[apple/security.git] / SecurityTests / cspxutils / pubKeyTool / pubKeyTool.cpp

/*
 * pubKeyTool.cpp - calculate public key hash of arbitrary keys and certs; derive
 *                  public key from a private key or a cert. 
 */
 
#include <stdlib.h>
#include <strings.h>
#include <stdio.h>
#include <unistd.h>
#include <Security/Security.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <security_cdsa_utils/cuCdsaUtils.h>
#include "cspwrap.h"
#include "common.h"

static void usage(char **argv)
{
	printf("usage: %s [options]\n", argv[0]);
	printf("Options:\n");
	printf("   -k priv_key_file      -- private key file to read\n");
	printf("   -b pub_key_file       -- public key file to read\n");
	printf("   -c cert_file          -- cert file to read\n");
	printf("   -d                    -- print public key digest\n");
	printf("   -o out_file           -- write public key to out_file\n");
	printf("   -f pkcs1|pkcs8|x509   -- input key format\n");
	printf("                         -- default is PKCS8 for private key, PKCS1 for"
											" public\n");
	printf("   -K keychain           -- import pub key to this keychain; workaround "
											"for Radar 4191851)\n");
	exit(1);
}

/* Convert raw key blob into a respectable CSSM_KEY. */
static CSSM_RETURN inferCssmKey(
	const CSSM_DATA &keyBlob,
	bool isPrivKey,
	CSSM_KEYBLOB_FORMAT keyForm,
	CSSM_CSP_HANDLE cspHand,
	CSSM_KEY &outKey)
{
	memset(&outKey, 0, sizeof(CSSM_KEY));
	outKey.KeyData = keyBlob;
	CSSM_KEYHEADER &hdr = outKey.KeyHeader;
	hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
	/* CspId blank */
	hdr.BlobType = CSSM_KEYBLOB_RAW;
	hdr.AlgorithmId = CSSM_ALGID_RSA;
	hdr.KeyAttr = CSSM_KEYATTR_EXTRACTABLE;
	hdr.Format = keyForm;
	hdr.KeyClass = isPrivKey ? CSSM_KEYCLASS_PRIVATE_KEY : CSSM_KEYCLASS_PUBLIC_KEY;
	hdr.KeyUsage = CSSM_KEYUSE_ANY;
	hdr.WrapAlgorithmId = CSSM_ALGID_NONE;
	hdr.WrapMode = CSSM_ALGMODE_NONE;
	/*
	 * LogicalKeySizeInBits - ask the CSP
	 */
	CSSM_KEY_SIZE keySize;
	CSSM_RETURN crtn;
	crtn = CSSM_QueryKeySizeInBits(cspHand, CSSM_INVALID_HANDLE, &outKey,
		&keySize);
	if(crtn) {
		cssmPerror("CSSM_QueryKeySizeInBits", crtn);
		return crtn;
	}
	hdr.LogicalKeySizeInBits = keySize.LogicalKeySizeInBits;
	return CSSM_OK;
}

/*
 * Given any key in either blob or reference format,
 * obtain the associated public key's SHA-1 hash. 
 */
static CSSM_RETURN keyDigest(
	CSSM_CSP_HANDLE		cspHand,	
	const CSSM_KEY		*key,		
	CSSM_DATA_PTR		*hashData)	/* struct and contents cuAppMalloc'd and RETURNED */
{
	CSSM_CC_HANDLE		ccHand;
	CSSM_RETURN			crtn;
	CSSM_DATA_PTR		dp;
	
	*hashData = NULL;
	
	/* validate input params */
	if((key == NULL) ||
	   (hashData == NULL)) {
	   	printf("keyHash: bogus args\n");
		return CSSMERR_CSSM_INTERNAL_ERROR;				
	}
	
	/* cook up a context for a passthrough op */
	crtn = CSSM_CSP_CreatePassThroughContext(cspHand,
	 	key,
		&ccHand);
	if(ccHand == 0) {
		cssmPerror("CSSM_CSP_CreatePassThroughContext", crtn);
		return crtn;
	}
	
	/* now it's up to the CSP */
	crtn = CSSM_CSP_PassThrough(ccHand,
		CSSM_APPLECSP_KEYDIGEST,
		NULL,
		(void **)&dp);
	if(crtn) {
		cssmPerror("CSSM_CSP_PassThrough(KEYDIGEST)", crtn);
	}
	else {
		*hashData = dp;
		crtn = CSSM_OK;
	}
	CSSM_DeleteContext(ccHand);
	return crtn;
}

/* 
 * Here's a tricky one. Given a private key, obtain the correspoding public key. 
 * This uses a private key blob format that's used internally in the CSP
 * to generate key digests. 
 */
 
/* 
 * this magic const copied from BinaryKey.h 
 */
#define CSSM_KEYBLOB_RAW_FORMAT_DIGEST	\
	(CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 0x12345)

static CSSM_RETURN pubKeyFromPrivKey(
	CSSM_CSP_HANDLE cspHand, 
	const CSSM_KEY *privKey,			// assumed to be raw format
	CSSM_KEY *pubKey)			
{
	/* first convert to reference key */
	CSSM_KEY refKey;
	CSSM_RETURN crtn;
	crtn = cspRawKeyToRef(cspHand, privKey, &refKey);
	if(crtn) {
		return crtn;
	}
	
	/* now a NULL wrap with the magic format attribute */
	CSSM_CC_HANDLE ccHand;
	CSSM_ACCESS_CREDENTIALS	creds;
	CSSM_DATA descData = {0, 0};
	
	crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
			CSSM_ALGID_NONE,
			CSSM_ALGMODE_NONE,
			NULL,			// passPhrase,
			NULL,			// key
			NULL,			// initVector,
			CSSM_PADDING_NONE,	
			NULL,			// Reserved
			&ccHand);
	if(crtn) {
		cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
		return crtn;
	}
	crtn = AddContextAttribute(ccHand,
		/* 
		 * The output of the WrapKey is a private key as far as the CSP is 
		 * concerned, at the level that this attribute is used anyway.... 
		 */
		CSSM_ATTRIBUTE_PRIVATE_KEY_FORMAT,
		sizeof(uint32),
		CAT_Uint32,
		NULL,
		CSSM_KEYBLOB_RAW_FORMAT_DIGEST);
	if(crtn) {
		cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
		goto errOut;
	}
	memset(pubKey, 0, sizeof(CSSM_KEY));
	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
	crtn = CSSM_WrapKey(ccHand,
		&creds,
		&refKey,
		&descData,	
		pubKey);
	if(crtn) {
		cssmPerror("CSSM_WrapKey", crtn);
		goto errOut;
	}
	
	/* now: presto chango - don't do this at home! */
	pubKey->KeyHeader.KeyClass = CSSM_KEYCLASS_PUBLIC_KEY;
errOut:
	CSSM_FreeKey(cspHand, NULL, &refKey, CSSM_FALSE);
	CSSM_DeleteContext(ccHand);
	return crtn;
}

/* 
 * Import a key into a DLDB.
 */
static CSSM_RETURN importToDlDb(
	CSSM_CSP_HANDLE	cspHand,
	CSSM_DL_DB_HANDLE_PTR dlDbHand,
	const CSSM_KEY *rawPubKey,
	CSSM_DATA_PTR labelData,
	CSSM_KEY_PTR importedKey)
{
	CSSM_CC_HANDLE			ccHand = 0;
	CSSM_RETURN				crtn;
	uint32					keyAttr;
	CSSM_ACCESS_CREDENTIALS	creds;
	CSSM_CONTEXT_ATTRIBUTE	newAttr;	
	CSSM_DATA				descData = {0, 0};
	
	memset(importedKey, 0, sizeof(CSSM_KEY));
	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
	crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
				CSSM_ALGID_NONE,
				CSSM_ALGMODE_NONE,
				&creds,
				NULL,			// unwrappingKey
				NULL,			// initVector
				CSSM_PADDING_NONE,
				0,				// Params
				&ccHand);
	if(crtn) {
		cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
		return crtn;
	}
	keyAttr = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT;
	
	/* Add DLDB to context */
	newAttr.AttributeType     = CSSM_ATTRIBUTE_DL_DB_HANDLE;
	newAttr.AttributeLength   = sizeof(CSSM_ATTRIBUTE_DL_DB_HANDLE);
	newAttr.Attribute.Data    = (CSSM_DATA_PTR)dlDbHand;
	crtn = CSSM_UpdateContextAttributes(ccHand, 1, &newAttr);
	if(crtn) {
		cssmPerror("CSSM_UpdateContextAttributes", crtn);
		goto errOut;
	}
	
	/* import */
	crtn = CSSM_UnwrapKey(ccHand,
		NULL,				// PublicKey
		rawPubKey,
		CSSM_KEYUSE_ANY,
		keyAttr,
		labelData,
		NULL,				// CredAndAclEntry
		importedKey,
		&descData);			// required
	if(crtn) {
		cssmPerror("CSSM_UnwrapKey", crtn);
	}
errOut:
	if(ccHand) {
		CSSM_DeleteContext(ccHand);
	}
	return crtn;
}

/*
 * Free memory via specified plugin's app-level allocator
 */
void impExpFreeCssmMemory(
	CSSM_HANDLE		hand,
	void 			*p)
{
	CSSM_API_MEMORY_FUNCS memFuncs;
	CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs);
	if(crtn) {
		return;
	}
	memFuncs.free_func(p, memFuncs.AllocRef);
}

/*
 * Key attrribute names and values.
 *
 * This is where the public key hash goes.
 */
#define SEC_KEY_HASH_ATTR_NAME			"Label"

/*
 * This is where the publicly visible name goes.
 */
#define SEC_KEY_PRINT_NAME_ATTR_NAME	"PrintName"

/* 
 * Look up public key by label 
 * Set label to new specified label (SHA1 digest)
 * Set print name to new specified user-visible name
 */
static CSSM_RETURN setPubKeyLabel(
	CSSM_CSP_HANDLE 	cspHand,		// where the key lives
	CSSM_DL_DB_HANDLE 	*dlDbHand,		// ditto
	const CSSM_DATA		*existKeyLabel,	// existing label, a random string, for lookup
	const CSSM_DATA		*keyDigest,		// SHA1 digest, the new label
	const CSSM_DATA		*newPrintName)	// new user-visible name
{
	CSSM_QUERY						query;
	CSSM_SELECTION_PREDICATE		predicate;
	CSSM_DB_UNIQUE_RECORD_PTR		record = NULL;
	CSSM_RETURN						crtn;
	CSSM_HANDLE						resultHand = 0;
	
	/*
	 * Look up the key in the DL.
	 */
	query.RecordType = CSSM_DL_DB_RECORD_PUBLIC_KEY;
	query.Conjunctive = CSSM_DB_NONE;
	query.NumSelectionPredicates = 1;
	predicate.DbOperator = CSSM_DB_EQUAL;
	
	predicate.Attribute.Info.AttributeNameFormat = 
		CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	predicate.Attribute.Info.Label.AttributeName = (char *)"Label";
	predicate.Attribute.Info.AttributeFormat = 
		CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	/* hope this cast is OK */
	predicate.Attribute.Value = (CSSM_DATA_PTR)existKeyLabel;
	query.SelectionPredicate = &predicate;
	
	query.QueryLimits.TimeLimit = 0;	// FIXME - meaningful?
	query.QueryLimits.SizeLimit = 1;	// FIXME - meaningful?
	query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA;	// FIXME - used?

	/* build Record attribute with two attrs */
	CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
	CSSM_DB_ATTRIBUTE_DATA attr[2];
	
	attr[0].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	attr[0].Info.Label.AttributeName = (char *)SEC_KEY_HASH_ATTR_NAME;
	attr[0].Info.AttributeFormat     = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	attr[1].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	attr[1].Info.Label.AttributeName = (char *)SEC_KEY_PRINT_NAME_ATTR_NAME;
	attr[1].Info.AttributeFormat     = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	
	recordAttrs.DataRecordType		 = CSSM_DL_DB_RECORD_PUBLIC_KEY;
	recordAttrs.NumberOfAttributes   = 2;
	recordAttrs.AttributeData        = attr;
	
	crtn = CSSM_DL_DataGetFirst(*dlDbHand,
		&query,
		&resultHand,
		&recordAttrs,
		NULL,			// theData
		&record);
	/* abort only on success */
	if(crtn != CSSM_OK) {
		cssmPerror("CSSM_DL_DataGetFirst", crtn);
		goto errOut;
	}
	
	/* 
	 * Update existing attr data.
	 * NOTE: the module which allocated this attribute data - a DL -
	 * was loaded and attached by the keychain layer, not by us. Thus 
	 * we can't use the memory allocator functions *we* used when 
	 * attaching to the CSP - we have to use the ones
	 * which the client registered with the DL.
	 */
	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[0].Value->Data);
	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[0].Value);
	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[1].Value->Data);
	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[1].Value);
	attr[0].Value = const_cast<CSSM_DATA *>(keyDigest);
	attr[1].Value = const_cast<CSSM_DATA *>(newPrintName);
	
	crtn = CSSM_DL_DataModify(*dlDbHand,
			CSSM_DL_DB_RECORD_PUBLIC_KEY,
			record,
			&recordAttrs,
            NULL,				// DataToBeModified
			CSSM_DB_MODIFY_ATTRIBUTE_REPLACE);
	if(crtn) {
		cssmPerror("CSSM_DL_DataModify", crtn);
	}
errOut:
	/* free resources */
	if(resultHand) {
		CSSM_DL_DataAbortQuery(*dlDbHand, resultHand);
	}
	if(record) {
		CSSM_DL_FreeUniqueRecord(*dlDbHand, record);
	}
	return crtn;
}

#define SHA1_LABEL_LEN	20
#define IMPORTED_KEY_NAME "Imported Public Key"

/* 
 * Import a public key into a keychain, with proper Label attribute setting. 
 * A workaround for Radar 4191851.
 */
static int pubKeyImport(
	const char *kcName, 
	const CSSM_KEY *pubKey,
	CSSM_CSP_HANDLE rawCspHand)		/* raw CSP handle for calculating digest */
{
	CSSM_CSP_HANDLE cspHand;
	CSSM_DL_DB_HANDLE dlDbHand;
	OSStatus ortn;
	CSSM_RETURN crtn;
	SecKeychainRef kcRef = NULL;
	int ourRtn = 0;
	CSSM_DATA_PTR digest = NULL;
	CSSM_KEY importedKey;
	CSSM_DATA newPrintName = 
		{ (uint32)strlen(IMPORTED_KEY_NAME), (uint8 *)IMPORTED_KEY_NAME};
		
	/* NULL unwrap stuff */
	uint8 tempLabel[SHA1_LABEL_LEN];
	CSSM_DATA labelData = {SHA1_LABEL_LEN, tempLabel};
	
	ortn = SecKeychainOpen(kcName, &kcRef);
	if(ortn) {
		cssmPerror("SecKeychainOpen", ortn);
		return -1;
	}
	/* subsequent errors to errOut: */
	
	/* Get CSSM handles */
	ortn = SecKeychainGetCSPHandle(kcRef, &cspHand);
	if(ortn) {
		cssmPerror("SecKeychainGetCSPHandle", ortn);
		ourRtn = -1;
		goto errOut;
	}
	ortn = SecKeychainGetDLDBHandle(kcRef, &dlDbHand);
	if(ortn) {
		cssmPerror("SecKeychainGetCSPHandle", ortn);
		ourRtn = -1;
		goto errOut;
	}
	
	/* public key hash from raw CSP */
	crtn = keyDigest(rawCspHand, pubKey, &digest);
	if(crtn) {
		ourRtn = -1;
		goto errOut;
	}
	
	/* random label for initial storage and later retrieval */
	appGetRandomBytes(tempLabel, SHA1_LABEL_LEN);
	
	/* import the key into the keychain's DLDB */
	memset(&importedKey, 0, sizeof(CSSM_KEY));
	crtn = importToDlDb(cspHand, &dlDbHand, pubKey, &labelData, &importedKey);
	if(crtn) {
		ourRtn = -1;
		goto errOut;
	}
	
	/* don't need this */
	CSSM_FreeKey(cspHand, NULL, &importedKey, CSSM_FALSE);
	
	/* update the label and printName attributes */
	crtn = setPubKeyLabel(cspHand, &dlDbHand, &labelData, digest, &newPrintName);
	if(crtn) {
		ourRtn = -1;
	}
errOut:
	CFRelease(kcRef);
	if(digest) {
		APP_FREE(digest->Data);
		APP_FREE(digest);
	}
	return ourRtn;
}

int main(int argc, char **argv)
{
	char *privKeyFile = NULL;
	char *pubKeyFile = NULL;
	char *certFile = NULL;
	char *outFile = NULL;
	bool printDigest = false;
	CSSM_KEYBLOB_FORMAT keyForm = CSSM_KEYBLOB_RAW_FORMAT_NONE;
	char *kcName = NULL;
	
	if(argc < 3) {
		usage(argv);
	}
	extern char *optarg;
	int arg;
	while ((arg = getopt(argc, argv, "k:b:c:do:f:K:h")) != -1) {
		switch (arg) {
			case 'k':
				privKeyFile = optarg;
				break;
			case 'b':
				pubKeyFile = optarg;
				break;
			case 'c':
				certFile = optarg;
				break;
			case 'd':
				printDigest = true;
				break;
			case 'o':
				outFile = optarg;
				break;
			case 'f':
				if(!strcmp("pkcs1", optarg)) {
					keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
				}
				else if(!strcmp("pkcs8", optarg)) {
					keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
				}
				else if(!strcmp("x509", optarg)) {
					keyForm = CSSM_KEYBLOB_RAW_FORMAT_X509;
				}
				break;
			case 'K':
				kcName = optarg;
				break;
			case 'h':
				usage(argv);
		}
	}
	if(optind != argc) {
		usage(argv);
	}
	
	CSSM_DATA privKeyBlob = {0, NULL};
	CSSM_DATA pubKeyBlob = {0, NULL};
	CSSM_KEY thePrivKey;			// constructed
	CSSM_KEY thePubKey;				// null-wrapped
	CSSM_KEY_PTR pubKey = NULL;
	CSSM_KEY_PTR privKey = NULL;
	CSSM_RETURN crtn;
	CSSM_CL_HANDLE clHand = 0;
	CSSM_CSP_HANDLE cspHand = cuCspStartup(CSSM_TRUE);

	/* gather input */
	if(privKeyFile) {
		/* key blob from a file ==> a private CSSM_KEY */

		if(pubKeyFile || certFile) {
			printf("****Specify exactly one of {cert_file, priv_key_file, "
					"pub_key_file}.\n");
			exit(1);
		}
		unsigned len;
		if(readFile(privKeyFile, &privKeyBlob.Data, &len)) {
			printf("***Error reading private key from %s. Aborting.\n", privKeyFile);
			exit(1);
		}
		privKeyBlob.Length = len;
		if(keyForm == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
			/* default for private keys */
			keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
		}
		crtn = inferCssmKey(privKeyBlob, true, keyForm, cspHand, thePrivKey);
		if(crtn) {
			goto errOut;
		}
		privKey = &thePrivKey;
	}
	if(pubKeyFile) {
		/* key blob from a file ==> a public CSSM_KEY */

		if(privKeyFile || certFile) {
			printf("****Specify exactly one of {cert_file, priv_key_file, "
					"pub_key_file}.\n");
			exit(1);
		}
		
		unsigned len;
		if(readFile(pubKeyFile, &pubKeyBlob.Data, &len)) {
			printf("***Error reading public key from %s. Aborting.\n", pubKeyFile);
			exit(1);
		}
		pubKeyBlob.Length = len;
		if(keyForm == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
			/* default for public keys */
			keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
		}
		crtn = inferCssmKey(pubKeyBlob, false, keyForm, cspHand, thePubKey);
		if(crtn) {
			goto errOut;
		}
		pubKey = &thePubKey;
	}
	if(certFile) {
		/* cert from a file ==> a public CSSM_KEY */

		if(privKeyFile || pubKeyFile) {
			printf("****Specify exactly one of {cert_file, priv_key_file, "
					"pub_key_file}.\n");
			exit(1);
		}
		
		CSSM_DATA certData = {0, NULL};
		unsigned len;
		if(readFile(certFile, &certData.Data, &len)) {
			printf("***Error reading cert from %s. Aborting.\n", certFile);
			exit(1);
		}
		certData.Length = len;
		
		/* Extract public key - that's what we will be using later */
		clHand = cuClStartup();
		crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, &pubKey);
		if(crtn) {
			cssmPerror("CSSM_CL_CertGetKeyInfo", crtn);
			goto errOut;
		}
	}
	
	/* now do something useful */
	if(printDigest) {
		CSSM_KEY_PTR theKey = privKey;
		if(theKey == NULL) {
			/* maybe we got public key from a cert */
			theKey = pubKey;
		}
		if(theKey == NULL) {
			printf("***Can't calculate digest because I don't have a key or a clue.\n");
			goto errOut;
		}
		CSSM_DATA_PTR dig = NULL;
		crtn = keyDigest(cspHand, theKey, &dig);
		if(crtn) {
			printf("Sorry, can't get the digest for this key.\n");
			goto errOut;
		}
		if((dig == NULL) || (dig->Length == 0)) {
			printf("Screwup calculating digest.\n");
			goto errOut;
		}
		printf("Key Digest:\n");
		for(unsigned dex=0; dex<dig->Length; dex++) {
			printf("%02X ", dig->Data[dex]);
		}
		printf("\n");
		APP_FREE(dig->Data);
		APP_FREE(dig);
	}
	
	if(outFile || kcName) {
		/* get a public key if we don't already have one */
		if(pubKey == NULL) {
			if(privKey == NULL) {
				printf("***PubKey file name specified but no privKey or cert. "	
						"Aborting.\n");
				goto errOut;
			}
			crtn = pubKeyFromPrivKey(cspHand, privKey, &thePubKey);
			if(crtn) {
				goto errOut;
			}
			pubKey = &thePubKey;
		}
	}
	if(outFile) {
		if(writeFile(outFile, pubKey->KeyData.Data, pubKey->KeyData.Length)) {
			printf("***Error writing to %s.\n", outFile);
		}
		else {
			printf("...%lu bytes written to %s.\n", pubKey->KeyData.Length, outFile);
		}
	}
	if(kcName) {
		if(pubKeyImport(kcName, pubKey, cspHand) == 0) {
			printf("....public key %s imported to %s\n", pubKeyFile, kcName);
		}
		else {
			printf("***Error importing public key %s to %s\n", pubKeyFile, kcName);
		}
	}
errOut:
	/* clean up here if you must */
	return 0;
}
Commit	Line	Data
d8f41ccd A	1	/*
	2	* pubKeyTool.cpp - calculate public key hash of arbitrary keys and certs; derive
	3	* public key from a private key or a cert.
	4	*/
	5
	6	#include <stdlib.h>
	7	#include <strings.h>
	8	#include <stdio.h>
	9	#include <unistd.h>
	10	#include <Security/Security.h>
	11	#include <security_cdsa_utils/cuFileIo.h>
	12	#include <security_cdsa_utils/cuCdsaUtils.h>
	13	#include "cspwrap.h"
	14	#include "common.h"
	15
	16	static void usage(char **argv)
	17	{
	18	printf("usage: %s [options]\n", argv[0]);
	19	printf("Options:\n");
	20	printf(" -k priv_key_file -- private key file to read\n");
	21	printf(" -b pub_key_file -- public key file to read\n");
	22	printf(" -c cert_file -- cert file to read\n");
	23	printf(" -d -- print public key digest\n");
	24	printf(" -o out_file -- write public key to out_file\n");
	25	printf(" -f pkcs1\|pkcs8\|x509 -- input key format\n");
	26	printf(" -- default is PKCS8 for private key, PKCS1 for"
	27	" public\n");
	28	printf(" -K keychain -- import pub key to this keychain; workaround "
	29	"for Radar 4191851)\n");
	30	exit(1);
	31	}
	32
	33	/* Convert raw key blob into a respectable CSSM_KEY. */
	34	static CSSM_RETURN inferCssmKey(
	35	const CSSM_DATA &keyBlob,
	36	bool isPrivKey,
	37	CSSM_KEYBLOB_FORMAT keyForm,
	38	CSSM_CSP_HANDLE cspHand,
	39	CSSM_KEY &outKey)
	40	{
	41	memset(&outKey, 0, sizeof(CSSM_KEY));
	42	outKey.KeyData = keyBlob;
	43	CSSM_KEYHEADER &hdr = outKey.KeyHeader;
	44	hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
	45	/* CspId blank */
	46	hdr.BlobType = CSSM_KEYBLOB_RAW;
	47	hdr.AlgorithmId = CSSM_ALGID_RSA;
	48	hdr.KeyAttr = CSSM_KEYATTR_EXTRACTABLE;
	49	hdr.Format = keyForm;
	50	hdr.KeyClass = isPrivKey ? CSSM_KEYCLASS_PRIVATE_KEY : CSSM_KEYCLASS_PUBLIC_KEY;
	51	hdr.KeyUsage = CSSM_KEYUSE_ANY;
	52	hdr.WrapAlgorithmId = CSSM_ALGID_NONE;
	53	hdr.WrapMode = CSSM_ALGMODE_NONE;
	54	/*
	55	* LogicalKeySizeInBits - ask the CSP
	56	*/
	57	CSSM_KEY_SIZE keySize;
	58	CSSM_RETURN crtn;
	59	crtn = CSSM_QueryKeySizeInBits(cspHand, CSSM_INVALID_HANDLE, &outKey,
	60	&keySize);
	61	if(crtn) {
	62	cssmPerror("CSSM_QueryKeySizeInBits", crtn);
	63	return crtn;
	64	}
65	hdr.LogicalKeySizeInBits = keySize.LogicalKeySizeInBits;
66	return CSSM_OK;
67	}
68
69	/*
70	* Given any key in either blob or reference format,
71	* obtain the associated public key's SHA-1 hash.
72	*/
73	static CSSM_RETURN keyDigest(
74	CSSM_CSP_HANDLE cspHand,
75	const CSSM_KEY *key,
76	CSSM_DATA_PTR hashData) / struct and contents cuAppMalloc'd and RETURNED */
77	{
78	CSSM_CC_HANDLE ccHand;
79	CSSM_RETURN crtn;
80	CSSM_DATA_PTR dp;
81
82	*hashData = NULL;
83
84	/* validate input params */
85	if((key == NULL) \|\|
86	(hashData == NULL)) {
87	printf("keyHash: bogus args\n");
88	return CSSMERR_CSSM_INTERNAL_ERROR;
89	}
90
91	/* cook up a context for a passthrough op */
92	crtn = CSSM_CSP_CreatePassThroughContext(cspHand,
93	key,
94	&ccHand);
95	if(ccHand == 0) {
96	cssmPerror("CSSM_CSP_CreatePassThroughContext", crtn);
97	return crtn;
98	}
99
100	/* now it's up to the CSP */
101	crtn = CSSM_CSP_PassThrough(ccHand,
102	CSSM_APPLECSP_KEYDIGEST,
103	NULL,
104	(void **)&dp);
105	if(crtn) {
106	cssmPerror("CSSM_CSP_PassThrough(KEYDIGEST)", crtn);
107	}
108	else {
109	*hashData = dp;
110	crtn = CSSM_OK;
111	}
112	CSSM_DeleteContext(ccHand);
113	return crtn;
114	}
115
116	/*
117	* Here's a tricky one. Given a private key, obtain the correspoding public key.
118	* This uses a private key blob format that's used internally in the CSP
119	* to generate key digests.
120	*/
121
122	/*
123	* this magic const copied from BinaryKey.h
124	*/
125	#define CSSM_KEYBLOB_RAW_FORMAT_DIGEST \
126	(CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 0x12345)
127
128	static CSSM_RETURN pubKeyFromPrivKey(
129	CSSM_CSP_HANDLE cspHand,
130	const CSSM_KEY *privKey, // assumed to be raw format
131	CSSM_KEY *pubKey)
132	{
133	/* first convert to reference key */
134	CSSM_KEY refKey;
135	CSSM_RETURN crtn;
136	crtn = cspRawKeyToRef(cspHand, privKey, &refKey);
137	if(crtn) {
138	return crtn;
139	}
140
141	/* now a NULL wrap with the magic format attribute */
142	CSSM_CC_HANDLE ccHand;
143	CSSM_ACCESS_CREDENTIALS creds;
144	CSSM_DATA descData = {0, 0};
145
146	crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
147	CSSM_ALGID_NONE,
148	CSSM_ALGMODE_NONE,
149	NULL, // passPhrase,
150	NULL, // key
151	NULL, // initVector,
152	CSSM_PADDING_NONE,
153	NULL, // Reserved
154	&ccHand);
155	if(crtn) {
156	cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
157	return crtn;
158	}
159	crtn = AddContextAttribute(ccHand,
160	/*
161	* The output of the WrapKey is a private key as far as the CSP is
162	* concerned, at the level that this attribute is used anyway....
163	*/
164	CSSM_ATTRIBUTE_PRIVATE_KEY_FORMAT,
165	sizeof(uint32),
166	CAT_Uint32,
167	NULL,
168	CSSM_KEYBLOB_RAW_FORMAT_DIGEST);
169	if(crtn) {
170	cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
171	goto errOut;
172	}
173	memset(pubKey, 0, sizeof(CSSM_KEY));
174	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
175	crtn = CSSM_WrapKey(ccHand,
176	&creds,
177	&refKey,
178	&descData,
179	pubKey);
180	if(crtn) {
181	cssmPerror("CSSM_WrapKey", crtn);
182	goto errOut;
183	}
184
185	/* now: presto chango - don't do this at home! */
186	pubKey->KeyHeader.KeyClass = CSSM_KEYCLASS_PUBLIC_KEY;
187	errOut:
188	CSSM_FreeKey(cspHand, NULL, &refKey, CSSM_FALSE);
189	CSSM_DeleteContext(ccHand);
190	return crtn;
191	}
192
193	/*
194	* Import a key into a DLDB.
195	*/
196	static CSSM_RETURN importToDlDb(
197	CSSM_CSP_HANDLE cspHand,
198	CSSM_DL_DB_HANDLE_PTR dlDbHand,
199	const CSSM_KEY *rawPubKey,
200	CSSM_DATA_PTR labelData,
201	CSSM_KEY_PTR importedKey)
202	{
203	CSSM_CC_HANDLE ccHand = 0;
204	CSSM_RETURN crtn;
205	uint32 keyAttr;
206	CSSM_ACCESS_CREDENTIALS creds;
207	CSSM_CONTEXT_ATTRIBUTE newAttr;
208	CSSM_DATA descData = {0, 0};
209
210	memset(importedKey, 0, sizeof(CSSM_KEY));
211	memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
212	crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
213	CSSM_ALGID_NONE,
214	CSSM_ALGMODE_NONE,
215	&creds,
216	NULL, // unwrappingKey
217	NULL, // initVector
218	CSSM_PADDING_NONE,
219	0, // Params
220	&ccHand);
221	if(crtn) {
222	cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
223	return crtn;
224	}
225	keyAttr = CSSM_KEYATTR_RETURN_REF \| CSSM_KEYATTR_EXTRACTABLE \| CSSM_KEYATTR_PERMANENT;
226
227	/* Add DLDB to context */
228	newAttr.AttributeType = CSSM_ATTRIBUTE_DL_DB_HANDLE;
229	newAttr.AttributeLength = sizeof(CSSM_ATTRIBUTE_DL_DB_HANDLE);
230	newAttr.Attribute.Data = (CSSM_DATA_PTR)dlDbHand;
231	crtn = CSSM_UpdateContextAttributes(ccHand, 1, &newAttr);
232	if(crtn) {
233	cssmPerror("CSSM_UpdateContextAttributes", crtn);
234	goto errOut;
235	}
236
237	/* import */
238	crtn = CSSM_UnwrapKey(ccHand,
239	NULL, // PublicKey
240	rawPubKey,
241	CSSM_KEYUSE_ANY,
242	keyAttr,
243	labelData,
244	NULL, // CredAndAclEntry
245	importedKey,
246	&descData); // required
247	if(crtn) {
248	cssmPerror("CSSM_UnwrapKey", crtn);
249	}
250	errOut:
251	if(ccHand) {
252	CSSM_DeleteContext(ccHand);
253	}
254	return crtn;
255	}
256
257	/*
258	* Free memory via specified plugin's app-level allocator
259	*/
260	void impExpFreeCssmMemory(
261	CSSM_HANDLE hand,
262	void *p)
263	{
264	CSSM_API_MEMORY_FUNCS memFuncs;
265	CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs);
266	if(crtn) {
267	return;
268	}
269	memFuncs.free_func(p, memFuncs.AllocRef);
270	}
271
272	/*
273	* Key attrribute names and values.
274	*
275	* This is where the public key hash goes.
276	*/
277	#define SEC_KEY_HASH_ATTR_NAME "Label"
278
279	/*
280	* This is where the publicly visible name goes.
281	*/
282	#define SEC_KEY_PRINT_NAME_ATTR_NAME "PrintName"
283
284	/*
285	* Look up public key by label
286	* Set label to new specified label (SHA1 digest)
287	* Set print name to new specified user-visible name
288	*/
289	static CSSM_RETURN setPubKeyLabel(
290	CSSM_CSP_HANDLE cspHand, // where the key lives
291	CSSM_DL_DB_HANDLE *dlDbHand, // ditto
292	const CSSM_DATA *existKeyLabel, // existing label, a random string, for lookup
293	const CSSM_DATA *keyDigest, // SHA1 digest, the new label
294	const CSSM_DATA *newPrintName) // new user-visible name
295	{
296	CSSM_QUERY query;
297	CSSM_SELECTION_PREDICATE predicate;
298	CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
299	CSSM_RETURN crtn;
300	CSSM_HANDLE resultHand = 0;
301
302	/*
303	* Look up the key in the DL.
304	*/
305	query.RecordType = CSSM_DL_DB_RECORD_PUBLIC_KEY;
306	query.Conjunctive = CSSM_DB_NONE;
307	query.NumSelectionPredicates = 1;
308	predicate.DbOperator = CSSM_DB_EQUAL;
309
310	predicate.Attribute.Info.AttributeNameFormat =
311	CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
312	predicate.Attribute.Info.Label.AttributeName = (char *)"Label";
313	predicate.Attribute.Info.AttributeFormat =
314	CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
315	/* hope this cast is OK */
316	predicate.Attribute.Value = (CSSM_DATA_PTR)existKeyLabel;
317	query.SelectionPredicate = &predicate;
318
319	query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
320	query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
321	query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA; // FIXME - used?
322
323	/* build Record attribute with two attrs */
324	CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
325	CSSM_DB_ATTRIBUTE_DATA attr[2];
326
327	attr[0].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
328	attr[0].Info.Label.AttributeName = (char *)SEC_KEY_HASH_ATTR_NAME;
329	attr[0].Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
330	attr[1].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
331	attr[1].Info.Label.AttributeName = (char *)SEC_KEY_PRINT_NAME_ATTR_NAME;
332	attr[1].Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
333
334	recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_PUBLIC_KEY;
335	recordAttrs.NumberOfAttributes = 2;
336	recordAttrs.AttributeData = attr;
337
338	crtn = CSSM_DL_DataGetFirst(*dlDbHand,
339	&query,
340	&resultHand,
341	&recordAttrs,
342	NULL, // theData
343	&record);
344	/* abort only on success */
345	if(crtn != CSSM_OK) {
346	cssmPerror("CSSM_DL_DataGetFirst", crtn);
347	goto errOut;
348	}
349
350	/*
351	* Update existing attr data.
352	* NOTE: the module which allocated this attribute data - a DL -
353	* was loaded and attached by the keychain layer, not by us. Thus
354	* we can't use the memory allocator functions we used when
355	* attaching to the CSP - we have to use the ones
356	* which the client registered with the DL.
357	*/
358	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[0].Value->Data);
359	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[0].Value);
360	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[1].Value->Data);
361	impExpFreeCssmMemory(dlDbHand->DLHandle, attr[1].Value);
362	attr[0].Value = const_cast<CSSM_DATA *>(keyDigest);
363	attr[1].Value = const_cast<CSSM_DATA *>(newPrintName);
364
365	crtn = CSSM_DL_DataModify(*dlDbHand,
366	CSSM_DL_DB_RECORD_PUBLIC_KEY,
367	record,
368	&recordAttrs,
369	NULL, // DataToBeModified
370	CSSM_DB_MODIFY_ATTRIBUTE_REPLACE);
371	if(crtn) {
372	cssmPerror("CSSM_DL_DataModify", crtn);
373	}
374	errOut:
375	/* free resources */
376	if(resultHand) {
377	CSSM_DL_DataAbortQuery(*dlDbHand, resultHand);
378	}
379	if(record) {
380	CSSM_DL_FreeUniqueRecord(*dlDbHand, record);
381	}
382	return crtn;
383	}
384
385	#define SHA1_LABEL_LEN 20
386	#define IMPORTED_KEY_NAME "Imported Public Key"
387
388	/*
389	* Import a public key into a keychain, with proper Label attribute setting.
390	* A workaround for Radar 4191851.
391	*/
392	static int pubKeyImport(
393	const char *kcName,
394	const CSSM_KEY *pubKey,
395	CSSM_CSP_HANDLE rawCspHand) /* raw CSP handle for calculating digest */
396	{
397	CSSM_CSP_HANDLE cspHand;
398	CSSM_DL_DB_HANDLE dlDbHand;
399	OSStatus ortn;
400	CSSM_RETURN crtn;
401	SecKeychainRef kcRef = NULL;
402	int ourRtn = 0;
403	CSSM_DATA_PTR digest = NULL;
404	CSSM_KEY importedKey;
405	CSSM_DATA newPrintName =
406	{ (uint32)strlen(IMPORTED_KEY_NAME), (uint8 *)IMPORTED_KEY_NAME};
407
408	/* NULL unwrap stuff */
409	uint8 tempLabel[SHA1_LABEL_LEN];
410	CSSM_DATA labelData = {SHA1_LABEL_LEN, tempLabel};
411
412	ortn = SecKeychainOpen(kcName, &kcRef);
413	if(ortn) {
414	cssmPerror("SecKeychainOpen", ortn);
415	return -1;
416	}
417	/* subsequent errors to errOut: */
418
419	/* Get CSSM handles */
420	ortn = SecKeychainGetCSPHandle(kcRef, &cspHand);
421	if(ortn) {
422	cssmPerror("SecKeychainGetCSPHandle", ortn);
423	ourRtn = -1;
424	goto errOut;
425	}
426	ortn = SecKeychainGetDLDBHandle(kcRef, &dlDbHand);
427	if(ortn) {
428	cssmPerror("SecKeychainGetCSPHandle", ortn);
429	ourRtn = -1;
430	goto errOut;
431	}
432
433	/* public key hash from raw CSP */
434	crtn = keyDigest(rawCspHand, pubKey, &digest);
435	if(crtn) {
436	ourRtn = -1;
437	goto errOut;
438	}
439
440	/* random label for initial storage and later retrieval */
441	appGetRandomBytes(tempLabel, SHA1_LABEL_LEN);
442
443	/* import the key into the keychain's DLDB */
444	memset(&importedKey, 0, sizeof(CSSM_KEY));
445	crtn = importToDlDb(cspHand, &dlDbHand, pubKey, &labelData, &importedKey);
446	if(crtn) {
447	ourRtn = -1;
448	goto errOut;
449	}
450
451	/* don't need this */
452	CSSM_FreeKey(cspHand, NULL, &importedKey, CSSM_FALSE);
453
454	/* update the label and printName attributes */
455	crtn = setPubKeyLabel(cspHand, &dlDbHand, &labelData, digest, &newPrintName);
456	if(crtn) {
457	ourRtn = -1;
458	}
459	errOut:
460	CFRelease(kcRef);
461	if(digest) {
462	APP_FREE(digest->Data);
463	APP_FREE(digest);
464	}
465	return ourRtn;
466	}
467
468	int main(int argc, char **argv)
469	{
470	char *privKeyFile = NULL;
471	char *pubKeyFile = NULL;
472	char *certFile = NULL;
473	char *outFile = NULL;
474	bool printDigest = false;
475	CSSM_KEYBLOB_FORMAT keyForm = CSSM_KEYBLOB_RAW_FORMAT_NONE;
476	char *kcName = NULL;
477
478	if(argc < 3) {
479	usage(argv);
480	}
481	extern char *optarg;
482	int arg;
483	while ((arg = getopt(argc, argv, "k:b:c:do:f:K:h")) != -1) {
484	switch (arg) {
485	case 'k':
486	privKeyFile = optarg;
487	break;
488	case 'b':
489	pubKeyFile = optarg;
490	break;
491	case 'c':
492	certFile = optarg;
493	break;
494	case 'd':
495	printDigest = true;
496	break;
497	case 'o':
498	outFile = optarg;
499	break;
500	case 'f':
501	if(!strcmp("pkcs1", optarg)) {
502	keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
503	}
504	else if(!strcmp("pkcs8", optarg)) {
505	keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
506	}
507	else if(!strcmp("x509", optarg)) {
508	keyForm = CSSM_KEYBLOB_RAW_FORMAT_X509;
509	}
510	break;
511	case 'K':
512	kcName = optarg;
513	break;
514	case 'h':
515	usage(argv);
516	}
517	}
518	if(optind != argc) {
519	usage(argv);
520	}
521
522	CSSM_DATA privKeyBlob = {0, NULL};
523	CSSM_DATA pubKeyBlob = {0, NULL};
524	CSSM_KEY thePrivKey; // constructed
525	CSSM_KEY thePubKey; // null-wrapped
526	CSSM_KEY_PTR pubKey = NULL;
527	CSSM_KEY_PTR privKey = NULL;
528	CSSM_RETURN crtn;
529	CSSM_CL_HANDLE clHand = 0;
530	CSSM_CSP_HANDLE cspHand = cuCspStartup(CSSM_TRUE);
531
532	/* gather input */
533	if(privKeyFile) {
534	/* key blob from a file ==> a private CSSM_KEY */
535
536	if(pubKeyFile \|\| certFile) {
537	printf("****Specify exactly one of {cert_file, priv_key_file, "
538	"pub_key_file}.\n");
539	exit(1);
540	}
541	unsigned len;
542	if(readFile(privKeyFile, &privKeyBlob.Data, &len)) {
543	printf("***Error reading private key from %s. Aborting.\n", privKeyFile);
544	exit(1);
545	}
546	privKeyBlob.Length = len;
547	if(keyForm == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
548	/* default for private keys */
549	keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
550	}
551	crtn = inferCssmKey(privKeyBlob, true, keyForm, cspHand, thePrivKey);
552	if(crtn) {
553	goto errOut;
554	}
555	privKey = &thePrivKey;
556	}
557	if(pubKeyFile) {
558	/* key blob from a file ==> a public CSSM_KEY */
559
560	if(privKeyFile \|\| certFile) {
561	printf("****Specify exactly one of {cert_file, priv_key_file, "
562	"pub_key_file}.\n");
563	exit(1);
564	}
565
566	unsigned len;
567	if(readFile(pubKeyFile, &pubKeyBlob.Data, &len)) {
568	printf("***Error reading public key from %s. Aborting.\n", pubKeyFile);
569	exit(1);
570	}
571	pubKeyBlob.Length = len;
572	if(keyForm == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
573	/* default for public keys */
574	keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
575	}
576	crtn = inferCssmKey(pubKeyBlob, false, keyForm, cspHand, thePubKey);
577	if(crtn) {
578	goto errOut;
579	}
580	pubKey = &thePubKey;
581	}
582	if(certFile) {
583	/* cert from a file ==> a public CSSM_KEY */
584
585	if(privKeyFile \|\| pubKeyFile) {
586	printf("****Specify exactly one of {cert_file, priv_key_file, "
587	"pub_key_file}.\n");
588	exit(1);
589	}
590
591	CSSM_DATA certData = {0, NULL};
592	unsigned len;
593	if(readFile(certFile, &certData.Data, &len)) {
594	printf("***Error reading cert from %s. Aborting.\n", certFile);
595	exit(1);
596	}
597	certData.Length = len;
598
599	/* Extract public key - that's what we will be using later */
600	clHand = cuClStartup();
601	crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, &pubKey);
602	if(crtn) {
603	cssmPerror("CSSM_CL_CertGetKeyInfo", crtn);
604	goto errOut;
605	}
606	}
607
608	/* now do something useful */
609	if(printDigest) {
610	CSSM_KEY_PTR theKey = privKey;
611	if(theKey == NULL) {
612	/* maybe we got public key from a cert */
613	theKey = pubKey;
614	}
615	if(theKey == NULL) {
616	printf("***Can't calculate digest because I don't have a key or a clue.\n");
617	goto errOut;
618	}
619	CSSM_DATA_PTR dig = NULL;
620	crtn = keyDigest(cspHand, theKey, &dig);
621	if(crtn) {
622	printf("Sorry, can't get the digest for this key.\n");
623	goto errOut;
624	}
625	if((dig == NULL) \|\| (dig->Length == 0)) {
626	printf("Screwup calculating digest.\n");
627	goto errOut;
628	}
629	printf("Key Digest:\n");
630	for(unsigned dex=0; dex<dig->Length; dex++) {
631	printf("%02X ", dig->Data[dex]);
632	}
633	printf("\n");
634	APP_FREE(dig->Data);
635	APP_FREE(dig);
636	}
637
638	if(outFile \|\| kcName) {
639	/* get a public key if we don't already have one */
640	if(pubKey == NULL) {
641	if(privKey == NULL) {
642	printf("***PubKey file name specified but no privKey or cert. "
643	"Aborting.\n");
644	goto errOut;
645	}
646	crtn = pubKeyFromPrivKey(cspHand, privKey, &thePubKey);
647	if(crtn) {
648	goto errOut;
649	}
650	pubKey = &thePubKey;
651	}
652	}
653	if(outFile) {
654	if(writeFile(outFile, pubKey->KeyData.Data, pubKey->KeyData.Length)) {
655	printf("***Error writing to %s.\n", outFile);
656	}
657	else {
658	printf("...%lu bytes written to %s.\n", pubKey->KeyData.Length, outFile);
659	}
660	}
661	if(kcName) {
662	if(pubKeyImport(kcName, pubKey, cspHand) == 0) {
663	printf("....public key %s imported to %s\n", pubKeyFile, kcName);
664	}
665	else {
666	printf("***Error importing public key %s to %s\n", pubKeyFile, kcName);
667	}
668	}
669	errOut:
670	/* clean up here if you must */
671	return 0;
672	}