if ( retVal != OSPC_ERR_NO_ERROR ) { OSPM_DBGERRORLOG( retVal, "Invalid X.509 certificate returned.\n" ); } } /* Now get the public key out of the certificate that was * retrieved so that we can compare it to the public key that * was used in the certificate request. */ if ( retVal == OSPC_ERR_NO_ERROR ) { OSPM_DBGMISC(( "getting public key info..\n" )); retVal = OSPPGetPublicKeyInfoFromCert( x509CertOut, &certOutPublicKey ); if ( retVal != OSPC_ERR_NO_ERROR ) { OSPM_DBGERRORLOG( retVal, "Unable to retrieve public key from certificate retrieved.\n" ); } } /* Now compare the two public keys: */ if ( retVal == OSPC_ERR_NO_ERROR ) { OSPM_DBGMISC(( "comparing asn1..\n" )); retVal = OSPPASN1Compare( &certOutPublicKey, ospvRequestPublicKeyIn ); if ( retVal != OSPC_ERR_NO_ERROR ) { OSPM_DBGERRORLOG( retVal, "Public Key in certificate does not match public key in request.\n" ); } } /* * The public key is ok, so now make sure that the authority * certificate ( or CA certificate ) is in fact the certificate * used for signing the certificate we received. If not, then * we'll fail the enrollment. */ if ( retVal == OSPC_ERR_NO_ERROR ) { OSPM_DBGMISC(( "validating cert..\n" )); retVal = OSPPX509CertValidateCertificate( x509CertOut, ospvSecIn->AuthorityCertInfo, ospvSecIn->NumberOfAuthorityCertificates, &caCertIndex ); if ( retVal != OSPC_ERR_NO_ERROR ) { OSPM_DBGERRORLOG( retVal, "The certificate returned was not signed by the given CA certificate.\n" ); } } /* Now let's make sure that the contents are valid. Let's decode it and make * sure that the certificate is signed by the CA certificate. If it's not, * then we'll set an error code and return. If it is, then we'll need to * check the public key ( although that's not done right now, but it should be. 
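) */
if ( retVal == OSPC_ERR_NO_ERROR ) {
    OSPM_DBGMISC(( "certificate returned:\n" ));
    OSPPDumpHex( x509CertOut->ElementInfo->Element,
                 x509CertOut->ElementInfo->ElementLength );
}

/* Delete the X.509 cert object; we only needed it for validation: */
/* NOTE(review): x509CertOut is a pointer but is compared against the integer
 * status code OSPC_ERR_NO_ERROR; it only behaves as a NULL test because that
 * code is 0. OSPC_OSNULL is the constant meant here. Left as found - the
 * enclosing function begins outside this excerpt. */
if ( x509CertOut != OSPC_ERR_NO_ERROR ) {
    OSPPASN1ObjectDelete( &x509CertOut );
}

/* Delete the element info and parse results of the certOutPublicKey,
 * which was only needed as a comparison tool for the subjectPublicKeyInfo
 * in the certificate request. */
if ( certOutPublicKey.ElementInfo != OSPC_OSNULL ) {
    OSPPASN1ElementDelete( &(certOutPublicKey.ElementInfo), 0 );
}
if ( certOutPublicKey.ParseResults != OSPC_OSNULL ) {
    PTPResultsDelete( &(certOutPublicKey.ParseResults) );
}

OSPM_DBGMISC(( "done!\n" ));
OSPM_DBGEXIT(( "EXIT: OSPPValidateDeviceCert\n" ));
return retVal;
}

/*
 * Compare two ASN.1 objects octet for octet.
 *
 * Input:
 *   ospvLHSObject: the left-hand ASN.1 object
 *   ospvRHSObject: the right-hand ASN.1 object
 *
 * Output:
 *   OSPC_ERR_NO_ERROR when both objects carry element content of the same
 *   length and identical bytes; otherwise
 *     o OSPC_ERR_ENROLL_INVALID_ARG              - a parameter, its ElementInfo
 *                                                 or its Element is null
 *     o OSPC_ERR_ENROLL_ASN1_CMP_LENGTH_MISMATCH - the lengths differ
 *     o OSPC_ERR_ENROLL_ASN1_CMP_MISMATCH        - the contents differ
 *
 * Why an explicit byte loop: the Element buffers are DER, and DER routinely
 * contains 0x00 octets (the NULL parameter of an AlgorithmIdentifier, the
 * unused-bits octet of a BIT STRING, leading zeros of INTEGERs). The previous
 * implementation compared them with OSPM_STRNCMP, a strncmp-style C-string
 * comparison that stops at the first NUL in either buffer, so everything after
 * that octet - for a subjectPublicKeyInfo that is the key material itself -
 * was never compared. Two keys with the same algorithm identifier and the same
 * encoded length would have been reported equal, which defeats the
 * "public key in certificate == public key in request" check in
 * OSPPValidateDeviceCert. Public keys are not secret, so an early exit on the
 * first differing octet is acceptable here.
 */
int OSPPASN1Compare ( OSPTASN1OBJECT* ospvLHSObject, OSPTASN1OBJECT* ospvRHSObject)
{
    int retVal = OSPC_ERR_NO_ERROR;
    const unsigned char* lhsBytes = OSPC_OSNULL;
    const unsigned char* rhsBytes = OSPC_OSNULL;
    unsigned int byteLen = 0;
    unsigned int i = 0;

    OSPM_DBGENTER(( "ENTER: OSPPASN1Compare\n" ));

    /* Argument validation. The || chain short-circuits left to right, so a
     * null object is never dereferenced. The diagnostics below use an else-if
     * ladder in the same order for the same reason: the original logged every
     * condition unconditionally and would itself dereference a null object
     * while reporting that it was null. */
    if ( ( ospvLHSObject == OSPC_OSNULL ) ||
         ( ospvRHSObject == OSPC_OSNULL ) ||
         ( ospvLHSObject->ElementInfo == OSPC_OSNULL ) ||
         ( ospvRHSObject->ElementInfo == OSPC_OSNULL ) ||
         ( ospvLHSObject->ElementInfo->Element == OSPC_OSNULL ) ||
         ( ospvRHSObject->ElementInfo->Element == OSPC_OSNULL ) )
    {
        retVal = OSPC_ERR_ENROLL_INVALID_ARG;
        OSPM_DBGERRORLOG( retVal, "At least one of the ASN1 objects being compared is invalid.\n" );

        if ( ospvLHSObject == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The first parameter to OSPPASN1Compare is null.\n" );
        }
        else if ( ospvRHSObject == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The second parameter to OSPPASN1Compare is null.\n" );
        }
        else if ( ospvLHSObject->ElementInfo == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The first parameter's element info is null.\n" );
        }
        else if ( ospvRHSObject->ElementInfo == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The second parameter's element info is null.\n" );
        }
        else if ( ospvLHSObject->ElementInfo->Element == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The first parameter's element info content is null.\n" );
        }
        else {
            OSPM_DBGERRORLOG( retVal, "The second parameter's element info content is null.\n" );
        }
    }

    /* Length check: different lengths can never be the same encoding, and the
     * byte loop below relies on both buffers holding byteLen octets. */
    if ( retVal == OSPC_ERR_NO_ERROR ) {
        if ( ospvLHSObject->ElementInfo->ElementLength !=
             ospvRHSObject->ElementInfo->ElementLength )
        {
            retVal = OSPC_ERR_ENROLL_ASN1_CMP_LENGTH_MISMATCH;
            OSPM_DBGERRORLOG( retVal, "The lengths of the two objects compared are different\n" );
            OSPM_DBGMISC(( "Length of content of LHS: %d\n", ospvLHSObject->ElementInfo->ElementLength ));
            OSPM_DBGMISC(( "Length of content of RHS: %d\n", ospvRHSObject->ElementInfo->ElementLength ));
            OSPM_DBGMISC(( "LHS: \n" ));
            OSPPDumpHex( ospvLHSObject->ElementInfo->Element, ospvLHSObject->ElementInfo->ElementLength );
            OSPM_DBGMISC(( "RHS: \n" ));
            OSPPDumpHex( ospvRHSObject->ElementInfo->Element, ospvRHSObject->ElementInfo->ElementLength );
        }
    }

    /* Content check over the full length, NUL octets included. */
    if ( retVal == OSPC_ERR_NO_ERROR ) {
        lhsBytes = (const unsigned char*)( ospvLHSObject->ElementInfo->Element );
        rhsBytes = (const unsigned char*)( ospvRHSObject->ElementInfo->Element );
        byteLen  = ospvLHSObject->ElementInfo->ElementLength;

        for ( i = 0; i < byteLen; i++ ) {
            if ( lhsBytes[i] != rhsBytes[i] ) {
                retVal = OSPC_ERR_ENROLL_ASN1_CMP_MISMATCH;
                OSPM_DBGERRORLOG( retVal, "The two ASN1 objects are of unequal value.\n" );
                break;
            }
        }
    }

    OSPM_DBGEXIT(( "EXIT: OSPPASN1Compare\n" ));
    return retVal;
}

/* Given an ASN1 object that represents an X.509 certificate, store its
 * subjectPublicKeyInfo in the outbound ospvPublicKeyOut structure.
 * This subjectPublicKeyInfo will be compared against what we get from
 * the server in the form of a certificate; if they match, then the
 * certificate may be ok - otherwise, the certificate is bogus.
 *
 * Input: references to the input certificate and the outgoing
 *        subjectPublicKeyInfo
 *
 * Output: If the subjectPublicKeyInfo can be found, then it should be
 *         stored in *ospvPublicKeyOut and the return value will be
 *         OSPC_ERR_NO_ERROR. Otherwise, the return value will be
 *         something other than OSPC_ERR_NO_ERROR.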
*/
int OSPPGetPublicKeyInfoFromCert( OSPTASN1OBJECT* ospvCertIn, OSPTASN1OBJECT* ospvPublicKeyOut )
{
    int retVal = OSPC_ERR_NO_ERROR;
    OSPTASN1ELEMENTINFO* spkiElement = OSPC_OSNULL;
    OSPTASN1PARSERESULT* spkiResults = OSPC_OSNULL;

    /* Both references must be present; each missing one is reported on its
     * own line so the caller's log says which it was. */
    if ( ( ospvCertIn == OSPC_OSNULL ) || ( ospvPublicKeyOut == OSPC_OSNULL ) ) {
        retVal = OSPC_ERR_ENROLL_INVALID_ARG;
        if ( ospvCertIn == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The certificate passed in is null.\n" );
        }
        if ( ospvPublicKeyOut == OSPC_OSNULL ) {
            OSPM_DBGERRORLOG( retVal, "The public key reference passed in is null.\n" );
        }
        goto cleanup;
    }

    /* Locate the subjectPublicKeyInfo element through the certificate's
     * data-reference id. The underlying error is logged before it is folded
     * into the enrollment-level BAD_CERT code.
     *
     * NOTE(review): this assumes the element handed back is independent of
     * ospvCertIn. The caller deletes the certificate object first and then
     * deletes this element; if the two aliased the same storage that second
     * delete would be a double free - confirm against the ASN.1 module. */
    retVal = OSPPASN1ObjectGetElementByDataRef( ospvCertIn, &spkiElement, OSPEDRID_CERT_SUBJPUBKEYINFO );
    if ( retVal != OSPC_ERR_NO_ERROR ) {
        OSPM_DBGERRORLOG( retVal, "Unable to find subjectPublicKeyInfo in certificate\n" );
        retVal = OSPC_ERR_ENROLL_BAD_CERT;
        goto cleanup;
    }

    /* Re-derive parse results for that element so it can stand alone as a
     * complete OSPTASN1OBJECT. */
    retVal = PTPResultsCreate( &spkiResults, spkiElement, OSPEDRID_CERT_SUBJPUBKEYINFO );
    if ( retVal != OSPC_ERR_NO_ERROR ) {
        OSPM_DBGERRORLOG( retVal, "Unable to reverse-engineer parse results from the given subjectPublicKeyInfo\n" );
        retVal = OSPC_ERR_ENROLL_ASN1_PARSE;
        goto cleanup;
    }

    /* Success: both pieces are handed to the caller, who is responsible for
     * deleting them (OSPPValidateDeviceCert does so after the comparison). */
    ospvPublicKeyOut->ElementInfo = spkiElement;
    ospvPublicKeyOut->ParseResults = spkiResults;
    return retVal;

cleanup:
    /* Failure path: release whatever was created before the error. */
    if ( spkiElement != OSPC_OSNULL ) {
        OSPPASN1ElementDelete( &spkiElement, 0 );
    }
    if ( spkiResults != OSPC_OSNULL ) {
        PTPResultsDelete( &spkiResults );
    }
    return retVal;
}

/* Given a binary string that represents a PKCS#10 request, create an
 * ASN1 object that contains the subjectPublicKeyInfo of the certificate
 * request. The subjectPublicKeyInfo is found as follows:
 *
 *   SEQUENCE              -- Certificate request
 *     SEQUENCE            -- Certificate request info
 *       INTEGER           -- version
 *       SEQUENCE          -- subject name
 *       SEQUENCE          -- subject public key info
 *       SEQUENCE          -- optional attributes
 *     OID                 -- signature algorithm
 *     BIT STRING          -- signature
 *
 * We'll use the ASN1 module from the OSP to decode the binary string
 * and extract the public key from the certificate request.
 *
 * Input: string representing a PKCS#10 certificate request, and a pointer
 *        to an ASN1 object for storing its subjectPublicKeyInfo.
 *
 * Output: the subjectPublicKeyInfo should be found, in which case we'll
 *         return OSPC_ERR_NO_ERROR. Otherwise, a different error code will
 *         be returned.
 */
int OSPPGetPublicKeyInfoFromCertReq( unsigned char* ospvCertReqB64In, OSPTASN1OBJECT* ospvPublicKeyOut )
{
    int retVal = OSPC_ERR_NO_ERROR;

    /* This represents the length of the base64-encoded request passed in: */
    unsigned certReqB64LenIn = 0;

    /* This will be the binary for storing the base64-decoded certificate
     * request; it should be deleted at the end of this function: */