📄 s_cmp.c
字号:
/****************************************************************************
* *
* cryptlib CMP Session Test Routines *
* Copyright Peter Gutmann 1998-2005 *
* *
****************************************************************************/
#include "cryptlib.h"
#include "test/test.h"
#if defined( __MVS__ ) || defined( __VMCMS__ )
/* Suspend conversion of literals to ASCII. */
#pragma convlit( suspend )
#endif /* IBM big iron */
#if defined( __ILEC400__ )
#pragma convert( 0 )
#endif /* IBM medium iron */
/* If we're running the test with a crypto device, we have to set an extended
timeout because of the long time it takes many devices to generate keys */
#define NET_TIMEOUT 180
#if defined( TEST_SESSION ) || defined( TEST_SESSION_LOOPBACK )
/****************************************************************************
* *
* CMP Test Data *
* *
****************************************************************************/
/* There are various CMP test CAs available, the following mappings can be
used to test different ones. Implementation peculiarities:
#1 - cryptlib: Implicitly revokes cert being replaced during a kur (this
is a requirement for maintaining cert store consistency).
Tested: ir, cr/kur, rr
#2 - cryptlib with PKIBoot/PnP PKI functionality, otherwise as for #1.
#3 - Certicom: Requires signature for revocation rather than MAC,
requires that all certs created after the ir one have the same
DN as the ir cert.
Tested: ir, cr/kur, rr
#4 - ssh old: None (recently re-issued their CA cert which is broken, CA
couldn't be re-tested. In addition since CMP identifies the
sender by DN the new cert can't be distinguished from the old
one, causing all sig checks to fail).
Tested (late 2000): ir, cr/kur, rr
#5 - ssh new:
#6 - Entrust: Won't allow altNames, changes sender and request DN,
returns rejected response under an altered DN belonging to a
completely different EE for anything but ir.
Tested: ir
#7 - Trustcenter: Requires HTTPS and pre-existing trusted private key
distributed as PKCS #12 file, couldn't be tested.
#8 - Baltimore: Server unavailable for testing.
Tested: -
#9 - Initech: Needs DN cn=CryptLIB EE 1,o=INITECH,c=KR.
Tested: ir, cr/kur, rr
#10 - RSA labs: Rejects signed requests, couldn't be tested beyond initial
(MACd) ir. Attempt to revoke newly-issued cert with MACd rr
returns error indicating that the cert is already revoked.
Tested: ir
#11 - Cylink: Invalid CA root cert, requires use of DN from RA rather
than CA when communicating with server.
Tested: -
#12 - Insta-Certifier: Returns garbled bits of the "tcp" protocol
header */
#define CA_CRYPTLIB 1
#define CA_CRYPTLIB_PNPPKI 2
#define CA_NO CA_CRYPTLIB
typedef struct {
const char FAR_BSS *name;
const C_CHR FAR_BSS *url, FAR_BSS *user, FAR_BSS *password;
} CA_INFO;
static const CA_INFO FAR_BSS caInfo[] = {
{ NULL }, /* Dummy so index == CA_NO */
{ /*1*/ "cryptlib", TEXT( "http://localhost" ), TEXT( "interop" ), TEXT( "interop" ) },
{ /*2*/ "cryptlib/PKIBoot", /*"_pkiboot._tcp.cryptoapps.com"*/TEXT( "http://localhost" ), TEXT( "interop" ), TEXT( "interop" ) },
{ /*3*/ "Certicom", TEXT( "cmp://gandalf.trustpoint.com:8081" ), TEXT( "interop" ), TEXT( "interop" ) },
{ /*4*/ "ssh", TEXT( "cmp://interop-ca.ssh.com:8290" ), TEXT( "123456" ), TEXT( "interop" ) },
{ /*5*/ "ssh", TEXT( "http://pki.ssh.com:8080/pkix/" ), TEXT( "62154" ), TEXT( "ssh" ) },
{ /*6*/ "Entrust", TEXT( "cmp://204.101.128.45:829" ), TEXT( "39141091" ), TEXT( "ABCDEFGHIJK" ) },
{ /*7*/ "Trustcenter", TEXT( "cmp://demo.trustcenter.de/cgi-bin/cmp:829" ), TEXT( "interop" ), TEXT( "interop" ) },
{ /*8*/ "Baltimore", TEXT( "cmp://hip.baltimore.ie:8290" ), TEXT( "pgutmann" ), TEXT( "the-magical-land-near-oz" ) },
{ /*9*/ "Initech", TEXT( "cmp://61.74.133.49:8290" ), TEXT( "interop" ), TEXT( "interop" ) },
{ /*A*/ "RSA", TEXT( "cmp://ca1.kcspilot.com:32829" ), TEXT( "interop" ), TEXT( "interop" ) },
{ /*B*/ "Cylink", TEXT( "cmp://216.252.217.227:8082" ), TEXT( "3986" ), TEXT( "11002" ) /* "3987", "6711" */ },
{ /*C*/ "Insta-Certifier", TEXT( "http://pki.certificate.fi:8700/pkix/" ), TEXT( "3078" ), TEXT( "insta" ) }
};
/* Enable additional tests if we're using cryptlib as the server */
#if ( CA_NO == CA_CRYPTLIB ) || ( CA_NO == CA_CRYPTLIB_PNPPKI )
#define SERVER_IS_CRYPTLIB
#if ( CA_NO == CA_CRYPTLIB_PNPPKI )
#define SERVER_PKIBOOT
#endif /* cryptlib PKIBoot server */
#endif /* Extra tests for cryptib CA */
/* Define the following to work around CA bugs/quirks */
#if ( CA_NO == 3 ) /* Certicom */
#define SERVER_IR_DN
#endif /* CA that requires same DN in cr as ir */
#if ( CA_NO == 6 ) /* Entrust */
#define SERVER_NO_ALTNAMES
#endif /* CAs that won't allow altNames in requests */
#if ( CA_NO == 9 ) /* Initech */
#define SERVER_FIXED_DN
#endif /* CAs that require a fixed DN in requests */
/* The following defines can be used to selectively enable or disable some
of the test (for example to do an ir + rr, or ir + kur + rr) */
#ifdef SERVER_IS_CRYPTLIB
#define TEST_IR
/*#define TEST_DUP_IR */
#define TEST_KUR
#define TEST_CR
#define TEST_RR
/* 3 cert reqs, 1 rev.req (kur = impl.rev) plus duplicate ir to check for
rejection of second request for same user. The duplicate-ir check is
currently disabled because it's enforced via database transaction
constraints, which means that once the initial ir has been recorded all
further issue operations with the same ID are excluded by the presence
of the ID for the ir. This is a strong guarantee that subsequent
requests with the same ID will be disallowed, but not terribly useful
for self-test purposes */
#define NO_CA_REQUESTS ( 4 + 0 )
#else
#define TEST_IR
#define TEST_KUR
#define TEST_CR
#define TEST_RR
/* Loopback test requires SERVER_IS_CRYPTLIB */
#define NO_CA_REQUESTS 0
#endif /* SERVER_IS_CRYPTLIB */
/* Define the following to enable testing of servers where the initial DN
(and optional additional information like the altName) is supplied by the
server (i.e. the user supplies a null DN) */
#ifdef SERVER_IS_CRYPTLIB
#define SERVER_PROVIDES_DN
#endif /* CAs where the server provides the DN */
/* Cert request data for the various types of certs that a CMP CA can return */
static const CERT_DATA FAR_BSS cmpRsaSignRequestData[] = {
/* Identification information */
#ifdef SERVER_FIXED_DN
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "KR" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "INITECH" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "CryptLIB EE 1" ) },
#else
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Dave's Signature Key" ) },
#endif /* CAs that require a fixed DN in requests */
/* Subject altName */
#ifndef SERVER_NO_ALTNAMES
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@wetas-r-us.com" ) },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, TEXT( "http://www.wetas-r-us.com" ) },
#endif /* CAs that won't allow altNames in requests */
/* Signature-only key */
{ CRYPT_CERTINFO_KEYUSAGE, IS_NUMERIC, CRYPT_KEYUSAGE_DIGITALSIGNATURE },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
static const CERT_DATA FAR_BSS cmpRsaSignRequestNoDNData[] = {
/* Identification information - none, it's provided by the server */
/* Subject altName - none, it's provided by the server */
/* Signature-only key */
{ CRYPT_CERTINFO_KEYUSAGE, IS_NUMERIC, CRYPT_KEYUSAGE_DIGITALSIGNATURE },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
static const CERT_DATA FAR_BSS cmpRsaEncryptRequestData[] = {
/* Identification information */
#ifdef SERVER_FIXED_DN
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "KR" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "INITECH" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "CryptLIB EE 1" ) },
#else
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Dave's Encryption Key" ) },
#endif /* CAs that require a fixed DN in requests */
/* Subject altName */
#ifndef SERVER_NO_ALTNAMES
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@wetas-r-us.com" ) },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, TEXT( "http://www.wetas-r-us.com" ) },
#endif /* CAs that won't allow altNames in requests */
/* Encryption-only key */
{ CRYPT_CERTINFO_KEYUSAGE, IS_NUMERIC, CRYPT_KEYUSAGE_KEYENCIPHERMENT },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
static const CERT_DATA FAR_BSS cmpRsaCaRequestData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Dave's Intermediate CA Key" ) },
/* Subject altName */
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave-ca@wetas-r-us.com" ) },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, TEXT( "http://www.wetas-r-us.com" ) },
/* CA key */
{ CRYPT_CERTINFO_CA, IS_NUMERIC, TRUE },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
static const CERT_DATA FAR_BSS cmpDsaRequestData[] = {
/* Identification information */
#ifdef SERVER_FIXED_DN
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "KR" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "INITECH" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "CryptLIB EE 1" ) },
#else
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
#ifdef SERVER_IR_DN
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Dave's Signature Key" ) },
#else
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Dave's DSA Key" ) },
#endif /* CA that requires same DN in cr as ir */
#endif /* CAs that require a fixed DN in requests */
/* Subject altName */
#ifndef SERVER_NO_ALTNAMES
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@wetas-r-us.com" ) },
{ CRYPT_CERTINFO_UNIFORMRESOURCEIDENTIFIER, IS_STRING, 0, TEXT( "http://www.wetas-r-us.com" ) },
#endif /* CAs that won't allow altNames in requests */
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
/* PKI user data to authorise the issuing of the various certs */
static const CERT_DATA FAR_BSS cmpPkiUserData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Test PKI user" ) },
/* Subject altName */
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@wetas-r-us.com" ) },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
static const CERT_DATA FAR_BSS cmpPkiUserCaData[] = {
/* Identification information */
{ CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "NZ" ) },
{ CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
{ CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "Procurement" ) },
{ CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Test CA PKI user" ) },
/* Subject altName */
{ CRYPT_CERTINFO_RFC822NAME, IS_STRING, 0, TEXT( "dave@ca.wetas-r-us.com" ) },
/* CA extensions */
{ CRYPT_CERTINFO_KEYUSAGE, IS_NUMERIC,
CRYPT_KEYUSAGE_KEYCERTSIGN | CRYPT_KEYUSAGE_CRLSIGN },
{ CRYPT_CERTINFO_CA, IS_NUMERIC, TRUE },
{ CRYPT_ATTRIBUTE_NONE, IS_VOID }
};
/****************************************************************************
* *
* CMP Routines Test *
* *
****************************************************************************/
/* Create various CMP objects */
static int createCmpRequest( const CERT_DATA *requestData,
const CRYPT_CONTEXT privateKey,
const CRYPT_ALGO_TYPE cryptAlgo,
const BOOLEAN useFixedKey,
const CRYPT_KEYSET cryptKeyset )
{
CRYPT_CERTIFICATE cryptRequest;
int status;
/* Create the CMP (CRMF) request */
if( privateKey != CRYPT_UNUSED )
{
time_t startTime;
int dummy;
/* If we're updating an existing cert we have to vary something in
the request to make sure that the result doesn't duplicate an
existing cert, to do this we fiddle the start time */
status = cryptGetAttributeString( privateKey, CRYPT_CERTINFO_VALIDFROM,
&startTime, &dummy );
if( cryptStatusError( status ) )
return( FALSE );
startTime++;
/* It's an update of existing information, sign the request with the
given private key */
status = cryptCreateCert( &cryptRequest, CRYPT_UNUSED,
CRYPT_CERTTYPE_REQUEST_CERT );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptRequest,
CRYPT_CERTINFO_CERTIFICATE, privateKey );
if( cryptStatusOK( status ) )
status = cryptSetAttributeString( cryptRequest,
CRYPT_CERTINFO_VALIDFROM, &startTime, sizeof( time_t ) );
if( cryptStatusOK( status ) )
status = cryptSignCert( cryptRequest, privateKey );
if( cryptKeyset != CRYPT_UNUSED )
{
if( cryptStatusError( \
cryptAddPrivateKey( cryptKeyset, privateKey,
TEST_PRIVKEY_PASSWORD ) ) )
return( FALSE );
}
}
else
{
CRYPT_CONTEXT cryptContext;
/* It's a new request, generate a private key and create a self-
signed request */
if( useFixedKey )
{
/* Use a fixed private key, for testing purposes */
if( cryptAlgo == CRYPT_ALGO_RSA )
loadRSAContextsEx( CRYPT_UNUSED, NULL, &cryptContext, NULL,
USER_PRIVKEY_LABEL, FALSE, FALSE );
else
loadDSAContextsEx( CRYPT_UNUSED, &cryptContext, NULL,
USER_PRIVKEY_LABEL, NULL );
status = CRYPT_OK;
}
else
{
status = cryptCreateContext( &cryptContext, CRYPT_UNUSED,
cryptAlgo );
if( cryptStatusError( status ) )
return( FALSE );
cryptSetAttributeString( cryptContext, CRYPT_CTXINFO_LABEL,
USER_PRIVKEY_LABEL,
paramStrlen( USER_PRIVKEY_LABEL ) );
status = cryptGenerateKey( cryptContext );
}
if( cryptStatusOK( status ) )
status = cryptCreateCert( &cryptRequest, CRYPT_UNUSED,
CRYPT_CERTTYPE_REQUEST_CERT );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptRequest,
CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO, cryptContext );
if( cryptStatusOK( status ) && \
!addCertFields( cryptRequest, requestData, __LINE__ ) )
status = CRYPT_ERROR_FAILED;
if( cryptStatusOK( status ) )
status = cryptSignCert( cryptRequest, cryptContext );
if( cryptKeyset != CRYPT_UNUSED )
{
if( cryptStatusError( \
cryptAddPrivateKey( cryptKeyset, cryptContext,
TEST_PRIVKEY_PASSWORD ) ) )
return( FALSE );
}
cryptDestroyContext( cryptContext );
}
if( cryptStatusError( status ) )
{
printf( "Creation of CMP request failed with error code %d, line "
"%d.\n", status, __LINE__ );
return( FALSE );
}
return( cryptRequest );
}
static int createCmpRevRequest( const CRYPT_CERTIFICATE cryptCert )
{
CRYPT_CERTIFICATE cryptRequest;
int status;
/* Create the CMP (CRMF) revocation request */
status = cryptCreateCert( &cryptRequest, CRYPT_UNUSED,
CRYPT_CERTTYPE_REQUEST_REVOCATION );
if( cryptStatusOK( status ) )
status = cryptSetAttribute( cryptRequest, CRYPT_CERTINFO_CERTIFICATE,
cryptCert );
if( cryptStatusError( status ) )
{
printf( "Creation of CMP revocation request failed with error code "
"%d, line %d.\n", status, __LINE__ );
return( FALSE );
}
return( cryptRequest );
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -