From: Dr. Stephen Henson Date: Fri, 24 Dec 1999 23:53:57 +0000 (+0000) Subject: Allow passwords to be included on command line for a few X-Git-Tag: OpenSSL_0_9_5beta1~352 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=36217a942488852b616974e168a6ff0fecfb02fa Allow passwords to be included on command line for a few more utilities. --- diff --git a/CHANGES b/CHANGES index e19ea183b7..b26145ce44 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Add a password callback function PEM_cb() which either prompts for + a password if usr_data is NULL or otherwise assumes it is a null + terminate password. Allow passwords to be passed on command line + environment or config files in a few more utilities. + [Steve Henson] + *) Add a bunch of DER and PEM functions to handle PKCS#8 format private keys. Add some short names for PKCS#8 PBE algorithms and allow them to be specified on the command line for the pkcs8 and pkcs12 utilities. diff --git a/apps/apps.c b/apps/apps.c index 4e3f32d07a..68331084ab 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -325,17 +325,6 @@ int app_init(long mesgwin) } #endif -int MS_CALLBACK key_cb(char *buf, int len, int verify, void *key) - { - int i; - - if (key == NULL) return(0); - i=strlen(key); - i=(i > len)?len:i; - memcpy(buf,key,i); - return(i); - } - int dump_cert_text (BIO *out, X509 *x) { char buf[256]; diff --git a/apps/apps.h b/apps/apps.h index d4c88ab42d..793126da02 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -143,7 +143,6 @@ int args_from_file(char *file, int *argc, char **argv[]); int str2fmt(char *s); void program_name(char *in,char *out,int size); int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]); -int MS_CALLBACK key_cb(char *buf,int len,int verify,void *u); #ifdef HEADER_X509_H int dump_cert_text(BIO *out, X509 *x); #endif diff --git a/apps/ca.c b/apps/ca.c index 89a73b666f..ff11c2a05a 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -528,13 +528,8 @@ bad: BIO_printf(bio_err,"trying to load CA private key\n"); goto err; } - if (key == NULL) - pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL); - else - { - pkey=PEM_read_bio_PrivateKey(in,NULL,key_cb,key); - memset(key,0,strlen(key)); - } + pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,key); + if(key) memset(key,0,strlen(key)); if (pkey == NULL) { BIO_printf(bio_err,"unable to load CA private key\n"); diff --git a/apps/dsa.c b/apps/dsa.c index a5ff647252..94f71b5be8 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -236,11 +236,7 @@ bad: else dsa=d2i_DSAPrivateKey_bio(in,NULL); } else if (informat == FORMAT_PEM) { if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL); - else { - if(passin) dsa=PEM_read_bio_DSAPrivateKey(in,NULL, - key_cb,passin); - else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,NULL); - } + else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,PEM_cb,passin); } else { BIO_printf(bio_err,"bad input format specified for key\n"); @@ -287,12 +283,8 @@ bad: } else if (outformat == FORMAT_PEM) { if(pubin || pubout) i=PEM_write_bio_DSA_PUBKEY(out,dsa); - else { - if(passout) i=PEM_write_bio_DSAPrivateKey(out,dsa,enc, - NULL,0,key_cb, passout); - i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0, - NULL,NULL); - } + else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc, + NULL,0,PEM_cb, passout); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 33b0866f43..907032900e 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -3,6 +3,9 @@ # This is mostly being used for generation of certificate requests. # +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . RANDFILE = $ENV::HOME/.rnd oid_file = $ENV::HOME/.oid oid_section = new_oids @@ -86,6 +89,10 @@ distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + # This sets the permitted types in a DirectoryString. There are several # options. # default: PrintableString, T61String, BMPString. diff --git a/apps/req.c b/apps/req.c index 75f2b853ed..24e666f0dc 100644 --- a/apps/req.c +++ b/apps/req.c @@ -146,6 +146,7 @@ int MAIN(int argc, char **argv) char *req_exts = NULL; EVP_CIPHER *cipher=NULL; int modulus=0; + char *passin = NULL, *passout = NULL; char *p; const EVP_MD *md_alg=NULL,*digest=EVP_md5(); #ifndef MONOLITH @@ -217,6 +218,39 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; keyout= *(++argv); } + else if (strcmp(*argv,"-passin") == 0) + { + if (--argc < 1) goto bad; + passin= *(++argv); + } + else if (strcmp(*argv,"-envpassin") == 0) + { + if (--argc < 1) goto bad; + if(!(passin= getenv(*(++argv)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badops = 1; + } + } + else if (strcmp(*argv,"-envpassout") == 0) + { + if (--argc < 1) goto bad; + if(!(passout= getenv(*(++argv)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badops = 1; + } + argv++; + } + else if (strcmp(*argv,"-passout") == 0) + { + if (--argc < 1) goto bad; + passout= *(++argv); + } else if (strcmp(*argv,"-newkey") == 0) { int is_numeric; @@ -452,6 +486,12 @@ bad: } } + if(!passin) + passin = CONF_get_string(req_conf, SECTION, "input_password"); + + if(!passout) + passout = CONF_get_string(req_conf, SECTION, "output_password"); + p = CONF_get_string(req_conf, SECTION, DIRSTRING_TYPE); if(p && !ASN1_STRING_set_default_mask_asc(p)) { @@ -491,7 +531,9 @@ bad: rsa=d2i_RSAPrivateKey_bio(in,NULL); else */ if (keyform == FORMAT_PEM) - pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL); + { + pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,passin); + } else { BIO_printf(bio_err,"bad input format specified for X509 request\n"); @@ -579,7 +621,7 @@ bad: i=0; loop: if (!PEM_write_bio_PrivateKey(out,pkey,cipher, - NULL,0,NULL,NULL)) + NULL,0,PEM_cb,passout)) { if ((ERR_GET_REASON(ERR_peek_error()) == PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) diff --git a/apps/rsa.c b/apps/rsa.c index 219bdd65d6..684252cc1d 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -278,11 +278,7 @@ bad: #endif else if (informat == FORMAT_PEM) { if(pubin) rsa=PEM_read_bio_RSA_PUBKEY(in,NULL,NULL,NULL); - else { - if(passin) rsa=PEM_read_bio_RSAPrivateKey(in,NULL, - key_cb,passin); - else rsa=PEM_read_bio_RSAPrivateKey(in,NULL,NULL,NULL); - } + else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, PEM_cb,passin); } else { @@ -381,12 +377,8 @@ bad: else if (outformat == FORMAT_PEM) { if(pubout || pubin) i=PEM_write_bio_RSA_PUBKEY(out,rsa); - else { - if(passout) i=PEM_write_bio_RSAPrivateKey(out,rsa, - enc,NULL,0,key_cb,passout); - else i=PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL, - 0,NULL,NULL); - } + else i=PEM_write_bio_RSAPrivateKey(out,rsa, + enc,NULL,0,PEM_cb,passout); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; diff --git a/apps/smime.c b/apps/smime.c index 882838c66f..6c15dcfb6e 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -60,14 +60,14 @@ #include #include +#include "apps.h" #include #include -#include "apps.h" #undef PROG #define PROG smime_main static X509 *load_cert(char *file); -static EVP_PKEY *load_key(char *file); +static EVP_PKEY *load_key(char *file, char *pass); static STACK_OF(X509) *load_certs(char *file); static X509_STORE *setup_verify(char *CAfile, char *CApath); static int save_certs(char *signerfile, STACK_OF(X509) *signers); @@ -98,7 +98,7 @@ int MAIN(int argc, char **argv) int badarg = 0; int flags = PKCS7_DETACHED; char *to = NULL, *from = NULL, *subject = NULL; - char *CAfile = NULL, *CApath = NULL; + char *CAfile = NULL, *CApath = NULL, *passin = NULL; args = argv + 1; @@ -138,7 +138,18 @@ int MAIN(int argc, char **argv) flags |= PKCS7_BINARY; else if (!strcmp (*args, "-nosigs")) flags |= PKCS7_NOSIGS; - else if (!strcmp (*args, "-to")) { + else if (!strcmp(*argv,"-passin")) { + if (--argc < 1) badarg = 1; + else passin= *(++argv); + } else if (!strcmp(*argv,"-envpassin")) { + if (--argc < 1) badarg = 1; + else if(!(passin= getenv(*(++argv)))) { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badarg = 1; + } + } else if (!strcmp (*args, "-to")) { if (args[1]) { args++; to = *args; @@ -303,7 +314,7 @@ int MAIN(int argc, char **argv) } else keyfile = NULL; if(keyfile) { - if(!(key = load_key(keyfile))) { + if(!(key = load_key(keyfile, passin))) { BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile); ERR_print_errors(bio_err); goto end; @@ -405,12 +416,12 @@ static X509 *load_cert(char *file) return cert; } -static EVP_PKEY *load_key(char *file) +static EVP_PKEY *load_key(char *file, char *pass) { BIO *in; EVP_PKEY *key; if(!(in = BIO_new_file(file, "r"))) return NULL; - key = PEM_read_bio_PrivateKey(in, NULL, NULL,NULL); + key = PEM_read_bio_PrivateKey(in, NULL,PEM_cb,pass); BIO_free(in); return key; } diff --git a/apps/x509.c b/apps/x509.c index 0ed5ef1d03..797ee39c7e 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -92,6 +92,8 @@ static char *x509_usage[]={ " -CAkeyform arg - CA key format - default PEM\n", " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", +" -passin arg - private key password\n", +" -envpassin arg - read private key password from encvironment variable \"arg\"\n", " -serial - print serial number value\n", " -hash - print hash value\n", " -subject - print subject DN\n", @@ -129,7 +131,7 @@ NULL }; static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); -static EVP_PKEY *load_key(char *file, int format); +static EVP_PKEY *load_key(char *file, int format, char *passin); static X509 *load_cert(char *file, int format); static int sign (X509 *x, EVP_PKEY *pkey,int days,const EVP_MD *digest, LHASH *conf, char *section); @@ -166,7 +168,7 @@ int MAIN(int argc, char **argv) char buf[256]; const EVP_MD *md_alg,*digest=EVP_md5(); LHASH *extconf = NULL; - char *extsect = NULL, *extfile = NULL; + char *extsect = NULL, *extfile = NULL, *passin = NULL; int need_rand = 0; reqfile=0; @@ -232,6 +234,22 @@ int MAIN(int argc, char **argv) goto bad; } } + else if (strcmp(*argv,"-passin") == 0) + { + if (--argc < 1) goto bad; + passin= *(++argv); + } + else if (strcmp(*argv,"-envpassin") == 0) + { + if (--argc < 1) goto bad; + if(!(passin= getenv(*(++argv)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *argv); + badops = 1; + } + } else if (strcmp(*argv,"-extfile") == 0) { if (--argc < 1) goto bad; @@ -751,7 +769,7 @@ bad: BIO_printf(bio_err,"Getting Private key\n"); if (Upkey == NULL) { - Upkey=load_key(keyfile,keyformat); + Upkey=load_key(keyfile,keyformat, passin); if (Upkey == NULL) goto end; } #ifndef NO_DSA @@ -768,7 +786,7 @@ bad: BIO_printf(bio_err,"Getting CA Private Key\n"); if (CAkeyfile != NULL) { - CApkey=load_key(CAkeyfile,CAkeyformat); + CApkey=load_key(CAkeyfile,CAkeyformat, passin); if (CApkey == NULL) goto end; } #ifndef NO_DSA @@ -794,7 +812,7 @@ bad: } else { - pk=load_key(keyfile,FORMAT_PEM); + pk=load_key(keyfile,FORMAT_PEM, passin); if (pk == NULL) goto end; } @@ -1049,7 +1067,7 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx) } } -static EVP_PKEY *load_key(char *file, int format) +static EVP_PKEY *load_key(char *file, int format, char *passin) { BIO *key=NULL; EVP_PKEY *pkey=NULL; @@ -1088,7 +1106,7 @@ static EVP_PKEY *load_key(char *file, int format) #endif if (format == FORMAT_PEM) { - pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,NULL); + pkey=PEM_read_bio_PrivateKey(key,NULL,PEM_cb,passin); } else { diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h index 26c313b2ef..80ab491a1c 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -601,6 +601,9 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, vo int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc, char *kstr,int klen, pem_password_cb *cd, void *u); +#ifdef MS_CALLBACK +int MS_CALLBACK PEM_cb(char *buf, int len, int verify, void *key); +#endif #endif /* SSLEAY_MACROS */ diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 2bafb5e735..bb2597b921 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -121,6 +121,22 @@ static int def_callback(char *buf, int num, int w, void *userdata) #endif } +/* This is a generic callback. If the user data is not NULL it is assumed + * to be a null terminated password. Otherwise the default password callback + * is called. + */ + + +int MS_CALLBACK PEM_cb(char *buf, int len, int verify, void *key) +{ + int i; + if (key == NULL) return def_callback(buf, len, verify, key); + i=strlen(key); + i=(i > len)?len:i; + memcpy(buf,key,i); + return(i); +} + void PEM_proc_type(char *buf, int type) { const char *str; diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 68b5818c95..a5e83ee824 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -663,6 +663,7 @@ int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8); PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf); int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf); +int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key); #endif #endif @@ -692,6 +693,7 @@ int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8); PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf); int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf); +int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key); #endif X509 *X509_dup(X509 *x509); diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index e2db82780d..887999f89d 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -469,6 +469,18 @@ int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf) { return(ASN1_i2d_fp(i2d_PKCS8_PRIV_KEY_INFO,fp,(unsigned char *)p8inf)); } + +int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key) + { + PKCS8_PRIV_KEY_INFO *p8inf; + int ret; + p8inf = EVP_PKEY2PKCS8(key); + if(!p8inf) return 0; + ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf); + PKCS8_PRIV_KEY_INFO_free(p8inf); + return ret; + } + #endif PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, @@ -484,3 +496,14 @@ int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf) { return(ASN1_i2d_bio(i2d_PKCS8_PRIV_KEY_INFO,bp,(unsigned char *)p8inf)); } + +int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key) + { + PKCS8_PRIV_KEY_INFO *p8inf; + int ret; + p8inf = EVP_PKEY2PKCS8(key); + if(!p8inf) return 0; + ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf); + PKCS8_PRIV_KEY_INFO_free(p8inf); + return ret; + } diff --git a/util/libeay.num b/util/libeay.num index 3c2c06bce9..7db8acf8bd 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2149,3 +2149,6 @@ i2d_ASN1_NULL 2173 i2d_PKCS8PrivateKey_nid_fp 2174 d2i_PKCS8PrivateKey_fp 2175 i2d_PKCS8PrivateKey_nid_bio 2176 +i2d_PKCS8PrivateKeyInfo_fp 2177 +i2d_PKCS8PrivateKeyInfo_bio 2178 +PEM_cb 2179