summaryrefslogtreecommitdiff
path: root/src/certtool.c
Commit message (Collapse)AuthorAgeFilesLines
* tests: replaced rsa-pss/eddsa certtool options with --key-typeNikos Mavrogiannopoulos2017-07-171-5/+5
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: introduced the --key-type optionNikos Mavrogiannopoulos2017-07-171-9/+26
| | | | | | This replaces the --rsa-pss and --eddsa options. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Added support for EdDSA (Ed25519) curve keysNikos Mavrogiannopoulos2017-07-171-14/+12
| | | | | | | | This adds support for draft-ietf-curdle-pkix-04. Resolves #25 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tools: removed options for openpgp supportNikos Mavrogiannopoulos2017-06-161-319/+1
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: fix DER export with --p7-infoNikos Mavrogiannopoulos2017-06-061-8/+10
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: do not ask for password when exporting to PKCS#8 implicitlytmp-rsa-pss-additionNikos Mavrogiannopoulos2017-05-291-1/+6
| | | | | | | | | Previously --generate-privkey wouldn't ask for password unless --pkcs8 was explicitly given. Keep that behavior, and do not ask for any password even if we need to export to PKCS#8 for some key types. Always require the --pkcs8 option to encrypt with password. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: replaced rsa-pss-sign with sign-params optionNikos Mavrogiannopoulos2017-05-291-4/+16
| | | | | | | This option could accomodate future enhancements/additions in certificate signining. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: use PKCS#8 format for generated RSA-PSS keysNikos Mavrogiannopoulos2017-05-291-0/+5
| | | | | | | | An RSA-PSS key has additional parameters which cannot be stored in the "standard" PKCS#1 format. For that when asked to generate an RSA-PSS key, we export to the PKCS#8 form. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* x509: implement RSA-PSS signature schemeDaiki Ueno2017-05-291-8/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables RSA-PSS signature scheme in the X.509 functions and certtool. When creating RSA-PSS signature, there are 3 different scenarios: a. both a private key and a certificate are RSA-PSS b. the private key is RSA, while the certificate is RSA-PSS c. both the private key and the certificate are RSA For (a) and (b), the RSA-PSS parameters are read from the certificate. Any conflicts in parameters between the private key and the certificate are reported as an error. For (c), the sign functions, such as gnutls_x509_crt_privkey_sign() or gnutls_privkey_sign_data(), shall be instructed to generate an RSA-PSS signature. This can be done with the new flag GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS. Verification is similar to signing, except for the case (c), use the flag GNUTLS_VERIFY_USE_RSA_PSS instead of GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS. From the command line, certtool has a couple of new options: --rsa-pss and --rsa-pss-sign. The --rsa-pss option indicates that the generated private key or certificate is restricted to RSA-PSS, while the --rsa-pss-sign option indicates that the generated certificate is signed with RSA-PSS. For simplicity, there is no means of choosing arbitrary salt length. When it is not given by a private key or a certificate, it is automatically calculated from the underlying hash algorithm and the RSA modulus bits. [minor naming changes by nmav] Signed-off-by: Daiki Ueno <dueno@redhat.com> Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: allow multiple certificates in --p7-signKarl Tarbe2017-05-141-4/+18
| | | | Signed-off-by: Karl Tarbe <karl.tarbe@cyber.ee>
* certtool: introduced the email_protection_key optionNikos Mavrogiannopoulos2017-05-051-0/+24
| | | | | | | | This option was introduced in documentation for certtool without an implementation of it. It is a shortcut for option key_purpose_oid = 1.3.6.1.5.5.7.3.4 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: ensure no leaks on pkcs12_info() error pathsNikos Mavrogiannopoulos2017-04-251-0/+4
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: added newline in error messageNikos Mavrogiannopoulos2017-04-071-2/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: print the key PIN on private and public keysNikos Mavrogiannopoulos2017-04-071-11/+0
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* Mark with (void) the remove() function and other unchecked functionsNikos Mavrogiannopoulos2017-04-061-1/+1
| | | | | | This allows static analysers to properly warn on unchecked return values. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: fixed newline skip code in smime-to-p7 codeNikos Mavrogiannopoulos2017-04-061-1/+2
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: fixed minor issues pointed out by coverityNikos Mavrogiannopoulos2017-04-061-2/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: guard the value of tl before gnutls_pkcs7_verifyNikos Mavrogiannopoulos2017-04-061-1/+5
| | | | | | This utilizes assert() as it cannot be triggered in practice. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* tools: remove outfile when exited on errorNikos Mavrogiannopoulos2017-04-051-216/+230
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: enhance to allow writing CRLs in PKCS#12 filesNikos Mavrogiannopoulos2017-03-081-2/+40
| | | | | | | In addition fallback to DER when --load-crl fails importing a PEM encoded CRL due to PEM issues. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* certtool: pkcs8_info_int: fix memory leakNikos Mavrogiannopoulos2017-01-021-5/+7
|
* certtool: don't print PKCS#8 information when outputting DER dataNikos Mavrogiannopoulos2017-01-021-2/+8
|
* certtool: improved error reporting on file errorNikos Mavrogiannopoulos2016-12-311-2/+2
|
* certtool: properly report unencrypted PKCS#8 keys in --p8-infoNikos Mavrogiannopoulos2016-12-301-0/+4
|
* certtool: unified the CA certificate loading processNikos Mavrogiannopoulos2016-12-191-183/+103
| | | | | | | That is, combined how CA certificates are loaded for --verify-chain, --verify and --p7-verify. It is based on the trust list high level functions, something that allows PKCS#11 URLs to be specified in --load-ca-certificate.
* Don't trash DER CRQ output with text dataDmitry Eremin-Solenikov2016-12-071-2/+2
| | | | Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* certtool: prevent-null termination of buffers allocated with fread_file()Nikos Mavrogiannopoulos2016-12-011-5/+0
| | | | | We do not know whether their allocated size allows for that additional null, and we do not need the null termination.
* certtool: One if check is enoughAndreas Schneider2016-11-241-6/+4
| | | | Signed-off-by: Andreas Schneider <asn@samba.org>
* certtool: use the new APIs for DN extractionNikos Mavrogiannopoulos2016-11-141-35/+31
|
* certtool: allow setting key purposes for non-CA certificatesNikos Mavrogiannopoulos2016-10-181-66/+69
| | | | | | That is, allow setting code signing, or time stamping key purpose in certificates that are not marked as CA. The previous restriction served no purpose.
* certtool: introduce key purpose checks in p7 direct verificationNikos Mavrogiannopoulos2016-10-181-2/+9
|
* certtool: --p7-info will include the PKCS#7 encoded data in PEM formatNikos Mavrogiannopoulos2016-10-141-1/+12
|
* Revert "certtool: improve text on missing options for cert generation"Nikos Mavrogiannopoulos2016-10-141-5/+1
| | | | This reverts commit 7daed1fd0602bce7495d252f1a9b638fc41e38d3.
* certtool: improve text on missing options for cert generationNikos Mavrogiannopoulos2016-10-131-1/+5
|
* certtool: corrected use of gnutls_pkcs7_get_embedded_data()Nikos Mavrogiannopoulos2016-10-111-28/+10
|
* certtool: print the enacapsulated content OID on verificationNikos Mavrogiannopoulos2016-10-111-1/+3
|
* certtool: --p7-info can be combined with --p7-show-data to display embedded dataNikos Mavrogiannopoulos2016-10-111-17/+36
|
* certtool: lift any limits in print_raw()Nikos Mavrogiannopoulos2016-10-071-6/+5
|
* certtool: added safety net when generating a certificate requestNikos Mavrogiannopoulos2016-10-071-1/+5
| | | | | | That is, do not allow specifying --generate-request --load-pubkey without specifying --load-privkey. Previously if --load-pubkey would have been used, it would have been ignored, causing confusion to the users.
* certtool: print correct size of EC keysDaiki Ueno2016-09-271-5/+18
| | | | | | | | Previously certtool complained about key size if --curve is given: $ certtool --generate-privkey --ecc --curve secp256r1 --outfile key.pem Generating a -2147483646 bit EC/ECDSA private key... Note that ECDSA keys with size less than 256 are not widely supported.
* certtool: do not require a certificate to generate a PKCS#12 fileNikos Mavrogiannopoulos2016-09-221-0/+5
| | | | That is, allow generating PKCS#12 files with private keys only as well.
* several spacing fixes to keep syntax-check happyNikos Mavrogiannopoulos2016-09-111-13/+13
|
* certtool: added options to set arbitrary extensions to certificates and requestsNikos Mavrogiannopoulos2016-07-131-0/+2
| | | | | | | | This allows setting arbitrary extensions using the following new template options: add_extension = "5.6.7.8 0x0001020304050607AAABCD" add_critical_extension = "9.10.11.12.13.14.15.16.17.1.5 0xCAFE" The "0x" prefix can be omitted.
* certtool: allow copying specific certificate request extensions to certificateNikos Mavrogiannopoulos2016-06-141-0/+2
| | | | This introduces the honor_crq_extension multi-line template option.
* Implement setting the TLS features extension on certificates via certtool's ↵Tim Kosse2016-05-301-0/+4
| | | | template file.
* certtool: handle empty CNs on verificationNikos Mavrogiannopoulos2016-05-101-3/+8
| | | | | That is, handle GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if returned from gnutls_x509_crt_get_dn() on the end certificate.
* certtool: eliminated memory leaks in DH parameter printing/generation.Nikos Mavrogiannopoulos2016-04-281-0/+2
|
* certtool: combined all the seed decoding methods to a single oneNikos Mavrogiannopoulos2016-04-281-27/+13
| | | | | That not only simplifies the code, but also allows decoding hex strings which contain not hex chars (and that allows decoding hex of the form XX:XX:XX)
* certtool: allow specifying seed size when generating provable DH parametersNikos Mavrogiannopoulos2016-04-281-11/+18
|
* certtool: do not allow combining --provable with --ecc in key generationNikos Mavrogiannopoulos2016-04-141-0/+6
| | | | There is no such support in the library.
View Lorry Controller Status