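/*
 * Demo driver: generate a small RSA key plus a self-made certificate request,
 * print both to stdout, and run the OpenSSL leak checker on exit.
 *
 * Command-line arguments are ignored.
 *
 * Returns 0 on success, 1 when the error BIO or the key/request could not be
 * created.
 */
int main(int argc, char **argv)
{
    /* Demo parameters handed to mkreq(): key size in bits, serial, validity
     * in days.  512-bit RSA is far below any current minimum and is only
     * acceptable for a throw-away demo. */
    enum { DEMO_KEY_BITS = 512, DEMO_SERIAL = 0, DEMO_DAYS = 365 };

    BIO *bio_err = NULL;
    X509_REQ *req = NULL;
    EVP_PKEY *pkey = NULL;
    int rc = 0;

    (void)argc;
    (void)argv;

    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    if (bio_err == NULL) {
        fputs("BIO_new_fp(stderr) failed\n", stderr);
        return 1;
    }

    /* mkreq()'s return type is not visible here, so success is judged by
     * whether both output objects were produced. */
    mkreq(&req, &pkey, DEMO_KEY_BITS, DEMO_SERIAL, DEMO_DAYS);
    if (req == NULL || pkey == NULL) {
        BIO_printf(bio_err, "mkreq failed: no key or request produced\n");
        rc = 1;
        goto out;
    }

    /* Direct access to pkey->pkey.rsa only compiles against OpenSSL releases
     * where EVP_PKEY is not opaque (pre-1.1.0). */
    RSA_print_fp(stdout, pkey->pkey.rsa, 0);
    X509_REQ_print_fp(stdout, req);
    PEM_write_X509_REQ(stdout, req);

out:
    /* Both free functions accept NULL. */
    X509_REQ_free(req);
    EVP_PKEY_free(pkey);
#ifndef OPENSSL_NO_ENGINE
    ENGINE_cleanup();
#endif
    CRYPTO_cleanup_all_ex_data();
    /* Report anything still allocated; the checker was enabled above. */
    CRYPTO_mem_leaks(bio_err);
    BIO_free(bio_err);
    return rc;
}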
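/*
 * Demo driver: generate a 1024-bit RSA key and certificate request, have
 * mkcert() write "rootkey.pem"/"rootcert.pem" (optionally protecting the key
 * with a password), then print the key and request to stdout.
 *
 * Usage: prog [passwd]
 *
 * Returns 0 on success, -1 on a usage error (as before), 1 when the error BIO
 * or the key/request could not be created.
 */
int main(int argc, char **argv)
{
    /* Demo parameters handed to mkreq(): key size in bits, serial, validity
     * in days. */
    enum { DEMO_KEY_BITS = 1024, DEMO_SERIAL = 0, DEMO_DAYS = 365 };

    BIO *bio_err = NULL;
    X509_REQ *req = NULL;
    EVP_PKEY *pkey = NULL;
    int rc = 0;

    if (argc > 2) {
        printf("usage: %s [passwd]\n", argv[0]);
        return -1;
    }

    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    if (bio_err == NULL) {
        fputs("BIO_new_fp(stderr) failed\n", stderr);
        return 1;
    }

    /* mkreq()'s return type is not visible here, so success is judged by
     * whether both output objects were produced; mkcert() must not be handed
     * a NULL request. */
    mkreq(&req, &pkey, DEMO_KEY_BITS, DEMO_SERIAL, DEMO_DAYS);
    if (req == NULL || pkey == NULL) {
        BIO_printf(bio_err, "mkreq failed: no key or request produced\n");
        rc = 1;
        goto out;
    }

    /* A password given on the command line is visible to every local user
     * through the process table and shell history; prompting or reading it
     * from a file is the safer option for anything beyond a demo. */
    mkcert(req, "rootkey.pem", "rootcert.pem", argc == 2 ? argv[1] : NULL);

    /* Direct access to pkey->pkey.rsa only compiles against OpenSSL releases
     * where EVP_PKEY is not opaque (pre-1.1.0). */
    RSA_print_fp(stdout, pkey->pkey.rsa, 0);
    X509_REQ_print_fp(stdout, req);
    PEM_write_X509_REQ(stdout, req);

out:
    /* Both free functions accept NULL. */
    X509_REQ_free(req);
    EVP_PKEY_free(pkey);
    CRYPTO_cleanup_all_ex_data();
    /* Report anything still allocated; the checker was enabled above. */
    CRYPTO_mem_leaks(bio_err);
    BIO_free(bio_err);
    return rc;
}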
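/*
 * Decode the server-supplied CSR attributes and add one entry per NID to csr.
 *
 * This switch can be enhanced to include all NID values of interest by the
 * client/server.  In addition the last parameter of
 * est_add_attributes_helper can be enhanced to provide the character string
 * type information that is included with the NID.  Presently only character
 * string types are supported.  Note that challenge password should not be
 * included here as it is handled by libest client code.
 *
 * Returns EST_ERR_NONE when the attribute blob decoded; failures to add an
 * individual attribute are reported on stdout but are not fatal.
 */
static int enroll_add_csr_attrs(X509_REQ *csr, unsigned char *attr_data, int attr_len)
{
    unsigned char *der_ptr = NULL;
    int der_len = 0;
    int nid;
    int rv;

    rv = est_decode_attributes_helper((char*)attr_data, attr_len, &der_ptr, &der_len);
    if (rv != EST_ERR_NONE) {
        printf("\nFailed to decode attributes");
        return (rv);
    }

    /* NOTE(review): this loop relies on est_get_attributes_helper consuming
     * der_len even when it reports an error; otherwise it never terminates.
     * Confirm against the helper before relying on it with untrusted input. */
    while (der_len) {
        rv = est_get_attributes_helper(&der_ptr, &der_len, &nid);
        if (rv != EST_ERR_NONE) {
            continue;
        }
        switch (nid) {
        case NID_commonName:
            /* add the attribute to the request */
            rv = est_add_attributes_helper(csr, nid, "test\n", 0);
            break;
        case NID_pkcs9_emailAddress:
            /* add the attribute to the request */
            rv = est_add_attributes_helper(csr, nid, "[email protected]\0", 0);
            break;
        case NID_undef:
            printf("\nNID is undefined; skipping it\n");
            break;
        default:
            rv = est_add_attributes_helper(csr, nid, "", 0);
            break;
        }
        if (rv != EST_ERR_NONE) {
            printf("\n Error adding NID=%d", nid);
        }
    }
    return (EST_ERR_NONE);
}

/*
 * Copy the newly enrolled PKCS#7 blob out of the library and save it as
 * "<out_dir>/newcert".  The file is only written when the copy succeeded, so
 * an uninitialised buffer is never persisted.
 *
 * Returns EST_ERR_NONE on success, EST_ERR_MALLOC when the buffer could not
 * be allocated, or the copy's error code.
 */
static int enroll_store_cert(EST_CTX *ectx, int pkcs7_len)
{
    char file_name[MAX_FILENAME_LEN];
    unsigned char *new_client_cert;
    int rv;
    int n;

    /* A non-positive length has nothing to allocate; report it the same way
     * a failed allocation would have been reported. */
    if (pkcs7_len <= 0) {
        if (verbose) {
            printf("\nenrollment returned an empty certificate\n");
        }
        return (EST_ERR_MALLOC);
    }

    new_client_cert = malloc((size_t)pkcs7_len);
    if (new_client_cert == NULL) {
        if (verbose) {
            printf("\nmalloc of destination buffer for enrollment cert failed\n");
        }
        return (EST_ERR_MALLOC);
    }

    rv = est_client_copy_enrolled_cert(ectx, new_client_cert);
    if (verbose) {
        printf("\nenrollment copy rv = %d\n", rv);
    }
    if (rv == EST_ERR_NONE) {
        /* Enrollment copy worked, dump the pkcs7 cert to stdout */
        if (verbose) {
            dumpbin(new_client_cert, pkcs7_len);
        }
        n = snprintf(file_name, sizeof file_name, "%s/newcert", out_dir);
        if (n < 0 || (size_t)n >= sizeof file_name) {
            /* A truncated path would save the certificate somewhere else. */
            printf("\nOutput path too long; certificate not saved\n");
        } else {
            save_cert(file_name, new_client_cert, pkcs7_len);
        }
    }
    free(new_client_cert);
    return (rv);
}

/*
 * Perform one EST enrollment using a freshly generated CSR.
 *
 * Fetches the server's CSR attributes first, which lets libest know whether
 * the challengePassword must be included, builds a CSR carrying those
 * attributes, enrolls it, and stores the returned certificate.
 *
 * Uses the file-scope globals priv_key, verbose and out_dir.
 *
 * Returns EST_ERR_NONE on success or an EST_ERR_* code on failure.  The CSR
 * is freed on every path.
 */
static int regular_enroll_attempt (EST_CTX *ectx)
{
    int pkcs7_len = 0;
    int rv;
    int attr_len = 0;
    unsigned char *attr_data = NULL;
    X509_REQ *csr = NULL;

    rv = est_client_get_csrattrs(ectx, &attr_data, &attr_len);
    if (rv != EST_ERR_NONE) {
        printf("\nWarning: CSR attributes were not available");
        return (rv);
    }

    /* Generate a CSR */
    csr = X509_REQ_new();
    if (csr == NULL) {
        printf("\nFailed to get X509_REQ");
        return (EST_ERR_NO_CSR);
    }

    rv = populate_x509_csr(csr, priv_key, "EST-client");
    if (rv) {
        printf("\nFailed to populate X509_REQ");
        rv = EST_ERR_X509_PUBKEY;
        goto out;
    }

    rv = enroll_add_csr_attrs(csr, attr_data, attr_len);
    if (rv != EST_ERR_NONE) {
        goto out;
    }

    X509_REQ_print_fp(stderr, csr);

    rv = est_client_enroll_csr(ectx, csr, &pkcs7_len, priv_key);
    if (verbose) {
        printf("\nenrollment rv = %d (%s) with pkcs7 length = %d\n",
               rv, EST_ERR_NUM_TO_STR(rv), pkcs7_len);
    }
    if (rv == EST_ERR_NONE) {
        /* client library has obtained the new client certificate;
         * retrieve it from the library and persist it */
        rv = enroll_store_cert(ectx, pkcs7_len);
    }

out:
    X509_REQ_free(csr);
    /* NOTE(review): ownership of attr_data (from est_client_get_csrattrs) is
     * not visible here — confirm whether the caller must free it. */
    return (rv);
}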
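/*
 * Creates an X509 certificate request (2nd stage).
 *
 * Builds a PKCS#10 request for usrkey with subject x500dn, optionally signs
 * it with the RA's private key (caIni.signRequests) and checks that
 * signature against the RA certificate (caIni.verifyAfterSign), then
 * DER-encodes it into reqbuf.
 *
 * reqbuf  - output buffer for the DER request.
 * reqlen  - on entry the capacity of reqbuf; on success the encoded length.
 * x500dn  - subject distinguished name, parsed by dn2subject().
 * usrkey  - public key to place in the request (not freed here).
 *
 * Returns OPENSSLCA_NO_ERR on success or an OPENSSLCA_ERR_* code.  On
 * failure *reqlen is left unchanged.
 */
int MakeCertificateRequest2(unsigned char *reqbuf, int *reqlen, char *x500dn, EVP_PKEY *usrkey)
{
    X509 *racert = NULL;
    EVP_PKEY *rakey = NULL;
    X509_REQ *x = NULL;
    X509_NAME *subject = NULL;
    unsigned char *p = NULL;
    int ret = OPENSSLCA_ERR_ARGS;
    int len;

    if (reqbuf == NULL || reqlen == NULL || x500dn == NULL || usrkey == NULL)
        return OPENSSLCA_ERR_ARGS;

    /* Create new request */
    if ((x = X509_REQ_new()) == NULL) {
        ret = OPENSSLCA_ERR_REQ_NEW;
        goto err;
    }

    /* Set public key in request */
    if (X509_REQ_set_pubkey(x, usrkey) != 1) {
        ret = OPENSSLCA_ERR_REQ_SET_PUBKEY;
        goto err;
    }

    /* Set subject name */
    subject = X509_REQ_get_subject_name(x);
    if (subject == NULL) {
        ret = OPENSSLCA_ERR_REQ_GET_SUBJECT;
        goto err;
    }
    ret = dn2subject(x500dn, subject);
    if (ret != OPENSSLCA_NO_ERR)
        goto err;

    if (caIni.signRequests) {
        /* Sign request with RA's private key */
        ret = read_key(&rakey, CA_PATH(caIni.raKeyFile), caIni.raKeyPasswd);
        if (ret != OPENSSLCA_NO_ERR)
            goto err;
        /* SHA-1 is no longer an acceptable signature digest; EVP_sha256() is
         * the usual replacement.  Left as is because whatever consumes these
         * requests may expect this digest — change both sides together. */
        if (!X509_REQ_sign(x, rakey, EVP_sha1())) {
            ret = OPENSSLCA_ERR_REQ_SIGN;
            goto err;
        }

        if (caIni.verifyAfterSign) {
            /* Get RA's public key */
            /* TODO: Validate RA certificate */
            ret = read_cert(&racert, CA_PATH(caIni.raCertFile));
            if (ret != OPENSSLCA_NO_ERR)
                goto err;
            /* Drop the private key before rakey is reused for the public one. */
            EVP_PKEY_free(rakey);
            rakey = NULL;
            if ((rakey = X509_get_pubkey(racert)) == NULL) {
                ret = OPENSSLCA_ERR_CERT_GET_PUBKEY;
                goto err;
            }
            /* Verify signature on request */
            if (X509_REQ_verify(x, rakey) != 1) {
                ret = OPENSSLCA_ERR_REQ_VERIFY;
                goto err;
            }
        }
    }

#ifdef _DEBUG
    /* Output request in PEM format (the request carries no private key). */
    {
        FILE *fp = fopen(DBG_PATH("request.pem"), "w");
        if (fp != NULL) {
            X509_REQ_print_fp(fp, x);
            PEM_write_X509_REQ(fp, x);
            fclose(fp);
        }
    }
#endif

    /* Encode request into DER format: size it first, then write it. */
    len = i2d_X509_REQ(x, NULL);
    if (len < 0) {
        ret = OPENSSLCA_ERR_REQ_ENCODE;
        goto err;
    }
    if (len > *reqlen) {
        ret = OPENSSLCA_ERR_BUF_TOO_SMALL;
        goto err;
    }
    p = reqbuf;
    /* The second pass must produce exactly the length announced by the first. */
    if (i2d_X509_REQ(x, &p) != len) {
        ret = OPENSSLCA_ERR_REQ_ENCODE;
        goto err;
    }
    *reqlen = len;
    ret = OPENSSLCA_NO_ERR;

err:
    /* All three free functions accept NULL. */
    X509_free(racert);
    EVP_PKEY_free(rakey);
    X509_REQ_free(x);
    return ret;
}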