2 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
3 * 2011 Free Software Foundation, Inc.
5 * This file is part of GnuTLS.
7 * GnuTLS is free software: you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuTLS is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program. If not, see
19 * <http://www.gnu.org/licenses/>.
24 #include <gnutls/gnutls.h>
25 #include <gnutls/x509.h>
26 #include <gnutls/openpgp.h>
27 #include <gnutls/pkcs12.h>
28 #include <gnutls/pkcs11.h>
29 #include <gnutls/abstract.h>
38 #include <sys/types.h>
43 /* Gnulib portability files. */
44 #include <read-file.h>
46 #include <version-etc.h>
48 #include <certtool-cfg.h>
49 #include <p11common.h>
50 #include "certtool-gaa.h"
51 #include "certtool-common.h"
53 #define SIGN_HASH GNUTLS_DIG_SHA1
55 static void print_crl_info (gnutls_x509_crl_t crl, FILE * out);
56 void pkcs7_info (void);
58 void smime_to_pkcs7 (void);
59 void pkcs12_info (void);
60 void generate_pkcs12 (common_info_st *);
61 void generate_pkcs8 (common_info_st *);
62 void verify_chain (void);
63 void verify_crl (common_info_st * cinfo);
64 void pubkey_info (gnutls_x509_crt crt, common_info_st *);
65 void pgp_privkey_info (void);
66 void pgp_ring_info (void);
67 void certificate_info (int, common_info_st *);
68 void pgp_certificate_info (void);
70 void privkey_info (void);
71 static void gaa_parser (int argc, char **argv);
72 void generate_self_signed (common_info_st *);
73 void generate_request (common_info_st *);
74 static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
77 static void print_hex_datum (gnutls_datum_t * dat);
82 gnutls_digest_algorithm_t default_dig;
84 /* non interactive operation if set
90 tls_log_func (int level, const char *str)
92 fprintf (stderr, "|<%d>| %s", level, str);
96 main (int argc, char **argv)
98 set_program_name (argv[0]);
100 gaa_parser (argc, argv);
106 raw_to_string (const unsigned char *raw, size_t raw_size)
108 static char buf[1024];
113 if (raw_size * 3 + 1 >= sizeof (buf))
116 for (i = 0; i < raw_size; i++)
118 sprintf (&(buf[i * 3]), "%02X%s", raw[i],
119 (i == raw_size - 1) ? "" : ":");
121 buf[sizeof (buf) - 1] = '\0';
127 print_dsa_pkey (gnutls_datum_t * x, gnutls_datum_t * y, gnutls_datum_t * p,
128 gnutls_datum_t * q, gnutls_datum_t * g)
132 fprintf (outfile, "private key:");
135 fprintf (outfile, "public key:");
137 fprintf (outfile, "p:");
139 fprintf (outfile, "q:");
141 fprintf (outfile, "g:");
146 print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d,
147 gnutls_datum_t * p, gnutls_datum_t * q, gnutls_datum_t * u,
148 gnutls_datum_t * exp1, gnutls_datum_t * exp2)
150 fprintf (outfile, "modulus:");
152 fprintf (outfile, "public exponent:");
156 fprintf (outfile, "private exponent:");
158 fprintf (outfile, "prime1:");
160 fprintf (outfile, "prime2:");
162 fprintf (outfile, "coefficient:");
166 fprintf (outfile, "exp1:");
167 print_hex_datum (exp1);
168 fprintf (outfile, "exp2:");
169 print_hex_datum (exp2);
174 static gnutls_sec_param_t
175 str_to_sec_param (const char *str)
177 if (strcasecmp (str, "low") == 0)
179 return GNUTLS_SEC_PARAM_LOW;
181 else if (strcasecmp (str, "normal") == 0)
183 return GNUTLS_SEC_PARAM_NORMAL;
185 else if (strcasecmp (str, "high") == 0)
187 return GNUTLS_SEC_PARAM_HIGH;
189 else if (strcasecmp (str, "ultra") == 0)
191 return GNUTLS_SEC_PARAM_ULTRA;
195 fprintf (stderr, "Unknown security parameter string: %s\n", str);
202 get_bits (gnutls_pk_algorithm_t key_type)
208 static int warned = 0;
214 "** Note: Please use the --sec-param instead of --bits\n");
223 gnutls_sec_param_to_pk_bits (key_type,
224 str_to_sec_param (info.sec_param));
228 gnutls_sec_param_to_pk_bits (key_type, GNUTLS_SEC_PARAM_NORMAL);
235 static gnutls_x509_privkey_t
236 generate_private_key_int (void)
238 gnutls_x509_privkey_t key;
239 int ret, key_type, bits;
243 key_type = GNUTLS_PK_DSA;
246 key_type = GNUTLS_PK_RSA;
248 ret = gnutls_x509_privkey_init (&key);
250 error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
252 bits = get_bits (key_type);
254 fprintf (stderr, "Generating a %d bit %s private key...\n",
255 bits, gnutls_pk_algorithm_get_name (key_type));
257 if (info.quick_random == 0)
259 "This might take several minutes depending on availability of randomness"
260 " in /dev/random.\n");
262 if (bits > 1024 && key_type == GNUTLS_PK_DSA)
264 "Note that DSA keys with size over 1024 can only be used with TLS 1.2 or later.\n\n");
266 ret = gnutls_x509_privkey_generate (key, key_type,bits, 0);
268 error (EXIT_FAILURE, 0, "privkey_generate: %s", gnutls_strerror (ret));
274 cipher_to_flags (const char *cipher)
276 if (strcasecmp (cipher, "3des") == 0)
278 return GNUTLS_PKCS_USE_PBES2_3DES;
280 else if (strcasecmp (cipher, "3des-pkcs12") == 0)
282 return GNUTLS_PKCS_USE_PKCS12_3DES;
284 else if (strcasecmp (cipher, "arcfour") == 0)
286 return GNUTLS_PKCS_USE_PKCS12_ARCFOUR;
288 else if (strcasecmp (cipher, "aes-128") == 0)
290 return GNUTLS_PKCS_USE_PBES2_AES_128;
292 else if (strcasecmp (cipher, "aes-192") == 0)
294 return GNUTLS_PKCS_USE_PBES2_AES_192;
296 else if (strcasecmp (cipher, "aes-256") == 0)
298 return GNUTLS_PKCS_USE_PBES2_AES_256;
300 else if (strcasecmp (cipher, "rc2-40") == 0)
302 return GNUTLS_PKCS_USE_PKCS12_RC2_40;
305 error (EXIT_FAILURE, 0, "Unknown cipher %s\n", cipher);
311 print_private_key (gnutls_x509_privkey_t key)
322 ret = gnutls_x509_privkey_export (key, info.outcert_format,
325 error (EXIT_FAILURE, 0, "privkey_export: %s", gnutls_strerror (ret));
333 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
335 flags = cipher_to_flags (info.pkcs_cipher);
337 if ((pass = get_confirmed_pass (true)) == NULL || *pass == '\0')
338 flags = GNUTLS_PKCS_PLAIN;
342 gnutls_x509_privkey_export_pkcs8 (key, info.outcert_format, pass,
343 flags, buffer, &size);
345 error (EXIT_FAILURE, 0, "privkey_export_pkcs8: %s",
346 gnutls_strerror (ret));
349 fwrite (buffer, 1, size, outfile);
353 generate_private_key (void)
355 gnutls_x509_privkey_t key;
357 key = generate_private_key_int ();
359 print_private_key (key);
361 gnutls_x509_privkey_deinit (key);
365 static gnutls_x509_crt_t
366 generate_certificate (gnutls_privkey_t * ret_key,
367 gnutls_x509_crt_t ca_crt, int proxy,
368 common_info_st * cinfo)
370 gnutls_x509_crt_t crt;
371 gnutls_privkey_t key = NULL;
372 gnutls_pubkey_t pubkey;
376 int days, result, ca_status = 0, is_ike = 0, path_len;
378 unsigned int usage = 0, server;
379 gnutls_x509_crq_t crq; /* request */
381 ret = gnutls_x509_crt_init (&crt);
383 error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
385 crq = load_request (cinfo);
390 key = load_private_key (1, cinfo);
392 pubkey = load_public_key_or_import (1, key, cinfo);
396 "Please enter the details of the certificate's distinguished name. "
397 "Just press enter to ignore a field.\n");
403 result = gnutls_x509_crt_set_proxy_dn (crt, ca_crt, 0, NULL, 0);
405 error (EXIT_FAILURE, 0, "set_proxy_dn: %s",
406 gnutls_strerror (result));
408 get_cn_crt_set (crt);
412 get_country_crt_set (crt);
413 get_organization_crt_set (crt);
414 get_unit_crt_set (crt);
415 get_locality_crt_set (crt);
416 get_state_crt_set (crt);
417 get_cn_crt_set (crt);
418 get_uid_crt_set (crt);
419 get_oid_crt_set (crt);
420 get_key_purpose_set (crt);
424 "This field should not be used in new certificates.\n");
426 get_pkcs9_email_crt_set (crt);
429 result = gnutls_x509_crt_set_pubkey (crt, pubkey);
431 error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (result));
435 result = gnutls_x509_crt_set_crq (crt, crq);
437 error (EXIT_FAILURE, 0, "set_crq: %s", gnutls_strerror (result));
442 int serial = get_serial ();
445 bin_serial[4] = serial & 0xff;
446 bin_serial[3] = (serial >> 8) & 0xff;
447 bin_serial[2] = (serial >> 16) & 0xff;
448 bin_serial[1] = (serial >> 24) & 0xff;
451 result = gnutls_x509_crt_set_serial (crt, bin_serial, 5);
453 error (EXIT_FAILURE, 0, "serial: %s", gnutls_strerror (result));
457 fprintf (stderr, "\n\nActivation/Expiration time.\n");
459 gnutls_x509_crt_set_activation_time (crt, time (NULL));
464 gnutls_x509_crt_set_expiration_time (crt,
465 time (NULL) + days * 24 * 60 * 60);
467 error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
470 fprintf (stderr, "\n\nExtensions.\n");
472 /* do not allow extensions on a v1 certificate */
473 if (crq && get_crq_extensions_status () != 0)
475 result = gnutls_x509_crt_set_crq_extensions (crt, crq);
477 error (EXIT_FAILURE, 0, "set_crq: %s", gnutls_strerror (result));
480 /* append additional extensions */
481 if (info.v1_cert == 0)
486 const char *policylanguage;
489 int proxypathlen = get_path_len ();
493 printf ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
494 printf ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
497 policylanguage = get_proxy_policy (&policy, &policylen);
500 gnutls_x509_crt_set_proxy (crt, proxypathlen, policylanguage,
503 error (EXIT_FAILURE, 0, "set_proxy: %s",
504 gnutls_strerror (result));
508 ca_status = get_ca_status ();
510 path_len = get_path_len ();
515 gnutls_x509_crt_set_basic_constraints (crt, ca_status, path_len);
517 error (EXIT_FAILURE, 0, "basic_constraints: %s",
518 gnutls_strerror (result));
520 client = get_tls_client_status ();
523 result = gnutls_x509_crt_set_key_purpose_oid (crt,
524 GNUTLS_KP_TLS_WWW_CLIENT,
527 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
530 is_ike = get_ipsec_ike_status ();
531 server = get_tls_server_status ();
532 if ((server != 0 && !proxy) || is_ike)
534 get_dns_name_set (TYPE_CRT, crt);
535 get_ip_addr_set (TYPE_CRT, crt);
543 gnutls_x509_crt_set_key_purpose_oid (crt,
544 GNUTLS_KP_TLS_WWW_SERVER, 0);
546 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
550 get_email_set (TYPE_CRT, crt);
553 if (!ca_status || server)
558 pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
560 if (pk != GNUTLS_PK_DSA)
561 { /* DSA keys can only sign.
563 result = get_sign_status (server);
565 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
567 result = get_encrypt_status (server);
569 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
572 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
577 gnutls_x509_crt_set_key_purpose_oid (crt,
578 GNUTLS_KP_IPSEC_IKE, 0);
580 error (EXIT_FAILURE, 0, "key_kp: %s",
581 gnutls_strerror (result));
588 result = get_cert_sign_status ();
590 usage |= GNUTLS_KEY_KEY_CERT_SIGN;
592 result = get_crl_sign_status ();
594 usage |= GNUTLS_KEY_CRL_SIGN;
596 result = get_code_sign_status ();
600 gnutls_x509_crt_set_key_purpose_oid (crt,
601 GNUTLS_KP_CODE_SIGNING,
604 error (EXIT_FAILURE, 0, "key_kp: %s",
605 gnutls_strerror (result));
608 result = get_ocsp_sign_status ();
612 gnutls_x509_crt_set_key_purpose_oid (crt,
613 GNUTLS_KP_OCSP_SIGNING,
616 error (EXIT_FAILURE, 0, "key_kp: %s",
617 gnutls_strerror (result));
620 result = get_time_stamp_status ();
624 gnutls_x509_crt_set_key_purpose_oid (crt,
625 GNUTLS_KP_TIME_STAMPING,
628 error (EXIT_FAILURE, 0, "key_kp: %s",
629 gnutls_strerror (result));
635 /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
636 set, then either digitalSignature or the nonRepudiation bits in the
637 KeyUsage extension MUST for all IKE certs */
638 if (is_ike && (get_sign_status (server) != 1))
639 usage |= GNUTLS_KEY_NON_REPUDIATION;
640 result = gnutls_x509_crt_set_key_usage (crt, usage);
642 error (EXIT_FAILURE, 0, "key_usage: %s",
643 gnutls_strerror (result));
649 result = gnutls_x509_crt_get_key_id (crt, 0, buffer, &size);
652 result = gnutls_x509_crt_set_subject_key_id (crt, buffer, size);
654 error (EXIT_FAILURE, 0, "set_subject_key_id: %s",
655 gnutls_strerror (result));
663 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
668 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
673 gnutls_x509_crt_set_authority_key_id (crt, buffer, size);
675 error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
676 gnutls_strerror (result));
683 if (info.v1_cert != 0)
687 result = gnutls_x509_crt_set_version (crt, vers);
689 error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
696 static gnutls_x509_crl_t
697 generate_crl (gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
699 gnutls_x509_crl_t crl;
700 gnutls_x509_crt_t *crts;
704 time_t now = time (NULL);
706 result = gnutls_x509_crl_init (&crl);
708 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (result));
710 crts = load_cert_list (0, &size, cinfo);
712 for (i = 0; i < size; i++)
714 result = gnutls_x509_crl_set_crt (crl, crts[i], now);
716 error (EXIT_FAILURE, 0, "crl_set_crt: %s", gnutls_strerror (result));
719 result = gnutls_x509_crl_set_this_update (crl, now);
721 error (EXIT_FAILURE, 0, "this_update: %s", gnutls_strerror (result));
723 fprintf (stderr, "Update times.\n");
724 days = get_crl_next_update ();
726 result = gnutls_x509_crl_set_next_update (crl, now + days * 24 * 60 * 60);
728 error (EXIT_FAILURE, 0, "next_update: %s", gnutls_strerror (result));
730 result = gnutls_x509_crl_set_version (crl, 2);
732 error (EXIT_FAILURE, 0, "set_version: %s", gnutls_strerror (result));
739 result = gnutls_x509_crt_get_subject_key_id (ca_crt, buffer,
744 result = gnutls_x509_crt_get_key_id (ca_crt, 0, buffer, &size);
748 result = gnutls_x509_crl_set_authority_key_id (crl, buffer, size);
750 error (EXIT_FAILURE, 0, "set_authority_key_id: %s",
751 gnutls_strerror (result));
756 unsigned int number = get_crl_number ();
759 bin_number[4] = number & 0xff;
760 bin_number[3] = (number >> 8) & 0xff;
761 bin_number[2] = (number >> 16) & 0xff;
762 bin_number[1] = (number >> 24) & 0xff;
765 result = gnutls_x509_crl_set_number (crl, bin_number, 5);
767 error (EXIT_FAILURE, 0, "set_number: %s", gnutls_strerror (result));
773 static gnutls_digest_algorithm_t
774 get_dig (gnutls_x509_crt crt)
776 gnutls_digest_algorithm_t dig;
777 gnutls_pubkey_t pubkey;
781 gnutls_pubkey_init(&pubkey);
783 result = gnutls_pubkey_import_x509(pubkey, crt, 0);
786 error (EXIT_FAILURE, 0, "gnutls_pubkey_import_x509: %s",
787 gnutls_strerror (result));
790 result = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &dig, &mand);
793 error (EXIT_FAILURE, 0, "crt_get_preferred_hash_algorithm: %s",
794 gnutls_strerror (result));
797 gnutls_pubkey_deinit(pubkey);
799 /* if algorithm allows alternatives */
800 if (mand == 0 && default_dig != GNUTLS_DIG_UNKNOWN)
807 generate_self_signed (common_info_st * cinfo)
809 gnutls_x509_crt_t crt;
810 gnutls_privkey_t key;
815 fprintf (stderr, "Generating a self signed certificate...\n");
817 crt = generate_certificate (&key, NULL, 0, cinfo);
820 key = load_private_key (1, cinfo);
822 uri = get_crl_dist_point_url ();
825 result = gnutls_x509_crt_set_crl_dist_points (crt, GNUTLS_SAN_URI,
827 0 /* all reasons */ );
829 error (EXIT_FAILURE, 0, "crl_dist_points: %s",
830 gnutls_strerror (result));
833 print_certificate_info (crt, stderr, 0);
835 fprintf (stderr, "\n\nSigning certificate...\n");
837 result = gnutls_x509_crt_privkey_sign (crt, crt, key, get_dig (crt), 0);
839 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
842 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
844 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
846 fwrite (buffer, 1, size, outfile);
848 gnutls_x509_crt_deinit (crt);
849 gnutls_privkey_deinit (key);
853 generate_signed_certificate (common_info_st * cinfo)
855 gnutls_x509_crt_t crt;
856 gnutls_privkey_t key;
859 gnutls_privkey_t ca_key;
860 gnutls_x509_crt_t ca_crt;
862 fprintf (stderr, "Generating a signed certificate...\n");
864 ca_key = load_ca_private_key (cinfo);
865 ca_crt = load_ca_cert (cinfo);
867 crt = generate_certificate (&key, ca_crt, 0, cinfo);
869 /* Copy the CRL distribution points.
871 gnutls_x509_crt_cpy_crl_dist_points (crt, ca_crt);
872 /* it doesn't matter if we couldn't copy the CRL dist points.
875 print_certificate_info (crt, stderr, 0);
877 fprintf (stderr, "\n\nSigning certificate...\n");
879 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
881 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
884 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
886 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
888 fwrite (buffer, 1, size, outfile);
890 gnutls_x509_crt_deinit (crt);
891 gnutls_privkey_deinit (key);
892 gnutls_privkey_deinit(ca_key);
896 generate_proxy_certificate (common_info_st * cinfo)
898 gnutls_x509_crt_t crt, eecrt;
899 gnutls_privkey_t key, eekey;
903 fprintf (stderr, "Generating a proxy certificate...\n");
905 eekey = load_ca_private_key (cinfo);
906 eecrt = load_cert (1, cinfo);
908 crt = generate_certificate (&key, eecrt, 1, cinfo);
910 print_certificate_info (crt, stderr, 0);
912 fprintf (stderr, "\n\nSigning certificate...\n");
914 result = gnutls_x509_crt_privkey_sign (crt, eecrt, eekey, get_dig (eecrt), 0);
916 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
919 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
921 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
923 fwrite (buffer, 1, size, outfile);
925 gnutls_x509_crt_deinit (eecrt);
926 gnutls_x509_crt_deinit (crt);
927 gnutls_privkey_deinit (key);
928 gnutls_privkey_deinit (eekey);
932 generate_signed_crl (common_info_st * cinfo)
934 gnutls_x509_crl_t crl;
936 gnutls_privkey_t ca_key;
937 gnutls_x509_crt_t ca_crt;
939 fprintf (stderr, "Generating a signed CRL...\n");
941 ca_key = load_ca_private_key (cinfo);
942 ca_crt = load_ca_cert (cinfo);
943 crl = generate_crl (ca_crt, cinfo);
945 fprintf (stderr, "\n");
946 result = gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key, SIGN_HASH, 0);
948 error (EXIT_FAILURE, 0, "crl_privkey_sign: %s", gnutls_strerror (result));
950 print_crl_info (crl, stderr);
952 gnutls_privkey_deinit( ca_key);
953 gnutls_x509_crl_deinit (crl);
957 update_signed_certificate (common_info_st * cinfo)
959 gnutls_x509_crt_t crt;
962 gnutls_privkey_t ca_key;
963 gnutls_x509_crt_t ca_crt;
965 time_t tim = time (NULL);
967 fprintf (stderr, "Generating a signed certificate...\n");
969 ca_key = load_ca_private_key (cinfo);
970 ca_crt = load_ca_cert (cinfo);
971 crt = load_cert (1, cinfo);
973 fprintf (stderr, "Activation/Expiration time.\n");
974 gnutls_x509_crt_set_activation_time (crt, tim);
979 gnutls_x509_crt_set_expiration_time (crt, tim + days * 24 * 60 * 60);
981 error (EXIT_FAILURE, 0, "set_expiration: %s", gnutls_strerror (result));
983 fprintf (stderr, "\n\nSigning certificate...\n");
985 result = gnutls_x509_crt_privkey_sign (crt, ca_crt, ca_key, get_dig (ca_crt), 0);
987 error (EXIT_FAILURE, 0, "crt_sign: %s", gnutls_strerror (result));
990 result = gnutls_x509_crt_export (crt, info.outcert_format, buffer, &size);
992 error (EXIT_FAILURE, 0, "crt_export: %s", gnutls_strerror (result));
994 fwrite (buffer, 1, size, outfile);
996 gnutls_x509_crt_deinit (crt);
1000 gaa_parser (int argc, char **argv)
1003 common_info_st cinfo;
1005 if (gaa (argc, argv, &info) != -1)
1007 fprintf (stderr, "Try `%s --help' for more information.\n",
1014 outfile = safe_open_rw (info.outfile, info.privkey_op);
1015 if (outfile == NULL)
1016 error (EXIT_FAILURE, errno, "%s", info.outfile);
1023 infile = fopen (info.infile, "rb");
1025 error (EXIT_FAILURE, errno, "%s", info.infile);
1030 if (info.incert_format)
1031 info.incert_format = GNUTLS_X509_FMT_DER;
1033 info.incert_format = GNUTLS_X509_FMT_PEM;
1035 if (info.outcert_format)
1036 info.outcert_format = GNUTLS_X509_FMT_DER;
1038 info.outcert_format = GNUTLS_X509_FMT_PEM;
1040 default_dig = GNUTLS_DIG_UNKNOWN;
1041 if (info.hash != NULL)
1043 if (strcasecmp (info.hash, "md5") == 0)
1046 "Warning: MD5 is broken, and should not be used any more for digital signatures.\n");
1047 default_dig = GNUTLS_DIG_MD5;
1049 else if (strcasecmp (info.hash, "sha1") == 0)
1050 default_dig = GNUTLS_DIG_SHA1;
1051 else if (strcasecmp (info.hash, "sha256") == 0)
1052 default_dig = GNUTLS_DIG_SHA256;
1053 else if (strcasecmp (info.hash, "sha224") == 0)
1054 default_dig = GNUTLS_DIG_SHA224;
1055 else if (strcasecmp (info.hash, "sha384") == 0)
1056 default_dig = GNUTLS_DIG_SHA384;
1057 else if (strcasecmp (info.hash, "sha512") == 0)
1058 default_dig = GNUTLS_DIG_SHA512;
1059 else if (strcasecmp (info.hash, "rmd160") == 0)
1060 default_dig = GNUTLS_DIG_RMD160;
1062 error (EXIT_FAILURE, 0, "invalid hash: %s", info.hash);
1069 template_parse (info.template);
1072 gnutls_global_set_log_function (tls_log_func);
1073 gnutls_global_set_log_level (info.debug);
1075 printf ("Setting log level to %d\n", info.debug);
1077 if ((ret = gnutls_global_init ()) < 0)
1078 error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
1080 #ifdef ENABLE_PKCS11
1084 memset (&cinfo, 0, sizeof (cinfo));
1085 cinfo.privkey = info.privkey;
1086 cinfo.pubkey = info.pubkey;
1087 cinfo.pkcs8 = info.pkcs8;
1088 cinfo.incert_format = info.incert_format;
1089 cinfo.cert = info.cert;
1090 cinfo.request = info.request;
1092 cinfo.ca_privkey = info.ca_privkey;
1094 switch (info.action)
1096 case ACTION_SELF_SIGNED:
1097 generate_self_signed (&cinfo);
1099 case ACTION_GENERATE_PRIVKEY:
1100 generate_private_key ();
1102 case ACTION_CERT_INFO:
1103 certificate_info (0, &cinfo);
1105 case ACTION_CERT_PUBKEY:
1106 certificate_info (1, &cinfo);
1108 case ACTION_GENERATE_REQUEST:
1109 generate_request (&cinfo);
1111 case ACTION_GENERATE_CERTIFICATE:
1112 generate_signed_certificate (&cinfo);
1114 case ACTION_VERIFY_CHAIN:
1117 case ACTION_PRIVKEY_INFO:
1120 case ACTION_PUBKEY_INFO:
1121 pubkey_info (NULL, &cinfo);
1123 case ACTION_UPDATE_CERTIFICATE:
1124 update_signed_certificate (&cinfo);
1126 case ACTION_TO_PKCS12:
1127 generate_pkcs12 (&cinfo);
1129 case ACTION_PKCS12_INFO:
1132 case ACTION_GENERATE_DH:
1138 case ACTION_CRL_INFO:
1141 case ACTION_P7_INFO:
1144 case ACTION_GENERATE_CRL:
1145 generate_signed_crl (&cinfo);
1147 case ACTION_VERIFY_CRL:
1148 verify_crl (&cinfo);
1150 case ACTION_SMIME_TO_P7:
1153 case ACTION_GENERATE_PROXY:
1154 generate_proxy_certificate (&cinfo);
1156 case ACTION_GENERATE_PKCS8:
1157 generate_pkcs8 (&cinfo);
1159 #ifdef ENABLE_OPENPGP
1160 case ACTION_PGP_INFO:
1161 pgp_certificate_info ();
1163 case ACTION_PGP_PRIVKEY_INFO:
1164 pgp_privkey_info ();
1166 case ACTION_RING_INFO:
1170 case ACTION_REQUEST:
1179 #ifdef ENABLE_PKCS11
1180 gnutls_pkcs11_deinit ();
1182 gnutls_global_deinit ();
1185 #define MAX_CRTS 500
1187 certificate_info (int pubkey, common_info_st * cinfo)
1189 gnutls_x509_crt_t crt[MAX_CRTS];
1193 unsigned int crt_num;
1195 pem.data = fread_file (infile, &size);
1200 gnutls_x509_crt_list_import (crt, &crt_num, &pem, info.incert_format,
1201 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
1202 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
1204 error (0, 0, "too many certificates (%d); "
1205 "will only read the first %d", crt_num, MAX_CRTS);
1207 ret = gnutls_x509_crt_list_import (crt, &crt_num, &pem,
1208 info.incert_format, 0);
1211 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1217 if (count > 1 && info.outcert_format == GNUTLS_X509_FMT_DER)
1219 error (0, 0, "cannot output multiple certificates in DER format; "
1220 "using PEM instead");
1221 info.outcert_format = GNUTLS_X509_FMT_PEM;
1224 for (i = 0; i < count; i++)
1227 fprintf (outfile, "\n");
1229 if (info.outcert_format == GNUTLS_X509_FMT_PEM)
1230 print_certificate_info (crt[i], outfile, 1);
1233 ret = gnutls_x509_crt_export (crt[i], info.outcert_format, buffer,
1236 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1238 fwrite (buffer, 1, size, outfile);
1241 pubkey_info (crt[i], cinfo);
1243 gnutls_x509_crt_deinit (crt[i]);
1247 #ifdef ENABLE_OPENPGP
1250 pgp_certificate_info (void)
1252 gnutls_openpgp_crt_t crt;
1255 gnutls_datum_t pem, out_data;
1256 unsigned int verify_status;
1258 pem.data = fread_file (infile, &size);
1261 ret = gnutls_openpgp_crt_init (&crt);
1263 error (EXIT_FAILURE, 0, "openpgp_crt_init: %s", gnutls_strerror (ret));
1265 ret = gnutls_openpgp_crt_import (crt, &pem, info.incert_format);
1268 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1272 if (info.outcert_format == GNUTLS_OPENPGP_FMT_BASE64)
1274 ret = gnutls_openpgp_crt_print (crt, 0, &out_data);
1278 fprintf (outfile, "%s\n", out_data.data);
1279 gnutls_free (out_data.data);
1284 ret = gnutls_openpgp_crt_verify_self (crt, 0, &verify_status);
1287 error (EXIT_FAILURE, 0, "verify signature error: %s",
1288 gnutls_strerror (ret));
1291 if (verify_status & GNUTLS_CERT_INVALID)
1293 fprintf (outfile, "Self Signature verification: failed\n\n");
1297 fprintf (outfile, "Self Signature verification: ok (%x)\n\n",
1302 ret = gnutls_openpgp_crt_export (crt, info.outcert_format, buffer, &size);
1305 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1306 fwrite (buffer, 1, size, outfile);
1309 fprintf (outfile, "%s\n", buffer);
1310 gnutls_openpgp_crt_deinit (crt);
1314 pgp_privkey_info (void)
1316 gnutls_openpgp_privkey_t key;
1317 unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
1319 int ret, i, subkeys;
1323 size = fread (buffer, 1, buffer_size - 1, infile);
1326 gnutls_openpgp_privkey_init (&key);
1331 ret = gnutls_openpgp_privkey_import (key, &pem, info.incert_format,
1335 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1337 /* Public key algorithm
1339 subkeys = gnutls_openpgp_privkey_get_subkey_count (key);
1341 error (EXIT_FAILURE, 0, "privkey_get_subkey_count: %s",
1342 gnutls_strerror (subkeys));
1344 for (i = -1; i < subkeys; i++)
1348 fprintf (outfile, "Subkey[%d]:\n", i);
1350 fprintf (outfile, "Public Key Info:\n");
1353 ret = gnutls_openpgp_privkey_get_pk_algorithm (key, NULL);
1355 ret = gnutls_openpgp_privkey_get_subkey_pk_algorithm (key, i, NULL);
1357 fprintf (outfile, "\tPublic Key Algorithm: ");
1358 cprint = gnutls_pk_algorithm_get_name (ret);
1359 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1360 fprintf (outfile, "\tKey Security Level: %s\n",
1361 gnutls_sec_param_get_name (gnutls_openpgp_privkey_sec_param
1364 /* Print the raw public and private keys
1367 if (ret == GNUTLS_PK_RSA)
1369 gnutls_datum_t m, e, d, p, q, u;
1373 gnutls_openpgp_privkey_export_rsa_raw (key, &m, &e, &d, &p,
1377 gnutls_openpgp_privkey_export_subkey_rsa_raw (key, i, &m,
1381 fprintf (stderr, "Error in key RSA data export: %s\n",
1382 gnutls_strerror (ret));
1384 print_rsa_pkey (&m, &e, &d, &p, &q, &u, NULL, NULL);
1387 else if (ret == GNUTLS_PK_DSA)
1389 gnutls_datum_t p, q, g, y, x;
1393 gnutls_openpgp_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1396 gnutls_openpgp_privkey_export_subkey_dsa_raw (key, i, &p,
1399 fprintf (stderr, "Error in key DSA data export: %s\n",
1400 gnutls_strerror (ret));
1402 print_dsa_pkey (&x, &y, &p, &q, &g);
1405 fprintf (outfile, "\n");
1409 ret = gnutls_openpgp_privkey_get_key_id (key, keyid);
1411 ret = gnutls_openpgp_privkey_get_subkey_id (key, i, keyid);
1415 fprintf (stderr, "Error in key id calculation: %s\n",
1416 gnutls_strerror (ret));
1420 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (keyid, 8));
1426 ret = gnutls_openpgp_privkey_export (key, GNUTLS_OPENPGP_FMT_BASE64,
1427 NULL, 0, buffer, &size);
1429 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1431 fprintf (outfile, "\n%s\n", buffer);
1433 gnutls_openpgp_privkey_deinit (key);
1437 pgp_ring_info (void)
1439 gnutls_openpgp_keyring_t ring;
1440 gnutls_openpgp_crt_t crt;
1445 pem.data = fread_file (infile, &size);
1448 ret = gnutls_openpgp_keyring_init (&ring);
1450 error (EXIT_FAILURE, 0, "openpgp_keyring_init: %s",
1451 gnutls_strerror (ret));
1453 ret = gnutls_openpgp_keyring_import (ring, &pem, info.incert_format);
1456 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1460 count = gnutls_openpgp_keyring_get_crt_count (ring);
1462 fprintf (outfile, "Keyring contains %d OpenPGP certificates\n\n", count);
1464 error (EXIT_FAILURE, 0, "keyring error: %s", gnutls_strerror (count));
1466 for (i = 0; i < count; i++)
1468 ret = gnutls_openpgp_keyring_get_crt (ring, i, &crt);
1470 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1473 ret = gnutls_openpgp_crt_export (crt, info.outcert_format,
1476 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1478 fwrite (buffer, 1, size, outfile);
1479 fprintf (outfile, "\n\n");
1481 gnutls_openpgp_crt_deinit (crt);
1486 gnutls_openpgp_keyring_deinit (ring);
1493 print_hex_datum (gnutls_datum_t * dat)
1497 fprintf (outfile, "\n" SPACE);
1498 for (j = 0; j < dat->size; j++)
1500 fprintf (outfile, "%.2x:", (unsigned char) dat->data[j]);
1501 if ((j + 1) % 15 == 0)
1502 fprintf (outfile, "\n" SPACE);
1504 fprintf (outfile, "\n");
1509 print_certificate_info (gnutls_x509_crt_t crt, FILE * out, unsigned int all)
1511 gnutls_datum_t cinfo;
1515 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo);
1517 ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_UNSIGNED_FULL, &cinfo);
1520 fprintf (out, "%s\n", cinfo.data);
1521 gnutls_free (cinfo.data);
1524 if (out == stderr && batch == 0) /* interactive */
1525 if (read_yesno ("Is the above information ok? (y/N): ") == 0)
1532 print_crl_info (gnutls_x509_crl_t crl, FILE * out)
1534 gnutls_datum_t cinfo;
1538 ret = gnutls_x509_crl_print (crl, GNUTLS_CRT_PRINT_FULL, &cinfo);
1540 error (EXIT_FAILURE, 0, "crl_print: %s", gnutls_strerror (ret));
1542 fprintf (out, "%s\n", cinfo.data);
1544 gnutls_free (cinfo.data);
1547 ret = gnutls_x509_crl_export (crl, GNUTLS_X509_FMT_PEM, buffer, &size);
1549 error (EXIT_FAILURE, 0, "crl_export: %s", gnutls_strerror (ret));
1551 fwrite (buffer, 1, size, outfile);
1557 gnutls_x509_crl_t crl;
1562 ret = gnutls_x509_crl_init (&crl);
1564 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (ret));
1566 pem.data = fread_file (infile, &size);
1570 error (EXIT_FAILURE, errno, "%s", info.infile ? info.infile :
1573 ret = gnutls_x509_crl_import (crl, &pem, info.incert_format);
1577 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1579 print_crl_info (crl, outfile);
1581 gnutls_x509_crl_deinit (crl);
1585 print_crq_info (gnutls_x509_crq_t crq, FILE * out)
1587 gnutls_datum_t cinfo;
1591 if (info.outcert_format == GNUTLS_X509_FMT_PEM)
1593 ret = gnutls_x509_crq_print (crq, GNUTLS_CRT_PRINT_FULL, &cinfo);
1595 error (EXIT_FAILURE, 0, "crq_print: %s", gnutls_strerror (ret));
1597 fprintf (out, "%s\n", cinfo.data);
1599 gnutls_free (cinfo.data);
1603 ret = gnutls_x509_crq_export (crq, info.outcert_format, buffer, &size);
1605 error (EXIT_FAILURE, 0, "crq_export: %s", gnutls_strerror (ret));
1607 fwrite (buffer, 1, size, outfile);
1613 gnutls_x509_crq_t crq;
1618 ret = gnutls_x509_crq_init (&crq);
1620 error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));
1622 pem.data = fread_file (infile, &size);
1626 error (EXIT_FAILURE, errno, "%s", info.infile ? info.infile :
1629 ret = gnutls_x509_crq_import (crq, &pem, info.incert_format);
1633 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1635 print_crq_info (crq, outfile);
1637 gnutls_x509_crq_deinit (crq);
1643 gnutls_x509_privkey_t key;
1650 size = fread (buffer, 1, buffer_size - 1, infile);
1653 gnutls_x509_privkey_init (&key);
1660 ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);
1662 /* If we failed to import the certificate previously try PKCS #8 */
1663 if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
1669 ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
1670 info.incert_format, pass, 0);
1673 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
1675 /* Public key algorithm
1677 fprintf (outfile, "Public Key Info:\n");
1678 ret = gnutls_x509_privkey_get_pk_algorithm (key);
1679 fprintf (outfile, "\tPublic Key Algorithm: ");
1681 cprint = gnutls_pk_algorithm_get_name (ret);
1682 fprintf (outfile, "%s\n", cprint ? cprint : "Unknown");
1683 fprintf (outfile, "\tKey Security Level: %s\n",
1684 gnutls_sec_param_get_name (gnutls_x509_privkey_sec_param (key)));
1686 /* Print the raw public and private keys
1688 if (ret == GNUTLS_PK_RSA)
1690 gnutls_datum_t m, e, d, p, q, u, exp1, exp2;
1693 gnutls_x509_privkey_export_rsa_raw2 (key, &m, &e, &d, &p, &q, &u,
1696 fprintf (stderr, "Error in key RSA data export: %s\n",
1697 gnutls_strerror (ret));
1700 print_rsa_pkey (&m, &e, &d, &p, &q, &u, &exp1, &exp2);
1701 gnutls_free (m.data);
1702 gnutls_free (e.data);
1703 gnutls_free (d.data);
1704 gnutls_free (p.data);
1705 gnutls_free (q.data);
1706 gnutls_free (u.data);
1707 gnutls_free (exp1.data);
1708 gnutls_free (exp2.data);
1711 else if (ret == GNUTLS_PK_DSA)
1713 gnutls_datum_t p, q, g, y, x;
1715 ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
1717 fprintf (stderr, "Error in key DSA data export: %s\n",
1718 gnutls_strerror (ret));
1721 print_dsa_pkey (&x, &y, &p, &q, &g);
1722 gnutls_free (x.data);
1723 gnutls_free (y.data);
1724 gnutls_free (p.data);
1725 gnutls_free (q.data);
1726 gnutls_free (g.data);
1730 fprintf (outfile, "\n");
1733 if ((ret = gnutls_x509_privkey_get_key_id (key, 0, buffer, &size)) < 0)
1735 fprintf (stderr, "Error in key id calculation: %s\n",
1736 gnutls_strerror (ret));
1740 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
1743 if (info.fix_key != 0)
1745 ret = gnutls_x509_privkey_fix (key);
1747 error (EXIT_FAILURE, 0, "privkey_fix: %s", gnutls_strerror (ret));
1751 ret = gnutls_x509_privkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &size);
1753 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
1755 fprintf (outfile, "\n%s\n", buffer);
1757 gnutls_x509_privkey_deinit (key);
1761 /* Generate a PKCS #10 certificate request.
1764 generate_request (common_info_st * cinfo)
1766 gnutls_x509_crq_t crq;
1767 gnutls_x509_privkey_t xkey;
1768 gnutls_pubkey_t pubkey;
1769 gnutls_privkey_t pkey;
1770 int ret, ca_status, path_len;
1772 unsigned int usage = 0;
1774 fprintf (stderr, "Generating a PKCS #10 certificate request...\n");
1776 ret = gnutls_x509_crq_init (&crq);
1778 error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));
1781 /* Load the private key.
1783 pkey = load_private_key (0, cinfo);
1786 ret = gnutls_privkey_init (&pkey);
1788 error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
1790 xkey = generate_private_key_int ();
1792 print_private_key (xkey);
1794 ret = gnutls_privkey_import_x509(pkey, xkey, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
1796 error (EXIT_FAILURE, 0, "privkey_import_x509: %s", gnutls_strerror (ret));
1799 pubkey = load_public_key_or_import (1, pkey, cinfo);
1803 get_country_crq_set (crq);
1804 get_organization_crq_set (crq);
1805 get_unit_crq_set (crq);
1806 get_locality_crq_set (crq);
1807 get_state_crq_set (crq);
1808 get_cn_crq_set (crq);
1809 get_uid_crq_set (crq);
1810 get_oid_crq_set (crq);
1812 get_dns_name_set (TYPE_CRQ, crq);
1813 get_ip_addr_set (TYPE_CRQ, crq);
1814 get_email_set (TYPE_CRQ, crq);
1816 pass = get_challenge_pass ();
1818 if (pass != NULL && pass[0] != 0)
1820 ret = gnutls_x509_crq_set_challenge_password (crq, pass);
1822 error (EXIT_FAILURE, 0, "set_pass: %s", gnutls_strerror (ret));
1825 if (info.crq_extensions != 0)
1827 ca_status = get_ca_status ();
1829 path_len = get_path_len ();
1833 ret = gnutls_x509_crq_set_basic_constraints (crq, ca_status, path_len);
1835 error (EXIT_FAILURE, 0, "set_basic_constraints: %s",
1836 gnutls_strerror (ret));
1838 ret = get_sign_status (1);
1840 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1842 ret = get_encrypt_status (1);
1844 usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
1846 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
1850 ret = get_cert_sign_status ();
1852 usage |= GNUTLS_KEY_KEY_CERT_SIGN;
1854 ret = get_crl_sign_status ();
1856 usage |= GNUTLS_KEY_CRL_SIGN;
1858 ret = get_code_sign_status ();
1861 ret = gnutls_x509_crq_set_key_purpose_oid
1862 (crq, GNUTLS_KP_CODE_SIGNING, 0);
1864 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1867 ret = get_ocsp_sign_status ();
1870 ret = gnutls_x509_crq_set_key_purpose_oid
1871 (crq, GNUTLS_KP_OCSP_SIGNING, 0);
1873 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1876 ret = get_time_stamp_status ();
1879 ret = gnutls_x509_crq_set_key_purpose_oid
1880 (crq, GNUTLS_KP_TIME_STAMPING, 0);
1882 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1885 ret = get_ipsec_ike_status ();
1888 ret = gnutls_x509_crq_set_key_purpose_oid
1889 (crq, GNUTLS_KP_IPSEC_IKE, 0);
1891 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1895 ret = gnutls_x509_crq_set_key_usage (crq, usage);
1897 error (EXIT_FAILURE, 0, "key_usage: %s", gnutls_strerror (ret));
1899 ret = get_tls_client_status ();
1902 ret = gnutls_x509_crq_set_key_purpose_oid
1903 (crq, GNUTLS_KP_TLS_WWW_CLIENT, 0);
1905 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1908 ret = get_tls_server_status ();
1911 ret = gnutls_x509_crq_set_key_purpose_oid
1912 (crq, GNUTLS_KP_TLS_WWW_SERVER, 0);
1914 error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
1918 ret = gnutls_x509_crq_set_pubkey (crq, pubkey);
1920 error (EXIT_FAILURE, 0, "set_key: %s", gnutls_strerror (ret));
1922 ret = gnutls_x509_crq_privkey_sign (crq, pkey, SIGN_HASH, 0);
1924 error (EXIT_FAILURE, 0, "sign: %s", gnutls_strerror (ret));
1926 print_crq_info (crq, outfile);
1928 gnutls_x509_crq_deinit (crq);
1929 gnutls_privkey_deinit( pkey);
1930 gnutls_pubkey_deinit( pubkey);
1934 static void print_verification_res (gnutls_x509_crt_t crt,
1935 gnutls_x509_crt_t issuer,
1936 gnutls_x509_crl_t * crl_list,
1937 int crl_list_size, unsigned int flags);
1939 #define CERT_SEP "-----BEGIN CERT"
1940 #define CRL_SEP "-----BEGIN X509 CRL"
1942 _verify_x509_mem (const void *cert, int cert_size)
1947 char issuer_name[512];
1949 size_t issuer_name_size;
1951 gnutls_x509_crt_t *x509_cert_list = NULL;
1952 gnutls_x509_crl_t *x509_crl_list = NULL;
1953 int x509_ncerts, x509_ncrls;
1956 /* Decode the CA certificate
1959 /* Decode the CRL list
1965 if (strstr (ptr, CRL_SEP) != NULL) /* if CRLs exist */
1969 (gnutls_x509_crl_t *) realloc (x509_crl_list,
1970 i * sizeof (gnutls_x509_crl_t));
1971 if (x509_crl_list == NULL)
1972 error (EXIT_FAILURE, 0, "memory error");
1974 tmp.data = (char *) ptr;
1975 tmp.size = cert_size;
1977 (unsigned int) ((unsigned char *) ptr - (unsigned char *) cert);
1979 ret = gnutls_x509_crl_init (&x509_crl_list[i - 1]);
1981 error (EXIT_FAILURE, 0, "error parsing CRL[%d]: %s", i,
1982 gnutls_strerror (ret));
1984 ret = gnutls_x509_crl_import (x509_crl_list[i - 1], &tmp,
1985 GNUTLS_X509_FMT_PEM);
1987 error (EXIT_FAILURE, 0, "error parsing CRL[%d]: %s", i,
1988 gnutls_strerror (ret));
1990 /* now we move ptr after the pem header */
1991 ptr = strstr (ptr, CRL_SEP);
1997 while ((ptr = strstr (ptr, CRL_SEP)) != NULL);
2002 /* Decode the certificate chain.
2011 (gnutls_x509_crt_t *) realloc (x509_cert_list,
2012 i * sizeof (gnutls_x509_crt_t));
2013 if (x509_cert_list == NULL)
2014 error (EXIT_FAILURE, 0, "memory error");
2017 tmp.data = (char *) ptr;
2018 tmp.size = cert_size;
2020 (unsigned int) ((unsigned char *) ptr - (unsigned char *) cert);
2022 ret = gnutls_x509_crt_init (&x509_cert_list[i - 1]);
2024 error (EXIT_FAILURE, 0, "error parsing certificate[%d]: %s", i,
2025 gnutls_strerror (ret));
2028 gnutls_x509_crt_import (x509_cert_list[i - 1], &tmp,
2029 GNUTLS_X509_FMT_PEM);
2031 error (EXIT_FAILURE, 0, "error parsing certificate[%d]: %s", i,
2032 gnutls_strerror (ret));
2037 /* verify the previous certificate using this one
2041 name_size = sizeof (name);
2043 gnutls_x509_crt_get_dn (x509_cert_list[i - 2], name, &name_size);
2045 error (EXIT_FAILURE, 0, "get_dn: %s", gnutls_strerror (ret));
2047 fprintf (outfile, "Certificate[%d]: %s\n", i - 2, name);
2051 issuer_name_size = sizeof (issuer_name);
2053 gnutls_x509_crt_get_issuer_dn (x509_cert_list[i - 2],
2054 issuer_name, &issuer_name_size);
2056 error (EXIT_FAILURE, 0, "get_issuer_dn: %s",
2057 gnutls_strerror (ret));
2059 fprintf (outfile, "\tIssued by: %s\n", issuer_name);
2061 /* Get the Issuer's name
2063 name_size = sizeof (name);
2065 gnutls_x509_crt_get_dn (x509_cert_list[i - 1], name, &name_size);
2067 error (EXIT_FAILURE, 0, "get_dn: %s", gnutls_strerror (ret));
2069 fprintf (outfile, "\tVerifying against certificate[%d].\n", i - 1);
2071 if (strcmp (issuer_name, name) != 0)
2073 fprintf (stderr, "Error: Issuer's name: %s\n", name);
2074 error (EXIT_FAILURE, 0,
2075 "issuer name does not match the next certificate");
2078 fprintf (outfile, "\tVerification output: ");
2079 print_verification_res (x509_cert_list[i - 2],
2080 x509_cert_list[i - 1], x509_crl_list,
2082 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME);
2083 fprintf (outfile, ".\n\n");
2088 /* now we move ptr after the pem header
2090 ptr = strstr (ptr, CERT_SEP);
2096 while ((ptr = strstr (ptr, CERT_SEP)) != NULL);
2098 x509_ncerts = i - 1;
2100 /* The last certificate in the list will be used as
2101 * a CA (should be self signed).
2103 name_size = sizeof (name);
2104 ret = gnutls_x509_crt_get_dn (x509_cert_list[x509_ncerts - 1], name,
2107 error (EXIT_FAILURE, 0, "get_dn: %s", gnutls_strerror (ret));
2109 fprintf (outfile, "Certificate[%d]: %s\n", x509_ncerts - 1, name);
2113 issuer_name_size = sizeof (issuer_name);
2115 gnutls_x509_crt_get_issuer_dn (x509_cert_list[x509_ncerts - 1],
2116 issuer_name, &issuer_name_size);
2118 error (EXIT_FAILURE, 0, "get_issuer_dn: %s", gnutls_strerror (ret));
2120 fprintf (outfile, "\tIssued by: %s\n", name);
2122 if (strcmp (issuer_name, name) != 0)
2123 error (EXIT_FAILURE, 0, "the last certificate is not self signed");
2125 fprintf (outfile, "\tVerification output: ");
2126 print_verification_res (x509_cert_list[x509_ncerts - 1],
2127 x509_cert_list[x509_ncerts - 1], x509_crl_list,
2128 /* we add GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT since it is
2131 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
2132 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
2134 fprintf (outfile, ".\n\n");
2136 /* Verify using internal algorithm too. */
2140 ret = gnutls_x509_crt_list_verify (x509_cert_list, x509_ncerts,
2141 &x509_cert_list[x509_ncerts - 1], 1,
2144 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT |
2145 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
2148 error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s",
2149 gnutls_strerror (ret));
2151 fprintf (outfile, "Chain verification output: ");
2153 if (verify_status & GNUTLS_CERT_INVALID)
2155 fprintf (outfile, "Not verified");
2159 fprintf (outfile, "Verified");
2162 if (verify_status & GNUTLS_CERT_SIGNER_NOT_CA)
2164 fprintf (outfile, ", ");
2165 fprintf (outfile, "Issuer is not a CA");
2168 if (verify_status & GNUTLS_CERT_INSECURE_ALGORITHM)
2170 fprintf (outfile, ", ");
2171 fprintf (outfile, "Insecure algorithm");
2174 fprintf (outfile, ".\n");
2177 for (i = 0; i < x509_ncerts; i++)
2178 gnutls_x509_crt_deinit (x509_cert_list[i]);
2180 for (i = 0; i < x509_ncrls; i++)
2181 gnutls_x509_crl_deinit (x509_crl_list[i]);
2183 free (x509_cert_list);
2184 free (x509_crl_list);
2187 error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
2193 print_verification_res (gnutls_x509_crt_t crt,
2194 gnutls_x509_crt_t issuer,
2195 gnutls_x509_crl_t * crl_list, int crl_list_size,
2198 unsigned int output;
2202 ret = gnutls_x509_crt_verify (crt, &issuer, 1, flags, &output);
2204 error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
2206 if (output & GNUTLS_CERT_INVALID)
2208 fprintf (outfile, "Not verified");
2213 fprintf (outfile, "Verified");
2217 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
2220 fprintf (outfile, ", ");
2221 fprintf (outfile, "Issuer is not a CA");
2225 if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
2228 fprintf (outfile, ", ");
2229 fprintf (outfile, "Insecure algorithm");
2233 if (output & GNUTLS_CERT_NOT_ACTIVATED)
2236 fprintf (outfile, ", ");
2237 fprintf (outfile, "Not activated");
2241 if (output & GNUTLS_CERT_EXPIRED)
2244 fprintf (outfile, ", ");
2245 fprintf (outfile, "Expired");
2249 ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
2251 error (EXIT_FAILURE, 0, "revocation check: %s", gnutls_strerror (ret));
2256 fprintf (outfile, ", ");
2258 fprintf (outfile, "Revoked");
2268 buf = fread_file (infile, &size);
2270 error (EXIT_FAILURE, errno, "reading chain");
2274 _verify_x509_mem (buf, size);
2279 verify_crl (common_info_st * cinfo)
2281 size_t size, dn_size;
2283 unsigned int output;
2287 gnutls_x509_crl_t crl;
2288 time_t now = time (0);
2289 gnutls_x509_crt_t issuer;
2291 issuer = load_ca_cert (cinfo);
2293 fprintf (outfile, "\nCA certificate:\n");
2295 dn_size = sizeof (dn);
2296 ret = gnutls_x509_crt_get_dn (issuer, dn, &dn_size);
2298 error (EXIT_FAILURE, 0, "crt_get_dn: %s", gnutls_strerror (ret));
2300 fprintf (outfile, "\tSubject: %s\n\n", dn);
2302 ret = gnutls_x509_crl_init (&crl);
2304 error (EXIT_FAILURE, 0, "crl_init: %s", gnutls_strerror (ret));
2306 pem.data = fread_file (infile, &size);
2309 ret = gnutls_x509_crl_import (crl, &pem, info.incert_format);
2312 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (ret));
2314 print_crl_info (crl, outfile);
2316 fprintf (outfile, "Verification output: ");
2317 ret = gnutls_x509_crl_verify (crl, &issuer, 1, 0, &output);
2319 error (EXIT_FAILURE, 0, "verification error: %s", gnutls_strerror (ret));
2321 if (output & GNUTLS_CERT_INVALID)
2323 fprintf (outfile, "Not verified");
2328 fprintf (outfile, "Verified");
2332 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
2335 fprintf (outfile, ", ");
2336 fprintf (outfile, "Issuer is not a CA");
2340 if (output & GNUTLS_CERT_INSECURE_ALGORITHM)
2343 fprintf (outfile, ", ");
2344 fprintf (outfile, "Insecure algorithm");
2348 /* Check expiration dates.
2351 if (gnutls_x509_crl_get_this_update (crl) > now)
2354 fprintf (outfile, ", ");
2356 fprintf (outfile, "Issued in the future!");
2359 if (gnutls_x509_crl_get_next_update (crl) < now)
2362 fprintf (outfile, ", ");
2364 fprintf (outfile, "CRL is not up to date");
2367 fprintf (outfile, "\n");
2372 generate_pkcs8 (common_info_st * cinfo)
2374 gnutls_x509_privkey_t key;
2378 const char *password;
2380 fprintf (stderr, "Generating a PKCS #8 key structure...\n");
2382 key = load_x509_private_key (1, cinfo);
2385 password = info.pass;
2387 password = get_pass ();
2390 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
2392 flags = cipher_to_flags (info.pkcs_cipher);
2394 if (password == NULL || password[0] == 0)
2396 flags = GNUTLS_PKCS_PLAIN;
2401 gnutls_x509_privkey_export_pkcs8 (key, info.outcert_format,
2402 password, flags, buffer, &size);
2405 error (EXIT_FAILURE, 0, "key_export: %s", gnutls_strerror (result));
2407 fwrite (buffer, 1, size, outfile);
2412 #include <gnutls/pkcs12.h>
2416 generate_pkcs12 (common_info_st * cinfo)
2418 gnutls_pkcs12_t pkcs12;
2419 gnutls_x509_crt_t *crts;
2420 gnutls_x509_privkey_t key;
2423 gnutls_datum_t data;
2426 unsigned int flags, i;
2427 gnutls_datum_t key_id;
2428 unsigned char _key_id[20];
2432 fprintf (stderr, "Generating a PKCS #12 structure...\n");
2434 key = load_x509_private_key (0, cinfo);
2435 crts = load_cert_list (0, &ncrts, cinfo);
2437 name = get_pkcs12_key_name ();
2439 result = gnutls_pkcs12_init (&pkcs12);
2441 error (EXIT_FAILURE, 0, "pkcs12_init: %s", gnutls_strerror (result));
2450 fprintf(stderr, "No password given for PKCS #12. Assuming null password...\n");
2455 for (i = 0; i < ncrts; i++)
2457 gnutls_pkcs12_bag_t bag;
2459 result = gnutls_pkcs12_bag_init (&bag);
2461 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2463 result = gnutls_pkcs12_bag_set_crt (bag, crts[i]);
2465 error (EXIT_FAILURE, 0, "set_crt[%d]: %s", i,
2466 gnutls_strerror (result));
2470 result = gnutls_pkcs12_bag_set_friendly_name (bag, indx, name);
2472 error (EXIT_FAILURE, 0, "bag_set_friendly_name: %s",
2473 gnutls_strerror (result));
2475 size = sizeof (_key_id);
2476 result = gnutls_x509_crt_get_key_id (crts[i], 0, _key_id, &size);
2478 error (EXIT_FAILURE, 0, "key_id[%d]: %s", i,
2479 gnutls_strerror (result));
2481 key_id.data = _key_id;
2484 result = gnutls_pkcs12_bag_set_key_id (bag, indx, &key_id);
2486 error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
2487 gnutls_strerror (result));
2490 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
2492 flags = cipher_to_flags (info.pkcs_cipher);
2494 result = gnutls_pkcs12_bag_encrypt (bag, pass, flags);
2496 error (EXIT_FAILURE, 0, "bag_encrypt: %s", gnutls_strerror (result));
2498 result = gnutls_pkcs12_set_bag (pkcs12, bag);
2500 error (EXIT_FAILURE, 0, "set_bag: %s", gnutls_strerror (result));
2505 gnutls_pkcs12_bag_t kbag;
2507 result = gnutls_pkcs12_bag_init (&kbag);
2509 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2512 flags = GNUTLS_PKCS_USE_PKCS12_RC2_40;
2514 flags = cipher_to_flags (info.pkcs_cipher);
2518 gnutls_x509_privkey_export_pkcs8 (key, GNUTLS_X509_FMT_DER,
2519 pass, flags, buffer, &size);
2521 error (EXIT_FAILURE, 0, "key_export: %s", gnutls_strerror (result));
2526 gnutls_pkcs12_bag_set_data (kbag,
2527 GNUTLS_BAG_PKCS8_ENCRYPTED_KEY, &data);
2529 error (EXIT_FAILURE, 0, "bag_set_data: %s", gnutls_strerror (result));
2533 result = gnutls_pkcs12_bag_set_friendly_name (kbag, indx, name);
2535 error (EXIT_FAILURE, 0, "bag_set_friendly_name: %s",
2536 gnutls_strerror (result));
2538 size = sizeof (_key_id);
2539 result = gnutls_x509_privkey_get_key_id (key, 0, _key_id, &size);
2541 error (EXIT_FAILURE, 0, "key_id: %s", gnutls_strerror (result));
2543 key_id.data = _key_id;
2546 result = gnutls_pkcs12_bag_set_key_id (kbag, indx, &key_id);
2548 error (EXIT_FAILURE, 0, "bag_set_key_id: %s",
2549 gnutls_strerror (result));
2551 result = gnutls_pkcs12_set_bag (pkcs12, kbag);
2553 error (EXIT_FAILURE, 0, "set_bag: %s", gnutls_strerror (result));
2556 result = gnutls_pkcs12_generate_mac (pkcs12, pass);
2558 error (EXIT_FAILURE, 0, "generate_mac: %s", gnutls_strerror (result));
2561 result = gnutls_pkcs12_export (pkcs12, info.outcert_format, buffer, &size);
2563 error (EXIT_FAILURE, 0, "pkcs12_export: %s", gnutls_strerror (result));
2565 fwrite (buffer, 1, size, outfile);
2570 BAGTYPE (gnutls_pkcs12_bag_type_t x)
2574 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2575 return "PKCS #8 Encrypted key";
2576 case GNUTLS_BAG_EMPTY:
2578 case GNUTLS_BAG_PKCS8_KEY:
2579 return "PKCS #8 Key";
2580 case GNUTLS_BAG_CERTIFICATE:
2581 return "Certificate";
2582 case GNUTLS_BAG_ENCRYPTED:
2584 case GNUTLS_BAG_CRL:
2586 case GNUTLS_BAG_SECRET:
2594 print_bag_data (gnutls_pkcs12_bag_t bag)
2598 gnutls_datum_t cdata, id;
2599 const char *str, *name;
2602 count = gnutls_pkcs12_bag_get_count (bag);
2604 error (EXIT_FAILURE, 0, "get_count: %s", gnutls_strerror (count));
2606 fprintf (outfile, "\tElements: %d\n", count);
2608 for (i = 0; i < count; i++)
2610 type = gnutls_pkcs12_bag_get_type (bag, i);
2612 error (EXIT_FAILURE, 0, "get_type: %s", gnutls_strerror (type));
2614 fprintf (stderr, "\tType: %s\n", BAGTYPE (type));
2617 result = gnutls_pkcs12_bag_get_friendly_name (bag, i, (char **) &name);
2619 error (EXIT_FAILURE, 0, "get_friendly_name: %s",
2620 gnutls_strerror (type));
2622 fprintf (outfile, "\tFriendly name: %s\n", name);
2626 result = gnutls_pkcs12_bag_get_key_id (bag, i, &id);
2628 error (EXIT_FAILURE, 0, "get_key_id: %s", gnutls_strerror (type));
2629 fprintf (outfile, "\tKey ID: %s\n", raw_to_string (id.data, id.size));
2631 result = gnutls_pkcs12_bag_get_data (bag, i, &cdata);
2633 error (EXIT_FAILURE, 0, "get_data: %s", gnutls_strerror (result));
2637 case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
2638 str = "ENCRYPTED PRIVATE KEY";
2640 case GNUTLS_BAG_PKCS8_KEY:
2641 str = "PRIVATE KEY";
2643 case GNUTLS_BAG_CERTIFICATE:
2644 str = "CERTIFICATE";
2646 case GNUTLS_BAG_CRL:
2649 case GNUTLS_BAG_ENCRYPTED:
2650 case GNUTLS_BAG_EMPTY:
2657 gnutls_pem_base64_encode_alloc (str, &cdata, &out);
2658 fprintf (outfile, "%s\n", out.data);
2660 gnutls_free (out.data);
2669 gnutls_pkcs12_t pkcs12;
2670 gnutls_pkcs12_bag_t bag;
2673 gnutls_datum_t data;
2677 result = gnutls_pkcs12_init (&pkcs12);
2679 error (EXIT_FAILURE, 0, "p12_init: %s", gnutls_strerror (result));
2681 data.data = fread_file (infile, &size);
2684 result = gnutls_pkcs12_import (pkcs12, &data, info.incert_format, 0);
2687 error (EXIT_FAILURE, 0, "p12_import: %s", gnutls_strerror (result));
2694 result = gnutls_pkcs12_verify_mac (pkcs12, pass);
2696 error (0, 0, "verify_mac: %s", gnutls_strerror (result));
2698 for (indx = 0;; indx++)
2700 result = gnutls_pkcs12_bag_init (&bag);
2702 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2704 result = gnutls_pkcs12_get_bag (pkcs12, indx, bag);
2708 result = gnutls_pkcs12_bag_get_count (bag);
2710 error (EXIT_FAILURE, 0, "bag_count: %s", gnutls_strerror (result));
2712 fprintf (outfile, "BAG #%d\n", indx);
2714 result = gnutls_pkcs12_bag_get_type (bag, 0);
2716 error (EXIT_FAILURE, 0, "bag_init: %s", gnutls_strerror (result));
2718 if (result == GNUTLS_BAG_ENCRYPTED)
2720 fprintf (stderr, "\tType: %s\n", BAGTYPE (result));
2721 fprintf (stderr, "\n\tDecrypting...\n");
2723 result = gnutls_pkcs12_bag_decrypt (bag, pass);
2727 error (0, 0, "bag_decrypt: %s", gnutls_strerror (result));
2731 result = gnutls_pkcs12_bag_get_count (bag);
2733 error (EXIT_FAILURE, 0, "encrypted bag_count: %s",
2734 gnutls_strerror (result));
2737 print_bag_data (bag);
2739 gnutls_pkcs12_bag_deinit (bag);
2746 gnutls_pkcs7_t pkcs7;
2749 gnutls_datum_t data, b64;
2752 result = gnutls_pkcs7_init (&pkcs7);
2754 error (EXIT_FAILURE, 0, "p7_init: %s", gnutls_strerror (result));
2756 data.data = fread_file (infile, &size);
2759 result = gnutls_pkcs7_import (pkcs7, &data, info.incert_format);
2762 error (EXIT_FAILURE, 0, "import error: %s", gnutls_strerror (result));
2764 /* Read and print the certificates.
2766 result = gnutls_pkcs7_get_crt_count (pkcs7);
2768 error (EXIT_FAILURE, 0, "p7_crt_count: %s", gnutls_strerror (result));
2773 fprintf (outfile, "Number of certificates: %u\n", count);
2775 for (indx = 0; indx < count; indx++)
2777 fputs ("\n", outfile);
2780 result = gnutls_pkcs7_get_crt_raw (pkcs7, indx, buffer, &size);
2787 result = gnutls_pem_base64_encode_alloc ("CERTIFICATE", &data, &b64);
2789 error (EXIT_FAILURE, 0, "encoding: %s", gnutls_strerror (result));
2791 fputs (b64.data, outfile);
2792 gnutls_free (b64.data);
2795 /* Read the CRLs now.
2797 result = gnutls_pkcs7_get_crl_count (pkcs7);
2799 error (EXIT_FAILURE, 0, "p7_crl_count: %s", gnutls_strerror (result));
2804 fprintf (outfile, "\nNumber of CRLs: %u\n", count);
2806 for (indx = 0; indx < count; indx++)
2808 fputs ("\n", outfile);
2811 result = gnutls_pkcs7_get_crl_raw (pkcs7, indx, buffer, &size);
2818 result = gnutls_pem_base64_encode_alloc ("X509 CRL", &data, &b64);
2820 error (EXIT_FAILURE, 0, "encoding: %s", gnutls_strerror (result));
2822 fputs (b64.data, outfile);
2823 gnutls_free (b64.data);
2828 smime_to_pkcs7 (void)
2830 size_t linesize = 0;
2831 char *lineptr = NULL;
2834 /* Find body. FIXME: Handle non-b64 Content-Transfer-Encoding.
2835 Reject non-S/MIME tagged Content-Type's? */
2838 len = getline (&lineptr, &linesize, infile);
2840 error (EXIT_FAILURE, 0, "cannot find RFC 2822 header/body separator");
2842 while (strcmp (lineptr, "\r\n") != 0 && strcmp (lineptr, "\n") != 0);
2846 len = getline (&lineptr, &linesize, infile);
2848 error (EXIT_FAILURE, 0, "message has RFC 2822 header but no body");
2850 while (strcmp (lineptr, "\r\n") == 0 && strcmp (lineptr, "\n") == 0);
2852 fprintf (outfile, "%s", "-----BEGIN PKCS7-----\n");
2857 && (lineptr[len - 1] == '\r' || lineptr[len - 1] == '\n'))
2858 lineptr[--len] = '\0';
2859 if (strcmp (lineptr, "") != 0)
2860 fprintf (outfile, "%s\n", lineptr);
2861 len = getline (&lineptr, &linesize, infile);
2865 fprintf (outfile, "%s", "-----END PKCS7-----\n");
2871 certtool_version (void)
2873 const char *p = PACKAGE_NAME;
2874 if (strcmp (gnutls_check_version (NULL), PACKAGE_VERSION) != 0)
2876 version_etc (stdout, program_name, p, gnutls_check_version (NULL),
2877 "Nikos Mavrogiannopoulos", "Simon Josefsson", (char *) NULL);
2881 print_key_usage (FILE * outfile, unsigned int usage)
2883 if (usage & GNUTLS_KEY_DIGITAL_SIGNATURE)
2885 fprintf (outfile, "\tDigital signature.\n");
2888 if (usage & GNUTLS_KEY_NON_REPUDIATION)
2890 fprintf (outfile, "\tNon repudiation.\n");
2893 if (usage & GNUTLS_KEY_KEY_ENCIPHERMENT)
2895 fprintf (outfile, "\tKey encipherment.\n");
2898 if (usage & GNUTLS_KEY_DATA_ENCIPHERMENT)
2900 fprintf (outfile, "\tData encipherment.\n");
2903 if (usage & GNUTLS_KEY_KEY_AGREEMENT)
2905 fprintf (outfile, "\tKey agreement.\n");
2908 if (usage & GNUTLS_KEY_KEY_CERT_SIGN)
2910 fprintf (outfile, "\tCertificate signing.\n");
2913 if (usage & GNUTLS_KEY_NON_REPUDIATION)
2915 fprintf (outfile, "\tCRL signing.\n");
2918 if (usage & GNUTLS_KEY_ENCIPHER_ONLY)
2920 fprintf (outfile, "\tKey encipher only.\n");
2923 if (usage & GNUTLS_KEY_DECIPHER_ONLY)
2925 fprintf (outfile, "\tKey decipher only.\n");
2930 pubkey_info (gnutls_x509_crt crt, common_info_st * cinfo)
2932 gnutls_pubkey_t pubkey;
2933 unsigned int bits, usage;
2938 ret = gnutls_pubkey_init (&pubkey);
2941 error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
2946 crt = load_cert (0, cinfo);
2951 ret = gnutls_pubkey_import_x509 (pubkey, crt, 0);
2954 error (EXIT_FAILURE, 0, "pubkey_import_x509: %s",
2955 gnutls_strerror (ret));
2960 pubkey = load_pubkey (1, cinfo);
2963 fprintf (outfile, "Public Key Info:\n\n");
2964 ret = gnutls_pubkey_get_pk_algorithm (pubkey, &bits);
2965 fprintf (outfile, "Public Key Algorithm: ");
2967 cprint = gnutls_pk_algorithm_get_name (ret);
2968 fprintf (outfile, "%s (%u bits)\n", cprint ? cprint : "Unknown", bits);
2971 /* Print the raw public and private keys
2973 if (ret == GNUTLS_PK_RSA)
2975 gnutls_datum_t m, e;
2977 ret = gnutls_pubkey_get_pk_rsa_raw (pubkey, &m, &e);
2979 fprintf (stderr, "Error in key RSA data export: %s\n",
2980 gnutls_strerror (ret));
2983 print_rsa_pkey (&m, &e, NULL, NULL, NULL, NULL, NULL, NULL);
2984 gnutls_free (m.data);
2985 gnutls_free (e.data);
2988 else if (ret == GNUTLS_PK_DSA)
2990 gnutls_datum_t p, q, g, y;
2992 ret = gnutls_pubkey_get_pk_dsa_raw (pubkey, &p, &q, &g, &y);
2994 fprintf (stderr, "Error in key DSA data export: %s\n",
2995 gnutls_strerror (ret));
2998 print_dsa_pkey (NULL, &y, &p, &q, &g);
2999 gnutls_free (y.data);
3000 gnutls_free (p.data);
3001 gnutls_free (q.data);
3002 gnutls_free (g.data);
3006 ret = gnutls_pubkey_get_key_usage (pubkey, &usage);
3009 error (EXIT_FAILURE, 0, "pubkey_get_key_usage: %s",
3010 gnutls_strerror (ret));
3013 fprintf (outfile, "Public Key Usage:\n");
3014 print_key_usage (outfile, usage);
3016 fprintf (outfile, "\n");
3019 if ((ret = gnutls_pubkey_get_key_id (pubkey, 0, buffer, &size)) < 0)
3021 fprintf (stderr, "Error in key id calculation: %s\n",
3022 gnutls_strerror (ret));
3026 fprintf (outfile, "Public Key ID: %s\n", raw_to_string (buffer, size));
3030 ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_PEM, buffer, &size);
3032 error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
3034 fprintf (outfile, "\n%s\n", buffer);
3036 gnutls_pubkey_deinit (pubkey);