extract-cert.c 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163
  1. /* Extract X.509 certificate in DER form from PKCS#11 or PEM.
  2. *
  3. * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
  4. * Copyright © 2015 Intel Corporation.
  5. *
  6. * Authors: David Howells <dhowells@redhat.com>
  7. * David Woodhouse <dwmw2@infradead.org>
  8. *
  9. * This program is free software; you can redistribute it and/or
  10. * modify it under the terms of the GNU Lesser General Public License
  11. * as published by the Free Software Foundation; either version 2.1
  12. * of the licence, or (at your option) any later version.
  13. */
  14. #define _GNU_SOURCE
  15. #include <stdio.h>
  16. #include <stdlib.h>
  17. #include <stdint.h>
  18. #include <stdbool.h>
  19. #include <string.h>
  20. #include <err.h>
  21. #include <openssl/bio.h>
  22. #include <openssl/pem.h>
  23. #include <openssl/err.h>
  24. #include <openssl/engine.h>
  25. #define PKEY_ID_PKCS7 2
  26. static __attribute__((noreturn))
  27. void format(void)
  28. {
  29. fprintf(stderr,
  30. "Usage: scripts/extract-cert <source> <dest>\n");
  31. exit(2);
  32. }
  33. static void display_openssl_errors(int l)
  34. {
  35. const char *file;
  36. char buf[120];
  37. int e, line;
  38. if (ERR_peek_error() == 0)
  39. return;
  40. fprintf(stderr, "At main.c:%d:\n", l);
  41. while ((e = ERR_get_error_line(&file, &line))) {
  42. ERR_error_string(e, buf);
  43. fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
  44. }
  45. }
  46. static void drain_openssl_errors(void)
  47. {
  48. const char *file;
  49. int line;
  50. if (ERR_peek_error() == 0)
  51. return;
  52. while (ERR_get_error_line(&file, &line)) {}
  53. }
  54. #define ERR(cond, fmt, ...) \
  55. do { \
  56. bool __cond = (cond); \
  57. display_openssl_errors(__LINE__); \
  58. if (__cond) { \
  59. err(1, fmt, ## __VA_ARGS__); \
  60. } \
  61. } while(0)
  62. static const char *key_pass;
  63. static BIO *wb;
  64. static char *cert_dst;
  65. int kbuild_verbose;
  66. static void write_cert(X509 *x509)
  67. {
  68. char buf[200];
  69. if (!wb) {
  70. wb = BIO_new_file(cert_dst, "wb");
  71. ERR(!wb, "%s", cert_dst);
  72. }
  73. X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
  74. ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst);
  75. if (kbuild_verbose)
  76. fprintf(stderr, "Extracted cert: %s\n", buf);
  77. }
  78. int main(int argc, char **argv)
  79. {
  80. char *cert_src;
  81. OpenSSL_add_all_algorithms();
  82. ERR_load_crypto_strings();
  83. ERR_clear_error();
  84. kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
  85. key_pass = getenv("KBUILD_SIGN_PIN");
  86. if (argc != 3)
  87. format();
  88. cert_src = argv[1];
  89. cert_dst = argv[2];
  90. if (!cert_src[0]) {
  91. /* Invoked with no input; create empty file */
  92. FILE *f = fopen(cert_dst, "wb");
  93. ERR(!f, "%s", cert_dst);
  94. fclose(f);
  95. exit(0);
  96. } else if (!strncmp(cert_src, "pkcs11:", 7)) {
  97. ENGINE *e;
  98. struct {
  99. const char *cert_id;
  100. X509 *cert;
  101. } parms;
  102. parms.cert_id = cert_src;
  103. parms.cert = NULL;
  104. ENGINE_load_builtin_engines();
  105. drain_openssl_errors();
  106. e = ENGINE_by_id("pkcs11");
  107. ERR(!e, "Load PKCS#11 ENGINE");
  108. if (ENGINE_init(e))
  109. drain_openssl_errors();
  110. else
  111. ERR(1, "ENGINE_init");
  112. if (key_pass)
  113. ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
  114. ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
  115. ERR(!parms.cert, "Get X.509 from PKCS#11");
  116. write_cert(parms.cert);
  117. } else {
  118. BIO *b;
  119. X509 *x509;
  120. b = BIO_new_file(cert_src, "rb");
  121. ERR(!b, "%s", cert_src);
  122. while (1) {
  123. x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
  124. if (wb && !x509) {
  125. unsigned long err = ERR_peek_last_error();
  126. if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
  127. ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
  128. ERR_clear_error();
  129. break;
  130. }
  131. }
  132. ERR(!x509, "%s", cert_src);
  133. write_cert(x509);
  134. }
  135. }
  136. BIO_free(wb);
  137. return 0;
  138. }