Context Navigation

source: trunk/third/openssl/apps/pkcs12.c @ 18442

Visit:

Revision 18442, 27.4 KB checked in by zacheiss, 21 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r18441, which included commits to RCS files with non-trunk default branches.

Line
1	/* pkcs12.c */
2	#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
3
4	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
5	* project 1999.
6	*/
7	/* ====================================================================
8	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
9	*
10	* Redistribution and use in source and binary forms, with or without
11	* modification, are permitted provided that the following conditions
12	* are met:
13	*
14	* 1. Redistributions of source code must retain the above copyright
15	* notice, this list of conditions and the following disclaimer.
16	*
17	* 2. Redistributions in binary form must reproduce the above copyright
18	* notice, this list of conditions and the following disclaimer in
19	* the documentation and/or other materials provided with the
20	* distribution.
21	*
22	* 3. All advertising materials mentioning features or use of this
23	* software must display the following acknowledgment:
24	* "This product includes software developed by the OpenSSL Project
25	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26	*
27	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
28	* endorse or promote products derived from this software without
29	* prior written permission. For written permission, please contact
30	* licensing@OpenSSL.org.
31	*
32	* 5. Products derived from this software may not be called "OpenSSL"
33	* nor may "OpenSSL" appear in their names without prior written
34	* permission of the OpenSSL Project.
35	*
36	* 6. Redistributions of any form whatsoever must retain the following
37	* acknowledgment:
38	* "This product includes software developed by the OpenSSL Project
39	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
42	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
44	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
45	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
46	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
47	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
48	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
50	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
51	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52	* OF THE POSSIBILITY OF SUCH DAMAGE.
53	* ====================================================================
54	*
55	* This product includes cryptographic software written by Eric Young
56	* (eay@cryptsoft.com). This product includes software written by Tim
57	* Hudson (tjh@cryptsoft.com).
58	*
59	*/
60
61	#include <stdio.h>
62	#include <stdlib.h>
63	#include <string.h>
64	#include "apps.h"
65	#include <openssl/crypto.h>
66	#include <openssl/err.h>
67	#include <openssl/pem.h>
68	#include <openssl/pkcs12.h>
69
70	#define PROG pkcs12_main
71
72	const EVP_CIPHER *enc;
73
74
75	#define NOKEYS 0x1
76	#define NOCERTS 0x2
77	#define INFO 0x4
78	#define CLCERTS 0x8
79	#define CACERTS 0x10
80
81	int get_cert_chain (X509 cert, X509_STORE store, STACK_OF(X509) **chain);
82	int dump_certs_keys_p12(BIO out, PKCS12 p12, char pass, int passlen, int options, char pempass);
83	int dump_certs_pkeys_bags(BIO out, STACK_OF(PKCS12_SAFEBAG) bags, char *pass,
84	int passlen, int options, char *pempass);
85	int dump_certs_pkeys_bag(BIO out, PKCS12_SAFEBAG bags, char pass, int passlen, int options, char pempass);
86	int print_attribs(BIO out, STACK_OF(X509_ATTRIBUTE) attrlst, char *name);
87	void hex_prin(BIO out, unsigned char buf, int len);
88	int alg_print(BIO x, X509_ALGOR alg);
89	int cert_load(BIO in, STACK_OF(X509) sk);
90
91	int MAIN(int, char **);
92
93	int MAIN(int argc, char **argv)
94	{
95	ENGINE *e = NULL;
96	char infile=NULL, outfile=NULL, *keyname = NULL;
97	char *certfile=NULL;
98	BIO in=NULL, out = NULL;
99	char **args;
100	char *name = NULL;
101	char *csp_name = NULL;
102	PKCS12 *p12 = NULL;
103	char pass[50], macpass[50];
104	int export_cert = 0;
105	int options = 0;
106	int chain = 0;
107	int badarg = 0;
108	int iter = PKCS12_DEFAULT_ITER;
109	int maciter = PKCS12_DEFAULT_ITER;
110	int twopass = 0;
111	int keytype = 0;
112	int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
113	int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
114	int ret = 1;
115	int macver = 1;
116	int noprompt = 0;
117	STACK *canames = NULL;
118	char cpass = NULL, mpass = NULL;
119	char passargin = NULL, passargout = NULL, *passarg = NULL;
120	char passin = NULL, passout = NULL;
121	char *inrand = NULL;
122	char CApath = NULL, CAfile = NULL;
123	char *engine=NULL;
124
125	apps_startup();
126
127	enc = EVP_des_ede3_cbc();
128	if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
129
130	if (!load_config(bio_err, NULL))
131	goto end;
132
133	args = argv + 1;
134
135
136	while (*args) {
137	if (*args[0] == '-') {
138	if (!strcmp (*args, "-nokeys")) options \|= NOKEYS;
139	else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;
140	else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;
141	else if (!strcmp (*args, "-nocerts")) options \|= NOCERTS;
142	else if (!strcmp (*args, "-clcerts")) options \|= CLCERTS;
143	else if (!strcmp (*args, "-cacerts")) options \|= CACERTS;
144	else if (!strcmp (*args, "-noout")) options \|= (NOKEYS\|NOCERTS);
145	else if (!strcmp (*args, "-info")) options \|= INFO;
146	else if (!strcmp (*args, "-chain")) chain = 1;
147	else if (!strcmp (*args, "-twopass")) twopass = 1;
148	else if (!strcmp (*args, "-nomacver")) macver = 0;
149	else if (!strcmp (*args, "-descert"))
150	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
151	else if (!strcmp (*args, "-export")) export_cert = 1;
152	else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
153	#ifndef OPENSSL_NO_IDEA
154	else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
155	#endif
156	else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
157	#ifndef OPENSSL_NO_AES
158	else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
159	else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
160	else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
161	#endif
162	else if (!strcmp (*args, "-noiter")) iter = 1;
163	else if (!strcmp (*args, "-maciter"))
164	maciter = PKCS12_DEFAULT_ITER;
165	else if (!strcmp (*args, "-nomaciter"))
166	maciter = 1;
167	else if (!strcmp (*args, "-nodes")) enc=NULL;
168	else if (!strcmp (*args, "-certpbe")) {
169	if (args[1]) {
170	args++;
171	cert_pbe=OBJ_txt2nid(*args);
172	if(cert_pbe == NID_undef) {
173	BIO_printf(bio_err,
174	"Unknown PBE algorithm %s\n", *args);
175	badarg = 1;
176	}
177	} else badarg = 1;
178	} else if (!strcmp (*args, "-keypbe")) {
179	if (args[1]) {
180	args++;
181	key_pbe=OBJ_txt2nid(*args);
182	if(key_pbe == NID_undef) {
183	BIO_printf(bio_err,
184	"Unknown PBE algorithm %s\n", *args);
185	badarg = 1;
186	}
187	} else badarg = 1;
188	} else if (!strcmp (*args, "-rand")) {
189	if (args[1]) {
190	args++;
191	inrand = *args;
192	} else badarg = 1;
193	} else if (!strcmp (*args, "-inkey")) {
194	if (args[1]) {
195	args++;
196	keyname = *args;
197	} else badarg = 1;
198	} else if (!strcmp (*args, "-certfile")) {
199	if (args[1]) {
200	args++;
201	certfile = *args;
202	} else badarg = 1;
203	} else if (!strcmp (*args, "-name")) {
204	if (args[1]) {
205	args++;
206	name = *args;
207	} else badarg = 1;
208	} else if (!strcmp (*args, "-CSP")) {
209	if (args[1]) {
210	args++;
211	csp_name = *args;
212	} else badarg = 1;
213	} else if (!strcmp (*args, "-caname")) {
214	if (args[1]) {
215	args++;
216	if (!canames) canames = sk_new_null();
217	sk_push(canames, *args);
218	} else badarg = 1;
219	} else if (!strcmp (*args, "-in")) {
220	if (args[1]) {
221	args++;
222	infile = *args;
223	} else badarg = 1;
224	} else if (!strcmp (*args, "-out")) {
225	if (args[1]) {
226	args++;
227	outfile = *args;
228	} else badarg = 1;
229	} else if (!strcmp(*args,"-passin")) {
230	if (args[1]) {
231	args++;
232	passargin = *args;
233	} else badarg = 1;
234	} else if (!strcmp(*args,"-passout")) {
235	if (args[1]) {
236	args++;
237	passargout = *args;
238	} else badarg = 1;
239	} else if (!strcmp (*args, "-password")) {
240	if (args[1]) {
241	args++;
242	passarg = *args;
243	noprompt = 1;
244	} else badarg = 1;
245	} else if (!strcmp(*args,"-CApath")) {
246	if (args[1]) {
247	args++;
248	CApath = *args;
249	} else badarg = 1;
250	} else if (!strcmp(*args,"-CAfile")) {
251	if (args[1]) {
252	args++;
253	CAfile = *args;
254	} else badarg = 1;
255	} else if (!strcmp(*args,"-engine")) {
256	if (args[1]) {
257	args++;
258	engine = *args;
259	} else badarg = 1;
260	} else badarg = 1;
261
262	} else badarg = 1;
263	args++;
264	}
265
266	if (badarg) {
267	BIO_printf (bio_err, "Usage: pkcs12 [options]\n");
268	BIO_printf (bio_err, "where options are\n");
269	BIO_printf (bio_err, "-export output PKCS12 file\n");
270	BIO_printf (bio_err, "-chain add certificate chain\n");
271	BIO_printf (bio_err, "-inkey file private key if not infile\n");
272	BIO_printf (bio_err, "-certfile f add all certs in f\n");
273	BIO_printf (bio_err, "-CApath arg - PEM format directory of CA's\n");
274	BIO_printf (bio_err, "-CAfile arg - PEM format file of CA's\n");
275	BIO_printf (bio_err, "-name \"name\" use name as friendly name\n");
276	BIO_printf (bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
277	BIO_printf (bio_err, "-in infile input filename\n");
278	BIO_printf (bio_err, "-out outfile output filename\n");
279	BIO_printf (bio_err, "-noout don't output anything, just verify.\n");
280	BIO_printf (bio_err, "-nomacver don't verify MAC.\n");
281	BIO_printf (bio_err, "-nocerts don't output certificates.\n");
282	BIO_printf (bio_err, "-clcerts only output client certificates.\n");
283	BIO_printf (bio_err, "-cacerts only output CA certificates.\n");
284	BIO_printf (bio_err, "-nokeys don't output private keys.\n");
285	BIO_printf (bio_err, "-info give info about PKCS#12 structure.\n");
286	BIO_printf (bio_err, "-des encrypt private keys with DES\n");
287	BIO_printf (bio_err, "-des3 encrypt private keys with triple DES (default)\n");
288	#ifndef OPENSSL_NO_IDEA
289	BIO_printf (bio_err, "-idea encrypt private keys with idea\n");
290	#endif
291	#ifndef OPENSSL_NO_AES
292	BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
293	BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
294	#endif
295	BIO_printf (bio_err, "-nodes don't encrypt private keys\n");
296	BIO_printf (bio_err, "-noiter don't use encryption iteration\n");
297	BIO_printf (bio_err, "-maciter use MAC iteration\n");
298	BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n");
299	BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
300	BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
301	BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
302	BIO_printf (bio_err, "-keyex set MS key exchange type\n");
303	BIO_printf (bio_err, "-keysig set MS key signature type\n");
304	BIO_printf (bio_err, "-password p set import/export password source\n");
305	BIO_printf (bio_err, "-passin p input file pass phrase source\n");
306	BIO_printf (bio_err, "-passout p output file pass phrase source\n");
307	BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
308	BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
309	BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
310	BIO_printf(bio_err, " the random number generator\n");
311	goto end;
312	}
313
314	e = setup_engine(bio_err, engine, 0);
315
316	if(passarg) {
317	if(export_cert) passargout = passarg;
318	else passargin = passarg;
319	}
320
321	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
322	BIO_printf(bio_err, "Error getting passwords\n");
323	goto end;
324	}
325
326	if(!cpass) {
327	if(export_cert) cpass = passout;
328	else cpass = passin;
329	}
330
331	if(cpass) {
332	mpass = cpass;
333	noprompt = 1;
334	} else {
335	cpass = pass;
336	mpass = macpass;
337	}
338
339	if(export_cert \|\| inrand) {
340	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
341	if (inrand != NULL)
342	BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
343	app_RAND_load_files(inrand));
344	}
345	ERR_load_crypto_strings();
346
347	#ifdef CRYPTO_MDEBUG
348	CRYPTO_push_info("read files");
349	#endif
350
351	if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);
352	else in = BIO_new_file(infile, "rb");
353	if (!in) {
354	BIO_printf(bio_err, "Error opening input file %s\n",
355	infile ? infile : "<stdin>");
356	perror (infile);
357	goto end;
358	}
359
360	#if 0
361	if (certfile) {
362	if(!(certsin = BIO_new_file(certfile, "r"))) {
363	BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
364	perror (certfile);
365	goto end;
366	}
367	}
368
369	if (keyname) {
370	if(!(inkey = BIO_new_file(keyname, "r"))) {
371	BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);
372	perror (keyname);
373	goto end;
374	}
375	}
376	#endif
377
378	#ifdef CRYPTO_MDEBUG
379	CRYPTO_pop_info();
380	CRYPTO_push_info("write files");
381	#endif
382
383	if (!outfile) {
384	out = BIO_new_fp(stdout, BIO_NOCLOSE);
385	#ifdef OPENSSL_SYS_VMS
386	{
387	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
388	out = BIO_push(tmpbio, out);
389	}
390	#endif
391	} else out = BIO_new_file(outfile, "wb");
392	if (!out) {
393	BIO_printf(bio_err, "Error opening output file %s\n",
394	outfile ? outfile : "<stdout>");
395	perror (outfile);
396	goto end;
397	}
398	if (twopass) {
399	#ifdef CRYPTO_MDEBUG
400	CRYPTO_push_info("read MAC password");
401	#endif
402	if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert))
403	{
404	BIO_printf (bio_err, "Can't read Password\n");
405	goto end;
406	}
407	#ifdef CRYPTO_MDEBUG
408	CRYPTO_pop_info();
409	#endif
410	}
411
412	if (export_cert) {
413	EVP_PKEY *key = NULL;
414	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
415	STACK_OF(PKCS7) *safes = NULL;
416	PKCS12_SAFEBAG *bag = NULL;
417	PKCS8_PRIV_KEY_INFO *p8 = NULL;
418	PKCS7 *authsafe = NULL;
419	X509 *ucert = NULL;
420	STACK_OF(X509) *certs=NULL;
421	char *catmp = NULL;
422	int i;
423	unsigned char keyid[EVP_MAX_MD_SIZE];
424	unsigned int keyidlen = 0;
425
426	#ifdef CRYPTO_MDEBUG
427	CRYPTO_push_info("process -export_cert");
428	CRYPTO_push_info("reading private key");
429	#endif
430	key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
431	passin, e, "private key");
432	if (!key) {
433	goto export_end;
434	}
435
436	#ifdef CRYPTO_MDEBUG
437	CRYPTO_pop_info();
438	CRYPTO_push_info("reading certs from input");
439	#endif
440
441	/* Load in all certs in input file */
442	if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
443	"certificates"))) {
444	goto export_end;
445	}
446
447	#ifdef CRYPTO_MDEBUG
448	CRYPTO_pop_info();
449	CRYPTO_push_info("reading certs from input 2");
450	#endif
451
452	for(i = 0; i < sk_X509_num(certs); i++) {
453	ucert = sk_X509_value(certs, i);
454	if(X509_check_private_key(ucert, key)) {
455	X509_digest(ucert, EVP_sha1(), keyid, &keyidlen);
456	break;
457	}
458	}
459	if(!keyidlen) {
460	ucert = NULL;
461	BIO_printf(bio_err, "No certificate matches private key\n");
462	goto export_end;
463	}
464
465	#ifdef CRYPTO_MDEBUG
466	CRYPTO_pop_info();
467	CRYPTO_push_info("reading certs from certfile");
468	#endif
469
470	bags = sk_PKCS12_SAFEBAG_new_null ();
471
472	/* Add any more certificates asked for */
473	if (certfile) {
474	STACK_OF(X509) *morecerts=NULL;
475	if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
476	NULL, e,
477	"certificates from certfile"))) {
478	goto export_end;
479	}
480	while(sk_X509_num(morecerts) > 0) {
481	sk_X509_push(certs, sk_X509_shift(morecerts));
482	}
483	sk_X509_free(morecerts);
484	}
485
486	#ifdef CRYPTO_MDEBUG
487	CRYPTO_pop_info();
488	CRYPTO_push_info("building chain");
489	#endif
490
491	/* If chaining get chain from user cert */
492	if (chain) {
493	int vret;
494	STACK_OF(X509) *chain2;
495	X509_STORE *store = X509_STORE_new();
496	if (!store)
497	{
498	BIO_printf (bio_err, "Memory allocation error\n");
499	goto export_end;
500	}
501	if (!X509_STORE_load_locations(store, CAfile, CApath))
502	X509_STORE_set_default_paths (store);
503
504	vret = get_cert_chain (ucert, store, &chain2);
505	X509_STORE_free(store);
506
507	if (!vret) {
508	/* Exclude verified certificate */
509	for (i = 1; i < sk_X509_num (chain2) ; i++)
510	sk_X509_push(certs, sk_X509_value (chain2, i));
511	/* Free first certificate */
512	X509_free(sk_X509_value(chain2, 0));
513	sk_X509_free(chain2);
514	} else {
515	BIO_printf (bio_err, "Error %s getting chain.\n",
516	X509_verify_cert_error_string(vret));
517	goto export_end;
518	}
519	}
520
521	#ifdef CRYPTO_MDEBUG
522	CRYPTO_pop_info();
523	CRYPTO_push_info("building bags");
524	#endif
525
526	/* We now have loads of certificates: include them all */
527	for(i = 0; i < sk_X509_num(certs); i++) {
528	X509 *cert = NULL;
529	cert = sk_X509_value(certs, i);
530	bag = PKCS12_x5092certbag(cert);
531	/* If it matches private key set id */
532	if(cert == ucert) {
533	if(name) PKCS12_add_friendlyname(bag, name, -1);
534	PKCS12_add_localkeyid(bag, keyid, keyidlen);
535	} else if((catmp = sk_shift(canames)))
536	PKCS12_add_friendlyname(bag, catmp, -1);
537	sk_PKCS12_SAFEBAG_push(bags, bag);
538	}
539	sk_X509_pop_free(certs, X509_free);
540	certs = NULL;
541
542	#ifdef CRYPTO_MDEBUG
543	CRYPTO_pop_info();
544	CRYPTO_push_info("encrypting bags");
545	#endif
546
547	if(!noprompt &&
548	EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
549	BIO_printf (bio_err, "Can't read Password\n");
550	goto export_end;
551	}
552	if (!twopass) strcpy(macpass, pass);
553	/* Turn certbags into encrypted authsafe */
554	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
555	iter, bags);
556	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
557	bags = NULL;
558
559	if (!authsafe) {
560	ERR_print_errors (bio_err);
561	goto export_end;
562	}
563
564	safes = sk_PKCS7_new_null ();
565	sk_PKCS7_push (safes, authsafe);
566
567	#ifdef CRYPTO_MDEBUG
568	CRYPTO_pop_info();
569	CRYPTO_push_info("building shrouded key bag");
570	#endif
571
572	/* Make a shrouded key bag */
573	p8 = EVP_PKEY2PKCS8 (key);
574	if(keytype) PKCS8_add_keyusage(p8, keytype);
575	bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
576	PKCS8_PRIV_KEY_INFO_free(p8);
577	p8 = NULL;
578	if (name) PKCS12_add_friendlyname (bag, name, -1);
579	if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1);
580	PKCS12_add_localkeyid (bag, keyid, keyidlen);
581	bags = sk_PKCS12_SAFEBAG_new_null();
582	sk_PKCS12_SAFEBAG_push (bags, bag);
583
584	#ifdef CRYPTO_MDEBUG
585	CRYPTO_pop_info();
586	CRYPTO_push_info("encrypting shrouded key bag");
587	#endif
588
589	/* Turn it into unencrypted safe bag */
590	authsafe = PKCS12_pack_p7data (bags);
591	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
592	bags = NULL;
593	sk_PKCS7_push (safes, authsafe);
594
595	#ifdef CRYPTO_MDEBUG
596	CRYPTO_pop_info();
597	CRYPTO_push_info("building pkcs12");
598	#endif
599
600	p12 = PKCS12_init(NID_pkcs7_data);
601
602	PKCS12_pack_authsafes(p12, safes);
603
604	sk_PKCS7_pop_free(safes, PKCS7_free);
605	safes = NULL;
606
607	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
608
609	#ifdef CRYPTO_MDEBUG
610	CRYPTO_pop_info();
611	CRYPTO_push_info("writing pkcs12");
612	#endif
613
614	i2d_PKCS12_bio (out, p12);
615
616	ret = 0;
617
618	export_end:
619	#ifdef CRYPTO_MDEBUG
620	CRYPTO_pop_info();
621	CRYPTO_pop_info();
622	CRYPTO_push_info("process -export_cert: freeing");
623	#endif
624
625	if (key) EVP_PKEY_free(key);
626	if (certs) sk_X509_pop_free(certs, X509_free);
627	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
628	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
629
630	#ifdef CRYPTO_MDEBUG
631	CRYPTO_pop_info();
632	#endif
633	goto end;
634
635	}
636
637	if (!(p12 = d2i_PKCS12_bio (in, NULL))) {
638	ERR_print_errors(bio_err);
639	goto end;
640	}
641
642	#ifdef CRYPTO_MDEBUG
643	CRYPTO_push_info("read import password");
644	#endif
645	if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
646	BIO_printf (bio_err, "Can't read Password\n");
647	goto end;
648	}
649	#ifdef CRYPTO_MDEBUG
650	CRYPTO_pop_info();
651	#endif
652
653	if (!twopass) strcpy(macpass, pass);
654
655	if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
656	if(macver) {
657	#ifdef CRYPTO_MDEBUG
658	CRYPTO_push_info("verify MAC");
659	#endif
660	/* If we enter empty password try no password first */
661	if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
662	/* If mac and crypto pass the same set it to NULL too */
663	if(!twopass) cpass = NULL;
664	} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
665	BIO_printf (bio_err, "Mac verify error: invalid password?\n");
666	ERR_print_errors (bio_err);
667	goto end;
668	}
669	BIO_printf (bio_err, "MAC verified OK\n");
670	#ifdef CRYPTO_MDEBUG
671	CRYPTO_pop_info();
672	#endif
673	}
674
675	#ifdef CRYPTO_MDEBUG
676	CRYPTO_push_info("output keys and certificates");
677	#endif
678	if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
679	BIO_printf(bio_err, "Error outputting keys and certificates\n");
680	ERR_print_errors (bio_err);
681	goto end;
682	}
683	#ifdef CRYPTO_MDEBUG
684	CRYPTO_pop_info();
685	#endif
686	ret = 0;
687	end:
688	if (p12) PKCS12_free(p12);
689	if(export_cert \|\| inrand) app_RAND_write_file(NULL, bio_err);
690	#ifdef CRYPTO_MDEBUG
691	CRYPTO_remove_all_info();
692	#endif
693	BIO_free(in);
694	BIO_free_all(out);
695	if (canames) sk_free(canames);
696	if(passin) OPENSSL_free(passin);
697	if(passout) OPENSSL_free(passout);
698	apps_shutdown();
699	OPENSSL_EXIT(ret);
700	}
701
702	int dump_certs_keys_p12 (BIO out, PKCS12 p12, char *pass,
703	int passlen, int options, char *pempass)
704	{
705	STACK_OF(PKCS7) *asafes;
706	STACK_OF(PKCS12_SAFEBAG) *bags;
707	int i, bagnid;
708	PKCS7 *p7;
709
710	if (!( asafes = PKCS12_unpack_authsafes(p12))) return 0;
711	for (i = 0; i < sk_PKCS7_num (asafes); i++) {
712	p7 = sk_PKCS7_value (asafes, i);
713	bagnid = OBJ_obj2nid (p7->type);
714	if (bagnid == NID_pkcs7_data) {
715	bags = PKCS12_unpack_p7data(p7);
716	if (options & INFO) BIO_printf (bio_err, "PKCS7 Data\n");
717	} else if (bagnid == NID_pkcs7_encrypted) {
718	if (options & INFO) {
719	BIO_printf(bio_err, "PKCS7 Encrypted data: ");
720	alg_print(bio_err,
721	p7->d.encrypted->enc_data->algorithm);
722	}
723	bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
724	} else continue;
725	if (!bags) return 0;
726	if (!dump_certs_pkeys_bags (out, bags, pass, passlen,
727	options, pempass)) {
728	sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
729	return 0;
730	}
731	sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
732	}
733	sk_PKCS7_pop_free (asafes, PKCS7_free);
734	return 1;
735	}
736
737	int dump_certs_pkeys_bags (BIO out, STACK_OF(PKCS12_SAFEBAG) bags,
738	char pass, int passlen, int options, char pempass)
739	{
740	int i;
741	for (i = 0; i < sk_PKCS12_SAFEBAG_num (bags); i++) {
742	if (!dump_certs_pkeys_bag (out,
743	sk_PKCS12_SAFEBAG_value (bags, i),
744	pass, passlen,
745	options, pempass))
746	return 0;
747	}
748	return 1;
749	}
750
751	int dump_certs_pkeys_bag (BIO out, PKCS12_SAFEBAG bag, char *pass,
752	int passlen, int options, char *pempass)
753	{
754	EVP_PKEY *pkey;
755	PKCS8_PRIV_KEY_INFO *p8;
756	X509 *x509;
757
758	switch (M_PKCS12_bag_type(bag))
759	{
760	case NID_keyBag:
761	if (options & INFO) BIO_printf (bio_err, "Key bag\n");
762	if (options & NOKEYS) return 1;
763	print_attribs (out, bag->attrib, "Bag Attributes");
764	p8 = bag->value.keybag;
765	if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
766	print_attribs (out, p8->attributes, "Key Attributes");
767	PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
768	EVP_PKEY_free(pkey);
769	break;
770
771	case NID_pkcs8ShroudedKeyBag:
772	if (options & INFO) {
773	BIO_printf (bio_err, "Shrouded Keybag: ");
774	alg_print (bio_err, bag->value.shkeybag->algor);
775	}
776	if (options & NOKEYS) return 1;
777	print_attribs (out, bag->attrib, "Bag Attributes");
778	if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
779	return 0;
780	if (!(pkey = EVP_PKCS82PKEY (p8))) {
781	PKCS8_PRIV_KEY_INFO_free(p8);
782	return 0;
783	}
784	print_attribs (out, p8->attributes, "Key Attributes");
785	PKCS8_PRIV_KEY_INFO_free(p8);
786	PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
787	EVP_PKEY_free(pkey);
788	break;
789
790	case NID_certBag:
791	if (options & INFO) BIO_printf (bio_err, "Certificate bag\n");
792	if (options & NOCERTS) return 1;
793	if (PKCS12_get_attr(bag, NID_localKeyID)) {
794	if (options & CACERTS) return 1;
795	} else if (options & CLCERTS) return 1;
796	print_attribs (out, bag->attrib, "Bag Attributes");
797	if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
798	return 1;
799	if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
800	dump_cert_text (out, x509);
801	PEM_write_bio_X509 (out, x509);
802	X509_free(x509);
803	break;
804
805	case NID_safeContentsBag:
806	if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
807	print_attribs (out, bag->attrib, "Bag Attributes");
808	return dump_certs_pkeys_bags (out, bag->value.safes, pass,
809	passlen, options, pempass);
810
811	default:
812	BIO_printf (bio_err, "Warning unsupported bag type: ");
813	i2a_ASN1_OBJECT (bio_err, bag->type);
814	BIO_printf (bio_err, "\n");
815	return 1;
816	break;
817	}
818	return 1;
819	}
820
821	/* Given a single certificate return a verified chain or NULL if error */
822
823	/* Hope this is OK .... */
824
825	int get_cert_chain (X509 cert, X509_STORE store, STACK_OF(X509) **chain)
826	{
827	X509_STORE_CTX store_ctx;
828	STACK_OF(X509) *chn;
829	int i;
830
831	/* FIXME: Should really check the return status of X509_STORE_CTX_init
832	* for an error, but how that fits into the return value of this
833	* function is less obvious. */
834	X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
835	if (X509_verify_cert(&store_ctx) <= 0) {
836	i = X509_STORE_CTX_get_error (&store_ctx);
837	goto err;
838	}
839	chn = X509_STORE_CTX_get1_chain(&store_ctx);
840	i = 0;
841	*chain = chn;
842	err:
843	X509_STORE_CTX_cleanup(&store_ctx);
844
845	return i;
846	}
847
848	int alg_print (BIO x, X509_ALGOR alg)
849	{
850	PBEPARAM *pbe;
851	unsigned char *p;
852	p = alg->parameter->value.sequence->data;
853	pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length);
854	BIO_printf (bio_err, "%s, Iteration %d\n",
855	OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter));
856	PBEPARAM_free (pbe);
857	return 0;
858	}
859
860	/* Load all certificates from a given file */
861
862	int cert_load(BIO in, STACK_OF(X509) sk)
863	{
864	int ret;
865	X509 *cert;
866	ret = 0;
867	#ifdef CRYPTO_MDEBUG
868	CRYPTO_push_info("cert_load(): reading one cert");
869	#endif
870	while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
871	#ifdef CRYPTO_MDEBUG
872	CRYPTO_pop_info();
873	#endif
874	ret = 1;
875	sk_X509_push(sk, cert);
876	#ifdef CRYPTO_MDEBUG
877	CRYPTO_push_info("cert_load(): reading one cert");
878	#endif
879	}
880	#ifdef CRYPTO_MDEBUG
881	CRYPTO_pop_info();
882	#endif
883	if(ret) ERR_clear_error();
884	return ret;
885	}
886
887	/* Generalised attribute print: handle PKCS#8 and bag attributes */
888
889	int print_attribs (BIO out, STACK_OF(X509_ATTRIBUTE) attrlst, char *name)
890	{
891	X509_ATTRIBUTE *attr;
892	ASN1_TYPE *av;
893	char *value;
894	int i, attr_nid;
895	if(!attrlst) {
896	BIO_printf(out, "%s: <No Attributes>\n", name);
897	return 1;
898	}
899	if(!sk_X509_ATTRIBUTE_num(attrlst)) {
900	BIO_printf(out, "%s: <Empty Attributes>\n", name);
901	return 1;
902	}
903	BIO_printf(out, "%s\n", name);
904	for(i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
905	attr = sk_X509_ATTRIBUTE_value(attrlst, i);
906	attr_nid = OBJ_obj2nid(attr->object);
907	BIO_printf(out, " ");
908	if(attr_nid == NID_undef) {
909	i2a_ASN1_OBJECT (out, attr->object);
910	BIO_printf(out, ": ");
911	} else BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
912
913	if(sk_ASN1_TYPE_num(attr->value.set)) {
914	av = sk_ASN1_TYPE_value(attr->value.set, 0);
915	switch(av->type) {
916	case V_ASN1_BMPSTRING:
917	value = uni2asc(av->value.bmpstring->data,
918	av->value.bmpstring->length);
919	BIO_printf(out, "%s\n", value);
920	OPENSSL_free(value);
921	break;
922
923	case V_ASN1_OCTET_STRING:
924	hex_prin(out, av->value.octet_string->data,
925	av->value.octet_string->length);
926	BIO_printf(out, "\n");
927	break;
928
929	case V_ASN1_BIT_STRING:
930	hex_prin(out, av->value.bit_string->data,
931	av->value.bit_string->length);
932	BIO_printf(out, "\n");
933	break;
934
935	default:
936	BIO_printf(out, "<Unsupported tag %d>\n", av->type);
937	break;
938	}
939	} else BIO_printf(out, "<No Values>\n");
940	}
941	return 1;
942	}
943
944	void hex_prin(BIO out, unsigned char buf, int len)
945	{
946	int i;
947	for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]);
948	}
949
950	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: