done:
if( PGPKeyIterRefIsValid( iter ) )
PGPFreeKeyIter( iter );
if( PGPKeySetRefIsValid (keyset) )
PGPFreeKeySet(keyset);
if( PGPKeyDBRefIsValid( keyDB ) )
PGPFreeKeyDB( keyDB );
if( PGPKeyDBRefIsValid( keyDB1 ) )
PGPFreeKeyDB( keyDB1 );
if( PGPKeyDBRefIsValid( keyDB2 ) )
PGPFreeKeyDB( keyDB2 );
return err;
};
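/*
 * Build the Optest subject used by every certificate and request in this
 * test: the fixed organisation/location fields plus the given common name
 * and e-mail.  Fills av[] from index 0 and returns the number of entries
 * written (the running total of whatever addAV reports per field).
 */
static PGPSize sBuildSubjectAVs( PGPAttributeValue *av,
				 const char *commonName,
				 const char *email )
{
	PGPSize numAVs = 0;

	numAVs += addAV(kPGPAVAttribute_CommonName, commonName, &av[numAVs]);
	numAVs += addAV(kPGPAVAttribute_OrganizationName, "FIPS Optest Co", &av[numAVs]);
	numAVs += addAV(kPGPAVAttribute_Locality, "Cryptoland", &av[numAVs]);
	numAVs += addAV(kPGPAVAttribute_State, "State of Jefferson", &av[numAVs]);
	numAVs += addAV(kPGPAVAttribute_Country, "US", &av[numAVs]);
	numAVs += addAV(kPGPAVAttribute_Email, email, &av[numAVs]);

	return numAVs;
}

/*
 * Append the raw bytes of keyID to av[] as a kPGPAVAttribute_KeyID entry so
 * the resulting certificate can be matched back to its key later.  The new
 * entry only points into keyBytes, so that buffer must outlive any use of
 * av[].  Returns the new entry count; if PGPGetKeyIDBytes fails, av[] is
 * left untouched and numAVs is returned unchanged.
 */
static PGPSize sAppendKeyIDAV( PGPKeyID *keyID, PGPByte *keyBytes,
			       PGPAttributeValue *av, PGPSize numAVs )
{
	PGPSize numKeyIDBytes = 0;

	if( IsntPGPError( PGPGetKeyIDBytes( keyID, keyBytes, &numKeyIDBytes ) ) )
	{
		av[numAVs].attribute = kPGPAVAttribute_KeyID;
		av[numAVs].size = numKeyIDBytes;
		av[numAVs].value.pointervalue = (char *) keyBytes;
		numAVs++;
	}

	return numAVs;
}

/*
 * Exercise the X.509 certificate API end to end on the test key ring:
 *   1. make a self-signed CA certificate on the RSA test key and export it;
 *   2. issue a certificate for a second key directly from the CA and check
 *      that its chain terminates at that CA certificate;
 *   3. export a certificate request for a third key, sign it with the CA,
 *      and export the resulting certificate;
 *   4. drop the key database, re-import the PEM certificate into a fresh
 *      one and list what came back.
 *
 * context: the SDK context all calls run in.
 * Returns kPGPError_NoErr on success, otherwise the error of the first
 * failing call (or the value FAIL sets for a failed check).  All SDK
 * objects acquired here are released at `done:` on every path.
 */
PGPError doX509Functions( PGPContextRef context )
{
	PGPError err = kPGPError_NoErr;
	PGPKeyDBRef keyDB = kInvalidPGPKeyDBRef;
	PGPKeySetRef keyset = kInvalidPGPKeySetRef;
	PGPKeyIterRef iter = kInvalidPGPKeyIterRef;
	PGPKeyDBObjRef rootKey = kInvalidPGPKeyDBObjRef;
	PGPKeyDBObjRef theKey = kInvalidPGPKeyDBObjRef;
	PGPKeyDBObjRef certifierKey = kInvalidPGPKeyDBObjRef;
	PGPKeyDBObjRef otherKey = kInvalidPGPKeyDBObjRef;
	PGPKeyDBObjRef newSig = kInvalidPGPKeyDBObjRef;
	PGPKeyDBObjRef cert = kInvalidPGPKeyDBObjRef;
	PGPKeyDBObjRef sigRoot = kInvalidPGPKeyDBObjRef;
	PGPKeyID theKeyID;
	PGPBoolean bCAIsKnown = FALSE;
	/* Six subject fields plus one KeyID entry are written at most; 10 leaves headroom. */
	PGPAttributeValue av[10];
	PGPSize numAVs = 0;
	/* PGPGetKeyIDBytes is called without a buffer length, so this relies on
	 * a key ID never exceeding 8 bytes -- NOTE(review): confirm against the SDK header. */
	PGPByte keyBytes[8];
	PGPSize outLen = 0;
	PGPByte *outBuf = NULL;
	PGPUInt32 count = 0;

	/* Read in the test keys and get a ref to it */
	err = importKeys(context, gTestKeysPath, kPGPInputFormat_PGP, &keyDB); CKERR;

	/* create a keyset to later use for revokation
	 * (keys are added to it below; nothing in this function revokes them) */
	err = PGPNewEmptyKeySet(keyDB, &keyset); CKERR;

	/* Find a key to sign the cert req with */
	err = PGPNewKeyIDFromString( kRSATestKeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
	err = PGPFindKeyByKeyID( keyDB, &theKeyID, &rootKey); CKERR;
	printKeyName("\tFind a Key Suitable for CA - ", rootKey);

	/* Add a self signed x.509 cert */
	numAVs = sBuildSubjectAVs(av, "Optest X.509 CA", "optestCA@optest.co");
	OPTESTPrintF("\tAdd a self signed x.509 cert named \"Optest X.509\"\n");
	err = PGPCreateSelfSignedX509Certificate(rootKey,
			&cert,
			PGPOAttributeValue(context, av, numAVs),
			PGPOPassphrase(context, kRSATestKeyPassPhrase),
			PGPOExpiration(context, 30),
			PGPOLastOption(context)); CKERR;

	/* print out self certed key details */
	if(gVerbose_flag)
	{
		OPTESTPrintF("\n");
		err = printKeyDetails( " ", FALSE, rootKey); CKERR;
	}
	else
	{
		printKeyName( " ", rootKey);
	}

	/* Export the certificate only (PGPOExportPrivateKeys is FALSE, so no
	 * private key material is requested).  The export result is checked
	 * before use: on failure outBuf may still be NULL, and the "%s" print
	 * below must not see it. */
	OPTESTPrintF("\tExport self-signed certificate in PEM format.\n ");
	err = PGPExport(context,
			PGPOExportKeyDBObj(context, cert),
			PGPOAllocatedOutputBuffer(context, (void*) &outBuf, MAX_PGPSize, &outLen),
			PGPOExportFormat(context, kPGPExportFormat_X509Cert),
			PGPOExportPrivateKeys(context, FALSE),
			PGPOArmorOutput(context, TRUE),
			PGPOLastOption(context)); CKERR;
	if(gVerbose_flag) OPTESTPrintF("\n%s", (char*)outBuf);
	PGPFreeData(outBuf); outBuf = NULL;
	OPTESTPrintF("\n");

	/* Find test Key, note that we only support X.509 certs on RSA keys */
	err = PGPNewKeyIDFromString( kOptestTestKey2IDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
	err = PGPFindKeyByKeyID( keyDB, &theKeyID, &otherKey); CKERR;
	printKeyName("\tFind key - ", otherKey);

	/* Subject for the directly issued certificate, plus the KeyID so the
	 * certificate can be tied back to otherKey later. */
	numAVs = sBuildSubjectAVs(av, "Optest Certed User", "bozo1@optest.co");
	numAVs = sAppendKeyIDAV(&theKeyID, keyBytes, av, numAVs);

	/* create new cert; the result is checked so that the top-sig check
	 * below never runs on an invalid newSig */
	printKeyName("\tCreate X.509 Certificate using ", rootKey);
	err = PGPCreateX509Certificate(cert, rootKey, &newSig,
			PGPOAttributeValue(context, av, numAVs),
			PGPOExpiration(context, 5),
			PGPOKeyFlags( context, kPGPKeyPropertyFlags_UsageSignMessages
					| kPGPKeyPropertyFlags_UsageEncrypt ),
			PGPOSigTrust(context, 0, kPGPKeyTrust_Complete),
			PGPOPassphrase(context, kRSATestKeyPassPhrase),
			PGPOLastOption(context)); CKERR;

	/* check for the top sig: the new certificate must chain up to exactly
	 * the CA certificate we just made, and that CA must be reported as
	 * known; anything else is a test failure */
	OPTESTPrintF("\tCheck top sig of new Certificate \n");
	err = PGPGetSigX509TopSig (newSig, kInvalidPGPKeyDBRef, keyDB, &bCAIsKnown, &sigRoot); CKERR;
	if(! bCAIsKnown || (sigRoot != cert)) FAIL("PGPGetSigX509TopSig failed");
	err = PGPGetSigCertifierKey (newSig, keyDB, &certifierKey); CKERR;
	printKeyName("\tVerify certified by key - ", certifierKey);

	/* add key to revokation set */
	err = PGPAddKey(otherKey, keyset); CKERR;

	/* print out resultant key */
	if(gVerbose_flag)
	{
		OPTESTPrintF("\n");
		err = printKeyDetails( " ", FALSE, otherKey); CKERR;
	}
	OPTESTPrintF("\n");

	// test key functions
	err = sTestX509Key(context, rootKey, cert, kRSATestKeyPassPhrase); CKERR;

	/* Find test Key, note that we only support X.509 certs on RSA keys */
	err = PGPNewKeyIDFromString( kOptestTestKeyIDString, kPGPPublicKeyAlgorithm_Invalid, &theKeyID); CKERR;
	err = PGPFindKeyByKeyID( keyDB, &theKeyID, &theKey); CKERR;
	printKeyName("\n\tFind key - ", theKey);

	/* Subject for the certificate request; keyBytes is overwritten here,
	 * which is fine because the previous av[] contents are no longer used. */
	numAVs = sBuildSubjectAVs(av, "Optest User", "bozo@optest.co");
	numAVs = sAppendKeyIDAV(&theKeyID, keyBytes, av, numAVs);

	/* Export the Cert Request (the request is signed with the requesting
	 * key's own passphrase, not the CA's) */
	OPTESTPrintF("\tCreate certificate Request for Optest User.\n ");
	err = PGPExport(context,
			PGPOExportKeyDBObj(context, theKey),
			PGPOAllocatedOutputBuffer(context, (void*) &outBuf, MAX_PGPSize, &outLen),
			PGPOExportFormat(context, kPGPExportFormat_X509CertReq),
			PGPOAttributeValue(context, av, numAVs),
			PGPOPassphrase(context, kOptestTestKeyPassPhrase),
			PGPOArmorOutput(context, TRUE),
			PGPOLastOption(context)); CKERR;
	if(gVerbose_flag) OPTESTPrintF("\n%s\n", (char*)outBuf);

	/* Sign with Proper X.509 CA: the exported request buffer is fed straight
	 * back in as input and the CA passphrase authorises the signature */
	printKeyName("\tImport certificate request and sign using ", rootKey);
	err = PGPCreateX509CertificateFromRequest(cert, &newSig,
			PGPOInputBuffer(context, outBuf, outLen),
			PGPOExpiration(context, 5),
			PGPOCreationDate(context, PGPGetTime()),
			PGPOAttributeValue(context, av, numAVs),
			PGPOPassphrase(context, kRSATestKeyPassPhrase),
			PGPOLastOption(context)); CKERR;
	PGPFreeData(outBuf); outBuf = NULL;

	/* add key to revokation set */
	err = PGPAddKey(theKey, keyset); CKERR;

	/* print out resultant key */
	if(gVerbose_flag)
	{
		OPTESTPrintF("\n");
		err = printKeyDetails( " ", FALSE, theKey); CKERR;
	}

	/* Export the signed certificate; outBuf is re-imported below, so a
	 * failed export must stop here rather than hand an unset buffer on */
	OPTESTPrintF("\tExport signed certificate in PEM format.\n ");
	err = PGPExport(context,
			PGPOExportKeyDBObj(context, newSig),
			PGPOAllocatedOutputBuffer(context, (void*) &outBuf, MAX_PGPSize, &outLen),
			PGPOExportFormat(context, kPGPExportFormat_X509Cert),
			PGPOExportPrivateKeys(context, FALSE),
			PGPOArmorOutput(context, TRUE),
			PGPOLastOption(context)); CKERR;
	if(gVerbose_flag) OPTESTPrintF("\n%s\n", (char*)outBuf);

	/* Drop the database.  Every object ref obtained from it (rootKey, cert,
	 * otherKey, theKey, newSig, ...) is dangling from here on, so they are
	 * reset and must not be used again. */
	OPTESTPrintF("\n\tFree key DataBase and create new one.\n");
	PGPFreeKeySet(keyset); keyset = kInvalidPGPKeySetRef;
	PGPFreeKeyDB( keyDB ); keyDB = kInvalidPGPKeyDBRef;
	rootKey = kInvalidPGPKeyDBObjRef;
	theKey = kInvalidPGPKeyDBObjRef;
	certifierKey = kInvalidPGPKeyDBObjRef;
	otherKey = kInvalidPGPKeyDBObjRef;
	newSig = kInvalidPGPKeyDBObjRef;
	cert = kInvalidPGPKeyDBObjRef;
	sigRoot = kInvalidPGPKeyDBObjRef;

	/* Re-import the PEM certificate on its own; exactly one key is expected
	 * to come back from a single certificate */
	OPTESTPrintF("\tRe-import PEM cert.\n");
	err = PGPImport( context, &keyDB,
			PGPOInputBuffer(context, outBuf, outLen),
			PGPOInputFormat(context, kPGPInputFormat_PEMEncodedX509Cert),
			PGPOLastOption(context)); CKERR;
	err = PGPCountKeysInKeyDB(keyDB, &count); CKERR;
	if(count != 1) FAIL("cert import failed\n");

	/* Iterate through each key of the re-imported database */
	err = PGPNewKeyIterFromKeyDB( keyDB, &iter); CKERR;
	while( IsntPGPError( PGPKeyIterNextKeyDBObj( iter, kPGPKeyDBObjType_Key, &theKey) ) )
	{
		if(gVerbose_flag)
		{
			err = printKeyDetails( " ", FALSE, theKey); CKERR;
		}
		else
		{
			printKeyName(" ", theKey);
		}
	}

done:
	/* Release in reverse order of acquisition; every ref is either valid
	 * or its kInvalid... sentinel, and outBuf is NULL whenever it does not
	 * own an allocation. */
	if(outBuf) PGPFreeData(outBuf);
	if( PGPKeyIterRefIsValid( iter ) )
		PGPFreeKeyIter( iter );
	if( PGPKeySetRefIsValid (keyset) )
		PGPFreeKeySet(keyset);
	if( PGPKeyDBRefIsValid( keyDB ) )
		PGPFreeKeyDB( keyDB );
	return err;
}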
/* Adapter giving CountKnownCAs the one-argument shape of the other steps. */
static PGPError sCountKnownCAsStep( PGPContextRef context )
{
	return CountKnownCAs( context, FALSE );
}

/*
 * Run the X.509 test sequence: count the known CAs, exercise the
 * certificate functions, build a key bundle, then build a CRL.
 *
 * context: the SDK context handed to every step.
 * Returns kPGPError_NoErr if every step succeeds, otherwise the error of
 * the first step that fails; later steps are not run.
 */
PGPError TestX509( PGPContextRef context )
{
	PGPError err = kPGPError_NoErr;
	PGPError (* const steps[])( PGPContextRef ) = {
		sCountKnownCAsStep,
		doX509Functions,
		makeX509KeyBundle,
		makeCRL,
	};
	size_t step;

	for( step = 0; step < sizeof steps / sizeof steps[0]; step++ )
	{
		err = steps[step]( context ); CKERR;
	}

done:
	return err;
}