static int key_create_ecdsa(key_t *key) { EC_KEY *ec = NULL; ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ec == NULL) { printf("Cannot create EC key\n"); goto err; } if (!EC_KEY_generate_key(ec)) { printf("Cannot generate EC key\n"); goto err; } EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS); EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) { printf("Cannot assign EC key\n"); goto err; } return 1; err: EC_KEY_free(ec); return 0; }
void makeecreq256(char* commonname) { EC_KEY *key; EVP_PKEY *pkey; X509_REQ *req; FILE *out; key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); EC_KEY_generate_key(key); EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE); pkey = EVP_PKEY_new(); EVP_PKEY_set1_EC_KEY(pkey, key); req = makereq(pkey, commonname, EVP_sha256()); out = fopen("ec256_req.pem", "w"); if (out == NULL) exit(-1); PEM_write_X509_REQ(out, req); fclose(out); out = fopen("ec256_req_key.pem", "w"); if (out == NULL) exit(-1); PEM_write_ECPrivateKey(out, key, NULL, NULL, 0, NULL, NULL); fclose(out); }
/* * Creates a new EC_KEY on the EC group obj. arg can be an EC::Group or a String * representing an OID. */ static EC_KEY * ec_key_new_from_group(VALUE arg) { EC_KEY *ec; if (rb_obj_is_kind_of(arg, cEC_GROUP)) { EC_GROUP *group; SafeRequire_EC_GROUP(arg, group); if (!(ec = EC_KEY_new())) ossl_raise(eECError, NULL); if (!EC_KEY_set_group(ec, group)) { EC_KEY_free(ec); ossl_raise(eECError, NULL); } } else { int nid = OBJ_sn2nid(StringValueCStr(arg)); if (nid == NID_undef) ossl_raise(eECError, "invalid curve name"); if (!(ec = EC_KEY_new_by_curve_name(nid))) ossl_raise(eECError, NULL); EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED); } return ec; }
void crypt_ec_helper::save_key_pair(std::string path, EC_KEY *keypair) { BIO *out; int i; FILE* outfile; EVP_PKEY *pkey = NULL; ERR_load_BIO_strings(); ERR_load_crypto_strings(); pkey = EVP_PKEY_new(); EVP_PKEY_assign_EC_KEY(pkey, keypair); EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(NID_secp256k1); outfile = fopen(path.c_str(), "w"); out = BIO_new(BIO_s_file()); out = BIO_new_fp(outfile, BIO_NOCLOSE); EC_KEY_set_asn1_flag(keypair, OPENSSL_EC_NAMED_CURVE); i = PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, 0, NULL); fclose(outfile); EC_GROUP_free(ecgroup); EVP_PKEY_free(pkey); BIO_free_all(out); }
QPair<QByteArray*, QByteArray*> generateECKeypair() { EC_KEY* keyPair = EC_KEY_new_by_curve_name(NID_secp256k1); QPair<QByteArray*, QByteArray*> retval{}; EC_KEY_set_asn1_flag(keyPair, OPENSSL_EC_NAMED_CURVE); if (!EC_KEY_generate_key(keyPair)) { qCDebug(commerce) << "Error generating EC Keypair -" << ERR_get_error(); return retval; } // grab the public key and private key from the file unsigned char* publicKeyDER = NULL; int publicKeyLength = i2d_EC_PUBKEY(keyPair, &publicKeyDER); unsigned char* privateKeyDER = NULL; int privateKeyLength = i2d_ECPrivateKey(keyPair, &privateKeyDER); if (publicKeyLength <= 0 || privateKeyLength <= 0) { qCDebug(commerce) << "Error getting DER public or private key from EC struct -" << ERR_get_error(); // cleanup the EC struct EC_KEY_free(keyPair); // cleanup the public and private key DER data, if required if (publicKeyLength > 0) { OPENSSL_free(publicKeyDER); } if (privateKeyLength > 0) { OPENSSL_free(privateKeyDER); } return retval; } if (!writeKeys(keyFilePath().toStdString().c_str(), keyPair)) { qCDebug(commerce) << "couldn't save keys!"; return retval; } EC_KEY_free(keyPair); // prepare the return values. TODO: Fix this - we probably don't really even want the // private key at all (better to read it when we need it?). Or maybe we do, when we have // multiple keys? retval.first = new QByteArray(reinterpret_cast<char*>(publicKeyDER), publicKeyLength); retval.second = new QByteArray(reinterpret_cast<char*>(privateKeyDER), privateKeyLength); // cleanup the publicKeyDER and publicKeyDER data OPENSSL_free(publicKeyDER); OPENSSL_free(privateKeyDER); return retval; }
u2fs_rc extract_EC_KEY_from_X509(const u2fs_X509_t * cert, u2fs_EC_KEY_t ** key) { if (cert == NULL || key == NULL) return U2FS_MEMORY_ERROR; EVP_PKEY *pkey = X509_get_pubkey((X509 *) cert); if (pkey == NULL) { if (debug) { unsigned long err = 0; err = ERR_get_error(); fprintf(stderr, "Error: %s, %s, %s\n", ERR_lib_error_string(err), ERR_func_error_string(err), ERR_reason_error_string(err)); } return U2FS_CRYPTO_ERROR; } *key = (u2fs_EC_KEY_t *) EVP_PKEY_get1_EC_KEY(pkey); EVP_PKEY_free(pkey); pkey = NULL; if (*key == NULL) { if (debug) { unsigned long err = 0; err = ERR_get_error(); fprintf(stderr, "Error: %s, %s, %s\n", ERR_lib_error_string(err), ERR_func_error_string(err), ERR_reason_error_string(err)); } return U2FS_CRYPTO_ERROR; } EC_GROUP *ecg = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); EC_KEY_set_asn1_flag((EC_KEY *) * key, OPENSSL_EC_NAMED_CURVE); EC_KEY_set_group((EC_KEY *) * key, ecg); EC_GROUP_free(ecg); ecg = NULL; return U2FS_OK; }
SEXP R_ecdsa_pubkey_build(SEXP x, SEXP y, SEXP nist){ #ifndef OPENSSL_NO_EC int nid = my_nist2nid(CHAR(STRING_ELT(nist, 0))); bail(nid); EC_KEY *pubkey = EC_KEY_new_by_curve_name(nid); EC_KEY_set_asn1_flag(pubkey, OPENSSL_EC_NAMED_CURVE); if(!EC_KEY_set_public_key_affine_coordinates(pubkey, new_bignum_from_r(x), new_bignum_from_r(y))) error("Failed to construct EC key. Perhaps invalid point or curve."); unsigned char *buf = NULL; int len = i2d_EC_PUBKEY(pubkey, &buf); bail(len); EC_KEY_free(pubkey); SEXP res = allocVector(RAWSXP, len); memcpy(RAW(res), buf, len); OPENSSL_free(buf); return res; #else //OPENSSL_NO_EC Rf_error("OpenSSL has been configured without EC support"); #endif //OPENSSL_NO_EC }
ECDSAKeyPair::ECDSAKeyPair(AsymmetricKey::Curve curve, bool named) throw (AsymmetricKeyException) { EC_KEY *eckey; this->key = NULL; this->engine = NULL; eckey = NULL; eckey = EC_KEY_new_by_curve_name(curve); if (named) EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); EC_KEY_generate_key(eckey); if (!eckey) { throw AsymmetricKeyException(AsymmetricKeyException::INTERNAL_ERROR, "ECDSAKeyPair::ECDSAKeyPair"); } this->key = EVP_PKEY_new(); EVP_PKEY_assign_EC_KEY(this->key, eckey); if (!this->key) { throw AsymmetricKeyException(AsymmetricKeyException::INTERNAL_ERROR, "ECDSAKeyPair::ECDSAKeyPair"); } }
/* call-seq: * OpenSSL::PKey::EC.new() * OpenSSL::PKey::EC.new(ec_key) * OpenSSL::PKey::EC.new(ec_group) * OpenSSL::PKey::EC.new("secp112r1") * OpenSSL::PKey::EC.new(pem_string) * OpenSSL::PKey::EC.new(pem_string [, pwd]) * OpenSSL::PKey::EC.new(der_string) * * See the OpenSSL documentation for: * EC_KEY_* */ static VALUE ossl_ec_key_initialize(int argc, VALUE *argv, VALUE self) { EVP_PKEY *pkey; EC_KEY *ec = NULL; VALUE arg, pass; VALUE group = Qnil; char *passwd = NULL; GetPKey(self, pkey); if (pkey->pkey.ec) rb_raise(eECError, "EC_KEY already initialized"); rb_scan_args(argc, argv, "02", &arg, &pass); if (NIL_P(arg)) { ec = EC_KEY_new(); } else { if (rb_obj_is_kind_of(arg, cEC)) { EC_KEY *other_ec = NULL; SafeRequire_EC_KEY(arg, other_ec); ec = EC_KEY_dup(other_ec); } else if (rb_obj_is_kind_of(arg, cEC_GROUP)) { ec = EC_KEY_new(); group = arg; } else { BIO *in = ossl_obj2bio(arg); if (!NIL_P(pass)) { passwd = StringValuePtr(pass); } ec = PEM_read_bio_ECPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd); if (!ec) { (void)BIO_reset(in); (void)ERR_get_error(); ec = PEM_read_bio_EC_PUBKEY(in, NULL, ossl_pem_passwd_cb, passwd); } if (!ec) { (void)BIO_reset(in); (void)ERR_get_error(); ec = d2i_ECPrivateKey_bio(in, NULL); } if (!ec) { (void)BIO_reset(in); (void)ERR_get_error(); ec = d2i_EC_PUBKEY_bio(in, NULL); } BIO_free(in); if (ec == NULL) { const char *name = StringValueCStr(arg); int nid = OBJ_sn2nid(name); (void)ERR_get_error(); if (nid == NID_undef) ossl_raise(eECError, "unknown curve name (%s)\n", name); if ((ec = EC_KEY_new_by_curve_name(nid)) == NULL) ossl_raise(eECError, "unable to create curve (%s)\n", name); EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE); EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED); } } } if (ec == NULL) ossl_raise(eECError, NULL); if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) { EC_KEY_free(ec); ossl_raise(eECError, "EVP_PKEY_assign_EC_KEY"); } rb_iv_set(self, "@group", Qnil); if (!NIL_P(group)) rb_funcall(self, rb_intern("group="), 1, arg); return self; }
int MAIN(int argc, char **argv) { int ret = 1; EC_KEY *eckey = NULL; const EC_GROUP *group; int i, badops = 0; const EVP_CIPHER *enc = NULL; BIO *in = NULL, *out = NULL; int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0; char *infile, *outfile, *prog, *engine; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; int new_form = 0; int asn1_flag = OPENSSL_EC_NAMED_CURVE; int new_asn1_flag = 0; apps_startup(); if (bio_err == NULL) if ((bio_err = BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); if (!load_config(bio_err, NULL)) goto end; engine = NULL; infile = NULL; outfile = NULL; informat = FORMAT_PEM; outformat = FORMAT_PEM; prog = argv[0]; argc--; argv++; while (argc >= 1) { if (strcmp(*argv, "-inform") == 0) { if (--argc < 1) goto bad; informat = str2fmt(*(++argv)); } else if (strcmp(*argv, "-outform") == 0) { if (--argc < 1) goto bad; outformat = str2fmt(*(++argv)); } else if (strcmp(*argv, "-in") == 0) { if (--argc < 1) goto bad; infile = *(++argv); } else if (strcmp(*argv, "-out") == 0) { if (--argc < 1) goto bad; outfile = *(++argv); } else if (strcmp(*argv, "-passin") == 0) { if (--argc < 1) goto bad; passargin = *(++argv); } else if (strcmp(*argv, "-passout") == 0) { if (--argc < 1) goto bad; passargout = *(++argv); } else if (strcmp(*argv, "-engine") == 0) { if (--argc < 1) goto bad; engine = *(++argv); } else if (strcmp(*argv, "-noout") == 0) noout = 1; else if (strcmp(*argv, "-text") == 0) text = 1; else if (strcmp(*argv, "-conv_form") == 0) { if (--argc < 1) goto bad; ++argv; new_form = 1; if (strcmp(*argv, "compressed") == 0) form = POINT_CONVERSION_COMPRESSED; else if (strcmp(*argv, "uncompressed") == 0) form = POINT_CONVERSION_UNCOMPRESSED; else if (strcmp(*argv, "hybrid") == 0) form = POINT_CONVERSION_HYBRID; else goto bad; } else if (strcmp(*argv, "-param_enc") == 0) { if (--argc < 1) goto bad; ++argv; new_asn1_flag = 1; if (strcmp(*argv, "named_curve") == 0) asn1_flag = OPENSSL_EC_NAMED_CURVE; else if (strcmp(*argv, "explicit") == 0) asn1_flag = 0; else goto bad; } else if (strcmp(*argv, "-param_out") == 0) param_out = 1; else if (strcmp(*argv, "-pubin") == 0) pubin = 1; else if (strcmp(*argv, "-pubout") == 0) pubout = 1; else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) { BIO_printf(bio_err, "unknown option %s\n", *argv); badops = 1; break; } argc--; argv++; } if (badops) { bad: BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, " -inform arg input format - " "DER or PEM\n"); BIO_printf(bio_err, " -outform arg output format - " "DER or PEM\n"); BIO_printf(bio_err, " -in arg input file\n"); BIO_printf(bio_err, " -passin arg input file pass " "phrase source\n"); BIO_printf(bio_err, " -out arg output file\n"); BIO_printf(bio_err, " -passout arg output file pass " "phrase source\n"); BIO_printf(bio_err, " -engine e use engine e, " "possibly a hardware device.\n"); BIO_printf(bio_err, " -des encrypt PEM output, " "instead of 'des' every other \n" " cipher " "supported by OpenSSL can be used\n"); BIO_printf(bio_err, " -text print the key\n"); BIO_printf(bio_err, " -noout don't print key out\n"); BIO_printf(bio_err, " -param_out print the elliptic " "curve parameters\n"); BIO_printf(bio_err, " -conv_form arg specifies the " "point conversion form \n"); BIO_printf(bio_err, " possible values:" " compressed\n"); BIO_printf(bio_err, " " " uncompressed (default)\n"); BIO_printf(bio_err, " " " hybrid\n"); BIO_printf(bio_err, " -param_enc arg specifies the way" " the ec parameters are encoded\n"); BIO_printf(bio_err, " in the asn1 der " "encoding\n"); BIO_printf(bio_err, " possible values:" " named_curve (default)\n"); BIO_printf(bio_err, " " "explicit\n"); goto end; } ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE setup_engine(bio_err, engine, 0); # endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } in = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } if (infile == NULL) BIO_set_fp(in, stdin, BIO_NOCLOSE); else { if (BIO_read_filename(in, infile) <= 0) { perror(infile); goto end; } } BIO_printf(bio_err, "read EC key\n"); if (informat == FORMAT_ASN1) { if (pubin) eckey = d2i_EC_PUBKEY_bio(in, NULL); else eckey = d2i_ECPrivateKey_bio(in, NULL); } else if (informat == FORMAT_PEM) { if (pubin) eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL); else eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin); } else { BIO_printf(bio_err, "bad input format specified for key\n"); goto end; } if (eckey == NULL) { BIO_printf(bio_err, "unable to load Key\n"); ERR_print_errors(bio_err); goto end; } if (outfile == NULL) { BIO_set_fp(out, stdout, BIO_NOCLOSE); # ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } # endif } else { if (BIO_write_filename(out, outfile) <= 0) { perror(outfile); goto end; } } group = EC_KEY_get0_group(eckey); if (new_form) EC_KEY_set_conv_form(eckey, form); if (new_asn1_flag) EC_KEY_set_asn1_flag(eckey, asn1_flag); if (text) if (!EC_KEY_print(out, eckey, 0)) { perror(outfile); ERR_print_errors(bio_err); goto end; } if (noout) { ret = 0; goto end; } BIO_printf(bio_err, "writing EC key\n"); if (outformat == FORMAT_ASN1) { if (param_out) i = i2d_ECPKParameters_bio(out, group); else if (pubin || pubout) i = i2d_EC_PUBKEY_bio(out, eckey); else i = i2d_ECPrivateKey_bio(out, eckey); } else if (outformat == FORMAT_PEM) { if (param_out) i = PEM_write_bio_ECPKParameters(out, group); else if (pubin || pubout) i = PEM_write_bio_EC_PUBKEY(out, eckey); else i = PEM_write_bio_ECPrivateKey(out, eckey, enc, NULL, 0, NULL, passout); } else { BIO_printf(bio_err, "bad output format specified for " "outfile\n"); goto end; } if (!i) { BIO_printf(bio_err, "unable to write private key\n"); ERR_print_errors(bio_err); } else ret = 0; end: if (in) BIO_free(in); if (out) BIO_free_all(out); if (eckey) EC_KEY_free(eckey); if (passin) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); apps_shutdown(); OPENSSL_EXIT(ret); }
PKI_X509_CERT * PKI_X509_CERT_new (const PKI_X509_CERT * ca_cert, const PKI_X509_KEYPAIR * kPair, const PKI_X509_REQ * req, const char * subj_s, const char * serial_s, uint64_t validity, const PKI_X509_PROFILE * conf, const PKI_ALGOR * algor, const PKI_CONFIG * oids, HSM *hsm ) { PKI_X509_CERT *ret = NULL; PKI_X509_CERT_VALUE *val = NULL; PKI_X509_NAME *subj = NULL; PKI_X509_NAME *issuer = NULL; PKI_DIGEST_ALG *digest = NULL; PKI_X509_KEYPAIR_VALUE *signingKey = NULL; PKI_TOKEN *tk = NULL; PKI_X509_KEYPAIR_VALUE *certPubKeyVal = NULL; int rv = 0; int ver = 2; int64_t notBeforeVal = 0; ASN1_INTEGER *serial = NULL; char *ver_s = NULL; /* Check if the REQUIRED PKEY has been passed */ if (!kPair || !kPair->value) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return (NULL); }; signingKey = kPair->value; /* TODO: This has to be fixed, to work on every option */ if ( subj_s ) { subj = PKI_X509_NAME_new ( subj_s ); } else if (conf || req) { char *tmp_s = NULL; // Let's use the configuration option first if (conf) { // Get the value of the DN, if present if ((tmp_s = PKI_CONFIG_get_value( conf, "/profile/subject/dn")) != NULL ) { // Builds from the DN in the config subj = PKI_X509_NAME_new(tmp_s); PKI_Free ( tmp_s ); } } // If we still do not have a name, let's check // the request for one if (req && !subj) { const PKI_X509_NAME * req_subj = NULL; // Copy the name from the request if ((req_subj = PKI_X509_REQ_get_data(req, PKI_X509_DATA_SUBJECT)) != NULL) { subj = PKI_X509_NAME_dup(req_subj); } } // If no name is provided, let's use an empty one // TODO: Shall we remove this and fail instead ? if (!subj) subj = PKI_X509_NAME_new( "" ); } else { struct utsname myself; char tmp_name[1024]; if (uname(&myself) < 0) { subj = PKI_X509_NAME_new( "" ); } else { sprintf( tmp_name, "CN=%s", myself.nodename ); subj = PKI_X509_NAME_new( tmp_name ); } } if (!subj) { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_SUBJECT, subj_s ); goto err; } if( ca_cert ) { const PKI_X509_NAME *ca_subject = NULL; /* Let's get the ca_cert subject and dup that data */ // ca_subject = (PKI_X509_NAME *) // X509_get_subject_name( (X509 *) ca_cert ); ca_subject = PKI_X509_CERT_get_data( ca_cert, PKI_X509_DATA_SUBJECT ); if( ca_subject ) { issuer = (PKI_X509_NAME *) X509_NAME_dup((X509_NAME *)ca_subject); } else { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_ISSUER, NULL); goto err; } } else { issuer = (PKI_X509_NAME *) X509_NAME_dup((X509_NAME *) subj); } if( !issuer ) { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_ISSUER, NULL); goto err; } if(( ret = PKI_X509_CERT_new_null()) == NULL ) { PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL); goto err; } /* Alloc memory structure for the Certificate */ if((ret->value = ret->cb->create()) == NULL ) { PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL); return (NULL); } val = ret->value; if(( ver_s = PKI_CONFIG_get_value( conf, "/profile/version")) != NULL ) { ver = atoi( ver_s ) - 1; if ( ver < 0 ) ver = 0; PKI_Free ( ver_s ); } else { ver = 2; }; if (!X509_set_version(val,ver)) { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_VERSION, NULL); goto err; } if (serial_s) { char * tmp_s = (char *) serial_s; serial = s2i_ASN1_INTEGER(NULL, tmp_s); } else { // If cacert we assume it is a normal cert - let's create a // random serial number, otherwise - it's a self-signed, use // the usual 'fake' 0 if ( ca_cert ) { unsigned char bytes[11]; RAND_bytes(bytes, sizeof(bytes)); bytes[0] = 0; serial = PKI_INTEGER_new_bin(bytes, sizeof(bytes)); } else { serial = s2i_ASN1_INTEGER( NULL, "0"); }; }; if(!X509_set_serialNumber( val, serial )) { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_SERIAL, serial_s); goto err; } /* Set the issuer Name */ // rv = X509_set_issuer_name((X509 *) ret, (X509_NAME *) issuer); if(!X509_set_issuer_name( val, (X509_NAME *) issuer)) { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_ISSUER, NULL); goto err; } /* Set the subject Name */ if(!X509_set_subject_name(val, (X509_NAME *) subj)) { PKI_ERROR(PKI_ERR_X509_CERT_CREATE_SUBJECT, NULL); goto err; } /* Set the start date (notBefore) */ if (conf) { int years = 0; int days = 0; int hours = 0; int mins = 0; int secs = 0; char *tmp_s = NULL; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/notBefore/years")) != NULL ) { years = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/notBefore/days")) != NULL ) { days = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/notBefore/hours")) != NULL ) { hours = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/notBefore/minutes")) != NULL ) { mins = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/notBefore/seconds")) != NULL ) { secs = atoi( tmp_s ); PKI_Free ( tmp_s ); }; notBeforeVal = secs + ( mins * 60 ) + ( hours * 3600 ) + ( days * 3600 * 24 ) + ( years * 3600 * 24 * 365 ); }; /* Set the validity (notAfter) */ if( conf && validity == 0 ) { long long years = 0; long long days = 0; long long hours = 0; long long mins = 0; long long secs = 0; char *tmp_s = NULL; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/validity/years")) != NULL ) { years = atoll( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/validity/days")) != NULL ) { days = atoll( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/validity/hours")) != NULL ) { hours = atoll( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/validity/minutes")) != NULL ) { mins = atoll( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( conf, "/profile/validity/minutes")) != NULL ) { secs = atoll( tmp_s ); PKI_Free ( tmp_s ); }; validity = (unsigned long long) secs + (unsigned long long) ( mins * 60 ) + (unsigned long long) ( hours * 3600 ) + (unsigned long long) ( days * 3600 * 24 ) + (unsigned long long) ( years * 3600 * 24 * 365 ); }; if (validity <= 0) validity = 30 * 3600 * 24; #if ( LIBPKI_OS_BITS == LIBPKI_OS32 ) long notBeforeVal32 = (long) notBeforeVal; if (X509_gmtime_adj(X509_get_notBefore(val), notBeforeVal32 ) == NULL) { #else if (X509_gmtime_adj(X509_get_notBefore(val), notBeforeVal ) == NULL) { #endif PKI_ERROR(PKI_ERR_X509_CERT_CREATE_NOTBEFORE, NULL); goto err; } /* Set the end date in a year */ if (X509_gmtime_adj(X509_get_notAfter(val),(long int) validity) == NULL) { PKI_DEBUG("ERROR: can not set notAfter field!"); goto err; } /* Copy the PKEY if it is in the request, otherwise use the public part of the PKI_X509_CERT */ if (req) { certPubKeyVal = (PKI_X509_KEYPAIR_VALUE *) PKI_X509_REQ_get_data(req, PKI_X509_DATA_KEYPAIR_VALUE); if( !certPubKeyVal ) { PKI_DEBUG("ERROR, can not get pubkey from req!"); goto err; } } else { /* Self Signed -- Same Public Key! */ certPubKeyVal = signingKey; } if (!ca_cert && conf) { char *tmp_s = NULL; if(( tmp_s = PKI_X509_PROFILE_get_value( conf, "/profile/keyParams/algorithm")) != NULL ) { PKI_ALGOR *myAlg = NULL; PKI_DIGEST_ALG *dgst = NULL; if((myAlg = PKI_ALGOR_get_by_name( tmp_s )) != NULL ) { if(!algor) algor = myAlg; if((dgst = PKI_ALGOR_get_digest( myAlg )) != NULL ) { PKI_DEBUG("Got Signing Algorithm: %s, %s", PKI_DIGEST_ALG_get_parsed(dgst), PKI_ALGOR_get_parsed(myAlg)); digest = dgst; } else { PKI_DEBUG("Can not parse digest algorithm from %s", tmp_s); } } else { PKI_DEBUG("Can not parse key algorithm from %s", tmp_s); } PKI_Free ( tmp_s ); } } if (conf) { PKI_KEYPARAMS *kParams = NULL; PKI_SCHEME_ID scheme; scheme = PKI_ALGOR_get_scheme( algor ); kParams = PKI_KEYPARAMS_new(scheme, conf); if (kParams) { /* Sets the point compression */ switch ( kParams->scheme ) { #ifdef ENABLE_ECDSA case PKI_SCHEME_ECDSA: if ( (int) kParams->ec.form > 0 ) { # if OPENSSL_VERSION_NUMBER < 0x1010000fL EC_KEY_set_conv_form(certPubKeyVal->pkey.ec, (point_conversion_form_t) kParams->ec.form); # else EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(certPubKeyVal), (point_conversion_form_t) kParams->ec.form); # endif } if ( kParams->ec.asn1flags > -1 ) { # if OPENSSL_VERSION_NUMBER < 0x1010000fL EC_KEY_set_asn1_flag(certPubKeyVal->pkey.ec, kParams->ec.asn1flags ); # else EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(certPubKeyVal), kParams->ec.asn1flags ); # endif } break; #endif case PKI_SCHEME_RSA: case PKI_SCHEME_DSA: break; default: // Nothing to do PKI_ERROR(PKI_ERR_GENERAL, "Signing Scheme Uknown %d!", kParams->scheme); break; } } } if (!X509_set_pubkey(val, certPubKeyVal)) { PKI_DEBUG("ERROR, can not set pubkey in cert!"); goto err; } if (conf) { if((tk = PKI_TOKEN_new_null()) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); goto err; } PKI_TOKEN_set_cert(tk, ret); if (ca_cert) { PKI_TOKEN_set_cacert(tk, (PKI_X509_CERT *)ca_cert); } else { PKI_TOKEN_set_cacert(tk, (PKI_X509_CERT *)ret); } if (req) PKI_TOKEN_set_req(tk, (PKI_X509_REQ *)req ); if (kPair) PKI_TOKEN_set_keypair ( tk, (PKI_X509_KEYPAIR *)kPair ); rv = PKI_X509_EXTENSIONS_cert_add_profile(conf, oids, ret, tk); if (rv != PKI_OK) { PKI_DEBUG( "ERROR, can not set extensions!"); tk->cert = NULL; tk->cacert = NULL; tk->req = NULL; tk->keypair = NULL; PKI_TOKEN_free ( tk ); goto err; } // Cleanup for the token (used only to add extensions) tk->cert = NULL; tk->cacert = NULL; tk->req = NULL; tk->keypair = NULL; PKI_TOKEN_free ( tk ); } if (!digest) { if (!algor) { PKI_log_debug("Getting the Digest Algorithm from the CA cert"); // Let's get the Digest Algorithm from the CA Cert if (ca_cert) { if((algor = PKI_X509_CERT_get_data(ca_cert, PKI_X509_DATA_ALGORITHM )) == NULL) { PKI_log_err("Can not retrieve DATA algorithm from CA cert"); } } } // If we have an Algor from either the passed argument or // the CA Certificate, extract the digest from it. Otherwise // get the digest from the signing key if (algor) { if((digest = PKI_ALGOR_get_digest(algor)) == NULL ) { PKI_log_err("Can not get digest from algor"); } } // Check, if still no digest, let's try from the signing Key if (digest == NULL) { if ((digest = PKI_DIGEST_ALG_get_by_key( kPair )) == NULL) { PKI_log_err("Can not infer digest algor from the key pair"); } } } // No Digest Here ? We failed... if (digest == NULL) { PKI_log_err("PKI_X509_CERT_new()::Can not get the digest!"); return( NULL ); } // Sign the data if (PKI_X509_sign(ret, digest, kPair) == PKI_ERR) { PKI_log_err ("Can not sign certificate [%s]", ERR_error_string(ERR_get_error(), NULL )); PKI_X509_CERT_free ( ret ); return NULL; } #if ( OPENSSL_VERSION_NUMBER >= 0x0090900f ) # if OPENSSL_VERSION_NUMBER < 0x1010000fL PKI_X509_CERT_VALUE *cVal = (PKI_X509_CERT_VALUE *) ret->value; if (cVal && cVal->cert_info) { PKI_log_debug("Signature = %s", PKI_ALGOR_get_parsed(cVal->cert_info->signature)); } # endif // PKI_X509_CINF_FULL *cFull = NULL; // cFull = (PKI_X509_CINF_FULL *) cVal->cert_info; // cFull->enc.modified = 1; #endif return ret; err: if (ret) PKI_X509_CERT_free(ret); if (subj) PKI_X509_NAME_free(subj); if (issuer) PKI_X509_NAME_free(issuer); return NULL; } /*! * \brief Signs a PKI_X509_CERT */ int PKI_X509_CERT_sign(PKI_X509_CERT *cert, PKI_X509_KEYPAIR *kp, PKI_DIGEST_ALG *digest) { const PKI_ALGOR *alg = NULL; if( !cert || !cert->value || !kp || !kp->value ) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; } if(!digest) { if((alg = PKI_X509_CERT_get_data(cert, PKI_X509_DATA_ALGORITHM))!=NULL) { digest = PKI_ALGOR_get_digest ( alg ); } } if(!digest) { if((digest = PKI_DIGEST_ALG_get_by_key(kp)) == NULL) { PKI_log_err("PKI_X509_CERT_new()::Can not get digest algor " "from key"); return PKI_ERR; } } if( PKI_X509_sign(cert, digest, kp) == PKI_ERR) { PKI_log_err ("PKI_X509_CERT_new()::Can not sign certificate [%s]", ERR_error_string(ERR_get_error(), NULL )); return PKI_ERR; } return PKI_OK; }; /*! * \brief Signs a PKI_X509_CERT by using a configured PKI_TOKEN */ int PKI_X509_CERT_sign_tk ( PKI_X509_CERT *cert, PKI_TOKEN *tk, PKI_DIGEST_ALG *digest) { PKI_X509_KEYPAIR *kp = NULL; if( !cert || !cert->value || !tk ) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; }; if( PKI_TOKEN_login( tk ) == PKI_ERR ) { PKI_ERROR(PKI_ERR_HSM_LOGIN, NULL); return PKI_ERR; }; if((kp = PKI_TOKEN_get_keypair( tk )) == NULL ) { return PKI_ERR; }; return PKI_X509_CERT_sign ( cert, kp, digest ); };
/* * Create identity */ int build_identity(void) { EVP_PKEY * pkey ; RSA * rsa ; EC_KEY * ecc ; X509 * cert ; X509_NAME * name ; identity ca ; char filename[FIELD_SZ+5]; FILE * pem ; /* Check before overwriting */ sprintf(filename, "%s.crt", certinfo.cn); if (access(filename, F_OK)!=-1) { fprintf(stderr, "identity named %s already exists in this directory. Exiting now\n", filename); return -1 ; } sprintf(filename, "%s.key", certinfo.cn); if (access(filename, F_OK)!=-1) { fprintf(stderr, "identity named %s already exists in this directory. Exiting now\n", filename); return -1 ; } switch (certinfo.profile) { case PROFILE_ROOT_CA: strcpy(certinfo.ou, "Root"); break; case PROFILE_SUB_CA: strcpy(certinfo.ou, "Sub"); break; case PROFILE_SERVER: strcpy(certinfo.ou, "Server"); break; case PROFILE_CLIENT: strcpy(certinfo.ou, "Client"); break; case PROFILE_WWW: strcpy(certinfo.ou, "Server"); break; default: fprintf(stderr, "Unknown profile: aborting\n"); return -1 ; } if (certinfo.ec_name[0] && certinfo.profile!=PROFILE_CLIENT) { fprintf(stderr, "ECC keys are only supported for clients\n"); return -1 ; } if (certinfo.profile != PROFILE_ROOT_CA) { /* Need to load signing CA */ if (load_ca(certinfo.signing_ca, &ca)!=0) { fprintf(stderr, "Cannot find CA key or certificate\n"); return -1 ; } /* Organization is the same as root */ X509_NAME_get_text_by_NID(X509_get_subject_name(ca.cert), NID_organizationName, certinfo.o, FIELD_SZ); } /* Generate key pair */ if (certinfo.ec_name[0]) { printf("Generating EC key [%s]\n", certinfo.ec_name); ecc = EC_KEY_new_by_curve_name(OBJ_txt2nid(certinfo.ec_name)); if (!ecc) { fprintf(stderr, "Unknown curve: [%s]\n", certinfo.ec_name); return -1 ; } EC_KEY_set_asn1_flag(ecc, OPENSSL_EC_NAMED_CURVE); EC_KEY_generate_key(ecc); pkey = EVP_PKEY_new(); EVP_PKEY_assign_EC_KEY(pkey, ecc); } else { printf("Generating RSA-%d key\n", certinfo.rsa_keysz); pkey = EVP_PKEY_new(); rsa = RSA_generate_key(certinfo.rsa_keysz, RSA_F4, progress, 0); EVP_PKEY_assign_RSA(pkey, rsa); } /* Assign all certificate fields */ cert = X509_new(); X509_set_version(cert, 2); set_serial128(cert); X509_gmtime_adj(X509_get_notBefore(cert), 0); X509_gmtime_adj(X509_get_notAfter(cert), certinfo.days * 24*60*60); X509_set_pubkey(cert, pkey); name = X509_get_subject_name(cert); if (certinfo.c[0]) { X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char*)certinfo.c, -1, -1, 0); } X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char*)certinfo.o, -1, -1, 0); X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char*)certinfo.cn, -1, -1, 0); X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_ASC, (unsigned char*)certinfo.ou, -1, -1, 0); if (certinfo.l[0]) { X509_NAME_add_entry_by_txt(name, "L", MBSTRING_ASC, (unsigned char *)certinfo.l, -1, -1, 0); } if (certinfo.st[0]) { X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_ASC, (unsigned char *)certinfo.st, -1, -1, 0); } /* Set extensions according to profile */ switch (certinfo.profile) { case PROFILE_ROOT_CA: /* CA profiles can issue certs and sign CRLS */ set_extension(cert, cert, NID_basic_constraints, "critical,CA:TRUE"); set_extension(cert, cert, NID_key_usage, "critical,keyCertSign,cRLSign"); set_extension(cert, cert, NID_subject_key_identifier, "hash"); set_extension(cert, cert, NID_authority_key_identifier, "keyid:always"); break ; case PROFILE_SUB_CA: /* CA profiles can issue certs and sign CRLS */ set_extension(ca.cert, cert, NID_basic_constraints, "critical,CA:TRUE"); set_extension(ca.cert, cert, NID_key_usage, "critical,keyCertSign,cRLSign"); set_extension(ca.cert, cert, NID_subject_key_identifier, "hash"); set_extension(ca.cert, cert, NID_authority_key_identifier, "keyid:always"); break; case PROFILE_CLIENT: if (certinfo.san[0]) { set_extension(ca.cert, cert, NID_subject_alt_name, certinfo.san); } set_extension(ca.cert, cert, NID_basic_constraints, "CA:FALSE"); set_extension(ca.cert, cert, NID_anyExtendedKeyUsage, "clientAuth"); set_extension(ca.cert, cert, NID_key_usage, "digitalSignature"); set_extension(ca.cert, cert, NID_subject_key_identifier, "hash"); set_extension(ca.cert, cert, NID_authority_key_identifier, "issuer:always,keyid:always"); break ; case PROFILE_SERVER: if (certinfo.san[0]) { set_extension(ca.cert, cert, NID_subject_alt_name, certinfo.san); } set_extension(ca.cert, cert, NID_basic_constraints, "CA:FALSE"); set_extension(ca.cert, cert, NID_netscape_cert_type, "server"); set_extension(ca.cert, cert, NID_anyExtendedKeyUsage, "serverAuth"); set_extension(ca.cert, cert, NID_key_usage, "digitalSignature,keyEncipherment"); set_extension(ca.cert, cert, NID_subject_key_identifier, "hash"); set_extension(ca.cert, cert, NID_authority_key_identifier, "issuer:always,keyid:always"); break ; case PROFILE_WWW: if (certinfo.san[0]) { set_extension(ca.cert, cert, NID_subject_alt_name, certinfo.san); } set_extension(ca.cert, cert, NID_basic_constraints, "CA:FALSE"); set_extension(ca.cert, cert, NID_netscape_cert_type, "server"); set_extension(ca.cert, cert, NID_anyExtendedKeyUsage, "serverAuth,clientAuth"); set_extension(ca.cert, cert, NID_key_usage, "digitalSignature,keyEncipherment"); set_extension(ca.cert, cert, NID_subject_key_identifier, "hash"); set_extension(ca.cert, cert, NID_authority_key_identifier, "issuer:always,keyid:always"); break; case PROFILE_UNKNOWN: default: break ; } /* Set issuer */ if (certinfo.profile==PROFILE_ROOT_CA) { /* Self-signed */ X509_set_issuer_name(cert, name); X509_sign(cert, pkey, EVP_sha256()); } else { /* Signed by parent CA */ X509_set_issuer_name(cert, X509_get_subject_name(ca.cert)); X509_sign(cert, ca.key, EVP_sha256()); } printf("Saving results to %s.[crt|key]\n", certinfo.cn); pem = fopen(filename, "wb"); PEM_write_PrivateKey(pem, pkey, NULL, NULL, 0, NULL, NULL); fclose(pem); sprintf(filename, "%s.crt", certinfo.cn); pem = fopen(filename, "wb"); PEM_write_X509(pem, cert); fclose(pem); X509_free(cert); EVP_PKEY_free(pkey); if (certinfo.profile!=PROFILE_ROOT_CA) { X509_free(ca.cert); EVP_PKEY_free(ca.key); } printf("done\n"); return 0; }