|
Packit |
6b81fa |
/*
|
|
Packit |
6b81fa |
* Copyright (c) 2015 Red Hat, Inc.
|
|
Packit |
6b81fa |
* All rights reserved.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* Redistribution and use in source and binary forms, with or without
|
|
Packit |
6b81fa |
* modification, are permitted provided that the following conditions
|
|
Packit |
6b81fa |
* are met:
|
|
Packit |
6b81fa |
* 1. Redistributions of source code must retain the above copyright
|
|
Packit |
6b81fa |
* notice, this list of conditions and the following disclaimer.
|
|
Packit |
6b81fa |
* 2. Redistributions in binary form must reproduce the above copyright
|
|
Packit |
6b81fa |
* notice, this list of conditions and the following disclaimer in the
|
|
Packit |
6b81fa |
* documentation and/or other materials provided with the distribution.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
Packit |
6b81fa |
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
Packit |
6b81fa |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
Packit |
6b81fa |
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
Packit |
6b81fa |
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
Packit |
6b81fa |
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
Packit |
6b81fa |
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
Packit |
6b81fa |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
Packit |
6b81fa |
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
Packit |
6b81fa |
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
Packit |
6b81fa |
* SUCH DAMAGE.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
*/
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#include <stdio.h>
|
|
Packit |
6b81fa |
#include <stdlib.h>
|
|
Packit |
6b81fa |
#include <stdint.h>
|
|
Packit |
6b81fa |
#include <stdbool.h>
|
|
Packit |
6b81fa |
#include <string.h>
|
|
Packit |
6b81fa |
#include <getopt.h>
|
|
Packit |
6b81fa |
#include <err.h>
|
|
Packit |
6b81fa |
#include <arpa/inet.h>
|
|
Packit |
6b81fa |
#include <openssl/evp.h>
|
|
Packit |
6b81fa |
#include <openssl/pem.h>
|
|
Packit |
6b81fa |
#include <openssl/err.h>
|
|
Packit |
6b81fa |
#include <openssl/engine.h>
|
|
Packit |
6b81fa |
#include <openssl/conf.h>
|
|
Packit |
6b81fa |
#include <openssl/ui.h>
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* UI method that's only used to fail if get_pin inside engine_pkcs11
|
|
Packit |
6b81fa |
* has failed to pick up in a PIN sent in with ENGINE_ctrl_cmd_string */
|
|
Packit |
6b81fa |
static UI_METHOD *ui_detect_failed_ctrl = NULL;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static int ui_open_fail(UI *ui)
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
(void) ui;
|
|
Packit |
6b81fa |
fprintf(stderr, "It seems like get_pin fell through even though the pin should already be set!\n");
|
|
Packit |
6b81fa |
return 0;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* method that's to be used for prompting with a default (which is an
|
|
Packit |
6b81fa |
* alternative to sending in a PIN sent in with ENGINE_ctrl_cmd_string) */
|
|
Packit |
6b81fa |
static UI_METHOD *ui_console_with_default = NULL;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static int ui_read(UI *ui, UI_STRING *uis)
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
|
|
Packit |
6b81fa |
UI_get0_user_data(ui)) {
|
|
Packit |
6b81fa |
switch (UI_get_string_type(uis)) {
|
|
Packit |
6b81fa |
case UIT_PROMPT:
|
|
Packit |
6b81fa |
case UIT_VERIFY:
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
/* If there is a default PIN, use it
|
|
Packit |
6b81fa |
* instead of reading from the console */
|
|
Packit |
6b81fa |
const char *password =
|
|
Packit |
6b81fa |
((const char *)UI_get0_user_data(ui));
|
|
Packit |
6b81fa |
if (password && password[0] != '\0') {
|
|
Packit |
6b81fa |
UI_set_result(ui, uis, password);
|
|
Packit |
6b81fa |
return 1;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
default:
|
|
Packit |
6b81fa |
break;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
return UI_method_get_reader(UI_OpenSSL())(ui, uis);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static int ui_write(UI *ui, UI_STRING *uis)
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
|
|
Packit |
6b81fa |
UI_get0_user_data(ui)) {
|
|
Packit |
6b81fa |
switch (UI_get_string_type(uis)) {
|
|
Packit |
6b81fa |
case UIT_PROMPT:
|
|
Packit |
6b81fa |
case UIT_VERIFY:
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
/* If there is a default PIN, just
|
|
Packit |
6b81fa |
* return without outputing any prompt */
|
|
Packit |
6b81fa |
const char *password =
|
|
Packit |
6b81fa |
((const char *)UI_get0_user_data(ui));
|
|
Packit |
6b81fa |
if (password && password[0] != '\0')
|
|
Packit |
6b81fa |
return 1;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
default:
|
|
Packit |
6b81fa |
break;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
return UI_method_get_writer(UI_OpenSSL())(ui, uis);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static void setup_ui()
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
UI_METHOD *default_method = UI_OpenSSL();
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ui_detect_failed_ctrl = UI_create_method("Fail if used");
|
|
Packit |
6b81fa |
UI_method_set_opener(ui_detect_failed_ctrl, ui_open_fail);
|
|
Packit |
6b81fa |
/* No other functions need setting, as the UI will never use them */
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ui_console_with_default = UI_create_method("Reader with possible default");
|
|
Packit |
6b81fa |
UI_method_set_opener(ui_console_with_default,
|
|
Packit |
6b81fa |
UI_method_get_opener(default_method));
|
|
Packit |
6b81fa |
UI_method_set_reader(ui_console_with_default, ui_read);
|
|
Packit |
6b81fa |
UI_method_set_writer(ui_console_with_default, ui_write);
|
|
Packit |
6b81fa |
UI_method_set_flusher(ui_console_with_default,
|
|
Packit |
6b81fa |
UI_method_get_flusher(default_method));
|
|
Packit |
6b81fa |
UI_method_set_closer(ui_console_with_default,
|
|
Packit |
6b81fa |
UI_method_get_closer(default_method));
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static void display_openssl_errors(int l)
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
const char *file;
|
|
Packit |
6b81fa |
char buf[120];
|
|
Packit |
6b81fa |
int e, line;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (ERR_peek_error() == 0)
|
|
Packit |
6b81fa |
return;
|
|
Packit |
6b81fa |
fprintf(stderr, "At main.c:%d:\n", l);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
while ((e = ERR_get_error_line(&file, &line))) {
|
|
Packit |
6b81fa |
ERR_error_string(e, buf);
|
|
Packit |
6b81fa |
fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
int main(int argc, char **argv)
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
char *private_key_name, *public_key_name;
|
|
Packit |
6b81fa |
unsigned char buf[4096];
|
|
Packit |
6b81fa |
const EVP_MD *digest_algo;
|
|
Packit |
6b81fa |
EVP_PKEY *private_key, *public_key;
|
|
Packit |
6b81fa |
char *key_pass = NULL;
|
|
Packit |
6b81fa |
unsigned n;
|
|
Packit |
6b81fa |
int ret;
|
|
Packit |
6b81fa |
ENGINE *e;
|
|
Packit |
6b81fa |
EVP_MD_CTX *ctx;
|
|
Packit |
6b81fa |
const char *module_path, *efile;
|
|
Packit |
6b81fa |
enum { NONE, BY_DEFAULT, BY_CTRL } pin_method = NONE;
|
|
Packit |
6b81fa |
UI_METHOD *ui_method = NULL;
|
|
Packit |
6b81fa |
void *ui_extra = NULL;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (argc < 5) {
|
|
Packit |
6b81fa |
fprintf(stderr, "usage: %s [PIN setting method] [PIN] [CONF] [private key URL] [public key URL] [module]\n", argv[0]);
|
|
Packit |
6b81fa |
fprintf(stderr, "\n");
|
|
Packit |
6b81fa |
fprintf(stderr, "PIN setting method can be 'default' or 'ctrl'\n");
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (strcmp(argv[1], "default") == 0)
|
|
Packit |
6b81fa |
pin_method = BY_DEFAULT;
|
|
Packit |
6b81fa |
else if (strcmp(argv[1], "ctrl") == 0)
|
|
Packit |
6b81fa |
pin_method = BY_CTRL;
|
|
Packit |
6b81fa |
else {
|
|
Packit |
6b81fa |
fprintf(stderr, "First argument MUST be 'default' or 'ctrl'\n");
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
key_pass = argv[2];
|
|
Packit |
6b81fa |
efile = argv[3];
|
|
Packit |
6b81fa |
private_key_name = argv[4];
|
|
Packit |
6b81fa |
public_key_name = argv[5];
|
|
Packit |
6b81fa |
module_path = argv[6];
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
setup_ui();
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ret = CONF_modules_load_file(efile, "engines", 0);
|
|
Packit |
6b81fa |
if (ret <= 0) {
|
|
Packit |
6b81fa |
fprintf(stderr, "cannot load %s\n", efile);
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ENGINE_add_conf_module();
|
|
Packit |
6b81fa |
#if OPENSSL_VERSION_NUMBER>=0x10100000
|
|
Packit |
6b81fa |
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
|
|
Packit |
6b81fa |
| OPENSSL_INIT_ADD_ALL_DIGESTS \
|
|
Packit |
6b81fa |
| OPENSSL_INIT_LOAD_CONFIG, NULL);
|
|
Packit |
6b81fa |
#else
|
|
Packit |
6b81fa |
OpenSSL_add_all_algorithms();
|
|
Packit |
6b81fa |
OpenSSL_add_all_digests();
|
|
Packit |
6b81fa |
ERR_load_crypto_strings();
|
|
Packit |
6b81fa |
#endif
|
|
Packit |
6b81fa |
ERR_clear_error();
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ENGINE_load_builtin_engines();
|
|
Packit |
6b81fa |
e = ENGINE_by_id("pkcs11");
|
|
Packit |
6b81fa |
if (e == NULL) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (!ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0)) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (!ENGINE_ctrl_cmd_string(e, "MODULE_PATH", module_path, 0)) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (!ENGINE_init(e)) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
switch (pin_method) {
|
|
Packit |
6b81fa |
case BY_DEFAULT:
|
|
Packit |
6b81fa |
ui_method = ui_console_with_default;
|
|
Packit |
6b81fa |
ui_extra = key_pass;
|
|
Packit |
6b81fa |
break;
|
|
Packit |
6b81fa |
case BY_CTRL:
|
|
Packit |
6b81fa |
ui_method = ui_detect_failed_ctrl;
|
|
Packit |
6b81fa |
ui_extra = NULL;
|
|
Packit |
6b81fa |
if (key_pass && !ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
default: /* NONE */
|
|
Packit |
6b81fa |
break;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
private_key = ENGINE_load_private_key(e, private_key_name,
|
|
Packit |
6b81fa |
ui_method, ui_extra);
|
|
Packit |
6b81fa |
if (private_key == NULL) {
|
|
Packit |
6b81fa |
fprintf(stderr, "cannot load: %s\n", private_key_name);
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
public_key = ENGINE_load_public_key(e, public_key_name,
|
|
Packit |
6b81fa |
ui_method, ui_extra);
|
|
Packit |
6b81fa |
if (public_key == NULL) {
|
|
Packit |
6b81fa |
fprintf(stderr, "cannot load: %s\n", public_key_name);
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
digest_algo = EVP_get_digestbyname("sha1");
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ctx = EVP_MD_CTX_create();
|
|
Packit |
6b81fa |
if (EVP_DigestInit(ctx, digest_algo) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
EVP_SignInit(ctx, digest_algo);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#define TEST_DATA "test data"
|
|
Packit |
6b81fa |
if (EVP_SignUpdate(ctx, TEST_DATA, sizeof(TEST_DATA)) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
n = sizeof(buf);
|
|
Packit |
6b81fa |
if (EVP_SignFinal(ctx, buf, &n, private_key) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
EVP_MD_CTX_destroy(ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
printf("Signature created\n");
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ctx = EVP_MD_CTX_create();
|
|
Packit |
6b81fa |
if (EVP_DigestInit(ctx, digest_algo) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (EVP_DigestVerifyInit(ctx, NULL, digest_algo, NULL, public_key) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (EVP_DigestVerifyUpdate(ctx, TEST_DATA, sizeof(TEST_DATA)) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (EVP_DigestVerifyFinal(ctx, buf, n) <= 0) {
|
|
Packit |
6b81fa |
display_openssl_errors(__LINE__);
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
EVP_MD_CTX_destroy(ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
printf("Signature verified\n");
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#else /* OPENSSL_VERSION_NUMBER >= 0x1000000fL */
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
printf("Unable to verify signature with %s\n", OPENSSL_VERSION_TEXT);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#endif /* OPENSSL_VERSION_NUMBER >= 0x1000000fL */
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
ENGINE_finish(e);
|
|
Packit |
6b81fa |
CONF_modules_unload(1);
|
|
Packit |
6b81fa |
return 0;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* vim: set noexpandtab: */
|