int main(int argc, char *argv[])
{
PKCS11_CTX *ctx=NULL;
PKCS11_SLOT *slots=NULL, *slot;
PKCS11_KEY *keys;
unsigned int nslots, nkeys;
char password[20];
int rc = 0;
if (argc < 2) {
fprintf(stderr,
"usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n",
argv[0]);
return 1;
}
ctx = PKCS11_CTX_new();
error_queue("PKCS11_CTX_new");
/* load pkcs #11 module */
rc = PKCS11_CTX_load(ctx, argv[1]);
error_queue("PKCS11_CTX_load");
CHECK_ERR(rc < 0, "loading pkcs11 engine failed", 1);
/* get information on all slots */
rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
error_queue("PKCS11_enumerate_slots");
CHECK_ERR(rc < 0, "no slots available", 2);
/* get first slot with a token */
slot = PKCS11_find_token(ctx, slots, nslots);
error_queue("PKCS11_find_token");
CHECK_ERR(!slot || !slot->token, "no token available", 3);
printf("Slot manufacturer......: %s\n", slot->manufacturer);
printf("Slot description.......: %s\n", slot->description);
printf("Slot token label.......: %s\n", slot->token->label);
printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
printf("Slot token model.......: %s\n", slot->token->model);
printf("Slot token serialnr....: %s\n", slot->token->serialnr);
/* get public keys */
rc = PKCS11_enumerate_public_keys(slot->token, &keys, &nkeys);
error_queue("PKCS11_enumerate_public_keys");
CHECK_ERR(rc < 0, "PKCS11_enumerate_public_keys failed", 4);
CHECK_ERR(nkeys == 0, "No public keys found", 5);
list_keys("Public keys", keys, nkeys);
if (slot->token->loginRequired && argc > 2) {
strcpy(password, argv[2]);
/* perform pkcs #11 login */
rc = PKCS11_login(slot, 0, password);
error_queue("PKCS11_login");
memset(password, 0, strlen(password));
CHECK_ERR(rc < 0, "PKCS11_login failed", 6);
}
/* get private keys */
rc = PKCS11_enumerate_keys(slot->token, &keys, &nkeys);
error_queue("PKCS11_enumerate_keys");
CHECK_ERR(rc < 0, "PKCS11_enumerate_keys failed", 7);
CHECK_ERR(nkeys == 0, "No private keys found", 8);
list_keys("Private keys", keys, nkeys);
end:
if (slots)
PKCS11_release_all_slots(ctx, slots, nslots);
if (ctx) {
PKCS11_CTX_unload(ctx);
PKCS11_CTX_free(ctx);
}
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
if (rc)
printf("Failed (error code %d).\n", rc);
else
printf("Success.\n");
return rc;
}
int main(int argc, char *argv[])
{
PKCS11_CTX *ctx;
PKCS11_SLOT *slots, *slot;
PKCS11_CERT *certs;
PKCS11_KEY *authkey;
PKCS11_CERT *authcert;
EVP_PKEY *pubkey = NULL;
unsigned char *random = NULL, *signature = NULL;
char password[20];
int rc = 0, fd;
unsigned int nslots, ncerts, siglen;
if (argc < 2) {
fprintf(stderr,
"usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n",
argv[0]);
return 1;
}
do_fork();
ctx = PKCS11_CTX_new();
error_queue("PKCS11_CTX_new");
/* load pkcs #11 module */
do_fork();
rc = PKCS11_CTX_load(ctx, argv[1]);
error_queue("PKCS11_CTX_load");
if (rc) {
fprintf(stderr, "loading pkcs11 engine failed: %s\n",
ERR_reason_error_string(ERR_get_error()));
rc = 1;
goto nolib;
}
/* get information on all slots */
do_fork();
rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
error_queue("PKCS11_enumerate_slots");
if (rc < 0) {
fprintf(stderr, "no slots available\n");
rc = 2;
goto noslots;
}
/* get first slot with a token */
do_fork();
slot = PKCS11_find_token(ctx, slots, nslots);
error_queue("PKCS11_find_token");
if (slot == NULL || slot->token == NULL) {
fprintf(stderr, "no token available\n");
rc = 3;
goto notoken;
}
printf("Slot manufacturer......: %s\n", slot->manufacturer);
printf("Slot description.......: %s\n", slot->description);
printf("Slot token label.......: %s\n", slot->token->label);
printf("Slot token manufacturer: %s\n", slot->token->manufacturer);
printf("Slot token model.......: %s\n", slot->token->model);
printf("Slot token serialnr....: %s\n", slot->token->serialnr);
if (!slot->token->loginRequired)
goto loggedin;
/* get password */
if (argc > 2) {
strcpy(password, argv[2]);
} else {
exit(1);
}
loggedin:
/* perform pkcs #11 login */
do_fork();
rc = PKCS11_login(slot, 0, password);
error_queue("PKCS11_login");
memset(password, 0, strlen(password));
if (rc != 0) {
fprintf(stderr, "PKCS11_login failed\n");
goto failed;
}
/* get all certs */
do_fork();
rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts);
error_queue("PKCS11_enumerate_certs");
if (rc) {
fprintf(stderr, "PKCS11_enumerate_certs failed\n");
goto failed;
}
if (ncerts <= 0) {
fprintf(stderr, "no certificates found\n");
goto failed;
}
/* use the first cert */
authcert=&certs[0];
/* get random bytes */
random = OPENSSL_malloc(RANDOM_SIZE);
if (random == NULL)
goto failed;
fd = open(RANDOM_SOURCE, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n",
strerror(errno));
goto failed;
}
rc = read(fd, random, RANDOM_SIZE);
if (rc < 0) {
fprintf(stderr, "fatal: read from random source failed: %s\n",
strerror(errno));
close(fd);
goto failed;
}
if (rc < RANDOM_SIZE) {
fprintf(stderr, "fatal: read returned less than %d<%d bytes\n",
rc, RANDOM_SIZE);
close(fd);
goto failed;
}
close(fd);
do_fork();
authkey = PKCS11_find_key(authcert);
error_queue("PKCS11_find_key");
if (authkey == NULL) {
fprintf(stderr, "no key matching certificate available\n");
goto failed;
}
/* ask for a sha1 hash of the random data, signed by the key */
siglen = MAX_SIGSIZE;
signature = OPENSSL_malloc(MAX_SIGSIZE);
if (signature == NULL)
goto failed;
/* do the operations in child */
do_fork();
rc = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen,
authkey);
error_queue("PKCS11_sign");
if (rc != 1) {
fprintf(stderr, "fatal: pkcs11_sign failed\n");
goto failed;
}
/* verify the signature */
pubkey = X509_get_pubkey(authcert->x509);
if (pubkey == NULL) {
fprintf(stderr, "could not extract public key\n");
goto failed;
}
/* now verify the result */
rc = RSA_verify(NID_sha1, random, RANDOM_SIZE,
signature, siglen, pubkey->pkey.rsa);
if (rc != 1) {
fprintf(stderr, "fatal: RSA_verify failed\n");
goto failed;
}
if (pubkey != NULL)
EVP_PKEY_free(pubkey);
if (random != NULL)
OPENSSL_free(random);
if (signature != NULL)
OPENSSL_free(signature);
PKCS11_release_all_slots(ctx, slots, nslots);
PKCS11_CTX_unload(ctx);
PKCS11_CTX_free(ctx);
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
printf("authentication successfull.\n");
return 0;
failed:
notoken:
PKCS11_release_all_slots(ctx, slots, nslots);
noslots:
PKCS11_CTX_unload(ctx);
nolib:
PKCS11_CTX_free(ctx);
printf("authentication failed.\n");
return 1;
}
int main(int argc, char *argv[])
{
const EVP_MD *digest_algo = NULL;
EVP_PKEY *pkey = NULL;
EVP_MD_CTX *md_ctx = NULL;
ENGINE *engine = NULL;
unsigned char random[RANDOM_SIZE], signature[MAX_SIGSIZE];
unsigned int siglen = MAX_SIGSIZE;
int ret, num_processes = 2;
pid_t pid;
int rv = 1;
/* Check arguments */
if (argc < 2) {
fprintf(stderr, "Missing required arguments\n");
usage(argv[0]);
goto failed;
}
if (argc > 4) {
fprintf(stderr, "Too many arguments\n");
usage(argv[0]);
goto failed;
}
/* Check PKCS#11 URL */
if (strncmp(argv[1], "pkcs11:", 7)) {
fprintf(stderr, "fatal: invalid PKCS#11 URL\n");
usage(argv[0]);
goto failed;
}
pid = getpid();
printf("pid %d is the parent\n", pid);
/* Load configuration file, if provided */
if (argc >= 3) {
ret = CONF_modules_load_file(argv[2], "engines", 0);
if (ret <= 0) {
fprintf(stderr, "cannot load %s\n", argv[2]);
error_queue("CONF_modules_load_file", pid);
goto failed;
}
ENGINE_add_conf_module();
}
ENGINE_add_conf_module();
#if OPENSSL_VERSION_NUMBER>=0x10100000
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
| OPENSSL_INIT_ADD_ALL_DIGESTS \
| OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
#endif
ERR_clear_error();
ENGINE_load_builtin_engines();
/* Get structural reference */
engine = ENGINE_by_id("pkcs11");
if (engine == NULL) {
fprintf(stderr, "fatal: engine \"pkcs11\" not available\n");
error_queue("ENGINE_by_id", pid);
goto failed;
}
/* Set the used */
if (argc >= 4) {
ENGINE_ctrl_cmd(engine, "MODULE_PATH", 0, argv[3], NULL, 1);
}
/* Initialize to get the engine functional reference */
if (ENGINE_init(engine)) {
pkey = ENGINE_load_private_key(engine, argv[1], 0, 0);
if (pkey == NULL) {
error_queue("ENGINE_load_private_key", pid);
goto failed;
}
ENGINE_free(engine);
engine = NULL;
}
else {
error_queue("ENGINE_init", pid);
goto failed;
}
/* Spawn processes and check child return */
if (spawn_processes(num_processes)) {
goto failed;
}
pid = getpid();
/* Generate random data */
if (!RAND_bytes(random, RANDOM_SIZE)){
error_queue("RAND_bytes", pid);
goto failed;
}
/* Create context to sign the random data */
digest_algo = EVP_get_digestbyname("sha256");
md_ctx = EVP_MD_CTX_create();
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
error_queue("EVP_DigestInit", pid);
goto failed;
}
EVP_SignInit(md_ctx, digest_algo);
if (EVP_SignUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
error_queue("EVP_SignUpdate", pid);
goto failed;
}
if (EVP_SignFinal(md_ctx, signature, &siglen, pkey) <= 0) {
error_queue("EVP_SignFinal", pid);
goto failed;
}
EVP_MD_CTX_destroy(md_ctx);
printf("pid %d: %u-byte signature created\n", pid, siglen);
/* Now verify the result */
md_ctx = EVP_MD_CTX_create();
if (EVP_DigestInit(md_ctx, digest_algo) <= 0) {
error_queue("EVP_DigestInit", pid);
goto failed;
}
EVP_VerifyInit(md_ctx, digest_algo);
if (EVP_VerifyUpdate(md_ctx, random, RANDOM_SIZE) <= 0) {
error_queue("EVP_VerifyUpdate", pid);
goto failed;
}
if (EVP_VerifyFinal(md_ctx, signature, siglen, pkey) <= 0) {
error_queue("EVP_VerifyFinal", pid);
goto failed;
}
printf("pid %d: Signature matched\n", pid);
rv = 0;
failed:
if (md_ctx != NULL)
EVP_MD_CTX_destroy(md_ctx);
if (pkey != NULL)
EVP_PKEY_free(pkey);
if (engine != NULL)
ENGINE_free(engine);
return rv;
}
