authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-09-13 11:06:00 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-09-13 11:29:48 +0200
commit690452347a43818559c7c2db848cd160e4a2c612 (patch)
tree0eba39baae821574dfeb00aab313df00cdf4b1f5
parent18c50b936938f572af39f276e1067fa80fcc1d4f (diff)
downloadgnutls-690452347a43818559c7c2db848cd160e4a2c612.tar.gz
certtool: provable key generation was moved to a separate flag that can be combined with --generate-privkey
Also enhanced the test suite with DSA provable key generation/verification.
-rw-r--r--src/certtool-args.def6
-rw-r--r--src/certtool-common.h2
-rw-r--r--src/certtool.c20
-rw-r--r--tests/cert-tests/Makefile.am2
-rw-r--r--tests/cert-tests/provable-dsa2048.pem112
-rwxr-xr-xtests/cert-tests/provable-privkey41
6 files changed, 168 insertions, 15 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 1568fb3c1f..f8fc4aebb6 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -58,9 +58,9 @@ flag = {
};
flag = {
- name = generate-provable-privkey;
- descrip = "Generate a private key from a seed using a provable method";
- doc = "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or allow GnuTLS to generate one (recommended).";
+ name = provable;
+ descrip = "Generate a private key or parameters from a seed using a provable method";
+ doc = "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with --generate-privkey or --generate-dh-params.";
};
flag = {
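Review bot: The new `doc` string promises that `--provable` works with `--generate-dh-params`, but no hunk in this commit passes `cinfo->provable` to DH parameter generation; the only reader added is `generate_private_key_int` in src/certtool.c. Unless that path is handled in code not shown here, `--generate-dh-params --provable` would emit ordinary parameters with no sign that the flag was ignored, which matters to anyone who later relies on the seed to audit them. Conversely, `generate_request` now calls `generate_private_key_int(cinfo)` and so honours the flag, yet the doc does not list `--generate-request`. I would end the doc with `This option can be combined with --generate-privkey or --generate-request.` until DH support is wired up, and have `cmd_parser` print a warning to stderr when `HAVE_OPT(PROVABLE)` is set for an action that does not consume it. The old `generate-provable-privkey` name is also dropped without an alias, so scripts that still call it will fail on upgrade.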
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 58e45bc89d..9ada00aa42 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -54,6 +54,8 @@ typedef struct common_info {
int empty_password;
unsigned int crq_extensions;
unsigned int v1_cert;
+ /* for key generation */
+ unsigned provable;
const char *pin;
const char *so_pin;
diff --git a/src/certtool.c b/src/certtool.c
index 26baf043eb..483c486eb8 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -109,10 +109,11 @@ int main(int argc, char **argv)
}
static gnutls_x509_privkey_t
-generate_private_key_int(common_info_st * cinfo, unsigned provable)
+generate_private_key_int(common_info_st * cinfo)
{
gnutls_x509_privkey_t key;
int ret, key_type, bits;
+ unsigned provable = cinfo->provable;
unsigned flags = 0;
key_type = req_key_type;
@@ -252,11 +253,11 @@ print_private_key(common_info_st * cinfo, gnutls_x509_privkey_t key)
fwrite(lbuffer, 1, size, outfile);
}
-static void generate_private_key(common_info_st * cinfo, unsigned provable)
+static void generate_private_key(common_info_st * cinfo)
{
gnutls_x509_privkey_t key;
- key = generate_private_key_int(cinfo, provable);
+ key = generate_private_key_int(cinfo);
print_private_key(cinfo, key);
@@ -1080,7 +1081,7 @@ static void cmd_parser(int argc, char **argv)
stdlog = stderr;
}
- if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_PROVABLE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST) ||
+ if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST) ||
HAVE_OPT(KEY_INFO) || HAVE_OPT(PGP_KEY_INFO))
privkey_op = 1;
@@ -1260,7 +1261,7 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(PASSWORD)) {
cinfo.password = OPT_ARG(PASSWORD);
- if ((HAVE_OPT(GENERATE_PRIVKEY)||HAVE_OPT(GENERATE_PROVABLE_PRIVKEY)) && cinfo.pkcs8 == 0) {
+ if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0) {
fprintf(stderr, "Assuming PKCS #8 format...\n");
cinfo.pkcs8 = 1;
}
@@ -1271,6 +1272,9 @@ static void cmd_parser(int argc, char **argv)
cinfo.password = "";
}
+ if (HAVE_OPT(PROVABLE))
+ cinfo.provable = 1;
+
if (HAVE_OPT(EMPTY_PASSWORD)) {
cinfo.empty_password = 1;
cinfo.password = "";
@@ -1287,9 +1291,7 @@ static void cmd_parser(int argc, char **argv)
else if (HAVE_OPT(UPDATE_CERTIFICATE))
update_signed_certificate(&cinfo);
else if (HAVE_OPT(GENERATE_PRIVKEY))
- generate_private_key(&cinfo, 0);
- else if (HAVE_OPT(GENERATE_PROVABLE_PRIVKEY))
- generate_private_key(&cinfo, 1);
+ generate_private_key(&cinfo);
else if (HAVE_OPT(GENERATE_REQUEST))
generate_request(&cinfo);
else if (HAVE_OPT(VERIFY_PROVABLE_PRIVKEY))
@@ -2104,7 +2106,7 @@ void generate_request(common_info_st * cinfo)
exit(1);
}
- xkey = generate_private_key_int(cinfo, 0);
+ xkey = generate_private_key_int(cinfo);
print_private_key(cinfo, xkey);
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 4851e79ff9..cb10399f2b 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -34,7 +34,7 @@ EXTRA_DIST = ca-no-pathlen.pem no-ca-or-pathlen.pem aki-cert.pem \
pkcs7-detached.txt p7-combined.out template-generalized.pem \
template-generalized.tmpl privkey1.pem privkey2.pem privkey3.pem \
name-constraints-ip.pem cert-invalid-utf8.der very-long-dn.pem \
- provable3072.pem provable2048.pem
+ provable3072.pem provable2048.pem provable-dsa2048.pem
dist_check_SCRIPTS = pathlen aki pem-decoding certtool invalid-sig email \
pkcs7 privkey-import name-constraints certtool-long-cn crl provable-privkey
diff --git a/tests/cert-tests/provable-dsa2048.pem b/tests/cert-tests/provable-dsa2048.pem
new file mode 100644
index 0000000000..2c3528b70c
--- /dev/null
+++ b/tests/cert-tests/provable-dsa2048.pem
@@ -0,0 +1,112 @@
+Public Key Info:
+ Public Key Algorithm: DSA
+ Key Security Level: Medium (2048 bits)
+
+private key:
+ 60:99:ed:e0:cf:71:01:03:8a:8b:c7:92:e3:36:14:
+ c3:6d:82:72:1a:4d:58:2f:41:24:af:52:cf:b0:fb:
+ de:b9:
+
+public key:
+ 00:ac:74:2a:cc:27:a8:8c:0e:eb:07:86:85:fa:e1:
+ 0d:60:66:a0:e1:5c:d9:b0:8d:be:f6:5a:c4:bc:68:
+ 50:9b:cf:72:26:95:a7:0d:e6:5a:dd:fe:0d:0d:eb:
+ 9f:40:08:15:af:3a:ab:b4:f8:db:99:a4:fd:e1:e3:
+ 21:67:58:6a:ea:56:18:8f:b5:45:00:39:e4:23:04:
+ 73:89:b8:7c:5f:65:e5:e9:77:ea:1e:0e:a0:ca:5c:
+ 49:1d:a6:3b:0e:12:f4:a7:a3:19:70:5b:76:c1:eb:
+ 99:ef:6b:76:74:46:b3:e4:fc:e4:98:d6:c5:01:e6:
+ 50:7e:78:5f:e3:e1:7b:23:cf:9f:19:85:e8:99:18:
+ c0:a8:15:c3:c1:e8:2c:00:55:65:f7:19:3b:58:51:
+ 53:02:85:73:18:d3:13:d9:03:07:2c:77:c8:ec:a0:
+ 68:ef:91:da:da:3c:be:2f:13:3c:2e:ec:7a:3d:76:
+ 94:37:71:68:0a:25:ba:88:28:ae:8d:7d:e6:dd:ee:
+ 71:89:8b:a6:fc:eb:1d:13:4e:75:8a:d1:aa:21:7d:
+ b8:c2:48:a2:3f:73:d8:b0:0f:da:1d:e4:61:d0:45:
+ 19:34:93:e2:dc:a0:01:2c:82:6e:de:35:24:1b:7a:
+ 8e:6e:36:cb:da:05:da:5a:9d:69:43:1c:d9:bb:2e:
+ 8c:b2:
+
+p:
+ 00:d5:14:73:3a:54:d9:a7:56:d8:b3:75:79:3c:ea:
+ 7b:1a:eb:23:53:6e:1e:50:64:21:34:13:84:ca:2d:
+ dd:4c:38:c9:72:a4:99:2d:79:eb:06:59:a8:ab:9b:
+ c2:f4:ba:be:51:8f:53:e0:d3:42:f7:5f:19:b8:c8:
+ bb:4c:53:d3:02:95:ee:84:c5:e9:b4:0d:93:ff:26:
+ 01:d9:61:de:a6:28:1c:b8:3c:57:2b:9a:4b:a1:ff:
+ 5f:d4:b1:f4:e7:90:6c:43:b8:43:ad:3a:c8:7d:59:
+ 35:9c:8f:1b:fd:7a:17:50:6f:67:6c:46:63:f4:c8:
+ e5:86:28:d6:1b:88:45:aa:01:e5:5c:23:19:89:58:
+ d4:f8:03:e5:eb:b0:4d:0f:71:81:53:69:40:d3:0a:
+ 79:02:5e:76:6e:52:c6:5b:b8:9e:f8:23:d1:2a:68:
+ b0:ad:c5:47:50:d8:2a:e8:73:0f:63:0c:d0:67:8c:
+ ba:5a:9a:98:5e:96:79:e5:2a:d6:f0:76:04:66:55:
+ 0f:ee:2d:2d:a7:04:5c:0b:b8:ef:05:a4:c0:a8:c3:
+ 5d:cd:32:07:ca:ca:1b:2e:6f:8b:da:e6:c6:11:33:
+ cf:8a:62:15:51:05:4e:3e:63:1f:71:b7:fb:1e:b3:
+ b9:62:3a:dd:15:2a:ba:26:d4:db:e1:f4:d7:90:00:
+ 60:b7:
+
+q:
+ 00:bc:8b:63:e3:5f:ba:ee:3d:24:fa:2f:d9:a1:a7:
+ 68:32:b2:38:b2:4b:8e:72:09:12:ec:1e:f3:8b:ef:
+ d7:9a:df:
+
+g:
+ 22:15:6d:4f:b4:54:cb:17:dc:96:ce:4b:34:8d:86:
+ 40:0c:f5:42:46:7d:5a:2d:68:6a:5d:ca:86:42:de:
+ 32:23:89:0a:cf:e4:3b:c2:7a:48:77:19:55:88:a1:
+ bd:7b:cb:94:3e:44:67:c8:4c:cb:d3:94:d0:ab:f2:
+ b0:2a:e5:60:c5:de:fd:b6:68:3d:9c:82:e9:31:11:
+ 64:dc:ca:4f:82:e8:bc:d9:06:8f:ad:0d:cd:4a:79:
+ b6:02:ea:9b:3e:ad:e5:50:7f:e2:d8:0d:ae:3a:c9:
+ 09:ca:d1:27:5e:fe:f6:33:bb:a1:fb:ba:af:a6:74:
+ 56:da:b3:b6:54:38:7d:49:82:b0:5d:c8:3a:3a:3f:
+ 0f:a8:a9:14:3f:90:da:a7:5c:5f:d0:a7:d1:e6:5f:
+ d3:66:19:f1:6b:be:a4:f2:eb:43:84:d3:1a:a6:b4:
+ f2:d6:b6:75:a9:dd:21:c5:93:38:09:45:d6:4e:30:
+ 96:1d:34:d2:55:a7:56:db:3c:94:4a:1e:40:e9:4d:
+ b9:45:ce:84:af:e4:92:a8:24:64:56:93:e7:7c:37:
+ 2c:45:9d:9e:d8:01:da:51:df:dd:60:06:ce:ce:78:
+ 32:62:c7:22:7b:a5:fb:6f:26:53:bf:d3:ea:6b:25:
+ 3c:7d:cc:90:2c:7e:a6:51:56:b0:4b:de:57:9c:02:
+ 54:
+
+
+Seed: 84:31:21:BD:89:53:5E:E8:69:46:D5:8D:24:6D:47:A5:8D:15:76:A8:35:1B:42:23:E1:CF:F3:69:A1:26:6D:2B:24:B0:72:9D:7C:A5:67:87:FD:E2:E3:DE:19:B9:F2:E7:21:AC:69:8A:29:61:77:32:E7:75:6F:5A:E4:58:0B:E1:79
+Public Key ID: 7D:25:74:11:CA:E8:48:99:C5:1D:9F:6C:E7:A3:27:12:A2:E9:55:FA
+Public key's random art:
++--[ DSA 2048]----+
+| ...o.+o |
+| +.+.= . |
+| + . + * .|
+| . + + o |
+| S.oo. ..|
+| o +.. . .|
+| o o . o . |
+| . . . . o |
+| . E |
++-----------------+
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIDqAIBAAKCAQEA1RRzOlTZp1bYs3V5POp7GusjU24eUGQhNBOEyi3dTDjJcqSZ
+LXnrBlmoq5vC9Lq+UY9T4NNC918ZuMi7TFPTApXuhMXptA2T/yYB2WHepigcuDxX
+K5pLof9f1LH055BsQ7hDrTrIfVk1nI8b/XoXUG9nbEZj9MjlhijWG4hFqgHlXCMZ
+iVjU+APl67BND3GBU2lA0wp5Al52blLGW7ie+CPRKmiwrcVHUNgq6HMPYwzQZ4y6
+WpqYXpZ55SrW8HYEZlUP7i0tpwRcC7jvBaTAqMNdzTIHysobLm+L2ubGETPPimIV
+UQVOPmMfcbf7HrO5YjrdFSq6JtTb4fTXkABgtwIhALyLY+Nfuu49JPov2aGnaDKy
+OLJLjnIJEuwe84vv15rfAoIBACIVbU+0VMsX3JbOSzSNhkAM9UJGfVotaGpdyoZC
+3jIjiQrP5DvCekh3GVWIob17y5Q+RGfITMvTlNCr8rAq5WDF3v22aD2cgukxEWTc
+yk+C6LzZBo+tDc1KebYC6ps+reVQf+LYDa46yQnK0Sde/vYzu6H7uq+mdFbas7ZU
+OH1JgrBdyDo6Pw+oqRQ/kNqnXF/Qp9HmX9NmGfFrvqTy60OE0xqmtPLWtnWp3SHF
+kzgJRdZOMJYdNNJVp1bbPJRKHkDpTblFzoSv5JKoJGRWk+d8NyxFnZ7YAdpR391g
+Bs7OeDJixyJ7pftvJlO/0+prJTx9zJAsfqZRVrBL3lecAlQCggEBAKx0KswnqIwO
+6weGhfrhDWBmoOFc2bCNvvZaxLxoUJvPciaVpw3mWt3+DQ3rn0AIFa86q7T425mk
+/eHjIWdYaupWGI+1RQA55CMEc4m4fF9l5el36h4OoMpcSR2mOw4S9KejGXBbdsHr
+me9rdnRGs+T85JjWxQHmUH54X+PheyPPnxmF6JkYwKgVw8HoLABVZfcZO1hRUwKF
+cxjTE9kDByx3yOygaO+R2to8vi8TPC7sej12lDdxaAoluogoro195t3ucYmLpvzr
+HRNOdYrRqiF9uMJIoj9z2LAP2h3kYdBFGTST4tygASyCbt41JBt6jm42y9oF2lqd
+aUMc2bsujLICIGCZ7eDPcQEDiovHkuM2FMNtgnIaTVgvQSSvUs+w+965oVAwTgYJ
+YIZIAWUDBAICBEGEMSG9iVNe6GlG1Y0kbUeljRV2qDUbQiPhz/NpoSZtKySwcp18
+pWeH/eLj3hm58uchrGmKKWF3Mud1b1rkWAvheQ==
+-----END DSA PRIVATE KEY-----
diff --git a/tests/cert-tests/provable-privkey b/tests/cert-tests/provable-privkey
index 713dac0847..ccb596ac59 100755
--- a/tests/cert-tests/provable-privkey
+++ b/tests/cert-tests/provable-privkey
@@ -29,6 +29,7 @@ if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
fi
+#RSA keys
${VALGRIND} "${CERTTOOL}" --verify-provable-privkey --load-privkey "${srcdir}/provable2048.pem"
rc=$?
@@ -45,7 +46,7 @@ if test "${rc}" != "0"; then
exit 1
fi
-${VALGRIND} "${CERTTOOL}" --generate-provable-privkey --bits 2048 --seed "AF:BF:D6:96:BA:5D:05:E3:78:A9:4B:BF:E2:95:BA:F9:94:AC:B8:7F:BC:C8:ED:FF:7A:48:EE:4F" --outfile $OUTFILE
+${VALGRIND} "${CERTTOOL}" --generate-privkey --provable --bits 2048 --seed "AF:BF:D6:96:BA:5D:05:E3:78:A9:4B:BF:E2:95:BA:F9:94:AC:B8:7F:BC:C8:ED:FF:7A:48:EE:4F" --outfile $OUTFILE
rc=$?
if test "${rc}" != "0"; then
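Review bot: `$OUTFILE` is left unquoted on the rewritten certtool command line in this hunk and in the next one, while the DSA block added at the end of the script quotes it. Writing `--outfile "$OUTFILE"` in both places keeps the script consistent and avoids word splitting if the temporary path ever contains whitespace. How OUTFILE is assigned is outside the visible hunks, so whether this can happen in practice is not clear from here.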
@@ -69,7 +70,7 @@ if test "${rc}" != "0"; then
exit 1
fi
-${VALGRIND} "${CERTTOOL}" --generate-provable-privkey --seed "AF:BF:D6:96:BA:5D:05:E3:78:A9:4B:BF:E2:95:BA:F9:94:AC:B8:7F:BC:C8:ED:FF:7A:48:EE:4F" --outfile $OUTFILE
+${VALGRIND} "${CERTTOOL}" --generate-privkey --provable --seed "AF:BF:D6:96:BA:5D:05:E3:78:A9:4B:BF:E2:95:BA:F9:94:AC:B8:7F:BC:C8:ED:FF:7A:48:EE:4F" --outfile $OUTFILE
rc=$?
if test "${rc}" != "0"; then
@@ -77,4 +78,40 @@ if test "${rc}" != "0"; then
exit 1
fi
+#DSA keys
+${VALGRIND} "${CERTTOOL}" --verify-provable-privkey --load-privkey "${srcdir}/provable-dsa2048.pem"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not verify the 2048-bit DSA key"
+ exit 1
+fi
+
+SEED="5A:0E:A0:41:77:9B:0A:B7:65:BE:25:09:C4:DE:90:E5:A0:E7:DA:AD:AE:6E:49:D3:59:38:F9:13:33:A8:E1:FE:50:9D:D2:DF:E1:96:7C:D0:04:54:28:10:34:97:D0:03:88:C8:CE:36:29:0F:E9:37:9F:80:03:CB:F8:FD:A4:DA:27"
+${VALGRIND} "${CERTTOOL}" --generate-privkey --provable --bits 2048 --dsa --seed "$SEED" --outfile "$OUTFILE"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not generate a 2048-bit DSA key"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" --verify-provable-privkey --load-privkey "$OUTFILE"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not verify the generated key 1"
+ exit 1
+fi
+
+${VALGRIND} "${CERTTOOL}" --verify-provable-privkey --load-privkey "$OUTFILE" --seed "$SEED"
+rc=$?
+
+if test "${rc}" != "0"; then
+ echo "Could not verify the generated key 2"
+ exit 1
+fi
+
+rm -f "$OUTFILE"
+
exit 0
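Review bot: The DSA block only exercises the accepting path: both `--verify-provable-privkey` calls are expected to succeed, so a verifier that ignored `--seed` entirely would still pass this test. A negative case that supplies a seed differing in one byte and expects a non-zero exit would pin the property that provable verification is meant to give, assuming `--seed` is compared against the key's stored seed as the "generated key 2" step suggests. Separately, the failure branches `exit 1` before `rm -f "$OUTFILE"`, so a failed run leaves the generated private key on disk; it is only a test key, but removing it on those paths is cheap.

```shell
# … unchanged: verification of "$OUTFILE" with the correct "$SEED" …

# a seed that differs in the first byte must be rejected
WRONG_SEED="00:${SEED#*:}"
${VALGRIND} "${CERTTOOL}" --verify-provable-privkey --load-privkey "$OUTFILE" --seed "$WRONG_SEED"
rc=$?

if test "${rc}" = "0"; then
	echo "Verification unexpectedly succeeded with a wrong seed"
	rm -f "$OUTFILE"
	exit 1
fi

rm -f "$OUTFILE"
```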