Fix some of the command line password stuff. New function that can automatically determine the type of a DER encoded "traditional" format private key and change some of the d2i functions to use it instead of requiring the application to work out the key type.
diff --git a/apps/dsa.c b/apps/dsa.c index 94f71b5..c9b9d71 100644 --- a/apps/dsa.c +++ b/apps/dsa.c
@@ -140,7 +140,7 @@ else if (strcmp(*argv,"-envpassin") == 0) { if (--argc < 1) goto bad; - if(!(passin= getenv(*(++argv)))) + if(!(passin= getenv(*(++argv)))) { BIO_printf(bio_err, "Can't read environment variable %s\n", @@ -151,14 +151,13 @@ else if (strcmp(*argv,"-envpassout") == 0) { if (--argc < 1) goto bad; - if(!(passout= getenv(*(++argv)))) + if(!(passout= getenv(*(++argv)))) { BIO_printf(bio_err, "Can't read environment variable %s\n", *argv); badops = 1; } - argv++; } else if (strcmp(*argv,"-passout") == 0) {
diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 9070329..13aeb9b 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf
@@ -7,7 +7,9 @@ # defined. HOME = . RANDFILE = $ENV::HOME/.rnd -oid_file = $ENV::HOME/.oid + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the
diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 8ac9e12..a958333 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c
@@ -57,6 +57,7 @@ */ #include <stdio.h> #include <string.h> +#include "apps.h" #include <openssl/pem.h> #include <openssl/err.h> #include <openssl/evp.h> @@ -80,7 +81,7 @@ X509_SIG *p8; PKCS8_PRIV_KEY_INFO *p8inf; EVP_PKEY *pkey; - char pass[50]; + char pass[50], *passin = NULL, *passout = NULL; int badarg = 0; if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); informat=FORMAT_PEM; @@ -123,6 +124,38 @@ else if (!strcmp (*args, "-noiter")) iter = 1; else if (!strcmp (*args, "-nocrypt")) nocrypt = 1; else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET; + else if (!strcmp(*args,"-passin")) + { + if (!args[1]) goto bad; + passin= *(++args); + } + else if (!strcmp(*args,"-envpassin")) + { + if (!args[1]) goto bad; + if(!(passin= getenv(*(++args)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *args); + badarg = 1; + } + } + else if (strcmp(*args,"-envpassout") == 0) + { + if (!args[1]) goto bad; + if(!(passout= getenv(*(++args)))) + { + BIO_printf(bio_err, + "Can't read environment variable %s\n", + *args); + badarg = 1; + } + } + else if (!strcmp(*args,"-passout")) + { + if (!args[1]) goto bad; + passout= *(++args); + } else if (!strcmp (*args, "-in")) { if (args[1]) { args++; @@ -138,26 +171,31 @@ } if (badarg) { - BIO_printf (bio_err, "Usage pkcs8 [options]\n"); - BIO_printf (bio_err, "where options are\n"); - BIO_printf (bio_err, "-in file input file\n"); - BIO_printf (bio_err, "-inform X input format (DER or PEM)\n"); - BIO_printf (bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf (bio_err, "-out file output file\n"); - BIO_printf (bio_err, "-topk8 output PKCS8 file\n"); - BIO_printf (bio_err, "-nooct use (broken) no octet form\n"); - BIO_printf (bio_err, "-noiter use 1 as iteration count\n"); - BIO_printf (bio_err, "-nocrypt use or expect unencrypted private key\n"); - BIO_printf (bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); - BIO_printf (bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); + bad: + BIO_printf(bio_err, "Usage pkcs8 [options]\n"); + BIO_printf(bio_err, "where options are\n"); + BIO_printf(bio_err, "-in file input file\n"); + BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); + BIO_printf(bio_err, "-passin arg input file pass phrase\n"); + BIO_printf(bio_err, "-envpassin arg environment variable containing input file pass phrase\n"); + BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); + BIO_printf(bio_err, "-out file output file\n"); + BIO_printf(bio_err, "-passout arg input file pass phrase\n"); + BIO_printf(bio_err, "-envpassout arg environment variable containing input file pass phrase\n"); + BIO_printf(bio_err, "-topk8 output PKCS8 file\n"); + BIO_printf(bio_err, "-nooct use (broken) no octet form\n"); + BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); + BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); + BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); + BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); return (1); } if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC; if (infile) { - if (!(in = BIO_new_file (infile, "rb"))) { - BIO_printf (bio_err, + if (!(in = BIO_new_file(infile, "rb"))) { + BIO_printf(bio_err, "Can't open input file %s\n", infile); return (1); } @@ -165,21 +203,29 @@ if (outfile) { if (!(out = BIO_new_file (outfile, "wb"))) { - BIO_printf (bio_err, + BIO_printf(bio_err, "Can't open output file %s\n", outfile); return (1); } } else out = BIO_new_fp (stdout, BIO_NOCLOSE); if (topk8) { - if (!(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL))) { - BIO_printf (bio_err, "Error reading key\n", outfile); + if(informat == FORMAT_PEM) + pkey = PEM_read_bio_PrivateKey(in, NULL, PEM_cb, passin); + else if(informat == FORMAT_ASN1) + pkey = d2i_PrivateKey_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + return (1); + } + if (!pkey) { + BIO_printf(bio_err, "Error reading key\n", outfile); ERR_print_errors(bio_err); return (1); } BIO_free(in); if (!(p8inf = EVP_PKEY2PKCS8(pkey))) { - BIO_printf (bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n", outfile); ERR_print_errors(bio_err); return (1); } @@ -194,17 +240,20 @@ return (1); } } else { - EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); + if(!passout) { + passout = pass; + EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); + } if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, - pass, strlen(pass), + passout, strlen(passout), NULL, 0, iter, p8inf))) { - BIO_printf (bio_err, "Error encrypting key\n", + BIO_printf(bio_err, "Error encrypting key\n", outfile); ERR_print_errors(bio_err); return (1); } if(outformat == FORMAT_PEM) - PEM_write_bio_PKCS8 (out, p8); + PEM_write_bio_PKCS8(out, p8); else if(outformat == FORMAT_ASN1) i2d_PKCS8_bio(out, p8); else { @@ -243,8 +292,11 @@ ERR_print_errors(bio_err); return (1); } - EVP_read_pw_string(pass, 50, "Enter Password:", 0); - p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass)); + if(!passin) { + passin = pass; + EVP_read_pw_string(pass, 50, "Enter Password:", 0); + } + p8inf = M_PKCS8_decrypt(p8, passin, strlen(passin)); X509_SIG_free(p8); } @@ -274,8 +326,14 @@ } PKCS8_PRIV_KEY_INFO_free(p8inf); - - PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL); + if(outformat == FORMAT_PEM) + PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, PEM_cb, passout); + else if(outformat == FORMAT_ASN1) + i2d_PrivateKey_bio(out, pkey); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + return (1); + } EVP_PKEY_free(pkey); BIO_free(out);
diff --git a/apps/req.c b/apps/req.c index 24e666f..5c14c71 100644 --- a/apps/req.c +++ b/apps/req.c
@@ -237,14 +237,13 @@ else if (strcmp(*argv,"-envpassout") == 0) { if (--argc < 1) goto bad; - if(!(passout= getenv(*(++argv)))) + if(!(passout= getenv(*(++argv)))) { BIO_printf(bio_err, "Can't read environment variable %s\n", *argv); badops = 1; } - argv++; } else if (strcmp(*argv,"-passout") == 0) { @@ -527,10 +526,9 @@ goto end; } -/* if (keyform == FORMAT_ASN1) - rsa=d2i_RSAPrivateKey_bio(in,NULL); - else */ - if (keyform == FORMAT_PEM) + if (keyform == FORMAT_ASN1) + pkey=d2i_PrivateKey_bio(in,NULL); + else if (keyform == FORMAT_PEM) { pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,passin); }
diff --git a/apps/rsa.c b/apps/rsa.c index 684252c..7d58b17 100644 --- a/apps/rsa.c +++ b/apps/rsa.c
@@ -161,7 +161,6 @@ *argv); badops = 1; } - argv++; } else if (strcmp(*argv,"-passout") == 0) {