curlx.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513
  1. /*
  2. curlx.c Authors: Peter Sylvester, Jean-Paul Merlin
  3. This is a little program to demonstrate the usage of
  4. - an ssl initialisation callback setting a user key and trustbases
  5. coming from a pkcs12 file
  6. - using an ssl application callback to find a URI in the
  7. certificate presented during ssl session establishment.
  8. */
  9. /*
  10. * Copyright (c) 2003 The OpenEvidence Project. All rights reserved.
  11. *
  12. * Redistribution and use in source and binary forms, with or without
  13. * modification, are permitted provided that the following conditions
  14. * are met:
  15. *
  16. * 1. Redistributions of source code must retain the above copyright
  17. * notice, this list of conditions, the following disclaimer,
  18. * and the original OpenSSL and SSLeay Licences below.
  19. *
  20. * 2. Redistributions in binary form must reproduce the above copyright
  21. * notice, this list of conditions, the following disclaimer
  22. * and the original OpenSSL and SSLeay Licences below in
  23. * the documentation and/or other materials provided with the
  24. * distribution.
  25. *
  26. * 3. All advertising materials mentioning features or use of this
  27. * software must display the following acknowledgments:
  28. * "This product includes software developed by the Openevidence Project
  29. * for use in the OpenEvidence Toolkit. (http://www.openevidence.org/)"
  30. * This product includes software developed by the OpenSSL Project
  31. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  32. * This product includes cryptographic software written by Eric Young
  33. * (eay@cryptsoft.com). This product includes software written by Tim
  34. * Hudson (tjh@cryptsoft.com)."
  35. *
  36. * 4. The names "OpenEvidence Toolkit" and "OpenEvidence Project" must not be
  37. * used to endorse or promote products derived from this software without
  38. * prior written permission. For written permission, please contact
  39. * openevidence-core@openevidence.org.
  40. *
  41. * 5. Products derived from this software may not be called "OpenEvidence"
  42. * nor may "OpenEvidence" appear in their names without prior written
  43. * permission of the OpenEvidence Project.
  44. *
  45. * 6. Redistributions of any form whatsoever must retain the following
  46. * acknowledgments:
  47. * "This product includes software developed by the OpenEvidence Project
  48. * for use in the OpenEvidence Toolkit (http://www.openevidence.org/)
  49. * This product includes software developed by the OpenSSL Project
  50. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  51. * This product includes cryptographic software written by Eric Young
  52. * (eay@cryptsoft.com). This product includes software written by Tim
  53. * Hudson (tjh@cryptsoft.com)."
  54. *
  55. * THIS SOFTWARE IS PROVIDED BY THE OpenEvidence PROJECT ``AS IS'' AND ANY
  56. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  57. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  58. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenEvidence PROJECT OR
  59. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  60. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  61. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  62. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  63. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  64. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  65. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  66. * OF THE POSSIBILITY OF SUCH DAMAGE.
  67. * ====================================================================
  68. *
  69. * This product includes software developed by the OpenSSL Project
  70. * for use in the OpenSSL Toolkit (http://www.openssl.org/)
  71. * This product includes cryptographic software written by Eric Young
  72. * (eay@cryptsoft.com). This product includes software written by Tim
  73. * Hudson (tjh@cryptsoft.com).
  74. *
  75. */
  76. #include <stdio.h>
  77. #include <stdlib.h>
  78. #include <string.h>
  79. #include <curl/curl.h>
  80. #include <openssl/x509v3.h>
  81. #include <openssl/x509_vfy.h>
  82. #include <openssl/crypto.h>
  83. #include <openssl/lhash.h>
  84. #include <openssl/objects.h>
  85. #include <openssl/err.h>
  86. #include <openssl/evp.h>
  87. #include <openssl/x509.h>
  88. #include <openssl/pkcs12.h>
  89. #include <openssl/bio.h>
  90. #include <openssl/ssl.h>
  91. static const char *curlx_usage[]={
  92. "usage: curlx args\n",
  93. " -p12 arg - tia file ",
  94. " -envpass arg - environement variable which content the tia private key password",
  95. " -out arg - output file (response)- default stdout",
  96. " -in arg - input file (request)- default stdin",
  97. " -connect arg - URL of the server for the connection ex: www.openevidence.org",
  98. " -mimetype arg - MIME type for data in ex : application/timestamp-query or application/dvcs -default application/timestamp-query",
  99. " -acceptmime arg - MIME type acceptable for the response ex : application/timestamp-response or application/dvcs -default none",
  100. " -accesstype arg - an Object identifier in an AIA/SIA method, e.g. AD_DVCS or ad_timestamping",
  101. NULL
  102. };
  103. /*
  104. ./curlx -p12 psy.p12 -envpass XX -in request -verbose -accesstype AD_DVCS
  105. -mimetype application/dvcs -acceptmime application/dvcs -out response
  106. */
  107. /*
  108. * We use this ZERO_NULL to avoid picky compiler warnings,
  109. * when assigning a NULL pointer to a function pointer var.
  110. */
  111. #define ZERO_NULL 0
  112. /* This is a context that we pass to all callbacks */
  113. typedef struct sslctxparm_st {
  114. unsigned char * p12file ;
  115. const char * pst ;
  116. PKCS12 * p12 ;
  117. EVP_PKEY * pkey ;
  118. X509 * usercert ;
  119. STACK_OF(X509) * ca ;
  120. CURL * curl;
  121. BIO * errorbio;
  122. int accesstype ;
  123. int verbose;
  124. } sslctxparm;
  125. /* some helper function. */
  126. static char *i2s_ASN1_IA5STRING( ASN1_IA5STRING *ia5)
  127. {
  128. char *tmp;
  129. if(!ia5 || !ia5->length)
  130. return NULL;
  131. tmp = OPENSSL_malloc(ia5->length + 1);
  132. memcpy(tmp, ia5->data, ia5->length);
  133. tmp[ia5->length] = 0;
  134. return tmp;
  135. }
  136. /* A conveniance routine to get an access URI. */
  137. static unsigned char *my_get_ext(X509 * cert, const int type, int extensiontype) {
  138. int i;
  139. STACK_OF(ACCESS_DESCRIPTION) * accessinfo ;
  140. accessinfo = X509_get_ext_d2i(cert, extensiontype, NULL, NULL) ;
  141. if (!sk_ACCESS_DESCRIPTION_num(accessinfo))
  142. return NULL;
  143. for (i = 0; i < sk_ACCESS_DESCRIPTION_num(accessinfo); i++) {
  144. ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(accessinfo, i);
  145. if (OBJ_obj2nid(ad->method) == type) {
  146. if (ad->location->type == GEN_URI) {
  147. return i2s_ASN1_IA5STRING(ad->location->d.ia5);
  148. }
  149. return NULL;
  150. }
  151. }
  152. return NULL;
  153. }
  154. /* This is an application verification call back, it does not
  155. perform any addition verification but tries to find a URL
  156. in the presented certificat. If found, this will become
  157. the URL to be used in the POST.
  158. */
  159. static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg)
  160. {
  161. sslctxparm * p = (sslctxparm *) arg;
  162. int ok;
  163. if (p->verbose > 2)
  164. BIO_printf(p->errorbio,"entering ssl_app_verify_callback\n");
  165. if ((ok= X509_verify_cert(ctx)) && ctx->cert) {
  166. unsigned char * accessinfo ;
  167. if (p->verbose > 1)
  168. X509_print_ex(p->errorbio,ctx->cert,0,0);
  169. if (accessinfo = my_get_ext(ctx->cert,p->accesstype ,NID_sinfo_access)) {
  170. if (p->verbose)
  171. BIO_printf(p->errorbio,"Setting URL from SIA to: %s\n", accessinfo);
  172. curl_easy_setopt(p->curl, CURLOPT_URL,accessinfo);
  173. }
  174. else if (accessinfo = my_get_ext(ctx->cert,p->accesstype,
  175. NID_info_access)) {
  176. if (p->verbose)
  177. BIO_printf(p->errorbio,"Setting URL from AIA to: %s\n", accessinfo);
  178. curl_easy_setopt(p->curl, CURLOPT_URL,accessinfo);
  179. }
  180. }
  181. if (p->verbose > 2)
  182. BIO_printf(p->errorbio,"leaving ssl_app_verify_callback with %d\n", ok);
  183. return(ok);
  184. }
  185. /* This is an example of an curl SSL initialisation call back. The callback sets:
  186. - a private key and certificate
  187. - a trusted ca certificate
  188. - a preferred cipherlist
  189. - an application verification callback (the function above)
  190. */
  191. static CURLcode sslctxfun(CURL * curl, void * sslctx, void * parm) {
  192. sslctxparm * p = (sslctxparm *) parm;
  193. SSL_CTX * ctx = (SSL_CTX *) sslctx ;
  194. if (!SSL_CTX_use_certificate(ctx,p->usercert)) {
  195. BIO_printf(p->errorbio, "SSL_CTX_use_certificate problem\n"); goto err;
  196. }
  197. if (!SSL_CTX_use_PrivateKey(ctx,p->pkey)) {
  198. BIO_printf(p->errorbio, "SSL_CTX_use_PrivateKey\n"); goto err;
  199. }
  200. if (!SSL_CTX_check_private_key(ctx)) {
  201. BIO_printf(p->errorbio, "SSL_CTX_check_private_key\n"); goto err;
  202. }
  203. SSL_CTX_set_quiet_shutdown(ctx,1);
  204. SSL_CTX_set_cipher_list(ctx,"RC4-MD5");
  205. SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  206. X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx), sk_X509_value(p->ca, sk_X509_num(p->ca)-1));
  207. SSL_CTX_set_verify_depth(ctx,2);
  208. SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,ZERO_NULL);
  209. SSL_CTX_set_cert_verify_callback(ctx, ssl_app_verify_callback, parm);
  210. return CURLE_OK ;
  211. err:
  212. ERR_print_errors(p->errorbio);
  213. return CURLE_SSL_CERTPROBLEM;
  214. }
  215. int main(int argc, char **argv) {
  216. BIO* in=NULL;
  217. BIO* out=NULL;
  218. char * outfile = NULL;
  219. char * infile = NULL ;
  220. int tabLength=100;
  221. char *binaryptr;
  222. char* mimetype;
  223. char* mimetypeaccept=NULL;
  224. char* contenttype;
  225. const char** pp;
  226. unsigned char* hostporturl = NULL;
  227. BIO * p12bio ;
  228. char **args = argv + 1;
  229. unsigned char * serverurl;
  230. sslctxparm p;
  231. char *response;
  232. CURLcode res;
  233. struct curl_slist * headers=NULL;
  234. int badarg=0;
  235. binaryptr = malloc(tabLength);
  236. p.verbose = 0;
  237. p.errorbio = BIO_new_fp (stderr, BIO_NOCLOSE);
  238. curl_global_init(CURL_GLOBAL_DEFAULT);
  239. /* we need some more for the P12 decoding */
  240. OpenSSL_add_all_ciphers();
  241. OpenSSL_add_all_digests();
  242. ERR_load_crypto_strings();
  243. while (*args && *args[0] == '-') {
  244. if (!strcmp (*args, "-in")) {
  245. if (args[1]) {
  246. infile=*(++args);
  247. } else badarg=1;
  248. } else if (!strcmp (*args, "-out")) {
  249. if (args[1]) {
  250. outfile=*(++args);
  251. } else badarg=1;
  252. } else if (!strcmp (*args, "-p12")) {
  253. if (args[1]) {
  254. p.p12file = *(++args);
  255. } else badarg=1;
  256. } else if (strcmp(*args,"-envpass") == 0) {
  257. if (args[1]) {
  258. p.pst = getenv(*(++args));
  259. } else badarg=1;
  260. } else if (strcmp(*args,"-connect") == 0) {
  261. if (args[1]) {
  262. hostporturl = *(++args);
  263. } else badarg=1;
  264. } else if (strcmp(*args,"-mimetype") == 0) {
  265. if (args[1]) {
  266. mimetype = *(++args);
  267. } else badarg=1;
  268. } else if (strcmp(*args,"-acceptmime") == 0) {
  269. if (args[1]) {
  270. mimetypeaccept = *(++args);
  271. } else badarg=1;
  272. } else if (strcmp(*args,"-accesstype") == 0) {
  273. if (args[1]) {
  274. if ((p.accesstype = OBJ_obj2nid(OBJ_txt2obj(*++args,0))) == 0) badarg=1;
  275. } else badarg=1;
  276. } else if (strcmp(*args,"-verbose") == 0) {
  277. p.verbose++;
  278. } else badarg=1;
  279. args++;
  280. }
  281. if (mimetype==NULL || mimetypeaccept == NULL) badarg = 1;
  282. if (badarg) {
  283. for (pp=curlx_usage; (*pp != NULL); pp++)
  284. BIO_printf(p.errorbio,"%s\n",*pp);
  285. BIO_printf(p.errorbio,"\n");
  286. goto err;
  287. }
  288. /* set input */
  289. if ((in=BIO_new(BIO_s_file())) == NULL) {
  290. BIO_printf(p.errorbio, "Error setting input bio\n");
  291. goto err;
  292. } else if (infile == NULL)
  293. BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
  294. else if (BIO_read_filename(in,infile) <= 0) {
  295. BIO_printf(p.errorbio, "Error opening input file %s\n", infile);
  296. BIO_free(in);
  297. goto err;
  298. }
  299. /* set output */
  300. if ((out=BIO_new(BIO_s_file())) == NULL) {
  301. BIO_printf(p.errorbio, "Error setting output bio.\n");
  302. goto err;
  303. } else if (outfile == NULL)
  304. BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
  305. else if (BIO_write_filename(out,outfile) <= 0) {
  306. BIO_printf(p.errorbio, "Error opening output file %s\n", outfile);
  307. BIO_free(out);
  308. goto err;
  309. }
  310. p.errorbio = BIO_new_fp (stderr, BIO_NOCLOSE);
  311. if (!(p.curl = curl_easy_init())) {
  312. BIO_printf(p.errorbio, "Cannot init curl lib\n");
  313. goto err;
  314. }
  315. if (!(p12bio = BIO_new_file(p.p12file , "rb"))) {
  316. BIO_printf(p.errorbio, "Error opening P12 file %s\n", p.p12file); goto err;
  317. }
  318. if (!(p.p12 = d2i_PKCS12_bio (p12bio, NULL))) {
  319. BIO_printf(p.errorbio, "Cannot decode P12 structure %s\n", p.p12file); goto err;
  320. }
  321. p.ca= NULL;
  322. if (!(PKCS12_parse (p.p12, p.pst, &(p.pkey), &(p.usercert), &(p.ca) ) )) {
  323. BIO_printf(p.errorbio,"Invalid P12 structure in %s\n", p.p12file); goto err;
  324. }
  325. if (sk_X509_num(p.ca) <= 0) {
  326. BIO_printf(p.errorbio,"No trustworthy CA given.%s\n", p.p12file); goto err;
  327. }
  328. if (p.verbose > 1)
  329. X509_print_ex(p.errorbio,p.usercert,0,0);
  330. /* determine URL to go */
  331. if (hostporturl) {
  332. serverurl = malloc(9+strlen(hostporturl));
  333. sprintf(serverurl,"https://%s",hostporturl);
  334. }
  335. else if (p.accesstype != 0) { /* see whether we can find an AIA or SIA for a given access type */
  336. if (!(serverurl = my_get_ext(p.usercert,p.accesstype,NID_info_access))) {
  337. int j=0;
  338. BIO_printf(p.errorbio,"no service URL in user cert "
  339. "cherching in others certificats\n");
  340. for (j=0;j<sk_X509_num(p.ca);j++) {
  341. if ((serverurl = my_get_ext(sk_X509_value(p.ca,j),p.accesstype,
  342. NID_info_access)))
  343. break;
  344. if ((serverurl = my_get_ext(sk_X509_value(p.ca,j),p.accesstype,
  345. NID_sinfo_access)))
  346. break;
  347. }
  348. }
  349. }
  350. if (!serverurl) {
  351. BIO_printf(p.errorbio, "no service URL in certificats,"
  352. " check '-accesstype (AD_DVCS | ad_timestamping)'"
  353. " or use '-connect'\n");
  354. goto err;
  355. }
  356. if (p.verbose)
  357. BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
  358. curl_easy_setopt(p.curl, CURLOPT_URL, serverurl);
  359. /* Now specify the POST binary data */
  360. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr);
  361. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE,(long)tabLength);
  362. /* pass our list of custom made headers */
  363. contenttype = malloc(15+strlen(mimetype));
  364. sprintf(contenttype,"Content-type: %s",mimetype);
  365. headers = curl_slist_append(headers,contenttype);
  366. curl_easy_setopt(p.curl, CURLOPT_HTTPHEADER, headers);
  367. if (p.verbose)
  368. BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl);
  369. {
  370. FILE *outfp;
  371. BIO_get_fp(out,&outfp);
  372. curl_easy_setopt(p.curl, CURLOPT_WRITEDATA, outfp);
  373. }
  374. res = curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun) ;
  375. if (res != CURLE_OK)
  376. BIO_printf(p.errorbio,"%d %s=%d %d\n", __LINE__, "CURLOPT_SSL_CTX_FUNCTION",CURLOPT_SSL_CTX_FUNCTION,res);
  377. curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_DATA, &p);
  378. {
  379. int lu; int i=0;
  380. while ((lu = BIO_read (in,&binaryptr[i],tabLength-i)) >0 ) {
  381. i+=lu;
  382. if (i== tabLength) {
  383. tabLength+=100;
  384. binaryptr=realloc(binaryptr,tabLength); /* should be more careful */
  385. }
  386. }
  387. tabLength = i;
  388. }
  389. /* Now specify the POST binary data */
  390. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr);
  391. curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE,(long)tabLength);
  392. /* Perform the request, res will get the return code */
  393. BIO_printf(p.errorbio,"%d %s %d\n", __LINE__, "curl_easy_perform",
  394. res = curl_easy_perform(p.curl));
  395. {
  396. int result =curl_easy_getinfo(p.curl,CURLINFO_CONTENT_TYPE,&response);
  397. if( mimetypeaccept && p.verbose)
  398. if(!strcmp(mimetypeaccept,response))
  399. BIO_printf(p.errorbio,"the response has a correct mimetype : %s\n",
  400. response);
  401. else
  402. BIO_printf(p.errorbio,"the reponse doesn\'t has an acceptable "
  403. "mime type, it is %s instead of %s\n",
  404. response,mimetypeaccept);
  405. }
  406. /*** code d'erreur si accept mime ***, egalement code return HTTP != 200 ***/
  407. /* free the header list*/
  408. curl_slist_free_all(headers);
  409. /* always cleanup */
  410. curl_easy_cleanup(p.curl);
  411. BIO_free(in);
  412. BIO_free(out);
  413. return (EXIT_SUCCESS);
  414. err: BIO_printf(p.errorbio,"error");
  415. exit(1);
  416. }