source-git / openssl-pkcs11

Clone
Source Code
GIT

Blame tests/fork-test.c

c8 c8s master
  1.   9757296765624140ce25c0303b820c04f34a5b29
  2.   tests
  3.   fork-test.c
Blob History Raw
Packit 6b81fa 
/* libp11 example code: auth.c
Packit 6b81fa 
 *
Packit 6b81fa 
 * This examply simply connects to your smart card
Packit 6b81fa 
 * and does a public key authentication.
Packit 6b81fa 
 *
Packit 6b81fa 
 * Feel free to copy all of the code as needed.
Packit 6b81fa 
 *
Packit 6b81fa 
 */
Packit 6b81fa
Packit 6b81fa 
#include <sys/types.h>
Packit 6b81fa 
#include <sys/stat.h>
Packit 6b81fa 
#include <fcntl.h>
Packit 6b81fa 
#include <termios.h>
Packit 6b81fa 
#include <stdio.h>
Packit 6b81fa 
#include <unistd.h>
Packit 6b81fa 
#include <string.h>
Packit 6b81fa 
#include <sys/types.h>
Packit 6b81fa 
#include <sys/wait.h>
Packit 6b81fa 
#include <libp11.h>
Packit 6b81fa 
#include <unistd.h>
Packit 6b81fa
Packit 6b81fa 
#define RANDOM_SOURCE "/dev/urandom"
Packit 6b81fa 
#define RANDOM_SIZE 20
Packit 6b81fa 
#define MAX_SIGSIZE 1024
Packit 6b81fa
Packit 6b81fa 
#if OPENSSL_VERSION_NUMBER < 0x10100003L
Packit 6b81fa 
#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)
Packit 6b81fa 
#endif
Packit 6b81fa
Packit 6b81fa 
static void do_fork();
Packit 6b81fa 
static void error_queue(const char *name);
Packit 6b81fa
Packit 6b81fa 
int main(int argc, char *argv[])
Packit 6b81fa 
{
Packit 6b81fa 
	PKCS11_CTX *ctx;
Packit 6b81fa 
	PKCS11_SLOT *slots, *slot;
Packit 6b81fa 
	PKCS11_CERT *certs;
Packit 6b81fa
Packit 6b81fa 
	PKCS11_KEY *authkey;
Packit 6b81fa 
	PKCS11_CERT *authcert;
Packit 6b81fa 
	EVP_PKEY *privkey = NULL, *pubkey = NULL;
Packit 6b81fa 
	const EVP_MD *digest_algo = NULL;
Packit 6b81fa 
	EVP_MD_CTX *md_ctx = NULL;
Packit 6b81fa
Packit 6b81fa 
	unsigned char *random = NULL, *signature = NULL;
Packit 6b81fa
Packit 6b81fa 
	char password[20];
Packit 6b81fa 
	int rc = 0, fd;
Packit 6b81fa 
	unsigned int nslots, ncerts, siglen;
Packit 6b81fa
Packit 6b81fa 
	if (argc < 2) {
Packit 6b81fa 
		fprintf(stderr,
Packit 6b81fa 
			"usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n",
Packit 6b81fa 
			argv[0]);
Packit 6b81fa 
		return 1;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	ctx = PKCS11_CTX_new();
Packit 6b81fa 
	error_queue("PKCS11_CTX_new");
Packit 6b81fa
Packit 6b81fa 
	/* load pkcs #11 module */
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	rc = PKCS11_CTX_load(ctx, argv[1]);
Packit 6b81fa 
	error_queue("PKCS11_CTX_load");
Packit 6b81fa 
	if (rc) {
Packit 6b81fa 
		fprintf(stderr, "loading pkcs11 engine failed: %s\n",
Packit 6b81fa 
			ERR_reason_error_string(ERR_get_error()));
Packit 6b81fa 
		rc = 1;
Packit 6b81fa 
		goto nolib;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* get information on all slots */
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
Packit 6b81fa 
	error_queue("PKCS11_enumerate_slots");
Packit 6b81fa 
	if (rc < 0) {
Packit 6b81fa 
		fprintf(stderr, "no slots available\n");
Packit 6b81fa 
		rc = 2;
Packit 6b81fa 
		goto noslots;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* get first slot with a token */
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	slot = PKCS11_find_token(ctx, slots, nslots);
Packit 6b81fa 
	error_queue("PKCS11_find_token");
Packit 6b81fa 
	if (slot == NULL || slot->token == NULL) {
Packit 6b81fa 
		fprintf(stderr, "no token available\n");
Packit 6b81fa 
		rc = 3;
Packit 6b81fa 
		goto notoken;
Packit 6b81fa 
	}
Packit 6b81fa 
	printf("Slot manufacturer......: %s\n", slot->manufacturer);
Packit 6b81fa 
	printf("Slot description.......: %s\n", slot->description);
Packit 6b81fa 
	printf("Slot token label.......: %s\n", slot->token->label);
Packit 6b81fa 
	printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
Packit 6b81fa 
	printf("Slot token model.......: %s\n", slot->token->model);
Packit 6b81fa 
	printf("Slot token serialnr....: %s\n", slot->token->serialnr);
Packit 6b81fa
Packit 6b81fa 
	if (!slot->token->loginRequired)
Packit 6b81fa 
		goto loggedin;
Packit 6b81fa
Packit 6b81fa 
	/* get password */
Packit 6b81fa 
	if (argc > 2) {
Packit 6b81fa 
		strcpy(password, argv[2]);
Packit 6b81fa 
	} else {
Packit 6b81fa 
		exit(1);
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
loggedin:
Packit 6b81fa 
	/* perform pkcs #11 login */
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	rc = PKCS11_login(slot, 0, password);
Packit 6b81fa 
	error_queue("PKCS11_login");
Packit 6b81fa 
	memset(password, 0, strlen(password));
Packit 6b81fa 
	if (rc != 0) {
Packit 6b81fa 
		fprintf(stderr, "PKCS11_login failed\n");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* get all certs */
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
Packit 6b81fa 
	error_queue("PKCS11_enumerate_certs");
Packit 6b81fa 
	if (rc) {
Packit 6b81fa 
		fprintf(stderr, "PKCS11_enumerate_certs failed\n");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa 
	if (ncerts == 0) {
Packit 6b81fa 
		fprintf(stderr, "no certificates found\n");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* use the first cert */
Packit 6b81fa 
	authcert=&certs[0];
Packit 6b81fa
Packit 6b81fa 
	/* get random bytes */
Packit 6b81fa 
	random = OPENSSL_malloc(RANDOM_SIZE);
Packit 6b81fa 
	if (random == NULL)
Packit 6b81fa 
		goto failed;
Packit 6b81fa
Packit 6b81fa 
	fd = open(RANDOM_SOURCE, O_RDONLY);
Packit 6b81fa 
	if (fd < 0) {
Packit 6b81fa 
		fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
Packit 6b81fa 
				strerror(errno));
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	rc = read(fd, random, RANDOM_SIZE);
Packit 6b81fa 
	if (rc < 0) {
Packit 6b81fa 
		fprintf(stderr, "fatal: read from random source failed: %s\n",
Packit 6b81fa 
			strerror(errno));
Packit 6b81fa 
		close(fd);
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	if (rc < RANDOM_SIZE) {
Packit 6b81fa 
		fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
Packit 6b81fa 
			rc, RANDOM_SIZE);
Packit 6b81fa 
		close(fd);
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	close(fd);
Packit 6b81fa
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	authkey = PKCS11_find_key(authcert);
Packit 6b81fa 
	error_queue("PKCS11_find_key");
Packit 6b81fa 
	if (authkey == NULL) {
Packit 6b81fa 
		fprintf(stderr, "no key matching certificate available\n");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* ask for a sha1 hash of the random data, signed by the key */
Packit 6b81fa 
	siglen = MAX_SIGSIZE;
Packit 6b81fa 
	signature = OPENSSL_malloc(MAX_SIGSIZE);
Packit 6b81fa 
	if (signature == NULL)
Packit 6b81fa 
		goto failed;
Packit 6b81fa
Packit 6b81fa 
	digest_algo = EVP_get_digestbyname("sha256");
Packit 6b81fa
Packit 6b81fa 
	do_fork();
Packit 6b81fa 
	privkey = PKCS11_get_private_key(authkey);
Packit 6b81fa 
	if (privkey == NULL) {
Packit 6b81fa 
		fprintf(stderr, "Could not extract the private key\n");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* sign on the PKCS#11 device */
Packit 6b81fa 
	md_ctx = EVP_MD_CTX_create();
Packit 6b81fa 
	if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
Packit 6b81fa 
		error_queue("EVP_DigestInit");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	EVP_SignInit(md_ctx, digest_algo);
Packit 6b81fa 
	if (EVP_SignUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
Packit 6b81fa 
		error_queue("EVP_SignUpdate");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	if (EVP_SignFinal(md_ctx, signature, &siglen, privkey) <= 0) {
Packit 6b81fa 
		error_queue("EVP_SignFinal");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa 
	EVP_MD_CTX_destroy(md_ctx);
Packit 6b81fa
Packit 6b81fa 
	printf("%u-byte signature created\n", siglen);
Packit 6b81fa
Packit 6b81fa 
	/* Get the public key for verification */
Packit 6b81fa 
	pubkey = X509_get_pubkey(authcert->x509);
Packit 6b81fa 
	if (pubkey == NULL) {
Packit 6b81fa 
		fprintf(stderr, "Could not extract the public key\n");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	/* Now verify the result */
Packit 6b81fa 
	md_ctx = EVP_MD_CTX_create();
Packit 6b81fa 
	if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
Packit 6b81fa 
		error_queue("EVP_DigestInit");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	EVP_VerifyInit(md_ctx, digest_algo);
Packit 6b81fa 
	if (EVP_VerifyUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
Packit 6b81fa 
		error_queue("EVP_VerifyUpdate");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa
Packit 6b81fa 
	if (EVP_VerifyFinal(md_ctx, signature, siglen, pubkey) <= 0) {
Packit 6b81fa 
		error_queue("EVP_VerifyFinal");
Packit 6b81fa 
		goto failed;
Packit 6b81fa 
	}
Packit 6b81fa 
	printf("Signature matched\n");
Packit 6b81fa
Packit 6b81fa 
	if (md_ctx != NULL)
Packit 6b81fa 
		EVP_MD_CTX_destroy(md_ctx);
Packit 6b81fa 
	if (privkey != NULL)
Packit 6b81fa 
		EVP_PKEY_free(privkey);
Packit 6b81fa 
	if (pubkey != NULL)
Packit 6b81fa 
		EVP_PKEY_free(pubkey);
Packit 6b81fa 
	if (random != NULL)
Packit 6b81fa 
		OPENSSL_free(random);
Packit 6b81fa 
	if (signature != NULL)
Packit 6b81fa 
		OPENSSL_free(signature);
Packit 6b81fa
Packit 6b81fa 
	PKCS11_release_all_slots(ctx, slots, nslots);
Packit 6b81fa 
	PKCS11_CTX_unload(ctx);
Packit 6b81fa 
	PKCS11_CTX_free(ctx);
Packit 6b81fa
Packit 6b81fa 
	printf("Cleanup complete\n");
Packit 6b81fa 
	return 0;
Packit 6b81fa
Packit 6b81fa 
failed:
Packit 6b81fa
Packit 6b81fa 
notoken:
Packit 6b81fa 
	PKCS11_release_all_slots(ctx, slots, nslots);
Packit 6b81fa
Packit 6b81fa 
noslots:
Packit 6b81fa 
	PKCS11_CTX_unload(ctx);
Packit 6b81fa
Packit 6b81fa 
nolib:
Packit 6b81fa 
	PKCS11_CTX_free(ctx);
Packit 6b81fa
Packit 6b81fa 
	printf("authentication failed.\n");
Packit 6b81fa 
	return 1;
Packit 6b81fa 
}
Packit 6b81fa
Packit 6b81fa 
static void do_fork()
Packit 6b81fa 
{
Packit 6b81fa 
	int status = 0;
Packit 6b81fa 
	pid_t pid = fork();
Packit 6b81fa 
	switch (pid) {
Packit 6b81fa 
	case -1: /* failed */
Packit 6b81fa 
		perror("fork");
Packit 6b81fa 
		exit(5);
Packit 6b81fa 
	case 0: /* child */
Packit 6b81fa 
		return;
Packit 6b81fa 
	default: /* parent */
Packit 6b81fa 
		waitpid(pid, &status, 0);
Packit 6b81fa 
		if (WIFEXITED(status))
Packit 6b81fa 
			exit(WEXITSTATUS(status));
Packit 6b81fa 
		if (WIFSIGNALED(status))
Packit 6b81fa 
			fprintf(stderr, "Child terminated by signal #%d\n",
Packit 6b81fa 
				WTERMSIG(status));
Packit 6b81fa 
		else
Packit 6b81fa 
			perror("waitpid");
Packit 6b81fa 
		exit(2);
Packit 6b81fa 
	}
Packit 6b81fa 
}
Packit 6b81fa
Packit 6b81fa 
static void error_queue(const char *name)
Packit 6b81fa 
{
Packit 6b81fa 
	if (ERR_peek_last_error()) {
Packit 6b81fa 
		fprintf(stderr, "%s generated errors:\n", name);
Packit 6b81fa 
		ERR_print_errors_fp(stderr);
Packit 6b81fa 
	}
Packit 6b81fa 
}
Packit 6b81fa
Packit 6b81fa 
/* vim: set noexpandtab: */

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation