authorDr. Stephen Henson <steve@openssl.org>2016-05-17 14:15:20 +0100
committerDr. Stephen Henson <steve@openssl.org>2016-05-23 16:41:34 +0100
commit05dba8151bd418cdc111d62102aaf9f4e7bd2f3f (patch)
treed29b35e495de274097853570f16271fe29f32cb8 /apps
parent07930a75a1f82fd359d0af7849f01990b73659dd (diff)
Support for traditional format private keys.
Add new function PEM_write_bio_PrivateKey_traditional() to enforce the use of legacy "traditional" private key format. Add -traditional option to pkcs8 and pkey utilities. Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/pkcs8.c21
-rw-r--r--apps/pkey.c18
2 files changed, 29 insertions, 10 deletions
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index cd6b537948..22b5866144 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -23,7 +23,8 @@ typedef enum OPTION_choice {
#ifndef OPENSSL_NO_SCRYPT
OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
#endif
- OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT
+ OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
+ OPT_TRADITIONAL
} OPTION_CHOICE;
OPTIONS pkcs8_options[] = {
@@ -41,6 +42,7 @@ OPTIONS pkcs8_options[] = {
{"iter", OPT_ITER, 'p', "Specify the iteration count"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ {"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
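Review bot: The help string added to pkcs8_options starts in lower case and is worded differently from the same option in pkey_options later in this commit, while the neighbouring entries all begin with a capital. Using one string in both tables keeps the two utilities consistent: `{"traditional", OPT_TRADITIONAL, '-', "Use traditional format for private keys"},`. The hunk at -320 consults the flag only in the FORMAT_PEM branch, so the text could also say it applies to PEM output.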
@@ -70,7 +72,7 @@ int pkcs8_main(int argc, char **argv)
OPTION_CHOICE o;
int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
- int private = 0;
+ int private = 0, traditional = 0;
#ifndef OPENSSL_NO_SCRYPT
long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
#endif
@@ -110,6 +112,9 @@ int pkcs8_main(int argc, char **argv)
case OPT_NOCRYPT:
nocrypt = 1;
break;
+ case OPT_TRADITIONAL:
+ traditional = 1;
+ break;
case OPT_V2:
if (!opt_cipher(opt_arg(), &cipher))
goto opthelp;
@@ -320,11 +325,15 @@ int pkcs8_main(int argc, char **argv)
}
assert(private);
- if (outformat == FORMAT_PEM)
- PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
- else if (outformat == FORMAT_ASN1)
+ if (outformat == FORMAT_PEM) {
+ if (traditional)
+ PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0,
+ NULL, passout);
+ else
+ PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
+ } else if (outformat == FORMAT_ASN1) {
i2d_PrivateKey_bio(out, pkey);
- else {
+ } else {
BIO_printf(bio_err, "Bad format specified for key\n");
goto end;
}
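Review bot: The result of `PEM_write_bio_PrivateKey_traditional()` is discarded in the new `if (traditional)` branch, so a key that cannot be written in the requested format goes unreported here. The command could then exit as if it had succeeded, although where `ret` is cleared is outside this hunk. The bad-format branch just below already prints a message and does `goto end`, and the same exit fits here: `if (!PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0, NULL, passout)) goto end;`. This matters more for the new call than for the existing one, because presumably not every key type has a legacy encoding. The hunk at -140 in apps/pkey.c ignores the return value in the same way; pkcs8_main itself starts and ends outside this hunk.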
diff --git a/apps/pkey.c b/apps/pkey.c
index 6abd63c52e..50ee05f784 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -18,7 +18,7 @@ typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
- OPT_TEXT, OPT_NOOUT, OPT_MD
+ OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL
} OPTION_CHOICE;
OPTIONS pkey_options[] = {
@@ -36,6 +36,8 @@ OPTIONS pkey_options[] = {
{"text", OPT_TEXT, '-', "Output in plaintext as well"},
{"noout", OPT_NOOUT, '-', "Don't output the key"},
{"", OPT_MD, '-', "Any supported cipher"},
+ {"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private keys"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
@@ -53,7 +55,7 @@ int pkey_main(int argc, char **argv)
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM;
int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
- int private = 0;
+ int private = 0, traditional = 0;
prog = opt_init(argc, argv, pkey_options);
while ((o = opt_next()) != OPT_EOF) {
@@ -105,6 +107,9 @@ int pkey_main(int argc, char **argv)
case OPT_NOOUT:
noout = 1;
break;
+ case OPT_TRADITIONAL:
+ traditional = 1;
+ break;
case OPT_MD:
if (!opt_cipher(opt_unknown(), &cipher))
goto opthelp;
@@ -140,8 +145,13 @@ int pkey_main(int argc, char **argv)
PEM_write_bio_PUBKEY(out, pkey);
else {
assert(private);
- PEM_write_bio_PrivateKey(out, pkey, cipher,
- NULL, 0, NULL, passout);
+ if (traditional)
+ PEM_write_bio_PrivateKey_traditional(out, pkey, cipher,
+ NULL, 0, NULL,
+ passout);
+ else
+ PEM_write_bio_PrivateKey(out, pkey, cipher,
+ NULL, 0, NULL, passout);
}
} else if (outformat == FORMAT_ASN1) {
if (pubout)
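Review bot: The traditional branch in pkey_main passes `cipher` through, but neither the hunk nor the option's help text says how an encrypted traditional key is protected. As far as I know it uses the legacy PEM encryption (Proc-Type/DEK-Info headers, passphrase key derived with a single MD5 iteration) rather than PKCS#8 password-based encryption. A comment above the call such as `/* Legacy PEM encryption: weak passphrase KDF, use only for interoperability */`, plus a sentence in the pkey documentation, would make that trade-off visible to users who combine `-traditional` with a cipher. pkey_main continues past the end of this hunk.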