projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Properly read data from stream in pki --pkcs7
[strongswan.git] / src / pki / commands / pkcs7.c
1 /*
2 * Copyright (C) 2012 Martin Willi
3 * Copyright (C) 2012 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "pki.h"
17
18 #include <asn1/oid.h>
19 #include <asn1/asn1.h>
20 #include <credentials/containers/pkcs7.h>
21 #include <credentials/sets/mem_cred.h>
22
23 /**
24 * Read input data as chunk
25 */
26 static chunk_t read_from_stream(FILE *stream)
27 {
28 char buf[8096];
29 size_t len, total = 0;
30
31 while (TRUE)
32 {
33 len = fread(buf + total, 1, sizeof(buf) - total, stream);
34 if (len < (sizeof(buf) - total))
35 {
36 if (ferror(stream))
37 {
38 return chunk_empty;
39 }
40 if (feof(stream))
41 {
42 return chunk_clone(chunk_create(buf, total + len));
43 }
44 }
45 total += len;
46 if (total == sizeof(buf))
47 {
48 fprintf(stderr, "buffer too small to read input!\n");
49 return chunk_empty;
50 }
51 }
52 }
53
54 /**
55 * Write output data from chunk to stream
56 */
57 static bool write_to_stream(FILE *stream, chunk_t data)
58 {
59 size_t len, total = 0;
60
61 while (total < data.len)
62 {
63 len = fwrite(data.ptr + total, 1, data.len - total, stream);
64 if (len <= 0)
65 {
66 return FALSE;
67 }
68 total += len;
69 }
70 return TRUE;
71 }
72
73 /**
74 * Verify PKCS#7 signed-data
75 */
76 static int verify(chunk_t chunk)
77 {
78 container_t *container;
79 pkcs7_t *pkcs7;
80 enumerator_t *enumerator;
81 certificate_t *cert;
82 auth_cfg_t *auth;
83 chunk_t data;
84 time_t t;
85 bool verified = FALSE;
86
87 container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
88 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
89 if (!container)
90 {
91 return 1;
92 }
93
94 if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
95 {
96 fprintf(stderr, "verification failed, container is %N\n",
97 container_type_names, container->get_type(container));
98 container->destroy(container);
99 return 1;
100 }
101
102 pkcs7 = (pkcs7_t*)container;
103 enumerator = container->create_signature_enumerator(container);
104 while (enumerator->enumerate(enumerator, &auth))
105 {
106 verified = TRUE;
107 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
108 if (cert)
109 {
110 fprintf(stderr, "signed by '%Y'", cert->get_subject(cert));
111
112 if (pkcs7->get_attribute(pkcs7, OID_PKCS9_SIGNING_TIME,
113 enumerator, &data))
114 {
115 t = asn1_to_time(&data, ASN1_UTCTIME);
116 if (t != UNDEFINED_TIME)
117 {
118 fprintf(stderr, " at %T", &t, FALSE);
119 }
120 free(data.ptr);
121 }
122 fprintf(stderr, "\n");
123 }
124 }
125 enumerator->destroy(enumerator);
126
127 if (!verified)
128 {
129 fprintf(stderr, "no trusted signature found\n");
130 }
131
132 if (verified)
133 {
134 if (container->get_data(container, &data))
135 {
136 write_to_stream(stdout, data);
137 free(data.ptr);
138 }
139 else
140 {
141 verified = FALSE;
142 }
143 }
144 container->destroy(container);
145
146 return verified ? 0 : 1;
147 }
148
149 /**
150 * Sign data into PKCS#7 signed-data
151 */
152 static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key)
153 {
154 container_t *container;
155 chunk_t encoding;
156 int res = 1;
157
158 container = lib->creds->create(lib->creds,
159 CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
160 BUILD_BLOB, chunk,
161 BUILD_SIGNING_CERT, cert,
162 BUILD_SIGNING_KEY, key,
163 BUILD_END);
164 if (container)
165 {
166 if (container->get_encoding(container, &encoding))
167 {
168 write_to_stream(stdout, encoding);
169 free(encoding.ptr);
170 }
171 container->destroy(container);
172 }
173 return res;
174 }
175
176 /**
177 * Encrypt data to a PKCS#7 enveloped-data
178 */
179 static int encrypt(chunk_t chunk, certificate_t *cert)
180 {
181 container_t *container;
182 chunk_t encoding;
183 int res = 1;
184
185 container = lib->creds->create(lib->creds,
186 CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
187 BUILD_BLOB, chunk, BUILD_CERT, cert,
188 BUILD_END);
189 if (container)
190 {
191 if (container->get_encoding(container, &encoding))
192 {
193 write_to_stream(stdout, encoding);
194 free(encoding.ptr);
195 }
196 container->destroy(container);
197 }
198 return res;
199 }
200
201 /**
202 * Decrypt PKCS#7 enveloped-data
203 */
204 static int decrypt(chunk_t chunk)
205 {
206 container_t *container;
207 chunk_t data;
208
209 container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
210 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
211 if (!container)
212 {
213 return 1;
214 }
215 if (container->get_type(container) != CONTAINER_PKCS7_ENVELOPED_DATA)
216 {
217 fprintf(stderr, "decryption failed, container is %N\n",
218 container_type_names, container->get_type(container));
219 container->destroy(container);
220 return 1;
221 }
222 if (!container->get_data(container, &data))
223 {
224 fprintf(stderr, "PKCS#7 decryption failed\n");
225 container->destroy(container);
226 return 1;
227 }
228 container->destroy(container);
229
230 write_to_stream(stdout, data);
231 free(data.ptr);
232
233 return 0;
234 }
235
236 /**
237 * Show info about PKCS#7 container
238 */
239 static int show(chunk_t chunk)
240 {
241 container_t *container;
242 pkcs7_t *pkcs7;
243 enumerator_t *enumerator;
244 certificate_t *cert;
245 chunk_t data;
246
247 container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
248 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
249 if (!container)
250 {
251 return 1;
252 }
253 fprintf(stderr, "%N\n", container_type_names, container->get_type(container));
254
255 if (container->get_type(container) == CONTAINER_PKCS7_SIGNED_DATA)
256 {
257 pkcs7 = (pkcs7_t*)container;
258 enumerator = pkcs7->create_cert_enumerator(pkcs7);
259 while (enumerator->enumerate(enumerator, &cert))
260 {
261 if (cert->get_encoding(cert, CERT_PEM, &data))
262 {
263 printf("%.*s", (int)data.len, data.ptr);
264 free(data.ptr);
265 }
266 }
267 enumerator->destroy(enumerator);
268 }
269 container->destroy(container);
270 return 0;
271 }
272
273 /**
274 * Wrap/Unwrap PKCs#7 containers
275 */
276 static int pkcs7()
277 {
278 char *arg, *file = NULL;
279 private_key_t *key = NULL;
280 certificate_t *cert = NULL;
281 chunk_t data = chunk_empty;
282 mem_cred_t *creds;
283 int res = 1;
284 FILE *in;
285 enum {
286 OP_NONE,
287 OP_SIGN,
288 OP_VERIFY,
289 OP_ENCRYPT,
290 OP_DECRYPT,
291 OP_SHOW,
292 } op = OP_NONE;
293
294 creds = mem_cred_create();
295
296 while (TRUE)
297 {
298 switch (command_getopt(&arg))
299 {
300 case 'h':
301 creds->destroy(creds);
302 return command_usage(NULL);
303 case 'i':
304 file = arg;
305 continue;
306 case 's':
307 if (op != OP_NONE)
308 {
309 goto invalid;
310 }
311 op = OP_SIGN;
312 continue;
313 case 'u':
314 if (op != OP_NONE)
315 {
316 goto invalid;
317 }
318 op = OP_VERIFY;
319 continue;
320 case 'e':
321 if (op != OP_NONE)
322 {
323 goto invalid;
324 }
325 op = OP_ENCRYPT;
326 continue;
327 case 'd':
328 if (op != OP_NONE)
329 {
330 goto invalid;
331 }
332 op = OP_DECRYPT;
333 continue;
334 case 'p':
335 if (op != OP_NONE)
336 {
337 goto invalid;
338 }
339 op = OP_SHOW;
340 continue;
341 case 'k':
342 key = lib->creds->create(lib->creds,
343 CRED_PRIVATE_KEY, KEY_RSA,
344 BUILD_FROM_FILE, arg, BUILD_END);
345 if (!key)
346 {
347 fprintf(stderr, "parsing private key failed\n");
348 goto end;
349 }
350 creds->add_key(creds, key);
351 continue;
352 case 'c':
353 cert = lib->creds->create(lib->creds,
354 CRED_CERTIFICATE, CERT_X509,
355 BUILD_FROM_FILE, arg, BUILD_END);
356 if (!cert)
357 {
358 fprintf(stderr, "parsing certificate failed\n");
359 goto end;
360 }
361 creds->add_cert(creds, TRUE, cert);
362 continue;
363 case EOF:
364 break;
365 default:
366 invalid:
367 creds->destroy(creds);
368 return command_usage("invalid --pkcs7 option");
369 }
370 break;
371 }
372
373 if (file)
374 {
375 in = fopen(file, "r");
376 if (in)
377 {
378 data = read_from_stream(in);
379 fclose(in);
380 }
381 }
382 else
383 {
384 data = read_from_stream(stdin);
385 }
386
387 if (!data.len)
388 {
389 fprintf(stderr, "reading input failed!\n");
390 goto end;
391 }
392 if (op != OP_SHOW && !cert)
393 {
394 fprintf(stderr, "requiring a certificate!\n");
395 goto end;
396 }
397
398 lib->credmgr->add_local_set(lib->credmgr, &creds->set, FALSE);
399
400 switch (op)
401 {
402 case OP_SIGN:
403 if (!key)
404 {
405 fprintf(stderr, "signing requires a private key\n");
406 res = 1;
407 break;
408 }
409 res = sign(data, cert, key);
410 break;
411 case OP_VERIFY:
412 res = verify(data);
413 break;
414 case OP_ENCRYPT:
415 res = encrypt(data, cert);
416 break;
417 case OP_DECRYPT:
418 if (!key)
419 {
420 fprintf(stderr, "decryption requires a private key\n");
421 res = 1;
422 break;
423 }
424 res = decrypt(data);
425 break;
426 case OP_SHOW:
427 res = show(data);
428 break;
429 default:
430 res = 1;
431 break;
432 }
433 lib->credmgr->remove_local_set(lib->credmgr, &creds->set);
434
435 end:
436 creds->destroy(creds);
437 free(data.ptr);
438 return res;
439 }
440
441 /**
442 * Register the command.
443 */
444 static void __attribute__ ((constructor))reg()
445 {
446 command_register((command_t) {
447 pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
448 {"--sign | --verify | --encrypt | --decrypt",
449 "--certificate+ [--key]"},
450 {
451 {"help", 'h', 0, "show usage information"},
452 {"sign", 's', 0, "create PKCS#7 signed-data"},
453 {"verify", 'u', 0, "verify PKCS#7 signed-data"},
454 {"encrypt", 'e', 0, "create PKCS#7 enveloped-data"},
455 {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"},
456 {"show", 'p', 0, "show info about PKCS#7, print certificates"},
457 {"in", 'i', 1, "input file, default: stdin"},
458 {"key", 'k', 1, "path to private key for sign/decryp"},
459 {"cert", 'c', 1, "path to certificate for sign/verify/encryp"},
460 }
461 });
462 }
strongSwan - IPsec VPN