/* pkcs12.c */#if !defined(NO_DES) && !defined(NO_SHA1)/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. *//* ==================================================================== * Copyright (c) 1999 The OpenSSL Project.  All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright *    notice, this list of conditions and the following disclaimer.  * * 2. Redistributions in binary form must reproduce the above copyright *    notice, this list of conditions and the following disclaimer in *    the documentation and/or other materials provided with the *    distribution. * * 3. All advertising materials mentioning features or use of this *    software must display the following acknowledgment: *    "This product includes software developed by the OpenSSL Project *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to *    endorse or promote products derived from this software without *    prior written permission. For written permission, please contact *    licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" *    nor may "OpenSSL" appear in their names without prior written *    permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following *    acknowledgment: *    "This product includes software developed by the OpenSSL Project *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com).  This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */#include <stdio.h>#include <stdlib.h>#include <string.h>#include "apps.h"#include <openssl/crypto.h>#include <openssl/err.h>#include <openssl/pem.h>#include <openssl/pkcs12.h>#define PROG pkcs12_mainEVP_CIPHER *enc;#define NOKEYS		0x1#define NOCERTS 	0x2#define INFO		0x4#define CLCERTS		0x8#define CACERTS		0x10int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass,			  int passlen, int options, char *pempass);int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);void hex_prin(BIO *out, unsigned char *buf, int len);int alg_print(BIO *x, X509_ALGOR *alg);int cert_load(BIO *in, STACK_OF(X509) *sk);int MAIN(int, char **);int MAIN(int argc, char **argv){    char *infile=NULL, *outfile=NULL, *keyname = NULL;	    char *certfile=NULL;    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;    char **args;    char *name = NULL;    PKCS12 *p12 = NULL;    char pass[50], macpass[50];    int export_cert = 0;    int options = 0;    int chain = 0;    int badarg = 0;    int iter = PKCS12_DEFAULT_ITER;    int maciter = PKCS12_DEFAULT_ITER;    int twopass = 0;    int keytype = 0;    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;    int ret = 1;    int macver = 1;    int noprompt = 0;    STACK *canames = NULL;    char *cpass = NULL, *mpass = NULL;    char *passargin = NULL, *passargout = NULL, *passarg = NULL;    char *passin = NULL, *passout = NULL;    char *inrand = NULL;    char *CApath = NULL, *CAfile = NULL;    apps_startup();    enc = EVP_des_ede3_cbc();    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);    args = argv + 1;    while (*args) {	if (*args[0] == '-') {		if (!strcmp (*args, "-nokeys")) options |= NOKEYS;		else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;		else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;		else if (!strcmp (*args, "-nocerts")) options |= NOCERTS;		else if (!strcmp (*args, "-clcerts")) options |= CLCERTS;		else if (!strcmp (*args, "-cacerts")) options |= CACERTS;		else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS);		else if (!strcmp (*args, "-info")) options |= INFO;		else if (!strcmp (*args, "-chain")) chain = 1;		else if (!strcmp (*args, "-twopass")) twopass = 1;		else if (!strcmp (*args, "-nomacver")) macver = 0;		else if (!strcmp (*args, "-descert"))    			cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;		else if (!strcmp (*args, "-export")) export_cert = 1;		else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();#ifndef NO_IDEA		else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();#endif		else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();		else if (!strcmp (*args, "-noiter")) iter = 1;		else if (!strcmp (*args, "-maciter"))					 maciter = PKCS12_DEFAULT_ITER;		else if (!strcmp (*args, "-nomaciter"))					 maciter = 1;		else if (!strcmp (*args, "-nodes")) enc=NULL;		else if (!strcmp (*args, "-certpbe")) {			if (args[1]) {				args++;				cert_pbe=OBJ_txt2nid(*args);				if(cert_pbe == NID_undef) {					BIO_printf(bio_err,						 "Unknown PBE algorithm %s\n", *args);					badarg = 1;				}			} else badarg = 1;		} else if (!strcmp (*args, "-keypbe")) {			if (args[1]) {				args++;				key_pbe=OBJ_txt2nid(*args);				if(key_pbe == NID_undef) {					BIO_printf(bio_err,						 "Unknown PBE algorithm %s\n", *args);					badarg = 1;				}			} else badarg = 1;		} else if (!strcmp (*args, "-rand")) {		    if (args[1]) {			args++;				inrand = *args;		    } else badarg = 1;		} else if (!strcmp (*args, "-inkey")) {		    if (args[1]) {			args++;				keyname = *args;		    } else badarg = 1;		} else if (!strcmp (*args, "-certfile")) {		    if (args[1]) {			args++;				certfile = *args;		    } else badarg = 1;		} else if (!strcmp (*args, "-name")) {		    if (args[1]) {			args++;				name = *args;		    } else badarg = 1;		} else if (!strcmp (*args, "-caname")) {		    if (args[1]) {			args++;				if (!canames) canames = sk_new_null();			sk_push(canames, *args);		    } else badarg = 1;		} else if (!strcmp (*args, "-in")) {		    if (args[1]) {			args++;				infile = *args;		    } else badarg = 1;		} else if (!strcmp (*args, "-out")) {		    if (args[1]) {			args++;				outfile = *args;		    } else badarg = 1;		} else if (!strcmp(*args,"-passin")) {		    if (args[1]) {			args++;				passargin = *args;		    } else badarg = 1;		} else if (!strcmp(*args,"-passout")) {		    if (args[1]) {			args++;				passargout = *args;		    } else badarg = 1;		} else if (!strcmp (*args, "-password")) {		    if (args[1]) {			args++;				passarg = *args;		    	noprompt = 1;		    } else badarg = 1;		} else if (!strcmp(*args,"-CApath")) {		    if (args[1]) {			args++;				CApath = *args;		    } else badarg = 1;		} else if (!strcmp(*args,"-CAfile")) {		    if (args[1]) {			args++;				CAfile = *args;		    } else badarg = 1;		} else badarg = 1;	} else badarg = 1;	args++;    }    if (badarg) {	BIO_printf (bio_err, "Usage: pkcs12 [options]\n");	BIO_printf (bio_err, "where options are\n");	BIO_printf (bio_err, "-export       output PKCS12 file\n");	BIO_printf (bio_err, "-chain        add certificate chain\n");	BIO_printf (bio_err, "-inkey file   private key if not infile\n");	BIO_printf (bio_err, "-certfile f   add all certs in f\n");	BIO_printf (bio_err, "-CApath arg   - PEM format directory of CA's\n");	BIO_printf (bio_err, "-CAfile arg   - PEM format file of CA's\n");	BIO_printf (bio_err, "-name \"name\"  use name as friendly name\n");	BIO_printf (bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");	BIO_printf (bio_err, "-in  infile   input filename\n");	BIO_printf (bio_err, "-out outfile  output filename\n");	BIO_printf (bio_err, "-noout        don't output anything, just verify.\n");	BIO_printf (bio_err, "-nomacver     don't verify MAC.\n");	BIO_printf (bio_err, "-nocerts      don't output certificates.\n");	BIO_printf (bio_err, "-clcerts      only output client certificates.\n");	BIO_printf (bio_err, "-cacerts      only output CA certificates.\n");	BIO_printf (bio_err, "-nokeys       don't output private keys.\n");	BIO_printf (bio_err, "-info         give info about PKCS#12 structure.\n");	BIO_printf (bio_err, "-des          encrypt private keys with DES\n");	BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");#ifndef NO_IDEA	BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");#endif	BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");	BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");	BIO_printf (bio_err, "-maciter      use MAC iteration\n");	BIO_printf (bio_err, "-twopass      separate MAC, encryption passwords\n");	BIO_printf (bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");	BIO_printf (bio_err, "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");	BIO_printf (bio_err, "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");	BIO_printf (bio_err, "-keyex        set MS key exchange type\n");	BIO_printf (bio_err, "-keysig       set MS key signature type\n");	BIO_printf (bio_err, "-password p   set import/export password source\n");	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");	BIO_printf(bio_err,  "              the random number generator\n");    	goto end;    }    if(passarg) {	if(export_cert) passargout = passarg;	else passargin = passarg;    }    if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {	BIO_printf(bio_err, "Error getting passwords\n");	goto end;    }    if(!cpass) {    	if(export_cert) cpass = passout;    	else cpass = passin;    }    if(cpass) {	mpass = cpass;	noprompt = 1;    } else {	cpass = pass;	mpass = macpass;    }    if(export_cert || inrand) {    	app_RAND_load_file(NULL, bio_err, (inrand != NULL));        if (inrand != NULL)		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",			app_RAND_load_files(inrand));    }    ERR_load_crypto_strings();#ifdef CRYPTO_MDEBUG    CRYPTO_push_info("read files");#endif    if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);    else in = BIO_new_file(infile, "rb");    if (!in) {	    BIO_printf(bio_err, "Error opening input file %s\n",						infile ? infile : "<stdin>");	    perror (infile);	    goto end;   }   if (certfile) {    	if(!(certsin = BIO_new_file(certfile, "r"))) {	    BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);	    perror (certfile);	    goto end;	}    }    if (keyname) {    	if(!(inkey = BIO_new_file(keyname, "r"))) {	    BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);	    perror (keyname);	    goto end;	}     }#ifdef CRYPTO_MDEBUG    CRYPTO_pop_info();    CRYPTO_push_info("write files");#endif    if (!outfile) {	out = BIO_new_fp(stdout, BIO_NOCLOSE);#ifdef VMS	{	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());	    out = BIO_push(tmpbio, out);	}#endif    } else out = BIO_new_file(outfile, "wb");    if (!out) {	BIO_printf(bio_err, "Error opening output file %s\n",						outfile ? outfile : "<stdout>");	perror (outfile);	goto end;    }    if (twopass) {#ifdef CRYPTO_MDEBUG    CRYPTO_push_info("read MAC password");#endif	if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))	{    	    BIO_printf (bio_err, "Can't read Password\n");    	    goto end;       	}#ifdef CRYPTO_MDEBUG    CRYPTO_pop_info();#endif    }    if (export_cert) {	EVP_PKEY *key = NULL;	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;	STACK_OF(PKCS7) *safes = NULL;	PKCS12_SAFEBAG *bag = NULL;	PKCS8_PRIV_KEY_INFO *p8 = NULL;	PKCS7 *authsafe = NULL;	X509 *ucert = NULL;	STACK_OF(X509) *certs=NULL;	char *catmp = NULL;	int i;	unsigned char keyid[EVP_MAX_MD_SIZE];	unsigned int keyidlen = 0;#ifdef CRYPTO_MDEBUG	CRYPTO_push_info("process -export_cert");	CRYPTO_push_info("reading private key");#endif	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);	if (!inkey) (void) BIO_reset(in);	else BIO_free(inkey);	if (!key) {		BIO_printf (bio_err, "Error loading private key\n");		ERR_print_errors(bio_err);		goto export_end;	}#ifdef CRYPTO_MDEBUG	CRYPTO_pop_info();	CRYPTO_push_info("reading certs from input");#endif	certs = sk_X509_new_null();	/* Load in all certs in input file */	if(!cert_load(in, certs)) {		BIO_printf(bio_err, "Error loading certificates from input\n");		ERR_print_errors(bio_err);		goto export_end;	}#ifdef CRYPTO_MDEBUG	CRYPTO_pop_info();	CRYPTO_push_info("reading certs from input 2");#endif	for(i = 0; i < sk_X509_num(certs); i++) {		ucert = sk_X509_value(certs, i);		if(X509_check_private_key(ucert, key)) {			X509_digest(ucert, EVP_sha1(), keyid, &keyidlen);			break;		}	}	if(!keyidlen) {		ucert = NULL;		BIO_printf(bio_err, "No certificate matches private key\n");		goto export_end;	}	#ifdef CRYPTO_MDEBUG	CRYPTO_pop_info();	CRYPTO_push_info("reading certs from certfile");#endif	bags = sk_PKCS12_SAFEBAG_new_null ();	/* Add any more certificates asked for */	if (certsin) {		if(!cert_load(certsin, certs)) {			BIO_printf(bio_err, "Error loading certificates from certfile\n");			ERR_print_errors(bio_err);			goto export_end;		}	    	BIO_free(certsin); 	}#ifdef CRYPTO_MDEBUG	CRYPTO_pop_info();