// Encode into PKCS#8 DER
ByteString OSSLECPrivateKey::PKCS8Encode()
{
ByteString der;
if (eckey == NULL) return der;
EVP_PKEY* pkey = EVP_PKEY_new();
if (pkey == NULL) return der;
if (!EVP_PKEY_set1_EC_KEY(pkey, eckey))
{
EVP_PKEY_free(pkey);
return der;
}
PKCS8_PRIV_KEY_INFO* p8inf = EVP_PKEY2PKCS8(pkey);
EVP_PKEY_free(pkey);
if (p8inf == NULL) return der;
int len = i2d_PKCS8_PRIV_KEY_INFO(p8inf, NULL);
if (len < 0)
{
PKCS8_PRIV_KEY_INFO_free(p8inf);
return der;
}
der.resize(len);
unsigned char* priv = &der[0];
int len2 = i2d_PKCS8_PRIV_KEY_INFO(p8inf, &priv);
PKCS8_PRIV_KEY_INFO_free(p8inf);
if (len2 != len) der.wipe();
return der;
}
int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
{
if (a->ameth && a->ameth->old_priv_encode)
{
return a->ameth->old_priv_encode(a, pp);
}
if (a->ameth && a->ameth->priv_encode) {
PKCS8_PRIV_KEY_INFO *p8 = EVP_PKEY2PKCS8(a);
int ret = i2d_PKCS8_PRIV_KEY_INFO(p8,pp);
PKCS8_PRIV_KEY_INFO_free(p8);
return ret;
}
ASN1err(ASN1_F_I2D_PRIVATEKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
return(-1);
}
static int autoca_gencert( Operation *op, genargs *args )
{
X509_NAME *subj_name, *issuer_name;
X509 *subj_cert;
struct berval derdn;
unsigned char *pp;
EVP_PKEY *evpk = NULL;
int rc;
if ((subj_cert = X509_new()) == NULL)
return -1;
autoca_dnbv2der( op, args->subjectDN, &derdn );
pp = (unsigned char *)derdn.bv_val;
subj_name = d2i_X509_NAME( NULL, (const unsigned char **)&pp, derdn.bv_len );
op->o_tmpfree( derdn.bv_val, op->o_tmpmemctx );
if ( subj_name == NULL )
{
fail1:
X509_free( subj_cert );
return -1;
}
rc = autoca_genpkey( args->keybits, &evpk );
if ( rc <= 0 )
{
fail2:
if ( subj_name ) X509_NAME_free( subj_name );
goto fail1;
}
/* encode DER in PKCS#8 */
{
PKCS8_PRIV_KEY_INFO *p8inf;
if (( p8inf = EVP_PKEY2PKCS8( evpk )) == NULL )
goto fail2;
args->derpkey.bv_len = i2d_PKCS8_PRIV_KEY_INFO( p8inf, NULL );
args->derpkey.bv_val = op->o_tmpalloc( args->derpkey.bv_len, op->o_tmpmemctx );
pp = (unsigned char *)args->derpkey.bv_val;
i2d_PKCS8_PRIV_KEY_INFO( p8inf, &pp );
PKCS8_PRIV_KEY_INFO_free( p8inf );
}
args->newpkey = evpk;
/* set random serial */
{
BIGNUM *bn = BN_new();
if ( bn == NULL )
{
fail3:
EVP_PKEY_free( evpk );
goto fail2;
}
if (!BN_pseudo_rand(bn, SERIAL_BITS, 0, 0))
{
BN_free( bn );
goto fail3;
}
if (!BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(subj_cert)))
{
BN_free( bn );
goto fail3;
}
BN_free(bn);
}
if (args->issuer_cert) {
issuer_name = X509_get_subject_name(args->issuer_cert);
} else {
issuer_name = subj_name;
args->issuer_cert = subj_cert;
args->issuer_pkey = evpk;
}
if (!X509_set_version(subj_cert, 2) || /* set version to V3 */
!X509_set_issuer_name(subj_cert, issuer_name) ||
!X509_set_subject_name(subj_cert, subj_name) ||
!X509_gmtime_adj(X509_get_notBefore(subj_cert), 0) ||
!X509_time_adj_ex(X509_get_notAfter(subj_cert), args->days, 0, NULL) ||
!X509_set_pubkey(subj_cert, evpk))
{
goto fail3;
}
X509_NAME_free(subj_name);
subj_name = NULL;
/* set cert extensions */
{
X509V3_CTX ctx;
X509_EXTENSION *ext;
int i;
X509V3_set_ctx(&ctx, args->issuer_cert, subj_cert, NULL, NULL, 0);
for (i=0; args->cert_exts[i].name; i++) {
ext = X509V3_EXT_nconf(NULL, &ctx, args->cert_exts[i].name, args->cert_exts[i].value);
if ( ext == NULL )
goto fail3;
rc = X509_add_ext(subj_cert, ext, -1);
X509_EXTENSION_free(ext);
if ( !rc )
goto fail3;
}
if (args->more_exts) {
for (i=0; args->more_exts[i].name; i++) {
ext = X509V3_EXT_nconf(NULL, &ctx, args->more_exts[i].name, args->more_exts[i].value);
if ( ext == NULL )
goto fail3;
rc = X509_add_ext(subj_cert, ext, -1);
X509_EXTENSION_free(ext);
if ( !rc )
goto fail3;
}
}
}
rc = autoca_signcert( subj_cert, args->issuer_pkey );
if ( rc < 0 )
goto fail3;
args->dercert.bv_len = i2d_X509( subj_cert, NULL );
args->dercert.bv_val = op->o_tmpalloc( args->dercert.bv_len, op->o_tmpmemctx );
pp = (unsigned char *)args->dercert.bv_val;
i2d_X509( subj_cert, &pp );
args->newcert = subj_cert;
return 0;
}
