PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
const EVP_MD *dgst)
{
PKCS7_SIGNER_INFO *si = NULL;
if (dgst == NULL) {
int def_nid;
if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
goto err;
dgst = EVP_get_digestbynid(def_nid);
if (dgst == NULL) {
PKCS7err(PKCS7_F_PKCS7_ADD_SIGNATURE, PKCS7_R_NO_DEFAULT_DIGEST);
goto err;
}
}
if ((si = PKCS7_SIGNER_INFO_new()) == NULL)
goto err;
if (!PKCS7_SIGNER_INFO_set(si, x509, pkey, dgst))
goto err;
if (!PKCS7_add_signer(p7, si))
goto err;
return (si);
err:
PKCS7_SIGNER_INFO_free(si);
return (NULL);
}
PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
EVP_MD *dgst)
{
PKCS7_SIGNER_INFO *si;
if ((si=PKCS7_SIGNER_INFO_new()) == NULL) goto err;
if (!PKCS7_SIGNER_INFO_set(si,x509,pkey,dgst)) goto err;
if (!PKCS7_add_signer(p7,si)) goto err;
return(si);
err:
return(NULL);
}
static VALUE
ossl_pkcs7si_initialize(VALUE self, VALUE cert, VALUE key, VALUE digest)
{
PKCS7_SIGNER_INFO *p7si;
EVP_PKEY *pkey;
X509 *x509;
const EVP_MD *md;
pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
x509 = GetX509CertPtr(cert); /* NO NEED TO DUP */
md = GetDigestPtr(digest);
GetPKCS7si(self, p7si);
if (!(PKCS7_SIGNER_INFO_set(p7si, x509, pkey, (EVP_MD*)md))) {
ossl_raise(ePKCS7Error, NULL);
}
return self;
}
/* Allocate the SCEP_MSG structures */
SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey,
X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req,
X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info,
PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert,
EVP_CIPHER cipher ) {
SCEP_MSG *msg = NULL;
PKCS7_SIGNER_INFO *si = NULL;
EVP_MD *dgst=NULL;
unsigned char *raw_data = NULL;
int envelope = 0;
long raw_len = 0;
BIO *debug_bio = NULL;
BIO *p7ebio = NULL;
BIO *inbio = NULL;
char buf[256];
if ((debug_bio=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(debug_bio,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
//if( !cert || !pkey || !recip_cert )
if( !cert || !pkey )
return NULL;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Generating New SCEP-Message...\n", __FILE__, __LINE__);
/* Allocate memory and initialize structures */
if((msg = SCEP_MSG_new_null()) == NULL) return NULL;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Allocate memory\n", __FILE__, __LINE__);
/* Signed Infos */
dgst = (EVP_MD *) EVP_get_digestbyname("md5");
if( (si = PKCS7_SIGNER_INFO_new()) == NULL ) goto err;
if(!PKCS7_SIGNER_INFO_set(si, cert, pkey, dgst)) goto err;
sk_PKCS7_SIGNER_INFO_push( msg->sk_signer_info, si );
msg->signer_ias = si->issuer_and_serial;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] signer infos set\n", __FILE__, __LINE__);
/* If pkey, let's add to the message structure to ease
* message encryption (enveloped data content creation) */
SCEP_MSG_set_pkey ( msg, pkey );
// msg->signer_pkey = pkey;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] encryption key set\n", __FILE__, __LINE__);
/* If not explicit, we guess the certificate to be present
* in the passed inMsg structure, if any. Otherwise ERROR! */
if( !recip_cert && inMsg ) recip_cert = inMsg->signer_cert;
/* Set the messageType */
SCEP_set_messageType ( msg, messageType );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] message type set\n", __FILE__, __LINE__);
switch( messageType ) {
case MSG_CERTREP:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for CERTREP\n", __FILE__, __LINE__);
msg->env_data.NID_p7data = NID_pkcs7_signed;
msg->env_data.p7 = PKCS7_new();
PKCS7_set_type( msg->env_data.p7, NID_pkcs7_signed );
PKCS7_content_new( msg->env_data.p7, NID_pkcs7_data );
if( issued_cert ) {
if (debug)
BIO_printf( debug_bio,
"%s:%d: creating inner degenerated PKCS7... \n",
__FILE__, __LINE__);
/* Adds issued certificate */
PKCS7_add_certificate( msg->env_data.p7, issued_cert );
// PKCS7_add_certificate( msg->env_data.p7, cert );
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
} else if( crl ) {
if (debug)
BIO_printf( debug_bio,
"%s:%d: Adding CRL ... \n",
__FILE__, __LINE__);
/* Adds crl */
PKCS7_add_crl( msg->env_data.p7, crl );
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_PKCSREQ:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for PKCSREQ\n", __FILE__, __LINE__);
/* The inner pkcs7 structure is signed
* and enveloped and the data is to be
* the X509_REQ passed */
msg->env_data.NID_p7data =
NID_pkcs7_signedAndEnveloped;
if( req ) {
msg->env_data.content.req = req;
/* Ask for the data p7 to be generated and
* encrypted */
envelope = 1;
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_GETCRL:
if (debug)
{
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCRL\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
break;
case MSG_GETCERT:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERT\n", __FILE__, __LINE__);
msg->env_data.NID_p7data =
NID_pkcs7_signedAndEnveloped;
/* If it is a query for a general certificate
* the CAcert should be included in the enveloped
* data*/
/* Otherwise, if it is a request for its own
* certificate, the self-signed certificate should
* be included */
// if( cacert )
// msg->env_data.cacert = cacert;
/* Issuer and Serial should be present ! */
if( !ias ) goto err;
msg->env_data.content.ias = ias;
envelope = 1;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_GETCERTINITIAL:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERTINITIAL\n", __FILE__, __LINE__);
msg->env_data.NID_p7data = NID_pkcs7_signed;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
break;
case MSG_V2REQUEST: /* Not currently handled */
if (debug) {
BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for V2REQUEST\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
default:
goto err;
}
if (debug)
BIO_printf( debug_bio, "%s:%d: Debug ... \n", __FILE__, __LINE__);
/* If different from NULL, we have to encode something */
if( envelope == 1 ) {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__);
/* Encrypt the message data */
if( !SCEP_MSG_encrypt( msg, recip_cert, cipher )) goto err;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] add sign-cert to structure\n", __FILE__, __LINE__);
/* Signer certificate */
msg->signer_cert = cert;
if (debug)
PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] add attributes\n", __FILE__, __LINE__);
/* Set message attributes, if any */
if ( inMsg ) {
char *tmp = NULL;
int len = 0;
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] take data from request\n", __FILE__, __LINE__);
switch ( msg->messageType ) {
default:
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set transId\n", __FILE__, __LINE__);
/* The transId is ever required */
tmp = SCEP_get_string_attr_by_name( inMsg->attrs, "transId");
if( tmp ) {
SCEP_set_transId( msg, tmp, strlen(tmp));
OPENSSL_free( tmp );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set recipient nonce (sendernonce from req)\n", __FILE__, __LINE__);
/* Copy the sendernonce to the recipient nonce and
* generate a new sendernonce for the generated msg */
tmp = SCEP_get_octect_attr_by_name( inMsg->attrs,
"senderNonce", &len);
if( tmp ) {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] %d\n", __FILE__, __LINE__, tmp);
SCEP_set_recipientNonce( msg, tmp, len );
OPENSSL_free( tmp );
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set sender nonce\n", __FILE__, __LINE__);
SCEP_set_senderNonce_new(msg);
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] set pki_status\n", __FILE__, __LINE__);
SCEP_set_pkiStatus ( msg, PKI_PENDING );
if (debug) {
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
} else {
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] generate new data\n", __FILE__, __LINE__);
SCEP_set_senderNonce_new ( msg );
SCEP_set_recipientNonce_new ( msg );
SCEP_set_transId_new ( msg );
if (debug)
BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
}
if (debug)
PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
return (msg);
err:
ERR_print_errors_fp(stderr);
return(NULL);
}
