diff options
Diffstat (limited to 'checks/x509.cpp')
-rw-r--r-- | checks/x509.cpp | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/checks/x509.cpp b/checks/x509.cpp new file mode 100644 index 000000000..0a75d28e3 --- /dev/null +++ b/checks/x509.cpp @@ -0,0 +1,147 @@ +/* This file is in the public domain */ +#include <botan/x509self.h> +#include <botan/x509stor.h> +#include <botan/x509_ca.h> +#include <botan/pkcs10.h> +#include <botan/rsa.h> +#include <botan/dsa.h> +using namespace Botan; + +#include <iostream> + +X509_Cert_Options ca_opts(); +X509_Cert_Options req_opts1(); +X509_Cert_Options req_opts2(); + +u32bit check_against_copy(const PKCS8_PrivateKey& orig) + { + PKCS8_PrivateKey* copy_priv = PKCS8::copy_key(orig); + X509_PublicKey* copy_pub = X509::copy_key(orig); + + const std::string passphrase= "I need work! -Mr. T"; // Me too... + DataSource_Memory enc_source(PKCS8::PEM_encode(orig, passphrase)); + PKCS8_PrivateKey* copy_priv_enc = PKCS8::load_key(enc_source, passphrase); + + u64bit orig_id = orig.key_id(); + u64bit pub_id = copy_pub->key_id(); + u64bit priv_id = copy_priv->key_id(); + u64bit priv_enc_id = copy_priv_enc->key_id(); + + delete copy_pub; + delete copy_priv; + delete copy_priv_enc; + + if(orig_id != pub_id || orig_id != priv_id || orig_id != priv_enc_id) + { + printf("FAILED!!\n"); + return 1; + } + return 0; + } + +void do_x509_tests() + { + std::cout << "Testing X.509 CA/CRL/cert/cert request: " << std::flush; + + /* Create the CA's key and self-signed cert */ + std::cout << '.' << std::flush; + RSA_PrivateKey ca_key(1024); + + std::cout << '.' << std::flush; + X509_Certificate ca_cert = X509::create_self_signed_cert(ca_opts(), ca_key); + std::cout << '.' << std::flush; + + /* Create user #1's key and cert request */ + std::cout << '.' << std::flush; + DSA_PrivateKey user1_key(DL_Group("dsa/jce/1024")); + std::cout << '.' << std::flush; + PKCS10_Request user1_req = X509::create_cert_req(req_opts1(), user1_key); + + /* Create user #2's key and cert request */ + std::cout << '.' << std::flush; + RSA_PrivateKey user2_key(768); + std::cout << '.' << std::flush; + PKCS10_Request user2_req = X509::create_cert_req(req_opts2(), user2_key); + + /* Create the CA object */ + std::cout << '.' << std::flush; + X509_CA ca(ca_cert, ca_key); + std::cout << '.' << std::flush; + + /* Sign the requests to create the certs */ + std::cout << '.' << std::flush; + X509_Certificate user1_cert = ca.sign_request(user1_req); + std::cout << '.' << std::flush; + X509_Certificate user2_cert = ca.sign_request(user2_req); + std::cout << '.' << std::flush; + + X509_CRL crl1 = ca.new_crl(); + + /* Verify the certs */ + X509_Store store; + + store.add_cert(ca_cert, true); // second arg == true: trusted CA cert + + std::cout << '.' << std::flush; + if(store.validate_cert(user1_cert) != VERIFIED) + std::cout << "\nFAILED: User cert #1 did not validate" << std::endl; + + if(store.validate_cert(user2_cert) != VERIFIED) + std::cout << "\nFAILED: User cert #2 did not validate" << std::endl; + + if(store.add_crl(crl1) != VERIFIED) + std::cout << "\nFAILED: CRL #1 did not validate" << std::endl; + + std::vector<CRL_Entry> revoked; + revoked.push_back(user2_cert); + + X509_CRL crl2 = ca.update_crl(crl1, revoked); + + if(store.add_crl(crl2) != VERIFIED) + std::cout << "\nFAILED: CRL #2 did not validate" << std::endl; + + if(store.validate_cert(user2_cert) != CERT_IS_REVOKED) + std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl; + + check_against_copy(ca_key); + check_against_copy(user1_key); + check_against_copy(user2_key); + + std::cout << std::endl; + } + +/* Return some option sets */ +X509_Cert_Options ca_opts() + { + X509_Cert_Options opts("Test CA/US/Botan Project/Testing"); + + opts.uri = "http://botan.randombit.net"; + opts.dns = "botan.randombit.net"; + opts.email = "[email protected]"; + + opts.CA_key(1); + + return opts; + } + +X509_Cert_Options req_opts1() + { + X509_Cert_Options opts("Test User 1/US/Botan Project/Testing"); + + opts.uri = "http://botan.randombit.net"; + opts.dns = "botan.randombit.net"; + opts.email = "[email protected]"; + + return opts; + } + +X509_Cert_Options req_opts2() + { + X509_Cert_Options opts("Test User 2/US/Botan Project/Testing"); + + opts.uri = "http://botan.randombit.net"; + opts.dns = "botan.randombit.net"; + opts.email = "[email protected]"; + + return opts; + } |