static Bool IsPKCS12(const char *file) { Bool ret = TRUE; EVP_PKEY *key = NULL; X509 *cert = NULL; BIO *input; PKCS12 *p12; int err_reason; if ((input = BIO_new_file(file, "r")) == NULL){ if (d2i_PKCS12_bio(input, &p12) == NULL) return FALSE; } p12 = d2i_PKCS12_bio(input, NULL); BIO_free(input); if (p12 == NULL) return FALSE; err_reason = PKCS12_parse(p12, "", &key, &cert, NULL); if (err_reason == PKCS12_R_MAC_VERIFY_FAILURE){ ret = FALSE; } if (cert){ X509_free(cert); cert = NULL; } if (key){ EVP_PKEY_free(key); key = NULL; } ERR_clear_error(); PKCS12_free(p12); return ret; }
static void process_file(const char *filename) { FILE *pfxfile; int i, count; unsigned char buffer[LINE_BUFFER_SIZE]; BIO* in = NULL; PKCS12 *p12 = NULL; const char *ext[] = {".p12",".pfx"}; char *fname; if (!(pfxfile = fopen(filename, "rb"))) { fprintf(stderr, "! %s : %s\n", filename, strerror(errno)); return; } in = BIO_new_file(filename, "rb"); if (!in) { fprintf (stderr, "PKCS12 file not found: %s\n", filename); fclose(pfxfile); return; } if(!(p12 = d2i_PKCS12_bio (in, NULL))) { perror("Unable to create PKCS12 object\n"); fclose(pfxfile); return; } if(PKCS12_verify_mac(p12, "", -1)) { fprintf(stderr, "%s has no password!\n", filename); fclose(pfxfile); return; } count = fread(buffer, 1, LINE_BUFFER_SIZE, pfxfile); fname = strip_suffixes(basename(filename), ext, 2); printf("%s:$pfx$*%d*", fname, count); for (i = 0; i < count; i++) { printf("%c%c", itoa16[ARCH_INDEX(buffer[i] >> 4)], itoa16[ARCH_INDEX(buffer[i] & 0x0f)]); } printf("\n"); fclose(pfxfile); if(in) BIO_free(in); }
void PEM_From_P12(PA_PluginParameters params) { sLONG_PTR *pResult = (sLONG_PTR *)params->fResult; PackagePtr pParams = (PackagePtr)params->fParameters; C_BLOB Param1; C_BLOB Param2; C_TEXT Param3; C_TEXT returnValue; Param1.fromParamAtIndex(pParams, 1); Param3.fromParamAtIndex(pParams, 3); BIO *bio = BIO_new_mem_buf((void *)Param1.getBytesPtr(), Param1.getBytesLength()); if(bio){ PKCS12 *p12 = d2i_PKCS12_bio(bio, NULL); if(p12){ EVP_PKEY *key = NULL; X509 *cert = NULL; STACK_OF(X509) *ca = NULL; CUTF8String pass; Param3.copyUTF8String(&pass); if(PKCS12_parse(p12, (const char *)pass.c_str(), &key, &cert, &ca)){ BIO *pem = BIO_new(BIO_s_mem()); if(pem){ PEM_write_bio_PrivateKey(pem, key, NULL, NULL, NULL, NULL, (void *)pass.c_str()); char *buf = NULL; int len = BIO_get_mem_data(pem, &buf); if(len){ Param2.setBytes((const uint8_t *)buf, len); Param2.toParamAtIndex(pParams, 2); CUTF8String pemStr = CUTF8String((const uint8_t *)buf, len); returnValue.setUTF8String(&pemStr); } BIO_free(pem); } } } BIO_free(bio); } Param2.toParamAtIndex(pParams, 2); returnValue.setReturn(pResult); }
void *work_brute( void *ptr ) { // Opening p12 file BIO* in = NULL; workerbrute *wthread = (workerbrute *) ptr; pthread_mutex_lock(wthread->m); in = BIO_new_file(wthread->file2crack, "rb"); if (!in) { fprintf (stderr,"PKCS12 file not found: %s\n",wthread->file2crack); exit(10); } // Creating PKCS12 object PKCS12 *p12 = NULL; if (!(p12 = d2i_PKCS12_bio (in, NULL))) { perror("Unable to create PKCS12 object\n"); exit(30); } pthread_mutex_unlock(wthread->m); int maxwordlength = wthread->wordlength; int i; *(wthread->count) = 0; for (wthread->wordlength=wthread->wordlength_min; wthread->wordlength <= maxwordlength; wthread->wordlength++) { for (i=wthread->id; i<wthread->baselength; i+=nthreads) { wthread->word[0] = wthread->base[i]; if (wthread->wordlength>1) generate(wthread, 1, p12, wthread->count); else try(wthread, p12, wthread->count); } } } void generate(workerbrute *wthread, int pivot, PKCS12 *p12, unsigned long long *gcount) { int i, j, ret; for (i=0; i<wthread->baselength; i++) { wthread->word[pivot] = wthread->base[i]; if (pivot < wthread->wordlength-1) generate(wthread, pivot+1, p12, gcount); else try(wthread,p12,gcount); } wthread->word[pivot] = '\0'; } void try(workerbrute *wthread, PKCS12 *p12, unsigned long long *gcount) { (*gcount)++; if (PKCS12_verify_mac(p12, wthread->word, -1)) { if (!wthread->quiet) sleep(ELAPSEDSECONDS); printf("\n**********************************************************\n"); printf("Brute force attack - Thread %d - Password found: %s\n",wthread->id+1,wthread->word); printf("**********************************************************\n\n"); exit(0); } }
bool Engine::set_p12_certificate_privatekey(const Data & data, const std::string & password) { if( data.empty() ) // BIO undefined behaviour when writing 0 return false; BIO *mem = BIO_new(BIO_s_mem()); BIO_write(mem, data.getData(), data.getSize()); PKCS12 * pkcs12 = d2i_PKCS12_bio(mem, NULL); BIO_free(mem); mem = 0; X509 * cax = 0; EVP_PKEY * pkey = 0; // int succ = PKCS12_parse(pkcs12, password.c_str(), &pkey, &cax, NULL); // int err = ERR_get_error(); // const char * err_str = ERR_error_string(err, 0); int cert_res = SSL_use_certificate(ssl, cax); if (cax) X509_free(cax); cax = 0; int key_res = SSL_use_PrivateKey(ssl, pkey); if( pkey ) EVP_PKEY_free(pkey); pkey = 0; int check_res = SSL_check_private_key(ssl); return cert_res == 1 && key_res == 1 && check_res == 1; }
Settings::KeyPair CertWizard::importCert(QByteArray data, const QString &pw) { X509 *x509 = NULL; EVP_PKEY *pkey = NULL; PKCS12 *pkcs = NULL; BIO *mem = NULL; STACK_OF(X509) *certs = NULL; Settings::KeyPair kp; int ret = 0; mem = BIO_new_mem_buf(data.data(), data.size()); Q_UNUSED(BIO_set_close(mem, BIO_NOCLOSE)); pkcs = d2i_PKCS12_bio(mem, NULL); if (pkcs) { ret = PKCS12_parse(pkcs, NULL, &pkey, &x509, &certs); if (pkcs && !pkey && !x509 && ! pw.isEmpty()) { if (certs) { if (ret) sk_X509_free(certs); certs = NULL; } ret = PKCS12_parse(pkcs, pw.toUtf8().constData(), &pkey, &x509, &certs); } if (pkey && x509 && X509_check_private_key(x509, pkey)) { unsigned char *dptr; QByteArray key, crt; key.resize(i2d_PrivateKey(pkey, NULL)); dptr=reinterpret_cast<unsigned char *>(key.data()); i2d_PrivateKey(pkey, &dptr); crt.resize(i2d_X509(x509, NULL)); dptr=reinterpret_cast<unsigned char *>(crt.data()); i2d_X509(x509, &dptr); QSslCertificate qscCert = QSslCertificate(crt, QSsl::Der); QSslKey qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der); QList<QSslCertificate> qlCerts; qlCerts << qscCert; if (certs) { for (int i=0;i<sk_X509_num(certs);++i) { X509 *c = sk_X509_value(certs, i); crt.resize(i2d_X509(c, NULL)); dptr=reinterpret_cast<unsigned char *>(crt.data()); i2d_X509(c, &dptr); QSslCertificate cert = QSslCertificate(crt, QSsl::Der); qlCerts << cert; } } bool valid = ! qskKey.isNull(); foreach(const QSslCertificate &cert, qlCerts) valid = valid && ! cert.isNull(); if (valid) kp = Settings::KeyPair(qlCerts, qskKey); } }
void SafetPKCS12Private::init( const QByteArray &data, const QByteArray &pin ) { OpenSSL_add_all_algorithms(); qDebug("... SafetPKCS12Private::init ... 1"); BIO *bio = BIO_new_mem_buf( const_cast<char*>(data.constData()), data.size() ); if( !bio ){ return setLastError(); /* qDebug("!bio"); qDebug(qPrintable(errorString)); SafetYAWL::streamlog << SafetLog::Error << QObject::tr("Error al inicializar objeto PKCS12: BIO no valida"); return; */ } PKCS12 *p12 = d2i_PKCS12_bio( bio, NULL ); BIO_free( bio ); if( !p12 ){ return setLastError(); /* qDebug("!p12"); qDebug(qPrintable(errorString)); SafetYAWL::streamlog << SafetLog::Debug << errorString; SafetYAWL::streamlog << SafetLog::Error << QObject::tr("Error al inicializar objeto PKCS12: PKCS12 no valida"); return; */ } X509 *c = NULL; EVP_PKEY *k = NULL; int ret = PKCS12_parse( p12, pin.constData(), &k, &c, NULL ); PKCS12_free( p12 ); if( !ret ){ return setLastError(); /* setLastError(); qDebug("!ret"); qDebug(qPrintable(errorString)); SafetYAWL::streamlog << SafetLog::Error << QObject::tr("Error al inicializar objeto PKCS12: EVP_PKEY no valida"); return; */ } SafetYAWL::streamlog << SafetLog::Debug << QObject::tr("Analizada correctamente la estructura PKCS12"); cert = SafetPKCS12::fromX509( c ); key = SafetPKCS12::keyFromEVP( k ); X509_free( c ); EVP_PKEY_free( k ); qDebug("... SafetPKCS12Private::init ... 2"); SafetYAWL::streamlog << SafetLog::Action << QObject::tr("Inicializado objeto SafetPKCS12 correctamente!"); }
void *work_dict( void *ptr ) { // Opening p12 file BIO* in = NULL; workerdict *wthread = (workerdict *) ptr; pthread_mutex_lock(wthread->m); in = BIO_new_file(wthread->file2crack, "rb"); if (!in) { fprintf (stderr,"PKCS12 file not found: %s\n",wthread->file2crack); exit(10); } // Creating PKCS12 object PKCS12 *p12 = NULL; if (!(p12 = d2i_PKCS12_bio (in, NULL))) { perror("Unable to create PKCS12 object\n"); exit(30); } pthread_mutex_unlock(wthread->m); char line[256]; char found = 0; char stop = 0; int i = 0; char *p; *(wthread->count) = 0; // Work while (!found && fgets(line, sizeof line,wthread->dictfile) != NULL) { p = line + strlen(line) - 1; if (*p == '\n') *p = '\0'; if ((p != line) && (*--p == '\r')) *p = '\0'; (*(wthread->count))++; if (PKCS12_verify_mac(p12, line, -1)) found = 1; } if (found) { if (!wthread->quiet) sleep(ELAPSEDSECONDS); printf("\n*********************************************************\n"); printf("Dictionary attack - Thread %d - Password found: %s\n",wthread->id+1,line); printf("*********************************************************\n\n"); exit(0); } pthread_exit(0); }
SEXP loadPKCS12(SEXP privateKey) { EVP_PKEY *key; BIO *bio_mem; PKCS12 *p12; X509 *cert; if (TYPEOF(privateKey) != RAWSXP) Rf_error("PKCS12 private key must be a raw vector"); bio_mem = BIO_new_mem_buf((void *) RAW(privateKey), LENGTH(privateKey)); p12 = d2i_PKCS12_bio(bio_mem, &p12); if (!p12 || !PKCS12_verify_mac(p12, pass, strlen(pass)) || !PKCS12_parse(p12, pass, &key, &cert, NULL) || !key) { Rf_error("%s", ERR_error_string(ERR_get_error(), NULL)); } return wrap_EVP_PKEY(key); }
static LUA_FUNCTION(openssl_pkcs12_read) { PKCS12 * p12 = NULL; EVP_PKEY * pkey = NULL; X509 * cert = NULL; STACK_OF(X509) * ca = NULL; int ret = 0; int base64 = 0; int olb64 = 0; BIO * b64 = NULL; BIO * bio_in = load_bio_object(L, 1); const char *pass = luaL_checkstring(L, 2); if (!lua_isnoneornil(L, 3)) base64 = auxiliar_checkboolean(L, 3); if (!lua_isnoneornil(L, 4)) olb64 = auxiliar_checkboolean(L, 4); if (base64) { if ((b64 = BIO_new(BIO_f_base64())) == NULL) return 0; if (olb64) BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); bio_in = BIO_push(b64, bio_in); } if (d2i_PKCS12_bio(bio_in, &p12) && PKCS12_parse(p12, pass, &pkey, &cert, &ca)) { lua_newtable(L); AUXILIAR_SETOBJECT(L, cert, "openssl.x509" , -1, "cert"); AUXILIAR_SETOBJECT(L, pkey, "openssl.evp_pkey" , -1, "pkey"); AUXILIAR_SETOBJECT(L, ca, "openssl.stack_of_x509" , -1, "extracerts"); ret = 1; } if (b64) BIO_free(b64); BIO_free(bio_in); PKCS12_free(p12); return ret; }
/* * call-seq: * PKCS12.new -> pkcs12 * PKCS12.new(str) -> pkcs12 * PKCS12.new(str, pass) -> pkcs12 * * === Parameters * * +str+ - Must be a DER encoded PKCS12 string. * * +pass+ - string */ static VALUE ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self) { BIO *in; VALUE arg, pass, pkey, cert, ca; char *passphrase; EVP_PKEY *key; X509 *x509; STACK_OF(X509) *x509s = NULL; int st = 0; PKCS12 *pkcs = DATA_PTR(self); if(rb_scan_args(argc, argv, "02", &arg, &pass) == 0) return self; passphrase = NIL_P(pass) ? NULL : StringValuePtr(pass); in = ossl_obj2bio(arg); d2i_PKCS12_bio(in, &pkcs); DATA_PTR(self) = pkcs; BIO_free(in); pkey = cert = ca = Qnil; if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s)) ossl_raise(ePKCS12Error, "PKCS12_parse"); pkey = rb_protect((VALUE(*)_((VALUE)))ossl_pkey_new, (VALUE)key, &st); /* NO DUP */ if(st) goto err; cert = rb_protect((VALUE(*)_((VALUE)))ossl_x509_new, (VALUE)x509, &st); if(st) goto err; if(x509s){ ca = rb_protect((VALUE(*)_((VALUE)))ossl_x509_sk2ary, (VALUE)x509s, &st); if(st) goto err; } err: X509_free(x509); sk_X509_pop_free(x509s, X509_free); ossl_pkcs12_set_key(self, pkey); ossl_pkcs12_set_cert(self, cert); ossl_pkcs12_set_ca_certs(self, ca); if(st) rb_jump_tag(st); return self; }
bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) { boost::shared_ptr<PKCS12Certificate> pkcs12Certificate = boost::dynamic_pointer_cast<PKCS12Certificate>(certificate); if (!pkcs12Certificate || pkcs12Certificate->isNull()) { return false; } // Create a PKCS12 structure BIO* bio = BIO_new(BIO_s_mem()); BIO_write(bio, vecptr(pkcs12Certificate->getData()), pkcs12Certificate->getData().size()); boost::shared_ptr<PKCS12> pkcs12(d2i_PKCS12_bio(bio, NULL), PKCS12_free); BIO_free(bio); if (!pkcs12) { return false; } // Parse PKCS12 X509 *certPtr = 0; EVP_PKEY* privateKeyPtr = 0; STACK_OF(X509)* caCertsPtr = 0; int result = PKCS12_parse(pkcs12.get(), reinterpret_cast<const char*>(vecptr(pkcs12Certificate->getPassword())), &privateKeyPtr, &certPtr, &caCertsPtr); if (result != 1) { return false; } boost::shared_ptr<X509> cert(certPtr, X509_free); boost::shared_ptr<EVP_PKEY> privateKey(privateKeyPtr, EVP_PKEY_free); boost::shared_ptr<STACK_OF(X509)> caCerts(caCertsPtr, freeX509Stack); // Use the key & certificates if (SSL_CTX_use_certificate(context_, cert.get()) != 1) { return false; } if (SSL_CTX_use_PrivateKey(context_, privateKey.get()) != 1) { return false; } for (int i = 0; i < sk_X509_num(caCerts.get()); ++i) { SSL_CTX_add_extra_chain_cert(context_, sk_X509_value(caCerts.get(), i)); } return true; }
static void *get_salt(char *ciphertext) { char *decoded_data; int i; char *ctcopy = strdup(ciphertext); char *keeptr = ctcopy; char *p; static struct custom_salt cs; PKCS12 *p12 = NULL; BIO *bp; ctcopy += 6; /* skip over "$pfx$*" */ p = strtok(ctcopy, "*"); cs.len = atoi(p); decoded_data = (char *) malloc(cs.len + 1); p = strtok(NULL, "*"); for (i = 0; i < cs.len; i++) decoded_data[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16 + atoi16[ARCH_INDEX(p[i * 2 + 1])]; decoded_data[cs.len] = 0; /* load decoded data into OpenSSL structures */ bp = BIO_new(BIO_s_mem()); if (!bp) { fprintf(stderr, "OpenSSL BIO allocation failure\n"); exit(-2); } BIO_write(bp, decoded_data, cs.len); if(!(p12 = d2i_PKCS12_bio(bp, NULL))) { perror("Unable to create PKCS12 object from bio\n"); exit(-3); } /* save custom_salt information */ memset(&cs, 0, sizeof(cs)); memcpy(&cs.pfx, p12, sizeof(PKCS12)); BIO_free(bp); MEM_FREE(decoded_data); MEM_FREE(keeptr); return (void *) &cs; }
static X509 *_load_certificate_from_mem(int format, uint8_t *buffer, uint32_t length, char *password) { X509 *x509 = NULL; BIO *mem = NULL; mem = BIO_new_mem_buf(buffer, length); if (mem != NULL) { switch (format) { case 0 : x509 = d2i_X509_bio(mem, NULL); break; case 1 : x509 = PEM_read_bio_X509(mem, NULL, NULL, NULL); break; case 2 : { PKCS12 *p12 = d2i_PKCS12_bio(mem, NULL); PKCS12_parse(p12, password, NULL, &x509, NULL); PKCS12_free(p12); } break; } BIO_free(mem); } else { DEBUG_ERR_MSG("X509_LOOKUP_load_file failed"); } return x509; }
int32_t mz_crypt_sign(uint8_t *message, int32_t message_size, uint8_t *cert_data, int32_t cert_data_size, const char *cert_pwd, uint8_t **signature, int32_t *signature_size) { PKCS12 *p12 = NULL; EVP_PKEY *evp_pkey = NULL; BUF_MEM *buf_mem = NULL; BIO *cert_bio = NULL; BIO *message_bio = NULL; BIO *signature_bio = NULL; CMS_ContentInfo *cms = NULL; CMS_SignerInfo *signer_info = NULL; STACK_OF(X509) *ca_stack = NULL; X509 *cert = NULL; int32_t result = 0; int32_t err = MZ_OK; if (message == NULL || cert_data == NULL || signature == NULL || signature_size == NULL) return MZ_PARAM_ERROR; mz_crypt_init(); *signature = NULL; *signature_size = 0; cert_bio = BIO_new_mem_buf(cert_data, cert_data_size); if (d2i_PKCS12_bio(cert_bio, &p12) == NULL) err = MZ_SIGN_ERROR; if (err == MZ_OK) result = PKCS12_parse(p12, cert_pwd, &evp_pkey, &cert, &ca_stack); if (result) { cms = CMS_sign(NULL, NULL, ca_stack, NULL, CMS_BINARY | CMS_PARTIAL); if (cms) signer_info = CMS_add1_signer(cms, cert, evp_pkey, EVP_sha256(), 0); if (signer_info == NULL) { err = MZ_SIGN_ERROR; } else { message_bio = BIO_new_mem_buf(message, message_size); signature_bio = BIO_new(BIO_s_mem()); result = CMS_final(cms, message_bio, NULL, CMS_BINARY); if (result) result = i2d_CMS_bio(signature_bio, cms); if (result) { BIO_flush(signature_bio); BIO_get_mem_ptr(signature_bio, &buf_mem); *signature_size = buf_mem->length; *signature = MZ_ALLOC(buf_mem->length); memcpy(*signature, buf_mem->data, buf_mem->length); } #if 0 BIO *yy = BIO_new_file("xyz", "wb"); BIO_write(yy, *signature, *signature_size); BIO_flush(yy); BIO_free(yy); #endif } } if (!result) err = MZ_SIGN_ERROR; if (cms) CMS_ContentInfo_free(cms); if (signature_bio) BIO_free(signature_bio); if (cert_bio) BIO_free(cert_bio); if (message_bio) BIO_free(message_bio); if (p12) PKCS12_free(p12); if (err != MZ_OK && *signature != NULL) { MZ_FREE(*signature); *signature = NULL; *signature_size = 0; } return err; }
int main(int argc, char **argv) { BIO* in=NULL; BIO* out=NULL; char * outfile = NULL; char * infile = NULL ; int tabLength=100; char *binaryptr; char* mimetype; char* mimetypeaccept=NULL; char* contenttype; const char** pp; unsigned char* hostporturl = NULL; BIO * p12bio ; char **args = argv + 1; unsigned char * serverurl; sslctxparm p; char *response; CURLcode res; struct curl_slist * headers=NULL; int badarg=0; binaryptr = malloc(tabLength); p.verbose = 0; p.errorbio = BIO_new_fp (stderr, BIO_NOCLOSE); curl_global_init(CURL_GLOBAL_DEFAULT); /* we need some more for the P12 decoding */ OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); ERR_load_crypto_strings(); while (*args && *args[0] == '-') { if (!strcmp (*args, "-in")) { if (args[1]) { infile=*(++args); } else badarg=1; } else if (!strcmp (*args, "-out")) { if (args[1]) { outfile=*(++args); } else badarg=1; } else if (!strcmp (*args, "-p12")) { if (args[1]) { p.p12file = *(++args); } else badarg=1; } else if (strcmp(*args,"-envpass") == 0) { if (args[1]) { p.pst = getenv(*(++args)); } else badarg=1; } else if (strcmp(*args,"-connect") == 0) { if (args[1]) { hostporturl = *(++args); } else badarg=1; } else if (strcmp(*args,"-mimetype") == 0) { if (args[1]) { mimetype = *(++args); } else badarg=1; } else if (strcmp(*args,"-acceptmime") == 0) { if (args[1]) { mimetypeaccept = *(++args); } else badarg=1; } else if (strcmp(*args,"-accesstype") == 0) { if (args[1]) { if ((p.accesstype = OBJ_obj2nid(OBJ_txt2obj(*++args,0))) == 0) badarg=1; } else badarg=1; } else if (strcmp(*args,"-verbose") == 0) { p.verbose++; } else badarg=1; args++; } if (mimetype==NULL || mimetypeaccept == NULL) badarg = 1; if (badarg) { for (pp=curlx_usage; (*pp != NULL); pp++) BIO_printf(p.errorbio,"%s\n",*pp); BIO_printf(p.errorbio,"\n"); goto err; } /* set input */ if ((in=BIO_new(BIO_s_file())) == NULL) { BIO_printf(p.errorbio, "Error setting input bio\n"); goto err; } else if (infile == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT); else if (BIO_read_filename(in,infile) <= 0) { BIO_printf(p.errorbio, "Error opening input file %s\n", infile); BIO_free(in); goto err; } /* set output */ if ((out=BIO_new(BIO_s_file())) == NULL) { BIO_printf(p.errorbio, "Error setting output bio.\n"); goto err; } else if (outfile == NULL) BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); else if (BIO_write_filename(out,outfile) <= 0) { BIO_printf(p.errorbio, "Error opening output file %s\n", outfile); BIO_free(out); goto err; } p.errorbio = BIO_new_fp (stderr, BIO_NOCLOSE); if (!(p.curl = curl_easy_init())) { BIO_printf(p.errorbio, "Cannot init curl lib\n"); goto err; } if (!(p12bio = BIO_new_file(p.p12file , "rb"))) { BIO_printf(p.errorbio, "Error opening P12 file %s\n", p.p12file); goto err; } if (!(p.p12 = d2i_PKCS12_bio (p12bio, NULL))) { BIO_printf(p.errorbio, "Cannot decode P12 structure %s\n", p.p12file); goto err; } p.ca= NULL; if (!(PKCS12_parse (p.p12, p.pst, &(p.pkey), &(p.usercert), &(p.ca) ) )) { BIO_printf(p.errorbio,"Invalid P12 structure in %s\n", p.p12file); goto err; } if (sk_X509_num(p.ca) <= 0) { BIO_printf(p.errorbio,"No trustworthy CA given.%s\n", p.p12file); goto err; } if (p.verbose > 1) X509_print_ex(p.errorbio,p.usercert,0,0); /* determine URL to go */ if (hostporturl) { serverurl = malloc(9+strlen(hostporturl)); sprintf(serverurl,"https://%s",hostporturl); } else if (p.accesstype != 0) /* see whether we can find an AIA or SIA for a given access type */ { if (!(serverurl = my_get_ext(p.usercert,p.accesstype,NID_info_access))) { int j=0; BIO_printf(p.errorbio,"no service URL in user cert " "cherching in others certificats\n"); for (j=0; j<sk_X509_num(p.ca); j++) { if ((serverurl = my_get_ext(sk_X509_value(p.ca,j),p.accesstype, NID_info_access))) break; if ((serverurl = my_get_ext(sk_X509_value(p.ca,j),p.accesstype, NID_sinfo_access))) break; } } } if (!serverurl) { BIO_printf(p.errorbio, "no service URL in certificats," " check '-accesstype (AD_DVCS | ad_timestamping)'" " or use '-connect'\n"); goto err; } if (p.verbose) BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl); curl_easy_setopt(p.curl, CURLOPT_URL, serverurl); /* Now specify the POST binary data */ curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr); curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE,(long)tabLength); /* pass our list of custom made headers */ contenttype = malloc(15+strlen(mimetype)); sprintf(contenttype,"Content-type: %s",mimetype); headers = curl_slist_append(headers,contenttype); curl_easy_setopt(p.curl, CURLOPT_HTTPHEADER, headers); if (p.verbose) BIO_printf(p.errorbio, "Service URL: <%s>\n", serverurl); { FILE *outfp; BIO_get_fp(out,&outfp); curl_easy_setopt(p.curl, CURLOPT_WRITEDATA, outfp); } res = curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun) ; if (res != CURLE_OK) BIO_printf(p.errorbio,"%d %s=%d %d\n", __LINE__, "CURLOPT_SSL_CTX_FUNCTION",CURLOPT_SSL_CTX_FUNCTION,res); curl_easy_setopt(p.curl, CURLOPT_SSL_CTX_DATA, &p); { int lu; int i=0; while ((lu = BIO_read (in,&binaryptr[i],tabLength-i)) >0 ) { i+=lu; if (i== tabLength) { tabLength+=100; binaryptr=realloc(binaryptr,tabLength); /* should be more careful */ } } tabLength = i; } /* Now specify the POST binary data */ curl_easy_setopt(p.curl, CURLOPT_POSTFIELDS, binaryptr); curl_easy_setopt(p.curl, CURLOPT_POSTFIELDSIZE,(long)tabLength); /* Perform the request, res will get the return code */ BIO_printf(p.errorbio,"%d %s %d\n", __LINE__, "curl_easy_perform", res = curl_easy_perform(p.curl)); { int result =curl_easy_getinfo(p.curl,CURLINFO_CONTENT_TYPE,&response); if( mimetypeaccept && p.verbose) if(!strcmp(mimetypeaccept,response)) BIO_printf(p.errorbio,"the response has a correct mimetype : %s\n", response); else BIO_printf(p.errorbio,"the reponse doesn\'t has an acceptable " "mime type, it is %s instead of %s\n", response,mimetypeaccept); } /*** code d'erreur si accept mime ***, egalement code return HTTP != 200 ***/ /* free the header list*/ curl_slist_free_all(headers); /* always cleanup */ curl_easy_cleanup(p.curl); BIO_free(in); BIO_free(out); return (EXIT_SUCCESS); err: BIO_printf(p.errorbio,"error"); exit(1); }
/*============================================================================ * OpcUa_P_OpenSSL_X509_LoadFromFile *===========================================================================*/ OpcUa_StatusCode OpcUa_P_OpenSSL_X509_LoadFromFile( OpcUa_StringA a_fileName, OpcUa_P_FileFormat a_fileFormat, OpcUa_StringA a_sPassword, /* optional: just for OpcUa_PKCS12 */ OpcUa_ByteString* a_pCertificate) { BIO* pCertFile = OpcUa_Null; X509* pCertX509 = OpcUa_Null; PKCS12* pPKCS12Cert = OpcUa_Null; OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "X509_LoadFromFile"); /* check filename */ if(OpcUa_P_String_strlen(a_fileName) < 1) { uStatus = OpcUa_BadInvalidArgument; OpcUa_GotoErrorIfBad(uStatus); } /* import certificate from file by the given encoding type */ pCertFile = BIO_new_file((const char*)a_fileName, "r"); OpcUa_ReturnErrorIfArgumentNull(pCertFile); switch(a_fileFormat) { case OpcUa_Crypto_Encoding_DER: { pCertX509 = d2i_X509_bio(pCertFile, /* sourcefile */ (X509**)NULL); /* target (if preallocated) */ break; } case OpcUa_Crypto_Encoding_PEM: { pCertX509 = PEM_read_bio_X509( pCertFile, /* sourcefile */ (X509**)OpcUa_Null, /* target (if preallocated) */ OpcUa_Null, /* password callback function */ OpcUa_Null); /* passphrase or callback data */ break; } case OpcUa_Crypto_Encoding_PKCS12: { d2i_PKCS12_bio(pCertFile, &pPKCS12Cert); PKCS12_parse(pPKCS12Cert, a_sPassword, OpcUa_Null, &pCertX509, OpcUa_Null); if(pPKCS12Cert != OpcUa_Null) { PKCS12_free(pPKCS12Cert); /*OPENSSL_free(pPKCS12Cert);*/ } break; } default: { BIO_free(pCertFile); return OpcUa_BadNotSupported; } } BIO_free(pCertFile); pCertFile = OpcUa_Null; if(pCertX509 == OpcUa_Null) { /* error in OpenSSL - maybe certificate file was corrupt */ return OpcUa_Bad; } /* prepare container */ memset(a_pCertificate, 0, sizeof(OpcUa_ByteString)); /* get required length for conversion target buffer */ a_pCertificate->Length = i2d_X509( pCertX509, NULL); if(a_pCertificate->Length <= 0) { /* conversion to DER not possible */ uStatus = OpcUa_Bad; } /* allocate conversion target buffer */ a_pCertificate->Data = (OpcUa_Byte*)OpcUa_P_Memory_Alloc(a_pCertificate->Length); OpcUa_GotoErrorIfAllocFailed(a_pCertificate->Data); /* convert into DER */ a_pCertificate->Length = i2d_X509( pCertX509, &(a_pCertificate->Data)); if(a_pCertificate->Length <= 0) { /* conversion to DER not possible */ uStatus = OpcUa_Bad; } else { /* correct pointer incrementation by i2d_X509() */ a_pCertificate->Data -= a_pCertificate->Length; } X509_free(pCertX509); OpcUa_ReturnStatusCode; OpcUa_BeginErrorHandling; if(pCertX509 != OpcUa_Null) { X509_free(pCertX509); } if(pPKCS12Cert != OpcUa_Null) { OPENSSL_free(pPKCS12Cert); } if(a_pCertificate->Data != OpcUa_Null) { OpcUa_P_Memory_Free(a_pCertificate->Data); a_pCertificate->Data = OpcUa_Null; } if(pCertFile != OpcUa_Null) { BIO_free(pCertFile); } OpcUa_FinishErrorHandling; }
DVT_STATUS CERTIFICATE_FILE_CLASS::importPkcs12(const char* filename, bool certificatesOnly, const char* password) // DESCRIPTION : Import certificates from a PKCS#12 formated file. // PRECONDITIONS : // POSTCONDITIONS : // EXCEPTIONS : // NOTES : Returns MSG_OK, MSG_ERROR, MSG_FILE_NOT_EXIST, MSG_NO_VALUE, MSG_INVALID_PASSWORD //<<=========================================================================== { DVT_STATUS status = MSG_ERROR; BIO* bio_ptr = NULL; PKCS12 *p12_ptr = NULL; EVP_PKEY *pkey_ptr = NULL; X509 *cert_ptr = NULL; STACK_OF(X509) *ca_ptr = NULL; const char* password_ptr = NULL; int count = 0; // clear the error queue ERR_clear_error(); // open the file bio_ptr = BIO_new(BIO_s_file_internal()); if (bio_ptr == NULL) { openSslM_ptr->printError(loggerM_ptr, LOG_ERROR, "setting up to read PKCS#12 file"); status = MSG_ERROR; goto end; } if (BIO_read_filename(bio_ptr, filename) <= 0) { unsigned long err; err = ERR_peek_error(); if ((ERR_GET_LIB(err) == ERR_LIB_SYS) && (ERR_GET_REASON(err) == ERROR_FILE_NOT_FOUND)) { // file does not exist ERR_clear_error(); // eat any errors status = MSG_FILE_NOT_EXIST; } else { openSslM_ptr->printError(loggerM_ptr, LOG_ERROR, "opening PKCS#12 file for reading"); status = MSG_ERROR; } goto end; } // read the file p12_ptr = d2i_PKCS12_bio(bio_ptr, NULL); if (!p12_ptr) { openSslM_ptr->printError(loggerM_ptr, LOG_ERROR, "reading PKCS#12 file"); status = MSG_ERROR; goto end; } // see if we have a password that will work if (PKCS12_verify_mac(p12_ptr, NULL, 0)) { password_ptr = NULL; } else if(PKCS12_verify_mac(p12_ptr, "", 0)) { password_ptr = ""; } else if(PKCS12_verify_mac(p12_ptr, password, strlen(password))) { password_ptr = password; } else { status = MSG_INVALID_PASSWORD; goto end; } // parse the data if (!PKCS12_parse(p12_ptr, password_ptr, &pkey_ptr, &cert_ptr, &ca_ptr)) { openSslM_ptr->printError(loggerM_ptr, LOG_ERROR, "parsing PKCS#12 file"); status = MSG_ERROR; ca_ptr = NULL; // this is freed by PKCS12_parse(), but not set to NULL goto end; } if ((pkey_ptr != NULL) && !certificatesOnly) { // save the private key if (!push(pkey_ptr)) { status = MSG_ERROR; goto end; } count++; } if (cert_ptr != NULL) { // save the certificate if (!push(cert_ptr)) { status = MSG_ERROR; goto end; } count++; } if ((ca_ptr != NULL) && (sk_X509_num(ca_ptr) > 0)) { X509* x509_ptr; // save each of the certificates while ((x509_ptr = sk_X509_shift(ca_ptr)) != NULL) { if (!push(x509_ptr)) { status = MSG_ERROR; goto end; } count++; } } if (count == 0) { status = MSG_NO_VALUE; } else { status = MSG_OK; } end: if (bio_ptr != NULL) BIO_free(bio_ptr); if (p12_ptr != NULL) PKCS12_free(p12_ptr); if (pkey_ptr != NULL) EVP_PKEY_free(pkey_ptr); if (cert_ptr != NULL) X509_free(cert_ptr); if (ca_ptr != NULL) sk_X509_pop_free(ca_ptr, X509_free); return status; }
/*============================================================================ * OpcUa_P_OpenSSL_X509_GetPrivateKey *===========================================================================*/ OpcUa_StatusCode OpcUa_P_OpenSSL_X509_GetPrivateKey( OpcUa_CryptoProvider* a_pProvider, OpcUa_StringA a_certificateFileName, OpcUa_StringA a_password, /* this is optional */ OpcUa_Key* a_pPrivateKey) { BIO* pCertFile = OpcUa_Null; PKCS12* pPKCS12Cert = OpcUa_Null; EVP_PKEY* pPrivateKey = OpcUa_Null; RSA* pRsaPrivateKey = OpcUa_Null; OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "X509_GetPrivateKey"); OpcUa_ReferenceParameter(a_pProvider); OpcUa_ReturnErrorIfArgumentNull(a_pProvider); OpcUa_ReturnErrorIfArgumentNull(a_certificateFileName); OpcUa_ReturnErrorIfArgumentNull(a_pPrivateKey); /* import certificate from file by the given encoding type */ pCertFile = BIO_new_file((const char*)a_certificateFileName, "r"); OpcUa_ReturnErrorIfArgumentNull(pCertFile); /* convert certificate file handle to PKCS12 structure */ d2i_PKCS12_bio(pCertFile, &pPKCS12Cert); /* close certificat file handle */ BIO_free(pCertFile); if(pPKCS12Cert != OpcUa_Null) { /* get the private key from the PKCS12 structure*/ PKCS12_parse(pPKCS12Cert, a_password, &pPrivateKey, OpcUa_Null, OpcUa_Null); } else { uStatus = OpcUa_Bad; OpcUa_ReturnStatusCode; } if(pPKCS12Cert != OpcUa_Null) { PKCS12_free(pPKCS12Cert); pPKCS12Cert = OpcUa_Null; } switch(EVP_PKEY_type(pPrivateKey->type)) { case EVP_PKEY_RSA: { /* convert to intermediary openssl struct */ pRsaPrivateKey = EVP_PKEY_get1_RSA(pPrivateKey); EVP_PKEY_free(pPrivateKey); OpcUa_GotoErrorIfNull(pRsaPrivateKey, OpcUa_Bad); /* get required length */ a_pPrivateKey->Key.Length = i2d_RSAPrivateKey(pRsaPrivateKey, OpcUa_Null); OpcUa_GotoErrorIfTrue(a_pPrivateKey->Key.Length <= 0, OpcUa_Bad); if(a_pPrivateKey->Key.Data == OpcUa_Null) { OpcUa_ReturnStatusCode; } /* do real conversion */ a_pPrivateKey->Key.Length = i2d_RSAPrivateKey( pRsaPrivateKey, &a_pPrivateKey->Key.Data); OpcUa_GotoErrorIfTrue(a_pPrivateKey->Key.Length <= 0, OpcUa_Bad); if(pRsaPrivateKey != OpcUa_Null) { RSA_free(pRsaPrivateKey); pRsaPrivateKey = OpcUa_Null; } /* correct buffer pointer */ a_pPrivateKey->Key.Data -= a_pPrivateKey->Key.Length; a_pPrivateKey->Type = OpcUa_Crypto_KeyType_Rsa_Private; break; } case EVP_PKEY_EC: case EVP_PKEY_DSA: case EVP_PKEY_DH: default: { uStatus = OpcUa_BadNotSupported; OpcUa_GotoErrorIfBad(uStatus); } } OpcUa_ReturnStatusCode; OpcUa_BeginErrorHandling; if(pRsaPrivateKey != OpcUa_Null) { RSA_free(pRsaPrivateKey); } if(pPrivateKey != OpcUa_Null) { EVP_PKEY_free(pPrivateKey); } OpcUa_FinishErrorHandling; }
* * \return Whether the PKCS12 structure was successfully loaded */ static bool load_pkcs12(BIO *bio_pkcs12, pem_password_cb *pem_cb, void *cb_data, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) { assert(bio_pkcs12 && pem_cb && pkey && cert); PKCS12 *p12; const char *pass; char buf[PEM_BUFSIZE]; int len; int ret = 0; // Load PKCS12 from stream p12 = d2i_PKCS12_bio(bio_pkcs12, nullptr); if (!p12) { LOGE("Failed to load PKCS12 file"); openssl_log_errors(); goto finished; } // Try empty password if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, nullptr, 0)) { pass = ""; } else { // Otherwise, get password from callback len = pem_cb(buf, PEM_BUFSIZE, 0, cb_data); if (len < 0) { LOGE("Passphrase callback failed"); goto finished;
int MAIN(int argc, char **argv) { ENGINE *e = NULL; char *infile=NULL, *outfile=NULL, *keyname = NULL; char *certfile=NULL; BIO *in=NULL, *out = NULL; char **args; char *name = NULL; char *csp_name = NULL; PKCS12 *p12 = NULL; char pass[50], macpass[50]; int export_cert = 0; int options = 0; int chain = 0; int badarg = 0; int iter = PKCS12_DEFAULT_ITER; int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; int noprompt = 0; STACK *canames = NULL; char *cpass = NULL, *mpass = NULL; char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; char *inrand = NULL; char *CApath = NULL, *CAfile = NULL; char *engine=NULL; apps_startup(); enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; args = argv + 1; while (*args) { if (*args[0] == '-') { if (!strcmp (*args, "-nokeys")) options |= NOKEYS; else if (!strcmp (*args, "-keyex")) keytype = KEY_EX; else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG; else if (!strcmp (*args, "-nocerts")) options |= NOCERTS; else if (!strcmp (*args, "-clcerts")) options |= CLCERTS; else if (!strcmp (*args, "-cacerts")) options |= CACERTS; else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS); else if (!strcmp (*args, "-info")) options |= INFO; else if (!strcmp (*args, "-chain")) chain = 1; else if (!strcmp (*args, "-twopass")) twopass = 1; else if (!strcmp (*args, "-nomacver")) macver = 0; else if (!strcmp (*args, "-descert")) cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; else if (!strcmp (*args, "-export")) export_cert = 1; else if (!strcmp (*args, "-des")) enc=EVP_des_cbc(); #ifndef OPENSSL_NO_IDEA else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc(); #endif else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc(); #ifndef OPENSSL_NO_AES else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc(); else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc(); else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc(); #endif else if (!strcmp (*args, "-noiter")) iter = 1; else if (!strcmp (*args, "-maciter")) maciter = PKCS12_DEFAULT_ITER; else if (!strcmp (*args, "-nomaciter")) maciter = 1; else if (!strcmp (*args, "-nodes")) enc=NULL; else if (!strcmp (*args, "-certpbe")) { if (args[1]) { args++; cert_pbe=OBJ_txt2nid(*args); if(cert_pbe == NID_undef) { BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp (*args, "-keypbe")) { if (args[1]) { args++; key_pbe=OBJ_txt2nid(*args); if(key_pbe == NID_undef) { BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp (*args, "-rand")) { if (args[1]) { args++; inrand = *args; } else badarg = 1; } else if (!strcmp (*args, "-inkey")) { if (args[1]) { args++; keyname = *args; } else badarg = 1; } else if (!strcmp (*args, "-certfile")) { if (args[1]) { args++; certfile = *args; } else badarg = 1; } else if (!strcmp (*args, "-name")) { if (args[1]) { args++; name = *args; } else badarg = 1; } else if (!strcmp (*args, "-CSP")) { if (args[1]) { args++; csp_name = *args; } else badarg = 1; } else if (!strcmp (*args, "-caname")) { if (args[1]) { args++; if (!canames) canames = sk_new_null(); sk_push(canames, *args); } else badarg = 1; } else if (!strcmp (*args, "-in")) { if (args[1]) { args++; infile = *args; } else badarg = 1; } else if (!strcmp (*args, "-out")) { if (args[1]) { args++; outfile = *args; } else badarg = 1; } else if (!strcmp(*args,"-passin")) { if (args[1]) { args++; passargin = *args; } else badarg = 1; } else if (!strcmp(*args,"-passout")) { if (args[1]) { args++; passargout = *args; } else badarg = 1; } else if (!strcmp (*args, "-password")) { if (args[1]) { args++; passarg = *args; noprompt = 1; } else badarg = 1; } else if (!strcmp(*args,"-CApath")) { if (args[1]) { args++; CApath = *args; } else badarg = 1; } else if (!strcmp(*args,"-CAfile")) { if (args[1]) { args++; CAfile = *args; } else badarg = 1; } else if (!strcmp(*args,"-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; } else badarg = 1; } else badarg = 1; args++; } if (badarg) { BIO_printf (bio_err, "Usage: pkcs12 [options]\n"); BIO_printf (bio_err, "where options are\n"); BIO_printf (bio_err, "-export output PKCS12 file\n"); BIO_printf (bio_err, "-chain add certificate chain\n"); BIO_printf (bio_err, "-inkey file private key if not infile\n"); BIO_printf (bio_err, "-certfile f add all certs in f\n"); BIO_printf (bio_err, "-CApath arg - PEM format directory of CA's\n"); BIO_printf (bio_err, "-CAfile arg - PEM format file of CA's\n"); BIO_printf (bio_err, "-name \"name\" use name as friendly name\n"); BIO_printf (bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); BIO_printf (bio_err, "-in infile input filename\n"); BIO_printf (bio_err, "-out outfile output filename\n"); BIO_printf (bio_err, "-noout don't output anything, just verify.\n"); BIO_printf (bio_err, "-nomacver don't verify MAC.\n"); BIO_printf (bio_err, "-nocerts don't output certificates.\n"); BIO_printf (bio_err, "-clcerts only output client certificates.\n"); BIO_printf (bio_err, "-cacerts only output CA certificates.\n"); BIO_printf (bio_err, "-nokeys don't output private keys.\n"); BIO_printf (bio_err, "-info give info about PKCS#12 structure.\n"); BIO_printf (bio_err, "-des encrypt private keys with DES\n"); BIO_printf (bio_err, "-des3 encrypt private keys with triple DES (default)\n"); #ifndef OPENSSL_NO_IDEA BIO_printf (bio_err, "-idea encrypt private keys with idea\n"); #endif #ifndef OPENSSL_NO_AES BIO_printf (bio_err, "-aes128, -aes192, -aes256\n"); BIO_printf (bio_err, " encrypt PEM output with cbc aes\n"); #endif BIO_printf (bio_err, "-nodes don't encrypt private keys\n"); BIO_printf (bio_err, "-noiter don't use encryption iteration\n"); BIO_printf (bio_err, "-maciter use MAC iteration\n"); BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n"); BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); BIO_printf (bio_err, "-keyex set MS key exchange type\n"); BIO_printf (bio_err, "-keysig set MS key signature type\n"); BIO_printf (bio_err, "-password p set import/export password source\n"); BIO_printf (bio_err, "-passin p input file pass phrase source\n"); BIO_printf (bio_err, "-passout p output file pass phrase source\n"); BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); goto end; } e = setup_engine(bio_err, engine, 0); if(passarg) { if(export_cert) passargout = passarg; else passargin = passarg; } if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if(!cpass) { if(export_cert) cpass = passout; else cpass = passin; } if(cpass) { mpass = cpass; noprompt = 1; } else { cpass = pass; mpass = macpass; } if(export_cert || inrand) { app_RAND_load_file(NULL, bio_err, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err,"%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); } ERR_load_crypto_strings(); #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read files"); #endif if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE); else in = BIO_new_file(infile, "rb"); if (!in) { BIO_printf(bio_err, "Error opening input file %s\n", infile ? infile : "<stdin>"); perror (infile); goto end; } #if 0 if (certfile) { if(!(certsin = BIO_new_file(certfile, "r"))) { BIO_printf(bio_err, "Can't open certificate file %s\n", certfile); perror (certfile); goto end; } } if (keyname) { if(!(inkey = BIO_new_file(keyname, "r"))) { BIO_printf(bio_err, "Can't key certificate file %s\n", keyname); perror (keyname); goto end; } } #endif #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("write files"); #endif if (!outfile) { out = BIO_new_fp(stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else out = BIO_new_file(outfile, "wb"); if (!out) { BIO_printf(bio_err, "Error opening output file %s\n", outfile ? outfile : "<stdout>"); perror (outfile); goto end; } if (twopass) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read MAC password"); #endif if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:"******"Can't read Password\n"); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif } if (export_cert) { EVP_PKEY *key = NULL; STACK_OF(PKCS12_SAFEBAG) *bags = NULL; STACK_OF(PKCS7) *safes = NULL; PKCS12_SAFEBAG *bag = NULL; PKCS8_PRIV_KEY_INFO *p8 = NULL; PKCS7 *authsafe = NULL; X509 *ucert = NULL; STACK_OF(X509) *certs=NULL; char *catmp = NULL; int i; unsigned char keyid[EVP_MAX_MD_SIZE]; unsigned int keyidlen = 0; #ifdef CRYPTO_MDEBUG CRYPTO_push_info("process -export_cert"); CRYPTO_push_info("reading private key"); #endif key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1, passin, e, "private key"); if (!key) { goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input"); #endif /* Load in all certs in input file */ if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, "certificates"))) { goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input 2"); #endif for(i = 0; i < sk_X509_num(certs); i++) { ucert = sk_X509_value(certs, i); if(X509_check_private_key(ucert, key)) { X509_digest(ucert, EVP_sha1(), keyid, &keyidlen); break; } } if(!keyidlen) { ucert = NULL; BIO_printf(bio_err, "No certificate matches private key\n"); goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from certfile"); #endif bags = sk_PKCS12_SAFEBAG_new_null (); /* Add any more certificates asked for */ if (certfile) { STACK_OF(X509) *morecerts=NULL; if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, NULL, e, "certificates from certfile"))) { goto export_end; } while(sk_X509_num(morecerts) > 0) { sk_X509_push(certs, sk_X509_shift(morecerts)); } sk_X509_free(morecerts); } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building chain"); #endif /* If chaining get chain from user cert */ if (chain) { int vret; STACK_OF(X509) *chain2; X509_STORE *store = X509_STORE_new(); if (!store) { BIO_printf (bio_err, "Memory allocation error\n"); goto export_end; } if (!X509_STORE_load_locations(store, CAfile, CApath)) X509_STORE_set_default_paths (store); vret = get_cert_chain (ucert, store, &chain2); X509_STORE_free(store); if (!vret) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num (chain2) ; i++) sk_X509_push(certs, sk_X509_value (chain2, i)); /* Free first certificate */ X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); goto export_end; } } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building bags"); #endif /* We now have loads of certificates: include them all */ for(i = 0; i < sk_X509_num(certs); i++) { X509 *cert = NULL; cert = sk_X509_value(certs, i); bag = PKCS12_x5092certbag(cert); /* If it matches private key set id */ if(cert == ucert) { if(name) PKCS12_add_friendlyname(bag, name, -1); PKCS12_add_localkeyid(bag, keyid, keyidlen); } else if((catmp = sk_shift(canames))) PKCS12_add_friendlyname(bag, catmp, -1); sk_PKCS12_SAFEBAG_push(bags, bag); } sk_X509_pop_free(certs, X509_free); certs = NULL; #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("encrypting bags"); #endif if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:"******"Can't read Password\n"); goto export_end; } if (!twopass) strcpy(macpass, pass); /* Turn certbags into encrypted authsafe */ authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0, iter, bags); sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); bags = NULL; if (!authsafe) { ERR_print_errors (bio_err); goto export_end; } safes = sk_PKCS7_new_null (); sk_PKCS7_push (safes, authsafe); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building shrouded key bag"); #endif /* Make a shrouded key bag */ p8 = EVP_PKEY2PKCS8 (key); if(keytype) PKCS8_add_keyusage(p8, keytype); bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8); PKCS8_PRIV_KEY_INFO_free(p8); p8 = NULL; if (name) PKCS12_add_friendlyname (bag, name, -1); if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1); PKCS12_add_localkeyid (bag, keyid, keyidlen); bags = sk_PKCS12_SAFEBAG_new_null(); sk_PKCS12_SAFEBAG_push (bags, bag); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("encrypting shrouded key bag"); #endif /* Turn it into unencrypted safe bag */ authsafe = PKCS12_pack_p7data (bags); sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); bags = NULL; sk_PKCS7_push (safes, authsafe); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building pkcs12"); #endif p12 = PKCS12_init(NID_pkcs7_data); PKCS12_pack_authsafes(p12, safes); sk_PKCS7_pop_free(safes, PKCS7_free); safes = NULL; PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("writing pkcs12"); #endif i2d_PKCS12_bio (out, p12); ret = 0; export_end: #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_pop_info(); CRYPTO_push_info("process -export_cert: freeing"); #endif if (key) EVP_PKEY_free(key); if (certs) sk_X509_pop_free(certs, X509_free); if (safes) sk_PKCS7_pop_free(safes, PKCS7_free); if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif goto end; } if (!(p12 = d2i_PKCS12_bio (in, NULL))) { ERR_print_errors(bio_err); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read import password"); #endif if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:"******"Can't read Password\n"); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif if (!twopass) strcpy(macpass, pass); if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1); if(macver) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("verify MAC"); #endif /* If we enter empty password try no password first */ if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { /* If mac and crypto pass the same set it to NULL too */ if(!twopass) cpass = NULL; } else if (!PKCS12_verify_mac(p12, mpass, -1)) { BIO_printf (bio_err, "Mac verify error: invalid password?\n"); ERR_print_errors (bio_err); goto end; } BIO_printf (bio_err, "MAC verified OK\n"); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif } #ifdef CRYPTO_MDEBUG CRYPTO_push_info("output keys and certificates"); #endif if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors (bio_err); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif ret = 0; end: if (p12) PKCS12_free(p12); if(export_cert || inrand) app_RAND_write_file(NULL, bio_err); #ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); #endif BIO_free(in); BIO_free_all(out); if (canames) sk_free(canames); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); OPENSSL_EXIT(ret); }
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, bool load_ca_file ) { FILE *fp; EVP_PKEY *pkey; X509 *cert; STACK_OF(X509) *ca = NULL; PKCS12 *p12; int i; char password[256]; ASSERT(NULL != ctx); if (!strcmp (pkcs12_file, INLINE_FILE_TAG) && pkcs12_file_inline) { BIO *b64 = BIO_new(BIO_f_base64()); BIO *bio = BIO_new_mem_buf((void *) pkcs12_file_inline, (int) strlen(pkcs12_file_inline)); ASSERT(b64 && bio); BIO_push(b64, bio); p12 = d2i_PKCS12_bio(b64, NULL); if (!p12) msg(M_SSLERR, "Error reading inline PKCS#12 file"); BIO_free(b64); BIO_free(bio); } else { /* Load the PKCS #12 file */ if (!(fp = platform_fopen(pkcs12_file, "rb"))) msg(M_SSLERR, "Error opening file %s", pkcs12_file); p12 = d2i_PKCS12_fp(fp, NULL); fclose(fp); if (!p12) msg(M_SSLERR, "Error reading PKCS#12 file %s", pkcs12_file); } /* Parse the PKCS #12 file */ if (!PKCS12_parse(p12, "", &pkey, &cert, &ca)) { pem_password_callback (password, sizeof(password) - 1, 0, NULL); /* Reparse the PKCS #12 file with password */ ca = NULL; if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL); #endif PKCS12_free(p12); return 1; } } PKCS12_free(p12); /* Load Certificate */ if (!SSL_CTX_use_certificate (ctx->ctx, cert)) msg (M_SSLERR, "Cannot use certificate"); /* Load Private Key */ if (!SSL_CTX_use_PrivateKey (ctx->ctx, pkey)) msg (M_SSLERR, "Cannot use private key"); warn_if_group_others_accessible (pkcs12_file); /* Check Private Key */ if (!SSL_CTX_check_private_key (ctx->ctx)) msg (M_SSLERR, "Private key does not match the certificate"); /* Set Certificate Verification chain */ if (load_ca_file) { if (ca && sk_X509_num(ca)) { for (i = 0; i < sk_X509_num(ca); i++) { if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i))) msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i))) msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); } } } return 0; }
int pkcs12_main(int argc, char **argv) { ENGINE *e = NULL; char *infile = NULL, *outfile = NULL, *keyname = NULL; char *certfile = NULL; BIO *in = NULL, *out = NULL; char **args; char *name = NULL; char *csp_name = NULL; int add_lmk = 0; PKCS12 *p12 = NULL; char pass[50], macpass[50]; int export_cert = 0; int options = 0; int chain = 0; int badarg = 0; int iter = PKCS12_DEFAULT_ITER; int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; int cert_pbe; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; int noprompt = 0; STACK_OF(OPENSSL_STRING) * canames = NULL; char *cpass = NULL, *mpass = NULL; char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; char *inrand = NULL; char *macalg = NULL; char *CApath = NULL, *CAfile = NULL; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; #endif signal(SIGPIPE, SIG_IGN); cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; enc = EVP_des_ede3_cbc(); if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; args = argv + 1; while (*args) { if (*args[0] == '-') { if (!strcmp(*args, "-nokeys")) options |= NOKEYS; else if (!strcmp(*args, "-keyex")) keytype = KEY_EX; else if (!strcmp(*args, "-keysig")) keytype = KEY_SIG; else if (!strcmp(*args, "-nocerts")) options |= NOCERTS; else if (!strcmp(*args, "-clcerts")) options |= CLCERTS; else if (!strcmp(*args, "-cacerts")) options |= CACERTS; else if (!strcmp(*args, "-noout")) options |= (NOKEYS | NOCERTS); else if (!strcmp(*args, "-info")) options |= INFO; else if (!strcmp(*args, "-chain")) chain = 1; else if (!strcmp(*args, "-twopass")) twopass = 1; else if (!strcmp(*args, "-nomacver")) macver = 0; else if (!strcmp(*args, "-descert")) cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; else if (!strcmp(*args, "-export")) export_cert = 1; else if (!strcmp(*args, "-des")) enc = EVP_des_cbc(); else if (!strcmp(*args, "-des3")) enc = EVP_des_ede3_cbc(); #ifndef OPENSSL_NO_IDEA else if (!strcmp(*args, "-idea")) enc = EVP_idea_cbc(); #endif #ifndef OPENSSL_NO_SEED else if (!strcmp(*args, "-seed")) enc = EVP_seed_cbc(); #endif #ifndef OPENSSL_NO_AES else if (!strcmp(*args, "-aes128")) enc = EVP_aes_128_cbc(); else if (!strcmp(*args, "-aes192")) enc = EVP_aes_192_cbc(); else if (!strcmp(*args, "-aes256")) enc = EVP_aes_256_cbc(); #endif #ifndef OPENSSL_NO_CAMELLIA else if (!strcmp(*args, "-camellia128")) enc = EVP_camellia_128_cbc(); else if (!strcmp(*args, "-camellia192")) enc = EVP_camellia_192_cbc(); else if (!strcmp(*args, "-camellia256")) enc = EVP_camellia_256_cbc(); #endif else if (!strcmp(*args, "-noiter")) iter = 1; else if (!strcmp(*args, "-maciter")) maciter = PKCS12_DEFAULT_ITER; else if (!strcmp(*args, "-nomaciter")) maciter = 1; else if (!strcmp(*args, "-nomac")) maciter = -1; else if (!strcmp(*args, "-macalg")) if (args[1]) { args++; macalg = *args; } else badarg = 1; else if (!strcmp(*args, "-nodes")) enc = NULL; else if (!strcmp(*args, "-certpbe")) { if (!set_pbe(bio_err, &cert_pbe, *++args)) badarg = 1; } else if (!strcmp(*args, "-keypbe")) { if (!set_pbe(bio_err, &key_pbe, *++args)) badarg = 1; } else if (!strcmp(*args, "-rand")) { if (args[1]) { args++; inrand = *args; } else badarg = 1; } else if (!strcmp(*args, "-inkey")) { if (args[1]) { args++; keyname = *args; } else badarg = 1; } else if (!strcmp(*args, "-certfile")) { if (args[1]) { args++; certfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-name")) { if (args[1]) { args++; name = *args; } else badarg = 1; } else if (!strcmp(*args, "-LMK")) add_lmk = 1; else if (!strcmp(*args, "-CSP")) { if (args[1]) { args++; csp_name = *args; } else badarg = 1; } else if (!strcmp(*args, "-caname")) { if (args[1]) { args++; if (!canames) canames = sk_OPENSSL_STRING_new_null(); sk_OPENSSL_STRING_push(canames, *args); } else badarg = 1; } else if (!strcmp(*args, "-in")) { if (args[1]) { args++; infile = *args; } else badarg = 1; } else if (!strcmp(*args, "-out")) { if (args[1]) { args++; outfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-passin")) { if (args[1]) { args++; passargin = *args; } else badarg = 1; } else if (!strcmp(*args, "-passout")) { if (args[1]) { args++; passargout = *args; } else badarg = 1; } else if (!strcmp(*args, "-password")) { if (args[1]) { args++; passarg = *args; noprompt = 1; } else badarg = 1; } else if (!strcmp(*args, "-CApath")) { if (args[1]) { args++; CApath = *args; } else badarg = 1; } else if (!strcmp(*args, "-CAfile")) { if (args[1]) { args++; CAfile = *args; } else badarg = 1; #ifndef OPENSSL_NO_ENGINE } else if (!strcmp(*args, "-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; #endif } else badarg = 1; } else badarg = 1; args++; } if (badarg) { BIO_printf(bio_err, "Usage: pkcs12 [options]\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-export output PKCS12 file\n"); BIO_printf(bio_err, "-chain add certificate chain\n"); BIO_printf(bio_err, "-inkey file private key if not infile\n"); BIO_printf(bio_err, "-certfile f add all certs in f\n"); BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, "-name \"name\" use name as friendly name\n"); BIO_printf(bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); BIO_printf(bio_err, "-in infile input filename\n"); BIO_printf(bio_err, "-out outfile output filename\n"); BIO_printf(bio_err, "-noout don't output anything, just verify.\n"); BIO_printf(bio_err, "-nomacver don't verify MAC.\n"); BIO_printf(bio_err, "-nocerts don't output certificates.\n"); BIO_printf(bio_err, "-clcerts only output client certificates.\n"); BIO_printf(bio_err, "-cacerts only output CA certificates.\n"); BIO_printf(bio_err, "-nokeys don't output private keys.\n"); BIO_printf(bio_err, "-info give info about PKCS#12 structure.\n"); BIO_printf(bio_err, "-des encrypt private keys with DES\n"); BIO_printf(bio_err, "-des3 encrypt private keys with triple DES (default)\n"); #ifndef OPENSSL_NO_IDEA BIO_printf(bio_err, "-idea encrypt private keys with idea\n"); #endif #ifndef OPENSSL_NO_SEED BIO_printf(bio_err, "-seed encrypt private keys with seed\n"); #endif #ifndef OPENSSL_NO_AES BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); BIO_printf(bio_err, " encrypt PEM output with cbc aes\n"); #endif #ifndef OPENSSL_NO_CAMELLIA BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n"); #endif BIO_printf(bio_err, "-nodes don't encrypt private keys\n"); BIO_printf(bio_err, "-noiter don't use encryption iteration\n"); BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n"); BIO_printf(bio_err, "-maciter use MAC iteration\n"); BIO_printf(bio_err, "-nomac don't generate MAC\n"); BIO_printf(bio_err, "-twopass separate MAC, encryption passwords\n"); BIO_printf(bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); BIO_printf(bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); BIO_printf(bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); BIO_printf(bio_err, "-macalg alg digest algorithm used in MAC (default SHA1)\n"); BIO_printf(bio_err, "-keyex set MS key exchange type\n"); BIO_printf(bio_err, "-keysig set MS key signature type\n"); BIO_printf(bio_err, "-password p set import/export password source\n"); BIO_printf(bio_err, "-passin p input file pass phrase source\n"); BIO_printf(bio_err, "-passout p output file pass phrase source\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err, "-rand file:file:...\n"); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); BIO_printf(bio_err, "-CSP name Microsoft CSP name\n"); BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n"); goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (passarg) { if (export_cert) passargout = passarg; else passargin = passarg; } if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if (!cpass) { if (export_cert) cpass = passout; else cpass = passin; } if (cpass) { mpass = cpass; noprompt = 1; } else { cpass = pass; mpass = macpass; } ERR_load_crypto_strings(); #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read files"); #endif if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE); else in = BIO_new_file(infile, "rb"); if (!in) { BIO_printf(bio_err, "Error opening input file %s\n", infile ? infile : "<stdin>"); perror(infile); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("write files"); #endif if (!outfile) { out = BIO_new_fp(stdout, BIO_NOCLOSE); } else out = BIO_new_file(outfile, "wb"); if (!out) { BIO_printf(bio_err, "Error opening output file %s\n", outfile ? outfile : "<stdout>"); perror(outfile); goto end; } if (twopass) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read MAC password"); #endif if (EVP_read_pw_string(macpass, sizeof macpass, "Enter MAC Password:"******"Can't read Password\n"); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif } if (export_cert) { EVP_PKEY *key = NULL; X509 *ucert = NULL, *x = NULL; STACK_OF(X509) * certs = NULL; const EVP_MD *macmd = NULL; unsigned char *catmp = NULL; int i; if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { BIO_printf(bio_err, "Nothing to do!\n"); goto export_end; } if (options & NOCERTS) chain = 0; #ifdef CRYPTO_MDEBUG CRYPTO_push_info("process -export_cert"); CRYPTO_push_info("reading private key"); #endif if (!(options & NOKEYS)) { key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1, passin, e, "private key"); if (!key) goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input"); #endif /* Load in all certs in input file */ if (!(options & NOCERTS)) { certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, "certificates"); if (!certs) goto export_end; if (key) { /* Look for matching private key */ for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); if (X509_check_private_key(x, key)) { ucert = x; /* Zero keyid and alias */ X509_keyid_set1(ucert, NULL, 0); X509_alias_set1(ucert, NULL, 0); /* Remove from list */ (void) sk_X509_delete(certs, i); break; } } if (!ucert) { BIO_printf(bio_err, "No certificate matches private key\n"); goto export_end; } } } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input 2"); #endif /* Add any more certificates asked for */ if (certfile) { STACK_OF(X509) * morecerts = NULL; if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, NULL, e, "certificates from certfile"))) goto export_end; while (sk_X509_num(morecerts) > 0) sk_X509_push(certs, sk_X509_shift(morecerts)); sk_X509_free(morecerts); } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from certfile"); #endif #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building chain"); #endif /* If chaining get chain from user cert */ if (chain) { int vret; STACK_OF(X509) * chain2; X509_STORE *store = X509_STORE_new(); if (!store) { BIO_printf(bio_err, "Memory allocation error\n"); goto export_end; } if (!X509_STORE_load_locations(store, CAfile, CApath)) X509_STORE_set_default_paths(store); vret = get_cert_chain(ucert, store, &chain2); X509_STORE_free(store); if (!vret) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num(chain2); i++) sk_X509_push(certs, sk_X509_value(chain2, i)); /* Free first certificate */ X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { if (vret >= 0) BIO_printf(bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); else ERR_print_errors(bio_err); goto export_end; } } /* Add any CA names */ for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { catmp = (unsigned char *) sk_OPENSSL_STRING_value(canames, i); X509_alias_set1(sk_X509_value(certs, i), catmp, -1); } if (csp_name && key) EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, MBSTRING_ASC, (unsigned char *) csp_name, -1); if (add_lmk && key) EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading password"); #endif if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:"******"Can't read Password\n"); goto export_end; } if (!twopass) strlcpy(macpass, pass, sizeof macpass); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("creating PKCS#12 structure"); #endif p12 = PKCS12_create(cpass, name, key, ucert, certs, key_pbe, cert_pbe, iter, -1, keytype); if (!p12) { ERR_print_errors(bio_err); goto export_end; } if (macalg) { macmd = EVP_get_digestbyname(macalg); if (!macmd) { BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg); } } if (maciter != -1) PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("writing pkcs12"); #endif i2d_PKCS12_bio(out, p12); ret = 0; export_end: #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_pop_info(); CRYPTO_push_info("process -export_cert: freeing"); #endif if (key) EVP_PKEY_free(key); if (certs) sk_X509_pop_free(certs, X509_free); if (ucert) X509_free(ucert); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif goto end; } if (!(p12 = d2i_PKCS12_bio(in, NULL))) { ERR_print_errors(bio_err); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read import password"); #endif if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:"******"Can't read Password\n"); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif if (!twopass) strlcpy(macpass, pass, sizeof macpass); if ((options & INFO) && p12->mac) BIO_printf(bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1); if (macver) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("verify MAC"); #endif /* If we enter empty password try no password first */ if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { /* If mac and crypto pass the same set it to NULL too */ if (!twopass) cpass = NULL; } else if (!PKCS12_verify_mac(p12, mpass, -1)) { BIO_printf(bio_err, "Mac verify error: invalid password?\n"); ERR_print_errors(bio_err); goto end; } BIO_printf(bio_err, "MAC verified OK\n"); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif } #ifdef CRYPTO_MDEBUG CRYPTO_push_info("output keys and certificates"); #endif if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors(bio_err); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif ret = 0; end: if (p12) PKCS12_free(p12); #ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); #endif BIO_free(in); BIO_free_all(out); if (canames) sk_OPENSSL_STRING_free(canames); if (passin) free(passin); if (passout) free(passout); return (ret); }
static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey) { serf_ssl_context_t *ctx = SSL_get_app_data(ssl); apr_status_t status; if (ctx->cached_cert) { *cert = ctx->cached_cert; *pkey = ctx->cached_cert_pw; return 1; } while (ctx->cert_callback) { const char *cert_path; apr_file_t *cert_file; BIO *bio; PKCS12 *p12; int i; int retrying_success = 0; if (ctx->cert_file_success) { status = APR_SUCCESS; cert_path = ctx->cert_file_success; ctx->cert_file_success = NULL; retrying_success = 1; } else { status = ctx->cert_callback(ctx->cert_userdata, &cert_path); } if (status || !cert_path) { break; } /* Load the x.509 cert file stored in PKCS12 */ status = apr_file_open(&cert_file, cert_path, APR_READ, APR_OS_DEFAULT, ctx->pool); if (status) { continue; } bio = BIO_new(&bio_file_method); bio->ptr = cert_file; ctx->cert_path = cert_path; p12 = d2i_PKCS12_bio(bio, NULL); apr_file_close(cert_file); i = PKCS12_parse(p12, NULL, pkey, cert, NULL); if (i == 1) { PKCS12_free(p12); ctx->cached_cert = *cert; ctx->cached_cert_pw = *pkey; if (!retrying_success && ctx->cert_cache_pool) { const char *c; c = apr_pstrdup(ctx->cert_cache_pool, ctx->cert_path); apr_pool_userdata_setn(c, "serf:ssl:cert", apr_pool_cleanup_null, ctx->cert_cache_pool); } return 1; } else { int err = ERR_get_error(); ERR_clear_error(); if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 && ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) { if (ctx->cert_pw_callback) { const char *password; if (ctx->cert_pw_success) { status = APR_SUCCESS; password = ctx->cert_pw_success; ctx->cert_pw_success = NULL; } else { status = ctx->cert_pw_callback(ctx->cert_pw_userdata, ctx->cert_path, &password); } if (!status && password) { i = PKCS12_parse(p12, password, pkey, cert, NULL); if (i == 1) { PKCS12_free(p12); ctx->cached_cert = *cert; ctx->cached_cert_pw = *pkey; if (!retrying_success && ctx->cert_cache_pool) { const char *c; c = apr_pstrdup(ctx->cert_cache_pool, ctx->cert_path); apr_pool_userdata_setn(c, "serf:ssl:cert", apr_pool_cleanup_null, ctx->cert_cache_pool); } if (!retrying_success && ctx->cert_pw_cache_pool) { const char *c; c = apr_pstrdup(ctx->cert_pw_cache_pool, password); apr_pool_userdata_setn(c, "serf:ssl:certpw", apr_pool_cleanup_null, ctx->cert_pw_cache_pool); } return 1; } } } PKCS12_free(p12); return 0; } else { printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err), ERR_GET_FUNC(err), ERR_GET_REASON(err)); PKCS12_free(p12); } } } return 0; }
static Bool LoadPKCS12(SSL_CTX *ctx, const char *file) { char passbuf[256]; char *pass = NULL; PKCS12 *p12; EVP_PKEY *key = NULL; X509 *cert = NULL; BIO *input; int err_reason; int count = 0; const char *prompt = ASKPASS_PROMPT; /* read PKCS #12 from specified file */ if ((input = BIO_new_file(file, "r")) == NULL){ if (d2i_PKCS12_bio(input, &p12) == NULL) return FALSE; } p12 = d2i_PKCS12_bio(input, NULL); BIO_free(input); if (p12 == NULL) return FALSE; /* get key and cert from PKCS #12 */ for (;;){ if (PKCS12_parse(p12, pass, &key, &cert, NULL)) break; err_reason = ERR_GET_REASON(ERR_peek_error()); if (cert){ X509_free(cert); cert = NULL; } if (key){ EVP_PKEY_free(key); key = NULL; } if (err_reason != PKCS12_R_MAC_VERIFY_FAILURE){ Message("PKCS12_parse failure: %s", GetSSLErrorString()); break; } ERR_clear_error(); if (count >= 1) prompt = ASKPASS_PROMPT_RETRY; if ((pass = GetPasswordString(passbuf, sizeof(passbuf), prompt)) == NULL){ Message("PASSWORD input was canceled\n"); break; } count++; } //OPENSSL_cleanse(passbuf, sizeof(passbuf)); memset(passbuf, 0, sizeof(passbuf)); PKCS12_free(p12); /* set key and cert to SSL_CTX */ if (cert && key){ if (!SSL_CTX_use_certificate_with_check(ctx, cert)){ SSL_Error(_d("SSL_CTX_use_certificate failure:\n %s"), GetSSLErrorString()); return FALSE; } if (!SSL_CTX_use_PrivateKey(ctx, key)){ SSL_Error(_d("SSL_CTX_use_PrivateKey failure:\n %s"), GetSSLErrorString()); return FALSE; } if (!SSL_CTX_check_private_key(ctx)){ SSL_Error(_d("SSL_CTX_check_private_key failure:\n %s\n"), GetSSLErrorString()); return FALSE; } } else{ return FALSE; } return TRUE; }
X509* ssl_parse_certificate(void* pCert, size_t certLen, LPCSTR pwd, EVP_PKEY** privateKey) { X509 *x=NULL; PKCS12* p12 = NULL; if(privateKey != NULL) { *privateKey = NULL; } //check for PEM BASE64 header BIO *certBio = NULL; if ((certBio=BIO_new(BIO_s_mem())) != NULL) { BIO_write(certBio, (const char*)pCert, certLen); x = PEM_read_bio_X509(certBio, NULL, 0, NULL); if(x != NULL) { BIO_reset(certBio); BIO_write(certBio, (const char*)pCert, certLen); if(privateKey != NULL) { *privateKey = PEM_read_bio_PrivateKey(certBio, NULL, password_cb, (void*)pwd); } } if(x == NULL) { BIO_reset(certBio); BIO_write(certBio, (const char*)pCert, certLen); p12 = d2i_PKCS12_bio(certBio, NULL); if(p12 != NULL) { if(privateKey == NULL) { PKCS12_parse(p12, pwd, NULL, &x, NULL); } else { PKCS12_parse(p12, pwd, privateKey, &x, NULL); } PKCS12_free(p12); } } BIO_free(certBio); } if(x == NULL) { const UINT8* tmp = (const UINT8*)pCert; x = d2i_X509(NULL, &tmp, certLen); if(x != NULL && privateKey != NULL) { X509_PKEY* pKey; tmp = (const UINT8*)pCert; pKey = d2i_X509_PKEY(NULL, &tmp, certLen); if(pKey != NULL) { *privateKey = pKey->dec_pkey; } } } return x; }
int pkcs12_main(int argc, char **argv) { char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; char *name = NULL, *csp_name = NULL; char pass[50], macpass[50]; int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; # ifndef OPENSSL_NO_RC2 int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; # else int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; # endif int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1, macver = 1, noprompt = 0, add_lmk = 0; char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL; char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL; char *prog; ENGINE *e = NULL; BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; const EVP_CIPHER *enc = EVP_des_ede3_cbc(); OPTION_CHOICE o; prog = opt_init(argc, argv, pkcs12_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: opthelp: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(pkcs12_options); ret = 0; goto end; case OPT_NOKEYS: options |= NOKEYS; break; case OPT_KEYEX: keytype = KEY_EX; break; case OPT_KEYSIG: keytype = KEY_SIG; break; case OPT_NOCERTS: options |= NOCERTS; break; case OPT_CLCERTS: options |= CLCERTS; break; case OPT_CACERTS: options |= CACERTS; break; case OPT_NOOUT: options |= (NOKEYS | NOCERTS); break; case OPT_INFO: options |= INFO; break; case OPT_CHAIN: chain = 1; break; case OPT_TWOPASS: twopass = 1; break; case OPT_NOMACVER: macver = 0; break; case OPT_DESCERT: cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; break; case OPT_EXPORT: export_cert = 1; break; case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &enc)) goto opthelp; break; case OPT_NOITER: iter = 1; break; case OPT_MACITER: maciter = PKCS12_DEFAULT_ITER; break; case OPT_NOMACITER: maciter = 1; break; case OPT_NOMAC: maciter = -1; break; case OPT_MACALG: macalg = opt_arg(); break; case OPT_NODES: enc = NULL; break; case OPT_CERTPBE: if (!set_pbe(&cert_pbe, opt_arg())) goto opthelp; break; case OPT_KEYPBE: if (!set_pbe(&key_pbe, opt_arg())) goto opthelp; break; case OPT_RAND: inrand = opt_arg(); break; case OPT_INKEY: keyname = opt_arg(); break; case OPT_CERTFILE: certfile = opt_arg(); break; case OPT_NAME: name = opt_arg(); break; case OPT_LMK: add_lmk = 1; break; case OPT_CSP: csp_name = opt_arg(); break; case OPT_CANAME: if (canames == NULL && (canames = sk_OPENSSL_STRING_new_null()) == NULL) goto end; sk_OPENSSL_STRING_push(canames, opt_arg()); break; case OPT_IN: infile = opt_arg(); break; case OPT_OUT: outfile = opt_arg(); break; case OPT_PASSIN: passinarg = opt_arg(); break; case OPT_PASSOUT: passoutarg = opt_arg(); break; case OPT_PASSWORD: passarg = opt_arg(); break; case OPT_CAPATH: CApath = opt_arg(); break; case OPT_CAFILE: CAfile = opt_arg(); break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; } } argc = opt_num_rest(); argv = opt_rest(); if (passarg) { if (export_cert) passoutarg = passarg; else passinarg = passarg; } if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if (!cpass) { if (export_cert) cpass = passout; else cpass = passin; } if (cpass) { mpass = cpass; noprompt = 1; } else { cpass = pass; mpass = macpass; } if (export_cert || inrand) { app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); } in = bio_open_default(infile, "rb"); if (in == NULL) goto end; out = bio_open_default(outfile, "wb"); if (out == NULL) goto end; if (twopass) { if (EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:"******"Can't read Password\n"); goto end; } } if (export_cert) { EVP_PKEY *key = NULL; X509 *ucert = NULL, *x = NULL; STACK_OF(X509) *certs = NULL; const EVP_MD *macmd = NULL; unsigned char *catmp = NULL; int i; if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { BIO_printf(bio_err, "Nothing to do!\n"); goto export_end; } if (options & NOCERTS) chain = 0; if (!(options & NOKEYS)) { key = load_key(keyname ? keyname : infile, FORMAT_PEM, 1, passin, e, "private key"); if (!key) goto export_end; } /* Load in all certs in input file */ if (!(options & NOCERTS)) { certs = load_certs(infile, FORMAT_PEM, NULL, e, "certificates"); if (!certs) goto export_end; if (key) { /* Look for matching private key */ for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); if (X509_check_private_key(x, key)) { ucert = x; /* Zero keyid and alias */ X509_keyid_set1(ucert, NULL, 0); X509_alias_set1(ucert, NULL, 0); /* Remove from list */ (void)sk_X509_delete(certs, i); break; } } if (!ucert) { BIO_printf(bio_err, "No certificate matches private key\n"); goto export_end; } } } /* Add any more certificates asked for */ if (certfile) { STACK_OF(X509) *morecerts = NULL; if (!(morecerts = load_certs(certfile, FORMAT_PEM, NULL, e, "certificates from certfile"))) goto export_end; while (sk_X509_num(morecerts) > 0) sk_X509_push(certs, sk_X509_shift(morecerts)); sk_X509_free(morecerts); } /* If chaining get chain from user cert */ if (chain) { int vret; STACK_OF(X509) *chain2; X509_STORE *store; if (!(store = setup_verify(CAfile, CApath))) goto export_end; vret = get_cert_chain(ucert, store, &chain2); X509_STORE_free(store); if (!vret) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num(chain2); i++) sk_X509_push(certs, sk_X509_value(chain2, i)); /* Free first certificate */ X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { if (vret >= 0) BIO_printf(bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); else ERR_print_errors(bio_err); goto export_end; } } /* Add any CA names */ for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); X509_alias_set1(sk_X509_value(certs, i), catmp, -1); } if (csp_name && key) EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, MBSTRING_ASC, (unsigned char *)csp_name, -1); if (add_lmk && key) EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:"******"Can't read Password\n"); goto export_end; } if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); p12 = PKCS12_create(cpass, name, key, ucert, certs, key_pbe, cert_pbe, iter, -1, keytype); if (!p12) { ERR_print_errors(bio_err); goto export_end; } if (macalg) { if (!opt_md(macalg, &macmd)) goto opthelp; } if (maciter != -1) PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); i2d_PKCS12_bio(out, p12); ret = 0; export_end: EVP_PKEY_free(key); if (certs) sk_X509_pop_free(certs, X509_free); if (ucert) X509_free(ucert); goto end; } if (!(p12 = d2i_PKCS12_bio(in, NULL))) { ERR_print_errors(bio_err); goto end; } if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:"******"Can't read Password\n"); goto end; } if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); if ((options & INFO) && p12->mac) BIO_printf(bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1); if (macver) { /* If we enter empty password try no password first */ if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { /* If mac and crypto pass the same set it to NULL too */ if (!twopass) cpass = NULL; } else if (!PKCS12_verify_mac(p12, mpass, -1)) { BIO_printf(bio_err, "Mac verify error: invalid password?\n"); ERR_print_errors(bio_err); goto end; } } if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors(bio_err); goto end; } ret = 0; end: PKCS12_free(p12); if (export_cert || inrand) app_RAND_write_file(NULL); BIO_free(in); BIO_free_all(out); if (canames) sk_OPENSSL_STRING_free(canames); if (passin) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); return (ret); }
/*============================================================================ * OpcUa_P_OpenSSL_RSA_LoadPrivateKeyFromFile *===========================================================================*/ OpcUa_StatusCode OpcUa_P_OpenSSL_RSA_LoadPrivateKeyFromFile( OpcUa_StringA a_privateKeyFile, OpcUa_P_FileFormat a_fileFormat, OpcUa_StringA a_password, /* optional: just needed encrypted PEM */ OpcUa_ByteString* a_pPrivateKey) { BIO* pPrivateKeyFile = OpcUa_Null; RSA* pRsaPrivateKey = OpcUa_Null; EVP_PKEY* pEvpKey = OpcUa_Null; unsigned char* pData; OpcUa_InitializeStatus(OpcUa_Module_P_OpenSSL, "RSA_LoadPrivateKeyFromFile"); /* check parameters */ OpcUa_ReturnErrorIfArgumentNull(a_privateKeyFile); OpcUa_ReturnErrorIfArgumentNull(a_pPrivateKey); if(a_fileFormat == OpcUa_Crypto_Encoding_Invalid) { return OpcUa_BadInvalidArgument; } OpcUa_ReferenceParameter(a_password); /* open file */ pPrivateKeyFile = BIO_new_file((const char*)a_privateKeyFile, "rb"); OpcUa_ReturnErrorIfArgumentNull(pPrivateKeyFile); /* read and convert file */ switch(a_fileFormat) { case OpcUa_Crypto_Encoding_PEM: { /* read from file */ pEvpKey = PEM_read_bio_PrivateKey( pPrivateKeyFile, /* file */ NULL, /* key struct */ 0, /* password callback */ a_password); /* default passphrase or arbitrary handle */ OpcUa_GotoErrorIfNull(pEvpKey, OpcUa_Bad); break; } case OpcUa_Crypto_Encoding_PKCS12: { int iResult = 0; /* read from file. */ PKCS12* pPkcs12 = d2i_PKCS12_bio(pPrivateKeyFile, NULL); if (pPkcs12 == 0) { OpcUa_GotoErrorWithStatus(OpcUa_BadEncodingError); } /* parse the certificate. */ iResult = PKCS12_parse(pPkcs12, a_password, &pEvpKey, NULL, NULL); if (iResult == 0) { OpcUa_GotoErrorWithStatus(OpcUa_BadEncodingError); } /* free certificate. */ PKCS12_free(pPkcs12); pPkcs12 = NULL; break; } case OpcUa_Crypto_Encoding_DER: default: { uStatus = OpcUa_BadNotSupported; OpcUa_GotoError; } } /* convert to intermediary openssl struct */ pRsaPrivateKey = EVP_PKEY_get1_RSA(pEvpKey); EVP_PKEY_free(pEvpKey); OpcUa_GotoErrorIfNull(pRsaPrivateKey, OpcUa_Bad); /* get required length */ a_pPrivateKey->Length = i2d_RSAPrivateKey(pRsaPrivateKey, OpcUa_Null); OpcUa_GotoErrorIfTrue((a_pPrivateKey->Length <= 0), OpcUa_Bad); /* allocate target buffer */ a_pPrivateKey->Data = (OpcUa_Byte*)OpcUa_P_Memory_Alloc(a_pPrivateKey->Length); OpcUa_GotoErrorIfAllocFailed(a_pPrivateKey->Data); /* do real conversion */ pData = a_pPrivateKey->Data; a_pPrivateKey->Length = i2d_RSAPrivateKey(pRsaPrivateKey, &pData); OpcUa_GotoErrorIfTrue((a_pPrivateKey->Length <= 0), OpcUa_Bad); RSA_free(pRsaPrivateKey); BIO_free(pPrivateKeyFile); OpcUa_ReturnStatusCode; OpcUa_BeginErrorHandling; if(pEvpKey) { EVP_PKEY_free(pEvpKey); } if(a_pPrivateKey != OpcUa_Null) { if(a_pPrivateKey->Data != OpcUa_Null) { OpcUa_P_Memory_Free(a_pPrivateKey->Data); a_pPrivateKey->Data = OpcUa_Null; a_pPrivateKey->Length = -1; } } if(pPrivateKeyFile != NULL) { BIO_free(pPrivateKeyFile); } if(pRsaPrivateKey != NULL) { RSA_free(pRsaPrivateKey); } OpcUa_FinishErrorHandling; }
PKCS12 *p12 = NULL; EVP_PKEY *pKey = NULL; STACK_OF(X509) *chain = NULL; xmlSecKeyPtr key = NULL; xmlSecKeyDataPtr data = NULL; xmlSecKeyDataPtr x509Data = NULL; X509 *cert = NULL; X509 *tmpcert = NULL; int i; int has_cert; int ret; xmlSecAssert2(bio != NULL, NULL); p12 = d2i_PKCS12_bio(bio, NULL); if(p12 == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "d2i_PKCS12_fp", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); goto done; } ret = PKCS12_verify_mac(p12, pwd, (pwd != NULL) ? strlen(pwd) : 0); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "PKCS12_verify_mac", XMLSEC_ERRORS_R_CRYPTO_FAILED,