authorNikos Mavrogiannopoulos <nmav@gnutls.org>2016-07-14 09:43:28 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-07-14 10:43:05 +0200
commit5a2bb75ece9ae3303b074852cfb82881b3426243 (patch)
tree76c6bd239cd9ff50f4917c2145c369ff0b3c2c37
parent650230b4c7ab86a9d4f2f3c7bbe4e3a05fe031f6 (diff)
certtool: added the ability to encode arbitrary extensions
That is, it adds the ability to encode any specified extension data as an octet string.
-rw-r--r--src/Makefile.am25
-rw-r--r--src/certtool-args.def5
-rw-r--r--src/certtool-cfg.c75
3 files changed, 84 insertions, 21 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 6ae280936c..37a9bea71e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -144,6 +144,13 @@ noinst_LTLIBRARIES += libcmd-cli-debug.la
libcmd_cli_debug_la_SOURCES = cli-debug-args.def cli-debug-args.c cli-debug-args.h
#certtool
+COMMON_LIBS = $(LIBOPTS) $(LTLIBINTL)
+if ENABLE_MINITASN1
+COMMON_LIBS += ../lib/minitasn1/libminitasn1.la ../gl/libgnu.la
+else
+COMMON_LIBS += $(LIBTASN1_LIBS)
+endif
+
certtool_SOURCES = certtool.c certtool-common.c certtool-extras.c common.c
certtool_LDADD = ../lib/libgnutls.la
@@ -153,10 +160,11 @@ noinst_LTLIBRARIES += libcmd-certtool.la
libcmd_certtool_la_SOURCES = certtool-args.c certtool-args.def certtool-args.h \
certtool-cfg.h certtool-cfg.c
libcmd_certtool_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
-libcmd_certtool_la_LIBADD += $(LIBOPTS) $(LTLIBINTL)
+libcmd_certtool_la_LIBADD += $(COMMON_LIBS)
libcmd_certtool_la_LIBADD += $(LTLIBREADLINE) gl/libgnu_gpl.la
libcmd_certtool_la_LIBADD += $(INET_PTON_LIB) $(LIB_CLOCK_GETTIME)
+
danetool_SOURCES = danetool.c certtool-common.c certtool-extras.c common.c socket.c
danetool_LDADD = ../lib/libgnutls.la $(LIBIDN_LIBS)
danetool_LDADD += libcmd-danetool.la ../gl/libgnu.la gl/libgnu_gpl.la
@@ -168,8 +176,7 @@ noinst_LTLIBRARIES += libcmd-danetool.la
libcmd_danetool_la_SOURCES = danetool-args.c danetool-args.def danetool-args.h \
certtool-cfg.h certtool-cfg.c
libcmd_danetool_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
-libcmd_danetool_la_LIBADD += $(LIBOPTS)
-libcmd_danetool_la_LIBADD += $(LTLIBINTL)
+libcmd_danetool_la_LIBADD += $(COMMON_LIBS)
libcmd_danetool_la_LIBADD += $(LTLIBREADLINE)
libcmd_danetool_la_LIBADD += $(INET_PTON_LIB) $(LIB_CLOCK_GETTIME)
@@ -179,8 +186,8 @@ if ENABLE_PKCS11
p11tool_SOURCES = p11tool-args.def p11tool.c pkcs11.c certtool-common.c \
certtool-extras.c p11tool.h common.c
p11tool_LDADD = ../lib/libgnutls.la
-p11tool_LDADD += libcmd-p11tool.la $(LIBOPTS) ../gl/libgnu.la gl/libgnu_gpl.la
-p11tool_LDADD += $(LTLIBINTL)
+p11tool_LDADD += libcmd-p11tool.la ../gl/libgnu.la gl/libgnu_gpl.la
+p11tool_LDADD += $(COMMON_LIBS)
noinst_LTLIBRARIES += libcmd-p11tool.la
libcmd_p11tool_la_SOURCES = p11tool-args.def p11tool-args.c p11tool-args.h \
@@ -194,8 +201,8 @@ if ENABLE_TROUSERS
tpmtool_SOURCES = tpmtool-args.def tpmtool.c certtool-common.c certtool-extras.c common.c
tpmtool_LDADD = ../lib/libgnutls.la
-tpmtool_LDADD += libcmd-tpmtool.la $(LIBOPTS) ../gl/libgnu.la gl/libgnu_gpl.la
-tpmtool_LDADD += $(LTLIBINTL)
+tpmtool_LDADD += libcmd-tpmtool.la ../gl/libgnu.la gl/libgnu_gpl.la
+tpmtool_LDADD += $(COMMON_LIBS)
noinst_LTLIBRARIES += libcmd-tpmtool.la
libcmd_tpmtool_la_SOURCES = tpmtool-args.def tpmtool-args.c tpmtool-args.h \
@@ -207,8 +214,8 @@ endif # ENABLE_TROUSERS
systemkey_SOURCES = systemkey.c certtool-common.c common.c
systemkey_LDADD = ../lib/libgnutls.la
-systemkey_LDADD += libcmd-systemkey.la $(LIBOPTS) ../gl/libgnu.la gl/libgnu_gpl.la
-systemkey_LDADD += $(LTLIBINTL)
+systemkey_LDADD += libcmd-systemkey.la ../gl/libgnu.la gl/libgnu_gpl.la
+systemkey_LDADD += $(COMMON_LIBS)
noinst_LTLIBRARIES += libcmd-systemkey.la
libcmd_systemkey_la_SOURCES = systemkey-args.def systemkey-args.c systemkey-args.h \
diff --git a/src/certtool-args.def b/src/certtool-args.def
index e0325b00f2..29835f8fe4 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -905,9 +905,12 @@ encryption_key
### Adding arbitrary extensions
# This requires to provide the extension OIDs, as well as the extension data in
-# hex format.
+# hex format. The following two options are available since GnuTLS 3.5.3.
#add_extension = "1.2.3.4 0x0AAB01ACFE"
+# As above but encode the data as an octet string
+#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
+
# For portability critical extensions shouldn't be set to certificates.
#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index bd9ff4336b..3162a87b30 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -38,6 +38,7 @@
#include <autoopts/options.h>
#include <intprops.h>
#include <gnutls/crypto.h>
+#include <libtasn1.h>
/* for inet_pton */
#include <sys/types.h>
@@ -1229,12 +1230,72 @@ void get_oid_crt_set(gnutls_x509_crt_t crt)
}
}
+#define ACTION_NONE 0
+#define ENCODE_OCTET_STRING 1
+static unsigned char *decode_ext_string(char *str, unsigned int *ret_size)
+{
+ char *p, *p2;
+ unsigned char *tmp;
+ unsigned char *raw;
+ unsigned int raw_size;
+ unsigned action = ACTION_NONE;
+ unsigned char tag[ASN1_MAX_TL_SIZE];
+ unsigned int tag_len;
+ int ret, res;
+
+ p = strchr(str, '(');
+ if (p != 0) {
+ if (strncmp(str, "octet_string", 12) == 0) {
+ action = ENCODE_OCTET_STRING;
+ } else {
+ fprintf(stderr, "cannot parse: %s\n", str);
+ exit(1);
+ }
+ p++;
+ p2 = strchr(p, ')');
+ if (p2 == NULL) {
+ fprintf(stderr, "there is no terminating parenthesis in: %s\n", str);
+ exit(1);
+ }
+ *p2 = 0;
+ } else {
+ p = str;
+ }
+
+ if (strncmp(p, "0x", 2) == 0)
+ p+=2;
+ HEX_DECODE(p, raw, raw_size);
+
+ switch(action) {
+ case ENCODE_OCTET_STRING:
+ tag_len = sizeof(tag);
+ res = asn1_encode_simple_der(ASN1_ETYPE_OCTET_STRING, raw, raw_size, tag, &tag_len);
+ if (res != ASN1_SUCCESS) {
+ fprintf(stderr, "error in DER encoding: %s\n", asn1_strerror(res));
+ exit(1);
+ }
+ tmp = gnutls_malloc(raw_size+tag_len);
+ if (tmp == NULL) {
+ fprintf(stderr, "error in allocation\n");
+ exit(1);
+ }
+ memcpy(tmp, tag, tag_len);
+ memcpy(tmp+tag_len, raw, raw_size);
+ gnutls_free(raw);
+ raw = tmp;
+ raw_size += tag_len;
+ break;
+ }
+
+ *ret_size = raw_size;
+ return raw;
+}
+
void get_extensions_crt_set(int type, void *crt)
{
int ret, i;
unsigned char *raw = NULL;
unsigned raw_size;
- char *p;
if (batch) {
if (!cfg.extensions)
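Review bot: In decode_ext_string, `ret` in `int ret, res;` is declared but never used, and `switch(action)` has no default arm, so the ACTION_NONE path leaves the switch silently; change the declaration to `int res;` and add `default: break;` after the ENCODE_OCTET_STRING case. The parser also modifies its input: `*p2 = 0;` overwrites the `)` in the caller's cfg string, the `strncmp(str, "octet_string", 12)` check does not require the `(` to follow the keyword directly, and any text after the `)` is ignored rather than rejected. A header comment should state the accepted forms and the ownership contract, e.g. `/* Decodes "HEX", "0xHEX" or "octet_string(0xHEX)" into a buffer released with gnutls_free(), wrapping the bytes in a DER OCTET STRING for the last form; modifies str in place and exit()s on any parse or encoding error. */`. HEX_DECODE is defined outside this hunk, so its handling of an empty or malformed hex string (for instance `octet_string()`) cannot be confirmed here.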
@@ -1248,11 +1309,7 @@ void get_extensions_crt_set(int type, void *crt)
}
/* convert hex to bin */
- if (strncmp(cfg.extensions[i+1], "0x", 2) == 0)
- p = cfg.extensions[i+1]+2;
- else
- p = cfg.extensions[i+1];
- HEX_DECODE(p, raw, raw_size);
+ raw = decode_ext_string(cfg.extensions[i+1], &raw_size);
if (type == TYPE_CRT)
ret =
@@ -1283,11 +1340,7 @@ void get_extensions_crt_set(int type, void *crt)
exit(1);
}
/* convert hex to bin */
- if (strncmp(cfg.crit_extensions[i+1], "0x", 2) == 0)
- p = cfg.crit_extensions[i+1]+2;
- else
- p = cfg.crit_extensions[i+1];
- HEX_DECODE(p, raw, raw_size);
+ raw = decode_ext_string(cfg.crit_extensions[i+1], &raw_size);
if (type == TYPE_CRT)
ret =