1 /* Extract X.509 certificate in DER form from 1 2 * 3 * Copyright © 2014-2015 Red Hat, Inc. All Ri 4 * Copyright © 2015 Intel Corporation. 5 * 6 * Authors: David Howells <dhowells@redhat.com 7 * David Woodhouse <dwmw2@infradead.o 8 * 9 * This program is free software; you can redi 10 * modify it under the terms of the GNU Lesser 11 * as published by the Free Software Foundatio 12 * of the licence, or (at your option) any lat 13 */ 14 #define _GNU_SOURCE 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <stdint.h> 18 #include <stdbool.h> 19 #include <string.h> 20 #include <err.h> 21 #include <openssl/bio.h> 22 #include <openssl/pem.h> 23 #include <openssl/err.h> 24 #if OPENSSL_VERSION_MAJOR >= 3 25 # define USE_PKCS11_PROVIDER 26 # include <openssl/provider.h> 27 # include <openssl/store.h> 28 #else 29 # if !defined(OPENSSL_NO_ENGINE) && !defined(O 30 # define USE_PKCS11_ENGINE 31 # include <openssl/engine.h> 32 # endif 33 #endif 34 #include "ssl-common.h" 35 36 #define PKEY_ID_PKCS7 2 37 38 static __attribute__((noreturn)) 39 void format(void) 40 { 41 fprintf(stderr, 42 "Usage: extract-cert <source> 43 exit(2); 44 } 45 46 static const char *key_pass; 47 static BIO *wb; 48 static char *cert_dst; 49 static bool verbose; 50 51 static void write_cert(X509 *x509) 52 { 53 char buf[200]; 54 55 if (!wb) { 56 wb = BIO_new_file(cert_dst, "w 57 ERR(!wb, "%s", cert_dst); 58 } 59 X509_NAME_oneline(X509_get_subject_nam 60 ERR(!i2d_X509_bio(wb, x509), "%s", cer 61 if (verbose) 62 fprintf(stderr, "Extracted cer 63 } 64 65 static X509 *load_cert_pkcs11(const char *cert 66 { 67 X509 *cert = NULL; 68 #ifdef USE_PKCS11_PROVIDER 69 OSSL_STORE_CTX *store; 70 71 if (!OSSL_PROVIDER_try_load(NULL, "pkc 72 ERR(1, "OSSL_PROVIDER_try_load 73 if (!OSSL_PROVIDER_try_load(NULL, "def 74 ERR(1, "OSSL_PROVIDER_try_load 75 76 store = OSSL_STORE_open(cert_src, NULL 77 ERR(!store, "OSSL_STORE_open"); 78 79 while (!OSSL_STORE_eof(store)) { 80 OSSL_STORE_INFO *info = OSSL_S 81 82 if (!info) { 83 drain_openssl_errors(_ 84 continue; 85 } 86 if (OSSL_STORE_INFO_get_type(i 87 cert = OSSL_STORE_INFO 88 ERR(!cert, "OSSL_STORE 89 } 90 OSSL_STORE_INFO_free(info); 91 if (cert) 92 break; 93 } 94 OSSL_STORE_close(store); 95 #elif defined(USE_PKCS11_ENGINE) 96 ENGINE *e; 97 struct { 98 const char *cert_id; 99 X509 *cert; 100 } parms; 101 102 parms.cert_id = cert_src; 103 parms.cert = NULL; 104 105 ENGINE_load_builtin_engines(); 106 drain_openssl_errors(__LINE__, 107 e = ENGINE_by_id("pkcs11"); 108 ERR(!e, "Load PKCS#11 ENGINE") 109 if (ENGINE_init(e)) 110 drain_openssl_errors(_ 111 else 112 ERR(1, "ENGINE_init"); 113 if (key_pass) 114 ERR(!ENGINE_ctrl_cmd_s 115 ENGINE_ctrl_cmd(e, "LOAD_CERT_ 116 ERR(!parms.cert, "Get X.509 fr 117 cert = parms.cert; 118 #else 119 fprintf(stderr, "no pkcs11 eng 120 exit(1); 121 #endif 122 return cert; 123 } 124 125 int main(int argc, char **argv) 126 { 127 char *cert_src; 128 char *verbose_env; 129 130 OpenSSL_add_all_algorithms(); 131 ERR_load_crypto_strings(); 132 ERR_clear_error(); 133 134 verbose_env = getenv("KBUILD_VERBOSE") 135 if (verbose_env && strchr(verbose_env, 136 verbose = true; 137 138 key_pass = getenv("KBUILD_SIGN_PIN"); 139 140 if (argc != 3) 141 format(); 142 143 cert_src = argv[1]; 144 cert_dst = argv[2]; 145 146 if (!cert_src[0]) { 147 /* Invoked with no input; crea 148 FILE *f = fopen(cert_dst, "wb" 149 ERR(!f, "%s", cert_dst); 150 fclose(f); 151 exit(0); 152 } else if (!strncmp(cert_src, "pkcs11: 153 X509 *cert = load_cert_pkcs11( 154 155 ERR(!cert, "load_cert_pkcs11 f 156 write_cert(cert); 157 } else { 158 BIO *b; 159 X509 *x509; 160 161 b = BIO_new_file(cert_src, "rb 162 ERR(!b, "%s", cert_src); 163 164 while (1) { 165 x509 = PEM_read_bio_X5 166 if (wb && !x509) { 167 unsigned long 168 if (ERR_GET_LI 169 ERR_GET_RE 170 ERR_cl 171 break; 172 } 173 } 174 ERR(!x509, "%s", cert_ 175 write_cert(x509); 176 } 177 } 178 179 BIO_free(wb); 180 181 return 0; 182 } 183
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.