From 9cb7daa54708dcf5e6500cd20ec7b1cc2f6f6350 Mon Sep 17 00:00:00 2001

From: Stephen Gallagher <sgallagh@redhat.com>

Date: Mon, 10 Jun 2019 10:15:42 -0400

Subject: [PATCH 6/6] Allow specifying keyfile password by file

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

---

 src/sscg.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++

 1 file changed, 84 insertions(+)

diff --git a/src/sscg.c b/src/sscg.c

index 9dc926c77038105ca881a612cccd1913bc2d42f1..a02e4df66c6cf9ec1865f425b4a15da82fbfdc72 100644

--- a/src/sscg.c

+++ b/src/sscg.c

@@ -34,6 +34,10 @@

 #include "include/authority.h"

 #include "include/service.h"

+

+/* Same as OpenSSL CLI */

+#define MAX_PW_LEN 1024

+

 static int

 get_security_level (void)

 {

@@ -209,6 +213,44 @@ sscg_options_destructor (TALLOC_CTX *opts)

 }

+static char *

+sscg_read_pw_file (TALLOC_CTX *mem_ctx, char *path)

+{

+  int i;

+  BIO *pwdbio = NULL;

+  char tpass[MAX_PW_LEN];

+  char *tmp = NULL;

+  char *password = NULL;

+

+  pwdbio = BIO_new_file (path, "r");

+  if (pwdbio == NULL)

+    {

+      fprintf (stderr, "Can't open file %s\n", path);

+      return NULL;

+    }

+

+  i = BIO_gets (pwdbio, tpass, MAX_PW_LEN);

+  BIO_free_all (pwdbio);

+  pwdbio = NULL;

+

+  if (i <= 0)

+    {

+      fprintf (stderr, "Error reading password from BIO\n");

+      return NULL;

+    }

+

+  tmp = strchr (tpass, '\n');

+  if (tmp != NULL)

+    *tmp = 0;

+

+  password = talloc_strdup (mem_ctx, tpass);

+

+  memset (tpass, 0, MAX_PW_LEN);

+

+  return password;

+}

+

+

 int

 main (int argc, const char **argv)

 {

@@ -236,10 +278,12 @@ main (int argc, const char **argv)

   int ca_mode = 0644;

   int ca_key_mode = 0600;

   char *ca_key_password = NULL;

+  char *ca_key_passfile = NULL;

   int cert_mode = 0644;

   int cert_key_mode = 0600;

   char *cert_key_password = NULL;

+  char *cert_key_passfile = NULL;

   char *create_mode = NULL;

@@ -470,6 +514,16 @@ main (int argc, const char **argv)

       NULL

     },

+    {

+      "ca-key-passfile",

+      '\0',

+      POPT_ARG_STRING,

+      &ca_key_passfile,

+      0,

+      _ ("A file containing the password to encrypt the CA key file."),

+      NULL

+    },

+

     {

       "ca-key-password-prompt",

       'C',

@@ -531,6 +585,16 @@ main (int argc, const char **argv)

       NULL

     },

+    {

+      "cert-key-passfile",

+      '\0',

+      POPT_ARG_STRING,

+      &cert_key_passfile,

+      0,

+      _ ("A file containing the password to encrypt the service key file."),

+      NULL

+    },

+

     {

       "cert-key-password-prompt",

       'P',

@@ -697,12 +761,32 @@ main (int argc, const char **argv)

       options->ca_key_pass =

         sscg_secure_string_steal (options, ca_key_password);

     }

+  else if (ca_key_passfile)

+    {

+      options->ca_key_pass = sscg_read_pw_file (options, ca_key_passfile);

+      if (!options->ca_key_pass)

+        {

+          fprintf (

+            stderr, "Failed to read passphrase from %s", ca_key_passfile);

+          goto done;

+        }

+    }

   if (cert_key_password)

     {

       options->cert_key_pass =

         sscg_secure_string_steal (options, cert_key_password);

     }

+  else if (cert_key_passfile)

+    {

+      options->cert_key_pass = sscg_read_pw_file (options, cert_key_passfile);

+      if (!options->cert_key_pass)

+        {

+          fprintf (

+            stderr, "Failed to read passphrase from %s", cert_key_passfile);

+          goto done;

+        }

+    }

   if (options->key_strength < options->minimum_key_strength)

-- 

2.23.0