📄 s_scep.c
字号:
/****************************************************************************
* *
* cryptlib Cert Management Session Test Routines *
* Copyright Peter Gutmann 1998-2005 *
* *
****************************************************************************/
#include "cryptlib.h"
#include "test/test.h"
#if defined( __MVS__ ) || defined( __VMCMS__ )
/* Suspend conversion of literals to ASCII. */
#pragma convlit( suspend )
#endif /* IBM big iron */
#if defined( __ILEC400__ )
#pragma convert( 0 )
#endif /* IBM medium iron */
#if defined( TEST_SESSION ) || defined( TEST_SESSION_LOOPBACK )
/****************************************************************************
* *
* SCEP Test Data *
* *
****************************************************************************/
/* There are various SCEP test servers available, the following mappings
can be used to test different ones. Implementation peculiarities:
#1 - cryptlib: None.
#2 - SSH (www.ssh.com/support/testzone/pki.html): Invalid CA certs.
#3 - OpenSCEP (openscep.othello.ch): Seems to be permanently unavailable.
#4 - Entrust (freecerts.entrust.com/vpncerts/cep.htm): Only seems to be
set up to handle Cisco gear.
#5 - EJBCA: */
#define SCEP_NO 1
typedef struct {
const char FAR_BSS *name;
const C_CHR FAR_BSS *url, FAR_BSS *user, FAR_BSS *password, FAR_BSS *caCertUrl;
} SCEP_INFO;
static const SCEP_INFO FAR_BSS scepInfo[] = {
{ NULL }, /* Dummy so index == SCEP_NO */
{ /*1*/ "cryptlib", TEXT( "http://localhost/pkiclient.exe" ), NULL, NULL, NULL },
{ /*2*/ "SSH", TEXT( "http://pki.ssh.com:8080/scep/pkiclient.exe" ), TEXT( "ssh" ), TEXT( "ssh" ),
TEXT( "http://pki.ssh.com:8080/scep/pkiclient.exe?operation=GetCACert&message=test-ca1.ssh.com" ) },
{ /*3*/ "OpenSCEP", TEXT( "http://openscep.othello.ch/pkiclient.exe" ), TEXT( "????" ), TEXT( "????" ), NULL },
{ /*4*/ "Entrust", TEXT( "http://vpncerts.entrust.com/pkiclient.exe" ), TEXT( "????" ), TEXT( "????" ), NULL },
{ /*5*/ "EJBCA", TEXT( "http://q-rl-xp:8080/ejbca/publicweb/apply/scep/pkiclient.exe" ),
TEXT("test2"), TEXT("test2"),
TEXT( "http://q-rl-xp:8080/ejbca/publicweb/webdist/certdist?cmd=nscacert&issuer=O=Test&+level=1" ) },
};
/* Cert request data for the cert from the SCEP server. Note that we have
to set the CN to the PKI user CN, for CMP ir's we just omit the DN
entirely and have the server provide it for us but since SCEP uses PKCS
#10 requests we need to provide a DN, and since we provide it it has to
match the PKI user DN */
static const CERT_DATA FAR_BSS scepRequestData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Test SCEP PKI user" ) },
/* Subject altName */
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@wetas-r-us.com" ) },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, TEXT( "http://www.wetas-r-us.com" ) },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
/* PKI user data to authorise the issuing of the various certs */
static const CERT_DATA FAR_BSS scepPkiUserData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Test SCEP PKI user" ) },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
/****************************************************************************
* *
* Utility Functions *
* *
****************************************************************************/
/* Add a PKI user to the cert store */
static int addPKIUser( const CRYPT_KEYSET cryptCertStore,
const CERT_DATA *pkiUserData,
const BOOLEAN isSCEP )
{
CRYPT_CERTIFICATE cryptPKIUser;
CRYPT_SESSION cryptSession;
C_CHR userID[ CRYPT_MAX_TEXTSIZE + 1 ], issuePW[ CRYPT_MAX_TEXTSIZE + 1 ];
int length, status;
/* Create the PKI user object and add the user's identification
information */
status = cryptCreateCert( &cryptPKIUser, CRYPT_UNUSED,
CRYPT_CERTTYPE_PKIUSER );
if( cryptStatusError( status ) )
{
printf( "cryptCreateCert() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
if( !addCertFields( cryptPKIUser, pkiUserData, __LINE__ ) )
return( FALSE );
/* Add the user info to the cert store */
status = cryptCAAddItem( cryptCertStore, cryptPKIUser );
if( status == CRYPT_ERROR_DUPLICATE )
{
C_CHR userCN[ CRYPT_MAX_TEXTSIZE + 1 ];
/* Get the name of the duplicate user */
status = cryptGetAttributeString( cryptPKIUser,
CRYPT_CERTINFO_COMMONNAME,
userCN, &length );
if( cryptStatusError( status ) )
return( attrErrorExit( cryptPKIUser, "cryptGetAttribute()",
status, __LINE__ ) );
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
userCN[ length ] = TEXT( '\0' );
/* The PKI user info was already present, for SCEP this isn't a
problem since we can just re-use the existing info, but for CMP
we can only authorise a single cert issue per user so we have
to delete the existing user info and try again */
if( isSCEP )
{
/* The PKI user info is already present from a previous run, get
the existing info */
puts( "PKI user information is already present from a previous "
"run, reusing existing\n PKI user data..." );
cryptDestroyCert( cryptPKIUser );
status = cryptCAGetItem( cryptCertStore, &cryptPKIUser,
CRYPT_CERTTYPE_PKIUSER, CRYPT_KEYID_NAME,
userCN );
}
else
{
puts( "PKI user information is already present from a previous "
"run, deleting existing\n PKI user data..." );
status = cryptCADeleteItem( cryptCertStore, CRYPT_CERTTYPE_PKIUSER,
CRYPT_KEYID_NAME, userCN );
if( cryptStatusError( status ) )
return( extErrorExit( cryptCertStore, "cryptCADeleteItem()",
status, __LINE__ ) );
status = cryptCAAddItem( cryptCertStore, cryptPKIUser );
}
}
if( cryptStatusError( status ) )
return( extErrorExit( cryptCertStore, "cryptCAAdd/GetItem()", status,
__LINE__ ) );
/* Display the information for the new user and make sure that the
error-checking in the user information works. We have to check both
passwords to reduce false positives since it's just a simple
integrity check meant to catch typing errors rather than a
cryptographically strong check */
if( !printCertInfo( cryptPKIUser ) )
return( FALSE );
status = cryptGetAttributeString( cryptPKIUser,
CRYPT_CERTINFO_PKIUSER_ID,
userID, &length );
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
userID[ length ] = '\0';
status = cryptGetAttributeString( cryptPKIUser,
CRYPT_CERTINFO_PKIUSER_ISSUEPASSWORD,
issuePW, &length );
}
if( cryptStatusOK( status ) )
{
#ifdef UNICODE_STRINGS
length /= sizeof( wchar_t );
#endif /* UNICODE_STRINGS */
issuePW[ length ] = '\0';
}
else
return( attrErrorExit( cryptPKIUser, "cryptGetAttribute()", status,
__LINE__ ) );
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED,
CRYPT_SESSION_CMP );
if( cryptStatusError( status ) )
return( FALSE );
if( userID[ 2 ] >= TEXT( 'A' ) && userID[ 2 ] < TEXT( 'Z' ) )
userID[ 2 ]++;
else
userID[ 2 ] = TEXT( 'A' );
if( issuePW[ 8 ] >= TEXT( 'A' ) && issuePW[ 8 ] < TEXT( 'Z' ) )
issuePW[ 8 ]++;
else
issuePW[ 8 ] = TEXT( 'A' );
status = cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_USERNAME,
userID, paramStrlen( userID ) );
if( cryptStatusOK( status ) )
status = cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_PASSWORD,
issuePW, paramStrlen( issuePW ) );
if( cryptStatusOK( status ) )
{
puts( "Integrity check of user ID and password failed to catch "
"errors in the data.\n(This check isn't foolproof and is "
"intended only to catch typing errors when\nentering the "
"data. Try running the test again to see if the problem "
"still\noccurs)." );
return( FALSE );
}
cryptDestroySession( cryptSession );
/* Clean up */
cryptDestroyCert( cryptPKIUser );
return( TRUE );
}
/* Get information on a PKI user */
int pkiGetUserInfo( C_STR userID, C_STR issuePW, C_STR revPW, C_STR userName )
{
CRYPT_KEYSET cryptCertStore;
CRYPT_CERTIFICATE cryptPKIUser;
int length, status;
/* cryptlib implements per-user (rather than shared interop) IDs and
passwords so we need to read the user ID and password information
before we can perform any operations. First we get the PkiUser
object */
status = cryptKeysetOpen( &cryptCertStore, CRYPT_UNUSED,
CERTSTORE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_NONE );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access isn't available, return a special error
code to indicate that the test wasn't performed, but that this
isn't a reason to abort processing */
puts( "No certificate store available, aborting CMP test.\n" );
return( CRYPT_ERROR_NOTAVAIL );
}
if( cryptStatusError( status ) )
{
printf( "cryptKeysetOpen() failed with error code %d, line %d.\n",
status, __LINE__ );
return( FALSE );
}
status = cryptCAGetItem( cryptCertStore, &cryptPKIUser,
CRYPT_CERTTYPE_PKIUSER, CRYPT_KEYID_NAME,
userName );
cryptKeysetClose( cryptCertStore );
if( cryptStatusError( status ) )
{
/* Only report error info if it's not a basic presence check */
if( userID != NULL )
extErrorExit( cryptCertStore, "cryptCAGetItem()", status, __LINE__ );
return( FALSE );
}
/* If it's a presence check only, we're done */
if( userID == NULL )
{
cryptDestroyCert( cryptPKIUser );
return( TRUE );
}
/* Then we extract the information from the PkiUser object */
status = cryptGetAttributeString( cryptPKIUser,
CRYPT_CERTINFO_PKIUSER_ID,
userID, &length );
if( cryptStatusOK( status ) )
{
userID[ length ] = '\0';
status = cryptGetAttributeString( cryptPKIUser,
CRYPT_CERTINFO_PKIUSER_ISSUEPASSWORD,
issuePW, &length );
}
if( cryptStatusOK( status ) )
issuePW[ length ] = '\0';
if( cryptStatusOK( status ) && revPW != NULL )
{
status = cryptGetAttributeString( cryptPKIUser,
CRYPT_CERTINFO_PKIUSER_REVPASSWORD,
revPW, &length );
if( cryptStatusOK( status ) )
revPW[ length ] = '\0';
}
cryptDestroyCert( cryptPKIUser );
if( cryptStatusError( status ) )
{
attrErrorExit( cryptPKIUser, "cryptGetAttribute()", status,
__LINE__ );
return( FALSE );
}
/* We've got what we need, tell the user what we're doing */
printf( "Using user name %s, password %s.\n", userID, issuePW );
return( TRUE );
}
/* Set up objects and information needed by a server-side PKI session */
int pkiServerInit( CRYPT_CONTEXT *cryptPrivateKey,
CRYPT_KEYSET *cryptCertStore, const C_STR keyFileName,
const C_STR keyLabel, const CERT_DATA *pkiUserData,
const CERT_DATA *pkiUserCAData, const char *protocolName )
{
int status;
/* Get the cert store to use with the session. Before we use the store
we perform a cleanup action to remove any leftover requests from
previous runs */
status = cryptKeysetOpen( cryptCertStore, CRYPT_UNUSED,
CERTSTORE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_CREATE );
if( status == CRYPT_ERROR_PARAM3 )
{
/* This type of keyset access isn't available, return a special error
code to indicate that the test wasn't performed, but that this
isn't a reason to abort processing */
printf( "SVR: No certificate store available, aborting %s server "
"test.\n\n", protocolName );
return( CRYPT_ERROR_NOTAVAIL );
}
if( status == CRYPT_ERROR_DUPLICATE )
status = cryptKeysetOpen( cryptCertStore, CRYPT_UNUSED,
CERTSTORE_KEYSET_TYPE, CERTSTORE_KEYSET_NAME,
CRYPT_KEYOPT_NONE );
if( cryptStatusError( status ) )
{
printf( "SVR: cryptKeysetOpen() failed with error code %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
status = cryptCACertManagement( NULL, CRYPT_CERTACTION_CLEANUP,
*cryptCertStore, CRYPT_UNUSED,
CRYPT_UNUSED );
if( cryptStatusError( status ) )
{
printf( "SVR: CA cert store cleanup failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
/* Create the EE and CA PKI users */
puts( "Creating PKI user..." );
if( !addPKIUser( *cryptCertStore, pkiUserData,
!strcmp( protocolName, "SCEP" ) ? TRUE : FALSE ) )
return( FALSE );
if( pkiUserCAData != NULL && \
!addPKIUser( *cryptCertStore, pkiUserCAData,
!strcmp( protocolName, "SCEP" ) ? TRUE : FALSE ) )
return( FALSE );
/* Get the CA's private key */
status = getPrivateKey( cryptPrivateKey, keyFileName,
keyLabel, TEST_PRIVKEY_PASSWORD );
if( cryptStatusError( status ) )
{
printf( "SVR: CA private key read failed with error code %d, "
"line %d.\n", status, __LINE__ );
return( FALSE );
}
return( TRUE );
}
/****************************************************************************
* *
* SCEP Routines Test *
* *
****************************************************************************/
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -