/*
 * call-seq:
 *    pkcs7.cipher = cipher -> cipher
 *
 * Installs +cipher+ as the content-encryption algorithm of the wrapped
 * PKCS7 structure.  Raises PKCS7Error when PKCS7_set_cipher() reports
 * failure; otherwise returns the cipher object that was passed in.
 */
static VALUE
ossl_pkcs7_set_cipher(VALUE self, VALUE cipher)
{
    PKCS7 *pkcs7;
    const EVP_CIPHER *evp_cipher;

    GetPKCS7(self, pkcs7);
    evp_cipher = GetCipherPtr(cipher);

    /* PKCS7_set_cipher() returns 0 on failure, e.g. for a content type
     * that carries no encrypted data. */
    if (PKCS7_set_cipher(pkcs7, evp_cipher) == 0) {
	ossl_raise(ePKCS7Error, NULL);
    }

    return cipher;
}
/*
 * Sets the content-encryption cipher of a PKCS#7 object.
 *
 * p7      wrapper whose ->value is the underlying OpenSSL PKCS7
 * cipher  cipher to install
 *
 * Returns PKI_OK on success.  Returns PKI_ERR when an argument is NULL,
 * when the PKCS#7 type is neither ENCRYPTED nor SIGNEDANDENCRYPTED (the
 * only types that carry encrypted content), or when PKCS7_set_cipher()
 * fails (the OpenSSL error is logged at debug level).
 */
int PKI_X509_PKCS7_set_cipher ( PKI_X509_PKCS7 *p7, PKI_CIPHER *cipher ) {

	int p7_type = 0;

	/* Reject a missing wrapper, an empty wrapper or a missing cipher */
	if ( p7 == NULL || p7->value == NULL || cipher == NULL ) {
		return PKI_ERR;
	}

	/* A cipher only makes sense for content types that are encrypted */
	p7_type = PKI_X509_PKCS7_get_type ( p7 );
	if ( p7_type != PKI_X509_PKCS7_TYPE_ENCRYPTED &&
	     p7_type != PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED ) {
		return PKI_ERR;
	}

	/* PKCS7_set_cipher() returns 0 on failure */
	if ( PKCS7_set_cipher(p7->value, cipher) == 0 ) {
		PKI_log_debug("PKI_X509_PKCS7_set_cipher()::Error setting Cipher "
			"[%s]", ERR_error_string(ERR_get_error(), NULL));
		return PKI_ERR;
	}

	return PKI_OK;
}
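/* Reports a fatal OpenSSL failure on stderr: the message, then the most
 * recent entry of the OpenSSL error queue, then a flush so the text is
 * visible even if the process aborts afterwards. */
static void report_openssl_failure(const char *msg)
{
	fprintf(stderr, "Fatal Error: %s\n", msg);
	fprintf(stderr, "OpenSSL Error: %s\n", ERR_error_string(ERR_get_error(), NULL));
	fflush(stderr);
}

char* sign_and_encrypt(const char *data, RSA *rsa, X509 *x509, X509 *PPx509, int verbose)
/* sign and encrypt button data for safe delivery to paypal
 *
 * data     NUL-terminated payload to sign and encrypt
 * rsa      signer's private RSA key (wrapped into an EVP_PKEY here)
 * x509     signer's certificate; also embedded in the PKCS7 output
 * PPx509   recipient certificate the content is encrypted to
 * verbose  non-zero prints one progress line per step on stdout
 *
 * Returns a malloc'd, NUL-terminated PEM string that the caller must
 * free(), or NULL on any failure (the reason is printed on stderr).
 *
 * NOTE(review): the digest (SHA-1) and cipher (3DES-CBC) are kept as the
 * sample chose them for interoperability with the peer; both are legacy
 * algorithms, so prefer a SHA-2 digest and an AES cipher where the peer
 * accepts them. */
{
	char *ret = NULL;
	EVP_PKEY *pkey = NULL;
	PKCS7 *p7 = NULL;
	BIO *p7bio = NULL;
	BIO *bio = NULL;
	PKCS7_SIGNER_INFO *si = NULL;
	char *str = NULL;
	long len;
	size_t datalen;
	int wlen;

	if (!data || !rsa || !x509 || !PPx509) {
		fprintf(stderr, "Fatal Error: sign_and_encrypt called with a NULL argument\n");
		fflush(stderr);
		return NULL;
	}

	/* BIO_write() takes an int length; refuse a payload whose length does
	 * not round-trip through int instead of silently truncating it. */
	datalen = strlen(data);
	wlen = (int)datalen;
	if (wlen < 0 || (size_t)wlen != datalen) {
		fprintf(stderr, "Fatal Error: button data too large\n");
		fflush(stderr);
		return NULL;
	}

	pkey = EVP_PKEY_new();
	if (!pkey || EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
		report_openssl_failure("Unable to create EVP_KEY from RSA key");
		goto end;
	} else if (verbose) {
		printf("Successfully created EVP_KEY from RSA key\n");
	}

	/* Create a signed and enveloped PKCS7 */
	p7 = PKCS7_new();
	if (!p7 || !PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped)) {
		report_openssl_failure("Unable to create PKCS7");
		goto end;
	}

	si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1());
	if (!si) {
		report_openssl_failure("Failed to sign PKCS7");
		goto end;
	}

	if (PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
			OBJ_nid2obj(NID_pkcs7_data)) <= 0) {
		report_openssl_failure("Unable to add signed attribute to certificate");
		goto end;
	} else if (verbose) {
		printf("Successfully added signed attribute to certificate\n");
	}

	/* Encryption */
	if (PKCS7_set_cipher(p7, EVP_des_ede3_cbc()) <= 0) {
		report_openssl_failure("Failed to set encryption algorithm");
		goto end;
	} else if (verbose) {
		printf("Successfully added encryption algorithm\n");
	}

	/* PKCS7_add_recipient() returns a pointer, so test against NULL */
	if (PKCS7_add_recipient(p7, PPx509) == NULL) {
		report_openssl_failure("Failed to add PKCS7 recipient");
		goto end;
	} else if (verbose) {
		printf("Successfully added recipient\n");
	}

	if (PKCS7_add_certificate(p7, x509) <= 0) {
		report_openssl_failure("Failed to add PKCS7 certificate");
		goto end;
	} else if (verbose) {
		printf("Successfully added certificate\n");
	}

	p7bio = PKCS7_dataInit(p7, NULL);
	if (!p7bio) {
		report_openssl_failure("Failed to initialise PKCS7 data BIO");
		goto end;
	}

	/* Pump data to special PKCS7 BIO. This encrypts and signs it.
	 * A short write, a failed flush or a failed dataFinal would otherwise
	 * yield a structure that encodes fine but does not verify. */
	if (BIO_write(p7bio, data, wlen) != wlen
	    || BIO_flush(p7bio) <= 0
	    || !PKCS7_dataFinal(p7, p7bio)) {
		report_openssl_failure("Failed to write data into PKCS7");
		goto end;
	}

	/* Write PEM encoded PKCS7 */
	bio = BIO_new(BIO_s_mem());
	if (!bio || PEM_write_bio_PKCS7(bio, p7) == 0) {
		report_openssl_failure("Failed to create PKCS7 PEM");
		goto end;
	} else if (verbose) {
		printf("Successfully created PKCS7 PEM\n");
	}

	BIO_flush(bio);
	len = BIO_get_mem_data(bio, &str);
	if (len < 0 || !str) {
		report_openssl_failure("Failed to read PKCS7 PEM from memory BIO");
		goto end;
	}

	/* Copy out as a NUL-terminated string; the memory BIO is freed below */
	ret = malloc((size_t)len + 1);
	if (!ret) {
		fprintf(stderr, "Fatal Error: out of memory\n");
		fflush(stderr);
		goto end;
	}
	memcpy(ret, str, (size_t)len);
	ret[len] = 0;

end:
	/* Free everything; each of these accepts NULL */
	BIO_free_all(bio);
	BIO_free_all(p7bio);
	PKCS7_free(p7);
	EVP_PKEY_free(pkey);
	return ret;
}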
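/* Reads at most cap bytes of path into buf.
 * Returns the byte count, or -1 if the file cannot be opened or read, or
 * if it fills buf completely (the file may then be larger than the
 * buffer and the DER blob would be truncated, so it is rejected). */
static long read_whole_file(const char *path, unsigned char *buf, size_t cap)
{
	FILE *fp = fopen(path, "rb");
	size_t got;

	if (fp == NULL) {
		fprintf(stderr, "cannot open %s\n", path);
		return -1;
	}
	got = fread(buf, 1, cap, fp);
	if (ferror(fp) || got == cap) {
		fprintf(stderr, "cannot read %s (read error, or larger than %lu bytes)\n",
			path, (unsigned long)cap);
		fclose(fp);
		return -1;
	}
	fclose(fp);
	return (long)got;
}

/* Loads a DER-encoded certificate from path; NULL on failure. */
static X509 *load_der_cert(const char *path)
{
	unsigned char data[2048];
	const unsigned char *p = data;
	long len = read_whole_file(path, data, sizeof data);
	X509 *cert;

	if (len < 0)
		return NULL;
	cert = d2i_X509(NULL, &p, len);
	if (cert == NULL)
		fprintf(stderr, "cannot parse certificate %s\n", path);
	return cert;
}

/* Loads a DER-encoded RSA private key from path; NULL on failure.
 * NOTE(review): the sample passes files named *.pem here, but
 * d2i_PrivateKey() parses DER only; if those files really are PEM this
 * fails and a PEM reader is needed instead — confirm the file format. */
static EVP_PKEY *load_der_rsa_key(const char *path)
{
	unsigned char data[2048];
	const unsigned char *p = data;
	long len = read_whole_file(path, data, sizeof data);
	EVP_PKEY *key;

	if (len < 0)
		return NULL;
	key = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, len);
	if (key == NULL)
		fprintf(stderr, "cannot parse private key %s\n", path);
	return key;
}

/* Builds a signed-and-enveloped PKCS#7 over a fixed greeting with two
 * signers/recipients read from files in the working directory, and writes
 * the DER encoding to p7signandenv.cer.
 * Returns EXIT_SUCCESS, or EXIT_FAILURE after printing the reason.
 * NOTE(review): MD5 is kept only to preserve the sample's output; it is
 * not collision resistant and a SHA-2 digest should be used instead. */
int main(int argc, char* argv[]) 
{
	PKCS7 *p7 = NULL;
	EVP_PKEY *pkey1 = NULL, *pkey2 = NULL;
	X509 *user1 = NULL, *user2 = NULL;
	BIO *inbio = NULL;
	FILE *fp = NULL;
	unsigned char *buf = NULL, *p;
	const char *greet = "hello openssl";
	int greet_len = (int)strlen(greet);
	int len;
	int rc = EXIT_FAILURE;

	(void)argc;
	(void)argv;

	/* must be called explicitly so the digest/cipher lookups below succeed */
	OpenSSL_add_all_algorithms();

	inbio = BIO_new(BIO_s_mem());
	if (inbio == NULL || BIO_write(inbio, greet, greet_len) != greet_len) {
		fprintf(stderr, "cannot create input BIO\n");
		goto end;
	}

	p7 = PKCS7_new();
	if (p7 == NULL || !PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped)) {
		fprintf(stderr, "cannot create PKCS7\n");
		goto end;
	}

	/* First user: load certificate and private key */
	user1 = load_der_cert("mycert4p12.cer");
	pkey1 = load_der_rsa_key("myprivkey.pem");
	if (user1 == NULL || pkey1 == NULL)
		goto end;
	if (!PKCS7_add_certificate(p7, user1) || PKCS7_add_recipient(p7, user1) == NULL) {
		fprintf(stderr, "cannot add first certificate/recipient\n");
		goto end;
	}
	/* Add the first user's SignerInfo to the list */
	if (PKCS7_add_signature(p7, user1, pkey1, EVP_md5()) == NULL) {
		fprintf(stderr, "cannot add first signer\n");
		goto end;
	}

	/* Second user: load certificate and private key into separate handles
	 * so the first key is not overwritten and leaked */
	user2 = load_der_cert("user2.cer");
	pkey2 = load_der_rsa_key("user2_privatekey.pem");
	if (user2 == NULL || pkey2 == NULL)
		goto end;
	if (!PKCS7_add_certificate(p7, user2) || PKCS7_add_recipient(p7, user2) == NULL) {
		fprintf(stderr, "cannot add second certificate/recipient\n");
		goto end;
	}
	/* Add the second signer to the SignerInfo list */
	if (PKCS7_add_signature(p7, user2, pkey2, EVP_md5()) == NULL) {
		fprintf(stderr, "cannot add second signer\n");
		goto end;
	}

	if (!PKCS7_set_cipher(p7, EVP_des_ede3_cbc())) {
		fprintf(stderr, "cannot set cipher\n");
		goto end;
	}

	/* Build the digital envelope (signs and encrypts the input BIO) */
	if (!PKCS7_final(p7, inbio, 0)) {
		fprintf(stderr, "PKCS7_final failed\n");
		goto end;
	}

	/* Two-pass DER encoding: size first, then the bytes */
	len = i2d_PKCS7(p7, NULL);
	if (len <= 0) {
		fprintf(stderr, "cannot size DER encoding\n");
		goto end;
	}
	buf = malloc((size_t)len);
	if (buf == NULL) {
		fprintf(stderr, "out of memory\n");
		goto end;
	}
	p = buf;
	len = i2d_PKCS7(p7, &p);
	if (len <= 0) {
		fprintf(stderr, "cannot DER-encode PKCS7\n");
		goto end;
	}
	printf("in i2d len = %d\n", len);

	fp = fopen("p7signandenv.cer", "wb");
	if (fp == NULL) {
		fprintf(stderr, "cannot open p7signandenv.cer for writing\n");
		goto end;
	}
	/* fclose() flushes; its result is what tells us the write landed */
	if (fwrite(buf, 1, (size_t)len, fp) != (size_t)len || fclose(fp) != 0) {
		fprintf(stderr, "cannot write p7signandenv.cer\n");
		fp = NULL;
		goto end;
	}
	fp = NULL;
	rc = EXIT_SUCCESS;

end:
	/* Each *_free accepts NULL.  NOTE(review): assumes the PKCS7_add_*
	 * calls took their own references to the certificates and keys, so
	 * releasing our handles after PKCS7_free is correct — verify against
	 * the OpenSSL version in use. */
	free(buf);
	PKCS7_free(p7);
	BIO_free(inbio);
	X509_free(user2);
	X509_free(user1);
	EVP_PKEY_free(pkey2);
	EVP_PKEY_free(pkey1);
	return rc;
}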