本软件包将每个openssl的apps程序做成一个可直接运行调试的VC Console 类型应用程序
//
CA.cpp : Defines the entry point for the DLL application.
//
#define sprintf_s sprintf
#include "stdafx.h"
#include <LOCALE.H>
#include "ca.h"
#include <OPENSSL pem.h>
#include <OPENSSL x509.h>
#include <OPENSSL x509v3.h>
#include <OPENSSL pkcs12.h>
#include <OPENSSL rand.h>
#include<STDLIB.H>
#include<STDIO.H>
#include <OPENSSL engine.h>
#define EXT_COPY_NONE 0
#define EXT_COPY_ADD 1
#define EXT_COPY_ALL 2
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
return TRUE;
}
/* 此函数可以将DER、PEM、P12文件公钥读出来 */
X509 *load_cert(BIO *cert /* 输入BIO */, int format /* 格式 */, char * pwd, /* P12密码 */
char * outMsg) // 从DER、PEM、P12格式中读取公钥证书
{
X509 * x=NULL;
if (format == DER)
x=d2i_X509_bio(cert,NULL);
else if (format == PEM)
x=PEM_read_bio_X509(cert,NULL,NULL,NULL); // PEM_read_bio_X509_AUX
else if (format == P12)
{
PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
PKCS12_parse(p12, pwd, NULL, &x, NULL);
PKCS12_free(p12);
p12 = NULL;
}
else
{
sprintf_s(outMsg,"bad input format specified for input cert\n");
goto end;
}
end:
if (x == NULL)
{
sprintf(outMsg,"unable to load certificate\n");
}
return(x);
}
X509 * LoadCert( char * cert, int certlen, char * outMsg) // 枚举DER/PEM格式
{
BIO * in=NULL;
X509 * x509=NULL;
if(certlen==0) // 输入为磁盘文件
{
if(( in=BIO_new_file(cert, "r")) == NULL)
{
sprintf(outMsg,"open CA certificate file error");
return NULL;
}
}
else // 输入为内存中文件
{
if(( in=BIO_new_mem_buf(cert,certlen))== NULL) // 只读类型
{
sprintf(outMsg,"Make Mem Bio Error");
return NULL;
}
}
if((x509=load_cert( in,DER,NULL,outMsg))==NULL) // 尝试DER
{
BIO_reset( in); // 恢复bio
x509=load_cert( in,PEM,NULL,outMsg); // 尝试PEM
}
if ( in != NULL) BIO_free( in);
return x509;
}
EVP_PKEY *load_key(BIO *bio, int format, char *pass, char * outMsg) // 枚举DER/PEM格式
{
EVP_PKEY *pkey=NULL;
if (format == DER)
{
pkey=d2i_PrivateKey_bio(bio, NULL);
}
else if (format == PEM)
{
pkey=PEM_read_bio_PrivateKey(bio,NULL,NULL,pass);
}
else if (format == P12)
{
PKCS12 *p12 = d2i_PKCS12_bio(bio, NULL);
PKCS12_parse(p12, pass, &pkey, NULL, NULL);
PKCS12_free(p12);
p12 = NULL;
}
else
{
sprintf(outMsg,"bad input format specified for key\n");
goto end;
}
end:
if (pkey == NULL)
sprintf(outMsg,"unable to load Private Key\n");
return(pkey);
}
EVP_PKEY * LoadKey( char * key, int keylen, char * pass, char * outMsg)
{
EVP_PKEY *pkey=NULL;
BIO * in=NULL;
if(keylen==0) // 输入为磁盘文件
{
if(( in=BIO_new_file(key, "r")) == NULL)
{
sprintf(outMsg,"open CA certificate file error");
return NULL;
}
}
else // 输入为内存中文件
{
if(( in=BIO_new_mem_buf(key,keylen))== NULL) // 只读类型
{
sprintf(outMsg,"Make Mem Bio Error");
return NULL;
}
}
if((pkey=load_key( in,DER,pass,outMsg))==NULL) // 尝试DER
{
BIO_reset( in); // BIO是可读写的,那么该BIO所有数据都会被清空;
// 如果该BIO是只读的,那么该操作只会简单将指
// 针指向原始位置,里面的数据可以再读.
pkey=load_key( in,PEM,pass,outMsg); // 尝试PEM
}
if ( in != NULL) BIO_free( in);
return pkey;
}
int Rand( const char *file, int dont_warn, char * outMsg) // 产生随机数,return 0 ---成功
{
int consider_randfile = (file == NULL);
char buffer[200];
RAND_screen();
if (file == NULL)
file = RAND_file_name(buffer, sizeof buffer);
else if (RAND_egd(file) > 0)
{
/* we try if the given filename is an EGD socket.
if it is, we don't write anything back to the file. */
return 1;
}
if (file == NULL || !RAND_load_file(file, -1))
{
if (RAND_status() == 0 && !dont_warn)
{
sprintf(outMsg,"unable to load 'random state'\n");
sprintf(outMsg,"This means that the random number generator has not been seeded\n");
if (consider_randfile) /* explanation does not apply when a file is explicitly named */
{
sprintf(outMsg,"Consider setting the RANDFILE environment variable to point at a file that\n");
sprintf(outMsg,"'random' data can be kept in (the file will be overwritten).\n");
}
}
return 0;
}
return 1;
}
//////////////////////// / end /////////////////////////////////////// /
///////////////////////////////////////////////////////////////////// /
//////////////////////// / begin //////////////////////////////////// //
/* Add extension using V3 code: we can set the config file as NULL
* because we wont reference any other sections.
*/
int Add_ExtCert(X509 *cert /* 正被添加的证书 */,X509 * root /* 根证书(从中得到信息) */, int nid, char *value)
{
X509_EXTENSION *ex;
X509V3_CTX ctx;
/* This sets the 'context' of the extensions. */
/* No configuration database */
// X509V3_set_ctx_nodb(&ctx);
/* Issuer and subject certs: both the target since it is self signed,
* no request and no CRL
*/
X509V3_set_ctx(&ctx,root, cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex)
return 0;
X509_add_ext(cert,ex,-1);
X509_EXTENSION_free(ex);
return 1;
}
bool Add_Name(X509_NAME * x509name, int type /* c\cn */, char * iput /* 中国 */,
int ilen /* 输入长度 */, char * outMsg) // 支持中文名称
{
wchar_t * ws,wc;
ASN1_STRING stmp, *str = &stmp;
UCHAR cbuf[256]={0};
int wslen, wcnt,i;
char input[256]={0};
strncpy(input, iput, ilen);
wslen = strlen(input) + 1;
if(wslen==1)
return true;
ws = new unsigned short[ sizeof(wchar_t) * wslen];
if ((wcnt = mbstowcs(ws, input, wslen)) == -1)
{
sprintf(outMsg,"mbstowcs convert error");
delete ws;
return false;
}
for(i=0;i<( int)wcslen(ws);i++)
{
wc=ws[i];
cbuf[2*i]=wc/256;
cbuf[2*i+1]=wc%256;
}
ASN1_mbstring_copy(&str, cbuf, 2*wslen, MBSTRING_BMP, B_ASN1_UTF8STRING);
X509_NAME_add_entry_by_NID(x509name,type,V_ASN1_UTF8STRING,stmp.data,stmp.length, -1, 0);
delete ws;
return true;
}
bool mkRoot(stuSUBJECT * rootInfo,X509 **x509p /* out公钥 */, EVP_PKEY **pkeyp /* out私钥 */,
int bits /* 位数 */, int serial /* 序列号 */, int days /* 有效期 */, char * out /* 操作结果 */)
{
X509 *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
int i=0,len=0;
if ((pkeyp == NULL) || (*pkeyp == NULL))
{
if ((pk=EVP_PKEY_new()) == NULL)
{
abort();
return false;
}
}
else
pk= *pkeyp;
if ((x509p == NULL) || (*x509p == NULL))
{
if ((x=X509_new()) == NULL)
goto err;
}
else
x= *x509p;
Rand(NULL,1, out); // 产生随机数种子
rsa=RSA_generate_key(bits,RSA_F4,0 /* 回调函数callback */,NULL); // 产生密钥对, // RSA存储了公钥私钥
if (!EVP_PKEY_assign_RSA(pk,rsa)) // 完成RSA密钥的pkey结构初始工作,当pk不为NULL的时候,返回1,否则返回0
{
abort();
goto err;
}
rsa=NULL;
X509_set_version(x,2); // 版本号,显示+1
ASN1_INTEGER_set(X509_get_serialNumber(x),serial); // 序列号
X509_gmtime_adj(X509_get_notBefore(x),0); // 起始时间
X509_gmtime_adj(X509_get_notAfter(x),( long)60*60*24*days); // 结束时间
X509_set_pubkey(x,pk); // 公钥
name=X509_get_subject_name(x);
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors
*/
// C-国家,ST-省,L-城市,O-组织,OU-部门,CN-个体,T-title,D-description,G-givenName,I-initials,
// Email-emailAddress,S-surname,SN-serialNumber,dnQualifier-dnQualifier,unstructuredName,challengePassword,unstructuredAddress,
setlocale(LC_CTYPE, "");
Add_Name(name,NID_countryName,( char *)rootInfo->C, sizeof(rootInfo->C), out);
Add_Name(name,NID_stateOrProvinceName,( char *)rootInfo->ST, sizeof(rootInfo->ST), out);
Add_Name(name,NID_localityName,( char *)rootInfo->L, sizeof(rootInfo->L), out);
Add_Name(name,NID_organizationName,( char *)rootInfo->O, sizeof(rootInfo->O), out);
Add_Name(name,NID_organizationalUnitName,( char *)rootInfo->OU, sizeof(rootInfo->OU), out);
Add_Name(name,NID_commonName,( char *)rootInfo->CN, sizeof(rootInfo->CN), out);
Add_Name(name,NID_pkcs9_emailAddress,( char *)rootInfo->MAIL, sizeof(rootInfo->MAIL), out);
Add_Name(name,NID_email_protect,( char *)rootInfo->PMAIL, sizeof(rootInfo->PMAIL), out);
Add_Name(name,NID_title,( char *)rootInfo->T, sizeof(rootInfo->T), out);
Add_Name(name,NID_description,( char *)rootInfo->D, sizeof(rootInfo->D), out);
Add_Name(name,NID_givenName,( char *)rootInfo->G, sizeof(rootInfo->G), out);
Add_Name(name,NID_initials,( char *)rootInfo->I, sizeof(rootInfo->I), out);
Add_Name(name,NID_name,( char *)rootInfo->NAME, sizeof(rootInfo->NAME), out);
Add_Name(name,NID_surname,( char *)rootInfo->S, sizeof(rootInfo->S), out);
Add_Name(name,NID_dnQualifier,( char *)rootInfo->QUAL, sizeof(rootInfo->QUAL), out);
Add_Name(name,NID_pkcs9_unstructuredName,( char *)rootInfo->STN, sizeof(rootInfo->STN), out);
Add_Name(name,NID_pkcs9_challengePassword,( char *)rootInfo->PW, sizeof(rootInfo->PW), out);
Add_Name(name,NID_pkcs9_unstructuredAddress,( char *)rootInfo->ADD, sizeof(rootInfo->ADD), out);
/* Its self signed so set the issuer name to be the same as the
* subject.
*/
X509_set_issuer_name(x,name); // 设置发行者名称等同于上面的
// 加入扩展信息
/* Add various extensions: standard extensions */
Add_ExtCert(x,x,NID_basic_constraints, "critical,CA:TRUE");
// 主题密钥标示符---当发行者有多个签名密钥时
Add_ExtCert(x,x,NID_subject_key_identifier, "hash");
// 颁发机构密钥标示符
Add_ExtCert(x,x,NID_authority_key_identifier, "keyid:always");
// 密钥用法
Add_ExtCert(x,x,NID_key_usage, "nonRepudiation,digitalSignature,keyEncipherment");
Add_ExtCert(x,x,NID_domainComponent, "no");
Add_ExtCert(x,x,NID_Domain, "no");
/* Some Netscape specific extensions */
// Add_ExtCert(x, NID_netscape_cert_type, "sslCA");
// Add_ExtCert(x, NID_netscape_comment, "example comment extension"); // netscape_comment
/* Maybe even add our own extension based on existing */
// 加入自定义信息begin
// int nid;
// nid = OBJ_create("1.2.3.4.9", "Hpxs", "I love you!");
// X509V3_EXT_add_alias(nid, NID_netscape_comment);
// Add_ExtCert(x, nid, "I love you");
// 加入自定义信息end
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
if (!X509_sign(x,pk,EVP_sha1())) // 签名算法EVP_sha1,EVP_md5,用私钥签名公钥
{
strcpy( out,"证书签名失败");
goto err;
}
*x509p=x;
*pkeyp=pk;
return true;
err:
return false;
}
BOOL MakeRoot(stuSUBJECT * rootInfo, /* 信息 */ int bits /* 位数 */, int serial /* 序列号 */,
int days /* 有效期 */, char * certFile /* 证书文件 */, char * priFile /* 私钥文件 */,
char * outMsg /* 操作结果 */, int type /* 类型pem-der */)
{
X509 *x509=NULL;
EVP_PKEY *pkey=NULL;
BIO * bcert=NULL,* bkey=NULL;
bool ret= true;
int i=0,j=0;
if(((bcert=BIO_new_file(certFile, "w"))== NULL)||((bkey=BIO_new_file(priFile, "w")) == NULL))
{
strcpy(outMsg,"Create File Error");
return false;
}
if(mkRoot(rootInfo,&x509,&pkey,bits,serial,days,outMsg))
{
if (type==DER)
{
i=i2d_X509_bio(bcert,x509); // returns 1 for success
j=i2d_PrivateKey_bio(bkey,pkey);
}
else if(type==PEM)
{
i=PEM_write_bio_X509(bcert,x509);
j=PEM_write_bio_PrivateKey(bkey,pkey,NULL,NULL,0,NULL, NULL);
}
if(!i||!j)
{
ret= false;
strcpy(outMsg,"Save Cert or Key File Error");
}
}
else
ret= false;
BIO_free(bcert);
BIO_free(bkey);
X509_free(x509);
EVP_PKEY_free(pkey);
return ret;
}
//////////////////////// / end /////////////////////////////////////// /
///////////////////////////////////////////////////////////////////// /
//////////////////////// / begin //////////////////////////////////// //
/* Add extension using V3 code: we can set the config file as NULL
* because we wont reference any other sections.
*/
int Add_ExtReq(STACK_OF(X509_REQUEST) *sk, int nid, char *value)
{
X509_EXTENSION *ex;
ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
if (!ex)
return 0;
sk_X509_EXTENSION_push(sk, ex);
return 1;
}
int mkReq(stuSUBJECT * reqInfo,X509_REQ **req, EVP_PKEY **pkeyp, int bits, char * out)
{
X509_REQ *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
ASN1_STRING stmp, *str = &stmp;
STACK_OF(X509_EXTENSION) *exts = NULL;
if ((pk=EVP_PKEY_new()) == NULL)
goto err;
if ((x=X509_REQ_new()) == NULL)
goto err;
Rand(NULL,1, out); // 产生随机数种子
rsa=RSA_generate_key(bits,RSA_F4,0 /* 回调函数callback */,NULL); // 产生密钥对
// PEM_write_bio_RSAPrivateKey
if (!EVP_PKEY_assign_RSA(pk,rsa))
goto err;
rsa=NULL;
X509_REQ_set_pubkey(x,pk);
name=X509_REQ_get_subject_name(x);
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors
*/
setlocale(LC_CTYPE, "");
Add_Name(name,NID_countryName,( char *)reqInfo->C, sizeof(reqInfo->C), out);
Add_Name(name,NID_stateOrProvinceName,( char *)reqInfo->ST, sizeof(reqInfo->ST), out);
Add_Name(name,NID_localityName,( char *)reqInfo->L, sizeof(reqInfo->L), out);
Add_Name(name,NID_organizationName,( char *)reqInfo->O, sizeof(reqInfo->O), out);
Add_Name(name,NID_organizationalUnitName,( char *)reqInfo->OU, sizeof(reqInfo->OU), out);
Add_Name(name,NID_commonName,( char *)reqInfo->CN, sizeof(reqInfo->CN), out);
Add_Name(name,NID_pkcs9_emailAddress,( char *)reqInfo->MAIL, sizeof(reqInfo->MAIL), out);
Add_Name(name,NID_email_protect,( char *)reqInfo->PMAIL, sizeof(reqInfo->PMAIL), out);
Add_Name(name,NID_title,( char *)reqInfo->T, sizeof(reqInfo->T), out);
Add_Name(name,NID_description,( char *)reqInfo->D, sizeof(reqInfo->D), out);
Add_Name(name,NID_givenName,( char *)reqInfo->G, sizeof(reqInfo->G), out);
Add_Name(name,NID_initials,( char *)reqInfo->I, sizeof(reqInfo->I), out);
Add_Name(name,NID_name,( char *)reqInfo->NAME, sizeof(reqInfo->NAME), out);
Add_Name(name,NID_surname,( char *)reqInfo->S, sizeof(reqInfo->S), out);
Add_Name(name,NID_dnQualifier,( char *)reqInfo->QUAL, sizeof(reqInfo->QUAL), out);
Add_Name(name,NID_pkcs9_unstructuredName,( char *)reqInfo->STN, sizeof(reqInfo->STN), out);
Add_Name(name,NID_pkcs9_challengePassword,( char *)reqInfo->PW, sizeof(reqInfo->PW), out);
Add_Name(name,NID_pkcs9_unstructuredAddress,( char *)reqInfo->ADD, sizeof(reqInfo->ADD), out);
/* Certificate requests can contain extensions, which can be used
* to indicate the extensions the requestor would like added to
* their certificate. CAs might ignore them however or even choke
* if they are present.
*/
/* For request extensions they are all packed in a single attribute.
* We save them in a STACK and add them all at once later
*/
exts = sk_X509_EXTENSION_new_null();
/* Standard extenions */
// 主题备用名称,URL: http://my.url.here/ 、支持email copy
Add_ExtReq(exts, NID_subject_alt_name, "DNS:localhost,email:[email protected],RID:1.2.3.4,URI:192.168.2.22,IP:C0A80216");
// 加入自定义扩展
int nid;
nid = OBJ_create("1.3.6.1.4.1.5315.100.2.5", "UserID", "User ID Number");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
Add_ExtReq(exts, nid, "ID130203197703060618");
/* Now we've created the extensions we add them to the request */
X509_REQ_add_extensions(x, exts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
if (!X509_REQ_sign(x,pk,EVP_sha1())) // 用自己的公钥签名私钥
goto err;
*req=x;
*pkeyp=pk;
return(1);
err:
return(0);
}
BOOL MakeReq(stuSUBJECT * reqInfo, /* 请求信息 */ int bits /* 位数 */, char * reqFile /* 证书请求文件 */,
char * priFile /* 私钥文件 */, char * outMsg /* 操作结果 */, int type)
{
X509_REQ *req=NULL;
EVP_PKEY *pkey=NULL;
BIO * breq=NULL,* bkey=NULL;
int i=0,j=0;
if(((breq=BIO_new_file(reqFile, "w"))== NULL)||((bkey=BIO_new_file(priFile, "w")) == NULL))
{
strcpy(outMsg,"Create File Error");
return false;
}
if(!mkReq(reqInfo,&req,&pkey,bits,outMsg))
{
strcpy(outMsg,"Make CertReq Error");
return false;
}
if(type==PEM)
{
i=PEM_write_bio_X509_REQ(breq,req);
j=PEM_write_bio_PrivateKey(bkey,pkey,NULL,NULL,0,NULL, NULL);
}
else if(type==DER)
{
i=i2d_X509_REQ_bio(breq,req);
j=i2d_PrivateKey_bio(bkey,pkey);
}
BIO_free(breq);
BIO_free(bkey);
X509_REQ_free(req);
EVP_PKEY_free(pkey);
if(!i||!j)
{
strcpy(outMsg,"Save Cert or Key File Error");
return false;
}
return true;
}
//////////////////////// // end //////////////////////////////////// //
////////////////////////////////////////////////////////////////// //
/////////////////////////// begin /////////////////////////////////////// /
int copy_extensions(X509 *x, X509_REQ *req, int copy_type) // 在证书中加入req自带扩展信息
{
STACK_OF(X509_EXTENSION) *exts = NULL;
X509_EXTENSION *ext, *tmpext;
ASN1_OBJECT *obj;
int i, idx, ret = 0;
if (!x || !req || (copy_type == EXT_COPY_NONE))
return 1;
exts = X509_REQ_get_extensions(req);
for(i = 0; i < sk_X509_EXTENSION_num(exts); i++)
{
ext = sk_X509_EXTENSION_value(exts, i);
obj = X509_EXTENSION_get_object(ext);
idx = X509_get_ext_by_OBJ(x, obj, -1);
/* Does extension exist? */
if (idx != -1)
{
/* If normal copy don't override existing extension */
if (copy_type == EXT_COPY_ADD)
continue;
/* Delete all extensions of same type */
do
{
tmpext = X509_get_ext(x, idx);
X509_delete_ext(x, idx);
X509_EXTENSION_free(tmpext);
idx = X509_get_ext_by_OBJ(x, obj, -1);
} while (idx != -1);
}
if (!X509_add_ext(x, ext, -1))
goto end;
}
ret = 1;
end:
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
return ret;
}
int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int serial,
char *startdate, char *enddate, int days,X509_REQ * req,stuKEYUSAGE * KUSAGE,
stuEKEYUSAGE * EKUSAGE, char * outMsg)
{
X509_NAME *name=NULL,*CAname=NULL;
X509 *ret=NULL;
X509_CINF *ci;
EVP_PKEY *pktmp;
int ok= -1,i=0;
// STACK_OF (X509_EXTENSION) * req_exts; // 如何释放??
char kusage[160]={0};
char ekusage[360]={0};
name=X509_REQ_get_subject_name(req);
if ((ret=X509_new()) == NULL)
{
ok=0;
goto err;
}
ci=ret->cert_info;
/* Make it an X509 v3 certificate. 版本1扩展 */
if (!X509_set_version(ret,2L)) // 版本
{
ok=0;
goto err;
}
ASN1_INTEGER_set(X509_get_serialNumber(ret),serial); // 序列号
if (!X509_set_issuer_name(ret,X509_get_subject_name(x509))) // 发行者
{
ok=0;
goto err;
}
if (strcmp(startdate,"today") == 0)
X509_gmtime_adj(X509_get_notBefore(ret),0); // 开始日期
else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
if (enddate == NULL)
X509_gmtime_adj(X509_get_notAfter(ret),( long)60*60*24*days); // 结束日期
else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
if (!X509_set_subject_name(ret,name)) // 主体 ---所有者
{
ok=0;
goto err;
}
pktmp=X509_REQ_get_pubkey(req);
i = X509_set_pubkey(ret,pktmp); // 公钥
EVP_PKEY_free(pktmp);
if (!i)
{
ok=0;
goto err;
}
// 加入req自带扩展信息,生成REQ文件时候加入的
if (!copy_extensions(ret, req, EXT_COPY_ALL))
{
strcpy("加入自带扩展信息失败",outMsg);
goto err;
}
/* Lets add the extensions, if there are any 加入标准扩展 */
// 基本限制Note if the CA option is false the pathlen option should be omitted.
Add_ExtCert(ret,ret,NID_basic_constraints, "critical,CA:FALSE,pathlen:1");
// 主题密钥标示符--------区分拥有者多对密钥
Add_ExtCert(ret,ret,NID_subject_key_identifier, "hash");
// Authority密钥标示符----区分发行者有多个签名密钥时
Add_ExtCert(ret,x509, NID_authority_key_identifier, "keyid,issuer:always");
// 密钥用法 ----数字签名、不可否认性、密钥加密、数据加密、密钥协商、证书签名、
// CRL签名、仅仅加密、仅仅解密
if(KUSAGE->DS)
strcpy(kusage,"digitalSignature");
if(KUSAGE->NR)
if(strlen(kusage)) // 添加
strcat(kusage, ",nonRepudiation");
else
strcpy(kusage,"nonRepudiation");
if(KUSAGE->KE)
if(strlen(kusage)) // 添加
strcat(kusage, ",keyEncipherment");
else
strcpy(kusage,"keyEncipherment");
if(KUSAGE->DE)
if(strlen(kusage)) // 添加
strcat(kusage, ",dataEncipherment");
else
strcpy(kusage,"dataEncipherment");
if(KUSAGE->KA)
if(strlen(kusage)) // 添加
strcat(kusage, ",keyAgreement");
else
strcpy(kusage,"keyAgreement");
if(KUSAGE->KC)
if(strlen(kusage)) // 添加
strcat(kusage, ",keyCertSign");
else
strcpy(kusage,"keyCertSign");
if(KUSAGE->CS)
if(strlen(kusage)) // 添加
strcat(kusage, ",cRLSign");
else
strcpy(kusage,"cRLSign");
if(KUSAGE->EO)
if(strlen(kusage)) // 添加
strcat(kusage, ",encipherOnly");
else
strcpy(kusage,"encipherOnly");
if(KUSAGE->DO)
if(strlen(kusage)) // 添加
strcat(kusage, ",decipherOnly");
else
strcpy(kusage,"decipherOnly");
if(strlen(kusage))
Add_ExtCert(ret,ret, NID_key_usage, kusage);
// 增强型密钥用法--一般只用于末端证书RFC3280
// 增强用法 证书目的
// --------------------------------------------------------------------------------------------------------------
// 服务器验证 保证远程计算机的身份
// 客户端验证 向远程计算机证明您的身份
// 代码签名 确保软件来自软件发行商
// 安全电子邮件 保护软件在发行后不被改动
// 时间戳 保护电子邮件消息
// --------------------------------------------------------------------------------------------------------------
// 保证软件来自一个软件发行商
// 保护软件在发行后不被改动。
// 保证软件来自商业软件发行商
// 允许您用数字签名证书信任列表
// 允许联机事务处理/通讯的严格加密
// 允许加密磁盘上的数据
// 智能卡登录
// IP安全终端系统 允许 Internet 上的安全通讯
// IP安全隧道终止
// IP 安全用户
// --------------------------------------------------------------------------------------------------------------
if(EKUSAGE->SA)
strcpy(ekusage,"serverAuth");
if(EKUSAGE->CA)
if(strlen(ekusage)) // 添加
strcat(ekusage,",clientAuth");
else
strcpy(ekusage,"clientAuth");
if(EKUSAGE->CS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",codeSigning");
else
strcpy(ekusage,"codeSigning");
if(EKUSAGE->EP)
if(strlen(ekusage)) // 添加
strcat(ekusage,",emailProtection");
else
strcpy(ekusage,"emailProtection");
if(EKUSAGE->TS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",timeStamping");
else
strcpy(ekusage,"timeStamping");
if(EKUSAGE->msCC)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msCodeCom");
else
strcpy(ekusage,"msCodeCom");
if(EKUSAGE->msCTLS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msCTLSign");
else
strcpy(ekusage,"msCTLSign");
if(EKUSAGE->msSGC)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msSGC");
else
strcpy(ekusage,"msSGC");
if(EKUSAGE->msEFS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msEFS");
else
strcpy(ekusage,"msEFS");
if(EKUSAGE->msSC)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msSmartcardLogin");
else
strcpy(ekusage,"msSmartcardLogin");
if(EKUSAGE->IP)
if(strlen(ekusage)) // 添加
strcat(ekusage,",ipsecEndSystem,ipsecTunnel,ipsecUser");
else
strcpy(ekusage,"ipsecEndSystem,ipsecTunnel,ipsecUser");
if(strlen(ekusage))
Add_ExtCert(ret,ret,NID_ext_key_usage,ekusage);
/*
Application keyUsage Values
SSL Client digitalSignature
SSL Server keyEncipherment
S/MIME Signing digitalSignature
S/MIME Encryption keyEncipherment
Certificate Signing keyCertSign
Object Signing digitalSignature */
// 颁发者备用名称,URL: http://my.url.here/ 、不支持email copy
Add_ExtCert(ret,ret, NID_issuer_alt_name, "DNS:hpxs,email:[email protected],RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22");
// 证书策略
Add_ExtCert(ret,ret,NID_certificate_policies,"OK");
// 颁发机构信息访问
Add_ExtCert(ret,ret,NID_info_access,"OCSP;URI:https://hpxs"); // 或者caIssuers;URI: http://my.ca/ca.html
// CRL分发点
Add_ExtCert(ret,x509, NID_crl_distribution_points, "URI:https://hpxs/hpxs.crl");
/* Some Netscape specific extensions */
// Add_ExtCert(ret,ret, NID_crl_number, "sslCA");
// Add_ExtCert(ret,x509, NID_netscape_comment, "See http://cert.umd.edu/root for details.");
/* In each case the 'value' of the extension is placed directly in the
extension. Currently supported extensions in this category are: nsBaseUrl,
nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
nsSslServerName and nsComment */
// Add_ExtCert(ret,x509, NID_netscape_cert_type, "client, server, email,objsign, reserved, sslCA,emailCA, objCA");
/* nsCertType (netscape certificate type) takes the flags: client, server, email,
objsign, reserved, sslCA, emailCA, objCA. */
/* Maybe even add our own extension based on existing */
// 加入自定义信息begin
int nid;
nid = OBJ_create("1.2.3.4.9", "Hpxs", "I love OpenSSL!");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
Add_ExtCert(ret,ret, nid, "I love OpenSSL");
// 加入自定义信息end
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
if (!X509_sign(ret,pkey,dgst)) // 加入签名,签名算法
{
ok=0;
goto err;
}
ok=1;
err:
if (CAname != NULL)
X509_NAME_free(CAname);
if (ok <= 0)
{
if (ret != NULL) X509_free(ret);
ret=NULL;
}
else
*xret=ret;
return(ok);
}
int certify(X509 **xret, X509_REQ *req, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
int serial, char *startdate, char *enddate, int days,stuKEYUSAGE * KUSAGE,
stuEKEYUSAGE * EKUSAGE, char * outMsg)
{ // 返回公钥证书,请求文件,根私钥,根公钥,
EVP_PKEY *pktmp=NULL;
int ok= -1,i=0;
if ((pktmp=X509_REQ_get_pubkey(req)) == NULL) // 得到公钥
{
sprintf(outMsg,"error unpacking public key\n");
ok=0;
goto err;
}
i=X509_REQ_verify(req,pktmp); // 证书请求里面有私要签名,这里验证一下,看此公钥主人是否持有私钥
EVP_PKEY_free(pktmp);
if (i < 0)
{
ok=0;
sprintf(outMsg,"Signature verification problems.\n");
goto err;
}
if (i == 0)
{
ok=0;
sprintf(outMsg,"Signature did not match the certificate request\n");
goto err;
}
ok=do_body(xret,pkey,x509,dgst,serial,startdate, enddate,
days,req,KUSAGE,EKUSAGE,outMsg);
err:
return(ok);
}
BOOL MakeCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */, char *reqfile /* 请求文件 */,stuKEYUSAGE * KUSAGE /* 密钥用法 */,
stuEKEYUSAGE * EKUSAGE /* 增强密钥用法 */, char *outfile /* 结果文件 */,
char * outMsg /* 操作结果 */, int type /* 结果类型DER,PEM */) // 通过证书请求,得到证书
{
int ret=1;
char * md=NULL;
EVP_PKEY *pkey=NULL;
X509 * x509=NULL;
X509_REQ *req=NULL;
X509 * x=NULL;
BIO * bcert=NULL,* reqbio=NULL;
int j;
const EVP_MD *dgst=NULL;
OpenSSL_add_all_digests(); // 加入签名算法
if((reqbio=BIO_new_file(reqfile, "r")) == NULL)
{
ret=0;
goto err;
}
if ((req=PEM_read_bio_X509_REQ(reqbio,NULL,NULL,NULL)) == NULL) // PEM_read_X509_REQ
{
BIO_reset(reqbio);
if ((req=d2i_X509_REQ_bio(reqbio,NULL)) == NULL)
{
sprintf(outMsg,"Error get certificate request");
ret=0;
goto err;
}
}
pkey=LoadKey(keyfile,keylen,NULL,outMsg);
if (pkey == NULL)
{
ret = 0;
goto err;
}
x509=LoadCert(certfile,certlen,outMsg);
if (x509 == NULL)
{
ret = 0;
goto err;
}
if (!X509_check_private_key(x509,pkey))
{
sprintf(outMsg,"CA certificate and CA private key do not match\n");
ret = 0;
goto err;
}
md="sha1"; ///////// /!!!!!!!!!!!!!!!!! /////////////////////////// /
if ((dgst=EVP_get_digestbyname(md)) == NULL) // return an EVP_MD structure when passed a digest name
{
sprintf(outMsg,"%s is an unsupported message digest type\n",md);
ret = 0;
goto err;
}
j=certify(&x,req,pkey,x509,dgst, // 公钥证书out,请求文件,根私钥,根公钥,
serial,"today",enddate,days,KUSAGE,EKUSAGE,outMsg);
if (j <= 0)
{
ret=0;
goto err;
}
if(((bcert=BIO_new_file(outfile, "w"))== NULL))
{
strcpy(outMsg,"Create File Error");
goto err;
}
if (type==DER)
{
i2d_X509_bio(bcert,x);
}
else if(type==PEM)
{
PEM_write_bio_X509(bcert,x);
}
err:
if (reqbio != NULL) BIO_free(reqbio);
BIO_free_all(bcert);
EVP_PKEY_free(pkey);
X509_free(x509);
X509_free(x);
if (req != NULL) X509_REQ_free(req);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
return ret;
}
//////////////////////// / end /////////////////////////////////////// /
BOOL DirectCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */,stuCERT * sCERT /* 用户信息与密钥用法 */, int bits, char * cert /* 输出证书公钥 */, int * certl /* 长度 */,
char * key /* 输出证书私钥 */, int * keyl /* 长度 */, char * outMsg /* ,int type结果类型DER,PEM */) // 直接生成公私钥
{
X509_REQ * req=NULL;
EVP_PKEY * pkey=NULL, * prkey=NULL; // 证书私钥, // 根私钥
X509 * x509=NULL,* x=NULL; // 根公钥,证书公钥
BIO * memcert=NULL, * memkey=NULL; // 输出证书公私钥
BUF_MEM *bptrcert=NULL,*bptrkey=NULL;
int ret=1;
char * md=NULL;
int i=0,j=0,ok=0;
const EVP_MD *dgst=NULL;
OpenSSL_add_all_digests(); // 加入签名算法
memcert= BIO_new(BIO_s_mem());
memkey= BIO_new(BIO_s_mem());
BIO_set_close(memcert, BIO_CLOSE); /* BIO_free() free BUF_MEM */
BIO_set_close(memkey, BIO_CLOSE); /* BIO_free() free BUF_MEM */
prkey=LoadKey(keyfile,keylen,NULL,outMsg); // RAND_bytes
if (prkey == NULL)
{
ret = 0;
goto err;
}
x509=LoadCert(certfile,certlen,outMsg);
if (x509 == NULL)
{
ret = 0;
goto err;
}
if (!X509_check_private_key(x509,prkey))
{
sprintf(outMsg,"CA certificate and CA private key do not match\n");
ret = 0;
goto err;
}
if(!mkReq(&(sCERT->SUBJECT),&req,&pkey, bits,outMsg))
{
sprintf(outMsg,"Make CertReq error");
ret = 0;
goto err;
}
md="sha1"; ///////// /!!!!!!!!!!!!!!!!! /////////////////////////// /
if ((dgst=EVP_get_digestbyname(md)) == NULL) // return an EVP_MD structure when passed a digest name
{
sprintf(outMsg,"%s is an unsupported message digest type\n",md);
ret = 0;
goto err;
}
ok=certify(&x,req,prkey,x509,dgst, // 公钥证书out,请求,根私钥,根公钥,
serial,"today",enddate,days,&(sCERT->KUSAGE),&(sCERT->EKUSAGE),outMsg);
if (ok <= 0)
{
ret=0;
goto err;
}
/* if (type==DER)
{
i=i2d_X509_bio(memcert,x);
j=i2d_PrivateKey_bio(memkey,pkey);//生成的结果错误!?????????????
}
else if(type==PEM)
*/ {
i=PEM_write_bio_X509(memcert,x);
j=PEM_write_bio_PrivateKey(memkey,pkey,NULL,NULL,0,NULL, NULL);
}
if(!i||!j)
{
strcpy(outMsg,"Get Mem Cert or Key File Error");
ret=0;
goto err;
}
BIO_get_mem_ptr(memcert, &bptrcert);
*certl=bptrcert->length;
memcpy(cert,bptrcert->data,*certl);
BIO_get_mem_ptr(memkey, &bptrkey);
*keyl=bptrkey->length;
memcpy(key,bptrkey->data,*keyl);
err:
BIO_free_all(memcert);
BIO_free_all(memkey);
EVP_PKEY_free(pkey);
EVP_PKEY_free(prkey);
X509_free(x509);
X509_free(x);
if (req != NULL) X509_REQ_free(req);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
return ret;
}
///////////////////////////////////////////////////////////////////// /
//////////////////////// / begin //////////////////////////////////// //
/* 添加链表节点 */
void AddRevoke(stuREVOKE *& Head, int index,time_t time)
{
stuREVOKE * End= new stuREVOKE(index,time); // 钥增加的节点
if(Head==NULL)
{
Head=End;
}
else
{
stuREVOKE * p=Head;
while(p->Link!=NULL)
p=p->Link;
p->Link=End;
}
return;
}
int Add_ExtCrl(X509_CRL *crl /* 正被添加的证书 */,X509 * root /* 根证书(从中得到信息) */,
int nid, char *value)
{
X509V3_CTX ctx;
X509_EXTENSION *ex;
/* This sets the 'context' of the extensions. */
/* No configuration database */
// X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, root, NULL, NULL, crl, 0);
// issuerAltName authorityKeyIdentifier
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex)
return 0;
X509_CRL_add_ext(crl,ex,-1);
X509_EXTENSION_free(ex);
return 1;
}
BOOL MakeCrl( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen,
stuREVOKE * Head /* 作废链表 */,PNewCrlMem NewCrlMem /* 回调函数 */, char *& outCrl, int * crll, char * outfile /* crl文件 */,
char * outMsg /* 操作结果 */)
{
X509_CRL_INFO *ci = NULL;
X509_CRL *crl = NULL;
int ret=1,i=0;
char *key=NULL;
char *md=NULL;
EVP_PKEY *pkey=NULL;
X509 *x509=NULL;
BIO * in=NULL,* out=NULL;
const EVP_MD *dgst=NULL;
X509_REVOKED *r=NULL;
long crldays=30;
long crlhours=0;
stuREVOKE * temp =NULL;
BIO * memcrl=NULL;
BUF_MEM *bptrcrl=NULL;
OpenSSL_add_all_algorithms();
pkey=LoadKey(keyfile,keylen,NULL,outMsg);
if (pkey == NULL)
{
ret = 0;
goto err;
}
x509=LoadCert(certfile,certlen,outMsg);
if (x509 == NULL)
{
ret = 0;
goto err;
}
if (!X509_check_private_key(x509,pkey))
{
sprintf(outMsg,"CA certificate and CA private key do not match\n");
ret = 0;
goto err;
}
md="md5"; ///////// /!!!!!!!!!!!!!!!!! /////////////////////////// /
if ((dgst=EVP_get_digestbyname(md)) == NULL) // return an EVP_MD structure when passed a digest name
{
sprintf(outMsg,"%s is an unsupported message digest type\n",md);
ret = 0;
goto err;
}
if ((crl=X509_CRL_new()) == NULL)
{
ret = 0;
goto err;
}
ci=crl->crl;
X509_NAME_free(ci->issuer);
ci->issuer=X509_NAME_dup(x509->cert_info->subject);
if (ci->issuer == NULL)
{
ret = 0;
goto err;
}
X509_gmtime_adj(ci->lastUpdate,0);
if (ci->nextUpdate == NULL)
ci->nextUpdate=ASN1_UTCTIME_new();
X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
if(!ci->revoked)
ci->revoked = sk_X509_REVOKED_new_null();
while(Head!=NULL) // 遍历链表
{
temp=Head;
X509_REVOKED *r = NULL;
BIGNUM *serial_bn = NULL;
r = X509_REVOKED_new();
ASN1_TIME_set(r->revocationDate,Head->time); // 时间
char index[100];
BN_hex2bn(&serial_bn,itoa(Head->Index,index,10)); // 序号
BN_to_ASN1_INTEGER(serial_bn,r->serialNumber);
sk_X509_REVOKED_push(ci->revoked,r);
Head=Head->Link;
delete temp;
}
// sk_X509_REVOKED_sort(ci->revoked);
for (i=0; i<SK_X509_REVOKED_NUM(CI->revoked); i++)
{
r=sk_X509_REVOKED_value(ci->revoked,i);
r->sequence=i;
}
if (ci->version == NULL)
if ((ci->version=ASN1_INTEGER_new()) == NULL)
{
ret = 0;
goto err;
}
ASN1_INTEGER_set(ci->version,1);
// issuerAltName authorityKeyIdentifier
// Add_ExtCrl(crl,x509,NID_subject_alt_name,"DNS:hpxs,email:[email protected],RID:1.2.3.4,URI: https://hpxs ,IP:192.168.0.22");
Add_ExtCrl(crl,x509,NID_issuer_alt_name, "DNS:hpxs,email:[email protected],RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22");
Add_ExtCrl(crl,x509,NID_authority_key_identifier, "keyid,issuer:always");
if (!X509_CRL_sign(crl,pkey,dgst))
{
ret = 0;
goto err;
}
if(NewCrlMem) // 输出内存
{
memcrl= BIO_new(BIO_s_mem());
BIO_set_close(memcrl, BIO_CLOSE); /* BIO_free() free BUF_MEM */
PEM_write_bio_X509_CRL(memcrl,crl);
BIO_get_mem_ptr(memcrl, &bptrcrl);
*crll=bptrcrl->length;
outCrl=NewCrlMem(*crll);
memcpy(outCrl,bptrcrl->data,*crll);
}
if(outfile) // 输出文件
{
out=BIO_new_file(outfile, "w");
if( out==NULL)
{
sprintf(outMsg,"%s is error",outfile);
ret = 0;
goto err;
}
PEM_write_bio_X509_CRL( out,crl);
}
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
err:
if( out)
BIO_free_all( out);
if(memcrl)
BIO_free_all(memcrl);
BIO_free( in);
EVP_PKEY_free(pkey);
X509_CRL_free(crl);
X509_free(x509);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
if(ret==1)
strcpy(outMsg,"CRL制作成功");
return ret;
}
BOOL CertFormatConver( char * buf /* 文件内容或文件名称 */, int len /* 内存长度为0则buf为文件名 */,
char * pwd /* p12文件密码 */, char * pem /* 输出文件 */,
int outformat, char * out /* 操作结果 */)
{
EVP_PKEY *key=NULL;
X509 *cert=NULL;
BIO *biout=NULL;
int i=0;
// 输出文件
if ((biout=BIO_new_file(pem, "w")) == NULL)
{
return false;
}
cert = LoadCert(buf,len, out); // 首先尝试公钥,bio被改写
if(cert) // 输入文件为公钥文件
{
if (outformat == DER)
i=i2d_X509_bio(biout,cert);
else if (outformat == PEM)
{
// if (trustout) i=PEM_write_bio_X509_AUX(biout,x);
i=PEM_write_bio_X509(biout,cert);
}
if(!i) // 失败
strcpy( out,"保存公钥失败");
else
strcpy( out,"公钥证书格式转换成功");
}
else // 输入文件为私钥文件
{
key=LoadKey(buf,len,pwd, out);
if(!key)
{
strcpy( out,"不能识别的文件格式");
return false;
}
if(outformat==PEM)
{
PEM_write_bio_PrivateKey(biout, key, NULL, NULL, 0, 0, NULL);
}
if(outformat==DER)
{
i2d_PrivateKey_bio(biout,key); // 得到解密后的私钥
}
strcpy( out,"私钥证书格式转换成功");
}
if (biout != NULL) BIO_free(biout);
X509_free(cert);
EVP_PKEY_free(key);
return true;
}
// 分解p12包
BOOL ParseDB( char * strP12 /* 包文件 */, char * strPwd /* 私钥密码 */, char * strCert /* 公钥存放 */,
char * strkey /* 私钥存放 */, int outformat /* 输出格式 */, char * out /* 返回结果 */)
{
EVP_PKEY *key=NULL;
X509 *cert=NULL;
STACK_OF(X509) *ca = NULL;
BIO * bio=NULL,*bioCert=NULL,*bioKey=NULL;
PKCS12 *p12=NULL;
int i=0,j=0;
if((bio=BIO_new_file(strP12, "r")) == NULL)
{
strcpy( out,"打开文件错误");
return false;
}
SSLeay_add_all_algorithms();
p12 = d2i_PKCS12_bio(bio, NULL);
if (!PKCS12_parse(p12, strPwd, &key, &cert /* PEM */, &ca))
{
strcpy( out,"解包失败");
return false;
}
PKCS12_free(p12);
// 输出文件
if ((bioCert=BIO_new_file(strCert, "w")) == NULL)
{
return false;
}
if ((bioKey=BIO_new_file(strkey, "w")) == NULL)
{
return false;
}
if(outformat == DER)
{
i=i2d_X509_bio(bioCert,cert);
j=i2d_PrivateKey_bio(bioKey,key);
}
else if (outformat == PEM)
{
i=PEM_write_bio_X509(bioCert,cert);
j=PEM_write_bio_PrivateKey(bioKey, key, NULL, NULL, 0, 0, NULL);
}
if (bio != NULL) BIO_free(bio);
if (bioCert != NULL) BIO_free(bioCert);
if (bioKey != NULL) BIO_free(bioKey);
X509_free(cert);
EVP_PKEY_free(key);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
if(i!=0&&j!=0)
{
strcpy( out,"分解P12成功");
return true;
}
return false;
}
// 组合p12包
BOOL CreateDB( char * strP12 /* OUT包文件 */, char * strPwd /* IN密码 */, char * strCert /* IN公钥 */,
char * strkey /* IN私钥 */, char * out /* 返回结果 */)
{
FILE *fp=NULL;
EVP_PKEY *key=NULL;
X509 *cert=NULL;
PKCS12 *p12;
cert =LoadCert(strCert,0, out);
if(!cert)
{
strcpy( out,"读取公钥文件失败");
return false;
}
key=LoadKey(strkey,0,NULL, out); // 解密后私钥
if(!key)
{
strcpy( out,"读取私钥文件失败");
return false;
}
SSLeay_add_all_algorithms();
p12 = PKCS12_create(strPwd,"(hpxs)", key, cert, NULL, 0,0,0,0,0);
if(!p12)
{
strcpy( out,"创建p12结构失败");
return false;
}
if (!(fp = fopen(strP12, "wb")))
{
strcpy( out,"保存p12文件失败");
}
i2d_PKCS12_fp(fp, p12);
PKCS12_free(p12);
fclose(fp);
strcpy( out,"合并P12成功");
X509_free(cert);
EVP_PKEY_free(key);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
return true;
}
// 修改p12包密码
BOOL ChangePB( char * strP12 /* in包文件 */, char * strPwd /* IN原密码 */, char * strPwd2 /* IN新密码 */,
char * strOutP12 /* in包文件 */, char * out /* 返回结果 */)
{
FILE *fp=NULL;
EVP_PKEY *key=NULL;
X509 *cert=NULL;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12=NULL;
int len=0,wlen=0;
SSLeay_add_all_algorithms();
if (!(fp = fopen(strP12, "rb")))
{
strcpy( out,"打开文件错误");
return false;
}
p12 = d2i_PKCS12_fp(fp, NULL);
fclose (fp);
if (!p12)
{
strcpy( out,"读取包文件错误");
return false;
}
if (!PKCS12_parse(p12, strPwd, &key, &cert, &ca))
{
strcpy( out,"解包失败");
return false;
}
PKCS12_free(p12);
fclose(fp);
p12=NULL;
///////////////////////////////////////
p12 = PKCS12_create(strPwd2,"(null)", key, cert, NULL, 0,0,0,0,0);
if(!p12)
{
strcpy( out,"创建p12结构失败");
return false;
}
if (!(fp = fopen(strOutP12, "wb")))
{
strcpy( out,"保存p12文件失败");
}
i2d_PKCS12_fp(fp, p12);
PKCS12_free(p12);
fclose(fp);
strcpy( out,"转换P12密码成功");
X509_free(cert);
EVP_PKEY_free(key);
return true;
}
BOOL CertPairCheck( char * cert, char * key, char * out) // 检验公钥、私钥是否配对
{
EVP_PKEY *pkey=NULL;
X509 *x509=NULL;
x509=LoadCert(cert,0, out);
if(x509==NULL)
{
strcpy( out,"不能打开公钥文件");
return FALSE;
}
pkey=LoadKey(key,0,NULL, out);
if(pkey==NULL)
{
strcpy( out,"不能打开私钥文件");
X509_free(x509);
return FALSE;
}
if(X509_check_private_key(x509,pkey)) // 匹配
{
X509_free(x509);
EVP_PKEY_free(pkey);
return TRUE;
}
else
{
strcpy( out,"公私钥对不匹配");
X509_free(x509);
EVP_PKEY_free(pkey);
return FALSE;
}
}
//
#define sprintf_s sprintf
#include "stdafx.h"
#include <LOCALE.H>
#include "ca.h"
#include <OPENSSL pem.h>
#include <OPENSSL x509.h>
#include <OPENSSL x509v3.h>
#include <OPENSSL pkcs12.h>
#include <OPENSSL rand.h>
#include<STDLIB.H>
#include<STDIO.H>
#include <OPENSSL engine.h>
#define EXT_COPY_NONE 0
#define EXT_COPY_ADD 1
#define EXT_COPY_ALL 2
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
return TRUE;
}
/* 此函数可以将DER、PEM、P12文件公钥读出来 */
X509 *load_cert(BIO *cert /* 输入BIO */, int format /* 格式 */, char * pwd, /* P12密码 */
char * outMsg) // 从DER、PEM、P12格式中读取公钥证书
{
X509 * x=NULL;
if (format == DER)
x=d2i_X509_bio(cert,NULL);
else if (format == PEM)
x=PEM_read_bio_X509(cert,NULL,NULL,NULL); // PEM_read_bio_X509_AUX
else if (format == P12)
{
PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
PKCS12_parse(p12, pwd, NULL, &x, NULL);
PKCS12_free(p12);
p12 = NULL;
}
else
{
sprintf_s(outMsg,"bad input format specified for input cert\n");
goto end;
}
end:
if (x == NULL)
{
sprintf(outMsg,"unable to load certificate\n");
}
return(x);
}
X509 * LoadCert( char * cert, int certlen, char * outMsg) // 枚举DER/PEM格式
{
BIO * in=NULL;
X509 * x509=NULL;
if(certlen==0) // 输入为磁盘文件
{
if(( in=BIO_new_file(cert, "r")) == NULL)
{
sprintf(outMsg,"open CA certificate file error");
return NULL;
}
}
else // 输入为内存中文件
{
if(( in=BIO_new_mem_buf(cert,certlen))== NULL) // 只读类型
{
sprintf(outMsg,"Make Mem Bio Error");
return NULL;
}
}
if((x509=load_cert( in,DER,NULL,outMsg))==NULL) // 尝试DER
{
BIO_reset( in); // 恢复bio
x509=load_cert( in,PEM,NULL,outMsg); // 尝试PEM
}
if ( in != NULL) BIO_free( in);
return x509;
}
EVP_PKEY *load_key(BIO *bio, int format, char *pass, char * outMsg) // 枚举DER/PEM格式
{
EVP_PKEY *pkey=NULL;
if (format == DER)
{
pkey=d2i_PrivateKey_bio(bio, NULL);
}
else if (format == PEM)
{
pkey=PEM_read_bio_PrivateKey(bio,NULL,NULL,pass);
}
else if (format == P12)
{
PKCS12 *p12 = d2i_PKCS12_bio(bio, NULL);
PKCS12_parse(p12, pass, &pkey, NULL, NULL);
PKCS12_free(p12);
p12 = NULL;
}
else
{
sprintf(outMsg,"bad input format specified for key\n");
goto end;
}
end:
if (pkey == NULL)
sprintf(outMsg,"unable to load Private Key\n");
return(pkey);
}
EVP_PKEY * LoadKey( char * key, int keylen, char * pass, char * outMsg)
{
EVP_PKEY *pkey=NULL;
BIO * in=NULL;
if(keylen==0) // 输入为磁盘文件
{
if(( in=BIO_new_file(key, "r")) == NULL)
{
sprintf(outMsg,"open CA certificate file error");
return NULL;
}
}
else // 输入为内存中文件
{
if(( in=BIO_new_mem_buf(key,keylen))== NULL) // 只读类型
{
sprintf(outMsg,"Make Mem Bio Error");
return NULL;
}
}
if((pkey=load_key( in,DER,pass,outMsg))==NULL) // 尝试DER
{
BIO_reset( in); // BIO是可读写的,那么该BIO所有数据都会被清空;
// 如果该BIO是只读的,那么该操作只会简单将指
// 针指向原始位置,里面的数据可以再读.
pkey=load_key( in,PEM,pass,outMsg); // 尝试PEM
}
if ( in != NULL) BIO_free( in);
return pkey;
}
int Rand( const char *file, int dont_warn, char * outMsg) // 产生随机数,return 0 ---成功
{
int consider_randfile = (file == NULL);
char buffer[200];
RAND_screen();
if (file == NULL)
file = RAND_file_name(buffer, sizeof buffer);
else if (RAND_egd(file) > 0)
{
/* we try if the given filename is an EGD socket.
if it is, we don't write anything back to the file. */
return 1;
}
if (file == NULL || !RAND_load_file(file, -1))
{
if (RAND_status() == 0 && !dont_warn)
{
sprintf(outMsg,"unable to load 'random state'\n");
sprintf(outMsg,"This means that the random number generator has not been seeded\n");
if (consider_randfile) /* explanation does not apply when a file is explicitly named */
{
sprintf(outMsg,"Consider setting the RANDFILE environment variable to point at a file that\n");
sprintf(outMsg,"'random' data can be kept in (the file will be overwritten).\n");
}
}
return 0;
}
return 1;
}
//////////////////////// / end /////////////////////////////////////// /
///////////////////////////////////////////////////////////////////// /
//////////////////////// / begin //////////////////////////////////// //
/* Add extension using V3 code: we can set the config file as NULL
* because we wont reference any other sections.
*/
int Add_ExtCert(X509 *cert /* 正被添加的证书 */,X509 * root /* 根证书(从中得到信息) */, int nid, char *value)
{
X509_EXTENSION *ex;
X509V3_CTX ctx;
/* This sets the 'context' of the extensions. */
/* No configuration database */
// X509V3_set_ctx_nodb(&ctx);
/* Issuer and subject certs: both the target since it is self signed,
* no request and no CRL
*/
X509V3_set_ctx(&ctx,root, cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex)
return 0;
X509_add_ext(cert,ex,-1);
X509_EXTENSION_free(ex);
return 1;
}
bool Add_Name(X509_NAME * x509name, int type /* c\cn */, char * iput /* 中国 */,
int ilen /* 输入长度 */, char * outMsg) // 支持中文名称
{
wchar_t * ws,wc;
ASN1_STRING stmp, *str = &stmp;
UCHAR cbuf[256]={0};
int wslen, wcnt,i;
char input[256]={0};
strncpy(input, iput, ilen);
wslen = strlen(input) + 1;
if(wslen==1)
return true;
ws = new unsigned short[ sizeof(wchar_t) * wslen];
if ((wcnt = mbstowcs(ws, input, wslen)) == -1)
{
sprintf(outMsg,"mbstowcs convert error");
delete ws;
return false;
}
for(i=0;i<( int)wcslen(ws);i++)
{
wc=ws[i];
cbuf[2*i]=wc/256;
cbuf[2*i+1]=wc%256;
}
ASN1_mbstring_copy(&str, cbuf, 2*wslen, MBSTRING_BMP, B_ASN1_UTF8STRING);
X509_NAME_add_entry_by_NID(x509name,type,V_ASN1_UTF8STRING,stmp.data,stmp.length, -1, 0);
delete ws;
return true;
}
bool mkRoot(stuSUBJECT * rootInfo,X509 **x509p /* out公钥 */, EVP_PKEY **pkeyp /* out私钥 */,
int bits /* 位数 */, int serial /* 序列号 */, int days /* 有效期 */, char * out /* 操作结果 */)
{
X509 *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
int i=0,len=0;
if ((pkeyp == NULL) || (*pkeyp == NULL))
{
if ((pk=EVP_PKEY_new()) == NULL)
{
abort();
return false;
}
}
else
pk= *pkeyp;
if ((x509p == NULL) || (*x509p == NULL))
{
if ((x=X509_new()) == NULL)
goto err;
}
else
x= *x509p;
Rand(NULL,1, out); // 产生随机数种子
rsa=RSA_generate_key(bits,RSA_F4,0 /* 回调函数callback */,NULL); // 产生密钥对, // RSA存储了公钥私钥
if (!EVP_PKEY_assign_RSA(pk,rsa)) // 完成RSA密钥的pkey结构初始工作,当pk不为NULL的时候,返回1,否则返回0
{
abort();
goto err;
}
rsa=NULL;
X509_set_version(x,2); // 版本号,显示+1
ASN1_INTEGER_set(X509_get_serialNumber(x),serial); // 序列号
X509_gmtime_adj(X509_get_notBefore(x),0); // 起始时间
X509_gmtime_adj(X509_get_notAfter(x),( long)60*60*24*days); // 结束时间
X509_set_pubkey(x,pk); // 公钥
name=X509_get_subject_name(x);
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors
*/
// C-国家,ST-省,L-城市,O-组织,OU-部门,CN-个体,T-title,D-description,G-givenName,I-initials,
// Email-emailAddress,S-surname,SN-serialNumber,dnQualifier-dnQualifier,unstructuredName,challengePassword,unstructuredAddress,
setlocale(LC_CTYPE, "");
Add_Name(name,NID_countryName,( char *)rootInfo->C, sizeof(rootInfo->C), out);
Add_Name(name,NID_stateOrProvinceName,( char *)rootInfo->ST, sizeof(rootInfo->ST), out);
Add_Name(name,NID_localityName,( char *)rootInfo->L, sizeof(rootInfo->L), out);
Add_Name(name,NID_organizationName,( char *)rootInfo->O, sizeof(rootInfo->O), out);
Add_Name(name,NID_organizationalUnitName,( char *)rootInfo->OU, sizeof(rootInfo->OU), out);
Add_Name(name,NID_commonName,( char *)rootInfo->CN, sizeof(rootInfo->CN), out);
Add_Name(name,NID_pkcs9_emailAddress,( char *)rootInfo->MAIL, sizeof(rootInfo->MAIL), out);
Add_Name(name,NID_email_protect,( char *)rootInfo->PMAIL, sizeof(rootInfo->PMAIL), out);
Add_Name(name,NID_title,( char *)rootInfo->T, sizeof(rootInfo->T), out);
Add_Name(name,NID_description,( char *)rootInfo->D, sizeof(rootInfo->D), out);
Add_Name(name,NID_givenName,( char *)rootInfo->G, sizeof(rootInfo->G), out);
Add_Name(name,NID_initials,( char *)rootInfo->I, sizeof(rootInfo->I), out);
Add_Name(name,NID_name,( char *)rootInfo->NAME, sizeof(rootInfo->NAME), out);
Add_Name(name,NID_surname,( char *)rootInfo->S, sizeof(rootInfo->S), out);
Add_Name(name,NID_dnQualifier,( char *)rootInfo->QUAL, sizeof(rootInfo->QUAL), out);
Add_Name(name,NID_pkcs9_unstructuredName,( char *)rootInfo->STN, sizeof(rootInfo->STN), out);
Add_Name(name,NID_pkcs9_challengePassword,( char *)rootInfo->PW, sizeof(rootInfo->PW), out);
Add_Name(name,NID_pkcs9_unstructuredAddress,( char *)rootInfo->ADD, sizeof(rootInfo->ADD), out);
/* Its self signed so set the issuer name to be the same as the
* subject.
*/
X509_set_issuer_name(x,name); // 设置发行者名称等同于上面的
// 加入扩展信息
/* Add various extensions: standard extensions */
Add_ExtCert(x,x,NID_basic_constraints, "critical,CA:TRUE");
// 主题密钥标示符---当发行者有多个签名密钥时
Add_ExtCert(x,x,NID_subject_key_identifier, "hash");
// 颁发机构密钥标示符
Add_ExtCert(x,x,NID_authority_key_identifier, "keyid:always");
// 密钥用法
Add_ExtCert(x,x,NID_key_usage, "nonRepudiation,digitalSignature,keyEncipherment");
Add_ExtCert(x,x,NID_domainComponent, "no");
Add_ExtCert(x,x,NID_Domain, "no");
/* Some Netscape specific extensions */
// Add_ExtCert(x, NID_netscape_cert_type, "sslCA");
// Add_ExtCert(x, NID_netscape_comment, "example comment extension"); // netscape_comment
/* Maybe even add our own extension based on existing */
// 加入自定义信息begin
// int nid;
// nid = OBJ_create("1.2.3.4.9", "Hpxs", "I love you!");
// X509V3_EXT_add_alias(nid, NID_netscape_comment);
// Add_ExtCert(x, nid, "I love you");
// 加入自定义信息end
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
if (!X509_sign(x,pk,EVP_sha1())) // 签名算法EVP_sha1,EVP_md5,用私钥签名公钥
{
strcpy( out,"证书签名失败");
goto err;
}
*x509p=x;
*pkeyp=pk;
return true;
err:
return false;
}
BOOL MakeRoot(stuSUBJECT * rootInfo, /* 信息 */ int bits /* 位数 */, int serial /* 序列号 */,
int days /* 有效期 */, char * certFile /* 证书文件 */, char * priFile /* 私钥文件 */,
char * outMsg /* 操作结果 */, int type /* 类型pem-der */)
{
X509 *x509=NULL;
EVP_PKEY *pkey=NULL;
BIO * bcert=NULL,* bkey=NULL;
bool ret= true;
int i=0,j=0;
if(((bcert=BIO_new_file(certFile, "w"))== NULL)||((bkey=BIO_new_file(priFile, "w")) == NULL))
{
strcpy(outMsg,"Create File Error");
return false;
}
if(mkRoot(rootInfo,&x509,&pkey,bits,serial,days,outMsg))
{
if (type==DER)
{
i=i2d_X509_bio(bcert,x509); // returns 1 for success
j=i2d_PrivateKey_bio(bkey,pkey);
}
else if(type==PEM)
{
i=PEM_write_bio_X509(bcert,x509);
j=PEM_write_bio_PrivateKey(bkey,pkey,NULL,NULL,0,NULL, NULL);
}
if(!i||!j)
{
ret= false;
strcpy(outMsg,"Save Cert or Key File Error");
}
}
else
ret= false;
BIO_free(bcert);
BIO_free(bkey);
X509_free(x509);
EVP_PKEY_free(pkey);
return ret;
}
//////////////////////// / end /////////////////////////////////////// /
///////////////////////////////////////////////////////////////////// /
//////////////////////// / begin //////////////////////////////////// //
/* Add extension using V3 code: we can set the config file as NULL
* because we wont reference any other sections.
*/
int Add_ExtReq(STACK_OF(X509_REQUEST) *sk, int nid, char *value)
{
X509_EXTENSION *ex;
ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
if (!ex)
return 0;
sk_X509_EXTENSION_push(sk, ex);
return 1;
}
int mkReq(stuSUBJECT * reqInfo,X509_REQ **req, EVP_PKEY **pkeyp, int bits, char * out)
{
X509_REQ *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
ASN1_STRING stmp, *str = &stmp;
STACK_OF(X509_EXTENSION) *exts = NULL;
if ((pk=EVP_PKEY_new()) == NULL)
goto err;
if ((x=X509_REQ_new()) == NULL)
goto err;
Rand(NULL,1, out); // 产生随机数种子
rsa=RSA_generate_key(bits,RSA_F4,0 /* 回调函数callback */,NULL); // 产生密钥对
// PEM_write_bio_RSAPrivateKey
if (!EVP_PKEY_assign_RSA(pk,rsa))
goto err;
rsa=NULL;
X509_REQ_set_pubkey(x,pk);
name=X509_REQ_get_subject_name(x);
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors
*/
setlocale(LC_CTYPE, "");
Add_Name(name,NID_countryName,( char *)reqInfo->C, sizeof(reqInfo->C), out);
Add_Name(name,NID_stateOrProvinceName,( char *)reqInfo->ST, sizeof(reqInfo->ST), out);
Add_Name(name,NID_localityName,( char *)reqInfo->L, sizeof(reqInfo->L), out);
Add_Name(name,NID_organizationName,( char *)reqInfo->O, sizeof(reqInfo->O), out);
Add_Name(name,NID_organizationalUnitName,( char *)reqInfo->OU, sizeof(reqInfo->OU), out);
Add_Name(name,NID_commonName,( char *)reqInfo->CN, sizeof(reqInfo->CN), out);
Add_Name(name,NID_pkcs9_emailAddress,( char *)reqInfo->MAIL, sizeof(reqInfo->MAIL), out);
Add_Name(name,NID_email_protect,( char *)reqInfo->PMAIL, sizeof(reqInfo->PMAIL), out);
Add_Name(name,NID_title,( char *)reqInfo->T, sizeof(reqInfo->T), out);
Add_Name(name,NID_description,( char *)reqInfo->D, sizeof(reqInfo->D), out);
Add_Name(name,NID_givenName,( char *)reqInfo->G, sizeof(reqInfo->G), out);
Add_Name(name,NID_initials,( char *)reqInfo->I, sizeof(reqInfo->I), out);
Add_Name(name,NID_name,( char *)reqInfo->NAME, sizeof(reqInfo->NAME), out);
Add_Name(name,NID_surname,( char *)reqInfo->S, sizeof(reqInfo->S), out);
Add_Name(name,NID_dnQualifier,( char *)reqInfo->QUAL, sizeof(reqInfo->QUAL), out);
Add_Name(name,NID_pkcs9_unstructuredName,( char *)reqInfo->STN, sizeof(reqInfo->STN), out);
Add_Name(name,NID_pkcs9_challengePassword,( char *)reqInfo->PW, sizeof(reqInfo->PW), out);
Add_Name(name,NID_pkcs9_unstructuredAddress,( char *)reqInfo->ADD, sizeof(reqInfo->ADD), out);
/* Certificate requests can contain extensions, which can be used
* to indicate the extensions the requestor would like added to
* their certificate. CAs might ignore them however or even choke
* if they are present.
*/
/* For request extensions they are all packed in a single attribute.
* We save them in a STACK and add them all at once later
*/
exts = sk_X509_EXTENSION_new_null();
/* Standard extenions */
// 主题备用名称,URL: http://my.url.here/ 、支持email copy
Add_ExtReq(exts, NID_subject_alt_name, "DNS:localhost,email:[email protected],RID:1.2.3.4,URI:192.168.2.22,IP:C0A80216");
// 加入自定义扩展
int nid;
nid = OBJ_create("1.3.6.1.4.1.5315.100.2.5", "UserID", "User ID Number");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
Add_ExtReq(exts, nid, "ID130203197703060618");
/* Now we've created the extensions we add them to the request */
X509_REQ_add_extensions(x, exts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
if (!X509_REQ_sign(x,pk,EVP_sha1())) // 用自己的公钥签名私钥
goto err;
*req=x;
*pkeyp=pk;
return(1);
err:
return(0);
}
BOOL MakeReq(stuSUBJECT * reqInfo, /* 请求信息 */ int bits /* 位数 */, char * reqFile /* 证书请求文件 */,
char * priFile /* 私钥文件 */, char * outMsg /* 操作结果 */, int type)
{
X509_REQ *req=NULL;
EVP_PKEY *pkey=NULL;
BIO * breq=NULL,* bkey=NULL;
int i=0,j=0;
if(((breq=BIO_new_file(reqFile, "w"))== NULL)||((bkey=BIO_new_file(priFile, "w")) == NULL))
{
strcpy(outMsg,"Create File Error");
return false;
}
if(!mkReq(reqInfo,&req,&pkey,bits,outMsg))
{
strcpy(outMsg,"Make CertReq Error");
return false;
}
if(type==PEM)
{
i=PEM_write_bio_X509_REQ(breq,req);
j=PEM_write_bio_PrivateKey(bkey,pkey,NULL,NULL,0,NULL, NULL);
}
else if(type==DER)
{
i=i2d_X509_REQ_bio(breq,req);
j=i2d_PrivateKey_bio(bkey,pkey);
}
BIO_free(breq);
BIO_free(bkey);
X509_REQ_free(req);
EVP_PKEY_free(pkey);
if(!i||!j)
{
strcpy(outMsg,"Save Cert or Key File Error");
return false;
}
return true;
}
//////////////////////// // end //////////////////////////////////// //
////////////////////////////////////////////////////////////////// //
/////////////////////////// begin /////////////////////////////////////// /
int copy_extensions(X509 *x, X509_REQ *req, int copy_type) // 在证书中加入req自带扩展信息
{
STACK_OF(X509_EXTENSION) *exts = NULL;
X509_EXTENSION *ext, *tmpext;
ASN1_OBJECT *obj;
int i, idx, ret = 0;
if (!x || !req || (copy_type == EXT_COPY_NONE))
return 1;
exts = X509_REQ_get_extensions(req);
for(i = 0; i < sk_X509_EXTENSION_num(exts); i++)
{
ext = sk_X509_EXTENSION_value(exts, i);
obj = X509_EXTENSION_get_object(ext);
idx = X509_get_ext_by_OBJ(x, obj, -1);
/* Does extension exist? */
if (idx != -1)
{
/* If normal copy don't override existing extension */
if (copy_type == EXT_COPY_ADD)
continue;
/* Delete all extensions of same type */
do
{
tmpext = X509_get_ext(x, idx);
X509_delete_ext(x, idx);
X509_EXTENSION_free(tmpext);
idx = X509_get_ext_by_OBJ(x, obj, -1);
} while (idx != -1);
}
if (!X509_add_ext(x, ext, -1))
goto end;
}
ret = 1;
end:
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
return ret;
}
int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int serial,
char *startdate, char *enddate, int days,X509_REQ * req,stuKEYUSAGE * KUSAGE,
stuEKEYUSAGE * EKUSAGE, char * outMsg)
{
X509_NAME *name=NULL,*CAname=NULL;
X509 *ret=NULL;
X509_CINF *ci;
EVP_PKEY *pktmp;
int ok= -1,i=0;
// STACK_OF (X509_EXTENSION) * req_exts; // 如何释放??
char kusage[160]={0};
char ekusage[360]={0};
name=X509_REQ_get_subject_name(req);
if ((ret=X509_new()) == NULL)
{
ok=0;
goto err;
}
ci=ret->cert_info;
/* Make it an X509 v3 certificate. 版本1扩展 */
if (!X509_set_version(ret,2L)) // 版本
{
ok=0;
goto err;
}
ASN1_INTEGER_set(X509_get_serialNumber(ret),serial); // 序列号
if (!X509_set_issuer_name(ret,X509_get_subject_name(x509))) // 发行者
{
ok=0;
goto err;
}
if (strcmp(startdate,"today") == 0)
X509_gmtime_adj(X509_get_notBefore(ret),0); // 开始日期
else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
if (enddate == NULL)
X509_gmtime_adj(X509_get_notAfter(ret),( long)60*60*24*days); // 结束日期
else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
if (!X509_set_subject_name(ret,name)) // 主体 ---所有者
{
ok=0;
goto err;
}
pktmp=X509_REQ_get_pubkey(req);
i = X509_set_pubkey(ret,pktmp); // 公钥
EVP_PKEY_free(pktmp);
if (!i)
{
ok=0;
goto err;
}
// 加入req自带扩展信息,生成REQ文件时候加入的
if (!copy_extensions(ret, req, EXT_COPY_ALL))
{
strcpy("加入自带扩展信息失败",outMsg);
goto err;
}
/* Lets add the extensions, if there are any 加入标准扩展 */
// 基本限制Note if the CA option is false the pathlen option should be omitted.
Add_ExtCert(ret,ret,NID_basic_constraints, "critical,CA:FALSE,pathlen:1");
// 主题密钥标示符--------区分拥有者多对密钥
Add_ExtCert(ret,ret,NID_subject_key_identifier, "hash");
// Authority密钥标示符----区分发行者有多个签名密钥时
Add_ExtCert(ret,x509, NID_authority_key_identifier, "keyid,issuer:always");
// 密钥用法 ----数字签名、不可否认性、密钥加密、数据加密、密钥协商、证书签名、
// CRL签名、仅仅加密、仅仅解密
if(KUSAGE->DS)
strcpy(kusage,"digitalSignature");
if(KUSAGE->NR)
if(strlen(kusage)) // 添加
strcat(kusage, ",nonRepudiation");
else
strcpy(kusage,"nonRepudiation");
if(KUSAGE->KE)
if(strlen(kusage)) // 添加
strcat(kusage, ",keyEncipherment");
else
strcpy(kusage,"keyEncipherment");
if(KUSAGE->DE)
if(strlen(kusage)) // 添加
strcat(kusage, ",dataEncipherment");
else
strcpy(kusage,"dataEncipherment");
if(KUSAGE->KA)
if(strlen(kusage)) // 添加
strcat(kusage, ",keyAgreement");
else
strcpy(kusage,"keyAgreement");
if(KUSAGE->KC)
if(strlen(kusage)) // 添加
strcat(kusage, ",keyCertSign");
else
strcpy(kusage,"keyCertSign");
if(KUSAGE->CS)
if(strlen(kusage)) // 添加
strcat(kusage, ",cRLSign");
else
strcpy(kusage,"cRLSign");
if(KUSAGE->EO)
if(strlen(kusage)) // 添加
strcat(kusage, ",encipherOnly");
else
strcpy(kusage,"encipherOnly");
if(KUSAGE->DO)
if(strlen(kusage)) // 添加
strcat(kusage, ",decipherOnly");
else
strcpy(kusage,"decipherOnly");
if(strlen(kusage))
Add_ExtCert(ret,ret, NID_key_usage, kusage);
// 增强型密钥用法--一般只用于末端证书RFC3280
// 增强用法 证书目的
// --------------------------------------------------------------------------------------------------------------
// 服务器验证 保证远程计算机的身份
// 客户端验证 向远程计算机证明您的身份
// 代码签名 确保软件来自软件发行商
// 安全电子邮件 保护软件在发行后不被改动
// 时间戳 保护电子邮件消息
// --------------------------------------------------------------------------------------------------------------
// 保证软件来自一个软件发行商
// 保护软件在发行后不被改动。
// 保证软件来自商业软件发行商
// 允许您用数字签名证书信任列表
// 允许联机事务处理/通讯的严格加密
// 允许加密磁盘上的数据
// 智能卡登录
// IP安全终端系统 允许 Internet 上的安全通讯
// IP安全隧道终止
// IP 安全用户
// --------------------------------------------------------------------------------------------------------------
if(EKUSAGE->SA)
strcpy(ekusage,"serverAuth");
if(EKUSAGE->CA)
if(strlen(ekusage)) // 添加
strcat(ekusage,",clientAuth");
else
strcpy(ekusage,"clientAuth");
if(EKUSAGE->CS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",codeSigning");
else
strcpy(ekusage,"codeSigning");
if(EKUSAGE->EP)
if(strlen(ekusage)) // 添加
strcat(ekusage,",emailProtection");
else
strcpy(ekusage,"emailProtection");
if(EKUSAGE->TS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",timeStamping");
else
strcpy(ekusage,"timeStamping");
if(EKUSAGE->msCC)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msCodeCom");
else
strcpy(ekusage,"msCodeCom");
if(EKUSAGE->msCTLS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msCTLSign");
else
strcpy(ekusage,"msCTLSign");
if(EKUSAGE->msSGC)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msSGC");
else
strcpy(ekusage,"msSGC");
if(EKUSAGE->msEFS)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msEFS");
else
strcpy(ekusage,"msEFS");
if(EKUSAGE->msSC)
if(strlen(ekusage)) // 添加
strcat(ekusage,",msSmartcardLogin");
else
strcpy(ekusage,"msSmartcardLogin");
if(EKUSAGE->IP)
if(strlen(ekusage)) // 添加
strcat(ekusage,",ipsecEndSystem,ipsecTunnel,ipsecUser");
else
strcpy(ekusage,"ipsecEndSystem,ipsecTunnel,ipsecUser");
if(strlen(ekusage))
Add_ExtCert(ret,ret,NID_ext_key_usage,ekusage);
/*
Application keyUsage Values
SSL Client digitalSignature
SSL Server keyEncipherment
S/MIME Signing digitalSignature
S/MIME Encryption keyEncipherment
Certificate Signing keyCertSign
Object Signing digitalSignature */
// 颁发者备用名称,URL: http://my.url.here/ 、不支持email copy
Add_ExtCert(ret,ret, NID_issuer_alt_name, "DNS:hpxs,email:[email protected],RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22");
// 证书策略
Add_ExtCert(ret,ret,NID_certificate_policies,"OK");
// 颁发机构信息访问
Add_ExtCert(ret,ret,NID_info_access,"OCSP;URI:https://hpxs"); // 或者caIssuers;URI: http://my.ca/ca.html
// CRL分发点
Add_ExtCert(ret,x509, NID_crl_distribution_points, "URI:https://hpxs/hpxs.crl");
/* Some Netscape specific extensions */
// Add_ExtCert(ret,ret, NID_crl_number, "sslCA");
// Add_ExtCert(ret,x509, NID_netscape_comment, "See http://cert.umd.edu/root for details.");
/* In each case the 'value' of the extension is placed directly in the
extension. Currently supported extensions in this category are: nsBaseUrl,
nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
nsSslServerName and nsComment */
// Add_ExtCert(ret,x509, NID_netscape_cert_type, "client, server, email,objsign, reserved, sslCA,emailCA, objCA");
/* nsCertType (netscape certificate type) takes the flags: client, server, email,
objsign, reserved, sslCA, emailCA, objCA. */
/* Maybe even add our own extension based on existing */
// 加入自定义信息begin
int nid;
nid = OBJ_create("1.2.3.4.9", "Hpxs", "I love OpenSSL!");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
Add_ExtCert(ret,ret, nid, "I love OpenSSL");
// 加入自定义信息end
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
if (!X509_sign(ret,pkey,dgst)) // 加入签名,签名算法
{
ok=0;
goto err;
}
ok=1;
err:
if (CAname != NULL)
X509_NAME_free(CAname);
if (ok <= 0)
{
if (ret != NULL) X509_free(ret);
ret=NULL;
}
else
*xret=ret;
return(ok);
}
int certify(X509 **xret, X509_REQ *req, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
int serial, char *startdate, char *enddate, int days,stuKEYUSAGE * KUSAGE,
stuEKEYUSAGE * EKUSAGE, char * outMsg)
{ // 返回公钥证书,请求文件,根私钥,根公钥,
EVP_PKEY *pktmp=NULL;
int ok= -1,i=0;
if ((pktmp=X509_REQ_get_pubkey(req)) == NULL) // 得到公钥
{
sprintf(outMsg,"error unpacking public key\n");
ok=0;
goto err;
}
i=X509_REQ_verify(req,pktmp); // 证书请求里面有私要签名,这里验证一下,看此公钥主人是否持有私钥
EVP_PKEY_free(pktmp);
if (i < 0)
{
ok=0;
sprintf(outMsg,"Signature verification problems
.\n");
goto err;
}
if (i == 0)
{
ok=0;
sprintf(outMsg,"Signature did not match the certificate request\n");
goto err;
}
ok=do_body(xret,pkey,x509,dgst,serial,startdate, enddate,
days,req,KUSAGE,EKUSAGE,outMsg);
err:
return(ok);
}
BOOL MakeCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */, char *reqfile /* 请求文件 */,stuKEYUSAGE * KUSAGE /* 密钥用法 */,
stuEKEYUSAGE * EKUSAGE /* 增强密钥用法 */, char *outfile /* 结果文件 */,
char * outMsg /* 操作结果 */, int type /* 结果类型DER,PEM */) // 通过证书请求,得到证书
{
int ret=1;
char * md=NULL;
EVP_PKEY *pkey=NULL;
X509 * x509=NULL;
X509_REQ *req=NULL;
X509 * x=NULL;
BIO * bcert=NULL,* reqbio=NULL;
int j;
const EVP_MD *dgst=NULL;
OpenSSL_add_all_digests(); // 加入签名算法
if((reqbio=BIO_new_file(reqfile, "r")) == NULL)
{
ret=0;
goto err;
}
if ((req=PEM_read_bio_X509_REQ(reqbio,NULL,NULL,NULL)) == NULL) // PEM_read_X509_REQ
{
BIO_reset(reqbio);
if ((req=d2i_X509_REQ_bio(reqbio,NULL)) == NULL)
{
sprintf(outMsg,"Error get certificate request");
ret=0;
goto err;
}
}
pkey=LoadKey(keyfile,keylen,NULL,outMsg);
if (pkey == NULL)
{
ret = 0;
goto err;
}
x509=LoadCert(certfile,certlen,outMsg);
if (x509 == NULL)
{
ret = 0;
goto err;
}
if (!X509_check_private_key(x509,pkey))
{
sprintf(outMsg,"CA certificate and CA private key do not match\n");
ret = 0;
goto err;
}
md="sha1"; ///////// /!!!!!!!!!!!!!!!!! /////////////////////////// /
if ((dgst=EVP_get_digestbyname(md)) == NULL) // return an EVP_MD structure when passed a digest name
{
sprintf(outMsg,"%s is an unsupported message digest type\n",md);
ret = 0;
goto err;
}
j=certify(&x,req,pkey,x509,dgst, // 公钥证书out,请求文件,根私钥,根公钥,
serial,"today",enddate,days,KUSAGE,EKUSAGE,outMsg);
if (j <= 0)
{
ret=0;
goto err;
}
if(((bcert=BIO_new_file(outfile, "w"))== NULL))
{
strcpy(outMsg,"Create File Error");
goto err;
}
if (type==DER)
{
i2d_X509_bio(bcert,x);
}
else if(type==PEM)
{
PEM_write_bio_X509(bcert,x);
}
err:
if (reqbio != NULL) BIO_free(reqbio);
BIO_free_all(bcert);
EVP_PKEY_free(pkey);
X509_free(x509);
X509_free(x);
if (req != NULL) X509_REQ_free(req);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
return ret;
}
//////////////////////// / end /////////////////////////////////////// /
BOOL DirectCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */,stuCERT * sCERT /* 用户信息与密钥用法 */, int bits, char * cert /* 输出证书公钥 */, int * certl /* 长度 */,
char * key /* 输出证书私钥 */, int * keyl /* 长度 */, char * outMsg /* ,int type结果类型DER,PEM */) // 直接生成公私钥
{
X509_REQ * req=NULL;
EVP_PKEY * pkey=NULL, * prkey=NULL; // 证书私钥, // 根私钥
X509 * x509=NULL,* x=NULL; // 根公钥,证书公钥
BIO * memcert=NULL, * memkey=NULL; // 输出证书公私钥
BUF_MEM *bptrcert=NULL,*bptrkey=NULL;
int ret=1;
char * md=NULL;
int i=0,j=0,ok=0;
const EVP_MD *dgst=NULL;
OpenSSL_add_all_digests(); // 加入签名算法
memcert= BIO_new(BIO_s_mem());
memkey= BIO_new(BIO_s_mem());
BIO_set_close(memcert, BIO_CLOSE); /* BIO_free() free BUF_MEM */
BIO_set_close(memkey, BIO_CLOSE); /* BIO_free() free BUF_MEM */
prkey=LoadKey(keyfile,keylen,NULL,outMsg); // RAND_bytes
if (prkey == NULL)
{
ret = 0;
goto err;
}
x509=LoadCert(certfile,certlen,outMsg);
if (x509 == NULL)
{
ret = 0;
goto err;
}
if (!X509_check_private_key(x509,prkey))
{
sprintf(outMsg,"CA certificate and CA private key do not match\n");
ret = 0;
goto err;
}
if(!mkReq(&(sCERT->SUBJECT),&req,&pkey, bits,outMsg))
{
sprintf(outMsg,"Make CertReq error");
ret = 0;
goto err;
}
md="sha1"; ///////// /!!!!!!!!!!!!!!!!! /////////////////////////// /
if ((dgst=EVP_get_digestbyname(md)) == NULL) // return an EVP_MD structure when passed a digest name
{
sprintf(outMsg,"%s is an unsupported message digest type\n",md);
ret = 0;
goto err;
}
ok=certify(&x,req,prkey,x509,dgst, // 公钥证书out,请求,根私钥,根公钥,
serial,"today",enddate,days,&(sCERT->KUSAGE),&(sCERT->EKUSAGE),outMsg);
if (ok <= 0)
{
ret=0;
goto err;
}
/* if (type==DER)
{
i=i2d_X509_bio(memcert,x);
j=i2d_PrivateKey_bio(memkey,pkey);//生成的结果错误!?????????????
}
else if(type==PEM)
*/ {
i=PEM_write_bio_X509(memcert,x);
j=PEM_write_bio_PrivateKey(memkey,pkey,NULL,NULL,0,NULL, NULL);
}
if(!i||!j)
{
strcpy(outMsg,"Get Mem Cert or Key File Error");
ret=0;
goto err;
}
BIO_get_mem_ptr(memcert, &bptrcert);
*certl=bptrcert->length;
memcpy(cert,bptrcert->data,*certl);
BIO_get_mem_ptr(memkey, &bptrkey);
*keyl=bptrkey->length;
memcpy(key,bptrkey->data,*keyl);
err:
BIO_free_all(memcert);
BIO_free_all(memkey);
EVP_PKEY_free(pkey);
EVP_PKEY_free(prkey);
X509_free(x509);
X509_free(x);
if (req != NULL) X509_REQ_free(req);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
return ret;
}
///////////////////////////////////////////////////////////////////// /
//////////////////////// / begin //////////////////////////////////// //
/* 添加链表节点 */
void AddRevoke(stuREVOKE *& Head, int index,time_t time)
{
stuREVOKE * End= new stuREVOKE(index,time); // 钥增加的节点
if(Head==NULL)
{
Head=End;
}
else
{
stuREVOKE * p=Head;
while(p->Link!=NULL)
p=p->Link;
p->Link=End;
}
return;
}
int Add_ExtCrl(X509_CRL *crl /* 正被添加的证书 */,X509 * root /* 根证书(从中得到信息) */,
int nid, char *value)
{
X509V3_CTX ctx;
X509_EXTENSION *ex;
/* This sets the 'context' of the extensions. */
/* No configuration database */
// X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, root, NULL, NULL, crl, 0);
// issuerAltName authorityKeyIdentifier
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex)
return 0;
X509_CRL_add_ext(crl,ex,-1);
X509_EXTENSION_free(ex);
return 1;
}
BOOL MakeCrl( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen,
stuREVOKE * Head /* 作废链表 */,PNewCrlMem NewCrlMem /* 回调函数 */, char *& outCrl, int * crll, char * outfile /* crl文件 */,
char * outMsg /* 操作结果 */)
{
X509_CRL_INFO *ci = NULL;
X509_CRL *crl = NULL;
int ret=1,i=0;
char *key=NULL;
char *md=NULL;
EVP_PKEY *pkey=NULL;
X509 *x509=NULL;
BIO * in=NULL,* out=NULL;
const EVP_MD *dgst=NULL;
X509_REVOKED *r=NULL;
long crldays=30;
long crlhours=0;
stuREVOKE * temp =NULL;
BIO * memcrl=NULL;
BUF_MEM *bptrcrl=NULL;
OpenSSL_add_all_algorithms();
pkey=LoadKey(keyfile,keylen,NULL,outMsg);
if (pkey == NULL)
{
ret = 0;
goto err;
}
x509=LoadCert(certfile,certlen,outMsg);
if (x509 == NULL)
{
ret = 0;
goto err;
}
if (!X509_check_private_key(x509,pkey))
{
sprintf(outMsg,"CA certificate and CA private key do not match\n");
ret = 0;
goto err;
}
md="md5"; ///////// /!!!!!!!!!!!!!!!!! /////////////////////////// /
if ((dgst=EVP_get_digestbyname(md)) == NULL) // return an EVP_MD structure when passed a digest name
{
sprintf(outMsg,"%s is an unsupported message digest type\n",md);
ret = 0;
goto err;
}
if ((crl=X509_CRL_new()) == NULL)
{
ret = 0;
goto err;
}
ci=crl->crl;
X509_NAME_free(ci->issuer);
ci->issuer=X509_NAME_dup(x509->cert_info->subject);
if (ci->issuer == NULL)
{
ret = 0;
goto err;
}
X509_gmtime_adj(ci->lastUpdate,0);
if (ci->nextUpdate == NULL)
ci->nextUpdate=ASN1_UTCTIME_new();
X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
if(!ci->revoked)
ci->revoked = sk_X509_REVOKED_new_null();
while(Head!=NULL) // 遍历链表
{
temp=Head;
X509_REVOKED *r = NULL;
BIGNUM *serial_bn = NULL;
r = X509_REVOKED_new();
ASN1_TIME_set(r->revocationDate,Head->time); // 时间
char index[100];
BN_hex2bn(&serial_bn,itoa(Head->Index,index,10)); // 序号
BN_to_ASN1_INTEGER(serial_bn,r->serialNumber);
sk_X509_REVOKED_push(ci->revoked,r);
Head=Head->Link;
delete temp;
}
// sk_X509_REVOKED_sort(ci->revoked);
for (i=0; i<SK_X509_REVOKED_NUM(CI->revoked); i++)
{
r=sk_X509_REVOKED_value(ci->revoked,i);
r->sequence=i;
}
if (ci->version == NULL)
if ((ci->version=ASN1_INTEGER_new()) == NULL)
{
ret = 0;
goto err;
}
ASN1_INTEGER_set(ci->version,1);
// issuerAltName authorityKeyIdentifier
// Add_ExtCrl(crl,x509,NID_subject_alt_name,"DNS:hpxs,email:[email protected],RID:1.2.3.4,URI: https://hpxs ,IP:192.168.0.22");
Add_ExtCrl(crl,x509,NID_issuer_alt_name, "DNS:hpxs,email:[email protected],RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22");
Add_ExtCrl(crl,x509,NID_authority_key_identifier, "keyid,issuer:always");
if (!X509_CRL_sign(crl,pkey,dgst))
{
ret = 0;
goto err;
}
if(NewCrlMem) // 输出内存
{
memcrl= BIO_new(BIO_s_mem());
BIO_set_close(memcrl, BIO_CLOSE); /* BIO_free() free BUF_MEM */
PEM_write_bio_X509_CRL(memcrl,crl);
BIO_get_mem_ptr(memcrl, &bptrcrl);
*crll=bptrcrl->length;
outCrl=NewCrlMem(*crll);
memcpy(outCrl,bptrcrl->data,*crll);
}
if(outfile) // 输出文件
{
out=BIO_new_file(outfile, "w");
if( out==NULL)
{
sprintf(outMsg,"%s is error",outfile);
ret = 0;
goto err;
}
PEM_write_bio_X509_CRL( out,crl);
}
X509V3_EXT_cleanup(); // cleanup the extension code if any custom extensions have been added
err:
if( out)
BIO_free_all( out);
if(memcrl)
BIO_free_all(memcrl);
BIO_free( in);
EVP_PKEY_free(pkey);
X509_CRL_free(crl);
X509_free(x509);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
if(ret==1)
strcpy(outMsg,"CRL制作成功");
return ret;
}
BOOL CertFormatConver( char * buf /* 文件内容或文件名称 */, int len /* 内存长度为0则buf为文件名 */,
char * pwd /* p12文件密码 */, char * pem /* 输出文件 */,
int outformat, char * out /* 操作结果 */)
{
EVP_PKEY *key=NULL;
X509 *cert=NULL;
BIO *biout=NULL;
int i=0;
// 输出文件
if ((biout=BIO_new_file(pem, "w")) == NULL)
{
return false;
}
cert = LoadCert(buf,len, out); // 首先尝试公钥,bio被改写
if(cert) // 输入文件为公钥文件
{
if (outformat == DER)
i=i2d_X509_bio(biout,cert);
else if (outformat == PEM)
{
// if (trustout) i=PEM_write_bio_X509_AUX(biout,x);
i=PEM_write_bio_X509(biout,cert);
}
if(!i) // 失败
strcpy( out,"保存公钥失败");
else
strcpy( out,"公钥证书格式转换成功");
}
else // 输入文件为私钥文件
{
key=LoadKey(buf,len,pwd, out);
if(!key)
{
strcpy( out,"不能识别的文件格式");
return false;
}
if(outformat==PEM)
{
PEM_write_bio_PrivateKey(biout, key, NULL, NULL, 0, 0, NULL);
}
if(outformat==DER)
{
i2d_PrivateKey_bio(biout,key); // 得到解密后的私钥
}
strcpy( out,"私钥证书格式转换成功");
}
if (biout != NULL) BIO_free(biout);
X509_free(cert);
EVP_PKEY_free(key);
return true;
}
// 分解p12包
BOOL ParseDB( char * strP12 /* 包文件 */, char * strPwd /* 私钥密码 */, char * strCert /* 公钥存放 */,
char * strkey /* 私钥存放 */, int outformat /* 输出格式 */, char * out /* 返回结果 */)
{
EVP_PKEY *key=NULL;
X509 *cert=NULL;
STACK_OF(X509) *ca = NULL;
BIO * bio=NULL,*bioCert=NULL,*bioKey=NULL;
PKCS12 *p12=NULL;
int i=0,j=0;
if((bio=BIO_new_file(strP12, "r")) == NULL)
{
strcpy( out,"打开文件错误");
return false;
}
SSLeay_add_all_algorithms();
p12 = d2i_PKCS12_bio(bio, NULL);
if (!PKCS12_parse(p12, strPwd, &key, &cert /* PEM */, &ca))
{
strcpy( out,"解包失败");
return false;
}
PKCS12_free(p12);
// 输出文件
if ((bioCert=BIO_new_file(strCert, "w")) == NULL)
{
return false;
}
if ((bioKey=BIO_new_file(strkey, "w")) == NULL)
{
return false;
}
if(outformat == DER)
{
i=i2d_X509_bio(bioCert,cert);
j=i2d_PrivateKey_bio(bioKey,key);
}
else if (outformat == PEM)
{
i=PEM_write_bio_X509(bioCert,cert);
j=PEM_write_bio_PrivateKey(bioKey, key, NULL, NULL, 0, 0, NULL);
}
if (bio != NULL) BIO_free(bio);
if (bioCert != NULL) BIO_free(bioCert);
if (bioKey != NULL) BIO_free(bioKey);
X509_free(cert);
EVP_PKEY_free(key);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
if(i!=0&&j!=0)
{
strcpy( out,"分解P12成功");
return true;
}
return false;
}
// 组合p12包
BOOL CreateDB( char * strP12 /* OUT包文件 */, char * strPwd /* IN密码 */, char * strCert /* IN公钥 */,
char * strkey /* IN私钥 */, char * out /* 返回结果 */)
{
FILE *fp=NULL;
EVP_PKEY *key=NULL;
X509 *cert=NULL;
PKCS12 *p12;
cert =LoadCert(strCert,0, out);
if(!cert)
{
strcpy( out,"读取公钥文件失败");
return false;
}
key=LoadKey(strkey,0,NULL, out); // 解密后私钥
if(!key)
{
strcpy( out,"读取私钥文件失败");
return false;
}
SSLeay_add_all_algorithms();
p12 = PKCS12_create(strPwd,"(hpxs)", key, cert, NULL, 0,0,0,0,0);
if(!p12)
{
strcpy( out,"创建p12结构失败");
return false;
}
if (!(fp = fopen(strP12, "wb")))
{
strcpy( out,"保存p12文件失败");
}
i2d_PKCS12_fp(fp, p12);
PKCS12_free(p12);
fclose(fp);
strcpy( out,"合并P12成功");
X509_free(cert);
EVP_PKEY_free(key);
EVP_cleanup(); // frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER
return true;
}
// 修改p12包密码
BOOL ChangePB( char * strP12 /* in包文件 */, char * strPwd /* IN原密码 */, char * strPwd2 /* IN新密码 */,
char * strOutP12 /* in包文件 */, char * out /* 返回结果 */)
{
FILE *fp=NULL;
EVP_PKEY *key=NULL;
X509 *cert=NULL;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12=NULL;
int len=0,wlen=0;
SSLeay_add_all_algorithms();
if (!(fp = fopen(strP12, "rb")))
{
strcpy( out,"打开文件错误");
return false;
}
p12 = d2i_PKCS12_fp(fp, NULL);
fclose (fp);
if (!p12)
{
strcpy( out,"读取包文件错误");
return false;
}
if (!PKCS12_parse(p12, strPwd, &key, &cert, &ca))
{
strcpy( out,"解包失败");
return false;
}
PKCS12_free(p12);
fclose(fp);
p12=NULL;
///////////////////////////////////////
p12 = PKCS12_create(strPwd2,"(null)", key, cert, NULL, 0,0,0,0,0);
if(!p12)
{
strcpy( out,"创建p12结构失败");
return false;
}
if (!(fp = fopen(strOutP12, "wb")))
{
strcpy( out,"保存p12文件失败");
}
i2d_PKCS12_fp(fp, p12);
PKCS12_free(p12);
fclose(fp);
strcpy( out,"转换P12密码成功");
X509_free(cert);
EVP_PKEY_free(key);
return true;
}
BOOL CertPairCheck( char * cert, char * key, char * out) // 检验公钥、私钥是否配对
{
EVP_PKEY *pkey=NULL;
X509 *x509=NULL;
x509=LoadCert(cert,0, out);
if(x509==NULL)
{
strcpy( out,"不能打开公钥文件");
return FALSE;
}
pkey=LoadKey(key,0,NULL, out);
if(pkey==NULL)
{
strcpy( out,"不能打开私钥文件");
X509_free(x509);
return FALSE;
}
if(X509_check_private_key(x509,pkey)) // 匹配
{
X509_free(x509);
EVP_PKEY_free(pkey);
return TRUE;
}
else
{
strcpy( out,"公私钥对不匹配");
X509_free(x509);
EVP_PKEY_free(pkey);
return FALSE;
}
}
#include
#define DER 1 // FORMAT_ASN1
#define PEM 3 /*定义格式*/
#define NET 4
#define P12 5
typedef char * (* PNewCrlMem)(UINT len);
struct stuSUBJECT // 个体信息
{
UCHAR C[4]; // 国家
UCHAR ST[4]; // 省份
UCHAR L[12]; // 城市
UCHAR O[48]; // 组织
UCHAR OU[24]; // 组织部门
UCHAR CN[12]; // 个人信息
UCHAR MAIL[24]; // 电子邮件
UCHAR PMAIL[24]; // 安全电子邮件
UCHAR T[12]; // 头衔
UCHAR D[12]; // 描述
UCHAR G[12]; // 曾用名
UCHAR I[12]; // 描述
UCHAR NAME[12]; // 描述
UCHAR S[12]; // 描述
UCHAR QUAL[12]; // 描述
UCHAR STN[12]; // 没有结构的名称
UCHAR PW[12]; // 挑战密码
UCHAR ADD[12]; // 无结构地址
stuSUBJECT()
{
memset( this,0, sizeof(stuSUBJECT));
}
};
struct stuKEYUSAGE // 密钥用途
{
BOOL DS; // Digital Signature
BOOL NR; // Non-Repudiation
BOOL KE; // Key Encipherment
BOOL DE; // Data Encipherment
BOOL KA; // keyAgreement
BOOL KC; // keyCertSign
BOOL CS; // cRLSign
BOOL EO; // Encipher Only
BOOL DO; // Decipher Only
stuKEYUSAGE()
{
memset( this,0, sizeof(stuKEYUSAGE));
}
};
struct stuEKEYUSAGE // 增强型密钥用途
{
BOOL SA; // 服务器验证
BOOL CA; // 客户端验证
BOOL CS; // 代码签名
BOOL EP; // 安全电子邮件
BOOL TS; // 时间戳
BOOL msCC; // 代码完整
BOOL msCTLS; // 可签名信任列表
BOOL msSGC; // 联机事务处理
BOOL msEFS; // 加密磁盘上的数据
BOOL msSC; // 智能卡登录
BOOL IP; // Internet
stuEKEYUSAGE()
{
memset( this,0, sizeof(stuEKEYUSAGE));
}
};
struct stuCERT // 三者之和
{
stuSUBJECT SUBJECT;
stuKEYUSAGE KUSAGE;
stuEKEYUSAGE EKUSAGE;
stuCERT()
{
memset( this,0, sizeof(stuCERT));
}
};
struct stuREVOKE // 证书作废结构链表
{
int Index; // 证书序号
time_t time; // 吊销时间
stuREVOKE * Link;
stuREVOKE()
{
memset( this,0, sizeof(stuREVOKE));
}
stuREVOKE( int index,time_t t)
{
Index=index;
time=t;;
Link=NULL;
}
};
/* 添加链表节点 */
void AddRevoke(stuREVOKE *& Head, int index,time_t time);
/* 证书格式转换函数 */
BOOL CertFormatConver( char * buf /* 内存区域,存储文件内容或文件名称 */, int len /* 内存长度==0则buf为文件名 */,
char * pwd /* p12文件密码 */, char * pem /* 输出文件 */, int outformat, char * out /* 操作结果 */);
/* 根证书生成函数,根据rootInfo信息,生成根证书公、私钥文件 */
BOOL MakeRoot(stuSUBJECT * rootInfo, /* 请求信息IN */ int bits /* 位数IN */, int serial /* 序列号IN */,
int days /* 有效期IN */, char * certFile /* 证书请求文件OUT */, char * priFile /* 私钥文件OUT */,
char * out /* 操作结果OUT */, int type=PEM /* 类型pem-der */);
/* 证书请求生成函数,根据reqInfo信息,生成用户证书私钥文件、证书请求文件 */
BOOL MakeReq(stuSUBJECT * reqInfo, /* 请求信息IN */ int bits /* 位数IN */, char * reqFile /* 证书请求文件OUT */,
char * priFile /* 私钥文件OUT */, char * out /* 操作结果OUT */, int type=PEM /* 类型pem-der */);
/* 证书生成函数,通过证书请求,生成用户证书公钥文件 */
BOOL MakeCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */, char *reqfile /* 请求文件 */,stuKEYUSAGE * KUSAGE /* 密钥用法 */,
stuEKEYUSAGE * EKUSAGE /* 增强密钥用法 */, char *outfile /* 结果文件 */,
char * outMsg /* 操作结果 */, int type /* 结果类型DER,PEM */); // 通过证书请求,得到证书
// 直接生成公私钥
BOOL DirectCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */,stuCERT * sCERT /* 用户信息与密钥用法 */, int bits, char * cert /* 输出证书公钥 */, int * certl /* 长度 */,
char * key /* 输出证书私钥 */, int * keyl /* 长度 */, char * outMsg /* ,int type结果类型DER,PEM */); // 直接生成公私钥
/* 黑名单生成函数 */
BOOL MakeCrl( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen,
stuREVOKE * Head /* 作废链表 */,PNewCrlMem NewCrlMem /* 回调函数 */, char *& outCrl, int * crll, char * outfile /* crl文件 */,
char * outMsg /* 操作结果 */);
/* 分解p12包 */
BOOL ParseDB( char * strP12 /* 包文件 */, char * strPwd /* 解包密码 */, char * strCert /* 公钥存放 */,
char * strkey /* 私钥存放 */, int outformat /* 输出格式 */, char * out /* 返回结果 */);
/* 组合p12包 */
BOOL CreateDB( char * strP12 /* 包文件IN */, char * strPwd /* 密码IN */, char * strCert /* 公钥存放IN */,
char * strkey /* 私钥存放IN */, char * out /* 返回结果OUT */);
BOOL ChangePB( char * strP12 /* IN包文件 */, char * strPwd /* IN原密码 */, char * strPwd2 /* IN新密码 */,
char * strOutP12 /* OUT包文件 */, char * out /* 返回结果OUT */);
// 检验公钥、私钥是否配对
BOOL CertPairCheck( char * cert, char * key, char * out); // 检验公钥、私钥是否配对
#define DER 1 // FORMAT_ASN1
#define PEM 3 /*定义格式*/
#define NET 4
#define P12 5
typedef char * (* PNewCrlMem)(UINT len);
struct stuSUBJECT // 个体信息
{
UCHAR C[4]; // 国家
UCHAR ST[4]; // 省份
UCHAR L[12]; // 城市
UCHAR O[48]; // 组织
UCHAR OU[24]; // 组织部门
UCHAR CN[12]; // 个人信息
UCHAR MAIL[24]; // 电子邮件
UCHAR PMAIL[24]; // 安全电子邮件
UCHAR T[12]; // 头衔
UCHAR D[12]; // 描述
UCHAR G[12]; // 曾用名
UCHAR I[12]; // 描述
UCHAR NAME[12]; // 描述
UCHAR S[12]; // 描述
UCHAR QUAL[12]; // 描述
UCHAR STN[12]; // 没有结构的名称
UCHAR PW[12]; // 挑战密码
UCHAR ADD[12]; // 无结构地址
stuSUBJECT()
{
memset( this,0, sizeof(stuSUBJECT));
}
};
struct stuKEYUSAGE // 密钥用途
{
BOOL DS; // Digital Signature
BOOL NR; // Non-Repudiation
BOOL KE; // Key Encipherment
BOOL DE; // Data Encipherment
BOOL KA; // keyAgreement
BOOL KC; // keyCertSign
BOOL CS; // cRLSign
BOOL EO; // Encipher Only
BOOL DO; // Decipher Only
stuKEYUSAGE()
{
memset( this,0, sizeof(stuKEYUSAGE));
}
};
struct stuEKEYUSAGE // 增强型密钥用途
{
BOOL SA; // 服务器验证
BOOL CA; // 客户端验证
BOOL CS; // 代码签名
BOOL EP; // 安全电子邮件
BOOL TS; // 时间戳
BOOL msCC; // 代码完整
BOOL msCTLS; // 可签名信任列表
BOOL msSGC; // 联机事务处理
BOOL msEFS; // 加密磁盘上的数据
BOOL msSC; // 智能卡登录
BOOL IP; // Internet
stuEKEYUSAGE()
{
memset( this,0, sizeof(stuEKEYUSAGE));
}
};
struct stuCERT // 三者之和
{
stuSUBJECT SUBJECT;
stuKEYUSAGE KUSAGE;
stuEKEYUSAGE EKUSAGE;
stuCERT()
{
memset( this,0, sizeof(stuCERT));
}
};
struct stuREVOKE // 证书作废结构链表
{
int Index; // 证书序号
time_t time; // 吊销时间
stuREVOKE * Link;
stuREVOKE()
{
memset( this,0, sizeof(stuREVOKE));
}
stuREVOKE( int index,time_t t)
{
Index=index;
time=t;;
Link=NULL;
}
};
/* 添加链表节点 */
void AddRevoke(stuREVOKE *& Head, int index,time_t time);
/* 证书格式转换函数 */
BOOL CertFormatConver( char * buf /* 内存区域,存储文件内容或文件名称 */, int len /* 内存长度==0则buf为文件名 */,
char * pwd /* p12文件密码 */, char * pem /* 输出文件 */, int outformat, char * out /* 操作结果 */);
/* 根证书生成函数,根据rootInfo信息,生成根证书公、私钥文件 */
BOOL MakeRoot(stuSUBJECT * rootInfo, /* 请求信息IN */ int bits /* 位数IN */, int serial /* 序列号IN */,
int days /* 有效期IN */, char * certFile /* 证书请求文件OUT */, char * priFile /* 私钥文件OUT */,
char * out /* 操作结果OUT */, int type=PEM /* 类型pem-der */);
/* 证书请求生成函数,根据reqInfo信息,生成用户证书私钥文件、证书请求文件 */
BOOL MakeReq(stuSUBJECT * reqInfo, /* 请求信息IN */ int bits /* 位数IN */, char * reqFile /* 证书请求文件OUT */,
char * priFile /* 私钥文件OUT */, char * out /* 操作结果OUT */, int type=PEM /* 类型pem-der */);
/* 证书生成函数,通过证书请求,生成用户证书公钥文件 */
BOOL MakeCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */, char *reqfile /* 请求文件 */,stuKEYUSAGE * KUSAGE /* 密钥用法 */,
stuEKEYUSAGE * EKUSAGE /* 增强密钥用法 */, char *outfile /* 结果文件 */,
char * outMsg /* 操作结果 */, int type /* 结果类型DER,PEM */); // 通过证书请求,得到证书
// 直接生成公私钥
BOOL DirectCert( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen, int serial /* 序列号 */, char *enddate /* 作废日期 */,
int days /* 有效期 */,stuCERT * sCERT /* 用户信息与密钥用法 */, int bits, char * cert /* 输出证书公钥 */, int * certl /* 长度 */,
char * key /* 输出证书私钥 */, int * keyl /* 长度 */, char * outMsg /* ,int type结果类型DER,PEM */); // 直接生成公私钥
/* 黑名单生成函数 */
BOOL MakeCrl( char *certfile /* 根证书公钥 */, int certlen, /* 为0则certfile为磁盘文件,否则为内存区域 */
char *keyfile /* 根证书私钥 */, int keylen,
stuREVOKE * Head /* 作废链表 */,PNewCrlMem NewCrlMem /* 回调函数 */, char *& outCrl, int * crll, char * outfile /* crl文件 */,
char * outMsg /* 操作结果 */);
/* 分解p12包 */
BOOL ParseDB( char * strP12 /* 包文件 */, char * strPwd /* 解包密码 */, char * strCert /* 公钥存放 */,
char * strkey /* 私钥存放 */, int outformat /* 输出格式 */, char * out /* 返回结果 */);
/* 组合p12包 */
BOOL CreateDB( char * strP12 /* 包文件IN */, char * strPwd /* 密码IN */, char * strCert /* 公钥存放IN */,
char * strkey /* 私钥存放IN */, char * out /* 返回结果OUT */);
BOOL ChangePB( char * strP12 /* IN包文件 */, char * strPwd /* IN原密码 */, char * strPwd2 /* IN新密码 */,
char * strOutP12 /* OUT包文件 */, char * out /* 返回结果OUT */);
// 检验公钥、私钥是否配对
BOOL CertPairCheck( char * cert, char * key, char * out); // 检验公钥、私钥是否配对