static gnutls_x509_crt generate_ca_certificate(requiem_client_profile_t *cp, gnutls_x509_privkey key)
{
int ret;
gnutls_x509_crt crt;
unsigned int usage = 0;
crt = generate_certificate(cp, key, authority_certificate_lifetime);
if ( ! crt )
return NULL;
usage |= GNUTLS_KEY_CRL_SIGN;
usage |= GNUTLS_KEY_KEY_CERT_SIGN;
usage |= GNUTLS_KEY_KEY_AGREEMENT;
usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
usage |= GNUTLS_KEY_DATA_ENCIPHERMENT;
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
gnutls_x509_crt_set_ca_status(crt, 1);
gnutls_x509_crt_set_key_usage(crt, usage);
ret = gnutls_x509_crt_sign(crt, crt, key);
if ( ret < 0 ) {
fprintf(stderr, "error self-signing certificate: %s.\n", gnutls_strerror(ret));
gnutls_x509_crt_deinit(crt);
return NULL;
}
return crt;
}
NaiveCertificateManager::NaiveCertificateManager(const Clock::time_point& time_now) :
m_time_now(time_now),
m_root_key_pair(root_key_pair()),
m_root_certificate_hash(HashedId8 {{ 0x17, 0x5c, 0x33, 0x48, 0x25, 0xdc, 0x7f, 0xab }}),
m_own_key_pair(m_crypto_backend.generate_key_pair()),
m_own_certificate(generate_certificate(m_own_key_pair))
{
// TODO: root certifiate hash is arbitrarily chosen for now (no root certificate exists)
}
int main() {
time_t t;
srand((unsigned) time(&t));
unsigned int id = rand(), i;
char cname[CNAME_MAX_SIZE], time[TIME_BUFFER_SIZE], valid[TIME_BUFFER_SIZE], csr[CSR_MAX_SIZE], csr_cpy[CSR_MAX_SIZE], certificate[CERTIFICATE_MAX_SIZE], certificate_cpy[CERTIFICATE_MAX_SIZE];
unsigned char auth_key[SMQV_PKEY_SIZE], token_keypair[MSS_SKEY_SIZE + MSS_PKEY_SIZE], token_skey[MSS_SKEY_SIZE], token_pkey[MSS_PKEY_SIZE], csr_signature[MSS_SIGNATURE_SIZE], signature[ECDSA_SIGNATURE_SIZE];
// valid: 3333XXXXXXXXXX
now(&valid);
valid[0] = '3';
valid[1] = '3';
valid[2] = '3';
valid[3] = '3';
sprintf(cname, "TESTE do CERTIFICATE");
unsigned char seed[LEN_BYTES(MSS_SEC_LVL)] = {0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3A,0x3B,0x3C,0x3D,0x3E,0x3F};
memcpy(token_keypair, mss_keygen(seed), MSS_SKEY_SIZE + MSS_PKEY_SIZE);
memcpy(token_skey, token_keypair, MSS_SKEY_SIZE);
memcpy(token_pkey, token_keypair + MSS_SKEY_SIZE, MSS_PKEY_SIZE);
for(i = 0; i < SMQV_PKEY_SIZE; i++)
auth_key[i] = rand();
/**
* CSR
*/
generate_csr(id, cname, auth_key, token_pkey, token_skey, csr);
if(read_csr(&id, cname, time, auth_key, token_pkey, csr_signature, csr))
printf("CSR generation/read - OK\n");
else
printf("CSR generation/read - Fail\n");
printf("\n");
/**
* CERTIFICATE
*/
unsigned char ca_skey[ECDSA_SKEY_SIZE], ca_pkey[ECDSA_PKEY_SIZE];
ecdsa_keygen(ca_skey, ca_pkey);
generate_certificate(csr, valid, ca_skey, certificate);
if(read_certificate(&id, cname, time, valid, auth_key, token_pkey, signature, ca_pkey, certificate))
printf("CERTIFICATE generation/read - OK\n");
else
printf("CERTIFICATE generation/read - Fail\n");
printf("\n");
return 0;
}
static gnutls_x509_crt generate_signed_certificate(requiem_client_profile_t *cp,
uint64_t analyzerid,
gnutls_x509_crt ca_crt,
gnutls_x509_privkey ca_key,
gnutls_x509_crq crq)
{
int ret;
gnutls_x509_crt crt;
unsigned char buf[65535];
size_t size = sizeof(buf);
crt = generate_certificate(cp, NULL, generated_certificate_lifetime);
if ( ! crt )
return NULL;
ret = gnutls_x509_crt_set_crq(crt, crq);
if ( ret < 0 ) {
fprintf(stderr, "error associating certificate with CRQ: %s.\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_set_serial(crt, &analyzerid, sizeof(analyzerid));
if ( ret < 0 ) {
fprintf(stderr, "error setting certificate serial: %s.\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_get_key_id(ca_crt, 0, buf, &size);
if ( ret < 0 ) {
fprintf(stderr, "error getting CA key ID: %s.\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_set_authority_key_id(crt, buf, size);
if ( ret < 0 ) {
fprintf(stderr, "error setting authority key ID: %s?\n", gnutls_strerror(ret));
goto err;
}
ret = gnutls_x509_crt_sign(crt, ca_crt, ca_key);
if ( ret < 0 ) {
fprintf(stderr, "error signing certificate: %s.\n", gnutls_strerror(ret));
goto err;
}
return crt;
err:
gnutls_x509_crt_deinit(crt);
return NULL;
}
const Certificate& NaiveCertificateManager::own_certificate()
{
// renew certificate if necessary
for (auto& validity_restriction : m_own_certificate.validity_restriction) {
auto start_and_end = boost::get<StartAndEndValidity>(&validity_restriction);
auto renewal_deadline = convert_time32(m_time_now + std::chrono::hours(1));
if (start_and_end && start_and_end->end_validity < renewal_deadline) {
m_own_certificate = generate_certificate(m_own_key_pair);
break;
}
}
return m_own_certificate;
}
/** Entry point to tor-gencert */
int
main(int argc, char **argv)
{
int r = 1;
init_logging(1);
/* Don't bother using acceleration. */
if (crypto_global_init(0, NULL, NULL)) {
fprintf(stderr, "Couldn't initialize crypto library.\n");
return 1;
}
if (crypto_seed_rng()) {
fprintf(stderr, "Couldn't seed RNG.\n");
goto done;
}
/* Make sure that files are made private. */
umask(0077);
if (parse_commandline(argc, argv))
goto done;
if (load_identity_key())
goto done;
if (reuse_signing_key) {
if (load_signing_key())
goto done;
} else {
if (generate_signing_key())
goto done;
}
if (generate_certificate())
goto done;
r = 0;
done:
clear_passphrase();
if (identity_key)
EVP_PKEY_free(identity_key);
if (signing_key)
EVP_PKEY_free(signing_key);
tor_free(address);
tor_free(identity_key_file);
tor_free(signing_key_file);
tor_free(certificate_file);
tor_free(address);
crypto_global_cleanup();
return r;
}
int main()
{
srand(time(NULL));
Keypair *t = generate_keypair(); // Trent
Keypair *kp1 = generate_keypair(); // Alice
/* Alice's certificate */
Certificate *c = generate_certificate("Alice", kp1->public_key,
t->private_key);
/* Bob's u */
rsa_int u = generate_random_u(c);
/* Alice computes h(u) and v */
rsa_int hu = rsa_int_hash(u);
rsa_int v = crypt(hu, kp1->private_key, 0);
/* Alice sends v to Bob
* Bob encrypts v with Alice's public key,
* and checks whether it is h(u)
* */
rsa_int r = crypt(v, kp1->public_key, 1); // E(e, v)
assert(r == hu);
/* Trace begins */
trace("204-206:u: %d", u);
trace("Sequence of bits for u");
trace_int_bits(u, "u");
trace("204-206:h(u): %d", hu);
trace("Sequence of bits for h(u)");
trace_int_bits(hu, "h(u)");
trace("204-206:v: %d", v);
trace("Sequence of bits for v");
trace_int_bits(v, "v");
trace("204-206:E(e, v): %d", r);
trace("Sequence of bits for E(e, v)");
trace_int_bits(r, "E(e, v)");
/* Trace ends */
destroy_certificate(c);
destroy_keypair(kp1);
destroy_keypair(t);
return 0;
}
int main(int argc, const char *argv[])
{
int cert_fd, issuer_fd;
int nwrites;
s_certificate cert, issuer;
if (argc != 2 && argc != 3) {
print_usage(argv[0]);
exit(EXIT_FAILURE);
}
ecc_init();
/* for critically secure code, you would need a better seed */
srand(time(NULL));
memset(&cert, 0, sizeof(cert));
memset(&issuer, 0, sizeof(cert));
/* open the new file */
cert_fd = open(argv[1], O_WRONLY | O_CREAT, S_IRUSR|S_IWUSR);
if (cert_fd == -1) {
fprintf(stderr, "unable to open %s\n", argv[1]);
perror("open");
exit(EXIT_FAILURE);
}
/* generate the certificate */
generate_certificate(&cert);
if (argc == 3) {
int nreads = 0;
/* open the issuer certificate */
issuer_fd = open(argv[2], O_RDONLY);
if (issuer_fd == -1) {
fprintf(stderr, "unable to open %s\n", argv[2]);
perror("open");
goto cleanup;
}
nreads = read(issuer_fd, &issuer, sizeof(issuer));
if (nreads != sizeof(issuer)) {
fprintf(stderr, "'%s' does not contain a valid certificate\n", argv[2]);
perror("read");
goto cleanup;
}
/* sign the new certificate */
sign_certificate(&issuer, &cert);
if (verify_certificate(&issuer.pub_cert, &cert.pub_cert)) {
fprintf(stderr, "unable to verify generated signature\n");
goto cleanup;
}
close(issuer_fd);
}
/* store the certificate */
nwrites = write(cert_fd, &cert, sizeof(cert));
if (nwrites != sizeof(cert)) {
fprintf(stderr, "unable to write the certificate\n");
perror("write");
goto cleanup;
}
close(cert_fd);
return 0;
cleanup:
unlink(argv[2]);
close(cert_fd);
exit(EXIT_FAILURE);
}
