/*
This function take a user certificate and a private key in x509 format and
convert it into pkcs12 format. This function returns -1 if a problem occurs, 0 otherwise
*/
int convert_x509_to_p12(char *privkey, char *clicert, char *p12cert)
{
X509 *cert;
PKCS12 *p12;
EVP_PKEY *cert_privkey;
FILE *certfile, *keyfile, *p12file;
int bytes = 0;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
/* Read the private key file */
if ((cert_privkey = EVP_PKEY_new()) == NULL){
printf("Error creating EVP_PKEY structure.\n");
return -1;
}
if (! (keyfile = fopen(privkey, "r"))){
printf("Error cant read certificate private key file.\n");
return -1;
}
if (! (cert_privkey = PEM_read_PrivateKey(keyfile, NULL, NULL, NULL))){
printf("Error loading certificate private key content.\n");
return -1;
}
fclose(keyfile);
/* Read the user certificate */
if (! (certfile = fopen(clicert, "r"))){
printf("Error cant read certificate file.\n");
return -1;
}
if (! (cert = PEM_read_X509(certfile, NULL, NULL, NULL))){
printf("Error loading cert into memory.\n");
return -1;
}
fclose(certfile);
/* Generate the p12 certificate */
if ((p12 = PKCS12_new()) == NULL){
printf("Error creating PKCS12 structure.\n");
return -1;}
p12 = PKCS12_create(NULL, NULL, cert_privkey, cert, NULL, 0, 0, 0, 0, 0);
if ( p12 == NULL){
printf("Error generating a valid PKCS12 certificate.\n");
return -1;
}
if (! (p12file = fopen(p12cert, "w"))){
printf("Error cant open pkcs12 certificate file for writing.\n");
return -1;
}
bytes = i2d_PKCS12_fp(p12file, p12);
if (bytes <= 0){
printf("Error writing PKCS12 certificate.\n");
return -1;
}
fclose(p12file);
PKCS12_free(p12);
X509_free(cert);
EVP_PKEY_free(cert_privkey);
return 0;
}
SM_MEDIA_HANDLE Flash2AppSMGenerateHashOpen(void)
{
SM_MEDIA_HANDLE h;
h = (SM_MEDIA_HANDLE)malloc(sizeof(*h));
if (h)
{
/* Just load the crypto library error strings,
* SSL_load_error_strings() loads the crypto AND the SSL ones */
/* SSL_load_error_strings();*/
//ERR_load_crypto_strings();
{
FILE* fp;
/* Read private key */
fp = fopen(KEYF, "r");
if (fp == NULL)
{
printf("error opening keyfile\n");
free(h);
return NULL;
}
h->pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
}
if (h->pkey == NULL)
{
printf("error reading key\n");
free(h);
return NULL;
}
/* Do the signature */
EVP_SignInit(&h->md_ctx, SM_HASH_FUNCTION);
}
return h;
}
VALUE
ossl_pkey_new_from_file(VALUE filename)
{
FILE *fp;
EVP_PKEY *pkey;
SafeStringValue(filename);
if (!(fp = fopen(RSTRING_PTR(filename), "r"))) {
ossl_raise(ePKeyError, "%s", strerror(errno));
}
pkey = PEM_read_PrivateKey(fp, NULL, ossl_pem_passwd_cb, NULL);
fclose(fp);
if (!pkey) {
ossl_raise(ePKeyError, NULL);
}
return ossl_pkey_new(pkey);
}
extern void *
crypto_read_private_key(const char *path)
{
FILE *fp = NULL;
EVP_PKEY *pk = NULL;
xassert(path != NULL);
if (!(fp = fopen(path, "r")))
return NULL;
if (!PEM_read_PrivateKey(fp, &pk, NULL, NULL)) {
fclose(fp);
return NULL;
}
fclose(fp);
return (void *) pk;
}
void signMessage(int message, char* keyfile, unsigned char* signature) {
int err;
unsigned int sig_len;
static char data[100];
EVP_MD_CTX md_ctx;
EVP_PKEY* pkey;
FILE * fp;
X509 * x509;
memset(&data, '\0', sizeof(data));
sprintf(data, "%d", message);
ERR_load_crypto_strings();
/* Read private key */
fp = fopen(keyfile, "r");
if (fp == NULL) {
perror("File error");
printf("Key file not found\n");
exit(1);
}
pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
if (pkey == NULL) {
printf("Error in claiming private key\n");
ERR_print_errors_fp (stderr);
exit(1);
}
/* Do the signature */
EVP_SignInit(&md_ctx, EVP_sha1());
EVP_SignUpdate(&md_ctx, data, strlen(data));
sig_len = sizeof(signature);
err = EVP_SignFinal(&md_ctx, signature, &sig_len, pkey);
if (err != 1) {
printf("Error in signing\n");
ERR_print_errors_fp(stderr);
exit(1);
}
EVP_PKEY_free(pkey);
}
bool SSL_CTX_use_PrivateKey_file(::SSL_CTX* ctx, const char* file, int /*type*/)
{
FILE* f = dcpp_fopen(file, "r");
if (!f)
{
return false;
}
::EVP_PKEY* tmpKey = nullptr;
PEM_read_PrivateKey(f, &tmpKey, nullptr, nullptr);
fclose(f);
if (!tmpKey)
{
return false;
}
EVP_PKEY key(tmpKey);
return SSL_CTX_use_PrivateKey(ctx, key) == SSL_SUCCESS;
}
static int janus_dtls_load_keys(const char *server_pem, const char *server_key, const char *password,
X509 **certificate, EVP_PKEY **private_key) {
FILE *f = NULL;
f = fopen(server_pem, "r");
if(!f) {
JANUS_LOG(LOG_FATAL, "Error opening certificate file\n");
goto error;
}
*certificate = PEM_read_X509(f, NULL, NULL, NULL);
if(!*certificate) {
JANUS_LOG(LOG_FATAL, "PEM_read_X509 failed\n");
goto error;
}
fclose(f);
f = fopen(server_key, "r");
if(!f) {
JANUS_LOG(LOG_FATAL, "Error opening key file\n");
goto error;
}
*private_key = PEM_read_PrivateKey(f, NULL, NULL, (void *)password);
if(!*private_key) {
JANUS_LOG(LOG_FATAL, "PEM_read_PrivateKey failed\n");
goto error;
}
fclose(f);
return 0;
error:
if(*certificate) {
X509_free(*certificate);
*certificate = NULL;
}
if(*private_key) {
EVP_PKEY_free(*private_key);
*private_key = NULL;
}
return -1;
}
int __fastcall util_from_pem(char* filename, struct util_cert* cert)
{
FILE *pFile = NULL;
if (filename == NULL) return -1;
#ifdef WIN32
fopen_s(&pFile, filename,"rb");
#else
pFile = fopen(filename,"rb");
#endif
if (pFile == NULL) goto error;
if ((cert->pkey = PEM_read_PrivateKey(pFile, NULL, 0, NULL)) == NULL) goto error;
if ((cert->x509 = PEM_read_X509(pFile, NULL, 0, NULL)) == NULL) goto error;
fclose(pFile);
return 0;
error:
if (pFile != NULL) fclose(pFile);
return -1;
}
/* This function signs the buffer passed as argument, returns the length of the signature
* else -1 on error
* It leaves the sign in **sign_buf (which is allocated)
*/
int sign_hello(unsigned char* hello_buf,unsigned int hello_len,unsigned char** sign_buf){
EVP_MD_CTX* ctx = NULL;
unsigned int sign_len;
EVP_PKEY* evp = EVP_PKEY_new();
FILE* fp;
*sign_buf = NULL;
ctx = (EVP_MD_CTX*)calloc(1,sizeof(EVP_MD_CTX));
EVP_MD_CTX_init(ctx);
OpenSSL_add_all_algorithms();
if((fp=fopen(PRIV_KEY,"r"))==NULL){
goto fail;
}
if((evp=PEM_read_PrivateKey(fp,NULL,NULL,NULL))==NULL){
goto fail;
}
*sign_buf = (unsigned char*)calloc(1,EVP_PKEY_size(evp));
if(EVP_SignInit(ctx,EVP_sha512())==0){
goto fail;
}
if(EVP_SignUpdate(ctx,hello_buf,hello_len)==0){
goto fail;
}
if(EVP_SignFinal(ctx,*sign_buf,&sign_len,evp)==0){
goto fail;
}
EVP_MD_CTX_cleanup(ctx);
free(ctx);
EVP_PKEY_free(evp);
return sign_len;
fail:
EVP_MD_CTX_cleanup(ctx);
free(ctx);
if (*sign_buf != NULL) {
free(*sign_buf);
}
return -1;
}
void DtlsTransport::ReadCertificateAndPrivateKeyFromFiles()
{
MS_TRACE();
FILE* file = nullptr;
file = fopen(Settings::configuration.dtlsCertificateFile.c_str(), "r");
if (!file)
{
MS_ERROR("error reading DTLS certificate file: %s", std::strerror(errno));
goto error;
}
DtlsTransport::certificate = PEM_read_X509(file, nullptr, nullptr, nullptr);
if (!DtlsTransport::certificate)
{
LOG_OPENSSL_ERROR("PEM_read_X509() failed");
goto error;
}
fclose(file);
file = fopen(Settings::configuration.dtlsPrivateKeyFile.c_str(), "r");
if (!file)
{
MS_ERROR("error reading DTLS private key file: %s", std::strerror(errno));
goto error;
}
DtlsTransport::privateKey = PEM_read_PrivateKey(file, nullptr, nullptr, nullptr);
if (!DtlsTransport::privateKey)
{
LOG_OPENSSL_ERROR("PEM_read_PrivateKey() failed");
goto error;
}
fclose(file);
return;
error:
MS_THROW_ERROR("error reading DTLS certificate and private key PEM files");
}
BOOL readCertificateHome(unsigned long hash, X509 **x509, EVP_PKEY **pkey)
{
FILE * fcrt = NULL;
FILE * fkey = NULL;
bool result = false;
char *buf1 = new char[4096];
char *buf2 = new char[4096];
if (! buf1 && buf2)
return false;
char* dir = get_current_dir_name();
if(dir) {
snprintf(buf1, 4095, "%s/.mDolphin/certs/%lx.%s", dir, hash, "crt");
snprintf(buf2, 4095, "%s/.mDolphin/certs/%lx.%s", dir, hash, "key");
free(dir);
fcrt = fopen(buf1, "r");
fkey = fopen(buf2, "r");
if (fcrt == NULL || fkey == NULL){
printf("No certificate or private key file!\n");
goto err;
}
if (PEM_read_X509(fcrt, x509, NULL, NULL) && PEM_read_PrivateKey(fkey, pkey, NULL, NULL))
result = true;
else
ERR_clear_error();
err:
if (fcrt)
fclose(fcrt);
if (fkey)
fclose(fkey);
}
delete[] buf1;
delete[] buf2;
return result;
}
/* Reads in a private key from a PEM file. */
int read_key(EVP_PKEY **key, const char *filename, char *passwd)
{
EVP_PKEY *k = NULL;
FILE *fp = NULL;
if (key == NULL)
return OPENSSLCA_ERR_ARGS;
fp = fopen(filename, "r");
if (fp == NULL)
return OPENSSLCA_ERR_KEY_OPEN;
k = PEM_read_PrivateKey(fp, NULL, NULL, passwd);
if (k == NULL) {
fclose(fp);
return OPENSSLCA_ERR_KEY_READ;
}
*key = k;
fclose(fp);
return OPENSSLCA_NO_ERR;
}
uint32 CRegProtocol::GetPublicKey(char *Name,
EVP_PKEY **key)
{
TU_RET err;
FILE *fp;
err = TU_ERROR_CRYPTO_FAILED;
fp = fopen(NAME_BUF, "r");
if(!fp)
{
err = TU_ERROR_FILEOPEN;
goto EXIT;
}
if(!(*key = PEM_read_PUBKEY(fp, NULL, NULL, NULL)))
{
ERR_print_errors_fp(stdout);
//If we can't read the Public key, try reading the pvt key.
//The above function might give an error if we use it to
//read a private key file
rewind(fp);
if(!(*key = PEM_read_PrivateKey(fp, NULL, NULL, NULL)))
{
ERR_print_errors_fp(stdout);
goto EXIT_FILE;
}
}
err = TU_SUCCESS;
EXIT_FILE:
if(fp)
fclose(fp);
EXIT:
return err;
}
static Eina_Bool
_ecore_con_ssl_server_privkey_add_openssl(Ecore_Con_Server *svr,
const char *key_file)
{
FILE *fp = NULL;
EVP_PKEY *privkey = NULL;
if (!(fp = fopen(key_file, "r")))
goto error;
SSL_ERROR_CHECK_GOTO_ERROR(!(privkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL)));
fclose(fp);
SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_use_PrivateKey(svr->ssl_ctx, privkey) < 1);
SSL_ERROR_CHECK_GOTO_ERROR(SSL_CTX_check_private_key(svr->ssl_ctx) < 1);
return EINA_TRUE;
error:
if (fp)
fclose(fp);
_openssl_print_errors();
return EINA_FALSE;
}
void openssl_pkcs12_cert()
{
FILE *tmpfile;
PKCS12 *pkcs12s;
EVP_PKEY *certprk;
X509 *cscert, *cacert;
STACK_OF(X509) * cacerts;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
certprk = EVP_PKEY_new();
tmpfile = fopen(PKEYF, "r");
certprk = PEM_read_PrivateKey(tmpfile, NULL, NULL, NULL);
fclose(tmpfile);
tmpfile = fopen(PCERTF, "r");
cscert = PEM_read_X509(tmpfile, NULL, NULL, NULL);
fclose(tmpfile);
tmpfile = fopen(RCERTF, "r");
cacert = PEM_read_X509(tmpfile, NULL, NULL, NULL);
fclose(tmpfile);
pkcs12s = PKCS12_new();
cacerts = sk_X509_new_null();
sk_X509_push(cacerts, cacert);
pkcs12s = PKCS12_create("beike2012", "mypkcs12", certprk, cscert,
cacerts, 0, 0, 0, 0, 0);
tmpfile = fopen(PKCS12F, "w");
if (i2d_PKCS12_fp(tmpfile, pkcs12s) <= 0)
openssl_error_show("i2d_PKCS12_fp", 1);
fclose(tmpfile);
sk_X509_free(cacerts);
PKCS12_free(pkcs12s);
}
int main(int argc, char **argv)
{
FILE *fp;
EVP_PKEY *pkey;
X509 *cert;
PKCS12 *p12;
if (argc != 5) {
fprintf(stderr, "Usage: pkwrite infile password name p12file\n");
exit(1);
}
SSLeay_add_all_algorithms();
ERR_load_crypto_strings();
if (!(fp = fopen(argv[1], "r"))) {
fprintf(stderr, "Error opening file %s\n", argv[1]);
exit(1);
}
cert = PEM_read_X509(fp, NULL, NULL, NULL);
rewind(fp);
pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
p12 = PKCS12_create(argv[2], argv[3], pkey, cert, NULL, 0,0,0,0,0);
if(!p12) {
fprintf(stderr, "Error creating PKCS#12 structure\n");
ERR_print_errors_fp(stderr);
exit(1);
}
if (!(fp = fopen(argv[4], "wb"))) {
fprintf(stderr, "Error opening file %s\n", argv[1]);
ERR_print_errors_fp(stderr);
exit(1);
}
i2d_PKCS12_fp(fp, p12);
PKCS12_free(p12);
fclose(fp);
return 0;
}
char *uwsgi_rsa_sign(char *algo_key, char *message, size_t message_len, unsigned int *s_len) {
// openssl could not be initialized
if (!uwsgi.ssl_initialized) {
uwsgi_ssl_init();
}
*s_len = 0;
EVP_PKEY *pk = NULL;
char *algo = uwsgi_str(algo_key);
char *colon = strchr(algo, ':');
if (!colon) {
uwsgi_log("invalid RSA signature syntax, must be: <digest>:<pemfile>\n");
free(algo);
return NULL;
}
*colon = 0;
char *keyfile = colon + 1;
char *signature = NULL;
FILE *kf = fopen(keyfile, "r");
if (!kf) {
uwsgi_error_open(keyfile);
free(algo);
return NULL;
}
if (PEM_read_PrivateKey(kf, &pk, NULL, NULL) == 0) {
uwsgi_log("unable to load private key: %s\n", keyfile);
free(algo);
fclose(kf);
return NULL;
}
fclose(kf);
EVP_MD_CTX *ctx = EVP_MD_CTX_create();
if (!ctx) {
free(algo);
EVP_PKEY_free(pk);
return NULL;
}
const EVP_MD *md = EVP_get_digestbyname(algo);
if (!md) {
uwsgi_log("unknown digest algo: %s\n", algo);
free(algo);
EVP_PKEY_free(pk);
EVP_MD_CTX_destroy(ctx);
return NULL;
}
*s_len = EVP_PKEY_size(pk);
signature = uwsgi_malloc(*s_len);
if (EVP_SignInit_ex(ctx, md, NULL) == 0) {
ERR_print_errors_fp(stderr);
free(signature);
signature = NULL;
*s_len = 0;
goto clear;
}
if (EVP_SignUpdate(ctx, message, message_len) == 0) {
ERR_print_errors_fp(stderr);
free(signature);
signature = NULL;
*s_len = 0;
goto clear;
}
if (EVP_SignFinal(ctx, (unsigned char *) signature, s_len, pk) == 0) {
ERR_print_errors_fp(stderr);
free(signature);
signature = NULL;
*s_len = 0;
goto clear;
}
clear:
free(algo);
EVP_PKEY_free(pk);
EVP_MD_CTX_destroy(ctx);
return signature;
}
int main()
{
int err;
int sig_len;
unsigned char sig_buf[4096];
static char certfile[] = "cert.pem";
static char keyfile[] = "key.pem";
static char data[] = "I owe you...";
EVP_MD_CTX md_ctx;
EVP_PKEY *pkey;
FILE *fp;
X509 *x509;
/*
* Just load the crypto library error strings, SSL_load_error_strings()
* loads the crypto AND the SSL ones
*/
/* SSL_load_error_strings(); */
ERR_load_crypto_strings();
/* Read private key */
fp = fopen(keyfile, "r");
if (fp == NULL)
exit(1);
pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
if (pkey == NULL) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Do the signature */
EVP_SignInit(&md_ctx, EVP_sha1());
EVP_SignUpdate(&md_ctx, data, strlen(data));
sig_len = sizeof(sig_buf);
err = EVP_SignFinal(&md_ctx, sig_buf, &sig_len, pkey);
if (err != 1) {
ERR_print_errors_fp(stderr);
exit(1);
}
EVP_PKEY_free(pkey);
/* Read public key */
fp = fopen(certfile, "r");
if (fp == NULL)
exit(1);
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
if (x509 == NULL) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Get public key - eay */
pkey = X509_get_pubkey(x509);
if (pkey == NULL) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Verify the signature */
EVP_VerifyInit(&md_ctx, EVP_sha1());
EVP_VerifyUpdate(&md_ctx, data, strlen((char *)data));
err = EVP_VerifyFinal(&md_ctx, sig_buf, sig_len, pkey);
EVP_PKEY_free(pkey);
if (err != 1) {
ERR_print_errors_fp(stderr);
exit(1);
}
printf("Signature Verified Ok.\n");
return (0);
}
/** Try to read the identity key from <b>identity_key_file</b>. If no such
* file exists and create_identity_key is set, make a new identity key and
* store it. Return 0 on success, nonzero on failure.
*/
static int
load_identity_key(void)
{
file_status_t status = file_status(identity_key_file);
FILE *f;
if (make_new_id) {
open_file_t *open_file = NULL;
RSA *key;
if (status != FN_NOENT) {
log_err(LD_GENERAL, "--create-identity-key was specified, but %s "
"already exists.", identity_key_file);
return 1;
}
log_notice(LD_GENERAL, "Generating %d-bit RSA identity key.",
IDENTITY_KEY_BITS);
if (!(key = generate_key(IDENTITY_KEY_BITS))) {
log_err(LD_GENERAL, "Couldn't generate identity key.");
crypto_log_errors(LOG_ERR, "Generating identity key");
return 1;
}
identity_key = EVP_PKEY_new();
if (!(EVP_PKEY_assign_RSA(identity_key, key))) {
log_err(LD_GENERAL, "Couldn't assign identity key.");
return 1;
}
if (!(f = start_writing_to_stdio_file(identity_key_file,
OPEN_FLAGS_REPLACE | O_TEXT, 0400,
&open_file)))
return 1;
/* Write the key to the file. If passphrase is not set, takes it from
* the terminal. */
if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key,
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
passphrase, (int)passphrase_len,
NULL, NULL)) {
log_err(LD_GENERAL, "Couldn't write identity key to %s",
identity_key_file);
crypto_log_errors(LOG_ERR, "Writing identity key");
abort_writing_to_file(open_file);
return 1;
}
finish_writing_to_file(open_file);
} else {
if (status != FN_FILE) {
log_err(LD_GENERAL,
"No identity key found in %s. To specify a location "
"for an identity key, use -i. To generate a new identity key, "
"use --create-identity-key.", identity_key_file);
return 1;
}
if (!(f = fopen(identity_key_file, "r"))) {
log_err(LD_GENERAL, "Couldn't open %s for reading: %s",
identity_key_file, strerror(errno));
return 1;
}
/* Read the key. If passphrase is not set, takes it from the terminal. */
identity_key = PEM_read_PrivateKey(f, NULL, NULL, passphrase);
if (!identity_key) {
log_err(LD_GENERAL, "Couldn't read identity key from %s",
identity_key_file);
return 1;
}
fclose(f);
}
return 0;
}
int
read_key_pem(FILE *fp, PyObject **py_private_key_ndn,
PyObject **py_public_key_ndn, PyObject **py_public_key_digest,
int *public_key_digest_len,
char *password)
{
struct ndn_pkey *private_key = NULL;
PyObject *py_private_key = NULL, *py_public_key = NULL;
unsigned long err, reason;
fpos_t fpos;
int r;
int public_only;
r = fgetpos(fp, &fpos);
JUMP_IF_NEG(r, errno_error);
private_key = (struct ndn_pkey *)PEM_read_PrivateKey(fp, NULL, NULL, password);
if (private_key) {
public_only = 0;
goto success;
}
err = ERR_get_error();
reason = ERR_GET_REASON(err);
/* 108 was meaning that start line isn't recognized */
if (reason == 108) {
r = fsetpos(fp, &fpos);
JUMP_IF_NEG(r, errno_error);
private_key = (struct ndn_pkey *)PEM_read_PUBKEY (fp, NULL, NULL, NULL);
if (private_key) {
public_only = 1;
goto success;
}
err = ERR_get_error();
reason = ERR_GET_REASON(err);
}
{
char buf[256];
ERR_error_string_n(err, buf, sizeof(buf));
PyErr_Format(g_PyExc_NDNKeyError, "Unable to read Private Key: %s",
buf);
goto error;
}
success:
r = ndn_keypair(public_only, private_key, py_private_key_ndn,
py_public_key_ndn);
JUMP_IF_NEG(r, error);
r = create_public_key_digest(private_key, py_public_key_digest,
public_key_digest_len);
JUMP_IF_NEG(r, error);
return 0;
errno_error:
PyErr_SetFromErrno(PyExc_IOError);
error:
Py_XDECREF(py_private_key);
Py_XDECREF(py_public_key);
if (private_key)
EVP_PKEY_free((EVP_PKEY *)private_key);
return -1;
}
static int ctx_set_cert(SSL_CTX *ctx, const char *cert, const char *key)
{
FILE *fp = NULL;
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
int toret = 0; /* Assume an error */
/* cert */
if (cert) {
if ((fp = fopen(cert, "r")) == NULL) {
fprintf(stderr, "Error opening cert file '%s'\n", cert);
goto err;
}
if (!PEM_read_X509(fp, &x509, NULL, NULL)) {
fprintf(stderr, "Error reading PEM cert from '%s'\n", cert);
goto err;
}
if (!SSL_CTX_use_certificate(ctx, x509)) {
fprintf(stderr, "Error, cert in '%s' can not be used\n", cert);
goto err;
}
/* Clear the FILE* for reuse in the "key" code */
fclose(fp);
fp = NULL;
fprintf(stderr, "Info, operating with cert in '%s'\n", cert);
/*
* If a cert was given without matching key, we assume the same file
* contains the required key.
*/
if (!key)
key = cert;
} else {
if (key)
fprintf(stderr, "Error, can't specify a key without a "
"corresponding certificate\n");
else
fprintf(stderr, "Error, ctx_set_cert called with " "NULLs!\n");
goto err;
}
/* key */
if (key) {
if ((fp = fopen(key, "r")) == NULL) {
fprintf(stderr, "Error opening key file '%s'\n", key);
goto err;
}
if (!PEM_read_PrivateKey(fp, &pkey, NULL, NULL)) {
fprintf(stderr, "Error reading PEM key from '%s'\n", key);
goto err;
}
if (!SSL_CTX_use_PrivateKey(ctx, pkey)) {
fprintf(stderr, "Error, key in '%s' can not be used\n", key);
goto err;
}
fprintf(stderr, "Info, operating with key in '%s'\n", key);
} else
fprintf(stderr, "Info, operating without a cert or key\n");
/* Success */
toret = 1;
err:
if (x509)
X509_free(x509);
if (pkey)
EVP_PKEY_free(pkey);
if (fp)
fclose(fp);
return toret;
}
/* ChangePasswordPEM() returns:
* -1 Wrong password
* 0 Changing password failed for unknown reason
* 1 Password changed successfully
*/
int ChangePasswordPEM(HWND hwndDlg)
{
char keyfile[MAX_PATH];
char oldpsw[50];
char newpsw[50];
WCHAR oldpsw_unicode[50];
WCHAR newpsw_unicode[50];
FILE *fp;
EVP_PKEY *privkey;
/* Get filename, old_psw and new_psw from Dialog */
GetDlgItemText(hwndDlg, TEXT_KEYFILE, keyfile, sizeof(keyfile) - 1);
GetDlgItemTextW(hwndDlg, EDIT_PSW_CURRENT, oldpsw_unicode, sizeof(oldpsw_unicode)/2 - 1);
GetDlgItemTextW(hwndDlg, EDIT_PSW_NEW, newpsw_unicode, sizeof(newpsw_unicode)/2 - 1);
/* Convert Unicode to ASCII (CP850) */
ConvertUnicode2Ascii(oldpsw_unicode, oldpsw, sizeof(oldpsw));
if (!ConvertUnicode2Ascii(newpsw_unicode, newpsw, sizeof(newpsw)))
{
ShowLocalizedMsg(GUI_NAME, ERR_INVALID_CHARS_IN_PSW, "");
return(-1);
}
privkey = EVP_PKEY_new();
/* Open old keyfile for reading */
if (! (fp = fopen (keyfile, "r")))
{
/* can't open key file */
ShowLocalizedMsg(GUI_NAME, ERR_OPEN_PRIVATE_KEY_FILE, keyfile);
return(0);
}
/* Import old key */
if (! (privkey = PEM_read_PrivateKey (fp, NULL, NULL, oldpsw)))
{
/* wrong password */
ShowLocalizedMsg(GUI_NAME, ERR_OLD_PWD_INCORRECT, "");
fclose(fp);
return(-1);
}
fclose(fp);
/* Open keyfile for writing */
if (! (fp = fopen (keyfile, "w")))
{
/* can't open file rw */
ShowLocalizedMsg(GUI_NAME, ERR_OPEN_WRITE_KEY, keyfile);
EVP_PKEY_free(privkey);
return(0);
}
/* Write new key to file */
if (strlen(newpsw) == 0)
{
/* No passphrase */
if ( !(PEM_write_PrivateKey(fp, privkey, \
NULL, NULL, /* Use NO encryption */
0, 0, NULL)))
{
/* error writing new key */
ShowLocalizedMsg(GUI_NAME, ERR_WRITE_NEW_KEY, keyfile);
EVP_PKEY_free(privkey);
fclose(fp);
return(0);
}
}
else
{
/* Use passphrase */
if ( !(PEM_write_PrivateKey(fp, privkey, \
EVP_des_ede3_cbc(), /* Use 3DES encryption */
newpsw, (int) strlen(newpsw), 0, NULL)))
{
/* can't write new key */
ShowLocalizedMsg(GUI_NAME, ERR_WRITE_NEW_KEY, keyfile);
EVP_PKEY_free(privkey);
fclose(fp);
return(0);
}
}
EVP_PKEY_free(privkey);
fclose(fp);
/* signal success to user */
ShowLocalizedMsg(GUI_NAME, INFO_PWD_CHANGED, "");
return(1);
}
int
easy_pkcs7_sign(const char *content, size_t len,
char **signature, size_t *signature_len,
const char *key_file, const char *cert_file)
{
FILE *f;
X509 *certificate;
STACK_OF(X509) *c, *cert_chain;
EVP_PKEY *private_key;
char *tmp_sig;
BIO *out, *in;
PKCS7 *p7;
int status;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
status = -1;
private_key = NULL;
cert_chain = NULL;
in = NULL;
c = file_to_certs(cert_file);
if (sk_X509_num(c) != 1) {
warnx("More then one certificate in the certificate file");
goto cleanup;
}
certificate = sk_X509_value(c, 0);
/* Compute ex_kusage */
X509_check_purpose(certificate, -1, 0);
if (check_ca(certificate)) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
if (certificate->ex_xkusage != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;
}
if (cert_chain_file)
cert_chain = file_to_certs(cert_chain_file);
if ((f = fopen(key_file, "r")) == NULL) {
warn("Failed to open private key file %s", key_file);
goto cleanup;
}
private_key = PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL);
fclose(f);
if (private_key == NULL) {
warnx("Can't read private key: %s", key_file);
goto cleanup;
}
if (X509_check_private_key(certificate, private_key) != 1) {
warnx("The private key %s doesn't match the certificate %s",
key_file, cert_file);
goto cleanup;
}
in = BIO_new_mem_buf(__UNCONST(content), len);
p7 = PKCS7_sign(certificate, private_key, cert_chain, in,
PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
if (p7 == NULL) {
warnx("Failed to create signature structure");
goto cleanup;
}
out = BIO_new(BIO_s_mem());
PEM_write_bio_PKCS7(out, p7);
*signature_len = BIO_get_mem_data(out, &tmp_sig);
*signature = xmalloc(*signature_len);
memcpy(*signature, tmp_sig, *signature_len);
BIO_free_all(out);
PKCS7_free(p7);
status = 0;
cleanup:
sk_X509_free(c);
sk_X509_free(cert_chain);
EVP_PKEY_free(private_key);
BIO_free(in);
return status;
}
EAPI Eet_Key *
eet_identity_open(const char *certificate_file,
const char *private_key_file,
Eet_Key_Password_Callback cb)
{
#ifdef HAVE_SIGNATURE
/* Signature declarations */
Eet_Key *key = NULL;
# ifdef HAVE_GNUTLS
/* Gnutls private declarations */
Eina_File *f = NULL;
void *data = NULL;
gnutls_datum_t load_file = { NULL, 0 };
char pass[1024];
if (!emile_cipher_init()) return NULL;
/* Init */
if (!(key = malloc(sizeof(Eet_Key))))
goto on_error;
key->references = 1;
if (gnutls_x509_crt_init(&(key->certificate)))
goto on_error;
if (gnutls_x509_privkey_init(&(key->private_key)))
goto on_error;
/* Mmap certificate_file */
f = eina_file_open(certificate_file, 0);
if (!f)
goto on_error;
/* let's make mmap safe and just get 0 pages for IO erro */
eina_mmap_safety_enabled_set(EINA_TRUE);
data = eina_file_map_all(f, EINA_FILE_SEQUENTIAL);
if (!data) goto on_error;
/* Import the certificate in Eet_Key structure */
load_file.data = data;
load_file.size = eina_file_size_get(f);
if (gnutls_x509_crt_import(key->certificate, &load_file,
GNUTLS_X509_FMT_PEM) < 0)
goto on_error;
eina_file_map_free(f, data);
/* Reset values */
eina_file_close(f);
f = NULL;
data = NULL;
load_file.data = NULL;
load_file.size = 0;
/* Mmap private_key_file */
f = eina_file_open(private_key_file, 0);
if (!f)
goto on_error;
/* let's make mmap safe and just get 0 pages for IO erro */
eina_mmap_safety_enabled_set(EINA_TRUE);
data = eina_file_map_all(f, EINA_FILE_SEQUENTIAL);
if (!data)
goto on_error;
/* Import the private key in Eet_Key structure */
load_file.data = data;
load_file.size = eina_file_size_get(f);
/* Try to directly import the PEM encoded private key */
if (gnutls_x509_privkey_import(key->private_key, &load_file,
GNUTLS_X509_FMT_PEM) < 0)
{
/* Else ask for the private key pass */
if (cb && cb(pass, 1024, 0, NULL))
{
/* If pass then try to decode the pkcs 8 private key */
if (gnutls_x509_privkey_import_pkcs8(key->private_key, &load_file,
GNUTLS_X509_FMT_PEM, pass, 0))
goto on_error;
}
else
/* Else try to import the pkcs 8 private key without pass */
if (gnutls_x509_privkey_import_pkcs8(key->private_key, &load_file,
GNUTLS_X509_FMT_PEM, NULL, 1))
goto on_error;
}
eina_file_map_free(f, data);
eina_file_close(f);
return key;
on_error:
if (data) eina_file_map_free(f, data);
if (f) eina_file_close(f);
if (key)
{
if (key->certificate)
gnutls_x509_crt_deinit(key->certificate);
if (key->private_key)
gnutls_x509_privkey_deinit(key->private_key);
free(key);
}
# else /* ifdef HAVE_GNUTLS */
/* Openssl private declarations */
FILE *fp;
EVP_PKEY *pkey = NULL;
X509 *cert = NULL;
if (!emile_cipher_init()) return NULL;
/* Load the X509 certificate in memory. */
fp = fopen(certificate_file, "rb");
if (!fp)
return NULL;
cert = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
if (!cert)
goto on_error;
/* Check the presence of the public key. Just in case. */
pkey = X509_get_pubkey(cert);
if (!pkey)
goto on_error;
/* Load the private key in memory. */
fp = fopen(private_key_file, "rb");
if (!fp)
goto on_error;
pkey = PEM_read_PrivateKey(fp, NULL, cb, NULL);
fclose(fp);
if (!pkey)
goto on_error;
/* Load the certificate and the private key in Eet_Key structure */
key = malloc(sizeof(Eet_Key));
if (!key)
goto on_error;
key->references = 1;
key->certificate = cert;
key->private_key = pkey;
return key;
on_error:
if (cert)
X509_free(cert);
if (pkey)
EVP_PKEY_free(pkey);
# endif /* ifdef HAVE_GNUTLS */
#else
(void) certificate_file;
(void) private_key_file;
(void) cb;
#endif /* ifdef HAVE_SIGNATURE */
return NULL;
}
int main (int argc, const char *argv [])
{
unsigned char *cert_file = NULL, *key_file = NULL;
unsigned char *cert;
unsigned char *key;
size_t cert_len = 0, key_len = 0;
X509 *cert_ptr = NULL;
STACK_OF(X509) *chain;
EVP_PKEY *pkey = NULL;
FILE *fp;
DDS_Credentials credential;
/* Test DDS_Credentials in DDS_SSL_BASED format */
fp = fopen (argv [1], "rb");
chain = sk_X509_new_null ();
while ((cert_ptr = PEM_read_X509(fp, NULL, NULL, NULL)) != NULL)
sk_X509_push (chain, cert_ptr);
fp = fopen (argv [2], "rb");
pkey = PEM_read_PrivateKey(fp ,NULL, NULL, NULL);
credential.credentialKind = DDS_SSL_BASED;
credential.info.sslData.certificate_list = chain;
credential.info.sslData.private_key = pkey;
sp_extract_pem (&credential,
&cert, &cert_len,
&key, &key_len);
readFile (argv [1], &cert_file);
readFile (argv [2], &key_file);
if (!compare (cert_file, strlen (cert_file),
cert, cert_len)) {
printf ("compare problem \r\n");
exit (1);
}
if (!compare (key_file, strlen (key_file),
key, key_len)) {
printf ("compare problem \r\n");
exit (1);
}
free (cert);
free (key);
/* Test DDS_Credentials in DDS_DATA_BASED PEM format */
credential.credentialKind = DDS_DATA_BASED;
credential.info.data.private_key.format = DDS_FORMAT_PEM;
credential.info.data.private_key.data = key_file;
credential.info.data.private_key.length = strlen (key_file);
credential.info.data.num_certificates = 1;
credential.info.data.certificates [0].format = DDS_FORMAT_PEM;
credential.info.data.certificates [0].data = cert_file;
credential.info.data.certificates [0].length = strlen (cert_file);
cert_len = 0;
key_len = 0;
sp_extract_pem (&credential,
&cert, &cert_len,
&key, &key_len);
if (!compare (cert_file, strlen (cert_file),
cert, cert_len)) {
printf ("compare problem \r\n");
exit (1);
}
if (!compare (key_file, strlen (key_file),
key, key_len)) {
printf ("compare problem \r\n");
exit (1);
}
if (sp_add_credential (1, "fake_name", cert, cert_len,
key, key_len))
exit (1);
if (!sp_get_name (1))
exit (1);
if (!sp_get_cert (1, &cert_len))
exit (1);
if (!sp_get_key (1, &key_len))
exit (1);
if (sp_remove_credential (1))
exit (1);
free (cert_file);
free (key_file);
free (cert);
free (key);
sk_X509_free (chain);
printf ("Test succeeded\r\n");
}
int main(int argc, char **argv)
{ struct soap *soap;
int server = 0;
int text = 0;
int port = 0;
FILE *fd;
double result;
char *user;
int runs = 1;
/* create context */
soap = soap_new();
/* register wsse plugin */
soap_register_plugin_arg(soap, soap_wsse, (void*)token_handler);
/* options */
if (argc >= 2)
{ if (strchr(argv[1], 'c'))
soap_set_omode(soap, SOAP_IO_CHUNK);
else if (strchr(argv[1], 'y'))
soap_set_omode(soap, SOAP_IO_STORE);
if (strchr(argv[1], 'i'))
soap_set_omode(soap, SOAP_XML_INDENT);
if (strchr(argv[1], 'n'))
soap_set_omode(soap, SOAP_XML_CANONICAL);
if (strchr(argv[1], 'a'))
aes = 1;
if (strchr(argv[1], 'o'))
oaep = 1;
if (strchr(argv[1], 'd'))
sym = 1;
if (strchr(argv[1], 'e'))
enc = 1;
if (strchr(argv[1], 'f'))
addenc = 1;
/* if (strchr(argv[1], 'F'))
addenca = 1; */
if (strchr(argv[1], 'h'))
hmac = 1;
if (strchr(argv[1], 'k'))
nokey = 1;
if (strchr(argv[1], 's'))
server = 1;
if (strchr(argv[1], 't'))
text = 1;
if (strchr(argv[1], 'g'))
addsig = 1;
if (strchr(argv[1], 'b'))
nobody = 1;
if (strchr(argv[1], 'x'))
nohttp = 1;
if (strchr(argv[1], 'z'))
soap_set_mode(soap, SOAP_ENC_ZLIB);
if (isdigit(argv[1][strlen(argv[1])-1]))
{ runs = argv[1][strlen(argv[1])-1] - '0';
soap_set_mode(soap, SOAP_IO_KEEPALIVE);
}
}
/* soap->actor = "..."; */ /* set only when required */
user = getenv("USER");
if (!user)
user = "******";
/* read RSA private key for signing */
if ((fd = fopen("server.pem", "r")))
{ rsa_privk = PEM_read_PrivateKey(fd, NULL, NULL, (void*)"password");
fclose(fd);
if (!rsa_privk)
{ fprintf(stderr, "Could not read private RSA key from server.pem\n");
exit(1);
}
}
else
fprintf(stderr, "Could not read server.pem\n");
/* read certificate (more efficient is to keep certificate in memory)
to obtain public key for encryption and signature verification */
if ((fd = fopen("servercert.pem", "r")))
{ cert = PEM_read_X509(fd, NULL, NULL, NULL);
fclose(fd);
if (!cert)
{ fprintf(stderr, "Could not read certificate from servercert.pem\n");
exit(1);
}
}
else
fprintf(stderr, "Could not read server.pem\n");
rsa_pubk = X509_get_pubkey(cert);
if (!rsa_pubk)
{ fprintf(stderr, "Could not get public key from certificate\n");
exit(1);
}
/* port argument */
if (argc >= 3)
port = atoi(argv[2]);
/* need cacert to verify certificates with CA (cacert.pem for testing and
cacerts.pem for production, which contains the trusted CA certificates) */
soap->cafile = "cacert.pem";
/* server or client/ */
if (server)
{ if (port)
{ /* stand-alone server serving messages over port */
if (!soap_valid_socket(soap_bind(soap, NULL, port, 100)))
{ soap_print_fault(soap, stderr);
exit(1);
}
printf("Server started at port %d\n", port);
while (soap_valid_socket(soap_accept(soap)))
{ if (hmac)
soap_wsse_verify_auto(soap, SOAP_SMD_HMAC_SHA1, hmac_key, sizeof(hmac_key));
else if (nokey)
soap_wsse_verify_auto(soap, SOAP_SMD_VRFY_RSA_SHA1, rsa_pubk, 0);
else
soap_wsse_verify_auto(soap, SOAP_SMD_NONE, NULL, 0);
if (sym)
{ if (aes)
soap_wsse_decrypt_auto(soap, SOAP_MEC_DEC_AES256_CBC, aes_key, sizeof(aes_key));
else
soap_wsse_decrypt_auto(soap, SOAP_MEC_DEC_DES_CBC, des_key, sizeof(des_key));
}
else if (enc)
soap_wsse_decrypt_auto(soap, SOAP_MEC_ENV_DEC_DES_CBC, rsa_privk, 0);
if (soap_serve(soap))
{ soap_wsse_delete_Security(soap);
soap_print_fault(soap, stderr);
soap_print_fault_location(soap, stderr);
}
soap_destroy(soap);
soap_end(soap);
}
soap_print_fault(soap, stderr);
exit(1);
}
else
{ /* CGI-style server serving messages over stdin/out */
if (hmac)
soap_wsse_verify_auto(soap, SOAP_SMD_HMAC_SHA1, hmac_key, sizeof(hmac_key));
else if (nokey)
soap_wsse_verify_auto(soap, SOAP_SMD_VRFY_RSA_SHA1, rsa_pubk, 0);
else
soap_wsse_verify_auto(soap, SOAP_SMD_NONE, NULL, 0);
if (sym)
{ if (aes)
soap_wsse_decrypt_auto(soap, SOAP_MEC_DEC_AES256_CBC, aes_key, sizeof(aes_key));
else
soap_wsse_decrypt_auto(soap, SOAP_MEC_DEC_DES_CBC, des_key, sizeof(des_key));
}
else if (enc)
soap_wsse_decrypt_auto(soap, SOAP_MEC_ENV_DEC_DES_CBC, rsa_privk, 0);
if (soap_serve(soap))
{ soap_wsse_delete_Security(soap);
soap_print_fault(soap, stderr);
soap_print_fault_location(soap, stderr);
}
soap_destroy(soap);
soap_end(soap);
}
}
else /* client */
{ int run;
char endpoint[80];
/* ns1:test data */
struct ns1__add a;
struct ns1__sub b;
a.a = 123;
a.b = 456;
b.a = 789;
b.b = -99999;
/* client sending messages to stdout or over port */
if (port)
sprintf(endpoint, "http://localhost:%d", port);
else if (nohttp)
strcpy(endpoint, "");
else
strcpy(endpoint, "http://");
for (run = 0; run < runs; run++)
{
/* message lifetime of 60 seconds */
soap_wsse_add_Timestamp(soap, "Time", 60);
/* add user name with text or digest password */
if (text)
soap_wsse_add_UsernameTokenText(soap, "User", user, "userPass");
else
soap_wsse_add_UsernameTokenDigest(soap, "User", user, "userPass");
if (sym)
{ if (aes)
{ /* symmetric encryption with AES */
soap_wsse_add_EncryptedData_KeyInfo_KeyName(soap, "My AES Key");
if (soap_wsse_encrypt_body(soap, SOAP_MEC_ENC_AES256_CBC, aes_key, sizeof(aes_key)))
soap_print_fault(soap, stderr);
soap_wsse_decrypt_auto(soap, SOAP_MEC_DEC_AES256_CBC, aes_key, sizeof(aes_key));
}
else
{ /* symmetric encryption with DES */
soap_wsse_add_EncryptedData_KeyInfo_KeyName(soap, "My DES Key");
if (soap_wsse_encrypt_body(soap, SOAP_MEC_ENC_DES_CBC, des_key, sizeof(des_key)))
soap_print_fault(soap, stderr);
soap_wsse_decrypt_auto(soap, SOAP_MEC_DEC_DES_CBC, des_key, sizeof(des_key));
}
}
else if (addenc || addenca)
{ /* RSA encryption of the <ns1:add> element */
const char *SubjectKeyId = NULL; /* set to non-NULL to use SubjectKeyIdentifier in Header rather than a full cert key */
/* MUST set wsu:Id of the elements to encrypt */
if (addenc) /* encrypt element <ns1:add> */
{ soap_wsse_set_wsu_id(soap, "ns1:add");
if (soap_wsse_add_EncryptedKey_encrypt_only(soap, SOAP_MEC_ENV_ENC_DES_CBC, "Cert", cert, SubjectKeyId, NULL, NULL, "ns1:add"))
soap_print_fault(soap, stderr);
}
else /* encrypt element <a> */
{ soap_wsse_set_wsu_id(soap, "a");
if (soap_wsse_add_EncryptedKey_encrypt_only(soap, SOAP_MEC_ENV_ENC_DES_CBC, "Cert", cert, SubjectKeyId, NULL, NULL, "a"))
soap_print_fault(soap, stderr);
}
soap_wsse_decrypt_auto(soap, SOAP_MEC_ENV_DEC_DES_CBC, rsa_privk, 0);
}
else if (enc)
{ /* RSA encryption of the SOAP Body */
const char *SubjectKeyId = NULL; /* set to non-NULL to use SubjectKeyIdentifier in Header rather than a full cert key */
if (oaep)
{ if (soap_wsse_add_EncryptedKey(soap, SOAP_MEC_ENV_ENC_AES256_CBC | SOAP_MEC_OAEP, "Cert", cert, SubjectKeyId, NULL, NULL))
soap_print_fault(soap, stderr);
}
else if (aes)
{ if (soap_wsse_add_EncryptedKey(soap, SOAP_MEC_ENV_ENC_AES256_CBC, "Cert", cert, SubjectKeyId, NULL, NULL))
soap_print_fault(soap, stderr);
}
else
{ if (soap_wsse_add_EncryptedKey(soap, SOAP_MEC_ENV_ENC_DES_CBC, "Cert", cert, SubjectKeyId, NULL, NULL))
soap_print_fault(soap, stderr);
}
soap_wsse_decrypt_auto(soap, SOAP_MEC_ENV_DEC_DES_CBC, rsa_privk, 0);
}
if (hmac)
{ /* symmetric signature */
if (nobody)
soap_wsse_sign(soap, SOAP_SMD_HMAC_SHA1, hmac_key, sizeof(hmac_key));
else
soap_wsse_sign_body(soap, SOAP_SMD_HMAC_SHA1, hmac_key, sizeof(hmac_key));
/* WS-SecureConversation contect token */
soap_wsse_add_SecurityContextToken(soap, "SCT", contextId);
}
else
{ if (nokey)
soap_wsse_add_KeyInfo_KeyName(soap, "MyKey");
else
{ soap_wsse_add_BinarySecurityTokenX509(soap, "X509Token", cert);
soap_wsse_add_KeyInfo_SecurityTokenReferenceX509(soap, "#X509Token");
}
if (nobody || addsig) /* do not sign body */
soap_wsse_sign(soap, SOAP_SMD_SIGN_RSA_SHA1, rsa_privk, 0);
else
soap_wsse_sign_body(soap, SOAP_SMD_SIGN_RSA_SHA256, rsa_privk, 0);
}
/* enable automatic signature verification of server responses */
if (hmac)
soap_wsse_verify_auto(soap, SOAP_SMD_HMAC_SHA1, hmac_key, sizeof(hmac_key));
else if (nokey)
soap_wsse_verify_auto(soap, SOAP_SMD_VRFY_RSA_SHA1, rsa_pubk, 0);
else
soap_wsse_verify_auto(soap, SOAP_SMD_NONE, NULL, 0);
/* sign the response message in unsigned body? If so, set wsu:Id */
if (addsig)
{ soap_wsse_set_wsu_id(soap, "ns1:add");
soap_wsse_sign_only(soap, "User ns1:add");
}
/* invoke the server. You can choose add, sub, mul, or div operations
* that show different security aspects (intentional message rejections)
* for demonstration purposes (see server operations below) */
if (!soap_call_ns1__add(soap, endpoint, NULL, 1.0, 2.0, &result))
{ if (!soap_wsse_verify_Timestamp(soap))
{ const char *servername = soap_wsse_get_Username(soap);
if (servername
&& !strcmp(servername, "server")
&& !soap_wsse_verify_Password(soap, "serverPass"))
printf("Result = %g\n", result);
else
{ fprintf(stderr, "Server authentication failed\n");
soap_print_fault(soap, stderr);
}
}
else
{ fprintf(stderr, "Server response expired\n");
soap_print_fault(soap, stderr);
}
}
else
{ soap_print_fault(soap, stderr);
soap_print_fault_location(soap, stderr);
}
/* clean up security header */
soap_wsse_delete_Security(soap);
/* disable soap_wsse_verify_auto */
soap_wsse_verify_done(soap);
} /* run */
}
/* clean up keys */
if (rsa_privk)
EVP_PKEY_free(rsa_privk);
if (rsa_pubk)
EVP_PKEY_free(rsa_pubk);
if (cert)
X509_free(cert);
/* clean up gSOAP engine */
soap_destroy(soap);
soap_end(soap);
soap_done(soap);
free(soap);
/* done */
return 0;
}
DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u)
{
EVP_PKEY *pktmp;
pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
}
int
main(int argc, char **argv)
{
int ch, error;
bool Vflag = false, vflag = false;
const char *certpath = NULL, *keypath = NULL, *outpath = NULL, *inpath = NULL;
FILE *certfp = NULL, *keyfp = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
pid_t pid;
int pipefds[2];
while ((ch = getopt(argc, argv, "Vc:k:o:v")) != -1) {
switch (ch) {
case 'V':
Vflag = true;
break;
case 'c':
certpath = checked_strdup(optarg);
break;
case 'k':
keypath = checked_strdup(optarg);
break;
case 'o':
outpath = checked_strdup(optarg);
break;
case 'v':
vflag = true;
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc != 1)
usage();
if (Vflag) {
if (certpath != NULL)
errx(1, "-V and -c are mutually exclusive");
if (keypath != NULL)
errx(1, "-V and -k are mutually exclusive");
if (outpath != NULL)
errx(1, "-V and -o are mutually exclusive");
} else {
if (certpath == NULL)
errx(1, "-c option is mandatory");
if (keypath == NULL)
errx(1, "-k option is mandatory");
if (outpath == NULL)
errx(1, "-o option is mandatory");
}
inpath = argv[0];
OPENSSL_config(NULL);
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
error = pipe(pipefds);
if (error != 0)
err(1, "pipe");
pid = fork();
if (pid < 0)
err(1, "fork");
if (pid == 0)
return (child(inpath, outpath, pipefds[1], Vflag, vflag));
if (!Vflag) {
certfp = checked_fopen(certpath, "r");
cert = PEM_read_X509(certfp, NULL, NULL, NULL);
if (cert == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "failed to load certificate from %s", certpath);
}
keyfp = checked_fopen(keypath, "r");
key = PEM_read_PrivateKey(keyfp, NULL, NULL, NULL);
if (key == NULL) {
ERR_print_errors_fp(stderr);
errx(1, "failed to load private key from %s", keypath);
}
sign(cert, key, pipefds[0]);
}
return (wait_for_child(pid));
}
RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
{
EVP_PKEY *pktmp;
pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
return pkey_get_rsa(pktmp, rsa);
}
as_status
as_tls_context_setup(as_config_tls* tlscfg, as_tls_context* ctx, as_error* errp)
{
// Clear the destination, in case we don't make it.
ctx->ssl_ctx = NULL;
ctx->pkey = NULL;
ctx->cert_blacklist = NULL;
ctx->log_session_info = tlscfg->log_session_info;
ctx->for_login_only = tlscfg->for_login_only;
as_tls_check_init();
pthread_mutex_init(&ctx->lock, NULL);
if (tlscfg->cert_blacklist) {
ctx->cert_blacklist = cert_blacklist_read(tlscfg->cert_blacklist);
if (! ctx->cert_blacklist) {
as_tls_context_destroy(ctx);
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"Failed to read certificate blacklist: %s",
tlscfg->cert_blacklist);
}
}
uint16_t protocols = AS_TLS_PROTOCOL_NONE;
as_status status = protocols_parse(tlscfg, &protocols, errp);
if (status != AEROSPIKE_OK) {
as_tls_context_destroy(ctx);
return status;
}
const SSL_METHOD* method = NULL;
// If the selected protocol set is a single protocol we can use a specific method.
if (protocols == AS_TLS_PROTOCOL_TLSV1) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = TLSv1_client_method();
#endif
}
else if (protocols == AS_TLS_PROTOCOL_TLSV1_1) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = TLSv1_1_client_method();
#endif
}
else if (protocols == AS_TLS_PROTOCOL_TLSV1_2) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = TLSv1_2_client_method();
#endif
}
else {
// Multiple protocols are enabled, use a flexible method.
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = SSLv23_client_method();
#endif
}
ctx->ssl_ctx = SSL_CTX_new(method);
if (ctx->ssl_ctx == NULL) {
as_tls_context_destroy(ctx);
unsigned long errcode = ERR_get_error();
char errbuf[1024];
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"Failed to create new TLS context: %s", errbuf);
}
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
// Turn off non-enabled protocols.
if (! (protocols & AS_TLS_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
}
if (! (protocols & AS_TLS_PROTOCOL_TLSV1_1)) {
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
}
if (! (protocols & AS_TLS_PROTOCOL_TLSV1_2)) {
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
}
if (tlscfg->cafile || tlscfg->capath) {
int rv = SSL_CTX_load_verify_locations(ctx->ssl_ctx, tlscfg->cafile, tlscfg->capath);
if (rv != 1) {
as_tls_context_destroy(ctx);
char errbuf[1024];
unsigned long errcode = ERR_get_error();
if (errcode != 0) {
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"Failed to load CAFile: %s", errbuf);
}
return as_error_set_message(errp, AEROSPIKE_ERR_TLS_ERROR,
"Unknown failure loading CAFile");
}
}
if (tlscfg->certfile) {
int rv = SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, tlscfg->certfile);
if (rv != 1) {
// We seem to be seeing this bug:
// https://groups.google.com/
// forum/#!topic/mailing.openssl.users/nRvRzmKnEQA
// If the rv is not 1 check the error stack; if it doesn't have an
// error assume we are OK.
//
unsigned long errcode = ERR_peek_error();
if (errcode != SSL_ERROR_NONE) {
// There *was* an error after all.
as_tls_context_destroy(ctx);
unsigned long errcode = ERR_get_error();
char errbuf[1024];
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"SSL_CTX_use_certificate_chain_file failed: %s",
errbuf);
}
}
}
if (tlscfg->keyfile) {
bool ok = false;
FILE *fh = fopen(tlscfg->keyfile, "r");
if (fh == NULL) {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"failed to open key file %s: %s", tlscfg->keyfile,
strerror(errno));
}
else {
EVP_PKEY *pkey = PEM_read_PrivateKey(fh, NULL, password_cb,
tlscfg->keyfile_pw);
if (pkey == NULL) {
unsigned long errcode = ERR_get_error();
if (ERR_GET_REASON(errcode) == PEM_R_BAD_PASSWORD_READ) {
if (tlscfg->keyfile_pw == NULL) {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"key file %s requires a password",
tlscfg->keyfile);
}
else {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"password for key file %s too long",
tlscfg->keyfile);
}
}
else if (ERR_GET_REASON(errcode) == EVP_R_BAD_DECRYPT) {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"invalid password for key file %s",
tlscfg->keyfile);
}
else {
char errbuf[1024];
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"PEM_read_PrivateKey failed: %s", errbuf);
}
}
else {
ctx->pkey = pkey;
SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey);
ok = true;
}
fclose(fh);
}
if (!ok) {
as_tls_context_destroy(ctx);
return AEROSPIKE_ERR_TLS_ERROR;
}
}
if (tlscfg->cipher_suite) {
int rv = SSL_CTX_set_cipher_list(ctx->ssl_ctx, tlscfg->cipher_suite);
if (rv != 1) {
as_tls_context_destroy(ctx);
return as_error_set_message(errp, AEROSPIKE_ERR_TLS_ERROR,
"no compatible cipher found");
}
// It's bogus that we have to create an SSL just to get the
// cipher list, but SSL_CTX_get_ciphers doesn't appear to
// exist ...
SSL* ssl = SSL_new(ctx->ssl_ctx);
for (int prio = 0; true; ++prio) {
char const * cipherstr = SSL_get_cipher_list(ssl, prio);
if (!cipherstr) {
break;
}
as_log_info("cipher %d: %s", prio+1, cipherstr);
}
SSL_free(ssl);
}
if (tlscfg->crl_check || tlscfg->crl_check_all) {
X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
unsigned long flags = X509_V_FLAG_CRL_CHECK;
if (tlscfg->crl_check_all) {
flags |= X509_V_FLAG_CRL_CHECK_ALL;
}
X509_VERIFY_PARAM_set_flags(param, flags);
SSL_CTX_set1_param(ctx->ssl_ctx, param);
X509_VERIFY_PARAM_free(param);
}
SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, verify_callback);
manage_sigpipe();
return AEROSPIKE_OK;
}
