18 #if defined( USE_CMP ) || defined( USE_SCEP )
38 const int labelLength;
39 const int actionPerms;
44 {
"Encryption key", 14,
48 {
"Signature key", 13,
79 REQUIRES_V( keyType > KEY_TYPE_NONE && keyType < KEY_TYPE_LAST );
95 keyInfo[ keyType ].labelLength, NULL, 0,
112 &streamState,
sizeof(
int ) );
120 IN_ENUM( KEY_TYPE )
const KEY_TYPE keyType )
128 REQUIRES_B( keyType > KEY_TYPE_NONE && keyType < KEY_TYPE_LAST );
131 keyLabelLength, NULL, 0,
138 keyLabelLength, NULL, 0,
157 assert( ( certID == NULL && certIDlength == 0 ) || \
161 REQUIRES( ( certID == NULL && certIDlength == 0 ) || \
162 ( certID != NULL && certIDlength ==
KEYID_SIZE ) );
182 if( certIDlength > 0 )
208 ENSURES( iterationCount < FAILSAFE_ITERATIONS_MED );
217 CRYPT_IATTRIBUTE_CERTCOPY ) );
235 IN_ENUM( KEY_TYPE )
const KEY_TYPE keyType )
248 REQUIRES( keyType > KEY_TYPE_NONE && keyType < KEY_TYPE_LAST );
282 substitutedAlgorithm =
TRUE;
289 case KEY_TYPE_ENCRYPTION:
299 return( substitutedAlgorithm ? \
303 case KEY_TYPE_SIGNATURE:
335 keyInfo[ keyType ].labelLength );
352 (
int * ) &
keyInfo[ keyType ].actionPerms,
353 CRYPT_IATTRIBUTE_ACTIONPERMS );
373 IN_ENUM( KEY_TYPE )
const KEY_TYPE keyType )
384 REQUIRES( keyType > KEY_TYPE_NONE && keyType < KEY_TYPE_LAST );
404 (
int * ) &iPrivateKey,
408 (
int * ) &
keyInfo[ keyType ].keyUsage,
412 (
int * ) &iSubjDNCert,
439 assert(
isReadPtr( password, passwordLength ) );
451 &objectType, CRYPT_IATTRIBUTE_TYPE );
482 int iterationCount,
status;
487 for( status =
CRYPT_OK, iterationCount = 0;
505 ENSURES( iterationCount < FAILSAFE_ITERATIONS_MED );
526 findSessionInfo( sessionInfoPtr->attributeList,
529 KEY_TYPE_SIGNATURE : KEY_TYPE_BOTH;
530 const char *storageObjectName =
"keyset";
542 CRYPT_IATTRIBUTE_TYPE );
547 iCryptDevice = sessionInfoPtr->privKeyset;
548 storageObjectName =
"device";
553 if( isNamedObjectPresent( sessionInfoPtr->privKeyset, keyType ) )
557 "%s is already present in %s",
558 ( keyType == KEY_TYPE_SIGNATURE ) ? \
559 "Signature key" :
"Key", storageObjectName ) );
563 if( isNamedObjectPresent( sessionInfoPtr->privKeyset,
564 KEY_TYPE_ENCRYPTION ) )
568 "Encryption key is already present in %s",
569 storageObjectName ) );
581 status = sessionInfoPtr->transactFunction( sessionInfoPtr );
584 if( !isConnectionOpen( sessionInfoPtr ) )
596 "Server closed connection after PKIBoot phase before any "
597 "certificates could be issued" ) );
604 if( attributeListPtr != NULL )
606 status = getCACert( &iCACert, sessionInfoPtr->iCertResponse,
607 attributeListPtr->value,
612 status = getCACert( &iCACert, sessionInfoPtr->iCertResponse,
621 "Couldn't read CA/RA certificate from returned "
622 "certificate trust list" ) );
624 sessionInfoPtr->iAuthInContext = iCACert;
627 status = generateKey( &iPrivateKey1, sessionInfoPtr->ownerHandle,
628 iCryptDevice, keyType );
631 ENSURES( status != OK_SPECIAL );
634 ( keyType == KEY_TYPE_SIGNATURE ) ? \
635 "signature" :
"private" ) );
637 status = createCertRequest( &iCertReq, iPrivateKey1,
CRYPT_UNUSED,
641 cleanupObject( iPrivateKey1, keyType );
644 "Couldn't create %skey certificate request",
645 ( keyType == KEY_TYPE_SIGNATURE ) ? \
646 "signature " :
"" ) );
654 sessionInfoPtr->sessionCMP->requestType = \
655 CRYPT_REQUESTTYPE_INITIALISATION;
657 sessionInfoPtr->iCertRequest = iCertReq;
658 status = sessionInfoPtr->transactFunction( sessionInfoPtr );
663 cleanupObject( iPrivateKey1, keyType );
683 !isConnectionOpen( sessionInfoPtr ) && !isCAcert )
685 cleanupObject( iPrivateKey1, keyType );
691 "Server closed connection before second (encryption) "
692 "certificate could be issued" ) );
696 status = updateKeys( sessionInfoPtr->privKeyset, iPrivateKey1,
697 sessionInfoPtr->iCertResponse,
715 CRYPT_IATTRIBUTE_CERTCOPY_DATAONLY );
724 cleanupObject( iPrivateKey1, keyType );
729 "Couldn't update %s with %skey/certificate",
730 storageObjectName, isCAcert ?
"CA " : \
731 ( keyType == KEY_TYPE_SIGNATURE ) ?
"signature " :
"" ) );
737 if( keyType == KEY_TYPE_BOTH || isCAcert )
739 updateTrustedCerts( sessionInfoPtr->privKeyset, iPrivateKey1 );
749 status = generateKey( &iPrivateKey2, sessionInfoPtr->ownerHandle,
750 iCryptDevice, KEY_TYPE_ENCRYPTION );
751 if( status == OK_SPECIAL )
756 updateTrustedCerts( sessionInfoPtr->privKeyset, iPrivateKey1 );
762 cleanupObject( iPrivateKey1, KEY_TYPE_SIGNATURE );
765 "Couldn't create encryption key" ) );
767 status = createCertRequest( &iCertReq, iPrivateKey2, iPrivateKey1,
768 KEY_TYPE_ENCRYPTION );
771 cleanupObject( iPrivateKey1, KEY_TYPE_SIGNATURE );
772 cleanupObject( iPrivateKey2, KEY_TYPE_ENCRYPTION );
775 "Couldn't create encryption key certificate request" ) );
786 sessionInfoPtr->iCertRequest = iCertReq;
787 sessionInfoPtr->privateKey = iPrivateKey2;
788 sessionInfoPtr->iAuthOutContext = iPrivateKey1;
789 status = sessionInfoPtr->transactFunction( sessionInfoPtr );
796 cleanupObject( iPrivateKey1, KEY_TYPE_SIGNATURE );
797 cleanupObject( iPrivateKey2, KEY_TYPE_ENCRYPTION );
802 status = updateKeys( sessionInfoPtr->privKeyset, iPrivateKey2,
803 sessionInfoPtr->iCertResponse,
809 cleanupObject( iPrivateKey1, KEY_TYPE_SIGNATURE );
810 cleanupObject( iPrivateKey2, KEY_TYPE_ENCRYPTION );
813 "Couldn't update %s with encryption key/certificate",
814 storageObjectName ) );
824 updateTrustedCerts( sessionInfoPtr->privKeyset, iPrivateKey1 );