nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 01:00:11 -05:00
Code Issues Projects Releases Wiki Activity

Legacy pkcs12 ciphers support

Browse Source
This commit is contained in:
olszomal 2022-11-29 10:01:39 +01:00 committed by Michał Trojnara
parent dfc13c9bf8
commit 8bba4496c0
1 changed files with 78 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
osslsigncode.c
View File

@ -113,6 +113,9 @@
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h> #include <openssl/engine.h>
#endif /* OPENSSL_NO_ENGINE */ #endif /* OPENSSL_NO_ENGINE */
#if OPENSSL_VERSION_NUMBER>=0x30000000L
#include <openssl/provider.h>
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
#include "msi.h" #include "msi.h"
@ -248,6 +251,9 @@ typedef struct {
char *tsa_crlfile; char *tsa_crlfile;
char *leafhash; char *leafhash;
int jp; int jp;
#if OPENSSL_VERSION_NUMBER>=0x30000000L
int legacy;
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
} GLOBAL_OPTIONS; } GLOBAL_OPTIONS;
typedef struct { typedef struct {
@ -1198,6 +1204,9 @@ static void usage(const char *argv0, const char *cmd)
printf("%1s[ sign ] ( -certs | -spc <certfile> -key <keyfile> | -pkcs12 <pkcs12file> |\n", ""); printf("%1s[ sign ] ( -certs | -spc <certfile> -key <keyfile> | -pkcs12 <pkcs12file> |\n", "");
printf("%12s [ -pkcs11engine <engine> ] -pkcs11module <module> -pkcs11cert <pkcs11 cert id> |\n", ""); printf("%12s [ -pkcs11engine <engine> ] -pkcs11module <module> -pkcs11cert <pkcs11 cert id> |\n", "");
printf("%12s -certs <certfile> -key <pkcs11 key id>)\n", ""); printf("%12s -certs <certfile> -key <pkcs11 key id>)\n", "");
#if OPENSSL_VERSION_NUMBER>=0x30000000L
printf("%12s[ -nolegacy ]\n", "");
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
printf("%12s[ -pass <password>", ""); printf("%12s[ -pass <password>", "");
#ifdef PROVIDE_ASKPASS #ifdef PROVIDE_ASKPASS
printf("%1s [ -askpass ]", ""); printf("%1s [ -askpass ]", "");
@ -1288,6 +1297,9 @@ static void help_for(const char *argv0, const char *cmd)
const char *cmds_in[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", "verify", NULL}; const char *cmds_in[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", "verify", NULL};
const char *cmds_jp[] = {"sign", NULL}; const char *cmds_jp[] = {"sign", NULL};
const char *cmds_key[] = {"sign", NULL}; const char *cmds_key[] = {"sign", NULL};
#if OPENSSL_VERSION_NUMBER>=0x30000000L
const char *cmds_nolegacy[] = {"sign", NULL};
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
const char *cmds_n[] = {"sign", NULL}; const char *cmds_n[] = {"sign", NULL};
const char *cmds_nest[] = {"attach-signature", "sign", NULL}; const char *cmds_nest[] = {"attach-signature", "sign", NULL};
#ifdef ENABLE_CURL #ifdef ENABLE_CURL
@ -1400,6 +1412,10 @@ static void help_for(const char *argv0, const char *cmd)
printf("%26slevels of permissions in Microsoft Internet Explorer 4.x for CAB files\n", ""); printf("%26slevels of permissions in Microsoft Internet Explorer 4.x for CAB files\n", "");
printf("%26sonly \"low\" level is now supported\n", ""); printf("%26sonly \"low\" level is now supported\n", "");
} }
#if OPENSSL_VERSION_NUMBER>=0x30000000L
if (on_list(cmd, cmds_nolegacy))
printf("%-24s= disable legacy mode and don't automatically load the legacy provider\n", "-nolegacy");
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
if (on_list(cmd, cmds_key)) if (on_list(cmd, cmds_key))
printf("%-24s= the private key to use or PKCS#11 URI identifies a key in the token\n", "-key"); printf("%-24s= the private key to use or PKCS#11 URI identifies a key in the token\n", "-key");
if (on_list(cmd, cmds_n)) if (on_list(cmd, cmds_n))
@ -5736,6 +5752,52 @@ static cmd_type_t get_command(char **argv)
return CMD_SIGN; return CMD_SIGN;
} }
#if OPENSSL_VERSION_NUMBER>=0x30000000L
DEFINE_STACK_OF(OSSL_PROVIDER)
static STACK_OF(OSSL_PROVIDER) *providers = NULL;
static void provider_free(OSSL_PROVIDER *prov)
{
OSSL_PROVIDER_unload(prov);
}
static void providers_cleanup(void)
{
sk_OSSL_PROVIDER_pop_free(providers, provider_free);
providers = NULL;
}
static int provider_load(OSSL_LIB_CTX *libctx, const char *pname)
{
OSSL_PROVIDER *prov= OSSL_PROVIDER_load(libctx, pname);
if (prov == NULL) {
printf("Unable to load provider: %s\n", pname);
return 0; /* FAILED */
}
if (providers == NULL) {
providers = sk_OSSL_PROVIDER_new_null();
}
if (providers == NULL || !sk_OSSL_PROVIDER_push(providers, prov)) {
providers_cleanup();
return 0; /* FAILED */
}
return 1; /* OK */
}
static int use_legacy(void)
{
/* load the legacy provider if not loaded already */
if (!OSSL_PROVIDER_available(NULL, "legacy")) {
if (!provider_load(NULL, "legacy"))
return 0; /* FAILED */
/* load the default provider explicitly */
if (!provider_load(NULL, "default"))
return 0; /* FAILED */
}
return 1; /* OK */
}
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS *options) static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS *options)
{ {
int i; int i;
@ -5751,6 +5813,10 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
options->md = EVP_sha256(); options->md = EVP_sha256();
options->time = INVALID_TIME; options->time = INVALID_TIME;
options->jp = -1; options->jp = -1;
#if OPENSSL_VERSION_NUMBER>=0x30000000L
/* Use legacy PKCS#12 container with RC2-40-CBC private key and certificate encryption algorithm */
options->legacy = 1;
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
if (*cmd == CMD_HELP) { if (*cmd == CMD_HELP) {
return 0; /* FAILED */ return 0; /* FAILED */
@ -5824,6 +5890,10 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
} }
options->p11module = *(++argv); options->p11module = *(++argv);
#endif /* OPENSSL_NO_ENGINE */ #endif /* OPENSSL_NO_ENGINE */
#if OPENSSL_VERSION_NUMBER>=0x30000000L
} else if ((*cmd == CMD_SIGN) && !strcmp(*argv, "-nolegacy")) {
options->legacy = 0;
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
} else if ((*cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) { } else if ((*cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) {
if (options->askpass || options->readpass) { if (options->askpass || options->readpass) {
usage(argv0, "all"); usage(argv0, "all");
@ -6051,6 +6121,11 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
return 0; /* FAILED */ return 0; /* FAILED */
} }
#endif /* WIN32 */ #endif /* WIN32 */
#if OPENSSL_VERSION_NUMBER>=0x30000000L
if (*cmd == CMD_SIGN && options->legacy && !use_legacy()) {
printf("Warning: Legacy mode disabled\n");
}
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
return 1; /* OK */ return 1; /* OK */
} }
@ -6313,6 +6388,9 @@ err_cleanup:
free_msi_params(&msiparams); free_msi_params(&msiparams);
free_crypto_params(&cparams); free_crypto_params(&cparams);
free_options(&options); free_options(&options);
#if OPENSSL_VERSION_NUMBER>=0x30000000L
providers_cleanup();
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
if (ret) if (ret)
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
if (cmd == CMD_HELP) if (cmd == CMD_HELP)