2 * Copyright (c) 2012, 2013 Samsung Electronics Co., Ltd.
4 * Licensed under the Flora License, Version 1.1 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://floralicense.org/license/
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 #include <openssl/evp.h>
19 #include <openssl/engine.h>
20 #include <openssl/pkcs12.h>
21 #include <openssl/pem.h>
23 #include "net_nfc_typedef_internal.h"
24 #include "net_nfc_debug_internal.h"
25 #include "net_nfc_util_internal.h"
26 #include "net_nfc_util_openssl_internal.h"
28 //static X509 *_load_certificate_from_file(const char *file)
33 // cert = BIO_new(BIO_s_file());
36 // if (BIO_read_filename(cert, file) > 0)
38 // x509 = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
47 static X509 *_load_certificate_from_mem(int format, uint8_t *buffer,
48 uint32_t length, char *password)
53 mem = BIO_new_mem_buf(buffer, length);
59 x509 = d2i_X509_bio(mem, NULL);
63 x509 = PEM_read_bio_X509(mem, NULL, NULL, NULL);
68 PKCS12 *p12 = d2i_PKCS12_bio(mem, NULL);
69 PKCS12_parse(p12, password, NULL, &x509, NULL);
79 NFC_ERR("X509_LOOKUP_load_file failed");
85 //int net_nfc_util_openssl_verify_certificate(const char* certfile, const char* CAfile)
88 // X509_STORE *cert_ctx = NULL;
89 // X509_LOOKUP *lookup = NULL;
91 // cert_ctx = X509_STORE_new();
92 // if (cert_ctx != NULL)
94 // OpenSSL_add_all_algorithms();
96 // lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
97 // if (lookup != NULL)
99 // if (X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM) == true)
101 // lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
102 // if (lookup != NULL)
104 // X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
106 // ret = _verify_certificate_file(cert_ctx, certfile);
110 // NFC_ERR("X509_STORE_add_lookup failed");
115 // NFC_ERR("X509_LOOKUP_load_file failed");
120 // NFC_ERR("X509_STORE_add_lookup failed");
123 // X509_STORE_free(cert_ctx);
127 // NFC_ERR("X509_STORE_new failed");
133 net_nfc_openssl_verify_context_s *net_nfc_util_openssl_init_verify_certificate(void)
135 net_nfc_openssl_verify_context_s *result = NULL;
137 _net_nfc_util_alloc_mem(result, sizeof(net_nfc_openssl_verify_context_s));
140 result->store = X509_STORE_new();
141 if (result->store != NULL)
142 OpenSSL_add_all_algorithms();
144 NFC_ERR("X509_STORE_new failed");
148 NFC_ERR("alloc failed [%d]", sizeof(net_nfc_openssl_verify_context_s));
154 void net_nfc_util_openssl_release_verify_certificate(
155 net_nfc_openssl_verify_context_s *context)
159 if (context->signer_cert != NULL)
160 X509_free(context->signer_cert);
162 if (context->store != NULL)
163 X509_STORE_free(context->store);
165 _net_nfc_util_free_mem(context);
169 bool net_nfc_util_openssl_add_certificate_of_signer(
170 net_nfc_openssl_verify_context_s *context, uint8_t *buffer, uint32_t length)
174 if (context->signer_cert != NULL)
176 X509_free(context->signer_cert);
177 context->signer_cert = NULL;
180 context->signer_cert = _load_certificate_from_mem(1, buffer, length, NULL);
181 if (context->signer_cert != NULL)
187 bool net_nfc_util_openssl_add_certificate_of_ca(
188 net_nfc_openssl_verify_context_s *context, uint8_t *buffer, uint32_t length)
193 x509 = _load_certificate_from_mem(1, buffer, length, NULL);
196 if (X509_STORE_add_cert(context->store, x509))
203 int net_nfc_util_openssl_verify_certificate(
204 net_nfc_openssl_verify_context_s *context)
207 X509_STORE_CTX *store_ctx = NULL;
209 store_ctx = X509_STORE_CTX_new();
210 if (store_ctx != NULL)
212 X509_STORE_set_flags(context->store, 0);
213 if (X509_STORE_CTX_init(store_ctx, context->store, context->signer_cert, 0) == true)
214 result = X509_verify_cert(store_ctx);
216 NFC_ERR("X509_STORE_CTX_init failed");
218 X509_STORE_CTX_free(store_ctx);
222 NFC_ERR("X509_STORE_CTX_new failed");
228 int _password_callback(char *buf, int bufsiz, int verify, void *data)
231 const char *password = (char *)data;
235 res = strlen(password);
238 memcpy(buf, password, res);
245 static int _load_pkcs12(BIO *in, const char *password, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
250 if ((p12 = d2i_PKCS12_bio(in, NULL)) != NULL)
252 if (PKCS12_verify_mac(p12, password, strlen(password)) == true)
253 ret = PKCS12_parse(p12, password, pkey, cert, ca);
255 NFC_ERR("Mac verify error (wrong password?) in PKCS12 file");
261 NFC_ERR("Error loading PKCS12 file");
267 EVP_PKEY *_load_key(const char *file, int format, const char *pass, ENGINE *e)
270 EVP_PKEY *pkey = NULL;
274 NFC_ERR("no keyfile specified\n");
278 if (OPENSSL_FORMAT_ENGINE == format)
282 pkey = ENGINE_load_private_key(e, file, NULL/*ui_method*/, (void *)pass);
284 NFC_ERR("cannot load key from engine");
288 NFC_ERR("no engine specified");
293 if ((key = BIO_new(BIO_s_file())) != NULL)
295 if (BIO_read_filename(key,file) > 0)
299 case OPENSSL_FORMAT_ASN1 :
300 pkey = d2i_PrivateKey_bio(key, NULL);
303 case OPENSSL_FORMAT_PEM :
304 pkey = PEM_read_bio_PrivateKey(key, NULL,
305 (pem_password_cb *)_password_callback, (void *)pass);
308 case OPENSSL_FORMAT_PKCS12 :
309 if (_load_pkcs12(key, pass, &pkey, NULL, NULL) == false)
310 NFC_ERR("_load_pkcs12 failed");
313 case OPENSSL_FORMAT_MSBLOB :
314 pkey = b2i_PrivateKey_bio(key);
317 case OPENSSL_FORMAT_PVK :
318 pkey = b2i_PVK_bio(key, (pem_password_cb *)_password_callback,
323 NFC_ERR("bad input format specified for key file");
329 NFC_ERR("Error opening %s", file);
336 NFC_ERR("BIO_new failed");
343 EVP_PKEY *_load_pubkey(const char *file, int format,
344 const char *pass, ENGINE *e, const char *key_descrip)
347 EVP_PKEY *pkey = NULL;
351 NFC_ERR("no keyfile specified");
355 if (OPENSSL_FORMAT_ENGINE == format)
358 pkey = ENGINE_load_public_key(e, file, NULL/*ui_method*/, (void *)pass);
360 NFC_ERR("no engine specified");
364 if ((key = BIO_new(BIO_s_file())) != NULL)
366 if (BIO_read_filename(key,file) <= 0)
370 case OPENSSL_FORMAT_ASN1 :
371 pkey = d2i_PUBKEY_bio(key, NULL);
374 case OPENSSL_FORMAT_ASN1RSA :
377 rsa = d2i_RSAPublicKey_bio(key, NULL);
380 pkey = EVP_PKEY_new();
382 EVP_PKEY_set1_RSA(pkey, rsa);
390 case OPENSSL_FORMAT_PEMRSA :
393 rsa = PEM_read_bio_RSAPublicKey(key, NULL,
394 (pem_password_cb *)_password_callback, (void *)pass);
397 pkey = EVP_PKEY_new();
399 EVP_PKEY_set1_RSA(pkey, rsa);
407 case OPENSSL_FORMAT_PEM :
408 pkey = PEM_read_bio_PUBKEY(key, NULL,
409 (pem_password_cb *)_password_callback, (void *)pass);
412 case OPENSSL_FORMAT_MSBLOB :
413 pkey = b2i_PublicKey_bio(key);
417 NFC_ERR("bad input format specified for key file");
423 NFC_ERR("Error opening %s %s", key_descrip, file);
430 NFC_ERR("BIO_new failed");
437 int net_nfc_util_openssl_sign_buffer(uint32_t type, uint8_t *buffer,
438 uint32_t length, char *key_file, char *password, uint8_t *sign, uint32_t *sign_len)
443 const EVP_MD *md = NULL;
445 OpenSSL_add_all_algorithms();
448 EVP_MD_CTX ctx = { 0, };
449 EVP_PKEY_CTX *pctx = NULL;
457 /* RSASSA-PSS, RSASSA-PKCS1-v1_5 */
461 md = EVP_get_digestbyname("sha1");
464 engine = ENGINE_get_default_RSA();
470 //md = EVP_get_digestbyname("sha1");
472 engine = ENGINE_get_default_DSA();
478 md = EVP_get_digestbyname("sha1");
481 engine = ENGINE_get_default_ECDSA();
490 pkey = _load_key(key_file, OPENSSL_FORMAT_PKCS12, password, NULL);
492 EVP_DigestSignInit(&ctx, &pctx, md, engine, pkey);
493 EVP_DigestSignUpdate(&ctx, buffer, length);
494 EVP_DigestSignFinal(&ctx, sign, sign_len);
499 int net_nfc_util_openssl_verify_signature(uint32_t type, uint8_t *buffer,
500 uint32_t length, uint8_t *cert, uint32_t cert_len, uint8_t *sign, uint32_t sign_len)
505 const EVP_MD *md = NULL;
507 OpenSSL_add_all_algorithms();
510 EVP_MD_CTX ctx = { 0, };
511 EVP_PKEY_CTX *pctx = NULL;
519 /* RSASSA-PSS, RSASSA-PKCS1-v1_5 */
523 md = EVP_get_digestbyname("sha1");
526 engine = ENGINE_get_default_RSA();
532 //md = EVP_get_digestbyname("sha1");
534 engine = ENGINE_get_default_DSA();
540 md = EVP_get_digestbyname("sha1");
543 engine = ENGINE_get_default_ECDSA();
552 X509 *x509 = _load_certificate_from_mem(0, cert, cert_len, NULL);
553 pkey = X509_PUBKEY_get(X509_get_X509_PUBKEY(x509));
556 EVP_DigestVerifyInit(&ctx, &pctx, md, engine, pkey);
557 EVP_DigestVerifyUpdate(&ctx, buffer, length);
558 result = EVP_DigestVerifyFinal(&ctx, sign, sign_len);
560 NFC_DBG("EVP_DigestVerifyFinal returns %d", result);
566 int net_nfc_util_get_cert_list_from_file(char *file_name, char *password, uint8_t **buffer, uint32_t *length, uint32_t *cert_count)
571 bio = BIO_new(BIO_s_file());
574 if (BIO_read_filename(bio, file_name) > 0)
576 STACK_OF(X509_INFO) *xis = NULL;
578 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, (pem_password_cb *)_password_callback, password)) != NULL)
582 uint32_t temp_len = 0;
583 uint8_t *temp_buf = NULL;
587 for (i = 0; i < sk_X509_INFO_num(xis); i++)
589 xi = sk_X509_INFO_value(xis, i);
594 if ((ret = i2d_X509(xi->x509, NULL)) > 0)
596 temp_len += (ret + 2);
601 NFC_DBG("count = %d, length = %d", sk_X509_INFO_num(xis), temp_len);
603 _net_nfc_util_alloc_mem(*buffer, temp_len);
605 for (i = 0; i < sk_X509_INFO_num(xis); i++)
607 xi = sk_X509_INFO_value(xis, i);
612 if ((temp_len = i2d_X509(xi->x509, &temp_buf)) > 0)
614 *(uint16_t *)(*buffer + offset) = temp_len;
615 offset += sizeof(uint16_t);
617 memcpy(*buffer + offset, temp_buf, temp_len);
627 sk_X509_INFO_pop_free(xis, X509_INFO_free);
631 NFC_ERR("PEM_X509_INFO_read_bio failed");
642 /* TODO : DER?? PEM?? */
643 int net_nfc_util_get_cert_list_from_file(char *file_name, char *password,
644 uint8_t **buffer, uint32_t *length, uint32_t *cert_count)
649 bio = BIO_new(BIO_s_file());
652 if (BIO_read_filename(bio, file_name) > 0)
654 EVP_PKEY *pkey = NULL;
656 STACK_OF(X509) *ca = NULL;
658 if (_load_pkcs12(bio, password, &pkey, &x509, &ca) != 0)
665 uint32_t temp_len = 0;
666 uint8_t *temp_buf = NULL;
668 if ((ret = i2d_X509(x509, NULL)) > 0)
670 temp_len += (ret + 2);
673 for (i = 0; i < sk_X509_num(ca); i++)
675 temp_x509 = sk_X509_value(ca, i);
678 if ((ret = i2d_X509(temp_x509, NULL)) > 0)
680 temp_len += (ret + 2);
685 NFC_DBG("count = %d, length = %d", sk_X509_num(ca) + 1, temp_len);
687 _net_nfc_util_alloc_mem(*buffer, temp_len);
689 if ((temp_len = i2d_X509(x509, &temp_buf)) > 0)
691 *(uint16_t *)(*buffer + offset) = temp_len;
692 offset += sizeof(uint16_t);
694 memcpy(*buffer + offset, temp_buf, temp_len);
700 for (i = 0; i < sk_X509_num(ca); i++)
702 temp_x509 = sk_X509_value(ca, i);
707 if ((temp_len = i2d_X509(temp_x509, &temp_buf)) > 0)
709 *(uint16_t *)(*buffer + offset) = temp_len;
710 offset += sizeof(uint16_t);
712 memcpy(*buffer + offset, temp_buf, temp_len);
722 sk_X509_pop_free(ca, X509_free);
726 NFC_ERR("PEM_X509_INFO_read_bio failed");
736 bool net_nfc_util_openssl_encode_base64(const uint8_t *buffer,
737 const uint32_t buf_len, char *result, uint32_t max_len, bool new_line_char)
743 RETV_IF(0 == buf_len, ret);
744 RETV_IF(NULL == buffer, ret);
746 b64 = BIO_new(BIO_f_base64());
747 bmem = BIO_new(BIO_s_mem());
749 if (false == new_line_char)
750 BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
752 b64 = BIO_push(b64, bmem);
754 BIO_write(b64, buffer, buf_len);
756 BIO_get_mem_ptr(b64, &bptr);
758 if (max_len >= bptr->length)
760 memcpy(result, bptr->data, bptr->length);
761 result[bptr->length] = 0;
766 NFC_ERR("not enough result buffer");
774 bool net_nfc_util_openssl_decode_base64(const char *buffer, uint8_t *result,
775 uint32_t *out_len, bool new_line_char)
779 unsigned int length = 0;
781 RETV_IF(NULL == buffer, ret);
782 RETV_IF((length = strlen(buffer)) == 0, ret);
784 _net_nfc_util_alloc_mem(temp, length);
789 b64 = BIO_new(BIO_f_base64());
790 bmem = BIO_new_mem_buf((void *)buffer, length);
791 if (false == new_line_char)
792 BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
793 bmem = BIO_push(b64, bmem);
795 length = BIO_read(bmem, temp, length);
799 if (*out_len > length)
802 memcpy(result, temp, *out_len);
807 NFC_ERR("not enough result buffer");
810 _net_nfc_util_free_mem(temp);
814 NFC_ERR("alloc failed");
820 bool net_nfc_util_openssl_digest(const char *algorithm, const uint8_t *buffer,
821 const uint32_t buf_len, uint8_t *result, uint32_t *out_len)
827 RETV_IF(0 == buf_len, ret);
828 RETV_IF(buffer == NULL, ret);
829 RETV_IF(algorithm == NULL, ret);
831 OpenSSL_add_all_digests();
833 if ((md = EVP_get_digestbyname(algorithm)) != NULL)
835 _net_nfc_util_alloc_mem(temp, EVP_MAX_MD_SIZE);
839 unsigned int resultLen = 0;
841 memset(temp, 0, EVP_MAX_MD_SIZE);
843 EVP_DigestInit(&mdCtx, md);
844 if (EVP_DigestUpdate(&mdCtx, buffer, buf_len) != 0)
845 NFC_ERR("EVP_DigestUpdate failed");
847 EVP_DigestFinal(&mdCtx, temp, &resultLen);
849 if (*out_len >= resultLen)
851 *out_len = resultLen;
852 memcpy(result, temp, *out_len);
857 NFC_ERR("not enough result buffer");
860 _net_nfc_util_free_mem(temp);
864 NFC_ERR("alloc failed");
869 NFC_ERR("EVP_get_digestbyname(\"%s\") returns NULL", algorithm);