author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-17 01:39:00 +0200 |
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-24 14:34:56 +0200 |
commit | 50eb2a507732b4d32879709dbfa335ccb542f676 (patch) | |
tree | 18bba64cf2babfee3c6ee5f89a7cde5c579d7807 /apps | |
parent | ACVP: add test case for DRBG (diff) | |
load_key_certs_crls(): Restore output of fatal errors
Also improve the diagnostics printed when loading credentials (keys, certificates, CRLs) in many apps.
Fixes #12840
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ca.c | 5 | ||||
-rw-r--r-- | apps/cms.c | 4 | ||||
-rw-r--r-- | apps/dgst.c | 4 | ||||
-rw-r--r-- | apps/dsa.c | 4 | ||||
-rw-r--r-- | apps/ec.c | 4 | ||||
-rw-r--r-- | apps/lib/apps.c | 65 | ||||
-rw-r--r-- | apps/lib/s_cb.c | 6 | ||||
-rw-r--r-- | apps/pkeyutl.c | 6 | ||||
-rw-r--r-- | apps/req.c | 2 | ||||
-rw-r--r-- | apps/rsa.c | 4 | ||||
-rw-r--r-- | apps/rsautl.c | 4 | ||||
-rw-r--r-- | apps/s_client.c | 4 | ||||
-rw-r--r-- | apps/s_server.c | 12 | ||||
-rw-r--r-- | apps/smime.c | 4 | ||||
-rw-r--r-- | apps/x509.c | 10 |
15 files changed, 82 insertions, 56 deletions
@@ -1269,7 +1269,8 @@ end_of_options:
         } else {
             X509 *revcert;
 
-            revcert = load_cert_pass(infile, certformat, passin, infile);
+            revcert = load_cert_pass(infile, certformat, passin,
+                                     "certificate to be revoked");
             if (revcert == NULL)
                 goto end;
             if (dorevoke == 2)
@@ -1403,7 +1404,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((req = load_cert_pass(infile, certformat, passin, infile)) == NULL)
+    if ((req = load_cert_pass(infile, certformat, passin, "template certificate")) == NULL)
         goto end;
     if (verbose)
         X509_print(bio_err, req);
diff --git a/apps/cms.c b/apps/cms.c
index 178c441f1a..ad8f64fcaa 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -857,7 +857,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
-        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key");
         if (key == NULL)
             goto end;
 
@@ -1060,7 +1060,7 @@ int cms_main(int argc, char **argv)
             ret = 2;
             goto end;
         }
-        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key");
         if (key == NULL) {
             ret = 2;
             goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 650115b468..badcfdf0e2 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -268,9 +268,9 @@ int dgst_main(int argc, char **argv)
         int type;
 
         if (want_pub)
-            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file");
+            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
         else
-            sigkey = load_key(keyfile, keyform, 0, passin, e, "key file");
+            sigkey = load_key(keyfile, keyform, 0, passin, e, "private key");
         if (sigkey == NULL) {
             /*
              * load_[pub]key() has already printed an appropriate message
diff --git a/apps/dsa.c b/apps/dsa.c
index 8ef802e0da..75a0504548 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
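Review bot: The rewritten line in certify_cert(), `if ((req = load_cert_pass(infile, certformat, passin, "template certificate")) == NULL)`, runs well past 80 columns, which every other call site touched by this commit avoids by wrapping the argument list (see the `revcert = load_cert_pass(infile, certformat, passin,` hunk just above). Split it into `req = load_cert_pass(infile, certformat, passin, "template certificate");` followed by `if (req == NULL)` so it matches the surrounding style. The body of certify_cert continues outside the hunk.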
@@ -165,9 +165,9 @@ int dsa_main(int argc, char **argv)
         BIO_printf(bio_err, "read DSA key\n");
 
         if (pubin)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+            pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
         else
-            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+            pkey = load_key(infile, informat, 1, passin, e, "private key");
         if (pkey != NULL)
             dsa = EVP_PKEY_get1_DSA(pkey);
@@ -194,9 +194,9 @@ int ec_main(int argc, char **argv)
     } else if (informat == FORMAT_ENGINE) {
         EVP_PKEY *pkey;
         if (pubin)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+            pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
         else
-            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+            pkey = load_key(infile, informat, 1, passin, e, "private key");
         if (pkey != NULL) {
             eckey = EVP_PKEY_get1_EC_KEY(pkey);
             EVP_PKEY_free(pkey);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index c0c56d9c22..fa015aa4ea 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -708,7 +708,10 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
     const char *propq = app_get0_propq();
     int ncerts = 0;
     int ncrls = 0;
-    const char *failed = "any";
+    const char *failed =
+        ppkey != NULL ? "key" : ppubkey != NULL ? "public key" :
+        pcert != NULL ? "cert" : pcrl != NULL ? "CRL" :
+        pcerts != NULL ? "certs" : pcrls != NULL ? "CRLs" : NULL;
 
     /* TODO make use of the engine reference 'eng' when loading pkeys */
     if (ppkey != NULL)
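Review bot: The new initializer of `failed` in load_key_certs_crls() gives the variable a second meaning that nothing in the hunk documents: before the store is opened it is a label for what the caller asked for (and names only the first non-NULL out-parameter, so a caller requesting both a key and certs is reported as "key"), while later in the function it is reset to NULL and then records what could not be read. A comment on the initializer would save the next reader from reconstructing that, e.g. `/* Names the kind of object requested; labels errors raised before the store is open, is cleared once it is, and is then set by the epilogue to whatever was not found */` split over three lines in the file's comment style. The `NULL` fallback for "no out-parameter at all" is a caller bug, and it is worth saying so in the same comment since the check that acts on it lives further down. load_key_certs_crls continues past this hunk.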
@@ -717,33 +720,36 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         *ppubkey = NULL;
     if (pcert != NULL)
         *pcert = NULL;
+    if (failed == NULL) {
+        BIO_printf(bio_err, "Internal error: nothing to load into from %s\n",
+                   uri != NULL ? uri : "<stdin>");
+        return 0;
+    }
+
     if (pcerts != NULL && *pcerts == NULL
             && (*pcerts = sk_X509_new_null()) == NULL) {
-        BIO_printf(bio_err, "Out of memory");
+        BIO_printf(bio_err, "Out of memory loading");
         goto end;
     }
     if (pcrl != NULL)
         *pcrl = NULL;
     if (pcrls != NULL && *pcrls == NULL
             && (*pcrls = sk_X509_CRL_new_null()) == NULL) {
-        BIO_printf(bio_err, "Out of memory");
+        BIO_printf(bio_err, "Out of memory loading");
         goto end;
     }
 
-    if (desc == NULL)
-        desc = "key/certificate/CRL";
     uidata.password = pass;
     uidata.prompt_info = uri;
 
     if (uri == NULL) {
         BIO *bio;
 
-        uri = "<stdin>";
         if (!maybe_stdin) {
-            BIO_printf(bio_err, "No filename or uri specified for loading %s\n",
-                       desc);
+            BIO_printf(bio_err, "No filename or uri specified for loading");
             goto end;
         }
+        uri = "<stdin>";
         unbuffer(stdin);
         bio = BIO_new_fp(stdin, 0);
         if (bio != NULL)
@@ -754,17 +760,18 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
                                 &uidata, NULL, NULL);
     }
     if (ctx == NULL) {
-        BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n",
-                   uri, desc);
+        BIO_printf(bio_err, "Could not open file or uri for loading");
         goto end;
     }
 
     failed = NULL;
     while (!OSSL_STORE_eof(ctx)) {
         OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
-        int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
-        int ok = 1;
+        int type, ok = 1;
 
+        if (info == NULL)
+            break;
+        type = OSSL_STORE_INFO_get_type(info);
         switch (type) {
         case OSSL_STORE_INFO_PKEY:
             if (ppkey != NULL && *ppkey == NULL)
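Review bot: The new messages `"Out of memory loading"`, `"No filename or uri specified for loading"` and `"Could not open file or uri for loading"` are deliberately left without the object kind, the uri and the newline, relying on the `end:` epilogue to complete the line, but that contract is written down nowhere in the hunk; any future `goto end` that arrives with `failed == NULL` would leave a half line on bio_err, and the epilogue would then, as far as I can see from its logic, emit a misleading "Could not read ..." for what was really an open failure. Put the contract next to the first partial message, e.g. `/* Partial messages up to 'end:' are completed there as " <kind> [of <desc>] [from <uri>]\n" */`. The `return 0` in the new `if (failed == NULL)` block is right only because neither ctx nor the stacks exist yet; a one-line `/* nothing allocated yet, so no cleanup via end: */` would keep someone from "fixing" it into a `goto end`. load_key_certs_crls continues past this hunk.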
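Review bot: The new `if (info == NULL) break;` leaves the loop on any NULL from OSSL_STORE_load() while the store is not at EOF, without consulting OSSL_STORE_error(ctx), so a genuine decode or decrypt error and an object the loader merely could not represent are treated alike and the only record of the cause is whatever the error queue still holds for the epilogue. If the intent is to stop at the first problem — defensible, since continuing past an undecryptable private key and returning a later object would hand the caller something other than what was asked for — say so: `/* NULL before EOF means an error: stop here rather than skip, the epilogue reports what is missing */`. If the intent is to skip unrecognised items, this should be a `continue` guarded by `OSSL_STORE_error(ctx)` instead. The loop body continues outside the hunk.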
@@ -805,8 +812,7 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         OSSL_STORE_INFO_free(info);
         if (!ok) {
             failed = info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
-            BIO_printf(bio_err, "Error reading %s of %s from %s\n",
-                       failed, desc, uri);
+            BIO_printf(bio_err, "Error reading");
             break;
         }
     }
@@ -814,18 +820,37 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
  end:
     OSSL_STORE_close(ctx);
     if (failed == NULL) {
-        if (ppkey != NULL && *ppkey == NULL)
+        int any = 0;
+
+        if (ppkey != NULL && *ppkey == NULL) {
             failed = "key";
-        else if ((pcert != NULL || pcerts != NULL) && ncerts == 0)
+        } else if ((pcert != NULL || pcerts != NULL) && ncerts == 0) {
+            if (pcert == NULL)
+                any = 1;
             failed = "cert";
-        else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0)
+        } else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0) {
+            if (pcrl == NULL)
+                any = 1;
             failed = "CRL";
+        }
         if (failed != NULL)
-            BIO_printf(bio_err, "Could not read any %s of %s from %s\n",
-                       failed, desc, uri);
+            BIO_printf(bio_err, "Could not read");
+        if (any)
+            BIO_printf(bio_err, " any");
     }
-    if (failed != NULL)
+    if (failed != NULL) {
+        if (desc != NULL && strstr(desc, failed) != NULL) {
+            BIO_printf(bio_err, " %s", desc);
+        } else {
+            BIO_printf(bio_err, " %s", failed);
+            if (desc != NULL)
+                BIO_printf(bio_err, " of %s", desc);
+        }
+        if (uri != NULL)
+            BIO_printf(bio_err, " from %s", uri);
+        BIO_printf(bio_err, "\n");
         ERR_print_errors(bio_err);
+    }
     return failed == NULL;
 }
 
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 72fb98402d..142659d05e 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
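Review bot: The context line `failed = info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);` keeps a NULL test that the commit's own `if (info == NULL) break;` earlier in the loop makes unreachable, so this hunk can simply write `failed = OSSL_STORE_INFO_type_string(type);`. That also closes the one path on which the new partial `"Error reading"` message could reach `end:` with `failed == NULL` and be left without its object kind and newline. The enclosing while loop starts outside the hunk.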
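Review bot: The new `strstr(desc, failed)` deduplication is case-sensitive, and this commit lowercases every `desc` the apps pass in, but on the read-error path `failed` comes from OSSL_STORE_INFO_type_string(), whose strings are, if I remember the library right, capitalised (e.g. "Certificate"); that path will therefore print `Error reading Certificate of server certificate from ...` rather than the deduplicated form this branch exists to produce. The cleanest fix is to set `failed` in the loop from `type` with the same short labels the epilogue uses (`"key"`, `"cert"`, `"CRL"`) instead of calling OSSL_STORE_INFO_type_string(), which takes a small switch where `failed` is assigned. Note also that the partial "Could not read" / " any" fragments are only ever terminated by the `if (failed != NULL)` block that follows, which is correct today because `any` cannot be set without `failed`; a short comment there, `/* any implies failed != NULL, so the line is always completed below */`, would keep that invariant visible.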
@@ -1047,15 +1047,15 @@ int load_excert(SSL_EXCERT **pexc)
             return 0;
         if (exc->keyfile != NULL) {
             exc->key = load_key(exc->keyfile, exc->keyform,
-                                0, NULL, NULL, "Server Key");
+                                0, NULL, NULL, "server key");
         } else {
             exc->key = load_key(exc->certfile, exc->certform,
-                                0, NULL, NULL, "Server Key");
+                                0, NULL, NULL, "server key");
         }
         if (exc->key == NULL)
             return 0;
         if (exc->chainfile != NULL) {
-            if (!load_certs(exc->chainfile, &exc->chain, NULL, "Server Chain"))
+            if (!load_certs(exc->chainfile, &exc->chain, NULL, "server chain"))
                 return 0;
         }
     }
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 5f53867790..61f9130175 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -532,11 +532,11 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
     }
     switch (key_type) {
     case KEY_PRIVKEY:
-        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
+        pkey = load_key(keyfile, keyform, 0, passin, e, "private key");
         break;
 
     case KEY_PUBKEY:
-        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
+        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
         break;
 
     case KEY_CERT:
@@ -644,7 +644,7 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
     if (peerform == FORMAT_ENGINE)
         engine = e;
 
-    peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key");
+    peer = load_pubkey(file, peerform, 0, NULL, engine, "peer key");
     if (peer == NULL) {
         BIO_printf(bio_err, "Error reading peer key %s\n", file);
         ERR_print_errors(bio_err);
diff --git a/apps/req.c b/apps/req.c
index cb5850c6b5..62abf226ac 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -591,7 +591,7 @@ int req_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
-        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
+        pkey = load_key(keyfile, keyform, 0, passin, e, "private key");
         if (pkey == NULL)
             goto end;
         app_RAND_load_conf(req_conf, section);
diff --git a/apps/rsa.c b/apps/rsa.c
index fdee96d570..558b126560 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
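Review bot: In setup_peer() the failure branch after the renamed `load_pubkey(..., "peer key")` still prints `Error reading peer key %s\n` and calls ERR_print_errors(bio_err), but load_key_certs_crls() in this same commit now prints its own `Could not read ... peer key from <file>` line and drains the error queue, so one failure yields two messages and the second ERR_print_errors() prints nothing. The dgst.c hunk in this commit already relies on exactly that ("load_[pub]key() has already printed an appropriate message"), so this site should be made consistent by dropping both lines and keeping only the early return, `if (peer == NULL) return 0;` or whatever setup_peer's failure value is. The rest of setup_peer is outside the hunk, so I cannot confirm the return value from here.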
@@ -198,9 +198,9 @@ int rsa_main(int argc, char **argv)
             tmpformat = informat;
         }
 
-        pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
+        pkey = load_pubkey(infile, tmpformat, 1, passin, e, "public key");
     } else {
-        pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+        pkey = load_key(infile, informat, 1, passin, e, "private key");
     }
 
     if (pkey != NULL)
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 0f9789c39c..49d9fcfea4 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -189,11 +189,11 @@ int rsautl_main(int argc, char **argv)
 
     switch (key_type) {
     case KEY_PRIVKEY:
-        pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key");
+        pkey = load_key(keyfile, keyformat, 0, passin, e, "private key");
         break;
 
     case KEY_PUBKEY:
-        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key");
+        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "public key");
         break;
 
     case KEY_CERT:
diff --git a/apps/s_client.c b/apps/s_client.c
index ca9891aba8..513beeaa9a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1728,13 +1728,13 @@ int s_client_main(int argc, char **argv)
 
     if (key_file != NULL) {
         key = load_key(key_file, key_format, 0, pass, e,
-                       "client certificate private key file");
+                       "client certificate private key");
         if (key == NULL)
             goto end;
     }
 
     if (cert_file != NULL) {
-        cert = load_cert_pass(cert_file, cert_format, pass, "client certificate file");
+        cert = load_cert_pass(cert_file, cert_format, pass, "client certificate");
         if (cert == NULL)
             goto end;
     }
diff --git a/apps/s_server.c b/apps/s_server.c
index dde0ee60c0..dee38584c4 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1740,12 +1740,12 @@ int s_server_main(int argc, char *argv[])
 
     if (nocert == 0) {
         s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
-                         "server certificate private key file");
+                         "server certificate private key");
         if (s_key == NULL)
             goto end;
 
         s_cert = load_cert_pass(s_cert_file, s_cert_format, pass,
-                                "server certificate file");
+                                "server certificate");
         if (s_cert == NULL)
             goto end;
 
@@ -1757,12 +1757,12 @@ int s_server_main(int argc, char *argv[])
 
     if (tlsextcbp.servername != NULL) {
         s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
-                          "second server certificate private key file");
+                          "second server certificate private key");
         if (s_key2 == NULL)
             goto end;
 
         s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, pass,
-                                 "second server certificate file");
+                                 "second server certificate");
         if (s_cert2 == NULL)
             goto end;
 
@@ -1802,12 +1802,12 @@ int s_server_main(int argc, char *argv[])
             s_dkey_file = s_dcert_file;
 
         s_dkey = load_key(s_dkey_file, s_dkey_format,
-                          0, dpass, engine, "second certificate private key file");
+                          0, dpass, engine, "second certificate private key");
         if (s_dkey == NULL)
             goto end;
 
         s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, dpass,
-                                 "second server certificate file");
+                                 "second server certificate");
         if (s_dcert == NULL) {
             ERR_print_errors(bio_err);
diff --git a/apps/smime.c b/apps/smime.c
index 9113038db7..e6d539457e 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -471,7 +471,7 @@ int smime_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
-        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key");
         if (key == NULL)
             goto end;
 
@@ -573,7 +573,7 @@ int smime_main(int argc, char **argv)
                                "signer certificate");
         if (signer == NULL)
             goto end;
-        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key");
         if (key == NULL)
             goto end;
 
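Review bot: In the third s_server hunk the `s_dcert == NULL` branch still calls ERR_print_errors(bio_err) after the renamed `load_cert_pass(..., "second server certificate")` call, whereas the `s_cert == NULL` and `s_cert2 == NULL` branches in the two hunks above simply `goto end;` and leave the reporting to the loader. Since load_key_certs_crls() in this commit prints the diagnostic and drains the error queue itself, that extra call is redundant and the three sites should read alike: `if (s_dcert == NULL) goto end;`. The branch body continues outside the hunk, so confirm nothing else happens in it before collapsing it.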
diff --git a/apps/x509.c b/apps/x509.c
index 5627bd9dbe..367cbf45f1 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -522,7 +522,7 @@ int x509_main(int argc, char **argv)
         goto end;
     }
     if (fkeyfile != NULL) {
-        fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key");
+        fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "forced key");
         if (fkey == NULL)
             goto end;
     }
@@ -629,7 +629,7 @@ int x509_main(int argc, char **argv)
             if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
                 goto end;
         } else {
-            x = load_cert_pass(infile, FORMAT_UNDEF, passin, "Certificate");
+            x = load_cert_pass(infile, FORMAT_UNDEF, passin, "certificate");
             if (x == NULL)
                 goto end;
             if (fkey != NULL && !X509_set_pubkey(x, fkey))
@@ -639,7 +639,7 @@ int x509_main(int argc, char **argv)
     }
 
     if (CA_flag) {
-        xca = load_cert_pass(CAfile, CAformat, passin, "CA Certificate");
+        xca = load_cert_pass(CAfile, CAformat, passin, "CA certificate");
         if (xca == NULL)
             goto end;
     }
@@ -846,7 +846,7 @@ int x509_main(int argc, char **argv)
                 BIO_printf(bio_err, "Getting Private key\n");
             if (Upkey == NULL) {
                 Upkey = load_key(keyfile, keyformat, 0,
-                                 passin, e, "Private key");
+                                 passin, e, "private key");
                 if (Upkey == NULL)
                     goto end;
             }
@@ -858,7 +858,7 @@ int x509_main(int argc, char **argv)
                 BIO_printf(bio_err, "Getting CA Private Key\n");
             if (CAkeyfile != NULL) {
                 CApkey = load_key(CAkeyfile, CAkeyformat,
-                                  0, passin, e, "CA Private Key");
+                                  0, passin, e, "CA private key");
                 if (CApkey == NULL)
                     goto end;
             }
|