📄 scert.c
字号:
"test.\n\n", protocolName );
return( CRYPT_ERROR_NOTAVAIL );
}
if( status == CRYPT_ERROR_DUPLICATE )
status = cryptKeysetOpen( cryptCertStore, CRYPT_UNUSED,
CERTSTORE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_NONE );
if( cryptStatusError( status ) )
{
printf( "SVR: cryptKeysetOpen() failed with error code %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
cryptCACertManagement( NULL, CRYPT_CERTACTION_CLEANUP, *cryptCertStore,
CRYPT_UNUSED, CRYPT_UNUSED );
/* Create the EE and CA PKI users */
puts( "Creating PKI user..." );
if( !addPKIUser( *cryptCertStore, pkiUserData,
!strcmp( protocolName, "SCEP" ) ? TRUE : FALSE ) )
return( FALSE );
if( pkiUserCAData != NULL && \
!addPKIUser( *cryptCertStore, pkiUserCAData,
!strcmp( protocolName, "SCEP" ) ? TRUE : FALSE ) )
return( FALSE );
/* Get the CA's private key */
status = getPrivateKey( cryptPrivateKey, keyFileName,
keyLabel, TEST_PRIVKEY_PASSWORD );
if( cryptStatusError( status ) )
{
printf( "SVR: CA private key read failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
return( TRUE );
}
/****************************************************************************
* *
* SCEP Routines Test *
* *
****************************************************************************/
/* There are various SCEP test servers available, the following mappings
can be used to test different ones. Implementation peculiarities:
#1 - cryptlib: None.
#2 - SSH (www.ssh.com/support/testzone/pki.html): Invalid CA certs.
#3 - OpenSCEP (openscep.othello.ch): Seems to be permanently unavailable.
#4 - Entrust (freecerts.entrust.com/vpncerts/cep.htm): Only seems to be
set up to handle Cisco gear */
#define SCEP_NO 1
typedef struct {
const char *name;
const C_CHR *url, *user, *password, *caCertUrl;
} SCEP_INFO;
static const SCEP_INFO scepInfo[] = {
{ NULL }, /* Dummy so index == SCEP_NO */
{ /*1*/ "cryptlib", TEXT( "http://localhost/pkiclient.exe" ), NULL, NULL, NULL },
{ /*2*/ "SSH", TEXT( "http://pki.ssh.com:8080/scep/pkiclient.exe" ), TEXT( "ssh" ), TEXT( "ssh" ),
TEXT( "http://pki.ssh.com:8080/scep/pkiclient.exe?operation=GetCACert&message=test-ca1.ssh.com" ) },
{ /*3*/ "OpenSCEP", TEXT( "http://openscep.othello.ch/pkiclient.exe" ), TEXT( "????" ), TEXT( "????" ), NULL },
{ /*4*/ "Entrust", TEXT( "http://vpncerts.entrust.com/pkiclient.exe" ), TEXT( "????" ), TEXT( "????" ), NULL },
};
/* Cert request data for the cert from the SCEP server. Note that we have
to set the CN to the PKI user CN, for CMP ir's we just omit the DN
entirely and have the server provide it for us but since SCEP uses PKCS
#10 requests we need to provide a DN, and since we provide it it has to
match the PKI user DN */
static const CERT_DATA scepRequestData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Test SCEP PKI user" ) },
/* Subject altName */
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@wetas-r-us.com" ) },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, TEXT( "http://www.wetas-r-us.com" ) },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
/* PKI user data to authorise the issuing of the various certs */
static const CERT_DATA scepPkiUserData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Test SCEP PKI user" ) },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
/* Get an SCEP CA cert */
static int getScepCACert( const C_STR caCertUrl,
CRYPT_CERTIFICATE *cryptCACert )
{
CRYPT_KEYSET cryptKeyset;
int status;
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, CRYPT_KEYSET_HTTP,
caCertUrl, CRYPT_KEYOPT_READONLY );
if( cryptStatusOK( status ) )
{
status = cryptGetPublicKey( cryptKeyset, cryptCACert, CRYPT_KEYID_NAME,
TEXT( "[None]" ) );
cryptKeysetClose( cryptKeyset );
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptKeyset, "cryptGetPublicKey()",
status, __LINE__ ) );
return( CRYPT_OK );
}
/* Perform an SCEP test */
int testSessionSCEP( void )
{
CRYPT_SESSION cryptSession;
CRYPT_CERTIFICATE cryptRequest, cryptResponse, cryptCACert;
CRYPT_CONTEXT cryptContext;
C_CHR userID[ 64 ], password[ 64 ];
const C_STR userPtr = scepInfo[ SCEP_NO ].user;
const C_STR passwordPtr = scepInfo[ SCEP_NO ].password;
int status;
puts( "Testing SCEP session..." );
/* Make sure that the required user info is present. If it isn't, the
CA auditing will detect a request from a nonexistant user and refuse
to issue a certificate */
status = getPkiUserInfo( NULL, NULL, NULL,
TEXT( "Test SCEP PKI user" ) );
if( cryptStatusError( status ) )
{
puts( "CA certificate store doesn't contain the PKI user "
"information needed to\nauthenticate certificate issue "
"operations, can't perform SCEP test.\n" );
return( CRYPT_ERROR_NOTAVAIL );
}
/* Get the issuing CA's cert */
if( scepInfo[ SCEP_NO ].caCertUrl != NULL )
status = getScepCACert( scepInfo[ SCEP_NO ].caCertUrl,
&cryptCACert );
else
status = importCertFromTemplate( &cryptCACert, SCEP_CA_FILE_TEMPLATE,
SCEP_NO );
if( cryptStatusError( status ) )
{
printf( "Couldn't get SCEP CA certificate, status = %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* cryptlib implements per-user (rather than shared interop) IDs and
passwords so we need to read the user ID and password information
before we can perform any operations */
#if ( SCEP_NO == 1 )
status = getPkiUserInfo( userID, password, NULL,
TEXT( "Test SCEP PKI user" ) );
if( cryptStatusError( status ) )
{
cryptDestroyCert( cryptCACert );
return( ( status == CRYPT_ERROR_NOTAVAIL ) ? TRUE : FALSE );
}
userPtr = userID;
passwordPtr = password;
#endif /* cryptlib SCEP_NO == 1 */
/* Create the SCEP session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED,
CRYPT_SESSION_SCEP );
if( status == CRYPT_ERROR_PARAM3 ) /* SCEP session access not available */
return( CRYPT_ERROR_NOTAVAIL );
if( cryptStatusError( status ) )
{
printf( "cryptCreateSession() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
/* Set up the user and server information */
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_USERNAME,
userPtr, paramStrlen( userPtr ) );
if( cryptStatusOK( status ) )
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_PASSWORD,
passwordPtr, paramStrlen( passwordPtr ) );
if( cryptStatusOK( status ) )
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME,
scepInfo[ SCEP_NO ].url,
paramStrlen( scepInfo[ SCEP_NO ].url ) );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_CACERTIFICATE,
cryptCACert );
cryptDestroyCert( cryptCACert );
if( cryptStatusError( status ) )
{
printf( "Addition of session information failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
/* Create the (unsigned) PKCS #10 request */
#if ( SCEP_NO == 1 )
cryptCreateContext( &cryptContext, CRYPT_UNUSED, CRYPT_ALGO_RSA );
cryptSetAttributeString( cryptContext, CRYPT_CTXINFO_LABEL,
USER_PRIVKEY_LABEL,
paramStrlen( USER_PRIVKEY_LABEL ) );
cryptSetAttribute( cryptContext, CRYPT_CTXINFO_KEYSIZE, 64 );
status = cryptGenerateKey( cryptContext );
#else
loadRSAContextsEx( CRYPT_UNUSED, NULL, &cryptContext, NULL,
USER_PRIVKEY_LABEL );
#endif /* cryptlib SCEP_NO == 1 */
status = cryptCreateCert( &cryptRequest, CRYPT_UNUSED,
CRYPT_CERTTYPE_CERTREQUEST );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptRequest,
CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, cryptContext );
if( cryptStatusOK( status ) && \
!addCertFields( cryptRequest, scepRequestData ) )
status = CRYPT_ERROR_FAILED;
#if 0
if( cryptStatusOK( status ) )
status = cryptSignCert( cryptRequest, cryptContext );
#endif
if( cryptStatusError( status ) )
{
printf( "Creation of PKCS #10 request failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
/* Set up the private key and request, and activate the session */
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_PRIVATEKEY,
cryptContext );
cryptDestroyContext( cryptContext );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_REQUEST,
cryptRequest );
cryptDestroyCert( cryptRequest );
if( cryptStatusError( status ) )
{
printf( "cryptSetAttribute() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, TRUE );
if( cryptStatusError( status ) )
{
printExtError( cryptSession, "Attempt to activate SCEP client "
"session", status, __LINE__ );
cryptDestroySession( cryptSession );
if( status == CRYPT_ERROR_OPEN || status == CRYPT_ERROR_READ )
{
/* These servers are constantly appearing and disappearing so if
we get a straight connect error we don't treat it as a serious
failure */
puts( " (Server could be down, faking it and continuing...)\n" );
return( CRYPT_ERROR_FAILED );
}
return( FALSE );
}
/* Obtain the response information */
status = cryptGetAttribute( cryptSession, CRYPT_SESSINFO_RESPONSE,
&cryptResponse );
cryptDestroySession( cryptSession );
if( cryptStatusError( status ) )
{
printf( "cryptGetAttribute() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
#if ( SCEP_NO != 1 )
puts( "Returned certificate details are:" );
printCertInfo( cryptResponse );
#endif /* Keep the cryptlib results on one screen */
/* Clean up */
cryptDestroyCert( cryptResponse );
puts( "SCEP client session succeeded.\n" );
return( TRUE );
}
int testSessionSCEPServer( void )
{
CRYPT_SESSION cryptSession;
CRYPT_CONTEXT cryptCAKey;
CRYPT_KEYSET cryptCertStore;
int status;
puts( "SVR: Testing SCEP server session ..." );
/* Perform a test create of a SCEP server session to verify that we can
do this test */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED,
CRYPT_SESSION_SCEP_SERVER );
if( status == CRYPT_ERROR_PARAM3 ) /* SCEP session access not available */
return( CRYPT_ERROR_NOTAVAIL );
if( cryptStatusError( status ) )
{
printf( "SVR: cryptCreateSession() failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
cryptDestroySession( cryptSession );
/* Set up the server-side objects */
if( !serverInit( &cryptCAKey, &cryptCertStore, SCEPCA_PRIVKEY_FILE,
CA_PRIVKEY_LABEL, scepPkiUserData, NULL, "SCEP" ) )
return( FALSE );
/* Create the SCEP session and add the CA key and cert store */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED,
CRYPT_SESSION_SCEP_SERVER );
if( cryptStatusError( status ) )
{
printf( "SVR: cryptCreateSession() failed with error code %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_PRIVATEKEY, cryptCAKey );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_KEYSET, cryptCertStore );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptSession, "SVR: cryptSetAttribute()",
status, __LINE__ ) );
/* Activate the session */
status = activatePersistentServerSession( cryptSession, FALSE );
if( cryptStatusError( status ) )
{
cryptKeysetClose( cryptCertStore );
cryptDestroyContext( cryptCAKey );
return( extErrorExit( cryptSession, "SVR: Attempt to activate SCEP "
"server session", status, __LINE__ ) );
}
/* Clean up */
cryptDestroySession( cryptSession );
cryptKeysetClose( cryptCertStore );
cryptDestroyContext( cryptCAKey );
puts( "SVR: SCEP session succeeded.\n" );
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -