openssl主要流程程序代码
// CA.cpp : Defines the entry point for the DLL application. // #define sprintf_s sprintf #include "stdafx.h" #include <LOCALE.H> #include "ca.h" #include <OPENSSL pem.h> #include <OPENSSL x509.h> #include <OPENSSL x509v3.h> #include <OPENSSL pkcs12.h> #include <OPENSSL rand.h> #include<STDLIB.H> #include<STDIO.H> #include <OPENSSL engine.h> #define EXT_COPY_NONE 0 #define EXT_COPY_ADD 1 #define EXT_COPY_ALL 2 BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { return TRUE; } /*此函数可以将DER、PEM、P12文件公钥读出来*/ X509 *load_cert(BIO *cert/*输入BIO*/, int format/*格式*/,char * pwd,/*P12密码*/ char * outMsg) //从DER、PEM、P12格式中读取公钥证书 { X509 * x=NULL; if (format == DER) x=d2i_X509_bio(cert,NULL); else if (format == PEM) x=PEM_read_bio_X509(cert,NULL,NULL,NULL);//PEM_read_bio_X509_AUX else if (format == P12) { PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL); PKCS12_parse(p12, pwd, NULL, &x, NULL); PKCS12_free(p12); p12 = NULL; } else { sprintf_s(outMsg,"bad input format specified for input cert\n"); goto end; } end: if (x == NULL) { sprintf(outMsg,"unable to load certificate\n"); } return(x); } X509 * LoadCert(char * cert,int certlen,char * outMsg)//枚举DER/PEM格式 { BIO * in=NULL; X509 * x509=NULL; if(certlen==0)//输入为磁盘文件 { if((in=BIO_new_file(cert, "r")) == NULL) { sprintf(outMsg,"open CA certificate file error"); return NULL; } } else//输入为内存中文件 { if((in=BIO_new_mem_buf(cert,certlen))== NULL)//只读类型 { sprintf(outMsg,"Make Mem Bio Error"); return NULL; } } if((x509=load_cert(in,DER,NULL,outMsg))==NULL)//尝试DER { BIO_reset(in);//恢复bio x509=load_cert(in,PEM,NULL,outMsg);//尝试PEM } if (in != NULL) BIO_free(in); return x509; } EVP_PKEY *load_key(BIO *bio, int format, char *pass,char * outMsg)//枚举DER/PEM格式 { EVP_PKEY *pkey=NULL; if (format == DER) { pkey=d2i_PrivateKey_bio(bio, NULL); } else if (format == PEM) { pkey=PEM_read_bio_PrivateKey(bio,NULL,NULL,pass); } else if (format == P12) { PKCS12 *p12 = d2i_PKCS12_bio(bio, NULL); PKCS12_parse(p12, pass, &pkey, NULL, NULL); PKCS12_free(p12); p12 = NULL; } else { sprintf(outMsg,"bad input format specified for key\n"); goto end; } end: if (pkey == NULL) sprintf(outMsg,"unable to load Private Key\n"); return(pkey); } EVP_PKEY * LoadKey(char * key,int keylen,char * pass,char * outMsg) { EVP_PKEY *pkey=NULL; BIO * in=NULL; if(keylen==0)//输入为磁盘文件 { if((in=BIO_new_file(key, "r")) == NULL) { sprintf(outMsg,"open CA certificate file error"); return NULL; } } else//输入为内存中文件 { if((in=BIO_new_mem_buf(key,keylen))== NULL)//只读类型 { sprintf(outMsg,"Make Mem Bio Error"); return NULL; } } if((pkey=load_key(in,DER,pass,outMsg))==NULL)//尝试DER { BIO_reset(in);//BIO是可读写的,那么该BIO所有数据都会被清空; //如果该BIO是只读的,那么该操作只会简单将指 //针指向原始位置,里面的数据可以再读. pkey=load_key(in,PEM,pass,outMsg);//尝试PEM } if (in != NULL) BIO_free(in); return pkey; } int Rand(const char *file,int dont_warn,char * outMsg)//产生随机数,return 0 ---成功 { int consider_randfile = (file == NULL); char buffer[200]; RAND_screen(); if (file == NULL) file = RAND_file_name(buffer, sizeof buffer); else if (RAND_egd(file) > 0) { /* we try if the given filename is an EGD socket. if it is, we don't write anything back to the file. */ return 1; } if (file == NULL || !RAND_load_file(file, -1)) { if (RAND_status() == 0 && !dont_warn) { sprintf(outMsg,"unable to load 'random state'\n"); sprintf(outMsg,"This means that the random number generator has not been seeded\n"); if (consider_randfile) /* explanation does not apply when a file is explicitly named */ { sprintf(outMsg,"Consider setting the RANDFILE environment variable to point at a file that\n"); sprintf(outMsg,"'random' data can be kept in (the file will be overwritten).\n"); } } return 0; } return 1; } ///////////////////////// end //////////////////////////////////////// ////////////////////////////////////////////////////////////////////// ///////////////////////// begin ////////////////////////////////////// /* Add extension using V3 code: we can set the config file as NULL * because we wont reference any other sections. */ int Add_ExtCert(X509 *cert/*正被添加的证书*/,X509 * root/*根证书(从中得到信息)*/, int nid, char *value) { X509_EXTENSION *ex; X509V3_CTX ctx; /* This sets the 'context' of the extensions. */ /* No configuration database */ // X509V3_set_ctx_nodb(&ctx); /* Issuer and subject certs: both the target since it is self signed, * no request and no CRL */ X509V3_set_ctx(&ctx,root, cert, NULL, NULL, 0); ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value); if (!ex) return 0; X509_add_ext(cert,ex,-1); X509_EXTENSION_free(ex); return 1; } bool Add_Name(X509_NAME * x509name,int type/*c\cn*/,char * iput/*中国*/, int ilen/*输入长度*/,char * outMsg)//支持中文名称 { wchar_t * ws,wc; ASN1_STRING stmp, *str = &stmp; UCHAR cbuf[256]={0}; int wslen, wcnt,i; char input[256]={0}; strncpy(input, iput, ilen); wslen = strlen(input) + 1; if(wslen==1) return true; ws =new unsigned short[sizeof(wchar_t) * wslen]; if ((wcnt = mbstowcs(ws, input, wslen)) == -1) { sprintf(outMsg,"mbstowcs convert error"); delete ws; return false; } for(i=0;i<(int)wcslen(ws);i++) { wc=ws[i]; cbuf[2*i]=wc/256; cbuf[2*i+1]=wc%256; } ASN1_mbstring_copy(&str, cbuf, 2*wslen, MBSTRING_BMP, B_ASN1_UTF8STRING); X509_NAME_add_entry_by_NID(x509name,type,V_ASN1_UTF8STRING,stmp.data,stmp.length, -1, 0); delete ws; return true; } bool mkRoot(stuSUBJECT * rootInfo,X509 **x509p/*out公钥*/, EVP_PKEY **pkeyp/*out私钥*/, int bits/*位数*/, int serial/*序列号*/, int days/*有效期*/,char * out/*操作结果*/) { X509 *x; EVP_PKEY *pk; RSA *rsa; X509_NAME *name=NULL; int i=0,len=0; if ((pkeyp == NULL) || (*pkeyp == NULL)) { if ((pk=EVP_PKEY_new()) == NULL) { abort(); return false; } } else pk= *pkeyp; if ((x509p == NULL) || (*x509p == NULL)) { if ((x=X509_new()) == NULL) goto err; } else x= *x509p; Rand(NULL,1,out);//产生随机数种子 rsa=RSA_generate_key(bits,RSA_F4,0/*回调函数callback*/,NULL);//产生密钥对,//RSA存储了公钥私钥 if (!EVP_PKEY_assign_RSA(pk,rsa))//完成RSA密钥的pkey结构初始工作,当pk不为NULL的时候,返回1,否则返回0 { abort(); goto err; } rsa=NULL; X509_set_version(x,2);//版本号,显示+1 ASN1_INTEGER_set(X509_get_serialNumber(x),serial);//序列号 X509_gmtime_adj(X509_get_notBefore(x),0);//起始时间 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);//结束时间 X509_set_pubkey(x,pk);//公钥 name=X509_get_subject_name(x); /* This function creates and adds the entry, working out the * correct string type and performing checks on its length. * Normally we'd check the return value for errors */ //C-国家,ST-省,L-城市,O-组织,OU-部门,CN-个体,T-title,D-description,G-givenName,I-initials, //Email-emailAddress,S-surname,SN-serialNumber,dnQualifier-dnQualifier,unstructuredName,challengePassword,unstructuredAddress, setlocale(LC_CTYPE, ""); Add_Name(name,NID_countryName,(char *)rootInfo->C,sizeof(rootInfo->C),out); Add_Name(name,NID_stateOrProvinceName,(char *)rootInfo->ST,sizeof(rootInfo->ST),out); Add_Name(name,NID_localityName,(char *)rootInfo->L,sizeof(rootInfo->L),out); Add_Name(name,NID_organizationName,(char *)rootInfo->O,sizeof(rootInfo->O),out); Add_Name(name,NID_organizationalUnitName,(char *)rootInfo->OU,sizeof(rootInfo->OU),out); Add_Name(name,NID_commonName,(char *)rootInfo->CN,sizeof(rootInfo->CN),out); Add_Name(name,NID_pkcs9_emailAddress,(char *)rootInfo->MAIL,sizeof(rootInfo->MAIL),out); Add_Name(name,NID_email_protect,(char *)rootInfo->PMAIL,sizeof(rootInfo->PMAIL),out); Add_Name(name,NID_title,(char *)rootInfo->T,sizeof(rootInfo->T),out); Add_Name(name,NID_description,(char *)rootInfo->D,sizeof(rootInfo->D),out); Add_Name(name,NID_givenName,(char *)rootInfo->G,sizeof(rootInfo->G),out); Add_Name(name,NID_initials,(char *)rootInfo->I,sizeof(rootInfo->I),out); Add_Name(name,NID_name,(char *)rootInfo->NAME,sizeof(rootInfo->NAME),out); Add_Name(name,NID_surname,(char *)rootInfo->S,sizeof(rootInfo->S),out); Add_Name(name,NID_dnQualifier,(char *)rootInfo->QUAL,sizeof(rootInfo->QUAL),out); Add_Name(name,NID_pkcs9_unstructuredName,(char *)rootInfo->STN,sizeof(rootInfo->STN),out); Add_Name(name,NID_pkcs9_challengePassword,(char *)rootInfo->PW,sizeof(rootInfo->PW),out); Add_Name(name,NID_pkcs9_unstructuredAddress,(char *)rootInfo->ADD,sizeof(rootInfo->ADD),out); /* Its self signed so set the issuer name to be the same as the * subject. */ X509_set_issuer_name(x,name);//设置发行者名称等同于上面的 //加入扩展信息 /* Add various extensions: standard extensions */ Add_ExtCert(x,x,NID_basic_constraints, "critical,CA:TRUE"); //主题密钥标示符---当发行者有多个签名密钥时 Add_ExtCert(x,x,NID_subject_key_identifier, "hash"); //颁发机构密钥标示符 Add_ExtCert(x,x,NID_authority_key_identifier, "keyid:always"); //密钥用法 Add_ExtCert(x,x,NID_key_usage, "nonRepudiation,digitalSignature,keyEncipherment"); Add_ExtCert(x,x,NID_domainComponent, "no"); Add_ExtCert(x,x,NID_Domain, "no"); /* Some Netscape specific extensions */ // Add_ExtCert(x, NID_netscape_cert_type, "sslCA"); // Add_ExtCert(x, NID_netscape_comment, "example comment extension");//netscape_comment /* Maybe even add our own extension based on existing */ //加入自定义信息begin // int nid; // nid = OBJ_create("1.2.3.4.9", "Hpxs", "I love you!"); // X509V3_EXT_add_alias(nid, NID_netscape_comment); // Add_ExtCert(x, nid, "I love you"); //加入自定义信息end X509V3_EXT_cleanup();//cleanup the extension code if any custom extensions have been added if (!X509_sign(x,pk,EVP_sha1()))//签名算法EVP_sha1,EVP_md5,用私钥签名公钥 { strcpy(out,"证书签名失败"); goto err; } *x509p=x; *pkeyp=pk; return true; err: return false; } BOOL MakeRoot(stuSUBJECT * rootInfo,/*信息*/int bits/*位数*/, int serial/*序列号*/, int days/*有效期*/,char * certFile/*证书文件*/,char * priFile/*私钥文件*/, char * outMsg/*操作结果*/,int type/*类型pem-der*/) { X509 *x509=NULL; EVP_PKEY *pkey=NULL; BIO * bcert=NULL,* bkey=NULL; bool ret=true; int i=0,j=0; if(((bcert=BIO_new_file(certFile, "w"))== NULL)||((bkey=BIO_new_file(priFile, "w")) == NULL)) { strcpy(outMsg,"Create File Error"); return false; } if(mkRoot(rootInfo,&x509,&pkey,bits,serial,days,outMsg)) { if (type==DER) { i=i2d_X509_bio(bcert,x509);//returns 1 for success j=i2d_PrivateKey_bio(bkey,pkey); } else if(type==PEM) { i=PEM_write_bio_X509(bcert,x509); j=PEM_write_bio_PrivateKey(bkey,pkey,NULL,NULL,0,NULL, NULL); } if(!i||!j) { ret=false; strcpy(outMsg,"Save Cert or Key File Error"); } } else ret=false; BIO_free(bcert); BIO_free(bkey); X509_free(x509); EVP_PKEY_free(pkey); return ret; } ///////////////////////// end //////////////////////////////////////// ////////////////////////////////////////////////////////////////////// ///////////////////////// begin ////////////////////////////////////// /* Add extension using V3 code: we can set the config file as NULL * because we wont reference any other sections. */ int Add_ExtReq(STACK_OF(X509_REQUEST) *sk, int nid, char *value) { X509_EXTENSION *ex; ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value); if (!ex) return 0; sk_X509_EXTENSION_push(sk, ex); return 1; } int mkReq(stuSUBJECT * reqInfo,X509_REQ **req, EVP_PKEY **pkeyp, int bits,char * out) { X509_REQ *x; EVP_PKEY *pk; RSA *rsa; X509_NAME *name=NULL; ASN1_STRING stmp, *str = &stmp; STACK_OF(X509_EXTENSION) *exts = NULL; if ((pk=EVP_PKEY_new()) == NULL) goto err; if ((x=X509_REQ_new()) == NULL) goto err; Rand(NULL,1,out);//产生随机数种子 rsa=RSA_generate_key(bits,RSA_F4,0/*回调函数callback*/,NULL);//产生密钥对 //PEM_write_bio_RSAPrivateKey if (!EVP_PKEY_assign_RSA(pk,rsa)) goto err; rsa=NULL; X509_REQ_set_pubkey(x,pk); name=X509_REQ_get_subject_name(x); /* This function creates and adds the entry, working out the * correct string type and performing checks on its length. * Normally we'd check the return value for errors */ setlocale(LC_CTYPE, ""); Add_Name(name,NID_countryName,(char *)reqInfo->C,sizeof(reqInfo->C),out); Add_Name(name,NID_stateOrProvinceName,(char *)reqInfo->ST,sizeof(reqInfo->ST),out); Add_Name(name,NID_localityName,(char *)reqInfo->L,sizeof(reqInfo->L),out); Add_Name(name,NID_organizationName,(char *)reqInfo->O,sizeof(reqInfo->O),out); Add_Name(name,NID_organizationalUnitName,(char *)reqInfo->OU,sizeof(reqInfo->OU),out); Add_Name(name,NID_commonName,(char *)reqInfo->CN,sizeof(reqInfo->CN),out); Add_Name(name,NID_pkcs9_emailAddress,(char *)reqInfo->MAIL,sizeof(reqInfo->MAIL),out); Add_Name(name,NID_email_protect,(char *)reqInfo->PMAIL,sizeof(reqInfo->PMAIL),out); Add_Name(name,NID_title,(char *)reqInfo->T,sizeof(reqInfo->T),out); Add_Name(name,NID_description,(char *)reqInfo->D,sizeof(reqInfo->D),out); Add_Name(name,NID_givenName,(char *)reqInfo->G,sizeof(reqInfo->G),out); Add_Name(name,NID_initials,(char *)reqInfo->I,sizeof(reqInfo->I),out); Add_Name(name,NID_name,(char *)reqInfo->NAME,sizeof(reqInfo->NAME),out); Add_Name(name,NID_surname,(char *)reqInfo->S,sizeof(reqInfo->S),out); Add_Name(name,NID_dnQualifier,(char *)reqInfo->QUAL,sizeof(reqInfo->QUAL),out); Add_Name(name,NID_pkcs9_unstructuredName,(char *)reqInfo->STN,sizeof(reqInfo->STN),out); Add_Name(name,NID_pkcs9_challengePassword,(char *)reqInfo->PW,sizeof(reqInfo->PW),out); Add_Name(name,NID_pkcs9_unstructuredAddress,(char *)reqInfo->ADD,sizeof(reqInfo->ADD),out); /* Certificate requests can contain extensions, which can be used * to indicate the extensions the requestor would like added to * their certificate. CAs might ignore them however or even choke * if they are present. */ /* For request extensions they are all packed in a single attribute. * We save them in a STACK and add them all at once later */ exts = sk_X509_EXTENSION_new_null(); /* Standard extenions */ //主题备用名称,URL:http://my.url.here/、支持email copy Add_ExtReq(exts, NID_subject_alt_name, "DNS:localhost,email:hpxs@hotmail.com,RID:1.2.3.4,URI:192.168.2.22,IP:C0A80216"); //加入自定义扩展 int nid; nid = OBJ_create("1.3.6.1.4.1.5315.100.2.5", "UserID", "User ID Number"); X509V3_EXT_add_alias(nid, NID_netscape_comment); Add_ExtReq(exts, nid, "ID130203197703060618"); /* Now we've created the extensions we add them to the request */ X509_REQ_add_extensions(x, exts); sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); X509V3_EXT_cleanup();//cleanup the extension code if any custom extensions have been added if (!X509_REQ_sign(x,pk,EVP_sha1()))//用自己的公钥签名私钥 goto err; *req=x; *pkeyp=pk; return(1); err: return(0); } BOOL MakeReq(stuSUBJECT * reqInfo,/*请求信息*/int bits/*位数*/,char * reqFile/*证书请求文件*/, char * priFile/*私钥文件*/,char * outMsg/*操作结果*/,int type) { X509_REQ *req=NULL; EVP_PKEY *pkey=NULL; BIO * breq=NULL,* bkey=NULL; int i=0,j=0; if(((breq=BIO_new_file(reqFile, "w"))== NULL)||((bkey=BIO_new_file(priFile, "w")) == NULL)) { strcpy(outMsg,"Create File Error"); return false; } if(!mkReq(reqInfo,&req,&pkey,bits,outMsg)) { strcpy(outMsg,"Make CertReq Error"); return false; } if(type==PEM) { i=PEM_write_bio_X509_REQ(breq,req); j=PEM_write_bio_PrivateKey(bkey,pkey,NULL,NULL,0,NULL, NULL); } else if(type==DER) { i=i2d_X509_REQ_bio(breq,req); j=i2d_PrivateKey_bio(bkey,pkey); } BIO_free(breq); BIO_free(bkey); X509_REQ_free(req); EVP_PKEY_free(pkey); if(!i||!j) { strcpy(outMsg,"Save Cert or Key File Error"); return false; } return true; } ////////////////////////// end ////////////////////////////////////// //////////////////////////////////////////////////////////////////// /////////////////////////// begin //////////////////////////////////////// int copy_extensions(X509 *x, X509_REQ *req, int copy_type)//在证书中加入req自带扩展信息 { STACK_OF(X509_EXTENSION) *exts = NULL; X509_EXTENSION *ext, *tmpext; ASN1_OBJECT *obj; int i, idx, ret = 0; if (!x || !req || (copy_type == EXT_COPY_NONE)) return 1; exts = X509_REQ_get_extensions(req); for(i = 0; i < sk_X509_EXTENSION_num(exts); i++) { ext = sk_X509_EXTENSION_value(exts, i); obj = X509_EXTENSION_get_object(ext); idx = X509_get_ext_by_OBJ(x, obj, -1); /* Does extension exist? */ if (idx != -1) { /* If normal copy don't override existing extension */ if (copy_type == EXT_COPY_ADD) continue; /* Delete all extensions of same type */ do { tmpext = X509_get_ext(x, idx); X509_delete_ext(x, idx); X509_EXTENSION_free(tmpext); idx = X509_get_ext_by_OBJ(x, obj, -1); } while (idx != -1); } if (!X509_add_ext(x, ext, -1)) goto end; } ret = 1; end: sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); return ret; } int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,int serial, char *startdate, char *enddate, int days,X509_REQ * req,stuKEYUSAGE * KUSAGE, stuEKEYUSAGE * EKUSAGE,char * outMsg) { X509_NAME *name=NULL,*CAname=NULL; X509 *ret=NULL; X509_CINF *ci; EVP_PKEY *pktmp; int ok= -1,i=0; // STACK_OF (X509_EXTENSION) * req_exts;//如何释放?? char kusage[160]={0}; char ekusage[360]={0}; name=X509_REQ_get_subject_name(req); if ((ret=X509_new()) == NULL) { ok=0; goto err; } ci=ret->cert_info; /* Make it an X509 v3 certificate. 版本1扩展*/ if (!X509_set_version(ret,2L)) //版本 { ok=0; goto err; } ASN1_INTEGER_set(X509_get_serialNumber(ret),serial);//序列号 if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))//发行者 { ok=0; goto err; } if (strcmp(startdate,"today") == 0) X509_gmtime_adj(X509_get_notBefore(ret),0);//开始日期 else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate); if (enddate == NULL) X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);//结束日期 else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); if (!X509_set_subject_name(ret,name)) //主体 ---所有者 { ok=0; goto err; } pktmp=X509_REQ_get_pubkey(req); i = X509_set_pubkey(ret,pktmp);//公钥 EVP_PKEY_free(pktmp); if (!i) { ok=0; goto err; } //加入req自带扩展信息,生成REQ文件时候加入的 if (!copy_extensions(ret, req, EXT_COPY_ALL)) { strcpy("加入自带扩展信息失败",outMsg); goto err; } /* Lets add the extensions, if there are any 加入标准扩展*/ //基本限制Note if the CA option is false the pathlen option should be omitted. Add_ExtCert(ret,ret,NID_basic_constraints, "critical,CA:FALSE,pathlen:1"); //主题密钥标示符--------区分拥有者多对密钥 Add_ExtCert(ret,ret,NID_subject_key_identifier, "hash"); //Authority密钥标示符----区分发行者有多个签名密钥时 Add_ExtCert(ret,x509, NID_authority_key_identifier, "keyid,issuer:always"); //密钥用法 ----数字签名、不可否认性、密钥加密、数据加密、密钥协商、证书签名、 //CRL签名、仅仅加密、仅仅解密 if(KUSAGE->DS) strcpy(kusage,"digitalSignature"); if(KUSAGE->NR) if(strlen(kusage))//添加 strcat(kusage, ",nonRepudiation"); else strcpy(kusage,"nonRepudiation"); if(KUSAGE->KE) if(strlen(kusage))//添加 strcat(kusage, ",keyEncipherment"); else strcpy(kusage,"keyEncipherment"); if(KUSAGE->DE) if(strlen(kusage))//添加 strcat(kusage, ",dataEncipherment"); else strcpy(kusage,"dataEncipherment"); if(KUSAGE->KA) if(strlen(kusage))//添加 strcat(kusage, ",keyAgreement"); else strcpy(kusage,"keyAgreement"); if(KUSAGE->KC) if(strlen(kusage))//添加 strcat(kusage, ",keyCertSign"); else strcpy(kusage,"keyCertSign"); if(KUSAGE->CS) if(strlen(kusage))//添加 strcat(kusage, ",cRLSign"); else strcpy(kusage,"cRLSign"); if(KUSAGE->EO) if(strlen(kusage))//添加 strcat(kusage, ",encipherOnly"); else strcpy(kusage,"encipherOnly"); if(KUSAGE->DO) if(strlen(kusage))//添加 strcat(kusage, ",decipherOnly"); else strcpy(kusage,"decipherOnly"); if(strlen(kusage)) Add_ExtCert(ret,ret, NID_key_usage, kusage); //增强型密钥用法--一般只用于末端证书RFC3280 //增强用法 证书目的 //-------------------------------------------------------------------------------------------------------------- //服务器验证 保证远程计算机的身份 //客户端验证 向远程计算机证明您的身份 //代码签名 确保软件来自软件发行商 //安全电子邮件 保护软件在发行后不被改动 //时间戳 保护电子邮件消息 //-------------------------------------------------------------------------------------------------------------- // 保证软件来自一个软件发行商 // 保护软件在发行后不被改动。 // 保证软件来自商业软件发行商 // 允许您用数字签名证书信任列表 // 允许联机事务处理/通讯的严格加密 // 允许加密磁盘上的数据 // 智能卡登录 //IP安全终端系统 允许 Internet 上的安全通讯 //IP安全隧道终止 //IP 安全用户 //-------------------------------------------------------------------------------------------------------------- if(EKUSAGE->SA) strcpy(ekusage,"serverAuth"); if(EKUSAGE->CA) if(strlen(ekusage))//添加 strcat(ekusage,",clientAuth"); else strcpy(ekusage,"clientAuth"); if(EKUSAGE->CS) if(strlen(ekusage))//添加 strcat(ekusage,",codeSigning"); else strcpy(ekusage,"codeSigning"); if(EKUSAGE->EP) if(strlen(ekusage))//添加 strcat(ekusage,",emailProtection"); else strcpy(ekusage,"emailProtection"); if(EKUSAGE->TS) if(strlen(ekusage))//添加 strcat(ekusage,",timeStamping"); else strcpy(ekusage,"timeStamping"); if(EKUSAGE->msCC) if(strlen(ekusage))//添加 strcat(ekusage,",msCodeCom"); else strcpy(ekusage,"msCodeCom"); if(EKUSAGE->msCTLS) if(strlen(ekusage))//添加 strcat(ekusage,",msCTLSign"); else strcpy(ekusage,"msCTLSign"); if(EKUSAGE->msSGC) if(strlen(ekusage))//添加 strcat(ekusage,",msSGC"); else strcpy(ekusage,"msSGC"); if(EKUSAGE->msEFS) if(strlen(ekusage))//添加 strcat(ekusage,",msEFS"); else strcpy(ekusage,"msEFS"); if(EKUSAGE->msSC) if(strlen(ekusage))//添加 strcat(ekusage,",msSmartcardLogin"); else strcpy(ekusage,"msSmartcardLogin"); if(EKUSAGE->IP) if(strlen(ekusage))//添加 strcat(ekusage,",ipsecEndSystem,ipsecTunnel,ipsecUser"); else strcpy(ekusage,"ipsecEndSystem,ipsecTunnel,ipsecUser"); if(strlen(ekusage)) Add_ExtCert(ret,ret,NID_ext_key_usage,ekusage); /* Application keyUsage Values SSL Client digitalSignature SSL Server keyEncipherment S/MIME Signing digitalSignature S/MIME Encryption keyEncipherment Certificate Signing keyCertSign Object Signing digitalSignature */ //颁发者备用名称,URL:http://my.url.here/、不支持email copy Add_ExtCert(ret,ret, NID_issuer_alt_name, "DNS:hpxs,email:hpxs@hotmail.com,RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22"); //证书策略 Add_ExtCert(ret,ret,NID_certificate_policies,"OK"); //颁发机构信息访问 Add_ExtCert(ret,ret,NID_info_access,"OCSP;URI:https://hpxs");//或者caIssuers;URI:http://my.ca/ca.html //CRL分发点 Add_ExtCert(ret,x509, NID_crl_distribution_points, "URI:https://hpxs/hpxs.crl"); /* Some Netscape specific extensions */ // Add_ExtCert(ret,ret, NID_crl_number, "sslCA"); // Add_ExtCert(ret,x509, NID_netscape_comment, "See http://cert.umd.edu/root for details."); /* In each case the 'value' of the extension is placed directly in the extension. Currently supported extensions in this category are: nsBaseUrl, nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl, nsSslServerName and nsComment */ // Add_ExtCert(ret,x509, NID_netscape_cert_type, "client, server, email,objsign, reserved, sslCA,emailCA, objCA"); /*nsCertType (netscape certificate type) takes the flags: client, server, email, objsign, reserved, sslCA, emailCA, objCA.*/ /* Maybe even add our own extension based on existing */ //加入自定义信息begin int nid; nid = OBJ_create("1.2.3.4.9", "Hpxs", "I love OpenSSL!"); X509V3_EXT_add_alias(nid, NID_netscape_comment); Add_ExtCert(ret,ret, nid, "I love OpenSSL"); //加入自定义信息end X509V3_EXT_cleanup();//cleanup the extension code if any custom extensions have been added if (!X509_sign(ret,pkey,dgst))//加入签名,签名算法 { ok=0; goto err; } ok=1; err: if (CAname != NULL) X509_NAME_free(CAname); if (ok <= 0) { if (ret != NULL) X509_free(ret); ret=NULL; } else *xret=ret; return(ok); } int certify(X509 **xret, X509_REQ *req, EVP_PKEY *pkey, X509 *x509,const EVP_MD *dgst, int serial, char *startdate, char *enddate, int days,stuKEYUSAGE * KUSAGE, stuEKEYUSAGE * EKUSAGE,char * outMsg) {//返回公钥证书,请求文件,根私钥,根公钥, EVP_PKEY *pktmp=NULL; int ok= -1,i=0; if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)//得到公钥 { sprintf(outMsg,"error unpacking public key\n"); ok=0; goto err; } i=X509_REQ_verify(req,pktmp);//证书请求里面有私要签名,这里验证一下,看此公钥主人是否持有私钥 EVP_PKEY_free(pktmp); if (i < 0) { ok=0; sprintf(outMsg,"Signature verification problems.\n"); goto err; } if (i == 0) { ok=0; sprintf(outMsg,"Signature did not match the certificate request\n"); goto err; } ok=do_body(xret,pkey,x509,dgst,serial,startdate, enddate, days,req,KUSAGE,EKUSAGE,outMsg); err: return(ok); } BOOL MakeCert(char *certfile/*根证书公钥*/,int certlen,/*为0则certfile为磁盘文件,否则为内存区域*/ char *keyfile/*根证书私钥*/,int keylen,int serial/*序列号*/,char *enddate/*作废日期*/, int days/*有效期*/, char *reqfile/*请求文件*/,stuKEYUSAGE * KUSAGE/*密钥用法*/, stuEKEYUSAGE * EKUSAGE/*增强密钥用法*/,char *outfile/*结果文件*/, char * outMsg/*操作结果*/,int type/*结果类型DER,PEM*/)//通过证书请求,得到证书 { int ret=1; char * md=NULL; EVP_PKEY *pkey=NULL; X509 * x509=NULL; X509_REQ *req=NULL; X509 * x=NULL; BIO * bcert=NULL,* reqbio=NULL; int j; const EVP_MD *dgst=NULL; OpenSSL_add_all_digests();//加入签名算法 if((reqbio=BIO_new_file(reqfile, "r")) == NULL) { ret=0; goto err; } if ((req=PEM_read_bio_X509_REQ(reqbio,NULL,NULL,NULL)) == NULL)//PEM_read_X509_REQ { BIO_reset(reqbio); if ((req=d2i_X509_REQ_bio(reqbio,NULL)) == NULL) { sprintf(outMsg,"Error get certificate request"); ret=0; goto err; } } pkey=LoadKey(keyfile,keylen,NULL,outMsg); if (pkey == NULL) { ret = 0; goto err; } x509=LoadCert(certfile,certlen,outMsg); if (x509 == NULL) { ret = 0; goto err; } if (!X509_check_private_key(x509,pkey)) { sprintf(outMsg,"CA certificate and CA private key do not match\n"); ret = 0; goto err; } md="sha1";//////////!!!!!!!!!!!!!!!!!//////////////////////////// if ((dgst=EVP_get_digestbyname(md)) == NULL)//return an EVP_MD structure when passed a digest name { sprintf(outMsg,"%s is an unsupported message digest type\n",md); ret = 0; goto err; } j=certify(&x,req,pkey,x509,dgst,//公钥证书out,请求文件,根私钥,根公钥, serial,"today",enddate,days,KUSAGE,EKUSAGE,outMsg); if (j <= 0) { ret=0; goto err; } if(((bcert=BIO_new_file(outfile, "w"))== NULL)) { strcpy(outMsg,"Create File Error"); goto err; } if (type==DER) { i2d_X509_bio(bcert,x); } else if(type==PEM) { PEM_write_bio_X509(bcert,x); } err: if (reqbio != NULL) BIO_free(reqbio); BIO_free_all(bcert); EVP_PKEY_free(pkey); X509_free(x509); X509_free(x); if (req != NULL) X509_REQ_free(req); EVP_cleanup();//frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER return ret; } ///////////////////////// end //////////////////////////////////////// BOOL DirectCert(char *certfile/*根证书公钥*/,int certlen,/*为0则certfile为磁盘文件,否则为内存区域*/ char *keyfile/*根证书私钥*/,int keylen,int serial/*序列号*/,char *enddate/*作废日期*/, int days/*有效期*/,stuCERT * sCERT/*用户信息与密钥用法*/,int bits,char * cert/*输出证书公钥*/,int * certl/*长度*/, char * key/*输出证书私钥*/,int * keyl/*长度*/,char * outMsg/*,int type结果类型DER,PEM*/)//直接生成公私钥 { X509_REQ * req=NULL; EVP_PKEY * pkey=NULL, * prkey=NULL;//证书私钥,//根私钥 X509 * x509=NULL,* x=NULL;//根公钥,证书公钥 BIO * memcert=NULL, * memkey=NULL;//输出证书公私钥 BUF_MEM *bptrcert=NULL,*bptrkey=NULL; int ret=1; char * md=NULL; int i=0,j=0,ok=0; const EVP_MD *dgst=NULL; OpenSSL_add_all_digests();//加入签名算法 memcert= BIO_new(BIO_s_mem()); memkey= BIO_new(BIO_s_mem()); BIO_set_close(memcert, BIO_CLOSE); /* BIO_free() free BUF_MEM */ BIO_set_close(memkey, BIO_CLOSE); /* BIO_free() free BUF_MEM */ prkey=LoadKey(keyfile,keylen,NULL,outMsg);//RAND_bytes if (prkey == NULL) { ret = 0; goto err; } x509=LoadCert(certfile,certlen,outMsg); if (x509 == NULL) { ret = 0; goto err; } if (!X509_check_private_key(x509,prkey)) { sprintf(outMsg,"CA certificate and CA private key do not match\n"); ret = 0; goto err; } if(!mkReq(&(sCERT->SUBJECT),&req,&pkey, bits,outMsg)) { sprintf(outMsg,"Make CertReq error"); ret = 0; goto err; } md="sha1";//////////!!!!!!!!!!!!!!!!!//////////////////////////// if ((dgst=EVP_get_digestbyname(md)) == NULL)//return an EVP_MD structure when passed a digest name { sprintf(outMsg,"%s is an unsupported message digest type\n",md); ret = 0; goto err; } ok=certify(&x,req,prkey,x509,dgst,//公钥证书out,请求,根私钥,根公钥, serial,"today",enddate,days,&(sCERT->KUSAGE),&(sCERT->EKUSAGE),outMsg); if (ok <= 0) { ret=0; goto err; } /* if (type==DER) { i=i2d_X509_bio(memcert,x); j=i2d_PrivateKey_bio(memkey,pkey);//生成的结果错误!????????????? } else if(type==PEM) */ { i=PEM_write_bio_X509(memcert,x); j=PEM_write_bio_PrivateKey(memkey,pkey,NULL,NULL,0,NULL, NULL); } if(!i||!j) { strcpy(outMsg,"Get Mem Cert or Key File Error"); ret=0; goto err; } BIO_get_mem_ptr(memcert, &bptrcert); *certl=bptrcert->length; memcpy(cert,bptrcert->data,*certl); BIO_get_mem_ptr(memkey, &bptrkey); *keyl=bptrkey->length; memcpy(key,bptrkey->data,*keyl); err: BIO_free_all(memcert); BIO_free_all(memkey); EVP_PKEY_free(pkey); EVP_PKEY_free(prkey); X509_free(x509); X509_free(x); if (req != NULL) X509_REQ_free(req); EVP_cleanup();//frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER return ret; } ////////////////////////////////////////////////////////////////////// ///////////////////////// begin ////////////////////////////////////// /*添加链表节点*/ void AddRevoke(stuREVOKE *& Head,int index,time_t time) { stuREVOKE * End=new stuREVOKE(index,time);//钥增加的节点 if(Head==NULL) { Head=End; } else { stuREVOKE * p=Head; while(p->Link!=NULL) p=p->Link; p->Link=End; } return; } int Add_ExtCrl(X509_CRL *crl/*正被添加的证书*/,X509 * root/*根证书(从中得到信息)*/, int nid, char *value) { X509V3_CTX ctx; X509_EXTENSION *ex; /* This sets the 'context' of the extensions. */ /* No configuration database */ // X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx(&ctx, root, NULL, NULL, crl, 0); // issuerAltName authorityKeyIdentifier ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value); if (!ex) return 0; X509_CRL_add_ext(crl,ex,-1); X509_EXTENSION_free(ex); return 1; } BOOL MakeCrl(char *certfile/*根证书公钥*/,int certlen,/*为0则certfile为磁盘文件,否则为内存区域*/ char *keyfile/*根证书私钥*/,int keylen, stuREVOKE * Head/*作废链表*/,PNewCrlMem NewCrlMem/*回调函数*/,char *& outCrl,int * crll,char * outfile/*crl文件*/, char * outMsg/*操作结果*/) { X509_CRL_INFO *ci = NULL; X509_CRL *crl = NULL; int ret=1,i=0; char *key=NULL; char *md=NULL; EVP_PKEY *pkey=NULL; X509 *x509=NULL; BIO *in=NULL,*out=NULL; const EVP_MD *dgst=NULL; X509_REVOKED *r=NULL; long crldays=30; long crlhours=0; stuREVOKE * temp =NULL; BIO * memcrl=NULL; BUF_MEM *bptrcrl=NULL; OpenSSL_add_all_algorithms(); pkey=LoadKey(keyfile,keylen,NULL,outMsg); if (pkey == NULL) { ret = 0; goto err; } x509=LoadCert(certfile,certlen,outMsg); if (x509 == NULL) { ret = 0; goto err; } if (!X509_check_private_key(x509,pkey)) { sprintf(outMsg,"CA certificate and CA private key do not match\n"); ret = 0; goto err; } md="md5";//////////!!!!!!!!!!!!!!!!!//////////////////////////// if ((dgst=EVP_get_digestbyname(md)) == NULL)//return an EVP_MD structure when passed a digest name { sprintf(outMsg,"%s is an unsupported message digest type\n",md); ret = 0; goto err; } if ((crl=X509_CRL_new()) == NULL) { ret = 0; goto err; } ci=crl->crl; X509_NAME_free(ci->issuer); ci->issuer=X509_NAME_dup(x509->cert_info->subject); if (ci->issuer == NULL) { ret = 0; goto err; } X509_gmtime_adj(ci->lastUpdate,0); if (ci->nextUpdate == NULL) ci->nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60); if(!ci->revoked) ci->revoked = sk_X509_REVOKED_new_null(); while(Head!=NULL)//遍历链表 { temp=Head; X509_REVOKED *r = NULL; BIGNUM *serial_bn = NULL; r = X509_REVOKED_new(); ASN1_TIME_set(r->revocationDate,Head->time);//时间 char index[100]; BN_hex2bn(&serial_bn,itoa(Head->Index,index,10));//序号 BN_to_ASN1_INTEGER(serial_bn,r->serialNumber); sk_X509_REVOKED_push(ci->revoked,r); Head=Head->Link; delete temp; } // sk_X509_REVOKED_sort(ci->revoked); for (i=0; i<SK_X509_REVOKED_NUM(CI->revoked); i++) { r=sk_X509_REVOKED_value(ci->revoked,i); r->sequence=i; } if (ci->version == NULL) if ((ci->version=ASN1_INTEGER_new()) == NULL) { ret = 0; goto err; } ASN1_INTEGER_set(ci->version,1); // issuerAltName authorityKeyIdentifier // Add_ExtCrl(crl,x509,NID_subject_alt_name,"DNS:hpxs,email:hpxs@hotmail.com,RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22"); Add_ExtCrl(crl,x509,NID_issuer_alt_name, "DNS:hpxs,email:hpxs@hotmail.com,RID:1.2.3.4,URI:https://hpxs,IP:192.168.0.22"); Add_ExtCrl(crl,x509,NID_authority_key_identifier, "keyid,issuer:always"); if (!X509_CRL_sign(crl,pkey,dgst)) { ret = 0; goto err; } if(NewCrlMem)//输出内存 { memcrl= BIO_new(BIO_s_mem()); BIO_set_close(memcrl, BIO_CLOSE); /* BIO_free() free BUF_MEM */ PEM_write_bio_X509_CRL(memcrl,crl); BIO_get_mem_ptr(memcrl, &bptrcrl); *crll=bptrcrl->length; outCrl=NewCrlMem(*crll); memcpy(outCrl,bptrcrl->data,*crll); } if(outfile)//输出文件 { out=BIO_new_file(outfile, "w"); if(out==NULL) { sprintf(outMsg,"%s is error",outfile); ret = 0; goto err; } PEM_write_bio_X509_CRL(out,crl); } X509V3_EXT_cleanup();//cleanup the extension code if any custom extensions have been added err: if(out) BIO_free_all(out); if(memcrl) BIO_free_all(memcrl); BIO_free(in); EVP_PKEY_free(pkey); X509_CRL_free(crl); X509_free(x509); EVP_cleanup();//frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER if(ret==1) strcpy(outMsg,"CRL制作成功"); return ret; } BOOL CertFormatConver(char * buf/*文件内容或文件名称*/,int len/*内存长度为0则buf为文件名*/, char * pwd/*p12文件密码*/,char * pem/*输出文件*/, int outformat,char * out/*操作结果*/) { EVP_PKEY *key=NULL; X509 *cert=NULL; BIO *biout=NULL; int i=0; //输出文件 if ((biout=BIO_new_file(pem, "w")) == NULL) { return false; } cert = LoadCert(buf,len,out);//首先尝试公钥,bio被改写 if(cert)//输入文件为公钥文件 { if (outformat == DER) i=i2d_X509_bio(biout,cert); else if (outformat == PEM) { // if (trustout) i=PEM_write_bio_X509_AUX(biout,x); i=PEM_write_bio_X509(biout,cert); } if(!i)//失败 strcpy(out,"保存公钥失败"); else strcpy(out,"公钥证书格式转换成功"); } else//输入文件为私钥文件 { key=LoadKey(buf,len,pwd,out); if(!key) { strcpy(out,"不能识别的文件格式"); return false; } if(outformat==PEM) { PEM_write_bio_PrivateKey(biout, key, NULL, NULL, 0, 0, NULL); } if(outformat==DER) { i2d_PrivateKey_bio(biout,key);//得到解密后的私钥 } strcpy(out,"私钥证书格式转换成功"); } if (biout != NULL) BIO_free(biout); X509_free(cert); EVP_PKEY_free(key); return true; } //分解p12包 BOOL ParseDB(char * strP12/*包文件*/,char * strPwd/*私钥密码*/,char * strCert/*公钥存放*/, char * strkey/*私钥存放*/,int outformat/*输出格式*/,char * out/*返回结果*/) { EVP_PKEY *key=NULL; X509 *cert=NULL; STACK_OF(X509) *ca = NULL; BIO * bio=NULL,*bioCert=NULL,*bioKey=NULL; PKCS12 *p12=NULL; int i=0,j=0; if((bio=BIO_new_file(strP12, "r")) == NULL) { strcpy(out,"打开文件错误"); return false; } SSLeay_add_all_algorithms(); p12 = d2i_PKCS12_bio(bio, NULL); if (!PKCS12_parse(p12, strPwd, &key, &cert/*PEM*/, &ca)) { strcpy(out,"解包失败"); return false; } PKCS12_free(p12); //输出文件 if ((bioCert=BIO_new_file(strCert, "w")) == NULL) { return false; } if ((bioKey=BIO_new_file(strkey, "w")) == NULL) { return false; } if(outformat == DER) { i=i2d_X509_bio(bioCert,cert); j=i2d_PrivateKey_bio(bioKey,key); } else if (outformat == PEM) { i=PEM_write_bio_X509(bioCert,cert); j=PEM_write_bio_PrivateKey(bioKey, key, NULL, NULL, 0, 0, NULL); } if (bio != NULL) BIO_free(bio); if (bioCert != NULL) BIO_free(bioCert); if (bioKey != NULL) BIO_free(bioKey); X509_free(cert); EVP_PKEY_free(key); EVP_cleanup();//frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER if(i!=0&&j!=0) { strcpy(out,"分解P12成功"); return true; } return false; } //组合p12包 BOOL CreateDB(char * strP12/*OUT包文件*/,char * strPwd/*IN密码*/,char * strCert/*IN公钥*/, char * strkey/*IN私钥*/,char * out/*返回结果*/) { FILE *fp=NULL; EVP_PKEY *key=NULL; X509 *cert=NULL; PKCS12 *p12; cert =LoadCert(strCert,0,out); if(!cert) { strcpy(out,"读取公钥文件失败"); return false; } key=LoadKey(strkey,0,NULL,out);//解密后私钥 if(!key) { strcpy(out,"读取私钥文件失败"); return false; } SSLeay_add_all_algorithms(); p12 = PKCS12_create(strPwd,"(hpxs)", key, cert, NULL, 0,0,0,0,0); if(!p12) { strcpy(out,"创建p12结构失败"); return false; } if (!(fp = fopen(strP12, "wb"))) { strcpy(out,"保存p12文件失败"); } i2d_PKCS12_fp(fp, p12); PKCS12_free(p12); fclose(fp); strcpy(out,"合并P12成功"); X509_free(cert); EVP_PKEY_free(key); EVP_cleanup();//frees all three stacks and sets their pointers to NULL ---- EVP_CIPHER return true; } //修改p12包密码 BOOL ChangePB(char * strP12/*in包文件*/,char * strPwd/*IN原密码*/,char * strPwd2/*IN新密码*/, char * strOutP12/*in包文件*/,char * out/*返回结果*/) { FILE *fp=NULL; EVP_PKEY *key=NULL; X509 *cert=NULL; STACK_OF(X509) *ca = NULL; PKCS12 *p12=NULL; int len=0,wlen=0; SSLeay_add_all_algorithms(); if (!(fp = fopen(strP12, "rb"))) { strcpy(out,"打开文件错误"); return false; } p12 = d2i_PKCS12_fp(fp, NULL); fclose (fp); if (!p12) { strcpy(out,"读取包文件错误"); return false; } if (!PKCS12_parse(p12, strPwd, &key, &cert, &ca)) { strcpy(out,"解包失败"); return false; } PKCS12_free(p12); fclose(fp); p12=NULL; /////////////////////////////////////// p12 = PKCS12_create(strPwd2,"(null)", key, cert, NULL, 0,0,0,0,0); if(!p12) { strcpy(out,"创建p12结构失败"); return false; } if (!(fp = fopen(strOutP12, "wb"))) { strcpy(out,"保存p12文件失败"); } i2d_PKCS12_fp(fp, p12); PKCS12_free(p12); fclose(fp); strcpy(out,"转换P12密码成功"); X509_free(cert); EVP_PKEY_free(key); return true; } BOOL CertPairCheck(char * cert,char * key,char * out)//检验公钥、私钥是否配对 { EVP_PKEY *pkey=NULL; X509 *x509=NULL; x509=LoadCert(cert,0,out); if(x509==NULL) { strcpy(out,"不能打开公钥文件"); return FALSE; } pkey=LoadKey(key,0,NULL,out); if(pkey==NULL) { strcpy(out,"不能打开私钥文件"); X509_free(x509); return FALSE; } if(X509_check_private_key(x509,pkey))//匹配 { X509_free(x509); EVP_PKEY_free(pkey); return TRUE; } else { strcpy(out,"公私钥对不匹配"); X509_free(x509); EVP_PKEY_free(pkey); return FALSE; } } #include #define DER 1 //FORMAT_ASN1 #define PEM 3 /*定义格式*/ #define NET 4 #define P12 5 typedef char * (* PNewCrlMem)(UINT len); struct stuSUBJECT//个体信息 { UCHAR C[4];//国家 UCHAR ST[4];//省份 UCHAR L[12];//城市 UCHAR O[48];//组织 UCHAR OU[24];//组织部门 UCHAR CN[12];//个人信息 UCHAR MAIL[24];//电子邮件 UCHAR PMAIL[24];//安全电子邮件 UCHAR T[12];//头衔 UCHAR D[12];//描述 UCHAR G[12];//曾用名 UCHAR I[12];//描述 UCHAR NAME[12];//描述 UCHAR S[12];//描述 UCHAR QUAL[12];//描述 UCHAR STN[12];//没有结构的名称 UCHAR PW[12];//挑战密码 UCHAR ADD[12];//无结构地址 stuSUBJECT() { memset(this,0,sizeof(stuSUBJECT)); } }; struct stuKEYUSAGE//密钥用途 { BOOL DS;//Digital Signature BOOL NR;//Non-Repudiation BOOL KE;//Key Encipherment BOOL DE;//Data Encipherment BOOL KA;//keyAgreement BOOL KC;//keyCertSign BOOL CS;//cRLSign BOOL EO;//Encipher Only BOOL DO;//Decipher Only stuKEYUSAGE() { memset(this,0,sizeof(stuKEYUSAGE)); } }; struct stuEKEYUSAGE//增强型密钥用途 { BOOL SA;//服务器验证 BOOL CA;//客户端验证 BOOL CS;//代码签名 BOOL EP;//安全电子邮件 BOOL TS;//时间戳 BOOL msCC;//代码完整 BOOL msCTLS;//可签名信任列表 BOOL msSGC;//联机事务处理 BOOL msEFS;//加密磁盘上的数据 BOOL msSC;//智能卡登录 BOOL IP;//Internet stuEKEYUSAGE() { memset(this,0,sizeof(stuEKEYUSAGE)); } }; struct stuCERT//三者之和 { stuSUBJECT SUBJECT; stuKEYUSAGE KUSAGE; stuEKEYUSAGE EKUSAGE; stuCERT() { memset(this,0,sizeof(stuCERT)); } }; struct stuREVOKE//证书作废结构链表 { int Index;//证书序号 time_t time;//吊销时间 stuREVOKE * Link; stuREVOKE() { memset(this,0,sizeof(stuREVOKE)); } stuREVOKE(int index,time_t t) { Index=index; time=t;; Link=NULL; } }; /*添加链表节点*/ void AddRevoke(stuREVOKE *& Head,int index,time_t time); /*证书格式转换函数*/ BOOL CertFormatConver(char * buf/*内存区域,存储文件内容或文件名称*/,int len/*内存长度==0则buf为文件名*/, char * pwd/*p12文件密码*/,char * pem/*输出文件*/,int outformat,char * out/*操作结果*/); /*根证书生成函数,根据rootInfo信息,生成根证书公、私钥文件*/ BOOL MakeRoot(stuSUBJECT * rootInfo,/*请求信息IN*/int bits/*位数IN*/, int serial/*序列号IN*/, int days/*有效期IN*/,char * certFile/*证书请求文件OUT*/,char * priFile/*私钥文件OUT*/, char * out/*操作结果OUT*/,int type=PEM/*类型pem-der*/); /*证书请求生成函数,根据reqInfo信息,生成用户证书私钥文件、证书请求文件*/ BOOL MakeReq(stuSUBJECT * reqInfo,/*请求信息IN*/int bits/*位数IN*/, char * reqFile/*证书请求文件OUT*/, char * priFile/*私钥文件OUT*/,char * out/*操作结果OUT*/,int type=PEM/*类型pem-der*/); /*证书生成函数,通过证书请求,生成用户证书公钥文件*/ BOOL MakeCert(char *certfile/*根证书公钥*/,int certlen,/*为0则certfile为磁盘文件,否则为内存区域*/ char *keyfile/*根证书私钥*/,int keylen,int serial/*序列号*/,char *enddate/*作废日期*/, int days/*有效期*/, char *reqfile/*请求文件*/,stuKEYUSAGE * KUSAGE/*密钥用法*/, stuEKEYUSAGE * EKUSAGE/*增强密钥用法*/,char *outfile/*结果文件*/, char * outMsg/*操作结果*/,int type/*结果类型DER,PEM*/);//通过证书请求,得到证书 //直接生成公私钥 BOOL DirectCert(char *certfile/*根证书公钥*/,int certlen,/*为0则certfile为磁盘文件,否则为内存区域*/ char *keyfile/*根证书私钥*/,int keylen,int serial/*序列号*/,char *enddate/*作废日期*/, int days/*有效期*/,stuCERT * sCERT/*用户信息与密钥用法*/,int bits,char * cert/*输出证书公钥*/,int * certl/*长度*/, char * key/*输出证书私钥*/,int * keyl/*长度*/,char * outMsg/*,int type结果类型DER,PEM*/);//直接生成公私钥 /*黑名单生成函数*/ BOOL MakeCrl(char *certfile/*根证书公钥*/,int certlen,/*为0则certfile为磁盘文件,否则为内存区域*/ char *keyfile/*根证书私钥*/,int keylen, stuREVOKE * Head/*作废链表*/,PNewCrlMem NewCrlMem/*回调函数*/,char *& outCrl,int * crll,char * outfile/*crl文件*/, char * outMsg/*操作结果*/); /*分解p12包*/ BOOL ParseDB(char * strP12/*包文件*/,char * strPwd/*解包密码*/,char * strCert/*公钥存放*/, char * strkey/*私钥存放*/,int outformat/*输出格式*/,char * out/*返回结果*/); /*组合p12包*/ BOOL CreateDB(char * strP12/*包文件IN*/,char * strPwd/*密码IN*/,char * strCert/*公钥存放IN*/, char * strkey/*私钥存放IN*/,char * out/*返回结果OUT*/); BOOL ChangePB(char * strP12/*IN包文件*/,char * strPwd/*IN原密码*/,char * strPwd2/*IN新密码*/, char * strOutP12/*OUT包文件*/,char * out/*返回结果OUT*/); //检验公钥、私钥是否配对 BOOL CertPairCheck(char * cert,char * key,char * out);//检验公钥、私钥是否配对