]> git.ipfire.org Git - thirdparty/openssl.git/blob - apps/pkeyutl.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Restore module loading
[thirdparty/openssl.git] / apps / pkeyutl.c
1 /*
2 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
3 * 2006.
4 */
5 /* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include "apps.h"
60 #include <string.h>
61 #include <openssl/err.h>
62 #include <openssl/pem.h>
63 #include <openssl/evp.h>
64
65 #define KEY_PRIVKEY 1
66 #define KEY_PUBKEY 2
67 #define KEY_CERT 3
68
69 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
70 char *keyfile, int keyform, int key_type,
71 char *passinarg, int pkey_op, ENGINE *e);
72
73 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file);
74
75 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
76 unsigned char *out, size_t *poutlen,
77 unsigned char *in, size_t inlen);
78
79 typedef enum OPTION_choice {
80 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
81 OPT_ENGINE, OPT_IN, OPT_OUT,
82 OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
83 OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
84 OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
85 OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT
86 } OPTION_CHOICE;
87
88 OPTIONS pkeyutl_options[] = {
89 {"help", OPT_HELP, '-', "Display this summary"},
90 {"in", OPT_IN, '<', "Input file"},
91 {"out", OPT_OUT, '>', "Output file"},
92 {"pubin", OPT_PUBIN, '-', "Input is a public key"},
93 {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
94 {"asn1parse", OPT_ASN1PARSE, '-'},
95 {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
96 {"sign", OPT_SIGN, '-', "Sign with private key"},
97 {"verify", OPT_VERIFY, '-', "Verify with public key"},
98 {"verifyrecover", OPT_VERIFYRECOVER, '-',
99 "Verify with public key, recover original data"},
100 {"rev", OPT_REV, '-'},
101 {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
102 {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
103 {"derive", OPT_DERIVE, '-', "Derive shared secret"},
104 {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
105 {"inkey", OPT_INKEY, 's', "Input key"},
106 {"peerkey", OPT_PEERKEY, 's'},
107 {"passin", OPT_PASSIN, 's', "Pass phrase source"},
108 {"peerform", OPT_PEERFORM, 'F'},
109 {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
110 {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
111 #ifndef OPENSSL_NO_ENGINE
112 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
113 #endif
114 {NULL}
115 };
116
117 int pkeyutl_main(int argc, char **argv)
118 {
119 BIO *in = NULL, *out = NULL;
120 ENGINE *e = NULL;
121 EVP_PKEY_CTX *ctx = NULL;
122 char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
123 char hexdump = 0, asn1parse = 0, rev = 0, *prog;
124 unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
125 OPTION_CHOICE o;
126 int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform =
127 FORMAT_PEM;
128 int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
129 int ret = 1, rv = -1;
130 size_t buf_outlen;
131
132 prog = opt_init(argc, argv, pkeyutl_options);
133 while ((o = opt_next()) != OPT_EOF) {
134 switch (o) {
135 case OPT_EOF:
136 case OPT_ERR:
137 opthelp:
138 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
139 goto end;
140 case OPT_HELP:
141 opt_help(pkeyutl_options);
142 ret = 0;
143 goto end;
144 case OPT_IN:
145 infile = opt_arg();
146 break;
147 case OPT_OUT:
148 outfile = opt_arg();
149 break;
150 case OPT_SIGFILE:
151 sigfile = opt_arg();
152 break;
153 case OPT_INKEY:
154 ctx = init_ctx(&keysize, opt_arg(), keyform, key_type,
155 passinarg, pkey_op, e);
156 if (ctx == NULL) {
157 BIO_puts(bio_err, "%s: Error initializing context\n");
158 ERR_print_errors(bio_err);
159 goto opthelp;
160 }
161 break;
162 case OPT_PEERKEY:
163 if (!setup_peer(ctx, peerform, opt_arg()))
164 goto opthelp;
165 break;
166 case OPT_PASSIN:
167 passinarg = opt_arg();
168 break;
169 case OPT_PEERFORM:
170 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform))
171 goto opthelp;
172 break;
173 case OPT_KEYFORM:
174 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
175 goto opthelp;
176 break;
177 case OPT_ENGINE:
178 e = setup_engine(opt_arg(), 0);
179 break;
180 case OPT_PUBIN:
181 key_type = KEY_PUBKEY;
182 break;
183 case OPT_CERTIN:
184 key_type = KEY_CERT;
185 break;
186 case OPT_ASN1PARSE:
187 asn1parse = 1;
188 break;
189 case OPT_HEXDUMP:
190 hexdump = 1;
191 break;
192 case OPT_SIGN:
193 pkey_op = EVP_PKEY_OP_SIGN;
194 break;
195 case OPT_VERIFY:
196 pkey_op = EVP_PKEY_OP_VERIFY;
197 break;
198 case OPT_VERIFYRECOVER:
199 pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
200 break;
201 case OPT_REV:
202 rev = 1;
203 case OPT_ENCRYPT:
204 pkey_op = EVP_PKEY_OP_ENCRYPT;
205 break;
206 case OPT_DECRYPT:
207 pkey_op = EVP_PKEY_OP_DECRYPT;
208 break;
209 case OPT_DERIVE:
210 pkey_op = EVP_PKEY_OP_DERIVE;
211 break;
212 case OPT_PKEYOPT:
213 if (ctx == NULL) {
214 BIO_printf(bio_err,
215 "%s: Must have -inkey before -pkeyopt\n", prog);
216 goto opthelp;
217 }
218 if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
219 BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
220 ERR_print_errors(bio_err);
221 goto end;
222 }
223 break;
224 }
225 }
226 argc = opt_num_rest();
227 argv = opt_rest();
228
229 if (ctx == NULL)
230 goto opthelp;
231
232 if (!app_load_modules(NULL))
233 goto end;
234
235 if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
236 BIO_printf(bio_err,
237 "%s: Signature file specified for non verify\n", prog);
238 goto end;
239 }
240
241 if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) {
242 BIO_printf(bio_err,
243 "%s: No signature file specified for verify\n", prog);
244 goto end;
245 }
246
247 /* FIXME: seed PRNG only if needed */
248 app_RAND_load_file(NULL, 0);
249
250 if (pkey_op != EVP_PKEY_OP_DERIVE) {
251 in = bio_open_default(infile, "rb");
252 if (in == NULL)
253 goto end;
254 }
255 out = bio_open_default(outfile, "wb");
256 if (out == NULL)
257 goto end;
258
259 if (sigfile) {
260 BIO *sigbio = BIO_new_file(sigfile, "rb");
261 if (!sigbio) {
262 BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
263 goto end;
264 }
265 siglen = bio_to_mem(&sig, keysize * 10, sigbio);
266 BIO_free(sigbio);
267 if (siglen <= 0) {
268 BIO_printf(bio_err, "Error reading signature data\n");
269 goto end;
270 }
271 }
272
273 if (in) {
274 /* Read the input data */
275 buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
276 if (buf_inlen <= 0) {
277 BIO_printf(bio_err, "Error reading input Data\n");
278 exit(1);
279 }
280 if (rev) {
281 size_t i;
282 unsigned char ctmp;
283 size_t l = (size_t)buf_inlen;
284 for (i = 0; i < l / 2; i++) {
285 ctmp = buf_in[i];
286 buf_in[i] = buf_in[l - 1 - i];
287 buf_in[l - 1 - i] = ctmp;
288 }
289 }
290 }
291
292 if (pkey_op == EVP_PKEY_OP_VERIFY) {
293 rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
294 buf_in, (size_t)buf_inlen);
295 if (rv == 1) {
296 BIO_puts(out, "Signature Verified Successfully\n");
297 ret = 0;
298 } else
299 BIO_puts(out, "Signature Verification Failure\n");
300 goto end;
301 }
302 rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
303 buf_in, (size_t)buf_inlen);
304 if (rv > 0) {
305 buf_out = app_malloc(buf_outlen, "buffer output");
306 rv = do_keyop(ctx, pkey_op,
307 buf_out, (size_t *)&buf_outlen,
308 buf_in, (size_t)buf_inlen);
309 }
310 if (rv <= 0) {
311 ERR_print_errors(bio_err);
312 goto end;
313 }
314 ret = 0;
315
316 if (asn1parse) {
317 if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
318 ERR_print_errors(bio_err);
319 } else if (hexdump)
320 BIO_dump(out, (char *)buf_out, buf_outlen);
321 else
322 BIO_write(out, buf_out, buf_outlen);
323
324 end:
325 EVP_PKEY_CTX_free(ctx);
326 BIO_free(in);
327 BIO_free_all(out);
328 OPENSSL_free(buf_in);
329 OPENSSL_free(buf_out);
330 OPENSSL_free(sig);
331 return ret;
332 }
333
334 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
335 char *keyfile, int keyform, int key_type,
336 char *passinarg, int pkey_op, ENGINE *e)
337 {
338 EVP_PKEY *pkey = NULL;
339 EVP_PKEY_CTX *ctx = NULL;
340 char *passin = NULL;
341 int rv = -1;
342 X509 *x;
343 if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
344 || (pkey_op == EVP_PKEY_OP_DERIVE))
345 && (key_type != KEY_PRIVKEY)) {
346 BIO_printf(bio_err, "A private key is needed for this operation\n");
347 goto end;
348 }
349 if (!app_passwd(passinarg, NULL, &passin, NULL)) {
350 BIO_printf(bio_err, "Error getting password\n");
351 goto end;
352 }
353 switch (key_type) {
354 case KEY_PRIVKEY:
355 pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
356 break;
357
358 case KEY_PUBKEY:
359 pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
360 break;
361
362 case KEY_CERT:
363 x = load_cert(keyfile, keyform, NULL, e, "Certificate");
364 if (x) {
365 pkey = X509_get_pubkey(x);
366 X509_free(x);
367 }
368 break;
369
370 }
371
372 *pkeysize = EVP_PKEY_size(pkey);
373
374 if (!pkey)
375 goto end;
376
377 ctx = EVP_PKEY_CTX_new(pkey, e);
378
379 EVP_PKEY_free(pkey);
380
381 if (!ctx)
382 goto end;
383
384 switch (pkey_op) {
385 case EVP_PKEY_OP_SIGN:
386 rv = EVP_PKEY_sign_init(ctx);
387 break;
388
389 case EVP_PKEY_OP_VERIFY:
390 rv = EVP_PKEY_verify_init(ctx);
391 break;
392
393 case EVP_PKEY_OP_VERIFYRECOVER:
394 rv = EVP_PKEY_verify_recover_init(ctx);
395 break;
396
397 case EVP_PKEY_OP_ENCRYPT:
398 rv = EVP_PKEY_encrypt_init(ctx);
399 break;
400
401 case EVP_PKEY_OP_DECRYPT:
402 rv = EVP_PKEY_decrypt_init(ctx);
403 break;
404
405 case EVP_PKEY_OP_DERIVE:
406 rv = EVP_PKEY_derive_init(ctx);
407 break;
408 }
409
410 if (rv <= 0) {
411 EVP_PKEY_CTX_free(ctx);
412 ctx = NULL;
413 }
414
415 end:
416 OPENSSL_free(passin);
417 return ctx;
418
419 }
420
421 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file)
422 {
423 EVP_PKEY *peer = NULL;
424 int ret;
425 if (!ctx) {
426 BIO_puts(bio_err, "-peerkey command before -inkey\n");
427 return 0;
428 }
429
430 peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key");
431
432 if (!peer) {
433 BIO_printf(bio_err, "Error reading peer key %s\n", file);
434 ERR_print_errors(bio_err);
435 return 0;
436 }
437
438 ret = EVP_PKEY_derive_set_peer(ctx, peer);
439
440 EVP_PKEY_free(peer);
441 if (ret <= 0)
442 ERR_print_errors(bio_err);
443 return ret;
444 }
445
446 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
447 unsigned char *out, size_t *poutlen,
448 unsigned char *in, size_t inlen)
449 {
450 int rv = 0;
451 switch (pkey_op) {
452 case EVP_PKEY_OP_VERIFYRECOVER:
453 rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
454 break;
455
456 case EVP_PKEY_OP_SIGN:
457 rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
458 break;
459
460 case EVP_PKEY_OP_ENCRYPT:
461 rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
462 break;
463
464 case EVP_PKEY_OP_DECRYPT:
465 rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
466 break;
467
468 case EVP_PKEY_OP_DERIVE:
469 rv = EVP_PKEY_derive(ctx, out, poutlen);
470 break;
471
472 }
473 return rv;
474 }
A mirror of the official openssl repository