authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-01 10:25:02 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-11-01 10:25:02 +0000
commit6759b42c5445bcb5ed90b1effe6bf7a9462df42d (patch)
tree64e6e75f1ea08b979d5982807a81dc44209f45b1
parent1ddd294bfcde6a5797793e64460d38346fc12d62 (diff)
downloadgnutls-6759b42c5445bcb5ed90b1effe6bf7a9462df42d.tar.gz
Added option to certtool to use export-grade algorithms. If a password is set in pkcs8 mode, the output structure will be encrypted.
-rw-r--r--src/certtool-gaa.c86
-rw-r--r--src/certtool-gaa.h14
-rw-r--r--src/certtool.c25
-rw-r--r--src/certtool.gaa6
4 files changed, 82 insertions, 49 deletions
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index 1d9d361e90..f490374cb6 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -135,6 +135,7 @@ void gaa_help(void)
__gaa_helpsingle('k', "key-info", "", "Print information on a private key.");
__gaa_helpsingle(0, "to-p12", "", "Generate a PKCS #12 structure.");
__gaa_helpsingle('8', "pkcs8", "", "Use PKCS #8 format for private keys.");
+ __gaa_helpsingle(0, "export-ciphers", "", "Use weak encryption algorithms.");
__gaa_helpsingle(0, "inder", "", "Use DER format for input certificates and private keys.");
__gaa_helpsingle(0, "outder", "", "Use DER format for output certificates and private keys.");
__gaa_helpsingle(0, "bits", "BITS ", "specify the number of bits for key generation.");
@@ -158,18 +159,20 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 62 "certtool.gaa"
+#line 65 "certtool.gaa"
int debug;
-#line 59 "certtool.gaa"
+#line 62 "certtool.gaa"
char *infile;
-#line 56 "certtool.gaa"
+#line 59 "certtool.gaa"
char *outfile;
-#line 53 "certtool.gaa"
+#line 56 "certtool.gaa"
int bits;
-#line 50 "certtool.gaa"
+#line 53 "certtool.gaa"
int outcert_format;
-#line 47 "certtool.gaa"
+#line 50 "certtool.gaa"
int incert_format;
+#line 47 "certtool.gaa"
+ int export;
#line 44 "certtool.gaa"
int pkcs8;
#line 33 "certtool.gaa"
@@ -240,7 +243,7 @@ int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 27
+#define GAA_NB_OPTION 28
#define GAAOPTID_copyright 1
#define GAAOPTID_version 2
#define GAAOPTID_help 3
@@ -250,24 +253,25 @@ int gaa_error = 0;
#define GAAOPTID_bits 7
#define GAAOPTID_outder 8
#define GAAOPTID_inder 9
-#define GAAOPTID_pkcs8 10
-#define GAAOPTID_to_p12 11
-#define GAAOPTID_key_info 12
-#define GAAOPTID_p12_info 13
-#define GAAOPTID_certificate_info 14
-#define GAAOPTID_password 15
-#define GAAOPTID_load_ca_certificate 16
-#define GAAOPTID_load_ca_privkey 17
-#define GAAOPTID_load_certificate 18
-#define GAAOPTID_load_request 19
-#define GAAOPTID_load_privkey 20
-#define GAAOPTID_generate_dh_params 21
-#define GAAOPTID_verify_chain 22
-#define GAAOPTID_generate_request 23
-#define GAAOPTID_generate_privkey 24
-#define GAAOPTID_update_certificate 25
-#define GAAOPTID_generate_certificate 26
-#define GAAOPTID_generate_self_signed 27
+#define GAAOPTID_export_ciphers 10
+#define GAAOPTID_pkcs8 11
+#define GAAOPTID_to_p12 12
+#define GAAOPTID_key_info 13
+#define GAAOPTID_p12_info 14
+#define GAAOPTID_certificate_info 15
+#define GAAOPTID_password 16
+#define GAAOPTID_load_ca_certificate 17
+#define GAAOPTID_load_ca_privkey 18
+#define GAAOPTID_load_certificate 19
+#define GAAOPTID_load_request 20
+#define GAAOPTID_load_privkey 21
+#define GAAOPTID_generate_dh_params 22
+#define GAAOPTID_verify_chain 23
+#define GAAOPTID_generate_request 24
+#define GAAOPTID_generate_privkey 25
+#define GAAOPTID_update_certificate 26
+#define GAAOPTID_generate_certificate 27
+#define GAAOPTID_generate_self_signed 28
#line 168 "gaa.skel"
@@ -560,6 +564,7 @@ int gaa_get_option_num(char *str, int status)
GAA_CHECK1STR("h", GAAOPTID_help);
GAA_CHECK1STR("", GAAOPTID_outder);
GAA_CHECK1STR("", GAAOPTID_inder);
+ GAA_CHECK1STR("", GAAOPTID_export_ciphers);
GAA_CHECK1STR("8", GAAOPTID_pkcs8);
GAA_CHECK1STR("", GAAOPTID_to_p12);
GAA_CHECK1STR("k", GAAOPTID_key_info);
@@ -585,6 +590,7 @@ int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("bits", GAAOPTID_bits);
GAA_CHECKSTR("outder", GAAOPTID_outder);
GAA_CHECKSTR("inder", GAAOPTID_inder);
+ GAA_CHECKSTR("export-ciphers", GAAOPTID_export_ciphers);
GAA_CHECKSTR("pkcs8", GAAOPTID_pkcs8);
GAA_CHECKSTR("to-p12", GAAOPTID_to_p12);
GAA_CHECKSTR("key-info", GAAOPTID_key_info);
@@ -647,21 +653,21 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_copyright:
OK = 0;
-#line 68 "certtool.gaa"
+#line 71 "certtool.gaa"
{ print_license(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_version:
OK = 0;
-#line 67 "certtool.gaa"
+#line 70 "certtool.gaa"
{ certtool_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 65 "certtool.gaa"
+#line 68 "certtool.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
@@ -671,7 +677,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1);
gaa_index++;
-#line 63 "certtool.gaa"
+#line 66 "certtool.gaa"
{ gaaval->debug = GAATMP_debug.arg1 ;};
return GAA_OK;
@@ -681,7 +687,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1);
gaa_index++;
-#line 60 "certtool.gaa"
+#line 63 "certtool.gaa"
{ gaaval->infile = GAATMP_infile.arg1 ;};
return GAA_OK;
@@ -691,7 +697,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1);
gaa_index++;
-#line 57 "certtool.gaa"
+#line 60 "certtool.gaa"
{ gaaval->outfile = GAATMP_outfile.arg1 ;};
return GAA_OK;
@@ -701,25 +707,32 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1);
gaa_index++;
-#line 54 "certtool.gaa"
+#line 57 "certtool.gaa"
{ gaaval->bits = GAATMP_bits.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_outder:
OK = 0;
-#line 51 "certtool.gaa"
+#line 54 "certtool.gaa"
{ gaaval->outcert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_inder:
OK = 0;
-#line 48 "certtool.gaa"
+#line 51 "certtool.gaa"
{ gaaval->incert_format=1 ;};
return GAA_OK;
break;
+ case GAAOPTID_export_ciphers:
+ OK = 0;
+#line 48 "certtool.gaa"
+{ gaaval->export=1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_pkcs8:
OK = 0;
#line 45 "certtool.gaa"
@@ -888,10 +901,11 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 70 "certtool.gaa"
+#line 73 "certtool.gaa"
{ gaaval->bits = 1024; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL;
gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL;
- gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; ;};
+ gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL;
+ gaaval->export = 0; ;};
}
inited = 1;
diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h
index 756c61b6bc..d2fd49acab 100644
--- a/src/certtool-gaa.h
+++ b/src/certtool-gaa.h
@@ -8,18 +8,20 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 62 "certtool.gaa"
+#line 65 "certtool.gaa"
int debug;
-#line 59 "certtool.gaa"
+#line 62 "certtool.gaa"
char *infile;
-#line 56 "certtool.gaa"
+#line 59 "certtool.gaa"
char *outfile;
-#line 53 "certtool.gaa"
+#line 56 "certtool.gaa"
int bits;
-#line 50 "certtool.gaa"
+#line 53 "certtool.gaa"
int outcert_format;
-#line 47 "certtool.gaa"
+#line 50 "certtool.gaa"
int incert_format;
+#line 47 "certtool.gaa"
+ int export;
#line 44 "certtool.gaa"
int pkcs8;
#line 33 "certtool.gaa"
diff --git a/src/certtool.c b/src/certtool.c
index 7cb9a32be5..d2844f3926 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -204,8 +204,14 @@ int size, ret;
exit(1);
}
} else {
+ unsigned int flags;
+
+ if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
+ else flags = GNUTLS_PKCS_USE_PKCS12_3DES;
+ if (info.pass == NULL) flags = GNUTLS_PKCS_PLAIN;
+
size = sizeof(buffer);
- ret = gnutls_x509_privkey_export_pkcs8( key, out_cert_format, NULL, GNUTLS_PKCS8_PLAIN, buffer, &size);
+ ret = gnutls_x509_privkey_export_pkcs8( key, out_cert_format, info.pass, flags, buffer, &size);
if (ret < 0) {
fprintf(stderr, "privkey_export_pkcs8: %s\n", gnutls_strerror(ret));
exit(1);
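Review bot: The new `if (info.pass == NULL) flags = GNUTLS_PKCS_PLAIN;` silently overrides the choice made two lines earlier, so `--export-ciphers` given without `--password` still writes an unencrypted PKCS #8 key with no indication to the user; a one-line notice such as `if (info.export && info.pass == NULL) fprintf(stderr, "export-ciphers has no effect without a password\n");` before the flags are chosen would make that visible. The RC2-40 branch also deserves a comment stating why it exists, e.g. `/* 40-bit RC2 is selected only for interoperability with older PKCS #12 consumers; it offers little confidentiality */`, so a later reader does not treat it as an ordinary alternative to 3DES. The same two-way selection is written out again twice in generate_pkcs12 (the hunks at 1463 and 1477); a small static helper returning the cipher flag from `info.export` would keep the three sites in step. The enclosing function starts and ends outside this hunk.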
@@ -779,7 +785,7 @@ void privkey_info( void)
if (!info.pkcs8) {
ret = gnutls_x509_privkey_import(key, &pem, in_cert_format);
} else {
- ret = gnutls_x509_privkey_import_pkcs8(key, &pem, in_cert_format, NULL, GNUTLS_PKCS8_PLAIN);
+ ret = gnutls_x509_privkey_import_pkcs8(key, &pem, in_cert_format, info.pass, 0);
}
if (ret < 0) {
@@ -850,7 +856,7 @@ size_t size;
ret = gnutls_x509_privkey_import( key, &dat, in_cert_format);
else
ret = gnutls_x509_privkey_import_pkcs8( key, &dat, in_cert_format,
- NULL, 0);
+ info.pass, 0);
if (ret < 0) {
fprintf(stderr, "privkey_import: %s\n", gnutls_strerror(ret));
@@ -939,7 +945,7 @@ size_t size;
ret = gnutls_x509_privkey_import( key, &dat, in_cert_format);
else
ret = gnutls_x509_privkey_import_pkcs8( key, &dat, in_cert_format,
- NULL, 0);
+ info.pass, 0);
if (ret < 0) {
fprintf(stderr, "privkey_import: %s\n", gnutls_strerror(ret));
@@ -1410,6 +1416,7 @@ void generate_pkcs12( void)
gnutls_datum data;
char* password;
const char* name;
+ unsigned int flags;
gnutls_datum key_id;
unsigned char _key_id[20];
int index;
@@ -1463,7 +1470,10 @@ void generate_pkcs12( void)
exit(1);
}
- result = gnutls_pkcs12_bag_encrypt( bag, password, 0);
+ if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
+ else flags = GNUTLS_PKCS8_USE_PKCS12_3DES;
+
+ result = gnutls_pkcs12_bag_encrypt( bag, password, flags);
if (result < 0) {
fprintf(stderr, "bag_encrypt: %s\n", gnutls_strerror(result));
exit(1);
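Review bot: The added `else` branch uses `GNUTLS_PKCS8_USE_PKCS12_3DES`, whereas the other two new selections in this commit (the next hunk in this function and the pkcs8 export path near line 204) spell it `GNUTLS_PKCS_USE_PKCS12_3DES`; the older spelling is what the next hunk removes, so it presumably still resolves, but the bag and key paths of one function should not name the same flag two ways — `else flags = GNUTLS_PKCS_USE_PKCS12_3DES;`. Because `flags` is computed identically here and again before the key export in the next hunk, computing it once ahead of the bag encryption and reusing it would remove the duplication and the chance of the two sites drifting apart. generate_pkcs12 continues outside this hunk.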
@@ -1477,9 +1487,12 @@ void generate_pkcs12( void)
exit(1);
}
+ if (info.export) flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
+ else flags = GNUTLS_PKCS_USE_PKCS12_3DES;
+
size = sizeof(buffer);
result = gnutls_x509_privkey_export_pkcs8( key, GNUTLS_X509_FMT_DER, password,
- GNUTLS_PKCS8_USE_PKCS12_3DES, buffer, &size);
+ flags, buffer, &size);
if (result < 0) {
fprintf(stderr, "key_export: %s\n", gnutls_strerror(result));
exit(1);
diff --git a/src/certtool.gaa b/src/certtool.gaa
index 24460820b9..5eef66e797 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -44,6 +44,9 @@ option (to-p12) { $action = 8; } "Generate a PKCS #12 structure."
#int pkcs8;
option (8, pkcs8) { $pkcs8=1 } "Use PKCS #8 format for private keys."
+#int export;
+option (export-ciphers) { $export=1 } "Use weak encryption algorithms."
+
#int incert_format;
option (inder) { $incert_format=1 } "Use DER format for input certificates and private keys."
@@ -69,5 +72,6 @@ option ( copyright) { print_license(); exit(0); } "shows the program's license"
init { $bits = 1024; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
$debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert = NULL;
- $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL; }
+ $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL;
+ $export = 0; }