Allow passwords to be included on command line for a few

more utilities.

CHANGES

@@ -4,6 +4,12 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
+  *) Add a password callback function PEM_cb() which either prompts for
+     a password if usr_data is NULL or otherwise assumes it is a null
+     terminate password. Allow passwords to be passed on command line
+     environment or config files in a few more utilities.
+     [Steve Henson]
+
   *) Add a bunch of DER and PEM functions to handle PKCS#8 format private
      keys. Add some short names for PKCS#8 PBE algorithms and allow them
      to be specified on the command line for the pkcs8 and pkcs12 utilities.

apps/apps.c

@@ -325,17 +325,6 @@ int app_init(long mesgwin)
 	}
 #endif
 
-int MS_CALLBACK key_cb(char *buf, int len, int verify, void *key)
-	{
-	int i;
-
-	if (key == NULL) return(0);
-	i=strlen(key);
-	i=(i > len)?len:i;
-	memcpy(buf,key,i);
-	return(i);
-	}
-
 int dump_cert_text (BIO *out, X509 *x)
 {
 	char buf[256];

apps/apps.h

@@ -143,7 +143,6 @@ int args_from_file(char *file, int *argc, char **argv[]);
 int str2fmt(char *s);
 void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
-int MS_CALLBACK key_cb(char *buf,int len,int verify,void *u);
 #ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
 #endif

apps/ca.c

@@ -528,13 +528,8 @@ bad:
 		BIO_printf(bio_err,"trying to load CA private key\n");
 		goto err;
 		}
-	if (key == NULL)
-		pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL);
-	else
-		{
-		pkey=PEM_read_bio_PrivateKey(in,NULL,key_cb,key);
-		memset(key,0,strlen(key));
-		}
+		pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,key);
+		if(key) memset(key,0,strlen(key));
 	if (pkey == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CA private key\n");

apps/dsa.c

@@ -236,11 +236,7 @@ bad:
 		else dsa=d2i_DSAPrivateKey_bio(in,NULL);
 	} else if (informat == FORMAT_PEM) {
 		if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
-		else {
-			if(passin) dsa=PEM_read_bio_DSAPrivateKey(in,NULL,
-								key_cb,passin);
-			else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,NULL);
-		}
+		else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,PEM_cb,passin);
 	} else
 		{
 		BIO_printf(bio_err,"bad input format specified for key\n");
@@ -287,12 +283,8 @@ bad:
 	} else if (outformat == FORMAT_PEM) {
 		if(pubin || pubout)
 			i=PEM_write_bio_DSA_PUBKEY(out,dsa);
-		else {
-			if(passout) i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
-							NULL,0,key_cb, passout);
-			i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,
-								     NULL,NULL);
-		}
+		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
+							NULL,0,PEM_cb, passout);
 	} else {
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;

apps/openssl.cnf

@@ -3,6 +3,9 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
 oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
@@ -86,6 +89,10 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
 # This sets the permitted types in a DirectoryString. There are several
 # options. 
 # default: PrintableString, T61String, BMPString.

apps/req.c

@@ -146,6 +146,7 @@ int MAIN(int argc, char **argv)
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
 	int modulus=0;
+	char *passin = NULL, *passout = NULL;
 	char *p;
 	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
 #ifndef MONOLITH
@@ -217,6 +218,39 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			keyout= *(++argv);
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passin= *(++argv);
+			}
+		else if (strcmp(*argv,"-envpassin") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passin= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			}
+		else if (strcmp(*argv,"-envpassout") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passout= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			argv++;
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passout= *(++argv);
+			}
 		else if (strcmp(*argv,"-newkey") == 0)
 			{
 			int is_numeric;
@@ -452,6 +486,12 @@ bad:
 		}
 	}
 
+	if(!passin)
+		passin = CONF_get_string(req_conf, SECTION, "input_password");
+
+	if(!passout)
+		passout = CONF_get_string(req_conf, SECTION, "output_password");
+
 	p = CONF_get_string(req_conf, SECTION, DIRSTRING_TYPE);
 
 	if(p && !ASN1_STRING_set_default_mask_asc(p)) {
@@ -491,7 +531,9 @@ bad:
 			rsa=d2i_RSAPrivateKey_bio(in,NULL);
 		else */
 		if (keyform == FORMAT_PEM)
-			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL);
+			{
+			pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,passin);
+			}
 		else
 			{
 			BIO_printf(bio_err,"bad input format specified for X509 request\n");
@@ -579,7 +621,7 @@ bad:
 		i=0;
 loop:
 		if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
-			NULL,0,NULL,NULL))
+			NULL,0,PEM_cb,passout))
 			{
 			if ((ERR_GET_REASON(ERR_peek_error()) ==
 				PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))

apps/rsa.c

@@ -278,11 +278,7 @@ bad:
 #endif
 	else if (informat == FORMAT_PEM) {
 		if(pubin) rsa=PEM_read_bio_RSA_PUBKEY(in,NULL,NULL,NULL);
-		else {
-			if(passin) rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
-								key_cb,passin);
-			else rsa=PEM_read_bio_RSAPrivateKey(in,NULL,NULL,NULL);
-		}
+		else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, PEM_cb,passin);
 	}
 	else
 		{
@@ -381,12 +377,8 @@ bad:
 	else if (outformat == FORMAT_PEM) {
 		if(pubout || pubin)
 		    i=PEM_write_bio_RSA_PUBKEY(out,rsa);
-		else {
-			if(passout) i=PEM_write_bio_RSAPrivateKey(out,rsa,
-						enc,NULL,0,key_cb,passout);
-			else i=PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,
-								0,NULL,NULL);
-		}
+		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
+						enc,NULL,0,PEM_cb,passout);
 	} else	{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;

apps/smime.c

@@ -60,14 +60,14 @@
 
 #include <stdio.h>
 #include <string.h>
+#include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
-#include "apps.h"
 
 #undef PROG
 #define PROG smime_main
 static X509 *load_cert(char *file);
-static EVP_PKEY *load_key(char *file);
+static EVP_PKEY *load_key(char *file, char *pass);
 static STACK_OF(X509) *load_certs(char *file);
 static X509_STORE *setup_verify(char *CAfile, char *CApath);
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
@@ -98,7 +98,7 @@ int MAIN(int argc, char **argv)
 	int badarg = 0;
 	int flags = PKCS7_DETACHED;
 	char *to = NULL, *from = NULL, *subject = NULL;
-	char *CAfile = NULL, *CApath = NULL;
+	char *CAfile = NULL, *CApath = NULL, *passin = NULL;
 
 	args = argv + 1;
 
@@ -138,7 +138,18 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_BINARY;
 		else if (!strcmp (*args, "-nosigs"))
 				flags |= PKCS7_NOSIGS;
-		else if (!strcmp (*args, "-to")) {
+		else if (!strcmp(*argv,"-passin")) {
+			if (--argc < 1) badarg = 1;
+			else passin= *(++argv);
+		} else if (!strcmp(*argv,"-envpassin")) {
+			if (--argc < 1) badarg = 1;
+			else if(!(passin= getenv(*(++argv)))) {
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badarg = 1;
+			}
+		} else if (!strcmp (*args, "-to")) {
 			if (args[1]) {
 				args++;
 				to = *args;
@@ -303,7 +314,7 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;
 
 	if(keyfile) {
-		if(!(key = load_key(keyfile))) {
+		if(!(key = load_key(keyfile, passin))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
@@ -405,12 +416,12 @@ static X509 *load_cert(char *file)
 	return cert;
 }
 
-static EVP_PKEY *load_key(char *file)
+static EVP_PKEY *load_key(char *file, char *pass)
 {
 	BIO *in;
 	EVP_PKEY *key;
 	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	key = PEM_read_bio_PrivateKey(in, NULL, NULL,NULL);
+	key = PEM_read_bio_PrivateKey(in, NULL,PEM_cb,pass);
 	BIO_free(in);
 	return key;
 }

apps/x509.c

@@ -92,6 +92,8 @@ static char *x509_usage[]={
 " -CAkeyform arg  - CA key format - default PEM\n",
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
+" -passin arg     - private key password\n",
+" -envpassin arg  - read private key password from encvironment variable \"arg\"\n",
 " -serial         - print serial number value\n",
 " -hash           - print hash value\n",
 " -subject        - print subject DN\n",
@@ -129,7 +131,7 @@ NULL
 };
 
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static EVP_PKEY *load_key(char *file, int format);
+static EVP_PKEY *load_key(char *file, int format, char *passin);
 static X509 *load_cert(char *file, int format);
 static int sign (X509 *x, EVP_PKEY *pkey,int days,const EVP_MD *digest,
 						LHASH *conf, char *section);
@@ -166,7 +168,7 @@ int MAIN(int argc, char **argv)
 	char buf[256];
 	const EVP_MD *md_alg,*digest=EVP_md5();
 	LHASH *extconf = NULL;
-	char *extsect = NULL, *extfile = NULL;
+	char *extsect = NULL, *extfile = NULL, *passin = NULL;
 	int need_rand = 0;
 
 	reqfile=0;
@@ -232,6 +234,22 @@ int MAIN(int argc, char **argv)
 				goto bad;
 				}
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passin= *(++argv);
+			}
+		else if (strcmp(*argv,"-envpassin") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passin= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			}
 		else if (strcmp(*argv,"-extfile") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -751,7 +769,7 @@ bad:
 				BIO_printf(bio_err,"Getting Private key\n");
 				if (Upkey == NULL)
 					{
-					Upkey=load_key(keyfile,keyformat);
+					Upkey=load_key(keyfile,keyformat, passin);
 					if (Upkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -768,7 +786,7 @@ bad:
 				BIO_printf(bio_err,"Getting CA Private Key\n");
 				if (CAkeyfile != NULL)
 					{
-					CApkey=load_key(CAkeyfile,CAkeyformat);
+					CApkey=load_key(CAkeyfile,CAkeyformat, passin);
 					if (CApkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -794,7 +812,7 @@ bad:
 					}
 				else
 					{
-					pk=load_key(keyfile,FORMAT_PEM);
+					pk=load_key(keyfile,FORMAT_PEM, passin);
 					if (pk == NULL) goto end;
 					}
 
@@ -1049,7 +1067,7 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 		}
 	}
 
-static EVP_PKEY *load_key(char *file, int format)
+static EVP_PKEY *load_key(char *file, int format, char *passin)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
@@ -1088,7 +1106,7 @@ static EVP_PKEY *load_key(char *file, int format)
 #endif
 		if (format == FORMAT_PEM)
 		{
-		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,NULL);
+		pkey=PEM_read_bio_PrivateKey(key,NULL,PEM_cb,passin);
 		}
 	else
 		{

crypto/pem/pem.h

@@ -601,6 +601,9 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, vo
 
 int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
 			      char *kstr,int klen, pem_password_cb *cd, void *u);
+#ifdef MS_CALLBACK
+int MS_CALLBACK PEM_cb(char *buf, int len, int verify, void *key);
+#endif
 
 #endif /* SSLEAY_MACROS */
 

crypto/pem/pem_lib.c

@@ -121,6 +121,22 @@ static int def_callback(char *buf, int num, int w, void *userdata)
 #endif
 	}
 
+/* This is a generic callback. If the user data is not NULL it is assumed 
+ * to be a null terminated password. Otherwise the default password callback
+ * is called.
+ */
+
+
+int MS_CALLBACK PEM_cb(char *buf, int len, int verify, void *key)
+{
+	int i;
+	if (key == NULL) return def_callback(buf, len, verify, key);
+	i=strlen(key);
+	i=(i > len)?len:i;
+	memcpy(buf,key,i);
+	return(i);
+}
+
 void PEM_proc_type(char *buf, int type)
 	{
 	const char *str;

crypto/x509/x509.h

@@ -663,6 +663,7 @@ int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
 						PKCS8_PRIV_KEY_INFO **p8inf);
 int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
 #endif
 #endif
 
@@ -692,6 +693,7 @@ int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
 						PKCS8_PRIV_KEY_INFO **p8inf);
 int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
 #endif
 
 X509 *X509_dup(X509 *x509);

crypto/x509/x_all.c

@@ -469,6 +469,18 @@ int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf)
 	{
 	return(ASN1_i2d_fp(i2d_PKCS8_PRIV_KEY_INFO,fp,(unsigned char *)p8inf));
 	}
+
+int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key)
+	{
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	int ret;
+	p8inf = EVP_PKEY2PKCS8(key);
+	if(!p8inf) return 0;
+	ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	return ret;
+	}
+
 #endif
 
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -484,3 +496,14 @@ int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf)
 	{
 	return(ASN1_i2d_bio(i2d_PKCS8_PRIV_KEY_INFO,bp,(unsigned char *)p8inf));
 	}
+
+int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key)
+	{
+	PKCS8_PRIV_KEY_INFO *p8inf;
+	int ret;
+	p8inf = EVP_PKEY2PKCS8(key);
+	if(!p8inf) return 0;
+	ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+	PKCS8_PRIV_KEY_INFO_free(p8inf);
+	return ret;
+	}

util/libeay.num

@@ -2149,3 +2149,6 @@ i2d_ASN1_NULL                           2173
 i2d_PKCS8PrivateKey_nid_fp              2174
 d2i_PKCS8PrivateKey_fp                  2175
 i2d_PKCS8PrivateKey_nid_bio             2176
+i2d_PKCS8PrivateKeyInfo_fp              2177
+i2d_PKCS8PrivateKeyInfo_bio             2178
+PEM_cb                                  2179