1 /* pkcs8.c */ 2 /* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 4 * 1999-2004. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 #include <stdio.h> 60 #include <string.h> 61 #include "apps.h" 62 #include <openssl/pem.h> 63 #include <openssl/err.h> 64 #include <openssl/evp.h> 65 #include <openssl/pkcs12.h> 66 67 #define PROG pkcs8_main 68 69 int MAIN(int, char **); 70 71 int MAIN(int argc, char **argv) 72 { 73 ENGINE *e = NULL; 74 char **args, *infile = NULL, *outfile = NULL; 75 char *passargin = NULL, *passargout = NULL; 76 BIO *in = NULL, *out = NULL; 77 int topk8 = 0; 78 int pbe_nid = -1; 79 const EVP_CIPHER *cipher = NULL; 80 int iter = PKCS12_DEFAULT_ITER; 81 int informat, outformat; 82 int p8_broken = PKCS8_OK; 83 int nocrypt = 0; 84 X509_SIG *p8 = NULL; 85 PKCS8_PRIV_KEY_INFO *p8inf = NULL; 86 EVP_PKEY *pkey = NULL; 87 char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; 88 int badarg = 0; 89 int ret = 1; 90 #ifndef OPENSSL_NO_ENGINE 91 char *engine = NULL; 92 #endif 93 94 if (bio_err == NULL) 95 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); 96 97 if (!load_config(bio_err, NULL)) 98 goto end; 99 100 informat = FORMAT_PEM; 101 outformat = FORMAT_PEM; 102 103 ERR_load_crypto_strings(); 104 OpenSSL_add_all_algorithms(); 105 args = argv + 1; 106 while (!badarg && *args && *args[0] == '-') { 107 if (!strcmp(*args, "-v2")) { 108 if (args[1]) { 109 args++; 110 cipher = EVP_get_cipherbyname(*args); 111 if (!cipher) { 112 BIO_printf(bio_err, "Unknown cipher %s\n", *args); 113 badarg = 1; 114 } 115 } else 116 badarg = 1; 117 } else if (!strcmp(*args, "-v1")) { 118 if (args[1]) { 119 args++; 120 pbe_nid = OBJ_txt2nid(*args); 121 if (pbe_nid == NID_undef) { 122 BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); 123 badarg = 1; 124 } 125 } else 126 badarg = 1; 127 } else if (!strcmp(*args, "-inform")) { 128 if (args[1]) { 129 args++; 130 informat = str2fmt(*args); 131 } else 132 badarg = 1; 133 } else if (!strcmp(*args, "-outform")) { 134 if (args[1]) { 135 args++; 136 outformat = str2fmt(*args); 137 } else 138 badarg = 1; 139 } else if (!strcmp(*args, "-topk8")) 140 topk8 = 1; 141 else if (!strcmp(*args, "-noiter")) 142 iter = 1; 143 else if (!strcmp(*args, "-nocrypt")) 144 nocrypt = 1; 145 else if (!strcmp(*args, "-nooct")) 146 p8_broken = PKCS8_NO_OCTET; 147 else if (!strcmp(*args, "-nsdb")) 148 p8_broken = PKCS8_NS_DB; 149 else if (!strcmp(*args, "-embed")) 150 p8_broken = PKCS8_EMBEDDED_PARAM; 151 else if (!strcmp(*args, "-passin")) { 152 if (!args[1]) 153 goto bad; 154 passargin = *(++args); 155 } else if (!strcmp(*args, "-passout")) { 156 if (!args[1]) 157 goto bad; 158 passargout = *(++args); 159 } 160 #ifndef OPENSSL_NO_ENGINE 161 else if (strcmp(*args, "-engine") == 0) { 162 if (!args[1]) 163 goto bad; 164 engine = *(++args); 165 } 166 #endif 167 else if (!strcmp(*args, "-in")) { 168 if (args[1]) { 169 args++; 170 infile = *args; 171 } else 172 badarg = 1; 173 } else if (!strcmp(*args, "-out")) { 174 if (args[1]) { 175 args++; 176 outfile = *args; 177 } else 178 badarg = 1; 179 } else 180 badarg = 1; 181 args++; 182 } 183 184 if (badarg) { 185 bad: 186 BIO_printf(bio_err, "Usage pkcs8 [options]\n"); 187 BIO_printf(bio_err, "where options are\n"); 188 BIO_printf(bio_err, "-in file input file\n"); 189 BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); 190 BIO_printf(bio_err, 191 "-passin arg input file pass phrase source\n"); 192 BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); 193 BIO_printf(bio_err, "-out file output file\n"); 194 BIO_printf(bio_err, 195 "-passout arg output file pass phrase source\n"); 196 BIO_printf(bio_err, "-topk8 output PKCS8 file\n"); 197 BIO_printf(bio_err, 198 "-nooct use (nonstandard) no octet format\n"); 199 BIO_printf(bio_err, 200 "-embed use (nonstandard) embedded DSA parameters format\n"); 201 BIO_printf(bio_err, 202 "-nsdb use (nonstandard) DSA Netscape DB format\n"); 203 BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); 204 BIO_printf(bio_err, 205 "-nocrypt use or expect unencrypted private key\n"); 206 BIO_printf(bio_err, 207 "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); 208 BIO_printf(bio_err, 209 "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); 210 #ifndef OPENSSL_NO_ENGINE 211 BIO_printf(bio_err, 212 " -engine e use engine e, possibly a hardware device.\n"); 213 #endif 214 goto end; 215 } 216 #ifndef OPENSSL_NO_ENGINE 217 e = setup_engine(bio_err, engine, 0); 218 #endif 219 220 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { 221 BIO_printf(bio_err, "Error getting passwords\n"); 222 goto end; 223 } 224 225 if ((pbe_nid == -1) && !cipher) 226 pbe_nid = NID_pbeWithMD5AndDES_CBC; 227 228 if (infile) { 229 if (!(in = BIO_new_file(infile, "rb"))) { 230 BIO_printf(bio_err, "Can't open input file %s\n", infile); 231 goto end; 232 } 233 } else 234 in = BIO_new_fp(stdin, BIO_NOCLOSE); 235 236 if (outfile) { 237 if (!(out = BIO_new_file(outfile, "wb"))) { 238 BIO_printf(bio_err, "Can't open output file %s\n", outfile); 239 goto end; 240 } 241 } else { 242 out = BIO_new_fp(stdout, BIO_NOCLOSE); 243 #ifdef OPENSSL_SYS_VMS 244 { 245 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 246 out = BIO_push(tmpbio, out); 247 } 248 #endif 249 } 250 if (topk8) { 251 pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); 252 if (!pkey) 253 goto end; 254 if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { 255 BIO_printf(bio_err, "Error converting key\n"); 256 ERR_print_errors(bio_err); 257 goto end; 258 } 259 if (nocrypt) { 260 if (outformat == FORMAT_PEM) 261 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf); 262 else if (outformat == FORMAT_ASN1) 263 i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf); 264 else { 265 BIO_printf(bio_err, "Bad format specified for key\n"); 266 goto end; 267 } 268 } else { 269 if (passout) 270 p8pass = passout; 271 else { 272 p8pass = pass; 273 if (EVP_read_pw_string 274 (pass, sizeof pass, "Enter Encryption Password:", 1)) 275 goto end; 276 } 277 app_RAND_load_file(NULL, bio_err, 0); 278 if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, 279 p8pass, strlen(p8pass), 280 NULL, 0, iter, p8inf))) { 281 BIO_printf(bio_err, "Error encrypting key\n"); 282 ERR_print_errors(bio_err); 283 goto end; 284 } 285 app_RAND_write_file(NULL, bio_err); 286 if (outformat == FORMAT_PEM) 287 PEM_write_bio_PKCS8(out, p8); 288 else if (outformat == FORMAT_ASN1) 289 i2d_PKCS8_bio(out, p8); 290 else { 291 BIO_printf(bio_err, "Bad format specified for key\n"); 292 goto end; 293 } 294 } 295 296 ret = 0; 297 goto end; 298 } 299 300 if (nocrypt) { 301 if (informat == FORMAT_PEM) 302 p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL); 303 else if (informat == FORMAT_ASN1) 304 p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL); 305 else { 306 BIO_printf(bio_err, "Bad format specified for key\n"); 307 goto end; 308 } 309 } else { 310 if (informat == FORMAT_PEM) 311 p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL); 312 else if (informat == FORMAT_ASN1) 313 p8 = d2i_PKCS8_bio(in, NULL); 314 else { 315 BIO_printf(bio_err, "Bad format specified for key\n"); 316 goto end; 317 } 318 319 if (!p8) { 320 BIO_printf(bio_err, "Error reading key\n"); 321 ERR_print_errors(bio_err); 322 goto end; 323 } 324 if (passin) 325 p8pass = passin; 326 else { 327 p8pass = pass; 328 EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0); 329 } 330 p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass)); 331 } 332 333 if (!p8inf) { 334 BIO_printf(bio_err, "Error decrypting key\n"); 335 ERR_print_errors(bio_err); 336 goto end; 337 } 338 339 if (!(pkey = EVP_PKCS82PKEY(p8inf))) { 340 BIO_printf(bio_err, "Error converting key\n"); 341 ERR_print_errors(bio_err); 342 goto end; 343 } 344 345 if (p8inf->broken) { 346 BIO_printf(bio_err, "Warning: broken key encoding: "); 347 switch (p8inf->broken) { 348 case PKCS8_NO_OCTET: 349 BIO_printf(bio_err, "No Octet String in PrivateKey\n"); 350 break; 351 352 case PKCS8_EMBEDDED_PARAM: 353 BIO_printf(bio_err, "DSA parameters included in PrivateKey\n"); 354 break; 355 356 case PKCS8_NS_DB: 357 BIO_printf(bio_err, "DSA public key include in PrivateKey\n"); 358 break; 359 360 case PKCS8_NEG_PRIVKEY: 361 BIO_printf(bio_err, "DSA private key value is negative\n"); 362 break; 363 364 default: 365 BIO_printf(bio_err, "Unknown broken type\n"); 366 break; 367 } 368 } 369 370 if (outformat == FORMAT_PEM) 371 PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout); 372 else if (outformat == FORMAT_ASN1) 373 i2d_PrivateKey_bio(out, pkey); 374 else { 375 BIO_printf(bio_err, "Bad format specified for key\n"); 376 goto end; 377 } 378 ret = 0; 379 380 end: 381 X509_SIG_free(p8); 382 PKCS8_PRIV_KEY_INFO_free(p8inf); 383 EVP_PKEY_free(pkey); 384 BIO_free_all(out); 385 BIO_free(in); 386 if (passin) 387 OPENSSL_free(passin); 388 if (passout) 389 OPENSSL_free(passout); 390 391 return ret; 392 } 393