1: /*
2: * Copyright (C) 2012 Martin Willi
3: * Copyright (C) 2012 revosec AG
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: #include "pki.h"
17:
18: #include <asn1/oid.h>
19: #include <asn1/asn1.h>
20: #include <credentials/containers/pkcs7.h>
21: #include <credentials/sets/mem_cred.h>
22:
23: /**
24: * Read input data as chunk
25: */
26: static chunk_t read_from_stream(FILE *stream)
27: {
28: char buf[8096];
29: size_t len, total = 0;
30:
31: while (TRUE)
32: {
33: len = fread(buf + total, 1, sizeof(buf) - total, stream);
34: if (len < (sizeof(buf) - total))
35: {
36: if (ferror(stream))
37: {
38: return chunk_empty;
39: }
40: if (feof(stream))
41: {
42: return chunk_clone(chunk_create(buf, total + len));
43: }
44: }
45: total += len;
46: if (total == sizeof(buf))
47: {
48: fprintf(stderr, "buffer too small to read input!\n");
49: return chunk_empty;
50: }
51: }
52: }
53:
54: /**
55: * Write output data from chunk to stream
56: */
57: static bool write_to_stream(FILE *stream, chunk_t data)
58: {
59: size_t len, total = 0;
60:
61: set_file_mode(stream, CERT_ASN1_DER);
62: while (total < data.len)
63: {
64: len = fwrite(data.ptr + total, 1, data.len - total, stream);
65: if (len <= 0)
66: {
67: return FALSE;
68: }
69: total += len;
70: }
71: return TRUE;
72: }
73:
74: /**
75: * Verify PKCS#7 signed-data
76: */
77: static int verify(chunk_t chunk)
78: {
79: container_t *container;
80: pkcs7_t *pkcs7;
81: enumerator_t *enumerator;
82: certificate_t *cert;
83: auth_cfg_t *auth;
84: chunk_t data;
85: time_t t;
86: bool verified = FALSE;
87:
88: container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
89: BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
90: if (!container)
91: {
92: return 1;
93: }
94:
95: if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
96: {
97: fprintf(stderr, "verification failed, container is %N\n",
98: container_type_names, container->get_type(container));
99: container->destroy(container);
100: return 1;
101: }
102:
103: pkcs7 = (pkcs7_t*)container;
104: enumerator = container->create_signature_enumerator(container);
105: while (enumerator->enumerate(enumerator, &auth))
106: {
107: verified = TRUE;
108: cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
109: if (cert)
110: {
111: fprintf(stderr, "signed by '%Y'", cert->get_subject(cert));
112:
113: if (pkcs7->get_attribute(pkcs7, OID_PKCS9_SIGNING_TIME,
114: enumerator, &data))
115: {
116: t = asn1_to_time(&data, ASN1_UTCTIME);
117: if (t != UNDEFINED_TIME)
118: {
119: fprintf(stderr, " at %T", &t, FALSE);
120: }
121: free(data.ptr);
122: }
123: fprintf(stderr, "\n");
124: }
125: }
126: enumerator->destroy(enumerator);
127:
128: if (!verified)
129: {
130: fprintf(stderr, "no trusted signature found\n");
131: }
132:
133: if (verified)
134: {
135: if (container->get_data(container, &data))
136: {
137: write_to_stream(stdout, data);
138: free(data.ptr);
139: }
140: else
141: {
142: verified = FALSE;
143: }
144: }
145: container->destroy(container);
146:
147: return verified ? 0 : 1;
148: }
149:
150: /**
151: * Sign data into PKCS#7 signed-data
152: */
153: static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key)
154: {
155: container_t *container;
156: chunk_t encoding;
157: int res = 1;
158:
159: container = lib->creds->create(lib->creds,
160: CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
161: BUILD_BLOB, chunk,
162: BUILD_SIGNING_CERT, cert,
163: BUILD_SIGNING_KEY, key,
164: BUILD_END);
165: if (container)
166: {
167: if (container->get_encoding(container, &encoding))
168: {
169: write_to_stream(stdout, encoding);
170: free(encoding.ptr);
171: }
172: container->destroy(container);
173: }
174: return res;
175: }
176:
177: /**
178: * Encrypt data to a PKCS#7 enveloped-data
179: */
180: static int encrypt(chunk_t chunk, certificate_t *cert)
181: {
182: container_t *container;
183: chunk_t encoding;
184: int res = 1;
185:
186: container = lib->creds->create(lib->creds,
187: CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
188: BUILD_BLOB, chunk, BUILD_CERT, cert,
189: BUILD_END);
190: if (container)
191: {
192: if (container->get_encoding(container, &encoding))
193: {
194: write_to_stream(stdout, encoding);
195: free(encoding.ptr);
196: }
197: container->destroy(container);
198: }
199: return res;
200: }
201:
202: /**
203: * Decrypt PKCS#7 enveloped-data
204: */
205: static int decrypt(chunk_t chunk)
206: {
207: container_t *container;
208: chunk_t data;
209:
210: container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
211: BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
212: if (!container)
213: {
214: return 1;
215: }
216: if (container->get_type(container) != CONTAINER_PKCS7_ENVELOPED_DATA)
217: {
218: fprintf(stderr, "decryption failed, container is %N\n",
219: container_type_names, container->get_type(container));
220: container->destroy(container);
221: return 1;
222: }
223: if (!container->get_data(container, &data))
224: {
225: fprintf(stderr, "PKCS#7 decryption failed\n");
226: container->destroy(container);
227: return 1;
228: }
229: container->destroy(container);
230:
231: write_to_stream(stdout, data);
232: free(data.ptr);
233:
234: return 0;
235: }
236:
237: /**
238: * Show info about PKCS#7 container
239: */
240: static int show(chunk_t chunk)
241: {
242: container_t *container;
243: pkcs7_t *pkcs7;
244: enumerator_t *enumerator;
245: certificate_t *cert;
246: chunk_t data;
247:
248: container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
249: BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
250: if (!container)
251: {
252: return 1;
253: }
254: fprintf(stderr, "%N\n", container_type_names, container->get_type(container));
255:
256: if (container->get_type(container) == CONTAINER_PKCS7_SIGNED_DATA)
257: {
258: pkcs7 = (pkcs7_t*)container;
259: enumerator = pkcs7->create_cert_enumerator(pkcs7);
260: while (enumerator->enumerate(enumerator, &cert))
261: {
262: if (cert->get_encoding(cert, CERT_PEM, &data))
263: {
264: printf("%.*s", (int)data.len, data.ptr);
265: free(data.ptr);
266: }
267: }
268: enumerator->destroy(enumerator);
269: }
270: container->destroy(container);
271: return 0;
272: }
273:
274: /**
275: * Wrap/Unwrap PKCs#7 containers
276: */
277: static int pkcs7()
278: {
279: char *arg, *file = NULL;
280: private_key_t *key = NULL;
281: certificate_t *cert = NULL;
282: chunk_t data = chunk_empty;
283: mem_cred_t *creds;
284: int res = 1;
285: FILE *in;
286: enum {
287: OP_NONE,
288: OP_SIGN,
289: OP_VERIFY,
290: OP_ENCRYPT,
291: OP_DECRYPT,
292: OP_SHOW,
293: } op = OP_NONE;
294:
295: creds = mem_cred_create();
296:
297: while (TRUE)
298: {
299: switch (command_getopt(&arg))
300: {
301: case 'h':
302: creds->destroy(creds);
303: return command_usage(NULL);
304: case 'i':
305: file = arg;
306: continue;
307: case 's':
308: if (op != OP_NONE)
309: {
310: goto invalid;
311: }
312: op = OP_SIGN;
313: continue;
314: case 'u':
315: if (op != OP_NONE)
316: {
317: goto invalid;
318: }
319: op = OP_VERIFY;
320: continue;
321: case 'e':
322: if (op != OP_NONE)
323: {
324: goto invalid;
325: }
326: op = OP_ENCRYPT;
327: continue;
328: case 'd':
329: if (op != OP_NONE)
330: {
331: goto invalid;
332: }
333: op = OP_DECRYPT;
334: continue;
335: case 'p':
336: if (op != OP_NONE)
337: {
338: goto invalid;
339: }
340: op = OP_SHOW;
341: continue;
342: case 'k':
343: key = lib->creds->create(lib->creds,
344: CRED_PRIVATE_KEY, KEY_RSA,
345: BUILD_FROM_FILE, arg, BUILD_END);
346: if (!key)
347: {
348: fprintf(stderr, "parsing private key failed\n");
349: goto end;
350: }
351: creds->add_key(creds, key);
352: continue;
353: case 'c':
354: cert = lib->creds->create(lib->creds,
355: CRED_CERTIFICATE, CERT_X509,
356: BUILD_FROM_FILE, arg, BUILD_END);
357: if (!cert)
358: {
359: fprintf(stderr, "parsing certificate failed\n");
360: goto end;
361: }
362: creds->add_cert(creds, TRUE, cert);
363: continue;
364: case EOF:
365: break;
366: default:
367: invalid:
368: creds->destroy(creds);
369: return command_usage("invalid --pkcs7 option");
370: }
371: break;
372: }
373:
374: if (file)
375: {
376: in = fopen(file, "r");
377: if (in)
378: {
379: data = read_from_stream(in);
380: fclose(in);
381: }
382: }
383: else
384: {
385: data = read_from_stream(stdin);
386: }
387:
388: if (!data.len)
389: {
390: fprintf(stderr, "reading input failed!\n");
391: goto end;
392: }
393: if (op != OP_SHOW && !cert)
394: {
395: fprintf(stderr, "requiring a certificate!\n");
396: goto end;
397: }
398:
399: lib->credmgr->add_local_set(lib->credmgr, &creds->set, FALSE);
400:
401: switch (op)
402: {
403: case OP_SIGN:
404: if (!key)
405: {
406: fprintf(stderr, "signing requires a private key\n");
407: res = 1;
408: break;
409: }
410: res = sign(data, cert, key);
411: break;
412: case OP_VERIFY:
413: res = verify(data);
414: break;
415: case OP_ENCRYPT:
416: res = encrypt(data, cert);
417: break;
418: case OP_DECRYPT:
419: if (!key)
420: {
421: fprintf(stderr, "decryption requires a private key\n");
422: res = 1;
423: break;
424: }
425: res = decrypt(data);
426: break;
427: case OP_SHOW:
428: res = show(data);
429: break;
430: default:
431: res = 1;
432: break;
433: }
434: lib->credmgr->remove_local_set(lib->credmgr, &creds->set);
435:
436: end:
437: creds->destroy(creds);
438: free(data.ptr);
439: return res;
440: }
441:
442: /**
443: * Register the command.
444: */
445: static void __attribute__ ((constructor))reg()
446: {
447: command_register((command_t) {
448: pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
449: {"--sign|--verify|--encrypt|--decrypt|--show",
450: "[--in file] [--cert file]+ [--key file]"},
451: {
452: {"help", 'h', 0, "show usage information"},
453: {"sign", 's', 0, "create PKCS#7 signed-data"},
454: {"verify", 'u', 0, "verify PKCS#7 signed-data"},
455: {"encrypt", 'e', 0, "create PKCS#7 enveloped-data"},
456: {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"},
457: {"show", 'p', 0, "show info about PKCS#7, print certificates"},
458: {"in", 'i', 1, "input file, default: stdin"},
459: {"key", 'k', 1, "path to private key for sign/decrypt"},
460: {"cert", 'c', 1, "path to certificate for sign/verify/encrypt"},
461: }
462: });
463: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to pkcs7.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / pki / commands