static int get_cert_chain(X509 *cert, X509_STORE *store,
STACK_OF(X509) **chain);
-int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
- int options, char *pempass, const EVP_CIPHER *enc);
-int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
- char *pass, int passlen, int options, char *pempass,
- const EVP_CIPHER *enc);
-int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
- int passlen, int options, char *pempass,
- const EVP_CIPHER *enc);
+int dump_certs_keys_p12(BIO *out, const PKCS12 *p12,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc);
+int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc);
+int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags,
+ const char *pass, int passlen,
+ int options, char *pempass, const EVP_CIPHER *enc);
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
-static int alg_print(X509_ALGOR *alg);
+static int alg_print(const X509_ALGOR *alg);
int cert_load(BIO *in, STACK_OF(X509) *sk);
static int set_pbe(int *ppbe, const char *str);
{
char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL;
char *name = NULL, *csp_name = NULL;
- char pass[2048], macpass[2048];
+ char pass[2048] = "", macpass[2048] = "";
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
# ifndef OPENSSL_NO_RC2
int noprompt = 0;
char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL;
- char *cpass = NULL, *mpass = NULL;
+ char *cpass = NULL, *mpass = NULL, *badpass = NULL;
const char *CApath = NULL, *CAfile = NULL, *prog;
int noCApath = 0, noCAfile = 0;
ENGINE *e = NULL;
OPENSSL_strlcpy(macpass, pass, sizeof macpass);
if ((options & INFO) && PKCS12_mac_present(p12)) {
- ASN1_INTEGER *tmaciter;
- X509_ALGOR *macalgid;
+ const ASN1_INTEGER *tmaciter;
+ const X509_ALGOR *macalgid;
const ASN1_OBJECT *macobj;
PKCS12_get0_mac(NULL, &macalgid, NULL, &tmaciter, p12);
X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
if (!twopass)
cpass = NULL;
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
- BIO_printf(bio_err, "Mac verify error: invalid password?\n");
- ERR_print_errors(bio_err);
- goto end;
+ /*
+ * May be UTF8 from previous version of OpenSSL:
+ * convert to a UTF8 form which will translate
+ * to the same Unicode password.
+ */
+ unsigned char *utmp;
+ int utmplen;
+ utmp = OPENSSL_asc2uni(mpass, -1, NULL, &utmplen);
+ if (utmp == NULL)
+ goto end;
+ badpass = OPENSSL_uni2utf8(utmp, utmplen);
+ OPENSSL_free(utmp);
+ if (!PKCS12_verify_mac(p12, badpass, -1)) {
+ BIO_printf(bio_err, "Mac verify error: invalid password?\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ } else {
+ BIO_printf(bio_err, "Warning: using broken algorithm\n");
+ if (!twopass)
+ cpass = badpass;
+ }
}
}
PKCS12_free(p12);
if (export_cert || inrand)
app_RAND_write_file(NULL);
+ release_engine(e);
BIO_free(in);
BIO_free_all(out);
sk_OPENSSL_STRING_free(canames);
+ OPENSSL_free(badpass);
OPENSSL_free(passin);
OPENSSL_free(passout);
return (ret);
}
-int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass,
+int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass,
int passlen, int options, char *pempass,
const EVP_CIPHER *enc)
{
return ret;
}
-int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
- char *pass, int passlen, int options, char *pempass,
- const EVP_CIPHER *enc)
+int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc)
{
int i;
for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
return 1;
}
-int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
- int passlen, int options, char *pempass,
- const EVP_CIPHER *enc)
+int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag,
+ const char *pass, int passlen, int options,
+ char *pempass, const EVP_CIPHER *enc)
{
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
+ const PKCS8_PRIV_KEY_INFO *p8c;
X509 *x509;
- STACK_OF(X509_ATTRIBUTE) *attrs;
+ const STACK_OF(X509_ATTRIBUTE) *attrs;
int ret = 0;
attrs = PKCS12_SAFEBAG_get0_attrs(bag);
if (options & NOKEYS)
return 1;
print_attribs(out, attrs, "Bag Attributes");
- p8 = PKCS12_SAFEBAG_get0_p8inf(bag);
- if ((pkey = EVP_PKCS82PKEY(p8)) == NULL)
+ p8c = PKCS12_SAFEBAG_get0_p8inf(bag);
+ if ((pkey = EVP_PKCS82PKEY(p8c)) == NULL)
return 0;
- print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes");
+ print_attribs(out, PKCS8_pkey_get0_attrs(p8c), "Key Attributes");
ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
case NID_pkcs8ShroudedKeyBag:
if (options & INFO) {
- X509_SIG *tp8;
- X509_ALGOR *tp8alg;
+ const X509_SIG *tp8;
+ const X509_ALGOR *tp8alg;
BIO_printf(bio_err, "Shrouded Keybag: ");
tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
- X509_SIG_get0(&tp8alg, NULL, tp8);
+ X509_SIG_get0(tp8, &tp8alg, NULL);
alg_print(tp8alg);
}
if (options & NOKEYS)
return i;
}
-static int alg_print(X509_ALGOR *alg)
+static int alg_print(const X509_ALGOR *alg)
{
int pbenid, aparamtype;
const ASN1_OBJECT *aoid;