#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
#ifndef NO_DES
#include <openssl/des.h>
#endif
#define MIN_LENGTH 4
-static int def_callback(char *buf, int num, int w);
+static int def_callback(char *buf, int num, int w, void *userdata);
static int load_iv(unsigned char **fromp,unsigned char *to, int num);
-static int def_callback(char *buf, int num, int w)
+static int check_pem(const char *nm, const char *name);
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
+ int nid, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u);
+static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
+ int nid, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u);
+
+static int def_callback(char *buf, int num, int w, void *key)
{
#ifdef NO_FP_API
/* We should not ever call the default callback routine from
#else
int i,j;
const char *prompt;
+ if(key) {
+ i=strlen(key);
+ i=(i > num)?num:i;
+ memcpy(buf,key,i);
+ return(i);
+ }
prompt=EVP_get_pw_prompt();
if (prompt == NULL)
#ifndef NO_FP_API
char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x,
- pem_password_cb *cb)
+ pem_password_cb *cb, void *u)
{
BIO *b;
char *ret;
return(0);
}
BIO_set_fp(b,fp,BIO_NOCLOSE);
- ret=PEM_ASN1_read_bio(d2i,name,b,x,cb);
+ ret=PEM_ASN1_read_bio(d2i,name,b,x,cb,u);
BIO_free(b);
return(ret);
}
#endif
+static int check_pem(const char *nm, const char *name)
+{
+ /* Normal matching nm and name */
+ if (!strcmp(nm,name)) return 1;
+
+ /* Make PEM_STRING_EVP_PKEY match any private key */
+
+ if(!strcmp(nm,PEM_STRING_PKCS8) &&
+ !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+ if(!strcmp(nm,PEM_STRING_PKCS8INF) &&
+ !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+ if(!strcmp(nm,PEM_STRING_RSA) &&
+ !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+ if(!strcmp(nm,PEM_STRING_DSA) &&
+ !strcmp(name,PEM_STRING_EVP_PKEY)) return 1;
+
+ /* Permit older strings */
+
+ if(!strcmp(nm,PEM_STRING_X509_OLD) &&
+ !strcmp(name,PEM_STRING_X509)) return 1;
+
+ if(!strcmp(nm,PEM_STRING_X509_REQ_OLD) &&
+ !strcmp(name,PEM_STRING_X509_REQ)) return 1;
+
+ /* Allow normal certs to be read as trusted certs */
+ if(!strcmp(nm,PEM_STRING_X509) &&
+ !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
+
+ if(!strcmp(nm,PEM_STRING_X509_OLD) &&
+ !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1;
+
+ /* Some CAs use PKCS#7 with CERTIFICATE headers */
+ if(!strcmp(nm, PEM_STRING_X509) &&
+ !strcmp(name, PEM_STRING_PKCS7)) return 1;
+
+ return 0;
+}
+
char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
- pem_password_cb *cb)
+ pem_password_cb *cb, void *u)
{
EVP_CIPHER_INFO cipher;
char *nm=NULL,*header=NULL;
for (;;)
{
- if (!PEM_read_bio(bp,&nm,&header,&data,&len)) return(NULL);
- if ( (strcmp(nm,name) == 0) ||
- ((strcmp(nm,PEM_STRING_RSA) == 0) &&
- (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) ||
- ((strcmp(nm,PEM_STRING_DSA) == 0) &&
- (strcmp(name,PEM_STRING_EVP_PKEY) == 0)) ||
- ((strcmp(nm,PEM_STRING_X509_OLD) == 0) &&
- (strcmp(name,PEM_STRING_X509) == 0)) ||
- ((strcmp(nm,PEM_STRING_X509_REQ_OLD) == 0) &&
- (strcmp(name,PEM_STRING_X509_REQ) == 0))
- )
- break;
+ if (!PEM_read_bio(bp,&nm,&header,&data,&len)) {
+ if(ERR_GET_REASON(ERR_peek_error()) ==
+ PEM_R_NO_START_LINE)
+ ERR_add_error_data(2, "Expecting: ", name);
+ return(NULL);
+ }
+ if(check_pem(nm, name)) break;
Free(nm);
Free(header);
Free(data);
}
if (!PEM_get_EVP_CIPHER_INFO(header,&cipher)) goto err;
- if (!PEM_do_header(&cipher,data,&len,cb)) goto err;
+ if (!PEM_do_header(&cipher,data,&len,cb,u)) goto err;
p=data;
- if (strcmp(name,PEM_STRING_EVP_PKEY) == 0)
- {
+ if (strcmp(name,PEM_STRING_EVP_PKEY) == 0) {
if (strcmp(nm,PEM_STRING_RSA) == 0)
ret=d2i(EVP_PKEY_RSA,x,&p,len);
else if (strcmp(nm,PEM_STRING_DSA) == 0)
ret=d2i(EVP_PKEY_DSA,x,&p,len);
+ else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
+ PKCS8_PRIV_KEY_INFO *p8inf;
+ p8inf=d2i_PKCS8_PRIV_KEY_INFO(
+ (PKCS8_PRIV_KEY_INFO **) x, &p, len);
+ ret = (char *)EVP_PKCS82PKEY(p8inf);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
+ PKCS8_PRIV_KEY_INFO *p8inf;
+ X509_SIG *p8;
+ int klen;
+ char psbuf[PEM_BUFSIZE];
+ p8 = d2i_X509_SIG(NULL, &p, len);
+ if(!p8) goto p8err;
+ if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+ else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
+ if (klen <= 0) {
+ PEMerr(PEM_F_PEM_ASN1_READ_BIO,
+ PEM_R_BAD_PASSWORD_READ);
+ goto err;
+ }
+ p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
+ X509_SIG_free(p8);
+ if(!p8inf) goto p8err;
+ ret = (char *)EVP_PKCS82PKEY(p8inf);
+ if(x) {
+ if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+ *x = ret;
+ }
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
}
- else
- ret=d2i(x,&p,len);
+ } else ret=d2i(x,&p,len);
+p8err:
if (ret == NULL)
PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
err:
#ifndef NO_FP_API
int PEM_ASN1_write(int (*i2d)(), const char *name, FILE *fp, char *x,
const EVP_CIPHER *enc, unsigned char *kstr, int klen,
- pem_password_cb *callback)
+ pem_password_cb *callback, void *u)
{
BIO *b;
int ret;
return(0);
}
BIO_set_fp(b,fp,BIO_NOCLOSE);
- ret=PEM_ASN1_write_bio(i2d,name,b,x,enc,kstr,klen,callback);
+ ret=PEM_ASN1_write_bio(i2d,name,b,x,enc,kstr,klen,callback,u);
BIO_free(b);
return(ret);
}
int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
const EVP_CIPHER *enc, unsigned char *kstr, int klen,
- pem_password_cb *callback)
+ pem_password_cb *callback, void *u)
{
EVP_CIPHER_CTX ctx;
int dsize=0,i,j,ret=0;
unsigned char *p,*data=NULL;
const char *objstr=NULL;
-#define PEM_BUFSIZE 1024
char buf[PEM_BUFSIZE];
unsigned char key[EVP_MAX_KEY_LENGTH];
unsigned char iv[EVP_MAX_IV_LENGTH];
if (kstr == NULL)
{
if (callback == NULL)
- klen=def_callback(buf,PEM_BUFSIZE,1);
+ klen=def_callback(buf,PEM_BUFSIZE,1,u);
else
- klen=(*callback)(buf,PEM_BUFSIZE,1);
+ klen=(*callback)(buf,PEM_BUFSIZE,1,u);
if (klen <= 0)
{
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_READ_KEY);
#endif
kstr=(unsigned char *)buf;
}
- RAND_seed(data,i);/* put in the RSA key. */
- RAND_bytes(iv,8); /* Generate a salt */
+ RAND_add(data,i,0);/* put in the RSA key. */
+ if (RAND_bytes(iv,8) <= 0) /* Generate a salt */
+ goto err;
/* The 'iv' is used as the iv and as a salt. It is
* NOT taken from the BytesToKey function */
EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
}
int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
- pem_password_cb *callback)
+ pem_password_cb *callback,void *u)
{
int i,j,o,klen;
long len;
if (cipher->cipher == NULL) return(1);
if (callback == NULL)
- klen=def_callback(buf,PEM_BUFSIZE,0);
+ klen=def_callback(buf,PEM_BUFSIZE,0,u);
else
- klen=callback(buf,PEM_BUFSIZE,0);
+ klen=callback(buf,PEM_BUFSIZE,0,u);
if (klen <= 0)
{
PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_PASSWORD_READ);
BUF_MEM_free(dataB);
return(0);
}
+
+/* These functions write a private key in PKCS#8 format: it is a "drop in"
+ * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+ * is NULL then it uses the unencrypted private key form. The 'nid' versions
+ * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
+ */
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ X509_SIG *p8;
+ PKCS8_PRIV_KEY_INFO *p8inf;
+ char buf[PEM_BUFSIZE];
+ int ret;
+ if(!(p8inf = EVP_PKEY2PKCS8(x))) {
+ PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+ PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+ return 0;
+ }
+ if(enc || (nid != -1)) {
+ if(!kstr) {
+ if(!cb) klen = def_callback(buf, PEM_BUFSIZE, 1, u);
+ else klen = cb(buf, PEM_BUFSIZE, 1, u);
+ if(klen <= 0) {
+ PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+ PEM_R_READ_KEY);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ return 0;
+ }
+
+ kstr = buf;
+ }
+ p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
+ if(kstr == buf) memset(buf, 0, klen);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ if(isder) ret = i2d_PKCS8_bio(bp, p8);
+ else ret = PEM_write_bio_PKCS8(bp, p8);
+ X509_SIG_free(p8);
+ return ret;
+ } else {
+ if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+ else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ return ret;
+ }
+}
+
+/* Finally the DER version to read PKCS#8 encrypted private keys. It has to be
+ * here to access the default callback.
+ */
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+ PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+ X509_SIG *p8 = NULL;
+ int klen;
+ EVP_PKEY *ret;
+ char psbuf[PEM_BUFSIZE];
+ p8 = d2i_PKCS8_bio(bp, NULL);
+ if(!p8) return NULL;
+ if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+ else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
+ if (klen <= 0) {
+ PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
+ X509_SIG_free(p8);
+ return NULL;
+ }
+ p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
+ X509_SIG_free(p8);
+ if(!p8inf) return NULL;
+ ret = EVP_PKCS82PKEY(p8inf);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ if(!ret) return NULL;
+ if(x) {
+ if(*x) EVP_PKEY_free(*x);
+ *x = ret;
+ }
+ return ret;
+}
+
+#ifndef NO_FP_API
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ char *kstr, int klen, pem_password_cb *cb, void *u)
+{
+ return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+ char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ BIO *bp;
+ int ret;
+ if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+ PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
+ return(0);
+ }
+ ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
+ BIO_free(bp);
+ return ret;
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+ BIO *bp;
+ EVP_PKEY *ret;
+ if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+ PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
+ return NULL;
+ }
+ ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
+ BIO_free(bp);
+ return ret;
+}
+
+#endif
projects / openssl.git / blobdiff