From 9cb7daa54708dcf5e6500cd20ec7b1cc2f6f6350 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 10 Jun 2019 10:15:42 -0400
Subject: [PATCH 6/6] Allow specifying keyfile password by file

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
 src/sscg.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/src/sscg.c b/src/sscg.c
index 9dc926c77038105ca881a612cccd1913bc2d42f1..a02e4df66c6cf9ec1865f425b4a15da82fbfdc72 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -34,6 +34,10 @@
 #include "include/authority.h"
 #include "include/service.h"
 
+
+/* Same as OpenSSL CLI */
+#define MAX_PW_LEN 1024
+
 static int
 get_security_level (void)
 {
@@ -209,6 +213,44 @@ sscg_options_destructor (TALLOC_CTX *opts)
 }
 
 
+static char *
+sscg_read_pw_file (TALLOC_CTX *mem_ctx, char *path)
+{
+  int i;
+  BIO *pwdbio = NULL;
+  char tpass[MAX_PW_LEN];
+  char *tmp = NULL;
+  char *password = NULL;
+
+  pwdbio = BIO_new_file (path, "r");
+  if (pwdbio == NULL)
+    {
+      fprintf (stderr, "Can't open file %s\n", path);
+      return NULL;
+    }
+
+  i = BIO_gets (pwdbio, tpass, MAX_PW_LEN);
+  BIO_free_all (pwdbio);
+  pwdbio = NULL;
+
+  if (i <= 0)
+    {
+      fprintf (stderr, "Error reading password from BIO\n");
+      return NULL;
+    }
+
+  tmp = strchr (tpass, '\n');
+  if (tmp != NULL)
+    *tmp = 0;
+
+  password = talloc_strdup (mem_ctx, tpass);
+
+  memset (tpass, 0, MAX_PW_LEN);
+
+  return password;
+}
+
+
 int
 main (int argc, const char **argv)
 {
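Review bot: The `memset (tpass, 0, MAX_PW_LEN)` just before `return password` is a dead store on a local that is never read again, so the compiler may drop it and the passphrase can stay on the stack; OpenSSL is already linked here (BIO_* is used), so write `OPENSSL_cleanse (tpass, sizeof tpass);` instead, and also clear `tpass` on the early return after `BIO_gets` fails in case it was partially filled. The copy handed back is made with plain `talloc_strdup`, whereas the prompt-supplied passphrase in a later hunk goes through `sscg_secure_string_steal`; if that helper gives zeroise-on-free semantics (cannot be confirmed from this patch), the file-read passphrase should be routed through the same mechanism so both values have the same lifetime guarantees. `BIO_gets` stores at most `MAX_PW_LEN - 1` bytes, so a longer first line is silently truncated rather than rejected; either document that on the define, `/* Same as OpenSSL CLI; longer lines are truncated to MAX_PW_LEN-1 bytes */`, or treat a missing `'\n'` on a full buffer as an error. `path` is only read, so the parameter can be `const char *path`.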
@@ -236,10 +278,12 @@ main (int argc, const char **argv)
   int ca_mode = 0644;
   int ca_key_mode = 0600;
   char *ca_key_password = NULL;
+  char *ca_key_passfile = NULL;
 
   int cert_mode = 0644;
   int cert_key_mode = 0600;
   char *cert_key_password = NULL;
+  char *cert_key_passfile = NULL;
 
   char *create_mode = NULL;
 
@@ -470,6 +514,16 @@ main (int argc, const char **argv)
       NULL
     },
 
+    {
+      "ca-key-passfile",
+      '\0',
+      POPT_ARG_STRING,
+      &ca_key_passfile,
+      0,
+      _ ("A file containing the password to encrypt the CA key file."),
+      NULL
+    },
+
     {
       "ca-key-password-prompt",
       'C',
@@ -531,6 +585,16 @@ main (int argc, const char **argv)
       NULL
     },
 
+    {
+      "cert-key-passfile",
+      '\0',
+      POPT_ARG_STRING,
+      &cert_key_passfile,
+      0,
+      _ ("A file containing the password to encrypt the service key file."),
+      NULL
+    },
+
     {
       "cert-key-password-prompt",
       'P',
@@ -697,12 +761,32 @@ main (int argc, const char **argv)
       options->ca_key_pass =
         sscg_secure_string_steal (options, ca_key_password);
     }
+  else if (ca_key_passfile)
+    {
+      options->ca_key_pass = sscg_read_pw_file (options, ca_key_passfile);
+      if (!options->ca_key_pass)
+        {
+          fprintf (
+            stderr, "Failed to read passphrase from %s", ca_key_passfile);
+          goto done;
+        }
+    }
 
   if (cert_key_password)
     {
       options->cert_key_pass =
         sscg_secure_string_steal (options, cert_key_password);
     }
+  else if (cert_key_passfile)
+    {
+      options->cert_key_pass = sscg_read_pw_file (options, cert_key_passfile);
+      if (!options->cert_key_pass)
+        {
+          fprintf (
+            stderr, "Failed to read passphrase from %s", cert_key_passfile);
+          goto done;
+        }
+    }
 
 
   if (options->key_strength < options->minimum_key_strength)
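Review bot: Both new error messages, `"Failed to read passphrase from %s"` in the ca_key_passfile and cert_key_passfile branches, lack a trailing newline unlike the other stderr messages in this patch, so the next line of output runs onto the same line; change them to `"Failed to read passphrase from %s\n"`. `sscg_read_pw_file` already prints its own diagnostic for every failure, so the user currently sees two messages for one error and one of them can go. The `goto done` in each branch assumes the function's return value already holds a failure code at that point; that setup is outside the hunk (main's body begins and ends outside it) and should be confirmed. Because of the `else if`, `--ca-key-passfile` and `--cert-key-passfile` are silently ignored when the corresponding password option is also given; a sentence in the option help text, or an error when both are supplied, would make that precedence explicit.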
-- 
2.23.0