More PKCS#8 stuff. Support for unencrypted forms of private key.

e7871ffa · Dr. Stephen Henson · 8d8a8041 · e7871ffa · e7871ffa · e7871ffa
隐藏空白更改
内联并排

Showing with 109 addition and 31 deletion

CHANGES CHANGES +5 -2

apps/pkcs8.c apps/pkcs8.c +64 -28

crypto/pem/pem.h crypto/pem/pem.h +8 -1

crypto/pem/pem_all.c crypto/pem/pem_all.c +32 -0

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -6,8 +6,11 @@
 Changes between 0.9.3a and 0.9.4

  *) Support for PKCS#5 v1.5 compatible password based encryption algorithms
-     and partial PKCS#8 functionality. New 'pkcs8' application linked to
-     openssl.
+     and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
+     Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
+     KEY" because this clashed with PKCS#8 unencrypted string. Since this
+     value was just used as a "magic string" and not used directly its
+     value doesn't matter.
     [Steve Henson]

  *) Introduce some semblance of const correctness to BN. Shame C doesn't

--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -74,6 +74,7 @@ int MAIN(int argc, char **argv)
 	int iter = PKCS12_DEFAULT_ITER;
 	int informat, outformat;
 	int p8_broken = PKCS8_OK;
+	int nocrypt = 0;
 	X509_SIG *p8;
 	PKCS8_PRIV_KEY_INFO *p8inf;
 	EVP_PKEY *pkey;
@@ -98,6 +99,7 @@ int MAIN(int argc, char **argv)
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-topk8")) topk8 = 1;
 		else if (!strcmp (*args, "-noiter")) iter = 1;
+		else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
 		else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
@@ -116,11 +118,14 @@ int MAIN(int argc, char **argv)
 	if (badarg) {
 		BIO_printf (bio_err, "Usage pkcs8 [options]\n");
 		BIO_printf (bio_err, "where options are\n");
-		BIO_printf (bio_err, "-in file	input file\n");
-		BIO_printf (bio_err, "-out file	output file\n");
-		BIO_printf (bio_err, "-topk8    output PKCS8 file\n");
-		BIO_printf (bio_err, "-nooct    use (broken) no octet form\n");
-		BIO_printf (bio_err, "-noiter   use 1 as iteration cound\n");
+		BIO_printf (bio_err, "-in file   input file\n");
+		BIO_printf (bio_err, "-inform X  input format (DER or PEM)\n");
+		BIO_printf (bio_err, "-outform X output format (DER or PEM)\n");
+		BIO_printf (bio_err, "-out file  output file\n");
+		BIO_printf (bio_err, "-topk8     output PKCS8 file\n");
+		BIO_printf (bio_err, "-nooct     use (broken) no octet form\n");
+		BIO_printf (bio_err, "-noiter    use 1 as iteration count\n");
+		BIO_printf (bio_err, "-nocrypt   use or expect unencrypted private key\n");
 		return (1);
 	}

@@ -154,35 +159,66 @@ int MAIN(int argc, char **argv)
 			return (1);
 		}
 		PKCS8_set_broken(p8inf, p8_broken);
-		EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
-		if (!(p8 = PKCS8_encrypt(pbe_nid, pass, strlen(pass),
-				 NULL, 0, iter, p8inf))) {
-			BIO_printf (bio_err, "Error encrypting key\n", outfile);
-			ERR_print_errors(bio_err);
-			return (1);
+		if(nocrypt) {
+			if(outformat == FORMAT_PEM) 
+				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
+			else if(outformat == FORMAT_ASN1)
+				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
+			else {
+				BIO_printf(bio_err, "Bad format specified for key\n");
+				return (1);
+			}
+		} else {
+			EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+			if (!(p8 = PKCS8_encrypt(pbe_nid, pass, strlen(pass),
+					 NULL, 0, iter, p8inf))) {
+				BIO_printf (bio_err, "Error encrypting key\n",
+								 outfile);
+				ERR_print_errors(bio_err);
+				return (1);
+			}
+			if(outformat == FORMAT_PEM) 
+				PEM_write_bio_PKCS8 (out, p8);
+			else if(outformat == FORMAT_ASN1)
+				i2d_PKCS8_bio(out, p8);
+			else {
+				BIO_printf(bio_err, "Bad format specified for key\n");
+				return (1);
+			}
+			X509_SIG_free(p8);
 		}
 		PKCS8_PRIV_KEY_INFO_free (p8inf);
-		PEM_write_bio_PKCS8 (out, p8);
-		X509_SIG_free(p8);
 		return (0);
 	}

-	if(informat == FORMAT_PEM) 
-		p8 = PEM_read_bio_PKCS8(in, NULL, NULL);
-	else if(informat == FORMAT_ASN1)
-		p8 = d2i_PKCS8_bio(in, NULL);
-	else {
-		BIO_printf(bio_err, "Bad input format specified for key\n");
-		return (1);
-	}
+	if(nocrypt) {
+		if(informat == FORMAT_PEM) 
+			p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL);
+		else if(informat == FORMAT_ASN1)
+			p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
+		else {
+			BIO_printf(bio_err, "Bad format specified for key\n");
+			return (1);
+		}
+	} else {
+		if(informat == FORMAT_PEM) 
+			p8 = PEM_read_bio_PKCS8(in, NULL, NULL);
+		else if(informat == FORMAT_ASN1)
+			p8 = d2i_PKCS8_bio(in, NULL);
+		else {
+			BIO_printf(bio_err, "Bad format specified for key\n");
+			return (1);
+		}

-	if (!p8) {
-		BIO_printf (bio_err, "Error reading key\n", outfile);
-		ERR_print_errors(bio_err);
-		return (1);
+		if (!p8) {
+			BIO_printf (bio_err, "Error reading key\n", outfile);
+			ERR_print_errors(bio_err);
+			return (1);
+		}
+		EVP_read_pw_string(pass, 50, "Enter Password:", 0);
+		p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass));
 	}
-	EVP_read_pw_string(pass, 50, "Enter Password:", 0);
-	p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass));
+
 	if (!p8inf) {
 		BIO_printf(bio_err, "Error decrypting key\n", outfile);
 		ERR_print_errors(bio_err);
@@ -210,7 +246,7 @@ int MAIN(int argc, char **argv)
 	
 	PKCS8_PRIV_KEY_INFO_free(p8inf);

-	PEM_write_bio_PrivateKey (out, pkey, NULL, NULL, 0, NULL);
+	PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL);

 	return (0);
 }
--- a/crypto/pem/pem.h
+++ b/crypto/pem/pem.h
@@ -104,12 +104,13 @@ extern "C" {
 #define PEM_STRING_X509_REQ_OLD	"NEW CERTIFICATE REQUEST"
 #define PEM_STRING_X509_REQ	"CERTIFICATE REQUEST"
 #define PEM_STRING_X509_CRL	"X509 CRL"
-#define PEM_STRING_EVP_PKEY	"PRIVATE KEY"
+#define PEM_STRING_EVP_PKEY	"ANY PRIVATE KEY"
 #define PEM_STRING_RSA		"RSA PRIVATE KEY"
 #define PEM_STRING_RSA_PUBLIC	"RSA PUBLIC KEY"
 #define PEM_STRING_DSA		"DSA PRIVATE KEY"
 #define PEM_STRING_PKCS7	"PKCS7"
 #define PEM_STRING_PKCS8	"ENCRYPTED PRIVATE KEY"
+#define PEM_STRING_PKCS8INF	"PRIVATE KEY"
 #define PEM_STRING_DHPARAMS	"DH PARAMETERS"
 #define PEM_STRING_SSL_SESSION	"SSL SESSION PARAMETERS"
 #define PEM_STRING_DSAPARAMS	"DSA PARAMETERS"
@@ -403,6 +404,8 @@ EVP_PKEY *PEM_read_PrivateKey(FILE *fp,EVP_PKEY **x, pem_password_cb *);
 PKCS7 *PEM_read_PKCS7(FILE *fp,PKCS7 **x, pem_password_cb *);
 NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp,NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *);
 X509_SIG *PEM_read_PKCS8(FILE *fp,X509_SIG **x, pem_password_cb *);
+PKCS8_PRIV_KEY_INFO *PEM_read_PKCS8_PRIV_KEY_INFO(FILE *fp,
+				PKCS8_PRIV_KEY_INFO **x, pem_password_cb *);
 int PEM_write_X509(FILE *fp,X509 *x);
 int PEM_write_X509_REQ(FILE *fp,X509_REQ *x);
 int PEM_write_X509_CRL(FILE *fp,X509_CRL *x);
@@ -427,6 +430,7 @@ int PEM_write_DSAparams(FILE *fp,DSA *x);
 #endif
 int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp,NETSCAPE_CERT_SEQUENCE *x);
 int PEM_write_PKCS8(FILE *fp,X509_SIG *x);
+int PEM_write_PKCS8_PRIV_KEY_INFO(FILE *fp,PKCS8_PRIV_KEY_INFO *x);
 #endif

 #ifdef HEADER_BIO_H
@@ -447,6 +451,8 @@ DH *PEM_read_bio_DHparams(BIO *bp,DH **x, pem_password_cb *);
 #endif
 NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *);
 X509_SIG *PEM_read_bio_PKCS8(BIO *bp,X509_SIG **x, pem_password_cb *);
+PKCS8_PRIV_KEY_INFO *PEM_read_bio_PKCS8_PRIV_KEY_INFO(BIO *bp,
+				PKCS8_PRIV_KEY_INFO **x, pem_password_cb *);
 #ifndef NO_DSA
 DSA *PEM_read_bio_DSAparams(BIO *bp,DSA **x, pem_password_cb *);
 #endif
@@ -473,6 +479,7 @@ int PEM_write_bio_DSAparams(BIO *bp,DSA *x);
 #endif
 int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,NETSCAPE_CERT_SEQUENCE *x);
 int PEM_write_bio_PKCS8(BIO *bp,X509_SIG *x);
+int PEM_write_bio_PKCS8_PRIV_KEY_INFO(BIO *bp,PKCS8_PRIV_KEY_INFO *x);
 #endif

 #endif /* SSLEAY_MACROS */

--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -435,3 +435,35 @@ int PEM_write_bio_PKCS8(BIO *bp, X509_SIG *x)
 	return(PEM_ASN1_write_bio((int (*)())i2d_X509_SIG,
 		PEM_STRING_PKCS8,bp, (char *)x, NULL,NULL,0,NULL));
 	}
+
+#ifndef NO_FP_API
+PKCS8_PRIV_KEY_INFO *PEM_read_PKCS8_PRIV_KEY_INFO(FILE *fp,
+	     PKCS8_PRIV_KEY_INFO **x, pem_password_cb *cb)
+	{
+	return((PKCS8_PRIV_KEY_INFO *)
+		PEM_ASN1_read((char *(*)())d2i_PKCS8_PRIV_KEY_INFO,
+		PEM_STRING_PKCS8INF,fp,(char **)x,cb));
+	}
+#endif
+
+PKCS8_PRIV_KEY_INFO *PEM_read_bio_PKCS8_PRIV_KEY_INFO(BIO *bp,
+	     PKCS8_PRIV_KEY_INFO **x, pem_password_cb *cb)
+	{
+	return((PKCS8_PRIV_KEY_INFO *)
+		PEM_ASN1_read_bio((char *(*)())d2i_PKCS8_PRIV_KEY_INFO,
+		PEM_STRING_PKCS8INF,bp,(char **)x,cb));
+	}
+
+#ifndef NO_FP_API
+int PEM_write_PKCS8_PRIV_KEY_INFO(FILE *fp, PKCS8_PRIV_KEY_INFO *x)
+	{
+	return(PEM_ASN1_write((int (*)())i2d_PKCS8_PRIV_KEY_INFO,
+		PEM_STRING_PKCS8INF,fp, (char *)x, NULL,NULL,0,NULL));
+	}
+#endif
+
+int PEM_write_bio_PKCS8_PRIV_KEY_INFO(BIO *bp, PKCS8_PRIV_KEY_INFO *x)
+	{
+	return(PEM_ASN1_write_bio((int (*)())i2d_PKCS8_PRIV_KEY_INFO,
+		PEM_STRING_PKCS8INF,bp, (char *)x, NULL,NULL,0,NULL));
+	}