#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
-#include <openssl/engine.h>
#define PROG pkcs12_main
ENGINE *e = NULL;
char *infile=NULL, *outfile=NULL, *keyname = NULL;
char *certfile=NULL;
- BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
+ BIO *in=NULL, *out = NULL;
char **args;
char *name = NULL;
char *csp_name = NULL;
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+ if (!load_config(bio_err, NULL))
+ goto end;
+
args = argv + 1;
else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
#endif
else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
+#ifndef OPENSSL_NO_AES
+ else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
+ else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
+ else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
+#endif
else if (!strcmp (*args, "-noiter")) iter = 1;
else if (!strcmp (*args, "-maciter"))
maciter = PKCS12_DEFAULT_ITER;
BIO_printf (bio_err, "-des3 encrypt private keys with triple DES (default)\n");
#ifndef OPENSSL_NO_IDEA
BIO_printf (bio_err, "-idea encrypt private keys with idea\n");
+#endif
+#ifndef OPENSSL_NO_AES
+ BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
+ BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
#endif
BIO_printf (bio_err, "-nodes don't encrypt private keys\n");
BIO_printf (bio_err, "-noiter don't use encryption iteration\n");
goto end;
}
+#if 0
if (certfile) {
if(!(certsin = BIO_new_file(certfile, "r"))) {
BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
goto end;
}
}
+#endif
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read MAC password");
#endif
- if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
+ if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert))
{
BIO_printf (bio_err, "Can't read Password\n");
goto end;
CRYPTO_push_info("process -export_cert");
CRYPTO_push_info("reading private key");
#endif
- key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);
- if (!inkey) (void) BIO_reset(in);
- else BIO_free(inkey);
+ key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
+ passin, e, "private key");
if (!key) {
- BIO_printf (bio_err, "Error loading private key\n");
- ERR_print_errors(bio_err);
goto export_end;
}
CRYPTO_push_info("reading certs from input");
#endif
- certs = sk_X509_new_null();
-
/* Load in all certs in input file */
- if(!cert_load(in, certs)) {
- BIO_printf(bio_err, "Error loading certificates from input\n");
- ERR_print_errors(bio_err);
+ if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
+ "certificates"))) {
goto export_end;
}
bags = sk_PKCS12_SAFEBAG_new_null ();
/* Add any more certificates asked for */
- if (certsin) {
- if(!cert_load(certsin, certs)) {
- BIO_printf(bio_err, "Error loading certificates from certfile\n");
- ERR_print_errors(bio_err);
+ if (certfile) {
+ STACK_OF(X509) *morecerts=NULL;
+ if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
+ NULL, e,
+ "certificates from certfile"))) {
goto export_end;
}
- BIO_free(certsin);
+ while(sk_X509_num(morecerts) > 0) {
+ sk_X509_push(certs, sk_X509_shift(morecerts));
+ }
+ sk_X509_free(morecerts);
}
#ifdef CRYPTO_MDEBUG
/* Exclude verified certificate */
for (i = 1; i < sk_X509_num (chain2) ; i++)
sk_X509_push(certs, sk_X509_value (chain2, i));
- }
- sk_X509_free(chain2);
- if (vret) {
+ /* Free first certificate */
+ X509_free(sk_X509_value(chain2, 0));
+ sk_X509_free(chain2);
+ } else {
BIO_printf (bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
goto export_end;
}
sk_X509_pop_free(certs, X509_free);
certs = NULL;
- /* ucert is part of certs so it is already freed */
- ucert = NULL;
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
if(!noprompt &&
- EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
+ EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
BIO_printf (bio_err, "Can't read Password\n");
goto export_end;
}
if (certs) sk_X509_pop_free(certs, X509_free);
if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
- if (ucert) X509_free(ucert);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read import password");
#endif
- if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
+ if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
BIO_printf (bio_err, "Can't read Password\n");
goto end;
}
if (canames) sk_free(canames);
if(passin) OPENSSL_free(passin);
if(passout) OPENSSL_free(passout);
- EXIT(ret);
+ apps_shutdown();
+ OPENSSL_EXIT(ret);
}
int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
print_attribs (out, bag->attrib, "Bag Attributes");
if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
return 0;
- if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+ if (!(pkey = EVP_PKCS82PKEY (p8))) {
+ PKCS8_PRIV_KEY_INFO_free(p8);
+ return 0;
+ }
print_attribs (out, p8->attributes, "Key Attributes");
PKCS8_PRIV_KEY_INFO_free(p8);
PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
STACK_OF(X509) *chn;
int i;
+ /* FIXME: Should really check the return status of X509_STORE_CTX_init
+ * for an error, but how that fits into the return value of this
+ * function is less obvious. */
X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
if (X509_verify_cert(&store_ctx) <= 0) {
i = X509_STORE_CTX_get_error (&store_ctx);