Esempio n. 1
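/*
 * Convert a PEM private key and a PEM X.509 user certificate into a
 * PKCS#12 (DER) file.
 *
 * privkey  - path of the PEM-encoded private key file
 * clicert  - path of the PEM-encoded user certificate file
 * p12cert  - path of the PKCS#12 file to create (overwritten)
 *
 * Returns -1 if any step fails (a diagnostic is printed to stderr),
 * 0 otherwise. Every handle and OpenSSL object is released on every path.
 *
 * NOTE(review): no passphrase and no friendly name are passed to
 * PKCS12_create(), so the produced file is not password protected;
 * protecting the private key then rests on the permissions of p12cert.
 */
int convert_x509_to_p12(char *privkey, char *clicert, char *p12cert)
{
	int       rc = -1;            /* pessimistic default, 0 only on success */
	X509      *cert = NULL;
	PKCS12    *p12 = NULL;
	EVP_PKEY  *cert_privkey = NULL;
	FILE      *keyfile = NULL, *certfile = NULL, *p12file = NULL;

	OpenSSL_add_all_algorithms();
	ERR_load_crypto_strings();

	/* Read the private key file. PEM_read_PrivateKey() allocates the
	 * EVP_PKEY itself; the EVP_PKEY_new() that used to precede it was
	 * overwritten and leaked. */
	if (!(keyfile = fopen(privkey, "r"))) {
		fprintf(stderr, "Error cant read certificate private key file.\n");
		goto out;
	}
	if (!(cert_privkey = PEM_read_PrivateKey(keyfile, NULL, NULL, NULL))) {
		fprintf(stderr, "Error loading certificate private key content.\n");
		goto out;
	}
	fclose(keyfile);
	keyfile = NULL;

	/* Read the user certificate */
	if (!(certfile = fopen(clicert, "r"))) {
		fprintf(stderr, "Error cant read certificate file.\n");
		goto out;
	}
	if (!(cert = PEM_read_X509(certfile, NULL, NULL, NULL))) {
		fprintf(stderr, "Error loading cert into memory.\n");
		goto out;
	}
	fclose(certfile);
	certfile = NULL;

	/* Generate the p12 structure. PKCS12_create() allocates it, so the
	 * former PKCS12_new() was likewise overwritten and leaked. The key and
	 * certificate are copied into the bundle and stay owned by us. */
	p12 = PKCS12_create(NULL, NULL, cert_privkey, cert, NULL, 0, 0, 0, 0, 0);
	if (p12 == NULL) {
		fprintf(stderr, "Error generating a valid PKCS12 certificate.\n");
		goto out;
	}

	/* "wb": the output is DER and must not get text-mode newline
	 * translation on platforms that perform it. */
	if (!(p12file = fopen(p12cert, "wb"))) {
		fprintf(stderr, "Error cant open pkcs12 certificate file for writing.\n");
		goto out;
	}
	/* i2d_PKCS12_fp() returns 1 on success, 0 on failure */
	if (i2d_PKCS12_fp(p12file, p12) <= 0) {
		fprintf(stderr, "Error writing PKCS12 certificate.\n");
		goto out;
	}
	/* fclose() flushes; a failure here means the file is incomplete */
	if (fclose(p12file) != 0) {
		p12file = NULL;
		fprintf(stderr, "Error writing PKCS12 certificate.\n");
		goto out;
	}
	p12file = NULL;
	rc = 0;

out:
	if (keyfile)
		fclose(keyfile);
	if (certfile)
		fclose(certfile);
	if (p12file)
		fclose(p12file);
	/* the OpenSSL *_free() functions accept NULL */
	PKCS12_free(p12);
	X509_free(cert);
	EVP_PKEY_free(cert_privkey);

	return rc;
}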
Esempio n. 2
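/*
 * Write this PKCS#12 object (private key, certificate and CA stack) to
 * fname, encrypted with a password asked from the user.
 *
 * Errors are reported through my_error(), fopen_error() and
 * openssl_error(); nothing is written when the user cancels the password
 * dialog, and the output stream is closed on every path.
 */
void pki_pkcs12::writePKCS12(const QString fname)
{
	Passwd pass;
	pass_info p(XCA_TITLE, tr("Please enter the password to encrypt the PKCS#12 file"));
	if (cert == NULL || key == NULL) {
		my_error(tr("No key or no Cert and no pkcs12"));
		// NOTE(review): my_error() presumably throws; should it return
		// instead, the dereferences below would run on NULL, so stop here.
		return;
	}

	FILE *fp = fopen(QString2filename(fname), "wb");
	if (fp == NULL) {
		fopen_error(fname);
		return;
	}
	// Ask for the password only once the file could be opened; on cancel
	// the (empty) file is closed and left as is.
	if (PwDialog::execute(&p, &pass, true) != 1) {
		fclose(fp);
		return;
	}
	PKCS12 *pkcs12 = PKCS12_create(pass.data(),
		getIntName().toUtf8().data(),
		key->decryptKey(),
		cert->getCert(), certstack, 0, 0, 0, 0, 0);
	// Only serialise a structure that was actually built; a NULL result is
	// left for openssl_error() to report from the OpenSSL error queue.
	if (pkcs12 != NULL)
		i2d_PKCS12_fp(fp, pkcs12);
	// Close before openssl_error(): should it throw, fp would otherwise leak.
	fclose(fp);
	openssl_error();
	PKCS12_free(pkcs12);
}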
Esempio n. 3
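/*
 * Open path for writing; report on stderr and return NULL when that fails,
 * so the caller can skip the file. One place for the message keeps the three
 * call sites in saveCertKeyPair() uniform.
 */
static FILE* openOrReport(const char* path, const char* mode) {
    FILE* fp = fopen(path, mode);
    if (fp == NULL) {
        fprintf(stderr, "saveCertKeyPair: cannot open %s for writing\n", path);
    }
    return fp;
}

/* Close a stream, reporting a failed flush (incomplete file) on stderr. */
static void closeOrReport(FILE* fp, const char* path) {
    if (fclose(fp) != 0) {
        fprintf(stderr, "saveCertKeyPair: error closing %s, contents may be incomplete\n", path);
    }
}

/*
 * Write the three artefacts of a CertKeyPair to disk: the private key as
 * PEM to keyPairFile, the certificate as PEM to certFile and the PKCS#12
 * bundle as DER to p12File.
 *
 * A file that cannot be opened or written is reported on stderr and skipped;
 * the other files are still written. Each stream is closed before the next
 * one is opened, so a failure never leaves a handle open (previously a failed
 * fopen() led to NULL being passed to the PEM writers and to fclose()).
 *
 * NOTE(review): keyPairFile receives the private key without encryption
 * (NULL cipher and passphrase) and is created with the process umask; the
 * caller should make sure the destination is not readable by others.
 */
void saveCertKeyPair(const char* certFile, const char* p12File, const char* keyPairFile, CertKeyPair certKeyPair) {
    FILE* keyPairFilePtr = openOrReport(keyPairFile, "w");
    if (keyPairFilePtr != NULL) {
        if (!PEM_write_PrivateKey(keyPairFilePtr, certKeyPair.pkey, NULL, NULL, 0, NULL, NULL)) {
            fprintf(stderr, "saveCertKeyPair: failed to write private key to %s\n", keyPairFile);
        }
        closeOrReport(keyPairFilePtr, keyPairFile);
    }

    FILE* certFilePtr = openOrReport(certFile, "w");
    if (certFilePtr != NULL) {
        if (!PEM_write_X509(certFilePtr, certKeyPair.x509)) {
            fprintf(stderr, "saveCertKeyPair: failed to write certificate to %s\n", certFile);
        }
        closeOrReport(certFilePtr, certFile);
    }

    /* "wb": PKCS#12 is binary DER and must not get newline translation */
    FILE* p12FilePtr = openOrReport(p12File, "wb");
    if (p12FilePtr != NULL) {
        /* i2d_PKCS12_fp() returns 1 on success, 0 on failure */
        if (i2d_PKCS12_fp(p12FilePtr, certKeyPair.p12) <= 0) {
            fprintf(stderr, "saveCertKeyPair: failed to write PKCS#12 bundle to %s\n", p12File);
        }
        closeOrReport(p12FilePtr, p12File);
    }
}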
Esempio n. 4
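/*
 * Write this PKCS#12 object (private key, certificate and CA stack) to
 * fname, encrypted with a password obtained through passcb().
 *
 * Errors are reported through my_error(), fopen_error() and
 * openssl_error(). The plaintext password buffer is scrubbed as soon as
 * PKCS12_create() has consumed it and the output stream is closed on
 * every path.
 */
void pki_pkcs12::writePKCS12(const QString fname)
{
	char pass[MAX_PASS_LENGTH];
	pass_info p(XCA_TITLE, tr("Please enter the password to encrypt the PKCS#12 file"));
	if (cert == NULL || key == NULL) {
		my_error(tr("No key or no Cert and no pkcs12"));
		// NOTE(review): my_error() presumably throws; should it return
		// instead, the dereferences below would run on NULL, so stop here.
		return;
	}

	FILE *fp = fopen(QString2filename(fname), "wb");
	if (fp == NULL) {
		fopen_error(fname);
		return;
	}
	passcb(pass, MAX_PASS_LENGTH, 0, &p);
	PKCS12 *pkcs12 = PKCS12_create(pass,
		getIntName().toUtf8().data(),
		key->decryptKey(),
		cert->getCert(), certstack, 0, 0, 0, 0, 0);
	// The plaintext password is no longer needed once the bags are built;
	// scrub it from the stack (a plain memset may be optimised away).
	OPENSSL_cleanse(pass, sizeof(pass));
	// Only serialise a structure that was actually built; a NULL result is
	// left for openssl_error() to report from the OpenSSL error queue.
	if (pkcs12 != NULL)
		i2d_PKCS12_fp(fp, pkcs12);
	// Close before openssl_error(): should it throw, fp would otherwise leak.
	fclose(fp);
	openssl_error();
	PKCS12_free(pkcs12);
}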
Esempio n. 5
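/*
 * pkwrite: bundle a PEM certificate and its private key into a PKCS#12 file.
 *
 * argv[1]  PEM file holding both the certificate and the private key
 * argv[2]  passphrase protecting the PKCS#12 file
 * argv[3]  friendly name stored in the bundle
 * argv[4]  output PKCS#12 file (DER)
 *
 * Exits with status 1 on any failure after printing a diagnostic (and the
 * OpenSSL error queue) to stderr; returns 0 on success.
 *
 * NOTE(review): the passphrase is taken from the command line, where it is
 * visible to other users of the machine (process listing, shell history).
 */
int main(int argc, char **argv)
{
	FILE *fp;
	EVP_PKEY *pkey;
	X509 *cert;
	PKCS12 *p12;
	if (argc != 5) {
		fprintf(stderr, "Usage: pkwrite infile password name p12file\n");
		exit(1);
	}
	SSLeay_add_all_algorithms();
	ERR_load_crypto_strings();
	if (!(fp = fopen(argv[1], "r"))) {
		fprintf(stderr, "Error opening file %s\n", argv[1]);
		exit(1);
	}
	/* Certificate and key live in the same PEM file: read the first,
	 * rewind, then read the second. */
	cert = PEM_read_X509(fp, NULL, NULL, NULL);
	rewind(fp);
	pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
	fclose(fp);
	/* Either read may have failed; PKCS12_create() would otherwise be
	 * handed NULL objects. */
	if (!cert || !pkey) {
		fprintf(stderr, "Error reading certificate or private key from %s\n", argv[1]);
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	p12 = PKCS12_create(argv[2], argv[3], pkey, cert, NULL, 0,0,0,0,0);
	/* PKCS12_create() copies the key and certificate into the bundle;
	 * the originals are ours to release. */
	EVP_PKEY_free(pkey);
	X509_free(cert);
	if(!p12) {
		fprintf(stderr, "Error creating PKCS#12 structure\n");
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	/* The output file is argv[4]; the old message named argv[1]. */
	if (!(fp = fopen(argv[4], "wb"))) {
		fprintf(stderr, "Error opening file %s\n", argv[4]);
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	/* i2d_PKCS12_fp() returns 1 on success, 0 on failure */
	if (i2d_PKCS12_fp(fp, p12) <= 0) {
		fprintf(stderr, "Error writing PKCS#12 file %s\n", argv[4]);
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	PKCS12_free(p12);
	/* fclose() flushes; a failure means the file on disk is incomplete */
	if (fclose(fp) != 0) {
		fprintf(stderr, "Error writing PKCS#12 file %s\n", argv[4]);
		exit(1);
	}
	return 0;
}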
Esempio n. 6
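/*
 * Build a PKCS#12 bundle from the PEM private key in PKEYF, the end-entity
 * certificate in PCERTF and the CA certificate in RCERTF, and write it as
 * DER to PKCS12F. The bundle is protected with the passphrase hard-coded
 * in the PKCS12_create() call.
 *
 * Input files that cannot be opened or parsed are reported on stderr and
 * abort the function; OpenSSL failures while building or writing the bundle
 * go through openssl_error_show(). Every object allocated here is released
 * on every path (the previous EVP_PKEY_new()/PKCS12_new() results were
 * overwritten and leaked, and the certificates were never freed).
 *
 * NOTE(review): a passphrase embedded in the source protects the file only
 * against readers who do not have this code; it is kept unchanged here
 * because changing it changes the produced file.
 */
void openssl_pkcs12_cert()
{
	FILE *tmpfile = NULL;
	PKCS12 *pkcs12s = NULL;
	EVP_PKEY *certprk = NULL;
	X509 *cscert = NULL, *cacert = NULL;
	STACK_OF(X509) *cacerts = NULL;

	OpenSSL_add_all_algorithms();
	ERR_load_crypto_strings();

	/* PEM_read_PrivateKey() allocates the key itself */
	if (!(tmpfile = fopen(PKEYF, "r"))) {
		fprintf(stderr, "cannot open private key file %s\n", PKEYF);
		goto out;
	}
	certprk = PEM_read_PrivateKey(tmpfile, NULL, NULL, NULL);
	fclose(tmpfile);
	tmpfile = NULL;
	if (!certprk) {
		openssl_error_show("PEM_read_PrivateKey", 1);
		goto out;
	}

	if (!(tmpfile = fopen(PCERTF, "r"))) {
		fprintf(stderr, "cannot open certificate file %s\n", PCERTF);
		goto out;
	}
	cscert = PEM_read_X509(tmpfile, NULL, NULL, NULL);
	fclose(tmpfile);
	tmpfile = NULL;
	if (!cscert) {
		openssl_error_show("PEM_read_X509", 1);
		goto out;
	}

	if (!(tmpfile = fopen(RCERTF, "r"))) {
		fprintf(stderr, "cannot open CA certificate file %s\n", RCERTF);
		goto out;
	}
	cacert = PEM_read_X509(tmpfile, NULL, NULL, NULL);
	fclose(tmpfile);
	tmpfile = NULL;
	if (!cacert) {
		openssl_error_show("PEM_read_X509", 1);
		goto out;
	}

	/* The stack only references cacert; it is freed separately below. */
	if (!(cacerts = sk_X509_new_null()) || !sk_X509_push(cacerts, cacert)) {
		openssl_error_show("sk_X509_push", 1);
		goto out;
	}
	/* PKCS12_create() allocates the structure and copies the objects in */
	pkcs12s = PKCS12_create("beike2012", "mypkcs12", certprk, cscert,
							cacerts, 0, 0, 0, 0, 0);
	if (!pkcs12s) {
		openssl_error_show("PKCS12_create", 1);
		goto out;
	}

	/* "wb": the output is DER, which must not get text-mode newline
	 * translation on platforms that perform it. */
	if (!(tmpfile = fopen(PKCS12F, "wb"))) {
		fprintf(stderr, "cannot open output file %s\n", PKCS12F);
		goto out;
	}
	if (i2d_PKCS12_fp(tmpfile, pkcs12s) <= 0)
		openssl_error_show("i2d_PKCS12_fp", 1);
	/* fclose() flushes; a failure means the file on disk is incomplete */
	if (fclose(tmpfile) != 0)
		fprintf(stderr, "error closing output file %s\n", PKCS12F);
	tmpfile = NULL;

out:
	if (tmpfile)
		fclose(tmpfile);
	/* all OpenSSL *_free() functions accept NULL */
	sk_X509_free(cacerts);
	X509_free(cacert);
	X509_free(cscert);
	EVP_PKEY_free(certprk);
	PKCS12_free(pkcs12s);
}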
Esempio n. 7
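/*
 * Pack every key pair in the reqs list into one PKCS#12 structure and write
 * it to file. Each request becomes one authenticated safe holding the
 * private key bag, a self-issued certificate bag (so the key can later be
 * located through the subject name) and the FriBID owning-host attribute.
 *
 * reqs      - linked list of certificate requests with their private keys
 * hostname  - origin recorded on each certificate bag for same-origin checks
 * password  - passphrase used for the key bags and for the integrity MAC
 * file      - open stream the DER encoding is written to
 *
 * Returns TokenError_Success only when every request was packed, the MAC
 * was set and the structure was written; every failure is recorded through
 * certutil_updateErrorString() and TokenError_Unknown is returned.
 */
static TokenError saveKeys(const CertReq *reqs, const char *hostname,
                           const char *password, FILE *file) {
    TokenError error = TokenError_Unknown;
    PKCS12 *p12 = NULL;
    
    // Add PKCS7 safes with the keys
    STACK_OF(PKCS7) *authsafes = NULL;
    uint32_t localKeyId = 0;
    size_t error_count = 0;   // requests that could not be packed
    while (reqs) {
        STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
        X509 *cert = NULL;
        ASN1_OBJECT *objOwningHost = NULL;
        // localKeyId links the key bag to its certificate bag; stored big-endian
        uint32_t keyid = htonl(localKeyId++);
        bool success = false;
        
        // Add private key
        PKCS12_SAFEBAG *bag = PKCS12_add_key(&bags, reqs->privkey,
            opensslKeyUsages[reqs->pkcs10->keyUsage], ENC_ITER, ENC_NID, (char*)password);
        if (!bag) goto loop_end;
        
        // Add name and localKeyId to the key bag
        // TODO extract name from subject DN
        const char *name = "names are not implemented yet";
        if (!X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, MBSTRING_UTF8,
                                     (unsigned char*)name, strlen(name)) ||
            !PKCS12_add_localkeyid(bag, (unsigned char*)&keyid, sizeof(keyid)))
            goto loop_end;
        
        // Add a certificate so we can find the key by the subject name
        // (self-issued from the request, 3650 days of validity)
        cert = X509_REQ_to_X509(reqs->x509, 3650, reqs->privkey);
        if (!cert ||
            !X509_keyid_set1(cert, (unsigned char*)&keyid, sizeof(keyid)))
            goto loop_end;
        
        // NOTE(review): X509_add_ext() copies the extension; whether the
        // object returned by makeKeyUsageExt() needs freeing here depends on
        // that helper, which is outside this function.
        if (!X509_add_ext(cert, makeKeyUsageExt(reqs->pkcs10->keyUsage), -1))
            goto loop_end;
        
        if (!PKCS12_add_cert(&bags, cert))
            goto loop_end;
        
        // Add hostname (FriBID extension) so we can do same-origin checks
        // TODO maybe we should use document.domain instead of document.location.hostname?
        objOwningHost = OBJ_txt2obj(OID_OWNING_HOST, 1);
        if (!objOwningHost) goto loop_end;
        
        // PKCS12_add_cert() appended the certificate bag last
        bag = sk_PKCS12_SAFEBAG_value(bags, sk_PKCS12_SAFEBAG_num(bags)-1);
        if (!X509at_add1_attr_by_OBJ(&bag->attrib, objOwningHost, MBSTRING_UTF8,
                                     (unsigned char*)hostname, strlen(hostname)))
            goto loop_end;
        
        // Add a new authsafe
        if (!PKCS12_add_safe(&authsafes, bags, -1, 0, NULL))
            goto loop_end;
        
        // Success!
        success = true;
        
      loop_end:
        if (!success) {
            // Count failures upwards; the former "error_count--" only
            // worked because the unsigned wrap-around left it non-zero.
            error_count++;
            certutil_updateErrorString();
        }
        ASN1_OBJECT_free(objOwningHost);
        X509_free(cert);
        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
        reqs = reqs->next;
    }
    
    if (error_count != 0)
        goto end;
    
    // Create the PKCS12 wrapper
    p12 = PKCS12_add_safes(authsafes, 0);
    if (!p12) {
        certutil_updateErrorString();
        goto end;
    }
    // Without the MAC the file carries no integrity protection, so a
    // failure to set it is treated like any other OpenSSL failure.
    if (!PKCS12_set_mac(p12, (char*)password, -1, NULL, 0, MAC_ITER, NULL)) {
        certutil_updateErrorString();
        goto end;
    }
    
    // Save file; i2d_PKCS12_fp() returns 1 on success, 0 on failure
    if (i2d_PKCS12_fp(file, p12) > 0) {
        error = TokenError_Success;
    } else {
        certutil_updateErrorString();
    }
    
  end:
    sk_PKCS7_pop_free(authsafes, PKCS7_free);
    PKCS12_free(p12);
    return error;
}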
Esempio n. 8
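/* ChangePasswordPKCS12() returns:
 * -1 Wrong password
 * 0  Changing password failed for unknown reason
 * 1  Password changed successfully
 *
 * Re-encrypts the PKCS #12 file named in the dialog's TEXT_KEYFILE field
 * with the password from EDIT_PSW_NEW after verifying EDIT_PSW_CURRENT
 * against the existing file. Every outcome is reported to the user through
 * ShowLocalizedMsg().
 *
 * The new bundle is DER-encoded in memory before the key file is opened
 * for writing, so a failure while building it can no longer leave the
 * original file truncated. All OpenSSL objects are released on every path
 * (the previous code leaked key, cert and CA stack when PKCS12_create()
 * failed) and both plaintext password buffers are scrubbed before return.
 */
int ChangePasswordPKCS12(HWND hwndDlg)
{
  char keyfile[MAX_PATH];
  char oldpsw[50];
  char newpsw[50];
  WCHAR oldpsw_unicode[50];
  WCHAR newpsw_unicode[50];
  FILE *fp = NULL;

  EVP_PKEY *privkey = NULL;
  X509 *cert = NULL;
  STACK_OF(X509) *ca = NULL;
  PKCS12 *p12 = NULL;
  unsigned char *der = NULL;   /* DER encoding of the new bundle */
  int der_len = 0;
  char *alias;
  int rc = 0;                  /* "failed for unknown reason" unless changed */

  /* Get filename, old_psw and new_psw from Dialog */
  GetDlgItemText(hwndDlg, TEXT_KEYFILE, keyfile, sizeof(keyfile) - 1); 
  GetDlgItemTextW(hwndDlg, EDIT_PSW_CURRENT, oldpsw_unicode, sizeof(oldpsw_unicode)/2 - 1); 
  GetDlgItemTextW(hwndDlg, EDIT_PSW_NEW, newpsw_unicode, sizeof(newpsw_unicode)/2 - 1); 

  /* Convert Unicode to ASCII (CP850). An old password that cannot be
   * converted cannot match the file either, so report it as wrong rather
   * than handing an unconverted buffer to PKCS12_parse(). */
  if (!ConvertUnicode2Ascii(oldpsw_unicode, oldpsw, sizeof(oldpsw)))
    {
      ShowLocalizedMsg(GUI_NAME, ERR_OLD_PWD_INCORRECT, "");
      rc = -1;
      goto cleanup;
    }
  if (!ConvertUnicode2Ascii(newpsw_unicode, newpsw, sizeof(newpsw)))
    {
      ShowLocalizedMsg(GUI_NAME, ERR_INVALID_CHARS_IN_PSW, "");
      rc = -1;
      goto cleanup;
    }

  /* Load the PKCS #12 file */
  if (!(fp = fopen(keyfile, "rb")))
    {
      /* error opening file */
      ShowLocalizedMsg(GUI_NAME, ERR_OPEN_PRIVATE_KEY_FILE, keyfile);
      goto cleanup;
    }
  p12 = d2i_PKCS12_fp(fp, NULL);
  fclose (fp);
  fp = NULL;
  if (!p12) 
    {
      /* error reading PKCS #12 */
      ShowLocalizedMsg(GUI_NAME, ERR_READ_PKCS12, keyfile);
      goto cleanup;
    }

  /* Parse the PKCS #12 file; failure means the old password is wrong */
  if (!PKCS12_parse(p12, oldpsw, &privkey, &cert, &ca))
    {
      ShowLocalizedMsg(GUI_NAME, ERR_OLD_PWD_INCORRECT, ""); 
      rc = -1;
      goto cleanup;
    }

  /* Free old PKCS12 object */
  PKCS12_free(p12);
  p12 = NULL;

  /* Get FriendlyName of old cert */
  alias = X509_alias_get0(cert, NULL);

  /* Create new PKCS12 object under the new password */
  p12 = PKCS12_create(newpsw, alias, privkey, cert, ca, 0,0,0,0,0);
  if (!p12)
    {
      /* create failed */
      ShowLocalizedMsg(GUI_NAME, ERR_CREATE_PKCS12, "");
      goto cleanup;
    }

  /* DER-encode in memory first, so the key file is only truncated once a
   * complete replacement exists. i2d_PKCS12() allocates *der when it is
   * NULL and returns the encoded length, or <= 0 on failure. */
  der_len = i2d_PKCS12(p12, &der);
  if (der_len <= 0)
    {
      ShowLocalizedMsg(GUI_NAME, ERR_CREATE_PKCS12, "");
      goto cleanup;
    }

  /* Open keyfile for writing and replace its contents */
  if (!(fp = fopen(keyfile, "wb")))
    {
      ShowLocalizedMsg(GUI_NAME, ERR_OPEN_WRITE_KEY, keyfile);
      goto cleanup;
    }
  {
    size_t written = fwrite(der, 1, (size_t) der_len, fp);
    int close_rc = fclose(fp);   /* flushes; failure means incomplete file */
    fp = NULL;
    if (written != (size_t) der_len || close_rc != 0)
      {
        /* No dedicated write-failure string exists on this page; the
         * open-for-write message is the closest one available. */
        ShowLocalizedMsg(GUI_NAME, ERR_OPEN_WRITE_KEY, keyfile);
        goto cleanup;
      }
  }

  /* signal success to user */
  ShowLocalizedMsg(GUI_NAME, INFO_PWD_CHANGED, "");
  rc = 1;

cleanup:
  if (fp)
    fclose(fp);
  /* the OpenSSL free functions accept NULL */
  OPENSSL_free(der);
  PKCS12_free(p12);
  EVP_PKEY_free(privkey);
  X509_free(cert);
  sk_X509_pop_free(ca, X509_free);
  /* Scrub both plaintext passwords; a plain memset may be optimised away */
  OPENSSL_cleanse(oldpsw, sizeof(oldpsw));
  OPENSSL_cleanse(newpsw, sizeof(newpsw));
  OPENSSL_cleanse(oldpsw_unicode, sizeof(oldpsw_unicode));
  OPENSSL_cleanse(newpsw_unicode, sizeof(newpsw_unicode));
  return(rc);
}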
Esempio n. 9
// =============================================================
LONGBOW_STOP_DEPRECATED_WARNINGS
// =============================================================

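/*
 * Drain the OpenSSL error queue to stderr, one line per entry.
 */
static void
printOpenSSLErrors(void)
{
    unsigned long errcode;
    while ((errcode = ERR_get_error()) != 0) {
        fprintf(stderr, "openssl error: %s\n", ERR_error_string(errcode, NULL));
    }
}

/**
 * Create a PKCS#12 keystore file holding a freshly generated self-signed
 * certificate and its private key.
 *
 * @param filename     path of the keystore to create (mode 0600, truncated)
 * @param password     passphrase protecting the keystore
 * @param subjectName  subject of the self-signed certificate
 * @param keyLength    key length handed to the certificate factory
 * @param validityDays certificate validity handed to the certificate factory
 * @return true when the keystore was completely written and closed; false
 *         when the certificate could not be generated or the write failed.
 *         Decode failures of the generated objects and file errors trap, in
 *         line with the rest of this function.
 */
bool
parcPkcs12KeyStore_CreateFile(
    const char *filename,
    const char *password,
    const char *subjectName,
    unsigned keyLength,
    unsigned validityDays)
{
    parcSecurity_AssertIsInitialized();

    bool result = false;

    PARCCertificateFactory *factory = parcCertificateFactory_Create(PARCCertificateType_X509, PARCContainerEncoding_DER);

    PARCBuffer *privateKeyBuffer = NULL;
    PARCCertificate *certificate = parcCertificateFactory_CreateSelfSignedCertificate(factory, &privateKeyBuffer, (char *) subjectName, keyLength, validityDays);

    parcCertificateFactory_Release(&factory);

    if (certificate != NULL) {
        // construct the full PKCS12 keystore to hold the certificate and private key

        // Decode the private key (DER) into an OpenSSL object
        EVP_PKEY *privateKey = NULL;
        uint8_t *privateKeyBytes = parcBuffer_Overlay(privateKeyBuffer, parcBuffer_Limit(privateKeyBuffer));
        d2i_PrivateKey(EVP_PKEY_RSA, &privateKey, (const unsigned char **) &privateKeyBytes, parcBuffer_Limit(privateKeyBuffer));
        parcBuffer_Release(&privateKeyBuffer);

        // Decode the certificate (DER) into an OpenSSL object
        // NOTE(review): certBuffer is not released here, as before; confirm
        // whether parcCertificate_GetDEREncodedCertificate() hands over a reference.
        PARCBuffer *certBuffer = parcCertificate_GetDEREncodedCertificate(certificate);
        uint8_t *certBytes = parcBuffer_Overlay(certBuffer, parcBuffer_Limit(certBuffer));
        X509 *cert = NULL;
        d2i_X509(&cert, (const unsigned char **) &certBytes, parcBuffer_Limit(certBuffer));

        parcCertificate_Release(&certificate);

        // Both decodes work on data generated a moment ago; a failure is a
        // programming error, not a condition to recover from. Previously the
        // NULL objects were passed on to PKCS12_create().
        if (privateKey == NULL || cert == NULL) {
            printOpenSSLErrors();
            X509_free(cert);
            EVP_PKEY_free(privateKey);
            trapUnrecoverableState("Cannot decode the generated private key or certificate.");
        }

        PKCS12 *pkcs12 = PKCS12_create((char *) password,
                                       "ccnxuser",
                                       privateKey,
                                       cert,
                                       NULL,
                                       0,
                                       0,
                                       0 /*default iter*/,
                                       PKCS12_DEFAULT_ITER /*mac_iter*/,
                                       0);

        if (pkcs12 != NULL) {
            int fd = open(filename, O_CREAT | O_WRONLY | O_TRUNC, 0600);
            if (fd != -1) {
                FILE *fp = fdopen(fd, "wb");
                if (fp != NULL) {
                    // Success only when the encoding was written and flushed;
                    // i2d_PKCS12_fp() returns 1 on success, 0 on failure.
                    bool written = i2d_PKCS12_fp(fp, pkcs12) > 0;
                    // fclose() also closes fd. The former close(fd) after it
                    // hit whatever descriptor had been handed out since.
                    bool closed = fclose(fp) == 0;
                    result = written && closed;
                } else {
                    close(fd);
                    trapUnrecoverableState("Cannot fdopen(3) the file descriptor %d", fd);
                }
            } else {
                trapUnrecoverableState("Cannot open(2) the file '%s': %s", filename, strerror(errno));
            }
            PKCS12_free(pkcs12);
            X509_free(cert);
            EVP_PKEY_free(privateKey);
        } else {
            printOpenSSLErrors();
            trapUnrecoverableState("PKCS12_create returned a NULL value.");
        }
    }

    return result;
}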