&cryptCRL );
if( cryptStatusError( status ) )
{
printf( "cryptImportCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptCheckCert( cryptCRL, cryptCAKey );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCRL, "cryptCheckCert()", status,
__LINE__ ) );
cryptDestroyCert( cryptCRL );
cryptDestroyContext( cryptCAKey );
/* Clean up */
puts( "CRL creation succeeded.\n" );
return( TRUE );
}
/* Test complex CRL code */
/* CRL-level attributes added by testComplexCRL() via addCertFields().  The
   positional fields appear to be { attribute, value type, numeric value,
   string value, time value } -- confirm against the CERT_DATA definition.
   The list is terminated by the CRYPT_ATTRIBUTE_NONE sentinel */
static const CERT_DATA complexCRLData[] = {
/* Next update time.  0x42000000L is presumably a raw time_t (early 2005 as
   a Unix timestamp) -- confirm against the CERT_DATA definition */
{ CRYPT_CERTINFO_NEXTUPDATE, IS_TIME, 0, NULL, 0x42000000L },
/* CRL number and delta CRL indicator (base CRL number that this delta
   CRL is relative to) */
{ CRYPT_CERTINFO_CRLNUMBER, IS_NUMERIC, 1 },
{ CRYPT_CERTINFO_DELTACRLINDICATOR, IS_NUMERIC, 2 },
/* Issuing distribution point.  Note the two-stage selection process:
   first we select the GeneralName with CRYPT_CERTINFO_ISSUINGDIST_FULLNAME,
   then we access the URI inside that GeneralName with
   CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER.  The URI is test data only;
   a plain-http distribution point is normal for CRLs since the CRL itself
   is signed, but the host here is fictitious */
{ CRYPT_CERTINFO_ISSUINGDIST_FULLNAME, IS_NUMERIC, CRYPT_UNUSED },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, "http://www.wetas-r-us.com" },
/* This distribution point covers end-entity (user) certificates only */
{ CRYPT_CERTINFO_ISSUINGDIST_USERCERTSONLY, IS_NUMERIC, TRUE },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
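/* Test complex CRL creation/export.  Builds a CRL carrying the extensions in
   complexCRLData plus three revocation entries (the CA's own certificate,
   marked as compromised, and two test certificates loaded from
   CRLCERT_FILE_TEMPLATE), signs it with the CA key, round-trips it through
   export/import, and checks that the CA certificate is then reported as
   revoked with reason CRYPT_CRLREASON_CACOMPROMISE.

   Returns TRUE on success, FALSE on failure.

   Every failure path now releases the CA private-key context before
   returning (the original leaked it on each early return, leaving a live
   private-key handle for the rest of the test run).  The CRL object is
   released on the paths that don't hand it to attrErrorExit(); what
   attrErrorExit() does with the object isn't visible here, so those paths
   leave it alone exactly as the original did */
int testComplexCRL( void )
{
	CRYPT_CERTIFICATE cryptCRL, cryptRevokeCert;
	CRYPT_CONTEXT cryptCAKey;
	time_t revocationTime;
	int revocationReason, dummy, status;
	int result = FALSE;

	puts( "Testing complex CRL creation/export..." );

	/* Get the CA's private key.  Nothing to release yet if this fails */
	status = getPrivateKey( &cryptCAKey, CA_PRIVKEY_FILE,
							CA_PRIVKEY_LABEL, TEST_PRIVKEY_PASSWORD );
	if( cryptStatusError( status ) )
	{
		printf( "CA private key read failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
	}

	/* Create the CRL.  From here on the CA key context is live and must be
	   released on every exit */
	status = cryptCreateCert( &cryptCRL, CRYPT_UNUSED, CRYPT_CERTTYPE_CRL );
	if( cryptStatusError( status ) )
	{
		printf( "cryptCreateCert() failed with error code %d, line %d.\n",
				status, __LINE__ );
		goto cleanup_key;
	}

	/* Add the CRL-level extensions, then the per-entry revocation data.
	   The first entry revokes the CA's own certificate as compromised (a
	   CRL signed by a key it declares compromised is of dubious value, which
	   is part of what the test exercises), followed by two test certs */
	if( !addCertFields( cryptCRL, complexCRLData ) )
		goto cleanup_crl;
	status = cryptSetAttribute( cryptCRL, CRYPT_CERTINFO_USERCERTIFICATE,
								cryptCAKey );
	if( cryptStatusOK( status ) )
	{
		/* Entry 1: the CA key was compromised */
		status = cryptSetAttribute( cryptCRL, CRYPT_CERTINFO_CRLREASON,
									CRYPT_CRLREASON_CACOMPROMISE );
	}
	if( cryptStatusOK( status ) )
	{
		status = importCertFromTemplate( &cryptRevokeCert,
										 CRLCERT_FILE_TEMPLATE, 1 );
	}
	if( cryptStatusOK( status ) )
	{
		status = cryptSetAttribute( cryptCRL, CRYPT_CERTINFO_USERCERTIFICATE,
									cryptRevokeCert );
		cryptDestroyCert( cryptRevokeCert );
	}
	if( cryptStatusOK( status ) )
	{
		/* Entry 2: certificate on hold, call the issuer for details */
		status = cryptSetAttribute( cryptCRL, CRYPT_CERTINFO_CRLREASON,
									CRYPT_CRLREASON_CERTIFICATEHOLD );
		if( cryptStatusOK( status ) )
		{
			status = cryptSetAttribute( cryptCRL,
										CRYPT_CERTINFO_HOLDINSTRUCTIONCODE,
										CRYPT_HOLDINSTRUCTION_CALLISSUER );
		}
	}
	if( cryptStatusOK( status ) )
	{
		status = importCertFromTemplate( &cryptRevokeCert,
										 CRLCERT_FILE_TEMPLATE, 2 );
	}
	if( cryptStatusOK( status ) )
	{
		status = cryptSetAttribute( cryptCRL, CRYPT_CERTINFO_USERCERTIFICATE,
									cryptRevokeCert );
		cryptDestroyCert( cryptRevokeCert );
	}
	if( cryptStatusOK( status ) )
	{
		/* Entry 3: the private key was invalid long before the revocation
		   itself.  0x2C000000L is passed as a raw time_t */
		const time_t invalidityDate = 0x2C000000L;

		status = cryptSetAttributeString( cryptCRL,
										  CRYPT_CERTINFO_INVALIDITYDATE,
										  &invalidityDate, sizeof( time_t ) );
	}
	if( cryptStatusError( status ) )
	{
		result = attrErrorExit( cryptCRL, "cryptSetAttribute()", status,
								__LINE__ );
		goto cleanup_key;
	}

	/* Sign the CRL */
	status = cryptSignCert( cryptCRL, cryptCAKey );
	if( cryptStatusError( status ) )
	{
		result = attrErrorExit( cryptCRL, "cryptSignCert()", status,
								__LINE__ );
		goto cleanup_key;
	}

	/* Print information on what we've got */
	if( !printCertInfo( cryptCRL ) )
		goto cleanup_crl;

	/* Check the signature.  Since we have the CA private key handy, we use
	   that to check the signature */
	status = cryptCheckCert( cryptCRL, cryptCAKey );
	if( cryptStatusError( status ) )
	{
		result = attrErrorExit( cryptCRL, "cryptCheckCert()", status,
								__LINE__ );
		goto cleanup_key;
	}

	/* Export the CRL into the shared certBuffer */
	status = cryptExportCert( certBuffer, &certificateLength,
							  CRYPT_CERTFORMAT_CERTIFICATE, cryptCRL );
	if( cryptStatusError( status ) )
	{
		result = attrErrorExit( cryptCRL, "cryptExportCert()", status,
								__LINE__ );
		goto cleanup_key;
	}
	printf( "Exported CRL is %d bytes long.\n", certificateLength );
	debugDump( "crlc", certBuffer, certificateLength );

	/* Destroy the CRL.  If this fails the object's state is unknown, so we
	   don't try to destroy it a second time on the way out */
	status = cryptDestroyCert( cryptCRL );
	if( cryptStatusError( status ) )
	{
		printf( "cryptDestroyCert() failed with error code %d, line %d.\n",
				status, __LINE__ );
		goto cleanup_key;
	}

	/* Make sure we can read what we created, and that the re-imported
	   CRL's signature still verifies against the CA key */
	status = cryptImportCert( certBuffer, certificateLength, CRYPT_UNUSED,
							  &cryptCRL );
	if( cryptStatusError( status ) )
	{
		printf( "cryptImportCert() failed with error code %d, line %d.\n",
				status, __LINE__ );
		goto cleanup_key;
	}
	status = cryptCheckCert( cryptCRL, cryptCAKey );
	if( cryptStatusError( status ) )
	{
		result = attrErrorExit( cryptCRL, "cryptCheckCert()", status,
								__LINE__ );
		goto cleanup_key;
	}

	/* Check the newly-revoked CA key against the CRL.  The only acceptable
	   outcome is CRYPT_ERROR_INVALID: a clean pass means the revocation
	   entry wasn't honoured, and any other error code means the check
	   itself didn't work, so both are failures */
	status = cryptCheckCert( cryptCAKey, cryptCRL );
	if( status != CRYPT_ERROR_INVALID )
	{
		printf( "Revoked cert wasn't reported as being revoked, line %d.\n",
				__LINE__ );
		goto cleanup_crl;
	}

	/* Read back the revocation details for the entry that matched.  The
	   revocation date is fetched only to confirm it's readable; its value
	   isn't checked */
	status = cryptGetAttributeString( cryptCRL, CRYPT_CERTINFO_REVOCATIONDATE,
									  &revocationTime, &dummy );
	if( cryptStatusOK( status ) )
	{
		status = cryptGetAttribute( cryptCRL, CRYPT_CERTINFO_CRLREASON,
									&revocationReason );
	}
	if( cryptStatusError( status ) )
	{
		result = attrErrorExit( cryptCRL, "cryptGetAttribute()", status,
								__LINE__ );
		goto cleanup_key;
	}
	if( revocationReason != CRYPT_CRLREASON_CACOMPROMISE )
	{
		printf( "Revocation reason was %d, should have been %d.\n",
				revocationReason, CRYPT_CRLREASON_CACOMPROMISE );
		goto cleanup_crl;
	}

	puts( "CRL creation succeeded.\n" );
	result = TRUE;

	/* Clean up.  cleanup_crl releases the CRL object and falls through to
	   release the CA key; paths that handed the CRL to attrErrorExit() jump
	   straight to cleanup_key */
cleanup_crl:
	cryptDestroyCert( cryptCRL );
cleanup_key:
	cryptDestroyContext( cryptCAKey );
	return( result );
}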
/* Test revocation request code */
/* Attributes added to the revocation request by testRevRequest() via
   addCertFields().  The positional fields appear to be { attribute, value
   type, numeric value, string value, time value } -- confirm against the
   CERT_DATA definition.  The list is terminated by the CRYPT_ATTRIBUTE_NONE
   sentinel */
static const CERT_DATA revRequestData[] = {
/* Revocation reason: the certificate has been superseded */
{ CRYPT_CERTINFO_CRLREASON, IS_NUMERIC, CRYPT_CRLREASON_SUPERSEDED },
/* Invalidity date.  0x42000000L is presumably a raw time_t (early 2005 as
   a Unix timestamp) -- confirm against the CERT_DATA definition */
{ CRYPT_CERTINFO_INVALIDITYDATE, IS_TIME, 0, NULL, 0x42000000L },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
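/* Test revocation request creation/export.  Loads the first test
   certificate (CERT_FILE_TEMPLATE, 1), wraps it in a
   CRYPT_CERTTYPE_REQUEST_REVOCATION object together with the revRequestData
   attributes, and prints the result.  The export/re-import round trip is
   compiled out (#if 0) because CMP doesn't currently allow revocation
   requests to be signed.

   Returns TRUE on success, or when the test is skipped because the
   certificate fixture can't be imported; FALSE on failure.

   Fixed relative to the original: the certificate object is released if
   request creation fails, and the request object is released on the
   addCertFields() and printCertInfo() failure paths, instead of being
   leaked */
int testRevRequest( void )
{
	CRYPT_CERTIFICATE cryptCert, cryptRequest;
	FILE *filePtr;
	BYTE buffer[ BUFFER_SIZE ];
	int count, status;

	puts( "Testing revocation request creation/export..." );

	/* Read the certificate to be revoked.  buffer holds the filename first
	   and is then reused for the file contents.  Note that a file larger
	   than BUFFER_SIZE is silently truncated by the fread() and will simply
	   fail to import below */
	filenameFromTemplate( buffer, CERT_FILE_TEMPLATE, 1 );
	if( ( filePtr = fopen( buffer, "rb" ) ) == NULL )
	{
		puts( "Couldn't find certificate file for revocation request test." );
		return( FALSE );
	}
	count = fread( buffer, 1, BUFFER_SIZE, filePtr );
	fclose( filePtr );
	status = cryptImportCert( buffer, count, CRYPT_UNUSED, &cryptCert );
	if( cryptStatusError( status ) )
	{
		/* An unusable fixture is reported as a skip rather than a failure,
		   so this path deliberately returns TRUE */
		puts( "Cert import failed, skipping test of revocation request..." );
		return( TRUE );
	}

	/* Create the revocation request object and add the certificate details
	   and revocation info.  The certificate object is only needed to seed
	   the request and is released as soon as it's been attached */
	status = cryptCreateCert( &cryptRequest, CRYPT_UNUSED,
							  CRYPT_CERTTYPE_REQUEST_REVOCATION );
	if( cryptStatusError( status ) )
	{
		printf( "cryptCreateCert() failed with error code %d, line %d.\n",
				status, __LINE__ );
		cryptDestroyCert( cryptCert );
		return( FALSE );
	}
	status = cryptSetAttribute( cryptRequest, CRYPT_CERTINFO_CERTIFICATE,
								cryptCert );
	cryptDestroyCert( cryptCert );
	if( cryptStatusError( status ) )
	{
		return( attrErrorExit( cryptRequest, "cryptSetAttribute()", status,
							   __LINE__ ) );
	}
	if( !addCertFields( cryptRequest, revRequestData ) )
	{
		cryptDestroyCert( cryptRequest );
		return( FALSE );
	}

	/* Print information on what we've got */
	if( !printCertInfo( cryptRequest ) )
	{
		cryptDestroyCert( cryptRequest );
		return( FALSE );
	}

#if 0 /* CMP doesn't currently allow revocation requests to be signed, so
		 it's treated like CMS attributes as a series of uninitialised
		 attributes */
	/* Export the request */
	status = cryptExportCert( certBuffer, &certificateLength,
							  CRYPT_CERTFORMAT_CERTIFICATE, cryptRequest );
	if( cryptStatusError( status ) )
	{
		return( attrErrorExit( cryptRequest, "cryptExportCert()", status,
							   __LINE__ ) );
	}
	printf( "Exported revocation request is %d bytes long.\n",
			certificateLength );
	debugDump( "req_rev", certBuffer, certificateLength );

	/* Destroy the request */
	status = cryptDestroyCert( cryptRequest );
	if( cryptStatusError( status ) )
	{
		printf( "cryptDestroyCert() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
	}

	/* Make sure we can read what we created */
	status = cryptImportCert( certBuffer, certificateLength, CRYPT_UNUSED,
							  &cryptRequest );
	if( cryptStatusError( status ) )
	{
		printf( "cryptImportCert() failed with error code %d, line %d.\n",
				status, __LINE__ );
		return( FALSE );
	}
#endif /* 0 */

	/* Clean up */
	cryptDestroyCert( cryptRequest );
	puts( "Revocation request creation succeeded.\n" );
	return( TRUE );
}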
/* Test cert chain creation */
int testCertChain( void )
{
CRYPT_CERTIFICATE cryptCertChain, cryptCertRequest;
CRYPT_CONTEXT pubKeyContext, privKeyContext;
CRYPT_CONTEXT cryptCAKey;
int value, status;
puts( "Testing certificate chain creation/export..." );
/* Get the CA's private key */
status = getPrivateKey( &cryptCAKey, CA_PRIVKEY_FILE,
CA_PRIVKEY_LABEL, TEST_PRIVKEY_PASSWORD );
if( cryptStatusError( status ) )
{
printf( "CA private key read failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Create the cert chain */
status = cryptCreateCert( &cryptCertChain, CRYPT_UNUSED,
CRYPT_CERTTYPE_CERTCHAIN );
if( cryptStatusError( status ) )
{
printf( "cryptCreateCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Create a simple cert request to turn into the end-user cert */
if( !loadRSAContexts( CRYPT_UNUSED, &pubKeyContext, &privKeyContext ) )
return( FALSE );
status = cryptCreateCert( &cryptCertRequest, CRYPT_UNUSED,
CRYPT_CERTTYPE_CERTREQUEST );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptCertRequest,
CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, pubKeyContext );
if( cryptStatusOK( status ) && \
!addCertFields( cryptCertRequest, certRequestData ) )
return( FALSE );
destroyContexts( CRYPT_UNUSED, pubKeyContext, privKeyContext );
if( cryptStatusError( status ) )
{
printf( "Certificate creation failed, line %d.\n", status, __LINE__ );
return( FALSE );
}
/* Add the end-user cert to the chain */
status = cryptSetAttribute( cryptCertChain,
CRYPT_CERTINFO_CERTREQUEST, cryptCertRequest );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCertChain, "cryptSetAttribute()", status,
__LINE__ ) );
cryptDestroyCert( cryptCertRequest );
/* Sign the cert chain */
status = cryptSignCert( cryptCertChain, cryptCAKey );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptCertChain, "cryptSignCert()", status,
__LINE__ ) );