search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tpmtool now accepts the --inder and --outder options.
[gnutls.git] / src / certtool-cfg.c
blob768c58d7c83923ee89a011183264565c4f8099d8
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 *
20 * Written by Nikos Mavrogiannopoulos <nmav@gnutls.org>.
21 */
22
23 #include <config.h>
24
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <certtool-cfg.h>
28 #include <gnutls/x509.h>
29 #include <string.h>
30 #include <limits.h>
31 #include <inttypes.h>
32 #include <time.h>
33 #include <autoopts/options.h>
34
35 /* for inet_pton */
36 #include <sys/types.h>
37
38 #if HAVE_SYS_SOCKET_H
39 # include <sys/socket.h>
40 #elif HAVE_WS2TCPIP_H
41 # include <ws2tcpip.h>
42 #endif
43 #include <arpa/inet.h>
44
45 /* Gnulib portability files. */
46 #include <getpass.h>
47 #include "certtool-common.h"
48
49 extern int batch;
50
51 #define MAX_ENTRIES 128
52
53 typedef struct _cfg_ctx
54 {
55 char *organization;
56 char *unit;
57 char *locality;
58 char *state;
59 char *cn;
60 char *uid;
61 char *challenge_password;
62 char *pkcs9_email;
63 char *country;
64 char **dc;
65 char **dns_name;
66 char **uri;
67 char **ip_addr;
68 char **email;
69 char **dn_oid;
70 char *crl_dist_points;
71 char *password;
72 char *pkcs12_key_name;
73 int serial;
74 int expiration_days;
75 int ca;
76 int path_len;
77 int tls_www_client;
78 int tls_www_server;
79 int signing_key;
80 int encryption_key;
81 int cert_sign_key;
82 int crl_sign_key;
83 int code_sign_key;
84 int ocsp_sign_key;
85 int time_stamping_key;
86 int ipsec_ike_key;
87 char **key_purpose_oids;
88 int crl_next_update;
89 int crl_number;
90 int crq_extensions;
91 char *proxy_policy_language;
92 char **ocsp_uris;
93 char **ca_issuers_uris;
94 } cfg_ctx;
95
96 cfg_ctx cfg;
97
98 void
99 cfg_init (void)
100 {
101 memset (&cfg, 0, sizeof (cfg));
102 cfg.path_len = -1;
103 cfg.serial = -1;
104 }
105
106 #define READ_MULTI_LINE(name, s_name) \
107 val = optionGetValue(pov, name); \
108 if (val != NULL && val->valType == OPARG_TYPE_STRING) \
109 { \
110 if (s_name == NULL) { \
111 i = 0; \
112 s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
113 do { \
114 if (val && !strcmp(val->pzName, name)==0) \
115 continue; \
116 s_name[i] = strdup(val->v.strVal); \
117 i++; \
118 if (i>=MAX_ENTRIES) \
119 break; \
120 } while((val = optionNextValue(pov, val)) != NULL); \
121 s_name[i] = NULL; \
122 } \
123 }
124
125 #define READ_MULTI_LINE_TOKENIZED(name, s_name) \
126 val = optionGetValue(pov, name); \
127 if (val != NULL && val->valType == OPARG_TYPE_STRING) \
128 { \
129 char str[512]; \
130 char * p; \
131 if (s_name == NULL) { \
132 i = 0; \
133 s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
134 do { \
135 if (val && !strcmp(val->pzName, name)==0) \
136 continue; \
137 strncpy(str, val->v.strVal, sizeof(str)-1); \
138 str[sizeof(str)-1] = 0; \
139 if ((p=strchr(str, ' ')) == NULL && (p=strchr(str, '\t')) == NULL) { \
140 fprintf(stderr, "Error parsing %s\n", name); \
141 exit(1); \
142 } \
143 p[0] = 0; \
144 p++; \
145 s_name[i] = strdup(str); \
146 while(*p==' ' || *p == '\t') p++; \
147 if (p[0] == 0) { \
148 fprintf(stderr, "Error (2) parsing %s\n", name); \
149 exit(1); \
150 } \
151 s_name[i+1] = strdup(p); \
152 i+=2; \
153 if (i>=MAX_ENTRIES) \
154 break; \
155 } while((val = optionNextValue(pov, val)) != NULL); \
156 s_name[i] = NULL; \
157 } \
158 }
159
160 #define READ_BOOLEAN(name, s_name) \
161 val = optionGetValue(pov, name); \
162 if (val != NULL) \
163 { \
164 s_name = 1; \
165 }
166
167 #define READ_NUMERIC(name, s_name) \
168 val = optionGetValue(pov, name); \
169 if (val != NULL) \
170 { \
171 if (val->valType == OPARG_TYPE_NUMERIC) \
172 s_name = val->v.longVal; \
173 else if (val->valType == OPARG_TYPE_STRING) \
174 s_name = atoi(val->v.strVal); \
175 }
176
177 int
178 template_parse (const char *template)
179 {
180 /* Parsing return code */
181 int ret;
182 unsigned int i;
183 tOptionValue const * pov;
184 const tOptionValue* val;
185
186 pov = configFileLoad(template);
187 if (pov == NULL)
188 {
189 perror("configFileLoad");
190 fprintf(stderr, "Error loading template: %s\n", template);
191 exit(1);
192 }
193
194 /* Option variables */
195 val = optionGetValue(pov, "organization");
196 if (val != NULL && val->valType == OPARG_TYPE_STRING)
197 cfg.organization = strdup(val->v.strVal);
198
199 val = optionGetValue(pov, "unit");
200 if (val != NULL && val->valType == OPARG_TYPE_STRING)
201 cfg.unit = strdup(val->v.strVal);
202
203 val = optionGetValue(pov, "locality");
204 if (val != NULL && val->valType == OPARG_TYPE_STRING)
205 cfg.locality = strdup(val->v.strVal);
206
207 val = optionGetValue(pov, "state");
208 if (val != NULL && val->valType == OPARG_TYPE_STRING)
209 cfg.state = strdup(val->v.strVal);
210
211 val = optionGetValue(pov, "cn");
212 if (val != NULL && val->valType == OPARG_TYPE_STRING)
213 cfg.cn = strdup(val->v.strVal);
214
215 val = optionGetValue(pov, "uid");
216 if (val != NULL && val->valType == OPARG_TYPE_STRING)
217 cfg.uid = strdup(val->v.strVal);
218
219 val = optionGetValue(pov, "challenge_password");
220 if (val != NULL && val->valType == OPARG_TYPE_STRING)
221 cfg.challenge_password = strdup(val->v.strVal);
222
223 val = optionGetValue(pov, "password");
224 if (val != NULL && val->valType == OPARG_TYPE_STRING)
225 cfg.password = strdup(val->v.strVal);
226
227 val = optionGetValue(pov, "pkcs9_email");
228 if (val != NULL && val->valType == OPARG_TYPE_STRING)
229 cfg.pkcs9_email = strdup(val->v.strVal);
230
231 val = optionGetValue(pov, "country");
232 if (val != NULL && val->valType == OPARG_TYPE_STRING)
233 cfg.country = strdup(val->v.strVal);
234
235 READ_MULTI_LINE("dc", cfg.dc);
236 READ_MULTI_LINE("dns_name", cfg.dns_name);
237 READ_MULTI_LINE("uri", cfg.uri);
238
239 READ_MULTI_LINE("ip_address", cfg.ip_addr);
240 READ_MULTI_LINE("email", cfg.email);
241 READ_MULTI_LINE("key_purpose_oid", cfg.key_purpose_oids);
242
243 READ_MULTI_LINE_TOKENIZED("dn_oid", cfg.dn_oid);
244
245 val = optionGetValue(pov, "crl_dist_points");
246 if (val != NULL && val->valType == OPARG_TYPE_STRING)
247 cfg.crl_dist_points = strdup(val->v.strVal);
248
249 val = optionGetValue(pov, "pkcs12_key_name");
250 if (val != NULL && val->valType == OPARG_TYPE_STRING)
251 cfg.pkcs12_key_name = strdup(val->v.strVal);
252
253
254 READ_NUMERIC("serial", cfg.serial);
255 READ_NUMERIC("expiration_days", cfg.expiration_days);
256 READ_NUMERIC("crl_next_update", cfg.crl_next_update);
257 READ_NUMERIC("crl_number", cfg.crl_number);
258
259 val = optionGetValue(pov, "proxy_policy_language");
260 if (val != NULL && val->valType == OPARG_TYPE_STRING)
261 cfg.proxy_policy_language = strdup(val->v.strVal);
262
263 READ_MULTI_LINE("ocsp_uri", cfg.ocsp_uris);
264 READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);
265
266 READ_BOOLEAN("ca", cfg.ca);
267 READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
268 READ_BOOLEAN("path_len", cfg.path_len);
269 READ_BOOLEAN("tls_www_client", cfg.tls_www_client);
270 READ_BOOLEAN("tls_www_server", cfg.tls_www_server);
271 READ_BOOLEAN("signing_key", cfg.signing_key);
272 READ_BOOLEAN("encryption_key", cfg.encryption_key);
273 READ_BOOLEAN("cert_signing_key", cfg.cert_sign_key);
274 READ_BOOLEAN("crl_signing_key", cfg.crl_sign_key);
275 READ_BOOLEAN("code_signing_key", cfg.code_sign_key);
276 READ_BOOLEAN("ocsp_signing_key", cfg.ocsp_sign_key);
277 READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
278 READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);
279
280 optionUnloadNested(pov);
281
282 return 0;
283 }
284
285 #define IS_NEWLINE(x) ((x[0] == '\n') || (x[0] == '\r'))
286
287 void
288 read_crt_set (gnutls_x509_crt_t crt, const char *input_str, const char *oid)
289 {
290 char input[128];
291 int ret;
292
293 fputs (input_str, stderr);
294 if (fgets (input, sizeof (input), stdin) == NULL)
295 return;
296
297 if (IS_NEWLINE(input))
298 return;
299
300 ret =
301 gnutls_x509_crt_set_dn_by_oid (crt, oid, 0, input, strlen (input) - 1);
302 if (ret < 0)
303 {
304 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
305 exit (1);
306 }
307 }
308
309 void
310 read_crq_set (gnutls_x509_crq_t crq, const char *input_str, const char *oid)
311 {
312 char input[128];
313 int ret;
314
315 fputs (input_str, stderr);
316 if (fgets (input, sizeof (input), stdin) == NULL)
317 return;
318
319 if (IS_NEWLINE(input))
320 return;
321
322 ret =
323 gnutls_x509_crq_set_dn_by_oid (crq, oid, 0, input, strlen (input) - 1);
324 if (ret < 0)
325 {
326 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
327 exit (1);
328 }
329 }
330
331 /* The input_str should contain %d or %u to print the default.
332 */
333 static int
334 read_int_with_default (const char *input_str, int def)
335 {
336 char *endptr;
337 long l, len;
338 static char input[128];
339
340 fprintf (stderr, input_str, def);
341 if (fgets (input, sizeof (input), stdin) == NULL)
342 return def;
343
344 if (IS_NEWLINE(input))
345 return def;
346
347 len = strlen (input);
348
349 l = strtol (input, &endptr, 0);
350
351 if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n')
352 {
353 fprintf (stderr, "Trailing garbage ignored: `%s'\n", endptr);
354 return 0;
355 }
356
357 if (l <= INT_MIN || l >= INT_MAX)
358 {
359 fprintf (stderr, "Integer out of range: `%s'\n", input);
360 return 0;
361 }
362
363 if (input == endptr)
364 l = def;
365
366 return (int) l;
367 }
368
369 int
370 read_int (const char *input_str)
371 {
372 return read_int_with_default (input_str, 0);
373 }
374
375 const char *
376 read_str (const char *input_str)
377 {
378 static char input[128];
379 int len;
380
381 fputs (input_str, stderr);
382 if (fgets (input, sizeof (input), stdin) == NULL)
383 return NULL;
384
385 if (IS_NEWLINE(input))
386 return NULL;
387
388 len = strlen (input);
389 if ((len > 0) && (input[len - 1] == '\n'))
390 input[len - 1] = 0;
391 if (input[0] == 0)
392 return NULL;
393
394 return input;
395 }
396
397 /* Default is no
398 */
399 int
400 read_yesno (const char *input_str)
401 {
402 char input[128];
403
404 fputs (input_str, stderr);
405 if (fgets (input, sizeof (input), stdin) == NULL)
406 return 0;
407
408 if (IS_NEWLINE(input))
409 return 0;
410
411 if (input[0] == 'y' || input[0] == 'Y')
412 return 1;
413
414 return 0;
415 }
416
417
418 /* Wrapper functions for non-interactive mode.
419 */
420 const char *
421 get_pass (void)
422 {
423 if (batch)
424 return cfg.password;
425 else
426 return getpass ("Enter password: ");
427 }
428
429 const char *
430 get_confirmed_pass (bool empty_ok)
431 {
432 if (batch)
433 return cfg.password;
434 else
435 {
436 const char *pass = NULL;
437 char *copy = NULL;
438
439 do
440 {
441 if (pass)
442 fprintf (stderr, "Password missmatch, try again.\n");
443
444 free (copy);
445
446 pass = getpass ("Enter password: ");
447 copy = strdup (pass);
448 pass = getpass ("Confirm password: ");
449 }
450 while (strcmp (pass, copy) != 0 && !(empty_ok && *pass == '\0'));
451
452 free (copy);
453
454 return pass;
455 }
456 }
457
458 const char *
459 get_challenge_pass (void)
460 {
461 if (batch)
462 return cfg.challenge_password;
463 else
464 return getpass ("Enter a challenge password: ");
465 }
466
467 const char *
468 get_crl_dist_point_url (void)
469 {
470 if (batch)
471 return cfg.crl_dist_points;
472 else
473 return read_str ("Enter the URI of the CRL distribution point: ");
474 }
475
476 void
477 get_country_crt_set (gnutls_x509_crt_t crt)
478 {
479 int ret;
480
481 if (batch)
482 {
483 if (!cfg.country)
484 return;
485 ret =
486 gnutls_x509_crt_set_dn_by_oid (crt,
487 GNUTLS_OID_X520_COUNTRY_NAME, 0,
488 cfg.country, strlen (cfg.country));
489 if (ret < 0)
490 {
491 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
492 exit (1);
493 }
494 }
495 else
496 {
497 read_crt_set (crt, "Country name (2 chars): ",
498 GNUTLS_OID_X520_COUNTRY_NAME);
499 }
500
501 }
502
503 void
504 get_organization_crt_set (gnutls_x509_crt_t crt)
505 {
506 int ret;
507
508 if (batch)
509 {
510 if (!cfg.organization)
511 return;
512
513 ret =
514 gnutls_x509_crt_set_dn_by_oid (crt,
515 GNUTLS_OID_X520_ORGANIZATION_NAME,
516 0, cfg.organization,
517 strlen (cfg.organization));
518 if (ret < 0)
519 {
520 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
521 exit (1);
522 }
523 }
524 else
525 {
526 read_crt_set (crt, "Organization name: ",
527 GNUTLS_OID_X520_ORGANIZATION_NAME);
528 }
529
530 }
531
532 void
533 get_unit_crt_set (gnutls_x509_crt_t crt)
534 {
535 int ret;
536
537 if (batch)
538 {
539 if (!cfg.unit)
540 return;
541
542 ret =
543 gnutls_x509_crt_set_dn_by_oid (crt,
544 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
545 0, cfg.unit, strlen (cfg.unit));
546 if (ret < 0)
547 {
548 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
549 exit (1);
550 }
551 }
552 else
553 {
554 read_crt_set (crt, "Organizational unit name: ",
555 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
556 }
557
558 }
559
560 void
561 get_state_crt_set (gnutls_x509_crt_t crt)
562 {
563 int ret;
564
565 if (batch)
566 {
567 if (!cfg.state)
568 return;
569 ret =
570 gnutls_x509_crt_set_dn_by_oid (crt,
571 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
572 0, cfg.state, strlen (cfg.state));
573 if (ret < 0)
574 {
575 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
576 exit (1);
577 }
578 }
579 else
580 {
581 read_crt_set (crt, "State or province name: ",
582 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
583 }
584
585 }
586
587 void
588 get_locality_crt_set (gnutls_x509_crt_t crt)
589 {
590 int ret;
591
592 if (batch)
593 {
594 if (!cfg.locality)
595 return;
596 ret =
597 gnutls_x509_crt_set_dn_by_oid (crt,
598 GNUTLS_OID_X520_LOCALITY_NAME, 0,
599 cfg.locality, strlen (cfg.locality));
600 if (ret < 0)
601 {
602 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
603 exit (1);
604 }
605 }
606 else
607 {
608 read_crt_set (crt, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
609 }
610
611 }
612
613 void
614 get_cn_crt_set (gnutls_x509_crt_t crt)
615 {
616 int ret;
617
618 if (batch)
619 {
620 if (!cfg.cn)
621 return;
622 ret =
623 gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,
624 0, cfg.cn, strlen (cfg.cn));
625 if (ret < 0)
626 {
627 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
628 exit (1);
629 }
630 }
631 else
632 {
633 read_crt_set (crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
634 }
635
636 }
637
638 void
639 get_uid_crt_set (gnutls_x509_crt_t crt)
640 {
641 int ret;
642
643 if (batch)
644 {
645 if (!cfg.uid)
646 return;
647 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_UID, 0,
648 cfg.uid, strlen (cfg.uid));
649 if (ret < 0)
650 {
651 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
652 exit (1);
653 }
654 }
655 else
656 {
657 read_crt_set (crt, "UID: ", GNUTLS_OID_LDAP_UID);
658 }
659
660 }
661
662 void
663 get_oid_crt_set (gnutls_x509_crt_t crt)
664 {
665 int ret, i;
666
667 if (batch)
668 {
669 if (!cfg.dn_oid)
670 return;
671 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
672 {
673 if (cfg.dn_oid[i + 1] == NULL)
674 {
675 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
676 cfg.dn_oid[i]);
677 exit (1);
678 }
679 ret = gnutls_x509_crt_set_dn_by_oid (crt, cfg.dn_oid[i], 0,
680 cfg.dn_oid[i + 1],
681 strlen (cfg.dn_oid[i + 1]));
682
683 if (ret < 0)
684 {
685 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
686 exit (1);
687 }
688 }
689 }
690 }
691
692 void
693 get_key_purpose_set (gnutls_x509_crt_t crt)
694 {
695 int ret, i;
696
697 if (batch)
698 {
699 if (!cfg.key_purpose_oids)
700 return;
701 for (i = 0; cfg.key_purpose_oids[i] != NULL; i++)
702 {
703 ret =
704 gnutls_x509_crt_set_key_purpose_oid (crt, cfg.key_purpose_oids[i],
705 0);
706
707 if (ret < 0)
708 {
709 fprintf (stderr, "set_key_purpose_oid (%s): %s\n",
710 cfg.key_purpose_oids[i], gnutls_strerror (ret));
711 exit (1);
712 }
713 }
714 }
715 }
716
717 void
718 get_ocsp_issuer_set (gnutls_x509_crt_t crt)
719 {
720 int ret, i;
721 gnutls_datum_t uri;
722
723 if (batch)
724 {
725 if (!cfg.ocsp_uris)
726 return;
727 for (i = 0; cfg.ocsp_uris[i] != NULL; i++)
728 {
729 uri.data = cfg.ocsp_uris[i];
730 uri.size = strlen(cfg.ocsp_uris[i]);
731 ret =
732 gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_OCSP_URI,
733 &uri);
734 if (ret < 0)
735 {
736 fprintf (stderr, "set OCSP URI (%s): %s\n",
737 cfg.ocsp_uris[i], gnutls_strerror (ret));
738 exit (1);
739 }
740 }
741 }
742 }
743
744 void
745 get_ca_issuers_set (gnutls_x509_crt_t crt)
746 {
747 int ret, i;
748 gnutls_datum_t uri;
749
750 if (batch)
751 {
752 if (!cfg.ca_issuers_uris)
753 return;
754 for (i = 0; cfg.ca_issuers_uris[i] != NULL; i++)
755 {
756 uri.data = cfg.ca_issuers_uris[i];
757 uri.size = strlen(cfg.ca_issuers_uris[i]);
758 ret =
759 gnutls_x509_crt_set_authority_info_access (crt, GNUTLS_IA_CAISSUERS_URI,
760 &uri);
761 if (ret < 0)
762 {
763 fprintf (stderr, "set CA ISSUERS URI (%s): %s\n",
764 cfg.ca_issuers_uris[i], gnutls_strerror (ret));
765 exit (1);
766 }
767 }
768 }
769 }
770
771
772 void
773 get_pkcs9_email_crt_set (gnutls_x509_crt_t crt)
774 {
775 int ret;
776
777 if (batch)
778 {
779 if (!cfg.pkcs9_email)
780 return;
781 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_PKCS9_EMAIL, 0,
782 cfg.pkcs9_email,
783 strlen (cfg.pkcs9_email));
784 if (ret < 0)
785 {
786 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
787 exit (1);
788 }
789 }
790 else
791 {
792 read_crt_set (crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL);
793 }
794
795 }
796
797 int
798 get_serial (void)
799 {
800 int default_serial = time (NULL);
801
802 if (batch)
803 {
804 if (cfg.serial < 0)
805 return default_serial;
806 return cfg.serial;
807 }
808 else
809 {
810 return read_int_with_default
811 ("Enter the certificate's serial number in decimal (default: %u): ",
812 default_serial);
813 }
814 }
815
816 int
817 get_days (void)
818 {
819 int days;
820
821 if (batch)
822 {
823 if (cfg.expiration_days <= 0)
824 return 365;
825 else
826 return cfg.expiration_days;
827 }
828 else
829 {
830 do
831 {
832 days = read_int ("The certificate will expire in (days): ");
833 }
834 while (days == 0);
835 return days;
836 }
837 }
838
839 int
840 get_ca_status (void)
841 {
842 if (batch)
843 {
844 return cfg.ca;
845 }
846 else
847 {
848 return
849 read_yesno ("Does the certificate belong to an authority? (y/N): ");
850 }
851 }
852
853 int
854 get_crq_extensions_status (void)
855 {
856 if (batch)
857 {
858 return cfg.crq_extensions;
859 }
860 else
861 {
862 return
863 read_yesno
864 ("Do you want to honour the extensions from the request? (y/N): ");
865 }
866 }
867
868 int
869 get_crl_number (void)
870 {
871 if (batch)
872 {
873 return cfg.crl_number;
874 }
875 else
876 {
877 return read_int_with_default ("CRL Number: ", 1);
878 }
879 }
880
881 int
882 get_path_len (void)
883 {
884 if (batch)
885 {
886 return cfg.path_len;
887 }
888 else
889 {
890 return read_int_with_default
891 ("Path length constraint (decimal, %d for no constraint): ", -1);
892 }
893 }
894
895 const char *
896 get_pkcs12_key_name (void)
897 {
898 const char *name;
899
900 if (batch)
901 {
902 if (!cfg.pkcs12_key_name)
903 return "Anonymous";
904 return cfg.pkcs12_key_name;
905 }
906 else
907 {
908 do
909 {
910 name = read_str ("Enter a name for the key: ");
911 }
912 while (name == NULL);
913 }
914 return name;
915 }
916
917 int
918 get_tls_client_status (void)
919 {
920 if (batch)
921 {
922 return cfg.tls_www_client;
923 }
924 else
925 {
926 return read_yesno ("Is this a TLS web client certificate? (y/N): ");
927 }
928 }
929
930 int
931 get_tls_server_status (void)
932 {
933 if (batch)
934 {
935 return cfg.tls_www_server;
936 }
937 else
938 {
939 return
940 read_yesno ("Is this also a TLS web server certificate? (y/N): ");
941 }
942 }
943
944 /* convert a printable IP to binary */
945 static int
946 string_to_ip (unsigned char *ip, const char *str)
947 {
948 int len = strlen (str);
949 int ret;
950
951 #if HAVE_IPV6
952 if (strchr (str, ':') != NULL || len > 16)
953 { /* IPv6 */
954 ret = inet_pton (AF_INET6, str, ip);
955 if (ret <= 0)
956 {
957 fprintf (stderr, "Error in IPv6 address %s\n", str);
958 exit (1);
959 }
960
961 /* To be done */
962 return 16;
963 }
964 else
965 #endif
966 { /* IPv4 */
967 ret = inet_pton (AF_INET, str, ip);
968 if (ret <= 0)
969 {
970 fprintf (stderr, "Error in IPv4 address %s\n", str);
971 exit (1);
972 }
973
974 return 4;
975 }
976
977 }
978
979 void
980 get_ip_addr_set (int type, void *crt)
981 {
982 int ret = 0, i;
983 unsigned char ip[16];
984 int len;
985
986 if (batch)
987 {
988 if (!cfg.ip_addr)
989 return;
990
991 for (i = 0; cfg.ip_addr[i] != NULL; i++)
992 {
993 len = string_to_ip (ip, cfg.ip_addr[i]);
994 if (len <= 0)
995 {
996 fprintf (stderr, "Error parsing address: %s\n", cfg.ip_addr[i]);
997 exit (1);
998 }
999
1000 if (type == TYPE_CRT)
1001 ret =
1002 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1003 ip, len,
1004 GNUTLS_FSAN_APPEND);
1005 else
1006 ret =
1007 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1008 ip, len,
1009 GNUTLS_FSAN_APPEND);
1010
1011 if (ret < 0)
1012 break;
1013 }
1014 }
1015 else
1016 {
1017 const char *p;
1018
1019 p =
1020 read_str ("Enter the IP address of the subject of the certificate: ");
1021 if (!p)
1022 return;
1023
1024 len = string_to_ip (ip, p);
1025 if (len <= 0)
1026 {
1027 fprintf (stderr, "Error parsing address: %s\n", p);
1028 exit (1);
1029 }
1030
1031 if (type == TYPE_CRT)
1032 ret = gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1033 ip, len,
1034 GNUTLS_FSAN_APPEND);
1035 else
1036 ret = gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
1037 ip, len,
1038 GNUTLS_FSAN_APPEND);
1039 }
1040
1041 if (ret < 0)
1042 {
1043 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1044 exit (1);
1045 }
1046 }
1047
1048 void
1049 get_email_set (int type, void *crt)
1050 {
1051 int ret = 0, i;
1052
1053 if (batch)
1054 {
1055 if (!cfg.email)
1056 return;
1057
1058 for (i = 0; cfg.email[i] != NULL; i++)
1059 {
1060 if (type == TYPE_CRT)
1061 ret =
1062 gnutls_x509_crt_set_subject_alt_name (crt,
1063 GNUTLS_SAN_RFC822NAME,
1064 cfg.email[i],
1065 strlen (cfg.email[i]),
1066 GNUTLS_FSAN_APPEND);
1067 else
1068 ret =
1069 gnutls_x509_crq_set_subject_alt_name (crt,
1070 GNUTLS_SAN_RFC822NAME,
1071 cfg.email[i],
1072 strlen (cfg.email[i]),
1073 GNUTLS_FSAN_APPEND);
1074
1075 if (ret < 0)
1076 break;
1077 }
1078 }
1079 else
1080 {
1081 const char *p;
1082
1083 p = read_str ("Enter the e-mail of the subject of the certificate: ");
1084 if (!p)
1085 return;
1086
1087 if (type == TYPE_CRT)
1088 ret =
1089 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
1090 strlen (p),
1091 GNUTLS_FSAN_APPEND);
1092 else
1093 ret =
1094 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
1095 strlen (p),
1096 GNUTLS_FSAN_APPEND);
1097 }
1098
1099 if (ret < 0)
1100 {
1101 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1102 exit (1);
1103 }
1104 }
1105
1106
1107 void
1108 get_dc_set (int type, void *crt)
1109 {
1110 int ret = 0, i;
1111
1112 if (batch)
1113 {
1114 if (!cfg.dc)
1115 return;
1116
1117 for (i = 0; cfg.dc[i] != NULL; i++)
1118 {
1119 if (type == TYPE_CRT)
1120 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1121 0, cfg.dc[i], strlen (cfg.dc[i]));
1122 else
1123 ret = gnutls_x509_crq_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1124 0, cfg.dc[i], strlen (cfg.dc[i]));
1125
1126 if (ret < 0)
1127 break;
1128 }
1129 }
1130 else
1131 {
1132 const char *p;
1133
1134 do
1135 {
1136 p = read_str ("Enter the subject's domain component (DC): ");
1137 if (!p)
1138 return;
1139
1140 if (type == TYPE_CRT)
1141 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1142 0, p, strlen (p));
1143 else
1144 ret = gnutls_x509_crq_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1145 0, p, strlen (p));
1146 }
1147 while(p != NULL);
1148 }
1149
1150 if (ret < 0)
1151 {
1152 fprintf (stderr, "set_dn_by_oid: %s\n", gnutls_strerror (ret));
1153 exit (1);
1154 }
1155 }
1156
1157 void
1158 get_dns_name_set (int type, void *crt)
1159 {
1160 int ret = 0, i;
1161
1162 if (batch)
1163 {
1164 if (!cfg.dns_name)
1165 return;
1166
1167 for (i = 0; cfg.dns_name[i] != NULL; i++)
1168 {
1169 if (type == TYPE_CRT)
1170 ret =
1171 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
1172 cfg.dns_name[i],
1173 strlen (cfg.dns_name[i]),
1174 GNUTLS_FSAN_APPEND);
1175 else
1176 ret =
1177 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
1178 cfg.dns_name[i],
1179 strlen (cfg.dns_name[i]),
1180 GNUTLS_FSAN_APPEND);
1181
1182 if (ret < 0)
1183 break;
1184 }
1185 }
1186 else
1187 {
1188 const char *p;
1189
1190 do
1191 {
1192 p =
1193 read_str ("Enter a dnsName of the subject of the certificate: ");
1194 if (!p)
1195 return;
1196
1197 if (type == TYPE_CRT)
1198 ret = gnutls_x509_crt_set_subject_alt_name
1199 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1200 else
1201 ret = gnutls_x509_crq_set_subject_alt_name
1202 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1203 }
1204 while (p);
1205 }
1206
1207 if (ret < 0)
1208 {
1209 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1210 exit (1);
1211 }
1212 }
1213
1214 void
1215 get_uri_set (int type, void *crt)
1216 {
1217 int ret = 0, i;
1218
1219 if (batch)
1220 {
1221 if (!cfg.uri)
1222 return;
1223
1224 for (i = 0; cfg.uri[i] != NULL; i++)
1225 {
1226 if (type == TYPE_CRT)
1227 ret =
1228 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_URI,
1229 cfg.uri[i],
1230 strlen (cfg.uri[i]),
1231 GNUTLS_FSAN_APPEND);
1232 else
1233 ret =
1234 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_URI,
1235 cfg.uri[i],
1236 strlen (cfg.uri[i]),
1237 GNUTLS_FSAN_APPEND);
1238
1239 if (ret < 0)
1240 break;
1241 }
1242 }
1243 else
1244 {
1245 const char *p;
1246
1247 do
1248 {
1249 p =
1250 read_str ("Enter a URI of the subject of the certificate: ");
1251 if (!p)
1252 return;
1253
1254 if (type == TYPE_CRT)
1255 ret = gnutls_x509_crt_set_subject_alt_name
1256 (crt, GNUTLS_SAN_URI, p, strlen (p), GNUTLS_FSAN_APPEND);
1257 else
1258 ret = gnutls_x509_crq_set_subject_alt_name
1259 (crt, GNUTLS_SAN_URI, p, strlen (p), GNUTLS_FSAN_APPEND);
1260 }
1261 while (p);
1262 }
1263
1264 if (ret < 0)
1265 {
1266 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1267 exit (1);
1268 }
1269 }
1270
1271
1272
1273 int
1274 get_sign_status (int server)
1275 {
1276 const char *msg;
1277
1278 if (batch)
1279 {
1280 return cfg.signing_key;
1281 }
1282 else
1283 {
1284 if (server)
1285 msg =
1286 "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): ";
1287 else
1288 msg =
1289 "Will the certificate be used for signing (required for TLS)? (y/N): ";
1290 return read_yesno (msg);
1291 }
1292 }
1293
1294 int
1295 get_encrypt_status (int server)
1296 {
1297 const char *msg;
1298
1299 if (batch)
1300 {
1301 return cfg.encryption_key;
1302 }
1303 else
1304 {
1305 if (server)
1306 msg =
1307 "Will the certificate be used for encryption (RSA ciphersuites)? (y/N): ";
1308 else
1309 msg =
1310 "Will the certificate be used for encryption (not required for TLS)? (y/N): ";
1311 return read_yesno (msg);
1312 }
1313 }
1314
1315 int
1316 get_cert_sign_status (void)
1317 {
1318 if (batch)
1319 {
1320 return cfg.cert_sign_key;
1321 }
1322 else
1323 {
1324 return
1325 read_yesno
1326 ("Will the certificate be used to sign other certificates? (y/N): ");
1327 }
1328 }
1329
1330 int
1331 get_crl_sign_status (void)
1332 {
1333 if (batch)
1334 {
1335 return cfg.crl_sign_key;
1336 }
1337 else
1338 {
1339 return
1340 read_yesno ("Will the certificate be used to sign CRLs? (y/N): ");
1341 }
1342 }
1343
1344 int
1345 get_code_sign_status (void)
1346 {
1347 if (batch)
1348 {
1349 return cfg.code_sign_key;
1350 }
1351 else
1352 {
1353 return
1354 read_yesno ("Will the certificate be used to sign code? (y/N): ");
1355 }
1356 }
1357
1358 int
1359 get_ocsp_sign_status (void)
1360 {
1361 if (batch)
1362 {
1363 return cfg.ocsp_sign_key;
1364 }
1365 else
1366 {
1367 return
1368 read_yesno
1369 ("Will the certificate be used to sign OCSP requests? (y/N): ");
1370 }
1371 }
1372
1373 int
1374 get_time_stamp_status (void)
1375 {
1376 if (batch)
1377 {
1378 return cfg.time_stamping_key;
1379 }
1380 else
1381 {
1382 return
1383 read_yesno
1384 ("Will the certificate be used for time stamping? (y/N): ");
1385 }
1386 }
1387
1388 int
1389 get_ipsec_ike_status (void)
1390 {
1391 if (batch)
1392 {
1393 return cfg.ipsec_ike_key;
1394 }
1395 else
1396 {
1397 return
1398 read_yesno
1399 ("Will the certificate be used for IPsec IKE operations? (y/N): ");
1400 }
1401 }
1402
1403 int
1404 get_crl_next_update (void)
1405 {
1406 int days;
1407
1408 if (batch)
1409 {
1410 if (cfg.crl_next_update <= 0)
1411 return 365;
1412 else
1413 return cfg.crl_next_update;
1414 }
1415 else
1416 {
1417 do
1418 {
1419 days = read_int ("The next CRL will be issued in (days): ");
1420 }
1421 while (days == 0);
1422 return days;
1423 }
1424 }
1425
1426 const char *
1427 get_proxy_policy (char **policy, size_t * policylen)
1428 {
1429 const char *ret;
1430
1431 if (batch)
1432 {
1433 ret = cfg.proxy_policy_language;
1434 if (!ret)
1435 ret = "1.3.6.1.5.5.7.21.1";
1436 }
1437 else
1438 {
1439 do
1440 {
1441 ret = read_str ("Enter the OID of the proxy policy language: ");
1442 }
1443 while (ret == NULL);
1444 }
1445
1446 *policy = NULL;
1447 *policylen = 0;
1448
1449 if (strcmp (ret, "1.3.6.1.5.5.7.21.1") != 0 &&
1450 strcmp (ret, "1.3.6.1.5.5.7.21.2") != 0)
1451 {
1452 fprintf (stderr, "Reading non-standard proxy policy not supported.\n");
1453 }
1454
1455 return ret;
1456 }
1457
1458 /* CRQ stuff.
1459 */
1460 void
1461 get_country_crq_set (gnutls_x509_crq_t crq)
1462 {
1463 int ret;
1464
1465 if (batch)
1466 {
1467 if (!cfg.country)
1468 return;
1469 ret =
1470 gnutls_x509_crq_set_dn_by_oid (crq,
1471 GNUTLS_OID_X520_COUNTRY_NAME, 0,
1472 cfg.country, strlen (cfg.country));
1473 if (ret < 0)
1474 {
1475 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1476 exit (1);
1477 }
1478 }
1479 else
1480 {
1481 read_crq_set (crq, "Country name (2 chars): ",
1482 GNUTLS_OID_X520_COUNTRY_NAME);
1483 }
1484
1485 }
1486
1487 void
1488 get_organization_crq_set (gnutls_x509_crq_t crq)
1489 {
1490 int ret;
1491
1492 if (batch)
1493 {
1494 if (!cfg.organization)
1495 return;
1496
1497 ret =
1498 gnutls_x509_crq_set_dn_by_oid (crq,
1499 GNUTLS_OID_X520_ORGANIZATION_NAME,
1500 0, cfg.organization,
1501 strlen (cfg.organization));
1502 if (ret < 0)
1503 {
1504 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1505 exit (1);
1506 }
1507 }
1508 else
1509 {
1510 read_crq_set (crq, "Organization name: ",
1511 GNUTLS_OID_X520_ORGANIZATION_NAME);
1512 }
1513
1514 }
1515
1516 void
1517 get_unit_crq_set (gnutls_x509_crq_t crq)
1518 {
1519 int ret;
1520
1521 if (batch)
1522 {
1523 if (!cfg.unit)
1524 return;
1525
1526 ret =
1527 gnutls_x509_crq_set_dn_by_oid (crq,
1528 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
1529 0, cfg.unit, strlen (cfg.unit));
1530 if (ret < 0)
1531 {
1532 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1533 exit (1);
1534 }
1535 }
1536 else
1537 {
1538 read_crq_set (crq, "Organizational unit name: ",
1539 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
1540 }
1541
1542 }
1543
1544 void
1545 get_state_crq_set (gnutls_x509_crq_t crq)
1546 {
1547 int ret;
1548
1549 if (batch)
1550 {
1551 if (!cfg.state)
1552 return;
1553 ret =
1554 gnutls_x509_crq_set_dn_by_oid (crq,
1555 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
1556 0, cfg.state, strlen (cfg.state));
1557 if (ret < 0)
1558 {
1559 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1560 exit (1);
1561 }
1562 }
1563 else
1564 {
1565 read_crq_set (crq, "State or province name: ",
1566 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
1567 }
1568
1569 }
1570
1571 void
1572 get_locality_crq_set (gnutls_x509_crq_t crq)
1573 {
1574 int ret;
1575
1576 if (batch)
1577 {
1578 if (!cfg.locality)
1579 return;
1580 ret =
1581 gnutls_x509_crq_set_dn_by_oid (crq,
1582 GNUTLS_OID_X520_LOCALITY_NAME, 0,
1583 cfg.locality, strlen (cfg.locality));
1584 if (ret < 0)
1585 {
1586 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1587 exit (1);
1588 }
1589 }
1590 else
1591 {
1592 read_crq_set (crq, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
1593 }
1594
1595 }
1596
1597 void
1598 get_cn_crq_set (gnutls_x509_crq_t crq)
1599 {
1600 int ret;
1601
1602 if (batch)
1603 {
1604 if (!cfg.cn)
1605 return;
1606 ret =
1607 gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
1608 0, cfg.cn, strlen (cfg.cn));
1609 if (ret < 0)
1610 {
1611 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1612 exit (1);
1613 }
1614 }
1615 else
1616 {
1617 read_crq_set (crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
1618 }
1619
1620 }
1621
1622 void
1623 get_uid_crq_set (gnutls_x509_crq_t crq)
1624 {
1625 int ret;
1626
1627 if (batch)
1628 {
1629 if (!cfg.uid)
1630 return;
1631 ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_LDAP_UID, 0,
1632 cfg.uid, strlen (cfg.uid));
1633 if (ret < 0)
1634 {
1635 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1636 exit (1);
1637 }
1638 }
1639 else
1640 {
1641 read_crq_set (crq, "UID: ", GNUTLS_OID_LDAP_UID);
1642 }
1643
1644 }
1645
1646 void
1647 get_oid_crq_set (gnutls_x509_crq_t crq)
1648 {
1649 int ret, i;
1650
1651 if (batch)
1652 {
1653 if (!cfg.dn_oid)
1654 return;
1655 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
1656 {
1657 if (cfg.dn_oid[i + 1] == NULL)
1658 {
1659 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
1660 cfg.dn_oid[i]);
1661 exit (1);
1662 }
1663 ret = gnutls_x509_crq_set_dn_by_oid (crq, cfg.dn_oid[i], 0,
1664 cfg.dn_oid[i + 1],
1665 strlen (cfg.dn_oid[i + 1]));
1666
1667 if (ret < 0)
1668 {
1669 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
1670 exit (1);
1671 }
1672 }
1673 }
1674
1675 }
Implementation of the SSL/TLS protocol