certraw.c

提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发

							  &createInfo, OBJECT_TYPE_CONTEXT );
	if( cryptStatusOK( status ) )
		{
		RESOURCE_DATA msgData;

		setResourceData( &msgData, "interop interop interop ", 24 );
		status = krnlSendMessage( createInfo.cryptHandle,
								  RESOURCE_IMESSAGE_SETATTRIBUTE_S, 
								  &msgData, CRYPT_CTXINFO_KEY );
		if( cryptStatusOK( status ) )
			status = krnlSendMessage( createInfo.cryptHandle, 
									  RESOURCE_IMESSAGE_CLONE,
									  &iCryptContext, 0 );
		krnlSendNotifier( createInfo.cryptHandle, 
						  RESOURCE_IMESSAGE_DECREFCOUNT );
		}
	if( cryptStatusOK( status ) )
		{
		RESOURCE_DATA msgData;

		setResourceData( &msgData, queryInfo.iv, queryInfo.ivLength );
		krnlSendMessage( iCryptContext,RESOURCE_IMESSAGE_SETATTRIBUTE_S, 
						 &msgData, CRYPT_CTXINFO_IV );
		status = krnlSendMessage( iCryptContext, 
								  RESOURCE_IMESSAGE_CTX_DECRYPT, 
								  userInfo, userInfoSize );
		krnlSendNotifier( iCryptContext, 
						  RESOURCE_IMESSAGE_DECREFCOUNT );
		}
	if( cryptStatusError( status ) )
		return( status );

	/* Read the user info.  If we get a bad data error at this point we 
	   report it as a wrong decryption key rather than bad data since it's 
	   more likely to be the former */
	sMemConnect( &userInfoStream, userInfo, userInfoSize );
	readSequence( &userInfoStream, NULL );
	readOctetString( &userInfoStream, userInfoPtr->pkiIssuePW, &length,
					 PKIUSER_AUTHENTICATOR_SIZE );
	status = readOctetString( &userInfoStream, userInfoPtr->pkiRevPW, 
							  &length, PKIUSER_AUTHENTICATOR_SIZE );
	sMemClose( &userInfoStream );
	if( cryptStatusError( status ) )
		return( CRYPT_ERROR_WRONGKEY );

	/* Read the user ID and any other attributes */
	return( readAttributes( stream, &userInfoPtr->attributes, 
					CRYPT_CERTTYPE_PKIUSER, sMemDataLeft( stream ),
					&userInfoPtr->errorLocus, &userInfoPtr->errorType ) );
	}

/* Write PKI user info */

int writePKIUserInfo( STREAM *stream, CERT_INFO *userInfoPtr, 
					  const CERT_INFO *issuerCertInfoPtr,
					  const CRYPT_CONTEXT iIssuerCryptContext )
	{
	BYTE userInfo[ 128 ], algoID[ 128 ];
	int extensionSize, userInfoSize, algoIDsize, status;

	UNUSED( issuerCertInfoPtr );

	if( sIsNullStream( stream ) )
		{
		BYTE keyID[ 16 ];
		int keyIDlength;

		/* Generate the key identifier.  Once it's in user-encoded form the 
		   full identifier can't quite fit so we adjust the size to the 
		   maximum amount we can encode.  This is necessary because it's 
		   also used to locate the user info in a key store, if we used the
		   un-adjusted form for the key ID we couldn't locate the stored 
		   user info using the adjusted form */
		getNonce( keyID, 16 );
		keyIDlength = adjustUserValue( keyID, 3 );
		addAttributeField( &userInfoPtr->attributes, 
						   CRYPT_CERTINFO_SUBJECTKEYIDENTIFIER, 
						   CRYPT_ATTRIBUTE_NONE, keyID, keyIDlength, 
						   ATTR_FLAG_NONE, NULL, NULL );
		status = checkAttributes( ATTRIBUTE_CERTIFICATE,
								  userInfoPtr->attributes,
								  &userInfoPtr->errorLocus,
								  &userInfoPtr->errorType );
		if( cryptStatusError( status ) )
			return( status );

		/* We can't generate the user info yet since we're doing the pre-
		   encoding pass and writing to a null stream so we leave it for the
		   actual encoding pass and only provide a size estimate for now */
		userInfoSize = ENCRYPTED_AUTHENTICATOR_SIZE;

		/* Since we can't use the fixed CA key yet, we set the algo ID size 
		   to the size of the info for the fixed 3DES key */
		algoIDsize = 22;
		}
	else
		{
		CRYPT_CONTEXT iCryptContext;
		MESSAGE_CREATEOBJECT_INFO createInfo;

		/* Create an RC4 context and use it to generate the user passwords.  
		   These aren't encryption keys but just authenticators used for 
		   MACing so we don't go to the usual extremes to protect them */
		setMessageCreateObjectInfo( &createInfo, CRYPT_ALGO_RC4 );
		status = krnlSendMessage( SYSTEM_OBJECT_HANDLE,
								  RESOURCE_IMESSAGE_DEV_CREATEOBJECT,
								  &createInfo, OBJECT_TYPE_CONTEXT );
		if( cryptStatusOK( status ) )
			{
			STREAM userInfoStream;

			sMemOpen( &userInfoStream, userInfo, 128 );
			writeSequence( &userInfoStream, 
						   2 * sizeofObject( PKIUSER_AUTHENTICATOR_SIZE ) );
			status = krnlSendMessage( createInfo.cryptHandle, 
									  RESOURCE_IMESSAGE_CTX_GENKEY, 
									  NULL, FALSE );
			if( cryptStatusOK( status ) )
				{
				krnlSendMessage( createInfo.cryptHandle, 
								 RESOURCE_IMESSAGE_CTX_ENCRYPT, 
								 userInfoPtr->pkiIssuePW, 
								 PKIUSER_AUTHENTICATOR_SIZE );
				writeOctetString( &userInfoStream, userInfoPtr->pkiIssuePW, 
								  PKIUSER_AUTHENTICATOR_SIZE, DEFAULT_TAG );
				status = krnlSendMessage( createInfo.cryptHandle, 
										  RESOURCE_IMESSAGE_CTX_ENCRYPT, 
										  userInfoPtr->pkiRevPW, 
										  PKIUSER_AUTHENTICATOR_SIZE );
				writeOctetString( &userInfoStream, userInfoPtr->pkiRevPW, 
								  PKIUSER_AUTHENTICATOR_SIZE, DEFAULT_TAG );
				userInfoSize = stell( &userInfoStream );
				}
			krnlSendNotifier( createInfo.cryptHandle, 
							  RESOURCE_IMESSAGE_DECREFCOUNT );
			sMemDisconnect( &userInfoStream );
			}
		if( cryptStatusError( status ) )
			return( status );

		/* Clone the CA key for our own use, force the use of a fresh IV, and 
		   use the cloned context to encrypt the user info.  We need to do 
		   this to prevent problems if multiple threads try to simultaneously 
		   encrypt with the CA key.  Since user objects aren't fully 
		   implemented yet, we use a fixed key as the CA key for now */
		setMessageCreateObjectInfo( &createInfo, CRYPT_ALGO_3DES );
		status = krnlSendMessage( SYSTEM_OBJECT_HANDLE, 
								  RESOURCE_IMESSAGE_DEV_CREATEOBJECT,
								  &createInfo, OBJECT_TYPE_CONTEXT );
		if( cryptStatusOK( status ) )
			{
			RESOURCE_DATA msgData;

			setResourceData( &msgData, "interop interop interop ", 24 );
			status = krnlSendMessage( createInfo.cryptHandle,
									  RESOURCE_IMESSAGE_SETATTRIBUTE_S, 
									  &msgData, CRYPT_CTXINFO_KEY );
			if( cryptStatusOK( status ) )
				status = krnlSendMessage( createInfo.cryptHandle, 
										  RESOURCE_IMESSAGE_CLONE,
										  &iCryptContext, 0 );
			krnlSendNotifier( createInfo.cryptHandle, 
							  RESOURCE_IMESSAGE_DECREFCOUNT );
			}
		if( cryptStatusOK( status ) )
			{
			int i;

			/* Add PKCS #5 padding to the end of the user info and encrypt 
			   it */
			assert( userInfoSize + 2 == ENCRYPTED_AUTHENTICATOR_SIZE );
			for( i = 0; i < 2; i++ )
				userInfo[ userInfoSize++ ] = 2;
			krnlSendNotifier( iCryptContext, RESOURCE_IMESSAGE_CTX_GENIV );
			status = krnlSendMessage( iCryptContext, 
									  RESOURCE_IMESSAGE_CTX_ENCRYPT, 
									  userInfo, userInfoSize );
			if( cryptStatusOK( status ) )
				{
				STREAM algoIDstream;

				sMemOpen( &algoIDstream, algoID, 128 );
				status = writeContextAlgoID( &algoIDstream, iCryptContext,
											 CRYPT_ALGO_NONE, 
											 ALGOID_FLAG_NONE );
				algoIDsize = stell( &algoIDstream );
				sMemDisconnect( &algoIDstream );
				}
			krnlSendNotifier( iCryptContext, 
							  RESOURCE_IMESSAGE_DECREFCOUNT );
			}
		if( cryptStatusError( status ) )
			return( status );
		}

	/* Write the user DN, encrypted user info, and any supplementary 
	   information */
	extensionSize = sizeofAttributes( userInfoPtr->attributes );
	writeDN( stream, userInfoPtr->subjectName, DEFAULT_TAG );
	swrite( stream, algoID, algoIDsize );
	writeOctetString( stream, userInfo, userInfoSize, DEFAULT_TAG );
	return( writeAttributes( stream, userInfoPtr->attributes,
							 CRYPT_CERTTYPE_PKIUSER, extensionSize ) );
	}