path: root/src/certtool-common.h

Commit log (subject, author, date; files changed, lines removed/added):
* Use https:// for www.gnu.org and www.example.com (Tim Rühsen, 2019-03-13; 1 file, -1/+1)
  Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* certtool: don't output textual information if --no-text was given (Dmitry Eremin-Solenikov, 2018-11-26; 1 file, -2/+6)
  Change privkey/certificate/CRL/CSR handling to disable text output if the --no-text option was given.
  Closes #487
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* certtool: support dumping GOST private key information (Dmitry Eremin-Solenikov, 2018-06-23; 1 file, -0/+5)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* certtool: export GOST privkeys only in PKCS#8 format (Dmitry Eremin-Solenikov, 2018-06-23; 1 file, -1/+3)
  Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* certtool: use larger serial and CRL numbers (Martin Sucha, 2018-05-19; 1 file, -0/+2)
  Serial/CRL numbers can be up to 20 octets in length as per RFC 5280, so it should be possible to use such numbers as input to certtool. certtool only allowed specifying 63-bit numbers in the template file or interactively (even though it generated larger numbers in batch mode by default). This patch allows large numbers to be specified as a hexadecimal string.

  Parsing of decimal numbers larger than native integers would require adding a dependency on libgmp directly to certtool or extending the API exposed by the GnuTLS library with parsing functions. Since most tools (including GnuTLS) display serial numbers in hexadecimal, it is not worth the trouble to support large decimal numbers.

  Default values are unified between batch mode and interactive input and their size is extended. The CA/Browser Forum recommends CAs to include at least 64 bits of random data in the certificate serial numbers in Baseline Requirements [1] section 7.1, but gnutls adds only 32 bits. Some other implementations generate default serial numbers with more entropy as well; here is the current state as of May 2018:

  +----------------+-------------------------------+
  | Implementation | Random bits in default serial |
  +----------------+-------------------------------+
  | OpenSSL [2]    | 159                           |
  | CFSSL [3]      | 159                           |
  | wolfSSL [4]    | 128                           |
  | GnuTLS         | 32                            |
  | Mbed TLS [5]   | 0 (defaults to 1)             |
  +----------------+-------------------------------+

  The 20 octet field size can fit numbers up to 159 bits since the most significant bit must be zero, as numbers in DER encoding are in two's complement and the serial and CRL numbers must be positive. Default serial numbers are extended to the full 159 bits allowed by the field size and are completely random, which matches other implementations.

  CRL numbers have the same size requirements, but also need to be monotonic (RFC 5280, section 5.2.3). That's why a timestamp is used in them. The timestamp portion is extended from 31 bits to 39 bits as 31 bits will overflow in year 2038. The rest of the available space up to the 159 bits allowed in the 20 octet limit is filled with random bits. Since the new CRL numbers are larger, the requirement for them to be monotonically increasing is preserved when upgrading to a newer version. This does not hold the other way around though, so after using a newer version of certtool to generate a CRL with the default number and publishing it, it's not possible to use an older version anymore to generate subsequent CRLs. Unfortunately, there is no easy workaround for users of older certtool, since it is not possible to specify CRL numbers greater than 63 bits manually prior to this change. Users intending to downgrade to an older version later are advised to specify the CRL numbers in the new version of certtool manually with values that are smaller than what would get generated by default in the old version.

  grep does not recognize CRLF line endings generated in tests using MinGW, so we need to convert those to LF endings for $ in the regex to match test output correctly.

  datefudge 1.21 that is present in the Fedora 26 image trims the timestamp to 32 bits. That bug was fixed in datefudge 1.22 available in the Debian image, so we check if datefudge behaves correctly and skip the test that uses more than 32 bits if datefudge is broken.

  [1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf
  [2] https://github.com/openssl/openssl/blob/6ebb49f3f9c9333611192561979bb799fa1eb76d/apps/apps.c#L1513
  [3] https://github.com/cloudflare/cfssl/blob/5d63dbd981b5c408effbb58c442d54761ff94fbd/signer/local/local.go#L295
  [4] https://github.com/wolfSSL/wolfssl/blob/d60b16c5b8c19cc61db4a5c3f5e085a7a158cd28/wolfcrypt/src/asn.c#L9791
  [5] https://github.com/ARMmbed/mbedtls/blob/84a1107818aaddfd2abe4c5a3478cf84ab2e26b4/programs/x509/cert_write.c#L81

  Signed-off-by: Martin Sucha <anty.sk+git@gmail.com>
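As an added example (not code from GnuTLS or from this commit), the number layouts the message above describes, in Python: a 159-bit random serial, a CRL number with a 39-bit timestamp above 120 random bits, and the DER INTEGER encoding that shows why 159 bits is the ceiling for a 20-octet field. The `rand` parameter and the exact pre-patch layout in `old_crl_number` (31-bit timestamp over 32 random bits) are assumptions for illustration.

```python
import os
import time

FIELD_OCTETS = 20                       # RFC 5280 cap for serialNumber and cRLNumber
MAX_BITS = FIELD_OCTETS * 8 - 1         # 159: the top bit is the DER sign bit and must be 0
CRL_TS_BITS = 39                        # timestamp width from the commit message
CRL_RAND_BITS = MAX_BITS - CRL_TS_BITS  # 120 random bits below the timestamp


def der_integer(n):
    """Encode a non-negative int as a DER INTEGER (tag 0x02, short-form length)."""
    if n < 0:
        raise ValueError("serial and CRL numbers must be positive")
    # Minimal two's-complement content: the "+ 8" yields one extra byte exactly
    # when the top bit of the value's last byte is set, i.e. the leading 0x00.
    content = n.to_bytes((n.bit_length() + 8) // 8, "big")
    if len(content) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x02, len(content)]) + content


def fits_field(n):
    """True when the DER content octets of n fit within the 20-octet limit."""
    return len(der_integer(n)) - 2 <= FIELD_OCTETS


def random_serial(rand=os.urandom):
    """159 fully random bits, the new certtool default described above."""
    return int.from_bytes(rand(FIELD_OCTETS), "big") & ((1 << MAX_BITS) - 1)


def crl_number(now=None, rand=os.urandom):
    """39-bit Unix timestamp in the high bits (monotonic), 120 random bits below."""
    ts = int(time.time() if now is None else now)
    if not 0 <= ts < (1 << CRL_TS_BITS):
        raise ValueError("timestamp does not fit in 39 bits")
    return (ts << CRL_RAND_BITS) | int.from_bytes(rand(CRL_RAND_BITS // 8), "big")


def old_crl_number(now, rand=os.urandom):
    """Assumed pre-patch layout: 31-bit timestamp over 32 random bits (63 bits total)."""
    return ((int(now) & ((1 << 31) - 1)) << 32) | int.from_bytes(rand(4), "big")


if __name__ == "__main__":
    for label, n in (("serial", random_serial()), ("crl", crl_number())):
        print(label, hex(n), "fits:", fits_field(n), "DER:", der_integer(n).hex())
    # A CRL number in the new layout always exceeds one in the old layout,
    # which is why upgrading keeps cRLNumber monotonic but downgrading does not.
    print("new > old:", crl_number(1526688000) > old_crl_number(1526688000))
```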
* certtool: honor --ask-pass when loading a private key (Nikos Mavrogiannopoulos, 2018-05-07; 1 file, -0/+1)
  This also improves the password prompt when the password requested is not for a smart card.
  Resolves: #436
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* sign_params_to_flags: moved to certtool-common.c (Nikos Mavrogiannopoulos, 2017-08-27; 1 file, -0/+3)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: hash_to_id moved to certtool-common.c (Nikos Mavrogiannopoulos, 2017-08-27; 1 file, -0/+2)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* p11tool: --generate-xxx options were replaced by generate-privkey (Nikos Mavrogiannopoulos, 2017-08-09; 1 file, -0/+2)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: eliminated unused variable (Nikos Mavrogiannopoulos, 2017-08-08; 1 file, -3/+0)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: silence warnings related to --pkcs8 (Nikos Mavrogiannopoulos, 2017-08-07; 1 file, -3/+5)
  There is no reason to bug the user with such details by default.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: provable private keys are always exported in PKCS#8 form (Nikos Mavrogiannopoulos, 2017-08-07; 1 file, -2/+12)
  That allows the provable parameters to be included.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added support for EdDSA (Ed25519) curve keys (Nikos Mavrogiannopoulos, 2017-07-17; 1 file, -0/+13)
  This adds support for draft-ietf-curdle-pkix-04.
  Resolves #25
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* ocsptool: --load-chain will sort the input chain (Nikos Mavrogiannopoulos, 2017-06-20; 1 file, -0/+1)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* ocsptool: added --load-chain option (Nikos Mavrogiannopoulos, 2017-06-19; 1 file, -0/+3)
  This option allows directly verifying all the members of a certificate chain.
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: implement RSA-PSS signature scheme (Daiki Ueno, 2017-05-29; 1 file, -0/+4)
  This patch enables the RSA-PSS signature scheme in the X.509 functions and certtool.

  When creating an RSA-PSS signature, there are 3 different scenarios:

  a. both a private key and a certificate are RSA-PSS
  b. the private key is RSA, while the certificate is RSA-PSS
  c. both the private key and the certificate are RSA

  For (a) and (b), the RSA-PSS parameters are read from the certificate. Any conflicts in parameters between the private key and the certificate are reported as an error.

  For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS signature. This can be done with the new flag GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.

  Verification is similar to signing, except for the case (c): use the flag GNUTLS_VERIFY_USE_RSA_PSS instead of GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS.

  From the command line, certtool has a couple of new options: --rsa-pss and --rsa-pss-sign. The --rsa-pss option indicates that the generated private key or certificate is restricted to RSA-PSS, while the --rsa-pss-sign option indicates that the generated certificate is signed with RSA-PSS.

  For simplicity, there is no means of choosing an arbitrary salt length. When it is not given by a private key or a certificate, it is automatically calculated from the underlying hash algorithm and the RSA modulus bits.

  [minor naming changes by nmav]

  Signed-off-by: Daiki Ueno <dueno@redhat.com>
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tools: remove outfile when exited on error (Nikos Mavrogiannopoulos, 2017-04-05; 1 file, -0/+6)
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: eliminated memory leaks in DH parameter printing/generation. (Nikos Mavrogiannopoulos, 2016-04-28; 1 file, -1/+1)
* certtool: combined all the seed decoding methods to a single one (Nikos Mavrogiannopoulos, 2016-04-28; 1 file, -1/+3)
  That not only simplifies the code, but also allows decoding hex strings which contain non-hex chars (and that allows decoding hex of the form XX:XX:XX).
* certtool: allow specifying seed size when generating provable DH parameters (Nikos Mavrogiannopoulos, 2016-04-28; 1 file, -0/+3)
* certtool: the --generate-dh-params option can be combined with --provable (Nikos Mavrogiannopoulos, 2016-02-11; 1 file, -0/+7)
  This however, will generate provable DSA parameters and import them as DH parameters.
  Resolves #72
* p11tool: introduced --only-urls option (Nikos Mavrogiannopoulos, 2015-11-08; 1 file, -0/+2)
  This option allows printing a compact listing containing only URLs.
* certtool: provable key generation was moved to a separate flag that can be combined with --generate-privkey (Nikos Mavrogiannopoulos, 2015-09-13; 1 file, -0/+2)
  Also enhanced the test suite with DSA provable key generation/verification.
* certtool: lifted limits on file size to load (Nikos Mavrogiannopoulos, 2015-08-12; 1 file, -2/+2)
* certtool: added --p7-generate, --p7-sign and --p7-detached-sign (Nikos Mavrogiannopoulos, 2015-06-02; 1 file, -0/+2)
* certtool: allow verifying PKCS #7 with detached data (Nikos Mavrogiannopoulos, 2015-06-02; 1 file, -0/+1)
* certtool: allow verification of PKCS #7 structures (Nikos Mavrogiannopoulos, 2015-06-02; 1 file, -0/+1)
* p11tool: use the key usage flags to set PKCS #11 properties (Nikos Mavrogiannopoulos, 2015-04-04; 1 file, -0/+1)
* certtool: use unsigned for bits (Nikos Mavrogiannopoulos, 2015-02-20; 1 file, -1/+1)
* p11tool/certtool: Added --curve parameter. (Nikos Mavrogiannopoulos, 2014-07-07; 1 file, -0/+1)
  The curve parameter allows explicitly specifying the curve to use when generating a key.
* p11tool: Ask for label if not specified. (Nikos Mavrogiannopoulos, 2014-07-02; 1 file, -0/+1)
  Added --batch parameter to disable interaction.
* p11tool: added options --set-pin and --set-so-pin (Nikos Mavrogiannopoulos, 2014-07-01; 1 file, -0/+3)
  These allow for a non-interactive --initialize process.
* certtool: allow specifying the friendly name on the command line and use the load-ca-certificate (Nikos Mavrogiannopoulos, 2014-06-26; 1 file, -1/+1)
* certtool: When an external file is used increase our maximum buffer accordingly. (Nikos Mavrogiannopoulos, 2014-06-04; 1 file, -2/+3)
* changed the behavior in certtool's PKCS #8 key export with no password (Nikos Mavrogiannopoulos, 2014-04-03; 1 file, -0/+1)
  By default when no password is specified, an unencrypted key is output. The previous behavior of encrypting using an empty password can be replicated using --empty-password.
* reindented code (Nikos Mavrogiannopoulos, 2013-11-08; 1 file, -61/+68)
* enable --outder for certtool --dh-info (Daniel Kahn Gillmor, 2013-11-08; 1 file, -0/+1)
  "certtool --dh-info --outder" produces PEM-encoded output without this patch.
* Added --cprint option to certtool (Nikos Mavrogiannopoulos, 2013-01-21; 1 file, -5/+8)
* Several updates in certificate/public key printing. (Nikos Mavrogiannopoulos, 2012-11-20; 1 file, -1/+1)
  * Added GNUTLS_CRT_PRINT_FULL_NUMBERS to print bignumbers in an easier to parse format.
  * Added gnutls_pubkey_import_x509_crq() to convert a certificate request to a public key.
  * Added gnutls_pubkey_print() to simplify public key printing.
  * certtool's pubkey-info can be combined with --load-request.
  * Added --numbers option to certtool which prints big numbers in an easier to parse format.
* get_bits() does not always warn. (Nikos Mavrogiannopoulos, 2012-11-12; 1 file, -1/+2)
* Certtool updates. (Nikos Mavrogiannopoulos, 2012-10-09; 1 file, -0/+2)
  By default generate public key TLSA RR entries. Added --verbose option.
* Changes in password handling of certtool. (Nikos Mavrogiannopoulos, 2012-08-25; 1 file, -0/+2)
  Ask password when required and only if the '--password' option is not given. If the '--password' option is given during key generation then assume the PKCS #8 format.
* Restored ability to decrypt PKCS #8 and #12 keys with a NULL password. (Nikos Mavrogiannopoulos, 2012-08-04; 1 file, -0/+1)
  Certtool now accepts the option --null-password.
* Eliminated p11common.c. (Nikos Mavrogiannopoulos, 2012-07-20; 1 file, -3/+0)
* Added functionality to extract the pubkey key from a TPM key. (Nikos Mavrogiannopoulos, 2012-07-08; 1 file, -0/+14)
  Added new function gnutls_pubkey_import_tpm_raw(). tpmtool can now print the pubkey key from a TPM key.
* Split Lucas' contribution to allow incorporation. (Nikos Mavrogiannopoulos, 2012-06-25; 1 file, -0/+2)
* Certtool exports multiple keys in PKCS12 file (Lucas Fisher, 2012-06-24; 1 file, -0/+2)
  Update certtool to export multiple keys in a PKCS12 file so multiple certificate/key pairs may be included in one file.
  - Add load_privkey_list() so that --load-privkey loads multiple keys
  - Change generate_pkcs12() to add multiple keys to the PKCS12 file
  Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* Cleanup copyright headers. (Simon Josefsson, 2012-01-25; 1 file, -0/+20)
* certtool uses libopts for command line parsing. (Nikos Mavrogiannopoulos, 2012-01-22; 1 file, -31/+4)
* Added the --dh-info parameter to certtool. (Nikos Mavrogiannopoulos, 2011-12-13; 1 file, -0/+2)