/*
 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

/*
 * Option identifiers returned by opt_next() in spkac_main(). The order of
 * the constants mirrors the original table; OPT_COMMON and OPT_PROV_ENUM
 * expand to the shared option sets provided by apps.h.
 */
typedef enum OPTION_choice {
    OPT_COMMON,
    /* output selection */
    OPT_NOOUT,
    OPT_PUBKEY,
    OPT_VERIFY,
    /* input / output files */
    OPT_IN,
    OPT_OUT,
    /* key source used when creating a new SPKAC */
    OPT_ENGINE,
    OPT_KEY,
    OPT_CHALLENGE,
    OPT_PASSIN,
    /* configuration lookup when reading an existing SPKAC */
    OPT_SPKAC,
    OPT_SPKSECT,
    /* key format and signing digest */
    OPT_KEYFORM,
    OPT_DIGEST,
    OPT_PROV_ENUM
} OPTION_CHOICE;

/*
 * Command-line option table for "openssl spkac". Each entry pairs an option
 * name with its OPTION_CHOICE value, its argument kind and the help text
 * shown by -help. The "engine" entry is compiled in only when engine
 * support is available.
 */
const OPTIONS spkac_options[] = {
    OPT_SECTION("General"),
    {"help", OPT_HELP, '-', "Display this summary"},
    {"spksect", OPT_SPKSECT, 's',
     "Specify the name of an SPKAC-dedicated section of configuration"},
#ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif

    OPT_SECTION("Input"),
    {"in", OPT_IN, '<', "Input file"},
    {"key", OPT_KEY, '<', "Create SPKAC using private key"},
    {"keyform", OPT_KEYFORM, 'f',
     "Private key file format (ENGINE, other values ignored)"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"challenge", OPT_CHALLENGE, 's', "Challenge string"},
    {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"},

    OPT_SECTION("Output"),
    {"digest", OPT_DIGEST, 's',
     "Sign new SPKAC with the specified digest (default: MD5)"},
    {"out", OPT_OUT, '>', "Output file"},
    {"noout", OPT_NOOUT, '-', "Don't print SPKAC"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
    {"verify", OPT_VERIFY, '-', "Verify SPKAC signature"},

    OPT_PROV_OPTIONS,
    {NULL}
};

int
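spkac_main(int argc, char **argv)
{
    /*
     * Entry point for "openssl spkac".
     *
     * Two modes, selected by whether -key was given:
     *  - with -key: load the private key, build a new SPKAC (optionally
     *    carrying the -challenge string), sign it with -digest (default
     *    MD5) and write "SPKAC=<base64>" to -out;
     *  - without -key: read the value named by -spkac from section
     *    -spksect of the configuration loaded from -in, print it unless
     *    -noout, check its signature if -verify and emit its public key
     *    as PEM if -pubkey.
     *
     * Returns 0 on success and 1 on any error, including usage errors.
     * All resources acquired along the way are released at the "end"
     * label, so every error path jumps there.
     */
    BIO *out = NULL;
    CONF *conf = NULL;
    ENGINE *e = NULL;
    EVP_PKEY *pkey = NULL;
    NETSCAPE_SPKI *spki = NULL;
    char *challenge = NULL, *keyfile = NULL;
    char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL;
    char *spkstr = NULL, *prog;
    const char *spkac = "SPKAC", *spksect = "default";
    /* MD5 stays the default for compatibility; override with -digest. */
    const char *digest = "MD5";
    EVP_MD *md = NULL;
    int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
    int keyformat = FORMAT_UNDEF;
    OPTION_CHOICE o;

    prog = opt_init(argc, argv, spkac_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(spkac_options);
            ret = 0;
            goto end;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_PUBKEY:
            pubkey = 1;
            break;
        case OPT_VERIFY:
            verify = 1;
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_KEY:
            keyfile = opt_arg();
            break;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
                goto opthelp;
            break;
        case OPT_CHALLENGE:
            challenge = opt_arg();
            break;
        case OPT_SPKAC:
            spkac = opt_arg();
            break;
        case OPT_SPKSECT:
            spksect = opt_arg();
            break;
        case OPT_DIGEST:
            digest = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_PROV_CASES:
            if (!opt_provider(o))
                goto end;
            break;
        }
    }

    /* No extra arguments. */
    argc = opt_num_rest();
    if (argc != 0)
        goto opthelp;

    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
        BIO_printf(bio_err, "Error getting password\n");
        goto end;
    }

    if (keyfile != NULL) {
        /* Creation mode: a private key was supplied, so build and sign. */
        if (!opt_md(digest, &md))
            goto end;

        /* "-" as the key file name means read the key from stdin. */
        pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
                        keyformat, 1, passin, e, "private key");
        if (pkey == NULL)
            goto end;
        spki = NETSCAPE_SPKI_new();
        if (spki == NULL)
            goto end;
        /*
         * ASN1_STRING_set() allocates and can fail; a silently missing
         * challenge would still be signed, so treat failure as fatal.
         */
        if (challenge != NULL
            && !ASN1_STRING_set(spki->spkac->challenge,
                                challenge, (int)strlen(challenge))) {
            BIO_printf(bio_err, "Error setting challenge\n");
            goto end;
        }
        if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) {
            BIO_printf(bio_err, "Error setting public key\n");
            goto end;
        }
        i = NETSCAPE_SPKI_sign(spki, pkey, md);
        if (i <= 0) {
            BIO_printf(bio_err, "Error signing SPKAC\n");
            goto end;
        }
        /* spkstr is owned by us in this branch and must be freed. */
        spkstr = NETSCAPE_SPKI_b64_encode(spki);
        if (spkstr == NULL)
            goto end;

        out = bio_open_default(outfile, 'w', FORMAT_TEXT);
        if (out == NULL) {
            OPENSSL_free(spkstr);
            goto end;
        }
        BIO_printf(out, "SPKAC=%s\n", spkstr);
        OPENSSL_free(spkstr);
        ret = 0;
        goto end;
    }

    /* Read mode: the SPKAC comes from a configuration file. */
    if ((conf = app_load_config(infile)) == NULL)
        goto end;

    /* Unlike the creation branch, this string belongs to conf: do not free. */
    spkstr = NCONF_get_string(conf, spksect, spkac);

    if (spkstr == NULL) {
        BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
        ERR_print_errors(bio_err);
        goto end;
    }

    /* -1: let the decoder take the length from the NUL-terminated string. */
    spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);

    if (spki == NULL) {
        BIO_printf(bio_err, "Error loading SPKAC\n");
        ERR_print_errors(bio_err);
        goto end;
    }

    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
    if (out == NULL)
        goto end;

    if (!noout && !NETSCAPE_SPKI_print(out, spki)) {
        BIO_printf(bio_err, "Error printing SPKAC\n");
        ERR_print_errors(bio_err);
        goto end;
    }
    /*
     * The embedded public key may fail to decode; that only matters when
     * it is needed, so printing alone still succeeds as before.
     */
    pkey = NETSCAPE_SPKI_get_pubkey(spki);
    if (pkey == NULL && (verify || pubkey)) {
        BIO_printf(bio_err, "Error getting public key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
    if (verify) {
        i = NETSCAPE_SPKI_verify(spki, pkey);
        if (i > 0) {
            BIO_printf(bio_err, "Signature OK\n");
        } else {
            BIO_printf(bio_err, "Signature Failure\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
    /* A failed PEM write must not be reported as success. */
    if (pubkey && !PEM_write_bio_PUBKEY(out, pkey)) {
        BIO_printf(bio_err, "Error writing public key\n");
        ERR_print_errors(bio_err);
        goto end;
    }

    ret = 0;

 end:
    EVP_MD_free(md);
    NCONF_free(conf);
    NETSCAPE_SPKI_free(spki);
    BIO_free_all(out);
    EVP_PKEY_free(pkey);
    release_engine(e);
    OPENSSL_free(passin);
    return ret;
}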