Diffstat (limited to 'src')
-rw-r--r-- | src/certtool-args.def | 2 | ||||
-rw-r--r-- | src/certtool-common.c | 13 | ||||
-rw-r--r-- | src/certtool-common.h | 9 | ||||
-rw-r--r-- | src/certtool.c | 14 |
4 files changed, 23 insertions, 15 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index bc1bf5f5da..13162dfb0b 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -217,6 +217,8 @@ flag = {
 flag = {
 name = pkcs8;
 value = 8;
+ enabled;
+ disable = "no";
 descrip = "Use PKCS #8 format for private keys";
 doc = "";
 };
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 4d876976dc..a7f55ace28 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -322,7 +322,7 @@ load_x509_private_key(int mand, common_info_st * info)
 app_exit(1);
 }
- if (info->pkcs8) {
+ if (info->ask_pass) {
 pass = get_password(info, &flags, 0);
 ret = gnutls_x509_privkey_import_pkcs8(key, &dat,
@@ -1291,7 +1291,7 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
 switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
- if (!cinfo->pkcs8) {
+ if (cinfo->no_pkcs8) {
 size = lbuffer_size;
 ret = gnutls_x509_privkey_export(key, cinfo->outcert_format,
@@ -1305,8 +1305,13 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
 unsigned int flags = 0;
 const char *pass;
- pass = get_password(cinfo, &flags, 0);
- flags |= cipher_to_flags(cinfo->pkcs_cipher);
+ if (cinfo->ask_pass) {
+ pass = get_password(cinfo, &flags, 0);
+ flags |= cipher_to_flags(cinfo->pkcs_cipher);
+ } else {
+ pass = NULL;
+ flags |= GNUTLS_PKCS_PLAIN;
+ }
 size = lbuffer_size;
 ret =
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 3973f1a28a..6092cc6c43 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -38,10 +38,10 @@ typedef struct common_info {
 const char *secret_key;
 const char *privkey;
 const char *pubkey;
- int pkcs8;
 int incert_format;
 int outcert_format;
 const char *cert;
+ int no_pkcs8;
 const char *request;
 const char *crl;
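Review bot: `descrip = "Use PKCS #8 format for private keys"` no longer describes the option, because with `enabled;` and `disable = "no";` PKCS #8 is now the default and, per the new cmd_parser lines in src/certtool.c, an explicit `--pkcs8` additionally selects the password path (`cinfo.ask_pass`). Suggest `descrip = "Use PKCS #8 format for private keys (default)";` plus a `doc` sentence stating that `--no-pkcs8` selects the legacy format and that giving `--pkcs8` explicitly also enables password handling for the exported key. The `doc` string stays empty, so the help output does not say what `--no-pkcs8` produces.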
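Review bot: The new `else` branch in print_private_key (`pass = NULL; flags |= GNUTLS_PKCS_PLAIN;`) writes the key unencrypted whenever `--pkcs8` was not given explicitly and never consults `cinfo->password`; since the option is now enabled by default, `--generate-privkey --password ...` without `--pkcs8` no longer reaches the `cinfo.no_pkcs8` check added in cmd_parser (src/certtool.c, last file) and silently emits a plaintext PKCS #8 key, where the removed code forced `pkcs8 = 1` and encrypted it. The branch should also take the password path when a password was supplied, e.g. `if (cinfo->ask_pass || cinfo->password != NULL) {`, or cmd_parser should reject `--password` whenever `ask_pass` is unset; how get_password treats the `null_password`/`empty_password` fields is outside this hunk, so the exact condition needs checking against it. print_private_key's body begins and ends outside the hunk.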
@@ -51,6 +51,7 @@ typedef struct common_info {
 unsigned bits;
 const char *sec_param;
 const char *pkcs_cipher;
+ int ask_pass;
 const char *password;
 int null_password;
 int empty_password;
@@ -83,14 +84,14 @@ typedef struct common_info {
 static inline
 void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t key, unsigned key_type) {
- if (cinfo->pkcs8)
+ if (!cinfo->no_pkcs8)
 return;
 if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519)) {
 if (cinfo->verbose) fprintf(stderr, "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n", gnutls_pk_algorithm_get_name(key_type));
- cinfo->pkcs8 = 1;
+ cinfo->no_pkcs8 = 0;
 if (cinfo->password == NULL) cinfo->password = "";
 }
@@ -98,7 +99,7 @@ void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t ke
 if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
 if (cinfo->verbose) fprintf(stderr, "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format\n");
- cinfo->pkcs8 = 1;
+ cinfo->no_pkcs8 = 0;
 if (cinfo->password == NULL) cinfo->password = "";
 }
diff --git a/src/certtool.c b/src/certtool.c
index a57e324449..5bb6414978 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1371,7 +1371,10 @@ static void cmd_parser(int argc, char **argv)
 if (HAVE_OPT(LOAD_PUBKEY)) cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
- cinfo.pkcs8 = HAVE_OPT(PKCS8);
+ /* The --pkcs8 option was being used to encrypt private keys.
+ * Let it be for backwards compatibility */
+ cinfo.ask_pass = HAVE_OPT(PKCS8);
+ cinfo.no_pkcs8 = !(ENABLED_OPT(PKCS8));
 cinfo.incert_format = incert_format;
 cinfo.outcert_format = outcert_format;
@@ -1403,9 +1406,9 @@ static void cmd_parser(int argc, char **argv)
 if (HAVE_OPT(PASSWORD)) {
 cinfo.password = OPT_ARG(PASSWORD);
- if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0) {
- fprintf(stderr, "Assuming PKCS #8 format...\n");
- cinfo.pkcs8 = 1;
+ if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.no_pkcs8) {
+ fprintf(stderr, "A private key can be encrypted only in PKCS#8 format...\n");
+ app_exit(1);
 }
 }
@@ -1763,9 +1766,6 @@ void privkey_info(common_info_st * cinfo)
 fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
 app_exit(1);
 }
- /* On this option we may import from PKCS #8 but we are always exporting
- * to our format. */
- cinfo->pkcs8 = 0;
 print_private_key(outfile, cinfo, key); |