pkeyutl.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567
  1. /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  2. * project 2006.
  3. */
  4. /* ====================================================================
  5. * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
  6. *
  7. * Redistribution and use in source and binary forms, with or without
  8. * modification, are permitted provided that the following conditions
  9. * are met:
  10. *
  11. * 1. Redistributions of source code must retain the above copyright
  12. * notice, this list of conditions and the following disclaimer.
  13. *
  14. * 2. Redistributions in binary form must reproduce the above copyright
  15. * notice, this list of conditions and the following disclaimer in
  16. * the documentation and/or other materials provided with the
  17. * distribution.
  18. *
  19. * 3. All advertising materials mentioning features or use of this
  20. * software must display the following acknowledgment:
  21. * "This product includes software developed by the OpenSSL Project
  22. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  23. *
  24. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  25. * endorse or promote products derived from this software without
  26. * prior written permission. For written permission, please contact
  27. * licensing@OpenSSL.org.
  28. *
  29. * 5. Products derived from this software may not be called "OpenSSL"
  30. * nor may "OpenSSL" appear in their names without prior written
  31. * permission of the OpenSSL Project.
  32. *
  33. * 6. Redistributions of any form whatsoever must retain the following
  34. * acknowledgment:
  35. * "This product includes software developed by the OpenSSL Project
  36. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  37. *
  38. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  39. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  40. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  41. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  42. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  43. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  44. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  45. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  46. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  47. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  48. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  49. * OF THE POSSIBILITY OF SUCH DAMAGE.
  50. * ====================================================================
  51. *
  52. * This product includes cryptographic software written by Eric Young
  53. * (eay@cryptsoft.com). This product includes software written by Tim
  54. * Hudson (tjh@cryptsoft.com).
  55. *
  56. */
  57. #include "apps.h"
  58. #include <string.h>
  59. #include <openssl/err.h>
  60. #include <openssl/pem.h>
  61. #include <openssl/evp.h>
  62. #define KEY_PRIVKEY 1
  63. #define KEY_PUBKEY 2
  64. #define KEY_CERT 3
  65. static void usage(void);
  66. #undef PROG
  67. #define PROG pkeyutl_main
  68. static EVP_PKEY_CTX *init_ctx(int *pkeysize,
  69. char *keyfile, int keyform, int key_type,
  70. char *passargin, int pkey_op, ENGINE *e);
  71. static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
  72. const char *file);
  73. static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
  74. unsigned char *out, size_t *poutlen,
  75. unsigned char *in, size_t inlen);
  76. int MAIN(int argc, char **);
  77. int MAIN(int argc, char **argv)
  78. {
  79. BIO *in = NULL, *out = NULL;
  80. char *infile = NULL, *outfile = NULL, *sigfile = NULL;
  81. ENGINE *e = NULL;
  82. int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
  83. int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
  84. char badarg = 0, rev = 0;
  85. char hexdump = 0, asn1parse = 0;
  86. EVP_PKEY_CTX *ctx = NULL;
  87. char *passargin = NULL;
  88. int keysize = -1;
  89. unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
  90. int buf_inlen = 0, buf_outlen, siglen = -1;
  91. int ret = 1, rv = -1;
  92. argc--;
  93. argv++;
  94. if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
  95. if (!load_config(bio_err, NULL))
  96. goto end;
  97. ERR_load_crypto_strings();
  98. OpenSSL_add_all_algorithms();
  99. while(argc >= 1)
  100. {
  101. if (!strcmp(*argv,"-in"))
  102. {
  103. if (--argc < 1) badarg = 1;
  104. infile= *(++argv);
  105. }
  106. else if (!strcmp(*argv,"-out"))
  107. {
  108. if (--argc < 1) badarg = 1;
  109. outfile= *(++argv);
  110. }
  111. else if (!strcmp(*argv,"-sigfile"))
  112. {
  113. if (--argc < 1) badarg = 1;
  114. sigfile= *(++argv);
  115. }
  116. else if(!strcmp(*argv, "-inkey"))
  117. {
  118. if (--argc < 1)
  119. badarg = 1;
  120. else
  121. {
  122. ctx = init_ctx(&keysize,
  123. *(++argv), keyform, key_type,
  124. passargin, pkey_op, e);
  125. if (!ctx)
  126. {
  127. BIO_puts(bio_err,
  128. "Error initializing context\n");
  129. ERR_print_errors(bio_err);
  130. badarg = 1;
  131. }
  132. }
  133. }
  134. else if (!strcmp(*argv,"-peerkey"))
  135. {
  136. if (--argc < 1)
  137. badarg = 1;
  138. else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
  139. badarg = 1;
  140. }
  141. else if (!strcmp(*argv,"-passin"))
  142. {
  143. if (--argc < 1) badarg = 1;
  144. passargin= *(++argv);
  145. }
  146. else if (strcmp(*argv,"-peerform") == 0)
  147. {
  148. if (--argc < 1) badarg = 1;
  149. peerform=str2fmt(*(++argv));
  150. }
  151. else if (strcmp(*argv,"-keyform") == 0)
  152. {
  153. if (--argc < 1) badarg = 1;
  154. keyform=str2fmt(*(++argv));
  155. }
  156. #ifndef OPENSSL_NO_ENGINE
  157. else if(!strcmp(*argv, "-engine"))
  158. {
  159. if (--argc < 1)
  160. badarg = 1;
  161. else
  162. e = setup_engine(bio_err, *(++argv), 0);
  163. }
  164. #endif
  165. else if(!strcmp(*argv, "-pubin"))
  166. key_type = KEY_PUBKEY;
  167. else if(!strcmp(*argv, "-certin"))
  168. key_type = KEY_CERT;
  169. else if(!strcmp(*argv, "-asn1parse"))
  170. asn1parse = 1;
  171. else if(!strcmp(*argv, "-hexdump"))
  172. hexdump = 1;
  173. else if(!strcmp(*argv, "-sign"))
  174. pkey_op = EVP_PKEY_OP_SIGN;
  175. else if(!strcmp(*argv, "-verify"))
  176. pkey_op = EVP_PKEY_OP_VERIFY;
  177. else if(!strcmp(*argv, "-verifyrecover"))
  178. pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
  179. else if(!strcmp(*argv, "-rev"))
  180. rev = 1;
  181. else if(!strcmp(*argv, "-encrypt"))
  182. pkey_op = EVP_PKEY_OP_ENCRYPT;
  183. else if(!strcmp(*argv, "-decrypt"))
  184. pkey_op = EVP_PKEY_OP_DECRYPT;
  185. else if(!strcmp(*argv, "-derive"))
  186. pkey_op = EVP_PKEY_OP_DERIVE;
  187. else if (strcmp(*argv,"-pkeyopt") == 0)
  188. {
  189. if (--argc < 1)
  190. badarg = 1;
  191. else if (!ctx)
  192. {
  193. BIO_puts(bio_err,
  194. "-pkeyopt command before -inkey\n");
  195. badarg = 1;
  196. }
  197. else if (pkey_ctrl_string(ctx, *(++argv)) <= 0)
  198. {
  199. BIO_puts(bio_err, "parameter setting error\n");
  200. ERR_print_errors(bio_err);
  201. goto end;
  202. }
  203. }
  204. else badarg = 1;
  205. if(badarg)
  206. {
  207. usage();
  208. goto end;
  209. }
  210. argc--;
  211. argv++;
  212. }
  213. if (!ctx)
  214. {
  215. usage();
  216. goto end;
  217. }
  218. if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY))
  219. {
  220. BIO_puts(bio_err, "Signature file specified for non verify\n");
  221. goto end;
  222. }
  223. if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY))
  224. {
  225. BIO_puts(bio_err, "No signature file specified for verify\n");
  226. goto end;
  227. }
  228. /* FIXME: seed PRNG only if needed */
  229. app_RAND_load_file(NULL, bio_err, 0);
  230. if (pkey_op != EVP_PKEY_OP_DERIVE)
  231. {
  232. if(infile)
  233. {
  234. if(!(in = BIO_new_file(infile, "rb")))
  235. {
  236. BIO_puts(bio_err,
  237. "Error Opening Input File\n");
  238. ERR_print_errors(bio_err);
  239. goto end;
  240. }
  241. }
  242. else
  243. in = BIO_new_fp(stdin, BIO_NOCLOSE);
  244. }
  245. if(outfile)
  246. {
  247. if(!(out = BIO_new_file(outfile, "wb")))
  248. {
  249. BIO_printf(bio_err, "Error Creating Output File\n");
  250. ERR_print_errors(bio_err);
  251. goto end;
  252. }
  253. }
  254. else
  255. {
  256. out = BIO_new_fp(stdout, BIO_NOCLOSE);
  257. #ifdef OPENSSL_SYS_VMS
  258. {
  259. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  260. out = BIO_push(tmpbio, out);
  261. }
  262. #endif
  263. }
  264. if (sigfile)
  265. {
  266. BIO *sigbio = BIO_new_file(sigfile, "rb");
  267. if (!sigbio)
  268. {
  269. BIO_printf(bio_err, "Can't open signature file %s\n",
  270. sigfile);
  271. goto end;
  272. }
  273. siglen = bio_to_mem(&sig, keysize * 10, sigbio);
  274. BIO_free(sigbio);
  275. if (siglen <= 0)
  276. {
  277. BIO_printf(bio_err, "Error reading signature data\n");
  278. goto end;
  279. }
  280. }
  281. if (in)
  282. {
  283. /* Read the input data */
  284. buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
  285. if(buf_inlen <= 0)
  286. {
  287. BIO_printf(bio_err, "Error reading input Data\n");
  288. exit(1);
  289. }
  290. if(rev)
  291. {
  292. int i;
  293. unsigned char ctmp;
  294. for(i = 0; i < buf_inlen/2; i++)
  295. {
  296. ctmp = buf_in[i];
  297. buf_in[i] = buf_in[buf_inlen - 1 - i];
  298. buf_in[buf_inlen - 1 - i] = ctmp;
  299. }
  300. }
  301. }
  302. if(pkey_op == EVP_PKEY_OP_VERIFY)
  303. {
  304. rv = EVP_PKEY_verify(ctx, sig, siglen, buf_in, buf_inlen);
  305. if (rv == 0)
  306. BIO_puts(out, "Signature Verification Failure\n");
  307. else if (rv == 1)
  308. BIO_puts(out, "Signature Verified Successfully\n");
  309. if (rv >= 0)
  310. goto end;
  311. }
  312. else
  313. {
  314. rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
  315. buf_in, buf_inlen);
  316. if (rv > 0)
  317. {
  318. buf_out = OPENSSL_malloc(buf_outlen);
  319. if (!buf_out)
  320. rv = -1;
  321. else
  322. rv = do_keyop(ctx, pkey_op,
  323. buf_out, (size_t *)&buf_outlen,
  324. buf_in, buf_inlen);
  325. }
  326. }
  327. if(rv <= 0)
  328. {
  329. BIO_printf(bio_err, "Public Key operation error\n");
  330. ERR_print_errors(bio_err);
  331. goto end;
  332. }
  333. ret = 0;
  334. if(asn1parse)
  335. {
  336. if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
  337. ERR_print_errors(bio_err);
  338. }
  339. else if(hexdump)
  340. BIO_dump(out, (char *)buf_out, buf_outlen);
  341. else
  342. BIO_write(out, buf_out, buf_outlen);
  343. end:
  344. if (ctx)
  345. EVP_PKEY_CTX_free(ctx);
  346. BIO_free(in);
  347. BIO_free_all(out);
  348. if (buf_in)
  349. OPENSSL_free(buf_in);
  350. if (buf_out)
  351. OPENSSL_free(buf_out);
  352. if (sig)
  353. OPENSSL_free(sig);
  354. return ret;
  355. }
  356. static void usage()
  357. {
  358. BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
  359. BIO_printf(bio_err, "-in file input file\n");
  360. BIO_printf(bio_err, "-out file output file\n");
  361. BIO_printf(bio_err, "-signature file signature file (verify operation only)\n");
  362. BIO_printf(bio_err, "-inkey file input key\n");
  363. BIO_printf(bio_err, "-keyform arg private key format - default PEM\n");
  364. BIO_printf(bio_err, "-pubin input is a public key\n");
  365. BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n");
  366. BIO_printf(bio_err, "-pkeyopt X:Y public key options\n");
  367. BIO_printf(bio_err, "-sign sign with private key\n");
  368. BIO_printf(bio_err, "-verify verify with public key\n");
  369. BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n");
  370. BIO_printf(bio_err, "-encrypt encrypt with public key\n");
  371. BIO_printf(bio_err, "-decrypt decrypt with private key\n");
  372. BIO_printf(bio_err, "-derive derive shared secret\n");
  373. BIO_printf(bio_err, "-hexdump hex dump output\n");
  374. #ifndef OPENSSL_NO_ENGINE
  375. BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
  376. #endif
  377. BIO_printf(bio_err, "-passin arg pass phrase source\n");
  378. }
  379. static EVP_PKEY_CTX *init_ctx(int *pkeysize,
  380. char *keyfile, int keyform, int key_type,
  381. char *passargin, int pkey_op, ENGINE *e)
  382. {
  383. EVP_PKEY *pkey = NULL;
  384. EVP_PKEY_CTX *ctx = NULL;
  385. char *passin = NULL;
  386. int rv = -1;
  387. X509 *x;
  388. if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
  389. || (pkey_op == EVP_PKEY_OP_DERIVE))
  390. && (key_type != KEY_PRIVKEY))
  391. {
  392. BIO_printf(bio_err, "A private key is needed for this operation\n");
  393. goto end;
  394. }
  395. if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
  396. {
  397. BIO_printf(bio_err, "Error getting password\n");
  398. goto end;
  399. }
  400. switch(key_type)
  401. {
  402. case KEY_PRIVKEY:
  403. pkey = load_key(bio_err, keyfile, keyform, 0,
  404. passin, e, "Private Key");
  405. break;
  406. case KEY_PUBKEY:
  407. pkey = load_pubkey(bio_err, keyfile, keyform, 0,
  408. NULL, e, "Public Key");
  409. break;
  410. case KEY_CERT:
  411. x = load_cert(bio_err, keyfile, keyform,
  412. NULL, e, "Certificate");
  413. if(x)
  414. {
  415. pkey = X509_get_pubkey(x);
  416. X509_free(x);
  417. }
  418. break;
  419. }
  420. *pkeysize = EVP_PKEY_size(pkey);
  421. if (!pkey)
  422. goto end;
  423. ctx = EVP_PKEY_CTX_new(pkey, e);
  424. EVP_PKEY_free(pkey);
  425. if (!ctx)
  426. goto end;
  427. switch(pkey_op)
  428. {
  429. case EVP_PKEY_OP_SIGN:
  430. rv = EVP_PKEY_sign_init(ctx);
  431. break;
  432. case EVP_PKEY_OP_VERIFY:
  433. rv = EVP_PKEY_verify_init(ctx);
  434. break;
  435. case EVP_PKEY_OP_VERIFYRECOVER:
  436. rv = EVP_PKEY_verify_recover_init(ctx);
  437. break;
  438. case EVP_PKEY_OP_ENCRYPT:
  439. rv = EVP_PKEY_encrypt_init(ctx);
  440. break;
  441. case EVP_PKEY_OP_DECRYPT:
  442. rv = EVP_PKEY_decrypt_init(ctx);
  443. break;
  444. case EVP_PKEY_OP_DERIVE:
  445. rv = EVP_PKEY_derive_init(ctx);
  446. break;
  447. }
  448. if (rv <= 0)
  449. {
  450. EVP_PKEY_CTX_free(ctx);
  451. ctx = NULL;
  452. }
  453. end:
  454. if (passin)
  455. OPENSSL_free(passin);
  456. return ctx;
  457. }
  458. static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
  459. const char *file)
  460. {
  461. EVP_PKEY *peer = NULL;
  462. int ret;
  463. if (!ctx)
  464. {
  465. BIO_puts(err, "-peerkey command before -inkey\n");
  466. return 0;
  467. }
  468. peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
  469. if (!peer)
  470. {
  471. BIO_printf(bio_err, "Error reading peer key %s\n", file);
  472. ERR_print_errors(err);
  473. return 0;
  474. }
  475. ret = EVP_PKEY_derive_set_peer(ctx, peer);
  476. EVP_PKEY_free(peer);
  477. if (ret <= 0)
  478. ERR_print_errors(err);
  479. return ret;
  480. }
  481. static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
  482. unsigned char *out, size_t *poutlen,
  483. unsigned char *in, size_t inlen)
  484. {
  485. int rv = 0;
  486. switch(pkey_op)
  487. {
  488. case EVP_PKEY_OP_VERIFYRECOVER:
  489. rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
  490. break;
  491. case EVP_PKEY_OP_SIGN:
  492. rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
  493. break;
  494. case EVP_PKEY_OP_ENCRYPT:
  495. rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
  496. break;
  497. case EVP_PKEY_OP_DECRYPT:
  498. rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
  499. break;
  500. case EVP_PKEY_OP_DERIVE:
  501. rv = EVP_PKEY_derive(ctx, out, poutlen);
  502. break;
  503. }
  504. return rv;
  505. }