Fix crahses and leaks in pkcs12 utility -chain option

[openssl.git] / apps / pkcs12.c

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index f277956cd96423fedbf2935f090afad259519693..1697f6157ff5eb2245fb4fcfd6fd73d2eaaf7661 100644 (file)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -66,7 +66,6 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
-#include <openssl/engine.h>
 
 #define PROG pkcs12_main
 
@@ -96,7 +95,7 @@ int MAIN(int argc, char **argv)
     ENGINE *e = NULL;
     char *infile=NULL, *outfile=NULL, *keyname = NULL; 
     char *certfile=NULL;
-    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
+    BIO *in=NULL, *out = NULL;
     char **args;
     char *name = NULL;
     char *csp_name = NULL;
@@ -128,6 +127,9 @@ int MAIN(int argc, char **argv)
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 
+       if (!load_config(bio_err, NULL))
+               goto end;
+
     args = argv + 1;
 
 
@@ -152,6 +154,11 @@ int MAIN(int argc, char **argv)
                else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
 #endif
                else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
+#ifndef OPENSSL_NO_AES
+               else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
+               else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
+               else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
+#endif
                else if (!strcmp (*args, "-noiter")) iter = 1;
                else if (!strcmp (*args, "-maciter"))
                                         maciter = PKCS12_DEFAULT_ITER;
@@ -280,6 +287,10 @@ int MAIN(int argc, char **argv)
        BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");
 #ifndef OPENSSL_NO_IDEA
        BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");
+#endif
+#ifndef OPENSSL_NO_AES
+       BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
+       BIO_printf (bio_err, "              encrypt PEM output with cbc aes\n");
 #endif
        BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
        BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
@@ -300,19 +311,7 @@ int MAIN(int argc, char **argv)
        goto end;
     }
 
-    if (engine != NULL) {
-       if((e = ENGINE_by_id(engine)) == NULL) {
-           BIO_printf(bio_err,"invalid engine \"%s\"\n", engine);
-           goto end;
-       }
-       if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-           BIO_printf(bio_err,"can't use that engine\n");
-           goto end;
-       }
-       BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
-       /* Free our "structural" reference. */
-       ENGINE_free(e);
-    }
+    e = setup_engine(bio_err, engine, 0);
 
     if(passarg) {
        if(export_cert) passargout = passarg;
@@ -358,6 +357,7 @@ int MAIN(int argc, char **argv)
            goto end;
    }
 
+#if 0
    if (certfile) {
        if(!(certsin = BIO_new_file(certfile, "r"))) {
            BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
@@ -373,6 +373,7 @@ int MAIN(int argc, char **argv)
            goto end;
        }
      }
+#endif
 
 #ifdef CRYPTO_MDEBUG
     CRYPTO_pop_info();
@@ -426,12 +427,9 @@ int MAIN(int argc, char **argv)
        CRYPTO_push_info("process -export_cert");
        CRYPTO_push_info("reading private key");
 #endif
-       key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);
-       if (!inkey) (void) BIO_reset(in);
-       else BIO_free(inkey);
+       key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
+               passin, e, "private key");
        if (!key) {
-               BIO_printf (bio_err, "Error loading private key\n");
-               ERR_print_errors(bio_err);
                goto export_end;
        }
 
@@ -440,12 +438,9 @@ int MAIN(int argc, char **argv)
        CRYPTO_push_info("reading certs from input");
 #endif
 
-       certs = sk_X509_new_null();
-
        /* Load in all certs in input file */
-       if(!cert_load(in, certs)) {
-               BIO_printf(bio_err, "Error loading certificates from input\n");
-               ERR_print_errors(bio_err);
+       if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
+               "certificates"))) {
                goto export_end;
        }
 
@@ -475,13 +470,17 @@ int MAIN(int argc, char **argv)
        bags = sk_PKCS12_SAFEBAG_new_null ();
 
        /* Add any more certificates asked for */
-       if (certsin) {
-               if(!cert_load(certsin, certs)) {
-                       BIO_printf(bio_err, "Error loading certificates from certfile\n");
-                       ERR_print_errors(bio_err);
+       if (certfile) {
+               STACK_OF(X509) *morecerts=NULL;
+               if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
+                                           NULL, e,
+                                           "certificates from certfile"))) {
                        goto export_end;
                }
-               BIO_free(certsin);
+               while(sk_X509_num(morecerts) > 0) {
+                       sk_X509_push(certs, sk_X509_shift(morecerts));
+               }
+               sk_X509_free(morecerts);
        }
 
 #ifdef CRYPTO_MDEBUG
@@ -509,9 +508,10 @@ int MAIN(int argc, char **argv)
                    /* Exclude verified certificate */
                    for (i = 1; i < sk_X509_num (chain2) ; i++) 
                        sk_X509_push(certs, sk_X509_value (chain2, i));
-               }
-               sk_X509_free(chain2);
-               if (vret) {
+                   /* Free first certificate */
+                   X509_free(sk_X509_value(chain2, 0));
+                   sk_X509_free(chain2);
+               } else {
                        BIO_printf (bio_err, "Error %s getting chain.\n",
                                        X509_verify_cert_error_string(vret));
                        goto export_end;
@@ -538,8 +538,6 @@ int MAIN(int argc, char **argv)
        }
        sk_X509_pop_free(certs, X509_free);
        certs = NULL;
-       /* ucert is part of certs so it is already freed */
-       ucert = NULL;
 
 #ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
@@ -628,7 +626,6 @@ int MAIN(int argc, char **argv)
        if (certs) sk_X509_pop_free(certs, X509_free);
        if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
        if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-       if (ucert) X509_free(ucert);
 
 #ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
@@ -698,6 +695,7 @@ int MAIN(int argc, char **argv)
     if (canames) sk_free(canames);
     if(passin) OPENSSL_free(passin);
     if(passout) OPENSSL_free(passout);
+    apps_shutdown();
     EXIT(ret);
 }
 
@@ -779,7 +777,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
                print_attribs (out, bag->attrib, "Bag Attributes");
                if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
                                return 0;
-               if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+               if (!(pkey = EVP_PKCS82PKEY (p8))) {
+                       PKCS8_PRIV_KEY_INFO_free(p8);
+                       return 0;
+               }
                print_attribs (out, p8->attributes, "Key Attributes");
                PKCS8_PRIV_KEY_INFO_free(p8);
                PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
@@ -827,6 +828,9 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
        STACK_OF(X509) *chn;
        int i;
 
+       /* FIXME: Should really check the return status of X509_STORE_CTX_init
+        * for an error, but how that fits into the return value of this
+        * function is less obvious. */
        X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
        if (X509_verify_cert(&store_ctx) <= 0) {
                i = X509_STORE_CTX_get_error (&store_ctx);