1 /* Extract X.509 certificate in DER form from PKCS#11 or PEM. 2 * 3 * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved. 4 * Copyright © 2015 Intel Corporation. 5 * 6 * Authors: David Howells <dhowells@redhat.com> 7 * David Woodhouse <dwmw2@infradead.org> 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU Lesser General Public License 11 * as published by the Free Software Foundation; either version 2.1 12 * of the licence, or (at your option) any later version. 13 */ 14 #define _GNU_SOURCE 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <stdint.h> 18 #include <stdbool.h> 19 #include <string.h> 20 #include <err.h> 21 #include <openssl/bio.h> 22 #include <openssl/pem.h> 23 #include <openssl/err.h> 24 #include <openssl/engine.h> 25 26 /* 27 * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 28 * 29 * Remove this if/when that API is no longer used 30 */ 31 #pragma GCC diagnostic ignored "-Wdeprecated-declarations" 32 33 #define PKEY_ID_PKCS7 2 34 35 static __attribute__((noreturn)) 36 void format(void) 37 { 38 fprintf(stderr, 39 "Usage: extract-cert <source> <dest>\n"); 40 exit(2); 41 } 42 43 static void display_openssl_errors(int l) 44 { 45 const char *file; 46 char buf[120]; 47 int e, line; 48 49 if (ERR_peek_error() == 0) 50 return; 51 fprintf(stderr, "At main.c:%d:\n", l); 52 53 while ((e = ERR_get_error_line(&file, &line))) { 54 ERR_error_string(e, buf); 55 fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); 56 } 57 } 58 59 static void drain_openssl_errors(void) 60 { 61 const char *file; 62 int line; 63 64 if (ERR_peek_error() == 0) 65 return; 66 while (ERR_get_error_line(&file, &line)) {} 67 } 68 69 #define ERR(cond, fmt, ...) \ 70 do { \ 71 bool __cond = (cond); \ 72 display_openssl_errors(__LINE__); \ 73 if (__cond) { \ 74 err(1, fmt, ## __VA_ARGS__); \ 75 } \ 76 } while(0) 77 78 static const char *key_pass; 79 static BIO *wb; 80 static char *cert_dst; 81 static int kbuild_verbose; 82 83 static void write_cert(X509 *x509) 84 { 85 char buf[200]; 86 87 if (!wb) { 88 wb = BIO_new_file(cert_dst, "wb"); 89 ERR(!wb, "%s", cert_dst); 90 } 91 X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf)); 92 ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst); 93 if (kbuild_verbose) 94 fprintf(stderr, "Extracted cert: %s\n", buf); 95 } 96 97 int main(int argc, char **argv) 98 { 99 char *cert_src; 100 101 OpenSSL_add_all_algorithms(); 102 ERR_load_crypto_strings(); 103 ERR_clear_error(); 104 105 kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0"); 106 107 key_pass = getenv("KBUILD_SIGN_PIN"); 108 109 if (argc != 3) 110 format(); 111 112 cert_src = argv[1]; 113 cert_dst = argv[2]; 114 115 if (!cert_src[0]) { 116 /* Invoked with no input; create empty file */ 117 FILE *f = fopen(cert_dst, "wb"); 118 ERR(!f, "%s", cert_dst); 119 fclose(f); 120 exit(0); 121 } else if (!strncmp(cert_src, "pkcs11:", 7)) { 122 ENGINE *e; 123 struct { 124 const char *cert_id; 125 X509 *cert; 126 } parms; 127 128 parms.cert_id = cert_src; 129 parms.cert = NULL; 130 131 ENGINE_load_builtin_engines(); 132 drain_openssl_errors(); 133 e = ENGINE_by_id("pkcs11"); 134 ERR(!e, "Load PKCS#11 ENGINE"); 135 if (ENGINE_init(e)) 136 drain_openssl_errors(); 137 else 138 ERR(1, "ENGINE_init"); 139 if (key_pass) 140 ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); 141 ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); 142 ERR(!parms.cert, "Get X.509 from PKCS#11"); 143 write_cert(parms.cert); 144 } else { 145 BIO *b; 146 X509 *x509; 147 148 b = BIO_new_file(cert_src, "rb"); 149 ERR(!b, "%s", cert_src); 150 151 while (1) { 152 x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); 153 if (wb && !x509) { 154 unsigned long err = ERR_peek_last_error(); 155 if (ERR_GET_LIB(err) == ERR_LIB_PEM && 156 ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { 157 ERR_clear_error(); 158 break; 159 } 160 } 161 ERR(!x509, "%s", cert_src); 162 write_cert(x509); 163 } 164 } 165 166 BIO_free(wb); 167 168 return 0; 169 } 170