int main(int argc, char *argv[]) { PKCS11_CTX *ctx=NULL; PKCS11_SLOT *slots=NULL, *slot; PKCS11_KEY *keys; unsigned int nslots, nkeys; char password[20]; int rc = 0; if (argc < 2) { fprintf(stderr, "usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n", argv[0]); return 1; } ctx = PKCS11_CTX_new(); error_queue("PKCS11_CTX_new"); /* load pkcs #11 module */ rc = PKCS11_CTX_load(ctx, argv[1]); error_queue("PKCS11_CTX_load"); CHECK_ERR(rc < 0, "loading pkcs11 engine failed", 1); /* get information on all slots */ rc = PKCS11_enumerate_slots(ctx, &slots, &nslots); error_queue("PKCS11_enumerate_slots"); CHECK_ERR(rc < 0, "no slots available", 2); /* get first slot with a token */ slot = PKCS11_find_token(ctx, slots, nslots); error_queue("PKCS11_find_token"); CHECK_ERR(!slot || !slot->token, "no token available", 3); printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); /* get public keys */ rc = PKCS11_enumerate_public_keys(slot->token, &keys, &nkeys); error_queue("PKCS11_enumerate_public_keys"); CHECK_ERR(rc < 0, "PKCS11_enumerate_public_keys failed", 4); CHECK_ERR(nkeys == 0, "No public keys found", 5); list_keys("Public keys", keys, nkeys); if (slot->token->loginRequired && argc > 2) { strcpy(password, argv[2]); /* perform pkcs #11 login */ rc = PKCS11_login(slot, 0, password); error_queue("PKCS11_login"); memset(password, 0, strlen(password)); CHECK_ERR(rc < 0, "PKCS11_login failed", 6); } /* get private keys */ rc = PKCS11_enumerate_keys(slot->token, &keys, &nkeys); error_queue("PKCS11_enumerate_keys"); CHECK_ERR(rc < 0, "PKCS11_enumerate_keys failed", 7); CHECK_ERR(nkeys == 0, "No private keys found", 8); list_keys("Private keys", keys, nkeys); end: if (slots) PKCS11_release_all_slots(ctx, slots, nslots); if (ctx) { PKCS11_CTX_unload(ctx); PKCS11_CTX_free(ctx); } CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); if (rc) printf("Failed (error code %d).\n", rc); else printf("Success.\n"); return rc; }
int main(int argc, char *argv[]) { PKCS11_CTX *ctx; PKCS11_SLOT *slots, *slot; PKCS11_CERT *certs; PKCS11_KEY *authkey; PKCS11_CERT *authcert; EVP_PKEY *pubkey = NULL; unsigned char *random = NULL, *signature = NULL; char password[20]; int rc = 0, fd; unsigned int nslots, ncerts, siglen; if (argc < 2) { fprintf(stderr, "usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n", argv[0]); return 1; } do_fork(); ctx = PKCS11_CTX_new(); error_queue("PKCS11_CTX_new"); /* load pkcs #11 module */ do_fork(); rc = PKCS11_CTX_load(ctx, argv[1]); error_queue("PKCS11_CTX_load"); if (rc) { fprintf(stderr, "loading pkcs11 engine failed: %s\n", ERR_reason_error_string(ERR_get_error())); rc = 1; goto nolib; } /* get information on all slots */ do_fork(); rc = PKCS11_enumerate_slots(ctx, &slots, &nslots); error_queue("PKCS11_enumerate_slots"); if (rc < 0) { fprintf(stderr, "no slots available\n"); rc = 2; goto noslots; } /* get first slot with a token */ do_fork(); slot = PKCS11_find_token(ctx, slots, nslots); error_queue("PKCS11_find_token"); if (slot == NULL || slot->token == NULL) { fprintf(stderr, "no token available\n"); rc = 3; goto notoken; } printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); if (!slot->token->loginRequired) goto loggedin; /* get password */ if (argc > 2) { strcpy(password, argv[2]); } else { exit(1); } loggedin: /* perform pkcs #11 login */ do_fork(); rc = PKCS11_login(slot, 0, password); error_queue("PKCS11_login"); memset(password, 0, strlen(password)); if (rc != 0) { fprintf(stderr, "PKCS11_login failed\n"); goto failed; } /* get all certs */ do_fork(); rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts); error_queue("PKCS11_enumerate_certs"); if (rc) { fprintf(stderr, "PKCS11_enumerate_certs failed\n"); goto failed; } if (ncerts <= 0) { fprintf(stderr, "no certificates found\n"); goto failed; } /* use the first cert */ authcert=&certs[0]; /* get random bytes */ random = OPENSSL_malloc(RANDOM_SIZE); if (random == NULL) goto failed; fd = open(RANDOM_SOURCE, O_RDONLY); if (fd < 0) { fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n", strerror(errno)); goto failed; } rc = read(fd, random, RANDOM_SIZE); if (rc < 0) { fprintf(stderr, "fatal: read from random source failed: %s\n", strerror(errno)); close(fd); goto failed; } if (rc < RANDOM_SIZE) { fprintf(stderr, "fatal: read returned less than %d<%d bytes\n", rc, RANDOM_SIZE); close(fd); goto failed; } close(fd); do_fork(); authkey = PKCS11_find_key(authcert); error_queue("PKCS11_find_key"); if (authkey == NULL) { fprintf(stderr, "no key matching certificate available\n"); goto failed; } /* ask for a sha1 hash of the random data, signed by the key */ siglen = MAX_SIGSIZE; signature = OPENSSL_malloc(MAX_SIGSIZE); if (signature == NULL) goto failed; /* do the operations in child */ do_fork(); rc = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen, authkey); error_queue("PKCS11_sign"); if (rc != 1) { fprintf(stderr, "fatal: pkcs11_sign failed\n"); goto failed; } /* verify the signature */ pubkey = X509_get_pubkey(authcert->x509); if (pubkey == NULL) { fprintf(stderr, "could not extract public key\n"); goto failed; } /* now verify the result */ rc = RSA_verify(NID_sha1, random, RANDOM_SIZE, signature, siglen, pubkey->pkey.rsa); if (rc != 1) { fprintf(stderr, "fatal: RSA_verify failed\n"); goto failed; } if (pubkey != NULL) EVP_PKEY_free(pubkey); if (random != NULL) OPENSSL_free(random); if (signature != NULL) OPENSSL_free(signature); PKCS11_release_all_slots(ctx, slots, nslots); PKCS11_CTX_unload(ctx); PKCS11_CTX_free(ctx); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); printf("authentication successfull.\n"); return 0; failed: notoken: PKCS11_release_all_slots(ctx, slots, nslots); noslots: PKCS11_CTX_unload(ctx); nolib: PKCS11_CTX_free(ctx); printf("authentication failed.\n"); return 1; }
int main(int argc, char *argv[]) { const EVP_MD *digest_algo = NULL; EVP_PKEY *pkey = NULL; EVP_MD_CTX *md_ctx = NULL; ENGINE *engine = NULL; unsigned char random[RANDOM_SIZE], signature[MAX_SIGSIZE]; unsigned int siglen = MAX_SIGSIZE; int ret, num_processes = 2; pid_t pid; int rv = 1; /* Check arguments */ if (argc < 2) { fprintf(stderr, "Missing required arguments\n"); usage(argv[0]); goto failed; } if (argc > 4) { fprintf(stderr, "Too many arguments\n"); usage(argv[0]); goto failed; } /* Check PKCS#11 URL */ if (strncmp(argv[1], "pkcs11:", 7)) { fprintf(stderr, "fatal: invalid PKCS#11 URL\n"); usage(argv[0]); goto failed; } pid = getpid(); printf("pid %d is the parent\n", pid); /* Load configuration file, if provided */ if (argc >= 3) { ret = CONF_modules_load_file(argv[2], "engines", 0); if (ret <= 0) { fprintf(stderr, "cannot load %s\n", argv[2]); error_queue("CONF_modules_load_file", pid); goto failed; } ENGINE_add_conf_module(); } ENGINE_add_conf_module(); #if OPENSSL_VERSION_NUMBER>=0x10100000 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ | OPENSSL_INIT_ADD_ALL_DIGESTS \ | OPENSSL_INIT_LOAD_CONFIG, NULL); #else OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); #endif ERR_clear_error(); ENGINE_load_builtin_engines(); /* Get structural reference */ engine = ENGINE_by_id("pkcs11"); if (engine == NULL) { fprintf(stderr, "fatal: engine \"pkcs11\" not available\n"); error_queue("ENGINE_by_id", pid); goto failed; } /* Set the used */ if (argc >= 4) { ENGINE_ctrl_cmd(engine, "MODULE_PATH", 0, argv[3], NULL, 1); } /* Initialize to get the engine functional reference */ if (ENGINE_init(engine)) { pkey = ENGINE_load_private_key(engine, argv[1], 0, 0); if (pkey == NULL) { error_queue("ENGINE_load_private_key", pid); goto failed; } ENGINE_free(engine); engine = NULL; } else { error_queue("ENGINE_init", pid); goto failed; } /* Spawn processes and check child return */ if (spawn_processes(num_processes)) { goto failed; } pid = getpid(); /* Generate random data */ if (!RAND_bytes(random, RANDOM_SIZE)){ error_queue("RAND_bytes", pid); goto failed; } /* Create context to sign the random data */ digest_algo = EVP_get_digestbyname("sha256"); md_ctx = EVP_MD_CTX_create(); if (EVP_DigestInit(md_ctx, digest_algo) <= 0) { error_queue("EVP_DigestInit", pid); goto failed; } EVP_SignInit(md_ctx, digest_algo); if (EVP_SignUpdate(md_ctx, random, RANDOM_SIZE) <= 0) { error_queue("EVP_SignUpdate", pid); goto failed; } if (EVP_SignFinal(md_ctx, signature, &siglen, pkey) <= 0) { error_queue("EVP_SignFinal", pid); goto failed; } EVP_MD_CTX_destroy(md_ctx); printf("pid %d: %u-byte signature created\n", pid, siglen); /* Now verify the result */ md_ctx = EVP_MD_CTX_create(); if (EVP_DigestInit(md_ctx, digest_algo) <= 0) { error_queue("EVP_DigestInit", pid); goto failed; } EVP_VerifyInit(md_ctx, digest_algo); if (EVP_VerifyUpdate(md_ctx, random, RANDOM_SIZE) <= 0) { error_queue("EVP_VerifyUpdate", pid); goto failed; } if (EVP_VerifyFinal(md_ctx, signature, siglen, pkey) <= 0) { error_queue("EVP_VerifyFinal", pid); goto failed; } printf("pid %d: Signature matched\n", pid); rv = 0; failed: if (md_ctx != NULL) EVP_MD_CTX_destroy(md_ctx); if (pkey != NULL) EVP_PKEY_free(pkey); if (engine != NULL) ENGINE_free(engine); return rv; }