1 /* $OpenBSD: pkcs8.c,v 1.11 2018/02/07 05:47:55 jsing Exp $ */
2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
5 /* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
65 #include <openssl/err.h>
66 #include <openssl/evp.h>
67 #include <openssl/pem.h>
68 #include <openssl/pkcs12.h>
71 const EVP_CIPHER
*cipher
;
86 pkcs8_opt_v1(char *arg
)
88 if ((pkcs8_config
.pbe_nid
= OBJ_txt2nid(arg
)) == NID_undef
) {
89 fprintf(stderr
, "Unknown PBE algorithm '%s'\n", arg
);
97 pkcs8_opt_v2(char *arg
)
99 if ((pkcs8_config
.cipher
= EVP_get_cipherbyname(arg
)) == NULL
) {
100 fprintf(stderr
, "Unknown cipher '%s'\n", arg
);
107 static struct option pkcs8_options
[] = {
110 .desc
= "Generate DSA keys in a broken format",
111 .type
= OPTION_VALUE
,
112 .value
= PKCS8_EMBEDDED_PARAM
,
113 .opt
.value
= &pkcs8_config
.p8_broken
,
118 .desc
= "Input file (default stdin)",
120 .opt
.arg
= &pkcs8_config
.infile
,
125 .desc
= "Input format (DER or PEM (default))",
126 .type
= OPTION_ARG_FORMAT
,
127 .opt
.value
= &pkcs8_config
.informat
,
131 .desc
= "Use or expect unencrypted private key",
133 .opt
.flag
= &pkcs8_config
.nocrypt
,
137 .desc
= "Use 1 as iteration count",
138 .type
= OPTION_VALUE
,
140 .opt
.value
= &pkcs8_config
.iter
,
144 .desc
= "Generate RSA keys in a broken format (no octet)",
145 .type
= OPTION_VALUE
,
146 .value
= PKCS8_NO_OCTET
,
147 .opt
.value
= &pkcs8_config
.p8_broken
,
151 .desc
= "Generate DSA keys in the broken Netscape DB format",
152 .type
= OPTION_VALUE
,
153 .value
= PKCS8_NS_DB
,
154 .opt
.value
= &pkcs8_config
.p8_broken
,
159 .desc
= "Output file (default stdout)",
161 .opt
.arg
= &pkcs8_config
.outfile
,
166 .desc
= "Output format (DER or PEM (default))",
167 .type
= OPTION_ARG_FORMAT
,
168 .opt
.value
= &pkcs8_config
.outformat
,
173 .desc
= "Input file passphrase source",
175 .opt
.arg
= &pkcs8_config
.passargin
,
180 .desc
= "Output file passphrase source",
182 .opt
.arg
= &pkcs8_config
.passargout
,
186 .desc
= "Read traditional format key and write PKCS#8 format"
189 .opt
.flag
= &pkcs8_config
.topk8
,
193 .argname
= "algorithm",
194 .desc
= "Use PKCS#5 v1.5 or PKCS#12 with given algorithm",
195 .type
= OPTION_ARG_FUNC
,
196 .opt
.argfunc
= pkcs8_opt_v1
,
201 .desc
= "Use PKCS#5 v2.0 with given cipher",
202 .type
= OPTION_ARG_FUNC
,
203 .opt
.argfunc
= pkcs8_opt_v2
,
211 fprintf(stderr
, "usage: pkcs8 [-embed] [-in file] "
212 "[-inform fmt] [-nocrypt]\n"
213 " [-noiter] [-nooct] [-nsdb] [-out file] [-outform fmt] "
215 " [-passout src] [-topk8] [-v1 alg] [-v2 alg]\n\n");
216 options_usage(pkcs8_options
);
220 pkcs8_main(int argc
, char **argv
)
222 BIO
*in
= NULL
, *out
= NULL
;
224 PKCS8_PRIV_KEY_INFO
*p8inf
= NULL
;
225 EVP_PKEY
*pkey
= NULL
;
226 char pass
[50], *passin
= NULL
, *passout
= NULL
, *p8pass
= NULL
;
229 if (single_execution
) {
230 if (pledge("stdio cpath wpath rpath tty", NULL
) == -1) {
236 memset(&pkcs8_config
, 0, sizeof(pkcs8_config
));
238 pkcs8_config
.iter
= PKCS12_DEFAULT_ITER
;
239 pkcs8_config
.informat
= FORMAT_PEM
;
240 pkcs8_config
.outformat
= FORMAT_PEM
;
241 pkcs8_config
.p8_broken
= PKCS8_OK
;
242 pkcs8_config
.pbe_nid
= -1;
244 if (options_parse(argc
, argv
, pkcs8_options
, NULL
, NULL
) != 0) {
249 if (!app_passwd(bio_err
, pkcs8_config
.passargin
,
250 pkcs8_config
.passargout
, &passin
, &passout
)) {
251 BIO_printf(bio_err
, "Error getting passwords\n");
254 if ((pkcs8_config
.pbe_nid
== -1) && !pkcs8_config
.cipher
)
255 pkcs8_config
.pbe_nid
= NID_pbeWithMD5AndDES_CBC
;
257 if (pkcs8_config
.infile
) {
258 if (!(in
= BIO_new_file(pkcs8_config
.infile
, "rb"))) {
260 "Can't open input file '%s'\n",
261 pkcs8_config
.infile
);
265 in
= BIO_new_fp(stdin
, BIO_NOCLOSE
);
267 if (pkcs8_config
.outfile
) {
268 if (!(out
= BIO_new_file(pkcs8_config
.outfile
, "wb"))) {
269 BIO_printf(bio_err
, "Can't open output file '%s'\n",
270 pkcs8_config
.outfile
);
274 out
= BIO_new_fp(stdout
, BIO_NOCLOSE
);
276 if (pkcs8_config
.topk8
) {
277 pkey
= load_key(bio_err
, pkcs8_config
.infile
,
278 pkcs8_config
.informat
, 1, passin
, "key");
281 if (!(p8inf
= EVP_PKEY2PKCS8_broken(pkey
,
282 pkcs8_config
.p8_broken
))) {
283 BIO_printf(bio_err
, "Error converting key\n");
284 ERR_print_errors(bio_err
);
287 if (pkcs8_config
.nocrypt
) {
288 if (pkcs8_config
.outformat
== FORMAT_PEM
)
289 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out
, p8inf
);
290 else if (pkcs8_config
.outformat
== FORMAT_ASN1
)
291 i2d_PKCS8_PRIV_KEY_INFO_bio(out
, p8inf
);
294 "Bad format specified for key\n");
302 if (EVP_read_pw_string(pass
, sizeof pass
,
303 "Enter Encryption Password:", 1))
306 if (!(p8
= PKCS8_encrypt(pkcs8_config
.pbe_nid
,
307 pkcs8_config
.cipher
, p8pass
, strlen(p8pass
),
308 NULL
, 0, pkcs8_config
.iter
, p8inf
))) {
309 BIO_printf(bio_err
, "Error encrypting key\n");
310 ERR_print_errors(bio_err
);
313 if (pkcs8_config
.outformat
== FORMAT_PEM
)
314 PEM_write_bio_PKCS8(out
, p8
);
315 else if (pkcs8_config
.outformat
== FORMAT_ASN1
)
316 i2d_PKCS8_bio(out
, p8
);
319 "Bad format specified for key\n");
327 if (pkcs8_config
.nocrypt
) {
328 if (pkcs8_config
.informat
== FORMAT_PEM
)
329 p8inf
= PEM_read_bio_PKCS8_PRIV_KEY_INFO(in
, NULL
,
331 else if (pkcs8_config
.informat
== FORMAT_ASN1
)
332 p8inf
= d2i_PKCS8_PRIV_KEY_INFO_bio(in
, NULL
);
334 BIO_printf(bio_err
, "Bad format specified for key\n");
338 if (pkcs8_config
.informat
== FORMAT_PEM
)
339 p8
= PEM_read_bio_PKCS8(in
, NULL
, NULL
, NULL
);
340 else if (pkcs8_config
.informat
== FORMAT_ASN1
)
341 p8
= d2i_PKCS8_bio(in
, NULL
);
343 BIO_printf(bio_err
, "Bad format specified for key\n");
348 BIO_printf(bio_err
, "Error reading key\n");
349 ERR_print_errors(bio_err
);
356 EVP_read_pw_string(pass
, sizeof pass
,
357 "Enter Password:", 0);
359 p8inf
= PKCS8_decrypt(p8
, p8pass
, strlen(p8pass
));
363 BIO_printf(bio_err
, "Error decrypting key\n");
364 ERR_print_errors(bio_err
);
367 if (!(pkey
= EVP_PKCS82PKEY(p8inf
))) {
368 BIO_printf(bio_err
, "Error converting key\n");
369 ERR_print_errors(bio_err
);
373 BIO_printf(bio_err
, "Warning: broken key encoding: ");
374 switch (p8inf
->broken
) {
376 BIO_printf(bio_err
, "No Octet String in PrivateKey\n");
379 case PKCS8_EMBEDDED_PARAM
:
381 "DSA parameters included in PrivateKey\n");
386 "DSA public key include in PrivateKey\n");
389 case PKCS8_NEG_PRIVKEY
:
390 BIO_printf(bio_err
, "DSA private key value is negative\n");
394 BIO_printf(bio_err
, "Unknown broken type\n");
398 if (pkcs8_config
.outformat
== FORMAT_PEM
)
399 PEM_write_bio_PrivateKey(out
, pkey
, NULL
, NULL
, 0, NULL
,
401 else if (pkcs8_config
.outformat
== FORMAT_ASN1
)
402 i2d_PrivateKey_bio(out
, pkey
);
404 BIO_printf(bio_err
, "Bad format specified for key\n");
411 PKCS8_PRIV_KEY_INFO_free(p8inf
);