authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-08 16:55:38 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-08 16:56:15 +0200
commit68be536de1bad4d224f4db6b40f6bdf1e7341445 (patch)
tree62e0e842cf5312d29e80d4246df80d18056c32ee /src
parent76f3f3783b06a111661ce06a593bffd30d51637e (diff)
downloadgnutls-68be536de1bad4d224f4db6b40f6bdf1e7341445.tar.gz
Certtool can generate a DANE RR entry.
Diffstat (limited to 'src')
-rw-r--r--src/certtool-args.c204
-rw-r--r--src/certtool-args.def62
-rw-r--r--src/certtool-args.h24
-rw-r--r--src/certtool.c90
4 files changed, 346 insertions, 34 deletions
diff --git a/src/certtool-args.c b/src/certtool-args.c
index 269adc5138..cfc38ae54b 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.c)
*
- * It has been AutoGen-ed August 4, 2012 at 12:13:08 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 8, 2012 at 04:53:23 PM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* certtool option static const strings
*/
-static char const certtool_opt_strs[4658] =
+static char const certtool_opt_strs[5116] =
/* 0 */ "certtool @VERSION@\n"
"Copyright (C) 2000-2012 Free Software Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -245,23 +245,43 @@ static char const certtool_opt_strs[4658] =
/* 4044 */ "Cipher to use for PKCS #8 and #12 operations\0"
/* 4089 */ "PKCS_CIPHER\0"
/* 4101 */ "pkcs-cipher\0"
-/* 4113 */ "Display extended usage information and exit\0"
-/* 4157 */ "help\0"
-/* 4162 */ "Extended usage information passed thru pager\0"
-/* 4207 */ "more-help\0"
-/* 4217 */ "Output version information and exit\0"
-/* 4253 */ "version\0"
-/* 4261 */ "CERTTOOL\0"
-/* 4270 */ "certtool - GnuTLS PKCS #11 tool - Ver. @VERSION@\n"
+/* 4113 */ "Print the DANE RR data on a certificate or public key\0"
+/* 4167 */ "DANE_RR\0"
+/* 4175 */ "dane-rr\0"
+/* 4183 */ "Specify the hostname to be used in the DANE RR\0"
+/* 4230 */ "DANE_HOST\0"
+/* 4240 */ "dane-host\0"
+/* 4250 */ "The protocol set for DANE data (tcp, udp etc.)\0"
+/* 4297 */ "DANE_PROTO\0"
+/* 4308 */ "dane-proto\0"
+/* 4319 */ "Specify the port number for the DANE data.\0"
+/* 4362 */ "DANE_PORT\0"
+/* 4372 */ "dane-port\0"
+/* 4382 */ "Whether the provided certificate or public key is a Certificate\n"
+ "authority.\0"
+/* 4457 */ "DANE_CA\0"
+/* 4465 */ "dane-ca\0"
+/* 4473 */ "Whether the provided certificate or public key is an unsigned local\n"
+ "entity.\0"
+/* 4549 */ "DANE_LOCAL\0"
+/* 4560 */ "dane-local\0"
+/* 4571 */ "Display extended usage information and exit\0"
+/* 4615 */ "help\0"
+/* 4620 */ "Extended usage information passed thru pager\0"
+/* 4665 */ "more-help\0"
+/* 4675 */ "Output version information and exit\0"
+/* 4711 */ "version\0"
+/* 4719 */ "CERTTOOL\0"
+/* 4728 */ "certtool - GnuTLS PKCS #11 tool - Ver. @VERSION@\n"
"USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 4377 */ "bug-gnutls@gnu.org\0"
-/* 4396 */ "\n\n\0"
-/* 4399 */ "\n"
+/* 4835 */ "bug-gnutls@gnu.org\0"
+/* 4854 */ "\n\n\0"
+/* 4857 */ "\n"
"Tool to parse and generate X.509 certificates, requests and private keys.\n"
"It can be used interactively or non interactively by specifying the\n"
"template command line option.\n\0"
-/* 4573 */ "certtool @VERSION@\0"
-/* 4592 */ "certtool [options] [url]\n"
+/* 5031 */ "certtool @VERSION@\0"
+/* 5050 */ "certtool [options] [url]\n"
"certtool --help for usage instructions.\n";
/*
@@ -725,13 +745,67 @@ static int const aTo_P12MustList[] = {
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
+ * dane-rr option description with
+ * "Must also have options" and "Incompatible options":
+ */
+#define DANE_RR_DESC (certtool_opt_strs+4113)
+#define DANE_RR_NAME (certtool_opt_strs+4167)
+#define DANE_RR_name (certtool_opt_strs+4175)
+static int const aDane_RrMustList[] = {
+ INDEX_OPT_DANE_HOST, NO_EQUIVALENT };
+#define DANE_RR_FLAGS (OPTST_DISABLED)
+
+/*
+ * dane-host option description:
+ */
+#define DANE_HOST_DESC (certtool_opt_strs+4183)
+#define DANE_HOST_NAME (certtool_opt_strs+4230)
+#define DANE_HOST_name (certtool_opt_strs+4240)
+#define DANE_HOST_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * dane-proto option description:
+ */
+#define DANE_PROTO_DESC (certtool_opt_strs+4250)
+#define DANE_PROTO_NAME (certtool_opt_strs+4297)
+#define DANE_PROTO_name (certtool_opt_strs+4308)
+#define DANE_PROTO_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * dane-port option description:
+ */
+#define DANE_PORT_DESC (certtool_opt_strs+4319)
+#define DANE_PORT_NAME (certtool_opt_strs+4362)
+#define DANE_PORT_name (certtool_opt_strs+4372)
+#define DANE_PORT_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
+
+/*
+ * dane-ca option description:
+ */
+#define DANE_CA_DESC (certtool_opt_strs+4382)
+#define DANE_CA_NAME (certtool_opt_strs+4457)
+#define DANE_CA_name (certtool_opt_strs+4465)
+#define DANE_CA_FLAGS (OPTST_DISABLED)
+
+/*
+ * dane-local option description:
+ */
+#define DANE_LOCAL_DESC (certtool_opt_strs+4473)
+#define DANE_LOCAL_NAME (certtool_opt_strs+4549)
+#define DANE_LOCAL_name (certtool_opt_strs+4560)
+#define DANE_LOCAL_FLAGS (OPTST_DISABLED)
+
+/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (certtool_opt_strs+4113)
-#define HELP_name (certtool_opt_strs+4157)
+#define HELP_DESC (certtool_opt_strs+4571)
+#define HELP_name (certtool_opt_strs+4615)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (certtool_opt_strs+4162)
-#define MORE_HELP_name (certtool_opt_strs+4207)
+#define MORE_HELP_DESC (certtool_opt_strs+4620)
+#define MORE_HELP_name (certtool_opt_strs+4665)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC NULL
@@ -744,8 +818,8 @@ static int const aTo_P12MustList[] = {
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (certtool_opt_strs+4217)
-#define VER_name (certtool_opt_strs+4253)
+#define VER_DESC (certtool_opt_strs+4675)
+#define VER_name (certtool_opt_strs+4711)
/*
* Declare option callback procedures
*/
@@ -1415,6 +1489,78 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PKCS_CIPHER_DESC, PKCS_CIPHER_NAME, PKCS_CIPHER_name,
/* disablement strs */ NULL, NULL },
+ { /* entry idx, value */ 54, VALUE_OPT_DANE_RR,
+ /* equiv idx, value */ 54, VALUE_OPT_DANE_RR,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_RR_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-rr */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ aDane_RrMustList, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_RR_DESC, DANE_RR_NAME, DANE_RR_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 55, VALUE_OPT_DANE_HOST,
+ /* equiv idx, value */ 55, VALUE_OPT_DANE_HOST,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_HOST_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-host */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_HOST_DESC, DANE_HOST_NAME, DANE_HOST_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 56, VALUE_OPT_DANE_PROTO,
+ /* equiv idx, value */ 56, VALUE_OPT_DANE_PROTO,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_PROTO_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-proto */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_PROTO_DESC, DANE_PROTO_NAME, DANE_PROTO_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 57, VALUE_OPT_DANE_PORT,
+ /* equiv idx, value */ 57, VALUE_OPT_DANE_PORT,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_PORT_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-port */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ optionNumericVal,
+ /* desc, NAME, name */ DANE_PORT_DESC, DANE_PORT_NAME, DANE_PORT_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 58, VALUE_OPT_DANE_CA,
+ /* equiv idx, value */ 58, VALUE_OPT_DANE_CA,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_CA_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-ca */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_CA_DESC, DANE_CA_NAME, DANE_CA_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 59, VALUE_OPT_DANE_LOCAL,
+ /* equiv idx, value */ 59, VALUE_OPT_DANE_LOCAL,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_LOCAL_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-local */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_LOCAL_DESC, DANE_LOCAL_NAME, DANE_LOCAL_name,
+ /* disablement strs */ NULL, NULL },
+
{ /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
/* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_VERSION,
/* equivalenced to */ NO_EQUIVALENT,
@@ -1459,14 +1605,14 @@ static tOptDesc optDesc[OPTION_CT] = {
*
* Define the certtool Option Environment
*/
-#define zPROGNAME (certtool_opt_strs+4261)
-#define zUsageTitle (certtool_opt_strs+4270)
+#define zPROGNAME (certtool_opt_strs+4719)
+#define zUsageTitle (certtool_opt_strs+4728)
#define zRcName NULL
#define apzHomeList NULL
-#define zBugsAddr (certtool_opt_strs+4377)
-#define zExplain (certtool_opt_strs+4396)
-#define zDetail (certtool_opt_strs+4399)
-#define zFullVersion (certtool_opt_strs+4573)
+#define zBugsAddr (certtool_opt_strs+4835)
+#define zExplain (certtool_opt_strs+4854)
+#define zDetail (certtool_opt_strs+4857)
+#define zFullVersion (certtool_opt_strs+5031)
/* extracted from optcode.tlib near line 350 */
#if defined(ENABLE_NLS)
@@ -1480,7 +1626,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define certtool_full_usage (NULL)
-#define certtool_short_usage (certtool_opt_strs+4592)
+#define certtool_short_usage (certtool_opt_strs+5050)
#endif /* not defined __doxygen__ */
@@ -1697,7 +1843,7 @@ tOptions certtoolOptions = {
NO_EQUIVALENT, /* '-#' option index */
NO_EQUIVALENT /* index of default opt */
},
- 57 /* full option count */, 54 /* user option count */,
+ 63 /* full option count */, 60 /* user option count */,
certtool_full_usage, certtool_short_usage,
NULL, NULL,
PKGDATADIR, certtool_packager_info
diff --git a/src/certtool-args.def b/src/certtool-args.def
index f802dcc255..ac40d78a45 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -353,6 +353,49 @@ flag = {
doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
};
+flag = {
+ name = dane-rr;
+ descrip = "Print the DANE RR data on a certificate or public key";
+ flags_must = dane-host;
+ doc = "This command prints the DANE RR data needed to enable DANE on a DNS server.";
+};
+
+flag = {
+ name = dane-host;
+ descrip = "Specify the hostname to be used in the DANE RR";
+ arg-type = string;
+ arg-name = "Hostname";
+ doc = "This command sets the hostname for the DANE RR.";
+};
+
+flag = {
+ name = dane-proto;
+ descrip = "The protocol set for DANE data (tcp, udp etc.)";
+ arg-type = string;
+ arg-name = "Protocol";
+ doc = "This command specifies the protocol for the service set in the DANE data.";
+};
+
+flag = {
+ name = dane-port;
+ arg-type = number;
+ descrip = "Specify the port number for the DANE data.";
+ default-value = 443;
+ doc = "";
+};
+
+flag = {
+ name = dane-ca;
+ descrip = "Whether the provided certificate or public key is a Certificate authority.";
+ doc = "Marks the DANE RR as a CA certificate if specified.";
+};
+
+flag = {
+ name = dane-local;
+ descrip = "Whether the provided certificate or public key is an unsigned local entity.";
+ doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local entity.";
+};
+
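Review bot: The `dane-port` flag block sets `default-value = 443;`, but the generated descriptor in certtool-args.c still carries `{ NULL }` in the option's argument slot and certtool.c compensates with `if (port == 0) port = 443;`, which suggests AutoGen did not pick the attribute up — I believe the attribute it recognises is `arg-default`, worth confirming so the default also shows in `--help`. The code likewise falls back to `tcp` when `dane-proto` is absent, so the definition could state that default too and keep the two sources in agreement. The `doc` string for `dane-port` is empty; suggest `doc = "Specifies the port number of the service the DANE record refers to; defaults to 443.";`.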
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
@@ -481,6 +524,25 @@ To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
+
+@subheading DANE RR generation
+To create a DANE resource record for a CA signed certificate use the following commands.
+
+@example
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem
+@end example
+
+For a self signed certificate use:
+@example
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-local
+@end example
+
+In order to create a record for the signer of your certificate use:
+@example
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-ca
+@end example
_EOT_;
};
diff --git a/src/certtool-args.h b/src/certtool-args.h
index b7d9f6ede7..429b67a900 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.h)
*
- * It has been AutoGen-ed August 4, 2012 at 12:13:08 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 8, 2012 at 04:53:23 PM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -121,12 +121,18 @@ typedef enum {
INDEX_OPT_DISABLE_QUICK_RANDOM = 51,
INDEX_OPT_TEMPLATE = 52,
INDEX_OPT_PKCS_CIPHER = 53,
- INDEX_OPT_VERSION = 54,
- INDEX_OPT_HELP = 55,
- INDEX_OPT_MORE_HELP = 56
+ INDEX_OPT_DANE_RR = 54,
+ INDEX_OPT_DANE_HOST = 55,
+ INDEX_OPT_DANE_PROTO = 56,
+ INDEX_OPT_DANE_PORT = 57,
+ INDEX_OPT_DANE_CA = 58,
+ INDEX_OPT_DANE_LOCAL = 59,
+ INDEX_OPT_VERSION = 60,
+ INDEX_OPT_HELP = 61,
+ INDEX_OPT_MORE_HELP = 62
} teOptIndex;
-#define OPTION_CT 57
+#define OPTION_CT 63
#define CERTTOOL_VERSION "@VERSION@"
#define CERTTOOL_FULL_VERSION "certtool @VERSION@"
@@ -222,6 +228,14 @@ typedef enum {
#define VALUE_OPT_DISABLE_QUICK_RANDOM 147
#define VALUE_OPT_TEMPLATE 148
#define VALUE_OPT_PKCS_CIPHER 149
+#define VALUE_OPT_DANE_RR 150
+#define VALUE_OPT_DANE_HOST 151
+#define VALUE_OPT_DANE_PROTO 152
+#define VALUE_OPT_DANE_PORT 153
+
+#define OPT_VALUE_DANE_PORT (DESC(DANE_PORT).optArg.argInt)
+#define VALUE_OPT_DANE_CA 154
+#define VALUE_OPT_DANE_LOCAL 155
#define VALUE_OPT_HELP 'h'
#define VALUE_OPT_MORE_HELP '!'
#define VALUE_OPT_VERSION 'v'
diff --git a/src/certtool.c b/src/certtool.c
index 8779131ef1..9e238f5010 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -26,6 +26,7 @@
#include <gnutls/pkcs12.h>
#include <gnutls/pkcs11.h>
#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
#include <stdio.h>
#include <stdlib.h>
@@ -72,6 +73,8 @@ void generate_request (common_info_st *);
static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
unsigned int all);
static void verify_certificate (common_info_st * cinfo);
+static void dane_info(const char* host, const char* proto, unsigned int port,
+ unsigned int ca, unsigned int local, common_info_st * cinfo);
FILE *outfile;
FILE *infile;
@@ -1075,6 +1078,9 @@ cmd_parser (int argc, char **argv)
#endif
else if (HAVE_OPT(CRQ_INFO))
crq_info ();
+ else if (HAVE_OPT(DANE_RR))
+ dane_info (OPT_ARG(DANE_HOST), OPT_ARG(DANE_PROTO), OPT_VALUE_DANE_PORT,
+ HAVE_OPT(DANE_CA), HAVE_OPT(DANE_LOCAL), &cinfo);
else
USAGE(1);
@@ -1086,6 +1092,90 @@ cmd_parser (int argc, char **argv)
gnutls_global_deinit ();
}
+static void dane_info(const char* host, const char* proto, unsigned int port,
+ unsigned int ca, unsigned int local, common_info_st * cinfo)
+{
+ gnutls_pubkey_t pubkey;
+ gnutls_x509_crt_t crt;
+ unsigned char digest[64];
+ gnutls_datum_t t;
+ int ret;
+ unsigned int usage, selector, type;
+ size_t size;
+
+ if (proto == NULL)
+ proto = "tcp";
+ if (port == 0)
+ port = 443;
+
+ crt = load_cert (0, cinfo);
+
+ ret = gnutls_pubkey_init (&pubkey);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
+ }
+
+ if (crt != NULL)
+ {
+ ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
+ gnutls_strerror (ret));
+ }
+ }
+ else
+ {
+ pubkey = load_pubkey (1, cinfo);
+ }
+
+ size = buffer_size;
+ ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_DER, buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
+
+ gnutls_pubkey_deinit (pubkey);
+
+ if (default_dig != GNUTLS_DIG_SHA256 && default_dig != GNUTLS_DIG_SHA512)
+ default_dig = GNUTLS_DIG_SHA256;
+
+ ret = gnutls_hash_fast(default_dig, buffer, size, digest);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "hash error: %s", gnutls_strerror (ret));
+
+ selector = 1;
+ if (default_dig == GNUTLS_DIG_SHA256)
+ type = 1;
+ else type = 2;
+
+ /* DANE certificate classification crap */
+ if (local==0)
+ {
+ if (ca) usage = 0;
+ else usage = 1;
+ }
+ else
+ {
+ if (ca) usage = 2;
+ else usage = 3;
+ }
+
+ t.data = digest;
+ t.size = gnutls_hash_get_len(default_dig);
+
+ size = buffer_size;
+ ret = gnutls_hex_encode(&t, (void*)buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "hex encode error: %s", gnutls_strerror (ret));
+
+ fprintf(outfile, "_%u._%s.%s. IN TLSA ( %u %u %u %s )\n", port, proto, host, usage, selector, type, buffer);
+
+
+
+}
+
+
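Review bot: `gnutls_pubkey_init` runs unconditionally before the `crt != NULL` test, so in the else branch `pubkey = load_pubkey (1, cinfo);` overwrites the freshly initialised handle and leaks it; add `gnutls_pubkey_deinit (pubkey);` immediately before that assignment, or move the init into the `crt != NULL` branch. The `port` value is formatted into the TLSA owner name as `_%u.` with no range check, so anything above 65535 produces a record no resolver accepts; add `if (port > 65535) error (EXIT_FAILURE, 0, "invalid port: %u", port);` beside the `port == 0` fallback. The digest fallback silently rewrites the global `default_dig` to SHA-256 when another hash was requested; a one-line warning to stderr there would make the substitution visible, since the hash chosen determines the published matching type. The loaded `crt` is also never released with `gnutls_x509_crt_deinit`, though the process exits shortly after.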
#define MAX_CRTS 500
void
certificate_info (int pubkey, common_info_st * cinfo)