/* * Given a X509_NAME object and a name identifier, set the corresponding * attribute to the given string. Used by the setattr function. * * Arguments: name - The X509_NAME object * nid - The name identifier * value - The string to set * Returns: 0 for success, -1 on failure */ static int set_name_by_nid(X509_NAME *name, int nid, char *utf8string) { X509_NAME_ENTRY *ne; int i, entry_count, temp_nid; /* If there's an old entry for this NID, remove it */ entry_count = X509_NAME_entry_count(name); for (i = 0; i < entry_count; i++) { ne = X509_NAME_get_entry(name, i); temp_nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(ne)); if (temp_nid == nid) { ne = X509_NAME_delete_entry(name, i); X509_NAME_ENTRY_free(ne); break; } } /* Add the new entry */ if (!X509_NAME_add_entry_by_NID(name, nid, MBSTRING_UTF8, (unsigned char *)utf8string, -1, -1, 0)) { exception_from_error_queue(crypto_Error); return -1; } return 0; }
X509_NAME* cnhelper_create_dn(const qeo_platform_device_info *info) { X509_NAME* dn = NULL; do { dn = X509_NAME_new(); if (dn) { char devicename[MAX_CN_LENGTH]; strncpy(devicename, info->userFriendlyName, sizeof(devicename)); if (devicename[sizeof(devicename)-1] != '\0'){ strncpy(&devicename[sizeof(devicename)-4], "...", 4); qeo_log_w("Device name exceeds the maximal allowed length of <%d> characters, cutting it off to <%s>.", sizeof(devicename)-1, devicename); } //TODO: now only the friendly name is forwarded to the server, in the future this needs to be extended if (!X509_NAME_add_entry_by_NID(dn, NID_commonName, MBSTRING_ASC, (unsigned char* ) devicename, -1, -1, 0)) { X509_NAME_free(dn); dn = NULL; break; } } qeo_log_d("created DN for device"); } while (0); return dn; }
static int set_cn(X509 *crt, ...) { int ret = 0; X509_NAME *n = NULL; va_list ap; va_start(ap, crt); n = X509_NAME_new(); if (n == NULL) goto out; while (1) { int nid; const char *name; nid = va_arg(ap, int); if (nid == 0) break; name = va_arg(ap, const char *); if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char *)name, -1, -1, 1)) goto out; } if (!X509_set_subject_name(crt, n)) goto out; ret = 1; out: X509_NAME_free(n); va_end(ap); return ret; }
// Generate a self-signed certificate, with the public key from the // given key pair. Caller is responsible for freeing the returned object. static X509* MakeCertificate(EVP_PKEY* pkey, const char* common_name) { LOG(LS_INFO) << "Making certificate for " << common_name; X509* x509 = NULL; BIGNUM* serial_number = NULL; X509_NAME* name = NULL; if ((x509=X509_new()) == NULL) goto error; if (!X509_set_pubkey(x509, pkey)) goto error; // serial number // temporary reference to serial number inside x509 struct ASN1_INTEGER* asn1_serial_number; if (!(serial_number = BN_new()) || !BN_pseudo_rand(serial_number, SERIAL_RAND_BITS, 0, 0) || !(asn1_serial_number = X509_get_serialNumber(x509)) || !BN_to_ASN1_INTEGER(serial_number, asn1_serial_number)) goto error; if (!X509_set_version(x509, 0L)) // version 1 goto error; // There are a lot of possible components for the name entries. In // our P2P SSL mode however, the certificates are pre-exchanged // (through the secure XMPP channel), and so the certificate // identification is arbitrary. It can't be empty, so we set some // arbitrary common_name. Note that this certificate goes out in // clear during SSL negotiation, so there may be a privacy issue in // putting anything recognizable here. if (!(name = X509_NAME_new()) || !X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_UTF8, (unsigned char*)common_name, -1, -1, 0) || !X509_set_subject_name(x509, name) || !X509_set_issuer_name(x509, name)) goto error; if (!X509_gmtime_adj(X509_get_notBefore(x509), 0) || !X509_gmtime_adj(X509_get_notAfter(x509), CERTIFICATE_LIFETIME)) goto error; if (!X509_sign(x509, pkey, EVP_sha1())) goto error; BN_free(serial_number); X509_NAME_free(name); LOG(LS_INFO) << "Returning certificate"; return x509; error: BN_free(serial_number); X509_NAME_free(name); X509_free(x509); return NULL; }
/** Return a newly allocated X509 name with commonName <b>cname</b>. */ static X509_NAME * tor_x509_name_new(const char *cname) { int nid; X509_NAME *name; if (!(name = X509_NAME_new())) return NULL; if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error; if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC, (unsigned char*)cname, -1, -1, 0))) goto error; return name; error: X509_NAME_free(name); return NULL; }
static X509 * gen_cert(EVP_PKEY* pkey, const char *common, int days) { X509 *x509 = NULL; BIGNUM *serial_number = NULL; X509_NAME *name = NULL; if ((x509 = X509_new()) == NULL) return NULL; if (!X509_set_pubkey(x509, pkey)) return NULL; ASN1_INTEGER* asn1_serial_number; if ((serial_number = BN_new()) == NULL || !BN_pseudo_rand(serial_number, 64, 0, 0) || (asn1_serial_number = X509_get_serialNumber(x509)) == NULL || !BN_to_ASN1_INTEGER(serial_number, asn1_serial_number)) goto cert_err; if (!X509_set_version(x509, 0L)) // version 1 goto cert_err; if ((name = X509_NAME_new()) == NULL || !X509_NAME_add_entry_by_NID( name, NID_commonName, MBSTRING_UTF8, (unsigned char*)common, -1, -1, 0) || !X509_set_subject_name(x509, name) || !X509_set_issuer_name(x509, name)) goto cert_err; if (!X509_gmtime_adj(X509_get_notBefore(x509), 0) || !X509_gmtime_adj(X509_get_notAfter(x509), days * 24 * 3600)) goto cert_err; if (!X509_sign(x509, pkey, EVP_sha1())) goto cert_err; if (0) { cert_err: X509_free(x509); x509 = NULL; } BN_free(serial_number); X509_NAME_free(name); return x509; }
static int openssl_xname_add_entry(lua_State*L) { X509_NAME* xn = CHECK_OBJECT(1, X509_NAME, "openssl.x509_name"); int nid = openssl_get_nid(L, 2); size_t size; const char*value = luaL_checklstring(L, 3, &size); int utf8 = lua_isnoneornil(L, 4) ? 1 : lua_toboolean(L, 4); int ret; if (nid==NID_undef) { lua_pushfstring(L, "(%s) is not a valid object identity", lua_tostring(L,2)); luaL_argerror(L, 2, lua_tostring(L, -1)); } ret = X509_NAME_add_entry_by_NID(xn, nid, utf8 ? MBSTRING_UTF8 : MBSTRING_ASC, (unsigned char*)value, (int)size,-1, 0); if (ret!=1) { luaL_error(L, "%s=%s can't add to X509 name", lua_tostring(L,2),value); }; return openssl_pushresult(L, ret); };
static X509 * getcert(void) { /* Dummy code to make a quick-and-dirty valid certificate with OpenSSL. Don't copy this code into your own program! It does a number of things in a stupid and insecure way. */ X509 *x509 = NULL; X509_NAME *name = NULL; EVP_PKEY *key = getkey(); int nid; time_t now = time(NULL); tt_assert(key); x509 = X509_new(); tt_assert(x509); tt_assert(0 != X509_set_version(x509, 2)); tt_assert(0 != ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)now)); name = X509_NAME_new(); tt_assert(name); nid = OBJ_txt2nid("commonName"); tt_assert(NID_undef != nid); tt_assert(0 != X509_NAME_add_entry_by_NID( name, nid, MBSTRING_ASC, (unsigned char*)"example.com", -1, -1, 0)); X509_set_subject_name(x509, name); X509_set_issuer_name(x509, name); X509_time_adj(X509_get_notBefore(x509), 0, &now); now += 3600; X509_time_adj(X509_get_notAfter(x509), 0, &now); X509_set_pubkey(x509, key); tt_assert(0 != X509_sign(x509, key, EVP_sha1())); return x509; end: X509_free(x509); return NULL; }
/** Return a newly allocated X509 name with commonName <b>cname</b>. */ static X509_NAME * tor_x509_name_new(const char *cname) { int nid; X509_NAME *name; /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */ if (!(name = X509_NAME_new())) return NULL; if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error; if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC, (unsigned char*)cname, -1, -1, 0))) goto error; /* LCOV_EXCL_BR_STOP */ return name; /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/ error: X509_NAME_free(name); return NULL; /* LCOV_EXCL_STOP */ }
static int openssl_new_xname(lua_State*L, X509_NAME* xname, int idx, int utf8) { int i, n; luaL_checktable(L, idx); luaL_argcheck(L, lua_istable(L, idx) && lua_rawlen(L, idx) > 0, idx, "must be not empty table as array"); n = lua_rawlen(L, idx); for (i = 0; i < n; i++) { lua_rawgeti(L, idx, i + 1); lua_pushnil(L); while (lua_next(L, -2) != 0) { size_t size; const char *value; int ret; int nid = openssl_get_nid(L, -2); value = luaL_checklstring(L, -1, &size); if (nid == NID_undef) { lua_pushfstring(L, "node at %d which key (%s) is not a valid object identity", i + 1, lua_tostring(L, -2)); luaL_argerror(L, idx, lua_tostring(L, -1)); } ret = X509_NAME_add_entry_by_NID(xname, nid, utf8 ? MBSTRING_UTF8 : MBSTRING_ASC, (unsigned char*)value, (int)size, -1, 0); if (ret != 1) { lua_pushfstring(L, "node at %d which %s=%s can't add to X509 name", i + 1, lua_tostring(L, -2), value); luaL_argerror(L, idx, lua_tostring(L, -1)); } lua_pop(L, 1); } } return 0; }
static OCSP_BASICRESP *make_dummy_resp(void) { const unsigned char namestr[] = "openssl.example.com"; unsigned char keybytes[128] = {7}; OCSP_BASICRESP *bs = OCSP_BASICRESP_new(); OCSP_BASICRESP *bs_out = NULL; OCSP_CERTID *cid = NULL; ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL)); ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200); X509_NAME *name = X509_NAME_new(); ASN1_BIT_STRING *key = ASN1_BIT_STRING_new(); ASN1_INTEGER *serial = ASN1_INTEGER_new(); if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, namestr, -1, -1, 1) || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)) || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1)) goto err; cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial); if (!TEST_ptr(bs) || !TEST_ptr(thisupd) || !TEST_ptr(nextupd) || !TEST_ptr(cid) || !TEST_true(OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd))) goto err; bs_out = bs; bs = NULL; err: ASN1_TIME_free(thisupd); ASN1_TIME_free(nextupd); ASN1_BIT_STRING_free(key); ASN1_INTEGER_free(serial); OCSP_CERTID_free(cid); OCSP_BASICRESP_free(bs); X509_NAME_free(name); return bs_out; }
CPK_MASTER_SECRET *CPK_MASTER_SECRET_create(const char *domain_id, EVP_PKEY *pkey, X509_ALGOR *map_algor) { int e = 1; CPK_MASTER_SECRET *master = NULL; BIGNUM *bn = NULL, *order = NULL; X509_PUBKEY *pubkey = NULL; int pkey_type; int i, bn_size, num_factors; unsigned char *bn_ptr; if (strlen(domain_id) <= 0 || strlen(domain_id) > CPK_MAX_ID_LENGTH) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_ID_LENGTH); goto err; } pkey_type = EVP_PKEY_id(pkey); if (pkey_type == EVP_PKEY_DSA) { if (!(order = ((DSA *)EVP_PKEY_get0(pkey))->q)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_BAD_ARGUMENT); goto err; } } else if (pkey_type == EVP_PKEY_EC) { const EC_GROUP *ec_group; if (!(order = BN_new())) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } ec_group = EC_KEY_get0_group((EC_KEY *)EVP_PKEY_get0(pkey)); if (!EC_GROUP_get_order(ec_group, order, NULL)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } //FIXME OPENSSL_assert assert(EC_KEY_get0_public_key((EC_KEY *)EVP_PKEY_get0(pkey)) != NULL); } else { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_PKEY_TYPE); goto err; } if (!(master = CPK_MASTER_SECRET_new())) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } master->version = 1; if (!X509_NAME_add_entry_by_NID(master->id, NID_organizationName, MBSTRING_UTF8, (unsigned char *)domain_id, -1, -1, 0)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } /* * convert EVP_PKEY to X509_ALGOR through X509_PUBKEY_set * X509_ALGOR_set0() is another choice but require more code */ // FIXME: X509_PUBKEY require pkey has a public key if (!X509_PUBKEY_set(&pubkey, pkey)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } X509_ALGOR_free(master->pkey_algor); if (!(master->pkey_algor = X509_ALGOR_dup(pubkey->algor))) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_X509_LIB); goto err; } //FIXME: check the validity of CPK_MAP X509_ALGOR_free(master->map_algor); if (!(master->map_algor = X509_ALGOR_dup(map_algor))) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } if ((num_factors = CPK_MAP_num_factors(map_algor)) <= 0) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, CPK_R_INVALID_MAP_ALGOR); goto err; } /* * create secret factors, for both DSA and EC, * the private keys are both big integers, */ bn_size = BN_num_bytes(order); if (!ASN1_STRING_set(master->secret_factors, NULL, bn_size * num_factors)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_ASN1_LIB); goto err; } bn_ptr = M_ASN1_STRING_data(master->secret_factors); memset(bn_ptr, 0, M_ASN1_STRING_length(master->secret_factors)); if (!(bn = BN_new())) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_MALLOC_FAILURE); goto err; } for (i = 0; i < num_factors; i++) { do { if (!BN_rand_range(bn, order)) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_RAND_LIB); goto err; } } while (BN_is_zero(bn)); if (!BN_bn2bin(bn, bn_ptr + bn_size - BN_num_bytes(bn))) { CPKerr(CPK_F_CPK_MASTER_SECRET_CREATE, ERR_R_BN_LIB); goto err; } bn_ptr += bn_size; } e = 0; err: if (e && master) { CPK_MASTER_SECRET_free(master); master = NULL; } if (pubkey) X509_PUBKEY_free(pubkey); if (order && pkey_type == EVP_PKEY_EC) BN_free(order); if (bn) BN_free(bn); return master; }
static int cert_init() { X509 *x509 = NULL; EVP_PKEY *pkey = NULL; BIGNUM *exponent = NULL, *serial_number = NULL; RSA *rsa = NULL; ASN1_INTEGER *asn1_serial_number; X509_NAME *name; struct dtls_cert *new_cert; ilog(LOG_INFO, "Generating new DTLS certificate"); /* objects */ pkey = EVP_PKEY_new(); exponent = BN_new(); rsa = RSA_new(); serial_number = BN_new(); name = X509_NAME_new(); x509 = X509_new(); if (!exponent || !pkey || !rsa || !serial_number || !name || !x509) goto err; /* key */ if (!BN_set_word(exponent, 0x10001)) goto err; if (!RSA_generate_key_ex(rsa, 1024, exponent, NULL)) goto err; if (!EVP_PKEY_assign_RSA(pkey, rsa)) goto err; /* x509 cert */ if (!X509_set_pubkey(x509, pkey)) goto err; /* serial */ if (!BN_pseudo_rand(serial_number, 64, 0, 0)) goto err; asn1_serial_number = X509_get_serialNumber(x509); if (!asn1_serial_number) goto err; if (!BN_to_ASN1_INTEGER(serial_number, asn1_serial_number)) goto err; /* version 1 */ if (!X509_set_version(x509, 0L)) goto err; /* common name */ if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_UTF8, (unsigned char *) "rtpengine", -1, -1, 0)) goto err; if (!X509_set_subject_name(x509, name)) goto err; if (!X509_set_issuer_name(x509, name)) goto err; /* cert lifetime */ if (!X509_gmtime_adj(X509_get_notBefore(x509), -60*60*24)) goto err; if (!X509_gmtime_adj(X509_get_notAfter(x509), CERT_EXPIRY_TIME)) goto err; /* sign it */ if (!X509_sign(x509, pkey, EVP_sha1())) goto err; /* digest */ new_cert = obj_alloc0("dtls_cert", sizeof(*new_cert), cert_free); new_cert->fingerprint.hash_func = &hash_funcs[0]; dtls_fingerprint_hash(&new_cert->fingerprint, x509); new_cert->x509 = x509; new_cert->pkey = pkey; new_cert->expires = time(NULL) + CERT_EXPIRY_TIME; dump_cert(new_cert); /* swap out certs */ rwlock_lock_w(&__dtls_cert_lock); if (__dtls_cert) obj_put(__dtls_cert); __dtls_cert = new_cert; rwlock_unlock_w(&__dtls_cert_lock); /* cleanup */ BN_free(exponent); BN_free(serial_number); X509_NAME_free(name); return 0; err: ilog(LOG_ERROR, "Failed to generate DTLS certificate"); if (pkey) EVP_PKEY_free(pkey); if (exponent) BN_free(exponent); if (rsa) RSA_free(rsa); if (x509) X509_free(x509); if (serial_number) BN_free(serial_number); return -1; }
wi_x509_t * wi_x509_init_with_common_name(wi_x509_t *x509, wi_rsa_t *rsa, wi_string_t *common_name) { X509_REQ *req; EVP_PKEY *pkey = NULL; X509_NAME *name = NULL; BIGNUM *bn = NULL; req = X509_REQ_new(); if(!req) goto err; if(X509_REQ_set_version(req, 0) != 1) goto err; name = X509_NAME_new(); if(X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, (unsigned char *) wi_string_cstring(common_name), -1, -1, 0) != 1) goto err; if(X509_REQ_set_subject_name(req, name) != 1) goto err; pkey = EVP_PKEY_new(); EVP_PKEY_set1_RSA(pkey, wi_rsa_rsa(rsa)); if(X509_REQ_set_pubkey(req, pkey) != 1) goto err; x509->x509 = X509_new(); if(!x509->x509) goto err; bn = BN_new(); if(!bn) goto err; if(BN_pseudo_rand(bn, 64, 0, 0) != 1) goto err; if(!BN_to_ASN1_INTEGER(bn, X509_get_serialNumber(x509->x509))) goto err; if(X509_set_issuer_name(x509->x509, X509_REQ_get_subject_name(req)) != 1) goto err; if(!X509_gmtime_adj(X509_get_notBefore(x509->x509), 0)) goto err; if(!X509_gmtime_adj(X509_get_notAfter(x509->x509), 3600 * 24 * 365)) goto err; if(X509_set_subject_name(x509->x509, X509_REQ_get_subject_name(req)) != 1) goto end; if(X509_set_pubkey(x509->x509, pkey) != 1) goto err; if(X509_sign(x509->x509, pkey, EVP_sha1()) == 0) goto err; goto end; err: wi_error_set_openssl_error(); wi_release(x509); x509 = NULL; end: if(req) X509_REQ_free(req); if(pkey) EVP_PKEY_free(pkey); if(name) X509_NAME_free(name); if(bn) BN_free(bn); return x509; }
void openssl_x509_crl() { RSA *r; BIO *bp; int len; FILE *fp; BIGNUM *bne; X509_CRL *crl; EVP_PKEY *pkey; X509_NAME *issuer; ASN1_INTEGER *serial; X509_REVOKED *revoked; ASN1_TIME *lastUpdate, *nextUpdate, *rvTime; unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert"; printf("\nX509_CRL info:\n"); bne = BN_new(); BN_set_word(bne, RSA_3); r = RSA_new(); RSA_generate_key_ex(r, MAX1_LEN, bne, NULL); pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, r); crl = X509_CRL_new(); X509_CRL_set_version(crl, 3); issuer = X509_NAME_new(); X509_NAME_add_entry_by_NID(issuer, NID_commonName, V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0); X509_CRL_set_issuer_name(crl, issuer); lastUpdate = ASN1_TIME_new(); ASN1_TIME_set(lastUpdate, time(NULL)); X509_CRL_set_lastUpdate(crl, lastUpdate); nextUpdate = ASN1_TIME_new(); ASN1_TIME_set(nextUpdate, time(NULL) + 1280); X509_CRL_set_nextUpdate(crl, nextUpdate); revoked = X509_REVOKED_new(); serial = ASN1_INTEGER_new(); ASN1_INTEGER_set(serial, 1280); X509_REVOKED_set_serialNumber(revoked, serial); rvTime = ASN1_TIME_new(); ASN1_TIME_set(rvTime, time(NULL) + 2000); X509_CRL_set_nextUpdate(crl, rvTime); X509_REVOKED_set_revocationDate(revoked, rvTime); X509_CRL_add0_revoked(crl, revoked); X509_CRL_sort(crl); X509_CRL_sign(crl, pkey, EVP_md5()); bp = BIO_new(BIO_s_file()); BIO_set_fp(bp, stdout, BIO_NOCLOSE); X509_CRL_print(bp, crl); len = i2d_X509_CRL(crl, NULL); buf = (unsigned char *)malloc(len + 10); p = buf; len = i2d_X509_CRL(crl, &p); fp = fopen("/tmp/crl.crl", "wb"); fwrite(buf, 1, len, fp); fclose(fp); free(buf); BIO_free(bp); X509_CRL_free(crl); }
static inline int X509_NAME_add_entry_by_NID(X509_NAME *subj, int nid, std::string value) { return X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*) value.data(), -1, -1 , 0); }
bool avjackif::async_register_new_user(std::string user_name, boost::asio::yield_context yield_context) { // 先发 client_hello if( m_shared_key.empty()) async_client_hello(yield_context); auto digest = EVP_sha1(); // 先生成 RSA 密钥 _rsa.reset(RSA_generate_key(2048, 65537, 0, 0), RSA_free); // 然后生成 CSR boost::shared_ptr<X509_REQ> csr(X509_REQ_new(), X509_REQ_free); boost::shared_ptr<EVP_PKEY> pkey(EVP_PKEY_new(), EVP_PKEY_free); EVP_PKEY_set1_RSA(pkey.get(), _rsa.get()); // 添加证书申请信息 auto subj =X509_REQ_get_subject_name(csr.get()); /* X509_NAME_add_entry_by_NID(subj, NID_countryName, "CN"); X509_NAME_add_entry_by_NID(subj, NID_stateOrProvinceName, "Shanghai"); X509_NAME_add_entry_by_NID(subj, NID_localityName, "Shanghai"); X509_NAME_add_entry_by_NID(subj, NID_organizationName, "avplayer"); X509_NAME_add_entry_by_NID(subj, NID_organizationalUnitName, "sales"); */ X509_NAME_add_entry_by_NID(subj, NID_commonName, user_name); // X509_NAME_add_entry_by_NID(subj, NID_pkcs9_emailAddress, "test-client"); X509_REQ_set_pubkey(csr.get(), pkey.get()); // 签出 CSR X509_REQ_sign(csr.get(), pkey.get(), digest); unsigned char * out = NULL; auto csr_out_len = i2d_X509_REQ(csr.get(), &out); std::string csrout((char*)out, csr_out_len); OPENSSL_free(out); out = NULL; auto rsa_key_out_len = i2d_RSA_PUBKEY(_rsa.get(), &out); std::string rsa_key((char*)out, rsa_key_out_len); OPENSSL_free(out); PEM_write_X509_REQ(stderr, csr.get()); // 然后发送 注册信息 proto::user_register user_register; user_register.set_user_name(user_name); user_register.set_rsa_pubkey(rsa_key); user_register.set_csr(csrout); boost::asio::async_write(*m_sock, boost::asio::buffer(av_router::encode(user_register)), yield_context); // 读取应答 std::unique_ptr<proto::user_register_result> user_register_result((proto::user_register_result*)async_read_protobuf_message(*m_sock, yield_context)); return user_register_result->result() == proto::user_register_result::REGISTER_SUCCEED; }
KSSLCertificate* KSSLCertificateFactory::generateSelfSigned(KSSLKeyType /*keytype*/) { #if 0 //#ifdef KSSL_HAVE_SSL X509_NAME *x509name = X509_NAME_new(); X509 *x509; ASN1_UTCTIME *beforeafter; KSSLCertificate *newcert; int rc; // FIXME: generate the private key if (keytype == KEYTYPE_UNKNOWN || (key=EVP_PKEY_new()) == NULL) { X509_NAME_free(x509name); return NULL; } switch(keytype) { case KEYTYPE_RSA: if (!EVP_PKEY_assign_RSA(key, RSA_generate_key(newkey,0x10001, req_cb,bio_err))) { } break; case KEYTYPE_DSA: if (!DSA_generate_key(dsa_params)) goto end; if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end; dsa_params=NULL; if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); break; } // FIXME: dn doesn't exist // FIXME: allow the notAfter value to be parameterized // FIXME: allow a password to lock the key with // Fill in the certificate X509_NAME_add_entry_by_NID(x509name, OBJ_txt2nid("CN"), 0x1001, (unsigned char *) dn, -1, -1, 0); x509 = X509_new(); rc = X509_set_issuer_name(x509, x509name); if (rc != 0) { X509_free(x509); X509_NAME_free(x509name); return NULL; } rc = X509_set_subject_name(x509, x509name); if (rc != 0) { X509_free(x509); X509_NAME_free(x509name); return NULL; } ASN1_INTEGER_set(X509_get_serialNumber(*x509), 0); X509_NAME_free(x509name); // Make it a 1 year certificate beforeafter = ASN1_UTCTIME_new(); if (!X509_gmtime_adj(beforeafter, -60*60*24)) { // yesterday X509_free(x509); return NULL; } if (!X509_set_notBefore(x509, beforeafter)) { X509_free(x509); return NULL; } if (!X509_gmtime_adj(beforeafter, 60*60*24*364)) { // a year from yesterday X509_free(x509); return NULL; } if (!X509_set_notAfter(x509, beforeafter)) { X509_free(x509); return NULL; } ASN1_UTCTIME_free(beforeafter); if (!X509_set_pubkey(x509, key)) { X509_free(x509); return NULL; } rc = X509_sign(x509, key, EVP_sha1()); if (rc != 0) { X509_free(x509); return NULL; } newCert = new KSSLCertificate; newCert->setCert(x509); return newCert; #else return NULL; #endif }
CertificateRequestSPKAC* CertificateRequestFactory::fromSPKAC(std::string &path) throw (EncodeException, RandomException, NetscapeSPKIException) { STACK_OF(CONF_VALUE) *sk=NULL; LHASH_OF(CONF_VALUE) *parms=NULL; X509_REQ *req=NULL; CONF_VALUE *cv=NULL; NETSCAPE_SPKI *spki = NULL; X509_REQ_INFO *ri; char *type,*buf; EVP_PKEY *pktmp=NULL; X509_NAME *n=NULL; unsigned long chtype = MBSTRING_ASC; int i; long errline; int nid; CertificateRequestSPKAC* ret=NULL; /* * Load input file into a hash table. (This is just an easy * way to read and parse the file, then put it into a convenient * STACK format). */ parms=CONF_load(NULL,path.c_str(),&errline); if (parms == NULL) { throw EncodeException(EncodeException::BUFFER_READING, "CertificateRequestFactory::fromSPKAC"); } sk=CONF_get_section(parms, "default"); if (sk_CONF_VALUE_num(sk) == 0) { if (parms != NULL) CONF_free(parms); throw EncodeException(EncodeException::BUFFER_READING, "CertificateRequestFactory::fromSPKAC"); } /* * Now create a dummy X509 request structure. We don't actually * have an X509 request, but we have many of the components * (a public key, various DN components). The idea is that we * put these components into the right X509 request structure * and we can use the same code as if you had a real X509 request. */ req=X509_REQ_new(); if (req == NULL) { if (parms != NULL) CONF_free(parms); throw RandomException(RandomException::INTERNAL_ERROR, "CertificateRequestFactory::fromSPKAC"); } /* * Build up the subject name set. */ ri=req->req_info; n = ri->subject; for (i = 0; ; i++) { if (sk_CONF_VALUE_num(sk) <= i) break; cv=sk_CONF_VALUE_value(sk,i); type=cv->name; /* Skip past any leading X. X: X, etc to allow for * multiple instances */ for (buf = cv->name; *buf ; buf++) if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { buf++; if (*buf) type = buf; break; } buf=cv->value; if ((nid=OBJ_txt2nid(type)) == NID_undef) { if (strcmp(type, "SPKAC") == 0) { spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); if (spki == NULL) { if (parms != NULL) CONF_free(parms); throw EncodeException(EncodeException::BASE64_DECODE, "CertificateRequestFactory::fromSPKAC"); } } continue; } if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char *)buf, -1, -1, 0)) { if (parms != NULL) CONF_free(parms); if (spki != NULL) NETSCAPE_SPKI_free(spki); throw RandomException(RandomException::INTERNAL_ERROR, "CertificateRequestFactory::fromSPKAC"); } } if (spki == NULL) { if (parms != NULL) CONF_free(parms); throw NetscapeSPKIException(NetscapeSPKIException::SET_NO_VALUE, "CertificateRequestFactory::fromSPKAC"); } /* * Now extract the key from the SPKI structure. */ if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { if (parms != NULL) CONF_free(parms); if (spki != NULL) NETSCAPE_SPKI_free(spki); throw NetscapeSPKIException(NetscapeSPKIException::SET_NO_VALUE, "CertificateRequestFactory::fromSPKAC"); } X509_REQ_set_pubkey(req,pktmp); EVP_PKEY_free(pktmp); ret = new CertificateRequestSPKAC(req, spki); return ret; }