author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-04-03 14:54:15 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-04-03 20:49:13 +0200 |
commit | f57af19286b5ab83df41679b0d04ef929cdfb01f (patch) | |
tree | 5bd88b2d6e5c9c8fdafdbca5d6b94f71e1cc075b | |
parent | eb17620a2b13faae062f5c124c3d76b8dd884635 (diff) | |
download | gnutls-f57af19286b5ab83df41679b0d04ef929cdfb01f.tar.gz |
changed the behavior in certtool's PKCS #8 key export with no password
By default when no password is specified, an unencrypted key is output.
The previous behavior of encrypting using an empty password can be
replicated using --empty-password.
-rw-r--r-- | src/certtool-args.def | 6 | ||||
-rw-r--r-- | src/certtool-common.c | 15 | ||||
-rw-r--r-- | src/certtool-common.h | 1 | ||||
-rw-r--r-- | src/certtool.c | 5 |
4 files changed, 22 insertions, 5 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index b9b29b87e1..24d691ed36 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -170,6 +170,12 @@ flag = {
 };
 
 flag = {
+    name = empty-password;
+    descrip = "Enforce an empty password";
+    doc = "This option enforces an empty password. This is different than the NULL or no password in schemas like PKCS #8.";
+};
+
+flag = {
     name = certificate-info;
     value = i;
     descrip = "Print information on the given certificate";
diff --git a/src/certtool-common.c b/src/certtool-common.c
index c5d28668c1..853b491a3c 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -104,20 +104,25 @@ gnutls_datum_t *load_secret_key(int mand, common_info_st * info)
 const char *get_password(common_info_st * cinfo, unsigned int *flags,
 			 int confirm)
 {
+	const char *p;
+
 	if (cinfo->null_password) {
 		if (flags)
 			*flags |= GNUTLS_PKCS_NULL_PASSWORD;
 		return NULL;
 	} else if (cinfo->password) {
-		if (cinfo->password[0] == 0 && flags)
-			*flags |= GNUTLS_PKCS_PLAIN;
-		return cinfo->password;
+		p = cinfo->password;
 	} else {
 		if (confirm)
-			return get_confirmed_pass(true);
+			p = get_confirmed_pass(true);
 		else
-			return get_pass();
+			p = get_pass();
 	}
+
+	if (p[0] == 0 && flags && !cinfo->empty_password)
+		*flags |= GNUTLS_PKCS_PLAIN;
+
+	return p;
 }
 
 static gnutls_privkey_t _load_privkey(gnutls_datum_t * dat,
diff --git a/src/certtool-common.h b/src/certtool-common.h
index b300988487..d55c007a60 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -49,6 +49,7 @@ typedef struct common_info {
 	const char *pkcs_cipher;
 	const char *password;
 	int null_password;
+	int empty_password;
 	unsigned int crq_extensions;
 	unsigned int v1_cert;
diff --git a/src/certtool.c b/src/certtool.c
index aff75e9e14..8a5988cbc5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
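Review bot: The `doc` string of the new `empty-password` flag explains what the option does but not what happens without it, which is the behaviour change this commit introduces (per the commit message, an omitted password now yields an unencrypted PKCS #8 key instead of one encrypted with an empty password). Users reading `--help` cannot tell from this text that omitting the option changes the protection of the exported key. Suggest extending the doc line: `doc = "This option enforces an empty password. This is different from the NULL or no password in schemas like PKCS #8. Without this option an omitted or empty password results in an unencrypted key.";`. The phrase "different than" should also read "different from".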
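Review bot: The new `if (p[0] == 0 && flags && !cinfo->empty_password)` dereferences the pointer returned by `get_pass()`/`get_confirmed_pass()` before checking it; if either helper can return NULL (for example on EOF or a terminal error, which is not visible in this hunk), the rewritten function crashes where the old code simply returned that NULL to the caller. Guarding the test keeps the previous behaviour for that case: `if (p != NULL && p[0] == 0 && flags && !cinfo->empty_password)`. A one-line comment above the check stating that an empty string without `empty_password` now means plaintext export, and that the flag is the only way to get encryption with an empty passphrase, would also document the behaviour change this commit makes.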
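Review bot: `int empty_password;` is added next to `null_password` without a comment, and the two encode different PKCS #8 outcomes (encrypting with the empty string versus having no password at all) that are easy to confuse at call sites. A trailing comment on the new line, e.g. `int empty_password; /* encrypt with "" instead of exporting in plaintext */`, would make the distinction visible where the field is declared. The struct definition starts and ends outside this hunk.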
@@ -1129,6 +1129,11 @@ static void cmd_parser(int argc, char **argv)
 		cinfo.password = "";
 	}
 
+	if (HAVE_OPT(EMPTY_PASSWORD)) {
+		cinfo.empty_password = 1;
+		cinfo.password = "";
+	}
+
 	if (HAVE_OPT(GENERATE_SELF_SIGNED))
 		generate_self_signed(&cinfo);
 	else if (HAVE_OPT(GENERATE_CERTIFICATE))
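Review bot: The new `HAVE_OPT(EMPTY_PASSWORD)` block assigns `cinfo.password = ""` unconditionally, so it silently discards a value supplied with `--password`, and if the preceding block (its start is outside the hunk; it also sets `cinfo.password = ""` and presumably handles `--null-password`) ran as well, both flags are set and `null_password` takes precedence in get_password(), giving a NULL-password PKCS #8 key although the user asked for an empty one. Conflicting options should be rejected at parse time rather than resolved by precedence, for instance by adding inside the new block `if (cinfo.null_password) { fprintf(stderr, "--empty-password and --null-password are mutually exclusive\n"); exit(1); }`, using whatever error-exit helper cmd_parser already uses for bad option combinations. cmd_parser's body starts and ends outside this hunk.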