[rt-commit] r137 - in /redwax-tool/trunk: ChangeLog redwax-tool.c redwax-tool.h redwax_openssl.c
Sat Oct 1 13:36:33 CEST 2022
Author: minfrin at redwax.eu
Date: Sat Oct 1 13:36:32 2022
New Revision: 137
Log:
Add --der-out, with the ability to split certificates,
intermediates, roots, crls and keys into individual
DER files.
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_openssl.c
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Sat Oct 1 13:36:32 2022
@@ -1,5 +1,9 @@
Changes with v0.9.2
+
+ *) Add --der-out, with the ability to split certificates,
+ intermediates, roots, crls and keys into individual
+ DER files. [Graham Leggett]
*) Make sure when we filter no verified certificates, we
exit with a non zero code. [Graham Leggett]
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Sat Oct 1 13:36:32 2022
@@ -62,6 +62,8 @@
APR_HOOK_LINK(complete_nss_out);
APR_HOOK_LINK(process_nss_out);
APR_HOOK_LINK(complete_nss_token_out);
+ APR_HOOK_LINK(complete_der_out);
+ APR_HOOK_LINK(process_der_out);
APR_HOOK_LINK(complete_pem_out);
APR_HOOK_LINK(process_pem_out);
APR_HOOK_LINK(complete_pkcs12_out);
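Review bot: `APR_HOOK_LINK(complete_der_out)` on the second added line has no matching declaration or `APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST` anywhere in this commit: the redwax-tool.h hunk declares only `process_der_out`, the redwax_openssl.c hunk implements and registers only `process_der_out`, and the new `REDWAX_TOOL_DER_OUT` completion cases call `redwax_complete_file` directly. If the other `complete_*_out` hooks are declared and implemented outside this diff, `complete_der_out` should follow the same pattern; otherwise the link line is dead and should be dropped. The `APR_HOOK_STRUCT` this line sits in starts and ends outside the hunk.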
@@ -108,6 +110,8 @@
(r, path, token, secrets), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, complete_nss_token_out,
(redwax_tool_t * r, apr_hash_t *tokens), (r, tokens), DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_der_out,
+ (redwax_tool_t * r, const char *arg, const char *secret), (r, arg, secret), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pem_out,
(redwax_tool_t * r, const char *arg, const char *secret), (r, arg, secret), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pkcs12_out,
@@ -275,9 +279,7 @@
" --no-auto-out\t\t\tOutput everything as specified." },
{ "nss-out", REDWAX_TOOL_NSS_OUT, 1, " --nss-out=directory\t\tWrite certificates, intermediate certificates,\n\t\t\t\troot certificates, crls, and keys to an NSS\n\t\t\t\tdatabase." },
{ "nss-token-out", REDWAX_TOOL_NSS_SLOT_OUT, 1, " --nss-token-out=token\t\tSpecify the token to which certificates, intermediate\n\t\t\t\tcertificates, root certificates, crls, and keys will\n\t\t\t\tbe written to an NSS database. Must appear after the\n\t\t\t\t--nss-out option." },
-#if 0
{ "der-out", REDWAX_TOOL_DER_OUT, 1, " --der-out=prefix\t\tWrite certificates, intermediate certificates,\n\t\t\t\troot certificates, crls, and keys. Each one is\n\t\t\t\twritten to a file with a suffix indicating type and\n\t\t\t\tindex. Use '-' for stdout, output will be concatenated." },
-#endif
{ "pem-out", REDWAX_TOOL_PEM_OUT, 1, " --pem-out=file\t\tWrite certificates, intermediate certificates,\n\t\t\t\troot certificates, crls, and keys. Use '-'\n\t\t\t\tfor stdout." },
{ "pkcs12-out", REDWAX_TOOL_PKCS12_OUT, 1, " --pkcs12-out=file\t\tWrite certificates, intermediate certificates,\n\t\t\t\troot certificates, crls, and keys into a PKCS12\n\t\t\t\tfile. Use '-' for stdout." },
{ "pkcs11-out", REDWAX_TOOL_PKCS11_OUT, 1, " --pkcs11-out=url\t\tWrite certificates, intermediate certificates,\n\t\t\t\troot certificates, crls, and keys into a PKCS11\n\t\t\t\ttoken identified by the given url." },
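Review bot: The re-enabled `--der-out` help text says each object is "written to a file with a suffix indicating type and index" but never names the suffixes, so a user cannot predict the output file names; the implementation added in redwax_openssl.c writes `prefix.cert.N`, `prefix.chain.N`, `prefix.ca.N`, `prefix.crl.N` and `prefix.key.N`. Suggested replacement for that part of the string: `"Each one is\n\t\t\t\twritten to prefix.cert.N, prefix.chain.N, prefix.ca.N,\n\t\t\t\tprefix.crl.N or prefix.key.N. Use '-' for stdout, output\n\t\t\t\twill be concatenated."`. The option table this entry belongs to starts and ends outside the hunk.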
@@ -2536,6 +2538,10 @@
redwax_nss_token_out(r, optarg);
break;
}
+ case REDWAX_TOOL_DER_OUT: {
+ redwax_file_out(r, optarg, &rt_run_process_der_out);
+ break;
+ }
case REDWAX_TOOL_PEM_OUT: {
redwax_file_out(r, optarg, &rt_run_process_pem_out);
break;
@@ -2723,6 +2729,10 @@
redwax_complete_nss_token_out(r, optarg, state.isquoted);
break;
}
+ case REDWAX_TOOL_DER_OUT: {
+ redwax_complete_file(r, optarg, state.isquoted);
+ break;
+ }
case REDWAX_TOOL_PEM_OUT: {
redwax_complete_file(r, optarg, state.isquoted);
break;
@@ -2911,12 +2921,16 @@
redwax_complete_nss_token_out(r, "", state.isquoted);
break;
}
+ case REDWAX_TOOL_DER_OUT: {
+ redwax_complete_file(r, "", state.isquoted);
+ break;
+ }
case REDWAX_TOOL_PEM_OUT: {
- redwax_complete_file(r, optarg, state.isquoted);
+ redwax_complete_file(r, "", state.isquoted);
break;
}
case REDWAX_TOOL_PKCS12_OUT: {
- redwax_complete_file(r, optarg, state.isquoted);
+ redwax_complete_file(r, "", state.isquoted);
break;
}
case REDWAX_TOOL_PKCS11_OUT: {
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Sat Oct 1 13:36:32 2022
@@ -461,6 +461,14 @@
*
* @param r The redwax-tool context.
*/
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, process_der_out,
+ (redwax_tool_t *r, const char *arg, const char *secret));
+
+/**
+ * Hook to write outgoing certificates / intermediates / keys.
+ *
+ * @param r The redwax-tool context.
+ */
APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, process_pem_out,
(redwax_tool_t *r, const char *arg, const char *secret));
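Review bot: Both hook declarations in this hunk carry a doc comment that documents only `@param r`; `arg` and `secret` are undocumented, and the comment that now sits above `process_der_out` (its opening lines are outside the hunk) was written for the PEM hook and does not say the output is DER. Suggest giving `process_der_out` its own comment, e.g. `Hook to write outgoing certificates / intermediates / roots / crls / keys as individual DER files.`, with `@param arg The output filename prefix, or '-' for stdout.` and `@param secret Secret for the output; not used by the OpenSSL DER implementation added in this commit.`, and adding the same two `@param` lines to the `process_pem_out` comment. The declared return type here is `apr_status_t` while the `APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST` in redwax-tool.c uses `int`; this mirrors the existing pem hook, so it is a pre-existing inconsistency rather than a new one.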
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Sat Oct 1 13:36:32 2022
@@ -1781,6 +1781,282 @@
}
}
+static apr_status_t redwax_openssl_process_der_out(redwax_tool_t *r,
+ const char *file, const char *secret)
+{
+
+ BIO *bio;
+ int i;
+
+ if (r->cert_out) {
+ for (i = 0; i < r->certs_out->nelts; i++)
+ {
+ const redwax_certificate_t *cert = &APR_ARRAY_IDX(r->certs_out, i, const redwax_certificate_t);
+
+ const unsigned char *der = cert->der;
+
+ X509 *x = d2i_X509(NULL, &der, cert->len);
+
+ if (x) {
+
+ redwax_print_error(r, "der-out: certificate: %s\n",
+ redwax_openssl_name(r->pool, X509_get_subject_name(x)));
+
+ if (!strcmp(file, "-")) {
+ if ((bio = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) {
+ redwax_openssl_print_errors(r);
+ return APR_ENOMEM;
+ }
+ }
+ else if ((bio = BIO_new(BIO_s_file())) == NULL) {
+ redwax_openssl_print_errors(r);
+ return APR_ENOMEM;
+ }
+ else if (BIO_write_filename(bio,
+ (char *)apr_psprintf(r->pool, "%s.cert.%d", file, i)) <= 0) {
+ redwax_openssl_print_errors(r);
+ BIO_free(bio);
+ return APR_ENOENT;
+ }
+
+ if (BIO_write(bio, cert->der, cert->len) < 0) {
+ redwax_openssl_print_errors(r);
+ X509_free(x);
+ BIO_free(bio);
+ return APR_EGENERAL;
+ }
+ BIO_flush(bio);
+ X509_free(x);
+ BIO_free(bio);
+
+ }
+
+ }
+ }
+
+ if (r->chain_out) {
+ for (i = 0; i < r->intermediates_out->nelts; i++)
+ {
+ const redwax_certificate_t *cert = &APR_ARRAY_IDX(r->intermediates_out, i, const redwax_certificate_t);
+
+ const unsigned char *der = cert->der;
+
+ X509 *x = d2i_X509(NULL, &der, cert->len);
+
+ if (x) {
+
+ redwax_print_error(r, "der-out: intermediate: %s\n",
+ redwax_openssl_name(r->pool, X509_get_subject_name(x)));
+
+ if (!strcmp(file, "-")) {
+ if ((bio = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) {
+ redwax_openssl_print_errors(r);
+ return APR_ENOMEM;
+ }
+ }
+ else if ((bio = BIO_new(BIO_s_file())) == NULL) {
+ redwax_openssl_print_errors(r);
+ return APR_ENOMEM;
+ }
+ else if (BIO_write_filename(bio,
+ (char *)apr_psprintf(r->pool, "%s.chain.%d", file, i)) <= 0) {
+ redwax_openssl_print_errors(r);
+ BIO_free(bio);
+ return APR_ENOENT;
+ }
+
+ if (BIO_write(bio, cert->der, cert->len) < 0) {
+ redwax_openssl_print_errors(r);
+ X509_free(x);
+ BIO_free(bio);
+ return APR_EGENERAL;
+ }
+ BIO_flush(bio);
+ X509_free(x);
+ BIO_free(bio);
+
+ }
+
+ }
+ }
+
+ if (r->root_out || r->trust_out) {
+ for (i = 0; i < r->trusted_out->nelts; i++)
+ {
+ const redwax_certificate_t *cert = &APR_ARRAY_IDX(r->trusted_out, i, const redwax_certificate_t);
+
+ const unsigned char *der = cert->der;
+
+ X509 *x = d2i_X509_AUX(NULL, &der, cert->len);
+
+ if (x) {
+
+ redwax_print_error(r, "der-out: trusted: %s\n",
+ redwax_openssl_name(r->pool, X509_get_subject_name(x)));
+
+ if (!strcmp(file, "-")) {
+ if ((bio = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) {
+ redwax_openssl_print_errors(r);
+ return APR_ENOMEM;
+ }
+ }
+ else if ((bio = BIO_new(BIO_s_file())) == NULL) {
+ redwax_openssl_print_errors(r);
+ return APR_ENOMEM;
+ }
+ else if (BIO_write_filename(bio,
+ (char *)apr_psprintf(r->pool, "%s.ca.%d", file, i)) <= 0) {
+ redwax_openssl_print_errors(r);
+ BIO_free(bio);
+ return APR_ENOENT;
+ }
+
+ if (BIO_write(bio, cert->der, cert->len) < 0) {
+ redwax_openssl_print_errors(r);
+ X509_free(x);
+ BIO_free(bio);
+ return APR_EGENERAL;
+ }
+ BIO_flush(bio);
+ X509_free(x);
+ BIO_free(bio);
+
+ }
+
+ }
+ }
+
+ if (r->crl_out) {
+ for (i = 0; i < r->crls_out->nelts; i++)
+ {
+ const redwax_crl_t *crl = &APR_ARRAY_IDX(r->crls_out, i, const redwax_crl_t);
+
+ const unsigned char *der = crl->der;
+
+ X509_CRL *c = d2i_X509_CRL(NULL, &der, crl->len);
+
+ if (c) {
+
+ redwax_print_error(r, "der-out: crl: %s\n",
+ redwax_openssl_name(r->pool, X509_CRL_get_issuer(c)));
+
+ if (!strcmp(file, "-")) {
+ if ((bio = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) {
+ redwax_openssl_print_errors(r);
+ X509_CRL_free(c);
+ return APR_ENOMEM;
+ }
+ }
+ else if ((bio = BIO_new(BIO_s_file())) == NULL) {
+ redwax_openssl_print_errors(r);
+ X509_CRL_free(c);
+ return APR_ENOMEM;
+ }
+ else if (BIO_write_filename(bio,
+ (char *)apr_psprintf(r->pool, "%s.crl.%d", file, i)) <= 0) {
+ redwax_openssl_print_errors(r);
+ X509_CRL_free(c);
+ BIO_free(bio);
+ return APR_ENOENT;
+ }
+
+ if (BIO_write(bio, crl->der, crl->len) < 0) {
+ redwax_openssl_print_errors(r);
+ X509_CRL_free(c);
+ BIO_free(bio);
+ return APR_EGENERAL;
+ }
+ BIO_flush(bio);
+ X509_CRL_free(c);
+ BIO_free(bio);
+ }
+
+ }
+ }
+
+ if (r->key_out) {
+ for (i = 0; i < r->keys_out->nelts; i++)
+ {
+ const redwax_key_t *key = &APR_ARRAY_IDX(r->keys_out, i, const redwax_key_t);
+
+ BIO *kbio;
+ PKCS8_PRIV_KEY_INFO *p8inf;
+ EVP_PKEY *pkey;
+
+ if (!key->der) {
+ redwax_print_error(r, "der-out: non-extractable private key, skipping\n");
+
+ continue;
+ }
+
+ if ((kbio = BIO_new_mem_buf(key->der, key->len)) == NULL) {
+ return APR_ENOMEM;
+ }
+
+ apr_pool_cleanup_register(r->pool, kbio, cleanup_bio,
+ apr_pool_cleanup_null);
+
+ if (!(p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(kbio, NULL))) {
+
+ redwax_openssl_print_errors(r);
+ return APR_ENOENT;
+ }
+
+ if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+
+ redwax_openssl_print_errors(r);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ return APR_ENOENT;
+ }
+
+#if HAVE_EVP_PKEY_GET0_DESCRIPTION
+ redwax_print_error(r, "der-out: private key: %s\n",
+ EVP_PKEY_get0_description(pkey));
+#else
+ redwax_print_error(r, "der-out: private key\n");
+#endif
+
+ if (!strcmp(file, "-")) {
+ if ((bio = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL) {
+ redwax_openssl_print_errors(r);
+ EVP_PKEY_free(pkey);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ return APR_ENOMEM;
+ }
+ }
+ else if ((bio = BIO_new(BIO_s_file())) == NULL) {
+ redwax_openssl_print_errors(r);
+ EVP_PKEY_free(pkey);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ return APR_ENOMEM;
+ }
+ else if (BIO_write_filename(bio,
+ (char *)apr_psprintf(r->pool, "%s.key.%d", file, i)) <= 0) {
+ redwax_openssl_print_errors(r);
+ EVP_PKEY_free(pkey);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ BIO_free(bio);
+ return APR_ENOENT;
+ }
+
+ if (BIO_write(bio, key->der, key->len) < 0) {
+ redwax_openssl_print_errors(r);
+ EVP_PKEY_free(pkey);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ BIO_free(bio);
+ return APR_EGENERAL;
+ }
+ BIO_flush(bio);
+ EVP_PKEY_free(pkey);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ BIO_free(bio);
+
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_openssl_process_pem_out(redwax_tool_t *r,
const char *file, const char *secret)
{
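Review bot: In the certificate, intermediate and trusted loops of `redwax_openssl_process_der_out` the `X509 *x` returned by `d2i_X509`/`d2i_X509_AUX` is leaked on the `BIO_new_fp`, `BIO_new` and `BIO_write_filename` failure paths, which return without freeing it; the CRL loop does call `X509_CRL_free(c)` on the same paths, so the three earlier loops should add `X509_free(x);` before each of those returns (or collapse each loop body onto a single cleanup label). The key loop writes `key->der`, which is parsed a few lines earlier as an unencrypted `PKCS8_PRIV_KEY_INFO`, to `prefix.key.N` through `BIO_write_filename`, i.e. a default-mode `fopen`, so the private key file's permissions depend only on the process umask; unless a restrictive umask is set elsewhere the key files should be created owner-readable only, and the `secret` parameter — unused in this function — should either be applied (PKCS#8 EncryptedPrivateKeyInfo) or be documented as ignored for DER output. A partial write is also not detected: `BIO_write(...) < 0` accepts a short return and the `BIO_flush` results are dropped in all five loops, so the check should compare the return value against the length written, e.g. `if (BIO_write(bio, cert->der, cert->len) != (int)cert->len || BIO_flush(bio) <= 0)`.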
@@ -4892,6 +5168,7 @@
rt_hook_process_filter(redwax_openssl_process_filter_verify, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_complete_filter(redwax_openssl_complete_filter_search, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_filter(redwax_openssl_process_filter_search, NULL, NULL, APR_HOOK_MIDDLE);
+ rt_hook_process_der_out(redwax_openssl_process_der_out, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_pem_out(redwax_openssl_process_pem_out, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_pkcs12_out(redwax_openssl_process_pkcs12_out, NULL, NULL, APR_HOOK_MIDDLE);
rt_hook_process_metadata_out(redwax_openssl_process_metadata_out, NULL, NULL, APR_HOOK_MIDDLE);