pkcs12.c 34 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060
  1. /* pkcs12.c */
  2. /*
  3. * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  4. * project.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * licensing@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. #include <openssl/opensslconf.h>
  60. #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
  61. # include <stdio.h>
  62. # include <stdlib.h>
  63. # include <string.h>
  64. # include "apps.h"
  65. # include <openssl/crypto.h>
  66. # include <openssl/err.h>
  67. # include <openssl/pem.h>
  68. # include <openssl/pkcs12.h>
  69. # ifdef OPENSSL_SYS_NETWARE
  70. /* Rename these functions to avoid name clashes on NetWare OS */
  71. # define uni2asc OPENSSL_uni2asc
  72. # define asc2uni OPENSSL_asc2uni
  73. # endif
  74. # define PROG pkcs12_main
  75. const EVP_CIPHER *enc;
  76. # define NOKEYS 0x1
  77. # define NOCERTS 0x2
  78. # define INFO 0x4
  79. # define CLCERTS 0x8
  80. # define CACERTS 0x10
  81. int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
  82. int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
  83. int options, char *pempass);
  84. int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
  85. char *pass, int passlen, int options,
  86. char *pempass);
  87. int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
  88. int passlen, int options, char *pempass);
  89. int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
  90. const char *name);
  91. void hex_prin(BIO *out, unsigned char *buf, int len);
  92. int alg_print(BIO *x, X509_ALGOR *alg);
  93. int cert_load(BIO *in, STACK_OF(X509) *sk);
  94. int MAIN(int, char **);
  95. int MAIN(int argc, char **argv)
  96. {
  97. ENGINE *e = NULL;
  98. char *infile = NULL, *outfile = NULL, *keyname = NULL;
  99. char *certfile = NULL;
  100. BIO *in = NULL, *out = NULL;
  101. char **args;
  102. char *name = NULL;
  103. char *csp_name = NULL;
  104. int add_lmk = 0;
  105. PKCS12 *p12 = NULL;
  106. char pass[50], macpass[50];
  107. int export_cert = 0;
  108. int options = 0;
  109. int chain = 0;
  110. int badarg = 0;
  111. int iter = PKCS12_DEFAULT_ITER;
  112. int maciter = PKCS12_DEFAULT_ITER;
  113. int twopass = 0;
  114. int keytype = 0;
  115. int cert_pbe;
  116. int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
  117. int ret = 1;
  118. int macver = 1;
  119. int noprompt = 0;
  120. STACK *canames = NULL;
  121. char *cpass = NULL, *mpass = NULL;
  122. char *passargin = NULL, *passargout = NULL, *passarg = NULL;
  123. char *passin = NULL, *passout = NULL;
  124. char *inrand = NULL;
  125. char *CApath = NULL, *CAfile = NULL;
  126. # ifndef OPENSSL_NO_ENGINE
  127. char *engine = NULL;
  128. # endif
  129. apps_startup();
  130. # ifdef OPENSSL_FIPS
  131. if (FIPS_mode())
  132. cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
  133. else
  134. # endif
  135. cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
  136. enc = EVP_des_ede3_cbc();
  137. if (bio_err == NULL)
  138. bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
  139. if (!load_config(bio_err, NULL))
  140. goto end;
  141. args = argv + 1;
  142. while (*args) {
  143. if (*args[0] == '-') {
  144. if (!strcmp(*args, "-nokeys"))
  145. options |= NOKEYS;
  146. else if (!strcmp(*args, "-keyex"))
  147. keytype = KEY_EX;
  148. else if (!strcmp(*args, "-keysig"))
  149. keytype = KEY_SIG;
  150. else if (!strcmp(*args, "-nocerts"))
  151. options |= NOCERTS;
  152. else if (!strcmp(*args, "-clcerts"))
  153. options |= CLCERTS;
  154. else if (!strcmp(*args, "-cacerts"))
  155. options |= CACERTS;
  156. else if (!strcmp(*args, "-noout"))
  157. options |= (NOKEYS | NOCERTS);
  158. else if (!strcmp(*args, "-info"))
  159. options |= INFO;
  160. else if (!strcmp(*args, "-chain"))
  161. chain = 1;
  162. else if (!strcmp(*args, "-twopass"))
  163. twopass = 1;
  164. else if (!strcmp(*args, "-nomacver"))
  165. macver = 0;
  166. else if (!strcmp(*args, "-descert"))
  167. cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
  168. else if (!strcmp(*args, "-export"))
  169. export_cert = 1;
  170. else if (!strcmp(*args, "-des"))
  171. enc = EVP_des_cbc();
  172. else if (!strcmp(*args, "-des3"))
  173. enc = EVP_des_ede3_cbc();
  174. # ifndef OPENSSL_NO_IDEA
  175. else if (!strcmp(*args, "-idea"))
  176. enc = EVP_idea_cbc();
  177. # endif
  178. # ifndef OPENSSL_NO_SEED
  179. else if (!strcmp(*args, "-seed"))
  180. enc = EVP_seed_cbc();
  181. # endif
  182. # ifndef OPENSSL_NO_AES
  183. else if (!strcmp(*args, "-aes128"))
  184. enc = EVP_aes_128_cbc();
  185. else if (!strcmp(*args, "-aes192"))
  186. enc = EVP_aes_192_cbc();
  187. else if (!strcmp(*args, "-aes256"))
  188. enc = EVP_aes_256_cbc();
  189. # endif
  190. # ifndef OPENSSL_NO_CAMELLIA
  191. else if (!strcmp(*args, "-camellia128"))
  192. enc = EVP_camellia_128_cbc();
  193. else if (!strcmp(*args, "-camellia192"))
  194. enc = EVP_camellia_192_cbc();
  195. else if (!strcmp(*args, "-camellia256"))
  196. enc = EVP_camellia_256_cbc();
  197. # endif
  198. else if (!strcmp(*args, "-noiter"))
  199. iter = 1;
  200. else if (!strcmp(*args, "-maciter"))
  201. maciter = PKCS12_DEFAULT_ITER;
  202. else if (!strcmp(*args, "-nomaciter"))
  203. maciter = 1;
  204. else if (!strcmp(*args, "-nomac"))
  205. maciter = -1;
  206. else if (!strcmp(*args, "-nodes"))
  207. enc = NULL;
  208. else if (!strcmp(*args, "-certpbe")) {
  209. if (args[1]) {
  210. args++;
  211. if (!strcmp(*args, "NONE"))
  212. cert_pbe = -1;
  213. else
  214. cert_pbe = OBJ_txt2nid(*args);
  215. if (cert_pbe == NID_undef) {
  216. BIO_printf(bio_err,
  217. "Unknown PBE algorithm %s\n", *args);
  218. badarg = 1;
  219. }
  220. } else
  221. badarg = 1;
  222. } else if (!strcmp(*args, "-keypbe")) {
  223. if (args[1]) {
  224. args++;
  225. if (!strcmp(*args, "NONE"))
  226. key_pbe = -1;
  227. else
  228. key_pbe = OBJ_txt2nid(*args);
  229. if (key_pbe == NID_undef) {
  230. BIO_printf(bio_err,
  231. "Unknown PBE algorithm %s\n", *args);
  232. badarg = 1;
  233. }
  234. } else
  235. badarg = 1;
  236. } else if (!strcmp(*args, "-rand")) {
  237. if (args[1]) {
  238. args++;
  239. inrand = *args;
  240. } else
  241. badarg = 1;
  242. } else if (!strcmp(*args, "-inkey")) {
  243. if (args[1]) {
  244. args++;
  245. keyname = *args;
  246. } else
  247. badarg = 1;
  248. } else if (!strcmp(*args, "-certfile")) {
  249. if (args[1]) {
  250. args++;
  251. certfile = *args;
  252. } else
  253. badarg = 1;
  254. } else if (!strcmp(*args, "-name")) {
  255. if (args[1]) {
  256. args++;
  257. name = *args;
  258. } else
  259. badarg = 1;
  260. } else if (!strcmp(*args, "-LMK"))
  261. add_lmk = 1;
  262. else if (!strcmp(*args, "-CSP")) {
  263. if (args[1]) {
  264. args++;
  265. csp_name = *args;
  266. } else
  267. badarg = 1;
  268. } else if (!strcmp(*args, "-caname")) {
  269. if (args[1]) {
  270. args++;
  271. if (!canames)
  272. canames = sk_new_null();
  273. sk_push(canames, *args);
  274. } else
  275. badarg = 1;
  276. } else if (!strcmp(*args, "-in")) {
  277. if (args[1]) {
  278. args++;
  279. infile = *args;
  280. } else
  281. badarg = 1;
  282. } else if (!strcmp(*args, "-out")) {
  283. if (args[1]) {
  284. args++;
  285. outfile = *args;
  286. } else
  287. badarg = 1;
  288. } else if (!strcmp(*args, "-passin")) {
  289. if (args[1]) {
  290. args++;
  291. passargin = *args;
  292. } else
  293. badarg = 1;
  294. } else if (!strcmp(*args, "-passout")) {
  295. if (args[1]) {
  296. args++;
  297. passargout = *args;
  298. } else
  299. badarg = 1;
  300. } else if (!strcmp(*args, "-password")) {
  301. if (args[1]) {
  302. args++;
  303. passarg = *args;
  304. noprompt = 1;
  305. } else
  306. badarg = 1;
  307. } else if (!strcmp(*args, "-CApath")) {
  308. if (args[1]) {
  309. args++;
  310. CApath = *args;
  311. } else
  312. badarg = 1;
  313. } else if (!strcmp(*args, "-CAfile")) {
  314. if (args[1]) {
  315. args++;
  316. CAfile = *args;
  317. } else
  318. badarg = 1;
  319. # ifndef OPENSSL_NO_ENGINE
  320. } else if (!strcmp(*args, "-engine")) {
  321. if (args[1]) {
  322. args++;
  323. engine = *args;
  324. } else
  325. badarg = 1;
  326. # endif
  327. } else
  328. badarg = 1;
  329. } else
  330. badarg = 1;
  331. args++;
  332. }
  333. if (badarg) {
  334. BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
  335. BIO_printf(bio_err, "where options are\n");
  336. BIO_printf(bio_err, "-export output PKCS12 file\n");
  337. BIO_printf(bio_err, "-chain add certificate chain\n");
  338. BIO_printf(bio_err, "-inkey file private key if not infile\n");
  339. BIO_printf(bio_err, "-certfile f add all certs in f\n");
  340. BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n");
  341. BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n");
  342. BIO_printf(bio_err, "-name \"name\" use name as friendly name\n");
  343. BIO_printf(bio_err,
  344. "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
  345. BIO_printf(bio_err, "-in infile input filename\n");
  346. BIO_printf(bio_err, "-out outfile output filename\n");
  347. BIO_printf(bio_err,
  348. "-noout don't output anything, just verify.\n");
  349. BIO_printf(bio_err, "-nomacver don't verify MAC.\n");
  350. BIO_printf(bio_err, "-nocerts don't output certificates.\n");
  351. BIO_printf(bio_err,
  352. "-clcerts only output client certificates.\n");
  353. BIO_printf(bio_err, "-cacerts only output CA certificates.\n");
  354. BIO_printf(bio_err, "-nokeys don't output private keys.\n");
  355. BIO_printf(bio_err,
  356. "-info give info about PKCS#12 structure.\n");
  357. BIO_printf(bio_err, "-des encrypt private keys with DES\n");
  358. BIO_printf(bio_err,
  359. "-des3 encrypt private keys with triple DES (default)\n");
  360. # ifndef OPENSSL_NO_IDEA
  361. BIO_printf(bio_err, "-idea encrypt private keys with idea\n");
  362. # endif
  363. # ifndef OPENSSL_NO_SEED
  364. BIO_printf(bio_err, "-seed encrypt private keys with seed\n");
  365. # endif
  366. # ifndef OPENSSL_NO_AES
  367. BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
  368. BIO_printf(bio_err,
  369. " encrypt PEM output with cbc aes\n");
  370. # endif
  371. # ifndef OPENSSL_NO_CAMELLIA
  372. BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
  373. BIO_printf(bio_err,
  374. " encrypt PEM output with cbc camellia\n");
  375. # endif
  376. BIO_printf(bio_err, "-nodes don't encrypt private keys\n");
  377. BIO_printf(bio_err, "-noiter don't use encryption iteration\n");
  378. BIO_printf(bio_err, "-maciter use MAC iteration\n");
  379. BIO_printf(bio_err,
  380. "-twopass separate MAC, encryption passwords\n");
  381. BIO_printf(bio_err,
  382. "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
  383. BIO_printf(bio_err,
  384. "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
  385. BIO_printf(bio_err,
  386. "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
  387. BIO_printf(bio_err, "-keyex set MS key exchange type\n");
  388. BIO_printf(bio_err, "-keysig set MS key signature type\n");
  389. BIO_printf(bio_err,
  390. "-password p set import/export password source\n");
  391. BIO_printf(bio_err, "-passin p input file pass phrase source\n");
  392. BIO_printf(bio_err, "-passout p output file pass phrase source\n");
  393. # ifndef OPENSSL_NO_ENGINE
  394. BIO_printf(bio_err,
  395. "-engine e use engine e, possibly a hardware device.\n");
  396. # endif
  397. BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
  398. LIST_SEPARATOR_CHAR);
  399. BIO_printf(bio_err,
  400. " load the file (or the files in the directory) into\n");
  401. BIO_printf(bio_err, " the random number generator\n");
  402. BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
  403. BIO_printf(bio_err,
  404. "-LMK Add local machine keyset attribute to private key\n");
  405. goto end;
  406. }
  407. # ifndef OPENSSL_NO_ENGINE
  408. e = setup_engine(bio_err, engine, 0);
  409. # endif
  410. if (passarg) {
  411. if (export_cert)
  412. passargout = passarg;
  413. else
  414. passargin = passarg;
  415. }
  416. if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
  417. BIO_printf(bio_err, "Error getting passwords\n");
  418. goto end;
  419. }
  420. if (!cpass) {
  421. if (export_cert)
  422. cpass = passout;
  423. else
  424. cpass = passin;
  425. }
  426. if (cpass) {
  427. mpass = cpass;
  428. noprompt = 1;
  429. } else {
  430. cpass = pass;
  431. mpass = macpass;
  432. }
  433. if (export_cert || inrand) {
  434. app_RAND_load_file(NULL, bio_err, (inrand != NULL));
  435. if (inrand != NULL)
  436. BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
  437. app_RAND_load_files(inrand));
  438. }
  439. ERR_load_crypto_strings();
  440. # ifdef CRYPTO_MDEBUG
  441. CRYPTO_push_info("read files");
  442. # endif
  443. if (!infile)
  444. in = BIO_new_fp(stdin, BIO_NOCLOSE);
  445. else
  446. in = BIO_new_file(infile, "rb");
  447. if (!in) {
  448. BIO_printf(bio_err, "Error opening input file %s\n",
  449. infile ? infile : "<stdin>");
  450. perror(infile);
  451. goto end;
  452. }
  453. # ifdef CRYPTO_MDEBUG
  454. CRYPTO_pop_info();
  455. CRYPTO_push_info("write files");
  456. # endif
  457. if (!outfile) {
  458. out = BIO_new_fp(stdout, BIO_NOCLOSE);
  459. # ifdef OPENSSL_SYS_VMS
  460. {
  461. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  462. out = BIO_push(tmpbio, out);
  463. }
  464. # endif
  465. } else
  466. out = BIO_new_file(outfile, "wb");
  467. if (!out) {
  468. BIO_printf(bio_err, "Error opening output file %s\n",
  469. outfile ? outfile : "<stdout>");
  470. perror(outfile);
  471. goto end;
  472. }
  473. if (twopass) {
  474. # ifdef CRYPTO_MDEBUG
  475. CRYPTO_push_info("read MAC password");
  476. # endif
  477. if (EVP_read_pw_string
  478. (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
  479. BIO_printf(bio_err, "Can't read Password\n");
  480. goto end;
  481. }
  482. # ifdef CRYPTO_MDEBUG
  483. CRYPTO_pop_info();
  484. # endif
  485. }
  486. if (export_cert) {
  487. EVP_PKEY *key = NULL;
  488. X509 *ucert = NULL, *x = NULL;
  489. STACK_OF(X509) *certs = NULL;
  490. unsigned char *catmp = NULL;
  491. int i;
  492. if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
  493. BIO_printf(bio_err, "Nothing to do!\n");
  494. goto export_end;
  495. }
  496. if (options & NOCERTS)
  497. chain = 0;
  498. # ifdef CRYPTO_MDEBUG
  499. CRYPTO_push_info("process -export_cert");
  500. CRYPTO_push_info("reading private key");
  501. # endif
  502. if (!(options & NOKEYS)) {
  503. key = load_key(bio_err, keyname ? keyname : infile,
  504. FORMAT_PEM, 1, passin, e, "private key");
  505. if (!key)
  506. goto export_end;
  507. }
  508. # ifdef CRYPTO_MDEBUG
  509. CRYPTO_pop_info();
  510. CRYPTO_push_info("reading certs from input");
  511. # endif
  512. /* Load in all certs in input file */
  513. if (!(options & NOCERTS)) {
  514. certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
  515. "certificates");
  516. if (!certs)
  517. goto export_end;
  518. if (key) {
  519. /* Look for matching private key */
  520. for (i = 0; i < sk_X509_num(certs); i++) {
  521. x = sk_X509_value(certs, i);
  522. if (X509_check_private_key(x, key)) {
  523. ucert = x;
  524. /* Zero keyid and alias */
  525. X509_keyid_set1(ucert, NULL, 0);
  526. X509_alias_set1(ucert, NULL, 0);
  527. /* Remove from list */
  528. (void)sk_X509_delete(certs, i);
  529. break;
  530. }
  531. }
  532. if (!ucert) {
  533. BIO_printf(bio_err,
  534. "No certificate matches private key\n");
  535. goto export_end;
  536. }
  537. }
  538. }
  539. # ifdef CRYPTO_MDEBUG
  540. CRYPTO_pop_info();
  541. CRYPTO_push_info("reading certs from input 2");
  542. # endif
  543. /* Add any more certificates asked for */
  544. if (certfile) {
  545. STACK_OF(X509) *morecerts = NULL;
  546. if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
  547. NULL, e,
  548. "certificates from certfile")))
  549. goto export_end;
  550. while (sk_X509_num(morecerts) > 0)
  551. sk_X509_push(certs, sk_X509_shift(morecerts));
  552. sk_X509_free(morecerts);
  553. }
  554. # ifdef CRYPTO_MDEBUG
  555. CRYPTO_pop_info();
  556. CRYPTO_push_info("reading certs from certfile");
  557. # endif
  558. # ifdef CRYPTO_MDEBUG
  559. CRYPTO_pop_info();
  560. CRYPTO_push_info("building chain");
  561. # endif
  562. /* If chaining get chain from user cert */
  563. if (chain) {
  564. int vret;
  565. STACK_OF(X509) *chain2;
  566. X509_STORE *store = X509_STORE_new();
  567. if (!store) {
  568. BIO_printf(bio_err, "Memory allocation error\n");
  569. goto export_end;
  570. }
  571. if (!X509_STORE_load_locations(store, CAfile, CApath))
  572. X509_STORE_set_default_paths(store);
  573. vret = get_cert_chain(ucert, store, &chain2);
  574. X509_STORE_free(store);
  575. if (!vret) {
  576. /* Exclude verified certificate */
  577. for (i = 1; i < sk_X509_num(chain2); i++)
  578. sk_X509_push(certs, sk_X509_value(chain2, i));
  579. /* Free first certificate */
  580. X509_free(sk_X509_value(chain2, 0));
  581. sk_X509_free(chain2);
  582. } else {
  583. if (vret >= 0)
  584. BIO_printf(bio_err, "Error %s getting chain.\n",
  585. X509_verify_cert_error_string(vret));
  586. else
  587. ERR_print_errors(bio_err);
  588. goto export_end;
  589. }
  590. }
  591. /* Add any CA names */
  592. for (i = 0; i < sk_num(canames); i++) {
  593. catmp = (unsigned char *)sk_value(canames, i);
  594. X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
  595. }
  596. if (csp_name && key)
  597. EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
  598. MBSTRING_ASC, (unsigned char *)csp_name,
  599. -1);
  600. if (add_lmk && key)
  601. EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
  602. # ifdef CRYPTO_MDEBUG
  603. CRYPTO_pop_info();
  604. CRYPTO_push_info("reading password");
  605. # endif
  606. if (!noprompt &&
  607. EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
  608. 1)) {
  609. BIO_printf(bio_err, "Can't read Password\n");
  610. goto export_end;
  611. }
  612. if (!twopass)
  613. BUF_strlcpy(macpass, pass, sizeof macpass);
  614. # ifdef CRYPTO_MDEBUG
  615. CRYPTO_pop_info();
  616. CRYPTO_push_info("creating PKCS#12 structure");
  617. # endif
  618. p12 = PKCS12_create(cpass, name, key, ucert, certs,
  619. key_pbe, cert_pbe, iter, -1, keytype);
  620. if (!p12) {
  621. ERR_print_errors(bio_err);
  622. goto export_end;
  623. }
  624. if (maciter != -1)
  625. PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL);
  626. # ifdef CRYPTO_MDEBUG
  627. CRYPTO_pop_info();
  628. CRYPTO_push_info("writing pkcs12");
  629. # endif
  630. i2d_PKCS12_bio(out, p12);
  631. ret = 0;
  632. export_end:
  633. # ifdef CRYPTO_MDEBUG
  634. CRYPTO_pop_info();
  635. CRYPTO_pop_info();
  636. CRYPTO_push_info("process -export_cert: freeing");
  637. # endif
  638. if (key)
  639. EVP_PKEY_free(key);
  640. if (certs)
  641. sk_X509_pop_free(certs, X509_free);
  642. if (ucert)
  643. X509_free(ucert);
  644. # ifdef CRYPTO_MDEBUG
  645. CRYPTO_pop_info();
  646. # endif
  647. goto end;
  648. }
  649. if (!(p12 = d2i_PKCS12_bio(in, NULL))) {
  650. ERR_print_errors(bio_err);
  651. goto end;
  652. }
  653. # ifdef CRYPTO_MDEBUG
  654. CRYPTO_push_info("read import password");
  655. # endif
  656. if (!noprompt
  657. && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
  658. 0)) {
  659. BIO_printf(bio_err, "Can't read Password\n");
  660. goto end;
  661. }
  662. # ifdef CRYPTO_MDEBUG
  663. CRYPTO_pop_info();
  664. # endif
  665. if (!twopass)
  666. BUF_strlcpy(macpass, pass, sizeof macpass);
  667. if ((options & INFO) && p12->mac)
  668. BIO_printf(bio_err, "MAC Iteration %ld\n",
  669. p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
  670. if (macver) {
  671. # ifdef CRYPTO_MDEBUG
  672. CRYPTO_push_info("verify MAC");
  673. # endif
  674. /* If we enter empty password try no password first */
  675. if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
  676. /* If mac and crypto pass the same set it to NULL too */
  677. if (!twopass)
  678. cpass = NULL;
  679. } else if (!PKCS12_verify_mac(p12, mpass, -1)) {
  680. BIO_printf(bio_err, "Mac verify error: invalid password?\n");
  681. ERR_print_errors(bio_err);
  682. goto end;
  683. }
  684. BIO_printf(bio_err, "MAC verified OK\n");
  685. # ifdef CRYPTO_MDEBUG
  686. CRYPTO_pop_info();
  687. # endif
  688. }
  689. # ifdef CRYPTO_MDEBUG
  690. CRYPTO_push_info("output keys and certificates");
  691. # endif
  692. if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) {
  693. BIO_printf(bio_err, "Error outputting keys and certificates\n");
  694. ERR_print_errors(bio_err);
  695. goto end;
  696. }
  697. # ifdef CRYPTO_MDEBUG
  698. CRYPTO_pop_info();
  699. # endif
  700. ret = 0;
  701. end:
  702. if (p12)
  703. PKCS12_free(p12);
  704. if (export_cert || inrand)
  705. app_RAND_write_file(NULL, bio_err);
  706. # ifdef CRYPTO_MDEBUG
  707. CRYPTO_remove_all_info();
  708. # endif
  709. BIO_free(in);
  710. BIO_free_all(out);
  711. if (canames)
  712. sk_free(canames);
  713. if (passin)
  714. OPENSSL_free(passin);
  715. if (passout)
  716. OPENSSL_free(passout);
  717. apps_shutdown();
  718. OPENSSL_EXIT(ret);
  719. }
  720. int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass,
  721. int passlen, int options, char *pempass)
  722. {
  723. STACK_OF(PKCS7) *asafes = NULL;
  724. STACK_OF(PKCS12_SAFEBAG) *bags;
  725. int i, bagnid;
  726. int ret = 0;
  727. PKCS7 *p7;
  728. if (!(asafes = PKCS12_unpack_authsafes(p12)))
  729. return 0;
  730. for (i = 0; i < sk_PKCS7_num(asafes); i++) {
  731. p7 = sk_PKCS7_value(asafes, i);
  732. bagnid = OBJ_obj2nid(p7->type);
  733. if (bagnid == NID_pkcs7_data) {
  734. bags = PKCS12_unpack_p7data(p7);
  735. if (options & INFO)
  736. BIO_printf(bio_err, "PKCS7 Data\n");
  737. } else if (bagnid == NID_pkcs7_encrypted) {
  738. if (options & INFO) {
  739. BIO_printf(bio_err, "PKCS7 Encrypted data: ");
  740. alg_print(bio_err, p7->d.encrypted->enc_data->algorithm);
  741. }
  742. bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
  743. } else
  744. continue;
  745. if (!bags)
  746. goto err;
  747. if (!dump_certs_pkeys_bags(out, bags, pass, passlen,
  748. options, pempass)) {
  749. sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
  750. goto err;
  751. }
  752. sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
  753. bags = NULL;
  754. }
  755. ret = 1;
  756. err:
  757. if (asafes)
  758. sk_PKCS7_pop_free(asafes, PKCS7_free);
  759. return ret;
  760. }
  761. int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
  762. char *pass, int passlen, int options, char *pempass)
  763. {
  764. int i;
  765. for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
  766. if (!dump_certs_pkeys_bag(out,
  767. sk_PKCS12_SAFEBAG_value(bags, i),
  768. pass, passlen, options, pempass))
  769. return 0;
  770. }
  771. return 1;
  772. }
  773. int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
  774. int passlen, int options, char *pempass)
  775. {
  776. EVP_PKEY *pkey;
  777. PKCS8_PRIV_KEY_INFO *p8;
  778. X509 *x509;
  779. switch (M_PKCS12_bag_type(bag)) {
  780. case NID_keyBag:
  781. if (options & INFO)
  782. BIO_printf(bio_err, "Key bag\n");
  783. if (options & NOKEYS)
  784. return 1;
  785. print_attribs(out, bag->attrib, "Bag Attributes");
  786. p8 = bag->value.keybag;
  787. if (!(pkey = EVP_PKCS82PKEY(p8)))
  788. return 0;
  789. print_attribs(out, p8->attributes, "Key Attributes");
  790. PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
  791. EVP_PKEY_free(pkey);
  792. break;
  793. case NID_pkcs8ShroudedKeyBag:
  794. if (options & INFO) {
  795. BIO_printf(bio_err, "Shrouded Keybag: ");
  796. alg_print(bio_err, bag->value.shkeybag->algor);
  797. }
  798. if (options & NOKEYS)
  799. return 1;
  800. print_attribs(out, bag->attrib, "Bag Attributes");
  801. if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
  802. return 0;
  803. if (!(pkey = EVP_PKCS82PKEY(p8))) {
  804. PKCS8_PRIV_KEY_INFO_free(p8);
  805. return 0;
  806. }
  807. print_attribs(out, p8->attributes, "Key Attributes");
  808. PKCS8_PRIV_KEY_INFO_free(p8);
  809. PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
  810. EVP_PKEY_free(pkey);
  811. break;
  812. case NID_certBag:
  813. if (options & INFO)
  814. BIO_printf(bio_err, "Certificate bag\n");
  815. if (options & NOCERTS)
  816. return 1;
  817. if (PKCS12_get_attr(bag, NID_localKeyID)) {
  818. if (options & CACERTS)
  819. return 1;
  820. } else if (options & CLCERTS)
  821. return 1;
  822. print_attribs(out, bag->attrib, "Bag Attributes");
  823. if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
  824. return 1;
  825. if (!(x509 = PKCS12_certbag2x509(bag)))
  826. return 0;
  827. dump_cert_text(out, x509);
  828. PEM_write_bio_X509(out, x509);
  829. X509_free(x509);
  830. break;
  831. case NID_safeContentsBag:
  832. if (options & INFO)
  833. BIO_printf(bio_err, "Safe Contents bag\n");
  834. print_attribs(out, bag->attrib, "Bag Attributes");
  835. return dump_certs_pkeys_bags(out, bag->value.safes, pass,
  836. passlen, options, pempass);
  837. default:
  838. BIO_printf(bio_err, "Warning unsupported bag type: ");
  839. i2a_ASN1_OBJECT(bio_err, bag->type);
  840. BIO_printf(bio_err, "\n");
  841. return 1;
  842. break;
  843. }
  844. return 1;
  845. }
  846. /* Given a single certificate return a verified chain or NULL if error */
  847. /* Hope this is OK .... */
  848. int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
  849. {
  850. X509_STORE_CTX store_ctx;
  851. STACK_OF(X509) *chn;
  852. int i = 0;
  853. /*
  854. * FIXME: Should really check the return status of X509_STORE_CTX_init
  855. * for an error, but how that fits into the return value of this function
  856. * is less obvious.
  857. */
  858. X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
  859. if (X509_verify_cert(&store_ctx) <= 0) {
  860. i = X509_STORE_CTX_get_error(&store_ctx);
  861. if (i == 0)
  862. /*
  863. * avoid returning 0 if X509_verify_cert() did not set an
  864. * appropriate error value in the context
  865. */
  866. i = -1;
  867. chn = NULL;
  868. goto err;
  869. } else
  870. chn = X509_STORE_CTX_get1_chain(&store_ctx);
  871. err:
  872. X509_STORE_CTX_cleanup(&store_ctx);
  873. *chain = chn;
  874. return i;
  875. }
  876. int alg_print(BIO *x, X509_ALGOR *alg)
  877. {
  878. PBEPARAM *pbe;
  879. const unsigned char *p;
  880. p = alg->parameter->value.sequence->data;
  881. pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
  882. if (!pbe)
  883. return 1;
  884. BIO_printf(bio_err, "%s, Iteration %ld\n",
  885. OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)),
  886. ASN1_INTEGER_get(pbe->iter));
  887. PBEPARAM_free(pbe);
  888. return 1;
  889. }
  890. /* Load all certificates from a given file */
  891. int cert_load(BIO *in, STACK_OF(X509) *sk)
  892. {
  893. int ret;
  894. X509 *cert;
  895. ret = 0;
  896. # ifdef CRYPTO_MDEBUG
  897. CRYPTO_push_info("cert_load(): reading one cert");
  898. # endif
  899. while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
  900. # ifdef CRYPTO_MDEBUG
  901. CRYPTO_pop_info();
  902. # endif
  903. ret = 1;
  904. sk_X509_push(sk, cert);
  905. # ifdef CRYPTO_MDEBUG
  906. CRYPTO_push_info("cert_load(): reading one cert");
  907. # endif
  908. }
  909. # ifdef CRYPTO_MDEBUG
  910. CRYPTO_pop_info();
  911. # endif
  912. if (ret)
  913. ERR_clear_error();
  914. return ret;
  915. }
  916. /* Generalised attribute print: handle PKCS#8 and bag attributes */
  917. int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
  918. const char *name)
  919. {
  920. X509_ATTRIBUTE *attr;
  921. ASN1_TYPE *av;
  922. char *value;
  923. int i, attr_nid;
  924. if (!attrlst) {
  925. BIO_printf(out, "%s: <No Attributes>\n", name);
  926. return 1;
  927. }
  928. if (!sk_X509_ATTRIBUTE_num(attrlst)) {
  929. BIO_printf(out, "%s: <Empty Attributes>\n", name);
  930. return 1;
  931. }
  932. BIO_printf(out, "%s\n", name);
  933. for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
  934. attr = sk_X509_ATTRIBUTE_value(attrlst, i);
  935. attr_nid = OBJ_obj2nid(attr->object);
  936. BIO_printf(out, " ");
  937. if (attr_nid == NID_undef) {
  938. i2a_ASN1_OBJECT(out, attr->object);
  939. BIO_printf(out, ": ");
  940. } else
  941. BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
  942. if (sk_ASN1_TYPE_num(attr->value.set)) {
  943. av = sk_ASN1_TYPE_value(attr->value.set, 0);
  944. switch (av->type) {
  945. case V_ASN1_BMPSTRING:
  946. value = uni2asc(av->value.bmpstring->data,
  947. av->value.bmpstring->length);
  948. BIO_printf(out, "%s\n", value);
  949. OPENSSL_free(value);
  950. break;
  951. case V_ASN1_OCTET_STRING:
  952. hex_prin(out, av->value.octet_string->data,
  953. av->value.octet_string->length);
  954. BIO_printf(out, "\n");
  955. break;
  956. case V_ASN1_BIT_STRING:
  957. hex_prin(out, av->value.bit_string->data,
  958. av->value.bit_string->length);
  959. BIO_printf(out, "\n");
  960. break;
  961. default:
  962. BIO_printf(out, "<Unsupported tag %d>\n", av->type);
  963. break;
  964. }
  965. } else
  966. BIO_printf(out, "<No Values>\n");
  967. }
  968. return 1;
  969. }
  970. void hex_prin(BIO *out, unsigned char *buf, int len)
  971. {
  972. int i;
  973. for (i = 0; i < len; i++)
  974. BIO_printf(out, "%02X ", buf[i]);
  975. }
  976. #endif