1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 2006. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). 55 * 56 */ 57 58 59 #include "apps.h" 60 #include <string.h> 61 #include <openssl/err.h> 62 #include <openssl/pem.h> 63 #include <openssl/evp.h> 64 65 #define KEY_PRIVKEY 1 66 #define KEY_PUBKEY 2 67 #define KEY_CERT 3 68 69 static void usage(void); 70 71 #undef PROG 72 73 #define PROG pkeyutl_main 74 75 static EVP_PKEY_CTX *init_ctx(int *pkeysize, 76 char *keyfile, int keyform, int key_type, 77 char *passargin, int pkey_op, ENGINE *e); 78 79 static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, 80 const char *file); 81 82 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, 83 unsigned char *out, size_t *poutlen, 84 unsigned char *in, size_t inlen); 85 86 int MAIN(int argc, char **); 87 88 int MAIN(int argc, char **argv) 89 { 90 BIO *in = NULL, *out = NULL; 91 char *infile = NULL, *outfile = NULL, *sigfile = NULL; 92 ENGINE *e = NULL; 93 int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; 94 int keyform = FORMAT_PEM, peerform = FORMAT_PEM; 95 char badarg = 0, rev = 0; 96 char hexdump = 0, asn1parse = 0; 97 EVP_PKEY_CTX *ctx = NULL; 98 char *passargin = NULL; 99 int keysize = -1; 100 101 unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; 102 size_t buf_outlen; 103 int buf_inlen = 0, siglen = -1; 104 105 int ret = 1, rv = -1; 106 107 argc--; 108 argv++; 109 110 if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); 111 112 if (!load_config(bio_err, NULL)) 113 goto end; 114 ERR_load_crypto_strings(); 115 OpenSSL_add_all_algorithms(); 116 117 while(argc >= 1) 118 { 119 if (!strcmp(*argv,"-in")) 120 { 121 if (--argc < 1) badarg = 1; 122 else infile= *(++argv); 123 } 124 else if (!strcmp(*argv,"-out")) 125 { 126 if (--argc < 1) badarg = 1; 127 else outfile= *(++argv); 128 } 129 else if (!strcmp(*argv,"-sigfile")) 130 { 131 if (--argc < 1) badarg = 1; 132 else sigfile= *(++argv); 133 } 134 else if(!strcmp(*argv, "-inkey")) 135 { 136 if (--argc < 1) 137 badarg = 1; 138 else 139 { 140 ctx = init_ctx(&keysize, 141 *(++argv), keyform, key_type, 142 passargin, pkey_op, e); 143 if (!ctx) 144 { 145 BIO_puts(bio_err, 146 "Error initializing context\n"); 147 ERR_print_errors(bio_err); 148 badarg = 1; 149 } 150 } 151 } 152 else if (!strcmp(*argv,"-peerkey")) 153 { 154 if (--argc < 1) 155 badarg = 1; 156 else if (!setup_peer(bio_err, ctx, peerform, *(++argv))) 157 badarg = 1; 158 } 159 else if (!strcmp(*argv,"-passin")) 160 { 161 if (--argc < 1) badarg = 1; 162 else passargin= *(++argv); 163 } 164 else if (strcmp(*argv,"-peerform") == 0) 165 { 166 if (--argc < 1) badarg = 1; 167 else peerform=str2fmt(*(++argv)); 168 } 169 else if (strcmp(*argv,"-keyform") == 0) 170 { 171 if (--argc < 1) badarg = 1; 172 else keyform=str2fmt(*(++argv)); 173 } 174 #ifndef OPENSSL_NO_ENGINE 175 else if(!strcmp(*argv, "-engine")) 176 { 177 if (--argc < 1) 178 badarg = 1; 179 else 180 e = setup_engine(bio_err, *(++argv), 0); 181 } 182 #endif 183 else if(!strcmp(*argv, "-pubin")) 184 key_type = KEY_PUBKEY; 185 else if(!strcmp(*argv, "-certin")) 186 key_type = KEY_CERT; 187 else if(!strcmp(*argv, "-asn1parse")) 188 asn1parse = 1; 189 else if(!strcmp(*argv, "-hexdump")) 190 hexdump = 1; 191 else if(!strcmp(*argv, "-sign")) 192 pkey_op = EVP_PKEY_OP_SIGN; 193 else if(!strcmp(*argv, "-verify")) 194 pkey_op = EVP_PKEY_OP_VERIFY; 195 else if(!strcmp(*argv, "-verifyrecover")) 196 pkey_op = EVP_PKEY_OP_VERIFYRECOVER; 197 else if(!strcmp(*argv, "-rev")) 198 rev = 1; 199 else if(!strcmp(*argv, "-encrypt")) 200 pkey_op = EVP_PKEY_OP_ENCRYPT; 201 else if(!strcmp(*argv, "-decrypt")) 202 pkey_op = EVP_PKEY_OP_DECRYPT; 203 else if(!strcmp(*argv, "-derive")) 204 pkey_op = EVP_PKEY_OP_DERIVE; 205 else if (strcmp(*argv,"-pkeyopt") == 0) 206 { 207 if (--argc < 1) 208 badarg = 1; 209 else if (!ctx) 210 { 211 BIO_puts(bio_err, 212 "-pkeyopt command before -inkey\n"); 213 badarg = 1; 214 } 215 else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) 216 { 217 BIO_puts(bio_err, "parameter setting error\n"); 218 ERR_print_errors(bio_err); 219 goto end; 220 } 221 } 222 else badarg = 1; 223 if(badarg) 224 { 225 usage(); 226 goto end; 227 } 228 argc--; 229 argv++; 230 } 231 232 if (!ctx) 233 { 234 usage(); 235 goto end; 236 } 237 238 if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) 239 { 240 BIO_puts(bio_err, "Signature file specified for non verify\n"); 241 goto end; 242 } 243 244 if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) 245 { 246 BIO_puts(bio_err, "No signature file specified for verify\n"); 247 goto end; 248 } 249 250 /* FIXME: seed PRNG only if needed */ 251 app_RAND_load_file(NULL, bio_err, 0); 252 253 if (pkey_op != EVP_PKEY_OP_DERIVE) 254 { 255 if(infile) 256 { 257 if(!(in = BIO_new_file(infile, "rb"))) 258 { 259 BIO_puts(bio_err, 260 "Error Opening Input File\n"); 261 ERR_print_errors(bio_err); 262 goto end; 263 } 264 } 265 else 266 in = BIO_new_fp(stdin, BIO_NOCLOSE); 267 } 268 269 if(outfile) 270 { 271 if(!(out = BIO_new_file(outfile, "wb"))) 272 { 273 BIO_printf(bio_err, "Error Creating Output File\n"); 274 ERR_print_errors(bio_err); 275 goto end; 276 } 277 } 278 else 279 { 280 out = BIO_new_fp(stdout, BIO_NOCLOSE); 281 #ifdef OPENSSL_SYS_VMS 282 { 283 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 284 out = BIO_push(tmpbio, out); 285 } 286 #endif 287 } 288 289 if (sigfile) 290 { 291 BIO *sigbio = BIO_new_file(sigfile, "rb"); 292 if (!sigbio) 293 { 294 BIO_printf(bio_err, "Can't open signature file %s\n", 295 sigfile); 296 goto end; 297 } 298 siglen = bio_to_mem(&sig, keysize * 10, sigbio); 299 BIO_free(sigbio); 300 if (siglen <= 0) 301 { 302 BIO_printf(bio_err, "Error reading signature data\n"); 303 goto end; 304 } 305 } 306 307 if (in) 308 { 309 /* Read the input data */ 310 buf_inlen = bio_to_mem(&buf_in, keysize * 10, in); 311 if(buf_inlen <= 0) 312 { 313 BIO_printf(bio_err, "Error reading input Data\n"); 314 exit(1); 315 } 316 if(rev) 317 { 318 size_t i; 319 unsigned char ctmp; 320 size_t l = (size_t)buf_inlen; 321 for(i = 0; i < l/2; i++) 322 { 323 ctmp = buf_in[i]; 324 buf_in[i] = buf_in[l - 1 - i]; 325 buf_in[l - 1 - i] = ctmp; 326 } 327 } 328 } 329 330 if(pkey_op == EVP_PKEY_OP_VERIFY) 331 { 332 rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, 333 buf_in, (size_t)buf_inlen); 334 if (rv == 0) 335 BIO_puts(out, "Signature Verification Failure\n"); 336 else if (rv == 1) 337 BIO_puts(out, "Signature Verified Successfully\n"); 338 if (rv >= 0) 339 goto end; 340 } 341 else 342 { 343 rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, 344 buf_in, (size_t)buf_inlen); 345 if (rv > 0) 346 { 347 buf_out = OPENSSL_malloc(buf_outlen); 348 if (!buf_out) 349 rv = -1; 350 else 351 rv = do_keyop(ctx, pkey_op, 352 buf_out, (size_t *)&buf_outlen, 353 buf_in, (size_t)buf_inlen); 354 } 355 } 356 357 if(rv <= 0) 358 { 359 BIO_printf(bio_err, "Public Key operation error\n"); 360 ERR_print_errors(bio_err); 361 goto end; 362 } 363 ret = 0; 364 if(asn1parse) 365 { 366 if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) 367 ERR_print_errors(bio_err); 368 } 369 else if(hexdump) 370 BIO_dump(out, (char *)buf_out, buf_outlen); 371 else 372 BIO_write(out, buf_out, buf_outlen); 373 374 end: 375 if (ctx) 376 EVP_PKEY_CTX_free(ctx); 377 BIO_free(in); 378 BIO_free_all(out); 379 if (buf_in) 380 OPENSSL_free(buf_in); 381 if (buf_out) 382 OPENSSL_free(buf_out); 383 if (sig) 384 OPENSSL_free(sig); 385 return ret; 386 } 387 388 static void usage() 389 { 390 BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); 391 BIO_printf(bio_err, "-in file input file\n"); 392 BIO_printf(bio_err, "-out file output file\n"); 393 BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n"); 394 BIO_printf(bio_err, "-inkey file input key\n"); 395 BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); 396 BIO_printf(bio_err, "-pubin input is a public key\n"); 397 BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n"); 398 BIO_printf(bio_err, "-pkeyopt X:Y public key options\n"); 399 BIO_printf(bio_err, "-sign sign with private key\n"); 400 BIO_printf(bio_err, "-verify verify with public key\n"); 401 BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n"); 402 BIO_printf(bio_err, "-encrypt encrypt with public key\n"); 403 BIO_printf(bio_err, "-decrypt decrypt with private key\n"); 404 BIO_printf(bio_err, "-derive derive shared secret\n"); 405 BIO_printf(bio_err, "-hexdump hex dump output\n"); 406 #ifndef OPENSSL_NO_ENGINE 407 BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); 408 #endif 409 BIO_printf(bio_err, "-passin arg pass phrase source\n"); 410 411 } 412 413 static EVP_PKEY_CTX *init_ctx(int *pkeysize, 414 char *keyfile, int keyform, int key_type, 415 char *passargin, int pkey_op, ENGINE *e) 416 { 417 EVP_PKEY *pkey = NULL; 418 EVP_PKEY_CTX *ctx = NULL; 419 char *passin = NULL; 420 int rv = -1; 421 X509 *x; 422 if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) 423 || (pkey_op == EVP_PKEY_OP_DERIVE)) 424 && (key_type != KEY_PRIVKEY)) 425 { 426 BIO_printf(bio_err, "A private key is needed for this operation\n"); 427 goto end; 428 } 429 if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) 430 { 431 BIO_printf(bio_err, "Error getting password\n"); 432 goto end; 433 } 434 switch(key_type) 435 { 436 case KEY_PRIVKEY: 437 pkey = load_key(bio_err, keyfile, keyform, 0, 438 passin, e, "Private Key"); 439 break; 440 441 case KEY_PUBKEY: 442 pkey = load_pubkey(bio_err, keyfile, keyform, 0, 443 NULL, e, "Public Key"); 444 break; 445 446 case KEY_CERT: 447 x = load_cert(bio_err, keyfile, keyform, 448 NULL, e, "Certificate"); 449 if(x) 450 { 451 pkey = X509_get_pubkey(x); 452 X509_free(x); 453 } 454 break; 455 456 } 457 458 *pkeysize = EVP_PKEY_size(pkey); 459 460 if (!pkey) 461 goto end; 462 463 ctx = EVP_PKEY_CTX_new(pkey, e); 464 465 EVP_PKEY_free(pkey); 466 467 if (!ctx) 468 goto end; 469 470 switch(pkey_op) 471 { 472 case EVP_PKEY_OP_SIGN: 473 rv = EVP_PKEY_sign_init(ctx); 474 break; 475 476 case EVP_PKEY_OP_VERIFY: 477 rv = EVP_PKEY_verify_init(ctx); 478 break; 479 480 case EVP_PKEY_OP_VERIFYRECOVER: 481 rv = EVP_PKEY_verify_recover_init(ctx); 482 break; 483 484 case EVP_PKEY_OP_ENCRYPT: 485 rv = EVP_PKEY_encrypt_init(ctx); 486 break; 487 488 case EVP_PKEY_OP_DECRYPT: 489 rv = EVP_PKEY_decrypt_init(ctx); 490 break; 491 492 case EVP_PKEY_OP_DERIVE: 493 rv = EVP_PKEY_derive_init(ctx); 494 break; 495 } 496 497 if (rv <= 0) 498 { 499 EVP_PKEY_CTX_free(ctx); 500 ctx = NULL; 501 } 502 503 end: 504 505 if (passin) 506 OPENSSL_free(passin); 507 508 return ctx; 509 510 511 } 512 513 static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, 514 const char *file) 515 { 516 EVP_PKEY *peer = NULL; 517 int ret; 518 if (!ctx) 519 { 520 BIO_puts(err, "-peerkey command before -inkey\n"); 521 return 0; 522 } 523 524 peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key"); 525 526 if (!peer) 527 { 528 BIO_printf(bio_err, "Error reading peer key %s\n", file); 529 ERR_print_errors(err); 530 return 0; 531 } 532 533 ret = EVP_PKEY_derive_set_peer(ctx, peer); 534 535 EVP_PKEY_free(peer); 536 if (ret <= 0) 537 ERR_print_errors(err); 538 return ret; 539 } 540 541 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, 542 unsigned char *out, size_t *poutlen, 543 unsigned char *in, size_t inlen) 544 { 545 int rv = 0; 546 switch(pkey_op) 547 { 548 case EVP_PKEY_OP_VERIFYRECOVER: 549 rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen); 550 break; 551 552 case EVP_PKEY_OP_SIGN: 553 rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen); 554 break; 555 556 case EVP_PKEY_OP_ENCRYPT: 557 rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen); 558 break; 559 560 case EVP_PKEY_OP_DECRYPT: 561 rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen); 562 break; 563 564 case EVP_PKEY_OP_DERIVE: 565 rv = EVP_PKEY_derive(ctx, out, poutlen); 566 break; 567 568 } 569 return rv; 570 } 571
