1 /* pkcs12.c */ 2 /* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60 #include <openssl/opensslconf.h> 61 #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1) 62 63 # include <stdio.h> 64 # include <stdlib.h> 65 # include <string.h> 66 # include "apps.h" 67 # include <openssl/crypto.h> 68 # include <openssl/err.h> 69 # include <openssl/pem.h> 70 # include <openssl/pkcs12.h> 71 72 # define PROG pkcs12_main 73 74 const EVP_CIPHER *enc; 75 76 # define NOKEYS 0x1 77 # define NOCERTS 0x2 78 # define INFO 0x4 79 # define CLCERTS 0x8 80 # define CACERTS 0x10 81 82 static int get_cert_chain(X509 *cert, X509_STORE *store, 83 STACK_OF(X509) **chain); 84 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, 85 int options, char *pempass); 86 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, 87 char *pass, int passlen, int options, 88 char *pempass); 89 int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, 90 int passlen, int options, char *pempass); 91 int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, 92 const char *name); 93 void hex_prin(BIO *out, unsigned char *buf, int len); 94 int alg_print(BIO *x, X509_ALGOR *alg); 95 int cert_load(BIO *in, STACK_OF(X509) *sk); 96 static int set_pbe(BIO *err, int *ppbe, const char *str); 97 98 int MAIN(int, char **); 99 100 int MAIN(int argc, char **argv) 101 { 102 ENGINE *e = NULL; 103 char *infile = NULL, *outfile = NULL, *keyname = NULL; 104 char *certfile = NULL; 105 BIO *in = NULL, *out = NULL; 106 char **args; 107 char *name = NULL; 108 char *csp_name = NULL; 109 int add_lmk = 0; 110 PKCS12 *p12 = NULL; 111 char pass[50], macpass[50]; 112 int export_cert = 0; 113 int options = 0; 114 int chain = 0; 115 int badarg = 0; 116 int iter = PKCS12_DEFAULT_ITER; 117 int maciter = PKCS12_DEFAULT_ITER; 118 int twopass = 0; 119 int keytype = 0; 120 int cert_pbe; 121 int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 122 int ret = 1; 123 int macver = 1; 124 int noprompt = 0; 125 STACK_OF(OPENSSL_STRING) *canames = NULL; 126 char *cpass = NULL, *mpass = NULL; 127 char *passargin = NULL, *passargout = NULL, *passarg = NULL; 128 char *passin = NULL, *passout = NULL; 129 char *inrand = NULL; 130 char *macalg = NULL; 131 char *CApath = NULL, *CAfile = NULL; 132 # ifndef OPENSSL_NO_ENGINE 133 char *engine = NULL; 134 # endif 135 136 apps_startup(); 137 138 enc = EVP_des_ede3_cbc(); 139 if (bio_err == NULL) 140 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); 141 142 if (!load_config(bio_err, NULL)) 143 goto end; 144 145 # ifdef OPENSSL_FIPS 146 if (FIPS_mode()) 147 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 148 else 149 # endif 150 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; 151 152 args = argv + 1; 153 154 while (*args) { 155 if (*args[0] == '-') { 156 if (!strcmp(*args, "-nokeys")) 157 options |= NOKEYS; 158 else if (!strcmp(*args, "-keyex")) 159 keytype = KEY_EX; 160 else if (!strcmp(*args, "-keysig")) 161 keytype = KEY_SIG; 162 else if (!strcmp(*args, "-nocerts")) 163 options |= NOCERTS; 164 else if (!strcmp(*args, "-clcerts")) 165 options |= CLCERTS; 166 else if (!strcmp(*args, "-cacerts")) 167 options |= CACERTS; 168 else if (!strcmp(*args, "-noout")) 169 options |= (NOKEYS | NOCERTS); 170 else if (!strcmp(*args, "-info")) 171 options |= INFO; 172 else if (!strcmp(*args, "-chain")) 173 chain = 1; 174 else if (!strcmp(*args, "-twopass")) 175 twopass = 1; 176 else if (!strcmp(*args, "-nomacver")) 177 macver = 0; 178 else if (!strcmp(*args, "-descert")) 179 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 180 else if (!strcmp(*args, "-export")) 181 export_cert = 1; 182 else if (!strcmp(*args, "-des")) 183 enc = EVP_des_cbc(); 184 else if (!strcmp(*args, "-des3")) 185 enc = EVP_des_ede3_cbc(); 186 # ifndef OPENSSL_NO_IDEA 187 else if (!strcmp(*args, "-idea")) 188 enc = EVP_idea_cbc(); 189 # endif 190 # ifndef OPENSSL_NO_SEED 191 else if (!strcmp(*args, "-seed")) 192 enc = EVP_seed_cbc(); 193 # endif 194 # ifndef OPENSSL_NO_AES 195 else if (!strcmp(*args, "-aes128")) 196 enc = EVP_aes_128_cbc(); 197 else if (!strcmp(*args, "-aes192")) 198 enc = EVP_aes_192_cbc(); 199 else if (!strcmp(*args, "-aes256")) 200 enc = EVP_aes_256_cbc(); 201 # endif 202 # ifndef OPENSSL_NO_CAMELLIA 203 else if (!strcmp(*args, "-camellia128")) 204 enc = EVP_camellia_128_cbc(); 205 else if (!strcmp(*args, "-camellia192")) 206 enc = EVP_camellia_192_cbc(); 207 else if (!strcmp(*args, "-camellia256")) 208 enc = EVP_camellia_256_cbc(); 209 # endif 210 else if (!strcmp(*args, "-noiter")) 211 iter = 1; 212 else if (!strcmp(*args, "-maciter")) 213 maciter = PKCS12_DEFAULT_ITER; 214 else if (!strcmp(*args, "-nomaciter")) 215 maciter = 1; 216 else if (!strcmp(*args, "-nomac")) 217 maciter = -1; 218 else if (!strcmp(*args, "-macalg")) 219 if (args[1]) { 220 args++; 221 macalg = *args; 222 } else 223 badarg = 1; 224 else if (!strcmp(*args, "-nodes")) 225 enc = NULL; 226 else if (!strcmp(*args, "-certpbe")) { 227 if (!set_pbe(bio_err, &cert_pbe, *++args)) 228 badarg = 1; 229 } else if (!strcmp(*args, "-keypbe")) { 230 if (!set_pbe(bio_err, &key_pbe, *++args)) 231 badarg = 1; 232 } else if (!strcmp(*args, "-rand")) { 233 if (args[1]) { 234 args++; 235 inrand = *args; 236 } else 237 badarg = 1; 238 } else if (!strcmp(*args, "-inkey")) { 239 if (args[1]) { 240 args++; 241 keyname = *args; 242 } else 243 badarg = 1; 244 } else if (!strcmp(*args, "-certfile")) { 245 if (args[1]) { 246 args++; 247 certfile = *args; 248 } else 249 badarg = 1; 250 } else if (!strcmp(*args, "-name")) { 251 if (args[1]) { 252 args++; 253 name = *args; 254 } else 255 badarg = 1; 256 } else if (!strcmp(*args, "-LMK")) 257 add_lmk = 1; 258 else if (!strcmp(*args, "-CSP")) { 259 if (args[1]) { 260 args++; 261 csp_name = *args; 262 } else 263 badarg = 1; 264 } else if (!strcmp(*args, "-caname")) { 265 if (args[1]) { 266 args++; 267 if (!canames) 268 canames = sk_OPENSSL_STRING_new_null(); 269 sk_OPENSSL_STRING_push(canames, *args); 270 } else 271 badarg = 1; 272 } else if (!strcmp(*args, "-in")) { 273 if (args[1]) { 274 args++; 275 infile = *args; 276 } else 277 badarg = 1; 278 } else if (!strcmp(*args, "-out")) { 279 if (args[1]) { 280 args++; 281 outfile = *args; 282 } else 283 badarg = 1; 284 } else if (!strcmp(*args, "-passin")) { 285 if (args[1]) { 286 args++; 287 passargin = *args; 288 } else 289 badarg = 1; 290 } else if (!strcmp(*args, "-passout")) { 291 if (args[1]) { 292 args++; 293 passargout = *args; 294 } else 295 badarg = 1; 296 } else if (!strcmp(*args, "-password")) { 297 if (args[1]) { 298 args++; 299 passarg = *args; 300 noprompt = 1; 301 } else 302 badarg = 1; 303 } else if (!strcmp(*args, "-CApath")) { 304 if (args[1]) { 305 args++; 306 CApath = *args; 307 } else 308 badarg = 1; 309 } else if (!strcmp(*args, "-CAfile")) { 310 if (args[1]) { 311 args++; 312 CAfile = *args; 313 } else 314 badarg = 1; 315 # ifndef OPENSSL_NO_ENGINE 316 } else if (!strcmp(*args, "-engine")) { 317 if (args[1]) { 318 args++; 319 engine = *args; 320 } else 321 badarg = 1; 322 # endif 323 } else 324 badarg = 1; 325 326 } else 327 badarg = 1; 328 args++; 329 } 330 331 if (badarg) { 332 BIO_printf(bio_err, "Usage: pkcs12 [options]\n"); 333 BIO_printf(bio_err, "where options are\n"); 334 BIO_printf(bio_err, "-export output PKCS12 file\n"); 335 BIO_printf(bio_err, "-chain add certificate chain\n"); 336 BIO_printf(bio_err, "-inkey file private key if not infile\n"); 337 BIO_printf(bio_err, "-certfile f add all certs in f\n"); 338 BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n"); 339 BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n"); 340 BIO_printf(bio_err, "-name \"name\" use name as friendly name\n"); 341 BIO_printf(bio_err, 342 "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); 343 BIO_printf(bio_err, "-in infile input filename\n"); 344 BIO_printf(bio_err, "-out outfile output filename\n"); 345 BIO_printf(bio_err, 346 "-noout don't output anything, just verify.\n"); 347 BIO_printf(bio_err, "-nomacver don't verify MAC.\n"); 348 BIO_printf(bio_err, "-nocerts don't output certificates.\n"); 349 BIO_printf(bio_err, 350 "-clcerts only output client certificates.\n"); 351 BIO_printf(bio_err, "-cacerts only output CA certificates.\n"); 352 BIO_printf(bio_err, "-nokeys don't output private keys.\n"); 353 BIO_printf(bio_err, 354 "-info give info about PKCS#12 structure.\n"); 355 BIO_printf(bio_err, "-des encrypt private keys with DES\n"); 356 BIO_printf(bio_err, 357 "-des3 encrypt private keys with triple DES (default)\n"); 358 # ifndef OPENSSL_NO_IDEA 359 BIO_printf(bio_err, "-idea encrypt private keys with idea\n"); 360 # endif 361 # ifndef OPENSSL_NO_SEED 362 BIO_printf(bio_err, "-seed encrypt private keys with seed\n"); 363 # endif 364 # ifndef OPENSSL_NO_AES 365 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); 366 BIO_printf(bio_err, 367 " encrypt PEM output with cbc aes\n"); 368 # endif 369 # ifndef OPENSSL_NO_CAMELLIA 370 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); 371 BIO_printf(bio_err, 372 " encrypt PEM output with cbc camellia\n"); 373 # endif 374 BIO_printf(bio_err, "-nodes don't encrypt private keys\n"); 375 BIO_printf(bio_err, "-noiter don't use encryption iteration\n"); 376 BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n"); 377 BIO_printf(bio_err, "-maciter use MAC iteration\n"); 378 BIO_printf(bio_err, "-nomac don't generate MAC\n"); 379 BIO_printf(bio_err, 380 "-twopass separate MAC, encryption passwords\n"); 381 BIO_printf(bio_err, 382 "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); 383 BIO_printf(bio_err, 384 "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); 385 BIO_printf(bio_err, 386 "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); 387 BIO_printf(bio_err, 388 "-macalg alg digest algorithm used in MAC (default SHA1)\n"); 389 BIO_printf(bio_err, "-keyex set MS key exchange type\n"); 390 BIO_printf(bio_err, "-keysig set MS key signature type\n"); 391 BIO_printf(bio_err, 392 "-password p set import/export password source\n"); 393 BIO_printf(bio_err, "-passin p input file pass phrase source\n"); 394 BIO_printf(bio_err, "-passout p output file pass phrase source\n"); 395 # ifndef OPENSSL_NO_ENGINE 396 BIO_printf(bio_err, 397 "-engine e use engine e, possibly a hardware device.\n"); 398 # endif 399 BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, 400 LIST_SEPARATOR_CHAR); 401 BIO_printf(bio_err, 402 " load the file (or the files in the directory) into\n"); 403 BIO_printf(bio_err, " the random number generator\n"); 404 BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); 405 BIO_printf(bio_err, 406 "-LMK Add local machine keyset attribute to private key\n"); 407 goto end; 408 } 409 # ifndef OPENSSL_NO_ENGINE 410 e = setup_engine(bio_err, engine, 0); 411 # endif 412 413 if (passarg) { 414 if (export_cert) 415 passargout = passarg; 416 else 417 passargin = passarg; 418 } 419 420 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { 421 BIO_printf(bio_err, "Error getting passwords\n"); 422 goto end; 423 } 424 425 if (!cpass) { 426 if (export_cert) 427 cpass = passout; 428 else 429 cpass = passin; 430 } 431 432 if (cpass) { 433 mpass = cpass; 434 noprompt = 1; 435 } else { 436 cpass = pass; 437 mpass = macpass; 438 } 439 440 if (export_cert || inrand) { 441 app_RAND_load_file(NULL, bio_err, (inrand != NULL)); 442 if (inrand != NULL) 443 BIO_printf(bio_err, "%ld semi-random bytes loaded\n", 444 app_RAND_load_files(inrand)); 445 } 446 ERR_load_crypto_strings(); 447 448 # ifdef CRYPTO_MDEBUG 449 CRYPTO_push_info("read files"); 450 # endif 451 452 if (!infile) 453 in = BIO_new_fp(stdin, BIO_NOCLOSE); 454 else 455 in = BIO_new_file(infile, "rb"); 456 if (!in) { 457 BIO_printf(bio_err, "Error opening input file %s\n", 458 infile ? infile : "<stdin>"); 459 perror(infile); 460 goto end; 461 } 462 # ifdef CRYPTO_MDEBUG 463 CRYPTO_pop_info(); 464 CRYPTO_push_info("write files"); 465 # endif 466 467 if (!outfile) { 468 out = BIO_new_fp(stdout, BIO_NOCLOSE); 469 # ifdef OPENSSL_SYS_VMS 470 { 471 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 472 out = BIO_push(tmpbio, out); 473 } 474 # endif 475 } else 476 out = BIO_new_file(outfile, "wb"); 477 if (!out) { 478 BIO_printf(bio_err, "Error opening output file %s\n", 479 outfile ? outfile : "<stdout>"); 480 perror(outfile); 481 goto end; 482 } 483 if (twopass) { 484 # ifdef CRYPTO_MDEBUG 485 CRYPTO_push_info("read MAC password"); 486 # endif 487 if (EVP_read_pw_string 488 (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { 489 BIO_printf(bio_err, "Can't read Password\n"); 490 goto end; 491 } 492 # ifdef CRYPTO_MDEBUG 493 CRYPTO_pop_info(); 494 # endif 495 } 496 497 if (export_cert) { 498 EVP_PKEY *key = NULL; 499 X509 *ucert = NULL, *x = NULL; 500 STACK_OF(X509) *certs = NULL; 501 const EVP_MD *macmd = NULL; 502 unsigned char *catmp = NULL; 503 int i; 504 505 if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { 506 BIO_printf(bio_err, "Nothing to do!\n"); 507 goto export_end; 508 } 509 510 if (options & NOCERTS) 511 chain = 0; 512 513 # ifdef CRYPTO_MDEBUG 514 CRYPTO_push_info("process -export_cert"); 515 CRYPTO_push_info("reading private key"); 516 # endif 517 if (!(options & NOKEYS)) { 518 key = load_key(bio_err, keyname ? keyname : infile, 519 FORMAT_PEM, 1, passin, e, "private key"); 520 if (!key) 521 goto export_end; 522 } 523 # ifdef CRYPTO_MDEBUG 524 CRYPTO_pop_info(); 525 CRYPTO_push_info("reading certs from input"); 526 # endif 527 528 /* Load in all certs in input file */ 529 if (!(options & NOCERTS)) { 530 certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, 531 "certificates"); 532 if (!certs) 533 goto export_end; 534 535 if (key) { 536 /* Look for matching private key */ 537 for (i = 0; i < sk_X509_num(certs); i++) { 538 x = sk_X509_value(certs, i); 539 if (X509_check_private_key(x, key)) { 540 ucert = x; 541 /* Zero keyid and alias */ 542 X509_keyid_set1(ucert, NULL, 0); 543 X509_alias_set1(ucert, NULL, 0); 544 /* Remove from list */ 545 (void)sk_X509_delete(certs, i); 546 break; 547 } 548 } 549 if (!ucert) { 550 BIO_printf(bio_err, 551 "No certificate matches private key\n"); 552 goto export_end; 553 } 554 } 555 556 } 557 # ifdef CRYPTO_MDEBUG 558 CRYPTO_pop_info(); 559 CRYPTO_push_info("reading certs from input 2"); 560 # endif 561 562 /* Add any more certificates asked for */ 563 if (certfile) { 564 STACK_OF(X509) *morecerts = NULL; 565 if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, 566 NULL, e, 567 "certificates from certfile"))) 568 goto export_end; 569 while (sk_X509_num(morecerts) > 0) 570 sk_X509_push(certs, sk_X509_shift(morecerts)); 571 sk_X509_free(morecerts); 572 } 573 # ifdef CRYPTO_MDEBUG 574 CRYPTO_pop_info(); 575 CRYPTO_push_info("reading certs from certfile"); 576 # endif 577 578 # ifdef CRYPTO_MDEBUG 579 CRYPTO_pop_info(); 580 CRYPTO_push_info("building chain"); 581 # endif 582 583 /* If chaining get chain from user cert */ 584 if (chain) { 585 int vret; 586 STACK_OF(X509) *chain2; 587 X509_STORE *store = X509_STORE_new(); 588 if (!store) { 589 BIO_printf(bio_err, "Memory allocation error\n"); 590 goto export_end; 591 } 592 if (!X509_STORE_load_locations(store, CAfile, CApath)) 593 X509_STORE_set_default_paths(store); 594 595 vret = get_cert_chain(ucert, store, &chain2); 596 X509_STORE_free(store); 597 598 if (vret == X509_V_OK) { 599 /* Exclude verified certificate */ 600 for (i = 1; i < sk_X509_num(chain2); i++) 601 sk_X509_push(certs, sk_X509_value(chain2, i)); 602 /* Free first certificate */ 603 X509_free(sk_X509_value(chain2, 0)); 604 sk_X509_free(chain2); 605 } else { 606 if (vret != X509_V_ERR_UNSPECIFIED) 607 BIO_printf(bio_err, "Error %s getting chain.\n", 608 X509_verify_cert_error_string(vret)); 609 else 610 ERR_print_errors(bio_err); 611 goto export_end; 612 } 613 } 614 615 /* Add any CA names */ 616 617 for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { 618 catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); 619 X509_alias_set1(sk_X509_value(certs, i), catmp, -1); 620 } 621 622 if (csp_name && key) 623 EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, 624 MBSTRING_ASC, (unsigned char *)csp_name, 625 -1); 626 627 if (add_lmk && key) 628 EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); 629 630 # ifdef CRYPTO_MDEBUG 631 CRYPTO_pop_info(); 632 CRYPTO_push_info("reading password"); 633 # endif 634 635 if (!noprompt && 636 EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 637 1)) { 638 BIO_printf(bio_err, "Can't read Password\n"); 639 goto export_end; 640 } 641 if (!twopass) 642 BUF_strlcpy(macpass, pass, sizeof macpass); 643 644 # ifdef CRYPTO_MDEBUG 645 CRYPTO_pop_info(); 646 CRYPTO_push_info("creating PKCS#12 structure"); 647 # endif 648 649 p12 = PKCS12_create(cpass, name, key, ucert, certs, 650 key_pbe, cert_pbe, iter, -1, keytype); 651 652 if (!p12) { 653 ERR_print_errors(bio_err); 654 goto export_end; 655 } 656 657 if (macalg) { 658 macmd = EVP_get_digestbyname(macalg); 659 if (!macmd) { 660 BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg); 661 } 662 } 663 664 if (maciter != -1) 665 PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); 666 667 # ifdef CRYPTO_MDEBUG 668 CRYPTO_pop_info(); 669 CRYPTO_push_info("writing pkcs12"); 670 # endif 671 672 i2d_PKCS12_bio(out, p12); 673 674 ret = 0; 675 676 export_end: 677 # ifdef CRYPTO_MDEBUG 678 CRYPTO_pop_info(); 679 CRYPTO_pop_info(); 680 CRYPTO_push_info("process -export_cert: freeing"); 681 # endif 682 683 if (key) 684 EVP_PKEY_free(key); 685 if (certs) 686 sk_X509_pop_free(certs, X509_free); 687 if (ucert) 688 X509_free(ucert); 689 690 # ifdef CRYPTO_MDEBUG 691 CRYPTO_pop_info(); 692 # endif 693 goto end; 694 695 } 696 697 if (!(p12 = d2i_PKCS12_bio(in, NULL))) { 698 ERR_print_errors(bio_err); 699 goto end; 700 } 701 # ifdef CRYPTO_MDEBUG 702 CRYPTO_push_info("read import password"); 703 # endif 704 if (!noprompt 705 && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 706 0)) { 707 BIO_printf(bio_err, "Can't read Password\n"); 708 goto end; 709 } 710 # ifdef CRYPTO_MDEBUG 711 CRYPTO_pop_info(); 712 # endif 713 714 if (!twopass) 715 BUF_strlcpy(macpass, pass, sizeof macpass); 716 717 if ((options & INFO) && p12->mac) 718 BIO_printf(bio_err, "MAC Iteration %ld\n", 719 p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1); 720 if (macver) { 721 # ifdef CRYPTO_MDEBUG 722 CRYPTO_push_info("verify MAC"); 723 # endif 724 /* If we enter empty password try no password first */ 725 if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { 726 /* If mac and crypto pass the same set it to NULL too */ 727 if (!twopass) 728 cpass = NULL; 729 } else if (!PKCS12_verify_mac(p12, mpass, -1)) { 730 BIO_printf(bio_err, "Mac verify error: invalid password?\n"); 731 ERR_print_errors(bio_err); 732 goto end; 733 } 734 BIO_printf(bio_err, "MAC verified OK\n"); 735 # ifdef CRYPTO_MDEBUG 736 CRYPTO_pop_info(); 737 # endif 738 } 739 # ifdef CRYPTO_MDEBUG 740 CRYPTO_push_info("output keys and certificates"); 741 # endif 742 if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) { 743 BIO_printf(bio_err, "Error outputting keys and certificates\n"); 744 ERR_print_errors(bio_err); 745 goto end; 746 } 747 # ifdef CRYPTO_MDEBUG 748 CRYPTO_pop_info(); 749 # endif 750 ret = 0; 751 end: 752 if (p12) 753 PKCS12_free(p12); 754 if (export_cert || inrand) 755 app_RAND_write_file(NULL, bio_err); 756 # ifdef CRYPTO_MDEBUG 757 CRYPTO_remove_all_info(); 758 # endif 759 BIO_free(in); 760 BIO_free_all(out); 761 if (canames) 762 sk_OPENSSL_STRING_free(canames); 763 if (passin) 764 OPENSSL_free(passin); 765 if (passout) 766 OPENSSL_free(passout); 767 apps_shutdown(); 768 OPENSSL_EXIT(ret); 769 } 770 771 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, 772 int passlen, int options, char *pempass) 773 { 774 STACK_OF(PKCS7) *asafes = NULL; 775 STACK_OF(PKCS12_SAFEBAG) *bags; 776 int i, bagnid; 777 int ret = 0; 778 PKCS7 *p7; 779 780 if (!(asafes = PKCS12_unpack_authsafes(p12))) 781 return 0; 782 for (i = 0; i < sk_PKCS7_num(asafes); i++) { 783 p7 = sk_PKCS7_value(asafes, i); 784 bagnid = OBJ_obj2nid(p7->type); 785 if (bagnid == NID_pkcs7_data) { 786 bags = PKCS12_unpack_p7data(p7); 787 if (options & INFO) 788 BIO_printf(bio_err, "PKCS7 Data\n"); 789 } else if (bagnid == NID_pkcs7_encrypted) { 790 if (options & INFO) { 791 BIO_printf(bio_err, "PKCS7 Encrypted data: "); 792 alg_print(bio_err, p7->d.encrypted->enc_data->algorithm); 793 } 794 bags = PKCS12_unpack_p7encdata(p7, pass, passlen); 795 } else 796 continue; 797 if (!bags) 798 goto err; 799 if (!dump_certs_pkeys_bags(out, bags, pass, passlen, 800 options, pempass)) { 801 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 802 goto err; 803 } 804 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 805 bags = NULL; 806 } 807 ret = 1; 808 809 err: 810 811 if (asafes) 812 sk_PKCS7_pop_free(asafes, PKCS7_free); 813 return ret; 814 } 815 816 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, 817 char *pass, int passlen, int options, char *pempass) 818 { 819 int i; 820 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 821 if (!dump_certs_pkeys_bag(out, 822 sk_PKCS12_SAFEBAG_value(bags, i), 823 pass, passlen, options, pempass)) 824 return 0; 825 } 826 return 1; 827 } 828 829 int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, 830 int passlen, int options, char *pempass) 831 { 832 EVP_PKEY *pkey; 833 PKCS8_PRIV_KEY_INFO *p8; 834 X509 *x509; 835 int ret = 0; 836 837 switch (M_PKCS12_bag_type(bag)) { 838 case NID_keyBag: 839 if (options & INFO) 840 BIO_printf(bio_err, "Key bag\n"); 841 if (options & NOKEYS) 842 return 1; 843 print_attribs(out, bag->attrib, "Bag Attributes"); 844 p8 = bag->value.keybag; 845 if (!(pkey = EVP_PKCS82PKEY(p8))) 846 return 0; 847 print_attribs(out, p8->attributes, "Key Attributes"); 848 ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); 849 EVP_PKEY_free(pkey); 850 break; 851 852 case NID_pkcs8ShroudedKeyBag: 853 if (options & INFO) { 854 BIO_printf(bio_err, "Shrouded Keybag: "); 855 alg_print(bio_err, bag->value.shkeybag->algor); 856 } 857 if (options & NOKEYS) 858 return 1; 859 print_attribs(out, bag->attrib, "Bag Attributes"); 860 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen))) 861 return 0; 862 if (!(pkey = EVP_PKCS82PKEY(p8))) { 863 PKCS8_PRIV_KEY_INFO_free(p8); 864 return 0; 865 } 866 print_attribs(out, p8->attributes, "Key Attributes"); 867 PKCS8_PRIV_KEY_INFO_free(p8); 868 ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); 869 EVP_PKEY_free(pkey); 870 break; 871 872 case NID_certBag: 873 if (options & INFO) 874 BIO_printf(bio_err, "Certificate bag\n"); 875 if (options & NOCERTS) 876 return 1; 877 if (PKCS12_get_attr(bag, NID_localKeyID)) { 878 if (options & CACERTS) 879 return 1; 880 } else if (options & CLCERTS) 881 return 1; 882 print_attribs(out, bag->attrib, "Bag Attributes"); 883 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate) 884 return 1; 885 if (!(x509 = PKCS12_certbag2x509(bag))) 886 return 0; 887 dump_cert_text(out, x509); 888 ret = PEM_write_bio_X509(out, x509); 889 X509_free(x509); 890 break; 891 892 case NID_safeContentsBag: 893 if (options & INFO) 894 BIO_printf(bio_err, "Safe Contents bag\n"); 895 print_attribs(out, bag->attrib, "Bag Attributes"); 896 return dump_certs_pkeys_bags(out, bag->value.safes, pass, 897 passlen, options, pempass); 898 899 default: 900 BIO_printf(bio_err, "Warning unsupported bag type: "); 901 i2a_ASN1_OBJECT(bio_err, bag->type); 902 BIO_printf(bio_err, "\n"); 903 return 1; 904 break; 905 } 906 return ret; 907 } 908 909 /* Given a single certificate return a verified chain or NULL if error */ 910 911 static int get_cert_chain(X509 *cert, X509_STORE *store, 912 STACK_OF(X509) **chain) 913 { 914 X509_STORE_CTX store_ctx; 915 STACK_OF(X509) *chn = NULL; 916 int i = 0; 917 918 if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) { 919 *chain = NULL; 920 return X509_V_ERR_UNSPECIFIED; 921 } 922 923 if (X509_verify_cert(&store_ctx) > 0) 924 chn = X509_STORE_CTX_get1_chain(&store_ctx); 925 else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0) 926 i = X509_V_ERR_UNSPECIFIED; 927 928 X509_STORE_CTX_cleanup(&store_ctx); 929 *chain = chn; 930 return i; 931 } 932 933 int alg_print(BIO *x, X509_ALGOR *alg) 934 { 935 int pbenid, aparamtype; 936 ASN1_OBJECT *aoid; 937 void *aparam; 938 PBEPARAM *pbe = NULL; 939 940 X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg); 941 942 pbenid = OBJ_obj2nid(aoid); 943 944 BIO_printf(x, "%s", OBJ_nid2ln(pbenid)); 945 946 /* 947 * If PBE algorithm is PBES2 decode algorithm parameters 948 * for additional details. 949 */ 950 if (pbenid == NID_pbes2) { 951 PBE2PARAM *pbe2 = NULL; 952 int encnid; 953 if (aparamtype == V_ASN1_SEQUENCE) 954 pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM)); 955 if (pbe2 == NULL) { 956 BIO_puts(x, "<unsupported parameters>"); 957 goto done; 958 } 959 X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc); 960 pbenid = OBJ_obj2nid(aoid); 961 X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption); 962 encnid = OBJ_obj2nid(aoid); 963 BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid), 964 OBJ_nid2sn(encnid)); 965 /* If KDF is PBKDF2 decode parameters */ 966 if (pbenid == NID_id_pbkdf2) { 967 PBKDF2PARAM *kdf = NULL; 968 int prfnid; 969 if (aparamtype == V_ASN1_SEQUENCE) 970 kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM)); 971 if (kdf == NULL) { 972 BIO_puts(x, "<unsupported parameters>"); 973 goto done; 974 } 975 976 if (kdf->prf == NULL) { 977 prfnid = NID_hmacWithSHA1; 978 } else { 979 X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf); 980 prfnid = OBJ_obj2nid(aoid); 981 } 982 BIO_printf(x, ", Iteration %ld, PRF %s", 983 ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid)); 984 PBKDF2PARAM_free(kdf); 985 } 986 PBE2PARAM_free(pbe2); 987 } else { 988 if (aparamtype == V_ASN1_SEQUENCE) 989 pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM)); 990 if (pbe == NULL) { 991 BIO_puts(x, "<unsupported parameters>"); 992 goto done; 993 } 994 BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter)); 995 PBEPARAM_free(pbe); 996 } 997 done: 998 BIO_puts(x, "\n"); 999 return 1; 1000 } 1001 1002 /* Load all certificates from a given file */ 1003 1004 int cert_load(BIO *in, STACK_OF(X509) *sk) 1005 { 1006 int ret; 1007 X509 *cert; 1008 ret = 0; 1009 # ifdef CRYPTO_MDEBUG 1010 CRYPTO_push_info("cert_load(): reading one cert"); 1011 # endif 1012 while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { 1013 # ifdef CRYPTO_MDEBUG 1014 CRYPTO_pop_info(); 1015 # endif 1016 ret = 1; 1017 sk_X509_push(sk, cert); 1018 # ifdef CRYPTO_MDEBUG 1019 CRYPTO_push_info("cert_load(): reading one cert"); 1020 # endif 1021 } 1022 # ifdef CRYPTO_MDEBUG 1023 CRYPTO_pop_info(); 1024 # endif 1025 if (ret) 1026 ERR_clear_error(); 1027 return ret; 1028 } 1029 1030 /* Generalised attribute print: handle PKCS#8 and bag attributes */ 1031 1032 int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, 1033 const char *name) 1034 { 1035 X509_ATTRIBUTE *attr; 1036 ASN1_TYPE *av; 1037 char *value; 1038 int i, attr_nid; 1039 if (!attrlst) { 1040 BIO_printf(out, "%s: <No Attributes>\n", name); 1041 return 1; 1042 } 1043 if (!sk_X509_ATTRIBUTE_num(attrlst)) { 1044 BIO_printf(out, "%s: <Empty Attributes>\n", name); 1045 return 1; 1046 } 1047 BIO_printf(out, "%s\n", name); 1048 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) { 1049 attr = sk_X509_ATTRIBUTE_value(attrlst, i); 1050 attr_nid = OBJ_obj2nid(attr->object); 1051 BIO_printf(out, " "); 1052 if (attr_nid == NID_undef) { 1053 i2a_ASN1_OBJECT(out, attr->object); 1054 BIO_printf(out, ": "); 1055 } else 1056 BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid)); 1057 1058 if (sk_ASN1_TYPE_num(attr->value.set)) { 1059 av = sk_ASN1_TYPE_value(attr->value.set, 0); 1060 switch (av->type) { 1061 case V_ASN1_BMPSTRING: 1062 value = OPENSSL_uni2asc(av->value.bmpstring->data, 1063 av->value.bmpstring->length); 1064 BIO_printf(out, "%s\n", value); 1065 OPENSSL_free(value); 1066 break; 1067 1068 case V_ASN1_OCTET_STRING: 1069 hex_prin(out, av->value.octet_string->data, 1070 av->value.octet_string->length); 1071 BIO_printf(out, "\n"); 1072 break; 1073 1074 case V_ASN1_BIT_STRING: 1075 hex_prin(out, av->value.bit_string->data, 1076 av->value.bit_string->length); 1077 BIO_printf(out, "\n"); 1078 break; 1079 1080 default: 1081 BIO_printf(out, "<Unsupported tag %d>\n", av->type); 1082 break; 1083 } 1084 } else 1085 BIO_printf(out, "<No Values>\n"); 1086 } 1087 return 1; 1088 } 1089 1090 void hex_prin(BIO *out, unsigned char *buf, int len) 1091 { 1092 int i; 1093 for (i = 0; i < len; i++) 1094 BIO_printf(out, "%02X ", buf[i]); 1095 } 1096 1097 static int set_pbe(BIO *err, int *ppbe, const char *str) 1098 { 1099 if (!str) 1100 return 0; 1101 if (!strcmp(str, "NONE")) { 1102 *ppbe = -1; 1103 return 1; 1104 } 1105 *ppbe = OBJ_txt2nid(str); 1106 if (*ppbe == NID_undef) { 1107 BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str); 1108 return 0; 1109 } 1110 return 1; 1111 } 1112 1113 #endif 1114