xref: /freebsd/crypto/openssl/apps/storeutl.c (revision 2a58b312b62f908ec92311d1bd8536dbaeb8e55b)
1 /*
2  * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/opensslconf.h>
11 
12 #include "apps.h"
13 #include "progs.h"
14 #include <openssl/err.h>
15 #include <openssl/pem.h>
16 #include <openssl/store.h>
17 #include <openssl/x509v3.h>      /* s2i_ASN1_INTEGER */
18 
19 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
20                    int expected, int criterion, OSSL_STORE_SEARCH *search,
21                    int text, int noout, int recursive, int indent, BIO *out,
22                    const char *prog);
23 
24 typedef enum OPTION_choice {
25     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, OPT_OUT, OPT_PASSIN,
26     OPT_NOOUT, OPT_TEXT, OPT_RECURSIVE,
27     OPT_SEARCHFOR_CERTS, OPT_SEARCHFOR_KEYS, OPT_SEARCHFOR_CRLS,
28     OPT_CRITERION_SUBJECT, OPT_CRITERION_ISSUER, OPT_CRITERION_SERIAL,
29     OPT_CRITERION_FINGERPRINT, OPT_CRITERION_ALIAS,
30     OPT_MD
31 } OPTION_CHOICE;
32 
33 const OPTIONS storeutl_options[] = {
34     {OPT_HELP_STR, 1, '-', "Usage: %s [options] uri\nValid options are:\n"},
35     {"help", OPT_HELP, '-', "Display this summary"},
36     {"out", OPT_OUT, '>', "Output file - default stdout"},
37     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
38     {"text", OPT_TEXT, '-', "Print a text form of the objects"},
39     {"noout", OPT_NOOUT, '-', "No PEM output, just status"},
40     {"certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only"},
41     {"keys", OPT_SEARCHFOR_KEYS, '-', "Search for keys only"},
42     {"crls", OPT_SEARCHFOR_CRLS, '-', "Search for CRLs only"},
43     {"subject", OPT_CRITERION_SUBJECT, 's', "Search by subject"},
44     {"issuer", OPT_CRITERION_ISSUER, 's', "Search by issuer and serial, issuer name"},
45     {"serial", OPT_CRITERION_SERIAL, 's', "Search by issuer and serial, serial number"},
46     {"fingerprint", OPT_CRITERION_FINGERPRINT, 's', "Search by public key fingerprint, given in hex"},
47     {"alias", OPT_CRITERION_ALIAS, 's', "Search by alias"},
48     {"", OPT_MD, '-', "Any supported digest"},
49 #ifndef OPENSSL_NO_ENGINE
50     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
51 #endif
52     {"r", OPT_RECURSIVE, '-', "Recurse through names"},
53     {NULL}
54 };
55 
56 int storeutl_main(int argc, char *argv[])
57 {
58     int ret = 1, noout = 0, text = 0, recursive = 0;
59     char *outfile = NULL, *passin = NULL, *passinarg = NULL;
60     BIO *out = NULL;
61     ENGINE *e = NULL;
62     OPTION_CHOICE o;
63     char *prog = opt_init(argc, argv, storeutl_options);
64     PW_CB_DATA pw_cb_data;
65     int expected = 0;
66     int criterion = 0;
67     X509_NAME *subject = NULL, *issuer = NULL;
68     ASN1_INTEGER *serial = NULL;
69     unsigned char *fingerprint = NULL;
70     size_t fingerprintlen = 0;
71     char *alias = NULL;
72     OSSL_STORE_SEARCH *search = NULL;
73     const EVP_MD *digest = NULL;
74 
75     while ((o = opt_next()) != OPT_EOF) {
76         switch (o) {
77         case OPT_EOF:
78         case OPT_ERR:
79  opthelp:
80             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
81             goto end;
82         case OPT_HELP:
83             opt_help(storeutl_options);
84             ret = 0;
85             goto end;
86         case OPT_OUT:
87             outfile = opt_arg();
88             break;
89         case OPT_PASSIN:
90             passinarg = opt_arg();
91             break;
92         case OPT_NOOUT:
93             noout = 1;
94             break;
95         case OPT_TEXT:
96             text = 1;
97             break;
98         case OPT_RECURSIVE:
99             recursive = 1;
100             break;
101         case OPT_SEARCHFOR_CERTS:
102         case OPT_SEARCHFOR_KEYS:
103         case OPT_SEARCHFOR_CRLS:
104             if (expected != 0) {
105                 BIO_printf(bio_err, "%s: only one search type can be given.\n",
106                            prog);
107                 goto end;
108             }
109             {
110                 static const struct {
111                     enum OPTION_choice choice;
112                     int type;
113                 } map[] = {
114                     {OPT_SEARCHFOR_CERTS, OSSL_STORE_INFO_CERT},
115                     {OPT_SEARCHFOR_KEYS, OSSL_STORE_INFO_PKEY},
116                     {OPT_SEARCHFOR_CRLS, OSSL_STORE_INFO_CRL},
117                 };
118                 size_t i;
119 
120                 for (i = 0; i < OSSL_NELEM(map); i++) {
121                     if (o == map[i].choice) {
122                         expected = map[i].type;
123                         break;
124                     }
125                 }
126                 /*
127                  * If expected wasn't set at this point, it means the map
128                  * isn't synchronised with the possible options leading here.
129                  */
130                 OPENSSL_assert(expected != 0);
131             }
132             break;
133         case OPT_CRITERION_SUBJECT:
134             if (criterion != 0) {
135                 BIO_printf(bio_err, "%s: criterion already given.\n",
136                            prog);
137                 goto end;
138             }
139             criterion = OSSL_STORE_SEARCH_BY_NAME;
140             if (subject != NULL) {
141                 BIO_printf(bio_err, "%s: subject already given.\n",
142                            prog);
143                 goto end;
144             }
145             if ((subject = parse_name(opt_arg(), MBSTRING_UTF8, 1)) == NULL) {
146                 BIO_printf(bio_err, "%s: can't parse subject argument.\n",
147                            prog);
148                 goto end;
149             }
150             break;
151         case OPT_CRITERION_ISSUER:
152             if (criterion != 0
153                 || (criterion == OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
154                     && issuer != NULL)) {
155                 BIO_printf(bio_err, "%s: criterion already given.\n",
156                            prog);
157                 goto end;
158             }
159             criterion = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
160             if (issuer != NULL) {
161                 BIO_printf(bio_err, "%s: issuer already given.\n",
162                            prog);
163                 goto end;
164             }
165             if ((issuer = parse_name(opt_arg(), MBSTRING_UTF8, 1)) == NULL) {
166                 BIO_printf(bio_err, "%s: can't parse issuer argument.\n",
167                            prog);
168                 goto end;
169             }
170             break;
171         case OPT_CRITERION_SERIAL:
172             if (criterion != 0
173                 || (criterion == OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
174                     && serial != NULL)) {
175                 BIO_printf(bio_err, "%s: criterion already given.\n",
176                            prog);
177                 goto end;
178             }
179             criterion = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
180             if (serial != NULL) {
181                 BIO_printf(bio_err, "%s: serial number already given.\n",
182                            prog);
183                 goto end;
184             }
185             if ((serial = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) {
186                 BIO_printf(bio_err, "%s: can't parse serial number argument.\n",
187                            prog);
188                 goto end;
189             }
190             break;
191         case OPT_CRITERION_FINGERPRINT:
192             if (criterion != 0
193                 || (criterion == OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
194                     && fingerprint != NULL)) {
195                 BIO_printf(bio_err, "%s: criterion already given.\n",
196                            prog);
197                 goto end;
198             }
199             criterion = OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT;
200             if (fingerprint != NULL) {
201                 BIO_printf(bio_err, "%s: fingerprint already given.\n",
202                            prog);
203                 goto end;
204             }
205             {
206                 long tmplen = 0;
207 
208                 if ((fingerprint = OPENSSL_hexstr2buf(opt_arg(), &tmplen))
209                     == NULL) {
210                     BIO_printf(bio_err,
211                                "%s: can't parse fingerprint argument.\n",
212                                prog);
213                     goto end;
214                 }
215                 fingerprintlen = (size_t)tmplen;
216             }
217             break;
218         case OPT_CRITERION_ALIAS:
219             if (criterion != 0) {
220                 BIO_printf(bio_err, "%s: criterion already given.\n",
221                            prog);
222                 goto end;
223             }
224             criterion = OSSL_STORE_SEARCH_BY_ALIAS;
225             if (alias != NULL) {
226                 BIO_printf(bio_err, "%s: alias already given.\n",
227                            prog);
228                 goto end;
229             }
230             if ((alias = OPENSSL_strdup(opt_arg())) == NULL) {
231                 BIO_printf(bio_err, "%s: can't parse alias argument.\n",
232                            prog);
233                 goto end;
234             }
235             break;
236         case OPT_ENGINE:
237             e = setup_engine(opt_arg(), 0);
238             break;
239         case OPT_MD:
240             if (!opt_md(opt_unknown(), &digest))
241                 goto opthelp;
242         }
243     }
244     argc = opt_num_rest();
245     argv = opt_rest();
246 
247     if (argc == 0) {
248         BIO_printf(bio_err, "%s: No URI given, nothing to do...\n", prog);
249         goto opthelp;
250     }
251     if (argc > 1) {
252         BIO_printf(bio_err, "%s: Unknown extra parameters after URI\n", prog);
253         goto opthelp;
254     }
255 
256     if (criterion != 0) {
257         switch (criterion) {
258         case OSSL_STORE_SEARCH_BY_NAME:
259             if ((search = OSSL_STORE_SEARCH_by_name(subject)) == NULL) {
260                 ERR_print_errors(bio_err);
261                 goto end;
262             }
263             break;
264         case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
265             if (issuer == NULL || serial == NULL) {
266                 BIO_printf(bio_err,
267                            "%s: both -issuer and -serial must be given.\n",
268                            prog);
269                 goto end;
270             }
271             if ((search = OSSL_STORE_SEARCH_by_issuer_serial(issuer, serial))
272                 == NULL) {
273                 ERR_print_errors(bio_err);
274                 goto end;
275             }
276             break;
277         case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
278             if ((search = OSSL_STORE_SEARCH_by_key_fingerprint(digest,
279                                                                fingerprint,
280                                                                fingerprintlen))
281                 == NULL) {
282                 ERR_print_errors(bio_err);
283                 goto end;
284             }
285             break;
286         case OSSL_STORE_SEARCH_BY_ALIAS:
287             if ((search = OSSL_STORE_SEARCH_by_alias(alias)) == NULL) {
288                 ERR_print_errors(bio_err);
289                 goto end;
290             }
291             break;
292         }
293     }
294 
295     if (!app_passwd(passinarg, NULL, &passin, NULL)) {
296         BIO_printf(bio_err, "Error getting passwords\n");
297         goto end;
298     }
299     pw_cb_data.password = passin;
300     pw_cb_data.prompt_info = argv[0];
301 
302     out = bio_open_default(outfile, 'w', FORMAT_TEXT);
303     if (out == NULL)
304         goto end;
305 
306     ret = process(argv[0], get_ui_method(), &pw_cb_data,
307                   expected, criterion, search,
308                   text, noout, recursive, 0, out, prog);
309 
310  end:
311     OPENSSL_free(fingerprint);
312     OPENSSL_free(alias);
313     ASN1_INTEGER_free(serial);
314     X509_NAME_free(subject);
315     X509_NAME_free(issuer);
316     OSSL_STORE_SEARCH_free(search);
317     BIO_free_all(out);
318     OPENSSL_free(passin);
319     release_engine(e);
320     return ret;
321 }
322 
323 static int indent_printf(int indent, BIO *bio, const char *format, ...)
324 {
325     va_list args;
326     int ret;
327 
328     va_start(args, format);
329 
330     ret = BIO_printf(bio, "%*s", indent, "") + BIO_vprintf(bio, format, args);
331 
332     va_end(args);
333     return ret;
334 }
335 
336 static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
337                    int expected, int criterion, OSSL_STORE_SEARCH *search,
338                    int text, int noout, int recursive, int indent, BIO *out,
339                    const char *prog)
340 {
341     OSSL_STORE_CTX *store_ctx = NULL;
342     int ret = 1, items = 0;
343 
344     if ((store_ctx = OSSL_STORE_open(uri, uimeth, uidata, NULL, NULL))
345         == NULL) {
346         BIO_printf(bio_err, "Couldn't open file or uri %s\n", uri);
347         ERR_print_errors(bio_err);
348         return ret;
349     }
350 
351     if (expected != 0) {
352         if (!OSSL_STORE_expect(store_ctx, expected)) {
353             ERR_print_errors(bio_err);
354             goto end2;
355         }
356     }
357 
358     if (criterion != 0) {
359         if (!OSSL_STORE_supports_search(store_ctx, criterion)) {
360             BIO_printf(bio_err,
361                        "%s: the store scheme doesn't support the given search criteria.\n",
362                        prog);
363             goto end2;
364         }
365 
366         if (!OSSL_STORE_find(store_ctx, search)) {
367             ERR_print_errors(bio_err);
368             goto end2;
369         }
370     }
371 
372     /* From here on, we count errors, and we'll return the count at the end */
373     ret = 0;
374 
375     for (;;) {
376         OSSL_STORE_INFO *info = OSSL_STORE_load(store_ctx);
377         int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
378         const char *infostr =
379             info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
380 
381         if (info == NULL) {
382             if (OSSL_STORE_eof(store_ctx))
383                 break;
384 
385             if (OSSL_STORE_error(store_ctx)) {
386                 if (recursive)
387                     ERR_clear_error();
388                 else
389                     ERR_print_errors(bio_err);
390                 ret++;
391                 continue;
392             }
393 
394             BIO_printf(bio_err,
395                        "ERROR: OSSL_STORE_load() returned NULL without "
396                        "eof or error indications\n");
397             BIO_printf(bio_err, "       This is an error in the loader\n");
398             ERR_print_errors(bio_err);
399             ret++;
400             break;
401         }
402 
403         if (type == OSSL_STORE_INFO_NAME) {
404             const char *name = OSSL_STORE_INFO_get0_NAME(info);
405             const char *desc = OSSL_STORE_INFO_get0_NAME_description(info);
406             indent_printf(indent, bio_out, "%d: %s: %s\n", items, infostr,
407                           name);
408             if (desc != NULL)
409                 indent_printf(indent, bio_out, "%s\n", desc);
410         } else {
411             indent_printf(indent, bio_out, "%d: %s\n", items, infostr);
412         }
413 
414         /*
415          * Unfortunately, PEM_X509_INFO_write_bio() is sorely lacking in
416          * functionality, so we must figure out how exactly to write things
417          * ourselves...
418          */
419         switch (type) {
420         case OSSL_STORE_INFO_NAME:
421             if (recursive) {
422                 const char *suburi = OSSL_STORE_INFO_get0_NAME(info);
423                 ret += process(suburi, uimeth, uidata,
424                                expected, criterion, search,
425                                text, noout, recursive, indent + 2, out, prog);
426             }
427             break;
428         case OSSL_STORE_INFO_PARAMS:
429             if (text)
430                 EVP_PKEY_print_params(out, OSSL_STORE_INFO_get0_PARAMS(info),
431                                       0, NULL);
432             if (!noout)
433                 PEM_write_bio_Parameters(out,
434                                          OSSL_STORE_INFO_get0_PARAMS(info));
435             break;
436         case OSSL_STORE_INFO_PKEY:
437             if (text)
438                 EVP_PKEY_print_private(out, OSSL_STORE_INFO_get0_PKEY(info),
439                                        0, NULL);
440             if (!noout)
441                 PEM_write_bio_PrivateKey(out, OSSL_STORE_INFO_get0_PKEY(info),
442                                          NULL, NULL, 0, NULL, NULL);
443             break;
444         case OSSL_STORE_INFO_CERT:
445             if (text)
446                 X509_print(out, OSSL_STORE_INFO_get0_CERT(info));
447             if (!noout)
448                 PEM_write_bio_X509(out, OSSL_STORE_INFO_get0_CERT(info));
449             break;
450         case OSSL_STORE_INFO_CRL:
451             if (text)
452                 X509_CRL_print(out, OSSL_STORE_INFO_get0_CRL(info));
453             if (!noout)
454                 PEM_write_bio_X509_CRL(out, OSSL_STORE_INFO_get0_CRL(info));
455             break;
456         default:
457             BIO_printf(bio_err, "!!! Unknown code\n");
458             ret++;
459             break;
460         }
461         items++;
462         OSSL_STORE_INFO_free(info);
463     }
464     indent_printf(indent, out, "Total found: %d\n", items);
465 
466  end2:
467     if (!OSSL_STORE_close(store_ctx)) {
468         ERR_print_errors(bio_err);
469         ret++;
470     }
471 
472     return ret;
473 }
474