2 * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation
4 * This file is part of GNUTLS.
6 * GNUTLS is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
11 * GNUTLS is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include <certtool-cfg.h>
26 #include <gnutls/x509.h>
32 /* Gnulib portability files. */
38 typedef struct _cfg_ctx
46 char *challenge_password
;
53 char *crl_dist_points
;
55 char *pkcs12_key_name
;
68 int time_stamping_key
;
70 char *proxy_policy_language
;
78 memset (&cfg
, 0, sizeof (cfg
));
84 template_parse (const char *template)
86 /* libcfg+ parsing context */
89 /* Parsing return code */
92 /* Option variables */
95 struct cfg_option options
[] = {
96 {NULL
, '\0', "organization", CFG_STR
, (void *) &cfg
.organization
,
98 {NULL
, '\0', "unit", CFG_STR
, (void *) &cfg
.unit
, 0},
99 {NULL
, '\0', "locality", CFG_STR
, (void *) &cfg
.locality
, 0},
100 {NULL
, '\0', "state", CFG_STR
, (void *) &cfg
.state
, 0},
101 {NULL
, '\0', "cn", CFG_STR
, (void *) &cfg
.cn
, 0},
102 {NULL
, '\0', "uid", CFG_STR
, (void *) &cfg
.uid
, 0},
103 {NULL
, '\0', "challenge_password", CFG_STR
,
104 (void *) &cfg
.challenge_password
, 0},
105 {NULL
, '\0', "password", CFG_STR
, (void *) &cfg
.password
, 0},
106 {NULL
, '\0', "pkcs9_email", CFG_STR
, (void *) &cfg
.pkcs9_email
, 0},
107 {NULL
, '\0', "country", CFG_STR
, (void *) &cfg
.country
, 0},
108 {NULL
, '\0', "dns_name", CFG_STR
, (void *) &cfg
.dns_name
, 0},
109 {NULL
, '\0', "ip_address", CFG_STR
, (void *) &cfg
.ip_addr
, 0},
110 {NULL
, '\0', "email", CFG_STR
, (void *) &cfg
.email
, 0},
112 {NULL
, '\0', "dn_oid", CFG_STR
+ CFG_MULTI_SEPARATED
,
113 (void *) &cfg
.dn_oid
, 0},
115 {NULL
, '\0', "crl_dist_points", CFG_STR
,
116 (void *) &cfg
.crl_dist_points
, 0},
117 {NULL
, '\0', "pkcs12_key_name", CFG_STR
,
118 (void *) &cfg
.pkcs12_key_name
, 0},
120 {NULL
, '\0', "serial", CFG_INT
, (void *) &cfg
.serial
, 0},
121 {NULL
, '\0', "expiration_days", CFG_INT
,
122 (void *) &cfg
.expiration_days
, 0},
124 {NULL
, '\0', "crl_next_update", CFG_INT
,
125 (void *) &cfg
.crl_next_update
, 0},
127 {NULL
, '\0', "ca", CFG_BOOL
, (void *) &cfg
.ca
, 0},
128 {NULL
, '\0', "path_len", CFG_INT
, (void *) &cfg
.path_len
, 0},
129 {NULL
, '\0', "tls_www_client", CFG_BOOL
,
130 (void *) &cfg
.tls_www_client
, 0},
131 {NULL
, '\0', "tls_www_server", CFG_BOOL
,
132 (void *) &cfg
.tls_www_server
, 0},
133 {NULL
, '\0', "signing_key", CFG_BOOL
, (void *) &cfg
.signing_key
,
135 {NULL
, '\0', "encryption_key", CFG_BOOL
,
136 (void *) &cfg
.encryption_key
, 0},
137 {NULL
, '\0', "cert_signing_key", CFG_BOOL
,
138 (void *) &cfg
.cert_sign_key
, 0},
139 {NULL
, '\0', "crl_signing_key", CFG_BOOL
,
140 (void *) &cfg
.crl_sign_key
, 0},
141 {NULL
, '\0', "code_signing_key", CFG_BOOL
,
142 (void *) &cfg
.code_sign_key
, 0},
143 {NULL
, '\0', "ocsp_signing_key", CFG_BOOL
,
144 (void *) &cfg
.ocsp_sign_key
, 0},
145 {NULL
, '\0', "time_stamping_key", CFG_BOOL
,
146 (void *) &cfg
.time_stamping_key
, 0},
147 {NULL
, '\0', "proxy_policy_language", CFG_STR
,
148 (void *) &cfg
.proxy_policy_language
, 0},
152 /* Creating context */
153 con
= cfg_get_context (options
);
156 puts ("Not enough memory");
160 cfg_set_cfgfile_context (con
, 0, -1, (char *) template);
162 /* Parsing command line */
163 ret
= cfg_parse (con
);
167 printf ("error parsing command line: %s: ", template);
168 cfg_fprint_error (con
, stdout
);
170 exit (ret
< 0 ? -ret
: ret
);
177 read_crt_set (gnutls_x509_crt_t crt
, const char *input_str
, const char *oid
)
182 fputs (input_str
, stderr
);
183 fgets (input
, sizeof (input
), stdin
);
185 if (strlen (input
) == 1) /* only newline */
189 gnutls_x509_crt_set_dn_by_oid (crt
, oid
, 0, input
, strlen (input
) - 1);
192 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
198 read_crq_set (gnutls_x509_crq_t crq
, const char *input_str
, const char *oid
)
203 fputs (input_str
, stderr
);
204 fgets (input
, sizeof (input
), stdin
);
206 if (strlen (input
) == 1) /* only newline */
210 gnutls_x509_crq_set_dn_by_oid (crq
, oid
, 0, input
, strlen (input
) - 1);
213 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
218 /* The input_str should contain %d or %u to print the default.
221 read_int_with_default (const char *input_str
, int def
)
227 printf(input_str
, def
);
230 l
= strtol (in
, &endptr
, 0);
234 fprintf (stderr
, "Trailing garbage ignored: `%s'\n", endptr
);
239 if (l
<= INT_MIN
|| l
>= INT_MAX
)
241 fprintf (stderr
, "Integer out of range: `%s'\n", in
);
255 read_int (const char *input_str
)
257 return read_int_with_default (input_str
, 0);
261 read_str (const char *input_str
)
263 static char input
[128];
266 fputs (input_str
, stderr
);
267 if (fgets (input
, sizeof (input
), stdin
) == NULL
)
270 len
= strlen (input
);
271 if ((len
> 0) && (input
[len
- 1] == '\n'))
282 read_yesno (const char *input_str
)
286 fputs (input_str
, stderr
);
287 fgets (input
, sizeof (input
), stdin
);
289 if (strlen (input
) == 1) /* only newline */
292 if (input
[0] == 'y' || input
[0] == 'Y')
299 /* Wrapper functions for non-interactive mode.
307 return getpass ("Enter password: ");
311 get_challenge_pass (void)
314 return cfg
.challenge_password
;
316 return getpass ("Enter a challenge password: ");
320 get_crl_dist_point_url (void)
323 return cfg
.crl_dist_points
;
325 return read_str ("Enter the URI of the CRL distribution point: ");
329 get_country_crt_set (gnutls_x509_crt_t crt
)
338 gnutls_x509_crt_set_dn_by_oid (crt
,
339 GNUTLS_OID_X520_COUNTRY_NAME
, 0,
340 cfg
.country
, strlen (cfg
.country
));
343 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
349 read_crt_set (crt
, "Country name (2 chars): ",
350 GNUTLS_OID_X520_COUNTRY_NAME
);
356 get_organization_crt_set (gnutls_x509_crt_t crt
)
362 if (!cfg
.organization
)
366 gnutls_x509_crt_set_dn_by_oid (crt
,
367 GNUTLS_OID_X520_ORGANIZATION_NAME
,
369 strlen (cfg
.organization
));
372 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
378 read_crt_set (crt
, "Organization name: ",
379 GNUTLS_OID_X520_ORGANIZATION_NAME
);
385 get_unit_crt_set (gnutls_x509_crt_t crt
)
395 gnutls_x509_crt_set_dn_by_oid (crt
,
396 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
,
397 0, cfg
.unit
, strlen (cfg
.unit
));
400 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
406 read_crt_set (crt
, "Organizational unit name: ",
407 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
);
413 get_state_crt_set (gnutls_x509_crt_t crt
)
422 gnutls_x509_crt_set_dn_by_oid (crt
,
423 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
,
424 0, cfg
.state
, strlen (cfg
.state
));
427 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
433 read_crt_set (crt
, "State or province name: ",
434 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
);
440 get_locality_crt_set (gnutls_x509_crt_t crt
)
449 gnutls_x509_crt_set_dn_by_oid (crt
,
450 GNUTLS_OID_X520_LOCALITY_NAME
, 0,
451 cfg
.locality
, strlen (cfg
.locality
));
454 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
460 read_crt_set (crt
, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME
);
466 get_cn_crt_set (gnutls_x509_crt_t crt
)
475 gnutls_x509_crt_set_dn_by_oid (crt
, GNUTLS_OID_X520_COMMON_NAME
,
476 0, cfg
.cn
, strlen (cfg
.cn
));
479 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
485 read_crt_set (crt
, "Common name: ", GNUTLS_OID_X520_COMMON_NAME
);
491 get_uid_crt_set (gnutls_x509_crt_t crt
)
499 ret
= gnutls_x509_crt_set_dn_by_oid (crt
, GNUTLS_OID_LDAP_UID
, 0,
500 cfg
.uid
, strlen (cfg
.uid
));
503 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
509 read_crt_set (crt
, "UID: ", GNUTLS_OID_LDAP_UID
);
515 get_oid_crt_set (gnutls_x509_crt_t crt
)
523 for (i
= 0; cfg
.dn_oid
[i
] != NULL
; i
+= 2)
525 if (cfg
.dn_oid
[i
+ 1] == NULL
)
527 fprintf (stderr
, "dn_oid: %s does not have an argument.\n",
531 ret
= gnutls_x509_crt_set_dn_by_oid (crt
, cfg
.dn_oid
[i
], 0,
533 strlen (cfg
.dn_oid
[i
+ 1]));
537 fprintf (stderr
, "set_dn_oid: %s\n", gnutls_strerror (ret
));
547 get_pkcs9_email_crt_set (gnutls_x509_crt_t crt
)
553 if (!cfg
.pkcs9_email
)
555 ret
= gnutls_x509_crt_set_dn_by_oid (crt
, GNUTLS_OID_PKCS9_EMAIL
, 0,
557 strlen (cfg
.pkcs9_email
));
560 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
566 read_crt_set (crt
, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL
);
574 int default_serial
= time (NULL
);
579 return default_serial
;
584 return read_int_with_default
585 ("Enter the certificate's serial number in decimal (default: %u): ", default_serial
);
596 if (cfg
.expiration_days
<= 0)
599 return cfg
.expiration_days
;
605 days
= read_int ("The certificate will expire in (days): ");
622 read_yesno ("Does the certificate belong to an authority? (y/N): ");
635 return read_int_with_default
636 ("Path length constraint (decimal, %d for no constraint): ", -1);
641 get_pkcs12_key_name (void)
647 if (!cfg
.pkcs12_key_name
)
649 return cfg
.pkcs12_key_name
;
655 name
= read_str ("Enter a name for the key: ");
657 while (name
== NULL
);
663 get_tls_client_status (void)
667 return cfg
.tls_www_client
;
671 return read_yesno ("Is this a TLS web client certificate? (y/N): ");
676 get_tls_server_status (void)
680 return cfg
.tls_www_server
;
685 read_yesno ("Is this also a TLS web server certificate? (y/N): ");
699 read_str ("Enter the dnsName of the subject of the certificate: ");
713 read_str ("Enter the IP address of the subject of the certificate: ");
727 read_str ("Enter the e-mail of the subject of the certificate: ");
732 get_sign_status (int server
)
738 return cfg
.signing_key
;
744 "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): ";
747 "Will the certificate be used for signing (required for TLS)? (y/N): ";
748 return read_yesno (msg
);
753 get_encrypt_status (int server
)
759 return cfg
.encryption_key
;
765 "Will the certificate be used for encryption (RSA ciphersuites)? (y/N): ";
768 "Will the certificate be used for encryption (not required for TLS)? (y/N): ";
769 return read_yesno (msg
);
774 get_cert_sign_status (void)
778 return cfg
.cert_sign_key
;
784 ("Will the certificate be used to sign other certificates? (y/N): ");
789 get_crl_sign_status (void)
793 return cfg
.crl_sign_key
;
798 read_yesno ("Will the certificate be used to sign CRLs? (y/N): ");
803 get_code_sign_status (void)
807 return cfg
.code_sign_key
;
812 read_yesno ("Will the certificate be used to sign code? (y/N): ");
817 get_ocsp_sign_status (void)
821 return cfg
.ocsp_sign_key
;
827 ("Will the certificate be used to sign OCSP requests? (y/N): ");
832 get_time_stamp_status (void)
836 return cfg
.time_stamping_key
;
842 ("Will the certificate be used for time stamping? (y/N): ");
847 get_crl_next_update (void)
853 if (cfg
.crl_next_update
<= 0)
856 return cfg
.crl_next_update
;
862 days
= read_int ("The next CRL will be issued in (days): ");
870 get_proxy_policy (char **policy
, size_t *policylen
)
876 ret
= cfg
.proxy_policy_language
;
878 ret
= "1.3.6.1.5.5.7.21.1";
884 ret
= read_str ("Enter the OID of the proxy policy language: ");
892 if (strcmp (ret
, "1.3.6.1.5.5.7.21.1") != 0 &&
893 strcmp (ret
, "1.3.6.1.5.5.7.21.2") != 0)
895 fprintf (stderr
, "Reading non-standard proxy policy not supported.\n");
904 get_country_crq_set (gnutls_x509_crq_t crq
)
913 gnutls_x509_crq_set_dn_by_oid (crq
,
914 GNUTLS_OID_X520_COUNTRY_NAME
, 0,
915 cfg
.country
, strlen (cfg
.country
));
918 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
924 read_crq_set (crq
, "Country name (2 chars): ",
925 GNUTLS_OID_X520_COUNTRY_NAME
);
931 get_organization_crq_set (gnutls_x509_crq_t crq
)
937 if (!cfg
.organization
)
941 gnutls_x509_crq_set_dn_by_oid (crq
,
942 GNUTLS_OID_X520_ORGANIZATION_NAME
,
944 strlen (cfg
.organization
));
947 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
953 read_crq_set (crq
, "Organization name: ",
954 GNUTLS_OID_X520_ORGANIZATION_NAME
);
960 get_unit_crq_set (gnutls_x509_crq_t crq
)
970 gnutls_x509_crq_set_dn_by_oid (crq
,
971 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
,
972 0, cfg
.unit
, strlen (cfg
.unit
));
975 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
981 read_crq_set (crq
, "Organizational unit name: ",
982 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
);
988 get_state_crq_set (gnutls_x509_crq_t crq
)
997 gnutls_x509_crq_set_dn_by_oid (crq
,
998 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
,
999 0, cfg
.state
, strlen (cfg
.state
));
1002 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
1008 read_crq_set (crq
, "State or province name: ",
1009 GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME
);
1015 get_locality_crq_set (gnutls_x509_crq_t crq
)
1024 gnutls_x509_crq_set_dn_by_oid (crq
,
1025 GNUTLS_OID_X520_LOCALITY_NAME
, 0,
1026 cfg
.locality
, strlen (cfg
.locality
));
1029 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
1035 read_crq_set (crq
, "Locality name: ", GNUTLS_OID_X520_LOCALITY_NAME
);
1041 get_cn_crq_set (gnutls_x509_crq_t crq
)
1050 gnutls_x509_crq_set_dn_by_oid (crq
, GNUTLS_OID_X520_COMMON_NAME
,
1051 0, cfg
.cn
, strlen (cfg
.cn
));
1054 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
1060 read_crq_set (crq
, "Common name: ", GNUTLS_OID_X520_COMMON_NAME
);
1066 get_uid_crq_set (gnutls_x509_crq_t crq
)
1074 ret
= gnutls_x509_crq_set_dn_by_oid (crq
, GNUTLS_OID_LDAP_UID
, 0,
1075 cfg
.uid
, strlen (cfg
.uid
));
1078 fprintf (stderr
, "set_dn: %s\n", gnutls_strerror (ret
));
1084 read_crq_set (crq
, "UID: ", GNUTLS_OID_LDAP_UID
);
1090 get_oid_crq_set (gnutls_x509_crq_t crq
)
1098 for (i
= 0; cfg
.dn_oid
[i
] != NULL
; i
+= 2)
1100 if (cfg
.dn_oid
[i
+ 1] == NULL
)
1102 fprintf (stderr
, "dn_oid: %s does not have an argument.\n",
1106 ret
= gnutls_x509_crq_set_dn_by_oid (crq
, cfg
.dn_oid
[i
], 0,
1108 strlen (cfg
.dn_oid
[i
+ 1]));
1112 fprintf (stderr
, "set_dn_oid: %s\n", gnutls_strerror (ret
));