Changes between 0.9.4 and 0.9.5 [xx XXX 2000]
+ *) Reorganise password command line arguments: now passwords can be
+ obtained from various sources. Delete the PEM_cb function and make
+ it the default behaviour: i.e. if the callback is NULL and the
+ usrdata argument is not NULL interpret it as a null terminated pass
+ phrase. If usrdata and the callback are NULL then the pass phrase
+ is prompted for as usual.
+ [Steve Henson]
+
*) Add support for the Compaq Atalla crypto accelerator. If it is installed,
the support is automatically enabled. The resulting binaries will
autodetect the card and use it if present.
}
#endif
+
int dump_cert_text (BIO *out, X509 *x)
{
char buf[256];
BIO_puts(out,"\n");
return 0;
}
+
+static char *app_get_pass(BIO *err, char *arg, int keepbio);
+
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
+{
+ int same;
+ if(!arg2 || !arg1 || strcmp(arg1, arg2)) same = 0;
+ else same = 1;
+ if(arg1) {
+ *pass1 = app_get_pass(err, arg1, same);
+ if(!*pass1) return 0;
+ } else if(pass1) *pass1 = NULL;
+ if(arg2) {
+ *pass2 = app_get_pass(err, arg2, same ? 2 : 0);
+ if(!*pass2) return 0;
+ } else if(pass2) *pass2 = NULL;
+ return 1;
+}
+
+static char *app_get_pass(BIO *err, char *arg, int keepbio)
+{
+ char *tmp, tpass[APP_PASS_LEN];
+ static BIO *pwdbio = NULL;
+ int i;
+ if(!strncmp(arg, "pass:", 5)) return BUF_strdup(arg + 5);
+ if(!strncmp(arg, "env:", 4)) {
+ tmp = getenv(arg + 4);
+ if(!tmp) {
+ BIO_printf(err, "Can't read environment variable %s\n", arg + 4);
+ return NULL;
+ }
+ return BUF_strdup(tmp);
+ }
+ if(!keepbio || !pwdbio) {
+ if(!strncmp(arg, "file:", 5)) {
+ pwdbio = BIO_new_file(arg + 5, "r");
+ if(!pwdbio) {
+ BIO_printf(err, "Can't open file %s\n", arg + 5);
+ return NULL;
+ }
+ } else if(!strncmp(arg, "fd:", 3)) {
+ BIO *btmp;
+ i = atoi(arg + 3);
+ if(i >= 0) pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
+ if((i < 0) || !pwdbio) {
+ BIO_printf(err, "Can't access file descriptor %s\n", arg + 3);
+ return NULL;
+ }
+ /* Can't do BIO_gets on an fd BIO so add a buffering BIO */
+ btmp = BIO_new(BIO_f_buffer());
+ pwdbio = BIO_push(btmp, pwdbio);
+ } else if(!strcmp(arg, "stdin")) {
+ pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+ if(!pwdbio) {
+ BIO_printf(err, "Can't open BIO for stdin\n");
+ return NULL;
+ }
+ } else {
+ BIO_printf(err, "Invalid password argument \"%s\"\n", arg);
+ return NULL;
+ }
+ }
+ i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
+ if(keepbio != 1) {
+ BIO_free_all(pwdbio);
+ pwdbio = NULL;
+ }
+ if(i <= 0) {
+ BIO_printf(err, "Error reading password from BIO\n");
+ return NULL;
+ }
+ tmp = strchr(tpass, '\n');
+ if(tmp) *tmp = 0;
+ return BUF_strdup(tpass);
+}
#ifdef HEADER_X509_H
int dump_cert_text(BIO *out, X509 *x);
#endif
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
#define FORMAT_UNDEF 0
#define FORMAT_ASN1 1
#define FORMAT_TEXT 2
#define FORMAT_PEM 3
#define FORMAT_NETSCAPE 4
+#define APP_PASS_LEN 1024
+
#endif
BIO_printf(bio_err,"trying to load CA private key\n");
goto err;
}
- pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,key);
+ pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
if(key) memset(key,0,strlen(key));
if (pkey == NULL)
{
int informat,outformat,text=0,noout=0;
int pubin = 0, pubout = 0;
char *infile,*outfile,*prog;
+ char *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
int modulus=0;
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
- passin= *(++argv);
- }
- else if (strcmp(*argv,"-envpassin") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passin= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
- }
- else if (strcmp(*argv,"-envpassout") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passout= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
+ passargin= *(++argv);
}
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
- passout= *(++argv);
+ passargout= *(++argv);
}
else if (strcmp(*argv,"-noout") == 0)
noout=1;
BIO_printf(bio_err," -inform arg input format - DER or PEM\n");
BIO_printf(bio_err," -outform arg output format - DER or PEM\n");
BIO_printf(bio_err," -in arg input file\n");
- BIO_printf(bio_err," -passin arg input file pass phrase\n");
- BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
+ BIO_printf(bio_err," -passin arg input file pass phrase source\n");
BIO_printf(bio_err," -out arg output file\n");
- BIO_printf(bio_err," -passout arg output file pass phrase\n");
- BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
+ BIO_printf(bio_err," -passout arg output file pass phrase source\n");
BIO_printf(bio_err," -des encrypt PEM output with cbc des\n");
BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
#ifndef NO_IDEA
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ BIO_printf(bio_err, "Error getting passwords\n");
+ goto end;
+ }
+
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL))
else dsa=d2i_DSAPrivateKey_bio(in,NULL);
} else if (informat == FORMAT_PEM) {
if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
- else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,PEM_cb,passin);
+ else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,passin);
} else
{
BIO_printf(bio_err,"bad input format specified for key\n");
if(pubin || pubout)
i=PEM_write_bio_DSA_PUBKEY(out,dsa);
else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
- NULL,0,PEM_cb, passout);
+ NULL,0,NULL, passout);
} else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
else
ret=0;
end:
- if (in != NULL) BIO_free(in);
- if (out != NULL) BIO_free(out);
- if (dsa != NULL) DSA_free(dsa);
+ if(in != NULL) BIO_free(in);
+ if(out != NULL) BIO_free(out);
+ if(dsa != NULL) DSA_free(dsa);
+ if(passin) Free(passin);
+ if(passout) Free(passout);
EXIT(ret);
}
#endif
int ret=1;
char *outfile=NULL;
char *inrand=NULL,*dsaparams=NULL;
- char *passout = NULL;
+ char *passargout = NULL, *passout = NULL;
BIO *out=NULL,*in=NULL;
EVP_CIPHER *enc=NULL;
if (--argc < 1) goto bad;
outfile= *(++argv);
}
- else if (strcmp(*argv,"-envpassout") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passout= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- goto bad;
- }
- }
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
- passout= *(++argv);
+ passargout= *(++argv);
}
else if (strcmp(*argv,"-rand") == 0)
{
goto end;
}
+ if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
+
in=BIO_new(BIO_s_file());
if (!(BIO_read_filename(in,dsaparams)))
{
app_RAND_write_file(NULL, bio_err);
- if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,PEM_cb, passout))
+ if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL, passout))
goto end;
ret=0;
end:
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free(out);
if (dsa != NULL) DSA_free(dsa);
+ if(passout) Free(passout);
EXIT(ret);
}
#endif
EVP_CIPHER *enc=NULL;
unsigned long f4=RSA_F4;
char *outfile=NULL;
- char *passout = NULL;
+ char *passargout = NULL, *passout = NULL;
char *inrand=NULL;
BIO *out=NULL;
else if (strcmp(*argv,"-idea") == 0)
enc=EVP_idea_cbc();
#endif
- else if (strcmp(*argv,"-envpassout") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passout= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- goto bad;
- }
- }
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
- passout= *(++argv);
+ passargout= *(++argv);
}
else
break;
BIO_printf(bio_err," -idea encrypt the generated key with IDEA in cbc mode\n");
#endif
BIO_printf(bio_err," -out file output the key to 'file\n");
- BIO_printf(bio_err," -passout arg output file pass phrase\n");
- BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
+ BIO_printf(bio_err," -passout arg output file pass phrase source\n");
BIO_printf(bio_err," -f4 use F4 (0x10001) for the E value\n");
BIO_printf(bio_err," -3 use 3 for the E value\n");
BIO_printf(bio_err," -rand file:file:...\n");
}
ERR_load_crypto_strings();
+
+ if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto err;
+ }
+
if (outfile == NULL)
BIO_set_fp(out,stdout,BIO_NOCLOSE);
else
l+=rsa->e->d[i];
}
BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
- if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,PEM_cb, passout))
+ if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,NULL, passout))
goto err;
ret=0;
err:
if (rsa != NULL) RSA_free(rsa);
if (out != NULL) BIO_free(out);
+ if(passout) Free(passout);
if (ret != 0)
ERR_print_errors(bio_err);
EXIT(ret);
int noprompt = 0;
STACK *canames = NULL;
char *cpass = NULL, *mpass = NULL;
+ char *passargin = NULL, *passargout = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL;
char *inrand = NULL;
} else if (!strcmp(*args,"-passin")) {
if (args[1]) {
args++;
- passin = *args;
- } else badarg = 1;
- } else if (!strcmp(*args,"-envpassin")) {
- if (args[1]) {
- args++;
- if(!(passin= getenv(*args))) {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *args);
- badarg = 1;
- }
- } else badarg = 1;
- } else if (!strcmp(*args,"-envpassout")) {
- if (args[1]) {
- args++;
- if(!(passout= getenv(*args))) {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *args);
- badarg = 1;
- }
+ passargin = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-passout")) {
if (args[1]) {
args++;
- passout = *args;
- } else badarg = 1;
- } else if (!strcmp (*args, "-envpass")) {
- if (args[1]) {
- args++;
- if(!(cpass = getenv(*args))) {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n", *args);
- goto end;
- }
+ passargout = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-password")) {
if (args[1]) {
args++;
- cpass = *args;
+ passarg = *args;
noprompt = 1;
} else badarg = 1;
} else badarg = 1;
BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
BIO_printf (bio_err, "-keyex set MS key exchange type\n");
BIO_printf (bio_err, "-keysig set MS key signature type\n");
- BIO_printf (bio_err, "-password p set import/export password (NOT RECOMMENDED)\n");
- BIO_printf (bio_err, "-envpass p set import/export password from environment\n");
- BIO_printf (bio_err, "-passin p input file pass phrase\n");
- BIO_printf (bio_err, "-envpassin p environment variable containing input file pass phrase\n");
- BIO_printf (bio_err, "-passout p output file pass phrase\n");
- BIO_printf (bio_err, "-envpassout p environment variable containing output file pass phrase\n");
+ BIO_printf (bio_err, "-password p set import/export password source\n");
+ BIO_printf (bio_err, "-passin p input file pass phrase source\n");
+ BIO_printf (bio_err, "-passout p output file pass phrase source\n");
BIO_printf(bio_err, "-rand file:file:...\n");
BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
goto end;
}
+ if(passarg) {
+ if(export_cert) passargout = passarg;
+ else passargin = passarg;
+ }
+
+ if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ BIO_printf(bio_err, "Error getting passwords\n");
+ goto end;
+ }
+
if(!cpass) {
if(export_cert) cpass = passout;
else cpass = passin;
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("process -export_cert");
#endif
- key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, PEM_cb, passin);
+ key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);
if (!inkey) (void) BIO_reset(in);
else BIO_free(inkey);
if (!key) {
#endif
BIO_free(in);
BIO_free(out);
+ if(passin) Free(passin);
+ if(passout) Free(passout);
EXIT(ret);
}
p8 = bag->value.keybag;
if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
print_attribs (out, p8->attributes, "Key Attributes");
- PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
+ PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
print_attribs (out, p8->attributes, "Key Attributes");
PKCS8_PRIV_KEY_INFO_free(p8);
- PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, PEM_cb, pempass);
+ PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
int MAIN(int argc, char **argv)
{
char **args, *infile = NULL, *outfile = NULL;
+ char *passargin = NULL, *passargout = NULL;
BIO *in = NULL, *out = NULL;
int topk8 = 0;
int pbe_nid = -1;
else if (!strcmp(*args,"-passin"))
{
if (!args[1]) goto bad;
- passin= *(++args);
- }
- else if (!strcmp(*args,"-envpassin"))
- {
- if (!args[1]) goto bad;
- if(!(passin= getenv(*(++args))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *args);
- badarg = 1;
- }
- }
- else if (strcmp(*args,"-envpassout") == 0)
- {
- if (!args[1]) goto bad;
- if(!(passout= getenv(*(++args))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *args);
- badarg = 1;
- }
+ passargin= *(++args);
}
else if (!strcmp(*args,"-passout"))
{
if (!args[1]) goto bad;
- passout= *(++args);
+ passargout= *(++args);
}
else if (!strcmp (*args, "-in")) {
if (args[1]) {
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-in file input file\n");
BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
- BIO_printf(bio_err, "-passin arg input file pass phrase\n");
- BIO_printf(bio_err, "-envpassin arg environment variable containing input file pass phrase\n");
+ BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
BIO_printf(bio_err, "-out file output file\n");
- BIO_printf(bio_err, "-passout arg output file pass phrase\n");
- BIO_printf(bio_err, "-envpassout arg environment variable containing outut file pass phrase\n");
+ BIO_printf(bio_err, "-passout arg output file pass phrase source\n");
BIO_printf(bio_err, "-topk8 output PKCS8 file\n");
BIO_printf(bio_err, "-nooct use (nonstandard) no octet format\n");
BIO_printf(bio_err, "-embed use (nonstandard) embedded DSA parameters format\n");
return (1);
}
+ if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ BIO_printf(bio_err, "Error getting passwords\n");
+ return (1);
+ }
+
if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
if (infile) {
if (topk8) {
if(informat == FORMAT_PEM)
- pkey = PEM_read_bio_PrivateKey(in, NULL, PEM_cb, passin);
+ pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, passin);
else if(informat == FORMAT_ASN1)
pkey = d2i_PrivateKey_bio(in, NULL);
else {
PKCS8_PRIV_KEY_INFO_free(p8inf);
if(outformat == FORMAT_PEM)
- PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, PEM_cb, passout);
+ PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
else if(outformat == FORMAT_ASN1)
i2d_PrivateKey_bio(out, pkey);
else {
EVP_PKEY_free(pkey);
BIO_free(out);
BIO_free(in);
+ if(passin) Free(passin);
+ if(passout) Free(passout);
return (0);
}
char *req_exts = NULL;
EVP_CIPHER *cipher=NULL;
int modulus=0;
+ char *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
char *p;
const EVP_MD *md_alg=NULL,*digest=EVP_md5();
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
- passin= *(++argv);
- }
- else if (strcmp(*argv,"-envpassin") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passin= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
- }
- else if (strcmp(*argv,"-envpassout") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passout= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
+ passargin= *(++argv);
}
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
- passout= *(++argv);
+ passargout= *(++argv);
}
else if (strcmp(*argv,"-newkey") == 0)
{
BIO_printf(bio_err," -days number of days a x509 generated by -x509 is valid for.\n");
BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n");
BIO_printf(bio_err," have been reported as requiring\n");
- BIO_printf(bio_err," [ It is now always turned on but can be turned off with -no-asn1-kludge ]\n");
BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n");
goto end;
}
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ BIO_printf(bio_err, "Error getting passwords\n");
+ goto end;
+ }
#ifndef MONOLITH /* else this has happened in openssl.c (global `config') */
/* Lets load up our environment a little */
pkey=d2i_PrivateKey_bio(in,NULL);
else if (keyform == FORMAT_PEM)
{
- pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,passin);
+ pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,passin);
}
else
{
i=0;
loop:
if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
- NULL,0,PEM_cb,passout))
+ NULL,0,NULL,passout))
{
if ((ERR_GET_REASON(ERR_peek_error()) ==
PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
EVP_PKEY_free(pkey);
X509_REQ_free(req);
X509_free(x509ss);
+ if(passin) Free(passin);
+ if(passout) Free(passout);
OBJ_cleanup();
#ifndef NO_DSA
if (dsa_params != NULL) DSA_free(dsa_params);
int informat,outformat,text=0,check=0,noout=0;
int pubin = 0, pubout = 0;
char *infile,*outfile,*prog;
+ char *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
int modulus=0;
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
- passin= *(++argv);
- }
- else if (strcmp(*argv,"-envpassin") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passin= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
- }
- else if (strcmp(*argv,"-envpassout") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passout= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
+ passargin= *(++argv);
}
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
- passout= *(++argv);
+ passargout= *(++argv);
}
else if (strcmp(*argv,"-pubin") == 0)
pubin=1;
BIO_printf(bio_err," -inform arg input format - one of DER NET PEM\n");
BIO_printf(bio_err," -outform arg output format - one of DER NET PEM\n");
BIO_printf(bio_err," -in arg input file\n");
- BIO_printf(bio_err," -passin arg input file pass phrase\n");
- BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
+ BIO_printf(bio_err," -passin arg input file pass phrase source\n");
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
- BIO_printf(bio_err," -passout arg output file pass phrase\n");
- BIO_printf(bio_err," -envpassout arg environment variable containing output file pass phrase\n");
+ BIO_printf(bio_err," -passout arg output file pass phrase source\n");
BIO_printf(bio_err," -des encrypt PEM output with cbc des\n");
BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
#ifndef NO_IDEA
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ BIO_printf(bio_err, "Error getting passwords\n");
+ goto end;
+ }
+
if(check && pubin) {
BIO_printf(bio_err, "Only private keys can be checked\n");
goto end;
#endif
else if (informat == FORMAT_PEM) {
if(pubin) rsa=PEM_read_bio_RSA_PUBKEY(in,NULL,NULL,NULL);
- else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, PEM_cb,passin);
+ else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, NULL,passin);
}
else
{
if(pubout || pubin)
i=PEM_write_bio_RSA_PUBKEY(out,rsa);
else i=PEM_write_bio_RSAPrivateKey(out,rsa,
- enc,NULL,0,PEM_cb,passout);
+ enc,NULL,0,NULL,passout);
} else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
else
ret=0;
end:
- if (in != NULL) BIO_free(in);
- if (out != NULL) BIO_free(out);
- if (rsa != NULL) RSA_free(rsa);
+ if(in != NULL) BIO_free(in);
+ if(out != NULL) BIO_free(out);
+ if(rsa != NULL) RSA_free(rsa);
+ if(passin) Free(passin);
+ if(passout) Free(passout);
EXIT(ret);
}
#else /* !NO_RSA */
int badarg = 0;
int flags = PKCS7_DETACHED;
char *to = NULL, *from = NULL, *subject = NULL;
- char *CAfile = NULL, *CApath = NULL, *passin = NULL;
+ char *CAfile = NULL, *CApath = NULL;
+ char *passargin = NULL, *passin = NULL;
char *inrand = NULL;
int need_rand = 0;
args = argv + 1;
} else if (!strcmp(*args,"-passin")) {
if (args[1]) {
args++;
- passin = *args;
- } else badarg = 1;
- } else if (!strcmp(*argv,"-envpassin")) {
- if (args[1]) {
- args++;
- if(!(passin= getenv(*args))) {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *args);
- badarg = 1;
- }
+ passargin = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-to")) {
if (args[1]) {
goto end;
}
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
if (need_rand) {
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
if (inrand != NULL)
BIO_free(in);
BIO_free(indata);
BIO_free(out);
+ if(passin) Free(passin);
return (ret);
}
BIO *in;
EVP_PKEY *key;
if(!(in = BIO_new_file(file, "r"))) return NULL;
- key = PEM_read_bio_PrivateKey(in, NULL,PEM_cb,pass);
+ key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
BIO_free(in);
return key;
}
int i,badops=0, ret = 1;
BIO *in = NULL,*out = NULL, *key = NULL;
int verify=0,noout=0,pubkey=0;
- char *infile = NULL,*outfile = NULL,*prog, *passin = NULL;
+ char *infile = NULL,*outfile = NULL,*prog;
+ char *passargin = NULL, *passin = NULL;
char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
char *challenge = NULL, *keyfile = NULL;
LHASH *conf = NULL;
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
- passin= *(++argv);
- }
- else if (strcmp(*argv,"-envpassin") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passin= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
+ passargin= *(++argv);
}
else if (strcmp(*argv,"-key") == 0)
{
BIO_printf(bio_err," -in arg input file\n");
BIO_printf(bio_err," -out arg output file\n");
BIO_printf(bio_err," -key arg create SPKAC using private key\n");
- BIO_printf(bio_err," -passin arg input file pass phrase\n");
- BIO_printf(bio_err," -envpassin arg environment variable containing input file pass phrase\n");
+ BIO_printf(bio_err," -passin arg input file pass phrase source\n");
BIO_printf(bio_err," -challenge arg challenge string\n");
BIO_printf(bio_err," -spkac arg alternative SPKAC name\n");
BIO_printf(bio_err," -noout don't print SPKAC\n");
}
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
if(keyfile) {
if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
ERR_print_errors(bio_err);
goto end;
}
- pkey = PEM_read_bio_PrivateKey(key, NULL, PEM_cb, passin);
+ pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, passin);
if(!pkey) {
BIO_printf(bio_err, "Error reading private key\n");
ERR_print_errors(bio_err);
BIO_free(out);
BIO_free(key);
EVP_PKEY_free(pkey);
+ if(passin) Free(passin);
EXIT(ret);
}
" -CAkeyform arg - CA key format - default PEM\n",
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
-" -passin arg - private key password\n",
-" -envpassin arg - read private key password from environment variable \"arg\"\n",
+" -passin arg - private key password source\n",
" -serial - print serial number value\n",
" -hash - print hash value\n",
" -subject - print subject DN\n",
char buf[256];
const EVP_MD *md_alg,*digest=EVP_md5();
LHASH *extconf = NULL;
- char *extsect = NULL, *extfile = NULL, *passin = NULL;
+ char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
reqfile=0;
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
- passin= *(++argv);
- }
- else if (strcmp(*argv,"-envpassin") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passin= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
+ passargin= *(++argv);
}
else if (strcmp(*argv,"-extfile") == 0)
{
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
X509_REQ_free(rq);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
+ if(passin) Free(passin);
EXIT(ret);
}
#endif
if (format == FORMAT_PEM)
{
- pkey=PEM_read_bio_PrivateKey(key,NULL,PEM_cb,passin);
+ pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
}
else
{
{ return M_ASN1_STRING_type(x); }
unsigned char * ASN1_STRING_data(ASN1_STRING *x)
-{ return ASN1_STRING_data(x); }
+{ return M_ASN1_STRING_data(x); }
int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
char *kstr,int klen, pem_password_cb *cd, void *u);
-#ifdef MS_CALLBACK
-int MS_CALLBACK PEM_cb(char *buf, int len, int verify, void *key);
-#endif
#endif /* SSLEAY_MACROS */
char *kstr, int klen,
pem_password_cb *cb, void *u);
-static int def_callback(char *buf, int num, int w, void *userdata)
+static int def_callback(char *buf, int num, int w, void *key)
{
#ifdef NO_FP_API
/* We should not ever call the default callback routine from
#else
int i,j;
const char *prompt;
+ if(key) {
+ i=strlen(key);
+ i=(i > num)?num:i;
+ memcpy(buf,key,i);
+ return(i);
+ }
prompt=EVP_get_pw_prompt();
if (prompt == NULL)
#endif
}
-/* This is a generic callback. If the user data is not NULL it is assumed
- * to be a null terminated password. Otherwise the default password callback
- * is called.
- */
-
-
-int MS_CALLBACK PEM_cb(char *buf, int len, int verify, void *key)
-{
- int i;
- if (key == NULL) return def_callback(buf, len, verify, key);
- i=strlen(key);
- i=(i > len)?len:i;
- memcpy(buf,key,i);
- return(i);
-}
-
void PEM_proc_type(char *buf, int type)
{
const char *str;
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
[B<-des>]
[B<-des3>]
[B<-idea>]
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin password>
+=item B<-passin arg>
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-out filename>
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout password>
-
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassout var>
+=item B<-passout arg>
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-des|-des3|-idea>
B<openssl> B<genrsa>
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
[B<-des>]
[B<-des3>]
[B<-idea>]
the output filename. If this argument is not specified then standard output is
used.
-=item B<-passout password>
+=item B<-passout arg>
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassout var>
-
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-des|-des3|-idea>
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
-for if it is not supplied via the B<-passout> or B<-envpassout> arguments.
+for if it is not supplied via the B<-passout> argument.
=item B<-F4|-3>
RSA private key generation essentially involves the generation of two prime
numbers. When generating a private key various symbols will be output to
-indicate the progress of the generation. A B<.> represents each number tested.
-A B<+> means a number has passed a single primality test. A newline means that
-the number has passed all the prime tests (currently set to 5 single tests).
+indicate the progress of the generation. A B<.> represents each number which
+has passed an initial sieve test, B<+> means a number has passed a single
+round of the Miller-Rabin primality test. A newline means that the number has
+passed all the prime tests (the actual number depends on the key size).
Because key generation is a random process the time taken to generate a key
may vary somewhat.
=back
+=head1 PASS PHRASE ARGUMENTS
+
+Several commands accept password arguments, typically using B<-passin>
+and B<-passout> for input and output passwords respectively. These allow
+the password to be obtained from a variety of sources. Both of these
+options take a single argument whose format is described below. If no
+password argument is given and a password is required then the user is
+prompted to enter one: this will typically be read from the current
+terminal with echoing turned off.
+
+=over 10
+
+=item B<pass:password>
+
+the actual password is B<password>. Since the password is visible
+to utilities (like 'ps' under Unix) this form should only be used
+where security is not important.
+
+=item B<env:var>
+
+obtain the password from the environment variable B<var>. Since
+the environment of other processes is visible on certain platforms
+(e.g. ps under certain Unix OSes) this option should be used with caution.
+
+=item B<file:pathname>
+
+the first line of B<pathname> is the password. If the same B<pathname>
+argument is supplied to B<-passin> and B<-passout> arguments then the first
+line will be used for the input password and the next line for the output
+password. B<pathname> need not refer to a regular file: it could for example
+refer to a device or named pipe.
+
+=item B<fd:number>
+
+read the password from the file descriptor B<number>. This can be used to
+send the data via a pipe for example.
+
+=item B<stdin>
+
+read the password from standard input.
+
+=back
+
=head1 SEE ALSO
L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
[B<-keypbe>]
[B<-keyex>]
[B<-keysig>]
-[B<-password password>]
-[B<-envpass var>]
-[B<-passin password>]
-[B<-envpassin var>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-password arg>]
+[B<-passin arg>]
+[B<-passout arg>]
[B<-rand file(s)>]
=head1 DESCRIPTION
The filename to write certificates and private keys to, standard output by default.
They are all written in PEM format.
-=item B<-pass password>, B<-passin password>
+=item B<-pass arg>, B<-passin arg>
-the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
-the command line visible this option should be used with caution.
+the PKCS#12 file (i.e. input file) password source. For more information about the
+format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
-=item B<-envpass var>, B<-envpassin password>
+=item B<-passout arg>
-read the PKCS#12 file password from the environment variable B<var>.
-
-=item B<-passout password>
-
-pass phrase to encrypt any outputed private keys with. Since certain utilities like
-"ps" make the command line visible this option should be used with caution.
-
-=item B<-envpass var>, B<-envpassin password>
-
-read the outputed private keys file password from the environment variable B<var>.
+pass phrase source to encrypt any outputed private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
=item B<-noout>
appear. Netscape ignores friendly names on other certificates whereas MSIE
displays them.
-=item B<-pass password>, B<-passout password>
+=item B<-pass arg>, B<-passout arg>
-the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
-make the command line visible this option should be used with caution.
-
-=item B<-envpass var>, B<-envpassout var>
-
-read the PKCS#12 file password from the environment variable B<var>.
+the PKCS#12 file (i.e. output file) password source. For more information about
+the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
=item B<-passin password>
-pass phrase to decrypt the input private key with. Since certain utilities like
-"ps" make the command line visible this option should be used with caution.
-
-=item B<-envpassin password>
-
-read the input private key file password from the environment variable B<var>.
+pass phrase source to decrypt any input private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
=item B<-chain>
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
[B<-noiter>]
[B<-nocrypt>]
[B<-nooct>]
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin password>
+=item B<-passin arg>
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-out filename>
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout password>
-
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassout var>
+=item B<-passout arg>
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-nocrypt>
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
[B<-text>]
[B<-noout>]
[B<-verify>]
if this option is not specified. A request is only read if the creation
options (B<-new> and B<-newkey>) are not specified.
-=item B<-passin password>
+=item B<-passin arg>
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-out filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-passout password>
-
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassout var>
+=item B<-passout arg>
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-text>
The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
-command line options B<passin>, B<envpassin>, B<passout> and
-B<envpassout> override the configuration file values.
+command line options B<passin> and B<passout> override the
+configuration file values.
=item B<default_bits>
[B<-inform PEM|NET|DER>]
[B<-outform PEM|NET|DER>]
[B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
[B<-des>]
[B<-des3>]
[B<-idea>]
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin password>
+=item B<-passin arg>
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-out filename>
=item B<-passout password>
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassout var>
-
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-des|-des3|-idea>
[B<-in filename>]
[B<-out filename>]
[B<-key keyfile>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-challenge string>]
[B<-pubkey>]
[B<-spkac spkacname>]
=item B<-passin password>
-the private key file password. Since certain utilities like "ps" make the
-command line visible this option should be used with caution. Ignored if
-the B<-key> argument is not used.
-
-=item B<-envpassin var>
-
-read the private key file password from the environment variable B<var>.
-Ignored if the B<-key> argument is not used.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-challenge string>