diff --git a/CHANGES b/CHANGES index 3fd4e4b00c..7605e6d51a 100644 --- a/CHANGES +++ b/CHANGES @@ -6,7 +6,8 @@ Changes between 0.9.3a and 0.9.4 *) Support for PKCS#5 v1.5 compatible password based encryption algorithms - and partial PKCS#8 functionality. + and partial PKCS#8 functionality. New 'pkcs8' application linked to + openssl. [Steve Henson] *) Introduce some semblance of const correctness to BN. Shame C doesn't diff --git a/apps/Makefile.ssl b/apps/Makefile.ssl index 9f3915f128..ac968f25c1 100644 --- a/apps/Makefile.ssl +++ b/apps/Makefile.ssl @@ -36,7 +36,8 @@ EXE= $(PROGRAM) E_EXE= verify asn1pars req dgst dh enc gendh errstr ca crl \ rsa dsa dsaparam \ x509 genrsa gendsa s_server s_client speed \ - s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 + s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \ + pkcs8 PROGS= $(PROGRAM).c @@ -50,7 +51,7 @@ E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o enc.o gendh.o errstr.o ca.o \ rsa.o dsa.o dsaparam.o \ x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \ s_time.o $(A_OBJ) $(S_OBJ) version.o sess_id.o \ - ciphers.o nseq.o pkcs12.o + ciphers.o nseq.o pkcs12.o pkcs8.o # pem_mail.o @@ -59,7 +60,7 @@ E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c gendh.c errstr.c ca.c \ rsa.c dsa.c dsaparam.c \ x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \ s_time.c $(A_SRC) $(S_SRC) version.c sess_id.c \ - ciphers.c nseq.c pkcs12.c + ciphers.c nseq.c pkcs12.c pkcs8.c # pem_mail.c diff --git a/apps/pkcs8.c b/apps/pkcs8.c new file mode 100644 index 0000000000..07359d6515 --- /dev/null +++ b/apps/pkcs8.c @@ -0,0 +1,194 @@ +/* pkcs8.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +#include +#include +#include +#include +#include + +#include "apps.h" +#define PROG pkcs8_main + + +int MAIN(int argc, char **argv) +{ + char **args, *infile = NULL, *outfile = NULL; + BIO *in = NULL, *out = NULL; + int topk8 = 0; + int pbe_nid = -1; + int iter = PKCS12_DEFAULT_ITER; + int p8_broken = PKCS8_OK; + X509_SIG *p8; + PKCS8_PRIV_KEY_INFO *p8inf; + EVP_PKEY *pkey; + char pass[50]; + int badarg = 0; + if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); + ERR_load_crypto_strings(); + SSLeay_add_all_algorithms(); + args = argv + 1; + while (!badarg && *args && *args[0] == '-') { + if (!strcmp (*args, "-topk8")) topk8 = 1; + else if (!strcmp (*args, "-noiter")) iter = 1; + else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET; + else if (!strcmp (*args, "-in")) { + if (args[1]) { + args++; + infile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-out")) { + if (args[1]) { + args++; + outfile = *args; + } else badarg = 1; + } else badarg = 1; + args++; + } + + if (badarg) { + BIO_printf (bio_err, "Usage pkcs8 [options]\n"); + BIO_printf (bio_err, "where options are\n"); + BIO_printf (bio_err, "-in file input file\n"); + BIO_printf (bio_err, "-out file output file\n"); + BIO_printf (bio_err, "-topk8 output PKCS8 file\n"); + BIO_printf (bio_err, "-nooct use (broken) no octet form\n"); + BIO_printf (bio_err, "-noiter use 1 as iteration cound\n"); + return (1); + } + + if (pbe_nid == -1) pbe_nid = NID_pbeWithMD5AndDES_CBC; + + if (infile) { + if (!(in = BIO_new_file (infile, "r"))) { + BIO_printf (bio_err, + "Can't open input file %s\n", infile); + return (1); + } + } else in = BIO_new_fp (stdin, BIO_NOCLOSE); + + if (outfile) { + if (!(out = BIO_new_file (outfile, "w"))) { + BIO_printf (bio_err, + "Can't open output file %s\n", outfile); + return (1); + } + } else out = BIO_new_fp (stdout, BIO_NOCLOSE); + + if (topk8) { + if (!(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL))) { + BIO_printf (bio_err, "Error reading key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + if (!(p8inf = EVP_PKEY2PKCS8(pkey))) { + BIO_printf (bio_err, "Error converting key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + PKCS8_set_broken(p8inf, p8_broken); + EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); + if (!(p8 = PKCS8_encrypt(pbe_nid, pass, strlen(pass), + NULL, 0, iter, p8inf))) { + BIO_printf (bio_err, "Error encrypting key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + PKCS8_PRIV_KEY_INFO_free (p8inf); + PEM_write_bio_PKCS8 (out, p8); + X509_SIG_free(p8); + return (0); + } + + if (!(p8 = PEM_read_bio_PKCS8 (in, NULL, NULL))) { + BIO_printf (bio_err, "Error reading key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + EVP_read_pw_string(pass, 50, "Enter Password:", 0); + p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass)); + if (!p8inf) { + BIO_printf(bio_err, "Error decrypting key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + + if (!(pkey = EVP_PKCS82PKEY(p8inf))) { + BIO_printf(bio_err, "Error converting key\n", outfile); + ERR_print_errors(bio_err); + return (1); + } + + if (p8inf->broken) { + BIO_printf(bio_err, "Warning: broken key encoding: "); + switch (p8inf->broken) { + case PKCS8_NO_OCTET: + BIO_printf(bio_err, "No Octet String\n"); + break; + + default: + BIO_printf(bio_err, "Unknown broken type\n"); + break; + } + } + + PKCS8_PRIV_KEY_INFO_free(p8inf); + + PEM_write_bio_PrivateKey (out, pkey, NULL, NULL, 0, NULL); + + return (0); +} diff --git a/apps/progs.h b/apps/progs.h index a37d7e42ff..0df792e758 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -27,6 +27,7 @@ extern int sess_id_main(int argc,char *argv[]); extern int ciphers_main(int argc,char *argv[]); extern int nseq_main(int argc,char *argv[]); extern int pkcs12_main(int argc,char *argv[]); +extern int pkcs8_main(int argc,char *argv[]); #ifdef SSLEAY_SRC /* Defined only in openssl.c. */ @@ -90,6 +91,7 @@ FUNCTION functions[] = { #endif {FUNC_TYPE_GENERAL,"nseq",nseq_main}, {FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main}, + {FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main}, {FUNC_TYPE_MD,"md2",dgst_main}, {FUNC_TYPE_MD,"md5",dgst_main}, {FUNC_TYPE_MD,"sha",dgst_main}, diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index 278e9e4dcf..a4d3b43fb9 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -189,4 +189,5 @@ void SSLeay_add_all_digests(void) EVP_add_digest_alias(SN_ripemd160,"rmd160"); #endif PKCS12_PBE_add(); + PKCS5_PBE_add(); } diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 9df4f1fdab..b4231b0428 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -639,6 +639,8 @@ int PKCS5_PBE_keyivgen(const char *pass, int passlen, unsigned char *salt, int saltlen, int iter, EVP_CIPHER *cipher, EVP_MD *md, unsigned char *key, unsigned char *iv); +void PKCS5_PBE_add(void); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run.