12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112 |
- /* pkcs12.c */
- /*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
- /* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
- #include <openssl/opensslconf.h>
- #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
- # include <stdio.h>
- # include <stdlib.h>
- # include <string.h>
- # include "apps.h"
- # include <openssl/crypto.h>
- # include <openssl/err.h>
- # include <openssl/pem.h>
- # include <openssl/pkcs12.h>
- # define PROG pkcs12_main
- const EVP_CIPHER *enc;
- # define NOKEYS 0x1
- # define NOCERTS 0x2
- # define INFO 0x4
- # define CLCERTS 0x8
- # define CACERTS 0x10
- static int get_cert_chain(X509 *cert, X509_STORE *store,
- STACK_OF(X509) **chain);
- int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
- int options, char *pempass);
- int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
- char *pass, int passlen, int options,
- char *pempass);
- int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
- int passlen, int options, char *pempass);
- int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
- const char *name);
- void hex_prin(BIO *out, unsigned char *buf, int len);
- int alg_print(BIO *x, X509_ALGOR *alg);
- int cert_load(BIO *in, STACK_OF(X509) *sk);
- static int set_pbe(BIO *err, int *ppbe, const char *str);
- int MAIN(int, char **);
- int MAIN(int argc, char **argv)
- {
- ENGINE *e = NULL;
- char *infile = NULL, *outfile = NULL, *keyname = NULL;
- char *certfile = NULL;
- BIO *in = NULL, *out = NULL;
- char **args;
- char *name = NULL;
- char *csp_name = NULL;
- int add_lmk = 0;
- PKCS12 *p12 = NULL;
- char pass[50], macpass[50];
- int export_cert = 0;
- int options = 0;
- int chain = 0;
- int badarg = 0;
- int iter = PKCS12_DEFAULT_ITER;
- int maciter = PKCS12_DEFAULT_ITER;
- int twopass = 0;
- int keytype = 0;
- int cert_pbe;
- int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- int ret = 1;
- int macver = 1;
- int noprompt = 0;
- STACK_OF(OPENSSL_STRING) *canames = NULL;
- char *cpass = NULL, *mpass = NULL;
- char *passargin = NULL, *passargout = NULL, *passarg = NULL;
- char *passin = NULL, *passout = NULL;
- char *inrand = NULL;
- char *macalg = NULL;
- char *CApath = NULL, *CAfile = NULL;
- char *engine = NULL;
- apps_startup();
- enc = EVP_des_ede3_cbc();
- if (bio_err == NULL)
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
- if (!load_config(bio_err, NULL))
- goto end;
- # ifdef OPENSSL_FIPS
- if (FIPS_mode())
- cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- else
- # endif
- cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
- args = argv + 1;
- while (*args) {
- if (*args[0] == '-') {
- if (!strcmp(*args, "-nokeys"))
- options |= NOKEYS;
- else if (!strcmp(*args, "-keyex"))
- keytype = KEY_EX;
- else if (!strcmp(*args, "-keysig"))
- keytype = KEY_SIG;
- else if (!strcmp(*args, "-nocerts"))
- options |= NOCERTS;
- else if (!strcmp(*args, "-clcerts"))
- options |= CLCERTS;
- else if (!strcmp(*args, "-cacerts"))
- options |= CACERTS;
- else if (!strcmp(*args, "-noout"))
- options |= (NOKEYS | NOCERTS);
- else if (!strcmp(*args, "-info"))
- options |= INFO;
- else if (!strcmp(*args, "-chain"))
- chain = 1;
- else if (!strcmp(*args, "-twopass"))
- twopass = 1;
- else if (!strcmp(*args, "-nomacver"))
- macver = 0;
- else if (!strcmp(*args, "-descert"))
- cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- else if (!strcmp(*args, "-export"))
- export_cert = 1;
- else if (!strcmp(*args, "-des"))
- enc = EVP_des_cbc();
- else if (!strcmp(*args, "-des3"))
- enc = EVP_des_ede3_cbc();
- # ifndef OPENSSL_NO_IDEA
- else if (!strcmp(*args, "-idea"))
- enc = EVP_idea_cbc();
- # endif
- # ifndef OPENSSL_NO_SEED
- else if (!strcmp(*args, "-seed"))
- enc = EVP_seed_cbc();
- # endif
- # ifndef OPENSSL_NO_AES
- else if (!strcmp(*args, "-aes128"))
- enc = EVP_aes_128_cbc();
- else if (!strcmp(*args, "-aes192"))
- enc = EVP_aes_192_cbc();
- else if (!strcmp(*args, "-aes256"))
- enc = EVP_aes_256_cbc();
- # endif
- # ifndef OPENSSL_NO_CAMELLIA
- else if (!strcmp(*args, "-camellia128"))
- enc = EVP_camellia_128_cbc();
- else if (!strcmp(*args, "-camellia192"))
- enc = EVP_camellia_192_cbc();
- else if (!strcmp(*args, "-camellia256"))
- enc = EVP_camellia_256_cbc();
- # endif
- else if (!strcmp(*args, "-noiter"))
- iter = 1;
- else if (!strcmp(*args, "-maciter"))
- maciter = PKCS12_DEFAULT_ITER;
- else if (!strcmp(*args, "-nomaciter"))
- maciter = 1;
- else if (!strcmp(*args, "-nomac"))
- maciter = -1;
- else if (!strcmp(*args, "-macalg"))
- if (args[1]) {
- args++;
- macalg = *args;
- } else
- badarg = 1;
- else if (!strcmp(*args, "-nodes"))
- enc = NULL;
- else if (!strcmp(*args, "-certpbe")) {
- if (!set_pbe(bio_err, &cert_pbe, *++args))
- badarg = 1;
- } else if (!strcmp(*args, "-keypbe")) {
- if (!set_pbe(bio_err, &key_pbe, *++args))
- badarg = 1;
- } else if (!strcmp(*args, "-rand")) {
- if (args[1]) {
- args++;
- inrand = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-inkey")) {
- if (args[1]) {
- args++;
- keyname = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-certfile")) {
- if (args[1]) {
- args++;
- certfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-name")) {
- if (args[1]) {
- args++;
- name = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-LMK"))
- add_lmk = 1;
- else if (!strcmp(*args, "-CSP")) {
- if (args[1]) {
- args++;
- csp_name = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-caname")) {
- if (args[1]) {
- args++;
- if (!canames)
- canames = sk_OPENSSL_STRING_new_null();
- sk_OPENSSL_STRING_push(canames, *args);
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-in")) {
- if (args[1]) {
- args++;
- infile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-out")) {
- if (args[1]) {
- args++;
- outfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-passin")) {
- if (args[1]) {
- args++;
- passargin = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-passout")) {
- if (args[1]) {
- args++;
- passargout = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-password")) {
- if (args[1]) {
- args++;
- passarg = *args;
- noprompt = 1;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CApath")) {
- if (args[1]) {
- args++;
- CApath = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CAfile")) {
- if (args[1]) {
- args++;
- CAfile = *args;
- } else
- badarg = 1;
- # ifndef OPENSSL_NO_ENGINE
- } else if (!strcmp(*args, "-engine")) {
- if (args[1]) {
- args++;
- engine = *args;
- } else
- badarg = 1;
- # endif
- } else
- badarg = 1;
- } else
- badarg = 1;
- args++;
- }
- if (badarg) {
- BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
- BIO_printf(bio_err, "where options are\n");
- BIO_printf(bio_err, "-export output PKCS12 file\n");
- BIO_printf(bio_err, "-chain add certificate chain\n");
- BIO_printf(bio_err, "-inkey file private key if not infile\n");
- BIO_printf(bio_err, "-certfile f add all certs in f\n");
- BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n");
- BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n");
- BIO_printf(bio_err, "-name \"name\" use name as friendly name\n");
- BIO_printf(bio_err,
- "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
- BIO_printf(bio_err, "-in infile input filename\n");
- BIO_printf(bio_err, "-out outfile output filename\n");
- BIO_printf(bio_err,
- "-noout don't output anything, just verify.\n");
- BIO_printf(bio_err, "-nomacver don't verify MAC.\n");
- BIO_printf(bio_err, "-nocerts don't output certificates.\n");
- BIO_printf(bio_err,
- "-clcerts only output client certificates.\n");
- BIO_printf(bio_err, "-cacerts only output CA certificates.\n");
- BIO_printf(bio_err, "-nokeys don't output private keys.\n");
- BIO_printf(bio_err,
- "-info give info about PKCS#12 structure.\n");
- BIO_printf(bio_err, "-des encrypt private keys with DES\n");
- BIO_printf(bio_err,
- "-des3 encrypt private keys with triple DES (default)\n");
- # ifndef OPENSSL_NO_IDEA
- BIO_printf(bio_err, "-idea encrypt private keys with idea\n");
- # endif
- # ifndef OPENSSL_NO_SEED
- BIO_printf(bio_err, "-seed encrypt private keys with seed\n");
- # endif
- # ifndef OPENSSL_NO_AES
- BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
- BIO_printf(bio_err,
- " encrypt PEM output with cbc aes\n");
- # endif
- # ifndef OPENSSL_NO_CAMELLIA
- BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
- BIO_printf(bio_err,
- " encrypt PEM output with cbc camellia\n");
- # endif
- BIO_printf(bio_err, "-nodes don't encrypt private keys\n");
- BIO_printf(bio_err, "-noiter don't use encryption iteration\n");
- BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n");
- BIO_printf(bio_err, "-maciter use MAC iteration\n");
- BIO_printf(bio_err, "-nomac don't generate MAC\n");
- BIO_printf(bio_err,
- "-twopass separate MAC, encryption passwords\n");
- BIO_printf(bio_err,
- "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
- BIO_printf(bio_err,
- "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
- BIO_printf(bio_err,
- "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
- BIO_printf(bio_err,
- "-macalg alg digest algorithm used in MAC (default SHA1)\n");
- BIO_printf(bio_err, "-keyex set MS key exchange type\n");
- BIO_printf(bio_err, "-keysig set MS key signature type\n");
- BIO_printf(bio_err,
- "-password p set import/export password source\n");
- BIO_printf(bio_err, "-passin p input file pass phrase source\n");
- BIO_printf(bio_err, "-passout p output file pass phrase source\n");
- # ifndef OPENSSL_NO_ENGINE
- BIO_printf(bio_err,
- "-engine e use engine e, possibly a hardware device.\n");
- # endif
- BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
- LIST_SEPARATOR_CHAR);
- BIO_printf(bio_err,
- " load the file (or the files in the directory) into\n");
- BIO_printf(bio_err, " the random number generator\n");
- BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
- BIO_printf(bio_err,
- "-LMK Add local machine keyset attribute to private key\n");
- goto end;
- }
- e = setup_engine(bio_err, engine, 0);
- if (passarg) {
- if (export_cert)
- passargout = passarg;
- else
- passargin = passarg;
- }
- if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
- BIO_printf(bio_err, "Error getting passwords\n");
- goto end;
- }
- if (!cpass) {
- if (export_cert)
- cpass = passout;
- else
- cpass = passin;
- }
- if (cpass) {
- mpass = cpass;
- noprompt = 1;
- } else {
- cpass = pass;
- mpass = macpass;
- }
- if (export_cert || inrand) {
- app_RAND_load_file(NULL, bio_err, (inrand != NULL));
- if (inrand != NULL)
- BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
- app_RAND_load_files(inrand));
- }
- ERR_load_crypto_strings();
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("read files");
- # endif
- if (!infile)
- in = BIO_new_fp(stdin, BIO_NOCLOSE);
- else
- in = BIO_new_file(infile, "rb");
- if (!in) {
- BIO_printf(bio_err, "Error opening input file %s\n",
- infile ? infile : "<stdin>");
- perror(infile);
- goto end;
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("write files");
- # endif
- if (!outfile) {
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
- # ifdef OPENSSL_SYS_VMS
- {
- BIO *tmpbio = BIO_new(BIO_f_linebuffer());
- out = BIO_push(tmpbio, out);
- }
- # endif
- } else
- out = BIO_new_file(outfile, "wb");
- if (!out) {
- BIO_printf(bio_err, "Error opening output file %s\n",
- outfile ? outfile : "<stdout>");
- perror(outfile);
- goto end;
- }
- if (twopass) {
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("read MAC password");
- # endif
- if (EVP_read_pw_string
- (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
- BIO_printf(bio_err, "Can't read Password\n");
- goto end;
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- }
- if (export_cert) {
- EVP_PKEY *key = NULL;
- X509 *ucert = NULL, *x = NULL;
- STACK_OF(X509) *certs = NULL;
- const EVP_MD *macmd = NULL;
- unsigned char *catmp = NULL;
- int i;
- if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
- BIO_printf(bio_err, "Nothing to do!\n");
- goto export_end;
- }
- if (options & NOCERTS)
- chain = 0;
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("process -export_cert");
- CRYPTO_push_info("reading private key");
- # endif
- if (!(options & NOKEYS)) {
- key = load_key(bio_err, keyname ? keyname : infile,
- FORMAT_PEM, 1, passin, e, "private key");
- if (!key)
- goto export_end;
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("reading certs from input");
- # endif
- /* Load in all certs in input file */
- if (!(options & NOCERTS)) {
- certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
- "certificates");
- if (!certs)
- goto export_end;
- if (key) {
- /* Look for matching private key */
- for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- if (X509_check_private_key(x, key)) {
- ucert = x;
- /* Zero keyid and alias */
- X509_keyid_set1(ucert, NULL, 0);
- X509_alias_set1(ucert, NULL, 0);
- /* Remove from list */
- (void)sk_X509_delete(certs, i);
- break;
- }
- }
- if (!ucert) {
- BIO_printf(bio_err,
- "No certificate matches private key\n");
- goto export_end;
- }
- }
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("reading certs from input 2");
- # endif
- /* Add any more certificates asked for */
- if (certfile) {
- STACK_OF(X509) *morecerts = NULL;
- if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
- NULL, e,
- "certificates from certfile")))
- goto export_end;
- while (sk_X509_num(morecerts) > 0)
- sk_X509_push(certs, sk_X509_shift(morecerts));
- sk_X509_free(morecerts);
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("reading certs from certfile");
- # endif
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("building chain");
- # endif
- /* If chaining get chain from user cert */
- if (chain) {
- int vret;
- STACK_OF(X509) *chain2;
- X509_STORE *store = X509_STORE_new();
- if (!store) {
- BIO_printf(bio_err, "Memory allocation error\n");
- goto export_end;
- }
- if (!X509_STORE_load_locations(store, CAfile, CApath))
- X509_STORE_set_default_paths(store);
- vret = get_cert_chain(ucert, store, &chain2);
- X509_STORE_free(store);
- if (vret == X509_V_OK) {
- /* Exclude verified certificate */
- for (i = 1; i < sk_X509_num(chain2); i++)
- sk_X509_push(certs, sk_X509_value(chain2, i));
- /* Free first certificate */
- X509_free(sk_X509_value(chain2, 0));
- sk_X509_free(chain2);
- } else {
- if (vret != X509_V_ERR_UNSPECIFIED)
- BIO_printf(bio_err, "Error %s getting chain.\n",
- X509_verify_cert_error_string(vret));
- else
- ERR_print_errors(bio_err);
- goto export_end;
- }
- }
- /* Add any CA names */
- for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) {
- catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i);
- X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
- }
- if (csp_name && key)
- EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
- MBSTRING_ASC, (unsigned char *)csp_name,
- -1);
- if (add_lmk && key)
- EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("reading password");
- # endif
- if (!noprompt &&
- EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
- 1)) {
- BIO_printf(bio_err, "Can't read Password\n");
- goto export_end;
- }
- if (!twopass)
- BUF_strlcpy(macpass, pass, sizeof macpass);
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("creating PKCS#12 structure");
- # endif
- p12 = PKCS12_create(cpass, name, key, ucert, certs,
- key_pbe, cert_pbe, iter, -1, keytype);
- if (!p12) {
- ERR_print_errors(bio_err);
- goto export_end;
- }
- if (macalg) {
- macmd = EVP_get_digestbyname(macalg);
- if (!macmd) {
- BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg);
- }
- }
- if (maciter != -1)
- PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_push_info("writing pkcs12");
- # endif
- i2d_PKCS12_bio(out, p12);
- ret = 0;
- export_end:
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- CRYPTO_pop_info();
- CRYPTO_push_info("process -export_cert: freeing");
- # endif
- if (key)
- EVP_PKEY_free(key);
- if (certs)
- sk_X509_pop_free(certs, X509_free);
- if (ucert)
- X509_free(ucert);
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- goto end;
- }
- if (!(p12 = d2i_PKCS12_bio(in, NULL))) {
- ERR_print_errors(bio_err);
- goto end;
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("read import password");
- # endif
- if (!noprompt
- && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
- 0)) {
- BIO_printf(bio_err, "Can't read Password\n");
- goto end;
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- if (!twopass)
- BUF_strlcpy(macpass, pass, sizeof macpass);
- if ((options & INFO) && p12->mac)
- BIO_printf(bio_err, "MAC Iteration %ld\n",
- p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
- if (macver) {
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("verify MAC");
- # endif
- /* If we enter empty password try no password first */
- if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
- /* If mac and crypto pass the same set it to NULL too */
- if (!twopass)
- cpass = NULL;
- } else if (!PKCS12_verify_mac(p12, mpass, -1)) {
- BIO_printf(bio_err, "Mac verify error: invalid password?\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- BIO_printf(bio_err, "MAC verified OK\n");
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("output keys and certificates");
- # endif
- if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) {
- BIO_printf(bio_err, "Error outputting keys and certificates\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- ret = 0;
- end:
- if (p12)
- PKCS12_free(p12);
- if (export_cert || inrand)
- app_RAND_write_file(NULL, bio_err);
- # ifdef CRYPTO_MDEBUG
- CRYPTO_remove_all_info();
- # endif
- release_engine(e);
- BIO_free(in);
- BIO_free_all(out);
- if (canames)
- sk_OPENSSL_STRING_free(canames);
- if (passin)
- OPENSSL_free(passin);
- if (passout)
- OPENSSL_free(passout);
- apps_shutdown();
- OPENSSL_EXIT(ret);
- }
- int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass,
- int passlen, int options, char *pempass)
- {
- STACK_OF(PKCS7) *asafes = NULL;
- STACK_OF(PKCS12_SAFEBAG) *bags;
- int i, bagnid;
- int ret = 0;
- PKCS7 *p7;
- if (!(asafes = PKCS12_unpack_authsafes(p12)))
- return 0;
- for (i = 0; i < sk_PKCS7_num(asafes); i++) {
- p7 = sk_PKCS7_value(asafes, i);
- bagnid = OBJ_obj2nid(p7->type);
- if (bagnid == NID_pkcs7_data) {
- bags = PKCS12_unpack_p7data(p7);
- if (options & INFO)
- BIO_printf(bio_err, "PKCS7 Data\n");
- } else if (bagnid == NID_pkcs7_encrypted) {
- if (options & INFO) {
- BIO_printf(bio_err, "PKCS7 Encrypted data: ");
- alg_print(bio_err, p7->d.encrypted->enc_data->algorithm);
- }
- bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
- } else
- continue;
- if (!bags)
- goto err;
- if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
- options, pempass)) {
- sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
- goto err;
- }
- sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
- bags = NULL;
- }
- ret = 1;
- err:
- if (asafes)
- sk_PKCS7_pop_free(asafes, PKCS7_free);
- return ret;
- }
- int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
- char *pass, int passlen, int options, char *pempass)
- {
- int i;
- for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
- if (!dump_certs_pkeys_bag(out,
- sk_PKCS12_SAFEBAG_value(bags, i),
- pass, passlen, options, pempass))
- return 0;
- }
- return 1;
- }
- int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
- int passlen, int options, char *pempass)
- {
- EVP_PKEY *pkey;
- PKCS8_PRIV_KEY_INFO *p8;
- X509 *x509;
- int ret = 0;
- switch (M_PKCS12_bag_type(bag)) {
- case NID_keyBag:
- if (options & INFO)
- BIO_printf(bio_err, "Key bag\n");
- if (options & NOKEYS)
- return 1;
- print_attribs(out, bag->attrib, "Bag Attributes");
- p8 = bag->value.keybag;
- if (!(pkey = EVP_PKCS82PKEY(p8)))
- return 0;
- print_attribs(out, p8->attributes, "Key Attributes");
- ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
- EVP_PKEY_free(pkey);
- break;
- case NID_pkcs8ShroudedKeyBag:
- if (options & INFO) {
- BIO_printf(bio_err, "Shrouded Keybag: ");
- alg_print(bio_err, bag->value.shkeybag->algor);
- }
- if (options & NOKEYS)
- return 1;
- print_attribs(out, bag->attrib, "Bag Attributes");
- if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
- return 0;
- if (!(pkey = EVP_PKCS82PKEY(p8))) {
- PKCS8_PRIV_KEY_INFO_free(p8);
- return 0;
- }
- print_attribs(out, p8->attributes, "Key Attributes");
- PKCS8_PRIV_KEY_INFO_free(p8);
- ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
- EVP_PKEY_free(pkey);
- break;
- case NID_certBag:
- if (options & INFO)
- BIO_printf(bio_err, "Certificate bag\n");
- if (options & NOCERTS)
- return 1;
- if (PKCS12_get_attr(bag, NID_localKeyID)) {
- if (options & CACERTS)
- return 1;
- } else if (options & CLCERTS)
- return 1;
- print_attribs(out, bag->attrib, "Bag Attributes");
- if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
- return 1;
- if (!(x509 = PKCS12_certbag2x509(bag)))
- return 0;
- dump_cert_text(out, x509);
- ret = PEM_write_bio_X509(out, x509);
- X509_free(x509);
- break;
- case NID_safeContentsBag:
- if (options & INFO)
- BIO_printf(bio_err, "Safe Contents bag\n");
- print_attribs(out, bag->attrib, "Bag Attributes");
- return dump_certs_pkeys_bags(out, bag->value.safes, pass,
- passlen, options, pempass);
- default:
- BIO_printf(bio_err, "Warning unsupported bag type: ");
- i2a_ASN1_OBJECT(bio_err, bag->type);
- BIO_printf(bio_err, "\n");
- return 1;
- break;
- }
- return ret;
- }
- /* Given a single certificate return a verified chain or NULL if error */
- static int get_cert_chain(X509 *cert, X509_STORE *store,
- STACK_OF(X509) **chain)
- {
- X509_STORE_CTX store_ctx;
- STACK_OF(X509) *chn = NULL;
- int i = 0;
- if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
- *chain = NULL;
- return X509_V_ERR_UNSPECIFIED;
- }
- if (X509_verify_cert(&store_ctx) > 0)
- chn = X509_STORE_CTX_get1_chain(&store_ctx);
- else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
- i = X509_V_ERR_UNSPECIFIED;
- X509_STORE_CTX_cleanup(&store_ctx);
- *chain = chn;
- return i;
- }
- int alg_print(BIO *x, X509_ALGOR *alg)
- {
- int pbenid, aparamtype;
- ASN1_OBJECT *aoid;
- void *aparam;
- PBEPARAM *pbe = NULL;
- X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
- pbenid = OBJ_obj2nid(aoid);
- BIO_printf(x, "%s", OBJ_nid2ln(pbenid));
- /*
- * If PBE algorithm is PBES2 decode algorithm parameters
- * for additional details.
- */
- if (pbenid == NID_pbes2) {
- PBE2PARAM *pbe2 = NULL;
- int encnid;
- if (aparamtype == V_ASN1_SEQUENCE)
- pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM));
- if (pbe2 == NULL) {
- BIO_puts(x, "<unsupported parameters>");
- goto done;
- }
- X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc);
- pbenid = OBJ_obj2nid(aoid);
- X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
- encnid = OBJ_obj2nid(aoid);
- BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid),
- OBJ_nid2sn(encnid));
- /* If KDF is PBKDF2 decode parameters */
- if (pbenid == NID_id_pbkdf2) {
- PBKDF2PARAM *kdf = NULL;
- int prfnid;
- if (aparamtype == V_ASN1_SEQUENCE)
- kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM));
- if (kdf == NULL) {
- BIO_puts(x, "<unsupported parameters>");
- goto done;
- }
- if (kdf->prf == NULL) {
- prfnid = NID_hmacWithSHA1;
- } else {
- X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf);
- prfnid = OBJ_obj2nid(aoid);
- }
- BIO_printf(x, ", Iteration %ld, PRF %s",
- ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
- PBKDF2PARAM_free(kdf);
- }
- PBE2PARAM_free(pbe2);
- } else {
- if (aparamtype == V_ASN1_SEQUENCE)
- pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM));
- if (pbe == NULL) {
- BIO_puts(x, "<unsupported parameters>");
- goto done;
- }
- BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
- PBEPARAM_free(pbe);
- }
- done:
- BIO_puts(x, "\n");
- return 1;
- }
- /* Load all certificates from a given file */
- int cert_load(BIO *in, STACK_OF(X509) *sk)
- {
- int ret;
- X509 *cert;
- ret = 0;
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("cert_load(): reading one cert");
- # endif
- while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- ret = 1;
- sk_X509_push(sk, cert);
- # ifdef CRYPTO_MDEBUG
- CRYPTO_push_info("cert_load(): reading one cert");
- # endif
- }
- # ifdef CRYPTO_MDEBUG
- CRYPTO_pop_info();
- # endif
- if (ret)
- ERR_clear_error();
- return ret;
- }
- /* Generalised attribute print: handle PKCS#8 and bag attributes */
- int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
- const char *name)
- {
- X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
- char *value;
- int i, attr_nid;
- if (!attrlst) {
- BIO_printf(out, "%s: <No Attributes>\n", name);
- return 1;
- }
- if (!sk_X509_ATTRIBUTE_num(attrlst)) {
- BIO_printf(out, "%s: <Empty Attributes>\n", name);
- return 1;
- }
- BIO_printf(out, "%s\n", name);
- for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
- attr = sk_X509_ATTRIBUTE_value(attrlst, i);
- attr_nid = OBJ_obj2nid(attr->object);
- BIO_printf(out, " ");
- if (attr_nid == NID_undef) {
- i2a_ASN1_OBJECT(out, attr->object);
- BIO_printf(out, ": ");
- } else
- BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
- if (sk_ASN1_TYPE_num(attr->value.set)) {
- av = sk_ASN1_TYPE_value(attr->value.set, 0);
- switch (av->type) {
- case V_ASN1_BMPSTRING:
- value = OPENSSL_uni2asc(av->value.bmpstring->data,
- av->value.bmpstring->length);
- BIO_printf(out, "%s\n", value);
- OPENSSL_free(value);
- break;
- case V_ASN1_OCTET_STRING:
- hex_prin(out, av->value.octet_string->data,
- av->value.octet_string->length);
- BIO_printf(out, "\n");
- break;
- case V_ASN1_BIT_STRING:
- hex_prin(out, av->value.bit_string->data,
- av->value.bit_string->length);
- BIO_printf(out, "\n");
- break;
- default:
- BIO_printf(out, "<Unsupported tag %d>\n", av->type);
- break;
- }
- } else
- BIO_printf(out, "<No Values>\n");
- }
- return 1;
- }
- void hex_prin(BIO *out, unsigned char *buf, int len)
- {
- int i;
- for (i = 0; i < len; i++)
- BIO_printf(out, "%02X ", buf[i]);
- }
- static int set_pbe(BIO *err, int *ppbe, const char *str)
- {
- if (!str)
- return 0;
- if (!strcmp(str, "NONE")) {
- *ppbe = -1;
- return 1;
- }
- *ppbe = OBJ_txt2nid(str);
- if (*ppbe == NID_undef) {
- BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str);
- return 0;
- }
- return 1;
- }
- #else
- static void *dummy = &dummy;
- #endif
|