/* This function take a user certificate and a private key in x509 format and convert it into pkcs12 format. This function returns -1 if a problem occurs, 0 otherwise */ int convert_x509_to_p12(char *privkey, char *clicert, char *p12cert) { X509 *cert; PKCS12 *p12; EVP_PKEY *cert_privkey; FILE *certfile, *keyfile, *p12file; int bytes = 0; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); /* Read the private key file */ if ((cert_privkey = EVP_PKEY_new()) == NULL){ printf("Error creating EVP_PKEY structure.\n"); return -1; } if (! (keyfile = fopen(privkey, "r"))){ printf("Error cant read certificate private key file.\n"); return -1; } if (! (cert_privkey = PEM_read_PrivateKey(keyfile, NULL, NULL, NULL))){ printf("Error loading certificate private key content.\n"); return -1; } fclose(keyfile); /* Read the user certificate */ if (! (certfile = fopen(clicert, "r"))){ printf("Error cant read certificate file.\n"); return -1; } if (! (cert = PEM_read_X509(certfile, NULL, NULL, NULL))){ printf("Error loading cert into memory.\n"); return -1; } fclose(certfile); /* Generate the p12 certificate */ if ((p12 = PKCS12_new()) == NULL){ printf("Error creating PKCS12 structure.\n"); return -1;} p12 = PKCS12_create(NULL, NULL, cert_privkey, cert, NULL, 0, 0, 0, 0, 0); if ( p12 == NULL){ printf("Error generating a valid PKCS12 certificate.\n"); return -1; } if (! (p12file = fopen(p12cert, "w"))){ printf("Error cant open pkcs12 certificate file for writing.\n"); return -1; } bytes = i2d_PKCS12_fp(p12file, p12); if (bytes <= 0){ printf("Error writing PKCS12 certificate.\n"); return -1; } fclose(p12file); PKCS12_free(p12); X509_free(cert); EVP_PKEY_free(cert_privkey); return 0; }
void pki_pkcs12::writePKCS12(const QString fname) { Passwd pass; pass_info p(XCA_TITLE, tr("Please enter the password to encrypt the PKCS#12 file")); if (cert == NULL || key == NULL) { my_error(tr("No key or no Cert and no pkcs12")); } FILE *fp = fopen(QString2filename(fname), "wb"); if (fp != NULL) { if (PwDialog::execute(&p, &pass, true) != 1) { fclose(fp); return; } PKCS12 *pkcs12 = PKCS12_create(pass.data(), getIntName().toUtf8().data(), key->decryptKey(), cert->getCert(), certstack, 0, 0, 0, 0, 0); i2d_PKCS12_fp(fp, pkcs12); fclose (fp); openssl_error(); PKCS12_free(pkcs12); } else fopen_error(fname); }
void saveCertKeyPair(const char* certFile, const char* p12File, const char* keyPairFile, CertKeyPair certKeyPair) { FILE* certFilePtr = fopen(certFile, "w"); FILE* keyPairFilePtr = fopen(keyPairFile, "w"); FILE* p12FilePtr = fopen(p12File, "wb"); //TODO: error check PEM_write_PrivateKey(keyPairFilePtr, certKeyPair.pkey, NULL, NULL, 0, NULL, NULL); PEM_write_X509(certFilePtr, certKeyPair.x509); i2d_PKCS12_fp(p12FilePtr, certKeyPair.p12); fclose(p12FilePtr); fclose(certFilePtr); fclose(keyPairFilePtr); }
void pki_pkcs12::writePKCS12(const QString fname) { char pass[MAX_PASS_LENGTH]; pass_info p(XCA_TITLE, tr("Please enter the password to encrypt the PKCS#12 file")); if (cert == NULL || key == NULL) { my_error(tr("No key or no Cert and no pkcs12")); } FILE *fp = fopen(QString2filename(fname), "wb"); if (fp != NULL) { passcb(pass, MAX_PASS_LENGTH, 0, &p); PKCS12 *pkcs12 = PKCS12_create(pass, getIntName().toUtf8().data(), key->decryptKey(), cert->getCert(), certstack, 0, 0, 0, 0, 0); i2d_PKCS12_fp(fp, pkcs12); openssl_error(); fclose (fp); PKCS12_free(pkcs12); } else fopen_error(fname); }
int main(int argc, char **argv) { FILE *fp; EVP_PKEY *pkey; X509 *cert; PKCS12 *p12; if (argc != 5) { fprintf(stderr, "Usage: pkwrite infile password name p12file\n"); exit(1); } SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); if (!(fp = fopen(argv[1], "r"))) { fprintf(stderr, "Error opening file %s\n", argv[1]); exit(1); } cert = PEM_read_X509(fp, NULL, NULL, NULL); rewind(fp); pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL); fclose(fp); p12 = PKCS12_create(argv[2], argv[3], pkey, cert, NULL, 0,0,0,0,0); if(!p12) { fprintf(stderr, "Error creating PKCS#12 structure\n"); ERR_print_errors_fp(stderr); exit(1); } if (!(fp = fopen(argv[4], "wb"))) { fprintf(stderr, "Error opening file %s\n", argv[1]); ERR_print_errors_fp(stderr); exit(1); } i2d_PKCS12_fp(fp, p12); PKCS12_free(p12); fclose(fp); return 0; }
void openssl_pkcs12_cert() { FILE *tmpfile; PKCS12 *pkcs12s; EVP_PKEY *certprk; X509 *cscert, *cacert; STACK_OF(X509) * cacerts; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); certprk = EVP_PKEY_new(); tmpfile = fopen(PKEYF, "r"); certprk = PEM_read_PrivateKey(tmpfile, NULL, NULL, NULL); fclose(tmpfile); tmpfile = fopen(PCERTF, "r"); cscert = PEM_read_X509(tmpfile, NULL, NULL, NULL); fclose(tmpfile); tmpfile = fopen(RCERTF, "r"); cacert = PEM_read_X509(tmpfile, NULL, NULL, NULL); fclose(tmpfile); pkcs12s = PKCS12_new(); cacerts = sk_X509_new_null(); sk_X509_push(cacerts, cacert); pkcs12s = PKCS12_create("beike2012", "mypkcs12", certprk, cscert, cacerts, 0, 0, 0, 0, 0); tmpfile = fopen(PKCS12F, "w"); if (i2d_PKCS12_fp(tmpfile, pkcs12s) <= 0) openssl_error_show("i2d_PKCS12_fp", 1); fclose(tmpfile); sk_X509_free(cacerts); PKCS12_free(pkcs12s); }
static TokenError saveKeys(const CertReq *reqs, const char *hostname, const char *password, FILE *file) { TokenError error = TokenError_Unknown; PKCS12 *p12 = NULL; // Add PKCS7 safes with the keys STACK_OF(PKCS7) *authsafes = NULL; uint32_t localKeyId = 0; size_t error_count = 0; while (reqs) { STACK_OF(PKCS12_SAFEBAG) *bags = NULL; X509 *cert = NULL; ASN1_OBJECT *objOwningHost = NULL; uint32_t keyid = htonl(localKeyId++); bool success = false; // Add private key PKCS12_SAFEBAG *bag = PKCS12_add_key(&bags, reqs->privkey, opensslKeyUsages[reqs->pkcs10->keyUsage], ENC_ITER, ENC_NID, (char*)password); if (!bag) goto loop_end; // Add name and localKeyId to the key bag // TODO extract name from subject DN char *name = "names are not implemented yet"; if (!X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName, MBSTRING_UTF8, (unsigned char*)name, strlen(name)) || !PKCS12_add_localkeyid(bag, (unsigned char*)&keyid, sizeof(keyid))) goto loop_end; // Add a certificate so we can find the key by the subject name cert = X509_REQ_to_X509(reqs->x509, 3650, reqs->privkey); if (!cert || !X509_keyid_set1(cert, (unsigned char*)&keyid, sizeof(keyid))) goto loop_end; if (!X509_add_ext(cert, makeKeyUsageExt(reqs->pkcs10->keyUsage), -1)) goto loop_end; if (!PKCS12_add_cert(&bags, cert)) goto loop_end; // Add hostname (FriBID extension) so we can do same-origin checks // TODO maybe we should use document.domain instead of document.location.hostname? objOwningHost = OBJ_txt2obj(OID_OWNING_HOST, 1); if (!objOwningHost) goto loop_end; bag = sk_PKCS12_SAFEBAG_value(bags, sk_PKCS12_SAFEBAG_num(bags)-1); if (!X509at_add1_attr_by_OBJ(&bag->attrib, objOwningHost, MBSTRING_UTF8, (unsigned char*)hostname, strlen(hostname))) goto loop_end; // Add a new authsafe if (!PKCS12_add_safe(&authsafes, bags, -1, 0, NULL)) goto loop_end; // Success! success = true; loop_end: if (!success) { error_count--; certutil_updateErrorString(); } ASN1_OBJECT_free(objOwningHost); X509_free(cert); sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); reqs = reqs->next; } if (error_count != 0) goto end; // Create the PKCS12 wrapper p12 = PKCS12_add_safes(authsafes, 0); if (!p12) { certutil_updateErrorString(); goto end; } PKCS12_set_mac(p12, (char*)password, -1, NULL, 0, MAC_ITER, NULL); // Save file if (i2d_PKCS12_fp(file, p12)) { error = TokenError_Success; } end: sk_PKCS7_pop_free(authsafes, PKCS7_free); PKCS12_free(p12); return error; }
/* ChangePasswordPKCS12() returns: * -1 Wrong password * 0 Changing password failed for unknown reason * 1 Password changed successfully */ int ChangePasswordPKCS12(HWND hwndDlg) { char keyfile[MAX_PATH]; char oldpsw[50]; char newpsw[50]; WCHAR oldpsw_unicode[50]; WCHAR newpsw_unicode[50]; FILE *fp; EVP_PKEY *privkey; X509 *cert; STACK_OF(X509) *ca = NULL; PKCS12 *p12; PKCS12 *new_p12; char *alias; /* Get filename, old_psw and new_psw from Dialog */ GetDlgItemText(hwndDlg, TEXT_KEYFILE, keyfile, sizeof(keyfile) - 1); GetDlgItemTextW(hwndDlg, EDIT_PSW_CURRENT, oldpsw_unicode, sizeof(oldpsw_unicode)/2 - 1); GetDlgItemTextW(hwndDlg, EDIT_PSW_NEW, newpsw_unicode, sizeof(newpsw_unicode)/2 - 1); /* Convert Unicode to ASCII (CP850) */ ConvertUnicode2Ascii(oldpsw_unicode, oldpsw, sizeof(oldpsw)); if (!ConvertUnicode2Ascii(newpsw_unicode, newpsw, sizeof(newpsw))) { ShowLocalizedMsg(GUI_NAME, ERR_INVALID_CHARS_IN_PSW, ""); return(-1); } /* Load the PKCS #12 file */ if (!(fp = fopen(keyfile, "rb"))) { /* error opening file */ ShowLocalizedMsg(GUI_NAME, ERR_OPEN_PRIVATE_KEY_FILE, keyfile); return(0); } p12 = d2i_PKCS12_fp(fp, NULL); fclose (fp); if (!p12) { /* error reading PKCS #12 */ ShowLocalizedMsg(GUI_NAME, ERR_READ_PKCS12, keyfile); return(0); } /* Parse the PKCS #12 file */ if (!PKCS12_parse(p12, oldpsw, &privkey, &cert, &ca)) { /* old password incorrect */ ShowLocalizedMsg(GUI_NAME, ERR_OLD_PWD_INCORRECT, ""); PKCS12_free(p12); return(-1); } /* Free old PKCS12 object */ PKCS12_free(p12); /* Get FriendlyName of old cert */ alias = X509_alias_get0(cert, NULL); /* Create new PKCS12 object */ p12 = PKCS12_create(newpsw, alias, privkey, cert, ca, 0,0,0,0,0); if (!p12) { /* create failed */ //ShowMsg(GUI_NAME, ERR_error_string(ERR_peek_last_error(), NULL)); ShowLocalizedMsg(GUI_NAME, ERR_CREATE_PKCS12, ""); return(0); } /* Free old key, cert and ca */ EVP_PKEY_free(privkey); X509_free(cert); sk_X509_pop_free(ca, X509_free); /* Open keyfile for writing */ if (!(fp = fopen(keyfile, "wb"))) { ShowLocalizedMsg(GUI_NAME, ERR_OPEN_WRITE_KEY, keyfile); PKCS12_free(p12); return(0); } /* Write new key to file */ i2d_PKCS12_fp(fp, p12); PKCS12_free(p12); fclose(fp); /* signal success to user */ ShowLocalizedMsg(GUI_NAME, INFO_PWD_CHANGED, ""); return(1); }
// ============================================================= LONGBOW_STOP_DEPRECATED_WARNINGS // ============================================================= bool parcPkcs12KeyStore_CreateFile( const char *filename, const char *password, const char *subjectName, unsigned keyLength, unsigned validityDays) { parcSecurity_AssertIsInitialized(); bool result = false; PARCCertificateFactory *factory = parcCertificateFactory_Create(PARCCertificateType_X509, PARCContainerEncoding_DER); PARCBuffer *privateKeyBuffer; PARCCertificate *certificate = parcCertificateFactory_CreateSelfSignedCertificate(factory, &privateKeyBuffer, (char *) subjectName, keyLength, validityDays); parcCertificateFactory_Release(&factory); if (certificate != NULL) { // construct the full PKCS12 keystore to hold the certificate and private key // Extract the private key EVP_PKEY *privateKey = NULL; uint8_t *privateKeyBytes = parcBuffer_Overlay(privateKeyBuffer, parcBuffer_Limit(privateKeyBuffer)); d2i_PrivateKey(EVP_PKEY_RSA, &privateKey, (const unsigned char **) &privateKeyBytes, parcBuffer_Limit(privateKeyBuffer)); parcBuffer_Release(&privateKeyBuffer); // Extract the certificate PARCBuffer *certBuffer = parcCertificate_GetDEREncodedCertificate(certificate); uint8_t *certBytes = parcBuffer_Overlay(certBuffer, parcBuffer_Limit(certBuffer)); X509 *cert = NULL; d2i_X509(&cert, (const unsigned char **) &certBytes, parcBuffer_Limit(certBuffer)); parcCertificate_Release(&certificate); PKCS12 *pkcs12 = PKCS12_create((char *) password, "ccnxuser", privateKey, cert, NULL, 0, 0, 0 /*default iter*/, PKCS12_DEFAULT_ITER /*mac_iter*/, 0); if (pkcs12 != NULL) { int fd = open(filename, O_CREAT | O_WRONLY | O_TRUNC, 0600); if (fd != -1) { FILE *fp = fdopen(fd, "wb"); if (fp != NULL) { i2d_PKCS12_fp(fp, pkcs12); fclose(fp); result = true; } else { trapUnrecoverableState("Cannot fdopen(3) the file descriptor %d", fd); } close(fd); } else { trapUnrecoverableState("Cannot open(2) the file '%s': %s", filename, strerror(errno)); } PKCS12_free(pkcs12); X509_free(cert); EVP_PKEY_free(privateKey); } else { unsigned long errcode; while ((errcode = ERR_get_error()) != 0) { fprintf(stderr, "openssl error: %s\n", ERR_error_string(errcode, NULL)); } trapUnrecoverableState("PKCS12_create returned a NULL value."); } } return result; }