static VALUE
ossl_pkcs7_add_data(VALUE self, VALUE data)
{
PKCS7 *pkcs7;
BIO *out, *in;
char buf[4096];
int len;
in = ossl_obj2bio(data);
GetPKCS7(self, pkcs7);
if(PKCS7_type_is_signed(pkcs7)){
if(!PKCS7_content_new(pkcs7, NID_pkcs7_data))
ossl_raise(ePKCS7Error, NULL);
}
if(!(out = PKCS7_dataInit(pkcs7, NULL))) goto err;
for(;;){
if((len = BIO_read(in, buf, sizeof(buf))) <= 0)
break;
if(BIO_write(out, buf, len) != len)
goto err;
}
if(!PKCS7_dataFinal(pkcs7, out)) goto err;
ossl_pkcs7_set_data(self, Qnil);
err:
BIO_free(out);
BIO_free(in);
if(ERR_peek_error()){
ossl_raise(ePKCS7Error, NULL);
}
return data;
}
pki_pkcs7::pki_pkcs7(const QString name)
:pki_base(name)
{
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
}
Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder(MessageDigest::Algorithm mesDigAlgorithm,
Certificate &cert, PrivateKey &privKey, bool attached)
throw (Pkcs7Exception)
{
int rc;
PKCS7_SIGNER_INFO *si;
PKCS7_set_type(this->pkcs7, NID_pkcs7_signed);
PKCS7_content_new(this->pkcs7, NID_pkcs7_data);
if (!attached)
{
PKCS7_set_detached(this->pkcs7, 1);
}
si = PKCS7_add_signature(this->pkcs7, cert.getX509(), privKey.getEvpPkey(), MessageDigest::getMessageDigest(mesDigAlgorithm));
if (!si)
{
PKCS7_free(this->pkcs7);
this->pkcs7 = NULL;
throw Pkcs7Exception(Pkcs7Exception::ADDING_SIGNER, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true);
}
rc = PKCS7_add_certificate(this->pkcs7, cert.getX509());
if (!rc)
{
PKCS7_free(this->pkcs7);
this->pkcs7 = NULL;
throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::Pkcs7SignedDataBuilder", true);
}
this->state = Pkcs7Builder::INIT;
}
PKCS7* CryptoNative_Pkcs7CreateSigned()
{
PKCS7* pkcs7 = PKCS7_new();
if (pkcs7 == NULL)
{
return NULL;
}
if (!PKCS7_set_type(pkcs7, NID_pkcs7_signed) || !PKCS7_content_new(pkcs7, NID_pkcs7_data))
{
PKCS7_free(pkcs7);
return NULL;
}
return pkcs7;
}
extern "C" PKCS7* CryptoNative_Pkcs7CreateSigned()
{
PKCS7* pkcs7 = PKCS7_new();
if (pkcs7 == nullptr)
{
return nullptr;
}
if (!PKCS7_set_type(pkcs7, NID_pkcs7_signed) || !PKCS7_content_new(pkcs7, NID_pkcs7_data))
{
PKCS7_free(pkcs7);
return nullptr;
}
return pkcs7;
}
PKI_X509_PKCS7 *PKI_X509_PKCS7_new ( PKI_X509_PKCS7_TYPE type ) {
PKI_X509_PKCS7 *p7 = NULL;
PKI_X509_PKCS7_VALUE *value = NULL;
if((p7 = PKI_X509_new( PKI_DATATYPE_X509_PKCS7, NULL )) == NULL ) {
PKI_log_debug("PKI_X509_PKCS7_new()::Memory Error!");
return ( NULL );
}
if((value = p7->cb->create()) == NULL ) {
PKI_log_debug ("Memory Allocation Error.");
return NULL;
}
if(!PKCS7_set_type( value, type )) {
PKI_log_err( "PKI_X509_PKCS7_new()::Can not set PKCS7 type!");
return ( NULL );
}
p7->value = value;
switch ( type ) {
case PKI_X509_PKCS7_TYPE_ENCRYPTED:
case PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED:
if(!PKI_X509_PKCS7_set_cipher( p7,
(EVP_CIPHER *) PKI_CIPHER_AES(256,cbc))) {
PKI_log_debug("PKI_X509_PKCS7_new()::Can not set "
"cipher!");
};
break;
case PKI_X509_PKCS7_TYPE_SIGNED:
PKCS7_content_new ( value, NID_pkcs7_data );
break;
default:
break;
}
return ( p7 );
}
static LUA_FUNCTION(openssl_pkcs7_new)
{
int type = luaL_optint(L, 1, NID_pkcs7_signed);
int content_nid = luaL_optint(L, 1, NID_pkcs7_data);
PKCS7 *p7 = PKCS7_new();
if (p7)
{
int ret = 1;
ret = PKCS7_set_type(p7, type);
if (ret)
ret = PKCS7_content_new(p7, content_nid);
if (ret)
{
PUSH_OBJECT(p7, "openssl.pkcs7");
return 1;
}
else
PKCS7_free(p7);
}
return 0;
}
/* will return 0, 1, 3, or 99 */
static int
_pkgtrans(char *device1, char *device2, char **pkg, int options,
keystore_handle_t keystore, char *keystore_alias)
{
BIO *p7_bio = NULL;
EVP_PKEY *privkey = NULL;
PKCS7 *sec_pkcs7 = NULL;
PKCS7_SIGNER_INFO *sec_signerinfo = NULL;
PKG_ERR *err;
STACK_OF(X509) *cacerts = NULL;
STACK_OF(X509) *clcerts = NULL;
STACK_OF(X509) *sec_chain = NULL;
X509 *pubcert = NULL;
boolean_t making_sig = B_FALSE;
char *src, *dst;
int errflg, i, n;
struct dm_buf *hdr;
making_sig = (keystore != NULL) ? B_TRUE : B_FALSE;
if (making_sig) {
/* new error object */
err = pkgerr_new();
/* find matching cert and key */
if (find_key_cert_pair(err, keystore,
keystore_alias, &privkey, &pubcert) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CA certificates */
if (find_ca_certs(err, keystore, &cacerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* get CL (aka "chain") certificates */
if (find_cl_certs(err, keystore, &clcerts) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/* initialize PKCS7 object to be filled in later */
sec_pkcs7 = PKCS7_new();
(void) PKCS7_set_type(sec_pkcs7, NID_pkcs7_signed);
sec_signerinfo = PKCS7_add_signature(sec_pkcs7,
pubcert, privkey, EVP_sha1());
if (sec_signerinfo == NULL) {
progerr(gettext(ERR_SEC), keystore_alias);
ERR_print_errors_fp(stderr);
pkgerr_free(err);
return (1);
}
/* add signer cert into signature */
(void) PKCS7_add_certificate(sec_pkcs7, pubcert);
/* attempt to resolve cert chain starting at the signer cert */
if (get_cert_chain(err, pubcert, clcerts, cacerts,
&sec_chain) != 0) {
pkgerr(err);
pkgerr_free(err);
return (1);
}
/*
* add the verification chain of certs into the signature.
* The first cert is the user cert, which we don't need,
* since it's baked in already, so skip it
*/
for (i = 1; i < sk_X509_num(sec_chain); i++) {
(void) PKCS7_add_certificate(sec_pkcs7,
sk_X509_value(sec_chain, i));
}
pkgerr_free(err);
err = NULL;
}
if (signal_received > 0) {
return (1);
}
/* transfer spool to appropriate device */
if (devtype(device1, &srcdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device1);
return (1);
}
srcdev.rdonly++;
/* check for datastream */
ids_name = NULL;
if (srcdev.bdevice) {
if (n = _getvol(srcdev.bdevice, NULL, NULL,
pkg_gt("Insert %v into %p."), srcdev.norewind)) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if (ds_readbuf(srcdev.cdevice))
ids_name = srcdev.cdevice;
}
if (srcdev.cdevice && !srcdev.bdevice)
ids_name = srcdev.cdevice;
else if (srcdev.pathname) {
ids_name = srcdev.pathname;
if (access(ids_name, 0) == -1) {
progerr(ERR_TRANSFER);
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
}
if (!ids_name && device2 == (char *)0) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
if (srcdev.mount && *srcdev.mount)
pkgdir = strdup(srcdev.mount);
return (0);
}
if (ids_name && device2 == (char *)0) {
tmppath = tmpnam(NULL);
tmppath = strdup(tmppath);
if (tmppath == NULL) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_MEM));
return (1);
}
if (mkdir(tmppath, 0755)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_MKDIR), tmppath);
return (1);
}
device2 = tmppath;
}
if (devtype(device2, &dstdev)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device2);
return (1);
}
if ((srcdev.cdevice && dstdev.cdevice) &&
strcmp(srcdev.cdevice, dstdev.cdevice) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
ods_name = NULL;
if (dstdev.cdevice && !dstdev.bdevice || dstdev.pathname)
options |= PT_ODTSTREAM;
if (options & PT_ODTSTREAM) {
if (!((ods_name = dstdev.cdevice) != NULL ||
(ods_name = dstdev.pathname) != NULL)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_BADDEV), device2);
return (1);
}
if (ids_name) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_TWODSTREAM));
return (1);
}
} else {
/*
* output device isn't a stream. If we're making a signed
* package, then fail, since we can't make signed,
* non-stream pkgs
*/
if (making_sig) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(ERR_CANTSIGN));
return (1);
}
}
if ((srcdev.dirname && dstdev.dirname) &&
strcmp(srcdev.dirname, dstdev.dirname) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
if ((srcdev.pathname && dstdev.pathname) &&
strcmp(srcdev.pathname, dstdev.pathname) == 0) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_SAMEDEV));
return (1);
}
if (signal_received > 0) {
return (1);
}
if (ids_name) {
if (srcdev.cdevice && !srcdev.bdevice &&
(n = _getvol(srcdev.cdevice, NULL, NULL, NULL,
srcdev.norewind))) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if (srcdev.dirname = tmpnam(NULL))
tmpdir = srcdev.dirname = strdup(srcdev.dirname);
if ((srcdev.dirname == NULL) || mkdir(srcdev.dirname, 0755) ||
chdir(srcdev.dirname)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_NOTEMP), srcdev.dirname);
cleanup();
return (1);
}
if (ds_init(ids_name, pkg, srcdev.norewind)) {
cleanup();
return (1);
}
} else if (srcdev.mount) {
if (n = pkgmount(&srcdev, NULL, 1, 0, 0)) {
cleanup();
return (n);
}
}
src = srcdev.dirname;
dst = dstdev.dirname;
if (chdir(src)) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_CHDIR), src);
cleanup();
return (1);
}
if (signal_received > 0) {
return (1);
}
xpkg = pkg = gpkglist(src, pkg, NULL);
if (!pkg) {
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_NOPKGS), src);
cleanup();
return (1);
}
for (nxpkg = 0; pkg[nxpkg]; /* void */) {
nxpkg++; /* count */
}
if (ids_name) {
ds_order(pkg); /* order requests */
}
if (signal_received > 0) {
return (1);
}
if (options & PT_ODTSTREAM) {
char line[128];
if (!dstdev.pathname &&
(n = _getvol(ods_name, NULL, DM_FORMAT, NULL,
dstdev.norewind))) {
cleanup();
if (n == 3)
return (3);
progerr(pkg_gt(ERR_TRANSFER));
logerr(pkg_gt(MSG_GETVOL));
return (1);
}
if ((hdr = genheader(src, pkg)) == NULL) {
cleanup();
return (1);
}
if (making_sig) {
/* start up signature data stream */
(void) PKCS7_content_new(sec_pkcs7, NID_pkcs7_data);
(void) PKCS7_set_detached(sec_pkcs7, 1);
p7_bio = PKCS7_dataInit(sec_pkcs7, NULL);
/*
* Here we generate all the data that will go into
* the package, and send it through the signature
* generator, essentially calculating the signature
* of the entire package so we can place it in the
* header. Otherwise we'd have to place it at the end
* of the pkg, which would break the ABI
*/
if (!(options & PT_SILENT)) {
(void) fprintf(stderr, pkg_gt(MSG_SIGNING),
get_subject_display_name(pubcert));
}
if (dump_hdr_and_pkgs(p7_bio, hdr, pkg) != 0) {
progerr(gettext(ERR_NOGEN));
logerr(pkg_gt(MSG_GETVOL));
cleanup();
return (1);
}
BIO_flush(p7_bio);
/*
* now generate PKCS7 signature
*/
if (!PKCS7_dataFinal(sec_pkcs7, p7_bio)) {
progerr(gettext(ERR_NOGEN));
logerr(pkg_gt(MSG_GETVOL));
cleanup();
return (1);
}
(void) BIO_free(p7_bio);
}
/* write out header to stream, which includes signature */
if (wdsheader(hdr, src, ods_name, pkg, sec_pkcs7)) {
cleanup();
return (1);
}
if (sec_pkcs7 != NULL) {
/* nuke in-memory signature for safety */
PKCS7_free(sec_pkcs7);
sec_pkcs7 = NULL;
}
ds_volno = 1; /* number of volumes in datastream */
pinput = hdrbuf.text_buffer;
/* skip past first line in header */
(void) mgets(line, 128);
}
if (signal_received > 0) {
return (1);
}
errflg = 0;
for (i = 0; pkg[i]; i++) {
if (signal_received > 0) {
return (1);
}
if (!(options & PT_ODTSTREAM) && dstdev.mount) {
if (n = pkgmount(&dstdev, NULL, 0, 0, 1)) {
cleanup();
return (n);
}
}
if (errflg = pkgxfer(pkg[i], options)) {
pkg[i] = NULL;
if ((options & PT_ODTSTREAM) || (errflg != 2))
break;
} else if (strcmp(dstinst, pkg[i]))
pkg[i] = strdup(dstinst);
}
if (!(options & PT_ODTSTREAM) && dst) {
pkgdir = strdup(dst);
}
/*
* No cleanup of temporary directories created in this
* function is done here. The calling function must do
* the cleanup.
*/
return (signal_received > 0 ? 1 : errflg);
}
/*******************************************************************************
函数名称: cert_pkcs7_wrap
功能描述: 将要发送的消息采用PKCS#7格式进行编码
输入参数: struct scep *s, SCEP操作的结构体指针。
s32 hasra, 是否使用RA证书,1,使用;0,不使用
输出参数: 无
返 回 值: 1,成功;-1,失败
--------------------------------------------------------------------------------
最近一次修改记录:
修改作者:王朝
修改目的:添加新函数
修改日期:2009年12月28日
*********************************************************************************/
s32 cert_pkcs7_wrap(struct scep *s, s32 hasra)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
u8 *buffer = NULL;
s32 len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si = NULL;
STACK_OF(X509_ATTRIBUTE) *attributes = NULL;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
s32 retval = -1;
/* sender nonce */
s->sender_nonce_len = 16;
s->sender_nonce = (u8 *)malloc((u32)s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type)
{
case SCEP_REQUEST_PKCSREQ:
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_X509_REQ_bio(databio, cert_request)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
default:
goto end;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
BIO_free(databio);
databio = NULL;
/* Create encryption certificate stack */
if (NULL == (recipients = sk_X509_new_null() ))
{
goto end;
}
/* Use different CA cert for encryption if requested */
if (1 == hasra)
{
if (sk_X509_push(recipients, cert_encert) <= 0)
{
goto end;
}
}
else
{
/* Use same CA cert also for encryption */
if (sk_X509_push(recipients, cert_cacert) <= 0)
{
goto end;
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,s->request_len)) == NULL)
{
goto end;
}
/* Encrypt */
if (NULL == (p7enc = PKCS7_encrypt(recipients, encbio, cert_enc_alg, PKCS7_BINARY)))
{
goto end;
}
BIO_free(encbio);
encbio = NULL;
sk_X509_free(recipients);
recipients = NULL;
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0)
{
goto end;
}
PKCS7_free(p7enc);
p7enc = NULL;
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
/* Create outer PKCS#7 */
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL)
{
goto end;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed))
{
goto end;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,signercert, signerkey, cert_sig_alg)) == NULL)
{
goto end;
}
/* Set signed attributes */
attributes = sk_X509_ATTRIBUTE_new_null();
cert_add_attribute_string(attributes, nid_transId, s->transaction_id);
cert_add_attribute_string(attributes, nid_messageType, s->request_type_str);
cert_add_attribute_octet(attributes, nid_senderNonce, (s8 *)(s->sender_nonce),s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_free(attributes);
attributes = NULL;
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)))
{
goto end;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data))
{
goto end;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL)
{
goto end;
}
if (len != BIO_write(pkcs7bio, buffer, len))
{
goto end;
}
BIO_free(memorybio);
memorybio = NULL;
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio))
{
goto end;
}
/* base64-encode the data */
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
retval = 1;
end:
if(NULL != databio)
{
BIO_free(databio);
}
if(NULL != encbio)
{
BIO_free(encbio);
}
if(NULL != p7enc)
{
PKCS7_free(p7enc);
}
if(NULL != pkcs7bio)
{
BIO_free(pkcs7bio);
}
if(NULL != memorybio)
{
BIO_free(memorybio);
}
if(NULL != base64bio)
{
BIO_free(base64bio);
}
if(NULL != recipients)
{
sk_X509_free(recipients);
}
if(NULL != attributes)
{
sk_X509_ATTRIBUTE_free(attributes);
}
return retval;
}
int create_envelope(PluginInstance *inst, u8 **data, int *datalen)
{
int r;
PKCS7 *p7 = NULL;
X509 *x509 = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_PKEY *pkey = NULL;
BIO *in = NULL, *p7bio = NULL;
u8 *buf;
r = extract_certificate_and_pkey(inst, &x509, &pkey);
if (r)
goto err;
p7 = PKCS7_new();
if (p7 == NULL) {
r = -1;
goto err;
}
r = PKCS7_set_type(p7, NID_pkcs7_signed);
if (r != 1) {
r = -1;
goto err;
}
EVP_add_digest(EVP_sha1());
si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
if (si == NULL) {
r = -1;
goto err;
}
PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data));
r = PKCS7_add_certificate(p7, x509);
if (r != 1) {
printf("PKCS7_add_certificate failed.\n");
goto err;
}
PKCS7_content_new(p7, NID_pkcs7_data);
p7bio = PKCS7_dataInit(p7, NULL);
if (p7bio == NULL) {
r = -1;
goto err;
}
in = BIO_new_mem_buf(inst->signdata, inst->signdata_len);
if (in == NULL) {
r = -1;
goto err;
}
for (;;) {
char lbuf[1024];
int i = BIO_read(in, lbuf, sizeof(lbuf));
if (i <= 0)
break;
BIO_write(p7bio, lbuf, i);
}
if (!PKCS7_dataFinal(p7, p7bio)) {
r = -1;
goto err;
}
/* FIXME: remove this */
r = i2d_PKCS7(p7, NULL);
if (r <= 0) {
r = -1;
goto err;
}
buf = (u8 *) malloc(r);
if (buf == NULL)
goto err;
*data = buf;
r = i2d_PKCS7(p7, &buf);
*datalen = r;
if (r <= 0) {
free(buf);
r = -1;
goto err;
}
r = 0;
err:
if (p7)
PKCS7_free(p7);
if (in)
BIO_free(in);
if (p7bio)
BIO_free(p7bio);
#if 0
if (si)
PKCS7_SIGNER_INFO_free(si);
#endif
if (pkey)
EVP_PKEY_free(pkey);
if (x509)
X509_free(x509);
if (r) {
#if 0
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
#endif
}
return r;
}
// Write signed variable
EFI_STATUS SetSignedVariable(IN CHAR16 *DatabaseName,
IN EFI_GUID *DatabaseGuid,
IN UINT32 Attributes,
IN VOID *Database,
IN UINTN DatabaseSize)
{
EFI_STATUS Status;
EFI_VARIABLE_AUTHENTICATION_2 *Authentication;
UINTN Size, NameLen;
UINTN DataSize = 0;
EFI_TIME Timestamp;
VOID *Data = NULL;
BIO *BioData = NULL;
PKCS7 *p7;
X509 *Certificate = NULL;
EVP_PKEY *PrivateKey = NULL;
const EVP_MD *md;
// Check parameters
if ((DatabaseName == NULL) || (DatabaseGuid == NULL)) {
return EFI_INVALID_PARAMETER;
}
DBG("Setting secure variable: %g %s 0x%X (0x%X)\n", DatabaseGuid, DatabaseName, Database, DatabaseSize);
NameLen = StrLen(DatabaseName);
if (NameLen == 0) {
return EFI_INVALID_PARAMETER;
}
// Get the current time
DBG("Getting timestamp ...\n");
Status = GetUTCTime(&Timestamp);
if (EFI_ERROR(Status)) {
return Status;
}
DBG("Timestamp: %t\n", Timestamp);
// In user mode we need to sign the database with exchange key
if (!gSettings.SecureBootSetupMode) {
// Initialize the cyphers and digests
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
// Create signing certificate
BioData = BIO_new_mem_buf((void *)gSecureBootExchangeKey, sizeof(gSecureBootExchangeKey));
if (BioData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Certificate = PEM_read_bio_X509(BioData, NULL, NULL, NULL);
BIO_free(BioData);
if (Certificate == NULL) {
return EFI_OUT_OF_RESOURCES;
}
// Create signing private key
BioData = BIO_new_mem_buf((void *)gSecureBootExchangePrivateKey, sizeof(gSecureBootExchangePrivateKey));
if (BioData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
PrivateKey = PEM_read_bio_PrivateKey(BioData, NULL, NULL, NULL);
BIO_free(BioData);
if (PrivateKey == NULL) {
X509_free(Certificate);
return EFI_OUT_OF_RESOURCES;
}
// Do the actual signing process
BioData = BIO_new(BIO_s_mem());
BIO_write(BioData, DatabaseName, (int)StrLen(DatabaseName));
BIO_write(BioData, DatabaseGuid, sizeof(EFI_GUID));
BIO_write(BioData, &Attributes, sizeof(UINT32));
BIO_write(BioData, &Timestamp, sizeof(EFI_TIME));
BIO_write(BioData, Database, (int)DatabaseSize);
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_sign_add_signer(p7, Certificate, PrivateKey, md, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP);
PKCS7_set_detached(p7, 1);
PKCS7_final(p7, BioData, PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP);
X509_free(Certificate);
EVP_PKEY_free(PrivateKey);
DataSize = i2d_PKCS7(p7, NULL);
Data = AllocateZeroPool(DataSize);
i2d_PKCS7(p7, (unsigned char **)&Data);
PKCS7_free(p7);
// Set the authentication buffer size
Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize;
} else {
// In setup mode we don't need to sign, so just set the database
DBG("In setup mode, not signing ...\n");
Size = sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DatabaseSize;
}
// Create the authentication buffer
DBG("Creating authentication ...\n");
Authentication = (EFI_VARIABLE_AUTHENTICATION_2 *)AllocateZeroPool(Size);
if (Authentication == NULL) {
if (Data != NULL) {
FreePool(Data);
}
return EFI_OUT_OF_RESOURCES;
}
// Set the certificate elements
CopyMem(&(Authentication->TimeStamp), &Timestamp, sizeof(EFI_TIME));
Authentication->AuthInfo.Hdr.dwLength = (UINT32)(sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16) + DataSize);
Authentication->AuthInfo.Hdr.wRevision = 0x0200;
Authentication->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
CopyMem(&(Authentication->AuthInfo.CertType), &gEfiCertPkcs7Guid, sizeof(EFI_GUID));
// Copy the data into the authentication
if (Data != NULL) {
CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Data, DataSize);
FreePool(Data);
} else {
CopyMem(((UINT8 *)Authentication) + sizeof(EFI_TIME) + sizeof(EFI_GUID) + sizeof(UINT32) + sizeof(UINT16) + sizeof(UINT16), Database, DatabaseSize); //Payload, PayloadSize);
}
DBG("Writing secure variable 0x%X (0x%X) ...\n", Authentication, Size);
// Write the database variable
Status = gRT->SetVariable(DatabaseName, DatabaseGuid, SET_DATABASE_ATTRIBUTES, Size, Authentication);
// Cleanup the authentication buffer
FreePool(Authentication);
return Status;
}
static int add_auth_descriptor(varsign_context *ctx, unsigned char dont_sign)
{
EFI_VARIABLE_AUTHENTICATION_2 *auth;
int rc=0, len=0, flags=0;
EFI_TIME timestamp;
const EVP_MD *md;
BIO *data_bio = NULL;
PKCS7 *p7;
UINT8 *signpkg;
if (set_timestamp(×tamp))
return -1;
/* create a BIO for our variable data, containing:
* * Variablename (not including trailing nul)
* * VendorGUID
* * Attributes
* * TimeStamp
* * Data
*/
if (dont_sign == 0)
{
data_bio = BIO_new(BIO_s_mem());
BIO_write(data_bio, ctx->var_name, ctx->var_name_bytes);
BIO_write(data_bio, &ctx->var_guid, sizeof(ctx->var_guid));
BIO_write(data_bio, &ctx->var_attrs, sizeof(ctx->var_attrs));
BIO_write(data_bio, ×tamp, sizeof(timestamp));
BIO_write(data_bio, ctx->data, ctx->data_len);
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;;
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_sign_add_signer(p7, ctx->cert, ctx->key, md, flags);
PKCS7_set_detached(p7, 1);
rc = PKCS7_final(p7, data_bio, flags);
if (!rc) {
fprintf(stderr, "Error signing variable data\n");
ERR_print_errors_fp(stderr);
BIO_free_all(data_bio);
return -1;
}
len = i2d_PKCS7(p7, NULL);
} else {
len = 0;
}
/* set up our auth descriptor */
auth = talloc_size(ctx, len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData));
auth->TimeStamp = timestamp;
auth->AuthInfo.Hdr.dwLength = len + offsetof (WIN_CERTIFICATE_UEFI_GUID, CertData);
auth->AuthInfo.Hdr.wRevision = 0x0200;
auth->AuthInfo.Hdr.wCertificateType = 0x0EF1;
auth->AuthInfo.CertType = cert_pkcs7_guid;
if (dont_sign == 0)
{
signpkg = auth->AuthInfo.CertData;
i2d_PKCS7(p7, &signpkg);
}
ctx->auth_descriptor = auth;
ctx->auth_descriptor_len = len + offsetof (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo.CertData);
BIO_free_all(data_bio);
return 0;
}
/*
* Wrap data in PKCS#7 envelopes and base64-encode the result.
* Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject
* structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in
* GetCert and GETCrl.
*/
int pkcs7_wrap(struct scep *s, struct sscep_ctx *ctx, struct sscep_operation_info *op_info)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
unsigned char *buffer = NULL;
int len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *attributes;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
int ret = SCEP_PKISTATUS_P7;
char *payload = NULL;
int payload_len;
/* Create a new sender nonce for all messages
* XXXXXXXXXXXXXX should it be per transaction? */
s->sender_nonce_len = 16;
free(s->sender_nonce);/* Clean up from previous runs */
s->sender_nonce = (char *)malloc(s->sender_nonce_len * sizeof(char));
RAND_bytes((unsigned char *) s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch (s->request_type) {
case SCEP_REQUEST_PKCSREQ:
/*
* Set printable message type
* We set this later as an autheticated attribute
* "messageType".
*/
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating inner PKCS#7");
}
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if (i2d_X509_REQ_bio(databio, op_info->request) <= 0) {
qeo_log_e("error writing certificate request in bio");
goto error;
}
(void)BIO_flush(databio);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating inner PKCS#7");
}
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if (i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) {
qeo_log_e("error writing GetCertInitial data in bio");
goto error;
}
(void)BIO_flush(databio);
break;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
payload_len = BIO_get_mem_data(databio, &payload);
if (ctx->verbose){
qeo_log_i("data payload size: %d bytes", payload_len);
}
/* Create encryption certificate stack */
if ((recipients = sk_X509_new(NULL) ) == NULL) {
qeo_log_e("error creating certificate stack");
goto error;
}
if (sk_X509_push(recipients, op_info->racert) <= 0) {
qeo_log_e("error adding recipient encryption certificate");
goto error;
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(payload, payload_len)) == NULL ) {
qeo_log_e("error creating data bio");
goto error;
}
/* Encrypt */
if (!(p7enc = PKCS7_encrypt(recipients, encbio, ctx->enc_alg, PKCS7_BINARY))) {
qeo_log_e("request payload encrypt failed");
goto error;
}
if (ctx->verbose){
qeo_log_i("successfully encrypted payload");
}
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) {
qeo_log_e("error writing encrypted data");
goto error;
}
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
BIO_free(memorybio);
memorybio=NULL;
if (ctx->verbose){
qeo_log_i("envelope size: %d bytes", len);
}
if (ctx->debug) {
qeo_log_i("printing PEM fomatted PKCS#7");
PEM_write_PKCS7(stdout, p7enc);
}
/* Create outer PKCS#7 */
if (ctx->verbose){
qeo_log_i("creating outer PKCS#7");
}
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL ) {
qeo_log_e("failed creating PKCS#7 for signing");
goto error;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) {
qeo_log_e("failed setting PKCS#7 type");
goto error;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7, signercert, signerkey, ctx->sig_alg)) == NULL ) {
qeo_log_e("error adding PKCS#7 signature");
goto error;
}
if (ctx->verbose){
qeo_log_i("signature added successfully");
}
/* Set signed attributes */
if (ctx->verbose){
qeo_log_i("adding signed attributes");
}
attributes = sk_X509_ATTRIBUTE_new_null();
add_attribute_string(attributes, ctx->nid_transId, s->transaction_id, ctx);
add_attribute_string(attributes, ctx->nid_messageType, s->request_type_str, ctx);
add_attribute_octet(attributes, ctx->nid_senderNonce, s->sender_nonce, s->sender_nonce_len, ctx);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_pop_free(attributes, X509_ATTRIBUTE_free);
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) {
qeo_log_e("error adding NID_pkcs9_contentType");
goto error;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) {
qeo_log_e("failed setting PKCS#7 content type");
goto error;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL );
if (pkcs7bio == NULL ) {
qeo_log_e("error opening bio for writing PKCS#7 data");
goto error;
}
if (len != BIO_write(pkcs7bio, buffer, len)) {
qeo_log_e("error writing PKCS#7 data");
goto error;
}
if (ctx->verbose){
qeo_log_i("PKCS#7 data written successfully");
}
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) {
qeo_log_e("error finalizing outer PKCS#7");
goto error;
}
if (ctx->debug) {
qeo_log_i("printing PEM fomatted PKCS#7");
PEM_write_PKCS7(stdout, s->request_p7);
}
/* base64-encode the data */
if (ctx->verbose){
qeo_log_i("applying base64 encoding");
}
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
outbio = BIO_push(BIO_new(BIO_f_base64()), memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
payload_len = BIO_get_mem_data(memorybio, &payload);
s->request_payload = (char*) malloc(sizeof(char)*payload_len);
if (!s->request_payload){
goto error;
}
s->request_len = payload_len;
memcpy(s->request_payload, payload, s->request_len);
if (ctx->verbose){
qeo_log_i("base64 encoded payload size: %d bytes", payload_len);
}
ret = 0;
error:
BIO_free(databio);
BIO_free(encbio);
BIO_free_all(pkcs7bio);
BIO_free(memorybio);
BIO_free(outbio);
if (recipients != NULL){
sk_X509_free(recipients);/* Only free the stack, not the certificates */
}
PKCS7_free(p7enc);
OPENSSL_free(buffer);
return ret;
}
/*
* Wrap data in PKCS#7 envelopes and base64-encode the result.
* Data is PKCS#10 request in PKCSReq, or pkcs7_issuer_and_subject
* structure in GetCertInitial and PKCS7_ISSUER_AND_SERIAL in
* GetCert and GETCrl.
*/
int pkcs7_wrap(struct scep *s) {
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
unsigned char *buffer = NULL;
int rc, len = 0;
STACK_OF(X509) *recipients;
PKCS7 *p7enc;
PKCS7_SIGNER_INFO *si;
STACK_OF(X509_ATTRIBUTE) *attributes;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
/* Create a new sender nonce for all messages
* XXXXXXXXXXXXXX should it be per transaction? */
s->sender_nonce_len = 16;
s->sender_nonce = (unsigned char *)malloc(s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type) {
case SCEP_REQUEST_PKCSREQ:
/*
* Set printable message type
* We set this later as an autheticated attribute
* "messageType".
*/
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (v_flag)
printf("%s: creating inner PKCS#7\n", pname);
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_X509_REQ_bio(databio, request)) <= 0) {
fprintf(stderr, "%s: error writing "
"certificate request in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Create inner PKCS#7 */
if (v_flag)
printf("%s: creating inner PKCS#7\n", pname);
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_pkcs7_issuer_and_subject_bio(databio,
s->ias_getcertinit)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCertInitial data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERT_STR;
/* Signer cert */
signercert = localcert;
signerkey = rsa;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,
s->ias_getcert)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCert data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCRL:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCRL_STR;
/* Signer cert */
signercert = localcert;
signerkey = rsa;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((rc = i2d_PKCS7_ISSUER_AND_SERIAL_bio(databio,
s->ias_getcrl)) <= 0) {
fprintf(stderr, "%s: error writing "
"GetCert data in bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
if (v_flag)
printf("%s: data payload size: %d bytes\n", pname,
s->request_len);
BIO_free(databio);
/* Create encryption certificate stack */
if ((recipients = sk_X509_new(NULL)) == NULL) {
fprintf(stderr, "%s: error creating "
"certificate stack\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Use different CA cert for encryption if requested */
if (e_flag) {
if (sk_X509_push(recipients, encert) <= 0) {
fprintf(stderr, "%s: error adding recipient encryption "
"certificate\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Use same CA cert also for encryption */
} else {
if (sk_X509_push(recipients, cacert) <= 0) {
fprintf(stderr, "%s: error adding recipient encryption "
"certificate\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,
s->request_len)) == NULL) {
fprintf(stderr, "%s: error creating data " "bio\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Encrypt */
if (!(p7enc = PKCS7_encrypt(recipients, encbio,
enc_alg, PKCS7_BINARY))) {
fprintf(stderr, "%s: request payload encrypt failed\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: successfully encrypted payload\n", pname);
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0) {
fprintf(stderr, "%s: error writing encrypted data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
if (v_flag)
printf("%s: envelope size: %d bytes\n", pname, len);
if (d_flag) {
printf("%s: printing PEM fomatted PKCS#7\n", pname);
PEM_write_PKCS7(stdout, p7enc);
}
BIO_free(memorybio);
/* Create outer PKCS#7 */
if (v_flag)
printf("%s: creating outer PKCS#7\n", pname);
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL) {
fprintf(stderr, "%s: failed creating PKCS#7 for signing\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed)) {
fprintf(stderr, "%s: failed setting PKCS#7 type\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,
signercert, signerkey, sig_alg)) == NULL) {
fprintf(stderr, "%s: error adding PKCS#7 signature\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: signature added successfully\n", pname);
/* Set signed attributes */
if (v_flag)
printf("%s: adding signed attributes\n", pname);
attributes = sk_X509_ATTRIBUTE_new_null();
add_attribute_string(attributes, nid_transId, s->transaction_id);
add_attribute_string(attributes, nid_messageType, s->request_type_str);
add_attribute_octet(attributes, nid_senderNonce, s->sender_nonce,
s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) {
fprintf(stderr, "%s: error adding NID_pkcs9_contentType\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data)) {
fprintf(stderr, "%s: failed setting PKCS#7 content type\n",
pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL) {
fprintf(stderr, "%s: error opening bio for writing PKCS#7 "
"data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (len != BIO_write(pkcs7bio, buffer, len)) {
fprintf(stderr, "%s: error writing PKCS#7 data\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (v_flag)
printf("%s: PKCS#7 data written successfully\n", pname);
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio)) {
fprintf(stderr, "%s: error finalizing outer PKCS#7\n", pname);
ERR_print_errors_fp(stderr);
exit (SCEP_PKISTATUS_P7);
}
if (d_flag) {
printf("%s: printing PEM fomatted PKCS#7\n", pname);
PEM_write_PKCS7(stdout, s->request_p7);
}
/* base64-encode the data */
if (v_flag)
printf("%s: applying base64 encoding\n",pname);
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
if (v_flag)
printf("%s: base64 encoded payload size: %d bytes\n",
pname, s->request_len);
BIO_free(outbio);
return (0);
}
int main(int argc, char **argv)
{
const char *keyfilename, *certfilename;
struct sign_context *ctx;
uint8_t *buf, *tmp;
int rc, c, sigsize;
ctx = talloc_zero(NULL, struct sign_context);
keyfilename = NULL;
certfilename = NULL;
for (;;) {
int idx;
c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
if (c == -1)
break;
switch (c) {
case 'o':
ctx->outfilename = talloc_strdup(ctx, optarg);
break;
case 'c':
certfilename = optarg;
break;
case 'k':
keyfilename = optarg;
break;
case 'd':
ctx->detached = 1;
break;
case 'v':
ctx->verbose = 1;
break;
case 'V':
version();
return EXIT_SUCCESS;
case 'h':
usage();
return EXIT_SUCCESS;
}
}
if (argc != optind + 1) {
usage();
return EXIT_FAILURE;
}
ctx->infilename = argv[optind];
if (!ctx->outfilename)
set_default_outfilename(ctx);
if (!certfilename) {
fprintf(stderr,
"error: No certificate specified (with --cert)\n");
usage();
return EXIT_FAILURE;
}
if (!keyfilename) {
fprintf(stderr,
"error: No key specified (with --key)\n");
usage();
return EXIT_FAILURE;
}
ctx->image = image_load(ctx->infilename);
if (!ctx->image)
return EXIT_FAILURE;
_talloc_steal(ctx, ctx->image);
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
EVP_PKEY *pkey = fileio_read_pkey(keyfilename);
if (!pkey)
return EXIT_FAILURE;
X509 *cert = fileio_read_cert(certfilename);
if (!cert)
return EXIT_FAILURE;
const EVP_MD *md = EVP_get_digestbyname("SHA256");
/* set up the PKCS7 object */
PKCS7 *p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_SIGNER_INFO *si = PKCS7_sign_add_signer(p7, cert,
pkey, md, PKCS7_BINARY);
if (!si) {
fprintf(stderr, "error in key/certificate chain\n");
ERR_print_errors_fp(stderr);
return EXIT_FAILURE;
}
PKCS7_content_new(p7, NID_pkcs7_data);
rc = IDC_set(p7, si, ctx->image);
if (rc)
return EXIT_FAILURE;
sigsize = i2d_PKCS7(p7, NULL);
tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
i2d_PKCS7(p7, &tmp);
ERR_print_errors_fp(stdout);
image_add_signature(ctx->image, buf, sigsize);
if (ctx->detached)
image_write_detached(ctx->image, ctx->outfilename);
else
image_write(ctx->image, ctx->outfilename);
talloc_free(ctx);
return EXIT_SUCCESS;
}
/* Allocate the SCEP_MSG structures */
SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey,
X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req,
X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info,
PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert,
EVP_CIPHER cipher ) {
SCEP_MSG *msg = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_MD *dgst=NULL;
unsigned char *raw_data = NULL;
int envelope = 0;
long raw_len = 0;
BIO *debug_bio = NULL;
BIO *p7ebio = NULL;
BIO *inbio = NULL;
char buf[256];
if ((debug_bio=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(debug_bio,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
//if( !cert || !pkey || !recip_cert )
if( !cert || !pkey )
return NULL;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Generating New SCEP-Message...\n", __FILE__, __LINE__);
/* Allocate memory and initialize structures */
if((msg = SCEP_MSG_new_null()) == NULL) return NULL;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Allocate memory\n", __FILE__, __LINE__);
/* Signed Infos */
dgst = (EVP_MD *) EVP_get_digestbyname("md5");
if( (si = PKCS7_SIGNER_INFO_new()) == NULL ) goto err;
if(!PKCS7_SIGNER_INFO_set(si, cert, pkey, dgst)) goto err;
sk_PKCS7_SIGNER_INFO_push( msg->sk_signer_info, si );
msg->signer_ias = si->issuer_and_serial;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] signer infos set\n", __FILE__, __LINE__);
/* If pkey, let's add to the message structure to ease
* message encryption (enveloped data content creation) */
SCEP_MSG_set_pkey ( msg, pkey );
// msg->signer_pkey = pkey;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] encryption key set\n", __FILE__, __LINE__);
/* If not explicit, we guess the certificate to be present
* in the passed inMsg structure, if any. Otherwise ERROR! */
if( !recip_cert && inMsg ) recip_cert = inMsg->signer_cert;
/* Set the messageType */
SCEP_set_messageType ( msg, messageType );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] message type set\n", __FILE__, __LINE__);
switch( messageType ) {
case MSG_CERTREP:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for CERTREP\n", __FILE__, __LINE__);
msg->env_data.NID_p7data = NID_pkcs7_signed;
msg->env_data.p7 = PKCS7_new();
PKCS7_set_type( msg->env_data.p7, NID_pkcs7_signed );
PKCS7_content_new( msg->env_data.p7, NID_pkcs7_data );
if( issued_cert ) {
if (debug)
BIO_printf( debug_bio,
"%s:%d: creating inner degenerated PKCS7... \n",
__FILE__, __LINE__);
/* Adds issued certificate */
PKCS7_add_certificate( msg->env_data.p7, issued_cert );
// PKCS7_add_certificate( msg->env_data.p7, cert );
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
} else if( crl ) {
if (debug)
BIO_printf( debug_bio,
"%s:%d: Adding CRL ... \n",
__FILE__, __LINE__);
/* Adds crl */
PKCS7_add_crl( msg->env_data.p7, crl );
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_PKCSREQ:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for PKCSREQ\n", __FILE__, __LINE__);
/* The inner pkcs7 structure is signed
* and enveloped and the data is to be
* the X509_REQ passed */
msg->env_data.NID_p7data =
NID_pkcs7_signedAndEnveloped;
if( req ) {
msg->env_data.content.req = req;
/* Ask for the data p7 to be generated and
* encrypted */
envelope = 1;
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_GETCRL:
if (debug)
{
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCRL\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
break;
case MSG_GETCERT:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERT\n", __FILE__, __LINE__);
msg->env_data.NID_p7data =
NID_pkcs7_signedAndEnveloped;
/* If it is a query for a general certificate
* the CAcert should be included in the enveloped
* data*/
/* Otherwise, if it is a request for its own
* certificate, the self-signed certificate should
* be included */
// if( cacert )
// msg->env_data.cacert = cacert;
/* Issuer and Serial should be present ! */
if( !ias ) goto err;
msg->env_data.content.ias = ias;
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_GETCERTINITIAL:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERTINITIAL\n", __FILE__, __LINE__);
msg->env_data.NID_p7data = NID_pkcs7_signed;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_V2REQUEST: /* Not currently handled */
if (debug) {
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for V2REQUEST\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
default:
goto err;
}
if (debug)
BIO_printf( debug_bio, "%s:%d: Debug ... \n", __FILE__, __LINE__);
/* If different from NULL, we have to encode something */
if( envelope == 1 ) {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__);
/* Encrypt the message data */
if( !SCEP_MSG_encrypt( msg, recip_cert, cipher )) goto err;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] add sign-cert to structure\n", __FILE__, __LINE__);
/* Signer certificate */
msg->signer_cert = cert;
if (debug)
PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] add attributes\n", __FILE__, __LINE__);
/* Set message attributes, if any */
if ( inMsg ) {
char *tmp = NULL;
int len = 0;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] take data from request\n", __FILE__, __LINE__);
switch ( msg->messageType ) {
default:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set transId\n", __FILE__, __LINE__);
/* The transId is ever required */
tmp = SCEP_get_string_attr_by_name( inMsg->attrs, "transId");
if( tmp ) {
SCEP_set_transId( msg, tmp, strlen(tmp));
OPENSSL_free( tmp );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set recipient nonce (sendernonce from req)\n", __FILE__, __LINE__);
/* Copy the sendernonce to the recipient nonce and
* generate a new sendernonce for the generated msg */
tmp = SCEP_get_octect_attr_by_name( inMsg->attrs,
"senderNonce", &len);
if( tmp ) {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] %d\n", __FILE__, __LINE__, tmp);
SCEP_set_recipientNonce( msg, tmp, len );
OPENSSL_free( tmp );
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set sender nonce\n", __FILE__, __LINE__);
SCEP_set_senderNonce_new(msg);
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set pki_status\n", __FILE__, __LINE__);
SCEP_set_pkiStatus ( msg, PKI_PENDING );
if (debug) {
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
} else {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] generate new data\n", __FILE__, __LINE__);
SCEP_set_senderNonce_new ( msg );
SCEP_set_recipientNonce_new ( msg );
SCEP_set_transId_new ( msg );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
return (msg);
err:
ERR_print_errors_fp(stderr);
return(NULL);
}
