2 * Copyright (c) 2010 .SE (The Internet Infrastructure Foundation)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
16 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
18 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
20 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
22 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
23 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
24 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 /*****************************************************************************
28 softhsm2-keyconv-ossl.cpp
30 Code specific for OpenSSL
31 *****************************************************************************/
35 #include "softhsm2-keyconv.h"
44 #include <openssl/pem.h>
45 #include <openssl/evp.h>
46 #include <openssl/err.h>
47 #include <openssl/pkcs12.h>
48 #include <openssl/dsa.h>
49 #include <openssl/rsa.h>
54 OpenSSL_add_all_algorithms();
56 if (!FIPS_mode_set(1))
58 fprintf(stderr, "ERROR: can't enter into FIPS mode.\n");
68 CRYPTO_cleanup_all_ex_data();
71 // Save the RSA key as a PKCS#8 file
72 int save_rsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey)
75 EVP_PKEY* ossl_pkey = NULL;
76 PKCS8_PRIV_KEY_INFO* p8inf = NULL;
81 // See if the key material was found.
84 pkey[TAG_MODULUS].size <= 0 ||
85 pkey[TAG_PUBEXP].size <= 0 ||
86 pkey[TAG_PRIVEXP].size <= 0 ||
87 pkey[TAG_PRIME1].size <= 0 ||
88 pkey[TAG_PRIME2].size <= 0 ||
89 pkey[TAG_EXP1].size <= 0 ||
90 pkey[TAG_EXP2].size <= 0 ||
91 pkey[TAG_COEFF].size <= 0
94 fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n");
99 BIGNUM* bn_p = BN_bin2bn((unsigned char*)pkey[TAG_PRIME1].big, pkey[TAG_PRIME1].size, NULL);
100 BIGNUM* bn_q = BN_bin2bn((unsigned char*)pkey[TAG_PRIME2].big, pkey[TAG_PRIME2].size, NULL);
101 BIGNUM* bn_d = BN_bin2bn((unsigned char*)pkey[TAG_PRIVEXP].big, pkey[TAG_PRIVEXP].size, NULL);
102 BIGNUM* bn_n = BN_bin2bn((unsigned char*)pkey[TAG_MODULUS].big, pkey[TAG_MODULUS].size, NULL);
103 BIGNUM* bn_e = BN_bin2bn((unsigned char*)pkey[TAG_PUBEXP].big, pkey[TAG_PUBEXP].size, NULL);
104 BIGNUM* bn_dmp1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP1].big, pkey[TAG_EXP1].size, NULL);
105 BIGNUM* bn_dmq1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP2].big, pkey[TAG_EXP2].size, NULL);
106 BIGNUM* bn_iqmp = BN_bin2bn((unsigned char*)pkey[TAG_COEFF].big, pkey[TAG_COEFF].size, NULL);
107 RSA_set0_factors(rsa, bn_p, bn_q);
108 RSA_set0_crt_params(rsa, bn_dmp1, bn_dmq1, bn_iqmp);
109 RSA_set0_key(rsa, bn_n, bn_e, bn_d);
111 ossl_pkey = EVP_PKEY_new();
113 // Convert RSA to EVP_PKEY
114 if (!EVP_PKEY_set1_RSA(ossl_pkey, rsa))
116 fprintf(stderr, "ERROR: Could not convert RSA key to EVP_PKEY.\n");
118 EVP_PKEY_free(ossl_pkey);
123 // Convert EVP_PKEY to PKCS#8
124 if (!(p8inf = EVP_PKEY2PKCS8(ossl_pkey)))
126 fprintf(stderr, "ERROR: Could not convert EVP_PKEY to PKCS#8.\n");
127 EVP_PKEY_free(ossl_pkey);
130 EVP_PKEY_free(ossl_pkey);
133 if (!(out = BIO_new_file (out_path, "wb")))
135 fprintf(stderr, "ERROR: Could not open the output file.\n");
136 PKCS8_PRIV_KEY_INFO_free(p8inf);
141 if (file_pin == NULL)
143 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
144 printf("The key has been written to %s\n", out_path);
149 if (!(p8 = PKCS8_encrypt(NID_pbeWithMD5AndDES_CBC, NULL,
150 file_pin, strlen(file_pin), NULL,
151 0, PKCS12_DEFAULT_ITER, p8inf)))
153 fprintf(stderr, "ERROR: Could not encrypt the PKCS#8 file\n");
158 PEM_write_bio_PKCS8(out, p8);
160 printf("The key has been written to %s\n", out_path);
164 PKCS8_PRIV_KEY_INFO_free(p8inf);
170 // Save the DSA key as a PKCS#8 file
171 int save_dsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey)
174 EVP_PKEY* ossl_pkey = NULL;
175 PKCS8_PRIV_KEY_INFO* p8inf = NULL;
180 // See if the key material was found.
183 pkey[TAG_PRIME].size <= 0 ||
184 pkey[TAG_SUBPRIME].size <= 0 ||
185 pkey[TAG_BASE].size <= 0 ||
186 pkey[TAG_PRIVVAL].size <= 0 ||
187 pkey[TAG_PUBVAL].size <= 0
190 fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n");
195 BIGNUM* bn_p = BN_bin2bn((unsigned char*)pkey[TAG_PRIME].big, pkey[TAG_PRIME].size, NULL);
196 BIGNUM* bn_q = BN_bin2bn((unsigned char*)pkey[TAG_SUBPRIME].big, pkey[TAG_SUBPRIME].size, NULL);
197 BIGNUM* bn_g = BN_bin2bn((unsigned char*)pkey[TAG_BASE].big, pkey[TAG_BASE].size, NULL);
198 BIGNUM* bn_priv_key = BN_bin2bn((unsigned char*)pkey[TAG_PRIVVAL].big, pkey[TAG_PRIVVAL].size, NULL);
199 BIGNUM* bn_pub_key = BN_bin2bn((unsigned char*)pkey[TAG_PUBVAL].big, pkey[TAG_PUBVAL].size, NULL);
201 DSA_set0_pqg(dsa, bn_p, bn_q, bn_g);
202 DSA_set0_key(dsa, bn_pub_key, bn_priv_key);
204 ossl_pkey = EVP_PKEY_new();
206 // Convert DSA to EVP_PKEY
207 if (!EVP_PKEY_set1_DSA(ossl_pkey, dsa))
209 fprintf(stderr, "ERROR: Could not convert DSA key to EVP_PKEY.\n");
211 EVP_PKEY_free(ossl_pkey);
216 // Convert EVP_PKEY to PKCS#8
217 if (!(p8inf = EVP_PKEY2PKCS8(ossl_pkey)))
219 fprintf(stderr, "ERROR: Could not convert EVP_PKEY to PKCS#8.\n");
220 EVP_PKEY_free(ossl_pkey);
223 EVP_PKEY_free(ossl_pkey);
226 if (!(out = BIO_new_file (out_path, "wb")))
228 fprintf(stderr, "ERROR: Could not open the output file.\n");
229 PKCS8_PRIV_KEY_INFO_free(p8inf);
234 if (file_pin == NULL)
236 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
237 printf("The key has been written to %s\n", out_path);
242 if (!(p8 = PKCS8_encrypt(NID_pbeWithMD5AndDES_CBC, NULL,
243 file_pin, strlen(file_pin), NULL,
244 0, PKCS12_DEFAULT_ITER, p8inf)))
246 fprintf(stderr, "ERROR: Could not encrypt the PKCS#8 file\n");
251 PEM_write_bio_PKCS8(out, p8);
253 printf("The key has been written to %s\n", out_path);
257 PKCS8_PRIV_KEY_INFO_free(p8inf);