search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
corrected makefile
[gnutls.git] / src / certtool-cfg.c
blobf92a5075b926620e299d0b6002e0243ac97620ba
1 /*
2 * Copyright (C) 2004-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 *
20 * Written by Nikos Mavrogiannopoulos <nmav@gnutls.org>.
21 */
22
23 #include <config.h>
24
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <certtool-cfg.h>
28 #include <gnutls/x509.h>
29 #include <string.h>
30 #include <limits.h>
31 #include <inttypes.h>
32 #include <time.h>
33 #include <autoopts/options.h>
34
35 /* for inet_pton */
36 #include <sys/types.h>
37
38 #if HAVE_SYS_SOCKET_H
39 # include <sys/socket.h>
40 #elif HAVE_WS2TCPIP_H
41 # include <ws2tcpip.h>
42 #endif
43 #include <arpa/inet.h>
44
45 /* Gnulib portability files. */
46 #include <getpass.h>
47 #include "certtool-common.h"
48
49 extern int batch;
50
51 #define MAX_ENTRIES 16
52
53 typedef struct _cfg_ctx
54 {
55 char *organization;
56 char *unit;
57 char *locality;
58 char *state;
59 char *cn;
60 char *uid;
61 char *challenge_password;
62 char *pkcs9_email;
63 char *country;
64 char **dc;
65 char **dns_name;
66 char **ip_addr;
67 char **email;
68 char **dn_oid;
69 char *crl_dist_points;
70 char *password;
71 char *pkcs12_key_name;
72 int serial;
73 int expiration_days;
74 int ca;
75 int path_len;
76 int tls_www_client;
77 int tls_www_server;
78 int signing_key;
79 int encryption_key;
80 int cert_sign_key;
81 int crl_sign_key;
82 int code_sign_key;
83 int ocsp_sign_key;
84 int time_stamping_key;
85 int ipsec_ike_key;
86 char **key_purpose_oids;
87 int crl_next_update;
88 int crl_number;
89 int crq_extensions;
90 char *proxy_policy_language;
91 } cfg_ctx;
92
93 cfg_ctx cfg;
94
95 void
96 cfg_init (void)
97 {
98 memset (&cfg, 0, sizeof (cfg));
99 cfg.path_len = -1;
100 cfg.serial = -1;
101 }
102
103 #define READ_MULTI_LINE(name, s_name) \
104 val = optionGetValue(pov, name); \
105 if (val != NULL && val->valType == OPARG_TYPE_STRING) \
106 { \
107 if (s_name == NULL) { \
108 i = 0; \
109 s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
110 do { \
111 if (val && !strcmp(val->pzName, name)==0) \
112 continue; \
113 s_name[i] = strdup(val->v.strVal); \
114 i++; \
115 if (i>=MAX_ENTRIES) \
116 break; \
117 } while((val = optionNextValue(pov, val)) != NULL); \
118 s_name[i] = NULL; \
119 } \
120 }
121
122 #define READ_MULTI_LINE_TOKENIZED(name, s_name) \
123 val = optionGetValue(pov, name); \
124 if (val != NULL && val->valType == OPARG_TYPE_STRING) \
125 { \
126 char str[512]; \
127 char * p; \
128 if (s_name == NULL) { \
129 i = 0; \
130 s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
131 do { \
132 if (val && !strcmp(val->pzName, name)==0) \
133 continue; \
134 strncpy(str, val->v.strVal, sizeof(str)-1); \
135 str[sizeof(str)-1] = 0; \
136 if ((p=strchr(str, ' ')) == NULL && (p=strchr(str, '\t')) == NULL) { \
137 fprintf(stderr, "Error parsing %s\n", name); \
138 exit(1); \
139 } \
140 p[0] = 0; \
141 p++; \
142 s_name[i] = strdup(str); \
143 while(*p==' ' || *p == '\t') p++; \
144 if (p[0] == 0) { \
145 fprintf(stderr, "Error (2) parsing %s\n", name); \
146 exit(1); \
147 } \
148 s_name[i+1] = strdup(p); \
149 i+=2; \
150 if (i>=MAX_ENTRIES) \
151 break; \
152 } while((val = optionNextValue(pov, val)) != NULL); \
153 s_name[i] = NULL; \
154 } \
155 }
156
157 #define READ_BOOLEAN(name, s_name) \
158 val = optionGetValue(pov, name); \
159 if (val != NULL) \
160 { \
161 s_name = 1; \
162 }
163
164 #define READ_NUMERIC(name, s_name) \
165 val = optionGetValue(pov, name); \
166 if (val != NULL) \
167 { \
168 if (val->valType == OPARG_TYPE_NUMERIC) \
169 s_name = val->v.longVal; \
170 else if (val->valType == OPARG_TYPE_STRING) \
171 s_name = atoi(val->v.strVal); \
172 }
173
174 int
175 template_parse (const char *template)
176 {
177 /* Parsing return code */
178 int ret;
179 unsigned int i;
180 tOptionValue const * pov;
181 const tOptionValue* val;
182
183 pov = configFileLoad(template);
184 if (pov == NULL)
185 {
186 perror("configFileLoad");
187 fprintf(stderr, "Error loading template: %s\n", template);
188 exit(1);
189 }
190
191 /* Option variables */
192 val = optionGetValue(pov, "organization");
193 if (val != NULL && val->valType == OPARG_TYPE_STRING)
194 cfg.organization = strdup(val->v.strVal);
195
196 val = optionGetValue(pov, "unit");
197 if (val != NULL && val->valType == OPARG_TYPE_STRING)
198 cfg.unit = strdup(val->v.strVal);
199
200 val = optionGetValue(pov, "locality");
201 if (val != NULL && val->valType == OPARG_TYPE_STRING)
202 cfg.locality = strdup(val->v.strVal);
203
204 val = optionGetValue(pov, "state");
205 if (val != NULL && val->valType == OPARG_TYPE_STRING)
206 cfg.state = strdup(val->v.strVal);
207
208 val = optionGetValue(pov, "cn");
209 if (val != NULL && val->valType == OPARG_TYPE_STRING)
210 cfg.cn = strdup(val->v.strVal);
211
212 val = optionGetValue(pov, "uid");
213 if (val != NULL && val->valType == OPARG_TYPE_STRING)
214 cfg.uid = strdup(val->v.strVal);
215
216 val = optionGetValue(pov, "challenge_password");
217 if (val != NULL && val->valType == OPARG_TYPE_STRING)
218 cfg.challenge_password = strdup(val->v.strVal);
219
220 val = optionGetValue(pov, "password");
221 if (val != NULL && val->valType == OPARG_TYPE_STRING)
222 cfg.password = strdup(val->v.strVal);
223
224 val = optionGetValue(pov, "pkcs9_email");
225 if (val != NULL && val->valType == OPARG_TYPE_STRING)
226 cfg.pkcs9_email = strdup(val->v.strVal);
227
228 val = optionGetValue(pov, "country");
229 if (val != NULL && val->valType == OPARG_TYPE_STRING)
230 cfg.country = strdup(val->v.strVal);
231
232 READ_MULTI_LINE("dc", cfg.dc);
233 READ_MULTI_LINE("dns_name", cfg.dns_name);
234 READ_MULTI_LINE("ip_address", cfg.ip_addr);
235 READ_MULTI_LINE("email", cfg.email);
236 READ_MULTI_LINE("key_purpose_oid", cfg.key_purpose_oids);
237
238 READ_MULTI_LINE_TOKENIZED("dn_oid", cfg.dn_oid);
239
240 val = optionGetValue(pov, "crl_dist_points");
241 if (val != NULL && val->valType == OPARG_TYPE_STRING)
242 cfg.crl_dist_points = strdup(val->v.strVal);
243
244 val = optionGetValue(pov, "pkcs12_key_name");
245 if (val != NULL && val->valType == OPARG_TYPE_STRING)
246 cfg.pkcs12_key_name = strdup(val->v.strVal);
247
248
249 READ_NUMERIC("serial", cfg.serial);
250 READ_NUMERIC("expiration_days", cfg.expiration_days);
251 READ_NUMERIC("crl_next_update", cfg.crl_next_update);
252 READ_NUMERIC("crl_number", cfg.crl_number);
253
254 val = optionGetValue(pov, "proxy_policy_language");
255 if (val != NULL && val->valType == OPARG_TYPE_STRING)
256 cfg.proxy_policy_language = strdup(val->v.strVal);
257
258 READ_BOOLEAN("ca", cfg.ca);
259 READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
260 READ_BOOLEAN("path_len", cfg.path_len);
261 READ_BOOLEAN("tls_www_client", cfg.tls_www_client);
262 READ_BOOLEAN("tls_www_server", cfg.tls_www_server);
263 READ_BOOLEAN("signing_key", cfg.signing_key);
264 READ_BOOLEAN("encryption_key", cfg.encryption_key);
265 READ_BOOLEAN("cert_signing_key", cfg.cert_sign_key);
266 READ_BOOLEAN("crl_signing_key", cfg.crl_sign_key);
267 READ_BOOLEAN("code_signing_key", cfg.code_sign_key);
268 READ_BOOLEAN("ocsp_signing_key", cfg.ocsp_sign_key);
269 READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
270 READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);
271
272 optionUnloadNested(pov);
273
274 return 0;
275 }
276
277 #define IS_NEWLINE(x) ((x[0] == '\n') || (x[0] == '\r'))
278
279 void
280 read_crt_set (gnutls_x509_crt_t crt, const char *input_str, const char *oid)
281 {
282 char input[128];
283 int ret;
284
285 fputs (input_str, stderr);
286 if (fgets (input, sizeof (input), stdin) == NULL)
287 return;
288
289 if (IS_NEWLINE(input))
290 return;
291
292 ret =
293 gnutls_x509_crt_set_dn_by_oid (crt, oid, 0, input, strlen (input) - 1);
294 if (ret < 0)
295 {
296 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
297 exit (1);
298 }
299 }
300
301 void
302 read_crq_set (gnutls_x509_crq_t crq, const char *input_str, const char *oid)
303 {
304 char input[128];
305 int ret;
306
307 fputs (input_str, stderr);
308 if (fgets (input, sizeof (input), stdin) == NULL)
309 return;
310
311 if (IS_NEWLINE(input))
312 return;
313
314 ret =
315 gnutls_x509_crq_set_dn_by_oid (crq, oid, 0, input, strlen (input) - 1);
316 if (ret < 0)
317 {
318 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
319 exit (1);
320 }
321 }
322
323 /* The input_str should contain %d or %u to print the default.
324 */
325 static int
326 read_int_with_default (const char *input_str, int def)
327 {
328 char *endptr;
329 long l, len;
330 static char input[128];
331
332 fprintf (stderr, input_str, def);
333 if (fgets (input, sizeof (input), stdin) == NULL)
334 return def;
335
336 if (IS_NEWLINE(input))
337 return def;
338
339 len = strlen (input);
340
341 l = strtol (input, &endptr, 0);
342
343 if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n')
344 {
345 fprintf (stderr, "Trailing garbage ignored: `%s'\n", endptr);
346 return 0;
347 }
348
349 if (l <= INT_MIN || l >= INT_MAX)
350 {
351 fprintf (stderr, "Integer out of range: `%s'\n", input);
352 return 0;
353 }
354
355 if (input == endptr)
356 l = def;
357
358 return (int) l;
359 }
360
361 int
362 read_int (const char *input_str)
363 {
364 return read_int_with_default (input_str, 0);
365 }
366
367 const char *
368 read_str (const char *input_str)
369 {
370 static char input[128];
371 int len;
372
373 fputs (input_str, stderr);
374 if (fgets (input, sizeof (input), stdin) == NULL)
375 return NULL;
376
377 if (IS_NEWLINE(input))
378 return NULL;
379
380 len = strlen (input);
381 if ((len > 0) && (input[len - 1] == '\n'))
382 input[len - 1] = 0;
383 if (input[0] == 0)
384 return NULL;
385
386 return input;
387 }
388
389 /* Default is no
390 */
391 int
392 read_yesno (const char *input_str)
393 {
394 char input[128];
395
396 fputs (input_str, stderr);
397 if (fgets (input, sizeof (input), stdin) == NULL)
398 return 0;
399
400 if (IS_NEWLINE(input))
401 return 0;
402
403 if (input[0] == 'y' || input[0] == 'Y')
404 return 1;
405
406 return 0;
407 }
408
409
410 /* Wrapper functions for non-interactive mode.
411 */
412 const char *
413 get_pass (void)
414 {
415 if (batch)
416 return cfg.password;
417 else
418 return getpass ("Enter password: ");
419 }
420
421 const char *
422 get_confirmed_pass (bool empty_ok)
423 {
424 if (batch)
425 return cfg.password;
426 else
427 {
428 const char *pass = NULL;
429 char *copy = NULL;
430
431 do
432 {
433 if (pass)
434 printf ("Password missmatch, try again.\n");
435
436 free (copy);
437
438 pass = getpass ("Enter password: ");
439 copy = strdup (pass);
440 pass = getpass ("Confirm password: ");
441 }
442 while (strcmp (pass, copy) != 0 && !(empty_ok && *pass == '\0'));
443
444 free (copy);
445
446 return pass;
447 }
448 }
449
450 const char *
451 get_challenge_pass (void)
452 {
453 if (batch)
454 return cfg.challenge_password;
455 else
456 return getpass ("Enter a challenge password: ");
457 }
458
459 const char *
460 get_crl_dist_point_url (void)
461 {
462 if (batch)
463 return cfg.crl_dist_points;
464 else
465 return read_str ("Enter the URI of the CRL distribution point: ");
466 }
467
468 void
469 get_country_crt_set (gnutls_x509_crt_t crt)
470 {
471 int ret;
472
473 if (batch)
474 {
475 if (!cfg.country)
476 return;
477 ret =
478 gnutls_x509_crt_set_dn_by_oid (crt,
479 GNUTLS_OID_X520_COUNTRY_NAME, 0,
480 cfg.country, strlen (cfg.country));
481 if (ret < 0)
482 {
483 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
484 exit (1);
485 }
486 }
487 else
488 {
489 read_crt_set (crt, "Country name (2 chars): ",
490 GNUTLS_OID_X520_COUNTRY_NAME);
491 }
492
493 }
494
495 void
496 get_organization_crt_set (gnutls_x509_crt_t crt)
497 {
498 int ret;
499
500 if (batch)
501 {
502 if (!cfg.organization)
503 return;
504
505 ret =
506 gnutls_x509_crt_set_dn_by_oid (crt,
507 GNUTLS_OID_X520_ORGANIZATION_NAME,
508 0, cfg.organization,
509 strlen (cfg.organization));
510 if (ret < 0)
511 {
512 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
513 exit (1);
514 }
515 }
516 else
517 {
518 read_crt_set (crt, "Organization name: ",
519 GNUTLS_OID_X520_ORGANIZATION_NAME);
520 }
521
522 }
523
524 void
525 get_unit_crt_set (gnutls_x509_crt_t crt)
526 {
527 int ret;
528
529 if (batch)
530 {
531 if (!cfg.unit)
532 return;
533
534 ret =
535 gnutls_x509_crt_set_dn_by_oid (crt,
536 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
537 0, cfg.unit, strlen (cfg.unit));
538 if (ret < 0)
539 {
540 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
541 exit (1);
542 }
543 }
544 else
545 {
546 read_crt_set (crt, "Organizational unit name: ",
547 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
548 }
549
550 }
551
552 void
553 get_state_crt_set (gnutls_x509_crt_t crt)
554 {
555 int ret;
556
557 if (batch)
558 {
559 if (!cfg.state)
560 return;
561 ret =
562 gnutls_x509_crt_set_dn_by_oid (crt,
563 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
564 0, cfg.state, strlen (cfg.state));
565 if (ret < 0)
566 {
567 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
568 exit (1);
569 }
570 }
571 else
572 {
573 read_crt_set (crt, "State or province name: ",
574 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
575 }
576
577 }
578
579 void
580 get_locality_crt_set (gnutls_x509_crt_t crt)
581 {
582 int ret;
583
584 if (batch)
585 {
586 if (!cfg.locality)
587 return;
588 ret =
589 gnutls_x509_crt_set_dn_by_oid (crt,
590 GNUTLS_OID_X520_LOCALITY_NAME, 0,
591 cfg.locality, strlen (cfg.locality));
592 if (ret < 0)
593 {
594 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
595 exit (1);
596 }
597 }
598 else
599 {
600 read_crt_set (crt, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
601 }
602
603 }
604
605 void
606 get_cn_crt_set (gnutls_x509_crt_t crt)
607 {
608 int ret;
609
610 if (batch)
611 {
612 if (!cfg.cn)
613 return;
614 ret =
615 gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_X520_COMMON_NAME,
616 0, cfg.cn, strlen (cfg.cn));
617 if (ret < 0)
618 {
619 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
620 exit (1);
621 }
622 }
623 else
624 {
625 read_crt_set (crt, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
626 }
627
628 }
629
630 void
631 get_uid_crt_set (gnutls_x509_crt_t crt)
632 {
633 int ret;
634
635 if (batch)
636 {
637 if (!cfg.uid)
638 return;
639 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_UID, 0,
640 cfg.uid, strlen (cfg.uid));
641 if (ret < 0)
642 {
643 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
644 exit (1);
645 }
646 }
647 else
648 {
649 read_crt_set (crt, "UID: ", GNUTLS_OID_LDAP_UID);
650 }
651
652 }
653
654 void
655 get_oid_crt_set (gnutls_x509_crt_t crt)
656 {
657 int ret, i;
658
659 if (batch)
660 {
661 if (!cfg.dn_oid)
662 return;
663 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
664 {
665 if (cfg.dn_oid[i + 1] == NULL)
666 {
667 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
668 cfg.dn_oid[i]);
669 exit (1);
670 }
671 ret = gnutls_x509_crt_set_dn_by_oid (crt, cfg.dn_oid[i], 0,
672 cfg.dn_oid[i + 1],
673 strlen (cfg.dn_oid[i + 1]));
674
675 if (ret < 0)
676 {
677 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
678 exit (1);
679 }
680 }
681 }
682 }
683
684 void
685 get_key_purpose_set (gnutls_x509_crt_t crt)
686 {
687 int ret, i;
688
689 if (batch)
690 {
691 if (!cfg.key_purpose_oids)
692 return;
693 for (i = 0; cfg.key_purpose_oids[i] != NULL; i++)
694 {
695 ret =
696 gnutls_x509_crt_set_key_purpose_oid (crt, cfg.key_purpose_oids[i],
697 0);
698
699 if (ret < 0)
700 {
701 fprintf (stderr, "set_key_purpose_oid (%s): %s\n",
702 cfg.key_purpose_oids[i], gnutls_strerror (ret));
703 exit (1);
704 }
705 }
706 }
707
708 }
709
710
711 void
712 get_pkcs9_email_crt_set (gnutls_x509_crt_t crt)
713 {
714 int ret;
715
716 if (batch)
717 {
718 if (!cfg.pkcs9_email)
719 return;
720 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_PKCS9_EMAIL, 0,
721 cfg.pkcs9_email,
722 strlen (cfg.pkcs9_email));
723 if (ret < 0)
724 {
725 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
726 exit (1);
727 }
728 }
729 else
730 {
731 read_crt_set (crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL);
732 }
733
734 }
735
736 int
737 get_serial (void)
738 {
739 int default_serial = time (NULL);
740
741 if (batch)
742 {
743 if (cfg.serial < 0)
744 return default_serial;
745 return cfg.serial;
746 }
747 else
748 {
749 return read_int_with_default
750 ("Enter the certificate's serial number in decimal (default: %u): ",
751 default_serial);
752 }
753 }
754
755 int
756 get_days (void)
757 {
758 int days;
759
760 if (batch)
761 {
762 if (cfg.expiration_days <= 0)
763 return 365;
764 else
765 return cfg.expiration_days;
766 }
767 else
768 {
769 do
770 {
771 days = read_int ("The certificate will expire in (days): ");
772 }
773 while (days == 0);
774 return days;
775 }
776 }
777
778 int
779 get_ca_status (void)
780 {
781 if (batch)
782 {
783 return cfg.ca;
784 }
785 else
786 {
787 return
788 read_yesno ("Does the certificate belong to an authority? (y/N): ");
789 }
790 }
791
792 int
793 get_crq_extensions_status (void)
794 {
795 if (batch)
796 {
797 return cfg.crq_extensions;
798 }
799 else
800 {
801 return
802 read_yesno
803 ("Do you want to honour the extensions from the request? (y/N): ");
804 }
805 }
806
807 int
808 get_crl_number (void)
809 {
810 if (batch)
811 {
812 return cfg.crl_number;
813 }
814 else
815 {
816 return read_int_with_default ("CRL Number: ", 1);
817 }
818 }
819
820 int
821 get_path_len (void)
822 {
823 if (batch)
824 {
825 return cfg.path_len;
826 }
827 else
828 {
829 return read_int_with_default
830 ("Path length constraint (decimal, %d for no constraint): ", -1);
831 }
832 }
833
834 const char *
835 get_pkcs12_key_name (void)
836 {
837 const char *name;
838
839 if (batch)
840 {
841 if (!cfg.pkcs12_key_name)
842 return "Anonymous";
843 return cfg.pkcs12_key_name;
844 }
845 else
846 {
847 do
848 {
849 name = read_str ("Enter a name for the key: ");
850 }
851 while (name == NULL);
852 }
853 return name;
854 }
855
856 int
857 get_tls_client_status (void)
858 {
859 if (batch)
860 {
861 return cfg.tls_www_client;
862 }
863 else
864 {
865 return read_yesno ("Is this a TLS web client certificate? (y/N): ");
866 }
867 }
868
869 int
870 get_tls_server_status (void)
871 {
872 if (batch)
873 {
874 return cfg.tls_www_server;
875 }
876 else
877 {
878 return
879 read_yesno ("Is this also a TLS web server certificate? (y/N): ");
880 }
881 }
882
883 /* convert a printable IP to binary */
884 static int
885 string_to_ip (unsigned char *ip, const char *str)
886 {
887 int len = strlen (str);
888 int ret;
889
890 #if HAVE_IPV6
891 if (strchr (str, ':') != NULL || len > 16)
892 { /* IPv6 */
893 ret = inet_pton (AF_INET6, str, ip);
894 if (ret <= 0)
895 {
896 fprintf (stderr, "Error in IPv6 address %s\n", str);
897 exit (1);
898 }
899
900 /* To be done */
901 return 16;
902 }
903 else
904 #endif
905 { /* IPv4 */
906 ret = inet_pton (AF_INET, str, ip);
907 if (ret <= 0)
908 {
909 fprintf (stderr, "Error in IPv4 address %s\n", str);
910 exit (1);
911 }
912
913 return 4;
914 }
915
916 }
917
918 void
919 get_ip_addr_set (int type, void *crt)
920 {
921 int ret = 0, i;
922 unsigned char ip[16];
923 int len;
924
925 if (batch)
926 {
927 if (!cfg.ip_addr)
928 return;
929
930 for (i = 0; cfg.ip_addr[i] != NULL; i++)
931 {
932 len = string_to_ip (ip, cfg.ip_addr[i]);
933 if (len <= 0)
934 {
935 fprintf (stderr, "Error parsing address: %s\n", cfg.ip_addr[i]);
936 exit (1);
937 }
938
939 if (type == TYPE_CRT)
940 ret =
941 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
942 ip, len,
943 GNUTLS_FSAN_APPEND);
944 else
945 ret =
946 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
947 ip, len,
948 GNUTLS_FSAN_APPEND);
949
950 if (ret < 0)
951 break;
952 }
953 }
954 else
955 {
956 const char *p;
957
958 p =
959 read_str ("Enter the IP address of the subject of the certificate: ");
960 if (!p)
961 return;
962
963 len = string_to_ip (ip, p);
964 if (len <= 0)
965 {
966 fprintf (stderr, "Error parsing address: %s\n", p);
967 exit (1);
968 }
969
970 if (type == TYPE_CRT)
971 ret = gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
972 ip, len,
973 GNUTLS_FSAN_APPEND);
974 else
975 ret = gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_IPADDRESS,
976 ip, len,
977 GNUTLS_FSAN_APPEND);
978 }
979
980 if (ret < 0)
981 {
982 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
983 exit (1);
984 }
985 }
986
987 void
988 get_email_set (int type, void *crt)
989 {
990 int ret = 0, i;
991
992 if (batch)
993 {
994 if (!cfg.email)
995 return;
996
997 for (i = 0; cfg.email[i] != NULL; i++)
998 {
999 if (type == TYPE_CRT)
1000 ret =
1001 gnutls_x509_crt_set_subject_alt_name (crt,
1002 GNUTLS_SAN_RFC822NAME,
1003 cfg.email[i],
1004 strlen (cfg.email[i]),
1005 GNUTLS_FSAN_APPEND);
1006 else
1007 ret =
1008 gnutls_x509_crq_set_subject_alt_name (crt,
1009 GNUTLS_SAN_RFC822NAME,
1010 cfg.email[i],
1011 strlen (cfg.email[i]),
1012 GNUTLS_FSAN_APPEND);
1013
1014 if (ret < 0)
1015 break;
1016 }
1017 }
1018 else
1019 {
1020 const char *p;
1021
1022 p = read_str ("Enter the e-mail of the subject of the certificate: ");
1023 if (!p)
1024 return;
1025
1026 if (type == TYPE_CRT)
1027 ret =
1028 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
1029 strlen (p),
1030 GNUTLS_FSAN_APPEND);
1031 else
1032 ret =
1033 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_RFC822NAME, p,
1034 strlen (p),
1035 GNUTLS_FSAN_APPEND);
1036 }
1037
1038 if (ret < 0)
1039 {
1040 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1041 exit (1);
1042 }
1043 }
1044
1045
1046 void
1047 get_dc_set (int type, void *crt)
1048 {
1049 int ret = 0, i;
1050
1051 if (batch)
1052 {
1053 if (!cfg.dc)
1054 return;
1055
1056 for (i = 0; cfg.dc[i] != NULL; i++)
1057 {
1058 if (type == TYPE_CRT)
1059 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1060 0, cfg.dc[i], strlen (cfg.dc[i]));
1061 else
1062 ret = gnutls_x509_crq_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1063 0, cfg.dc[i], strlen (cfg.dc[i]));
1064
1065 if (ret < 0)
1066 break;
1067 }
1068 }
1069 else
1070 {
1071 const char *p;
1072
1073 do
1074 {
1075 p = read_str ("Enter the subject's domain component (DC): ");
1076 if (!p)
1077 return;
1078
1079 if (type == TYPE_CRT)
1080 ret = gnutls_x509_crt_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1081 0, p, strlen (p));
1082 else
1083 ret = gnutls_x509_crq_set_dn_by_oid (crt, GNUTLS_OID_LDAP_DC,
1084 0, p, strlen (p));
1085 }
1086 while(p != NULL);
1087 }
1088
1089 if (ret < 0)
1090 {
1091 fprintf (stderr, "set_dn_by_oid: %s\n", gnutls_strerror (ret));
1092 exit (1);
1093 }
1094 }
1095
1096 void
1097 get_dns_name_set (int type, void *crt)
1098 {
1099 int ret = 0, i;
1100
1101 if (batch)
1102 {
1103 if (!cfg.dns_name)
1104 return;
1105
1106 for (i = 0; cfg.dns_name[i] != NULL; i++)
1107 {
1108 if (type == TYPE_CRT)
1109 ret =
1110 gnutls_x509_crt_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
1111 cfg.dns_name[i],
1112 strlen (cfg.dns_name[i]),
1113 GNUTLS_FSAN_APPEND);
1114 else
1115 ret =
1116 gnutls_x509_crq_set_subject_alt_name (crt, GNUTLS_SAN_DNSNAME,
1117 cfg.dns_name[i],
1118 strlen (cfg.dns_name[i]),
1119 GNUTLS_FSAN_APPEND);
1120
1121 if (ret < 0)
1122 break;
1123 }
1124 }
1125 else
1126 {
1127 const char *p;
1128
1129 do
1130 {
1131 p =
1132 read_str ("Enter a dnsName of the subject of the certificate: ");
1133 if (!p)
1134 return;
1135
1136 if (type == TYPE_CRT)
1137 ret = gnutls_x509_crt_set_subject_alt_name
1138 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1139 else
1140 ret = gnutls_x509_crq_set_subject_alt_name
1141 (crt, GNUTLS_SAN_DNSNAME, p, strlen (p), GNUTLS_FSAN_APPEND);
1142 }
1143 while (p);
1144 }
1145
1146 if (ret < 0)
1147 {
1148 fprintf (stderr, "set_subject_alt_name: %s\n", gnutls_strerror (ret));
1149 exit (1);
1150 }
1151 }
1152
1153
1154 int
1155 get_sign_status (int server)
1156 {
1157 const char *msg;
1158
1159 if (batch)
1160 {
1161 return cfg.signing_key;
1162 }
1163 else
1164 {
1165 if (server)
1166 msg =
1167 "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): ";
1168 else
1169 msg =
1170 "Will the certificate be used for signing (required for TLS)? (y/N): ";
1171 return read_yesno (msg);
1172 }
1173 }
1174
1175 int
1176 get_encrypt_status (int server)
1177 {
1178 const char *msg;
1179
1180 if (batch)
1181 {
1182 return cfg.encryption_key;
1183 }
1184 else
1185 {
1186 if (server)
1187 msg =
1188 "Will the certificate be used for encryption (RSA ciphersuites)? (y/N): ";
1189 else
1190 msg =
1191 "Will the certificate be used for encryption (not required for TLS)? (y/N): ";
1192 return read_yesno (msg);
1193 }
1194 }
1195
1196 int
1197 get_cert_sign_status (void)
1198 {
1199 if (batch)
1200 {
1201 return cfg.cert_sign_key;
1202 }
1203 else
1204 {
1205 return
1206 read_yesno
1207 ("Will the certificate be used to sign other certificates? (y/N): ");
1208 }
1209 }
1210
1211 int
1212 get_crl_sign_status (void)
1213 {
1214 if (batch)
1215 {
1216 return cfg.crl_sign_key;
1217 }
1218 else
1219 {
1220 return
1221 read_yesno ("Will the certificate be used to sign CRLs? (y/N): ");
1222 }
1223 }
1224
1225 int
1226 get_code_sign_status (void)
1227 {
1228 if (batch)
1229 {
1230 return cfg.code_sign_key;
1231 }
1232 else
1233 {
1234 return
1235 read_yesno ("Will the certificate be used to sign code? (y/N): ");
1236 }
1237 }
1238
1239 int
1240 get_ocsp_sign_status (void)
1241 {
1242 if (batch)
1243 {
1244 return cfg.ocsp_sign_key;
1245 }
1246 else
1247 {
1248 return
1249 read_yesno
1250 ("Will the certificate be used to sign OCSP requests? (y/N): ");
1251 }
1252 }
1253
1254 int
1255 get_time_stamp_status (void)
1256 {
1257 if (batch)
1258 {
1259 return cfg.time_stamping_key;
1260 }
1261 else
1262 {
1263 return
1264 read_yesno
1265 ("Will the certificate be used for time stamping? (y/N): ");
1266 }
1267 }
1268
1269 int
1270 get_ipsec_ike_status (void)
1271 {
1272 if (batch)
1273 {
1274 return cfg.ipsec_ike_key;
1275 }
1276 else
1277 {
1278 return
1279 read_yesno
1280 ("Will the certificate be used for IPsec IKE operations? (y/N): ");
1281 }
1282 }
1283
1284 int
1285 get_crl_next_update (void)
1286 {
1287 int days;
1288
1289 if (batch)
1290 {
1291 if (cfg.crl_next_update <= 0)
1292 return 365;
1293 else
1294 return cfg.crl_next_update;
1295 }
1296 else
1297 {
1298 do
1299 {
1300 days = read_int ("The next CRL will be issued in (days): ");
1301 }
1302 while (days == 0);
1303 return days;
1304 }
1305 }
1306
1307 const char *
1308 get_proxy_policy (char **policy, size_t * policylen)
1309 {
1310 const char *ret;
1311
1312 if (batch)
1313 {
1314 ret = cfg.proxy_policy_language;
1315 if (!ret)
1316 ret = "1.3.6.1.5.5.7.21.1";
1317 }
1318 else
1319 {
1320 do
1321 {
1322 ret = read_str ("Enter the OID of the proxy policy language: ");
1323 }
1324 while (ret == NULL);
1325 }
1326
1327 *policy = NULL;
1328 *policylen = 0;
1329
1330 if (strcmp (ret, "1.3.6.1.5.5.7.21.1") != 0 &&
1331 strcmp (ret, "1.3.6.1.5.5.7.21.2") != 0)
1332 {
1333 fprintf (stderr, "Reading non-standard proxy policy not supported.\n");
1334 }
1335
1336 return ret;
1337 }
1338
1339 /* CRQ stuff.
1340 */
1341 void
1342 get_country_crq_set (gnutls_x509_crq_t crq)
1343 {
1344 int ret;
1345
1346 if (batch)
1347 {
1348 if (!cfg.country)
1349 return;
1350 ret =
1351 gnutls_x509_crq_set_dn_by_oid (crq,
1352 GNUTLS_OID_X520_COUNTRY_NAME, 0,
1353 cfg.country, strlen (cfg.country));
1354 if (ret < 0)
1355 {
1356 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1357 exit (1);
1358 }
1359 }
1360 else
1361 {
1362 read_crq_set (crq, "Country name (2 chars): ",
1363 GNUTLS_OID_X520_COUNTRY_NAME);
1364 }
1365
1366 }
1367
1368 void
1369 get_organization_crq_set (gnutls_x509_crq_t crq)
1370 {
1371 int ret;
1372
1373 if (batch)
1374 {
1375 if (!cfg.organization)
1376 return;
1377
1378 ret =
1379 gnutls_x509_crq_set_dn_by_oid (crq,
1380 GNUTLS_OID_X520_ORGANIZATION_NAME,
1381 0, cfg.organization,
1382 strlen (cfg.organization));
1383 if (ret < 0)
1384 {
1385 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1386 exit (1);
1387 }
1388 }
1389 else
1390 {
1391 read_crq_set (crq, "Organization name: ",
1392 GNUTLS_OID_X520_ORGANIZATION_NAME);
1393 }
1394
1395 }
1396
1397 void
1398 get_unit_crq_set (gnutls_x509_crq_t crq)
1399 {
1400 int ret;
1401
1402 if (batch)
1403 {
1404 if (!cfg.unit)
1405 return;
1406
1407 ret =
1408 gnutls_x509_crq_set_dn_by_oid (crq,
1409 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
1410 0, cfg.unit, strlen (cfg.unit));
1411 if (ret < 0)
1412 {
1413 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1414 exit (1);
1415 }
1416 }
1417 else
1418 {
1419 read_crq_set (crq, "Organizational unit name: ",
1420 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
1421 }
1422
1423 }
1424
1425 void
1426 get_state_crq_set (gnutls_x509_crq_t crq)
1427 {
1428 int ret;
1429
1430 if (batch)
1431 {
1432 if (!cfg.state)
1433 return;
1434 ret =
1435 gnutls_x509_crq_set_dn_by_oid (crq,
1436 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
1437 0, cfg.state, strlen (cfg.state));
1438 if (ret < 0)
1439 {
1440 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1441 exit (1);
1442 }
1443 }
1444 else
1445 {
1446 read_crq_set (crq, "State or province name: ",
1447 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
1448 }
1449
1450 }
1451
1452 void
1453 get_locality_crq_set (gnutls_x509_crq_t crq)
1454 {
1455 int ret;
1456
1457 if (batch)
1458 {
1459 if (!cfg.locality)
1460 return;
1461 ret =
1462 gnutls_x509_crq_set_dn_by_oid (crq,
1463 GNUTLS_OID_X520_LOCALITY_NAME, 0,
1464 cfg.locality, strlen (cfg.locality));
1465 if (ret < 0)
1466 {
1467 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1468 exit (1);
1469 }
1470 }
1471 else
1472 {
1473 read_crq_set (crq, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME);
1474 }
1475
1476 }
1477
1478 void
1479 get_cn_crq_set (gnutls_x509_crq_t crq)
1480 {
1481 int ret;
1482
1483 if (batch)
1484 {
1485 if (!cfg.cn)
1486 return;
1487 ret =
1488 gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
1489 0, cfg.cn, strlen (cfg.cn));
1490 if (ret < 0)
1491 {
1492 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1493 exit (1);
1494 }
1495 }
1496 else
1497 {
1498 read_crq_set (crq, "Common name: ", GNUTLS_OID_X520_COMMON_NAME);
1499 }
1500
1501 }
1502
1503 void
1504 get_uid_crq_set (gnutls_x509_crq_t crq)
1505 {
1506 int ret;
1507
1508 if (batch)
1509 {
1510 if (!cfg.uid)
1511 return;
1512 ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_LDAP_UID, 0,
1513 cfg.uid, strlen (cfg.uid));
1514 if (ret < 0)
1515 {
1516 fprintf (stderr, "set_dn: %s\n", gnutls_strerror (ret));
1517 exit (1);
1518 }
1519 }
1520 else
1521 {
1522 read_crq_set (crq, "UID: ", GNUTLS_OID_LDAP_UID);
1523 }
1524
1525 }
1526
1527 void
1528 get_oid_crq_set (gnutls_x509_crq_t crq)
1529 {
1530 int ret, i;
1531
1532 if (batch)
1533 {
1534 if (!cfg.dn_oid)
1535 return;
1536 for (i = 0; cfg.dn_oid[i] != NULL; i += 2)
1537 {
1538 if (cfg.dn_oid[i + 1] == NULL)
1539 {
1540 fprintf (stderr, "dn_oid: %s does not have an argument.\n",
1541 cfg.dn_oid[i]);
1542 exit (1);
1543 }
1544 ret = gnutls_x509_crq_set_dn_by_oid (crq, cfg.dn_oid[i], 0,
1545 cfg.dn_oid[i + 1],
1546 strlen (cfg.dn_oid[i + 1]));
1547
1548 if (ret < 0)
1549 {
1550 fprintf (stderr, "set_dn_oid: %s\n", gnutls_strerror (ret));
1551 exit (1);
1552 }
1553 }
1554 }
1555
1556 }
Implementation of the SSL/TLS protocol