aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2013-08-28 15:20:31 +0200
committerIngela Anderton Andin <[email protected]>2013-08-29 11:47:20 +0200
commit7e04cc90295eb62e2d88a36d3b950de989a6611a (patch)
tree946c2c4120a95e2a4be90d4d4258091431606386
parent6fc94ba0b93488e46429dd4e71d11ebfe3b62792 (diff)
downloadotp-7e04cc90295eb62e2d88a36d3b950de989a6611a.tar.gz
otp-7e04cc90295eb62e2d88a36d3b950de989a6611a.tar.bz2
otp-7e04cc90295eb62e2d88a36d3b950de989a6611a.zip
public_key: Add support for "Simple Certificate Enrollment Protocol" to PKCS-7
-rw-r--r--lib/public_key/asn1/PKCS-7.asn176
-rw-r--r--lib/public_key/test/public_key_SUITE.erl67
-rw-r--r--lib/public_key/test/public_key_SUITE_data/pkcs7_ext.pem62
3 files changed, 155 insertions, 50 deletions
diff --git a/lib/public_key/asn1/PKCS-7.asn1 b/lib/public_key/asn1/PKCS-7.asn1
index a6dfd57d80..e76f928acb 100644
--- a/lib/public_key/asn1/PKCS-7.asn1
+++ b/lib/public_key/asn1/PKCS-7.asn1
@@ -78,6 +78,49 @@ signingTime ATTRIBUTE ::= {
SigningTime ::= Time -- imported from ISO/IEC 9594-8
+-- begin added for VCE SCEP-support
+transactionID ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString
+ ID id-transId
+}
+
+messageType ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString
+ ID id-messageType
+}
+
+pkiStatus ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString
+ ID id-pkiStatus
+}
+
+failInfo ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString
+ ID id-failInfo
+}
+
+senderNonce ATTRIBUTE ::= {
+ WITH SYNTAX OCTET STRING
+ ID id-senderNonce
+}
+
+recipientNonce ATTRIBUTE ::= {
+ WITH SYNTAX OCTET STRING
+ ID id-recipientNonce
+}
+
+-- This is the authenticatedAttributes -member from SignerInfo
+-- added here to generate decode/encode functions for it which are
+-- needed to build the pkcs-7 used by SCEP, the resulting encoding are
+-- used to make a signed digest
+SignerInfoAuthenticatedAttributes ::= CHOICE {
+ aaSet [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}},
+ aaSequence [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}}
+ -- Explicit because easier to compute digest on sequence of attributes and then reuse
+ -- encoded sequence in aaSequence.
+ }
+-- end added for VCE SCEP-support
+
-- Also defined in X.509
-- Redeclared here as a parameterized type
@@ -224,12 +267,9 @@ SignerInfo ::= SEQUENCE {
issuerAndSerialNumber
IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
- authenticatedAttributes CHOICE {
- aaSet [0] IMPLICIT SET OF AttributePKCS-7 {{Authenticated}},
- aaSequence [2] EXPLICIT SEQUENCE OF AttributePKCS-7 {{Authenticated}}
- -- Explicit because easier to compute digest on sequence of attributes and then reuse
- -- encoded sequence in aaSequence.
- } OPTIONAL,
+ -- Added explicit type for authenticatedAttributes to be able to
+ -- encode/decode this type separately
+ authenticatedAttributes SignerInfoAuthenticatedAttributes OPTIONAL,
digestEncryptionAlgorithm
DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
@@ -247,7 +287,15 @@ SignerInfo ::= SEQUENCE {
Authenticated ATTRIBUTE ::= {
contentType |
- messageDigest,
+ messageDigest |
+-- begin added for VCE SCEP-support
+ transactionID |
+ messageType |
+ pkiStatus |
+ failInfo |
+ senderNonce |
+ recipientNonce,
+-- end added for VCE SCEP-support
..., -- add application-specific attributes here
signingTime
}
@@ -384,4 +432,18 @@ signedAndEnvelopedData OBJECT IDENTIFIER ::= { pkcs-7 4 }
digestedData OBJECT IDENTIFIER ::= { pkcs-7 5 }
encryptedData OBJECT IDENTIFIER ::= { pkcs-7 6 }
+-- begin added for VCE SCEP-support
+id-VeriSign OBJECT IDENTIFIER ::= {2 16 us(840) 1 veriSign(113733)}
+id-pki OBJECT IDENTIFIER ::= {id-VeriSign pki(1)}
+id-attributes OBJECT IDENTIFIER ::= {id-pki attributes(9)}
+id-messageType OBJECT IDENTIFIER ::= {id-attributes messageType(2)}
+id-pkiStatus OBJECT IDENTIFIER ::= {id-attributes pkiStatus(3)}
+id-failInfo OBJECT IDENTIFIER ::= {id-attributes failInfo(4)}
+id-senderNonce OBJECT IDENTIFIER ::= {id-attributes senderNonce(5)}
+id-recipientNonce OBJECT IDENTIFIER ::= {id-attributes recipientNonce(6)}
+id-transId OBJECT IDENTIFIER ::= {id-attributes transId(7)}
+id-extensionReq OBJECT IDENTIFIER ::= {id-attributes extensionReq(8)}
+-- end added for VCE SCEP-support
+
+
END
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index c3aa2e2366..f8d167e770 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -46,7 +46,7 @@ all() ->
groups() ->
[{pem_decode_encode, [], [dsa_pem, rsa_pem, encrypted_pem,
- dh_pem, cert_pem, pkcs10_pem]},
+ dh_pem, cert_pem, pkcs7_pem, pkcs10_pem]},
{ssh_public_key_decode_encode, [],
[ssh_rsa_public_key, ssh_dsa_public_key, ssh_rfc4716_rsa_comment,
ssh_rfc4716_dsa_comment, ssh_rfc4716_rsa_subject, ssh_known_hosts,
@@ -188,15 +188,9 @@ dh_pem() ->
[{doc, "DH parametrs PEM-file decode/encode"}].
dh_pem(Config) when is_list(Config) ->
Datadir = ?config(data_dir, Config),
- [{'DHParameter', DerDH, not_encrypted} = Entry] =
+ [{'DHParameter', _DerDH, not_encrypted} = Entry] =
erl_make_certs:pem_to_der(filename:join(Datadir, "dh.pem")),
-
- erl_make_certs:der_to_pem(filename:join(Datadir, "new_dh.pem"), [Entry]),
-
- DHParameter = public_key:der_decode('DHParameter', DerDH),
- DHParameter = public_key:pem_entry_decode(Entry),
-
- Entry = public_key:pem_entry_encode('DHParameter', DHParameter).
+ asn1_encode_decode(Entry).
%%--------------------------------------------------------------------
@@ -204,57 +198,38 @@ pkcs10_pem() ->
[{doc, "PKCS-10 PEM-file decode/encode"}].
pkcs10_pem(Config) when is_list(Config) ->
Datadir = ?config(data_dir, Config),
- [{'CertificationRequest', DerPKCS10, not_encrypted} = Entry] =
+ [{'CertificationRequest', _DerPKCS10, not_encrypted} = Entry] =
erl_make_certs:pem_to_der(filename:join(Datadir, "req.pem")),
-
- erl_make_certs:der_to_pem(filename:join(Datadir, "new_req.pem"), [Entry]),
-
- PKCS10 = public_key:der_decode('CertificationRequest', DerPKCS10),
- PKCS10 = public_key:pem_entry_decode(Entry),
-
- Entry = public_key:pem_entry_encode('CertificationRequest', PKCS10).
-
+ asn1_encode_decode(Entry).
%%--------------------------------------------------------------------
pkcs7_pem() ->
[{doc, "PKCS-7 PEM-file decode/encode"}].
pkcs7_pem(Config) when is_list(Config) ->
Datadir = ?config(data_dir, Config),
- [{'ContentInfo', DerPKCS7, not_encrypted} = Entry] =
+ [{'ContentInfo', _, not_encrypted} = Entry0] =
erl_make_certs:pem_to_der(filename:join(Datadir, "pkcs7_cert.pem")),
-
- erl_make_certs:der_to_pem(filename:join(Datadir, "new_pkcs7_cert.pem"), [Entry]),
-
- PKCS7 = public_key:der_decode('ContentInfo', DerPKCS7),
- PKCS7 = public_key:pem_entry_decode(Entry),
-
- Entry = public_key:pem_entry_encode('ContentInfo', PKCS7).
-
+ [{'ContentInfo', _, not_encrypted} = Entry1] =
+ erl_make_certs:pem_to_der(filename:join(Datadir, "pkcs7_ext.pem")),
+ asn1_encode_decode(Entry0),
+ asn1_encode_decode(Entry1).
+
%%--------------------------------------------------------------------
cert_pem() ->
[{doc, "Certificate PEM-file decode/encode"}].
cert_pem(Config) when is_list(Config) ->
Datadir = ?config(data_dir, Config),
-
- [Entry0] =
- erl_make_certs:pem_to_der(filename:join(Datadir, "dsa.pem")),
-
- [{'Certificate', DerCert, not_encrypted} = Entry7] =
+
+ [{'Certificate', _, not_encrypted} = Entry0] =
erl_make_certs:pem_to_der(filename:join(Datadir, "client_cert.pem")),
- Cert = public_key:der_decode('Certificate', DerCert),
- Cert = public_key:pem_entry_decode(Entry7),
+ asn1_encode_decode(Entry0),
- CertEntries = [{'Certificate', _, not_encrypted} = CertEntry0,
- {'Certificate', _, not_encrypted} = CertEntry1] =
+ [{'Certificate', _, not_encrypted} = Entry1,
+ {'Certificate', _, not_encrypted} = Entry2] =
erl_make_certs:pem_to_der(filename:join(Datadir, "cacerts.pem")),
-
- ok = erl_make_certs:der_to_pem(filename:join(Datadir, "wcacerts.pem"), CertEntries),
- ok = erl_make_certs:der_to_pem(filename:join(Datadir, "wdsa.pem"), [Entry0]),
- NewCertEntries = erl_make_certs:pem_to_der(filename:join(Datadir, "wcacerts.pem")),
- true = lists:member(CertEntry0, NewCertEntries),
- true = lists:member(CertEntry1, NewCertEntries),
- [Entry0] = erl_make_certs:pem_to_der(filename:join(Datadir, "wdsa.pem")).
+ asn1_encode_decode(Entry1),
+ asn1_encode_decode(Entry2).
%%--------------------------------------------------------------------
ssh_rsa_public_key() ->
@@ -720,6 +695,12 @@ pkix_iso_dsa_oid(Config) when is_list(Config) ->
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
%%--------------------------------------------------------------------
+asn1_encode_decode({Asn1Type, Der, not_encrypted} = Entry) ->
+ Decoded = public_key:der_decode(Asn1Type, Der),
+ Decoded = public_key:pem_entry_decode(Entry),
+ Entry = public_key:pem_entry_encode(Asn1Type, Decoded),
+ ok.
+
check_countryname({rdnSequence,DirName}) ->
do_check_countryname(DirName).
do_check_countryname([]) ->
diff --git a/lib/public_key/test/public_key_SUITE_data/pkcs7_ext.pem b/lib/public_key/test/public_key_SUITE_data/pkcs7_ext.pem
new file mode 100644
index 0000000000..d7a1d01fe1
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/pkcs7_ext.pem
@@ -0,0 +1,62 @@
+-----BEGIN PKCS7-----
+MIILCAYJKoZIhvcNAQcCoIIK+TCCCvUCAQExDjAMBggqhkiG9w0CBQUAMIIFmwYJ
+KoZIhvcNAQcBoIIFjASCBYgwggWEBgkqhkiG9w0BBwOgggV1MIIFcQIBADGCAmQw
+ggJgAgEAMEgwPDELMAkGA1UEBhMCU0UxETAPBgNVBAoMCEVyaWNzc29uMRowGAYD
+VQQDDBFWQ19SQlNfU3ViQ0FfVjNfMQIIcw3ZS5VSTIwwDQYJKoZIhvcNAQEBBQAE
+ggIAFW0vd8wY2FJ87KVyUqcdK5uCmnjwC6uPbypDqnL44Fe4iAAiNOvmqt1Crm46
+pg9gOq50NbrRb+PY+UUM7lEUNNKZ61cul2iwGwp6r41l05EbMqgfsNoJkH+bTM8Y
+YhME4sT+AzdmPHIg1PGoM+pAMHzpjcdnaHFSlfSmwq5xfZwWelR2TDz7arO+AKCk
+DVIEnG9qHBrUWvDoT23VDVQQXP5Uja0Nml7B7Jt2RW2EKAiCAYDujkjIWcGy3F3X
+2Q+Nm4K2nJKnkdMI5kS0Eu9uHp24VHn98sEyqn8rDiLFOaj5BskQIVMDN6npssgr
+X4ChmBiVcquaxCoHMqQYGa/Jrd66C8WK2lQH3NpDCsULS+m6Z76bvXDFyL0K6rEP
+sOcn8J91LfB5jXeSvS3vi7zk07M/IwAL03fVKvqiKU65D4859AOgbjkGyytWG1iv
+t7ENh6GYHGJj71L+OlZZH25cJQ/2gGsYs4IYrT6w4Z1X5TscOL/tBiCDdTwcdT0q
++YdkL9ZONouHvgszb9IFvfFErzmmG7jTHwC/TzR0nC8vPog9+y05G4vnD1h7lzH7
+8xDsGrn86gcjYXXRPfc4AxDZfmaM8S0SFmd+O7B24sUKmSyxF3A7OVnb0/rTMuez
+Izoy6RW9WQpCJM5R9k7YFDI5lQI+PiKT8GqzQuFIFXRYwOIwggMCBgkqhkiG9w0B
+BwEwEQYFKw4DAgcECLsGKZ/iQ1HBgIIC4J1lxb/gn6EosJyMrTV8KnJxvD+Garzp
+zmrDNvl9Q7CHmpNLuW3dngU5JcB5dElq7B+j6+RXNkupcrd2dvllAmwfPpFblmNp
+Snsn99TTwDYv4LrpxNCcoIKSm93H28wfszhPv75zD9+/aIy4JK4UwYuv+p5JHfLW
+EhvWO4pxUc2YpB8jiUVKTJJcRohry/lwvXu5s8VjmpoADSflHtAA4DUhFKX2fafu
+Ux7muxbh7xFViNY6laQ/tuZuxxjs2Eb5aWWizO00cyLP2724vFQL+lnvyAvtSmcD
+z2hOeOvvch6sJ4krx/gFznqe/lVksPyJQOj+Or8RTbC26kV4GQwiuGqgp6zhNjYe
+4niPvGxVAFz8Qdv8Zu47fSHgI2nz5YlWuE2NiQ1qtCbMsf2k/NnZrTgx2oZxnZvL
+B2We2D0u6BRZo4XMvGUqOLlGIV5scusv39/sBblJGOwNjtekG/pIRmiHXuI+RQOX
+yr4tLR8clylf/HEMmYn2UVxXXuWsEr6zdBB3u3JhXhq+YmDpYYnTkxZq4nTz7oMY
+MicrF0+iUrun6lIAXEU6yOSPehje5PfZW5PqKlpugKYIQSsbuJ4t/8n/MczHbRk9
+CcIX05OeWUdxRPKYa7Jt8umXnuIqWu7s7uZpbiB/tmuW4Cp16xUv53SgrTm4tiMq
+b7O3ftMmEiFZ+uXds/ODfh7bTe4YlWdyimkCcyI4dcIjLxe+ifx4T+b4LktIc5Pd
+5MHwAN+F1yIWnPxi8Nep9Pnw4HiX/ZkL0jHG0msZgZ60jb1U3LV4w3VI1WrsjvJM
+6M+l7HM3xeTl9posjVQPxb7kyX5s6gDe4IaatPrNYcsDJ4t43v/se/nvlrQtkJzv
+D4S2a9l833kYIC0MvoT8dqJuwySPZxjK0Io69sd6Af1BTGBoSQL75pOntrQUhICl
+/kfjBkG5h6tpJFSZQEReK3Kg9rKIax5VwgQUte2yVu3EYARd3YZ7On+gggMTMIID
+DzCCAfegAwIBAgITAkxY3LTPyvVkS5SUobGvznBgQDANBgkqhkiG9w0BAQUFADBC
+MQswCQYDVQQGEwJTRTERMA8GA1UEChMIRXJpY3Nzb24xIDAeBgNVBAMTF0M4MjYx
+MjQ1ODEuZXJpY3Nzb24uY29tMB4XDTEzMDgyMTE1MTcwM1oXDTE0MDgyMTE1MTcw
+M1owQjELMAkGA1UEBhMCU0UxETAPBgNVBAoTCEVyaWNzc29uMSAwHgYDVQQDExdD
+ODI2MTI0NTgxLmVyaWNzc29uLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAPgg9zlAP6Z8vDMq+Ux0mq1RPLLtG2kByeauGvKdzbRLxtiyyKlknFQ8
+jdn8w3NrQiXTYSEcR0eDWjpLiwvkW2WC+lARIHUWQjRJWQIaSQ1lu9rDHlMYr2xm
+6EF6QDgr/9fqkY1IrF/gEAwnNQhT44qCzSr/jqmf5phd5qslzYlpYY97yeEihiCT
+wa/BNl1puS3+ayXI9e73Fpeysd0+TFjgbUwhUZn8kcKnDiynb19cyKzk4F1MQHwu
+QDFUkxtFcKMW8GikjEYy0Gw8CJUPl4SedtwoU4PGhWqgA/vYOPhdP6LfSBhTmU3s
+tUrFxUuMAiRF24JHdTj2bv+huDotWu0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
+PtB1eG9FbriUPD79Kb5uyt15JoROPDBc3voR9HffqDsANyEJ3VPlvAFEyrQzbdnA
+V5slZRR7M5AJBha1K3BIR7Cs74BlCXiiuWi358HnPGsHqqJjKVxlTKJksrRLvUr4
+K2bG1kBniQU/PkSZjB1DbSwAqw4So9BKLbzQFE8888/yETeCIEWnG2YMiRe1GB0r
+P/88QJctNrsT5oLdZ9E4igcAoGna6UR71PJSFCBoJ5WsnofMf44gZr7bgg2szoZr
+KDPnrlsi9SM4nWzTaxSTjEp3397QMwEHosJxwXv/Zy5QyGBDYfynaTRUVS2BwIfo
+AqRdylyrbv/+3NBQxdERRjGCAigwggIkAgEBMFkwQjELMAkGA1UEBhMCU0UxETAP
+BgNVBAoTCEVyaWNzc29uMSAwHgYDVQQDExdDODI2MTI0NTgxLmVyaWNzc29uLmNv
+bQITAkxY3LTPyvVkS5SUobGvznBgQDAMBggqhkiG9w0CBQUAoIGiMBIGCmCGSAGG
++EUBCQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAfBgkqhkiG9w0B
+CQQxEgQQaEUDvpv6H163UM7zAQiMvDAgBgpghkgBhvhFAQkFMRIEEN4FI8tal3of
+ZTXKi1Ny2cswLwYKYIZIAYb4RQEJBzEhEx8yOUFBQjJFNTY5OUY1QjI1QTJEQUI3
+NDlGN0Q0QTFBMA0GCSqGSIb3DQEBAQUABIIBACnR54LqeHZ0u8bSErSnGupEytHK
+xbfShraXl3DFPnIZYs0HUuuriw5/BhkFHBsSXO8Oqm759/UgxOjnCUD2AKHenGoK
+LB0yqLGe/USBs0IkBv6lXg7HJhSDNqAPES6a5iUVIRv+M40Ldob570MKjZhERVPN
+AVSHMJHKmtVTZGt/VqiVk0qqZeV9nqhaSPFyW9pQU0PKep0lFltnwCHUTZiiqHuk
+SIpZFCmIgahAUcl/WrxiW4xC9L5+wBgsuaUU5LqLZwg3AFua0aaDs6NZXpSE0A43
+zm5whhmkVePjnSUUr78AoBRalsBdMkDwLoUZZ1Hhq+/WH+WW7TQ96zm+uzE=
+-----END PKCS7-----
+