From 1bdcceac380cbfe4fa78b3dd3dc3513663fab972 Mon Sep 17 00:00:00 2001 From: Tom Vrancken Date: Mon, 26 Aug 2019 17:12:40 +0200 Subject: Implemented raw public key support for gnutls-cli application. Signed-off-by: Tom Vrancken --- src/cli-args.def | 49 +++++++++++++++- src/cli.c | 172 ++++++++++++++++++++++++++++++++++++++----------------- src/common.c | 55 +++++++++++++++++- 3 files changed, 223 insertions(+), 53 deletions(-) diff --git a/src/cli-args.def b/src/cli-args.def index 621de61f3c..602eaf9058 100644 --- a/src/cli-args.def +++ b/src/cli-args.def @@ -238,6 +238,31 @@ flag = { flags-must = x509keyfile; }; +flag = { + name = rawpkkeyfile; + arg-type = string; + descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use"; + doc = "In order to instruct the application to negotiate raw public keys one +must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-* +and CTYPE-SRV-* flags). + +Check the GnuTLS manual on section ``Priority strings'' for more +information on how to set certificate types."; +}; + +flag = { + name = rawpkfile; + arg-type = string; + descrip = "Raw public-key file to use"; + doc = "In order to instruct the application to negotiate raw public keys one +must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-* +and CTYPE-SRV-* flags). + +Check the GnuTLS manual on section ``Priority strings'' for more +information on how to set certificate types."; + flags-must = rawpkkeyfile; +}; + flag = { name = srpusername; arg-type = string; @@ -467,7 +492,29 @@ Connecting to '127.0.0.1:5556'... - Simple Client Mode: @end example -By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake. +By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake. + +@subheading Connecting using raw public-key authentication +To connect to a server using raw public-key authentication, you need to enable the option to negotiate raw public-keys via the priority strings such as in the example below. +@example +$ ./gnutls-cli -p 5556 localhost --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK \ + --rawpkkeyfile cli.key.pem \ + --rawpkfile cli.rawpk.pem +Processed 1 client raw public key pair... +Resolving 'localhost'... +Connecting to '127.0.0.1:5556'... +- Successfully sent 1 certificate(s) to server. +- Server has requested a certificate. +- Certificate type: X.509 +- Got a certificate list of 1 certificates. +- Certificate[0] info: + - skipped +- Description: (TLS1.3-Raw Public Key-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) +- Options: +- Handshake was completed + +- Simple Client Mode: +@end example @subheading Connecting to STARTTLS services diff --git a/src/cli.c b/src/cli.c index 691eb98c54..b31f43cadb 100644 --- a/src/cli.c +++ b/src/cli.c @@ -95,9 +95,11 @@ const char *x509_certfile = NULL; const char *x509_cafile = NULL; const char *x509_crlfile = NULL; static int x509ctype; +const char *rawpk_keyfile = NULL; +const char *rawpk_file = NULL; static int disable_extensions; static int disable_sni; -static unsigned int init_flags = GNUTLS_CLIENT; +static unsigned int init_flags = GNUTLS_CLIENT | GNUTLS_ENABLE_RAWPK; static const char *priorities = NULL; static const char *inline_commands_prefix; @@ -121,10 +123,60 @@ static int cert_verify_ocsp(gnutls_session_t session); static unsigned int x509_crt_size; static gnutls_pcert_st x509_crt[MAX_CRT]; static gnutls_privkey_t x509_key = NULL; +static gnutls_pcert_st rawpk; +static gnutls_privkey_t rawpk_key = NULL; -/* Load the certificate and the private key. + +/* Load a PKCS #8, PKCS #12 private key or PKCS #11 URL */ -static void load_keys(void) +static void load_priv_key(gnutls_privkey_t* privkey, const char* key_source) +{ + int ret; + gnutls_datum_t data = { NULL, 0 }; + + ret = gnutls_privkey_init(privkey); + + if (ret < 0) { + fprintf(stderr, "*** Error initializing key: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + gnutls_privkey_set_pin_function(*privkey, pin_callback, + NULL); + + if (gnutls_url_is_supported(key_source) != 0) { + ret = gnutls_privkey_import_url(*privkey, key_source, 0); + if (ret < 0) { + fprintf(stderr, + "*** Error loading url: %s\n", + gnutls_strerror(ret)); + exit(1); + } + } else { + ret = gnutls_load_file(key_source, &data); + if (ret < 0) { + fprintf(stderr, + "*** Error loading key file.\n"); + exit(1); + } + + ret = gnutls_privkey_import_x509_raw(*privkey, &data, + x509ctype, NULL, 0); + if (ret < 0) { + fprintf(stderr, + "*** Error importing key: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + gnutls_free(data.data); + } +} + +/* Load the X509 certificate and the private key. + */ +static void load_x509_keys(void) { unsigned int crt_num; int ret; @@ -209,51 +261,45 @@ static void load_keys(void) gnutls_free(data.data); - ret = gnutls_privkey_init(&x509_key); + load_priv_key(&x509_key, x509_keyfile); + + fprintf(stdout, + "Processed %d client X.509 certificates...\n", + x509_crt_size); + } +} + +/* Load the raw public key and corresponding private key. + */ +static void load_rawpk_keys(void) +{ + int ret; + gnutls_datum_t data = { NULL, 0 }; + + if (rawpk_file != NULL && rawpk_keyfile != NULL) { + // First we load the raw public key + ret = gnutls_load_file(rawpk_file, &data); if (ret < 0) { - fprintf(stderr, "*** Error initializing key: %s\n", - gnutls_strerror(ret)); + fprintf(stderr, + "*** Error loading cert file.\n"); exit(1); } - gnutls_privkey_set_pin_function(x509_key, pin_callback, - NULL); - - if (gnutls_url_is_supported(x509_keyfile) != 0) { - ret = - gnutls_privkey_import_url(x509_key, - x509_keyfile, 0); - if (ret < 0) { - fprintf(stderr, - "*** Error loading url: %s\n", - gnutls_strerror(ret)); - exit(1); - } - } else { - ret = gnutls_load_file(x509_keyfile, &data); - if (ret < 0) { - fprintf(stderr, - "*** Error loading key file.\n"); - exit(1); - } + ret = gnutls_pcert_import_rawpk_raw(&rawpk, &data, x509ctype, 0, 0); + if (ret < 0) { + fprintf(stderr, + "*** Error importing rawpk to pcert: %s\n", + gnutls_strerror(ret)); + exit(1); + } - ret = - gnutls_privkey_import_x509_raw(x509_key, &data, - x509ctype, NULL, - 0); - if (ret < 0) { - fprintf(stderr, - "*** Error loading url: %s\n", - gnutls_strerror(ret)); - exit(1); - } + gnutls_free(data.data); - gnutls_free(data.data); - } + // Secondly, we load the private key corresponding to the raw pk + load_priv_key(&rawpk_key, rawpk_keyfile); fprintf(stdout, - "Processed %d client X.509 certificates...\n", - x509_crt_size); + "Processed %d client raw public key pair...\n", 1); } } @@ -541,23 +587,40 @@ cert_callback(gnutls_session_t session, * supported by the server. */ - cert_type = gnutls_certificate_type_get(session); + cert_type = gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT); *pcert_length = 0; - if (cert_type == GNUTLS_CRT_X509) { - if (x509_crt_size > 0) { - if (x509_key != NULL) { - *pkey = x509_key; - } else { + switch (cert_type) { + case GNUTLS_CRT_X509: + if (x509_crt_size > 0) { + if (x509_key != NULL) { + *pkey = x509_key; + } else { + log_msg + (stdout, "- Could not find a suitable key to send to server\n"); + return -1; + } + + *pcert_length = x509_crt_size; + *pcert = x509_crt; + } + break; + case GNUTLS_CRT_RAWPK: + if (rawpk_key == NULL || rawpk.type != GNUTLS_CRT_RAWPK) { log_msg - (stdout, "- Could not find a suitable key to send to server\n"); + (stdout, "- Could not find a suitable key to send to server\n"); return -1; } - *pcert_length = x509_crt_size; - *pcert = x509_crt; - } + *pkey = rawpk_key; + *pcert = &rawpk; + *pcert_length = 1; + break; + default: + log_msg(stdout, "- Could not retrieve unsupported certificate type %s.\n", + gnutls_certificate_type_get_name(cert_type)); + return -1; } log_msg(stdout, "- Successfully sent %u certificate(s) to server.\n", @@ -1570,6 +1633,12 @@ static void cmd_parser(int argc, char **argv) if (HAVE_OPT(X509CERTFILE)) x509_certfile = OPT_ARG(X509CERTFILE); + if (HAVE_OPT(RAWPKKEYFILE)) + rawpk_keyfile = OPT_ARG(RAWPKKEYFILE); + + if (HAVE_OPT(RAWPKFILE)) + rawpk_file = OPT_ARG(RAWPKFILE); + if (HAVE_OPT(PSKUSERNAME)) psk_username = OPT_ARG(PSKUSERNAME); @@ -1841,7 +1910,8 @@ static void init_global_tls_stuff(void) } } - load_keys(); + load_x509_keys(); + load_rawpk_keys(); #ifdef ENABLE_SRP if (srp_username && srp_passwd) { diff --git a/src/common.c b/src/common.c index 433e31ac90..6a0c00ebaa 100644 --- a/src/common.c +++ b/src/common.c @@ -182,6 +182,56 @@ print_x509_info(gnutls_session_t session, FILE *out, int flag, int print_cert, i } } +static void +print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert, int print_crt_status) +{ + gnutls_pcert_st pk_cert; + gnutls_pk_algorithm_t pk_algo; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0; + int ret; + + cert_list = gnutls_certificate_get_peers(session, &cert_list_size); + if (cert_list_size == 0) { + if (print_crt_status) + fprintf(stderr, "No certificates found!\n"); + return; + } + + log_msg(out, "- Certificate type: Raw Public Key\n"); + log_msg(out, "- Got %d Raw public-key(s).\n", + cert_list_size); + + + ret = gnutls_pcert_import_rawpk_raw(&pk_cert, cert_list, GNUTLS_X509_FMT_DER, 0, 0); + if (ret < 0) { + fprintf(stderr, "Decoding error: %s\n", + gnutls_strerror(ret)); + return; + } + + pk_algo = gnutls_pubkey_get_pk_algorithm(pk_cert.pubkey, NULL); + + log_msg(out, "- Raw pk info:\n"); + log_msg(out, " - PK algo: %s\n", gnutls_pk_algorithm_get_name(pk_algo)); + + if (print_cert) { + gnutls_datum_t pem; + + ret = gnutls_pubkey_export2(pk_cert.pubkey, GNUTLS_X509_FMT_PEM, &pem); + if (ret < 0) { + fprintf(stderr, "Encoding error: %s\n", + gnutls_strerror(ret)); + return; + } + + log_msg(out, "\n%s\n", (char*)pem.data); + + gnutls_free(pem.data); + } + +} + /* returns false (0) if not verified, or true (1) otherwise */ int cert_verify(gnutls_session_t session, const char *hostname, const char *purpose) @@ -543,10 +593,13 @@ void print_cert_info2(gnutls_session_t session, int verbose, FILE *out, int prin print_crt_status = 1; } - switch (gnutls_certificate_type_get(session)) { + switch (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_PEERS)) { case GNUTLS_CRT_X509: print_x509_info(session, out, flag, print_cert, print_crt_status); break; + case GNUTLS_CRT_RAWPK: + print_rawpk_info(session, out, flag, print_cert, print_crt_status); + break; default: break; } -- cgit v1.2.1 From 6e9861f77b14aecd0c4e332dec7fd042ba3bc513 Mon Sep 17 00:00:00 2001 From: Tom Vrancken Date: Tue, 27 Aug 2019 17:10:04 +0200 Subject: Implemented raw public key support for gnutls-serv application. Signed-off-by: Tom Vrancken --- src/serv-args.def | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- src/serv.c | 49 ++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 101 insertions(+), 6 deletions(-) diff --git a/src/serv-args.def b/src/serv-args.def index a2e9d1c6f8..996fbe36ba 100644 --- a/src/serv-args.def +++ b/src/serv-args.def @@ -249,6 +249,45 @@ flag = { deprecated; }; +flag = { + name = rawpkkeyfile; + arg-type = string; + descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use"; + doc = "Specify the private key file or URI to use; it must correspond to +the raw public-key specified in --rawpkfile. Multiple key pairs +can be specified with this option and in that case each occurrence of keyfile +must be followed by the corresponding rawpkfile or vice-versa. + +In order to instruct the application to negotiate raw public keys one +must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-* +and CTYPE-SRV-* flags). + +Check the GnuTLS manual on section ``Priority strings'' for more +information on how to set certificate types."; + stack-arg; + max = NOLIMIT; +}; + +flag = { + name = rawpkfile; + arg-type = string; + descrip = "Raw public-key file to use"; + doc = "Specify the raw public-key file to use; it must correspond to +the private key specified in --rawpkkeyfile. Multiple key pairs +can be specified with this option and in that case each occurrence of keyfile +must be followed by the corresponding rawpkfile or vice-versa. + +In order to instruct the application to negotiate raw public keys one +must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-* +and CTYPE-SRV-* flags). + +Check the GnuTLS manual on section ``Priority strings'' for more +information on how to set certificate types."; + stack-arg; + max = NOLIMIT; + flags-must = rawpkkeyfile; +}; + flag = { name = srppasswd; arg-type = file; @@ -478,11 +517,24 @@ gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \ --pskpasswd psk-passwd.txt @end example +If you want a server with support for raw public-keys we can also add these +credentials. Note however that there is no identity information linked to these +keys as is the case with regular x509 certificates. Authentication must be done +via different means. Also we need to explicitly enable raw public-key certificates +via the priority strings. + +@example +gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \ + --rawpkfile srv.rawpk.pem \ + --rawpkkeyfile srv.key.pem +@end example + + Finally, we start the server with all the earlier parameters and you get this command: @example -gnutls-serv --http --priority NORMAL:+PSK:+SRP \ +gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \ --x509cafile x509-ca.pem \ --x509keyfile x509-server-key.pem \ --x509certfile x509-server.pem \ @@ -490,7 +542,9 @@ gnutls-serv --http --priority NORMAL:+PSK:+SRP \ --x509certfile x509-server-ecc.pem \ --srppasswdconf srp-tpasswd.conf \ --srppasswd srp-passwd.txt \ - --pskpasswd psk-passwd.txt + --pskpasswd psk-passwd.txt \ + --rawpkfile srv.rawpk.pem \ + --rawpkkeyfile srv.key.pem @end example _EOF_; }; diff --git a/src/serv.c b/src/serv.c index cc68abb509..60b02f6983 100644 --- a/src/serv.c +++ b/src/serv.c @@ -76,6 +76,10 @@ const char *x509_cafile = NULL; const char *dh_params_file = NULL; const char *x509_crlfile = NULL; const char *priorities = NULL; +const char **rawpk_keyfile = NULL; +const char **rawpk_file = NULL; +unsigned rawpk_keyfile_size = 0; +unsigned rawpk_file_size = 0; const char **ocsp_responses = NULL; unsigned ocsp_responses_size = 0; @@ -382,7 +386,7 @@ gnutls_session_t initialize_session(int dtls) const char *err; gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS]; unsigned alpn_size; - unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH; + unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK; if (dtls) flags |= GNUTLS_DATAGRAM; @@ -556,7 +560,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, return http_buffer; } - if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) { + if (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) == GNUTLS_CRT_X509) { const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; @@ -675,10 +679,10 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, } if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE && - gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) { + gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) != GNUTLS_CRT_X509) { tmp = gnutls_certificate_type_get_name - (gnutls_certificate_type_get(session)); + (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT)); if (tmp == NULL) tmp = str_unknown; snprintf(tmp_buffer, tmp_buffer_size, @@ -1178,6 +1182,7 @@ int main(int argc, char **argv) exit(1); } + /* X509 credentials */ if (x509_cafile != NULL) { if ((ret = gnutls_certificate_set_x509_trust_file (cert_cred, x509_cafile, x509ctype)) < 0) { @@ -1215,6 +1220,25 @@ int main(int argc, char **argv) cert_set = 1; } } + + /* Raw public-key credentials */ + if (rawpk_file_size > 0 && rawpk_keyfile_size > 0) { + for (i = 0; i < rawpk_keyfile_size; i++) { + ret = gnutls_certificate_set_rawpk_key_file(cert_cred, rawpk_file[i], + rawpk_keyfile[i], + x509ctype, + NULL, 0, NULL, 0, + 0, 0); + if (ret < 0) { + fprintf(stderr, "Error reading '%s' or '%s'\n", + rawpk_file[i], rawpk_keyfile[i]); + GERR(ret); + exit(1); + } else { + cert_set = 1; + } + } + } if (cert_set == 0) { fprintf(stderr, @@ -1808,12 +1832,29 @@ static void cmd_parser(int argc, char **argv) if (x509_certfile_size != x509_keyfile_size) { fprintf(stderr, "The certificate number provided (%u) doesn't match the keys (%u)\n", x509_certfile_size, x509_keyfile_size); + exit(1); } if (HAVE_OPT(X509CAFILE)) x509_cafile = OPT_ARG(X509CAFILE); if (HAVE_OPT(X509CRLFILE)) x509_crlfile = OPT_ARG(X509CRLFILE); + + if (HAVE_OPT(RAWPKKEYFILE)) { + rawpk_keyfile = STACKLST_OPT(RAWPKKEYFILE); + rawpk_keyfile_size = STACKCT_OPT(RAWPKKEYFILE); + } + + if (HAVE_OPT(RAWPKFILE)) { + rawpk_file = STACKLST_OPT(RAWPKFILE); + rawpk_file_size = STACKCT_OPT(RAWPKFILE); + } + + if (rawpk_file_size != rawpk_keyfile_size) { + fprintf(stderr, "The number of raw public-keys provided (%u) doesn't match the number of corresponding private keys (%u)\n", + rawpk_file_size, rawpk_keyfile_size); + exit(1); + } if (HAVE_OPT(SRPPASSWD)) srp_passwd = OPT_ARG(SRPPASSWD); -- cgit v1.2.1 From 4d7ab8830b37593404b622c0526d4dd06a627bcb Mon Sep 17 00:00:00 2001 From: Tom Vrancken Date: Mon, 30 Sep 2019 21:22:59 +0200 Subject: Added functional regression tests for rawpk functionality in gnutls-cli and gnutls-serv. Signed-off-by: Tom Vrancken --- tests/Makefile.am | 2 +- tests/gnutls-cli-rawpk.sh | 320 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 321 insertions(+), 1 deletion(-) create mode 100755 tests/gnutls-cli-rawpk.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index e056e3a951..c462b54e41 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -505,7 +505,7 @@ dist_check_SCRIPTS += system-override-sig-hash.sh system-override-versions.sh sy system-override-kx.sh endif -dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh +dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh if ENABLE_PKCS11 dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh diff --git a/tests/gnutls-cli-rawpk.sh b/tests/gnutls-cli-rawpk.sh new file mode 100755 index 0000000000..8b60da780e --- /dev/null +++ b/tests/gnutls-cli-rawpk.sh @@ -0,0 +1,320 @@ +#!/bin/sh + +# Copyright (C) 2019 Tom Vrancken (dev@tomvrancken.nl) +# +# Author: Tom Vrancken +# Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see + +srcdir="${srcdir:-.}" +SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" +CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" +unset RETCODE +CERTFILE1=rawpk-script1.$$.pem.tmp +CERTFILE2=rawpk-script2.$$.pem.tmp + +TMPFILE=rawpk-script.$$.log + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + +SERV="${SERV} -q" + +. "${srcdir}/scripts/common.sh" + +echo "Checking whether we can connect with raw public-keys" + +cat <<__EOF__ >${CERTFILE1} +-----BEGIN CERTIFICATE----- +MIIEXDCCAsSgAwIBAgIIWkcxay17JgYwDQYJKoZIhvcNAQELBQAwQjEaMBgGA1UE +AxMRdGVzdC1hbGwtZGVmYXVsdHMxCzAJBgNVBAYTAkFUMRcwFQYKCZImiZPyLGQB +GRYHYmVidC5kZTAeFw0xNzEyMzAwNjI1NDhaFw0xOTEyMjAwNjI1NTFaMEIxGjAY +BgNVBAMTEXRlc3QtYWxsLWRlZmF1bHRzMQswCQYDVQQGEwJBVDEXMBUGCgmSJomT +8ixkARkWB2JlYnQuZGUwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCv +M1Y+Q4goCtHi3SLHTBQ14LS6NI4UbEa8YZFfaOfmOOufzwdNUntUkSA2PPS7mQ55 +SN+Sdel1x4f4EjfxCWhj0j0Y26OmJS+wYNz3oOdoKThLq4Mn5SumO7mhU684mZTi +EP2qrxFeYvQqQBdjv8rfP2LJ+RsB/3CiwWdkx4qeudoSUCqzWo8e6K2ul0JJuk+Z +fvqkPpDl+cVTikmxNwqjAt4Ef9oiT1YjUIBUae+RCdNZEa6d2AhW+4bD+vl0Pci+ +EBPzhLeR8iYuIEX66Tpv8AUvv412SuvVZbizGP5EDH4gkWtNWem9yNPCHA9rBqrC +6Nib4TPPLm1aN4mJyLdoQ1gD0STHcFADo+1H0JDywzxlgkks9cj5sQmApO7+AuGs +JoUDAp4g4LHnBw/H/5esVta5Pn7GThKwu7PRY0Y59ZKQrT5deXm9TeySdav+9wR/ +5aiIZpAsAM5zWnN5qAP58Xl+pa0qN48GPcwmAsa4Zh9ehGhzR00MFHD3V8i0rFcC +AwEAAaNWMFQwDAYDVR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYD +VR0PAQH/BAUDAwegADAdBgNVHQ4EFgQU0tGobgnLApQRxvbzIhOT2gAUQAYwDQYJ +KoZIhvcNAQELBQADggGBAHmqS1jOY5J9ad63aFXaei0lZhTnYCsFOGWuyLqZtz9K +21n0V8WVXeGmBjXkYNS3LCwPwFqKsp3vhsh4Hw5cyKkfQIri0HlWASYiJCPZxDLH +odVJSOPV65Q+gmhT/ltHK5CW4DJ2Gy82vPEFqw3+Kca28IJ0m2wr0FlhOCvnHUa7 +GMS/+SdaMbsi1Eui0wUG/xWw8/2kY26IjhDJHrsTUjpYQ+vTy5oOjyq6Yf15Orjw +tJTwGgRcfoiBGhzMgTbUfFCO33L6f0u/WR/sI7DYDO/6JW1USnTrMuwEL6/jMNAw +QPl6irVOy/UwcIcLIBw8ta5cR8JVbhYuV7cUT9qDVwCOqotkwjDVsH2aztLLLr5d +ywMQXvXh2UI4jSujWf9vYY3F7GkDGy/cOwVprZoAe0mXwvuCvDyNZqXJTxKtq/w9 +ZwOveNtNeXHOJljseNXLQPCfCcQ6mEUNjqwo2eDqH0OtJsQRN2CAUsn+YBnAALrv +P4J46RbB7bnzQ9kHiv6KuA== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEArzNWPkOIKArR4t0ix0wUNeC0ujSOFGxGvGGRX2jn5jjrn88H +TVJ7VJEgNjz0u5kOeUjfknXpdceH+BI38QloY9I9GNujpiUvsGDc96DnaCk4S6uD +J+Urpju5oVOvOJmU4hD9qq8RXmL0KkAXY7/K3z9iyfkbAf9wosFnZMeKnrnaElAq +s1qPHuitrpdCSbpPmX76pD6Q5fnFU4pJsTcKowLeBH/aIk9WI1CAVGnvkQnTWRGu +ndgIVvuGw/r5dD3IvhAT84S3kfImLiBF+uk6b/AFL7+Ndkrr1WW4sxj+RAx+IJFr +TVnpvcjTwhwPawaqwujYm+Ezzy5tWjeJici3aENYA9Ekx3BQA6PtR9CQ8sM8ZYJJ +LPXI+bEJgKTu/gLhrCaFAwKeIOCx5wcPx/+XrFbWuT5+xk4SsLuz0WNGOfWSkK0+ +XXl5vU3sknWr/vcEf+WoiGaQLADOc1pzeagD+fF5fqWtKjePBj3MJgLGuGYfXoRo +c0dNDBRw91fItKxXAgMBAAECggGACEz1XBPVApioowf5Gtom5vqTdXMB/EO5AjnZ +Kl0NB6JQv4yOewJaZ4JMtWUj7zNsNSDXvtepTPQ8I+uxDNF2SaxvSps1YKzIWqHs +NitAa3Xwfd1NZHl+HO0deWA+n/7ex+soKYsL1p33lXzd3tL6aKNXKdyMhAa3Lm7d +WDAACE8j3tQ/ganbuAosGGaANIAIP2x9sYRpVwwDZlbZ8PR7o4eCP1JTYmbB3QB2 +ZAl02TlO8xxcWowesQhPtT9RzEkVAqKC8EULvdvY4b5OFQxkmLDQYv/c+HqetKQ7 +/ewkp/PRndGJ+k0Nebr6G2yIj6D3pN1YfquTfwGMi2yTZh4hQgkXi2WP8KRRgpIU +iUfsSA9wZ4s2WNTMPQANfztP2cUVSPHW8UlTM373qLc3TGDuxmR+h7vqeQ0kVakL +vhQ+HkEvQ2yrxc3m3g1BDoM3/ShHx7IskBqeX3L3Ad7pZpu/Q+Y/z5tVtDUY42LW +DTeB/mKZcKZLK0BCz+o4L9KPceQxAoHBANZfiYobRMXmT0yOfTj68JWR/g7B9XBV +rQ03xKxpI9mVckAT52xPJCUsSRVyUbJDs4hnBOe/y3Uk3jejDoCoI1h8ZyKCwhHq +Py0GFCmB/AzeYRchD0TY1H69r4PZjloGX6SWlha784ajcJspoV5TYuLkhOVDFsA/ +R4Yu4irkQ2hugPT/q3ysiDXgQSB9+SqCYGUfMbadC+Ppm5+egTF8uyHJeV4YQ/Jr +CNvsA6wxnONg0gbhsd3wLixjzz8jfJ1N6QKBwQDROIg0JumHkO5pl7wdKUSRx43y +OOBNOf3KqGsRT8EDnRcepJy1gdg/SIp5/MRi+PJLqDfLNcIr8gQhanJnZ160UFVX +8IhJ02Of/NGrFvctURJ3Dt63SspIoi6Yt/7Z1IQrvxpHsD3eaNtqywtYF59yhkdB +hKomPn++LraDyXHqu0xCuO9te61ZP2haHhPsGI1Z2fuep5dnZJRLNR9BZWuqmkv9 +qj34ftm6Np8qSpdp9GotsRL2WIRaNF/sP+Z6gD8CgcAF7VZMLzzTi+6dW0MzFB0a +xZKUreAvXu8N8oDJk46eMXebNfGsGPQS4wqSQTrpBt4r401Law4hCwfp2eRIwl1X +0Pi5B4x+Gk/s2sIr86AYav2cOhnF+YjGiFAWASnia1Kxpkg4ELJHArXWVGxVw1B0 +nYTfId+7KQS9PQab0PvcI1IFdBw1sj+B3dVvJIyDFF+97ALf3a+6eXcIDsXbrGsw +H/XvGBSo2zS/f+MKG8UOtFqaPhtA26crKwdL45tKbiECgcAO468NxxcnhrDw4tOI +X795gHIhotqTpGTjX0j/WmWqFCvpCl38rNju6AKy28I+KOlVaQtPcuv2pKqWljS+ +FyUuP+lS8NNCLcERSbTCMEg2+WYPAwfmk3QB50jZpX6FkhI16su7/lbo1R2IZBrS +khvO0q+Pghl5z0jYCAsFJfjtc5bhyLeBWyPjDhgnEazpSHYGxvSZPeQQf5/uGkG3 +LbiT05dE3jC61ow4LFr3b4eHCtXjmo526aXBpaiN754/aZECgcBAK3aOmgwI5vw4 +7a94mWffD0LzHl26D2ayXHvXmzjTOv7hsvilUTitdlqNrlZ3AxOWX1nGUcxdUwPT +Ri1h4yIi28MvTjBD+wvXOGwmINGkBFWKIzkhh/bvbzQsuRSmG09JF1tBJjE6oCUs +5ZJ7v0NCtg7yGOY8ciWIpahFc796prk17ZgIn/t0hebc9ZTaIat5QKbr4SWLZJEl +i2yISkQxkJZp8sTwSlIGZSBpuZcDq9AdUjan1WhGgl4hpHpjr3Y= +-----END RSA PRIVATE KEY----- +__EOF__ + +cat <<__EOF__ >${CERTFILE2} +-----BEGIN PUBLIC KEY----- +MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtfCQ/U13p076UUEggNm8 +mI+bEilHrvKiyZpY/NZ2JYhmU+n0ChuH6XweXuiuW2gKR/Fl0vpGAxhugQAR3lMS +0XJZjg4z1gFP0BMeR0YYQuWe2Gfg24fUNPluHCf+dJMHAadIVKyUvVKFPDTwu6yU +lVafn0uoMme8b51yAwQAeXGOJnTFHSaRhuDWAokaTsW0kdAr5FSxMadSTVuDNSav +ic6qSUimJvPjT+URzpIjy/2MG8aj00At1MSj8sC/g5JuBvMKXe4mg6/Xd1YsP9gT +GhpfuBzwt+H4HDm4MzwNqdWNJ7pAhdcBOztqsScZJUqmGT742Fr0OjYYOFvHYLcx +SMD65huLlKTiQwg0HocVFA/VilLLV65cW+AUakr0YCXKyucPz4omVy/RINi663Bn +UyIR3pkOwbr71syuiU1S9cMnG0BxHsPmbvgaYttnCwp0cexB8MrJNJv5FcKLOGUL +MMCvSIT7elYwGN2p5gtAg1RLmyVvubTmkOAmxAgybgqHAgMBAAE= +-----END PUBLIC KEY----- + +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAtfCQ/U13p076UUEggNm8mI+bEilHrvKiyZpY/NZ2JYhmU+n0 +ChuH6XweXuiuW2gKR/Fl0vpGAxhugQAR3lMS0XJZjg4z1gFP0BMeR0YYQuWe2Gfg +24fUNPluHCf+dJMHAadIVKyUvVKFPDTwu6yUlVafn0uoMme8b51yAwQAeXGOJnTF +HSaRhuDWAokaTsW0kdAr5FSxMadSTVuDNSavic6qSUimJvPjT+URzpIjy/2MG8aj +00At1MSj8sC/g5JuBvMKXe4mg6/Xd1YsP9gTGhpfuBzwt+H4HDm4MzwNqdWNJ7pA +hdcBOztqsScZJUqmGT742Fr0OjYYOFvHYLcxSMD65huLlKTiQwg0HocVFA/VilLL +V65cW+AUakr0YCXKyucPz4omVy/RINi663BnUyIR3pkOwbr71syuiU1S9cMnG0Bx +HsPmbvgaYttnCwp0cexB8MrJNJv5FcKLOGULMMCvSIT7elYwGN2p5gtAg1RLmyVv +ubTmkOAmxAgybgqHAgMBAAECggGAAoHBDaxulKCS9GGoV/4oChYYdeSZt0Bim9KD +nWA7GoNJnahgk28TrVTnejlMhbfmRF2AIKsQIeTJSP++P0j3vmkL8NgjQLSd6+kH +hsXhebJ+QM8VmxDBDMXPDZZDfEm2VACBD6GdHwqvCUhVdNCI75HU+zXoqGEjiIor +0vzQINw+sCr1uFQatzgL2tcWxLUWqteqcyfzlRKQIL69DRNuYcC2OfJFT84WeLhY +SXdcBOiGcK+I/FUrDH51H9gmC2MOGRnWsB0daTMUraJ2or9TCH3PrULGshlMuMzs +aMnecKf79DBKj4BO/x2VFo2rq7H2uPczv6+6bHapjagMtxWcogFceUqjNXnnWyiK +8oH7iin2PnIDUX+ks3YwQ9hpbJIy3V9UF2J6PgyaKDGfyT2mVoLmTbD0IpPlpF7G +xGdUCEVB3AqB1nA8KE6vim8BKktInVM1fMylR/n0jj7mSK1oqqH76S1kmfH4sla/ +KetthtIy2IVnljsgIbrABp1A5gd5AoHBANnDTBXsDMA9VE+ArOB8WNkzT1gl44QO +cKHLJQ2sTGNrSA5m9xjGgcmOogJTw5wxz5vPqqKol0xpIEHIAmftREt1qpem7+Gi +CNslPzHR9PYe5XGAV3bgFe4iL2Q9dD+rOx5/EK9GroqNtNNSEzcckAu414whIazb +sNhFcsCd1Yn6kadfeMRdt8MQ4sgQWWxON1gjOynbx5lHuLqZs8SYUJ6v3RRn7ZXv +cGI9NeuAxHDpZPqhnpsFyfWbLFHJIUaaVQKBwQDV4vmL0gpdiBfKPS6D8OkVSayQ +CBLoaq9sW4VWPpv83lTtB6nf6zfhxs7ho+0aosieV5KQkJho0KY5mHvKfFO5ih1g +ADtG90X37tVxHyQLXxqBpOBQO12lVsc/ILO6hqDOFoAzGMPpT43CrF2/09GQM/uA +Uo2s0Z9mvMalybtWcGDrsfGQhuY5soeEho9gziAC3zFMtSZJDBd5pf+Ls2ZcBDFp +5GrIvVFYGIOqbSheeSuYyhgZGHiAXtibRkroZWsCgcAeCMiisWbk0NCjEn1FjQD4 +HBKSds9VdGRmfE1FAIGcqLxMeDkWarKV6R1BMupkzZ3zwIWpX5VWjZ1MVVi3msrz +mWwI9JZbSWztRMrdhTbDB2nf6LKni6qaqI5exfcVnPlPcHkNo7MJGxhYmRZbYI4h +f8IC6sLpQ3e1rIZyOJKuMCgMrKdMdhyVQ+vzagXbYUJS3rEXSd/SrUi2O+LGd7eO +23Sjjt3+8wJOGmEodR8i753kz4u/l+HOBTPsp8/2G+0CgcBD72Pz1TMVojRsOCKe +JdbivBPja60VxU0Szb78Nca1+qhe4SBDzyJgxBTR9o9I9otiP859vG+sWxlxEc2/ +8t1lAUlzRJ+PWtsOdP22gH2iXwK8SvI0iaak7Xs7wddUV46b5umxURxo7qvIOZdN +ZqoZc2leyNnXGn3W0/8EiZ7HRcqDEnH3xeE6UkpY/aRsywu/3cR66M7QRNbv/Jm+ +daz9bReE2thQClHb+W1YpHM+Dp6aWRZuYidkHrwOFbWVOyECgcBSsN2yk6eV9pmQ +p4yHZcJ6QdCHm1KqdAMK/pSurjSf3+281mkxTAkZBGLl2QwZKEBTapKZhvsoC3+d +fpk1UZneP1g9PHoRS7rooQV5baUj0sOd3RyD3iylb1soyyEKWxbzdiS/nswYbwCV +LMvucEsmS5aIfIUo4ntlNs3bVZqLdh0BAG9+WuimpYyp7pxrvuj2FM+gwbwDZvto +O2/1wSKkPX2klUKg1hNNELJAXfxHLw2+NvV9x4rDiu5xJHgDCD0= +-----END RSA PRIVATE KEY----- +__EOF__ + +trap "cleanup" EXIT QUIT + +cleanup() +{ + kill ${PID} >/dev/null 2>&1 + rm -f ${CERTFILE1} ${CERTFILE2} + +} + +echo " * testing server X.509, client RAW" + +eval "${GETPORT}" +launch_server $$ --echo --x509keyfile ${CERTFILE1} --x509certfile ${CERTFILE1} --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK --require-client-cert +PID=$! +wait_server ${PID} + +${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK --no-ca-verification --rawpkkeyfile ${CERTFILE2} --rawpkfile ${CERTFILE2} >${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 ${TMPFILE} 2>&1 Date: Fri, 4 Oct 2019 20:50:19 +0200 Subject: Updated NEWS to reflect the added raw public-key handling functionality for gnutls-cli/serv tools. Signed-off-by: Tom Vrancken --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index a175a1eb7f..e2a10e7746 100644 --- a/NEWS +++ b/NEWS @@ -35,6 +35,9 @@ See the end for copying conditions. ** certtool: when outputting an encrypted private key do not insert the textual description of it. This fixes a regression since 3.6.5 (#840). +** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). + Key material can be set via the --rawpkkeyfile and --rawpkfile flags. + ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added -- cgit v1.2.1