static VALUE
ossl_pkcs7_add_data(VALUE self, VALUE data)
{
PKCS7 *pkcs7;
BIO *out, *in;
char buf[4096];
int len;
in = ossl_obj2bio(data);
GetPKCS7(self, pkcs7);
if(PKCS7_type_is_signed(pkcs7)){
if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
ossl_raise(ePKCS7Error, NULL);
}
if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
for(;;){
if((len = BIO_read(in, buf, sizeof(buf))) <= 0)
break;
if(BIO_write(out, buf, len) != len)
goto err;
}
if(!PKCS7_dataFinal(pkcs7, out)) goto err;
ossl_pkcs7_set_data(self, Qnil);
err:
BIO_free(out);
BIO_free(in);
if(ERR_peek_error()){
ossl_raise(ePKCS7Error, NULL);
}
return data;
}
Pkcs7SignedData* Pkcs7SignedDataBuilder::doFinal()
throw (InvalidStateException, Pkcs7Exception)
{
int rc;
Pkcs7SignedData *ret;
if (this->state != Pkcs7Builder::UPDATE)
{
throw InvalidStateException("Pkcs7SignedDataBuilder::dofinal");
}
rc = BIO_flush(this->p7bio);
if (!rc)
{
BIO_free(this->p7bio);
this->p7bio = NULL;
this->state = Pkcs7Builder::NO_INIT;
throw Pkcs7Exception(Pkcs7Exception::INTERNAL_ERROR, "Pkcs7SignedDataBuilder::dofinal", true);
}
rc = PKCS7_dataFinal(this->pkcs7, this->p7bio);
if (!rc)
{
BIO_free(this->p7bio);
this->p7bio = NULL;
PKCS7_free(this->pkcs7);
this->pkcs7 = NULL;
this->state = Pkcs7Builder::NO_INIT;
throw Pkcs7Exception(Pkcs7Exception::INTERNAL_ERROR, "Pkcs7SignedDataBuilder::dofinal", true);
}
this->state = Pkcs7Builder::NO_INIT;
BIO_free(this->p7bio);
this->p7bio = NULL;
ret = new Pkcs7SignedData(this->pkcs7);
this->pkcs7 = NULL;
return ret;
}
int PKI_X509_PKCS7_encode ( PKI_X509_PKCS7 *p7, unsigned char *data,
size_t size ) {
int type = NID_pkcs7_signed;
PKCS7_SIGNER_INFO *signerInfo = NULL;
BIO *bio = NULL;
if( !p7 || !p7->value ) return ( PKI_ERR );
type = PKI_X509_PKCS7_get_type ( p7 );
if (( type == PKI_X509_PKCS7_TYPE_ENCRYPTED )
|| (type == PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED)) {
if ( PKI_X509_PKCS7_has_recipients ( p7 ) == PKI_ERR ) {
PKI_log_debug ( "PKI_X509_PKCS7_encode()::Missing "
"Recipients!");
return PKI_ERR;
}
}
if ( (type == PKI_X509_PKCS7_TYPE_SIGNED) ||
(type == PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED )) {
if(( signerInfo = PKI_X509_PKCS7_get_signer_info( p7,
-1 )) == NULL ) {
return ( PKI_ERR );
}
PKCS7_add_signed_attribute ( signerInfo, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
}
if((bio = PKCS7_dataInit(p7->value, NULL)) == NULL ) {
PKI_log_err("PKI_X509_PKCS7_sign()::Error dataInit [%s]",
ERR_error_string(ERR_get_error(),NULL));
return ( PKI_ERR );
}
if( BIO_write( bio, data, (int) size ) <= 0 ) {
PKI_log_err("PKI_X509_PKCS7_sign()::Error dataSign [%s]",
ERR_error_string(ERR_get_error(),NULL));
return ( PKI_ERR );
}
(void)BIO_flush(bio);
if(!PKCS7_dataFinal( p7->value, bio )) {
PKI_log_err("PKI_X509_PKCS7_sign()::Error End dataSign [%s]",
ERR_error_string(ERR_get_error(),NULL));
return ( PKI_ERR );
};
if( bio ) BIO_free_all ( bio );
return ( PKI_OK );
}
/* will return 0, 1, 3, or 99 */
static int
_pkgtrans(char *device1, char *device2, char **pkg, int options,
keystore_handle_t keystore, char *keystore_alias)
{
BIO *p7_bio = NULL;
EVP_PKEY *privkey = NULL;
PKCS7 *sec_pkcs7 = NULL;
PKCS7_SIGNER_INFO *sec_signerinfo = NULL;
PKG_ERR *err;
STACK_OF(X509) *cacerts = NULL;
STACK_OF(X509) *clcerts = NULL;
STACK_OF(X509) *sec_chain = NULL;
X509 *pubcert = NULL;
boolean_t making_sig = B_FALSE;
char *src, *dst;
int errflg, i, n;
struct dm_buf *hdr;
making_sig = (keystore != NULL) ? B_TRUE : B_FALSE;
if (making_sig) {
/* new error object */
err = pkgerr_new();
/* find matching cert and key */
if (find_key_cert_pair(err, keystore,
keystore_alias, &privkey, &pubcert) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CA certificates */
if (find_ca_certs(err, keystore, &cacerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CL (aka "chain") certificates */
if (find_cl_certs(err, keystore, &clcerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* initialize PKCS7 object to be filled in later */
sec_pkcs7 = PKCS7_new();
(void) PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed);
sec_signerinfo = PKCS7_add_signature(sec_pkcs7,
pubcert, privkey, EVP_sha1());
if (sec_signerinfo == NULL) {
progerr(gettext(ERR_SEC), keystore_alias);
ERR_print_errors_fp(stderr);
pkgerr_free(err);
return (1);
}
/* add signer cert into signature */
(void) PKCS7_add_certificate(sec_pkcs7, pubcert);
/* attempt to resolve cert chain starting at the signer cert */
if (get_cert_chain(err, pubcert, clcerts, cacerts,
&sec_chain) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/*
* add the verification chain of certs into the signature.
* The first cert is the user cert, which we don't need,
* since it's baked in already, so skip it
*/
for (i = 1; i < sk_X509_num(sec_chain); i++) {
(void) PKCS7_add_certificate(sec_pkcs7,
sk_X509_value(sec_chain, i));
}
pkgerr_free(err);
err = NULL;
}
if (signal_received > 0) {
return (1);
}
/* transfer spool to appropriate device */
if (devtype(device1, &srcdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device1);
return (1);
}
srcdev.rdonly++;
/* check for datastream */
ids_name = NULL;
if (srcdev.bdevice) {
if (n = _getvol(srcdev.bdevice, NULL, NULL,
pkg_gt("Insert %v into %p."), srcdev.norewind)) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if (ds_readbuf(srcdev.cdevice))
ids_name = srcdev.cdevice;
}
if (srcdev.cdevice && !srcdev.bdevice)
ids_name = srcdev.cdevice;
else if (srcdev.pathname) {
ids_name = srcdev.pathname;
if (access(ids_name, 0) == -1) {
progerr(ERR_TRANSFER);
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
}
if (!ids_name && device2 == (char *)0) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
if (srcdev.mount && *srcdev.mount)
pkgdir = strdup(srcdev.mount);
return (0);
}
if (ids_name && device2 == (char *)0) {
tmppath = tmpnam(NULL);
tmppath = strdup(tmppath);
if (tmppath == NULL) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_MEM));
return (1);
}
if (mkdir(tmppath, 0755)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_MKDIR), tmppath);
return (1);
}
device2 = tmppath;
}
if (devtype(device2, &dstdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device2);
return (1);
}
if ((srcdev.cdevice && dstdev.cdevice) &&
strcmp(srcdev.cdevice, dstdev.cdevice) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
ods_name = NULL;
if (dstdev.cdevice && !dstdev.bdevice || dstdev.pathname)
options |= PT_ODTSTREAM;
if (options & PT_ODTSTREAM) {
if (!((ods_name = dstdev.cdevice) != NULL ||
(ods_name = dstdev.pathname) != NULL)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device2);
return (1);
}
if (ids_name) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_TWODSTREAM));
return (1);
}
} else {
/*
* output device isn't a stream. If we're making a signed
* package, then fail, since we can't make signed,
* non-stream pkgs
*/
if (making_sig) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(ERR_CANTSIGN));
return (1);
}
}
if ((srcdev.dirname && dstdev.dirname) &&
strcmp(srcdev.dirname, dstdev.dirname) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
if ((srcdev.pathname && dstdev.pathname) &&
strcmp(srcdev.pathname, dstdev.pathname) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
if (signal_received > 0) {
return (1);
}
if (ids_name) {
if (srcdev.cdevice && !srcdev.bdevice &&
(n = _getvol(srcdev.cdevice, NULL, NULL, NULL,
srcdev.norewind))) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if (srcdev.dirname = tmpnam(NULL))
tmpdir = srcdev.dirname = strdup(srcdev.dirname);
if ((srcdev.dirname == NULL) || mkdir(srcdev.dirname, 0755) ||
chdir(srcdev.dirname)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_NOTEMP), srcdev.dirname);
cleanup();
return (1);
}
if (ds_init(ids_name, pkg, srcdev.norewind)) {
cleanup();
return (1);
}
} else if (srcdev.mount) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
}
src = srcdev.dirname;
dst = dstdev.dirname;
if (chdir(src)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_CHDIR), src);
cleanup();
return (1);
}
if (signal_received > 0) {
return (1);
}
xpkg = pkg = gpkglist(src, pkg, NULL);
if (!pkg) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_NOPKGS), src);
cleanup();
return (1);
}
for (nxpkg = 0; pkg[nxpkg]; /* void */) {
nxpkg++; /* count */
}
if (ids_name) {
ds_order(pkg); /* order requests */
}
if (signal_received > 0) {
return (1);
}
if (options & PT_ODTSTREAM) {
char line[128];
if (!dstdev.pathname &&
(n = _getvol(ods_name, NULL, DM_FORMAT, NULL,
dstdev.norewind))) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if ((hdr = genheader(src, pkg)) == NULL) {
cleanup();
return (1);
}
if (making_sig) {
/* start up signature data stream */
(void) PKCS7_content_new(sec_pkcs7, NID_pkcs7_data);
(void) PKCS7_set_detached(sec_pkcs7, 1);
p7_bio = PKCS7_dataInit(sec_pkcs7, NULL);
/*
* Here we generate all the data that will go into
* the package, and send it through the signature
* generator, essentially calculating the signature
* of the entire package so we can place it in the
* header. Otherwise we'd have to place it at the end
* of the pkg, which would break the ABI
*/
if (!(options & PT_SILENT)) {
(void) fprintf(stderr, pkg_gt(MSG_SIGNING),
get_subject_display_name(pubcert));
}
if (dump_hdr_and_pkgs(p7_bio, hdr, pkg) != 0) {
progerr(gettext(ERR_NOGEN));
logerr(pkg_gt(MSG_GETVOL));
cleanup();
return (1);
}
BIO_flush(p7_bio);
/*
* now generate PKCS7 signature
*/
if (!PKCS7_dataFinal(sec_pkcs7, p7_bio)) {
progerr(gettext(ERR_NOGEN));
logerr(pkg_gt(MSG_GETVOL));
cleanup();
return (1);
}
(void) BIO_free(p7_bio);
}
/* write out header to stream, which includes signature */
if (wdsheader(hdr, src, ods_name, pkg, sec_pkcs7)) {
cleanup();
return (1);
}
if (sec_pkcs7 != NULL) {
/* nuke in-memory signature for safety */
PKCS7_free(sec_pkcs7);
sec_pkcs7 = NULL;
}
ds_volno = 1; /* number of volumes in datastream */
pinput = hdrbuf.text_buffer;
/* skip past first line in header */
(void) mgets(line, 128);
}
if (signal_received > 0) {
return (1);
}
errflg = 0;
for (i = 0; pkg[i]; i++) {
if (signal_received > 0) {
return (1);
}
if (!(options & PT_ODTSTREAM) && dstdev.mount) {
if (n = pkgmount(&dstdev, NULL, 0, 0, 1)) {
cleanup();
return (n);
}
}
if (errflg = pkgxfer(pkg[i], options)) {
pkg[i] = NULL;
if ((options & PT_ODTSTREAM) || (errflg != 2))
break;
} else if (strcmp(dstinst, pkg[i]))
pkg[i] = strdup(dstinst);
}
if (!(options & PT_ODTSTREAM) && dst) {
pkgdir = strdup(dst);
}
/*
* No cleanup of temporary directories created in this
* function is done here. The calling function must do
* the cleanup.
*/
return (signal_received > 0 ? 1 : errflg);
}
/*******************************************************************************
函数名称: cert_pkcs7_wrap
功能描述: 将要发送的消息采用PKCS#7格式进行编码
输入参数: struct scep *s, SCEP操作的结构体指针。
s32 hasra, 是否使用RA证书,1,使用;0,不使用
输出参数: 无
返 回 值: 1,成功;-1,失败
--------------------------------------------------------------------------------
最近一次修改记录:
修改作者:王朝
修改目的:添加新函数
修改日期:2009年12月28日
*********************************************************************************/
s32 cert_pkcs7_wrap(struct scep *s, s32 hasra)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
u8 *buffer = NULL;
s32 len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si = NULL;
STACK_OF(X509_ATTRIBUTE) *attributes = NULL;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
s32 retval = -1;
/* sender nonce */
s->sender_nonce_len = 16;
s->sender_nonce = (u8 *)malloc((u32)s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type)
{
case SCEP_REQUEST_PKCSREQ:
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_X509_REQ_bio(databio, cert_request)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
default:
goto end;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
BIO_free(databio);
databio = NULL;
/* Create encryption certificate stack */
if (NULL == (recipients = sk_X509_new_null() ))
{
goto end;
}
/* Use different CA cert for encryption if requested */
if (1 == hasra)
{
if (sk_X509_push(recipients, cert_encert) <= 0)
{
goto end;
}
}
else
{
/* Use same CA cert also for encryption */
if (sk_X509_push(recipients, cert_cacert) <= 0)
{
goto end;
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,s->request_len)) == NULL)
{
goto end;
}
/* Encrypt */
if (NULL == (p7enc = PKCS7_encrypt(recipients, encbio, cert_enc_alg, PKCS7_BINARY)))
{
goto end;
}
BIO_free(encbio);
encbio = NULL;
sk_X509_free(recipients);
recipients = NULL;
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0)
{
goto end;
}
PKCS7_free(p7enc);
p7enc = NULL;
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
/* Create outer PKCS#7 */
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL)
{
goto end;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed))
{
goto end;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,signercert, signerkey, cert_sig_alg)) == NULL)
{
goto end;
}
/* Set signed attributes */
attributes = sk_X509_ATTRIBUTE_new_null();
cert_add_attribute_string(attributes, nid_transId, s->transaction_id);
cert_add_attribute_string(attributes, nid_messageType, s->request_type_str);
cert_add_attribute_octet(attributes, nid_senderNonce, (s8 *)(s->sender_nonce),s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_free(attributes);
attributes = NULL;
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)))
{
goto end;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data))
{
goto end;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL)
{
goto end;
}
if (len != BIO_write(pkcs7bio, buffer, len))
{
goto end;
}
BIO_free(memorybio);
memorybio = NULL;
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio))
{
goto end;
}
/* base64-encode the data */
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
retval = 1;
end:
if(NULL != databio)
{
BIO_free(databio);
}
if(NULL != encbio)
{
BIO_free(encbio);
}
if(NULL != p7enc)
{
PKCS7_free(p7enc);
}
if(NULL != pkcs7bio)
{
BIO_free(pkcs7bio);
}
if(NULL != memorybio)
{
BIO_free(memorybio);
}
if(NULL != base64bio)
{
BIO_free(base64bio);
}
if(NULL != recipients)
{
sk_X509_free(recipients);
}
if(NULL != attributes)
{
sk_X509_ATTRIBUTE_free(attributes);
}
return retval;
}
int create_envelope(PluginInstance *inst, u8 **data, int *datalen)
{
int r;
PKCS7 *p7 = NULL;
X509 *x509 = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_PKEY *pkey = NULL;
BIO *in = NULL, *p7bio = NULL;
u8 *buf;
r = extract_certificate_and_pkey(inst, &x509, &pkey);
if (r)
goto err;
p7 = PKCS7_new();
if (p7 == NULL) {
r = -1;
goto err;
}
r = PKCS7_set_type(p7, NID_pkcs7_signed);
if (r != 1) {
r = -1;
goto err;
}
EVP_add_digest(EVP_sha1());
si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
if (si == NULL) {
r = -1;
goto err;
}
PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data));
r = PKCS7_add_certificate(p7, x509);
if (r != 1) {
printf("PKCS7_add_certificate failed.\n");
goto err;
}
PKCS7_content_new(p7, NID_pkcs7_data);
p7bio = PKCS7_dataInit(p7, NULL);
if (p7bio == NULL) {
r = -1;
goto err;
}
in = BIO_new_mem_buf(inst->signdata, inst->signdata_len);
if (in == NULL) {
r = -1;
goto err;
}
for (;;) {
char lbuf[1024];
int i = BIO_read(in, lbuf, sizeof(lbuf));
if (i <= 0)
break;
BIO_write(p7bio, lbuf, i);
}
if (!PKCS7_dataFinal(p7, p7bio)) {
r = -1;
goto err;
}
/* FIXME: remove this */
r = i2d_PKCS7(p7, NULL);
if (r <= 0) {
r = -1;
goto err;
}
buf = (u8 *) malloc(r);
if (buf == NULL)
goto err;
*data = buf;
r = i2d_PKCS7(p7, &buf);
*datalen = r;
if (r <= 0) {
free(buf);
r = -1;
goto err;
}
r = 0;
err:
if (p7)
PKCS7_free(p7);
if (in)
BIO_free(in);
if (p7bio)
BIO_free(p7bio);
#if 0
if (si)
PKCS7_SIGNER_INFO_free(si);
#endif
if (pkey)
EVP_PKEY_free(pkey);
if (x509)
X509_free(x509);
if (r) {
#if 0
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
#endif
}
return r;
}
/*
* Wrap data in PKCS#7 envelopes and base64-encode the result.
* Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject
* structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in
* GetCert and GETCrl.
*/
int pkcs7_wrap(struct scep *s, struct sscep_ctx *ctx, struct sscep_operation_info *op_info)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
unsigned char *buffer = NULL;
int len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *attributes;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
int ret = SCEP_PKISTATUS_P7;
char *payload = NULL;
int payload_len;
/* Create a new sender nonce for all messages
* XXXXXXXXXXXXXX should it be per transaction? */
s->sender_nonce_len = 16;
free(s->sender_nonce);/* Clean up from previous runs */
s->sender_nonce = (char *)malloc(s->sender_nonce_len * sizeof(char));
RAND_bytes((unsigned char *) s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch (s->request_type) {
case SCEP_REQUEST_PKCSREQ:
/*
* Set printable message type
* We set this later as an autheticated attribute
* "messageType".
*/
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating inner PKCS#7");
}
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if (i2d_X509_REQ_bio(databio, op_info->request) <= 0) {
qeo_log_e("error writing certificate request in bio");
goto error;
}
(void)BIO_flush(databio);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating inner PKCS#7");
}
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if (i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) {
qeo_log_e("error writing GetCertInitial data in bio");
goto error;
}
(void)BIO_flush(databio);
break;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
payload_len = BIO_get_mem_data(databio, &payload);
if (ctx->verbose){
qeo_log_i("data payload size: %d bytes", payload_len);
}
/* Create encryption certificate stack */
if ((recipients = sk_X509_new(NULL) ) == NULL) {
qeo_log_e("error creating certificate stack");
goto error;
}
if (sk_X509_push(recipients, op_info->racert) <= 0) {
qeo_log_e("error adding recipient encryption certificate");
goto error;
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(payload, payload_len)) == NULL ) {
qeo_log_e("error creating data bio");
goto error;
}
/* Encrypt */
if (!(p7enc = PKCS7_encrypt(recipients, encbio, ctx->enc_alg, PKCS7_BINARY))) {
qeo_log_e("request payload encrypt failed");
goto error;
}
if (ctx->verbose){
qeo_log_i("successfully encrypted payload");
}
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) {
qeo_log_e("error writing encrypted data");
goto error;
}
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
BIO_free(memorybio);
memorybio=NULL;
if (ctx->verbose){
qeo_log_i("envelope size: %d bytes", len);
}
if (ctx->debug) {
qeo_log_i("printing PEM fomatted PKCS#7");
PEM_write_PKCS7(stdout, p7enc);
}
/* Create outer PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating outer PKCS#7");
}
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL ) {
qeo_log_e("failed creating PKCS#7 for signing");
goto error;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) {
qeo_log_e("failed setting PKCS#7 type");
goto error;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, ctx->sig_alg)) == NULL ) {
qeo_log_e("error adding PKCS#7 signature");
goto error;
}
if (ctx->verbose){
qeo_log_i("signature added successfully");
}
/* Set signed attributes */
if (ctx->verbose){
qeo_log_i("adding signed attributes");
}
attributes = sk_X509_ATTRIBUTE_new_null();
add_attribute_string(attributes, ctx->nid_transId, s->transaction_id, ctx);
add_attribute_string(attributes, ctx->nid_messageType, s->request_type_str, ctx);
add_attribute_octet(attributes, ctx->nid_senderNonce, s->sender_nonce, s->sender_nonce_len, ctx);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_pop_free(attributes, X509_ATTRIBUTE_free);
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) {
qeo_log_e("error adding NID_pkcs9_contentType");
goto error;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) {
qeo_log_e("failed setting PKCS#7 content type");
goto error;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL );
if (pkcs7bio == NULL ) {
qeo_log_e("error opening bio for writing PKCS#7 data");
goto error;
}
if (len != BIO_write(pkcs7bio, buffer, len)) {
qeo_log_e("error writing PKCS#7 data");
goto error;
}
if (ctx->verbose){
qeo_log_i("PKCS#7 data written successfully");
}
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) {
qeo_log_e("error finalizing outer PKCS#7");
goto error;
}
if (ctx->debug) {
qeo_log_i("printing PEM fomatted PKCS#7");
PEM_write_PKCS7(stdout, s->request_p7);
}
/* base64-encode the data */
if (ctx->verbose){
qeo_log_i("applying base64 encoding");
}
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
outbio = BIO_push(BIO_new(BIO_f_base64()), memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
payload_len = BIO_get_mem_data(memorybio, &payload);
s->request_payload = (char*) malloc(sizeof(char)*payload_len);
if (!s->request_payload){
goto error;
}
s->request_len = payload_len;
memcpy(s->request_payload, payload, s->request_len);
if (ctx->verbose){
qeo_log_i("base64 encoded payload size: %d bytes", payload_len);
}
ret = 0;
error:
BIO_free(databio);
BIO_free(encbio);
BIO_free_all(pkcs7bio);
BIO_free(memorybio);
BIO_free(outbio);
if (recipients != NULL){
sk_X509_free(recipients);/* Only free the stack, not the certificates */
}
PKCS7_free(p7enc);
OPENSSL_free(buffer);
return ret;
}
/*
* We need to replace a standard chunk of PKCS7 signature with one mandated
* by Authenticode. Problem is, replacing it just like that and then calling
* PKCS7_final() would make OpenSSL segfault somewhere in PKCS7_dataFinal().
* So, instead, we call PKCS7_dataInit(), then put our Authenticode-specific
* data into BIO it returned, then call PKCS7_dataFinal() - which now somehow
* does not panic - and _then_ we replace it in the signature. This technique
* was used in sbsigntool by Jeremy Kerr, and might have originated in
* osslsigncode.
*/
static void
magic(PKCS7 *pkcs7, const char *digest, size_t digest_len)
{
BIO *bio, *t_bio;
ASN1_TYPE *t;
ASN1_STRING *s;
CONF *cnf;
unsigned char *buf, *tmp;
char *digest_hex, *magic_conf, *str;
int len, nid, ok;
digest_hex = bin2hex(digest, digest_len);
/*
* Construct the SpcIndirectDataContent chunk.
*/
nid = OBJ_create("1.3.6.1.4.1.311.2.1.4", NULL, NULL);
asprintf(&magic_conf, magic_fmt, digest_hex);
if (magic_conf == NULL)
err(1, "asprintf");
bio = BIO_new_mem_buf((void *)magic_conf, -1);
if (bio == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "BIO_new_mem_buf(3) failed");
}
cnf = NCONF_new(NULL);
if (cnf == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "NCONF_new(3) failed");
}
ok = NCONF_load_bio(cnf, bio, NULL);
if (ok == 0) {
ERR_print_errors_fp(stderr);
errx(1, "NCONF_load_bio(3) failed");
}
str = NCONF_get_string(cnf, "default", "asn1");
if (str == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "NCONF_get_string(3) failed");
}
t = ASN1_generate_nconf(str, cnf);
if (t == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "ASN1_generate_nconf(3) failed");
}
/*
* We now have our proprietary piece of ASN.1. Let's do
* the actual signing.
*/
len = i2d_ASN1_TYPE(t, NULL);
tmp = buf = calloc(1, len);
if (tmp == NULL)
err(1, "calloc");
i2d_ASN1_TYPE(t, &tmp);
/*
* We now have contents of 't' stuffed into memory buffer 'buf'.
*/
tmp = NULL;
t = NULL;
t_bio = PKCS7_dataInit(pkcs7, NULL);
if (t_bio == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "PKCS7_dataInit(3) failed");
}
BIO_write(t_bio, buf + 2, len - 2);
ok = PKCS7_dataFinal(pkcs7, t_bio);
if (ok == 0) {
ERR_print_errors_fp(stderr);
errx(1, "PKCS7_dataFinal(3) failed");
}
t = ASN1_TYPE_new();
s = ASN1_STRING_new();
ASN1_STRING_set(s, buf, len);
ASN1_TYPE_set(t, V_ASN1_SEQUENCE, s);
PKCS7_set0_type_other(pkcs7->d.sign->contents, nid, t);
}
/*
* Wrap data in PKCS#7 envelopes and base64-encode the result.
* Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject
* structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in
* GetCert and GETCrl.
*/
int pkcs7_wrap(struct scep *s) {
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
unsigned char *buffer = NULL;
int rc, len = 0;
STACK_OF(X509) *recipients;
PKCS7 *p7enc;
PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *attributes;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
/* Create a new sender nonce for all messages
* XXXXXXXXXXXXXX should it be per transaction? */
s->sender_nonce_len = 16;
s->sender_nonce = (unsigned char *)malloc(s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type) {
case SCEP_REQUEST_PKCSREQ:
/*
* Set printable message type
* We set this later as an autheticated attribute
* "messageType".
*/
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (v_flag)
printf("%s: creating inner PKCS#7\n", pname);
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_X509_REQ_bio(databio, request)) <= 0) {
fprintf(stderr, "%s: error writing "
"certificate request in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (v_flag)
printf("%s: creating inner PKCS#7\n", pname);
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio,
s->ias_getcertinit)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCertInitial data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERT_STR;
/* Signer cert */
signercert = localcert;
signerkey = rsa;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,
s->ias_getcert)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCert data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCRL:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCRL_STR;
/* Signer cert */
signercert = localcert;
signerkey = rsa;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,
s->ias_getcrl)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCert data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
if (v_flag)
printf("%s: data payload size: %d bytes\n", pname,
s->request_len);
BIO_free(databio);
/* Create encryption certificate stack */
if ((recipients = sk_X509_new(NULL)) == NULL) {
fprintf(stderr, "%s: error creating "
"certificate stack\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Use different CA cert for encryption if requested */
if (e_flag) {
if (sk_X509_push(recipients, encert) <= 0) {
fprintf(stderr, "%s: error adding recipient encryption "
"certificate\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Use same CA cert also for encryption */
} else {
if (sk_X509_push(recipients, cacert) <= 0) {
fprintf(stderr, "%s: error adding recipient encryption "
"certificate\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,
s->request_len)) == NULL) {
fprintf(stderr, "%s: error creating data " "bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Encrypt */
if (!(p7enc = PKCS7_encrypt(recipients, encbio,
enc_alg, PKCS7_BINARY))) {
fprintf(stderr, "%s: request payload encrypt failed\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: successfully encrypted payload\n", pname);
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) {
fprintf(stderr, "%s: error writing encrypted data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
if (v_flag)
printf("%s: envelope size: %d bytes\n", pname, len);
if (d_flag) {
printf("%s: printing PEM fomatted PKCS#7\n", pname);
PEM_write_PKCS7(stdout, p7enc);
}
BIO_free(memorybio);
/* Create outer PKCS#7 */
if (v_flag)
printf("%s: creating outer PKCS#7\n", pname);
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL) {
fprintf(stderr, "%s: failed creating PKCS#7 for signing\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) {
fprintf(stderr, "%s: failed setting PKCS#7 type\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,
signercert, signerkey, sig_alg)) == NULL) {
fprintf(stderr, "%s: error adding PKCS#7 signature\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: signature added successfully\n", pname);
/* Set signed attributes */
if (v_flag)
printf("%s: adding signed attributes\n", pname);
attributes = sk_X509_ATTRIBUTE_new_null();
add_attribute_string(attributes, nid_transId, s->transaction_id);
add_attribute_string(attributes, nid_messageType, s->request_type_str);
add_attribute_octet(attributes, nid_senderNonce, s->sender_nonce,
s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) {
fprintf(stderr, "%s: error adding NID_pkcs9_contentType\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) {
fprintf(stderr, "%s: failed setting PKCS#7 content type\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL) {
fprintf(stderr, "%s: error opening bio for writing PKCS#7 "
"data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (len != BIO_write(pkcs7bio, buffer, len)) {
fprintf(stderr, "%s: error writing PKCS#7 data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: PKCS#7 data written successfully\n", pname);
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) {
fprintf(stderr, "%s: error finalizing outer PKCS#7\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (d_flag) {
printf("%s: printing PEM fomatted PKCS#7\n", pname);
PEM_write_PKCS7(stdout, s->request_p7);
}
/* base64-encode the data */
if (v_flag)
printf("%s: applying base64 encoding\n",pname);
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
if (v_flag)
printf("%s: base64 encoded payload size: %d bytes\n",
pname, s->request_len);
BIO_free(outbio);
return (0);
}
char* sign_and_encrypt(const char *data, RSA *rsa, X509 *x509, X509 *PPx509, int verbose)
/* sign and encrypt button data for safe delivery to paypal */
{
char *ret = NULL;
EVP_PKEY *pkey;
PKCS7 *p7 = NULL;
BIO *p7bio = NULL;
BIO *bio = NULL;
PKCS7_SIGNER_INFO* si;
int len;
char *str;
pkey = EVP_PKEY_new();
if (EVP_PKEY_set1_RSA(pkey, rsa) == 0)
{
fprintf(stderr,"Fatal Error: Unable to create EVP_KEY from RSA key\n");fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully created EVP_KEY from RSA key\n");
}
/* Create a signed and enveloped PKCS7 */
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);
si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
if (si) {
if (PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data)) <= 0)
{
fprintf(stderr,"Fatal Error: Unable to add signed attribute to certificate\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added signed attribute to certificate\n");
}
} else {
fprintf(stderr,"Fatal Error: Failed to sign PKCS7\n");fflush(stderr);
goto end;
}
/* Encryption */
if (PKCS7_set_cipher(p7, EVP_des_ede3_cbc()) <= 0)
{
fprintf(stderr,"Fatal Error: Failed to set encryption algorithm\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added encryption algorithm\n");
}
if (PKCS7_add_recipient(p7, PPx509) <= 0)
{
fprintf(stderr,"Fatal Error: Failed to add PKCS7 recipient\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added recipient\n");
}
if (PKCS7_add_certificate(p7, x509) <= 0)
{
fprintf(stderr,"Fatal Error: Failed to add PKCS7 certificate\n");
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
} else if (verbose) {
printf("Successfully added certificate\n");
}
p7bio = PKCS7_dataInit(p7, NULL);
if (!p7bio) {
fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
fflush(stderr);
goto end;
}
/* Pump data to special PKCS7 BIO. This encrypts and signs it. */
BIO_write(p7bio, data, strlen(data));
BIO_flush(p7bio);
PKCS7_dataFinal(p7, p7bio);
/* Write PEM encoded PKCS7 */
bio = BIO_new(BIO_s_mem());
if (!bio || (PEM_write_bio_PKCS7(bio, p7) == 0))
{
fprintf(stderr,"Fatal Error: Failed to create PKCS7 PEM\n");fflush(stderr);
} else if (verbose) {
printf("Successfully created PKCS7 PEM\n");
}
BIO_flush(bio);
len = BIO_get_mem_data(bio, &str);
ret = malloc(sizeof(char)*(len+1));
memcpy(ret, str, len);
ret[len] = 0;
end:
/* Free everything */
if (bio)
BIO_free_all(bio);
if (p7bio)
BIO_free_all(p7bio);
if (p7)
PKCS7_free(p7);
if (pkey)
EVP_PKEY_free(pkey);
return ret;
}
