2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 /* Necessary for legacy RSA public key export */
11 #define OPENSSL_SUPPRESS_DEPRECATED
13 #include <openssl/opensslconf.h>
21 #include <openssl/bio.h>
22 #include <openssl/err.h>
23 #include <openssl/rsa.h>
24 #include <openssl/evp.h>
25 #include <openssl/x509.h>
26 #include <openssl/pem.h>
27 #include <openssl/bn.h>
28 #include <openssl/encoder.h>
31 * This include is to get OSSL_KEYMGMT_SELECT_*, which feels a bit
32 * much just for those macros... they might serve better as EVP macros.
34 #include <openssl/core_dispatch.h>
36 #ifndef OPENSSL_NO_RC4
37 # define DEFAULT_PVK_ENCR_STRENGTH 2
39 # define DEFAULT_PVK_ENCR_STRENGTH 0
42 typedef enum OPTION_choice
{
44 OPT_INFORM
, OPT_OUTFORM
, OPT_ENGINE
, OPT_IN
, OPT_OUT
,
45 OPT_PUBIN
, OPT_PUBOUT
, OPT_PASSOUT
, OPT_PASSIN
,
46 OPT_RSAPUBKEY_IN
, OPT_RSAPUBKEY_OUT
,
47 /* Do not change the order here; see case statements below */
48 OPT_PVK_NONE
, OPT_PVK_WEAK
, OPT_PVK_STRONG
,
49 OPT_NOOUT
, OPT_TEXT
, OPT_MODULUS
, OPT_CHECK
, OPT_CIPHER
,
50 OPT_PROV_ENUM
, OPT_TRADITIONAL
53 const OPTIONS rsa_options
[] = {
54 OPT_SECTION("General"),
55 {"help", OPT_HELP
, '-', "Display this summary"},
56 {"check", OPT_CHECK
, '-', "Verify key consistency"},
57 {"", OPT_CIPHER
, '-', "Any supported cipher"},
58 #ifndef OPENSSL_NO_ENGINE
59 {"engine", OPT_ENGINE
, 's', "Use engine, possibly a hardware device"},
63 {"in", OPT_IN
, 's', "Input file"},
64 {"inform", OPT_INFORM
, 'f', "Input format (DER/PEM/P12/ENGINE)"},
65 {"pubin", OPT_PUBIN
, '-', "Expect a public key in input file"},
66 {"RSAPublicKey_in", OPT_RSAPUBKEY_IN
, '-', "Input is an RSAPublicKey"},
67 {"passin", OPT_PASSIN
, 's', "Input file pass phrase source"},
69 OPT_SECTION("Output"),
70 {"out", OPT_OUT
, '>', "Output file"},
71 {"outform", OPT_OUTFORM
, 'f', "Output format, one of DER PEM PVK"},
72 {"pubout", OPT_PUBOUT
, '-', "Output a public key"},
73 {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT
, '-', "Output is an RSAPublicKey"},
74 {"passout", OPT_PASSOUT
, 's', "Output file pass phrase source"},
75 {"noout", OPT_NOOUT
, '-', "Don't print key out"},
76 {"text", OPT_TEXT
, '-', "Print the key in text"},
77 {"modulus", OPT_MODULUS
, '-', "Print the RSA key modulus"},
78 {"traditional", OPT_TRADITIONAL
, '-',
79 "Use traditional format for private keys"},
81 #ifndef OPENSSL_NO_RC4
83 {"pvk-strong", OPT_PVK_STRONG
, '-', "Enable 'Strong' PVK encoding level (default)"},
84 {"pvk-weak", OPT_PVK_WEAK
, '-', "Enable 'Weak' PVK encoding level"},
85 {"pvk-none", OPT_PVK_NONE
, '-', "Don't enforce PVK encoding"},
92 static int try_legacy_encoding(EVP_PKEY
*pkey
, int outformat
, int pubout
,
96 #ifndef OPENSSL_NO_DEPRECATED_3_0
97 const RSA
*rsa
= EVP_PKEY_get0_RSA(pkey
);
102 if (outformat
== FORMAT_ASN1
) {
104 ret
= i2d_RSAPublicKey_bio(out
, rsa
) > 0;
106 ret
= i2d_RSA_PUBKEY_bio(out
, rsa
) > 0;
107 } else if (outformat
== FORMAT_PEM
) {
109 ret
= PEM_write_bio_RSAPublicKey(out
, rsa
) > 0;
111 ret
= PEM_write_bio_RSA_PUBKEY(out
, rsa
) > 0;
112 # ifndef OPENSSL_NO_DSA
113 } else if (outformat
== FORMAT_MSBLOB
|| outformat
== FORMAT_PVK
) {
114 ret
= i2b_PublicKey_bio(out
, pkey
) > 0;
122 int rsa_main(int argc
, char **argv
)
126 EVP_PKEY
*pkey
= NULL
;
128 EVP_CIPHER
*enc
= NULL
;
129 char *infile
= NULL
, *outfile
= NULL
, *ciphername
= NULL
, *prog
;
130 char *passin
= NULL
, *passout
= NULL
, *passinarg
= NULL
, *passoutarg
= NULL
;
132 int informat
= FORMAT_UNDEF
, outformat
= FORMAT_PEM
, text
= 0, check
= 0;
133 int noout
= 0, modulus
= 0, pubin
= 0, pubout
= 0, ret
= 1;
134 int pvk_encr
= DEFAULT_PVK_ENCR_STRENGTH
;
137 const char *output_type
= NULL
;
138 const char *output_structure
= NULL
;
140 OSSL_ENCODER_CTX
*ectx
= NULL
;
142 opt_set_unknown_name("cipher");
143 prog
= opt_init(argc
, argv
, rsa_options
);
144 while ((o
= opt_next()) != OPT_EOF
) {
149 BIO_printf(bio_err
, "%s: Use -help for summary.\n", prog
);
152 opt_help(rsa_options
);
156 if (!opt_format(opt_arg(), OPT_FMT_ANY
, &informat
))
163 if (!opt_format(opt_arg(), OPT_FMT_ANY
, &outformat
))
170 passinarg
= opt_arg();
173 passoutarg
= opt_arg();
176 e
= setup_engine(opt_arg(), 0);
184 case OPT_RSAPUBKEY_IN
:
187 case OPT_RSAPUBKEY_OUT
:
190 case OPT_PVK_STRONG
: /* pvk_encr:= 2 */
191 case OPT_PVK_WEAK
: /* pvk_encr:= 1 */
192 case OPT_PVK_NONE
: /* pvk_encr:= 0 */
193 pvk_encr
= (o
- OPT_PVK_NONE
);
208 ciphername
= opt_unknown();
211 if (!opt_provider(o
))
214 case OPT_TRADITIONAL
:
220 /* No extra arguments. */
221 if (!opt_check_rest_arg(NULL
))
224 if (!opt_cipher(ciphername
, &enc
))
226 private = (text
&& !pubin
) || (!pubout
&& !noout
);
228 if (!app_passwd(passinarg
, passoutarg
, &passin
, &passout
)) {
229 BIO_printf(bio_err
, "Error getting passwords\n");
232 if (check
&& pubin
) {
233 BIO_printf(bio_err
, "Only private keys can be checked\n");
238 int tmpformat
= FORMAT_UNDEF
;
241 if (informat
== FORMAT_PEM
)
242 tmpformat
= FORMAT_PEMRSA
;
243 else if (informat
== FORMAT_ASN1
)
244 tmpformat
= FORMAT_ASN1RSA
;
246 tmpformat
= informat
;
249 pkey
= load_pubkey(infile
, tmpformat
, 1, passin
, e
, "public key");
251 pkey
= load_key(infile
, informat
, 1, passin
, e
, "private key");
255 ERR_print_errors(bio_err
);
258 if (!EVP_PKEY_is_a(pkey
, "RSA") && !EVP_PKEY_is_a(pkey
, "RSA-PSS")) {
259 BIO_printf(bio_err
, "Not an RSA key\n");
263 out
= bio_open_owner(outfile
, outformat
, private);
268 assert(pubin
|| private);
269 if ((pubin
&& EVP_PKEY_print_public(out
, pkey
, 0, NULL
) <= 0)
270 || (!pubin
&& EVP_PKEY_print_private(out
, pkey
, 0, NULL
) <= 0)) {
272 ERR_print_errors(bio_err
);
280 /* Every RSA key has an 'n' */
281 EVP_PKEY_get_bn_param(pkey
, "n", &n
);
282 BIO_printf(out
, "Modulus=");
284 BIO_printf(out
, "\n");
291 pctx
= EVP_PKEY_CTX_new_from_pkey(NULL
, pkey
, NULL
);
293 BIO_printf(bio_err
, "RSA unable to create PKEY context\n");
294 ERR_print_errors(bio_err
);
297 r
= EVP_PKEY_check(pctx
);
298 EVP_PKEY_CTX_free(pctx
);
301 BIO_printf(out
, "RSA key ok\n");
303 BIO_printf(bio_err
, "RSA key not ok\n");
304 ERR_print_errors(bio_err
);
306 ERR_print_errors(bio_err
);
315 BIO_printf(bio_err
, "writing RSA key\n");
317 /* Choose output type for the format */
318 if (outformat
== FORMAT_ASN1
) {
320 } else if (outformat
== FORMAT_PEM
) {
322 } else if (outformat
== FORMAT_MSBLOB
) {
323 output_type
= "MSBLOB";
324 } else if (outformat
== FORMAT_PVK
) {
326 BIO_printf(bio_err
, "PVK form impossible with public key input\n");
331 BIO_printf(bio_err
, "bad output format specified for outfile\n");
335 /* Select what you want in the output */
336 if (pubout
|| pubin
) {
337 selection
= OSSL_KEYMGMT_SELECT_PUBLIC_KEY
;
340 selection
= (OSSL_KEYMGMT_SELECT_KEYPAIR
341 | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS
);
344 /* For DER based output, select the desired output structure */
345 if (outformat
== FORMAT_ASN1
|| outformat
== FORMAT_PEM
) {
346 if (pubout
|| pubin
) {
348 output_structure
= "pkcs1"; /* "type-specific" would work too */
350 output_structure
= "SubjectPublicKeyInfo";
354 output_structure
= "pkcs1"; /* "type-specific" would work too */
356 output_structure
= "PrivateKeyInfo";
360 /* Now, perform the encoding */
361 ectx
= OSSL_ENCODER_CTX_new_for_pkey(pkey
, selection
,
362 output_type
, output_structure
,
364 if (OSSL_ENCODER_CTX_get_num_encoders(ectx
) == 0) {
365 if ((!pubout
&& !pubin
)
366 || !try_legacy_encoding(pkey
, outformat
, pubout
, out
))
367 BIO_printf(bio_err
, "%s format not supported\n", output_type
);
373 /* Passphrase setup */
375 OSSL_ENCODER_CTX_set_cipher(ectx
, EVP_CIPHER_get0_name(enc
), NULL
);
377 /* Default passphrase prompter */
378 if (enc
!= NULL
|| outformat
== FORMAT_PVK
) {
379 OSSL_ENCODER_CTX_set_passphrase_ui(ectx
, get_ui_method(), NULL
);
381 /* When passout given, override the passphrase prompter */
382 OSSL_ENCODER_CTX_set_passphrase(ectx
,
383 (const unsigned char *)passout
,
387 /* PVK is a bit special... */
388 if (outformat
== FORMAT_PVK
) {
389 OSSL_PARAM params
[2] = { OSSL_PARAM_END
, OSSL_PARAM_END
};
391 params
[0] = OSSL_PARAM_construct_int("encrypt-level", &pvk_encr
);
392 if (!OSSL_ENCODER_CTX_set_params(ectx
, params
)) {
393 BIO_printf(bio_err
, "invalid PVK encryption level\n");
398 if (!OSSL_ENCODER_to_bio(ectx
, out
)) {
399 BIO_printf(bio_err
, "unable to write key\n");
400 ERR_print_errors(bio_err
);
405 OSSL_ENCODER_CTX_free(ectx
);
409 EVP_CIPHER_free(enc
);
410 OPENSSL_free(passin
);
411 OPENSSL_free(passout
);