Attached
/*
p12sign.c - example of how to open a pkcs12 file, like *.pfx or
an oracle ewallet.p12 file, extract the private and
public keys and use them to digitally sign a message
*/
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/pkcs7.h>
#include <openssl/pkcs12.h>
//
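/*
 * Sign a message with the private key and certificate stored in a PKCS#12
 * file and write the result to stdout as an S/MIME message.
 *
 *   argv[1]  PKCS#12 file (*.pfx, ewallet.p12)
 *   argv[2]  password protecting the PKCS#12 file
 *   argv[3]  file holding the content to sign
 *
 * Returns 0 on success and 1 on a usage error or any failure.
 *
 * NOTE(review): the password is taken from argv[2], so it can be visible to
 * other local users in the process listing while the program runs. Prefer
 * reading it from a protected file or a prompt if this is used beyond a demo.
 */
int main( int argc, char** argv )
{
    BIO* in = NULL;
    BIO* out = NULL;
    X509* cert = NULL;
    EVP_PKEY* key = NULL;
    STACK_OF( X509 )* ca = NULL;
    PKCS7* p7 = NULL;
    PKCS12* p12 = NULL;
    FILE* fp = NULL;
    // pessimistic default: every early exit, including bad usage, reports failure
    int rc = 1;
    /*
     * For simple S/MIME signing use PKCS7_DETACHED. On OpenSSL 0.9.9 only:
     * for streaming detached set PKCS7_DETACHED|PKCS7_STREAM, for streaming
     * non-detached set PKCS7_STREAM.
     */
    int flags = PKCS7_DETACHED | PKCS7_STREAM;

    if ( argc != 4 )
    {
        fprintf( stderr, "Usage: p12sign file passwd message\n" );
        goto end;
    }

    // load defaults
    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    // open pfx/p12 file for reading
    fp = fopen( argv[ 1 ], "rb" );
    if ( ! fp )
    {
        // fopen() failures leave nothing on the OpenSSL error queue
        perror( argv[ 1 ] );
        goto err;
    }

    // read the PKCS12 structure; the FILE is closed whether or not decoding worked
    p12 = d2i_PKCS12_fp( fp, NULL );
    fclose( fp );
    fp = NULL;
    if ( ! p12 )
        goto err;

    // parse the PKCS12 buffer into private key, public cert and additional certs
    if ( ! PKCS12_parse( p12, argv[ 2 ], &key, &cert, &ca ) )
        goto err;

    // free the buffer, no longer needed
    PKCS12_free( p12 );
    p12 = NULL;

    // a container without a key or certificate must not reach PKCS7_sign(),
    // otherwise the output could be a "signed" message that carries no signature
    if ( ! key || ! cert )
    {
        fprintf( stderr, "No private key or certificate found in %s\n", argv[ 1 ] );
        goto err;
    }

    // open content being signed
    if ( ! ( in = BIO_new_file( argv[ 3 ], "r" ) ) )
        goto err;

    // sign content (the additional certs in `ca` are not added to the message)
    if ( ! ( p7 = PKCS7_sign( cert, key, NULL, in, flags ) ) )
        goto err;

    // write the results to stdout
    if ( ! ( out = BIO_new_fp( stdout, BIO_NOCLOSE ) ) )
        goto err;

    // without streaming the input was already consumed by PKCS7_sign(): rewind it.
    // File BIOs return 0 from BIO_reset() on success and -1 on failure.
    if ( ! ( flags & PKCS7_STREAM ) )
    {
        if ( BIO_reset( in ) < 0 )
            goto err;
    }

    // write out s/mime message
    if ( ! SMIME_write_PKCS7( out, p7, in, flags ) )
        goto err;

    rc = 0;
    goto end;

    // on errors
err:
    rc = 1;
    fprintf( stderr, "Error Signing Data\n" );
    ERR_print_errors_fp( stderr );

    // cleanup
end:
    if ( p7 )
        PKCS7_free( p7 );
    // still set only when PKCS12_parse() failed
    if ( p12 )
        PKCS12_free( p12 );
    // the stack returned by PKCS12_parse() owns its certificates
    if ( ca )
        sk_X509_pop_free( ca, X509_free );
    if ( cert )
        X509_free( cert );
    if ( key )
        EVP_PKEY_free( key );
    if ( in )
        BIO_free( in );
    if ( out )
        BIO_free( out );

    return rc;
}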
/*
* compile: gcc -o p12sign p12sign.c -lcrypto
* run: ./p12sign ewallet.p12 "`cat ewallet.pwd`" message.txt > message.signed
*
* verify: ./p12verify message.signed
* openssl smime -verify -noverify -in message.signed
*/
/*
p12verify.c - Example showing how to verify a signed document
from ./p12sign. This programmatically demonstrates
the same command as:
openssl smime -verify -noverify -in <signed.file>
*/
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/err.h>
//
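/*
 * Check the signature on an S/MIME message produced by p12sign and copy the
 * signed content to stdout.
 *
 *   argv[1]  signed S/MIME message
 *
 * Returns 0 when PKCS7_verify() accepts the message, 1 otherwise.
 *
 * NOTE(review): PKCS7_NOVERIFY disables validation of the signer's
 * certificate. A zero exit status therefore means only that the content
 * matches a signature made with the certificate embedded in the message; it
 * does not establish who the signer is, and anyone can produce a message that
 * passes. To authenticate the signer, load the trusted CA certificates into
 * the X509_STORE and drop PKCS7_NOVERIFY.
 */
int main( int argc, char **argv )
{
    BIO* in = NULL;
    BIO* out = NULL;
    BIO* dat = NULL;
    X509_STORE* sto = NULL;
    PKCS7* p7 = NULL;
    int rc = 1;

    if ( argc != 2 )
    {
        fprintf( stderr, "Usage: p12verify message\n" );
        goto end;
    }

    // load defaults
    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    // set up the trusted ca certificate store (left empty here)
    sto = X509_STORE_new();
    if ( ! sto )
        goto err;

    // open the signed message
    if ( ! ( in = BIO_new_file( argv[ 1 ], "r" ) ) )
        goto err;

    // parse the S/MIME message; for a detached signature the content comes back in dat
    if ( ! ( p7 = SMIME_read_PKCS7( in, &dat ) ) )
        goto err;

    // write the results to stdout
    if ( ! ( out = BIO_new_fp( stdout, BIO_NOCLOSE ) ) )
        goto err;

    // NOTE(review): content may already have been written to stdout by the
    // time a failure is reported, so consumers must check the exit status
    // before trusting anything read from stdout.
    if ( ! PKCS7_verify( p7, NULL, sto, dat, out, PKCS7_NOVERIFY ) )
    {
        fprintf( stderr, "Verification Failure\n" );
        goto err;
    }

    fprintf( stderr, "Verification Successful\n" );
    rc = 0;
    goto end;

    // on errors
err:
    rc = 1;
    fprintf( stderr, "Error Verifying Data\n" );
    ERR_print_errors_fp( stderr );

    // cleanup
end:
    if ( p7 )
        PKCS7_free( p7 );
    if ( sto )
        X509_STORE_free( sto );
    // content BIO allocated by SMIME_read_PKCS7()
    if ( dat )
        BIO_free( dat );
    if ( in )
        BIO_free( in );
    if ( out )
        BIO_free( out );

    return rc;
}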
/*
* compile: gcc -o p12verify p12verify.c -lcrypto
* run: ./p12verify message.signed
*
* sign: ./p12sign ewallet.p12 "`cat ewallet.pwd`" message.txt > message.signed
*/