search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix license.
[gnutls.git] / src / certtool-cfg.c
blob3921f66e51ec0a65a4a0dd24123893442fdd1ae6
1 /*
2 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
3 * Software Foundation, Inc.
4 *
5 * This file is part of GNUTLS.
6 *
7 * GNUTLS is free software: you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GNUTLS is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see
19 * <http://www.gnu.org/licenses/>.
20 *
21 * Written by Nikos Mavrogiannopoulos <nmav@gnutls.org>.
22 */
23
24 #include <config.h>
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <certtool-cfg.h>
29 #include <cfg+.h>
30 #include <gnutls/x509.h>
31 #include <string.h>
32 #include <limits.h>
33 #include <inttypes.h>
34 #include <time.h>
35
36 /* for inet_pton */
37 #include <sys/types.h>
38 #include <sys/socket.h>
39 #include <arpa/inet.h>
40
41 /* Gnulib portability files. */
42 #include <getpass.h>
43 #include "readline.h"
44 #include "certtool-common.h"
45
46 extern int batch;
47
48 typedef struct _cfg_ctx
49 {
50 char *organization;
51 char *unit;
52 char *locality;
53 char *state;
54 char *cn;
55 char *uid;
56 char *challenge_password;
57 char *pkcs9_email;
58 char *country;
59 char **dns_name;
60 char **ip_addr;
61 char **email;
62 char **dn_oid;
63 char *crl_dist_points;
64 char *password;
65 char *pkcs12_key_name;
66 int serial;
67 int expiration_days;
68 int ca;
69 int path_len;
70 int tls_www_client;
71 int tls_www_server;
72 int signing_key;
73 int encryption_key;
74 int cert_sign_key;
75 int crl_sign_key;
76 int code_sign_key;
77 int ocsp_sign_key;
78 int time_stamping_key;
79 char **key_purpose_oids;
80 int crl_next_update;
81 int crl_number;
82 int crq_extensions;
83 char *proxy_policy_language;
84 } cfg_ctx;
85
86 cfg_ctx cfg;
87
88 void
89 cfg_init (void)
90 {
91 memset (&cfg, 0, sizeof (cfg));
92 cfg.path_len = -1;
93 cfg.serial = -1;
94 }
95
96 int
97 template_parse (const char *template)
98 {
99 /* libcfg+ parsing context */
100 CFG_CONTEXT con;
101
102 /* Parsing return code */
103 register int ret;
104
105 /* Option variables */
106
107 /* Option set */
108 struct cfg_option options[] = {
109 {NULL, '\0', "organization", CFG_STR, (void *) &cfg.organization,
110 0},
111 {NULL, '\0', "unit", CFG_STR, (void *) &cfg.unit, 0},
112 {NULL, '\0', "locality", CFG_STR, (void *) &cfg.locality, 0},
113 {NULL, '\0', "state", CFG_STR, (void *) &cfg.state, 0},
114 {NULL, '\0', "cn", CFG_STR, (void *) &cfg.cn, 0},
115 {NULL, '\0', "uid", CFG_STR, (void *) &cfg.uid, 0},
116 {NULL, '\0', "challenge_password", CFG_STR,
117 (void *) &cfg.challenge_password, 0},
118 {NULL, '\0', "password", CFG_STR, (void *) &cfg.password, 0},
119 {NULL, '\0', "pkcs9_email", CFG_STR, (void *) &cfg.pkcs9_email, 0},
120 {NULL, '\0', "country", CFG_STR, (void *) &cfg.country, 0},
121 {NULL, '\0', "dns_name", CFG_STR | CFG_MULTI_ARRAY,
122 (void *) &cfg.dns_name, 0},
123 {NULL, '\0', "ip_address", CFG_STR | CFG_MULTI_ARRAY,
124 (void *) &cfg.ip_addr, 0},
125 {NULL, '\0', "email", CFG_STR | CFG_MULTI_ARRAY, (void *) &cfg.email, 0},
126
127 {NULL, '\0', "dn_oid", CFG_STR + CFG_MULTI_SEPARATED,
128 (void *) &cfg.dn_oid, 0},
129 {NULL, '\0', "key_purpose_oids", CFG_STR + CFG_MULTI_SEPARATED,
130 (void *) &cfg.key_purpose_oids, 0},
131
132 {NULL, '\0', "crl_dist_points", CFG_STR,
133 (void *) &cfg.crl_dist_points, 0},
134 {NULL, '\0', "pkcs12_key_name", CFG_STR,
135 (void *) &cfg.pkcs12_key_name, 0},
136
137 {NULL, '\0', "serial", CFG_INT, (void *) &cfg.serial, 0},
138 {NULL, '\0', "expiration_days", CFG_INT,
139 (void *) &cfg.expiration_days, 0},
140
141 {NULL, '\0', "crl_next_update", CFG_INT,
142 (void *) &cfg.crl_next_update, 0},
143
144 {NULL, '\0', "crl_number", CFG_INT,
145 (void *) &cfg.crl_number, 0},
146
147 {NULL, '\0', "ca", CFG_BOOL, (void *) &cfg.ca, 0},
148 {NULL, '\0', "honor_crq_extensions", CFG_BOOL,
149 (void *) &cfg.crq_extensions, 0},
150 {NULL, '\0', "path_len", CFG_INT, (void *) &cfg.path_len, 0},
151 {NULL, '\0', "tls_www_client", CFG_BOOL,
152 (void *) &cfg.tls_www_client, 0},
153 {NULL, '\0', "tls_www_server", CFG_BOOL,
154 (void *) &cfg.tls_www_server, 0},
155 {NULL, '\0', "signing_key", CFG_BOOL, (void *) &cfg.signing_key,
156 0},
157 {NULL, '\0', "encryption_key", CFG_BOOL,
158 (void *) &cfg.encryption_key, 0},
159 {NULL, '\0', "cert_signing_key", CFG_BOOL,
160 (void *) &cfg.cert_sign_key, 0},
161 {NULL, '\0', "crl_signing_key", CFG_BOOL,
162 (void *) &cfg.crl_sign_key, 0},
163 {NULL, '\0', "code_signing_key", CFG_BOOL,
164 (void *) &cfg.code_sign_key, 0},
165 {NULL, '\0', "ocsp_signing_key", CFG_BOOL,
166 (void *) &cfg.ocsp_sign_key, 0},
167 {NULL, '\0', "time_stamping_key", CFG_BOOL,
168 (void *) &cfg.time_stamping_key, 0},
169 {NULL, '\0', "proxy_policy_language", CFG_STR,
170 (void *) &cfg.proxy_policy_language, 0},
171 CFG_END_OF_LIST
172 };
173
174 /* Creating context */
175 con = cfg_get_context (options);
176 if (con == NULL)
177 {
178 puts ("Not enough memory");
179 exit (1);
180 }
181
182 cfg_set_cfgfile_context (con, 0, -1, (char *) template);
183
184 /* Parsing command line */
185 ret = cfg_parse (con);
186
187 if (ret != CFG_OK)
188 {
189 printf ("error parsing command line: %s: ", template);
190 cfg_fprint_error (con, stdout);
191 putchar ('\n');
192 exit (ret < 0 ? -ret : ret);
193 }
194
195 return 0;
196 }
197
198 void
199 read_crt_set (gnutls_x509_crt_t crt, const char *input_str, const char *oid)
200 {
201 char input[128];
202 int ret;
203
204 fputs (input_str, stderr);
205 if (fgets (input, sizeof (input), stdin) == NULL)
206 return;
207
208 if (strlen (input) == 1) /* only newline */
209 return;
210
211 ret =
212 gnutls_x509_crt_set_dn_by_oid (crt, oid, 0, input, strlen (input) - 1);
213 if (ret < 0)
214 {
215 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
216 exit (1);
217 }
218 }
219
220 void
221 read_crq_set (gnutls_x509_crq_t crq, const char *input_str, const char *oid)
222 {
223 char input[128];
224 int ret;
225
226 fputs (input_str, stderr);
227 if (fgets (input, sizeof (input), stdin) == NULL)
228 return;
229
230 if (strlen (input) == 1) /* only newline */
231 return;
232
233 ret =
234 gnutls_x509_crq_set_dn_by_oid (crq, oid, 0, input, strlen (input) - 1);
235 if (ret < 0)
236 {
237 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
238 exit (1);
239 }
240 }
241
242 /* The input_str should contain %d or %u to print the default.
243 */
244 static int
245 read_int_with_default (const char *input_str, int def)
246 {
247 char *in;
248 char *endptr;
249 long l;
250
251 printf (input_str, def);
252 in = readline ("");
253
254 l = strtol (in, &endptr, 0);
255
256 if (*endptr != '\0')
257 {
258 fprintf (stderr, "Trailing garbage ignored: `%s'\n", endptr);
259 free (in);
260 return 0;
261 }
262
263 if (l <= INT_MIN || l >= INT_MAX)
264 {
265 fprintf (stderr, "Integer out of range: `%s'\n", in);
266 free (in);
267 return 0;
268 }
269
270 if (in == endptr)
271 l = def;
272
273 free (in);
274
275 return (int) l;
276 }
277
278 int
279 read_int (const char *input_str)
280 {
281 return read_int_with_default (input_str, 0);
282 }
283
284 const char *
285 read_str (const char *input_str)
286 {
287 static char input[128];
288 int len;
289
290 fputs (input_str, stderr);
291 if (fgets (input, sizeof (input), stdin) == NULL)
292 return NULL;
293
294 len = strlen (input);
295 if ((len > 0) && (input[len - 1] == '\n'))
296 input[len - 1] = 0;
297 if (input[0] == 0)
298 return NULL;
299
300 return input;
301 }
302
303 /* Default is no
304 */
305 int
306 read_yesno (const char *input_str)
307 {
308 char input[128];
309
310 fputs (input_str, stderr);
311 if (fgets (input, sizeof (input), stdin) == NULL)
312 return 0;
313
314 if (strlen (input) == 1) /* only newline */
315 return 0;
316
317 if (input[0] == 'y' || input[0] == 'Y')
318 return 1;
319
320 return 0;
321 }
322
323
324 /* Wrapper functions for non-interactive mode.
325 */
326 const char *
327 get_pass (void)
328 {
329 if (batch)
330 return cfg.password;
331 else
332 return getpass ("Enter password: ");
333 }
334
335 const char *
336 get_confirmed_pass (bool empty_ok)
337 {
338 if (batch)
339 return cfg.password;
340 else
341 {
342 const char *pass = NULL;
343 char *copy = NULL;
344
345 do
346 {
347 if (pass)
348 printf ("Password missmatch, try again.\n");
349
350 free (copy);
351
352 pass = getpass ("Enter password: ");
353 copy = strdup (pass);
354 pass = getpass ("Confirm password: ");
355 }
356 while (strcmp (pass, copy) != 0 && !(empty_ok && *pass == '\0'));
357
358 free (copy);
359
360 return pass;
361 }
362 }
363
364 const char *
365 get_challenge_pass (void)
366 {
367 if (batch)
368 return cfg.challenge_password;
369 else
370 return getpass ("Enter a challenge password: ");
371 }
372
373 const char *
374 get_crl_dist_point_url (void)
375 {
376 if (batch)
377 return cfg.crl_dist_points;
378 else
379 return read_str ("Enter the URI of the CRL distribution point: ");
380 }
381
382 void
383 get_country_crt_set (gnutls_x509_crt_t crt)
384 {
385 int ret;
386
387 if (batch)
388 {
389 if (!cfg.country)
390 return;
391 ret =
392 gnutls_x509_crt_set_dn_by_oid (crt,
393 GNUTLS_OID_X520_COUNTRY_NAME, 0,
394 cfg.country, strlen (cfg.country));
395 if (ret < 0)
396 {
397 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
398 exit (1);
399 }
400 }
401 else
402 {
403 read_crt_set (crt, "Country name (2 chars): ",
404 GNUTLS_OID_X520_COUNTRY_NAME);
405 }
406
407 }
408
409 void
410 get_organization_crt_set (gnutls_x509_crt_t crt)
411 {
412 int ret;
413
414 if (batch)
415 {
416 if (!cfg.organization)
417 return;
418
419 ret =
420 gnutls_x509_crt_set_dn_by_oid (crt,
421 GNUTLS_OID_X520_ORGANIZATION_NAME,
422 0, cfg.organization,
423 strlen (cfg.organization));
424 if (ret < 0)
425 {
426 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
427 exit (1);
428 }
429 }
430 else
431 {
432 read_crt_set (crt, "Organization name: ",
433 GNUTLS_OID_X520_ORGANIZATION_NAME);
434 }
435
436 }
437
438 void
439 get_unit_crt_set (gnutls_x509_crt_t crt)
440 {
441 int ret;
442
443 if (batch)
444 {
445 if (!cfg.unit)
446 return;
447
448 ret =
449 gnutls_x509_crt_set_dn_by_oid (crt,
450 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
451 0, cfg.unit, strlen (cfg.unit));
452 if (ret < 0)
453 {
454 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
455 exit (1);
456 }
457 }
458 else
459 {
460 read_crt_set (crt, "Organizational unit name: ",
461 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
462 }
463
464 }
465
466 void
467 get_state_crt_set (gnutls_x509_crt_t crt)
468 {
469 int ret;
470
471 if (batch)
472 {
473 if (!cfg.state)
474 return;
475 ret =
476 gnutls_x509_crt_set_dn_by_oid (crt,
477 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
478 0, cfg.state, strlen (cfg.state));
479 if (ret < 0)
480 {
481 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
482 exit (1);
483 }
484 }
485 else
486 {
487 read_crt_set (crt, "State or province name: ",
488 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
489 }
490
491 }
492
493 void
494 get_locality_crt_set (gnutls_x509_crt_t crt)
495 {
496 int ret;
497
498 if (batch)
499 {
500 if (!cfg.locality)
501 return;
502 ret =
503 gnutls_x509_crt_set_dn_by_oid (crt,
504 GNUTLS_OID_X520_LOCALITY_NAME, 0,
505 cfg.locality, strlen (cfg.locality));
506 if (ret < 0)
507 {
508 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
509 exit (1);
510 }
511 }
512 else
513 {
514 read_crt_set (crt, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
515 }
516
517 }
518
519 void
520 get_cn_crt_set (gnutls_x509_crt_t crt)
521 {
522 int ret;
523
524 if (batch)
525 {
526 if (!cfg.cn)
527 return;
528 ret =
529 gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,
530 0, cfg.cn, strlen (cfg.cn));
531 if (ret < 0)
532 {
533 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
534 exit (1);
535 }
536 }
537 else
538 {
539 read_crt_set (crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
540 }
541
542 }
543
544 void
545 get_uid_crt_set (gnutls_x509_crt_t crt)
546 {
547 int ret;
548
549 if (batch)
550 {
551 if (!cfg.uid)
552 return;
553 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_UID, 0,
554 cfg.uid, strlen (cfg.uid));
555 if (ret < 0)
556 {
557 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
558 exit (1);
559 }
560 }
561 else
562 {
563 read_crt_set (crt, "UID: ", GNUTLS_OID_LDAP_UID);
564 }
565
566 }
567
568 void
569 get_oid_crt_set (gnutls_x509_crt_t crt)
570 {
571 int ret, i;
572
573 if (batch)
574 {
575 if (!cfg.dn_oid)
576 return;
577 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
578 {
579 if (cfg.dn_oid[i + 1] == NULL)
580 {
581 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
582 cfg.dn_oid[i]);
583 exit (1);
584 }
585 ret = gnutls_x509_crt_set_dn_by_oid (crt, cfg.dn_oid[i], 0,
586 cfg.dn_oid[i + 1],
587 strlen (cfg.dn_oid[i + 1]));
588
589 if (ret < 0)
590 {
591 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
592 exit (1);
593 }
594 }
595 }
596 }
597
598 void
599 get_key_purpose_set (gnutls_x509_crt_t crt)
600 {
601 int ret, i;
602
603 if (batch)
604 {
605 if (!cfg.key_purpose_oids)
606 return;
607 for (i = 0; cfg.key_purpose_oids[i] != NULL; i++)
608 {
609 ret =
610 gnutls_x509_crt_set_key_purpose_oid (crt, cfg.key_purpose_oids[i],
611 0);
612
613 if (ret < 0)
614 {
615 fprintf (stderr, "set_key_purpose_oid (%s): %s\n",
616 cfg.key_purpose_oids[i], gnutls_strerror (ret));
617 exit (1);
618 }
619 }
620 }
621
622 }
623
624
625 void
626 get_pkcs9_email_crt_set (gnutls_x509_crt_t crt)
627 {
628 int ret;
629
630 if (batch)
631 {
632 if (!cfg.pkcs9_email)
633 return;
634 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_PKCS9_EMAIL, 0,
635 cfg.pkcs9_email,
636 strlen (cfg.pkcs9_email));
637 if (ret < 0)
638 {
639 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
640 exit (1);
641 }
642 }
643 else
644 {
645 read_crt_set (crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL);
646 }
647
648 }
649
650 int
651 get_serial (void)
652 {
653 int default_serial = time (NULL);
654
655 if (batch)
656 {
657 if (cfg.serial < 0)
658 return default_serial;
659 return cfg.serial;
660 }
661 else
662 {
663 return read_int_with_default
664 ("Enter the certificate's serial number in decimal (default: %u): ",
665 default_serial);
666 }
667 }
668
669 int
670 get_days (void)
671 {
672 int days;
673
674 if (batch)
675 {
676 if (cfg.expiration_days <= 0)
677 return 365;
678 else
679 return cfg.expiration_days;
680 }
681 else
682 {
683 do
684 {
685 days = read_int ("The certificate will expire in (days): ");
686 }
687 while (days == 0);
688 return days;
689 }
690 }
691
692 int
693 get_ca_status (void)
694 {
695 if (batch)
696 {
697 return cfg.ca;
698 }
699 else
700 {
701 return
702 read_yesno ("Does the certificate belong to an authority? (y/N): ");
703 }
704 }
705
706 int
707 get_crq_extensions_status (void)
708 {
709 if (batch)
710 {
711 return cfg.crq_extensions;
712 }
713 else
714 {
715 return
716 read_yesno
717 ("Do you want to honour the extensions from the request? (y/N): ");
718 }
719 }
720
721 int
722 get_crl_number (void)
723 {
724 if (batch)
725 {
726 return cfg.crl_number;
727 }
728 else
729 {
730 return read_int_with_default ("CRL Number: ", 1);
731 }
732 }
733
734 int
735 get_path_len (void)
736 {
737 if (batch)
738 {
739 return cfg.path_len;
740 }
741 else
742 {
743 return read_int_with_default
744 ("Path length constraint (decimal, %d for no constraint): ", -1);
745 }
746 }
747
748 const char *
749 get_pkcs12_key_name (void)
750 {
751 const char *name;
752
753 if (batch)
754 {
755 if (!cfg.pkcs12_key_name)
756 return "Anonymous";
757 return cfg.pkcs12_key_name;
758 }
759 else
760 {
761 do
762 {
763 name = read_str ("Enter a name for the key: ");
764 }
765 while (name == NULL);
766 }
767 return name;
768 }
769
770 int
771 get_tls_client_status (void)
772 {
773 if (batch)
774 {
775 return cfg.tls_www_client;
776 }
777 else
778 {
779 return read_yesno ("Is this a TLS web client certificate? (y/N): ");
780 }
781 }
782
783 int
784 get_tls_server_status (void)
785 {
786 if (batch)
787 {
788 return cfg.tls_www_server;
789 }
790 else
791 {
792 return
793 read_yesno ("Is this also a TLS web server certificate? (y/N): ");
794 }
795 }
796
797 #include <sys/types.h>
798 #include <sys/socket.h>
799 #include <arpa/inet.h>
800
801 /* convert a printable IP to binary */
802 static int
803 string_to_ip (unsigned char *ip, const char *str)
804 {
805 int len = strlen (str);
806 int ret;
807
808 #if HAVE_IPV6
809 if (strchr (str, ':') != NULL || len > 16)
810 { /* IPv6 */
811 ret = inet_pton (AF_INET6, str, ip);
812 if (ret <= 0)
813 {
814 fprintf (stderr, "Error in IPv6 address %s\n", str);
815 exit (1);
816 }
817
818 /* To be done */
819 return 16;
820 }
821 else
822 #endif
823 { /* IPv4 */
824 ret = inet_pton (AF_INET, str, ip);
825 if (ret <= 0)
826 {
827 fprintf (stderr, "Error in IPv4 address %s\n", str);
828 exit (1);
829 }
830
831 return 4;
832 }
833
834 }
835
836 void
837 get_ip_addr_set (int type, void *crt)
838 {
839 int ret = 0, i;
840 unsigned char ip[16];
841 int len;
842
843 if (batch)
844 {
845 if (!cfg.ip_addr)
846 return;
847
848 for (i = 0; cfg.ip_addr[i] != NULL; i++)
849 {
850 len = string_to_ip (ip, cfg.ip_addr[i]);
851 if (len <= 0)
852 {
853 fprintf (stderr, "Error parsing address: %s\n", cfg.ip_addr[i]);
854 exit (1);
855 }
856
857 if (type == TYPE_CRT)
858 ret =
859 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
860 ip, len,
861 GNUTLS_FSAN_APPEND);
862 else
863 ret =
864 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
865 ip, len,
866 GNUTLS_FSAN_APPEND);
867
868 if (ret < 0)
869 break;
870 }
871 }
872 else
873 {
874 const char *p;
875
876 p =
877 read_str ("Enter the IP address of the subject of the certificate: ");
878 if (!p)
879 return;
880
881 len = string_to_ip (ip, p);
882 if (len <= 0)
883 {
884 fprintf (stderr, "Error parsing address: %s\n", p);
885 exit (1);
886 }
887
888 if (type == TYPE_CRT)
889 ret = gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
890 ip, len,
891 GNUTLS_FSAN_APPEND);
892 else
893 ret = gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
894 ip, len,
895 GNUTLS_FSAN_APPEND);
896 }
897
898 if (ret < 0)
899 {
900 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
901 exit (1);
902 }
903 }
904
905
906 void
907 get_email_set (int type, void *crt)
908 {
909 int ret = 0, i;
910
911 if (batch)
912 {
913 if (!cfg.email)
914 return;
915
916 for (i = 0; cfg.email[i] != NULL; i++)
917 {
918 if (type == TYPE_CRT)
919 ret =
920 gnutls_x509_crt_set_subject_alt_name (crt,
921 GNUTLS_SAN_RFC822NAME,
922 cfg.email[i],
923 strlen (cfg.email[i]),
924 GNUTLS_FSAN_APPEND);
925 else
926 ret =
927 gnutls_x509_crq_set_subject_alt_name (crt,
928 GNUTLS_SAN_RFC822NAME,
929 cfg.email[i],
930 strlen (cfg.email[i]),
931 GNUTLS_FSAN_APPEND);
932
933 if (ret < 0)
934 break;
935 }
936 }
937 else
938 {
939 const char *p;
940
941 p = read_str ("Enter the e-mail of the subject of the certificate: ");
942 if (!p)
943 return;
944
945 if (type == TYPE_CRT)
946 ret =
947 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
948 strlen (p),
949 GNUTLS_FSAN_APPEND);
950 else
951 ret =
952 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
953 strlen (p),
954 GNUTLS_FSAN_APPEND);
955 }
956
957 if (ret < 0)
958 {
959 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
960 exit (1);
961 }
962 }
963
964 void
965 get_dns_name_set (int type, void *crt)
966 {
967 int ret = 0, i;
968
969 if (batch)
970 {
971 if (!cfg.dns_name)
972 return;
973
974 for (i = 0; cfg.dns_name[i] != NULL; i++)
975 {
976 if (type == TYPE_CRT)
977 ret =
978 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
979 cfg.dns_name[i],
980 strlen (cfg.dns_name[i]),
981 GNUTLS_FSAN_APPEND);
982 else
983 ret =
984 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
985 cfg.dns_name[i],
986 strlen (cfg.dns_name[i]),
987 GNUTLS_FSAN_APPEND);
988
989 if (ret < 0)
990 break;
991 }
992 }
993 else
994 {
995 const char *p;
996
997 do
998 {
999 p =
1000 read_str ("Enter a dnsName of the subject of the certificate: ");
1001 if (!p)
1002 return;
1003
1004 if (type == TYPE_CRT)
1005 ret = gnutls_x509_crt_set_subject_alt_name
1006 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1007 else
1008 ret = gnutls_x509_crq_set_subject_alt_name
1009 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1010 }
1011 while (p);
1012 }
1013
1014 if (ret < 0)
1015 {
1016 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1017 exit (1);
1018 }
1019 }
1020
1021
1022 int
1023 get_sign_status (int server)
1024 {
1025 const char *msg;
1026
1027 if (batch)
1028 {
1029 return cfg.signing_key;
1030 }
1031 else
1032 {
1033 if (server)
1034 msg =
1035 "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): ";
1036 else
1037 msg =
1038 "Will the certificate be used for signing (required for TLS)? (y/N): ";
1039 return read_yesno (msg);
1040 }
1041 }
1042
1043 int
1044 get_encrypt_status (int server)
1045 {
1046 const char *msg;
1047
1048 if (batch)
1049 {
1050 return cfg.encryption_key;
1051 }
1052 else
1053 {
1054 if (server)
1055 msg =
1056 "Will the certificate be used for encryption (RSA ciphersuites)? (y/N): ";
1057 else
1058 msg =
1059 "Will the certificate be used for encryption (not required for TLS)? (y/N): ";
1060 return read_yesno (msg);
1061 }
1062 }
1063
1064 int
1065 get_cert_sign_status (void)
1066 {
1067 if (batch)
1068 {
1069 return cfg.cert_sign_key;
1070 }
1071 else
1072 {
1073 return
1074 read_yesno
1075 ("Will the certificate be used to sign other certificates? (y/N): ");
1076 }
1077 }
1078
1079 int
1080 get_crl_sign_status (void)
1081 {
1082 if (batch)
1083 {
1084 return cfg.crl_sign_key;
1085 }
1086 else
1087 {
1088 return
1089 read_yesno ("Will the certificate be used to sign CRLs? (y/N): ");
1090 }
1091 }
1092
1093 int
1094 get_code_sign_status (void)
1095 {
1096 if (batch)
1097 {
1098 return cfg.code_sign_key;
1099 }
1100 else
1101 {
1102 return
1103 read_yesno ("Will the certificate be used to sign code? (y/N): ");
1104 }
1105 }
1106
1107 int
1108 get_ocsp_sign_status (void)
1109 {
1110 if (batch)
1111 {
1112 return cfg.ocsp_sign_key;
1113 }
1114 else
1115 {
1116 return
1117 read_yesno
1118 ("Will the certificate be used to sign OCSP requests? (y/N): ");
1119 }
1120 }
1121
1122 int
1123 get_time_stamp_status (void)
1124 {
1125 if (batch)
1126 {
1127 return cfg.time_stamping_key;
1128 }
1129 else
1130 {
1131 return
1132 read_yesno
1133 ("Will the certificate be used for time stamping? (y/N): ");
1134 }
1135 }
1136
1137 int
1138 get_crl_next_update (void)
1139 {
1140 int days;
1141
1142 if (batch)
1143 {
1144 if (cfg.crl_next_update <= 0)
1145 return 365;
1146 else
1147 return cfg.crl_next_update;
1148 }
1149 else
1150 {
1151 do
1152 {
1153 days = read_int ("The next CRL will be issued in (days): ");
1154 }
1155 while (days == 0);
1156 return days;
1157 }
1158 }
1159
1160 const char *
1161 get_proxy_policy (char **policy, size_t * policylen)
1162 {
1163 const char *ret;
1164
1165 if (batch)
1166 {
1167 ret = cfg.proxy_policy_language;
1168 if (!ret)
1169 ret = "1.3.6.1.5.5.7.21.1";
1170 }
1171 else
1172 {
1173 do
1174 {
1175 ret = read_str ("Enter the OID of the proxy policy language: ");
1176 }
1177 while (ret == NULL);
1178 }
1179
1180 *policy = NULL;
1181 *policylen = 0;
1182
1183 if (strcmp (ret, "1.3.6.1.5.5.7.21.1") != 0 &&
1184 strcmp (ret, "1.3.6.1.5.5.7.21.2") != 0)
1185 {
1186 fprintf (stderr, "Reading non-standard proxy policy not supported.\n");
1187 }
1188
1189 return ret;
1190 }
1191
1192 /* CRQ stuff.
1193 */
1194 void
1195 get_country_crq_set (gnutls_x509_crq_t crq)
1196 {
1197 int ret;
1198
1199 if (batch)
1200 {
1201 if (!cfg.country)
1202 return;
1203 ret =
1204 gnutls_x509_crq_set_dn_by_oid (crq,
1205 GNUTLS_OID_X520_COUNTRY_NAME, 0,
1206 cfg.country, strlen (cfg.country));
1207 if (ret < 0)
1208 {
1209 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1210 exit (1);
1211 }
1212 }
1213 else
1214 {
1215 read_crq_set (crq, "Country name (2 chars): ",
1216 GNUTLS_OID_X520_COUNTRY_NAME);
1217 }
1218
1219 }
1220
1221 void
1222 get_organization_crq_set (gnutls_x509_crq_t crq)
1223 {
1224 int ret;
1225
1226 if (batch)
1227 {
1228 if (!cfg.organization)
1229 return;
1230
1231 ret =
1232 gnutls_x509_crq_set_dn_by_oid (crq,
1233 GNUTLS_OID_X520_ORGANIZATION_NAME,
1234 0, cfg.organization,
1235 strlen (cfg.organization));
1236 if (ret < 0)
1237 {
1238 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1239 exit (1);
1240 }
1241 }
1242 else
1243 {
1244 read_crq_set (crq, "Organization name: ",
1245 GNUTLS_OID_X520_ORGANIZATION_NAME);
1246 }
1247
1248 }
1249
1250 void
1251 get_unit_crq_set (gnutls_x509_crq_t crq)
1252 {
1253 int ret;
1254
1255 if (batch)
1256 {
1257 if (!cfg.unit)
1258 return;
1259
1260 ret =
1261 gnutls_x509_crq_set_dn_by_oid (crq,
1262 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
1263 0, cfg.unit, strlen (cfg.unit));
1264 if (ret < 0)
1265 {
1266 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1267 exit (1);
1268 }
1269 }
1270 else
1271 {
1272 read_crq_set (crq, "Organizational unit name: ",
1273 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
1274 }
1275
1276 }
1277
1278 void
1279 get_state_crq_set (gnutls_x509_crq_t crq)
1280 {
1281 int ret;
1282
1283 if (batch)
1284 {
1285 if (!cfg.state)
1286 return;
1287 ret =
1288 gnutls_x509_crq_set_dn_by_oid (crq,
1289 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
1290 0, cfg.state, strlen (cfg.state));
1291 if (ret < 0)
1292 {
1293 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1294 exit (1);
1295 }
1296 }
1297 else
1298 {
1299 read_crq_set (crq, "State or province name: ",
1300 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
1301 }
1302
1303 }
1304
1305 void
1306 get_locality_crq_set (gnutls_x509_crq_t crq)
1307 {
1308 int ret;
1309
1310 if (batch)
1311 {
1312 if (!cfg.locality)
1313 return;
1314 ret =
1315 gnutls_x509_crq_set_dn_by_oid (crq,
1316 GNUTLS_OID_X520_LOCALITY_NAME, 0,
1317 cfg.locality, strlen (cfg.locality));
1318 if (ret < 0)
1319 {
1320 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1321 exit (1);
1322 }
1323 }
1324 else
1325 {
1326 read_crq_set (crq, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
1327 }
1328
1329 }
1330
1331 void
1332 get_cn_crq_set (gnutls_x509_crq_t crq)
1333 {
1334 int ret;
1335
1336 if (batch)
1337 {
1338 if (!cfg.cn)
1339 return;
1340 ret =
1341 gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
1342 0, cfg.cn, strlen (cfg.cn));
1343 if (ret < 0)
1344 {
1345 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1346 exit (1);
1347 }
1348 }
1349 else
1350 {
1351 read_crq_set (crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
1352 }
1353
1354 }
1355
1356 void
1357 get_uid_crq_set (gnutls_x509_crq_t crq)
1358 {
1359 int ret;
1360
1361 if (batch)
1362 {
1363 if (!cfg.uid)
1364 return;
1365 ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_LDAP_UID, 0,
1366 cfg.uid, strlen (cfg.uid));
1367 if (ret < 0)
1368 {
1369 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1370 exit (1);
1371 }
1372 }
1373 else
1374 {
1375 read_crq_set (crq, "UID: ", GNUTLS_OID_LDAP_UID);
1376 }
1377
1378 }
1379
1380 void
1381 get_oid_crq_set (gnutls_x509_crq_t crq)
1382 {
1383 int ret, i;
1384
1385 if (batch)
1386 {
1387 if (!cfg.dn_oid)
1388 return;
1389 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
1390 {
1391 if (cfg.dn_oid[i + 1] == NULL)
1392 {
1393 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
1394 cfg.dn_oid[i]);
1395 exit (1);
1396 }
1397 ret = gnutls_x509_crq_set_dn_by_oid (crq, cfg.dn_oid[i], 0,
1398 cfg.dn_oid[i + 1],
1399 strlen (cfg.dn_oid[i + 1]));
1400
1401 if (ret < 0)
1402 {
1403 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
1404 exit (1);
1405 }
1406 }
1407 }
1408
1409 }
Implementation of the SSL/TLS protocol