diff options
author | stas <stas@FreeBSD.org> | 2011-09-29 05:23:57 +0000 |
---|---|---|
committer | stas <stas@FreeBSD.org> | 2011-09-29 05:23:57 +0000 |
commit | f6e720bf7e3d09d00d73f389a5dac8efdce0eb8c (patch) | |
tree | cf5b65423910d126fddaaf04b885d0de3507d692 /crypto/heimdal/lib/hx509/hxtool.c | |
parent | 51b6601db456e699ea5d4843cbc7239ee92d9c13 (diff) | |
download | FreeBSD-src-f6e720bf7e3d09d00d73f389a5dac8efdce0eb8c.zip FreeBSD-src-f6e720bf7e3d09d00d73f389a5dac8efdce0eb8c.tar.gz |
- Flatten the vendor heimdal tree.
Diffstat (limited to 'crypto/heimdal/lib/hx509/hxtool.c')
-rw-r--r-- | crypto/heimdal/lib/hx509/hxtool.c | 1986 |
1 files changed, 0 insertions, 1986 deletions
diff --git a/crypto/heimdal/lib/hx509/hxtool.c b/crypto/heimdal/lib/hx509/hxtool.c deleted file mode 100644 index 55410b1..0000000 --- a/crypto/heimdal/lib/hx509/hxtool.c +++ /dev/null @@ -1,1986 +0,0 @@ -/* - * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "hx_locl.h" -RCSID("$Id: hxtool.c 22333 2007-12-17 01:03:43Z lha $"); - -#include <hxtool-commands.h> -#include <sl.h> -#include <parse_time.h> - -static hx509_context context; - -static char *stat_file_string; -static int version_flag; -static int help_flag; - -struct getargs args[] = { - { "statistic-file", 0, arg_string, &stat_file_string }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; -int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int code) -{ - arg_printusage(args, num_args, NULL, "command"); - printf("Use \"%s help\" to get more help\n", getprogname()); - exit(code); -} - -/* - * - */ - -static void -lock_strings(hx509_lock lock, getarg_strings *pass) -{ - int i; - for (i = 0; i < pass->num_strings; i++) { - int ret = hx509_lock_command_string(lock, pass->strings[i]); - if (ret) - errx(1, "hx509_lock_command_string: %s: %d", - pass->strings[i], ret); - } -} - -/* - * - */ - -static void -certs_strings(hx509_context context, const char *type, hx509_certs certs, - hx509_lock lock, const getarg_strings *s) -{ - int i, ret; - - for (i = 0; i < s->num_strings; i++) { - ret = hx509_certs_append(context, certs, lock, s->strings[i]); - if (ret) - hx509_err(context, 1, ret, - "hx509_certs_append: %s %s", type, s->strings[i]); - } -} - -/* - * - */ - -static void -parse_oid(const char *str, const heim_oid *def, heim_oid *oid) -{ - int ret; - if (str) - ret = der_parse_heim_oid (str, " .", oid); - else - ret = der_copy_oid(def, oid); - if (ret) - errx(1, "parse_oid failed for: %s", str ? str : "default oid"); -} - -/* - * - */ - -static void -peer_strings(hx509_context context, - hx509_peer_info *peer, - const getarg_strings *s) -{ - AlgorithmIdentifier *val; - int ret, i; - - ret = hx509_peer_info_alloc(context, peer); - if (ret) - hx509_err(context, 1, ret, "hx509_peer_info_alloc"); - - val = calloc(s->num_strings, sizeof(*val)); - if (val == NULL) - err(1, "malloc"); - - for (i = 0; i < s->num_strings; i++) - parse_oid(s->strings[i], NULL, &val[i].algorithm); - - ret = hx509_peer_info_set_cms_algs(context, *peer, val, s->num_strings); - if (ret) - hx509_err(context, 1, ret, "hx509_peer_info_set_cms_algs"); - - for (i = 0; i < s->num_strings; i++) - free_AlgorithmIdentifier(&val[i]); - free(val); -} - -/* - * - */ - -int -cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv) -{ - hx509_verify_ctx ctx = NULL; - heim_oid type; - heim_octet_string c, co, signeddata, *sd = NULL; - hx509_certs store = NULL; - hx509_certs signers = NULL; - hx509_certs anchors = NULL; - hx509_lock lock; - int ret; - - size_t sz; - void *p; - - if (opt->missing_revoke_flag) - hx509_context_set_missing_revoke(context, 1); - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = _hx509_map_file(argv[0], &p, &sz, NULL); - if (ret) - err(1, "map_file: %s: %d", argv[0], ret); - - if (opt->signed_content_string) { - ret = _hx509_map_file_os(opt->signed_content_string, &signeddata, NULL); - if (ret) - err(1, "map_file: %s: %d", opt->signed_content_string, ret); - sd = &signeddata; - } - - ret = hx509_verify_init_ctx(context, &ctx); - - ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors); - ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store); - - certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings); - certs_strings(context, "store", store, lock, &opt->certificate_strings); - - co.data = p; - co.length = sz; - - if (opt->content_info_flag) { - heim_octet_string uwco; - heim_oid oid; - - ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL); - if (ret) - errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret); - - if (der_heim_oid_cmp(&oid, oid_id_pkcs7_signedData()) != 0) - errx(1, "Content is not SignedData"); - der_free_oid(&oid); - - co = uwco; - } - - hx509_verify_attach_anchors(ctx, anchors); - - ret = hx509_cms_verify_signed(context, ctx, co.data, co.length, sd, - store, &type, &c, &signers); - if (co.data != p) - der_free_octet_string(&co); - if (ret) - hx509_err(context, 1, ret, "hx509_cms_verify_signed"); - - { - char *str; - der_print_heim_oid(&type, '.', &str); - printf("type: %s\n", str); - free(str); - der_free_oid(&type); - } - printf("signers:\n"); - hx509_certs_iter(context, signers, hx509_ci_print_names, stdout); - - hx509_verify_destroy_ctx(ctx); - - hx509_certs_free(&store); - hx509_certs_free(&signers); - hx509_certs_free(&anchors); - - hx509_lock_free(lock); - - ret = _hx509_write_file(argv[1], c.data, c.length); - if (ret) - errx(1, "hx509_write_file: %d", ret); - - der_free_octet_string(&c); - _hx509_unmap_file(p, sz); - if (sd) - _hx509_unmap_file_os(sd); - - return 0; -} - -int -cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv) -{ - heim_oid contentType; - hx509_peer_info peer = NULL; - heim_octet_string o; - hx509_query *q; - hx509_lock lock; - hx509_certs store, pool, anchors; - hx509_cert cert; - size_t sz; - void *p; - int ret, flags = 0; - char *signer_name = NULL; - - memset(&contentType, 0, sizeof(contentType)); - - if (argc < 2) - errx(1, "argc < 2"); - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store); - ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool); - - certs_strings(context, "store", store, lock, &opt->certificate_strings); - certs_strings(context, "pool", pool, lock, &opt->pool_strings); - - if (opt->anchors_strings.num_strings) { - ret = hx509_certs_init(context, "MEMORY:cert-anchors", - 0, NULL, &anchors); - certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings); - } else - anchors = NULL; - - if (opt->detached_signature_flag) - flags |= HX509_CMS_SIGATURE_DETACHED; - if (opt->id_by_name_flag) - flags |= HX509_CMS_SIGATURE_ID_NAME; - - ret = hx509_query_alloc(context, &q); - if (ret) - errx(1, "hx509_query_alloc: %d", ret); - - hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); - hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - - if (opt->signer_string) - hx509_query_match_friendly_name(q, opt->signer_string); - - ret = hx509_certs_find(context, store, q, &cert); - hx509_query_free(context, q); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_find"); - - ret = _hx509_map_file(argv[0], &p, &sz, NULL); - if (ret) - err(1, "map_file: %s: %d", argv[0], ret); - - if (opt->peer_alg_strings.num_strings) - peer_strings(context, &peer, &opt->peer_alg_strings); - - parse_oid(opt->content_type_string, oid_id_pkcs7_data(), &contentType); - - ret = hx509_cms_create_signed_1(context, - flags, - &contentType, - p, - sz, - NULL, - cert, - peer, - anchors, - pool, - &o); - if (ret) - errx(1, "hx509_cms_create_signed: %d", ret); - - { - hx509_name name; - - ret = hx509_cert_get_subject(cert, &name); - if (ret) - errx(1, "hx509_cert_get_subject"); - - ret = hx509_name_to_string(name, &signer_name); - hx509_name_free(&name); - if (ret) - errx(1, "hx509_name_to_string"); - } - - - hx509_certs_free(&anchors); - hx509_certs_free(&pool); - hx509_cert_free(cert); - hx509_certs_free(&store); - _hx509_unmap_file(p, sz); - hx509_lock_free(lock); - hx509_peer_info_free(peer); - der_free_oid(&contentType); - - if (opt->content_info_flag) { - heim_octet_string wo; - - ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &o, &wo); - if (ret) - errx(1, "hx509_cms_wrap_ContentInfo: %d", ret); - - der_free_octet_string(&o); - o = wo; - } - - if (opt->pem_flag) { - hx509_pem_header *header = NULL; - FILE *f; - - hx509_pem_add_header(&header, "Content-disposition", - opt->detached_signature_flag ? "detached" : "inline"); - hx509_pem_add_header(&header, "Signer", signer_name); - - f = fopen(argv[1], "w"); - if (f == NULL) - err(1, "open %s", argv[1]); - - ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f, - o.data, o.length); - fclose(f); - hx509_pem_free_header(header); - if (ret) - errx(1, "hx509_pem_write: %d", ret); - - } else { - ret = _hx509_write_file(argv[1], o.data, o.length); - if (ret) - errx(1, "hx509_write_file: %d", ret); - } - - free(signer_name); - free(o.data); - - return 0; -} - -int -cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv) -{ - heim_oid contentType = { 0, NULL }; - heim_octet_string o, co; - hx509_certs certs; - size_t sz; - void *p; - int ret; - hx509_lock lock; - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = _hx509_map_file(argv[0], &p, &sz, NULL); - if (ret) - err(1, "map_file: %s: %d", argv[0], ret); - - co.data = p; - co.length = sz; - - if (opt->content_info_flag) { - heim_octet_string uwco; - heim_oid oid; - - ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL); - if (ret) - errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret); - - if (der_heim_oid_cmp(&oid, oid_id_pkcs7_envelopedData()) != 0) - errx(1, "Content is not SignedData"); - der_free_oid(&oid); - - co = uwco; - } - - ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs); - if (ret) - errx(1, "hx509_certs_init: MEMORY: %d", ret); - - certs_strings(context, "store", certs, lock, &opt->certificate_strings); - - ret = hx509_cms_unenvelope(context, certs, 0, co.data, co.length, - NULL, &contentType, &o); - if (co.data != p) - der_free_octet_string(&co); - if (ret) - hx509_err(context, 1, ret, "hx509_cms_unenvelope"); - - _hx509_unmap_file(p, sz); - hx509_lock_free(lock); - hx509_certs_free(&certs); - der_free_oid(&contentType); - - ret = _hx509_write_file(argv[1], o.data, o.length); - if (ret) - errx(1, "hx509_write_file: %d", ret); - - der_free_octet_string(&o); - - return 0; -} - -int -cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv) -{ - heim_oid contentType; - heim_octet_string o; - const heim_oid *enctype = NULL; - hx509_query *q; - hx509_certs certs; - hx509_cert cert; - int ret; - size_t sz; - void *p; - hx509_lock lock; - - memset(&contentType, 0, sizeof(contentType)); - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = _hx509_map_file(argv[0], &p, &sz, NULL); - if (ret) - err(1, "map_file: %s: %d", argv[0], ret); - - ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs); - - certs_strings(context, "store", certs, lock, &opt->certificate_strings); - - if (opt->encryption_type_string) { - enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string); - if (enctype == NULL) - errx(1, "encryption type: %s no found", - opt->encryption_type_string); - } - - ret = hx509_query_alloc(context, &q); - if (ret) - errx(1, "hx509_query_alloc: %d", ret); - - hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT); - - ret = hx509_certs_find(context, certs, q, &cert); - hx509_query_free(context, q); - if (ret) - errx(1, "hx509_certs_find: %d", ret); - - parse_oid(opt->content_type_string, oid_id_pkcs7_data(), &contentType); - - ret = hx509_cms_envelope_1(context, 0, cert, p, sz, enctype, - &contentType, &o); - if (ret) - errx(1, "hx509_cms_envelope_1: %d", ret); - - hx509_cert_free(cert); - hx509_certs_free(&certs); - _hx509_unmap_file(p, sz); - der_free_oid(&contentType); - - if (opt->content_info_flag) { - heim_octet_string wo; - - ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_envelopedData(), &o, &wo); - if (ret) - errx(1, "hx509_cms_wrap_ContentInfo: %d", ret); - - der_free_octet_string(&o); - o = wo; - } - - hx509_lock_free(lock); - - ret = _hx509_write_file(argv[1], o.data, o.length); - if (ret) - errx(1, "hx509_write_file: %d", ret); - - der_free_octet_string(&o); - - return 0; -} - -static void -print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose) -{ - hx509_name name; - const char *fn; - char *str; - int ret; - - fn = hx509_cert_get_friendly_name(cert); - if (fn) - printf(" friendly name: %s\n", fn); - printf(" private key: %s\n", - _hx509_cert_private_key(cert) ? "yes" : "no"); - - ret = hx509_cert_get_issuer(cert, &name); - hx509_name_to_string(name, &str); - hx509_name_free(&name); - printf(" issuer: \"%s\"\n", str); - free(str); - - ret = hx509_cert_get_subject(cert, &name); - hx509_name_to_string(name, &str); - hx509_name_free(&name); - printf(" subject: \"%s\"\n", str); - free(str); - - { - heim_integer serialNumber; - - hx509_cert_get_serialnumber(cert, &serialNumber); - der_print_hex_heim_integer(&serialNumber, &str); - der_free_heim_integer(&serialNumber); - printf(" serial: %s\n", str); - free(str); - } - - printf(" keyusage: "); - ret = hx509_cert_keyusage_print(hxcontext, cert, &str); - if (ret == 0) { - printf("%s\n", str); - free(str); - } else - printf("no"); - - if (verbose) { - hx509_validate_ctx vctx; - - hx509_validate_ctx_init(hxcontext, &vctx); - hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout); - hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE); - hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE); - - hx509_validate_cert(hxcontext, vctx, cert); - - hx509_validate_ctx_free(vctx); - } -} - - -struct print_s { - int counter; - int verbose; -}; - -static int -print_f(hx509_context hxcontext, void *ctx, hx509_cert cert) -{ - struct print_s *s = ctx; - - printf("cert: %d\n", s->counter++); - print_certificate(context, cert, s->verbose); - - return 0; -} - -int -pcert_print(struct print_options *opt, int argc, char **argv) -{ - hx509_certs certs; - hx509_lock lock; - struct print_s s; - - s.counter = 0; - s.verbose = opt->content_flag; - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - while(argc--) { - int ret; - ret = hx509_certs_init(context, argv[0], 0, lock, &certs); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_init"); - if (opt->info_flag) - hx509_certs_info(context, certs, NULL, NULL); - hx509_certs_iter(context, certs, print_f, &s); - hx509_certs_free(&certs); - argv++; - } - - hx509_lock_free(lock); - - return 0; -} - - -static int -validate_f(hx509_context hxcontext, void *ctx, hx509_cert c) -{ - hx509_validate_cert(hxcontext, ctx, c); - return 0; -} - -int -pcert_validate(struct validate_options *opt, int argc, char **argv) -{ - hx509_validate_ctx ctx; - hx509_certs certs; - hx509_lock lock; - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - hx509_validate_ctx_init(context, &ctx); - hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout); - hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE); - - while(argc--) { - int ret; - ret = hx509_certs_init(context, argv[0], 0, lock, &certs); - if (ret) - errx(1, "hx509_certs_init: %d", ret); - hx509_certs_iter(context, certs, validate_f, ctx); - hx509_certs_free(&certs); - argv++; - } - hx509_validate_ctx_free(ctx); - - hx509_lock_free(lock); - - return 0; -} - -int -certificate_copy(struct certificate_copy_options *opt, int argc, char **argv) -{ - hx509_certs certs; - hx509_lock lock; - int ret; - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->in_pass_strings); - - ret = hx509_certs_init(context, argv[argc - 1], - HX509_CERTS_CREATE, lock, &certs); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_init"); - - while(argc-- > 1) { - int ret; - ret = hx509_certs_append(context, certs, lock, argv[0]); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append"); - argv++; - } - - ret = hx509_certs_store(context, certs, 0, NULL); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_store"); - - hx509_certs_free(&certs); - hx509_lock_free(lock); - - return 0; -} - -struct verify { - hx509_verify_ctx ctx; - hx509_certs chain; - const char *hostname; - int errors; -}; - -static int -verify_f(hx509_context hxcontext, void *ctx, hx509_cert c) -{ - struct verify *v = ctx; - int ret; - - ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain); - if (ret) { - char *s = hx509_get_error_string(hxcontext, ret); - printf("verify_path: %s: %d\n", s, ret); - hx509_free_error_string(s); - v->errors++; - } else - printf("path ok\n"); - - if (v->hostname) { - ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME, - v->hostname, NULL, 0); - if (ret) { - printf("verify_hostname: %d\n", ret); - v->errors++; - } - } - - return 0; -} - -int -pcert_verify(struct verify_options *opt, int argc, char **argv) -{ - hx509_certs anchors, chain, certs; - hx509_revoke_ctx revoke_ctx; - hx509_verify_ctx ctx; - struct verify v; - int ret; - - memset(&v, 0, sizeof(v)); - - if (opt->missing_revoke_flag) - hx509_context_set_missing_revoke(context, 1); - - ret = hx509_verify_init_ctx(context, &ctx); - ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors); - ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain); - ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs); - - if (opt->allow_proxy_certificate_flag) - hx509_verify_set_proxy_certificate(ctx, 1); - - if (opt->time_string) { - const char *p; - struct tm tm; - time_t t; - - memset(&tm, 0, sizeof(tm)); - - p = strptime (opt->time_string, "%Y-%m-%d", &tm); - if (p == NULL) - errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d", - opt->time_string); - - t = tm2time (tm, 0); - - hx509_verify_set_time(ctx, t); - } - - if (opt->hostname_string) - v.hostname = opt->hostname_string; - if (opt->max_depth_integer) - hx509_verify_set_max_depth(ctx, opt->max_depth_integer); - - ret = hx509_revoke_init(context, &revoke_ctx); - if (ret) - errx(1, "hx509_revoke_init: %d", ret); - - while(argc--) { - char *s = *argv++; - - if (strncmp(s, "chain:", 6) == 0) { - s += 6; - - ret = hx509_certs_append(context, chain, NULL, s); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret); - - } else if (strncmp(s, "anchor:", 7) == 0) { - s += 7; - - ret = hx509_certs_append(context, anchors, NULL, s); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret); - - } else if (strncmp(s, "cert:", 5) == 0) { - s += 5; - - ret = hx509_certs_append(context, certs, NULL, s); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d", - s, ret); - - } else if (strncmp(s, "crl:", 4) == 0) { - s += 4; - - ret = hx509_revoke_add_crl(context, revoke_ctx, s); - if (ret) - errx(1, "hx509_revoke_add_crl: %s: %d", s, ret); - - } else if (strncmp(s, "ocsp:", 4) == 0) { - s += 5; - - ret = hx509_revoke_add_ocsp(context, revoke_ctx, s); - if (ret) - errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret); - - } else { - errx(1, "unknown option to verify: `%s'\n", s); - } - } - - hx509_verify_attach_anchors(ctx, anchors); - hx509_verify_attach_revoke(ctx, revoke_ctx); - - v.ctx = ctx; - v.chain = chain; - - hx509_certs_iter(context, certs, verify_f, &v); - - hx509_verify_destroy_ctx(ctx); - - hx509_certs_free(&certs); - hx509_certs_free(&chain); - hx509_certs_free(&anchors); - - hx509_revoke_free(&revoke_ctx); - - if (v.errors) { - printf("failed verifing %d checks\n", v.errors); - return 1; - } - - return 0; -} - -int -query(struct query_options *opt, int argc, char **argv) -{ - hx509_lock lock; - hx509_query *q; - hx509_certs certs; - hx509_cert c; - int ret; - - ret = hx509_query_alloc(context, &q); - if (ret) - errx(1, "hx509_query_alloc: %d", ret); - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs); - - while (argc > 0) { - - ret = hx509_certs_append(context, certs, lock, argv[0]); - if (ret) - errx(1, "hx509_certs_append: %s: %d", argv[0], ret); - - argc--; - argv++; - } - - if (opt->friendlyname_string) - hx509_query_match_friendly_name(q, opt->friendlyname_string); - - if (opt->private_key_flag) - hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); - - if (opt->keyEncipherment_flag) - hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT); - - if (opt->digitalSignature_flag) - hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - - ret = hx509_certs_find(context, certs, q, &c); - hx509_query_free(context, q); - if (ret) - printf("no match found (%d)\n", ret); - else { - printf("match found\n"); - if (opt->print_flag) - print_certificate(context, c, 0); - } - - hx509_cert_free(c); - hx509_certs_free(&certs); - - hx509_lock_free(lock); - - return ret; -} - -int -ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv) -{ - hx509_certs reqcerts, pool; - heim_octet_string req, nonce_data, *nonce = &nonce_data; - hx509_lock lock; - int i, ret; - char *file; - const char *url = "/"; - - memset(&nonce, 0, sizeof(nonce)); - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - /* no nonce */ - if (!opt->nonce_flag) - nonce = NULL; - - if (opt->url_path_string) - url = opt->url_path_string; - - ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool); - - certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings); - - file = argv[0]; - - ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts); - - for (i = 1; i < argc; i++) { - ret = hx509_certs_append(context, reqcerts, lock, argv[i]); - if (ret) - errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret); - } - - ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce); - if (ret) - errx(1, "hx509_ocsp_request: req: %d", ret); - - { - FILE *f; - - f = fopen(file, "w"); - if (f == NULL) - abort(); - - fprintf(f, - "POST %s HTTP/1.0\r\n" - "Content-Type: application/ocsp-request\r\n" - "Content-Length: %ld\r\n" - "\r\n", - url, - (unsigned long)req.length); - fwrite(req.data, req.length, 1, f); - fclose(f); - } - - if (nonce) - der_free_octet_string(nonce); - - hx509_certs_free(&reqcerts); - hx509_certs_free(&pool); - - return 0; -} - -int -ocsp_print(struct ocsp_print_options *opt, int argc, char **argv) -{ - hx509_revoke_ocsp_print(context, argv[0], stdout); - return 0; -} - -/* - * - */ - -static int -verify_o(hx509_context hxcontext, void *ctx, hx509_cert c) -{ - heim_octet_string *os = ctx; - time_t expiration; - int ret; - - ret = hx509_ocsp_verify(context, 0, c, 0, - os->data, os->length, &expiration); - if (ret) { - char *s = hx509_get_error_string(hxcontext, ret); - printf("ocsp_verify: %s: %d\n", s, ret); - hx509_free_error_string(s); - } else - printf("expire: %d\n", (int)expiration); - - return ret; -} - - -int -ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv) -{ - hx509_lock lock; - hx509_certs certs; - int ret, i; - heim_octet_string os; - - hx509_lock_init(context, &lock); - - if (opt->ocsp_file_string == NULL) - errx(1, "no ocsp file given"); - - ret = _hx509_map_file(opt->ocsp_file_string, &os.data, &os.length, NULL); - if (ret) - err(1, "map_file: %s: %d", argv[0], ret); - - ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs); - - for (i = 0; i < argc; i++) { - ret = hx509_certs_append(context, certs, lock, argv[i]); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]); - } - - ret = hx509_certs_iter(context, certs, verify_o, &os); - - hx509_certs_free(&certs); - _hx509_unmap_file(os.data, os.length); - hx509_lock_free(lock); - - return ret; -} - -static int -read_private_key(const char *fn, hx509_private_key *key) -{ - hx509_private_key *keys; - hx509_certs certs; - int ret; - - *key = NULL; - - ret = hx509_certs_init(context, fn, 0, NULL, &certs); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_init: %s", fn); - - ret = _hx509_certs_keys_get(context, certs, &keys); - hx509_certs_free(&certs); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_keys_get"); - if (keys[0] == NULL) - errx(1, "no keys in key store: %s", fn); - - *key = _hx509_private_key_ref(keys[0]); - _hx509_certs_keys_free(context, keys); - - return 0; -} - -static void -get_key(const char *fn, const char *type, int optbits, - hx509_private_key *signer) -{ - int ret; - - if (type) { - BIGNUM *e; - RSA *rsa; - unsigned char *p0, *p; - size_t len; - int bits = 1024; - - if (fn == NULL) - errx(1, "no key argument, don't know here to store key"); - - if (strcasecmp(type, "rsa") != 0) - errx(1, "can only handle rsa keys for now"); - - e = BN_new(); - BN_set_word(e, 0x10001); - - if (optbits) - bits = optbits; - - rsa = RSA_new(); - if(rsa == NULL) - errx(1, "RSA_new failed"); - - ret = RSA_generate_key_ex(rsa, bits, e, NULL); - if(ret != 1) - errx(1, "RSA_new failed"); - - BN_free(e); - - len = i2d_RSAPrivateKey(rsa, NULL); - - p0 = p = malloc(len); - if (p == NULL) - errx(1, "out of memory"); - - i2d_RSAPrivateKey(rsa, &p); - - rk_dumpdata(fn, p0, len); - memset(p0, 0, len); - free(p0); - - RSA_free(rsa); - - } else if (fn == NULL) - err(1, "no private key"); - - ret = read_private_key(fn, signer); - if (ret) - err(1, "read_private_key"); -} - -int -request_create(struct request_create_options *opt, int argc, char **argv) -{ - heim_octet_string request; - hx509_request req; - int ret, i; - hx509_private_key signer; - SubjectPublicKeyInfo key; - const char *outfile = argv[0]; - - memset(&key, 0, sizeof(key)); - - get_key(opt->key_string, - opt->generate_key_string, - opt->key_bits_integer, - &signer); - - _hx509_request_init(context, &req); - - if (opt->subject_string) { - hx509_name name = NULL; - - ret = hx509_parse_name(context, opt->subject_string, &name); - if (ret) - errx(1, "hx509_parse_name: %d\n", ret); - _hx509_request_set_name(context, req, name); - - if (opt->verbose_flag) { - char *s; - hx509_name_to_string(name, &s); - printf("%s\n", s); - } - hx509_name_free(&name); - } - - for (i = 0; i < opt->email_strings.num_strings; i++) { - ret = _hx509_request_add_email(context, req, - opt->email_strings.strings[i]); - } - - for (i = 0; i < opt->dnsname_strings.num_strings; i++) { - ret = _hx509_request_add_dns_name(context, req, - opt->dnsname_strings.strings[i]); - } - - - ret = _hx509_private_key2SPKI(context, signer, &key); - if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); - - ret = _hx509_request_set_SubjectPublicKeyInfo(context, - req, - &key); - free_SubjectPublicKeyInfo(&key); - if (ret) - hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo"); - - ret = _hx509_request_to_pkcs10(context, - req, - signer, - &request); - if (ret) - hx509_err(context, 1, ret, "_hx509_request_to_pkcs10"); - - _hx509_private_key_free(&signer); - _hx509_request_free(&req); - - if (ret == 0) - rk_dumpdata(outfile, request.data, request.length); - der_free_octet_string(&request); - - return 0; -} - -int -request_print(struct request_print_options *opt, int argc, char **argv) -{ - int ret, i; - - printf("request print\n"); - - for (i = 0; i < argc; i++) { - hx509_request req; - - ret = _hx509_request_parse(context, argv[i], &req); - if (ret) - hx509_err(context, 1, ret, "parse_request: %s", argv[i]); - - ret = _hx509_request_print(context, req, stdout); - _hx509_request_free(&req); - if (ret) - hx509_err(context, 1, ret, "Failed to print file %s", argv[i]); - } - - return 0; -} - -int -info(void *opt, int argc, char **argv) -{ - - ENGINE_add_conf_module(); - - { - const RSA_METHOD *m = RSA_get_default_method(); - if (m != NULL) - printf("rsa: %s\n", m->name); - } - { - const DH_METHOD *m = DH_get_default_method(); - if (m != NULL) - printf("dh: %s\n", m->name); - } - { - int ret = RAND_status(); - printf("rand: %s\n", ret == 1 ? "ok" : "not available"); - } - - return 0; -} - -int -random_data(void *opt, int argc, char **argv) -{ - void *ptr; - int len, ret; - - len = parse_bytes(argv[0], "byte"); - if (len <= 0) { - fprintf(stderr, "bad argument to random-data\n"); - return 1; - } - - ptr = malloc(len); - if (ptr == NULL) { - fprintf(stderr, "out of memory\n"); - return 1; - } - - ret = RAND_bytes(ptr, len); - if (ret != 1) { - free(ptr); - fprintf(stderr, "did not get cryptographic strong random\n"); - return 1; - } - - fwrite(ptr, len, 1, stdout); - fflush(stdout); - - free(ptr); - - return 0; -} - -int -crypto_available(struct crypto_available_options *opt, int argc, char **argv) -{ - AlgorithmIdentifier *val; - unsigned int len, i; - int ret, type; - - if (opt->type_string) { - if (strcmp(opt->type_string, "all") == 0) - type = HX509_SELECT_ALL; - else if (strcmp(opt->type_string, "digest") == 0) - type = HX509_SELECT_DIGEST; - else if (strcmp(opt->type_string, "public-sig") == 0) - type = HX509_SELECT_PUBLIC_SIG; - else if (strcmp(opt->type_string, "secret") == 0) - type = HX509_SELECT_SECRET_ENC; - else - errx(1, "unknown type: %s", opt->type_string); - } else - type = HX509_SELECT_ALL; - - ret = hx509_crypto_available(context, type, NULL, &val, &len); - if (ret) - errx(1, "hx509_crypto_available"); - - for (i = 0; i < len; i++) { - char *s; - der_print_heim_oid (&val[i].algorithm, '.', &s); - printf("%s\n", s); - free(s); - } - - hx509_crypto_free_algs(val, len); - - return 0; -} - -int -crypto_select(struct crypto_select_options *opt, int argc, char **argv) -{ - hx509_peer_info peer = NULL; - AlgorithmIdentifier selected; - int ret, type; - char *s; - - if (opt->type_string) { - if (strcmp(opt->type_string, "digest") == 0) - type = HX509_SELECT_DIGEST; - else if (strcmp(opt->type_string, "public-sig") == 0) - type = HX509_SELECT_PUBLIC_SIG; - else if (strcmp(opt->type_string, "secret") == 0) - type = HX509_SELECT_SECRET_ENC; - else - errx(1, "unknown type: %s", opt->type_string); - } else - type = HX509_SELECT_DIGEST; - - if (opt->peer_cmstype_strings.num_strings) - peer_strings(context, &peer, &opt->peer_cmstype_strings); - - ret = hx509_crypto_select(context, type, NULL, peer, &selected); - if (ret) - errx(1, "hx509_crypto_available"); - - der_print_heim_oid (&selected.algorithm, '.', &s); - printf("%s\n", s); - free(s); - free_AlgorithmIdentifier(&selected); - - hx509_peer_info_free(peer); - - return 0; -} - -int -hxtool_hex(struct hex_options *opt, int argc, char **argv) -{ - - if (opt->decode_flag) { - char buf[1024], buf2[1024], *p; - ssize_t len; - - while(fgets(buf, sizeof(buf), stdin) != NULL) { - buf[strcspn(buf, "\r\n")] = '\0'; - p = buf; - while(isspace(*(unsigned char *)p)) - p++; - len = hex_decode(p, buf2, strlen(p)); - if (len < 0) - errx(1, "hex_decode failed"); - if (fwrite(buf2, 1, len, stdout) != len) - errx(1, "fwrite failed"); - } - } else { - char buf[28], *p; - size_t len; - - while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) { - len = hex_encode(buf, len, &p); - fprintf(stdout, "%s\n", p); - free(p); - } - } - return 0; -} - -static int -eval_types(hx509_context context, - hx509_ca_tbs tbs, - const struct certificate_sign_options *opt) -{ - int pkinit = 0; - int i, ret; - - for (i = 0; i < opt->type_strings.num_strings; i++) { - const char *type = opt->type_strings.strings[i]; - - if (strcmp(type, "https-server") == 0) { - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkix_kp_serverAuth()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - } else if (strcmp(type, "https-client") == 0) { - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkix_kp_clientAuth()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - } else if (strcmp(type, "peap-server") == 0) { - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkix_kp_serverAuth()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - } else if (strcmp(type, "pkinit-kdc") == 0) { - pkinit++; - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkkdcekuoid()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - } else if (strcmp(type, "pkinit-client") == 0) { - pkinit++; - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkekuoid()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_ms_client_authentication()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkinit_ms_eku()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - - } else if (strcmp(type, "email") == 0) { - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkix_kp_emailProtection()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - } else - errx(1, "unknown type %s", type); - } - - if (pkinit > 1) - errx(1, "More the one PK-INIT type given"); - - if (opt->pk_init_principal_string) { - if (!pkinit) - errx(1, "pk-init principal given but no pk-init oid"); - - ret = hx509_ca_tbs_add_san_pkinit(context, tbs, - opt->pk_init_principal_string); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_pkinit"); - } - - if (opt->ms_upn_string) { - if (!pkinit) - errx(1, "MS up given but no pk-init oid"); - - ret = hx509_ca_tbs_add_san_ms_upn(context, tbs, opt->ms_upn_string); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_ms_upn"); - } - - - for (i = 0; i < opt->hostname_strings.num_strings; i++) { - const char *hostname = opt->hostname_strings.strings[i]; - - ret = hx509_ca_tbs_add_san_hostname(context, tbs, hostname); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname"); - } - - for (i = 0; i < opt->email_strings.num_strings; i++) { - const char *email = opt->email_strings.strings[i]; - - ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname"); - - ret = hx509_ca_tbs_add_eku(context, tbs, - oid_id_pkix_kp_emailProtection()); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); - } - - if (opt->jid_string) { - ret = hx509_ca_tbs_add_san_jid(context, tbs, opt->jid_string); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_jid"); - } - - return 0; -} - -int -hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) -{ - int ret; - hx509_ca_tbs tbs; - hx509_cert signer = NULL, cert = NULL; - hx509_private_key private_key = NULL; - hx509_private_key cert_key = NULL; - hx509_name subject = NULL; - SubjectPublicKeyInfo spki; - int delta = 0; - - memset(&spki, 0, sizeof(spki)); - - if (opt->ca_certificate_string == NULL && !opt->self_signed_flag) - errx(1, "--ca-certificate argument missing (not using --self-signed)"); - if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag) - errx(1, "--ca-private-key argument missing (using --self-signed)"); - if (opt->certificate_string == NULL) - errx(1, "--certificate argument missing"); - - if (opt->template_certificate_string) { - if (opt->template_fields_string == NULL) - errx(1, "--template-certificate not no --template-fields"); - } - - if (opt->lifetime_string) { - delta = parse_time(opt->lifetime_string, "day"); - if (delta < 0) - errx(1, "Invalid lifetime: %s", opt->lifetime_string); - } - - if (opt->ca_certificate_string) { - hx509_certs cacerts = NULL; - hx509_query *q; - - ret = hx509_certs_init(context, opt->ca_certificate_string, 0, - NULL, &cacerts); - if (ret) - hx509_err(context, 1, ret, - "hx509_certs_init: %s", opt->ca_certificate_string); - - ret = hx509_query_alloc(context, &q); - if (ret) - errx(1, "hx509_query_alloc: %d", ret); - - hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); - if (!opt->issue_proxy_flag) - hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN); - - ret = hx509_certs_find(context, cacerts, q, &signer); - hx509_query_free(context, q); - hx509_certs_free(&cacerts); - if (ret) - hx509_err(context, 1, ret, "no CA certificate found"); - } else if (opt->self_signed_flag) { - if (opt->generate_key_string == NULL - && opt->ca_private_key_string == NULL) - errx(1, "no signing private key"); - } else - errx(1, "missing ca key"); - - if (opt->ca_private_key_string) { - - ret = read_private_key(opt->ca_private_key_string, &private_key); - if (ret) - err(1, "read_private_key"); - - ret = _hx509_private_key2SPKI(context, private_key, &spki); - if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); - - if (opt->self_signed_flag) - cert_key = private_key; - } - - if (opt->req_string) { - hx509_request req; - - ret = _hx509_request_parse(context, opt->req_string, &req); - if (ret) - hx509_err(context, 1, ret, "parse_request: %s", opt->req_string); - ret = _hx509_request_get_name(context, req, &subject); - if (ret) - hx509_err(context, 1, ret, "get name"); - ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki); - if (ret) - hx509_err(context, 1, ret, "get spki"); - _hx509_request_free(&req); - } - - if (opt->generate_key_string) { - struct hx509_generate_private_context *keyctx; - - ret = _hx509_generate_private_key_init(context, - oid_id_pkcs1_rsaEncryption(), - &keyctx); - - if (opt->issue_ca_flag) - _hx509_generate_private_key_is_ca(context, keyctx); - - if (opt->key_bits_integer) - _hx509_generate_private_key_bits(context, keyctx, - opt->key_bits_integer); - - ret = _hx509_generate_private_key(context, keyctx, - &cert_key); - _hx509_generate_private_key_free(&keyctx); - if (ret) - hx509_err(context, 1, ret, "generate private key"); - - ret = _hx509_private_key2SPKI(context, cert_key, &spki); - if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); - - if (opt->self_signed_flag) - private_key = cert_key; - } - - if (opt->certificate_private_key_string) { - ret = read_private_key(opt->certificate_private_key_string, &cert_key); - if (ret) - err(1, "read_private_key for certificate"); - } - - if (opt->subject_string) { - if (subject) - hx509_name_free(&subject); - ret = hx509_parse_name(context, opt->subject_string, &subject); - if (ret) - hx509_err(context, 1, ret, "hx509_parse_name"); - } - - /* - * - */ - - ret = hx509_ca_tbs_init(context, &tbs); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_init"); - - if (opt->template_certificate_string) { - hx509_cert template; - hx509_certs tcerts; - int flags; - - ret = hx509_certs_init(context, opt->template_certificate_string, 0, - NULL, &tcerts); - if (ret) - hx509_err(context, 1, ret, - "hx509_certs_init: %s", opt->template_certificate_string); - - ret = hx509_get_one_cert(context, tcerts, &template); - - hx509_certs_free(&tcerts); - if (ret) - hx509_err(context, 1, ret, "no template certificate found"); - - flags = parse_units(opt->template_fields_string, - hx509_ca_tbs_template_units(), ""); - - ret = hx509_ca_tbs_set_template(context, tbs, flags, template); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_template"); - - hx509_cert_free(template); - } - - if (opt->serial_number_string) { - heim_integer serialNumber; - - ret = der_parse_hex_heim_integer(opt->serial_number_string, - &serialNumber); - if (ret) - err(1, "der_parse_hex_heim_integer"); - ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_init"); - der_free_heim_integer(&serialNumber); - } - - if (spki.subjectPublicKey.length) { - ret = hx509_ca_tbs_set_spki(context, tbs, &spki); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki"); - } - - if (subject) { - ret = hx509_ca_tbs_set_subject(context, tbs, subject); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject"); - } - - if (opt->crl_uri_string) { - ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs, - opt->crl_uri_string, NULL); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri"); - } - - eval_types(context, tbs, opt); - - if (opt->issue_ca_flag) { - ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca"); - } - if (opt->issue_proxy_flag) { - ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy"); - } - if (opt->domain_controller_flag) { - hx509_ca_tbs_set_domaincontroller(context, tbs); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller"); - } - - if (delta) { - ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime"); - } - - if (opt->self_signed_flag) { - ret = hx509_ca_sign_self(context, tbs, private_key, &cert); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_sign_self"); - } else { - ret = hx509_ca_sign(context, tbs, signer, &cert); - if (ret) - hx509_err(context, 1, ret, "hx509_ca_sign"); - } - - if (cert_key) { - ret = _hx509_cert_assign_key(cert, cert_key); - if (ret) - hx509_err(context, 1, ret, "_hx509_cert_assign_key"); - } - - { - hx509_certs certs; - - ret = hx509_certs_init(context, opt->certificate_string, - HX509_CERTS_CREATE, NULL, &certs); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_init"); - - ret = hx509_certs_add(context, certs, cert); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_add"); - - ret = hx509_certs_store(context, certs, 0, NULL); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_store"); - - hx509_certs_free(&certs); - } - - if (subject) - hx509_name_free(&subject); - if (signer) - hx509_cert_free(signer); - hx509_cert_free(cert); - free_SubjectPublicKeyInfo(&spki); - - if (private_key != cert_key) - _hx509_private_key_free(&private_key); - _hx509_private_key_free(&cert_key); - - hx509_ca_tbs_free(&tbs); - - return 0; -} - -static int -test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert) -{ - heim_octet_string sd, c; - hx509_verify_ctx vctx = ctx; - hx509_certs signer = NULL; - heim_oid type; - int ret; - - if (_hx509_cert_private_key(cert) == NULL) - return 0; - - ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0, - NULL, cert, NULL, NULL, NULL, &sd); - if (ret) - errx(1, "hx509_cms_create_signed_1"); - - ret = hx509_cms_verify_signed(context, vctx, sd.data, sd.length, - NULL, NULL, &type, &c, &signer); - free(sd.data); - if (ret) - hx509_err(context, 1, ret, "hx509_cms_verify_signed"); - - printf("create-signature verify-sigature done\n"); - - free(c.data); - - return 0; -} - -int -test_crypto(struct test_crypto_options *opt, int argc, char ** argv) -{ - hx509_verify_ctx vctx; - hx509_certs certs; - hx509_lock lock; - int i, ret; - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs); - - for (i = 0; i < argc; i++) { - ret = hx509_certs_append(context, certs, lock, argv[i]); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append"); - } - - ret = hx509_verify_init_ctx(context, &vctx); - if (ret) - hx509_err(context, 1, ret, "hx509_verify_init_ctx"); - - hx509_verify_attach_anchors(vctx, certs); - - ret = hx509_certs_iter(context, certs, test_one_cert, vctx); - - hx509_certs_free(&certs); - - return 0; -} - -int -statistic_print(struct statistic_print_options*opt, int argc, char **argv) -{ - int type = 0; - - if (stat_file_string == NULL) - errx(1, "no stat file"); - - if (opt->type_integer) - type = opt->type_integer; - - hx509_query_unparse_stats(context, type, stdout); - return 0; -} - -/* - * - */ - -int -crl_sign(struct crl_sign_options *opt, int argc, char **argv) -{ - hx509_crl crl; - heim_octet_string os; - hx509_cert signer = NULL; - hx509_lock lock; - int ret; - - hx509_lock_init(context, &lock); - lock_strings(lock, &opt->pass_strings); - - ret = hx509_crl_alloc(context, &crl); - if (ret) - errx(1, "crl alloc"); - - if (opt->signer_string == NULL) - errx(1, "signer missing"); - - { - hx509_certs certs = NULL; - hx509_query *q; - - ret = hx509_certs_init(context, opt->signer_string, 0, - NULL, &certs); - if (ret) - hx509_err(context, 1, ret, - "hx509_certs_init: %s", opt->signer_string); - - ret = hx509_query_alloc(context, &q); - if (ret) - hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret); - - hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); - - ret = hx509_certs_find(context, certs, q, &signer); - hx509_query_free(context, q); - hx509_certs_free(&certs); - if (ret) - hx509_err(context, 1, ret, "no signer certificate found"); - } - - if (opt->lifetime_string) { - int delta; - - delta = parse_time(opt->lifetime_string, "day"); - if (delta < 0) - errx(1, "Invalid lifetime: %s", opt->lifetime_string); - - hx509_crl_lifetime(context, crl, delta); - } - - { - hx509_certs revoked = NULL; - int i; - - ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0, - NULL, &revoked); - - for (i = 0; i < argc; i++) { - ret = hx509_certs_append(context, revoked, lock, argv[i]); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]); - } - - hx509_crl_add_revoked_certs(context, crl, revoked); - hx509_certs_free(&revoked); - } - - hx509_crl_sign(context, signer, crl, &os); - - if (opt->crl_file_string) - rk_dumpdata(opt->crl_file_string, os.data, os.length); - - free(os.data); - - hx509_crl_free(context, &crl); - hx509_cert_free(signer); - hx509_lock_free(lock); - - return 0; -} - -/* - * - */ - -int -help(void *opt, int argc, char **argv) -{ - sl_slc_help(commands, argc, argv); - return 0; -} - -int -main(int argc, char **argv) -{ - int ret, optidx = 0; - - setprogname (argv[0]); - - if(getarg(args, num_args, argc, argv, &optidx)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - argv += optidx; - argc -= optidx; - - if (argc == 0) - usage(1); - - ret = hx509_context_init(&context); - if (ret) - errx(1, "hx509_context_init failed with %d", ret); - - if (stat_file_string) - hx509_query_statistic_file(context, stat_file_string); - - ret = sl_command(commands, argc, argv); - if(ret == -1) - warnx ("unrecognized command: %s", argv[0]); - - hx509_context_free(&context); - - return ret; -} |