curlx.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514
  1. /*
  2. curlx.c Authors: Peter Sylvester, Jean-Paul Merlin
  3. This is a little program to demonstrate the usage of
  4. - an ssl initialisation callback setting a user key and trustbases
  5. coming from a pkcs12 file
  6. - using an ssl application callback to find a URI in the
  7. certificate presented during ssl session establishment.
  8. */
  9. /*
  10. * Copyright (c) 2003 The OpenEvidence Project. All rights reserved.
  11. *
  12. * Redistribution and use in source and binary forms, with or without
  13. * modification, are permitted provided that the following conditions
  14. * are met:
  15. *
  16. * 1. Redistributions of source code must retain the above copyright
  17. * notice, this list of conditions, the following disclaimer,
  18. * and the original OpenSSL and SSLeay Licences below.
  19. *
  20. * 2. Redistributions in binary form must reproduce the above copyright
  21. * notice, this list of conditions, the following disclaimer
  22. * and the original OpenSSL and SSLeay Licences below in
  23. * the documentation and/or other materials provided with the
  24. * distribution.
  25. *
  26. * 3. All advertising materials mentioning features or use of this
  27. * software must display the following acknowledgments:
  28. * "This product includes software developed by the Openevidence Project
  29. * for use in the OpenEvidence Toolkit. (http://www.openevidence.org/)"
  30. * This product includes software developed by the OpenSSL Project
  31. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  32. * This product includes cryptographic software written by Eric Young
  33. * (eay@cryptsoft.com). This product includes software written by Tim
  34. * Hudson (tjh@cryptsoft.com)."
  35. *
  36. * 4. The names "OpenEvidence Toolkit" and "OpenEvidence Project" must not be
  37. * used to endorse or promote products derived from this software without
  38. * prior written permission. For written permission, please contact
  39. * openevidence-core@openevidence.org.
  40. *
  41. * 5. Products derived from this software may not be called "OpenEvidence"
  42. * nor may "OpenEvidence" appear in their names without prior written
  43. * permission of the OpenEvidence Project.
  44. *
  45. * 6. Redistributions of any form whatsoever must retain the following
  46. * acknowledgments:
  47. * "This product includes software developed by the OpenEvidence Project
  48. * for use in the OpenEvidence Toolkit (http://www.openevidence.org/)
  49. * This product includes software developed by the OpenSSL Project
  50. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  51. * This product includes cryptographic software written by Eric Young
  52. * (eay@cryptsoft.com). This product includes software written by Tim
  53. * Hudson (tjh@cryptsoft.com)."
  54. *
  55. * THIS SOFTWARE IS PROVIDED BY THE OpenEvidence PROJECT ``AS IS'' AND ANY
  56. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  57. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  58. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenEvidence PROJECT OR
  59. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  60. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  61. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  62. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  63. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  64. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  65. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  66. * OF THE POSSIBILITY OF SUCH DAMAGE.
  67. * ====================================================================
  68. *
  69. * This product includes software developed by the OpenSSL Project
  70. * for use in the OpenSSL Toolkit (http://www.openssl.org/)
  71. * This product includes cryptographic software written by Eric Young
  72. * (eay@cryptsoft.com). This product includes software written by Tim
  73. * Hudson (tjh@cryptsoft.com).
  74. *
  75. */
  76. #include <stdio.h>
  77. #include <stdlib.h>
  78. #include <string.h>
  79. #include <curl/curl.h>
  80. #include <openssl/x509v3.h>
  81. #include <openssl/x509_vfy.h>
  82. #include <openssl/crypto.h>
  83. #include <openssl/lhash.h>
  84. #include <openssl/objects.h>
  85. #include <openssl/err.h>
  86. #include <openssl/evp.h>
  87. #include <openssl/x509.h>
  88. #include <openssl/pkcs12.h>
  89. #include <openssl/bio.h>
  90. #include <openssl/ssl.h>
  91. static const char *curlx_usage[]={
  92. "usage: curlx args\n",
  93. " -p12 arg - tia file ",
  94. " -envpass arg - environement variable which content the tia private key password",
  95. " -out arg - output file (response)- default stdout",
  96. " -in arg - input file (request)- default stdin",
  97. " -connect arg - URL of the server for the connection ex: www.openevidence.org",
  98. " -mimetype arg - MIME type for data in ex : application/timestamp-query or application/dvcs -default application/timestamp-query",
  99. " -acceptmime arg - MIME type acceptable for the response ex : application/timestamp-response or application/dvcs -default none",
  100. " -accesstype arg - an Object identifier in an AIA/SIA method, e.g. AD_DVCS or ad_timestamping",
  101. NULL
  102. };
  103. /*
  104. ./curlx -p12 psy.p12 -envpass XX -in request -verbose -accesstype AD_DVCS
  105. -mimetype application/dvcs -acceptmime application/dvcs -out response
  106. */
  107. /*
  108. * We use this ZERO_NULL to avoid picky compiler warnings,
  109. * when assigning a NULL pointer to a function pointer var.
  110. */
  111. #define ZERO_NULL 0
  112. /* This is a context that we pass to all callbacks */
  113. typedef struct sslctxparm_st {
  114. unsigned char * p12file ;
  115. const char * pst ;
  116. PKCS12 * p12 ;
  117. EVP_PKEY * pkey ;
  118. X509 * usercert ;
  119. STACK_OF(X509) * ca ;
  120. CURL * curl;
  121. BIO * errorbio;
  122. int accesstype ;
  123. int verbose;
  124. } sslctxparm;
  125. /* some helper function. */
  126. static char *i2s_ASN1_IA5STRING( ASN1_IA5STRING *ia5)
  127. {
  128. char *tmp;
  129. if(!ia5 || !ia5->length)
  130. return NULL;
  131. tmp = OPENSSL_malloc(ia5->length + 1);
  132. memcpy(tmp, ia5->data, ia5->length);
  133. tmp[ia5->length] = 0;
  134. return tmp;
  135. }
  136. /* A conveniance routine to get an access URI. */
  137. static unsigned char *my_get_ext(X509 * cert, const int type, int extensiontype) {
  138. int i;
  139. STACK_OF(ACCESS_DESCRIPTION) * accessinfo ;
  140. accessinfo = X509_get_ext_d2i(cert, extensiontype, NULL, NULL) ;
  141. if (!sk_ACCESS_DESCRIPTION_num(accessinfo))
  142. return NULL;
  143. for (i = 0; i < sk_ACCESS_DESCRIPTION_num(accessinfo); i++) {
  144. ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(accessinfo, i);
  145. if (OBJ_obj2nid(ad->method) == type) {
  146. if (ad->location->type == GEN_URI) {
  147. return i2s_ASN1_IA5STRING(ad->location->d.ia5);
  148. }
  149. return NULL;
  150. }
  151. }
  152. return NULL;
  153. }
  154. /* This is an application verification call back, it does not
  155. perform any addition verification but tries to find a URL
  156. in the presented certificat. If found, this will become
  157. the URL to be used in the POST.
  158. */
  159. static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg)
  160. {
  161. sslctxparm * p = (sslctxparm *) arg;
  162. int ok;
  163. if (p->verbose > 2)
  164. BIO_printf(p->errorbio,"entering ssl_app_verify_callback\n");
  165. if ((ok= X509_verify_cert(ctx)) && ctx->cert) {
  166. unsigned char * accessinfo ;
  167. if (p->verbose > 1)
  168. X509_print_ex(p->errorbio,ctx->cert,0,0);
  169. if (accessinfo = my_get_ext(ctx->cert,p->accesstype ,NID_sinfo_access)) {
  170. if (p->verbose)
  171. BIO_printf(p->errorbio,"Setting URL from SIA to: %s\n", accessinfo);
  172. curl_easy_setopt(p->curl, CURLOPT_URL,accessinfo);
  173. }
  174. else if (accessinfo = my_get_ext(ctx->cert,p->accesstype,
  175. NID_info_access)) {
  176. if (p->verbose)
  177. BIO_printf(p->errorbio,"Setting URL from AIA to: %s\n", accessinfo);
  178. curl_easy_setopt(p->curl, CURLOPT_URL,accessinfo);
  179. }
  180. }
  181. if (p->verbose > 2)
  182. BIO_printf(p->errorbio,"leaving ssl_app_verify_callback with %d\n", ok);
  183. return(ok);
  184. }
  185. /* This is an example of an curl SSL initialisation call back. The callback sets:
  186. - a private key and certificate
  187. - a trusted ca certificate
  188. - a preferred cipherlist
  189. - an application verification callback (the function above)
  190. */
  191. static CURLcode sslctxfun(CURL * curl, void * sslctx, void * parm) {
  192. sslctxparm * p = (sslctxparm *) parm;
  193. SSL_CTX * ctx = (SSL_CTX *) sslctx ;
  194. if (!SSL_CTX_use_certificate(ctx,p->usercert)) {
  195. BIO_printf(p->errorbio, "SSL_CTX_use_certificate problem\n"); goto err;
  196. }
  197. if (!SSL_CTX_use_PrivateKey(ctx,p->pkey)) {
  198. BIO_printf(p->errorbio, "SSL_CTX_use_PrivateKey\n"); goto err;
  199. }
  200. if (!SSL_CTX_check_private_key(ctx)) {
  201. BIO_printf(p->errorbio, "SSL_CTX_check_private_key\n"); goto err;
  202. }
  203. SSL_CTX_set_quiet_shutdown(ctx,1);
  204. SSL_CTX_set_cipher_list(ctx,"RC4-MD5");
  205. SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  206. X509_STORE_add_cert(ctx->cert_store,sk_X509_value(p->ca,
  207. sk_X509_num(p->ca)-1));
  208. SSL_CTX_set_verify_depth(ctx,2);
  209. SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,ZERO_NULL);
  210. SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, parm);
  211. return CURLE_OK ;
  212. err:
  213. ERR_print_errors(p->errorbio);
  214. return CURLE_SSL_CERTPROBLEM;
  215. }
  216. int main(int argc, char **argv) {
  217. BIO* in=NULL;
  218. BIO* out=NULL;
  219. char * outfile = NULL;
  220. char * infile = NULL ;
  221. int tabLength=100;
  222. char *binaryptr;
  223. char* mimetype;
  224. char* mimetypeaccept=NULL;
  225. char* contenttype;
  226. const char** pp;
  227. unsigned char* hostporturl = NULL;
  228. BIO * p12bio ;
  229. char **args = argv + 1;
  230. unsigned char * serverurl;
  231. sslctxparm p;
  232. char *response;
  233. CURLcode res;
  234. struct curl_slist * headers=NULL;
  235. int badarg=0;
  236. binaryptr = malloc(tabLength);
  237. p.verbose = 0;
  238. p.errorbio = BIO_new_fp (stderr, BIO_NOCLOSE);
  239. curl_global_init(CURL_GLOBAL_DEFAULT);
  240. /* we need some more for the P12 decoding */
  241. OpenSSL_add_all_ciphers();
  242. OpenSSL_add_all_digests();
  243. ERR_load_crypto_strings();
  244. while (*args && *args[0] == '-') {
  245. if (!strcmp (*args, "-in")) {
  246. if (args[1]) {
  247. infile=*(++args);
  248. } else badarg=1;
  249. } else if (!strcmp (*args, "-out")) {
  250. if (args[1]) {
  251. outfile=*(++args);
  252. } else badarg=1;
  253. } else if (!strcmp (*args, "-p12")) {
  254. if (args[1]) {
  255. p.p12file = *(++args);
  256. } else badarg=1;
  257. } else if (strcmp(*args,"-envpass") == 0) {
  258. if (args[1]) {
  259. p.pst = getenv(*(++args));
  260. } else badarg=1;
  261. } else if (strcmp(*args,"-connect") == 0) {
  262. if (args[1]) {
  263. hostporturl = *(++args);
  264. } else badarg=1;
  265. } else if (strcmp(*args,"-mimetype") == 0) {
  266. if (args[1]) {
  267. mimetype = *(++args);
  268. } else badarg=1;
  269. } else if (strcmp(*args,"-acceptmime") == 0) {
  270. if (args[1]) {
  271. mimetypeaccept = *(++args);
  272. } else badarg=1;
  273. } else if (strcmp(*args,"-accesstype") == 0) {
  274. if (args[1]) {
  275. if ((p.accesstype = OBJ_obj2nid(OBJ_txt2obj(*++args,0))) == 0) badarg=1;
  276. } else badarg=1;
  277. } else if (strcmp(*args,"-verbose") == 0) {
  278. p.verbose++;
  279. } else badarg=1;
  280. args++;
  281. }
  282. if (mimetype==NULL || mimetypeaccept == NULL) badarg = 1;
  283. if (badarg) {
  284. for (pp=curlx_usage; (*pp != NULL); pp++)
  285. BIO_printf(p.errorbio,"%s\n",*pp);
  286. BIO_printf(p.errorbio,"\n");
  287. goto err;
  288. }
  289. /* set input */
  290. if ((in=BIO_new(BIO_s_file())) == NULL) {
  291. BIO_printf(p.errorbio, "Error setting input bio\n");
  292. goto err;
  293. } else if (infile == NULL)
  294. BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
  295. else if (BIO_read_filename(in,infile) <= 0) {
  296. BIO_printf(p.errorbio, "Error opening input file %s\n", infile);
  297. BIO_free(in);
  298. goto err;
  299. }
  300. /* set output */
  301. if ((out=BIO_new(BIO_s_file())) == NULL) {
  302. BIO_printf(p.errorbio, "Error setting output bio.\n");
  303. goto err;
  304. } else if (outfile == NULL)
  305. BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
  306. else if (BIO_write_filename(out,outfile) <= 0) {
  307. BIO_printf(p.errorbio, "Error opening output file %s\n", outfile);
  308. BIO_free(out);
  309. goto err;
  310. }
  311. p.errorbio = BIO_new_fp (stderr, BIO_NOCLOSE);
  312. if (!(p.curl = curl_easy_init())) {
  313. BIO_printf(p.errorbio, "Cannot init curl lib\n");
  314. goto err;
  315. }
  316. if (!(p12bio = BIO_new_file(p.p12file , "rb"))) {
  317. BIO_printf(p.errorbio, "Error opening P12 file %s\n", p.p12file); goto err;
  318. }
  319. if (!(p.p12 = d2i_PKCS12_bio (p12bio, NULL))) {
  320. BIO_printf(p.errorbio, "Cannot decode P12 structure %s\n", p.p12file); goto err;
  321. }
  322. p.ca= NULL;
  323. if (!(PKCS12_parse (p.p12, p.pst, &(p.pkey), &(p.usercert), &(p.ca) ) )) {
  324. BIO_printf(p.errorbio,"Invalid P12 structure in %s\n", p.p12file); goto err;
  325. }
  326. if (sk_X509_num(p.ca) <= 0) {
  327. BIO_printf(p.errorbio,"No trustworthy CA given.%s\n", p.p12file); goto err;
  328. }
  329. if (p.verbose > 1)
  330. X509_print_ex(p.errorbio,p.usercert,0,0);
  331. /* determine URL to go */
  332. if (hostporturl) {
  333. serverurl = malloc(9+strlen(hostporturl));
  334. sprintf(serverurl,"https://%s",hostporturl);
  335. }
  336. else if (p.accesstype != 0) { /* see whether we can find an AIA or SIA for a given access type */
  337. if (!(serverurl = my_get_ext(p.usercert,p.accesstype,NID_info_access))) {
  338. int j=0;
  339. BIO_printf(p.errorbio,"no service URL in user cert "
  340. "cherching in others certificats\n");
  341. for (j=0;j<sk_X509_num(p.ca);j++) {
  342. if ((serverurl = my_get_ext(sk_X509_value(p.ca,j),p.accesstype,
  343. NID_info_access)))
  344. break;
  345. if ((serverurl = my_get_ext(sk_X509_value(p.ca,j),p.accesstype,
  346. NID_sinfo_access)))
  347. break;
  348. }
  349. }
  350. }
  351. if (!serverurl) {
  352. BIO_printf(p.errorbio, "no service URL in certificats,"
  353. " check '-accesstype (AD_DVCS | ad_timestamping)'"
  354. " or use '-connect'\n");
  355. goto err;
  356. }
  357. if (p.verbose)
  358. BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
  359. curl_easy_setopt(p.curl, CURLOPT_URL, serverurl);
  360. /* Now specify the POST binary data */
  361. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr);
  362. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE,(long)tabLength);
  363. /* pass our list of custom made headers */
  364. contenttype = malloc(15+strlen(mimetype));
  365. sprintf(contenttype,"Content-type: %s",mimetype);
  366. headers = curl_slist_append(headers,contenttype);
  367. curl_easy_setopt(p.curl, CURLOPT_HTTPHEADER, headers);
  368. if (p.verbose)
  369. BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
  370. {
  371. FILE *outfp;
  372. BIO_get_fp(out,&outfp);
  373. curl_easy_setopt(p.curl, CURLOPT_WRITEDATA, outfp);
  374. }
  375. res = curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun) ;
  376. if (res != CURLE_OK)
  377. BIO_printf(p.errorbio,"%d %s=%d %d\n", __LINE__, "CURLOPT_SSL_CTX_FUNCTION",CURLOPT_SSL_CTX_FUNCTION,res);
  378. curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_DATA, &p);
  379. {
  380. int lu; int i=0;
  381. while ((lu = BIO_read (in,&binaryptr[i],tabLength-i)) >0 ) {
  382. i+=lu;
  383. if (i== tabLength) {
  384. tabLength+=100;
  385. binaryptr=realloc(binaryptr,tabLength); /* should be more careful */
  386. }
  387. }
  388. tabLength = i;
  389. }
  390. /* Now specify the POST binary data */
  391. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr);
  392. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE,(long)tabLength);
  393. /* Perform the request, res will get the return code */
  394. BIO_printf(p.errorbio,"%d %s %d\n", __LINE__, "curl_easy_perform",
  395. res = curl_easy_perform(p.curl));
  396. {
  397. int result =curl_easy_getinfo(p.curl,CURLINFO_CONTENT_TYPE,&response);
  398. if( mimetypeaccept && p.verbose)
  399. if(!strcmp(mimetypeaccept,response))
  400. BIO_printf(p.errorbio,"the response has a correct mimetype : %s\n",
  401. response);
  402. else
  403. BIO_printf(p.errorbio,"the reponse doesn\'t has an acceptable "
  404. "mime type, it is %s instead of %s\n",
  405. response,mimetypeaccept);
  406. }
  407. /*** code d'erreur si accept mime ***, egalement code return HTTP != 200 ***/
  408. /* free the header list*/
  409. curl_slist_free_all(headers);
  410. /* always cleanup */
  411. curl_easy_cleanup(p.curl);
  412. BIO_free(in);
  413. BIO_free(out);
  414. return (EXIT_SUCCESS);
  415. err: BIO_printf(p.errorbio,"error");
  416. exit(1);
  417. }