Convert openssl(1) pkcs12 to the newer style of option handling

Adapt openssl(1) pkcs12 command to new option handling. Added pkcs12_options struct, and replaced for-if-strcmp handling with options_parse(). ok and comments jsing@
author: inoguchi <> 2019-07-24 13:49:24 +0000
committer: inoguchi <> 2019-07-24 13:49:24 +0000
commit: 1c81897e8b4e5c28f31ac0c70ca3118a74c40c98 (patch)
tree: 952558931f2dd0001bb4183c5d41168152ad1d38
parent: a0c791640cca1f12c159616cf997ff98323e35d3 (diff)
download: openbsd-1c81897e8b4e5c28f31ac0c70ca3118a74c40c98.tar.gz
openbsd-1c81897e8b4e5c28f31ac0c70ca3118a74c40c98.tar.bz2
openbsd-1c81897e8b4e5c28f31ac0c70ca3118a74c40c98.zip
1 files changed, 409 insertions, 214 deletions
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index 35a17154f8..a1983eee0f 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.11 2019/07/23 10:18:32 inoguchi Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.12 2019/07/24 13:49:24 inoguchi Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -119,14 +119,418 @@ static struct {
        int twopass;
 } pkcs12_config;
+static int
+pkcs12_opt_canames(char *arg)
+{
+        if (pkcs12_config.canames == NULL &&
+            (pkcs12_config.canames = sk_OPENSSL_STRING_new_null()) == NULL)
+                return (1);
+        if (!sk_OPENSSL_STRING_push(pkcs12_config.canames, arg))
+                return (1);
+        return (0);
+}
+static int
+pkcs12_opt_cert_pbe(char *arg)
+{
+        return (!set_pbe(bio_err, &pkcs12_config.cert_pbe, arg));
+}
+static int
+pkcs12_opt_key_pbe(char *arg)
+{
+        return (!set_pbe(bio_err, &pkcs12_config.key_pbe, arg));
+}
+static int
+pkcs12_opt_passarg(char *arg)
+{
+        pkcs12_config.passarg = arg;
+        pkcs12_config.noprompt = 1;
+        return (0);
+}
+static const EVP_CIPHER *get_cipher_by_name(char *name)
+{
+        if (name == NULL || strcmp(name, "") == 0)
+                return (NULL);
+#ifndef OPENSSL_NO_AES
+        else if (strcmp(name, "aes128") == 0)
+                return EVP_aes_128_cbc();
+        else if (strcmp(name, "aes192") == 0)
+                return EVP_aes_192_cbc();
+        else if (strcmp(name, "aes256") == 0)
+                return EVP_aes_256_cbc();
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+        else if (strcmp(name, "camellia128") == 0)
+                return EVP_camellia_128_cbc();
+        else if (strcmp(name, "camellia192") == 0)
+                return EVP_camellia_192_cbc();
+        else if (strcmp(name, "camellia256") == 0)
+                return EVP_camellia_256_cbc();
+#endif
+#ifndef OPENSSL_NO_DES
+        else if (strcmp(name, "des") == 0)
+                return EVP_des_cbc();
+        else if (strcmp(name, "des3") == 0)
+                return EVP_des_ede3_cbc();
+#endif
+#ifndef OPENSSL_NO_IDEA
+        else if (strcmp(name, "idea") == 0)
+                return EVP_idea_cbc();
+#endif
+        else
+                return (NULL);
+}
+static int
+pkcs12_opt_enc(int argc, char **argv, int *argsused)
+{
+        char *name = argv[0];
+        if (*name++ != '-')
+                return (1);
+        if (strcmp(name, "nodes") == 0)
+                pkcs12_config.enc = NULL;
+        else if ((pkcs12_config.enc = get_cipher_by_name(name)) == NULL)
+                return (1);
+        *argsused = 1;
+        return (0);
+}
+static const struct option pkcs12_options[] = {
+#ifndef OPENSSL_NO_AES
+        {
+                .name = "aes128",
+                .desc = "Encrypt PEM output with CBC AES",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+        {
+                .name = "aes192",
+                .desc = "Encrypt PEM output with CBC AES",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+        {
+                .name = "aes256",
+                .desc = "Encrypt PEM output with CBC AES",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+        {
+                .name = "camellia128",
+                .desc = "Encrypt PEM output with CBC Camellia",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+        {
+                .name = "camellia192",
+                .desc = "Encrypt PEM output with CBC Camellia",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+        {
+                .name = "camellia256",
+                .desc = "Encrypt PEM output with CBC Camellia",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+#endif
+        {
+                .name = "des",
+                .desc = "Encrypt private keys with DES",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+        {
+                .name = "des3",
+                .desc = "Encrypt private keys with triple DES (default)",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+#ifndef OPENSSL_NO_IDEA
+        {
+                .name = "idea",
+                .desc = "Encrypt private keys with IDEA",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+#endif
+        {
+                .name = "cacerts",
+                .desc = "Only output CA certificates",
+                .type = OPTION_VALUE_OR,
+                .opt.value = &pkcs12_config.options,
+                .value = CACERTS,
+        },
+        {
+                .name = "CAfile",
+                .argname = "file",
+                .desc = "PEM format file of CA certificates",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.CAfile,
+        },
+        {
+                .name = "caname",
+                .argname = "name",
+                .desc = "Use name as CA friendly name (can be used more than once)",
+                .type = OPTION_ARG_FUNC,
+                .opt.argfunc = pkcs12_opt_canames,
+        },
+        {
+                .name = "CApath",
+                .argname = "directory",
+                .desc = "PEM format directory of CA certificates",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.CApath,
+        },
+        {
+                .name = "certfile",
+                .argname = "file",
+                .desc = "Add all certs in file",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.certfile,
+        },
+        {
+                .name = "certpbe",
+                .argname = "alg",
+                .desc = "Specify certificate PBE algorithm (default RC2-40)",
+                .type = OPTION_ARG_FUNC,
+                .opt.argfunc = pkcs12_opt_cert_pbe,
+        },
+        {
+                .name = "chain",
+                .desc = "Add certificate chain",
+                .type = OPTION_FLAG,
+                .opt.flag = &pkcs12_config.chain,
+        },
+        {
+                .name = "clcerts",
+                .desc = "Only output client certificates",
+                .type = OPTION_VALUE_OR,
+                .opt.value = &pkcs12_config.options,
+                .value = CLCERTS,
+        },
+        {
+                .name = "CSP",
+                .argname = "name",
+                .desc = "Microsoft CSP name",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.csp_name,
+        },
+        {
+                .name = "descert",
+                .desc = "Encrypt PKCS#12 certificates with triple DES (default RC2-40)",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.cert_pbe,
+                .value = NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+        },
+        {
+                .name = "export",
+                .desc = "Output PKCS#12 file",
+                .type = OPTION_FLAG,
+                .opt.flag = &pkcs12_config.export_cert,
+        },
+        {
+                .name = "in",
+                .argname = "file",
+                .desc = "Input filename",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.infile,
+        },
+        {
+                .name = "info",
+                .desc = "Give info about PKCS#12 structure",
+                .type = OPTION_VALUE_OR,
+                .opt.value = &pkcs12_config.options,
+                .value = INFO,
+        },
+        {
+                .name = "inkey",
+                .argname = "file",
+                .desc = "Private key if not infile",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.keyname,
+        },
+        {
+                .name = "keyex",
+                .desc = "Set MS key exchange type",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.keytype,
+                .value = KEY_EX,
+        },
+        {
+                .name = "keypbe",
+                .argname = "alg",
+                .desc = "Specify private key PBE algorithm (default 3DES)",
+                .type = OPTION_ARG_FUNC,
+                .opt.argfunc = pkcs12_opt_key_pbe,
+        },
+        {
+                .name = "keysig",
+                .desc = "Set MS key signature type",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.keytype,
+                .value = KEY_SIG,
+        },
+        {
+                .name = "LMK",
+                .desc = "Add local machine keyset attribute to private key",
+                .type = OPTION_FLAG,
+                .opt.flag = &pkcs12_config.add_lmk,
+        },
+        {
+                .name = "macalg",
+                .argname = "alg",
+                .desc = "Digest algorithm used in MAC (default SHA1)",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.macalg,
+        },
+        {
+                .name = "maciter",
+                .desc = "Use MAC iteration",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.maciter,
+                .value = PKCS12_DEFAULT_ITER,
+        },
+        {
+                .name = "name",
+                .argname = "name",
+                .desc = "Use name as friendly name",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.name,
+        },
+        {
+                .name = "nocerts",
+                .desc = "Don't output certificates",
+                .type = OPTION_VALUE_OR,
+                .opt.value = &pkcs12_config.options,
+                .value = NOCERTS,
+        },
+        {
+                .name = "nodes",
+                .desc = "Don't encrypt private keys",
+                .type = OPTION_ARGV_FUNC,
+                .opt.argvfunc = pkcs12_opt_enc,
+        },
+        {
+                .name = "noiter",
+                .desc = "Don't use encryption iteration",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.iter,
+                .value = 1,
+        },
+        {
+                .name = "nokeys",
+                .desc = "Don't output private keys",
+                .type = OPTION_VALUE_OR,
+                .opt.value = &pkcs12_config.options,
+                .value = NOKEYS,
+        },
+        {
+                .name = "nomac",
+                .desc = "Don't generate MAC",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.maciter,
+                .value = -1,
+        },
+        {
+                .name = "nomaciter",
+                .desc = "Don't use MAC iteration",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.maciter,
+                .value = 1,
+        },
+        {
+                .name = "nomacver",
+                .desc = "Don't verify MAC",
+                .type = OPTION_VALUE,
+                .opt.value = &pkcs12_config.macver,
+                .value = 0,
+        },
+        {
+                .name = "noout",
+                .desc = "Don't output anything, just verify",
+                .type = OPTION_VALUE_OR,
+                .opt.value = &pkcs12_config.options,
+                .value = (NOKEYS | NOCERTS),
+        },
+        {
+                .name = "out",
+                .argname = "file",
+                .desc = "Output filename",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.outfile,
+        },
+        {
+                .name = "passin",
+                .argname = "arg",
+                .desc = "Input file passphrase source",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.passargin,
+        },
+        {
+                .name = "passout",
+                .argname = "arg",
+                .desc = "Output file passphrase source",
+                .type = OPTION_ARG,
+                .opt.arg = &pkcs12_config.passargout,
+        },
+        {
+                .name = "password",
+                .argname = "arg",
+                .desc = "Set import/export password source",
+                .type = OPTION_ARG_FUNC,
+                .opt.argfunc = pkcs12_opt_passarg,
+        },
+        {
+                .name = "twopass",
+                .desc = "Separate MAC, encryption passwords",
+                .type = OPTION_FLAG,
+                .opt.flag = &pkcs12_config.twopass,
+        },
+        { NULL },
+};
+static void
+pkcs12_usage(void)
+{
+        fprintf(stderr, "usage: pkcs12 [-aes128 | -aes192 | -aes256 |");
+        fprintf(stderr, " -camellia128 |\n");
+        fprintf(stderr, "    -camellia192 | -camellia256 | -des | -des3 |");
+        fprintf(stderr, " -idea]\n");
+        fprintf(stderr, "    [-cacerts] [-CAfile file] [-caname name]\n");
+        fprintf(stderr, "    [-CApath directory] [-certfile file]");
+        fprintf(stderr, " [-certpbe alg]\n");
+        fprintf(stderr, "    [-chain] [-clcerts] [-CSP name] [-descert]");
+        fprintf(stderr, " [-export]\n");
+        fprintf(stderr, "    [-in file] [-info] [-inkey file] [-keyex]");
+        fprintf(stderr, " [-keypbe alg]\n");
+        fprintf(stderr, "    [-keysig] [-LMK] [-macalg alg] [-maciter]");
+        fprintf(stderr, " [-name name]\n");
+        fprintf(stderr, "    [-nocerts] [-nodes] [-noiter] [-nokeys]");
+        fprintf(stderr, " [-nomac]\n");
+        fprintf(stderr, "    [-nomaciter] [-nomacver] [-noout] [-out file]\n");
+        fprintf(stderr, "    [-passin arg] [-passout arg] [-password arg]");
+        fprintf(stderr, " [-twopass]\n\n");
+        options_usage(pkcs12_options);
+        fprintf(stderr, "\n");
+}
 int
 pkcs12_main(int argc, char **argv)
 {
        BIO *in = NULL, *out = NULL;
-        char **args;
        PKCS12 *p12 = NULL;
        char pass[50], macpass[50];
-        int badarg = 0;
        int ret = 1;
        char *cpass = NULL, *mpass = NULL;
        char *passin = NULL, *passout = NULL;
@@ -146,217 +550,8 @@ pkcs12_main(int argc, char **argv)
        pkcs12_config.maciter = PKCS12_DEFAULT_ITER;
        pkcs12_config.macver = 1;
-        args = argv + 1;
+        if (options_parse(argc, argv, pkcs12_options, NULL, NULL) != 0) {
+                pkcs12_usage();
-        while (*args) {
-                if (*args[0] == '-') {
-                        if (!strcmp(*args, "-nokeys"))
-                                pkcs12_config.options |= NOKEYS;
-                        else if (!strcmp(*args, "-keyex"))
-                                pkcs12_config.keytype = KEY_EX;
-                        else if (!strcmp(*args, "-keysig"))
-                                pkcs12_config.keytype = KEY_SIG;
-                        else if (!strcmp(*args, "-nocerts"))
-                                pkcs12_config.options |= NOCERTS;
-                        else if (!strcmp(*args, "-clcerts"))
-                                pkcs12_config.options |= CLCERTS;
-                        else if (!strcmp(*args, "-cacerts"))
-                                pkcs12_config.options |= CACERTS;
-                        else if (!strcmp(*args, "-noout"))
-                                pkcs12_config.options |= (NOKEYS | NOCERTS);
-                        else if (!strcmp(*args, "-info"))
-                                pkcs12_config.options |= INFO;
-                        else if (!strcmp(*args, "-chain"))
-                                pkcs12_config.chain = 1;
-                        else if (!strcmp(*args, "-twopass"))
-                                pkcs12_config.twopass = 1;
-                        else if (!strcmp(*args, "-nomacver"))
-                                pkcs12_config.macver = 0;
-                        else if (!strcmp(*args, "-descert"))
-                                pkcs12_config.cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-                        else if (!strcmp(*args, "-export"))
-                                pkcs12_config.export_cert = 1;
-                        else if (!strcmp(*args, "-des"))
-                                pkcs12_config.enc = EVP_des_cbc();
-                        else if (!strcmp(*args, "-des3"))
-                                pkcs12_config.enc = EVP_des_ede3_cbc();
-#ifndef OPENSSL_NO_IDEA
-                        else if (!strcmp(*args, "-idea"))
-                                pkcs12_config.enc = EVP_idea_cbc();
-#endif
-#ifndef OPENSSL_NO_AES
-                        else if (!strcmp(*args, "-aes128"))
-                                pkcs12_config.enc = EVP_aes_128_cbc();
-                        else if (!strcmp(*args, "-aes192"))
-                                pkcs12_config.enc = EVP_aes_192_cbc();
-                        else if (!strcmp(*args, "-aes256"))
-                                pkcs12_config.enc = EVP_aes_256_cbc();
-#endif
-#ifndef OPENSSL_NO_CAMELLIA
-                        else if (!strcmp(*args, "-camellia128"))
-                                pkcs12_config.enc = EVP_camellia_128_cbc();
-                        else if (!strcmp(*args, "-camellia192"))
-                                pkcs12_config.enc = EVP_camellia_192_cbc();
-                        else if (!strcmp(*args, "-camellia256"))
-                                pkcs12_config.enc = EVP_camellia_256_cbc();
-#endif
-                        else if (!strcmp(*args, "-noiter"))
-                                pkcs12_config.iter = 1;
-                        else if (!strcmp(*args, "-maciter"))
-                                pkcs12_config.maciter = PKCS12_DEFAULT_ITER;
-                        else if (!strcmp(*args, "-nomaciter"))
-                                pkcs12_config.maciter = 1;
-                        else if (!strcmp(*args, "-nomac"))
-                                pkcs12_config.maciter = -1;
-                        else if (!strcmp(*args, "-macalg"))
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.macalg = *args;
-                                } else
-                                        badarg = 1;
-                        else if (!strcmp(*args, "-nodes"))
-                                pkcs12_config.enc = NULL;
-                        else if (!strcmp(*args, "-certpbe")) {
-                                if (!set_pbe(bio_err, &pkcs12_config.cert_pbe, *++args))
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-keypbe")) {
-                                if (!set_pbe(bio_err, &pkcs12_config.key_pbe, *++args))
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-inkey")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.keyname = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-certfile")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.certfile = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-name")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.name = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-LMK"))
-                                pkcs12_config.add_lmk = 1;
-                        else if (!strcmp(*args, "-CSP")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.csp_name = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-caname")) {
-                                if (args[1]) {
-                                        args++;
-                                        if (!pkcs12_config.canames)
-                                                pkcs12_config.canames = sk_OPENSSL_STRING_new_null();
-                                        sk_OPENSSL_STRING_push(pkcs12_config.canames, *args);
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-in")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.infile = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-out")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.outfile = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-passin")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.passargin = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-passout")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.passargout = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-password")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.passarg = *args;
-                                        pkcs12_config.noprompt = 1;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-CApath")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.CApath = *args;
-                                } else
-                                        badarg = 1;
-                        } else if (!strcmp(*args, "-CAfile")) {
-                                if (args[1]) {
-                                        args++;
-                                        pkcs12_config.CAfile = *args;
-                                } else
-                                        badarg = 1;
-                        } else
-                                badarg = 1;
-                } else
-                        badarg = 1;
-                args++;
-        }
-        if (badarg) {
-                BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
-                BIO_printf(bio_err, "where options are\n");
-                BIO_printf(bio_err, "-export       output PKCS12 file\n");
-                BIO_printf(bio_err, "-chain        add certificate chain\n");
-                BIO_printf(bio_err, "-inkey file   private key if not infile\n");
-                BIO_printf(bio_err, "-certfile f   add all certs in f\n");
-                BIO_printf(bio_err, "-CApath arg   - PEM format directory of CA's\n");
-                BIO_printf(bio_err, "-CAfile arg   - PEM format file of CA's\n");
-                BIO_printf(bio_err, "-name \"name\"  use name as friendly name\n");
-                BIO_printf(bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
-                BIO_printf(bio_err, "-in  infile   input filename\n");
-                BIO_printf(bio_err, "-out outfile  output filename\n");
-                BIO_printf(bio_err, "-noout        don't output anything, just verify.\n");
-                BIO_printf(bio_err, "-nomacver     don't verify MAC.\n");
-                BIO_printf(bio_err, "-nocerts      don't output certificates.\n");
-                BIO_printf(bio_err, "-clcerts      only output client certificates.\n");
-                BIO_printf(bio_err, "-cacerts      only output CA certificates.\n");
-                BIO_printf(bio_err, "-nokeys       don't output private keys.\n");
-                BIO_printf(bio_err, "-info         give info about PKCS#12 structure.\n");
-                BIO_printf(bio_err, "-des          encrypt private keys with DES\n");
-                BIO_printf(bio_err, "-des3         encrypt private keys with triple DES (default)\n");
-#ifndef OPENSSL_NO_IDEA
-                BIO_printf(bio_err, "-idea         encrypt private keys with idea\n");
-#endif
-#ifndef OPENSSL_NO_AES
-                BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
-                BIO_printf(bio_err, "              encrypt PEM output with cbc aes\n");
-#endif
-#ifndef OPENSSL_NO_CAMELLIA
-                BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
-                BIO_printf(bio_err, "              encrypt PEM output with cbc camellia\n");
-#endif
-                BIO_printf(bio_err, "-nodes        don't encrypt private keys\n");
-                BIO_printf(bio_err, "-noiter       don't use encryption iteration\n");
-                BIO_printf(bio_err, "-nomaciter    don't use MAC iteration\n");
-                BIO_printf(bio_err, "-maciter      use MAC iteration\n");
-                BIO_printf(bio_err, "-nomac        don't generate MAC\n");
-                BIO_printf(bio_err, "-twopass      separate MAC, encryption passwords\n");
-                BIO_printf(bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
-                BIO_printf(bio_err, "-certpbe alg  specify certificate PBE algorithm (default RC2-40)\n");
-                BIO_printf(bio_err, "-keypbe alg   specify private key PBE algorithm (default 3DES)\n");
-                BIO_printf(bio_err, "-macalg alg   digest algorithm used in MAC (default SHA1)\n");
-                BIO_printf(bio_err, "-keyex        set MS key exchange type\n");
-                BIO_printf(bio_err, "-keysig       set MS key signature type\n");
-                BIO_printf(bio_err, "-password p   set import/export password source\n");
-                BIO_printf(bio_err, "-passin p     input file pass phrase source\n");
-                BIO_printf(bio_err, "-passout p    output file pass phrase source\n");
-                BIO_printf(bio_err, "-CSP name     Microsoft CSP name\n");
-                BIO_printf(bio_err, "-LMK          Add local machine keyset attribute to private key\n");
                goto end;
        }
author	inoguchi <>	2019-07-24 13:49:24 +0000
committer	inoguchi <>	2019-07-24 13:49:24 +0000
commit	1c81897e8b4e5c28f31ac0c70ca3118a74c40c98 (patch)
tree	952558931f2dd0001bb4183c5d41168152ad1d38
parent	a0c791640cca1f12c159616cf997ff98323e35d3 (diff)
download	openbsd-1c81897e8b4e5c28f31ac0c70ca3118a74c40c98.tar.gz openbsd-1c81897e8b4e5c28f31ac0c70ca3118a74c40c98.tar.bz2 openbsd-1c81897e8b4e5c28f31ac0c70ca3118a74c40c98.zip

diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c index 35a17154f8..a1983eee0f 100644 --- a/src/usr.bin/openssl/pkcs12.c +++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pkcs12.c,v 1.11 2019/07/23 10:18:32 inoguchi Exp $ */	1	/* $OpenBSD: pkcs12.c,v 1.12 2019/07/24 13:49:24 inoguchi Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project.	3	* project.
4	*/	4	*/
@@ -119,14 +119,418 @@ static struct {
119	int twopass;	119	int twopass;
120	} pkcs12_config;	120	} pkcs12_config;
121		121
		122	static int
		123	pkcs12_opt_canames(char *arg)
		124	{
		125	if (pkcs12_config.canames == NULL &&
		126	(pkcs12_config.canames = sk_OPENSSL_STRING_new_null()) == NULL)
		127	return (1);
		128
		129	if (!sk_OPENSSL_STRING_push(pkcs12_config.canames, arg))
		130	return (1);
		131
		132	return (0);
		133	}
		134
		135	static int
		136	pkcs12_opt_cert_pbe(char *arg)
		137	{
		138	return (!set_pbe(bio_err, &pkcs12_config.cert_pbe, arg));
		139	}
		140
		141	static int
		142	pkcs12_opt_key_pbe(char *arg)
		143	{
		144	return (!set_pbe(bio_err, &pkcs12_config.key_pbe, arg));
		145	}
		146
		147	static int
		148	pkcs12_opt_passarg(char *arg)
		149	{
		150	pkcs12_config.passarg = arg;
		151	pkcs12_config.noprompt = 1;
		152	return (0);
		153	}
		154
		155	static const EVP_CIPHER get_cipher_by_name(char name)
		156	{
		157	if (name == NULL \|\| strcmp(name, "") == 0)
		158	return (NULL);
		159	#ifndef OPENSSL_NO_AES
		160	else if (strcmp(name, "aes128") == 0)
		161	return EVP_aes_128_cbc();
		162	else if (strcmp(name, "aes192") == 0)
		163	return EVP_aes_192_cbc();
		164	else if (strcmp(name, "aes256") == 0)
		165	return EVP_aes_256_cbc();
		166	#endif
		167	#ifndef OPENSSL_NO_CAMELLIA
		168	else if (strcmp(name, "camellia128") == 0)
		169	return EVP_camellia_128_cbc();
		170	else if (strcmp(name, "camellia192") == 0)
		171	return EVP_camellia_192_cbc();
		172	else if (strcmp(name, "camellia256") == 0)
		173	return EVP_camellia_256_cbc();
		174	#endif
		175	#ifndef OPENSSL_NO_DES
		176	else if (strcmp(name, "des") == 0)
		177	return EVP_des_cbc();
		178	else if (strcmp(name, "des3") == 0)
		179	return EVP_des_ede3_cbc();
		180	#endif
		181	#ifndef OPENSSL_NO_IDEA
		182	else if (strcmp(name, "idea") == 0)
		183	return EVP_idea_cbc();
		184	#endif
		185	else
		186	return (NULL);
		187	}
		188
		189	static int
		190	pkcs12_opt_enc(int argc, char *argv, int argsused)
		191	{
		192	char *name = argv[0];
		193
		194	if (*name++ != '-')
		195	return (1);
		196
		197	if (strcmp(name, "nodes") == 0)
		198	pkcs12_config.enc = NULL;
		199	else if ((pkcs12_config.enc = get_cipher_by_name(name)) == NULL)
		200	return (1);
		201
		202	*argsused = 1;
		203	return (0);
		204	}
		205
		206	static const struct option pkcs12_options[] = {
		207	#ifndef OPENSSL_NO_AES
		208	{
		209	.name = "aes128",
		210	.desc = "Encrypt PEM output with CBC AES",
		211	.type = OPTION_ARGV_FUNC,
		212	.opt.argvfunc = pkcs12_opt_enc,
		213	},
		214	{
		215	.name = "aes192",
		216	.desc = "Encrypt PEM output with CBC AES",
		217	.type = OPTION_ARGV_FUNC,
		218	.opt.argvfunc = pkcs12_opt_enc,
		219	},
		220	{
		221	.name = "aes256",
		222	.desc = "Encrypt PEM output with CBC AES",
		223	.type = OPTION_ARGV_FUNC,
		224	.opt.argvfunc = pkcs12_opt_enc,
		225	},
		226	#endif
		227	#ifndef OPENSSL_NO_CAMELLIA
		228	{
		229	.name = "camellia128",
		230	.desc = "Encrypt PEM output with CBC Camellia",
		231	.type = OPTION_ARGV_FUNC,
		232	.opt.argvfunc = pkcs12_opt_enc,
		233	},
		234	{
		235	.name = "camellia192",
		236	.desc = "Encrypt PEM output with CBC Camellia",
		237	.type = OPTION_ARGV_FUNC,
		238	.opt.argvfunc = pkcs12_opt_enc,
		239	},
		240	{
		241	.name = "camellia256",
		242	.desc = "Encrypt PEM output with CBC Camellia",
		243	.type = OPTION_ARGV_FUNC,
		244	.opt.argvfunc = pkcs12_opt_enc,
		245	},
		246	#endif
		247	{
		248	.name = "des",
		249	.desc = "Encrypt private keys with DES",
		250	.type = OPTION_ARGV_FUNC,
		251	.opt.argvfunc = pkcs12_opt_enc,
		252	},
		253	{
		254	.name = "des3",
		255	.desc = "Encrypt private keys with triple DES (default)",
		256	.type = OPTION_ARGV_FUNC,
		257	.opt.argvfunc = pkcs12_opt_enc,
		258	},
		259	#ifndef OPENSSL_NO_IDEA
		260	{
		261	.name = "idea",
		262	.desc = "Encrypt private keys with IDEA",
		263	.type = OPTION_ARGV_FUNC,
		264	.opt.argvfunc = pkcs12_opt_enc,
		265	},
		266	#endif
		267	{
		268	.name = "cacerts",
		269	.desc = "Only output CA certificates",
		270	.type = OPTION_VALUE_OR,
		271	.opt.value = &pkcs12_config.options,
		272	.value = CACERTS,
		273	},
		274	{
		275	.name = "CAfile",
		276	.argname = "file",
		277	.desc = "PEM format file of CA certificates",
		278	.type = OPTION_ARG,
		279	.opt.arg = &pkcs12_config.CAfile,
		280	},
		281	{
		282	.name = "caname",
		283	.argname = "name",
		284	.desc = "Use name as CA friendly name (can be used more than once)",
		285	.type = OPTION_ARG_FUNC,
		286	.opt.argfunc = pkcs12_opt_canames,
		287	},
		288	{
		289	.name = "CApath",
		290	.argname = "directory",
		291	.desc = "PEM format directory of CA certificates",
		292	.type = OPTION_ARG,
		293	.opt.arg = &pkcs12_config.CApath,
		294	},
		295	{
		296	.name = "certfile",
		297	.argname = "file",
		298	.desc = "Add all certs in file",
		299	.type = OPTION_ARG,
		300	.opt.arg = &pkcs12_config.certfile,
		301	},
		302	{
		303	.name = "certpbe",
		304	.argname = "alg",
		305	.desc = "Specify certificate PBE algorithm (default RC2-40)",
		306	.type = OPTION_ARG_FUNC,
		307	.opt.argfunc = pkcs12_opt_cert_pbe,
		308	},
		309	{
		310	.name = "chain",
		311	.desc = "Add certificate chain",
		312	.type = OPTION_FLAG,
		313	.opt.flag = &pkcs12_config.chain,
		314	},
		315	{
		316	.name = "clcerts",
		317	.desc = "Only output client certificates",
		318	.type = OPTION_VALUE_OR,
		319	.opt.value = &pkcs12_config.options,
		320	.value = CLCERTS,
		321	},
		322	{
		323	.name = "CSP",
		324	.argname = "name",
		325	.desc = "Microsoft CSP name",
		326	.type = OPTION_ARG,
		327	.opt.arg = &pkcs12_config.csp_name,
		328	},
		329	{
		330	.name = "descert",
		331	.desc = "Encrypt PKCS#12 certificates with triple DES (default RC2-40)",
		332	.type = OPTION_VALUE,
		333	.opt.value = &pkcs12_config.cert_pbe,
		334	.value = NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
		335	},
		336	{
		337	.name = "export",
		338	.desc = "Output PKCS#12 file",
		339	.type = OPTION_FLAG,
		340	.opt.flag = &pkcs12_config.export_cert,
		341	},
		342	{
		343	.name = "in",
		344	.argname = "file",
		345	.desc = "Input filename",
		346	.type = OPTION_ARG,
		347	.opt.arg = &pkcs12_config.infile,
		348	},
		349	{
		350	.name = "info",
		351	.desc = "Give info about PKCS#12 structure",
		352	.type = OPTION_VALUE_OR,
		353	.opt.value = &pkcs12_config.options,
		354	.value = INFO,
		355	},
		356	{
		357	.name = "inkey",
		358	.argname = "file",
		359	.desc = "Private key if not infile",
		360	.type = OPTION_ARG,
		361	.opt.arg = &pkcs12_config.keyname,
		362	},
		363	{
		364	.name = "keyex",
		365	.desc = "Set MS key exchange type",
		366	.type = OPTION_VALUE,
		367	.opt.value = &pkcs12_config.keytype,
		368	.value = KEY_EX,
		369	},
		370	{
		371	.name = "keypbe",
		372	.argname = "alg",
		373	.desc = "Specify private key PBE algorithm (default 3DES)",
		374	.type = OPTION_ARG_FUNC,
		375	.opt.argfunc = pkcs12_opt_key_pbe,
		376	},
		377	{
		378	.name = "keysig",
		379	.desc = "Set MS key signature type",
		380	.type = OPTION_VALUE,
		381	.opt.value = &pkcs12_config.keytype,
		382	.value = KEY_SIG,
		383	},
		384	{
		385	.name = "LMK",
		386	.desc = "Add local machine keyset attribute to private key",
		387	.type = OPTION_FLAG,
		388	.opt.flag = &pkcs12_config.add_lmk,
		389	},
		390	{
		391	.name = "macalg",
		392	.argname = "alg",
		393	.desc = "Digest algorithm used in MAC (default SHA1)",
		394	.type = OPTION_ARG,
		395	.opt.arg = &pkcs12_config.macalg,
		396	},
		397	{
		398	.name = "maciter",
		399	.desc = "Use MAC iteration",
		400	.type = OPTION_VALUE,
		401	.opt.value = &pkcs12_config.maciter,
		402	.value = PKCS12_DEFAULT_ITER,
		403	},
		404	{
		405	.name = "name",
		406	.argname = "name",
		407	.desc = "Use name as friendly name",
		408	.type = OPTION_ARG,
		409	.opt.arg = &pkcs12_config.name,
		410	},
		411	{
		412	.name = "nocerts",
		413	.desc = "Don't output certificates",
		414	.type = OPTION_VALUE_OR,
		415	.opt.value = &pkcs12_config.options,
		416	.value = NOCERTS,
		417	},
		418	{
		419	.name = "nodes",
		420	.desc = "Don't encrypt private keys",
		421	.type = OPTION_ARGV_FUNC,
		422	.opt.argvfunc = pkcs12_opt_enc,
		423	},
		424	{
		425	.name = "noiter",
		426	.desc = "Don't use encryption iteration",
		427	.type = OPTION_VALUE,
		428	.opt.value = &pkcs12_config.iter,
		429	.value = 1,
		430	},
		431	{
		432	.name = "nokeys",
		433	.desc = "Don't output private keys",
		434	.type = OPTION_VALUE_OR,
		435	.opt.value = &pkcs12_config.options,
		436	.value = NOKEYS,
		437	},
		438	{
		439	.name = "nomac",
		440	.desc = "Don't generate MAC",
		441	.type = OPTION_VALUE,
		442	.opt.value = &pkcs12_config.maciter,
		443	.value = -1,
		444	},
		445	{
		446	.name = "nomaciter",
		447	.desc = "Don't use MAC iteration",
		448	.type = OPTION_VALUE,
		449	.opt.value = &pkcs12_config.maciter,
		450	.value = 1,
		451	},
		452	{
		453	.name = "nomacver",
		454	.desc = "Don't verify MAC",
		455	.type = OPTION_VALUE,
		456	.opt.value = &pkcs12_config.macver,
		457	.value = 0,
		458	},
		459	{
		460	.name = "noout",
		461	.desc = "Don't output anything, just verify",
		462	.type = OPTION_VALUE_OR,
		463	.opt.value = &pkcs12_config.options,
		464	.value = (NOKEYS \| NOCERTS),
		465	},
		466	{
		467	.name = "out",
		468	.argname = "file",
		469	.desc = "Output filename",
		470	.type = OPTION_ARG,
		471	.opt.arg = &pkcs12_config.outfile,
		472	},
		473	{
		474	.name = "passin",
		475	.argname = "arg",
		476	.desc = "Input file passphrase source",
		477	.type = OPTION_ARG,
		478	.opt.arg = &pkcs12_config.passargin,
		479	},
		480	{
		481	.name = "passout",
		482	.argname = "arg",
		483	.desc = "Output file passphrase source",
		484	.type = OPTION_ARG,
		485	.opt.arg = &pkcs12_config.passargout,
		486	},
		487	{
		488	.name = "password",
		489	.argname = "arg",
		490	.desc = "Set import/export password source",
		491	.type = OPTION_ARG_FUNC,
		492	.opt.argfunc = pkcs12_opt_passarg,
		493	},
		494	{
		495	.name = "twopass",
		496	.desc = "Separate MAC, encryption passwords",
		497	.type = OPTION_FLAG,
		498	.opt.flag = &pkcs12_config.twopass,
		499	},
		500	{ NULL },
		501	};
		502
		503	static void
		504	pkcs12_usage(void)
		505	{
		506	fprintf(stderr, "usage: pkcs12 [-aes128 \| -aes192 \| -aes256 \|");
		507	fprintf(stderr, " -camellia128 \|\n");
		508	fprintf(stderr, " -camellia192 \| -camellia256 \| -des \| -des3 \|");
		509	fprintf(stderr, " -idea]\n");
		510	fprintf(stderr, " [-cacerts] [-CAfile file] [-caname name]\n");
		511	fprintf(stderr, " [-CApath directory] [-certfile file]");
		512	fprintf(stderr, " [-certpbe alg]\n");
		513	fprintf(stderr, " [-chain] [-clcerts] [-CSP name] [-descert]");
		514	fprintf(stderr, " [-export]\n");
		515	fprintf(stderr, " [-in file] [-info] [-inkey file] [-keyex]");
		516	fprintf(stderr, " [-keypbe alg]\n");
		517	fprintf(stderr, " [-keysig] [-LMK] [-macalg alg] [-maciter]");
		518	fprintf(stderr, " [-name name]\n");
		519	fprintf(stderr, " [-nocerts] [-nodes] [-noiter] [-nokeys]");
		520	fprintf(stderr, " [-nomac]\n");
		521	fprintf(stderr, " [-nomaciter] [-nomacver] [-noout] [-out file]\n");
		522	fprintf(stderr, " [-passin arg] [-passout arg] [-password arg]");
		523	fprintf(stderr, " [-twopass]\n\n");
		524	options_usage(pkcs12_options);
		525	fprintf(stderr, "\n");
		526	}
		527
122	int	528	int
123	pkcs12_main(int argc, char **argv)	529	pkcs12_main(int argc, char **argv)
124	{	530	{
125	BIO in = NULL, out = NULL;	531	BIO in = NULL, out = NULL;
126	char **args;
127	PKCS12 *p12 = NULL;	532	PKCS12 *p12 = NULL;
128	char pass[50], macpass[50];	533	char pass[50], macpass[50];
129	int badarg = 0;
130	int ret = 1;	534	int ret = 1;
131	char cpass = NULL, mpass = NULL;	535	char cpass = NULL, mpass = NULL;
132	char passin = NULL, passout = NULL;	536	char passin = NULL, passout = NULL;
@@ -146,217 +550,8 @@ pkcs12_main(int argc, char **argv)
146	pkcs12_config.maciter = PKCS12_DEFAULT_ITER;	550	pkcs12_config.maciter = PKCS12_DEFAULT_ITER;
147	pkcs12_config.macver = 1;	551	pkcs12_config.macver = 1;
148		552
149	args = argv + 1;	553	if (options_parse(argc, argv, pkcs12_options, NULL, NULL) != 0) {
150		554	pkcs12_usage();
151	while (*args) {
152	if (*args[0] == '-') {
153	if (!strcmp(*args, "-nokeys"))
154	pkcs12_config.options \|= NOKEYS;
155	else if (!strcmp(*args, "-keyex"))
156	pkcs12_config.keytype = KEY_EX;
157	else if (!strcmp(*args, "-keysig"))
158	pkcs12_config.keytype = KEY_SIG;
159	else if (!strcmp(*args, "-nocerts"))
160	pkcs12_config.options \|= NOCERTS;
161	else if (!strcmp(*args, "-clcerts"))
162	pkcs12_config.options \|= CLCERTS;
163	else if (!strcmp(*args, "-cacerts"))
164	pkcs12_config.options \|= CACERTS;
165	else if (!strcmp(*args, "-noout"))
166	pkcs12_config.options \|= (NOKEYS \| NOCERTS);
167	else if (!strcmp(*args, "-info"))
168	pkcs12_config.options \|= INFO;
169	else if (!strcmp(*args, "-chain"))
170	pkcs12_config.chain = 1;
171	else if (!strcmp(*args, "-twopass"))
172	pkcs12_config.twopass = 1;
173	else if (!strcmp(*args, "-nomacver"))
174	pkcs12_config.macver = 0;
175	else if (!strcmp(*args, "-descert"))
176	pkcs12_config.cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
177	else if (!strcmp(*args, "-export"))
178	pkcs12_config.export_cert = 1;
179	else if (!strcmp(*args, "-des"))
180	pkcs12_config.enc = EVP_des_cbc();
181	else if (!strcmp(*args, "-des3"))
182	pkcs12_config.enc = EVP_des_ede3_cbc();
183	#ifndef OPENSSL_NO_IDEA
184	else if (!strcmp(*args, "-idea"))
185	pkcs12_config.enc = EVP_idea_cbc();
186	#endif
187	#ifndef OPENSSL_NO_AES
188	else if (!strcmp(*args, "-aes128"))
189	pkcs12_config.enc = EVP_aes_128_cbc();
190	else if (!strcmp(*args, "-aes192"))
191	pkcs12_config.enc = EVP_aes_192_cbc();
192	else if (!strcmp(*args, "-aes256"))
193	pkcs12_config.enc = EVP_aes_256_cbc();
194	#endif
195	#ifndef OPENSSL_NO_CAMELLIA
196	else if (!strcmp(*args, "-camellia128"))
197	pkcs12_config.enc = EVP_camellia_128_cbc();
198	else if (!strcmp(*args, "-camellia192"))
199	pkcs12_config.enc = EVP_camellia_192_cbc();
200	else if (!strcmp(*args, "-camellia256"))
201	pkcs12_config.enc = EVP_camellia_256_cbc();
202	#endif
203	else if (!strcmp(*args, "-noiter"))
204	pkcs12_config.iter = 1;
205	else if (!strcmp(*args, "-maciter"))
206	pkcs12_config.maciter = PKCS12_DEFAULT_ITER;
207	else if (!strcmp(*args, "-nomaciter"))
208	pkcs12_config.maciter = 1;
209	else if (!strcmp(*args, "-nomac"))
210	pkcs12_config.maciter = -1;
211	else if (!strcmp(*args, "-macalg"))
212	if (args[1]) {
213	args++;
214	pkcs12_config.macalg = *args;
215	} else
216	badarg = 1;
217	else if (!strcmp(*args, "-nodes"))
218	pkcs12_config.enc = NULL;
219	else if (!strcmp(*args, "-certpbe")) {
220	if (!set_pbe(bio_err, &pkcs12_config.cert_pbe, *++args))
221	badarg = 1;
222	} else if (!strcmp(*args, "-keypbe")) {
223	if (!set_pbe(bio_err, &pkcs12_config.key_pbe, *++args))
224	badarg = 1;
225	} else if (!strcmp(*args, "-inkey")) {
226	if (args[1]) {
227	args++;
228	pkcs12_config.keyname = *args;
229	} else
230	badarg = 1;
231	} else if (!strcmp(*args, "-certfile")) {
232	if (args[1]) {
233	args++;
234	pkcs12_config.certfile = *args;
235	} else
236	badarg = 1;
237	} else if (!strcmp(*args, "-name")) {
238	if (args[1]) {
239	args++;
240	pkcs12_config.name = *args;
241	} else
242	badarg = 1;
243	} else if (!strcmp(*args, "-LMK"))
244	pkcs12_config.add_lmk = 1;
245	else if (!strcmp(*args, "-CSP")) {
246	if (args[1]) {
247	args++;
248	pkcs12_config.csp_name = *args;
249	} else
250	badarg = 1;
251	} else if (!strcmp(*args, "-caname")) {
252	if (args[1]) {
253	args++;
254	if (!pkcs12_config.canames)
255	pkcs12_config.canames = sk_OPENSSL_STRING_new_null();
256	sk_OPENSSL_STRING_push(pkcs12_config.canames, *args);
257	} else
258	badarg = 1;
259	} else if (!strcmp(*args, "-in")) {
260	if (args[1]) {
261	args++;
262	pkcs12_config.infile = *args;
263	} else
264	badarg = 1;
265	} else if (!strcmp(*args, "-out")) {
266	if (args[1]) {
267	args++;
268	pkcs12_config.outfile = *args;
269	} else
270	badarg = 1;
271	} else if (!strcmp(*args, "-passin")) {
272	if (args[1]) {
273	args++;
274	pkcs12_config.passargin = *args;
275	} else
276	badarg = 1;
277	} else if (!strcmp(*args, "-passout")) {
278	if (args[1]) {
279	args++;
280	pkcs12_config.passargout = *args;
281	} else
282	badarg = 1;
283	} else if (!strcmp(*args, "-password")) {
284	if (args[1]) {
285	args++;
286	pkcs12_config.passarg = *args;
287	pkcs12_config.noprompt = 1;
288	} else
289	badarg = 1;
290	} else if (!strcmp(*args, "-CApath")) {
291	if (args[1]) {
292	args++;
293	pkcs12_config.CApath = *args;
294	} else
295	badarg = 1;
296	} else if (!strcmp(*args, "-CAfile")) {
297	if (args[1]) {
298	args++;
299	pkcs12_config.CAfile = *args;
300	} else
301	badarg = 1;
302	} else
303	badarg = 1;
304
305	} else
306	badarg = 1;
307	args++;
308	}
309
310	if (badarg) {
311	BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
312	BIO_printf(bio_err, "where options are\n");
313	BIO_printf(bio_err, "-export output PKCS12 file\n");
314	BIO_printf(bio_err, "-chain add certificate chain\n");
315	BIO_printf(bio_err, "-inkey file private key if not infile\n");
316	BIO_printf(bio_err, "-certfile f add all certs in f\n");
317	BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n");
318	BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n");
319	BIO_printf(bio_err, "-name \"name\" use name as friendly name\n");
320	BIO_printf(bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
321	BIO_printf(bio_err, "-in infile input filename\n");
322	BIO_printf(bio_err, "-out outfile output filename\n");
323	BIO_printf(bio_err, "-noout don't output anything, just verify.\n");
324	BIO_printf(bio_err, "-nomacver don't verify MAC.\n");
325	BIO_printf(bio_err, "-nocerts don't output certificates.\n");
326	BIO_printf(bio_err, "-clcerts only output client certificates.\n");
327	BIO_printf(bio_err, "-cacerts only output CA certificates.\n");
328	BIO_printf(bio_err, "-nokeys don't output private keys.\n");
329	BIO_printf(bio_err, "-info give info about PKCS#12 structure.\n");
330	BIO_printf(bio_err, "-des encrypt private keys with DES\n");
331	BIO_printf(bio_err, "-des3 encrypt private keys with triple DES (default)\n");
332	#ifndef OPENSSL_NO_IDEA
333	BIO_printf(bio_err, "-idea encrypt private keys with idea\n");
334	#endif
335	#ifndef OPENSSL_NO_AES
336	BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
337	BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
338	#endif
339	#ifndef OPENSSL_NO_CAMELLIA
340	BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
341	BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
342	#endif
343	BIO_printf(bio_err, "-nodes don't encrypt private keys\n");
344	BIO_printf(bio_err, "-noiter don't use encryption iteration\n");
345	BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n");
346	BIO_printf(bio_err, "-maciter use MAC iteration\n");
347	BIO_printf(bio_err, "-nomac don't generate MAC\n");
348	BIO_printf(bio_err, "-twopass separate MAC, encryption passwords\n");
349	BIO_printf(bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
350	BIO_printf(bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
351	BIO_printf(bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
352	BIO_printf(bio_err, "-macalg alg digest algorithm used in MAC (default SHA1)\n");
353	BIO_printf(bio_err, "-keyex set MS key exchange type\n");
354	BIO_printf(bio_err, "-keysig set MS key signature type\n");
355	BIO_printf(bio_err, "-password p set import/export password source\n");
356	BIO_printf(bio_err, "-passin p input file pass phrase source\n");
357	BIO_printf(bio_err, "-passout p output file pass phrase source\n");
358	BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
359	BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n");
360	goto end;	555	goto end;
361	}	556	}
362		557