diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-09 09:43:35 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-09 09:43:35 +0000 |
commit | 9e7fb8577802de2abf191d783be5b6b953c22271 (patch) | |
tree | e6818532d3a85a8a840652f6dfc0d58d42c89a69 /src/pki | |
parent | 20e652eab94f898365fdde046ed11a2dda2f165e (diff) | |
download | vyos-strongswan-9e7fb8577802de2abf191d783be5b6b953c22271.tar.gz vyos-strongswan-9e7fb8577802de2abf191d783be5b6b953c22271.zip |
New upstream release.
Diffstat (limited to 'src/pki')
-rw-r--r-- | src/pki/Makefile.am | 2 | ||||
-rw-r--r-- | src/pki/Makefile.in | 37 | ||||
-rw-r--r-- | src/pki/command.c | 2 | ||||
-rw-r--r-- | src/pki/commands/gen.c | 4 | ||||
-rw-r--r-- | src/pki/commands/issue.c | 21 | ||||
-rw-r--r-- | src/pki/commands/keyid.c | 12 | ||||
-rw-r--r-- | src/pki/commands/print.c | 368 | ||||
-rw-r--r-- | src/pki/commands/pub.c | 4 | ||||
-rw-r--r-- | src/pki/commands/req.c | 13 | ||||
-rw-r--r-- | src/pki/commands/self.c | 33 | ||||
-rw-r--r-- | src/pki/commands/signcrl.c | 382 | ||||
-rw-r--r-- | src/pki/pki.c | 53 | ||||
-rw-r--r-- | src/pki/pki.h | 2 |
13 files changed, 894 insertions, 39 deletions
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index 8eac07afc..99e9bc581 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -7,6 +7,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/pub.c \ commands/req.c \ commands/self.c \ + commands/print.c \ + commands/signcrl.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 522b9e887..8f08777bb 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -55,7 +55,8 @@ am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \ issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \ - self.$(OBJEXT) verify.$(OBJEXT) + self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \ + verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la DEFAULT_INCLUDES = -I.@am__isrc@ @@ -238,6 +239,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/pub.c \ commands/req.c \ commands/self.c \ + commands/print.c \ + commands/signcrl.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -337,9 +340,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/self.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signcrl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@ .c.o: @@ -447,6 +452,34 @@ self.obj: commands/self.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi` +print.o: commands/print.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c + +print.obj: commands/print.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi` + +signcrl.o: commands/signcrl.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c + +signcrl.obj: commands/signcrl.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi` + verify.o: commands/verify.c @am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po diff --git a/src/pki/command.c b/src/pki/command.c index 8f53817f0..b9c35d99b 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -181,7 +181,7 @@ int command_usage(char *error) { for (i = 0; cmds[i].cmd; i++) { - fprintf(out, " pki --%-6s (-%c) %s\n", + fprintf(out, " pki --%-7s (-%c) %s\n", cmds[i].cmd, cmds[i].op, cmds[i].description); } } diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c index b2769da54..33d9cf35d 100644 --- a/src/pki/commands/gen.c +++ b/src/pki/commands/gen.c @@ -20,7 +20,7 @@ */ static int gen() { - key_encoding_type_t form = KEY_PRIV_ASN1_DER; + cred_encoding_type_t form = PRIVKEY_ASN1_DER; key_type_t type = KEY_RSA; u_int size = 0; private_key_t *key; @@ -48,7 +48,7 @@ static int gen() } continue; case 'f': - if (!get_form(arg, &form, FALSE)) + if (!get_form(arg, &form, CRED_PRIVATE_KEY)) { return command_usage("invalid key output format"); } diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index fcd758f87..2002cd555 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -28,6 +28,7 @@ */ static int issue() { + cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; @@ -37,7 +38,7 @@ static int issue() char *error = NULL; identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp; - int lifetime = 1080; + int lifetime = 1095; int pathlen = X509_NO_PATH_LEN_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; @@ -107,7 +108,7 @@ static int issue() case 'p': pathlen = atoi(arg); continue; - case 'f': + case 'e': if (streq(arg, "serverAuth")) { flags |= X509_SERVER_AUTH; @@ -121,6 +122,12 @@ static int issue() flags |= X509_OCSP_SIGNER; } continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case 'u': cdps->insert_last(cdps, arg); continue; @@ -301,8 +308,7 @@ static int issue() error = "generating certificate failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate failed"; goto end; @@ -352,7 +358,7 @@ static void __attribute__ ((constructor))reg() " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "public key/request file to issue, default: stdin"}, @@ -361,14 +367,15 @@ static void __attribute__ ((constructor))reg() {"cakey", 'k', 1, "CA private key file"}, {"dn", 'd', 1, "distinguished name to include as subject"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1080"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'f', 1, "include extendedKeyUsage flag"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"crl", 'u', 1, "CRL distribution point URI to include"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c index c15c1193e..6d2f7b915 100644 --- a/src/pki/commands/keyid.c +++ b/src/pki/commands/keyid.c @@ -99,11 +99,11 @@ static int keyid() if (type == CRED_PRIVATE_KEY) { private = cred; - if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &id)) + if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } @@ -112,11 +112,11 @@ static int keyid() else if (type == CRED_PUBLIC_KEY) { public = cred; - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } @@ -131,11 +131,11 @@ static int keyid() fprintf(stderr, "extracting public key from certificate failed"); return 1; } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c new file mode 100644 index 000000000..6d5462783 --- /dev/null +++ b/src/pki/commands/print.c @@ -0,0 +1,368 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pki.h" + +#include <credentials/certificates/certificate.h> +#include <credentials/certificates/x509.h> +#include <selectors/traffic_selector.h> + +#include <time.h> + +/** + * Print public key information + */ +static void print_pubkey(public_key_t *key) +{ + chunk_t chunk; + + printf("pubkey: %N %d bits\n", key_type_names, key->get_type(key), + key->get_keysize(key) * 8); + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + printf("keyid: %#B\n", &chunk); + } + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) + { + printf("subjkey: %#B\n", &chunk); + } +} + +/** + * Print private key information + */ +static void print_key(private_key_t *key) +{ + public_key_t *public; + + public = key->get_public_key(key); + if (public) + { + printf("private key with:\n"); + print_pubkey(public); + public->destroy(public); + } + else + { + printf("extracting public from private key failed\n"); + } +} + +/** + * Print X509 specific certificate information + */ +static void print_x509(x509_t *x509) +{ + enumerator_t *enumerator; + identification_t *id; + traffic_selector_t *block; + chunk_t chunk; + bool first; + char *uri; + int len; + x509_flag_t flags; + + chunk = x509->get_serial(x509); + printf("serial: %#B\n", &chunk); + + first = TRUE; + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("altNames: "); + first = FALSE; + } + else + { + printf(", "); + } + printf("%Y", id); + } + if (!first) + { + printf("\n"); + } + enumerator->destroy(enumerator); + + flags = x509->get_flags(x509); + printf("flags: "); + if (flags & X509_CA) + { + printf("CA "); + } + if (flags & X509_AA) + { + printf("AA "); + } + if (flags & X509_OCSP_SIGNER) + { + printf("OCSP "); + } + if (flags & X509_AA) + { + printf("AA "); + } + if (flags & X509_SERVER_AUTH) + { + printf("serverAuth "); + } + if (flags & X509_CLIENT_AUTH) + { + printf("clientAuth "); + } + if (flags & X509_SELF_SIGNED) + { + printf("self-signed "); + } + printf("\n"); + + first = TRUE; + enumerator = x509->create_crl_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("CRL URIs: %s\n", uri); + first = FALSE; + } + else + { + printf(" %s\n", uri); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_ocsp_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("OCSP URIs: %s\n", uri); + first = FALSE; + } + else + { + printf(" %s\n", uri); + } + } + enumerator->destroy(enumerator); + + len = x509->get_pathLenConstraint(x509); + if (len != X509_NO_PATH_LEN_CONSTRAINT) + { + printf("pathlen: %d\n", len); + } + + chunk = x509->get_authKeyIdentifier(x509); + if (chunk.ptr) + { + printf("authkeyId: %#B\n", &chunk); + } + + chunk = x509->get_subjectKeyIdentifier(x509); + if (chunk.ptr) + { + printf("subjkeyId: %#B\n", &chunk); + } + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + first = TRUE; + printf("addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) + { + if (first) + { + first = FALSE; + } + else + { + printf(", "); + } + printf("%R", block); + } + enumerator->destroy(enumerator); + printf("\n"); + } +} + +/** + * Print certificate information + */ +static void print_cert(certificate_t *cert) +{ + time_t now, notAfter, notBefore; + public_key_t *key; + + now = time(NULL); + + printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); + printf("subject: \"%Y\"\n", cert->get_subject(cert)); + printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); + + cert->get_validity(cert, &now, ¬Before, ¬After); + printf("validity: not before %T, ", ¬Before, FALSE); + if (now < notBefore) + { + printf("not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + printf("ok\n"); + } + printf(" not after %T, ", ¬After, FALSE); + if (now > notAfter) + { + printf("expired (%V ago)\n", &now, ¬After); + } + else + { + printf("ok (expires in %V)\n", &now, ¬After); + } + + switch (cert->get_type(cert)) + { + case CERT_X509: + print_x509((x509_t*)cert); + break; + default: + printf("parsing certificate subtype %N not implemented\n", + certificate_type_names, cert->get_type(cert)); + break; + } + + key = cert->get_public_key(cert); + if (key) + { + print_pubkey(key); + key->destroy(key); + } + else + { + printf("unable to extract public key\n"); + } +} + +/** + * Print a credential in a human readable form + */ +static int print() +{ + credential_type_t type = CRED_CERTIFICATE; + int subtype = CERT_X509; + void *cred; + char *arg, *file = NULL; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 't': + if (streq(arg, "x509")) + { + type = CRED_CERTIFICATE; + subtype = CERT_X509; + } + else if (streq(arg, "pub")) + { + type = CRED_PUBLIC_KEY; + subtype = KEY_ANY; + } + else if (streq(arg, "rsa-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_RSA; + } + else if (streq(arg, "ecdsa-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ECDSA; + } + else + { + return command_usage( "invalid input type"); + } + continue; + case 'i': + file = arg; + continue; + case EOF: + break; + default: + return command_usage("invalid --print option"); + } + break; + } + if (file) + { + cred = lib->creds->create(lib->creds, type, subtype, + BUILD_FROM_FILE, file, BUILD_END); + } + else + { + cred = lib->creds->create(lib->creds, type, subtype, + BUILD_FROM_FD, 0, BUILD_END); + } + if (!cred) + { + fprintf(stderr, "parsing input failed\n"); + return 1; + } + + if (type == CRED_CERTIFICATE) + { + certificate_t *cert = (certificate_t*)cred; + + print_cert(cert); + cert->destroy(cert); + } + if (type == CRED_PUBLIC_KEY) + { + public_key_t *key = (public_key_t*)cred; + + print_pubkey(key); + key->destroy(key); + } + if (type == CRED_PRIVATE_KEY) + { + private_key_t *key = (private_key_t*)cred; + + print_key(key); + key->destroy(key); + } + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) + { print, 'a', "print", + "print a credential in a human readable form", + {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "input file, default: stdin"}, + {"type", 't', 1, "type of credential, default: x509"}, + } + }); +} diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index de0444c1a..fc2614c7d 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -23,7 +23,7 @@ */ static int pub() { - key_encoding_type_t form = KEY_PUB_SPKI_ASN1_DER; + cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER; credential_type_t type = CRED_PRIVATE_KEY; int subtype = KEY_RSA; certificate_t *cert; @@ -67,7 +67,7 @@ static int pub() } continue; case 'f': - if (!get_form(arg, &form, TRUE)) + if (!get_form(arg, &form, CRED_PUBLIC_KEY)) { return command_usage("invalid output format"); } diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 8335f2595..a1ae2f515 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -27,6 +27,7 @@ */ static int req() { + cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert = NULL; @@ -81,6 +82,12 @@ static int req() case 'p': challenge_password = chunk_create(arg, strlen(arg)); continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case EOF: break; default: @@ -128,8 +135,7 @@ static int req() error = "generating certificate request failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate request failed"; goto end; @@ -170,7 +176,7 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--password challengePassword]", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, @@ -179,6 +185,7 @@ static void __attribute__ ((constructor))reg() {"san", 'a', 1, "subjectAltName to include in cert request"}, {"password",'p', 1, "challengePassword to include in cert request"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); } diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index d283daa6a..71776c745 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -26,6 +26,7 @@ */ static int self() { + cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert = NULL; @@ -34,7 +35,7 @@ static int self() char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL; identification_t *id = NULL; linked_list_t *san, *ocsp; - int lifetime = 1080; + int lifetime = 1095; int pathlen = X509_NO_PATH_LEN_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; @@ -100,6 +101,26 @@ static int self() case 'p': pathlen = atoi(arg); continue; + case 'e': + if (streq(arg, "serverAuth")) + { + flags |= X509_SERVER_AUTH; + } + else if (streq(arg, "clientAuth")) + { + flags |= X509_CLIENT_AUTH; + } + else if (streq(arg, "ocspSigning")) + { + flags |= X509_OCSP_SIGNER; + } + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case 'o': ocsp->insert_last(ocsp, arg); continue; @@ -179,8 +200,7 @@ static int self() error = "generating certificate failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate failed"; goto end; @@ -225,19 +245,22 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, {"type", 't', 1, "type of input key, default: rsa"}, {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1080"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c new file mode 100644 index 000000000..b7163a153 --- /dev/null +++ b/src/pki/commands/signcrl.c @@ -0,0 +1,382 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <time.h> + +#include "pki.h" + +#include <debug.h> +#include <utils/linked_list.h> +#include <credentials/certificates/certificate.h> +#include <credentials/certificates/x509.h> +#include <credentials/certificates/crl.h> + + +/** + * Entry for a revoked certificate + */ +typedef struct { + chunk_t serial; + crl_reason_t reason; + time_t date; +} revoked_t; + +/** + * Add a revocation to the list + */ +static void add_revoked(linked_list_t *list, + chunk_t serial, crl_reason_t reason, time_t date) +{ + revoked_t *revoked; + + INIT(revoked, + .serial = chunk_clone(serial), + .reason = reason, + .date = date, + ); + list->insert_last(list, revoked); +} + +/** + * Destroy a reason entry + */ +static void revoked_destroy(revoked_t *revoked) +{ + free(revoked->serial.ptr); + free(revoked); +} + +/** + * Filter for revoked enumerator + */ +static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2, + time_t *date, void *p3, crl_reason_t *reason) +{ + *serial = (*revoked)->serial; + *date = (*revoked)->date; + *reason = (*revoked)->reason; + return TRUE; +} + +/** + * Extract the serial of a certificate, write it into buf + */ +static int read_serial(char *file, char *buf, int buflen) +{ + certificate_t *cert; + x509_t *x509; + chunk_t serial; + + x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + cert = &x509->interface; + if (!cert) + { + return -1; + } + serial = x509->get_serial(x509); + if (serial.len == 0 || serial.len > buflen) + { + cert->destroy(cert); + return -2; + } + memcpy(buf, serial.ptr, serial.len); + cert->destroy(cert); + return serial.len; +} + +/** + * Sign a CRL + */ +static int sign_crl() +{ + cred_encoding_type_t form = CERT_ASN1_DER; + private_key_t *private = NULL; + public_key_t *public = NULL; + certificate_t *ca = NULL, *crl = NULL; + crl_t *lastcrl = NULL; + x509_t *x509; + hash_algorithm_t digest = HASH_SHA1; + char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; + char serial[512], crl_serial[8]; + int serial_len = 0; + crl_reason_t reason = CRL_REASON_UNSPECIFIED; + time_t thisUpdate, nextUpdate, date = time(NULL); + int lifetime = 15; + linked_list_t *list; + enumerator_t *enumerator, *lastenum = NULL; + chunk_t encoding = chunk_empty; + + list = linked_list_create(); + + memset(crl_serial, 0, sizeof(crl_serial)); + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + goto usage; + case 'g': + digest = get_digest(arg); + if (digest == HASH_UNKNOWN) + { + error = "invalid --digest type"; + goto usage; + } + continue; + case 'c': + cacert = arg; + continue; + case 'k': + cakey = arg; + continue; + case 'a': + lastupdate = arg; + continue; + case 'l': + lifetime = atoi(arg); + if (!lifetime) + { + error = "invalid lifetime"; + goto usage; + } + continue; + case 'z': + serial_len = read_serial(arg, serial, sizeof(serial)); + if (serial_len < 0) + { + snprintf(serial, sizeof(serial), + "parsing certificate '%s' failed", arg); + error = serial; + goto error; + } + add_revoked(list, chunk_create(serial, serial_len), reason, date); + date = time(NULL); + serial_len = 0; + reason = CRL_REASON_UNSPECIFIED; + continue; + case 's': + { + chunk_t chunk; + int hex_len; + + hex_len = strlen(arg); + if ((hex_len / 2) + (hex_len % 2) > sizeof(serial)) + { + error = "invalid serial"; + goto usage; + } + chunk = chunk_from_hex(chunk_create(arg, hex_len), serial); + serial_len = chunk.len; + add_revoked(list, chunk_create(serial, serial_len), reason, date); + date = time(NULL); + serial_len = 0; + reason = CRL_REASON_UNSPECIFIED; + continue; + } + case 'r': + if (streq(arg, "key-compromise")) + { + reason = CRL_REASON_KEY_COMPROMISE; + } + else if (streq(arg, "ca-compromise")) + { + reason = CRL_REASON_CA_COMPROMISE; + } + else if (streq(arg, "affiliation-changed")) + { + reason = CRL_REASON_AFFILIATION_CHANGED; + } + else if (streq(arg, "superseded")) + { + reason = CRL_REASON_SUPERSEDED; + } + else if (streq(arg, "cessation-of-operation")) + { + reason = CRL_REASON_CESSATION_OF_OPERATON; + } + else if (streq(arg, "certificate-hold")) + { + reason = CRL_REASON_CERTIFICATE_HOLD; + } + else + { + return command_usage( "invalid revocation reason"); + } + continue; + case 'd': + date = atol(arg); + if (!date) + { + error = "invalid date"; + goto usage; + } + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; + case EOF: + break; + default: + error = "invalid --signcrl option"; + goto usage; + } + break; + } + + if (!cacert) + { + error = "--cacert is required"; + goto usage; + } + if (!cakey) + { + error = "--cakey is required"; + goto usage; + } + + ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, cacert, BUILD_END); + if (!ca) + { + error = "parsing CA certificate failed"; + goto error; + } + x509 = (x509_t*)ca; + if (!(x509->get_flags(x509) & X509_CA)) + { + error = "CA certificate misses CA basicConstraint"; + goto error; + } + public = ca->get_public_key(ca); + if (!public) + { + error = "extracting CA certificate public key failed"; + goto error; + } + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + public->get_type(public), + BUILD_FROM_FILE, cakey, BUILD_END); + if (!private) + { + error = "parsing CA private key failed"; + goto error; + } + if (!private->belongs_to(private, public)) + { + error = "CA private key does not match CA certificate"; + goto error; + } + + thisUpdate = time(NULL); + nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; + + if (lastupdate) + { + lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, lastupdate, BUILD_END); + if (!lastcrl) + { + error = "loading lastUpdate CRL failed"; + goto error; + } + memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, + min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + lastenum = lastcrl->create_enumerator(lastcrl); + } + + chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); + + enumerator = enumerator_create_filter(list->create_enumerator(list), + (void*)filter, NULL, NULL); + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, + BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), + BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, + BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, + lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_END); + enumerator->destroy(enumerator); + DESTROY_IF(lastenum); + DESTROY_IF((certificate_t*)lastcrl); + + if (!crl) + { + error = "generating CRL failed"; + goto error; + } + if (!crl->get_encoding(crl, form, &encoding)) + { + error = "encoding CRL failed"; + goto error; + } + if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1) + { + error = "writing CRL failed"; + goto error; + } + +error: + DESTROY_IF(public); + DESTROY_IF(private); + DESTROY_IF(ca); + DESTROY_IF(crl); + free(encoding.ptr); + list->destroy_function(list, (void*)revoked_destroy); + if (error) + { + fprintf(stderr, "%s\n", error); + return 1; + } + return 0; + +usage: + list->destroy_function(list, (void*)revoked_destroy); + return command_usage(error); +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + sign_crl, 'c', "signcrl", + "issue a CRL using a CA certificate and key", + {"--cacert file --cakey file --lifetime days", + "[ [--reason key-compromise|ca-compromise|affiliation-changed|", + " superseded|cessation-of-operation|certificate-hold]", + " [--date timestamp]", + " --cert file | --serial hex ]*", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, + } + }); +} diff --git a/src/pki/pki.c b/src/pki/pki.c index 0912d5051..d5dd03fa0 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -21,26 +21,59 @@ /** * Convert a form string to a encoding type */ -bool get_form(char *form, key_encoding_type_t *type, bool pub) +bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type) { if (streq(form, "der")) { - /* der encoded keys usually contain the complete SubjectPublicKeyInfo */ - *type = pub ? KEY_PUB_SPKI_ASN1_DER : KEY_PRIV_ASN1_DER; + switch (type) + { + case CRED_CERTIFICATE: + *enc = CERT_ASN1_DER; + return TRUE; + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_ASN1_DER; + return TRUE; + case CRED_PUBLIC_KEY: + /* der encoded keys usually contain the complete + * SubjectPublicKeyInfo */ + *enc = PUBKEY_SPKI_ASN1_DER; + return TRUE; + default: + return FALSE; + } } else if (streq(form, "pem")) { - *type = pub ? KEY_PUB_PEM : KEY_PRIV_PEM; + switch (type) + { + case CRED_CERTIFICATE: + *enc = CERT_PEM; + return TRUE; + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_PEM; + return TRUE; + case CRED_PUBLIC_KEY: + *enc = PUBKEY_PEM; + return TRUE; + default: + return FALSE; + } } else if (streq(form, "pgp")) { - *type = pub ? KEY_PUB_PGP : KEY_PRIV_PGP; + switch (type) + { + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_PGP; + return TRUE; + case CRED_PUBLIC_KEY: + *enc = PUBKEY_PGP; + return TRUE; + default: + return FALSE; + } } - else - { - return FALSE; - } - return TRUE; + return FALSE; } /** diff --git a/src/pki/pki.h b/src/pki/pki.h index 01b103c8f..9c145cdc0 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -29,7 +29,7 @@ /** * Convert a form string to a encoding type */ -bool get_form(char *form, key_encoding_type_t *type, bool pub); +bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type); /** * Convert a digest string to a hash algorithm |