Merge pull request #2182 from hanno-arm/key_pwd

Add support for password protected key files to ssl_server2 and ssl_client2
2025-07-29 11:41:15 +03:00 · 2020-08-24 09:42:38 +02:00
parent 5fe5b823d4 721f7c1e64
commit 6edfe60e0d
9 changed files with 130 additions and 15 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -101,6 +101,7 @@ int main( void )
 #define DFL_CRT_FILE            ""
 #define DFL_KEY_FILE            ""
 #define DFL_KEY_OPAQUE          0
+#define DFL_KEY_PWD             ""
 #define DFL_PSK                 ""
 #define DFL_PSK_OPAQUE          0
 #define DFL_PSK_IDENTITY        "Client_identity"
@ -173,7 +174,9 @@ int main( void )
    "                        use \"none\" to skip loading any top-level CAs.\n" \
    "    crt_file=%%s         Your own cert and chain (in bottom to top order, top may be omitted)\n" \
    "                        default: \"\" (pre-loaded)\n" \
-    "    key_file=%%s         default: \"\" (pre-loaded)\n"
+    "    key_file=%%s         default: \"\" (pre-loaded)\n"\
+    "    key_pwd=%%s          Password for key specified by key_file argument\n"\
+    "                        default: none\n"
 #else
 #define USAGE_IO \
    "    No file operations available (MBEDTLS_FS_IO not defined)\n"
@ -485,6 +488,7 @@ struct options
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
    int ca_callback;            /* Use callback for trusted certificate list */
 #endif
+    const char *key_pwd;        /* the password for the client key          */
    const char *psk;            /* the pre-shared key                       */
    const char *psk_identity;   /* the pre-shared key identity              */
    const char *ecjpake_pw;     /* the EC J-PAKE password                   */
@ -1249,6 +1253,7 @@ int main( int argc, char *argv[] )
    opt.crt_file            = DFL_CRT_FILE;
    opt.key_file            = DFL_KEY_FILE;
    opt.key_opaque          = DFL_KEY_OPAQUE;
+    opt.key_pwd             = DFL_KEY_PWD;
    opt.psk                 = DFL_PSK;
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
    opt.psk_opaque          = DFL_PSK_OPAQUE;
@ -1368,6 +1373,8 @@ int main( int argc, char *argv[] )
            opt.crt_file = q;
        else if( strcmp( p, "key_file" ) == 0 )
            opt.key_file = q;
+        else if( strcmp( p, "key_pwd" ) == 0 )
+            opt.key_pwd = q;
 #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
        else if( strcmp( p, "key_opaque" ) == 0 )
            opt.key_opaque = atoi( q );
@ -2077,7 +2084,7 @@ int main( int argc, char *argv[] )
    else
 #if defined(MBEDTLS_FS_IO)
    if( strlen( opt.key_file ) )
-        ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" );
+        ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd );
    else
 #endif
 #if defined(MBEDTLS_CERTS_C)