X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fpkcs12.c;h=a45b2da72f101764a5ebd3f9efa1f8f02786f67f;hp=a54555b46778df6414914445d762d627d5a4c674;hb=e41c8d6ad4d1ffab51865d8cf90baff108bbe4a1;hpb=667ac4ec6a9afb23a07dc7c695dbc5be0f2c83cd diff --git a/apps/pkcs12.c b/apps/pkcs12.c index a54555b467..a45b2da72f 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -80,7 +80,8 @@ EVP_CIPHER *enc; int get_cert_chain(X509 *cert, STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); -int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass); +int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass, + int passlen, int options, char *pempass); int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass); int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name); void hex_prin(BIO *out, unsigned char *buf, int len); @@ -113,7 +114,9 @@ int MAIN(int argc, char **argv) int noprompt = 0; STACK *canames = NULL; char *cpass = NULL, *mpass = NULL; + char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; + char *inrand = NULL; apps_startup(); @@ -170,6 +173,11 @@ int MAIN(int argc, char **argv) badarg = 1; } } else badarg = 1; + } else if (!strcmp (*args, "-rand")) { + if (args[1]) { + args++; + inrand = *args; + } else badarg = 1; } else if (!strcmp (*args, "-inkey")) { if (args[1]) { args++; @@ -204,46 +212,17 @@ int MAIN(int argc, char **argv) } else if (!strcmp(*args,"-passin")) { if (args[1]) { args++; - passin = *args; - } else badarg = 1; - } else if (!strcmp(*args,"-envpassin")) { - if (args[1]) { - args++; - if(!(passin= getenv(*args))) { - BIO_printf(bio_err, - "Can't read environment variable %s\n", - *argv); - badarg = 1; - } - } else badarg = 1; - } else if (!strcmp(*args,"-envpassout")) { - if (args[1]) { - args++; - if(!(passout= getenv(*args))) { - BIO_printf(bio_err, - "Can't read environment variable %s\n", - *argv); - badarg = 1; - } + passargin = *args; } else badarg = 1; } else if (!strcmp(*args,"-passout")) { if (args[1]) { args++; - passout = *args; - } else badarg = 1; - } else if (!strcmp (*args, "-envpass")) { - if (args[1]) { - args++; - if(!(cpass = getenv(*args))) { - BIO_printf(bio_err, - "Can't read environment variable %s\n", *args); - goto end; - } + passargout = *args; } else badarg = 1; } else if (!strcmp (*args, "-password")) { if (args[1]) { args++; - cpass = *args; + passarg = *args; noprompt = 1; } else badarg = 1; } else badarg = 1; @@ -284,15 +263,25 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); BIO_printf (bio_err, "-keyex set MS key exchange type\n"); BIO_printf (bio_err, "-keysig set MS key signature type\n"); - BIO_printf (bio_err, "-password p set import/export password (NOT RECOMMENDED)\n"); - BIO_printf (bio_err, "-envpass p set import/export password from environment\n"); - BIO_printf (bio_err, "-passin p input file pass phrase\n"); - BIO_printf (bio_err, "-envpassin p environment variable containing input file pass phrase\n"); - BIO_printf (bio_err, "-passout p output file pass phrase\n"); - BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n"); + BIO_printf (bio_err, "-password p set import/export password source\n"); + BIO_printf (bio_err, "-passin p input file pass phrase source\n"); + BIO_printf (bio_err, "-passout p output file pass phrase source\n"); + BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); + BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); + BIO_printf(bio_err, " the random number generator\n"); goto end; } + if(passarg) { + if(export_cert) passargout = passarg; + else passargin = passarg; + } + + if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + if(!cpass) { if(export_cert) cpass = passout; else cpass = passin; @@ -306,6 +295,12 @@ int MAIN(int argc, char **argv) mpass = macpass; } + if(export_cert || inrand) { + app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + } ERR_load_crypto_strings(); #ifdef CRYPTO_MDEBUG @@ -366,7 +361,8 @@ int MAIN(int argc, char **argv) if (export_cert) { EVP_PKEY *key; - STACK *bags, *safes; + STACK_OF(PKCS12_SAFEBAG) *bags; + STACK_OF(PKCS7) *safes; PKCS12_SAFEBAG *bag; PKCS8_PRIV_KEY_INFO *p8; PKCS7 *authsafe; @@ -380,7 +376,7 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_push_info("process -export_cert"); #endif - key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin); + key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin); if (!inkey) (void) BIO_reset(in); else BIO_free(inkey); if (!key) { @@ -411,7 +407,7 @@ int MAIN(int argc, char **argv) goto end; } - bags = sk_new (NULL); + bags = sk_PKCS12_SAFEBAG_new (NULL); /* Add any more certificates asked for */ if (certsin) { @@ -451,7 +447,7 @@ int MAIN(int argc, char **argv) PKCS12_add_localkeyid(bag, keyid, keyidlen); } else if((catmp = sk_shift(canames))) PKCS12_add_friendlyname(bag, catmp, -1); - sk_push(bags, (char *)bag); + sk_PKCS12_SAFEBAG_push(bags, bag); } sk_X509_pop_free(certs, X509_free); if (canames) sk_free(canames); @@ -465,15 +461,15 @@ int MAIN(int argc, char **argv) /* Turn certbags into encrypted authsafe */ authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0, iter, bags); - sk_pop_free(bags, PKCS12_SAFEBAG_free); + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); if (!authsafe) { ERR_print_errors (bio_err); goto end; } - safes = sk_new (NULL); - sk_push (safes, (char *)authsafe); + safes = sk_PKCS7_new (NULL); + sk_PKCS7_push (safes, authsafe); /* Make a shrouded key bag */ p8 = EVP_PKEY2PKCS8 (key); @@ -483,18 +479,18 @@ int MAIN(int argc, char **argv) PKCS8_PRIV_KEY_INFO_free(p8); if (name) PKCS12_add_friendlyname (bag, name, -1); PKCS12_add_localkeyid (bag, keyid, keyidlen); - bags = sk_new(NULL); - sk_push (bags, (char *)bag); + bags = sk_PKCS12_SAFEBAG_new(NULL); + sk_PKCS12_SAFEBAG_push (bags, bag); /* Turn it into unencrypted safe bag */ authsafe = PKCS12_pack_p7data (bags); - sk_pop_free(bags, PKCS12_SAFEBAG_free); - sk_push (safes, (char *)authsafe); + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + sk_PKCS7_push (safes, authsafe); p12 = PKCS12_init (NID_pkcs7_data); M_PKCS12_pack_authsafes (p12, safes); - sk_pop_free(safes, PKCS7_free); + sk_PKCS7_pop_free(safes, PKCS7_free); PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL); @@ -534,11 +530,16 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_push_info("verify MAC"); #endif - if (!PKCS12_verify_mac (p12, mpass, -1)) { + /* If we enter empty password try no password first */ + if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { + /* If mac and crypto pass the same set it to NULL too */ + if(!twopass) cpass = NULL; + } else if (!PKCS12_verify_mac(p12, mpass, -1)) { BIO_printf (bio_err, "Mac verify error: invalid password?\n"); ERR_print_errors (bio_err); goto end; - } else BIO_printf (bio_err, "MAC verified OK\n"); + } + BIO_printf (bio_err, "MAC verified OK\n"); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif @@ -555,26 +556,31 @@ int MAIN(int argc, char **argv) #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif - PKCS12_free(p12); ret = 0; end: + PKCS12_free(p12); + if(export_cert || inrand) app_RAND_write_file(NULL, bio_err); #ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); #endif BIO_free(in); BIO_free(out); + if(passin) Free(passin); + if(passout) Free(passout); EXIT(ret); } int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass) { - STACK *asafes, *bags; + STACK_OF(PKCS7) *asafes; + STACK_OF(PKCS12_SAFEBAG) *bags; int i, bagnid; PKCS7 *p7; + if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0; - for (i = 0; i < sk_num (asafes); i++) { - p7 = (PKCS7 *) sk_value (asafes, i); + for (i = 0; i < sk_PKCS7_num (asafes); i++) { + p7 = sk_PKCS7_value (asafes, i); bagnid = OBJ_obj2nid (p7->type); if (bagnid == NID_pkcs7_data) { bags = M_PKCS12_unpack_p7data (p7); @@ -590,23 +596,25 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, if (!bags) return 0; if (!dump_certs_pkeys_bags (out, bags, pass, passlen, options, pempass)) { - sk_pop_free (bags, PKCS12_SAFEBAG_free); + sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free); return 0; } - sk_pop_free (bags, PKCS12_SAFEBAG_free); + sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free); } - sk_pop_free (asafes, PKCS7_free); + sk_PKCS7_pop_free (asafes, PKCS7_free); return 1; } -int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass, - int passlen, int options, char *pempass) +int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, + char *pass, int passlen, int options, char *pempass) { int i; - for (i = 0; i < sk_num (bags); i++) { + for (i = 0; i < sk_PKCS12_SAFEBAG_num (bags); i++) { if (!dump_certs_pkeys_bag (out, - (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen, - options, pempass)) return 0; + sk_PKCS12_SAFEBAG_value (bags, i), + pass, passlen, + options, pempass)) + return 0; } return 1; } @@ -627,7 +635,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, p8 = bag->value.keybag; if (!(pkey = EVP_PKCS82PKEY (p8))) return 0; print_attribs (out, p8->attributes, "Key Attributes"); - PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass); + PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; @@ -643,7 +651,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, if (!(pkey = EVP_PKCS82PKEY (p8))) return 0; print_attribs (out, p8->attributes, "Key Attributes"); PKCS8_PRIV_KEY_INFO_free(p8); - PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass); + PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; @@ -696,7 +704,7 @@ int get_cert_chain (X509 *cert, STACK_OF(X509) **chain) i = X509_STORE_CTX_get_error (&store_ctx); goto err; } - chn = X509_STORE_CTX_rget_chain(&store_ctx); + chn = X509_STORE_CTX_get1_chain(&store_ctx); i = 0; *chain = chn; err: