search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Check for errors while setting an SRTP profile.
[gnutls.git] / src / certtool.c
blob81ec1425a229dfa70f29f8e7eef22eab22fdefd5
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * This file is part of GnuTLS.
5 *
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22
23 #include <gnutls/gnutls.h>
24 #include <gnutls/x509.h>
25 #include <gnutls/openpgp.h>
26 #include <gnutls/pkcs12.h>
27 #include <gnutls/pkcs11.h>
28 #include <gnutls/abstract.h>
29 #include <gnutls/crypto.h>
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <ctype.h>
35 #include <time.h>
36 #include <unistd.h>
37 #include <errno.h>
38 #include <sys/types.h>
39 #include <sys/stat.h>
40 #include <fcntl.h>
41 #include <error.h>
42
43 /* Gnulib portability files. */
44 #include <read-file.h>
45 #include <progname.h>
46 #include <version-etc.h>
47
48 #include <certtool-cfg.h>
49 #include <common.h>
50 #include "certtool-args.h"
51 #include "certtool-common.h"
52
53 static void privkey_info_int (common_info_st*, gnutls_x509_privkey_t key);
54 static void print_crl_info (gnutls_x509_crl_t crl, FILE * out);
55 void pkcs7_info (void);
56 void crq_info (void);
57 void smime_to_pkcs7 (void);
58 void pkcs12_info (common_info_st*);
59 void generate_pkcs12 (common_info_st *);
60 void generate_pkcs8 (common_info_st *);
61 static void verify_chain (void);
62 void verify_crl (common_info_st * cinfo);
63 void pubkey_info (gnutls_x509_crt_t crt, common_info_st *);
64 void pgp_privkey_info (void);
65 void pgp_ring_info (void);
66 void certificate_info (int, common_info_st *);
67 void pgp_certificate_info (void);
68 void crl_info (void);
69 void privkey_info (common_info_st*);
70 static void cmd_parser (int argc, char **argv);
71 void generate_self_signed (common_info_st *);
72 void generate_request (common_info_st *);
73 static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
74 unsigned int all);
75 static void verify_certificate (common_info_st * cinfo);
76
77 FILE *outfile;
78 FILE *infile;
79 static gnutls_digest_algorithm_t default_dig;
80 static unsigned int incert_format, outcert_format;
81 static unsigned int req_key_type;
82
83 /* non interactive operation if set
84 */
85 int batch;
86
87
88 static void
89 tls_log_func (int level, const char *str)
90 {
91 fprintf (stderr, "|<%d>| %s", level, str);
92 }
93
94 int
95 main (int argc, char **argv)
96 {
97 set_program_name (argv[0]);
98 cfg_init ();
99 cmd_parser (argc, argv);
100
101 return 0;
102 }
103
104 static gnutls_x509_privkey_t
105 generate_private_key_int (common_info_st * cinfo)
106 {
107 gnutls_x509_privkey_t key;
108 int ret, key_type, bits;
109
110 key_type = req_key_type;
111
112 ret = gnutls_x509_privkey_init (&key);
113 if (ret < 0)
114 error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
115
116 bits = get_bits (key_type, cinfo->bits, cinfo->sec_param);
117
118 fprintf (stderr, "Generating a %d bit %s private key...\n",
119 bits, gnutls_pk_algorithm_get_name (key_type));
120
121 if (bits > 1024 && key_type == GNUTLS_PK_DSA)
122 fprintf (stderr,
123 "Note that DSA keys with size over 1024 can only be used with TLS 1.2 or later.\n\n");
124
125 ret = gnutls_x509_privkey_generate (key, key_type, bits, 0);
126 if (ret < 0)
127 error (EXIT_FAILURE, 0, "privkey_generate: %s", gnutls_strerror (ret));
128
129 ret = gnutls_x509_privkey_verify_params (key);
130 if (ret < 0)
131 error (EXIT_FAILURE, 0, "privkey_verify_params: %s", gnutls_strerror (ret));
132
133 return key;
134 }
135
136 static int
137 cipher_to_flags (const char *cipher)
138 {
139 if (cipher == NULL)
140 {
141 return GNUTLS_PKCS_USE_PBES2_AES_128;
142 }
143 else if (strcasecmp (cipher, "3des") == 0)
144 {
145 return GNUTLS_PKCS_USE_PBES2_3DES;
146 }
147 else if (strcasecmp (cipher, "3des-pkcs12") == 0)
148 {
149 return GNUTLS_PKCS_USE_PKCS12_3DES;
150 }
151 else if (strcasecmp (cipher, "arcfour") == 0)
152 {
153 return GNUTLS_PKCS_USE_PKCS12_ARCFOUR;
154 }
155 else if (strcasecmp (cipher, "aes-128") == 0)
156 {
157 return GNUTLS_PKCS_USE_PBES2_AES_128;
158 }
159 else if (strcasecmp (cipher, "aes-192") == 0)
160 {
161 return GNUTLS_PKCS_USE_PBES2_AES_192;
162 }
163 else if (strcasecmp (cipher, "aes-256") == 0)
164 {
165 return GNUTLS_PKCS_USE_PBES2_AES_256;
166 }
167 else if (strcasecmp (cipher, "rc2-40") == 0)
168 {
169 return GNUTLS_PKCS_USE_PKCS12_RC2_40;
170 }
171
172 error (EXIT_FAILURE, 0, "unknown cipher %s\n", cipher);
173 return -1;
174 }
175
176
177 static void
178 print_private_key (common_info_st* cinfo, gnutls_x509_privkey_t key)
179 {
180 int ret;
181 size_t size;
182
183 if (!key)
184 return;
185
186 if (outcert_format == GNUTLS_X509_FMT_PEM)
187 privkey_info_int(cinfo, key);
188
189 if (!cinfo->pkcs8)
190 {
191 size = buffer_size;
192 ret = gnutls_x509_privkey_export (key, outcert_format,
193 buffer, &size);
194 if (ret < 0)
195 error (EXIT_FAILURE, 0, "privkey_export: %s", gnutls_strerror (ret));
196 }
197 else
198 {
199 unsigned int flags = 0;
200 const char *pass;
201
202 pass = get_password(cinfo, &flags, 0);
203 flags |= cipher_to_flags (cinfo->pkcs_cipher);
204
205 size = buffer_size;
206 ret =
207 gnutls_x509_privkey_export_pkcs8 (key, outcert_format, pass,
208 flags, buffer, &size);
209 if (ret < 0)
210 error (EXIT_FAILURE, 0, "privkey_export_pkcs8: %s",
211 gnutls_strerror (ret));
212 }
213
214 fwrite (buffer, 1, size, outfile);
215 }
216
217 static void
218 generate_private_key (common_info_st* cinfo)
219 {
220 gnutls_x509_privkey_t key;
221
222 key = generate_private_key_int (cinfo);
223
224 print_private_key (cinfo, key);
225
226 gnutls_x509_privkey_deinit (key);
227 }
228
229
230 static gnutls_x509_crt_t
231 generate_certificate (gnutls_privkey_t * ret_key,
232 gnutls_x509_crt_t ca_crt, int proxy,
233 common_info_st * cinfo)
234 {
235 gnutls_x509_crt_t crt;
236 gnutls_privkey_t key = NULL;
237 gnutls_pubkey_t pubkey;
238 size_t size;
239 int ret;
240 int client;
241 int days, result, ca_status = 0, is_ike = 0, path_len;
242 int vers;
243 unsigned int usage = 0, server;
244 gnutls_x509_crq_t crq; /* request */
245
246 ret = gnutls_x509_crt_init (&crt);
247 if (ret < 0)
248 error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
249
250 crq = load_request (cinfo);
251
252 if (crq == NULL)
253 {
254
255 key = load_private_key (0, cinfo);
256
257 pubkey = load_public_key_or_import (1, key, cinfo);
258
259 if (!batch)
260 fprintf (stderr,
261 "Please enter the details of the certificate's distinguished name. "
262 "Just press enter to ignore a field.\n");
263
264 /* set the DN.
265 */
266 if (proxy)
267 {
268 result = gnutls_x509_crt_set_proxy_dn (crt, ca_crt, 0, NULL, 0);
269 if (result < 0)
270 error (EXIT_FAILURE, 0, "set_proxy_dn: %s",
271 gnutls_strerror (result));
272
273 get_cn_crt_set (crt);
274 }
275 else
276 {
277 get_country_crt_set (crt);
278 get_organization_crt_set (crt);
279 get_unit_crt_set (crt);
280 get_locality_crt_set (crt);
281 get_state_crt_set (crt);
282 get_cn_crt_set (crt);
283 get_dc_set (TYPE_CRT, crt);
284 get_uid_crt_set (crt);
285 get_oid_crt_set (crt);
286 get_key_purpose_set (crt);
287
288 if (!batch)
289 fprintf (stderr,
290 "This field should not be used in new certificates.\n");
291
292 get_pkcs9_email_crt_set (crt);
293 }
294
295 result = gnutls_x509_crt_set_pubkey (crt, pubkey);
296 if (result < 0)
297 error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (result));
298 }
299 else
300 {
301 result = gnutls_x509_crt_set_crq (crt, crq);
302 if (result < 0)
303 error (EXIT_FAILURE, 0, "set_crq: %s", gnutls_strerror (result));
304 }
305
306
307 {
308 int serial = get_serial ();
309 char bin_serial[5];
310
311 bin_serial[4] = serial & 0xff;
312 bin_serial[3] = (serial >> 8) & 0xff;
313 bin_serial[2] = (serial >> 16) & 0xff;
314 bin_serial[1] = (serial >> 24) & 0xff;
315 bin_serial[0] = 0;
316
317 result = gnutls_x509_crt_set_serial (crt, bin_serial, 5);
318 if (result < 0)
319 error (EXIT_FAILURE, 0, "serial: %s", gnutls_strerror (result));
320 }
321
322 if (!batch)
323 fprintf (stderr, "\n\nActivation/Expiration time.\n");
324
325 gnutls_x509_crt_set_activation_time (crt, time (NULL));
326
327 days = get_days ();
328
329 result =
330 gnutls_x509_crt_set_expiration_time (crt,
331 time (NULL) + ((time_t) days) * 24 * 60 * 60);
332 if (result < 0)
333 error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
334
335 if (!batch)
336 fprintf (stderr, "\n\nExtensions.\n");
337
338 /* do not allow extensions on a v1 certificate */
339 if (crq && get_crq_extensions_status () != 0)
340 {
341 result = gnutls_x509_crt_set_crq_extensions (crt, crq);
342 if (result < 0)
343 error (EXIT_FAILURE, 0, "set_crq: %s", gnutls_strerror (result));
344 }
345
346 /* append additional extensions */
347 if (cinfo->v1_cert == 0)
348 {
349
350 if (proxy)
351 {
352 const char *policylanguage;
353 char *policy;
354 size_t policylen;
355 int proxypathlen = get_path_len ();
356
357 if (!batch)
358 {
359 printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
360 printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
361 }
362
363 policylanguage = get_proxy_policy (&policy, &policylen);
364
365 result =
366 gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage,
367 policy, policylen);
368 if (result < 0)
369 error (EXIT_FAILURE, 0, "set_proxy: %s",
370 gnutls_strerror (result));
371 }
372
373 if (!proxy)
374 ca_status = get_ca_status ();
375 if (ca_status)
376 path_len = get_path_len ();
377 else
378 path_len = -1;
379
380 result =
381 gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len);
382 if (result < 0)
383 error (EXIT_FAILURE, 0, "basic_constraints: %s",
384 gnutls_strerror (result));
385
386 client = get_tls_client_status ();
387 if (client != 0)
388 {
389 result = gnutls_x509_crt_set_key_purpose_oid (crt,
390 GNUTLS_KP_TLS_WWW_CLIENT,
391 0);
392 if (result < 0)
393 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
394 }
395
396 is_ike = get_ipsec_ike_status ();
397 server = get_tls_server_status ();
398
399 get_dns_name_set (TYPE_CRT, crt);
400 get_uri_set (TYPE_CRT, crt);
401 get_ip_addr_set (TYPE_CRT, crt);
402
403 if (server != 0)
404 {
405 result = 0;
406
407 result =
408 gnutls_x509_crt_set_key_purpose_oid (crt,
409 GNUTLS_KP_TLS_WWW_SERVER, 0);
410 if (result < 0)
411 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
412 }
413 else if (!proxy)
414 {
415 get_email_set (TYPE_CRT, crt);
416 }
417
418 if (!ca_status || server)
419 {
420 int pk;
421
422
423 pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
424
425 if (pk == GNUTLS_PK_RSA)
426 { /* DSA and ECDSA keys can only sign. */
427 result = get_sign_status (server);
428 if (result)
429 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
430
431 result = get_encrypt_status (server);
432 if (result)
433 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
434 }
435 else
436 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
437
438 if (is_ike)
439 {
440 result =
441 gnutls_x509_crt_set_key_purpose_oid (crt,
442 GNUTLS_KP_IPSEC_IKE, 0);
443 if (result < 0)
444 error (EXIT_FAILURE, 0, "key_kp: %s",
445 gnutls_strerror (result));
446 }
447 }
448
449
450 if (ca_status)
451 {
452 result = get_cert_sign_status ();
453 if (result)
454 usage |= GNUTLS_KEY_KEY_CERT_SIGN;
455
456 result = get_crl_sign_status ();
457 if (result)
458 usage |= GNUTLS_KEY_CRL_SIGN;
459
460 result = get_code_sign_status ();
461 if (result)
462 {
463 result =
464 gnutls_x509_crt_set_key_purpose_oid (crt,
465 GNUTLS_KP_CODE_SIGNING,
466 0);
467 if (result < 0)
468 error (EXIT_FAILURE, 0, "key_kp: %s",
469 gnutls_strerror (result));
470 }
471
472 result = get_ocsp_sign_status ();
473 if (result)
474 {
475 result =
476 gnutls_x509_crt_set_key_purpose_oid (crt,
477 GNUTLS_KP_OCSP_SIGNING,
478 0);
479 if (result < 0)
480 error (EXIT_FAILURE, 0, "key_kp: %s",
481 gnutls_strerror (result));
482 }
483
484 result = get_time_stamp_status ();
485 if (result)
486 {
487 result =
488 gnutls_x509_crt_set_key_purpose_oid (crt,
489 GNUTLS_KP_TIME_STAMPING,
490 0);
491 if (result < 0)
492 error (EXIT_FAILURE, 0, "key_kp: %s",
493 gnutls_strerror (result));
494 }
495 }
496 get_ocsp_issuer_set(crt);
497 get_ca_issuers_set(crt);
498
499 if (usage != 0)
500 {
501 /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
502 set, then either digitalSignature or the nonRepudiation bits in the
503 KeyUsage extension MUST for all IKE certs */
504 if (is_ike && (get_sign_status (server) != 1))
505 usage |= GNUTLS_KEY_NON_REPUDIATION;
506 result = gnutls_x509_crt_set_key_usage (crt, usage);
507 if (result < 0)
508 error (EXIT_FAILURE, 0, "key_usage: %s",
509 gnutls_strerror (result));
510 }
511
512 /* Subject Key ID.
513 */
514 size = buffer_size;
515 result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size);
516 if (result >= 0)
517 {
518 result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size);
519 if (result < 0)
520 error (EXIT_FAILURE, 0, "set_subject_key_id: %s",
521 gnutls_strerror (result));
522 }
523
524 /* Authority Key ID.
525 */
526 if (ca_crt != NULL)
527 {
528 size = buffer_size;
529 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
530 &size, NULL);
531 if (result < 0)
532 {
533 size = buffer_size;
534 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
535 }
536 if (result >= 0)
537 {
538 result =
539 gnutls_x509_crt_set_authority_key_id (crt, buffer, size);
540 if (result < 0)
541 error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
542 gnutls_strerror (result));
543 }
544 }
545 }
546
547 /* Version.
548 */
549 if (cinfo->v1_cert != 0)
550 vers = 1;
551 else
552 vers = 3;
553 result = gnutls_x509_crt_set_version (crt, vers);
554 if (result < 0)
555 error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
556
557 *ret_key = key;
558 return crt;
559
560 }
561
562 static gnutls_x509_crl_t
563 generate_crl (gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
564 {
565 gnutls_x509_crl_t crl;
566 gnutls_x509_crt_t *crts;
567 size_t size;
568 int days, result;
569 unsigned int i;
570 time_t now = time (NULL);
571
572 result = gnutls_x509_crl_init (&crl);
573 if (result < 0)
574 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (result));
575
576 crts = load_cert_list (0, &size, cinfo);
577
578 for (i = 0; i < size; i++)
579 {
580 result = gnutls_x509_crl_set_crt (crl, crts[i], now);
581 if (result < 0)
582 error (EXIT_FAILURE, 0, "crl_set_crt: %s", gnutls_strerror (result));
583 }
584
585 result = gnutls_x509_crl_set_this_update (crl, now);
586 if (result < 0)
587 error (EXIT_FAILURE, 0, "this_update: %s", gnutls_strerror (result));
588
589 fprintf (stderr, "Update times.\n");
590 days = get_crl_next_update ();
591
592 result = gnutls_x509_crl_set_next_update (crl, now + days * 24 * 60 * 60);
593 if (result < 0)
594 error (EXIT_FAILURE, 0, "next_update: %s", gnutls_strerror (result));
595
596 result = gnutls_x509_crl_set_version (crl, 2);
597 if (result < 0)
598 error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
599
600 /* Authority Key ID.
601 */
602 if (ca_crt != NULL)
603 {
604 size = buffer_size;
605 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
606 &size, NULL);
607 if (result < 0)
608 {
609 size = buffer_size;
610 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
611 }
612 if (result >= 0)
613 {
614 result = gnutls_x509_crl_set_authority_key_id (crl, buffer, size);
615 if (result < 0)
616 error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
617 gnutls_strerror (result));
618 }
619 }
620
621 {
622 unsigned int number = get_crl_number ();
623 char bin_number[5];
624
625 bin_number[4] = number & 0xff;
626 bin_number[3] = (number >> 8) & 0xff;
627 bin_number[2] = (number >> 16) & 0xff;
628 bin_number[1] = (number >> 24) & 0xff;
629 bin_number[0] = 0;
630
631 result = gnutls_x509_crl_set_number (crl, bin_number, 5);
632 if (result < 0)
633 error (EXIT_FAILURE, 0, "set_number: %s", gnutls_strerror (result));
634 }
635
636 return crl;
637 }
638
639 static gnutls_digest_algorithm_t
640 get_dig_for_pub (gnutls_pubkey_t pubkey)
641 {
642 gnutls_digest_algorithm_t dig;
643 int result;
644 unsigned int mand;
645
646 result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand);
647 if (result < 0)
648 {
649 error (EXIT_FAILURE, 0, "crt_get_preferred_hash_algorithm: %s",
650 gnutls_strerror (result));
651 }
652
653 /* if algorithm allows alternatives */
654 if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN)
655 dig = default_dig;
656
657 return dig;
658 }
659
660 static gnutls_digest_algorithm_t
661 get_dig (gnutls_x509_crt_t crt)
662 {
663 gnutls_digest_algorithm_t dig;
664 gnutls_pubkey_t pubkey;
665 int result;
666
667 gnutls_pubkey_init(&pubkey);
668
669 result = gnutls_pubkey_import_x509(pubkey, crt, 0);
670 if (result < 0)
671 {
672 error (EXIT_FAILURE, 0, "gnutls_pubkey_import_x509: %s",
673 gnutls_strerror (result));
674 }
675
676 dig = get_dig_for_pub (pubkey);
677
678 gnutls_pubkey_deinit(pubkey);
679
680 return dig;
681 }
682
683 void
684 generate_self_signed (common_info_st * cinfo)
685 {
686 gnutls_x509_crt_t crt;
687 gnutls_privkey_t key;
688 size_t size;
689 int result;
690 const char *uri;
691
692 fprintf (stderr, "Generating a self signed certificate...\n");
693
694 crt = generate_certificate (&key, NULL, 0, cinfo);
695
696 if (!key)
697 key = load_private_key (1, cinfo);
698
699 uri = get_crl_dist_point_url ();
700 if (uri)
701 {
702 result = gnutls_x509_crt_set_crl_dist_points (crt, GNUTLS_SAN_URI,
703 uri,
704 0 /* all reasons */ );
705 if (result < 0)
706 error (EXIT_FAILURE, 0, "crl_dist_points: %s",
707 gnutls_strerror (result));
708 }
709
710 print_certificate_info (crt, stderr, 0);
711
712 fprintf (stderr, "\n\nSigning certificate...\n");
713
714 result = gnutls_x509_crt_privkey_sign (crt, crt, key, get_dig (crt), 0);
715 if (result < 0)
716 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
717
718 size = buffer_size;
719 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
720 if (result < 0)
721 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
722
723 fwrite (buffer, 1, size, outfile);
724
725 gnutls_x509_crt_deinit (crt);
726 gnutls_privkey_deinit (key);
727 }
728
729 static void
730 generate_signed_certificate (common_info_st * cinfo)
731 {
732 gnutls_x509_crt_t crt;
733 gnutls_privkey_t key;
734 size_t size;
735 int result;
736 gnutls_privkey_t ca_key;
737 gnutls_x509_crt_t ca_crt;
738
739 fprintf (stderr, "Generating a signed certificate...\n");
740
741 ca_key = load_ca_private_key (cinfo);
742 ca_crt = load_ca_cert (cinfo);
743
744 crt = generate_certificate (&key, ca_crt, 0, cinfo);
745
746 /* Copy the CRL distribution points.
747 */
748 gnutls_x509_crt_cpy_crl_dist_points (crt, ca_crt);
749 /* it doesn't matter if we couldn't copy the CRL dist points.
750 */
751
752 print_certificate_info (crt, stderr, 0);
753
754 fprintf (stderr, "\n\nSigning certificate...\n");
755
756 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
757 if (result < 0)
758 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
759
760 size = buffer_size;
761 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
762 if (result < 0)
763 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
764
765 fwrite (buffer, 1, size, outfile);
766
767 gnutls_x509_crt_deinit (crt);
768 gnutls_privkey_deinit (key);
769 gnutls_privkey_deinit(ca_key);
770 }
771
772 static void
773 generate_proxy_certificate (common_info_st * cinfo)
774 {
775 gnutls_x509_crt_t crt, eecrt;
776 gnutls_privkey_t key, eekey;
777 size_t size;
778 int result;
779
780 fprintf (stderr, "Generating a proxy certificate...\n");
781
782 eekey = load_ca_private_key (cinfo);
783 eecrt = load_cert (1, cinfo);
784
785 crt = generate_certificate (&key, eecrt, 1, cinfo);
786
787 print_certificate_info (crt, stderr, 0);
788
789 fprintf (stderr, "\n\nSigning certificate...\n");
790
791 result = gnutls_x509_crt_privkey_sign (crt, eecrt, eekey, get_dig (eecrt), 0);
792 if (result < 0)
793 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
794
795 size = buffer_size;
796 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
797 if (result < 0)
798 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
799
800 fwrite (buffer, 1, size, outfile);
801
802 gnutls_x509_crt_deinit (eecrt);
803 gnutls_x509_crt_deinit (crt);
804 gnutls_privkey_deinit (key);
805 gnutls_privkey_deinit (eekey);
806 }
807
808 static void
809 generate_signed_crl (common_info_st * cinfo)
810 {
811 gnutls_x509_crl_t crl;
812 int result;
813 gnutls_privkey_t ca_key;
814 gnutls_x509_crt_t ca_crt;
815
816 fprintf (stderr, "Generating a signed CRL...\n");
817
818 ca_key = load_ca_private_key (cinfo);
819 ca_crt = load_ca_cert (cinfo);
820 crl = generate_crl (ca_crt, cinfo);
821
822 fprintf (stderr, "\n");
823 result = gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key, get_dig (ca_crt), 0);
824 if (result < 0)
825 error (EXIT_FAILURE, 0, "crl_privkey_sign: %s", gnutls_strerror (result));
826
827 print_crl_info (crl, stderr);
828
829 gnutls_privkey_deinit( ca_key);
830 gnutls_x509_crl_deinit (crl);
831 }
832
833 static void
834 update_signed_certificate (common_info_st * cinfo)
835 {
836 gnutls_x509_crt_t crt;
837 size_t size;
838 int result;
839 gnutls_privkey_t ca_key;
840 gnutls_x509_crt_t ca_crt;
841 int days;
842 time_t tim = time (NULL);
843
844 fprintf (stderr, "Generating a signed certificate...\n");
845
846 ca_key = load_ca_private_key (cinfo);
847 ca_crt = load_ca_cert (cinfo);
848 crt = load_cert (1, cinfo);
849
850 fprintf (stderr, "Activation/Expiration time.\n");
851 gnutls_x509_crt_set_activation_time (crt, tim);
852
853 days = get_days ();
854
855 result =
856 gnutls_x509_crt_set_expiration_time (crt, tim + ((time_t) days) * 24 * 60 * 60);
857 if (result < 0)
858 error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
859
860 fprintf (stderr, "\n\nSigning certificate...\n");
861
862 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
863 if (result < 0)
864 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
865
866 size = buffer_size;
867 result = gnutls_x509_crt_export (crt, outcert_format, buffer, &size);
868 if (result < 0)
869 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
870
871 fwrite (buffer, 1, size, outfile);
872
873 gnutls_x509_crt_deinit (crt);
874 }
875
876 static void
877 cmd_parser (int argc, char **argv)
878 {
879 int ret, privkey_op = 0;
880 common_info_st cinfo;
881
882 optionProcess( &certtoolOptions, argc, argv);
883
884 if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST) ||
885 HAVE_OPT(KEY_INFO) || HAVE_OPT(PGP_KEY_INFO))
886 privkey_op = 1;
887
888 if (HAVE_OPT(OUTFILE))
889 {
890 outfile = safe_open_rw (OPT_ARG(OUTFILE), privkey_op);
891 if (outfile == NULL)
892 error (EXIT_FAILURE, errno, "%s", OPT_ARG(OUTFILE));
893 }
894 else
895 outfile = stdout;
896
897 if (HAVE_OPT(INFILE))
898 {
899 infile = fopen (OPT_ARG(INFILE), "rb");
900 if (infile == NULL)
901 error (EXIT_FAILURE, errno, "%s", OPT_ARG(INFILE));
902 }
903 else
904 infile = stdin;
905
906 if (HAVE_OPT(INDER) || HAVE_OPT(INRAW))
907 incert_format = GNUTLS_X509_FMT_DER;
908 else
909 incert_format = GNUTLS_X509_FMT_PEM;
910
911 if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
912 outcert_format = GNUTLS_X509_FMT_DER;
913 else
914 outcert_format = GNUTLS_X509_FMT_PEM;
915
916 if (HAVE_OPT(DSA))
917 req_key_type = GNUTLS_PK_DSA;
918 else if (HAVE_OPT(ECC))
919 req_key_type = GNUTLS_PK_ECC;
920 else
921 req_key_type = GNUTLS_PK_RSA;
922
923 default_dig = GNUTLS_DIG_UNKNOWN;
924 if (HAVE_OPT(HASH))
925 {
926 if (strcasecmp (OPT_ARG(HASH), "md5") == 0)
927 {
928 fprintf (stderr,
929 "Warning: MD5 is broken, and should not be used any more for digital signatures.\n");
930 default_dig = GNUTLS_DIG_MD5;
931 }
932 else if (strcasecmp (OPT_ARG(HASH), "sha1") == 0)
933 default_dig = GNUTLS_DIG_SHA1;
934 else if (strcasecmp (OPT_ARG(HASH), "sha256") == 0)
935 default_dig = GNUTLS_DIG_SHA256;
936 else if (strcasecmp (OPT_ARG(HASH), "sha224") == 0)
937 default_dig = GNUTLS_DIG_SHA224;
938 else if (strcasecmp (OPT_ARG(HASH), "sha384") == 0)
939 default_dig = GNUTLS_DIG_SHA384;
940 else if (strcasecmp (OPT_ARG(HASH), "sha512") == 0)
941 default_dig = GNUTLS_DIG_SHA512;
942 else if (strcasecmp (OPT_ARG(HASH), "rmd160") == 0)
943 default_dig = GNUTLS_DIG_RMD160;
944 else
945 error (EXIT_FAILURE, 0, "invalid hash: %s", OPT_ARG(HASH));
946 }
947
948 batch = 0;
949 if (HAVE_OPT(TEMPLATE))
950 {
951 batch = 1;
952 template_parse (OPT_ARG(TEMPLATE));
953 }
954
955 gnutls_global_set_log_function (tls_log_func);
956
957 if (HAVE_OPT(DEBUG))
958 {
959 gnutls_global_set_log_level (OPT_VALUE_DEBUG);
960 printf ("Setting log level to %d\n", (int)OPT_VALUE_DEBUG);
961 }
962
963 if ((ret = gnutls_global_init ()) < 0)
964 error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
965
966 #ifdef ENABLE_PKCS11
967 pkcs11_common();
968 #endif
969
970 memset (&cinfo, 0, sizeof (cinfo));
971
972 if (HAVE_OPT(VERBOSE))
973 cinfo.verbose = 1;
974
975 if (HAVE_OPT(LOAD_PRIVKEY))
976 cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);
977
978 cinfo.v1_cert = HAVE_OPT(V1);
979 if (HAVE_OPT(NO_CRQ_EXTENSIONS))
980 cinfo.crq_extensions = 0;
981 else cinfo.crq_extensions = 1;
982
983 if (HAVE_OPT(LOAD_PUBKEY))
984 cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
985
986 cinfo.pkcs8 = HAVE_OPT(PKCS8);
987 cinfo.incert_format = incert_format;
988
989 if (HAVE_OPT(LOAD_CERTIFICATE))
990 cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
991
992 if (HAVE_OPT(LOAD_REQUEST))
993 cinfo.request = OPT_ARG(LOAD_REQUEST);
994
995 if (HAVE_OPT(LOAD_CA_CERTIFICATE))
996 cinfo.ca = OPT_ARG(LOAD_CA_CERTIFICATE);
997
998 if (HAVE_OPT(LOAD_CA_PRIVKEY))
999 cinfo.ca_privkey = OPT_ARG(LOAD_CA_PRIVKEY);
1000
1001 if (HAVE_OPT(BITS))
1002 cinfo.bits = OPT_VALUE_BITS;
1003
1004 if (HAVE_OPT(SEC_PARAM))
1005 cinfo.sec_param = OPT_ARG(SEC_PARAM);
1006
1007 if (HAVE_OPT(PKCS_CIPHER))
1008 cinfo.pkcs_cipher = OPT_ARG(PKCS_CIPHER);
1009
1010 if (HAVE_OPT(PASSWORD))
1011 {
1012 cinfo.password = OPT_ARG(PASSWORD);
1013 if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0)
1014 {
1015 fprintf(stderr, "Assuming PKCS #8 format...\n");
1016 cinfo.pkcs8 = 1;
1017 }
1018 }
1019
1020 if (HAVE_OPT(NULL_PASSWORD))
1021 {
1022 cinfo.null_password = 1;
1023 cinfo.password = "";
1024 }
1025
1026 if (HAVE_OPT(GENERATE_SELF_SIGNED))
1027 generate_self_signed (&cinfo);
1028 else if (HAVE_OPT(GENERATE_CERTIFICATE))
1029 generate_signed_certificate (&cinfo);
1030 else if (HAVE_OPT(GENERATE_PROXY))
1031 generate_proxy_certificate (&cinfo);
1032 else if (HAVE_OPT(GENERATE_CRL))
1033 generate_signed_crl (&cinfo);
1034 else if (HAVE_OPT(UPDATE_CERTIFICATE))
1035 update_signed_certificate (&cinfo);
1036 else if (HAVE_OPT(GENERATE_PRIVKEY))
1037 generate_private_key (&cinfo);
1038 else if (HAVE_OPT(GENERATE_REQUEST))
1039 generate_request (&cinfo);
1040 else if (HAVE_OPT(VERIFY_CHAIN))
1041 verify_chain ();
1042 else if (HAVE_OPT(VERIFY))
1043 verify_certificate (&cinfo);
1044 else if (HAVE_OPT(VERIFY_CRL))
1045 verify_crl (&cinfo);
1046 else if (HAVE_OPT(CERTIFICATE_INFO))
1047 certificate_info (0, &cinfo);
1048 else if (HAVE_OPT(DH_INFO))
1049 dh_info (&cinfo);
1050 else if (HAVE_OPT(CERTIFICATE_PUBKEY))
1051 certificate_info (1, &cinfo);
1052 else if (HAVE_OPT(KEY_INFO))
1053 privkey_info (&cinfo);
1054 else if (HAVE_OPT(PUBKEY_INFO))
1055 pubkey_info (NULL, &cinfo);
1056 else if (HAVE_OPT(TO_P12))
1057 generate_pkcs12 (&cinfo);
1058 else if (HAVE_OPT(P12_INFO))
1059 pkcs12_info (&cinfo);
1060 else if (HAVE_OPT(GENERATE_DH_PARAMS))
1061 generate_prime (1, &cinfo);
1062 else if (HAVE_OPT(GET_DH_PARAMS))
1063 generate_prime (0, &cinfo);
1064 else if (HAVE_OPT(CRL_INFO))
1065 crl_info ();
1066 else if (HAVE_OPT(P7_INFO))
1067 pkcs7_info ();
1068 else if (HAVE_OPT(SMIME_TO_P7))
1069 smime_to_pkcs7 ();
1070 else if (HAVE_OPT(TO_P8))
1071 generate_pkcs8 (&cinfo);
1072 #ifdef ENABLE_OPENPGP
1073 else if (HAVE_OPT(PGP_CERTIFICATE_INFO))
1074 pgp_certificate_info ();
1075 else if (HAVE_OPT(PGP_KEY_INFO))
1076 pgp_privkey_info ();
1077 else if (HAVE_OPT(PGP_RING_INFO))
1078 pgp_ring_info ();
1079 #endif
1080 else if (HAVE_OPT(CRQ_INFO))
1081 crq_info ();
1082 else
1083 USAGE(1);
1084
1085 fclose (outfile);
1086
1087 #ifdef ENABLE_PKCS11
1088 gnutls_pkcs11_deinit ();
1089 #endif
1090 gnutls_global_deinit ();
1091 }
1092
1093 #define MAX_CRTS 500
1094 void
1095 certificate_info (int pubkey, common_info_st * cinfo)
1096 {
1097 gnutls_x509_crt_t crt[MAX_CRTS];
1098 size_t size;
1099 int ret, i, count;
1100 gnutls_datum_t pem;
1101 unsigned int crt_num;
1102
1103 pem.data = (void*)fread_file (infile, &size);
1104 pem.size = size;
1105
1106 crt_num = MAX_CRTS;
1107 ret =
1108 gnutls_x509_crt_list_import (crt, &crt_num, &pem, incert_format,
1109 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
1110 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
1111 {
1112 error (0, 0, "too many certificates (%d); "
1113 "will only read the first %d", crt_num, MAX_CRTS);
1114 crt_num = MAX_CRTS;
1115 ret = gnutls_x509_crt_list_import (crt, &crt_num, &pem,
1116 incert_format, 0);
1117 }
1118 if (ret < 0)
1119 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1120
1121 free (pem.data);
1122
1123 count = ret;
1124
1125 if (count > 1 && outcert_format == GNUTLS_X509_FMT_DER)
1126 {
1127 error (0, 0, "cannot output multiple certificates in DER format; "
1128 "using PEM instead");
1129 outcert_format = GNUTLS_X509_FMT_PEM;
1130 }
1131
1132 for (i = 0; i < count; i++)
1133 {
1134 if (i > 0)
1135 fprintf (outfile, "\n");
1136
1137 if (outcert_format == GNUTLS_X509_FMT_PEM)
1138 print_certificate_info (crt[i], outfile, 1);
1139
1140 if (pubkey)
1141 pubkey_info (crt[i], cinfo);
1142 else
1143 {
1144 size = buffer_size;
1145 ret = gnutls_x509_crt_export (crt[i], outcert_format, buffer,
1146 &size);
1147 if (ret < 0)
1148 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1149
1150 fwrite (buffer, 1, size, outfile);
1151 }
1152
1153 gnutls_x509_crt_deinit (crt[i]);
1154 }
1155 }
1156
1157 #ifdef ENABLE_OPENPGP
1158
1159 void
1160 pgp_certificate_info (void)
1161 {
1162 gnutls_openpgp_crt_t crt;
1163 size_t size;
1164 int ret;
1165 gnutls_datum_t pem, out_data;
1166 unsigned int verify_status;
1167
1168 pem.data = (void*)fread_file (infile, &size);
1169 pem.size = size;
1170
1171 ret = gnutls_openpgp_crt_init (&crt);
1172 if (ret < 0)
1173 error (EXIT_FAILURE, 0, "openpgp_crt_init: %s", gnutls_strerror (ret));
1174
1175 ret = gnutls_openpgp_crt_import (crt, &pem, incert_format);
1176
1177 if (ret < 0)
1178 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1179
1180 free (pem.data);
1181
1182 if (outcert_format == GNUTLS_OPENPGP_FMT_BASE64)
1183 {
1184 ret = gnutls_openpgp_crt_print (crt, 0, &out_data);
1185
1186 if (ret == 0)
1187 {
1188 fprintf (outfile, "%s\n", out_data.data);
1189 gnutls_free (out_data.data);
1190 }
1191 }
1192
1193
1194 ret = gnutls_openpgp_crt_verify_self (crt, 0, &verify_status);
1195 if (ret < 0)
1196 {
1197 error (EXIT_FAILURE, 0, "verify signature error: %s",
1198 gnutls_strerror (ret));
1199 }
1200
1201 if (verify_status & GNUTLS_CERT_INVALID)
1202 {
1203 fprintf (outfile, "Self Signature verification: failed\n\n");
1204 }
1205 else
1206 {
1207 fprintf (outfile, "Self Signature verification: ok (%x)\n\n",
1208 verify_status);
1209 }
1210
1211 size = buffer_size;
1212 ret = gnutls_openpgp_crt_export (crt, outcert_format, buffer, &size);
1213 if (ret < 0)
1214 {
1215 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1216 fwrite (buffer, 1, size, outfile);
1217 }
1218
1219 fprintf (outfile, "%s\n", buffer);
1220 gnutls_openpgp_crt_deinit (crt);
1221 }
1222
1223 void
1224 pgp_privkey_info (void)
1225 {
1226 gnutls_openpgp_privkey_t key;
1227 unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1228 size_t size;
1229 int ret, i, subkeys, bits = 0;
1230 gnutls_datum_t pem;
1231 const char *cprint;
1232
1233 size = fread (buffer, 1, buffer_size - 1, infile);
1234 buffer[size] = 0;
1235
1236 gnutls_openpgp_privkey_init (&key);
1237
1238 pem.data = buffer;
1239 pem.size = size;
1240
1241 ret = gnutls_openpgp_privkey_import (key, &pem, incert_format,
1242 NULL, 0);
1243
1244 if (ret < 0)
1245 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1246
1247 /* Public key algorithm
1248 */
1249 subkeys = gnutls_openpgp_privkey_get_subkey_count (key);
1250 if (subkeys < 0)
1251 error (EXIT_FAILURE, 0, "privkey_get_subkey_count: %s",
1252 gnutls_strerror (subkeys));
1253
1254 for (i = -1; i < subkeys; i++)
1255 {
1256
1257 if (i != -1)
1258 fprintf (outfile, "Subkey[%d]:\n", i);
1259
1260 fprintf (outfile, "Public Key Info:\n");
1261
1262 if (i == -1)
1263 ret = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
1264 else
1265 ret = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, i, NULL);
1266
1267 fprintf (outfile, "\tPublic Key Algorithm: ");
1268 cprint = gnutls_pk_algorithm_get_name (ret);
1269 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1270 fprintf (outfile, "\tKey Security Level: %s\n",
1271 gnutls_sec_param_get_name (gnutls_openpgp_privkey_sec_param
1272 (key)));
1273
1274 /* Print the raw public and private keys
1275 */
1276
1277 if (ret == GNUTLS_PK_RSA)
1278 {
1279 gnutls_datum_t m, e, d, p, q, u;
1280
1281 if (i == -1)
1282 ret =
1283 gnutls_openpgp_privkey_export_rsa_raw (key, &m, &e, &d, &p,
1284 &q, &u);
1285 else
1286 ret =
1287 gnutls_openpgp_privkey_export_subkey_rsa_raw (key, i, &m,
1288 &e, &d, &p,
1289 &q, &u);
1290 if (ret < 0)
1291 fprintf (stderr, "Error in key RSA data export: %s\n",
1292 gnutls_strerror (ret));
1293 else
1294 print_rsa_pkey (outfile, &m, &e, &d, &p, &q, &u, NULL, NULL);
1295
1296 bits = m.size * 8;
1297 }
1298 else if (ret == GNUTLS_PK_DSA)
1299 {
1300 gnutls_datum_t p, q, g, y, x;
1301
1302 if (i == -1)
1303 ret =
1304 gnutls_openpgp_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1305 else
1306 ret =
1307 gnutls_openpgp_privkey_export_subkey_dsa_raw (key, i, &p,
1308 &q, &g, &y, &x);
1309 if (ret < 0)
1310 fprintf (stderr, "Error in key DSA data export: %s\n",
1311 gnutls_strerror (ret));
1312 else
1313 print_dsa_pkey (outfile, &x, &y, &p, &q, &g);
1314
1315 bits = y.size * 8;
1316 }
1317
1318 fprintf (outfile, "\n");
1319
1320 size = buffer_size;
1321 if (i == -1)
1322 ret = gnutls_openpgp_privkey_get_key_id (key, keyid);
1323 else
1324 ret = gnutls_openpgp_privkey_get_subkey_id (key, i, keyid);
1325
1326 if (ret < 0)
1327 {
1328 fprintf (stderr, "Error in key id calculation: %s\n",
1329 gnutls_strerror (ret));
1330 }
1331 else
1332 {
1333 fprintf (outfile, "Public key ID: %s\n", raw_to_string (keyid, 8));
1334 }
1335
1336 size = buffer_size;
1337 if (i == -1)
1338 ret = gnutls_openpgp_privkey_get_fingerprint (key, buffer, &size);
1339 else
1340 ret = gnutls_openpgp_privkey_get_subkey_fingerprint (key, i, buffer, &size);
1341
1342 if (ret < 0)
1343 {
1344 fprintf (stderr, "Error in fingerprint calculation: %s\n",
1345 gnutls_strerror (ret));
1346 }
1347 else
1348 {
1349 gnutls_datum_t art;
1350
1351 fprintf (outfile, "Fingerprint: %s\n", raw_to_string (buffer, size));
1352
1353 ret = gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint, bits, buffer, size, &art);
1354 if (ret >= 0)
1355 {
1356 fprintf (outfile, "Fingerprint's random art:\n%s\n\n", art.data);
1357 gnutls_free(art.data);
1358 }
1359 }
1360 }
1361
1362 size = buffer_size;
1363 ret = gnutls_openpgp_privkey_export (key, GNUTLS_OPENPGP_FMT_BASE64,
1364 NULL, 0, buffer, &size);
1365 if (ret < 0)
1366 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1367
1368 fprintf (outfile, "\n%s\n", buffer);
1369
1370 gnutls_openpgp_privkey_deinit (key);
1371 }
1372
1373 void
1374 pgp_ring_info (void)
1375 {
1376 gnutls_openpgp_keyring_t ring;
1377 gnutls_openpgp_crt_t crt;
1378 size_t size;
1379 int ret, i, count;
1380 gnutls_datum_t pem;
1381
1382 pem.data = (void*)fread_file (infile, &size);
1383 pem.size = size;
1384
1385 ret = gnutls_openpgp_keyring_init (&ring);
1386 if (ret < 0)
1387 error (EXIT_FAILURE, 0, "openpgp_keyring_init: %s",
1388 gnutls_strerror (ret));
1389
1390 ret = gnutls_openpgp_keyring_import (ring, &pem, incert_format);
1391
1392 if (ret < 0)
1393 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1394
1395 free (pem.data);
1396
1397 count = gnutls_openpgp_keyring_get_crt_count (ring);
1398 if (count >= 0)
1399 fprintf (outfile, "Keyring contains %d OpenPGP certificates\n\n", count);
1400 else
1401 error (EXIT_FAILURE, 0, "keyring error: %s", gnutls_strerror (count));
1402
1403 for (i = 0; i < count; i++)
1404 {
1405 ret = gnutls_openpgp_keyring_get_crt (ring, i, &crt);
1406 if (ret < 0)
1407 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1408
1409 size = buffer_size;
1410 ret = gnutls_openpgp_crt_export (crt, outcert_format,
1411 buffer, &size);
1412 if (ret < 0)
1413 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1414
1415 fwrite (buffer, 1, size, outfile);
1416 fprintf (outfile, "\n\n");
1417
1418 gnutls_openpgp_crt_deinit (crt);
1419
1420
1421 }
1422
1423 gnutls_openpgp_keyring_deinit (ring);
1424 }
1425
1426
1427 #endif
1428
1429
1430
1431 static void
1432 print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all)
1433 {
1434 gnutls_datum_t data;
1435 int ret;
1436
1437 if (all)
1438 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &data);
1439 else
1440 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_UNSIGNED_FULL, &data);
1441 if (ret == 0)
1442 {
1443 fprintf (out, "%s\n", data.data);
1444 gnutls_free (data.data);
1445 }
1446
1447 if (out == stderr && batch == 0) /* interactive */
1448 if (read_yesno ("Is the above information ok? (y/N): ") == 0)
1449 {
1450 exit (1);
1451 }
1452 }
1453
1454 static void
1455 print_crl_info (gnutls_x509_crl_t crl, FILE * out)
1456 {
1457 gnutls_datum_t data;
1458 int ret;
1459 size_t size;
1460
1461 ret = gnutls_x509_crl_print (crl, GNUTLS_CRT_PRINT_FULL, &data);
1462 if (ret < 0)
1463 error (EXIT_FAILURE, 0, "crl_print: %s", gnutls_strerror (ret));
1464
1465 fprintf (out, "%s\n", data.data);
1466
1467 gnutls_free (data.data);
1468
1469 size = buffer_size;
1470 ret = gnutls_x509_crl_export (crl, GNUTLS_X509_FMT_PEM, buffer, &size);
1471 if (ret < 0)
1472 error (EXIT_FAILURE, 0, "crl_export: %s", gnutls_strerror (ret));
1473
1474 fwrite (buffer, 1, size, outfile);
1475 }
1476
1477 void
1478 crl_info (void)
1479 {
1480 gnutls_x509_crl_t crl;
1481 int ret;
1482 size_t size;
1483 gnutls_datum_t pem;
1484
1485 ret = gnutls_x509_crl_init (&crl);
1486 if (ret < 0)
1487 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (ret));
1488
1489 pem.data = (void*)fread_file (infile, &size);
1490 pem.size = size;
1491
1492 if (!pem.data)
1493 error (EXIT_FAILURE, errno, "%s", infile ? "file" :
1494 "standard input");
1495
1496 ret = gnutls_x509_crl_import (crl, &pem, incert_format);
1497
1498 free (pem.data);
1499 if (ret < 0)
1500 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1501
1502 print_crl_info (crl, outfile);
1503
1504 gnutls_x509_crl_deinit (crl);
1505 }
1506
1507 static void
1508 print_crq_info (gnutls_x509_crq_t crq, FILE * out)
1509 {
1510 gnutls_datum_t data;
1511 int ret;
1512 size_t size;
1513
1514 if (outcert_format == GNUTLS_X509_FMT_PEM)
1515 {
1516 ret = gnutls_x509_crq_print (crq, GNUTLS_CRT_PRINT_FULL, &data);
1517 if (ret < 0)
1518 error (EXIT_FAILURE, 0, "crq_print: %s", gnutls_strerror (ret));
1519
1520 fprintf (out, "%s\n", data.data);
1521
1522 gnutls_free (data.data);
1523 }
1524
1525 ret = gnutls_x509_crq_verify(crq, 0);
1526 if (ret < 0)
1527 {
1528 fprintf(out, "Self signature: FAILED\n\n");
1529 }
1530 else
1531 {
1532 fprintf(out, "Self signature: verified\n\n");
1533 }
1534
1535 size = buffer_size;
1536 ret = gnutls_x509_crq_export (crq, outcert_format, buffer, &size);
1537 if (ret < 0)
1538 error (EXIT_FAILURE, 0, "crq_export: %s", gnutls_strerror (ret));
1539
1540 fwrite (buffer, 1, size, outfile);
1541 }
1542
1543 void
1544 crq_info (void)
1545 {
1546 gnutls_x509_crq_t crq;
1547 int ret;
1548 size_t size;
1549 gnutls_datum_t pem;
1550
1551 ret = gnutls_x509_crq_init (&crq);
1552 if (ret < 0)
1553 error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));
1554
1555 pem.data = (void*)fread_file (infile, &size);
1556 pem.size = size;
1557
1558 if (!pem.data)
1559 error (EXIT_FAILURE, errno, "%s", infile ? "file" :
1560 "standard input");
1561
1562 ret = gnutls_x509_crq_import (crq, &pem, incert_format);
1563
1564 free (pem.data);
1565 if (ret < 0)
1566 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1567
1568 print_crq_info (crq, outfile);
1569
1570 gnutls_x509_crq_deinit (crq);
1571 }
1572
1573 static void privkey_info_int (common_info_st* cinfo, gnutls_x509_privkey_t key)
1574 {
1575 int ret, key_type;
1576 unsigned int bits = 0;
1577 size_t size;
1578 const char *cprint;
1579
1580 /* Public key algorithm
1581 */
1582 fprintf (outfile, "Public Key Info:\n");
1583 ret = gnutls_x509_privkey_get_pk_algorithm2 (key, &bits);
1584 fprintf (outfile, "\tPublic Key Algorithm: ");
1585
1586 key_type = ret;
1587
1588 cprint = gnutls_pk_algorithm_get_name (key_type);
1589 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1590 fprintf (outfile, "\tKey Security Level: %s (%u bits)\n\n",
1591 gnutls_sec_param_get_name (gnutls_x509_privkey_sec_param (key)), bits);
1592
1593 /* Print the raw public and private keys
1594 */
1595 if (key_type == GNUTLS_PK_RSA)
1596 {
1597 gnutls_datum_t m, e, d, p, q, u, exp1, exp2;
1598
1599 ret =
1600 gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u,
1601 &exp1, &exp2);
1602 if (ret < 0)
1603 fprintf (stderr, "Error in key RSA data export: %s\n",
1604 gnutls_strerror (ret));
1605 else
1606 {
1607 print_rsa_pkey (outfile, &m, &e, &d, &p, &q, &u, &exp1, &exp2);
1608
1609 gnutls_free (m.data);
1610 gnutls_free (e.data);
1611 gnutls_free (d.data);
1612 gnutls_free (p.data);
1613 gnutls_free (q.data);
1614 gnutls_free (u.data);
1615 gnutls_free (exp1.data);
1616 gnutls_free (exp2.data);
1617 }
1618 }
1619 else if (key_type == GNUTLS_PK_DSA)
1620 {
1621 gnutls_datum_t p, q, g, y, x;
1622
1623 ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1624 if (ret < 0)
1625 fprintf (stderr, "Error in key DSA data export: %s\n",
1626 gnutls_strerror (ret));
1627 else
1628 {
1629 print_dsa_pkey (outfile, &x, &y, &p, &q, &g);
1630
1631 gnutls_free (x.data);
1632 gnutls_free (y.data);
1633 gnutls_free (p.data);
1634 gnutls_free (q.data);
1635 gnutls_free (g.data);
1636 }
1637 }
1638 else if (key_type == GNUTLS_PK_EC)
1639 {
1640 gnutls_datum_t y, x, k;
1641 gnutls_ecc_curve_t curve;
1642
1643 ret = gnutls_x509_privkey_export_ecc_raw (key, &curve, &x, &y, &k);
1644 if (ret < 0)
1645 fprintf (stderr, "Error in key ECC data export: %s\n",
1646 gnutls_strerror (ret));
1647 else
1648 {
1649 print_ecc_pkey (outfile, curve, &k, &x, &y);
1650
1651 gnutls_free (x.data);
1652 gnutls_free (y.data);
1653 gnutls_free (k.data);
1654 }
1655 }
1656
1657 fprintf (outfile, "\n");
1658
1659 size = buffer_size;
1660 if ((ret = gnutls_x509_privkey_get_key_id (key, 0, buffer, &size)) < 0)
1661 {
1662 fprintf (stderr, "Error in key id calculation: %s\n",
1663 gnutls_strerror (ret));
1664 }
1665 else
1666 {
1667 gnutls_datum_t art;
1668
1669 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
1670
1671 ret = gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint, bits, buffer, size, &art);
1672 if (ret >= 0)
1673 {
1674 fprintf (outfile, "Public key's random art:\n%s\n", art.data);
1675 gnutls_free(art.data);
1676 }
1677 }
1678 fprintf (outfile, "\n");
1679
1680 }
1681
1682 void
1683 privkey_info (common_info_st* cinfo)
1684 {
1685 gnutls_x509_privkey_t key;
1686 size_t size;
1687 int ret;
1688 gnutls_datum_t pem;
1689 const char *pass;
1690 unsigned int flags = 0;
1691
1692 size = fread (buffer, 1, buffer_size - 1, infile);
1693 buffer[size] = 0;
1694
1695 gnutls_x509_privkey_init (&key);
1696
1697 pem.data = buffer;
1698 pem.size = size;
1699
1700 ret = gnutls_x509_privkey_import2 (key, &pem, incert_format, NULL, 0);
1701
1702 /* If we failed to import the certificate previously try PKCS #8 */
1703 if (ret == GNUTLS_E_DECRYPTION_FAILED)
1704 {
1705 fprintf(stderr, "Encrypted structure detected...\n");
1706 pass = get_password(cinfo, &flags, 0);
1707
1708 ret = gnutls_x509_privkey_import2 (key, &pem,
1709 incert_format, pass, flags);
1710 }
1711 if (ret < 0)
1712 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1713
1714 if (outcert_format == GNUTLS_X509_FMT_PEM)
1715 privkey_info_int (cinfo, key);
1716
1717 ret = gnutls_x509_privkey_verify_params (key);
1718 if (ret < 0)
1719 fprintf (outfile, "\n** Private key parameters validation failed **\n\n");
1720
1721 size = buffer_size;
1722 ret = gnutls_x509_privkey_export (key, outcert_format, buffer, &size);
1723 if (ret < 0)
1724 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1725
1726 fwrite (buffer, 1, size, outfile);
1727
1728 gnutls_x509_privkey_deinit (key);
1729 }
1730
1731
1732 /* Generate a PKCS #10 certificate request.
1733 */
1734 void
1735 generate_request (common_info_st * cinfo)
1736 {
1737 gnutls_x509_crq_t crq;
1738 gnutls_x509_privkey_t xkey;
1739 gnutls_pubkey_t pubkey;
1740 gnutls_privkey_t pkey;
1741 int ret, ca_status, path_len, pk;
1742 const char *pass;
1743 unsigned int usage = 0;
1744
1745 fprintf (stderr, "Generating a PKCS #10 certificate request...\n");
1746
1747 ret = gnutls_x509_crq_init (&crq);
1748 if (ret < 0)
1749 error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));
1750
1751
1752 /* Load the private key.
1753 */
1754 pkey = load_private_key (0, cinfo);
1755 if (!pkey)
1756 {
1757 ret = gnutls_privkey_init (&pkey);
1758 if (ret < 0)
1759 error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
1760
1761 xkey = generate_private_key_int (cinfo);
1762
1763 print_private_key (cinfo, xkey);
1764
1765 ret = gnutls_privkey_import_x509(pkey, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
1766 if (ret < 0)
1767 error (EXIT_FAILURE, 0, "privkey_import_x509: %s", gnutls_strerror (ret));
1768 }
1769
1770 pubkey = load_public_key_or_import (1, pkey, cinfo);
1771
1772 pk = gnutls_pubkey_get_pk_algorithm (pubkey, NULL);
1773
1774 /* Set the DN.
1775 */
1776 get_country_crq_set (crq);
1777 get_organization_crq_set (crq);
1778 get_unit_crq_set (crq);
1779 get_locality_crq_set (crq);
1780 get_state_crq_set (crq);
1781 get_cn_crq_set (crq);
1782 get_dc_set (TYPE_CRQ, crq);
1783 get_uid_crq_set (crq);
1784 get_oid_crq_set (crq);
1785
1786 get_dns_name_set (TYPE_CRQ, crq);
1787 get_uri_set (TYPE_CRQ, crq);
1788 get_ip_addr_set (TYPE_CRQ, crq);
1789 get_email_set (TYPE_CRQ, crq);
1790
1791 pass = get_challenge_pass ();
1792
1793 if (pass != NULL && pass[0] != 0)
1794 {
1795 ret = gnutls_x509_crq_set_challenge_password (crq, pass);
1796 if (ret < 0)
1797 error (EXIT_FAILURE, 0, "set_pass: %s", gnutls_strerror (ret));
1798 }
1799
1800 if (cinfo->crq_extensions != 0)
1801 {
1802 ca_status = get_ca_status ();
1803 if (ca_status)
1804 path_len = get_path_len ();
1805 else
1806 path_len = -1;
1807
1808 ret = gnutls_x509_crq_set_basic_constraints (crq, ca_status, path_len);
1809 if (ret < 0)
1810 error (EXIT_FAILURE, 0, "set_basic_constraints: %s",
1811 gnutls_strerror (ret));
1812
1813 if (pk == GNUTLS_PK_RSA)
1814 {
1815 ret = get_sign_status (1);
1816 if (ret)
1817 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1818
1819 /* Only ask for an encryption certificate
1820 * if it is an RSA one */
1821 ret = get_encrypt_status (1);
1822 if (ret)
1823 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
1824 else
1825 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1826 }
1827 else /* DSA and ECDSA are always signing */
1828 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1829
1830 if (ca_status)
1831 {
1832 ret = get_cert_sign_status ();
1833 if (ret)
1834 usage |= GNUTLS_KEY_KEY_CERT_SIGN;
1835
1836 ret = get_crl_sign_status ();
1837 if (ret)
1838 usage |= GNUTLS_KEY_CRL_SIGN;
1839
1840 ret = get_code_sign_status ();
1841 if (ret)
1842 {
1843 ret = gnutls_x509_crq_set_key_purpose_oid
1844 (crq, GNUTLS_KP_CODE_SIGNING, 0);
1845 if (ret < 0)
1846 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1847 }
1848
1849 ret = get_ocsp_sign_status ();
1850 if (ret)
1851 {
1852 ret = gnutls_x509_crq_set_key_purpose_oid
1853 (crq, GNUTLS_KP_OCSP_SIGNING, 0);
1854 if (ret < 0)
1855 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1856 }
1857
1858 ret = get_time_stamp_status ();
1859 if (ret)
1860 {
1861 ret = gnutls_x509_crq_set_key_purpose_oid
1862 (crq, GNUTLS_KP_TIME_STAMPING, 0);
1863 if (ret < 0)
1864 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1865 }
1866
1867 ret = get_ipsec_ike_status ();
1868 if (ret)
1869 {
1870 ret = gnutls_x509_crq_set_key_purpose_oid
1871 (crq, GNUTLS_KP_IPSEC_IKE, 0);
1872 if (ret < 0)
1873 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1874 }
1875 }
1876
1877 ret = gnutls_x509_crq_set_key_usage (crq, usage);
1878 if (ret < 0)
1879 error (EXIT_FAILURE, 0, "key_usage: %s", gnutls_strerror (ret));
1880
1881 ret = get_tls_client_status ();
1882 if (ret != 0)
1883 {
1884 ret = gnutls_x509_crq_set_key_purpose_oid
1885 (crq, GNUTLS_KP_TLS_WWW_CLIENT, 0);
1886 if (ret < 0)
1887 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1888 }
1889
1890 ret = get_tls_server_status ();
1891 if (ret != 0)
1892 {
1893 ret = gnutls_x509_crq_set_key_purpose_oid
1894 (crq, GNUTLS_KP_TLS_WWW_SERVER, 0);
1895 if (ret < 0)
1896 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1897 }
1898 }
1899
1900 ret = gnutls_x509_crq_set_pubkey (crq, pubkey);
1901 if (ret < 0)
1902 error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (ret));
1903
1904 ret = gnutls_x509_crq_privkey_sign (crq, pkey, get_dig_for_pub (pubkey), 0);
1905 if (ret < 0)
1906 error (EXIT_FAILURE, 0, "sign: %s", gnutls_strerror (ret));
1907
1908 print_crq_info (crq, outfile);
1909
1910 gnutls_x509_crq_deinit (crq);
1911 gnutls_privkey_deinit( pkey);
1912 gnutls_pubkey_deinit( pubkey);
1913
1914 }
1915
1916 static void print_verification_res (FILE* outfile, unsigned int output);
1917
1918 static int detailed_verification(gnutls_x509_crt_t cert,
1919 gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
1920 unsigned int verification_output)
1921 {
1922 char name[512];
1923 char tmp[255];
1924 char issuer_name[512];
1925 size_t name_size;
1926 size_t issuer_name_size;
1927 int ret;
1928
1929 issuer_name_size = sizeof (issuer_name);
1930 ret =
1931 gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
1932 if (ret < 0)
1933 error (EXIT_FAILURE, 0, "gnutls_x509_crt_get_issuer_dn: %s", gnutls_strerror (ret));
1934
1935 name_size = sizeof (name);
1936 ret =
1937 gnutls_x509_crt_get_dn (cert, name, &name_size);
1938 if (ret < 0)
1939 error (EXIT_FAILURE, 0, "gnutls_x509_crt_get_dn: %s", gnutls_strerror (ret));
1940
1941 fprintf (outfile, "\tSubject: %s\n", name);
1942 fprintf (outfile, "\tIssuer: %s\n", issuer_name);
1943
1944 if (issuer != NULL)
1945 {
1946 issuer_name_size = sizeof (issuer_name);
1947 ret =
1948 gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size);
1949 if (ret < 0)
1950 error (EXIT_FAILURE, 0, "gnutls_x509_crt_get_issuer_dn: %s", gnutls_strerror (ret));
1951
1952 fprintf (outfile, "\tChecked against: %s\n", issuer_name);
1953 }
1954
1955 if (crl != NULL)
1956 {
1957 gnutls_datum_t data;
1958
1959 issuer_name_size = sizeof (issuer_name);
1960 ret =
1961 gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size);
1962 if (ret < 0)
1963 error (EXIT_FAILURE, 0, "gnutls_x509_crl_get_issuer_dn: %s", gnutls_strerror (ret));
1964
1965 name_size = sizeof(tmp);
1966 ret = gnutls_x509_crl_get_number(crl, tmp, &name_size, NULL);
1967 if (ret < 0)
1968 strcpy(name, "unnumbered");
1969 else
1970 {
1971 data.data = (void*)tmp;
1972 data.size = name_size;
1973
1974 name_size = sizeof(name);
1975 ret = gnutls_hex_encode(&data, name, &name_size);
1976 if (ret < 0)
1977 error (EXIT_FAILURE, 0, "gnutls_hex_encode: %s", gnutls_strerror (ret));
1978 }
1979 fprintf (outfile, "\tChecked against CRL[%s] of: %s\n", name, issuer_name);
1980 }
1981
1982 fprintf (outfile, "\tOutput: ");
1983 print_verification_res(outfile, verification_output);
1984
1985 fputs(".\n\n", outfile);
1986
1987 return 0;
1988 }
1989
1990 /* Will verify a certificate chain. If no CA certificates
1991 * are provided, then the last certificate in the certificate
1992 * chain is used as a CA.
1993 */
1994 static int
1995 _verify_x509_mem (const void *cert, int cert_size, const void* ca, int ca_size)
1996 {
1997 int ret;
1998 gnutls_datum_t tmp;
1999 gnutls_x509_crt_t *x509_cert_list = NULL;
2000 gnutls_x509_crt_t *x509_ca_list = NULL;
2001 gnutls_x509_crl_t *x509_crl_list = NULL;
2002 unsigned int x509_ncerts, x509_ncrls = 0, x509_ncas = 0;
2003 gnutls_x509_trust_list_t list;
2004 unsigned int output;
2005
2006 ret = gnutls_x509_trust_list_init(&list, 0);
2007 if (ret < 0)
2008 error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s",
2009 gnutls_strerror (ret));
2010
2011 if (ca == NULL)
2012 {
2013 tmp.data = (void*)cert;
2014 tmp.size = cert_size;
2015 }
2016 else
2017 {
2018 tmp.data = (void*)ca;
2019 tmp.size = ca_size;
2020
2021 /* Load CAs */
2022 ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, &tmp,
2023 GNUTLS_X509_FMT_PEM, 0);
2024 if (ret < 0 || x509_ncas < 1)
2025 error (EXIT_FAILURE, 0, "error parsing CAs: %s",
2026 gnutls_strerror (ret));
2027 }
2028
2029 ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, &tmp,
2030 GNUTLS_X509_FMT_PEM, 0);
2031 if (ret < 0)
2032 {
2033 x509_crl_list = NULL;
2034 x509_ncrls = 0;
2035 }
2036
2037 tmp.data = (void*)cert;
2038 tmp.size = cert_size;
2039
2040 /* ignore errors. CRLs might not be given */
2041 ret = gnutls_x509_crt_list_import2( &x509_cert_list, &x509_ncerts, &tmp,
2042 GNUTLS_X509_FMT_PEM, 0);
2043 if (ret < 0 || x509_ncerts < 1)
2044 error (EXIT_FAILURE, 0, "error parsing CRTs: %s",
2045 gnutls_strerror (ret));
2046
2047 if (ca == NULL)
2048 {
2049 x509_ca_list = &x509_cert_list[x509_ncerts - 1];
2050 x509_ncas = 1;
2051 }
2052
2053 fprintf(stdout, "Loaded %d certificates, %d CAs and %d CRLs\n\n",
2054 x509_ncerts, x509_ncas, x509_ncrls);
2055
2056 ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, 0);
2057 if (ret < 0)
2058 error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s",
2059 gnutls_strerror (ret));
2060
2061 ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, 0, 0);
2062 if (ret < 0)
2063 error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_crls: %s",
2064 gnutls_strerror (ret));
2065
2066 gnutls_free(x509_crl_list);
2067
2068 ret = gnutls_x509_trust_list_verify_crt (list, x509_cert_list, x509_ncerts,
2069 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME|GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output,
2070 detailed_verification);
2071 if (ret < 0)
2072 error (EXIT_FAILURE, 0, "gnutls_x509_trusted_list_verify_crt: %s",
2073 gnutls_strerror (ret));
2074
2075 fprintf (outfile, "Chain verification output: ");
2076 print_verification_res(outfile, output);
2077
2078 fprintf (outfile, ".\n\n");
2079
2080 gnutls_free(x509_cert_list);
2081 gnutls_x509_trust_list_deinit(list, 1);
2082
2083 if (output != 0)
2084 exit(EXIT_FAILURE);
2085
2086 return 0;
2087 }
2088
2089 static void
2090 print_verification_res (FILE* outfile, unsigned int output)
2091 {
2092 int comma = 0;
2093
2094 if (output & GNUTLS_CERT_INVALID)
2095 {
2096 fprintf (outfile, "Not verified");
2097 comma = 1;
2098 }
2099 else
2100 {
2101 fprintf (outfile, "Verified");
2102 comma = 1;
2103 }
2104
2105 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
2106 {
2107 if (comma)
2108 fprintf (outfile, ", ");
2109 fprintf (outfile, "Issuer is not a CA");
2110 comma = 1;
2111 }
2112
2113 if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
2114 {
2115 if (comma)
2116 fprintf (outfile, ", ");
2117 fprintf (outfile, "Insecure algorithm");
2118 comma = 1;
2119 }
2120
2121 if (output & GNUTLS_CERT_NOT_ACTIVATED)
2122 {
2123 if (comma)
2124 fprintf (outfile, ", ");
2125 fprintf (outfile, "Not activated");
2126 comma = 1;
2127 }
2128
2129 if (output & GNUTLS_CERT_EXPIRED)
2130 {
2131 if (comma)
2132 fprintf (outfile, ", ");
2133 fprintf (outfile, "Expired");
2134 comma = 1;
2135 }
2136
2137 if (output & GNUTLS_CERT_REVOKED)
2138 {
2139 if (comma)
2140 fprintf (outfile, ", ");
2141 fprintf (outfile, "Revoked");
2142 comma = 1;
2143 }
2144 }
2145
2146 static void
2147 verify_chain (void)
2148 {
2149 char *buf;
2150 size_t size;
2151
2152 buf = (void*)fread_file (infile, &size);
2153 if (buf == NULL)
2154 error (EXIT_FAILURE, errno, "reading chain");
2155
2156 buf[size] = 0;
2157
2158 _verify_x509_mem (buf, size, NULL, 0);
2159
2160 }
2161
2162 static void
2163 verify_certificate (common_info_st * cinfo)
2164 {
2165 char *cert;
2166 char *cas;
2167 size_t cert_size, ca_size;
2168 FILE * ca_file = fopen(cinfo->ca, "r");
2169
2170 if (ca_file == NULL)
2171 error (EXIT_FAILURE, errno, "opening CA file");
2172
2173 cert = (void*)fread_file (infile, &cert_size);
2174 if (cert == NULL)
2175 error (EXIT_FAILURE, errno, "reading certificate chain");
2176
2177 cert[cert_size] = 0;
2178
2179 cas = (void*)fread_file (ca_file, &ca_size);
2180 if (cas == NULL)
2181 error (EXIT_FAILURE, errno, "reading CA list");
2182
2183 cas[ca_size] = 0;
2184 fclose(ca_file);
2185
2186 _verify_x509_mem (cert, cert_size, cas, ca_size);
2187
2188
2189 }
2190
2191 void
2192 verify_crl (common_info_st * cinfo)
2193 {
2194 size_t size, dn_size;
2195 char dn[128];
2196 unsigned int output;
2197 int comma = 0;
2198 int ret;
2199 gnutls_datum_t pem;
2200 gnutls_x509_crl_t crl;
2201 time_t now = time (0);
2202 gnutls_x509_crt_t issuer;
2203
2204 issuer = load_ca_cert (cinfo);
2205
2206 fprintf (outfile, "\nCA certificate:\n");
2207
2208 dn_size = sizeof (dn);
2209 ret = gnutls_x509_crt_get_dn (issuer, dn, &dn_size);
2210 if (ret < 0)
2211 error (EXIT_FAILURE, 0, "crt_get_dn: %s", gnutls_strerror (ret));
2212
2213 fprintf (outfile, "\tSubject: %s\n\n", dn);
2214
2215 ret = gnutls_x509_crl_init (&crl);
2216 if (ret < 0)
2217 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (ret));
2218
2219 pem.data = (void*)fread_file (infile, &size);
2220 pem.size = size;
2221
2222 ret = gnutls_x509_crl_import (crl, &pem, incert_format);
2223 free (pem.data);
2224 if (ret < 0)
2225 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
2226
2227 print_crl_info (crl, outfile);
2228
2229 fprintf (outfile, "Verification output: ");
2230 ret = gnutls_x509_crl_verify (crl, &issuer, 1, 0, &output);
2231 if (ret < 0)
2232 error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
2233
2234 if (output & GNUTLS_CERT_INVALID)
2235 {
2236 fprintf (outfile, "Not verified");
2237 comma = 1;
2238 }
2239 else
2240 {
2241 fprintf (outfile, "Verified");
2242 comma = 1;
2243 }
2244
2245 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
2246 {
2247 if (comma)
2248 fprintf (outfile, ", ");
2249 fprintf (outfile, "Issuer is not a CA");
2250 comma = 1;
2251 }
2252
2253 if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
2254 {
2255 if (comma)
2256 fprintf (outfile, ", ");
2257 fprintf (outfile, "Insecure algorithm");
2258 comma = 1;
2259 }
2260
2261 /* Check expiration dates.
2262 */
2263
2264 if (gnutls_x509_crl_get_this_update (crl) > now)
2265 {
2266 if (comma)
2267 fprintf (outfile, ", ");
2268 comma = 1;
2269 fprintf (outfile, "Issued in the future!");
2270 }
2271
2272 if (gnutls_x509_crl_get_next_update (crl) < now)
2273 {
2274 if (comma)
2275 fprintf (outfile, ", ");
2276 comma = 1;
2277 fprintf (outfile, "CRL is not up to date");
2278 }
2279
2280 fprintf (outfile, "\n");
2281 }
2282
2283
2284
2285 void
2286 generate_pkcs8 (common_info_st * cinfo)
2287 {
2288 gnutls_x509_privkey_t key;
2289 int result;
2290 size_t size;
2291 unsigned int flags = 0;
2292 const char *password;
2293
2294 fprintf (stderr, "Generating a PKCS #8 key structure...\n");
2295
2296 key = load_x509_private_key (1, cinfo);
2297
2298 password = get_password(cinfo, &flags, 1);
2299
2300 flags |= cipher_to_flags (cinfo->pkcs_cipher);
2301
2302 size = buffer_size;
2303 result =
2304 gnutls_x509_privkey_export_pkcs8 (key, outcert_format,
2305 password, flags, buffer, &size);
2306
2307 if (result < 0)
2308 error (EXIT_FAILURE, 0, "key_export: %s", gnutls_strerror (result));
2309
2310 fwrite (buffer, 1, size, outfile);
2311
2312 }
2313
2314
2315 #include <gnutls/pkcs12.h>
2316 #include <unistd.h>
2317
2318 void
2319 generate_pkcs12 (common_info_st * cinfo)
2320 {
2321 gnutls_pkcs12_t pkcs12;
2322 gnutls_x509_crt_t *crts;
2323 gnutls_x509_privkey_t *keys;
2324 int result;
2325 size_t size;
2326 gnutls_datum_t data;
2327 const char *pass;
2328 const char *name;
2329 unsigned int flags = 0, i;
2330 gnutls_datum_t key_id;
2331 unsigned char _key_id[32];
2332 int indx;
2333 size_t ncrts;
2334 size_t nkeys;
2335
2336 fprintf (stderr, "Generating a PKCS #12 structure...\n");
2337
2338 keys = load_privkey_list (0, &nkeys, cinfo);
2339 crts = load_cert_list (0, &ncrts, cinfo);
2340
2341 name = get_pkcs12_key_name ();
2342
2343 result = gnutls_pkcs12_init (&pkcs12);
2344 if (result < 0)
2345 error (EXIT_FAILURE, 0, "pkcs12_init: %s", gnutls_strerror (result));
2346
2347 pass = get_password(cinfo, &flags, 1);
2348 flags |= cipher_to_flags (cinfo->pkcs_cipher);
2349
2350 for (i = 0; i < ncrts; i++)
2351 {
2352 gnutls_pkcs12_bag_t bag;
2353
2354 result = gnutls_pkcs12_bag_init (&bag);
2355 if (result < 0)
2356 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2357
2358 result = gnutls_pkcs12_bag_set_crt (bag, crts[i]);
2359 if (result < 0)
2360 error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i,
2361 gnutls_strerror (result));
2362
2363 indx = result;
2364
2365 if (i==0) /* only the first certificate gets the friendly name */
2366 {
2367 result = gnutls_pkcs12_bag_set_friendly_name (bag, indx, name);
2368 if (result < 0)
2369 error (EXIT_FAILURE, 0, "bag_set_friendly_name: %s",
2370 gnutls_strerror (result));
2371 }
2372
2373 size = sizeof (_key_id);
2374 result = gnutls_x509_crt_get_key_id (crts[i], 0, _key_id, &size);
2375 if (result < 0)
2376 error (EXIT_FAILURE, 0, "key_id[%d]: %s", i,
2377 gnutls_strerror (result));
2378
2379 key_id.data = _key_id;
2380 key_id.size = size;
2381
2382 result = gnutls_pkcs12_bag_set_key_id (bag, indx, &key_id);
2383 if (result < 0)
2384 error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
2385 gnutls_strerror (result));
2386
2387 result = gnutls_pkcs12_bag_encrypt (bag, pass, flags);
2388 if (result < 0)
2389 error (EXIT_FAILURE, 0, "bag_encrypt: %s", gnutls_strerror (result));
2390
2391 result = gnutls_pkcs12_set_bag (pkcs12, bag);
2392 if (result < 0)
2393 error (EXIT_FAILURE, 0, "set_bag: %s", gnutls_strerror (result));
2394 }
2395
2396 for (i = 0; i < nkeys; i++)
2397 {
2398 gnutls_pkcs12_bag_t kbag;
2399
2400 result = gnutls_pkcs12_bag_init (&kbag);
2401 if (result < 0)
2402 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2403
2404 size = buffer_size;
2405 result =
2406 gnutls_x509_privkey_export_pkcs8 (keys[i], GNUTLS_X509_FMT_DER,
2407 pass, flags, buffer, &size);
2408 if (result < 0)
2409 error (EXIT_FAILURE, 0, "key_export[%d]: %s", i, gnutls_strerror (result));
2410
2411 data.data = buffer;
2412 data.size = size;
2413 result =
2414 gnutls_pkcs12_bag_set_data (kbag,
2415 GNUTLS_BAG_PKCS8_ENCRYPTED_KEY, &data);
2416 if (result < 0)
2417 error (EXIT_FAILURE, 0, "bag_set_data: %s", gnutls_strerror (result));
2418
2419 indx = result;
2420
2421 result = gnutls_pkcs12_bag_set_friendly_name (kbag, indx, name);
2422 if (result < 0)
2423 error (EXIT_FAILURE, 0, "bag_set_friendly_name: %s",
2424 gnutls_strerror (result));
2425
2426 size = sizeof (_key_id);
2427 result = gnutls_x509_privkey_get_key_id (keys[i], 0, _key_id, &size);
2428 if (result < 0)
2429 error (EXIT_FAILURE, 0, "key_id[%d]: %s", i, gnutls_strerror (result));
2430
2431 key_id.data = _key_id;
2432 key_id.size = size;
2433
2434 result = gnutls_pkcs12_bag_set_key_id (kbag, indx, &key_id);
2435 if (result < 0)
2436 error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
2437 gnutls_strerror (result));
2438
2439 result = gnutls_pkcs12_set_bag (pkcs12, kbag);
2440 if (result < 0)
2441 error (EXIT_FAILURE, 0, "set_bag: %s", gnutls_strerror (result));
2442 }
2443
2444 result = gnutls_pkcs12_generate_mac (pkcs12, pass);
2445 if (result < 0)
2446 error (EXIT_FAILURE, 0, "generate_mac: %s", gnutls_strerror (result));
2447
2448 size = buffer_size;
2449 result = gnutls_pkcs12_export (pkcs12, outcert_format, buffer, &size);
2450 if (result < 0)
2451 error (EXIT_FAILURE, 0, "pkcs12_export: %s", gnutls_strerror (result));
2452
2453 fwrite (buffer, 1, size, outfile);
2454
2455 }
2456
2457 static const char *
2458 BAGTYPE (gnutls_pkcs12_bag_type_t x)
2459 {
2460 switch (x)
2461 {
2462 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2463 return "PKCS #8 Encrypted key";
2464 case GNUTLS_BAG_EMPTY:
2465 return "Empty";
2466 case GNUTLS_BAG_PKCS8_KEY:
2467 return "PKCS #8 Key";
2468 case GNUTLS_BAG_CERTIFICATE:
2469 return "Certificate";
2470 case GNUTLS_BAG_ENCRYPTED:
2471 return "Encrypted";
2472 case GNUTLS_BAG_CRL:
2473 return "CRL";
2474 case GNUTLS_BAG_SECRET:
2475 return "Secret";
2476 default:
2477 return "Unknown";
2478 }
2479 }
2480
2481 static void
2482 print_bag_data (gnutls_pkcs12_bag_t bag)
2483 {
2484 int result;
2485 int count, i, type;
2486 gnutls_datum_t cdata, id;
2487 const char *str, *name;
2488 gnutls_datum_t out;
2489
2490 count = gnutls_pkcs12_bag_get_count (bag);
2491 if (count < 0)
2492 error (EXIT_FAILURE, 0, "get_count: %s", gnutls_strerror (count));
2493
2494 fprintf (outfile, "\tElements: %d\n", count);
2495
2496 for (i = 0; i < count; i++)
2497 {
2498 type = gnutls_pkcs12_bag_get_type (bag, i);
2499 if (type < 0)
2500 error (EXIT_FAILURE, 0, "get_type: %s", gnutls_strerror (type));
2501
2502 fprintf (stderr, "\tType: %s\n", BAGTYPE (type));
2503
2504 name = NULL;
2505 result = gnutls_pkcs12_bag_get_friendly_name (bag, i, (char **) &name);
2506 if (result < 0)
2507 error (EXIT_FAILURE, 0, "get_friendly_name: %s",
2508 gnutls_strerror (type));
2509 if (name)
2510 fprintf (outfile, "\tFriendly name: %s\n", name);
2511
2512 id.data = NULL;
2513 id.size = 0;
2514 result = gnutls_pkcs12_bag_get_key_id (bag, i, &id);
2515 if (result < 0)
2516 error (EXIT_FAILURE, 0, "get_key_id: %s", gnutls_strerror (type));
2517 if (id.size > 0)
2518 fprintf (outfile, "\tKey ID: %s\n", raw_to_string (id.data, id.size));
2519
2520 result = gnutls_pkcs12_bag_get_data (bag, i, &cdata);
2521 if (result < 0)
2522 error (EXIT_FAILURE, 0, "get_data: %s", gnutls_strerror (result));
2523
2524 switch (type)
2525 {
2526 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2527 str = "ENCRYPTED PRIVATE KEY";
2528 break;
2529 case GNUTLS_BAG_PKCS8_KEY:
2530 str = "PRIVATE KEY";
2531 break;
2532 case GNUTLS_BAG_CERTIFICATE:
2533 str = "CERTIFICATE";
2534 break;
2535 case GNUTLS_BAG_CRL:
2536 str = "CRL";
2537 break;
2538 case GNUTLS_BAG_ENCRYPTED:
2539 case GNUTLS_BAG_EMPTY:
2540 default:
2541 str = NULL;
2542 }
2543
2544 if (str != NULL)
2545 {
2546 gnutls_pem_base64_encode_alloc (str, &cdata, &out);
2547 fprintf (outfile, "%s\n", out.data);
2548
2549 gnutls_free (out.data);
2550 }
2551
2552 }
2553 }
2554
2555 void
2556 pkcs12_info (common_info_st* cinfo)
2557 {
2558 gnutls_pkcs12_t pkcs12;
2559 gnutls_pkcs12_bag_t bag;
2560 int result;
2561 size_t size;
2562 gnutls_datum_t data;
2563 const char *pass;
2564 int indx, fail = 0;
2565
2566 result = gnutls_pkcs12_init (&pkcs12);
2567 if (result < 0)
2568 error (EXIT_FAILURE, 0, "p12_init: %s", gnutls_strerror (result));
2569
2570 data.data = (void*)fread_file (infile, &size);
2571 data.size = size;
2572
2573 result = gnutls_pkcs12_import (pkcs12, &data, incert_format, 0);
2574 free (data.data);
2575 if (result < 0)
2576 error (EXIT_FAILURE, 0, "p12_import: %s", gnutls_strerror (result));
2577
2578 pass = get_password(cinfo, NULL, 0);
2579
2580 result = gnutls_pkcs12_verify_mac (pkcs12, pass);
2581 if (result < 0)
2582 {
2583 fail = 1;
2584 error (0, 0, "verify_mac: %s", gnutls_strerror (result));
2585 }
2586
2587 for (indx = 0;; indx++)
2588 {
2589 result = gnutls_pkcs12_bag_init (&bag);
2590 if (result < 0)
2591 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2592
2593 result = gnutls_pkcs12_get_bag (pkcs12, indx, bag);
2594 if (result < 0)
2595 break;
2596
2597 result = gnutls_pkcs12_bag_get_count (bag);
2598 if (result < 0)
2599 error (EXIT_FAILURE, 0, "bag_count: %s", gnutls_strerror (result));
2600
2601 fprintf (outfile, "BAG #%d\n", indx);
2602
2603 result = gnutls_pkcs12_bag_get_type (bag, 0);
2604 if (result < 0)
2605 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2606
2607 if (result == GNUTLS_BAG_ENCRYPTED)
2608 {
2609 fprintf (stderr, "\tType: %s\n", BAGTYPE (result));
2610 fprintf (stderr, "\n\tDecrypting...\n");
2611
2612 result = gnutls_pkcs12_bag_decrypt (bag, pass);
2613
2614 if (result < 0)
2615 {
2616 fail = 1;
2617 error (0, 0, "bag_decrypt: %s", gnutls_strerror (result));
2618 continue;
2619 }
2620
2621 result = gnutls_pkcs12_bag_get_count (bag);
2622 if (result < 0)
2623 error (EXIT_FAILURE, 0, "encrypted bag_count: %s",
2624 gnutls_strerror (result));
2625 }
2626
2627 print_bag_data (bag);
2628
2629 gnutls_pkcs12_bag_deinit (bag);
2630 }
2631
2632 if (fail)
2633 error (EXIT_FAILURE, 0, "There were errors parsing the structure\n");
2634 }
2635
2636 void
2637 pkcs7_info (void)
2638 {
2639 gnutls_pkcs7_t pkcs7;
2640 int result;
2641 size_t size;
2642 gnutls_datum_t data, b64;
2643 int indx, count;
2644
2645 result = gnutls_pkcs7_init (&pkcs7);
2646 if (result < 0)
2647 error (EXIT_FAILURE, 0, "p7_init: %s", gnutls_strerror (result));
2648
2649 data.data = (void*)fread_file (infile, &size);
2650 data.size = size;
2651
2652 result = gnutls_pkcs7_import (pkcs7, &data, incert_format);
2653 free (data.data);
2654 if (result < 0)
2655 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (result));
2656
2657 /* Read and print the certificates.
2658 */
2659 result = gnutls_pkcs7_get_crt_count (pkcs7);
2660 if (result < 0)
2661 error (EXIT_FAILURE, 0, "p7_crt_count: %s", gnutls_strerror (result));
2662
2663 count = result;
2664
2665 if (count > 0)
2666 fprintf (outfile, "Number of certificates: %u\n", count);
2667
2668 for (indx = 0; indx < count; indx++)
2669 {
2670 fputs ("\n", outfile);
2671
2672 size = buffer_size;
2673 result = gnutls_pkcs7_get_crt_raw (pkcs7, indx, buffer, &size);
2674 if (result < 0)
2675 break;
2676
2677 data.data = buffer;
2678 data.size = size;
2679
2680 result = gnutls_pem_base64_encode_alloc ("CERTIFICATE", &data, &b64);
2681 if (result < 0)
2682 error (EXIT_FAILURE, 0, "encoding: %s", gnutls_strerror (result));
2683
2684 fputs ((void*)b64.data, outfile);
2685 gnutls_free (b64.data);
2686 }
2687
2688 /* Read the CRLs now.
2689 */
2690 result = gnutls_pkcs7_get_crl_count (pkcs7);
2691 if (result < 0)
2692 error (EXIT_FAILURE, 0, "p7_crl_count: %s", gnutls_strerror (result));
2693
2694 count = result;
2695
2696 if (count > 0)
2697 fprintf (outfile, "\nNumber of CRLs: %u\n", count);
2698
2699 for (indx = 0; indx < count; indx++)
2700 {
2701 fputs ("\n", outfile);
2702
2703 size = buffer_size;
2704 result = gnutls_pkcs7_get_crl_raw (pkcs7, indx, buffer, &size);
2705 if (result < 0)
2706 break;
2707
2708 data.data = buffer;
2709 data.size = size;
2710
2711 result = gnutls_pem_base64_encode_alloc ("X509 CRL", &data, &b64);
2712 if (result < 0)
2713 error (EXIT_FAILURE, 0, "encoding: %s", gnutls_strerror (result));
2714
2715 fputs ((void*)b64.data, outfile);
2716 gnutls_free (b64.data);
2717 }
2718 }
2719
2720 void
2721 smime_to_pkcs7 (void)
2722 {
2723 size_t linesize = 0;
2724 char *lineptr = NULL;
2725 ssize_t len;
2726
2727 /* Find body. FIXME: Handle non-b64 Content-Transfer-Encoding.
2728 Reject non-S/MIME tagged Content-Type's? */
2729 do
2730 {
2731 len = getline (&lineptr, &linesize, infile);
2732 if (len == -1)
2733 error (EXIT_FAILURE, 0, "cannot find RFC 2822 header/body separator");
2734 }
2735 while (strcmp (lineptr, "\r\n") != 0 && strcmp (lineptr, "\n") != 0);
2736
2737 do
2738 {
2739 len = getline (&lineptr, &linesize, infile);
2740 if (len == -1)
2741 error (EXIT_FAILURE, 0, "message has RFC 2822 header but no body");
2742 }
2743 while (strcmp (lineptr, "\r\n") == 0 && strcmp (lineptr, "\n") == 0);
2744
2745 fprintf (outfile, "%s", "-----BEGIN PKCS7-----\n");
2746
2747 do
2748 {
2749 while (len > 0
2750 && (lineptr[len - 1] == '\r' || lineptr[len - 1] == '\n'))
2751 lineptr[--len] = '\0';
2752 if (strcmp (lineptr, "") != 0)
2753 fprintf (outfile, "%s\n", lineptr);
2754 len = getline (&lineptr, &linesize, infile);
2755 }
2756 while (len != -1);
2757
2758 fprintf (outfile, "%s", "-----END PKCS7-----\n");
2759
2760 free (lineptr);
2761 }
2762
2763
2764 void
2765 pubkey_info (gnutls_x509_crt_t crt, common_info_st * cinfo)
2766 {
2767 gnutls_pubkey_t pubkey;
2768 int ret;
2769 size_t size;
2770
2771 ret = gnutls_pubkey_init (&pubkey);
2772 if (ret < 0)
2773 {
2774 error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
2775 }
2776
2777 if (crt == NULL)
2778 {
2779 crt = load_cert (0, cinfo);
2780 }
2781
2782 if (crt != NULL)
2783 {
2784 ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
2785 if (ret < 0)
2786 {
2787 error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
2788 gnutls_strerror (ret));
2789 }
2790 }
2791 else
2792 {
2793 pubkey = load_pubkey (1, cinfo);
2794 }
2795
2796 if (outcert_format == GNUTLS_X509_FMT_DER)
2797 {
2798 size = buffer_size;
2799 ret = gnutls_pubkey_export (pubkey, outcert_format, buffer, &size);
2800 if (ret < 0)
2801 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
2802
2803 fwrite (buffer, 1, size, outfile);
2804
2805 gnutls_pubkey_deinit (pubkey);
2806
2807 return;
2808 }
2809
2810 /* PEM */
2811
2812 _pubkey_info(outfile, pubkey);
2813 gnutls_pubkey_deinit (pubkey);
2814 }
Implementation of the SSL/TLS protocol