Allow passwords to be included on command line for a few

more utilities.

9 files changed, 102 insertions, 57 deletions

diff --git a/apps/apps.c b/apps/apps.c
index 4e3f32d07a..68331084ab 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -325,17 +325,6 @@ int app_init(long mesgwin)
 	}
 #endif
 
-int MS_CALLBACK key_cb(char *buf, int len, int verify, void *key)
-	{
-	int i;
-
-	if (key == NULL) return(0);
-	i=strlen(key);
-	i=(i > len)?len:i;
-	memcpy(buf,key,i);
-	return(i);
-	}
-
 int dump_cert_text (BIO *out, X509 *x)
 {
 	char buf[256];
diff --git a/apps/apps.h b/apps/apps.h
index d4c88ab42d..793126da02 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -143,7 +143,6 @@ int args_from_file(char *file, int *argc, char **argv[]);
 int str2fmt(char *s);
 void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
-int MS_CALLBACK key_cb(char *buf,int len,int verify,void *u);
 #ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
 #endif
diff --git a/apps/ca.c b/apps/ca.c
index 89a73b666f..ff11c2a05a 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -528,13 +528,8 @@ bad:
 		BIO_printf(bio_err,"trying to load CA private key\n");
 		goto err;
 		}
-	if (key == NULL)
-		pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL);
-	else
-		{
-		pkey=PEM_read_bio_PrivateKey(in,NULL,key_cb,key);
-		memset(key,0,strlen(key));
-		}
+		pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,key);
+		if(key) memset(key,0,strlen(key));
 	if (pkey == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CA private key\n");
diff --git a/apps/dsa.c b/apps/dsa.c
index a5ff647252..94f71b5be8 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -236,11 +236,7 @@ bad:
 		else dsa=d2i_DSAPrivateKey_bio(in,NULL);
 	} else if (informat == FORMAT_PEM) {
 		if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
-		else {
-			if(passin) dsa=PEM_read_bio_DSAPrivateKey(in,NULL,
-								key_cb,passin);
-			else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,NULL);
-		}
+		else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,PEM_cb,passin);
 	} else
 		{
 		BIO_printf(bio_err,"bad input format specified for key\n");
@@ -287,12 +283,8 @@ bad:
 	} else if (outformat == FORMAT_PEM) {
 		if(pubin || pubout)
 			i=PEM_write_bio_DSA_PUBKEY(out,dsa);
-		else {
-			if(passout) i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
-							NULL,0,key_cb, passout);
-			i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,
-								     NULL,NULL);
-		}
+		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
+							NULL,0,PEM_cb, passout);
 	} else {
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 33b0866f43..907032900e 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -3,6 +3,9 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
 oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
@@ -86,6 +89,10 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
 # This sets the permitted types in a DirectoryString. There are several
 # options. 
 # default: PrintableString, T61String, BMPString.
diff --git a/apps/req.c b/apps/req.c
index 75f2b853ed..24e666f0dc 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -146,6 +146,7 @@ int MAIN(int argc, char **argv)
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
 	int modulus=0;
+	char *passin = NULL, *passout = NULL;
 	char *p;
 	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
 #ifndef MONOLITH
@@ -217,6 +218,39 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			keyout= *(++argv);
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passin= *(++argv);
+			}
+		else if (strcmp(*argv,"-envpassin") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passin= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			}
+		else if (strcmp(*argv,"-envpassout") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passout= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			argv++;
+			}
+		else if (strcmp(*argv,"-passout") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passout= *(++argv);
+			}
 		else if (strcmp(*argv,"-newkey") == 0)
 			{
 			int is_numeric;
@@ -452,6 +486,12 @@ bad:
 		}
 	}
 
+	if(!passin)
+		passin = CONF_get_string(req_conf, SECTION, "input_password");
+
+	if(!passout)
+		passout = CONF_get_string(req_conf, SECTION, "output_password");
+
 	p = CONF_get_string(req_conf, SECTION, DIRSTRING_TYPE);
 
 	if(p && !ASN1_STRING_set_default_mask_asc(p)) {
@@ -491,7 +531,9 @@ bad:
 			rsa=d2i_RSAPrivateKey_bio(in,NULL);
 		else */
 		if (keyform == FORMAT_PEM)
-			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL);
+			{
+			pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,passin);
+			}
 		else
 			{
 			BIO_printf(bio_err,"bad input format specified for X509 request\n");
@@ -579,7 +621,7 @@ bad:
 		i=0;
 loop:
 		if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
-			NULL,0,NULL,NULL))
+			NULL,0,PEM_cb,passout))
 			{
 			if ((ERR_GET_REASON(ERR_peek_error()) ==
 				PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
diff --git a/apps/rsa.c b/apps/rsa.c
index 219bdd65d6..684252cc1d 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -278,11 +278,7 @@ bad:
 #endif
 	else if (informat == FORMAT_PEM) {
 		if(pubin) rsa=PEM_read_bio_RSA_PUBKEY(in,NULL,NULL,NULL);
-		else {
-			if(passin) rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
-								key_cb,passin);
-			else rsa=PEM_read_bio_RSAPrivateKey(in,NULL,NULL,NULL);
-		}
+		else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, PEM_cb,passin);
 	}
 	else
 		{
@@ -381,12 +377,8 @@ bad:
 	else if (outformat == FORMAT_PEM) {
 		if(pubout || pubin)
 		    i=PEM_write_bio_RSA_PUBKEY(out,rsa);
-		else {
-			if(passout) i=PEM_write_bio_RSAPrivateKey(out,rsa,
-						enc,NULL,0,key_cb,passout);
-			else i=PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,
-								0,NULL,NULL);
-		}
+		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
+						enc,NULL,0,PEM_cb,passout);
 	} else	{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
diff --git a/apps/smime.c b/apps/smime.c
index 882838c66f..6c15dcfb6e 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -60,14 +60,14 @@
 
 #include <stdio.h>
 #include <string.h>
+#include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
-#include "apps.h"
 
 #undef PROG
 #define PROG smime_main
 static X509 *load_cert(char *file);
-static EVP_PKEY *load_key(char *file);
+static EVP_PKEY *load_key(char *file, char *pass);
 static STACK_OF(X509) *load_certs(char *file);
 static X509_STORE *setup_verify(char *CAfile, char *CApath);
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
@@ -98,7 +98,7 @@ int MAIN(int argc, char **argv)
 	int badarg = 0;
 	int flags = PKCS7_DETACHED;
 	char *to = NULL, *from = NULL, *subject = NULL;
-	char *CAfile = NULL, *CApath = NULL;
+	char *CAfile = NULL, *CApath = NULL, *passin = NULL;
 
 	args = argv + 1;
 
@@ -138,7 +138,18 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_BINARY;
 		else if (!strcmp (*args, "-nosigs"))
 				flags |= PKCS7_NOSIGS;
-		else if (!strcmp (*args, "-to")) {
+		else if (!strcmp(*argv,"-passin")) {
+			if (--argc < 1) badarg = 1;
+			else passin= *(++argv);
+		} else if (!strcmp(*argv,"-envpassin")) {
+			if (--argc < 1) badarg = 1;
+			else if(!(passin= getenv(*(++argv)))) {
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badarg = 1;
+			}
+		} else if (!strcmp (*args, "-to")) {
 			if (args[1]) {
 				args++;
 				to = *args;
@@ -303,7 +314,7 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;
 
 	if(keyfile) {
-		if(!(key = load_key(keyfile))) {
+		if(!(key = load_key(keyfile, passin))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
@@ -405,12 +416,12 @@ static X509 *load_cert(char *file)
 	return cert;
 }
 
-static EVP_PKEY *load_key(char *file)
+static EVP_PKEY *load_key(char *file, char *pass)
 {
 	BIO *in;
 	EVP_PKEY *key;
 	if(!(in = BIO_new_file(file, "r"))) return NULL;
-	key = PEM_read_bio_PrivateKey(in, NULL, NULL,NULL);
+	key = PEM_read_bio_PrivateKey(in, NULL,PEM_cb,pass);
 	BIO_free(in);
 	return key;
 }
diff --git a/apps/x509.c b/apps/x509.c
index 0ed5ef1d03..797ee39c7e 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -92,6 +92,8 @@ static char *x509_usage[]={
 " -CAkeyform arg  - CA key format - default PEM\n",
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
+" -passin arg     - private key password\n",
+" -envpassin arg  - read private key password from encvironment variable \"arg\"\n",
 " -serial         - print serial number value\n",
 " -hash           - print hash value\n",
 " -subject        - print subject DN\n",
@@ -129,7 +131,7 @@ NULL
 };
 
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static EVP_PKEY *load_key(char *file, int format);
+static EVP_PKEY *load_key(char *file, int format, char *passin);
 static X509 *load_cert(char *file, int format);
 static int sign (X509 *x, EVP_PKEY *pkey,int days,const EVP_MD *digest,
 						LHASH *conf, char *section);
@@ -166,7 +168,7 @@ int MAIN(int argc, char **argv)
 	char buf[256];
 	const EVP_MD *md_alg,*digest=EVP_md5();
 	LHASH *extconf = NULL;
-	char *extsect = NULL, *extfile = NULL;
+	char *extsect = NULL, *extfile = NULL, *passin = NULL;
 	int need_rand = 0;
 
 	reqfile=0;
@@ -232,6 +234,22 @@ int MAIN(int argc, char **argv)
 				goto bad;
 				}
 			}
+		else if (strcmp(*argv,"-passin") == 0)
+			{
+			if (--argc < 1) goto bad;
+			passin= *(++argv);
+			}
+		else if (strcmp(*argv,"-envpassin") == 0)
+			{
+			if (--argc < 1) goto bad;
+				if(!(passin= getenv(*(++argv))))
+				{
+				BIO_printf(bio_err,
+				 "Can't read environment variable %s\n",
+								*argv);
+				badops = 1;
+				}
+			}
 		else if (strcmp(*argv,"-extfile") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -751,7 +769,7 @@ bad:
 				BIO_printf(bio_err,"Getting Private key\n");
 				if (Upkey == NULL)
 					{
-					Upkey=load_key(keyfile,keyformat);
+					Upkey=load_key(keyfile,keyformat, passin);
 					if (Upkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -768,7 +786,7 @@ bad:
 				BIO_printf(bio_err,"Getting CA Private Key\n");
 				if (CAkeyfile != NULL)
 					{
-					CApkey=load_key(CAkeyfile,CAkeyformat);
+					CApkey=load_key(CAkeyfile,CAkeyformat, passin);
 					if (CApkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -794,7 +812,7 @@ bad:
 					}
 				else
 					{
-					pk=load_key(keyfile,FORMAT_PEM);
+					pk=load_key(keyfile,FORMAT_PEM, passin);
 					if (pk == NULL) goto end;
 					}
 
@@ -1049,7 +1067,7 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 		}
 	}
 
-static EVP_PKEY *load_key(char *file, int format)
+static EVP_PKEY *load_key(char *file, int format, char *passin)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
@@ -1088,7 +1106,7 @@ static EVP_PKEY *load_key(char *file, int format)
 #endif
 		if (format == FORMAT_PEM)
 		{
-		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,NULL);
+		pkey=PEM_read_bio_PrivateKey(key,NULL,PEM_cb,passin);
 		}
 	else
 		{