search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bumped version
[gnutls.git] / src / certtool.c
blobab9c7bae2f0a7d7bdb2bab2fff4fea07d1785602
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22
23 #include <gnutls/gnutls.h>
24 #include <gnutls/x509.h>
25 #include <gnutls/openpgp.h>
26 #include <gnutls/pkcs12.h>
27 #include <gnutls/pkcs11.h>
28 #include <gnutls/abstract.h>
29 #include <gnutls/crypto.h>
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <ctype.h>
35 #include <time.h>
36 #include <unistd.h>
37 #include <errno.h>
38 #include <sys/types.h>
39 #include <sys/stat.h>
40 #include <fcntl.h>
41 #include <error.h>
42
43 /* Gnulib portability files. */
44 #include <read-file.h>
45 #include <progname.h>
46 #include <version-etc.h>
47
48 #include <certtool-cfg.h>
49 #include <common.h>
50 #include "certtool-args.h"
51 #include "certtool-common.h"
52
53 static void privkey_info_int (common_info_st*, gnutls_x509_privkey_t key);
54 static void print_crl_info (gnutls_x509_crl_t crl, FILE * out);
55 void pkcs7_info (void);
56 void crq_info (void);
57 void smime_to_pkcs7 (void);
58 void pkcs12_info (common_info_st*);
59 void generate_pkcs12 (common_info_st *);
60 void generate_pkcs8 (common_info_st *);
61 static void verify_chain (void);
62 void verify_crl (common_info_st * cinfo);
63 void pubkey_info (gnutls_x509_crt_t crt, common_info_st *);
64 void pgp_privkey_info (void);
65 void pgp_ring_info (void);
66 void certificate_info (int, common_info_st *);
67 void pgp_certificate_info (void);
68 void crl_info (void);
69 void privkey_info (common_info_st*);
70 static void cmd_parser (int argc, char **argv);
71 void generate_self_signed (common_info_st *);
72 void generate_request (common_info_st *);
73 static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
74 unsigned int all);
75 static void verify_certificate (common_info_st * cinfo);
76
77 FILE *outfile;
78 FILE *infile;
79 static gnutls_digest_algorithm_t default_dig;
80 static unsigned int incert_format, outcert_format;
81 static unsigned int req_key_type;
82 gnutls_certificate_print_formats_t full_format = GNUTLS_CRT_PRINT_FULL;
83
84 /* non interactive operation if set
85 */
86 int batch;
87
88
89 static void
90 tls_log_func (int level, const char *str)
91 {
92 fprintf (stderr, "|<%d>| %s", level, str);
93 }
94
95 int
96 main (int argc, char **argv)
97 {
98 set_program_name (argv[0]);
99 cfg_init ();
100 cmd_parser (argc, argv);
101
102 return 0;
103 }
104
105 static gnutls_x509_privkey_t
106 generate_private_key_int (common_info_st * cinfo)
107 {
108 gnutls_x509_privkey_t key;
109 int ret, key_type, bits;
110
111 key_type = req_key_type;
112
113 ret = gnutls_x509_privkey_init (&key);
114 if (ret < 0)
115 error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
116
117 bits = get_bits (key_type, cinfo->bits, cinfo->sec_param, 1);
118
119 fprintf (stderr, "Generating a %d bit %s private key...\n",
120 bits, gnutls_pk_algorithm_get_name (key_type));
121
122 if (bits > 1024 && key_type == GNUTLS_PK_DSA)
123 fprintf (stderr,
124 "Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");
125
126 ret = gnutls_x509_privkey_generate (key, key_type, bits, 0);
127 if (ret < 0)
128 error (EXIT_FAILURE, 0, "privkey_generate: %s", gnutls_strerror (ret));
129
130 ret = gnutls_x509_privkey_verify_params (key);
131 if (ret < 0)
132 error (EXIT_FAILURE, 0, "privkey_verify_params: %s", gnutls_strerror (ret));
133
134 return key;
135 }
136
137 static int
138 cipher_to_flags (const char *cipher)
139 {
140 if (cipher == NULL)
141 {
142 return GNUTLS_PKCS_USE_PBES2_AES_128;
143 }
144 else if (strcasecmp (cipher, "3des") == 0)
145 {
146 return GNUTLS_PKCS_USE_PBES2_3DES;
147 }
148 else if (strcasecmp (cipher, "3des-pkcs12") == 0)
149 {
150 return GNUTLS_PKCS_USE_PKCS12_3DES;
151 }
152 else if (strcasecmp (cipher, "arcfour") == 0)
153 {
154 return GNUTLS_PKCS_USE_PKCS12_ARCFOUR;
155 }
156 else if (strcasecmp (cipher, "aes-128") == 0)
157 {
158 return GNUTLS_PKCS_USE_PBES2_AES_128;
159 }
160 else if (strcasecmp (cipher, "aes-192") == 0)
161 {
162 return GNUTLS_PKCS_USE_PBES2_AES_192;
163 }
164 else if (strcasecmp (cipher, "aes-256") == 0)
165 {
166 return GNUTLS_PKCS_USE_PBES2_AES_256;
167 }
168 else if (strcasecmp (cipher, "rc2-40") == 0)
169 {
170 return GNUTLS_PKCS_USE_PKCS12_RC2_40;
171 }
172
173 error (EXIT_FAILURE, 0, "unknown cipher %s\n", cipher);
174 return -1;
175 }
176
177
178 static void
179 print_private_key (common_info_st* cinfo, gnutls_x509_privkey_t key)
180 {
181 int ret;
182 size_t size;
183
184 if (!key)
185 return;
186
187 if (outcert_format == GNUTLS_X509_FMT_PEM)
188 privkey_info_int(cinfo, key);
189
190 if (!cinfo->pkcs8)
191 {
192 size = buffer_size;
193 ret = gnutls_x509_privkey_export (key, outcert_format,
194 buffer, &size);
195 if (ret < 0)
196 error (EXIT_FAILURE, 0, "privkey_export: %s", gnutls_strerror (ret));
197 }
198 else
199 {
200 unsigned int flags = 0;
201 const char *pass;
202
203 pass = get_password(cinfo, &flags, 0);
204 flags |= cipher_to_flags (cinfo->pkcs_cipher);
205
206 size = buffer_size;
207 ret =
208 gnutls_x509_privkey_export_pkcs8 (key, outcert_format, pass,
209 flags, buffer, &size);
210 if (ret < 0)
211 error (EXIT_FAILURE, 0, "privkey_export_pkcs8: %s",
212 gnutls_strerror (ret));
213 }
214
215 fwrite (buffer, 1, size, outfile);
216 }
217
218 static void
219 generate_private_key (common_info_st* cinfo)
220 {
221 gnutls_x509_privkey_t key;
222
223 key = generate_private_key_int (cinfo);
224
225 print_private_key (cinfo, key);
226
227 gnutls_x509_privkey_deinit (key);
228 }
229
230
231 static gnutls_x509_crt_t
232 generate_certificate (gnutls_privkey_t * ret_key,
233 gnutls_x509_crt_t ca_crt, int proxy,
234 common_info_st * cinfo)
235 {
236 gnutls_x509_crt_t crt;
237 gnutls_privkey_t key = NULL;
238 gnutls_pubkey_t pubkey;
239 size_t size;
240 int ret;
241 int client;
242 int days, result, ca_status = 0, is_ike = 0, path_len;
243 int vers;
244 unsigned int usage = 0, server;
245 gnutls_x509_crq_t crq; /* request */
246
247 ret = gnutls_x509_crt_init (&crt);
248 if (ret < 0)
249 error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
250
251 crq = load_request (cinfo);
252
253 if (crq == NULL)
254 {
255
256 key = load_private_key (0, cinfo);
257
258 pubkey = load_public_key_or_import (1, key, cinfo);
259
260 if (!batch)
261 fprintf (stderr,
262 "Please enter the details of the certificate's distinguished name. "
263 "Just press enter to ignore a field.\n");
264
265 /* set the DN.
266 */
267 if (proxy)
268 {
269 result = gnutls_x509_crt_set_proxy_dn (crt, ca_crt, 0, NULL, 0);
270 if (result < 0)
271 error (EXIT_FAILURE, 0, "set_proxy_dn: %s",
272 gnutls_strerror (result));
273
274 get_cn_crt_set (crt);
275 }
276 else
277 {
278 get_country_crt_set (crt);
279 get_organization_crt_set (crt);
280 get_unit_crt_set (crt);
281 get_locality_crt_set (crt);
282 get_state_crt_set (crt);
283 get_cn_crt_set (crt);
284 get_dc_set (TYPE_CRT, crt);
285 get_uid_crt_set (crt);
286 get_oid_crt_set (crt);
287 get_key_purpose_set (crt);
288
289 if (!batch)
290 fprintf (stderr,
291 "This field should not be used in new certificates.\n");
292
293 get_pkcs9_email_crt_set (crt);
294 }
295
296 result = gnutls_x509_crt_set_pubkey (crt, pubkey);
297 if (result < 0)
298 error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (result));
299 }
300 else
301 {
302 result = gnutls_x509_crt_set_crq (crt, crq);
303 if (result < 0)
304 error (EXIT_FAILURE, 0, "set_crq: %s", gnutls_strerror (result));
305 }
306
307
308 {
309 int serial = get_serial ();
310 char bin_serial[5];
311
312 bin_serial[4] = serial & 0xff;
313 bin_serial[3] = (serial >> 8) & 0xff;
314 bin_serial[2] = (serial >> 16) & 0xff;
315 bin_serial[1] = (serial >> 24) & 0xff;
316 bin_serial[0] = 0;
317
318 result = gnutls_x509_crt_set_serial (crt, bin_serial, 5);
319 if (result < 0)
320 error (EXIT_FAILURE, 0, "serial: %s", gnutls_strerror (result));
321 }
322
323 if (!batch)
324 fprintf (stderr, "\n\nActivation/Expiration time.\n");
325
326 gnutls_x509_crt_set_activation_time (crt, time (NULL));
327
328 days = get_days ();
329
330 result =
331 gnutls_x509_crt_set_expiration_time (crt,
332 time (NULL) + ((time_t) days) * 24 * 60 * 60);
333 if (result < 0)
334 error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
335
336 if (!batch)
337 fprintf (stderr, "\n\nExtensions.\n");
338
339 /* do not allow extensions on a v1 certificate */
340 if (crq && get_crq_extensions_status () != 0)
341 {
342 result = gnutls_x509_crt_set_crq_extensions (crt, crq);
343 if (result < 0)
344 error (EXIT_FAILURE, 0, "set_crq: %s", gnutls_strerror (result));
345 }
346
347 /* append additional extensions */
348 if (cinfo->v1_cert == 0)
349 {
350
351 if (proxy)
352 {
353 const char *policylanguage;
354 char *policy;
355 size_t policylen;
356 int proxypathlen = get_path_len ();
357
358 if (!batch)
359 {
360 printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
361 printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
362 }
363
364 policylanguage = get_proxy_policy (&policy, &policylen);
365
366 result =
367 gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage,
368 policy, policylen);
369 if (result < 0)
370 error (EXIT_FAILURE, 0, "set_proxy: %s",
371 gnutls_strerror (result));
372 }
373
374 if (!proxy)
375 ca_status = get_ca_status ();
376 if (ca_status)
377 path_len = get_path_len ();
378 else
379 path_len = -1;
380
381 result =
382 gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len);
383 if (result < 0)
384 error (EXIT_FAILURE, 0, "basic_constraints: %s",
385 gnutls_strerror (result));
386
387 client = get_tls_client_status ();
388 if (client != 0)
389 {
390 result = gnutls_x509_crt_set_key_purpose_oid (crt,
391 GNUTLS_KP_TLS_WWW_CLIENT,
392 0);
393 if (result < 0)
394 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
395 }
396
397 is_ike = get_ipsec_ike_status ();
398 server = get_tls_server_status ();
399
400 get_dns_name_set (TYPE_CRT, crt);
401 get_uri_set (TYPE_CRT, crt);
402 get_ip_addr_set (TYPE_CRT, crt);
403 get_policy_set (crt);
404
405 if (server != 0)
406 {
407 result = 0;
408
409 result =
410 gnutls_x509_crt_set_key_purpose_oid (crt,
411 GNUTLS_KP_TLS_WWW_SERVER, 0);
412 if (result < 0)
413 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
414 }
415 else if (!proxy)
416 {
417 get_email_set (TYPE_CRT, crt);
418 }
419
420 if (!ca_status || server)
421 {
422 int pk;
423
424
425 pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
426
427 if (pk == GNUTLS_PK_RSA)
428 { /* DSA and ECDSA keys can only sign. */
429 result = get_sign_status (server);
430 if (result)
431 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
432
433 result = get_encrypt_status (server);
434 if (result)
435 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
436 }
437 else
438 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
439
440 if (is_ike)
441 {
442 result =
443 gnutls_x509_crt_set_key_purpose_oid (crt,
444 GNUTLS_KP_IPSEC_IKE, 0);
445 if (result < 0)
446 error (EXIT_FAILURE, 0, "key_kp: %s",
447 gnutls_strerror (result));
448 }
449 }
450
451
452 if (ca_status)
453 {
454 result = get_cert_sign_status ();
455 if (result)
456 usage |= GNUTLS_KEY_KEY_CERT_SIGN;
457
458 result = get_crl_sign_status ();
459 if (result)
460 usage |= GNUTLS_KEY_CRL_SIGN;
461
462 result = get_code_sign_status ();
463 if (result)
464 {
465 result =
466 gnutls_x509_crt_set_key_purpose_oid (crt,
467 GNUTLS_KP_CODE_SIGNING,
468 0);
469 if (result < 0)
470 error (EXIT_FAILURE, 0, "key_kp: %s",
471 gnutls_strerror (result));
472 }
473
474 result = get_ocsp_sign_status ();
475 if (result)
476 {
477 result =
478 gnutls_x509_crt_set_key_purpose_oid (crt,
479 GNUTLS_KP_OCSP_SIGNING,
480 0);
481 if (result < 0)
482 error (EXIT_FAILURE, 0, "key_kp: %s",
483 gnutls_strerror (result));
484 }
485
486 result = get_time_stamp_status ();
487 if (result)
488 {
489 result =
490 gnutls_x509_crt_set_key_purpose_oid (crt,
491 GNUTLS_KP_TIME_STAMPING,
492 0);
493 if (result < 0)
494 error (EXIT_FAILURE, 0, "key_kp: %s",
495 gnutls_strerror (result));
496 }
497 }
498 get_ocsp_issuer_set(crt);
499 get_ca_issuers_set(crt);
500
501 if (usage != 0)
502 {
503 /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
504 set, then either digitalSignature or the nonRepudiation bits in the
505 KeyUsage extension MUST for all IKE certs */
506 if (is_ike && (get_sign_status (server) != 1))
507 usage |= GNUTLS_KEY_NON_REPUDIATION;
508 result = gnutls_x509_crt_set_key_usage (crt, usage);
509 if (result < 0)
510 error (EXIT_FAILURE, 0, "key_usage: %s",
511 gnutls_strerror (result));
512 }
513
514 /* Subject Key ID.
515 */
516 size = buffer_size;
517 result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size);
518 if (result >= 0)
519 {
520 result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size);
521 if (result < 0)
522 error (EXIT_FAILURE, 0, "set_subject_key_id: %s",
523 gnutls_strerror (result));
524 }
525
526 /* Authority Key ID.
527 */
528 if (ca_crt != NULL)
529 {
530 size = buffer_size;
531 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
532 &size, NULL);
533 if (result < 0)
534 {
535 size = buffer_size;
536 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
537 }
538 if (result >= 0)
539 {
540 result =
541 gnutls_x509_crt_set_authority_key_id (crt, buffer, size);
542 if (result < 0)
543 error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
544 gnutls_strerror (result));
545 }
546 }
547 }
548
549 /* Version.
550 */
551 if (cinfo->v1_cert != 0)
552 vers = 1;
553 else
554 vers = 3;
555 result = gnutls_x509_crt_set_version (crt, vers);
556 if (result < 0)
557 error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
558
559 *ret_key = key;
560 return crt;
561
562 }
563
564 static gnutls_x509_crl_t
565 generate_crl (gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
566 {
567 gnutls_x509_crl_t crl;
568 gnutls_x509_crt_t *crts;
569 size_t size;
570 int days, result;
571 unsigned int i;
572 time_t now = time (NULL);
573
574 result = gnutls_x509_crl_init (&crl);
575 if (result < 0)
576 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (result));
577
578 crts = load_cert_list (0, &size, cinfo);
579
580 for (i = 0; i < size; i++)
581 {
582 result = gnutls_x509_crl_set_crt (crl, crts[i], now);
583 if (result < 0)
584 error (EXIT_FAILURE, 0, "crl_set_crt: %s", gnutls_strerror (result));
585 }
586
587 result = gnutls_x509_crl_set_this_update (crl, now);
588 if (result < 0)
589 error (EXIT_FAILURE, 0, "this_update: %s", gnutls_strerror (result));
590
591 fprintf (stderr, "Update times.\n");
592 days = get_crl_next_update ();
593
594 result = gnutls_x509_crl_set_next_update (crl, now + days * 24 * 60 * 60);
595 if (result < 0)
596 error (EXIT_FAILURE, 0, "next_update: %s", gnutls_strerror (result));
597
598 result = gnutls_x509_crl_set_version (crl, 2);
599 if (result < 0)
600 error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
601
602 /* Authority Key ID.
603 */
604 if (ca_crt != NULL)
605 {
606 size = buffer_size;
607 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
608 &size, NULL);
609 if (result < 0)
610 {
611 size = buffer_size;
612 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
613 }
614 if (result >= 0)
615 {
616 result = gnutls_x509_crl_set_authority_key_id (crl, buffer, size);
617 if (result < 0)
618 error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
619 gnutls_strerror (result));
620 }
621 }
622
623 {
624 unsigned int number = get_crl_number ();
625 char bin_number[5];
626
627 bin_number[4] = number & 0xff;
628 bin_number[3] = (number >> 8) & 0xff;
629 bin_number[2] = (number >> 16) & 0xff;
630 bin_number[1] = (number >> 24) & 0xff;
631 bin_number[0] = 0;
632
633 result = gnutls_x509_crl_set_number (crl, bin_number, 5);
634 if (result < 0)
635 error (EXIT_FAILURE, 0, "set_number: %s", gnutls_strerror (result));
636 }
637
638 return crl;
639 }
640
641 static gnutls_digest_algorithm_t
642 get_dig_for_pub (gnutls_pubkey_t pubkey)
643 {
644 gnutls_digest_algorithm_t dig;
645 int result;
646 unsigned int mand;
647
648 result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand);
649 if (result < 0)
650 {
651 error (EXIT_FAILURE, 0, "crt_get_preferred_hash_algorithm: %s",
652 gnutls_strerror (result));
653 }
654
655 /* if algorithm allows alternatives */
656 if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN)
657 dig = default_dig;
658
659 return dig;
660 }
661
662 static gnutls_digest_algorithm_t
663 get_dig (gnutls_x509_crt_t crt)
664 {
665 gnutls_digest_algorithm_t dig;
666 gnutls_pubkey_t pubkey;
667 int result;
668
669 gnutls_pubkey_init(&pubkey);
670
671 result = gnutls_pubkey_import_x509(pubkey, crt, 0);
672 if (result < 0)
673 {
674 error (EXIT_FAILURE, 0, "gnutls_pubkey_import_x509: %s",
675 gnutls_strerror (result));
676 }
677
678 dig = get_dig_for_pub (pubkey);
679
680 gnutls_pubkey_deinit(pubkey);
681
682 return dig;
683 }
684
685 void
686 generate_self_signed (common_info_st * cinfo)
687 {
688 gnutls_x509_crt_t crt;
689 gnutls_privkey_t key;
690 size_t size;
691 int result;
692 const char *uri;
693
694 fprintf (stderr, "Generating a self signed certificate...\n");
695
696 crt = generate_certificate (&key, NULL, 0, cinfo);
697
698 if (!key)
699 key = load_private_key (1, cinfo);
700
701 uri = get_crl_dist_point_url ();
702 if (uri)
703 {
704 result = gnutls_x509_crt_set_crl_dist_points (crt, GNUTLS_SAN_URI,
705 uri,
706 0 /* all reasons */ );
707 if (result < 0)
708 error (EXIT_FAILURE, 0, "crl_dist_points: %s",
709 gnutls_strerror (result));
710 }
711
712 print_certificate_info (crt, stderr, 0);
713
714 fprintf (stderr, "\n\nSigning certificate...\n");
715
716 result = gnutls_x509_crt_privkey_sign (crt, crt, key, get_dig (crt), 0);
717 if (result < 0)
718 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
719
720 size = buffer_size;
721 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
722 if (result < 0)
723 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
724
725 fwrite (buffer, 1, size, outfile);
726
727 gnutls_x509_crt_deinit (crt);
728 gnutls_privkey_deinit (key);
729 }
730
731 static void
732 generate_signed_certificate (common_info_st * cinfo)
733 {
734 gnutls_x509_crt_t crt;
735 gnutls_privkey_t key;
736 size_t size;
737 int result;
738 gnutls_privkey_t ca_key;
739 gnutls_x509_crt_t ca_crt;
740
741 fprintf (stderr, "Generating a signed certificate...\n");
742
743 ca_key = load_ca_private_key (cinfo);
744 ca_crt = load_ca_cert (cinfo);
745
746 crt = generate_certificate (&key, ca_crt, 0, cinfo);
747
748 /* Copy the CRL distribution points.
749 */
750 gnutls_x509_crt_cpy_crl_dist_points (crt, ca_crt);
751 /* it doesn't matter if we couldn't copy the CRL dist points.
752 */
753
754 print_certificate_info (crt, stderr, 0);
755
756 fprintf (stderr, "\n\nSigning certificate...\n");
757
758 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
759 if (result < 0)
760 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
761
762 size = buffer_size;
763 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
764 if (result < 0)
765 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
766
767 fwrite (buffer, 1, size, outfile);
768
769 gnutls_x509_crt_deinit (crt);
770 gnutls_privkey_deinit (key);
771 gnutls_privkey_deinit(ca_key);
772 }
773
774 static void
775 generate_proxy_certificate (common_info_st * cinfo)
776 {
777 gnutls_x509_crt_t crt, eecrt;
778 gnutls_privkey_t key, eekey;
779 size_t size;
780 int result;
781
782 fprintf (stderr, "Generating a proxy certificate...\n");
783
784 eekey = load_ca_private_key (cinfo);
785 eecrt = load_cert (1, cinfo);
786
787 crt = generate_certificate (&key, eecrt, 1, cinfo);
788
789 print_certificate_info (crt, stderr, 0);
790
791 fprintf (stderr, "\n\nSigning certificate...\n");
792
793 result = gnutls_x509_crt_privkey_sign (crt, eecrt, eekey, get_dig (eecrt), 0);
794 if (result < 0)
795 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
796
797 size = buffer_size;
798 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
799 if (result < 0)
800 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
801
802 fwrite (buffer, 1, size, outfile);
803
804 gnutls_x509_crt_deinit (eecrt);
805 gnutls_x509_crt_deinit (crt);
806 gnutls_privkey_deinit (key);
807 gnutls_privkey_deinit (eekey);
808 }
809
810 static void
811 generate_signed_crl (common_info_st * cinfo)
812 {
813 gnutls_x509_crl_t crl;
814 int result;
815 gnutls_privkey_t ca_key;
816 gnutls_x509_crt_t ca_crt;
817
818 fprintf (stderr, "Generating a signed CRL...\n");
819
820 ca_key = load_ca_private_key (cinfo);
821 ca_crt = load_ca_cert (cinfo);
822 crl = generate_crl (ca_crt, cinfo);
823
824 fprintf (stderr, "\n");
825 result = gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key, get_dig (ca_crt), 0);
826 if (result < 0)
827 error (EXIT_FAILURE, 0, "crl_privkey_sign: %s", gnutls_strerror (result));
828
829 print_crl_info (crl, stderr);
830
831 gnutls_privkey_deinit( ca_key);
832 gnutls_x509_crl_deinit (crl);
833 }
834
835 static void
836 update_signed_certificate (common_info_st * cinfo)
837 {
838 gnutls_x509_crt_t crt;
839 size_t size;
840 int result;
841 gnutls_privkey_t ca_key;
842 gnutls_x509_crt_t ca_crt;
843 int days;
844 time_t tim = time (NULL);
845
846 fprintf (stderr, "Generating a signed certificate...\n");
847
848 ca_key = load_ca_private_key (cinfo);
849 ca_crt = load_ca_cert (cinfo);
850 crt = load_cert (1, cinfo);
851
852 fprintf (stderr, "Activation/Expiration time.\n");
853 gnutls_x509_crt_set_activation_time (crt, tim);
854
855 days = get_days ();
856
857 result =
858 gnutls_x509_crt_set_expiration_time (crt, tim + ((time_t) days) * 24 * 60 * 60);
859 if (result < 0)
860 error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
861
862 fprintf (stderr, "\n\nSigning certificate...\n");
863
864 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
865 if (result < 0)
866 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
867
868 size = buffer_size;
869 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
870 if (result < 0)
871 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
872
873 fwrite (buffer, 1, size, outfile);
874
875 gnutls_x509_crt_deinit (crt);
876 }
877
878 static void
879 cmd_parser (int argc, char **argv)
880 {
881 int ret, privkey_op = 0;
882 common_info_st cinfo;
883
884 optionProcess( &certtoolOptions, argc, argv);
885
886 if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST) ||
887 HAVE_OPT(KEY_INFO) || HAVE_OPT(PGP_KEY_INFO))
888 privkey_op = 1;
889
890 if (HAVE_OPT(HEX_NUMBERS))
891 full_format = GNUTLS_CRT_PRINT_FULL_NUMBERS;
892
893 if (HAVE_OPT(OUTFILE))
894 {
895 outfile = safe_open_rw (OPT_ARG(OUTFILE), privkey_op);
896 if (outfile == NULL)
897 error (EXIT_FAILURE, errno, "%s", OPT_ARG(OUTFILE));
898 }
899 else
900 outfile = stdout;
901
902 if (HAVE_OPT(INFILE))
903 {
904 infile = fopen (OPT_ARG(INFILE), "rb");
905 if (infile == NULL)
906 error (EXIT_FAILURE, errno, "%s", OPT_ARG(INFILE));
907 }
908 else
909 infile = stdin;
910
911 if (HAVE_OPT(INDER) || HAVE_OPT(INRAW))
912 incert_format = GNUTLS_X509_FMT_DER;
913 else
914 incert_format = GNUTLS_X509_FMT_PEM;
915
916 if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
917 outcert_format = GNUTLS_X509_FMT_DER;
918 else
919 outcert_format = GNUTLS_X509_FMT_PEM;
920
921 if (HAVE_OPT(DSA))
922 req_key_type = GNUTLS_PK_DSA;
923 else if (HAVE_OPT(ECC))
924 req_key_type = GNUTLS_PK_ECC;
925 else
926 req_key_type = GNUTLS_PK_RSA;
927
928 default_dig = GNUTLS_DIG_UNKNOWN;
929 if (HAVE_OPT(HASH))
930 {
931 if (strcasecmp (OPT_ARG(HASH), "md5") == 0)
932 {
933 fprintf (stderr,
934 "Warning: MD5 is broken, and should not be used any more for digital signatures.\n");
935 default_dig = GNUTLS_DIG_MD5;
936 }
937 else if (strcasecmp (OPT_ARG(HASH), "sha1") == 0)
938 default_dig = GNUTLS_DIG_SHA1;
939 else if (strcasecmp (OPT_ARG(HASH), "sha256") == 0)
940 default_dig = GNUTLS_DIG_SHA256;
941 else if (strcasecmp (OPT_ARG(HASH), "sha224") == 0)
942 default_dig = GNUTLS_DIG_SHA224;
943 else if (strcasecmp (OPT_ARG(HASH), "sha384") == 0)
944 default_dig = GNUTLS_DIG_SHA384;
945 else if (strcasecmp (OPT_ARG(HASH), "sha512") == 0)
946 default_dig = GNUTLS_DIG_SHA512;
947 else if (strcasecmp (OPT_ARG(HASH), "rmd160") == 0)
948 default_dig = GNUTLS_DIG_RMD160;
949 else
950 error (EXIT_FAILURE, 0, "invalid hash: %s", OPT_ARG(HASH));
951 }
952
953 batch = 0;
954 if (HAVE_OPT(TEMPLATE))
955 {
956 batch = 1;
957 template_parse (OPT_ARG(TEMPLATE));
958 }
959
960 gnutls_global_set_log_function (tls_log_func);
961
962 if (HAVE_OPT(DEBUG))
963 {
964 gnutls_global_set_log_level (OPT_VALUE_DEBUG);
965 printf ("Setting log level to %d\n", (int)OPT_VALUE_DEBUG);
966 }
967
968 if ((ret = gnutls_global_init ()) < 0)
969 error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
970
971 #ifdef ENABLE_PKCS11
972 pkcs11_common();
973 #endif
974
975 memset (&cinfo, 0, sizeof (cinfo));
976
977 if (HAVE_OPT(VERBOSE))
978 cinfo.verbose = 1;
979
980 if (HAVE_OPT(LOAD_PRIVKEY))
981 cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);
982
983 cinfo.v1_cert = HAVE_OPT(V1);
984 if (HAVE_OPT(NO_CRQ_EXTENSIONS))
985 cinfo.crq_extensions = 0;
986 else cinfo.crq_extensions = 1;
987
988 if (HAVE_OPT(LOAD_PUBKEY))
989 cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
990
991 cinfo.pkcs8 = HAVE_OPT(PKCS8);
992 cinfo.incert_format = incert_format;
993
994 if (HAVE_OPT(LOAD_CERTIFICATE))
995 cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
996
997 if (HAVE_OPT(LOAD_REQUEST))
998 cinfo.request = OPT_ARG(LOAD_REQUEST);
999
1000 if (HAVE_OPT(LOAD_CA_CERTIFICATE))
1001 cinfo.ca = OPT_ARG(LOAD_CA_CERTIFICATE);
1002
1003 if (HAVE_OPT(LOAD_CA_PRIVKEY))
1004 cinfo.ca_privkey = OPT_ARG(LOAD_CA_PRIVKEY);
1005
1006 if (HAVE_OPT(BITS))
1007 cinfo.bits = OPT_VALUE_BITS;
1008
1009 if (HAVE_OPT(SEC_PARAM))
1010 cinfo.sec_param = OPT_ARG(SEC_PARAM);
1011
1012 if (HAVE_OPT(PKCS_CIPHER))
1013 cinfo.pkcs_cipher = OPT_ARG(PKCS_CIPHER);
1014
1015 if (HAVE_OPT(PASSWORD))
1016 {
1017 cinfo.password = OPT_ARG(PASSWORD);
1018 if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0)
1019 {
1020 fprintf(stderr, "Assuming PKCS #8 format...\n");
1021 cinfo.pkcs8 = 1;
1022 }
1023 }
1024
1025 if (HAVE_OPT(NULL_PASSWORD))
1026 {
1027 cinfo.null_password = 1;
1028 cinfo.password = "";
1029 }
1030
1031 if (HAVE_OPT(GENERATE_SELF_SIGNED))
1032 generate_self_signed (&cinfo);
1033 else if (HAVE_OPT(GENERATE_CERTIFICATE))
1034 generate_signed_certificate (&cinfo);
1035 else if (HAVE_OPT(GENERATE_PROXY))
1036 generate_proxy_certificate (&cinfo);
1037 else if (HAVE_OPT(GENERATE_CRL))
1038 generate_signed_crl (&cinfo);
1039 else if (HAVE_OPT(UPDATE_CERTIFICATE))
1040 update_signed_certificate (&cinfo);
1041 else if (HAVE_OPT(GENERATE_PRIVKEY))
1042 generate_private_key (&cinfo);
1043 else if (HAVE_OPT(GENERATE_REQUEST))
1044 generate_request (&cinfo);
1045 else if (HAVE_OPT(VERIFY_CHAIN))
1046 verify_chain ();
1047 else if (HAVE_OPT(VERIFY))
1048 verify_certificate (&cinfo);
1049 else if (HAVE_OPT(VERIFY_CRL))
1050 verify_crl (&cinfo);
1051 else if (HAVE_OPT(CERTIFICATE_INFO))
1052 certificate_info (0, &cinfo);
1053 else if (HAVE_OPT(DH_INFO))
1054 dh_info (&cinfo);
1055 else if (HAVE_OPT(CERTIFICATE_PUBKEY))
1056 certificate_info (1, &cinfo);
1057 else if (HAVE_OPT(KEY_INFO))
1058 privkey_info (&cinfo);
1059 else if (HAVE_OPT(PUBKEY_INFO))
1060 pubkey_info (NULL, &cinfo);
1061 else if (HAVE_OPT(TO_P12))
1062 generate_pkcs12 (&cinfo);
1063 else if (HAVE_OPT(P12_INFO))
1064 pkcs12_info (&cinfo);
1065 else if (HAVE_OPT(GENERATE_DH_PARAMS))
1066 generate_prime (1, &cinfo);
1067 else if (HAVE_OPT(GET_DH_PARAMS))
1068 generate_prime (0, &cinfo);
1069 else if (HAVE_OPT(CRL_INFO))
1070 crl_info ();
1071 else if (HAVE_OPT(P7_INFO))
1072 pkcs7_info ();
1073 else if (HAVE_OPT(SMIME_TO_P7))
1074 smime_to_pkcs7 ();
1075 else if (HAVE_OPT(TO_P8))
1076 generate_pkcs8 (&cinfo);
1077 #ifdef ENABLE_OPENPGP
1078 else if (HAVE_OPT(PGP_CERTIFICATE_INFO))
1079 pgp_certificate_info ();
1080 else if (HAVE_OPT(PGP_KEY_INFO))
1081 pgp_privkey_info ();
1082 else if (HAVE_OPT(PGP_RING_INFO))
1083 pgp_ring_info ();
1084 #endif
1085 else if (HAVE_OPT(CRQ_INFO))
1086 crq_info ();
1087 else
1088 USAGE(1);
1089
1090 fclose (outfile);
1091
1092 #ifdef ENABLE_PKCS11
1093 gnutls_pkcs11_deinit ();
1094 #endif
1095 gnutls_global_deinit ();
1096 }
1097
1098 #define MAX_CRTS 500
1099 void
1100 certificate_info (int pubkey, common_info_st * cinfo)
1101 {
1102 gnutls_x509_crt_t crt[MAX_CRTS];
1103 size_t size;
1104 int ret, i, count;
1105 gnutls_datum_t pem;
1106 unsigned int crt_num;
1107
1108 pem.data = (void*)fread_file (infile, &size);
1109 pem.size = size;
1110
1111 crt_num = MAX_CRTS;
1112 ret =
1113 gnutls_x509_crt_list_import (crt, &crt_num, &pem, incert_format,
1114 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
1115 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
1116 {
1117 error (0, 0, "too many certificates (%d); "
1118 "will only read the first %d", crt_num, MAX_CRTS);
1119 crt_num = MAX_CRTS;
1120 ret = gnutls_x509_crt_list_import (crt, &crt_num, &pem,
1121 incert_format, 0);
1122 }
1123 if (ret < 0)
1124 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1125
1126 free (pem.data);
1127
1128 count = ret;
1129
1130 if (count > 1 && outcert_format == GNUTLS_X509_FMT_DER)
1131 {
1132 error (0, 0, "cannot output multiple certificates in DER format; "
1133 "using PEM instead");
1134 outcert_format = GNUTLS_X509_FMT_PEM;
1135 }
1136
1137 for (i = 0; i < count; i++)
1138 {
1139 if (i > 0)
1140 fprintf (outfile, "\n");
1141
1142 if (outcert_format == GNUTLS_X509_FMT_PEM)
1143 print_certificate_info (crt[i], outfile, 1);
1144
1145 if (pubkey)
1146 pubkey_info (crt[i], cinfo);
1147 else
1148 {
1149 size = buffer_size;
1150 ret = gnutls_x509_crt_export (crt[i], outcert_format, buffer,
1151 &size);
1152 if (ret < 0)
1153 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1154
1155 fwrite (buffer, 1, size, outfile);
1156 }
1157
1158 gnutls_x509_crt_deinit (crt[i]);
1159 }
1160 }
1161
1162 #ifdef ENABLE_OPENPGP
1163
1164 void
1165 pgp_certificate_info (void)
1166 {
1167 gnutls_openpgp_crt_t crt;
1168 size_t size;
1169 int ret;
1170 gnutls_datum_t pem, out_data;
1171 unsigned int verify_status;
1172
1173 pem.data = (void*)fread_file (infile, &size);
1174 pem.size = size;
1175
1176 ret = gnutls_openpgp_crt_init (&crt);
1177 if (ret < 0)
1178 error (EXIT_FAILURE, 0, "openpgp_crt_init: %s", gnutls_strerror (ret));
1179
1180 ret = gnutls_openpgp_crt_import (crt, &pem, incert_format);
1181
1182 if (ret < 0)
1183 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1184
1185 free (pem.data);
1186
1187 if (outcert_format == GNUTLS_OPENPGP_FMT_BASE64)
1188 {
1189 ret = gnutls_openpgp_crt_print (crt, 0, &out_data);
1190
1191 if (ret == 0)
1192 {
1193 fprintf (outfile, "%s\n", out_data.data);
1194 gnutls_free (out_data.data);
1195 }
1196 }
1197
1198
1199 ret = gnutls_openpgp_crt_verify_self (crt, 0, &verify_status);
1200 if (ret < 0)
1201 {
1202 error (EXIT_FAILURE, 0, "verify signature error: %s",
1203 gnutls_strerror (ret));
1204 }
1205
1206 if (verify_status & GNUTLS_CERT_INVALID)
1207 {
1208 fprintf (outfile, "Self Signature verification: failed\n\n");
1209 }
1210 else
1211 {
1212 fprintf (outfile, "Self Signature verification: ok (%x)\n\n",
1213 verify_status);
1214 }
1215
1216 size = buffer_size;
1217 ret = gnutls_openpgp_crt_export (crt, outcert_format, buffer, &size);
1218 if (ret < 0)
1219 {
1220 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1221 fwrite (buffer, 1, size, outfile);
1222 }
1223
1224 fprintf (outfile, "%s\n", buffer);
1225 gnutls_openpgp_crt_deinit (crt);
1226 }
1227
1228 void
1229 pgp_privkey_info (void)
1230 {
1231 gnutls_openpgp_privkey_t key;
1232 unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1233 size_t size;
1234 int ret, i, subkeys, bits = 0;
1235 gnutls_datum_t pem;
1236 const char *cprint;
1237
1238 size = fread (buffer, 1, buffer_size - 1, infile);
1239 buffer[size] = 0;
1240
1241 gnutls_openpgp_privkey_init (&key);
1242
1243 pem.data = buffer;
1244 pem.size = size;
1245
1246 ret = gnutls_openpgp_privkey_import (key, &pem, incert_format,
1247 NULL, 0);
1248
1249 if (ret < 0)
1250 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1251
1252 /* Public key algorithm
1253 */
1254 subkeys = gnutls_openpgp_privkey_get_subkey_count (key);
1255 if (subkeys < 0)
1256 error (EXIT_FAILURE, 0, "privkey_get_subkey_count: %s",
1257 gnutls_strerror (subkeys));
1258
1259 for (i = -1; i < subkeys; i++)
1260 {
1261
1262 if (i != -1)
1263 fprintf (outfile, "Subkey[%d]:\n", i);
1264
1265 fprintf (outfile, "Public Key Info:\n");
1266
1267 if (i == -1)
1268 ret = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
1269 else
1270 ret = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, i, NULL);
1271
1272 fprintf (outfile, "\tPublic Key Algorithm: ");
1273 cprint = gnutls_pk_algorithm_get_name (ret);
1274 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1275 fprintf (outfile, "\tKey Security Level: %s\n",
1276 gnutls_sec_param_get_name (gnutls_openpgp_privkey_sec_param
1277 (key)));
1278
1279 /* Print the raw public and private keys
1280 */
1281
1282 if (ret == GNUTLS_PK_RSA)
1283 {
1284 gnutls_datum_t m, e, d, p, q, u;
1285
1286 if (i == -1)
1287 ret =
1288 gnutls_openpgp_privkey_export_rsa_raw (key, &m, &e, &d, &p,
1289 &q, &u);
1290 else
1291 ret =
1292 gnutls_openpgp_privkey_export_subkey_rsa_raw (key, i, &m,
1293 &e, &d, &p,
1294 &q, &u);
1295 if (ret < 0)
1296 fprintf (stderr, "Error in key RSA data export: %s\n",
1297 gnutls_strerror (ret));
1298 else
1299 print_rsa_pkey (outfile, &m, &e, &d, &p, &q, &u, NULL, NULL);
1300
1301 bits = m.size * 8;
1302 }
1303 else if (ret == GNUTLS_PK_DSA)
1304 {
1305 gnutls_datum_t p, q, g, y, x;
1306
1307 if (i == -1)
1308 ret =
1309 gnutls_openpgp_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1310 else
1311 ret =
1312 gnutls_openpgp_privkey_export_subkey_dsa_raw (key, i, &p,
1313 &q, &g, &y, &x);
1314 if (ret < 0)
1315 fprintf (stderr, "Error in key DSA data export: %s\n",
1316 gnutls_strerror (ret));
1317 else
1318 print_dsa_pkey (outfile, &x, &y, &p, &q, &g);
1319
1320 bits = y.size * 8;
1321 }
1322
1323 fprintf (outfile, "\n");
1324
1325 size = buffer_size;
1326 if (i == -1)
1327 ret = gnutls_openpgp_privkey_get_key_id (key, keyid);
1328 else
1329 ret = gnutls_openpgp_privkey_get_subkey_id (key, i, keyid);
1330
1331 if (ret < 0)
1332 {
1333 fprintf (stderr, "Error in key id calculation: %s\n",
1334 gnutls_strerror (ret));
1335 }
1336 else
1337 {
1338 fprintf (outfile, "Public key ID: %s\n", raw_to_string (keyid, 8));
1339 }
1340
1341 size = buffer_size;
1342 if (i == -1)
1343 ret = gnutls_openpgp_privkey_get_fingerprint (key, buffer, &size);
1344 else
1345 ret = gnutls_openpgp_privkey_get_subkey_fingerprint (key, i, buffer, &size);
1346
1347 if (ret < 0)
1348 {
1349 fprintf (stderr, "Error in fingerprint calculation: %s\n",
1350 gnutls_strerror (ret));
1351 }
1352 else
1353 {
1354 gnutls_datum_t art;
1355
1356 fprintf (outfile, "Fingerprint: %s\n", raw_to_string (buffer, size));
1357
1358 ret = gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint, bits, buffer, size, &art);
1359 if (ret >= 0)
1360 {
1361 fprintf (outfile, "Fingerprint's random art:\n%s\n\n", art.data);
1362 gnutls_free(art.data);
1363 }
1364 }
1365 }
1366
1367 size = buffer_size;
1368 ret = gnutls_openpgp_privkey_export (key, GNUTLS_OPENPGP_FMT_BASE64,
1369 NULL, 0, buffer, &size);
1370 if (ret < 0)
1371 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1372
1373 fprintf (outfile, "\n%s\n", buffer);
1374
1375 gnutls_openpgp_privkey_deinit (key);
1376 }
1377
1378 void
1379 pgp_ring_info (void)
1380 {
1381 gnutls_openpgp_keyring_t ring;
1382 gnutls_openpgp_crt_t crt;
1383 size_t size;
1384 int ret, i, count;
1385 gnutls_datum_t pem;
1386
1387 pem.data = (void*)fread_file (infile, &size);
1388 pem.size = size;
1389
1390 ret = gnutls_openpgp_keyring_init (&ring);
1391 if (ret < 0)
1392 error (EXIT_FAILURE, 0, "openpgp_keyring_init: %s",
1393 gnutls_strerror (ret));
1394
1395 ret = gnutls_openpgp_keyring_import (ring, &pem, incert_format);
1396
1397 if (ret < 0)
1398 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1399
1400 free (pem.data);
1401
1402 count = gnutls_openpgp_keyring_get_crt_count (ring);
1403 if (count >= 0)
1404 fprintf (outfile, "Keyring contains %d OpenPGP certificates\n\n", count);
1405 else
1406 error (EXIT_FAILURE, 0, "keyring error: %s", gnutls_strerror (count));
1407
1408 for (i = 0; i < count; i++)
1409 {
1410 ret = gnutls_openpgp_keyring_get_crt (ring, i, &crt);
1411 if (ret < 0)
1412 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1413
1414 size = buffer_size;
1415 ret = gnutls_openpgp_crt_export (crt, outcert_format,
1416 buffer, &size);
1417 if (ret < 0)
1418 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1419
1420 fwrite (buffer, 1, size, outfile);
1421 fprintf (outfile, "\n\n");
1422
1423 gnutls_openpgp_crt_deinit (crt);
1424
1425
1426 }
1427
1428 gnutls_openpgp_keyring_deinit (ring);
1429 }
1430
1431
1432 #endif
1433
1434
1435
1436 static void
1437 print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all)
1438 {
1439 gnutls_datum_t data;
1440 int ret;
1441
1442 if (all)
1443 ret = gnutls_x509_crt_print (crt, full_format, &data);
1444 else
1445 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_UNSIGNED_FULL, &data);
1446 if (ret == 0)
1447 {
1448 fprintf (out, "%s\n", data.data);
1449 gnutls_free (data.data);
1450 }
1451
1452 if (out == stderr && batch == 0) /* interactive */
1453 if (read_yesno ("Is the above information ok? (y/N): ") == 0)
1454 {
1455 exit (1);
1456 }
1457 }
1458
1459 static void
1460 print_crl_info (gnutls_x509_crl_t crl, FILE * out)
1461 {
1462 gnutls_datum_t data;
1463 int ret;
1464 size_t size;
1465
1466 ret = gnutls_x509_crl_print (crl, full_format, &data);
1467 if (ret < 0)
1468 error (EXIT_FAILURE, 0, "crl_print: %s", gnutls_strerror (ret));
1469
1470 fprintf (out, "%s\n", data.data);
1471
1472 gnutls_free (data.data);
1473
1474 size = buffer_size;
1475 ret = gnutls_x509_crl_export (crl, GNUTLS_X509_FMT_PEM, buffer, &size);
1476 if (ret < 0)
1477 error (EXIT_FAILURE, 0, "crl_export: %s", gnutls_strerror (ret));
1478
1479 fwrite (buffer, 1, size, outfile);
1480 }
1481
1482 void
1483 crl_info (void)
1484 {
1485 gnutls_x509_crl_t crl;
1486 int ret;
1487 size_t size;
1488 gnutls_datum_t pem;
1489
1490 ret = gnutls_x509_crl_init (&crl);
1491 if (ret < 0)
1492 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (ret));
1493
1494 pem.data = (void*)fread_file (infile, &size);
1495 pem.size = size;
1496
1497 if (!pem.data)
1498 error (EXIT_FAILURE, errno, "%s", infile ? "file" :
1499 "standard input");
1500
1501 ret = gnutls_x509_crl_import (crl, &pem, incert_format);
1502
1503 free (pem.data);
1504 if (ret < 0)
1505 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1506
1507 print_crl_info (crl, outfile);
1508
1509 gnutls_x509_crl_deinit (crl);
1510 }
1511
1512 static void
1513 print_crq_info (gnutls_x509_crq_t crq, FILE * out)
1514 {
1515 gnutls_datum_t data;
1516 int ret;
1517 size_t size;
1518
1519 if (outcert_format == GNUTLS_X509_FMT_PEM)
1520 {
1521 ret = gnutls_x509_crq_print (crq, full_format, &data);
1522 if (ret < 0)
1523 error (EXIT_FAILURE, 0, "crq_print: %s", gnutls_strerror (ret));
1524
1525 fprintf (out, "%s\n", data.data);
1526
1527 gnutls_free (data.data);
1528 }
1529
1530 ret = gnutls_x509_crq_verify(crq, 0);
1531 if (ret < 0)
1532 {
1533 fprintf(out, "Self signature: FAILED\n\n");
1534 }
1535 else
1536 {
1537 fprintf(out, "Self signature: verified\n\n");
1538 }
1539
1540 size = buffer_size;
1541 ret = gnutls_x509_crq_export (crq, outcert_format, buffer, &size);
1542 if (ret < 0)
1543 error (EXIT_FAILURE, 0, "crq_export: %s", gnutls_strerror (ret));
1544
1545 fwrite (buffer, 1, size, outfile);
1546 }
1547
1548 void
1549 crq_info (void)
1550 {
1551 gnutls_x509_crq_t crq;
1552 int ret;
1553 size_t size;
1554 gnutls_datum_t pem;
1555
1556 ret = gnutls_x509_crq_init (&crq);
1557 if (ret < 0)
1558 error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));
1559
1560 pem.data = (void*)fread_file (infile, &size);
1561 pem.size = size;
1562
1563 if (!pem.data)
1564 error (EXIT_FAILURE, errno, "%s", infile ? "file" :
1565 "standard input");
1566
1567 ret = gnutls_x509_crq_import (crq, &pem, incert_format);
1568
1569 free (pem.data);
1570 if (ret < 0)
1571 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1572
1573 print_crq_info (crq, outfile);
1574
1575 gnutls_x509_crq_deinit (crq);
1576 }
1577
1578 static void privkey_info_int (common_info_st* cinfo, gnutls_x509_privkey_t key)
1579 {
1580 int ret, key_type;
1581 unsigned int bits = 0;
1582 size_t size;
1583 const char *cprint;
1584
1585 /* Public key algorithm
1586 */
1587 fprintf (outfile, "Public Key Info:\n");
1588 ret = gnutls_x509_privkey_get_pk_algorithm2 (key, &bits);
1589 fprintf (outfile, "\tPublic Key Algorithm: ");
1590
1591 key_type = ret;
1592
1593 cprint = gnutls_pk_algorithm_get_name (key_type);
1594 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1595 fprintf (outfile, "\tKey Security Level: %s (%u bits)\n\n",
1596 gnutls_sec_param_get_name (gnutls_x509_privkey_sec_param (key)), bits);
1597
1598 /* Print the raw public and private keys
1599 */
1600 if (key_type == GNUTLS_PK_RSA)
1601 {
1602 gnutls_datum_t m, e, d, p, q, u, exp1, exp2;
1603
1604 ret =
1605 gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u,
1606 &exp1, &exp2);
1607 if (ret < 0)
1608 fprintf (stderr, "Error in key RSA data export: %s\n",
1609 gnutls_strerror (ret));
1610 else
1611 {
1612 print_rsa_pkey (outfile, &m, &e, &d, &p, &q, &u, &exp1, &exp2);
1613
1614 gnutls_free (m.data);
1615 gnutls_free (e.data);
1616 gnutls_free (d.data);
1617 gnutls_free (p.data);
1618 gnutls_free (q.data);
1619 gnutls_free (u.data);
1620 gnutls_free (exp1.data);
1621 gnutls_free (exp2.data);
1622 }
1623 }
1624 else if (key_type == GNUTLS_PK_DSA)
1625 {
1626 gnutls_datum_t p, q, g, y, x;
1627
1628 ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1629 if (ret < 0)
1630 fprintf (stderr, "Error in key DSA data export: %s\n",
1631 gnutls_strerror (ret));
1632 else
1633 {
1634 print_dsa_pkey (outfile, &x, &y, &p, &q, &g);
1635
1636 gnutls_free (x.data);
1637 gnutls_free (y.data);
1638 gnutls_free (p.data);
1639 gnutls_free (q.data);
1640 gnutls_free (g.data);
1641 }
1642 }
1643 else if (key_type == GNUTLS_PK_EC)
1644 {
1645 gnutls_datum_t y, x, k;
1646 gnutls_ecc_curve_t curve;
1647
1648 ret = gnutls_x509_privkey_export_ecc_raw (key, &curve, &x, &y, &k);
1649 if (ret < 0)
1650 fprintf (stderr, "Error in key ECC data export: %s\n",
1651 gnutls_strerror (ret));
1652 else
1653 {
1654 print_ecc_pkey (outfile, curve, &k, &x, &y);
1655
1656 gnutls_free (x.data);
1657 gnutls_free (y.data);
1658 gnutls_free (k.data);
1659 }
1660 }
1661
1662 fprintf (outfile, "\n");
1663
1664 size = buffer_size;
1665 if ((ret = gnutls_x509_privkey_get_key_id (key, 0, buffer, &size)) < 0)
1666 {
1667 fprintf (stderr, "Error in key id calculation: %s\n",
1668 gnutls_strerror (ret));
1669 }
1670 else
1671 {
1672 gnutls_datum_t art;
1673
1674 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
1675
1676 ret = gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint, bits, buffer, size, &art);
1677 if (ret >= 0)
1678 {
1679 fprintf (outfile, "Public key's random art:\n%s\n", art.data);
1680 gnutls_free(art.data);
1681 }
1682 }
1683 fprintf (outfile, "\n");
1684
1685 }
1686
1687 void
1688 privkey_info (common_info_st* cinfo)
1689 {
1690 gnutls_x509_privkey_t key;
1691 size_t size;
1692 int ret;
1693 gnutls_datum_t pem;
1694 const char *pass;
1695 unsigned int flags = 0;
1696
1697 size = fread (buffer, 1, buffer_size - 1, infile);
1698 buffer[size] = 0;
1699
1700 gnutls_x509_privkey_init (&key);
1701
1702 pem.data = buffer;
1703 pem.size = size;
1704
1705 ret = gnutls_x509_privkey_import2 (key, &pem, incert_format, NULL, 0);
1706
1707 /* If we failed to import the certificate previously try PKCS #8 */
1708 if (ret == GNUTLS_E_DECRYPTION_FAILED)
1709 {
1710 fprintf(stderr, "Encrypted structure detected...\n");
1711 pass = get_password(cinfo, &flags, 0);
1712
1713 ret = gnutls_x509_privkey_import2 (key, &pem,
1714 incert_format, pass, flags);
1715 }
1716 if (ret < 0)
1717 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1718
1719 if (outcert_format == GNUTLS_X509_FMT_PEM)
1720 privkey_info_int (cinfo, key);
1721
1722 ret = gnutls_x509_privkey_verify_params (key);
1723 if (ret < 0)
1724 fprintf (outfile, "\n** Private key parameters validation failed **\n\n");
1725
1726 size = buffer_size;
1727 ret = gnutls_x509_privkey_export (key, outcert_format, buffer, &size);
1728 if (ret < 0)
1729 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1730
1731 fwrite (buffer, 1, size, outfile);
1732
1733 gnutls_x509_privkey_deinit (key);
1734 }
1735
1736
1737 /* Generate a PKCS #10 certificate request.
1738 */
1739 void
1740 generate_request (common_info_st * cinfo)
1741 {
1742 gnutls_x509_crq_t crq;
1743 gnutls_x509_privkey_t xkey;
1744 gnutls_pubkey_t pubkey;
1745 gnutls_privkey_t pkey;
1746 int ret, ca_status, path_len, pk;
1747 const char *pass;
1748 unsigned int usage = 0;
1749
1750 fprintf (stderr, "Generating a PKCS #10 certificate request...\n");
1751
1752 ret = gnutls_x509_crq_init (&crq);
1753 if (ret < 0)
1754 error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));
1755
1756
1757 /* Load the private key.
1758 */
1759 pkey = load_private_key (0, cinfo);
1760 if (!pkey)
1761 {
1762 ret = gnutls_privkey_init (&pkey);
1763 if (ret < 0)
1764 error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
1765
1766 xkey = generate_private_key_int (cinfo);
1767
1768 print_private_key (cinfo, xkey);
1769
1770 ret = gnutls_privkey_import_x509(pkey, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
1771 if (ret < 0)
1772 error (EXIT_FAILURE, 0, "privkey_import_x509: %s", gnutls_strerror (ret));
1773 }
1774
1775 pubkey = load_public_key_or_import (1, pkey, cinfo);
1776
1777 pk = gnutls_pubkey_get_pk_algorithm (pubkey, NULL);
1778
1779 /* Set the DN.
1780 */
1781 get_country_crq_set (crq);
1782 get_organization_crq_set (crq);
1783 get_unit_crq_set (crq);
1784 get_locality_crq_set (crq);
1785 get_state_crq_set (crq);
1786 get_cn_crq_set (crq);
1787 get_dc_set (TYPE_CRQ, crq);
1788 get_uid_crq_set (crq);
1789 get_oid_crq_set (crq);
1790
1791 get_dns_name_set (TYPE_CRQ, crq);
1792 get_uri_set (TYPE_CRQ, crq);
1793 get_ip_addr_set (TYPE_CRQ, crq);
1794 get_email_set (TYPE_CRQ, crq);
1795
1796 pass = get_challenge_pass ();
1797
1798 if (pass != NULL && pass[0] != 0)
1799 {
1800 ret = gnutls_x509_crq_set_challenge_password (crq, pass);
1801 if (ret < 0)
1802 error (EXIT_FAILURE, 0, "set_pass: %s", gnutls_strerror (ret));
1803 }
1804
1805 if (cinfo->crq_extensions != 0)
1806 {
1807 ca_status = get_ca_status ();
1808 if (ca_status)
1809 path_len = get_path_len ();
1810 else
1811 path_len = -1;
1812
1813 ret = gnutls_x509_crq_set_basic_constraints (crq, ca_status, path_len);
1814 if (ret < 0)
1815 error (EXIT_FAILURE, 0, "set_basic_constraints: %s",
1816 gnutls_strerror (ret));
1817
1818 if (pk == GNUTLS_PK_RSA)
1819 {
1820 ret = get_sign_status (1);
1821 if (ret)
1822 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1823
1824 /* Only ask for an encryption certificate
1825 * if it is an RSA one */
1826 ret = get_encrypt_status (1);
1827 if (ret)
1828 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
1829 else
1830 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1831 }
1832 else /* DSA and ECDSA are always signing */
1833 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1834
1835 if (ca_status)
1836 {
1837 ret = get_cert_sign_status ();
1838 if (ret)
1839 usage |= GNUTLS_KEY_KEY_CERT_SIGN;
1840
1841 ret = get_crl_sign_status ();
1842 if (ret)
1843 usage |= GNUTLS_KEY_CRL_SIGN;
1844
1845 ret = get_code_sign_status ();
1846 if (ret)
1847 {
1848 ret = gnutls_x509_crq_set_key_purpose_oid
1849 (crq, GNUTLS_KP_CODE_SIGNING, 0);
1850 if (ret < 0)
1851 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1852 }
1853
1854 ret = get_ocsp_sign_status ();
1855 if (ret)
1856 {
1857 ret = gnutls_x509_crq_set_key_purpose_oid
1858 (crq, GNUTLS_KP_OCSP_SIGNING, 0);
1859 if (ret < 0)
1860 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1861 }
1862
1863 ret = get_time_stamp_status ();
1864 if (ret)
1865 {
1866 ret = gnutls_x509_crq_set_key_purpose_oid
1867 (crq, GNUTLS_KP_TIME_STAMPING, 0);
1868 if (ret < 0)
1869 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1870 }
1871
1872 ret = get_ipsec_ike_status ();
1873 if (ret)
1874 {
1875 ret = gnutls_x509_crq_set_key_purpose_oid
1876 (crq, GNUTLS_KP_IPSEC_IKE, 0);
1877 if (ret < 0)
1878 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1879 }
1880 }
1881
1882 ret = gnutls_x509_crq_set_key_usage (crq, usage);
1883 if (ret < 0)
1884 error (EXIT_FAILURE, 0, "key_usage: %s", gnutls_strerror (ret));
1885
1886 ret = get_tls_client_status ();
1887 if (ret != 0)
1888 {
1889 ret = gnutls_x509_crq_set_key_purpose_oid
1890 (crq, GNUTLS_KP_TLS_WWW_CLIENT, 0);
1891 if (ret < 0)
1892 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1893 }
1894
1895 ret = get_tls_server_status ();
1896 if (ret != 0)
1897 {
1898 ret = gnutls_x509_crq_set_key_purpose_oid
1899 (crq, GNUTLS_KP_TLS_WWW_SERVER, 0);
1900 if (ret < 0)
1901 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1902 }
1903 }
1904
1905 ret = gnutls_x509_crq_set_pubkey (crq, pubkey);
1906 if (ret < 0)
1907 error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (ret));
1908
1909 ret = gnutls_x509_crq_privkey_sign (crq, pkey, get_dig_for_pub (pubkey), 0);
1910 if (ret < 0)
1911 error (EXIT_FAILURE, 0, "sign: %s", gnutls_strerror (ret));
1912
1913 print_crq_info (crq, outfile);
1914
1915 gnutls_x509_crq_deinit (crq);
1916 gnutls_privkey_deinit( pkey);
1917 gnutls_pubkey_deinit( pubkey);
1918
1919 }
1920
1921 static void print_verification_res (FILE* outfile, unsigned int output);
1922
1923 static int detailed_verification(gnutls_x509_crt_t cert,
1924 gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
1925 unsigned int verification_output)
1926 {
1927 char name[512];
1928 char tmp[255];
1929 char issuer_name[512];
1930 size_t name_size;
1931 size_t issuer_name_size;
1932 int ret;
1933
1934 issuer_name_size = sizeof (issuer_name);
1935 ret =
1936 gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
1937 if (ret < 0)
1938 error (EXIT_FAILURE, 0, "gnutls_x509_crt_get_issuer_dn: %s", gnutls_strerror (ret));
1939
1940 name_size = sizeof (name);
1941 ret =
1942 gnutls_x509_crt_get_dn (cert, name, &name_size);
1943 if (ret < 0)
1944 error (EXIT_FAILURE, 0, "gnutls_x509_crt_get_dn: %s", gnutls_strerror (ret));
1945
1946 fprintf (outfile, "\tSubject: %s\n", name);
1947 fprintf (outfile, "\tIssuer: %s\n", issuer_name);
1948
1949 if (issuer != NULL)
1950 {
1951 issuer_name_size = sizeof (issuer_name);
1952 ret =
1953 gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size);
1954 if (ret < 0)
1955 error (EXIT_FAILURE, 0, "gnutls_x509_crt_get_issuer_dn: %s", gnutls_strerror (ret));
1956
1957 fprintf (outfile, "\tChecked against: %s\n", issuer_name);
1958 }
1959
1960 if (crl != NULL)
1961 {
1962 gnutls_datum_t data;
1963
1964 issuer_name_size = sizeof (issuer_name);
1965 ret =
1966 gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size);
1967 if (ret < 0)
1968 error (EXIT_FAILURE, 0, "gnutls_x509_crl_get_issuer_dn: %s", gnutls_strerror (ret));
1969
1970 name_size = sizeof(tmp);
1971 ret = gnutls_x509_crl_get_number(crl, tmp, &name_size, NULL);
1972 if (ret < 0)
1973 strcpy(name, "unnumbered");
1974 else
1975 {
1976 data.data = (void*)tmp;
1977 data.size = name_size;
1978
1979 name_size = sizeof(name);
1980 ret = gnutls_hex_encode(&data, name, &name_size);
1981 if (ret < 0)
1982 error (EXIT_FAILURE, 0, "gnutls_hex_encode: %s", gnutls_strerror (ret));
1983 }
1984 fprintf (outfile, "\tChecked against CRL[%s] of: %s\n", name, issuer_name);
1985 }
1986
1987 fprintf (outfile, "\tOutput: ");
1988 print_verification_res(outfile, verification_output);
1989
1990 fputs("\n\n", outfile);
1991
1992 return 0;
1993 }
1994
1995 /* Will verify a certificate chain. If no CA certificates
1996 * are provided, then the last certificate in the certificate
1997 * chain is used as a CA.
1998 */
1999 static int
2000 _verify_x509_mem (const void *cert, int cert_size, const void* ca, int ca_size)
2001 {
2002 int ret;
2003 gnutls_datum_t tmp;
2004 gnutls_x509_crt_t *x509_cert_list = NULL;
2005 gnutls_x509_crt_t *x509_ca_list = NULL;
2006 gnutls_x509_crl_t *x509_crl_list = NULL;
2007 unsigned int x509_ncerts, x509_ncrls = 0, x509_ncas = 0;
2008 gnutls_x509_trust_list_t list;
2009 unsigned int output;
2010
2011 ret = gnutls_x509_trust_list_init(&list, 0);
2012 if (ret < 0)
2013 error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s",
2014 gnutls_strerror (ret));
2015
2016 if (ca == NULL)
2017 {
2018 tmp.data = (void*)cert;
2019 tmp.size = cert_size;
2020 }
2021 else
2022 {
2023 tmp.data = (void*)ca;
2024 tmp.size = ca_size;
2025
2026 /* Load CAs */
2027 ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, &tmp,
2028 GNUTLS_X509_FMT_PEM, 0);
2029 if (ret < 0 || x509_ncas < 1)
2030 error (EXIT_FAILURE, 0, "error parsing CAs: %s",
2031 gnutls_strerror (ret));
2032 }
2033
2034 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
2035 GNUTLS_X509_FMT_PEM, 0);
2036 if (ret < 0)
2037 {
2038 x509_crl_list = NULL;
2039 x509_ncrls = 0;
2040 }
2041
2042 tmp.data = (void*)cert;
2043 tmp.size = cert_size;
2044
2045 /* ignore errors. CRLs might not be given */
2046 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
2047 GNUTLS_X509_FMT_PEM, 0);
2048 if (ret < 0 || x509_ncerts < 1)
2049 error (EXIT_FAILURE, 0, "error parsing CRTs: %s",
2050 gnutls_strerror (ret));
2051
2052 if (ca == NULL)
2053 {
2054 x509_ca_list = &x509_cert_list[x509_ncerts - 1];
2055 x509_ncas = 1;
2056 }
2057
2058 fprintf(stdout, "Loaded %d certificates, %d CAs and %d CRLs\n\n",
2059 x509_ncerts, x509_ncas, x509_ncrls);
2060
2061 ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, 0);
2062 if (ret < 0)
2063 error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s",
2064 gnutls_strerror (ret));
2065
2066 ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, 0, 0);
2067 if (ret < 0)
2068 error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_crls: %s",
2069 gnutls_strerror (ret));
2070
2071 gnutls_free(x509_crl_list);
2072
2073 ret = gnutls_x509_trust_list_verify_crt (list, x509_cert_list, x509_ncerts,
2074 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output,
2075 detailed_verification);
2076 if (ret < 0)
2077 error (EXIT_FAILURE, 0, "gnutls_x509_trusted_list_verify_crt: %s",
2078 gnutls_strerror (ret));
2079
2080 fprintf (outfile, "Chain verification output: ");
2081 print_verification_res(outfile, output);
2082
2083 fprintf (outfile, "\n\n");
2084
2085 gnutls_free(x509_cert_list);
2086 gnutls_x509_trust_list_deinit(list, 1);
2087
2088 if (output != 0)
2089 exit(EXIT_FAILURE);
2090
2091 return 0;
2092 }
2093
2094 static void
2095 print_verification_res (FILE* outfile, unsigned int output)
2096 {
2097 gnutls_datum_t pout;
2098 int ret;
2099
2100 if (output)
2101 {
2102 fprintf (outfile, "Not verified.");
2103 }
2104 else
2105 {
2106 fprintf (outfile, "Verified.");
2107 }
2108
2109 ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0);
2110 if (ret < 0)
2111 {
2112 fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
2113 exit(EXIT_FAILURE);
2114 }
2115
2116 fprintf (outfile, " %s", pout.data);
2117 gnutls_free(pout.data);
2118 }
2119
2120 static void
2121 verify_chain (void)
2122 {
2123 char *buf;
2124 size_t size;
2125
2126 buf = (void*)fread_file (infile, &size);
2127 if (buf == NULL)
2128 error (EXIT_FAILURE, errno, "reading chain");
2129
2130 buf[size] = 0;
2131
2132 _verify_x509_mem (buf, size, NULL, 0);
2133
2134 }
2135
2136 static void
2137 verify_certificate (common_info_st * cinfo)
2138 {
2139 char *cert;
2140 char *cas;
2141 size_t cert_size, ca_size;
2142 FILE * ca_file = fopen(cinfo->ca, "r");
2143
2144 if (ca_file == NULL)
2145 error (EXIT_FAILURE, errno, "opening CA file");
2146
2147 cert = (void*)fread_file (infile, &cert_size);
2148 if (cert == NULL)
2149 error (EXIT_FAILURE, errno, "reading certificate chain");
2150
2151 cert[cert_size] = 0;
2152
2153 cas = (void*)fread_file (ca_file, &ca_size);
2154 if (cas == NULL)
2155 error (EXIT_FAILURE, errno, "reading CA list");
2156
2157 cas[ca_size] = 0;
2158 fclose(ca_file);
2159
2160 _verify_x509_mem (cert, cert_size, cas, ca_size);
2161
2162
2163 }
2164
2165 void
2166 verify_crl (common_info_st * cinfo)
2167 {
2168 size_t size, dn_size;
2169 char dn[128];
2170 unsigned int output;
2171 int ret;
2172 gnutls_datum_t pem, pout;
2173 gnutls_x509_crl_t crl;
2174 gnutls_x509_crt_t issuer;
2175
2176 issuer = load_ca_cert (cinfo);
2177
2178 fprintf (outfile, "\nCA certificate:\n");
2179
2180 dn_size = sizeof (dn);
2181 ret = gnutls_x509_crt_get_dn (issuer, dn, &dn_size);
2182 if (ret < 0)
2183 error (EXIT_FAILURE, 0, "crt_get_dn: %s", gnutls_strerror (ret));
2184
2185 fprintf (outfile, "\tSubject: %s\n\n", dn);
2186
2187 ret = gnutls_x509_crl_init (&crl);
2188 if (ret < 0)
2189 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (ret));
2190
2191 pem.data = (void*)fread_file (infile, &size);
2192 pem.size = size;
2193
2194 ret = gnutls_x509_crl_import (crl, &pem, incert_format);
2195 free (pem.data);
2196 if (ret < 0)
2197 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
2198
2199 print_crl_info (crl, outfile);
2200
2201 fprintf (outfile, "Verification output: ");
2202 ret = gnutls_x509_crl_verify (crl, &issuer, 1, 0, &output);
2203 if (ret < 0)
2204 error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
2205
2206 if (output)
2207 {
2208 fprintf (outfile, "Not verified. ");
2209 }
2210 else
2211 {
2212 fprintf (outfile, "Verified.");
2213 }
2214
2215 ret = gnutls_certificate_verification_status_print( output, GNUTLS_CRT_X509, &pout, 0);
2216 if (ret < 0)
2217 {
2218 fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
2219 exit(EXIT_FAILURE);
2220 }
2221
2222 fprintf (outfile, " %s", pout.data);
2223 gnutls_free(pout.data);
2224
2225 fprintf (outfile, "\n");
2226 }
2227
2228
2229
2230 void
2231 generate_pkcs8 (common_info_st * cinfo)
2232 {
2233 gnutls_x509_privkey_t key;
2234 int result;
2235 size_t size;
2236 unsigned int flags = 0;
2237 const char *password;
2238
2239 fprintf (stderr, "Generating a PKCS #8 key structure...\n");
2240
2241 key = load_x509_private_key (1, cinfo);
2242
2243 password = get_password(cinfo, &flags, 1);
2244
2245 flags |= cipher_to_flags (cinfo->pkcs_cipher);
2246
2247 size = buffer_size;
2248 result =
2249 gnutls_x509_privkey_export_pkcs8 (key, outcert_format,
2250 password, flags, buffer, &size);
2251
2252 if (result < 0)
2253 error (EXIT_FAILURE, 0, "key_export: %s", gnutls_strerror (result));
2254
2255 fwrite (buffer, 1, size, outfile);
2256
2257 }
2258
2259
2260 #include <gnutls/pkcs12.h>
2261 #include <unistd.h>
2262
2263 void
2264 generate_pkcs12 (common_info_st * cinfo)
2265 {
2266 gnutls_pkcs12_t pkcs12;
2267 gnutls_x509_crt_t *crts;
2268 gnutls_x509_privkey_t *keys;
2269 int result;
2270 size_t size;
2271 gnutls_datum_t data;
2272 const char *pass;
2273 const char *name;
2274 unsigned int flags = 0, i;
2275 gnutls_datum_t key_id;
2276 unsigned char _key_id[32];
2277 int indx;
2278 size_t ncrts;
2279 size_t nkeys;
2280
2281 fprintf (stderr, "Generating a PKCS #12 structure...\n");
2282
2283 keys = load_privkey_list (0, &nkeys, cinfo);
2284 crts = load_cert_list (0, &ncrts, cinfo);
2285
2286 name = get_pkcs12_key_name ();
2287
2288 result = gnutls_pkcs12_init (&pkcs12);
2289 if (result < 0)
2290 error (EXIT_FAILURE, 0, "pkcs12_init: %s", gnutls_strerror (result));
2291
2292 pass = get_password(cinfo, &flags, 1);
2293 flags |= cipher_to_flags (cinfo->pkcs_cipher);
2294
2295 for (i = 0; i < ncrts; i++)
2296 {
2297 gnutls_pkcs12_bag_t bag;
2298
2299 result = gnutls_pkcs12_bag_init (&bag);
2300 if (result < 0)
2301 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2302
2303 result = gnutls_pkcs12_bag_set_crt (bag, crts[i]);
2304 if (result < 0)
2305 error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i,
2306 gnutls_strerror (result));
2307
2308 indx = result;
2309
2310 if (i==0) /* only the first certificate gets the friendly name */
2311 {
2312 result = gnutls_pkcs12_bag_set_friendly_name (bag, indx, name);
2313 if (result < 0)
2314 error (EXIT_FAILURE, 0, "bag_set_friendly_name: %s",
2315 gnutls_strerror (result));
2316 }
2317
2318 size = sizeof (_key_id);
2319 result = gnutls_x509_crt_get_key_id (crts[i], 0, _key_id, &size);
2320 if (result < 0)
2321 error (EXIT_FAILURE, 0, "key_id[%d]: %s", i,
2322 gnutls_strerror (result));
2323
2324 key_id.data = _key_id;
2325 key_id.size = size;
2326
2327 result = gnutls_pkcs12_bag_set_key_id (bag, indx, &key_id);
2328 if (result < 0)
2329 error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
2330 gnutls_strerror (result));
2331
2332 result = gnutls_pkcs12_bag_encrypt (bag, pass, flags);
2333 if (result < 0)
2334 error (EXIT_FAILURE, 0, "bag_encrypt: %s", gnutls_strerror (result));
2335
2336 result = gnutls_pkcs12_set_bag (pkcs12, bag);
2337 if (result < 0)
2338 error (EXIT_FAILURE, 0, "set_bag: %s", gnutls_strerror (result));
2339 }
2340
2341 for (i = 0; i < nkeys; i++)
2342 {
2343 gnutls_pkcs12_bag_t kbag;
2344
2345 result = gnutls_pkcs12_bag_init (&kbag);
2346 if (result < 0)
2347 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2348
2349 size = buffer_size;
2350 result =
2351 gnutls_x509_privkey_export_pkcs8 (keys[i], GNUTLS_X509_FMT_DER,
2352 pass, flags, buffer, &size);
2353 if (result < 0)
2354 error (EXIT_FAILURE, 0, "key_export[%d]: %s", i, gnutls_strerror (result));
2355
2356 data.data = buffer;
2357 data.size = size;
2358 result =
2359 gnutls_pkcs12_bag_set_data (kbag,
2360 GNUTLS_BAG_PKCS8_ENCRYPTED_KEY, &data);
2361 if (result < 0)
2362 error (EXIT_FAILURE, 0, "bag_set_data: %s", gnutls_strerror (result));
2363
2364 indx = result;
2365
2366 result = gnutls_pkcs12_bag_set_friendly_name (kbag, indx, name);
2367 if (result < 0)
2368 error (EXIT_FAILURE, 0, "bag_set_friendly_name: %s",
2369 gnutls_strerror (result));
2370
2371 size = sizeof (_key_id);
2372 result = gnutls_x509_privkey_get_key_id (keys[i], 0, _key_id, &size);
2373 if (result < 0)
2374 error (EXIT_FAILURE, 0, "key_id[%d]: %s", i, gnutls_strerror (result));
2375
2376 key_id.data = _key_id;
2377 key_id.size = size;
2378
2379 result = gnutls_pkcs12_bag_set_key_id (kbag, indx, &key_id);
2380 if (result < 0)
2381 error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
2382 gnutls_strerror (result));
2383
2384 result = gnutls_pkcs12_set_bag (pkcs12, kbag);
2385 if (result < 0)
2386 error (EXIT_FAILURE, 0, "set_bag: %s", gnutls_strerror (result));
2387 }
2388
2389 result = gnutls_pkcs12_generate_mac (pkcs12, pass);
2390 if (result < 0)
2391 error (EXIT_FAILURE, 0, "generate_mac: %s", gnutls_strerror (result));
2392
2393 size = buffer_size;
2394 result = gnutls_pkcs12_export (pkcs12, outcert_format, buffer, &size);
2395 if (result < 0)
2396 error (EXIT_FAILURE, 0, "pkcs12_export: %s", gnutls_strerror (result));
2397
2398 fwrite (buffer, 1, size, outfile);
2399
2400 }
2401
2402 static const char *
2403 BAGTYPE (gnutls_pkcs12_bag_type_t x)
2404 {
2405 switch (x)
2406 {
2407 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2408 return "PKCS #8 Encrypted key";
2409 case GNUTLS_BAG_EMPTY:
2410 return "Empty";
2411 case GNUTLS_BAG_PKCS8_KEY:
2412 return "PKCS #8 Key";
2413 case GNUTLS_BAG_CERTIFICATE:
2414 return "Certificate";
2415 case GNUTLS_BAG_ENCRYPTED:
2416 return "Encrypted";
2417 case GNUTLS_BAG_CRL:
2418 return "CRL";
2419 case GNUTLS_BAG_SECRET:
2420 return "Secret";
2421 default:
2422 return "Unknown";
2423 }
2424 }
2425
2426 static void
2427 print_bag_data (gnutls_pkcs12_bag_t bag)
2428 {
2429 int result;
2430 int count, i, type;
2431 gnutls_datum_t cdata, id;
2432 const char *str, *name;
2433 gnutls_datum_t out;
2434
2435 count = gnutls_pkcs12_bag_get_count (bag);
2436 if (count < 0)
2437 error (EXIT_FAILURE, 0, "get_count: %s", gnutls_strerror (count));
2438
2439 fprintf (outfile, "\tElements: %d\n", count);
2440
2441 for (i = 0; i < count; i++)
2442 {
2443 type = gnutls_pkcs12_bag_get_type (bag, i);
2444 if (type < 0)
2445 error (EXIT_FAILURE, 0, "get_type: %s", gnutls_strerror (type));
2446
2447 fprintf (stderr, "\tType: %s\n", BAGTYPE (type));
2448
2449 name = NULL;
2450 result = gnutls_pkcs12_bag_get_friendly_name (bag, i, (char **) &name);
2451 if (result < 0)
2452 error (EXIT_FAILURE, 0, "get_friendly_name: %s",
2453 gnutls_strerror (type));
2454 if (name)
2455 fprintf (outfile, "\tFriendly name: %s\n", name);
2456
2457 id.data = NULL;
2458 id.size = 0;
2459 result = gnutls_pkcs12_bag_get_key_id (bag, i, &id);
2460 if (result < 0)
2461 error (EXIT_FAILURE, 0, "get_key_id: %s", gnutls_strerror (type));
2462 if (id.size > 0)
2463 fprintf (outfile, "\tKey ID: %s\n", raw_to_string (id.data, id.size));
2464
2465 result = gnutls_pkcs12_bag_get_data (bag, i, &cdata);
2466 if (result < 0)
2467 error (EXIT_FAILURE, 0, "get_data: %s", gnutls_strerror (result));
2468
2469 switch (type)
2470 {
2471 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2472 str = "ENCRYPTED PRIVATE KEY";
2473 break;
2474 case GNUTLS_BAG_PKCS8_KEY:
2475 str = "PRIVATE KEY";
2476 break;
2477 case GNUTLS_BAG_CERTIFICATE:
2478 str = "CERTIFICATE";
2479 break;
2480 case GNUTLS_BAG_CRL:
2481 str = "CRL";
2482 break;
2483 case GNUTLS_BAG_ENCRYPTED:
2484 case GNUTLS_BAG_EMPTY:
2485 default:
2486 str = NULL;
2487 }
2488
2489 if (str != NULL)
2490 {
2491 gnutls_pem_base64_encode_alloc (str, &cdata, &out);
2492 fprintf (outfile, "%s\n", out.data);
2493
2494 gnutls_free (out.data);
2495 }
2496
2497 }
2498 }
2499
2500 void
2501 pkcs12_info (common_info_st* cinfo)
2502 {
2503 gnutls_pkcs12_t pkcs12;
2504 gnutls_pkcs12_bag_t bag;
2505 int result;
2506 size_t size;
2507 gnutls_datum_t data;
2508 const char *pass;
2509 int indx, fail = 0;
2510
2511 result = gnutls_pkcs12_init (&pkcs12);
2512 if (result < 0)
2513 error (EXIT_FAILURE, 0, "p12_init: %s", gnutls_strerror (result));
2514
2515 data.data = (void*)fread_file (infile, &size);
2516 data.size = size;
2517
2518 result = gnutls_pkcs12_import (pkcs12, &data, incert_format, 0);
2519 free (data.data);
2520 if (result < 0)
2521 error (EXIT_FAILURE, 0, "p12_import: %s", gnutls_strerror (result));
2522
2523 pass = get_password(cinfo, NULL, 0);
2524
2525 result = gnutls_pkcs12_verify_mac (pkcs12, pass);
2526 if (result < 0)
2527 {
2528 fail = 1;
2529 error (0, 0, "verify_mac: %s", gnutls_strerror (result));
2530 }
2531
2532 for (indx = 0;; indx++)
2533 {
2534 result = gnutls_pkcs12_bag_init (&bag);
2535 if (result < 0)
2536 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2537
2538 result = gnutls_pkcs12_get_bag (pkcs12, indx, bag);
2539 if (result < 0)
2540 break;
2541
2542 result = gnutls_pkcs12_bag_get_count (bag);
2543 if (result < 0)
2544 error (EXIT_FAILURE, 0, "bag_count: %s", gnutls_strerror (result));
2545
2546 fprintf (outfile, "BAG #%d\n", indx);
2547
2548 result = gnutls_pkcs12_bag_get_type (bag, 0);
2549 if (result < 0)
2550 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2551
2552 if (result == GNUTLS_BAG_ENCRYPTED)
2553 {
2554 fprintf (stderr, "\tType: %s\n", BAGTYPE (result));
2555 fprintf (stderr, "\n\tDecrypting...\n");
2556
2557 result = gnutls_pkcs12_bag_decrypt (bag, pass);
2558
2559 if (result < 0)
2560 {
2561 fail = 1;
2562 error (0, 0, "bag_decrypt: %s", gnutls_strerror (result));
2563 continue;
2564 }
2565
2566 result = gnutls_pkcs12_bag_get_count (bag);
2567 if (result < 0)
2568 error (EXIT_FAILURE, 0, "encrypted bag_count: %s",
2569 gnutls_strerror (result));
2570 }
2571
2572 print_bag_data (bag);
2573
2574 gnutls_pkcs12_bag_deinit (bag);
2575 }
2576
2577 if (fail)
2578 error (EXIT_FAILURE, 0, "There were errors parsing the structure\n");
2579 }
2580
2581 void
2582 pkcs7_info (void)
2583 {
2584 gnutls_pkcs7_t pkcs7;
2585 int result;
2586 size_t size;
2587 gnutls_datum_t data, b64;
2588 int indx, count;
2589
2590 result = gnutls_pkcs7_init (&pkcs7);
2591 if (result < 0)
2592 error (EXIT_FAILURE, 0, "p7_init: %s", gnutls_strerror (result));
2593
2594 data.data = (void*)fread_file (infile, &size);
2595 data.size = size;
2596
2597 result = gnutls_pkcs7_import (pkcs7, &data, incert_format);
2598 free (data.data);
2599 if (result < 0)
2600 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (result));
2601
2602 /* Read and print the certificates.
2603 */
2604 result = gnutls_pkcs7_get_crt_count (pkcs7);
2605 if (result < 0)
2606 error (EXIT_FAILURE, 0, "p7_crt_count: %s", gnutls_strerror (result));
2607
2608 count = result;
2609
2610 if (count > 0)
2611 fprintf (outfile, "Number of certificates: %u\n", count);
2612
2613 for (indx = 0; indx < count; indx++)
2614 {
2615 fputs ("\n", outfile);
2616
2617 size = buffer_size;
2618 result = gnutls_pkcs7_get_crt_raw (pkcs7, indx, buffer, &size);
2619 if (result < 0)
2620 break;
2621
2622 data.data = buffer;
2623 data.size = size;
2624
2625 result = gnutls_pem_base64_encode_alloc ("CERTIFICATE", &data, &b64);
2626 if (result < 0)
2627 error (EXIT_FAILURE, 0, "encoding: %s", gnutls_strerror (result));
2628
2629 fputs ((void*)b64.data, outfile);
2630 gnutls_free (b64.data);
2631 }
2632
2633 /* Read the CRLs now.
2634 */
2635 result = gnutls_pkcs7_get_crl_count (pkcs7);
2636 if (result < 0)
2637 error (EXIT_FAILURE, 0, "p7_crl_count: %s", gnutls_strerror (result));
2638
2639 count = result;
2640
2641 if (count > 0)
2642 fprintf (outfile, "\nNumber of CRLs: %u\n", count);
2643
2644 for (indx = 0; indx < count; indx++)
2645 {
2646 fputs ("\n", outfile);
2647
2648 size = buffer_size;
2649 result = gnutls_pkcs7_get_crl_raw (pkcs7, indx, buffer, &size);
2650 if (result < 0)
2651 break;
2652
2653 data.data = buffer;
2654 data.size = size;
2655
2656 result = gnutls_pem_base64_encode_alloc ("X509 CRL", &data, &b64);
2657 if (result < 0)
2658 error (EXIT_FAILURE, 0, "encoding: %s", gnutls_strerror (result));
2659
2660 fputs ((void*)b64.data, outfile);
2661 gnutls_free (b64.data);
2662 }
2663 }
2664
2665 void
2666 smime_to_pkcs7 (void)
2667 {
2668 size_t linesize = 0;
2669 char *lineptr = NULL;
2670 ssize_t len;
2671
2672 /* Find body. FIXME: Handle non-b64 Content-Transfer-Encoding.
2673 Reject non-S/MIME tagged Content-Type's? */
2674 do
2675 {
2676 len = getline (&lineptr, &linesize, infile);
2677 if (len == -1)
2678 error (EXIT_FAILURE, 0, "cannot find RFC 2822 header/body separator");
2679 }
2680 while (strcmp (lineptr, "\r\n") != 0 && strcmp (lineptr, "\n") != 0);
2681
2682 do
2683 {
2684 len = getline (&lineptr, &linesize, infile);
2685 if (len == -1)
2686 error (EXIT_FAILURE, 0, "message has RFC 2822 header but no body");
2687 }
2688 while (strcmp (lineptr, "\r\n") == 0 && strcmp (lineptr, "\n") == 0);
2689
2690 fprintf (outfile, "%s", "-----BEGIN PKCS7-----\n");
2691
2692 do
2693 {
2694 while (len > 0
2695 && (lineptr[len - 1] == '\r' || lineptr[len - 1] == '\n'))
2696 lineptr[--len] = '\0';
2697 if (strcmp (lineptr, "") != 0)
2698 fprintf (outfile, "%s\n", lineptr);
2699 len = getline (&lineptr, &linesize, infile);
2700 }
2701 while (len != -1);
2702
2703 fprintf (outfile, "%s", "-----END PKCS7-----\n");
2704
2705 free (lineptr);
2706 }
2707
2708
2709 void
2710 pubkey_info (gnutls_x509_crt_t crt, common_info_st * cinfo)
2711 {
2712 gnutls_pubkey_t pubkey;
2713 gnutls_privkey_t privkey = NULL;
2714 gnutls_x509_crq_t crq = NULL;
2715 int ret;
2716 size_t size;
2717
2718 ret = gnutls_pubkey_init (&pubkey);
2719 if (ret < 0)
2720 {
2721 error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
2722 }
2723
2724 if (crt == NULL)
2725 {
2726 crt = load_cert (0, cinfo);
2727 }
2728
2729 if (crq == NULL)
2730 {
2731 crq = load_request (cinfo);
2732 }
2733
2734 if (crt != NULL)
2735 {
2736 ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
2737 if (ret < 0)
2738 error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
2739 gnutls_strerror (ret));
2740 }
2741 else if (crq != NULL)
2742 {
2743 ret = gnutls_pubkey_import_x509_crq (pubkey, crq, 0);
2744 if (ret < 0)
2745 error (EXIT_FAILURE, 0, "pubkey_import_x509_crq: %s",
2746 gnutls_strerror (ret));
2747 }
2748 else
2749 {
2750 privkey = load_private_key (0, cinfo);
2751
2752 if (privkey != NULL)
2753 {
2754 ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0);
2755 if (ret < 0)
2756 error (EXIT_FAILURE, 0, "pubkey_import_privkey: %s",
2757 gnutls_strerror (ret));
2758 }
2759 else
2760 {
2761 gnutls_pubkey_deinit(pubkey);
2762 pubkey = load_pubkey (1, cinfo);
2763 }
2764 }
2765
2766 if (outcert_format == GNUTLS_X509_FMT_DER)
2767 {
2768 size = buffer_size;
2769 ret = gnutls_pubkey_export (pubkey, outcert_format, buffer, &size);
2770 if (ret < 0)
2771 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
2772
2773 fwrite (buffer, 1, size, outfile);
2774
2775 gnutls_pubkey_deinit (pubkey);
2776
2777 return;
2778 }
2779
2780 /* PEM */
2781
2782 _pubkey_info(outfile, full_format, pubkey);
2783 gnutls_pubkey_deinit (pubkey);
2784 }
Implementation of the SSL/TLS protocol