diff options
Diffstat (limited to 'src/pki/commands')
| -rw-r--r-- | src/pki/commands/issue.c | 7 | ||||
| -rw-r--r-- | src/pki/commands/keyid.c | 20 | ||||
| -rw-r--r-- | src/pki/commands/print.c | 16 | ||||
| -rw-r--r-- | src/pki/commands/pub.c | 11 | ||||
| -rw-r--r-- | src/pki/commands/req.c | 10 | ||||
| -rw-r--r-- | src/pki/commands/self.c | 8 | ||||
| -rw-r--r-- | src/pki/commands/signcrl.c | 18 | ||||
| -rw-r--r-- | src/pki/commands/verify.c | 18 |
8 files changed, 80 insertions, 28 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index fdc43d705..b15f90199 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -117,6 +117,11 @@ static int issue() type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } else if (!streq(arg, "pub")) { error = "invalid input type"; @@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { issue, 'i', "issue", "issue a certificate using a CA certificate and key", - {"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex", + {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex", " --cacert file [--dn subject-dn] [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--pathlen len]", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c index 3bc62e74d..f79120b31 100644 --- a/src/pki/commands/keyid.c +++ b/src/pki/commands/keyid.c @@ -26,7 +26,7 @@ static int keyid() { credential_type_t type = CRED_PRIVATE_KEY; - int subtype = KEY_RSA; + int subtype = KEY_ANY; certificate_t *cert; private_key_t *private; public_key_t *public; @@ -42,21 +42,29 @@ static int keyid() case 'h': return command_usage(NULL); case 't': - if (streq(arg, "rsa-priv")) + if (streq(arg, "rsa") || + streq(arg, "rsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_RSA; } - else if (streq(arg, "ecdsa-priv")) + else if (streq(arg, "ecdsa") || + streq(arg, "ecdsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } - else if (streq(arg, "bliss-priv")) + else if (streq(arg, "bliss") || + streq(arg, "bliss-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { keyid, 'k', "keyid", "calculate key identifiers of a key/certificate", - {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"}, + {"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, - {"type", 't', 1, "type of key, default: rsa-priv"}, + {"type", 't', 1, "type of key, default: priv"}, } }); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index c367a21a9..8cb0a7b5d 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -89,17 +89,25 @@ static int print() type = CRED_CERTIFICATE; subtype = CERT_TRUSTED_PUBKEY; } - else if (streq(arg, "rsa-priv")) + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } + else if (streq(arg, "rsa") || + streq(arg, "rsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_RSA; } - else if (streq(arg, "ecdsa-priv")) + else if (streq(arg, "ecdsa") || + streq(arg, "ecdsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } - else if (streq(arg, "bliss-priv")) + else if (streq(arg, "bliss") || + streq(arg, "bliss-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; @@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { print, 'a', "print", "print a credential in a human readable form", - {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"}, + {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index ccc3c4251..1d876f6f7 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -28,7 +28,7 @@ static int pub() { cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER; credential_type_t type = CRED_PRIVATE_KEY; - int subtype = KEY_RSA; + int subtype = KEY_ANY; certificate_t *cert; private_key_t *private; public_key_t *public; @@ -59,6 +59,11 @@ static int pub() type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { pub, 'p', "pub", "extract the public key from a private key/certificate", - {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]", + {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]", "[--outform der|pem|dnskey|sshkey]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of credential, default: rsa"}, + {"type", 't', 1, "type of credential, default: priv"}, {"outform", 'f', 1, "encoding of extracted public key, default: der"}, } }); diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 68d611250..23d07a28d 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -30,7 +30,7 @@ static int req() { cred_encoding_type_t form = CERT_ASN1_DER; - key_type_t type = KEY_RSA; + key_type_t type = KEY_ANY; hash_algorithm_t digest = HASH_UNKNOWN; certificate_t *cert = NULL; private_key_t *private = NULL; @@ -62,6 +62,10 @@ static int req() { type = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = KEY_ANY; + } else { error = "invalid input type"; @@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { req, 'r', "req", "create a PKCS#10 certificate request", - {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name", + {" [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name", "[--san subjectAltName]+ [--password challengePassword]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, - {"type", 't', 1, "type of input key, default: rsa"}, + {"type", 't', 1, "type of input key, default: priv"}, {"dn", 'd', 1, "subject distinguished name"}, {"san", 'a', 1, "subjectAltName to include in cert request"}, {"password",'p', 1, "challengePassword to include in cert request"}, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index f4e83c76c..6fb7b75ae 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -94,6 +94,10 @@ static int self() { type = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = KEY_ANY; + } else { error = "invalid input type"; @@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]", + {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", @@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of input key, default: rsa"}, + {"type", 't', 1, "type of input key, default: priv"}, {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 6c27289f9..b9cf9c466 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -369,18 +369,22 @@ static int sign_crl() } else { - crl_serial = chunk_from_chars(0x00); + if (!crl_serial.ptr) + { + crl_serial = chunk_from_chars(0x00); + } lastenum = enumerator_create_empty(); } - /* remove superfluous leading zeros */ - while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 && - (crl_serial.ptr[1] & 0x80) == 0x00) + if (!crl_serial.len || crl_serial.ptr[0] & 0x80) + { /* add leading 0x00 to handle potential overflow if serial is encoded + * incorrectly */ + crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial); + } + else { - crl_serial = chunk_skip_zero(crl_serial); + crl_serial = chunk_clone(crl_serial); } - crl_serial = chunk_clone(crl_serial); - /* increment the serial number by one */ chunk_increment(crl_serial); diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c index 8cc633a95..dd667fb34 100644 --- a/src/pki/commands/verify.c +++ b/src/pki/commands/verify.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -59,6 +60,18 @@ static int verify() has_ca = TRUE; creds->add_cert(creds, TRUE, cert); continue; + case 'l': + cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, arg, BUILD_END); + if (!cert) + { + fprintf(stderr, "parsing CRL failed\n"); + goto end; + } + online = TRUE; + creds->add_crl(creds, (crl_t*)cert); + continue; case 'o': online = TRUE; continue; @@ -173,11 +186,12 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { verify, 'v', "verify", "verify a certificate using the CA certificate", - {"[--in file] [--cacert file]"}, + {"[--in file] [--cacert file] [--crl file]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "X.509 certificate to verify, default: stdin"}, {"cacert", 'c', 1, "CA certificate for trustchain verification"}, + {"crl", 'l', 1, "CRL for trustchain verification"}, {"online", 'o', 0, "enable online CRL/OCSP revocation checking"}, } }); |