path: root/checks/x509.cpp
blob: 05c2239376f70a933c8abe8039ad2d8d47099631 (plain)
/* This file is in the public domain */
#include <botan/x509self.h>
#include <botan/x509stor.h>
#include <botan/x509_ca.h>
#include <botan/pkcs10.h>
#include <botan/rsa.h>
#include <botan/dsa.h>
using namespace Botan;

#include <iostream>

/*
* Forward declarations of the option-set builders defined at the end of
* this file: one for the test CA's self-signed certificate and one for
* each of the two test users' certificate requests.
*/
X509_Cert_Options ca_opts();
X509_Cert_Options req_opts1();
X509_Cert_Options req_opts2();

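/*
* Check that copying a private key preserves its identity.
*
* Three copies of orig are made: a private-key copy, a public-key copy, and
* a copy obtained by PEM-encoding the key under a passphrase and loading it
* back. The 64-bit key_id() of each copy is compared with that of orig.
*
* Returns 0 when all IDs match; otherwise prints "FAILED!!" and returns 1.
* Exceptions thrown by the Botan calls propagate to the caller after the
* copies made so far have been released.
*
* NOTE(review): this compares key IDs only, not the key material itself.
*/
u32bit check_against_copy(const PKCS8_PrivateKey& orig)
   {
   /* Fixed test passphrase; it only protects the in-memory PEM blob below */
   const std::string passphrase= "I need work! -Mr. T"; // Me too...

   PKCS8_PrivateKey* copy_priv = 0;
   X509_PublicKey* copy_pub = 0;
   PKCS8_PrivateKey* copy_priv_enc = 0;
   bool ids_match = false;

   try
      {
      copy_priv = PKCS8::copy_key(orig);
      copy_pub = X509::copy_key(orig);

      /* Encrypted round trip: encode with the passphrase, then decode */
      DataSource_Memory enc_source(PKCS8::PEM_encode(orig, passphrase));
      copy_priv_enc = PKCS8::load_key(enc_source, passphrase);

      /* A null copy counts as a failure rather than being dereferenced */
      if(copy_priv && copy_pub && copy_priv_enc)
         {
         const u64bit orig_id = orig.key_id();
         ids_match = (orig_id == copy_pub->key_id() &&
                      orig_id == copy_priv->key_id() &&
                      orig_id == copy_priv_enc->key_id());
         }
      }
   catch(...)
      {
      /* Do not leak the copies of private key material if a step throws */
      delete copy_pub;
      delete copy_priv;
      delete copy_priv_enc;
      throw;
      }

   delete copy_pub;
   delete copy_priv;
   delete copy_priv_enc;

   if(!ids_match)
      {
      /* std::cout matches the rest of the file, which includes <iostream>
         but not <cstdio> */
      std::cout << "FAILED!!\n";
      return 1;
      }
   return 0;
   }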

/*
* End-to-end exercise of the X.509 code: build a CA, issue two user
* certificates from PKCS #10 requests, validate them against a store that
* trusts the CA, then revoke user #2 through an updated CRL and check that
* validation now reports CERT_IS_REVOKED.
*
* Failures are only reported on stdout; nothing is returned, and the result
* of check_against_copy() is discarded here (it prints its own message).
*
* The key sizes used below (1024-bit RSA, a 1024-bit DSA group, 768-bit RSA)
* are test fixtures. They are below what is accepted for real certificates
* today, and 768-bit RSA moduli have been publicly factored, so these
* values should not be copied into production code.
*/
void do_x509_tests()
   {
   const char tick = '.'; /* one progress mark per completed step */

   std::cout << "Testing X.509 CA/CRL/cert/cert request: " << std::flush;

   /* CA key and its self-signed certificate */
   std::cout << tick << std::flush;
   RSA_PrivateKey issuer_key(1024);

   std::cout << tick << std::flush;
   X509_Certificate issuer_cert =
      X509::create_self_signed_cert(ca_opts(), issuer_key);
   std::cout << tick << std::flush;

   /* First user: DSA key and certificate request */
   std::cout << tick << std::flush;
   DSA_PrivateKey first_key(DL_Group("dsa/jce/1024"));
   std::cout << tick << std::flush;
   PKCS10_Request first_req = X509::create_cert_req(req_opts1(), first_key);

   /* Second user: RSA key and certificate request */
   std::cout << tick << std::flush;
   RSA_PrivateKey second_key(768);
   std::cout << tick << std::flush;
   PKCS10_Request second_req = X509::create_cert_req(req_opts2(), second_key);

   /* The CA object signs with the CA key on behalf of the CA cert */
   std::cout << tick << std::flush;
   X509_CA ca(issuer_cert, issuer_key);
   std::cout << tick << std::flush;

   /* Issue both user certificates */
   std::cout << tick << std::flush;
   X509_Certificate first_cert = ca.sign_request(first_req);
   std::cout << tick << std::flush;
   X509_Certificate second_cert = ca.sign_request(second_req);
   std::cout << tick << std::flush;

   /* Initial CRL, created before anything has been revoked */
   X509_CRL initial_crl = ca.new_crl();

   /* The store trusts only the test CA (second argument true == trusted) */
   X509_Store store;
   store.add_cert(issuer_cert, true);

   std::cout << tick << std::flush;

   const bool first_ok = (store.validate_cert(first_cert) == VERIFIED);
   if(!first_ok)
      std::cout << "\nFAILED: User cert #1 did not validate" << std::endl;

   const bool second_ok = (store.validate_cert(second_cert) == VERIFIED);
   if(!second_ok)
      std::cout << "\nFAILED: User cert #2 did not validate" << std::endl;

   const bool initial_crl_ok = (store.add_crl(initial_crl) == VERIFIED);
   if(!initial_crl_ok)
      std::cout << "\nFAILED: CRL #1 did not validate" << std::endl;

   /* Revoke user #2 and publish the updated CRL to the store */
   std::vector<CRL_Entry> revoked;
   revoked.push_back(second_cert);

   X509_CRL updated_crl = ca.update_crl(initial_crl, revoked);

   const bool updated_crl_ok = (store.add_crl(updated_crl) == VERIFIED);
   if(!updated_crl_ok)
      std::cout << "\nFAILED: CRL #2 did not validate" << std::endl;

   /* The revoked certificate must no longer validate */
   const bool second_revoked =
      (store.validate_cert(second_cert) == CERT_IS_REVOKED);
   if(!second_revoked)
      std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl;

   /* Key copy / encrypted PEM round-trip checks for all three keys */
   check_against_copy(issuer_key);
   check_against_copy(first_key);
   check_against_copy(second_key);

   std::cout << std::endl;
   }

/* Return some option sets */
/*
* Options for the test CA's self-signed certificate.
* NOTE(review): the '/'-separated string presumably supplies the subject
* name fields; confirm the field order against X509_Cert_Options.
*/
X509_Cert_Options ca_opts()
   {
   const std::string subject = "Test CA/US/Botan Project/Testing";
   X509_Cert_Options ca_options(subject);

   ca_options.email = "testing@randombit.net";
   ca_options.dns = "botan.randombit.net";
   ca_options.uri = "http://botan.randombit.net";

   /* Mark the certificate as a CA certificate; the argument is presumably
      the path length limit (TODO confirm) */
   ca_options.CA_key(1);

   return ca_options;
   }

/*
* Options for test user #1's certificate request. No CA flag and no extra
* constraints are set, unlike ca_opts() and req_opts2().
*/
X509_Cert_Options req_opts1()
   {
   const std::string subject = "Test User 1/US/Botan Project/Testing";
   X509_Cert_Options user_options(subject);

   user_options.email = "testing@randombit.net";
   user_options.dns = "botan.randombit.net";
   user_options.uri = "http://botan.randombit.net";

   return user_options;
   }

/*
* Options for test user #2's certificate request. Same contact fields as
* user #1, plus the "PKIX.EmailProtection" extended constraint.
*/
X509_Cert_Options req_opts2()
   {
   const std::string subject = "Test User 2/US/Botan Project/Testing";
   X509_Cert_Options user_options(subject);

   user_options.email = "testing@randombit.net";
   user_options.dns = "botan.randombit.net";
   user_options.uri = "http://botan.randombit.net";

   /* Request that the certificate be limited to e-mail protection use */
   user_options.add_ex_constraint("PKIX.EmailProtection");

   return user_options;
   }