提交 f07fb9b2 编写于 作者: D Dr. Stephen Henson

Add command line password options to the remaining utilities,

amend docs.
上级 1e8f28c4
......@@ -4,6 +4,9 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 2000]
*) Add command line password options to the remaining applications.
[Steve Henson]
*) Bug fix for BN_div_recp() for numerators with an even number of
bits.
[Ulf Möller]
......
......@@ -195,8 +195,8 @@ bad:
BIO_printf(bio_err," -passin arg input file pass phrase\n");
BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -passout arg input file pass phrase\n");
BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err," -passout arg output file pass phrase\n");
BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
BIO_printf(bio_err," -des encrypt PEM output with cbc des\n");
BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
#ifndef NO_IDEA
......
......@@ -79,6 +79,7 @@ int MAIN(int argc, char **argv)
int ret=1;
char *outfile=NULL;
char *inrand=NULL,*dsaparams=NULL;
char *passout = NULL;
BIO *out=NULL,*in=NULL;
EVP_CIPHER *enc=NULL;
......@@ -98,6 +99,22 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-envpassout") == 0)
{
if (--argc < 1) goto bad;
if(!(passout= getenv(*(++argv))))
{
BIO_printf(bio_err,
"Can't read environment variable %s\n",
*argv);
goto bad;
}
}
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
passout= *(++argv);
}
else if (strcmp(*argv,"-rand") == 0)
{
if (--argc < 1) goto bad;
......@@ -188,7 +205,7 @@ bad:
app_RAND_write_file(NULL, bio_err);
if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL,NULL))
if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,PEM_cb, passout))
goto end;
ret=0;
end:
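Review bot: The usage block under `bad:` in this file does not appear to be updated for the new `-passout`/`-envpassout` options: the hunk at @@ -188,7 +205,7 @@ starts below the `bad:` label and no hunk in this section touches the usage text, whereas the genrsa section adds matching option lines. If the usage text really is unchanged, add lines like `BIO_printf(bio_err," -passout arg    output file pass phrase\n");` and `BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");` alongside the existing option lines so the option is discoverable. The `-envpassout` handler (getenv, the same "Can't read environment variable" diagnostic, bail-out) is also repeated verbatim in the genrsa, pkcs12 and spkac sections; a small shared helper in apps.c that returns the value or prints the diagnostic would keep the four copies from drifting. MAIN's body starts and ends outside the hunks shown.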
......
......@@ -84,6 +84,7 @@ int MAIN(int argc, char **argv)
EVP_CIPHER *enc=NULL;
unsigned long f4=RSA_F4;
char *outfile=NULL;
char *passout = NULL;
char *inrand=NULL;
BIO *out=NULL;
......@@ -127,6 +128,22 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-idea") == 0)
enc=EVP_idea_cbc();
#endif
else if (strcmp(*argv,"-envpassout") == 0)
{
if (--argc < 1) goto bad;
if(!(passout= getenv(*(++argv))))
{
BIO_printf(bio_err,
"Can't read environment variable %s\n",
*argv);
goto bad;
}
}
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
passout= *(++argv);
}
else
break;
argv++;
......@@ -136,17 +153,19 @@ int MAIN(int argc, char **argv)
{
bad:
BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n");
BIO_printf(bio_err," -des - encrypt the generated key with DES in cbc mode\n");
BIO_printf(bio_err," -des3 - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
BIO_printf(bio_err," -des encrypt the generated key with DES in cbc mode\n");
BIO_printf(bio_err," -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
#ifndef NO_IDEA
BIO_printf(bio_err," -idea - encrypt the generated key with IDEA in cbc mode\n");
BIO_printf(bio_err," -idea encrypt the generated key with IDEA in cbc mode\n");
#endif
BIO_printf(bio_err," -out file - output the key to 'file\n");
BIO_printf(bio_err," -f4 - use F4 (0x10001) for the E value\n");
BIO_printf(bio_err," -3 - use 3 for the E value\n");
BIO_printf(bio_err," -out file output the key to 'file\n");
BIO_printf(bio_err," -passout arg output file pass phrase\n");
BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
BIO_printf(bio_err," -f4 use F4 (0x10001) for the E value\n");
BIO_printf(bio_err," -3 use 3 for the E value\n");
BIO_printf(bio_err," -rand file:file:...\n");
BIO_printf(bio_err," - load the file (or the files in the directory) into\n");
BIO_printf(bio_err," the random number generator\n");
BIO_printf(bio_err," load the file (or the files in the directory) into\n");
BIO_printf(bio_err," the random number generator\n");
goto err;
}
......@@ -190,7 +209,7 @@ bad:
l+=rsa->e->d[i];
}
BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,NULL,NULL))
if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,PEM_cb, passout))
goto err;
ret=0;
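Review bot: The rewritten `-out` usage line keeps the unbalanced quote of the line it replaces: `BIO_printf(bio_err," -out file       output the key to 'file\n");` prints `'file` with no closing quote; `output the key to 'file'\n` (or dropping both quotes) fixes it, and since this hunk re-aligns every usage line anyway this is the moment to do it. The new `-passout`/`-envpassout` parsing and the `PEM_cb, passout` write call otherwise mirror the gendsa section. MAIN's body starts and ends outside the hunks shown.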
......
......@@ -61,13 +61,12 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include <openssl/crypto.h>
#include <openssl/des.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include "apps.h"
#define PROG pkcs12_main
EVP_CIPHER *enc;
......@@ -80,9 +79,9 @@ EVP_CIPHER *enc;
#define CACERTS 0x10
int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options);
int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options);
int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options);
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
int alg_print(BIO *x, X509_ALGOR *alg);
......@@ -111,6 +110,7 @@ int MAIN(int argc, char **argv)
int noprompt = 0;
STACK *canames = NULL;
char *cpass = NULL, *mpass = NULL;
char *passin = NULL, *passout = NULL;
apps_startup();
......@@ -198,6 +198,36 @@ int MAIN(int argc, char **argv)
args++;
outfile = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-passin")) {
if (args[1]) {
args++;
passin = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-envpassin")) {
if (args[1]) {
args++;
if(!(passin= getenv(*args))) {
BIO_printf(bio_err,
"Can't read environment variable %s\n",
*argv);
badarg = 1;
}
} else badarg = 1;
} else if (!strcmp(*args,"-envpassout")) {
if (args[1]) {
args++;
if(!(passout= getenv(*args))) {
BIO_printf(bio_err,
"Can't read environment variable %s\n",
*argv);
badarg = 1;
}
} else badarg = 1;
} else if (!strcmp(*args,"-passout")) {
if (args[1]) {
args++;
passout = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-envpass")) {
if (args[1]) {
args++;
......@@ -206,7 +236,6 @@ int MAIN(int argc, char **argv)
"Can't read environment variable %s\n", *args);
goto end;
}
noprompt = 1;
} else badarg = 1;
} else if (!strcmp (*args, "-password")) {
if (args[1]) {
......@@ -254,11 +283,22 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-keysig set MS key signature type\n");
BIO_printf (bio_err, "-password p set import/export password (NOT RECOMMENDED)\n");
BIO_printf (bio_err, "-envpass p set import/export password from environment\n");
BIO_printf (bio_err, "-passin p input file pass phrase\n");
BIO_printf (bio_err, "-envpassin p environment variable containing input file pass phrase\n");
BIO_printf (bio_err, "-passout p output file pass phrase\n");
BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n");
goto end;
}
if(cpass) mpass = cpass;
else {
if(!cpass) {
if(export_cert) cpass = passout;
else cpass = passin;
}
if(cpass) {
mpass = cpass;
noprompt = 1;
} else {
cpass = pass;
mpass = macpass;
}
......@@ -337,7 +377,7 @@ int MAIN(int argc, char **argv)
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("process -export_cert");
#endif
key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, NULL);
key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin);
if (!inkey) (void) BIO_reset(in);
else BIO_free(inkey);
if (!key) {
......@@ -504,7 +544,7 @@ int MAIN(int argc, char **argv)
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("output keys and certificates");
#endif
if (!dump_certs_keys_p12 (out, p12, cpass, -1, options)) {
if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
BIO_printf(bio_err, "Error outputting keys and certificates\n");
ERR_print_errors (bio_err);
goto end;
......@@ -524,7 +564,7 @@ int MAIN(int argc, char **argv)
}
int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
int passlen, int options)
int passlen, int options, char *pempass)
{
STACK *asafes, *bags;
int i, bagnid;
......@@ -546,7 +586,7 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
} else continue;
if (!bags) return 0;
if (!dump_certs_pkeys_bags (out, bags, pass, passlen,
options)) {
options, pempass)) {
sk_pop_free (bags, PKCS12_SAFEBAG_free);
return 0;
}
......@@ -557,19 +597,19 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
}
int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
int passlen, int options)
int passlen, int options, char *pempass)
{
int i;
for (i = 0; i < sk_num (bags); i++) {
if (!dump_certs_pkeys_bag (out,
(PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
options)) return 0;
options, pempass)) return 0;
}
return 1;
}
int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
int passlen, int options)
int passlen, int options, char *pempass)
{
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
......@@ -584,7 +624,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
p8 = bag->value.keybag;
if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
print_attribs (out, p8->attributes, "Key Attributes");
PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
EVP_PKEY_free(pkey);
break;
......@@ -600,7 +640,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
print_attribs (out, p8->attributes, "Key Attributes");
PKCS8_PRIV_KEY_INFO_free(p8);
PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
EVP_PKEY_free(pkey);
break;
......@@ -623,7 +663,7 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
print_attribs (out, bag->attrib, "Bag Attributes");
return dump_certs_pkeys_bags (out, bag->value.safes, pass,
passlen, options);
passlen, options, pempass);
default:
BIO_printf (bio_err, "Warning unsupported bag type: ");
......
......@@ -176,22 +176,22 @@ int MAIN(int argc, char **argv)
bad:
BIO_printf(bio_err, "Usage pkcs8 [options]\n");
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-in file input file\n");
BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
BIO_printf(bio_err, "-in file input file\n");
BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
BIO_printf(bio_err, "-passin arg input file pass phrase\n");
BIO_printf(bio_err, "-envpassin arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
BIO_printf(bio_err, "-out file output file\n");
BIO_printf(bio_err, "-passout arg input file pass phrase\n");
BIO_printf(bio_err, "-envpassout arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err, "-topk8 output PKCS8 file\n");
BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n");
BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n");
BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n");
BIO_printf(bio_err, "-noiter use 1 as iteration count\n");
BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n");
BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n");
BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n");
BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
BIO_printf(bio_err, "-out file output file\n");
BIO_printf(bio_err, "-passout arg output file pass phrase\n");
BIO_printf(bio_err, "-envpassout arg environment variable containing outut file pass phrase\n");
BIO_printf(bio_err, "-topk8 output PKCS8 file\n");
BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n");
BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n");
BIO_printf(bio_err, "-nsdb use (nonstandard) DSA Netscape DB format\n");
BIO_printf(bio_err, "-noiter use 1 as iteration count\n");
BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n");
BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n");
BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n");
return (1);
}
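Review bot: The rewritten `-envpassout` usage line carries a typo: `BIO_printf(bio_err, "-envpassout arg environment variable containing outut file pass phrase\n");` should read `output file pass phrase`. Since this hunk already re-aligns the surrounding lines and corrects `-passout`/`-envpassout` from "input" to "output", the fix belongs in the same change. MAIN's body starts outside the hunk shown.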
......
......@@ -201,8 +201,8 @@ bad:
BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -passout arg input file pass phrase\n");
BIO_printf(bio_err," -envpassout arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err," -passout arg output file pass phrase\n");
BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
BIO_printf(bio_err," -des encrypt PEM output with cbc des\n");
BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
#ifndef NO_IDEA
......
......@@ -80,7 +80,7 @@ int MAIN(int argc, char **argv)
int i,badops=0, ret = 1;
BIO *in = NULL,*out = NULL, *key = NULL;
int verify=0,noout=0,pubkey=0;
char *infile = NULL,*outfile = NULL,*prog;
char *infile = NULL,*outfile = NULL,*prog, *passin = NULL;
char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
char *challenge = NULL, *keyfile = NULL;
LHASH *conf = NULL;
......@@ -106,6 +106,22 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passin= *(++argv);
}
else if (strcmp(*argv,"-envpassin") == 0)
{
if (--argc < 1) goto bad;
if(!(passin= getenv(*(++argv))))
{
BIO_printf(bio_err,
"Can't read environment variable %s\n",
*argv);
badops = 1;
}
}
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
......@@ -145,6 +161,8 @@ bad:
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -key arg create SPKAC using private key\n");
BIO_printf(bio_err," -passin arg input file pass phrase\n");
BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
BIO_printf(bio_err," -challenge arg challenge string\n");
BIO_printf(bio_err," -spkac arg alternative SPKAC name\n");
BIO_printf(bio_err," -noout don't print SPKAC\n");
......@@ -163,7 +181,7 @@ bad:
ERR_print_errors(bio_err);
goto end;
}
pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL);
pkey = PEM_read_bio_PrivateKey(key, NULL, PEM_cb, passin);
if(!pkey) {
BIO_printf(bio_err, "Error reading private key\n");
ERR_print_errors(bio_err);
......
......@@ -72,9 +72,9 @@
#include "../bio/bss_file.c"
#endif
const num0 = 100; /* number of tests */
const num1 = 50; /* additional tests for some functions */
const num2 = 5; /* number of tests for slow functions */
const int num0 = 100; /* number of tests */
const int num1 = 50; /* additional tests for some functions */
const int num2 = 5; /* number of tests for slow functions */
int test_add(BIO *bp);
int test_sub(BIO *bp);
......
......@@ -4,11 +4,12 @@
genrsa - generate an RSA private key
=head1 SYNOPSIS
B<openssl> B<genrsa>
[B<-out filename>]
[B<-passout password>]
[B<-envpassout var>]
[B<-des>]
[B<-des3>]
[B<-idea>]
......@@ -25,11 +26,26 @@ The B<genrsa> command generates an RSA private key.
=over 4
=item B<-out filename>
the output filename. If this argument is not specified then standard output is
used.
=item B<-passout password>
the output file password. Since certain utilities like "ps" make the command line
visible this option should be used with caution.
=item B<-envpassout var>
read the output file password from the environment variable B<var>.
=item B<-des|-des3|-idea>
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
IDEA ciphers respectively before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> or B<-envpassout> arguments.
=item B<-F4|-3>
......
......@@ -37,6 +37,10 @@ B<openssl> B<pkcs12>
[B<-keysig>]
[B<-password password>]
[B<-envpass var>]
[B<-passin password>]
[B<-envpassin var>]
[B<-passout password>]
[B<-envpassout var>]
=head1 DESCRIPTION
......@@ -64,15 +68,24 @@ by default.
The filename to write certificates and private keys to, standard output by default.
They are all written in PEM format.
=item B<-pass password>
=item B<-pass password>, B<-passin password>
the PKCS#12 file password. Since certain utilities like "ps" make the command line
visible this option should be used with caution.
the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
the command line visible this option should be used with caution.
=item B<-envpass var>
=item B<-envpass var>, B<-envpassin password>
read the PKCS#12 file password from the environment variable B<var>.
=item B<-passout password>
pass phrase to encrypt any outputed private keys with. Since certain utilities like
"ps" make the command line visible this option should be used with caution.
=item B<-envpass var>, B<-envpassin password>
read the outputed private keys file password from the environment variable B<var>.
=item B<-noout>
this option inhibits output of the keys and certificates to the output file version
......@@ -169,15 +182,24 @@ used multiple times to specify names for all certificates in the order they
appear. Netscape ignores friendly names on other certificates whereas MSIE
displays them.
=item B<-pass password>
=item B<-pass password>, B<-passout password>
the PKCS#12 file password. Since certain utilities like "ps" make the command line
visible this option should be used with caution.
the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
make the command line visible this option should be used with caution.
=item B<-envpass var>
=item B<-envpass var>, B<-envpassout var>
read the PKCS#12 file password from the environment variable B<var>.
=item B<-passin password>
pass phrase to decrypt the input private key with. Since certain utilities like
"ps" make the command line visible this option should be used with caution.
=item B<-envpassin password>
read the input private key file password from the environment variable B<var>.
=item B<-chain>
if this option is present then an attempt is made to include the entire
......@@ -277,9 +299,6 @@ Include some extra certificates:
Some would argue that the PKCS#12 standard is one big bug :-)
Need password options for the PEM files: this will probably be fixed before
release.
=head1 SEE ALSO
L<pkcs8(1)|pkcs8(1)>
......
......@@ -10,6 +10,8 @@ B<openssl> B<spkac>
[B<-in filename>]
[B<-out filename>]
[B<-key keyfile>]
[B<-passin password>]
[B<-envpassin var>]
[B<-challenge string>]
[B<-pubkey>]
[B<-spkac spkacname>]
......@@ -44,6 +46,17 @@ create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
=item B<-passin password>
the private key file password. Since certain utilities like "ps" make the
command line visible this option should be used with caution. Ignored if
the B<-key> argument is not used.
=item B<-envpassin var>
read the private key file password from the environment variable B<var>.
Ignored if the B<-key> argument is not used.
=item B<-challenge string>
specifies the challenge string if an SPKAC is being created.
......