2
0

curlx.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574
  1. /*
  2. curlx.c Authors: Peter Sylvester, Jean-Paul Merlin
  3. This is a little program to demonstrate the usage of
  4. - an ssl initialisation callback setting a user key and trustbases
  5. coming from a pkcs12 file
  6. - using an ssl application callback to find a URI in the
  7. certificate presented during ssl session establishment.
  8. */
  9. /* <DESC>
  10. * demonstrates use of SSL context callback, requires OpenSSL
  11. * </DESC>
  12. */
  13. /*
  14. * Copyright (c) 2003 - 2019 The OpenEvidence Project. All rights reserved.
  15. *
  16. * Redistribution and use in source and binary forms, with or without
  17. * modification, are permitted provided that the following conditions
  18. * are met:
  19. *
  20. * 1. Redistributions of source code must retain the above copyright
  21. * notice, this list of conditions, the following disclaimer,
  22. * and the original OpenSSL and SSLeay Licences below.
  23. *
  24. * 2. Redistributions in binary form must reproduce the above copyright
  25. * notice, this list of conditions, the following disclaimer
  26. * and the original OpenSSL and SSLeay Licences below in
  27. * the documentation and/or other materials provided with the
  28. * distribution.
  29. *
  30. * 3. All advertising materials mentioning features or use of this
  31. * software must display the following acknowledgments:
  32. * "This product includes software developed by the Openevidence Project
  33. * for use in the OpenEvidence Toolkit. (http://www.openevidence.org/)"
  34. * This product includes software developed by the OpenSSL Project
  35. * for use in the OpenSSL Toolkit (https://www.openssl.org/)"
  36. * This product includes cryptographic software written by Eric Young
  37. * (eay@cryptsoft.com). This product includes software written by Tim
  38. * Hudson (tjh@cryptsoft.com)."
  39. *
  40. * 4. The names "OpenEvidence Toolkit" and "OpenEvidence Project" must not be
  41. * used to endorse or promote products derived from this software without
  42. * prior written permission. For written permission, please contact
  43. * openevidence-core@openevidence.org.
  44. *
  45. * 5. Products derived from this software may not be called "OpenEvidence"
  46. * nor may "OpenEvidence" appear in their names without prior written
  47. * permission of the OpenEvidence Project.
  48. *
  49. * 6. Redistributions of any form whatsoever must retain the following
  50. * acknowledgments:
  51. * "This product includes software developed by the OpenEvidence Project
  52. * for use in the OpenEvidence Toolkit (http://www.openevidence.org/)
  53. * This product includes software developed by the OpenSSL Project
  54. * for use in the OpenSSL Toolkit (https://www.openssl.org/)"
  55. * This product includes cryptographic software written by Eric Young
  56. * (eay@cryptsoft.com). This product includes software written by Tim
  57. * Hudson (tjh@cryptsoft.com)."
  58. *
  59. * THIS SOFTWARE IS PROVIDED BY THE OpenEvidence PROJECT ``AS IS'' AND ANY
  60. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  61. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  62. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenEvidence PROJECT OR
  63. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  64. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  65. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  66. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  67. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  68. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  69. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  70. * OF THE POSSIBILITY OF SUCH DAMAGE.
  71. * ====================================================================
  72. *
  73. * This product includes software developed by the OpenSSL Project
  74. * for use in the OpenSSL Toolkit (https://www.openssl.org/)
  75. * This product includes cryptographic software written by Eric Young
  76. * (eay@cryptsoft.com). This product includes software written by Tim
  77. * Hudson (tjh@cryptsoft.com).
  78. *
  79. */
  80. #include <stdio.h>
  81. #include <stdlib.h>
  82. #include <string.h>
  83. #include <curl/curl.h>
  84. #include <openssl/x509v3.h>
  85. #include <openssl/x509_vfy.h>
  86. #include <openssl/crypto.h>
  87. #include <openssl/lhash.h>
  88. #include <openssl/objects.h>
  89. #include <openssl/err.h>
  90. #include <openssl/evp.h>
  91. #include <openssl/x509.h>
  92. #include <openssl/pkcs12.h>
  93. #include <openssl/bio.h>
  94. #include <openssl/ssl.h>
  95. static const char *curlx_usage[]={
  96. "usage: curlx args\n",
  97. " -p12 arg - tia file ",
  98. " -envpass arg - environment variable which content the tia private"
  99. " key password",
  100. " -out arg - output file (response)- default stdout",
  101. " -in arg - input file (request)- default stdin",
  102. " -connect arg - URL of the server for the connection ex:"
  103. " www.openevidence.org",
  104. " -mimetype arg - MIME type for data in ex : application/timestamp-query"
  105. " or application/dvcs -default application/timestamp-query",
  106. " -acceptmime arg - MIME type acceptable for the response ex : "
  107. "application/timestamp-response or application/dvcs -default none",
  108. " -accesstype arg - an Object identifier in an AIA/SIA method, e.g."
  109. " AD_DVCS or ad_timestamping",
  110. NULL
  111. };
  112. /*
  113. ./curlx -p12 psy.p12 -envpass XX -in request -verbose -accesstype AD_DVCS
  114. -mimetype application/dvcs -acceptmime application/dvcs -out response
  115. */
  116. /*
  117. * We use this ZERO_NULL to avoid picky compiler warnings,
  118. * when assigning a NULL pointer to a function pointer var.
  119. */
  120. #define ZERO_NULL 0
  121. /* This is a context that we pass to all callbacks */
  122. typedef struct sslctxparm_st {
  123. unsigned char *p12file;
  124. const char *pst;
  125. PKCS12 *p12;
  126. EVP_PKEY *pkey;
  127. X509 *usercert;
  128. STACK_OF(X509) * ca;
  129. CURL *curl;
  130. BIO *errorbio;
  131. int accesstype;
  132. int verbose;
  133. } sslctxparm;
  134. /* some helper function. */
  135. static char *ia5string(ASN1_IA5STRING *ia5)
  136. {
  137. char *tmp;
  138. if(!ia5 || !ia5->length)
  139. return NULL;
  140. tmp = OPENSSL_malloc(ia5->length + 1);
  141. memcpy(tmp, ia5->data, ia5->length);
  142. tmp[ia5->length] = 0;
  143. return tmp;
  144. }
  145. /* A convenience routine to get an access URI. */
  146. static unsigned char *my_get_ext(X509 *cert, const int type,
  147. int extensiontype)
  148. {
  149. int i;
  150. STACK_OF(ACCESS_DESCRIPTION) * accessinfo;
  151. accessinfo = X509_get_ext_d2i(cert, extensiontype, NULL, NULL);
  152. if(!sk_ACCESS_DESCRIPTION_num(accessinfo))
  153. return NULL;
  154. for(i = 0; i < sk_ACCESS_DESCRIPTION_num(accessinfo); i++) {
  155. ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(accessinfo, i);
  156. if(OBJ_obj2nid(ad->method) == type) {
  157. if(ad->location->type == GEN_URI) {
  158. return ia5string(ad->location->d.ia5);
  159. }
  160. return NULL;
  161. }
  162. }
  163. return NULL;
  164. }
  165. /* This is an application verification call back, it does not
  166. perform any addition verification but tries to find a URL
  167. in the presented certificate. If found, this will become
  168. the URL to be used in the POST.
  169. */
  170. static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg)
  171. {
  172. sslctxparm * p = (sslctxparm *) arg;
  173. int ok;
  174. if(p->verbose > 2)
  175. BIO_printf(p->errorbio, "entering ssl_app_verify_callback\n");
  176. ok = X509_verify_cert(ctx);
  177. if(ok && ctx->cert) {
  178. unsigned char *accessinfo;
  179. if(p->verbose > 1)
  180. X509_print_ex(p->errorbio, ctx->cert, 0, 0);
  181. accessinfo = my_get_ext(ctx->cert, p->accesstype, NID_sinfo_access);
  182. if(accessinfo) {
  183. if(p->verbose)
  184. BIO_printf(p->errorbio, "Setting URL from SIA to: %s\n", accessinfo);
  185. curl_easy_setopt(p->curl, CURLOPT_URL, accessinfo);
  186. }
  187. else if(accessinfo = my_get_ext(ctx->cert, p->accesstype,
  188. NID_info_access)) {
  189. if(p->verbose)
  190. BIO_printf(p->errorbio, "Setting URL from AIA to: %s\n", accessinfo);
  191. curl_easy_setopt(p->curl, CURLOPT_URL, accessinfo);
  192. }
  193. }
  194. if(p->verbose > 2)
  195. BIO_printf(p->errorbio, "leaving ssl_app_verify_callback with %d\n", ok);
  196. return ok;
  197. }
  198. /* The SSL initialisation callback. The callback sets:
  199. - a private key and certificate
  200. - a trusted ca certificate
  201. - a preferred cipherlist
  202. - an application verification callback (the function above)
  203. */
  204. static CURLcode sslctxfun(CURL *curl, void *sslctx, void *parm)
  205. {
  206. sslctxparm *p = (sslctxparm *) parm;
  207. SSL_CTX *ctx = (SSL_CTX *) sslctx;
  208. if(!SSL_CTX_use_certificate(ctx, p->usercert)) {
  209. BIO_printf(p->errorbio, "SSL_CTX_use_certificate problem\n");
  210. goto err;
  211. }
  212. if(!SSL_CTX_use_PrivateKey(ctx, p->pkey)) {
  213. BIO_printf(p->errorbio, "SSL_CTX_use_PrivateKey\n");
  214. goto err;
  215. }
  216. if(!SSL_CTX_check_private_key(ctx)) {
  217. BIO_printf(p->errorbio, "SSL_CTX_check_private_key\n");
  218. goto err;
  219. }
  220. SSL_CTX_set_quiet_shutdown(ctx, 1);
  221. SSL_CTX_set_cipher_list(ctx, "RC4-MD5");
  222. SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  223. X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx),
  224. sk_X509_value(p->ca, sk_X509_num(p->ca)-1));
  225. SSL_CTX_set_verify_depth(ctx, 2);
  226. SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ZERO_NULL);
  227. SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, parm);
  228. return CURLE_OK;
  229. err:
  230. ERR_print_errors(p->errorbio);
  231. return CURLE_SSL_CERTPROBLEM;
  232. }
  233. int main(int argc, char **argv)
  234. {
  235. BIO* in = NULL;
  236. BIO* out = NULL;
  237. char *outfile = NULL;
  238. char *infile = NULL;
  239. int tabLength = 100;
  240. char *binaryptr;
  241. char *mimetype = NULL;
  242. char *mimetypeaccept = NULL;
  243. char *contenttype;
  244. const char **pp;
  245. unsigned char *hostporturl = NULL;
  246. BIO *p12bio;
  247. char **args = argv + 1;
  248. unsigned char *serverurl;
  249. sslctxparm p;
  250. char *response;
  251. CURLcode res;
  252. struct curl_slist *headers = NULL;
  253. int badarg = 0;
  254. binaryptr = malloc(tabLength);
  255. memset(&p, '\0', sizeof(p));
  256. p.errorbio = BIO_new_fp(stderr, BIO_NOCLOSE);
  257. curl_global_init(CURL_GLOBAL_DEFAULT);
  258. /* we need some more for the P12 decoding */
  259. OpenSSL_add_all_ciphers();
  260. OpenSSL_add_all_digests();
  261. ERR_load_crypto_strings();
  262. while(*args && *args[0] == '-') {
  263. if(!strcmp (*args, "-in")) {
  264. if(args[1]) {
  265. infile = *(++args);
  266. }
  267. else
  268. badarg = 1;
  269. }
  270. else if(!strcmp (*args, "-out")) {
  271. if(args[1]) {
  272. outfile = *(++args);
  273. }
  274. else
  275. badarg = 1;
  276. }
  277. else if(!strcmp (*args, "-p12")) {
  278. if(args[1]) {
  279. p.p12file = *(++args);
  280. }
  281. else
  282. badarg = 1;
  283. }
  284. else if(strcmp(*args, "-envpass") == 0) {
  285. if(args[1]) {
  286. p.pst = getenv(*(++args));
  287. }
  288. else
  289. badarg = 1;
  290. }
  291. else if(strcmp(*args, "-connect") == 0) {
  292. if(args[1]) {
  293. hostporturl = *(++args);
  294. }
  295. else
  296. badarg = 1;
  297. }
  298. else if(strcmp(*args, "-mimetype") == 0) {
  299. if(args[1]) {
  300. mimetype = *(++args);
  301. }
  302. else
  303. badarg = 1;
  304. }
  305. else if(strcmp(*args, "-acceptmime") == 0) {
  306. if(args[1]) {
  307. mimetypeaccept = *(++args);
  308. }
  309. else
  310. badarg = 1;
  311. }
  312. else if(strcmp(*args, "-accesstype") == 0) {
  313. if(args[1]) {
  314. p.accesstype = OBJ_obj2nid(OBJ_txt2obj(*++args, 0));
  315. if(p.accesstype == 0)
  316. badarg = 1;
  317. }
  318. else
  319. badarg = 1;
  320. }
  321. else if(strcmp(*args, "-verbose") == 0) {
  322. p.verbose++;
  323. }
  324. else
  325. badarg = 1;
  326. args++;
  327. }
  328. if(mimetype == NULL || mimetypeaccept == NULL || p.p12file == NULL)
  329. badarg = 1;
  330. if(badarg) {
  331. for(pp = curlx_usage; (*pp != NULL); pp++)
  332. BIO_printf(p.errorbio, "%s\n", *pp);
  333. BIO_printf(p.errorbio, "\n");
  334. goto err;
  335. }
  336. /* set input */
  337. in = BIO_new(BIO_s_file());
  338. if(in == NULL) {
  339. BIO_printf(p.errorbio, "Error setting input bio\n");
  340. goto err;
  341. }
  342. else if(infile == NULL)
  343. BIO_set_fp(in, stdin, BIO_NOCLOSE|BIO_FP_TEXT);
  344. else if(BIO_read_filename(in, infile) <= 0) {
  345. BIO_printf(p.errorbio, "Error opening input file %s\n", infile);
  346. BIO_free(in);
  347. goto err;
  348. }
  349. /* set output */
  350. out = BIO_new(BIO_s_file());
  351. if(out == NULL) {
  352. BIO_printf(p.errorbio, "Error setting output bio.\n");
  353. goto err;
  354. }
  355. else if(outfile == NULL)
  356. BIO_set_fp(out, stdout, BIO_NOCLOSE|BIO_FP_TEXT);
  357. else if(BIO_write_filename(out, outfile) <= 0) {
  358. BIO_printf(p.errorbio, "Error opening output file %s\n", outfile);
  359. BIO_free(out);
  360. goto err;
  361. }
  362. p.errorbio = BIO_new_fp(stderr, BIO_NOCLOSE);
  363. p.curl = curl_easy_init();
  364. if(!p.curl) {
  365. BIO_printf(p.errorbio, "Cannot init curl lib\n");
  366. goto err;
  367. }
  368. p12bio = BIO_new_file(p.p12file, "rb");
  369. if(!p12bio) {
  370. BIO_printf(p.errorbio, "Error opening P12 file %s\n", p.p12file);
  371. goto err;
  372. }
  373. p.p12 = d2i_PKCS12_bio(p12bio, NULL);
  374. if(!p.p12) {
  375. BIO_printf(p.errorbio, "Cannot decode P12 structure %s\n", p.p12file);
  376. goto err;
  377. }
  378. p.ca = NULL;
  379. if(!(PKCS12_parse (p.p12, p.pst, &(p.pkey), &(p.usercert), &(p.ca) ) )) {
  380. BIO_printf(p.errorbio, "Invalid P12 structure in %s\n", p.p12file);
  381. goto err;
  382. }
  383. if(sk_X509_num(p.ca) <= 0) {
  384. BIO_printf(p.errorbio, "No trustworthy CA given.%s\n", p.p12file);
  385. goto err;
  386. }
  387. if(p.verbose > 1)
  388. X509_print_ex(p.errorbio, p.usercert, 0, 0);
  389. /* determine URL to go */
  390. if(hostporturl) {
  391. size_t len = strlen(hostporturl) + 9;
  392. serverurl = malloc(len);
  393. snprintf(serverurl, len, "https://%s", hostporturl);
  394. }
  395. else if(p.accesstype != 0) { /* see whether we can find an AIA or SIA for a
  396. given access type */
  397. serverurl = my_get_ext(p.usercert, p.accesstype, NID_info_access);
  398. if(!serverurl) {
  399. int j = 0;
  400. BIO_printf(p.errorbio, "no service URL in user cert "
  401. "cherching in others certificats\n");
  402. for(j = 0; j<sk_X509_num(p.ca); j++) {
  403. serverurl = my_get_ext(sk_X509_value(p.ca, j), p.accesstype,
  404. NID_info_access);
  405. if(serverurl)
  406. break;
  407. serverurl = my_get_ext(sk_X509_value(p.ca, j), p.accesstype,
  408. NID_sinfo_access);
  409. if(serverurl)
  410. break;
  411. }
  412. }
  413. }
  414. if(!serverurl) {
  415. BIO_printf(p.errorbio, "no service URL in certificats,"
  416. " check '-accesstype (AD_DVCS | ad_timestamping)'"
  417. " or use '-connect'\n");
  418. goto err;
  419. }
  420. if(p.verbose)
  421. BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
  422. curl_easy_setopt(p.curl, CURLOPT_URL, serverurl);
  423. /* Now specify the POST binary data */
  424. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr);
  425. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE, (long)tabLength);
  426. /* pass our list of custom made headers */
  427. contenttype = malloc(15 + strlen(mimetype));
  428. snprintf(contenttype, 15 + strlen(mimetype), "Content-type: %s", mimetype);
  429. headers = curl_slist_append(headers, contenttype);
  430. curl_easy_setopt(p.curl, CURLOPT_HTTPHEADER, headers);
  431. if(p.verbose)
  432. BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
  433. {
  434. FILE *outfp;
  435. BIO_get_fp(out, &outfp);
  436. curl_easy_setopt(p.curl, CURLOPT_WRITEDATA, outfp);
  437. }
  438. res = curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun);
  439. if(res != CURLE_OK)
  440. BIO_printf(p.errorbio, "%d %s=%d %d\n", __LINE__,
  441. "CURLOPT_SSL_CTX_FUNCTION", CURLOPT_SSL_CTX_FUNCTION, res);
  442. curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_DATA, &p);
  443. {
  444. char *ptr;
  445. int lu; int i = 0;
  446. while((lu = BIO_read(in, &binaryptr[i], tabLength-i)) >0) {
  447. i += lu;
  448. if(i == tabLength) {
  449. tabLength += 100;
  450. ptr = realloc(binaryptr, tabLength); /* should be more careful */
  451. if(!ptr) {
  452. /* out of memory */
  453. BIO_printf(p.errorbio, "out of memory (realloc returned NULL)\n");
  454. goto fail;
  455. }
  456. binaryptr = ptr;
  457. ptr = NULL;
  458. }
  459. }
  460. tabLength = i;
  461. }
  462. /* Now specify the POST binary data */
  463. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr);
  464. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE, (long)tabLength);
  465. /* Perform the request, res will get the return code */
  466. BIO_printf(p.errorbio, "%d %s %d\n", __LINE__, "curl_easy_perform",
  467. res = curl_easy_perform(p.curl));
  468. {
  469. curl_easy_getinfo(p.curl, CURLINFO_CONTENT_TYPE, &response);
  470. if(mimetypeaccept && p.verbose) {
  471. if(!strcmp(mimetypeaccept, response))
  472. BIO_printf(p.errorbio, "the response has a correct mimetype : %s\n",
  473. response);
  474. else
  475. BIO_printf(p.errorbio, "the response doesn\'t have an acceptable "
  476. "mime type, it is %s instead of %s\n",
  477. response, mimetypeaccept);
  478. }
  479. }
  480. /*** code d'erreur si accept mime ***, egalement code return HTTP != 200 ***/
  481. /* free the header list*/
  482. fail:
  483. curl_slist_free_all(headers);
  484. /* always cleanup */
  485. curl_easy_cleanup(p.curl);
  486. BIO_free(in);
  487. BIO_free(out);
  488. return (EXIT_SUCCESS);
  489. err: BIO_printf(p.errorbio, "error");
  490. exit(1);
  491. }