projects / strongswan.git / blob
? search:


9f167d3768fe1b11d0a600e2edfe9fdc804b8055
[strongswan.git] / src / pki / commands / pkcs7.c
1 /*
2 * Copyright (C) 2012 Martin Willi
3 * Copyright (C) 2012 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "pki.h"
17
18 #include <asn1/oid.h>
19 #include <asn1/asn1.h>
20 #include <credentials/containers/pkcs7.h>
21 #include <credentials/sets/mem_cred.h>
22
23 /**
24 * Read input data as chunk
25 */
26 static chunk_t read_from_stream(FILE *stream)
27 {
28 char buf[8096];
29 size_t len, total = 0;
30
31 while (TRUE)
32 {
33 len = fread(buf + total, 1, sizeof(buf) - total, stream);
34 if (len < 0)
35 {
36 return chunk_empty;
37 }
38 if (len == 0)
39 {
40 return chunk_clone(chunk_create(buf, total));
41 }
42 total += len;
43 if (total == sizeof(buf))
44 {
45 fprintf(stderr, "buffer too small to read input!\n");
46 return chunk_empty;
47 }
48 }
49 }
50
51 /**
52 * Write output data from chunk to stream
53 */
54 static bool write_to_stream(FILE *stream, chunk_t data)
55 {
56 size_t len, total = 0;
57
58 while (total < data.len)
59 {
60 len = fwrite(data.ptr + total, 1, data.len - total, stream);
61 if (len <= 0)
62 {
63 return FALSE;
64 }
65 total += len;
66 }
67 return TRUE;
68 }
69
70 /**
71 * Verify PKCS#7 signed-data
72 */
73 static int verify(chunk_t chunk)
74 {
75 container_t *container;
76 pkcs7_t *pkcs7;
77 enumerator_t *enumerator;
78 certificate_t *cert;
79 auth_cfg_t *auth;
80 chunk_t data;
81 time_t t;
82 bool verified = FALSE;
83
84 container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
85 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
86 if (!container)
87 {
88 return 1;
89 }
90
91 if (container->get_type(container) != CONTAINER_PKCS7_SIGNED_DATA)
92 {
93 fprintf(stderr, "verification failed, container is %N\n",
94 container_type_names, container->get_type(container));
95 container->destroy(container);
96 return 1;
97 }
98
99 pkcs7 = (pkcs7_t*)container;
100 enumerator = container->create_signature_enumerator(container);
101 while (enumerator->enumerate(enumerator, &auth))
102 {
103 verified = TRUE;
104 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
105 if (cert)
106 {
107 fprintf(stderr, "signed by '%Y'", cert->get_subject(cert));
108
109 if (pkcs7->get_attribute(pkcs7, OID_PKCS9_SIGNING_TIME,
110 enumerator, &data))
111 {
112 t = asn1_to_time(&data, ASN1_UTCTIME);
113 if (t != UNDEFINED_TIME)
114 {
115 fprintf(stderr, " at %T", &t, FALSE);
116 }
117 free(data.ptr);
118 }
119 fprintf(stderr, "\n");
120 }
121 }
122 enumerator->destroy(enumerator);
123
124 if (!verified)
125 {
126 fprintf(stderr, "no trusted signature found\n");
127 }
128
129 if (verified)
130 {
131 if (container->get_data(container, &data))
132 {
133 write_to_stream(stdout, data);
134 free(data.ptr);
135 }
136 else
137 {
138 verified = FALSE;
139 }
140 }
141 container->destroy(container);
142
143 return verified ? 0 : 1;
144 }
145
146 /**
147 * Sign data into PKCS#7 signed-data
148 */
149 static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key)
150 {
151 container_t *container;
152 chunk_t encoding;
153 int res = 1;
154
155 container = lib->creds->create(lib->creds,
156 CRED_CONTAINER, CONTAINER_PKCS7_SIGNED_DATA,
157 BUILD_BLOB, chunk,
158 BUILD_SIGNING_CERT, cert,
159 BUILD_SIGNING_KEY, key,
160 BUILD_END);
161 if (container)
162 {
163 if (container->get_encoding(container, &encoding))
164 {
165 write_to_stream(stdout, encoding);
166 free(encoding.ptr);
167 }
168 container->destroy(container);
169 }
170 return res;
171 }
172
173 /**
174 * Encrypt data to a PKCS#7 enveloped-data
175 */
176 static int encrypt(chunk_t chunk, certificate_t *cert)
177 {
178 container_t *container;
179 chunk_t encoding;
180 int res = 1;
181
182 container = lib->creds->create(lib->creds,
183 CRED_CONTAINER, CONTAINER_PKCS7_ENVELOPED_DATA,
184 BUILD_BLOB, chunk, BUILD_CERT, cert,
185 BUILD_END);
186 if (container)
187 {
188 if (container->get_encoding(container, &encoding))
189 {
190 write_to_stream(stdout, encoding);
191 free(encoding.ptr);
192 }
193 container->destroy(container);
194 }
195 return res;
196 }
197
198 /**
199 * Decrypt PKCS#7 enveloped-data
200 */
201 static int decrypt(chunk_t chunk)
202 {
203 container_t *container;
204 chunk_t data;
205
206 container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
207 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
208 if (!container)
209 {
210 return 1;
211 }
212 if (container->get_type(container) != CONTAINER_PKCS7_ENVELOPED_DATA)
213 {
214 fprintf(stderr, "decryption failed, container is %N\n",
215 container_type_names, container->get_type(container));
216 container->destroy(container);
217 return 1;
218 }
219 if (!container->get_data(container, &data))
220 {
221 fprintf(stderr, "PKCS#7 decryption failed\n");
222 container->destroy(container);
223 return 1;
224 }
225 container->destroy(container);
226
227 write_to_stream(stdout, data);
228 free(data.ptr);
229
230 return 0;
231 }
232
233 /**
234 * Show info about PKCS#7 container
235 */
236 static int show(chunk_t chunk)
237 {
238 container_t *container;
239 pkcs7_t *pkcs7;
240 enumerator_t *enumerator;
241 certificate_t *cert;
242 chunk_t data;
243
244 container = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS7,
245 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
246 if (!container)
247 {
248 return 1;
249 }
250 fprintf(stderr, "%N\n", container_type_names, container->get_type(container));
251
252 if (container->get_type(container) == CONTAINER_PKCS7_SIGNED_DATA)
253 {
254 pkcs7 = (pkcs7_t*)container;
255 enumerator = pkcs7->create_cert_enumerator(pkcs7);
256 while (enumerator->enumerate(enumerator, &cert))
257 {
258 if (cert->get_encoding(cert, CERT_PEM, &data))
259 {
260 printf("%.*s", (int)data.len, data.ptr);
261 free(data.ptr);
262 }
263 }
264 enumerator->destroy(enumerator);
265 }
266 container->destroy(container);
267 return 0;
268 }
269
270 /**
271 * Wrap/Unwrap PKCs#7 containers
272 */
273 static int pkcs7()
274 {
275 char *arg, *file = NULL;
276 private_key_t *key = NULL;
277 certificate_t *cert = NULL;
278 chunk_t data = chunk_empty;
279 mem_cred_t *creds;
280 int res = 1;
281 FILE *in;
282 enum {
283 OP_NONE,
284 OP_SIGN,
285 OP_VERIFY,
286 OP_ENCRYPT,
287 OP_DECRYPT,
288 OP_SHOW,
289 } op = OP_NONE;
290
291 creds = mem_cred_create();
292
293 while (TRUE)
294 {
295 switch (command_getopt(&arg))
296 {
297 case 'h':
298 creds->destroy(creds);
299 return command_usage(NULL);
300 case 'i':
301 file = arg;
302 continue;
303 case 's':
304 if (op != OP_NONE)
305 {
306 goto invalid;
307 }
308 op = OP_SIGN;
309 continue;
310 case 'u':
311 if (op != OP_NONE)
312 {
313 goto invalid;
314 }
315 op = OP_VERIFY;
316 continue;
317 case 'e':
318 if (op != OP_NONE)
319 {
320 goto invalid;
321 }
322 op = OP_ENCRYPT;
323 continue;
324 case 'd':
325 if (op != OP_NONE)
326 {
327 goto invalid;
328 }
329 op = OP_DECRYPT;
330 continue;
331 case 'p':
332 if (op != OP_NONE)
333 {
334 goto invalid;
335 }
336 op = OP_SHOW;
337 continue;
338 case 'k':
339 key = lib->creds->create(lib->creds,
340 CRED_PRIVATE_KEY, KEY_RSA,
341 BUILD_FROM_FILE, arg, BUILD_END);
342 if (!key)
343 {
344 fprintf(stderr, "parsing private key failed\n");
345 goto end;
346 }
347 creds->add_key(creds, key);
348 continue;
349 case 'c':
350 cert = lib->creds->create(lib->creds,
351 CRED_CERTIFICATE, CERT_X509,
352 BUILD_FROM_FILE, arg, BUILD_END);
353 if (!cert)
354 {
355 fprintf(stderr, "parsing certificate failed\n");
356 goto end;
357 }
358 creds->add_cert(creds, TRUE, cert);
359 continue;
360 case EOF:
361 break;
362 default:
363 invalid:
364 creds->destroy(creds);
365 return command_usage("invalid --pkcs7 option");
366 }
367 break;
368 }
369
370 if (file)
371 {
372 in = fopen(file, "r");
373 if (in)
374 {
375 data = read_from_stream(in);
376 fclose(in);
377 }
378 }
379 else
380 {
381 data = read_from_stream(stdin);
382 }
383
384 if (!data.len)
385 {
386 fprintf(stderr, "reading input failed!\n");
387 goto end;
388 }
389 if (op != OP_SHOW && !cert)
390 {
391 fprintf(stderr, "requiring a certificate!\n");
392 goto end;
393 }
394
395 lib->credmgr->add_local_set(lib->credmgr, &creds->set, FALSE);
396
397 switch (op)
398 {
399 case OP_SIGN:
400 if (!key)
401 {
402 fprintf(stderr, "signing requires a private key\n");
403 res = 1;
404 break;
405 }
406 res = sign(data, cert, key);
407 break;
408 case OP_VERIFY:
409 res = verify(data);
410 break;
411 case OP_ENCRYPT:
412 res = encrypt(data, cert);
413 break;
414 case OP_DECRYPT:
415 if (!key)
416 {
417 fprintf(stderr, "decryption requires a private key\n");
418 res = 1;
419 break;
420 }
421 res = decrypt(data);
422 break;
423 case OP_SHOW:
424 res = show(data);
425 break;
426 default:
427 res = 1;
428 break;
429 }
430 lib->credmgr->remove_local_set(lib->credmgr, &creds->set);
431
432 end:
433 creds->destroy(creds);
434 free(data.ptr);
435 return res;
436 }
437
438 /**
439 * Register the command.
440 */
441 static void __attribute__ ((constructor))reg()
442 {
443 command_register((command_t) {
444 pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
445 {"--sign | --verify | --encrypt | --decrypt",
446 "--certificate+ [--key]"},
447 {
448 {"help", 'h', 0, "show usage information"},
449 {"sign", 's', 0, "create PKCS#7 signed-data"},
450 {"verify", 'u', 0, "verify PKCS#7 signed-data"},
451 {"encrypt", 'e', 0, "create PKCS#7 enveloped-data"},
452 {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"},
453 {"show", 'p', 0, "show info about PKCS#7, print certificates"},
454 {"in", 'i', 1, "input file, default: stdin"},
455 {"key", 'k', 1, "path to private key for sign/decryp"},
456 {"cert", 'c', 1, "path to certificate for sign/verify/encryp"},
457 }
458 });
459 }
strongSwan - IPsec VPN