authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-12 09:24:54 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-12 09:28:27 +0200
commit6e3eb1752a8928b54269c387f0deebc52bd396ea (patch)
treee68ac5426820385d57b48df70e301ca7b67b1b61
parent730868e3af71e691aa9b26467e72977f0d69c66f (diff)
downloadgnutls-6e3eb1752a8928b54269c387f0deebc52bd396ea.tar.gz
Separated DANE functionality from certtool and added danetool.
-rw-r--r--.gitignore2
-rw-r--r--NEWS2
-rw-r--r--doc/Makefile.am11
-rw-r--r--doc/cha-cert-auth.texi2
-rw-r--r--doc/cha-cert-auth2.texi2
-rw-r--r--doc/invoke-certtool.texi88
-rw-r--r--doc/invoke-danetool.texi224
-rw-r--r--src/Makefile.am22
-rw-r--r--src/certtool-args.c226
-rw-r--r--src/certtool-args.def76
-rw-r--r--src/certtool-args.h26
-rw-r--r--src/certtool.c115
-rw-r--r--src/danetool-args.c920
-rw-r--r--src/danetool-args.def150
-rw-r--r--src/danetool-args.h219
-rw-r--r--src/danetool.c288
16 files changed, 1877 insertions, 496 deletions
diff --git a/.gitignore b/.gitignore
index 3d9f114098..743a7f9019 100644
--- a/.gitignore
+++ b/.gitignore
@@ -598,3 +598,5 @@ tests/mini-x509-callbacks
doc/manpages/stamp_mans
libdane/libgnutls-dane.la
doc/latex/dane-api.tex
+src/libcmd-danetool.la
+src/danetool
diff --git a/NEWS b/NEWS
index bee8f68f0c..fe4326ac28 100644
--- a/NEWS
+++ b/NEWS
@@ -36,7 +36,7 @@ certificate verification.
** gnutls-cli: Added --dane option to enable DANE certificate verification.
-** certtool: The --dane-tlsa-rr option generates DANE TLSA Resource Records (RR).
+** danetool: Added tool to generate DANE TLSA Resource Records (RR).
** API and ABI modifications:
gnutls_certificate_get_peers_subkey_id: Added
diff --git a/doc/Makefile.am b/doc/Makefile.am
index ac4ee64a8d..c9d84ee719 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -33,6 +33,7 @@ SRC_DEF_CLI_DEBUG =
SRC_DEF_SERV =
SRC_DEF_CERTTOOL =
SRC_DEF_OCSPTOOL =
+SRC_DEF_DANETOOL =
SRC_DEF_SRPTOOL =
SRC_DEF_PSKTOOL =
SRC_DEF_P11TOOL =
@@ -43,6 +44,7 @@ SRC_DEF_CLI_DEBUG += ../src/cli-debug-args.def
SRC_DEF_SERV += ../src/serv-args.def
SRC_DEF_CERTTOOL += ../src/certtool-args.def
SRC_DEF_OCSPTOOL += ../src/ocsptool-args.def
+SRC_DEF_DANETOOL += ../src/danetool-args.def
SRC_DEF_SRPTOOL += ../src/srptool-args.def
SRC_DEF_PSKTOOL += ../src/psk-args.def
SRC_DEF_P11TOOL += ../src/p11tool-args.def
@@ -84,6 +86,13 @@ invoke-ocsptool.texi: $(SRC_DEF_OCSPTOOL)
mv -f ../doc/$@.tmp ../doc/$@ && \
rm -f ../src/$@
+invoke-danetool.texi: $(SRC_DEF_DANETOOL)
+ @-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
+ rm -f ../doc/$@ && \
+ ../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
+ mv -f ../doc/$@.tmp ../doc/$@ && \
+ rm -f ../src/$@
+
invoke-srptool.texi: $(SRC_DEF_SRPTOOL)
@-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
rm -f ../doc/$@ && \
@@ -133,7 +142,7 @@ gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \
gnutls_TEXINFOS += invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \
invoke-gnutls-serv.texi invoke-certtool.texi invoke-srptool.texi \
invoke-ocsptool.texi invoke-psktool.texi invoke-p11tool.texi \
- invoke-tpmtool.texi
+ invoke-tpmtool.texi invoke-danetool.texi
gnutls_TEXINFOS += stamp_functions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 10f0ef91fb..7e62365dc4 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -516,7 +516,7 @@ indicate the status of the verification.
@showenumdesc{dane_verify_status_t,The DANE verification status flags.}
In order to generate a DANE TLSA entry to use in a DNS server
-you may use certtool's DANE commands (see @ref{certtool Invocation}).
+you may use danetool (see @ref{danetool Invocation}).
@node Digital signatures
@section Digital signatures
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index a89b2ed08d..fe10087c2a 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -14,6 +14,7 @@ structures, etc., are discussed in this chapter.
* Managing encrypted keys::
* certtool Invocation:: Invoking certtool
* ocsptool Invocation:: Invoking ocsptool
+* danetool Invocation:: Invoking danetool
@end menu
@node PKCS 10 certificate requests
@@ -379,3 +380,4 @@ Generic and higher level private key import functions are also available.
@include invoke-ocsptool.texi
+@include invoke-danetool.texi
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 8228754c25..56dfb14557 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -1,13 +1,13 @@
@node certtool Invocation
@section Invoking certtool
@pindex certtool
-@cindex GnuTLS PKCS #11 tool
+@cindex GnuTLS certificate tool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed October 9, 2012 at 10:59:40 PM by AutoGen 5.16
+# It has been AutoGen-ed October 12, 2012 at 09:21:29 AM by AutoGen 5.16
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -36,7 +36,7 @@ with a status code of 0.
@exampleindent 0
@example
-certtool - GnuTLS PKCS #11 tool - Ver. @@VERSION@@
+certtool - GnuTLS certificate tool - Ver. @@VERSION@@
USAGE: certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-d, --debug=num Enable debugging.
@@ -108,16 +108,6 @@ USAGE: certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
--template=file Template file to use for non-interactive operation
- file must pre-exist
--pkcs-cipher=str Cipher to use for PKCS #8 and #12 operations
- --dane-tlsa-rr Print the DANE RR data on a certificate or public key
- - requires these options:
- dane-host
- --dane-host=str Specify the hostname to be used in the DANE RR
- --dane-proto=str The protocol set for DANE data (tcp, udp etc.)
- --dane-port=num Specify the port number for the DANE data.
- --dane-ca Whether the provided certificate or public key is a Certificate
-authority.
- --dane-x509 Use the hash of the X.509 certificate, rather than the public key.
- --dane-local The provided certificate or public key is a local entity.
-v, --version[=arg] Output version information and exit
-h, --help Display extended usage information and exit
-!, --more-help Extended usage information passed thru pager
@@ -290,53 +280,6 @@ This is alternative to the bits option.
This is the ``cipher to use for pkcs #8 and #12 operations'' option.
This option takes an argument string @file{Cipher}.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
-@anchor{certtool dane-tlsa-rr}
-@subheading dane-tlsa-rr option
-@cindex certtool-dane-tlsa-rr
-
-This is the ``print the dane rr data on a certificate or public key'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-dane-host.
-@end itemize
-
-This command prints the DANE RR data needed to enable DANE on a DNS server.
-@anchor{certtool dane-host}
-@subheading dane-host option
-@cindex certtool-dane-host
-
-This is the ``specify the hostname to be used in the dane rr'' option.
-This option takes an argument string @file{Hostname}.
-This command sets the hostname for the DANE RR.
-@anchor{certtool dane-proto}
-@subheading dane-proto option
-@cindex certtool-dane-proto
-
-This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
-This option takes an argument string @file{Protocol}.
-This command specifies the protocol for the service set in the DANE data.
-@anchor{certtool dane-ca}
-@subheading dane-ca option
-@cindex certtool-dane-ca
-
-This is the ``whether the provided certificate or public key is a certificate authority.'' option.
-Marks the DANE RR as a CA certificate if specified.
-@anchor{certtool dane-x509}
-@subheading dane-x509 option
-@cindex certtool-dane-x509
-
-This is the ``use the hash of the x.509 certificate, rather than the public key.'' option.
-This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
-@anchor{certtool dane-local}
-@subheading dane-local option
-@cindex certtool-dane-local
-
-This is the ``the provided certificate or public key is a local entity.'' option.
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
@anchor{certtool exit status}
@subheading certtool exit status
@@ -470,31 +413,6 @@ To verify a Certificate Revocation List (CRL) do:
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
-@subheading DANE TLSA RR generation
-
-
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
-@example
-$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate cert.pem
-@end example
-
-For a self signed certificate use:
-@example
-$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate cert.pem \
- --dane-local
-@end example
-
-The latter is useful to add in your DNS entry even if your certificate is signed
-by a CA. That way even users who do not trust your CA will be able to verify your
-certificate using DANE.
-
-In order to create a record for the signer of your certificate use:
-@example
-$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate cert.pem \
- --dane-ca
-@end example
-
@anchor{certtool Files}
@subheading certtool Files
@subheading Certtool's template file format
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
new file mode 100644
index 0000000000..63b90cea24
--- /dev/null
+++ b/doc/invoke-danetool.texi
@@ -0,0 +1,224 @@
+@node danetool Invocation
+@section Invoking danetool
+@pindex danetool
+@cindex GnuTLS DANE tool
+@ignore
+# -*- buffer-read-only: t -*- vi: set ro:
+#
+# DO NOT EDIT THIS FILE (invoke-danetool.texi)
+#
+# It has been AutoGen-ed October 12, 2012 at 09:27:38 AM by AutoGen 5.16
+# From the definitions ../src/danetool-args.def
+# and the template file agtexi-cmd.tpl
+@end ignore
+
+
+Tool generate DNS resource records for the DANE protocol.
+
+This section was generated by @strong{AutoGen},
+using the @code{agtexi-cmd} template and the option descriptions for the @code{danetool} program.
+This software is released under the GNU General Public License, version 3 or later.
+
+
+@anchor{danetool usage}
+@subheading danetool help/usage (-h)
+@cindex danetool help
+
+This is the automatically generated usage text for danetool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function. The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}. Both will exit
+with a status code of 0.
+
+@exampleindent 0
+@example
+danetool - GnuTLS DANE tool - Ver. @@VERSION@@
+USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
+
+ -d, --debug=num Enable debugging.
+ - It must be in the range:
+ 0 to 9999
+ -V, --verbose More verbose output
+ - may appear multiple times
+ --infile=file Input file
+ - file must pre-exist
+ --outfile=str Output file
+ --load-pubkey=str Loads a public key file
+ --load-certificate=str Loads a certificate file
+ --hash=str Hash algorithm to use for signing.
+ --inder Use DER format for input certificates and private keys.
+ - disabled as --no-inder
+ --inraw This is an alias for 'inder'
+ --outder Use DER format for output certificates and private keys
+ - disabled as --no-outder
+ --outraw This is an alias for 'outder'
+ --tlsa-rr Print the DANE RR data on a certificate or public key
+ - requires these options:
+ host
+ --host=str Specify the hostname to be used in the DANE RR
+ --proto=str The protocol set for DANE data (tcp, udp etc.)
+ --port=num Specify the port number for the DANE data.
+ --ca Whether the provided certificate or public key is a Certificate
+authority.
+ --x509 Use the hash of the X.509 certificate, rather than the public key.
+ --local The provided certificate or public key is a local entity.
+ -v, --version[=arg] Output version information and exit
+ -h, --help Display extended usage information and exit
+ -!, --more-help Extended usage information passed thru pager
+
+Options are specified by doubled hyphens and their name or by a single
+hyphen and the flag character.
+
+
+
+Tool generate DNS resource records for the DANE protocol.
+
+please send bug reports to: bug-gnutls@@gnu.org
+@end example
+@exampleindent 4
+
+@anchor{danetool debug}
+@subheading debug option (-d)
+@cindex danetool-debug
+
+This is the ``enable debugging.'' option.
+This option takes an argument number.
+Specifies the debug level.
+@anchor{danetool load-pubkey}
+@subheading load-pubkey option
+@cindex danetool-load-pubkey
+
+This is the ``loads a public key file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{danetool load-certificate}
+@subheading load-certificate option
+@cindex danetool-load-certificate
+
+This is the ``loads a certificate file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{danetool hash}
+@subheading hash option
+@cindex danetool-hash
+
+This is the ``hash algorithm to use for signing.'' option.
+This option takes an argument string.
+Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
+@anchor{danetool inder}
+@subheading inder option
+@cindex danetool-inder
+
+This is the ``use der format for input certificates and private keys.'' option.
+The input files will be assumed to be in DER or RAW format.
+Unlike options that in PEM input would allow multiple input data (e.g. multiple
+certificates), when reading in DER format a single data structure is read.
+@anchor{danetool inraw}
+@subheading inraw option
+@cindex danetool-inraw
+
+This is an alias for the inder option,
+@pxref{danetool inder, the inder option documentation}.
+
+@anchor{danetool outder}
+@subheading outder option
+@cindex danetool-outder
+
+This is the ``use der format for output certificates and private keys'' option.
+The output will be in DER or RAW format.
+@anchor{danetool outraw}
+@subheading outraw option
+@cindex danetool-outraw
+
+This is an alias for the outder option,
+@pxref{danetool outder, the outder option documentation}.
+
+@anchor{danetool tlsa-rr}
+@subheading tlsa-rr option
+@cindex danetool-tlsa-rr
+
+This is the ``print the dane rr data on a certificate or public key'' option.
+
+@noindent
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+host.
+@end itemize
+
+This command prints the DANE RR data needed to enable DANE on a DNS server.
+@anchor{danetool host}
+@subheading host option
+@cindex danetool-host
+
+This is the ``specify the hostname to be used in the dane rr'' option.
+This option takes an argument string @file{Hostname}.
+This command sets the hostname for the DANE RR.
+@anchor{danetool proto}
+@subheading proto option
+@cindex danetool-proto
+
+This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
+This option takes an argument string @file{Protocol}.
+This command specifies the protocol for the service set in the DANE data.
+@anchor{danetool ca}
+@subheading ca option
+@cindex danetool-ca
+
+This is the ``whether the provided certificate or public key is a certificate authority.'' option.
+Marks the DANE RR as a CA certificate if specified.
+@anchor{danetool x509}
+@subheading x509 option
+@cindex danetool-x509
+
+This is the ``use the hash of the x.509 certificate, rather than the public key.'' option.
+This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
+@anchor{danetool local}
+@subheading local option
+@cindex danetool-local
+
+This is the ``the provided certificate or public key is a local entity.'' option.
+DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
+@anchor{danetool exit status}
+@subheading danetool exit status
+
+One of the following exit values will be returned:
+@table @samp
+@item 0 (EXIT_SUCCESS)
+Successful program execution.
+@item 1 (EXIT_FAILURE)
+The operation failed or the command syntax was not valid.
+@end table
+@anchor{danetool See Also}
+@subheading danetool See Also
+ p11tool (1)
+
+@anchor{danetool Examples}
+@subheading danetool Examples
+@subheading DANE TLSA RR generation
+
+To create a DANE TLSA resource record for a CA signed certificate use the following commands.
+
+@example
+$ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem
+@end example
+
+For a self signed certificate use:
+@example
+$ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+ --local
+@end example
+
+The latter is useful to add in your DNS entry even if your certificate is signed
+by a CA. That way even users who do not trust your CA will be able to verify your
+certificate using DANE.
+
+In order to create a record for the signer of your certificate use:
+@example
+$ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+ --ca
+@end example
+
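Review bot: The three example commands at the end of this new section invoke `certtool --tlsa-rr ...`, but `--tlsa-rr`, `--host`, `--local` and `--ca` are danetool options and certtool has no DANE flags left after this commit, so the examples fail as written; each should read `$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem` (with `--local` or `--ca` appended for the second and third). This file is AutoGen output, so the fix belongs in the examples section of src/danetool-args.def, which is not in view here. The `--hash` option text is also carried over from certtool ("Hash algorithm to use for signing", listing SHA1 and RMD160), whereas RFC 6698 defines only SHA-256 and SHA-512 as TLSA matching types; if danetool uses this option to choose the record's digest, the description should say so and the list should be limited to those two, and if it is unused the option should be dropped rather than advertised.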
diff --git a/src/Makefile.am b/src/Makefile.am
index 4796c70c21..5d5f4e6d85 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -46,6 +46,9 @@ endif
if ENABLE_OCSP
bin_PROGRAMS += ocsptool
endif
+if ENABLE_DANE
+bin_PROGRAMS += danetool
+endif
if ENABLE_TROUSERS
bin_PROGRAMS += tpmtool
@@ -138,6 +141,23 @@ libcmd_certtool_la_LIBADD += $(LIBOPTS_LDADD) $(LTLIBINTL)
libcmd_certtool_la_LIBADD += $(LTLIBREADLINE)
libcmd_certtool_la_LIBADD += $(INET_PTON_LIB)
+if ENABLE_DANE
+
+danetool_SOURCES = danetool.c certtool-common.c certtool-extras.c common.c
+danetool_LDADD = ../lib/libgnutls.la
+danetool_LDADD += libcmd-danetool.la ../gl/libgnu.la
+
+noinst_LTLIBRARIES += libcmd-danetool.la
+libcmd_danetool_la_CFLAGS =
+libcmd_danetool_la_SOURCES = danetool-args.c danetool-args.def danetool-args.h \
+ certtool-cfg.h certtool-cfg.c
+libcmd_danetool_la_LIBADD = ../gl/libgnu.la ../lib/libgnutls.la
+libcmd_danetool_la_LIBADD += $(LIBOPTS_LDADD) $(LTLIBINTL)
+libcmd_danetool_la_LIBADD += $(LTLIBREADLINE)
+libcmd_danetool_la_LIBADD += $(INET_PTON_LIB)
+
+endif #ENABLE_DANE
+
# p11 tool
if ENABLE_PKCS11
@@ -175,6 +195,8 @@ endif # ENABLE_TROUSERS
BUILT_SOURCES = ocsptool-args.c p11tool-args.c psk-args.c cli-debug-args.c \
cli-args.c serv-args.c srptool-args.c certtool-args.c
+danetool-args.c: $(srcdir)/args-std.def $(srcdir)/danetool-args.def
+ -autogen danetool-args.def
ocsptool-args.c: $(srcdir)/args-std.def $(srcdir)/ocsptool-args.def
-autogen ocsptool-args.def
tpmtool-args.c: $(srcdir)/args-std.def $(srcdir)/tpmtool-args.def
diff --git a/src/certtool-args.c b/src/certtool-args.c
index 8d751229d8..b71148b1a0 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.c)
*
- * It has been AutoGen-ed October 9, 2012 at 10:58:10 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 12, 2012 at 09:17:49 AM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* certtool option static const strings
*/
-static char const certtool_opt_strs[5231] =
+static char const certtool_opt_strs[4697] =
/* 0 */ "certtool @VERSION@\n"
"Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -248,45 +248,23 @@ static char const certtool_opt_strs[5231] =
/* 4080 */ "Cipher to use for PKCS #8 and #12 operations\0"
/* 4125 */ "PKCS_CIPHER\0"
/* 4137 */ "pkcs-cipher\0"
-/* 4149 */ "Print the DANE RR data on a certificate or public key\0"
-/* 4203 */ "DANE_TLSA_RR\0"
-/* 4216 */ "dane-tlsa-rr\0"
-/* 4229 */ "Specify the hostname to be used in the DANE RR\0"
-/* 4276 */ "DANE_HOST\0"
-/* 4286 */ "dane-host\0"
-/* 4296 */ "The protocol set for DANE data (tcp, udp etc.)\0"
-/* 4343 */ "DANE_PROTO\0"
-/* 4354 */ "dane-proto\0"
-/* 4365 */ "Specify the port number for the DANE data.\0"
-/* 4408 */ "DANE_PORT\0"
-/* 4418 */ "dane-port\0"
-/* 4428 */ "Whether the provided certificate or public key is a Certificate\n"
- "authority.\0"
-/* 4503 */ "DANE_CA\0"
-/* 4511 */ "dane-ca\0"
-/* 4519 */ "Use the hash of the X.509 certificate, rather than the public key.\0"
-/* 4586 */ "DANE_X509\0"
-/* 4596 */ "dane-x509\0"
-/* 4606 */ "The provided certificate or public key is a local entity.\0"
-/* 4664 */ "DANE_LOCAL\0"
-/* 4675 */ "dane-local\0"
-/* 4686 */ "Display extended usage information and exit\0"
-/* 4730 */ "help\0"
-/* 4735 */ "Extended usage information passed thru pager\0"
-/* 4780 */ "more-help\0"
-/* 4790 */ "Output version information and exit\0"
-/* 4826 */ "version\0"
-/* 4834 */ "CERTTOOL\0"
-/* 4843 */ "certtool - GnuTLS PKCS #11 tool - Ver. @VERSION@\n"
+/* 4149 */ "Display extended usage information and exit\0"
+/* 4193 */ "help\0"
+/* 4198 */ "Extended usage information passed thru pager\0"
+/* 4243 */ "more-help\0"
+/* 4253 */ "Output version information and exit\0"
+/* 4289 */ "version\0"
+/* 4297 */ "CERTTOOL\0"
+/* 4306 */ "certtool - GnuTLS certificate tool - Ver. @VERSION@\n"
"USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 4950 */ "bug-gnutls@gnu.org\0"
-/* 4969 */ "\n\n\0"
-/* 4972 */ "\n"
+/* 4416 */ "bug-gnutls@gnu.org\0"
+/* 4435 */ "\n\n\0"
+/* 4438 */ "\n"
"Tool to parse and generate X.509 certificates, requests and private keys.\n"
"It can be used interactively or non interactively by specifying the\n"
"template command line option.\n\0"
-/* 5146 */ "certtool @VERSION@\0"
-/* 5165 */ "certtool [options] [url]\n"
+/* 4612 */ "certtool @VERSION@\0"
+/* 4631 */ "certtool [options] [url]\n"
"certtool --help for usage instructions.\n";
/*
@@ -758,75 +736,13 @@ static int const aTo_P12MustList[] = {
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
- * dane-tlsa-rr option description with
- * "Must also have options" and "Incompatible options":
- */
-#define DANE_TLSA_RR_DESC (certtool_opt_strs+4149)
-#define DANE_TLSA_RR_NAME (certtool_opt_strs+4203)
-#define DANE_TLSA_RR_name (certtool_opt_strs+4216)
-static int const aDane_Tlsa_RrMustList[] = {
- INDEX_OPT_DANE_HOST, NO_EQUIVALENT };
-#define DANE_TLSA_RR_FLAGS (OPTST_DISABLED)
-
-/*
- * dane-host option description:
- */
-#define DANE_HOST_DESC (certtool_opt_strs+4229)
-#define DANE_HOST_NAME (certtool_opt_strs+4276)
-#define DANE_HOST_name (certtool_opt_strs+4286)
-#define DANE_HOST_FLAGS (OPTST_DISABLED \
- | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
-
-/*
- * dane-proto option description:
- */
-#define DANE_PROTO_DESC (certtool_opt_strs+4296)
-#define DANE_PROTO_NAME (certtool_opt_strs+4343)
-#define DANE_PROTO_name (certtool_opt_strs+4354)
-#define DANE_PROTO_FLAGS (OPTST_DISABLED \
- | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
-
-/*
- * dane-port option description:
- */
-#define DANE_PORT_DESC (certtool_opt_strs+4365)
-#define DANE_PORT_NAME (certtool_opt_strs+4408)
-#define DANE_PORT_name (certtool_opt_strs+4418)
-#define DANE_PORT_FLAGS (OPTST_DISABLED \
- | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
-
-/*
- * dane-ca option description:
- */
-#define DANE_CA_DESC (certtool_opt_strs+4428)
-#define DANE_CA_NAME (certtool_opt_strs+4503)
-#define DANE_CA_name (certtool_opt_strs+4511)
-#define DANE_CA_FLAGS (OPTST_DISABLED)
-
-/*
- * dane-x509 option description:
- */
-#define DANE_X509_DESC (certtool_opt_strs+4519)
-#define DANE_X509_NAME (certtool_opt_strs+4586)
-#define DANE_X509_name (certtool_opt_strs+4596)
-#define DANE_X509_FLAGS (OPTST_DISABLED)
-
-/*
- * dane-local option description:
- */
-#define DANE_LOCAL_DESC (certtool_opt_strs+4606)
-#define DANE_LOCAL_NAME (certtool_opt_strs+4664)
-#define DANE_LOCAL_name (certtool_opt_strs+4675)
-#define DANE_LOCAL_FLAGS (OPTST_DISABLED)
-
-/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (certtool_opt_strs+4686)
-#define HELP_name (certtool_opt_strs+4730)
+#define HELP_DESC (certtool_opt_strs+4149)
+#define HELP_name (certtool_opt_strs+4193)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (certtool_opt_strs+4735)
-#define MORE_HELP_name (certtool_opt_strs+4780)
+#define MORE_HELP_DESC (certtool_opt_strs+4198)
+#define MORE_HELP_name (certtool_opt_strs+4243)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC NULL
@@ -839,8 +755,8 @@ static int const aDane_Tlsa_RrMustList[] = {
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (certtool_opt_strs+4790)
-#define VER_name (certtool_opt_strs+4826)
+#define VER_DESC (certtool_opt_strs+4253)
+#define VER_name (certtool_opt_strs+4289)
/*
* Declare option callback procedures
*/
@@ -1522,90 +1438,6 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PKCS_CIPHER_DESC, PKCS_CIPHER_NAME, PKCS_CIPHER_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 55, VALUE_OPT_DANE_TLSA_RR,
- /* equiv idx, value */ 55, VALUE_OPT_DANE_TLSA_RR,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_TLSA_RR_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-tlsa-rr */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ aDane_Tlsa_RrMustList, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ DANE_TLSA_RR_DESC, DANE_TLSA_RR_NAME, DANE_TLSA_RR_name,
- /* disablement strs */ NULL, NULL },
-
- { /* entry idx, value */ 56, VALUE_OPT_DANE_HOST,
- /* equiv idx, value */ 56, VALUE_OPT_DANE_HOST,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_HOST_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-host */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ DANE_HOST_DESC, DANE_HOST_NAME, DANE_HOST_name,
- /* disablement strs */ NULL, NULL },
-
- { /* entry idx, value */ 57, VALUE_OPT_DANE_PROTO,
- /* equiv idx, value */ 57, VALUE_OPT_DANE_PROTO,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_PROTO_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-proto */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ DANE_PROTO_DESC, DANE_PROTO_NAME, DANE_PROTO_name,
- /* disablement strs */ NULL, NULL },
-
- { /* entry idx, value */ 58, VALUE_OPT_DANE_PORT,
- /* equiv idx, value */ 58, VALUE_OPT_DANE_PORT,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_PORT_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-port */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ NULL, NULL,
- /* option proc */ optionNumericVal,
- /* desc, NAME, name */ DANE_PORT_DESC, DANE_PORT_NAME, DANE_PORT_name,
- /* disablement strs */ NULL, NULL },
-
- { /* entry idx, value */ 59, VALUE_OPT_DANE_CA,
- /* equiv idx, value */ 59, VALUE_OPT_DANE_CA,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_CA_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-ca */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ DANE_CA_DESC, DANE_CA_NAME, DANE_CA_name,
- /* disablement strs */ NULL, NULL },
-
- { /* entry idx, value */ 60, VALUE_OPT_DANE_X509,
- /* equiv idx, value */ 60, VALUE_OPT_DANE_X509,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_X509_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-x509 */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ DANE_X509_DESC, DANE_X509_NAME, DANE_X509_name,
- /* disablement strs */ NULL, NULL },
-
- { /* entry idx, value */ 61, VALUE_OPT_DANE_LOCAL,
- /* equiv idx, value */ 61, VALUE_OPT_DANE_LOCAL,
- /* equivalenced to */ NO_EQUIVALENT,
- /* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ DANE_LOCAL_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --dane-local */
- /* arg list/cookie */ NULL,
- /* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ DANE_LOCAL_DESC, DANE_LOCAL_NAME, DANE_LOCAL_name,
- /* disablement strs */ NULL, NULL },
-
{ /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
/* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_VERSION,
/* equivalenced to */ NO_EQUIVALENT,
@@ -1650,14 +1482,14 @@ static tOptDesc optDesc[OPTION_CT] = {
*
* Define the certtool Option Environment
*/
-#define zPROGNAME (certtool_opt_strs+4834)
-#define zUsageTitle (certtool_opt_strs+4843)
+#define zPROGNAME (certtool_opt_strs+4297)
+#define zUsageTitle (certtool_opt_strs+4306)
#define zRcName NULL
#define apzHomeList NULL
-#define zBugsAddr (certtool_opt_strs+4950)
-#define zExplain (certtool_opt_strs+4969)
-#define zDetail (certtool_opt_strs+4972)
-#define zFullVersion (certtool_opt_strs+5146)
+#define zBugsAddr (certtool_opt_strs+4416)
+#define zExplain (certtool_opt_strs+4435)
+#define zDetail (certtool_opt_strs+4438)
+#define zFullVersion (certtool_opt_strs+4612)
/* extracted from optcode.tlib near line 350 */
#if defined(ENABLE_NLS)
@@ -1671,7 +1503,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define certtool_full_usage (NULL)
-#define certtool_short_usage (certtool_opt_strs+5165)
+#define certtool_short_usage (certtool_opt_strs+4631)
#endif /* not defined __doxygen__ */
@@ -1888,7 +1720,7 @@ tOptions certtoolOptions = {
NO_EQUIVALENT, /* '-#' option index */
NO_EQUIVALENT /* index of default opt */
},
- 65 /* full option count */, 62 /* user option count */,
+ 58 /* full option count */, 55 /* user option count */,
certtool_full_usage, certtool_short_usage,
NULL, NULL,
PKGDATADIR, certtool_packager_info
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 50a69adc76..c4d8a53dbb 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -1,6 +1,6 @@
AutoGen Definitions options;
prog-name = certtool;
-prog-title = "GnuTLS PKCS #11 tool";
+prog-title = "GnuTLS certificate tool";
prog-desc = "Manipulate certificates and private keys.";
detail = "Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by
@@ -354,55 +354,6 @@ flag = {
doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
};
-flag = {
- name = dane-tlsa-rr;
- descrip = "Print the DANE RR data on a certificate or public key";
- flags_must = dane-host;
- doc = "This command prints the DANE RR data needed to enable DANE on a DNS server.";
-};
-
-flag = {
- name = dane-host;
- descrip = "Specify the hostname to be used in the DANE RR";
- arg-type = string;
- arg-name = "Hostname";
- doc = "This command sets the hostname for the DANE RR.";
-};
-
-flag = {
- name = dane-proto;
- descrip = "The protocol set for DANE data (tcp, udp etc.)";
- arg-type = string;
- arg-name = "Protocol";
- doc = "This command specifies the protocol for the service set in the DANE data.";
-};
-
-flag = {
- name = dane-port;
- arg-type = number;
- descrip = "Specify the port number for the DANE data.";
- default-value = 443;
- doc = "";
-};
-
-flag = {
- name = dane-ca;
- descrip = "Whether the provided certificate or public key is a Certificate authority.";
- doc = "Marks the DANE RR as a CA certificate if specified.";
-};
-
-flag = {
- name = dane-x509;
- descrip = "Use the hash of the X.509 certificate, rather than the public key.";
- doc = "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.";
-};
-
-flag = {
- name = dane-local;
- descrip = "The provided certificate or public key is a local entity.";
- doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.";
-};
-
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
@@ -531,31 +482,6 @@ To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
-
-@subheading DANE TLSA RR generation
-
-
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
-@example
-$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate cert.pem
-@end example
-
-For a self signed certificate use:
-@example
-$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate cert.pem \
- --dane-local
-@end example
-
-The latter is useful to add in your DNS entry even if your certificate is signed
-by a CA. That way even users who do not trust your CA will be able to verify your
-certificate using DANE.
-
-In order to create a record for the signer of your certificate use:
-@example
-$ certtool --dane-tlsa-rr --dane-host www.example.com --load-certificate cert.pem \
- --dane-ca
-@end example
_EOT_;
};
diff --git a/src/certtool-args.h b/src/certtool-args.h
index 92b384c000..c328d59040 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.h)
*
- * It has been AutoGen-ed October 9, 2012 at 10:58:10 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 12, 2012 at 09:17:49 AM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -122,19 +122,12 @@ typedef enum {
INDEX_OPT_DISABLE_QUICK_RANDOM = 52,
INDEX_OPT_TEMPLATE = 53,
INDEX_OPT_PKCS_CIPHER = 54,
- INDEX_OPT_DANE_TLSA_RR = 55,
- INDEX_OPT_DANE_HOST = 56,
- INDEX_OPT_DANE_PROTO = 57,
- INDEX_OPT_DANE_PORT = 58,
- INDEX_OPT_DANE_CA = 59,
- INDEX_OPT_DANE_X509 = 60,
- INDEX_OPT_DANE_LOCAL = 61,
- INDEX_OPT_VERSION = 62,
- INDEX_OPT_HELP = 63,
- INDEX_OPT_MORE_HELP = 64
+ INDEX_OPT_VERSION = 55,
+ INDEX_OPT_HELP = 56,
+ INDEX_OPT_MORE_HELP = 57
} teOptIndex;
-#define OPTION_CT 65
+#define OPTION_CT 58
#define CERTTOOL_VERSION "@VERSION@"
#define CERTTOOL_FULL_VERSION "certtool @VERSION@"
@@ -231,15 +224,6 @@ typedef enum {
#define VALUE_OPT_DISABLE_QUICK_RANDOM 148
#define VALUE_OPT_TEMPLATE 149
#define VALUE_OPT_PKCS_CIPHER 150
-#define VALUE_OPT_DANE_TLSA_RR 151
-#define VALUE_OPT_DANE_HOST 152
-#define VALUE_OPT_DANE_PROTO 153
-#define VALUE_OPT_DANE_PORT 154
-
-#define OPT_VALUE_DANE_PORT (DESC(DANE_PORT).optArg.argInt)
-#define VALUE_OPT_DANE_CA 155
-#define VALUE_OPT_DANE_X509 156
-#define VALUE_OPT_DANE_LOCAL 157
#define VALUE_OPT_HELP 'h'
#define VALUE_OPT_MORE_HELP '!'
#define VALUE_OPT_VERSION 'v'
diff --git a/src/certtool.c b/src/certtool.c
index 10e0478d17..81ec1425a2 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -73,8 +73,6 @@ void generate_request (common_info_st *);
static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
unsigned int all);
static void verify_certificate (common_info_st * cinfo);
-static void dane_info(const char* host, const char* proto, unsigned int port,
- unsigned int ca, unsigned int local, common_info_st * cinfo);
FILE *outfile;
FILE *infile;
@@ -1081,9 +1079,6 @@ cmd_parser (int argc, char **argv)
#endif
else if (HAVE_OPT(CRQ_INFO))
crq_info ();
- else if (HAVE_OPT(DANE_TLSA_RR))
- dane_info (OPT_ARG(DANE_HOST), OPT_ARG(DANE_PROTO), OPT_VALUE_DANE_PORT,
- HAVE_OPT(DANE_CA), HAVE_OPT(DANE_LOCAL), &cinfo);
else
USAGE(1);
@@ -1095,116 +1090,6 @@ cmd_parser (int argc, char **argv)
gnutls_global_deinit ();
}
-static void dane_info(const char* host, const char* proto, unsigned int port,
- unsigned int ca, unsigned int local, common_info_st * cinfo)
-{
- gnutls_pubkey_t pubkey;
- gnutls_x509_crt_t crt;
- unsigned char digest[64];
- gnutls_datum_t t;
- int ret;
- unsigned int usage, selector, type;
- size_t size;
-
- if (proto == NULL)
- proto = "tcp";
- if (port == 0)
- port = 443;
-
- crt = load_cert (0, cinfo);
- if (crt != NULL && HAVE_OPT(DANE_X509))
- {
- selector = 0; /* X.509 */
-
- size = buffer_size;
- ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_DER, buffer, &size);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
-
- gnutls_x509_crt_deinit (crt);
- }
- else /* use public key only */
- {
- selector = 1;
-
- ret = gnutls_pubkey_init (&pubkey);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
-
- if (crt != NULL)
- {
-
- ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
- if (ret < 0)
- {
- error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
- gnutls_strerror (ret));
- }
-
- size = buffer_size;
- ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_DER, buffer, &size);
- if (ret < 0)
- {
- error (EXIT_FAILURE, 0, "pubkey_export: %s",
- gnutls_strerror (ret));
- }
-
- gnutls_x509_crt_deinit(crt);
- }
- else
- {
- pubkey = load_pubkey (1, cinfo);
-
- size = buffer_size;
- ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_DER, buffer, &size);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
- }
-
- gnutls_pubkey_deinit (pubkey);
- }
-
- if (default_dig != GNUTLS_DIG_SHA256 && default_dig != GNUTLS_DIG_SHA512)
- {
- if (default_dig != GNUTLS_DIG_UNKNOWN) fprintf(stderr, "Unsupported digest. Assuming SHA256.\n");
- default_dig = GNUTLS_DIG_SHA256;
- }
-
- ret = gnutls_hash_fast(default_dig, buffer, size, digest);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "hash error: %s", gnutls_strerror (ret));
-
- if (default_dig == GNUTLS_DIG_SHA256)
- type = 1;
- else type = 2;
-
- /* DANE certificate classification crap */
- if (local==0)
- {
- if (ca) usage = 0;
- else usage = 1;
- }
- else
- {
- if (ca) usage = 2;
- else usage = 3;
- }
-
- t.data = digest;
- t.size = gnutls_hash_get_len(default_dig);
-
- size = buffer_size;
- ret = gnutls_hex_encode(&t, (void*)buffer, &size);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "hex encode error: %s", gnutls_strerror (ret));
-
- fprintf(outfile, "_%u._%s.%s. IN TLSA ( %x %x %x %s )\n", port, proto, host, usage, selector, type, buffer);
-
-
-
-}
-
-
#define MAX_CRTS 500
void
certificate_info (int pubkey, common_info_st * cinfo)
diff --git a/src/danetool-args.c b/src/danetool-args.c
new file mode 100644
index 0000000000..c89443c7f0
--- /dev/null
+++ b/src/danetool-args.c
@@ -0,0 +1,920 @@
+/* -*- buffer-read-only: t -*- vi: set ro:
+ *
+ * DO NOT EDIT THIS FILE (danetool-args.c)
+ *
+ * It has been AutoGen-ed October 12, 2012 at 09:16:57 AM by AutoGen 5.16
+ * From the definitions danetool-args.def
+ * and the template file options
+ *
+ * Generated from AutoOpts 36:4:11 templates.
+ *
+ * AutoOpts is a copyrighted work. This source file is not encumbered
+ * by AutoOpts licensing, but is provided under the licensing terms chosen
+ * by the danetool author or copyright holder. AutoOpts is
+ * licensed under the terms of the LGPL. The redistributable library
+ * (``libopts'') is licensed under the terms of either the LGPL or, at the
+ * users discretion, the BSD license. See the AutoOpts and/or libopts sources
+ * for details.
+ *
+ * The danetool program is copyrighted and licensed
+ * under the following terms:
+ *
+ * Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.
+ * This is free software. It is licensed for use, modification and
+ * redistribution under the terms of the
+ * GNU General Public License, version 3 or later
+ * <http://gnu.org/licenses/gpl.html>
+ *
+ * danetool is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * danetool is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __doxygen__
+#define OPTION_CODE_COMPILE 1
+#include "danetool-args.h"
+#include <sys/types.h>
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+extern FILE * option_usage_fp;
+
+/* TRANSLATORS: choose the translation for option names wisely because you
+ cannot ever change your mind. */
+#define zCopyright (danetool_opt_strs+0)
+#define zLicenseDescrip (danetool_opt_strs+279)
+
+
+#ifndef NULL
+# define NULL 0
+#endif
+
+/*
+ * danetool option static const strings
+ */
+static char const danetool_opt_strs[2268] =
+/* 0 */ "danetool @VERSION@\n"
+ "Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n"
+ "This is free software. It is licensed for use, modification and\n"
+ "redistribution under the terms of the\n"
+ "GNU General Public License, version 3 or later\n"
+ " <http://gnu.org/licenses/gpl.html>\n\0"
+/* 279 */ "danetool is free software: you can redistribute it and/or modify it under\n"
+ "the terms of the GNU General Public License as published by the Free\n"
+ "Software Foundation, either version 3 of the License, or (at your option)\n"
+ "any later version.\n\n"
+ "danetool is distributed in the hope that it will be useful, but WITHOUT ANY\n"
+ "WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS\n"
+ "FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\n"
+ "details.\n\n"
+ "You should have received a copy of the GNU General Public License along\n"
+ "with this program. If not, see <http://www.gnu.org/licenses/>.\n\0"
+/* 884 */ "Enable debugging.\0"
+/* 902 */ "DEBUG\0"
+/* 908 */ "debug\0"
+/* 914 */ "More verbose output\0"
+/* 934 */ "VERBOSE\0"
+/* 942 */ "verbose\0"
+/* 950 */ "Input file\0"
+/* 961 */ "INFILE\0"
+/* 968 */ "infile\0"
+/* 975 */ "Output file\0"
+/* 987 */ "OUTFILE\0"
+/* 995 */ "outfile\0"
+/* 1003 */ "Loads a public key file\0"
+/* 1027 */ "LOAD_PUBKEY\0"
+/* 1039 */ "load-pubkey\0"
+/* 1051 */ "Loads a certificate file\0"
+/* 1076 */ "LOAD_CERTIFICATE\0"
+/* 1093 */ "load-certificate\0"
+/* 1110 */ "Hash algorithm to use for signing.\0"
+/* 1145 */ "HASH\0"
+/* 1150 */ "hash\0"
+/* 1155 */ "Use DER format for input certificates and private keys.\0"
+/* 1211 */ "INDER\0"
+/* 1217 */ "no-inder\0"
+/* 1226 */ "no\0"
+/* 1229 */ "This is an alias for 'inder'\0"
+/* 1258 */ "inraw\0"
+/* 1264 */ "Use DER format for output certificates and private keys\0"
+/* 1320 */ "OUTDER\0"
+/* 1327 */ "no-outder\0"
+/* 1337 */ "This is an alias for 'outder'\0"
+/* 1367 */ "outraw\0"
+/* 1374 */ "Print the DANE RR data on a certificate or public key\0"
+/* 1428 */ "TLSA_RR\0"
+/* 1436 */ "tlsa-rr\0"
+/* 1444 */ "Specify the hostname to be used in the DANE RR\0"
+/* 1491 */ "HOST\0"
+/* 1496 */ "host\0"
+/* 1501 */ "The protocol set for DANE data (tcp, udp etc.)\0"
+/* 1548 */ "PROTO\0"
+/* 1554 */ "proto\0"
+/* 1560 */ "Specify the port number for the DANE data.\0"
+/* 1603 */ "PORT\0"
+/* 1608 */ "port\0"
+/* 1613 */ "Whether the provided certificate or public key is a Certificate\n"
+ "authority.\0"
+/* 1688 */ "CA\0"
+/* 1691 */ "ca\0"
+/* 1694 */ "Use the hash of the X.509 certificate, rather than the public key.\0"
+/* 1761 */ "X509\0"
+/* 1766 */ "x509\0"
+/* 1771 */ "The provided certificate or public key is a local entity.\0"
+/* 1829 */ "LOCAL\0"
+/* 1835 */ "local\0"
+/* 1841 */ "Display extended usage information and exit\0"
+/* 1885 */ "help\0"
+/* 1890 */ "Extended usage information passed thru pager\0"
+/* 1935 */ "more-help\0"
+/* 1945 */ "Output version information and exit\0"
+/* 1981 */ "version\0"
+/* 1989 */ "DANETOOL\0"
+/* 1998 */ "danetool - GnuTLS DANE tool - Ver. @VERSION@\n"
+ "USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
+/* 2101 */ "bug-gnutls@gnu.org\0"
+/* 2120 */ "\n\n\0"
+/* 2123 */ "\n"
+ "Tool generate DNS resource records for the DANE protocol.\n\0"
+/* 2183 */ "danetool @VERSION@\0"
+/* 2202 */ "danetool [options] [url]\n"
+ "danetool --help for usage instructions.\n";
+
+/*
+ * debug option description:
+ */
+#define DEBUG_DESC (danetool_opt_strs+884)
+#define DEBUG_NAME (danetool_opt_strs+902)
+#define DEBUG_name (danetool_opt_strs+908)
+#define DEBUG_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
+
+/*
+ * verbose option description:
+ */
+#define VERBOSE_DESC (danetool_opt_strs+914)
+#define VERBOSE_NAME (danetool_opt_strs+934)
+#define VERBOSE_name (danetool_opt_strs+942)
+#define VERBOSE_FLAGS (OPTST_DISABLED)
+
+/*
+ * infile option description:
+ */
+#define INFILE_DESC (danetool_opt_strs+950)
+#define INFILE_NAME (danetool_opt_strs+961)
+#define INFILE_name (danetool_opt_strs+968)
+#define INFILE_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
+
+/*
+ * outfile option description:
+ */
+#define OUTFILE_DESC (danetool_opt_strs+975)
+#define OUTFILE_NAME (danetool_opt_strs+987)
+#define OUTFILE_name (danetool_opt_strs+995)
+#define OUTFILE_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * load-pubkey option description:
+ */
+#define LOAD_PUBKEY_DESC (danetool_opt_strs+1003)
+#define LOAD_PUBKEY_NAME (danetool_opt_strs+1027)
+#define LOAD_PUBKEY_name (danetool_opt_strs+1039)
+#define LOAD_PUBKEY_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * load-certificate option description:
+ */
+#define LOAD_CERTIFICATE_DESC (danetool_opt_strs+1051)
+#define LOAD_CERTIFICATE_NAME (danetool_opt_strs+1076)
+#define LOAD_CERTIFICATE_name (danetool_opt_strs+1093)
+#define LOAD_CERTIFICATE_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * hash option description:
+ */
+#define HASH_DESC (danetool_opt_strs+1110)
+#define HASH_NAME (danetool_opt_strs+1145)
+#define HASH_name (danetool_opt_strs+1150)
+#define HASH_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * inder option description:
+ */
+#define INDER_DESC (danetool_opt_strs+1155)
+#define INDER_NAME (danetool_opt_strs+1211)
+#define NOT_INDER_name (danetool_opt_strs+1217)
+#define NOT_INDER_PFX (danetool_opt_strs+1226)
+#define INDER_name (NOT_INDER_name + 3)
+#define INDER_FLAGS (OPTST_DISABLED)
+
+/*
+ * inraw option description:
+ */
+#define INRAW_DESC (danetool_opt_strs+1229)
+#define INRAW_NAME NULL
+#define INRAW_name (danetool_opt_strs+1258)
+#define INRAW_FLAGS (INDER_FLAGS | OPTST_ALIAS)
+
+/*
+ * outder option description:
+ */
+#define OUTDER_DESC (danetool_opt_strs+1264)
+#define OUTDER_NAME (danetool_opt_strs+1320)
+#define NOT_OUTDER_name (danetool_opt_strs+1327)
+#define NOT_OUTDER_PFX (danetool_opt_strs+1226)
+#define OUTDER_name (NOT_OUTDER_name + 3)
+#define OUTDER_FLAGS (OPTST_DISABLED)
+
+/*
+ * outraw option description:
+ */
+#define OUTRAW_DESC (danetool_opt_strs+1337)
+#define OUTRAW_NAME NULL
+#define OUTRAW_name (danetool_opt_strs+1367)
+#define OUTRAW_FLAGS (OUTDER_FLAGS | OPTST_ALIAS)
+
+/*
+ * tlsa-rr option description with
+ * "Must also have options" and "Incompatible options":
+ */
+#define TLSA_RR_DESC (danetool_opt_strs+1374)
+#define TLSA_RR_NAME (danetool_opt_strs+1428)
+#define TLSA_RR_name (danetool_opt_strs+1436)
+static int const aTlsa_RrMustList[] = {
+ INDEX_OPT_HOST, NO_EQUIVALENT };
+#define TLSA_RR_FLAGS (OPTST_DISABLED)
+
+/*
+ * host option description:
+ */
+#define HOST_DESC (danetool_opt_strs+1444)
+#define HOST_NAME (danetool_opt_strs+1491)
+#define HOST_name (danetool_opt_strs+1496)
+#define HOST_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * proto option description:
+ */
+#define PROTO_DESC (danetool_opt_strs+1501)
+#define PROTO_NAME (danetool_opt_strs+1548)
+#define PROTO_name (danetool_opt_strs+1554)
+#define PROTO_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * port option description:
+ */
+#define PORT_DESC (danetool_opt_strs+1560)
+#define PORT_NAME (danetool_opt_strs+1603)
+#define PORT_name (danetool_opt_strs+1608)
+#define PORT_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
+
+/*
+ * ca option description:
+ */
+#define CA_DESC (danetool_opt_strs+1613)
+#define CA_NAME (danetool_opt_strs+1688)
+#define CA_name (danetool_opt_strs+1691)
+#define CA_FLAGS (OPTST_DISABLED)
+
+/*
+ * x509 option description:
+ */
+#define X509_DESC (danetool_opt_strs+1694)
+#define X509_NAME (danetool_opt_strs+1761)
+#define X509_name (danetool_opt_strs+1766)
+#define X509_FLAGS (OPTST_DISABLED)
+
+/*
+ * local option description:
+ */
+#define LOCAL_DESC (danetool_opt_strs+1771)
+#define LOCAL_NAME (danetool_opt_strs+1829)
+#define LOCAL_name (danetool_opt_strs+1835)
+#define LOCAL_FLAGS (OPTST_DISABLED)
+
+/*
+ * Help/More_Help/Version option descriptions:
+ */
+#define HELP_DESC (danetool_opt_strs+1841)
+#define HELP_name (danetool_opt_strs+1885)
+#ifdef HAVE_WORKING_FORK
+#define MORE_HELP_DESC (danetool_opt_strs+1890)
+#define MORE_HELP_name (danetool_opt_strs+1935)
+#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
+#else
+#define MORE_HELP_DESC NULL
+#define MORE_HELP_name NULL
+#define MORE_HELP_FLAGS (OPTST_OMITTED | OPTST_NO_INIT)
+#endif
+#ifdef NO_OPTIONAL_OPT_ARGS
+# define VER_FLAGS (OPTST_IMM | OPTST_NO_INIT)
+#else
+# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
+ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
+#endif
+#define VER_DESC (danetool_opt_strs+1945)
+#define VER_name (danetool_opt_strs+1981)
+/*
+ * Declare option callback procedures
+ */
+extern tOptProc
+ optionBooleanVal, optionNestedVal, optionNumericVal,
+ optionPagedUsage, optionPrintVersion, optionResetOpt,
+ optionStackArg, optionTimeDate, optionTimeVal,
+ optionUnstackArg, optionVendorOption;
+static tOptProc
+ doOptDebug, doOptInfile, doOptInraw, doOptOutraw, doUsageOpt;
+#define VER_PROC optionPrintVersion
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/**
+ * Define the danetool Option Descriptions.
+ * This is an array of OPTION_CT entries, one for each
+ * option that the danetool program responds to.
+ */
+static tOptDesc optDesc[OPTION_CT] = {
+ { /* entry idx, value */ 0, VALUE_OPT_DEBUG,
+ /* equiv idx, value */ 0, VALUE_OPT_DEBUG,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DEBUG_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --debug */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ doOptDebug,
+ /* desc, NAME, name */ DEBUG_DESC, DEBUG_NAME, DEBUG_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 1, VALUE_OPT_VERBOSE,
+ /* equiv idx, value */ 1, VALUE_OPT_VERBOSE,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, NOLIMIT, 0,
+ /* opt state flags */ VERBOSE_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --verbose */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ VERBOSE_DESC, VERBOSE_NAME, VERBOSE_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 2, VALUE_OPT_INFILE,
+ /* equiv idx, value */ 2, VALUE_OPT_INFILE,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ INFILE_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --infile */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ doOptInfile,
+ /* desc, NAME, name */ INFILE_DESC, INFILE_NAME, INFILE_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 3, VALUE_OPT_OUTFILE,
+ /* equiv idx, value */ 3, VALUE_OPT_OUTFILE,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ OUTFILE_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --outfile */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ OUTFILE_DESC, OUTFILE_NAME, OUTFILE_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 4, VALUE_OPT_LOAD_PUBKEY,
+ /* equiv idx, value */ 4, VALUE_OPT_LOAD_PUBKEY,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ LOAD_PUBKEY_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --load-pubkey */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ LOAD_PUBKEY_DESC, LOAD_PUBKEY_NAME, LOAD_PUBKEY_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 5, VALUE_OPT_LOAD_CERTIFICATE,
+ /* equiv idx, value */ 5, VALUE_OPT_LOAD_CERTIFICATE,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ LOAD_CERTIFICATE_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --load-certificate */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ LOAD_CERTIFICATE_DESC, LOAD_CERTIFICATE_NAME, LOAD_CERTIFICATE_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 6, VALUE_OPT_HASH,
+ /* equiv idx, value */ 6, VALUE_OPT_HASH,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ HASH_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --hash */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ HASH_DESC, HASH_NAME, HASH_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 7, VALUE_OPT_INDER,
+ /* equiv idx, value */ 7, VALUE_OPT_INDER,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ INDER_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --inder */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ INDER_DESC, INDER_NAME, INDER_name,
+ /* disablement strs */ NOT_INDER_name, NOT_INDER_PFX },
+
+ { /* entry idx, value */ 8, VALUE_OPT_INRAW,
+ /* equiv idx, value */ 8, VALUE_OPT_INRAW,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ INRAW_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --inraw */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ doOptInraw,
+ /* desc, NAME, name */ INRAW_DESC, INRAW_NAME, INRAW_name,
+ /* disablement strs */ 0, 0 },
+
+ { /* entry idx, value */ 9, VALUE_OPT_OUTDER,
+ /* equiv idx, value */ 9, VALUE_OPT_OUTDER,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ OUTDER_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --outder */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ OUTDER_DESC, OUTDER_NAME, OUTDER_name,
+ /* disablement strs */ NOT_OUTDER_name, NOT_OUTDER_PFX },
+
+ { /* entry idx, value */ 10, VALUE_OPT_OUTRAW,
+ /* equiv idx, value */ 10, VALUE_OPT_OUTRAW,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ OUTRAW_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --outraw */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ doOptOutraw,
+ /* desc, NAME, name */ OUTRAW_DESC, OUTRAW_NAME, OUTRAW_name,
+ /* disablement strs */ 0, 0 },
+
+ { /* entry idx, value */ 11, VALUE_OPT_TLSA_RR,
+ /* equiv idx, value */ 11, VALUE_OPT_TLSA_RR,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ TLSA_RR_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --tlsa-rr */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ aTlsa_RrMustList, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ TLSA_RR_DESC, TLSA_RR_NAME, TLSA_RR_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 12, VALUE_OPT_HOST,
+ /* equiv idx, value */ 12, VALUE_OPT_HOST,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ HOST_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --host */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ HOST_DESC, HOST_NAME, HOST_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 13, VALUE_OPT_PROTO,
+ /* equiv idx, value */ 13, VALUE_OPT_PROTO,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ PROTO_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --proto */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ PROTO_DESC, PROTO_NAME, PROTO_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 14, VALUE_OPT_PORT,
+ /* equiv idx, value */ 14, VALUE_OPT_PORT,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ PORT_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --port */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ optionNumericVal,
+ /* desc, NAME, name */ PORT_DESC, PORT_NAME, PORT_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 15, VALUE_OPT_CA,
+ /* equiv idx, value */ 15, VALUE_OPT_CA,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ CA_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --ca */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ CA_DESC, CA_NAME, CA_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 16, VALUE_OPT_X509,
+ /* equiv idx, value */ 16, VALUE_OPT_X509,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ X509_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --x509 */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ X509_DESC, X509_NAME, X509_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 17, VALUE_OPT_LOCAL,
+ /* equiv idx, value */ 17, VALUE_OPT_LOCAL,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ LOCAL_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --local */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ LOCAL_DESC, LOCAL_NAME, LOCAL_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
+ /* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_VERSION,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ VER_FLAGS, 0,
+ /* last opt argumnt */ { NULL },
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ VER_PROC,
+ /* desc, NAME, name */ VER_DESC, NULL, VER_name,
+ /* disablement strs */ NULL, NULL },
+
+
+
+ { /* entry idx, value */ INDEX_OPT_HELP, VALUE_OPT_HELP,
+ /* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_HELP,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ OPTST_IMM | OPTST_NO_INIT, 0,
+ /* last opt argumnt */ { NULL },
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ doUsageOpt,
+ /* desc, NAME, name */ HELP_DESC, NULL, HELP_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ INDEX_OPT_MORE_HELP, VALUE_OPT_MORE_HELP,
+ /* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_MORE_HELP,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ MORE_HELP_FLAGS, 0,
+ /* last opt argumnt */ { NULL },
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ optionPagedUsage,
+ /* desc, NAME, name */ MORE_HELP_DESC, NULL, MORE_HELP_name,
+ /* disablement strs */ NULL, NULL }
+};
+
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ *
+ * Define the danetool Option Environment
+ */
+#define zPROGNAME (danetool_opt_strs+1989)
+#define zUsageTitle (danetool_opt_strs+1998)
+#define zRcName NULL
+#define apzHomeList NULL
+#define zBugsAddr (danetool_opt_strs+2101)
+#define zExplain (danetool_opt_strs+2120)
+#define zDetail (danetool_opt_strs+2123)
+#define zFullVersion (danetool_opt_strs+2183)
+/* extracted from optcode.tlib near line 350 */
+
+#if defined(ENABLE_NLS)
+# define OPTPROC_BASE OPTPROC_TRANSLATE | OPTPROC_NXLAT_OPT
+ static tOptionXlateProc translate_option_strings;
+#else
+# define OPTPROC_BASE OPTPROC_NONE
+# define translate_option_strings NULL
+#endif /* ENABLE_NLS */
+
+
+#define danetool_full_usage (NULL)
+
+#define danetool_short_usage (danetool_opt_strs+2202)
+
+#endif /* not defined __doxygen__ */
+
+/*
+ * Create the static procedure(s) declared above.
+ */
+/**
+ * The callout function that invokes the optionUsage function.
+ *
+ * @param pOptions the AutoOpts option description structure
+ * @param pOptDesc the descriptor for the "help" (usage) option.
+ * @noreturn
+ */
+static void
+doUsageOpt(tOptions * pOptions, tOptDesc * pOptDesc)
+{
+ optionUsage(&danetoolOptions, DANETOOL_EXIT_SUCCESS);
+ /* NOTREACHED */
+ (void)pOptDesc;
+ (void)pOptions;
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/**
+ * Code to handle the debug option.
+ *
+ * @param pOptions the danetool options data structure
+ * @param pOptDesc the option descriptor for this option.
+ */
+static void
+doOptDebug(tOptions* pOptions, tOptDesc* pOptDesc)
+{
+ static struct {long rmin, rmax;} const rng[1] = {
+ { 0 , 9999 } };
+ int ix;
+
+ if (pOptions <= OPTPROC_EMIT_LIMIT)
+ goto emit_ranges;
+ optionNumericVal(pOptions, pOptDesc);
+
+ for (ix = 0; ix < 1; ix++) {
+ if (pOptDesc->optArg.argInt < rng[ix].rmin)
+ continue; /* ranges need not be ordered. */
+ if (pOptDesc->optArg.argInt == rng[ix].rmin)
+ return;
+ if (rng[ix].rmax == LONG_MIN)
+ continue;
+ if (pOptDesc->optArg.argInt <= rng[ix].rmax)
+ return;
+ }
+
+ option_usage_fp = stderr;
+
+emit_ranges:
+
+ optionShowRange(pOptions, pOptDesc, (void *)rng, 1);
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/**
+ * Code to handle the infile option.
+ *
+ * @param pOptions the danetool options data structure
+ * @param pOptDesc the option descriptor for this option.
+ */
+static void
+doOptInfile(tOptions* pOptions, tOptDesc* pOptDesc)
+{
+ static teOptFileType const type =
+ FTYPE_MODE_MUST_EXIST + FTYPE_MODE_NO_OPEN;
+ static tuFileMode mode;
+#ifndef O_CLOEXEC
+# define O_CLOEXEC 0
+#endif
+ mode.file_flags = O_CLOEXEC;
+
+ optionFileCheck(pOptions, pOptDesc, type, mode);
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/**
+ * Code to handle the inraw option.
+ *
+ * @param pOptions the danetool options data structure
+ * @param pOptDesc the option descriptor for this option.
+ */
+static void
+doOptInraw(tOptions* pOptions, tOptDesc* pOptDesc)
+{
+ int res = optionAlias(pOptions, pOptDesc, INDEX_OPT_INDER);
+ if ((res != 0) && ((pOptions->fOptSet & OPTPROC_ERRSTOP) != 0))
+ USAGE(DANETOOL_EXIT_FAILURE);
+
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/**
+ * Code to handle the outraw option.
+ *
+ * @param pOptions the danetool options data structure
+ * @param pOptDesc the option descriptor for this option.
+ */
+static void
+doOptOutraw(tOptions* pOptions, tOptDesc* pOptDesc)
+{
+ int res = optionAlias(pOptions, pOptDesc, INDEX_OPT_OUTDER);
+ if ((res != 0) && ((pOptions->fOptSet & OPTPROC_ERRSTOP) != 0))
+ USAGE(DANETOOL_EXIT_FAILURE);
+
+}
+/* extracted from optmain.tlib near line 1113 */
+
+/**
+ * The directory containing the data associated with danetool.
+ */
+#ifndef PKGDATADIR
+# define PKGDATADIR ""
+#endif
+
+/**
+ * Information about the person or institution that packaged danetool
+ * for the current distribution.
+ */
+#ifndef WITH_PACKAGER
+# define danetool_packager_info NULL
+#else
+static char const danetool_packager_info[] =
+ "Packaged by " WITH_PACKAGER
+
+# ifdef WITH_PACKAGER_VERSION
+ " ("WITH_PACKAGER_VERSION")"
+# endif
+
+# ifdef WITH_PACKAGER_BUG_REPORTS
+ "\nReport danetool bugs to " WITH_PACKAGER_BUG_REPORTS
+# endif
+ "\n";
+#endif
+#ifndef __doxygen__
+
+#endif /* __doxygen__ */
+/**
+ * The option definitions for danetool. The one structure that
+ * binds them all.
+ */
+tOptions danetoolOptions = {
+ OPTIONS_STRUCT_VERSION,
+ 0, NULL, /* original argc + argv */
+ ( OPTPROC_BASE
+ + OPTPROC_ERRSTOP
+ + OPTPROC_SHORTOPT
+ + OPTPROC_LONGOPT
+ + OPTPROC_NO_REQ_OPT
+ + OPTPROC_NEGATIONS
+ + OPTPROC_NO_ARGS
+ + OPTPROC_GNUUSAGE
+ + OPTPROC_MISUSE ),
+ 0, NULL, /* current option index, current option */
+ NULL, NULL, zPROGNAME,
+ zRcName, zCopyright, zLicenseDescrip,
+ zFullVersion, apzHomeList, zUsageTitle,
+ zExplain, zDetail, optDesc,
+ zBugsAddr, /* address to send bugs to */
+ NULL, NULL, /* extensions/saved state */
+ optionUsage, /* usage procedure */
+ translate_option_strings, /* translation procedure */
+ /*
+ * Indexes to special options
+ */
+ { INDEX_OPT_MORE_HELP, /* more-help option index */
+ NO_EQUIVALENT, /* save option index */
+ NO_EQUIVALENT, /* '-#' option index */
+ NO_EQUIVALENT /* index of default opt */
+ },
+ 21 /* full option count */, 18 /* user option count */,
+ danetool_full_usage, danetool_short_usage,
+ NULL, NULL,
+ PKGDATADIR, danetool_packager_info
+};
+
+#if ENABLE_NLS
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <autoopts/usage-txt.h>
+
+static char* AO_gettext(char const* pz);
+static void coerce_it(void** s);
+
+/**
+ * AutoGen specific wrapper function for gettext.
+ * It relies on the macro _() to convert from English to the target
+ * language, then strdup-duplicates the result string.
+ *
+ * @param[in] pz the input text used as a lookup key.
+ * @returns the translated text (if there is one),
+ * or the original text (if not).
+ */
+static char *
+AO_gettext(char const* pz)
+{
+ char* pzRes;
+ if (pz == NULL)
+ return NULL;
+ pzRes = _(pz);
+ if (pzRes == pz)
+ return pzRes;
+ pzRes = strdup(pzRes);
+ if (pzRes == NULL) {
+ fputs(_("No memory for duping translated strings\n"), stderr);
+ exit(DANETOOL_EXIT_FAILURE);
+ }
+ return pzRes;
+}
+
+static void coerce_it(void** s) { *s = AO_gettext(*s);
+}
+
+/**
+ * Translate all the translatable strings in the danetoolOptions
+ * structure defined above. This is done only once.
+ */
+static void
+translate_option_strings(void)
+{
+ tOptions * const pOpt = &danetoolOptions;
+
+ /*
+ * Guard against re-translation. It won't work. The strings will have
+ * been changed by the first pass through this code. One shot only.
+ */
+ if (option_usage_text.field_ct != 0) {
+ /*
+ * Do the translations. The first pointer follows the field count
+ * field. The field count field is the size of a pointer.
+ */
+ tOptDesc * pOD = pOpt->pOptDesc;
+ char ** ppz = (char**)(void*)&(option_usage_text);
+ int ix = option_usage_text.field_ct;
+
+ do {
+ ppz++;
+ *ppz = AO_gettext(*ppz);
+ } while (--ix > 0);
+
+ coerce_it((void*)&(pOpt->pzCopyright));
+ coerce_it((void*)&(pOpt->pzCopyNotice));
+ coerce_it((void*)&(pOpt->pzFullVersion));
+ coerce_it((void*)&(pOpt->pzUsageTitle));
+ coerce_it((void*)&(pOpt->pzExplain));
+ coerce_it((void*)&(pOpt->pzDetail));
+ coerce_it((void*)&(pOpt->pzPackager));
+ coerce_it((void*)&(pOpt->pzShortUsage));
+ option_usage_text.field_ct = 0;
+
+ for (ix = pOpt->optCt; ix > 0; ix--, pOD++)
+ coerce_it((void*)&(pOD->pzText));
+ }
+
+ if ((pOpt->fOptSet & OPTPROC_NXLAT_OPT_CFG) == 0) {
+ tOptDesc * pOD = pOpt->pOptDesc;
+ int ix;
+
+ for (ix = pOpt->optCt; ix > 0; ix--, pOD++) {
+ coerce_it((void*)&(pOD->pz_Name));
+ coerce_it((void*)&(pOD->pz_DisableName));
+ coerce_it((void*)&(pOD->pz_DisablePfx));
+ }
+ /* prevent re-translation */
+ danetoolOptions.fOptSet |= OPTPROC_NXLAT_OPT_CFG | OPTPROC_NXLAT_OPT;
+ }
+}
+
+#endif /* ENABLE_NLS */
+
+#ifdef __cplusplus
+}
+#endif
+/* danetool-args.c ends here */
diff --git a/src/danetool-args.def b/src/danetool-args.def
new file mode 100644
index 0000000000..0e8f74fa92
--- /dev/null
+++ b/src/danetool-args.def
@@ -0,0 +1,150 @@
+AutoGen Definitions options;
+prog-name = danetool;
+prog-title = "GnuTLS DANE tool";
+prog-desc = "Generate DANE TLSA RR entries.";
+detail = "Tool generate DNS resource records for the DANE protocol.";
+short-usage = "danetool [options] [url]\ndanetool --help for usage instructions.\n";
+explain = "";
+
+#define INFILE_OPT 1
+#define OUTFILE_OPT 1
+#define VERBOSE_OPT 1
+#include args-std.def
+
+flag = {
+ name = load-pubkey;
+ descrip = "Loads a public key file";
+ arg-type = string;
+ doc = "This can be either a file or a PKCS #11 URL";
+};
+
+flag = {
+ name = load-certificate;
+ descrip = "Loads a certificate file";
+ arg-type = string;
+ doc = "This can be either a file or a PKCS #11 URL";
+};
+
+flag = {
+ name = hash;
+ arg-type = string;
+ descrip = "Hash algorithm to use for signing.";
+ doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.";
+};
+
+flag = {
+ name = inder;
+ descrip = "Use DER format for input certificates and private keys.";
+ disabled;
+ disable = "no";
+ doc = "The input files will be assumed to be in DER or RAW format.
+Unlike options that in PEM input would allow multiple input data (e.g. multiple
+certificates), when reading in DER format a single data structure is read.";
+};
+
+flag = {
+ name = inraw;
+ aliases = inder;
+};
+
+flag = {
+ name = outder;
+ descrip = "Use DER format for output certificates and private keys";
+ disabled;
+ disable = "no";
+ doc = "The output will be in DER or RAW format.";
+};
+
+flag = {
+ name = outraw;
+ aliases = outder;
+};
+
+flag = {
+ name = tlsa-rr;
+ descrip = "Print the DANE RR data on a certificate or public key";
+ flags_must = host;
+ doc = "This command prints the DANE RR data needed to enable DANE on a DNS server.";
+};
+
+flag = {
+ name = host;
+ descrip = "Specify the hostname to be used in the DANE RR";
+ arg-type = string;
+ arg-name = "Hostname";
+ doc = "This command sets the hostname for the DANE RR.";
+};
+
+flag = {
+ name = proto;
+ descrip = "The protocol set for DANE data (tcp, udp etc.)";
+ arg-type = string;
+ arg-name = "Protocol";
+ doc = "This command specifies the protocol for the service set in the DANE data.";
+};
+
+flag = {
+ name = port;
+ arg-type = number;
+ descrip = "Specify the port number for the DANE data.";
+ default-value = 443;
+ doc = "";
+};
+
+flag = {
+ name = ca;
+ descrip = "Whether the provided certificate or public key is a Certificate authority.";
+ doc = "Marks the DANE RR as a CA certificate if specified.";
+};
+
+flag = {
+ name = x509;
+ descrip = "Use the hash of the X.509 certificate, rather than the public key.";
+ doc = "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.";
+};
+
+flag = {
+ name = local;
+ descrip = "The provided certificate or public key is a local entity.";
+ doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.";
+};
+
+doc-section = {
+ ds-type = 'SEE ALSO';
+ ds-format = 'texi';
+ ds-text = <<-_EOT_
+ p11tool (1)
+_EOT_;
+};
+
+doc-section = {
+ ds-type = 'EXAMPLES';
+ ds-format = 'texi';
+ ds-text = <<-_EOT_
+@subheading DANE TLSA RR generation
+
+To create a DANE TLSA resource record for a CA signed certificate use the following commands.
+
+@example
+$ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem
+@end example
+
+For a self signed certificate use:
+@example
+$ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+ --local
+@end example
+
+The latter is useful to add in your DNS entry even if your certificate is signed
+by a CA. That way even users who do not trust your CA will be able to verify your
+certificate using DANE.
+
+In order to create a record for the signer of your certificate use:
+@example
+$ certtool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+ --ca
+@end example
+_EOT_;
+};
+
+
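Review bot: The EXAMPLES doc-section still invokes `certtool --tlsa-rr --host www.example.com --load-certificate cert.pem` in all three examples, but this commit removes `--tlsa-rr` from certtool, so each example should read `danetool --tlsa-rr --host www.example.com --load-certificate cert.pem` (with `--local` / `--ca` appended as before). The `hash` flag's text ("Hash algorithm to use for signing." / "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.") does not match danetool.c, where dane_info only uses SHA256 or SHA512 for the TLSA digest and overrides anything else with a warning; suggest `descrip = "Hash algorithm to use for the TLSA record digest.";` and `doc = "Available hash functions are SHA256 (default) and SHA512.";`. The short-usage string advertises a `[url]` operand, yet the generated danetoolOptions sets OPTPROC_NO_ARGS, so any operand is rejected; drop `[url]` from `short-usage`. The SEE ALSO section lists only p11tool; adding `certtool (1)` would help users who look for the old `--tlsa-rr` option there.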
diff --git a/src/danetool-args.h b/src/danetool-args.h
new file mode 100644
index 0000000000..cb4ad97072
--- /dev/null
+++ b/src/danetool-args.h
@@ -0,0 +1,219 @@
+/* -*- buffer-read-only: t -*- vi: set ro:
+ *
+ * DO NOT EDIT THIS FILE (danetool-args.h)
+ *
+ * It has been AutoGen-ed October 12, 2012 at 09:16:57 AM by AutoGen 5.16
+ * From the definitions danetool-args.def
+ * and the template file options
+ *
+ * Generated from AutoOpts 36:4:11 templates.
+ *
+ * AutoOpts is a copyrighted work. This header file is not encumbered
+ * by AutoOpts licensing, but is provided under the licensing terms chosen
+ * by the danetool author or copyright holder. AutoOpts is
+ * licensed under the terms of the LGPL. The redistributable library
+ * (``libopts'') is licensed under the terms of either the LGPL or, at the
+ * users discretion, the BSD license. See the AutoOpts and/or libopts sources
+ * for details.
+ *
+ * The danetool program is copyrighted and licensed
+ * under the following terms:
+ *
+ * Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.
+ * This is free software. It is licensed for use, modification and
+ * redistribution under the terms of the
+ * GNU General Public License, version 3 or later
+ * <http://gnu.org/licenses/gpl.html>
+ *
+ * danetool is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * danetool is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * This file contains the programmatic interface to the Automated
+ * Options generated for the danetool program.
+ * These macros are documented in the AutoGen info file in the
+ * "AutoOpts" chapter. Please refer to that doc for usage help.
+ */
+#ifndef AUTOOPTS_DANETOOL_ARGS_H_GUARD
+#define AUTOOPTS_DANETOOL_ARGS_H_GUARD 1
+#include "config.h"
+#include <autoopts/options.h>
+
+/*
+ * Ensure that the library used for compiling this generated header is at
+ * least as new as the version current when the header template was released
+ * (not counting patch version increments). Also ensure that the oldest
+ * tolerable version is at least as old as what was current when the header
+ * template was released.
+ */
+#define AO_TEMPLATE_VERSION 147460
+#if (AO_TEMPLATE_VERSION < OPTIONS_MINIMUM_VERSION) \
+ || (AO_TEMPLATE_VERSION > OPTIONS_STRUCT_VERSION)
+# error option template version mismatches autoopts/options.h header
+ Choke Me.
+#endif
+
+/*
+ * Enumeration of each option:
+ */
+typedef enum {
+ INDEX_OPT_DEBUG = 0,
+ INDEX_OPT_VERBOSE = 1,
+ INDEX_OPT_INFILE = 2,
+ INDEX_OPT_OUTFILE = 3,
+ INDEX_OPT_LOAD_PUBKEY = 4,
+ INDEX_OPT_LOAD_CERTIFICATE = 5,
+ INDEX_OPT_HASH = 6,
+ INDEX_OPT_INDER = 7,
+ INDEX_OPT_INRAW = 8,
+ INDEX_OPT_OUTDER = 9,
+ INDEX_OPT_OUTRAW = 10,
+ INDEX_OPT_TLSA_RR = 11,
+ INDEX_OPT_HOST = 12,
+ INDEX_OPT_PROTO = 13,
+ INDEX_OPT_PORT = 14,
+ INDEX_OPT_CA = 15,
+ INDEX_OPT_X509 = 16,
+ INDEX_OPT_LOCAL = 17,
+ INDEX_OPT_VERSION = 18,
+ INDEX_OPT_HELP = 19,
+ INDEX_OPT_MORE_HELP = 20
+} teOptIndex;
+
+#define OPTION_CT 21
+#define DANETOOL_VERSION "@VERSION@"
+#define DANETOOL_FULL_VERSION "danetool @VERSION@"
+
+/*
+ * Interface defines for all options. Replace "n" with the UPPER_CASED
+ * option name (as in the teOptIndex enumeration above).
+ * e.g. HAVE_OPT(DEBUG)
+ */
+#define DESC(n) (danetoolOptions.pOptDesc[INDEX_OPT_## n])
+#define HAVE_OPT(n) (! UNUSED_OPT(& DESC(n)))
+#define OPT_ARG(n) (DESC(n).optArg.argString)
+#define STATE_OPT(n) (DESC(n).fOptState & OPTST_SET_MASK)
+#define COUNT_OPT(n) (DESC(n).optOccCt)
+#define ISSEL_OPT(n) (SELECTED_OPT(&DESC(n)))
+#define ISUNUSED_OPT(n) (UNUSED_OPT(& DESC(n)))
+#define ENABLED_OPT(n) (! DISABLED_OPT(& DESC(n)))
+#define STACKCT_OPT(n) (((tArgList*)(DESC(n).optCookie))->useCt)
+#define STACKLST_OPT(n) (((tArgList*)(DESC(n).optCookie))->apzArgs)
+#define CLEAR_OPT(n) STMTS( \
+ DESC(n).fOptState &= OPTST_PERSISTENT_MASK; \
+ if ((DESC(n).fOptState & OPTST_INITENABLED) == 0) \
+ DESC(n).fOptState |= OPTST_DISABLED; \
+ DESC(n).optCookie = NULL )
+
+/* * * * * *
+ *
+ * Enumeration of danetool exit codes
+ */
+typedef enum {
+ DANETOOL_EXIT_SUCCESS = 0,
+ DANETOOL_EXIT_FAILURE = 1,
+ DANETOOL_EXIT_LIBOPTS_FAILURE = 70
+} danetool_exit_code_t;
+/* * * * * *
+ *
+ * Interface defines for specific options.
+ */
+#define VALUE_OPT_DEBUG 'd'
+
+#define OPT_VALUE_DEBUG (DESC(DEBUG).optArg.argInt)
+#define VALUE_OPT_VERBOSE 'V'
+#define VALUE_OPT_INFILE 2
+#define VALUE_OPT_OUTFILE 3
+#define VALUE_OPT_LOAD_PUBKEY 4
+#define VALUE_OPT_LOAD_CERTIFICATE 5
+#define VALUE_OPT_HASH 6
+#define VALUE_OPT_INDER 7
+#define VALUE_OPT_INRAW 8
+#define VALUE_OPT_OUTDER 9
+#define VALUE_OPT_OUTRAW 10
+#define VALUE_OPT_TLSA_RR 11
+#define VALUE_OPT_HOST 12
+#define VALUE_OPT_PROTO 13
+#define VALUE_OPT_PORT 14
+
+#define OPT_VALUE_PORT (DESC(PORT).optArg.argInt)
+#define VALUE_OPT_CA 15
+#define VALUE_OPT_X509 16
+#define VALUE_OPT_LOCAL 17
+#define VALUE_OPT_HELP 'h'
+#define VALUE_OPT_MORE_HELP '!'
+#define VALUE_OPT_VERSION 'v'
+/*
+ * Interface defines not associated with particular options
+ */
+#define ERRSKIP_OPTERR STMTS(danetoolOptions.fOptSet &= ~OPTPROC_ERRSTOP)
+#define ERRSTOP_OPTERR STMTS(danetoolOptions.fOptSet |= OPTPROC_ERRSTOP)
+#define RESTART_OPT(n) STMTS( \
+ danetoolOptions.curOptIdx = (n); \
+ danetoolOptions.pzCurOpt = NULL)
+#define START_OPT RESTART_OPT(1)
+#define USAGE(c) (*danetoolOptions.pUsageProc)(&danetoolOptions, c)
+/* extracted from opthead.tlib near line 484 */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+/*
+ * global exported definitions
+ */
+#include <gettext.h>
+
+
+/* * * * * *
+ *
+ * Declare the danetool option descriptor.
+ */
+extern tOptions danetoolOptions;
+
+#if defined(ENABLE_NLS)
+# ifndef _
+# include <stdio.h>
+static inline char* aoGetsText(char const* pz) {
+ if (pz == NULL) return NULL;
+ return (char*)gettext(pz);
+}
+# define _(s) aoGetsText(s)
+# endif /* _() */
+
+# define OPT_NO_XLAT_CFG_NAMES STMTS(danetoolOptions.fOptSet |= \
+ OPTPROC_NXLAT_OPT_CFG;)
+# define OPT_NO_XLAT_OPT_NAMES STMTS(danetoolOptions.fOptSet |= \
+ OPTPROC_NXLAT_OPT|OPTPROC_NXLAT_OPT_CFG;)
+
+# define OPT_XLAT_CFG_NAMES STMTS(danetoolOptions.fOptSet &= \
+ ~(OPTPROC_NXLAT_OPT|OPTPROC_NXLAT_OPT_CFG);)
+# define OPT_XLAT_OPT_NAMES STMTS(danetoolOptions.fOptSet &= \
+ ~OPTPROC_NXLAT_OPT;)
+
+#else /* ENABLE_NLS */
+# define OPT_NO_XLAT_CFG_NAMES
+# define OPT_NO_XLAT_OPT_NAMES
+
+# define OPT_XLAT_CFG_NAMES
+# define OPT_XLAT_OPT_NAMES
+
+# ifndef _
+# define _(_s) _s
+# endif
+#endif /* ENABLE_NLS */
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* AUTOOPTS_DANETOOL_ARGS_H_GUARD */
+/* danetool-args.h ends here */
diff --git a/src/danetool.c b/src/danetool.c
new file mode 100644
index 0000000000..52fd03223f
--- /dev/null
+++ b/src/danetool.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (C) 2003-2012 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/openpgp.h>
+#include <gnutls/pkcs12.h>
+#include <gnutls/pkcs11.h>
+#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <time.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <error.h>
+
+/* Gnulib portability files. */
+#include <read-file.h>
+#include <progname.h>
+#include <version-etc.h>
+
+#include <common.h>
+#include "danetool-args.h"
+#include "certtool-common.h"
+
+static void cmd_parser (int argc, char **argv);
+static void dane_info(const char* host, const char* proto, unsigned int port,
+ unsigned int ca, unsigned int local, common_info_st * cinfo);
+
+FILE *outfile;
+FILE *infile;
+static gnutls_digest_algorithm_t default_dig;
+static unsigned int incert_format, outcert_format;
+
+/* non interactive operation if set
+ */
+int batch;
+
+
+static void
+tls_log_func (int level, const char *str)
+{
+ fprintf (stderr, "|<%d>| %s", level, str);
+}
+
+int
+main (int argc, char **argv)
+{
+ set_program_name (argv[0]);
+ cmd_parser (argc, argv);
+
+ return 0;
+}
+
+
+static void
+cmd_parser (int argc, char **argv)
+{
+ int ret, privkey_op = 0;
+ common_info_st cinfo;
+
+ optionProcess( &danetoolOptions, argc, argv);
+
+ if (HAVE_OPT(OUTFILE))
+ {
+ outfile = safe_open_rw (OPT_ARG(OUTFILE), privkey_op);
+ if (outfile == NULL)
+ error (EXIT_FAILURE, errno, "%s", OPT_ARG(OUTFILE));
+ }
+ else
+ outfile = stdout;
+
+ if (HAVE_OPT(INFILE))
+ {
+ infile = fopen (OPT_ARG(INFILE), "rb");
+ if (infile == NULL)
+ error (EXIT_FAILURE, errno, "%s", OPT_ARG(INFILE));
+ }
+ else
+ infile = stdin;
+
+ if (HAVE_OPT(INDER) || HAVE_OPT(INRAW))
+ incert_format = GNUTLS_X509_FMT_DER;
+ else
+ incert_format = GNUTLS_X509_FMT_PEM;
+
+ if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
+ outcert_format = GNUTLS_X509_FMT_DER;
+ else
+ outcert_format = GNUTLS_X509_FMT_PEM;
+
+ default_dig = GNUTLS_DIG_UNKNOWN;
+ if (HAVE_OPT(HASH))
+ {
+ if (strcasecmp (OPT_ARG(HASH), "md5") == 0)
+ {
+ fprintf (stderr,
+ "Warning: MD5 is broken, and should not be used any more for digital signatures.\n");
+ default_dig = GNUTLS_DIG_MD5;
+ }
+ else if (strcasecmp (OPT_ARG(HASH), "sha1") == 0)
+ default_dig = GNUTLS_DIG_SHA1;
+ else if (strcasecmp (OPT_ARG(HASH), "sha256") == 0)
+ default_dig = GNUTLS_DIG_SHA256;
+ else if (strcasecmp (OPT_ARG(HASH), "sha224") == 0)
+ default_dig = GNUTLS_DIG_SHA224;
+ else if (strcasecmp (OPT_ARG(HASH), "sha384") == 0)
+ default_dig = GNUTLS_DIG_SHA384;
+ else if (strcasecmp (OPT_ARG(HASH), "sha512") == 0)
+ default_dig = GNUTLS_DIG_SHA512;
+ else if (strcasecmp (OPT_ARG(HASH), "rmd160") == 0)
+ default_dig = GNUTLS_DIG_RMD160;
+ else
+ error (EXIT_FAILURE, 0, "invalid hash: %s", OPT_ARG(HASH));
+ }
+
+ gnutls_global_set_log_function (tls_log_func);
+
+ if (HAVE_OPT(DEBUG))
+ {
+ gnutls_global_set_log_level (OPT_VALUE_DEBUG);
+ printf ("Setting log level to %d\n", (int)OPT_VALUE_DEBUG);
+ }
+
+ if ((ret = gnutls_global_init ()) < 0)
+ error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
+
+#ifdef ENABLE_PKCS11
+ pkcs11_common();
+#endif
+
+ memset (&cinfo, 0, sizeof (cinfo));
+
+ if (HAVE_OPT(VERBOSE))
+ cinfo.verbose = 1;
+
+ if (HAVE_OPT(LOAD_PUBKEY))
+ cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
+
+ if (HAVE_OPT(LOAD_CERTIFICATE))
+ cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
+
+ if (HAVE_OPT(TLSA_RR))
+ dane_info (OPT_ARG(HOST), OPT_ARG(PROTO), OPT_VALUE_PORT,
+ HAVE_OPT(CA), HAVE_OPT(LOCAL), &cinfo);
+ else
+ USAGE(1);
+
+ fclose (outfile);
+
+#ifdef ENABLE_PKCS11
+ gnutls_pkcs11_deinit ();
+#endif
+ gnutls_global_deinit ();
+}
+
+static void dane_info(const char* host, const char* proto, unsigned int port,
+ unsigned int ca, unsigned int local, common_info_st * cinfo)
+{
+ gnutls_pubkey_t pubkey;
+ gnutls_x509_crt_t crt;
+ unsigned char digest[64];
+ gnutls_datum_t t;
+ int ret;
+ unsigned int usage, selector, type;
+ size_t size;
+
+ if (proto == NULL)
+ proto = "tcp";
+ if (port == 0)
+ port = 443;
+
+ crt = load_cert (0, cinfo);
+ if (crt != NULL && HAVE_OPT(X509))
+ {
+ selector = 0; /* X.509 */
+
+ size = buffer_size;
+ ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_DER, buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
+
+ gnutls_x509_crt_deinit (crt);
+ }
+ else /* use public key only */
+ {
+ selector = 1;
+
+ ret = gnutls_pubkey_init (&pubkey);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
+
+ if (crt != NULL)
+ {
+
+ ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
+ gnutls_strerror (ret));
+ }
+
+ size = buffer_size;
+ ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_DER, buffer, &size);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_export: %s",
+ gnutls_strerror (ret));
+ }
+
+ gnutls_x509_crt_deinit(crt);
+ }
+ else
+ {
+ pubkey = load_pubkey (1, cinfo);
+
+ size = buffer_size;
+ ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_DER, buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
+ }
+
+ gnutls_pubkey_deinit (pubkey);
+ }
+
+ if (default_dig != GNUTLS_DIG_SHA256 && default_dig != GNUTLS_DIG_SHA512)
+ {
+ if (default_dig != GNUTLS_DIG_UNKNOWN) fprintf(stderr, "Unsupported digest. Assuming SHA256.\n");
+ default_dig = GNUTLS_DIG_SHA256;
+ }
+
+ ret = gnutls_hash_fast(default_dig, buffer, size, digest);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "hash error: %s", gnutls_strerror (ret));
+
+ if (default_dig == GNUTLS_DIG_SHA256)
+ type = 1;
+ else type = 2;
+
+ /* DANE certificate classification crap */
+ if (local==0)
+ {
+ if (ca) usage = 0;
+ else usage = 1;
+ }
+ else
+ {
+ if (ca) usage = 2;
+ else usage = 3;
+ }
+
+ t.data = digest;
+ t.size = gnutls_hash_get_len(default_dig);
+
+ size = buffer_size;
+ ret = gnutls_hex_encode(&t, (void*)buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "hex encode error: %s", gnutls_strerror (ret));
+
+ fprintf(outfile, "_%u._%s.%s. IN TLSA ( %.2x %.2x %.2x %s )\n", port, proto, host, usage, selector, type, buffer);
+
+}
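Review bot: In dane_info, `--x509` is silently ignored when only a public key is loaded: the `crt != NULL && HAVE_OPT(X509)` test falls through to the SPKI branch and emits a selector-1 record, so the user gets a record that does not match the one they asked for, with no diagnostic; guard this before choosing the selector, e.g. `if (crt == NULL && HAVE_OPT(X509)) error (EXIT_FAILURE, 0, "--x509 requires --load-certificate");`. Relatedly, cmd_parser accepts md5/sha1/sha224/sha384/rmd160 for `--hash` (even printing the MD5 signature warning) only for dane_info to replace them with SHA256 at the end; since TLSA matching types are only SHA2-256 and SHA2-512, rejecting the other names in cmd_parser with the existing `error (EXIT_FAILURE, 0, "invalid hash: %s", ...)` path would be clearer than a late warning. Finally, `fclose (outfile)` in cmd_parser discards its return value, so with `--outfile` a write error at flush time leaves a truncated record and exit status 0; check it, e.g. `if (fclose (outfile) != 0) error (EXIT_FAILURE, errno, "%s", HAVE_OPT(OUTFILE) ? OPT_ARG(OUTFILE) : "stdout");`.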