authorNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-22 14:03:08 +0300
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-22 14:03:08 +0300
commit628c62e935effc1c276fa6e4ae653f8488e017be (patch)
tree437a332054f9a41d4329527f4224cfab542c4e12
parent07837c92f65f09b58c0ec55e3f49382ce0d71ba5 (diff)
downloadgnutls-628c62e935effc1c276fa6e4ae653f8488e017be.tar.gz
Added the --v1 option to certtool to allow generating version 1 certificates.
-rw-r--r--NEWS3
-rw-r--r--src/certtool-gaa.c121
-rw-r--r--src/certtool-gaa.h26
-rw-r--r--src/certtool.c400
-rw-r--r--src/certtool.gaa5
5 files changed, 300 insertions, 255 deletions
diff --git a/NEWS b/NEWS
index cf11040f68..bb3f368ae9 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
* Version 2.1.4 (unreleased)
+** Added the --v1 option to certtool, to allow generating X.509
+version 1 certificates.
+
** API and ABI modifications:
gnutls_openpgp_key_t: RENAMED to gnutls_openpgp_crt_t
gnutls_openpgp_key_status_t: RENAMEDS gnutls_openpgp_crt_status_t
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index 3c9e75bbdf..702a8d30ea 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -153,6 +153,7 @@ void gaa_help(void)
__gaa_helpsingle(0, "smime-to-p7", "", "Convert S/MIME to PKCS #7 structure.");
__gaa_helpsingle('k', "key-info", "", "Print information on a private key.");
__gaa_helpsingle(0, "fix-key", "", "Regenerate the parameters in a private key.");
+ __gaa_helpsingle(0, "v1", "", "Generate an X.509 version 1 certificate (no extensions).");
__gaa_helpsingle(0, "to-p12", "", "Generate a PKCS #12 structure.");
__gaa_helpsingle('8', "pkcs8", "", "Use PKCS #8 format for private keys.");
__gaa_helpsingle(0, "dsa", "", "Use DSA keys.");
@@ -182,30 +183,32 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 107 "certtool.gaa"
+#line 110 "certtool.gaa"
int debug;
-#line 103 "certtool.gaa"
+#line 106 "certtool.gaa"
char *template;
-#line 100 "certtool.gaa"
+#line 103 "certtool.gaa"
char *infile;
-#line 97 "certtool.gaa"
+#line 100 "certtool.gaa"
char *outfile;
-#line 94 "certtool.gaa"
+#line 97 "certtool.gaa"
int quick_random;
-#line 91 "certtool.gaa"
+#line 94 "certtool.gaa"
int bits;
-#line 88 "certtool.gaa"
+#line 91 "certtool.gaa"
int outcert_format;
-#line 85 "certtool.gaa"
+#line 88 "certtool.gaa"
int incert_format;
-#line 82 "certtool.gaa"
+#line 85 "certtool.gaa"
int export;
-#line 79 "certtool.gaa"
+#line 82 "certtool.gaa"
char *hash;
-#line 76 "certtool.gaa"
+#line 79 "certtool.gaa"
int dsa;
-#line 73 "certtool.gaa"
+#line 76 "certtool.gaa"
int pkcs8;
+#line 71 "certtool.gaa"
+ int v1_cert;
#line 68 "certtool.gaa"
int fix_key;
#line 53 "certtool.gaa"
@@ -276,7 +279,7 @@ static int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 39
+#define GAA_NB_OPTION 40
#define GAAOPTID_version 1
#define GAAOPTID_help 2
#define GAAOPTID_debug 3
@@ -292,30 +295,31 @@ static int gaa_error = 0;
#define GAAOPTID_dsa 13
#define GAAOPTID_pkcs8 14
#define GAAOPTID_to_p12 15
-#define GAAOPTID_fix_key 16
-#define GAAOPTID_key_info 17
-#define GAAOPTID_smime_to_p7 18
-#define GAAOPTID_p7_info 19
-#define GAAOPTID_p12_info 20
-#define GAAOPTID_crl_info 21
-#define GAAOPTID_certificate_info 22
-#define GAAOPTID_password 23
-#define GAAOPTID_load_ca_certificate 24
-#define GAAOPTID_load_ca_privkey 25
-#define GAAOPTID_load_certificate 26
-#define GAAOPTID_load_request 27
-#define GAAOPTID_load_privkey 28
-#define GAAOPTID_get_dh_params 29
-#define GAAOPTID_generate_dh_params 30
-#define GAAOPTID_verify_crl 31
-#define GAAOPTID_verify_chain 32
-#define GAAOPTID_generate_request 33
-#define GAAOPTID_generate_privkey 34
-#define GAAOPTID_update_certificate 35
-#define GAAOPTID_generate_crl 36
-#define GAAOPTID_generate_proxy 37
-#define GAAOPTID_generate_certificate 38
-#define GAAOPTID_generate_self_signed 39
+#define GAAOPTID_v1 16
+#define GAAOPTID_fix_key 17
+#define GAAOPTID_key_info 18
+#define GAAOPTID_smime_to_p7 19
+#define GAAOPTID_p7_info 20
+#define GAAOPTID_p12_info 21
+#define GAAOPTID_crl_info 22
+#define GAAOPTID_certificate_info 23
+#define GAAOPTID_password 24
+#define GAAOPTID_load_ca_certificate 25
+#define GAAOPTID_load_ca_privkey 26
+#define GAAOPTID_load_certificate 27
+#define GAAOPTID_load_request 28
+#define GAAOPTID_load_privkey 29
+#define GAAOPTID_get_dh_params 30
+#define GAAOPTID_generate_dh_params 31
+#define GAAOPTID_verify_crl 32
+#define GAAOPTID_verify_chain 33
+#define GAAOPTID_generate_request 34
+#define GAAOPTID_generate_privkey 35
+#define GAAOPTID_update_certificate 36
+#define GAAOPTID_generate_crl 37
+#define GAAOPTID_generate_proxy 38
+#define GAAOPTID_generate_certificate 39
+#define GAAOPTID_generate_self_signed 40
#line 168 "gaa.skel"
@@ -626,6 +630,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECK1STR("", GAAOPTID_dsa);
GAA_CHECK1STR("8", GAAOPTID_pkcs8);
GAA_CHECK1STR("", GAAOPTID_to_p12);
+ GAA_CHECK1STR("", GAAOPTID_v1);
GAA_CHECK1STR("", GAAOPTID_fix_key);
GAA_CHECK1STR("k", GAAOPTID_key_info);
GAA_CHECK1STR("", GAAOPTID_smime_to_p7);
@@ -663,6 +668,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("dsa", GAAOPTID_dsa);
GAA_CHECKSTR("pkcs8", GAAOPTID_pkcs8);
GAA_CHECKSTR("to-p12", GAAOPTID_to_p12);
+ GAA_CHECKSTR("v1", GAAOPTID_v1);
GAA_CHECKSTR("fix-key", GAAOPTID_fix_key);
GAA_CHECKSTR("key-info", GAAOPTID_key_info);
GAA_CHECKSTR("smime-to-p7", GAAOPTID_smime_to_p7);
@@ -733,14 +739,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
{
case GAAOPTID_version:
OK = 0;
-#line 112 "certtool.gaa"
+#line 115 "certtool.gaa"
{ certtool_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 110 "certtool.gaa"
+#line 113 "certtool.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
@@ -750,7 +756,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1);
gaa_index++;
-#line 108 "certtool.gaa"
+#line 111 "certtool.gaa"
{ gaaval->debug = GAATMP_debug.arg1 ;};
return GAA_OK;
@@ -760,7 +766,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_template.arg1, gaa_getstr, GAATMP_template.size1);
gaa_index++;
-#line 104 "certtool.gaa"
+#line 107 "certtool.gaa"
{ gaaval->template = GAATMP_template.arg1 ;};
return GAA_OK;
@@ -770,7 +776,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1);
gaa_index++;
-#line 101 "certtool.gaa"
+#line 104 "certtool.gaa"
{ gaaval->infile = GAATMP_infile.arg1 ;};
return GAA_OK;
@@ -780,14 +786,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1);
gaa_index++;
-#line 98 "certtool.gaa"
+#line 101 "certtool.gaa"
{ gaaval->outfile = GAATMP_outfile.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_quick_random:
OK = 0;
-#line 95 "certtool.gaa"
+#line 98 "certtool.gaa"
{ gaaval->quick_random = 1; ;};
return GAA_OK;
@@ -797,28 +803,28 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1);
gaa_index++;
-#line 92 "certtool.gaa"
+#line 95 "certtool.gaa"
{ gaaval->bits = GAATMP_bits.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_outder:
OK = 0;
-#line 89 "certtool.gaa"
+#line 92 "certtool.gaa"
{ gaaval->outcert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_inder:
OK = 0;
-#line 86 "certtool.gaa"
+#line 89 "certtool.gaa"
{ gaaval->incert_format=1 ;};
return GAA_OK;
break;
case GAAOPTID_export_ciphers:
OK = 0;
-#line 83 "certtool.gaa"
+#line 86 "certtool.gaa"
{ gaaval->export=1 ;};
return GAA_OK;
@@ -828,32 +834,39 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_hash.arg1, gaa_getstr, GAATMP_hash.size1);
gaa_index++;
-#line 80 "certtool.gaa"
+#line 83 "certtool.gaa"
{ gaaval->hash = GAATMP_hash.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_dsa:
OK = 0;
-#line 77 "certtool.gaa"
+#line 80 "certtool.gaa"
{ gaaval->dsa=1 ;};
return GAA_OK;
break;
case GAAOPTID_pkcs8:
OK = 0;
-#line 74 "certtool.gaa"
+#line 77 "certtool.gaa"
{ gaaval->pkcs8=1 ;};
return GAA_OK;
break;
case GAAOPTID_to_p12:
OK = 0;
-#line 71 "certtool.gaa"
+#line 74 "certtool.gaa"
{ gaaval->action = 8; ;};
return GAA_OK;
break;
+ case GAAOPTID_v1:
+ OK = 0;
+#line 72 "certtool.gaa"
+{ gaaval->v1_cert = 1; ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_fix_key:
OK = 0;
#line 69 "certtool.gaa"
@@ -1064,10 +1077,10 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 114 "certtool.gaa"
+#line 117 "certtool.gaa"
{ gaaval->bits = 2048; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL;
gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL;
- gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL;
+ gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; gaaval->v1_cert = 0;
gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=0; ;};
}
diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h
index 891360ef98..abda1a0c17 100644
--- a/src/certtool-gaa.h
+++ b/src/certtool-gaa.h
@@ -8,30 +8,32 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 107 "certtool.gaa"
+#line 110 "certtool.gaa"
int debug;
-#line 103 "certtool.gaa"
+#line 106 "certtool.gaa"
char *template;
-#line 100 "certtool.gaa"
+#line 103 "certtool.gaa"
char *infile;
-#line 97 "certtool.gaa"
+#line 100 "certtool.gaa"
char *outfile;
-#line 94 "certtool.gaa"
+#line 97 "certtool.gaa"
int quick_random;
-#line 91 "certtool.gaa"
+#line 94 "certtool.gaa"
int bits;
-#line 88 "certtool.gaa"
+#line 91 "certtool.gaa"
int outcert_format;
-#line 85 "certtool.gaa"
+#line 88 "certtool.gaa"
int incert_format;
-#line 82 "certtool.gaa"
+#line 85 "certtool.gaa"
int export;
-#line 79 "certtool.gaa"
+#line 82 "certtool.gaa"
char *hash;
-#line 76 "certtool.gaa"
+#line 79 "certtool.gaa"
int dsa;
-#line 73 "certtool.gaa"
+#line 76 "certtool.gaa"
int pkcs8;
+#line 71 "certtool.gaa"
+ int v1_cert;
#line 68 "certtool.gaa"
int fix_key;
#line 53 "certtool.gaa"
diff --git a/src/certtool.c b/src/certtool.c
index 16553899c3..b653ef05a1 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -41,7 +41,7 @@
#include <progname.h>
#include <version-etc.h>
-static void print_crl_info (gnutls_x509_crl_t crl, FILE *out);
+static void print_crl_info (gnutls_x509_crl_t crl, FILE * out);
int generate_prime (int bits, int how);
void pkcs7_info (void);
void smime_to_pkcs7 (void);
@@ -57,7 +57,7 @@ gnutls_x509_crt_t load_cert (int mand);
void certificate_info (void);
void crl_info (void);
void privkey_info (void);
-static void print_certificate_info (gnutls_x509_crt_t crt, FILE *out,
+static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
unsigned int);
static void gaa_parser (int argc, char **argv);
void generate_self_signed (void);
@@ -134,8 +134,9 @@ generate_private_key_int (void)
gnutls_pk_algorithm_get_name (key_type));
if (info.quick_random == 0)
- fprintf (stderr, "This might take several minutes depending on availability of randomness"
- " in /dev/random. You can consider using --quick-random option but this reduces the quality of randomness used.\n");
+ fprintf (stderr,
+ "This might take several minutes depending on availability of randomness"
+ " in /dev/random. You can consider using --quick-random option but this reduces the quality of randomness used.\n");
ret = gnutls_x509_privkey_generate (key, key_type, info.bits, 0);
if (ret < 0)
@@ -201,8 +202,7 @@ generate_private_key (void)
gnutls_x509_crt_t
generate_certificate (gnutls_x509_privkey_t * ret_key,
- gnutls_x509_crt_t ca_crt,
- int proxy)
+ gnutls_x509_crt_t ca_crt, int proxy)
{
gnutls_x509_crt_t crt;
gnutls_x509_privkey_t key = NULL;
@@ -211,10 +211,9 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
int serial, client;
int days, result, ca_status = 0, path_len;
const char *str;
- int vers = 3; /* the default version in the certificate
- */
+ int vers;
unsigned int usage = 0, server;
- gnutls_x509_crq_t crq; /* request */
+ gnutls_x509_crq_t crq; /* request */
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
@@ -238,8 +237,8 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
{
result = gnutls_x509_crt_set_proxy_dn (crt, ca_crt, 0, NULL, 0);
if (result < 0)
- error (EXIT_FAILURE, 0, "set_proxy_dn: %s",
- gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "set_proxy_dn: %s",
+ gnutls_strerror (result));
get_cn_crt_set (crt);
}
@@ -300,207 +299,227 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
if (!batch)
fprintf (stderr, "\n\nExtensions.\n");
- if (proxy)
+ /* do not allow extensions on a v1 certificate */
+ if (info.v1_cert == 0)
{
- const char *policylanguage;
- char *policy;
- size_t policylen;
- int proxypathlen = get_path_len ();
- if (!batch)
+ if (proxy)
{
- printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
- printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
- }
+ const char *policylanguage;
+ char *policy;
+ size_t policylen;
+ int proxypathlen = get_path_len ();
- policylanguage = get_proxy_policy (&policy, &policylen);
+ if (!batch)
+ {
+ printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
+ printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
+ }
- result = gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage,
- policy, policylen);
- if (result < 0)
- error (EXIT_FAILURE, 0, "set_proxy: %s", gnutls_strerror (result));
- }
+ policylanguage = get_proxy_policy (&policy, &policylen);
- if (!proxy)
- ca_status = get_ca_status ();
- if (ca_status)
- path_len = get_path_len ();
- else
- path_len = -1;
+ result =
+ gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage,
+ policy, policylen);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "set_proxy: %s",
+ gnutls_strerror (result));
+ }
- result = gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len);
- if (result < 0)
- error (EXIT_FAILURE, 0, "basic_constraints: %s", gnutls_strerror (result));
+ if (!proxy)
+ ca_status = get_ca_status ();
+ if (ca_status)
+ path_len = get_path_len ();
+ else
+ path_len = -1;
- client = get_tls_client_status ();
- if (client != 0)
- {
- result = gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_TLS_WWW_CLIENT,
- 0);
+ result =
+ gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len);
if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
- }
+ error (EXIT_FAILURE, 0, "basic_constraints: %s",
+ gnutls_strerror (result));
- server = get_tls_server_status ();
- if (server != 0)
- {
- result = 0;
+ client = get_tls_client_status ();
+ if (client != 0)
+ {
+ result = gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_TLS_WWW_CLIENT,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
+ }
- if (!proxy)
+ server = get_tls_server_status ();
+ if (server != 0)
{
- str = get_dns_name ();
- if (str != NULL)
- {
- result = gnutls_x509_crt_set_subject_alternative_name
- (crt, GNUTLS_SAN_DNSNAME, str);
- }
- else
+ result = 0;
+
+ if (!proxy)
{
- str = get_ip_addr ();
+ str = get_dns_name ();
if (str != NULL)
{
result = gnutls_x509_crt_set_subject_alternative_name
- (crt, GNUTLS_SAN_IPADDRESS, str);
+ (crt, GNUTLS_SAN_DNSNAME, str);
+ }
+ else
+ {
+ str = get_ip_addr ();
+ if (str != NULL)
+ {
+ result = gnutls_x509_crt_set_subject_alternative_name
+ (crt, GNUTLS_SAN_IPADDRESS, str);
+ }
}
+
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "subject_alt_name: %s",
+ gnutls_strerror (result));
}
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_TLS_WWW_SERVER, 0);
if (result < 0)
- error (EXIT_FAILURE, 0, "subject_alt_name: %s",
- gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
}
+ else if (!proxy)
+ {
+ str = get_email ();
- result =
- gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_TLS_WWW_SERVER, 0);
- if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
- }
- else if (!proxy)
- {
- str = get_email ();
+ if (str != NULL)
+ {
+ result = gnutls_x509_crt_set_subject_alternative_name
+ (crt, GNUTLS_SAN_RFC822NAME, str);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "subject_alt_name: %s",
+ gnutls_strerror (result));
+ }
+ }
- if (str != NULL)
+ if (!ca_status || server)
{
- result = gnutls_x509_crt_set_subject_alternative_name
- (crt, GNUTLS_SAN_RFC822NAME, str);
- if (result < 0)
- error (EXIT_FAILURE, 0, "subject_alt_name: %s",
- gnutls_strerror (result));
- }
- }
+ int pk;
- if (!ca_status || server)
- {
- int pk;
+ pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
+ if (pk != GNUTLS_PK_DSA)
+ { /* DSA keys can only sign.
+ */
+ result = get_sign_status (server);
+ if (result)
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
- pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
+ result = get_encrypt_status (server);
+ if (result)
+ usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
+ }
+ else
+ usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+ }
- if (pk != GNUTLS_PK_DSA)
- { /* DSA keys can only sign.
- */
- result = get_sign_status (server);
+
+ if (ca_status)
+ {
+ result = get_cert_sign_status ();
if (result)
- usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+ usage |= GNUTLS_KEY_KEY_CERT_SIGN;
- result = get_encrypt_status (server);
+ result = get_crl_sign_status ();
if (result)
- usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
- }
- else
- usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
- }
+ usage |= GNUTLS_KEY_CRL_SIGN;
+ result = get_code_sign_status ();
+ if (result)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_CODE_SIGNING,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
- if (ca_status)
- {
- result = get_cert_sign_status ();
- if (result)
- usage |= GNUTLS_KEY_KEY_CERT_SIGN;
+ result = get_ocsp_sign_status ();
+ if (result)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_OCSP_SIGNING,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
- result = get_crl_sign_status ();
- if (result)
- usage |= GNUTLS_KEY_CRL_SIGN;
+ result = get_time_stamp_status ();
+ if (result)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_TIME_STAMPING,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
+ }
- result = get_code_sign_status ();
- if (result)
+ if (usage != 0)
{
- result =
- gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_CODE_SIGNING, 0);
+ result = gnutls_x509_crt_set_key_usage (crt, usage);
if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "key_usage: %s",
+ gnutls_strerror (result));
}
- result = get_ocsp_sign_status ();
- if (result)
+ /* Subject Key ID.
+ */
+ size = sizeof (buffer);
+ result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size);
+ if (result >= 0)
{
- result =
- gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_OCSP_SIGNING, 0);
+ result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size);
if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "set_subject_key_id: %s",
+ gnutls_strerror (result));
}
- result = get_time_stamp_status ();
- if (result)
+ /* Authority Key ID.
+ */
+ if (ca_crt != NULL)
{
- result =
- gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_TIME_STAMPING, 0);
+ size = sizeof (buffer);
+ result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
+ &size, NULL);
if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
+ {
+ size = sizeof (buffer);
+ result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
+ }
+ if (result >= 0)
+ {
+ result =
+ gnutls_x509_crt_set_authority_key_id (crt, buffer, size);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
+ gnutls_strerror (result));
+ }
}
}
- if (usage != 0)
- {
- result = gnutls_x509_crt_set_key_usage (crt, usage);
- if (result < 0)
- error (EXIT_FAILURE, 0, "key_usage: %s", gnutls_strerror (result));
- }
-
/* Version.
*/
+ if (info.v1_cert != 0)
+ vers = 1;
+ else
+ vers = 3;
result = gnutls_x509_crt_set_version (crt, vers);
if (result < 0)
error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
- /* Subject Key ID.
- */
- size = sizeof (buffer);
- result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size);
- if (result >= 0)
- {
- result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size);
- if (result < 0)
- error (EXIT_FAILURE, 0, "set_subject_key_id: %s",
- gnutls_strerror (result));
- }
-
- /* Authority Key ID.
- */
- if (ca_crt != NULL)
- {
- size = sizeof (buffer);
- result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
- &size, NULL);
- if (result < 0)
- {
- size = sizeof (buffer);
- result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
- }
- if (result >= 0)
- {
- result = gnutls_x509_crt_set_authority_key_id (crt, buffer, size);
- if (result < 0)
- error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
- gnutls_strerror (result));
- }
- }
-
*ret_key = key;
return crt;
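Review bot: The `Extensions.` prompt at the top of this hunk is still printed before the new `if (info.v1_cert == 0)` guard, so an interactive --v1 run shows an `Extensions.` heading followed by nothing; guard it as well, `if (!batch && info.v1_cert == 0) fprintf (stderr, "\n\nExtensions.\n");`. The v1 branch also skips get_ca_status(), the key-usage prompts and the subject/authority key IDs without saying so, which is right for a v1 certificate (RFC 3280 §4.1.2.9 forbids the extensions field below v3) but deserves a comment at the guard noting that the output carries no basicConstraints or keyUsage, so CA/end-entity status is left entirely to the verifier's policy for v1 certificates. In the earlier hunk `int vers = 3;` became `int vers;`; both branches of the new version selection assign it, but keeping the `= 3` default costs nothing and spares a reader the proof. generate_certificate's body continues outside the hunk.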
@@ -715,7 +734,8 @@ update_signed_certificate (void)
days = get_days ();
- result = gnutls_x509_crt_set_expiration_time (crt, tim + days * 24 * 60 * 60);
+ result =
+ gnutls_x509_crt_set_expiration_time (crt, tim + days * 24 * 60 * 60);
if (result < 0)
error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
@@ -805,7 +825,7 @@ gaa_parser (int argc, char **argv)
}
if (info.quick_random != 0)
- gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (info.debug);
@@ -909,7 +929,8 @@ certificate_info (void)
if (count > 1 && info.outcert_format == GNUTLS_X509_FMT_DER)
{
- error(0, 0, "Cannot output multiple certificates in DER format, using PEM instead.");
+ error (0, 0,
+ "Cannot output multiple certificates in DER format, using PEM instead.");
info.outcert_format = GNUTLS_X509_FMT_PEM;
}
@@ -921,13 +942,12 @@ certificate_info (void)
if (info.outcert_format == GNUTLS_X509_FMT_PEM)
print_certificate_info (crt[i], outfile, 1);
- size = sizeof (buffer);
- ret = gnutls_x509_crt_export (crt[i], info.outcert_format, buffer,
- &size);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "Export error: %s",
- gnutls_strerror (ret));
- fwrite (buffer, 1, size, outfile);
+ size = sizeof (buffer);
+ ret = gnutls_x509_crt_export (crt[i], info.outcert_format, buffer,
+ &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "Export error: %s", gnutls_strerror (ret));
+ fwrite (buffer, 1, size, outfile);
}
}
@@ -948,7 +968,7 @@ print_hex_datum (gnutls_datum_t * dat)
static void
-print_certificate_info (gnutls_x509_crt_t crt, FILE *out, unsigned int all)
+print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all)
{
gnutls_datum_t info;
int ret;
@@ -971,7 +991,7 @@ print_certificate_info (gnutls_x509_crt_t crt, FILE *out, unsigned int all)
}
static void
-print_crl_info (gnutls_x509_crl_t crl, FILE *out)
+print_crl_info (gnutls_x509_crl_t crl, FILE * out)
{
gnutls_datum_t info;
int ret;
@@ -1169,8 +1189,7 @@ load_private_key (int mand)
dat.size = size;
if (!dat.data)
- error (EXIT_FAILURE, errno, "reading --load-privkey: %s",
- info.privkey);
+ error (EXIT_FAILURE, errno, "reading --load-privkey: %s", info.privkey);
if (info.pkcs8)
{
@@ -1209,8 +1228,7 @@ load_request (void)
dat.size = size;
if (!dat.data)
- error (EXIT_FAILURE, errno, "reading --load-request: %s",
- info.request);
+ error (EXIT_FAILURE, errno, "reading --load-request: %s", info.request);
ret = gnutls_x509_crq_import (crq, &dat, info.incert_format);
free (dat.data);
@@ -1282,8 +1300,7 @@ load_ca_cert (void)
dat.size = size;
if (!dat.data)
- error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s",
- info.ca);
+ error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s", info.ca);
ret = gnutls_x509_crt_import (crt, &dat, info.incert_format);
free (dat.data);
@@ -1487,7 +1504,7 @@ _verify_x509_mem (const void *cert, int cert_size)
{
x509_crl_list =
(gnutls_x509_crl_t *) realloc (x509_crl_list,
- i * sizeof (gnutls_x509_crl_t));
+ i * sizeof (gnutls_x509_crl_t));
if (x509_crl_list == NULL)
error (EXIT_FAILURE, 0, "memory error");
@@ -1528,7 +1545,7 @@ _verify_x509_mem (const void *cert, int cert_size)
{
x509_cert_list =
(gnutls_x509_crt_t *) realloc (x509_cert_list,
- i * sizeof (gnutls_x509_crt_t));
+ i * sizeof (gnutls_x509_crt_t));
if (x509_cert_list == NULL)
error (EXIT_FAILURE, 0, "memory error");
@@ -1569,7 +1586,8 @@ _verify_x509_mem (const void *cert, int cert_size)
gnutls_x509_crt_get_issuer_dn (x509_cert_list[i - 2],
issuer_name, &issuer_name_size);
if (ret < 0)
- error (EXIT_FAILURE, 0, "get_issuer_dn: %s", gnutls_strerror (ret));
+ error (EXIT_FAILURE, 0, "get_issuer_dn: %s",
+ gnutls_strerror (ret));
fprintf (outfile, "\tIssued by: %s\n", issuer_name);
@@ -1634,7 +1652,8 @@ _verify_x509_mem (const void *cert, int cert_size)
fprintf (outfile, "\tIssued by: %s\n", name);
if (strcmp (issuer_name, name) != 0)
- error (EXIT_FAILURE, 0, "Error: The last certificate is not self signed.");
+ error (EXIT_FAILURE, 0,
+ "Error: The last certificate is not self signed.");
fprintf (outfile, "\tVerification output: ");
print_verification_res (x509_cert_list[x509_ncerts - 1],
@@ -1653,7 +1672,8 @@ _verify_x509_mem (const void *cert, int cert_size)
free (x509_crl_list);
if (ret < 0)
- error (EXIT_FAILURE, 0, "Error in verification: %s", gnutls_strerror (ret));
+ error (EXIT_FAILURE, 0, "Error in verification: %s",
+ gnutls_strerror (ret));
return 0;
}
@@ -1883,7 +1903,8 @@ generate_pkcs12 (void)
result = gnutls_pkcs12_bag_set_crt (bag, crts[i]);
if (result < 0)
- error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i, gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i,
+ gnutls_strerror (result));
index = result;
@@ -1895,14 +1916,16 @@ generate_pkcs12 (void)
size = sizeof (_key_id);
result = gnutls_x509_crt_get_key_id (crts[i], 0, _key_id, &size);
if (result < 0)
- error (EXIT_FAILURE, 0, "key_id[%d]: %s", i, gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "key_id[%d]: %s", i,
+ gnutls_strerror (result));
key_id.data = _key_id;
key_id.size = size;
result = gnutls_pkcs12_bag_set_key_id (bag, index, &key_id);
if (result < 0)
- error (EXIT_FAILURE, 0, "bag_set_key_id: %s", gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
+ gnutls_strerror (result));
if (info.export)
flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
@@ -1963,7 +1986,8 @@ generate_pkcs12 (void)
result = gnutls_pkcs12_bag_set_key_id (kbag, index, &key_id);
if (result < 0)
- error (EXIT_FAILURE, 0, "bag_set_key_id: %s", gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
+ gnutls_strerror (result));
result = gnutls_pkcs12_set_bag (pkcs12, kbag);
if (result < 0)
@@ -2112,7 +2136,7 @@ pkcs12_info (void)
index = 0;
- for (index = 0; ; index++)
+ for (index = 0;; index++)
{
result = gnutls_pkcs12_bag_init (&bag);
if (result < 0)
@@ -2194,7 +2218,7 @@ pkcs7_info (void)
size = sizeof (buffer);
result = gnutls_pkcs7_get_crt_raw (pkcs7, index, buffer, &size);
if (result < 0)
- break;
+ break;
data.data = buffer;
data.size = size;
@@ -2225,7 +2249,7 @@ pkcs7_info (void)
size = sizeof (buffer);
result = gnutls_pkcs7_get_crl_raw (pkcs7, index, buffer, &size);
if (result < 0)
- break;
+ break;
data.data = buffer;
data.size = size;
@@ -2287,5 +2311,5 @@ certtool_version (void)
{
version_etc (stdout, program_name, PACKAGE_STRING,
gnutls_check_version (NULL), "Nikos Mavroyanopoulos",
- "Simon Josefsson", (char*) NULL);
+ "Simon Josefsson", (char *) NULL);
}
diff --git a/src/certtool.gaa b/src/certtool.gaa
index a854e1072a..83fa637b23 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -68,6 +68,9 @@ option (k, key-info) { $action = 6; } "Print information on a private key."
#int fix_key;
option (fix-key) { $fix_key = 1; } "Regenerate the parameters in a private key."
+#int v1_cert;
+option (v1) { $v1_cert = 1; } "Generate an X.509 version 1 certificate (no extensions)."
+
option (to-p12) { $action = 8; } "Generate a PKCS #12 structure."
#int pkcs8;
@@ -113,6 +116,6 @@ option (v, version) { certtool_version(); exit(0); } "shows the program's versio
init { $bits = 2048; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
$debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert = NULL;
- $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL;
+ $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL; $v1_cert = 0;
$export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=0; }