1 /* 2 * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/opensslconf.h> 11 12 #include <stdio.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include "apps.h" 16 #include "progs.h" 17 #include <openssl/asn1.h> 18 #include <openssl/crypto.h> 19 #include <openssl/err.h> 20 #include <openssl/pem.h> 21 #include <openssl/pkcs12.h> 22 #include <openssl/provider.h> 23 #include <openssl/kdf.h> 24 #include <openssl/rand.h> 25 26 #define NOKEYS 0x1 27 #define NOCERTS 0x2 28 #define INFO 0x4 29 #define CLCERTS 0x8 30 #define CACERTS 0x10 31 32 #define PASSWD_BUF_SIZE 2048 33 34 #define WARN_EXPORT(opt) \ 35 BIO_printf(bio_err, "Warning: -%s option ignored with -export\n", opt); 36 #define WARN_NO_EXPORT(opt) \ 37 BIO_printf(bio_err, "Warning: -%s option ignored without -export\n", opt); 38 39 static int get_cert_chain(X509 *cert, X509_STORE *store, 40 STACK_OF(X509) *untrusted_certs, 41 STACK_OF(X509) **chain); 42 int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, 43 const char *pass, int passlen, int options, 44 char *pempass, const EVP_CIPHER *enc); 45 int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags, 46 const char *pass, int passlen, int options, 47 char *pempass, const EVP_CIPHER *enc); 48 int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags, 49 const char *pass, int passlen, 50 int options, char *pempass, const EVP_CIPHER *enc); 51 void print_attribute(BIO *out, const ASN1_TYPE *av); 52 int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, 53 const char *name); 54 void hex_prin(BIO *out, unsigned char *buf, int len); 55 static int alg_print(const X509_ALGOR *alg); 56 int cert_load(BIO *in, STACK_OF(X509) *sk); 57 static int set_pbe(int *ppbe, const char *str); 58 static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg); 59 60 typedef enum OPTION_choice { 61 OPT_COMMON, 62 OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, 63 OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, 64 #ifndef OPENSSL_NO_DES 65 OPT_DESCERT, 66 #endif 67 OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_MACSALTLEN, 68 OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, 69 OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS, 70 OPT_NAME, OPT_CSP, OPT_CANAME, 71 OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, 72 OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, 73 OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, OPT_PBMAC1_PBKDF2, OPT_PBMAC1_PBKDF2_MD, 74 #ifndef OPENSSL_NO_DES 75 OPT_LEGACY_ALG 76 #endif 77 } OPTION_CHOICE; 78 79 const OPTIONS pkcs12_options[] = { 80 OPT_SECTION("General"), 81 {"help", OPT_HELP, '-', "Display this summary"}, 82 {"in", OPT_IN, '<', "Input file"}, 83 {"out", OPT_OUT, '>', "Output file"}, 84 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, 85 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, 86 {"password", OPT_PASSWORD, 's', "Set PKCS#12 import/export password source"}, 87 {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"}, 88 {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, 89 {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, 90 {"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"}, 91 #ifndef OPENSSL_NO_DES 92 {"legacy", OPT_LEGACY_ALG, '-', 93 # ifdef OPENSSL_NO_RC2 94 "Use legacy encryption algorithm 3DES_CBC for keys and certs" 95 # else 96 "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs" 97 # endif 98 }, 99 #endif 100 #ifndef OPENSSL_NO_ENGINE 101 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 102 #endif 103 OPT_PROV_OPTIONS, 104 OPT_R_OPTIONS, 105 106 OPT_SECTION("PKCS#12 import (parsing PKCS#12)"), 107 {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, 108 {"nomacver", OPT_NOMACVER, '-', "Don't verify integrity MAC"}, 109 {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"}, 110 {"cacerts", OPT_CACERTS, '-', "Only output CA certificates"}, 111 {"", OPT_CIPHER, '-', "Any supported cipher for output encryption"}, 112 {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"}, 113 {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"}, 114 115 OPT_SECTION("PKCS#12 output (export)"), 116 {"export", OPT_EXPORT, '-', "Create PKCS12 file"}, 117 {"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"}, 118 {"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"}, 119 {"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"}, 120 {"chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert,"}, 121 {OPT_MORE_STR, 0, 0, 122 "which is the 1st cert from -in matching the private key (if given)"}, 123 {"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"}, 124 {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, 125 {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, 126 {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, 127 {"no-CAfile", OPT_NOCAFILE, '-', 128 "Do not load the default certificates file"}, 129 {"no-CApath", OPT_NOCAPATH, '-', 130 "Do not load certificates from the default certificates directory"}, 131 {"no-CAstore", OPT_NOCASTORE, '-', 132 "Do not load certificates from the default certificates store"}, 133 {"name", OPT_NAME, 's', "Use name as friendly name"}, 134 {"caname", OPT_CANAME, 's', 135 "Use name as CA friendly name (can be repeated)"}, 136 {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, 137 {"LMK", OPT_LMK, '-', 138 "Add local machine keyset attribute to private key"}, 139 {"keyex", OPT_KEYEX, '-', "Set key type to MS key exchange"}, 140 {"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"}, 141 {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"}, 142 {"certpbe", OPT_CERTPBE, 's', 143 "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"}, 144 #ifndef OPENSSL_NO_DES 145 {"descert", OPT_DESCERT, '-', 146 "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"}, 147 #endif 148 {"macalg", OPT_MACALG, 's', 149 "Digest algorithm to use in MAC (default SHA256)"}, 150 {"pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC"}, 151 {"pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)"}, 152 {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"}, 153 {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, 154 {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)"}, 155 {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"}, 156 {"macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC"}, 157 {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, 158 {"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility"}, 159 {NULL} 160 }; 161 162 int pkcs12_main(int argc, char **argv) 163 { 164 char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; 165 char *untrusted = NULL, *ciphername = NULL, *enc_name = NULL; 166 char *passcertsarg = NULL, *passcerts = NULL; 167 char *name = NULL, *csp_name = NULL; 168 char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; 169 int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0; 170 char *jdktrust = NULL; 171 #ifndef OPENSSL_NO_DES 172 int use_legacy = 0; 173 #endif 174 /* use library defaults for the iter, maciter, cert, and key PBE */ 175 int iter = 0, maciter = 0, pbmac1_pbkdf2 = 0; 176 int macsaltlen = PKCS12_SALT_LEN; 177 int cert_pbe = NID_undef; 178 int key_pbe = NID_undef; 179 int ret = 1, macver = 1, add_lmk = 0, private = 0; 180 int noprompt = 0; 181 char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; 182 char *passin = NULL, *passout = NULL, *macalg = NULL, *pbmac1_pbkdf2_md = NULL; 183 char *cpass = NULL, *mpass = NULL, *badpass = NULL; 184 const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL, *prog; 185 int noCApath = 0, noCAfile = 0, noCAstore = 0; 186 ENGINE *e = NULL; 187 BIO *in = NULL, *out = NULL; 188 PKCS12 *p12 = NULL; 189 STACK_OF(OPENSSL_STRING) *canames = NULL; 190 EVP_CIPHER *default_enc = (EVP_CIPHER *)EVP_aes_256_cbc(); 191 EVP_CIPHER *enc = (EVP_CIPHER *)default_enc; 192 OPTION_CHOICE o; 193 194 opt_set_unknown_name("cipher"); 195 prog = opt_init(argc, argv, pkcs12_options); 196 while ((o = opt_next()) != OPT_EOF) { 197 switch (o) { 198 case OPT_EOF: 199 case OPT_ERR: 200 opthelp: 201 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 202 goto end; 203 case OPT_HELP: 204 opt_help(pkcs12_options); 205 ret = 0; 206 goto end; 207 case OPT_NOKEYS: 208 options |= NOKEYS; 209 break; 210 case OPT_KEYEX: 211 keytype = KEY_EX; 212 break; 213 case OPT_KEYSIG: 214 keytype = KEY_SIG; 215 break; 216 case OPT_NOCERTS: 217 options |= NOCERTS; 218 break; 219 case OPT_CLCERTS: 220 options |= CLCERTS; 221 break; 222 case OPT_CACERTS: 223 options |= CACERTS; 224 break; 225 case OPT_NOOUT: 226 options |= (NOKEYS | NOCERTS); 227 break; 228 case OPT_JDKTRUST: 229 jdktrust = opt_arg(); 230 /* Adding jdk trust implies nokeys */ 231 options |= NOKEYS; 232 break; 233 case OPT_INFO: 234 options |= INFO; 235 break; 236 case OPT_CHAIN: 237 chain = 1; 238 break; 239 case OPT_TWOPASS: 240 twopass = 1; 241 break; 242 case OPT_NOMACVER: 243 macver = 0; 244 break; 245 #ifndef OPENSSL_NO_DES 246 case OPT_DESCERT: 247 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 248 break; 249 #endif 250 case OPT_EXPORT: 251 export_pkcs12 = 1; 252 break; 253 case OPT_NODES: 254 case OPT_NOENC: 255 /* 256 * |enc_name| stores the name of the option used so it 257 * can be printed if an error message is output. 258 */ 259 enc_name = opt_flag() + 1; 260 enc = NULL; 261 ciphername = NULL; 262 break; 263 case OPT_CIPHER: 264 enc_name = ciphername = opt_unknown(); 265 break; 266 case OPT_ITER: 267 maciter = iter = opt_int_arg(); 268 break; 269 case OPT_NOITER: 270 iter = 1; 271 break; 272 case OPT_MACITER: 273 /* no-op */ 274 break; 275 case OPT_NOMACITER: 276 maciter = 1; 277 break; 278 case OPT_MACSALTLEN: 279 macsaltlen = opt_int_arg(); 280 break; 281 case OPT_NOMAC: 282 cert_pbe = -1; 283 maciter = -1; 284 break; 285 case OPT_MACALG: 286 macalg = opt_arg(); 287 break; 288 case OPT_PBMAC1_PBKDF2: 289 pbmac1_pbkdf2 = 1; 290 break; 291 case OPT_PBMAC1_PBKDF2_MD: 292 pbmac1_pbkdf2_md = opt_arg(); 293 break; 294 case OPT_CERTPBE: 295 if (!set_pbe(&cert_pbe, opt_arg())) 296 goto opthelp; 297 break; 298 case OPT_KEYPBE: 299 if (!set_pbe(&key_pbe, opt_arg())) 300 goto opthelp; 301 break; 302 case OPT_R_CASES: 303 if (!opt_rand(o)) 304 goto end; 305 break; 306 case OPT_INKEY: 307 keyname = opt_arg(); 308 break; 309 case OPT_CERTFILE: 310 certfile = opt_arg(); 311 break; 312 case OPT_UNTRUSTED: 313 untrusted = opt_arg(); 314 break; 315 case OPT_PASSCERTS: 316 passcertsarg = opt_arg(); 317 break; 318 case OPT_NAME: 319 name = opt_arg(); 320 break; 321 case OPT_LMK: 322 add_lmk = 1; 323 break; 324 case OPT_CSP: 325 csp_name = opt_arg(); 326 break; 327 case OPT_CANAME: 328 if (canames == NULL 329 && (canames = sk_OPENSSL_STRING_new_null()) == NULL) 330 goto end; 331 if (sk_OPENSSL_STRING_push(canames, opt_arg()) <= 0) 332 goto end; 333 break; 334 case OPT_IN: 335 infile = opt_arg(); 336 break; 337 case OPT_OUT: 338 outfile = opt_arg(); 339 break; 340 case OPT_PASSIN: 341 passinarg = opt_arg(); 342 break; 343 case OPT_PASSOUT: 344 passoutarg = opt_arg(); 345 break; 346 case OPT_PASSWORD: 347 passarg = opt_arg(); 348 break; 349 case OPT_CAPATH: 350 CApath = opt_arg(); 351 break; 352 case OPT_CASTORE: 353 CAstore = opt_arg(); 354 break; 355 case OPT_CAFILE: 356 CAfile = opt_arg(); 357 break; 358 case OPT_NOCAPATH: 359 noCApath = 1; 360 break; 361 case OPT_NOCASTORE: 362 noCAstore = 1; 363 break; 364 case OPT_NOCAFILE: 365 noCAfile = 1; 366 break; 367 case OPT_ENGINE: 368 e = setup_engine(opt_arg(), 0); 369 break; 370 #ifndef OPENSSL_NO_DES 371 case OPT_LEGACY_ALG: 372 use_legacy = 1; 373 break; 374 #endif 375 case OPT_PROV_CASES: 376 if (!opt_provider(o)) 377 goto end; 378 break; 379 } 380 } 381 382 /* No extra arguments. */ 383 if (!opt_check_rest_arg(NULL)) 384 goto opthelp; 385 386 if (!app_RAND_load()) 387 goto end; 388 389 if (!opt_cipher_any(ciphername, &enc)) 390 goto opthelp; 391 if (export_pkcs12) { 392 if ((options & INFO) != 0) 393 WARN_EXPORT("info"); 394 if (macver == 0) 395 WARN_EXPORT("nomacver"); 396 if ((options & CLCERTS) != 0) 397 WARN_EXPORT("clcerts"); 398 if ((options & CACERTS) != 0) 399 WARN_EXPORT("cacerts"); 400 if (enc != default_enc) 401 BIO_printf(bio_err, 402 "Warning: output encryption option -%s ignored with -export\n", enc_name); 403 } else { 404 if (keyname != NULL) 405 WARN_NO_EXPORT("inkey"); 406 if (certfile != NULL) 407 WARN_NO_EXPORT("certfile"); 408 if (passcertsarg != NULL) 409 WARN_NO_EXPORT("passcerts"); 410 if (chain) 411 WARN_NO_EXPORT("chain"); 412 if (untrusted != NULL) 413 WARN_NO_EXPORT("untrusted"); 414 if (CAfile != NULL) 415 WARN_NO_EXPORT("CAfile"); 416 if (CApath != NULL) 417 WARN_NO_EXPORT("CApath"); 418 if (CAstore != NULL) 419 WARN_NO_EXPORT("CAstore"); 420 if (noCAfile) 421 WARN_NO_EXPORT("no-CAfile"); 422 if (noCApath) 423 WARN_NO_EXPORT("no-CApath"); 424 if (noCAstore) 425 WARN_NO_EXPORT("no-CAstore"); 426 if (name != NULL) 427 WARN_NO_EXPORT("name"); 428 if (canames != NULL) 429 WARN_NO_EXPORT("caname"); 430 if (csp_name != NULL) 431 WARN_NO_EXPORT("CSP"); 432 if (add_lmk) 433 WARN_NO_EXPORT("LMK"); 434 if (keytype == KEY_EX) 435 WARN_NO_EXPORT("keyex"); 436 if (keytype == KEY_SIG) 437 WARN_NO_EXPORT("keysig"); 438 if (key_pbe != NID_undef) 439 WARN_NO_EXPORT("keypbe"); 440 if (cert_pbe != NID_undef && cert_pbe != -1) 441 WARN_NO_EXPORT("certpbe and -descert"); 442 if (macalg != NULL) 443 WARN_NO_EXPORT("macalg"); 444 if (iter != 0) 445 WARN_NO_EXPORT("iter and -noiter"); 446 if (maciter == 1) 447 WARN_NO_EXPORT("nomaciter"); 448 if (cert_pbe == -1 && maciter == -1) 449 WARN_NO_EXPORT("nomac"); 450 if (macsaltlen != PKCS12_SALT_LEN) 451 WARN_NO_EXPORT("macsaltlen"); 452 } 453 #ifndef OPENSSL_NO_DES 454 if (use_legacy) { 455 /* load the legacy provider if not loaded already*/ 456 if (!OSSL_PROVIDER_available(app_get0_libctx(), "legacy")) { 457 if (!app_provider_load(app_get0_libctx(), "legacy")) 458 goto end; 459 /* load the default provider explicitly */ 460 if (!app_provider_load(app_get0_libctx(), "default")) 461 goto end; 462 } 463 if (cert_pbe == NID_undef) { 464 /* Adapt default algorithm */ 465 # ifndef OPENSSL_NO_RC2 466 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; 467 # else 468 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 469 # endif 470 } 471 472 if (key_pbe == NID_undef) 473 key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 474 if (enc == default_enc) 475 enc = (EVP_CIPHER *)EVP_des_ede3_cbc(); 476 if (macalg == NULL) 477 macalg = "sha1"; 478 } 479 #endif 480 481 private = 1; 482 483 if (!app_passwd(passcertsarg, NULL, &passcerts, NULL)) { 484 BIO_printf(bio_err, "Error getting certificate file password\n"); 485 goto end; 486 } 487 488 if (passarg != NULL) { 489 if (export_pkcs12) 490 passoutarg = passarg; 491 else 492 passinarg = passarg; 493 } 494 495 if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { 496 BIO_printf(bio_err, "Error getting passwords\n"); 497 goto end; 498 } 499 500 if (cpass == NULL) { 501 if (export_pkcs12) 502 cpass = passout; 503 else 504 cpass = passin; 505 } 506 507 if (cpass != NULL) { 508 mpass = cpass; 509 noprompt = 1; 510 if (twopass) { 511 if (export_pkcs12) 512 BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n"); 513 else 514 BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n"); 515 goto end; 516 } 517 } else { 518 cpass = pass; 519 mpass = macpass; 520 } 521 522 if (twopass) { 523 /* To avoid bit rot */ 524 if (1) { 525 #ifndef OPENSSL_NO_UI_CONSOLE 526 if (EVP_read_pw_string( 527 macpass, sizeof(macpass), "Enter MAC Password:", export_pkcs12)) { 528 BIO_printf(bio_err, "Can't read Password\n"); 529 goto end; 530 } 531 } else { 532 #endif 533 BIO_printf(bio_err, "Unsupported option -twopass\n"); 534 goto end; 535 } 536 } 537 538 if (export_pkcs12) { 539 EVP_PKEY *key = NULL; 540 X509 *ee_cert = NULL, *x = NULL; 541 STACK_OF(X509) *certs = NULL; 542 STACK_OF(X509) *untrusted_certs = NULL; 543 EVP_MD *macmd = NULL; 544 unsigned char *catmp = NULL; 545 int i; 546 ASN1_OBJECT *obj = NULL; 547 548 if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { 549 BIO_printf(bio_err, "Nothing to export due to -noout or -nocerts and -nokeys\n"); 550 goto export_end; 551 } 552 553 if ((options & NOCERTS) != 0) { 554 chain = 0; 555 BIO_printf(bio_err, "Warning: -chain option ignored with -nocerts\n"); 556 } 557 558 if (!(options & NOKEYS)) { 559 key = load_key(keyname ? keyname : infile, 560 FORMAT_PEM, 1, passin, e, 561 keyname ? 562 "private key from -inkey file" : 563 "private key from -in file"); 564 if (key == NULL) 565 goto export_end; 566 } 567 568 /* Load all certs in input file */ 569 if (!(options & NOCERTS)) { 570 if (!load_certs(infile, 1, &certs, passin, 571 "certificates from -in file")) 572 goto export_end; 573 if (sk_X509_num(certs) < 1) { 574 BIO_printf(bio_err, "No certificate in -in file %s\n", infile); 575 goto export_end; 576 } 577 578 if (key != NULL) { 579 /* Look for matching private key */ 580 for (i = 0; i < sk_X509_num(certs); i++) { 581 x = sk_X509_value(certs, i); 582 if (cert_matches_key(x, key)) { 583 ee_cert = x; 584 /* Zero keyid and alias */ 585 X509_keyid_set1(ee_cert, NULL, 0); 586 X509_alias_set1(ee_cert, NULL, 0); 587 /* Remove from list */ 588 (void)sk_X509_delete(certs, i); 589 break; 590 } 591 } 592 if (ee_cert == NULL) { 593 BIO_printf(bio_err, 594 "No cert in -in file '%s' matches private key\n", 595 infile); 596 goto export_end; 597 } 598 } 599 } 600 601 /* Load any untrusted certificates for chain building */ 602 if (untrusted != NULL) { 603 if (!load_certs(untrusted, 0, &untrusted_certs, passcerts, 604 "untrusted certificates")) 605 goto export_end; 606 } 607 608 /* If chaining get chain from end entity cert */ 609 if (chain) { 610 int vret; 611 STACK_OF(X509) *chain2; 612 X509_STORE *store; 613 X509 *ee_cert_tmp = ee_cert; 614 615 /* Assume the first cert if we haven't got anything else */ 616 if (ee_cert_tmp == NULL && certs != NULL) 617 ee_cert_tmp = sk_X509_value(certs, 0); 618 619 if (ee_cert_tmp == NULL) { 620 BIO_printf(bio_err, 621 "No end entity certificate to check with -chain\n"); 622 goto export_end; 623 } 624 625 if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath, 626 CAstore, noCAstore)) 627 == NULL) 628 goto export_end; 629 630 vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2); 631 X509_STORE_free(store); 632 633 if (vret == X509_V_OK) { 634 int add_certs; 635 /* Remove from chain2 the first (end entity) certificate */ 636 X509_free(sk_X509_shift(chain2)); 637 /* Add the remaining certs (except for duplicates) */ 638 add_certs = X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF 639 | X509_ADD_FLAG_NO_DUP); 640 OSSL_STACK_OF_X509_free(chain2); 641 if (!add_certs) 642 goto export_end; 643 } else { 644 if (vret != X509_V_ERR_UNSPECIFIED) 645 BIO_printf(bio_err, "Error getting chain: %s\n", 646 X509_verify_cert_error_string(vret)); 647 goto export_end; 648 } 649 } 650 651 /* Add any extra certificates asked for */ 652 if (certfile != NULL) { 653 if (!load_certs(certfile, 0, &certs, passcerts, 654 "extra certificates from -certfile")) 655 goto export_end; 656 } 657 658 /* Add any CA names */ 659 for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { 660 catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); 661 X509_alias_set1(sk_X509_value(certs, i), catmp, -1); 662 } 663 664 if (csp_name != NULL && key != NULL) 665 EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, 666 MBSTRING_ASC, (unsigned char *)csp_name, 667 -1); 668 669 if (add_lmk && key != NULL) 670 EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); 671 672 if (!noprompt && !(enc == NULL && maciter == -1)) { 673 /* To avoid bit rot */ 674 if (1) { 675 #ifndef OPENSSL_NO_UI_CONSOLE 676 if (EVP_read_pw_string(pass, sizeof(pass), 677 "Enter Export Password:", 1)) { 678 BIO_printf(bio_err, "Can't read Password\n"); 679 goto export_end; 680 } 681 } else { 682 #endif 683 BIO_printf(bio_err, "Password required\n"); 684 goto export_end; 685 } 686 } 687 688 if (!twopass) 689 OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); 690 691 if (jdktrust != NULL) { 692 obj = OBJ_txt2obj(jdktrust, 0); 693 } 694 695 p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs, 696 key_pbe, cert_pbe, iter, -1, keytype, 697 app_get0_libctx(), app_get0_propq(), 698 jdk_trust, (void*)obj); 699 700 if (p12 == NULL) { 701 BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n", 702 outfile); 703 goto export_end; 704 } 705 706 if (macalg != NULL) { 707 if (!opt_md(macalg, &macmd)) 708 goto opthelp; 709 } 710 711 if (maciter != -1) { 712 if (pbmac1_pbkdf2 == 1) { 713 if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL, 714 macsaltlen, maciter, 715 macmd, pbmac1_pbkdf2_md)) { 716 BIO_printf(bio_err, "Error creating PBMAC1\n"); 717 goto export_end; 718 } 719 } else { 720 if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) { 721 BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n"); 722 BIO_printf(bio_err, 723 "Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n"); 724 goto export_end; 725 } 726 } 727 } 728 assert(private); 729 730 out = bio_open_owner(outfile, FORMAT_PKCS12, private); 731 if (out == NULL) 732 goto end; 733 734 i2d_PKCS12_bio(out, p12); 735 736 ret = 0; 737 738 export_end: 739 740 EVP_PKEY_free(key); 741 EVP_MD_free(macmd); 742 OSSL_STACK_OF_X509_free(certs); 743 OSSL_STACK_OF_X509_free(untrusted_certs); 744 X509_free(ee_cert); 745 ASN1_OBJECT_free(obj); 746 ERR_print_errors(bio_err); 747 goto end; 748 749 } 750 751 in = bio_open_default(infile, 'r', FORMAT_PKCS12); 752 if (in == NULL) 753 goto end; 754 755 p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq()); 756 if (p12 == NULL) { 757 ERR_print_errors(bio_err); 758 goto end; 759 } 760 if ((p12 = d2i_PKCS12_bio(in, &p12)) == NULL) { 761 ERR_print_errors(bio_err); 762 goto end; 763 } 764 765 if (!noprompt) { 766 if (1) { 767 #ifndef OPENSSL_NO_UI_CONSOLE 768 if (EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:", 769 0)) { 770 BIO_printf(bio_err, "Can't read Password\n"); 771 goto end; 772 } 773 } else { 774 #endif 775 BIO_printf(bio_err, "Password required\n"); 776 goto end; 777 } 778 } 779 780 if (!twopass) 781 OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); 782 783 if ((options & INFO) && PKCS12_mac_present(p12)) { 784 const ASN1_INTEGER *tmaciter; 785 const X509_ALGOR *macalgid; 786 const ASN1_OBJECT *macobj; 787 const ASN1_OCTET_STRING *tmac; 788 const ASN1_OCTET_STRING *tsalt; 789 790 PKCS12_get0_mac(&tmac, &macalgid, &tsalt, &tmaciter, p12); 791 /* current hash algorithms do not use parameters so extract just name, 792 in future alg_print() may be needed */ 793 X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); 794 BIO_puts(bio_err, "MAC: "); 795 i2a_ASN1_OBJECT(bio_err, macobj); 796 if (OBJ_obj2nid(macobj) == NID_pbmac1) { 797 PBKDF2PARAM *pbkdf2_param = PBMAC1_get1_pbkdf2_param(macalgid); 798 799 if (pbkdf2_param == NULL) { 800 BIO_printf(bio_err, ", Unsupported KDF or params for PBMAC1\n"); 801 } else { 802 const ASN1_OBJECT *prfobj; 803 int prfnid; 804 805 BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n", 806 ASN1_INTEGER_get(pbkdf2_param->iter)); 807 BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n", 808 ASN1_INTEGER_get(pbkdf2_param->keylength), 809 ASN1_STRING_length(pbkdf2_param->salt->value.octet_string)); 810 if (pbkdf2_param->prf == NULL) { 811 prfnid = NID_hmacWithSHA1; 812 } else { 813 X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf); 814 prfnid = OBJ_obj2nid(prfobj); 815 } 816 BIO_printf(bio_err, "PBKDF2 PRF: %s\n", OBJ_nid2sn(prfnid)); 817 } 818 PBKDF2PARAM_free(pbkdf2_param); 819 } else { 820 BIO_printf(bio_err, ", Iteration %ld\n", 821 tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L); 822 BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n", 823 tmac != NULL ? ASN1_STRING_length(tmac) : 0L, 824 tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L); 825 } 826 } 827 828 if (macver) { 829 const X509_ALGOR *macalgid; 830 const ASN1_OBJECT *macobj; 831 832 PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12); 833 834 if (macalgid == NULL) { 835 BIO_printf(bio_err, "Warning: MAC is absent!\n"); 836 goto dump; 837 } 838 839 X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); 840 841 if (OBJ_obj2nid(macobj) != NID_pbmac1) { 842 EVP_KDF *pkcs12kdf; 843 844 pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", 845 app_get0_propq()); 846 if (pkcs12kdf == NULL) { 847 BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n"); 848 BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); 849 goto end; 850 } 851 EVP_KDF_free(pkcs12kdf); 852 } 853 854 /* If we enter empty password try no password first */ 855 if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { 856 /* If mac and crypto pass the same set it to NULL too */ 857 if (!twopass) 858 cpass = NULL; 859 } else if (!PKCS12_verify_mac(p12, mpass, -1)) { 860 /* 861 * May be UTF8 from previous version of OpenSSL: 862 * convert to a UTF8 form which will translate 863 * to the same Unicode password. 864 */ 865 unsigned char *utmp; 866 int utmplen; 867 unsigned long err = ERR_peek_error(); 868 869 if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 870 && ERR_GET_REASON(err) == PKCS12_R_MAC_ABSENT) { 871 BIO_printf(bio_err, "Warning: MAC is absent!\n"); 872 goto dump; 873 } 874 875 utmp = OPENSSL_asc2uni(mpass, -1, NULL, &utmplen); 876 if (utmp == NULL) 877 goto end; 878 badpass = OPENSSL_uni2utf8(utmp, utmplen); 879 OPENSSL_free(utmp); 880 if (!PKCS12_verify_mac(p12, badpass, -1)) { 881 BIO_printf(bio_err, "Mac verify error: invalid password?\n"); 882 ERR_print_errors(bio_err); 883 goto end; 884 } else { 885 BIO_printf(bio_err, "Warning: using broken algorithm\n"); 886 if (!twopass) 887 cpass = badpass; 888 } 889 } 890 } 891 892 dump: 893 assert(private); 894 895 out = bio_open_owner(outfile, FORMAT_PEM, private); 896 if (out == NULL) 897 goto end; 898 899 if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) { 900 BIO_printf(bio_err, "Error outputting keys and certificates\n"); 901 ERR_print_errors(bio_err); 902 goto end; 903 } 904 ret = 0; 905 end: 906 PKCS12_free(p12); 907 release_engine(e); 908 BIO_free(in); 909 BIO_free_all(out); 910 sk_OPENSSL_STRING_free(canames); 911 OPENSSL_free(badpass); 912 OPENSSL_free(passcerts); 913 OPENSSL_free(passin); 914 OPENSSL_free(passout); 915 return ret; 916 } 917 918 static int jdk_trust(PKCS12_SAFEBAG *bag, void *cbarg) 919 { 920 STACK_OF(X509_ATTRIBUTE) *attrs = NULL; 921 X509_ATTRIBUTE *attr = NULL; 922 923 /* Nothing to do */ 924 if (cbarg == NULL) 925 return 1; 926 927 /* Get the current attrs */ 928 attrs = (STACK_OF(X509_ATTRIBUTE)*)PKCS12_SAFEBAG_get0_attrs(bag); 929 930 /* Create a new attr for the JDK Trusted Usage and add it */ 931 attr = X509_ATTRIBUTE_create(NID_oracle_jdk_trustedkeyusage, V_ASN1_OBJECT, (ASN1_OBJECT*)cbarg); 932 933 /* Add the new attr, if attrs is NULL, it'll be initialised */ 934 X509at_add1_attr(&attrs, attr); 935 936 /* Set the bag attrs */ 937 PKCS12_SAFEBAG_set0_attrs(bag, attrs); 938 939 X509_ATTRIBUTE_free(attr); 940 return 1; 941 } 942 943 int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass, 944 int passlen, int options, char *pempass, 945 const EVP_CIPHER *enc) 946 { 947 STACK_OF(PKCS7) *asafes = NULL; 948 int i, bagnid; 949 int ret = 0; 950 PKCS7 *p7; 951 952 if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL) 953 return 0; 954 for (i = 0; i < sk_PKCS7_num(asafes); i++) { 955 STACK_OF(PKCS12_SAFEBAG) *bags; 956 957 p7 = sk_PKCS7_value(asafes, i); 958 bagnid = OBJ_obj2nid(p7->type); 959 if (bagnid == NID_pkcs7_data) { 960 bags = PKCS12_unpack_p7data(p7); 961 if (options & INFO) 962 BIO_printf(bio_err, "PKCS7 Data\n"); 963 } else if (bagnid == NID_pkcs7_encrypted) { 964 if (options & INFO) { 965 BIO_printf(bio_err, "PKCS7 Encrypted data: "); 966 if (p7->d.encrypted == NULL) { 967 BIO_printf(bio_err, "<no data>\n"); 968 } else { 969 alg_print(p7->d.encrypted->enc_data->algorithm); 970 } 971 } 972 bags = PKCS12_unpack_p7encdata(p7, pass, passlen); 973 } else { 974 continue; 975 } 976 if (bags == NULL) 977 goto err; 978 if (!dump_certs_pkeys_bags(out, bags, pass, passlen, 979 options, pempass, enc)) { 980 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 981 goto err; 982 } 983 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 984 } 985 ret = 1; 986 987 err: 988 sk_PKCS7_pop_free(asafes, PKCS7_free); 989 return ret; 990 } 991 992 int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags, 993 const char *pass, int passlen, int options, 994 char *pempass, const EVP_CIPHER *enc) 995 { 996 int i; 997 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 998 if (!dump_certs_pkeys_bag(out, 999 sk_PKCS12_SAFEBAG_value(bags, i), 1000 pass, passlen, options, pempass, enc)) 1001 return 0; 1002 } 1003 return 1; 1004 } 1005 1006 int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag, 1007 const char *pass, int passlen, int options, 1008 char *pempass, const EVP_CIPHER *enc) 1009 { 1010 EVP_PKEY *pkey; 1011 PKCS8_PRIV_KEY_INFO *p8; 1012 const PKCS8_PRIV_KEY_INFO *p8c; 1013 X509 *x509; 1014 const STACK_OF(X509_ATTRIBUTE) *attrs; 1015 int ret = 0; 1016 1017 attrs = PKCS12_SAFEBAG_get0_attrs(bag); 1018 1019 switch (PKCS12_SAFEBAG_get_nid(bag)) { 1020 case NID_keyBag: 1021 if (options & INFO) 1022 BIO_printf(bio_err, "Key bag\n"); 1023 if (options & NOKEYS) 1024 return 1; 1025 print_attribs(out, attrs, "Bag Attributes"); 1026 p8c = PKCS12_SAFEBAG_get0_p8inf(bag); 1027 if ((pkey = EVP_PKCS82PKEY(p8c)) == NULL) 1028 return 0; 1029 print_attribs(out, PKCS8_pkey_get0_attrs(p8c), "Key Attributes"); 1030 ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); 1031 EVP_PKEY_free(pkey); 1032 break; 1033 1034 case NID_pkcs8ShroudedKeyBag: 1035 if (options & INFO) { 1036 const X509_SIG *tp8; 1037 const X509_ALGOR *tp8alg; 1038 1039 BIO_printf(bio_err, "Shrouded Keybag: "); 1040 tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag); 1041 X509_SIG_get0(tp8, &tp8alg, NULL); 1042 alg_print(tp8alg); 1043 } 1044 if (options & NOKEYS) 1045 return 1; 1046 print_attribs(out, attrs, "Bag Attributes"); 1047 if ((p8 = PKCS12_decrypt_skey(bag, pass, passlen)) == NULL) 1048 return 0; 1049 if ((pkey = EVP_PKCS82PKEY(p8)) == NULL) { 1050 PKCS8_PRIV_KEY_INFO_free(p8); 1051 return 0; 1052 } 1053 print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes"); 1054 PKCS8_PRIV_KEY_INFO_free(p8); 1055 ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); 1056 EVP_PKEY_free(pkey); 1057 break; 1058 1059 case NID_certBag: 1060 if (options & INFO) 1061 BIO_printf(bio_err, "Certificate bag\n"); 1062 if (options & NOCERTS) 1063 return 1; 1064 if (PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)) { 1065 if (options & CACERTS) 1066 return 1; 1067 } else if (options & CLCERTS) 1068 return 1; 1069 print_attribs(out, attrs, "Bag Attributes"); 1070 if (PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate) 1071 return 1; 1072 if ((x509 = PKCS12_SAFEBAG_get1_cert(bag)) == NULL) 1073 return 0; 1074 dump_cert_text(out, x509); 1075 ret = PEM_write_bio_X509(out, x509); 1076 X509_free(x509); 1077 break; 1078 1079 case NID_secretBag: 1080 if (options & INFO) 1081 BIO_printf(bio_err, "Secret bag\n"); 1082 print_attribs(out, attrs, "Bag Attributes"); 1083 BIO_printf(bio_err, "Bag Type: "); 1084 i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_bag_type(bag)); 1085 BIO_printf(bio_err, "\nBag Value: "); 1086 print_attribute(out, PKCS12_SAFEBAG_get0_bag_obj(bag)); 1087 return 1; 1088 1089 case NID_safeContentsBag: 1090 if (options & INFO) 1091 BIO_printf(bio_err, "Safe Contents bag\n"); 1092 print_attribs(out, attrs, "Bag Attributes"); 1093 return dump_certs_pkeys_bags(out, PKCS12_SAFEBAG_get0_safes(bag), 1094 pass, passlen, options, pempass, enc); 1095 1096 default: 1097 BIO_printf(bio_err, "Warning unsupported bag type: "); 1098 i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_type(bag)); 1099 BIO_printf(bio_err, "\n"); 1100 return 1; 1101 } 1102 return ret; 1103 } 1104 1105 /* Given a single certificate return a verified chain or NULL if error */ 1106 1107 static int get_cert_chain(X509 *cert, X509_STORE *store, 1108 STACK_OF(X509) *untrusted_certs, 1109 STACK_OF(X509) **chain) 1110 { 1111 X509_STORE_CTX *store_ctx = NULL; 1112 STACK_OF(X509) *chn = NULL; 1113 int i = 0; 1114 1115 store_ctx = X509_STORE_CTX_new_ex(app_get0_libctx(), app_get0_propq()); 1116 if (store_ctx == NULL) { 1117 i = X509_V_ERR_UNSPECIFIED; 1118 goto end; 1119 } 1120 if (!X509_STORE_CTX_init(store_ctx, store, cert, untrusted_certs)) { 1121 i = X509_V_ERR_UNSPECIFIED; 1122 goto end; 1123 } 1124 1125 1126 if (X509_verify_cert(store_ctx) > 0) 1127 chn = X509_STORE_CTX_get1_chain(store_ctx); 1128 else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0) 1129 i = X509_V_ERR_UNSPECIFIED; 1130 1131 end: 1132 X509_STORE_CTX_free(store_ctx); 1133 *chain = chn; 1134 return i; 1135 } 1136 1137 static int alg_print(const X509_ALGOR *alg) 1138 { 1139 int pbenid, aparamtype; 1140 const ASN1_OBJECT *aoid; 1141 const void *aparam; 1142 PBEPARAM *pbe = NULL; 1143 1144 X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg); 1145 1146 pbenid = OBJ_obj2nid(aoid); 1147 1148 BIO_printf(bio_err, "%s", OBJ_nid2ln(pbenid)); 1149 1150 /* 1151 * If PBE algorithm is PBES2 decode algorithm parameters 1152 * for additional details. 1153 */ 1154 if (pbenid == NID_pbes2) { 1155 PBE2PARAM *pbe2 = NULL; 1156 int encnid; 1157 if (aparamtype == V_ASN1_SEQUENCE) 1158 pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM)); 1159 if (pbe2 == NULL) { 1160 BIO_puts(bio_err, ", <unsupported parameters>"); 1161 goto done; 1162 } 1163 X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc); 1164 pbenid = OBJ_obj2nid(aoid); 1165 X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption); 1166 encnid = OBJ_obj2nid(aoid); 1167 BIO_printf(bio_err, ", %s, %s", OBJ_nid2ln(pbenid), 1168 OBJ_nid2sn(encnid)); 1169 /* If KDF is PBKDF2 decode parameters */ 1170 if (pbenid == NID_id_pbkdf2) { 1171 PBKDF2PARAM *kdf = NULL; 1172 int prfnid; 1173 if (aparamtype == V_ASN1_SEQUENCE) 1174 kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM)); 1175 if (kdf == NULL) { 1176 BIO_puts(bio_err, ", <unsupported parameters>"); 1177 goto done; 1178 } 1179 1180 if (kdf->prf == NULL) { 1181 prfnid = NID_hmacWithSHA1; 1182 } else { 1183 X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf); 1184 prfnid = OBJ_obj2nid(aoid); 1185 } 1186 BIO_printf(bio_err, ", Iteration %ld, PRF %s", 1187 ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid)); 1188 PBKDF2PARAM_free(kdf); 1189 #ifndef OPENSSL_NO_SCRYPT 1190 } else if (pbenid == NID_id_scrypt) { 1191 SCRYPT_PARAMS *kdf = NULL; 1192 1193 if (aparamtype == V_ASN1_SEQUENCE) 1194 kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(SCRYPT_PARAMS)); 1195 if (kdf == NULL) { 1196 BIO_puts(bio_err, ", <unsupported parameters>"); 1197 goto done; 1198 } 1199 BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, " 1200 "Block size(r): %ld, Parallelism(p): %ld", 1201 ASN1_STRING_length(kdf->salt), 1202 ASN1_INTEGER_get(kdf->costParameter), 1203 ASN1_INTEGER_get(kdf->blockSize), 1204 ASN1_INTEGER_get(kdf->parallelizationParameter)); 1205 SCRYPT_PARAMS_free(kdf); 1206 #endif 1207 } 1208 PBE2PARAM_free(pbe2); 1209 } else { 1210 if (aparamtype == V_ASN1_SEQUENCE) 1211 pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM)); 1212 if (pbe == NULL) { 1213 BIO_puts(bio_err, ", <unsupported parameters>"); 1214 goto done; 1215 } 1216 BIO_printf(bio_err, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter)); 1217 PBEPARAM_free(pbe); 1218 } 1219 done: 1220 BIO_puts(bio_err, "\n"); 1221 return 1; 1222 } 1223 1224 /* Load all certificates from a given file */ 1225 1226 int cert_load(BIO *in, STACK_OF(X509) *sk) 1227 { 1228 int ret = 0; 1229 X509 *cert; 1230 1231 while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { 1232 ret = 1; 1233 if (!sk_X509_push(sk, cert)) 1234 return 0; 1235 } 1236 if (ret) 1237 ERR_clear_error(); 1238 return ret; 1239 } 1240 1241 /* Generalised x509 attribute value print */ 1242 1243 void print_attribute(BIO *out, const ASN1_TYPE *av) 1244 { 1245 char *value; 1246 const char *ln; 1247 char objbuf[80]; 1248 1249 switch (av->type) { 1250 case V_ASN1_BMPSTRING: 1251 value = OPENSSL_uni2asc(av->value.bmpstring->data, 1252 av->value.bmpstring->length); 1253 BIO_printf(out, "%s\n", value); 1254 OPENSSL_free(value); 1255 break; 1256 1257 case V_ASN1_UTF8STRING: 1258 BIO_printf(out, "%.*s\n", av->value.utf8string->length, 1259 av->value.utf8string->data); 1260 break; 1261 1262 case V_ASN1_OCTET_STRING: 1263 hex_prin(out, av->value.octet_string->data, 1264 av->value.octet_string->length); 1265 BIO_printf(out, "\n"); 1266 break; 1267 1268 case V_ASN1_BIT_STRING: 1269 hex_prin(out, av->value.bit_string->data, 1270 av->value.bit_string->length); 1271 BIO_printf(out, "\n"); 1272 break; 1273 1274 case V_ASN1_OBJECT: 1275 ln = OBJ_nid2ln(OBJ_obj2nid(av->value.object)); 1276 if (!ln) 1277 ln = ""; 1278 OBJ_obj2txt(objbuf, sizeof(objbuf), av->value.object, 1); 1279 BIO_printf(out, "%s (%s)", ln, objbuf); 1280 BIO_printf(out, "\n"); 1281 break; 1282 1283 default: 1284 BIO_printf(out, "<Unsupported tag %d>\n", av->type); 1285 break; 1286 } 1287 } 1288 1289 /* Generalised attribute print: handle PKCS#8 and bag attributes */ 1290 1291 int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, 1292 const char *name) 1293 { 1294 X509_ATTRIBUTE *attr; 1295 ASN1_TYPE *av; 1296 int i, j, attr_nid; 1297 if (!attrlst) { 1298 BIO_printf(out, "%s: <No Attributes>\n", name); 1299 return 1; 1300 } 1301 if (!sk_X509_ATTRIBUTE_num(attrlst)) { 1302 BIO_printf(out, "%s: <Empty Attributes>\n", name); 1303 return 1; 1304 } 1305 BIO_printf(out, "%s\n", name); 1306 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) { 1307 ASN1_OBJECT *attr_obj; 1308 attr = sk_X509_ATTRIBUTE_value(attrlst, i); 1309 attr_obj = X509_ATTRIBUTE_get0_object(attr); 1310 attr_nid = OBJ_obj2nid(attr_obj); 1311 BIO_printf(out, " "); 1312 if (attr_nid == NID_undef) { 1313 i2a_ASN1_OBJECT(out, attr_obj); 1314 BIO_printf(out, ": "); 1315 } else { 1316 BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid)); 1317 } 1318 1319 if (X509_ATTRIBUTE_count(attr)) { 1320 for (j = 0; j < X509_ATTRIBUTE_count(attr); j++) { 1321 av = X509_ATTRIBUTE_get0_type(attr, j); 1322 print_attribute(out, av); 1323 } 1324 } else { 1325 BIO_printf(out, "<No Values>\n"); 1326 } 1327 } 1328 return 1; 1329 } 1330 1331 void hex_prin(BIO *out, unsigned char *buf, int len) 1332 { 1333 int i; 1334 for (i = 0; i < len; i++) 1335 BIO_printf(out, "%02X ", buf[i]); 1336 } 1337 1338 static int set_pbe(int *ppbe, const char *str) 1339 { 1340 if (!str) 1341 return 0; 1342 if (strcmp(str, "NONE") == 0) { 1343 *ppbe = -1; 1344 return 1; 1345 } 1346 *ppbe = OBJ_txt2nid(str); 1347 if (*ppbe == NID_undef) { 1348 BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str); 1349 return 0; 1350 } 1351 return 1; 1352 } 1353