sscg/0006-Allow-specifying-keyfile-password-by-file.patch

154 lines
3.5 KiB
Diff

From bfb35ad835e6fcbe97c2d70b3ca8f724b4dc2a5f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 10 Jun 2019 10:15:42 -0400
Subject: [PATCH 06/11] Allow specifying keyfile password by file
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/sscg.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/src/sscg.c b/src/sscg.c
index 9dc926c77038105ca881a612cccd1913bc2d42f1..a02e4df66c6cf9ec1865f425b4a15da82fbfdc72 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -34,6 +34,10 @@
#include "include/authority.h"
#include "include/service.h"
+
+/* Same as OpenSSL CLI */
+#define MAX_PW_LEN 1024
+
static int
get_security_level (void)
{
@@ -209,6 +213,44 @@ sscg_options_destructor (TALLOC_CTX *opts)
}
+static char *
+sscg_read_pw_file (TALLOC_CTX *mem_ctx, char *path)
+{
+ int i;
+ BIO *pwdbio = NULL;
+ char tpass[MAX_PW_LEN];
+ char *tmp = NULL;
+ char *password = NULL;
+
+ pwdbio = BIO_new_file (path, "r");
+ if (pwdbio == NULL)
+ {
+ fprintf (stderr, "Can't open file %s\n", path);
+ return NULL;
+ }
+
+ i = BIO_gets (pwdbio, tpass, MAX_PW_LEN);
+ BIO_free_all (pwdbio);
+ pwdbio = NULL;
+
+ if (i <= 0)
+ {
+ fprintf (stderr, "Error reading password from BIO\n");
+ return NULL;
+ }
+
+ tmp = strchr (tpass, '\n');
+ if (tmp != NULL)
+ *tmp = 0;
+
+ password = talloc_strdup (mem_ctx, tpass);
+
+ memset (tpass, 0, MAX_PW_LEN);
+
+ return password;
+}
+
+
int
main (int argc, const char **argv)
{
@@ -236,10 +278,12 @@ main (int argc, const char **argv)
int ca_mode = 0644;
int ca_key_mode = 0600;
char *ca_key_password = NULL;
+ char *ca_key_passfile = NULL;
int cert_mode = 0644;
int cert_key_mode = 0600;
char *cert_key_password = NULL;
+ char *cert_key_passfile = NULL;
char *create_mode = NULL;
@@ -470,6 +514,16 @@ main (int argc, const char **argv)
NULL
},
+ {
+ "ca-key-passfile",
+ '\0',
+ POPT_ARG_STRING,
+ &ca_key_passfile,
+ 0,
+ _ ("A file containing the password to encrypt the CA key file."),
+ NULL
+ },
+
{
"ca-key-password-prompt",
'C',
@@ -531,6 +585,16 @@ main (int argc, const char **argv)
NULL
},
+ {
+ "cert-key-passfile",
+ '\0',
+ POPT_ARG_STRING,
+ &cert_key_passfile,
+ 0,
+ _ ("A file containing the password to encrypt the service key file."),
+ NULL
+ },
+
{
"cert-key-password-prompt",
'P',
@@ -697,12 +761,32 @@ main (int argc, const char **argv)
options->ca_key_pass =
sscg_secure_string_steal (options, ca_key_password);
}
+ else if (ca_key_passfile)
+ {
+ options->ca_key_pass = sscg_read_pw_file (options, ca_key_passfile);
+ if (!options->ca_key_pass)
+ {
+ fprintf (
+ stderr, "Failed to read passphrase from %s", ca_key_passfile);
+ goto done;
+ }
+ }
if (cert_key_password)
{
options->cert_key_pass =
sscg_secure_string_steal (options, cert_key_password);
}
+ else if (cert_key_passfile)
+ {
+ options->cert_key_pass = sscg_read_pw_file (options, cert_key_passfile);
+ if (!options->cert_key_pass)
+ {
+ fprintf (
+ stderr, "Failed to read passphrase from %s", cert_key_passfile);
+ goto done;
+ }
+ }
if (options->key_strength < options->minimum_key_strength)
--
2.35.1