void writePublicKey( EVP_PKEY* evpKey, char* rawBuffer, const std::size_t buffSize ){
std::memset( rawBuffer, 0, buffSize );
BIO* buff = BIO_new( BIO_s_mem() );
PEM_write_bio_PUBKEY( buff, evpKey );
BIO_read( buff, rawBuffer, buffSize );
BIO_free( buff );
}
PyObject *
get_key_pem_public(const struct ndn_pkey *key_ndn)
{
unsigned long err;
BIO *bio;
BUF_MEM *bufmem;
int r;
PyObject *py_res;
bio = BIO_new(BIO_s_mem());
JUMP_IF_NULL(bio, openssl_error);
r = PEM_write_bio_PUBKEY(bio, (EVP_PKEY *) key_ndn);
if (!r)
goto openssl_error;
BIO_get_mem_ptr(bio, &bufmem);
py_res = PyBytes_FromStringAndSize(bufmem->data, bufmem->length);
r = BIO_free(bio);
if (!r)
goto openssl_error;
return py_res;
openssl_error:
err = ERR_get_error();
PyErr_Format(g_PyExc_NDNKeyError, "Unable to obtain PEM: %s",
ERR_reason_error_string(err));
BIO_free(bio);
return NULL;
}
std::string PublicKey::getPemEncoded()
throw (EncodeException)
{
BIO *buffer;
int ndata, wrote;
std::string ret;
ByteArray *retTemp;
unsigned char *data;
buffer = BIO_new(BIO_s_mem());
if (buffer == NULL)
{
throw EncodeException(EncodeException::BUFFER_CREATING, "PublicKey::getPemEncoded");
}
wrote = PEM_write_bio_PUBKEY(buffer, this->key);
if (!wrote)
{
BIO_free(buffer);
throw EncodeException(EncodeException::PEM_ENCODE, "PublicKey::getPemEncoded");
}
ndata = BIO_get_mem_data(buffer, &data);
if (ndata <= 0)
{
BIO_free(buffer);
throw EncodeException(EncodeException::BUFFER_READING, "PublicKey::getPemEncoded");
}
retTemp = new ByteArray(data, ndata);
ret = retTemp->toString();
delete retTemp;
BIO_free(buffer);
return ret;
}
int main(int argc, char *argv[])
{
const char *cert_filename = "ecc_server.crt";
BIO *cert_bio = NULL;
BIO *out_bio = NULL;
X509 *cert = NULL;
EVP_PKEY *pkey = NULL;
int ret;
OpenSSL_add_all_algorithms();
ERR_load_BIO_strings();
ERR_load_crypto_strings();
cert_bio = BIO_new(BIO_s_file());
out_bio = BIO_new_fp(stdout, BIO_NOCLOSE);
ret = BIO_read_filename(cert_bio, cert_filename);
if (!(cert = PEM_read_bio_X509(cert_bio, NULL, 0, NULL)))
{
BIO_printf(out_bio, "Error loading cert into memory\n");
exit(-1);
}
if ((pkey = X509_get_pubkey(cert)) == NULL)
BIO_printf(out_bio, "Error getting public key from certificate\n");
if (pkey)
{
switch (EVP_PKEY_id(pkey))
{
case EVP_PKEY_RSA:
BIO_printf(out_bio, "%d bit RSA Key\n\n", EVP_PKEY_bits(pkey));
break;
case EVP_PKEY_DSA:
BIO_printf(out_bio, "%d bit DSA Key\n\n", EVP_PKEY_bits(pkey));
break;
default:
BIO_printf(out_bio, "%d bit non-RSA/DSA\n\n", EVP_PKEY_bits(pkey));
break;
}
}
if (!PEM_write_bio_PUBKEY(out_bio, pkey))
BIO_printf(out_bio, "Error writing public key data in PEM format\n");
EVP_PKEY_free(pkey);
X509_free(cert);
BIO_free_all(cert_bio);
BIO_free_all(out_bio);
return 0;
}
TEST(SignTest, TestLoadValidPemKeys)
{
ScopedEVP_PKEY private_key(nullptr, EVP_PKEY_free);
ScopedEVP_PKEY public_key(nullptr, EVP_PKEY_free);
ScopedBIO bio_private_key_enc(BIO_new(BIO_s_mem()), BIO_free);
ASSERT_TRUE(!!bio_private_key_enc);
ScopedBIO bio_private_key_noenc(BIO_new(BIO_s_mem()), BIO_free);
ASSERT_TRUE(!!bio_private_key_noenc);
ScopedBIO bio_public_key(BIO_new(BIO_s_mem()), BIO_free);
ASSERT_TRUE(!!bio_public_key);
// Generate keys
ASSERT_TRUE(generate_keys(private_key, public_key));
// Write keys
ASSERT_TRUE(PEM_write_bio_PrivateKey(bio_private_key_enc.get(),
private_key.get(), EVP_des_ede3_cbc(),
nullptr, 0, nullptr,
const_cast<char *>("testing")));
ASSERT_TRUE(PEM_write_bio_PrivateKey(bio_private_key_noenc.get(),
private_key.get(), nullptr, nullptr, 0,
nullptr, nullptr));
ASSERT_TRUE(PEM_write_bio_PUBKEY(bio_public_key.get(), public_key.get()));
// Read back the keys
ScopedEVP_PKEY private_key_enc_read(mb::sign::load_private_key(
bio_private_key_enc.get(), mb::sign::KEY_FORMAT_PEM, "testing"),
EVP_PKEY_free);
ASSERT_TRUE(!!private_key_enc_read);
ScopedEVP_PKEY private_key_noenc_read(mb::sign::load_private_key(
bio_private_key_noenc.get(), mb::sign::KEY_FORMAT_PEM, nullptr),
EVP_PKEY_free);
ASSERT_TRUE(!!private_key_noenc_read);
ScopedEVP_PKEY public_key_read(mb::sign::load_public_key(
bio_public_key.get(), mb::sign::KEY_FORMAT_PEM, "testing"),
EVP_PKEY_free);
ASSERT_TRUE(!!public_key_read);
// Compare keys
ASSERT_EQ(EVP_PKEY_cmp(private_key.get(), private_key_enc_read.get()), 1);
ASSERT_EQ(EVP_PKEY_cmp(private_key.get(), private_key_noenc_read.get()), 1);
ASSERT_EQ(EVP_PKEY_cmp(public_key.get(), public_key_read.get()), 1);
}
/**
* Extract public key in PEM format.
*/
static int meth_pubkey(lua_State* L)
{
char* data;
long bytes;
int ret = 1;
X509* cert = lsec_checkx509(L, 1);
BIO *bio = BIO_new(BIO_s_mem());
EVP_PKEY *pkey = X509_get_pubkey(cert);
if(PEM_write_bio_PUBKEY(bio, pkey)) {
bytes = BIO_get_mem_data(bio, &data);
if (bytes > 0) {
lua_pushlstring(L, data, bytes);
switch(EVP_PKEY_type(pkey->type)) {
case EVP_PKEY_RSA:
lua_pushstring(L, "RSA");
break;
case EVP_PKEY_DSA:
lua_pushstring(L, "DSA");
break;
case EVP_PKEY_DH:
lua_pushstring(L, "DH");
break;
case EVP_PKEY_EC:
lua_pushstring(L, "EC");
break;
default:
lua_pushstring(L, "Unknown");
break;
}
lua_pushinteger(L, EVP_PKEY_bits(pkey));
ret = 3;
}
else
lua_pushnil(L);
}
else
lua_pushnil(L);
/* Cleanup */
BIO_free(bio);
EVP_PKEY_free(pkey);
return ret;
}
//Get key from a cert file, return string
std::string get_key_from_certfile(const char* certfile) {
BIO* certbio = NULL;
certbio = BIO_new_file(certfile, "r");
X509* cert = NULL;
cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
EVP_PKEY* key = NULL;
key = X509_get_pubkey(cert);
BIO* out = NULL;
out = BIO_new(BIO_s_mem());
PEM_write_bio_PUBKEY(out, key);
std::string pubkey_str;
for(;;) {
char s[256];
int l = BIO_read(out,s,sizeof(s));
if(l <= 0) break;
pubkey_str.append(s,l);;
}
EVP_PKEY_free(key);
X509_free(cert);
BIO_free_all(certbio);
BIO_free_all(out);
if(!pubkey_str.empty()) {
std::size_t pos = pubkey_str.find("BEGIN PUBLIC KEY");
if(pos != std::string::npos) {
std::size_t pos1 = pubkey_str.find_first_of("---", pos);
std::size_t pos2 = pubkey_str.find_first_not_of("-", pos1);
std::size_t pos3 = pubkey_str.find_first_of("---", pos2);
std::string str = pubkey_str.substr(pos2+1, pos3-pos2-2);
return str;
}
return ("");
}
return pubkey_str;
}
int
spkac_main(int argc, char **argv)
{
int i, ret = 1;
BIO *in = NULL, *out = NULL;
char *passin = NULL;
char *spkstr = NULL;
CONF *conf = NULL;
NETSCAPE_SPKI *spki = NULL;
EVP_PKEY *pkey = NULL;
if (single_execution) {
if (pledge("stdio rpath wpath cpath tty", NULL) == -1) {
perror("pledge");
exit(1);
}
}
memset(&spkac_config, 0, sizeof(spkac_config));
spkac_config.spkac = "SPKAC";
spkac_config.spksect = "default";
if (options_parse(argc, argv, spkac_options, NULL, NULL) != 0) {
spkac_usage();
return (1);
}
if (!app_passwd(bio_err, spkac_config.passargin, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (spkac_config.keyfile) {
pkey = load_key(bio_err,
strcmp(spkac_config.keyfile, "-") ? spkac_config.keyfile
: NULL, FORMAT_PEM, 1, passin, "private key");
if (!pkey) {
goto end;
}
spki = NETSCAPE_SPKI_new();
if (spkac_config.challenge)
ASN1_STRING_set(spki->spkac->challenge,
spkac_config.challenge,
(int) strlen(spkac_config.challenge));
NETSCAPE_SPKI_set_pubkey(spki, pkey);
NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
spkstr = NETSCAPE_SPKI_b64_encode(spki);
if (spkstr == NULL) {
BIO_printf(bio_err, "Error encoding SPKAC\n");
ERR_print_errors(bio_err);
goto end;
}
if (spkac_config.outfile)
out = BIO_new_file(spkac_config.outfile, "w");
else
out = BIO_new_fp(stdout, BIO_NOCLOSE);
if (!out) {
BIO_printf(bio_err, "Error opening output file\n");
ERR_print_errors(bio_err);
} else {
BIO_printf(out, "SPKAC=%s\n", spkstr);
ret = 0;
}
free(spkstr);
goto end;
}
if (spkac_config.infile)
in = BIO_new_file(spkac_config.infile, "r");
else
in = BIO_new_fp(stdin, BIO_NOCLOSE);
if (!in) {
BIO_printf(bio_err, "Error opening input file\n");
ERR_print_errors(bio_err);
goto end;
}
conf = NCONF_new(NULL);
i = NCONF_load_bio(conf, in, NULL);
if (!i) {
BIO_printf(bio_err, "Error parsing config file\n");
ERR_print_errors(bio_err);
goto end;
}
spkstr = NCONF_get_string(conf, spkac_config.spksect,
spkac_config.spkac);
if (!spkstr) {
BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n",
spkac_config.spkac);
ERR_print_errors(bio_err);
goto end;
}
spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
if (!spki) {
BIO_printf(bio_err, "Error loading SPKAC\n");
ERR_print_errors(bio_err);
goto end;
}
if (spkac_config.outfile)
out = BIO_new_file(spkac_config.outfile, "w");
else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
}
if (!out) {
BIO_printf(bio_err, "Error opening output file\n");
ERR_print_errors(bio_err);
goto end;
}
if (!spkac_config.noout)
NETSCAPE_SPKI_print(out, spki);
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if (spkac_config.verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
if (i > 0)
BIO_printf(bio_err, "Signature OK\n");
else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (spkac_config.pubkey)
PEM_write_bio_PUBKEY(out, pkey);
ret = 0;
end:
NCONF_free(conf);
NETSCAPE_SPKI_free(spki);
BIO_free(in);
BIO_free_all(out);
EVP_PKEY_free(pkey);
free(passin);
return (ret);
}
int x509_main(int argc, char **argv)
{
ASN1_INTEGER *sno = NULL;
ASN1_OBJECT *objtmp;
BIO *out = NULL;
CONF *extconf = NULL;
EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
X509 *x = NULL, *xca = NULL;
X509_REQ *req = NULL, *rq = NULL;
X509_STORE *ctx = NULL;
const EVP_MD *digest = NULL;
char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL;
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
char buf[256], *prog;
int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0;
int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0;
int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0;
int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0;
int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0;
int checkoffset = 0, enddate = 0;
unsigned long nmflag = 0, certflag = 0;
OPTION_CHOICE o;
ENGINE *e = NULL;
#ifndef OPENSSL_NO_MD5
int subject_hash_old = 0, issuer_hash_old = 0;
#endif
ctx = X509_STORE_new();
if (ctx == NULL)
goto end;
X509_STORE_set_verify_cb(ctx, callb);
prog = opt_init(argc, argv, x509_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(x509_options);
ret = 0;
goto end;
case OPT_INFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat))
goto opthelp;
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
goto opthelp;
break;
case OPT_CAKEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_REQ:
reqfile = need_rand = 1;
break;
case OPT_SIGOPT:
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
goto opthelp;
break;
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
case OPT_FORCE_VERSION:
force_version = atoi(opt_arg()) - 1;
break;
#endif
case OPT_DAYS:
days = atoi(opt_arg());
break;
case OPT_PASSIN:
passinarg = opt_arg();
break;
case OPT_EXTFILE:
extfile = opt_arg();
break;
case OPT_EXTENSIONS:
extsect = opt_arg();
break;
case OPT_SIGNKEY:
keyfile = opt_arg();
sign_flag = ++num;
need_rand = 1;
break;
case OPT_CA:
CAfile = opt_arg();
CA_flag = ++num;
need_rand = 1;
break;
case OPT_CAKEY:
CAkeyfile = opt_arg();
break;
case OPT_CASERIAL:
CAserial = opt_arg();
break;
case OPT_SET_SERIAL:
if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL)
goto opthelp;
break;
case OPT_FORCE_PUBKEY:
fkeyfile = opt_arg();
break;
case OPT_ADDTRUST:
if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
BIO_printf(bio_err,
"%s: Invalid trust object value %s\n",
prog, opt_arg());
goto opthelp;
}
if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL)
goto end;
sk_ASN1_OBJECT_push(trust, objtmp);
trustout = 1;
break;
case OPT_ADDREJECT:
if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
BIO_printf(bio_err,
"%s: Invalid reject object value %s\n",
prog, opt_arg());
goto opthelp;
}
if (reject == NULL
&& (reject = sk_ASN1_OBJECT_new_null()) == NULL)
goto end;
sk_ASN1_OBJECT_push(reject, objtmp);
trustout = 1;
break;
case OPT_SETALIAS:
alias = opt_arg();
trustout = 1;
break;
case OPT_CERTOPT:
if (!set_cert_ex(&certflag, opt_arg()))
goto opthelp;
break;
case OPT_NAMEOPT:
if (!set_name_ex(&nmflag, opt_arg()))
goto opthelp;
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
case OPT_C:
C = ++num;
break;
case OPT_EMAIL:
email = ++num;
break;
case OPT_OCSP_URI:
ocsp_uri = ++num;
break;
case OPT_SERIAL:
serial = ++num;
break;
case OPT_NEXT_SERIAL:
next_serial = ++num;
break;
case OPT_MODULUS:
modulus = ++num;
break;
case OPT_PUBKEY:
pubkey = ++num;
break;
case OPT_X509TOREQ:
x509req = ++num;
break;
case OPT_TEXT:
text = ++num;
break;
case OPT_SUBJECT:
subject = ++num;
break;
case OPT_ISSUER:
issuer = ++num;
break;
case OPT_FINGERPRINT:
fingerprint = ++num;
break;
case OPT_HASH:
subject_hash = ++num;
break;
case OPT_ISSUER_HASH:
issuer_hash = ++num;
break;
case OPT_PURPOSE:
pprint = ++num;
break;
case OPT_STARTDATE:
startdate = ++num;
break;
case OPT_ENDDATE:
enddate = ++num;
break;
case OPT_NOOUT:
noout = ++num;
break;
case OPT_NOCERT:
nocert = 1;
break;
case OPT_TRUSTOUT:
trustout = 1;
break;
case OPT_CLRTRUST:
clrtrust = ++num;
break;
case OPT_CLRREJECT:
clrreject = ++num;
break;
case OPT_ALIAS:
aliasout = ++num;
break;
case OPT_CACREATESERIAL:
CA_createserial = ++num;
break;
case OPT_CLREXT:
clrext = 1;
break;
case OPT_OCSPID:
ocspid = ++num;
break;
case OPT_BADSIG:
badsig = 1;
break;
#ifndef OPENSSL_NO_MD5
case OPT_SUBJECT_HASH_OLD:
subject_hash_old = ++num;
break;
case OPT_ISSUER_HASH_OLD:
issuer_hash_old = ++num;
break;
#endif
case OPT_DATES:
startdate = ++num;
enddate = ++num;
break;
case OPT_CHECKEND:
checkoffset = atoi(opt_arg());
checkend = 1;
break;
case OPT_CHECKHOST:
checkhost = opt_arg();
break;
case OPT_CHECKEMAIL:
checkemail = opt_arg();
break;
case OPT_CHECKIP:
checkip = opt_arg();
break;
case OPT_MD:
if (!opt_md(opt_unknown(), &digest))
goto opthelp;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (argc != 0) {
BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]);
goto opthelp;
}
out = bio_open_default(outfile, "w");
if (out == NULL)
goto end;
if (need_rand)
app_RAND_load_file(NULL, 0);
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (!X509_STORE_set_default_paths(ctx)) {
ERR_print_errors(bio_err);
goto end;
}
if (fkeyfile) {
fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key");
if (fkey == NULL)
goto end;
}
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
CAkeyfile = CAfile;
} else if ((CA_flag) && (CAkeyfile == NULL)) {
BIO_printf(bio_err,
"need to specify a CAkey if using the CA command\n");
goto end;
}
if (extfile) {
long errorline = -1;
X509V3_CTX ctx2;
extconf = NCONF_new(NULL);
if (!NCONF_load(extconf, extfile, &errorline)) {
if (errorline <= 0)
BIO_printf(bio_err,
"error loading the config file '%s'\n", extfile);
else
BIO_printf(bio_err,
"error on line %ld of config file '%s'\n",
errorline, extfile);
goto end;
}
if (!extsect) {
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect) {
ERR_clear_error();
extsect = "default";
}
}
X509V3_set_ctx_test(&ctx2);
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
BIO_printf(bio_err,
"Error Loading extension section %s\n", extsect);
ERR_print_errors(bio_err);
goto end;
}
}
if (reqfile) {
EVP_PKEY *pkey;
BIO *in;
if (!sign_flag && !CA_flag) {
BIO_printf(bio_err, "We need a private key to sign with\n");
goto end;
}
in = bio_open_default(infile, "r");
if (in == NULL)
goto end;
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
BIO_free(in);
if (req == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if ((req->req_info == NULL) ||
(req->req_info->pubkey == NULL) ||
(req->req_info->pubkey->public_key == NULL) ||
(req->req_info->pubkey->public_key->data == NULL)) {
BIO_printf(bio_err,
"The certificate request appears to corrupted\n");
BIO_printf(bio_err, "It does not contain a public key\n");
goto end;
}
if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_REQ_verify(req, pkey);
EVP_PKEY_free(pkey);
if (i < 0) {
BIO_printf(bio_err, "Signature verification error\n");
ERR_print_errors(bio_err);
goto end;
}
if (i == 0) {
BIO_printf(bio_err,
"Signature did not match the certificate request\n");
goto end;
} else
BIO_printf(bio_err, "Signature ok\n");
print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),
nmflag);
if ((x = X509_new()) == NULL)
goto end;
if (sno == NULL) {
sno = ASN1_INTEGER_new();
if (!sno || !rand_serial(NULL, sno))
goto end;
if (!X509_set_serialNumber(x, sno))
goto end;
ASN1_INTEGER_free(sno);
sno = NULL;
} else if (!X509_set_serialNumber(x, sno))
goto end;
if (!X509_set_issuer_name(x, req->req_info->subject))
goto end;
if (!X509_set_subject_name(x, req->req_info->subject))
goto end;
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
if (fkey)
X509_set_pubkey(x, fkey);
else {
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x, pkey);
EVP_PKEY_free(pkey);
}
} else
x = load_cert(infile, informat, NULL, e, "Certificate");
if (x == NULL)
goto end;
if (CA_flag) {
xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate");
if (xca == NULL)
goto end;
}
if (!noout || text || next_serial) {
OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
}
if (alias)
X509_alias_set1(x, (unsigned char *)alias, -1);
if (clrtrust)
X509_trust_clear(x);
if (clrreject)
X509_reject_clear(x);
if (trust) {
for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
objtmp = sk_ASN1_OBJECT_value(trust, i);
X509_add1_trust_object(x, objtmp);
}
}
if (reject) {
for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
objtmp = sk_ASN1_OBJECT_value(reject, i);
X509_add1_reject_object(x, objtmp);
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
print_name(out, "issuer= ", X509_get_issuer_name(x), nmflag);
} else if (subject == i) {
print_name(out, "subject= ",
X509_get_subject_name(x), nmflag);
} else if (serial == i) {
BIO_printf(out, "serial=");
i2a_ASN1_INTEGER(out, X509_get_serialNumber(x));
BIO_printf(out, "\n");
} else if (next_serial == i) {
BIGNUM *bnser;
ASN1_INTEGER *ser;
ser = X509_get_serialNumber(x);
bnser = ASN1_INTEGER_to_BN(ser, NULL);
if (!bnser)
goto end;
if (!BN_add_word(bnser, 1))
goto end;
ser = BN_to_ASN1_INTEGER(bnser, NULL);
if (!ser)
goto end;
BN_free(bnser);
i2a_ASN1_INTEGER(out, ser);
ASN1_INTEGER_free(ser);
BIO_puts(out, "\n");
} else if ((email == i) || (ocsp_uri == i)) {
int j;
STACK_OF(OPENSSL_STRING) *emlst;
if (email == i)
emlst = X509_get1_email(x);
else
emlst = X509_get1_ocsp(x);
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
BIO_printf(out, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
X509_email_free(emlst);
} else if (aliasout == i) {
unsigned char *alstr;
alstr = X509_alias_get0(x, NULL);
if (alstr)
BIO_printf(out, "%s\n", alstr);
else
BIO_puts(out, "<No Alias>\n");
} else if (subject_hash == i) {
BIO_printf(out, "%08lx\n", X509_subject_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (subject_hash_old == i) {
BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x));
}
#endif
else if (issuer_hash == i) {
BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (issuer_hash_old == i) {
BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x));
}
#endif
else if (pprint == i) {
X509_PURPOSE *ptmp;
int j;
BIO_printf(out, "Certificate purposes:\n");
for (j = 0; j < X509_PURPOSE_get_count(); j++) {
ptmp = X509_PURPOSE_get0(j);
purpose_print(out, x, ptmp);
}
} else if (modulus == i) {
EVP_PKEY *pkey;
pkey = X509_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Modulus=unavailable\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(out, "Modulus=");
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
BN_print(out, pkey->pkey.rsa->n);
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
BN_print(out, pkey->pkey.dsa->pub_key);
else
#endif
BIO_printf(out, "Wrong Algorithm type");
BIO_printf(out, "\n");
EVP_PKEY_free(pkey);
} else if (pubkey == i) {
EVP_PKEY *pkey;
pkey = X509_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(out, pkey);
EVP_PKEY_free(pkey);
} else if (C == i) {
unsigned char *d;
char *m;
int len;
X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf);
BIO_printf(out, "/*\n"
" * Subject: %s\n", buf);
m = X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof buf);
BIO_printf(out, " * Issuer: %s\n"
" */\n", buf);
len = i2d_X509(x, NULL);
m = app_malloc(len, "x509 name buffer");
d = (unsigned char *)m;
len = i2d_X509_NAME(X509_get_subject_name(x), &d);
print_array(out, "the_subject_name", len, (unsigned char *)m);
d = (unsigned char *)m;
len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
print_array(out, "the_public_key", len, (unsigned char *)m);
d = (unsigned char *)m;
len = i2d_X509(x, &d);
print_array(out, "the_certificate", len, (unsigned char *)m);
OPENSSL_free(m);
} else if (text == i) {
X509_print_ex(out, x, nmflag, certflag);
} else if (startdate == i) {
BIO_puts(out, "notBefore=");
ASN1_TIME_print(out, X509_get_notBefore(x));
BIO_puts(out, "\n");
} else if (enddate == i) {
BIO_puts(out, "notAfter=");
ASN1_TIME_print(out, X509_get_notAfter(x));
BIO_puts(out, "\n");
} else if (fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *fdig = digest;
if (!fdig)
fdig = EVP_sha1();
if (!X509_digest(x, fdig, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(fdig)));
for (j = 0; j < (int)n; j++) {
BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
}
}
/* should be in the library */
else if ((sign_flag == i) && (x509req == 0)) {
BIO_printf(bio_err, "Getting Private key\n");
if (Upkey == NULL) {
Upkey = load_key(keyfile, keyformat, 0,
passin, e, "Private key");
if (Upkey == NULL)
goto end;
}
assert(need_rand);
if (!sign(x, Upkey, days, clrext, digest, extconf, extsect))
goto end;
} else if (CA_flag == i) {
BIO_printf(bio_err, "Getting CA Private Key\n");
if (CAkeyfile != NULL) {
CApkey = load_key(CAkeyfile, CAkeyformat,
0, passin, e, "CA Private Key");
if (CApkey == NULL)
goto end;
}
assert(need_rand);
if (!x509_certify(ctx, CAfile, digest, x, xca,
CApkey, sigopts,
CAserial, CA_createserial, days, clrext,
extconf, extsect, sno, reqfile))
goto end;
} else if (x509req == i) {
EVP_PKEY *pk;
BIO_printf(bio_err, "Getting request Private Key\n");
if (keyfile == NULL) {
BIO_printf(bio_err, "no request key file specified\n");
goto end;
} else {
pk = load_key(keyfile, keyformat, 0,
passin, e, "request key");
if (pk == NULL)
goto end;
}
BIO_printf(bio_err, "Generating certificate request\n");
rq = X509_to_X509_REQ(x, pk, digest);
EVP_PKEY_free(pk);
if (rq == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (!noout) {
X509_REQ_print(out, rq);
PEM_write_bio_X509_REQ(out, rq);
}
noout = 1;
} else if (ocspid == i) {
X509_ocspid_print(out, x);
}
}
}
if (checkend) {
time_t tcheck = time(NULL) + checkoffset;
if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
BIO_printf(out, "Certificate will expire\n");
ret = 1;
} else {
BIO_printf(out, "Certificate will not expire\n");
ret = 0;
}
goto end;
}
print_cert_checks(out, x, checkhost, checkemail, checkip);
if (noout || nocert) {
ret = 0;
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
else if (outformat == FORMAT_PEM) {
if (trustout)
i = PEM_write_bio_X509_AUX(out, x);
else
i = PEM_write_bio_X509(out, x);
} else if (outformat == FORMAT_NETSCAPE) {
NETSCAPE_X509 nx;
ASN1_OCTET_STRING hdr;
hdr.data = (unsigned char *)NETSCAPE_CERT_HDR;
hdr.length = strlen(NETSCAPE_CERT_HDR);
nx.header = &hdr;
nx.cert = x;
i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx);
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write certificate\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
if (need_rand)
app_RAND_write_file(NULL);
OBJ_cleanup();
NCONF_free(extconf);
BIO_free_all(out);
X509_STORE_free(ctx);
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
EVP_PKEY_free(fkey);
sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
OPENSSL_free(passin);
return (ret);
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int i,badops=0, ret = 1;
BIO *in = NULL,*out = NULL;
int verify=0,noout=0,pubkey=0;
char *infile = NULL,*outfile = NULL,*prog;
char *passargin = NULL, *passin = NULL;
const char *spkac = "SPKAC", *spksect = "default";
char *spkstr = NULL;
char *challenge = NULL, *keyfile = NULL;
CONF *conf = NULL;
NETSCAPE_SPKI *spki = NULL;
EVP_PKEY *pkey = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
apps_startup();
if (!bio_err) bio_err = BIO_new_fp(OPENSSL_TYPE__FILE_STDERR, BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
prog=argv[0];
argc--;
argv++;
while (argc >= 1)
{
if (TINYCLR_SSL_STRCMP(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (TINYCLR_SSL_STRCMP(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (TINYCLR_SSL_STRCMP(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passargin= *(++argv);
}
else if (TINYCLR_SSL_STRCMP(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
keyfile= *(++argv);
}
else if (TINYCLR_SSL_STRCMP(*argv,"-challenge") == 0)
{
if (--argc < 1) goto bad;
challenge= *(++argv);
}
else if (TINYCLR_SSL_STRCMP(*argv,"-spkac") == 0)
{
if (--argc < 1) goto bad;
spkac= *(++argv);
}
else if (TINYCLR_SSL_STRCMP(*argv,"-spksect") == 0)
{
if (--argc < 1) goto bad;
spksect= *(++argv);
}
#ifndef OPENSSL_NO_ENGINE
else if (TINYCLR_SSL_STRCMP(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine= *(++argv);
}
#endif
else if (TINYCLR_SSL_STRCMP(*argv,"-noout") == 0)
noout=1;
else if (TINYCLR_SSL_STRCMP(*argv,"-pubkey") == 0)
pubkey=1;
else if (TINYCLR_SSL_STRCMP(*argv,"-verify") == 0)
verify=1;
else badops = 1;
argc--;
argv++;
}
if (badops)
{
bad:
BIO_printf(bio_err,"%s [options]\n",prog);
BIO_printf(bio_err,"where options are\n");
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -key arg create SPKAC using private key\n");
BIO_printf(bio_err," -passin arg input file pass phrase source\n");
BIO_printf(bio_err," -challenge arg challenge string\n");
BIO_printf(bio_err," -spkac arg alternative SPKAC name\n");
BIO_printf(bio_err," -noout don't print SPKAC\n");
BIO_printf(bio_err," -pubkey output public key\n");
BIO_printf(bio_err," -verify verify SPKAC signature\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n");
#endif
goto end;
}
ERR_load_crypto_strings();
if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if(keyfile) {
pkey = load_key(bio_err,
TINYCLR_SSL_STRCMP(keyfile, "-") ? keyfile : NULL,
FORMAT_PEM, 1, passin, e, "private key");
if(!pkey) {
goto end;
}
spki = NETSCAPE_SPKI_new();
if(challenge) ASN1_STRING_set(spki->spkac->challenge,
challenge, (int)TINYCLR_SSL_STRLEN(challenge));
NETSCAPE_SPKI_set_pubkey(spki, pkey);
NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
spkstr = NETSCAPE_SPKI_b64_encode(spki);
if (outfile) out = BIO_new_file(outfile, "w");
else {
out = BIO_new_fp(OPENSSL_TYPE__FILE_STDOUT, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if(!out) {
BIO_printf(bio_err, "Error opening output file\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(out, "SPKAC=%s\n", spkstr);
OPENSSL_free(spkstr);
ret = 0;
goto end;
}
if (infile) in = BIO_new_file(infile, "r");
else in = BIO_new_fp(OPENSSL_TYPE__FILE_STDIN, BIO_NOCLOSE);
if(!in) {
BIO_printf(bio_err, "Error opening input file\n");
ERR_print_errors(bio_err);
goto end;
}
conf = NCONF_new(NULL);
i = NCONF_load_bio(conf, in, NULL);
if(!i) {
BIO_printf(bio_err, "Error parsing config file\n");
ERR_print_errors(bio_err);
goto end;
}
spkstr = NCONF_get_string(conf, spksect, spkac);
if(!spkstr) {
BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
ERR_print_errors(bio_err);
goto end;
}
spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
if(!spki) {
BIO_printf(bio_err, "Error loading SPKAC\n");
ERR_print_errors(bio_err);
goto end;
}
if (outfile) out = BIO_new_file(outfile, "w");
else {
out = BIO_new_fp(OPENSSL_TYPE__FILE_STDOUT, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if(!out) {
BIO_printf(bio_err, "Error opening output file\n");
ERR_print_errors(bio_err);
goto end;
}
if(!noout) NETSCAPE_SPKI_print(out, spki);
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if(verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
if (i > 0) BIO_printf(bio_err, "Signature OK\n");
else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
goto end;
}
}
if(pubkey) PEM_write_bio_PUBKEY(out, pkey);
ret = 0;
end:
NCONF_free(conf);
NETSCAPE_SPKI_free(spki);
BIO_free(in);
BIO_free_all(out);
EVP_PKEY_free(pkey);
if(passin) OPENSSL_free(passin);
apps_shutdown();
OPENSSL_EXIT(ret);
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
char **args, *infile = NULL, *outfile = NULL;
char *passargin = NULL, *passargout = NULL;
BIO *in = NULL, *out = NULL;
const EVP_CIPHER *cipher = NULL;
int informat, outformat;
int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
EVP_PKEY *pkey = NULL;
char *passin = NULL, *passout = NULL;
int badarg = 0;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
int ret = 1;
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
args = argv + 1;
while (!badarg && *args && *args[0] == '-') {
if (!strcmp(*args, "-inform")) {
if (args[1]) {
args++;
informat = str2fmt(*args);
} else
badarg = 1;
} else if (!strcmp(*args, "-outform")) {
if (args[1]) {
args++;
outformat = str2fmt(*args);
} else
badarg = 1;
} else if (!strcmp(*args, "-passin")) {
if (!args[1])
goto bad;
passargin = *(++args);
} else if (!strcmp(*args, "-passout")) {
if (!args[1])
goto bad;
passargout = *(++args);
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*args, "-engine") == 0) {
if (!args[1])
goto bad;
engine = *(++args);
}
#endif
else if (!strcmp(*args, "-in")) {
if (args[1]) {
args++;
infile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-out")) {
if (args[1]) {
args++;
outfile = *args;
} else
badarg = 1;
} else if (strcmp(*args, "-pubin") == 0) {
pubin = 1;
pubout = 1;
pubtext = 1;
} else if (strcmp(*args, "-pubout") == 0)
pubout = 1;
else if (strcmp(*args, "-text_pub") == 0) {
pubtext = 1;
text = 1;
} else if (strcmp(*args, "-text") == 0)
text = 1;
else if (strcmp(*args, "-noout") == 0)
noout = 1;
else {
cipher = EVP_get_cipherbyname(*args + 1);
if (!cipher) {
BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1);
badarg = 1;
}
}
args++;
}
if (badarg) {
bad:
BIO_printf(bio_err, "Usage pkey [options]\n");
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-in file input file\n");
BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
BIO_printf(bio_err,
"-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
BIO_printf(bio_err, "-out file output file\n");
BIO_printf(bio_err,
"-passout arg output file pass phrase source\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
"-engine e use engine e, possibly a hardware device.\n");
#endif
return 1;
}
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
if (outfile) {
if (!(out = BIO_new_file(outfile, "wb"))) {
BIO_printf(bio_err, "Can't open output file %s\n", outfile);
goto end;
}
} else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if (pubin)
pkey = load_pubkey(bio_err, infile, informat, 1,
passin, e, "Public Key");
else
pkey = load_key(bio_err, infile, informat, 1, passin, e, "key");
if (!pkey)
goto end;
if (!noout) {
if (outformat == FORMAT_PEM) {
if (pubout)
PEM_write_bio_PUBKEY(out, pkey);
else
PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout);
} else if (outformat == FORMAT_ASN1) {
if (pubout)
i2d_PUBKEY_bio(out, pkey);
else
i2d_PrivateKey_bio(out, pkey);
} else {
BIO_printf(bio_err, "Bad format specified for key\n");
goto end;
}
}
if (text) {
if (pubtext)
EVP_PKEY_print_public(out, pkey, 0, NULL);
else
EVP_PKEY_print_private(out, pkey, 0, NULL);
}
ret = 0;
end:
EVP_PKEY_free(pkey);
BIO_free_all(out);
BIO_free(in);
if (passin)
OPENSSL_free(passin);
if (passout)
OPENSSL_free(passout);
return ret;
}
int spkac_main(int argc, char **argv)
{
BIO *out = NULL;
CONF *conf = NULL;
ENGINE *e = NULL;
EVP_PKEY *pkey = NULL;
NETSCAPE_SPKI *spki = NULL;
char *challenge = NULL, *keyfile = NULL;
char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL;
char *spkstr = NULL, *prog;
const char *spkac = "SPKAC", *spksect = "default";
int i, ret = 1, verify = 0, noout = 0, pubkey = 0;
OPTION_CHOICE o;
prog = opt_init(argc, argv, spkac_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(spkac_options);
ret = 0;
goto end;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_NOOUT:
noout = 1;
break;
case OPT_PUBKEY:
pubkey = 1;
break;
case OPT_VERIFY:
verify = 1;
break;
case OPT_PASSIN:
passinarg = opt_arg();
break;
case OPT_KEY:
keyfile = opt_arg();
break;
case OPT_CHALLENGE:
challenge = opt_arg();
break;
case OPT_SPKAC:
spkac = opt_arg();
break;
case OPT_SPKSECT:
spksect = opt_arg();
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
}
}
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (keyfile) {
pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL,
FORMAT_PEM, 1, passin, e, "private key");
if (!pkey) {
goto end;
}
spki = NETSCAPE_SPKI_new();
if (challenge)
ASN1_STRING_set(spki->spkac->challenge,
challenge, (int)strlen(challenge));
NETSCAPE_SPKI_set_pubkey(spki, pkey);
NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
spkstr = NETSCAPE_SPKI_b64_encode(spki);
out = bio_open_default(outfile, 'w', FORMAT_TEXT);
if (out == NULL)
goto end;
BIO_printf(out, "SPKAC=%s\n", spkstr);
OPENSSL_free(spkstr);
ret = 0;
goto end;
}
if ((conf = app_load_config(infile)) == NULL)
goto end;
spkstr = NCONF_get_string(conf, spksect, spkac);
if (spkstr == NULL) {
BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
ERR_print_errors(bio_err);
goto end;
}
spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
if (!spki) {
BIO_printf(bio_err, "Error loading SPKAC\n");
ERR_print_errors(bio_err);
goto end;
}
out = bio_open_default(outfile, 'w', FORMAT_TEXT);
if (out == NULL)
goto end;
if (!noout)
NETSCAPE_SPKI_print(out, spki);
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if (verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
if (i > 0)
BIO_printf(bio_err, "Signature OK\n");
else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (pubkey)
PEM_write_bio_PUBKEY(out, pkey);
ret = 0;
end:
NCONF_free(conf);
NETSCAPE_SPKI_free(spki);
BIO_free_all(out);
EVP_PKEY_free(pkey);
OPENSSL_free(passin);
return (ret);
}
int main() {
char dest_url[] = "https://www.hp.com";
BIO *certbio = NULL;
BIO *outbio = NULL;
X509 *cert = NULL;
X509_NAME *certname = NULL;
const SSL_METHOD *method;
SSL_CTX *ctx;
SSL *ssl;
int server = 0;
int ret, i;
EVP_PKEY *pkey = NULL;
/* ---------------------------------------------------------- *
* These function calls initialize openssl for correct work. *
* ---------------------------------------------------------- */
OpenSSL_add_all_algorithms();
ERR_load_BIO_strings();
ERR_load_crypto_strings();
SSL_load_error_strings();
/* ---------------------------------------------------------- *
* Create the Input/Output BIO's. *
* ---------------------------------------------------------- */
certbio = BIO_new(BIO_s_file());
outbio = BIO_new_fp(stdout, BIO_NOCLOSE);
/* ---------------------------------------------------------- *
* initialize SSL library and register algorithms *
* ---------------------------------------------------------- */
if(SSL_library_init() < 0)
BIO_printf(outbio, "Could not initialize the OpenSSL library !\n");
/* ---------------------------------------------------------- *
* Set SSLv2 client hello, also announce SSLv3 and TLSv1 *
* ---------------------------------------------------------- */
method = SSLv23_client_method();
/* ---------------------------------------------------------- *
* Try to create a new SSL context *
* ---------------------------------------------------------- */
if ( (ctx = SSL_CTX_new(method)) == NULL)
BIO_printf(outbio, "Unable to create a new SSL context structure.\n");
/* ---------------------------------------------------------- *
* Disabling SSLv2 will leave v3 and TSLv1 for negotiation *
* ---------------------------------------------------------- */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
/* ---------------------------------------------------------- *
* Create new SSL connection state object *
* ---------------------------------------------------------- */
ssl = SSL_new(ctx);
/* ---------------------------------------------------------- *
* Make the underlying TCP socket connection *
* ---------------------------------------------------------- */
server = create_socket(dest_url, outbio);
if(server != 0)
BIO_printf(outbio, "Successfully made the TCP connection to: %s.\n", dest_url);
/* ---------------------------------------------------------- *
* Attach the SSL session to the socket descriptor *
* ---------------------------------------------------------- */
SSL_set_fd(ssl, server);
/* ---------------------------------------------------------- *
* Try to SSL-connect here, returns 1 for success *
* ---------------------------------------------------------- */
if ( SSL_connect(ssl) != 1 )
BIO_printf(outbio, "Error: Could not build a SSL session to: %s.\n", dest_url);
else
BIO_printf(outbio, "Successfully enabled SSL/TLS session to: %s.\n", dest_url);
/* ---------------------------------------------------------- *
* Get the remote certificate into the X509 structure *
* ---------------------------------------------------------- */
cert = SSL_get_peer_certificate(ssl);
if (cert == NULL)
BIO_printf(outbio, "Error: Could not get a certificate from: %s.\n", dest_url);
else
BIO_printf(outbio, "Retrieved the server's certificate from: %s.\n", dest_url);
if ((pkey = X509_get_pubkey(cert)) == NULL)
BIO_printf(outbio, "Error getting public key from certificate");
if (pkey) {
switch (pkey->type) {
case EVP_PKEY_RSA:
BIO_printf(outbio, "%d bit RSA Key\n\n", EVP_PKEY_bits(pkey));
break;
case EVP_PKEY_DSA:
BIO_printf(outbio, "%d bit DSA Key\n\n", EVP_PKEY_bits(pkey));
break;
default:
BIO_printf(outbio, "%d bit non-RSA/DSA Key\n\n", EVP_PKEY_bits(pkey));
break;
}
}
if(!PEM_write_bio_PUBKEY(outbio, pkey))
BIO_printf(outbio, "Error writing public key data in PEM format");
/* ---------------------------------------------------------- *
* extract various certificate information *
* -----------------------------------------------------------*/
certname = X509_NAME_new();
certname = X509_get_subject_name(cert);
/* ---------------------------------------------------------- *
* display the cert subject here *
* -----------------------------------------------------------*/
BIO_printf(outbio, "Displaying the certificate subject data:\n");
X509_NAME_print_ex(outbio, certname, 0, 0);
BIO_printf(outbio, "\n");
/* ---------------------------------------------------------- *
* Free the structures we don't need anymore *
* -----------------------------------------------------------*/
SSL_free(ssl);
close(server);
X509_free(cert);
SSL_CTX_free(ctx);
BIO_printf(outbio, "Finished SSL/TLS connection with server: %s.\n", dest_url);
return(0);
}
/*
* We use a simple lookup table to simulate manual enrollment
* of certs by the CA. This is the case where an operator
* needs to review each cert request and approve it (e.g.
* auto-enrollment is off).
*
* Return 1 if a match was found and the enrollment operation
* should proceed. Return 0 if no match was found, in which
* case we'll add the public key from the cert request into
* our lookup table so it can be correlated later.
*
* Windows: Rewriting to forgo the use of search.h API
* lookup table will be implemented as a basic linked list
*/
static int lookup_pkcs10_request(unsigned char *pkcs10, int p10_len)
{
X509_REQ *req = NULL;
BIO *in = NULL;
BIO *out = NULL;
BIO *b64;
EVP_PKEY *pkey = NULL;
BUF_MEM *bptr;
int rv;
LOOKUP_ENTRY *l;
LOOKUP_ENTRY *n;
/*
* Decode the request into an X509_REQ structure
*/
b64 = BIO_new(BIO_f_base64());
in = BIO_new_mem_buf(pkcs10, p10_len);
in = BIO_push(b64, in);
if ((req = d2i_X509_REQ_bio(in, NULL)) == NULL) {
/* Unable to parse the request, just let this fall through
* and the enrollment will fail */
rv = 1;
goto DONE;
}
/*
* Get the public key from the request, this will be our index into
* the lookup table. Frankly, I'm not sure how a real CA
* would do this lookup. But this should be good enough for
* testing the retry-after logic.
*/
pkey = X509_PUBKEY_get(req->req_info->pubkey);
if (!pkey) {
rv = 1;
goto DONE;
}
out = BIO_new(BIO_s_mem());
PEM_write_bio_PUBKEY(out, pkey);
BIO_get_mem_ptr(out, &bptr);
/*
* see if we can find a match for this public key
*/
n = malloc(sizeof(LOOKUP_ENTRY));
n->data = malloc(bptr->length);
n->length = bptr->length;
memcpy(n->data, bptr->data, n->length);
n->next = NULL;
l = search_list(lookup_root, n);
if (l) {
/* We have a match, allow the enrollment */
rv = 1;
lookup_root = delete_lookup_entry(lookup_root, n);
printf("\nRemoving key from lookup table:\n");
dumpbin((char*)n->data, n->length);
free(n->data);
free(n);
}
else {
/* Not a match, add it to the list and return */
if (lookup_root == NULL) {
/*
* Initialize the list
*/
lookup_root = n;
}
else {
add_entry(lookup_root, n);
}
rv = 0;
printf("\nAdding key to lookup table:\n");
dumpbin((char*)n->data, n->length);
}
DONE:
if (out)
BIO_free_all(out);
if (in)
BIO_free_all(in);
if (req)
X509_REQ_free(req);
if (pkey)
EVP_PKEY_free(pkey);
return (rv);
}
// Take a public key, theKey (input), and create an armored version of
// it into ascKey (output.)
//
// OpenSSL loaded key ===> ASCII-Armored export of same key.
//
//static
//
bool OTAsymmetricKey_OpenSSL::OTAsymmetricKey_OpenSSLPrivdp::ArmorPublicKey(EVP_PKEY & theKey, OTASCIIArmor & ascKey)
{
bool bReturnVal = false;
const char * szFunc = "OTAsymmetricKey_OpenSSL::ArmorPublicKey";
ascKey.Release();
// ----------------------------------------
// Create a new memory buffer on the OpenSSL side
OpenSSL_BIO bmem = BIO_new(BIO_s_mem());
OT_ASSERT_MSG(NULL != bmem, "OTAsymmetricKey_OpenSSL::ArmorPublicKey: ASSERT: NULL != bmem");
int64_t lSize = 0;
// ----------------------------------------
// write a public key to that buffer, from theKey (parameter.)
//
int32_t nWriteBio = PEM_write_bio_PUBKEY(bmem, &theKey);
if (0 == nWriteBio)
{
OTLog::vError("%s: Error: Failed writing EVP_PKEY to memory buffer.\n", szFunc);
}
else
{
OTLog::vOutput(5, "%s: Success writing EVP_PKEY to memory buffer.\n", szFunc);
OTPayload theData;
char * pChar = NULL;
// After the below call, pChar will point to the memory buffer where the public key
// supposedly is, and lSize will contain the size of that memory.
//
lSize = BIO_get_mem_data(bmem, &pChar);
uint32_t nSize = static_cast<uint32_t>(lSize); // todo security, etc. Fix this assumed type conversion.
if (nSize > 0)
{
// Set the buffer size in our own memory.
theData.SetPayloadSize(nSize);
// void * pv =
OTPassword::safe_memcpy((static_cast<char*>(const_cast<void*>(theData.GetPayloadPointer()))), // destination
theData.GetSize(), // size of destination buffer.
pChar, // source
nSize); // length of source.
// bool bZeroSource=false); // if true, sets the source buffer to zero after copying is done.
// ------------------------------------------------
// This base64 encodes the public key data
//
ascKey.SetData(theData);
OTLog::vOutput(5, "%s: Success copying public key into memory.\n", szFunc);
bReturnVal = true;
}
else
{
OTLog::vError("%s: Failed copying public key into memory.\n", szFunc);
}
}
return bReturnVal;
}
//static // CALLER must EVP_pkey_free!
EVP_PKEY * OTAsymmetricKey_OpenSSL::OTAsymmetricKey_OpenSSLPrivdp::CopyPublicKey(EVP_PKEY & theKey, OTPasswordData * pPWData/*=NULL*/, OTPassword * pImportPassword/*=NULL*/)
{
// ----------------------------------------
// Create a new memory buffer on the OpenSSL side
OpenSSL_BIO bmem = BIO_new(BIO_s_mem());
OT_ASSERT_MSG(NULL != bmem, "OTAsymmetricKey_OpenSSL::CopyPublicKey: ASSERT: NULL != bmem");
EVP_PKEY * pReturnKey = NULL;
// ----------------------------------------
// write a public key to that buffer, from theKey (parameter.)
//
int32_t nWriteBio = PEM_write_bio_PUBKEY(bmem, &theKey);
if (0 == nWriteBio)
{
OTLog::vError("%s: Error: Failed writing EVP_PKEY to memory buffer.\n", __FUNCTION__);
}
else
{
OTLog::vOutput(5, "%s: Success writing EVP_PKEY to memory buffer.\n", __FUNCTION__);
char * pChar = NULL;
// After the below call, pChar will point to the memory buffer where the public key
// supposedly is, and lSize will contain the size of that memory.
//
const int64_t lSize = BIO_get_mem_data(bmem, &pChar);
const uint32_t nSize = static_cast<uint32_t>(lSize);
if (nSize > 0)
{
OTPayload theData;
// Set the buffer size in our own memory.
theData.SetPayloadSize(nSize);
void * pv =
OTPassword::safe_memcpy((static_cast<char*>(const_cast<void*>(theData.GetPayloadPointer()))), // destination
theData.GetSize(), // size of destination buffer.
pChar, // source
nSize); // length of source.
// bool bZeroSource=false); // if true, sets the source buffer to zero after copying is done.
if (NULL != pv)
{
// -----------------------------------------------
// Next, copy theData's contents into a new BIO_mem_buf,
// so OpenSSL can load the key out of it.
//
OpenSSL_BIO keyBio = BIO_new_mem_buf(static_cast<char*>(const_cast<void*>(theData.GetPayloadPointer())),
theData.GetSize());
OT_ASSERT_MSG(NULL != keyBio, "OTAsymmetricKey_OpenSSL::CopyPublicKey: Assert: NULL != keyBio \n");
// -------------------------------------------
// Next we load up the key from the BIO string into an instantiated key object.
//
OTPasswordData thePWData(NULL == pImportPassword ?
"Enter your wallet master passphrase. (OTAsymmetricKey_OpenSSL::CopyPublicKey is calling PEM_read_bio_PUBKEY...)" :
"Enter the passphrase for your exported Nym.");
if (NULL == pImportPassword)
pReturnKey = PEM_read_bio_PUBKEY(keyBio, NULL, OTAsymmetricKey::GetPasswordCallback(), NULL == pPWData ? &thePWData : pPWData);
else
pReturnKey = PEM_read_bio_PUBKEY(keyBio, NULL, 0, pImportPassword);
// -------------------------------------------
// We don't need the BIO anymore.
// Free the BIO and related buffers, filters, etc. (auto with scope).
//
}
else
OTLog::vError("%s: Error: Failed copying memory from BIO into OTPayload.\n");
// -------------------------------------------
}
else
{
OTLog::vError("%s: Failed copying private key into memory.\n", __FUNCTION__);
}
}
return pReturnKey;
}
int MAIN(int argc, char **argv)
{
int i,badops=0, ret = 1;
BIO *in = NULL,*out = NULL, *key = NULL;
int verify=0,noout=0,pubkey=0;
char *infile = NULL,*outfile = NULL,*prog;
char *passargin = NULL, *passin = NULL;
char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
char *challenge = NULL, *keyfile = NULL;
LHASH *conf = NULL;
NETSCAPE_SPKI *spki = NULL;
EVP_PKEY *pkey = NULL;
apps_startup();
if (!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
prog=argv[0];
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passargin= *(++argv);
}
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
keyfile= *(++argv);
}
else if (strcmp(*argv,"-challenge") == 0)
{
if (--argc < 1) goto bad;
challenge= *(++argv);
}
else if (strcmp(*argv,"-spkac") == 0)
{
if (--argc < 1) goto bad;
spkac= *(++argv);
}
else if (strcmp(*argv,"-spksect") == 0)
{
if (--argc < 1) goto bad;
spksect= *(++argv);
}
else if (strcmp(*argv,"-noout") == 0)
noout=1;
else if (strcmp(*argv,"-pubkey") == 0)
pubkey=1;
else if (strcmp(*argv,"-verify") == 0)
verify=1;
else badops = 1;
argc--;
argv++;
}
if (badops)
{
bad:
BIO_printf(bio_err,"%s [options]\n",prog);
BIO_printf(bio_err,"where options are\n");
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -key arg create SPKAC using private key\n");
BIO_printf(bio_err," -passin arg input file pass phrase source\n");
BIO_printf(bio_err," -challenge arg challenge string\n");
BIO_printf(bio_err," -spkac arg alternative SPKAC name\n");
BIO_printf(bio_err," -noout don't print SPKAC\n");
BIO_printf(bio_err," -pubkey output public key\n");
BIO_printf(bio_err," -verify verify SPKAC signature\n");
goto end;
}
ERR_load_crypto_strings();
if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if(keyfile) {
if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
else key = BIO_new_fp(stdin, BIO_NOCLOSE);
if(!key) {
BIO_printf(bio_err, "Error opening key file\n");
ERR_print_errors(bio_err);
goto end;
}
pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, passin);
if(!pkey) {
BIO_printf(bio_err, "Error reading private key\n");
ERR_print_errors(bio_err);
goto end;
}
spki = NETSCAPE_SPKI_new();
if(challenge) ASN1_STRING_set(spki->spkac->challenge,
challenge, strlen(challenge));
NETSCAPE_SPKI_set_pubkey(spki, pkey);
NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
spkstr = NETSCAPE_SPKI_b64_encode(spki);
if (outfile) out = BIO_new_file(outfile, "w");
else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if(!out) {
BIO_printf(bio_err, "Error opening output file\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(out, "SPKAC=%s\n", spkstr);
OPENSSL_free(spkstr);
ret = 0;
goto end;
}
if (infile) in = BIO_new_file(infile, "r");
else in = BIO_new_fp(stdin, BIO_NOCLOSE);
if(!in) {
BIO_printf(bio_err, "Error opening input file\n");
ERR_print_errors(bio_err);
goto end;
}
conf = CONF_load_bio(NULL, in, NULL);
if(!conf) {
BIO_printf(bio_err, "Error parsing config file\n");
ERR_print_errors(bio_err);
goto end;
}
spkstr = CONF_get_string(conf, spksect, spkac);
if(!spkstr) {
BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
ERR_print_errors(bio_err);
goto end;
}
spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
if(!spki) {
BIO_printf(bio_err, "Error loading SPKAC\n");
ERR_print_errors(bio_err);
goto end;
}
if (outfile) out = BIO_new_file(outfile, "w");
else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if(!out) {
BIO_printf(bio_err, "Error opening output file\n");
ERR_print_errors(bio_err);
goto end;
}
if(!noout) NETSCAPE_SPKI_print(out, spki);
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if(verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
if(i) BIO_printf(bio_err, "Signature OK\n");
else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
goto end;
}
}
if(pubkey) PEM_write_bio_PUBKEY(out, pkey);
ret = 0;
end:
CONF_free(conf);
NETSCAPE_SPKI_free(spki);
BIO_free(in);
BIO_free_all(out);
BIO_free(key);
EVP_PKEY_free(pkey);
if(passin) OPENSSL_free(passin);
EXIT(ret);
}
PKI_MEM_STACK *URL_get_data_pkcs11_url ( URL *url, ssize_t size ) {
#ifdef HAVE_P11
// PKCS11_CTX *ctx = NULL;
PKCS11_SLOT *slots = NULL;
PKCS11_TOKEN *tk = NULL;
char *libfile = NULL;
int num = 0;
int i = 0;
char * search_label = NULL;
char * search_id = NULL;
char * search_slot = NULL;
char * search_slotid = NULL;
PKI_MEM *tmp_mem = NULL;
PKI_MEM_STACK *sk = NULL;
if( !url ) return (NULL);
/*
if((libfile = pkcs11_parse_url_libpath ( url )) == NULL ) {
return( NULL );
}
*/
/*
slot = pkcs11_parse_url_slot ( url );
id = pkcs11_parse_url_id ( url );
*/
if( ctx == NULL ) {
if((ctx = PKCS11_CTX_new ()) == NULL ) {
return(NULL);
}
PKI_log_debug("Loading %s Library", url->addr );
if(( i = PKCS11_CTX_load(ctx, url->addr)) != 0 ) {
PKI_log_err("Can not load library %s [err::%d]", url->addr, i);
// ERR_print_errors_fp( stderr );
}
}
if( PKCS11_enumerate_slots( ctx, &slots, &num ) == -1 ) {
PKI_log_err ("Can not enumerate slots");
goto err;
};
if(( sk = PKI_STACK_MEM_new()) == NULL ) {
goto err;
}
search_slot = pkcs11_parse_url_getval( url, "slot" );
search_slotid = pkcs11_parse_url_getval( url, "slotid" );
search_label = pkcs11_parse_url_getval( url, "label" );
search_id = pkcs11_parse_url_getval( url, "id" );
if( search_slot )
PKI_log_debug("DEBUG::PKCS11::SEARCH::SLOT => %s\n", search_slot);
if( search_slotid )
PKI_log_debug("DEBUG::PKCS11::SEARCH::SLOTID => %s\n", search_slotid);
if( search_label )
PKI_log_debug("DEBUG::PKCS11::SEARCH::LABEL => %s\n", search_label);
if( search_id )
PKI_log_debug("DEBUG::PKCS11::SEARCH::ID => %s\n", search_id);
for(i = 0; i < num; i++ ) {
BIO *mem = NULL;
BUF_MEM *mem_buf = NULL;
PKCS11_CERT *certs = NULL;
PKCS11_SLOT *p = NULL;
PKCS11_CERT *x = NULL;
PKCS11_KEY *keyList = NULL;
PKCS11_KEY *key = NULL;
EVP_PKEY *evp_pkey = NULL;
int n = 0;
int t = 0;
int n_objs = 0;
int p_ret = 0;
p = &slots[i];
if((!p) || ((tk = p->token) == NULL) ) {
continue;
}
if( (search_slot) && ( strncmp_nocase( search_slot,
tk->label, strlen(search_slot) == 0) )) {
continue;
}
if( (search_slotid) && ( atoi(search_slotid) != i )) {
PKI_log_debug("PKCS11::SLOTID is %s (%d), curr is %d\n",
search_slotid, atoi(search_slotid), i);
continue;
}
if( strncmp_nocase( url->attrs, "cert", 4 ) == 0) {
PKI_log_debug("PKCS11::CERT DATATYPE SELECTED!\n");
if((mem = BIO_new(BIO_s_mem())) == NULL ) {
goto err;
}
/* Get the list of certificates in the slot */
p_ret = PKCS11_enumerate_certs( tk, &certs, &n_objs);
for( n = 0; n < n_objs; n++ ) {
/* Pointer to the current certificate */
x = &certs[n];
PKI_log_debug("PKCS11::CERT label=%s\n",
x->label);
PKI_log_debug("PKCS11::CERT id=");
for( t = 0; t < x->id_len; t ++ ) {
printf("%c", x->id[t] );
} printf("\n");
if( (search_label) &&
(strncmp_nocase( search_label, x->label,
strlen( search_label)) != 0 )){
PKI_log_debug("PKCS11::LABEL does not"
"match, SKIPPING!!!!\n");
continue;
}
if( search_id ) {
int stop = 0;
for( t = 0; t < x->id_len; t ++ ) {
if( search_id[t] != x->id[t] ) {
stop = 1;
break;
}
}
if( stop == 1 ) {
printf("DEBUG::PKCS11::ID does not"
"match, SKIPPING!!!!\n");
continue;
}
}
/* Write the cert in PEM format to memory */
p_ret = PEM_write_bio_X509( mem, x->x509 );
/* Get the pointer to the memory buffer */
BIO_get_mem_ptr( mem, &mem_buf );
/* Push a PKI_MEM buffer on the stack */
tmp_mem = PKI_MEM_new_null();
PKI_MEM_add ( tmp_mem, mem_buf->data,
mem_buf->length);
PKI_STACK_push( sk, tmp_mem );
}
/* Free the temp memory buffer */
if( mem ) BIO_free( mem );
} else if (strncmp_nocase( url->attrs, "key", 3) == 0 ) {
char *pin = NULL;
PKI_log_debug("PKCS11::KEY DATATYPE SELECTED!\n");
pin = pkcs11_parse_url_getval( url, "pin" );
if ( (tk->loginRequired == 1) && (pin != NULL ) ) {
p_ret = PKCS11_login ( p, 0, pin );
PKI_log_debug("PKCS11::LOGIN Result %d\n",
p_ret );
}
if((mem = BIO_new(BIO_s_mem())) == NULL ) {
goto err;
}
p_ret = PKCS11_enumerate_keys ( tk, &keyList, &n_objs );
for( n = 0; n < n_objs; n++ ) {
key = &keyList[n];
printf("DEBUG::PKCS11::KEY label=%s\n",
key->label);
printf("DEBUG::PKCS11::KEY id=");
for( t = 0; t < key->id_len; t ++ ) {
printf("%c", key->id[t] );
} printf("\n");
if( (search_label) &&
(strncmp_nocase( search_label, x->label,
strlen( search_label)) != 0 )){
printf("DEBUG::PKCS11::LABEL does not"
"match, SKIPPING!!!!\n");
continue;
}
if( search_id ) {
int stop = 0;
for( t = 0; t < x->id_len; t ++ ) {
if( search_id[t] != x->id[t] ) {
stop = 1;
break;
}
}
if( stop == 1 ) {
printf("DEBUG::PKCS11::ID does not"
"match, SKIPPING!!!!\n");
continue;
}
}
/* Get Private Key in OpenSSL format */
evp_pkey = PKCS11_get_private_key( key );
/* Write the cert in PEM format to memory */
p_ret = PEM_write_bio_PUBKEY( mem, evp_pkey );
/* Get the pointer to the memory buffer */
BIO_get_mem_ptr( mem, &mem_buf );
/* Push a PKI_MEM buffer on the stack */
tmp_mem = PKI_MEM_new_null();
PKI_MEM_add ( tmp_mem, mem_buf->data,
mem_buf->length);
PKI_STACK_push( sk, tmp_mem );
}
if( mem ) BIO_free ( mem );
} else {
printf("DEBUG::PKCS11::OTHER DATATYPE SELECTED!\n");
}
}
err:
if( slots ) PKCS11_release_all_slots( ctx, slots, num );
/*
if( ctx ) {
PKCS11_CTX_unload(ctx);
PKCS11_CTX_free(ctx);
}
*/
if( libfile ) PKI_Free (libfile);
if( search_slot ) PKI_Free ( search_slot );
if( search_slotid ) PKI_Free ( search_slotid );
if( search_label ) PKI_Free ( search_label );
if( search_id ) PKI_Free ( search_id );
return ( sk );
#else
return ( NULL );
#endif
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int ret=1;
X509_REQ *req=NULL;
X509 *x=NULL,*xca=NULL;
ASN1_OBJECT *objtmp;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
EVP_PKEY *Upkey=NULL,*CApkey=NULL;
ASN1_INTEGER *sno = NULL;
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL;
int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
int next_serial=0;
int subject_hash=0,issuer_hash=0,ocspid=0;
#ifndef OPENSSL_NO_MD5
int subject_hash_old=0,issuer_hash_old=0;
#endif
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int ocsp_uri=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
const char **pp;
X509_STORE *ctx=NULL;
X509_REQ *rq=NULL;
int fingerprint=0;
char buf[256];
const EVP_MD *md_alg,*digest=NULL;
CONF *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
int checkend=0,checkoffset=0;
unsigned long nmflag = 0, certflag = 0;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
reqfile=0;
apps_startup();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
keyformat=FORMAT_PEM;
CAformat=FORMAT_PEM;
CAkeyformat=FORMAT_PEM;
ctx=X509_STORE_new();
if (ctx == NULL) goto end;
X509_STORE_set_verify_cb(ctx,callb);
argc--;
argv++;
num=0;
while (argc >= 1)
{
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-outform") == 0)
{
if (--argc < 1) goto bad;
outformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
keyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-req") == 0)
{
reqfile=1;
need_rand = 1;
}
else if (strcmp(*argv,"-CAform") == 0)
{
if (--argc < 1) goto bad;
CAformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-CAkeyform") == 0)
{
if (--argc < 1) goto bad;
CAkeyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-sigopt") == 0)
{
if (--argc < 1)
goto bad;
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
}
else if (strcmp(*argv,"-days") == 0)
{
if (--argc < 1) goto bad;
days=atoi(*(++argv));
if (days == 0)
{
BIO_printf(STDout,"bad number of days\n");
goto bad;
}
}
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passargin= *(++argv);
}
else if (strcmp(*argv,"-extfile") == 0)
{
if (--argc < 1) goto bad;
extfile= *(++argv);
}
else if (strcmp(*argv,"-extensions") == 0)
{
if (--argc < 1) goto bad;
extsect= *(++argv);
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-signkey") == 0)
{
if (--argc < 1) goto bad;
keyfile= *(++argv);
sign_flag= ++num;
need_rand = 1;
}
else if (strcmp(*argv,"-CA") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
CA_flag= ++num;
need_rand = 1;
}
else if (strcmp(*argv,"-CAkey") == 0)
{
if (--argc < 1) goto bad;
CAkeyfile= *(++argv);
}
else if (strcmp(*argv,"-CAserial") == 0)
{
if (--argc < 1) goto bad;
CAserial= *(++argv);
}
else if (strcmp(*argv,"-set_serial") == 0)
{
if (--argc < 1) goto bad;
if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
goto bad;
}
else if (strcmp(*argv,"-addtrust") == 0)
{
if (--argc < 1) goto bad;
if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
{
BIO_printf(bio_err,
"Invalid trust object value %s\n", *argv);
goto bad;
}
if (!trust) trust = sk_ASN1_OBJECT_new_null();
sk_ASN1_OBJECT_push(trust, objtmp);
trustout = 1;
}
else if (strcmp(*argv,"-addreject") == 0)
{
if (--argc < 1) goto bad;
if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
{
BIO_printf(bio_err,
"Invalid reject object value %s\n", *argv);
goto bad;
}
if (!reject) reject = sk_ASN1_OBJECT_new_null();
sk_ASN1_OBJECT_push(reject, objtmp);
trustout = 1;
}
else if (strcmp(*argv,"-setalias") == 0)
{
if (--argc < 1) goto bad;
alias= *(++argv);
trustout = 1;
}
else if (strcmp(*argv,"-certopt") == 0)
{
if (--argc < 1) goto bad;
if (!set_cert_ex(&certflag, *(++argv))) goto bad;
}
else if (strcmp(*argv,"-nameopt") == 0)
{
if (--argc < 1) goto bad;
if (!set_name_ex(&nmflag, *(++argv))) goto bad;
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine= *(++argv);
}
#endif
else if (strcmp(*argv,"-C") == 0)
C= ++num;
else if (strcmp(*argv,"-email") == 0)
email= ++num;
else if (strcmp(*argv,"-ocsp_uri") == 0)
ocsp_uri= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-next_serial") == 0)
next_serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
modulus= ++num;
else if (strcmp(*argv,"-pubkey") == 0)
pubkey= ++num;
else if (strcmp(*argv,"-x509toreq") == 0)
x509req= ++num;
else if (strcmp(*argv,"-text") == 0)
text= ++num;
else if (strcmp(*argv,"-hash") == 0
|| strcmp(*argv,"-subject_hash") == 0)
subject_hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-subject_hash_old") == 0)
subject_hash_old= ++num;
#endif
else if (strcmp(*argv,"-issuer_hash") == 0)
issuer_hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-issuer_hash_old") == 0)
issuer_hash_old= ++num;
#endif
else if (strcmp(*argv,"-subject") == 0)
subject= ++num;
else if (strcmp(*argv,"-issuer") == 0)
issuer= ++num;
else if (strcmp(*argv,"-fingerprint") == 0)
fingerprint= ++num;
else if (strcmp(*argv,"-dates") == 0)
{
startdate= ++num;
enddate= ++num;
}
else if (strcmp(*argv,"-purpose") == 0)
pprint= ++num;
else if (strcmp(*argv,"-startdate") == 0)
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
else if (strcmp(*argv,"-checkend") == 0)
{
if (--argc < 1) goto bad;
checkoffset=atoi(*(++argv));
checkend=1;
}
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-trustout") == 0)
trustout= 1;
else if (strcmp(*argv,"-clrtrust") == 0)
clrtrust= ++num;
else if (strcmp(*argv,"-clrreject") == 0)
clrreject= ++num;
else if (strcmp(*argv,"-alias") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
else if (strcmp(*argv,"-clrext") == 0)
clrext = 1;
#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
else if (strcmp(*argv,"-crlext") == 0)
{
BIO_printf(bio_err,"use -clrext instead of -crlext\n");
clrext = 1;
}
#endif
else if (strcmp(*argv,"-ocspid") == 0)
ocspid= ++num;
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
for (pp=x509_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if (need_rand)
app_RAND_load_file(NULL, bio_err, 0);
ERR_load_crypto_strings();
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
goto end;
}
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
{ CAkeyfile=CAfile; }
else if ((CA_flag) && (CAkeyfile == NULL))
{
BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
goto end;
}
if (extfile)
{
long errorline = -1;
X509V3_CTX ctx2;
extconf = NCONF_new(NULL);
if (!NCONF_load(extconf, extfile,&errorline))
{
if (errorline <= 0)
BIO_printf(bio_err,
"error loading the config file '%s'\n",
extfile);
else
BIO_printf(bio_err,
"error on line %ld of config file '%s'\n"
,errorline,extfile);
goto end;
}
if (!extsect)
{
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect)
{
ERR_clear_error();
extsect = "default";
}
}
X509V3_set_ctx_test(&ctx2);
X509V3_set_nconf(&ctx2, extconf);
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL))
{
BIO_printf(bio_err,
"Error Loading extension section %s\n",
extsect);
ERR_print_errors(bio_err);
goto end;
}
}
if (reqfile)
{
EVP_PKEY *pkey;
BIO *in;
if (!sign_flag && !CA_flag)
{
BIO_printf(bio_err,"We need a private key to sign with\n");
goto end;
}
in=BIO_new(BIO_s_file());
if (in == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
BIO_free(in);
goto end;
}
}
req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
BIO_free(in);
if (req == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if ( (req->req_info == NULL) ||
(req->req_info->pubkey == NULL) ||
(req->req_info->pubkey->public_key == NULL) ||
(req->req_info->pubkey->public_key->data == NULL))
{
BIO_printf(bio_err,"The certificate request appears to corrupted\n");
BIO_printf(bio_err,"It does not contain a public key\n");
goto end;
}
if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
{
BIO_printf(bio_err,"error unpacking public key\n");
goto end;
}
i=X509_REQ_verify(req,pkey);
EVP_PKEY_free(pkey);
if (i < 0)
{
BIO_printf(bio_err,"Signature verification error\n");
ERR_print_errors(bio_err);
goto end;
}
if (i == 0)
{
BIO_printf(bio_err,"Signature did not match the certificate request\n");
goto end;
}
else
BIO_printf(bio_err,"Signature ok\n");
print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
if ((x=X509_new()) == NULL) goto end;
if (sno == NULL)
{
sno = ASN1_INTEGER_new();
if (!sno || !rand_serial(NULL, sno))
goto end;
if (!X509_set_serialNumber(x, sno))
goto end;
ASN1_INTEGER_free(sno);
sno = NULL;
}
else if (!X509_set_serialNumber(x, sno))
goto end;
if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x,pkey);
EVP_PKEY_free(pkey);
}
else
x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
if (x == NULL) goto end;
if (CA_flag)
{
xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate");
if (xca == NULL) goto end;
}
if (!noout || text || next_serial)
{
OBJ_create("2.99999.3",
"SET.ex3","SET x509v3 extension 3");
out=BIO_new(BIO_s_file());
if (out == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
else
{
if (BIO_write_filename(out,outfile) <= 0)
{
perror(outfile);
goto end;
}
}
}
if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
if (clrtrust) X509_trust_clear(x);
if (clrreject) X509_reject_clear(x);
if (trust)
{
for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
{
objtmp = sk_ASN1_OBJECT_value(trust, i);
X509_add1_trust_object(x, objtmp);
}
}
if (reject)
{
for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
{
objtmp = sk_ASN1_OBJECT_value(reject, i);
X509_add1_reject_object(x, objtmp);
}
}
if (num)
{
for (i=1; i<=num; i++)
{
if (issuer == i)
{
print_name(STDout, "issuer= ",
X509_get_issuer_name(x), nmflag);
}
else if (subject == i)
{
print_name(STDout, "subject= ",
X509_get_subject_name(x), nmflag);
}
else if (serial == i)
{
BIO_printf(STDout,"serial=");
i2a_ASN1_INTEGER(STDout,
X509_get_serialNumber(x));
BIO_printf(STDout,"\n");
}
else if (next_serial == i)
{
BIGNUM *bnser;
ASN1_INTEGER *ser;
ser = X509_get_serialNumber(x);
bnser = ASN1_INTEGER_to_BN(ser, NULL);
if (!bnser)
goto end;
if (!BN_add_word(bnser, 1))
goto end;
ser = BN_to_ASN1_INTEGER(bnser, NULL);
if (!ser)
goto end;
BN_free(bnser);
i2a_ASN1_INTEGER(out, ser);
ASN1_INTEGER_free(ser);
BIO_puts(out, "\n");
}
else if ((email == i) || (ocsp_uri == i))
{
int j;
STACK_OF(OPENSSL_STRING) *emlst;
if (email == i)
emlst = X509_get1_email(x);
else
emlst = X509_get1_ocsp(x);
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
BIO_printf(STDout, "%s\n",
sk_OPENSSL_STRING_value(emlst, j));
X509_email_free(emlst);
}
else if (aliasout == i)
{
unsigned char *alstr;
alstr = X509_alias_get0(x, NULL);
if (alstr) BIO_printf(STDout,"%s\n", alstr);
else BIO_puts(STDout,"<No Alias>\n");
}
else if (subject_hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (subject_hash_old == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x));
}
#endif
else if (issuer_hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
}
#ifndef OPENSSL_NO_MD5
else if (issuer_hash_old == i)
{
BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x));
}
#endif
else if (pprint == i)
{
X509_PURPOSE *ptmp;
int j;
BIO_printf(STDout, "Certificate purposes:\n");
for (j = 0; j < X509_PURPOSE_get_count(); j++)
{
ptmp = X509_PURPOSE_get0(j);
purpose_print(STDout, x, ptmp);
}
}
else
if (modulus == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bio_err,"Modulus=unavailable\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(STDout,"Modulus=");
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
BN_print(STDout,pkey->pkey.rsa->n);
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
BN_print(STDout,pkey->pkey.dsa->pub_key);
else
#endif
BIO_printf(STDout,"Wrong Algorithm type");
BIO_printf(STDout,"\n");
EVP_PKEY_free(pkey);
}
else
if (pubkey == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bio_err,"Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(STDout, pkey);
EVP_PKEY_free(pkey);
}
else
if (C == i)
{
unsigned char *d;
char *m;
int y,z;
X509_NAME_oneline(X509_get_subject_name(x),
buf,sizeof buf);
BIO_printf(STDout,"/* subject:%s */\n",buf);
m=X509_NAME_oneline(
X509_get_issuer_name(x),buf,
sizeof buf);
BIO_printf(STDout,"/* issuer :%s */\n",buf);
z=i2d_X509(x,NULL);
m=OPENSSL_malloc(z);
d=(unsigned char *)m;
z=i2d_X509_NAME(X509_get_subject_name(x),&d);
BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f)
BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
z=i2d_X509(x,&d);
BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
BIO_printf(STDout,"0x%02X,",d[y]);
if ((y & 0x0f) == 0x0f)
BIO_printf(STDout,"\n");
}
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
OPENSSL_free(m);
}
else if (text == i)
{
X509_print_ex(out,x,nmflag, certflag);
}
else if (startdate == i)
{
BIO_puts(STDout,"notBefore=");
ASN1_TIME_print(STDout,X509_get_notBefore(x));
BIO_puts(STDout,"\n");
}
else if (enddate == i)
{
BIO_puts(STDout,"notAfter=");
ASN1_TIME_print(STDout,X509_get_notAfter(x));
BIO_puts(STDout,"\n");
}
else if (fingerprint == i)
{
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
const EVP_MD *fdig = digest;
if (!fdig)
fdig = EVP_sha1();
if (!X509_digest(x,fdig,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
BIO_printf(STDout,"%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(fdig)));
for (j=0; j<(int)n; j++)
{
BIO_printf(STDout,"%02X%c",md[j],
(j+1 == (int)n)
?'\n':':');
}
}
/* should be in the library */
else if ((sign_flag == i) && (x509req == 0))
{
BIO_printf(bio_err,"Getting Private key\n");
if (Upkey == NULL)
{
Upkey=load_key(bio_err,
keyfile, keyformat, 0,
passin, e, "Private key");
if (Upkey == NULL) goto end;
}
assert(need_rand);
if (!sign(x,Upkey,days,clrext,digest,
extconf, extsect)) goto end;
}
else if (CA_flag == i)
{
BIO_printf(bio_err,"Getting CA Private Key\n");
if (CAkeyfile != NULL)
{
CApkey=load_key(bio_err,
CAkeyfile, CAkeyformat,
0, passin, e,
"CA Private Key");
if (CApkey == NULL) goto end;
}
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
CApkey, sigopts,
CAserial,CA_createserial,days, clrext,
extconf, extsect, sno))
goto end;
}
else if (x509req == i)
{
EVP_PKEY *pk;
BIO_printf(bio_err,"Getting request Private Key\n");
if (keyfile == NULL)
{
BIO_printf(bio_err,"no request key file specified\n");
goto end;
}
else
{
pk=load_key(bio_err,
keyfile, keyformat, 0,
passin, e, "request key");
if (pk == NULL) goto end;
}
BIO_printf(bio_err,"Generating certificate request\n");
rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (!noout)
{
X509_REQ_print(out,rq);
PEM_write_bio_X509_REQ(out,rq);
}
noout=1;
}
else if (ocspid == i)
{
X509_ocspid_print(out, x);
}
}
}
if (checkend)
{
time_t tcheck=time(NULL) + checkoffset;
if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
{
BIO_printf(out,"Certificate will expire\n");
ret=1;
}
else
{
BIO_printf(out,"Certificate will not expire\n");
ret=0;
}
goto end;
}
if (noout)
{
ret=0;
goto end;
}
if (outformat == FORMAT_ASN1)
i=i2d_X509_bio(out,x);
else if (outformat == FORMAT_PEM)
{
if (trustout) i=PEM_write_bio_X509_AUX(out,x);
else i=PEM_write_bio_X509(out,x);
}
else if (outformat == FORMAT_NETSCAPE)
{
NETSCAPE_X509 nx;
ASN1_OCTET_STRING hdr;
hdr.data=(unsigned char *)NETSCAPE_CERT_HDR;
hdr.length=strlen(NETSCAPE_CERT_HDR);
nx.header= &hdr;
nx.cert=x;
i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx);
}
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i)
{
BIO_printf(bio_err,"unable to write certificate\n");
ERR_print_errors(bio_err);
goto end;
}
ret=0;
end:
if (need_rand)
app_RAND_write_file(NULL, bio_err);
OBJ_cleanup();
NCONF_free(extconf);
BIO_free_all(out);
BIO_free_all(STDout);
X509_STORE_free(ctx);
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
if (sigopts)
sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
if (passin) OPENSSL_free(passin);
apps_shutdown();
OPENSSL_EXIT(ret);
}
static LUA_FUNCTION(openssl_pkey_export)
{
EVP_PKEY * key;
int ispriv = 0;
int exraw = 0;
int expem = 1;
size_t passphrase_len = 0;
BIO * bio_out = NULL;
int ret = 0;
const EVP_CIPHER * cipher;
const char * passphrase = NULL;
key = CHECK_OBJECT(1, EVP_PKEY, "openssl.evp_pkey");
ispriv = openssl_pkey_is_private(key);
if (!lua_isnoneornil(L, 2))
expem = lua_toboolean(L, 2);
if (expem)
{
if (!lua_isnoneornil(L, 3))
exraw = lua_toboolean(L, 3);
passphrase = luaL_optlstring(L, 4, NULL, &passphrase_len);
} else
{
passphrase = luaL_optlstring(L, 3, NULL, &passphrase_len);
}
if (passphrase)
{
cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
}
else
{
cipher = NULL;
}
bio_out = BIO_new(BIO_s_mem());
if (expem)
{
if (exraw==0)
{
ret = ispriv ?
PEM_write_bio_PrivateKey(bio_out, key, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL) :
PEM_write_bio_PUBKEY(bio_out, key);
}
else
{
/* export raw key format */
switch (EVP_PKEY_type(key->type))
{
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
ret = ispriv ? PEM_write_bio_RSAPrivateKey(bio_out, key->pkey.rsa, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL)
: PEM_write_bio_RSAPublicKey(bio_out, key->pkey.rsa);
break;
case EVP_PKEY_DSA:
case EVP_PKEY_DSA2:
case EVP_PKEY_DSA3:
case EVP_PKEY_DSA4:
{
ret = ispriv ? PEM_write_bio_DSAPrivateKey(bio_out, key->pkey.dsa, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL)
: PEM_write_bio_DSA_PUBKEY(bio_out, key->pkey.dsa);
}
break;
case EVP_PKEY_DH:
ret = PEM_write_bio_DHparams(bio_out, key->pkey.dh);
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
ret = ispriv ? PEM_write_bio_ECPrivateKey(bio_out, key->pkey.ec, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL)
: PEM_write_bio_EC_PUBKEY(bio_out, key->pkey.ec);
break;
#endif
default:
ret = 0;
break;
}
}
}
else
{
if (ispriv)
{
if (passphrase == NULL)
{
ret = i2d_PrivateKey_bio(bio_out, key);
} else
{
ret = i2d_PKCS8PrivateKey_bio(bio_out, key, cipher, (char *)passphrase, passphrase_len, NULL, NULL);
}
} else
{
int l;
l = i2d_PublicKey(key, NULL);
if (l > 0)
{
unsigned char* p = malloc(l);
unsigned char* pp = p;
l = i2d_PublicKey(key, &pp);
if (l > 0)
{
BIO_write(bio_out, p, l);
ret = 1;
} else
ret = 0;
free(p);
} else
ret = 0;
}
}
if (ret)
{
char * bio_mem_ptr;
long bio_mem_len;
bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);
lua_pushlstring(L, bio_mem_ptr, bio_mem_len);
ret = 1;
}
if (bio_out)
{
BIO_free(bio_out);
}
return ret;
}
int
pkey_main(int argc, char **argv)
{
char **args, *infile = NULL, *outfile = NULL;
char *passargin = NULL, *passargout = NULL;
BIO *in = NULL, *out = NULL;
const EVP_CIPHER *cipher = NULL;
int informat, outformat;
int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
EVP_PKEY *pkey = NULL;
char *passin = NULL, *passout = NULL;
int badarg = 0;
int ret = 1;
if (single_execution) {
if (pledge("stdio rpath wpath cpath tty", NULL) == -1) {
perror("pledge");
exit(1);
}
}
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
args = argv + 1;
while (!badarg && *args && *args[0] == '-') {
if (!strcmp(*args, "-inform")) {
if (args[1]) {
args++;
informat = str2fmt(*args);
} else
badarg = 1;
} else if (!strcmp(*args, "-outform")) {
if (args[1]) {
args++;
outformat = str2fmt(*args);
} else
badarg = 1;
} else if (!strcmp(*args, "-passin")) {
if (!args[1])
goto bad;
passargin = *(++args);
} else if (!strcmp(*args, "-passout")) {
if (!args[1])
goto bad;
passargout = *(++args);
}
else if (!strcmp(*args, "-in")) {
if (args[1]) {
args++;
infile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-out")) {
if (args[1]) {
args++;
outfile = *args;
} else
badarg = 1;
} else if (strcmp(*args, "-pubin") == 0) {
pubin = 1;
pubout = 1;
pubtext = 1;
} else if (strcmp(*args, "-pubout") == 0)
pubout = 1;
else if (strcmp(*args, "-text_pub") == 0) {
pubtext = 1;
text = 1;
} else if (strcmp(*args, "-text") == 0)
text = 1;
else if (strcmp(*args, "-noout") == 0)
noout = 1;
else {
cipher = EVP_get_cipherbyname(*args + 1);
if (!cipher) {
BIO_printf(bio_err, "Unknown cipher %s\n",
*args + 1);
badarg = 1;
}
}
args++;
}
if (badarg) {
bad:
BIO_printf(bio_err, "Usage pkey [options]\n");
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-in file input file\n");
BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
BIO_printf(bio_err, "-out file output file\n");
BIO_printf(bio_err, "-passout arg output file pass phrase source\n");
return 1;
}
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
if (outfile) {
if (!(out = BIO_new_file(outfile, "wb"))) {
BIO_printf(bio_err,
"Can't open output file %s\n", outfile);
goto end;
}
} else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
}
if (pubin)
pkey = load_pubkey(bio_err, infile, informat, 1,
passin, "Public Key");
else
pkey = load_key(bio_err, infile, informat, 1, passin, "key");
if (!pkey)
goto end;
if (!noout) {
if (outformat == FORMAT_PEM) {
if (pubout)
PEM_write_bio_PUBKEY(out, pkey);
else
PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout);
} else if (outformat == FORMAT_ASN1) {
if (pubout)
i2d_PUBKEY_bio(out, pkey);
else
i2d_PrivateKey_bio(out, pkey);
} else {
BIO_printf(bio_err, "Bad format specified for key\n");
goto end;
}
}
if (text) {
if (pubtext)
EVP_PKEY_print_public(out, pkey, 0, NULL);
else
EVP_PKEY_print_private(out, pkey, 0, NULL);
}
ret = 0;
end:
EVP_PKEY_free(pkey);
BIO_free_all(out);
BIO_free(in);
free(passin);
free(passout);
return ret;
}
static EP_STAT
key_write_bio(EP_CRYPTO_KEY *key,
BIO *bio,
int keyform,
int keyenc,
const char *passwd,
uint32_t flags)
{
const char *pubsec = EP_UT_BITSET(EP_CRYPTO_F_SECRET, flags) ?
"secret" : "public";
int istat;
EP_ASSERT(bio != NULL);
if (keyform <= 0)
{
(void) _ep_crypto_error("keyform must be specified");
return EP_STAT_CRYPTO_CONVERT;
}
if (keyform == EP_CRYPTO_KEYFORM_PEM)
{
// easy case
if (EP_UT_BITSET(EP_CRYPTO_F_SECRET, flags))
{
const EVP_CIPHER *enc = cipher_byid(keyenc);
istat = PEM_write_bio_PrivateKey(bio, key, enc,
NULL, 0, NULL, (void *) passwd);
}
else
{
istat = PEM_write_bio_PUBKEY(bio, key);
}
if (istat != 1)
{
(void) _ep_crypto_error("cannot write %s PEM key",
pubsec);
return EP_STAT_CRYPTO_CONVERT;
}
goto finis;
}
#if _EP_CRYPTO_INCLUDE_DER
else if (keyform == EP_CRYPTO_KEYFORM_DER)
{
if (EP_UT_BITSET(EP_CRYPTO_F_SECRET, flags))
{
if (keyenc != EP_CRYPTO_SYMKEY_NONE &&
ep_dbg_test(Dbg, 1))
{
ep_dbg_printf("WARNING: writing unencrypted "
"private key DER file\n");
}
istat = i2d_PrivateKey_bio(bio, key);
}
else
{
istat = i2d_PUBKEY_bio(bio, key);
}
if (istat != 1)
{
(void) _ep_crypto_error("cannot write %s DER key",
pubsec);
return EP_STAT_CRYPTO_CONVERT;
}
}
#endif // _EP_CRYPTO_INCLUDE_DER
else
{
(void) _ep_crypto_error("unknown key format %d", keyform);
return EP_STAT_CRYPTO_KEYFORM;
}
finis:
return EP_STAT_FROM_INT(BIO_ctrl_pending(bio));
}