void openssl_pkcs7_sign() { int len; BIO *in; X509 *x; FILE *fp; PKCS7 *p7; X509_ALGOR *md; PKCS7_SIGNER_INFO *si; char name[MAX1_LEN], tmp[MAX1_LEN]; unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 sign"; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_data); ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); PKCS7_free(p7); p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); p7->d.sign->cert = sk_X509_new_null(); in = BIO_new_file("/tmp/test.cer", "r"); x = PEM_read_bio_X509(in, NULL, NULL, NULL); sk_X509_push(p7->d.sign->cert, x); BIO_free(in); md = X509_ALGOR_new(); md->algorithm = OBJ_nid2obj(NID_md5); sk_X509_ALGOR_push(p7->d.sign->md_algs, md); si = PKCS7_SIGNER_INFO_new(); ASN1_INTEGER_set(si->version, 2); ASN1_INTEGER_set(si->issuer_and_serial->serial, 333); sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info, si); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); fp = fopen("/tmp/test.cer", "rb"); len = fread(tmp, 1, MAX1_LEN, fp); fclose(fp); p = (unsigned char *)&tmp; d2i_PKCS7(&p7, (const unsigned char **)&p, len); OBJ_obj2txt(name, MAX1_LEN, p7->type, 0); PKCS7_free(p7); }
void openssl_pkcs7_enveloped() { int len; FILE *fp; PKCS7 *p7; PKCS7_RECIP_INFO *inf; unsigned char *der, *p; const unsigned char edata[COMM_LEN] = "info...."; const unsigned char ekeys[COMM_LEN] = "key info...."; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_enveloped); ASN1_INTEGER_set(p7->d.enveloped->version, 3); inf = PKCS7_RECIP_INFO_new(); ASN1_INTEGER_set(inf->version, 4); ASN1_INTEGER_set(inf->issuer_and_serial->serial, 888888); inf->key_enc_algor->algorithm = OBJ_nid2obj(NID_des_ede3_cbc); ASN1_OCTET_STRING_set(inf->enc_key, ekeys, 12); sk_PKCS7_RECIP_INFO_push(p7->d.enveloped->recipientinfo, inf); p7->d.enveloped->enc_data->algorithm->algorithm = OBJ_nid2obj(NID_des_ede3_cbc); p7->d.enveloped->enc_data->enc_data = ASN1_OCTET_STRING_new(); ASN1_OCTET_STRING_set(p7->d.enveloped->enc_data->enc_data, edata, 8); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); PKCS7_free(p7); p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/testEnv.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); PKCS7_free(p7); free(der); }
int main(){ PKCS7 *p7; int ret,len; char *der,*p; FILE *fp; p7 = PKCS7_new(); ret=PKCS7_set_type(p7,NID_pkcs7_encrypted); ASN1_INTEGER_set(p7->d.encrypted->version,3); p7->d.encrypted->enc_data->algorithm->algorithm=OBJ_nid2obj(NID_des_ede3_cbc); p7->d.encrypted->enc_data->enc_data=ASN1_OCTET_STRING_new(); ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data,(const unsigned char *)"3434",4); len=i2d_PKCS7(p7,NULL); der=(char *)malloc(len); p=der; len=i2d_PKCS7(p7,(unsigned char **)&p); fp=fopen("p7_enc.cer","wb"); fwrite(der,1,len,fp); fclose(fp); PKCS7_free(p7); free(der); return 0; }
int main(){ PKCS7 *p7; int len; unsigned char *der,*p; FILE *fp; X509 *x; BIO *in; X509_ALGOR *md; PKCS7_SIGNER_INFO *si; p7=PKCS7_new(); PKCS7_set_type(p7,NID_pkcs7_signed); p7->d.sign->cert=sk_X509_new_null(); in=BIO_new_file("b64cert.cer","r"); x=PEM_read_bio_X509(in,NULL,NULL,NULL); sk_X509_push(p7->d.sign->cert,x); md=X509_ALGOR_new(); md->algorithm=OBJ_nid2obj(NID_md5); sk_X509_ALGOR_push(p7->d.sign->md_algs,md); si=PKCS7_SIGNER_INFO_new(); ASN1_INTEGER_set(si->version,2); ASN1_INTEGER_set(si->issuer_and_serial->serial,333); sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info,si); len=i2d_PKCS7(p7,NULL); der=(unsigned char *)malloc(len); p=der; len=i2d_PKCS7(p7,&p); fp=fopen("p7_sign.cer","wb"); fwrite(der,1,len,fp); fclose(fp); free(der); PKCS7_free(p7); return 0; }
pki_pkcs7::pki_pkcs7(const QString name) :pki_base(name) { p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); }
void openssl_pkcs7_encrypt() { BIO *b; int len; FILE *fp; PKCS7 *p7; unsigned char *der, *p; const unsigned char edata[COMM_LEN] = "pkcs7 encrypt"; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_encrypted); ASN1_INTEGER_set(p7->d.encrypted->version, 3); p7->d.encrypted->enc_data->algorithm->algorithm = OBJ_nid2obj(NID_des_ede3_cbc); p7->d.encrypted->enc_data->enc_data = ASN1_OCTET_STRING_new(); ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data, edata, 14); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); PKCS7_free(p7); free(der); b = BIO_new_file("/tmp/test.pem", "r"); p7 = PEM_read_bio_PKCS7(b, NULL, NULL, NULL); BIO_free(b); PKCS7_free(p7); }
int PKCS7_content_new(PKCS7 *p7, int type) { PKCS7 *ret=NULL; if ((ret=PKCS7_new()) == NULL) goto err; if (!PKCS7_set_type(ret,type)) goto err; if (!PKCS7_set_content(p7,ret)) goto err; return(1); err: if (ret != NULL) PKCS7_free(ret); return(0); }
static VALUE ossl_pkcs7_alloc(VALUE klass) { PKCS7 *pkcs7; VALUE obj; if (!(pkcs7 = PKCS7_new())) { ossl_raise(ePKCS7Error, NULL); } WrapPKCS7(klass, obj, pkcs7); return obj; }
PKCS7* CryptoNative_Pkcs7CreateSigned() { PKCS7* pkcs7 = PKCS7_new(); if (pkcs7 == NULL) { return NULL; } if (!PKCS7_set_type(pkcs7, NID_pkcs7_signed) || !PKCS7_content_new(pkcs7, NID_pkcs7_data)) { PKCS7_free(pkcs7); return NULL; } return pkcs7; }
extern "C" PKCS7* CryptoNative_Pkcs7CreateSigned() { PKCS7* pkcs7 = PKCS7_new(); if (pkcs7 == nullptr) { return nullptr; } if (!PKCS7_set_type(pkcs7, NID_pkcs7_signed) || !PKCS7_content_new(pkcs7, NID_pkcs7_data)) { PKCS7_free(pkcs7); return nullptr; } return pkcs7; }
static LUA_FUNCTION(openssl_pkcs7_new) { int type = luaL_optint(L, 1, NID_pkcs7_signed); int content_nid = luaL_optint(L, 1, NID_pkcs7_data); PKCS7 *p7 = PKCS7_new(); if (p7) { int ret = 1; ret = PKCS7_set_type(p7, type); if (ret) ret = PKCS7_content_new(p7, content_nid); if (ret) { PUSH_OBJECT(p7, "openssl.pkcs7"); return 1; } else PKCS7_free(p7); } return 0; }
void openssl_pkcs7_msg() { int len; FILE *fp; PKCS7 *p7; unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 msg"; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_data); ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); PKCS7_free(p7); }
void Pkcs7SignedDataBuilder::init(MessageDigest::Algorithm mesDigAlgorithm, Certificate &cert, PrivateKey &privKey, bool attached) throw (Pkcs7Exception) { int rc; if (this->state != Pkcs7Builder::NO_INIT) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; if (this->state == Pkcs7Builder::UPDATE) { BIO_free(this->p7bio); this->p7bio = NULL; } } this->pkcs7 = PKCS7_new(); PKCS7_set_type(this->pkcs7, NID_pkcs7_signed); if (!attached) { PKCS7_set_detached(this->pkcs7, 1); } if (!PKCS7_add_signature(this->pkcs7, cert.getX509(), privKey.getEvpPkey(), MessageDigest::getMessageDigest(mesDigAlgorithm))) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_SIGNER, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true); } rc = PKCS7_add_certificate(this->pkcs7, cert.getX509()); if (!rc)//inversor adicionado (martin 28/11/07) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true); } this->state = Pkcs7Builder::INIT; }
int create_envelope(PluginInstance *inst, u8 **data, int *datalen) { int r; PKCS7 *p7 = NULL; X509 *x509 = NULL; PKCS7_SIGNER_INFO *si = NULL; EVP_PKEY *pkey = NULL; BIO *in = NULL, *p7bio = NULL; u8 *buf; r = extract_certificate_and_pkey(inst, &x509, &pkey); if (r) goto err; p7 = PKCS7_new(); if (p7 == NULL) { r = -1; goto err; } r = PKCS7_set_type(p7, NID_pkcs7_signed); if (r != 1) { r = -1; goto err; } EVP_add_digest(EVP_sha1()); si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1()); if (si == NULL) { r = -1; goto err; } PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); r = PKCS7_add_certificate(p7, x509); if (r != 1) { printf("PKCS7_add_certificate failed.\n"); goto err; } PKCS7_content_new(p7, NID_pkcs7_data); p7bio = PKCS7_dataInit(p7, NULL); if (p7bio == NULL) { r = -1; goto err; } in = BIO_new_mem_buf(inst->signdata, inst->signdata_len); if (in == NULL) { r = -1; goto err; } for (;;) { char lbuf[1024]; int i = BIO_read(in, lbuf, sizeof(lbuf)); if (i <= 0) break; BIO_write(p7bio, lbuf, i); } if (!PKCS7_dataFinal(p7, p7bio)) { r = -1; goto err; } /* FIXME: remove this */ r = i2d_PKCS7(p7, NULL); if (r <= 0) { r = -1; goto err; } buf = (u8 *) malloc(r); if (buf == NULL) goto err; *data = buf; r = i2d_PKCS7(p7, &buf); *datalen = r; if (r <= 0) { free(buf); r = -1; goto err; } r = 0; err: if (p7) PKCS7_free(p7); if (in) BIO_free(in); if (p7bio) BIO_free(p7bio); #if 0 if (si) PKCS7_SIGNER_INFO_free(si); #endif if (pkey) EVP_PKEY_free(pkey); if (x509) X509_free(x509); if (r) { #if 0 ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); #endif } return r; }
// Write signed variable EFI_STATUS SetSignedVariable(IN CHAR16 *DatabaseName, IN EFI_GUID *DatabaseGuid, IN UINT32 Attributes, IN VOID *Database, IN UINTN DatabaseSize) { EFI_STATUS Status; EFI_VARIABLE_AUTHENTICATION_2 *Authentication; UINTN Size, NameLen; UINTN DataSize = 0; EFI_TIME Timestamp; VOID *Data = NULL; BIO *BioData = NULL; PKCS7 *p7; X509 *Certificate = NULL; EVP_PKEY *PrivateKey = NULL; const EVP_MD *md; // Check parameters if ((DatabaseName == NULL) || (DatabaseGuid == NULL)) { return EFI_INVALID_PARAMETER; } DBG("Setting secure variable: %g %s 0x%X (0x%X)\n", DatabaseGuid, DatabaseName, Database, DatabaseSize); NameLen = StrLen(DatabaseName); if (NameLen == 0) { return EFI_INVALID_PARAMETER; } // Get the current time DBG("Getting timestamp ...\n"); Status = GetUTCTime(&Timestamp); if (EFI_ERROR(Status)) { return Status; } DBG("Timestamp: %t\n", Timestamp); // In user mode we need to sign the database with exchange key if (!gSettings.SecureBootSetupMode) { // Initialize the cyphers and digests ERR_load_crypto_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); // Create signing certificate BioData = BIO_new_mem_buf((void *)gSecureBootExchangeKey, sizeof(gSecureBootExchangeKey)); if (BioData == NULL) { return EFI_OUT_OF_RESOURCES; } Certificate = PEM_read_bio_X509(BioData, NULL, NULL, NULL); BIO_free(BioData); if (Certificate == NULL) { return EFI_OUT_OF_RESOURCES; } // Create signing private key BioData = BIO_new_mem_buf((void *)gSecureBootExchangePrivateKey, sizeof(gSecureBootExchangePrivateKey)); if (BioData == NULL) { return EFI_OUT_OF_RESOURCES; } PrivateKey = PEM_read_bio_PrivateKey(BioData, NULL, NULL, NULL); BIO_free(BioData); if (PrivateKey == NULL) { X509_free(Certificate); return EFI_OUT_OF_RESOURCES; } // Do the actual signing process BioData = BIO_new(BIO_s_mem()); BIO_write(BioData, DatabaseName, (int)StrLen(DatabaseName)); BIO_write(BioData, DatabaseGuid, sizeof(EFI_GUID)); BIO_write(BioData, &Attributes, sizeof(UINT32)); BIO_write(BioData, &Timestamp, sizeof(EFI_TIME)); BIO_write(BioData, Database, (int)DatabaseSize); md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); PKCS7_sign_add_signer(p7, Certificate, PrivateKey, md, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP); PKCS7_set_detached(p7, 1); PKCS7_final(p7, BioData, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP); X509_free(Certificate); EVP_PKEY_free(PrivateKey); DataSize = i2d_PKCS7(p7, NULL); Data = AllocateZeroPool(DataSize); i2d_PKCS7(p7, (unsigned char **)&Data); PKCS7_free(p7); // Set the authentication buffer size Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize; } else { // In setup mode we don't need to sign, so just set the database DBG("In setup mode, not signing ...\n"); Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DatabaseSize; } // Create the authentication buffer DBG("Creating authentication ...\n"); Authentication = (EFI_VARIABLE_AUTHENTICATION_2 *)AllocateZeroPool(Size); if (Authentication == NULL) { if (Data != NULL) { FreePool(Data); } return EFI_OUT_OF_RESOURCES; } // Set the certificate elements CopyMem(&(Authentication->TimeStamp), &Timestamp, sizeof(EFI_TIME)); Authentication->AuthInfo.Hdr.dwLength = (UINT32)(sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize); Authentication->AuthInfo.Hdr.wRevision = 0x0200; Authentication->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; CopyMem(&(Authentication->AuthInfo.CertType), &gEfiCertPkcs7Guid, sizeof(EFI_GUID)); // Copy the data into the authentication if (Data != NULL) { CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Data, DataSize); FreePool(Data); } else { CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Database, DatabaseSize); //Payload, PayloadSize); } DBG("Writing secure variable 0x%X (0x%X) ...\n", Authentication, Size); // Write the database variable Status = gRT->SetVariable(DatabaseName, DatabaseGuid, SET_DATABASE_ATTRIBUTES, Size, Authentication); // Cleanup the authentication buffer FreePool(Authentication); return Status; }
int crl2pkcs7_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; STACK_OF(OPENSSL_STRING) *certflst = NULL; STACK_OF(X509) *cert_stack = NULL; STACK_OF(X509_CRL) *crl_stack = NULL; X509_CRL *crl = NULL; char *infile = NULL, *outfile = NULL, *prog, *certfile; int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl = 0; OPTION_CHOICE o; prog = opt_init(argc, argv, crl2pkcs7_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: opthelp: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(crl2pkcs7_options); ret = 0; goto end; case OPT_INFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) goto opthelp; break; case OPT_OUTFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) goto opthelp; break; case OPT_IN: infile = opt_arg(); break; case OPT_OUT: outfile = opt_arg(); break; case OPT_NOCRL: nocrl = 1; break; case OPT_CERTFILE: if ((certflst == NULL) && (certflst = sk_OPENSSL_STRING_new_null()) == NULL) goto end; if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) { sk_OPENSSL_STRING_free(certflst); goto end; } break; } } argc = opt_num_rest(); argv = opt_rest(); if (!app_load_modules(NULL)) goto end; if (!nocrl) { in = bio_open_default(infile, RB(informat)); if (in == NULL) goto end; if (informat == FORMAT_ASN1) crl = d2i_X509_CRL_bio(in, NULL); else if (informat == FORMAT_PEM) crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); if (crl == NULL) { BIO_printf(bio_err, "unable to load CRL\n"); ERR_print_errors(bio_err); goto end; } } if ((p7 = PKCS7_new()) == NULL) goto end; if ((p7s = PKCS7_SIGNED_new()) == NULL) goto end; p7->type = OBJ_nid2obj(NID_pkcs7_signed); p7->d.sign = p7s; p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); if (!ASN1_INTEGER_set(p7s->version, 1)) goto end; if ((crl_stack = sk_X509_CRL_new_null()) == NULL) goto end; p7s->crl = crl_stack; if (crl != NULL) { sk_X509_CRL_push(crl_stack, crl); crl = NULL; /* now part of p7 for OPENSSL_freeing */ } if ((cert_stack = sk_X509_new_null()) == NULL) goto end; p7s->cert = cert_stack; if (certflst) for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack, certfile) < 0) { BIO_printf(bio_err, "error loading certificates\n"); ERR_print_errors(bio_err); goto end; } } sk_OPENSSL_STRING_free(certflst); out = bio_open_default(outfile, WB(outformat)); if (out == NULL) goto end; if (outformat == FORMAT_ASN1) i = i2d_PKCS7_bio(out, p7); else if (outformat == FORMAT_PEM) i = PEM_write_bio_PKCS7(out, p7); if (!i) { BIO_printf(bio_err, "unable to write pkcs7 object\n"); ERR_print_errors(bio_err); goto end; } ret = 0; end: BIO_free(in); BIO_free_all(out); PKCS7_free(p7); X509_CRL_free(crl); return (ret); }
/* * Wrap data in PKCS#7 envelopes and base64-encode the result. * Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject * structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in * GetCert and GETCrl. */ int pkcs7_wrap(struct scep *s, struct sscep_ctx *ctx, struct sscep_operation_info *op_info) { BIO *databio = NULL; BIO *encbio = NULL; BIO *pkcs7bio = NULL; BIO *memorybio = NULL; BIO *outbio = NULL; unsigned char *buffer = NULL; int len = 0; STACK_OF(X509) *recipients = NULL; PKCS7 *p7enc = NULL; PKCS7_SIGNER_INFO *si; STACK_OF(X509_ATTRIBUTE) *attributes; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; int ret = SCEP_PKISTATUS_P7; char *payload = NULL; int payload_len; /* Create a new sender nonce for all messages * XXXXXXXXXXXXXX should it be per transaction? */ s->sender_nonce_len = 16; free(s->sender_nonce);/* Clean up from previous runs */ s->sender_nonce = (char *)malloc(s->sender_nonce_len * sizeof(char)); RAND_bytes((unsigned char *) s->sender_nonce, s->sender_nonce_len); /* Prepare data payload */ switch (s->request_type) { case SCEP_REQUEST_PKCSREQ: /* * Set printable message type * We set this later as an autheticated attribute * "messageType". */ s->request_type_str = SCEP_REQUEST_PKCSREQ_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (ctx->verbose){ qeo_log_i("creating inner PKCS#7"); } /* Read request in memory bio */ databio = BIO_new(BIO_s_mem()); if (i2d_X509_REQ_bio(databio, op_info->request) <= 0) { qeo_log_e("error writing certificate request in bio"); goto error; } (void)BIO_flush(databio); break; case SCEP_REQUEST_GETCERTINIT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (ctx->verbose){ qeo_log_i("creating inner PKCS#7"); } /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if (i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) { qeo_log_e("error writing GetCertInitial data in bio"); goto error; } (void)BIO_flush(databio); break; } /* Below this is the common code for all request_type */ /* Read in the payload */ payload_len = BIO_get_mem_data(databio, &payload); if (ctx->verbose){ qeo_log_i("data payload size: %d bytes", payload_len); } /* Create encryption certificate stack */ if ((recipients = sk_X509_new(NULL) ) == NULL) { qeo_log_e("error creating certificate stack"); goto error; } if (sk_X509_push(recipients, op_info->racert) <= 0) { qeo_log_e("error adding recipient encryption certificate"); goto error; } /* Create BIO for encryption */ if ((encbio = BIO_new_mem_buf(payload, payload_len)) == NULL ) { qeo_log_e("error creating data bio"); goto error; } /* Encrypt */ if (!(p7enc = PKCS7_encrypt(recipients, encbio, ctx->enc_alg, PKCS7_BINARY))) { qeo_log_e("request payload encrypt failed"); goto error; } if (ctx->verbose){ qeo_log_i("successfully encrypted payload"); } /* Write encrypted data */ memorybio = BIO_new(BIO_s_mem()); if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) { qeo_log_e("error writing encrypted data"); goto error; } (void)BIO_flush(memorybio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); len = BIO_get_mem_data(memorybio, &buffer); BIO_free(memorybio); memorybio=NULL; if (ctx->verbose){ qeo_log_i("envelope size: %d bytes", len); } if (ctx->debug) { qeo_log_i("printing PEM fomatted PKCS#7"); PEM_write_PKCS7(stdout, p7enc); } /* Create outer PKCS#7 */ if (ctx->verbose){ qeo_log_i("creating outer PKCS#7"); } s->request_p7 = PKCS7_new(); if (s->request_p7 == NULL ) { qeo_log_e("failed creating PKCS#7 for signing"); goto error; } if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) { qeo_log_e("failed setting PKCS#7 type"); goto error; } /* Add signer certificate and signature */ PKCS7_add_certificate(s->request_p7, signercert); if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, ctx->sig_alg)) == NULL ) { qeo_log_e("error adding PKCS#7 signature"); goto error; } if (ctx->verbose){ qeo_log_i("signature added successfully"); } /* Set signed attributes */ if (ctx->verbose){ qeo_log_i("adding signed attributes"); } attributes = sk_X509_ATTRIBUTE_new_null(); add_attribute_string(attributes, ctx->nid_transId, s->transaction_id, ctx); add_attribute_string(attributes, ctx->nid_messageType, s->request_type_str, ctx); add_attribute_octet(attributes, ctx->nid_senderNonce, s->sender_nonce, s->sender_nonce_len, ctx); PKCS7_set_signed_attributes(si, attributes); sk_X509_ATTRIBUTE_pop_free(attributes, X509_ATTRIBUTE_free); /* Add contentType */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) { qeo_log_e("error adding NID_pkcs9_contentType"); goto error; } /* Create new content */ if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) { qeo_log_e("failed setting PKCS#7 content type"); goto error; } /* Write data */ pkcs7bio = PKCS7_dataInit(s->request_p7, NULL ); if (pkcs7bio == NULL ) { qeo_log_e("error opening bio for writing PKCS#7 data"); goto error; } if (len != BIO_write(pkcs7bio, buffer, len)) { qeo_log_e("error writing PKCS#7 data"); goto error; } if (ctx->verbose){ qeo_log_i("PKCS#7 data written successfully"); } /* Finalize PKCS#7 */ if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) { qeo_log_e("error finalizing outer PKCS#7"); goto error; } if (ctx->debug) { qeo_log_i("printing PEM fomatted PKCS#7"); PEM_write_PKCS7(stdout, s->request_p7); } /* base64-encode the data */ if (ctx->verbose){ qeo_log_i("applying base64 encoding"); } /* Create base64 filtering bio */ memorybio = BIO_new(BIO_s_mem()); outbio = BIO_push(BIO_new(BIO_f_base64()), memorybio); /* Copy PKCS#7 */ i2d_PKCS7_bio(outbio, s->request_p7); (void)BIO_flush(outbio); payload_len = BIO_get_mem_data(memorybio, &payload); s->request_payload = (char*) malloc(sizeof(char)*payload_len); if (!s->request_payload){ goto error; } s->request_len = payload_len; memcpy(s->request_payload, payload, s->request_len); if (ctx->verbose){ qeo_log_i("base64 encoded payload size: %d bytes", payload_len); } ret = 0; error: BIO_free(databio); BIO_free(encbio); BIO_free_all(pkcs7bio); BIO_free(memorybio); BIO_free(outbio); if (recipients != NULL){ sk_X509_free(recipients);/* Only free the stack, not the certificates */ } PKCS7_free(p7enc); OPENSSL_free(buffer); return ret; }
static int add_auth_descriptor(varsign_context *ctx, unsigned char dont_sign) { EFI_VARIABLE_AUTHENTICATION_2 *auth; int rc=0, len=0, flags=0; EFI_TIME timestamp; const EVP_MD *md; BIO *data_bio = NULL; PKCS7 *p7; UINT8 *signpkg; if (set_timestamp(×tamp)) return -1; /* create a BIO for our variable data, containing: * * Variablename (not including trailing nul) * * VendorGUID * * Attributes * * TimeStamp * * Data */ if (dont_sign == 0) { data_bio = BIO_new(BIO_s_mem()); BIO_write(data_bio, ctx->var_name, ctx->var_name_bytes); BIO_write(data_bio, &ctx->var_guid, sizeof(ctx->var_guid)); BIO_write(data_bio, &ctx->var_attrs, sizeof(ctx->var_attrs)); BIO_write(data_bio, ×tamp, sizeof(timestamp)); BIO_write(data_bio, ctx->data, ctx->data_len); md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;; PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); PKCS7_sign_add_signer(p7, ctx->cert, ctx->key, md, flags); PKCS7_set_detached(p7, 1); rc = PKCS7_final(p7, data_bio, flags); if (!rc) { fprintf(stderr, "Error signing variable data\n"); ERR_print_errors_fp(stderr); BIO_free_all(data_bio); return -1; } len = i2d_PKCS7(p7, NULL); } else { len = 0; } /* set up our auth descriptor */ auth = talloc_size(ctx, len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData)); auth->TimeStamp = timestamp; auth->AuthInfo.Hdr.dwLength = len + offsetof (WIN_CERTIFICATE_UEFI_GUID, CertData); auth->AuthInfo.Hdr.wRevision = 0x0200; auth->AuthInfo.Hdr.wCertificateType = 0x0EF1; auth->AuthInfo.CertType = cert_pkcs7_guid; if (dont_sign == 0) { signpkg = auth->AuthInfo.CertData; i2d_PKCS7(p7, &signpkg); } ctx->auth_descriptor = auth; ctx->auth_descriptor_len = len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData); BIO_free_all(data_bio); return 0; }
int main(int argc, char **argv) { const char *keyfilename, *certfilename; struct sign_context *ctx; uint8_t *buf, *tmp; int rc, c, sigsize; ctx = talloc_zero(NULL, struct sign_context); keyfilename = NULL; certfilename = NULL; for (;;) { int idx; c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx); if (c == -1) break; switch (c) { case 'o': ctx->outfilename = talloc_strdup(ctx, optarg); break; case 'c': certfilename = optarg; break; case 'k': keyfilename = optarg; break; case 'd': ctx->detached = 1; break; case 'v': ctx->verbose = 1; break; case 'V': version(); return EXIT_SUCCESS; case 'h': usage(); return EXIT_SUCCESS; } } if (argc != optind + 1) { usage(); return EXIT_FAILURE; } ctx->infilename = argv[optind]; if (!ctx->outfilename) set_default_outfilename(ctx); if (!certfilename) { fprintf(stderr, "error: No certificate specified (with --cert)\n"); usage(); return EXIT_FAILURE; } if (!keyfilename) { fprintf(stderr, "error: No key specified (with --key)\n"); usage(); return EXIT_FAILURE; } ctx->image = image_load(ctx->infilename); if (!ctx->image) return EXIT_FAILURE; _talloc_steal(ctx, ctx->image); ERR_load_crypto_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); EVP_PKEY *pkey = fileio_read_pkey(keyfilename); if (!pkey) return EXIT_FAILURE; X509 *cert = fileio_read_cert(certfilename); if (!cert) return EXIT_FAILURE; const EVP_MD *md = EVP_get_digestbyname("SHA256"); /* set up the PKCS7 object */ PKCS7 *p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_SIGNER_INFO *si = PKCS7_sign_add_signer(p7, cert, pkey, md, PKCS7_BINARY); if (!si) { fprintf(stderr, "error in key/certificate chain\n"); ERR_print_errors_fp(stderr); return EXIT_FAILURE; } PKCS7_content_new(p7, NID_pkcs7_data); rc = IDC_set(p7, si, ctx->image); if (rc) return EXIT_FAILURE; sigsize = i2d_PKCS7(p7, NULL); tmp = buf = talloc_array(ctx->image, uint8_t, sigsize); i2d_PKCS7(p7, &tmp); ERR_print_errors_fp(stdout); image_add_signature(ctx->image, buf, sigsize); if (ctx->detached) image_write_detached(ctx->image, ctx->outfilename); else image_write(ctx->image, ctx->outfilename); talloc_free(ctx); return EXIT_SUCCESS; }
char* sign_and_encrypt(const char *data, RSA *rsa, X509 *x509, X509 *PPx509, int verbose) /* sign and encrypt button data for safe delivery to paypal */ { char *ret = NULL; EVP_PKEY *pkey; PKCS7 *p7 = NULL; BIO *p7bio = NULL; BIO *bio = NULL; PKCS7_SIGNER_INFO* si; int len; char *str; pkey = EVP_PKEY_new(); if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { fprintf(stderr,"Fatal Error: Unable to create EVP_KEY from RSA key\n");fflush(stderr); goto end; } else if (verbose) { printf("Successfully created EVP_KEY from RSA key\n"); } /* Create a signed and enveloped PKCS7 */ p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1()); if (si) { if (PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)) <= 0) { fprintf(stderr,"Fatal Error: Unable to add signed attribute to certificate\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added signed attribute to certificate\n"); } } else { fprintf(stderr,"Fatal Error: Failed to sign PKCS7\n");fflush(stderr); goto end; } /* Encryption */ if (PKCS7_set_cipher(p7, EVP_des_ede3_cbc()) <= 0) { fprintf(stderr,"Fatal Error: Failed to set encryption algorithm\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added encryption algorithm\n"); } if (PKCS7_add_recipient(p7, PPx509) <= 0) { fprintf(stderr,"Fatal Error: Failed to add PKCS7 recipient\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added recipient\n"); } if (PKCS7_add_certificate(p7, x509) <= 0) { fprintf(stderr,"Fatal Error: Failed to add PKCS7 certificate\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added certificate\n"); } p7bio = PKCS7_dataInit(p7, NULL); if (!p7bio) { fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } /* Pump data to special PKCS7 BIO. This encrypts and signs it. */ BIO_write(p7bio, data, strlen(data)); BIO_flush(p7bio); PKCS7_dataFinal(p7, p7bio); /* Write PEM encoded PKCS7 */ bio = BIO_new(BIO_s_mem()); if (!bio || (PEM_write_bio_PKCS7(bio, p7) == 0)) { fprintf(stderr,"Fatal Error: Failed to create PKCS7 PEM\n");fflush(stderr); } else if (verbose) { printf("Successfully created PKCS7 PEM\n"); } BIO_flush(bio); len = BIO_get_mem_data(bio, &str); ret = malloc(sizeof(char)*(len+1)); memcpy(ret, str, len); ret[len] = 0; end: /* Free everything */ if (bio) BIO_free_all(bio); if (p7bio) BIO_free_all(p7bio); if (p7) PKCS7_free(p7); if (pkey) EVP_PKEY_free(pkey); return ret; }
/* * Wrap data in PKCS#7 envelopes and base64-encode the result. * Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject * structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in * GetCert and GETCrl. */ int pkcs7_wrap(struct scep *s) { BIO *databio = NULL; BIO *encbio = NULL; BIO *pkcs7bio = NULL; BIO *memorybio = NULL; BIO *outbio = NULL; BIO *base64bio = NULL; unsigned char *buffer = NULL; int rc, len = 0; STACK_OF(X509) *recipients; PKCS7 *p7enc; PKCS7_SIGNER_INFO *si; STACK_OF(X509_ATTRIBUTE) *attributes; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; /* Create a new sender nonce for all messages * XXXXXXXXXXXXXX should it be per transaction? */ s->sender_nonce_len = 16; s->sender_nonce = (unsigned char *)malloc(s->sender_nonce_len); RAND_bytes(s->sender_nonce, s->sender_nonce_len); /* Prepare data payload */ switch(s->request_type) { case SCEP_REQUEST_PKCSREQ: /* * Set printable message type * We set this later as an autheticated attribute * "messageType". */ s->request_type_str = SCEP_REQUEST_PKCSREQ_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (v_flag) printf("%s: creating inner PKCS#7\n", pname); /* Read request in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_X509_REQ_bio(databio, request)) <= 0) { fprintf(stderr, "%s: error writing " "certificate request in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCERTINIT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (v_flag) printf("%s: creating inner PKCS#7\n", pname); /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0) { fprintf(stderr, "%s: error writing " "GetCertInitial data in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCERT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERT_STR; /* Signer cert */ signercert = localcert; signerkey = rsa; /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio, s->ias_getcert)) <= 0) { fprintf(stderr, "%s: error writing " "GetCert data in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCRL: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCRL_STR; /* Signer cert */ signercert = localcert; signerkey = rsa; /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio, s->ias_getcrl)) <= 0) { fprintf(stderr, "%s: error writing " "GetCert data in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; } /* Below this is the common code for all request_type */ /* Read in the payload */ s->request_len = BIO_get_mem_data(databio, &s->request_payload); if (v_flag) printf("%s: data payload size: %d bytes\n", pname, s->request_len); BIO_free(databio); /* Create encryption certificate stack */ if ((recipients = sk_X509_new(NULL)) == NULL) { fprintf(stderr, "%s: error creating " "certificate stack\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Use different CA cert for encryption if requested */ if (e_flag) { if (sk_X509_push(recipients, encert) <= 0) { fprintf(stderr, "%s: error adding recipient encryption " "certificate\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Use same CA cert also for encryption */ } else { if (sk_X509_push(recipients, cacert) <= 0) { fprintf(stderr, "%s: error adding recipient encryption " "certificate\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } } /* Create BIO for encryption */ if ((encbio = BIO_new_mem_buf(s->request_payload, s->request_len)) == NULL) { fprintf(stderr, "%s: error creating data " "bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Encrypt */ if (!(p7enc = PKCS7_encrypt(recipients, encbio, enc_alg, PKCS7_BINARY))) { fprintf(stderr, "%s: request payload encrypt failed\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (v_flag) printf("%s: successfully encrypted payload\n", pname); /* Write encrypted data */ memorybio = BIO_new(BIO_s_mem()); if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) { fprintf(stderr, "%s: error writing encrypted data\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(memorybio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); len = BIO_get_mem_data(memorybio, &buffer); if (v_flag) printf("%s: envelope size: %d bytes\n", pname, len); if (d_flag) { printf("%s: printing PEM fomatted PKCS#7\n", pname); PEM_write_PKCS7(stdout, p7enc); } BIO_free(memorybio); /* Create outer PKCS#7 */ if (v_flag) printf("%s: creating outer PKCS#7\n", pname); s->request_p7 = PKCS7_new(); if (s->request_p7 == NULL) { fprintf(stderr, "%s: failed creating PKCS#7 for signing\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) { fprintf(stderr, "%s: failed setting PKCS#7 type\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Add signer certificate and signature */ PKCS7_add_certificate(s->request_p7, signercert); if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, sig_alg)) == NULL) { fprintf(stderr, "%s: error adding PKCS#7 signature\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (v_flag) printf("%s: signature added successfully\n", pname); /* Set signed attributes */ if (v_flag) printf("%s: adding signed attributes\n", pname); attributes = sk_X509_ATTRIBUTE_new_null(); add_attribute_string(attributes, nid_transId, s->transaction_id); add_attribute_string(attributes, nid_messageType, s->request_type_str); add_attribute_octet(attributes, nid_senderNonce, s->sender_nonce, s->sender_nonce_len); PKCS7_set_signed_attributes(si, attributes); /* Add contentType */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) { fprintf(stderr, "%s: error adding NID_pkcs9_contentType\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Create new content */ if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) { fprintf(stderr, "%s: failed setting PKCS#7 content type\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Write data */ pkcs7bio = PKCS7_dataInit(s->request_p7, NULL); if (pkcs7bio == NULL) { fprintf(stderr, "%s: error opening bio for writing PKCS#7 " "data\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (len != BIO_write(pkcs7bio, buffer, len)) { fprintf(stderr, "%s: error writing PKCS#7 data\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (v_flag) printf("%s: PKCS#7 data written successfully\n", pname); /* Finalize PKCS#7 */ if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) { fprintf(stderr, "%s: error finalizing outer PKCS#7\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (d_flag) { printf("%s: printing PEM fomatted PKCS#7\n", pname); PEM_write_PKCS7(stdout, s->request_p7); } /* base64-encode the data */ if (v_flag) printf("%s: applying base64 encoding\n",pname); /* Create base64 filtering bio */ memorybio = BIO_new(BIO_s_mem()); base64bio = BIO_new(BIO_f_base64()); outbio = BIO_push(base64bio, memorybio); /* Copy PKCS#7 */ i2d_PKCS7_bio(outbio, s->request_p7); BIO_flush(outbio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); s->request_len = BIO_get_mem_data(memorybio, &s->request_payload); if (v_flag) printf("%s: base64 encoded payload size: %d bytes\n", pname, s->request_len); BIO_free(outbio); return (0); }
/******************************************************************************* 函数名称: cert_pkcs7_wrap 功能描述: 将要发送的消息采用PKCS#7格式进行编码 输入参数: struct scep *s, SCEP操作的结构体指针。 s32 hasra, 是否使用RA证书,1,使用;0,不使用 输出参数: 无 返 回 值: 1,成功;-1,失败 -------------------------------------------------------------------------------- 最近一次修改记录: 修改作者:王朝 修改目的:添加新函数 修改日期:2009年12月28日 *********************************************************************************/ s32 cert_pkcs7_wrap(struct scep *s, s32 hasra) { BIO *databio = NULL; BIO *encbio = NULL; BIO *pkcs7bio = NULL; BIO *memorybio = NULL; BIO *outbio = NULL; BIO *base64bio = NULL; u8 *buffer = NULL; s32 len = 0; STACK_OF(X509) *recipients = NULL; PKCS7 *p7enc = NULL; PKCS7_SIGNER_INFO *si = NULL; STACK_OF(X509_ATTRIBUTE) *attributes = NULL; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; s32 retval = -1; /* sender nonce */ s->sender_nonce_len = 16; s->sender_nonce = (u8 *)malloc((u32)s->sender_nonce_len); RAND_bytes(s->sender_nonce, s->sender_nonce_len); /* Prepare data payload */ switch(s->request_type) { case SCEP_REQUEST_PKCSREQ: s->request_type_str = SCEP_REQUEST_PKCSREQ_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Read request in memory bio */ databio = BIO_new(BIO_s_mem()); if ((i2d_X509_REQ_bio(databio, cert_request)) <= 0) { goto end; } (void)BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCERTINIT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0) { goto end; } (void)BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; default: goto end; } /* Below this is the common code for all request_type */ /* Read in the payload */ s->request_len = BIO_get_mem_data(databio, &s->request_payload); BIO_free(databio); databio = NULL; /* Create encryption certificate stack */ if (NULL == (recipients = sk_X509_new_null() )) { goto end; } /* Use different CA cert for encryption if requested */ if (1 == hasra) { if (sk_X509_push(recipients, cert_encert) <= 0) { goto end; } } else { /* Use same CA cert also for encryption */ if (sk_X509_push(recipients, cert_cacert) <= 0) { goto end; } } /* Create BIO for encryption */ if ((encbio = BIO_new_mem_buf(s->request_payload,s->request_len)) == NULL) { goto end; } /* Encrypt */ if (NULL == (p7enc = PKCS7_encrypt(recipients, encbio, cert_enc_alg, PKCS7_BINARY))) { goto end; } BIO_free(encbio); encbio = NULL; sk_X509_free(recipients); recipients = NULL; /* Write encrypted data */ memorybio = BIO_new(BIO_s_mem()); if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) { goto end; } PKCS7_free(p7enc); p7enc = NULL; (void)BIO_flush(memorybio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); len = BIO_get_mem_data(memorybio, &buffer); /* Create outer PKCS#7 */ s->request_p7 = PKCS7_new(); if (s->request_p7 == NULL) { goto end; } if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) { goto end; } /* Add signer certificate and signature */ PKCS7_add_certificate(s->request_p7, signercert); if ((si = PKCS7_add_signature(s->request_p7,signercert, signerkey, cert_sig_alg)) == NULL) { goto end; } /* Set signed attributes */ attributes = sk_X509_ATTRIBUTE_new_null(); cert_add_attribute_string(attributes, nid_transId, s->transaction_id); cert_add_attribute_string(attributes, nid_messageType, s->request_type_str); cert_add_attribute_octet(attributes, nid_senderNonce, (s8 *)(s->sender_nonce),s->sender_nonce_len); PKCS7_set_signed_attributes(si, attributes); sk_X509_ATTRIBUTE_free(attributes); attributes = NULL; /* Add contentType */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) { goto end; } /* Create new content */ if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) { goto end; } /* Write data */ pkcs7bio = PKCS7_dataInit(s->request_p7, NULL); if (pkcs7bio == NULL) { goto end; } if (len != BIO_write(pkcs7bio, buffer, len)) { goto end; } BIO_free(memorybio); memorybio = NULL; /* Finalize PKCS#7 */ if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) { goto end; } /* base64-encode the data */ /* Create base64 filtering bio */ memorybio = BIO_new(BIO_s_mem()); base64bio = BIO_new(BIO_f_base64()); outbio = BIO_push(base64bio, memorybio); /* Copy PKCS#7 */ i2d_PKCS7_bio(outbio, s->request_p7); (void)BIO_flush(outbio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); s->request_len = BIO_get_mem_data(memorybio, &s->request_payload); retval = 1; end: if(NULL != databio) { BIO_free(databio); } if(NULL != encbio) { BIO_free(encbio); } if(NULL != p7enc) { PKCS7_free(p7enc); } if(NULL != pkcs7bio) { BIO_free(pkcs7bio); } if(NULL != memorybio) { BIO_free(memorybio); } if(NULL != base64bio) { BIO_free(base64bio); } if(NULL != recipients) { sk_X509_free(recipients); } if(NULL != attributes) { sk_X509_ATTRIBUTE_free(attributes); } return retval; }
/* will return 0, 1, 3, or 99 */ static int _pkgtrans(char *device1, char *device2, char **pkg, int options, keystore_handle_t keystore, char *keystore_alias) { BIO *p7_bio = NULL; EVP_PKEY *privkey = NULL; PKCS7 *sec_pkcs7 = NULL; PKCS7_SIGNER_INFO *sec_signerinfo = NULL; PKG_ERR *err; STACK_OF(X509) *cacerts = NULL; STACK_OF(X509) *clcerts = NULL; STACK_OF(X509) *sec_chain = NULL; X509 *pubcert = NULL; boolean_t making_sig = B_FALSE; char *src, *dst; int errflg, i, n; struct dm_buf *hdr; making_sig = (keystore != NULL) ? B_TRUE : B_FALSE; if (making_sig) { /* new error object */ err = pkgerr_new(); /* find matching cert and key */ if (find_key_cert_pair(err, keystore, keystore_alias, &privkey, &pubcert) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CA certificates */ if (find_ca_certs(err, keystore, &cacerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CL (aka "chain") certificates */ if (find_cl_certs(err, keystore, &clcerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* initialize PKCS7 object to be filled in later */ sec_pkcs7 = PKCS7_new(); (void) PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed); sec_signerinfo = PKCS7_add_signature(sec_pkcs7, pubcert, privkey, EVP_sha1()); if (sec_signerinfo == NULL) { progerr(gettext(ERR_SEC), keystore_alias); ERR_print_errors_fp(stderr); pkgerr_free(err); return (1); } /* add signer cert into signature */ (void) PKCS7_add_certificate(sec_pkcs7, pubcert); /* attempt to resolve cert chain starting at the signer cert */ if (get_cert_chain(err, pubcert, clcerts, cacerts, &sec_chain) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* * add the verification chain of certs into the signature. * The first cert is the user cert, which we don't need, * since it's baked in already, so skip it */ for (i = 1; i < sk_X509_num(sec_chain); i++) { (void) PKCS7_add_certificate(sec_pkcs7, sk_X509_value(sec_chain, i)); } pkgerr_free(err); err = NULL; } if (signal_received > 0) { return (1); } /* transfer spool to appropriate device */ if (devtype(device1, &srcdev)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device1); return (1); } srcdev.rdonly++; /* check for datastream */ ids_name = NULL; if (srcdev.bdevice) { if (n = _getvol(srcdev.bdevice, NULL, NULL, pkg_gt("Insert %v into %p."), srcdev.norewind)) { cleanup(); if (n == 3) return (3); progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_GETVOL)); return (1); } if (ds_readbuf(srcdev.cdevice)) ids_name = srcdev.cdevice; } if (srcdev.cdevice && !srcdev.bdevice) ids_name = srcdev.cdevice; else if (srcdev.pathname) { ids_name = srcdev.pathname; if (access(ids_name, 0) == -1) { progerr(ERR_TRANSFER); logerr(pkg_gt(MSG_GETVOL)); return (1); } } if (!ids_name && device2 == (char *)0) { if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) { cleanup(); return (n); } if (srcdev.mount && *srcdev.mount) pkgdir = strdup(srcdev.mount); return (0); } if (ids_name && device2 == (char *)0) { tmppath = tmpnam(NULL); tmppath = strdup(tmppath); if (tmppath == NULL) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_MEM)); return (1); } if (mkdir(tmppath, 0755)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_MKDIR), tmppath); return (1); } device2 = tmppath; } if (devtype(device2, &dstdev)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device2); return (1); } if ((srcdev.cdevice && dstdev.cdevice) && strcmp(srcdev.cdevice, dstdev.cdevice) == 0) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_SAMEDEV)); return (1); } ods_name = NULL; if (dstdev.cdevice && !dstdev.bdevice || dstdev.pathname) options |= PT_ODTSTREAM; if (options & PT_ODTSTREAM) { if (!((ods_name = dstdev.cdevice) != NULL || (ods_name = dstdev.pathname) != NULL)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device2); return (1); } if (ids_name) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_TWODSTREAM)); return (1); } } else { /* * output device isn't a stream. If we're making a signed * package, then fail, since we can't make signed, * non-stream pkgs */ if (making_sig) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(ERR_CANTSIGN)); return (1); } } if ((srcdev.dirname && dstdev.dirname) && strcmp(srcdev.dirname, dstdev.dirname) == 0) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_SAMEDEV)); return (1); } if ((srcdev.pathname && dstdev.pathname) && strcmp(srcdev.pathname, dstdev.pathname) == 0) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_SAMEDEV)); return (1); } if (signal_received > 0) { return (1); } if (ids_name) { if (srcdev.cdevice && !srcdev.bdevice && (n = _getvol(srcdev.cdevice, NULL, NULL, NULL, srcdev.norewind))) { cleanup(); if (n == 3) return (3); progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_GETVOL)); return (1); } if (srcdev.dirname = tmpnam(NULL)) tmpdir = srcdev.dirname = strdup(srcdev.dirname); if ((srcdev.dirname == NULL) || mkdir(srcdev.dirname, 0755) || chdir(srcdev.dirname)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_NOTEMP), srcdev.dirname); cleanup(); return (1); } if (ds_init(ids_name, pkg, srcdev.norewind)) { cleanup(); return (1); } } else if (srcdev.mount) { if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) { cleanup(); return (n); } } src = srcdev.dirname; dst = dstdev.dirname; if (chdir(src)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_CHDIR), src); cleanup(); return (1); } if (signal_received > 0) { return (1); } xpkg = pkg = gpkglist(src, pkg, NULL); if (!pkg) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_NOPKGS), src); cleanup(); return (1); } for (nxpkg = 0; pkg[nxpkg]; /* void */) { nxpkg++; /* count */ } if (ids_name) { ds_order(pkg); /* order requests */ } if (signal_received > 0) { return (1); } if (options & PT_ODTSTREAM) { char line[128]; if (!dstdev.pathname && (n = _getvol(ods_name, NULL, DM_FORMAT, NULL, dstdev.norewind))) { cleanup(); if (n == 3) return (3); progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_GETVOL)); return (1); } if ((hdr = genheader(src, pkg)) == NULL) { cleanup(); return (1); } if (making_sig) { /* start up signature data stream */ (void) PKCS7_content_new(sec_pkcs7, NID_pkcs7_data); (void) PKCS7_set_detached(sec_pkcs7, 1); p7_bio = PKCS7_dataInit(sec_pkcs7, NULL); /* * Here we generate all the data that will go into * the package, and send it through the signature * generator, essentially calculating the signature * of the entire package so we can place it in the * header. Otherwise we'd have to place it at the end * of the pkg, which would break the ABI */ if (!(options & PT_SILENT)) { (void) fprintf(stderr, pkg_gt(MSG_SIGNING), get_subject_display_name(pubcert)); } if (dump_hdr_and_pkgs(p7_bio, hdr, pkg) != 0) { progerr(gettext(ERR_NOGEN)); logerr(pkg_gt(MSG_GETVOL)); cleanup(); return (1); } BIO_flush(p7_bio); /* * now generate PKCS7 signature */ if (!PKCS7_dataFinal(sec_pkcs7, p7_bio)) { progerr(gettext(ERR_NOGEN)); logerr(pkg_gt(MSG_GETVOL)); cleanup(); return (1); } (void) BIO_free(p7_bio); } /* write out header to stream, which includes signature */ if (wdsheader(hdr, src, ods_name, pkg, sec_pkcs7)) { cleanup(); return (1); } if (sec_pkcs7 != NULL) { /* nuke in-memory signature for safety */ PKCS7_free(sec_pkcs7); sec_pkcs7 = NULL; } ds_volno = 1; /* number of volumes in datastream */ pinput = hdrbuf.text_buffer; /* skip past first line in header */ (void) mgets(line, 128); } if (signal_received > 0) { return (1); } errflg = 0; for (i = 0; pkg[i]; i++) { if (signal_received > 0) { return (1); } if (!(options & PT_ODTSTREAM) && dstdev.mount) { if (n = pkgmount(&dstdev, NULL, 0, 0, 1)) { cleanup(); return (n); } } if (errflg = pkgxfer(pkg[i], options)) { pkg[i] = NULL; if ((options & PT_ODTSTREAM) || (errflg != 2)) break; } else if (strcmp(dstinst, pkg[i])) pkg[i] = strdup(dstinst); } if (!(options & PT_ODTSTREAM) && dst) { pkgdir = strdup(dst); } /* * No cleanup of temporary directories created in this * function is done here. The calling function must do * the cleanup. */ return (signal_received > 0 ? 1 : errflg); }
int main(int argc, char* argv[]) { PKCS7 *p7, *innerp7; FILE *fp = NULL; EVP_PKEY *pkey = NULL; PKCS7_SIGNER_INFO *p7i; PKCS7_RECIP_INFO *pri; BIO *mybio, *inbio; X509 *user; X509_ALGOR *md; int ret, len; unsigned char data[2048], *p, *buf; unsigned char* greet = "hello openssl"; unsigned long errorno; unsigned char* errordesc; OpenSSL_add_all_algorithms(); //必须要显式进行调用 inbio = BIO_new(BIO_s_mem()); ret = BIO_write(inbio, greet, strlen(greet)); p7 = PKCS7_new(); ret = PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); //加载用户证书 fp = fopen("mycert4p12.cer", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; user = d2i_X509(NULL, (const unsigned char**)&p, len); ret = PKCS7_add_certificate(p7, user); pri = PKCS7_add_recipient(p7, user); //读取私钥 fp = fopen("myprivkey.pem", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len); //第一个用户增加SignerInfo到列表中 p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5()); //加载用户证书 fp = fopen("user2.cer", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; user = d2i_X509(NULL, (const unsigned char**)&p, len); ret = PKCS7_add_certificate(p7, user); pri = PKCS7_add_recipient(p7, user); //读取私钥 fp = fopen("user2_privatekey.pem", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len); //第二个签名者增加到SignerInfo列表中 p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5()); ret = PKCS7_set_cipher(p7, EVP_des_ede3_cbc()); ret = PKCS7_final(p7, inbio, 0); //制作数字信封 len = i2d_PKCS7(p7, NULL); p = buf = malloc(len); len = i2d_PKCS7(p7, &p); printf("in i2d len = %d\n", len); fp = fopen("p7signandenv.cer", "wb"); fwrite(buf, len, 1, fp); fclose(fp); PKCS7_free(p7); }
/* will return 0, 1, 3, or 99 */ static int _pkgtrans(char *device1, char *device2, char **pkg, int options, keystore_handle_t keystore, char *keystore_alias) { #ifdef USE_KEYSTORE BIO *p7_bio = NULL; EVP_PKEY *privkey = NULL; #endif PKCS7 *sec_pkcs7 = NULL; #ifdef USE_KEYSTORE PKCS7_SIGNER_INFO *sec_signerinfo = NULL; PKG_ERR *err; STACK_OF(X509) *cacerts = NULL; STACK_OF(X509) *clcerts = NULL; STACK_OF(X509) *sec_chain = NULL; X509 *pubcert = NULL; #endif boolean_t making_sig = B_FALSE; char *src, *dst; int errflg, i, n; struct dm_buf *hdr; making_sig = (keystore != NULL) ? B_TRUE : B_FALSE; #ifdef USE_KEYSTORE if (making_sig) { /* new error object */ err = pkgerr_new(); /* find matching cert and key */ if (find_key_cert_pair(err, keystore, keystore_alias, &privkey, &pubcert) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CA certificates */ if (find_ca_certs(err, keystore, &cacerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CL (aka "chain") certificates */ if (find_cl_certs(err, keystore, &clcerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* initialize PKCS7 object to be filled in later */ sec_pkcs7 = PKCS7_new(); PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed); sec_signerinfo = PKCS7_add_signature(sec_pkcs7, pubcert, privkey, EVP_sha1()); if (sec_signerinfo == NULL) { progerr(gettext(ERR_SEC), keystore_alias); ERR_print_errors_fp(stderr); pkgerr_free(err); return (1); } /* add signer cert into signature */ PKCS7_add_certificate(sec_pkcs7, pubcert); /* attempt to resolve cert chain starting at the signer cert */ if (get_cert_chain(err, pubcert, clcerts, cacerts, &sec_chain) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* * add the verification chain of certs into the signature. * The first cert is the user cert, which we don't need, * since it's baked in already, so skip it */ for (i = 1; i < sk_X509_num(sec_chain); i++) { PKCS7_add_certificate(sec_pkcs7, sk_X509_value(sec_chain, i)); } pkgerr_free(err); err = NULL; } #endif /* USE_KEYSTORE */ if (signal_received > 0) { return (1); } /* transfer spool to appropriate device */ if (devtype(device1, &srcdev)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device1); return (1); } srcdev.rdonly++; /* check for datastream */ ids_name = NULL; if (srcdev.bdevice) { if (ds_readbuf(srcdev.cdevice)) ids_name = srcdev.cdevice; } if (srcdev.cdevice && !srcdev.bdevice) ids_name = srcdev.cdevice; else if (srcdev.pathname) { ids_name = srcdev.pathname; if (access(ids_name, 0) == -1) { progerr(ERR_TRANSFER); logerr(pkg_gt(MSG_GETVOL)); return (1); } } if (!ids_name && device2 == (char *)0) { if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) { cleanup(); return (n); } if (srcdev.mount && *srcdev.mount) pkgdir = strdup(srcdev.mount); return (0); } if (ids_name && device2 == (char *)0) { char template[] = "/var/tmp/ptXXXXXX";
int MAIN(int argc, char **argv) { int i, badops = 0; BIO *in = NULL, *out = NULL; int informat, outformat; char *infile, *outfile, *prog, *certfile; PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; X509_CRL *crl = NULL; STACK_OF(OPENSSL_STRING) *certflst = NULL; STACK_OF(X509_CRL) *crl_stack = NULL; STACK_OF(X509) *cert_stack = NULL; int ret = 1, nocrl = 0; apps_startup(); if (bio_err == NULL) if ((bio_err = BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); infile = NULL; outfile = NULL; informat = FORMAT_PEM; outformat = FORMAT_PEM; prog = argv[0]; argc--; argv++; while (argc >= 1) { if (strcmp(*argv, "-inform") == 0) { if (--argc < 1) goto bad; informat = str2fmt(*(++argv)); } else if (strcmp(*argv, "-outform") == 0) { if (--argc < 1) goto bad; outformat = str2fmt(*(++argv)); } else if (strcmp(*argv, "-in") == 0) { if (--argc < 1) goto bad; infile = *(++argv); } else if (strcmp(*argv, "-nocrl") == 0) { nocrl = 1; } else if (strcmp(*argv, "-out") == 0) { if (--argc < 1) goto bad; outfile = *(++argv); } else if (strcmp(*argv, "-certfile") == 0) { if (--argc < 1) goto bad; if (!certflst) certflst = sk_OPENSSL_STRING_new_null(); if (!certflst) goto end; if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) { sk_OPENSSL_STRING_free(certflst); goto end; } } else { BIO_printf(bio_err, "unknown option %s\n", *argv); badops = 1; break; } argc--; argv++; } if (badops) { bad: BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); BIO_printf(bio_err, " -in arg input file\n"); BIO_printf(bio_err, " -out arg output file\n"); BIO_printf(bio_err, " -certfile arg certificates file of chain to a trusted CA\n"); BIO_printf(bio_err, " (can be used more than once)\n"); BIO_printf(bio_err, " -nocrl no crl to load, just certs from '-certfile'\n"); ret = 1; goto end; } ERR_load_crypto_strings(); in = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } if (!nocrl) { if (infile == NULL) BIO_set_fp(in, stdin, BIO_NOCLOSE); else { if (BIO_read_filename(in, infile) <= 0) { perror(infile); goto end; } } if (informat == FORMAT_ASN1) crl = d2i_X509_CRL_bio(in, NULL); else if (informat == FORMAT_PEM) crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); else { BIO_printf(bio_err, "bad input format specified for input crl\n"); goto end; } if (crl == NULL) { BIO_printf(bio_err, "unable to load CRL\n"); ERR_print_errors(bio_err); goto end; } } if ((p7 = PKCS7_new()) == NULL) goto end; if ((p7s = PKCS7_SIGNED_new()) == NULL) goto end; p7->type = OBJ_nid2obj(NID_pkcs7_signed); p7->d.sign = p7s; p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); if (!ASN1_INTEGER_set(p7s->version, 1)) goto end; if ((crl_stack = sk_X509_CRL_new_null()) == NULL) goto end; p7s->crl = crl_stack; if (crl != NULL) { sk_X509_CRL_push(crl_stack, crl); crl = NULL; /* now part of p7 for OPENSSL_freeing */ } if ((cert_stack = sk_X509_new_null()) == NULL) goto end; p7s->cert = cert_stack; if (certflst) for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { certfile = sk_OPENSSL_STRING_value(certflst, i); if (add_certs_from_file(cert_stack, certfile) < 0) { BIO_printf(bio_err, "error loading certificates\n"); ERR_print_errors(bio_err); goto end; } } sk_OPENSSL_STRING_free(certflst); if (outfile == NULL) { BIO_set_fp(out, stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if (BIO_write_filename(out, outfile) <= 0) { perror(outfile); goto end; } } if (outformat == FORMAT_ASN1) i = i2d_PKCS7_bio(out, p7); else if (outformat == FORMAT_PEM) i = PEM_write_bio_PKCS7(out, p7); else { BIO_printf(bio_err, "bad output format specified for outfile\n"); goto end; } if (!i) { BIO_printf(bio_err, "unable to write pkcs7 object\n"); ERR_print_errors(bio_err); goto end; } ret = 0; end: if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (p7 != NULL) PKCS7_free(p7); if (crl != NULL) X509_CRL_free(crl); apps_shutdown(); OPENSSL_EXIT(ret); }
/* Allocate the SCEP_MSG structures */ SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey, X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req, X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info, PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert, EVP_CIPHER cipher ) { SCEP_MSG *msg = NULL; PKCS7_SIGNER_INFO *si = NULL; EVP_MD *dgst=NULL; unsigned char *raw_data = NULL; int envelope = 0; long raw_len = 0; BIO *debug_bio = NULL; BIO *p7ebio = NULL; BIO *inbio = NULL; char buf[256]; if ((debug_bio=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(debug_bio,stderr,BIO_NOCLOSE|BIO_FP_TEXT); //if( !cert || !pkey || !recip_cert ) if( !cert || !pkey ) return NULL; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] Generating New SCEP-Message...\n", __FILE__, __LINE__); /* Allocate memory and initialize structures */ if((msg = SCEP_MSG_new_null()) == NULL) return NULL; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] Allocate memory\n", __FILE__, __LINE__); /* Signed Infos */ dgst = (EVP_MD *) EVP_get_digestbyname("md5"); if( (si = PKCS7_SIGNER_INFO_new()) == NULL ) goto err; if(!PKCS7_SIGNER_INFO_set(si, cert, pkey, dgst)) goto err; sk_PKCS7_SIGNER_INFO_push( msg->sk_signer_info, si ); msg->signer_ias = si->issuer_and_serial; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] signer infos set\n", __FILE__, __LINE__); /* If pkey, let's add to the message structure to ease * message encryption (enveloped data content creation) */ SCEP_MSG_set_pkey ( msg, pkey ); // msg->signer_pkey = pkey; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] encryption key set\n", __FILE__, __LINE__); /* If not explicit, we guess the certificate to be present * in the passed inMsg structure, if any. Otherwise ERROR! */ if( !recip_cert && inMsg ) recip_cert = inMsg->signer_cert; /* Set the messageType */ SCEP_set_messageType ( msg, messageType ); if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] message type set\n", __FILE__, __LINE__); switch( messageType ) { case MSG_CERTREP: if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for CERTREP\n", __FILE__, __LINE__); msg->env_data.NID_p7data = NID_pkcs7_signed; msg->env_data.p7 = PKCS7_new(); PKCS7_set_type( msg->env_data.p7, NID_pkcs7_signed ); PKCS7_content_new( msg->env_data.p7, NID_pkcs7_data ); if( issued_cert ) { if (debug) BIO_printf( debug_bio, "%s:%d: creating inner degenerated PKCS7... \n", __FILE__, __LINE__); /* Adds issued certificate */ PKCS7_add_certificate( msg->env_data.p7, issued_cert ); // PKCS7_add_certificate( msg->env_data.p7, cert ); envelope = 1; if (debug) BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__); } else if( crl ) { if (debug) BIO_printf( debug_bio, "%s:%d: Adding CRL ... \n", __FILE__, __LINE__); /* Adds crl */ PKCS7_add_crl( msg->env_data.p7, crl ); envelope = 1; if (debug) BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__); } if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); break; case MSG_PKCSREQ: if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for PKCSREQ\n", __FILE__, __LINE__); /* The inner pkcs7 structure is signed * and enveloped and the data is to be * the X509_REQ passed */ msg->env_data.NID_p7data = NID_pkcs7_signedAndEnveloped; if( req ) { msg->env_data.content.req = req; /* Ask for the data p7 to be generated and * encrypted */ envelope = 1; } if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); break; case MSG_GETCRL: if (debug) { BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCRL\n", __FILE__, __LINE__); BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } break; case MSG_GETCERT: if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERT\n", __FILE__, __LINE__); msg->env_data.NID_p7data = NID_pkcs7_signedAndEnveloped; /* If it is a query for a general certificate * the CAcert should be included in the enveloped * data*/ /* Otherwise, if it is a request for its own * certificate, the self-signed certificate should * be included */ // if( cacert ) // msg->env_data.cacert = cacert; /* Issuer and Serial should be present ! */ if( !ias ) goto err; msg->env_data.content.ias = ias; envelope = 1; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); break; case MSG_GETCERTINITIAL: if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERTINITIAL\n", __FILE__, __LINE__); msg->env_data.NID_p7data = NID_pkcs7_signed; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); break; case MSG_V2REQUEST: /* Not currently handled */ if (debug) { BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for V2REQUEST\n", __FILE__, __LINE__); BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } default: goto err; } if (debug) BIO_printf( debug_bio, "%s:%d: Debug ... \n", __FILE__, __LINE__); /* If different from NULL, we have to encode something */ if( envelope == 1 ) { if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__); /* Encrypt the message data */ if( !SCEP_MSG_encrypt( msg, recip_cert, cipher )) goto err; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] add sign-cert to structure\n", __FILE__, __LINE__); /* Signer certificate */ msg->signer_cert = cert; if (debug) PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey ); if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] add attributes\n", __FILE__, __LINE__); /* Set message attributes, if any */ if ( inMsg ) { char *tmp = NULL; int len = 0; if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] take data from request\n", __FILE__, __LINE__); switch ( msg->messageType ) { default: if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] set transId\n", __FILE__, __LINE__); /* The transId is ever required */ tmp = SCEP_get_string_attr_by_name( inMsg->attrs, "transId"); if( tmp ) { SCEP_set_transId( msg, tmp, strlen(tmp)); OPENSSL_free( tmp ); if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] set recipient nonce (sendernonce from req)\n", __FILE__, __LINE__); /* Copy the sendernonce to the recipient nonce and * generate a new sendernonce for the generated msg */ tmp = SCEP_get_octect_attr_by_name( inMsg->attrs, "senderNonce", &len); if( tmp ) { if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] %d\n", __FILE__, __LINE__, tmp); SCEP_set_recipientNonce( msg, tmp, len ); OPENSSL_free( tmp ); } if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] set sender nonce\n", __FILE__, __LINE__); SCEP_set_senderNonce_new(msg); if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] set pki_status\n", __FILE__, __LINE__); SCEP_set_pkiStatus ( msg, PKI_PENDING ); if (debug) { BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } } else { if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] generate new data\n", __FILE__, __LINE__); SCEP_set_senderNonce_new ( msg ); SCEP_set_recipientNonce_new ( msg ); SCEP_set_transId_new ( msg ); if (debug) BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__); } if (debug) PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey ); return (msg); err: ERR_print_errors_fp(stderr); return(NULL); }