SoftHSMv2/src/bin/keyconv/softhsm2-keyconv-ossl.cpp

   1 /*
   2  * Copyright (c) 2010 .SE (The Internet Infrastructure Foundation)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  * 1. Redistributions of source code must retain the above copyright
   9  *    notice, this list of conditions and the following disclaimer.
  10  * 2. Redistributions in binary form must reproduce the above copyright
  11  *    notice, this list of conditions and the following disclaimer in the
  12  *    documentation and/or other materials provided with the distribution.
  13  *
  14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  16  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  17  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  18  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
  20  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  21  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
  22  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  23  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
  24  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 /*****************************************************************************
  28  softhsm2-keyconv-ossl.cpp
  29
  30  Code specific for OpenSSL
  31  *****************************************************************************/
  32
  33 #include <config.h>
  34 #define KEYCONV_OSSL
  35 #include "softhsm2-keyconv.h"
  36 #include "OSSLComp.h"
  37
  38 #include <stdio.h>
  39 #include <stdlib.h>
  40 #include <string.h>
  41 #include <iostream>
  42 #include <fstream>
  43
  44 #include <openssl/pem.h>
  45 #include <openssl/evp.h>
  46 #include <openssl/err.h>
  47 #include <openssl/pkcs12.h>
  48 #include <openssl/dsa.h>
  49 #include <openssl/rsa.h>
  50
  51 // Init OpenSSL
  52 void crypto_init()
  53 {
  54         OpenSSL_add_all_algorithms();
  55 #ifdef WITH_FIPS
  56         if (!FIPS_mode_set(1))
  57         {
  58                 fprintf(stderr, "ERROR: can't enter into FIPS mode.\n");
  59                 exit(0);
  60         }
  61 #endif
  62 }
  63
  64 // Final OpenSSL
  65 void crypto_final()
  66 {
  67         EVP_cleanup();
  68         CRYPTO_cleanup_all_ex_data();
  69 }
  70
  71 // Save the RSA key as a PKCS#8 file
  72 int save_rsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey)
  73 {
  74         RSA* rsa = NULL;
  75         EVP_PKEY* ossl_pkey = NULL;
  76         PKCS8_PRIV_KEY_INFO* p8inf = NULL;
  77         BIO* out = NULL;
  78         X509_SIG* p8 = NULL;
  79         int result = 0;
  80
  81         // See if the key material was found.
  82         if
  83         (
  84                 pkey[TAG_MODULUS].size <= 0 ||
  85                 pkey[TAG_PUBEXP].size <= 0 ||
  86                 pkey[TAG_PRIVEXP].size <= 0 ||
  87                 pkey[TAG_PRIME1].size <= 0 ||
  88                 pkey[TAG_PRIME2].size <= 0 ||
  89                 pkey[TAG_EXP1].size <= 0 ||
  90                 pkey[TAG_EXP2].size <= 0 ||
  91                 pkey[TAG_COEFF].size <= 0
  92         )
  93         {
  94                 fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n");
  95                 return 1;
  96         }
  97
  98         rsa = RSA_new();
  99         BIGNUM* bn_p =    BN_bin2bn((unsigned char*)pkey[TAG_PRIME1].big,  pkey[TAG_PRIME1].size, NULL);
 100         BIGNUM* bn_q =    BN_bin2bn((unsigned char*)pkey[TAG_PRIME2].big,  pkey[TAG_PRIME2].size, NULL);
 101         BIGNUM* bn_d =    BN_bin2bn((unsigned char*)pkey[TAG_PRIVEXP].big, pkey[TAG_PRIVEXP].size, NULL);
 102         BIGNUM* bn_n =    BN_bin2bn((unsigned char*)pkey[TAG_MODULUS].big, pkey[TAG_MODULUS].size, NULL);
 103         BIGNUM* bn_e =    BN_bin2bn((unsigned char*)pkey[TAG_PUBEXP].big,  pkey[TAG_PUBEXP].size, NULL);
 104         BIGNUM* bn_dmp1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP1].big,    pkey[TAG_EXP1].size, NULL);
 105         BIGNUM* bn_dmq1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP2].big,    pkey[TAG_EXP2].size, NULL);
 106         BIGNUM* bn_iqmp = BN_bin2bn((unsigned char*)pkey[TAG_COEFF].big,   pkey[TAG_COEFF].size, NULL);
 107         RSA_set0_factors(rsa, bn_p, bn_q);
 108         RSA_set0_crt_params(rsa, bn_dmp1, bn_dmq1, bn_iqmp);
 109         RSA_set0_key(rsa, bn_n, bn_e, bn_d);
 110
 111         ossl_pkey = EVP_PKEY_new();
 112
 113         // Convert RSA to EVP_PKEY
 114         if (!EVP_PKEY_set1_RSA(ossl_pkey, rsa))
 115         {
 116                 fprintf(stderr, "ERROR: Could not convert RSA key to EVP_PKEY.\n");
 117                 RSA_free(rsa);
 118                 EVP_PKEY_free(ossl_pkey);
 119                 return 1;
 120         }
 121         RSA_free(rsa);
 122
 123         // Convert EVP_PKEY to PKCS#8
 124         if (!(p8inf = EVP_PKEY2PKCS8(ossl_pkey)))
 125         {
 126                 fprintf(stderr, "ERROR: Could not convert EVP_PKEY to PKCS#8.\n");
 127                 EVP_PKEY_free(ossl_pkey);
 128                 return 1;
 129         }
 130         EVP_PKEY_free(ossl_pkey);
 131
 132         // Open output file
 133         if (!(out = BIO_new_file (out_path, "wb")))
 134         {
 135                 fprintf(stderr, "ERROR: Could not open the output file.\n");
 136                 PKCS8_PRIV_KEY_INFO_free(p8inf);
 137                 return 1;
 138         }
 139
 140         // Write to disk
 141         if (file_pin == NULL)
 142         {
 143                 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
 144                 printf("The key has been written to %s\n", out_path);
 145         }
 146         else
 147         {
 148                 // Encrypt p8
 149                 if (!(p8 = PKCS8_encrypt(NID_pbeWithMD5AndDES_CBC, NULL,
 150                                         file_pin, strlen(file_pin), NULL,
 151                                         0, PKCS12_DEFAULT_ITER, p8inf)))
 152                 {
 153                         fprintf(stderr, "ERROR: Could not encrypt the PKCS#8 file\n");
 154                         result = 1;
 155                 }
 156                 else
 157                 {
 158                         PEM_write_bio_PKCS8(out, p8);
 159                         X509_SIG_free(p8);
 160                         printf("The key has been written to %s\n", out_path);
 161                 }
 162         }
 163
 164         PKCS8_PRIV_KEY_INFO_free(p8inf);
 165         BIO_free_all(out);
 166
 167         return result;
 168 }
 169
 170 // Save the DSA key as a PKCS#8 file
 171 int save_dsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey)
 172 {
 173         DSA* dsa = NULL;
 174         EVP_PKEY* ossl_pkey = NULL;
 175         PKCS8_PRIV_KEY_INFO* p8inf = NULL;
 176         BIO* out = NULL;
 177         X509_SIG* p8 = NULL;
 178         int result = 0;
 179
 180         // See if the key material was found.
 181         if
 182         (
 183                 pkey[TAG_PRIME].size <= 0 ||
 184                 pkey[TAG_SUBPRIME].size <= 0 ||
 185                 pkey[TAG_BASE].size <= 0 ||
 186                 pkey[TAG_PRIVVAL].size <= 0 ||
 187                 pkey[TAG_PUBVAL].size <= 0
 188         )
 189         {
 190                 fprintf(stderr, "ERROR: Some parts of the key material is missing in the input file.\n");
 191                 return 1;
 192         }
 193
 194         dsa = DSA_new();
 195         BIGNUM* bn_p =        BN_bin2bn((unsigned char*)pkey[TAG_PRIME].big,    pkey[TAG_PRIME].size, NULL);
 196         BIGNUM* bn_q =        BN_bin2bn((unsigned char*)pkey[TAG_SUBPRIME].big, pkey[TAG_SUBPRIME].size, NULL);
 197         BIGNUM* bn_g =        BN_bin2bn((unsigned char*)pkey[TAG_BASE].big,     pkey[TAG_BASE].size, NULL);
 198         BIGNUM* bn_priv_key = BN_bin2bn((unsigned char*)pkey[TAG_PRIVVAL].big,  pkey[TAG_PRIVVAL].size, NULL);
 199         BIGNUM* bn_pub_key =  BN_bin2bn((unsigned char*)pkey[TAG_PUBVAL].big,   pkey[TAG_PUBVAL].size, NULL);
 200
 201         DSA_set0_pqg(dsa, bn_p, bn_q, bn_g);
 202         DSA_set0_key(dsa, bn_pub_key, bn_priv_key);
 203
 204         ossl_pkey = EVP_PKEY_new();
 205
 206         // Convert DSA to EVP_PKEY
 207         if (!EVP_PKEY_set1_DSA(ossl_pkey, dsa))
 208         {
 209                 fprintf(stderr, "ERROR: Could not convert DSA key to EVP_PKEY.\n");
 210                 DSA_free(dsa);
 211                 EVP_PKEY_free(ossl_pkey);
 212                 return 1;
 213         }
 214         DSA_free(dsa);
 215
 216         // Convert EVP_PKEY to PKCS#8
 217         if (!(p8inf = EVP_PKEY2PKCS8(ossl_pkey)))
 218         {
 219                 fprintf(stderr, "ERROR: Could not convert EVP_PKEY to PKCS#8.\n");
 220                 EVP_PKEY_free(ossl_pkey);
 221                 return 1;
 222         }
 223         EVP_PKEY_free(ossl_pkey);
 224
 225         // Open output file
 226         if (!(out = BIO_new_file (out_path, "wb")))
 227         {
 228                 fprintf(stderr, "ERROR: Could not open the output file.\n");
 229                 PKCS8_PRIV_KEY_INFO_free(p8inf);
 230                 return 1;
 231         }
 232
 233         // Write to disk
 234         if (file_pin == NULL)
 235         {
 236                 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
 237                 printf("The key has been written to %s\n", out_path);
 238         }
 239         else
 240         {
 241                 // Encrypt p8
 242                 if (!(p8 = PKCS8_encrypt(NID_pbeWithMD5AndDES_CBC, NULL,
 243                                         file_pin, strlen(file_pin), NULL,
 244                                         0, PKCS12_DEFAULT_ITER, p8inf)))
 245                 {
 246                         fprintf(stderr, "ERROR: Could not encrypt the PKCS#8 file\n");
 247                         result = 1;
 248                 }
 249                 else
 250                 {
 251                         PEM_write_bio_PKCS8(out, p8);
 252                         X509_SIG_free(p8);
 253                         printf("The key has been written to %s\n", out_path);
 254                 }
 255         }
 256
 257         PKCS8_PRIV_KEY_INFO_free(p8inf);
 258         BIO_free_all(out);
 259
 260         return result;
 261 }