static gnutls_x509_crt generate_ca_certificate(requiem_client_profile_t *cp, gnutls_x509_privkey key) { int ret; gnutls_x509_crt crt; unsigned int usage = 0; crt = generate_certificate(cp, key, authority_certificate_lifetime); if ( ! crt ) return NULL; usage |= GNUTLS_KEY_CRL_SIGN; usage |= GNUTLS_KEY_KEY_CERT_SIGN; usage |= GNUTLS_KEY_KEY_AGREEMENT; usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; usage |= GNUTLS_KEY_DATA_ENCIPHERMENT; usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; gnutls_x509_crt_set_ca_status(crt, 1); gnutls_x509_crt_set_key_usage(crt, usage); ret = gnutls_x509_crt_sign(crt, crt, key); if ( ret < 0 ) { fprintf(stderr, "error self-signing certificate: %s.\n", gnutls_strerror(ret)); gnutls_x509_crt_deinit(crt); return NULL; } return crt; }
NaiveCertificateManager::NaiveCertificateManager(const Clock::time_point& time_now) : m_time_now(time_now), m_root_key_pair(root_key_pair()), m_root_certificate_hash(HashedId8 {{ 0x17, 0x5c, 0x33, 0x48, 0x25, 0xdc, 0x7f, 0xab }}), m_own_key_pair(m_crypto_backend.generate_key_pair()), m_own_certificate(generate_certificate(m_own_key_pair)) { // TODO: root certifiate hash is arbitrarily chosen for now (no root certificate exists) }
int main() { time_t t; srand((unsigned) time(&t)); unsigned int id = rand(), i; char cname[CNAME_MAX_SIZE], time[TIME_BUFFER_SIZE], valid[TIME_BUFFER_SIZE], csr[CSR_MAX_SIZE], csr_cpy[CSR_MAX_SIZE], certificate[CERTIFICATE_MAX_SIZE], certificate_cpy[CERTIFICATE_MAX_SIZE]; unsigned char auth_key[SMQV_PKEY_SIZE], token_keypair[MSS_SKEY_SIZE + MSS_PKEY_SIZE], token_skey[MSS_SKEY_SIZE], token_pkey[MSS_PKEY_SIZE], csr_signature[MSS_SIGNATURE_SIZE], signature[ECDSA_SIGNATURE_SIZE]; // valid: 3333XXXXXXXXXX now(&valid); valid[0] = '3'; valid[1] = '3'; valid[2] = '3'; valid[3] = '3'; sprintf(cname, "TESTE do CERTIFICATE"); unsigned char seed[LEN_BYTES(MSS_SEC_LVL)] = {0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,0x3D,0x3E,0x3F}; memcpy(token_keypair, mss_keygen(seed), MSS_SKEY_SIZE + MSS_PKEY_SIZE); memcpy(token_skey, token_keypair, MSS_SKEY_SIZE); memcpy(token_pkey, token_keypair + MSS_SKEY_SIZE, MSS_PKEY_SIZE); for(i = 0; i < SMQV_PKEY_SIZE; i++) auth_key[i] = rand(); /** * CSR */ generate_csr(id, cname, auth_key, token_pkey, token_skey, csr); if(read_csr(&id, cname, time, auth_key, token_pkey, csr_signature, csr)) printf("CSR generation/read - OK\n"); else printf("CSR generation/read - Fail\n"); printf("\n"); /** * CERTIFICATE */ unsigned char ca_skey[ECDSA_SKEY_SIZE], ca_pkey[ECDSA_PKEY_SIZE]; ecdsa_keygen(ca_skey, ca_pkey); generate_certificate(csr, valid, ca_skey, certificate); if(read_certificate(&id, cname, time, valid, auth_key, token_pkey, signature, ca_pkey, certificate)) printf("CERTIFICATE generation/read - OK\n"); else printf("CERTIFICATE generation/read - Fail\n"); printf("\n"); return 0; }
static gnutls_x509_crt generate_signed_certificate(requiem_client_profile_t *cp, uint64_t analyzerid, gnutls_x509_crt ca_crt, gnutls_x509_privkey ca_key, gnutls_x509_crq crq) { int ret; gnutls_x509_crt crt; unsigned char buf[65535]; size_t size = sizeof(buf); crt = generate_certificate(cp, NULL, generated_certificate_lifetime); if ( ! crt ) return NULL; ret = gnutls_x509_crt_set_crq(crt, crq); if ( ret < 0 ) { fprintf(stderr, "error associating certificate with CRQ: %s.\n", gnutls_strerror(ret)); goto err; } ret = gnutls_x509_crt_set_serial(crt, &analyzerid, sizeof(analyzerid)); if ( ret < 0 ) { fprintf(stderr, "error setting certificate serial: %s.\n", gnutls_strerror(ret)); goto err; } ret = gnutls_x509_crt_get_key_id(ca_crt, 0, buf, &size); if ( ret < 0 ) { fprintf(stderr, "error getting CA key ID: %s.\n", gnutls_strerror(ret)); goto err; } ret = gnutls_x509_crt_set_authority_key_id(crt, buf, size); if ( ret < 0 ) { fprintf(stderr, "error setting authority key ID: %s?\n", gnutls_strerror(ret)); goto err; } ret = gnutls_x509_crt_sign(crt, ca_crt, ca_key); if ( ret < 0 ) { fprintf(stderr, "error signing certificate: %s.\n", gnutls_strerror(ret)); goto err; } return crt; err: gnutls_x509_crt_deinit(crt); return NULL; }
const Certificate& NaiveCertificateManager::own_certificate() { // renew certificate if necessary for (auto& validity_restriction : m_own_certificate.validity_restriction) { auto start_and_end = boost::get<StartAndEndValidity>(&validity_restriction); auto renewal_deadline = convert_time32(m_time_now + std::chrono::hours(1)); if (start_and_end && start_and_end->end_validity < renewal_deadline) { m_own_certificate = generate_certificate(m_own_key_pair); break; } } return m_own_certificate; }
/** Entry point to tor-gencert */ int main(int argc, char **argv) { int r = 1; init_logging(1); /* Don't bother using acceleration. */ if (crypto_global_init(0, NULL, NULL)) { fprintf(stderr, "Couldn't initialize crypto library.\n"); return 1; } if (crypto_seed_rng()) { fprintf(stderr, "Couldn't seed RNG.\n"); goto done; } /* Make sure that files are made private. */ umask(0077); if (parse_commandline(argc, argv)) goto done; if (load_identity_key()) goto done; if (reuse_signing_key) { if (load_signing_key()) goto done; } else { if (generate_signing_key()) goto done; } if (generate_certificate()) goto done; r = 0; done: clear_passphrase(); if (identity_key) EVP_PKEY_free(identity_key); if (signing_key) EVP_PKEY_free(signing_key); tor_free(address); tor_free(identity_key_file); tor_free(signing_key_file); tor_free(certificate_file); tor_free(address); crypto_global_cleanup(); return r; }
int main() { srand(time(NULL)); Keypair *t = generate_keypair(); // Trent Keypair *kp1 = generate_keypair(); // Alice /* Alice's certificate */ Certificate *c = generate_certificate("Alice", kp1->public_key, t->private_key); /* Bob's u */ rsa_int u = generate_random_u(c); /* Alice computes h(u) and v */ rsa_int hu = rsa_int_hash(u); rsa_int v = crypt(hu, kp1->private_key, 0); /* Alice sends v to Bob * Bob encrypts v with Alice's public key, * and checks whether it is h(u) * */ rsa_int r = crypt(v, kp1->public_key, 1); // E(e, v) assert(r == hu); /* Trace begins */ trace("204-206:u: %d", u); trace("Sequence of bits for u"); trace_int_bits(u, "u"); trace("204-206:h(u): %d", hu); trace("Sequence of bits for h(u)"); trace_int_bits(hu, "h(u)"); trace("204-206:v: %d", v); trace("Sequence of bits for v"); trace_int_bits(v, "v"); trace("204-206:E(e, v): %d", r); trace("Sequence of bits for E(e, v)"); trace_int_bits(r, "E(e, v)"); /* Trace ends */ destroy_certificate(c); destroy_keypair(kp1); destroy_keypair(t); return 0; }
int main(int argc, const char *argv[]) { int cert_fd, issuer_fd; int nwrites; s_certificate cert, issuer; if (argc != 2 && argc != 3) { print_usage(argv[0]); exit(EXIT_FAILURE); } ecc_init(); /* for critically secure code, you would need a better seed */ srand(time(NULL)); memset(&cert, 0, sizeof(cert)); memset(&issuer, 0, sizeof(cert)); /* open the new file */ cert_fd = open(argv[1], O_WRONLY | O_CREAT, S_IRUSR|S_IWUSR); if (cert_fd == -1) { fprintf(stderr, "unable to open %s\n", argv[1]); perror("open"); exit(EXIT_FAILURE); } /* generate the certificate */ generate_certificate(&cert); if (argc == 3) { int nreads = 0; /* open the issuer certificate */ issuer_fd = open(argv[2], O_RDONLY); if (issuer_fd == -1) { fprintf(stderr, "unable to open %s\n", argv[2]); perror("open"); goto cleanup; } nreads = read(issuer_fd, &issuer, sizeof(issuer)); if (nreads != sizeof(issuer)) { fprintf(stderr, "'%s' does not contain a valid certificate\n", argv[2]); perror("read"); goto cleanup; } /* sign the new certificate */ sign_certificate(&issuer, &cert); if (verify_certificate(&issuer.pub_cert, &cert.pub_cert)) { fprintf(stderr, "unable to verify generated signature\n"); goto cleanup; } close(issuer_fd); } /* store the certificate */ nwrites = write(cert_fd, &cert, sizeof(cert)); if (nwrites != sizeof(cert)) { fprintf(stderr, "unable to write the certificate\n"); perror("write"); goto cleanup; } close(cert_fd); return 0; cleanup: unlink(argv[2]); close(cert_fd); exit(EXIT_FAILURE); }