int PKI_X509_PKCS7_add_signer ( PKI_X509_PKCS7 *p7, PKI_X509_CERT *signer, PKI_X509_KEYPAIR *k, PKI_DIGEST_ALG *md ) { PKCS7_SIGNER_INFO *signerInfo = NULL; if ( !p7 || !signer || !k ) { if ( !p7 ) PKI_log_debug ( "!p7"); if ( !signer ) PKI_log_debug ( "!signer"); if ( !k ) PKI_log_debug ( "!key"); return PKI_ERR; } if ( !p7->value || !signer->value || !k->value ) { if ( !p7->value ) PKI_log_debug ( "!p7->value"); if ( !signer->value ) PKI_log_debug ( "!signer->value"); if ( !k->value ) PKI_log_debug ( "!key->value"); return PKI_ERR; } if( !md ) md = PKI_DIGEST_ALG_DEFAULT; if((signerInfo = PKCS7_add_signature( p7->value, signer->value, k->value, md)) == NULL) { return ( PKI_ERR ); } PKCS7_add_certificate ( p7->value, signer->value ); return ( PKI_OK ); }
Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder(MessageDigest::Algorithm mesDigAlgorithm, Certificate &cert, PrivateKey &privKey, bool attached) throw (Pkcs7Exception) { int rc; PKCS7_SIGNER_INFO *si; PKCS7_set_type(this->pkcs7, NID_pkcs7_signed); PKCS7_content_new(this->pkcs7, NID_pkcs7_data); if (!attached) { PKCS7_set_detached(this->pkcs7, 1); } si = PKCS7_add_signature(this->pkcs7, cert.getX509(), privKey.getEvpPkey(), MessageDigest::getMessageDigest(mesDigAlgorithm)); if (!si) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_SIGNER, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true); } rc = PKCS7_add_certificate(this->pkcs7, cert.getX509()); if (!rc) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true); } this->state = Pkcs7Builder::INIT; }
void Pkcs7SignedDataBuilder::addSigner(MessageDigest::Algorithm mesDigAlgorithm, Certificate &cert, PrivateKey &privKey) throw (Pkcs7Exception, InvalidStateException) { int rc; if (this->state != Pkcs7Builder::INIT) { throw InvalidStateException("Pkcs7SignedDataBuilder::addSigner"); } if (!PKCS7_add_signature(this->pkcs7, cert.getX509(), privKey.getEvpPkey(), MessageDigest::getMessageDigest(mesDigAlgorithm))) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_SIGNER, "Pkcs7SignedDataBuilder::addSigner", true); } rc = PKCS7_add_certificate(this->pkcs7, cert.getX509()); if (!rc)//inversor adicionado (martin 28/11/07) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::addSigner", true); } }
void Pkcs7SignedDataBuilder::init(MessageDigest::Algorithm mesDigAlgorithm, Certificate &cert, PrivateKey &privKey, bool attached) throw (Pkcs7Exception) { int rc; if (this->state != Pkcs7Builder::NO_INIT) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; if (this->state == Pkcs7Builder::UPDATE) { BIO_free(this->p7bio); this->p7bio = NULL; } } this->pkcs7 = PKCS7_new(); PKCS7_set_type(this->pkcs7, NID_pkcs7_signed); if (!attached) { PKCS7_set_detached(this->pkcs7, 1); } if (!PKCS7_add_signature(this->pkcs7, cert.getX509(), privKey.getEvpPkey(), MessageDigest::getMessageDigest(mesDigAlgorithm))) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_SIGNER, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true); } rc = PKCS7_add_certificate(this->pkcs7, cert.getX509()); if (!rc)//inversor adicionado (martin 28/11/07) { PKCS7_free(this->pkcs7); this->pkcs7 = NULL; throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true); } this->state = Pkcs7Builder::INIT; }
/* will return 0, 1, 3, or 99 */ static int _pkgtrans(char *device1, char *device2, char **pkg, int options, keystore_handle_t keystore, char *keystore_alias) { BIO *p7_bio = NULL; EVP_PKEY *privkey = NULL; PKCS7 *sec_pkcs7 = NULL; PKCS7_SIGNER_INFO *sec_signerinfo = NULL; PKG_ERR *err; STACK_OF(X509) *cacerts = NULL; STACK_OF(X509) *clcerts = NULL; STACK_OF(X509) *sec_chain = NULL; X509 *pubcert = NULL; boolean_t making_sig = B_FALSE; char *src, *dst; int errflg, i, n; struct dm_buf *hdr; making_sig = (keystore != NULL) ? B_TRUE : B_FALSE; if (making_sig) { /* new error object */ err = pkgerr_new(); /* find matching cert and key */ if (find_key_cert_pair(err, keystore, keystore_alias, &privkey, &pubcert) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CA certificates */ if (find_ca_certs(err, keystore, &cacerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CL (aka "chain") certificates */ if (find_cl_certs(err, keystore, &clcerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* initialize PKCS7 object to be filled in later */ sec_pkcs7 = PKCS7_new(); (void) PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed); sec_signerinfo = PKCS7_add_signature(sec_pkcs7, pubcert, privkey, EVP_sha1()); if (sec_signerinfo == NULL) { progerr(gettext(ERR_SEC), keystore_alias); ERR_print_errors_fp(stderr); pkgerr_free(err); return (1); } /* add signer cert into signature */ (void) PKCS7_add_certificate(sec_pkcs7, pubcert); /* attempt to resolve cert chain starting at the signer cert */ if (get_cert_chain(err, pubcert, clcerts, cacerts, &sec_chain) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* * add the verification chain of certs into the signature. * The first cert is the user cert, which we don't need, * since it's baked in already, so skip it */ for (i = 1; i < sk_X509_num(sec_chain); i++) { (void) PKCS7_add_certificate(sec_pkcs7, sk_X509_value(sec_chain, i)); } pkgerr_free(err); err = NULL; } if (signal_received > 0) { return (1); } /* transfer spool to appropriate device */ if (devtype(device1, &srcdev)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device1); return (1); } srcdev.rdonly++; /* check for datastream */ ids_name = NULL; if (srcdev.bdevice) { if (n = _getvol(srcdev.bdevice, NULL, NULL, pkg_gt("Insert %v into %p."), srcdev.norewind)) { cleanup(); if (n == 3) return (3); progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_GETVOL)); return (1); } if (ds_readbuf(srcdev.cdevice)) ids_name = srcdev.cdevice; } if (srcdev.cdevice && !srcdev.bdevice) ids_name = srcdev.cdevice; else if (srcdev.pathname) { ids_name = srcdev.pathname; if (access(ids_name, 0) == -1) { progerr(ERR_TRANSFER); logerr(pkg_gt(MSG_GETVOL)); return (1); } } if (!ids_name && device2 == (char *)0) { if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) { cleanup(); return (n); } if (srcdev.mount && *srcdev.mount) pkgdir = strdup(srcdev.mount); return (0); } if (ids_name && device2 == (char *)0) { tmppath = tmpnam(NULL); tmppath = strdup(tmppath); if (tmppath == NULL) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_MEM)); return (1); } if (mkdir(tmppath, 0755)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_MKDIR), tmppath); return (1); } device2 = tmppath; } if (devtype(device2, &dstdev)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device2); return (1); } if ((srcdev.cdevice && dstdev.cdevice) && strcmp(srcdev.cdevice, dstdev.cdevice) == 0) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_SAMEDEV)); return (1); } ods_name = NULL; if (dstdev.cdevice && !dstdev.bdevice || dstdev.pathname) options |= PT_ODTSTREAM; if (options & PT_ODTSTREAM) { if (!((ods_name = dstdev.cdevice) != NULL || (ods_name = dstdev.pathname) != NULL)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device2); return (1); } if (ids_name) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_TWODSTREAM)); return (1); } } else { /* * output device isn't a stream. If we're making a signed * package, then fail, since we can't make signed, * non-stream pkgs */ if (making_sig) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(ERR_CANTSIGN)); return (1); } } if ((srcdev.dirname && dstdev.dirname) && strcmp(srcdev.dirname, dstdev.dirname) == 0) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_SAMEDEV)); return (1); } if ((srcdev.pathname && dstdev.pathname) && strcmp(srcdev.pathname, dstdev.pathname) == 0) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_SAMEDEV)); return (1); } if (signal_received > 0) { return (1); } if (ids_name) { if (srcdev.cdevice && !srcdev.bdevice && (n = _getvol(srcdev.cdevice, NULL, NULL, NULL, srcdev.norewind))) { cleanup(); if (n == 3) return (3); progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_GETVOL)); return (1); } if (srcdev.dirname = tmpnam(NULL)) tmpdir = srcdev.dirname = strdup(srcdev.dirname); if ((srcdev.dirname == NULL) || mkdir(srcdev.dirname, 0755) || chdir(srcdev.dirname)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_NOTEMP), srcdev.dirname); cleanup(); return (1); } if (ds_init(ids_name, pkg, srcdev.norewind)) { cleanup(); return (1); } } else if (srcdev.mount) { if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) { cleanup(); return (n); } } src = srcdev.dirname; dst = dstdev.dirname; if (chdir(src)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_CHDIR), src); cleanup(); return (1); } if (signal_received > 0) { return (1); } xpkg = pkg = gpkglist(src, pkg, NULL); if (!pkg) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_NOPKGS), src); cleanup(); return (1); } for (nxpkg = 0; pkg[nxpkg]; /* void */) { nxpkg++; /* count */ } if (ids_name) { ds_order(pkg); /* order requests */ } if (signal_received > 0) { return (1); } if (options & PT_ODTSTREAM) { char line[128]; if (!dstdev.pathname && (n = _getvol(ods_name, NULL, DM_FORMAT, NULL, dstdev.norewind))) { cleanup(); if (n == 3) return (3); progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_GETVOL)); return (1); } if ((hdr = genheader(src, pkg)) == NULL) { cleanup(); return (1); } if (making_sig) { /* start up signature data stream */ (void) PKCS7_content_new(sec_pkcs7, NID_pkcs7_data); (void) PKCS7_set_detached(sec_pkcs7, 1); p7_bio = PKCS7_dataInit(sec_pkcs7, NULL); /* * Here we generate all the data that will go into * the package, and send it through the signature * generator, essentially calculating the signature * of the entire package so we can place it in the * header. Otherwise we'd have to place it at the end * of the pkg, which would break the ABI */ if (!(options & PT_SILENT)) { (void) fprintf(stderr, pkg_gt(MSG_SIGNING), get_subject_display_name(pubcert)); } if (dump_hdr_and_pkgs(p7_bio, hdr, pkg) != 0) { progerr(gettext(ERR_NOGEN)); logerr(pkg_gt(MSG_GETVOL)); cleanup(); return (1); } BIO_flush(p7_bio); /* * now generate PKCS7 signature */ if (!PKCS7_dataFinal(sec_pkcs7, p7_bio)) { progerr(gettext(ERR_NOGEN)); logerr(pkg_gt(MSG_GETVOL)); cleanup(); return (1); } (void) BIO_free(p7_bio); } /* write out header to stream, which includes signature */ if (wdsheader(hdr, src, ods_name, pkg, sec_pkcs7)) { cleanup(); return (1); } if (sec_pkcs7 != NULL) { /* nuke in-memory signature for safety */ PKCS7_free(sec_pkcs7); sec_pkcs7 = NULL; } ds_volno = 1; /* number of volumes in datastream */ pinput = hdrbuf.text_buffer; /* skip past first line in header */ (void) mgets(line, 128); } if (signal_received > 0) { return (1); } errflg = 0; for (i = 0; pkg[i]; i++) { if (signal_received > 0) { return (1); } if (!(options & PT_ODTSTREAM) && dstdev.mount) { if (n = pkgmount(&dstdev, NULL, 0, 0, 1)) { cleanup(); return (n); } } if (errflg = pkgxfer(pkg[i], options)) { pkg[i] = NULL; if ((options & PT_ODTSTREAM) || (errflg != 2)) break; } else if (strcmp(dstinst, pkg[i])) pkg[i] = strdup(dstinst); } if (!(options & PT_ODTSTREAM) && dst) { pkgdir = strdup(dst); } /* * No cleanup of temporary directories created in this * function is done here. The calling function must do * the cleanup. */ return (signal_received > 0 ? 1 : errflg); }
/******************************************************************************* 函数名称: cert_pkcs7_wrap 功能描述: 将要发送的消息采用PKCS#7格式进行编码 输入参数: struct scep *s, SCEP操作的结构体指针。 s32 hasra, 是否使用RA证书,1,使用;0,不使用 输出参数: 无 返 回 值: 1,成功;-1,失败 -------------------------------------------------------------------------------- 最近一次修改记录: 修改作者:王朝 修改目的:添加新函数 修改日期:2009年12月28日 *********************************************************************************/ s32 cert_pkcs7_wrap(struct scep *s, s32 hasra) { BIO *databio = NULL; BIO *encbio = NULL; BIO *pkcs7bio = NULL; BIO *memorybio = NULL; BIO *outbio = NULL; BIO *base64bio = NULL; u8 *buffer = NULL; s32 len = 0; STACK_OF(X509) *recipients = NULL; PKCS7 *p7enc = NULL; PKCS7_SIGNER_INFO *si = NULL; STACK_OF(X509_ATTRIBUTE) *attributes = NULL; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; s32 retval = -1; /* sender nonce */ s->sender_nonce_len = 16; s->sender_nonce = (u8 *)malloc((u32)s->sender_nonce_len); RAND_bytes(s->sender_nonce, s->sender_nonce_len); /* Prepare data payload */ switch(s->request_type) { case SCEP_REQUEST_PKCSREQ: s->request_type_str = SCEP_REQUEST_PKCSREQ_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Read request in memory bio */ databio = BIO_new(BIO_s_mem()); if ((i2d_X509_REQ_bio(databio, cert_request)) <= 0) { goto end; } (void)BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCERTINIT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0) { goto end; } (void)BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; default: goto end; } /* Below this is the common code for all request_type */ /* Read in the payload */ s->request_len = BIO_get_mem_data(databio, &s->request_payload); BIO_free(databio); databio = NULL; /* Create encryption certificate stack */ if (NULL == (recipients = sk_X509_new_null() )) { goto end; } /* Use different CA cert for encryption if requested */ if (1 == hasra) { if (sk_X509_push(recipients, cert_encert) <= 0) { goto end; } } else { /* Use same CA cert also for encryption */ if (sk_X509_push(recipients, cert_cacert) <= 0) { goto end; } } /* Create BIO for encryption */ if ((encbio = BIO_new_mem_buf(s->request_payload,s->request_len)) == NULL) { goto end; } /* Encrypt */ if (NULL == (p7enc = PKCS7_encrypt(recipients, encbio, cert_enc_alg, PKCS7_BINARY))) { goto end; } BIO_free(encbio); encbio = NULL; sk_X509_free(recipients); recipients = NULL; /* Write encrypted data */ memorybio = BIO_new(BIO_s_mem()); if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) { goto end; } PKCS7_free(p7enc); p7enc = NULL; (void)BIO_flush(memorybio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); len = BIO_get_mem_data(memorybio, &buffer); /* Create outer PKCS#7 */ s->request_p7 = PKCS7_new(); if (s->request_p7 == NULL) { goto end; } if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) { goto end; } /* Add signer certificate and signature */ PKCS7_add_certificate(s->request_p7, signercert); if ((si = PKCS7_add_signature(s->request_p7,signercert, signerkey, cert_sig_alg)) == NULL) { goto end; } /* Set signed attributes */ attributes = sk_X509_ATTRIBUTE_new_null(); cert_add_attribute_string(attributes, nid_transId, s->transaction_id); cert_add_attribute_string(attributes, nid_messageType, s->request_type_str); cert_add_attribute_octet(attributes, nid_senderNonce, (s8 *)(s->sender_nonce),s->sender_nonce_len); PKCS7_set_signed_attributes(si, attributes); sk_X509_ATTRIBUTE_free(attributes); attributes = NULL; /* Add contentType */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) { goto end; } /* Create new content */ if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) { goto end; } /* Write data */ pkcs7bio = PKCS7_dataInit(s->request_p7, NULL); if (pkcs7bio == NULL) { goto end; } if (len != BIO_write(pkcs7bio, buffer, len)) { goto end; } BIO_free(memorybio); memorybio = NULL; /* Finalize PKCS#7 */ if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) { goto end; } /* base64-encode the data */ /* Create base64 filtering bio */ memorybio = BIO_new(BIO_s_mem()); base64bio = BIO_new(BIO_f_base64()); outbio = BIO_push(base64bio, memorybio); /* Copy PKCS#7 */ i2d_PKCS7_bio(outbio, s->request_p7); (void)BIO_flush(outbio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); s->request_len = BIO_get_mem_data(memorybio, &s->request_payload); retval = 1; end: if(NULL != databio) { BIO_free(databio); } if(NULL != encbio) { BIO_free(encbio); } if(NULL != p7enc) { PKCS7_free(p7enc); } if(NULL != pkcs7bio) { BIO_free(pkcs7bio); } if(NULL != memorybio) { BIO_free(memorybio); } if(NULL != base64bio) { BIO_free(base64bio); } if(NULL != recipients) { sk_X509_free(recipients); } if(NULL != attributes) { sk_X509_ATTRIBUTE_free(attributes); } return retval; }
int create_envelope(PluginInstance *inst, u8 **data, int *datalen) { int r; PKCS7 *p7 = NULL; X509 *x509 = NULL; PKCS7_SIGNER_INFO *si = NULL; EVP_PKEY *pkey = NULL; BIO *in = NULL, *p7bio = NULL; u8 *buf; r = extract_certificate_and_pkey(inst, &x509, &pkey); if (r) goto err; p7 = PKCS7_new(); if (p7 == NULL) { r = -1; goto err; } r = PKCS7_set_type(p7, NID_pkcs7_signed); if (r != 1) { r = -1; goto err; } EVP_add_digest(EVP_sha1()); si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1()); if (si == NULL) { r = -1; goto err; } PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); r = PKCS7_add_certificate(p7, x509); if (r != 1) { printf("PKCS7_add_certificate failed.\n"); goto err; } PKCS7_content_new(p7, NID_pkcs7_data); p7bio = PKCS7_dataInit(p7, NULL); if (p7bio == NULL) { r = -1; goto err; } in = BIO_new_mem_buf(inst->signdata, inst->signdata_len); if (in == NULL) { r = -1; goto err; } for (;;) { char lbuf[1024]; int i = BIO_read(in, lbuf, sizeof(lbuf)); if (i <= 0) break; BIO_write(p7bio, lbuf, i); } if (!PKCS7_dataFinal(p7, p7bio)) { r = -1; goto err; } /* FIXME: remove this */ r = i2d_PKCS7(p7, NULL); if (r <= 0) { r = -1; goto err; } buf = (u8 *) malloc(r); if (buf == NULL) goto err; *data = buf; r = i2d_PKCS7(p7, &buf); *datalen = r; if (r <= 0) { free(buf); r = -1; goto err; } r = 0; err: if (p7) PKCS7_free(p7); if (in) BIO_free(in); if (p7bio) BIO_free(p7bio); #if 0 if (si) PKCS7_SIGNER_INFO_free(si); #endif if (pkey) EVP_PKEY_free(pkey); if (x509) X509_free(x509); if (r) { #if 0 ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); #endif } return r; }
/* * Wrap data in PKCS#7 envelopes and base64-encode the result. * Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject * structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in * GetCert and GETCrl. */ int pkcs7_wrap(struct scep *s, struct sscep_ctx *ctx, struct sscep_operation_info *op_info) { BIO *databio = NULL; BIO *encbio = NULL; BIO *pkcs7bio = NULL; BIO *memorybio = NULL; BIO *outbio = NULL; unsigned char *buffer = NULL; int len = 0; STACK_OF(X509) *recipients = NULL; PKCS7 *p7enc = NULL; PKCS7_SIGNER_INFO *si; STACK_OF(X509_ATTRIBUTE) *attributes; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; int ret = SCEP_PKISTATUS_P7; char *payload = NULL; int payload_len; /* Create a new sender nonce for all messages * XXXXXXXXXXXXXX should it be per transaction? */ s->sender_nonce_len = 16; free(s->sender_nonce);/* Clean up from previous runs */ s->sender_nonce = (char *)malloc(s->sender_nonce_len * sizeof(char)); RAND_bytes((unsigned char *) s->sender_nonce, s->sender_nonce_len); /* Prepare data payload */ switch (s->request_type) { case SCEP_REQUEST_PKCSREQ: /* * Set printable message type * We set this later as an autheticated attribute * "messageType". */ s->request_type_str = SCEP_REQUEST_PKCSREQ_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (ctx->verbose){ qeo_log_i("creating inner PKCS#7"); } /* Read request in memory bio */ databio = BIO_new(BIO_s_mem()); if (i2d_X509_REQ_bio(databio, op_info->request) <= 0) { qeo_log_e("error writing certificate request in bio"); goto error; } (void)BIO_flush(databio); break; case SCEP_REQUEST_GETCERTINIT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (ctx->verbose){ qeo_log_i("creating inner PKCS#7"); } /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if (i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) { qeo_log_e("error writing GetCertInitial data in bio"); goto error; } (void)BIO_flush(databio); break; } /* Below this is the common code for all request_type */ /* Read in the payload */ payload_len = BIO_get_mem_data(databio, &payload); if (ctx->verbose){ qeo_log_i("data payload size: %d bytes", payload_len); } /* Create encryption certificate stack */ if ((recipients = sk_X509_new(NULL) ) == NULL) { qeo_log_e("error creating certificate stack"); goto error; } if (sk_X509_push(recipients, op_info->racert) <= 0) { qeo_log_e("error adding recipient encryption certificate"); goto error; } /* Create BIO for encryption */ if ((encbio = BIO_new_mem_buf(payload, payload_len)) == NULL ) { qeo_log_e("error creating data bio"); goto error; } /* Encrypt */ if (!(p7enc = PKCS7_encrypt(recipients, encbio, ctx->enc_alg, PKCS7_BINARY))) { qeo_log_e("request payload encrypt failed"); goto error; } if (ctx->verbose){ qeo_log_i("successfully encrypted payload"); } /* Write encrypted data */ memorybio = BIO_new(BIO_s_mem()); if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) { qeo_log_e("error writing encrypted data"); goto error; } (void)BIO_flush(memorybio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); len = BIO_get_mem_data(memorybio, &buffer); BIO_free(memorybio); memorybio=NULL; if (ctx->verbose){ qeo_log_i("envelope size: %d bytes", len); } if (ctx->debug) { qeo_log_i("printing PEM fomatted PKCS#7"); PEM_write_PKCS7(stdout, p7enc); } /* Create outer PKCS#7 */ if (ctx->verbose){ qeo_log_i("creating outer PKCS#7"); } s->request_p7 = PKCS7_new(); if (s->request_p7 == NULL ) { qeo_log_e("failed creating PKCS#7 for signing"); goto error; } if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) { qeo_log_e("failed setting PKCS#7 type"); goto error; } /* Add signer certificate and signature */ PKCS7_add_certificate(s->request_p7, signercert); if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, ctx->sig_alg)) == NULL ) { qeo_log_e("error adding PKCS#7 signature"); goto error; } if (ctx->verbose){ qeo_log_i("signature added successfully"); } /* Set signed attributes */ if (ctx->verbose){ qeo_log_i("adding signed attributes"); } attributes = sk_X509_ATTRIBUTE_new_null(); add_attribute_string(attributes, ctx->nid_transId, s->transaction_id, ctx); add_attribute_string(attributes, ctx->nid_messageType, s->request_type_str, ctx); add_attribute_octet(attributes, ctx->nid_senderNonce, s->sender_nonce, s->sender_nonce_len, ctx); PKCS7_set_signed_attributes(si, attributes); sk_X509_ATTRIBUTE_pop_free(attributes, X509_ATTRIBUTE_free); /* Add contentType */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) { qeo_log_e("error adding NID_pkcs9_contentType"); goto error; } /* Create new content */ if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) { qeo_log_e("failed setting PKCS#7 content type"); goto error; } /* Write data */ pkcs7bio = PKCS7_dataInit(s->request_p7, NULL ); if (pkcs7bio == NULL ) { qeo_log_e("error opening bio for writing PKCS#7 data"); goto error; } if (len != BIO_write(pkcs7bio, buffer, len)) { qeo_log_e("error writing PKCS#7 data"); goto error; } if (ctx->verbose){ qeo_log_i("PKCS#7 data written successfully"); } /* Finalize PKCS#7 */ if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) { qeo_log_e("error finalizing outer PKCS#7"); goto error; } if (ctx->debug) { qeo_log_i("printing PEM fomatted PKCS#7"); PEM_write_PKCS7(stdout, s->request_p7); } /* base64-encode the data */ if (ctx->verbose){ qeo_log_i("applying base64 encoding"); } /* Create base64 filtering bio */ memorybio = BIO_new(BIO_s_mem()); outbio = BIO_push(BIO_new(BIO_f_base64()), memorybio); /* Copy PKCS#7 */ i2d_PKCS7_bio(outbio, s->request_p7); (void)BIO_flush(outbio); payload_len = BIO_get_mem_data(memorybio, &payload); s->request_payload = (char*) malloc(sizeof(char)*payload_len); if (!s->request_payload){ goto error; } s->request_len = payload_len; memcpy(s->request_payload, payload, s->request_len); if (ctx->verbose){ qeo_log_i("base64 encoded payload size: %d bytes", payload_len); } ret = 0; error: BIO_free(databio); BIO_free(encbio); BIO_free_all(pkcs7bio); BIO_free(memorybio); BIO_free(outbio); if (recipients != NULL){ sk_X509_free(recipients);/* Only free the stack, not the certificates */ } PKCS7_free(p7enc); OPENSSL_free(buffer); return ret; }
/* * Wrap data in PKCS#7 envelopes and base64-encode the result. * Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject * structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in * GetCert and GETCrl. */ int pkcs7_wrap(struct scep *s) { BIO *databio = NULL; BIO *encbio = NULL; BIO *pkcs7bio = NULL; BIO *memorybio = NULL; BIO *outbio = NULL; BIO *base64bio = NULL; unsigned char *buffer = NULL; int rc, len = 0; STACK_OF(X509) *recipients; PKCS7 *p7enc; PKCS7_SIGNER_INFO *si; STACK_OF(X509_ATTRIBUTE) *attributes; X509 *signercert = NULL; EVP_PKEY *signerkey = NULL; /* Create a new sender nonce for all messages * XXXXXXXXXXXXXX should it be per transaction? */ s->sender_nonce_len = 16; s->sender_nonce = (unsigned char *)malloc(s->sender_nonce_len); RAND_bytes(s->sender_nonce, s->sender_nonce_len); /* Prepare data payload */ switch(s->request_type) { case SCEP_REQUEST_PKCSREQ: /* * Set printable message type * We set this later as an autheticated attribute * "messageType". */ s->request_type_str = SCEP_REQUEST_PKCSREQ_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (v_flag) printf("%s: creating inner PKCS#7\n", pname); /* Read request in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_X509_REQ_bio(databio, request)) <= 0) { fprintf(stderr, "%s: error writing " "certificate request in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCERTINIT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR; /* Signer cert */ signercert = s->signercert; signerkey = s->signerkey; /* Create inner PKCS#7 */ if (v_flag) printf("%s: creating inner PKCS#7\n", pname); /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0) { fprintf(stderr, "%s: error writing " "GetCertInitial data in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCERT: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCERT_STR; /* Signer cert */ signercert = localcert; signerkey = rsa; /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio, s->ias_getcert)) <= 0) { fprintf(stderr, "%s: error writing " "GetCert data in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; case SCEP_REQUEST_GETCRL: /* Set printable message type */ s->request_type_str = SCEP_REQUEST_GETCRL_STR; /* Signer cert */ signercert = localcert; signerkey = rsa; /* Read data in memory bio */ databio = BIO_new(BIO_s_mem()); if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio, s->ias_getcrl)) <= 0) { fprintf(stderr, "%s: error writing " "GetCert data in bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(databio); BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY); break; } /* Below this is the common code for all request_type */ /* Read in the payload */ s->request_len = BIO_get_mem_data(databio, &s->request_payload); if (v_flag) printf("%s: data payload size: %d bytes\n", pname, s->request_len); BIO_free(databio); /* Create encryption certificate stack */ if ((recipients = sk_X509_new(NULL)) == NULL) { fprintf(stderr, "%s: error creating " "certificate stack\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Use different CA cert for encryption if requested */ if (e_flag) { if (sk_X509_push(recipients, encert) <= 0) { fprintf(stderr, "%s: error adding recipient encryption " "certificate\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Use same CA cert also for encryption */ } else { if (sk_X509_push(recipients, cacert) <= 0) { fprintf(stderr, "%s: error adding recipient encryption " "certificate\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } } /* Create BIO for encryption */ if ((encbio = BIO_new_mem_buf(s->request_payload, s->request_len)) == NULL) { fprintf(stderr, "%s: error creating data " "bio\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Encrypt */ if (!(p7enc = PKCS7_encrypt(recipients, encbio, enc_alg, PKCS7_BINARY))) { fprintf(stderr, "%s: request payload encrypt failed\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (v_flag) printf("%s: successfully encrypted payload\n", pname); /* Write encrypted data */ memorybio = BIO_new(BIO_s_mem()); if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) { fprintf(stderr, "%s: error writing encrypted data\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } BIO_flush(memorybio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); len = BIO_get_mem_data(memorybio, &buffer); if (v_flag) printf("%s: envelope size: %d bytes\n", pname, len); if (d_flag) { printf("%s: printing PEM fomatted PKCS#7\n", pname); PEM_write_PKCS7(stdout, p7enc); } BIO_free(memorybio); /* Create outer PKCS#7 */ if (v_flag) printf("%s: creating outer PKCS#7\n", pname); s->request_p7 = PKCS7_new(); if (s->request_p7 == NULL) { fprintf(stderr, "%s: failed creating PKCS#7 for signing\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) { fprintf(stderr, "%s: failed setting PKCS#7 type\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Add signer certificate and signature */ PKCS7_add_certificate(s->request_p7, signercert); if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, sig_alg)) == NULL) { fprintf(stderr, "%s: error adding PKCS#7 signature\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (v_flag) printf("%s: signature added successfully\n", pname); /* Set signed attributes */ if (v_flag) printf("%s: adding signed attributes\n", pname); attributes = sk_X509_ATTRIBUTE_new_null(); add_attribute_string(attributes, nid_transId, s->transaction_id); add_attribute_string(attributes, nid_messageType, s->request_type_str); add_attribute_octet(attributes, nid_senderNonce, s->sender_nonce, s->sender_nonce_len); PKCS7_set_signed_attributes(si, attributes); /* Add contentType */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) { fprintf(stderr, "%s: error adding NID_pkcs9_contentType\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Create new content */ if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) { fprintf(stderr, "%s: failed setting PKCS#7 content type\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } /* Write data */ pkcs7bio = PKCS7_dataInit(s->request_p7, NULL); if (pkcs7bio == NULL) { fprintf(stderr, "%s: error opening bio for writing PKCS#7 " "data\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (len != BIO_write(pkcs7bio, buffer, len)) { fprintf(stderr, "%s: error writing PKCS#7 data\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (v_flag) printf("%s: PKCS#7 data written successfully\n", pname); /* Finalize PKCS#7 */ if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) { fprintf(stderr, "%s: error finalizing outer PKCS#7\n", pname); ERR_print_errors_fp(stderr); exit (SCEP_PKISTATUS_P7); } if (d_flag) { printf("%s: printing PEM fomatted PKCS#7\n", pname); PEM_write_PKCS7(stdout, s->request_p7); } /* base64-encode the data */ if (v_flag) printf("%s: applying base64 encoding\n",pname); /* Create base64 filtering bio */ memorybio = BIO_new(BIO_s_mem()); base64bio = BIO_new(BIO_f_base64()); outbio = BIO_push(base64bio, memorybio); /* Copy PKCS#7 */ i2d_PKCS7_bio(outbio, s->request_p7); BIO_flush(outbio); BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY); s->request_len = BIO_get_mem_data(memorybio, &s->request_payload); if (v_flag) printf("%s: base64 encoded payload size: %d bytes\n", pname, s->request_len); BIO_free(outbio); return (0); }
char* sign_and_encrypt(const char *data, RSA *rsa, X509 *x509, X509 *PPx509, int verbose) /* sign and encrypt button data for safe delivery to paypal */ { char *ret = NULL; EVP_PKEY *pkey; PKCS7 *p7 = NULL; BIO *p7bio = NULL; BIO *bio = NULL; PKCS7_SIGNER_INFO* si; int len; char *str; pkey = EVP_PKEY_new(); if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { fprintf(stderr,"Fatal Error: Unable to create EVP_KEY from RSA key\n");fflush(stderr); goto end; } else if (verbose) { printf("Successfully created EVP_KEY from RSA key\n"); } /* Create a signed and enveloped PKCS7 */ p7 = PKCS7_new(); PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1()); if (si) { if (PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)) <= 0) { fprintf(stderr,"Fatal Error: Unable to add signed attribute to certificate\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added signed attribute to certificate\n"); } } else { fprintf(stderr,"Fatal Error: Failed to sign PKCS7\n");fflush(stderr); goto end; } /* Encryption */ if (PKCS7_set_cipher(p7, EVP_des_ede3_cbc()) <= 0) { fprintf(stderr,"Fatal Error: Failed to set encryption algorithm\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added encryption algorithm\n"); } if (PKCS7_add_recipient(p7, PPx509) <= 0) { fprintf(stderr,"Fatal Error: Failed to add PKCS7 recipient\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added recipient\n"); } if (PKCS7_add_certificate(p7, x509) <= 0) { fprintf(stderr,"Fatal Error: Failed to add PKCS7 certificate\n"); fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } else if (verbose) { printf("Successfully added certificate\n"); } p7bio = PKCS7_dataInit(p7, NULL); if (!p7bio) { fprintf(stderr,"OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL)); fflush(stderr); goto end; } /* Pump data to special PKCS7 BIO. This encrypts and signs it. */ BIO_write(p7bio, data, strlen(data)); BIO_flush(p7bio); PKCS7_dataFinal(p7, p7bio); /* Write PEM encoded PKCS7 */ bio = BIO_new(BIO_s_mem()); if (!bio || (PEM_write_bio_PKCS7(bio, p7) == 0)) { fprintf(stderr,"Fatal Error: Failed to create PKCS7 PEM\n");fflush(stderr); } else if (verbose) { printf("Successfully created PKCS7 PEM\n"); } BIO_flush(bio); len = BIO_get_mem_data(bio, &str); ret = malloc(sizeof(char)*(len+1)); memcpy(ret, str, len); ret[len] = 0; end: /* Free everything */ if (bio) BIO_free_all(bio); if (p7bio) BIO_free_all(p7bio); if (p7) PKCS7_free(p7); if (pkey) EVP_PKEY_free(pkey); return ret; }
/* will return 0, 1, 3, or 99 */ static int _pkgtrans(char *device1, char *device2, char **pkg, int options, keystore_handle_t keystore, char *keystore_alias) { #ifdef USE_KEYSTORE BIO *p7_bio = NULL; EVP_PKEY *privkey = NULL; #endif PKCS7 *sec_pkcs7 = NULL; #ifdef USE_KEYSTORE PKCS7_SIGNER_INFO *sec_signerinfo = NULL; PKG_ERR *err; STACK_OF(X509) *cacerts = NULL; STACK_OF(X509) *clcerts = NULL; STACK_OF(X509) *sec_chain = NULL; X509 *pubcert = NULL; #endif boolean_t making_sig = B_FALSE; char *src, *dst; int errflg, i, n; struct dm_buf *hdr; making_sig = (keystore != NULL) ? B_TRUE : B_FALSE; #ifdef USE_KEYSTORE if (making_sig) { /* new error object */ err = pkgerr_new(); /* find matching cert and key */ if (find_key_cert_pair(err, keystore, keystore_alias, &privkey, &pubcert) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CA certificates */ if (find_ca_certs(err, keystore, &cacerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* get CL (aka "chain") certificates */ if (find_cl_certs(err, keystore, &clcerts) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* initialize PKCS7 object to be filled in later */ sec_pkcs7 = PKCS7_new(); PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed); sec_signerinfo = PKCS7_add_signature(sec_pkcs7, pubcert, privkey, EVP_sha1()); if (sec_signerinfo == NULL) { progerr(gettext(ERR_SEC), keystore_alias); ERR_print_errors_fp(stderr); pkgerr_free(err); return (1); } /* add signer cert into signature */ PKCS7_add_certificate(sec_pkcs7, pubcert); /* attempt to resolve cert chain starting at the signer cert */ if (get_cert_chain(err, pubcert, clcerts, cacerts, &sec_chain) != 0) { pkgerr(err); pkgerr_free(err); return (1); } /* * add the verification chain of certs into the signature. * The first cert is the user cert, which we don't need, * since it's baked in already, so skip it */ for (i = 1; i < sk_X509_num(sec_chain); i++) { PKCS7_add_certificate(sec_pkcs7, sk_X509_value(sec_chain, i)); } pkgerr_free(err); err = NULL; } #endif /* USE_KEYSTORE */ if (signal_received > 0) { return (1); } /* transfer spool to appropriate device */ if (devtype(device1, &srcdev)) { progerr(pkg_gt(ERR_TRANSFER)); logerr(pkg_gt(MSG_BADDEV), device1); return (1); } srcdev.rdonly++; /* check for datastream */ ids_name = NULL; if (srcdev.bdevice) { if (ds_readbuf(srcdev.cdevice)) ids_name = srcdev.cdevice; } if (srcdev.cdevice && !srcdev.bdevice) ids_name = srcdev.cdevice; else if (srcdev.pathname) { ids_name = srcdev.pathname; if (access(ids_name, 0) == -1) { progerr(ERR_TRANSFER); logerr(pkg_gt(MSG_GETVOL)); return (1); } } if (!ids_name && device2 == (char *)0) { if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) { cleanup(); return (n); } if (srcdev.mount && *srcdev.mount) pkgdir = strdup(srcdev.mount); return (0); } if (ids_name && device2 == (char *)0) { char template[] = "/var/tmp/ptXXXXXX";
int main(int argc, char* argv[]) { PKCS7 *p7, *innerp7; FILE *fp = NULL; EVP_PKEY *pkey = NULL; PKCS7_SIGNER_INFO *p7i; PKCS7_RECIP_INFO *pri; BIO *mybio, *inbio; X509 *user; X509_ALGOR *md; int ret, len; unsigned char data[2048], *p, *buf; unsigned char* greet = "hello openssl"; unsigned long errorno; unsigned char* errordesc; OpenSSL_add_all_algorithms(); //必须要显式进行调用 inbio = BIO_new(BIO_s_mem()); ret = BIO_write(inbio, greet, strlen(greet)); p7 = PKCS7_new(); ret = PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped); //加载用户证书 fp = fopen("mycert4p12.cer", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; user = d2i_X509(NULL, (const unsigned char**)&p, len); ret = PKCS7_add_certificate(p7, user); pri = PKCS7_add_recipient(p7, user); //读取私钥 fp = fopen("myprivkey.pem", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len); //第一个用户增加SignerInfo到列表中 p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5()); //加载用户证书 fp = fopen("user2.cer", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; user = d2i_X509(NULL, (const unsigned char**)&p, len); ret = PKCS7_add_certificate(p7, user); pri = PKCS7_add_recipient(p7, user); //读取私钥 fp = fopen("user2_privatekey.pem", "rb"); if(fp == NULL) return 0; len = fread(data, 1, 1024, fp); fclose(fp); p = data; pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (const unsigned char**)&p, len); //第二个签名者增加到SignerInfo列表中 p7i = PKCS7_add_signature(p7, user, pkey, EVP_md5()); ret = PKCS7_set_cipher(p7, EVP_des_ede3_cbc()); ret = PKCS7_final(p7, inbio, 0); //制作数字信封 len = i2d_PKCS7(p7, NULL); p = buf = malloc(len); len = i2d_PKCS7(p7, &p); printf("in i2d len = %d\n", len); fp = fopen("p7signandenv.cer", "wb"); fwrite(buf, len, 1, fp); fclose(fp); PKCS7_free(p7); }