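}

/*
 * Add one X509v3 extension to a request extension stack.  The extension is
 * built from an OpenSSL config-style value string; the config pointer is
 * NULL because the value never references other config sections.
 *
 * sk    - stack the new extension is pushed onto (takes ownership of it)
 * nid   - extension NID (e.g. NID_subject_alt_name)
 * value - extension value in X509V3_EXT_conf_nid() syntax
 * Returns 1 on success, 0 if the extension could not be built or pushed.
 */
int Add_ExtReq(STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
{
    /* The original declared sk as STACK_OF(X509_REQUEST); the only values
     * ever pushed are X509_EXTENSIONs, so that is the type it must carry. */
    X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
    if (ex == NULL)
        return 0;
    if (!sk_X509_EXTENSION_push(sk, ex)) {
        X509_EXTENSION_free(ex);   /* push failed: ex is still ours */
        return 0;
    }
    return 1;
}

/*
 * Build a self-signed PKCS#10 request for reqInfo with a freshly generated
 * RSA key.
 *
 * reqInfo - subject fields; each field's sizeof is passed to Add_Name as
 *           the length limit, so they are expected to be fixed-size arrays
 * req     - receives the new request on success (caller frees)
 * pkeyp   - receives the generated private key on success (caller frees)
 * bits    - RSA modulus size in bits
 * Returns 1 on success, 0 on failure.  On failure nothing is leaked and
 * *req / *pkeyp are left untouched (the original leaked the half-built
 * key and request on every early return).
 */
int mkReq(stuSUBJECT *reqInfo, X509_REQ **req, EVP_PKEY **pkeyp, int bits)
{
    X509_REQ *x = NULL;
    EVP_PKEY *pk = NULL;
    RSA *rsa = NULL;
    X509_NAME *name;
    int ok = 0;
    size_t k;

    if (reqInfo == NULL || req == NULL || pkeyp == NULL)
        return 0;

    /* Subject attributes, in the order they are added to the DN. */
    {
        const struct {
            int nid;
            char *val;
            size_t len;
        } fields[] = {
            { NID_countryName,               (char *)reqInfo->C,    sizeof(reqInfo->C) },
            { NID_stateOrProvinceName,       (char *)reqInfo->ST,   sizeof(reqInfo->ST) },
            { NID_localityName,              (char *)reqInfo->L,    sizeof(reqInfo->L) },
            { NID_organizationName,          (char *)reqInfo->O,    sizeof(reqInfo->O) },
            { NID_organizationalUnitName,    (char *)reqInfo->OU,   sizeof(reqInfo->OU) },
            { NID_commonName,                (char *)reqInfo->CN,   sizeof(reqInfo->CN) },
            { NID_pkcs9_emailAddress,        (char *)reqInfo->MAIL, sizeof(reqInfo->MAIL) },
            { NID_email_protect,             (char *)reqInfo->PMAIL, sizeof(reqInfo->PMAIL) },
            { NID_title,                     (char *)reqInfo->T,    sizeof(reqInfo->T) },
            { NID_description,               (char *)reqInfo->D,    sizeof(reqInfo->D) },
            { NID_givenName,                 (char *)reqInfo->G,    sizeof(reqInfo->G) },
            { NID_initials,                  (char *)reqInfo->I,    sizeof(reqInfo->I) },
            { NID_name,                      (char *)reqInfo->NAME, sizeof(reqInfo->NAME) },
            { NID_surname,                   (char *)reqInfo->S,    sizeof(reqInfo->S) },
            { NID_dnQualifier,               (char *)reqInfo->QUAL, sizeof(reqInfo->QUAL) },
            { NID_pkcs9_unstructuredName,    (char *)reqInfo->STN,  sizeof(reqInfo->STN) },
            { NID_pkcs9_challengePassword,   (char *)reqInfo->PW,   sizeof(reqInfo->PW) },
            { NID_pkcs9_unstructuredAddress, (char *)reqInfo->ADD,  sizeof(reqInfo->ADD) },
        };

        if ((pk = EVP_PKEY_new()) == NULL)
            goto out;
        if ((x = X509_REQ_new()) == NULL)
            goto out;

        Rand(NULL, 1);   /* project helper, kept as in the original (presumably PRNG seeding) */
        rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
        if (rsa == NULL)
            goto out;
        if (!EVP_PKEY_assign_RSA(pk, rsa))
            goto out;       /* rsa is still ours and is freed below */
        rsa = NULL;         /* pk now owns the RSA key */
        if (!X509_REQ_set_pubkey(x, pk))
            goto out;

        name = X509_REQ_get_subject_name(x);
        /* Add_Name (project helper) works out the string type and checks the
         * length; as in the original its return value is not checked.
         * setlocale() is a process-wide side effect kept from the original. */
        setlocale(LC_CTYPE, "");
        for (k = 0; k < sizeof fields / sizeof fields[0]; k++)
            Add_Name(name, fields[k].nid, fields[k].val, fields[k].len);
    }

    X509V3_EXT_cleanup();   /* drop any custom extension code registered earlier */
    /* NOTE(review): SHA-1 request signatures are deprecated; switch to
     * EVP_sha256() once every consumer of these requests accepts it. */
    if (!X509_REQ_sign(x, pk, EVP_sha1()))
        goto out;

    *req = x;
    *pkeyp = pk;
    x = NULL;
    pk = NULL;
    ok = 1;
out:
    RSA_free(rsa);
    X509_REQ_free(x);
    EVP_PKEY_free(pk);
    return ok;
}

/*
 * Generate a request plus private key and write both to files.
 *
 * reqInfo - subject fields for the request
 * bits    - RSA key size in bits
 * reqFile - path the request is written to
 * priFile - path the (unencrypted) private key is written to
 * type    - PEM or DER output encoding
 * Returns 1 on success, 0 on any failure (unknown type, file error,
 * key/request generation failure, write failure).  The original leaked the
 * already-opened BIOs when the second open or mkReq() failed.
 */
long MakeReq(stuSUBJECT *reqInfo, int bits, char *reqFile, char *priFile, int type)
{
    X509_REQ *req = NULL;
    EVP_PKEY *pkey = NULL;
    BIO *breq = NULL, *bkey = NULL;
    int wrote_req = 0, wrote_key = 0;

    /* Reject an unknown encoding before creating any output files. */
    if (type != PEM && type != DER)
        return 0;

    /* NOTE(review): the private key is written unencrypted into a file
     * created with the process umask; restrict permissions on priFile or
     * pass a cipher/passphrase to PEM_write_bio_PrivateKey if that matters. */
    if ((breq = BIO_new_file(reqFile, "w")) == NULL)
        goto out;
    if ((bkey = BIO_new_file(priFile, "w")) == NULL)
        goto out;
    if (!mkReq(reqInfo, &req, &pkey, bits))
        goto out;

    if (type == PEM) {
        wrote_req = PEM_write_bio_X509_REQ(breq, req);
        wrote_key = PEM_write_bio_PrivateKey(bkey, pkey, NULL, NULL, 0, NULL, NULL);
    } else {
        wrote_req = i2d_X509_REQ_bio(breq, req);
        wrote_key = i2d_PrivateKey_bio(bkey, pkey);
    }
out:
    BIO_free(breq);
    BIO_free(bkey);
    X509_REQ_free(req);
    EVP_PKEY_free(pkey);
    return (wrote_req && wrote_key) ? 1 : 0;
}

/*
 * Copy the X509v3 extensions carried in req into certificate x.
 *
 * copy_type: EXT_COPY_NONE - do nothing; EXT_COPY_ADD - add only
 * extensions x does not already have; any other value (EXT_COPY_ALL) -
 * replace existing extensions of the same type.
 * Returns 1 on success (including nothing to copy), 0 if an extension
 * could not be added.
 */
int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
{
    STACK_OF(X509_EXTENSION) *exts;
    int i, ret = 0;

    if (x == NULL || req == NULL || copy_type == EXT_COPY_NONE)
        return 1;

    /* X509_REQ_get_extensions() hands back a stack we own; the original
     * freed it only on the error path and leaked it on success. */
    exts = X509_REQ_get_extensions(req);
    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
        X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
        ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
        int idx = X509_get_ext_by_OBJ(x, obj, -1);

        if (idx != -1) {
            if (copy_type == EXT_COPY_ADD)
                continue;   /* keep what the certificate already has */
            /* Remove every existing extension of this type. */
            do {
                X509_EXTENSION *old = X509_delete_ext(x, idx);
                X509_EXTENSION_free(old);
                idx = X509_get_ext_by_OBJ(x, obj, -1);
            } while (idx != -1);
        }
        /* X509_add_ext() stores its own copy, so exts can be freed below. */
        if (!X509_add_ext(x, ext, -1))
            goto out;
    }
    ret = 1;
out:
    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
    return ret;
}

/*
 * Append a keyword to a comma-separated list held in buf (size bytes).
 * snprintf() bounds the write; the buffers used by do_body() are larger
 * than the longest possible list, so truncation cannot occur in practice.
 */
static void append_usage(char *buf, size_t size, const char *keyword)
{
    size_t used = strlen(buf);
    if (used >= size)
        return;
    snprintf(buf + used, size - used, "%s%s", used ? "," : "", keyword);
}

/*
 * Build and sign a certificate for req using the CA certificate x509 and
 * its private key pkey.
 *
 * xret      - receives the signed certificate on success (caller frees)
 * dgst      - signature digest
 * serial    - serial number written into the certificate
 * startdate - "today" (or NULL) for now, else a UTCTime string
 * enddate   - NULL for now + days, else a UTCTime string
 * days      - validity length used when enddate is NULL
 * KUSAGE / EKUSAGE - flags selecting keyUsage / extendedKeyUsage bits
 *                    (NULL means no such extension)
 * Returns 1 on success, 0 on failure; *xret is only written on success.
 */
int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
            int serial, char *startdate, char *enddate, int days,
            X509_REQ *req, stuKEYUSAGE *KUSAGE, stuEKEYUSAGE *EKUSAGE)
{
    X509 *ret = NULL;
    EVP_PKEY *pktmp;
    int pubkey_ok;
    int ok = 0;
    char kusage[160] = {0};
    char ekusage[360] = {0};

    if (xret == NULL || req == NULL || x509 == NULL || pkey == NULL)
        return 0;

    if ((ret = X509_new()) == NULL)
        goto err;
    if (!X509_set_version(ret, 2L))   /* X.509 v3 is encoded as 2 */
        goto err;
    /* NOTE(review): serial is a caller-supplied int.  CA serials must be
     * unique per issuer and are normally drawn from a persistent counter or
     * a CSPRNG rather than chosen by whoever calls this function. */
    if (!ASN1_INTEGER_set(X509_get_serialNumber(ret), serial))
        goto err;
    if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
        goto err;

    /* The original ignored these return values, so a malformed date string
     * could silently yield a certificate whose validity was never set. */
    if (startdate == NULL || strcmp(startdate, "today") == 0) {
        if (X509_gmtime_adj(X509_get_notBefore(ret), 0) == NULL)
            goto err;
    } else if (!ASN1_UTCTIME_set_string(X509_get_notBefore(ret), startdate)) {
        goto err;
    }
    if (enddate == NULL) {
        if (X509_gmtime_adj(X509_get_notAfter(ret), (long)60 * 60 * 24 * days) == NULL)
            goto err;
    } else if (!ASN1_UTCTIME_set_string(X509_get_notAfter(ret), enddate)) {
        goto err;
    }

    if (!X509_set_subject_name(ret, X509_REQ_get_subject_name(req)))
        goto err;

    if ((pktmp = X509_REQ_get_pubkey(req)) == NULL)
        goto err;
    pubkey_ok = X509_set_pubkey(ret, pktmp);
    EVP_PKEY_free(pktmp);   /* X509_set_pubkey takes its own reference */
    if (!pubkey_ok)
        goto err;

    /* NOTE(review): every extension the requester placed in the CSR is
     * copied into the certificate unfiltered (subjectAltName, basicConstraints,
     * ...).  A CA should whitelist which CSR extensions it honours and make
     * sure the CA-set extensions below take precedence over them. */
    if (!copy_extensions(ret, req, EXT_COPY_ALL))
        goto err;

    /* CA-chosen extensions.  Add_ExtCert is a project helper whose return
     * value the original never checked; that is kept here.  pathlen is only
     * meaningful with CA:TRUE, and newer OpenSSL may reject it on an
     * end-entity certificate. */
    Add_ExtCert(ret, ret, NID_basic_constraints, "critical,CA:FALSE,pathlen:1");
    Add_ExtCert(ret, ret, NID_subject_key_identifier, "hash");
    Add_ExtCert(ret, x509, NID_authority_key_identifier, "keyid,issuer:always");

    if (KUSAGE != NULL) {
        if (KUSAGE->DS) append_usage(kusage, sizeof kusage, "digitalSignature");
        if (KUSAGE->NR) append_usage(kusage, sizeof kusage, "nonRepudiation");
        if (KUSAGE->KE) append_usage(kusage, sizeof kusage, "keyEncipherment");
        if (KUSAGE->DE) append_usage(kusage, sizeof kusage, "dataEncipherment");
        if (KUSAGE->KA) append_usage(kusage, sizeof kusage, "keyAgreement");
        if (KUSAGE->KC) append_usage(kusage, sizeof kusage, "keyCertSign");
        if (KUSAGE->CS) append_usage(kusage, sizeof kusage, "cRLSign");
        if (KUSAGE->EO) append_usage(kusage, sizeof kusage, "encipherOnly");
        if (KUSAGE->DO) append_usage(kusage, sizeof kusage, "decipherOnly");
    }
    if (kusage[0] != '\0')
        Add_ExtCert(ret, ret, NID_key_usage, kusage);

    if (EKUSAGE != NULL) {
        if (EKUSAGE->SA)     append_usage(ekusage, sizeof ekusage, "serverAuth");
        if (EKUSAGE->CA)     append_usage(ekusage, sizeof ekusage, "clientAuth");
        if (EKUSAGE->CS)     append_usage(ekusage, sizeof ekusage, "codeSigning");
        if (EKUSAGE->EP)     append_usage(ekusage, sizeof ekusage, "emailProtection");
        if (EKUSAGE->TS)     append_usage(ekusage, sizeof ekusage, "timeStamping");
        if (EKUSAGE->msCC)   append_usage(ekusage, sizeof ekusage, "msCodeCom");
        if (EKUSAGE->msCTLS) append_usage(ekusage, sizeof ekusage, "msCTLSign");
        if (EKUSAGE->msSGC)  append_usage(ekusage, sizeof ekusage, "msSGC");
        if (EKUSAGE->msEFS)  append_usage(ekusage, sizeof ekusage, "msEFS");
        if (EKUSAGE->msSC)   append_usage(ekusage, sizeof ekusage, "msSmartcardLogin");
        if (EKUSAGE->IP)     append_usage(ekusage, sizeof ekusage, "ipsecEndSystem,ipsecTunnel,ipsecUser");
    }
    if (ekusage[0] != '\0')
        Add_ExtCert(ret, ret, NID_ext_key_usage, ekusage);

    X509V3_EXT_cleanup();
    if (!X509_sign(ret, pkey, dgst))
        goto err;
    ok = 1;
err:
    if (ok <= 0) {
        X509_free(ret);
        ret = NULL;
    } else {
        *xret = ret;
    }
    return ok;
}

/*
 * Verify the request's self-signature (proof of possession of the key)
 * and then issue a certificate for it via do_body().
 *
 * Returns do_body()'s result (1 on success), or 0 if the request has no
 * public key or its signature does not verify.
 */
int certify(X509 **xret, X509_REQ *req, EVP_PKEY *pkey, X509 *x509,
            const EVP_MD *dgst, int serial, char *startdate, char *enddate,
            int days, stuKEYUSAGE *KUSAGE, stuEKEYUSAGE *EKUSAGE)
{
    EVP_PKEY *reqkey;
    int verified;

    if (req == NULL)
        return 0;
    if ((reqkey = X509_REQ_get_pubkey(req)) == NULL)
        return 0;
    verified = X509_REQ_verify(req, reqkey);
    EVP_PKEY_free(reqkey);
    if (verified <= 0)   /* 0 = bad signature, <0 = error */
        return 0;
    return do_body(xret, pkey, x509, dgst, serial, startdate, enddate, days,
                   req, KUSAGE, EKUSAGE);
}

/*
 * Issue a certificate for the request in reqfile using the CA certificate
 * and key loaded through the project helpers LoadCert()/LoadKey(), and
 * write it to outfile.
 *
 * certfile/certlen, keyfile/keylen - CA certificate and key as given to
 *                                    LoadCert()/LoadKey()
 * serial, enddate, days            - forwarded to certify()
 * reqfile                          - request file, PEM or DER
 * KUSAGE / EKUSAGE                 - extension flags, see do_body()
 * outfile, type                    - output path and encoding (PEM or DER)
 * Returns 1 on success, 0 on failure.
 *
 * The original contained an unconditional `return -1;` right after the
 * request was read, which made everything below it unreachable and leaked
 * reqbio and req; it also reported success (ret stayed 1) when the output
 * file could not be opened, when the write failed, or when type was
 * neither PEM nor DER.
 */
long MakeCert(char *certfile, int certlen, char *keyfile, int keylen, int serial,
              char *enddate, int days, char *reqfile, stuKEYUSAGE *KUSAGE,
              stuEKEYUSAGE *EKUSAGE, char *outfile, int type)
{
    long ret = 0;
    EVP_PKEY *pkey = NULL;
    X509 *cacert = NULL;
    X509_REQ *req = NULL;
    X509 *newcert = NULL;
    BIO *bcert = NULL, *reqbio = NULL;
    const EVP_MD *dgst;
    int written = 0;

    OpenSSL_add_all_digests();

    if ((reqbio = BIO_new_file(reqfile, "r")) == NULL)
        goto err;
    /* Try PEM first, then rewind and fall back to DER. */
    req = PEM_read_bio_X509_REQ(reqbio, NULL, NULL, NULL);
    if (req == NULL) {
        BIO_reset(reqbio);
        if ((req = d2i_X509_REQ_bio(reqbio, NULL)) == NULL)
            goto err;
    }

    if ((pkey = LoadKey(keyfile, keylen, NULL)) == NULL)
        goto err;
    if ((cacert = LoadCert(certfile, certlen)) == NULL)
        goto err;
    if (!X509_check_private_key(cacert, pkey))   /* key must belong to the CA cert */
        goto err;

    /* NOTE(review): the signature digest is hard-coded to SHA-1 (the
     * original marked this line with "!!!"); SHA-1 certificate signatures
     * are rejected by modern verifiers, so this should become sha256. */
    if ((dgst = EVP_get_digestbyname("sha1")) == NULL)
        goto err;

    if (certify(&newcert, req, pkey, cacert, dgst, serial, "today", enddate,
                days, KUSAGE, EKUSAGE) <= 0)
        goto err;

    if ((bcert = BIO_new_file(outfile, "w")) == NULL)
        goto err;
    if (type == DER)
        written = i2d_X509_bio(bcert, newcert);
    else if (type == PEM)
        written = PEM_write_bio_X509(bcert, newcert);
    if (!written)
        goto err;
    ret = 1;
err:
    BIO_free(reqbio);
    BIO_free_all(bcert);
    EVP_PKEY_free(pkey);
    X509_free(cacert);
    X509_free(newcert);
    X509_REQ_free(req);
    /* Process-wide teardown of the digest/cipher tables, kept from the
     * original; a no-op on OpenSSL >= 1.1. */
    EVP_cleanup();
    return ret;
}

long DirectCert(char *certfile,int certlen, char *keyfile,int keylen,int serial,char *enddate, int days,stuCERT * sCERT,int bits,char * cert,int * certl, char * key,int * keyl, char * pwd, char *enc_key/*,int typeDER,PEM*/){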