static int exec_addpubkey(int argc, char **argv) {
CRYPT_KEYSET keyset;
CRYPT_CERTIFICATE cert;
const char *certfilename, *keysetfilename;
void *data;
int data_len;
int status;
if (argc != 2) {
fprintf(stderr, "usage: addpubkey keyset cert\n");
return 1;
}
keysetfilename = argv[0]; certfilename = argv[1];
status = cryptKeysetOpen(&keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, keysetfilename, CRYPT_KEYOPT_NONE);
WARN_AND_RETURN_IF(status);
data = read_full_file(certfilename, &data_len);
status = cryptImportCert(data, data_len, CRYPT_UNUSED, &cert);
WARN_AND_RETURN_IF(status);
status = cryptAddPublicKey(keyset, cert);
WARN_AND_RETURN_IF(status);
status = cryptKeysetClose(keyset);
WARN_AND_RETURN_IF(status);
free(data);
return 0;
}
static int save_ca_keypair_and_cert_to_file(CRYPT_CONTEXT ctx, CRYPT_CERTIFICATE cert, const char *filename, const char *password) {
int status;
CRYPT_KEYSET keyset;
status = cryptKeysetOpen( &keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, filename, CRYPT_KEYOPT_CREATE );
if (!cryptStatusOK(status)) {
fprintf(stderr, "cryptlib error %d while creating ca privkey keyset file %s\n", status, filename);
return status;
}
status = cryptAddPrivateKey( keyset, ctx, password );
if (!cryptStatusOK(status)) {
fprintf(stderr, "cryptlib error %d while adding CA privkey to keyset\n", status);
goto err_keyset_exit;
}
status = cryptAddPublicKey( keyset, cert );
if (!cryptStatusOK(status)) {
fprintf(stderr, "cryptlib error %d while adding CA cert to keyset\n", status);
goto err_keyset_exit;
}
#if 0
status = cryptAddPublicKey( keyset, ctx );
if (!cryptStatusOK(status)) {
fprintf(stderr, "cryptlib error %d while adding CA pubkey to keyset\n", status);
goto err_keyset_exit;
}
#endif
status = cryptKeysetClose( keyset );
if (!cryptStatusOK(status)) {
fprintf(stderr, "cryptlib error %d while closing CA privkey keyset\n", status);
return status; /* what do we do now, close it again? */
}
return CRYPT_OK;
err_keyset_exit:
cryptKeysetClose( keyset ); return status;
}
static int updateKey( const int keyBits, const char *certFileName )
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCert;
char filenameBuffer[ FILENAME_BUFFER_SIZE ];
void *fileNamePtr = filenameBuffer;
int status;
/* Import the certificate from the file */
status = importCertFile( &cryptCert, certFileName );
if( cryptStatusError( status ) )
{
printf( "Couldn't import certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
/* Add the certificate to the file */
filenameFromTemplate( filenameBuffer, SERVER_ECPRIVKEY_FILE_TEMPLATE,
keyBits );
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE,
fileNamePtr, CRYPT_KEYOPT_NONE );
if( cryptStatusOK( status ) )
{
status = cryptAddPublicKey( cryptKeyset, cryptCert );
cryptKeysetClose( cryptKeyset );
}
if( cryptStatusError( status ) )
{
printf( "Couldn't update private key with certificate, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
return( TRUE );
}
static int testKeysetWrite( const CRYPT_KEYSET_TYPE keysetType,
const C_STR keysetName )
{
CRYPT_KEYSET cryptKeyset;
CRYPT_CERTIFICATE cryptCert;
CRYPT_CONTEXT pubKeyContext, privKeyContext;
C_CHR filenameBuffer[ FILENAME_BUFFER_SIZE ];
C_CHR name[ CRYPT_MAX_TEXTSIZE + 1 ];
int length, status;
/* Import the certificate from a file - this is easier than creating one
from scratch. We use one of the later certs in the test set, since
this contains an email address, which the earlier ones don't */
status = importCertFromTemplate( &cryptCert, CERT_FILE_TEMPLATE,
EMAILADDR_CERT_NO );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate from file, status %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Make sure that the certificate does actually contain an email
address */
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_EMAIL,
name, &length );
if( cryptStatusError( status ) )
{
printf( "Certificate doesn't contain an email address and can't be "
"used for testing,\n line %d.\n", __LINE__ );
return( FALSE );
}
/* Create the database keyset with a check to make sure this access
method exists so we can return an appropriate error message. If the
database table already exists, this will return a duplicate data
error so we retry the open with no flags to open the existing database
keyset for write access */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, CRYPT_KEYOPT_CREATE );
if( cryptStatusOK( status ) )
printf( "Created new certificate database '%s'.\n", keysetName );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access isn't available, return a special error
code to indicate that the test wasn't performed, but that this
isn't a reason to abort processing */
cryptDestroyCert( cryptCert );
return( CRYPT_ERROR_NOTAVAIL );
}
if( status == CRYPT_ERROR_DUPLICATE )
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, keysetType,
keysetName, 0 );
if( cryptStatusError( status ) )
{
cryptDestroyCert( cryptCert );
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
if( status == CRYPT_ERROR_OPEN )
return( CRYPT_ERROR_FAILED );
return( FALSE );
}
/* Write the key to the database */
puts( "Adding certificate." );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status == CRYPT_ERROR_DUPLICATE )
{
/* The key is already present, delete it and retry the write */
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_COMMONNAME, name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptDeleteKey()", status,
__LINE__ ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
}
if( cryptStatusError( status ) )
{
printExtError( cryptKeyset, "cryptAddPublicKey()", status, __LINE__ );
/* LDAP writes can fail due to the chosen directory not supporting the
schema du jour, so we're a bit more careful about cleaning up since
we'll skip the error and continue processing */
cryptDestroyCert( cryptCert );
cryptKeysetClose( cryptKeyset );
return( FALSE );
}
cryptDestroyCert( cryptCert );
/* Add a second certificate with C=US so that we've got enough certs to
properly exercise the query code. This certificate is highly unusual
in that it doesn't have a DN, so we have to move up the DN looking
for higher-up values, in this case the OU */
if( keysetType != CRYPT_KEYSET_LDAP )
{
status = importCertFromTemplate( &cryptCert, CERT_FILE_TEMPLATE, 2 );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status == CRYPT_ERROR_DUPLICATE )
{
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_COMMONNAME, name, &length );
if( cryptStatusError( status ) )
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
}
if( cryptStatusOK( status ) )
status = cryptAddPublicKey( cryptKeyset, cryptCert );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()",
status, __LINE__ ) );
cryptDestroyCert( cryptCert );
}
/* Add a third certificate with a DN that'll cause problems for some
storage technologies */
if( !loadRSAContexts( CRYPT_UNUSED, &pubKeyContext, &privKeyContext ) )
return( FALSE );
status = cryptCreateCert( &cryptCert, CRYPT_UNUSED,
CRYPT_CERTTYPE_CERTIFICATE );
if( cryptStatusError( status ) )
{
printf( "cryptCreateCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptSetAttribute( cryptCert,
CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, pubKeyContext );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCert, "cryptSetAttribute()", status,
__LINE__ ) );
if( !addCertFields( cryptCert, sqlCertData, __LINE__ ) )
return( FALSE );
status = cryptSignCert( cryptCert, privKeyContext );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCert, "cryptSignCert()", status,
__LINE__ ) );
destroyContexts( CRYPT_UNUSED, pubKeyContext, privKeyContext );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) )
{
/* The key is already present, delete it and retry the write */
status = cryptGetAttributeString( cryptCert,
CRYPT_CERTINFO_COMMONNAME, name, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptDeleteKey()", status,
__LINE__ ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
}
if( cryptStatusError( status ) )
{
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()",
status, __LINE__ ) );
}
cryptDestroyCert( cryptCert );
/* Now try the same thing with a CRL. This code also tests the
duplicate-detection mechanism, if we don't get a duplicate error
there's a problem */
puts( "Adding CRL." );
status = importCertFromTemplate( &cryptCert, CRL_FILE_TEMPLATE, 1 );
if( cryptStatusError( status ) )
{
printf( "Couldn't read CRL from file, status %d, line %d.\n",
status, __LINE__ );
return( TRUE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status != CRYPT_ERROR_DUPLICATE )
{
printf( "Addition of duplicate item to keyset failed to produce "
"CRYPT_ERROR_DUPLICATE, status %d, line %d.\n", status,
__LINE__ );
return( FALSE );
}
cryptDestroyCert( cryptCert );
/* Finally, try it with a certificate chain */
puts( "Adding certificate chain." );
filenameParamFromTemplate( filenameBuffer, CERTCHAIN_FILE_TEMPLATE,
CERT_CHAIN_NO );
status = importCertFile( &cryptCert, filenameBuffer );
if( cryptStatusError( status ) )
{
printf( "Couldn't read certificate chain from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
/* In addition to the other certs we also add the generic user
certificate, which is used later in other tests. Since it may have
been added earlier we try and delete it first (we can't use the
existing version since the issuerAndSerialNumber won't match the one
in the private-key keyset) */
status = getPublicKey( &cryptCert, USER_PRIVKEY_FILE,
USER_PRIVKEY_LABEL );
if( cryptStatusError( status ) )
{
printf( "Couldn't read user certificate from file, status %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptGetAttributeString( cryptCert, CRYPT_CERTINFO_COMMONNAME,
name, &length );
if( cryptStatusError( status ) )
return( FALSE );
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
name[ length ] = TEXT( '\0' );
do
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME, name );
while( cryptStatusOK( status ) );
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( status == CRYPT_ERROR_NOTFOUND )
{
/* This can occur if a database keyset is defined but hasn't been
initialised yet so the necessary tables don't exist, it can be
opened but an attempt to add a key will return a not found error
since it's the table itself rather than any item within it that
isn't being found */
status = CRYPT_OK;
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
/* Finally, if ECC is enabled we also add ECC certificates that are used
later in other tests */
if( cryptStatusOK( cryptQueryCapability( CRYPT_ALGO_ECDSA, NULL ) ) )
{
#ifdef UNICODE_STRINGS
wchar_t wcBuffer[ FILENAME_BUFFER_SIZE ];
#endif /* UNICODE_STRINGS */
void *fileNamePtr = filenameBuffer;
/* Add the P256 certificate */
filenameFromTemplate( filenameBuffer,
SERVER_ECPRIVKEY_FILE_TEMPLATE, 256 );
#ifdef UNICODE_STRINGS
mbstowcs( wcBuffer, filenameBuffer, strlen( filenameBuffer ) + 1 );
fileNamePtr = wcBuffer;
#endif /* UNICODE_STRINGS */
status = getPublicKey( &cryptCert, fileNamePtr,
USER_PRIVKEY_LABEL );
if( cryptStatusError( status ) )
{
printf( "Couldn't read user certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
/* Add the P384 certificate */
filenameFromTemplate( filenameBuffer,
SERVER_ECPRIVKEY_FILE_TEMPLATE, 384 );
#ifdef UNICODE_STRINGS
mbstowcs( wcBuffer, filenameBuffer, strlen( filenameBuffer ) + 1 );
fileNamePtr = wcBuffer;
#endif /* UNICODE_STRINGS */
status = getPublicKey( &cryptCert, fileNamePtr,
USER_PRIVKEY_LABEL );
if( cryptStatusError( status ) )
{
printf( "Couldn't read user certificate from file, status %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptAddPublicKey( cryptKeyset, cryptCert );
if( cryptStatusError( status ) && status != CRYPT_ERROR_DUPLICATE )
return( extErrorExit( cryptKeyset, "cryptAddPublicKey()", status,
__LINE__ ) );
cryptDestroyCert( cryptCert );
}
/* Make sure the deletion code works properly. This is an artifact of
the way RDBMS' work, the delete query can execute successfully but
not delete anything so we make sure the glue code correctly
translates this into a CRYPT_DATA_NOTFOUND */
status = cryptDeleteKey( cryptKeyset, CRYPT_KEYID_NAME,
TEXT( "Mr.Not Appearing in this Keyset" ) );
if( status != CRYPT_ERROR_NOTFOUND )
{
puts( "Attempt to delete a nonexistant key reports success, the "
"database backend glue\ncode needs to be fixed to handle this "
"correctly." );
return( FALSE );
}
/* Close the keyset */
status = cryptKeysetClose( cryptKeyset );
if( cryptStatusError( status ) )
{
printf( "cryptKeysetClose() failed with error code %d, line %d.\n",
status, __LINE__ );
}
return( TRUE );
}
int main( int argc, char *argv[] )
{
int n;
FILE *f;
char *buf[8];
char *outFile;
char *keyFile;
char *certFile;
char *certData;
char *label;
char *secret;
struct stat st;
int usage;
RSA *key;
EVP_PKEY *evp;
CRYPT_KEYSET keyset;
CRYPT_CONTEXT pKey;
CRYPT_PKCINFO_RSA rsa;
CRYPT_CERTIFICATE cert;
CRYPT_KEYOPT_TYPE opt;
if ( argc != 6 ) {
fprintf( stderr,
"Syntax: %s <key> <cert> <out> <label> <secret>\n",
argv[0] );
exit( -1 );
}
keyFile = argv[1];
certFile = argv[2];
outFile = argv[3];
label = argv[4];
secret = argv[5];
if ( ( f = fopen( keyFile, "r" ) ) == NULL ||
( evp = PEM_read_PrivateKey( f, NULL, NULL, NULL ) ) == NULL ||
( key = EVP_PKEY_get1_RSA( evp ) ) == NULL )
{
fprintf( stderr, "Couldn't load private key from '%s'\n", keyFile );
if ( f ) {
ERR_print_errors_fp( stderr );
fclose( f );
}
if ( evp )
EVP_PKEY_free( evp );
exit( -1 );
}
if ( ( f = fopen( certFile, "r" ) ) == NULL ||
fstat( fileno( f ), &st ) < 0 ||
( certData = malloc( st.st_size ) ) == NULL ||
fread( certData, 1, st.st_size, f ) < st.st_size )
{
fprintf( stderr, "Couldn't load certificate from '%s'\n", certFile );
if ( f )
fclose( f );
free( certData );
exit( -1 );
}
/* Should we create a keyset, or append to an existing one? */
opt = CRYPT_KEYOPT_CREATE;
f = fopen( outFile, "r" );
if ( f != NULL ) {
opt = CRYPT_KEYOPT_NONE;
fclose( f );
}
cryptInit();
cryptInitComponents( &rsa, CRYPT_KEYTYPE_PRIVATE );
if ( ( buf[0] = malloc( BN_num_bytes( key->n ) ) ) != NULL &&
( buf[1] = malloc( BN_num_bytes( key->e ) ) ) != NULL &&
( buf[2] = malloc( BN_num_bytes( key->d ) ) ) != NULL &&
( buf[3] = malloc( BN_num_bytes( key->p ) ) ) != NULL &&
( buf[4] = malloc( BN_num_bytes( key->q ) ) ) != NULL &&
( buf[5] = malloc( BN_num_bytes( key->iqmp ) ) ) != NULL &&
( buf[6] = malloc( BN_num_bytes( key->dmp1 ) ) ) != NULL &&
( buf[7] = malloc( BN_num_bytes( key->dmq1 ) ) ) != NULL )
{
int i;
BN_bn2bin( key->n, buf[0] );
BN_bn2bin( key->e, buf[1] );
BN_bn2bin( key->d, buf[2] );
BN_bn2bin( key->p, buf[3] );
BN_bn2bin( key->q, buf[4] );
BN_bn2bin( key->iqmp, buf[5] );
BN_bn2bin( key->dmp1, buf[6] );
BN_bn2bin( key->dmq1, buf[7] );
cryptSetComponent( (&rsa)->n, buf[0], BN_num_bits( key->n ) );
cryptSetComponent( (&rsa)->e, buf[1], BN_num_bits( key->e ) );
cryptSetComponent( (&rsa)->d, buf[2], BN_num_bits( key->d ) );
cryptSetComponent( (&rsa)->p, buf[3], BN_num_bits( key->p ) );
cryptSetComponent( (&rsa)->q, buf[4], BN_num_bits( key->q ) );
cryptSetComponent( (&rsa)->u, buf[5], BN_num_bits( key->iqmp ) );
cryptSetComponent( (&rsa)->e1, buf[6], BN_num_bits( key->dmp1 ) );
cryptSetComponent( (&rsa)->e2, buf[7], BN_num_bits( key->dmq1 ) );
i = 0;
while ( i < 8 )
free( buf[i++] );
}
else {
fprintf( stderr, "Couldn't initialise PKCINFO_RSA data.\n" );
exit( -1 );
}
n = cryptCreateContext( &pKey, CRYPT_UNUSED, CRYPT_ALGO_RSA );
check( n, pKey, "cryptCreateContext" );
n = cryptSetAttributeString( pKey, CRYPT_CTXINFO_LABEL,
label, strlen( label ) );
check( n, pKey, "cryptSetAttributeString(LABEL)" );
n = cryptSetAttributeString( pKey, CRYPT_CTXINFO_KEY_COMPONENTS,
&rsa, sizeof( CRYPT_PKCINFO_RSA ) );
check( n, pKey, "cryptSetAttributeString(KEY_COMPONENTS)" );
n = cryptImportCert( certData, st.st_size, CRYPT_UNUSED, &cert );
check( n, cert, "cryptImportCert" );
n = cryptGetAttribute( cert, CRYPT_CERTINFO_KEYUSAGE, &usage );
if ( n != CRYPT_OK ) {
fprintf( stderr, "Warning: The certificate specifies no KEYUSAGE.\n"
"Cryptlib may not permit its use. See "
"<http://toroid.org/ams/pemtrans>.\n" );
}
n = cryptKeysetOpen( &keyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE,
outFile, opt );
check( n, keyset, "cryptKeysetOpen" );
n = cryptAddPrivateKey( keyset, pKey, secret );
check( n, keyset, "cryptAddPrivateKey" );
n = cryptAddPublicKey( keyset, cert );
check( n, keyset, "cryptAddPublicKey" );
cryptKeysetClose( keyset );
cryptDestroyComponents( &rsa );
cryptDestroyContext( pKey );
cryptDestroyCert( cert );
exit( 0 );
}
static int exec_cmpcli_init(int argc, char **argv) {
CRYPT_SESSION session;
CRYPT_CERTIFICATE cert, cacert, req;
CRYPT_CONTEXT keypair;
CRYPT_KEYSET privkeys;
const char *cmd, *uid, *ipwd, *crtfilename, *cacrtfilename, *kpfilename;
void *crtdata;
int status, data_len;
if (argc != 6) { fprintf(stderr, "cmpcli argv!=6\n"); return 1; }
cmd = argv[0]; uid = argv[1]; ipwd = argv[2]; crtfilename=argv[3]; cacrtfilename=argv[4]; kpfilename = argv[5];
fprintf(stderr, "uid=\"%s\" ipwd=\"%s\"\n", uid, ipwd);
#if 0
crtdata = read_full_file(crtfilename, &data_len);
if (!crtdata) return 1;
status = cryptImportCert(crtdata, data_len, CRYPT_UNUSED, &cert);
WARN_AND_RETURN_IF(status);
free(crtdata);
#endif
crtdata = read_full_file(cacrtfilename, &data_len);
if (!crtdata) return 1;
status = cryptImportCert(crtdata, data_len, CRYPT_UNUSED, &cacert);
WARN_AND_RETURN_IF(status);
free(crtdata);
status = create_keypair(&keypair, DEFAULT_PRIVKEY_LABEL);
WARN_AND_RETURN_IF(status);
status = cryptKeysetOpen(&privkeys, CRYPT_UNUSED, CRYPT_KEYSET_FILE, kpfilename, CRYPT_KEYOPT_CREATE);
WARN_AND_RETURN_IF(status);
status = cryptAddPrivateKey(privkeys, keypair, DEFAULT_PASSWORD);
WARN_AND_RETURN_IF(status);
status = cryptCreateCert(&req, CRYPT_UNUSED, CRYPT_CERTTYPE_REQUEST_CERT);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(req, CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, keypair);
WARN_AND_RETURN_IF(status);
status = cryptSignCert(req, keypair);
WARN_AND_RETURN_IF(status);
status = cryptCreateSession(&session, CRYPT_UNUSED, CRYPT_SESSION_CMP);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(session, CRYPT_SESSINFO_CMP_REQUESTTYPE, CRYPT_REQUESTTYPE_INITIALIZATION);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(session, CRYPT_SESSINFO_CACERTIFICATE, cacert);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(session, CRYPT_SESSINFO_REQUEST, req);
WARN_AND_RETURN_IF(status);
status = cryptSetAttributeString(session, CRYPT_SESSINFO_USERNAME, uid, strlen(uid));
WARN_AND_RETURN_IF(status);
status = cryptSetAttributeString(session, CRYPT_SESSINFO_PASSWORD, ipwd, strlen(ipwd));
WARN_AND_RETURN_IF(status);
status = cryptSetAttributeString(session, CRYPT_SESSINFO_SERVER_NAME, "127.0.0.1", 9);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(session, CRYPT_SESSINFO_SERVER_PORT, 65000);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(session, CRYPT_SESSINFO_ACTIVE, 1);
WARN_AND_RETURN_IF(status);
status = cryptGetAttribute(session, CRYPT_SESSINFO_RESPONSE, &cert);
WARN_AND_RETURN_IF(status);
status = export_cert(cert, crtfilename);
WARN_AND_RETURN_IF(status);
status = cryptAddPublicKey(privkeys, cert);
WARN_AND_RETURN_IF(status);
status = cryptKeysetClose(privkeys);
WARN_AND_RETURN_IF(status);
status = cryptDestroySession(session);
WARN_AND_RETURN_IF(status);
status = cryptDestroyCert(cacert);
WARN_AND_RETURN_IF(status);
status = cryptDestroyCert(cert);
WARN_AND_RETURN_IF(status);
status = cryptDestroyCert(req);
WARN_AND_RETURN_IF(status);
status = cryptDestroyContext(keypair);
return 0;
}
static int exec_revoke(int argc, char **argv) {
const char *id, *dbfilename, *pass;
char cakeysfilename[4096];
CRYPT_KEYID_TYPE id_type;
CRYPT_KEYSET store, cakeys;
CRYPT_CERTIFICATE cert, crl;
CRYPT_CONTEXT ca_privkey;
int status;
if (argc != 4) {
fprintf(stderr, "usage: revoke dbfile (-e email | -n name) pass\n");
return 1;
}
dbfilename = argv[0];
id = argv[2];
pass = argv[3];
if (strcmp(argv[1], "-e") == 0) {
id_type = CRYPT_KEYID_EMAIL;
}
else if (strcmp(argv[1], "-n") == 0) {
id_type = CRYPT_KEYID_NAME;
}
else {
fprintf(stderr, "usage: revoke dbfile (-e email | -n name)\n");
return 1;
}
/* open store */
status = cryptKeysetOpen(&store, CRYPT_UNUSED, CRYPT_KEYSET_DATABASE_STORE, dbfilename, CRYPT_KEYOPT_NONE);
WARN_AND_RETURN_IF(status);
/* get ca privkey */
snprintf(cakeysfilename, 4095, "%s.keys", dbfilename);
status = cryptKeysetOpen(&cakeys, CRYPT_UNUSED, CRYPT_KEYSET_FILE, cakeysfilename, CRYPT_KEYOPT_NONE);
WARN_AND_RETURN_IF(status);
status = cryptGetPrivateKey(cakeys, &ca_privkey, CRYPT_KEYID_NAME, DEFAULT_CA_PRIVKEY_LABEL, DEFAULT_PASSWORD);
WARN_AND_RETURN_IF(status);
status = cryptKeysetClose(cakeys);
WARN_AND_RETURN_IF(status);
/* get cert to revoke */
status = cryptCAGetItem(store, &cert, CRYPT_CERTTYPE_CERTIFICATE, id_type, id);
WARN_AND_RETURN_IF(status);
/* create CRL */
status = cryptCreateCert(&crl, CRYPT_UNUSED, CRYPT_CERTTYPE_CRL);
WARN_AND_RETURN_IF(status);
status = cryptSetAttribute(crl, CRYPT_CERTINFO_CERTIFICATE, cert);
WARN_AND_RETURN_IF(status);
status = cryptSignCert(crl, ca_privkey);
WARN_AND_RETURN_IF(status);
status = cryptAddPublicKey(store, crl);
WARN_AND_RETURN_IF(status);
status = cryptDestroyCert(cert);
WARN_AND_RETURN_IF(status);
status = cryptDestroyCert(crl);
WARN_AND_RETURN_IF(status);
status = cryptDestroyContext(ca_privkey);
WARN_AND_RETURN_IF(status);
status = cryptKeysetClose(store);
WARN_AND_RETURN_IF(status);
return 0;
}
