void pki_evp::writePKCS8(const QString fname, const EVP_CIPHER *enc,
pem_password_cb *cb, bool pem)
{
EVP_PKEY *pkey;
pass_info p(XCA_TITLE, tr("Please enter the password protecting the PKCS#8 key '%1'").arg(getIntName()));
FILE *fp = fopen(QString2filename(fname), "w");
if (fp != NULL) {
if (key) {
pkey = decryptKey();
if (pkey) {
if (pem)
PEM_write_PKCS8PrivateKey(fp, pkey, enc, NULL, 0, cb, &p);
else
i2d_PKCS8PrivateKey_fp(fp, pkey, enc, NULL, 0, cb, &p);
EVP_PKEY_free(pkey);
}
}
fclose(fp);
pki_openssl_error();
} else
fopen_error(fname);
}
void pki_crl::fload(const QString fname)
{
FILE *fp = fopen(QString2filename(fname), "r");
X509_CRL *_crl;
if (fp != NULL) {
_crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
if (!_crl) {
pki_ign_openssl_error();
rewind(fp);
_crl = d2i_X509_CRL_fp(fp, NULL);
}
fclose(fp);
if (pki_ign_openssl_error()) {
if (_crl)
X509_CRL_free(_crl);
throw errorEx(tr("Unable to load the revokation list in file %1. Tried PEM and DER formatted CRL.").arg(fname));
}
if (crl)
X509_CRL_free(crl);
crl = _crl;
setIntName(rmslashdot(fname));
pki_openssl_error();
} else
fopen_error(fname);
}
void pki_evp::writeKey(const QString fname, const EVP_CIPHER *enc,
pem_password_cb *cb, bool pem)
{
EVP_PKEY *pkey;
pass_info p(XCA_TITLE, tr("Please enter the export password for the private key '%1'").arg(getIntName()));
if (isPubKey()) {
writePublic(fname, pem);
return;
}
FILE *fp = fopen(QString2filename(fname), "w");
if (!fp) {
fopen_error(fname);
return;
}
if (key){
pkey = decryptKey();
if (pkey) {
if (pem) {
PEM_write_PrivateKey(fp, pkey, enc, NULL, 0, cb, &p);
} else {
i2d_PrivateKey_fp(fp, pkey);
}
EVP_PKEY_free(pkey);
}
pki_openssl_error();
}
fclose(fp);
}
void pki_pkcs12::writePKCS12(const QString fname)
{
Passwd pass;
pass_info p(XCA_TITLE, tr("Please enter the password to encrypt the PKCS#12 file"));
if (cert == NULL || key == NULL) {
my_error(tr("No key or no Cert and no pkcs12"));
}
FILE *fp = fopen(QString2filename(fname), "wb");
if (fp != NULL) {
if (PwDialog::execute(&p, &pass, true) != 1) {
fclose(fp);
return;
}
PKCS12 *pkcs12 = PKCS12_create(pass.data(),
getIntName().toUtf8().data(),
key->decryptKey(),
cert->getCert(), certstack, 0, 0, 0, 0, 0);
i2d_PKCS12_fp(fp, pkcs12);
fclose (fp);
openssl_error();
PKCS12_free(pkcs12);
}
else fopen_error(fname);
}
pki_pkcs12::pki_pkcs12(const QString fname, pem_password_cb *cb)
:pki_base(fname)
{
FILE *fp;
char pass[MAX_PASS_LENGTH];
EVP_PKEY *mykey = NULL;
X509 *mycert = NULL;
key=NULL; cert=NULL;
passcb = cb;
class_name="pki_pkcs12";
certstack = sk_X509_new_null();
pass_info p(XCA_TITLE, tr("Please enter the password to decrypt the PKCS#12 file.")
+ "\n'" + fname + "'");
fp = fopen(QString2filename(fname), "rb");
if (fp) {
PKCS12 *pkcs12 = d2i_PKCS12_fp(fp, NULL);
fclose(fp);
if (ign_openssl_error()) {
if (pkcs12)
PKCS12_free(pkcs12);
throw errorEx(tr("Unable to load the PKCS#12 (pfx) file %1.").arg(fname));
}
if (PKCS12_verify_mac(pkcs12, "", 0) || PKCS12_verify_mac(pkcs12, NULL, 0))
pass[0] = '\0';
else if (passcb(pass, MAX_PASS_LENGTH, 0, &p) < 0) {
/* cancel pressed */
PKCS12_free(pkcs12);
throw errorEx("","");
}
PKCS12_parse(pkcs12, pass, &mykey, &mycert, &certstack);
int error = ERR_peek_error();
if (ERR_GET_REASON(error) == PKCS12_R_MAC_VERIFY_FAILURE) {
ign_openssl_error();
PKCS12_free(pkcs12);
throw errorEx(getClassName(), tr("The supplied password was wrong (%1)").arg(ERR_reason_error_string(error)));
}
ign_openssl_error();
if (mycert) {
if (mycert->aux && mycert->aux->alias) {
alias = asn1ToQString(mycert->aux->alias);
alias = QString::fromUtf8(alias.toAscii());
}
cert = new pki_x509(mycert);
if (alias.isEmpty()) {
cert->autoIntName();
} else {
cert->setIntName(alias);
}
alias = cert->getIntName();
}
if (mykey) {
key = new pki_evp(mykey);
key->setIntName(alias + "_key");
key->bogusEncryptKey();
}
PKCS12_free(pkcs12);
} else
fopen_error(fname);
}
void pki_pkcs7::encryptFile(pki_x509 *crt, QString filename)
{
BIO *bio = NULL;
bio = BIO_new_file(QString2filename(filename), "r");
openssl_error();
encryptBio(crt, bio);
BIO_free(bio);
}
void pki_pkcs7::signFile(pki_x509 *crt, QString filename)
{
BIO *bio;
if (!crt)
return;
bio = BIO_new_file(QString2filename(filename), "r");
openssl_error();
signBio(crt, bio);
BIO_free(bio);
}
void pki_multi::fload(const QString fname)
{
FILE * fp;
BIO *bio = NULL;
fp = fopen(QString2filename(fname), "r");
if (!fp) {
fopen_error(fname);
return;
}
bio = BIO_new_fp(fp, BIO_CLOSE);
fromPEM_BIO(bio, fname);
BIO_free(bio);
};
void pki_key::writePublic(const QString fname, bool pem)
{
FILE *fp = fopen(QString2filename(fname), "w");
if (fp == NULL) {
fopen_error(fname);
return;
}
if (pem)
PEM_write_PUBKEY(fp, key);
else
i2d_PUBKEY_fp(fp, key);
fclose(fp);
pki_openssl_error();
}
void pki_x509req::writeReq(const QString fname, bool pem)
{
FILE *fp = fopen(QString2filename(fname), "w");
if (fp) {
if (request){
if (pem)
PEM_write_X509_REQ(fp, request);
else
i2d_X509_REQ_fp(fp, request);
}
fclose(fp);
pki_openssl_error();
} else
fopen_error(fname);
}
void pki_crl::writeCrl(const QString fname, bool pem)
{
FILE *fp = fopen(QString2filename(fname), "w");
if (fp != NULL) {
if (crl){
if (pem)
PEM_write_X509_CRL(fp, crl);
else
i2d_X509_CRL_fp(fp, crl);
}
fclose(fp);
pki_openssl_error();
} else
fopen_error(fname);
}
int MainWindow::open_default_db()
{
if (!dbfile.isEmpty())
return 0;
FILE *fp = fopen(QString2filename(getUserSettingsDir() +
QDir::separator() + "defaultdb"), "r");
if (!fp)
return 0;
char buff[256];
size_t len = fread(buff, 1, 255, fp);
fclose(fp);
buff[len] = 0;
dbfile = filename2QString(buff).trimmed();
if (QFile::exists(dbfile))
return init_database();
return 0;
}
void MainWindow::default_database()
{
QFileInfo fi(dbfile);
QString dir = getUserSettingsDir();
FILE *fp;
QDir d;
d.mkpath(dir);
fp = fopen(QString2filename(dir +QDir::separator() +"defaultdb"), "w");
if (fp) {
QByteArray ba;
ba = filename2bytearray(fi.canonicalFilePath() + "\n");
fwrite(ba.constData(), ba.size(), 1, fp);
fclose(fp);
}
}
void pki_pkcs12::writePKCS12(const QString fname)
{
char pass[MAX_PASS_LENGTH];
pass_info p(XCA_TITLE, tr("Please enter the password to encrypt the PKCS#12 file"));
if (cert == NULL || key == NULL) {
my_error(tr("No key or no Cert and no pkcs12"));
}
FILE *fp = fopen(QString2filename(fname), "wb");
if (fp != NULL) {
passcb(pass, MAX_PASS_LENGTH, 0, &p);
PKCS12 *pkcs12 = PKCS12_create(pass,
getIntName().toUtf8().data(),
key->decryptKey(),
cert->getCert(), certstack, 0, 0, 0, 0, 0);
i2d_PKCS12_fp(fp, pkcs12);
openssl_error();
fclose (fp);
PKCS12_free(pkcs12);
}
else fopen_error(fname);
}
void pki_x509req::fload(const QString fname)
{
FILE *fp = fopen(QString2filename(fname), "r");
X509_REQ *_req;
int ret = 0;
if (fp != NULL) {
_req = PEM_read_X509_REQ(fp, NULL, NULL, NULL);
if (!_req) {
pki_ign_openssl_error();
rewind(fp);
_req = d2i_X509_REQ_fp(fp, NULL);
}
fclose(fp);
// SPKAC
if (!_req) {
pki_ign_openssl_error();
ret = load_spkac(fname);
}
if (ret || pki_ign_openssl_error()) {
if (_req)
X509_REQ_free(_req);
throw errorEx(tr("Unable to load the certificate request in file %1. Tried PEM, DER and SPKAC format.").arg(fname));
}
} else {
fopen_error(fname);
return;
}
if (_req) {
X509_REQ_free(request);
request = _req;
}
autoIntName();
if (getIntName().isEmpty())
setIntName(rmslashdot(fname));
openssl_error(fname);
}
int MainWindow::init_database()
{
int ret = 2;
fprintf(stderr, "Opening database: %s\n", QString2filename(dbfile));
keys = NULL; reqs = NULL; certs = NULL; temps = NULL; crls = NULL;
certView->setRootIsDecorated(db_x509::treeview);
try {
ret = initPass();
if (ret == 2)
return ret;
keys = new db_key(dbfile, this);
reqs = new db_x509req(dbfile, this);
certs = new db_x509(dbfile, this);
temps = new db_temp(dbfile, this);
crls = new db_crl(dbfile, this);
}
catch (errorEx &err) {
Error(err);
dbfile = "";
return ret;
}
mandatory_dn = "";
string_opt = QString("MASK:0x2002");
ASN1_STRING_set_default_mask_asc((char*)CCHAR(string_opt));
hashBox::resetDefault();
pkcs11path = getDefaultPkcs11Lib();
workingdir = QDir::currentPath();
setOptFlags((QString()));
try {
pkcs11_lib p(pkcs11path);
} catch (errorEx &e) {
pkcs11path = QString();
}
connect( keys, SIGNAL(newKey(pki_key *)),
certs, SLOT(newKey(pki_key *)) );
connect( keys, SIGNAL(delKey(pki_key *)),
certs, SLOT(delKey(pki_key *)) );
connect( keys, SIGNAL(newKey(pki_key *)),
reqs, SLOT(newKey(pki_key *)) );
connect( keys, SIGNAL(delKey(pki_key *)),
reqs, SLOT(delKey(pki_key *)) );
connect( certs, SIGNAL(connNewX509(NewX509 *)), this,
SLOT(connNewX509(NewX509 *)) );
connect( reqs, SIGNAL(connNewX509(NewX509 *)), this,
SLOT(connNewX509(NewX509 *)) );
connect( reqs, SIGNAL(newCert(pki_x509req *)),
certs, SLOT(newCert(pki_x509req *)) );
connect( temps, SIGNAL(newCert(pki_temp *)),
certs, SLOT(newCert(pki_temp *)) );
connect( temps, SIGNAL(newReq(pki_temp *)),
reqs, SLOT(newItem(pki_temp *)) );
keyView->setIconSize(pki_evp::icon[0]->size());
reqView->setIconSize(pki_x509req::icon[0]->size());
certView->setIconSize(pki_x509::icon[0]->size());
tempView->setIconSize(pki_temp::icon->size());
crlView->setIconSize(pki_crl::icon->size());
keyView->setModel(keys);
reqView->setModel(reqs);
certView->setModel(certs);
tempView->setModel(temps);
crlView->setModel(crls);
try {
db mydb(dbfile);
char *p;
if (!mydb.find(setting, "workingdir")) {
if ((p = (char *)mydb.load(NULL))) {
workingdir = p;
free(p);
}
}
mydb.first();
if (!mydb.find(setting, "pkcs11path")) {
if ((p = (char *)mydb.load(NULL))) {
pkcs11path = p;
free(p);
}
}
mydb.first();
if (!mydb.find(setting, "default_hash")) {
if ((p = (char *)mydb.load(NULL))) {
hashBox::setDefault(p);
free(p);
}
}
mydb.first();
if (!mydb.find(setting, "mandatory_dn")) {
if ((p = (char *)mydb.load(NULL))) {
mandatory_dn = p;
free(p);
}
}
// what a stupid idea....
mydb.first();
if (!mydb.find(setting, "multiple_key_use")) {
mydb.erase();
}
mydb.first();
if (!mydb.find(setting, "string_opt")) {
if ((p = (char *)mydb.load(NULL))) {
string_opt = p;
free(p);
}
}
mydb.first();
if (!mydb.find(setting, "suppress")) {
if ((p = (char *)mydb.load(NULL))) {
QString x = p;
free(p);
if (x == "1")
pki_base::suppress_messages = 1;
}
}
mydb.first();
if (!mydb.find(setting, "optionflags")) {
if ((p = (char *)mydb.load(NULL))) {
setOptFlags((QString(p)));
free(p);
}
}
ASN1_STRING_set_default_mask_asc((char*)CCHAR(string_opt));
mydb.first();
if (!mydb.find(setting, "mw_geometry")) {
db_header_t h;
if ((p = (char *)mydb.load(&h))) {
if (h.version == 1) {
QByteArray ba;
ba = QByteArray::fromRawData(p, h.len);
int w, h, i;
w = db::intFromData(ba);
h = db::intFromData(ba);
i = db::intFromData(ba);
resize(w,h);
if (i != -1)
tabView->setCurrentIndex(i);
}
free(p);
}
}
} catch (errorEx &err) {
Error(err);
return ret;
}
setWindowTitle(tr(XCA_TITLE));
setItemEnabled(true);
if (pki_evp::passwd.isNull())
QMessageBox::information(this, XCA_TITLE,
tr("Using or exporting private keys will not be possible without providing the correct password"));
dbindex->setText(tr("Database") + ":" + dbfile);
load_engine();
return ret;
}
void pki_evp::fload(const QString fname)
{
pass_info p(XCA_TITLE, qApp->translate("MainWindow",
"Please enter the password to decrypt the private key: '%1'").
arg(fname));
pem_password_cb *cb = MainWindow::passRead;
FILE *fp = fopen(QString2filename(fname), "r");
EVP_PKEY *pkey;
pki_ign_openssl_error();
if (!fp) {
fopen_error(fname);
return;
}
pkey = PEM_read_PrivateKey(fp, NULL, cb, &p);
if (!pkey) {
if (ERR_get_error() == 0x06065064) {
fclose(fp);
pki_ign_openssl_error();
throw errorEx(tr("Failed to decrypt the key (bad password) ") +
fname, class_name);
}
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = d2i_PrivateKey_fp(fp, NULL);
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = d2i_PKCS8PrivateKey_fp(fp, NULL, cb, &p);
}
if (!pkey) {
PKCS8_PRIV_KEY_INFO *p8inf;
pki_ign_openssl_error();
rewind(fp);
p8inf = d2i_PKCS8_PRIV_KEY_INFO_fp(fp, NULL);
if (p8inf) {
pkey = EVP_PKCS82PKEY(p8inf);
PKCS8_PRIV_KEY_INFO_free(p8inf);
}
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = PEM_read_PUBKEY(fp, NULL, cb, &p);
}
if (!pkey) {
pki_ign_openssl_error();
rewind(fp);
pkey = d2i_PUBKEY_fp(fp, NULL);
}
fclose(fp);
if (pki_ign_openssl_error()) {
if (pkey)
EVP_PKEY_free(pkey);
throw errorEx(tr("Unable to load the private key in file %1. Tried PEM and DER private, public and PKCS#8 key types.").arg(fname));
}
if (pkey){
if (pkey->type == EVP_PKEY_EC)
search_ec_oid(pkey->pkey.ec);
if (key)
EVP_PKEY_free(key);
key = pkey;
if (EVP_PKEY_isPrivKey(key))
bogusEncryptKey();
setIntName(rmslashdot(fname));
}
}
int MainWindow::init_database()
{
int ret = 2;
qDebug("Opening database: %s", QString2filename(dbfile));
keys = NULL; reqs = NULL; certs = NULL; temps = NULL; crls = NULL;
Entropy::seed_rng();
certView->setRootIsDecorated(db_x509::treeview);
try {
ret = initPass();
if (ret == 2)
return ret;
keys = new db_key(dbfile, this);
reqs = new db_x509req(dbfile, this);
certs = new db_x509(dbfile, this);
temps = new db_temp(dbfile, this);
crls = new db_crl(dbfile, this);
certs->updateAfterDbLoad();
}
catch (errorEx &err) {
Error(err);
dbfile = "";
return ret;
}
searchEdit->setText("");
searchEdit->show();
statusBar()->addWidget(searchEdit, 1);
mandatory_dn = "";
explicit_dn = explicit_dn_default;
string_opt = QString("MASK:0x2002");
ASN1_STRING_set_default_mask_asc((char*)CCHAR(string_opt));
hashBox::resetDefault();
pkcs11path = QString();
workingdir = QDir::currentPath();
setOptFlags((QString()));
connect( keys, SIGNAL(newKey(pki_key *)),
certs, SLOT(newKey(pki_key *)) );
connect( keys, SIGNAL(delKey(pki_key *)),
certs, SLOT(delKey(pki_key *)) );
connect( keys, SIGNAL(newKey(pki_key *)),
reqs, SLOT(newKey(pki_key *)) );
connect( keys, SIGNAL(delKey(pki_key *)),
reqs, SLOT(delKey(pki_key *)) );
connect( certs, SIGNAL(connNewX509(NewX509 *)), this,
SLOT(connNewX509(NewX509 *)) );
connect( reqs, SIGNAL(connNewX509(NewX509 *)), this,
SLOT(connNewX509(NewX509 *)) );
connect( reqs, SIGNAL(newCert(pki_x509req *)),
certs, SLOT(newCert(pki_x509req *)) );
connect( tempView, SIGNAL(newCert(pki_temp *)),
certs, SLOT(newCert(pki_temp *)) );
connect( tempView, SIGNAL(newReq(pki_temp *)),
reqs, SLOT(newItem(pki_temp *)) );
keyView->setIconSize(pki_evp::icon[0]->size());
reqView->setIconSize(pki_x509req::icon[0]->size());
certView->setIconSize(pki_x509::icon[0]->size());
tempView->setIconSize(pki_temp::icon->size());
crlView->setIconSize(pki_crl::icon->size());
keyView->setModel(keys);
reqView->setModel(reqs);
certView->setModel(certs);
tempView->setModel(temps);
crlView->setModel(crls);
try {
db mydb(dbfile);
while (mydb.find(setting, QString()) == 0) {
QString key;
db_header_t head;
char *p = (char *)mydb.load(&head);
if (!p) {
if (mydb.next())
break;
continue;
}
key = head.name;
if (key == "workingdir")
workingdir = p;
else if (key == "pkcs11path")
pkcs11path = p;
else if (key == "default_hash")
hashBox::setDefault(p);
else if (key == "mandatory_dn")
mandatory_dn = p;
else if (key == "explicit_dn")
explicit_dn = p;
/* what a stupid idea.... */
else if (key == "multiple_key_use")
mydb.erase();
else if (key == "string_opt")
string_opt = p;
else if (key == "suppress")
mydb.erase();
else if (key == "optionflags1")
setOptFlags((QString(p)));
/* Different optionflags, since setOptFlags()
* does an abort() for unknown flags in
* older versions. *Another stupid idea*
* This is for backward compatibility
*/
else if (key == "optionflags")
setOptFlags_old((QString(p)));
else if (key == "defaultkey")
NewKey::setDefault((QString(p)));
else if (key == "mw_geometry")
set_geometry(p, &head);
free(p);
if (mydb.next())
break;
}
} catch (errorEx &err) {
Error(err);
return ret;
}
ASN1_STRING_set_default_mask_asc((char*)CCHAR(string_opt));
if (explicit_dn.isEmpty())
explicit_dn = explicit_dn_default;
setWindowTitle(tr(XCA_TITLE));
setItemEnabled(true);
if (pki_evp::passwd.isNull())
XCA_INFO(tr("Using or exporting private keys will not be possible without providing the correct password"));
dbindex->setText(tr("Database") + ": " + dbfile);
load_engine();
return ret;
}
