WolfSSL
/
wolfssl-examples
mirror of https://github.com/wolfSSL/wolfssl-examples.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #379 from JacobBarthelmeh/PKCS7 

add example to generate smime
pull/427/head
Chris Conlon 2024-02-21 11:49:21 -07:00 committed by GitHub
parent e23490c0d6 e73bc9578d
commit 7afa73de2d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 544 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkcs7/Makefile
View File

@ -55,4 +55,5 @@ clean:
envelopedDataPWRI.der envelopedDataORI.der envelopedDataKEKRI.der \
authEnvelopedDataKARI.der authEnvelopedDataKTRI.der \
authEnvelopedDataORI.der authEnvelopedDataPWRI.der encryptedData.der \
authEnvelopedDataKEKRI.der compressedData.der
authEnvelopedDataKEKRI.der compressedData.der \
smime-created.p7s

20
pkcs7/README.md
View File

@ -685,6 +685,26 @@ Q31HIqX6H6JYdgtwHB1ZHaq+XS0lfLEGtsCqKKqTfNC9Q62RUBx7TfPk1w==
-----END CERTIFICATE-----
```
### Creating an SMIME bundle and verifying it
In these example cases the content will be overridden by the content found in the
SMIME bundle. The smime application creates both a detatched
(detatched-smime-created.p7s) and a non detatched bundle (smime-created.p7s).
Creating RSA signed bundles:
```
./smime ../certs/client-key.der ../certs/client-cert.der
./smime-verify smime-created.p7s ../certs/client-cert.der content.txt
```
Creating ECC signed bundles:
```
./smime ../certs/ecc-client-key.der ../certs/client-ecc-cert.der
./smime-verify detached-smime-created.p7s ../certs/client-ecc-cert.der content.txt
```
## Support
Please email wolfSSL support at support@wolfssl.com with any questions about

263
pkcs7/smime-verify.c 100644
View File

@ -0,0 +1,263 @@
/* smime-verify.c
*
* Copyright (C) 2006-2020 wolfSSL Inc.
*
* This file is part of wolfSSL. (formerly known as CyaSSL)
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/pkcs7.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
#ifdef HAVE_SMIME
static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn, int contentInSz, int detached)
{
WOLFSSL_PKCS7* pkcs7Compat = NULL;
WOLFSSL_BIO *in, *content = NULL;
WOLFSSL_BIO *multi = NULL;
WOLFSSL_X509* x509 = NULL;
WOLFSSL_X509_STORE* store = NULL;
int ret = 0;
in = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
if (in == NULL) {
ret = MEMORY_E;
}
if (ret == 0) {
wolfSSL_BIO_write(in, smime, smimeSz);
pkcs7Compat = (WOLFSSL_PKCS7*)wolfSSL_SMIME_read_PKCS7(in, &multi);
if (pkcs7Compat == NULL) {
printf("Error parsing SMIME\n");
ret = -1;
}
if (multi != NULL) {
byte* pt;
int ptSz, i;
printf("Multi part message, signed data is : ");
ptSz = wolfSSL_BIO_get_mem_data(multi, &pt);
for (i = 0; i < ptSz; i ++)
printf("%02X", pt[i]);
printf("\n");
}
}
if (ret == 0) {
const unsigned char* pt;
/* set devID */
pkcs7Compat->pkcs7.devId = INVALID_DEVID;
pt = ca;
x509 = wolfSSL_d2i_X509(NULL, &pt, caSz);
if (x509 == NULL) {
printf("Error decoding signer\n");
ret = -1;
}
}
if (ret == 0) {
store = wolfSSL_X509_STORE_new();
if (store == NULL) {
printf("Error creating cert store\n");
ret = MEMORY_E;
}
else {
wolfSSL_X509_STORE_add_cert(store, x509);
}
}
if (ret == 0 && contentIn != NULL) {
pkcs7Compat->pkcs7.content = contentIn;
pkcs7Compat->pkcs7.contentSz = contentInSz;
wc_PKCS7_SetDetached(&pkcs7Compat->pkcs7, 1);
}
if (ret == 0) {
content = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
ret = wolfSSL_PKCS7_verify((PKCS7*)pkcs7Compat, NULL, store, multi,
content, detached);
if (ret == WOLFSSL_SUCCESS) {
ret = 0;
}
else {
/* print out certificate that could not be verified */
int i;
byte* pt = pkcs7Compat->pkcs7.verifyCert;
printf("Could not verify certificate :");
for (i = 0; i < pkcs7Compat->pkcs7.verifyCertSz; i++) {
printf("%02X", pt[i]);
}
printf("\n");
ret = -1;
}
}
if (ret == 0 && content != NULL) {
byte* pt;
int ptSz, i;
printf("Content found on verify : ");
ptSz = wolfSSL_BIO_get_mem_data(content, &pt);
for (i = 0; i < ptSz; i ++)
printf("%c", pt[i]);
printf("\n");
}
wolfSSL_BIO_free(in);
wolfSSL_BIO_free(content);
wolfSSL_BIO_free(multi);
wolfSSL_PKCS7_free((PKCS7*)pkcs7Compat);
wolfSSL_X509_free(x509);
wolfSSL_X509_STORE_free(store);
return ret;
}
/* read private smime and signer certificate in DER format */
static int ReadSmimeAndCert(char* smimeFile, char* certFile, char* contentFile,
byte* smime,
int* smimeSz, byte* cert, int* certSz, byte* content, int* contentSz)
{
int ret;
XFILE f;
f = XFOPEN(smimeFile, "rb");
if (f == NULL) {
printf("Error opening file %s\n", smimeFile);
return -1;
}
else {
ret = XFREAD(smime, 1, *smimeSz, f);
if (ret >= 0) {
if (ret == *smimeSz) {
printf("smime read in was larger than buffer\n");
XFCLOSE(f);
return -1;
}
else {
*smimeSz = ret;
ret = 0;
XFCLOSE(f);
}
}
}
f = XFOPEN(certFile, "rb");
if (f == NULL) {
printf("Error opening file %s\n", certFile);
return -1;
}
else {
ret = XFREAD(cert, 1, *certSz, f);
if (ret >= 0) {
if (ret == *certSz) {
printf("Cert read in was larger than buffer\n");
XFCLOSE(f);
return -1;
}
else {
*certSz = ret;
ret = 0;
XFCLOSE(f);
}
}
}
f = XFOPEN(contentFile, "rb");
if (f == NULL) {
printf("Error opening file %s\n", contentFile);
return -1;
}
else {
ret = XFREAD(content, 1, *contentSz, f);
if (ret >= 0) {
if (ret == *contentSz) {
printf("Cert read in was larger than buffer\n");
XFCLOSE(f);
return -1;
}
else {
*contentSz = ret;
ret = 0;
XFCLOSE(f);
}
}
}
return ret;
}
int main(int argc, char** argv)
{
byte cert[4096];
int certSz = 4096;
byte smime[10000];
int smimeSz = 10000;
byte content[10000];
int contentSz = 10000;
int ret;
if (argc != 4) {
printf("Use ./smime-verify <smime file> <der cert file> <content file>\n");
return -1;
}
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif
if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
printf("Failure to initialize wolfSSL library\n");
return -1;
}
ret = ReadSmimeAndCert(argv[1], argv[2], argv[3], smime, &smimeSz, cert,
&certSz, content, &contentSz);
if (ret == 0) {
ret = Verify(smime, smimeSz, cert, certSz, content, contentSz, 0);
if (ret == 0) {
printf("Verify Success\n");
}
else {
printf("Verify Failed\n");
}
}
wolfSSL_Cleanup();
return ret;
}
#else
int main()
{
printf("wolfSSL was compiled with out HAVE_SMIME support\n");
return 0;
}
#endif

259
pkcs7/smime.c 100644
View File

@ -0,0 +1,259 @@
/* smime.c
*
* Copyright (C) 2006-2020 wolfSSL Inc.
*
* This file is part of wolfSSL. (formerly known as CyaSSL)
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/pkcs7.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
#ifdef HAVE_SMIME
/* Create an SMIME bundle, uses steps similar to PKCS7_sign() but this is
* with native PKCS7 API allowing for control over the devID set */
static int Create(byte* smime, int* smimeSz, byte* key, int keySz,
byte* signer, int signerSz, byte* content, int contentSz, int detatched)
{
WOLFSSL_BIO *out, *in;
WOLFSSL_PKCS7* pkcs7Compat;
PKCS7* pkcs7;
int ret = 0;
out = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
in = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
if (out == NULL || in == NULL) {
printf("Failed to create bio's\n");
return -1;
}
pkcs7Compat = (WOLFSSL_PKCS7*)wolfSSL_PKCS7_new();
if (pkcs7Compat == NULL) {
ret = MEMORY_E;
}
else {
pkcs7 = &(pkcs7Compat->pkcs7);
/* can change devID here and set signer */
ret = wc_PKCS7_Init(pkcs7, NULL, INVALID_DEVID);
}
if (ret == 0) {
ret = wc_PKCS7_InitWithCert(pkcs7, signer, signerSz);
}
if (ret == 0) {
/* set signer private key, data types, defaults */
pkcs7->privateKey = key;
pkcs7->privateKeySz = keySz;
pkcs7->contentOID = DATA; /* inner content default is DATA */
pkcs7->hashOID = SHA256h; /* default to SHA-256 hash type */
pkcs7->signedAttribs = NULL;
pkcs7->signedAttribsSz = 0;
#ifndef NO_AES
pkcs7->keyWrapOID = AES256_WRAP;
pkcs7->keyAgreeOID = dhSinglePass_stdDH_sha256kdf_scheme;
#endif
/* type of SMIME */
pkcs7Compat->type = SIGNED_DATA;
/* add additional chain certs if provided */
/* wc_PKCS7_AddCertificate(pkcs7, additionalCert, additionalCertSz); */
/* set detached flag */
if (detatched & PKCS7_DETACHED) {
ret = wc_PKCS7_SetDetached(pkcs7, 1);
}
/* setup content to sign */
if (ret == 0) {
if (wolfSSL_BIO_write(in, content, contentSz) != contentSz) {
ret = -1;
}
}
if (ret == 0) {
if (wolfSSL_SMIME_write_PKCS7(out, (PKCS7*)pkcs7Compat, in,
detatched) != WOLFSSL_SUCCESS) {
printf("SMIME write failed!\n");
ret = -1;
}
}
}
if (ret == 0) {
ret = wolfSSL_BIO_read(out, smime, *smimeSz);
if (ret > 0) {
if (ret == *smimeSz) {
printf("output smime buffer too small\n");
ret = -1;
}
else {
*smimeSz = ret;
ret = 0;
}
}
else {
ret = -1;
}
}
wolfSSL_BIO_free(in);
wolfSSL_BIO_free(out);
wolfSSL_PKCS7_free((PKCS7*)pkcs7Compat);
return ret;
}
/* read private key and signer certificate in DER format */
static int ReadKeyAndCert(char* keyFile, char* certFile, byte* key, int* keySz,
byte* cert, int* certSz)
{
int ret;
XFILE f;
f = XFOPEN(keyFile, "rb");
if (f == NULL) {
printf("Error opening file %s\n", keyFile);
return -1;
}
else {
ret = XFREAD(key, 1, *keySz, f);
if (ret >= 0) {
if (ret == *keySz) {
printf("Key read in is larger than buffer\n");
XFCLOSE(f);
return -1;
}
else {
*keySz = ret;
ret = 0;
XFCLOSE(f);
}
}
}
f = XFOPEN(certFile, "rb");
if (f == NULL) {
printf("Error opening file %s\n", certFile);
return -1;
}
else {
ret = XFREAD(cert, 1, *certSz, f);
if (ret >= 0) {
if (ret == *certSz) {
printf("Cert read in is larger than buffer\n");
XFCLOSE(f);
return -1;
}
else {
*certSz = ret;
ret = 0;
XFCLOSE(f);
}
}
}
return ret;
}
int main(int argc, char** argv)
{
byte key[2048];
int keySz = 2048;
byte cert[2048];
int certSz = 2048;
byte smime[4096];
int smimeSz = 4096;
byte content[] = "Test content to sign";
int contentSz = sizeof(content);
int ret;
int i;
if (argc != 3) {
printf("Use ./smime <der key file> <der cert file>\n");
return -1;
}
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif
if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
printf("Failure to initialize wolfSSL library\n");
return -1;
}
ret = ReadKeyAndCert(argv[1], argv[2], key, &keySz, cert, &certSz);
if (ret == 0)
ret = Create(smime, &smimeSz, key, keySz, cert, certSz,
content, contentSz, 0);
if (ret == 0) {
FILE* f;
printf("Generated SMIME : ");
for (i = 0; i < smimeSz; i++)
printf("%02X", smime[i]);
printf("\n");
printf("output to file ./smime-created.p7s\n");
f = fopen("./smime-created.p7s", "wb");
if (f != NULL) {
fwrite(smime, 1, smimeSz, f);
fclose(f);
}
}
/* create detached pkcs7 smime bundle */
printf("\n");
smimeSz = sizeof(smime);
memset(smime, 0, smimeSz);
if (ret == 0)
ret = Create(smime, &smimeSz, key, keySz, cert, certSz,
content, contentSz, PKCS7_DETACHED);
if (ret == 0) {
FILE* f;
printf("Generated SMIME : ");
for (i = 0; i < smimeSz; i++)
printf("%02X", smime[i]);
printf("\n");
printf("output to file ./detached-smime-created.p7s\n");
f = fopen("./detached-smime-created.p7s", "wb");
if (f != NULL) {
fwrite(smime, 1, smimeSz, f);
fclose(f);
}
}
wolfSSL_Cleanup();
return ret;
}
#else
int main()
{
printf("wolfSSL was compiled with out HAVE_SMIME support\n");
return 0;
}
#endif