From e7871ffaa86581986d65a0cbb88db874a5aeba20 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 5 Jun 1999 12:39:10 +0000 Subject: [PATCH] More PKCS#8 stuff. Support for unencrypted forms of private key. --- CHANGES | 7 +++- apps/pkcs8.c | 92 ++++++++++++++++++++++++++++++-------------- crypto/pem/pem.h | 9 ++++- crypto/pem/pem_all.c | 32 +++++++++++++++ 4 files changed, 109 insertions(+), 31 deletions(-) diff --git a/CHANGES b/CHANGES index 7605e6d51a..0c6d47cfda 100644 --- a/CHANGES +++ b/CHANGES @@ -6,8 +6,11 @@ Changes between 0.9.3a and 0.9.4 *) Support for PKCS#5 v1.5 compatible password based encryption algorithms - and partial PKCS#8 functionality. New 'pkcs8' application linked to - openssl. + and PKCS#8 functionality. New 'pkcs8' application linked to openssl. + Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE + KEY" because this clashed with PKCS#8 unencrypted string. Since this + value was just used as a "magic string" and not used directly its + value doesn't matter. [Steve Henson] *) Introduce some semblance of const correctness to BN. Shame C doesn't diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 442eced7ef..42d6ba437c 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -74,6 +74,7 @@ int MAIN(int argc, char **argv) int iter = PKCS12_DEFAULT_ITER; int informat, outformat; int p8_broken = PKCS8_OK; + int nocrypt = 0; X509_SIG *p8; PKCS8_PRIV_KEY_INFO *p8inf; EVP_PKEY *pkey; @@ -98,6 +99,7 @@ int MAIN(int argc, char **argv) } else badarg = 1; } else if (!strcmp (*args, "-topk8")) topk8 = 1; else if (!strcmp (*args, "-noiter")) iter = 1; + else if (!strcmp (*args, "-nocrypt")) nocrypt = 1; else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET; else if (!strcmp (*args, "-in")) { if (args[1]) { @@ -116,11 +118,14 @@ int MAIN(int argc, char **argv) if (badarg) { BIO_printf (bio_err, "Usage pkcs8 [options]\n"); BIO_printf (bio_err, "where options are\n"); - BIO_printf (bio_err, "-in file input file\n"); - BIO_printf (bio_err, "-out file output file\n"); - BIO_printf (bio_err, "-topk8 output PKCS8 file\n"); - BIO_printf (bio_err, "-nooct use (broken) no octet form\n"); - BIO_printf (bio_err, "-noiter use 1 as iteration cound\n"); + BIO_printf (bio_err, "-in file input file\n"); + BIO_printf (bio_err, "-inform X input format (DER or PEM)\n"); + BIO_printf (bio_err, "-outform X output format (DER or PEM)\n"); + BIO_printf (bio_err, "-out file output file\n"); + BIO_printf (bio_err, "-topk8 output PKCS8 file\n"); + BIO_printf (bio_err, "-nooct use (broken) no octet form\n"); + BIO_printf (bio_err, "-noiter use 1 as iteration count\n"); + BIO_printf (bio_err, "-nocrypt use or expect unencrypted private key\n"); return (1); } @@ -154,35 +159,66 @@ int MAIN(int argc, char **argv) return (1); } PKCS8_set_broken(p8inf, p8_broken); - EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); - if (!(p8 = PKCS8_encrypt(pbe_nid, pass, strlen(pass), - NULL, 0, iter, p8inf))) { - BIO_printf (bio_err, "Error encrypting key\n", outfile); - ERR_print_errors(bio_err); - return (1); + if(nocrypt) { + if(outformat == FORMAT_PEM) + PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf); + else if(outformat == FORMAT_ASN1) + i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + return (1); + } + } else { + EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); + if (!(p8 = PKCS8_encrypt(pbe_nid, pass, strlen(pass), + NULL, 0, iter, p8inf))) { + BIO_printf (bio_err, "Error encrypting key\n", + outfile); + ERR_print_errors(bio_err); + return (1); + } + if(outformat == FORMAT_PEM) + PEM_write_bio_PKCS8 (out, p8); + else if(outformat == FORMAT_ASN1) + i2d_PKCS8_bio(out, p8); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + return (1); + } + X509_SIG_free(p8); } PKCS8_PRIV_KEY_INFO_free (p8inf); - PEM_write_bio_PKCS8 (out, p8); - X509_SIG_free(p8); return (0); } - if(informat == FORMAT_PEM) - p8 = PEM_read_bio_PKCS8(in, NULL, NULL); - else if(informat == FORMAT_ASN1) - p8 = d2i_PKCS8_bio(in, NULL); - else { - BIO_printf(bio_err, "Bad input format specified for key\n"); - return (1); + if(nocrypt) { + if(informat == FORMAT_PEM) + p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL); + else if(informat == FORMAT_ASN1) + p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + return (1); + } + } else { + if(informat == FORMAT_PEM) + p8 = PEM_read_bio_PKCS8(in, NULL, NULL); + else if(informat == FORMAT_ASN1) + p8 = d2i_PKCS8_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + return (1); + } + + if (!p8) { + BIO_printf (bio_err, "Error reading key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + EVP_read_pw_string(pass, 50, "Enter Password:", 0); + p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass)); } - if (!p8) { - BIO_printf (bio_err, "Error reading key\n", outfile); - ERR_print_errors(bio_err); - return (1); - } - EVP_read_pw_string(pass, 50, "Enter Password:", 0); - p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass)); if (!p8inf) { BIO_printf(bio_err, "Error decrypting key\n", outfile); ERR_print_errors(bio_err); @@ -210,7 +246,7 @@ int MAIN(int argc, char **argv) PKCS8_PRIV_KEY_INFO_free(p8inf); - PEM_write_bio_PrivateKey (out, pkey, NULL, NULL, 0, NULL); + PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL); return (0); } diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h index c31984c75a..7c02356f1e 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -104,12 +104,13 @@ extern "C" { #define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST" #define PEM_STRING_X509_REQ "CERTIFICATE REQUEST" #define PEM_STRING_X509_CRL "X509 CRL" -#define PEM_STRING_EVP_PKEY "PRIVATE KEY" +#define PEM_STRING_EVP_PKEY "ANY PRIVATE KEY" #define PEM_STRING_RSA "RSA PRIVATE KEY" #define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY" #define PEM_STRING_DSA "DSA PRIVATE KEY" #define PEM_STRING_PKCS7 "PKCS7" #define PEM_STRING_PKCS8 "ENCRYPTED PRIVATE KEY" +#define PEM_STRING_PKCS8INF "PRIVATE KEY" #define PEM_STRING_DHPARAMS "DH PARAMETERS" #define PEM_STRING_SSL_SESSION "SSL SESSION PARAMETERS" #define PEM_STRING_DSAPARAMS "DSA PARAMETERS" @@ -403,6 +404,8 @@ EVP_PKEY *PEM_read_PrivateKey(FILE *fp,EVP_PKEY **x, pem_password_cb *); PKCS7 *PEM_read_PKCS7(FILE *fp,PKCS7 **x, pem_password_cb *); NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp,NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *); X509_SIG *PEM_read_PKCS8(FILE *fp,X509_SIG **x, pem_password_cb *); +PKCS8_PRIV_KEY_INFO *PEM_read_PKCS8_PRIV_KEY_INFO(FILE *fp, + PKCS8_PRIV_KEY_INFO **x, pem_password_cb *); int PEM_write_X509(FILE *fp,X509 *x); int PEM_write_X509_REQ(FILE *fp,X509_REQ *x); int PEM_write_X509_CRL(FILE *fp,X509_CRL *x); @@ -427,6 +430,7 @@ int PEM_write_DSAparams(FILE *fp,DSA *x); #endif int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp,NETSCAPE_CERT_SEQUENCE *x); int PEM_write_PKCS8(FILE *fp,X509_SIG *x); +int PEM_write_PKCS8_PRIV_KEY_INFO(FILE *fp,PKCS8_PRIV_KEY_INFO *x); #endif #ifdef HEADER_BIO_H @@ -447,6 +451,8 @@ DH *PEM_read_bio_DHparams(BIO *bp,DH **x, pem_password_cb *); #endif NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *); X509_SIG *PEM_read_bio_PKCS8(BIO *bp,X509_SIG **x, pem_password_cb *); +PKCS8_PRIV_KEY_INFO *PEM_read_bio_PKCS8_PRIV_KEY_INFO(BIO *bp, + PKCS8_PRIV_KEY_INFO **x, pem_password_cb *); #ifndef NO_DSA DSA *PEM_read_bio_DSAparams(BIO *bp,DSA **x, pem_password_cb *); #endif @@ -473,6 +479,7 @@ int PEM_write_bio_DSAparams(BIO *bp,DSA *x); #endif int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,NETSCAPE_CERT_SEQUENCE *x); int PEM_write_bio_PKCS8(BIO *bp,X509_SIG *x); +int PEM_write_bio_PKCS8_PRIV_KEY_INFO(BIO *bp,PKCS8_PRIV_KEY_INFO *x); #endif #endif /* SSLEAY_MACROS */ diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index bb3ce5128b..51eec6d9cf 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c @@ -435,3 +435,35 @@ int PEM_write_bio_PKCS8(BIO *bp, X509_SIG *x) return(PEM_ASN1_write_bio((int (*)())i2d_X509_SIG, PEM_STRING_PKCS8,bp, (char *)x, NULL,NULL,0,NULL)); } + +#ifndef NO_FP_API +PKCS8_PRIV_KEY_INFO *PEM_read_PKCS8_PRIV_KEY_INFO(FILE *fp, + PKCS8_PRIV_KEY_INFO **x, pem_password_cb *cb) + { + return((PKCS8_PRIV_KEY_INFO *) + PEM_ASN1_read((char *(*)())d2i_PKCS8_PRIV_KEY_INFO, + PEM_STRING_PKCS8INF,fp,(char **)x,cb)); + } +#endif + +PKCS8_PRIV_KEY_INFO *PEM_read_bio_PKCS8_PRIV_KEY_INFO(BIO *bp, + PKCS8_PRIV_KEY_INFO **x, pem_password_cb *cb) + { + return((PKCS8_PRIV_KEY_INFO *) + PEM_ASN1_read_bio((char *(*)())d2i_PKCS8_PRIV_KEY_INFO, + PEM_STRING_PKCS8INF,bp,(char **)x,cb)); + } + +#ifndef NO_FP_API +int PEM_write_PKCS8_PRIV_KEY_INFO(FILE *fp, PKCS8_PRIV_KEY_INFO *x) + { + return(PEM_ASN1_write((int (*)())i2d_PKCS8_PRIV_KEY_INFO, + PEM_STRING_PKCS8INF,fp, (char *)x, NULL,NULL,0,NULL)); + } +#endif + +int PEM_write_bio_PKCS8_PRIV_KEY_INFO(BIO *bp, PKCS8_PRIV_KEY_INFO *x) + { + return(PEM_ASN1_write_bio((int (*)())i2d_PKCS8_PRIV_KEY_INFO, + PEM_STRING_PKCS8INF,bp, (char *)x, NULL,NULL,0,NULL)); + }