if( cBuf != NULL)
PGPFreeData(cBuf);
return err;
}
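/*
 * Import one PEM/DER-encoded X.509 certificate into a scratch key DB and
 * copy its first certificate-signature object into destDB.
 *
 * context - SDK context used for the option list.
 * der     - certificate bytes (the fixture arrays key1DER / key2DER).
 * derLen  - length of der in bytes.
 * destDB  - key DB that receives the copied signature object.
 * Returns the first SDK error, or kPGPError_NoErr.  The scratch DB and the
 * iterator are released on every exit path, so a failure here never leaks.
 */
static PGPError importX509CertInto( PGPContextRef context, const void *der,
                                    PGPSize derLen, PGPKeyDBRef destDB )
{
    PGPError        err     = kPGPError_NoErr;
    PGPKeyDBRef     tmpDB   = kInvalidPGPKeyDBRef;
    PGPKeyIterRef   iter    = kInvalidPGPKeyIterRef;
    PGPKeyDBObjRef  certSig = kInvalidPGPKeyDBObjRef;

    err = PGPImport( context, &tmpDB,
            PGPOInputBuffer(context, der, derLen),
            PGPOX509Encoding(context, TRUE),
            PGPOInputFormat(context, kPGPInputFormat_PEMEncodedX509Cert),
            PGPOLastOption(context)); CKERR;

    /* The certificate is represented as the first Signature object in the
       freshly imported DB; that is what the CRL test later revokes. */
    err = PGPNewKeyIterFromKeyDB( tmpDB, &iter ); CKERR;
    err = PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Signature, &certSig ); CKERR;
    /* The original code dropped this return value; a failed copy would have
       left destDB without the certificate and the test would misreport. */
    err = PGPCopyKeyDBObj( certSig, destDB, NULL ); CKERR;

done:
    if( iter != kInvalidPGPKeyIterRef )
        PGPFreeKeyIter( iter );
    if( PGPKeyDBRefIsValid( tmpDB ) )
        PGPFreeKeyDB( tmpDB );
    return err;
}

/*
 * makeCRL - self-test for X.509 CRL generation and revocation checking.
 *
 * Imports the signer (CA) PKCS#12 bundle plus two user certificates into a
 * single key DB, then:
 *   1. confirms neither certificate signature is revoked to begin with,
 *   2. issues a CRL listing the first certificate and checks that its
 *      signature is now flagged revoked,
 *   3. issues a second CRL listing both certificates and checks that BOTH
 *      signatures are flagged revoked (the original test read key1Sig twice
 *      here, so the second certificate was never actually verified).
 *
 * context - SDK context used for all option lists and imports.
 * Returns kPGPError_NoErr on success, the first SDK error encountered, or
 * kPGPError_SelfTestFailed when the revocation state differs from what the
 * test expects.  Every key DB, key set and iterator acquired here is
 * released at the "done" label on all exit paths.
 */
PGPError makeCRL( PGPContextRef context )
{
    PGPError        err       = kPGPError_NoErr;
    PGPKeyDBRef     keyDB     = kInvalidPGPKeyDBRef;    /* signer + both certs */
    PGPKeySetRef    keyset    = kInvalidPGPKeySetRef;
    PGPKeyIterRef   iter      = kInvalidPGPKeyIterRef;
    PGPKeyDBObjRef  key1      = kInvalidPGPKeyDBObjRef;
    PGPKeyDBObjRef  key1Sig   = kInvalidPGPKeyDBObjRef;
    PGPKeyDBObjRef  key2      = kInvalidPGPKeyDBObjRef;
    PGPKeyDBObjRef  key2Sig   = kInvalidPGPKeyDBObjRef;
    PGPKeyDBObjRef  signerKey = kInvalidPGPKeyDBObjRef;
    PGPKeyDBObjRef  signerSig = kInvalidPGPKeyDBObjRef;
    PGPBoolean      revoked1  = FALSE;
    PGPBoolean      revoked2  = FALSE;
    PGPKeyID        theKeyID;

    OPTESTPrintF("\n\tCRL Test \n");

    /* The signer key arrives as a passphrase-protected PKCS#12 bundle;
       "1" is the fixed passphrase of the test fixture, not a real secret. */
    OPTESTPrintF("\tImport P12 cert.\n");
    err = PGPImport( context, &keyDB,
            PGPOInputBuffer(context, P12Certs, sizeof(P12Certs)),
            PGPOX509Encoding(context, TRUE),
            PGPOInputFormat(context, kPGPInputFormat_PKCS12),
            PGPOPassphraseBuffer( context, (const char *) "1", 1 ),
            PGPOLastOption(context)); CKERR;

    /* Both user certificates are merged into keyDB so that one key DB holds
       the signer and every certificate the CRL will cover. */
    OPTESTPrintF("\tImport User 1 DER.\n");
    err = importX509CertInto( context, key1DER, sizeof(key1DER), keyDB ); CKERR;
    OPTESTPrintF("\tImport User 2 DER.\n");
    err = importX509CertInto( context, key2DER, sizeof(key2DER), keyDB ); CKERR;

    /* keyDB now holds three keys: the signer and the two certificate keys.
       Locate each by its known key ID, then the signature object that
       follows each key in iteration order. */
    err = PGPNewKeyIDFromString( kCAKeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
    err = PGPFindKeyByKeyID( keyDB, &theKeyID, &signerKey); CKERR;
    err = PGPNewKeyIDFromString( kKey1KeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
    err = PGPFindKeyByKeyID( keyDB, &theKeyID, &key1); CKERR;
    err = PGPNewKeyIDFromString( kKey2KeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
    err = PGPFindKeyByKeyID( keyDB, &theKeyID, &key2); CKERR;

    err = PGPNewKeyIterFromKeyDB( keyDB, &iter ); CKERR;
    PGPKeyIterSeek( iter, signerKey );
    err = PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Signature, &signerSig ); CKERR;
    err = PGPKeyIterRewind( iter, kPGPKeyDBObjType_Key ); CKERR;
    PGPKeyIterSeek( iter, key1 );
    err = PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Signature, &key1Sig ); CKERR;
    err = PGPKeyIterRewind( iter, kPGPKeyDBObjType_Key ); CKERR;
    PGPKeyIterSeek( iter, key2 );
    err = PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Signature, &key2Sig ); CKERR;
    PGPFreeKeyIter( iter );
    iter = kInvalidPGPKeyIterRef;

    if( gVerbose_flag )
    {
        OPTESTPrintF("\tFound Keys\n");
        printKeyName( " ", signerKey );
        OPTESTPrintF("\n");
        printKeyName( " ", key1 );
        printSigInfo( " ", key1Sig );
        OPTESTPrintF("\n");
        printKeyName( " ", key2 );
        printSigInfo( " ", key2Sig );
        OPTESTPrintF("\n");
    }

    /* Neither signature may be revoked before any CRL is issued; otherwise
       the positive checks below would pass without the CRL doing anything. */
    err = PGPGetKeyDBObjBooleanProperty( key1Sig, kPGPSigProperty_IsRevoked, &revoked1 ); CKERR;
    if( revoked1 )
    {
        printKeyName( " ", key1 );
        printSigInfo( " ", key1Sig );
        OPTESTPrintF("\tSignature already Revoked!\n");
        RETERR(kPGPError_SelfTestFailed);
    }
    err = PGPGetKeyDBObjBooleanProperty( key2Sig, kPGPSigProperty_IsRevoked, &revoked2 ); CKERR;
    if( revoked2 )
    {
        printKeyName( " ", key2 );
        printSigInfo( " ", key2Sig );
        OPTESTPrintF("\tSignature already Revoked!\n");
        RETERR(kPGPError_SelfTestFailed);
    }

    /* --- CRL #1: one entry (first certificate) --- */
    OPTESTPrintF("\tRevoke First Certificate ...");
    err = PGPNewEmptyKeySet( keyDB, &keyset ); CKERR;
    err = PGPAddKey( key1, keyset ); CKERR;
    err = PGPCreateX509CRL( signerSig, keyset,
            PGPOPassphrase(context, (const char *) "1"),
            PGPOStartSerialNumberNumeric(context, 12345),
            PGPOExpiration(context, 1),
            PGPOLastOption(context)); CKERR;
    /* The signer is added so the chain can be verified; presumably this
       re-check is what updates the IsRevoked property from the new CRL. */
    err = PGPAddKey( signerSig, keyset ); CKERR;
    err = PGPCheckKeyRingSigs( keyset, NULL, TRUE, NULL, NULL ); CKERR;

    err = PGPGetKeyDBObjBooleanProperty( key1Sig, kPGPSigProperty_IsRevoked, &revoked1 ); CKERR;
    if( revoked1 )
    {
        OPTESTPrintF("OK\n");
    }
    else
    {
        OPTESTPrintF("FAILED!\n");
        printKeyName( " ", key1 );
        printSigInfo( " ", key1Sig );
        RETERR(kPGPError_SelfTestFailed);
    }

    /* --- CRL #2: two entries (both certificates) --- */
    OPTESTPrintF("\tRevoke Second Certificate ...");
    PGPFreeKeySet( keyset );
    keyset = kInvalidPGPKeySetRef;
    err = PGPNewEmptyKeySet( keyDB, &keyset ); CKERR;
    err = PGPAddKey( key1, keyset ); CKERR;
    err = PGPAddKey( key2, keyset ); CKERR;
    err = PGPCreateX509CRL( signerSig, keyset,
            PGPOPassphrase(context, (const char *) "1"),
            PGPOExpiration(context, 1),
            PGPOLastOption(context)); CKERR;
    err = PGPAddKey( signerSig, keyset ); CKERR;
    err = PGPCheckKeyRingSigs( keyset, NULL, TRUE, NULL, NULL ); CKERR;

    /* Both certificate signatures must now be revoked.  Note key2Sig is
       read here: the original queried key1Sig for both flags, so a CRL that
       silently omitted the second entry would still have passed. */
    err = PGPGetKeyDBObjBooleanProperty( key1Sig, kPGPSigProperty_IsRevoked, &revoked1 ); CKERR;
    err = PGPGetKeyDBObjBooleanProperty( key2Sig, kPGPSigProperty_IsRevoked, &revoked2 ); CKERR;
    if( revoked1 && revoked2 )
    {
        OPTESTPrintF("OK\n");
    }
    else
    {
        OPTESTPrintF("FAILED!\n");
        printKeyName( " ", key1 );
        printSigInfo( " ", key1Sig );
        OPTESTPrintF("\n");
        printKeyName( " ", key2 );
        printSigInfo( " ", key2Sig );
        RETERR(kPGPError_SelfTestFailed);
    }

#if 0
    /* Removing a single CRL entry via PGPOExcludeKeySet is not implemented
       in SDK 3.7.1; kept disabled until the SDK supports it. */
    OPTESTPrintF("\tRemove one entry (second certificate) ...");
    PGPFreeKeySet( keyset );
    keyset = kInvalidPGPKeySetRef;
    err = PGPNewEmptyKeySet( keyDB, &keyset ); CKERR;
    err = PGPAddKey( key2, keyset ); CKERR;
    err = PGPCreateX509CRL( signerSig, NULL,
            PGPOPassphrase(context, (const char *) "1"),
            PGPOExcludeKeySet(context, keyset),
            PGPOLastOption(context)); CKERR;
    OPTESTPrintF("OK\n");
#endif

done:
    /* The iterator is live across several CKERR sites above; release it
       here so an early error exit does not leak it. */
    if( iter != kInvalidPGPKeyIterRef )
        PGPFreeKeyIter( iter );
    if( PGPKeySetRefIsValid( keyset ) )
        PGPFreeKeySet( keyset );
    if( PGPKeyDBRefIsValid( keyDB ) )
        PGPFreeKeyDB( keyDB );
    return err;
}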
PGPError makeX509KeyBundle( PGPContextRef context )
{
PGPError err = kPGPError_NoErr;
PGPKeyDBRef keyDB = kInvalidPGPKeyDBRef;
PGPKeyDBRef keyDB1 = kInvalidPGPKeyDBRef;
PGPKeyDBRef keyDB2 = kInvalidPGPKeyDBRef;
PGPKeySetRef keyset = kInvalidPGPKeySetRef;
PGPKeyIterRef iter = kInvalidPGPKeyIterRef;
PGPKeyDBObjRef theKey = kInvalidPGPKeyDBObjRef;
PGPKeyDBObjRef masterKey = kInvalidPGPKeyDBObjRef;
PGPKeyID theKeyID;
PGPUInt32 count;
PGPUInt32 entropyNeeded;
OPTESTPrintF("\n\tKeyBundle Test \n");
/* Read in the test keys and get a ref to it */
err = importKeys(context,gTestKeysPath, kPGPInputFormat_PGP, &keyDB); CKERR;
/* Find first X509 Key Key */
err = PGPNewKeyIDFromString( kOptestEOKeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
err = PGPFindKeyByKeyID( keyDB, &theKeyID, &theKey); CKERR;
printKeyName("\tMake Key Bundle with subkey - ", theKey);
err = PGPChangePassphrase(theKey,
PGPOPassphrase( context, kOptestEOKeyPassPhrase),
PGPOPassphrase( context, kOptestBundlePassPhrase),
PGPOLastOption( context )); CKERR;
err = PGPNewOneKeySet(theKey, &keyset); CKERR;
/* Check for sufficient random bits */
entropyNeeded = PGPGetKeyEntropyNeeded(context,
PGPOKeyGenParams(context,kPGPPublicKeyAlgorithm_RSA, 1024),
PGPOLastOption( context ) );
/* make Key Bundle */
err = ConsoleAcquireEntropy(context, entropyNeeded/8, NULL, FALSE); CKERR;
err = PGPCreateKeyBundle(keyset, &keyDB1,
PGPOKeyGenParams(context,kPGPPublicKeyAlgorithm_RSA, 1024),
PGPOKeyGenUseExistingEntropy(context, FALSE),
PGPOPassphrase( context, kOptestBundlePassPhrase) ,
PGPOLastOption( context )); CKERR;
err = PGPCountKeysInKeyDB(keyDB1, &count); CKERR;
if(count != 1) FAIL("PGPCreateKeyBundle failed\n");
/* extract key from keydb */
err = PGPNewKeyIterFromKeyDB( keyDB1, &iter); CKERR;
err = PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Key, &masterKey); CKERR;
PGPFreeKeySet(keyset); keyset = kInvalidPGPKeySetRef;
PGPFreeKeyIter( iter ); iter = kInvalidPGPKeyIterRef;
/* Find second X509 Key Key */
err = PGPNewKeyIDFromString( kOptestSOKeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
err = PGPFindKeyByKeyID( keyDB, &theKeyID, &theKey); CKERR;
printKeyName("\tAdd subkey - ", theKey);
err = PGPChangePassphrase(theKey,
PGPOPassphrase( context, kOptestSOKeyPassPhrase),
PGPOPassphrase( context, kOptestBundlePassPhrase),
PGPOLastOption( context )); CKERR;
err = PGPNewOneKeySet(theKey, &keyset); CKERR;
/* add to Key Bundle */
err = PGPCreateKeyBundle(keyset, &keyDB2,
PGPOKeyGenMasterKey(context, masterKey),
PGPOPassphrase( context, kOptestBundlePassPhrase) ,
PGPOLastOption( context )); CKERR;
/* extract key from keydb */
err = PGPNewKeyIterFromKeyDB( keyDB2, &iter); CKERR;
err = PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Key, &masterKey); CKERR;
OPTESTPrintF("\tDisplay new key bundle \n");
printKeyDetails( " ", FALSE,masterKey);