diff --git a/.gitignore b/.gitignore index 9d0e0fe..baea115 100644 --- a/.gitignore +++ b/.gitignore @@ -73,10 +73,3 @@ tool/tests/parse_name tool/tests/parse_name.log tool/tests/parse_name.o tool/tests/parse_name.trs -tool/cmdline-signer.c -tool/cmdline-signer.h -tool/libpivsigner_cmd.la -tool/libpivsigner_cmd_la-cmdline-signer.lo -tool/libpivsigner_cmd_la-cmdline-signer.o -tool/yubico-piv-signer -tool/yubico-piv-signer.o diff --git a/tool/Makefile.am b/tool/Makefile.am index 6567ed8..0e5af5e 100644 --- a/tool/Makefile.am +++ b/tool/Makefile.am @@ -30,16 +30,12 @@ AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS) AM_CPPFLAGS = $(OPENSSL_CFLAGS) AM_CPPFLAGS += -I$(top_srcdir)/lib -I$(top_builddir)/lib -bin_PROGRAMS = yubico-piv-tool yubico-piv-signer +bin_PROGRAMS = yubico-piv-tool yubico_piv_tool_SOURCES = yubico-piv-tool.c yubico-piv-tool.h2m yubico_piv_tool_LDADD = $(OPENSSL_LIBS) ../lib/libykpiv.la yubico_piv_tool_LDADD += libpiv_cmd.la libpiv_util.la -yubico_piv_signer_SOURCES = yubico-piv-signer.c -yubico_piv_signer_LDADD = $(OPENSSL_LIBS) ../lib/libykpiv.la -yubico_piv_signer_LDADD += libpivsigner_cmd.la libpiv_util.la - -noinst_LTLIBRARIES = libpiv_cmd.la libpiv_util.la libpivsigner_cmd.la +noinst_LTLIBRARIES = libpiv_cmd.la libpiv_util.la libpiv_cmd_la_SOURCES = cmdline.ggo cmdline.c cmdline.h libpiv_cmd_la_CFLAGS = @@ -49,12 +45,6 @@ libpiv_util_la_LIBADD = $(OPENSSL_LIBS) cmdline.c cmdline.h: cmdline.ggo Makefile.am $(GENGETOPT) --input $^ -libpivsigner_cmd_la_SOURCES = cmdline-signer.ggo cmdline-signer.c cmdline-signer.h -libpivsigner_cmd_la_CFLAGS = - -cmdline-signer.c cmdline-signer.h: cmdline-signer.ggo Makefile.am - $(GENGETOPT) --input $^ -F cmdline-signer - BUILT_SOURCES = cmdline.c cmdline.h MAINTAINERCLEANFILES = $(BUILT_SOURCES) diff --git a/tool/cmdline-signer.ggo b/tool/cmdline-signer.ggo deleted file mode 100644 index d758eb5..0000000 --- a/tool/cmdline-signer.ggo +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright (c) 2014 Yubico AB -# All rights reserved. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# -# Additional permission under GNU GPL version 3 section 7 -# -# If you modify this program, or any covered work, by linking or -# combining it with the OpenSSL project's OpenSSL library (or a -# modified version of that library), containing parts covered by the -# terms of the OpenSSL or SSLeay licenses, We grant you additional -# permission to convey the resulting work. Corresponding Source for a -# non-source form of such a combination shall include the source code -# for the parts of OpenSSL used as well as that of the covered work. - -option "verbose" v "Print more information" int optional default="0" argoptional -option "reader" r "Only use a matching reader" string optional default="Yubikey" -option "slot" s "What key slot to operate on" values="9a","9c","9d","9e" enum -text " - 9a is for PIV Authentication - 9c is for Digital Signature (PIN always checked) - 9d is for Key Management - 9e is for Card Authentication (PIN never checked)\n" -option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256" enum optional default="RSA2048" -option "hash" H "Hash to use for the signature" values="SHA1","SHA256","SHA512" enum optional default="SHA1" -option "input" i "Filename to use as input, - for stdin" string optional default="-" -option "output" o "Filename to use as output, - for stdout" string optional default="-" -option "pin" P "Pin code for verification" string diff --git a/tool/cmdline.ggo b/tool/cmdline.ggo index de79960..d1734db 100644 --- a/tool/cmdline.ggo +++ b/tool/cmdline.ggo @@ -41,6 +41,7 @@ text " 9d is for Key Management 9e is for Card Authentication (PIN never checked)\n" option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256" enum optional default="RSA2048" +option "hash" H "Hash to use for signatures" values="SHA1","SHA256","SHA512" enum optional default="SHA256" option "new-key" n "New authentication key to use" string optional option "pin-retries" - "Number of retries before the pin code is blocked" int optional dependon="puk-retries" option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries" @@ -54,3 +55,4 @@ text " /CN=host.example.com/OU=test/O=example.com/\n" option "pin" P "Pin/puk code for verification" string optional option "new-pin" N "New pin/puk code for changing" string optional dependon="pin" +option "sign" - "Sign data" flag off hidden diff --git a/tool/yubico-piv-signer.c b/tool/yubico-piv-signer.c deleted file mode 100644 index 3aca575..0000000 --- a/tool/yubico-piv-signer.c +++ /dev/null @@ -1,245 +0,0 @@ - /* - * Copyright (c) 2014 Yubico AB - * All rights reserved. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - * - * Additional permission under GNU GPL version 3 section 7 - * - * If you modify this program, or any covered work, by linking or - * combining it with the OpenSSL project's OpenSSL library (or a - * modified version of that library), containing parts covered by the - * terms of the OpenSSL or SSLeay licenses, We grant you additional - * permission to convey the resulting work. Corresponding Source for a - * non-source form of such a combination shall include the source code - * for the parts of OpenSSL used as well as that of the covered work. - * - */ - -#include -#include -#include -#include - -#include "ykpiv.h" - -#ifdef _WIN32 -#include -#endif - -#include "cmdline-signer.h" -#include "util.h" - -static bool verify_pin(ykpiv_state *state, const char *pin) { - int tries = -1; - ykpiv_rc res; - int len = strlen(pin); - - if(len > 8) { - fprintf(stderr, "Maximum 8 digits of PIN supported.\n"); - } - - res = ykpiv_verify(state, pin, &tries); - if(res == YKPIV_OK) { - return true; - } else if(res == YKPIV_WRONG_PIN) { - if(tries > 0) { - fprintf(stderr, "Pin verification failed, %d tries left before pin is blocked.\n", tries); - } else { - fprintf(stderr, "Pin code blocked.\n"); - } - } else { - fprintf(stderr, "Pin code verification failed: '%s'\n", ykpiv_strerror(res)); - } - return false; -} - -static bool sign_file(ykpiv_state *state, const char *input, const char *output, - const char *slot, enum enum_algorithm algorithm, enum enum_hash hash, - int verbosity) { - FILE *input_file = NULL; - FILE *output_file = NULL; - int key; - unsigned int hash_len; - unsigned char hashed[EVP_MAX_MD_SIZE]; - bool ret = false; - int algo; - int nid; - - sscanf(slot, "%x", &key); - - input_file = open_file(input, INPUT); - if(!input_file) { - return false; - } - - output_file = open_file(output, OUTPUT); - if(!output_file) { - return false; - } - - switch(algorithm) { - case algorithm_arg_RSA2048: - algo = YKPIV_ALGO_RSA2048; - break; - case algorithm_arg_RSA1024: - algo = YKPIV_ALGO_RSA1024; - break; - case algorithm_arg_ECCP256: - algo = YKPIV_ALGO_ECCP256; - break; - case algorithm__NULL: - default: - goto out; - } - - { - const EVP_MD *md; - EVP_MD_CTX *mdctx; - - switch(hash) { - case hash_arg_SHA1: - md = EVP_sha1(); - nid = NID_sha1; - break; - case hash_arg_SHA256: - md = EVP_sha256(); - nid = NID_sha256; - break; - case hash_arg_SHA512: - md = EVP_sha512(); - nid = NID_sha512; - break; - case hash__NULL: - default: - goto out; - } - - mdctx = EVP_MD_CTX_create(); - EVP_DigestInit_ex(mdctx, md, NULL); - while(!feof(input_file)) { - char buf[1024]; - size_t len = fread(buf, 1, 1024, input_file); - EVP_DigestUpdate(mdctx, buf, len); - } - EVP_DigestFinal_ex(mdctx, hashed, &hash_len); - - if(verbosity) { - fprintf(stderr, "file hashed as: "); - dump_hex(hashed, hash_len); - fprintf(stderr, "\n"); - } - EVP_MD_CTX_destroy(mdctx); - } - - if(algo == YKPIV_ALGO_RSA1024 || algo == YKPIV_ALGO_RSA2048) { - X509_SIG digestInfo; - X509_ALGOR algor; - ASN1_TYPE parameter; - ASN1_OCTET_STRING digest; - unsigned char buf[1024]; - unsigned char *ptr = hashed; - - memcpy(buf, hashed, hash_len); - - digestInfo.algor = &algor; - digestInfo.algor->algorithm = OBJ_nid2obj(nid); - digestInfo.algor->parameter = ¶meter; - digestInfo.algor->parameter->type = V_ASN1_NULL; - digestInfo.algor->parameter->value.ptr = NULL; - digestInfo.digest = &digest; - digestInfo.digest->data = buf; - digestInfo.digest->length = (int)hash_len; - hash_len = (unsigned int)i2d_X509_SIG(&digestInfo, &ptr); - } - - { - unsigned char buf[1024]; - size_t len = sizeof(buf); - ykpiv_rc rc = ykpiv_sign_data(state, hashed, hash_len, buf, &len, algo, key); - if(rc != YKPIV_OK) { - fprintf(stderr, "failed signing file: %s\n", ykpiv_strerror(rc)); - goto out; - } - - if(verbosity) { - fprintf(stderr, "file signed as: "); - dump_hex(buf, len); - fprintf(stderr, "\n"); - } - fwrite(buf, 1, len, output_file); - ret = true; - } - -out: - if(input_file && input_file != stdin) { - fclose(input_file); - } - - if(output_file && output_file != stdout) { - fclose(output_file); - } - - return ret; -} - -int main(int argc, char *argv[]) { - struct gengetopt_args_info args_info; - ykpiv_state *state; - int verbosity; - int ret = EXIT_SUCCESS; - bool rc; - - if(cmdline_parser(argc, argv, &args_info) != 0) { - return EXIT_FAILURE; - } - - verbosity = args_info.verbose_arg + (int)args_info.verbose_given; - - if(ykpiv_init(&state, verbosity) != YKPIV_OK) { - fprintf(stderr, "Failed initializing library.\n"); - return EXIT_FAILURE; - } - - if(ykpiv_connect(state, args_info.reader_arg) != YKPIV_OK) { - fprintf(stderr, "Failed to connect to reader.\n"); - return EXIT_FAILURE; - } - - if(verify_pin(state, args_info.pin_arg)) { - if(verbosity) { - fprintf(stderr, "Successfully verified PIN.\n"); - } - } else { - return EXIT_FAILURE; - } - - /* openssl setup.. */ - OpenSSL_add_all_algorithms(); - - rc = sign_file(state, args_info.input_arg, args_info.output_arg, - args_info.slot_orig, args_info.algorithm_arg, args_info.hash_arg, - verbosity); - - if(rc == false) { - fprintf(stderr, "Failed signing!\n"); - ret = EXIT_FAILURE; - } else { - fprintf(stderr, "Signature successful!\n"); - } - - ykpiv_done(state); - EVP_cleanup(); - return ret; -} diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index af24e6c..9228510 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c @@ -59,11 +59,20 @@ unsigned const char chuid_tmpl[] = { }; #define CHUID_GUID_OFFS 28 +unsigned const char sha1oid[] = { + 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, + 0x04, 0x14 +}; + unsigned const char sha256oid[] = { 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 }; -#define DIGEST_LEN 32 + +unsigned const char sha512oid[] = { + 0x30, 0x51, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, + 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 +}; #define KEY_LEN 24 @@ -473,20 +482,25 @@ static bool set_chuid(ykpiv_state *state, int verbose) { } static bool request_certificate(ykpiv_state *state, enum enum_key_format key_format, - const char *input_file_name, const char *slot, char *subject, + const char *input_file_name, const char *slot, char *subject, enum enum_hash hash, const char *output_file_name) { X509_REQ *req = NULL; X509_NAME *name = NULL; FILE *input_file = NULL; FILE *output_file = NULL; EVP_PKEY *public_key = NULL; + const EVP_MD *md; bool ret = false; - unsigned char digest[DIGEST_LEN + sizeof(sha256oid)]; - unsigned int digest_len = DIGEST_LEN; + unsigned char digest[EVP_MAX_MD_SIZE + sizeof(sha512oid)]; // maximum.. + unsigned int digest_len; + unsigned int md_len; unsigned char algorithm; int key = 0; unsigned char *signinput; size_t len = 0; + size_t oid_len; + const unsigned char *oid; + int nid; sscanf(slot, "%x", &key); @@ -511,6 +525,30 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for goto request_out; } + switch(hash) { + case hash_arg_SHA1: + md = EVP_sha1(); + oid = sha1oid; + oid_len = sizeof(sha1oid); + break; + case hash_arg_SHA256: + md = EVP_sha256(); + oid = sha256oid; + oid_len = sizeof(sha256oid); + break; + case hash_arg_SHA512: + md = EVP_sha512(); + oid = sha512oid; + oid_len = sizeof(sha512oid); + break; + case hash__NULL: + default: + goto request_out; + } + + md_len = (unsigned int)EVP_MD_size(md); + digest_len = sizeof(digest) - md_len; + req = X509_REQ_new(); if(!req) { fprintf(stderr, "Failed to allocate request structure.\n"); @@ -534,10 +572,10 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for } memset(digest, 0, sizeof(digest)); - memcpy(digest, sha256oid, sizeof(sha256oid)); + memcpy(digest, oid, oid_len); /* XXX: this should probably use X509_REQ_digest() but that's buggy */ - if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), EVP_sha256(), req->req_info, - digest + sizeof(sha256oid), &digest_len)) { + if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), md, req->req_info, + digest + oid_len, &digest_len)) { fprintf(stderr, "Failed doing digest of request.\n"); goto request_out; } @@ -546,23 +584,51 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for case YKPIV_ALGO_RSA1024: case YKPIV_ALGO_RSA2048: signinput = digest; - len = sizeof(digest); - req->sig_alg->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption); + len = oid_len + digest_len; + switch(hash) { + case hash_arg_SHA1: + nid = NID_sha1WithRSAEncryption; + break; + case hash_arg_SHA256: + nid = NID_sha256WithRSAEncryption; + break; + case hash_arg_SHA512: + nid = NID_sha512WithRSAEncryption; + break; + case hash__NULL: + default: + goto request_out; + } break; case YKPIV_ALGO_ECCP256: - signinput = digest + sizeof(sha256oid); - len = DIGEST_LEN; - req->sig_alg->algorithm = OBJ_nid2obj(NID_ecdsa_with_SHA256); + signinput = digest + oid_len; + len = digest_len; + switch(hash) { + case hash_arg_SHA1: + nid = NID_ecdsa_with_SHA1; + break; + case hash_arg_SHA256: + nid = NID_ecdsa_with_SHA256; + break; + case hash_arg_SHA512: + nid = NID_ecdsa_with_SHA512; + break; + case hash__NULL: + default: + goto request_out; + } break; default: fprintf(stderr, "Unsupported algorithm %x.\n", algorithm); goto request_out; } + req->sig_alg->algorithm = OBJ_nid2obj(nid); { unsigned char signature[1024]; size_t sig_len = sizeof(signature); if(ykpiv_sign_data(state, signinput, len, signature, &sig_len, algorithm, key) != YKPIV_OK) { + fprintf(stderr, "Failed signing request.\n"); goto request_out; } M_ASN1_BIT_STRING_set(req->signature, signature, sig_len); @@ -595,7 +661,7 @@ request_out: } static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format, - const char *input_file_name, const char *slot, char *subject, + const char *input_file_name, const char *slot, char *subject, enum enum_hash hash, const char *output_file_name) { FILE *input_file = NULL; FILE *output_file = NULL; @@ -603,12 +669,17 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo EVP_PKEY *public_key = NULL; X509 *x509 = NULL; X509_NAME *name = NULL; - unsigned char digest[DIGEST_LEN + sizeof(sha256oid)]; - unsigned int digest_len = DIGEST_LEN; + const EVP_MD *md; + unsigned char digest[EVP_MAX_MD_SIZE + sizeof(sha512oid)]; + unsigned int digest_len; unsigned char algorithm; int key = 0; unsigned char *signinput; size_t len = 0; + size_t oid_len; + const unsigned char *oid; + int nid; + unsigned int md_len; sscanf(slot, "%x", &key); @@ -633,6 +704,30 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo goto selfsign_out; } + switch(hash) { + case hash_arg_SHA1: + md = EVP_sha1(); + oid = sha1oid; + oid_len = sizeof(sha1oid); + break; + case hash_arg_SHA256: + md = EVP_sha256(); + oid = sha256oid; + oid_len = sizeof(sha256oid); + break; + case hash_arg_SHA512: + md = EVP_sha512(); + oid = sha512oid; + oid_len = sizeof(sha512oid); + break; + case hash__NULL: + default: + goto selfsign_out; + } + + md_len = (unsigned int)EVP_MD_size(md); + digest_len = sizeof(digest) - md_len; + x509 = X509_new(); if(!x509) { fprintf(stderr, "Failed to allocate certificate structure.\n"); @@ -675,24 +770,51 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo case YKPIV_ALGO_RSA1024: case YKPIV_ALGO_RSA2048: signinput = digest; - len = sizeof(digest); - x509->sig_alg->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption); + len = oid_len + md_len; + switch(hash) { + case hash_arg_SHA1: + nid = NID_sha1WithRSAEncryption; + break; + case hash_arg_SHA256: + nid = NID_sha256WithRSAEncryption; + break; + case hash_arg_SHA512: + nid = NID_sha512WithRSAEncryption; + break; + case hash__NULL: + default: + goto selfsign_out; + } break; case YKPIV_ALGO_ECCP256: - signinput = digest + sizeof(sha256oid); - len = DIGEST_LEN; - x509->sig_alg->algorithm = OBJ_nid2obj(NID_ecdsa_with_SHA256); + signinput = digest + oid_len; + len = md_len; + switch(hash) { + case hash_arg_SHA1: + nid = NID_ecdsa_with_SHA1; + break; + case hash_arg_SHA256: + nid = NID_ecdsa_with_SHA256; + break; + case hash_arg_SHA512: + nid = NID_ecdsa_with_SHA512; + break; + case hash__NULL: + default: + goto selfsign_out; + } break; default: fprintf(stderr, "Unsupported algorithm %x.\n", algorithm); goto selfsign_out; } + x509->sig_alg->algorithm = OBJ_nid2obj(nid); x509->cert_info->signature->algorithm = x509->sig_alg->algorithm; memset(digest, 0, sizeof(digest)); - memcpy(digest, sha256oid, sizeof(sha256oid)); + memcpy(digest, oid, oid_len); /* XXX: this should probably use X509_digest() but that looks buggy */ - if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_CINF), EVP_sha256(), x509->cert_info, - digest + sizeof(sha256oid), &digest_len)) { + if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_CINF), md, x509->cert_info, + digest + oid_len, &digest_len)) { fprintf(stderr, "Failed doing digest of certificate.\n"); goto selfsign_out; } @@ -701,6 +823,7 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo size_t sig_len = sizeof(signature); if(ykpiv_sign_data(state, signinput, len, signature, &sig_len, algorithm, key) != YKPIV_OK) { + fprintf(stderr, "Failed signing certificate.\n"); goto selfsign_out; } M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len); @@ -820,6 +943,135 @@ static bool delete_certificate(ykpiv_state *state, enum enum_slot slot) { } } +static bool sign_file(ykpiv_state *state, const char *input, const char *output, + const char *slot, enum enum_algorithm algorithm, enum enum_hash hash, + int verbosity) { + FILE *input_file = NULL; + FILE *output_file = NULL; + int key; + unsigned int hash_len; + unsigned char hashed[EVP_MAX_MD_SIZE]; + bool ret = false; + int algo; + int nid; + + sscanf(slot, "%x", &key); + + input_file = open_file(input, INPUT); + if(!input_file) { + return false; + } + + output_file = open_file(output, OUTPUT); + if(!output_file) { + return false; + } + + switch(algorithm) { + case algorithm_arg_RSA2048: + algo = YKPIV_ALGO_RSA2048; + break; + case algorithm_arg_RSA1024: + algo = YKPIV_ALGO_RSA1024; + break; + case algorithm_arg_ECCP256: + algo = YKPIV_ALGO_ECCP256; + break; + case algorithm__NULL: + default: + goto out; + } + + { + const EVP_MD *md; + EVP_MD_CTX *mdctx; + + switch(hash) { + case hash_arg_SHA1: + md = EVP_sha1(); + nid = NID_sha1; + break; + case hash_arg_SHA256: + md = EVP_sha256(); + nid = NID_sha256; + break; + case hash_arg_SHA512: + md = EVP_sha512(); + nid = NID_sha512; + break; + case hash__NULL: + default: + goto out; + } + + mdctx = EVP_MD_CTX_create(); + EVP_DigestInit_ex(mdctx, md, NULL); + while(!feof(input_file)) { + char buf[1024]; + size_t len = fread(buf, 1, 1024, input_file); + EVP_DigestUpdate(mdctx, buf, len); + } + EVP_DigestFinal_ex(mdctx, hashed, &hash_len); + + if(verbosity) { + fprintf(stderr, "file hashed as: "); + dump_hex(hashed, hash_len); + fprintf(stderr, "\n"); + } + EVP_MD_CTX_destroy(mdctx); + } + + if(algo == YKPIV_ALGO_RSA1024 || algo == YKPIV_ALGO_RSA2048) { + X509_SIG digestInfo; + X509_ALGOR algor; + ASN1_TYPE parameter; + ASN1_OCTET_STRING digest; + unsigned char buf[1024]; + unsigned char *ptr = hashed; + + memcpy(buf, hashed, hash_len); + + digestInfo.algor = &algor; + digestInfo.algor->algorithm = OBJ_nid2obj(nid); + digestInfo.algor->parameter = ¶meter; + digestInfo.algor->parameter->type = V_ASN1_NULL; + digestInfo.algor->parameter->value.ptr = NULL; + digestInfo.digest = &digest; + digestInfo.digest->data = buf; + digestInfo.digest->length = (int)hash_len; + hash_len = (unsigned int)i2d_X509_SIG(&digestInfo, &ptr); + } + + { + unsigned char buf[1024]; + size_t len = sizeof(buf); + ykpiv_rc rc = ykpiv_sign_data(state, hashed, hash_len, buf, &len, algo, key); + if(rc != YKPIV_OK) { + fprintf(stderr, "failed signing file: %s\n", ykpiv_strerror(rc)); + goto out; + } + + if(verbosity) { + fprintf(stderr, "file signed as: "); + dump_hex(buf, len); + fprintf(stderr, "\n"); + } + fwrite(buf, 1, len, output_file); + ret = true; + } + +out: + if(input_file && input_file != stdin) { + fclose(input_file); + } + + if(output_file && output_file != stdout) { + fclose(output_file); + } + + return ret; +} + int main(int argc, char *argv[]) { struct gengetopt_args_info args_info; ykpiv_state *state; @@ -846,7 +1098,7 @@ int main(int argc, char *argv[]) { for(i = 0; i < args_info.action_given; i++) { bool needs_auth = false; - action = *args_info.action_arg++; + action = *(args_info.action_arg + i); switch(action) { case action_arg_generate: case action_arg_setMINUS_mgmMINUS_key: @@ -855,6 +1107,9 @@ int main(int argc, char *argv[]) { case action_arg_importMINUS_certificate: case action_arg_setMINUS_chuid: case action_arg_deleteMINUS_certificate: + if(verbosity) { + fprintf(stderr, "Authenticating since action %d needs that.\n", action); + } needs_auth = true; break; case action_arg_version: @@ -867,6 +1122,9 @@ int main(int argc, char *argv[]) { case action_arg_selfsignMINUS_certificate: case action__NULL: default: + if(verbosity) { + fprintf(stderr, "Action %d does not need authentication.\n", action); + } continue; } if(needs_auth) { @@ -891,7 +1149,7 @@ int main(int argc, char *argv[]) { OpenSSL_add_all_algorithms(); for(i = 0; i < args_info.action_given; i++) { - action = *args_info.action_arg++; + action = *(args_info.action_arg + i); if(verbosity) { fprintf(stderr, "Now processing for action %d.\n", action); } @@ -986,7 +1244,8 @@ int main(int argc, char *argv[]) { ret = EXIT_FAILURE; } else { if(request_certificate(state, args_info.key_format_arg, args_info.input_arg, - args_info.slot_orig, args_info.subject_arg, args_info.output_arg) == false) { + args_info.slot_orig, args_info.subject_arg, args_info.hash_arg, + args_info.output_arg) == false) { ret = EXIT_FAILURE; } } @@ -1033,7 +1292,8 @@ int main(int argc, char *argv[]) { ret = EXIT_FAILURE; } else { if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg, - args_info.slot_orig, args_info.subject_arg, args_info.output_arg) == false) { + args_info.slot_orig, args_info.subject_arg, args_info.hash_arg, + args_info.output_arg) == false) { ret = EXIT_FAILURE; } } @@ -1058,6 +1318,21 @@ int main(int argc, char *argv[]) { } } + if(ret == EXIT_SUCCESS && args_info.sign_flag) { + if(args_info.slot_arg == slot__NULL) { + fprintf(stderr, "The sign action needs a slot (-s) to operate on.\n"); + ret = EXIT_FAILURE; + } + else if(sign_file(state, args_info.input_arg, args_info.output_arg, + args_info.slot_orig, args_info.algorithm_arg, args_info.hash_arg, + verbosity)) { + fprintf(stderr, "Signature successful!\n"); + } else { + fprintf(stderr, "Failed signing!\n"); + ret = EXIT_FAILURE; + } + } + ykpiv_done(state); EVP_cleanup(); return ret;