certcgi.c
/*
 * Tail of AddAltName() -- the head of the function (where name, which,
 * genName, issuerCert, issuersAltName, autoIssuer, type, arena and mark
 * are set up) lies above this span.
 */
                /* NOTE(review): name's capacity is not visible here; this copy and
                 * the " - 5" suffix are unbounded -- confirm name is sized for
                 * subjectName plus the suffix. */
                PORT_Strcpy(name, (*issuerCert).subjectName);
                PORT_Strcat(name, " - 5");
            }
        } else {
            which = make_copy_string("IssuerAltNameSelect0", 20,'\0');
            genName = MakeAltName(data, which, arena);
        }
    }
    /* type 0 = subjectAltName, otherwise issuerAltName. The result of
     * EncodeAndAddExtensionValue() is discarded in both branches, so within
     * this tail rv is only updated on the CERT_AddExtension path. */
    if (type == 0) {
        EncodeAndAddExtensionValue(arena, extHandle, genName,
                                   find_field_bool(data, "SubAltName-crit", PR_TRUE),
                                   SEC_OID_X509_SUBJECT_ALT_NAME,
                                   (EXTEN_VALUE_ENCODER) CERT_EncodeAltNameExtension);
    } else {
        if (autoIssuer && (name == NULL)) {
            /* issuer's own altName is re-used verbatim (already DER-encoded) */
            rv = CERT_AddExtension (extHandle, SEC_OID_X509_ISSUER_ALT_NAME,
                                    issuersAltName,
                                    find_field_bool(data, "IssuerAltName-crit", PR_TRUE),
                                    PR_TRUE);
        } else {
            EncodeAndAddExtensionValue(arena, extHandle, genName,
                                       find_field_bool(data, "IssuerAltName-crit", PR_TRUE),
                                       SEC_OID_X509_ISSUER_ALT_NAME,
                                       (EXTEN_VALUE_ENCODER) CERT_EncodeAltNameExtension);
        }
    }
    /* cleanup: which is heap-owned here; issuerCert and the arena mark are released */
    if (which != NULL) {
        PORT_Free(which);
    }
    if (issuerCert != NULL) {
        CERT_DestroyCertificate(issuerCert);
    }
    if (arena != NULL) {
        PORT_ArenaRelease (arena, mark);
    }
    return rv;
}

/*
 * AddNameConstraints: build a NameConstraints extension from the form
 * fields and attach it to extHandle, marked critical (the PR_TRUE argument).
 *
 * Returns rv, which is initialised to SECSuccess and never reassigned:
 * the return value of EncodeAndAddExtensionValue() is discarded, so an
 * encoding/attach failure is not reported to the caller.
 * error_allocate() is called on arena allocation failure.
 */
static SECStatus
AddNameConstraints(void *extHandle, Pair *data)
{
    PRBool autoIssuer = PR_FALSE;          /* unused in this function */
    PRArenaPool *arena = NULL;
    CERTNameConstraints *constraints = NULL;
    char *constraint = NULL;               /* unused in this function */
    SECStatus rv = SECSuccess;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
        error_allocate();
    }
    constraints = MakeNameConstraints(data, arena);
    if (constraints != NULL) {
        EncodeAndAddExtensionValue(arena, extHandle, constraints, PR_TRUE,
                                   SEC_OID_X509_NAME_CONSTRAINTS,
                                   (EXTEN_VALUE_ENCODER) CERT_EncodeNameConstraintsExtension);
    }
    if (arena != NULL) {
        /* NOTE(review): releases to a NULL mark rather than freeing the
         * arena -- confirm the arena itself is not leaked. */
        PORT_ArenaRelease (arena, NULL);
    }
    return rv;
}

/*
 * add_extensions: attach every extension the form enabled to subjectCert.
 *
 * Each extension is gated on a boolean form field (find_field_bool) and
 * built by the matching Add*/add_* helper; the Netscape URL/comment
 * extensions share add_IA5StringExtension() with a "-text" value field and
 * a "-crit" criticality field. Any helper failure goes to error_out(),
 * which appears not to return (the code never re-checks afterwards) --
 * confirm. issuerNameStr and handle are only needed for the
 * authorityKeyIdentifier and IssuerAltName extensions.
 *
 * Returns rv from the last helper invoked; the return value of
 * CERT_FinishExtensions() is ignored, so a failure in the final DER
 * encoding of the extension list is not reported here.
 */
static SECStatus
add_extensions(CERTCertificate *subjectCert, Pair *data, char *issuerNameStr, CERTCertDBHandle *handle)
{
    void *extHandle;
    SECStatus rv = SECSuccess;

    extHandle = CERT_StartCertExtensions (subjectCert);
    if (extHandle == NULL) {
        error_out("ERROR: Unable to get certificates extension handle");
    }
    if (find_field_bool(data, "keyUsage", PR_TRUE)) {
        rv = AddKeyUsage(extHandle, data);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Key Usage extension");
        }
    }
    if( find_field_bool(data, "extKeyUsage", PR_TRUE) ) {
        rv = AddExtKeyUsage(extHandle, data);
        if( SECSuccess != rv ) {
            error_out("ERROR: Unable to add Extended Key Usage extension");
        }
    }
    if (find_field_bool(data, "basicConstraints", PR_TRUE)) {
        rv = AddBasicConstraint(extHandle, data);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Basic Constraint extension");
        }
    }
    if (find_field_bool(data, "subjectKeyIdentifier", PR_TRUE)) {
        rv = AddSubKeyID(extHandle, data, subjectCert);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Subject Key Identifier Extension");
        }
    }
    if (find_field_bool(data, "authorityKeyIdentifier", PR_TRUE)) {
        /* needs the issuer's cert, hence the name string and DB handle */
        rv = AddAuthKeyID (extHandle, data, issuerNameStr, handle);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Authority Key Identifier extension");
        }
    }
    if (find_field_bool(data, "privKeyUsagePeriod", PR_TRUE)) {
        rv = AddPrivKeyUsagePeriod (extHandle, data, subjectCert);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Private Key Usage Period extension");
        }
    }
    if (find_field_bool(data, "SubAltName", PR_TRUE)) {
        /* type 0 = subjectAltName; issuer lookups not needed */
        rv = AddAltName (extHandle, data, NULL, NULL, 0);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Subject Alternative Name extension");
        }
    }
    if (find_field_bool(data, "IssuerAltName", PR_TRUE)) {
        /* type 1 = issuerAltName; may copy the issuer's own altName */
        rv = AddAltName (extHandle, data, issuerNameStr, handle, 1);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Issuer Alternative Name Extension");
        }
    }
    if (find_field_bool(data, "NameConstraints", PR_TRUE)) {
        rv = AddNameConstraints(extHandle, data);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Name Constraints Extension");
        }
    }
    if (find_field_bool(data, "netscape-cert-type", PR_TRUE)) {
        rv = AddNscpCertType(extHandle, data);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape Certificate Type Extension");
        }
    }
    /* Netscape IA5String extensions: "<name>-text" holds the value,
     * "<name>-crit" the criticality flag. find_field() may return NULL for
     * a missing "-text" field; whether add_IA5StringExtension tolerates
     * that is not visible here. */
    if (find_field_bool(data, "netscape-base-url", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-base-url-text", PR_TRUE),
                                    find_field_bool(data, "netscape-base-url-crit", PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_BASE_URL);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape Base URL Extension");
        }
    }
    if (find_field_bool(data, "netscape-revocation-url", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-revocation-url-text", PR_TRUE),
                                    find_field_bool (data, "netscape-revocation-url-crit", PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_REVOCATION_URL);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape Revocation URL Extension");
        }
    }
    if (find_field_bool(data, "netscape-ca-revocation-url", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-ca-revocation-url-text", PR_TRUE),
                                    find_field_bool (data, "netscape-ca-revocation-url-crit" , PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape CA Revocation URL Extension");
        }
    }
    if (find_field_bool(data, "netscape-cert-renewal-url", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-cert-renewal-url-text", PR_TRUE),
                                    find_field_bool (data, "netscape-cert-renewal-url-crit", PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape Certificate Renewal URL Extension");
        }
    }
    if (find_field_bool(data, "netscape-ca-policy-url", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-ca-policy-url-text", PR_TRUE),
                                    find_field_bool (data, "netscape-ca-policy-url-crit", PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_CA_POLICY_URL);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape CA Policy URL Extension");
        }
    }
    if (find_field_bool(data, "netscape-ssl-server-name", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-ssl-server-name-text", PR_TRUE),
                                    find_field_bool (data, "netscape-ssl-server-name-crit", PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape SSL Server Name Extension");
        }
    }
    if (find_field_bool(data, "netscape-comment", PR_TRUE)) {
        rv = add_IA5StringExtension(extHandle,
                                    find_field(data, "netscape-comment-text", PR_TRUE),
                                    find_field_bool(data, "netscape-comment-crit", PR_TRUE),
                                    SEC_OID_NS_CERT_EXT_COMMENT);
        if (rv != SECSuccess) {
            error_out("ERROR: Unable to add Netscape Comment Extension");
        }
    }
    /* return value not checked: a failure to finalise the extension
     * sequence is silently dropped */
    CERT_FinishExtensions(extHandle);
    return (rv);
}

/*
 * return_dbpasswd: PK11 password callback installed via PK11_SetPasswordFunc.
 *
 * Returns a freshly allocated copy of the fixed database password "foo"
 * (the caller frees it), or NULL on retry so a wrong password is never
 * re-tried against a token. slot and data are unused.
 *
 * NOTE(review): the DB password is hard-coded in the binary, which is only
 * acceptable for a throw-away test database. PORT_Alloc() is not checked
 * for NULL before PORT_Strcpy() writes through it.
 */
char *return_dbpasswd(PK11SlotInfo *slot, PRBool retry, void *data)
{
    char *rv;

    /* don't clobber our poor smart card */
    if (retry == PR_TRUE) {
        return NULL;
    }
    rv = PORT_Alloc(sizeof(char) * 4);    /* "foo" plus terminator */
    PORT_Strcpy(rv, "foo");
    return rv;
}

/*
 * FindPrivateKeyFromNameStr: look up the certificate with subject name
 * string `name` in certHandle and return the private key matching it.
 *
 * Returns the key from PK11_FindKeyByAnyCert() (ownership passes to the
 * caller; may be NULL if no key is found). Calls error_out() when the
 * certificate is not found; error_out() appears not to return, since
 * cert is dereferenced unconditionally afterwards -- confirm.
 *
 * NOTE(review): the CERTCertificate returned by CERT_FindCertByNameString()
 * is never destroyed in this function; status is unused.
 */
SECKEYPrivateKey *FindPrivateKeyFromNameStr(char *name, CERTCertDBHandle *certHandle)
{
    SECKEYPrivateKey *key;
    CERTCertificate *cert;
    SECStatus status = SECSuccess;

    cert = CERT_FindCertByNameString(certHandle, name);
    if (cert == NULL) {
        error_out("ERROR: Unable to retrieve issuers certificate");
    }
    key = PK11_FindKeyByAnyCert(cert, NULL);
    return key;
}

/*
 * SignCert: set the signature algorithm and version on cert, DER-encode it
 * and sign it with the issuer's private key.
 *
 * which_key == 0 selects the key belonging to the certificate named by
 * issuerNameStr (looked up in handle); otherwise the key is taken from the
 * file-level privkeys[] array at index which_key - 1. data supplies the
 * "ver-1" form flag (X.509 v1, version byte 0; otherwise v3, version byte 2).
 *
 * Returns a pointer to cert->derCert, the signed DER living in cert's arena.
 * Every failure goes to error_out(). result is unused.
 *
 * NOTE(review): the RSA path signs with MD5
 * (SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION), a collision-broken digest, and
 * the DSA path with SHA-1; anything beyond this test harness should use a
 * SHA-2 OID (e.g. SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION).
 */
static SECItem *SignCert(CERTCertificate *cert, char *issuerNameStr, Pair *data, CERTCertDBHandle *handle, int which_key)
{
    SECItem der;
    SECItem *result = NULL;
    SECKEYPrivateKey *caPrivateKey = NULL;
    SECStatus rv;
    PRArenaPool *arena;
    SECOidTag algID;

    if (which_key == 0) {
        caPrivateKey = FindPrivateKeyFromNameStr(issuerNameStr, handle);
    } else {
        caPrivateKey = privkeys[which_key - 1];
    }
    if (caPrivateKey == NULL) {
        error_out("ERROR: unable to retrieve issuers key");
    }
    arena = cert->arena;
    switch(caPrivateKey->keyType) {
    case rsaKey:
        algID = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
        break;
    case dsaKey:
        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
        break;
    default:
        /* the goto after error_out() suggests error_out() may return in
         * some build -- confirm; if it does, algID is left unset here */
        error_out("ERROR: Unknown key type for issuer.");
        goto done;
        break;
    }
    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
    if (rv != SECSuccess) {
        error_out("ERROR: Could not set signature algorithm id.");
    }
    /* assumes cert->version.data already points at a writable byte --
     * no NULL/len check before the store -- TODO confirm */
    if (find_field_bool(data,"ver-1", PR_TRUE)) {
        *(cert->version.data) = 0;
        cert->version.len = 1;
    } else {
        *(cert->version.data) = 2;
        cert->version.len = 1;
    }
    der.data = NULL;
    der.len = 0;
    /* encode the TBSCertificate into the cert's own arena */
    (void) SEC_ASN1EncodeItem (arena, &der, cert, CERT_CertificateTemplate);
    if (der.data == NULL) {
        error_out("ERROR: Could not encode certificate.\n");
    }
    rv = SEC_DerSignData (arena, &(cert->derCert), der.data, der.len, caPrivateKey, algID);
    if (rv != SECSuccess) {
        error_out("ERROR: Could not sign encoded certificate data.\n");
    }
done:
    /* NOTE(review): when which_key != 0 this destroys the privkeys[] entry
     * as well, leaving that slot dangling if it is used again -- confirm. */
    SECKEY_DestroyPrivateKey(caPrivateKey);
    return &(cert->derCert);
}

/*
 * main: CGI entry point (continues below this span). Reads the URL-encoded
 * form from stdin (or the built-in OFFLINE sample form), opens the cert DB
 * with the fixed password callback, and drives certificate creation.
 * Declared `void main()` -- non-standard; no exit status is returned.
 */
void
main()
{
    int length = 500;          /* initial stdin read buffer size */
    int remaining = 500;       /* free bytes left in the read buffer */
    int n;
    int fields = 3;
    int i;
    int serial;
    int chainLen;
    int which_key;
    char *pos;
#ifdef OFFLINE
    /* canned form submission used when not running under a web server */
    char *form_output = "key=MIIBPTCBpzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7SLqjWBL9Wl11Vlg%0AaMqZCvcQOL%2FnvSqYPPRP0XZy9SoAeyWzQnBOiCm2t8H5mK7r2jnKdAQOmfhjaJil%0A3hNVu3SekHOXF6Ze7bkWa6%2FSGVcY%2FojkydxFSgY43nd1iydzPQDp8WWLL%2BpVpt%2B%2B%0ATRhFtVXbF0fQI03j9h3BoTgP2lkCAwEAARYDZm9vMA0GCSqGSIb3DQEBBAUAA4GB%0AAJ8UfRKJ0GtG%2B%2BufCC6tAfTzKrq3CTBHnom55EyXcsAsv6WbDqI%2F0rLAPkn2Xo1r%0AnNhtMxIuj441blMt%2Fa3AGLOy5zmC7Qawt8IytvQikQ1XTpTBCXevytrmLjCmlURr%0ANJryTM48WaMQHiMiJpbXCqVJC1d%2FpEWBtqvALzZaOOIy&subject=CN%3D%22test%22%26serial-auto%3Dtrue%26serial_value%3D%26ver-1%3Dtrue%26ver-3%3Dfalse%26caChoiceradio-SignWithDefaultkey%3Dtrue%26caChoiceradio-SignWithRandomChain%3Dfalse%26autoCAs%3D%26caChoiceradio-SignWithSpecifiedChain%3Dfalse%26manCAs%3D%26%24";
#else
    char *form_output;
#endif
    char *issuerNameStr;
    char *certName;
    char *DBdir = DB_DIRECTORY;
    /* nickname prefixes for the generated CA chain; "" = no prefix */
    char *prefixs[10] = {"CA#1-", "CA#2-", "CA#3-", "CA#4-", "CA#5-", "CA#6-", "CA#7-", "CA#8-", "CA#9-", ""};
    Pair *form_data;
    CERTCertificate *cert;
    CERTCertDBHandle *handle;
    CERTCertificateRequest *certReq = NULL;
    int warpmonths = 0;
    SECItem *certDER;
#ifdef FILEOUT
    FILE *outfile;
#endif
    SECStatus status = SECSuccess;
    extern char prefix[PREFIX_LEN];
    SEC_PKCS7ContentInfo *certChain;
    SECItem *encodedCertChain;
    PRBool UChain = PR_FALSE;

#ifdef TEST
    sleep(20);    /* debug aid: time to attach a debugger to the CGI */
#endif
    RNG_SystemInfoForRNG();
SECU_ConfigDirectory(DBdir); PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); SECU_PKCS11Init(PR_FALSE); SEC_Init(); PK11_SetPasswordFunc(return_dbpasswd); handle = NULL; handle = OpenCertDB(); if (handle == NULL) { error_out("Error: Unable to open certificate database"); } prefix[0]= '\0';#if !defined(OFFLINE) form_output = (char*) PORT_Alloc(length); if (form_output == NULL) { error_allocate(); } pos = form_output; while (feof(stdin) == 0 ) { if (remaining <= 1) { remaining += length; length = length * 2; form_output = PORT_Realloc(form_output, (length)); if (form_output == NULL) { error_allocate(); } pos = form_output + length - remaining; } n = fread(pos, sizeof(char), (size_t) (remaining - 1), stdin); pos += n; remaining -= n; } *pos = '&'; pos++; length = pos - form_output;#else length = PORT_Strlen(form_output);#endif#ifdef FILEOUT printf("Content-type: text/plain\n\n"); fwrite(form_output, sizeof(char), (size_t)length, stdout); printf("\n");#endif#ifdef FILEOUT fwrite(form_output, sizeof(char), (size_t)length, stdout); printf("\n"); fflush(stdout);#endif form_data = make_datastruct(form_output, length); status = clean_input(form_data);#if !defined(OFFLINE) PORT_Free(form_output);#endif#ifdef FILEOUT i = 0; while(return_name(form_data, i) != NULL) { printf("%s",return_name(form_data,i)); printf("=\n"); printf("%s",return_data(form_data,i)); printf("\n"); i++; } printf("I got that done, woo hoo\n"); fflush(stdout);#endif issuerNameStr = PORT_Alloc(35 * sizeof(char)); if (find_field_bool(form_data, "caChoiceradio-SignWithSpecifiedChain", PR_FALSE)) { UChain = PR_TRUE; chainLen = atoi(find_field(form_data, "manCAs", PR_FALSE)); PORT_Strcpy(prefix, prefixs[0]); issuerNameStr = PORT_Strcpy(issuerNameStr, "CN=Cert-O-Matic II, O=Cert-O-Matic II"); if (chainLen == 0) { UChain = PR_FALSE; } } else { if (find_field_bool(form_data, "caChoiceradio-SignWithRandomChain", PR_FALSE)) { PORT_Strcpy(prefix,prefixs[9]); chainLen = atoi(find_field(form_data, "autoCAs", 
PR_FALSE)); if (chainLen < 1 |