1 /* $OpenBSD: crl2p7.c,v 1.12 2024/12/26 14:07:58 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 /* This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu> 60 * and donated 'to the cause' along with lots and lots of other fixes to 61 * the library. */ 62 63 #include <sys/types.h> 64 65 #include <stdio.h> 66 #include <string.h> 67 68 #include "apps.h" 69 70 #include <openssl/err.h> 71 #include <openssl/evp.h> 72 #include <openssl/objects.h> 73 #include <openssl/pem.h> 74 #include <openssl/pkcs7.h> 75 #include <openssl/x509.h> 76 77 static int add_certs_from_file(STACK_OF(X509) * stack, char *certfile); 78 79 static struct { 80 STACK_OF(OPENSSL_STRING) *certflst; 81 char *infile; 82 int informat; 83 int nocrl; 84 char *outfile; 85 int outformat; 86 } cfg; 87 88 static int 89 crl2p7_opt_certfile(char *arg) 90 { 91 if (cfg.certflst == NULL) 92 cfg.certflst = sk_OPENSSL_STRING_new_null(); 93 if (cfg.certflst == NULL) { 94 fprintf(stderr, "out of memory\n"); 95 return (1); 96 } 97 if (!sk_OPENSSL_STRING_push(cfg.certflst, arg)) { 98 fprintf(stderr, "out of memory\n"); 99 return (1); 100 } 101 102 return (0); 103 } 104 105 static const struct option crl2p7_options[] = { 106 { 107 .name = "certfile", 108 .argname = "file", 109 .desc = "Chain of PEM certificates to a trusted CA", 110 .type = OPTION_ARG_FUNC, 111 .opt.argfunc = crl2p7_opt_certfile, 112 }, 113 { 114 .name = "in", 115 .argname = "file", 116 .desc = "Input file (default stdin)", 117 .type = OPTION_ARG, 118 .opt.arg = &cfg.infile, 119 }, 120 { 121 .name = "inform", 122 .argname = "format", 123 .desc = "Input format (DER or PEM (default))", 124 .type = OPTION_ARG_FORMAT, 125 .opt.value = &cfg.informat, 126 }, 127 { 128 .name = "nocrl", 129 .desc = "Do not read CRL from input or include CRL in output", 130 .type = OPTION_FLAG, 131 .opt.flag = &cfg.nocrl, 132 }, 133 { 134 .name = "out", 135 .argname = "file", 136 .desc = "Output file (default stdout)", 137 .type = OPTION_ARG, 138 .opt.arg = &cfg.outfile, 139 }, 140 { 141 .name = "outform", 142 .argname = "format", 143 .desc = "Output format (DER or PEM (default))", 144 .type = OPTION_ARG_FORMAT, 145 .opt.value = &cfg.outformat, 146 }, 147 { NULL }, 148 }; 149 150 static void 151 crl2p7_usage(void) 152 { 153 fprintf(stderr, 154 "usage: crl2p7 [-certfile file] [-in file] [-inform DER | PEM]\n" 155 " [-nocrl] [-out file] [-outform DER | PEM]\n\n"); 156 options_usage(crl2p7_options); 157 } 158 159 int 160 crl2pkcs7_main(int argc, char **argv) 161 { 162 int i; 163 BIO *in = NULL, *out = NULL; 164 char *certfile; 165 PKCS7 *p7 = NULL; 166 PKCS7_SIGNED *p7s = NULL; 167 X509_CRL *crl = NULL; 168 STACK_OF(X509_CRL) *crl_stack = NULL; 169 STACK_OF(X509) *cert_stack = NULL; 170 int ret = 1; 171 172 if (pledge("stdio cpath wpath rpath", NULL) == -1) { 173 perror("pledge"); 174 exit(1); 175 } 176 177 memset(&cfg, 0, sizeof(cfg)); 178 179 cfg.informat = FORMAT_PEM; 180 cfg.outformat = FORMAT_PEM; 181 182 if (options_parse(argc, argv, crl2p7_options, NULL, NULL) != 0) { 183 crl2p7_usage(); 184 goto end; 185 } 186 187 in = BIO_new(BIO_s_file()); 188 out = BIO_new(BIO_s_file()); 189 if (in == NULL || out == NULL) { 190 ERR_print_errors(bio_err); 191 goto end; 192 } 193 if (!cfg.nocrl) { 194 if (cfg.infile == NULL) 195 BIO_set_fp(in, stdin, BIO_NOCLOSE); 196 else { 197 if (BIO_read_filename(in, cfg.infile) <= 0) { 198 perror(cfg.infile); 199 goto end; 200 } 201 } 202 203 if (cfg.informat == FORMAT_ASN1) 204 crl = d2i_X509_CRL_bio(in, NULL); 205 else if (cfg.informat == FORMAT_PEM) 206 crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); 207 else { 208 BIO_printf(bio_err, 209 "bad input format specified for input crl\n"); 210 goto end; 211 } 212 if (crl == NULL) { 213 BIO_printf(bio_err, "unable to load CRL\n"); 214 ERR_print_errors(bio_err); 215 goto end; 216 } 217 } 218 if ((p7 = PKCS7_new()) == NULL) 219 goto end; 220 if ((p7s = PKCS7_SIGNED_new()) == NULL) 221 goto end; 222 p7->type = OBJ_nid2obj(NID_pkcs7_signed); 223 p7->d.sign = p7s; 224 p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); 225 226 if (!ASN1_INTEGER_set(p7s->version, 1)) 227 goto end; 228 if ((crl_stack = sk_X509_CRL_new_null()) == NULL) 229 goto end; 230 p7s->crl = crl_stack; 231 if (crl != NULL) { 232 if (!sk_X509_CRL_push(crl_stack, crl)) 233 goto end; 234 crl = NULL; 235 } 236 if ((cert_stack = sk_X509_new_null()) == NULL) 237 goto end; 238 p7s->cert = cert_stack; 239 240 if (cfg.certflst) { 241 for (i = 0; i < sk_OPENSSL_STRING_num(cfg.certflst); i++) { 242 certfile = sk_OPENSSL_STRING_value(cfg.certflst, i); 243 if (add_certs_from_file(cert_stack, certfile) < 0) { 244 BIO_printf(bio_err, 245 "error loading certificates\n"); 246 ERR_print_errors(bio_err); 247 goto end; 248 } 249 } 250 } 251 252 if (cfg.outfile == NULL) { 253 BIO_set_fp(out, stdout, BIO_NOCLOSE); 254 } else { 255 if (BIO_write_filename(out, cfg.outfile) <= 0) { 256 perror(cfg.outfile); 257 goto end; 258 } 259 } 260 261 if (cfg.outformat == FORMAT_ASN1) 262 i = i2d_PKCS7_bio(out, p7); 263 else if (cfg.outformat == FORMAT_PEM) 264 i = PEM_write_bio_PKCS7(out, p7); 265 else { 266 BIO_printf(bio_err, 267 "bad output format specified for outfile\n"); 268 goto end; 269 } 270 if (!i) { 271 BIO_printf(bio_err, "unable to write pkcs7 object\n"); 272 ERR_print_errors(bio_err); 273 goto end; 274 } 275 276 ret = 0; 277 278 end: 279 BIO_free(in); 280 BIO_free_all(out); 281 PKCS7_free(p7); 282 X509_CRL_free(crl); 283 sk_OPENSSL_STRING_free(cfg.certflst); 284 285 return ret; 286 } 287 288 static int 289 add_certs_from_file(STACK_OF(X509) *stack, char *certfile) 290 { 291 BIO *in = NULL; 292 int count = 0; 293 int ret = -1; 294 STACK_OF(X509_INFO) *sk = NULL; 295 X509_INFO *xi = NULL; 296 297 in = BIO_new(BIO_s_file()); 298 if (in == NULL || BIO_read_filename(in, certfile) <= 0) { 299 BIO_printf(bio_err, "error opening the file, %s\n", certfile); 300 goto end; 301 } 302 /* This loads from a file, a stack of x509/crl/pkey sets */ 303 sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); 304 if (sk == NULL) { 305 BIO_printf(bio_err, "error reading the file, %s\n", certfile); 306 goto end; 307 } 308 /* scan over it and pull out the CRL's */ 309 while (sk_X509_INFO_num(sk) > 0) { 310 xi = sk_X509_INFO_shift(sk); 311 if (xi->x509 != NULL) { 312 if (!sk_X509_push(stack, xi->x509)) 313 goto end; 314 xi->x509 = NULL; 315 count++; 316 } 317 X509_INFO_free(xi); 318 xi = NULL; 319 } 320 321 ret = count; 322 323 end: 324 BIO_free(in); 325 X509_INFO_free(xi); 326 sk_X509_INFO_free(sk); 327 328 return ret; 329 } 330