search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
texinfo documentation is similar to the printed manual.
[gnutls.git] / src / certtool-cfg.c
blobd47ef764ef88237af4998884f4e278261e6f9539
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 *
20 * Written by Nikos Mavrogiannopoulos <nmav@gnutls.org>.
21 */
22
23 #include <config.h>
24
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <certtool-cfg.h>
28 #include <gnutls/x509.h>
29 #include <string.h>
30 #include <limits.h>
31 #include <inttypes.h>
32 #include <time.h>
33 #include <autoopts/options.h>
34
35 /* for inet_pton */
36 #include <sys/types.h>
37
38 #if HAVE_SYS_SOCKET_H
39 # include <sys/socket.h>
40 #elif HAVE_WS2TCPIP_H
41 # include <ws2tcpip.h>
42 #endif
43 #include <arpa/inet.h>
44
45 /* Gnulib portability files. */
46 #include <getpass.h>
47 #include "certtool-common.h"
48
49 extern int batch;
50
51 #define MAX_ENTRIES 16
52
53 typedef struct _cfg_ctx
54 {
55 char *organization;
56 char *unit;
57 char *locality;
58 char *state;
59 char *cn;
60 char *uid;
61 char *challenge_password;
62 char *pkcs9_email;
63 char *country;
64 char **dc;
65 char **dns_name;
66 char **ip_addr;
67 char **email;
68 char **dn_oid;
69 char *crl_dist_points;
70 char *password;
71 char *pkcs12_key_name;
72 int serial;
73 int expiration_days;
74 int ca;
75 int path_len;
76 int tls_www_client;
77 int tls_www_server;
78 int signing_key;
79 int encryption_key;
80 int cert_sign_key;
81 int crl_sign_key;
82 int code_sign_key;
83 int ocsp_sign_key;
84 int time_stamping_key;
85 int ipsec_ike_key;
86 char **key_purpose_oids;
87 int crl_next_update;
88 int crl_number;
89 int crq_extensions;
90 char *proxy_policy_language;
91 char **ocsp_uris;
92 char **ca_issuers_uris;
93 } cfg_ctx;
94
95 cfg_ctx cfg;
96
97 void
98 cfg_init (void)
99 {
100 memset (&cfg, 0, sizeof (cfg));
101 cfg.path_len = -1;
102 cfg.serial = -1;
103 }
104
105 #define READ_MULTI_LINE(name, s_name) \
106 val = optionGetValue(pov, name); \
107 if (val != NULL && val->valType == OPARG_TYPE_STRING) \
108 { \
109 if (s_name == NULL) { \
110 i = 0; \
111 s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
112 do { \
113 if (val && !strcmp(val->pzName, name)==0) \
114 continue; \
115 s_name[i] = strdup(val->v.strVal); \
116 i++; \
117 if (i>=MAX_ENTRIES) \
118 break; \
119 } while((val = optionNextValue(pov, val)) != NULL); \
120 s_name[i] = NULL; \
121 } \
122 }
123
124 #define READ_MULTI_LINE_TOKENIZED(name, s_name) \
125 val = optionGetValue(pov, name); \
126 if (val != NULL && val->valType == OPARG_TYPE_STRING) \
127 { \
128 char str[512]; \
129 char * p; \
130 if (s_name == NULL) { \
131 i = 0; \
132 s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
133 do { \
134 if (val && !strcmp(val->pzName, name)==0) \
135 continue; \
136 strncpy(str, val->v.strVal, sizeof(str)-1); \
137 str[sizeof(str)-1] = 0; \
138 if ((p=strchr(str, ' ')) == NULL && (p=strchr(str, '\t')) == NULL) { \
139 fprintf(stderr, "Error parsing %s\n", name); \
140 exit(1); \
141 } \
142 p[0] = 0; \
143 p++; \
144 s_name[i] = strdup(str); \
145 while(*p==' ' || *p == '\t') p++; \
146 if (p[0] == 0) { \
147 fprintf(stderr, "Error (2) parsing %s\n", name); \
148 exit(1); \
149 } \
150 s_name[i+1] = strdup(p); \
151 i+=2; \
152 if (i>=MAX_ENTRIES) \
153 break; \
154 } while((val = optionNextValue(pov, val)) != NULL); \
155 s_name[i] = NULL; \
156 } \
157 }
158
159 #define READ_BOOLEAN(name, s_name) \
160 val = optionGetValue(pov, name); \
161 if (val != NULL) \
162 { \
163 s_name = 1; \
164 }
165
166 #define READ_NUMERIC(name, s_name) \
167 val = optionGetValue(pov, name); \
168 if (val != NULL) \
169 { \
170 if (val->valType == OPARG_TYPE_NUMERIC) \
171 s_name = val->v.longVal; \
172 else if (val->valType == OPARG_TYPE_STRING) \
173 s_name = atoi(val->v.strVal); \
174 }
175
176 int
177 template_parse (const char *template)
178 {
179 /* Parsing return code */
180 int ret;
181 unsigned int i;
182 tOptionValue const * pov;
183 const tOptionValue* val;
184
185 pov = configFileLoad(template);
186 if (pov == NULL)
187 {
188 perror("configFileLoad");
189 fprintf(stderr, "Error loading template: %s\n", template);
190 exit(1);
191 }
192
193 /* Option variables */
194 val = optionGetValue(pov, "organization");
195 if (val != NULL && val->valType == OPARG_TYPE_STRING)
196 cfg.organization = strdup(val->v.strVal);
197
198 val = optionGetValue(pov, "unit");
199 if (val != NULL && val->valType == OPARG_TYPE_STRING)
200 cfg.unit = strdup(val->v.strVal);
201
202 val = optionGetValue(pov, "locality");
203 if (val != NULL && val->valType == OPARG_TYPE_STRING)
204 cfg.locality = strdup(val->v.strVal);
205
206 val = optionGetValue(pov, "state");
207 if (val != NULL && val->valType == OPARG_TYPE_STRING)
208 cfg.state = strdup(val->v.strVal);
209
210 val = optionGetValue(pov, "cn");
211 if (val != NULL && val->valType == OPARG_TYPE_STRING)
212 cfg.cn = strdup(val->v.strVal);
213
214 val = optionGetValue(pov, "uid");
215 if (val != NULL && val->valType == OPARG_TYPE_STRING)
216 cfg.uid = strdup(val->v.strVal);
217
218 val = optionGetValue(pov, "challenge_password");
219 if (val != NULL && val->valType == OPARG_TYPE_STRING)
220 cfg.challenge_password = strdup(val->v.strVal);
221
222 val = optionGetValue(pov, "password");
223 if (val != NULL && val->valType == OPARG_TYPE_STRING)
224 cfg.password = strdup(val->v.strVal);
225
226 val = optionGetValue(pov, "pkcs9_email");
227 if (val != NULL && val->valType == OPARG_TYPE_STRING)
228 cfg.pkcs9_email = strdup(val->v.strVal);
229
230 val = optionGetValue(pov, "country");
231 if (val != NULL && val->valType == OPARG_TYPE_STRING)
232 cfg.country = strdup(val->v.strVal);
233
234 READ_MULTI_LINE("dc", cfg.dc);
235 READ_MULTI_LINE("dns_name", cfg.dns_name);
236 READ_MULTI_LINE("ip_address", cfg.ip_addr);
237 READ_MULTI_LINE("email", cfg.email);
238 READ_MULTI_LINE("key_purpose_oid", cfg.key_purpose_oids);
239
240 READ_MULTI_LINE_TOKENIZED("dn_oid", cfg.dn_oid);
241
242 val = optionGetValue(pov, "crl_dist_points");
243 if (val != NULL && val->valType == OPARG_TYPE_STRING)
244 cfg.crl_dist_points = strdup(val->v.strVal);
245
246 val = optionGetValue(pov, "pkcs12_key_name");
247 if (val != NULL && val->valType == OPARG_TYPE_STRING)
248 cfg.pkcs12_key_name = strdup(val->v.strVal);
249
250
251 READ_NUMERIC("serial", cfg.serial);
252 READ_NUMERIC("expiration_days", cfg.expiration_days);
253 READ_NUMERIC("crl_next_update", cfg.crl_next_update);
254 READ_NUMERIC("crl_number", cfg.crl_number);
255
256 val = optionGetValue(pov, "proxy_policy_language");
257 if (val != NULL && val->valType == OPARG_TYPE_STRING)
258 cfg.proxy_policy_language = strdup(val->v.strVal);
259
260 READ_MULTI_LINE("ocsp_uri", cfg.ocsp_uris);
261 READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);
262
263 READ_BOOLEAN("ca", cfg.ca);
264 READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
265 READ_BOOLEAN("path_len", cfg.path_len);
266 READ_BOOLEAN("tls_www_client", cfg.tls_www_client);
267 READ_BOOLEAN("tls_www_server", cfg.tls_www_server);
268 READ_BOOLEAN("signing_key", cfg.signing_key);
269 READ_BOOLEAN("encryption_key", cfg.encryption_key);
270 READ_BOOLEAN("cert_signing_key", cfg.cert_sign_key);
271 READ_BOOLEAN("crl_signing_key", cfg.crl_sign_key);
272 READ_BOOLEAN("code_signing_key", cfg.code_sign_key);
273 READ_BOOLEAN("ocsp_signing_key", cfg.ocsp_sign_key);
274 READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
275 READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);
276
277 optionUnloadNested(pov);
278
279 return 0;
280 }
281
282 #define IS_NEWLINE(x) ((x[0] == '\n') || (x[0] == '\r'))
283
284 void
285 read_crt_set (gnutls_x509_crt_t crt, const char *input_str, const char *oid)
286 {
287 char input[128];
288 int ret;
289
290 fputs (input_str, stderr);
291 if (fgets (input, sizeof (input), stdin) == NULL)
292 return;
293
294 if (IS_NEWLINE(input))
295 return;
296
297 ret =
298 gnutls_x509_crt_set_dn_by_oid (crt, oid, 0, input, strlen (input) - 1);
299 if (ret < 0)
300 {
301 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
302 exit (1);
303 }
304 }
305
306 void
307 read_crq_set (gnutls_x509_crq_t crq, const char *input_str, const char *oid)
308 {
309 char input[128];
310 int ret;
311
312 fputs (input_str, stderr);
313 if (fgets (input, sizeof (input), stdin) == NULL)
314 return;
315
316 if (IS_NEWLINE(input))
317 return;
318
319 ret =
320 gnutls_x509_crq_set_dn_by_oid (crq, oid, 0, input, strlen (input) - 1);
321 if (ret < 0)
322 {
323 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
324 exit (1);
325 }
326 }
327
328 /* The input_str should contain %d or %u to print the default.
329 */
330 static int
331 read_int_with_default (const char *input_str, int def)
332 {
333 char *endptr;
334 long l, len;
335 static char input[128];
336
337 fprintf (stderr, input_str, def);
338 if (fgets (input, sizeof (input), stdin) == NULL)
339 return def;
340
341 if (IS_NEWLINE(input))
342 return def;
343
344 len = strlen (input);
345
346 l = strtol (input, &endptr, 0);
347
348 if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n')
349 {
350 fprintf (stderr, "Trailing garbage ignored: `%s'\n", endptr);
351 return 0;
352 }
353
354 if (l <= INT_MIN || l >= INT_MAX)
355 {
356 fprintf (stderr, "Integer out of range: `%s'\n", input);
357 return 0;
358 }
359
360 if (input == endptr)
361 l = def;
362
363 return (int) l;
364 }
365
366 int
367 read_int (const char *input_str)
368 {
369 return read_int_with_default (input_str, 0);
370 }
371
372 const char *
373 read_str (const char *input_str)
374 {
375 static char input[128];
376 int len;
377
378 fputs (input_str, stderr);
379 if (fgets (input, sizeof (input), stdin) == NULL)
380 return NULL;
381
382 if (IS_NEWLINE(input))
383 return NULL;
384
385 len = strlen (input);
386 if ((len > 0) && (input[len - 1] == '\n'))
387 input[len - 1] = 0;
388 if (input[0] == 0)
389 return NULL;
390
391 return input;
392 }
393
394 /* Default is no
395 */
396 int
397 read_yesno (const char *input_str)
398 {
399 char input[128];
400
401 fputs (input_str, stderr);
402 if (fgets (input, sizeof (input), stdin) == NULL)
403 return 0;
404
405 if (IS_NEWLINE(input))
406 return 0;
407
408 if (input[0] == 'y' || input[0] == 'Y')
409 return 1;
410
411 return 0;
412 }
413
414
415 /* Wrapper functions for non-interactive mode.
416 */
417 const char *
418 get_pass (void)
419 {
420 if (batch)
421 return cfg.password;
422 else
423 return getpass ("Enter password: ");
424 }
425
426 const char *
427 get_confirmed_pass (bool empty_ok)
428 {
429 if (batch)
430 return cfg.password;
431 else
432 {
433 const char *pass = NULL;
434 char *copy = NULL;
435
436 do
437 {
438 if (pass)
439 printf ("Password missmatch, try again.\n");
440
441 free (copy);
442
443 pass = getpass ("Enter password: ");
444 copy = strdup (pass);
445 pass = getpass ("Confirm password: ");
446 }
447 while (strcmp (pass, copy) != 0 && !(empty_ok && *pass == '\0'));
448
449 free (copy);
450
451 return pass;
452 }
453 }
454
455 const char *
456 get_challenge_pass (void)
457 {
458 if (batch)
459 return cfg.challenge_password;
460 else
461 return getpass ("Enter a challenge password: ");
462 }
463
464 const char *
465 get_crl_dist_point_url (void)
466 {
467 if (batch)
468 return cfg.crl_dist_points;
469 else
470 return read_str ("Enter the URI of the CRL distribution point: ");
471 }
472
473 void
474 get_country_crt_set (gnutls_x509_crt_t crt)
475 {
476 int ret;
477
478 if (batch)
479 {
480 if (!cfg.country)
481 return;
482 ret =
483 gnutls_x509_crt_set_dn_by_oid (crt,
484 GNUTLS_OID_X520_COUNTRY_NAME, 0,
485 cfg.country, strlen (cfg.country));
486 if (ret < 0)
487 {
488 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
489 exit (1);
490 }
491 }
492 else
493 {
494 read_crt_set (crt, "Country name (2 chars): ",
495 GNUTLS_OID_X520_COUNTRY_NAME);
496 }
497
498 }
499
500 void
501 get_organization_crt_set (gnutls_x509_crt_t crt)
502 {
503 int ret;
504
505 if (batch)
506 {
507 if (!cfg.organization)
508 return;
509
510 ret =
511 gnutls_x509_crt_set_dn_by_oid (crt,
512 GNUTLS_OID_X520_ORGANIZATION_NAME,
513 0, cfg.organization,
514 strlen (cfg.organization));
515 if (ret < 0)
516 {
517 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
518 exit (1);
519 }
520 }
521 else
522 {
523 read_crt_set (crt, "Organization name: ",
524 GNUTLS_OID_X520_ORGANIZATION_NAME);
525 }
526
527 }
528
529 void
530 get_unit_crt_set (gnutls_x509_crt_t crt)
531 {
532 int ret;
533
534 if (batch)
535 {
536 if (!cfg.unit)
537 return;
538
539 ret =
540 gnutls_x509_crt_set_dn_by_oid (crt,
541 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
542 0, cfg.unit, strlen (cfg.unit));
543 if (ret < 0)
544 {
545 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
546 exit (1);
547 }
548 }
549 else
550 {
551 read_crt_set (crt, "Organizational unit name: ",
552 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
553 }
554
555 }
556
557 void
558 get_state_crt_set (gnutls_x509_crt_t crt)
559 {
560 int ret;
561
562 if (batch)
563 {
564 if (!cfg.state)
565 return;
566 ret =
567 gnutls_x509_crt_set_dn_by_oid (crt,
568 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
569 0, cfg.state, strlen (cfg.state));
570 if (ret < 0)
571 {
572 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
573 exit (1);
574 }
575 }
576 else
577 {
578 read_crt_set (crt, "State or province name: ",
579 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
580 }
581
582 }
583
584 void
585 get_locality_crt_set (gnutls_x509_crt_t crt)
586 {
587 int ret;
588
589 if (batch)
590 {
591 if (!cfg.locality)
592 return;
593 ret =
594 gnutls_x509_crt_set_dn_by_oid (crt,
595 GNUTLS_OID_X520_LOCALITY_NAME, 0,
596 cfg.locality, strlen (cfg.locality));
597 if (ret < 0)
598 {
599 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
600 exit (1);
601 }
602 }
603 else
604 {
605 read_crt_set (crt, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
606 }
607
608 }
609
610 void
611 get_cn_crt_set (gnutls_x509_crt_t crt)
612 {
613 int ret;
614
615 if (batch)
616 {
617 if (!cfg.cn)
618 return;
619 ret =
620 gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,
621 0, cfg.cn, strlen (cfg.cn));
622 if (ret < 0)
623 {
624 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
625 exit (1);
626 }
627 }
628 else
629 {
630 read_crt_set (crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
631 }
632
633 }
634
635 void
636 get_uid_crt_set (gnutls_x509_crt_t crt)
637 {
638 int ret;
639
640 if (batch)
641 {
642 if (!cfg.uid)
643 return;
644 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_UID, 0,
645 cfg.uid, strlen (cfg.uid));
646 if (ret < 0)
647 {
648 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
649 exit (1);
650 }
651 }
652 else
653 {
654 read_crt_set (crt, "UID: ", GNUTLS_OID_LDAP_UID);
655 }
656
657 }
658
659 void
660 get_oid_crt_set (gnutls_x509_crt_t crt)
661 {
662 int ret, i;
663
664 if (batch)
665 {
666 if (!cfg.dn_oid)
667 return;
668 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
669 {
670 if (cfg.dn_oid[i + 1] == NULL)
671 {
672 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
673 cfg.dn_oid[i]);
674 exit (1);
675 }
676 ret = gnutls_x509_crt_set_dn_by_oid (crt, cfg.dn_oid[i], 0,
677 cfg.dn_oid[i + 1],
678 strlen (cfg.dn_oid[i + 1]));
679
680 if (ret < 0)
681 {
682 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
683 exit (1);
684 }
685 }
686 }
687 }
688
689 void
690 get_key_purpose_set (gnutls_x509_crt_t crt)
691 {
692 int ret, i;
693
694 if (batch)
695 {
696 if (!cfg.key_purpose_oids)
697 return;
698 for (i = 0; cfg.key_purpose_oids[i] != NULL; i++)
699 {
700 ret =
701 gnutls_x509_crt_set_key_purpose_oid (crt, cfg.key_purpose_oids[i],
702 0);
703
704 if (ret < 0)
705 {
706 fprintf (stderr, "set_key_purpose_oid (%s): %s\n",
707 cfg.key_purpose_oids[i], gnutls_strerror (ret));
708 exit (1);
709 }
710 }
711 }
712 }
713
714 void
715 get_ocsp_issuer_set (gnutls_x509_crt_t crt)
716 {
717 int ret, i;
718 gnutls_datum_t uri;
719
720 if (batch)
721 {
722 if (!cfg.ocsp_uris)
723 return;
724 for (i = 0; cfg.ocsp_uris[i] != NULL; i++)
725 {
726 uri.data = cfg.ocsp_uris[i];
727 uri.size = strlen(cfg.ocsp_uris[i]);
728 ret =
729 gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_OCSP_URI,
730 &uri);
731 if (ret < 0)
732 {
733 fprintf (stderr, "set OCSP URI (%s): %s\n",
734 cfg.ocsp_uris[i], gnutls_strerror (ret));
735 exit (1);
736 }
737 }
738 }
739 }
740
741 void
742 get_ca_issuers_set (gnutls_x509_crt_t crt)
743 {
744 int ret, i;
745 gnutls_datum_t uri;
746
747 if (batch)
748 {
749 if (!cfg.ca_issuers_uris)
750 return;
751 for (i = 0; cfg.ca_issuers_uris[i] != NULL; i++)
752 {
753 uri.data = cfg.ca_issuers_uris[i];
754 uri.size = strlen(cfg.ca_issuers_uris[i]);
755 ret =
756 gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_CAISSUERS_URI,
757 &uri);
758 if (ret < 0)
759 {
760 fprintf (stderr, "set CA ISSUERS URI (%s): %s\n",
761 cfg.ca_issuers_uris[i], gnutls_strerror (ret));
762 exit (1);
763 }
764 }
765 }
766 }
767
768
769 void
770 get_pkcs9_email_crt_set (gnutls_x509_crt_t crt)
771 {
772 int ret;
773
774 if (batch)
775 {
776 if (!cfg.pkcs9_email)
777 return;
778 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_PKCS9_EMAIL, 0,
779 cfg.pkcs9_email,
780 strlen (cfg.pkcs9_email));
781 if (ret < 0)
782 {
783 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
784 exit (1);
785 }
786 }
787 else
788 {
789 read_crt_set (crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL);
790 }
791
792 }
793
794 int
795 get_serial (void)
796 {
797 int default_serial = time (NULL);
798
799 if (batch)
800 {
801 if (cfg.serial < 0)
802 return default_serial;
803 return cfg.serial;
804 }
805 else
806 {
807 return read_int_with_default
808 ("Enter the certificate's serial number in decimal (default: %u): ",
809 default_serial);
810 }
811 }
812
813 int
814 get_days (void)
815 {
816 int days;
817
818 if (batch)
819 {
820 if (cfg.expiration_days <= 0)
821 return 365;
822 else
823 return cfg.expiration_days;
824 }
825 else
826 {
827 do
828 {
829 days = read_int ("The certificate will expire in (days): ");
830 }
831 while (days == 0);
832 return days;
833 }
834 }
835
836 int
837 get_ca_status (void)
838 {
839 if (batch)
840 {
841 return cfg.ca;
842 }
843 else
844 {
845 return
846 read_yesno ("Does the certificate belong to an authority? (y/N): ");
847 }
848 }
849
850 int
851 get_crq_extensions_status (void)
852 {
853 if (batch)
854 {
855 return cfg.crq_extensions;
856 }
857 else
858 {
859 return
860 read_yesno
861 ("Do you want to honour the extensions from the request? (y/N): ");
862 }
863 }
864
865 int
866 get_crl_number (void)
867 {
868 if (batch)
869 {
870 return cfg.crl_number;
871 }
872 else
873 {
874 return read_int_with_default ("CRL Number: ", 1);
875 }
876 }
877
878 int
879 get_path_len (void)
880 {
881 if (batch)
882 {
883 return cfg.path_len;
884 }
885 else
886 {
887 return read_int_with_default
888 ("Path length constraint (decimal, %d for no constraint): ", -1);
889 }
890 }
891
892 const char *
893 get_pkcs12_key_name (void)
894 {
895 const char *name;
896
897 if (batch)
898 {
899 if (!cfg.pkcs12_key_name)
900 return "Anonymous";
901 return cfg.pkcs12_key_name;
902 }
903 else
904 {
905 do
906 {
907 name = read_str ("Enter a name for the key: ");
908 }
909 while (name == NULL);
910 }
911 return name;
912 }
913
914 int
915 get_tls_client_status (void)
916 {
917 if (batch)
918 {
919 return cfg.tls_www_client;
920 }
921 else
922 {
923 return read_yesno ("Is this a TLS web client certificate? (y/N): ");
924 }
925 }
926
927 int
928 get_tls_server_status (void)
929 {
930 if (batch)
931 {
932 return cfg.tls_www_server;
933 }
934 else
935 {
936 return
937 read_yesno ("Is this also a TLS web server certificate? (y/N): ");
938 }
939 }
940
941 /* convert a printable IP to binary */
942 static int
943 string_to_ip (unsigned char *ip, const char *str)
944 {
945 int len = strlen (str);
946 int ret;
947
948 #if HAVE_IPV6
949 if (strchr (str, ':') != NULL || len > 16)
950 { /* IPv6 */
951 ret = inet_pton (AF_INET6, str, ip);
952 if (ret <= 0)
953 {
954 fprintf (stderr, "Error in IPv6 address %s\n", str);
955 exit (1);
956 }
957
958 /* To be done */
959 return 16;
960 }
961 else
962 #endif
963 { /* IPv4 */
964 ret = inet_pton (AF_INET, str, ip);
965 if (ret <= 0)
966 {
967 fprintf (stderr, "Error in IPv4 address %s\n", str);
968 exit (1);
969 }
970
971 return 4;
972 }
973
974 }
975
976 void
977 get_ip_addr_set (int type, void *crt)
978 {
979 int ret = 0, i;
980 unsigned char ip[16];
981 int len;
982
983 if (batch)
984 {
985 if (!cfg.ip_addr)
986 return;
987
988 for (i = 0; cfg.ip_addr[i] != NULL; i++)
989 {
990 len = string_to_ip (ip, cfg.ip_addr[i]);
991 if (len <= 0)
992 {
993 fprintf (stderr, "Error parsing address: %s\n", cfg.ip_addr[i]);
994 exit (1);
995 }
996
997 if (type == TYPE_CRT)
998 ret =
999 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1000 ip, len,
1001 GNUTLS_FSAN_APPEND);
1002 else
1003 ret =
1004 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1005 ip, len,
1006 GNUTLS_FSAN_APPEND);
1007
1008 if (ret < 0)
1009 break;
1010 }
1011 }
1012 else
1013 {
1014 const char *p;
1015
1016 p =
1017 read_str ("Enter the IP address of the subject of the certificate: ");
1018 if (!p)
1019 return;
1020
1021 len = string_to_ip (ip, p);
1022 if (len <= 0)
1023 {
1024 fprintf (stderr, "Error parsing address: %s\n", p);
1025 exit (1);
1026 }
1027
1028 if (type == TYPE_CRT)
1029 ret = gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1030 ip, len,
1031 GNUTLS_FSAN_APPEND);
1032 else
1033 ret = gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1034 ip, len,
1035 GNUTLS_FSAN_APPEND);
1036 }
1037
1038 if (ret < 0)
1039 {
1040 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1041 exit (1);
1042 }
1043 }
1044
1045 void
1046 get_email_set (int type, void *crt)
1047 {
1048 int ret = 0, i;
1049
1050 if (batch)
1051 {
1052 if (!cfg.email)
1053 return;
1054
1055 for (i = 0; cfg.email[i] != NULL; i++)
1056 {
1057 if (type == TYPE_CRT)
1058 ret =
1059 gnutls_x509_crt_set_subject_alt_name (crt,
1060 GNUTLS_SAN_RFC822NAME,
1061 cfg.email[i],
1062 strlen (cfg.email[i]),
1063 GNUTLS_FSAN_APPEND);
1064 else
1065 ret =
1066 gnutls_x509_crq_set_subject_alt_name (crt,
1067 GNUTLS_SAN_RFC822NAME,
1068 cfg.email[i],
1069 strlen (cfg.email[i]),
1070 GNUTLS_FSAN_APPEND);
1071
1072 if (ret < 0)
1073 break;
1074 }
1075 }
1076 else
1077 {
1078 const char *p;
1079
1080 p = read_str ("Enter the e-mail of the subject of the certificate: ");
1081 if (!p)
1082 return;
1083
1084 if (type == TYPE_CRT)
1085 ret =
1086 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
1087 strlen (p),
1088 GNUTLS_FSAN_APPEND);
1089 else
1090 ret =
1091 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
1092 strlen (p),
1093 GNUTLS_FSAN_APPEND);
1094 }
1095
1096 if (ret < 0)
1097 {
1098 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1099 exit (1);
1100 }
1101 }
1102
1103
1104 void
1105 get_dc_set (int type, void *crt)
1106 {
1107 int ret = 0, i;
1108
1109 if (batch)
1110 {
1111 if (!cfg.dc)
1112 return;
1113
1114 for (i = 0; cfg.dc[i] != NULL; i++)
1115 {
1116 if (type == TYPE_CRT)
1117 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1118 0, cfg.dc[i], strlen (cfg.dc[i]));
1119 else
1120 ret = gnutls_x509_crq_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1121 0, cfg.dc[i], strlen (cfg.dc[i]));
1122
1123 if (ret < 0)
1124 break;
1125 }
1126 }
1127 else
1128 {
1129 const char *p;
1130
1131 do
1132 {
1133 p = read_str ("Enter the subject's domain component (DC): ");
1134 if (!p)
1135 return;
1136
1137 if (type == TYPE_CRT)
1138 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1139 0, p, strlen (p));
1140 else
1141 ret = gnutls_x509_crq_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1142 0, p, strlen (p));
1143 }
1144 while(p != NULL);
1145 }
1146
1147 if (ret < 0)
1148 {
1149 fprintf (stderr, "set_dn_by_oid: %s\n", gnutls_strerror (ret));
1150 exit (1);
1151 }
1152 }
1153
1154 void
1155 get_dns_name_set (int type, void *crt)
1156 {
1157 int ret = 0, i;
1158
1159 if (batch)
1160 {
1161 if (!cfg.dns_name)
1162 return;
1163
1164 for (i = 0; cfg.dns_name[i] != NULL; i++)
1165 {
1166 if (type == TYPE_CRT)
1167 ret =
1168 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
1169 cfg.dns_name[i],
1170 strlen (cfg.dns_name[i]),
1171 GNUTLS_FSAN_APPEND);
1172 else
1173 ret =
1174 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
1175 cfg.dns_name[i],
1176 strlen (cfg.dns_name[i]),
1177 GNUTLS_FSAN_APPEND);
1178
1179 if (ret < 0)
1180 break;
1181 }
1182 }
1183 else
1184 {
1185 const char *p;
1186
1187 do
1188 {
1189 p =
1190 read_str ("Enter a dnsName of the subject of the certificate: ");
1191 if (!p)
1192 return;
1193
1194 if (type == TYPE_CRT)
1195 ret = gnutls_x509_crt_set_subject_alt_name
1196 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1197 else
1198 ret = gnutls_x509_crq_set_subject_alt_name
1199 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1200 }
1201 while (p);
1202 }
1203
1204 if (ret < 0)
1205 {
1206 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1207 exit (1);
1208 }
1209 }
1210
1211
1212 int
1213 get_sign_status (int server)
1214 {
1215 const char *msg;
1216
1217 if (batch)
1218 {
1219 return cfg.signing_key;
1220 }
1221 else
1222 {
1223 if (server)
1224 msg =
1225 "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): ";
1226 else
1227 msg =
1228 "Will the certificate be used for signing (required for TLS)? (y/N): ";
1229 return read_yesno (msg);
1230 }
1231 }
1232
1233 int
1234 get_encrypt_status (int server)
1235 {
1236 const char *msg;
1237
1238 if (batch)
1239 {
1240 return cfg.encryption_key;
1241 }
1242 else
1243 {
1244 if (server)
1245 msg =
1246 "Will the certificate be used for encryption (RSA ciphersuites)? (y/N): ";
1247 else
1248 msg =
1249 "Will the certificate be used for encryption (not required for TLS)? (y/N): ";
1250 return read_yesno (msg);
1251 }
1252 }
1253
1254 int
1255 get_cert_sign_status (void)
1256 {
1257 if (batch)
1258 {
1259 return cfg.cert_sign_key;
1260 }
1261 else
1262 {
1263 return
1264 read_yesno
1265 ("Will the certificate be used to sign other certificates? (y/N): ");
1266 }
1267 }
1268
1269 int
1270 get_crl_sign_status (void)
1271 {
1272 if (batch)
1273 {
1274 return cfg.crl_sign_key;
1275 }
1276 else
1277 {
1278 return
1279 read_yesno ("Will the certificate be used to sign CRLs? (y/N): ");
1280 }
1281 }
1282
1283 int
1284 get_code_sign_status (void)
1285 {
1286 if (batch)
1287 {
1288 return cfg.code_sign_key;
1289 }
1290 else
1291 {
1292 return
1293 read_yesno ("Will the certificate be used to sign code? (y/N): ");
1294 }
1295 }
1296
1297 int
1298 get_ocsp_sign_status (void)
1299 {
1300 if (batch)
1301 {
1302 return cfg.ocsp_sign_key;
1303 }
1304 else
1305 {
1306 return
1307 read_yesno
1308 ("Will the certificate be used to sign OCSP requests? (y/N): ");
1309 }
1310 }
1311
1312 int
1313 get_time_stamp_status (void)
1314 {
1315 if (batch)
1316 {
1317 return cfg.time_stamping_key;
1318 }
1319 else
1320 {
1321 return
1322 read_yesno
1323 ("Will the certificate be used for time stamping? (y/N): ");
1324 }
1325 }
1326
1327 int
1328 get_ipsec_ike_status (void)
1329 {
1330 if (batch)
1331 {
1332 return cfg.ipsec_ike_key;
1333 }
1334 else
1335 {
1336 return
1337 read_yesno
1338 ("Will the certificate be used for IPsec IKE operations? (y/N): ");
1339 }
1340 }
1341
1342 int
1343 get_crl_next_update (void)
1344 {
1345 int days;
1346
1347 if (batch)
1348 {
1349 if (cfg.crl_next_update <= 0)
1350 return 365;
1351 else
1352 return cfg.crl_next_update;
1353 }
1354 else
1355 {
1356 do
1357 {
1358 days = read_int ("The next CRL will be issued in (days): ");
1359 }
1360 while (days == 0);
1361 return days;
1362 }
1363 }
1364
1365 const char *
1366 get_proxy_policy (char **policy, size_t * policylen)
1367 {
1368 const char *ret;
1369
1370 if (batch)
1371 {
1372 ret = cfg.proxy_policy_language;
1373 if (!ret)
1374 ret = "1.3.6.1.5.5.7.21.1";
1375 }
1376 else
1377 {
1378 do
1379 {
1380 ret = read_str ("Enter the OID of the proxy policy language: ");
1381 }
1382 while (ret == NULL);
1383 }
1384
1385 *policy = NULL;
1386 *policylen = 0;
1387
1388 if (strcmp (ret, "1.3.6.1.5.5.7.21.1") != 0 &&
1389 strcmp (ret, "1.3.6.1.5.5.7.21.2") != 0)
1390 {
1391 fprintf (stderr, "Reading non-standard proxy policy not supported.\n");
1392 }
1393
1394 return ret;
1395 }
1396
1397 /* CRQ stuff.
1398 */
1399 void
1400 get_country_crq_set (gnutls_x509_crq_t crq)
1401 {
1402 int ret;
1403
1404 if (batch)
1405 {
1406 if (!cfg.country)
1407 return;
1408 ret =
1409 gnutls_x509_crq_set_dn_by_oid (crq,
1410 GNUTLS_OID_X520_COUNTRY_NAME, 0,
1411 cfg.country, strlen (cfg.country));
1412 if (ret < 0)
1413 {
1414 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1415 exit (1);
1416 }
1417 }
1418 else
1419 {
1420 read_crq_set (crq, "Country name (2 chars): ",
1421 GNUTLS_OID_X520_COUNTRY_NAME);
1422 }
1423
1424 }
1425
1426 void
1427 get_organization_crq_set (gnutls_x509_crq_t crq)
1428 {
1429 int ret;
1430
1431 if (batch)
1432 {
1433 if (!cfg.organization)
1434 return;
1435
1436 ret =
1437 gnutls_x509_crq_set_dn_by_oid (crq,
1438 GNUTLS_OID_X520_ORGANIZATION_NAME,
1439 0, cfg.organization,
1440 strlen (cfg.organization));
1441 if (ret < 0)
1442 {
1443 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1444 exit (1);
1445 }
1446 }
1447 else
1448 {
1449 read_crq_set (crq, "Organization name: ",
1450 GNUTLS_OID_X520_ORGANIZATION_NAME);
1451 }
1452
1453 }
1454
1455 void
1456 get_unit_crq_set (gnutls_x509_crq_t crq)
1457 {
1458 int ret;
1459
1460 if (batch)
1461 {
1462 if (!cfg.unit)
1463 return;
1464
1465 ret =
1466 gnutls_x509_crq_set_dn_by_oid (crq,
1467 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
1468 0, cfg.unit, strlen (cfg.unit));
1469 if (ret < 0)
1470 {
1471 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1472 exit (1);
1473 }
1474 }
1475 else
1476 {
1477 read_crq_set (crq, "Organizational unit name: ",
1478 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
1479 }
1480
1481 }
1482
1483 void
1484 get_state_crq_set (gnutls_x509_crq_t crq)
1485 {
1486 int ret;
1487
1488 if (batch)
1489 {
1490 if (!cfg.state)
1491 return;
1492 ret =
1493 gnutls_x509_crq_set_dn_by_oid (crq,
1494 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
1495 0, cfg.state, strlen (cfg.state));
1496 if (ret < 0)
1497 {
1498 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1499 exit (1);
1500 }
1501 }
1502 else
1503 {
1504 read_crq_set (crq, "State or province name: ",
1505 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
1506 }
1507
1508 }
1509
1510 void
1511 get_locality_crq_set (gnutls_x509_crq_t crq)
1512 {
1513 int ret;
1514
1515 if (batch)
1516 {
1517 if (!cfg.locality)
1518 return;
1519 ret =
1520 gnutls_x509_crq_set_dn_by_oid (crq,
1521 GNUTLS_OID_X520_LOCALITY_NAME, 0,
1522 cfg.locality, strlen (cfg.locality));
1523 if (ret < 0)
1524 {
1525 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1526 exit (1);
1527 }
1528 }
1529 else
1530 {
1531 read_crq_set (crq, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
1532 }
1533
1534 }
1535
1536 void
1537 get_cn_crq_set (gnutls_x509_crq_t crq)
1538 {
1539 int ret;
1540
1541 if (batch)
1542 {
1543 if (!cfg.cn)
1544 return;
1545 ret =
1546 gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
1547 0, cfg.cn, strlen (cfg.cn));
1548 if (ret < 0)
1549 {
1550 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1551 exit (1);
1552 }
1553 }
1554 else
1555 {
1556 read_crq_set (crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
1557 }
1558
1559 }
1560
1561 void
1562 get_uid_crq_set (gnutls_x509_crq_t crq)
1563 {
1564 int ret;
1565
1566 if (batch)
1567 {
1568 if (!cfg.uid)
1569 return;
1570 ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_LDAP_UID, 0,
1571 cfg.uid, strlen (cfg.uid));
1572 if (ret < 0)
1573 {
1574 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1575 exit (1);
1576 }
1577 }
1578 else
1579 {
1580 read_crq_set (crq, "UID: ", GNUTLS_OID_LDAP_UID);
1581 }
1582
1583 }
1584
1585 void
1586 get_oid_crq_set (gnutls_x509_crq_t crq)
1587 {
1588 int ret, i;
1589
1590 if (batch)
1591 {
1592 if (!cfg.dn_oid)
1593 return;
1594 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
1595 {
1596 if (cfg.dn_oid[i + 1] == NULL)
1597 {
1598 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
1599 cfg.dn_oid[i]);
1600 exit (1);
1601 }
1602 ret = gnutls_x509_crq_set_dn_by_oid (crq, cfg.dn_oid[i], 0,
1603 cfg.dn_oid[i + 1],
1604 strlen (cfg.dn_oid[i + 1]));
1605
1606 if (ret < 0)
1607 {
1608 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
1609 exit (1);
1610 }
1611 }
1612 }
1613
1614 }
Implementation of the SSL/TLS protocol