author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-08 14:40:15 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-08 14:43:38 +0100 |
commit | 3bc609cda52fdb7ccdb22f564b824b6073e7446c (patch) | |
tree | d8ccdc4274cacb272d69756e537d0826f2887fb0 | |
parent | b095508def0b718137561a7d4743489a2a5193ca (diff) | |
certtool: enhance to allow writing CRLs in PKCS#12 files
In addition, fall back to DER when --load-crl fails to import a PEM-encoded
CRL due to PEM issues.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | src/certtool-common.c | 3 | ||||
-rw-r--r-- | src/certtool.c | 42 |
2 files changed, 43 insertions, 2 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 85196629bf..0f47be53b0 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -477,6 +477,9 @@ gnutls_x509_crl_t *load_crl_list(int mand, size_t * crl_size,
 	dat.size = size;
 
 	ret = gnutls_x509_crl_list_import2(&crl, &crl_max, &dat, GNUTLS_X509_FMT_PEM, 0);
+	if (ret == GNUTLS_E_BASE64_DECODING_ERROR) {
+		ret = gnutls_x509_crl_list_import2(&crl, &crl_max, &dat, GNUTLS_X509_FMT_DER, 0);
+	}
 	if (ret < 0) {
 		fprintf(stderr, "Error loading CRLs: %s\n", gnutls_strerror(ret));
 		exit(1);
diff --git a/src/certtool.c b/src/certtool.c
index e3b850165d..8a99dc7fce 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -3007,6 +3007,7 @@ void generate_pkcs8(common_info_st * cinfo)
 void generate_pkcs12(common_info_st * cinfo)
 {
 	gnutls_pkcs12_t pkcs12;
+	gnutls_x509_crl_t *crls;
 	gnutls_x509_crt_t *crts, ca_crt;
 	gnutls_x509_privkey_t *keys;
 	int result;
@@ -3020,6 +3021,7 @@ void generate_pkcs12(common_info_st * cinfo)
 	int indx;
 	size_t ncrts;
 	size_t nkeys;
+	size_t ncrls;
 
 	fprintf(stderr, "Generating a PKCS #12 structure...\n");
 
@@ -3027,8 +3029,10 @@ void generate_pkcs12(common_info_st * cinfo)
 	crts = load_cert_list(0, &ncrts, cinfo);
 	ca_crt = load_ca_cert(0, cinfo);
 
-	if (keys == NULL && crts == NULL && ca_crt == NULL) {
-		fprintf(stderr, "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n");
+	crls = load_crl_list(0, &ncrls, cinfo);
+
+	if (keys == NULL && crts == NULL && ca_crt == NULL && crls == NULL) {
+		fprintf(stderr, "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n\t--load-crl\n");
 		exit(1);
 	}
 
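Review bot: When the DER retry inside the new `if (ret == GNUTLS_E_BASE64_DECODING_ERROR)` block also fails, the `Error loading CRLs:` message that follows reports the DER error and the original PEM diagnosis is lost, so a corrupt PEM file is reported as a DER parsing problem. Keeping the first code, `int pem_ret = ret;` before the retry and `if (ret < 0) ret = pem_ret;` after it, preserves the more useful message for the user. It is also worth confirming that a failed PEM import leaves `crl` and `crl_max` untouched so the retry does not build on a partially filled list; the start of load_crl_list, including those declarations, is outside the hunk.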
@@ -3114,6 +3118,40 @@ void generate_pkcs12(common_info_st * cinfo)
 		gnutls_pkcs12_bag_deinit(bag);
 	}
 
+	/* add any CRLs */
+	for (i = 0; i < ncrls; i++) {
+		gnutls_pkcs12_bag_t bag;
+
+		result = gnutls_pkcs12_bag_init(&bag);
+		if (result < 0) {
+			fprintf(stderr, "bag_init: %s\n",
+				gnutls_strerror(result));
+			exit(1);
+		}
+
+		result = gnutls_pkcs12_bag_set_crl(bag, crls[i]);
+		if (result < 0) {
+			fprintf(stderr, "set_crl[%d]: %s\n", i,
+				gnutls_strerror(result));
+			exit(1);
+		}
+
+		result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
+		if (result < 0) {
+			fprintf(stderr, "bag_encrypt: %s\n",
+				gnutls_strerror(result));
+			exit(1);
+		}
+
+		result = gnutls_pkcs12_set_bag(pkcs12, bag);
+		if (result < 0) {
+			fprintf(stderr, "set_bag: %s\n",
+				gnutls_strerror(result));
+			exit(1);
+		}
+		gnutls_pkcs12_bag_deinit(bag);
+	}
+
 	/* Add the ca cert, if any */
 	if (ca_crt) {
 		gnutls_pkcs12_bag_t bag;
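Review bot: The new loop `for (i = 0; i < ncrls; i++)` reads `ncrls` even when `load_crl_list(0, &ncrls, cinfo)` returned NULL because no --load-crl was given; unless that helper stores 0 into `*crl_size` before its early return (its body is not in this diff), the bound is an uninitialized size_t and the loop would index a NULL `crls`. A guard that does not depend on the helper is to declare `size_t ncrls = 0;` in the earlier declaration hunk, or to wrap the loop in `if (crls != NULL)`. `i` is printed with `%d`, so it appears to be an int compared against a size_t, which mirrors the certificate loop ending at the top of this hunk but deserves a `-Wsign-compare` check. The bag_init/set/encrypt/set_bag/deinit sequence duplicates that certificate loop almost line for line; a small static helper would keep the two paths in sync. generate_pkcs12 continues past the end of the hunk.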