Diffstat (limited to 'src/certtool.c')
-rw-r--r--src/certtool.c290
1 files changed, 164 insertions, 126 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 794a0d6b6d..a437698008 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -71,7 +71,8 @@ static void gaa_parser (int argc, char **argv);
void generate_self_signed (void);
void generate_request (void);
gnutls_x509_crt_t *load_cert_list (int mand, size_t * size);
-static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all);
+static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
+ unsigned int all);
static void print_hex_datum (gnutls_datum_t * dat);
@@ -128,7 +129,7 @@ static void
print_dsa_pkey (gnutls_datum_t * x, gnutls_datum_t * y, gnutls_datum_t * p,
gnutls_datum_t * q, gnutls_datum_t * g)
{
- if (x)
+ if (x)
{
fprintf (outfile, "private key:");
print_hex_datum (x);
@@ -146,13 +147,13 @@ print_dsa_pkey (gnutls_datum_t * x, gnutls_datum_t * y, gnutls_datum_t * p,
static void
print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d,
gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u,
- gnutls_datum_t * exp1, gnutls_datum_t *exp2)
+ gnutls_datum_t * exp1, gnutls_datum_t * exp2)
{
fprintf (outfile, "modulus:");
print_hex_datum (m);
fprintf (outfile, "public exponent:");
print_hex_datum (e);
- if (d)
+ if (d)
{
fprintf (outfile, "private exponent:");
print_hex_datum (d);
@@ -163,63 +164,70 @@ print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d,
fprintf (outfile, "coefficient:");
print_hex_datum (u);
if (exp1 && exp2)
- {
- fprintf (outfile, "exp1:");
- print_hex_datum (exp1);
- fprintf (outfile, "exp2:");
- print_hex_datum (exp2);
- }
+ {
+ fprintf (outfile, "exp1:");
+ print_hex_datum (exp1);
+ fprintf (outfile, "exp2:");
+ print_hex_datum (exp2);
+ }
}
}
-static gnutls_sec_param_t str_to_sec_param(const char* str)
+static gnutls_sec_param_t
+str_to_sec_param (const char *str)
{
- if (strcasecmp(str, "low")==0)
+ if (strcasecmp (str, "low") == 0)
{
return GNUTLS_SEC_PARAM_LOW;
}
- else if (strcasecmp(str, "normal")==0)
+ else if (strcasecmp (str, "normal") == 0)
{
return GNUTLS_SEC_PARAM_NORMAL;
}
- else if (strcasecmp(str, "high")==0)
+ else if (strcasecmp (str, "high") == 0)
{
return GNUTLS_SEC_PARAM_HIGH;
}
- else if (strcasecmp(str, "ultra")==0)
+ else if (strcasecmp (str, "ultra") == 0)
{
return GNUTLS_SEC_PARAM_ULTRA;
}
else
{
- fprintf(stderr, "Unknown security parameter string: %s\n", str);
- exit(1);
+ fprintf (stderr, "Unknown security parameter string: %s\n", str);
+ exit (1);
}
}
-int get_bits(gnutls_pk_algorithm_t key_type)
+int
+get_bits (gnutls_pk_algorithm_t key_type)
{
-int bits;
+ int bits;
if (info.bits != 0)
{
static int warned = 0;
-
- if (warned == 0)
- {
- warned = 1;
- fprintf(stderr, "** Note: Please use the --sec-param instead of --bits\n");
- }
+
+ if (warned == 0)
+ {
+ warned = 1;
+ fprintf (stderr,
+ "** Note: Please use the --sec-param instead of --bits\n");
+ }
bits = info.bits;
}
else
{
if (info.sec_param)
- {
- bits = gnutls_sec_param_to_pk_bits(key_type, str_to_sec_param(info.sec_param));
- }
- else bits = gnutls_sec_param_to_pk_bits(key_type, GNUTLS_SEC_PARAM_NORMAL);
+ {
+ bits =
+ gnutls_sec_param_to_pk_bits (key_type,
+ str_to_sec_param (info.sec_param));
+ }
+ else
+ bits =
+ gnutls_sec_param_to_pk_bits (key_type, GNUTLS_SEC_PARAM_NORMAL);
}
return bits;
@@ -243,17 +251,17 @@ generate_private_key_int (void)
if (ret < 0)
error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
- bits = get_bits(key_type);
+ bits = get_bits (key_type);
- fprintf (stderr, "Generating a %d bit %s private key...\n", get_bits(key_type),
- gnutls_pk_algorithm_get_name (key_type));
+ fprintf (stderr, "Generating a %d bit %s private key...\n",
+ get_bits (key_type), gnutls_pk_algorithm_get_name (key_type));
if (info.quick_random == 0)
fprintf (stderr,
"This might take several minutes depending on availability of randomness"
" in /dev/random.\n");
- ret = gnutls_x509_privkey_generate (key, key_type, get_bits(key_type), 0);
+ ret = gnutls_x509_privkey_generate (key, key_type, get_bits (key_type), 0);
if (ret < 0)
error (EXIT_FAILURE, 0, "privkey_generate: %s", gnutls_strerror (ret));
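Review bot: `bits` is assigned from `get_bits (key_type)` on the first changed line of this hunk, but the fprintf and the gnutls_x509_privkey_generate call that follow each call `get_bits (key_type)` again instead of reading the local, so the value logged and the value generated are recomputed separately and the local looks unused here. Use it in both places: `get_bits (key_type), gnutls_pk_algorithm_get_name (key_type));` becomes `bits, gnutls_pk_algorithm_get_name (key_type));` and the generate call becomes `ret = gnutls_x509_privkey_generate (key, key_type, bits, 0);`. generate_private_key_int starts and ends outside the hunk, so whether `bits` is read later is not visible from here.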
@@ -561,8 +569,7 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
{
result =
gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_IPSEC_IKE,
- 0);
+ GNUTLS_KP_IPSEC_IKE, 0);
if (result < 0)
error (EXIT_FAILURE, 0, "key_kp: %s",
gnutls_strerror (result));
@@ -621,7 +628,7 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
{
/* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
set, then either digitalSignature or the nonRepudiation bits in the
- KeyUsage extension MUST for all IKE certs */
+ KeyUsage extension MUST for all IKE certs */
if (is_ike && (get_sign_status (server) != 1))
usage |= GNUTLS_KEY_NON_REPUDIATION;
result = gnutls_x509_crt_set_key_usage (crt, usage);
@@ -757,17 +764,18 @@ generate_crl (gnutls_x509_crt_t ca_crt)
return crl;
}
-static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt crt)
+static gnutls_digest_algorithm_t
+get_dig (gnutls_x509_crt crt)
{
-gnutls_digest_algorithm_t dig;
-int result;
-unsigned int mand;
+ gnutls_digest_algorithm_t dig;
+ int result;
+ unsigned int mand;
- result = gnutls_x509_crt_get_preferred_hash_algorithm(crt, &dig, &mand);
+ result = gnutls_x509_crt_get_preferred_hash_algorithm (crt, &dig, &mand);
if (result < 0)
{
- error (EXIT_FAILURE, 0, "crl_preferred_hash_algorithm: %s",
- gnutls_strerror (result));
+ error (EXIT_FAILURE, 0, "crl_preferred_hash_algorithm: %s",
+ gnutls_strerror (result));
}
/* if algorithm allows alternatives */
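Review bot: The error label in get_dig reads `crl_preferred_hash_algorithm` although, as the other hunks of this diff show, get_dig is what the certificate-signing paths (gnutls_x509_crt_sign2 in generate_self_signed, generate_signed_certificate, generate_proxy_certificate and update_signed_certificate) call, so a failure there would be reported under a CRL name. A neutral label avoids the misdirection: `error (EXIT_FAILURE, 0, "preferred_hash_algorithm: %s",`. The rest of get_dig lies outside this hunk.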
@@ -777,7 +785,8 @@ unsigned int mand;
return dig;
}
-void generate_self_signed (void)
+void
+generate_self_signed (void)
{
gnutls_x509_crt_t crt;
gnutls_x509_privkey_t key;
@@ -807,7 +816,7 @@ void generate_self_signed (void)
fprintf (stderr, "\n\nSigning certificate...\n");
- result = gnutls_x509_crt_sign2 (crt, crt, key, get_dig(crt), 0);
+ result = gnutls_x509_crt_sign2 (crt, crt, key, get_dig (crt), 0);
if (result < 0)
error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
@@ -849,7 +858,7 @@ generate_signed_certificate (void)
fprintf (stderr, "\n\nSigning certificate...\n");
- result = gnutls_x509_crt_sign2 (crt, ca_crt, ca_key, get_dig(ca_crt), 0);
+ result = gnutls_x509_crt_sign2 (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
if (result < 0)
error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
@@ -883,7 +892,7 @@ generate_proxy_certificate (void)
fprintf (stderr, "\n\nSigning certificate...\n");
- result = gnutls_x509_crt_sign2 (crt, eecrt, eekey, get_dig(eecrt), 0);
+ result = gnutls_x509_crt_sign2 (crt, eecrt, eekey, get_dig (eecrt), 0);
if (result < 0)
error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
@@ -952,7 +961,7 @@ update_signed_certificate (void)
fprintf (stderr, "\n\nSigning certificate...\n");
- result = gnutls_x509_crt_sign2 (crt, ca_crt, ca_key, get_dig(ca_crt), 0);
+ result = gnutls_x509_crt_sign2 (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
if (result < 0)
error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
@@ -1066,25 +1075,27 @@ gaa_parser (int argc, char **argv)
if ((ret = gnutls_global_init ()) < 0)
error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
-
+
if (info.pkcs11_provider != NULL)
{
- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+ ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret < 0)
- fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
- else {
- ret = gnutls_pkcs11_add_provider(info.pkcs11_provider, NULL);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s", gnutls_strerror (ret));
- }
+ fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
+ else
+ {
+ ret = gnutls_pkcs11_add_provider (info.pkcs11_provider, NULL);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s",
+ gnutls_strerror (ret));
+ }
}
else
{
- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
+ ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL);
if (ret < 0)
- fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
+ fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
}
-
+
if ((ret = gnutls_global_init_extra ()) < 0)
error (EXIT_FAILURE, 0, "global_init_extra: %s", gnutls_strerror (ret));
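Review bot: Both reindented `fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));` lines (one in each branch of the `info.pkcs11_provider` test) have no trailing newline, unlike the other diagnostics in this function, so whatever is written to stderr next is glued onto the same line. Since execution deliberately continues after that failure, the message is the only trace that the PKCS#11 layer did not come up, and it should be legible: `fprintf (stderr, "pkcs11_init: %s\n", gnutls_strerror (ret));`. gaa_parser continues outside the hunk.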
@@ -1155,19 +1166,21 @@ gaa_parser (int argc, char **argv)
generate_pkcs8 ();
break;
case ACTION_PKCS11_LIST:
- pkcs11_list(outfile, info.pkcs11_url, info.pkcs11_type, info.pkcs11_login, info.pkcs11_detailed_url);
+ pkcs11_list (outfile, info.pkcs11_url, info.pkcs11_type,
+ info.pkcs11_login, info.pkcs11_detailed_url);
break;
case ACTION_PKCS11_TOKENS:
- pkcs11_token_list(outfile, info.pkcs11_detailed_url);
+ pkcs11_token_list (outfile, info.pkcs11_detailed_url);
break;
case ACTION_PKCS11_EXPORT_URL:
- pkcs11_export(outfile, info.pkcs11_url, info.pkcs11_login);
+ pkcs11_export (outfile, info.pkcs11_url, info.pkcs11_login);
break;
case ACTION_PKCS11_WRITE_URL:
- pkcs11_write(outfile, info.pkcs11_url, info.pkcs11_label, info.pkcs11_trusted, info.pkcs11_login);
+ pkcs11_write (outfile, info.pkcs11_url, info.pkcs11_label,
+ info.pkcs11_trusted, info.pkcs11_login);
break;
case ACTION_PKCS11_DELETE_URL:
- pkcs11_delete(outfile, info.pkcs11_url, batch, info.pkcs11_login);
+ pkcs11_delete (outfile, info.pkcs11_url, batch, info.pkcs11_login);
break;
#ifdef ENABLE_OPENPGP
case ACTION_PGP_INFO:
@@ -1188,9 +1201,9 @@ gaa_parser (int argc, char **argv)
exit (0);
}
fclose (outfile);
-
- gnutls_pkcs11_deinit();
- gnutls_global_deinit();
+
+ gnutls_pkcs11_deinit ();
+ gnutls_global_deinit ();
}
#define MAX_CRTS 500
@@ -1248,7 +1261,8 @@ certificate_info (int pubkey)
fwrite (buffer, 1, size, outfile);
- if (pubkey) pubkey_info(crt[i]);
+ if (pubkey)
+ pubkey_info (crt[i]);
gnutls_x509_crt_deinit (crt[i]);
}
@@ -1367,7 +1381,9 @@ pgp_privkey_info (void)
fprintf (outfile, "\tPublic Key Algorithm: ");
cprint = gnutls_pk_algorithm_get_name (ret);
fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
- fprintf (outfile, "\tKey Security Level: %s\n", gnutls_sec_param_get_name(gnutls_openpgp_privkey_sec_param(key)));
+ fprintf (outfile, "\tKey Security Level: %s\n",
+ gnutls_sec_param_get_name (gnutls_openpgp_privkey_sec_param
+ (key)));
/* Print the raw public and private keys
*/
@@ -1671,12 +1687,11 @@ privkey_info (void)
if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
{
if (info.pass)
- pass = info.pass;
+ pass = info.pass;
else
- pass = get_pass ();
+ pass = get_pass ();
ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
- info.incert_format,
- pass, 0);
+ info.incert_format, pass, 0);
}
if (ret < 0)
error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
@@ -1689,7 +1704,8 @@ privkey_info (void)
cprint = gnutls_pk_algorithm_get_name (ret);
fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
- fprintf (outfile, "\tKey Security Level: %s\n", gnutls_sec_param_get_name(gnutls_x509_privkey_sec_param(key)));
+ fprintf (outfile, "\tKey Security Level: %s\n",
+ gnutls_sec_param_get_name (gnutls_x509_privkey_sec_param (key)));
/* Print the raw public and private keys
*/
@@ -1697,7 +1713,9 @@ privkey_info (void)
{
gnutls_datum_t m, e, d, p, q, u, exp1, exp2;
- ret = gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u, &exp1, &exp2);
+ ret =
+ gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u,
+ &exp1, &exp2);
if (ret < 0)
fprintf (stderr, "Error in key RSA data export: %s\n",
gnutls_strerror (ret));
@@ -3159,70 +3177,88 @@ certtool_version (void)
"Nikos Mavrogiannopoulos", "Simon Josefsson", (char *) NULL);
}
-static void print_key_usage(FILE* outfile, unsigned int usage)
+static void
+print_key_usage (FILE * outfile, unsigned int usage)
{
- if (usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
- fprintf(outfile, "\tDigital signature.\n");
- }
+ if (usage & GNUTLS_KEY_DIGITAL_SIGNATURE)
+ {
+ fprintf (outfile, "\tDigital signature.\n");
+ }
- if (usage & GNUTLS_KEY_NON_REPUDIATION) {
- fprintf(outfile, "\tNon repudiation.\n");
- }
+ if (usage & GNUTLS_KEY_NON_REPUDIATION)
+ {
+ fprintf (outfile, "\tNon repudiation.\n");
+ }
- if (usage & GNUTLS_KEY_KEY_ENCIPHERMENT) {
- fprintf(outfile, "\tKey encipherment.\n");
- }
+ if (usage & GNUTLS_KEY_KEY_ENCIPHERMENT)
+ {
+ fprintf (outfile, "\tKey encipherment.\n");
+ }
- if (usage & GNUTLS_KEY_DATA_ENCIPHERMENT) {
- fprintf(outfile, "\tData encipherment.\n");
- }
+ if (usage & GNUTLS_KEY_DATA_ENCIPHERMENT)
+ {
+ fprintf (outfile, "\tData encipherment.\n");
+ }
- if (usage & GNUTLS_KEY_KEY_AGREEMENT) {
- fprintf(outfile, "\tKey agreement.\n");
- }
+ if (usage & GNUTLS_KEY_KEY_AGREEMENT)
+ {
+ fprintf (outfile, "\tKey agreement.\n");
+ }
- if (usage & GNUTLS_KEY_KEY_CERT_SIGN) {
- fprintf(outfile, "\tCertificate signing.\n");
- }
+ if (usage & GNUTLS_KEY_KEY_CERT_SIGN)
+ {
+ fprintf (outfile, "\tCertificate signing.\n");
+ }
- if (usage & GNUTLS_KEY_NON_REPUDIATION) {
- fprintf(outfile, "\tCRL signing.\n");
- }
+ if (usage & GNUTLS_KEY_NON_REPUDIATION)
+ {
+ fprintf (outfile, "\tCRL signing.\n");
+ }
- if (usage & GNUTLS_KEY_ENCIPHER_ONLY) {
- fprintf(outfile, "\tKey encipher only.\n");
- }
+ if (usage & GNUTLS_KEY_ENCIPHER_ONLY)
+ {
+ fprintf (outfile, "\tKey encipher only.\n");
+ }
- if (usage & GNUTLS_KEY_DECIPHER_ONLY) {
- fprintf(outfile, "\tKey decipher only.\n");
- }
+ if (usage & GNUTLS_KEY_DECIPHER_ONLY)
+ {
+ fprintf (outfile, "\tKey decipher only.\n");
+ }
}
-void pubkey_info (gnutls_x509_crt crt)
+void
+pubkey_info (gnutls_x509_crt crt)
{
gnutls_pubkey_t pubkey;
unsigned int bits, usage;
int ret;
size_t size;
- const char* cprint;
+ const char *cprint;
- ret = gnutls_pubkey_init(&pubkey);
- if (ret < 0) {
- error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
- }
+ ret = gnutls_pubkey_init (&pubkey);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
+ }
- if (crt == NULL) {
- crt = load_cert(0);
- }
-
- if (crt != NULL) {
- ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
- if (ret < 0) {
- error (EXIT_FAILURE, 0, "pubkey_import_x509: %s", gnutls_strerror (ret));
- }
- } else {
- pubkey = load_pubkey(1);
- }
+ if (crt == NULL)
+ {
+ crt = load_cert (0);
+ }
+
+ if (crt != NULL)
+ {
+ ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
+ gnutls_strerror (ret));
+ }
+ }
+ else
+ {
+ pubkey = load_pubkey (1);
+ }
fprintf (outfile, "Public Key Info:\n\n");
ret = gnutls_pubkey_get_pk_algorithm (pubkey, &bits);
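Review bot: In print_key_usage the test that prints "CRL signing." checks `GNUTLS_KEY_NON_REPUDIATION` a second time (the same bit already tested for the "Non repudiation." line), so a key whose keyUsage has only cRLSign set is shown without it and a nonRepudiation-only key is shown as CRL-capable; the reindent carries the defect over unchanged. The condition should be `if (usage & GNUTLS_KEY_CRL_SIGN)`. Separately, in pubkey_info the `pubkey = load_pubkey (1);` branch overwrites the handle obtained from gnutls_pubkey_init a few lines above without releasing it, which looks like a leak of that object, minor for a tool that exits shortly after. pubkey_info's body continues beyond the hunk.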
@@ -3268,12 +3304,14 @@ void pubkey_info (gnutls_x509_crt crt)
}
ret = gnutls_pubkey_get_key_usage (pubkey, &usage);
- if (ret < 0) {
- error (EXIT_FAILURE, 0, "pubkey_get_key_usage: %s", gnutls_strerror (ret));
- }
-
+ if (ret < 0)
+ {
+ error (EXIT_FAILURE, 0, "pubkey_get_key_usage: %s",
+ gnutls_strerror (ret));
+ }
+
fprintf (outfile, "Public Key Usage:\n");
- print_key_usage(outfile, usage);
+ print_key_usage (outfile, usage);
fprintf (outfile, "\n");