main3()
{
FILE *in;
unsigned char buf[10240],buf2[10240],*p;
int num,i;
X509_REQ *nx=NULL,*mx=NULL;
in=fopen("req.der","r");
if (in == NULL)
{
perror("req.der");
exit(1);
}
num=fread(buf,1,10240,in);
fclose(in);
p=buf;
if (d2i_X509_REQ(&nx,&p,num) == NULL) goto err;
printf("num=%d p-buf=%d\n",num,p-buf);
p=buf2;
num=i2d_X509_REQ(nx,&p);
printf("num=%d p-buf=%d\n",num,p-buf2);
if (memcmp(buf,buf2,num) != 0)
{
fprintf(stderr,"data difference\n");
for (i=0; i<num; i++)
fprintf(stderr,"%c%03d <%02X-%02X>\n",
(buf[i] == buf2[i])?' ':'*',i,
buf[i],buf2[i]);
fprintf(stderr,"\n");
exit(1);
}
return(1);
err:
ERR_load_crypto_strings();
ERR_print_errors(stderr);
return(0);
}
unsigned long OPF_SM2SignCSR(OPT_HCONTAINER hContainer,
const unsigned char *pbCSR, unsigned long ulCSR,unsigned long ulAlg,
unsigned char * pbCSRSigned, unsigned long * pulCSRSignedLen)
{
unsigned long rv = -1;
X509_REQ * req = NULL;
unsigned char sig_value[BUFFER_LEN_1K] = {0};
unsigned long sig_len = BUFFER_LEN_1K;
unsigned long encode_len = BUFFER_LEN_1K;
unsigned char encode_value[BUFFER_LEN_1K] = {0};
unsigned char reg_info_value[BUFFER_LEN_1K * 4] = {0};
unsigned long reg_info_len = BUFFER_LEN_1K * 4;
const unsigned char * ptr_in = NULL;
unsigned char * ptr_out = NULL;
ptr_in = pbCSR;
req = d2i_X509_REQ(NULL, &ptr_in, ulCSR);
if (NULL == req)
{
goto err;
}
ptr_out = reg_info_value;
reg_info_len = i2d_X509_REQ_INFO(req->req_info, &ptr_out);
// sign req
rv = PKCS11_SM2SignMSG(hContainer, reg_info_value,reg_info_len,ulAlg, sig_value, &sig_len);
if(rv)
{
goto err;
}
rv = SM2SignAsn1Convert(sig_value,SM2_BYTES_LEN, sig_value + SM2_BYTES_LEN,SM2_BYTES_LEN, encode_value, &encode_len);
FILE_LOG_STRING(file_log_name, "rv");
FILE_LOG_NUMBER(file_log_name, rv);
FILE_LOG_STRING(file_log_name, "encode_value");
FILE_LOG_HEX(file_log_name, encode_value, encode_len);
if (rv)
{
goto err;
}
ASN1_BIT_STRING_set(req->signature,encode_value, encode_len);
req->signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
req->signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
ptr_out = pbCSRSigned;
*pulCSRSignedLen = i2d_X509_REQ(req, &ptr_out);
rv = 0;
err:
if(req)
{
X509_REQ_free(req);
}
return rv;
}
int openssl_x509_cert()
{
BIO *b;
FILE *fp;
RSA *rsa;
EVP_PKEY *pkey;
X509_NAME *name;
const EVP_MD *md;
X509_REQ *req, **req2;
X509_NAME_ENTRY *entry;
unsigned int len;
char bytes[COMM_LEN];
const unsigned char *pp;
unsigned char *p, *der, *mdout, buf[MAX1_LEN];
OpenSSL_add_all_algorithms();
printf("\nX509_Cert info:\n");
return -1;
req = X509_REQ_new();
X509_REQ_set_version(req, 1);
name = X509_NAME_new();
strcpy(bytes, "beike");
entry = X509_NAME_ENTRY_create_by_txt(&entry, "commonName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
X509_NAME_add_entry(name, entry, 0, -1);
strcpy(bytes, "BEIJING");
entry = X509_NAME_ENTRY_create_by_txt(&entry, "countryName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
X509_NAME_add_entry(name, entry, 1, -1);
X509_REQ_set_subject_name(req, name);
pkey = EVP_PKEY_new();
rsa = RSA_generate_key(LINE_LEN, RSA_3, NULL, NULL);
EVP_PKEY_assign_RSA(pkey, rsa);
X509_REQ_set_pubkey(req, pkey);
strcpy(bytes, "USTB");
X509_REQ_add1_attr_by_txt(req, "organizationName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
strcpy(bytes, "TECH");
X509_REQ_add1_attr_by_txt(req, "organizationalUnitName",
V_ASN1_UTF8STRING, (unsigned char *)bytes, strlen(bytes));
md = EVP_sha1();
X509_REQ_digest(req, md, mdout, &len);
X509_REQ_sign(req, pkey, md);
b = BIO_new_file("/tmp/certreq.txt", "w");
PEM_write_bio_X509_REQ(b, req);
BIO_free(b);
len = i2d_X509_REQ(req, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_X509_REQ(req, &p);
X509_REQ_verify(req, pkey);
fp = fopen("/tmp/certder.txt", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
X509_REQ_free(req);
b = BIO_new_file("/tmp/certreq.txt", "r");
PEM_read_bio_X509_REQ(b, NULL, NULL, NULL);
fp = fopen("/tmp/certder.txt", "r");
len = fread(buf, 1, MAX1_LEN, fp);
fclose(fp);
pp = buf;
req2 = (X509_REQ **) malloc(sizeof(X509_REQ *));
d2i_X509_REQ(req2, &pp, len);
free(req2);
X509_REQ_free(*req2);
return 0;
}
/* Creates an X509 certificate from a certificate request. */
EXPORT int IssueUserCertificate(unsigned char *certbuf, int *certlen, unsigned char *reqbuf, int reqlen)
{
X509_REQ *req = NULL;
EVP_PKEY *cakey = NULL, *rakey = NULL, *usrkey = NULL;
X509 *cacert = NULL, *racert = NULL, *usrcert = NULL;
X509_NAME *subject = NULL, *issuer = NULL;
unsigned char *p = NULL;
int ret = OPENSSLCA_NO_ERR, len;
if (certbuf == NULL || certlen == NULL || reqbuf == NULL || reqlen == 0)
return OPENSSLCA_ERR_ARGS;
/* Decode request */
if ((req = X509_REQ_new()) == NULL) {
ret = OPENSSLCA_ERR_REQ_NEW;
goto err;
}
p = reqbuf;
if (d2i_X509_REQ(&req, &p, reqlen) == NULL) {
ret = OPENSSLCA_ERR_REQ_DECODE;
goto err;
}
/* Get public key from request */
if ((usrkey = X509_REQ_get_pubkey(req)) == NULL) {
ret = OPENSSLCA_ERR_REQ_GET_PUBKEY;
goto err;
}
if (caIni.verifyRequests) {
/* Get RA's public key */
/* TODO: Validate RA certificate */
ret = read_cert(&racert, CA_PATH(caIni.raCertFile));
if (ret != OPENSSLCA_NO_ERR)
goto err;
if ((rakey = X509_get_pubkey(racert)) == NULL) {
ret = OPENSSLCA_ERR_CERT_GET_PUBKEY;
goto err;
}
/* Verify signature on request */
if (X509_REQ_verify(req, rakey) != 1) {
ret = OPENSSLCA_ERR_REQ_VERIFY;
goto err;
}
}
/* Get CA certificate */
/* TODO: Validate CA certificate */
ret = read_cert(&cacert, CA_PATH(caIni.caCertFile));
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Get CA private key */
ret = read_key(&cakey, CA_PATH(caIni.caKeyFile), caIni.caKeyPasswd);
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Create user certificate */
if ((usrcert = X509_new()) == NULL)
return OPENSSLCA_ERR_CERT_NEW;
/* Set version and serial number for certificate */
if (X509_set_version(usrcert, 2) != 1) { /* V3 */
ret = OPENSSLCA_ERR_CERT_SET_VERSION;
goto err;
}
if (ASN1_INTEGER_set(X509_get_serialNumber(usrcert), get_serial()) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_SERIAL;
goto err;
}
/* Set duration for certificate */
if (X509_gmtime_adj(X509_get_notBefore(usrcert), 0) == NULL) {
ret = OPENSSLCA_ERR_CERT_SET_NOTBEFORE;
goto err;
}
if (X509_gmtime_adj(X509_get_notAfter(usrcert), EXPIRE_SECS(caIni.daysTillExpire)) == NULL) {
ret = OPENSSLCA_ERR_CERT_SET_NOTAFTER;
goto err;
}
/* Set public key */
if (X509_set_pubkey(usrcert, usrkey) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_PUBKEY;
goto err;
}
/* Set subject name */
subject = X509_REQ_get_subject_name(req);
if (subject == NULL) {
ret = OPENSSLCA_ERR_REQ_GET_SUBJECT;
goto err;
}
if (X509_set_subject_name(usrcert, subject) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_SUBJECT;
goto err;
}
/* Set issuer name */
issuer = X509_get_issuer_name(cacert);
if (issuer == NULL) {
ret = OPENSSLCA_ERR_CERT_GET_ISSUER;
goto err;
}
if (X509_set_issuer_name(usrcert, issuer) != 1) {
ret = OPENSSLCA_ERR_CERT_SET_ISSUER;
goto err;
}
/* Add extensions */
ret = add_ext(cacert, usrcert);
if (ret != OPENSSLCA_NO_ERR)
goto err;
/* Sign user certificate with CA's private key */
if (!X509_sign(usrcert, cakey, EVP_sha1()))
return OPENSSLCA_ERR_CERT_SIGN;
if (caIni.verifyAfterSign) {
if (X509_verify(usrcert, cakey) != 1) {
ret = OPENSSLCA_ERR_CERT_VERIFY;
goto err;
}
}
#ifdef _DEBUG /* Output certificate in DER and PEM format */
{
FILE *fp = fopen(DBG_PATH("usrcert.der"), "wb");
if (fp != NULL) {
i2d_X509_fp(fp, usrcert);
fclose(fp);
}
fp = fopen(DBG_PATH("usrcert.pem"), "w");
if (fp != NULL) {
X509_print_fp(fp, usrcert);
PEM_write_X509(fp, usrcert);
fclose(fp);
}
}
#endif
/* Encode user certificate into DER format */
len = i2d_X509(usrcert, NULL);
if (len < 0) {
ret = OPENSSLCA_ERR_CERT_ENCODE;
goto err;
}
if (len > *certlen) {
ret = OPENSSLCA_ERR_BUF_TOO_SMALL;
goto err;
}
*certlen = len;
p = certbuf;
i2d_X509(usrcert, &p);
if (caIni.addToIndex)
add_to_index(usrcert);
if (caIni.addToNewCerts)
write_cert(usrcert);
err:
print_err("IssueUserCertificate()", ret);
/* Clean up */
if (cacert)
X509_free(cacert);
if (cakey)
EVP_PKEY_free(cakey);
if (racert)
X509_free(racert);
if (rakey)
EVP_PKEY_free(rakey);
if (req)
X509_REQ_free(req);
if (usrcert != NULL)
X509_free(usrcert);
if (usrkey)
EVP_PKEY_free(usrkey);
return ret;
}
inline certificate_request certificate_request::from_der(const void* buf, size_t buf_len)
{
const unsigned char* pbuf = static_cast<const unsigned char*>(buf);
return take_ownership(d2i_X509_REQ(NULL, &pbuf, static_cast<long>(buf_len)));
}
