1 files changed, 166 insertions, 0 deletions
diff --git a/scripts/extract-cert.c b/scripts/extract-cert.c
new file mode 100644
index 000000000000..10d23ca9f617
--- /dev/null
+++ b/scripts/extract-cert.c
@@ -0,0 +1,166 @@
+/* Extract X.509 certificate in DER form from PKCS#11 or PEM.
+ *
+ * Copyright © 2014 Red Hat, Inc. All Rights Reserved.
+ * Copyright © 2015 Intel Corporation.
+ *
+ * Authors: David Howells <dhowells@redhat.com>
+ *          David Woodhouse <dwmw2@infradead.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <getopt.h>
+#include <err.h>
+#include <arpa/inet.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#define PKEY_ID_PKCS7 2
+static __attribute__((noreturn))
+void format(void)
+{
+        fprintf(stderr,
+                "Usage: scripts/extract-cert <source> <dest>\n");
+        exit(2);
+}
+static void display_openssl_errors(int l)
+{
+        const char *file;
+        char buf[120];
+        int e, line;
+        if (ERR_peek_error() == 0)
+                return;
+        fprintf(stderr, "At main.c:%d:\n", l);
+        while ((e = ERR_get_error_line(&file, &line))) {
+                ERR_error_string(e, buf);
+                fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+        }
+}
+static void drain_openssl_errors(void)
+{
+        const char *file;
+        int line;
+        if (ERR_peek_error() == 0)
+                return;
+        while (ERR_get_error_line(&file, &line)) {}
+}
+#define ERR(cond, fmt, ...)                             \
+        do {                                            \
+                bool __cond = (cond);                   \
+                display_openssl_errors(__LINE__);       \
+                if (__cond) {                           \
+                        err(1, fmt, ## __VA_ARGS__);    \
+                }                                       \
+        } while(0)
+static const char *key_pass;
+static BIO *wb;
+static char *cert_dst;
+int kbuild_verbose;
+static void write_cert(X509 *x509)
+{
+        char buf[200];
+        if (!wb) {
+                wb = BIO_new_file(cert_dst, "wb");
+                ERR(!wb, "%s", cert_dst);
+        }
+        X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
+        ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst);
+        if (kbuild_verbose)
+                fprintf(stderr, "Extracted cert: %s\n", buf);
+}
+int main(int argc, char **argv)
+{
+        char *cert_src;
+        OpenSSL_add_all_algorithms();
+        ERR_load_crypto_strings();
+        ERR_clear_error();
+        kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
+        key_pass = getenv("KBUILD_SIGN_PIN");
+        if (argc != 3)
+                format();
+        cert_src = argv[1];
+        cert_dst = argv[2];
+        if (!cert_src[0]) {
+                /* Invoked with no input; create empty file */
+                FILE *f = fopen(cert_dst, "wb");
+                ERR(!f, "%s", cert_dst);
+                fclose(f);
+                exit(0);
+        } else if (!strncmp(cert_src, "pkcs11:", 7)) {
+                ENGINE *e;
+                struct {
+                        const char *cert_id;
+                        X509 *cert;
+                } parms;
+                parms.cert_id = cert_src;
+                parms.cert = NULL;
+                ENGINE_load_builtin_engines();
+                drain_openssl_errors();
+                e = ENGINE_by_id("pkcs11");
+                ERR(!e, "Load PKCS#11 ENGINE");
+                if (ENGINE_init(e))
+                        drain_openssl_errors();
+                else
+                        ERR(1, "ENGINE_init");
+                if (key_pass)
+                        ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+                ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+                ERR(!parms.cert, "Get X.509 from PKCS#11");
+                write_cert(parms.cert);
+        } else {
+                BIO *b;
+                X509 *x509;
+                b = BIO_new_file(cert_src, "rb");
+                ERR(!b, "%s", cert_src);
+                while (1) {
+                        x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
+                        if (wb && !x509) {
+                                unsigned long err = ERR_peek_last_error();
+                                if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
+                                    ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
+                                        ERR_clear_error();
+                                        break;
+                                }
+                        }
+                        ERR(!x509, "%s", cert_src);
+                        write_cert(x509);
+                }
+        }
+        BIO_free(wb);
+        return 0;
+}

diff --git a/scripts/extract-cert.c b/scripts/extract-cert.c new file mode 100644 index 000000000000..10d23ca9f617 --- /dev/null +++ b/scripts/extract-cert.c
@@ -0,0 +1,166 @@
	1	/* Extract X.509 certificate in DER form from PKCS#11 or PEM.
	2	*
	3	* Copyright © 2014 Red Hat, Inc. All Rights Reserved.
	4	* Copyright © 2015 Intel Corporation.
	5	*
	6	* Authors: David Howells <dhowells@redhat.com>
	7	* David Woodhouse <dwmw2@infradead.org>
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public Licence
	11	* as published by the Free Software Foundation; either version
	12	* 2 of the Licence, or (at your option) any later version.
	13	*/
	14	#define _GNU_SOURCE
	15	#include <stdio.h>
	16	#include <stdlib.h>
	17	#include <stdint.h>
	18	#include <stdbool.h>
	19	#include <string.h>
	20	#include <getopt.h>
	21	#include <err.h>
	22	#include <arpa/inet.h>
	23	#include <openssl/bio.h>
	24	#include <openssl/evp.h>
	25	#include <openssl/pem.h>
	26	#include <openssl/pkcs7.h>
	27	#include <openssl/err.h>
	28	#include <openssl/engine.h>
	29
	30	#define PKEY_ID_PKCS7 2
	31
	32	static __attribute__((noreturn))
	33	void format(void)
	34	{
	35	fprintf(stderr,
	36	"Usage: scripts/extract-cert <source> <dest>\n");
	37	exit(2);
	38	}
	39
	40	static void display_openssl_errors(int l)
	41	{
	42	const char *file;
	43	char buf[120];
	44	int e, line;
	45
	46	if (ERR_peek_error() == 0)
	47	return;
	48	fprintf(stderr, "At main.c:%d:\n", l);
	49
	50	while ((e = ERR_get_error_line(&file, &line))) {
	51	ERR_error_string(e, buf);
	52	fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
	53	}
	54	}
	55
	56	static void drain_openssl_errors(void)
	57	{
	58	const char *file;
	59	int line;
	60
	61	if (ERR_peek_error() == 0)
	62	return;
	63	while (ERR_get_error_line(&file, &line)) {}
	64	}
	65
	66	#define ERR(cond, fmt, ...) \
	67	do { \
	68	bool __cond = (cond); \
	69	display_openssl_errors(__LINE__); \
	70	if (__cond) { \
	71	err(1, fmt, ## __VA_ARGS__); \
	72	} \
	73	} while(0)
	74
	75	static const char *key_pass;
	76	static BIO *wb;
	77	static char *cert_dst;
	78	int kbuild_verbose;
	79
	80	static void write_cert(X509 *x509)
	81	{
	82	char buf[200];
	83
	84	if (!wb) {
	85	wb = BIO_new_file(cert_dst, "wb");
	86	ERR(!wb, "%s", cert_dst);
	87	}
	88	X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
	89	ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst);
	90	if (kbuild_verbose)
	91	fprintf(stderr, "Extracted cert: %s\n", buf);
	92	}
	93
	94	int main(int argc, char **argv)
	95	{
	96	char *cert_src;
	97
	98	OpenSSL_add_all_algorithms();
	99	ERR_load_crypto_strings();
	100	ERR_clear_error();
	101
	102	kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
	103
	104	key_pass = getenv("KBUILD_SIGN_PIN");
	105
	106	if (argc != 3)
	107	format();
	108
	109	cert_src = argv[1];
	110	cert_dst = argv[2];
	111
	112	if (!cert_src[0]) {
	113	/* Invoked with no input; create empty file */
	114	FILE *f = fopen(cert_dst, "wb");
	115	ERR(!f, "%s", cert_dst);
	116	fclose(f);
	117	exit(0);
	118	} else if (!strncmp(cert_src, "pkcs11:", 7)) {
	119	ENGINE *e;
	120	struct {
	121	const char *cert_id;
	122	X509 *cert;
	123	} parms;
	124
	125	parms.cert_id = cert_src;
	126	parms.cert = NULL;
	127
	128	ENGINE_load_builtin_engines();
	129	drain_openssl_errors();
	130	e = ENGINE_by_id("pkcs11");
	131	ERR(!e, "Load PKCS#11 ENGINE");
	132	if (ENGINE_init(e))
	133	drain_openssl_errors();
	134	else
	135	ERR(1, "ENGINE_init");
	136	if (key_pass)
	137	ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
	138	ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
	139	ERR(!parms.cert, "Get X.509 from PKCS#11");
	140	write_cert(parms.cert);
	141	} else {
	142	BIO *b;
	143	X509 *x509;
	144
	145	b = BIO_new_file(cert_src, "rb");
	146	ERR(!b, "%s", cert_src);
	147
	148	while (1) {
	149	x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
	150	if (wb && !x509) {
	151	unsigned long err = ERR_peek_last_error();
	152	if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
	153	ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
	154	ERR_clear_error();
	155	break;
	156	}
	157	}
	158	ERR(!x509, "%s", cert_src);
	159	write_cert(x509);
	160	}
	161	}
	162
	163	BIO_free(wb);
	164
	165	return 0;
	166	}