mailiverse/cpp/Lib/xcode-botan/Botan-1.10.3/checks/x509.cpp
2013-07-25 22:51:23 -04:00

249 lines
6.8 KiB
C++

/*
* (C) 2009 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
#include <botan/filters.h>
#if defined(BOTAN_HAS_RSA)
#include <botan/rsa.h>
#endif
#if defined(BOTAN_HAS_DSA)
#include <botan/dsa.h>
#endif
#if defined(BOTAN_HAS_ECDSA)
#include <botan/ecdsa.h>
#endif
#if defined(BOTAN_HAS_X509_CERTIFICATES)
#include <botan/x509self.h>
#include <botan/x509stor.h>
#include <botan/x509_ca.h>
#include <botan/pkcs10.h>
#endif
using namespace Botan;
#include <iostream>
#include <memory>
#include "validate.h"
#include "common.h"
#if defined(BOTAN_HAS_X509_CERTIFICATES) && \
defined(BOTAN_HAS_RSA) && \
defined(BOTAN_HAS_DSA)
namespace {
u64bit key_id(const Public_Key* key)
{
Pipe pipe(new Hash_Filter("SHA-1", 8));
pipe.start_msg();
pipe.write(key->algo_name());
pipe.write(key->algorithm_identifier().parameters);
pipe.write(key->x509_subject_public_key());
pipe.end_msg();
SecureVector<byte> output = pipe.read_all();
if(output.size() != 8)
throw Internal_Error("Public_Key::key_id: Incorrect output size");
u64bit id = 0;
for(u32bit j = 0; j != 8; ++j)
id = (id << 8) | output[j];
return id;
}
/* Return some option sets */
X509_Cert_Options ca_opts()
{
X509_Cert_Options opts("Test CA/US/Botan Project/Testing");
opts.uri = "http://botan.randombit.net";
opts.dns = "botan.randombit.net";
opts.email = "testing@randombit.net";
opts.CA_key(1);
return opts;
}
X509_Cert_Options req_opts1()
{
X509_Cert_Options opts("Test User 1/US/Botan Project/Testing");
opts.uri = "http://botan.randombit.net";
opts.dns = "botan.randombit.net";
opts.email = "testing@randombit.net";
return opts;
}
X509_Cert_Options req_opts2()
{
X509_Cert_Options opts("Test User 2/US/Botan Project/Testing");
opts.uri = "http://botan.randombit.net";
opts.dns = "botan.randombit.net";
opts.email = "testing@randombit.net";
opts.add_ex_constraint("PKIX.EmailProtection");
return opts;
}
u32bit check_against_copy(const Private_Key& orig,
RandomNumberGenerator& rng)
{
Private_Key* copy_priv = PKCS8::copy_key(orig, rng);
Public_Key* copy_pub = X509::copy_key(orig);
const std::string passphrase= "I need work! -Mr. T";
DataSource_Memory enc_source(PKCS8::PEM_encode(orig, rng, passphrase));
Private_Key* copy_priv_enc = PKCS8::load_key(enc_source, rng,
passphrase);
u64bit orig_id = key_id(&orig);
u64bit pub_id = key_id(copy_pub);
u64bit priv_id = key_id(copy_priv);
u64bit priv_enc_id = key_id(copy_priv_enc);
delete copy_pub;
delete copy_priv;
delete copy_priv_enc;
if(orig_id != pub_id || orig_id != priv_id || orig_id != priv_enc_id)
{
std::cout << "Failed copy check for " << orig.algo_name() << "\n";
return 1;
}
return 0;
}
}
void do_x509_tests(RandomNumberGenerator& rng)
{
std::cout << "Testing X.509 CA/CRL/cert/cert request: " << std::flush;
std::string hash_fn = "SHA-256";
/* Create the CA's key and self-signed cert */
std::cout << '.' << std::flush;
RSA_PrivateKey ca_key(rng, 1024);
std::cout << '.' << std::flush;
X509_Certificate ca_cert = X509::create_self_signed_cert(ca_opts(),
ca_key,
hash_fn,
rng);
std::cout << '.' << std::flush;
/* Create user #1's key and cert request */
std::cout << '.' << std::flush;
DSA_PrivateKey user1_key(rng, DL_Group("dsa/jce/1024"));
std::cout << '.' << std::flush;
PKCS10_Request user1_req = X509::create_cert_req(req_opts1(),
user1_key,
"SHA-1",
rng);
/* Create user #2's key and cert request */
std::cout << '.' << std::flush;
#if defined(BOTAN_HAS_ECDSA)
EC_Group ecc_domain(OID("1.2.840.10045.3.1.7"));
ECDSA_PrivateKey user2_key(rng, ecc_domain);
#else
RSA_PrivateKey user2_key(rng, 1024);
#endif
std::cout << '.' << std::flush;
PKCS10_Request user2_req = X509::create_cert_req(req_opts2(),
user2_key,
hash_fn,
rng);
/* Create the CA object */
std::cout << '.' << std::flush;
X509_CA ca(ca_cert, ca_key, hash_fn);
std::cout << '.' << std::flush;
/* Sign the requests to create the certs */
std::cout << '.' << std::flush;
X509_Certificate user1_cert =
ca.sign_request(user1_req, rng,
X509_Time("2008-01-01"), X509_Time("2100-01-01"));
std::cout << '.' << std::flush;
X509_Certificate user2_cert = ca.sign_request(user2_req, rng,
X509_Time("2008-01-01"),
X509_Time("2100-01-01"));
std::cout << '.' << std::flush;
X509_CRL crl1 = ca.new_crl(rng);
/* Verify the certs */
X509_Store store;
store.add_cert(ca_cert, true); // second arg == true: trusted CA cert
std::cout << '.' << std::flush;
if(store.validate_cert(user1_cert) != VERIFIED)
std::cout << "\nFAILED: User cert #1 did not validate" << std::endl;
if(store.validate_cert(user2_cert) != VERIFIED)
std::cout << "\nFAILED: User cert #2 did not validate" << std::endl;
if(store.add_crl(crl1) != VERIFIED)
std::cout << "\nFAILED: CRL #1 did not validate" << std::endl;
std::vector<CRL_Entry> revoked;
revoked.push_back(CRL_Entry(user1_cert, CESSATION_OF_OPERATION));
revoked.push_back(user2_cert);
X509_CRL crl2 = ca.update_crl(crl1, revoked, rng);
if(store.add_crl(crl2) != VERIFIED)
std::cout << "\nFAILED: CRL #2 did not validate" << std::endl;
if(store.validate_cert(user1_cert) != CERT_IS_REVOKED)
std::cout << "\nFAILED: User cert #1 was not revoked" << std::endl;
if(store.validate_cert(user2_cert) != CERT_IS_REVOKED)
std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl;
revoked.clear();
revoked.push_back(CRL_Entry(user1_cert, REMOVE_FROM_CRL));
X509_CRL crl3 = ca.update_crl(crl2, revoked, rng);
if(store.add_crl(crl3) != VERIFIED)
std::cout << "\nFAILED: CRL #3 did not validate" << std::endl;
if(store.validate_cert(user1_cert) != VERIFIED)
std::cout << "\nFAILED: User cert #1 was not un-revoked" << std::endl;
check_against_copy(ca_key, rng);
check_against_copy(user1_key, rng);
check_against_copy(user2_key, rng);
std::cout << std::endl;
}
#else
void do_x509_tests(RandomNumberGenerator&)
{
std::cout << "Skipping Botan X.509 tests (disabled in build)\n";
}
#endif