search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix KRB-FX-CF2 for enctypes with non-dense keyspaces
[heimdal.git] / lib / hx509 / hxtool.c
blob27c5e92126ccdfafc0988817fb75da0f9fc95954
1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35
36 #include <hxtool-commands.h>
37 #include <sl.h>
38 #include <rtbl.h>
39 #include <parse_time.h>
40
41 static hx509_context context;
42
43 static char *stat_file_string;
44 static int version_flag;
45 static int help_flag;
46
47 struct getargs args[] = {
48 { "statistic-file", 0, arg_string, &stat_file_string, NULL, NULL },
49 { "version", 0, arg_flag, &version_flag, NULL, NULL },
50 { "help", 0, arg_flag, &help_flag, NULL, NULL }
51 };
52 int num_args = sizeof(args) / sizeof(args[0]);
53
54 static void
55 usage(int code)
56 {
57 arg_printusage(args, num_args, NULL, "command");
58 printf("Use \"%s help\" to get more help\n", getprogname());
59 exit(code);
60 }
61
62 /*
63 *
64 */
65
66 static void
67 lock_strings(hx509_lock lock, getarg_strings *pass)
68 {
69 int i;
70 for (i = 0; i < pass->num_strings; i++) {
71 int ret = hx509_lock_command_string(lock, pass->strings[i]);
72 if (ret)
73 errx(1, "hx509_lock_command_string: %s: %d",
74 pass->strings[i], ret);
75 }
76 }
77
78 /*
79 *
80 */
81
82 static void
83 certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
84 hx509_lock lock, const getarg_strings *s)
85 {
86 int i, ret;
87
88 for (i = 0; i < s->num_strings; i++) {
89 ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
90 if (ret)
91 hx509_err(contextp, 1, ret,
92 "hx509_certs_append: %s %s", type, s->strings[i]);
93 }
94 }
95
96 /*
97 *
98 */
99
100 static void
101 parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
102 {
103 int ret;
104 if (str)
105 ret = der_parse_heim_oid (str, " .", oid);
106 else
107 ret = der_copy_oid(def, oid);
108 if (ret)
109 errx(1, "parse_oid failed for: %s", str ? str : "default oid");
110 }
111
112 /*
113 *
114 */
115
116 static void
117 peer_strings(hx509_context contextp,
118 hx509_peer_info *peer,
119 const getarg_strings *s)
120 {
121 AlgorithmIdentifier *val;
122 int ret, i;
123
124 ret = hx509_peer_info_alloc(contextp, peer);
125 if (ret)
126 hx509_err(contextp, 1, ret, "hx509_peer_info_alloc");
127
128 val = calloc(s->num_strings, sizeof(*val));
129 if (val == NULL)
130 err(1, "malloc");
131
132 for (i = 0; i < s->num_strings; i++)
133 parse_oid(s->strings[i], NULL, &val[i].algorithm);
134
135 ret = hx509_peer_info_set_cms_algs(contextp, *peer, val, s->num_strings);
136 if (ret)
137 hx509_err(contextp, 1, ret, "hx509_peer_info_set_cms_algs");
138
139 for (i = 0; i < s->num_strings; i++)
140 free_AlgorithmIdentifier(&val[i]);
141 free(val);
142 }
143
144 /*
145 *
146 */
147
148 struct pem_data {
149 heim_octet_string *os;
150 int detached_data;
151 };
152
153 static int
154 pem_reader(hx509_context contextp, const char *type,
155 const hx509_pem_header *headers,
156 const void *data , size_t length, void *ctx)
157 {
158 struct pem_data *p = (struct pem_data *)ctx;
159 const char *h;
160
161 p->os->data = malloc(length);
162 if (p->os->data == NULL)
163 return ENOMEM;
164 memcpy(p->os->data, data, length);
165 p->os->length = length;
166
167 h = hx509_pem_find_header(headers, "Content-disposition");
168 if (h && strcasecmp(h, "detached") == 0)
169 p->detached_data = 1;
170
171 return 0;
172 }
173
174 /*
175 *
176 */
177
178 int
179 cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
180 {
181 hx509_verify_ctx ctx = NULL;
182 heim_oid type;
183 heim_octet_string c, co, signeddata, *sd = NULL;
184 hx509_certs store = NULL;
185 hx509_certs signers = NULL;
186 hx509_certs anchors = NULL;
187 hx509_lock lock;
188 int ret, flags = 0;
189
190 size_t sz;
191 void *p = NULL;
192
193 if (opt->missing_revoke_flag)
194 hx509_context_set_missing_revoke(context, 1);
195
196 hx509_lock_init(context, &lock);
197 lock_strings(lock, &opt->pass_strings);
198
199 ret = hx509_verify_init_ctx(context, &ctx);
200 if (ret)
201 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
202
203 ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors);
204 if (ret)
205 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
206 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
207 if (ret)
208 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
209
210 certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
211 certs_strings(context, "store", store, lock, &opt->certificate_strings);
212
213 if (opt->pem_flag) {
214 struct pem_data pd;
215 FILE *f;
216
217 pd.os = &co;
218 pd.detached_data = 0;
219
220 f = fopen(argv[0], "r");
221 if (f == NULL)
222 err(1, "Failed to open file %s", argv[0]);
223
224 ret = hx509_pem_read(context, f, pem_reader, &pd);
225 fclose(f);
226 if (ret)
227 errx(1, "PEM reader failed: %d", ret);
228
229 if (pd.detached_data && opt->signed_content_string == NULL) {
230 char *r = strrchr(argv[0], '.');
231 if (r && strcasecmp(r, ".pem") == 0) {
232 char *s = strdup(argv[0]);
233 if (s == NULL)
234 errx(1, "malloc: out of memory");
235 s[r - argv[0]] = '\0';
236 ret = _hx509_map_file_os(s, &signeddata);
237 if (ret)
238 errx(1, "map_file: %s: %d", s, ret);
239 free(s);
240 sd = &signeddata;
241 }
242 }
243
244 } else {
245 ret = rk_undumpdata(argv[0], &p, &sz);
246 if (ret)
247 err(1, "map_file: %s: %d", argv[0], ret);
248
249 co.data = p;
250 co.length = sz;
251 }
252
253 if (opt->signed_content_string) {
254 ret = _hx509_map_file_os(opt->signed_content_string, &signeddata);
255 if (ret)
256 errx(1, "map_file: %s: %d", opt->signed_content_string, ret);
257 sd = &signeddata;
258 }
259
260 if (opt->content_info_flag) {
261 heim_octet_string uwco;
262 heim_oid oid;
263
264 ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
265 if (ret)
266 errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
267
268 if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_signedData) != 0)
269 errx(1, "Content is not SignedData");
270 der_free_oid(&oid);
271
272 if (p == NULL)
273 der_free_octet_string(&co);
274 else {
275 rk_xfree(p);
276 p = NULL;
277 }
278 co = uwco;
279 }
280
281 hx509_verify_attach_anchors(ctx, anchors);
282
283 if (!opt->signer_allowed_flag)
284 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
285 if (opt->allow_wrong_oid_flag)
286 flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
287
288 ret = hx509_cms_verify_signed(context, ctx, flags, co.data, co.length, sd,
289 store, &type, &c, &signers);
290 if (p != co.data)
291 der_free_octet_string(&co);
292 else
293 rk_xfree(p);
294 if (ret)
295 hx509_err(context, 1, ret, "hx509_cms_verify_signed");
296
297 {
298 char *str;
299 der_print_heim_oid(&type, '.', &str);
300 printf("type: %s\n", str);
301 free(str);
302 der_free_oid(&type);
303 }
304 if (signers == NULL) {
305 printf("unsigned\n");
306 } else {
307 printf("signers:\n");
308 hx509_certs_iter_f(context, signers, hx509_ci_print_names, stdout);
309 }
310
311 hx509_verify_destroy_ctx(ctx);
312
313 hx509_certs_free(&store);
314 hx509_certs_free(&signers);
315 hx509_certs_free(&anchors);
316
317 hx509_lock_free(lock);
318
319 if (argc > 1) {
320 ret = _hx509_write_file(argv[1], c.data, c.length);
321 if (ret)
322 errx(1, "hx509_write_file: %d", ret);
323 }
324
325 der_free_octet_string(&c);
326
327 if (sd)
328 _hx509_unmap_file_os(sd);
329
330 return 0;
331 }
332
333 static int
334 print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
335 {
336 hx509_pem_header **header = ctx;
337 char *signer_name = NULL;
338 hx509_name name;
339 int ret;
340
341 ret = hx509_cert_get_subject(cert, &name);
342 if (ret)
343 errx(1, "hx509_cert_get_subject");
344
345 ret = hx509_name_to_string(name, &signer_name);
346 hx509_name_free(&name);
347 if (ret)
348 errx(1, "hx509_name_to_string");
349
350 hx509_pem_add_header(header, "Signer", signer_name);
351
352 free(signer_name);
353 return 0;
354 }
355
356 int
357 cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
358 {
359 heim_oid contentType;
360 hx509_peer_info peer = NULL;
361 heim_octet_string o;
362 hx509_query *q;
363 hx509_lock lock;
364 hx509_certs store, pool, anchors, signer = NULL;
365 size_t sz;
366 void *p;
367 int ret, flags = 0;
368 char *infile, *outfile = NULL;
369
370 memset(&contentType, 0, sizeof(contentType));
371
372 infile = argv[0];
373
374 if (argc < 2) {
375 ret = asprintf(&outfile, "%s.%s", infile,
376 opt->pem_flag ? "pem" : "cms-signeddata");
377 if (ret == -1 || outfile == NULL)
378 errx(1, "out of memory");
379 } else
380 outfile = argv[1];
381
382 hx509_lock_init(context, &lock);
383 lock_strings(lock, &opt->pass_strings);
384
385 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
386 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
387 ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool);
388 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
389
390 certs_strings(context, "store", store, lock, &opt->certificate_strings);
391 certs_strings(context, "pool", pool, lock, &opt->pool_strings);
392
393 if (opt->anchors_strings.num_strings) {
394 ret = hx509_certs_init(context, "MEMORY:cert-anchors",
395 0, NULL, &anchors);
396 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
397 certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
398 } else
399 anchors = NULL;
400
401 if (opt->detached_signature_flag)
402 flags |= HX509_CMS_SIGNATURE_DETACHED;
403 if (opt->id_by_name_flag)
404 flags |= HX509_CMS_SIGNATURE_ID_NAME;
405 if (!opt->signer_flag) {
406 flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
407
408 }
409
410 if (opt->signer_flag) {
411 ret = hx509_query_alloc(context, &q);
412 if (ret)
413 errx(1, "hx509_query_alloc: %d", ret);
414
415 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
416 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
417
418 if (opt->signer_string)
419 hx509_query_match_friendly_name(q, opt->signer_string);
420
421 ret = hx509_certs_filter(context, store, q, &signer);
422 hx509_query_free(context, q);
423 if (ret)
424 hx509_err(context, 1, ret, "hx509_certs_find");
425 }
426 if (!opt->embedded_certs_flag)
427 flags |= HX509_CMS_SIGNATURE_NO_CERTS;
428 if (opt->embed_leaf_only_flag)
429 flags |= HX509_CMS_SIGNATURE_LEAF_ONLY;
430
431 ret = rk_undumpdata(infile, &p, &sz);
432 if (ret)
433 err(1, "map_file: %s: %d", infile, ret);
434
435 if (opt->peer_alg_strings.num_strings)
436 peer_strings(context, &peer, &opt->peer_alg_strings);
437
438 parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
439
440 ret = hx509_cms_create_signed(context,
441 flags,
442 &contentType,
443 p,
444 sz,
445 NULL,
446 signer,
447 peer,
448 anchors,
449 pool,
450 &o);
451 if (ret)
452 hx509_err(context, 1, ret, "hx509_cms_create_signed: %d", ret);
453
454 hx509_certs_free(&anchors);
455 hx509_certs_free(&pool);
456 hx509_certs_free(&store);
457 rk_xfree(p);
458 hx509_lock_free(lock);
459 hx509_peer_info_free(peer);
460 der_free_oid(&contentType);
461
462 if (opt->content_info_flag) {
463 heim_octet_string wo;
464
465 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &o, &wo);
466 if (ret)
467 errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
468
469 der_free_octet_string(&o);
470 o = wo;
471 }
472
473 if (opt->pem_flag) {
474 hx509_pem_header *header = NULL;
475 FILE *f;
476
477 hx509_pem_add_header(&header, "Content-disposition",
478 opt->detached_signature_flag ?
479 "detached" : "inline");
480 if (signer) {
481 ret = hx509_certs_iter_f(context, signer, print_signer, header);
482 if (ret)
483 hx509_err(context, 1, ret, "print signer");
484 }
485
486 f = fopen(outfile, "w");
487 if (f == NULL)
488 err(1, "open %s", outfile);
489
490 ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f,
491 o.data, o.length);
492 fclose(f);
493 hx509_pem_free_header(header);
494 if (ret)
495 errx(1, "hx509_pem_write: %d", ret);
496
497 } else {
498 ret = _hx509_write_file(outfile, o.data, o.length);
499 if (ret)
500 errx(1, "hx509_write_file: %d", ret);
501 }
502
503 hx509_certs_free(&signer);
504 free(o.data);
505
506 return 0;
507 }
508
509 int
510 cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv)
511 {
512 heim_oid contentType = { 0, NULL };
513 heim_octet_string o, co;
514 hx509_certs certs;
515 size_t sz;
516 void *p;
517 int ret;
518 hx509_lock lock;
519 int flags = 0;
520
521 hx509_lock_init(context, &lock);
522 lock_strings(lock, &opt->pass_strings);
523
524 ret = rk_undumpdata(argv[0], &p, &sz);
525 if (ret)
526 err(1, "map_file: %s: %d", argv[0], ret);
527
528 co.data = p;
529 co.length = sz;
530
531 if (opt->content_info_flag) {
532 heim_octet_string uwco;
533 heim_oid oid;
534
535 ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
536 if (ret)
537 errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
538
539 if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_envelopedData) != 0)
540 errx(1, "Content is not SignedData");
541 der_free_oid(&oid);
542
543 co = uwco;
544 }
545
546 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
547 if (ret)
548 errx(1, "hx509_certs_init: MEMORY: %d", ret);
549
550 certs_strings(context, "store", certs, lock, &opt->certificate_strings);
551
552 if (opt->allow_weak_crypto_flag)
553 flags |= HX509_CMS_UE_ALLOW_WEAK;
554
555 ret = hx509_cms_unenvelope(context, certs, flags, co.data, co.length,
556 NULL, 0, &contentType, &o);
557 if (co.data != p)
558 der_free_octet_string(&co);
559 if (ret)
560 hx509_err(context, 1, ret, "hx509_cms_unenvelope");
561
562 rk_xfree(p);
563 hx509_lock_free(lock);
564 hx509_certs_free(&certs);
565 der_free_oid(&contentType);
566
567 ret = _hx509_write_file(argv[1], o.data, o.length);
568 if (ret)
569 errx(1, "hx509_write_file: %d", ret);
570
571 der_free_octet_string(&o);
572
573 return 0;
574 }
575
576 int
577 cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv)
578 {
579 heim_oid contentType;
580 heim_octet_string o;
581 const heim_oid *enctype = NULL;
582 hx509_query *q;
583 hx509_certs certs;
584 hx509_cert cert;
585 int ret;
586 size_t sz;
587 void *p;
588 hx509_lock lock;
589 int flags = 0;
590
591 memset(&contentType, 0, sizeof(contentType));
592
593 hx509_lock_init(context, &lock);
594 lock_strings(lock, &opt->pass_strings);
595
596 ret = rk_undumpdata(argv[0], &p, &sz);
597 if (ret)
598 err(1, "map_file: %s: %d", argv[0], ret);
599
600 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
601 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
602
603 certs_strings(context, "store", certs, lock, &opt->certificate_strings);
604
605 if (opt->allow_weak_crypto_flag)
606 flags |= HX509_CMS_EV_ALLOW_WEAK;
607
608 if (opt->encryption_type_string) {
609 enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string);
610 if (enctype == NULL)
611 errx(1, "encryption type: %s no found",
612 opt->encryption_type_string);
613 }
614
615 ret = hx509_query_alloc(context, &q);
616 if (ret)
617 errx(1, "hx509_query_alloc: %d", ret);
618
619 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
620
621 ret = hx509_certs_find(context, certs, q, &cert);
622 hx509_query_free(context, q);
623 if (ret)
624 errx(1, "hx509_certs_find: %d", ret);
625
626 parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
627
628 ret = hx509_cms_envelope_1(context, flags, cert, p, sz, enctype,
629 &contentType, &o);
630 if (ret)
631 errx(1, "hx509_cms_envelope_1: %d", ret);
632
633 hx509_cert_free(cert);
634 hx509_certs_free(&certs);
635 rk_xfree(p);
636 der_free_oid(&contentType);
637
638 if (opt->content_info_flag) {
639 heim_octet_string wo;
640
641 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_envelopedData, &o, &wo);
642 if (ret)
643 errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
644
645 der_free_octet_string(&o);
646 o = wo;
647 }
648
649 hx509_lock_free(lock);
650
651 ret = _hx509_write_file(argv[1], o.data, o.length);
652 if (ret)
653 errx(1, "hx509_write_file: %d", ret);
654
655 der_free_octet_string(&o);
656
657 return 0;
658 }
659
660 static void
661 print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
662 {
663 const char *fn;
664 int ret;
665
666 fn = hx509_cert_get_friendly_name(cert);
667 if (fn)
668 printf(" friendly name: %s\n", fn);
669 printf(" private key: %s\n",
670 _hx509_cert_private_key(cert) ? "yes" : "no");
671
672 ret = hx509_print_cert(hxcontext, cert, NULL);
673 if (ret)
674 errx(1, "failed to print cert");
675
676 if (verbose) {
677 hx509_validate_ctx vctx;
678
679 hx509_validate_ctx_init(hxcontext, &vctx);
680 hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout);
681 hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE);
682 hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE);
683
684 hx509_validate_cert(hxcontext, vctx, cert);
685
686 hx509_validate_ctx_free(vctx);
687 }
688 }
689
690
691 struct print_s {
692 int counter;
693 int verbose;
694 };
695
696 static int
697 print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
698 {
699 struct print_s *s = ctx;
700
701 printf("cert: %d\n", s->counter++);
702 print_certificate(context, cert, s->verbose);
703
704 return 0;
705 }
706
707 int
708 pcert_print(struct print_options *opt, int argc, char **argv)
709 {
710 hx509_certs certs;
711 hx509_lock lock;
712 struct print_s s;
713
714 s.counter = 0;
715 s.verbose = opt->content_flag;
716
717 hx509_lock_init(context, &lock);
718 lock_strings(lock, &opt->pass_strings);
719
720 while(argc--) {
721 int ret;
722 ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
723 if (ret) {
724 if (opt->never_fail_flag) {
725 printf("ignoreing failure: %d\n", ret);
726 continue;
727 }
728 hx509_err(context, 1, ret, "hx509_certs_init");
729 }
730 if (opt->info_flag)
731 hx509_certs_info(context, certs, NULL, NULL);
732 hx509_certs_iter_f(context, certs, print_f, &s);
733 hx509_certs_free(&certs);
734 argv++;
735 }
736
737 hx509_lock_free(lock);
738
739 return 0;
740 }
741
742
743 static int
744 validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
745 {
746 hx509_validate_cert(hxcontext, ctx, c);
747 return 0;
748 }
749
750 int
751 pcert_validate(struct validate_options *opt, int argc, char **argv)
752 {
753 hx509_validate_ctx ctx;
754 hx509_certs certs;
755 hx509_lock lock;
756
757 hx509_lock_init(context, &lock);
758 lock_strings(lock, &opt->pass_strings);
759
760 hx509_validate_ctx_init(context, &ctx);
761 hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout);
762 hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
763
764 while(argc--) {
765 int ret;
766 ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
767 if (ret)
768 errx(1, "hx509_certs_init: %d", ret);
769 hx509_certs_iter_f(context, certs, validate_f, ctx);
770 hx509_certs_free(&certs);
771 argv++;
772 }
773 hx509_validate_ctx_free(ctx);
774
775 hx509_lock_free(lock);
776
777 return 0;
778 }
779
780 int
781 certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
782 {
783 hx509_certs certs;
784 hx509_lock inlock, outlock = NULL;
785 int ret;
786
787 hx509_lock_init(context, &inlock);
788 lock_strings(inlock, &opt->in_pass_strings);
789
790 if (opt->out_pass_string) {
791 hx509_lock_init(context, &outlock);
792 ret = hx509_lock_command_string(outlock, opt->out_pass_string);
793 if (ret)
794 errx(1, "hx509_lock_command_string: %s: %d",
795 opt->out_pass_string, ret);
796 }
797
798 ret = hx509_certs_init(context, argv[argc - 1],
799 HX509_CERTS_CREATE, inlock, &certs);
800 if (ret)
801 hx509_err(context, 1, ret, "hx509_certs_init");
802
803 while(argc-- > 1) {
804 int retx;
805 retx = hx509_certs_append(context, certs, inlock, argv[0]);
806 if (retx)
807 hx509_err(context, 1, retx, "hx509_certs_append");
808 argv++;
809 }
810
811 ret = hx509_certs_store(context, certs, 0, outlock);
812 if (ret)
813 hx509_err(context, 1, ret, "hx509_certs_store");
814
815 hx509_certs_free(&certs);
816 hx509_lock_free(inlock);
817 hx509_lock_free(outlock);
818
819 return 0;
820 }
821
822 struct verify {
823 hx509_verify_ctx ctx;
824 hx509_certs chain;
825 const char *hostname;
826 int errors;
827 int count;
828 };
829
830 static int
831 verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
832 {
833 struct verify *v = ctx;
834 int ret;
835
836 ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain);
837 if (ret) {
838 char *s = hx509_get_error_string(hxcontext, ret);
839 printf("verify_path: %s: %d\n", s, ret);
840 hx509_free_error_string(s);
841 v->errors++;
842 } else {
843 v->count++;
844 printf("path ok\n");
845 }
846
847 if (v->hostname) {
848 ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME,
849 v->hostname, NULL, 0);
850 if (ret) {
851 printf("verify_hostname: %d\n", ret);
852 v->errors++;
853 }
854 }
855
856 return 0;
857 }
858
859 int
860 pcert_verify(struct verify_options *opt, int argc, char **argv)
861 {
862 hx509_certs anchors, chain, certs;
863 hx509_revoke_ctx revoke_ctx;
864 hx509_verify_ctx ctx;
865 struct verify v;
866 int ret;
867
868 memset(&v, 0, sizeof(v));
869
870 if (opt->missing_revoke_flag)
871 hx509_context_set_missing_revoke(context, 1);
872
873 ret = hx509_verify_init_ctx(context, &ctx);
874 if (ret)
875 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
876 ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors);
877 if (ret)
878 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
879 ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain);
880 if (ret)
881 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
882 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
883 if (ret)
884 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
885
886 if (opt->allow_proxy_certificate_flag)
887 hx509_verify_set_proxy_certificate(ctx, 1);
888
889 if (opt->time_string) {
890 const char *p;
891 struct tm tm;
892 time_t t;
893
894 memset(&tm, 0, sizeof(tm));
895
896 p = strptime (opt->time_string, "%Y-%m-%d", &tm);
897 if (p == NULL)
898 errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d",
899 opt->time_string);
900
901 t = tm2time (tm, 0);
902
903 hx509_verify_set_time(ctx, t);
904 }
905
906 if (opt->hostname_string)
907 v.hostname = opt->hostname_string;
908 if (opt->max_depth_integer)
909 hx509_verify_set_max_depth(ctx, opt->max_depth_integer);
910
911 ret = hx509_revoke_init(context, &revoke_ctx);
912 if (ret)
913 errx(1, "hx509_revoke_init: %d", ret);
914
915 while(argc--) {
916 char *s = *argv++;
917
918 if (strncmp(s, "chain:", 6) == 0) {
919 s += 6;
920
921 ret = hx509_certs_append(context, chain, NULL, s);
922 if (ret)
923 hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
924
925 } else if (strncmp(s, "anchor:", 7) == 0) {
926 s += 7;
927
928 ret = hx509_certs_append(context, anchors, NULL, s);
929 if (ret)
930 hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
931
932 } else if (strncmp(s, "cert:", 5) == 0) {
933 s += 5;
934
935 ret = hx509_certs_append(context, certs, NULL, s);
936 if (ret)
937 hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d",
938 s, ret);
939
940 } else if (strncmp(s, "crl:", 4) == 0) {
941 s += 4;
942
943 ret = hx509_revoke_add_crl(context, revoke_ctx, s);
944 if (ret)
945 errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
946
947 } else if (strncmp(s, "ocsp:", 4) == 0) {
948 s += 5;
949
950 ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
951 if (ret)
952 errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
953
954 } else {
955 errx(1, "unknown option to verify: `%s'\n", s);
956 }
957 }
958
959 hx509_verify_attach_anchors(ctx, anchors);
960 hx509_verify_attach_revoke(ctx, revoke_ctx);
961
962 v.ctx = ctx;
963 v.chain = chain;
964
965 hx509_certs_iter_f(context, certs, verify_f, &v);
966
967 hx509_verify_destroy_ctx(ctx);
968
969 hx509_certs_free(&certs);
970 hx509_certs_free(&chain);
971 hx509_certs_free(&anchors);
972
973 hx509_revoke_free(&revoke_ctx);
974
975
976 if (v.count == 0) {
977 printf("no certs verify at all\n");
978 return 1;
979 }
980
981 if (v.errors) {
982 printf("failed verifing %d checks\n", v.errors);
983 return 1;
984 }
985
986 return 0;
987 }
988
989 int
990 query(struct query_options *opt, int argc, char **argv)
991 {
992 hx509_lock lock;
993 hx509_query *q;
994 hx509_certs certs;
995 hx509_cert c;
996 int ret;
997
998 ret = hx509_query_alloc(context, &q);
999 if (ret)
1000 errx(1, "hx509_query_alloc: %d", ret);
1001
1002 hx509_lock_init(context, &lock);
1003 lock_strings(lock, &opt->pass_strings);
1004
1005 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
1006 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1007
1008 while (argc > 0) {
1009
1010 ret = hx509_certs_append(context, certs, lock, argv[0]);
1011 if (ret)
1012 errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
1013
1014 argc--;
1015 argv++;
1016 }
1017
1018 if (opt->friendlyname_string)
1019 hx509_query_match_friendly_name(q, opt->friendlyname_string);
1020
1021 if (opt->eku_string) {
1022 heim_oid oid;
1023
1024 parse_oid(opt->eku_string, NULL, &oid);
1025
1026 ret = hx509_query_match_eku(q, &oid);
1027 if (ret)
1028 errx(1, "hx509_query_match_eku: %d", ret);
1029 der_free_oid(&oid);
1030 }
1031
1032 if (opt->private_key_flag)
1033 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1034
1035 if (opt->keyEncipherment_flag)
1036 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
1037
1038 if (opt->digitalSignature_flag)
1039 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
1040
1041 if (opt->expr_string)
1042 hx509_query_match_expr(context, q, opt->expr_string);
1043
1044 ret = hx509_certs_find(context, certs, q, &c);
1045 hx509_query_free(context, q);
1046 if (ret)
1047 printf("no match found (%d)\n", ret);
1048 else {
1049 printf("match found\n");
1050 if (opt->print_flag)
1051 print_certificate(context, c, 0);
1052 }
1053
1054 hx509_cert_free(c);
1055 hx509_certs_free(&certs);
1056
1057 hx509_lock_free(lock);
1058
1059 return ret;
1060 }
1061
1062 int
1063 ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
1064 {
1065 hx509_certs reqcerts, pool;
1066 heim_octet_string req, nonce_data, *nonce = &nonce_data;
1067 hx509_lock lock;
1068 int i, ret;
1069 char *file;
1070 const char *url = "/";
1071
1072 memset(&nonce, 0, sizeof(nonce));
1073
1074 hx509_lock_init(context, &lock);
1075 lock_strings(lock, &opt->pass_strings);
1076
1077 /* no nonce */
1078 if (!opt->nonce_flag)
1079 nonce = NULL;
1080
1081 if (opt->url_path_string)
1082 url = opt->url_path_string;
1083
1084 ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool);
1085 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1086
1087 certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings);
1088
1089 file = argv[0];
1090
1091 ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts);
1092 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1093
1094 for (i = 1; i < argc; i++) {
1095 ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
1096 if (ret)
1097 errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
1098 }
1099
1100 ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
1101 if (ret)
1102 errx(1, "hx509_ocsp_request: req: %d", ret);
1103
1104 {
1105 FILE *f;
1106
1107 f = fopen(file, "w");
1108 if (f == NULL)
1109 abort();
1110
1111 fprintf(f,
1112 "POST %s HTTP/1.0\r\n"
1113 "Content-Type: application/ocsp-request\r\n"
1114 "Content-Length: %ld\r\n"
1115 "\r\n",
1116 url,
1117 (unsigned long)req.length);
1118 fwrite(req.data, req.length, 1, f);
1119 fclose(f);
1120 }
1121
1122 if (nonce)
1123 der_free_octet_string(nonce);
1124
1125 hx509_certs_free(&reqcerts);
1126 hx509_certs_free(&pool);
1127
1128 return 0;
1129 }
1130
1131 int
1132 ocsp_print(struct ocsp_print_options *opt, int argc, char **argv)
1133 {
1134 hx509_revoke_ocsp_print(context, argv[0], stdout);
1135 return 0;
1136 }
1137
1138 int
1139 revoke_print(struct revoke_print_options *opt, int argc, char **argv)
1140 {
1141 hx509_revoke_ctx revoke_ctx;
1142 int ret;
1143
1144 ret = hx509_revoke_init(context, &revoke_ctx);
1145 if (ret)
1146 errx(1, "hx509_revoke_init: %d", ret);
1147
1148 while(argc--) {
1149 char *s = *argv++;
1150
1151 if (strncmp(s, "crl:", 4) == 0) {
1152 s += 4;
1153
1154 ret = hx509_revoke_add_crl(context, revoke_ctx, s);
1155 if (ret)
1156 errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
1157
1158 } else if (strncmp(s, "ocsp:", 4) == 0) {
1159 s += 5;
1160
1161 ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
1162 if (ret)
1163 errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
1164
1165 } else {
1166 errx(1, "unknown option to verify: `%s'\n", s);
1167 }
1168 }
1169
1170 ret = hx509_revoke_print(context, revoke_ctx, stdout);
1171 if (ret)
1172 warnx("hx509_revoke_print: %d", ret);
1173
1174 return ret;
1175 }
1176
1177 /*
1178 *
1179 */
1180
1181 static int
1182 verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
1183 {
1184 heim_octet_string *os = ctx;
1185 time_t expiration;
1186 int ret;
1187
1188 ret = hx509_ocsp_verify(context, 0, c, 0,
1189 os->data, os->length, &expiration);
1190 if (ret) {
1191 char *s = hx509_get_error_string(hxcontext, ret);
1192 printf("ocsp_verify: %s: %d\n", s, ret);
1193 hx509_free_error_string(s);
1194 } else
1195 printf("expire: %d\n", (int)expiration);
1196
1197 return ret;
1198 }
1199
1200
1201 int
1202 ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv)
1203 {
1204 hx509_lock lock;
1205 hx509_certs certs;
1206 int ret, i;
1207 heim_octet_string os;
1208
1209 hx509_lock_init(context, &lock);
1210
1211 if (opt->ocsp_file_string == NULL)
1212 errx(1, "no ocsp file given");
1213
1214 ret = _hx509_map_file_os(opt->ocsp_file_string, &os);
1215 if (ret)
1216 err(1, "map_file: %s: %d", argv[0], ret);
1217
1218 ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs);
1219 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1220
1221 for (i = 0; i < argc; i++) {
1222 ret = hx509_certs_append(context, certs, lock, argv[i]);
1223 if (ret)
1224 hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
1225 }
1226
1227 ret = hx509_certs_iter_f(context, certs, verify_o, &os);
1228
1229 hx509_certs_free(&certs);
1230 _hx509_unmap_file_os(&os);
1231 hx509_lock_free(lock);
1232
1233 return ret;
1234 }
1235
1236 static int
1237 read_private_key(const char *fn, hx509_private_key *key)
1238 {
1239 hx509_private_key *keys;
1240 hx509_certs certs;
1241 int ret;
1242
1243 *key = NULL;
1244
1245 ret = hx509_certs_init(context, fn, 0, NULL, &certs);
1246 if (ret)
1247 hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
1248
1249 ret = _hx509_certs_keys_get(context, certs, &keys);
1250 hx509_certs_free(&certs);
1251 if (ret)
1252 hx509_err(context, 1, ret, "hx509_certs_keys_get");
1253 if (keys[0] == NULL)
1254 errx(1, "no keys in key store: %s", fn);
1255
1256 *key = _hx509_private_key_ref(keys[0]);
1257 _hx509_certs_keys_free(context, keys);
1258
1259 return 0;
1260 }
1261
1262 static void
1263 get_key(const char *fn, const char *type, int optbits,
1264 hx509_private_key *signer)
1265 {
1266 int ret;
1267
1268 if (type) {
1269 BIGNUM *e;
1270 RSA *rsa;
1271 unsigned char *p0, *p;
1272 size_t len;
1273 int bits = 1024;
1274
1275 if (fn == NULL)
1276 errx(1, "no key argument, don't know here to store key");
1277
1278 if (strcasecmp(type, "rsa") != 0)
1279 errx(1, "can only handle rsa keys for now");
1280
1281 e = BN_new();
1282 BN_set_word(e, 0x10001);
1283
1284 if (optbits)
1285 bits = optbits;
1286
1287 rsa = RSA_new();
1288 if(rsa == NULL)
1289 errx(1, "RSA_new failed");
1290
1291 ret = RSA_generate_key_ex(rsa, bits, e, NULL);
1292 if(ret != 1)
1293 errx(1, "RSA_new failed");
1294
1295 BN_free(e);
1296
1297 len = i2d_RSAPrivateKey(rsa, NULL);
1298
1299 p0 = p = malloc(len);
1300 if (p == NULL)
1301 errx(1, "out of memory");
1302
1303 i2d_RSAPrivateKey(rsa, &p);
1304
1305 rk_dumpdata(fn, p0, len);
1306 memset(p0, 0, len);
1307 free(p0);
1308
1309 RSA_free(rsa);
1310
1311 } else if (fn == NULL)
1312 err(1, "no private key");
1313
1314 ret = read_private_key(fn, signer);
1315 if (ret)
1316 err(1, "read_private_key");
1317 }
1318
1319 int
1320 request_create(struct request_create_options *opt, int argc, char **argv)
1321 {
1322 heim_octet_string request;
1323 hx509_request req;
1324 int ret, i;
1325 hx509_private_key signer;
1326 SubjectPublicKeyInfo key;
1327 const char *outfile = argv[0];
1328
1329 memset(&key, 0, sizeof(key));
1330
1331 get_key(opt->key_string,
1332 opt->generate_key_string,
1333 opt->key_bits_integer,
1334 &signer);
1335
1336 hx509_request_init(context, &req);
1337
1338 if (opt->subject_string) {
1339 hx509_name name = NULL;
1340
1341 ret = hx509_parse_name(context, opt->subject_string, &name);
1342 if (ret)
1343 errx(1, "hx509_parse_name: %d\n", ret);
1344 hx509_request_set_name(context, req, name);
1345
1346 if (opt->verbose_flag) {
1347 char *s;
1348 hx509_name_to_string(name, &s);
1349 printf("%s\n", s);
1350 }
1351 hx509_name_free(&name);
1352 }
1353
1354 for (i = 0; i < opt->email_strings.num_strings; i++) {
1355 ret = _hx509_request_add_email(context, req,
1356 opt->email_strings.strings[i]);
1357 if (ret)
1358 hx509_err(context, 1, ret, "hx509_request_add_email");
1359 }
1360
1361 for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
1362 ret = _hx509_request_add_dns_name(context, req,
1363 opt->dnsname_strings.strings[i]);
1364 if (ret)
1365 hx509_err(context, 1, ret, "hx509_request_add_dns_name");
1366 }
1367
1368
1369 ret = hx509_private_key2SPKI(context, signer, &key);
1370 if (ret)
1371 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1372
1373 ret = hx509_request_set_SubjectPublicKeyInfo(context,
1374 req,
1375 &key);
1376 free_SubjectPublicKeyInfo(&key);
1377 if (ret)
1378 hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
1379
1380 ret = _hx509_request_to_pkcs10(context,
1381 req,
1382 signer,
1383 &request);
1384 if (ret)
1385 hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
1386
1387 hx509_private_key_free(&signer);
1388 hx509_request_free(&req);
1389
1390 if (ret == 0)
1391 rk_dumpdata(outfile, request.data, request.length);
1392 der_free_octet_string(&request);
1393
1394 return 0;
1395 }
1396
1397 int
1398 request_print(struct request_print_options *opt, int argc, char **argv)
1399 {
1400 int ret, i;
1401
1402 printf("request print\n");
1403
1404 for (i = 0; i < argc; i++) {
1405 hx509_request req;
1406
1407 ret = _hx509_request_parse(context, argv[i], &req);
1408 if (ret)
1409 hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
1410
1411 ret = _hx509_request_print(context, req, stdout);
1412 hx509_request_free(&req);
1413 if (ret)
1414 hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
1415 }
1416
1417 return 0;
1418 }
1419
1420 int
1421 info(void *opt, int argc, char **argv)
1422 {
1423
1424 ENGINE_add_conf_module();
1425
1426 {
1427 const RSA_METHOD *m = RSA_get_default_method();
1428 if (m != NULL)
1429 printf("rsa: %s\n", m->name);
1430 }
1431 {
1432 const DH_METHOD *m = DH_get_default_method();
1433 if (m != NULL)
1434 printf("dh: %s\n", m->name);
1435 }
1436 #ifdef HAVE_OPENSSL
1437 {
1438 printf("ecdsa: ECDSA_METHOD-not-export\n");
1439 }
1440 #else
1441 {
1442 printf("ecdsa: hcrypto null\n");
1443 }
1444 #endif
1445 {
1446 int ret = RAND_status();
1447 printf("rand: %s\n", ret == 1 ? "ok" : "not available");
1448 }
1449
1450 return 0;
1451 }
1452
1453 int
1454 random_data(void *opt, int argc, char **argv)
1455 {
1456 void *ptr;
1457 int len, ret;
1458
1459 len = parse_bytes(argv[0], "byte");
1460 if (len <= 0) {
1461 fprintf(stderr, "bad argument to random-data\n");
1462 return 1;
1463 }
1464
1465 ptr = malloc(len);
1466 if (ptr == NULL) {
1467 fprintf(stderr, "out of memory\n");
1468 return 1;
1469 }
1470
1471 ret = RAND_bytes(ptr, len);
1472 if (ret != 1) {
1473 free(ptr);
1474 fprintf(stderr, "did not get cryptographic strong random\n");
1475 return 1;
1476 }
1477
1478 fwrite(ptr, len, 1, stdout);
1479 fflush(stdout);
1480
1481 free(ptr);
1482
1483 return 0;
1484 }
1485
1486 int
1487 crypto_available(struct crypto_available_options *opt, int argc, char **argv)
1488 {
1489 AlgorithmIdentifier *val;
1490 unsigned int len, i;
1491 int ret, type = HX509_SELECT_ALL;
1492
1493 if (opt->type_string) {
1494 if (strcmp(opt->type_string, "all") == 0)
1495 type = HX509_SELECT_ALL;
1496 else if (strcmp(opt->type_string, "digest") == 0)
1497 type = HX509_SELECT_DIGEST;
1498 else if (strcmp(opt->type_string, "public-sig") == 0)
1499 type = HX509_SELECT_PUBLIC_SIG;
1500 else if (strcmp(opt->type_string, "secret") == 0)
1501 type = HX509_SELECT_SECRET_ENC;
1502 else
1503 errx(1, "unknown type: %s", opt->type_string);
1504 }
1505
1506 ret = hx509_crypto_available(context, type, NULL, &val, &len);
1507 if (ret)
1508 errx(1, "hx509_crypto_available");
1509
1510 for (i = 0; i < len; i++) {
1511 char *s;
1512 der_print_heim_oid (&val[i].algorithm, '.', &s);
1513 printf("%s\n", s);
1514 free(s);
1515 }
1516
1517 hx509_crypto_free_algs(val, len);
1518
1519 return 0;
1520 }
1521
1522 int
1523 crypto_select(struct crypto_select_options *opt, int argc, char **argv)
1524 {
1525 hx509_peer_info peer = NULL;
1526 AlgorithmIdentifier selected;
1527 int ret, type = HX509_SELECT_DIGEST;
1528 char *s;
1529
1530 if (opt->type_string) {
1531 if (strcmp(opt->type_string, "digest") == 0)
1532 type = HX509_SELECT_DIGEST;
1533 else if (strcmp(opt->type_string, "public-sig") == 0)
1534 type = HX509_SELECT_PUBLIC_SIG;
1535 else if (strcmp(opt->type_string, "secret") == 0)
1536 type = HX509_SELECT_SECRET_ENC;
1537 else
1538 errx(1, "unknown type: %s", opt->type_string);
1539 }
1540
1541 if (opt->peer_cmstype_strings.num_strings)
1542 peer_strings(context, &peer, &opt->peer_cmstype_strings);
1543
1544 ret = hx509_crypto_select(context, type, NULL, peer, &selected);
1545 if (ret)
1546 errx(1, "hx509_crypto_available");
1547
1548 der_print_heim_oid (&selected.algorithm, '.', &s);
1549 printf("%s\n", s);
1550 free(s);
1551 free_AlgorithmIdentifier(&selected);
1552
1553 hx509_peer_info_free(peer);
1554
1555 return 0;
1556 }
1557
1558 int
1559 hxtool_hex(struct hex_options *opt, int argc, char **argv)
1560 {
1561
1562 if (opt->decode_flag) {
1563 char buf[1024], buf2[1024], *p;
1564 ssize_t len;
1565
1566 while(fgets(buf, sizeof(buf), stdin) != NULL) {
1567 buf[strcspn(buf, "\r\n")] = '\0';
1568 p = buf;
1569 while(isspace(*(unsigned char *)p))
1570 p++;
1571 len = hex_decode(p, buf2, strlen(p));
1572 if (len < 0)
1573 errx(1, "hex_decode failed");
1574 if (fwrite(buf2, 1, len, stdout) != (size_t)len)
1575 errx(1, "fwrite failed");
1576 }
1577 } else {
1578 char buf[28], *p;
1579 ssize_t len;
1580
1581 while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) {
1582 len = hex_encode(buf, len, &p);
1583 if (len < 0)
1584 continue;
1585 fprintf(stdout, "%s\n", p);
1586 free(p);
1587 }
1588 }
1589 return 0;
1590 }
1591
1592 struct cert_type_opt {
1593 int pkinit;
1594 };
1595
1596
1597 static int
1598 https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1599 {
1600 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1601 }
1602
1603 static int
1604 https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1605 {
1606 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
1607 }
1608
1609 static int
1610 peap_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1611 {
1612 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1613 }
1614
1615 static int
1616 pkinit_kdc(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1617 {
1618 opt->pkinit++;
1619 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkkdcekuoid);
1620 }
1621
1622 static int
1623 pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1624 {
1625 int ret;
1626
1627 opt->pkinit++;
1628
1629 ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
1630 if (ret)
1631 return ret;
1632
1633 ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
1634 if (ret)
1635 return ret;
1636
1637 return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkinit_ms_eku);
1638 }
1639
1640 static int
1641 email_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1642 {
1643 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection);
1644 }
1645
1646 struct {
1647 const char *type;
1648 const char *desc;
1649 int (*eval)(hx509_context, hx509_ca_tbs, struct cert_type_opt *);
1650 } certtypes[] = {
1651 {
1652 "https-server",
1653 "Used for HTTPS server and many other TLS server certificate types",
1654 https_server
1655 },
1656 {
1657 "https-client",
1658 "Used for HTTPS client certificates",
1659 https_client
1660 },
1661 {
1662 "email-client",
1663 "Certificate will be use for email",
1664 email_client
1665 },
1666 {
1667 "pkinit-client",
1668 "Certificate used for Kerberos PK-INIT client certificates",
1669 pkinit_client
1670 },
1671 {
1672 "pkinit-kdc",
1673 "Certificates used for Kerberos PK-INIT KDC certificates",
1674 pkinit_kdc
1675 },
1676 {
1677 "peap-server",
1678 "Certificate used for Radius PEAP (Protected EAP)",
1679 peap_server
1680 }
1681 };
1682
1683 static void
1684 print_eval_types(FILE *out)
1685 {
1686 rtbl_t table;
1687 unsigned i;
1688
1689 table = rtbl_create();
1690 rtbl_add_column_by_id (table, 0, "Name", 0);
1691 rtbl_add_column_by_id (table, 1, "Description", 0);
1692
1693 for (i = 0; i < sizeof(certtypes)/sizeof(certtypes[0]); i++) {
1694 rtbl_add_column_entry_by_id(table, 0, certtypes[i].type);
1695 rtbl_add_column_entry_by_id(table, 1, certtypes[i].desc);
1696 }
1697
1698 rtbl_format (table, out);
1699 rtbl_destroy (table);
1700 }
1701
1702 static int
1703 eval_types(hx509_context contextp,
1704 hx509_ca_tbs tbs,
1705 const struct certificate_sign_options *opt)
1706 {
1707 struct cert_type_opt ctopt;
1708 int i;
1709 size_t j;
1710 int ret;
1711
1712 memset(&ctopt, 0, sizeof(ctopt));
1713
1714 for (i = 0; i < opt->type_strings.num_strings; i++) {
1715 const char *type = opt->type_strings.strings[i];
1716
1717 for (j = 0; j < sizeof(certtypes)/sizeof(certtypes[0]); j++) {
1718 if (strcasecmp(type, certtypes[j].type) == 0) {
1719 ret = (*certtypes[j].eval)(contextp, tbs, &ctopt);
1720 if (ret)
1721 hx509_err(contextp, 1, ret,
1722 "Failed to evaluate cert type %s", type);
1723 break;
1724 }
1725 }
1726 if (j >= sizeof(certtypes)/sizeof(certtypes[0])) {
1727 fprintf(stderr, "Unknown certificate type %s\n\n", type);
1728 fprintf(stderr, "Available types:\n");
1729 print_eval_types(stderr);
1730 exit(1);
1731 }
1732 }
1733
1734 for (i = 0; i < opt->pk_init_principal_strings.num_strings; i++) {
1735 const char *pk_init_princ = opt->pk_init_principal_strings.strings[i];
1736
1737 if (!ctopt.pkinit)
1738 errx(1, "pk-init principal given but no pk-init oid");
1739
1740 ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs, pk_init_princ);
1741 if (ret)
1742 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
1743 }
1744
1745 if (opt->ms_upn_string) {
1746 if (!ctopt.pkinit)
1747 errx(1, "MS upn given but no pk-init oid");
1748
1749 ret = hx509_ca_tbs_add_san_ms_upn(contextp, tbs, opt->ms_upn_string);
1750 if (ret)
1751 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
1752 }
1753
1754
1755 for (i = 0; i < opt->hostname_strings.num_strings; i++) {
1756 const char *hostname = opt->hostname_strings.strings[i];
1757
1758 ret = hx509_ca_tbs_add_san_hostname(contextp, tbs, hostname);
1759 if (ret)
1760 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1761 }
1762
1763 for (i = 0; i < opt->email_strings.num_strings; i++) {
1764 const char *email = opt->email_strings.strings[i];
1765
1766 ret = hx509_ca_tbs_add_san_rfc822name(contextp, tbs, email);
1767 if (ret)
1768 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1769
1770 ret = hx509_ca_tbs_add_eku(contextp, tbs,
1771 &asn1_oid_id_pkix_kp_emailProtection);
1772 if (ret)
1773 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_eku");
1774 }
1775
1776 if (opt->jid_string) {
1777 ret = hx509_ca_tbs_add_san_jid(contextp, tbs, opt->jid_string);
1778 if (ret)
1779 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_jid");
1780 }
1781
1782 return 0;
1783 }
1784
1785 int
1786 hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
1787 {
1788 int ret;
1789 hx509_ca_tbs tbs;
1790 hx509_cert signer = NULL, cert = NULL;
1791 hx509_private_key private_key = NULL;
1792 hx509_private_key cert_key = NULL;
1793 hx509_name subject = NULL;
1794 SubjectPublicKeyInfo spki;
1795 int delta = 0;
1796
1797 memset(&spki, 0, sizeof(spki));
1798
1799 if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
1800 errx(1, "--ca-certificate argument missing (not using --self-signed)");
1801 if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag)
1802 errx(1, "--ca-private-key argument missing (using --self-signed)");
1803 if (opt->certificate_string == NULL)
1804 errx(1, "--certificate argument missing");
1805
1806 if (opt->template_certificate_string) {
1807 if (opt->template_fields_string == NULL)
1808 errx(1, "--template-certificate not no --template-fields");
1809 }
1810
1811 if (opt->lifetime_string) {
1812 delta = parse_time(opt->lifetime_string, "day");
1813 if (delta < 0)
1814 errx(1, "Invalid lifetime: %s", opt->lifetime_string);
1815 }
1816
1817 if (opt->ca_certificate_string) {
1818 hx509_certs cacerts = NULL;
1819 hx509_query *q;
1820
1821 ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
1822 NULL, &cacerts);
1823 if (ret)
1824 hx509_err(context, 1, ret,
1825 "hx509_certs_init: %s", opt->ca_certificate_string);
1826
1827 ret = hx509_query_alloc(context, &q);
1828 if (ret)
1829 errx(1, "hx509_query_alloc: %d", ret);
1830
1831 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1832 if (!opt->issue_proxy_flag)
1833 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
1834
1835 ret = hx509_certs_find(context, cacerts, q, &signer);
1836 hx509_query_free(context, q);
1837 hx509_certs_free(&cacerts);
1838 if (ret)
1839 hx509_err(context, 1, ret, "no CA certificate found");
1840 } else if (opt->self_signed_flag) {
1841 if (opt->generate_key_string == NULL
1842 && opt->ca_private_key_string == NULL)
1843 errx(1, "no signing private key");
1844
1845 if (opt->req_string)
1846 errx(1, "can't be self-signing and have a request at the same time");
1847 } else
1848 errx(1, "missing ca key");
1849
1850 if (opt->ca_private_key_string) {
1851
1852 ret = read_private_key(opt->ca_private_key_string, &private_key);
1853 if (ret)
1854 err(1, "read_private_key");
1855
1856 ret = hx509_private_key2SPKI(context, private_key, &spki);
1857 if (ret)
1858 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1859
1860 if (opt->self_signed_flag)
1861 cert_key = private_key;
1862 }
1863
1864 if (opt->req_string) {
1865 hx509_request req;
1866
1867 ret = _hx509_request_parse(context, opt->req_string, &req);
1868 if (ret)
1869 hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
1870 ret = hx509_request_get_name(context, req, &subject);
1871 if (ret)
1872 hx509_err(context, 1, ret, "get name");
1873 ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
1874 if (ret)
1875 hx509_err(context, 1, ret, "get spki");
1876 hx509_request_free(&req);
1877 }
1878
1879 if (opt->generate_key_string) {
1880 struct hx509_generate_private_context *keyctx;
1881
1882 ret = _hx509_generate_private_key_init(context,
1883 &asn1_oid_id_pkcs1_rsaEncryption,
1884 &keyctx);
1885 if (ret)
1886 hx509_err(context, 1, ret, "generate private key");
1887
1888 if (opt->issue_ca_flag)
1889 _hx509_generate_private_key_is_ca(context, keyctx);
1890
1891 if (opt->key_bits_integer)
1892 _hx509_generate_private_key_bits(context, keyctx,
1893 opt->key_bits_integer);
1894
1895 ret = _hx509_generate_private_key(context, keyctx,
1896 &cert_key);
1897 _hx509_generate_private_key_free(&keyctx);
1898 if (ret)
1899 hx509_err(context, 1, ret, "generate private key");
1900
1901 ret = hx509_private_key2SPKI(context, cert_key, &spki);
1902 if (ret)
1903 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1904
1905 if (opt->self_signed_flag)
1906 private_key = cert_key;
1907 }
1908
1909 if (opt->certificate_private_key_string) {
1910 ret = read_private_key(opt->certificate_private_key_string, &cert_key);
1911 if (ret)
1912 err(1, "read_private_key for certificate");
1913 }
1914
1915 if (opt->subject_string) {
1916 if (subject)
1917 hx509_name_free(&subject);
1918 ret = hx509_parse_name(context, opt->subject_string, &subject);
1919 if (ret)
1920 hx509_err(context, 1, ret, "hx509_parse_name");
1921 }
1922
1923 /*
1924 *
1925 */
1926
1927 ret = hx509_ca_tbs_init(context, &tbs);
1928 if (ret)
1929 hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1930
1931 if (opt->signature_algorithm_string) {
1932 const AlgorithmIdentifier *sigalg;
1933 if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
1934 sigalg = hx509_signature_rsa_with_sha1();
1935 else if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha256") == 0)
1936 sigalg = hx509_signature_rsa_with_sha256();
1937 else
1938 errx(1, "unsupported sigature algorith");
1939 hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);
1940 }
1941
1942 if (opt->template_certificate_string) {
1943 hx509_cert template;
1944 hx509_certs tcerts;
1945 int flags;
1946
1947 ret = hx509_certs_init(context, opt->template_certificate_string, 0,
1948 NULL, &tcerts);
1949 if (ret)
1950 hx509_err(context, 1, ret,
1951 "hx509_certs_init: %s", opt->template_certificate_string);
1952
1953 ret = hx509_get_one_cert(context, tcerts, &template);
1954
1955 hx509_certs_free(&tcerts);
1956 if (ret)
1957 hx509_err(context, 1, ret, "no template certificate found");
1958
1959 flags = parse_units(opt->template_fields_string,
1960 hx509_ca_tbs_template_units(), "");
1961
1962 ret = hx509_ca_tbs_set_template(context, tbs, flags, template);
1963 if (ret)
1964 hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
1965
1966 hx509_cert_free(template);
1967 }
1968
1969 if (opt->serial_number_string) {
1970 heim_integer serialNumber;
1971
1972 ret = der_parse_hex_heim_integer(opt->serial_number_string,
1973 &serialNumber);
1974 if (ret)
1975 err(1, "der_parse_hex_heim_integer");
1976 ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber);
1977 if (ret)
1978 hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1979 der_free_heim_integer(&serialNumber);
1980 }
1981
1982 if (spki.subjectPublicKey.length) {
1983 ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
1984 if (ret)
1985 hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki");
1986 }
1987
1988 if (subject) {
1989 ret = hx509_ca_tbs_set_subject(context, tbs, subject);
1990 if (ret)
1991 hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject");
1992 }
1993
1994 if (opt->crl_uri_string) {
1995 ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs,
1996 opt->crl_uri_string, NULL);
1997 if (ret)
1998 hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri");
1999 }
2000
2001 eval_types(context, tbs, opt);
2002
2003 if (opt->issue_ca_flag) {
2004 ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
2005 if (ret)
2006 hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca");
2007 }
2008 if (opt->issue_proxy_flag) {
2009 ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer);
2010 if (ret)
2011 hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy");
2012 }
2013 if (opt->domain_controller_flag) {
2014 hx509_ca_tbs_set_domaincontroller(context, tbs);
2015 if (ret)
2016 hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller");
2017 }
2018
2019 if (delta) {
2020 ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);
2021 if (ret)
2022 hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
2023 }
2024
2025 if (opt->self_signed_flag) {
2026 ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
2027 if (ret)
2028 hx509_err(context, 1, ret, "hx509_ca_sign_self");
2029 } else {
2030 ret = hx509_ca_sign(context, tbs, signer, &cert);
2031 if (ret)
2032 hx509_err(context, 1, ret, "hx509_ca_sign");
2033 }
2034
2035 if (cert_key) {
2036 ret = _hx509_cert_assign_key(cert, cert_key);
2037 if (ret)
2038 hx509_err(context, 1, ret, "_hx509_cert_assign_key");
2039 }
2040
2041 {
2042 hx509_certs certs;
2043
2044 ret = hx509_certs_init(context, opt->certificate_string,
2045 HX509_CERTS_CREATE, NULL, &certs);
2046 if (ret)
2047 hx509_err(context, 1, ret, "hx509_certs_init");
2048
2049 ret = hx509_certs_add(context, certs, cert);
2050 if (ret)
2051 hx509_err(context, 1, ret, "hx509_certs_add");
2052
2053 ret = hx509_certs_store(context, certs, 0, NULL);
2054 if (ret)
2055 hx509_err(context, 1, ret, "hx509_certs_store");
2056
2057 hx509_certs_free(&certs);
2058 }
2059
2060 if (subject)
2061 hx509_name_free(&subject);
2062 if (signer)
2063 hx509_cert_free(signer);
2064 hx509_cert_free(cert);
2065 free_SubjectPublicKeyInfo(&spki);
2066
2067 if (private_key != cert_key)
2068 hx509_private_key_free(&private_key);
2069 hx509_private_key_free(&cert_key);
2070
2071 hx509_ca_tbs_free(&tbs);
2072
2073 return 0;
2074 }
2075
2076 static int
2077 test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
2078 {
2079 heim_octet_string sd, c;
2080 hx509_verify_ctx vctx = ctx;
2081 hx509_certs signer = NULL;
2082 heim_oid type;
2083 int ret;
2084
2085 if (_hx509_cert_private_key(cert) == NULL)
2086 return 0;
2087
2088 ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0,
2089 NULL, cert, NULL, NULL, NULL, &sd);
2090 if (ret)
2091 errx(1, "hx509_cms_create_signed_1");
2092
2093 ret = hx509_cms_verify_signed(context, vctx, 0, sd.data, sd.length,
2094 NULL, NULL, &type, &c, &signer);
2095 free(sd.data);
2096 if (ret)
2097 hx509_err(context, 1, ret, "hx509_cms_verify_signed");
2098
2099 printf("create-signature verify-sigature done\n");
2100
2101 free(c.data);
2102
2103 return 0;
2104 }
2105
2106 int
2107 test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
2108 {
2109 hx509_verify_ctx vctx;
2110 hx509_certs certs;
2111 hx509_lock lock;
2112 int i, ret;
2113
2114 hx509_lock_init(context, &lock);
2115 lock_strings(lock, &opt->pass_strings);
2116
2117 ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs);
2118 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
2119
2120 for (i = 0; i < argc; i++) {
2121 ret = hx509_certs_append(context, certs, lock, argv[i]);
2122 if (ret)
2123 hx509_err(context, 1, ret, "hx509_certs_append");
2124 }
2125
2126 ret = hx509_verify_init_ctx(context, &vctx);
2127 if (ret)
2128 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
2129
2130 hx509_verify_attach_anchors(vctx, certs);
2131
2132 ret = hx509_certs_iter_f(context, certs, test_one_cert, vctx);
2133 if (ret)
2134 hx509_err(context, 1, ret, "hx509_cert_iter");
2135
2136 hx509_certs_free(&certs);
2137
2138 return 0;
2139 }
2140
2141 int
2142 statistic_print(struct statistic_print_options*opt, int argc, char **argv)
2143 {
2144 int type = 0;
2145
2146 if (stat_file_string == NULL)
2147 errx(1, "no stat file");
2148
2149 if (opt->type_integer)
2150 type = opt->type_integer;
2151
2152 hx509_query_unparse_stats(context, type, stdout);
2153 return 0;
2154 }
2155
2156 /*
2157 *
2158 */
2159
2160 int
2161 crl_sign(struct crl_sign_options *opt, int argc, char **argv)
2162 {
2163 hx509_crl crl;
2164 heim_octet_string os;
2165 hx509_cert signer = NULL;
2166 hx509_lock lock;
2167 int ret;
2168
2169 hx509_lock_init(context, &lock);
2170 lock_strings(lock, &opt->pass_strings);
2171
2172 ret = hx509_crl_alloc(context, &crl);
2173 if (ret)
2174 errx(1, "crl alloc");
2175
2176 if (opt->signer_string == NULL)
2177 errx(1, "signer missing");
2178
2179 {
2180 hx509_certs certs = NULL;
2181 hx509_query *q;
2182
2183 ret = hx509_certs_init(context, opt->signer_string, 0,
2184 NULL, &certs);
2185 if (ret)
2186 hx509_err(context, 1, ret,
2187 "hx509_certs_init: %s", opt->signer_string);
2188
2189 ret = hx509_query_alloc(context, &q);
2190 if (ret)
2191 hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret);
2192
2193 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
2194
2195 ret = hx509_certs_find(context, certs, q, &signer);
2196 hx509_query_free(context, q);
2197 hx509_certs_free(&certs);
2198 if (ret)
2199 hx509_err(context, 1, ret, "no signer certificate found");
2200 }
2201
2202 if (opt->lifetime_string) {
2203 int delta;
2204
2205 delta = parse_time(opt->lifetime_string, "day");
2206 if (delta < 0)
2207 errx(1, "Invalid lifetime: %s", opt->lifetime_string);
2208
2209 hx509_crl_lifetime(context, crl, delta);
2210 }
2211
2212 {
2213 hx509_certs revoked = NULL;
2214 int i;
2215
2216 ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0,
2217 NULL, &revoked);
2218 if (ret)
2219 hx509_err(context, 1, ret,
2220 "hx509_certs_init: MEMORY cert");
2221
2222 for (i = 0; i < argc; i++) {
2223 ret = hx509_certs_append(context, revoked, lock, argv[i]);
2224 if (ret)
2225 hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
2226 }
2227
2228 hx509_crl_add_revoked_certs(context, crl, revoked);
2229 hx509_certs_free(&revoked);
2230 }
2231
2232 hx509_crl_sign(context, signer, crl, &os);
2233
2234 if (opt->crl_file_string)
2235 rk_dumpdata(opt->crl_file_string, os.data, os.length);
2236
2237 free(os.data);
2238
2239 hx509_crl_free(context, &crl);
2240 hx509_cert_free(signer);
2241 hx509_lock_free(lock);
2242
2243 return 0;
2244 }
2245
2246 /*
2247 *
2248 */
2249
2250 int
2251 help(void *opt, int argc, char **argv)
2252 {
2253 sl_slc_help(commands, argc, argv);
2254 return 0;
2255 }
2256
2257 int
2258 main(int argc, char **argv)
2259 {
2260 int ret, optidx = 0;
2261
2262 setprogname (argv[0]);
2263
2264 if(getarg(args, num_args, argc, argv, &optidx))
2265 usage(1);
2266 if(help_flag)
2267 usage(0);
2268 if(version_flag) {
2269 print_version(NULL);
2270 exit(0);
2271 }
2272 argv += optidx;
2273 argc -= optidx;
2274
2275 if (argc == 0)
2276 usage(1);
2277
2278 ret = hx509_context_init(&context);
2279 if (ret)
2280 errx(1, "hx509_context_init failed with %d", ret);
2281
2282 if (stat_file_string)
2283 hx509_query_statistic_file(context, stat_file_string);
2284
2285 ret = sl_command(commands, argc, argv);
2286 if(ret == -1)
2287 warnx ("unrecognized command: %s", argv[0]);
2288
2289 hx509_context_free(&context);
2290
2291 return ret;
2292 }
Heimdal