void OPENSSL_load_builtin_modules(void)
{
/* Add builtin modules here */
ASN1_add_oid_module();
#ifndef OPENSSL_NO_ENGINE
ENGINE_add_conf_module();
#endif
}
int main(int argc, char *argv[])
{
ENGINE *engine;
EVP_PKEY *pkey;
X509 *cert;
FILE *cert_fp;
const char *module, *efile, *certfile, *privkey;
int ret = 0;
if (argc < 4){
printf("Too few arguments\n");
usage(argv);
return 1;
}
certfile = argv[1];
privkey = argv[2];
module = argv[3];
efile = argv[4];
cert_fp = fopen(certfile, "rb");
if (!cert_fp) {
fprintf(stderr, "%s:%d Could not open file %s\n", __FILE__, __LINE__, certfile);
ret = 1;
goto end;
}
cert = PEM_read_X509(cert_fp, NULL, NULL, NULL);
if (!cert) {
fprintf(stderr, "%s:%d Could not read certificate file"
"(must be PEM format)\n", __FILE__, __LINE__);
}
if (cert_fp) {
fclose(cert_fp);
}
ret = CONF_modules_load_file(efile, "engines", 0);
if (ret <= 0) {
fprintf(stderr, "%s:%d cannot load %s\n", __FILE__, __LINE__, efile);
display_openssl_errors(__LINE__);
exit(1);
}
ENGINE_add_conf_module();
#if OPENSSL_VERSION_NUMBER>=0x10100000
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
| OPENSSL_INIT_ADD_ALL_DIGESTS \
| OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
#endif
ERR_clear_error();
ENGINE_load_builtin_engines();
engine = ENGINE_by_id("pkcs11");
if (engine == NULL) {
printf("%s:%d Could not get engine\n", __FILE__, __LINE__);
display_openssl_errors(__LINE__);
ret = 1;
goto end;
}
if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_init(engine)) {
printf("Could not initialize engine\n");
display_openssl_errors(__LINE__);
ret = 1;
goto end;
}
pkey = ENGINE_load_private_key(engine, privkey, 0, 0);
if (pkey == NULL) {
printf("%s:%d Could not load key\n", __FILE__, __LINE__);
display_openssl_errors(__LINE__);
ret = 1;
goto end;
}
ret = X509_check_private_key(cert, pkey);
if (!ret) {
printf("%s:%d Could not check private key\n", __FILE__, __LINE__);
display_openssl_errors(__LINE__);
ret = 1;
goto end;
}
printf("Key and certificate matched\n");
ret = 0;
CONF_modules_unload(1);
end:
X509_free(cert);
EVP_PKEY_free(pkey);
ENGINE_finish(engine);
return ret;
}
int main(int argc, char **argv)
{
EVP_PKEY *private_key, *public_key;
EVP_PKEY_CTX *pkey_ctx;
EVP_MD_CTX *md_ctx;
const EVP_MD *digest_algo;
char *private_key_name, *public_key_name;
unsigned char sig[4096];
size_t sig_len;
unsigned char md[128];
size_t md_len;
unsigned digest_len;
char *key_pass = NULL;
const char *module_path, *efile;
ENGINE *e;
int ret;
if (argc < 5) {
fprintf(stderr, "usage: %s [PIN] [CONF] [private key URL] [public key URL] [module]\n", argv[0]);
fprintf(stderr, "\n");
exit(1);
}
key_pass = argv[1];
efile = argv[2];
private_key_name = argv[3];
public_key_name = argv[4];
module_path = argv[5];
ret = CONF_modules_load_file(efile, "engines", 0);
if (ret <= 0) {
fprintf(stderr, "cannot load %s\n", efile);
display_openssl_errors(__LINE__);
exit(1);
}
ENGINE_add_conf_module();
#if OPENSSL_VERSION_NUMBER>=0x10100000
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
| OPENSSL_INIT_ADD_ALL_DIGESTS \
| OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
#endif
ERR_clear_error();
ENGINE_load_builtin_engines();
e = ENGINE_by_id("pkcs11");
if (e == NULL) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_ctrl_cmd_string(e, "MODULE_PATH", module_path, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_init(e)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (key_pass && !ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
if (private_key == NULL) {
fprintf(stderr, "cannot load: %s\n", private_key_name);
display_openssl_errors(__LINE__);
exit(1);
}
public_key = ENGINE_load_public_key(e, public_key_name, NULL, NULL);
if (public_key == NULL) {
fprintf(stderr, "cannot load: %s\n", public_key_name);
display_openssl_errors(__LINE__);
exit(1);
}
digest_algo = EVP_get_digestbyname("sha256");
#define TEST_DATA "test data"
md_ctx = EVP_MD_CTX_create();
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_DigestUpdate(md_ctx, TEST_DATA, sizeof(TEST_DATA)) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
digest_len = sizeof(md);
if (EVP_DigestFinal(md_ctx, md, &digest_len) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
md_len = digest_len;
EVP_MD_CTX_destroy(md_ctx);
/* Sign the hash */
pkey_ctx = EVP_PKEY_CTX_new(private_key, e);
if (pkey_ctx == NULL) {
fprintf(stderr, "Could not create context\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_sign_init(pkey_ctx) <= 0) {
fprintf(stderr, "Could not init signature\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
fprintf(stderr, "Could not set padding\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_signature_md(pkey_ctx, digest_algo) <= 0) {
fprintf(stderr, "Could not set message digest algorithm\n");
display_openssl_errors(__LINE__);
exit(1);
}
sig_len = sizeof(sig);
if (EVP_PKEY_sign(pkey_ctx, sig, &sig_len, md,
EVP_MD_size(digest_algo)) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
EVP_PKEY_CTX_free(pkey_ctx);
printf("Signature created\n");
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
pkey_ctx = EVP_PKEY_CTX_new(public_key, e);
if (pkey_ctx == NULL) {
fprintf(stderr, "Could not create context\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_verify_init(pkey_ctx) <= 0) {
fprintf(stderr, "Could not init verify\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
fprintf(stderr, "Could not set padding\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_signature_md(pkey_ctx, digest_algo) <= 0) {
fprintf(stderr, "Could not set message digest algorithm\n");
display_openssl_errors(__LINE__);
exit(1);
}
ret = EVP_PKEY_verify(pkey_ctx, sig, sig_len, md, md_len);
if (ret < 0) {
display_openssl_errors(__LINE__);
exit(1);
}
EVP_PKEY_CTX_free(pkey_ctx);
if (ret == 1) {
printf("Signature verified\n");
}
else {
printf("Verification failed\n");
display_openssl_errors(__LINE__);
exit(1);
}
#else /* OPENSSL_VERSION_NUMBER >= 0x1000000fL */
printf("Unable to verify signature with %s\n", OPENSSL_VERSION_TEXT);
#endif /* OPENSSL_VERSION_NUMBER >= 0x1000000fL */
ENGINE_finish(e);
CONF_modules_unload(1);
return 0;
}
int main(int argc, char *argv[])
{
const EVP_MD *digest_algo = NULL;
EVP_PKEY *pkey = NULL;
EVP_MD_CTX *md_ctx = NULL;
ENGINE *engine = NULL;
unsigned char random[RANDOM_SIZE], signature[MAX_SIGSIZE];
unsigned int siglen = MAX_SIGSIZE;
int ret, num_processes = 2;
pid_t pid;
int rv = 1;
/* Check arguments */
if (argc < 2) {
fprintf(stderr, "Missing required arguments\n");
usage(argv[0]);
goto failed;
}
if (argc > 4) {
fprintf(stderr, "Too many arguments\n");
usage(argv[0]);
goto failed;
}
/* Check PKCS#11 URL */
if (strncmp(argv[1], "pkcs11:", 7)) {
fprintf(stderr, "fatal: invalid PKCS#11 URL\n");
usage(argv[0]);
goto failed;
}
pid = getpid();
printf("pid %d is the parent\n", pid);
/* Load configuration file, if provided */
if (argc >= 3) {
ret = CONF_modules_load_file(argv[2], "engines", 0);
if (ret <= 0) {
fprintf(stderr, "cannot load %s\n", argv[2]);
error_queue("CONF_modules_load_file", pid);
goto failed;
}
ENGINE_add_conf_module();
}
ENGINE_add_conf_module();
#if OPENSSL_VERSION_NUMBER>=0x10100000
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
| OPENSSL_INIT_ADD_ALL_DIGESTS \
| OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
#endif
ERR_clear_error();
ENGINE_load_builtin_engines();
/* Get structural reference */
engine = ENGINE_by_id("pkcs11");
if (engine == NULL) {
fprintf(stderr, "fatal: engine \"pkcs11\" not available\n");
error_queue("ENGINE_by_id", pid);
goto failed;
}
/* Set the used */
if (argc >= 4) {
ENGINE_ctrl_cmd(engine, "MODULE_PATH", 0, argv[3], NULL, 1);
}
/* Initialize to get the engine functional reference */
if (ENGINE_init(engine)) {
pkey = ENGINE_load_private_key(engine, argv[1], 0, 0);
if (pkey == NULL) {
error_queue("ENGINE_load_private_key", pid);
goto failed;
}
ENGINE_free(engine);
engine = NULL;
}
else {
error_queue("ENGINE_init", pid);
goto failed;
}
/* Spawn processes and check child return */
if (spawn_processes(num_processes)) {
goto failed;
}
pid = getpid();
/* Generate random data */
if (!RAND_bytes(random, RANDOM_SIZE)){
error_queue("RAND_bytes", pid);
goto failed;
}
/* Create context to sign the random data */
digest_algo = EVP_get_digestbyname("sha256");
md_ctx = EVP_MD_CTX_create();
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
error_queue("EVP_DigestInit", pid);
goto failed;
}
EVP_SignInit(md_ctx, digest_algo);
if (EVP_SignUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
error_queue("EVP_SignUpdate", pid);
goto failed;
}
if (EVP_SignFinal(md_ctx, signature, &siglen, pkey) <= 0) {
error_queue("EVP_SignFinal", pid);
goto failed;
}
EVP_MD_CTX_destroy(md_ctx);
printf("pid %d: %u-byte signature created\n", pid, siglen);
/* Now verify the result */
md_ctx = EVP_MD_CTX_create();
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
error_queue("EVP_DigestInit", pid);
goto failed;
}
EVP_VerifyInit(md_ctx, digest_algo);
if (EVP_VerifyUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
error_queue("EVP_VerifyUpdate", pid);
goto failed;
}
if (EVP_VerifyFinal(md_ctx, signature, siglen, pkey) <= 0) {
error_queue("EVP_VerifyFinal", pid);
goto failed;
}
printf("pid %d: Signature matched\n", pid);
rv = 0;
failed:
if (md_ctx != NULL)
EVP_MD_CTX_destroy(md_ctx);
if (pkey != NULL)
EVP_PKEY_free(pkey);
if (engine != NULL)
ENGINE_free(engine);
return rv;
}
