static int get_cert_chain(X509 *cert, X509_STORE *store,
STACK_OF(X509) **chain);
-int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
- int options, char *pempass, const EVP_CIPHER *enc);
-int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
- char *pass, int passlen, int options, char *pempass,
- const EVP_CIPHER *enc);
-int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
- int passlen, int options, char *pempass,
- const EVP_CIPHER *enc);
-int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
+int dump_certs_keys_p12(BIO *out, const PKCS12 *p12,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc);
+int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc);
+int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags,
+ const char *pass, int passlen,
+ int options, char *pempass, const EVP_CIPHER *enc);
+int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
-static int alg_print(X509_ALGOR *alg);
+static int alg_print(const X509_ALGOR *alg);
int cert_load(BIO *in, STACK_OF(X509) *sk);
static int set_pbe(int *ppbe, const char *str);
{"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
{"rand", OPT_RAND, 's',
"Load the file(s) into the random number generator"},
- {"inkey", OPT_INKEY, '<', "Private key if not infile"},
+ {"inkey", OPT_INKEY, 's', "Private key if not infile"},
{"certfile", OPT_CERTFILE, '<', "Load certs from file"},
{"name", OPT_NAME, 's', "Use name as friendly name"},
{"CSP", OPT_CSP, 's', "Microsoft CSP name"},
{
char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL;
char *name = NULL, *csp_name = NULL;
- char pass[2048], macpass[2048];
+ char pass[2048] = "", macpass[2048] = "";
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
# ifndef OPENSSL_NO_RC2
int noprompt = 0;
char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL;
- char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL;
- char *prog;
+ char *cpass = NULL, *mpass = NULL, *badpass = NULL;
+ const char *CApath = NULL, *CAfile = NULL, *prog;
int noCApath = 0, noCAfile = 0;
ENGINE *e = NULL;
BIO *in = NULL, *out = NULL;
if (1) {
#ifndef OPENSSL_NO_UI
if (EVP_read_pw_string
- (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
+ (macpass, sizeof(macpass), "Enter MAC Password:", export_cert)) {
BIO_printf(bio_err, "Can't read Password\n");
goto end;
}
if (!noprompt) {
if (1) {
#ifndef OPENSSL_NO_UI
- if (EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
+ if (EVP_read_pw_string(pass, sizeof(pass), "Enter Export Password:",
1)) {
BIO_printf(bio_err, "Can't read Password\n");
goto export_end;
}
if (!twopass)
- OPENSSL_strlcpy(macpass, pass, sizeof macpass);
+ OPENSSL_strlcpy(macpass, pass, sizeof(macpass));
p12 = PKCS12_create(cpass, name, key, ucert, certs,
key_pbe, cert_pbe, iter, -1, keytype);
if (!noprompt) {
if (1) {
#ifndef OPENSSL_NO_UI
- if (EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
+ if (EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:",
0)) {
BIO_printf(bio_err, "Can't read Password\n");
goto end;
}
if (!twopass)
- OPENSSL_strlcpy(macpass, pass, sizeof macpass);
+ OPENSSL_strlcpy(macpass, pass, sizeof(macpass));
if ((options & INFO) && PKCS12_mac_present(p12)) {
- ASN1_INTEGER *tmaciter;
- X509_ALGOR *macalgid;
- ASN1_OBJECT *macobj;
+ const ASN1_INTEGER *tmaciter;
+ const X509_ALGOR *macalgid;
+ const ASN1_OBJECT *macobj;
PKCS12_get0_mac(NULL, &macalgid, NULL, &tmaciter, p12);
X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
BIO_puts(bio_err, "MAC:");
if (!twopass)
cpass = NULL;
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
- BIO_printf(bio_err, "Mac verify error: invalid password?\n");
- ERR_print_errors(bio_err);
- goto end;
+ /*
+ * May be UTF8 from previous version of OpenSSL:
+ * convert to a UTF8 form which will translate
+ * to the same Unicode password.
+ */
+ unsigned char *utmp;
+ int utmplen;
+ utmp = OPENSSL_asc2uni(mpass, -1, NULL, &utmplen);
+ if (utmp == NULL)
+ goto end;
+ badpass = OPENSSL_uni2utf8(utmp, utmplen);
+ OPENSSL_free(utmp);
+ if (!PKCS12_verify_mac(p12, badpass, -1)) {
+ BIO_printf(bio_err, "Mac verify error: invalid password?\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ } else {
+ BIO_printf(bio_err, "Warning: using broken algorithm\n");
+ if (!twopass)
+ cpass = badpass;
+ }
}
}
PKCS12_free(p12);
if (export_cert || inrand)
app_RAND_write_file(NULL);
+ release_engine(e);
BIO_free(in);
BIO_free_all(out);
sk_OPENSSL_STRING_free(canames);
+ OPENSSL_free(badpass);
OPENSSL_free(passin);
OPENSSL_free(passout);
return (ret);
}
-int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass,
+int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
int passlen, int options, char *pempass,
const EVP_CIPHER *enc)
{
return ret;
}
-int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
- char *pass, int passlen, int options, char *pempass,
- const EVP_CIPHER *enc)
+int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc)
{
int i;
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
return 1;
}
-int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
- int passlen, int options, char *pempass,
- const EVP_CIPHER *enc)
+int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc)
{
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
+ const PKCS8_PRIV_KEY_INFO *p8c;
X509 *x509;
- STACK_OF(X509_ATTRIBUTE) *attrs;
+ const STACK_OF(X509_ATTRIBUTE) *attrs;
int ret = 0;
attrs = PKCS12_SAFEBAG_get0_attrs(bag);
if (options & NOKEYS)
return 1;
print_attribs(out, attrs, "Bag Attributes");
- p8 = PKCS12_SAFEBAG_get0_p8inf(bag);
- if ((pkey = EVP_PKCS82PKEY(p8)) == NULL)
+ p8c = PKCS12_SAFEBAG_get0_p8inf(bag);
+ if ((pkey = EVP_PKCS82PKEY(p8c)) == NULL)
return 0;
- print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes");
+ print_attribs(out, PKCS8_pkey_get0_attrs(p8c), "Key Attributes");
ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
case NID_pkcs8ShroudedKeyBag:
if (options & INFO) {
- X509_SIG *tp8;
- X509_ALGOR *tp8alg;
+ const X509_SIG *tp8;
+ const X509_ALGOR *tp8alg;
BIO_printf(bio_err, "Shrouded Keybag: ");
tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
- X509_SIG_get0(&tp8alg, NULL, tp8);
+ X509_SIG_get0(tp8, &tp8alg, NULL);
alg_print(tp8alg);
}
if (options & NOKEYS)
return i;
}
-static int alg_print(X509_ALGOR *alg)
+static int alg_print(const X509_ALGOR *alg)
{
int pbenid, aparamtype;
- ASN1_OBJECT *aoid;
- void *aparam;
+ const ASN1_OBJECT *aoid;
+ const void *aparam;
PBEPARAM *pbe = NULL;
X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
/* Generalised attribute print: handle PKCS#8 and bag attributes */
-int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
+int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name)
{
X509_ATTRIBUTE *attr;
projects / openssl.git / blobdiff