/* Extract X.509 certificate in DER form from PKCS#11 or PEM. * * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved. * Copyright © 2015 Intel Corporation. * * Authors: David Howells * David Woodhouse * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 * of the licence, or (at your option) any later version. */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #if OPENSSL_VERSION_MAJOR >= 3 # define USE_PKCS11_PROVIDER # include # include #else # if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) # define USE_PKCS11_ENGINE # include # endif #endif #include "ssl-common.h" #define PKEY_ID_PKCS7 2 static __attribute__((noreturn)) void format(void) { fprintf(stderr, "Usage: extract-cert \n"); exit(2); } static const char *key_pass; static BIO *wb; static char *cert_dst; static bool verbose; static void write_cert(X509 *x509) { char buf[200]; if (!wb) { wb = BIO_new_file(cert_dst, "wb"); ERR(!wb, "%s", cert_dst); } X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf)); ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst); if (verbose) fprintf(stderr, "Extracted cert: %s\n", buf); } static X509 *load_cert_pkcs11(const char *cert_src) { X509 *cert = NULL; #ifdef USE_PKCS11_PROVIDER OSSL_STORE_CTX *store; if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true)) ERR(1, "OSSL_PROVIDER_try_load(pkcs11)"); if (!OSSL_PROVIDER_try_load(NULL, "default", true)) ERR(1, "OSSL_PROVIDER_try_load(default)"); store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL); ERR(!store, "OSSL_STORE_open"); while (!OSSL_STORE_eof(store)) { OSSL_STORE_INFO *info = OSSL_STORE_load(store); if (!info) { drain_openssl_errors(__LINE__, 0); continue; } if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) { cert = OSSL_STORE_INFO_get1_CERT(info); ERR(!cert, "OSSL_STORE_INFO_get1_CERT"); } OSSL_STORE_INFO_free(info); if (cert) break; } OSSL_STORE_close(store); #elif defined(USE_PKCS11_ENGINE) ENGINE *e; struct { const char *cert_id; X509 *cert; } parms; parms.cert_id = cert_src; parms.cert = NULL; ENGINE_load_builtin_engines(); drain_openssl_errors(__LINE__, 1); e = ENGINE_by_id("pkcs11"); ERR(!e, "Load PKCS#11 ENGINE"); if (ENGINE_init(e)) drain_openssl_errors(__LINE__, 1); else ERR(1, "ENGINE_init"); if (key_pass) ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); ERR(!parms.cert, "Get X.509 from PKCS#11"); cert = parms.cert; #else fprintf(stderr, "no pkcs11 engine/provider available\n"); exit(1); #endif return cert; } int main(int argc, char **argv) { char *cert_src; char *verbose_env; OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); ERR_clear_error(); verbose_env = getenv("KBUILD_VERBOSE"); if (verbose_env && strchr(verbose_env, '1')) verbose = true; key_pass = getenv("KBUILD_SIGN_PIN"); if (argc != 3) format(); cert_src = argv[1]; cert_dst = argv[2]; if (!cert_src[0]) { /* Invoked with no input; create empty file */ FILE *f = fopen(cert_dst, "wb"); ERR(!f, "%s", cert_dst); fclose(f); exit(0); } else if (!strncmp(cert_src, "pkcs11:", 7)) { X509 *cert = load_cert_pkcs11(cert_src); ERR(!cert, "load_cert_pkcs11 failed"); write_cert(cert); } else { BIO *b; X509 *x509; b = BIO_new_file(cert_src, "rb"); ERR(!b, "%s", cert_src); while (1) { x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); if (wb && !x509) { unsigned long err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { ERR_clear_error(); break; } } ERR(!x509, "%s", cert_src); write_cert(x509); } } BIO_free(wb); return 0; }