Re: How do you use SSLeay binaries to request a certificate netscape-style?
Eric Young (eay@cryptsoft.com)
Tue, 18 Mar 1997 15:55:04 +1000 (EST)

On Mon, 17 Mar 1997, Greg Stark wrote:
> > I've appended a demo program that generates spkac objects. There are a
> > few things missing from the current public release of SSLeay but this demo
> > has the missing bits included.
> The only problem is that I will of course need the private key saved somewhere
> to use for making connections later. I can think of two ways of going about
> this, either have spkigen save the private key in a file, or have spkigen read
> a private key generated by genrsa beforehand.

Damn, forgot about the most obvious thing :-), patches appended, new version
available on request. It reads from file or outputs to stdout.

> I basically just used the following few lines instead of generating a key:
>     privkey=fopen(argv[1], "r");
>     if (!privkey) goto err;
>     PEM_read_RSAPrivateKey(privkey, rsa, NULL);
> So I have no idea how it's connected with the segmentation fault later.

The problem is that I use macros, so you are not getting pulled up on the fact
that you need to be passing &rsa, not rsa. Basically the 'function' is

    RSA *PEM_read_RSAPrivateKey(FILE *in,RSA **rsa,int (*cb)())

where cb is used to get passwords. The function returns the new RSA structure
or NULL if there is an error. If the rsa parameter is NULL, it is not used.
If *rsa == NULL, the RSA structure returned is also assigned to *rsa, and if
*rsa != NULL, the RSA pointed to is populated with the new values and then
returned.
This convention is used by a large part of SSLeay and is useful when loading
ASN1 structures, since one just calls a sub function with
func(...,&struct->field) and it will be created if it is NULL.

> Also, I think you want to cut the \n off the end of the challenge string.

Woops :-). My 'quick little demo hack' may actually turn into something
useful :-)

Since the 'diff -b -C 3' is about the same size as the actual file, here it
is again with changes.

    genrsa -des -out privkey.pem 1024
    spkigen privkey.pem > spki.pem

    spkigen > spki.pem
    /* WARNING - this will leave the new RSA private key
     * unencrypted in spki.pem along with the spki structure.
     */

/* demos/spkigen.c
 * 18-Mar-1997 - eay - A quick hack :-)
 * version 1.1, it would probably help to save or load the
 * private key.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "err.h"
#include "asn1.h"
#include "objects.h"
#include "envelope.h"
#include "x509.h"
#include "pem.h"

/* The following two don't exist in SSLeay but they are in here as
 * examples */
#define PEM_write_SPKI(fp,x) \
	PEM_ASN1_write((int (*)())i2d_NETSCAPE_SPKI,"SPKI",fp,\
		(char *)x,NULL,NULL,0,NULL)
int SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);

/* These are defined in the next version of SSLeay */
int EVP_PKEY_assign(EVP_PKEY *pkey, int type,char *key);
#define RSA_F4	0x10001
#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
					(char *)(rsa))

int main(argc,argv)
int argc;
char *argv[];
	{
	RSA *rsa=NULL;
	NETSCAPE_SPKI *spki=NULL;
	EVP_PKEY *pkey=NULL;
	char buf[128];
	int ok=0,i;
	FILE *fp;

	pkey=EVP_PKEY_new();

	if (argc < 2)
		{
		/* Generate an RSA key, the random state should have been seeded
		 * with lots of calls to RAND_seed(....) */
		fprintf(stderr,"generating RSA key, could take some time...\n");
		if ((rsa=RSA_generate_key(512,RSA_F4,NULL)) == NULL) goto err;
		}
	else
		{
		if ((fp=fopen(argv[1],"r")) == NULL)
			{ perror(argv[1]); goto err; }
		/* The second argument is NULL, so the return value is the only
		 * reference to the new RSA; passing &rsa would work as well. */
		rsa=PEM_read_RSAPrivateKey(fp,NULL,NULL);
		fclose(fp);
		if (rsa == NULL) goto err;
		}

	if (!EVP_PKEY_assign_RSA(pkey,rsa)) goto err;
	rsa=NULL;	/* now owned by pkey and freed by EVP_PKEY_free() */

	/* lets make the spki and set the public key and challenge */
	if ((spki=NETSCAPE_SPKI_new()) == NULL) goto err;
	if (!SPKI_set_pubkey(spki,pkey)) goto err;

	fprintf(stderr,"please enter challenge string:");
	fflush(stderr);
	if (fgets(buf,sizeof(buf),stdin) == NULL) buf[0]='\0';
	i=strlen(buf);
	/* cut the trailing newline off, but only if there is one */
	if ((i > 0) && (buf[i-1] == '\n')) buf[--i]='\0';
	if (!ASN1_STRING_set((ASN1_STRING *)spki->spkac->challenge,
		buf,i)) goto err;

	if (!NETSCAPE_SPKI_sign(spki,pkey,EVP_md5())) goto err;
	PEM_write_SPKI(stdout,spki);
	if (argc < 2)
		PEM_write_RSAPrivateKey(stdout,pkey->pkey.rsa,NULL,NULL,0,NULL);

	ok=1;
err:
	if (!ok)
		{
		fprintf(stderr,"something bad happened....");
		ERR_print_errors_fp(stderr);
		}
	if (rsa != NULL) RSA_free(rsa);	/* only non-NULL if EVP_PKEY_assign failed */
	NETSCAPE_SPKI_free(spki);
	EVP_PKEY_free(pkey);
	exit(!ok);
	}

/* This function is in the next version of SSLeay */
int EVP_PKEY_assign(pkey,type,key)
EVP_PKEY *pkey;
int type;
char *key;
	{
	if (pkey == NULL) return(0);
	if (pkey->pkey.ptr != NULL)
		{
		if (pkey->type == EVP_PKEY_RSA)
			RSA_free(pkey->pkey.rsa);
		/* else memory leak */
		}
	pkey->type=type;
	pkey->pkey.ptr=key;
	return(1);
	}

/* While I have a X509_set_pubkey() and X509_REQ_set_pubkey(),
 * SPKI_set_pubkey() does not currently exist so here is a version of it.
 * The next SSLeay release will probably have
 *	X509_set_pubkey(),
 *	X509_REQ_set_pubkey() and
 *	NETSCAPE_SPKI_set_pubkey()
 * as macros calling the same function */
int SPKI_set_pubkey(x,pkey)
NETSCAPE_SPKI *x;
EVP_PKEY *pkey;
	{
	int ok=0;
	X509_PUBKEY *pk=NULL;
	X509_ALGOR *a;
	ASN1_OBJECT *o;
	unsigned char *s=NULL,*p;
	int i;

	if ((x == NULL) || (pkey == NULL)) return(0);
	if ((pk=X509_PUBKEY_new()) == NULL) goto err;
	a=pk->algor;

	/* set the algorithm id */
	if ((o=OBJ_nid2obj(pkey->type)) == NULL) goto err;
	ASN1_OBJECT_free(a->algorithm);
	a->algorithm=o;

	/* Set the parameter list */
	if ((a->parameter == NULL) || (a->parameter->type != V_ASN1_NULL))
		{
		ASN1_TYPE_free(a->parameter);
		if ((a->parameter=ASN1_TYPE_new()) == NULL) goto err;
		a->parameter->type=V_ASN1_NULL;
		}

	/* DER encode the public key into the BIT STRING */
	i=i2d_PublicKey(pkey,NULL);
	if ((s=(unsigned char *)malloc(i+1)) == NULL) goto err;
	p=s;
	i2d_PublicKey(pkey,&p);
	if (!ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;

	X509_PUBKEY_free(x->spkac->pubkey);
	x->spkac->pubkey=pk;
	pk=NULL;
	ok=1;
err:
	if (s != NULL) free(s);
	if (pk != NULL) X509_PUBKEY_free(pk);
	return(ok);
	}
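Added example, not part of Eric Young's message or of SSLeay: the `RSA **` populate-or-allocate convention he describes, written out in plain C so it builds without SSLeay. The `KEY` type, `KEY_read()` and the one-line "bits:label" record that stands in for PEM parsing are constructed for illustration. The three callers show the mistaken call from the thread (`rsa` passed where `&rsa` is expected, return value dropped, so the caller's pointer stays NULL and the next dereference is the segmentation fault), the allocate-on-demand call with `&key` where `key == NULL`, and the populate-in-place call into an existing structure, which is the `func(...,&struct->field)` case. The error path shows why the convention is safe: on failure only what the function itself allocated is freed, and the caller's own pointer is never touched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an SSLeay structure such as RSA (constructed for this example). */
typedef struct {
    int bits;
    char label[32];
} KEY;

static KEY *KEY_new(void) { return (KEY *)calloc(1, sizeof(KEY)); }
static void KEY_free(KEY *k) { free(k); }

/* Same calling convention as PEM_read_RSAPrivateKey(FILE *, RSA **, cb):
 *   - returns the populated structure, or NULL on error;
 *   - a NULL out parameter is ignored;
 *   - if *out is NULL, a fresh KEY is allocated and also stored in *out;
 *   - if *out is non-NULL, that KEY is filled in place and returned.
 * A constructed "bits:label" text record replaces PEM parsing. */
KEY *KEY_read(const char *record, KEY **out)
{
    int we_allocated = (out == NULL || *out == NULL);
    KEY *k = we_allocated ? KEY_new() : *out;
    int bits = 0;
    char label[32];

    if (k == NULL) return NULL;
    if (sscanf(record, "%d:%31s", &bits, label) != 2 || bits <= 0) {
        if (we_allocated) KEY_free(k);  /* the caller's own object is left untouched */
        return NULL;
    }
    k->bits = bits;
    strcpy(k->label, label);            /* label is bounded to 31 chars by sscanf */
    if (out != NULL) *out = k;
    return k;
}

/* The mistake from the thread: key (a NULL KEY *) is passed where KEY ** is
 * expected and the return value is dropped.  The NULL parameter is ignored,
 * so key stays NULL and the first key-> dereference later on is the crash.
 * Returns 1 if key is still NULL after the call. */
int wrong_call_leaves_key_null(const char *record)
{
    KEY *key = NULL;
    KEY *dropped = KEY_read(record, (KEY **)key);   /* should be &key */
    KEY_free(dropped);   /* the original simply leaks this; freed here only to keep the demo clean */
    return key == NULL;
}

/* Correct allocate-on-demand use: &key with key == NULL.  Returns the parsed
 * bit length, or -1 on parse failure (key is then still NULL, nothing to free). */
int read_fresh_key_bits(const char *record)
{
    KEY *key = NULL;
    int bits;
    if (KEY_read(record, &key) == NULL) return -1;
    bits = key->bits;
    KEY_free(key);
    return bits;
}

/* Populate-in-place use, the func(..., &struct->field) case: the caller's
 * existing object is filled and the same pointer is returned, so there is no
 * second object to free.  Returns the parsed bit length, -1 on parse failure
 * (the existing object is intact and still owned by the caller), -2 if the
 * returned pointer is not the caller's object. */
int read_into_existing_key(const char *record)
{
    KEY *key = KEY_new();
    KEY *ret;
    int result;
    if (key == NULL) return -3;
    ret = KEY_read(record, &key);
    if (ret == NULL) result = -1;
    else result = (ret == key) ? key->bits : -2;
    KEY_free(key);
    return result;
}

int main(void)
{
    printf("wrong call leaves key NULL: %d\n", wrong_call_leaves_key_null("1024:privkey"));
    printf("fresh key bits: %d\n", read_fresh_key_bits("1024:privkey"));
    printf("fresh key, bad record: %d\n", read_fresh_key_bits("not-a-key"));
    printf("in-place bits: %d\n", read_into_existing_key("2048:privkey"));
    printf("in-place, bad record: %d\n", read_into_existing_key("garbage"));
    return 0;
}
```

The same three patterns apply one-for-one to the spkigen code above: the `PEM_read_RSAPrivateKey(fp,NULL,NULL)` call uses the return value only, while `&rsa` would let the library store the result for you.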