/* pkcs12.c */
|
2 |
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project.
*/
|
5 |
/* ====================================================================
* Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
*
|
8 |
* Redistribution and use in source and binary forms, with or without
|
|
9 |
* modification, are permitted provided that the following conditions
|
|
10 |
* are met:
|
|
11 |
*
|
|
12 |
* 1. Redistributions of source code must retain the above copyright
|
|
13 |
* notice, this list of conditions and the following disclaimer.
|
|
14 |
*
|
|
15 |
* 2. Redistributions in binary form must reproduce the above copyright
|
|
16 |
* notice, this list of conditions and the following disclaimer in
|
|
17 |
* the documentation and/or other materials provided with the
|
|
18 |
* distribution.
|
|
19 |
*
|
|
20 |
* 3. All advertising materials mentioning features or use of this
|
|
21 |
* software must display the following acknowledgment:
|
|
22 |
* "This product includes software developed by the OpenSSL Project
|
|
23 |
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
|
24 |
*
|
|
25 |
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
26 |
* endorse or promote products derived from this software without
|
|
27 |
* prior written permission. For written permission, please contact
|
|
28 |
* licensing@OpenSSL.org.
|
|
29 |
*
|
|
30 |
* 5. Products derived from this software may not be called "OpenSSL"
|
|
31 |
* nor may "OpenSSL" appear in their names without prior written
|
|
32 |
* permission of the OpenSSL Project.
|
|
33 |
*
|
|
34 |
* 6. Redistributions of any form whatsoever must retain the following
|
|
35 |
* acknowledgment:
|
|
36 |
* "This product includes software developed by the OpenSSL Project
|
|
37 |
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
|
38 |
*
|
|
39 |
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
40 |
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
41 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
42 |
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
43 |
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
44 |
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
45 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
46 |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
47 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
48 |
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
49 |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
50 |
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
51 |
* ====================================================================
|
|
52 |
*
|
|
53 |
* This product includes cryptographic software written by Eric Young
|
|
54 |
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
55 |
* Hudson (tjh@cryptsoft.com).
|
|
56 |
*
|
|
57 |
*/
#include <openssl/opensslconf.h> |
60 |
#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
#include <stdio.h> |
63 |
#include <stdlib.h> |
|
64 |
#include <string.h> |
|
65 |
#include "apps.h" |
|
66 |
#include <openssl/crypto.h> |
|
67 |
#include <openssl/err.h> |
|
68 |
#include <openssl/pem.h> |
|
69 |
#include <openssl/pkcs12.h> |
|
70 |
||
71 |
#define PROG pkcs12_main

/* Cipher used by dump_certs_pkeys_bag() when it writes private keys as
 * PEM. MAIN() initialises it to triple-DES CBC; the -des/-des3/-idea/
 * -seed/-aes*/-camellia* options replace it and -nodes sets it to NULL
 * (unencrypted output). */
const EVP_CIPHER *enc;


/* Bit flags gathered into MAIN()'s 'options' and forwarded to the dump
 * helpers. */
#define NOKEYS 0x1	/* -nokeys: do not write private keys */
#define NOCERTS 0x2	/* -nocerts: do not write certificates */
#define INFO 0x4	/* -info: describe the PKCS#12 structure on bio_err */
#define CLCERTS 0x8	/* -clcerts: skip certificate bags that lack a localKeyID */
#define CACERTS 0x10	/* -cacerts: skip certificate bags that carry a localKeyID */

/* Build the verified chain of 'cert' against 'store' into *chain.
 * Defined elsewhere in this file; MAIN() treats 0 as success, a positive
 * value as an X509 verify error code and a negative value as a library
 * error. */
int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
/* Walk all authenticated safes of p12 and dump their contents to out.
 * pass/passlen decrypt encrypted safes and shrouded keys, pempass is the
 * PEM output pass phrase. Returns 1 on success, 0 on failure. */
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
/* Dump each bag of 'bags' via dump_certs_pkeys_bag(); 0 on first failure. */
int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass,
			  int passlen, int options, char *pempass);
/* Dump one bag (key, shrouded key or certificate). The parameter is a
 * single bag despite the name used in this prototype. */
int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
/* Print an attribute list under the heading 'name'. */
int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name);
/* Print 'len' bytes of buf as hex. */
void hex_prin(BIO *out, unsigned char *buf, int len);
/* Describe a PBE/encryption AlgorithmIdentifier on x. */
int alg_print(BIO *x, X509_ALGOR *alg);
/* Append all certificates readable from 'in' to sk. */
int cert_load(BIO *in, STACK_OF(X509) *sk);

int MAIN(int, char **);
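/*
 * Entry point of the "pkcs12" application.
 *
 * Two modes, selected by -export:
 *   - export: load a PEM private key (-inkey or -in) and certificates
 *     (-in, -certfile, optionally a chain built from -CAfile/-CApath),
 *     build a PKCS#12 with PKCS12_create(), MAC it unless -nomac, and
 *     write the DER structure to -out.
 *   - import (default): parse a PKCS#12 from -in, verify its MAC unless
 *     -nomacver, and write keys and certificates as PEM to -out through
 *     dump_certs_keys_p12().
 *
 * Passwords come from -password/-passin/-passout via app_passwd(), or are
 * prompted into the fixed-size pass/macpass buffers; -twopass prompts for
 * a separate MAC password. Exits through OPENSSL_EXIT() with 0 on success
 * and 1 on any error or usage problem.
 */
int MAIN(int argc, char **argv)
{
    ENGINE *e = NULL;
    char *infile=NULL, *outfile=NULL, *keyname = NULL;
    char *certfile=NULL;
    BIO *in=NULL, *out = NULL;
    char **args;
    char *name = NULL;
    char *csp_name = NULL;
    PKCS12 *p12 = NULL;
    /* Prompted pass phrases; only ever filled by EVP_read_pw_string(),
     * which is bounded by sizeof. */
    char pass[50], macpass[50];
    int export_cert = 0;
    int options = 0;
    int chain = 0;
    int badarg = 0;
    int iter = PKCS12_DEFAULT_ITER;
    /* -1 means "no MAC at all" (-nomac); 1 means a single iteration. */
    int maciter = PKCS12_DEFAULT_ITER;
    int twopass = 0;
    int keytype = 0;
    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    int ret = 1;
    int macver = 1;
    int noprompt = 0;
    STACK *canames = NULL;
    /* cpass: pass phrase for key/cert encryption; mpass: pass phrase for
     * the MAC. They alias the same buffer unless -twopass is given. */
    char *cpass = NULL, *mpass = NULL;
    char *passargin = NULL, *passargout = NULL, *passarg = NULL;
    char *passin = NULL, *passout = NULL;
    char *inrand = NULL;
    char *CApath = NULL, *CAfile = NULL;
#ifndef OPENSSL_NO_ENGINE
    char *engine=NULL;
#endif

    apps_startup();

    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

    if (!load_config(bio_err, NULL))
        goto end;

    args = argv + 1;


    while (*args) {
        if (*args[0] == '-') {
            if (!strcmp (*args, "-nokeys")) options |= NOKEYS;
            else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;
            else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;
            else if (!strcmp (*args, "-nocerts")) options |= NOCERTS;
            else if (!strcmp (*args, "-clcerts")) options |= CLCERTS;
            else if (!strcmp (*args, "-cacerts")) options |= CACERTS;
            else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS);
            else if (!strcmp (*args, "-info")) options |= INFO;
            else if (!strcmp (*args, "-chain")) chain = 1;
            else if (!strcmp (*args, "-twopass")) twopass = 1;
            else if (!strcmp (*args, "-nomacver")) macver = 0;
            else if (!strcmp (*args, "-descert"))
                cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
            else if (!strcmp (*args, "-export")) export_cert = 1;
            else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
            else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
#ifndef OPENSSL_NO_IDEA
            else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
#endif
#ifndef OPENSSL_NO_SEED
            else if (!strcmp(*args, "-seed")) enc=EVP_seed_cbc();
#endif
#ifndef OPENSSL_NO_AES
            else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
            else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
            else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
#endif
#ifndef OPENSSL_NO_CAMELLIA
            else if (!strcmp(*args,"-camellia128")) enc=EVP_camellia_128_cbc();
            else if (!strcmp(*args,"-camellia192")) enc=EVP_camellia_192_cbc();
            else if (!strcmp(*args,"-camellia256")) enc=EVP_camellia_256_cbc();
#endif
            else if (!strcmp (*args, "-noiter")) iter = 1;
            else if (!strcmp (*args, "-maciter"))
                maciter = PKCS12_DEFAULT_ITER;
            else if (!strcmp (*args, "-nomaciter"))
                maciter = 1;
            else if (!strcmp (*args, "-nomac"))
                maciter = -1;
            else if (!strcmp (*args, "-nodes")) enc=NULL;
            else if (!strcmp (*args, "-certpbe")) {
                if (args[1]) {
                    args++;
                    /* "NONE" selects an unencrypted certificate safe. */
                    if (!strcmp(*args, "NONE"))
                        cert_pbe = -1;
                    else
                        cert_pbe=OBJ_txt2nid(*args);
                    if(cert_pbe == NID_undef) {
                        BIO_printf(bio_err,
                             "Unknown PBE algorithm %s\n", *args);
                        badarg = 1;
                    }
                } else badarg = 1;
            } else if (!strcmp (*args, "-keypbe")) {
                if (args[1]) {
                    args++;
                    /* "NONE" stores the key in a plain (unshrouded) key bag. */
                    if (!strcmp(*args, "NONE"))
                        key_pbe = -1;
                    else
                        key_pbe=OBJ_txt2nid(*args);
                    if(key_pbe == NID_undef) {
                        BIO_printf(bio_err,
                             "Unknown PBE algorithm %s\n", *args);
                        badarg = 1;
                    }
                } else badarg = 1;
            } else if (!strcmp (*args, "-rand")) {
                if (args[1]) {
                    args++;
                    inrand = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-inkey")) {
                if (args[1]) {
                    args++;
                    keyname = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-certfile")) {
                if (args[1]) {
                    args++;
                    certfile = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-name")) {
                if (args[1]) {
                    args++;
                    name = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-CSP")) {
                if (args[1]) {
                    args++;
                    csp_name = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-caname")) {
                if (args[1]) {
                    args++;
                    if (!canames) canames = sk_new_null();
                    sk_push(canames, *args);
                } else badarg = 1;
            } else if (!strcmp (*args, "-in")) {
                if (args[1]) {
                    args++;
                    infile = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-out")) {
                if (args[1]) {
                    args++;
                    outfile = *args;
                } else badarg = 1;
            } else if (!strcmp(*args,"-passin")) {
                if (args[1]) {
                    args++;
                    passargin = *args;
                } else badarg = 1;
            } else if (!strcmp(*args,"-passout")) {
                if (args[1]) {
                    args++;
                    passargout = *args;
                } else badarg = 1;
            } else if (!strcmp (*args, "-password")) {
                if (args[1]) {
                    args++;
                    passarg = *args;
                    noprompt = 1;
                } else badarg = 1;
            } else if (!strcmp(*args,"-CApath")) {
                if (args[1]) {
                    args++;
                    CApath = *args;
                } else badarg = 1;
            } else if (!strcmp(*args,"-CAfile")) {
                if (args[1]) {
                    args++;
                    CAfile = *args;
                } else badarg = 1;
#ifndef OPENSSL_NO_ENGINE
            } else if (!strcmp(*args,"-engine")) {
                if (args[1]) {
                    args++;
                    engine = *args;
                } else badarg = 1;
#endif
            } else badarg = 1;

        } else badarg = 1;
        args++;
    }

    if (badarg) {
        BIO_printf (bio_err, "Usage: pkcs12 [options]\n");
        BIO_printf (bio_err, "where options are\n");
        BIO_printf (bio_err, "-export output PKCS12 file\n");
        BIO_printf (bio_err, "-chain add certificate chain\n");
        BIO_printf (bio_err, "-inkey file private key if not infile\n");
        BIO_printf (bio_err, "-certfile f add all certs in f\n");
        BIO_printf (bio_err, "-CApath arg - PEM format directory of CA's\n");
        BIO_printf (bio_err, "-CAfile arg - PEM format file of CA's\n");
        BIO_printf (bio_err, "-name \"name\" use name as friendly name\n");
        BIO_printf (bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
        BIO_printf (bio_err, "-in infile input filename\n");
        BIO_printf (bio_err, "-out outfile output filename\n");
        BIO_printf (bio_err, "-noout don't output anything, just verify.\n");
        BIO_printf (bio_err, "-nomacver don't verify MAC.\n");
        BIO_printf (bio_err, "-nocerts don't output certificates.\n");
        BIO_printf (bio_err, "-clcerts only output client certificates.\n");
        BIO_printf (bio_err, "-cacerts only output CA certificates.\n");
        BIO_printf (bio_err, "-nokeys don't output private keys.\n");
        BIO_printf (bio_err, "-info give info about PKCS#12 structure.\n");
        BIO_printf (bio_err, "-des encrypt private keys with DES\n");
        BIO_printf (bio_err, "-des3 encrypt private keys with triple DES (default)\n");
#ifndef OPENSSL_NO_IDEA
        BIO_printf (bio_err, "-idea encrypt private keys with idea\n");
#endif
#ifndef OPENSSL_NO_SEED
        BIO_printf (bio_err, "-seed encrypt private keys with seed\n");
#endif
#ifndef OPENSSL_NO_AES
        BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
        BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
#endif
#ifndef OPENSSL_NO_CAMELLIA
        BIO_printf (bio_err, "-camellia128, -camellia192, -camellia256\n");
        BIO_printf (bio_err, " encrypt PEM output with cbc camellia\n");
#endif
        BIO_printf (bio_err, "-nodes don't encrypt private keys\n");
        BIO_printf (bio_err, "-noiter don't use encryption iteration\n");
        BIO_printf (bio_err, "-maciter use MAC iteration\n");
        BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n");
        BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
        BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
        BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
        BIO_printf (bio_err, "-keyex set MS key exchange type\n");
        BIO_printf (bio_err, "-keysig set MS key signature type\n");
        BIO_printf (bio_err, "-password p set import/export password source\n");
        BIO_printf (bio_err, "-passin p input file pass phrase source\n");
        BIO_printf (bio_err, "-passout p output file pass phrase source\n");
#ifndef OPENSSL_NO_ENGINE
        BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
#endif
        BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
        BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
        BIO_printf(bio_err, " the random number generator\n");
        goto end;
    }

#ifndef OPENSSL_NO_ENGINE
    e = setup_engine(bio_err, engine, 0);
#endif

    /* -password is a single source that applies to whichever side
     * (input for import, output for export) this run uses. */
    if(passarg) {
        if(export_cert) passargout = passarg;
        else passargin = passarg;
    }

    if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }

    if(!cpass) {
        if(export_cert) cpass = passout;
        else cpass = passin;
    }

    /* A pass phrase supplied on the command line disables prompting;
     * otherwise the prompted buffers are used. */
    if(cpass) {
        mpass = cpass;
        noprompt = 1;
    } else {
        cpass = pass;
        mpass = macpass;
    }

    if(export_cert || inrand) {
        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
        if (inrand != NULL)
            BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
                app_RAND_load_files(inrand));
    }
    ERR_load_crypto_strings();

#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read files");
#endif

    if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);
    else in = BIO_new_file(infile, "rb");
    if (!in) {
        BIO_printf(bio_err, "Error opening input file %s\n",
                        infile ? infile : "<stdin>");
        perror (infile);
        goto end;
    }

#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
    CRYPTO_push_info("write files");
#endif

    if (!outfile) {
        out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
        {
        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
        out = BIO_push(tmpbio, out);
        }
#endif
    } else out = BIO_new_file(outfile, "wb");
    if (!out) {
        BIO_printf(bio_err, "Error opening output file %s\n",
                        outfile ? outfile : "<stdout>");
        perror (outfile);
        goto end;
    }
    if (twopass) {
#ifdef CRYPTO_MDEBUG
        CRYPTO_push_info("read MAC password");
#endif
        /* Verification (re-typing) of the MAC password is only asked
         * for when exporting. */
        if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert))
        {
            BIO_printf (bio_err, "Can't read Password\n");
            goto end;
        }
#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
#endif
    }

    if (export_cert) {
        EVP_PKEY *key = NULL;
        X509 *ucert = NULL, *x = NULL;
        STACK_OF(X509) *certs=NULL;
        unsigned char *catmp = NULL;
        int i;

        if ((options & (NOCERTS|NOKEYS)) == (NOCERTS|NOKEYS))
        {
            BIO_printf(bio_err, "Nothing to do!\n");
            goto export_end;
        }

        /* Without a user certificate there is nothing to chain from. */
        if (options & NOCERTS)
            chain = 0;

#ifdef CRYPTO_MDEBUG
        CRYPTO_push_info("process -export_cert");
        CRYPTO_push_info("reading private key");
#endif
        if (!(options & NOKEYS))
        {
            key = load_key(bio_err, keyname ? keyname : infile,
                    FORMAT_PEM, 1, passin, e, "private key");
            if (!key)
                goto export_end;
        }

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("reading certs from input");
#endif

        /* Load in all certs in input file */
        if(!(options & NOCERTS))
        {
            certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
                            "certificates");
            if (!certs)
                goto export_end;

            if (key)
            {
                /* Look for matching private key */
                for(i = 0; i < sk_X509_num(certs); i++)
                {
                    x = sk_X509_value(certs, i);
                    if(X509_check_private_key(x, key))
                    {
                        ucert = x;
                        /* Zero keyid and alias */
                        X509_keyid_set1(ucert, NULL, 0);
                        X509_alias_set1(ucert, NULL, 0);
                        /* Remove from list: ucert now owns this
                         * reference and is freed separately at
                         * export_end. */
                        (void)sk_X509_delete(certs, i);
                        break;
                    }
                }
                if (!ucert)
                {
                    BIO_printf(bio_err, "No certificate matches private key\n");
                    goto export_end;
                }
            }

        }

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("reading certs from input 2");
#endif

        /* Add any more certificates asked for */
        if(certfile)
        {
            STACK_OF(X509) *morecerts=NULL;
            if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
                            NULL, e,
                            "certificates from certfile")))
                goto export_end;
            /* Move (not copy) the references into certs, then drop the
             * now-empty stack. */
            while(sk_X509_num(morecerts) > 0)
                sk_X509_push(certs, sk_X509_shift(morecerts));
            sk_X509_free(morecerts);
        }

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("reading certs from certfile");
#endif

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("building chain");
#endif

        /* If chaining get chain from user cert */
        if (chain) {
            int vret;
            STACK_OF(X509) *chain2;
            X509_STORE *store = X509_STORE_new();
            if (!store)
            {
                BIO_printf (bio_err, "Memory allocation error\n");
                goto export_end;
            }
            /* Fall back to the compiled-in default locations when the
             * user-supplied ones cannot be loaded. */
            if (!X509_STORE_load_locations(store, CAfile, CApath))
                X509_STORE_set_default_paths (store);

            vret = get_cert_chain (ucert, store, &chain2);
            X509_STORE_free(store);

            if (!vret) {
                /* Exclude verified certificate: chain2[0] is ucert
                 * itself, which is already in the output. */
                for (i = 1; i < sk_X509_num (chain2) ; i++)
                    sk_X509_push(certs, sk_X509_value (chain2, i));
                /* Free first certificate */
                X509_free(sk_X509_value(chain2, 0));
                sk_X509_free(chain2);
            } else {
                /* Positive: X509 verify error code; negative: library
                 * error already on the error queue. */
                if (vret >= 0)
                    BIO_printf (bio_err, "Error %s getting chain.\n",
                            X509_verify_cert_error_string(vret));
                else
                    ERR_print_errors(bio_err);
                goto export_end;
            }
        }

        /* Add any CA names: the i-th -caname is attached to the i-th
         * certificate in certs. */

        for (i = 0; i < sk_num(canames); i++)
        {
            catmp = (unsigned char *)sk_value(canames, i);
            X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
        }

        if (csp_name && key)
            EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
                    MBSTRING_ASC, (unsigned char *)csp_name, -1);


#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("reading password");
#endif

        if(!noprompt &&
            EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1))
        {
            BIO_printf (bio_err, "Can't read Password\n");
            goto export_end;
        }
        if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("creating PKCS#12 structure");
#endif

        p12 = PKCS12_create(cpass, name, key, ucert, certs,
                    key_pbe, cert_pbe, iter, -1, keytype);

        if (!p12)
        {
            ERR_print_errors (bio_err);
            goto export_end;
        }

        /* -nomac leaves the structure without a MAC entirely. */
        if (maciter != -1)
            PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL);

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_push_info("writing pkcs12");
#endif

        i2d_PKCS12_bio(out, p12);

        ret = 0;

    export_end:
#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
        CRYPTO_pop_info();
        CRYPTO_push_info("process -export_cert: freeing");
#endif

        if (key) EVP_PKEY_free(key);
        if (certs) sk_X509_pop_free(certs, X509_free);
        if (ucert) X509_free(ucert);

#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
#endif
        goto end;

    }

    if (!(p12 = d2i_PKCS12_bio (in, NULL))) {
        ERR_print_errors(bio_err);
        goto end;
    }

#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read import password");
#endif
    if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
        BIO_printf (bio_err, "Can't read Password\n");
        goto end;
    }
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
#endif

    if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);

    /* A PKCS#12 file need not carry a MAC (this tool writes such files
     * with -nomac), so p12->mac may be NULL here; report that instead of
     * dereferencing it. */
    if (options & INFO) {
        if (p12->mac)
            BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
        else
            BIO_printf (bio_err, "Warning: MAC is absent!\n");
    }
    if(macver) {
#ifdef CRYPTO_MDEBUG
        CRYPTO_push_info("verify MAC");
#endif
        /* If we enter empty password try no password first */
        if(!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
            /* If mac and crypto pass the same set it to NULL too */
            if(!twopass) cpass = NULL;
        } else if (!PKCS12_verify_mac(p12, mpass, -1)) {
            BIO_printf (bio_err, "Mac verify error: invalid password?\n");
            ERR_print_errors (bio_err);
            goto end;
        }
        BIO_printf (bio_err, "MAC verified OK\n");
#ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
#endif
    }

#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("output keys and certificates");
#endif
    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
        BIO_printf(bio_err, "Error outputting keys and certificates\n");
        ERR_print_errors (bio_err);
        goto end;
    }
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
#endif
    ret = 0;
    end:
    if (p12) PKCS12_free(p12);
    if(export_cert || inrand) app_RAND_write_file(NULL, bio_err);
#ifdef CRYPTO_MDEBUG
    CRYPTO_remove_all_info();
#endif
    BIO_free(in);
    BIO_free_all(out);
    if (canames) sk_free(canames);
    if(passin) OPENSSL_free(passin);
    if(passout) OPENSSL_free(passout);
    /* Scrub the prompted pass phrases; a plain memset here could be
     * optimised away. */
    OPENSSL_cleanse(pass, sizeof pass);
    OPENSSL_cleanse(macpass, sizeof macpass);
    apps_shutdown();
    OPENSSL_EXIT(ret);
}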
/* Walk every authenticated safe of p12 and write its contents to out via
 * dump_certs_pkeys_bags(). Plain-data safes are unpacked as they are;
 * encrypted safes are decrypted with pass/passlen. pempass is forwarded
 * for the PEM output. With INFO in options, the type of each safe is
 * reported on bio_err. Returns 1 on success, 0 when the authsafes cannot
 * be unpacked, a safe cannot be decoded or decrypted, or a bag fails to
 * dump. */
int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
	     int passlen, int options, char *pempass)
{
    STACK_OF(PKCS7) *safes = PKCS12_unpack_authsafes(p12);
    int ok = 0;
    int idx;

    if (safes == NULL)
        return 0;

    for (idx = 0; idx < sk_PKCS7_num(safes); idx++) {
        PKCS7 *safe = sk_PKCS7_value(safes, idx);
        STACK_OF(PKCS12_SAFEBAG) *bags;
        int dumped;

        switch (OBJ_obj2nid(safe->type)) {
        case NID_pkcs7_data:
            bags = PKCS12_unpack_p7data(safe);
            if (options & INFO)
                BIO_printf(bio_err, "PKCS7 Data\n");
            break;
        case NID_pkcs7_encrypted:
            if (options & INFO) {
                BIO_printf(bio_err, "PKCS7 Encrypted data: ");
                alg_print(bio_err, safe->d.encrypted->enc_data->algorithm);
            }
            bags = PKCS12_unpack_p7encdata(safe, pass, passlen);
            break;
        default:
            /* Neither plain nor encrypted data: nothing to dump. */
            continue;
        }

        if (bags == NULL)
            goto cleanup;

        dumped = dump_certs_pkeys_bags(out, bags, pass, passlen,
                                       options, pempass);
        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
        if (!dumped)
            goto cleanup;
    }
    ok = 1;

cleanup:
    /* safes is known non-NULL past the early return above. */
    sk_PKCS7_pop_free(safes, PKCS7_free);
    return ok;
}
/* Dump each bag of 'bags' in order through dump_certs_pkeys_bag(),
 * forwarding pass/passlen, options and pempass unchanged. Stops at the
 * first bag that fails and returns 0; returns 1 once every bag has been
 * written. */
int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
		char *pass, int passlen, int options, char *pempass)
{
    int idx = 0;

    while (idx < sk_PKCS12_SAFEBAG_num(bags)) {
        PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, idx);
        if (dump_certs_pkeys_bag(out, bag, pass, passlen,
                                 options, pempass) == 0)
            return 0;
        idx++;
    }
    return 1;
}
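/* Dump the contents of one SafeBag to `out`.
 *
 * options       bitmask; NOKEYS / NOCERTS / CACERTS / CLCERTS select what
 *               is skipped, INFO adds diagnostics on bio_err.
 * pass/passlen  password used to decrypt a pkcs8ShroudedKeyBag.
 * pempass       passphrase passed on to PEM_write_bio_PrivateKey() together
 *               with the file-level cipher `enc`.
 *
 * Returns 1 on success (a bag that is filtered out, not an X.509 cert, or
 * of an unsupported type still counts as success), 0 when a key or
 * certificate could not be decoded or when writing it to `out` failed.
 * Previously a failed PEM write was silently ignored and the caller was
 * told everything had been written.
 */
int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
	     int passlen, int options, char *pempass)
{
	EVP_PKEY *pkey;
	PKCS8_PRIV_KEY_INFO *p8;
	X509 *x509;
	int ret = 1;

	switch (M_PKCS12_bag_type(bag))
	{
	case NID_keyBag:
		if (options & INFO) BIO_printf (bio_err, "Key bag\n");
		if (options & NOKEYS) return 1;
		print_attribs (out, bag->attrib, "Bag Attributes");
		/* The PKCS#8 structure belongs to the bag: not freed here. */
		p8 = bag->value.keybag;
		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
		print_attribs (out, p8->attributes, "Key Attributes");
		/* Release the key on both the success and the failure path;
		 * the write result is reported to the caller. */
		ret = PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
		EVP_PKEY_free(pkey);
		break;

	case NID_pkcs8ShroudedKeyBag:
		if (options & INFO) {
			BIO_printf (bio_err, "Shrouded Keybag: ");
			alg_print (bio_err, bag->value.shkeybag->algor);
		}
		if (options & NOKEYS) return 1;
		print_attribs (out, bag->attrib, "Bag Attributes");
		/* Decryption returns a fresh PKCS#8 structure owned by us. */
		if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
			return 0;
		if (!(pkey = EVP_PKCS82PKEY (p8))) {
			PKCS8_PRIV_KEY_INFO_free(p8);
			return 0;
		}
		print_attribs (out, p8->attributes, "Key Attributes");
		PKCS8_PRIV_KEY_INFO_free(p8);
		ret = PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
		EVP_PKEY_free(pkey);
		break;

	case NID_certBag:
		if (options & INFO) BIO_printf (bio_err, "Certificate bag\n");
		if (options & NOCERTS) return 1;
		/* Bags carrying a localKeyID attribute are treated as client
		 * certificates, all others as CA certificates. */
		if (PKCS12_get_attr(bag, NID_localKeyID)) {
			if (options & CACERTS) return 1;
		} else if (options & CLCERTS) return 1;
		print_attribs (out, bag->attrib, "Bag Attributes");
		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
			return 1;
		if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
		dump_cert_text (out, x509);
		ret = PEM_write_bio_X509 (out, x509);
		X509_free(x509);
		break;

	case NID_safeContentsBag:
		if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
		print_attribs (out, bag->attrib, "Bag Attributes");
		/* Nested SafeContents: recurse into the inner bag list. */
		return dump_certs_pkeys_bags (out, bag->value.safes, pass,
							passlen, options, pempass);

	default:
		BIO_printf (bio_err, "Warning unsupported bag type: ");
		i2a_ASN1_OBJECT (bio_err, bag->type);
		BIO_printf (bio_err, "\n");
		return 1;
	}

	return ret;
}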
/* Given a single certificate, return its verified chain in *chain, or NULL if verification fails */
/* Hope this is OK .... */
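/* Build and verify the certificate chain for `cert` against `store`.
 *
 * On success *chain receives a newly allocated STACK_OF(X509) that the
 * caller owns (free with sk_X509_pop_free) and 0 is returned.  On failure
 * *chain is NULL and the return value is the X509_STORE_CTX error code;
 * -1 is used when no code is available, i.e. X509_verify_cert() failed
 * without setting one or the verify context could not be initialised.
 */
int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
{
	X509_STORE_CTX store_ctx;
	STACK_OF(X509) *chn = NULL;
	int i = 0;

	/* A context that failed to initialise must be neither verified nor
	 * cleaned up; report it with the same sentinel as a missing error
	 * code rather than ignoring the failure (the old FIXME). */
	if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
		*chain = NULL;
		return -1;
	}
	if (X509_verify_cert(&store_ctx) <= 0) {
		i = X509_STORE_CTX_get_error (&store_ctx);
		if (i == 0)
			/* avoid returning 0 if X509_verify_cert() did not
			 * set an appropriate error value in the context */
			i = -1;
	} else
		chn = X509_STORE_CTX_get1_chain(&store_ctx);

	X509_STORE_CTX_cleanup(&store_ctx);
	*chain = chn;

	return i;
}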
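/* Print the PBE algorithm name and iteration count of `alg` on bio_err.
 *
 * `alg` is taken from the PKCS#12 file being parsed and is untrusted: its
 * parameter field may be absent, not a SEQUENCE, or fail to decode as a
 * PBEPARAM.  In all of those cases only the algorithm name (followed by a
 * newline) is printed instead of dereferencing a NULL pointer or leaving
 * the caller's "Shrouded Keybag: " line unterminated.
 *
 * `x` is not used; output always goes to bio_err.  Always returns 1.
 */
int alg_print (BIO *x, X509_ALGOR *alg)
{
	PBEPARAM *pbe = NULL;
	const unsigned char *p;
	const char *algname = OBJ_nid2ln(OBJ_obj2nid(alg->algorithm));

	if (alg->parameter && alg->parameter->type == V_ASN1_SEQUENCE) {
		p = alg->parameter->value.sequence->data;
		pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
	}
	if (!pbe) {
		BIO_printf (bio_err, "%s\n", algname);
		return 1;
	}
	BIO_printf (bio_err, "%s, Iteration %ld\n", algname,
			ASN1_INTEGER_get(pbe->iter));
	PBEPARAM_free (pbe);
	return 1;
}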
/* Load all certificates from a given file */
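/* Read every PEM certificate from `in` and append it to `sk`.
 *
 * Returns 1 if at least one certificate was read, in which case the error
 * queue is cleared (presumably to drop the error left by the final, failed
 * read).  Returns 0 if nothing was read or a certificate could not be
 * appended to `sk`; certificates already on `sk` stay there, and a
 * certificate that could not be appended is freed here instead of leaked.
 */
int cert_load(BIO *in, STACK_OF(X509) *sk)
{
	int ret;
	X509 *cert;
	ret = 0;
#ifdef CRYPTO_MDEBUG
	CRYPTO_push_info("cert_load(): reading one cert");
#endif
	while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
#ifdef CRYPTO_MDEBUG
		CRYPTO_pop_info();
#endif
		/* sk_push() returns 0 on allocation failure; nobody else
		 * holds the freshly read cert, so release it here. */
		if (!sk_X509_push(sk, cert)) {
			X509_free(cert);
			return 0;
		}
		ret = 1;
#ifdef CRYPTO_MDEBUG
		CRYPTO_push_info("cert_load(): reading one cert");
#endif
	}
#ifdef CRYPTO_MDEBUG
	CRYPTO_pop_info();
#endif
	if(ret) ERR_clear_error();
	return ret;
}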
/* Generalised attribute print: handle PKCS#8 and bag attributes */
/* Print a single attribute value on `out`, chosen by its ASN.1 tag.
 * BMPStrings are narrowed with uni2asc() and printed as text, octet and
 * bit strings as hex; any other tag is reported as unsupported.
 *
 * NOTE(review): the text is written to `out` unescaped, straight from
 * the (untrusted) PKCS#12 file. */
static void print_attr_value(BIO *out, ASN1_TYPE *av)
{
	char *ascii;

	switch(av->type) {
	case V_ASN1_BMPSTRING:
		ascii = uni2asc(av->value.bmpstring->data,
				av->value.bmpstring->length);
		BIO_printf(out, "%s\n", ascii);
		OPENSSL_free(ascii);
		break;

	case V_ASN1_OCTET_STRING:
		hex_prin(out, av->value.octet_string->data,
			 av->value.octet_string->length);
		BIO_printf(out, "\n");
		break;

	case V_ASN1_BIT_STRING:
		hex_prin(out, av->value.bit_string->data,
			 av->value.bit_string->length);
		BIO_printf(out, "\n");
		break;

	default:
		BIO_printf(out, "<Unsupported tag %d>\n", av->type);
		break;
	}
}

/* Print the attribute list `attrlst` on `out` under the heading `name`.
 *
 * A NULL or empty list is reported on one line.  Otherwise each attribute
 * is printed as "<object>: <value>", where the object is shown by long
 * name when known and as a dotted OID otherwise, and only the first value
 * of the attribute's SET is printed.  Always returns 1.
 */
int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,const char *name)
{
	int idx;

	if(!attrlst) {
		BIO_printf(out, "%s: <No Attributes>\n", name);
		return 1;
	}
	if(!sk_X509_ATTRIBUTE_num(attrlst)) {
		BIO_printf(out, "%s: <Empty Attributes>\n", name);
		return 1;
	}
	BIO_printf(out, "%s\n", name);
	for(idx = 0; idx < sk_X509_ATTRIBUTE_num(attrlst); idx++) {
		X509_ATTRIBUTE *attr = sk_X509_ATTRIBUTE_value(attrlst, idx);
		int nid = OBJ_obj2nid(attr->object);

		BIO_printf(out, " ");
		if(nid != NID_undef)
			BIO_printf(out, "%s: ", OBJ_nid2ln(nid));
		else {
			i2a_ASN1_OBJECT (out, attr->object);
			BIO_printf(out, ": ");
		}

		if(!sk_ASN1_TYPE_num(attr->value.set))
			BIO_printf(out, "<No Values>\n");
		else
			print_attr_value(out, sk_ASN1_TYPE_value(attr->value.set, 0));
	}
	return 1;
}
/* Write `len` bytes of `buf` to `out` as upper-case hex, each byte
 * followed by a space; no newline is emitted.  A non-positive `len`
 * prints nothing. */
void hex_prin(BIO *out, unsigned char *buf, int len)
{
	int pos = 0;

	while (pos < len) {
		BIO_printf (out, "%02X ", buf[pos]);
		pos++;
	}
}
#endif