nbsvtool.c revision 1.1
1 1.1 joerg /* $NetBSD: nbsvtool.c,v 1.1 2008/05/11 17:58:09 joerg Exp $ */ 2 1.1 joerg 3 1.1 joerg /*- 4 1.1 joerg * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc. 5 1.1 joerg * All rights reserved. 6 1.1 joerg * 7 1.1 joerg * This code is derived from software contributed to The NetBSD Foundation 8 1.1 joerg * by Love Hrnquist strand <lha (at) it.su.se> 9 1.1 joerg * 10 1.1 joerg * Redistribution and use in source and binary forms, with or without 11 1.1 joerg * modification, are permitted provided that the following conditions 12 1.1 joerg * are met: 13 1.1 joerg * 1. Redistributions of source code must retain the above copyright 14 1.1 joerg * notice, this list of conditions and the following disclaimer. 15 1.1 joerg * 2. Redistributions in binary form must reproduce the above copyright 16 1.1 joerg * notice, this list of conditions and the following disclaimer in the 17 1.1 joerg * documentation and/or other materials provided with the distribution. 18 1.1 joerg * 19 1.1 joerg * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 1.1 joerg * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 1.1 joerg * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 1.1 joerg * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 1.1 joerg * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 1.1 joerg * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 1.1 joerg * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 1.1 joerg * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 1.1 joerg * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 1.1 joerg * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 1.1 joerg * POSSIBILITY OF SUCH DAMAGE. 30 1.1 joerg */ 31 1.1 joerg 32 1.1 joerg #include <err.h> 33 1.1 joerg #include <stdio.h> 34 1.1 joerg #include <stdlib.h> 35 1.1 joerg #include <string.h> 36 1.1 joerg #include <unistd.h> 37 1.1 joerg 38 1.1 joerg #include <openssl/pkcs7.h> 39 1.1 joerg #include <openssl/evp.h> 40 1.1 joerg #include <openssl/x509.h> 41 1.1 joerg #include <openssl/x509v3.h> 42 1.1 joerg #include <openssl/pem.h> 43 1.1 joerg #include <openssl/err.h> 44 1.1 joerg #include <openssl/ui.h> 45 1.1 joerg 46 1.1 joerg static int verbose_flag; 47 1.1 joerg static unsigned long key_usage = 0; 48 1.1 joerg 49 1.1 joerg /* 50 1.1 joerg * openssl command line equivalents 51 1.1 joerg * 52 1.1 joerg * openssl smime -verify \ 53 1.1 joerg * -inform PEM -in nbsvtool.c.sig -content nbsvtool.c \ 54 1.1 joerg * -CAfile /secure/lha/su/CA/swupki-pca.crt -out /dev/null 55 1.1 joerg * openssl smime -sign \ 56 1.1 joerg * -noattr -binary -outform PEM -out nbsvtool.c.sig \ 57 1.1 joerg * -in nbsvtool.c -signer /secure/lha/su/CA/lha.crt \ 58 1.1 joerg * -certfile /secure/lha/su/CA/lha-chain \ 59 1.1 joerg * -inkey /secure/lha/su/CA/lha.key 60 1.1 joerg */ 61 1.1 joerg 62 1.1 joerg /* 63 1.1 joerg * Create a detach PEM signature of file `infile' and store it in 64 1.1 joerg * `outfile'. The signer certificate `cert' and private key 65 1.1 joerg * `private_key' must be given. An additional hint to the verifier how 66 1.1 joerg * to find the path from the `cert' to the x509 anchor can be passed 67 1.1 joerg * in `cert_chain'. 68 1.1 joerg */ 69 1.1 joerg 70 1.1 joerg static void 71 1.1 joerg sign_file(X509 *cert, EVP_PKEY *private_key, STACK_OF(X509) *cert_chain, 72 1.1 joerg const char *infile, const char *outfile) 73 1.1 joerg { 74 1.1 joerg BIO *out, *in; 75 1.1 joerg PKCS7 *p7; 76 1.1 joerg 77 1.1 joerg out = BIO_new_file(outfile, "w"); 78 1.1 joerg if (out == NULL) 79 1.1 joerg err(EXIT_FAILURE, "Failed to open signature output file: %s", 80 1.1 joerg outfile); 81 1.1 joerg 82 1.1 joerg in = BIO_new_file(infile, "r"); 83 1.1 joerg if (in == NULL) 84 1.1 joerg err(EXIT_FAILURE, "Failed to input file: %s", infile); 85 1.1 joerg 86 1.1 joerg p7 = PKCS7_sign(cert, private_key, cert_chain, in, 87 1.1 joerg PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY); 88 1.1 joerg if (p7 == NULL) 89 1.1 joerg errx(EXIT_FAILURE, "Failed to create signature structure"); 90 1.1 joerg 91 1.1 joerg PEM_write_bio_PKCS7(out, p7); 92 1.1 joerg 93 1.1 joerg PKCS7_free(p7); 94 1.1 joerg BIO_free(in); 95 1.1 joerg BIO_free_all(out); 96 1.1 joerg } 97 1.1 joerg 98 1.1 joerg /* 99 1.1 joerg * Verifies a detached PEM signature in the file `sigfile' of file 100 1.1 joerg * `infile'. The trust anchor file `anchor' to the trust anchors must 101 1.1 joerg * be given. If its suspended that the sender didn't inlude the whole 102 1.1 joerg * path from the signing certificate to the given trust anchor, extra 103 1.1 joerg * certificates can be passed in `cert_chain'. 104 1.1 joerg */ 105 1.1 joerg 106 1.1 joerg static void 107 1.1 joerg verify_file(STACK_OF(X509) *cert_chain, const char *anchor, 108 1.1 joerg const char *infile, const char *sigfile) 109 1.1 joerg { 110 1.1 joerg STACK_OF(X509) *signers; 111 1.1 joerg X509_STORE *store; 112 1.1 joerg BIO *sig, *in; 113 1.1 joerg PKCS7 *p7; 114 1.1 joerg int ret, i; 115 1.1 joerg 116 1.1 joerg store = X509_STORE_new(); 117 1.1 joerg if (store == NULL) 118 1.1 joerg err(1, "Failed to create store"); 119 1.1 joerg 120 1.1 joerg X509_STORE_load_locations(store, anchor, NULL); 121 1.1 joerg 122 1.1 joerg in = BIO_new_file(infile, "r"); 123 1.1 joerg if (in == NULL) 124 1.1 joerg err(EXIT_FAILURE, "Failed to open input data file: %s", infile); 125 1.1 joerg 126 1.1 joerg sig = BIO_new_file(sigfile, "r"); 127 1.1 joerg if (sig == NULL) 128 1.1 joerg err(EXIT_FAILURE, "Failed to open signature input file: %s", 129 1.1 joerg sigfile); 130 1.1 joerg 131 1.1 joerg p7 = PEM_read_bio_PKCS7(sig, NULL, NULL, NULL); 132 1.1 joerg if (p7 == NULL) 133 1.1 joerg errx(EXIT_FAILURE, "Failed to parse the signature file %s", 134 1.1 joerg sigfile); 135 1.1 joerg 136 1.1 joerg ret = PKCS7_verify(p7, cert_chain, store, in, NULL, 0); 137 1.1 joerg if (ret != 1) 138 1.1 joerg errx(EXIT_FAILURE, "Failed to verify signature"); 139 1.1 joerg 140 1.1 joerg signers = PKCS7_get0_signers(p7, NULL, 0); 141 1.1 joerg if (signers == NULL) 142 1.1 joerg errx(EXIT_FAILURE, "Failed to get signers"); 143 1.1 joerg 144 1.1 joerg if (sk_X509_num(signers) == 0) 145 1.1 joerg errx(EXIT_FAILURE, "No signers ?"); 146 1.1 joerg 147 1.1 joerg if (verbose_flag) 148 1.1 joerg printf("Sigature ok, signed by:\n"); 149 1.1 joerg 150 1.1 joerg for (i = 0; i < sk_X509_num(signers); i++) { 151 1.1 joerg X509_NAME *name; 152 1.1 joerg char *subject; 153 1.1 joerg name = X509_get_subject_name(sk_X509_value(signers, i)); 154 1.1 joerg subject = X509_NAME_oneline(name, NULL, 0); 155 1.1 joerg 156 1.1 joerg if (key_usage != 0 && 157 1.1 joerg (sk_X509_value(signers, i)->ex_xkusage & key_usage) == 0) 158 1.1 joerg errx(EXIT_FAILURE, 159 1.1 joerg "Key doesn't match required key usage: %s", 160 1.1 joerg subject); 161 1.1 joerg 162 1.1 joerg if (verbose_flag) 163 1.1 joerg printf("\t%s\n", subject); 164 1.1 joerg 165 1.1 joerg OPENSSL_free(subject); 166 1.1 joerg } 167 1.1 joerg 168 1.1 joerg PKCS7_free(p7); 169 1.1 joerg BIO_free(in); 170 1.1 joerg BIO_free(sig); 171 1.1 joerg } 172 1.1 joerg 173 1.1 joerg /* 174 1.1 joerg * Parse and return a list PEM encoded certificates in the file 175 1.1 joerg * `file'. In case of error or an empty file, and error text will be 176 1.1 joerg * printed and the function will exit(3). 177 1.1 joerg */ 178 1.1 joerg 179 1.1 joerg static STACK_OF(X509) * 180 1.1 joerg file_to_certs(const char *file) 181 1.1 joerg { 182 1.1 joerg STACK_OF(X509) *certs; 183 1.1 joerg FILE *f; 184 1.1 joerg 185 1.1 joerg f = fopen(file, "r"); 186 1.1 joerg if (f == NULL) 187 1.1 joerg err(EXIT_FAILURE, "Cannot open certificate file %s", file); 188 1.1 joerg certs = sk_X509_new_null(); 189 1.1 joerg while (1) { 190 1.1 joerg X509 *cert; 191 1.1 joerg 192 1.1 joerg cert = PEM_read_X509(f, NULL, NULL, NULL); 193 1.1 joerg if (cert == NULL) { 194 1.1 joerg unsigned long ret; 195 1.1 joerg 196 1.1 joerg ret = ERR_GET_REASON(ERR_peek_error()); 197 1.1 joerg if (ret == PEM_R_NO_START_LINE) { 198 1.1 joerg /* End of file reached. no error */ 199 1.1 joerg ERR_clear_error(); 200 1.1 joerg break; 201 1.1 joerg } 202 1.1 joerg errx(EXIT_FAILURE, "Can't read certificate file %s", 203 1.1 joerg file); 204 1.1 joerg } 205 1.1 joerg sk_X509_insert(certs, cert, sk_X509_num(certs)); 206 1.1 joerg } 207 1.1 joerg fclose(f); 208 1.1 joerg if (sk_X509_num(certs) == 0) 209 1.1 joerg errx(EXIT_FAILURE, "No certificate found file %s", file); 210 1.1 joerg 211 1.1 joerg return certs; 212 1.1 joerg } 213 1.1 joerg 214 1.1 joerg static int 215 1.1 joerg ssl_pass_cb(char *buf, int size, int rwflag, void *u) 216 1.1 joerg { 217 1.1 joerg 218 1.1 joerg if (UI_UTIL_read_pw_string(buf, size, "Passphrase: ", 0)) 219 1.1 joerg return 0; 220 1.1 joerg return strlen(buf); 221 1.1 joerg } 222 1.1 joerg 223 1.1 joerg static struct { 224 1.1 joerg X509 *certificate; 225 1.1 joerg STACK_OF(X509) *cert_chain; 226 1.1 joerg EVP_PKEY *private_key; 227 1.1 joerg } crypto_state; 228 1.1 joerg 229 1.1 joerg /* 230 1.1 joerg * Load the certificate file `cert_file' with the associated private 231 1.1 joerg * key file `key_file'. The private key is checked to make sure it 232 1.1 joerg * matches the certificate. The optional hints for the path to the CA 233 1.1 joerg * is stored in `chain_file'. 234 1.1 joerg */ 235 1.1 joerg 236 1.1 joerg static void 237 1.1 joerg load_keys(const char *cert_file, const char *chain_file, const char *key_file) 238 1.1 joerg { 239 1.1 joerg STACK_OF(X509) *c; 240 1.1 joerg FILE *f; 241 1.1 joerg int ret; 242 1.1 joerg 243 1.1 joerg if (cert_file == NULL) 244 1.1 joerg errx(EXIT_FAILURE, "No certificate file given"); 245 1.1 joerg if (key_file == NULL) 246 1.1 joerg errx(EXIT_FAILURE, "No private key file given"); 247 1.1 joerg 248 1.1 joerg c = file_to_certs(cert_file); 249 1.1 joerg 250 1.1 joerg if (sk_X509_num(c) != 1) 251 1.1 joerg errx(EXIT_FAILURE, 252 1.1 joerg "More then one certificate in the certificate file"); 253 1.1 joerg crypto_state.certificate = sk_X509_value(c, 0); 254 1.1 joerg 255 1.1 joerg if (chain_file) 256 1.1 joerg crypto_state.cert_chain = file_to_certs(chain_file); 257 1.1 joerg 258 1.1 joerg /* load private key */ 259 1.1 joerg f = fopen(key_file, "r"); 260 1.1 joerg if (f == NULL) 261 1.1 joerg errx(1, "Failed to open private key file %s", key_file); 262 1.1 joerg 263 1.1 joerg crypto_state.private_key = 264 1.1 joerg PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL); 265 1.1 joerg fclose(f); 266 1.1 joerg if (crypto_state.private_key == NULL) 267 1.1 joerg errx(EXIT_FAILURE, "Can't read private key %s", key_file); 268 1.1 joerg 269 1.1 joerg ret = X509_check_private_key(crypto_state.certificate, 270 1.1 joerg crypto_state.private_key); 271 1.1 joerg if (ret != 1) 272 1.1 joerg errx(EXIT_FAILURE, 273 1.1 joerg "The private key %s doesn't match the certificate %s", 274 1.1 joerg key_file, cert_file); 275 1.1 joerg } 276 1.1 joerg 277 1.1 joerg static void __dead 278 1.1 joerg usage(int exit_code) 279 1.1 joerg { 280 1.1 joerg 281 1.1 joerg printf("%s usage\n", getprogname()); 282 1.1 joerg printf("%s -k keyfile -c cert-chain [-f cert-chain] sign file\n", 283 1.1 joerg getprogname()); 284 1.1 joerg printf("%s [-u code|...] [-a x509-anchor-file] verify filename.sp7\n", 285 1.1 joerg getprogname()); 286 1.1 joerg printf("%s [-u code|...] [-a x509-anchor-file] verify filename otherfilename.sp7\n", 287 1.1 joerg getprogname()); 288 1.1 joerg printf("%s [-u code|...] [-a x509-anchor-file] verify-code file ...\n", 289 1.1 joerg getprogname()); 290 1.1 joerg exit(exit_code); 291 1.1 joerg } 292 1.1 joerg 293 1.1 joerg int 294 1.1 joerg main(int argc, char **argv) 295 1.1 joerg { 296 1.1 joerg const char *anchors = NULL; 297 1.1 joerg const char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; 298 1.1 joerg const char *file; 299 1.1 joerg char *sigfile; 300 1.1 joerg int ch; 301 1.1 joerg 302 1.1 joerg setprogname(argv[0]); 303 1.1 joerg 304 1.1 joerg OpenSSL_add_all_algorithms(); 305 1.1 joerg ERR_load_crypto_strings(); 306 1.1 joerg 307 1.1 joerg while ((ch = getopt(argc, argv, "a:c:f:hk:u:v")) != -1) { 308 1.1 joerg switch (ch) { 309 1.1 joerg case 'a': 310 1.1 joerg anchors = optarg; 311 1.1 joerg break; 312 1.1 joerg case 'f': 313 1.1 joerg chain_file = optarg; 314 1.1 joerg break; 315 1.1 joerg case 'k': 316 1.1 joerg key_file = optarg; 317 1.1 joerg break; 318 1.1 joerg case 'c': 319 1.1 joerg cert_file = optarg; 320 1.1 joerg break; 321 1.1 joerg case 'u': 322 1.1 joerg if (strcmp("ssl-server", optarg) == 0) 323 1.1 joerg key_usage |= XKU_SSL_SERVER; 324 1.1 joerg else if (strcmp("ssl-client", optarg) == 0) 325 1.1 joerg key_usage |= XKU_SSL_CLIENT; 326 1.1 joerg else if (strcmp("code", optarg) == 0) 327 1.1 joerg key_usage |= XKU_CODE_SIGN; 328 1.1 joerg else if (strcmp("smime", optarg) == 0) 329 1.1 joerg key_usage |= XKU_SMIME; 330 1.1 joerg else 331 1.1 joerg errx(1, "Unknown keyusage: %s", optarg); 332 1.1 joerg break; 333 1.1 joerg case 'v': 334 1.1 joerg verbose_flag = 1; 335 1.1 joerg break; 336 1.1 joerg case 'h': 337 1.1 joerg usage(EXIT_SUCCESS); 338 1.1 joerg default: 339 1.1 joerg usage(EXIT_FAILURE); 340 1.1 joerg } 341 1.1 joerg } 342 1.1 joerg 343 1.1 joerg argc -= optind; 344 1.1 joerg argv += optind; 345 1.1 joerg 346 1.1 joerg if (argc < 1) { 347 1.1 joerg fprintf(stderr, "Command missing [sign|verify]\n"); 348 1.1 joerg usage(EXIT_FAILURE); 349 1.1 joerg } 350 1.1 joerg 351 1.1 joerg if (strcmp(argv[0], "sign") == 0) { 352 1.1 joerg 353 1.1 joerg if (argc < 2) 354 1.1 joerg usage(1); 355 1.1 joerg 356 1.1 joerg file = argv[1]; 357 1.1 joerg 358 1.1 joerg asprintf(&sigfile, "%s.sp7", file); 359 1.1 joerg if (sigfile == NULL) 360 1.1 joerg err(EXIT_FAILURE, "asprintf failed"); 361 1.1 joerg 362 1.1 joerg load_keys(cert_file, chain_file, key_file); 363 1.1 joerg 364 1.1 joerg sign_file(crypto_state.certificate, 365 1.1 joerg crypto_state.private_key, 366 1.1 joerg crypto_state.cert_chain, 367 1.1 joerg file, 368 1.1 joerg sigfile); 369 1.1 joerg 370 1.1 joerg } else if (strcmp(argv[0], "verify") == 0 371 1.1 joerg || strcmp(argv[0], "verify-code") == 0) { 372 1.1 joerg 373 1.1 joerg if (strcmp(argv[0], "verify-code") == 0) 374 1.1 joerg key_usage |= XKU_CODE_SIGN; 375 1.1 joerg 376 1.1 joerg if (argc < 2) 377 1.1 joerg usage(1); 378 1.1 joerg else if (argc < 3) { 379 1.1 joerg char *dot; 380 1.1 joerg 381 1.1 joerg sigfile = argv[1]; 382 1.1 joerg 383 1.1 joerg file = strdup(sigfile); 384 1.1 joerg if (file == NULL) 385 1.1 joerg err(1, "strdup failed"); 386 1.1 joerg 387 1.1 joerg dot = strrchr(file, '.'); 388 1.1 joerg if (dot == NULL || strchr(dot, '/') != NULL) 389 1.1 joerg errx(EXIT_FAILURE, 390 1.1 joerg "File name missing suffix"); 391 1.1 joerg if (strcmp(".sp7", dot) != 0) 392 1.1 joerg errx(EXIT_FAILURE, 393 1.1 joerg "File name bad suffix (%s)", dot); 394 1.1 joerg *dot = '\0'; 395 1.1 joerg } else { 396 1.1 joerg file = argv[1]; 397 1.1 joerg sigfile = argv[2]; 398 1.1 joerg } 399 1.1 joerg verify_file(crypto_state.cert_chain, anchors, file, sigfile); 400 1.1 joerg } else { 401 1.1 joerg fprintf(stderr, "Unknown command: %s\n", argv[0]); 402 1.1 joerg usage(EXIT_FAILURE); 403 1.1 joerg } 404 1.1 joerg 405 1.1 joerg return 0; 406 1.1 joerg } 407
Indexes created Fri Sep 26 08:10:20 GMT 2025