pkcs12.c 23.9 KB
Newer Older
1
/* pkcs12.c */
B
Bodo Möller 已提交
2 3
#if !defined(NO_DES) && !defined(NO_SHA1)

4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
64
#include "apps.h"
65
#include <openssl/crypto.h>
66
#include <openssl/err.h>
67
#include <openssl/pem.h>
68
#include <openssl/pkcs12.h>
69 70 71 72 73 74 75 76 77 78 79 80

#define PROG pkcs12_main

EVP_CIPHER *enc;


#define NOKEYS		0x1
#define NOCERTS 	0x2
#define INFO		0x4
#define CLCERTS		0x8
#define CACERTS		0x10

81
int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
82 83 84
int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
85
int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
86 87
void hex_prin(BIO *out, unsigned char *buf, int len);
int alg_print(BIO *x, X509_ALGOR *alg);
88
int cert_load(BIO *in, STACK_OF(X509) *sk);
89 90 91

int MAIN(int, char **);

U
Ulf Möller 已提交
92
int MAIN(int argc, char **argv)
93 94 95 96 97 98 99 100 101 102 103 104
{
    char *infile=NULL, *outfile=NULL, *keyname = NULL;	
    char *certfile=NULL;
    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
    char **args;
    char *name = NULL;
    PKCS12 *p12 = NULL;
    char pass[50], macpass[50];
    int export_cert = 0;
    int options = 0;
    int chain = 0;
    int badarg = 0;
105
    int iter = PKCS12_DEFAULT_ITER;
106
    int maciter = PKCS12_DEFAULT_ITER;
107 108 109
    int twopass = 0;
    int keytype = 0;
    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
110
    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
111 112
    int ret = 1;
    int macver = 1;
113
    int noprompt = 0;
114
    STACK *canames = NULL;
115
    char *cpass = NULL, *mpass = NULL;
116
    char *passin = NULL, *passout = NULL;
117
    char *inrand = NULL;
118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148

    apps_startup();

    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

    args = argv + 1;


    while (*args) {
	if (*args[0] == '-') {
		if (!strcmp (*args, "-nokeys")) options |= NOKEYS;
		else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;
		else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;
		else if (!strcmp (*args, "-nocerts")) options |= NOCERTS;
		else if (!strcmp (*args, "-clcerts")) options |= CLCERTS;
		else if (!strcmp (*args, "-cacerts")) options |= CACERTS;
		else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS);
		else if (!strcmp (*args, "-info")) options |= INFO;
		else if (!strcmp (*args, "-chain")) chain = 1;
		else if (!strcmp (*args, "-twopass")) twopass = 1;
		else if (!strcmp (*args, "-nomacver")) macver = 0;
		else if (!strcmp (*args, "-descert"))
    			cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
		else if (!strcmp (*args, "-export")) export_cert = 1;
		else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
#ifndef NO_IDEA
		else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
#endif
		else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
		else if (!strcmp (*args, "-noiter")) iter = 1;
149 150
		else if (!strcmp (*args, "-maciter"))
					 maciter = PKCS12_DEFAULT_ITER;
151 152
		else if (!strcmp (*args, "-nomaciter"))
					 maciter = 1;
153
		else if (!strcmp (*args, "-nodes")) enc=NULL;
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173
		else if (!strcmp (*args, "-certpbe")) {
			if (args[1]) {
				args++;
				cert_pbe=OBJ_txt2nid(*args);
				if(cert_pbe == NID_undef) {
					BIO_printf(bio_err,
						 "Unknown PBE algorithm %s\n", *args);
					badarg = 1;
				}
			} else badarg = 1;
		} else if (!strcmp (*args, "-keypbe")) {
			if (args[1]) {
				args++;
				key_pbe=OBJ_txt2nid(*args);
				if(key_pbe == NID_undef) {
					BIO_printf(bio_err,
						 "Unknown PBE algorithm %s\n", *args);
					badarg = 1;
				}
			} else badarg = 1;
174 175 176 177 178
		} else if (!strcmp (*args, "-rand")) {
		    if (args[1]) {
			args++;	
			inrand = *args;
		    } else badarg = 1;
179
		} else if (!strcmp (*args, "-inkey")) {
180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209
		    if (args[1]) {
			args++;	
			keyname = *args;
		    } else badarg = 1;
		} else if (!strcmp (*args, "-certfile")) {
		    if (args[1]) {
			args++;	
			certfile = *args;
		    } else badarg = 1;
		} else if (!strcmp (*args, "-name")) {
		    if (args[1]) {
			args++;	
			name = *args;
		    } else badarg = 1;
		} else if (!strcmp (*args, "-caname")) {
		    if (args[1]) {
			args++;	
			if (!canames) canames = sk_new(NULL);
			sk_push(canames, *args);
		    } else badarg = 1;
		} else if (!strcmp (*args, "-in")) {
		    if (args[1]) {
			args++;	
			infile = *args;
		    } else badarg = 1;
		} else if (!strcmp (*args, "-out")) {
		    if (args[1]) {
			args++;	
			outfile = *args;
		    } else badarg = 1;
210 211 212 213 214 215 216 217 218 219 220
		} else if (!strcmp(*args,"-passin")) {
		    if (args[1]) {
			args++;	
			passin = *args;
		    } else badarg = 1;
		} else if (!strcmp(*args,"-envpassin")) {
		    if (args[1]) {
			args++;	
			if(!(passin= getenv(*args))) {
				BIO_printf(bio_err,
				 "Can't read environment variable %s\n",
221
								*args);
222 223 224 225 226 227 228 229 230
				badarg = 1;
			}
		    } else badarg = 1;
		} else if (!strcmp(*args,"-envpassout")) {
		    if (args[1]) {
			args++;	
			if(!(passout= getenv(*args))) {
				BIO_printf(bio_err,
				 "Can't read environment variable %s\n",
231
								*args);
232 233 234 235 236 237 238 239
				badarg = 1;
			}
		    } else badarg = 1;
		} else if (!strcmp(*args,"-passout")) {
		    if (args[1]) {
			args++;	
			passout = *args;
		    } else badarg = 1;
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254
		} else if (!strcmp (*args, "-envpass")) {
		    if (args[1]) {
			args++;	
			if(!(cpass = getenv(*args))) {
				BIO_printf(bio_err,
				 "Can't read environment variable %s\n", *args);
				goto end;
			}
		    } else badarg = 1;
		} else if (!strcmp (*args, "-password")) {
		    if (args[1]) {
			args++;	
			cpass = *args;
		    	noprompt = 1;
		    } else badarg = 1;
255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288
		} else badarg = 1;

	} else badarg = 1;
	args++;
    }

    if (badarg) {
	BIO_printf (bio_err, "Usage: pkcs12 [options]\n");
	BIO_printf (bio_err, "where options are\n");
	BIO_printf (bio_err, "-export       output PKCS12 file\n");
	BIO_printf (bio_err, "-chain        add certificate chain\n");
	BIO_printf (bio_err, "-inkey file   private key if not infile\n");
	BIO_printf (bio_err, "-certfile f   add all certs in f\n");
	BIO_printf (bio_err, "-name \"name\"  use name as friendly name\n");
	BIO_printf (bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
	BIO_printf (bio_err, "-in  infile   input filename\n");
	BIO_printf (bio_err, "-out outfile  output filename\n");
	BIO_printf (bio_err, "-noout        don't output anything, just verify.\n");
	BIO_printf (bio_err, "-nomacver     don't verify MAC.\n");
	BIO_printf (bio_err, "-nocerts      don't output certificates.\n");
	BIO_printf (bio_err, "-clcerts      only output client certificates.\n");
	BIO_printf (bio_err, "-cacerts      only output CA certificates.\n");
	BIO_printf (bio_err, "-nokeys       don't output private keys.\n");
	BIO_printf (bio_err, "-info         give info about PKCS#12 structure.\n");
	BIO_printf (bio_err, "-des          encrypt private keys with DES\n");
	BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");
#ifndef NO_IDEA
	BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");
#endif
	BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
	BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
	BIO_printf (bio_err, "-maciter      use MAC iteration\n");
	BIO_printf (bio_err, "-twopass      separate MAC, encryption passwords\n");
	BIO_printf (bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
289 290
	BIO_printf (bio_err, "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");
	BIO_printf (bio_err, "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");
291 292
	BIO_printf (bio_err, "-keyex        set MS key exchange type\n");
	BIO_printf (bio_err, "-keysig       set MS key signature type\n");
293 294
	BIO_printf (bio_err, "-password p   set import/export password (NOT RECOMMENDED)\n");
	BIO_printf (bio_err, "-envpass p    set import/export password from environment\n");
295 296 297 298
	BIO_printf (bio_err, "-passin p     input file pass phrase\n");
	BIO_printf (bio_err, "-envpassin p  environment variable containing input file pass phrase\n");
	BIO_printf (bio_err, "-passout p    output file pass phrase\n");
	BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n");
299 300 301
	BIO_printf(bio_err,  "-rand file:file:...\n");
	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
	BIO_printf(bio_err,  "              the random number generator\n");
302 303 304
    	goto end;
    }

305 306 307 308 309 310 311 312 313
    if(!cpass) {
    	if(export_cert) cpass = passout;
    	else cpass = passin;
    }

    if(cpass) {
	mpass = cpass;
	noprompt = 1;
    } else {
314 315 316 317
	cpass = pass;
	mpass = macpass;
    }

318 319 320 321 322 323
    if(export_cert || inrand) {
    	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
        if (inrand != NULL)
		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
			app_RAND_load_files(inrand));
    }
324 325
    ERR_load_crypto_strings();

326 327 328 329
#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read files");
#endif

D
Dr. Stephen Henson 已提交
330 331 332 333 334
    if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);
    else in = BIO_new_file(infile, "rb");
    if (!in) {
	    BIO_printf(bio_err, "Error opening input file %s\n",
						infile ? infile : "<stdin>");
335 336
	    perror (infile);
	    goto end;
D
Dr. Stephen Henson 已提交
337
   }
338 339

   if (certfile) {
D
Dr. Stephen Henson 已提交
340 341
    	if(!(certsin = BIO_new_file(certfile, "r"))) {
	    BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
342 343 344 345 346 347
	    perror (certfile);
	    goto end;
	}
    }

    if (keyname) {
D
Dr. Stephen Henson 已提交
348 349
    	if(!(inkey = BIO_new_file(keyname, "r"))) {
	    BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);
350 351 352 353 354
	    perror (keyname);
	    goto end;
	}
     }

355 356 357 358 359
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
    CRYPTO_push_info("write files");
#endif

D
Dr. Stephen Henson 已提交
360 361 362 363 364 365 366
    if (!outfile) out = BIO_new_fp(stdout, BIO_NOCLOSE);
    else out = BIO_new_file(outfile, "wb");
    if (!out) {
	BIO_printf(bio_err, "Error opening output file %s\n",
						outfile ? outfile : "<stdout>");
	perror (outfile);
	goto end;
367 368
    }
    if (twopass) {
369 370 371
#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read MAC password");
#endif
D
Dr. Stephen Henson 已提交
372 373
	if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
	{
374 375 376
    	    BIO_printf (bio_err, "Can't read Password\n");
    	    goto end;
       	}
377 378 379
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
#endif
380 381
    }

382
    if (export_cert) {
383 384 385 386 387
	EVP_PKEY *key;
	STACK *bags, *safes;
	PKCS12_SAFEBAG *bag;
	PKCS8_PRIV_KEY_INFO *p8;
	PKCS7 *authsafe;
388
	X509 *ucert = NULL;
389
	STACK_OF(X509) *certs=NULL;
390
	char *catmp;
D
Dr. Stephen Henson 已提交
391
	int i;
392
	unsigned char keyid[EVP_MAX_MD_SIZE];
D
Dr. Stephen Henson 已提交
393
	unsigned int keyidlen = 0;
394 395 396 397

#ifdef CRYPTO_MDEBUG
	CRYPTO_push_info("process -export_cert");
#endif
398
	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin);
D
Dr. Stephen Henson 已提交
399
	if (!inkey) (void) BIO_reset(in);
400
	else BIO_free(inkey);
401 402 403 404 405 406
	if (!key) {
		BIO_printf (bio_err, "Error loading private key\n");
		ERR_print_errors(bio_err);
		goto end;
	}

407
	certs = sk_X509_new(NULL);
408 409 410 411 412 413 414

	/* Load in all certs in input file */
	if(!cert_load(in, certs)) {
		BIO_printf(bio_err, "Error loading certificates from input\n");
		ERR_print_errors(bio_err);
		goto end;
	}
D
Dr. Stephen Henson 已提交
415 416 417 418

	for(i = 0; i < sk_X509_num(certs); i++) {
		ucert = sk_X509_value(certs, i);
		if(X509_check_private_key(ucert, key)) {
419
			X509_digest(ucert, EVP_sha1(), keyid, &keyidlen);
D
Dr. Stephen Henson 已提交
420 421 422 423 424 425 426 427
			break;
		}
	}

	if(!keyidlen) {
		BIO_printf(bio_err, "No certificate matches private key\n");
		goto end;
	}
428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443
	
	bags = sk_new (NULL);

	/* Add any more certificates asked for */
	if (certsin) {
		if(!cert_load(certsin, certs)) {
			BIO_printf(bio_err, "Error loading certificates from certfile\n");
			ERR_print_errors(bio_err);
			goto end;
		}
	    	BIO_free(certsin);
 	}

	/* If chaining get chain from user cert */
	if (chain) {
        	int vret;
444
		STACK_OF(X509) *chain2;
B
Ben Laurie 已提交
445
		vret = get_cert_chain (ucert, &chain2);
446 447 448 449 450 451
		if (vret) {
			BIO_printf (bio_err, "Error %s getting chain.\n",
					X509_verify_cert_error_string(vret));
			goto end;
		}
		/* Exclude verified certificate */
452 453 454
		for (i = 1; i < sk_X509_num (chain2) ; i++) 
				 sk_X509_push(certs, sk_X509_value (chain2, i));
		sk_X509_free(chain2);
455 456 457 458
			
    	}

	/* We now have loads of certificates: include them all */
459
	for(i = 0; i < sk_X509_num(certs); i++) {
460
		X509 *cert = NULL;
461
		cert = sk_X509_value(certs, i);
462
		bag = M_PKCS12_x5092certbag(cert);
D
Dr. Stephen Henson 已提交
463
		/* If it matches private key set id */
464 465 466 467 468 469 470
		if(cert == ucert) {
			if(name) PKCS12_add_friendlyname(bag, name, -1);
			PKCS12_add_localkeyid(bag, keyid, keyidlen);
		} else if((catmp = sk_shift(canames))) 
				PKCS12_add_friendlyname(bag, catmp, -1);
		sk_push(bags, (char *)bag);
	}
471
	sk_X509_pop_free(certs, X509_free);
472 473
	if (canames) sk_free(canames);

474 475
	if(!noprompt &&
		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
476 477 478 479 480
	    BIO_printf (bio_err, "Can't read Password\n");
	    goto end;
        }
	if (!twopass) strcpy(macpass, pass);
	/* Turn certbags into encrypted authsafe */
D
Dr. Stephen Henson 已提交
481
	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
482 483 484 485 486 487 488 489 490 491 492 493 494 495 496
								 iter, bags);
	sk_pop_free(bags, PKCS12_SAFEBAG_free);

	if (!authsafe) {
		ERR_print_errors (bio_err);
		goto end;
	}

	safes = sk_new (NULL);
	sk_push (safes, (char *)authsafe);

	/* Make a shrouded key bag */
	p8 = EVP_PKEY2PKCS8 (key);
	EVP_PKEY_free(key);
	if(keytype) PKCS8_add_keyusage(p8, keytype);
497
	bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
498 499
	PKCS8_PRIV_KEY_INFO_free(p8);
        if (name) PKCS12_add_friendlyname (bag, name, -1);
D
Dr. Stephen Henson 已提交
500
	PKCS12_add_localkeyid (bag, keyid, keyidlen);
501 502 503 504 505 506 507 508 509 510 511 512 513
	bags = sk_new(NULL);
	sk_push (bags, (char *)bag);
	/* Turn it into unencrypted safe bag */
	authsafe = PKCS12_pack_p7data (bags);
	sk_pop_free(bags, PKCS12_SAFEBAG_free);
	sk_push (safes, (char *)authsafe);

	p12 = PKCS12_init (NID_pkcs7_data);

	M_PKCS12_pack_authsafes (p12, safes);

	sk_pop_free(safes, PKCS7_free);

514
	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
515 516 517 518 519 520

	i2d_PKCS12_bio (out, p12);

	PKCS12_free(p12);

	ret = 0;
521 522 523 524

#ifdef CRYPTO_MDEBUG
	CRYPTO_pop_info();
#endif
525 526
	goto end;
	
527
    }
528 529 530 531 532 533

    if (!(p12 = d2i_PKCS12_bio (in, NULL))) {
	ERR_print_errors(bio_err);
	goto end;
    }

534 535 536
#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read import password");
#endif
537
    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
538 539 540
	BIO_printf (bio_err, "Can't read Password\n");
	goto end;
    }
541 542 543
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
#endif
544 545 546 547 548

    if (!twopass) strcpy(macpass, pass);

    if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
    if(macver) {
549 550 551
#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("verify MAC");
#endif
552
	if (!PKCS12_verify_mac (p12, mpass, -1)) {
U
Ulf Möller 已提交
553
	    BIO_printf (bio_err, "Mac verify error: invalid password?\n");
554 555 556
	    ERR_print_errors (bio_err);
	    goto end;
	} else BIO_printf (bio_err, "MAC verified OK\n");
557 558 559
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
#endif
560 561
    }

562 563 564
#ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("output keys and certificates");
#endif
565
    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
566 567 568 569
	BIO_printf(bio_err, "Error outputting keys and certificates\n");
	ERR_print_errors (bio_err);
	goto end;
    }
570 571 572
#ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
#endif
573 574 575
    PKCS12_free(p12);
    ret = 0;
    end:
576
    if(export_cert || inrand) app_RAND_write_file(NULL, bio_err);
577 578 579 580
#ifdef CRYPTO_MDEBUG
    CRYPTO_remove_all_info();
#endif
    BIO_free(in);
581
    BIO_free(out);
582 583 584
    EXIT(ret);
}

B
Ben Laurie 已提交
585
int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
586
	     int passlen, int options, char *pempass)
587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607
{
	STACK *asafes, *bags;
	int i, bagnid;
	PKCS7 *p7;
	if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
	for (i = 0; i < sk_num (asafes); i++) {
		p7 = (PKCS7 *) sk_value (asafes, i);
		bagnid = OBJ_obj2nid (p7->type);
		if (bagnid == NID_pkcs7_data) {
			bags = M_PKCS12_unpack_p7data (p7);
			if (options & INFO) BIO_printf (bio_err, "PKCS7 Data\n");
		} else if (bagnid == NID_pkcs7_encrypted) {
			if (options & INFO) {
				BIO_printf (bio_err, "PKCS7 Encrypted data: ");
				alg_print (bio_err, 
					p7->d.encrypted->enc_data->algorithm);
			}
			bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
		} else continue;
		if (!bags) return 0;
	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
608
						 options, pempass)) {
609 610 611 612 613 614 615 616 617
			sk_pop_free (bags, PKCS12_SAFEBAG_free);
			return 0;
		}
		sk_pop_free (bags, PKCS12_SAFEBAG_free);
	}
	sk_pop_free (asafes, PKCS7_free);
	return 1;
}

B
Ben Laurie 已提交
618
int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
619
	     int passlen, int options, char *pempass)
620 621 622 623 624
{
	int i;
	for (i = 0; i < sk_num (bags); i++) {
		if (!dump_certs_pkeys_bag (out,
			 (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
625
					 	options, pempass)) return 0;
626 627 628 629
	}
	return 1;
}

B
Ben Laurie 已提交
630
int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
631
	     int passlen, int options, char *pempass)
632 633 634 635 636 637 638 639 640 641 642 643 644 645
{
	EVP_PKEY *pkey;
	PKCS8_PRIV_KEY_INFO *p8;
	X509 *x509;
	
	switch (M_PKCS12_bag_type(bag))
	{
	case NID_keyBag:
		if (options & INFO) BIO_printf (bio_err, "Key bag\n");
		if (options & NOKEYS) return 1;
		print_attribs (out, bag->attrib, "Bag Attributes");
		p8 = bag->value.keybag;
		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
		print_attribs (out, p8->attributes, "Key Attributes");
646
		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
647 648 649 650 651 652 653 654 655 656 657 658 659 660 661
		EVP_PKEY_free(pkey);
	break;

	case NID_pkcs8ShroudedKeyBag:
		if (options & INFO) {
			BIO_printf (bio_err, "Shrouded Keybag: ");
			alg_print (bio_err, bag->value.shkeybag->algor);
		}
		if (options & NOKEYS) return 1;
		print_attribs (out, bag->attrib, "Bag Attributes");
		if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
				return 0;
		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
		print_attribs (out, p8->attributes, "Key Attributes");
		PKCS8_PRIV_KEY_INFO_free(p8);
662
		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684
		EVP_PKEY_free(pkey);
	break;

	case NID_certBag:
		if (options & INFO) BIO_printf (bio_err, "Certificate bag\n");
		if (options & NOCERTS) return 1;
                if (PKCS12_get_attr(bag, NID_localKeyID)) {
			if (options & CACERTS) return 1;
		} else if (options & CLCERTS) return 1;
		print_attribs (out, bag->attrib, "Bag Attributes");
		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
								 return 1;
		if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
		dump_cert_text (out, x509);
		PEM_write_bio_X509 (out, x509);
		X509_free(x509);
	break;

	case NID_safeContentsBag:
		if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
		print_attribs (out, bag->attrib, "Bag Attributes");
		return dump_certs_pkeys_bags (out, bag->value.safes, pass,
685
							    passlen, options, pempass);
686 687 688 689 690 691 692 693 694 695 696 697 698 699 700
					
	default:
		BIO_printf (bio_err, "Warning unsupported bag type: ");
		i2a_ASN1_OBJECT (bio_err, bag->type);
		BIO_printf (bio_err, "\n");
		return 1;
	break;
	}
	return 1;
}

/* Given a single certificate return a verified chain or NULL if error */

/* Hope this is OK .... */

701
int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
702 703 704
{
	X509_STORE *store;
	X509_STORE_CTX store_ctx;
705
	STACK_OF(X509) *chn;
706
	int i;
707

708 709 710 711 712 713 714
	store = X509_STORE_new ();
	X509_STORE_set_default_paths (store);
	X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
	if (X509_verify_cert(&store_ctx) <= 0) {
		i = X509_STORE_CTX_get_error (&store_ctx);
		goto err;
	}
715
	chn =  X509_STORE_CTX_rget_chain(&store_ctx);
716 717 718 719 720 721 722 723 724
	i = 0;
	*chain = chn;
err:
	X509_STORE_CTX_cleanup(&store_ctx);
	X509_STORE_free(store);
	
	return i;
}	

U
Ulf Möller 已提交
725
int alg_print (BIO *x, X509_ALGOR *alg)
726 727 728 729 730 731 732 733 734 735 736 737 738
{
	PBEPARAM *pbe;
	unsigned char *p;
	p = alg->parameter->value.sequence->data;
	pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length);
	BIO_printf (bio_err, "%s, Iteration %d\n", 
	OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter));
	PBEPARAM_free (pbe);
	return 0;
}

/* Load all certificates from a given file */

739
int cert_load(BIO *in, STACK_OF(X509) *sk)
740 741 742 743
{
	int ret;
	X509 *cert;
	ret = 0;
744
	while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
745
		ret = 1;
746
		sk_X509_push(sk, cert);
747 748 749 750 751 752 753
	}
	if(ret) ERR_clear_error();
	return ret;
}

/* Generalised attribute print: handle PKCS#8 and bag attributes */

754
int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name)
755 756 757 758 759 760 761 762 763
{
	X509_ATTRIBUTE *attr;
	ASN1_TYPE *av;
	char *value;
	int i, attr_nid;
	if(!attrlst) {
		BIO_printf(out, "%s: <No Attributes>\n", name);
		return 1;
	}
764
	if(!sk_X509_ATTRIBUTE_num(attrlst)) {
765 766 767 768
		BIO_printf(out, "%s: <Empty Attributes>\n", name);
		return 1;
	}
	BIO_printf(out, "%s\n", name);
769 770
	for(i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
		attr = sk_X509_ATTRIBUTE_value(attrlst, i);
771 772 773 774 775 776 777
		attr_nid = OBJ_obj2nid(attr->object);
		BIO_printf(out, "    ");
		if(attr_nid == NID_undef) {
			i2a_ASN1_OBJECT (out, attr->object);
			BIO_printf(out, ": ");
		} else BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));

B
Ben Laurie 已提交
778 779
		if(sk_ASN1_TYPE_num(attr->value.set)) {
			av = sk_ASN1_TYPE_value(attr->value.set, 0);
780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808
			switch(av->type) {
				case V_ASN1_BMPSTRING:
        			value = uni2asc(av->value.bmpstring->data,
                                	       av->value.bmpstring->length);
				BIO_printf(out, "%s\n", value);
				Free(value);
				break;

				case V_ASN1_OCTET_STRING:
				hex_prin(out, av->value.bit_string->data,
					av->value.bit_string->length);
				BIO_printf(out, "\n");	
				break;

				case V_ASN1_BIT_STRING:
				hex_prin(out, av->value.octet_string->data,
					av->value.octet_string->length);
				BIO_printf(out, "\n");	
				break;

				default:
					BIO_printf(out, "<Unsupported tag %d>\n", av->type);
				break;
			}
		} else BIO_printf(out, "<No Values>\n");
	}
	return 1;
}

U
Ulf Möller 已提交
809
void hex_prin(BIO *out, unsigned char *buf, int len)
810 811 812 813
{
	int i;
	for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]);
}
B
Bodo Möller 已提交
814 815

#endif