Bug Summary

File:src/certtool.c
Location:line 2352, column 7
Description:Value stored to 'comma' is never read

Annotated Source Code

1/*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 */
20
21#include <config.h>
22
23#include <gnutls/gnutls.h>
24#include <gnutls/x509.h>
25#include <gnutls/openpgp.h>
26#include <gnutls/pkcs12.h>
27#include <gnutls/pkcs11.h>
28#include <gnutls/abstract.h>
29
30#include <stdio.h>
31#include <stdlib.h>
32#include <string.h>
33#include <ctype.h>
34#include <time.h>
35#include <unistd.h>
36#include <errno(*__errno_location ()).h>
37#include <sys/types.h>
38#include <sys/stat.h>
39#include <fcntl.h>
40#include <error.h>
41
42/* Gnulib portability files. */
43#include <read-file.h>
44#include <progname.h>
45#include <version-etc.h>
46
47#include <certtool-cfg.h>
48#include <p11common.h>
49#include "certtool-gaa.h"
50#include "certtool-common.h"
51
52#define SIGN_HASHGNUTLS_DIG_SHA256 GNUTLS_DIG_SHA256
53
54static void privkey_info_int (gnutls_x509_privkey_t key);
55static void print_crl_info (gnutls_x509_crl_t crl, FILE * out);
56void pkcs7_info (void);
57void crq_info (void);
58void smime_to_pkcs7 (void);
59void pkcs12_info (void);
60void generate_pkcs12 (common_info_st *);
61void generate_pkcs8 (common_info_st *);
62static void verify_chain (void);
63void verify_crl (common_info_st * cinfo);
64void pubkey_info (gnutls_x509_crt_t crt, common_info_st *);
65void pgp_privkey_info (void);
66void pgp_ring_info (void);
67void certificate_info (int, common_info_st *);
68void pgp_certificate_info (void);
69void crl_info (void);
70void privkey_info (void);
71static void gaa_parser (int argc, char **argv);
72void generate_self_signed (common_info_st *);
73void generate_request (common_info_st *);
74static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
75 unsigned int all);
76static void verify_certificate (common_info_st * cinfo);
77
78static void print_hex_datum (gnutls_datum_t * dat);
79
80static gaainfo info;
81FILE *outfile;
82FILE *infile;
83gnutls_digest_algorithm_t default_dig;
84
85/* non interactive operation if set
86 */
87int batch;
88
89
90static void
91tls_log_func (int level, const char *str)
92{
93 fprintf (stderrstderr, "|<%d>| %s", level, str);
94}
95
96int
97main (int argc, char **argv)
98{
99 set_program_name (argv[0]);
100 cfg_init ();
101 gaa_parser (argc, argv);
102
103 return 0;
104}
105
106static const char *
107raw_to_string (const unsigned char *raw, size_t raw_size)
108{
109 static char buf[1024];
110 size_t i;
111 if (raw_size == 0)
112 return NULL((void*)0);
113
114 if (raw_size * 3 + 1 >= sizeof (buf))
115 return NULL((void*)0);
116
117 for (i = 0; i < raw_size; i++)
118 {
119 sprintf (&(buf[i * 3]), "%02X%s", raw[i],
120 (i == raw_size - 1) ? "" : ":");
121 }
122 buf[sizeof (buf) - 1] = '\0';
123
124 return buf;
125}
126
127static void
128print_dsa_pkey (gnutls_datum_t * x, gnutls_datum_t * y, gnutls_datum_t * p,
129 gnutls_datum_t * q, gnutls_datum_t * g)
130{
131 if (x)
132 {
133 fprintf (outfile, "private key:");
134 print_hex_datum (x);
135 }
136 fprintf (outfile, "public key:");
137 print_hex_datum (y);
138 fprintf (outfile, "p:");
139 print_hex_datum (p);
140 fprintf (outfile, "q:");
141 print_hex_datum (q);
142 fprintf (outfile, "g:");
143 print_hex_datum (g);
144}
145
146static void
147print_ecc_pkey (gnutls_ecc_curve_t curve, gnutls_datum_t* k, gnutls_datum_t * x, gnutls_datum_t * y)
148{
149 fprintf (outfile, "curve:\t%s\n", gnutls_ecc_curve_get_name(curve));
150 if (k)
151 {
152 fprintf (outfile, "private key:");
153 print_hex_datum (k);
154 }
155 fprintf (outfile, "x:");
156 print_hex_datum (x);
157 fprintf (outfile, "y:");
158 print_hex_datum (y);
159}
160
161static void
162print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d,
163 gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u,
164 gnutls_datum_t * exp1, gnutls_datum_t * exp2)
165{
166 fprintf (outfile, "modulus:");
167 print_hex_datum (m);
168 fprintf (outfile, "public exponent:");
169 print_hex_datum (e);
170 if (d)
171 {
172 fprintf (outfile, "private exponent:");
173 print_hex_datum (d);
174 fprintf (outfile, "prime1:");
175 print_hex_datum (p);
176 fprintf (outfile, "prime2:");
177 print_hex_datum (q);
178 fprintf (outfile, "coefficient:");
179 print_hex_datum (u);
180 if (exp1 && exp2)
181 {
182 fprintf (outfile, "exp1:");
183 print_hex_datum (exp1);
184 fprintf (outfile, "exp2:");
185 print_hex_datum (exp2);
186 }
187 }
188}
189
190static gnutls_x509_privkey_t
191generate_private_key_int (void)
192{
193 gnutls_x509_privkey_t key;
194 int ret, key_type, bits;
195
196 if (info.dsa)
197 key_type = GNUTLS_PK_DSA;
198 else if (info.ecc)
199 key_type = GNUTLS_PK_EC;
200 else
201 key_type = GNUTLS_PK_RSA;
202
203 ret = gnutls_x509_privkey_init (&key);
204 if (ret < 0)
205 error (EXIT_FAILURE1, 0, "privkey_init: %s", gnutls_strerror (ret));
206
207 bits = get_bits (key_type, info.bits, info.sec_param);
208
209 fprintf (stderrstderr, "Generating a %d bit %s private key...\n",
210 bits, gnutls_pk_algorithm_get_name (key_type));
211
212 if (info.quick_random == 0)
213 fprintf (stderrstderr,
214 "This might take several minutes depending on availability of randomness"
215 " in /dev/random.\n");
216
217 if (bits > 1024 && key_type == GNUTLS_PK_DSA)
218 fprintf (stderrstderr,
219 "Note that DSA keys with size over 1024 can only be used with TLS 1.2 or later.\n\n");
220
221 ret = gnutls_x509_privkey_generate (key, key_type, bits, 0);
222 if (ret < 0)
223 error (EXIT_FAILURE1, 0, "privkey_generate: %s", gnutls_strerror (ret));
224
225 ret = gnutls_x509_privkey_verify_params (key);
226 if (ret < 0)
227 error (EXIT_FAILURE1, 0, "privkey_verify_params: %s", gnutls_strerror (ret));
228
229 return key;
230}
231
232static int
233cipher_to_flags (const char *cipher)
234{
235 if (strcasecmp (cipher, "3des") == 0)
236 {
237 return GNUTLS_PKCS_USE_PBES2_3DES;
238 }
239 else if (strcasecmp (cipher, "3des-pkcs12") == 0)
240 {
241 return GNUTLS_PKCS_USE_PKCS12_3DES;
242 }
243 else if (strcasecmp (cipher, "arcfour") == 0)
244 {
245 return GNUTLS_PKCS_USE_PKCS12_ARCFOUR;
246 }
247 else if (strcasecmp (cipher, "aes-128") == 0)
248 {
249 return GNUTLS_PKCS_USE_PBES2_AES_128;
250 }
251 else if (strcasecmp (cipher, "aes-192") == 0)
252 {
253 return GNUTLS_PKCS_USE_PBES2_AES_192;
254 }
255 else if (strcasecmp (cipher, "aes-256") == 0)
256 {
257 return GNUTLS_PKCS_USE_PBES2_AES_256;
258 }
259 else if (strcasecmp (cipher, "rc2-40") == 0)
260 {
261 return GNUTLS_PKCS_USE_PKCS12_RC2_40;
262 }
263
264 error (EXIT_FAILURE1, 0, "unknown cipher %s\n", cipher);
265 return -1;
266}
267
268
269static void
270print_private_key (gnutls_x509_privkey_t key)
271{
272 int ret;
273 size_t size;
274
275 if (!key)
276 return;
277
278 if (info.outcert_format == GNUTLS_X509_FMT_PEM)
279 privkey_info_int(key);
280
281 if (!info.pkcs8)
282 {
283 size = buffer_size;
284 ret = gnutls_x509_privkey_export (key, info.outcert_format,
285 buffer, &size);
286 if (ret < 0)
287 error (EXIT_FAILURE1, 0, "privkey_export: %s", gnutls_strerror (ret));
288 }
289 else
290 {
291 unsigned int flags;
292 const char *pass;
293
294 if (info.export)
295 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
296 else
297 flags = cipher_to_flags (info.pkcs_cipher);
298
299 if ((pass = get_confirmed_pass (true1)) == NULL((void*)0) || *pass == '\0')
300 flags = GNUTLS_PKCS_PLAIN;
301
302 size = buffer_size;
303 ret =
304 gnutls_x509_privkey_export_pkcs8 (key, info.outcert_format, pass,
305 flags, buffer, &size);
306 if (ret < 0)
307 error (EXIT_FAILURE1, 0, "privkey_export_pkcs8: %s",
308 gnutls_strerror (ret));
309 }
310
311 fwrite (buffer, 1, size, outfile);
312}
313
314static void
315generate_private_key (void)
316{
317 gnutls_x509_privkey_t key;
318
319 key = generate_private_key_int ();
320
321 print_private_key (key);
322
323 gnutls_x509_privkey_deinit (key);
324}
325
326
327static gnutls_x509_crt_t
328generate_certificate (gnutls_privkey_t * ret_key,
329 gnutls_x509_crt_t ca_crt, int proxy,
330 common_info_st * cinfo)
331{
332 gnutls_x509_crt_t crt;
333 gnutls_privkey_t key = NULL((void*)0);
334 gnutls_pubkey_t pubkey;
335 size_t size;
336 int ret;
337 int client;
338 int days, result, ca_status = 0, is_ike = 0, path_len;
339 int vers;
340 unsigned int usage = 0, server;
341 gnutls_x509_crq_t crq; /* request */
342
343 ret = gnutls_x509_crt_init (&crt);
344 if (ret < 0)
345 error (EXIT_FAILURE1, 0, "crt_init: %s", gnutls_strerror (ret));
346
347 crq = load_request (cinfo);
348
349 if (crq == NULL((void*)0))
350 {
351
352 key = load_private_key (1, cinfo);
353
354 pubkey = load_public_key_or_import (1, key, cinfo);
355
356 if (!batch)
357 fprintf (stderrstderr,
358 "Please enter the details of the certificate's distinguished name. "
359 "Just press enter to ignore a field.\n");
360
361 /* set the DN.
362 */
363 if (proxy)
364 {
365 result = gnutls_x509_crt_set_proxy_dn (crt, ca_crt, 0, NULL((void*)0), 0);
366 if (result < 0)
367 error (EXIT_FAILURE1, 0, "set_proxy_dn: %s",
368 gnutls_strerror (result));
369
370 get_cn_crt_set (crt);
371 }
372 else
373 {
374 get_country_crt_set (crt);
375 get_organization_crt_set (crt);
376 get_unit_crt_set (crt);
377 get_locality_crt_set (crt);
378 get_state_crt_set (crt);
379 get_cn_crt_set (crt);
380 get_uid_crt_set (crt);
381 get_oid_crt_set (crt);
382 get_key_purpose_set (crt);
383
384 if (!batch)
385 fprintf (stderrstderr,
386 "This field should not be used in new certificates.\n");
387
388 get_pkcs9_email_crt_set (crt);
389 }
390
391 result = gnutls_x509_crt_set_pubkey (crt, pubkey);
392 if (result < 0)
393 error (EXIT_FAILURE1, 0, "set_key: %s", gnutls_strerror (result));
394 }
395 else
396 {
397 result = gnutls_x509_crt_set_crq (crt, crq);
398 if (result < 0)
399 error (EXIT_FAILURE1, 0, "set_crq: %s", gnutls_strerror (result));
400 }
401
402
403 {
404 int serial = get_serial ();
405 char bin_serial[5];
406
407 bin_serial[4] = serial & 0xff;
408 bin_serial[3] = (serial >> 8) & 0xff;
409 bin_serial[2] = (serial >> 16) & 0xff;
410 bin_serial[1] = (serial >> 24) & 0xff;
411 bin_serial[0] = 0;
412
413 result = gnutls_x509_crt_set_serial (crt, bin_serial, 5);
414 if (result < 0)
415 error (EXIT_FAILURE1, 0, "serial: %s", gnutls_strerror (result));
416 }
417
418 if (!batch)
419 fprintf (stderrstderr, "\n\nActivation/Expiration time.\n");
420
421 gnutls_x509_crt_set_activation_time (crt, time (NULL((void*)0)));
422
423 days = get_days ();
424
425 result =
426 gnutls_x509_crt_set_expiration_time (crt,
427 time (NULL((void*)0)) + days * 24 * 60 * 60);
428 if (result < 0)
429 error (EXIT_FAILURE1, 0, "set_expiration: %s", gnutls_strerror (result));
430
431 if (!batch)
432 fprintf (stderrstderr, "\n\nExtensions.\n");
433
434 /* do not allow extensions on a v1 certificate */
435 if (crq && get_crq_extensions_status () != 0)
436 {
437 result = gnutls_x509_crt_set_crq_extensions (crt, crq);
438 if (result < 0)
439 error (EXIT_FAILURE1, 0, "set_crq: %s", gnutls_strerror (result));
440 }
441
442 /* append additional extensions */
443 if (info.v1_cert == 0)
444 {
445
446 if (proxy)
447 {
448 const char *policylanguage;
449 char *policy;
450 size_t policylen;
451 int proxypathlen = get_path_len ();
452
453 if (!batch)
454 {
455 printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
456 printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
457 }
458
459 policylanguage = get_proxy_policy (&policy, &policylen);
460
461 result =
462 gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage,
463 policy, policylen);
464 if (result < 0)
465 error (EXIT_FAILURE1, 0, "set_proxy: %s",
466 gnutls_strerror (result));
467 }
468
469 if (!proxy)
470 ca_status = get_ca_status ();
471 if (ca_status)
472 path_len = get_path_len ();
473 else
474 path_len = -1;
475
476 result =
477 gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len);
478 if (result < 0)
479 error (EXIT_FAILURE1, 0, "basic_constraints: %s",
480 gnutls_strerror (result));
481
482 client = get_tls_client_status ();
483 if (client != 0)
484 {
485 result = gnutls_x509_crt_set_key_purpose_oid (crt,
486 GNUTLS_KP_TLS_WWW_CLIENT"1.3.6.1.5.5.7.3.2",
487 0);
488 if (result < 0)
489 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (result));
490 }
491
492 is_ike = get_ipsec_ike_status ();
493 server = get_tls_server_status ();
494 if ((server != 0 && !proxy) || is_ike)
495 {
496 get_dns_name_set (TYPE_CRT1, crt);
497 get_ip_addr_set (TYPE_CRT1, crt);
498 }
499
500 if (server != 0)
501 {
502 result = 0;
503
504 result =
505 gnutls_x509_crt_set_key_purpose_oid (crt,
506 GNUTLS_KP_TLS_WWW_SERVER"1.3.6.1.5.5.7.3.1", 0);
507 if (result < 0)
508 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (result));
509 }
510 else if (!proxy)
511 {
512 get_email_set (TYPE_CRT1, crt);
513 }
514
515 if (!ca_status || server)
516 {
517 int pk;
518
519
520 pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL((void*)0));
521
522 if (pk != GNUTLS_PK_DSA)
523 { /* DSA keys can only sign.
524 */
525 result = get_sign_status (server);
526 if (result)
527 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE128;
528
529 result = get_encrypt_status (server);
530 if (result)
531 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT32;
532 }
533 else
534 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE128;
535
536 if (is_ike)
537 {
538 result =
539 gnutls_x509_crt_set_key_purpose_oid (crt,
540 GNUTLS_KP_IPSEC_IKE"1.3.6.1.5.5.7.3.17", 0);
541 if (result < 0)
542 error (EXIT_FAILURE1, 0, "key_kp: %s",
543 gnutls_strerror (result));
544 }
545 }
546
547
548 if (ca_status)
549 {
550 result = get_cert_sign_status ();
551 if (result)
552 usage |= GNUTLS_KEY_KEY_CERT_SIGN4;
553
554 result = get_crl_sign_status ();
555 if (result)
556 usage |= GNUTLS_KEY_CRL_SIGN2;
557
558 result = get_code_sign_status ();
559 if (result)
560 {
561 result =
562 gnutls_x509_crt_set_key_purpose_oid (crt,
563 GNUTLS_KP_CODE_SIGNING"1.3.6.1.5.5.7.3.3",
564 0);
565 if (result < 0)
566 error (EXIT_FAILURE1, 0, "key_kp: %s",
567 gnutls_strerror (result));
568 }
569
570 result = get_ocsp_sign_status ();
571 if (result)
572 {
573 result =
574 gnutls_x509_crt_set_key_purpose_oid (crt,
575 GNUTLS_KP_OCSP_SIGNING"1.3.6.1.5.5.7.3.9",
576 0);
577 if (result < 0)
578 error (EXIT_FAILURE1, 0, "key_kp: %s",
579 gnutls_strerror (result));
580 }
581
582 result = get_time_stamp_status ();
583 if (result)
584 {
585 result =
586 gnutls_x509_crt_set_key_purpose_oid (crt,
587 GNUTLS_KP_TIME_STAMPING"1.3.6.1.5.5.7.3.8",
588 0);
589 if (result < 0)
590 error (EXIT_FAILURE1, 0, "key_kp: %s",
591 gnutls_strerror (result));
592 }
593 }
594
595 if (usage != 0)
596 {
597 /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
598 set, then either digitalSignature or the nonRepudiation bits in the
599 KeyUsage extension MUST for all IKE certs */
600 if (is_ike && (get_sign_status (server) != 1))
601 usage |= GNUTLS_KEY_NON_REPUDIATION64;
602 result = gnutls_x509_crt_set_key_usage (crt, usage);
603 if (result < 0)
604 error (EXIT_FAILURE1, 0, "key_usage: %s",
605 gnutls_strerror (result));
606 }
607
608 /* Subject Key ID.
609 */
610 size = buffer_size;
611 result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size);
612 if (result >= 0)
613 {
614 result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size);
615 if (result < 0)
616 error (EXIT_FAILURE1, 0, "set_subject_key_id: %s",
617 gnutls_strerror (result));
618 }
619
620 /* Authority Key ID.
621 */
622 if (ca_crt != NULL((void*)0))
623 {
624 size = buffer_size;
625 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
626 &size, NULL((void*)0));
627 if (result < 0)
628 {
629 size = buffer_size;
630 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
631 }
632 if (result >= 0)
633 {
634 result =
635 gnutls_x509_crt_set_authority_key_id (crt, buffer, size);
636 if (result < 0)
637 error (EXIT_FAILURE1, 0, "set_authority_key_id: %s",
638 gnutls_strerror (result));
639 }
640 }
641 }
642
643 /* Version.
644 */
645 if (info.v1_cert != 0)
646 vers = 1;
647 else
648 vers = 3;
649 result = gnutls_x509_crt_set_version (crt, vers);
650 if (result < 0)
651 error (EXIT_FAILURE1, 0, "set_version: %s", gnutls_strerror (result));
652
653 *ret_key = key;
654 return crt;
655
656}
657
658static gnutls_x509_crl_t
659generate_crl (gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
660{
661 gnutls_x509_crl_t crl;
662 gnutls_x509_crt_t *crts;
663 size_t size;
664 int days, result;
665 unsigned int i;
666 time_t now = time (NULL((void*)0));
667
668 result = gnutls_x509_crl_init (&crl);
669 if (result < 0)
670 error (EXIT_FAILURE1, 0, "crl_init: %s", gnutls_strerror (result));
671
672 crts = load_cert_list (0, &size, cinfo);
673
674 for (i = 0; i < size; i++)
675 {
676 result = gnutls_x509_crl_set_crt (crl, crts[i], now);
677 if (result < 0)
678 error (EXIT_FAILURE1, 0, "crl_set_crt: %s", gnutls_strerror (result));
679 }
680
681 result = gnutls_x509_crl_set_this_update (crl, now);
682 if (result < 0)
683 error (EXIT_FAILURE1, 0, "this_update: %s", gnutls_strerror (result));
684
685 fprintf (stderrstderr, "Update times.\n");
686 days = get_crl_next_update ();
687
688 result = gnutls_x509_crl_set_next_update (crl, now + days * 24 * 60 * 60);
689 if (result < 0)
690 error (EXIT_FAILURE1, 0, "next_update: %s", gnutls_strerror (result));
691
692 result = gnutls_x509_crl_set_version (crl, 2);
693 if (result < 0)
694 error (EXIT_FAILURE1, 0, "set_version: %s", gnutls_strerror (result));
695
696 /* Authority Key ID.
697 */
698 if (ca_crt != NULL((void*)0))
699 {
700 size = buffer_size;
701 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
702 &size, NULL((void*)0));
703 if (result < 0)
704 {
705 size = buffer_size;
706 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
707 }
708 if (result >= 0)
709 {
710 result = gnutls_x509_crl_set_authority_key_id (crl, buffer, size);
711 if (result < 0)
712 error (EXIT_FAILURE1, 0, "set_authority_key_id: %s",
713 gnutls_strerror (result));
714 }
715 }
716
717 {
718 unsigned int number = get_crl_number ();
719 char bin_number[5];
720
721 bin_number[4] = number & 0xff;
722 bin_number[3] = (number >> 8) & 0xff;
723 bin_number[2] = (number >> 16) & 0xff;
724 bin_number[1] = (number >> 24) & 0xff;
725 bin_number[0] = 0;
726
727 result = gnutls_x509_crl_set_number (crl, bin_number, 5);
728 if (result < 0)
729 error (EXIT_FAILURE1, 0, "set_number: %s", gnutls_strerror (result));
730 }
731
732 return crl;
733}
734
735static gnutls_digest_algorithm_t
736get_dig (gnutls_x509_crt_t crt)
737{
738 gnutls_digest_algorithm_t dig;
739 gnutls_pubkey_t pubkey;
740 int result;
741 unsigned int mand;
742
743 gnutls_pubkey_init(&pubkey);
744
745 result = gnutls_pubkey_import_x509(pubkey, crt, 0);
746 if (result < 0)
747 {
748 error (EXIT_FAILURE1, 0, "gnutls_pubkey_import_x509: %s",
749 gnutls_strerror (result));
750 }
751
752 result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand);
753 if (result < 0)
754 {
755 error (EXIT_FAILURE1, 0, "crt_get_preferred_hash_algorithm: %s",
756 gnutls_strerror (result));
757 }
758
759 gnutls_pubkey_deinit(pubkey);
760
761 /* if algorithm allows alternatives */
762 if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN)
763 dig = default_dig;
764
765 return dig;
766}
767
768void
769generate_self_signed (common_info_st * cinfo)
770{
771 gnutls_x509_crt_t crt;
772 gnutls_privkey_t key;
773 size_t size;
774 int result;
775 const char *uri;
776
777 fprintf (stderrstderr, "Generating a self signed certificate...\n");
778
779 crt = generate_certificate (&key, NULL((void*)0), 0, cinfo);
780
781 if (!key)
782 key = load_private_key (1, cinfo);
783
784 uri = get_crl_dist_point_url ();
785 if (uri)
786 {
787 result = gnutls_x509_crt_set_crl_dist_points (crt, GNUTLS_SAN_URI,
788 uri,
789 0 /* all reasons */ );
790 if (result < 0)
791 error (EXIT_FAILURE1, 0, "crl_dist_points: %s",
792 gnutls_strerror (result));
793 }
794
795 print_certificate_info (crt, stderrstderr, 0);
796
797 fprintf (stderrstderr, "\n\nSigning certificate...\n");
798
799 result = gnutls_x509_crt_privkey_sign (crt, crt, key, get_dig (crt), 0);
800 if (result < 0)
801 error (EXIT_FAILURE1, 0, "crt_sign: %s", gnutls_strerror (result));
802
803 size = buffer_size;
804 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
805 if (result < 0)
806 error (EXIT_FAILURE1, 0, "crt_export: %s", gnutls_strerror (result));
807
808 fwrite (buffer, 1, size, outfile);
809
810 gnutls_x509_crt_deinit (crt);
811 gnutls_privkey_deinit (key);
812}
813
814static void
815generate_signed_certificate (common_info_st * cinfo)
816{
817 gnutls_x509_crt_t crt;
818 gnutls_privkey_t key;
819 size_t size;
820 int result;
821 gnutls_privkey_t ca_key;
822 gnutls_x509_crt_t ca_crt;
823
824 fprintf (stderrstderr, "Generating a signed certificate...\n");
825
826 ca_key = load_ca_private_key (cinfo);
827 ca_crt = load_ca_cert (cinfo);
828
829 crt = generate_certificate (&key, ca_crt, 0, cinfo);
830
831 /* Copy the CRL distribution points.
832 */
833 gnutls_x509_crt_cpy_crl_dist_points (crt, ca_crt);
834 /* it doesn't matter if we couldn't copy the CRL dist points.
835 */
836
837 print_certificate_info (crt, stderrstderr, 0);
838
839 fprintf (stderrstderr, "\n\nSigning certificate...\n");
840
841 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
842 if (result < 0)
843 error (EXIT_FAILURE1, 0, "crt_sign: %s", gnutls_strerror (result));
844
845 size = buffer_size;
846 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
847 if (result < 0)
848 error (EXIT_FAILURE1, 0, "crt_export: %s", gnutls_strerror (result));
849
850 fwrite (buffer, 1, size, outfile);
851
852 gnutls_x509_crt_deinit (crt);
853 gnutls_privkey_deinit (key);
854 gnutls_privkey_deinit(ca_key);
855}
856
857static void
858generate_proxy_certificate (common_info_st * cinfo)
859{
860 gnutls_x509_crt_t crt, eecrt;
861 gnutls_privkey_t key, eekey;
862 size_t size;
863 int result;
864
865 fprintf (stderrstderr, "Generating a proxy certificate...\n");
866
867 eekey = load_ca_private_key (cinfo);
868 eecrt = load_cert (1, cinfo);
869
870 crt = generate_certificate (&key, eecrt, 1, cinfo);
871
872 print_certificate_info (crt, stderrstderr, 0);
873
874 fprintf (stderrstderr, "\n\nSigning certificate...\n");
875
876 result = gnutls_x509_crt_privkey_sign (crt, eecrt, eekey, get_dig (eecrt), 0);
877 if (result < 0)
878 error (EXIT_FAILURE1, 0, "crt_sign: %s", gnutls_strerror (result));
879
880 size = buffer_size;
881 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
882 if (result < 0)
883 error (EXIT_FAILURE1, 0, "crt_export: %s", gnutls_strerror (result));
884
885 fwrite (buffer, 1, size, outfile);
886
887 gnutls_x509_crt_deinit (eecrt);
888 gnutls_x509_crt_deinit (crt);
889 gnutls_privkey_deinit (key);
890 gnutls_privkey_deinit (eekey);
891}
892
893static void
894generate_signed_crl (common_info_st * cinfo)
895{
896 gnutls_x509_crl_t crl;
897 int result;
898 gnutls_privkey_t ca_key;
899 gnutls_x509_crt_t ca_crt;
900
901 fprintf (stderrstderr, "Generating a signed CRL...\n");
902
903 ca_key = load_ca_private_key (cinfo);
904 ca_crt = load_ca_cert (cinfo);
905 crl = generate_crl (ca_crt, cinfo);
906
907 fprintf (stderrstderr, "\n");
908 result = gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key, SIGN_HASHGNUTLS_DIG_SHA256, 0);
909 if (result < 0)
910 error (EXIT_FAILURE1, 0, "crl_privkey_sign: %s", gnutls_strerror (result));
911
912 print_crl_info (crl, stderrstderr);
913
914 gnutls_privkey_deinit( ca_key);
915 gnutls_x509_crl_deinit (crl);
916}
917
918static void
919update_signed_certificate (common_info_st * cinfo)
920{
921 gnutls_x509_crt_t crt;
922 size_t size;
923 int result;
924 gnutls_privkey_t ca_key;
925 gnutls_x509_crt_t ca_crt;
926 int days;
927 time_t tim = time (NULL((void*)0));
928
929 fprintf (stderrstderr, "Generating a signed certificate...\n");
930
931 ca_key = load_ca_private_key (cinfo);
932 ca_crt = load_ca_cert (cinfo);
933 crt = load_cert (1, cinfo);
934
935 fprintf (stderrstderr, "Activation/Expiration time.\n");
936 gnutls_x509_crt_set_activation_time (crt, tim);
937
938 days = get_days ();
939
940 result =
941 gnutls_x509_crt_set_expiration_time (crt, tim + days * 24 * 60 * 60);
942 if (result < 0)
943 error (EXIT_FAILURE1, 0, "set_expiration: %s", gnutls_strerror (result));
944
945 fprintf (stderrstderr, "\n\nSigning certificate...\n");
946
947 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
948 if (result < 0)
949 error (EXIT_FAILURE1, 0, "crt_sign: %s", gnutls_strerror (result));
950
951 size = buffer_size;
952 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
953 if (result < 0)
954 error (EXIT_FAILURE1, 0, "crt_export: %s", gnutls_strerror (result));
955
956 fwrite (buffer, 1, size, outfile);
957
958 gnutls_x509_crt_deinit (crt);
959}
960
961void
962gaa_parser (int argc, char **argv)
963{
964 int ret;
965 common_info_st cinfo;
966
967 if (gaa (argc, argv, &info) != -1)
968 {
969 fprintf (stderrstderr, "Try `%s --help' for more information.\n",
970 program_name);
971 exit (1);
972 }
973
974 if (info.outfile)
975 {
976 outfile = safe_open_rw (info.outfile, info.privkey_op);
977 if (outfile == NULL((void*)0))
978 error (EXIT_FAILURE1, errno(*__errno_location ()), "%s", info.outfile);
979 }
980 else
981 outfile = stdoutstdout;
982
983 if (info.infile)
984 {
985 infile = fopen (info.infile, "rb");
986 if (infile == NULL((void*)0))
987 error (EXIT_FAILURE1, errno(*__errno_location ()), "%s", info.infile);
988 }
989 else
990 infile = stdinstdin;
991
992 if (info.incert_format)
993 info.incert_format = GNUTLS_X509_FMT_DER;
994 else
995 info.incert_format = GNUTLS_X509_FMT_PEM;
996
997 if (info.outcert_format)
998 info.outcert_format = GNUTLS_X509_FMT_DER;
999 else
1000 info.outcert_format = GNUTLS_X509_FMT_PEM;
1001
1002 default_dig = GNUTLS_DIG_UNKNOWN;
1003 if (info.hash != NULL((void*)0))
1004 {
1005 if (strcasecmp (info.hash, "md5") == 0)
1006 {
1007 fprintf (stderrstderr,
1008 "Warning: MD5 is broken, and should not be used any more for digital signatures.\n");
1009 default_dig = GNUTLS_DIG_MD5;
1010 }
1011 else if (strcasecmp (info.hash, "sha1") == 0)
1012 default_dig = GNUTLS_DIG_SHA1;
1013 else if (strcasecmp (info.hash, "sha256") == 0)
1014 default_dig = GNUTLS_DIG_SHA256;
1015 else if (strcasecmp (info.hash, "sha224") == 0)
1016 default_dig = GNUTLS_DIG_SHA224;
1017 else if (strcasecmp (info.hash, "sha384") == 0)
1018 default_dig = GNUTLS_DIG_SHA384;
1019 else if (strcasecmp (info.hash, "sha512") == 0)
1020 default_dig = GNUTLS_DIG_SHA512;
1021 else if (strcasecmp (info.hash, "rmd160") == 0)
1022 default_dig = GNUTLS_DIG_RMD160;
1023 else
1024 error (EXIT_FAILURE1, 0, "invalid hash: %s", info.hash);
1025 }
1026
1027 batch = 0;
1028 if (info.template)
1029 {
1030 batch = 1;
1031 template_parse (info.template);
1032 }
1033
1034 gnutls_global_set_log_function (tls_log_func);
1035 gnutls_global_set_log_level (info.debug);
1036 if (info.debug > 1)
1037 printf ("Setting log level to %d\n", info.debug);
1038
1039 if ((ret = gnutls_global_init ()) < 0)
1040 error (EXIT_FAILURE1, 0, "global_init: %s", gnutls_strerror (ret));
1041
1042#ifdef ENABLE_PKCS111
1043 pkcs11_common();
1044#endif
1045
1046 memset (&cinfo, 0, sizeof (cinfo));
1047 cinfo.privkey = info.privkey;
1048 cinfo.pubkey = info.pubkey;
1049 cinfo.pkcs8 = info.pkcs8;
1050 cinfo.incert_format = info.incert_format;
1051 cinfo.cert = info.cert;
1052 cinfo.request = info.request;
1053 cinfo.ca = info.ca;
1054 cinfo.ca_privkey = info.ca_privkey;
1055 cinfo.bits = info.bits;
1056 cinfo.sec_param = info.sec_param;
1057
1058 switch (info.action)
1059 {
1060 case ACTION_SELF_SIGNED:
1061 generate_self_signed (&cinfo);
1062 break;
1063 case ACTION_GENERATE_PRIVKEY:
1064 generate_private_key ();
1065 break;
1066 case ACTION_CERT_INFO:
1067 certificate_info (0, &cinfo);
1068 break;
1069 case ACTION_DH_INFO:
1070 dh_info (&cinfo);
1071 break;
1072 case ACTION_CERT_PUBKEY:
1073 certificate_info (1, &cinfo);
1074 break;
1075 case ACTION_GENERATE_REQUEST:
1076 generate_request (&cinfo);
1077 break;
1078 case ACTION_GENERATE_CERTIFICATE:
1079 generate_signed_certificate (&cinfo);
1080 break;
1081 case ACTION_VERIFY_CHAIN:
1082 verify_chain ();
1083 break;
1084 case ACTION_VERIFY:
1085 verify_certificate (&cinfo);
1086 break;
1087 case ACTION_PRIVKEY_INFO:
1088 privkey_info ();
1089 break;
1090 case ACTION_PUBKEY_INFO:
1091 pubkey_info (NULL((void*)0), &cinfo);
1092 break;
1093 case ACTION_UPDATE_CERTIFICATE:
1094 update_signed_certificate (&cinfo);
1095 break;
1096 case ACTION_TO_PKCS12:
1097 generate_pkcs12 (&cinfo);
1098 break;
1099 case ACTION_PKCS12_INFO:
1100 pkcs12_info ();
1101 break;
1102 case ACTION_GENERATE_DH:
1103 generate_prime (1, &cinfo);
1104 break;
1105 case ACTION_GET_DH:
1106 generate_prime (0, &cinfo);
1107 break;
1108 case ACTION_CRL_INFO:
1109 crl_info ();
1110 break;
1111 case ACTION_P7_INFO:
1112 pkcs7_info ();
1113 break;
1114 case ACTION_GENERATE_CRL:
1115 generate_signed_crl (&cinfo);
1116 break;
1117 case ACTION_VERIFY_CRL:
1118 verify_crl (&cinfo);
1119 break;
1120 case ACTION_SMIME_TO_P7:
1121 smime_to_pkcs7 ();
1122 break;
1123 case ACTION_GENERATE_PROXY:
1124 generate_proxy_certificate (&cinfo);
1125 break;
1126 case ACTION_GENERATE_PKCS8:
1127 generate_pkcs8 (&cinfo);
1128 break;
1129#ifdef ENABLE_OPENPGP1
1130 case ACTION_PGP_INFO:
1131 pgp_certificate_info ();
1132 break;
1133 case ACTION_PGP_PRIVKEY_INFO:
1134 pgp_privkey_info ();
1135 break;
1136 case ACTION_RING_INFO:
1137 pgp_ring_info ();
1138 break;
1139#endif
1140 case ACTION_REQUEST:
1141 crq_info ();
1142 break;
1143 default:
1144 gaa_help ();
1145 exit (0);
1146 }
1147 fclose (outfile);
1148
1149#ifdef ENABLE_PKCS111
1150 gnutls_pkcs11_deinit ();
1151#endif
1152 gnutls_global_deinit ();
1153}
1154
1155#define MAX_CRTS500 500
1156void
1157certificate_info (int pubkey, common_info_st * cinfo)
1158{
1159 gnutls_x509_crt_t crt[MAX_CRTS500];
1160 size_t size;
1161 int ret, i, count;
1162 gnutls_datum_t pem;
1163 unsigned int crt_num;
1164
1165 pem.data = fread_file_gnutls_fread_file (infile, &size);
1166 pem.size = size;
1167
1168 crt_num = MAX_CRTS500;
1169 ret =
1170 gnutls_x509_crt_list_import (crt, &crt_num, &pem, info.incert_format,
1171 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
1172 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER-51)
1173 {
1174 error (0, 0, "too many certificates (%d); "
1175 "will only read the first %d", crt_num, MAX_CRTS500);
1176 crt_num = MAX_CRTS500;
1177 ret = gnutls_x509_crt_list_import (crt, &crt_num, &pem,
1178 info.incert_format, 0);
1179 }
1180 if (ret < 0)
1181 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1182
1183 free (pem.data);
1184
1185 count = ret;
1186
1187 if (count > 1 && info.outcert_format == GNUTLS_X509_FMT_DER)
1188 {
1189 error (0, 0, "cannot output multiple certificates in DER format; "
1190 "using PEM instead");
1191 info.outcert_format = GNUTLS_X509_FMT_PEM;
1192 }
1193
1194 for (i = 0; i < count; i++)
1195 {
1196 if (i > 0)
1197 fprintf (outfile, "\n");
1198
1199 if (info.outcert_format == GNUTLS_X509_FMT_PEM)
1200 print_certificate_info (crt[i], outfile, 1);
1201
1202 if (pubkey)
1203 pubkey_info (crt[i], cinfo);
1204 else
1205 {
1206 size = buffer_size;
1207 ret = gnutls_x509_crt_export (crt[i], info.outcert_format, buffer,
1208 &size);
1209 if (ret < 0)
1210 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
1211
1212 fwrite (buffer, 1, size, outfile);
1213 }
1214
1215 gnutls_x509_crt_deinit (crt[i]);
1216 }
1217}
1218
1219#ifdef ENABLE_OPENPGP1
1220
1221void
1222pgp_certificate_info (void)
1223{
1224 gnutls_openpgp_crt_t crt;
1225 size_t size;
1226 int ret;
1227 gnutls_datum_t pem, out_data;
1228 unsigned int verify_status;
1229
1230 pem.data = fread_file_gnutls_fread_file (infile, &size);
1231 pem.size = size;
1232
1233 ret = gnutls_openpgp_crt_init (&crt);
1234 if (ret < 0)
1235 error (EXIT_FAILURE1, 0, "openpgp_crt_init: %s", gnutls_strerror (ret));
1236
1237 ret = gnutls_openpgp_crt_import (crt, &pem, info.incert_format);
1238
1239 if (ret < 0)
1240 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1241
1242 free (pem.data);
1243
1244 if (info.outcert_format == GNUTLS_OPENPGP_FMT_BASE64)
1245 {
1246 ret = gnutls_openpgp_crt_print (crt, 0, &out_data);
1247
1248 if (ret == 0)
1249 {
1250 fprintf (outfile, "%s\n", out_data.data);
1251 gnutls_free (out_data.data);
1252 }
1253 }
1254
1255
1256 ret = gnutls_openpgp_crt_verify_self (crt, 0, &verify_status);
1257 if (ret < 0)
1258 {
1259 error (EXIT_FAILURE1, 0, "verify signature error: %s",
1260 gnutls_strerror (ret));
1261 }
1262
1263 if (verify_status & GNUTLS_CERT_INVALID)
1264 {
1265 fprintf (outfile, "Self Signature verification: failed\n\n");
1266 }
1267 else
1268 {
1269 fprintf (outfile, "Self Signature verification: ok (%x)\n\n",
1270 verify_status);
1271 }
1272
1273 size = buffer_size;
1274 ret = gnutls_openpgp_crt_export (crt, info.outcert_format, buffer, &size);
1275 if (ret < 0)
1276 {
1277 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
1278 fwrite (buffer, 1, size, outfile);
1279 }
1280
1281 fprintf (outfile, "%s\n", buffer);
1282 gnutls_openpgp_crt_deinit (crt);
1283}
1284
1285void
1286pgp_privkey_info (void)
1287{
1288 gnutls_openpgp_privkey_t key;
1289 unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE8];
1290 size_t size;
1291 int ret, i, subkeys, bits = 0;
1292 gnutls_datum_t pem;
1293 const char *cprint;
1294
1295 size = fread (buffer, 1, buffer_size - 1, infile);
1296 buffer[size] = 0;
1297
1298 gnutls_openpgp_privkey_init (&key);
1299
1300 pem.data = buffer;
1301 pem.size = size;
1302
1303 ret = gnutls_openpgp_privkey_import (key, &pem, info.incert_format,
1304 NULL((void*)0), 0);
1305
1306 if (ret < 0)
1307 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1308
1309 /* Public key algorithm
1310 */
1311 subkeys = gnutls_openpgp_privkey_get_subkey_count (key);
1312 if (subkeys < 0)
1313 error (EXIT_FAILURE1, 0, "privkey_get_subkey_count: %s",
1314 gnutls_strerror (subkeys));
1315
1316 for (i = -1; i < subkeys; i++)
1317 {
1318
1319 if (i != -1)
1320 fprintf (outfile, "Subkey[%d]:\n", i);
1321
1322 fprintf (outfile, "Public Key Info:\n");
1323
1324 if (i == -1)
1325 ret = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL((void*)0));
1326 else
1327 ret = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, i, NULL((void*)0));
1328
1329 fprintf (outfile, "\tPublic Key Algorithm: ");
1330 cprint = gnutls_pk_algorithm_get_name (ret);
1331 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1332 fprintf (outfile, "\tKey Security Level: %s\n",
1333 gnutls_sec_param_get_name (gnutls_openpgp_privkey_sec_param
1334 (key)));
1335
1336 /* Print the raw public and private keys
1337 */
1338
1339 if (ret == GNUTLS_PK_RSA)
1340 {
1341 gnutls_datum_t m, e, d, p, q, u;
1342
1343 if (i == -1)
1344 ret =
1345 gnutls_openpgp_privkey_export_rsa_raw (key, &m, &e, &d, &p,
1346 &q, &u);
1347 else
1348 ret =
1349 gnutls_openpgp_privkey_export_subkey_rsa_raw (key, i, &m,
1350 &e, &d, &p,
1351 &q, &u);
1352 if (ret < 0)
1353 fprintf (stderrstderr, "Error in key RSA data export: %s\n",
1354 gnutls_strerror (ret));
1355 else
1356 print_rsa_pkey (&m, &e, &d, &p, &q, &u, NULL((void*)0), NULL((void*)0));
1357
1358 bits = m.size * 8;
1359 }
1360 else if (ret == GNUTLS_PK_DSA)
1361 {
1362 gnutls_datum_t p, q, g, y, x;
1363
1364 if (i == -1)
1365 ret =
1366 gnutls_openpgp_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1367 else
1368 ret =
1369 gnutls_openpgp_privkey_export_subkey_dsa_raw (key, i, &p,
1370 &q, &g, &y, &x);
1371 if (ret < 0)
1372 fprintf (stderrstderr, "Error in key DSA data export: %s\n",
1373 gnutls_strerror (ret));
1374 else
1375 print_dsa_pkey (&x, &y, &p, &q, &g);
1376
1377 bits = y.size * 8;
1378 }
1379
1380 fprintf (outfile, "\n");
1381
1382 size = buffer_size;
1383 if (i == -1)
1384 ret = gnutls_openpgp_privkey_get_key_id (key, keyid);
1385 else
1386 ret = gnutls_openpgp_privkey_get_subkey_id (key, i, keyid);
1387
1388 if (ret < 0)
1389 {
1390 fprintf (stderrstderr, "Error in key id calculation: %s\n",
1391 gnutls_strerror (ret));
1392 }
1393 else
1394 {
1395 fprintf (outfile, "Public key ID: %s\n", raw_to_string (keyid, 8));
1396 }
1397
1398 size = buffer_size;
1399 if (i == -1)
1400 ret = gnutls_openpgp_privkey_get_fingerprint (key, buffer, &size);
1401 else
1402 ret = gnutls_openpgp_privkey_get_subkey_fingerprint (key, i, buffer, &size);
1403
1404 if (ret < 0)
1405 {
1406 fprintf (stderrstderr, "Error in fingerprint calculation: %s\n",
1407 gnutls_strerror (ret));
1408 }
1409 else
1410 {
1411 gnutls_datum_t art;
1412
1413 fprintf (outfile, "Fingerprint: %s\n", raw_to_string (buffer, size));
1414
1415 ret = gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint, bits, buffer, size, &art);
1416 if (ret >= 0)
1417 {
1418 fprintf (outfile, "Fingerprint's random art:\n%s\n\n", art.data);
1419 gnutls_free(art.data);
1420 }
1421 }
1422 }
1423
1424 size = buffer_size;
1425 ret = gnutls_openpgp_privkey_export (key, GNUTLS_OPENPGP_FMT_BASE64,
1426 NULL((void*)0), 0, buffer, &size);
1427 if (ret < 0)
1428 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
1429
1430 fprintf (outfile, "\n%s\n", buffer);
1431
1432 gnutls_openpgp_privkey_deinit (key);
1433}
1434
1435void
1436pgp_ring_info (void)
1437{
1438 gnutls_openpgp_keyring_t ring;
1439 gnutls_openpgp_crt_t crt;
1440 size_t size;
1441 int ret, i, count;
1442 gnutls_datum_t pem;
1443
1444 pem.data = fread_file_gnutls_fread_file (infile, &size);
1445 pem.size = size;
1446
1447 ret = gnutls_openpgp_keyring_init (&ring);
1448 if (ret < 0)
1449 error (EXIT_FAILURE1, 0, "openpgp_keyring_init: %s",
1450 gnutls_strerror (ret));
1451
1452 ret = gnutls_openpgp_keyring_import (ring, &pem, info.incert_format);
1453
1454 if (ret < 0)
1455 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1456
1457 free (pem.data);
1458
1459 count = gnutls_openpgp_keyring_get_crt_count (ring);
1460 if (count >= 0)
1461 fprintf (outfile, "Keyring contains %d OpenPGP certificates\n\n", count);
1462 else
1463 error (EXIT_FAILURE1, 0, "keyring error: %s", gnutls_strerror (count));
1464
1465 for (i = 0; i < count; i++)
1466 {
1467 ret = gnutls_openpgp_keyring_get_crt (ring, i, &crt);
1468 if (ret < 0)
1469 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
1470
1471 size = buffer_size;
1472 ret = gnutls_openpgp_crt_export (crt, info.outcert_format,
1473 buffer, &size);
1474 if (ret < 0)
1475 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
1476
1477 fwrite (buffer, 1, size, outfile);
1478 fprintf (outfile, "\n\n");
1479
1480 gnutls_openpgp_crt_deinit (crt);
1481
1482
1483 }
1484
1485 gnutls_openpgp_keyring_deinit (ring);
1486}
1487
1488
1489#endif
1490
1491static void
1492print_hex_datum (gnutls_datum_t * dat)
1493{
1494 unsigned int j;
1495#define SPACE"\t" "\t"
1496 fprintf (outfile, "\n" SPACE"\t");
1497 for (j = 0; j < dat->size; j++)
1498 {
1499 fprintf (outfile, "%.2x:", (unsigned char) dat->data[j]);
1500 if ((j + 1) % 15 == 0)
1501 fprintf (outfile, "\n" SPACE"\t");
1502 }
1503 fprintf (outfile, "\n");
1504}
1505
1506
1507static void
1508print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all)
1509{
1510 gnutls_datum_t cinfo;
1511 int ret;
1512
1513 if (all)
1514 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo);
1515 else
1516 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_UNSIGNED_FULL, &cinfo);
1517 if (ret == 0)
1518 {
1519 fprintf (out, "%s\n", cinfo.data);
1520 gnutls_free (cinfo.data);
1521 }
1522
1523 if (out == stderrstderr && batch == 0) /* interactive */
1524 if (read_yesno ("Is the above information ok? (y/N): ") == 0)
1525 {
1526 exit (1);
1527 }
1528}
1529
1530static void
1531print_crl_info (gnutls_x509_crl_t crl, FILE * out)
1532{
1533 gnutls_datum_t cinfo;
1534 int ret;
1535 size_t size;
1536
1537 ret = gnutls_x509_crl_print (crl, GNUTLS_CRT_PRINT_FULL, &cinfo);
1538 if (ret < 0)
1539 error (EXIT_FAILURE1, 0, "crl_print: %s", gnutls_strerror (ret));
1540
1541 fprintf (out, "%s\n", cinfo.data);
1542
1543 gnutls_free (cinfo.data);
1544
1545 size = buffer_size;
1546 ret = gnutls_x509_crl_export (crl, GNUTLS_X509_FMT_PEM, buffer, &size);
1547 if (ret < 0)
1548 error (EXIT_FAILURE1, 0, "crl_export: %s", gnutls_strerror (ret));
1549
1550 fwrite (buffer, 1, size, outfile);
1551}
1552
1553void
1554crl_info (void)
1555{
1556 gnutls_x509_crl_t crl;
1557 int ret;
1558 size_t size;
1559 gnutls_datum_t pem;
1560
1561 ret = gnutls_x509_crl_init (&crl);
1562 if (ret < 0)
1563 error (EXIT_FAILURE1, 0, "crl_init: %s", gnutls_strerror (ret));
1564
1565 pem.data = fread_file_gnutls_fread_file (infile, &size);
1566 pem.size = size;
1567
1568 if (!pem.data)
1569 error (EXIT_FAILURE1, errno(*__errno_location ()), "%s", info.infile ? info.infile :
1570 "standard input");
1571
1572 ret = gnutls_x509_crl_import (crl, &pem, info.incert_format);
1573
1574 free (pem.data);
1575 if (ret < 0)
1576 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1577
1578 print_crl_info (crl, outfile);
1579
1580 gnutls_x509_crl_deinit (crl);
1581}
1582
1583static void
1584print_crq_info (gnutls_x509_crq_t crq, FILE * out)
1585{
1586 gnutls_datum_t cinfo;
1587 int ret;
1588 size_t size;
1589
1590 if (info.outcert_format == GNUTLS_X509_FMT_PEM)
1591 {
1592 ret = gnutls_x509_crq_print (crq, GNUTLS_CRT_PRINT_FULL, &cinfo);
1593 if (ret < 0)
1594 error (EXIT_FAILURE1, 0, "crq_print: %s", gnutls_strerror (ret));
1595
1596 fprintf (out, "%s\n", cinfo.data);
1597
1598 gnutls_free (cinfo.data);
1599 }
1600
1601 ret = gnutls_x509_crq_verify(crq, 0);
1602 if (ret < 0)
1603 {
1604 fprintf(out, "Self signature: FAILED\n\n");
1605 }
1606 else
1607 {
1608 fprintf(out, "Self signature: verified\n\n");
1609 }
1610
1611 size = buffer_size;
1612 ret = gnutls_x509_crq_export (crq, info.outcert_format, buffer, &size);
1613 if (ret < 0)
1614 error (EXIT_FAILURE1, 0, "crq_export: %s", gnutls_strerror (ret));
1615
1616 fwrite (buffer, 1, size, outfile);
1617}
1618
1619void
1620crq_info (void)
1621{
1622 gnutls_x509_crq_t crq;
1623 int ret;
1624 size_t size;
1625 gnutls_datum_t pem;
1626
1627 ret = gnutls_x509_crq_init (&crq);
1628 if (ret < 0)
1629 error (EXIT_FAILURE1, 0, "crq_init: %s", gnutls_strerror (ret));
1630
1631 pem.data = fread_file_gnutls_fread_file (infile, &size);
1632 pem.size = size;
1633
1634 if (!pem.data)
1635 error (EXIT_FAILURE1, errno(*__errno_location ()), "%s", info.infile ? info.infile :
1636 "standard input");
1637
1638 ret = gnutls_x509_crq_import (crq, &pem, info.incert_format);
1639
1640 free (pem.data);
1641 if (ret < 0)
1642 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1643
1644 print_crq_info (crq, outfile);
1645
1646 gnutls_x509_crq_deinit (crq);
1647}
1648
1649static void privkey_info_int (gnutls_x509_privkey_t key)
1650{
1651int ret, key_type, bits = 0;
1652size_t size;
1653const char *cprint;
1654
1655 /* Public key algorithm
1656 */
1657 fprintf (outfile, "Public Key Info:\n");
1658 ret = gnutls_x509_privkey_get_pk_algorithm (key);
1659 fprintf (outfile, "\tPublic Key Algorithm: ");
1660
1661 key_type = ret;
1662
1663 cprint = gnutls_pk_algorithm_get_name (key_type);
1664 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1665 fprintf (outfile, "\tKey Security Level: %s\n\n",
1666 gnutls_sec_param_get_name (gnutls_x509_privkey_sec_param (key)));
1667
1668 /* Print the raw public and private keys
1669 */
1670 if (key_type == GNUTLS_PK_RSA)
1671 {
1672 gnutls_datum_t m, e, d, p, q, u, exp1, exp2;
1673
1674 ret =
1675 gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u,
1676 &exp1, &exp2);
1677 if (ret < 0)
1678 fprintf (stderrstderr, "Error in key RSA data export: %s\n",
1679 gnutls_strerror (ret));
1680 else
1681 {
1682 print_rsa_pkey (&m, &e, &d, &p, &q, &u, &exp1, &exp2);
1683 bits = m.size * 8;
1684
1685 gnutls_free (m.data);
1686 gnutls_free (e.data);
1687 gnutls_free (d.data);
1688 gnutls_free (p.data);
1689 gnutls_free (q.data);
1690 gnutls_free (u.data);
1691 gnutls_free (exp1.data);
1692 gnutls_free (exp2.data);
1693 }
1694 }
1695 else if (key_type == GNUTLS_PK_DSA)
1696 {
1697 gnutls_datum_t p, q, g, y, x;
1698
1699 ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1700 if (ret < 0)
1701 fprintf (stderrstderr, "Error in key DSA data export: %s\n",
1702 gnutls_strerror (ret));
1703 else
1704 {
1705 print_dsa_pkey (&x, &y, &p, &q, &g);
1706 bits = y.size * 8;
1707
1708 gnutls_free (x.data);
1709 gnutls_free (y.data);
1710 gnutls_free (p.data);
1711 gnutls_free (q.data);
1712 gnutls_free (g.data);
1713 }
1714 }
1715 else if (key_type == GNUTLS_PK_EC)
1716 {
1717 gnutls_datum_t y, x, k;
1718 gnutls_ecc_curve_t curve;
1719
1720 ret = gnutls_x509_privkey_export_ecc_raw (key, &curve, &x, &y, &k);
1721 if (ret < 0)
1722 fprintf (stderrstderr, "Error in key ECC data export: %s\n",
1723 gnutls_strerror (ret));
1724 else
1725 {
1726 print_ecc_pkey (curve, &k, &x, &y);
1727 bits = gnutls_ecc_curve_get_size(curve) * 8;
1728
1729 gnutls_free (x.data);
1730 gnutls_free (y.data);
1731 gnutls_free (k.data);
1732 }
1733 }
1734
1735 fprintf (outfile, "\n");
1736
1737 size = buffer_size;
1738 if ((ret = gnutls_x509_privkey_get_key_id (key, 0, buffer, &size)) < 0)
1739 {
1740 fprintf (stderrstderr, "Error in key id calculation: %s\n",
1741 gnutls_strerror (ret));
1742 }
1743 else
1744 {
1745 gnutls_datum_t art;
1746
1747 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
1748
1749 ret = gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint, bits, buffer, size, &art);
1750 if (ret >= 0)
1751 {
1752 fprintf (outfile, "Public key's random art:\n%s\n", art.data);
1753 gnutls_free(art.data);
1754 }
1755 }
1756 fprintf (outfile, "\n");
1757
1758}
1759
1760void
1761privkey_info (void)
1762{
1763 gnutls_x509_privkey_t key;
1764 size_t size;
1765 int ret;
1766 gnutls_datum_t pem;
1767 const char *pass;
1768
1769 size = fread (buffer, 1, buffer_size - 1, infile);
1770 buffer[size] = 0;
1771
1772 gnutls_x509_privkey_init (&key);
1773
1774 pem.data = buffer;
1775 pem.size = size;
1776
1777 ret = 0;
1778 if (!info.pkcs8)
1779 ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);
1780
1781 /* If we failed to import the certificate previously try PKCS #8 */
1782 if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR-207)
1783 {
1784 if (info.pass)
1785 pass = info.pass;
1786 else
1787 pass = get_pass ();
1788 ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
1789 info.incert_format, pass, 0);
1790 }
1791 if (ret < 0)
1792 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
1793
1794 if (info.outcert_format == GNUTLS_X509_FMT_PEM)
1795 privkey_info_int (key);
1796
1797 ret = gnutls_x509_privkey_verify_params (key);
1798 if (ret < 0)
1799 fprintf (outfile, "\n** Private key parameters validation failed **\n\n");
1800
1801 if (info.fix_key != 0)
1802 {
1803 ret = gnutls_x509_privkey_fix (key);
1804 if (ret < 0)
1805 error (EXIT_FAILURE1, 0, "privkey_fix: %s", gnutls_strerror (ret));
1806 }
1807
1808 size = buffer_size;
1809 ret = gnutls_x509_privkey_export (key, info.outcert_format, buffer, &size);
1810 if (ret < 0)
1811 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
1812
1813 fwrite (buffer, 1, size, outfile);
1814
1815 gnutls_x509_privkey_deinit (key);
1816}
1817
1818
1819/* Generate a PKCS #10 certificate request.
1820 */
1821void
1822generate_request (common_info_st * cinfo)
1823{
1824 gnutls_x509_crq_t crq;
1825 gnutls_x509_privkey_t xkey;
1826 gnutls_pubkey_t pubkey;
1827 gnutls_privkey_t pkey;
1828 int ret, ca_status, path_len;
1829 const char *pass;
1830 unsigned int usage = 0;
1831
1832 fprintf (stderrstderr, "Generating a PKCS #10 certificate request...\n");
1833
1834 ret = gnutls_x509_crq_init (&crq);
1835 if (ret < 0)
1836 error (EXIT_FAILURE1, 0, "crq_init: %s", gnutls_strerror (ret));
1837
1838
1839 /* Load the private key.
1840 */
1841 pkey = load_private_key (0, cinfo);
1842 if (!pkey)
1843 {
1844 ret = gnutls_privkey_init (&pkey);
1845 if (ret < 0)
1846 error (EXIT_FAILURE1, 0, "privkey_init: %s", gnutls_strerror (ret));
1847
1848 xkey = generate_private_key_int ();
1849
1850 print_private_key (xkey);
1851
1852 ret = gnutls_privkey_import_x509(pkey, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE(1<<0));
1853 if (ret < 0)
1854 error (EXIT_FAILURE1, 0, "privkey_import_x509: %s", gnutls_strerror (ret));
1855 }
1856
1857 pubkey = load_public_key_or_import (1, pkey, cinfo);
1858
1859 /* Set the DN.
1860 */
1861 get_country_crq_set (crq);
1862 get_organization_crq_set (crq);
1863 get_unit_crq_set (crq);
1864 get_locality_crq_set (crq);
1865 get_state_crq_set (crq);
1866 get_cn_crq_set (crq);
1867 get_uid_crq_set (crq);
1868 get_oid_crq_set (crq);
1869
1870 get_dns_name_set (TYPE_CRQ2, crq);
1871 get_ip_addr_set (TYPE_CRQ2, crq);
1872 get_email_set (TYPE_CRQ2, crq);
1873
1874 pass = get_challenge_pass ();
1875
1876 if (pass != NULL((void*)0) && pass[0] != 0)
1877 {
1878 ret = gnutls_x509_crq_set_challenge_password (crq, pass);
1879 if (ret < 0)
1880 error (EXIT_FAILURE1, 0, "set_pass: %s", gnutls_strerror (ret));
1881 }
1882
1883 if (info.crq_extensions != 0)
1884 {
1885 ca_status = get_ca_status ();
1886 if (ca_status)
1887 path_len = get_path_len ();
1888 else
1889 path_len = -1;
1890
1891 ret = gnutls_x509_crq_set_basic_constraints (crq, ca_status, path_len);
1892 if (ret < 0)
1893 error (EXIT_FAILURE1, 0, "set_basic_constraints: %s",
1894 gnutls_strerror (ret));
1895
1896 ret = get_sign_status (1);
1897 if (ret)
1898 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE128;
1899
1900 ret = get_encrypt_status (1);
1901 if (ret)
1902 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT32;
1903 else
1904 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE128;
1905
1906 if (ca_status)
1907 {
1908 ret = get_cert_sign_status ();
1909 if (ret)
1910 usage |= GNUTLS_KEY_KEY_CERT_SIGN4;
1911
1912 ret = get_crl_sign_status ();
1913 if (ret)
1914 usage |= GNUTLS_KEY_CRL_SIGN2;
1915
1916 ret = get_code_sign_status ();
1917 if (ret)
1918 {
1919 ret = gnutls_x509_crq_set_key_purpose_oid
1920 (crq, GNUTLS_KP_CODE_SIGNING"1.3.6.1.5.5.7.3.3", 0);
1921 if (ret < 0)
1922 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (ret));
1923 }
1924
1925 ret = get_ocsp_sign_status ();
1926 if (ret)
1927 {
1928 ret = gnutls_x509_crq_set_key_purpose_oid
1929 (crq, GNUTLS_KP_OCSP_SIGNING"1.3.6.1.5.5.7.3.9", 0);
1930 if (ret < 0)
1931 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (ret));
1932 }
1933
1934 ret = get_time_stamp_status ();
1935 if (ret)
1936 {
1937 ret = gnutls_x509_crq_set_key_purpose_oid
1938 (crq, GNUTLS_KP_TIME_STAMPING"1.3.6.1.5.5.7.3.8", 0);
1939 if (ret < 0)
1940 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (ret));
1941 }
1942
1943 ret = get_ipsec_ike_status ();
1944 if (ret)
1945 {
1946 ret = gnutls_x509_crq_set_key_purpose_oid
1947 (crq, GNUTLS_KP_IPSEC_IKE"1.3.6.1.5.5.7.3.17", 0);
1948 if (ret < 0)
1949 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (ret));
1950 }
1951 }
1952
1953 ret = gnutls_x509_crq_set_key_usage (crq, usage);
1954 if (ret < 0)
1955 error (EXIT_FAILURE1, 0, "key_usage: %s", gnutls_strerror (ret));
1956
1957 ret = get_tls_client_status ();
1958 if (ret != 0)
1959 {
1960 ret = gnutls_x509_crq_set_key_purpose_oid
1961 (crq, GNUTLS_KP_TLS_WWW_CLIENT"1.3.6.1.5.5.7.3.2", 0);
1962 if (ret < 0)
1963 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (ret));
1964 }
1965
1966 ret = get_tls_server_status ();
1967 if (ret != 0)
1968 {
1969 ret = gnutls_x509_crq_set_key_purpose_oid
1970 (crq, GNUTLS_KP_TLS_WWW_SERVER"1.3.6.1.5.5.7.3.1", 0);
1971 if (ret < 0)
1972 error (EXIT_FAILURE1, 0, "key_kp: %s", gnutls_strerror (ret));
1973 }
1974 }
1975
1976 ret = gnutls_x509_crq_set_pubkey (crq, pubkey);
1977 if (ret < 0)
1978 error (EXIT_FAILURE1, 0, "set_key: %s", gnutls_strerror (ret));
1979
1980 ret = gnutls_x509_crq_privkey_sign (crq, pkey, SIGN_HASHGNUTLS_DIG_SHA256, 0);
1981 if (ret < 0)
1982 error (EXIT_FAILURE1, 0, "sign: %s", gnutls_strerror (ret));
1983
1984 print_crq_info (crq, outfile);
1985
1986 gnutls_x509_crq_deinit (crq);
1987 gnutls_privkey_deinit( pkey);
1988 gnutls_pubkey_deinit( pubkey);
1989
1990}
1991
1992static void print_verification_res (FILE* outfile, unsigned int output);
1993
1994static int detailed_verification(gnutls_x509_crt_t cert,
1995 gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
1996 unsigned int verification_output)
1997{
1998 char name[512];
1999 char tmp[255];
2000 char issuer_name[512];
2001 size_t name_size;
2002 size_t issuer_name_size;
2003 int ret;
2004
2005 issuer_name_size = sizeof (issuer_name);
2006 ret =
2007 gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
2008 if (ret < 0)
2009 error (EXIT_FAILURE1, 0, "gnutls_x509_crt_get_issuer_dn: %s", gnutls_strerror (ret));
2010
2011 name_size = sizeof (name);
2012 ret =
2013 gnutls_x509_crt_get_dn (cert, name, &name_size);
2014 if (ret < 0)
2015 error (EXIT_FAILURE1, 0, "gnutls_x509_crt_get_dn: %s", gnutls_strerror (ret));
2016
2017 fprintf (outfile, "\tSubject: %s\n", name);
2018 fprintf (outfile, "\tIssuer: %s\n", issuer_name);
2019
2020 if (issuer != NULL((void*)0))
2021 {
2022 issuer_name_size = sizeof (issuer_name);
2023 ret =
2024 gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size);
2025 if (ret < 0)
2026 error (EXIT_FAILURE1, 0, "gnutls_x509_crt_get_issuer_dn: %s", gnutls_strerror (ret));
2027
2028 fprintf (outfile, "\tChecked against: %s\n", issuer_name);
2029 }
2030
2031 if (crl != NULL((void*)0))
2032 {
2033 gnutls_datum_t data;
2034
2035 issuer_name_size = sizeof (issuer_name);
2036 ret =
2037 gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size);
2038 if (ret < 0)
2039 error (EXIT_FAILURE1, 0, "gnutls_x509_crl_get_issuer_dn: %s", gnutls_strerror (ret));
2040
2041 name_size = sizeof(tmp);
2042 ret = gnutls_x509_crl_get_number(crl, tmp, &name_size, NULL((void*)0));
2043 if (ret < 0)
2044 strcpy(name, "unnumbered");
2045 else
2046 {
2047 data.data = tmp;
2048 data.size = name_size;
2049
2050 name_size = sizeof(name);
2051 ret = gnutls_hex_encode(&data, name, &name_size);
2052 if (ret < 0)
2053 error (EXIT_FAILURE1, 0, "gnutls_hex_encode: %s", gnutls_strerror (ret));
2054 }
2055 fprintf (outfile, "\tChecked against CRL[%s] of: %s\n", name, issuer_name);
2056 }
2057
2058 fprintf (outfile, "\tOutput: ");
2059 print_verification_res(outfile, verification_output);
2060
2061 fputs(".\n\n", outfile);
2062
2063 return 0;
2064}
2065
2066/* Will verify a certificate chain. If no CA certificates
2067 * are provided, then the last certificate in the certificate
2068 * chain is used as a CA.
2069 */
2070static int
2071_verify_x509_mem (const void *cert, int cert_size, const void* ca, int ca_size)
2072{
2073 int ret;
2074 gnutls_datum_t tmp;
2075 gnutls_x509_crt_t *x509_cert_list = NULL((void*)0);
2076 gnutls_x509_crt_t *x509_ca_list = NULL((void*)0);
2077 gnutls_x509_crl_t *x509_crl_list = NULL((void*)0);
2078 unsigned int x509_ncerts, x509_ncrls = 0, x509_ncas = 0;
2079 gnutls_x509_trust_list_t list;
2080 unsigned int output;
2081
2082 ret = gnutls_x509_trust_list_init(&list, 0);
2083 if (ret < 0)
2084 error (EXIT_FAILURE1, 0, "gnutls_x509_trust_list_init: %s",
2085 gnutls_strerror (ret));
2086
2087 if (ca == NULL((void*)0))
2088 {
2089 tmp.data = (void*)cert;
2090 tmp.size = cert_size;
2091 }
2092 else
2093 {
2094 tmp.data = (void*)ca;
2095 tmp.size = ca_size;
2096
2097 /* Load CAs */
2098 ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, &tmp,
2099 GNUTLS_X509_FMT_PEM, 0);
2100 if (ret < 0 || x509_ncas < 1)
2101 error (EXIT_FAILURE1, 0, "error parsing CAs: %s",
2102 gnutls_strerror (ret));
2103 }
2104
2105 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
2106 GNUTLS_X509_FMT_PEM, 0);
2107 if (ret < 0)
2108 {
2109 x509_crl_list = NULL((void*)0);
2110 x509_ncrls = 0;
2111 }
2112
2113 tmp.data = (void*)cert;
2114 tmp.size = cert_size;
2115
2116 /* ignore errors. CRLs might not be given */
2117 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
2118 GNUTLS_X509_FMT_PEM, 0);
2119 if (ret < 0 || x509_ncerts < 1)
2120 error (EXIT_FAILURE1, 0, "error parsing CRTs: %s",
2121 gnutls_strerror (ret));
2122
2123 if (ca == NULL((void*)0))
2124 {
2125 x509_ca_list = &x509_cert_list[x509_ncerts - 1];
2126 x509_ncas = 1;
2127 }
2128
2129 fprintf(stdoutstdout, "Loaded %d certificates, %d CAs and %d CRLs\n\n",
2130 x509_ncerts, x509_ncas, x509_ncrls);
2131
2132 ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, 0);
2133 if (ret < 0)
2134 error (EXIT_FAILURE1, 0, "gnutls_x509_trust_add_cas: %s",
2135 gnutls_strerror (ret));
2136
2137 ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, 0, 0);
2138 if (ret < 0)
2139 error (EXIT_FAILURE1, 0, "gnutls_x509_trust_add_crls: %s",
2140 gnutls_strerror (ret));
2141
2142 gnutls_free(x509_crl_list);
2143
2144 ret = gnutls_x509_trust_list_verify_crt (list, x509_cert_list, x509_ncerts,
2145 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output,
2146 detailed_verification);
2147 if (ret < 0)
2148 error (EXIT_FAILURE1, 0, "gnutls_x509_trusted_list_verify_crt: %s",
2149 gnutls_strerror (ret));
2150
2151 fprintf (outfile, "Chain verification output: ");
2152 print_verification_res(outfile, output);
2153
2154 fprintf (outfile, ".\n\n");
2155
2156 gnutls_free(x509_cert_list);
2157 gnutls_x509_trust_list_deinit(list, 1);
2158
2159 if (output != 0)
2160 exit(EXIT_FAILURE1);
2161
2162 return 0;
2163}
2164
2165static void
2166print_verification_res (FILE* outfile, unsigned int output)
2167{
2168 int comma = 0;
2169
2170 if (output & GNUTLS_CERT_INVALID)
2171 {
2172 fprintf (outfile, "Not verified");
2173 comma = 1;
2174 }
2175 else
2176 {
2177 fprintf (outfile, "Verified");
2178 comma = 1;
2179 }
2180
2181 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
2182 {
2183 if (comma)
2184 fprintf (outfile, ", ");
2185 fprintf (outfile, "Issuer is not a CA");
2186 comma = 1;
2187 }
2188
2189 if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
2190 {
2191 if (comma)
2192 fprintf (outfile, ", ");
2193 fprintf (outfile, "Insecure algorithm");
2194 comma = 1;
2195 }
2196
2197 if (output & GNUTLS_CERT_NOT_ACTIVATED)
2198 {
2199 if (comma)
2200 fprintf (outfile, ", ");
2201 fprintf (outfile, "Not activated");
2202 comma = 1;
2203 }
2204
2205 if (output & GNUTLS_CERT_EXPIRED)
2206 {
2207 if (comma)
2208 fprintf (outfile, ", ");
2209 fprintf (outfile, "Expired");
2210 comma = 1;
2211 }
2212
2213 if (output & GNUTLS_CERT_REVOKED)
2214 {
2215 if (comma)
2216 fprintf (outfile, ", ");
2217 fprintf (outfile, "Revoked");
2218 comma = 1;
2219 }
2220}
2221
2222static void
2223verify_chain (void)
2224{
2225 char *buf;
2226 size_t size;
2227
2228 buf = fread_file_gnutls_fread_file (infile, &size);
2229 if (buf == NULL((void*)0))
2230 error (EXIT_FAILURE1, errno(*__errno_location ()), "reading chain");
2231
2232 buf[size] = 0;
2233
2234 _verify_x509_mem (buf, size, NULL((void*)0), 0);
2235
2236}
2237
2238static void
2239verify_certificate (common_info_st * cinfo)
2240{
2241 char *cert;
2242 char *cas;
2243 size_t cert_size, ca_size;
2244 FILE * ca_file = fopen(cinfo->ca, "r");
2245
2246 if (ca_file == NULL((void*)0))
2247 error (EXIT_FAILURE1, errno(*__errno_location ()), "opening CA file");
2248
2249 cert = fread_file_gnutls_fread_file (infile, &cert_size);
2250 if (cert == NULL((void*)0))
2251 error (EXIT_FAILURE1, errno(*__errno_location ()), "reading certificate chain");
2252
2253 cert[cert_size] = 0;
2254
2255 cas = fread_file_gnutls_fread_file (ca_file, &ca_size);
2256 if (cas == NULL((void*)0))
2257 error (EXIT_FAILURE1, errno(*__errno_location ()), "reading CA list");
2258
2259 cas[ca_size] = 0;
2260 fclose(ca_file);
2261
2262 _verify_x509_mem (cert, cert_size, cas, ca_size);
2263
2264
2265}
2266
2267void
2268verify_crl (common_info_st * cinfo)
2269{
2270 size_t size, dn_size;
2271 char dn[128];
2272 unsigned int output;
2273 int comma = 0;
2274 int ret;
2275 gnutls_datum_t pem;
2276 gnutls_x509_crl_t crl;
2277 time_t now = time (0);
2278 gnutls_x509_crt_t issuer;
2279
2280 issuer = load_ca_cert (cinfo);
2281
2282 fprintf (outfile, "\nCA certificate:\n");
2283
2284 dn_size = sizeof (dn);
2285 ret = gnutls_x509_crt_get_dn (issuer, dn, &dn_size);
2286 if (ret < 0)
2287 error (EXIT_FAILURE1, 0, "crt_get_dn: %s", gnutls_strerror (ret));
2288
2289 fprintf (outfile, "\tSubject: %s\n\n", dn);
2290
2291 ret = gnutls_x509_crl_init (&crl);
2292 if (ret < 0)
2293 error (EXIT_FAILURE1, 0, "crl_init: %s", gnutls_strerror (ret));
2294
2295 pem.data = fread_file_gnutls_fread_file (infile, &size);
2296 pem.size = size;
2297
2298 ret = gnutls_x509_crl_import (crl, &pem, info.incert_format);
2299 free (pem.data);
2300 if (ret < 0)
2301 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (ret));
2302
2303 print_crl_info (crl, outfile);
2304
2305 fprintf (outfile, "Verification output: ");
2306 ret = gnutls_x509_crl_verify (crl, &issuer, 1, 0, &output);
2307 if (ret < 0)
2308 error (EXIT_FAILURE1, 0, "verification error: %s", gnutls_strerror (ret));
2309
2310 if (output & GNUTLS_CERT_INVALID)
2311 {
2312 fprintf (outfile, "Not verified");
2313 comma = 1;
2314 }
2315 else
2316 {
2317 fprintf (outfile, "Verified");
2318 comma = 1;
2319 }
2320
2321 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
2322 {
2323 if (comma)
2324 fprintf (outfile, ", ");
2325 fprintf (outfile, "Issuer is not a CA");
2326 comma = 1;
2327 }
2328
2329 if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
2330 {
2331 if (comma)
2332 fprintf (outfile, ", ");
2333 fprintf (outfile, "Insecure algorithm");
2334 comma = 1;
2335 }
2336
2337 /* Check expiration dates.
2338 */
2339
2340 if (gnutls_x509_crl_get_this_update (crl) > now)
2341 {
2342 if (comma)
2343 fprintf (outfile, ", ");
2344 comma = 1;
2345 fprintf (outfile, "Issued in the future!");
2346 }
2347
2348 if (gnutls_x509_crl_get_next_update (crl) < now)
2349 {
2350 if (comma)
2351 fprintf (outfile, ", ");
2352 comma = 1;
Value stored to 'comma' is never read
2353 fprintf (outfile, "CRL is not up to date");
2354 }
2355
2356 fprintf (outfile, "\n");
2357}
2358
2359
2360void
2361generate_pkcs8 (common_info_st * cinfo)
2362{
2363 gnutls_x509_privkey_t key;
2364 int result;
2365 size_t size;
2366 int flags = 0;
2367 const char *password;
2368
2369 fprintf (stderrstderr, "Generating a PKCS #8 key structure...\n");
2370
2371 key = load_x509_private_key (1, cinfo);
2372
2373 if (info.pass)
2374 password = info.pass;
2375 else
2376 password = get_pass ();
2377
2378 if (info.export)
2379 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
2380 else
2381 flags = cipher_to_flags (info.pkcs_cipher);
2382
2383 if (password == NULL((void*)0) || password[0] == 0)
2384 {
2385 flags = GNUTLS_PKCS_PLAIN;
2386 }
2387
2388 size = buffer_size;
2389 result =
2390 gnutls_x509_privkey_export_pkcs8 (key, info.outcert_format,
2391 password, flags, buffer, &size);
2392
2393 if (result < 0)
2394 error (EXIT_FAILURE1, 0, "key_export: %s", gnutls_strerror (result));
2395
2396 fwrite (buffer, 1, size, outfile);
2397
2398}
2399
2400
2401#include <gnutls/pkcs12.h>
2402#include <unistd.h>
2403
2404void
2405generate_pkcs12 (common_info_st * cinfo)
2406{
2407 gnutls_pkcs12_t pkcs12;
2408 gnutls_x509_crt_t *crts;
2409 gnutls_x509_privkey_t key;
2410 int result;
2411 size_t size;
2412 gnutls_datum_t data;
2413 const char *pass;
2414 const char *name;
2415 unsigned int flags, i;
2416 gnutls_datum_t key_id;
2417 unsigned char _key_id[32];
2418 int indx;
2419 size_t ncrts;
2420
2421 fprintf (stderrstderr, "Generating a PKCS #12 structure...\n");
2422
2423 key = load_x509_private_key (0, cinfo);
2424 crts = load_cert_list (0, &ncrts, cinfo);
2425
2426 name = get_pkcs12_key_name ();
2427
2428 result = gnutls_pkcs12_init (&pkcs12);
2429 if (result < 0)
2430 error (EXIT_FAILURE1, 0, "pkcs12_init: %s", gnutls_strerror (result));
2431
2432 if (info.pass)
2433 pass = info.pass;
2434 else
2435 pass = get_pass ();
2436
2437 if (pass == NULL((void*)0))
2438 {
2439 fprintf(stderrstderr, "No password given for PKCS #12. Assuming null password...\n");
2440 pass = "";
2441 }
2442
2443
2444 for (i = 0; i < ncrts; i++)
2445 {
2446 gnutls_pkcs12_bag_t bag;
2447
2448 result = gnutls_pkcs12_bag_init (&bag);
2449 if (result < 0)
2450 error (EXIT_FAILURE1, 0, "bag_init: %s", gnutls_strerror (result));
2451
2452 result = gnutls_pkcs12_bag_set_crt (bag, crts[i]);
2453 if (result < 0)
2454 error (EXIT_FAILURE1, 0, "set_crt[%d]: %s", i,
2455 gnutls_strerror (result));
2456
2457 indx = result;
2458
2459 result = gnutls_pkcs12_bag_set_friendly_name (bag, indx, name);
2460 if (result < 0)
2461 error (EXIT_FAILURE1, 0, "bag_set_friendly_name: %s",
2462 gnutls_strerror (result));
2463
2464 size = sizeof (_key_id);
2465 result = gnutls_x509_crt_get_key_id (crts[i], 0, _key_id, &size);
2466 if (result < 0)
2467 error (EXIT_FAILURE1, 0, "key_id[%d]: %s", i,
2468 gnutls_strerror (result));
2469
2470 key_id.data = _key_id;
2471 key_id.size = size;
2472
2473 result = gnutls_pkcs12_bag_set_key_id (bag, indx, &key_id);
2474 if (result < 0)
2475 error (EXIT_FAILURE1, 0, "bag_set_key_id: %s",
2476 gnutls_strerror (result));
2477
2478 if (info.export)
2479 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
2480 else
2481 flags = cipher_to_flags (info.pkcs_cipher);
2482
2483 result = gnutls_pkcs12_bag_encrypt (bag, pass, flags);
2484 if (result < 0)
2485 error (EXIT_FAILURE1, 0, "bag_encrypt: %s", gnutls_strerror (result));
2486
2487 result = gnutls_pkcs12_set_bag (pkcs12, bag);
2488 if (result < 0)
2489 error (EXIT_FAILURE1, 0, "set_bag: %s", gnutls_strerror (result));
2490 }
2491
2492 if (key)
2493 {
2494 gnutls_pkcs12_bag_t kbag;
2495
2496 result = gnutls_pkcs12_bag_init (&kbag);
2497 if (result < 0)
2498 error (EXIT_FAILURE1, 0, "bag_init: %s", gnutls_strerror (result));
2499
2500 if (info.export)
2501 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
2502 else
2503 flags = cipher_to_flags (info.pkcs_cipher);
2504
2505 size = buffer_size;
2506 result =
2507 gnutls_x509_privkey_export_pkcs8 (key, GNUTLS_X509_FMT_DER,
2508 pass, flags, buffer, &size);
2509 if (result < 0)
2510 error (EXIT_FAILURE1, 0, "key_export: %s", gnutls_strerror (result));
2511
2512 data.data = buffer;
2513 data.size = size;
2514 result =
2515 gnutls_pkcs12_bag_set_data (kbag,
2516 GNUTLS_BAG_PKCS8_ENCRYPTED_KEY, &data);
2517 if (result < 0)
2518 error (EXIT_FAILURE1, 0, "bag_set_data: %s", gnutls_strerror (result));
2519
2520 indx = result;
2521
2522 result = gnutls_pkcs12_bag_set_friendly_name (kbag, indx, name);
2523 if (result < 0)
2524 error (EXIT_FAILURE1, 0, "bag_set_friendly_name: %s",
2525 gnutls_strerror (result));
2526
2527 size = sizeof (_key_id);
2528 result = gnutls_x509_privkey_get_key_id (key, 0, _key_id, &size);
2529 if (result < 0)
2530 error (EXIT_FAILURE1, 0, "key_id: %s", gnutls_strerror (result));
2531
2532 key_id.data = _key_id;
2533 key_id.size = size;
2534
2535 result = gnutls_pkcs12_bag_set_key_id (kbag, indx, &key_id);
2536 if (result < 0)
2537 error (EXIT_FAILURE1, 0, "bag_set_key_id: %s",
2538 gnutls_strerror (result));
2539
2540 result = gnutls_pkcs12_set_bag (pkcs12, kbag);
2541 if (result < 0)
2542 error (EXIT_FAILURE1, 0, "set_bag: %s", gnutls_strerror (result));
2543 }
2544
2545 result = gnutls_pkcs12_generate_mac (pkcs12, pass);
2546 if (result < 0)
2547 error (EXIT_FAILURE1, 0, "generate_mac: %s", gnutls_strerror (result));
2548
2549 size = buffer_size;
2550 result = gnutls_pkcs12_export (pkcs12, info.outcert_format, buffer, &size);
2551 if (result < 0)
2552 error (EXIT_FAILURE1, 0, "pkcs12_export: %s", gnutls_strerror (result));
2553
2554 fwrite (buffer, 1, size, outfile);
2555
2556}
2557
2558static const char *
2559BAGTYPE (gnutls_pkcs12_bag_type_t x)
2560{
2561 switch (x)
2562 {
2563 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2564 return "PKCS #8 Encrypted key";
2565 case GNUTLS_BAG_EMPTY:
2566 return "Empty";
2567 case GNUTLS_BAG_PKCS8_KEY:
2568 return "PKCS #8 Key";
2569 case GNUTLS_BAG_CERTIFICATE:
2570 return "Certificate";
2571 case GNUTLS_BAG_ENCRYPTED:
2572 return "Encrypted";
2573 case GNUTLS_BAG_CRL:
2574 return "CRL";
2575 case GNUTLS_BAG_SECRET:
2576 return "Secret";
2577 default:
2578 return "Unknown";
2579 }
2580}
2581
2582static void
2583print_bag_data (gnutls_pkcs12_bag_t bag)
2584{
2585 int result;
2586 int count, i, type;
2587 gnutls_datum_t cdata, id;
2588 const char *str, *name;
2589 gnutls_datum_t out;
2590
2591 count = gnutls_pkcs12_bag_get_count (bag);
2592 if (count < 0)
2593 error (EXIT_FAILURE1, 0, "get_count: %s", gnutls_strerror (count));
2594
2595 fprintf (outfile, "\tElements: %d\n", count);
2596
2597 for (i = 0; i < count; i++)
2598 {
2599 type = gnutls_pkcs12_bag_get_type (bag, i);
2600 if (type < 0)
2601 error (EXIT_FAILURE1, 0, "get_type: %s", gnutls_strerror (type));
2602
2603 fprintf (stderrstderr, "\tType: %s\n", BAGTYPE (type));
2604
2605 name = NULL((void*)0);
2606 result = gnutls_pkcs12_bag_get_friendly_name (bag, i, (char **) &name);
2607 if (result < 0)
2608 error (EXIT_FAILURE1, 0, "get_friendly_name: %s",
2609 gnutls_strerror (type));
2610 if (name)
2611 fprintf (outfile, "\tFriendly name: %s\n", name);
2612
2613 id.data = NULL((void*)0);
2614 id.size = 0;
2615 result = gnutls_pkcs12_bag_get_key_id (bag, i, &id);
2616 if (result < 0)
2617 error (EXIT_FAILURE1, 0, "get_key_id: %s", gnutls_strerror (type));
2618 fprintf (outfile, "\tKey ID: %s\n", raw_to_string (id.data, id.size));
2619
2620 result = gnutls_pkcs12_bag_get_data (bag, i, &cdata);
2621 if (result < 0)
2622 error (EXIT_FAILURE1, 0, "get_data: %s", gnutls_strerror (result));
2623
2624 switch (type)
2625 {
2626 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2627 str = "ENCRYPTED PRIVATE KEY";
2628 break;
2629 case GNUTLS_BAG_PKCS8_KEY:
2630 str = "PRIVATE KEY";
2631 break;
2632 case GNUTLS_BAG_CERTIFICATE:
2633 str = "CERTIFICATE";
2634 break;
2635 case GNUTLS_BAG_CRL:
2636 str = "CRL";
2637 break;
2638 case GNUTLS_BAG_ENCRYPTED:
2639 case GNUTLS_BAG_EMPTY:
2640 default:
2641 str = NULL((void*)0);
2642 }
2643
2644 if (str != NULL((void*)0))
2645 {
2646 gnutls_pem_base64_encode_alloc (str, &cdata, &out);
2647 fprintf (outfile, "%s\n", out.data);
2648
2649 gnutls_free (out.data);
2650 }
2651
2652 }
2653}
2654
2655void
2656pkcs12_info (void)
2657{
2658 gnutls_pkcs12_t pkcs12;
2659 gnutls_pkcs12_bag_t bag;
2660 int result;
2661 size_t size;
2662 gnutls_datum_t data;
2663 const char *pass;
2664 int indx;
2665
2666 result = gnutls_pkcs12_init (&pkcs12);
2667 if (result < 0)
2668 error (EXIT_FAILURE1, 0, "p12_init: %s", gnutls_strerror (result));
2669
2670 data.data = fread_file_gnutls_fread_file (infile, &size);
2671 data.size = size;
2672
2673 result = gnutls_pkcs12_import (pkcs12, &data, info.incert_format, 0);
2674 free (data.data);
2675 if (result < 0)
2676 error (EXIT_FAILURE1, 0, "p12_import: %s", gnutls_strerror (result));
2677
2678 if (info.pass)
2679 pass = info.pass;
2680 else
2681 pass = get_pass ();
2682
2683 result = gnutls_pkcs12_verify_mac (pkcs12, pass);
2684 if (result < 0)
2685 error (0, 0, "verify_mac: %s", gnutls_strerror (result));
2686
2687 for (indx = 0;; indx++)
2688 {
2689 result = gnutls_pkcs12_bag_init (&bag);
2690 if (result < 0)
2691 error (EXIT_FAILURE1, 0, "bag_init: %s", gnutls_strerror (result));
2692
2693 result = gnutls_pkcs12_get_bag (pkcs12, indx, bag);
2694 if (result < 0)
2695 break;
2696
2697 result = gnutls_pkcs12_bag_get_count (bag);
2698 if (result < 0)
2699 error (EXIT_FAILURE1, 0, "bag_count: %s", gnutls_strerror (result));
2700
2701 fprintf (outfile, "BAG #%d\n", indx);
2702
2703 result = gnutls_pkcs12_bag_get_type (bag, 0);
2704 if (result < 0)
2705 error (EXIT_FAILURE1, 0, "bag_init: %s", gnutls_strerror (result));
2706
2707 if (result == GNUTLS_BAG_ENCRYPTED)
2708 {
2709 fprintf (stderrstderr, "\tType: %s\n", BAGTYPE (result));
2710 fprintf (stderrstderr, "\n\tDecrypting...\n");
2711
2712 result = gnutls_pkcs12_bag_decrypt (bag, pass);
2713
2714 if (result < 0)
2715 {
2716 error (0, 0, "bag_decrypt: %s", gnutls_strerror (result));
2717 continue;
2718 }
2719
2720 result = gnutls_pkcs12_bag_get_count (bag);
2721 if (result < 0)
2722 error (EXIT_FAILURE1, 0, "encrypted bag_count: %s",
2723 gnutls_strerror (result));
2724 }
2725
2726 print_bag_data (bag);
2727
2728 gnutls_pkcs12_bag_deinit (bag);
2729 }
2730}
2731
2732void
2733pkcs7_info (void)
2734{
2735 gnutls_pkcs7_t pkcs7;
2736 int result;
2737 size_t size;
2738 gnutls_datum_t data, b64;
2739 int indx, count;
2740
2741 result = gnutls_pkcs7_init (&pkcs7);
2742 if (result < 0)
2743 error (EXIT_FAILURE1, 0, "p7_init: %s", gnutls_strerror (result));
2744
2745 data.data = fread_file_gnutls_fread_file (infile, &size);
2746 data.size = size;
2747
2748 result = gnutls_pkcs7_import (pkcs7, &data, info.incert_format);
2749 free (data.data);
2750 if (result < 0)
2751 error (EXIT_FAILURE1, 0, "import error: %s", gnutls_strerror (result));
2752
2753 /* Read and print the certificates.
2754 */
2755 result = gnutls_pkcs7_get_crt_count (pkcs7);
2756 if (result < 0)
2757 error (EXIT_FAILURE1, 0, "p7_crt_count: %s", gnutls_strerror (result));
2758
2759 count = result;
2760
2761 if (count > 0)
2762 fprintf (outfile, "Number of certificates: %u\n", count);
2763
2764 for (indx = 0; indx < count; indx++)
2765 {
2766 fputs ("\n", outfile);
2767
2768 size = buffer_size;
2769 result = gnutls_pkcs7_get_crt_raw (pkcs7, indx, buffer, &size);
2770 if (result < 0)
2771 break;
2772
2773 data.data = buffer;
2774 data.size = size;
2775
2776 result = gnutls_pem_base64_encode_alloc ("CERTIFICATE", &data, &b64);
2777 if (result < 0)
2778 error (EXIT_FAILURE1, 0, "encoding: %s", gnutls_strerror (result));
2779
2780 fputs (b64.data, outfile);
2781 gnutls_free (b64.data);
2782 }
2783
2784 /* Read the CRLs now.
2785 */
2786 result = gnutls_pkcs7_get_crl_count (pkcs7);
2787 if (result < 0)
2788 error (EXIT_FAILURE1, 0, "p7_crl_count: %s", gnutls_strerror (result));
2789
2790 count = result;
2791
2792 if (count > 0)
2793 fprintf (outfile, "\nNumber of CRLs: %u\n", count);
2794
2795 for (indx = 0; indx < count; indx++)
2796 {
2797 fputs ("\n", outfile);
2798
2799 size = buffer_size;
2800 result = gnutls_pkcs7_get_crl_raw (pkcs7, indx, buffer, &size);
2801 if (result < 0)
2802 break;
2803
2804 data.data = buffer;
2805 data.size = size;
2806
2807 result = gnutls_pem_base64_encode_alloc ("X509 CRL", &data, &b64);
2808 if (result < 0)
2809 error (EXIT_FAILURE1, 0, "encoding: %s", gnutls_strerror (result));
2810
2811 fputs (b64.data, outfile);
2812 gnutls_free (b64.data);
2813 }
2814}
2815
2816void
2817smime_to_pkcs7 (void)
2818{
2819 size_t linesize = 0;
2820 char *lineptr = NULL((void*)0);
2821 ssize_t len;
2822
2823 /* Find body. FIXME: Handle non-b64 Content-Transfer-Encoding.
2824 Reject non-S/MIME tagged Content-Type's? */
2825 do
2826 {
2827 len = getline (&lineptr, &linesize, infile);
2828 if (len == -1)
2829 error (EXIT_FAILURE1, 0, "cannot find RFC 2822 header/body separator");
2830 }
2831 while (strcmp (lineptr, "\r\n") != 0 && strcmp (lineptr, "\n") != 0);
2832
2833 do
2834 {
2835 len = getline (&lineptr, &linesize, infile);
2836 if (len == -1)
2837 error (EXIT_FAILURE1, 0, "message has RFC 2822 header but no body");
2838 }
2839 while (strcmp (lineptr, "\r\n") == 0 && strcmp (lineptr, "\n") == 0);
2840
2841 fprintf (outfile, "%s", "-----BEGIN PKCS7-----\n");
2842
2843 do
2844 {
2845 while (len > 0
2846 && (lineptr[len - 1] == '\r' || lineptr[len - 1] == '\n'))
2847 lineptr[--len] = '\0';
2848 if (strcmp (lineptr, "") != 0)
2849 fprintf (outfile, "%s\n", lineptr);
2850 len = getline (&lineptr, &linesize, infile);
2851 }
2852 while (len != -1);
2853
2854 fprintf (outfile, "%s", "-----END PKCS7-----\n");
2855
2856 free (lineptr);
2857}
2858
2859void
2860certtool_version (void)
2861{
2862 const char *p = PACKAGE_NAME"GnuTLS";
2863 if (strcmp (gnutls_check_version (NULL((void*)0)), PACKAGE_VERSION"3.0.12") != 0)
2864 p = PACKAGE_STRING"GnuTLS 3.0.12";
2865 version_etc (stdoutstdout, program_name, p, gnutls_check_version (NULL((void*)0)),
2866 "Nikos Mavrogiannopoulos", "Simon Josefsson", (char *) NULL((void*)0));
2867}
2868
2869static void
2870print_key_usage (FILE * outfile, unsigned int usage)
2871{
2872 if (usage & GNUTLS_KEY_DIGITAL_SIGNATURE128)
2873 {
2874 fprintf (outfile, "\tDigital signature.\n");
2875 }
2876
2877 if (usage & GNUTLS_KEY_NON_REPUDIATION64)
2878 {
2879 fprintf (outfile, "\tNon repudiation.\n");
2880 }
2881
2882 if (usage & GNUTLS_KEY_KEY_ENCIPHERMENT32)
2883 {
2884 fprintf (outfile, "\tKey encipherment.\n");
2885 }
2886
2887 if (usage & GNUTLS_KEY_DATA_ENCIPHERMENT16)
2888 {
2889 fprintf (outfile, "\tData encipherment.\n");
2890 }
2891
2892 if (usage & GNUTLS_KEY_KEY_AGREEMENT8)
2893 {
2894 fprintf (outfile, "\tKey agreement.\n");
2895 }
2896
2897 if (usage & GNUTLS_KEY_KEY_CERT_SIGN4)
2898 {
2899 fprintf (outfile, "\tCertificate signing.\n");
2900 }
2901
2902 if (usage & GNUTLS_KEY_NON_REPUDIATION64)
2903 {
2904 fprintf (outfile, "\tCRL signing.\n");
2905 }
2906
2907 if (usage & GNUTLS_KEY_ENCIPHER_ONLY1)
2908 {
2909 fprintf (outfile, "\tKey encipher only.\n");
2910 }
2911
2912 if (usage & GNUTLS_KEY_DECIPHER_ONLY32768)
2913 {
2914 fprintf (outfile, "\tKey decipher only.\n");
2915 }
2916}
2917
2918void
2919pubkey_info (gnutls_x509_crt_t crt, common_info_st * cinfo)
2920{
2921 gnutls_pubkey_t pubkey;
2922 unsigned int bits, usage;
2923 int ret;
2924 size_t size;
2925 const char *cprint;
2926
2927 ret = gnutls_pubkey_init (&pubkey);
2928 if (ret < 0)
2929 {
2930 error (EXIT_FAILURE1, 0, "pubkey_init: %s", gnutls_strerror (ret));
2931 }
2932
2933 if (crt == NULL((void*)0))
2934 {
2935 crt = load_cert (0, cinfo);
2936 }
2937
2938 if (crt != NULL((void*)0))
2939 {
2940 ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
2941 if (ret < 0)
2942 {
2943 error (EXIT_FAILURE1, 0, "pubkey_import_x509: %s",
2944 gnutls_strerror (ret));
2945 }
2946 }
2947 else
2948 {
2949 pubkey = load_pubkey (1, cinfo);
2950 }
2951
2952 if (info.outcert_format == GNUTLS_X509_FMT_DER)
2953 {
2954 size = buffer_size;
2955 ret = gnutls_pubkey_export (pubkey, info.outcert_format, buffer, &size);
2956 if (ret < 0)
2957 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
2958
2959 fwrite (buffer, 1, size, outfile);
2960
2961 gnutls_pubkey_deinit (pubkey);
2962
2963 return;
2964 }
2965
2966 /* PEM */
2967
2968 fprintf (outfile, "Public Key Info:\n\n");
2969 ret = gnutls_pubkey_get_pk_algorithm (pubkey, &bits);
2970 fprintf (outfile, "Public Key Algorithm: ");
2971
2972 cprint = gnutls_pk_algorithm_get_name (ret);
2973 fprintf (outfile, "%s (%u bits)\n", cprint ? cprint : "Unknown", bits);
2974
2975
2976 /* Print the raw public and private keys
2977 */
2978 if (ret == GNUTLS_PK_RSA)
2979 {
2980 gnutls_datum_t m, e;
2981
2982 ret = gnutls_pubkey_get_pk_rsa_raw (pubkey, &m, &e);
2983 if (ret < 0)
2984 fprintf (stderrstderr, "Error in key RSA data export: %s\n",
2985 gnutls_strerror (ret));
2986 else
2987 {
2988 print_rsa_pkey (&m, &e, NULL((void*)0), NULL((void*)0), NULL((void*)0), NULL((void*)0), NULL((void*)0), NULL((void*)0));
2989 gnutls_free (m.data);
2990 gnutls_free (e.data);
2991 }
2992 }
2993 else if (ret == GNUTLS_PK_DSA)
2994 {
2995 gnutls_datum_t p, q, g, y;
2996
2997 ret = gnutls_pubkey_get_pk_dsa_raw (pubkey, &p, &q, &g, &y);
2998 if (ret < 0)
2999 fprintf (stderrstderr, "Error in key DSA data export: %s\n",
3000 gnutls_strerror (ret));
3001 else
3002 {
3003 print_dsa_pkey (NULL((void*)0), &y, &p, &q, &g);
3004 gnutls_free (y.data);
3005 gnutls_free (p.data);
3006 gnutls_free (q.data);
3007 gnutls_free (g.data);
3008 }
3009 }
3010 else if (ret == GNUTLS_PK_EC)
3011 {
3012 gnutls_datum_t x, y;
3013 gnutls_ecc_curve_t curve;
3014
3015 ret = gnutls_pubkey_get_pk_ecc_raw (pubkey, &curve, &x, &y);
3016 if (ret < 0)
3017 fprintf (stderrstderr, "Error in key ECC data export: %s\n",
3018 gnutls_strerror (ret));
3019 else
3020 {
3021 print_ecc_pkey (curve, NULL((void*)0), &y, &x);
3022 gnutls_free (y.data);
3023 gnutls_free (x.data);
3024 }
3025 }
3026
3027 ret = gnutls_pubkey_get_key_usage (pubkey, &usage);
3028 if (ret < 0)
3029 {
3030 error (EXIT_FAILURE1, 0, "pubkey_get_key_usage: %s",
3031 gnutls_strerror (ret));
3032 }
3033
3034 fprintf (outfile, "Public Key Usage:\n");
3035 print_key_usage (outfile, usage);
3036
3037 fprintf (outfile, "\n");
3038
3039 size = buffer_size;
3040 if ((ret = gnutls_pubkey_get_key_id (pubkey, 0, buffer, &size)) < 0)
3041 {
3042 fprintf (stderrstderr, "Error in key id calculation: %s\n",
3043 gnutls_strerror (ret));
3044 }
3045 else
3046 {
3047 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
3048 }
3049
3050 size = buffer_size;
3051 ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_PEM, buffer, &size);
3052 if (ret < 0)
3053 error (EXIT_FAILURE1, 0, "export error: %s", gnutls_strerror (ret));
3054
3055 fprintf (outfile, "\n%s\n", buffer);
3056
3057 gnutls_pubkey_deinit (pubkey);
3058}