1/* pkcs12.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60#include <openssl/opensslconf.h> 61#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1) 62 63# include <stdio.h> 64# include <stdlib.h> 65# include <string.h> 66# include "apps.h" 67# include <openssl/crypto.h> 68# include <openssl/err.h> 69# include <openssl/pem.h> 70# include <openssl/pkcs12.h> 71 72# ifdef OPENSSL_SYS_NETWARE 73/* Rename these functions to avoid name clashes on NetWare OS */ 74# define uni2asc OPENSSL_uni2asc 75# define asc2uni OPENSSL_asc2uni 76# endif 77 78# define PROG pkcs12_main 79 80const EVP_CIPHER *enc; 81 82# define NOKEYS 0x1 83# define NOCERTS 0x2 84# define INFO 0x4 85# define CLCERTS 0x8 86# define CACERTS 0x10 87 88int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); 89int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, 90 int options, char *pempass); 91int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, 92 char *pass, int passlen, int options, 93 char *pempass); 94int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, 95 int passlen, int options, char *pempass); 96int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, 97 const char *name); 98void hex_prin(BIO *out, unsigned char *buf, int len); 99int alg_print(BIO *x, X509_ALGOR *alg); 100int cert_load(BIO *in, STACK_OF(X509) *sk); 101 102int MAIN(int, char **); 103 104int MAIN(int argc, char **argv) 105{ 106 ENGINE *e = NULL; 107 char *infile = NULL, *outfile = NULL, *keyname = NULL; 108 char *certfile = NULL; 109 BIO *in = NULL, *out = NULL; 110 char **args; 111 char *name = NULL; 112 char *csp_name = NULL; 113 int add_lmk = 0; 114 PKCS12 *p12 = NULL; 115 char pass[50], macpass[50]; 116 int export_cert = 0; 117 int options = 0; 118 int chain = 0; 119 int badarg = 0; 120 int iter = PKCS12_DEFAULT_ITER; 121 int maciter = PKCS12_DEFAULT_ITER; 122 int twopass = 0; 123 int keytype = 0; 124 int cert_pbe; 125 int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 126 int ret = 1; 127 int macver = 1; 128 int noprompt = 0; 129 STACK *canames = NULL; 130 char *cpass = NULL, *mpass = NULL; 131 char *passargin = NULL, *passargout = NULL, *passarg = NULL; 132 char *passin = NULL, *passout = NULL; 133 char *inrand = NULL; 134 char *CApath = NULL, *CAfile = NULL; 135# ifndef OPENSSL_NO_ENGINE 136 char *engine = NULL; 137# endif 138 139 apps_startup(); 140 141# ifdef OPENSSL_FIPS 142 if (FIPS_mode()) 143 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 144 else 145# endif 146 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; 147 148 enc = EVP_des_ede3_cbc(); 149 if (bio_err == NULL) 150 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); 151 152 if (!load_config(bio_err, NULL)) 153 goto end; 154 155 args = argv + 1; 156 157 while (*args) { 158 if (*args[0] == '-') { 159 if (!strcmp(*args, "-nokeys")) 160 options |= NOKEYS; 161 else if (!strcmp(*args, "-keyex")) 162 keytype = KEY_EX; 163 else if (!strcmp(*args, "-keysig")) 164 keytype = KEY_SIG; 165 else if (!strcmp(*args, "-nocerts")) 166 options |= NOCERTS; 167 else if (!strcmp(*args, "-clcerts")) 168 options |= CLCERTS; 169 else if (!strcmp(*args, "-cacerts")) 170 options |= CACERTS; 171 else if (!strcmp(*args, "-noout")) 172 options |= (NOKEYS | NOCERTS); 173 else if (!strcmp(*args, "-info")) 174 options |= INFO; 175 else if (!strcmp(*args, "-chain")) 176 chain = 1; 177 else if (!strcmp(*args, "-twopass")) 178 twopass = 1; 179 else if (!strcmp(*args, "-nomacver")) 180 macver = 0; 181 else if (!strcmp(*args, "-descert")) 182 cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 183 else if (!strcmp(*args, "-export")) 184 export_cert = 1; 185 else if (!strcmp(*args, "-des")) 186 enc = EVP_des_cbc(); 187 else if (!strcmp(*args, "-des3")) 188 enc = EVP_des_ede3_cbc(); 189# ifndef OPENSSL_NO_IDEA 190 else if (!strcmp(*args, "-idea")) 191 enc = EVP_idea_cbc(); 192# endif 193# ifndef OPENSSL_NO_SEED 194 else if (!strcmp(*args, "-seed")) 195 enc = EVP_seed_cbc(); 196# endif 197# ifndef OPENSSL_NO_AES 198 else if (!strcmp(*args, "-aes128")) 199 enc = EVP_aes_128_cbc(); 200 else if (!strcmp(*args, "-aes192")) 201 enc = EVP_aes_192_cbc(); 202 else if (!strcmp(*args, "-aes256")) 203 enc = EVP_aes_256_cbc(); 204# endif 205# ifndef OPENSSL_NO_CAMELLIA 206 else if (!strcmp(*args, "-camellia128")) 207 enc = EVP_camellia_128_cbc(); 208 else if (!strcmp(*args, "-camellia192")) 209 enc = EVP_camellia_192_cbc(); 210 else if (!strcmp(*args, "-camellia256")) 211 enc = EVP_camellia_256_cbc(); 212# endif 213 else if (!strcmp(*args, "-noiter")) 214 iter = 1; 215 else if (!strcmp(*args, "-maciter")) 216 maciter = PKCS12_DEFAULT_ITER; 217 else if (!strcmp(*args, "-nomaciter")) 218 maciter = 1; 219 else if (!strcmp(*args, "-nomac")) 220 maciter = -1; 221 else if (!strcmp(*args, "-nodes")) 222 enc = NULL; 223 else if (!strcmp(*args, "-certpbe")) { 224 if (args[1]) { 225 args++; 226 if (!strcmp(*args, "NONE")) 227 cert_pbe = -1; 228 else 229 cert_pbe = OBJ_txt2nid(*args); 230 if (cert_pbe == NID_undef) { 231 BIO_printf(bio_err, 232 "Unknown PBE algorithm %s\n", *args); 233 badarg = 1; 234 } 235 } else 236 badarg = 1; 237 } else if (!strcmp(*args, "-keypbe")) { 238 if (args[1]) { 239 args++; 240 if (!strcmp(*args, "NONE")) 241 key_pbe = -1; 242 else 243 key_pbe = OBJ_txt2nid(*args); 244 if (key_pbe == NID_undef) { 245 BIO_printf(bio_err, 246 "Unknown PBE algorithm %s\n", *args); 247 badarg = 1; 248 } 249 } else 250 badarg = 1; 251 } else if (!strcmp(*args, "-rand")) { 252 if (args[1]) { 253 args++; 254 inrand = *args; 255 } else 256 badarg = 1; 257 } else if (!strcmp(*args, "-inkey")) { 258 if (args[1]) { 259 args++; 260 keyname = *args; 261 } else 262 badarg = 1; 263 } else if (!strcmp(*args, "-certfile")) { 264 if (args[1]) { 265 args++; 266 certfile = *args; 267 } else 268 badarg = 1; 269 } else if (!strcmp(*args, "-name")) { 270 if (args[1]) { 271 args++; 272 name = *args; 273 } else 274 badarg = 1; 275 } else if (!strcmp(*args, "-LMK")) 276 add_lmk = 1; 277 else if (!strcmp(*args, "-CSP")) { 278 if (args[1]) { 279 args++; 280 csp_name = *args; 281 } else 282 badarg = 1; 283 } else if (!strcmp(*args, "-caname")) { 284 if (args[1]) { 285 args++; 286 if (!canames) 287 canames = sk_new_null(); 288 sk_push(canames, *args); 289 } else 290 badarg = 1; 291 } else if (!strcmp(*args, "-in")) { 292 if (args[1]) { 293 args++; 294 infile = *args; 295 } else 296 badarg = 1; 297 } else if (!strcmp(*args, "-out")) { 298 if (args[1]) { 299 args++; 300 outfile = *args; 301 } else 302 badarg = 1; 303 } else if (!strcmp(*args, "-passin")) { 304 if (args[1]) { 305 args++; 306 passargin = *args; 307 } else 308 badarg = 1; 309 } else if (!strcmp(*args, "-passout")) { 310 if (args[1]) { 311 args++; 312 passargout = *args; 313 } else 314 badarg = 1; 315 } else if (!strcmp(*args, "-password")) { 316 if (args[1]) { 317 args++; 318 passarg = *args; 319 noprompt = 1; 320 } else 321 badarg = 1; 322 } else if (!strcmp(*args, "-CApath")) { 323 if (args[1]) { 324 args++; 325 CApath = *args; 326 } else 327 badarg = 1; 328 } else if (!strcmp(*args, "-CAfile")) { 329 if (args[1]) { 330 args++; 331 CAfile = *args; 332 } else 333 badarg = 1; 334# ifndef OPENSSL_NO_ENGINE 335 } else if (!strcmp(*args, "-engine")) { 336 if (args[1]) { 337 args++; 338 engine = *args; 339 } else 340 badarg = 1; 341# endif 342 } else 343 badarg = 1; 344 345 } else 346 badarg = 1; 347 args++; 348 } 349 350 if (badarg) { 351 BIO_printf(bio_err, "Usage: pkcs12 [options]\n"); 352 BIO_printf(bio_err, "where options are\n"); 353 BIO_printf(bio_err, "-export output PKCS12 file\n"); 354 BIO_printf(bio_err, "-chain add certificate chain\n"); 355 BIO_printf(bio_err, "-inkey file private key if not infile\n"); 356 BIO_printf(bio_err, "-certfile f add all certs in f\n"); 357 BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n"); 358 BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n"); 359 BIO_printf(bio_err, "-name \"name\" use name as friendly name\n"); 360 BIO_printf(bio_err, 361 "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); 362 BIO_printf(bio_err, "-in infile input filename\n"); 363 BIO_printf(bio_err, "-out outfile output filename\n"); 364 BIO_printf(bio_err, 365 "-noout don't output anything, just verify.\n"); 366 BIO_printf(bio_err, "-nomacver don't verify MAC.\n"); 367 BIO_printf(bio_err, "-nocerts don't output certificates.\n"); 368 BIO_printf(bio_err, 369 "-clcerts only output client certificates.\n"); 370 BIO_printf(bio_err, "-cacerts only output CA certificates.\n"); 371 BIO_printf(bio_err, "-nokeys don't output private keys.\n"); 372 BIO_printf(bio_err, 373 "-info give info about PKCS#12 structure.\n"); 374 BIO_printf(bio_err, "-des encrypt private keys with DES\n"); 375 BIO_printf(bio_err, 376 "-des3 encrypt private keys with triple DES (default)\n"); 377# ifndef OPENSSL_NO_IDEA 378 BIO_printf(bio_err, "-idea encrypt private keys with idea\n"); 379# endif 380# ifndef OPENSSL_NO_SEED 381 BIO_printf(bio_err, "-seed encrypt private keys with seed\n"); 382# endif 383# ifndef OPENSSL_NO_AES 384 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); 385 BIO_printf(bio_err, 386 " encrypt PEM output with cbc aes\n"); 387# endif 388# ifndef OPENSSL_NO_CAMELLIA 389 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); 390 BIO_printf(bio_err, 391 " encrypt PEM output with cbc camellia\n"); 392# endif 393 BIO_printf(bio_err, "-nodes don't encrypt private keys\n"); 394 BIO_printf(bio_err, "-noiter don't use encryption iteration\n"); 395 BIO_printf(bio_err, "-maciter use MAC iteration\n"); 396 BIO_printf(bio_err, 397 "-twopass separate MAC, encryption passwords\n"); 398 BIO_printf(bio_err, 399 "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); 400 BIO_printf(bio_err, 401 "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); 402 BIO_printf(bio_err, 403 "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); 404 BIO_printf(bio_err, "-keyex set MS key exchange type\n"); 405 BIO_printf(bio_err, "-keysig set MS key signature type\n"); 406 BIO_printf(bio_err, 407 "-password p set import/export password source\n"); 408 BIO_printf(bio_err, "-passin p input file pass phrase source\n"); 409 BIO_printf(bio_err, "-passout p output file pass phrase source\n"); 410# ifndef OPENSSL_NO_ENGINE 411 BIO_printf(bio_err, 412 "-engine e use engine e, possibly a hardware device.\n"); 413# endif 414 BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, 415 LIST_SEPARATOR_CHAR); 416 BIO_printf(bio_err, 417 " load the file (or the files in the directory) into\n"); 418 BIO_printf(bio_err, " the random number generator\n"); 419 BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); 420 BIO_printf(bio_err, 421 "-LMK Add local machine keyset attribute to private key\n"); 422 goto end; 423 } 424# ifndef OPENSSL_NO_ENGINE 425 e = setup_engine(bio_err, engine, 0); 426# endif 427 428 if (passarg) { 429 if (export_cert) 430 passargout = passarg; 431 else 432 passargin = passarg; 433 } 434 435 if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { 436 BIO_printf(bio_err, "Error getting passwords\n"); 437 goto end; 438 } 439 440 if (!cpass) { 441 if (export_cert) 442 cpass = passout; 443 else 444 cpass = passin; 445 } 446 447 if (cpass) { 448 mpass = cpass; 449 noprompt = 1; 450 } else { 451 cpass = pass; 452 mpass = macpass; 453 } 454 455 if (export_cert || inrand) { 456 app_RAND_load_file(NULL, bio_err, (inrand != NULL)); 457 if (inrand != NULL) 458 BIO_printf(bio_err, "%ld semi-random bytes loaded\n", 459 app_RAND_load_files(inrand)); 460 } 461 ERR_load_crypto_strings(); 462 463# ifdef CRYPTO_MDEBUG 464 CRYPTO_push_info("read files"); 465# endif 466 467 if (!infile) 468 in = BIO_new_fp(stdin, BIO_NOCLOSE); 469 else 470 in = BIO_new_file(infile, "rb"); 471 if (!in) { 472 BIO_printf(bio_err, "Error opening input file %s\n", 473 infile ? infile : "<stdin>"); 474 perror(infile); 475 goto end; 476 } 477# ifdef CRYPTO_MDEBUG 478 CRYPTO_pop_info(); 479 CRYPTO_push_info("write files"); 480# endif 481 482 if (!outfile) { 483 out = BIO_new_fp(stdout, BIO_NOCLOSE); 484# ifdef OPENSSL_SYS_VMS 485 { 486 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 487 out = BIO_push(tmpbio, out); 488 } 489# endif 490 } else 491 out = BIO_new_file(outfile, "wb"); 492 if (!out) { 493 BIO_printf(bio_err, "Error opening output file %s\n", 494 outfile ? outfile : "<stdout>"); 495 perror(outfile); 496 goto end; 497 } 498 if (twopass) { 499# ifdef CRYPTO_MDEBUG 500 CRYPTO_push_info("read MAC password"); 501# endif 502 if (EVP_read_pw_string 503 (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { 504 BIO_printf(bio_err, "Can't read Password\n"); 505 goto end; 506 } 507# ifdef CRYPTO_MDEBUG 508 CRYPTO_pop_info(); 509# endif 510 } 511 512 if (export_cert) { 513 EVP_PKEY *key = NULL; 514 X509 *ucert = NULL, *x = NULL; 515 STACK_OF(X509) *certs = NULL; 516 unsigned char *catmp = NULL; 517 int i; 518 519 if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { 520 BIO_printf(bio_err, "Nothing to do!\n"); 521 goto export_end; 522 } 523 524 if (options & NOCERTS) 525 chain = 0; 526 527# ifdef CRYPTO_MDEBUG 528 CRYPTO_push_info("process -export_cert"); 529 CRYPTO_push_info("reading private key"); 530# endif 531 if (!(options & NOKEYS)) { 532 key = load_key(bio_err, keyname ? keyname : infile, 533 FORMAT_PEM, 1, passin, e, "private key"); 534 if (!key) 535 goto export_end; 536 } 537# ifdef CRYPTO_MDEBUG 538 CRYPTO_pop_info(); 539 CRYPTO_push_info("reading certs from input"); 540# endif 541 542 /* Load in all certs in input file */ 543 if (!(options & NOCERTS)) { 544 certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, 545 "certificates"); 546 if (!certs) 547 goto export_end; 548 549 if (key) { 550 /* Look for matching private key */ 551 for (i = 0; i < sk_X509_num(certs); i++) { 552 x = sk_X509_value(certs, i); 553 if (X509_check_private_key(x, key)) { 554 ucert = x; 555 /* Zero keyid and alias */ 556 X509_keyid_set1(ucert, NULL, 0); 557 X509_alias_set1(ucert, NULL, 0); 558 /* Remove from list */ 559 (void)sk_X509_delete(certs, i); 560 break; 561 } 562 } 563 if (!ucert) { 564 BIO_printf(bio_err, 565 "No certificate matches private key\n"); 566 goto export_end; 567 } 568 } 569 570 } 571# ifdef CRYPTO_MDEBUG 572 CRYPTO_pop_info(); 573 CRYPTO_push_info("reading certs from input 2"); 574# endif 575 576 /* Add any more certificates asked for */ 577 if (certfile) { 578 STACK_OF(X509) *morecerts = NULL; 579 if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, 580 NULL, e, 581 "certificates from certfile"))) 582 goto export_end; 583 while (sk_X509_num(morecerts) > 0) 584 sk_X509_push(certs, sk_X509_shift(morecerts)); 585 sk_X509_free(morecerts); 586 } 587# ifdef CRYPTO_MDEBUG 588 CRYPTO_pop_info(); 589 CRYPTO_push_info("reading certs from certfile"); 590# endif 591 592# ifdef CRYPTO_MDEBUG 593 CRYPTO_pop_info(); 594 CRYPTO_push_info("building chain"); 595# endif 596 597 /* If chaining get chain from user cert */ 598 if (chain) { 599 int vret; 600 STACK_OF(X509) *chain2; 601 X509_STORE *store = X509_STORE_new(); 602 if (!store) { 603 BIO_printf(bio_err, "Memory allocation error\n"); 604 goto export_end; 605 } 606 if (!X509_STORE_load_locations(store, CAfile, CApath)) 607 X509_STORE_set_default_paths(store); 608 609 vret = get_cert_chain(ucert, store, &chain2); 610 X509_STORE_free(store); 611 612 if (!vret) { 613 /* Exclude verified certificate */ 614 for (i = 1; i < sk_X509_num(chain2); i++) 615 sk_X509_push(certs, sk_X509_value(chain2, i)); 616 /* Free first certificate */ 617 X509_free(sk_X509_value(chain2, 0)); 618 sk_X509_free(chain2); 619 } else { 620 if (vret >= 0) 621 BIO_printf(bio_err, "Error %s getting chain.\n", 622 X509_verify_cert_error_string(vret)); 623 else 624 ERR_print_errors(bio_err); 625 goto export_end; 626 } 627 } 628 629 /* Add any CA names */ 630 631 for (i = 0; i < sk_num(canames); i++) { 632 catmp = (unsigned char *)sk_value(canames, i); 633 X509_alias_set1(sk_X509_value(certs, i), catmp, -1); 634 } 635 636 if (csp_name && key) 637 EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, 638 MBSTRING_ASC, (unsigned char *)csp_name, 639 -1); 640 641 if (add_lmk && key) 642 EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); 643 644# ifdef CRYPTO_MDEBUG 645 CRYPTO_pop_info(); 646 CRYPTO_push_info("reading password"); 647# endif 648 649 if (!noprompt && 650 EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 651 1)) { 652 BIO_printf(bio_err, "Can't read Password\n"); 653 goto export_end; 654 } 655 if (!twopass) 656 BUF_strlcpy(macpass, pass, sizeof macpass); 657 658# ifdef CRYPTO_MDEBUG 659 CRYPTO_pop_info(); 660 CRYPTO_push_info("creating PKCS#12 structure"); 661# endif 662 663 p12 = PKCS12_create(cpass, name, key, ucert, certs, 664 key_pbe, cert_pbe, iter, -1, keytype); 665 666 if (!p12) { 667 ERR_print_errors(bio_err); 668 goto export_end; 669 } 670 671 if (maciter != -1) 672 PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL); 673 674# ifdef CRYPTO_MDEBUG 675 CRYPTO_pop_info(); 676 CRYPTO_push_info("writing pkcs12"); 677# endif 678 679 i2d_PKCS12_bio(out, p12); 680 681 ret = 0; 682 683 export_end: 684# ifdef CRYPTO_MDEBUG 685 CRYPTO_pop_info(); 686 CRYPTO_pop_info(); 687 CRYPTO_push_info("process -export_cert: freeing"); 688# endif 689 690 if (key) 691 EVP_PKEY_free(key); 692 if (certs) 693 sk_X509_pop_free(certs, X509_free); 694 if (ucert) 695 X509_free(ucert); 696 697# ifdef CRYPTO_MDEBUG 698 CRYPTO_pop_info(); 699# endif 700 goto end; 701 702 } 703 704 if (!(p12 = d2i_PKCS12_bio(in, NULL))) { 705 ERR_print_errors(bio_err); 706 goto end; 707 } 708# ifdef CRYPTO_MDEBUG 709 CRYPTO_push_info("read import password"); 710# endif 711 if (!noprompt 712 && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 713 0)) { 714 BIO_printf(bio_err, "Can't read Password\n"); 715 goto end; 716 } 717# ifdef CRYPTO_MDEBUG 718 CRYPTO_pop_info(); 719# endif 720 721 if (!twopass) 722 BUF_strlcpy(macpass, pass, sizeof macpass); 723 724 if ((options & INFO) && p12->mac) 725 BIO_printf(bio_err, "MAC Iteration %ld\n", 726 p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1); 727 if (macver) { 728# ifdef CRYPTO_MDEBUG 729 CRYPTO_push_info("verify MAC"); 730# endif 731 /* If we enter empty password try no password first */ 732 if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { 733 /* If mac and crypto pass the same set it to NULL too */ 734 if (!twopass) 735 cpass = NULL; 736 } else if (!PKCS12_verify_mac(p12, mpass, -1)) { 737 BIO_printf(bio_err, "Mac verify error: invalid password?\n"); 738 ERR_print_errors(bio_err); 739 goto end; 740 } 741 BIO_printf(bio_err, "MAC verified OK\n"); 742# ifdef CRYPTO_MDEBUG 743 CRYPTO_pop_info(); 744# endif 745 } 746# ifdef CRYPTO_MDEBUG 747 CRYPTO_push_info("output keys and certificates"); 748# endif 749 if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) { 750 BIO_printf(bio_err, "Error outputting keys and certificates\n"); 751 ERR_print_errors(bio_err); 752 goto end; 753 } 754# ifdef CRYPTO_MDEBUG 755 CRYPTO_pop_info(); 756# endif 757 ret = 0; 758 end: 759 if (p12) 760 PKCS12_free(p12); 761 if (export_cert || inrand) 762 app_RAND_write_file(NULL, bio_err); 763# ifdef CRYPTO_MDEBUG 764 CRYPTO_remove_all_info(); 765# endif 766 BIO_free(in); 767 BIO_free_all(out); 768 if (canames) 769 sk_free(canames); 770 if (passin) 771 OPENSSL_free(passin); 772 if (passout) 773 OPENSSL_free(passout); 774 apps_shutdown(); 775 OPENSSL_EXIT(ret); 776} 777 778int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, 779 int passlen, int options, char *pempass) 780{ 781 STACK_OF(PKCS7) *asafes = NULL; 782 STACK_OF(PKCS12_SAFEBAG) *bags; 783 int i, bagnid; 784 int ret = 0; 785 PKCS7 *p7; 786 787 if (!(asafes = PKCS12_unpack_authsafes(p12))) 788 return 0; 789 for (i = 0; i < sk_PKCS7_num(asafes); i++) { 790 p7 = sk_PKCS7_value(asafes, i); 791 bagnid = OBJ_obj2nid(p7->type); 792 if (bagnid == NID_pkcs7_data) { 793 bags = PKCS12_unpack_p7data(p7); 794 if (options & INFO) 795 BIO_printf(bio_err, "PKCS7 Data\n"); 796 } else if (bagnid == NID_pkcs7_encrypted) { 797 if (options & INFO) { 798 BIO_printf(bio_err, "PKCS7 Encrypted data: "); 799 alg_print(bio_err, p7->d.encrypted->enc_data->algorithm); 800 } 801 bags = PKCS12_unpack_p7encdata(p7, pass, passlen); 802 } else 803 continue; 804 if (!bags) 805 goto err; 806 if (!dump_certs_pkeys_bags(out, bags, pass, passlen, 807 options, pempass)) { 808 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 809 goto err; 810 } 811 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); 812 bags = NULL; 813 } 814 ret = 1; 815 816 err: 817 818 if (asafes) 819 sk_PKCS7_pop_free(asafes, PKCS7_free); 820 return ret; 821} 822 823int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, 824 char *pass, int passlen, int options, char *pempass) 825{ 826 int i; 827 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { 828 if (!dump_certs_pkeys_bag(out, 829 sk_PKCS12_SAFEBAG_value(bags, i), 830 pass, passlen, options, pempass)) 831 return 0; 832 } 833 return 1; 834} 835 836int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, 837 int passlen, int options, char *pempass) 838{ 839 EVP_PKEY *pkey; 840 PKCS8_PRIV_KEY_INFO *p8; 841 X509 *x509; 842 843 switch (M_PKCS12_bag_type(bag)) { 844 case NID_keyBag: 845 if (options & INFO) 846 BIO_printf(bio_err, "Key bag\n"); 847 if (options & NOKEYS) 848 return 1; 849 print_attribs(out, bag->attrib, "Bag Attributes"); 850 p8 = bag->value.keybag; 851 if (!(pkey = EVP_PKCS82PKEY(p8))) 852 return 0; 853 print_attribs(out, p8->attributes, "Key Attributes"); 854 PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); 855 EVP_PKEY_free(pkey); 856 break; 857 858 case NID_pkcs8ShroudedKeyBag: 859 if (options & INFO) { 860 BIO_printf(bio_err, "Shrouded Keybag: "); 861 alg_print(bio_err, bag->value.shkeybag->algor); 862 } 863 if (options & NOKEYS) 864 return 1; 865 print_attribs(out, bag->attrib, "Bag Attributes"); 866 if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen))) 867 return 0; 868 if (!(pkey = EVP_PKCS82PKEY(p8))) { 869 PKCS8_PRIV_KEY_INFO_free(p8); 870 return 0; 871 } 872 print_attribs(out, p8->attributes, "Key Attributes"); 873 PKCS8_PRIV_KEY_INFO_free(p8); 874 PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); 875 EVP_PKEY_free(pkey); 876 break; 877 878 case NID_certBag: 879 if (options & INFO) 880 BIO_printf(bio_err, "Certificate bag\n"); 881 if (options & NOCERTS) 882 return 1; 883 if (PKCS12_get_attr(bag, NID_localKeyID)) { 884 if (options & CACERTS) 885 return 1; 886 } else if (options & CLCERTS) 887 return 1; 888 print_attribs(out, bag->attrib, "Bag Attributes"); 889 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate) 890 return 1; 891 if (!(x509 = PKCS12_certbag2x509(bag))) 892 return 0; 893 dump_cert_text(out, x509); 894 PEM_write_bio_X509(out, x509); 895 X509_free(x509); 896 break; 897 898 case NID_safeContentsBag: 899 if (options & INFO) 900 BIO_printf(bio_err, "Safe Contents bag\n"); 901 print_attribs(out, bag->attrib, "Bag Attributes"); 902 return dump_certs_pkeys_bags(out, bag->value.safes, pass, 903 passlen, options, pempass); 904 905 default: 906 BIO_printf(bio_err, "Warning unsupported bag type: "); 907 i2a_ASN1_OBJECT(bio_err, bag->type); 908 BIO_printf(bio_err, "\n"); 909 return 1; 910 break; 911 } 912 return 1; 913} 914 915/* Given a single certificate return a verified chain or NULL if error */ 916 917/* Hope this is OK .... */ 918 919int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) 920{ 921 X509_STORE_CTX store_ctx; 922 STACK_OF(X509) *chn; 923 int i = 0; 924 925 /* 926 * FIXME: Should really check the return status of X509_STORE_CTX_init 927 * for an error, but how that fits into the return value of this function 928 * is less obvious. 929 */ 930 X509_STORE_CTX_init(&store_ctx, store, cert, NULL); 931 if (X509_verify_cert(&store_ctx) <= 0) { 932 i = X509_STORE_CTX_get_error(&store_ctx); 933 if (i == 0) 934 /* 935 * avoid returning 0 if X509_verify_cert() did not set an 936 * appropriate error value in the context 937 */ 938 i = -1; 939 chn = NULL; 940 goto err; 941 } else 942 chn = X509_STORE_CTX_get1_chain(&store_ctx); 943 err: 944 X509_STORE_CTX_cleanup(&store_ctx); 945 *chain = chn; 946 947 return i; 948} 949 950int alg_print(BIO *x, X509_ALGOR *alg) 951{ 952 PBEPARAM *pbe; 953 const unsigned char *p; 954 p = alg->parameter->value.sequence->data; 955 pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); 956 if (!pbe) 957 return 1; 958 BIO_printf(bio_err, "%s, Iteration %ld\n", 959 OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), 960 ASN1_INTEGER_get(pbe->iter)); 961 PBEPARAM_free(pbe); 962 return 1; 963} 964 965/* Load all certificates from a given file */ 966 967int cert_load(BIO *in, STACK_OF(X509) *sk) 968{ 969 int ret; 970 X509 *cert; 971 ret = 0; 972# ifdef CRYPTO_MDEBUG 973 CRYPTO_push_info("cert_load(): reading one cert"); 974# endif 975 while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { 976# ifdef CRYPTO_MDEBUG 977 CRYPTO_pop_info(); 978# endif 979 ret = 1; 980 sk_X509_push(sk, cert); 981# ifdef CRYPTO_MDEBUG 982 CRYPTO_push_info("cert_load(): reading one cert"); 983# endif 984 } 985# ifdef CRYPTO_MDEBUG 986 CRYPTO_pop_info(); 987# endif 988 if (ret) 989 ERR_clear_error(); 990 return ret; 991} 992 993/* Generalised attribute print: handle PKCS#8 and bag attributes */ 994 995int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, 996 const char *name) 997{ 998 X509_ATTRIBUTE *attr; 999 ASN1_TYPE *av; 1000 char *value; 1001 int i, attr_nid; 1002 if (!attrlst) { 1003 BIO_printf(out, "%s: <No Attributes>\n", name); 1004 return 1; 1005 } 1006 if (!sk_X509_ATTRIBUTE_num(attrlst)) { 1007 BIO_printf(out, "%s: <Empty Attributes>\n", name); 1008 return 1; 1009 } 1010 BIO_printf(out, "%s\n", name); 1011 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) { 1012 attr = sk_X509_ATTRIBUTE_value(attrlst, i); 1013 attr_nid = OBJ_obj2nid(attr->object); 1014 BIO_printf(out, " "); 1015 if (attr_nid == NID_undef) { 1016 i2a_ASN1_OBJECT(out, attr->object); 1017 BIO_printf(out, ": "); 1018 } else 1019 BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid)); 1020 1021 if (sk_ASN1_TYPE_num(attr->value.set)) { 1022 av = sk_ASN1_TYPE_value(attr->value.set, 0); 1023 switch (av->type) { 1024 case V_ASN1_BMPSTRING: 1025 value = uni2asc(av->value.bmpstring->data, 1026 av->value.bmpstring->length); 1027 BIO_printf(out, "%s\n", value); 1028 OPENSSL_free(value); 1029 break; 1030 1031 case V_ASN1_OCTET_STRING: 1032 hex_prin(out, av->value.octet_string->data, 1033 av->value.octet_string->length); 1034 BIO_printf(out, "\n"); 1035 break; 1036 1037 case V_ASN1_BIT_STRING: 1038 hex_prin(out, av->value.bit_string->data, 1039 av->value.bit_string->length); 1040 BIO_printf(out, "\n"); 1041 break; 1042 1043 default: 1044 BIO_printf(out, "<Unsupported tag %d>\n", av->type); 1045 break; 1046 } 1047 } else 1048 BIO_printf(out, "<No Values>\n"); 1049 } 1050 return 1; 1051} 1052 1053void hex_prin(BIO *out, unsigned char *buf, int len) 1054{ 1055 int i; 1056 for (i = 0; i < len; i++) 1057 BIO_printf(out, "%02X ", buf[i]); 1058} 1059 1060#endif 1061