1/* Extract X.509 certificate in DER form from PKCS#11 or PEM. 2 * 3 * Copyright �� 2014-2015 Red Hat, Inc. All Rights Reserved. 4 * Copyright �� 2015 Intel Corporation. 5 * 6 * Authors: David Howells <dhowells@redhat.com> 7 * David Woodhouse <dwmw2@infradead.org> 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU Lesser General Public License 11 * as published by the Free Software Foundation; either version 2.1 12 * of the licence, or (at your option) any later version. 13 */ 14#define _GNU_SOURCE 15#include <stdio.h> 16#include <stdlib.h> 17#include <stdint.h> 18#include <stdbool.h> 19#include <string.h> 20#include <err.h> 21#include <openssl/bio.h> 22#include <openssl/pem.h> 23#include <openssl/err.h> 24#include <openssl/engine.h> 25 26#define PKEY_ID_PKCS7 2 27 28static __attribute__((noreturn)) 29void format(void) 30{ 31 fprintf(stderr, 32 "Usage: scripts/extract-cert <source> <dest>\n"); 33 exit(2); 34} 35 36static void display_openssl_errors(int l) 37{ 38 const char *file; 39 char buf[120]; 40 int e, line; 41 42 if (ERR_peek_error() == 0) 43 return; 44 fprintf(stderr, "At main.c:%d:\n", l); 45 46 while ((e = ERR_get_error_line(&file, &line))) { 47 ERR_error_string(e, buf); 48 fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); 49 } 50} 51 52static void drain_openssl_errors(void) 53{ 54 const char *file; 55 int line; 56 57 if (ERR_peek_error() == 0) 58 return; 59 while (ERR_get_error_line(&file, &line)) {} 60} 61 62#define ERR(cond, fmt, ...) \ 63 do { \ 64 bool __cond = (cond); \ 65 display_openssl_errors(__LINE__); \ 66 if (__cond) { \ 67 err(1, fmt, ## __VA_ARGS__); \ 68 } \ 69 } while(0) 70 71static const char *key_pass; 72static BIO *wb; 73static char *cert_dst; 74int kbuild_verbose; 75 76static void write_cert(X509 *x509) 77{ 78 char buf[200]; 79 80 if (!wb) { 81 wb = BIO_new_file(cert_dst, "wb"); 82 ERR(!wb, "%s", cert_dst); 83 } 84 X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf)); 85 ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst); 86 if (kbuild_verbose) 87 fprintf(stderr, "Extracted cert: %s\n", buf); 88} 89 90int main(int argc, char **argv) 91{ 92 char *cert_src; 93 94 OpenSSL_add_all_algorithms(); 95 ERR_load_crypto_strings(); 96 ERR_clear_error(); 97 98 kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0"); 99 100 key_pass = getenv("KBUILD_SIGN_PIN"); 101 102 if (argc != 3) 103 format(); 104 105 cert_src = argv[1]; 106 cert_dst = argv[2]; 107 108 if (!cert_src[0]) { 109 /* Invoked with no input; create empty file */ 110 FILE *f = fopen(cert_dst, "wb"); 111 ERR(!f, "%s", cert_dst); 112 fclose(f); 113 exit(0); 114 } else if (!strncmp(cert_src, "pkcs11:", 7)) { 115 ENGINE *e; 116 struct { 117 const char *cert_id; 118 X509 *cert; 119 } parms; 120 121 parms.cert_id = cert_src; 122 parms.cert = NULL; 123 124 ENGINE_load_builtin_engines(); 125 drain_openssl_errors(); 126 e = ENGINE_by_id("pkcs11"); 127 ERR(!e, "Load PKCS#11 ENGINE"); 128 if (ENGINE_init(e)) 129 drain_openssl_errors(); 130 else 131 ERR(1, "ENGINE_init"); 132 if (key_pass) 133 ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); 134 ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); 135 ERR(!parms.cert, "Get X.509 from PKCS#11"); 136 write_cert(parms.cert); 137 } else { 138 BIO *b; 139 X509 *x509; 140 141 b = BIO_new_file(cert_src, "rb"); 142 ERR(!b, "%s", cert_src); 143 144 while (1) { 145 x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); 146 if (wb && !x509) { 147 unsigned long err = ERR_peek_last_error(); 148 if (ERR_GET_LIB(err) == ERR_LIB_PEM && 149 ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { 150 ERR_clear_error(); 151 break; 152 } 153 } 154 ERR(!x509, "%s", cert_src); 155 write_cert(x509); 156 } 157 } 158 159 BIO_free(wb); 160 161 return 0; 162} 163