From a0754ce52e28851fe6cef367ef0fbf45914ada49 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Fri, 16 Nov 2018 03:46:52 +0300 Subject: certtool: don't output textual information if --no-text was given Change privkey/certificate/CRL/CSR handling to disable text output if --no-text option was given. Closes #487 Signed-off-by: Dmitry Eremin-Solenikov --- NEWS | 3 +++ src/certtool-args.def | 8 +++++++ src/certtool-common.c | 36 ++++++++++++++++------------- src/certtool-common.h | 8 +++++-- src/certtool.c | 63 +++++++++++++++++---------------------------------- src/tpmtool.c | 2 +- 6 files changed, 59 insertions(+), 61 deletions(-) diff --git a/NEWS b/NEWS index eb09d3a831..30f6ffffc7 100644 --- a/NEWS +++ b/NEWS @@ -32,6 +32,9 @@ See the end for copying conditions. ** libgnutls: Added support for GOST key unmasking and unwrapped GOST private keys parsing, as specified in R 50.1.112-2016. +** certtool: Add parameter --no-text that prevents certtool from outputting + text before PEM-encoded private key, public key, certificate, CRL or CSR. + ** API and ABI modifications: GNUTLS_AUTO_REAUTH: Added GNUTLS_CIPHER_AES_128_CFB8: Added diff --git a/src/certtool-args.def b/src/certtool-args.def index 84a40efb05..d5336eda7b 100644 --- a/src/certtool-args.def +++ b/src/certtool-args.def @@ -661,6 +661,14 @@ flag = { doc = "This will override the default options in /etc/gnutls/pkcs11.conf"; }; +flag = { + name = text; + descrip = "Output textual information before PEM-encoded certificates, private keys, etc"; + enabled; + disable = "no"; + doc = "Output textual information before PEM-encoded data"; +}; + doc-section = { ds-type = 'SEE ALSO'; ds-format = 'texi'; diff --git a/src/certtool-common.c b/src/certtool-common.c index 893e17f276..ec149860b5 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c 
@@ -993,36 +993,40 @@ print_rsa_pkey(FILE * outfile, gnutls_datum_t * m, gnutls_datum_t * e,
 }
 }
-void _pubkey_info(FILE * outfile,
- gnutls_certificate_print_formats_t format,
- gnutls_pubkey_t pubkey)
+void print_pubkey_info(gnutls_pubkey_t pubkey,
+ FILE *outfile,
+ gnutls_certificate_print_formats_t format,
+ gnutls_x509_crt_fmt_t outcert_format,
+ unsigned int outtext)
 {
 gnutls_datum_t data;
 int ret;
 size_t size;
- fix_lbuffer(0);
+ if (outtext) {
+ ret = gnutls_pubkey_print(pubkey, format, &data);
+ if (ret < 0) {
+ fprintf(stderr, "pubkey_print error: %s\n",
+ gnutls_strerror(ret));
+ app_exit(1);
+ }
- ret = gnutls_pubkey_print(pubkey, format, &data);
- if (ret < 0) {
- fprintf(stderr, "pubkey_print error: %s\n",
- gnutls_strerror(ret));
- app_exit(1);
+ fprintf(outfile, "%s\n\n", data.data);
+ gnutls_free(data.data);
 }
- fprintf(outfile, "%s\n", data.data);
- gnutls_free(data.data);
+ fix_lbuffer(0);
 size = lbuffer_size;
 ret =
- gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_PEM, lbuffer,
+ gnutls_pubkey_export(pubkey, outcert_format, lbuffer,
 &size);
 if (ret < 0) {
 fprintf(stderr, "export error: %s\n", gnutls_strerror(ret));
 app_exit(1);
 }
- fprintf(outfile, "\n%s\n", lbuffer);
+ fwrite(lbuffer, 1, size, outfile);
 }
 static void
@@ -1114,7 +1118,7 @@ void dh_info(FILE * infile, FILE * outfile, common_info_st * ci)
 app_exit(1);
 }
- if (ci->outcert_format == GNUTLS_X509_FMT_PEM)
+ if (ci->outtext)
 print_dh_info(outfile, &p, &g, q_bits, ci->cprint);
 if (!ci->cprint) { /* generate a PKCS#3 structure */
@@ -1378,7 +1382,7 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
 /* Only print private key parameters when an unencrypted
 * format is used */
- if (cinfo->outcert_format == GNUTLS_X509_FMT_PEM)
+ if (cinfo->outtext)
 privkey_info_int(outfile, cinfo, key);
 switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
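Review bot: print_pubkey_info relies entirely on its caller to pass outtext == 0 whenever outcert_format is DER; nothing in the function stops textual output being written in front of binary DER data, which would corrupt the output file. cmd_parser derives outtext from the PEM check and tpmtool passes PEM with outtext 1, so the invariant holds today, but it is not visible at the function itself. I would either harden the guard to `if (outtext && outcert_format == GNUTLS_X509_FMT_PEM) {` or put a comment above the definition stating that outtext is only honoured for PEM output and must be 0 for DER.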
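Review bot: In the print_private_key hunk the comment above the changed condition still says `Only print private key parameters when an unencrypted * format is used`, but the condition now tests cinfo->outtext, which cmd_parser sets from --text and the PEM check; neither has anything to do with encryption, so the comment now misleads. Suggest `/* Only print private key parameters when textual output is enabled (PEM output and not --no-text) */`. print_private_key's body continues outside the hunk.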
@@ -1568,7 +1572,7 @@ int generate_prime(FILE * outfile, int how, common_info_st * info)
 #endif
 }
- if (info->outcert_format == GNUTLS_X509_FMT_PEM)
+ if (info->outtext)
 print_dh_info(outfile, &p, &g, q_bits, info->cprint);
 if (!info->cprint) { /* generate a PKCS#3 structure */
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 3dac2ae3c1..ea7f43f2f1 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -43,6 +43,7 @@ typedef struct common_info {
 int pkcs8;
 int incert_format;
 int outcert_format;
+ int outtext;
 const char *cert;
 const char *request;
@@ -150,8 +151,11 @@ void dh_info(FILE * infile, FILE * outfile, common_info_st * ci);
 gnutls_x509_privkey_t *load_privkey_list(int mand, size_t * privkey_size, common_info_st * info);
-void _pubkey_info(FILE * outfile, gnutls_certificate_print_formats_t,
- gnutls_pubkey_t pubkey);
+void print_pubkey_info(gnutls_pubkey_t pubkey,
+ FILE *outfile,
+ gnutls_certificate_print_formats_t format,
+ gnutls_x509_crt_fmt_t outcert_format,
+ unsigned int outtext);
 void print_ecc_pkey(FILE * outfile, gnutls_ecc_curve_t curve, gnutls_datum_t * k, gnutls_datum_t * x, gnutls_datum_t * y, int cprint);
diff --git a/src/certtool.c b/src/certtool.c
index a755e1bca3..a45efdf7b7 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -57,14 +57,14 @@ static FILE *stdlog = NULL;
-static void print_crl_info(gnutls_x509_crl_t crl, FILE * out);
+static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *cinfo);
 void pkcs7_info(common_info_st *cinfo, unsigned display_data);
 void pkcs7_sign(common_info_st *, unsigned embed);
 void pkcs7_generate(common_info_st *);
 void pkcs8_info(void);
 void pkcs8_info_int(gnutls_datum_t *data, unsigned format, unsigned ignore_err, FILE *out, const char *tab);
-void crq_info(void);
+void crq_info(common_info_st *cinfo);
 void smime_to_pkcs7(void);
 void pkcs12_info(common_info_st *);
 void generate_pkcs12(common_info_st *);
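Review bot: The new `int outtext;` field in common_info (certtool-common.h hunk at -43) is undocumented, and its type differs from the `unsigned int outtext` parameter that print_pubkey_info takes a few lines later in the same header, so the call in pubkey_info passes an int where an unsigned is expected. Either declare both with the same type or at least document the field, e.g. `int outtext; /* non-zero: emit textual info before PEM output; cmd_parser forces 0 for DER */`. The struct continues outside the hunk.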
@@ -74,7 +74,7 @@ void verify_crl(common_info_st * cinfo);
 void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_data);
 void pubkey_info(gnutls_x509_crt_t crt, common_info_st *);
 void certificate_info(int, common_info_st *);
-void crl_info(void);
+void crl_info(common_info_st *cinfo);
 void privkey_info(common_info_st *);
 static void cmd_parser(int argc, char **argv);
 void generate_self_signed(common_info_st *);
@@ -1073,7 +1073,7 @@ static void generate_signed_crl(common_info_st * cinfo)
 app_exit(1);
 }
- print_crl_info(crl, stdlog);
+ print_crl_info(crl, stdlog, cinfo);
 gnutls_privkey_deinit(ca_key);
 gnutls_x509_crl_deinit(crl);
@@ -1334,6 +1334,7 @@ static void cmd_parser(int argc, char **argv)
 cinfo.pkcs8 = HAVE_OPT(PKCS8);
 cinfo.incert_format = incert_format;
 cinfo.outcert_format = outcert_format;
+ cinfo.outtext = ENABLED_OPT(TEXT) && outcert_format == GNUTLS_X509_FMT_PEM;
 if (HAVE_OPT(LOAD_CERTIFICATE))
 cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
@@ -1432,7 +1433,7 @@ static void cmd_parser(int argc, char **argv)
 else if (HAVE_OPT(GET_DH_PARAMS))
 generate_prime(outfile, 0, &cinfo);
 else if (HAVE_OPT(CRL_INFO))
- crl_info();
+ crl_info(&cinfo);
 else if (HAVE_OPT(P7_INFO))
 pkcs7_info(&cinfo, ENABLED_OPT(P7_SHOW_DATA));
 else if (HAVE_OPT(P7_GENERATE))
@@ -1450,7 +1451,7 @@ static void cmd_parser(int argc, char **argv)
 else if (HAVE_OPT(TO_P8))
 generate_pkcs8(&cinfo);
 else if (HAVE_OPT(CRQ_INFO))
- crq_info();
+ crq_info(&cinfo);
 else
 USAGE(1);
@@ -1504,7 +1505,7 @@ void certificate_info(int pubkey, common_info_st * cinfo)
 if (i > 0)
 fprintf(outfile, "\n");
- if (outcert_format == GNUTLS_X509_FMT_PEM)
+ if (cinfo->outtext)
 print_certificate_info(crts[i], outfile, 1);
 if (pubkey) {
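Review bot: `cinfo.outtext = ENABLED_OPT(TEXT) && outcert_format == GNUTLS_X509_FMT_PEM;` in the cmd_parser hunk at -1334 is now the single place that keeps human-readable text out of DER output; every print_* site in this series tests outtext alone and no longer looks at the format. That invariant deserves a comment so a later refactor does not drop the PEM term, e.g. `/* Text must never precede DER output: --text is only honoured for PEM. */`. cmd_parser begins and ends outside the hunk.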
@@ -1554,13 +1555,13 @@ print_certificate_info(gnutls_x509_crt_t crt, FILE * out, unsigned int all)
 }
 }
-static void print_crl_info(gnutls_x509_crl_t crl, FILE * out)
+static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *cinfo)
 {
 gnutls_datum_t data;
 gnutls_datum_t cout;
 int ret;
- if (outcert_format == GNUTLS_X509_FMT_PEM) {
+ if (cinfo->outtext) {
 ret = gnutls_x509_crl_print(crl, full_format, &data);
 if (ret < 0) {
 fprintf(stderr, "crl_print: %s\n", gnutls_strerror(ret));
@@ -1582,7 +1583,7 @@ static void print_crl_info(gnutls_x509_crl_t crl, FILE * out)
 gnutls_free(cout.data);
 }
-void crl_info(void)
+void crl_info(common_info_st *cinfo)
 {
 gnutls_x509_crl_t crl;
 int ret;
@@ -1611,18 +1612,18 @@ void crl_info(void)
 app_exit(1);
 }
- print_crl_info(crl, outfile);
+ print_crl_info(crl, outfile, cinfo);
 gnutls_x509_crl_deinit(crl);
 }
-static void print_crq_info(gnutls_x509_crq_t crq, FILE * out)
+static void print_crq_info(gnutls_x509_crq_t crq, FILE * out, common_info_st *cinfo)
 {
 gnutls_datum_t data;
 int ret;
 size_t size;
- if (outcert_format == GNUTLS_X509_FMT_PEM) {
+ if (cinfo->outtext) {
 ret = gnutls_x509_crq_print(crq, full_format, &data);
 if (ret < 0) {
 fprintf(stderr, "crq_print: %s\n",
@@ -1637,10 +1638,10 @@ static void print_crq_info(gnutls_x509_crq_t crq, FILE * out)
 ret = gnutls_x509_crq_verify(crq, 0);
 if (ret < 0) {
- fprintf(outcert_format == GNUTLS_X509_FMT_PEM ? out : stderr,
+ fprintf(cinfo->outtext ? out : stderr,
 "Self signature: FAILED\n\n");
 } else {
- fprintf(outcert_format == GNUTLS_X509_FMT_PEM ? out : stderr,
+ fprintf(cinfo->outtext ? out : stderr,
 "Self signature: verified\n\n");
 }
@@ -1654,7 +1655,7 @@ static void print_crq_info(gnutls_x509_crq_t crq, FILE * out)
 fwrite(lbuffer, 1, size, outfile);
 }
-void crq_info(void)
+void crq_info(common_info_st *cinfo)
 {
 gnutls_x509_crq_t crq;
 int ret;
@@ -1683,7 +1684,7 @@ void crq_info(void) app_exit(1); } - print_crq_info(crq, outfile); + print_crq_info(crq, outfile, cinfo); gnutls_x509_crq_deinit(crq); } @@ -2052,7 +2053,7 @@ void generate_request(common_info_st * cinfo) app_exit(1); } - print_crq_info(crq, outfile); + print_crq_info(crq, outfile, cinfo); gnutls_x509_crq_deinit(crq); gnutls_privkey_deinit(pkey); @@ -2531,7 +2532,7 @@ void verify_crl(common_info_st * cinfo) app_exit(1); } - print_crl_info(crl, outfile); + print_crl_info(crl, outfile, cinfo); ret = gnutls_x509_crl_verify(crl, &issuer, 1, 0, &output); if (ret < 0) { @@ -3864,8 +3865,6 @@ gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo) void pubkey_info(gnutls_x509_crt_t crt, common_info_st * cinfo) { gnutls_pubkey_t pubkey; - int ret; - size_t size; pubkey = find_pubkey(crt, cinfo); if (pubkey == 0) { @@ -3873,27 +3872,7 @@ void pubkey_info(gnutls_x509_crt_t crt, common_info_st * cinfo) app_exit(1); } - if (outcert_format == GNUTLS_X509_FMT_DER) { - size = lbuffer_size; - ret = - gnutls_pubkey_export(pubkey, outcert_format, lbuffer, - &size); - if (ret < 0) { - fprintf(stderr, "export error: %s\n", - gnutls_strerror(ret)); - app_exit(1); - } - - fwrite(lbuffer, 1, size, outfile); - - gnutls_pubkey_deinit(pubkey); - - return; - } - - /* PEM */ - - _pubkey_info(outfile, full_format, pubkey); + print_pubkey_info(pubkey, outfile, full_format, outcert_format, cinfo->outtext); gnutls_pubkey_deinit(pubkey); } diff --git a/src/tpmtool.c b/src/tpmtool.c index 23085b1976..76568bb428 100644 --- a/src/tpmtool.c +++ b/src/tpmtool.c @@ -373,7 +373,7 @@ static void tpm_pubkey(const char *url, FILE * out, unsigned int srk_well_known) exit(1); } - _pubkey_info(out, GNUTLS_CRT_PRINT_FULL, pubkey); + print_pubkey_info(pubkey, out, GNUTLS_CRT_PRINT_FULL, GNUTLS_X509_FMT_PEM, 1); gnutls_pubkey_deinit(pubkey); } -- cgit v1.2.1 From fc81bfef9a816db9afbb21f4fc7c1b4371f6e069 Mon Sep 17 00:00:00 2001 
From: Dmitry Eremin-Solenikov Date: Wed, 21 Nov 2018 18:35:07 +0300 Subject: cert-tests: verify --no-text switch for cert/crq/pub/privkeys Signed-off-by: Dmitry Eremin-Solenikov --- tests/cert-tests/crl | 15 +++++++++++++++ tests/cert-tests/crq | 13 +++++++++++++ tests/cert-tests/pem-decoding | 42 +++++++++++++++++++++++++++++++++++++++++ tests/cert-tests/privkey-import | 16 ++++++++++++++++ 4 files changed, 86 insertions(+) diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index f1d1c9683c..15fa44b844 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -39,6 +39,7 @@ OUTFILE=out-crl.$$.tmp INFOFILE=out-crl-info.$$.tmp OUTFILE2=out2-crl.$$.tmp TMPFILE=crl.$$.tmpl +TMP2FILE=crl.$$.tmp2 echo "crl_next_update = 43" >$TMPFILE echo "crl_number = 7" >>$TMPFILE @@ -54,6 +55,19 @@ if test "${rc}" != "0"; then exit ${rc} fi +${VALGRIND} "${CERTTOOL}" --crl-info --infile ${OUTFILE} --no-text >${TMP2FILE} +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text crl info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMP2FILE} ; then + echo "--no-text crl info failed 2" + exit 1 +fi + grep "Revoked certificates (152)" "${INFOFILE}" >/dev/null 2>&1 if test "$?" != "0"; then echo "CRL generation didn't succeed as expected" @@ -289,5 +303,6 @@ rm -f "${OUTFILE}" rm -f "${INFOFILE}" rm -f "${OUTFILE2}" rm -f "${TMPFILE}" +rm -f "${TMP2FILE}" exit 0 diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index 3edc004d6b..2c59930fef 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq 
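Review bot: The new `grep -v` check in the crl hunk at -54 only proves that nothing other than PEM-shaped lines is in ${TMP2FILE}; an empty file (for instance if the CRL were written to stderr or not at all) contains no offending line and passes "failed 2", so the test does not establish that --no-text still emits the CRL. Add a positive check after it, e.g. `grep -q '^-----BEGIN ' ${TMP2FILE} || { echo "--no-text crl info failed 3"; exit 1; }`. The same pattern is repeated in the crq, pem-decoding and privkey-import hunks of this commit and in the later pkcs12 and pkcs7 test hunks. The regex also depends on GNU grep's `\+` and `\|` BRE extensions, which is fine if the suite already assumes GNU grep but otherwise should use `grep -E` with `+` and `|`.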
@@ -66,6 +66,19 @@ datefudge -s "2007-04-22" \ --template "${srcdir}/templates/template-tlsfeature.tmpl" \ --outfile $OUTFILE 2>/dev/null +${CERTTOOL} --crq-info --no-text --infile ${OUTFILE} > ${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text crq info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text crq info failed 2" + exit 1 +fi + datefudge -s "2007-04-22" \ "${CERTTOOL}" --generate-certificate \ --load-ca-privkey "${srcdir}/data/template-test.key" \ diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding index 0222ae72af..7419656d02 100755 --- a/tests/cert-tests/pem-decoding +++ b/tests/cert-tests/pem-decoding 
@@ -179,6 +179,48 @@ if test "${rc}" != "0"; then exit ${rc} fi +#check if --no-text works as expected +${VALGRIND} "${CERTTOOL}" --certificate-info --infile "${srcdir}/data/cert-ecc256.pem" --no-text >${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text -k --certificate-info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text -k --certificate-info failed 2" + exit 1 +fi + +#check if --no-text works as expected +${VALGRIND} "${CERTTOOL}" --certificate-pubkey --infile "${srcdir}/data/cert-ecc256.pem" --no-text >${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text cert pubkey failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text cert pubkey failed 2" + exit 1 +fi + +#check if --no-text works as expected +${VALGRIND} "${CERTTOOL}" --pubkey-info --infile "${srcdir}/data/cert-ecc256.pem" --no-text >${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text pubkey info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text pubkey info failed 2" + exit 1 +fi + rm -f ${TMPFILE} ${TMPFILE1} ${TMPFILE2} exit 0 diff --git a/tests/cert-tests/privkey-import b/tests/cert-tests/privkey-import index 6eaa237836..afac285463 100755 --- a/tests/cert-tests/privkey-import +++ b/tests/cert-tests/privkey-import @@ -23,6 +23,7 @@ srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" +TMPFILE=tmp-$$.privkey.tmp if ! test -x "${CERTTOOL}"; then exit 77 
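Review bot: The failure messages of the first new check in the pem-decoding hunk say `--no-text -k --certificate-info failed 1` and `... failed 2`, but the command actually run is `--certificate-info` with no `-k`; the stray `-k` looks copied from the privkey-import test and will misdirect whoever debugs a failure. Change both lines to `echo "--no-text --certificate-info failed 1"` and `echo "--no-text --certificate-info failed 2"`.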
@@ -43,4 +44,19 @@ if test "${rc}" != "0";then fi done +${VALGRIND} "${CERTTOOL}" -k --infile "${srcdir}/data/privkey1.pem" --no-text >${TMPFILE} +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text privkey info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text privkey info failed 2" + exit 1 +fi + +rm -f ${TMPFILE} + exit 0 -- cgit v1.2.1 From f9874f9feac63ea25d462d15ccdeb2d2f883298e Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 21 Nov 2018 20:05:20 +0300 Subject: certtool: don't output pkcs12 information to stderr Print all pkcs12-info output to outfile, rather than stderr. Signed-off-by: Dmitry Eremin-Solenikov --- src/certtool.c | 17 +++++++---------- tests/cert-tests/data/key-corpus-rc2-1.p12.out | 5 +++++ 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/certtool.c b/src/certtool.c index a45efdf7b7..e32541319f 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -3273,7 +3273,7 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag) app_exit(1); } - fprintf(stderr, "\tType: %s\n", BAGTYPE(type)); + fprintf(outfile, "\tType: %s\n", BAGTYPE(type)); result = gnutls_pkcs12_bag_get_data(bag, i, &cdata); if (result < 0) { @@ -3282,12 +3282,9 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag) app_exit(1); } - if (type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY) { - if (outcert_format == GNUTLS_X509_FMT_DER) - pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, stderr, "\t"); - else - pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, outfile, "\t"); - } + if (type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY && + outcert_format == GNUTLS_X509_FMT_PEM) + pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, outfile, "\t"); name = NULL; result = 
@@ -3505,9 +3502,9 @@ void pkcs12_info(common_info_st * cinfo) } if (result == GNUTLS_BAG_ENCRYPTED) { - fprintf(stderr, "\tType: %s\n", BAGTYPE(result)); - pkcs12_bag_enc_info(bag, stderr); - fprintf(stderr, "\n\tDecrypting...\n"); + fprintf(outfile, "\tType: %s\n", BAGTYPE(result)); + pkcs12_bag_enc_info(bag, outfile); + fprintf(outfile, "\n\tDecrypting...\n"); result = gnutls_pkcs12_bag_decrypt(bag, pass); diff --git a/tests/cert-tests/data/key-corpus-rc2-1.p12.out b/tests/cert-tests/data/key-corpus-rc2-1.p12.out index 534b796546..6246ca31b9 100644 --- a/tests/cert-tests/data/key-corpus-rc2-1.p12.out +++ b/tests/cert-tests/data/key-corpus-rc2-1.p12.out @@ -5,8 +5,13 @@ MAC info: Iteration count: 2048 BAG #0 + Type: Encrypted + Schema: unsupported (1.2.840.113549.1.5.13) + + Decrypting... BAG #1 Elements: 1 + Type: PKCS #8 Encrypted key PKCS #8 information: Schema: unsupported (1.2.840.113549.1.5.13/1.2.840.113549.3.2) Friendly name: localhost -- cgit v1.2.1 From 2e6f022fda292eeedfb1289aa1593af4a31f77b6 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Fri, 16 Nov 2018 03:46:52 +0300 Subject: certtool: don't output textual information if --no-text was given Disable text output if --no-text option was given for --p7-info and --p12-info. Signed-off-by: Dmitry Eremin-Solenikov --- src/certtool.c | 35 +++++++++++++++----------- tests/cert-tests/data/key-corpus-rc2-1.p12.out | 2 +- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/src/certtool.c b/src/certtool.c index e32541319f..2708b9e9b0 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -3249,7 +3249,7 @@ static const char *BAGTYPE(gnutls_pkcs12_bag_type_t x) } } -static void print_bag_data(gnutls_pkcs12_bag_t bag) +static void print_bag_data(gnutls_pkcs12_bag_t bag, int outtext) { int result; int count, i, type; 
@@ -3263,7 +3263,8 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag)
 app_exit(1);
 }
- fprintf(outfile, "\tElements: %d\n", count);
+ if (outtext)
+ fprintf(outfile, "\tElements: %d\n", count);
 for (i = 0; i < count; i++) {
 type = gnutls_pkcs12_bag_get_type(bag, i);
@@ -3273,7 +3274,8 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag)
 app_exit(1);
 }
- fprintf(outfile, "\tType: %s\n", BAGTYPE(type));
+ if (outtext)
+ fprintf(outfile, "\tType: %s\n", BAGTYPE(type));
 result = gnutls_pkcs12_bag_get_data(bag, i, &cdata);
 if (result < 0) {
@@ -3283,7 +3285,7 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag)
 }
 if (type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY &&
- outcert_format == GNUTLS_X509_FMT_PEM)
+ outtext)
 pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, outfile, "\t");
 name = NULL;
@@ -3296,7 +3298,7 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag)
 app_exit(1);
 }
- if (name)
+ if (name && outtext)
 fprintf(outfile, "\tFriendly name: %s\n", name);
 id.data = NULL;
@@ -3308,7 +3310,7 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag)
 app_exit(1);
 }
- if (id.size > 0)
+ if (id.size > 0 && outtext)
 fprintf(outfile, "\tKey ID: %s\n", raw_to_string(id.data, id.size));
@@ -3338,7 +3340,7 @@ static void print_bag_data(gnutls_pkcs12_bag_t bag)
 fprintf(stderr, "Error in base64 encoding: %s\n", gnutls_strerror(result));
 app_exit(1);
 }
- fprintf(outfile, "%s\n", out.data);
+ fprintf(outfile, "%s", out.data);
 gnutls_free(out.data);
 }
@@ -3436,11 +3438,11 @@ void pkcs12_info(common_info_st * cinfo)
 salt_size = sizeof(salt);
 result = gnutls_pkcs12_mac_info(pkcs12, &mac_algo, salt, &salt_size, &mac_iter, &mac_oid);
- if (result == GNUTLS_E_UNKNOWN_HASH_ALGORITHM) {
+ if (result == GNUTLS_E_UNKNOWN_HASH_ALGORITHM && cinfo->outtext) {
 fprintf(outfile, "MAC info:\n");
 if (mac_oid != NULL)
 fprintf(outfile, "\tMAC: unknown (%s)\n", mac_oid);
- } else if (result >= 0) {
+ } else if (result >= 0 && cinfo->outtext) {
 gnutls_datum_t bin;
 fprintf(outfile, "MAC info:\n");
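Review bot: Adding `&& cinfo->outtext` to both conditions of the MAC-info chain in the pkcs12_info hunk at -3436 changes which branch a successful gnutls_pkcs12_mac_info() call takes under --no-text: neither condition holds, so control falls through to whatever follows the `else if`, and if the chain ends in an `else` that reports the error (its tail is outside the hunk) a valid MAC would be treated as a failure whenever text output is disabled. Safer to leave the result tests as they were and gate only the printing, e.g. wrap the original `if`/`else if` in `if (cinfo->outtext) {` or guard each fprintf individually. pkcs12_info begins and ends outside the hunk.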
@@ -3491,7 +3493,8 @@ void pkcs12_info(common_info_st * cinfo) app_exit(1); } - fprintf(outfile, "BAG #%d\n", indx); + if (cinfo->outtext) + fprintf(outfile, "%sBAG #%d\n", indx ? "\n" : "", indx); result = gnutls_pkcs12_bag_get_type(bag, 0); if (result < 0) { @@ -3502,9 +3505,11 @@ void pkcs12_info(common_info_st * cinfo) } if (result == GNUTLS_BAG_ENCRYPTED) { - fprintf(outfile, "\tType: %s\n", BAGTYPE(result)); - pkcs12_bag_enc_info(bag, outfile); - fprintf(outfile, "\n\tDecrypting...\n"); + if (cinfo->outtext) { + fprintf(outfile, "\tType: %s\n", BAGTYPE(result)); + pkcs12_bag_enc_info(bag, outfile); + fprintf(outfile, "\n\tDecrypting...\n"); + } result = gnutls_pkcs12_bag_decrypt(bag, pass); @@ -3525,7 +3530,7 @@ void pkcs12_info(common_info_st * cinfo) } } - print_bag_data(bag); + print_bag_data(bag, cinfo->outtext); gnutls_pkcs12_bag_deinit(bag); } @@ -3663,7 +3668,7 @@ void pkcs7_info(common_info_st *cinfo, unsigned display_data) app_exit(1); } } else { - if (outcert_format == GNUTLS_X509_FMT_PEM) { + if (cinfo->outtext) { ret = gnutls_pkcs7_print(pkcs7, GNUTLS_CRT_PRINT_FULL, &str); if (ret < 0) { fprintf(stderr, "printing error: %s\n", diff --git a/tests/cert-tests/data/key-corpus-rc2-1.p12.out b/tests/cert-tests/data/key-corpus-rc2-1.p12.out index 6246ca31b9..1781059233 100644 --- a/tests/cert-tests/data/key-corpus-rc2-1.p12.out +++ b/tests/cert-tests/data/key-corpus-rc2-1.p12.out @@ -9,6 +9,7 @@ BAG #0 Schema: unsupported (1.2.840.113549.1.5.13) Decrypting... + BAG #1 Elements: 1 Type: PKCS #8 Encrypted key @@ -46,4 +47,3 @@ XPvobYe2HqIYKwkDOpP9wX7ClCiPoOlt7VKMuBJQy/1JFC6DRA7oBYmcZbZxw2uo j/dC2cK5jsPC75a5+8HqySwQGlBGxlMOeyi/pKzSdWOdZ9NEshvTje/mnme3Hx05 JWamOc7reYsFpA== -----END ENCRYPTED PRIVATE KEY----- - -- cgit v1.2.1 From d2c6553ed15ef5327e9f7179e7f4fbdfa1ae4169 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 21 Nov 2018 18:35:07 +0300 Subject: cert-tests: verify --no-text switch for pkcs7/pkcs12 info 
Signed-off-by: Dmitry Eremin-Solenikov --- tests/cert-tests/pkcs12 | 13 +++++++++++++ tests/cert-tests/pkcs7 | 15 +++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/tests/cert-tests/pkcs12 b/tests/cert-tests/pkcs12 index 12049c8fd0..d05389d10f 100755 --- a/tests/cert-tests/pkcs12 +++ b/tests/cert-tests/pkcs12 @@ -80,6 +80,19 @@ if test ${rc} != 0; then exit 1 fi +${VALGRIND} "${CERTTOOL}" --p12-info --inder --password 1234 --infile "$srcdir/data/sha256.p12" --outfile "${TMPFILE}" --no-text +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text pkcs12 info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text pkcs12 info failed 2" + exit 1 +fi + # test whether we can encode a certificate and a key ${VALGRIND} "${CERTTOOL}" --to-p12 --password 1234 --p12-name "my-key" --load-certificate "${srcdir}/../certs/cert-ecc256.pem" --load-privkey "${srcdir}/../certs/ecc256.pem" --outder --outfile $TMPFILE >/dev/null rc=$? diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index 48192985ec..bfe11290fc 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 @@ -34,6 +34,7 @@ fi OUTFILE=out-pkcs7.$$.tmp OUTFILE2=out2-pkcs7.$$.tmp +TMPFILE=tmp-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh @@ -63,6 +64,19 @@ if test "$?" != "0"; then fi done +${VALGRIND} "${CERTTOOL}" --inder --p7-info --infile "${srcdir}/data/full.p7b" --outfile "${TMPFILE}" --no-text +rc=$? + +if test "${rc}" != "0"; then + echo "--no-text pkcs7 info failed 1" + exit ${rc} +fi + +if grep -v '^-----BEGIN [A-Z0-9 ]\+-----$\|^[A-Za-z0-9/+=]\+$\|^-----END [A-Z0-9 ]\+-----$' ${TMPFILE} ; then + echo "--no-text pkcs7 info failed 2" + exit 1 +fi + # check signatures for FILE in full.p7b openssl.p7b openssl-keyid.p7b; do @@ -324,5 +338,6 @@ fi rm -f "${OUTFILE}" rm -f "${OUTFILE2}" +rm -f "${TMPFILE}" exit 0 -- cgit v1.2.1