author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-08-25 15:38:14 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-08-25 15:38:17 +0200 |
commit | efadaaf31d58d1264797ac77c70a710569fe8f01 (patch) | |
tree | c827082c37c5cd0e820cf84c2b102408ba8d5d21 /src | |
parent | 95a922c2a8b75e6eddbcc688c0d719d0b07ee395 (diff) | |
download | gnutls-efadaaf31d58d1264797ac77c70a710569fe8f01.tar.gz |
Changes in password handling of certtool.
Ask for a password when required, and only if the '--password' option is not given.
If the '--password' option is given during key generation then assume the PKCS #8 format.
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool-common.c | 64 | ||||
-rw-r--r-- | src/certtool-common.h | 2 | ||||
-rw-r--r-- | src/certtool.c | 31 |
3 files changed, 52 insertions, 45 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 3bf6536070..a07fe02642 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -102,46 +102,57 @@ load_secret_key (int mand, common_info_st * info) return &key; } +const char* get_password(common_info_st * cinfo, unsigned int *flags, int confirm) +{ + if (cinfo->null_password) + { + if (flags) *flags |= GNUTLS_PKCS_NULL_PASSWORD; + return NULL; + } + else if (cinfo->password) + { + if (cinfo->password[0] == 0 && flags) + *flags |= GNUTLS_PKCS_PLAIN; + return cinfo->password; + } + else + { + if (confirm) + return get_confirmed_pass (true); + else + return get_pass (); + } +} + static gnutls_privkey_t _load_privkey(gnutls_datum_t *dat, common_info_st * info) { int ret; gnutls_privkey_t key; -gnutls_x509_privkey_t xkey; - - ret = gnutls_x509_privkey_init (&xkey); - if (ret < 0) - error (EXIT_FAILURE, 0, "x509_privkey_init: %s", gnutls_strerror (ret)); +unsigned int flags = 0; +const char* pass; ret = gnutls_privkey_init (&key); if (ret < 0) error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret)); - if (info->pkcs8) + ret = gnutls_privkey_import_x509_raw (key, dat, info->incert_format, NULL, 0); + if (ret == GNUTLS_E_DECRYPTION_FAILED) { - const char *pass = get_pass (); - ret = - gnutls_x509_privkey_import_pkcs8 (xkey, dat, info->incert_format, - pass, 0); + pass = get_password (info, &flags, 0); + ret = gnutls_privkey_import_x509_raw (key, dat, info->incert_format, pass, flags); } - else - ret = gnutls_x509_privkey_import (xkey, dat, info->incert_format); if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { error (EXIT_FAILURE, 0, "import error: could not find a valid PEM header; " - "check if your key is PKCS #8 or PKCS #12 encoded"); + "check if your key is PKCS #12 encoded"); } if (ret < 0) error (EXIT_FAILURE, 0, "importing --load-privkey: %s: %s", info->privkey, gnutls_strerror (ret)); - ret = gnutls_privkey_import_x509(key, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); - if (ret < 0) - error (EXIT_FAILURE, 0, "gnutls_privkey_import_x509: %s", - gnutls_strerror (ret)); - return key; } 
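Review bot: get_password, added at the top of the hunk, carries no comment stating its contract although its three branches return pointers of different ownership: the middle branch returns cinfo->password itself, while the last returns whatever get_pass()/get_confirmed_pass() hand back, presumably an internal buffer that the next prompt reuses — confirm. I would put above the definition: `/* Password for cinfo's key operation: NULL (GNUTLS_PKCS_NULL_PASSWORD set in *flags) when null_password is set, cinfo->password (GNUTLS_PKCS_PLAIN set if it is empty), otherwise a prompted one, confirmed twice if confirm != 0. flags may be NULL; the result must not be freed. */`. Note also that in _load_privkey the retry after GNUTLS_E_DECRYPTION_FAILED can receive an empty cinfo->password and so re-attempts a plaintext import of a key that just failed to decrypt; the "importing --load-privkey" error that follows is correct but does not tell the user that the supplied password was empty, which a short comment at the retry could at least record for maintainers.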
@@ -229,6 +240,8 @@ load_x509_private_key (int mand, common_info_st * info) int ret; gnutls_datum_t dat; size_t size; + unsigned int flags = 0; + const char* pass; if (!info->privkey && !mand) return NULL; @@ -248,13 +261,20 @@ load_x509_private_key (int mand, common_info_st * info) if (info->pkcs8) { - const char *pass = get_pass (); + pass = get_password (info, &flags, 0); ret = gnutls_x509_privkey_import_pkcs8 (key, &dat, info->incert_format, - pass, 0); + pass, flags); } else - ret = gnutls_x509_privkey_import (key, &dat, info->incert_format); + { + ret = gnutls_x509_privkey_import2 (key, &dat, info->incert_format, NULL, 0); + if (ret == GNUTLS_E_DECRYPTION_FAILED) + { + pass = get_password (info, &flags, 0); + ret = gnutls_x509_privkey_import2 (key, &dat, info->incert_format, pass, flags); + } + } free (dat.data); @@ -262,7 +282,7 @@ load_x509_private_key (int mand, common_info_st * info) { error (EXIT_FAILURE, 0, "import error: could not find a valid PEM header; " - "check if your key is PKCS #8 or PKCS #12 encoded"); + "check if your key is PKCS #12 encoded"); } if (ret < 0) diff --git a/src/certtool-common.h b/src/certtool-common.h index a68e47b922..cdfec62c43 100644 --- a/src/certtool-common.h +++ b/src/certtool-common.h @@ -88,6 +88,8 @@ print_dsa_pkey (FILE* outfile, gnutls_datum_t * x, gnutls_datum_t * y, gnutls_da FILE *safe_open_rw (const char *file, int privkey_op); +const char* get_password(common_info_st * cinfo, unsigned int *flags, int confirm); + extern unsigned char buffer[]; extern const int buffer_size; diff --git a/src/certtool.c b/src/certtool.c index eab00f41f3..4e027edcf6 100644 --- a/src/certtool.c +++ b/src/certtool.c 
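Review bot: The two branches of load_x509_private_key in the second hunk now behave differently: the `info->pkcs8` branch still calls get_password before any import attempt, so it always prompts, while the else branch first tries gnutls_x509_privkey_import2 without a password and prompts only on GNUTLS_E_DECRYPTION_FAILED. If import2 accepts PKCS #8 input the way gnutls_privkey_import_x509_raw does in _load_privkey (I cannot confirm that from this page), the pkcs8 branch could use the same try-then-prompt sequence so an unencrypted PKCS #8 key is loaded without asking for a password. Either way the branch deserves a comment stating why it prompts up front, e.g. `/* PKCS #8 input may be encrypted: ask before importing rather than retrying on failure */`. The function's return-value handling continues in the following hunks of the same file.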
@@ -172,28 +172,6 @@ cipher_to_flags (const char *cipher) return -1; } -static const char* get_password(common_info_st * cinfo, unsigned int *flags, int confirm) -{ - if (cinfo->null_password) - { - if (flags) *flags |= GNUTLS_PKCS_NULL_PASSWORD; - return NULL; - } - else if (cinfo->password) - { - if (cinfo->password[0] == 0 && flags) - *flags |= GNUTLS_PKCS_PLAIN; - return cinfo->password; - } - else - { - if (confirm) - return get_confirmed_pass (true); - else - return get_pass (); - } -} - static void print_private_key (common_info_st* cinfo, gnutls_x509_privkey_t key) @@ -1027,7 +1005,14 @@ cmd_parser (int argc, char **argv) cinfo.pkcs_cipher = OPT_ARG(PKCS_CIPHER); if (HAVE_OPT(PASSWORD)) - cinfo.password = OPT_ARG(PASSWORD); + { + cinfo.password = OPT_ARG(PASSWORD); + if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0) + { + fprintf(stderr, "Assuming PKCS #8 format...\n"); + cinfo.pkcs8 = 1; + } + } if (HAVE_OPT(NULL_PASSWORD)) { |
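Review bot: The new block in cmd_parser tests `cinfo.pkcs8 == 0` when --password is given, so it relies on the pkcs8 option having been applied to cinfo above this hunk; if that assignment comes later in cmd_parser, the "Assuming PKCS #8 format..." message is printed and cinfo.pkcs8 forced to 1 even when the user asked for PKCS #8 explicitly — harmless but misleading, please confirm the order. The implied format change is only announced on stderr; the help text of the --password option should state that giving it together with key generation selects PKCS #8 output. The value taken from OPT_ARG(PASSWORD) also lives in the process argument list for the lifetime of the process, where other local users can read it, so the same documentation should point to the interactive prompt as the preferred way to supply the password. The first hunk of this file is a pure move of get_password to certtool-common.c and needs no further comment.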