Merge branch 'master' of github.com:Yubico/yubico-piv-tool

This commit is contained in:
Simon Josefsson
2014-10-07 09:34:03 +02:00
6 changed files with 306 additions and 330 deletions
-7
View File
@@ -73,10 +73,3 @@ tool/tests/parse_name
tool/tests/parse_name.log tool/tests/parse_name.log
tool/tests/parse_name.o tool/tests/parse_name.o
tool/tests/parse_name.trs tool/tests/parse_name.trs
tool/cmdline-signer.c
tool/cmdline-signer.h
tool/libpivsigner_cmd.la
tool/libpivsigner_cmd_la-cmdline-signer.lo
tool/libpivsigner_cmd_la-cmdline-signer.o
tool/yubico-piv-signer
tool/yubico-piv-signer.o
+2 -12
View File
@@ -30,16 +30,12 @@ AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS)
AM_CPPFLAGS = $(OPENSSL_CFLAGS) AM_CPPFLAGS = $(OPENSSL_CFLAGS)
AM_CPPFLAGS += -I$(top_srcdir)/lib -I$(top_builddir)/lib AM_CPPFLAGS += -I$(top_srcdir)/lib -I$(top_builddir)/lib
bin_PROGRAMS = yubico-piv-tool yubico-piv-signer bin_PROGRAMS = yubico-piv-tool
yubico_piv_tool_SOURCES = yubico-piv-tool.c yubico-piv-tool.h2m yubico_piv_tool_SOURCES = yubico-piv-tool.c yubico-piv-tool.h2m
yubico_piv_tool_LDADD = $(OPENSSL_LIBS) ../lib/libykpiv.la yubico_piv_tool_LDADD = $(OPENSSL_LIBS) ../lib/libykpiv.la
yubico_piv_tool_LDADD += libpiv_cmd.la libpiv_util.la yubico_piv_tool_LDADD += libpiv_cmd.la libpiv_util.la
yubico_piv_signer_SOURCES = yubico-piv-signer.c noinst_LTLIBRARIES = libpiv_cmd.la libpiv_util.la
yubico_piv_signer_LDADD = $(OPENSSL_LIBS) ../lib/libykpiv.la
yubico_piv_signer_LDADD += libpivsigner_cmd.la libpiv_util.la
noinst_LTLIBRARIES = libpiv_cmd.la libpiv_util.la libpivsigner_cmd.la
libpiv_cmd_la_SOURCES = cmdline.ggo cmdline.c cmdline.h libpiv_cmd_la_SOURCES = cmdline.ggo cmdline.c cmdline.h
libpiv_cmd_la_CFLAGS = libpiv_cmd_la_CFLAGS =
@@ -49,12 +45,6 @@ libpiv_util_la_LIBADD = $(OPENSSL_LIBS)
cmdline.c cmdline.h: cmdline.ggo Makefile.am cmdline.c cmdline.h: cmdline.ggo Makefile.am
$(GENGETOPT) --input $^ $(GENGETOPT) --input $^
libpivsigner_cmd_la_SOURCES = cmdline-signer.ggo cmdline-signer.c cmdline-signer.h
libpivsigner_cmd_la_CFLAGS =
cmdline-signer.c cmdline-signer.h: cmdline-signer.ggo Makefile.am
$(GENGETOPT) --input $^ -F cmdline-signer
BUILT_SOURCES = cmdline.c cmdline.h BUILT_SOURCES = cmdline.c cmdline.h
MAINTAINERCLEANFILES = $(BUILT_SOURCES) MAINTAINERCLEANFILES = $(BUILT_SOURCES)
-39
View File
@@ -1,39 +0,0 @@
# Copyright (c) 2014 Yubico AB
# All rights reserved.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Additional permission under GNU GPL version 3 section 7
#
# If you modify this program, or any covered work, by linking or
# combining it with the OpenSSL project's OpenSSL library (or a
# modified version of that library), containing parts covered by the
# terms of the OpenSSL or SSLeay licenses, We grant you additional
# permission to convey the resulting work. Corresponding Source for a
# non-source form of such a combination shall include the source code
# for the parts of OpenSSL used as well as that of the covered work.
option "verbose" v "Print more information" int optional default="0" argoptional
option "reader" r "Only use a matching reader" string optional default="Yubikey"
option "slot" s "What key slot to operate on" values="9a","9c","9d","9e" enum
text "
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
9d is for Key Management
9e is for Card Authentication (PIN never checked)\n"
option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256" enum optional default="RSA2048"
option "hash" H "Hash to use for the signature" values="SHA1","SHA256","SHA512" enum optional default="SHA1"
option "input" i "Filename to use as input, - for stdin" string optional default="-"
option "output" o "Filename to use as output, - for stdout" string optional default="-"
option "pin" P "Pin code for verification" string
+2
View File
@@ -41,6 +41,7 @@ text "
9d is for Key Management 9d is for Key Management
9e is for Card Authentication (PIN never checked)\n" 9e is for Card Authentication (PIN never checked)\n"
option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256" enum optional default="RSA2048" option "algorithm" A "What algorithm to use" values="RSA1024","RSA2048","ECCP256" enum optional default="RSA2048"
option "hash" H "Hash to use for signatures" values="SHA1","SHA256","SHA512" enum optional default="SHA256"
option "new-key" n "New authentication key to use" string optional option "new-key" n "New authentication key to use" string optional
option "pin-retries" - "Number of retries before the pin code is blocked" int optional dependon="puk-retries" option "pin-retries" - "Number of retries before the pin code is blocked" int optional dependon="puk-retries"
option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries" option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries"
@@ -54,3 +55,4 @@ text "
/CN=host.example.com/OU=test/O=example.com/\n" /CN=host.example.com/OU=test/O=example.com/\n"
option "pin" P "Pin/puk code for verification" string optional option "pin" P "Pin/puk code for verification" string optional
option "new-pin" N "New pin/puk code for changing" string optional dependon="pin" option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
option "sign" - "Sign data" flag off hidden
-245
View File
@@ -1,245 +0,0 @@
/*
* Copyright (c) 2014 Yubico AB
* All rights reserved.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Additional permission under GNU GPL version 3 section 7
*
* If you modify this program, or any covered work, by linking or
* combining it with the OpenSSL project's OpenSSL library (or a
* modified version of that library), containing parts covered by the
* terms of the OpenSSL or SSLeay licenses, We grant you additional
* permission to convey the resulting work. Corresponding Source for a
* non-source form of such a combination shall include the source code
* for the parts of OpenSSL used as well as that of the covered work.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include "ykpiv.h"
#ifdef _WIN32
#include <windows.h>
#endif
#include "cmdline-signer.h"
#include "util.h"
static bool verify_pin(ykpiv_state *state, const char *pin) {
int tries = -1;
ykpiv_rc res;
int len = strlen(pin);
if(len > 8) {
fprintf(stderr, "Maximum 8 digits of PIN supported.\n");
}
res = ykpiv_verify(state, pin, &tries);
if(res == YKPIV_OK) {
return true;
} else if(res == YKPIV_WRONG_PIN) {
if(tries > 0) {
fprintf(stderr, "Pin verification failed, %d tries left before pin is blocked.\n", tries);
} else {
fprintf(stderr, "Pin code blocked.\n");
}
} else {
fprintf(stderr, "Pin code verification failed: '%s'\n", ykpiv_strerror(res));
}
return false;
}
static bool sign_file(ykpiv_state *state, const char *input, const char *output,
const char *slot, enum enum_algorithm algorithm, enum enum_hash hash,
int verbosity) {
FILE *input_file = NULL;
FILE *output_file = NULL;
int key;
unsigned int hash_len;
unsigned char hashed[EVP_MAX_MD_SIZE];
bool ret = false;
int algo;
int nid;
sscanf(slot, "%x", &key);
input_file = open_file(input, INPUT);
if(!input_file) {
return false;
}
output_file = open_file(output, OUTPUT);
if(!output_file) {
return false;
}
switch(algorithm) {
case algorithm_arg_RSA2048:
algo = YKPIV_ALGO_RSA2048;
break;
case algorithm_arg_RSA1024:
algo = YKPIV_ALGO_RSA1024;
break;
case algorithm_arg_ECCP256:
algo = YKPIV_ALGO_ECCP256;
break;
case algorithm__NULL:
default:
goto out;
}
{
const EVP_MD *md;
EVP_MD_CTX *mdctx;
switch(hash) {
case hash_arg_SHA1:
md = EVP_sha1();
nid = NID_sha1;
break;
case hash_arg_SHA256:
md = EVP_sha256();
nid = NID_sha256;
break;
case hash_arg_SHA512:
md = EVP_sha512();
nid = NID_sha512;
break;
case hash__NULL:
default:
goto out;
}
mdctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(mdctx, md, NULL);
while(!feof(input_file)) {
char buf[1024];
size_t len = fread(buf, 1, 1024, input_file);
EVP_DigestUpdate(mdctx, buf, len);
}
EVP_DigestFinal_ex(mdctx, hashed, &hash_len);
if(verbosity) {
fprintf(stderr, "file hashed as: ");
dump_hex(hashed, hash_len);
fprintf(stderr, "\n");
}
EVP_MD_CTX_destroy(mdctx);
}
if(algo == YKPIV_ALGO_RSA1024 || algo == YKPIV_ALGO_RSA2048) {
X509_SIG digestInfo;
X509_ALGOR algor;
ASN1_TYPE parameter;
ASN1_OCTET_STRING digest;
unsigned char buf[1024];
unsigned char *ptr = hashed;
memcpy(buf, hashed, hash_len);
digestInfo.algor = &algor;
digestInfo.algor->algorithm = OBJ_nid2obj(nid);
digestInfo.algor->parameter = &parameter;
digestInfo.algor->parameter->type = V_ASN1_NULL;
digestInfo.algor->parameter->value.ptr = NULL;
digestInfo.digest = &digest;
digestInfo.digest->data = buf;
digestInfo.digest->length = (int)hash_len;
hash_len = (unsigned int)i2d_X509_SIG(&digestInfo, &ptr);
}
{
unsigned char buf[1024];
size_t len = sizeof(buf);
ykpiv_rc rc = ykpiv_sign_data(state, hashed, hash_len, buf, &len, algo, key);
if(rc != YKPIV_OK) {
fprintf(stderr, "failed signing file: %s\n", ykpiv_strerror(rc));
goto out;
}
if(verbosity) {
fprintf(stderr, "file signed as: ");
dump_hex(buf, len);
fprintf(stderr, "\n");
}
fwrite(buf, 1, len, output_file);
ret = true;
}
out:
if(input_file && input_file != stdin) {
fclose(input_file);
}
if(output_file && output_file != stdout) {
fclose(output_file);
}
return ret;
}
int main(int argc, char *argv[]) {
struct gengetopt_args_info args_info;
ykpiv_state *state;
int verbosity;
int ret = EXIT_SUCCESS;
bool rc;
if(cmdline_parser(argc, argv, &args_info) != 0) {
return EXIT_FAILURE;
}
verbosity = args_info.verbose_arg + (int)args_info.verbose_given;
if(ykpiv_init(&state, verbosity) != YKPIV_OK) {
fprintf(stderr, "Failed initializing library.\n");
return EXIT_FAILURE;
}
if(ykpiv_connect(state, args_info.reader_arg) != YKPIV_OK) {
fprintf(stderr, "Failed to connect to reader.\n");
return EXIT_FAILURE;
}
if(verify_pin(state, args_info.pin_arg)) {
if(verbosity) {
fprintf(stderr, "Successfully verified PIN.\n");
}
} else {
return EXIT_FAILURE;
}
/* openssl setup.. */
OpenSSL_add_all_algorithms();
rc = sign_file(state, args_info.input_arg, args_info.output_arg,
args_info.slot_orig, args_info.algorithm_arg, args_info.hash_arg,
verbosity);
if(rc == false) {
fprintf(stderr, "Failed signing!\n");
ret = EXIT_FAILURE;
} else {
fprintf(stderr, "Signature successful!\n");
}
ykpiv_done(state);
EVP_cleanup();
return ret;
}
+302 -27
View File
@@ -59,11 +59,20 @@ unsigned const char chuid_tmpl[] = {
}; };
#define CHUID_GUID_OFFS 28 #define CHUID_GUID_OFFS 28
unsigned const char sha1oid[] = {
0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00,
0x04, 0x14
};
unsigned const char sha256oid[] = { unsigned const char sha256oid[] = {
0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
0x02, 0x01, 0x05, 0x00, 0x04, 0x20 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
}; };
#define DIGEST_LEN 32
unsigned const char sha512oid[] = {
0x30, 0x51, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
0x02, 0x03, 0x05, 0x00, 0x04, 0x40
};
#define KEY_LEN 24 #define KEY_LEN 24
@@ -473,20 +482,25 @@ static bool set_chuid(ykpiv_state *state, int verbose) {
} }
static bool request_certificate(ykpiv_state *state, enum enum_key_format key_format, static bool request_certificate(ykpiv_state *state, enum enum_key_format key_format,
const char *input_file_name, const char *slot, char *subject, const char *input_file_name, const char *slot, char *subject, enum enum_hash hash,
const char *output_file_name) { const char *output_file_name) {
X509_REQ *req = NULL; X509_REQ *req = NULL;
X509_NAME *name = NULL; X509_NAME *name = NULL;
FILE *input_file = NULL; FILE *input_file = NULL;
FILE *output_file = NULL; FILE *output_file = NULL;
EVP_PKEY *public_key = NULL; EVP_PKEY *public_key = NULL;
const EVP_MD *md;
bool ret = false; bool ret = false;
unsigned char digest[DIGEST_LEN + sizeof(sha256oid)]; unsigned char digest[EVP_MAX_MD_SIZE + sizeof(sha512oid)]; // maximum..
unsigned int digest_len = DIGEST_LEN; unsigned int digest_len;
unsigned int md_len;
unsigned char algorithm; unsigned char algorithm;
int key = 0; int key = 0;
unsigned char *signinput; unsigned char *signinput;
size_t len = 0; size_t len = 0;
size_t oid_len;
const unsigned char *oid;
int nid;
sscanf(slot, "%x", &key); sscanf(slot, "%x", &key);
@@ -511,6 +525,30 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for
goto request_out; goto request_out;
} }
switch(hash) {
case hash_arg_SHA1:
md = EVP_sha1();
oid = sha1oid;
oid_len = sizeof(sha1oid);
break;
case hash_arg_SHA256:
md = EVP_sha256();
oid = sha256oid;
oid_len = sizeof(sha256oid);
break;
case hash_arg_SHA512:
md = EVP_sha512();
oid = sha512oid;
oid_len = sizeof(sha512oid);
break;
case hash__NULL:
default:
goto request_out;
}
md_len = (unsigned int)EVP_MD_size(md);
digest_len = sizeof(digest) - md_len;
req = X509_REQ_new(); req = X509_REQ_new();
if(!req) { if(!req) {
fprintf(stderr, "Failed to allocate request structure.\n"); fprintf(stderr, "Failed to allocate request structure.\n");
@@ -534,10 +572,10 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for
} }
memset(digest, 0, sizeof(digest)); memset(digest, 0, sizeof(digest));
memcpy(digest, sha256oid, sizeof(sha256oid)); memcpy(digest, oid, oid_len);
/* XXX: this should probably use X509_REQ_digest() but that's buggy */ /* XXX: this should probably use X509_REQ_digest() but that's buggy */
if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), EVP_sha256(), req->req_info, if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), md, req->req_info,
digest + sizeof(sha256oid), &digest_len)) { digest + oid_len, &digest_len)) {
fprintf(stderr, "Failed doing digest of request.\n"); fprintf(stderr, "Failed doing digest of request.\n");
goto request_out; goto request_out;
} }
@@ -546,23 +584,51 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for
case YKPIV_ALGO_RSA1024: case YKPIV_ALGO_RSA1024:
case YKPIV_ALGO_RSA2048: case YKPIV_ALGO_RSA2048:
signinput = digest; signinput = digest;
len = sizeof(digest); len = oid_len + digest_len;
req->sig_alg->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption); switch(hash) {
case hash_arg_SHA1:
nid = NID_sha1WithRSAEncryption;
break;
case hash_arg_SHA256:
nid = NID_sha256WithRSAEncryption;
break;
case hash_arg_SHA512:
nid = NID_sha512WithRSAEncryption;
break;
case hash__NULL:
default:
goto request_out;
}
break; break;
case YKPIV_ALGO_ECCP256: case YKPIV_ALGO_ECCP256:
signinput = digest + sizeof(sha256oid); signinput = digest + oid_len;
len = DIGEST_LEN; len = digest_len;
req->sig_alg->algorithm = OBJ_nid2obj(NID_ecdsa_with_SHA256); switch(hash) {
case hash_arg_SHA1:
nid = NID_ecdsa_with_SHA1;
break;
case hash_arg_SHA256:
nid = NID_ecdsa_with_SHA256;
break;
case hash_arg_SHA512:
nid = NID_ecdsa_with_SHA512;
break;
case hash__NULL:
default:
goto request_out;
}
break; break;
default: default:
fprintf(stderr, "Unsupported algorithm %x.\n", algorithm); fprintf(stderr, "Unsupported algorithm %x.\n", algorithm);
goto request_out; goto request_out;
} }
req->sig_alg->algorithm = OBJ_nid2obj(nid);
{ {
unsigned char signature[1024]; unsigned char signature[1024];
size_t sig_len = sizeof(signature); size_t sig_len = sizeof(signature);
if(ykpiv_sign_data(state, signinput, len, signature, &sig_len, algorithm, key) if(ykpiv_sign_data(state, signinput, len, signature, &sig_len, algorithm, key)
!= YKPIV_OK) { != YKPIV_OK) {
fprintf(stderr, "Failed signing request.\n");
goto request_out; goto request_out;
} }
M_ASN1_BIT_STRING_set(req->signature, signature, sig_len); M_ASN1_BIT_STRING_set(req->signature, signature, sig_len);
@@ -595,7 +661,7 @@ request_out:
} }
static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format, static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format,
const char *input_file_name, const char *slot, char *subject, const char *input_file_name, const char *slot, char *subject, enum enum_hash hash,
const char *output_file_name) { const char *output_file_name) {
FILE *input_file = NULL; FILE *input_file = NULL;
FILE *output_file = NULL; FILE *output_file = NULL;
@@ -603,12 +669,17 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
EVP_PKEY *public_key = NULL; EVP_PKEY *public_key = NULL;
X509 *x509 = NULL; X509 *x509 = NULL;
X509_NAME *name = NULL; X509_NAME *name = NULL;
unsigned char digest[DIGEST_LEN + sizeof(sha256oid)]; const EVP_MD *md;
unsigned int digest_len = DIGEST_LEN; unsigned char digest[EVP_MAX_MD_SIZE + sizeof(sha512oid)];
unsigned int digest_len;
unsigned char algorithm; unsigned char algorithm;
int key = 0; int key = 0;
unsigned char *signinput; unsigned char *signinput;
size_t len = 0; size_t len = 0;
size_t oid_len;
const unsigned char *oid;
int nid;
unsigned int md_len;
sscanf(slot, "%x", &key); sscanf(slot, "%x", &key);
@@ -633,6 +704,30 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
goto selfsign_out; goto selfsign_out;
} }
switch(hash) {
case hash_arg_SHA1:
md = EVP_sha1();
oid = sha1oid;
oid_len = sizeof(sha1oid);
break;
case hash_arg_SHA256:
md = EVP_sha256();
oid = sha256oid;
oid_len = sizeof(sha256oid);
break;
case hash_arg_SHA512:
md = EVP_sha512();
oid = sha512oid;
oid_len = sizeof(sha512oid);
break;
case hash__NULL:
default:
goto selfsign_out;
}
md_len = (unsigned int)EVP_MD_size(md);
digest_len = sizeof(digest) - md_len;
x509 = X509_new(); x509 = X509_new();
if(!x509) { if(!x509) {
fprintf(stderr, "Failed to allocate certificate structure.\n"); fprintf(stderr, "Failed to allocate certificate structure.\n");
@@ -675,24 +770,51 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
case YKPIV_ALGO_RSA1024: case YKPIV_ALGO_RSA1024:
case YKPIV_ALGO_RSA2048: case YKPIV_ALGO_RSA2048:
signinput = digest; signinput = digest;
len = sizeof(digest); len = oid_len + md_len;
x509->sig_alg->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption); switch(hash) {
case hash_arg_SHA1:
nid = NID_sha1WithRSAEncryption;
break;
case hash_arg_SHA256:
nid = NID_sha256WithRSAEncryption;
break;
case hash_arg_SHA512:
nid = NID_sha512WithRSAEncryption;
break;
case hash__NULL:
default:
goto selfsign_out;
}
break; break;
case YKPIV_ALGO_ECCP256: case YKPIV_ALGO_ECCP256:
signinput = digest + sizeof(sha256oid); signinput = digest + oid_len;
len = DIGEST_LEN; len = md_len;
x509->sig_alg->algorithm = OBJ_nid2obj(NID_ecdsa_with_SHA256); switch(hash) {
case hash_arg_SHA1:
nid = NID_ecdsa_with_SHA1;
break;
case hash_arg_SHA256:
nid = NID_ecdsa_with_SHA256;
break;
case hash_arg_SHA512:
nid = NID_ecdsa_with_SHA512;
break;
case hash__NULL:
default:
goto selfsign_out;
}
break; break;
default: default:
fprintf(stderr, "Unsupported algorithm %x.\n", algorithm); fprintf(stderr, "Unsupported algorithm %x.\n", algorithm);
goto selfsign_out; goto selfsign_out;
} }
x509->sig_alg->algorithm = OBJ_nid2obj(nid);
x509->cert_info->signature->algorithm = x509->sig_alg->algorithm; x509->cert_info->signature->algorithm = x509->sig_alg->algorithm;
memset(digest, 0, sizeof(digest)); memset(digest, 0, sizeof(digest));
memcpy(digest, sha256oid, sizeof(sha256oid)); memcpy(digest, oid, oid_len);
/* XXX: this should probably use X509_digest() but that looks buggy */ /* XXX: this should probably use X509_digest() but that looks buggy */
if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_CINF), EVP_sha256(), x509->cert_info, if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_CINF), md, x509->cert_info,
digest + sizeof(sha256oid), &digest_len)) { digest + oid_len, &digest_len)) {
fprintf(stderr, "Failed doing digest of certificate.\n"); fprintf(stderr, "Failed doing digest of certificate.\n");
goto selfsign_out; goto selfsign_out;
} }
@@ -701,6 +823,7 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
size_t sig_len = sizeof(signature); size_t sig_len = sizeof(signature);
if(ykpiv_sign_data(state, signinput, len, signature, &sig_len, algorithm, key) if(ykpiv_sign_data(state, signinput, len, signature, &sig_len, algorithm, key)
!= YKPIV_OK) { != YKPIV_OK) {
fprintf(stderr, "Failed signing certificate.\n");
goto selfsign_out; goto selfsign_out;
} }
M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len); M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
@@ -820,6 +943,135 @@ static bool delete_certificate(ykpiv_state *state, enum enum_slot slot) {
} }
} }
static bool sign_file(ykpiv_state *state, const char *input, const char *output,
const char *slot, enum enum_algorithm algorithm, enum enum_hash hash,
int verbosity) {
FILE *input_file = NULL;
FILE *output_file = NULL;
int key;
unsigned int hash_len;
unsigned char hashed[EVP_MAX_MD_SIZE];
bool ret = false;
int algo;
int nid;
sscanf(slot, "%x", &key);
input_file = open_file(input, INPUT);
if(!input_file) {
return false;
}
output_file = open_file(output, OUTPUT);
if(!output_file) {
return false;
}
switch(algorithm) {
case algorithm_arg_RSA2048:
algo = YKPIV_ALGO_RSA2048;
break;
case algorithm_arg_RSA1024:
algo = YKPIV_ALGO_RSA1024;
break;
case algorithm_arg_ECCP256:
algo = YKPIV_ALGO_ECCP256;
break;
case algorithm__NULL:
default:
goto out;
}
{
const EVP_MD *md;
EVP_MD_CTX *mdctx;
switch(hash) {
case hash_arg_SHA1:
md = EVP_sha1();
nid = NID_sha1;
break;
case hash_arg_SHA256:
md = EVP_sha256();
nid = NID_sha256;
break;
case hash_arg_SHA512:
md = EVP_sha512();
nid = NID_sha512;
break;
case hash__NULL:
default:
goto out;
}
mdctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(mdctx, md, NULL);
while(!feof(input_file)) {
char buf[1024];
size_t len = fread(buf, 1, 1024, input_file);
EVP_DigestUpdate(mdctx, buf, len);
}
EVP_DigestFinal_ex(mdctx, hashed, &hash_len);
if(verbosity) {
fprintf(stderr, "file hashed as: ");
dump_hex(hashed, hash_len);
fprintf(stderr, "\n");
}
EVP_MD_CTX_destroy(mdctx);
}
if(algo == YKPIV_ALGO_RSA1024 || algo == YKPIV_ALGO_RSA2048) {
X509_SIG digestInfo;
X509_ALGOR algor;
ASN1_TYPE parameter;
ASN1_OCTET_STRING digest;
unsigned char buf[1024];
unsigned char *ptr = hashed;
memcpy(buf, hashed, hash_len);
digestInfo.algor = &algor;
digestInfo.algor->algorithm = OBJ_nid2obj(nid);
digestInfo.algor->parameter = &parameter;
digestInfo.algor->parameter->type = V_ASN1_NULL;
digestInfo.algor->parameter->value.ptr = NULL;
digestInfo.digest = &digest;
digestInfo.digest->data = buf;
digestInfo.digest->length = (int)hash_len;
hash_len = (unsigned int)i2d_X509_SIG(&digestInfo, &ptr);
}
{
unsigned char buf[1024];
size_t len = sizeof(buf);
ykpiv_rc rc = ykpiv_sign_data(state, hashed, hash_len, buf, &len, algo, key);
if(rc != YKPIV_OK) {
fprintf(stderr, "failed signing file: %s\n", ykpiv_strerror(rc));
goto out;
}
if(verbosity) {
fprintf(stderr, "file signed as: ");
dump_hex(buf, len);
fprintf(stderr, "\n");
}
fwrite(buf, 1, len, output_file);
ret = true;
}
out:
if(input_file && input_file != stdin) {
fclose(input_file);
}
if(output_file && output_file != stdout) {
fclose(output_file);
}
return ret;
}
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
struct gengetopt_args_info args_info; struct gengetopt_args_info args_info;
ykpiv_state *state; ykpiv_state *state;
@@ -846,7 +1098,7 @@ int main(int argc, char *argv[]) {
for(i = 0; i < args_info.action_given; i++) { for(i = 0; i < args_info.action_given; i++) {
bool needs_auth = false; bool needs_auth = false;
action = *args_info.action_arg++; action = *(args_info.action_arg + i);
switch(action) { switch(action) {
case action_arg_generate: case action_arg_generate:
case action_arg_setMINUS_mgmMINUS_key: case action_arg_setMINUS_mgmMINUS_key:
@@ -855,6 +1107,9 @@ int main(int argc, char *argv[]) {
case action_arg_importMINUS_certificate: case action_arg_importMINUS_certificate:
case action_arg_setMINUS_chuid: case action_arg_setMINUS_chuid:
case action_arg_deleteMINUS_certificate: case action_arg_deleteMINUS_certificate:
if(verbosity) {
fprintf(stderr, "Authenticating since action %d needs that.\n", action);
}
needs_auth = true; needs_auth = true;
break; break;
case action_arg_version: case action_arg_version:
@@ -867,6 +1122,9 @@ int main(int argc, char *argv[]) {
case action_arg_selfsignMINUS_certificate: case action_arg_selfsignMINUS_certificate:
case action__NULL: case action__NULL:
default: default:
if(verbosity) {
fprintf(stderr, "Action %d does not need authentication.\n", action);
}
continue; continue;
} }
if(needs_auth) { if(needs_auth) {
@@ -891,7 +1149,7 @@ int main(int argc, char *argv[]) {
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
for(i = 0; i < args_info.action_given; i++) { for(i = 0; i < args_info.action_given; i++) {
action = *args_info.action_arg++; action = *(args_info.action_arg + i);
if(verbosity) { if(verbosity) {
fprintf(stderr, "Now processing for action %d.\n", action); fprintf(stderr, "Now processing for action %d.\n", action);
} }
@@ -986,7 +1244,8 @@ int main(int argc, char *argv[]) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} else { } else {
if(request_certificate(state, args_info.key_format_arg, args_info.input_arg, if(request_certificate(state, args_info.key_format_arg, args_info.input_arg,
args_info.slot_orig, args_info.subject_arg, args_info.output_arg) == false) { args_info.slot_orig, args_info.subject_arg, args_info.hash_arg,
args_info.output_arg) == false) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} }
} }
@@ -1033,7 +1292,8 @@ int main(int argc, char *argv[]) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} else { } else {
if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg, if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg,
args_info.slot_orig, args_info.subject_arg, args_info.output_arg) == false) { args_info.slot_orig, args_info.subject_arg, args_info.hash_arg,
args_info.output_arg) == false) {
ret = EXIT_FAILURE; ret = EXIT_FAILURE;
} }
} }
@@ -1058,6 +1318,21 @@ int main(int argc, char *argv[]) {
} }
} }
if(ret == EXIT_SUCCESS && args_info.sign_flag) {
if(args_info.slot_arg == slot__NULL) {
fprintf(stderr, "The sign action needs a slot (-s) to operate on.\n");
ret = EXIT_FAILURE;
}
else if(sign_file(state, args_info.input_arg, args_info.output_arg,
args_info.slot_orig, args_info.algorithm_arg, args_info.hash_arg,
verbosity)) {
fprintf(stderr, "Signature successful!\n");
} else {
fprintf(stderr, "Failed signing!\n");
ret = EXIT_FAILURE;
}
}
ykpiv_done(state); ykpiv_done(state);
EVP_cleanup(); EVP_cleanup();
return ret; return ret;