X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fpkcs12.c;h=c2448a74f56e2092eb73405c0e881ae1ef9684ed;hb=4b1fe471ac99b9f8692be85dcbcbf6977eb35c78;hp=9449679cea6495e3cbc390749b78e970f4e18e38;hpb=48feaceb53fa6ae924e298b8eba0e247019313e4;p=openssl.git diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 9449679cea..c2448a74f5 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -1,7 +1,7 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -16,6 +16,7 @@ NON_EMPTY_TRANSLATION_UNIT # include # include # include "apps.h" +# include "progs.h" # include # include # include @@ -27,6 +28,8 @@ NON_EMPTY_TRANSLATION_UNIT # define CLCERTS 0x8 # define CACERTS 0x10 +#define PASSWD_BUF_SIZE 2048 + static int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, @@ -38,6 +41,7 @@ int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags, int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags, const char *pass, int passlen, int options, char *pempass, const EVP_CIPHER *enc); +void print_attribute(BIO *out, const ASN1_TYPE *av); int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, const char *name); void hex_prin(BIO *out, unsigned char *buf, int len); @@ -49,26 +53,65 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, - OPT_DESCERT, OPT_EXPORT, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, + OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, - OPT_RAND, OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, + OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, - OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_ENGINE + OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkcs12_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, - {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"}, - {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + + OPT_SECTION("CA"), + {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, + {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"no-CAstore", OPT_NOCASTORE, '-', + "Do not load certificates from the default certificates store"}, + + OPT_SECTION("Input"), + {"inkey", OPT_INKEY, 's', "Private key if not infile"}, + {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, + {"name", OPT_NAME, 's', "Use name as friendly name"}, + {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, + {"caname", OPT_CANAME, 's', + "Use name as CA friendly name (can be repeated)"}, + {"in", OPT_IN, '<', "Input filename"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + + OPT_SECTION("Output"), + {"export", OPT_EXPORT, '-', "Output PKCS12 file"}, + {"LMK", OPT_LMK, '-', + "Add local machine keyset attribute to private key"}, + {"macalg", OPT_MACALG, 's', + "Digest algorithm used in MAC (default SHA1)"}, + {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, + {"out", OPT_OUT, '>', "Output filename"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"password", OPT_PASSWORD, 's', "Set import/export password source"}, {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"}, {"cacerts", OPT_CACERTS, '-', "Only output CA certificates"}, {"noout", OPT_NOOUT, '-', "Don't output anything, just verify"}, - {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, {"chain", OPT_CHAIN, '-', "Add certificate chain"}, {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"}, {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"}, + {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, + {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, + {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"}, + {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"}, + + OPT_SECTION("Encryption"), # ifndef OPENSSL_NO_RC2 {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (default RC2-40)"}, @@ -78,40 +121,16 @@ const OPTIONS pkcs12_options[] = { {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, # endif - {"export", OPT_EXPORT, '-', "Output PKCS12 file"}, - {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, - {"maciter", OPT_MACITER, '-', "Use MAC iteration"}, + {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"}, + {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"}, + {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"}, {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, - {"LMK", OPT_LMK, '-', - "Add local machine keyset attribute to private key"}, {"nodes", OPT_NODES, '-', "Don't encrypt private keys"}, - {"macalg", OPT_MACALG, 's', - "Digest algorithm used in MAC (default SHA1)"}, - {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, - {"rand", OPT_RAND, 's', - "Load the file(s) into the random number generator"}, - {"inkey", OPT_INKEY, 's', "Private key if not infile"}, - {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, - {"name", OPT_NAME, 's', "Use name as friendly name"}, - {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, - {"caname", OPT_CANAME, 's', - "Use name as CA friendly name (can be repeated)"}, - {"in", OPT_IN, '<', "Input filename"}, - {"out", OPT_OUT, '>', "Output filename"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"password", OPT_PASSWORD, 's', "Set import/export password source"}, - {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, - {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, - {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, - {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif + + OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -119,7 +138,7 @@ int pkcs12_main(int argc, char **argv) { char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; char *name = NULL, *csp_name = NULL; - char pass[2048] = "", macpass[2048] = ""; + char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; # ifndef OPENSSL_NO_RC2 @@ -131,10 +150,10 @@ int pkcs12_main(int argc, char **argv) int ret = 1, macver = 1, add_lmk = 0, private = 0; int noprompt = 0; char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; - char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL; + char *passin = NULL, *passout = NULL, *macalg = NULL; char *cpass = NULL, *mpass = NULL, *badpass = NULL; - const char *CApath = NULL, *CAfile = NULL, *prog; - int noCApath = 0, noCAfile = 0; + const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL, *prog; + int noCApath = 0, noCAfile = 0, noCAstore = 0; ENGINE *e = NULL; BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; @@ -197,11 +216,16 @@ int pkcs12_main(int argc, char **argv) if (!opt_cipher(opt_unknown(), &enc)) goto opthelp; break; + case OPT_ITER: + if (!opt_int(opt_arg(), &iter)) + goto opthelp; + maciter = iter; + break; case OPT_NOITER: iter = 1; break; case OPT_MACITER: - maciter = PKCS12_DEFAULT_ITER; + /* no-op */ break; case OPT_NOMACITER: maciter = 1; @@ -223,8 +247,9 @@ int pkcs12_main(int argc, char **argv) if (!set_pbe(&key_pbe, opt_arg())) goto opthelp; break; - case OPT_RAND: - inrand = opt_arg(); + case OPT_R_CASES: + if (!opt_rand(o)) + goto end; break; case OPT_INKEY: keyname = opt_arg(); @@ -265,18 +290,28 @@ int pkcs12_main(int argc, char **argv) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_CASTORE: + CAstore = opt_arg(); + break; case OPT_CAFILE: CAfile = opt_arg(); break; case OPT_NOCAPATH: noCApath = 1; break; + case OPT_NOCASTORE: + noCAstore = 1; + break; case OPT_NOCAFILE: noCAfile = 1; break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); @@ -307,24 +342,24 @@ int pkcs12_main(int argc, char **argv) if (cpass != NULL) { mpass = cpass; noprompt = 1; + if (twopass) { + if (export_cert) + BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n"); + else + BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n"); + goto end; + } } else { cpass = pass; mpass = macpass; } - if (export_cert || inrand != NULL) { - app_RAND_load_file(NULL, (inrand != NULL)); - if (inrand != NULL) - BIO_printf(bio_err, "%ld semi-random bytes loaded\n", - app_RAND_load_files(inrand)); - } - if (twopass) { /* To avoid bit rot */ if (1) { #ifndef OPENSSL_NO_UI_CONSOLE - if (EVP_read_pw_string - (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { + if (EVP_read_pw_string( + macpass, sizeof(macpass), "Enter MAC Password:", export_cert)) { BIO_printf(bio_err, "Can't read Password\n"); goto end; } @@ -399,7 +434,8 @@ int pkcs12_main(int argc, char **argv) int vret; STACK_OF(X509) *chain2; X509_STORE *store; - if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) + if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath, + CAstore, noCAstore)) == NULL) goto export_end; @@ -442,8 +478,8 @@ int pkcs12_main(int argc, char **argv) /* To avoid bit rot */ if (1) { #ifndef OPENSSL_NO_UI_CONSOLE - if (EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", - 1)) { + if (EVP_read_pw_string(pass, sizeof(pass), + "Enter Export Password:", 1)) { BIO_printf(bio_err, "Can't read Password\n"); goto export_end; } @@ -455,12 +491,12 @@ int pkcs12_main(int argc, char **argv) } if (!twopass) - OPENSSL_strlcpy(macpass, pass, sizeof macpass); + OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); p12 = PKCS12_create(cpass, name, key, ucert, certs, key_pbe, cert_pbe, iter, -1, keytype); - if (!p12) { + if (p12 == NULL) { ERR_print_errors(bio_err); goto export_end; } @@ -508,7 +544,7 @@ int pkcs12_main(int argc, char **argv) if (!noprompt) { if (1) { #ifndef OPENSSL_NO_UI_CONSOLE - if (EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", + if (EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:", 0)) { BIO_printf(bio_err, "Can't read Password\n"); goto end; @@ -521,18 +557,26 @@ int pkcs12_main(int argc, char **argv) } if (!twopass) - OPENSSL_strlcpy(macpass, pass, sizeof macpass); + OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); if ((options & INFO) && PKCS12_mac_present(p12)) { const ASN1_INTEGER *tmaciter; const X509_ALGOR *macalgid; const ASN1_OBJECT *macobj; - PKCS12_get0_mac(NULL, &macalgid, NULL, &tmaciter, p12); + const ASN1_OCTET_STRING *tmac; + const ASN1_OCTET_STRING *tsalt; + + PKCS12_get0_mac(&tmac, &macalgid, &tsalt, &tmaciter, p12); + /* current hash algorithms do not use parameters so extract just name, + in future alg_print() may be needed */ X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); - BIO_puts(bio_err, "MAC:"); + BIO_puts(bio_err, "MAC: "); i2a_ASN1_OBJECT(bio_err, macobj); - BIO_printf(bio_err, " Iteration %ld\n", - tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L); + BIO_printf(bio_err, ", Iteration %ld\n", + tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L); + BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n", + tmac != NULL ? ASN1_STRING_length(tmac) : 0L, + tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L); } if (macver) { /* If we enter empty password try no password first */ @@ -574,8 +618,6 @@ int pkcs12_main(int argc, char **argv) ret = 0; end: PKCS12_free(p12); - if (export_cert || inrand) - app_RAND_write_file(NULL); release_engine(e); BIO_free(in); BIO_free_all(out); @@ -583,7 +625,7 @@ int pkcs12_main(int argc, char **argv) OPENSSL_free(badpass); OPENSSL_free(passin); OPENSSL_free(passout); - return (ret); + return ret; } int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass, @@ -788,7 +830,7 @@ static int alg_print(const X509_ALGOR *alg) if (aparamtype == V_ASN1_SEQUENCE) pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM)); if (pbe2 == NULL) { - BIO_puts(bio_err, ""); + BIO_puts(bio_err, ", "); goto done; } X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc); @@ -804,7 +846,7 @@ static int alg_print(const X509_ALGOR *alg) if (aparamtype == V_ASN1_SEQUENCE) kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM)); if (kdf == NULL) { - BIO_puts(bio_err, ""); + BIO_puts(bio_err, ", "); goto done; } @@ -817,13 +859,31 @@ static int alg_print(const X509_ALGOR *alg) BIO_printf(bio_err, ", Iteration %ld, PRF %s", ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid)); PBKDF2PARAM_free(kdf); +#ifndef OPENSSL_NO_SCRYPT + } else if (pbenid == NID_id_scrypt) { + SCRYPT_PARAMS *kdf = NULL; + + if (aparamtype == V_ASN1_SEQUENCE) + kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(SCRYPT_PARAMS)); + if (kdf == NULL) { + BIO_puts(bio_err, ", "); + goto done; + } + BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, " + "Block size(r): %ld, Parallelism(p): %ld", + ASN1_STRING_length(kdf->salt), + ASN1_INTEGER_get(kdf->costParameter), + ASN1_INTEGER_get(kdf->blockSize), + ASN1_INTEGER_get(kdf->parallelizationParameter)); + SCRYPT_PARAMS_free(kdf); +#endif } PBE2PARAM_free(pbe2); } else { if (aparamtype == V_ASN1_SEQUENCE) pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM)); if (pbe == NULL) { - BIO_puts(bio_err, ""); + BIO_puts(bio_err, ", "); goto done; } BIO_printf(bio_err, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter)); @@ -838,18 +898,51 @@ static int alg_print(const X509_ALGOR *alg) int cert_load(BIO *in, STACK_OF(X509) *sk) { - int ret; + int ret = 0; X509 *cert; - ret = 0; + while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { ret = 1; - sk_X509_push(sk, cert); + if (!sk_X509_push(sk, cert)) + return 0; } if (ret) ERR_clear_error(); return ret; } +/* Generalised x509 attribute value print */ + +void print_attribute(BIO *out, const ASN1_TYPE *av) +{ + char *value; + + switch (av->type) { + case V_ASN1_BMPSTRING: + value = OPENSSL_uni2asc(av->value.bmpstring->data, + av->value.bmpstring->length); + BIO_printf(out, "%s\n", value); + OPENSSL_free(value); + break; + + case V_ASN1_OCTET_STRING: + hex_prin(out, av->value.octet_string->data, + av->value.octet_string->length); + BIO_printf(out, "\n"); + break; + + case V_ASN1_BIT_STRING: + hex_prin(out, av->value.bit_string->data, + av->value.bit_string->length); + BIO_printf(out, "\n"); + break; + + default: + BIO_printf(out, "\n", av->type); + break; + } +} + /* Generalised attribute print: handle PKCS#8 and bag attributes */ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, @@ -857,8 +950,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, { X509_ATTRIBUTE *attr; ASN1_TYPE *av; - char *value; - int i, attr_nid; + int i, j, attr_nid; if (!attrlst) { BIO_printf(out, "%s: \n", name); return 1; @@ -882,30 +974,10 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, } if (X509_ATTRIBUTE_count(attr)) { - av = X509_ATTRIBUTE_get0_type(attr, 0); - switch (av->type) { - case V_ASN1_BMPSTRING: - value = OPENSSL_uni2asc(av->value.bmpstring->data, - av->value.bmpstring->length); - BIO_printf(out, "%s\n", value); - OPENSSL_free(value); - break; - - case V_ASN1_OCTET_STRING: - hex_prin(out, av->value.octet_string->data, - av->value.octet_string->length); - BIO_printf(out, "\n"); - break; - - case V_ASN1_BIT_STRING: - hex_prin(out, av->value.bit_string->data, - av->value.bit_string->length); - BIO_printf(out, "\n"); - break; - - default: - BIO_printf(out, "\n", av->type); - break; + for (j = 0; j < X509_ATTRIBUTE_count(attr); j++) + { + av = X509_ATTRIBUTE_get0_type(attr, j); + print_attribute(out, av); } } else { BIO_printf(out, "\n");