.p7 = PKCS7_new();
PKCS7_set_type( msg->env_data.p7, NID_pkcs7_signed );
PKCS7_content_new( msg->env_data.p7, NID_pkcs7_data );
if( issued_cert ) {
if (debug)
BIO_printf( debug_bio,
"%s:%d: creating inner degenerated PKCS7... \n",
__FILE__, __LINE__);
/* Adds issued certificate */
PKCS7_add_certificate( msg->env_data.p7, issued_cert );
// PKCS7_add_certificate( msg->env_data.p7, cert );
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
} else if( crl ) {
if (debug)
BIO_printf( debug_bio,
"%s:%d: Adding CRL ... \n",
__FILE__, __LINE__);
/* Adds crl */
PKCS7_add_crl( msg->env_data.p7, crl );
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_PKCSREQ:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for PKCSREQ\n", __FILE__, __LINE__);
/* The inner pkcs7 structure is signed
* and enveloped and the data is to be
* the X509_REQ passed */
msg->env_data.NID_p7data =
NID_pkcs7_signedAndEnveloped;
if( req ) {
msg->env_data.content.req = req;
/* Ask for the data p7 to be generated and
* encrypted */
envelope = 1;
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_GETCRL:
if (debug)
{
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCRL\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
break;
case MSG_GETCERT:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERT\n", __FILE__, __LINE__);
msg->env_data.NID_p7data =
NID_pkcs7_signedAndEnveloped;
/* If it is a query for a general certificate
* the CAcert should be included in the enveloped
* data*/
/* Otherwise, if it is a request for its own
* certificate, the self-signed certificate should
* be included */
// if( cacert )
// msg->env_data.cacert = cacert;
/* Issuer and Serial should be present ! */
if( !ias ) goto err;
msg->env_data.content.ias = ias;
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_GETCERTINITIAL:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERTINITIAL\n", __FILE__, __LINE__);
msg->env_data.NID_p7data = NID_pkcs7_signed;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_V2REQUEST: /* Not currently handled */
if (debug) {
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for V2REQUEST\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
default:
goto err;
}
if (debug)
BIO_printf( debug_bio, "%s:%d: Debug ... \n", __FILE__, __LINE__);
/* If different from NULL, we have to encode something */
if( envelope == 1 ) {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__);
/* Encrypt the message data */
if( !SCEP_MSG_encrypt( msg, recip_cert, cipher )) goto err;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] add sign-cert to structure\n", __FILE__, __LINE__);
/* Signer certificate */
msg->signer_cert = cert;
if (debug)
PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] add attributes\n", __FILE__, __LINE__);
/* Set message attributes, if any */
if ( inMsg ) {
char *tmp = NULL;
int len = 0;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] take data from request\n", __FILE__, __LINE__);
switch ( msg->messageType ) {
default:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set transId\n", __FILE__, __LINE__);
/* The transId is ever required */
tmp = SCEP_get_string_attr_by_name( inMsg->attrs, "transId");
if( tmp ) {
SCEP_set_transId( msg, tmp, strlen(tmp));
OPENSSL_free( tmp );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set recipient nonce (sendernonce from req)\n", __FILE__, __LINE__);
/* Copy the sendernonce to the recipient nonce and
* generate a new sendernonce for the generated msg */
tmp = SCEP_get_octect_attr_by_name( inMsg->attrs,
"senderNonce", &len);
if( tmp ) {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] %d\n", __FILE__, __LINE__, tmp);
SCEP_set_recipientNonce( msg, tmp, len );
OPENSSL_free( tmp );
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set sender nonce\n", __FILE__, __LINE__);
SCEP_set_senderNonce_new(msg);
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set pki_status\n", __FILE__, __LINE__);
SCEP_set_pkiStatus ( msg, PKI_PENDING );
if (debug) {
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
} else {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] generate new data\n", __FILE__, __LINE__);
SCEP_set_senderNonce_new ( msg );
SCEP_set_recipientNonce_new ( msg );
SCEP_set_transId_new ( msg );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
return (msg);
err:
ERR_print_errors_fp(stderr);
return(NULL);
}