authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-01 15:11:12 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-08-05 10:06:29 +0200
commit918e2bbc4a36ed5d9b0333c1b32ec71bc7522841 (patch)
tree2c600dd92766d4af1fda44440afd43bb171abd02
parentbb3cdfd280671b837b436ab314e30befe67d6684 (diff)
downloadgnutls-918e2bbc4a36ed5d9b0333c1b32ec71bc7522841.tar.gz
certtool: provable private keys are always exported in PKCS#8 form
That allows the provable parameters to be included. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool-common.c18
-rw-r--r--src/certtool-common.h14
-rw-r--r--src/certtool.c4
3 files changed, 15 insertions, 21 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 6a7d983fd7..fa834f83e5 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1286,7 +1286,7 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
if (cinfo->outcert_format == GNUTLS_X509_FMT_PEM)
privkey_info_int(outfile, cinfo, key);
- switch_to_pkcs8_when_needed(cinfo, gnutls_x509_privkey_get_pk_algorithm(key));
+ switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
if (!cinfo->pkcs8) {
@@ -1298,22 +1298,6 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
gnutls_strerror(ret));
app_exit(1);
}
-
- if (cinfo->no_compat == 0 && gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
- gnutls_x509_privkey_set_flags(key, GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);
-
- fwrite(lbuffer, 1, size, outfile);
-
- size = lbuffer_size;
- ret = gnutls_x509_privkey_export(key, cinfo->outcert_format,
- lbuffer, &size);
- if (ret < 0) {
- fprintf(stderr, "privkey_export: %s\n",
- gnutls_strerror(ret));
- app_exit(1);
- }
- }
-
} else {
unsigned int flags = 0;
const char *pass;
diff --git a/src/certtool-common.h b/src/certtool-common.h
index a4a8b5e085..066c98d5fe 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -81,15 +81,25 @@ typedef struct common_info {
} common_info_st;
static inline
-void switch_to_pkcs8_when_needed(common_info_st *cinfo, unsigned key_type)
+void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t key, unsigned key_type)
{
- if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519) && !cinfo->pkcs8) {
+ if (cinfo->pkcs8)
+ return;
+
+ if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519)) {
fprintf(stderr, "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n",
gnutls_pk_algorithm_get_name(key_type));
cinfo->pkcs8 = 1;
if (cinfo->password == NULL)
cinfo->password = "";
}
+
+ if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
+ fprintf(stderr, "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format\n");
+ cinfo->pkcs8 = 1;
+ if (cinfo->password == NULL)
+ cinfo->password = "";
+ }
}
/* this must be provided by the app */
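Review bot: The new `gnutls_x509_privkey_get_seed` branch silently defaults `cinfo->password` to the empty string when it forces PKCS#8, which presumably selects an unencrypted PKCS#8 export further down in print_private_key, yet the warning only says `--pkcs8` is assumed; a user who never asked for PKCS#8 ends up with a plaintext private key on disk without being told. Make the message say so, e.g. `fprintf(stderr, "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format (unencrypted unless --password is given)\n");`, and use the same wording in the RSA-PSS/Ed25519 branch above it. The two branches now repeat the same three lines (`cinfo->pkcs8 = 1;` plus the password default), so a small static helper or a single `if (pkcs8_only_alg || has_seed)` with one message would keep them from drifting apart. The doubled parentheses in `if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519))` are a leftover from the removed `&& !cinfo->pkcs8` and can go.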
diff --git a/src/certtool.c b/src/certtool.c
index 7afbb8297e..f0b154b8c5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -149,8 +149,6 @@ generate_private_key_int(common_info_st * cinfo)
bits = get_bits(key_type, cinfo->bits, cinfo->sec_param, 1);
- switch_to_pkcs8_when_needed(cinfo, key_type);
-
if (key_type == GNUTLS_PK_ECDSA || key_type == GNUTLS_PK_EDDSA_ED25519) {
char name[64];
int ecc_bits;
@@ -197,6 +195,8 @@ generate_private_key_int(common_info_st * cinfo)
app_exit(1);
}
+ switch_to_pkcs8_when_needed(cinfo, key, key_type);
+
if (cinfo->seed_size > 0) {
kdata[kdata_size].type = GNUTLS_KEYGEN_SEED;
kdata[kdata_size].data = (void*)cinfo->seed;
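Review bot: The moved `switch_to_pkcs8_when_needed(cinfo, key, key_type)` call runs its seed probe on `key` before the seed `kdata` entry is even filled in on the following lines, so unless generation already happened above this hunk (generate_private_key_int's body starts outside it) `gnutls_x509_privkey_get_seed` has nothing to report yet and the provable-key detection here appears to be a no-op; only the RSA-PSS/Ed25519 branch can fire at this point. That is harmless because print_private_key repeats the check once the key exists, but a reader will not see why the call was moved here or why it is still needed. A comment would help: `/* key is initialised but not yet generated: only PKCS#8-only algorithms are caught here; provable-seed detection is repeated in print_private_key() */`.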