|
Packit |
6b81fa |
/* libp11 example code: auth.c
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* This examply simply connects to your smart card
|
|
Packit |
6b81fa |
* and does a public key authentication.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
* Feel free to copy all of the code as needed.
|
|
Packit |
6b81fa |
*
|
|
Packit |
6b81fa |
*/
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#include <sys/types.h>
|
|
Packit |
6b81fa |
#include <sys/stat.h>
|
|
Packit |
6b81fa |
#include <fcntl.h>
|
|
Packit |
6b81fa |
#include <termios.h>
|
|
Packit |
6b81fa |
#include <stdio.h>
|
|
Packit |
6b81fa |
#include <unistd.h>
|
|
Packit |
6b81fa |
#include <string.h>
|
|
Packit |
6b81fa |
#include <sys/types.h>
|
|
Packit |
6b81fa |
#include <sys/wait.h>
|
|
Packit |
6b81fa |
#include <libp11.h>
|
|
Packit |
6b81fa |
#include <unistd.h>
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#define RANDOM_SOURCE "/dev/urandom"
|
|
Packit |
6b81fa |
#define RANDOM_SIZE 20
|
|
Packit |
6b81fa |
#define MAX_SIGSIZE 1024
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
#if OPENSSL_VERSION_NUMBER < 0x10100003L
|
|
Packit |
6b81fa |
#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
|
|
Packit |
6b81fa |
#endif
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static void do_fork();
|
|
Packit |
6b81fa |
static void error_queue(const char *name);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
int main(int argc, char *argv[])
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
PKCS11_CTX *ctx;
|
|
Packit |
6b81fa |
PKCS11_SLOT *slots, *slot;
|
|
Packit |
6b81fa |
PKCS11_CERT *certs;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
PKCS11_KEY *authkey;
|
|
Packit |
6b81fa |
PKCS11_CERT *authcert;
|
|
Packit |
6b81fa |
EVP_PKEY *privkey = NULL, *pubkey = NULL;
|
|
Packit |
6b81fa |
const EVP_MD *digest_algo = NULL;
|
|
Packit |
6b81fa |
EVP_MD_CTX *md_ctx = NULL;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
unsigned char *random = NULL, *signature = NULL;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
char password[20];
|
|
Packit |
6b81fa |
int rc = 0, fd;
|
|
Packit |
6b81fa |
unsigned int nslots, ncerts, siglen;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (argc < 2) {
|
|
Packit |
6b81fa |
fprintf(stderr,
|
|
Packit |
6b81fa |
"usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n",
|
|
Packit |
6b81fa |
argv[0]);
|
|
Packit |
6b81fa |
return 1;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
ctx = PKCS11_CTX_new();
|
|
Packit |
6b81fa |
error_queue("PKCS11_CTX_new");
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* load pkcs #11 module */
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
rc = PKCS11_CTX_load(ctx, argv[1]);
|
|
Packit |
6b81fa |
error_queue("PKCS11_CTX_load");
|
|
Packit |
6b81fa |
if (rc) {
|
|
Packit |
6b81fa |
fprintf(stderr, "loading pkcs11 engine failed: %s\n",
|
|
Packit |
6b81fa |
ERR_reason_error_string(ERR_get_error()));
|
|
Packit |
6b81fa |
rc = 1;
|
|
Packit |
6b81fa |
goto nolib;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* get information on all slots */
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
|
|
Packit |
6b81fa |
error_queue("PKCS11_enumerate_slots");
|
|
Packit |
6b81fa |
if (rc < 0) {
|
|
Packit |
6b81fa |
fprintf(stderr, "no slots available\n");
|
|
Packit |
6b81fa |
rc = 2;
|
|
Packit |
6b81fa |
goto noslots;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* get first slot with a token */
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
slot = PKCS11_find_token(ctx, slots, nslots);
|
|
Packit |
6b81fa |
error_queue("PKCS11_find_token");
|
|
Packit |
6b81fa |
if (slot == NULL || slot->token == NULL) {
|
|
Packit |
6b81fa |
fprintf(stderr, "no token available\n");
|
|
Packit |
6b81fa |
rc = 3;
|
|
Packit |
6b81fa |
goto notoken;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
printf("Slot manufacturer......: %s\n", slot->manufacturer);
|
|
Packit |
6b81fa |
printf("Slot description.......: %s\n", slot->description);
|
|
Packit |
6b81fa |
printf("Slot token label.......: %s\n", slot->token->label);
|
|
Packit |
6b81fa |
printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
|
|
Packit |
6b81fa |
printf("Slot token model.......: %s\n", slot->token->model);
|
|
Packit |
6b81fa |
printf("Slot token serialnr....: %s\n", slot->token->serialnr);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (!slot->token->loginRequired)
|
|
Packit |
6b81fa |
goto loggedin;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* get password */
|
|
Packit |
6b81fa |
if (argc > 2) {
|
|
Packit |
6b81fa |
strcpy(password, argv[2]);
|
|
Packit |
6b81fa |
} else {
|
|
Packit |
6b81fa |
exit(1);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
loggedin:
|
|
Packit |
6b81fa |
/* perform pkcs #11 login */
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
rc = PKCS11_login(slot, 0, password);
|
|
Packit |
6b81fa |
error_queue("PKCS11_login");
|
|
Packit |
6b81fa |
memset(password, 0, strlen(password));
|
|
Packit |
6b81fa |
if (rc != 0) {
|
|
Packit |
6b81fa |
fprintf(stderr, "PKCS11_login failed\n");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* get all certs */
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
|
|
Packit |
6b81fa |
error_queue("PKCS11_enumerate_certs");
|
|
Packit |
6b81fa |
if (rc) {
|
|
Packit |
6b81fa |
fprintf(stderr, "PKCS11_enumerate_certs failed\n");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
if (ncerts == 0) {
|
|
Packit |
6b81fa |
fprintf(stderr, "no certificates found\n");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* use the first cert */
|
|
Packit |
6b81fa |
authcert=&certs[0];
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* get random bytes */
|
|
Packit |
6b81fa |
random = OPENSSL_malloc(RANDOM_SIZE);
|
|
Packit |
6b81fa |
if (random == NULL)
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
fd = open(RANDOM_SOURCE, O_RDONLY);
|
|
Packit |
6b81fa |
if (fd < 0) {
|
|
Packit |
6b81fa |
fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
|
|
Packit |
6b81fa |
strerror(errno));
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
rc = read(fd, random, RANDOM_SIZE);
|
|
Packit |
6b81fa |
if (rc < 0) {
|
|
Packit |
6b81fa |
fprintf(stderr, "fatal: read from random source failed: %s\n",
|
|
Packit |
6b81fa |
strerror(errno));
|
|
Packit |
6b81fa |
close(fd);
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (rc < RANDOM_SIZE) {
|
|
Packit |
6b81fa |
fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
|
|
Packit |
6b81fa |
rc, RANDOM_SIZE);
|
|
Packit |
6b81fa |
close(fd);
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
close(fd);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
authkey = PKCS11_find_key(authcert);
|
|
Packit |
6b81fa |
error_queue("PKCS11_find_key");
|
|
Packit |
6b81fa |
if (authkey == NULL) {
|
|
Packit |
6b81fa |
fprintf(stderr, "no key matching certificate available\n");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* ask for a sha1 hash of the random data, signed by the key */
|
|
Packit |
6b81fa |
siglen = MAX_SIGSIZE;
|
|
Packit |
6b81fa |
signature = OPENSSL_malloc(MAX_SIGSIZE);
|
|
Packit |
6b81fa |
if (signature == NULL)
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
digest_algo = EVP_get_digestbyname("sha256");
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
do_fork();
|
|
Packit |
6b81fa |
privkey = PKCS11_get_private_key(authkey);
|
|
Packit |
6b81fa |
if (privkey == NULL) {
|
|
Packit |
6b81fa |
fprintf(stderr, "Could not extract the private key\n");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* sign on the PKCS#11 device */
|
|
Packit |
6b81fa |
md_ctx = EVP_MD_CTX_create();
|
|
Packit |
6b81fa |
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
|
|
Packit |
6b81fa |
error_queue("EVP_DigestInit");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
EVP_SignInit(md_ctx, digest_algo);
|
|
Packit |
6b81fa |
if (EVP_SignUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
|
|
Packit |
6b81fa |
error_queue("EVP_SignUpdate");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (EVP_SignFinal(md_ctx, signature, &siglen, privkey) <= 0) {
|
|
Packit |
6b81fa |
error_queue("EVP_SignFinal");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
EVP_MD_CTX_destroy(md_ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
printf("%u-byte signature created\n", siglen);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Get the public key for verification */
|
|
Packit |
6b81fa |
pubkey = X509_get_pubkey(authcert->x509);
|
|
Packit |
6b81fa |
if (pubkey == NULL) {
|
|
Packit |
6b81fa |
fprintf(stderr, "Could not extract the public key\n");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* Now verify the result */
|
|
Packit |
6b81fa |
md_ctx = EVP_MD_CTX_create();
|
|
Packit |
6b81fa |
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
|
|
Packit |
6b81fa |
error_queue("EVP_DigestInit");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
EVP_VerifyInit(md_ctx, digest_algo);
|
|
Packit |
6b81fa |
if (EVP_VerifyUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
|
|
Packit |
6b81fa |
error_queue("EVP_VerifyUpdate");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (EVP_VerifyFinal(md_ctx, signature, siglen, pubkey) <= 0) {
|
|
Packit |
6b81fa |
error_queue("EVP_VerifyFinal");
|
|
Packit |
6b81fa |
goto failed;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
printf("Signature matched\n");
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
if (md_ctx != NULL)
|
|
Packit |
6b81fa |
EVP_MD_CTX_destroy(md_ctx);
|
|
Packit |
6b81fa |
if (privkey != NULL)
|
|
Packit |
6b81fa |
EVP_PKEY_free(privkey);
|
|
Packit |
6b81fa |
if (pubkey != NULL)
|
|
Packit |
6b81fa |
EVP_PKEY_free(pubkey);
|
|
Packit |
6b81fa |
if (random != NULL)
|
|
Packit |
6b81fa |
OPENSSL_free(random);
|
|
Packit |
6b81fa |
if (signature != NULL)
|
|
Packit |
6b81fa |
OPENSSL_free(signature);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
PKCS11_release_all_slots(ctx, slots, nslots);
|
|
Packit |
6b81fa |
PKCS11_CTX_unload(ctx);
|
|
Packit |
6b81fa |
PKCS11_CTX_free(ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
printf("Cleanup complete\n");
|
|
Packit |
6b81fa |
return 0;
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
failed:
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
notoken:
|
|
Packit |
6b81fa |
PKCS11_release_all_slots(ctx, slots, nslots);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
noslots:
|
|
Packit |
6b81fa |
PKCS11_CTX_unload(ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
nolib:
|
|
Packit |
6b81fa |
PKCS11_CTX_free(ctx);
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
printf("authentication failed.\n");
|
|
Packit |
6b81fa |
return 1;
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static void do_fork()
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
int status = 0;
|
|
Packit |
6b81fa |
pid_t pid = fork();
|
|
Packit |
6b81fa |
switch (pid) {
|
|
Packit |
6b81fa |
case -1: /* failed */
|
|
Packit |
6b81fa |
perror("fork");
|
|
Packit |
6b81fa |
exit(5);
|
|
Packit |
6b81fa |
case 0: /* child */
|
|
Packit |
6b81fa |
return;
|
|
Packit |
6b81fa |
default: /* parent */
|
|
Packit |
6b81fa |
waitpid(pid, &status, 0);
|
|
Packit |
6b81fa |
if (WIFEXITED(status))
|
|
Packit |
6b81fa |
exit(WEXITSTATUS(status));
|
|
Packit |
6b81fa |
if (WIFSIGNALED(status))
|
|
Packit |
6b81fa |
fprintf(stderr, "Child terminated by signal #%d\n",
|
|
Packit |
6b81fa |
WTERMSIG(status));
|
|
Packit |
6b81fa |
else
|
|
Packit |
6b81fa |
perror("waitpid");
|
|
Packit |
6b81fa |
exit(2);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
static void error_queue(const char *name)
|
|
Packit |
6b81fa |
{
|
|
Packit |
6b81fa |
if (ERR_peek_last_error()) {
|
|
Packit |
6b81fa |
fprintf(stderr, "%s generated errors:\n", name);
|
|
Packit |
6b81fa |
ERR_print_errors_fp(stderr);
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
}
|
|
Packit |
6b81fa |
|
|
Packit |
6b81fa |
/* vim: set noexpandtab: */
|