PKI MSG objects

From OpenCA::Wiki

The PKI_MSG interface is an abstraction layer that lets the developer generate or load messages used for communication between an application and a CA. Once a message has been created, it can be encoded according to the protocol supported by the CA you want to communicate with.

By combining this abstraction layer with the PKI Resource Query Protocol (PRQP), applications can easily interact with Certificate Service Providers for certificate issuing, renewal, revocation, etc. without requiring any configuration from the user or the system administrators.

There are two main types of messages: PKI_MSG_REQ and PKI_MSG_RESP.


Generating a new Certification Request

This example shows how to generate a new certificate request, set the encoding protocol (in this case Cisco's SCEP), and send it to a known URL (the CA's SCEP interface).

  #include <libpki/pki.h>
  
  int main () {
  
       PKI_MSG_REQ *msg = NULL;       /* the request that will be sent to the CA */
       PKI_MSG_RESP *r = NULL;        /* the response returned by the CA */
       PKI_X509_CERT *cacert = NULL;  /* CA certificate used to protect the exchange */
       PKI_TOKEN *tk = NULL;          /* holds the newly generated keypair */
  
       char *subject = "DC=openca,DC=org,O=OpenCA,ST=NH,L=Hanover,CN=SCEP Max Test";
       char *url_s = NULL;            /* NULL: let PRQP discover the CA's SCEP URL */
  
       /* --------------------------- Initialization ---------------------------- */
  
       PKI_init_all();
   
       if(( PKI_log_init (PKI_LOG_TYPE_STDERR, PKI_LOG_INFO, NULL,
                       PKI_LOG_FLAGS_ENABLE_DEBUG, NULL )) == PKI_ERR ) {
               exit(1);
       }
   
       /* The CA certificate is the trust anchor for the whole exchange, so it has
          to be obtained and verified out of band before it is used here */
       if((cacert = PKI_X509_CERT_get( "cacert.crt", NULL, NULL )) == NULL ){
               printf("ERROR, can not load cacert.crt!\n\n");
               exit(1);
       }
  
       /* ------------------------ Generate a new Token ------------------------- */
  
       if((tk = PKI_TOKEN_new_null()) == NULL ) {
               printf("ERROR, can not create a new token!\n");
               exit ( 1 );
       }
  
       /* 1024-bit key as in the original example; 2048 bits or more is advisable
          for anything beyond a test setup */
       if((PKI_TOKEN_new_keypair(tk, 1024, NULL)) == PKI_ERR){
               printf("ERROR, can not generate new keypair!\n");
               exit(1);
       }
  
       /* --------------------- Generate a new PKI_MSG_REQ ---------------------- */
  
       if((msg = PKI_MSG_REQ_new ( PKI_MSG_REQ_ACTION_CERTREQ,
               subject, NULL, tk->keypair, NULL, cacert )) == NULL ) {
               PKI_log_err ("Can not generate a new PKI_MSG!");
               exit(1);
       }
   
       // Set the LOA and CertificateTemplate extensions
       PKI_MSG_REQ_set_loa ( msg, "2");
       PKI_MSG_REQ_set_template ( msg, "CA Operator");
      
       // Set the encoding protocol (SCEP)
       PKI_MSG_REQ_set_proto( msg, PKI_MSG_PROTO_SCEP );
  
       // Sends the message to the URL. If (as in this case) the URL is NULL, the
       // appropriate URL is searched for by using the PRQP protocol
       if(( r = PKI_MSG_REQ_send ( msg, NULL, url_s )) == NULL ) {
               PKI_log_err ("ERROR::Can not get Response!");
               return 1;
       }
   
       /* ----------------------- Saving Info ------------------------------------ */
  
       // Saves the message request into the "request.pem" file
       PKI_MSG_REQ_put ( msg, PKI_DATA_FORMAT_PEM, "request.pem",
               NULL, NULL, NULL, 0 );
       // Saves the response received into the "response.pem" file
       PKI_MSG_RESP_put ( r, PKI_DATA_FORMAT_PEM, "response.pem",
               NULL, NULL, NULL );
   
       return(0);
  }