int main(){ PKCS7 *p7; int len; unsigned char *der,*p; FILE *fp; X509 *x; BIO *in; X509_ALGOR *md; PKCS7_SIGNER_INFO *si; p7=PKCS7_new(); PKCS7_set_type(p7,NID_pkcs7_signed); p7->d.sign->cert=sk_X509_new_null(); in=BIO_new_file("b64cert.cer","r"); x=PEM_read_bio_X509(in,NULL,NULL,NULL); sk_X509_push(p7->d.sign->cert,x); md=X509_ALGOR_new(); md->algorithm=OBJ_nid2obj(NID_md5); sk_X509_ALGOR_push(p7->d.sign->md_algs,md); si=PKCS7_SIGNER_INFO_new(); ASN1_INTEGER_set(si->version,2); ASN1_INTEGER_set(si->issuer_and_serial->serial,333); sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info,si); len=i2d_PKCS7(p7,NULL); der=(unsigned char *)malloc(len); p=der; len=i2d_PKCS7(p7,&p); fp=fopen("p7_sign.cer","wb"); fwrite(der,1,len,fp); fclose(fp); free(der); PKCS7_free(p7); return 0; }
int main(){ PKCS7 *p7; int ret,len; char *der,*p; FILE *fp; p7 = PKCS7_new(); ret=PKCS7_set_type(p7,NID_pkcs7_encrypted); ASN1_INTEGER_set(p7->d.encrypted->version,3); p7->d.encrypted->enc_data->algorithm->algorithm=OBJ_nid2obj(NID_des_ede3_cbc); p7->d.encrypted->enc_data->enc_data=ASN1_OCTET_STRING_new(); ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data,(const unsigned char *)"3434",4); len=i2d_PKCS7(p7,NULL); der=(char *)malloc(len); p=der; len=i2d_PKCS7(p7,(unsigned char **)&p); fp=fopen("p7_enc.cer","wb"); fwrite(der,1,len,fp); fclose(fp); PKCS7_free(p7); free(der); return 0; }
void openssl_pkcs7_encrypt() { BIO *b; int len; FILE *fp; PKCS7 *p7; unsigned char *der, *p; const unsigned char edata[COMM_LEN] = "pkcs7 encrypt"; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_encrypted); ASN1_INTEGER_set(p7->d.encrypted->version, 3); p7->d.encrypted->enc_data->algorithm->algorithm = OBJ_nid2obj(NID_des_ede3_cbc); p7->d.encrypted->enc_data->enc_data = ASN1_OCTET_STRING_new(); ASN1_OCTET_STRING_set(p7->d.encrypted->enc_data->enc_data, edata, 14); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); PKCS7_free(p7); free(der); b = BIO_new_file("/tmp/test.pem", "r"); p7 = PEM_read_bio_PKCS7(b, NULL, NULL, NULL); BIO_free(b); PKCS7_free(p7); }
void openssl_pkcs7_sign() { int len; BIO *in; X509 *x; FILE *fp; PKCS7 *p7; X509_ALGOR *md; PKCS7_SIGNER_INFO *si; char name[MAX1_LEN], tmp[MAX1_LEN]; unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 sign"; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_data); ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); PKCS7_free(p7); p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); p7->d.sign->cert = sk_X509_new_null(); in = BIO_new_file("/tmp/test.cer", "r"); x = PEM_read_bio_X509(in, NULL, NULL, NULL); sk_X509_push(p7->d.sign->cert, x); BIO_free(in); md = X509_ALGOR_new(); md->algorithm = OBJ_nid2obj(NID_md5); sk_X509_ALGOR_push(p7->d.sign->md_algs, md); si = PKCS7_SIGNER_INFO_new(); ASN1_INTEGER_set(si->version, 2); ASN1_INTEGER_set(si->issuer_and_serial->serial, 333); sk_PKCS7_SIGNER_INFO_push(p7->d.sign->signer_info, si); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); fp = fopen("/tmp/test.cer", "rb"); len = fread(tmp, 1, MAX1_LEN, fp); fclose(fp); p = (unsigned char *)&tmp; d2i_PKCS7(&p7, (const unsigned char **)&p, len); OBJ_obj2txt(name, MAX1_LEN, p7->type, 0); PKCS7_free(p7); }
void openssl_pkcs7_enveloped() { int len; FILE *fp; PKCS7 *p7; PKCS7_RECIP_INFO *inf; unsigned char *der, *p; const unsigned char edata[COMM_LEN] = "info...."; const unsigned char ekeys[COMM_LEN] = "key info...."; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_enveloped); ASN1_INTEGER_set(p7->d.enveloped->version, 3); inf = PKCS7_RECIP_INFO_new(); ASN1_INTEGER_set(inf->version, 4); ASN1_INTEGER_set(inf->issuer_and_serial->serial, 888888); inf->key_enc_algor->algorithm = OBJ_nid2obj(NID_des_ede3_cbc); ASN1_OCTET_STRING_set(inf->enc_key, ekeys, 12); sk_PKCS7_RECIP_INFO_push(p7->d.enveloped->recipientinfo, inf); p7->d.enveloped->enc_data->algorithm->algorithm = OBJ_nid2obj(NID_des_ede3_cbc); p7->d.enveloped->enc_data->enc_data = ASN1_OCTET_STRING_new(); ASN1_OCTET_STRING_set(p7->d.enveloped->enc_data->enc_data, edata, 8); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); PKCS7_free(p7); p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/testEnv.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); PKCS7_free(p7); free(der); }
// Verify the signed block, the first 32 bytes of the data must be the certificate hash to work. int __fastcall util_verify(char* signature, int signlen, struct util_cert* cert, char** data) { unsigned int size, r; BIO *out = NULL; PKCS7 *message = NULL; char* data2 = NULL; char hash[UTIL_HASHSIZE]; STACK_OF(X509) *st = NULL; cert->x509 = NULL; cert->pkey = NULL; *data = NULL; message = d2i_PKCS7(NULL, (const unsigned char**)&signature, signlen); if (message == NULL) goto error; out = BIO_new(BIO_s_mem()); // Lets rebuild the original message and check the size size = i2d_PKCS7(message, NULL); if (size < (unsigned int)signlen) goto error; // Check the PKCS7 signature, but not the certificate chain. r = PKCS7_verify(message, NULL, NULL, NULL, out, PKCS7_NOVERIFY); if (r == 0) goto error; // If data block contains less than 32 bytes, fail. size = BIO_get_mem_data(out, &data2); if (size <= UTIL_HASHSIZE) goto error; // Copy the data block *data = (char*)malloc(size + 1); if (*data == NULL) goto error; memcpy(*data, data2, size); (*data)[size] = 0; // Get the certificate signer st = PKCS7_get0_signers(message, NULL, PKCS7_NOVERIFY); cert->x509 = X509_dup(sk_X509_value(st, 0)); sk_X509_free(st); // Get a full certificate hash of the signer r = UTIL_HASHSIZE; X509_digest(cert->x509, EVP_sha256(), (unsigned char*)hash, &r); // Check certificate hash with first 32 bytes of data. if (memcmp(hash, *data, UTIL_HASHSIZE) != 0) goto error; // Approved, cleanup and return. BIO_free(out); PKCS7_free(message); return size; error: if (out != NULL) BIO_free(out); if (message != NULL) PKCS7_free(message); if (*data != NULL) free(*data); if (cert->x509 != NULL) { X509_free(cert->x509); cert->x509 = NULL; } return 0; }
static VALUE ossl_pkcs7_to_der(VALUE self) { PKCS7 *pkcs7; VALUE str; long len; unsigned char *p; GetPKCS7(self, pkcs7); if((len = i2d_PKCS7(pkcs7, NULL)) <= 0) ossl_raise(ePKCS7Error, NULL); str = rb_str_new(0, len); p = (unsigned char *)RSTRING_PTR(str); if(i2d_PKCS7(pkcs7, &p) <= 0) ossl_raise(ePKCS7Error, NULL); ossl_str_adjust(str, p); return str; }
static VALUE ossl_pkcs7_to_der(VALUE self) { PKCS7 *pkcs7; long len; unsigned char *p, *data; GetPKCS7(self, pkcs7); if((len = i2d_PKCS7(pkcs7, NULL)) <= 0) ossl_raise(ePKCS7Error, NULL); data = p = (unsigned char *)xmalloc(sizeof(char) * len); if(i2d_PKCS7(pkcs7, &p) <= 0) ossl_raise(ePKCS7Error, NULL); VALUE str = rb_str_new((char*)data, len); xfree(data); return str; }
void openssl_pkcs7_msg() { int len; FILE *fp; PKCS7 *p7; unsigned char *der, *p, buf[SHA_DIGEST_LENGTH] = "pkcs7 msg"; p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_data); ASN1_OCTET_STRING_set(p7->d.data, buf, SHA_DIGEST_LENGTH); len = i2d_PKCS7(p7, NULL); der = (unsigned char *)malloc(len); p = der; len = i2d_PKCS7(p7, &p); fp = fopen("/tmp/test.cer", "wb"); fwrite(der, 1, len, fp); fclose(fp); free(der); PKCS7_free(p7); }
// Sign this block of data, the first 32 bytes of the block must be avaialble to add the certificate hash. int __fastcall util_sign(struct util_cert cert, char* data, int datalen, char** signature) { int size = 0; unsigned int hashsize = UTIL_HASHSIZE; BIO *in = NULL; PKCS7 *message = NULL; *signature = NULL; if (datalen <= UTIL_HASHSIZE) return 0; // Add hash of the certificate to start of data X509_digest(cert.x509, EVP_sha256(), (unsigned char*)data, &hashsize); // Sign the block in = BIO_new_mem_buf(data, datalen); message = PKCS7_sign(cert.x509, cert.pkey, NULL, in, PKCS7_BINARY); if (message == NULL) goto error; size = i2d_PKCS7(message, (unsigned char**)signature); error: if (message != NULL) PKCS7_free(message); if (in != NULL) BIO_free(in); return size; }
// Encrypt a block of data for a target certificate int __fastcall util_encrypt(struct util_cert cert, char* data, int datalen, char** encdata) { int size = 0; BIO *in = NULL; PKCS7 *message = NULL; STACK_OF(X509) *encerts = NULL; *encdata = NULL; if (datalen == 0) return 0; // Setup certificates encerts = sk_X509_new_null(); sk_X509_push(encerts, cert.x509); // Encrypt the block *encdata = NULL; in = BIO_new_mem_buf(data, datalen); message = PKCS7_encrypt(encerts, in, EVP_aes_128_cbc(), PKCS7_BINARY); if (message == NULL) return 0; size = i2d_PKCS7(message, (unsigned char**)encdata); BIO_free(in); PKCS7_free(message); sk_X509_free(encerts); return size; }
extern "C" int32_t CryptoNative_GetPkcs7DerSize(PKCS7* p7) { return i2d_PKCS7(p7, nullptr); }
int main(int argc, char **argv) { const char *keyfilename, *certfilename; struct sign_context *ctx; uint8_t *buf, *tmp; int rc, c, sigsize; ctx = talloc_zero(NULL, struct sign_context); keyfilename = NULL; certfilename = NULL; for (;;) { int idx; c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx); if (c == -1) break; switch (c) { case 'o': ctx->outfilename = talloc_strdup(ctx, optarg); break; case 'c': certfilename = optarg; break; case 'k': keyfilename = optarg; break; case 'd': ctx->detached = 1; break; case 'v': ctx->verbose = 1; break; case 'V': version(); return EXIT_SUCCESS; case 'h': usage(); return EXIT_SUCCESS; } } if (argc != optind + 1) { usage(); return EXIT_FAILURE; } ctx->infilename = argv[optind]; if (!ctx->outfilename) set_default_outfilename(ctx); if (!certfilename) { fprintf(stderr, "error: No certificate specified (with --cert)\n"); usage(); return EXIT_FAILURE; } if (!keyfilename) { fprintf(stderr, "error: No key specified (with --key)\n"); usage(); return EXIT_FAILURE; } ctx->image = image_load(ctx->infilename); if (!ctx->image) return EXIT_FAILURE; _talloc_steal(ctx, ctx->image); ERR_load_crypto_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); EVP_PKEY *pkey = fileio_read_pkey(keyfilename); if (!pkey) return EXIT_FAILURE; X509 *cert = fileio_read_cert(certfilename); if (!cert) return EXIT_FAILURE; const EVP_MD *md = EVP_get_digestbyname("SHA256"); /* set up the PKCS7 object */ PKCS7 *p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_SIGNER_INFO *si = PKCS7_sign_add_signer(p7, cert, pkey, md, PKCS7_BINARY); if (!si) { fprintf(stderr, "error in key/certificate chain\n"); ERR_print_errors_fp(stderr); return EXIT_FAILURE; } PKCS7_content_new(p7, NID_pkcs7_data); rc = IDC_set(p7, si, ctx->image); if (rc) return EXIT_FAILURE; sigsize = i2d_PKCS7(p7, NULL); tmp = buf = talloc_array(ctx->image, uint8_t, sigsize); i2d_PKCS7(p7, &tmp); ERR_print_errors_fp(stdout); image_add_signature(ctx->image, buf, sigsize); if (ctx->detached) image_write_detached(ctx->image, ctx->outfilename); else image_write(ctx->image, ctx->outfilename); talloc_free(ctx); return EXIT_SUCCESS; }
// Write signed variable EFI_STATUS SetSignedVariable(IN CHAR16 *DatabaseName, IN EFI_GUID *DatabaseGuid, IN UINT32 Attributes, IN VOID *Database, IN UINTN DatabaseSize) { EFI_STATUS Status; EFI_VARIABLE_AUTHENTICATION_2 *Authentication; UINTN Size, NameLen; UINTN DataSize = 0; EFI_TIME Timestamp; VOID *Data = NULL; BIO *BioData = NULL; PKCS7 *p7; X509 *Certificate = NULL; EVP_PKEY *PrivateKey = NULL; const EVP_MD *md; // Check parameters if ((DatabaseName == NULL) || (DatabaseGuid == NULL)) { return EFI_INVALID_PARAMETER; } DBG("Setting secure variable: %g %s 0x%X (0x%X)\n", DatabaseGuid, DatabaseName, Database, DatabaseSize); NameLen = StrLen(DatabaseName); if (NameLen == 0) { return EFI_INVALID_PARAMETER; } // Get the current time DBG("Getting timestamp ...\n"); Status = GetUTCTime(&Timestamp); if (EFI_ERROR(Status)) { return Status; } DBG("Timestamp: %t\n", Timestamp); // In user mode we need to sign the database with exchange key if (!gSettings.SecureBootSetupMode) { // Initialize the cyphers and digests ERR_load_crypto_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); // Create signing certificate BioData = BIO_new_mem_buf((void *)gSecureBootExchangeKey, sizeof(gSecureBootExchangeKey)); if (BioData == NULL) { return EFI_OUT_OF_RESOURCES; } Certificate = PEM_read_bio_X509(BioData, NULL, NULL, NULL); BIO_free(BioData); if (Certificate == NULL) { return EFI_OUT_OF_RESOURCES; } // Create signing private key BioData = BIO_new_mem_buf((void *)gSecureBootExchangePrivateKey, sizeof(gSecureBootExchangePrivateKey)); if (BioData == NULL) { return EFI_OUT_OF_RESOURCES; } PrivateKey = PEM_read_bio_PrivateKey(BioData, NULL, NULL, NULL); BIO_free(BioData); if (PrivateKey == NULL) { X509_free(Certificate); return EFI_OUT_OF_RESOURCES; } // Do the actual signing process BioData = BIO_new(BIO_s_mem()); BIO_write(BioData, DatabaseName, (int)StrLen(DatabaseName)); BIO_write(BioData, DatabaseGuid, sizeof(EFI_GUID)); BIO_write(BioData, &Attributes, sizeof(UINT32)); BIO_write(BioData, &Timestamp, sizeof(EFI_TIME)); BIO_write(BioData, Database, (int)DatabaseSize); md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); PKCS7_sign_add_signer(p7, Certificate, PrivateKey, md, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP); PKCS7_set_detached(p7, 1); PKCS7_final(p7, BioData, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP); X509_free(Certificate); EVP_PKEY_free(PrivateKey); DataSize = i2d_PKCS7(p7, NULL); Data = AllocateZeroPool(DataSize); i2d_PKCS7(p7, (unsigned char **)&Data); PKCS7_free(p7); // Set the authentication buffer size Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize; } else { // In setup mode we don't need to sign, so just set the database DBG("In setup mode, not signing ...\n"); Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DatabaseSize; } // Create the authentication buffer DBG("Creating authentication ...\n"); Authentication = (EFI_VARIABLE_AUTHENTICATION_2 *)AllocateZeroPool(Size); if (Authentication == NULL) { if (Data != NULL) { FreePool(Data); } return EFI_OUT_OF_RESOURCES; } // Set the certificate elements CopyMem(&(Authentication->TimeStamp), &Timestamp, sizeof(EFI_TIME)); Authentication->AuthInfo.Hdr.dwLength = (UINT32)(sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize); Authentication->AuthInfo.Hdr.wRevision = 0x0200; Authentication->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; CopyMem(&(Authentication->AuthInfo.CertType), &gEfiCertPkcs7Guid, sizeof(EFI_GUID)); // Copy the data into the authentication if (Data != NULL) { CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Data, DataSize); FreePool(Data); } else { CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Database, DatabaseSize); //Payload, PayloadSize); } DBG("Writing secure variable 0x%X (0x%X) ...\n", Authentication, Size); // Write the database variable Status = gRT->SetVariable(DatabaseName, DatabaseGuid, SET_DATABASE_ATTRIBUTES, Size, Authentication); // Cleanup the authentication buffer FreePool(Authentication); return Status; }
int create_envelope(PluginInstance *inst, u8 **data, int *datalen) { int r; PKCS7 *p7 = NULL; X509 *x509 = NULL; PKCS7_SIGNER_INFO *si = NULL; EVP_PKEY *pkey = NULL; BIO *in = NULL, *p7bio = NULL; u8 *buf; r = extract_certificate_and_pkey(inst, &x509, &pkey); if (r) goto err; p7 = PKCS7_new(); if (p7 == NULL) { r = -1; goto err; } r = PKCS7_set_type(p7, NID_pkcs7_signed); if (r != 1) { r = -1; goto err; } EVP_add_digest(EVP_sha1()); si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1()); if (si == NULL) { r = -1; goto err; } PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); r = PKCS7_add_certificate(p7, x509); if (r != 1) { printf("PKCS7_add_certificate failed.\n"); goto err; } PKCS7_content_new(p7, NID_pkcs7_data); p7bio = PKCS7_dataInit(p7, NULL); if (p7bio == NULL) { r = -1; goto err; } in = BIO_new_mem_buf(inst->signdata, inst->signdata_len); if (in == NULL) { r = -1; goto err; } for (;;) { char lbuf[1024]; int i = BIO_read(in, lbuf, sizeof(lbuf)); if (i <= 0) break; BIO_write(p7bio, lbuf, i); } if (!PKCS7_dataFinal(p7, p7bio)) { r = -1; goto err; } /* FIXME: remove this */ r = i2d_PKCS7(p7, NULL); if (r <= 0) { r = -1; goto err; } buf = (u8 *) malloc(r); if (buf == NULL) goto err; *data = buf; r = i2d_PKCS7(p7, &buf); *datalen = r; if (r <= 0) { free(buf); r = -1; goto err; } r = 0; err: if (p7) PKCS7_free(p7); if (in) BIO_free(in); if (p7bio) BIO_free(p7bio); #if 0 if (si) PKCS7_SIGNER_INFO_free(si); #endif if (pkey) EVP_PKEY_free(pkey); if (x509) X509_free(x509); if (r) { #if 0 ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); #endif } return r; }
static int add_auth_descriptor(varsign_context *ctx, unsigned char dont_sign) { EFI_VARIABLE_AUTHENTICATION_2 *auth; int rc=0, len=0, flags=0; EFI_TIME timestamp; const EVP_MD *md; BIO *data_bio = NULL; PKCS7 *p7; UINT8 *signpkg; if (set_timestamp(×tamp)) return -1; /* create a BIO for our variable data, containing: * * Variablename (not including trailing nul) * * VendorGUID * * Attributes * * TimeStamp * * Data */ if (dont_sign == 0) { data_bio = BIO_new(BIO_s_mem()); BIO_write(data_bio, ctx->var_name, ctx->var_name_bytes); BIO_write(data_bio, &ctx->var_guid, sizeof(ctx->var_guid)); BIO_write(data_bio, &ctx->var_attrs, sizeof(ctx->var_attrs)); BIO_write(data_bio, ×tamp, sizeof(timestamp)); BIO_write(data_bio, ctx->data, ctx->data_len); md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;; PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); PKCS7_sign_add_signer(p7, ctx->cert, ctx->key, md, flags); PKCS7_set_detached(p7, 1); rc = PKCS7_final(p7, data_bio, flags); if (!rc) { fprintf(stderr, "Error signing variable data\n"); ERR_print_errors_fp(stderr); BIO_free_all(data_bio); return -1; } len = i2d_PKCS7(p7, NULL); } else { len = 0; } /* set up our auth descriptor */ auth = talloc_size(ctx, len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData)); auth->TimeStamp = timestamp; auth->AuthInfo.Hdr.dwLength = len + offsetof (WIN_CERTIFICATE_UEFI_GUID, CertData); auth->AuthInfo.Hdr.wRevision = 0x0200; auth->AuthInfo.Hdr.wCertificateType = 0x0EF1; auth->AuthInfo.CertType = cert_pkcs7_guid; if (dont_sign == 0) { signpkg = auth->AuthInfo.CertData; i2d_PKCS7(p7, &signpkg); } ctx->auth_descriptor = auth; ctx->auth_descriptor_len = len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData); BIO_free_all(data_bio); return 0; }
int32_t CryptoNative_GetPkcs7DerSize(PKCS7* p7) { return i2d_PKCS7(p7, NULL); }
int32_t CryptoNative_EncodePkcs7(PKCS7* p7, uint8_t* buf) { return i2d_PKCS7(p7, &buf); }
int main(int argc, char* argv[]) { PKCS7 *p7, *innerp7; FILE *fp = NULL; EVP_PKEY *pkey = NULL; PKCS7_SIGNER_INFO *p7i; PKCS7_RECIP_INFO *pri; BIO *mybio, *inbio; X509 *user; X509_ALGOR *md; int ret, len; unsigned char data[2048], *p, *buf; unsigned char* greet = "hello openssl"; unsigned long errorno; unsigned char* errordesc; OpenSSL_add_all_algorithms(); //必须要显式进行调用 inbio = BIO_new(BIO_s_mem()); ret = BIO_write(inbio, greet, strlen(greet)); p7 = PKCS7_new(); ret = PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); //加载用户证书 fp = fopen("mycert4p12.cer", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; user = d2i_X509(NULL, (const unsigned char**)&p, len); ret = PKCS7_add_certificate(p7, user); pri = PKCS7_add_recipient(p7, user); //读取私钥 fp = fopen("myprivkey.pem", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len); //第一个用户增加SignerInfo到列表中 p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5()); //加载用户证书 fp = fopen("user2.cer", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; user = d2i_X509(NULL, (const unsigned char**)&p, len); ret = PKCS7_add_certificate(p7, user); pri = PKCS7_add_recipient(p7, user); //读取私钥 fp = fopen("user2_privatekey.pem", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len); //第二个签名者增加到SignerInfo列表中 p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5()); ret = PKCS7_set_cipher(p7, EVP_des_ede3_cbc()); ret = PKCS7_final(p7, inbio, 0); //制作数字信封 len = i2d_PKCS7(p7, NULL); p = buf = malloc(len); len = i2d_PKCS7(p7, &p); printf("in i2d len = %d\n", len); fp = fopen("p7signandenv.cer", "wb"); fwrite(buf, len, 1, fp); fclose(fp); PKCS7_free(p7); }
char * PKCS7_GetSign(char*certFile,char* pwd, char* plainText,int flag) { //取PKCS12對象 FILE* fp; if (!(fp = fopen(certFile, "rb"))) { fprintf(stderr, "Error opening file %s\n", certFile); return NULL; } PKCS12 *p12= d2i_PKCS12_fp(fp, NULL); fclose (fp); if (!p12) { fprintf(stderr, "Error reading PKCS#12 file\n"); ERR_print_errors_fp(stderr); return NULL; } //取pkey對象、X509證書、證書鏈 EVP_PKEY *pkey=NULL; X509 *x509=NULL; STACK_OF(X509) *ca = NULL; if (!PKCS12_parse(p12, pwd, &pkey, &x509, &ca)) { fprintf(stderr, "Error parsing PKCS#12 file\n"); ERR_print_errors_fp(stderr); return NULL; } PKCS12_free(p12); //明文轉為BIO對象 //《vc++网络安全编程范例(14)-openssl bio编程 》 http://www.2cto.com/kf/201112/115018.html BIO *bio = BIO_new(BIO_s_mem()); BIO_puts(bio,plainText); //數字簽名 //PKCS7_NOCHAIN:签名中不包含证书链,第三个参数为NULL值的话,可不加这个FLAG标记 //PKCS7_NOSMIMECAP:签名不需要支持SMIME PKCS7* pkcs7 = PKCS7_sign(x509,pkey, ca,bio, flag); if(pkcs7==NULL) { ERR_print_errors_fp(stderr); return NULL; } //共有两种编码,一种是ASN1,另一种是DER编码。 //取數據簽名(DER格式) //openssl学习笔记之pkcs7-data内容类型的编码解码 //http://ipedo.i.sohu.com/blog/view/114822358.htm //入口:pkcs7对象 //出口:der对象 unsigned char *der; unsigned char *derTmp; unsigned long derlen; derlen = i2d_PKCS7(pkcs7,NULL); der = (unsigned char *) malloc(derlen); memset(der,0,derlen); derTmp = der; i2d_PKCS7(pkcs7,&derTmp); //DER转BASE64 return base64(der,derlen); }