x509packagecertificaterequest.c

vc环境下的pgp源码

#if 0
		if (encryptTo)
		{
			EncryptRecipient	 recipEntry;
			List		 recipientCertificates;
			const char		*encryptAlgString;

			switch (encryptAlg)
			{
				case kPGPCipherAlgorithm_3DES:
					encryptAlgString = SM_OID_ALG_3DES;
					break;
				default:
					return kPGPError_BadSessionKeyAlgorithm;
			}

			pgpData.key = encryptTo;

			memset (&recipientCertificates, 0, sizeof (List));
			recipientCertificates.data = (void *) &recipEntry;

			memset (&recipEntry, 0, sizeof (EncryptRecipient));

			err = PGPNewSingletonKeySet (encryptTo, &keyset);
			err = PGPExportKeySet (keyset,
				PGPOAllocatedOutputBuffer (context, (void **) &cert, 4096, &certLength),
				PGPOExportFormat (pgpData.context, kPGPExportFormat_X509Cert),
				PGPOLastOption (pgpData.context));
			PGPFreeKeySet (keyset);
			PKIUnpackCertificate (&asnContext,
				&recipEntry.certificate,
				cert,
				certLength,
				&asnError);
			PGPFreeData (cert);
			if (asnError)
			{
			}

			result = sm_EncryptMessage (certReqOut,
				certReqOutSize,
				certReqIn,
				certReqInSize,
				(signWith != NULL),
				SM_OID_CONTENT_DATA,
				encryptAlgString,
				&recipientCertificates,
				pkcs7EncryptCallback,
				(void *) &pgpData,
				&asnContext);
			if (result != PKCS7_OK)
			{
			}
			PKIFreeCertificate (&asnContext, recipEntry.certificate);
			PGPFreeData (cert);

			inputData = *certReqOut;
			inputDataSize = *certReqOutSize;
		}
#endif /* encryptTo */

		if (signWith)
		{
			/* algs hard hardcoded for now */
			const char	*digestAlgString;
			const char	*signatureAlgString;
			PGPInt32	keyAlgID;
			char		rsaSigParam[2] = { 0x05, 0x00 };
			char		*sigParam = NULL;
			size_t		sigParamSize = 0;
			char		md5param[2] = { 0x05, 0x00 };
			char		*digestParam = NULL;
			size_t		digestParamSize = 0;

			PKIINTEGER	*type;
			PKIOCTET_STRING	*nonce;
			PGPByte		*val;
			PGPSize		len;

			pgpData.key = signWith;

			/* determine pub key algorithm */
			err = PGPGetKeyNumber (signWith, kPGPKeyPropAlgID, &keyAlgID);
			if (IsPGPError (err))
				goto error_exit;
			switch (keyAlgID)
			{
				case kPGPPublicKeyAlgorithm_DSA:
					digestAlgString = SM_OID_ALG_SHA;
					signatureAlgString = SM_OID_ALG_DSA;
					break;
				case kPGPPublicKeyAlgorithm_RSA:
				case kPGPPublicKeyAlgorithm_RSASignOnly:
				case kPGPPublicKeyAlgorithm_RSAEncryptOnly:
					digestAlgString = SM_OID_ALG_MD5;
					signatureAlgString = SM_OID_ALG_RSA;
					/* VeriSign requires the parameters for the digestAlg
					   and sigAlg to be explicitly encoded as ASN.1 NULL
					   rather than be omitted */
					sigParam = rsaSigParam;
					sigParamSize = sizeof rsaSigParam;
					digestParam = md5param;
					digestParamSize = sizeof md5param;
					break;
				default:
					err = kPGPError_UnknownPublicKeyAlgorithm;
					goto error_exit;
			}

			/* Verisign requires self-signed messages */
			if ( !(format==kPGPOutputFormat_VerisignV1_GetCertInitialInPKCS7 ||
				   format==kPGPOutputFormat_VerisignV1_GetCRLInPKCS7 ) )
			{
				err = x509ExtractCertificate (context,
					signWith,
					&asnContext,
					&sigCert);

				/* TODO: presumably we must check the error for the case where
				   no certificate for the key exists? */
				if (IsPGPError (err))
					goto error_exit;
			}

			if (!sigCert)
			{
				/* no certificate for this key, assume we need to generate
				   a temporary self-signed certificate for this message,
				   as prescribed by the VeriSign CRS specification */

				/* if this is a PKCSReq message, use the information in the
				   PKCS-10 request as the basis for the DN for the self-signed
				   cert.  otherwise generate a simple certificate. */
				err = x509CreateSelfSignedCertificate (signWith,
					&asnContext,
					&pgpData,
					isCertReq ? certReqIn : NULL,
					isCertReq ? certReqInSize : 0,
					&sigCert);
				if (IsPGPError (err))
					goto error_exit;
			}

			if( sigCert )
			{
				includeCerts = PGPNewData (mem, sizeof (List),
										   kPGPMemoryMgrFlags_Clear);
				if (!includeCerts)
				{
					err = kPGPError_OutOfMemory;
					goto error_exit;
				}
				includeCerts->data = (void *) sigCert;
			}

			/* ----- begin building up the pkcs-7 message ----- */

			attr = PKINewAttributes (&asnContext);

			/* add the message-type attribute */
			type = PKINewINTEGER (&asnContext);
			
			msgtype = isCertReq ? 19 /* PKCSReq */ : (isGetCertInitial ? 20 /* GetCertInitial */ : 22 /* GetCRL */);

#ifdef X509_ENTRUST_HACK
			if (isEntrust) {
				char str[3];
				
				i=0;
				if(msgtype>10)
					str[i++]=msgtype/10+'0';
				str[i++]=msgtype%10+'0';
				str[i]=0;
				PKIPutStrVal(&asnContext, type, str);
				len=PKISizeofPrintableString(&asnContext, type, 1);
				val=PGPNewData(mem,len,0);
				if(!val) {
					err=kPGPError_OutOfMemory;
					goto error_exit;
				}
				PKIPackPrintableString(&asnContext, val, len, type, &asnError);
			} else {
#endif /* X509_ENTRUST_HACK */
				PKIPutIntVal (&asnContext, type, msgtype);
				len = PKISizeofINTEGER (&asnContext, type, 1);
				val = PGPNewData (mem, len, 0);
				PKIPackINTEGER (&asnContext, val, len, type, &asnError);
#ifdef X509_ENTRUST_HACK
			}
#endif
			PKIFreeINTEGER (&asnContext, type);
			if (asnError)
				err = kPGPError_ASNPackFailure;

			if (IsPGPError (err)) {
				PGPFreeData (val);
				goto error_exit;
			}

			err = x509AddAuthAttribute (&asnContext,
				PKIat_pki_message_type_OID,
				PKIat_pki_message_type_OID_LEN,
				val,
				len,
				attr);

			PGPFreeData (val);

			if (IsPGPError (err))
				goto error_exit;

			/* add the sendernonce attribute */
			nonce = PKINewOCTET_STRING (&asnContext);
			nonce->len = 16;
			nonce->val = PGPNewData (mem, nonce->len, 0);
			err = PGPContextGetRandomBytes (context,
				nonce->val,
				nonce->len);
			if (IsPGPError (err))
			{
				PKIFreeOCTET_STRING (&asnContext, nonce);
				goto error_exit;
			}
			len = PKISizeofOCTET_STRING (&asnContext, nonce, 1);
			val = PGPNewData (mem, len, 0);
			PKIPackOCTET_STRING (&asnContext, val, len, nonce, &asnError);
			PKIFreeOCTET_STRING (&asnContext, nonce);
			if (!asnError)
				err = x509AddAuthAttribute (&asnContext,
					PKIat_pki_sendernonce_OID,
					PKIat_pki_sendernonce_OID_LEN,
					val,
					len,
					attr);
			else
				err = kPGPError_ASNPackFailure;

			PGPFreeData (val);

			if (IsPGPError (err))
				goto error_exit;

			/* add the transactionid attribute */
			err = x509HashPublicKey (&asnContext,
				&sigCert->tbsCertificate.subjectPublicKeyInfo,
				&val,
				&len);
			if (IsPGPError (err))
				goto error_exit;

			type = PKINewINTEGER (&asnContext);
#ifdef X509_ENTRUST_HACK
			if (isEntrust) {
				type->len=len*2;
				type->val=PGPNewData(mem, type->len + 1, 0);
				for(i=0;i<len;i++)
					sprintf(type->val + (2 * i), "%2.2X", (unsigned int) val[i]);
				PGPFreeData (val);

				len = PKISizeofPrintableString (&asnContext, type, 1);
				val = PGPNewData (mem, len, 0);
				PKIPackPrintableString (&asnContext, val, len, type, &asnError);
			} else {
#endif /* X509_ENTRUST_HACK */
				PKIPutUIntBytes (&asnContext, type, val, len);
				PGPFreeData (val);
				len = PKISizeofINTEGER (&asnContext, type, 1);
				val = PGPNewData (mem, len, 0);
				PKIPackINTEGER (&asnContext, val, len, type, &asnError);
#ifdef X509_ENTRUST_HACK
			}
#endif
			PKIFreeINTEGER (&asnContext, type);
			if (asnError)
				err = kPGPError_ASNPackFailure;
			if (IsPGPError (err)) {
				PGPFreeData (val);
				goto error_exit;
			}

			err = x509AddAuthAttribute (&asnContext,
				PKIat_pki_transactionid_OID,
				PKIat_pki_transactionid_OID_LEN,
				val,
				len,
				attr);

			PGPFreeData (val);

			if (IsPGPError (err))
				goto error_exit;

			result = sm_SignMessage (certReqOut,
				certReqOutSize,
				inputData,
				inputDataSize,
				0,			/* not nested, outer content type */
				encryptTo ? SM_OID_CONTENT_ENVELOPED_DATA : SM_OID_CONTENT_DATA,
				digestAlgString,
				(uchar *) digestParam,
				digestParamSize,
				signatureAlgString,
				(uchar *) sigParam,
				sigParamSize,
				sigCert,
				attr,		/* signed attributes */
				includeCerts,	/* certs to include in PKCS7 message */
				pkcs7HashCallback,
				(void *) &pgpData,
				pkcs7SignCallback,
				(void *) &pgpData,
				&asnContext);
			if (result != PKCS7_OK)
			{
				err = kPGPError_PKCS7SignFailure;
				goto error_exit;
			}
		}
	}
	else if (format == kPGPOutputFormat_NetToolsCAV1_CertReqInPKCS7) /* jason: what if we ever want */
	{																 /* to create a real PKCS7 cert? */
		/* no extra encoding required, just return what we were given */

		*certReqOutSize = certReqInSize;
		*certReqOut = PGPNewData (PGPGetContextMemoryMgr (context),
			*certReqOutSize,
			0);
		memcpy (*certReqOut, certReqIn, *certReqOutSize);
	}
	else
		return kPGPError_InvalidOutputFormat;

	err = kPGPError_NoErr;

error_exit:

	if (attr)
		PKIFreeAttributes (&asnContext, attr);
	if (sigCert)
		PKIFreeCertificate (&asnContext, sigCert);
	if (includeCerts)
		PGPFreeData (includeCerts);

	if (inputData != certReqIn)
	{
		/* free intermediate data */
		PKIFree (asnContext.memMgr, inputData);
	}

	if (IsPGPError (err))
	{
		/* clean up allocated data on failure */
		if (*certReqOut)
		{
			PGPFreeData (*certReqOut);
			*certReqOut = NULL;
			*certReqOutSize = 0;
		}
	}

	/* callback functions just make a copy of this since we could possible
	   use it more than once, so free the master copy */
	PGPFreeOptionList (passphrase);

	return (err); /* success */
}

/* vim:ts=4:sw=4:
 */