int main(){
PKCS7 *p7;
int len;
unsigned char *der,*p;
FILE *fp;
X509 *x;
BIO *in;
X509_ALGOR *md;
PKCS7_SIGNER_INFO *si;
p7=PKCS7_new();
PKCS7_set_type(p7,NID_pkcs7_signed);
p7->d.sign->cert=sk_X509_new_null();
in=BIO_new_file("b64cert.cer","r");
x=PEM_read_bio_X509(in,NULL,NULL,NULL);
sk_X509_push(p7->d.sign->cert,x);
md=X509_ALGOR_new();
md->algorithm=OBJ_nid2obj(NID_md5);
sk_X509_ALGOR_push(p7->d.sign->md_algs,md);
si=PKCS7_SIGNER_INFO_new();
ASN1_INTEGER_set(si->version,2);
ASN1_INTEGER_set(si->issuer_and_serial->serial,333);
sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info,si);
len=i2d_PKCS7(p7,NULL);
der=(unsigned char *)malloc(len);
p=der;
len=i2d_PKCS7(p7,&p);
fp=fopen("p7_sign.cer","wb");
fwrite(der,1,len,fp);
fclose(fp);
free(der);
PKCS7_free(p7);
return 0;
}
int main(){
PKCS7 *p7;
int ret,len;
char *der,*p;
FILE *fp;
p7 = PKCS7_new();
ret=PKCS7_set_type(p7,NID_pkcs7_encrypted);
ASN1_INTEGER_set(p7->d.encrypted->version,3);
p7->d.encrypted->enc_data->algorithm->algorithm=OBJ_nid2obj(NID_des_ede3_cbc);
p7->d.encrypted->enc_data->enc_data=ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data,(const
unsigned char *)"3434",4);
len=i2d_PKCS7(p7,NULL);
der=(char *)malloc(len);
p=der;
len=i2d_PKCS7(p7,(unsigned char **)&p);
fp=fopen("p7_enc.cer","wb");
fwrite(der,1,len,fp);
fclose(fp);
PKCS7_free(p7);
free(der);
return 0;
}
void openssl_pkcs7_encrypt()
{
BIO *b;
int len;
FILE *fp;
PKCS7 *p7;
unsigned char *der, *p;
const unsigned char edata[COMM_LEN] = "pkcs7 encrypt";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_encrypted);
ASN1_INTEGER_set(p7->d.encrypted->version, 3);
p7->d.encrypted->enc_data->algorithm->algorithm =
OBJ_nid2obj(NID_des_ede3_cbc);
p7->d.encrypted->enc_data->enc_data = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data, edata, 14);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
PKCS7_free(p7);
free(der);
b = BIO_new_file("/tmp/test.pem", "r");
p7 = PEM_read_bio_PKCS7(b, NULL, NULL, NULL);
BIO_free(b);
PKCS7_free(p7);
}
void openssl_pkcs7_sign()
{
int len;
BIO *in;
X509 *x;
FILE *fp;
PKCS7 *p7;
X509_ALGOR *md;
PKCS7_SIGNER_INFO *si;
char name[MAX1_LEN], tmp[MAX1_LEN];
unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 sign";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_data);
ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
PKCS7_free(p7);
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
p7->d.sign->cert = sk_X509_new_null();
in = BIO_new_file("/tmp/test.cer", "r");
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
sk_X509_push(p7->d.sign->cert, x);
BIO_free(in);
md = X509_ALGOR_new();
md->algorithm = OBJ_nid2obj(NID_md5);
sk_X509_ALGOR_push(p7->d.sign->md_algs, md);
si = PKCS7_SIGNER_INFO_new();
ASN1_INTEGER_set(si->version, 2);
ASN1_INTEGER_set(si->issuer_and_serial->serial, 333);
sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info, si);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
fp = fopen("/tmp/test.cer", "rb");
len = fread(tmp, 1, MAX1_LEN, fp);
fclose(fp);
p = (unsigned char *)&tmp;
d2i_PKCS7(&p7, (const unsigned char **)&p, len);
OBJ_obj2txt(name, MAX1_LEN, p7->type, 0);
PKCS7_free(p7);
}
void openssl_pkcs7_enveloped()
{
int len;
FILE *fp;
PKCS7 *p7;
PKCS7_RECIP_INFO *inf;
unsigned char *der, *p;
const unsigned char edata[COMM_LEN] = "info....";
const unsigned char ekeys[COMM_LEN] = "key info....";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_enveloped);
ASN1_INTEGER_set(p7->d.enveloped->version, 3);
inf = PKCS7_RECIP_INFO_new();
ASN1_INTEGER_set(inf->version, 4);
ASN1_INTEGER_set(inf->issuer_and_serial->serial, 888888);
inf->key_enc_algor->algorithm = OBJ_nid2obj(NID_des_ede3_cbc);
ASN1_OCTET_STRING_set(inf->enc_key, ekeys, 12);
sk_PKCS7_RECIP_INFO_push(p7->d.enveloped->recipientinfo, inf);
p7->d.enveloped->enc_data->algorithm->algorithm =
OBJ_nid2obj(NID_des_ede3_cbc);
p7->d.enveloped->enc_data->enc_data = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set(p7->d.enveloped->enc_data->enc_data, edata, 8);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
PKCS7_free(p7);
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/testEnv.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
PKCS7_free(p7);
free(der);
}
// Verify the signed block, the first 32 bytes of the data must be the certificate hash to work.
int __fastcall util_verify(char* signature, int signlen, struct util_cert* cert, char** data)
{
unsigned int size, r;
BIO *out = NULL;
PKCS7 *message = NULL;
char* data2 = NULL;
char hash[UTIL_HASHSIZE];
STACK_OF(X509) *st = NULL;
cert->x509 = NULL;
cert->pkey = NULL;
*data = NULL;
message = d2i_PKCS7(NULL, (const unsigned char**)&signature, signlen);
if (message == NULL) goto error;
out = BIO_new(BIO_s_mem());
// Lets rebuild the original message and check the size
size = i2d_PKCS7(message, NULL);
if (size < (unsigned int)signlen) goto error;
// Check the PKCS7 signature, but not the certificate chain.
r = PKCS7_verify(message, NULL, NULL, NULL, out, PKCS7_NOVERIFY);
if (r == 0) goto error;
// If data block contains less than 32 bytes, fail.
size = BIO_get_mem_data(out, &data2);
if (size <= UTIL_HASHSIZE) goto error;
// Copy the data block
*data = (char*)malloc(size + 1);
if (*data == NULL) goto error;
memcpy(*data, data2, size);
(*data)[size] = 0;
// Get the certificate signer
st = PKCS7_get0_signers(message, NULL, PKCS7_NOVERIFY);
cert->x509 = X509_dup(sk_X509_value(st, 0));
sk_X509_free(st);
// Get a full certificate hash of the signer
r = UTIL_HASHSIZE;
X509_digest(cert->x509, EVP_sha256(), (unsigned char*)hash, &r);
// Check certificate hash with first 32 bytes of data.
if (memcmp(hash, *data, UTIL_HASHSIZE) != 0) goto error;
// Approved, cleanup and return.
BIO_free(out);
PKCS7_free(message);
return size;
error:
if (out != NULL) BIO_free(out);
if (message != NULL) PKCS7_free(message);
if (*data != NULL) free(*data);
if (cert->x509 != NULL) { X509_free(cert->x509); cert->x509 = NULL; }
return 0;
}
static VALUE
ossl_pkcs7_to_der(VALUE self)
{
PKCS7 *pkcs7;
VALUE str;
long len;
unsigned char *p;
GetPKCS7(self, pkcs7);
if((len = i2d_PKCS7(pkcs7, NULL)) <= 0)
ossl_raise(ePKCS7Error, NULL);
str = rb_str_new(0, len);
p = (unsigned char *)RSTRING_PTR(str);
if(i2d_PKCS7(pkcs7, &p) <= 0)
ossl_raise(ePKCS7Error, NULL);
ossl_str_adjust(str, p);
return str;
}
static VALUE
ossl_pkcs7_to_der(VALUE self)
{
PKCS7 *pkcs7;
long len;
unsigned char *p, *data;
GetPKCS7(self, pkcs7);
if((len = i2d_PKCS7(pkcs7, NULL)) <= 0)
ossl_raise(ePKCS7Error, NULL);
data = p = (unsigned char *)xmalloc(sizeof(char) * len);
if(i2d_PKCS7(pkcs7, &p) <= 0)
ossl_raise(ePKCS7Error, NULL);
VALUE str = rb_str_new((char*)data, len);
xfree(data);
return str;
}
void openssl_pkcs7_msg()
{
int len;
FILE *fp;
PKCS7 *p7;
unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 msg";
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_data);
ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH);
len = i2d_PKCS7(p7, NULL);
der = (unsigned char *)malloc(len);
p = der;
len = i2d_PKCS7(p7, &p);
fp = fopen("/tmp/test.cer", "wb");
fwrite(der, 1, len, fp);
fclose(fp);
free(der);
PKCS7_free(p7);
}
// Sign this block of data, the first 32 bytes of the block must be avaialble to add the certificate hash.
int __fastcall util_sign(struct util_cert cert, char* data, int datalen, char** signature)
{
int size = 0;
unsigned int hashsize = UTIL_HASHSIZE;
BIO *in = NULL;
PKCS7 *message = NULL;
*signature = NULL;
if (datalen <= UTIL_HASHSIZE) return 0;
// Add hash of the certificate to start of data
X509_digest(cert.x509, EVP_sha256(), (unsigned char*)data, &hashsize);
// Sign the block
in = BIO_new_mem_buf(data, datalen);
message = PKCS7_sign(cert.x509, cert.pkey, NULL, in, PKCS7_BINARY);
if (message == NULL) goto error;
size = i2d_PKCS7(message, (unsigned char**)signature);
error:
if (message != NULL) PKCS7_free(message);
if (in != NULL) BIO_free(in);
return size;
}
// Encrypt a block of data for a target certificate
int __fastcall util_encrypt(struct util_cert cert, char* data, int datalen, char** encdata)
{
int size = 0;
BIO *in = NULL;
PKCS7 *message = NULL;
STACK_OF(X509) *encerts = NULL;
*encdata = NULL;
if (datalen == 0) return 0;
// Setup certificates
encerts = sk_X509_new_null();
sk_X509_push(encerts, cert.x509);
// Encrypt the block
*encdata = NULL;
in = BIO_new_mem_buf(data, datalen);
message = PKCS7_encrypt(encerts, in, EVP_aes_128_cbc(), PKCS7_BINARY);
if (message == NULL) return 0;
size = i2d_PKCS7(message, (unsigned char**)encdata);
BIO_free(in);
PKCS7_free(message);
sk_X509_free(encerts);
return size;
}
extern "C" int32_t CryptoNative_GetPkcs7DerSize(PKCS7* p7)
{
return i2d_PKCS7(p7, nullptr);
}
int main(int argc, char **argv)
{
const char *keyfilename, *certfilename;
struct sign_context *ctx;
uint8_t *buf, *tmp;
int rc, c, sigsize;
ctx = talloc_zero(NULL, struct sign_context);
keyfilename = NULL;
certfilename = NULL;
for (;;) {
int idx;
c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
if (c == -1)
break;
switch (c) {
case 'o':
ctx->outfilename = talloc_strdup(ctx, optarg);
break;
case 'c':
certfilename = optarg;
break;
case 'k':
keyfilename = optarg;
break;
case 'd':
ctx->detached = 1;
break;
case 'v':
ctx->verbose = 1;
break;
case 'V':
version();
return EXIT_SUCCESS;
case 'h':
usage();
return EXIT_SUCCESS;
}
}
if (argc != optind + 1) {
usage();
return EXIT_FAILURE;
}
ctx->infilename = argv[optind];
if (!ctx->outfilename)
set_default_outfilename(ctx);
if (!certfilename) {
fprintf(stderr,
"error: No certificate specified (with --cert)\n");
usage();
return EXIT_FAILURE;
}
if (!keyfilename) {
fprintf(stderr,
"error: No key specified (with --key)\n");
usage();
return EXIT_FAILURE;
}
ctx->image = image_load(ctx->infilename);
if (!ctx->image)
return EXIT_FAILURE;
_talloc_steal(ctx, ctx->image);
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
EVP_PKEY *pkey = fileio_read_pkey(keyfilename);
if (!pkey)
return EXIT_FAILURE;
X509 *cert = fileio_read_cert(certfilename);
if (!cert)
return EXIT_FAILURE;
const EVP_MD *md = EVP_get_digestbyname("SHA256");
/* set up the PKCS7 object */
PKCS7 *p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_SIGNER_INFO *si = PKCS7_sign_add_signer(p7, cert,
pkey, md, PKCS7_BINARY);
if (!si) {
fprintf(stderr, "error in key/certificate chain\n");
ERR_print_errors_fp(stderr);
return EXIT_FAILURE;
}
PKCS7_content_new(p7, NID_pkcs7_data);
rc = IDC_set(p7, si, ctx->image);
if (rc)
return EXIT_FAILURE;
sigsize = i2d_PKCS7(p7, NULL);
tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
i2d_PKCS7(p7, &tmp);
ERR_print_errors_fp(stdout);
image_add_signature(ctx->image, buf, sigsize);
if (ctx->detached)
image_write_detached(ctx->image, ctx->outfilename);
else
image_write(ctx->image, ctx->outfilename);
talloc_free(ctx);
return EXIT_SUCCESS;
}
// Write signed variable
EFI_STATUS SetSignedVariable(IN CHAR16 *DatabaseName,
IN EFI_GUID *DatabaseGuid,
IN UINT32 Attributes,
IN VOID *Database,
IN UINTN DatabaseSize)
{
EFI_STATUS Status;
EFI_VARIABLE_AUTHENTICATION_2 *Authentication;
UINTN Size, NameLen;
UINTN DataSize = 0;
EFI_TIME Timestamp;
VOID *Data = NULL;
BIO *BioData = NULL;
PKCS7 *p7;
X509 *Certificate = NULL;
EVP_PKEY *PrivateKey = NULL;
const EVP_MD *md;
// Check parameters
if ((DatabaseName == NULL) || (DatabaseGuid == NULL)) {
return EFI_INVALID_PARAMETER;
}
DBG("Setting secure variable: %g %s 0x%X (0x%X)\n", DatabaseGuid, DatabaseName, Database, DatabaseSize);
NameLen = StrLen(DatabaseName);
if (NameLen == 0) {
return EFI_INVALID_PARAMETER;
}
// Get the current time
DBG("Getting timestamp ...\n");
Status = GetUTCTime(&Timestamp);
if (EFI_ERROR(Status)) {
return Status;
}
DBG("Timestamp: %t\n", Timestamp);
// In user mode we need to sign the database with exchange key
if (!gSettings.SecureBootSetupMode) {
// Initialize the cyphers and digests
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
// Create signing certificate
BioData = BIO_new_mem_buf((void *)gSecureBootExchangeKey, sizeof(gSecureBootExchangeKey));
if (BioData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Certificate = PEM_read_bio_X509(BioData, NULL, NULL, NULL);
BIO_free(BioData);
if (Certificate == NULL) {
return EFI_OUT_OF_RESOURCES;
}
// Create signing private key
BioData = BIO_new_mem_buf((void *)gSecureBootExchangePrivateKey, sizeof(gSecureBootExchangePrivateKey));
if (BioData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
PrivateKey = PEM_read_bio_PrivateKey(BioData, NULL, NULL, NULL);
BIO_free(BioData);
if (PrivateKey == NULL) {
X509_free(Certificate);
return EFI_OUT_OF_RESOURCES;
}
// Do the actual signing process
BioData = BIO_new(BIO_s_mem());
BIO_write(BioData, DatabaseName, (int)StrLen(DatabaseName));
BIO_write(BioData, DatabaseGuid, sizeof(EFI_GUID));
BIO_write(BioData, &Attributes, sizeof(UINT32));
BIO_write(BioData, &Timestamp, sizeof(EFI_TIME));
BIO_write(BioData, Database, (int)DatabaseSize);
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_sign_add_signer(p7, Certificate, PrivateKey, md, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP);
PKCS7_set_detached(p7, 1);
PKCS7_final(p7, BioData, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP);
X509_free(Certificate);
EVP_PKEY_free(PrivateKey);
DataSize = i2d_PKCS7(p7, NULL);
Data = AllocateZeroPool(DataSize);
i2d_PKCS7(p7, (unsigned char **)&Data);
PKCS7_free(p7);
// Set the authentication buffer size
Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize;
} else {
// In setup mode we don't need to sign, so just set the database
DBG("In setup mode, not signing ...\n");
Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DatabaseSize;
}
// Create the authentication buffer
DBG("Creating authentication ...\n");
Authentication = (EFI_VARIABLE_AUTHENTICATION_2 *)AllocateZeroPool(Size);
if (Authentication == NULL) {
if (Data != NULL) {
FreePool(Data);
}
return EFI_OUT_OF_RESOURCES;
}
// Set the certificate elements
CopyMem(&(Authentication->TimeStamp), &Timestamp, sizeof(EFI_TIME));
Authentication->AuthInfo.Hdr.dwLength = (UINT32)(sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize);
Authentication->AuthInfo.Hdr.wRevision = 0x0200;
Authentication->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
CopyMem(&(Authentication->AuthInfo.CertType), &gEfiCertPkcs7Guid, sizeof(EFI_GUID));
// Copy the data into the authentication
if (Data != NULL) {
CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Data, DataSize);
FreePool(Data);
} else {
CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Database, DatabaseSize); //Payload, PayloadSize);
}
DBG("Writing secure variable 0x%X (0x%X) ...\n", Authentication, Size);
// Write the database variable
Status = gRT->SetVariable(DatabaseName, DatabaseGuid, SET_DATABASE_ATTRIBUTES, Size, Authentication);
// Cleanup the authentication buffer
FreePool(Authentication);
return Status;
}
int create_envelope(PluginInstance *inst, u8 **data, int *datalen)
{
int r;
PKCS7 *p7 = NULL;
X509 *x509 = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_PKEY *pkey = NULL;
BIO *in = NULL, *p7bio = NULL;
u8 *buf;
r = extract_certificate_and_pkey(inst, &x509, &pkey);
if (r)
goto err;
p7 = PKCS7_new();
if (p7 == NULL) {
r = -1;
goto err;
}
r = PKCS7_set_type(p7, NID_pkcs7_signed);
if (r != 1) {
r = -1;
goto err;
}
EVP_add_digest(EVP_sha1());
si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
if (si == NULL) {
r = -1;
goto err;
}
PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data));
r = PKCS7_add_certificate(p7, x509);
if (r != 1) {
printf("PKCS7_add_certificate failed.\n");
goto err;
}
PKCS7_content_new(p7, NID_pkcs7_data);
p7bio = PKCS7_dataInit(p7, NULL);
if (p7bio == NULL) {
r = -1;
goto err;
}
in = BIO_new_mem_buf(inst->signdata, inst->signdata_len);
if (in == NULL) {
r = -1;
goto err;
}
for (;;) {
char lbuf[1024];
int i = BIO_read(in, lbuf, sizeof(lbuf));
if (i <= 0)
break;
BIO_write(p7bio, lbuf, i);
}
if (!PKCS7_dataFinal(p7, p7bio)) {
r = -1;
goto err;
}
/* FIXME: remove this */
r = i2d_PKCS7(p7, NULL);
if (r <= 0) {
r = -1;
goto err;
}
buf = (u8 *) malloc(r);
if (buf == NULL)
goto err;
*data = buf;
r = i2d_PKCS7(p7, &buf);
*datalen = r;
if (r <= 0) {
free(buf);
r = -1;
goto err;
}
r = 0;
err:
if (p7)
PKCS7_free(p7);
if (in)
BIO_free(in);
if (p7bio)
BIO_free(p7bio);
#if 0
if (si)
PKCS7_SIGNER_INFO_free(si);
#endif
if (pkey)
EVP_PKEY_free(pkey);
if (x509)
X509_free(x509);
if (r) {
#if 0
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
#endif
}
return r;
}
static int add_auth_descriptor(varsign_context *ctx, unsigned char dont_sign)
{
EFI_VARIABLE_AUTHENTICATION_2 *auth;
int rc=0, len=0, flags=0;
EFI_TIME timestamp;
const EVP_MD *md;
BIO *data_bio = NULL;
PKCS7 *p7;
UINT8 *signpkg;
if (set_timestamp(×tamp))
return -1;
/* create a BIO for our variable data, containing:
* * Variablename (not including trailing nul)
* * VendorGUID
* * Attributes
* * TimeStamp
* * Data
*/
if (dont_sign == 0)
{
data_bio = BIO_new(BIO_s_mem());
BIO_write(data_bio, ctx->var_name, ctx->var_name_bytes);
BIO_write(data_bio, &ctx->var_guid, sizeof(ctx->var_guid));
BIO_write(data_bio, &ctx->var_attrs, sizeof(ctx->var_attrs));
BIO_write(data_bio, ×tamp, sizeof(timestamp));
BIO_write(data_bio, ctx->data, ctx->data_len);
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;;
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_sign_add_signer(p7, ctx->cert, ctx->key, md, flags);
PKCS7_set_detached(p7, 1);
rc = PKCS7_final(p7, data_bio, flags);
if (!rc) {
fprintf(stderr, "Error signing variable data\n");
ERR_print_errors_fp(stderr);
BIO_free_all(data_bio);
return -1;
}
len = i2d_PKCS7(p7, NULL);
} else {
len = 0;
}
/* set up our auth descriptor */
auth = talloc_size(ctx, len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData));
auth->TimeStamp = timestamp;
auth->AuthInfo.Hdr.dwLength = len + offsetof (WIN_CERTIFICATE_UEFI_GUID, CertData);
auth->AuthInfo.Hdr.wRevision = 0x0200;
auth->AuthInfo.Hdr.wCertificateType = 0x0EF1;
auth->AuthInfo.CertType = cert_pkcs7_guid;
if (dont_sign == 0)
{
signpkg = auth->AuthInfo.CertData;
i2d_PKCS7(p7, &signpkg);
}
ctx->auth_descriptor = auth;
ctx->auth_descriptor_len = len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData);
BIO_free_all(data_bio);
return 0;
}
int32_t CryptoNative_GetPkcs7DerSize(PKCS7* p7)
{
return i2d_PKCS7(p7, NULL);
}
int32_t CryptoNative_EncodePkcs7(PKCS7* p7, uint8_t* buf)
{
return i2d_PKCS7(p7, &buf);
}
int main(int argc, char* argv[])
{
PKCS7 *p7, *innerp7;
FILE *fp = NULL;
EVP_PKEY *pkey = NULL;
PKCS7_SIGNER_INFO *p7i;
PKCS7_RECIP_INFO *pri;
BIO *mybio, *inbio;
X509 *user;
X509_ALGOR *md;
int ret, len;
unsigned char data[2048], *p, *buf;
unsigned char* greet = "hello openssl";
unsigned long errorno;
unsigned char* errordesc;
OpenSSL_add_all_algorithms(); //必须要显式进行调用
inbio = BIO_new(BIO_s_mem());
ret = BIO_write(inbio, greet, strlen(greet));
p7 = PKCS7_new();
ret = PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
//加载用户证书
fp = fopen("mycert4p12.cer", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
user = d2i_X509(NULL, (const unsigned char**)&p, len);
ret = PKCS7_add_certificate(p7, user);
pri = PKCS7_add_recipient(p7, user);
//读取私钥
fp = fopen("myprivkey.pem", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len);
//第一个用户增加SignerInfo到列表中
p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5());
//加载用户证书
fp = fopen("user2.cer", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
user = d2i_X509(NULL, (const unsigned char**)&p, len);
ret = PKCS7_add_certificate(p7, user);
pri = PKCS7_add_recipient(p7, user);
//读取私钥
fp = fopen("user2_privatekey.pem", "rb");
if(fp == NULL) return 0;
len = fread(data, 1, 1024, fp);
fclose(fp);
p = data;
pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len);
//第二个签名者增加到SignerInfo列表中
p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5());
ret = PKCS7_set_cipher(p7, EVP_des_ede3_cbc());
ret = PKCS7_final(p7, inbio, 0); //制作数字信封
len = i2d_PKCS7(p7, NULL);
p = buf = malloc(len);
len = i2d_PKCS7(p7, &p);
printf("in i2d len = %d\n", len);
fp = fopen("p7signandenv.cer", "wb");
fwrite(buf, len, 1, fp);
fclose(fp);
PKCS7_free(p7);
}
char * PKCS7_GetSign(char*certFile,char* pwd, char* plainText,int flag)
{
//取PKCS12對象
FILE* fp;
if (!(fp = fopen(certFile, "rb")))
{
fprintf(stderr, "Error opening file %s\n", certFile);
return NULL;
}
PKCS12 *p12= d2i_PKCS12_fp(fp, NULL);
fclose (fp);
if (!p12) {
fprintf(stderr, "Error reading PKCS#12 file\n");
ERR_print_errors_fp(stderr);
return NULL;
}
//取pkey對象、X509證書、證書鏈
EVP_PKEY *pkey=NULL;
X509 *x509=NULL;
STACK_OF(X509) *ca = NULL;
if (!PKCS12_parse(p12, pwd, &pkey, &x509, &ca)) {
fprintf(stderr, "Error parsing PKCS#12 file\n");
ERR_print_errors_fp(stderr);
return NULL;
}
PKCS12_free(p12);
//明文轉為BIO對象
//《vc++网络安全编程范例(14)-openssl bio编程 》 http://www.2cto.com/kf/201112/115018.html
BIO *bio = BIO_new(BIO_s_mem());
BIO_puts(bio,plainText);
//數字簽名
//PKCS7_NOCHAIN:签名中不包含证书链,第三个参数为NULL值的话,可不加这个FLAG标记
//PKCS7_NOSMIMECAP:签名不需要支持SMIME
PKCS7* pkcs7 = PKCS7_sign(x509,pkey, ca,bio, flag);
if(pkcs7==NULL)
{
ERR_print_errors_fp(stderr);
return NULL;
}
//共有两种编码,一种是ASN1,另一种是DER编码。
//取數據簽名(DER格式)
//openssl学习笔记之pkcs7-data内容类型的编码解码
//http://ipedo.i.sohu.com/blog/view/114822358.htm
//入口:pkcs7对象
//出口:der对象
unsigned char *der;
unsigned char *derTmp;
unsigned long derlen;
derlen = i2d_PKCS7(pkcs7,NULL);
der = (unsigned char *) malloc(derlen);
memset(der,0,derlen);
derTmp = der;
i2d_PKCS7(pkcs7,&derTmp);
//DER转BASE64
return base64(der,derlen);
}
