1999-03-30 01:50:26 +08:00
|
|
|
/* pkcs12.c */
|
2015-01-22 11:29:12 +08:00
|
|
|
/*
|
|
|
|
|
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
2002-10-04 07:53:52 +08:00
|
|
|
* project.
|
1999-03-30 01:50:26 +08:00
|
|
|
*/
|
|
|
|
|
/* ====================================================================
|
2006-06-09 23:44:59 +08:00
|
|
|
* Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
|
1999-03-30 01:50:26 +08:00
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
*
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
2015-01-22 11:29:12 +08:00
|
|
|
* notice, this list of conditions and the following disclaimer.
|
1999-03-30 01:50:26 +08:00
|
|
|
*
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in
|
|
|
|
|
* the documentation and/or other materials provided with the
|
|
|
|
|
* distribution.
|
|
|
|
|
*
|
|
|
|
|
* 3. All advertising materials mentioning features or use of this
|
|
|
|
|
* software must display the following acknowledgment:
|
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
|
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
|
|
|
|
*
|
|
|
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
|
|
|
* endorse or promote products derived from this software without
|
|
|
|
|
* prior written permission. For written permission, please contact
|
|
|
|
|
* licensing@OpenSSL.org.
|
|
|
|
|
*
|
|
|
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
|
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
|
|
|
* permission of the OpenSSL Project.
|
|
|
|
|
*
|
|
|
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
|
|
|
* acknowledgment:
|
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
|
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
|
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
|
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
* ====================================================================
|
|
|
|
|
*
|
|
|
|
|
* This product includes cryptographic software written by Eric Young
|
|
|
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
|
|
|
* Hudson (tjh@cryptsoft.com).
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
2005-06-01 01:36:06 +08:00
|
|
|
#include <openssl/opensslconf.h>
|
|
|
|
|
#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
# include <stdio.h>
|
|
|
|
|
# include <stdlib.h>
|
|
|
|
|
# include <string.h>
|
|
|
|
|
# include "apps.h"
|
|
|
|
|
# include <openssl/crypto.h>
|
|
|
|
|
# include <openssl/err.h>
|
|
|
|
|
# include <openssl/pem.h>
|
|
|
|
|
# include <openssl/pkcs12.h>
|
1999-03-30 01:50:26 +08:00
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
# define PROG pkcs12_main
|
1999-03-30 01:50:26 +08:00
|
|
|
|
2001-03-09 10:51:02 +08:00
|
|
|
const EVP_CIPHER *enc;
|
1999-03-30 01:50:26 +08:00
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
# define NOKEYS 0x1
|
|
|
|
|
# define NOCERTS 0x2
|
|
|
|
|
# define INFO 0x4
|
|
|
|
|
# define CLCERTS 0x8
|
|
|
|
|
# define CACERTS 0x10
|
|
|
|
|
|
2016-01-01 13:51:12 +08:00
|
|
|
static int get_cert_chain(X509 *cert, X509_STORE *store,
|
|
|
|
|
STACK_OF(X509) **chain);
|
2015-01-22 11:29:12 +08:00
|
|
|
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
|
|
|
|
|
int options, char *pempass);
|
|
|
|
|
int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
|
|
|
|
|
char *pass, int passlen, int options,
|
|
|
|
|
char *pempass);
|
|
|
|
|
int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
|
|
|
|
|
int passlen, int options, char *pempass);
|
|
|
|
|
int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
|
|
|
|
|
const char *name);
|
1999-03-30 01:50:26 +08:00
|
|
|
void hex_prin(BIO *out, unsigned char *buf, int len);
|
|
|
|
|
int alg_print(BIO *x, X509_ALGOR *alg);
|
1999-06-05 06:23:10 +08:00
|
|
|
int cert_load(BIO *in, STACK_OF(X509) *sk);
|
2006-05-15 21:23:15 +08:00
|
|
|
static int set_pbe(BIO *err, int *ppbe, const char *str);
|
2000-02-11 17:47:18 +08:00
|
|
|
|
|
|
|
|
int MAIN(int, char **);
|
|
|
|
|
|
1999-04-20 05:31:43 +08:00
|
|
|
int MAIN(int argc, char **argv)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2000-10-27 05:07:28 +08:00
|
|
|
ENGINE *e = NULL;
|
2015-01-22 11:29:12 +08:00
|
|
|
char *infile = NULL, *outfile = NULL, *keyname = NULL;
|
|
|
|
|
char *certfile = NULL;
|
|
|
|
|
BIO *in = NULL, *out = NULL;
|
1999-03-30 01:50:26 +08:00
|
|
|
char **args;
|
|
|
|
|
char *name = NULL;
|
2001-06-11 08:43:20 +08:00
|
|
|
char *csp_name = NULL;
|
2008-06-27 07:27:31 +08:00
|
|
|
int add_lmk = 0;
|
1999-03-30 01:50:26 +08:00
|
|
|
PKCS12 *p12 = NULL;
|
|
|
|
|
char pass[50], macpass[50];
|
|
|
|
|
int export_cert = 0;
|
|
|
|
|
int options = 0;
|
|
|
|
|
int chain = 0;
|
|
|
|
|
int badarg = 0;
|
1999-05-19 20:45:16 +08:00
|
|
|
int iter = PKCS12_DEFAULT_ITER;
|
2000-01-08 11:16:04 +08:00
|
|
|
int maciter = PKCS12_DEFAULT_ITER;
|
1999-03-30 01:50:26 +08:00
|
|
|
int twopass = 0;
|
|
|
|
|
int keytype = 0;
|
2013-05-31 04:39:50 +08:00
|
|
|
int cert_pbe;
|
1999-12-23 10:02:42 +08:00
|
|
|
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
|
1999-03-30 01:50:26 +08:00
|
|
|
int ret = 1;
|
|
|
|
|
int macver = 1;
|
1999-05-08 20:59:50 +08:00
|
|
|
int noprompt = 0;
|
2009-07-28 05:08:53 +08:00
|
|
|
STACK_OF(OPENSSL_STRING) *canames = NULL;
|
1999-05-08 20:59:50 +08:00
|
|
|
char *cpass = NULL, *mpass = NULL;
|
2000-02-17 07:16:01 +08:00
|
|
|
char *passargin = NULL, *passargout = NULL, *passarg = NULL;
|
2000-02-08 09:34:59 +08:00
|
|
|
char *passin = NULL, *passout = NULL;
|
2000-06-29 00:47:45 +08:00
|
|
|
char *inrand = NULL;
|
2006-05-18 02:46:22 +08:00
|
|
|
char *macalg = NULL;
|
2000-08-12 03:43:20 +08:00
|
|
|
char *CApath = NULL, *CAfile = NULL;
|
2015-01-22 11:29:12 +08:00
|
|
|
char *engine = NULL;
|
1999-03-30 01:50:26 +08:00
|
|
|
|
|
|
|
|
apps_startup();
|
|
|
|
|
|
|
|
|
|
enc = EVP_des_ede3_cbc();
|
2015-01-22 11:29:12 +08:00
|
|
|
if (bio_err == NULL)
|
|
|
|
|
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
|
1999-03-30 01:50:26 +08:00
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (!load_config(bio_err, NULL))
|
|
|
|
|
goto end;
|
2002-02-22 22:01:21 +08:00
|
|
|
|
2015-09-12 07:44:07 +08:00
|
|
|
# ifdef OPENSSL_FIPS
|
|
|
|
|
if (FIPS_mode())
|
|
|
|
|
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
|
|
|
|
|
else
|
|
|
|
|
# endif
|
|
|
|
|
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
|
|
|
|
|
|
1999-03-30 01:50:26 +08:00
|
|
|
args = argv + 1;
|
|
|
|
|
|
|
|
|
|
while (*args) {
|
2015-01-22 11:29:12 +08:00
|
|
|
if (*args[0] == '-') {
|
|
|
|
|
if (!strcmp(*args, "-nokeys"))
|
|
|
|
|
options |= NOKEYS;
|
|
|
|
|
else if (!strcmp(*args, "-keyex"))
|
|
|
|
|
keytype = KEY_EX;
|
|
|
|
|
else if (!strcmp(*args, "-keysig"))
|
|
|
|
|
keytype = KEY_SIG;
|
|
|
|
|
else if (!strcmp(*args, "-nocerts"))
|
|
|
|
|
options |= NOCERTS;
|
|
|
|
|
else if (!strcmp(*args, "-clcerts"))
|
|
|
|
|
options |= CLCERTS;
|
|
|
|
|
else if (!strcmp(*args, "-cacerts"))
|
|
|
|
|
options |= CACERTS;
|
|
|
|
|
else if (!strcmp(*args, "-noout"))
|
|
|
|
|
options |= (NOKEYS | NOCERTS);
|
|
|
|
|
else if (!strcmp(*args, "-info"))
|
|
|
|
|
options |= INFO;
|
|
|
|
|
else if (!strcmp(*args, "-chain"))
|
|
|
|
|
chain = 1;
|
|
|
|
|
else if (!strcmp(*args, "-twopass"))
|
|
|
|
|
twopass = 1;
|
|
|
|
|
else if (!strcmp(*args, "-nomacver"))
|
|
|
|
|
macver = 0;
|
|
|
|
|
else if (!strcmp(*args, "-descert"))
|
|
|
|
|
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
|
|
|
|
|
else if (!strcmp(*args, "-export"))
|
|
|
|
|
export_cert = 1;
|
|
|
|
|
else if (!strcmp(*args, "-des"))
|
|
|
|
|
enc = EVP_des_cbc();
|
|
|
|
|
else if (!strcmp(*args, "-des3"))
|
|
|
|
|
enc = EVP_des_ede3_cbc();
|
|
|
|
|
# ifndef OPENSSL_NO_IDEA
|
|
|
|
|
else if (!strcmp(*args, "-idea"))
|
|
|
|
|
enc = EVP_idea_cbc();
|
|
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_SEED
|
|
|
|
|
else if (!strcmp(*args, "-seed"))
|
|
|
|
|
enc = EVP_seed_cbc();
|
|
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_AES
|
|
|
|
|
else if (!strcmp(*args, "-aes128"))
|
|
|
|
|
enc = EVP_aes_128_cbc();
|
|
|
|
|
else if (!strcmp(*args, "-aes192"))
|
|
|
|
|
enc = EVP_aes_192_cbc();
|
|
|
|
|
else if (!strcmp(*args, "-aes256"))
|
|
|
|
|
enc = EVP_aes_256_cbc();
|
|
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_CAMELLIA
|
|
|
|
|
else if (!strcmp(*args, "-camellia128"))
|
|
|
|
|
enc = EVP_camellia_128_cbc();
|
|
|
|
|
else if (!strcmp(*args, "-camellia192"))
|
|
|
|
|
enc = EVP_camellia_192_cbc();
|
|
|
|
|
else if (!strcmp(*args, "-camellia256"))
|
|
|
|
|
enc = EVP_camellia_256_cbc();
|
|
|
|
|
# endif
|
|
|
|
|
else if (!strcmp(*args, "-noiter"))
|
|
|
|
|
iter = 1;
|
|
|
|
|
else if (!strcmp(*args, "-maciter"))
|
|
|
|
|
maciter = PKCS12_DEFAULT_ITER;
|
|
|
|
|
else if (!strcmp(*args, "-nomaciter"))
|
|
|
|
|
maciter = 1;
|
|
|
|
|
else if (!strcmp(*args, "-nomac"))
|
|
|
|
|
maciter = -1;
|
|
|
|
|
else if (!strcmp(*args, "-macalg"))
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
macalg = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
else if (!strcmp(*args, "-nodes"))
|
|
|
|
|
enc = NULL;
|
|
|
|
|
else if (!strcmp(*args, "-certpbe")) {
|
|
|
|
|
if (!set_pbe(bio_err, &cert_pbe, *++args))
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-keypbe")) {
|
|
|
|
|
if (!set_pbe(bio_err, &key_pbe, *++args))
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-rand")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
inrand = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-inkey")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
keyname = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-certfile")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
certfile = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-name")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
name = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-LMK"))
|
|
|
|
|
add_lmk = 1;
|
|
|
|
|
else if (!strcmp(*args, "-CSP")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
csp_name = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-caname")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
if (!canames)
|
|
|
|
|
canames = sk_OPENSSL_STRING_new_null();
|
|
|
|
|
sk_OPENSSL_STRING_push(canames, *args);
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-in")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
infile = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-out")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
outfile = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-passin")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
passargin = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-passout")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
passargout = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-password")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
passarg = *args;
|
|
|
|
|
noprompt = 1;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-CApath")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
CApath = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
} else if (!strcmp(*args, "-CAfile")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
CAfile = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
} else if (!strcmp(*args, "-engine")) {
|
|
|
|
|
if (args[1]) {
|
|
|
|
|
args++;
|
|
|
|
|
engine = *args;
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
# endif
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
|
|
|
|
|
} else
|
|
|
|
|
badarg = 1;
|
|
|
|
|
args++;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (badarg) {
|
2015-01-22 11:29:12 +08:00
|
|
|
BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
|
|
|
|
|
BIO_printf(bio_err, "where options are\n");
|
|
|
|
|
BIO_printf(bio_err, "-export output PKCS12 file\n");
|
|
|
|
|
BIO_printf(bio_err, "-chain add certificate chain\n");
|
|
|
|
|
BIO_printf(bio_err, "-inkey file private key if not infile\n");
|
|
|
|
|
BIO_printf(bio_err, "-certfile f add all certs in f\n");
|
|
|
|
|
BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n");
|
|
|
|
|
BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n");
|
|
|
|
|
BIO_printf(bio_err, "-name \"name\" use name as friendly name\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
|
|
|
|
|
BIO_printf(bio_err, "-in infile input filename\n");
|
|
|
|
|
BIO_printf(bio_err, "-out outfile output filename\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-noout don't output anything, just verify.\n");
|
|
|
|
|
BIO_printf(bio_err, "-nomacver don't verify MAC.\n");
|
|
|
|
|
BIO_printf(bio_err, "-nocerts don't output certificates.\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-clcerts only output client certificates.\n");
|
|
|
|
|
BIO_printf(bio_err, "-cacerts only output CA certificates.\n");
|
|
|
|
|
BIO_printf(bio_err, "-nokeys don't output private keys.\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-info give info about PKCS#12 structure.\n");
|
|
|
|
|
BIO_printf(bio_err, "-des encrypt private keys with DES\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-des3 encrypt private keys with triple DES (default)\n");
|
|
|
|
|
# ifndef OPENSSL_NO_IDEA
|
|
|
|
|
BIO_printf(bio_err, "-idea encrypt private keys with idea\n");
|
|
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_SEED
|
|
|
|
|
BIO_printf(bio_err, "-seed encrypt private keys with seed\n");
|
|
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_AES
|
|
|
|
|
BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
" encrypt PEM output with cbc aes\n");
|
|
|
|
|
# endif
|
|
|
|
|
# ifndef OPENSSL_NO_CAMELLIA
|
|
|
|
|
BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
" encrypt PEM output with cbc camellia\n");
|
|
|
|
|
# endif
|
|
|
|
|
BIO_printf(bio_err, "-nodes don't encrypt private keys\n");
|
|
|
|
|
BIO_printf(bio_err, "-noiter don't use encryption iteration\n");
|
|
|
|
|
BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n");
|
|
|
|
|
BIO_printf(bio_err, "-maciter use MAC iteration\n");
|
|
|
|
|
BIO_printf(bio_err, "-nomac don't generate MAC\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-twopass separate MAC, encryption passwords\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-keypbe alg specify private key PBE algorithm (default 3DES)\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-macalg alg digest algorithm used in MAC (default SHA1)\n");
|
|
|
|
|
BIO_printf(bio_err, "-keyex set MS key exchange type\n");
|
|
|
|
|
BIO_printf(bio_err, "-keysig set MS key signature type\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-password p set import/export password source\n");
|
|
|
|
|
BIO_printf(bio_err, "-passin p input file pass phrase source\n");
|
|
|
|
|
BIO_printf(bio_err, "-passout p output file pass phrase source\n");
|
|
|
|
|
# ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-engine e use engine e, possibly a hardware device.\n");
|
|
|
|
|
# endif
|
|
|
|
|
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
|
|
|
|
|
LIST_SEPARATOR_CHAR);
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
" load the file (or the files in the directory) into\n");
|
|
|
|
|
BIO_printf(bio_err, " the random number generator\n");
|
|
|
|
|
BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"-LMK Add local machine keyset attribute to private key\n");
|
|
|
|
|
goto end;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
2001-06-18 14:22:33 +08:00
|
|
|
e = setup_engine(bio_err, engine, 0);
|
2000-10-27 05:07:28 +08:00
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (passarg) {
|
|
|
|
|
if (export_cert)
|
|
|
|
|
passargout = passarg;
|
|
|
|
|
else
|
|
|
|
|
passargin = passarg;
|
2000-02-17 07:16:01 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
|
|
|
|
|
BIO_printf(bio_err, "Error getting passwords\n");
|
|
|
|
|
goto end;
|
2000-02-17 07:16:01 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (!cpass) {
|
|
|
|
|
if (export_cert)
|
|
|
|
|
cpass = passout;
|
|
|
|
|
else
|
|
|
|
|
cpass = passin;
|
2000-02-08 09:34:59 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (cpass) {
|
|
|
|
|
mpass = cpass;
|
|
|
|
|
noprompt = 1;
|
2000-02-08 09:34:59 +08:00
|
|
|
} else {
|
2015-01-22 11:29:12 +08:00
|
|
|
cpass = pass;
|
|
|
|
|
mpass = macpass;
|
1999-05-08 20:59:50 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (export_cert || inrand) {
|
|
|
|
|
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
|
2000-02-12 11:03:04 +08:00
|
|
|
if (inrand != NULL)
|
2015-01-22 11:29:12 +08:00
|
|
|
BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
|
|
|
|
|
app_RAND_load_files(inrand));
|
2000-02-12 11:03:04 +08:00
|
|
|
}
|
1999-03-30 01:50:26 +08:00
|
|
|
ERR_load_crypto_strings();
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_push_info("read files");
|
2015-01-22 11:29:12 +08:00
|
|
|
# endif
|
2000-01-14 05:10:43 +08:00
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (!infile)
|
|
|
|
|
in = BIO_new_fp(stdin, BIO_NOCLOSE);
|
|
|
|
|
else
|
|
|
|
|
in = BIO_new_file(infile, "rb");
|
1999-07-30 05:50:34 +08:00
|
|
|
if (!in) {
|
2015-01-22 11:29:12 +08:00
|
|
|
BIO_printf(bio_err, "Error opening input file %s\n",
|
|
|
|
|
infile ? infile : "<stdin>");
|
|
|
|
|
perror(infile);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("write files");
|
2015-01-22 11:29:12 +08:00
|
|
|
# endif
|
2000-01-14 05:10:43 +08:00
|
|
|
|
On VMS, stdout may very well lead to a file that is written to in a
record-oriented fashion. That means that every write() will write a
separate record, which will be read separately by the programs trying
to read from it. This can be very confusing.
The solution is to put a BIO filter in the way that will buffer text
until a linefeed is reached, and then write everything a line at a
time, so every record written will be an actual line, not chunks of
lines and not (usually doesn't happen, but I've seen it once) several
lines in one record. Voila, BIO_f_linebuffer() is born.
Since we're so close to release time, I'm making this VMS-only for
now, just to make sure no code is needlessly broken by this. After
the release, this BIO method will be enabled on all other platforms as
well.
2000-09-20 21:55:50 +08:00
|
|
|
if (!outfile) {
|
2015-01-22 11:29:12 +08:00
|
|
|
out = BIO_new_fp(stdout, BIO_NOCLOSE);
|
|
|
|
|
# ifdef OPENSSL_SYS_VMS
|
|
|
|
|
{
|
|
|
|
|
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
|
|
|
|
|
out = BIO_push(tmpbio, out);
|
|
|
|
|
}
|
|
|
|
|
# endif
|
|
|
|
|
} else
|
|
|
|
|
out = BIO_new_file(outfile, "wb");
|
1999-07-30 05:50:34 +08:00
|
|
|
if (!out) {
|
2015-01-22 11:29:12 +08:00
|
|
|
BIO_printf(bio_err, "Error opening output file %s\n",
|
|
|
|
|
outfile ? outfile : "<stdout>");
|
|
|
|
|
perror(outfile);
|
|
|
|
|
goto end;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
if (twopass) {
|
2015-01-22 11:29:12 +08:00
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_push_info("read MAC password");
|
|
|
|
|
# endif
|
|
|
|
|
if (EVP_read_pw_string
|
2017-12-09 04:08:43 +08:00
|
|
|
(macpass, sizeof(macpass), "Enter MAC Password:", export_cert)) {
|
2015-01-22 11:29:12 +08:00
|
|
|
BIO_printf(bio_err, "Can't read Password\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
# endif
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
1999-10-05 20:57:50 +08:00
|
|
|
if (export_cert) {
|
2015-01-22 11:29:12 +08:00
|
|
|
EVP_PKEY *key = NULL;
|
|
|
|
|
X509 *ucert = NULL, *x = NULL;
|
|
|
|
|
STACK_OF(X509) *certs = NULL;
|
|
|
|
|
const EVP_MD *macmd = NULL;
|
|
|
|
|
unsigned char *catmp = NULL;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
|
|
|
|
|
BIO_printf(bio_err, "Nothing to do!\n");
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (options & NOCERTS)
|
|
|
|
|
chain = 0;
|
|
|
|
|
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_push_info("process -export_cert");
|
|
|
|
|
CRYPTO_push_info("reading private key");
|
|
|
|
|
# endif
|
|
|
|
|
if (!(options & NOKEYS)) {
|
|
|
|
|
key = load_key(bio_err, keyname ? keyname : infile,
|
|
|
|
|
FORMAT_PEM, 1, passin, e, "private key");
|
|
|
|
|
if (!key)
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("reading certs from input");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
/* Load in all certs in input file */
|
|
|
|
|
if (!(options & NOCERTS)) {
|
|
|
|
|
certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
|
|
|
|
|
"certificates");
|
|
|
|
|
if (!certs)
|
|
|
|
|
goto export_end;
|
|
|
|
|
|
|
|
|
|
if (key) {
|
|
|
|
|
/* Look for matching private key */
|
|
|
|
|
for (i = 0; i < sk_X509_num(certs); i++) {
|
|
|
|
|
x = sk_X509_value(certs, i);
|
|
|
|
|
if (X509_check_private_key(x, key)) {
|
|
|
|
|
ucert = x;
|
|
|
|
|
/* Zero keyid and alias */
|
|
|
|
|
X509_keyid_set1(ucert, NULL, 0);
|
|
|
|
|
X509_alias_set1(ucert, NULL, 0);
|
|
|
|
|
/* Remove from list */
|
|
|
|
|
(void)sk_X509_delete(certs, i);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!ucert) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"No certificate matches private key\n");
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("reading certs from input 2");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
/* Add any more certificates asked for */
|
|
|
|
|
if (certfile) {
|
|
|
|
|
STACK_OF(X509) *morecerts = NULL;
|
|
|
|
|
if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
|
|
|
|
|
NULL, e,
|
|
|
|
|
"certificates from certfile")))
|
|
|
|
|
goto export_end;
|
|
|
|
|
while (sk_X509_num(morecerts) > 0)
|
|
|
|
|
sk_X509_push(certs, sk_X509_shift(morecerts));
|
|
|
|
|
sk_X509_free(morecerts);
|
|
|
|
|
}
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("reading certs from certfile");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("building chain");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
/* If chaining get chain from user cert */
|
|
|
|
|
if (chain) {
|
|
|
|
|
int vret;
|
|
|
|
|
STACK_OF(X509) *chain2;
|
|
|
|
|
X509_STORE *store = X509_STORE_new();
|
|
|
|
|
if (!store) {
|
|
|
|
|
BIO_printf(bio_err, "Memory allocation error\n");
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
if (!X509_STORE_load_locations(store, CAfile, CApath))
|
|
|
|
|
X509_STORE_set_default_paths(store);
|
|
|
|
|
|
|
|
|
|
vret = get_cert_chain(ucert, store, &chain2);
|
|
|
|
|
X509_STORE_free(store);
|
|
|
|
|
|
2016-01-01 13:51:12 +08:00
|
|
|
if (vret == X509_V_OK) {
|
2015-01-22 11:29:12 +08:00
|
|
|
/* Exclude verified certificate */
|
|
|
|
|
for (i = 1; i < sk_X509_num(chain2); i++)
|
|
|
|
|
sk_X509_push(certs, sk_X509_value(chain2, i));
|
|
|
|
|
/* Free first certificate */
|
|
|
|
|
X509_free(sk_X509_value(chain2, 0));
|
|
|
|
|
sk_X509_free(chain2);
|
|
|
|
|
} else {
|
2016-01-01 13:51:12 +08:00
|
|
|
if (vret != X509_V_ERR_UNSPECIFIED)
|
2015-01-22 11:29:12 +08:00
|
|
|
BIO_printf(bio_err, "Error %s getting chain.\n",
|
|
|
|
|
X509_verify_cert_error_string(vret));
|
|
|
|
|
else
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Add any CA names */
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) {
|
|
|
|
|
catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i);
|
|
|
|
|
X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (csp_name && key)
|
|
|
|
|
EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
|
|
|
|
|
MBSTRING_ASC, (unsigned char *)csp_name,
|
|
|
|
|
-1);
|
|
|
|
|
|
|
|
|
|
if (add_lmk && key)
|
|
|
|
|
EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
|
|
|
|
|
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("reading password");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
if (!noprompt &&
|
2017-12-09 04:08:43 +08:00
|
|
|
EVP_read_pw_string(pass, sizeof(pass), "Enter Export Password:",
|
2015-01-22 11:29:12 +08:00
|
|
|
1)) {
|
|
|
|
|
BIO_printf(bio_err, "Can't read Password\n");
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
if (!twopass)
|
2017-12-09 04:08:43 +08:00
|
|
|
BUF_strlcpy(macpass, pass, sizeof(macpass));
|
2015-01-22 11:29:12 +08:00
|
|
|
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("creating PKCS#12 structure");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
p12 = PKCS12_create(cpass, name, key, ucert, certs,
|
|
|
|
|
key_pbe, cert_pbe, iter, -1, keytype);
|
|
|
|
|
|
|
|
|
|
if (!p12) {
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto export_end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (macalg) {
|
|
|
|
|
macmd = EVP_get_digestbyname(macalg);
|
|
|
|
|
if (!macmd) {
|
|
|
|
|
BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maciter != -1)
|
|
|
|
|
PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
|
|
|
|
|
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("writing pkcs12");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
i2d_PKCS12_bio(out, p12);
|
|
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
|
|
export_end:
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
CRYPTO_push_info("process -export_cert: freeing");
|
|
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
if (key)
|
|
|
|
|
EVP_PKEY_free(key);
|
|
|
|
|
if (certs)
|
|
|
|
|
sk_X509_pop_free(certs, X509_free);
|
|
|
|
|
if (ucert)
|
|
|
|
|
X509_free(ucert);
|
|
|
|
|
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
# endif
|
|
|
|
|
goto end;
|
2000-08-12 05:41:08 +08:00
|
|
|
|
1999-05-16 20:01:49 +08:00
|
|
|
}
|
1999-03-30 01:50:26 +08:00
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
if (!(p12 = d2i_PKCS12_bio(in, NULL))) {
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
2015-01-22 11:29:12 +08:00
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_push_info("read import password");
|
2015-01-22 11:29:12 +08:00
|
|
|
# endif
|
|
|
|
|
if (!noprompt
|
2017-12-09 04:08:43 +08:00
|
|
|
&& EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:",
|
2015-01-22 11:29:12 +08:00
|
|
|
0)) {
|
|
|
|
|
BIO_printf(bio_err, "Can't read Password\n");
|
|
|
|
|
goto end;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
2015-01-22 11:29:12 +08:00
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_pop_info();
|
2015-01-22 11:29:12 +08:00
|
|
|
# endif
|
|
|
|
|
|
|
|
|
|
if (!twopass)
|
2017-12-09 04:08:43 +08:00
|
|
|
BUF_strlcpy(macpass, pass, sizeof(macpass));
|
2015-01-22 11:29:12 +08:00
|
|
|
|
|
|
|
|
if ((options & INFO) && p12->mac)
|
|
|
|
|
BIO_printf(bio_err, "MAC Iteration %ld\n",
|
|
|
|
|
p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
|
|
|
|
|
if (macver) {
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_push_info("verify MAC");
|
|
|
|
|
# endif
|
|
|
|
|
/* If we enter empty password try no password first */
|
|
|
|
|
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
|
|
|
|
|
/* If mac and crypto pass the same set it to NULL too */
|
|
|
|
|
if (!twopass)
|
|
|
|
|
cpass = NULL;
|
|
|
|
|
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
|
|
|
|
|
BIO_printf(bio_err, "Mac verify error: invalid password?\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio_err, "MAC verified OK\n");
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
# endif
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
2015-01-22 11:29:12 +08:00
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_push_info("output keys and certificates");
|
2015-01-22 11:29:12 +08:00
|
|
|
# endif
|
|
|
|
|
if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) {
|
|
|
|
|
BIO_printf(bio_err, "Error outputting keys and certificates\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
2015-01-22 11:29:12 +08:00
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_pop_info();
|
2015-01-22 11:29:12 +08:00
|
|
|
# endif
|
1999-03-30 01:50:26 +08:00
|
|
|
ret = 0;
|
2000-08-12 03:43:20 +08:00
|
|
|
end:
|
2015-01-22 11:29:12 +08:00
|
|
|
if (p12)
|
|
|
|
|
PKCS12_free(p12);
|
|
|
|
|
if (export_cert || inrand)
|
|
|
|
|
app_RAND_write_file(NULL, bio_err);
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
2000-01-14 05:10:43 +08:00
|
|
|
CRYPTO_remove_all_info();
|
If an engine comes up explicitely, it must also come down explicitely
In apps/apps.c, one can set up an engine with setup_engine().
However, we freed the structural reference immediately, which means
that for engines that don't already have a structural reference
somewhere else (because it has registered at least one cipher or digest
algorithm method, and therefore gets a functional reference through the
ENGINE_set_default() call), we end up returning an invalid reference.
Instead, the function release_engine() is added, and called at the end
of the routines that call setup_engine().
Originally, the ENGINE API wasn't designed for this to happen, an
engine had to register at least one algorithm method, and was
especially expected to register the algorithms corresponding to the
key types that could be stored and hidden in hardware. However, it
turns out that some engines will not register those algorithms with
the ENGINE_set_{algo}, ENGINE_set_cipher or ENGINE_set_digest
functions, as they only want the methods to be used for keys, not as
general crypto accelerator methods. That may cause ENGINE_set_default()
to do nothing, and no functional reference is therefore made, leading
to a premature deallocation of the engine and it thereby becoming
unavailable when trying to fetch a key.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1644)
2016-09-29 06:40:20 +08:00
|
|
|
# endif
|
2016-10-20 01:46:38 +08:00
|
|
|
release_engine(e);
|
2000-01-14 05:10:43 +08:00
|
|
|
BIO_free(in);
|
On VMS, stdout may very well lead to a file that is written to in a
record-oriented fashion. That means that every write() will write a
separate record, which will be read separately by the programs trying
to read from it. This can be very confusing.
The solution is to put a BIO filter in the way that will buffer text
until a linefeed is reached, and then write everything a line at a
time, so every record written will be an actual line, not chunks of
lines and not (usually doesn't happen, but I've seen it once) several
lines in one record. Voila, BIO_f_linebuffer() is born.
Since we're so close to release time, I'm making this VMS-only for
now, just to make sure no code is needlessly broken by this. After
the release, this BIO method will be enabled on all other platforms as
well.
2000-09-20 21:55:50 +08:00
|
|
|
BIO_free_all(out);
|
2015-01-22 11:29:12 +08:00
|
|
|
if (canames)
|
|
|
|
|
sk_OPENSSL_STRING_free(canames);
|
|
|
|
|
if (passin)
|
|
|
|
|
OPENSSL_free(passin);
|
|
|
|
|
if (passout)
|
|
|
|
|
OPENSSL_free(passout);
|
2001-06-25 22:00:47 +08:00
|
|
|
apps_shutdown();
|
2002-12-04 00:33:03 +08:00
|
|
|
OPENSSL_EXIT(ret);
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass,
|
|
|
|
|
int passlen, int options, char *pempass)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
STACK_OF(PKCS7) *asafes = NULL;
|
|
|
|
|
STACK_OF(PKCS12_SAFEBAG) *bags;
|
|
|
|
|
int i, bagnid;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
PKCS7 *p7;
|
|
|
|
|
|
|
|
|
|
if (!(asafes = PKCS12_unpack_authsafes(p12)))
|
|
|
|
|
return 0;
|
|
|
|
|
for (i = 0; i < sk_PKCS7_num(asafes); i++) {
|
|
|
|
|
p7 = sk_PKCS7_value(asafes, i);
|
|
|
|
|
bagnid = OBJ_obj2nid(p7->type);
|
|
|
|
|
if (bagnid == NID_pkcs7_data) {
|
|
|
|
|
bags = PKCS12_unpack_p7data(p7);
|
|
|
|
|
if (options & INFO)
|
|
|
|
|
BIO_printf(bio_err, "PKCS7 Data\n");
|
|
|
|
|
} else if (bagnid == NID_pkcs7_encrypted) {
|
|
|
|
|
if (options & INFO) {
|
|
|
|
|
BIO_printf(bio_err, "PKCS7 Encrypted data: ");
|
|
|
|
|
alg_print(bio_err, p7->d.encrypted->enc_data->algorithm);
|
|
|
|
|
}
|
|
|
|
|
bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
|
|
|
|
|
} else
|
|
|
|
|
continue;
|
|
|
|
|
if (!bags)
|
|
|
|
|
goto err;
|
|
|
|
|
if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
|
|
|
|
|
options, pempass)) {
|
|
|
|
|
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
|
|
|
|
|
bags = NULL;
|
|
|
|
|
}
|
|
|
|
|
ret = 1;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
|
|
|
|
|
if (asafes)
|
|
|
|
|
sk_PKCS7_pop_free(asafes, PKCS7_free);
|
|
|
|
|
return ret;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
|
|
|
|
|
char *pass, int passlen, int options, char *pempass)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
int i;
|
|
|
|
|
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
|
|
|
|
|
if (!dump_certs_pkeys_bag(out,
|
|
|
|
|
sk_PKCS12_SAFEBAG_value(bags, i),
|
|
|
|
|
pass, passlen, options, pempass))
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
|
|
|
|
|
int passlen, int options, char *pempass)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
EVP_PKEY *pkey;
|
|
|
|
|
PKCS8_PRIV_KEY_INFO *p8;
|
|
|
|
|
X509 *x509;
|
2016-05-04 20:44:10 +08:00
|
|
|
int ret = 0;
|
2015-01-22 11:29:12 +08:00
|
|
|
|
|
|
|
|
switch (M_PKCS12_bag_type(bag)) {
|
|
|
|
|
case NID_keyBag:
|
|
|
|
|
if (options & INFO)
|
|
|
|
|
BIO_printf(bio_err, "Key bag\n");
|
|
|
|
|
if (options & NOKEYS)
|
|
|
|
|
return 1;
|
|
|
|
|
print_attribs(out, bag->attrib, "Bag Attributes");
|
|
|
|
|
p8 = bag->value.keybag;
|
|
|
|
|
if (!(pkey = EVP_PKCS82PKEY(p8)))
|
|
|
|
|
return 0;
|
|
|
|
|
print_attribs(out, p8->attributes, "Key Attributes");
|
2016-05-04 20:44:10 +08:00
|
|
|
ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
|
2015-01-22 11:29:12 +08:00
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case NID_pkcs8ShroudedKeyBag:
|
|
|
|
|
if (options & INFO) {
|
|
|
|
|
BIO_printf(bio_err, "Shrouded Keybag: ");
|
|
|
|
|
alg_print(bio_err, bag->value.shkeybag->algor);
|
|
|
|
|
}
|
|
|
|
|
if (options & NOKEYS)
|
|
|
|
|
return 1;
|
|
|
|
|
print_attribs(out, bag->attrib, "Bag Attributes");
|
|
|
|
|
if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
|
|
|
|
|
return 0;
|
|
|
|
|
if (!(pkey = EVP_PKCS82PKEY(p8))) {
|
|
|
|
|
PKCS8_PRIV_KEY_INFO_free(p8);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
print_attribs(out, p8->attributes, "Key Attributes");
|
|
|
|
|
PKCS8_PRIV_KEY_INFO_free(p8);
|
2016-05-04 20:44:10 +08:00
|
|
|
ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
|
2015-01-22 11:29:12 +08:00
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case NID_certBag:
|
|
|
|
|
if (options & INFO)
|
|
|
|
|
BIO_printf(bio_err, "Certificate bag\n");
|
|
|
|
|
if (options & NOCERTS)
|
|
|
|
|
return 1;
|
|
|
|
|
if (PKCS12_get_attr(bag, NID_localKeyID)) {
|
|
|
|
|
if (options & CACERTS)
|
|
|
|
|
return 1;
|
|
|
|
|
} else if (options & CLCERTS)
|
|
|
|
|
return 1;
|
|
|
|
|
print_attribs(out, bag->attrib, "Bag Attributes");
|
|
|
|
|
if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
|
|
|
|
|
return 1;
|
|
|
|
|
if (!(x509 = PKCS12_certbag2x509(bag)))
|
|
|
|
|
return 0;
|
|
|
|
|
dump_cert_text(out, x509);
|
2016-05-04 20:44:10 +08:00
|
|
|
ret = PEM_write_bio_X509(out, x509);
|
2015-01-22 11:29:12 +08:00
|
|
|
X509_free(x509);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case NID_safeContentsBag:
|
|
|
|
|
if (options & INFO)
|
|
|
|
|
BIO_printf(bio_err, "Safe Contents bag\n");
|
|
|
|
|
print_attribs(out, bag->attrib, "Bag Attributes");
|
|
|
|
|
return dump_certs_pkeys_bags(out, bag->value.safes, pass,
|
|
|
|
|
passlen, options, pempass);
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
BIO_printf(bio_err, "Warning unsupported bag type: ");
|
|
|
|
|
i2a_ASN1_OBJECT(bio_err, bag->type);
|
|
|
|
|
BIO_printf(bio_err, "\n");
|
|
|
|
|
return 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2016-05-04 20:44:10 +08:00
|
|
|
return ret;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Given a single certificate return a verified chain or NULL if error */
|
|
|
|
|
|
2016-01-01 13:51:12 +08:00
|
|
|
static int get_cert_chain(X509 *cert, X509_STORE *store,
|
|
|
|
|
STACK_OF(X509) **chain)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
X509_STORE_CTX store_ctx;
|
2016-01-01 13:51:12 +08:00
|
|
|
STACK_OF(X509) *chn = NULL;
|
2015-01-22 11:29:12 +08:00
|
|
|
int i = 0;
|
|
|
|
|
|
2016-01-01 13:51:12 +08:00
|
|
|
if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
|
|
|
|
|
*chain = NULL;
|
|
|
|
|
return X509_V_ERR_UNSPECIFIED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (X509_verify_cert(&store_ctx) > 0)
|
2015-01-22 11:29:12 +08:00
|
|
|
chn = X509_STORE_CTX_get1_chain(&store_ctx);
|
2016-01-01 13:51:12 +08:00
|
|
|
else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
|
|
|
|
|
i = X509_V_ERR_UNSPECIFIED;
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
X509_STORE_CTX_cleanup(&store_ctx);
|
|
|
|
|
*chain = chn;
|
|
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int alg_print(BIO *x, X509_ALGOR *alg)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2016-07-19 19:32:05 +08:00
|
|
|
int pbenid, aparamtype;
|
|
|
|
|
ASN1_OBJECT *aoid;
|
|
|
|
|
void *aparam;
|
|
|
|
|
PBEPARAM *pbe = NULL;
|
|
|
|
|
|
|
|
|
|
X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
|
|
|
|
|
|
|
|
|
|
pbenid = OBJ_obj2nid(aoid);
|
|
|
|
|
|
|
|
|
|
BIO_printf(x, "%s", OBJ_nid2ln(pbenid));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If PBE algorithm is PBES2 decode algorithm parameters
|
|
|
|
|
* for additional details.
|
|
|
|
|
*/
|
|
|
|
|
if (pbenid == NID_pbes2) {
|
|
|
|
|
PBE2PARAM *pbe2 = NULL;
|
|
|
|
|
int encnid;
|
|
|
|
|
if (aparamtype == V_ASN1_SEQUENCE)
|
|
|
|
|
pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM));
|
|
|
|
|
if (pbe2 == NULL) {
|
|
|
|
|
BIO_puts(x, "<unsupported parameters>");
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc);
|
|
|
|
|
pbenid = OBJ_obj2nid(aoid);
|
|
|
|
|
X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
|
|
|
|
|
encnid = OBJ_obj2nid(aoid);
|
|
|
|
|
BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid),
|
|
|
|
|
OBJ_nid2sn(encnid));
|
|
|
|
|
/* If KDF is PBKDF2 decode parameters */
|
|
|
|
|
if (pbenid == NID_id_pbkdf2) {
|
|
|
|
|
PBKDF2PARAM *kdf = NULL;
|
|
|
|
|
int prfnid;
|
|
|
|
|
if (aparamtype == V_ASN1_SEQUENCE)
|
|
|
|
|
kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM));
|
|
|
|
|
if (kdf == NULL) {
|
|
|
|
|
BIO_puts(x, "<unsupported parameters>");
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (kdf->prf == NULL) {
|
|
|
|
|
prfnid = NID_hmacWithSHA1;
|
|
|
|
|
} else {
|
|
|
|
|
X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf);
|
|
|
|
|
prfnid = OBJ_obj2nid(aoid);
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(x, ", Iteration %ld, PRF %s",
|
|
|
|
|
ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
|
|
|
|
|
PBKDF2PARAM_free(kdf);
|
|
|
|
|
}
|
|
|
|
|
PBE2PARAM_free(pbe2);
|
|
|
|
|
} else {
|
|
|
|
|
if (aparamtype == V_ASN1_SEQUENCE)
|
|
|
|
|
pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM));
|
|
|
|
|
if (pbe == NULL) {
|
|
|
|
|
BIO_puts(x, "<unsupported parameters>");
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
|
|
|
|
|
PBEPARAM_free(pbe);
|
|
|
|
|
}
|
|
|
|
|
done:
|
|
|
|
|
BIO_puts(x, "\n");
|
2015-01-22 11:29:12 +08:00
|
|
|
return 1;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Load all certificates from a given file */
|
|
|
|
|
|
1999-06-05 06:23:10 +08:00
|
|
|
int cert_load(BIO *in, STACK_OF(X509) *sk)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
int ret;
|
|
|
|
|
X509 *cert;
|
|
|
|
|
ret = 0;
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_push_info("cert_load(): reading one cert");
|
|
|
|
|
# endif
|
|
|
|
|
while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
# endif
|
|
|
|
|
ret = 1;
|
|
|
|
|
sk_X509_push(sk, cert);
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_push_info("cert_load(): reading one cert");
|
|
|
|
|
# endif
|
|
|
|
|
}
|
|
|
|
|
# ifdef CRYPTO_MDEBUG
|
|
|
|
|
CRYPTO_pop_info();
|
|
|
|
|
# endif
|
|
|
|
|
if (ret)
|
|
|
|
|
ERR_clear_error();
|
|
|
|
|
return ret;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Generalised attribute print: handle PKCS#8 and bag attributes */
|
|
|
|
|
|
2015-01-22 11:29:12 +08:00
|
|
|
int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
|
|
|
|
|
const char *name)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
X509_ATTRIBUTE *attr;
|
|
|
|
|
ASN1_TYPE *av;
|
|
|
|
|
char *value;
|
|
|
|
|
int i, attr_nid;
|
|
|
|
|
if (!attrlst) {
|
|
|
|
|
BIO_printf(out, "%s: <No Attributes>\n", name);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
if (!sk_X509_ATTRIBUTE_num(attrlst)) {
|
|
|
|
|
BIO_printf(out, "%s: <Empty Attributes>\n", name);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(out, "%s\n", name);
|
|
|
|
|
for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
|
|
|
|
|
attr = sk_X509_ATTRIBUTE_value(attrlst, i);
|
|
|
|
|
attr_nid = OBJ_obj2nid(attr->object);
|
|
|
|
|
BIO_printf(out, " ");
|
|
|
|
|
if (attr_nid == NID_undef) {
|
|
|
|
|
i2a_ASN1_OBJECT(out, attr->object);
|
|
|
|
|
BIO_printf(out, ": ");
|
|
|
|
|
} else
|
|
|
|
|
BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
|
|
|
|
|
|
|
|
|
|
if (sk_ASN1_TYPE_num(attr->value.set)) {
|
|
|
|
|
av = sk_ASN1_TYPE_value(attr->value.set, 0);
|
|
|
|
|
switch (av->type) {
|
|
|
|
|
case V_ASN1_BMPSTRING:
|
|
|
|
|
value = OPENSSL_uni2asc(av->value.bmpstring->data,
|
|
|
|
|
av->value.bmpstring->length);
|
|
|
|
|
BIO_printf(out, "%s\n", value);
|
|
|
|
|
OPENSSL_free(value);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case V_ASN1_OCTET_STRING:
|
|
|
|
|
hex_prin(out, av->value.octet_string->data,
|
|
|
|
|
av->value.octet_string->length);
|
|
|
|
|
BIO_printf(out, "\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case V_ASN1_BIT_STRING:
|
|
|
|
|
hex_prin(out, av->value.bit_string->data,
|
|
|
|
|
av->value.bit_string->length);
|
|
|
|
|
BIO_printf(out, "\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
BIO_printf(out, "<Unsupported tag %d>\n", av->type);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
BIO_printf(out, "<No Values>\n");
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
|
|
|
|
|
1999-04-20 05:31:43 +08:00
|
|
|
void hex_prin(BIO *out, unsigned char *buf, int len)
|
1999-03-30 01:50:26 +08:00
|
|
|
{
|
2015-01-22 11:29:12 +08:00
|
|
|
int i;
|
|
|
|
|
for (i = 0; i < len; i++)
|
|
|
|
|
BIO_printf(out, "%02X ", buf[i]);
|
1999-03-30 01:50:26 +08:00
|
|
|
}
|
1999-08-03 05:44:49 +08:00
|
|
|
|
2006-05-15 21:23:15 +08:00
|
|
|
static int set_pbe(BIO *err, int *ppbe, const char *str)
|
2015-01-22 11:29:12 +08:00
|
|
|
{
|
|
|
|
|
if (!str)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!strcmp(str, "NONE")) {
|
|
|
|
|
*ppbe = -1;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
*ppbe = OBJ_txt2nid(str);
|
|
|
|
|
if (*ppbe == NID_undef) {
|
|
|
|
|
BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2016-10-20 04:54:06 +08:00
|
|
|
#else
|
|
|
|
|
static void *dummy = &dummy;
|
1999-08-03 05:44:49 +08:00
|
|
|
#endif
|
