static int cardfingerprint(void *ctx,char *file,void *out)
{
int r=NOCARD;
int len;
EVP_PKEY *key;
RSA *rsa=NULL;
EC_KEY *ec=NULL;
ENGINE *e=(ENGINE *)ctx;
unsigned char bfr[2048];
unsigned char *p=bfr;
resume_engine(e,engbits);
if(!(key=ENGINE_load_public_key(e,file,NULL,NULL)))goto err1;
r=CRYPTOFAIL;
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
if(EVP_PKEY_get0_RSA(key))
{
if(!(rsa=EVP_PKEY_get1_RSA(key)))goto err2;
if((len=i2d_RSA_PUBKEY(rsa,NULL))>sizeof(bfr))goto err3;
if(i2d_RSA_PUBKEY(rsa,&p)!=len)goto err3;
}
else if(EVP_PKEY_get0_EC_KEY(key))
{
if(!(ec=EVP_PKEY_get1_EC_KEY(key)))goto err2;
if((len=i2d_EC_PUBKEY(ec,NULL))>sizeof(bfr))goto err3;
if(i2d_EC_PUBKEY(ec,&p)!=len)goto err3;
}
else goto err2;
#else
switch(EVP_PKEY_type(key->type))
{
case EVP_PKEY_RSA:
if(!(rsa=EVP_PKEY_get1_RSA(key)))goto err2;
if((len=i2d_RSA_PUBKEY(rsa,NULL))>sizeof(bfr))goto err3;
if(i2d_RSA_PUBKEY(rsa,&p)!=len)goto err3;
break;
case EVP_PKEY_EC:
if(!(ec=EVP_PKEY_get1_EC_KEY(key)))goto err2;
if((len=i2d_EC_PUBKEY(ec,NULL))>sizeof(bfr))goto err3;
if(i2d_EC_PUBKEY(ec,&p)!=len)goto err3;
break;
default:goto err2;
}
#endif
if(out)sha256(bfr,len,out);
r=OK;
err3: if(rsa)RSA_free(rsa);
if(ec)EC_KEY_free(ec);
memclear(bfr,0,sizeof(bfr));
err2: EVP_PKEY_free(key);
err1: suspend_engine(e,&engbits);
return r;
}
static VALUE
ossl_engine_load_pubkey(int argc, VALUE *argv, VALUE self)
{
ENGINE *e;
EVP_PKEY *pkey;
VALUE id, data;
char *sid, *sdata;
rb_scan_args(argc, argv, "02", &id, &data);
sid = NIL_P(id) ? NULL : StringValuePtr(id);
sdata = NIL_P(data) ? NULL : StringValuePtr(data);
GetEngine(self, e);
#if OPENSSL_VERSION_NUMBER < 0x00907000L
pkey = ENGINE_load_public_key(e, sid, sdata);
#else
pkey = ENGINE_load_public_key(e, sid, NULL, sdata);
#endif
if (!pkey) ossl_raise(eEngineError, NULL);
return ossl_pkey_new(pkey);
}
static int hascard(void *ctx,char *file)
{
int r=NOCARD;
ENGINE *e=(ENGINE *)ctx;
EVP_PKEY *key;
resume_engine(e,engbits);
if(!(key=ENGINE_load_public_key(e,file,NULL,NULL)))goto err1;
EVP_PKEY_free(key);
r=OK;
err1: suspend_engine(e,&engbits);
return r;
}
static EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip)
{
BIO *key=NULL;
EVP_PKEY *pkey=NULL;
PW_CB_DATA cb_data;
cb_data.password = pass;
cb_data.prompt_info = file;
if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
{
BIO_printf(err,"no keyfile specified\n");
goto end;
}
#ifndef OPENSSL_NO_ENGINE
if (format == FORMAT_ENGINE)
{
if (!e)
BIO_printf(bio_err,"no engine specified\n");
else
pkey = ENGINE_load_public_key(e, file,
ui_method, &cb_data);
goto end;
}
#endif
key=BIO_new(BIO_s_file());
if (key == NULL)
{
ERR_print_errors(err);
goto end;
}
if (file == NULL && maybe_stdin)
{
setvbuf(stdin, NULL, _IONBF, 0);
BIO_set_fp(key,stdin,BIO_NOCLOSE);
}
else if (BIO_read_filename(key,file) <= 0)
{
BIO_printf(err, "Error opening %s %s\n",
key_descrip, file);
ERR_print_errors(err);
goto end;
}
if (format == FORMAT_ASN1)
{
pkey=d2i_PUBKEY_bio(key, NULL);
}
else if (format == FORMAT_PEM)
{
pkey=PEM_read_bio_PUBKEY(key,NULL,
(pem_password_cb *)password_callback, &cb_data);
}
#if defined(PACS_USING_FORMAT_NETSCAPE_OR_PKCS12)
#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
pkey = load_netscape_key(err, key, file, key_descrip, format);
#endif
#endif
else
{
BIO_printf(err,"bad input format specified for key file\n");
goto end;
}
end:
if (key != NULL) BIO_free(key);
if (pkey == NULL)
BIO_printf(err,"unable to load %s\n", key_descrip);
return(pkey);
}
static isc_result_t
opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin)
{
#ifdef USE_ENGINE
ENGINE *e = NULL;
isc_result_t ret;
EVP_PKEY *pkey = NULL;
RSA *rsa = NULL, *pubrsa = NULL;
char *colon;
UNUSED(pin);
if (engine == NULL)
DST_RET(DST_R_NOENGINE);
e = dst__openssl_getengine(engine);
if (e == NULL)
DST_RET(DST_R_NOENGINE);
pkey = ENGINE_load_public_key(e, label, NULL, NULL);
if (pkey != NULL) {
pubrsa = EVP_PKEY_get1_RSA(pkey);
EVP_PKEY_free(pkey);
if (pubrsa == NULL)
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (pkey == NULL)
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
ISC_R_NOTFOUND));
if (engine != NULL) {
key->engine = isc_mem_strdup(key->mctx, engine);
if (key->engine == NULL)
DST_RET(ISC_R_NOMEMORY);
} else {
key->engine = isc_mem_strdup(key->mctx, label);
if (key->engine == NULL)
DST_RET(ISC_R_NOMEMORY);
colon = strchr(key->engine, ':');
if (colon != NULL)
*colon = '\0';
}
key->label = isc_mem_strdup(key->mctx, label);
if (key->label == NULL)
DST_RET(ISC_R_NOMEMORY);
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
DST_RET(DST_R_INVALIDPRIVATEKEY);
if (pubrsa != NULL)
RSA_free(pubrsa);
key->key_size = EVP_PKEY_bits(pkey);
#if USE_EVP
key->keydata.pkey = pkey;
RSA_free(rsa);
#else
key->keydata.rsa = rsa;
EVP_PKEY_free(pkey);
#endif
return (ISC_R_SUCCESS);
err:
if (rsa != NULL)
RSA_free(rsa);
if (pubrsa != NULL)
RSA_free(pubrsa);
if (pkey != NULL)
EVP_PKEY_free(pkey);
return (ret);
#else
UNUSED(key);
UNUSED(engine);
UNUSED(label);
UNUSED(pin);
return(DST_R_NOENGINE);
#endif
}
int main(int argc, char **argv)
{
EVP_PKEY *private_key, *public_key;
EVP_PKEY_CTX *pkey_ctx;
EVP_MD_CTX *md_ctx;
const EVP_MD *digest_algo;
char *private_key_name, *public_key_name;
unsigned char sig[4096];
size_t sig_len;
unsigned char md[128];
size_t md_len;
unsigned digest_len;
char *key_pass = NULL;
const char *module_path, *efile;
ENGINE *e;
int ret;
if (argc < 5) {
fprintf(stderr, "usage: %s [PIN] [CONF] [private key URL] [public key URL] [module]\n", argv[0]);
fprintf(stderr, "\n");
exit(1);
}
key_pass = argv[1];
efile = argv[2];
private_key_name = argv[3];
public_key_name = argv[4];
module_path = argv[5];
ret = CONF_modules_load_file(efile, "engines", 0);
if (ret <= 0) {
fprintf(stderr, "cannot load %s\n", efile);
display_openssl_errors(__LINE__);
exit(1);
}
ENGINE_add_conf_module();
#if OPENSSL_VERSION_NUMBER>=0x10100000
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
| OPENSSL_INIT_ADD_ALL_DIGESTS \
| OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
#endif
ERR_clear_error();
ENGINE_load_builtin_engines();
e = ENGINE_by_id("pkcs11");
if (e == NULL) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_ctrl_cmd_string(e, "MODULE_PATH", module_path, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (!ENGINE_init(e)) {
display_openssl_errors(__LINE__);
exit(1);
}
if (key_pass && !ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
display_openssl_errors(__LINE__);
exit(1);
}
private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL);
if (private_key == NULL) {
fprintf(stderr, "cannot load: %s\n", private_key_name);
display_openssl_errors(__LINE__);
exit(1);
}
public_key = ENGINE_load_public_key(e, public_key_name, NULL, NULL);
if (public_key == NULL) {
fprintf(stderr, "cannot load: %s\n", public_key_name);
display_openssl_errors(__LINE__);
exit(1);
}
digest_algo = EVP_get_digestbyname("sha256");
#define TEST_DATA "test data"
md_ctx = EVP_MD_CTX_create();
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_DigestUpdate(md_ctx, TEST_DATA, sizeof(TEST_DATA)) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
digest_len = sizeof(md);
if (EVP_DigestFinal(md_ctx, md, &digest_len) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
md_len = digest_len;
EVP_MD_CTX_destroy(md_ctx);
/* Sign the hash */
pkey_ctx = EVP_PKEY_CTX_new(private_key, e);
if (pkey_ctx == NULL) {
fprintf(stderr, "Could not create context\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_sign_init(pkey_ctx) <= 0) {
fprintf(stderr, "Could not init signature\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
fprintf(stderr, "Could not set padding\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_signature_md(pkey_ctx, digest_algo) <= 0) {
fprintf(stderr, "Could not set message digest algorithm\n");
display_openssl_errors(__LINE__);
exit(1);
}
sig_len = sizeof(sig);
if (EVP_PKEY_sign(pkey_ctx, sig, &sig_len, md,
EVP_MD_size(digest_algo)) <= 0) {
display_openssl_errors(__LINE__);
exit(1);
}
EVP_PKEY_CTX_free(pkey_ctx);
printf("Signature created\n");
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
pkey_ctx = EVP_PKEY_CTX_new(public_key, e);
if (pkey_ctx == NULL) {
fprintf(stderr, "Could not create context\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_verify_init(pkey_ctx) <= 0) {
fprintf(stderr, "Could not init verify\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
fprintf(stderr, "Could not set padding\n");
display_openssl_errors(__LINE__);
exit(1);
}
if (EVP_PKEY_CTX_set_signature_md(pkey_ctx, digest_algo) <= 0) {
fprintf(stderr, "Could not set message digest algorithm\n");
display_openssl_errors(__LINE__);
exit(1);
}
ret = EVP_PKEY_verify(pkey_ctx, sig, sig_len, md, md_len);
if (ret < 0) {
display_openssl_errors(__LINE__);
exit(1);
}
EVP_PKEY_CTX_free(pkey_ctx);
if (ret == 1) {
printf("Signature verified\n");
}
else {
printf("Verification failed\n");
display_openssl_errors(__LINE__);
exit(1);
}
#else /* OPENSSL_VERSION_NUMBER >= 0x1000000fL */
printf("Unable to verify signature with %s\n", OPENSSL_VERSION_TEXT);
#endif /* OPENSSL_VERSION_NUMBER >= 0x1000000fL */
ENGINE_finish(e);
CONF_modules_unload(1);
return 0;
}
int
main(int argc, char *argv[])
{
ENGINE *e;
EVP_PKEY *pub_key;
FILE *fp;
char *engine = NULL;
char *pin = NULL;
char *keyname = NULL;
char *filename = NULL;
int c, errflg = 0;
extern char *optarg;
extern int optopt;
while ((c = getopt(argc, argv, ":e:p:k:f:")) != -1) {
switch (c) {
case 'e':
engine = optarg;
break;
case 'p':
pin = optarg;
break;
case 'k':
keyname = optarg;
break;
case 'f':
filename = optarg;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n", optopt);
errflg++;
}
}
if ((errflg) || (!engine) || (!filename) || (!keyname)) {
fprintf(stderr,
"usage: PEM_write_pubkey -e engine [-p pin] "
"-k keyname -f filename\n");
exit(1);
}
/* Load the config file */
OPENSSL_config(NULL);
/* Register engine */
e = ENGINE_by_id(engine);
if (!e) {
/* the engine isn't available */
printf("The engine isn't available\n");
ERR_print_errors_fp(stderr);
exit(1);
}
/* Send PIN to engine */
if (pin && !ENGINE_ctrl_cmd_string(e, "PIN", pin, 0)){
printf("Error sending PIN to engine\n");
ERR_print_errors_fp(stderr);
ENGINE_free(e);
exit(1);
}
if (!ENGINE_init(e)) {
/* the engine couldn't initialise, release 'e' */
printf("The engine couldn't initialise\n");
ERR_print_errors_fp(stderr);
ENGINE_free(e);
exit(1);
}
if (!ENGINE_register_RSA(e)){
/* This should only happen when 'e' can't initialise, but the previous
* statement suggests it did. */
printf("This should not happen\n");
ERR_print_errors_fp(stderr);
exit(1);
}
/* Load public key */
pub_key = ENGINE_load_public_key(e, keyname, NULL, NULL);
if (pub_key == NULL) {
/* No public key */
printf("Error loading public key\n");
ERR_print_errors_fp(stderr);
ENGINE_free(e);
exit(1);
}
/* write public key to file in PEM format */
fp = fopen(filename, "w");
if (fp == NULL) {
printf("Error opening output file.\n");
ENGINE_free(e);
exit(1);
}
if (!PEM_write_PUBKEY(fp, pub_key)) {
/* Error writing public key */
printf("Error writing public key");
ERR_print_errors_fp(stderr);
ENGINE_free(e);
exit(1);
}
fclose(fp);
exit(0);
}
