pkeyutl.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570
  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  2. * project 2006.
  3. */
  4. /* ====================================================================
  5. * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
  6. *
  7. * Redistribution and use in source and binary forms, with or without
  8. * modification, are permitted provided that the following conditions
  9. * are met:
  10. *
  11. * 1. Redistributions of source code must retain the above copyright
  12. * notice, this list of conditions and the following disclaimer.
  13. *
  14. * 2. Redistributions in binary form must reproduce the above copyright
  15. * notice, this list of conditions and the following disclaimer in
  16. * the documentation and/or other materials provided with the
  17. * distribution.
  18. *
  19. * 3. All advertising materials mentioning features or use of this
  20. * software must display the following acknowledgment:
  21. * "This product includes software developed by the OpenSSL Project
  22. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  23. *
  24. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  25. * endorse or promote products derived from this software without
  26. * prior written permission. For written permission, please contact
  27. * licensing@OpenSSL.org.
  28. *
  29. * 5. Products derived from this software may not be called "OpenSSL"
  30. * nor may "OpenSSL" appear in their names without prior written
  31. * permission of the OpenSSL Project.
  32. *
  33. * 6. Redistributions of any form whatsoever must retain the following
  34. * acknowledgment:
  35. * "This product includes software developed by the OpenSSL Project
  36. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  37. *
  38. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  39. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  40. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  41. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  42. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  43. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  44. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  45. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  46. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  47. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  48. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  49. * OF THE POSSIBILITY OF SUCH DAMAGE.
  50. * ====================================================================
  51. *
  52. * This product includes cryptographic software written by Eric Young
  53. * (eay@cryptsoft.com). This product includes software written by Tim
  54. * Hudson (tjh@cryptsoft.com).
  55. *
  56. */
  57. #include "apps.h"
  58. #include <string.h>
  59. #include <openssl/err.h>
  60. #include <openssl/pem.h>
  61. #include <openssl/evp.h>
  62. #define KEY_PRIVKEY 1
  63. #define KEY_PUBKEY 2
  64. #define KEY_CERT 3
  65. static void usage(void);
  66. #undef PROG
  67. #define PROG pkeyutl_main
  68. static EVP_PKEY_CTX *init_ctx(int *pkeysize,
  69. char *keyfile, int keyform, int key_type,
  70. char *passargin, int pkey_op, ENGINE *e);
  71. static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
  72. const char *file);
  73. static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
  74. unsigned char *out, size_t *poutlen,
  75. unsigned char *in, size_t inlen);
  76. int MAIN(int argc, char **);
  77. int MAIN(int argc, char **argv)
  78. {
  79. BIO *in = NULL, *out = NULL;
  80. char *infile = NULL, *outfile = NULL, *sigfile = NULL;
  81. ENGINE *e = NULL;
  82. int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
  83. int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
  84. char badarg = 0, rev = 0;
  85. char hexdump = 0, asn1parse = 0;
  86. EVP_PKEY_CTX *ctx = NULL;
  87. char *passargin = NULL;
  88. int keysize = -1;
  89. unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
  90. size_t buf_outlen;
  91. int buf_inlen = 0, siglen = -1;
  92. int ret = 1, rv = -1;
  93. argc--;
  94. argv++;
  95. if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
  96. if (!load_config(bio_err, NULL))
  97. goto end;
  98. ERR_load_crypto_strings();
  99. OpenSSL_add_all_algorithms();
  100. while(argc >= 1)
  101. {
  102. if (!strcmp(*argv,"-in"))
  103. {
  104. if (--argc < 1) badarg = 1;
  105. infile= *(++argv);
  106. }
  107. else if (!strcmp(*argv,"-out"))
  108. {
  109. if (--argc < 1) badarg = 1;
  110. outfile= *(++argv);
  111. }
  112. else if (!strcmp(*argv,"-sigfile"))
  113. {
  114. if (--argc < 1) badarg = 1;
  115. sigfile= *(++argv);
  116. }
  117. else if(!strcmp(*argv, "-inkey"))
  118. {
  119. if (--argc < 1)
  120. badarg = 1;
  121. else
  122. {
  123. ctx = init_ctx(&keysize,
  124. *(++argv), keyform, key_type,
  125. passargin, pkey_op, e);
  126. if (!ctx)
  127. {
  128. BIO_puts(bio_err,
  129. "Error initializing context\n");
  130. ERR_print_errors(bio_err);
  131. badarg = 1;
  132. }
  133. }
  134. }
  135. else if (!strcmp(*argv,"-peerkey"))
  136. {
  137. if (--argc < 1)
  138. badarg = 1;
  139. else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
  140. badarg = 1;
  141. }
  142. else if (!strcmp(*argv,"-passin"))
  143. {
  144. if (--argc < 1) badarg = 1;
  145. passargin= *(++argv);
  146. }
  147. else if (strcmp(*argv,"-peerform") == 0)
  148. {
  149. if (--argc < 1) badarg = 1;
  150. peerform=str2fmt(*(++argv));
  151. }
  152. else if (strcmp(*argv,"-keyform") == 0)
  153. {
  154. if (--argc < 1) badarg = 1;
  155. keyform=str2fmt(*(++argv));
  156. }
  157. #ifndef OPENSSL_NO_ENGINE
  158. else if(!strcmp(*argv, "-engine"))
  159. {
  160. if (--argc < 1)
  161. badarg = 1;
  162. else
  163. e = setup_engine(bio_err, *(++argv), 0);
  164. }
  165. #endif
  166. else if(!strcmp(*argv, "-pubin"))
  167. key_type = KEY_PUBKEY;
  168. else if(!strcmp(*argv, "-certin"))
  169. key_type = KEY_CERT;
  170. else if(!strcmp(*argv, "-asn1parse"))
  171. asn1parse = 1;
  172. else if(!strcmp(*argv, "-hexdump"))
  173. hexdump = 1;
  174. else if(!strcmp(*argv, "-sign"))
  175. pkey_op = EVP_PKEY_OP_SIGN;
  176. else if(!strcmp(*argv, "-verify"))
  177. pkey_op = EVP_PKEY_OP_VERIFY;
  178. else if(!strcmp(*argv, "-verifyrecover"))
  179. pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
  180. else if(!strcmp(*argv, "-rev"))
  181. rev = 1;
  182. else if(!strcmp(*argv, "-encrypt"))
  183. pkey_op = EVP_PKEY_OP_ENCRYPT;
  184. else if(!strcmp(*argv, "-decrypt"))
  185. pkey_op = EVP_PKEY_OP_DECRYPT;
  186. else if(!strcmp(*argv, "-derive"))
  187. pkey_op = EVP_PKEY_OP_DERIVE;
  188. else if (strcmp(*argv,"-pkeyopt") == 0)
  189. {
  190. if (--argc < 1)
  191. badarg = 1;
  192. else if (!ctx)
  193. {
  194. BIO_puts(bio_err,
  195. "-pkeyopt command before -inkey\n");
  196. badarg = 1;
  197. }
  198. else if (pkey_ctrl_string(ctx, *(++argv)) <= 0)
  199. {
  200. BIO_puts(bio_err, "parameter setting error\n");
  201. ERR_print_errors(bio_err);
  202. goto end;
  203. }
  204. }
  205. else badarg = 1;
  206. if(badarg)
  207. {
  208. usage();
  209. goto end;
  210. }
  211. argc--;
  212. argv++;
  213. }
  214. if (!ctx)
  215. {
  216. usage();
  217. goto end;
  218. }
  219. if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY))
  220. {
  221. BIO_puts(bio_err, "Signature file specified for non verify\n");
  222. goto end;
  223. }
  224. if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY))
  225. {
  226. BIO_puts(bio_err, "No signature file specified for verify\n");
  227. goto end;
  228. }
  229. /* FIXME: seed PRNG only if needed */
  230. app_RAND_load_file(NULL, bio_err, 0);
  231. if (pkey_op != EVP_PKEY_OP_DERIVE)
  232. {
  233. if(infile)
  234. {
  235. if(!(in = BIO_new_file(infile, "rb")))
  236. {
  237. BIO_puts(bio_err,
  238. "Error Opening Input File\n");
  239. ERR_print_errors(bio_err);
  240. goto end;
  241. }
  242. }
  243. else
  244. in = BIO_new_fp(stdin, BIO_NOCLOSE);
  245. }
  246. if(outfile)
  247. {
  248. if(!(out = BIO_new_file(outfile, "wb")))
  249. {
  250. BIO_printf(bio_err, "Error Creating Output File\n");
  251. ERR_print_errors(bio_err);
  252. goto end;
  253. }
  254. }
  255. else
  256. {
  257. out = BIO_new_fp(stdout, BIO_NOCLOSE);
  258. #ifdef OPENSSL_SYS_VMS
  259. {
  260. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  261. out = BIO_push(tmpbio, out);
  262. }
  263. #endif
  264. }
  265. if (sigfile)
  266. {
  267. BIO *sigbio = BIO_new_file(sigfile, "rb");
  268. if (!sigbio)
  269. {
  270. BIO_printf(bio_err, "Can't open signature file %s\n",
  271. sigfile);
  272. goto end;
  273. }
  274. siglen = bio_to_mem(&sig, keysize * 10, sigbio);
  275. BIO_free(sigbio);
  276. if (siglen <= 0)
  277. {
  278. BIO_printf(bio_err, "Error reading signature data\n");
  279. goto end;
  280. }
  281. }
  282. if (in)
  283. {
  284. /* Read the input data */
  285. buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
  286. if(buf_inlen <= 0)
  287. {
  288. BIO_printf(bio_err, "Error reading input Data\n");
  289. exit(1);
  290. }
  291. if(rev)
  292. {
  293. size_t i;
  294. unsigned char ctmp;
  295. size_t l = (size_t)buf_inlen;
  296. for(i = 0; i < l/2; i++)
  297. {
  298. ctmp = buf_in[i];
  299. buf_in[i] = buf_in[l - 1 - i];
  300. buf_in[l - 1 - i] = ctmp;
  301. }
  302. }
  303. }
  304. if(pkey_op == EVP_PKEY_OP_VERIFY)
  305. {
  306. rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
  307. buf_in, (size_t)buf_inlen);
  308. if (rv == 0)
  309. BIO_puts(out, "Signature Verification Failure\n");
  310. else if (rv == 1)
  311. BIO_puts(out, "Signature Verified Successfully\n");
  312. if (rv >= 0)
  313. goto end;
  314. }
  315. else
  316. {
  317. rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
  318. buf_in, (size_t)buf_inlen);
  319. if (rv > 0)
  320. {
  321. buf_out = OPENSSL_malloc(buf_outlen);
  322. if (!buf_out)
  323. rv = -1;
  324. else
  325. rv = do_keyop(ctx, pkey_op,
  326. buf_out, (size_t *)&buf_outlen,
  327. buf_in, (size_t)buf_inlen);
  328. }
  329. }
  330. if(rv <= 0)
  331. {
  332. BIO_printf(bio_err, "Public Key operation error\n");
  333. ERR_print_errors(bio_err);
  334. goto end;
  335. }
  336. ret = 0;
  337. if(asn1parse)
  338. {
  339. if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
  340. ERR_print_errors(bio_err);
  341. }
  342. else if(hexdump)
  343. BIO_dump(out, (char *)buf_out, buf_outlen);
  344. else
  345. BIO_write(out, buf_out, buf_outlen);
  346. end:
  347. if (ctx)
  348. EVP_PKEY_CTX_free(ctx);
  349. BIO_free(in);
  350. BIO_free_all(out);
  351. if (buf_in)
  352. OPENSSL_free(buf_in);
  353. if (buf_out)
  354. OPENSSL_free(buf_out);
  355. if (sig)
  356. OPENSSL_free(sig);
  357. return ret;
  358. }
  359. static void usage()
  360. {
  361. BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
  362. BIO_printf(bio_err, "-in file input file\n");
  363. BIO_printf(bio_err, "-out file output file\n");
  364. BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n");
  365. BIO_printf(bio_err, "-inkey file input key\n");
  366. BIO_printf(bio_err, "-keyform arg private key format - default PEM\n");
  367. BIO_printf(bio_err, "-pubin input is a public key\n");
  368. BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n");
  369. BIO_printf(bio_err, "-pkeyopt X:Y public key options\n");
  370. BIO_printf(bio_err, "-sign sign with private key\n");
  371. BIO_printf(bio_err, "-verify verify with public key\n");
  372. BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n");
  373. BIO_printf(bio_err, "-encrypt encrypt with public key\n");
  374. BIO_printf(bio_err, "-decrypt decrypt with private key\n");
  375. BIO_printf(bio_err, "-derive derive shared secret\n");
  376. BIO_printf(bio_err, "-hexdump hex dump output\n");
  377. #ifndef OPENSSL_NO_ENGINE
  378. BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
  379. #endif
  380. BIO_printf(bio_err, "-passin arg pass phrase source\n");
  381. }
  382. static EVP_PKEY_CTX *init_ctx(int *pkeysize,
  383. char *keyfile, int keyform, int key_type,
  384. char *passargin, int pkey_op, ENGINE *e)
  385. {
  386. EVP_PKEY *pkey = NULL;
  387. EVP_PKEY_CTX *ctx = NULL;
  388. char *passin = NULL;
  389. int rv = -1;
  390. X509 *x;
  391. if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
  392. || (pkey_op == EVP_PKEY_OP_DERIVE))
  393. && (key_type != KEY_PRIVKEY))
  394. {
  395. BIO_printf(bio_err, "A private key is needed for this operation\n");
  396. goto end;
  397. }
  398. if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
  399. {
  400. BIO_printf(bio_err, "Error getting password\n");
  401. goto end;
  402. }
  403. switch(key_type)
  404. {
  405. case KEY_PRIVKEY:
  406. pkey = load_key(bio_err, keyfile, keyform, 0,
  407. passin, e, "Private Key");
  408. break;
  409. case KEY_PUBKEY:
  410. pkey = load_pubkey(bio_err, keyfile, keyform, 0,
  411. NULL, e, "Public Key");
  412. break;
  413. case KEY_CERT:
  414. x = load_cert(bio_err, keyfile, keyform,
  415. NULL, e, "Certificate");
  416. if(x)
  417. {
  418. pkey = X509_get_pubkey(x);
  419. X509_free(x);
  420. }
  421. break;
  422. }
  423. *pkeysize = EVP_PKEY_size(pkey);
  424. if (!pkey)
  425. goto end;
  426. ctx = EVP_PKEY_CTX_new(pkey, e);
  427. EVP_PKEY_free(pkey);
  428. if (!ctx)
  429. goto end;
  430. switch(pkey_op)
  431. {
  432. case EVP_PKEY_OP_SIGN:
  433. rv = EVP_PKEY_sign_init(ctx);
  434. break;
  435. case EVP_PKEY_OP_VERIFY:
  436. rv = EVP_PKEY_verify_init(ctx);
  437. break;
  438. case EVP_PKEY_OP_VERIFYRECOVER:
  439. rv = EVP_PKEY_verify_recover_init(ctx);
  440. break;
  441. case EVP_PKEY_OP_ENCRYPT:
  442. rv = EVP_PKEY_encrypt_init(ctx);
  443. break;
  444. case EVP_PKEY_OP_DECRYPT:
  445. rv = EVP_PKEY_decrypt_init(ctx);
  446. break;
  447. case EVP_PKEY_OP_DERIVE:
  448. rv = EVP_PKEY_derive_init(ctx);
  449. break;
  450. }
  451. if (rv <= 0)
  452. {
  453. EVP_PKEY_CTX_free(ctx);
  454. ctx = NULL;
  455. }
  456. end:
  457. if (passin)
  458. OPENSSL_free(passin);
  459. return ctx;
  460. }
  461. static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
  462. const char *file)
  463. {
  464. EVP_PKEY *peer = NULL;
  465. int ret;
  466. if (!ctx)
  467. {
  468. BIO_puts(err, "-peerkey command before -inkey\n");
  469. return 0;
  470. }
  471. peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
  472. if (!peer)
  473. {
  474. BIO_printf(bio_err, "Error reading peer key %s\n", file);
  475. ERR_print_errors(err);
  476. return 0;
  477. }
  478. ret = EVP_PKEY_derive_set_peer(ctx, peer);
  479. EVP_PKEY_free(peer);
  480. if (ret <= 0)
  481. ERR_print_errors(err);
  482. return ret;
  483. }
  484. static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
  485. unsigned char *out, size_t *poutlen,
  486. unsigned char *in, size_t inlen)
  487. {
  488. int rv = 0;
  489. switch(pkey_op)
  490. {
  491. case EVP_PKEY_OP_VERIFYRECOVER:
  492. rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
  493. break;
  494. case EVP_PKEY_OP_SIGN:
  495. rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
  496. break;
  497. case EVP_PKEY_OP_ENCRYPT:
  498. rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
  499. break;
  500. case EVP_PKEY_OP_DECRYPT:
  501. rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
  502. break;
  503. case EVP_PKEY_OP_DERIVE:
  504. rv = EVP_PKEY_derive(ctx, out, poutlen);
  505. break;
  506. }
  507. return rv;
  508. }