pkcs8.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411
  1. /* pkcs8.c */
  2. /*
  3. * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  4. * 1999-2004.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * licensing@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. #include <stdio.h>
  60. #include <string.h>
  61. #include "apps.h"
  62. #include <openssl/pem.h>
  63. #include <openssl/err.h>
  64. #include <openssl/evp.h>
  65. #include <openssl/pkcs12.h>
  66. #define PROG pkcs8_main
  67. int MAIN(int, char **);
  68. int MAIN(int argc, char **argv)
  69. {
  70. ENGINE *e = NULL;
  71. char **args, *infile = NULL, *outfile = NULL;
  72. char *passargin = NULL, *passargout = NULL;
  73. BIO *in = NULL, *out = NULL;
  74. int topk8 = 0;
  75. int pbe_nid = -1;
  76. const EVP_CIPHER *cipher = NULL;
  77. int iter = PKCS12_DEFAULT_ITER;
  78. int informat, outformat;
  79. int p8_broken = PKCS8_OK;
  80. int nocrypt = 0;
  81. X509_SIG *p8;
  82. PKCS8_PRIV_KEY_INFO *p8inf;
  83. EVP_PKEY *pkey = NULL;
  84. char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
  85. int badarg = 0;
  86. #ifndef OPENSSL_NO_ENGINE
  87. char *engine = NULL;
  88. #endif
  89. if (bio_err == NULL)
  90. bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
  91. if (!load_config(bio_err, NULL))
  92. goto end;
  93. informat = FORMAT_PEM;
  94. outformat = FORMAT_PEM;
  95. ERR_load_crypto_strings();
  96. OpenSSL_add_all_algorithms();
  97. args = argv + 1;
  98. while (!badarg && *args && *args[0] == '-') {
  99. if (!strcmp(*args, "-v2")) {
  100. if (args[1]) {
  101. args++;
  102. cipher = EVP_get_cipherbyname(*args);
  103. if (!cipher) {
  104. BIO_printf(bio_err, "Unknown cipher %s\n", *args);
  105. badarg = 1;
  106. }
  107. } else
  108. badarg = 1;
  109. } else if (!strcmp(*args, "-v1")) {
  110. if (args[1]) {
  111. args++;
  112. pbe_nid = OBJ_txt2nid(*args);
  113. if (pbe_nid == NID_undef) {
  114. BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args);
  115. badarg = 1;
  116. }
  117. } else
  118. badarg = 1;
  119. } else if (!strcmp(*args, "-inform")) {
  120. if (args[1]) {
  121. args++;
  122. informat = str2fmt(*args);
  123. } else
  124. badarg = 1;
  125. } else if (!strcmp(*args, "-outform")) {
  126. if (args[1]) {
  127. args++;
  128. outformat = str2fmt(*args);
  129. } else
  130. badarg = 1;
  131. } else if (!strcmp(*args, "-topk8"))
  132. topk8 = 1;
  133. else if (!strcmp(*args, "-noiter"))
  134. iter = 1;
  135. else if (!strcmp(*args, "-nocrypt"))
  136. nocrypt = 1;
  137. else if (!strcmp(*args, "-nooct"))
  138. p8_broken = PKCS8_NO_OCTET;
  139. else if (!strcmp(*args, "-nsdb"))
  140. p8_broken = PKCS8_NS_DB;
  141. else if (!strcmp(*args, "-embed"))
  142. p8_broken = PKCS8_EMBEDDED_PARAM;
  143. else if (!strcmp(*args, "-passin")) {
  144. if (!args[1])
  145. goto bad;
  146. passargin = *(++args);
  147. } else if (!strcmp(*args, "-passout")) {
  148. if (!args[1])
  149. goto bad;
  150. passargout = *(++args);
  151. }
  152. #ifndef OPENSSL_NO_ENGINE
  153. else if (strcmp(*args, "-engine") == 0) {
  154. if (!args[1])
  155. goto bad;
  156. engine = *(++args);
  157. }
  158. #endif
  159. else if (!strcmp(*args, "-in")) {
  160. if (args[1]) {
  161. args++;
  162. infile = *args;
  163. } else
  164. badarg = 1;
  165. } else if (!strcmp(*args, "-out")) {
  166. if (args[1]) {
  167. args++;
  168. outfile = *args;
  169. } else
  170. badarg = 1;
  171. } else
  172. badarg = 1;
  173. args++;
  174. }
  175. if (badarg) {
  176. bad:
  177. BIO_printf(bio_err, "Usage pkcs8 [options]\n");
  178. BIO_printf(bio_err, "where options are\n");
  179. BIO_printf(bio_err, "-in file input file\n");
  180. BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
  181. BIO_printf(bio_err,
  182. "-passin arg input file pass phrase source\n");
  183. BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
  184. BIO_printf(bio_err, "-out file output file\n");
  185. BIO_printf(bio_err,
  186. "-passout arg output file pass phrase source\n");
  187. BIO_printf(bio_err, "-topk8 output PKCS8 file\n");
  188. BIO_printf(bio_err,
  189. "-nooct use (nonstandard) no octet format\n");
  190. BIO_printf(bio_err,
  191. "-embed use (nonstandard) embedded DSA parameters format\n");
  192. BIO_printf(bio_err,
  193. "-nsdb use (nonstandard) DSA Netscape DB format\n");
  194. BIO_printf(bio_err, "-noiter use 1 as iteration count\n");
  195. BIO_printf(bio_err,
  196. "-nocrypt use or expect unencrypted private key\n");
  197. BIO_printf(bio_err,
  198. "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n");
  199. BIO_printf(bio_err,
  200. "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n");
  201. #ifndef OPENSSL_NO_ENGINE
  202. BIO_printf(bio_err,
  203. " -engine e use engine e, possibly a hardware device.\n");
  204. #endif
  205. return 1;
  206. }
  207. #ifndef OPENSSL_NO_ENGINE
  208. e = setup_engine(bio_err, engine, 0);
  209. #endif
  210. if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
  211. BIO_printf(bio_err, "Error getting passwords\n");
  212. return 1;
  213. }
  214. if ((pbe_nid == -1) && !cipher)
  215. pbe_nid = NID_pbeWithMD5AndDES_CBC;
  216. if (infile) {
  217. if (!(in = BIO_new_file(infile, "rb"))) {
  218. BIO_printf(bio_err, "Can't open input file %s\n", infile);
  219. return (1);
  220. }
  221. } else
  222. in = BIO_new_fp(stdin, BIO_NOCLOSE);
  223. if (outfile) {
  224. if (!(out = BIO_new_file(outfile, "wb"))) {
  225. BIO_printf(bio_err, "Can't open output file %s\n", outfile);
  226. return (1);
  227. }
  228. } else {
  229. out = BIO_new_fp(stdout, BIO_NOCLOSE);
  230. #ifdef OPENSSL_SYS_VMS
  231. {
  232. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  233. out = BIO_push(tmpbio, out);
  234. }
  235. #endif
  236. }
  237. if (topk8) {
  238. BIO_free(in); /* Not needed in this section */
  239. pkey = load_key(bio_err, infile, informat, 1, passin, e, "key");
  240. if (!pkey) {
  241. BIO_free_all(out);
  242. return 1;
  243. }
  244. if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
  245. BIO_printf(bio_err, "Error converting key\n");
  246. ERR_print_errors(bio_err);
  247. EVP_PKEY_free(pkey);
  248. BIO_free_all(out);
  249. return 1;
  250. }
  251. if (nocrypt) {
  252. if (outformat == FORMAT_PEM)
  253. PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
  254. else if (outformat == FORMAT_ASN1)
  255. i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
  256. else {
  257. BIO_printf(bio_err, "Bad format specified for key\n");
  258. PKCS8_PRIV_KEY_INFO_free(p8inf);
  259. EVP_PKEY_free(pkey);
  260. BIO_free_all(out);
  261. return (1);
  262. }
  263. } else {
  264. if (passout)
  265. p8pass = passout;
  266. else {
  267. p8pass = pass;
  268. if (EVP_read_pw_string
  269. (pass, sizeof pass, "Enter Encryption Password:", 1)) {
  270. PKCS8_PRIV_KEY_INFO_free(p8inf);
  271. EVP_PKEY_free(pkey);
  272. BIO_free_all(out);
  273. return (1);
  274. }
  275. }
  276. app_RAND_load_file(NULL, bio_err, 0);
  277. if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
  278. p8pass, strlen(p8pass),
  279. NULL, 0, iter, p8inf))) {
  280. BIO_printf(bio_err, "Error encrypting key\n");
  281. ERR_print_errors(bio_err);
  282. PKCS8_PRIV_KEY_INFO_free(p8inf);
  283. EVP_PKEY_free(pkey);
  284. BIO_free_all(out);
  285. return (1);
  286. }
  287. app_RAND_write_file(NULL, bio_err);
  288. if (outformat == FORMAT_PEM)
  289. PEM_write_bio_PKCS8(out, p8);
  290. else if (outformat == FORMAT_ASN1)
  291. i2d_PKCS8_bio(out, p8);
  292. else {
  293. BIO_printf(bio_err, "Bad format specified for key\n");
  294. PKCS8_PRIV_KEY_INFO_free(p8inf);
  295. EVP_PKEY_free(pkey);
  296. BIO_free_all(out);
  297. return (1);
  298. }
  299. X509_SIG_free(p8);
  300. }
  301. PKCS8_PRIV_KEY_INFO_free(p8inf);
  302. EVP_PKEY_free(pkey);
  303. BIO_free_all(out);
  304. if (passin)
  305. OPENSSL_free(passin);
  306. if (passout)
  307. OPENSSL_free(passout);
  308. return (0);
  309. }
  310. if (nocrypt) {
  311. if (informat == FORMAT_PEM)
  312. p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
  313. else if (informat == FORMAT_ASN1)
  314. p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
  315. else {
  316. BIO_printf(bio_err, "Bad format specified for key\n");
  317. return (1);
  318. }
  319. } else {
  320. if (informat == FORMAT_PEM)
  321. p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
  322. else if (informat == FORMAT_ASN1)
  323. p8 = d2i_PKCS8_bio(in, NULL);
  324. else {
  325. BIO_printf(bio_err, "Bad format specified for key\n");
  326. return (1);
  327. }
  328. if (!p8) {
  329. BIO_printf(bio_err, "Error reading key\n");
  330. ERR_print_errors(bio_err);
  331. return (1);
  332. }
  333. if (passin)
  334. p8pass = passin;
  335. else {
  336. p8pass = pass;
  337. EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
  338. }
  339. p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
  340. X509_SIG_free(p8);
  341. }
  342. if (!p8inf) {
  343. BIO_printf(bio_err, "Error decrypting key\n");
  344. ERR_print_errors(bio_err);
  345. return (1);
  346. }
  347. if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
  348. BIO_printf(bio_err, "Error converting key\n");
  349. ERR_print_errors(bio_err);
  350. return (1);
  351. }
  352. if (p8inf->broken) {
  353. BIO_printf(bio_err, "Warning: broken key encoding: ");
  354. switch (p8inf->broken) {
  355. case PKCS8_NO_OCTET:
  356. BIO_printf(bio_err, "No Octet String in PrivateKey\n");
  357. break;
  358. case PKCS8_EMBEDDED_PARAM:
  359. BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
  360. break;
  361. case PKCS8_NS_DB:
  362. BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
  363. break;
  364. default:
  365. BIO_printf(bio_err, "Unknown broken type\n");
  366. break;
  367. }
  368. }
  369. PKCS8_PRIV_KEY_INFO_free(p8inf);
  370. if (outformat == FORMAT_PEM)
  371. PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
  372. else if (outformat == FORMAT_ASN1)
  373. i2d_PrivateKey_bio(out, pkey);
  374. else {
  375. BIO_printf(bio_err, "Bad format specified for key\n");
  376. return (1);
  377. }
  378. end:
  379. EVP_PKEY_free(pkey);
  380. BIO_free_all(out);
  381. BIO_free(in);
  382. if (passin)
  383. OPENSSL_free(passin);
  384. if (passout)
  385. OPENSSL_free(passout);
  386. return (0);
  387. }