diff options
Diffstat (limited to 'lib/hx509/hxtool.c')
-rw-r--r-- | lib/hx509/hxtool.c | 1986 |
1 files changed, 1986 insertions, 0 deletions
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c new file mode 100644 index 0000000..55410b1 --- /dev/null +++ b/lib/hx509/hxtool.c @@ -0,0 +1,1986 @@ +/* + * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "hx_locl.h" +RCSID("$Id: hxtool.c 22333 2007-12-17 01:03:43Z lha $"); + +#include <hxtool-commands.h> +#include <sl.h> +#include <parse_time.h> + +static hx509_context context; + +static char *stat_file_string; +static int version_flag; +static int help_flag; + +struct getargs args[] = { + { "statistic-file", 0, arg_string, &stat_file_string }, + { "version", 0, arg_flag, &version_flag }, + { "help", 0, arg_flag, &help_flag } +}; +int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int code) +{ + arg_printusage(args, num_args, NULL, "command"); + printf("Use \"%s help\" to get more help\n", getprogname()); + exit(code); +} + +/* + * + */ + +static void +lock_strings(hx509_lock lock, getarg_strings *pass) +{ + int i; + for (i = 0; i < pass->num_strings; i++) { + int ret = hx509_lock_command_string(lock, pass->strings[i]); + if (ret) + errx(1, "hx509_lock_command_string: %s: %d", + pass->strings[i], ret); + } +} + +/* + * + */ + +static void +certs_strings(hx509_context context, const char *type, hx509_certs certs, + hx509_lock lock, const getarg_strings *s) +{ + int i, ret; + + for (i = 0; i < s->num_strings; i++) { + ret = hx509_certs_append(context, certs, lock, s->strings[i]); + if (ret) + hx509_err(context, 1, ret, + "hx509_certs_append: %s %s", type, s->strings[i]); + } +} + +/* + * + */ + +static void +parse_oid(const char *str, const heim_oid *def, heim_oid *oid) +{ + int ret; + if (str) + ret = der_parse_heim_oid (str, " .", oid); + else + ret = der_copy_oid(def, oid); + if (ret) + errx(1, "parse_oid failed for: %s", str ? str : "default oid"); +} + +/* + * + */ + +static void +peer_strings(hx509_context context, + hx509_peer_info *peer, + const getarg_strings *s) +{ + AlgorithmIdentifier *val; + int ret, i; + + ret = hx509_peer_info_alloc(context, peer); + if (ret) + hx509_err(context, 1, ret, "hx509_peer_info_alloc"); + + val = calloc(s->num_strings, sizeof(*val)); + if (val == NULL) + err(1, "malloc"); + + for (i = 0; i < s->num_strings; i++) + parse_oid(s->strings[i], NULL, &val[i].algorithm); + + ret = hx509_peer_info_set_cms_algs(context, *peer, val, s->num_strings); + if (ret) + hx509_err(context, 1, ret, "hx509_peer_info_set_cms_algs"); + + for (i = 0; i < s->num_strings; i++) + free_AlgorithmIdentifier(&val[i]); + free(val); +} + +/* + * + */ + +int +cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv) +{ + hx509_verify_ctx ctx = NULL; + heim_oid type; + heim_octet_string c, co, signeddata, *sd = NULL; + hx509_certs store = NULL; + hx509_certs signers = NULL; + hx509_certs anchors = NULL; + hx509_lock lock; + int ret; + + size_t sz; + void *p; + + if (opt->missing_revoke_flag) + hx509_context_set_missing_revoke(context, 1); + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = _hx509_map_file(argv[0], &p, &sz, NULL); + if (ret) + err(1, "map_file: %s: %d", argv[0], ret); + + if (opt->signed_content_string) { + ret = _hx509_map_file_os(opt->signed_content_string, &signeddata, NULL); + if (ret) + err(1, "map_file: %s: %d", opt->signed_content_string, ret); + sd = &signeddata; + } + + ret = hx509_verify_init_ctx(context, &ctx); + + ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors); + ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store); + + certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings); + certs_strings(context, "store", store, lock, &opt->certificate_strings); + + co.data = p; + co.length = sz; + + if (opt->content_info_flag) { + heim_octet_string uwco; + heim_oid oid; + + ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL); + if (ret) + errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret); + + if (der_heim_oid_cmp(&oid, oid_id_pkcs7_signedData()) != 0) + errx(1, "Content is not SignedData"); + der_free_oid(&oid); + + co = uwco; + } + + hx509_verify_attach_anchors(ctx, anchors); + + ret = hx509_cms_verify_signed(context, ctx, co.data, co.length, sd, + store, &type, &c, &signers); + if (co.data != p) + der_free_octet_string(&co); + if (ret) + hx509_err(context, 1, ret, "hx509_cms_verify_signed"); + + { + char *str; + der_print_heim_oid(&type, '.', &str); + printf("type: %s\n", str); + free(str); + der_free_oid(&type); + } + printf("signers:\n"); + hx509_certs_iter(context, signers, hx509_ci_print_names, stdout); + + hx509_verify_destroy_ctx(ctx); + + hx509_certs_free(&store); + hx509_certs_free(&signers); + hx509_certs_free(&anchors); + + hx509_lock_free(lock); + + ret = _hx509_write_file(argv[1], c.data, c.length); + if (ret) + errx(1, "hx509_write_file: %d", ret); + + der_free_octet_string(&c); + _hx509_unmap_file(p, sz); + if (sd) + _hx509_unmap_file_os(sd); + + return 0; +} + +int +cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv) +{ + heim_oid contentType; + hx509_peer_info peer = NULL; + heim_octet_string o; + hx509_query *q; + hx509_lock lock; + hx509_certs store, pool, anchors; + hx509_cert cert; + size_t sz; + void *p; + int ret, flags = 0; + char *signer_name = NULL; + + memset(&contentType, 0, sizeof(contentType)); + + if (argc < 2) + errx(1, "argc < 2"); + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store); + ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool); + + certs_strings(context, "store", store, lock, &opt->certificate_strings); + certs_strings(context, "pool", pool, lock, &opt->pool_strings); + + if (opt->anchors_strings.num_strings) { + ret = hx509_certs_init(context, "MEMORY:cert-anchors", + 0, NULL, &anchors); + certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings); + } else + anchors = NULL; + + if (opt->detached_signature_flag) + flags |= HX509_CMS_SIGATURE_DETACHED; + if (opt->id_by_name_flag) + flags |= HX509_CMS_SIGATURE_ID_NAME; + + ret = hx509_query_alloc(context, &q); + if (ret) + errx(1, "hx509_query_alloc: %d", ret); + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + if (opt->signer_string) + hx509_query_match_friendly_name(q, opt->signer_string); + + ret = hx509_certs_find(context, store, q, &cert); + hx509_query_free(context, q); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_find"); + + ret = _hx509_map_file(argv[0], &p, &sz, NULL); + if (ret) + err(1, "map_file: %s: %d", argv[0], ret); + + if (opt->peer_alg_strings.num_strings) + peer_strings(context, &peer, &opt->peer_alg_strings); + + parse_oid(opt->content_type_string, oid_id_pkcs7_data(), &contentType); + + ret = hx509_cms_create_signed_1(context, + flags, + &contentType, + p, + sz, + NULL, + cert, + peer, + anchors, + pool, + &o); + if (ret) + errx(1, "hx509_cms_create_signed: %d", ret); + + { + hx509_name name; + + ret = hx509_cert_get_subject(cert, &name); + if (ret) + errx(1, "hx509_cert_get_subject"); + + ret = hx509_name_to_string(name, &signer_name); + hx509_name_free(&name); + if (ret) + errx(1, "hx509_name_to_string"); + } + + + hx509_certs_free(&anchors); + hx509_certs_free(&pool); + hx509_cert_free(cert); + hx509_certs_free(&store); + _hx509_unmap_file(p, sz); + hx509_lock_free(lock); + hx509_peer_info_free(peer); + der_free_oid(&contentType); + + if (opt->content_info_flag) { + heim_octet_string wo; + + ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &o, &wo); + if (ret) + errx(1, "hx509_cms_wrap_ContentInfo: %d", ret); + + der_free_octet_string(&o); + o = wo; + } + + if (opt->pem_flag) { + hx509_pem_header *header = NULL; + FILE *f; + + hx509_pem_add_header(&header, "Content-disposition", + opt->detached_signature_flag ? "detached" : "inline"); + hx509_pem_add_header(&header, "Signer", signer_name); + + f = fopen(argv[1], "w"); + if (f == NULL) + err(1, "open %s", argv[1]); + + ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f, + o.data, o.length); + fclose(f); + hx509_pem_free_header(header); + if (ret) + errx(1, "hx509_pem_write: %d", ret); + + } else { + ret = _hx509_write_file(argv[1], o.data, o.length); + if (ret) + errx(1, "hx509_write_file: %d", ret); + } + + free(signer_name); + free(o.data); + + return 0; +} + +int +cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv) +{ + heim_oid contentType = { 0, NULL }; + heim_octet_string o, co; + hx509_certs certs; + size_t sz; + void *p; + int ret; + hx509_lock lock; + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = _hx509_map_file(argv[0], &p, &sz, NULL); + if (ret) + err(1, "map_file: %s: %d", argv[0], ret); + + co.data = p; + co.length = sz; + + if (opt->content_info_flag) { + heim_octet_string uwco; + heim_oid oid; + + ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL); + if (ret) + errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret); + + if (der_heim_oid_cmp(&oid, oid_id_pkcs7_envelopedData()) != 0) + errx(1, "Content is not SignedData"); + der_free_oid(&oid); + + co = uwco; + } + + ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs); + if (ret) + errx(1, "hx509_certs_init: MEMORY: %d", ret); + + certs_strings(context, "store", certs, lock, &opt->certificate_strings); + + ret = hx509_cms_unenvelope(context, certs, 0, co.data, co.length, + NULL, &contentType, &o); + if (co.data != p) + der_free_octet_string(&co); + if (ret) + hx509_err(context, 1, ret, "hx509_cms_unenvelope"); + + _hx509_unmap_file(p, sz); + hx509_lock_free(lock); + hx509_certs_free(&certs); + der_free_oid(&contentType); + + ret = _hx509_write_file(argv[1], o.data, o.length); + if (ret) + errx(1, "hx509_write_file: %d", ret); + + der_free_octet_string(&o); + + return 0; +} + +int +cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv) +{ + heim_oid contentType; + heim_octet_string o; + const heim_oid *enctype = NULL; + hx509_query *q; + hx509_certs certs; + hx509_cert cert; + int ret; + size_t sz; + void *p; + hx509_lock lock; + + memset(&contentType, 0, sizeof(contentType)); + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = _hx509_map_file(argv[0], &p, &sz, NULL); + if (ret) + err(1, "map_file: %s: %d", argv[0], ret); + + ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs); + + certs_strings(context, "store", certs, lock, &opt->certificate_strings); + + if (opt->encryption_type_string) { + enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string); + if (enctype == NULL) + errx(1, "encryption type: %s no found", + opt->encryption_type_string); + } + + ret = hx509_query_alloc(context, &q); + if (ret) + errx(1, "hx509_query_alloc: %d", ret); + + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT); + + ret = hx509_certs_find(context, certs, q, &cert); + hx509_query_free(context, q); + if (ret) + errx(1, "hx509_certs_find: %d", ret); + + parse_oid(opt->content_type_string, oid_id_pkcs7_data(), &contentType); + + ret = hx509_cms_envelope_1(context, 0, cert, p, sz, enctype, + &contentType, &o); + if (ret) + errx(1, "hx509_cms_envelope_1: %d", ret); + + hx509_cert_free(cert); + hx509_certs_free(&certs); + _hx509_unmap_file(p, sz); + der_free_oid(&contentType); + + if (opt->content_info_flag) { + heim_octet_string wo; + + ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_envelopedData(), &o, &wo); + if (ret) + errx(1, "hx509_cms_wrap_ContentInfo: %d", ret); + + der_free_octet_string(&o); + o = wo; + } + + hx509_lock_free(lock); + + ret = _hx509_write_file(argv[1], o.data, o.length); + if (ret) + errx(1, "hx509_write_file: %d", ret); + + der_free_octet_string(&o); + + return 0; +} + +static void +print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose) +{ + hx509_name name; + const char *fn; + char *str; + int ret; + + fn = hx509_cert_get_friendly_name(cert); + if (fn) + printf(" friendly name: %s\n", fn); + printf(" private key: %s\n", + _hx509_cert_private_key(cert) ? "yes" : "no"); + + ret = hx509_cert_get_issuer(cert, &name); + hx509_name_to_string(name, &str); + hx509_name_free(&name); + printf(" issuer: \"%s\"\n", str); + free(str); + + ret = hx509_cert_get_subject(cert, &name); + hx509_name_to_string(name, &str); + hx509_name_free(&name); + printf(" subject: \"%s\"\n", str); + free(str); + + { + heim_integer serialNumber; + + hx509_cert_get_serialnumber(cert, &serialNumber); + der_print_hex_heim_integer(&serialNumber, &str); + der_free_heim_integer(&serialNumber); + printf(" serial: %s\n", str); + free(str); + } + + printf(" keyusage: "); + ret = hx509_cert_keyusage_print(hxcontext, cert, &str); + if (ret == 0) { + printf("%s\n", str); + free(str); + } else + printf("no"); + + if (verbose) { + hx509_validate_ctx vctx; + + hx509_validate_ctx_init(hxcontext, &vctx); + hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout); + hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE); + hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE); + + hx509_validate_cert(hxcontext, vctx, cert); + + hx509_validate_ctx_free(vctx); + } +} + + +struct print_s { + int counter; + int verbose; +}; + +static int +print_f(hx509_context hxcontext, void *ctx, hx509_cert cert) +{ + struct print_s *s = ctx; + + printf("cert: %d\n", s->counter++); + print_certificate(context, cert, s->verbose); + + return 0; +} + +int +pcert_print(struct print_options *opt, int argc, char **argv) +{ + hx509_certs certs; + hx509_lock lock; + struct print_s s; + + s.counter = 0; + s.verbose = opt->content_flag; + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + while(argc--) { + int ret; + ret = hx509_certs_init(context, argv[0], 0, lock, &certs); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_init"); + if (opt->info_flag) + hx509_certs_info(context, certs, NULL, NULL); + hx509_certs_iter(context, certs, print_f, &s); + hx509_certs_free(&certs); + argv++; + } + + hx509_lock_free(lock); + + return 0; +} + + +static int +validate_f(hx509_context hxcontext, void *ctx, hx509_cert c) +{ + hx509_validate_cert(hxcontext, ctx, c); + return 0; +} + +int +pcert_validate(struct validate_options *opt, int argc, char **argv) +{ + hx509_validate_ctx ctx; + hx509_certs certs; + hx509_lock lock; + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + hx509_validate_ctx_init(context, &ctx); + hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout); + hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE); + + while(argc--) { + int ret; + ret = hx509_certs_init(context, argv[0], 0, lock, &certs); + if (ret) + errx(1, "hx509_certs_init: %d", ret); + hx509_certs_iter(context, certs, validate_f, ctx); + hx509_certs_free(&certs); + argv++; + } + hx509_validate_ctx_free(ctx); + + hx509_lock_free(lock); + + return 0; +} + +int +certificate_copy(struct certificate_copy_options *opt, int argc, char **argv) +{ + hx509_certs certs; + hx509_lock lock; + int ret; + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->in_pass_strings); + + ret = hx509_certs_init(context, argv[argc - 1], + HX509_CERTS_CREATE, lock, &certs); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_init"); + + while(argc-- > 1) { + int ret; + ret = hx509_certs_append(context, certs, lock, argv[0]); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append"); + argv++; + } + + ret = hx509_certs_store(context, certs, 0, NULL); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_store"); + + hx509_certs_free(&certs); + hx509_lock_free(lock); + + return 0; +} + +struct verify { + hx509_verify_ctx ctx; + hx509_certs chain; + const char *hostname; + int errors; +}; + +static int +verify_f(hx509_context hxcontext, void *ctx, hx509_cert c) +{ + struct verify *v = ctx; + int ret; + + ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain); + if (ret) { + char *s = hx509_get_error_string(hxcontext, ret); + printf("verify_path: %s: %d\n", s, ret); + hx509_free_error_string(s); + v->errors++; + } else + printf("path ok\n"); + + if (v->hostname) { + ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME, + v->hostname, NULL, 0); + if (ret) { + printf("verify_hostname: %d\n", ret); + v->errors++; + } + } + + return 0; +} + +int +pcert_verify(struct verify_options *opt, int argc, char **argv) +{ + hx509_certs anchors, chain, certs; + hx509_revoke_ctx revoke_ctx; + hx509_verify_ctx ctx; + struct verify v; + int ret; + + memset(&v, 0, sizeof(v)); + + if (opt->missing_revoke_flag) + hx509_context_set_missing_revoke(context, 1); + + ret = hx509_verify_init_ctx(context, &ctx); + ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors); + ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain); + ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs); + + if (opt->allow_proxy_certificate_flag) + hx509_verify_set_proxy_certificate(ctx, 1); + + if (opt->time_string) { + const char *p; + struct tm tm; + time_t t; + + memset(&tm, 0, sizeof(tm)); + + p = strptime (opt->time_string, "%Y-%m-%d", &tm); + if (p == NULL) + errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d", + opt->time_string); + + t = tm2time (tm, 0); + + hx509_verify_set_time(ctx, t); + } + + if (opt->hostname_string) + v.hostname = opt->hostname_string; + if (opt->max_depth_integer) + hx509_verify_set_max_depth(ctx, opt->max_depth_integer); + + ret = hx509_revoke_init(context, &revoke_ctx); + if (ret) + errx(1, "hx509_revoke_init: %d", ret); + + while(argc--) { + char *s = *argv++; + + if (strncmp(s, "chain:", 6) == 0) { + s += 6; + + ret = hx509_certs_append(context, chain, NULL, s); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret); + + } else if (strncmp(s, "anchor:", 7) == 0) { + s += 7; + + ret = hx509_certs_append(context, anchors, NULL, s); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret); + + } else if (strncmp(s, "cert:", 5) == 0) { + s += 5; + + ret = hx509_certs_append(context, certs, NULL, s); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d", + s, ret); + + } else if (strncmp(s, "crl:", 4) == 0) { + s += 4; + + ret = hx509_revoke_add_crl(context, revoke_ctx, s); + if (ret) + errx(1, "hx509_revoke_add_crl: %s: %d", s, ret); + + } else if (strncmp(s, "ocsp:", 4) == 0) { + s += 5; + + ret = hx509_revoke_add_ocsp(context, revoke_ctx, s); + if (ret) + errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret); + + } else { + errx(1, "unknown option to verify: `%s'\n", s); + } + } + + hx509_verify_attach_anchors(ctx, anchors); + hx509_verify_attach_revoke(ctx, revoke_ctx); + + v.ctx = ctx; + v.chain = chain; + + hx509_certs_iter(context, certs, verify_f, &v); + + hx509_verify_destroy_ctx(ctx); + + hx509_certs_free(&certs); + hx509_certs_free(&chain); + hx509_certs_free(&anchors); + + hx509_revoke_free(&revoke_ctx); + + if (v.errors) { + printf("failed verifing %d checks\n", v.errors); + return 1; + } + + return 0; +} + +int +query(struct query_options *opt, int argc, char **argv) +{ + hx509_lock lock; + hx509_query *q; + hx509_certs certs; + hx509_cert c; + int ret; + + ret = hx509_query_alloc(context, &q); + if (ret) + errx(1, "hx509_query_alloc: %d", ret); + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs); + + while (argc > 0) { + + ret = hx509_certs_append(context, certs, lock, argv[0]); + if (ret) + errx(1, "hx509_certs_append: %s: %d", argv[0], ret); + + argc--; + argv++; + } + + if (opt->friendlyname_string) + hx509_query_match_friendly_name(q, opt->friendlyname_string); + + if (opt->private_key_flag) + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + + if (opt->keyEncipherment_flag) + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT); + + if (opt->digitalSignature_flag) + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + ret = hx509_certs_find(context, certs, q, &c); + hx509_query_free(context, q); + if (ret) + printf("no match found (%d)\n", ret); + else { + printf("match found\n"); + if (opt->print_flag) + print_certificate(context, c, 0); + } + + hx509_cert_free(c); + hx509_certs_free(&certs); + + hx509_lock_free(lock); + + return ret; +} + +int +ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv) +{ + hx509_certs reqcerts, pool; + heim_octet_string req, nonce_data, *nonce = &nonce_data; + hx509_lock lock; + int i, ret; + char *file; + const char *url = "/"; + + memset(&nonce, 0, sizeof(nonce)); + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + /* no nonce */ + if (!opt->nonce_flag) + nonce = NULL; + + if (opt->url_path_string) + url = opt->url_path_string; + + ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool); + + certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings); + + file = argv[0]; + + ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts); + + for (i = 1; i < argc; i++) { + ret = hx509_certs_append(context, reqcerts, lock, argv[i]); + if (ret) + errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret); + } + + ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce); + if (ret) + errx(1, "hx509_ocsp_request: req: %d", ret); + + { + FILE *f; + + f = fopen(file, "w"); + if (f == NULL) + abort(); + + fprintf(f, + "POST %s HTTP/1.0\r\n" + "Content-Type: application/ocsp-request\r\n" + "Content-Length: %ld\r\n" + "\r\n", + url, + (unsigned long)req.length); + fwrite(req.data, req.length, 1, f); + fclose(f); + } + + if (nonce) + der_free_octet_string(nonce); + + hx509_certs_free(&reqcerts); + hx509_certs_free(&pool); + + return 0; +} + +int +ocsp_print(struct ocsp_print_options *opt, int argc, char **argv) +{ + hx509_revoke_ocsp_print(context, argv[0], stdout); + return 0; +} + +/* + * + */ + +static int +verify_o(hx509_context hxcontext, void *ctx, hx509_cert c) +{ + heim_octet_string *os = ctx; + time_t expiration; + int ret; + + ret = hx509_ocsp_verify(context, 0, c, 0, + os->data, os->length, &expiration); + if (ret) { + char *s = hx509_get_error_string(hxcontext, ret); + printf("ocsp_verify: %s: %d\n", s, ret); + hx509_free_error_string(s); + } else + printf("expire: %d\n", (int)expiration); + + return ret; +} + + +int +ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv) +{ + hx509_lock lock; + hx509_certs certs; + int ret, i; + heim_octet_string os; + + hx509_lock_init(context, &lock); + + if (opt->ocsp_file_string == NULL) + errx(1, "no ocsp file given"); + + ret = _hx509_map_file(opt->ocsp_file_string, &os.data, &os.length, NULL); + if (ret) + err(1, "map_file: %s: %d", argv[0], ret); + + ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs); + + for (i = 0; i < argc; i++) { + ret = hx509_certs_append(context, certs, lock, argv[i]); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]); + } + + ret = hx509_certs_iter(context, certs, verify_o, &os); + + hx509_certs_free(&certs); + _hx509_unmap_file(os.data, os.length); + hx509_lock_free(lock); + + return ret; +} + +static int +read_private_key(const char *fn, hx509_private_key *key) +{ + hx509_private_key *keys; + hx509_certs certs; + int ret; + + *key = NULL; + + ret = hx509_certs_init(context, fn, 0, NULL, &certs); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_init: %s", fn); + + ret = _hx509_certs_keys_get(context, certs, &keys); + hx509_certs_free(&certs); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_keys_get"); + if (keys[0] == NULL) + errx(1, "no keys in key store: %s", fn); + + *key = _hx509_private_key_ref(keys[0]); + _hx509_certs_keys_free(context, keys); + + return 0; +} + +static void +get_key(const char *fn, const char *type, int optbits, + hx509_private_key *signer) +{ + int ret; + + if (type) { + BIGNUM *e; + RSA *rsa; + unsigned char *p0, *p; + size_t len; + int bits = 1024; + + if (fn == NULL) + errx(1, "no key argument, don't know here to store key"); + + if (strcasecmp(type, "rsa") != 0) + errx(1, "can only handle rsa keys for now"); + + e = BN_new(); + BN_set_word(e, 0x10001); + + if (optbits) + bits = optbits; + + rsa = RSA_new(); + if(rsa == NULL) + errx(1, "RSA_new failed"); + + ret = RSA_generate_key_ex(rsa, bits, e, NULL); + if(ret != 1) + errx(1, "RSA_new failed"); + + BN_free(e); + + len = i2d_RSAPrivateKey(rsa, NULL); + + p0 = p = malloc(len); + if (p == NULL) + errx(1, "out of memory"); + + i2d_RSAPrivateKey(rsa, &p); + + rk_dumpdata(fn, p0, len); + memset(p0, 0, len); + free(p0); + + RSA_free(rsa); + + } else if (fn == NULL) + err(1, "no private key"); + + ret = read_private_key(fn, signer); + if (ret) + err(1, "read_private_key"); +} + +int +request_create(struct request_create_options *opt, int argc, char **argv) +{ + heim_octet_string request; + hx509_request req; + int ret, i; + hx509_private_key signer; + SubjectPublicKeyInfo key; + const char *outfile = argv[0]; + + memset(&key, 0, sizeof(key)); + + get_key(opt->key_string, + opt->generate_key_string, + opt->key_bits_integer, + &signer); + + _hx509_request_init(context, &req); + + if (opt->subject_string) { + hx509_name name = NULL; + + ret = hx509_parse_name(context, opt->subject_string, &name); + if (ret) + errx(1, "hx509_parse_name: %d\n", ret); + _hx509_request_set_name(context, req, name); + + if (opt->verbose_flag) { + char *s; + hx509_name_to_string(name, &s); + printf("%s\n", s); + } + hx509_name_free(&name); + } + + for (i = 0; i < opt->email_strings.num_strings; i++) { + ret = _hx509_request_add_email(context, req, + opt->email_strings.strings[i]); + } + + for (i = 0; i < opt->dnsname_strings.num_strings; i++) { + ret = _hx509_request_add_dns_name(context, req, + opt->dnsname_strings.strings[i]); + } + + + ret = _hx509_private_key2SPKI(context, signer, &key); + if (ret) + errx(1, "_hx509_private_key2SPKI: %d\n", ret); + + ret = _hx509_request_set_SubjectPublicKeyInfo(context, + req, + &key); + free_SubjectPublicKeyInfo(&key); + if (ret) + hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo"); + + ret = _hx509_request_to_pkcs10(context, + req, + signer, + &request); + if (ret) + hx509_err(context, 1, ret, "_hx509_request_to_pkcs10"); + + _hx509_private_key_free(&signer); + _hx509_request_free(&req); + + if (ret == 0) + rk_dumpdata(outfile, request.data, request.length); + der_free_octet_string(&request); + + return 0; +} + +int +request_print(struct request_print_options *opt, int argc, char **argv) +{ + int ret, i; + + printf("request print\n"); + + for (i = 0; i < argc; i++) { + hx509_request req; + + ret = _hx509_request_parse(context, argv[i], &req); + if (ret) + hx509_err(context, 1, ret, "parse_request: %s", argv[i]); + + ret = _hx509_request_print(context, req, stdout); + _hx509_request_free(&req); + if (ret) + hx509_err(context, 1, ret, "Failed to print file %s", argv[i]); + } + + return 0; +} + +int +info(void *opt, int argc, char **argv) +{ + + ENGINE_add_conf_module(); + + { + const RSA_METHOD *m = RSA_get_default_method(); + if (m != NULL) + printf("rsa: %s\n", m->name); + } + { + const DH_METHOD *m = DH_get_default_method(); + if (m != NULL) + printf("dh: %s\n", m->name); + } + { + int ret = RAND_status(); + printf("rand: %s\n", ret == 1 ? "ok" : "not available"); + } + + return 0; +} + +int +random_data(void *opt, int argc, char **argv) +{ + void *ptr; + int len, ret; + + len = parse_bytes(argv[0], "byte"); + if (len <= 0) { + fprintf(stderr, "bad argument to random-data\n"); + return 1; + } + + ptr = malloc(len); + if (ptr == NULL) { + fprintf(stderr, "out of memory\n"); + return 1; + } + + ret = RAND_bytes(ptr, len); + if (ret != 1) { + free(ptr); + fprintf(stderr, "did not get cryptographic strong random\n"); + return 1; + } + + fwrite(ptr, len, 1, stdout); + fflush(stdout); + + free(ptr); + + return 0; +} + +int +crypto_available(struct crypto_available_options *opt, int argc, char **argv) +{ + AlgorithmIdentifier *val; + unsigned int len, i; + int ret, type; + + if (opt->type_string) { + if (strcmp(opt->type_string, "all") == 0) + type = HX509_SELECT_ALL; + else if (strcmp(opt->type_string, "digest") == 0) + type = HX509_SELECT_DIGEST; + else if (strcmp(opt->type_string, "public-sig") == 0) + type = HX509_SELECT_PUBLIC_SIG; + else if (strcmp(opt->type_string, "secret") == 0) + type = HX509_SELECT_SECRET_ENC; + else + errx(1, "unknown type: %s", opt->type_string); + } else + type = HX509_SELECT_ALL; + + ret = hx509_crypto_available(context, type, NULL, &val, &len); + if (ret) + errx(1, "hx509_crypto_available"); + + for (i = 0; i < len; i++) { + char *s; + der_print_heim_oid (&val[i].algorithm, '.', &s); + printf("%s\n", s); + free(s); + } + + hx509_crypto_free_algs(val, len); + + return 0; +} + +int +crypto_select(struct crypto_select_options *opt, int argc, char **argv) +{ + hx509_peer_info peer = NULL; + AlgorithmIdentifier selected; + int ret, type; + char *s; + + if (opt->type_string) { + if (strcmp(opt->type_string, "digest") == 0) + type = HX509_SELECT_DIGEST; + else if (strcmp(opt->type_string, "public-sig") == 0) + type = HX509_SELECT_PUBLIC_SIG; + else if (strcmp(opt->type_string, "secret") == 0) + type = HX509_SELECT_SECRET_ENC; + else + errx(1, "unknown type: %s", opt->type_string); + } else + type = HX509_SELECT_DIGEST; + + if (opt->peer_cmstype_strings.num_strings) + peer_strings(context, &peer, &opt->peer_cmstype_strings); + + ret = hx509_crypto_select(context, type, NULL, peer, &selected); + if (ret) + errx(1, "hx509_crypto_available"); + + der_print_heim_oid (&selected.algorithm, '.', &s); + printf("%s\n", s); + free(s); + free_AlgorithmIdentifier(&selected); + + hx509_peer_info_free(peer); + + return 0; +} + +int +hxtool_hex(struct hex_options *opt, int argc, char **argv) +{ + + if (opt->decode_flag) { + char buf[1024], buf2[1024], *p; + ssize_t len; + + while(fgets(buf, sizeof(buf), stdin) != NULL) { + buf[strcspn(buf, "\r\n")] = '\0'; + p = buf; + while(isspace(*(unsigned char *)p)) + p++; + len = hex_decode(p, buf2, strlen(p)); + if (len < 0) + errx(1, "hex_decode failed"); + if (fwrite(buf2, 1, len, stdout) != len) + errx(1, "fwrite failed"); + } + } else { + char buf[28], *p; + size_t len; + + while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) { + len = hex_encode(buf, len, &p); + fprintf(stdout, "%s\n", p); + free(p); + } + } + return 0; +} + +static int +eval_types(hx509_context context, + hx509_ca_tbs tbs, + const struct certificate_sign_options *opt) +{ + int pkinit = 0; + int i, ret; + + for (i = 0; i < opt->type_strings.num_strings; i++) { + const char *type = opt->type_strings.strings[i]; + + if (strcmp(type, "https-server") == 0) { + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkix_kp_serverAuth()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + } else if (strcmp(type, "https-client") == 0) { + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkix_kp_clientAuth()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + } else if (strcmp(type, "peap-server") == 0) { + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkix_kp_serverAuth()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + } else if (strcmp(type, "pkinit-kdc") == 0) { + pkinit++; + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkkdcekuoid()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + } else if (strcmp(type, "pkinit-client") == 0) { + pkinit++; + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkekuoid()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_ms_client_authentication()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkinit_ms_eku()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + + } else if (strcmp(type, "email") == 0) { + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkix_kp_emailProtection()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + } else + errx(1, "unknown type %s", type); + } + + if (pkinit > 1) + errx(1, "More the one PK-INIT type given"); + + if (opt->pk_init_principal_string) { + if (!pkinit) + errx(1, "pk-init principal given but no pk-init oid"); + + ret = hx509_ca_tbs_add_san_pkinit(context, tbs, + opt->pk_init_principal_string); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_pkinit"); + } + + if (opt->ms_upn_string) { + if (!pkinit) + errx(1, "MS up given but no pk-init oid"); + + ret = hx509_ca_tbs_add_san_ms_upn(context, tbs, opt->ms_upn_string); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_ms_upn"); + } + + + for (i = 0; i < opt->hostname_strings.num_strings; i++) { + const char *hostname = opt->hostname_strings.strings[i]; + + ret = hx509_ca_tbs_add_san_hostname(context, tbs, hostname); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname"); + } + + for (i = 0; i < opt->email_strings.num_strings; i++) { + const char *email = opt->email_strings.strings[i]; + + ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname"); + + ret = hx509_ca_tbs_add_eku(context, tbs, + oid_id_pkix_kp_emailProtection()); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + } + + if (opt->jid_string) { + ret = hx509_ca_tbs_add_san_jid(context, tbs, opt->jid_string); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_jid"); + } + + return 0; +} + +int +hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) +{ + int ret; + hx509_ca_tbs tbs; + hx509_cert signer = NULL, cert = NULL; + hx509_private_key private_key = NULL; + hx509_private_key cert_key = NULL; + hx509_name subject = NULL; + SubjectPublicKeyInfo spki; + int delta = 0; + + memset(&spki, 0, sizeof(spki)); + + if (opt->ca_certificate_string == NULL && !opt->self_signed_flag) + errx(1, "--ca-certificate argument missing (not using --self-signed)"); + if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag) + errx(1, "--ca-private-key argument missing (using --self-signed)"); + if (opt->certificate_string == NULL) + errx(1, "--certificate argument missing"); + + if (opt->template_certificate_string) { + if (opt->template_fields_string == NULL) + errx(1, "--template-certificate not no --template-fields"); + } + + if (opt->lifetime_string) { + delta = parse_time(opt->lifetime_string, "day"); + if (delta < 0) + errx(1, "Invalid lifetime: %s", opt->lifetime_string); + } + + if (opt->ca_certificate_string) { + hx509_certs cacerts = NULL; + hx509_query *q; + + ret = hx509_certs_init(context, opt->ca_certificate_string, 0, + NULL, &cacerts); + if (ret) + hx509_err(context, 1, ret, + "hx509_certs_init: %s", opt->ca_certificate_string); + + ret = hx509_query_alloc(context, &q); + if (ret) + errx(1, "hx509_query_alloc: %d", ret); + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + if (!opt->issue_proxy_flag) + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN); + + ret = hx509_certs_find(context, cacerts, q, &signer); + hx509_query_free(context, q); + hx509_certs_free(&cacerts); + if (ret) + hx509_err(context, 1, ret, "no CA certificate found"); + } else if (opt->self_signed_flag) { + if (opt->generate_key_string == NULL + && opt->ca_private_key_string == NULL) + errx(1, "no signing private key"); + } else + errx(1, "missing ca key"); + + if (opt->ca_private_key_string) { + + ret = read_private_key(opt->ca_private_key_string, &private_key); + if (ret) + err(1, "read_private_key"); + + ret = _hx509_private_key2SPKI(context, private_key, &spki); + if (ret) + errx(1, "_hx509_private_key2SPKI: %d\n", ret); + + if (opt->self_signed_flag) + cert_key = private_key; + } + + if (opt->req_string) { + hx509_request req; + + ret = _hx509_request_parse(context, opt->req_string, &req); + if (ret) + hx509_err(context, 1, ret, "parse_request: %s", opt->req_string); + ret = _hx509_request_get_name(context, req, &subject); + if (ret) + hx509_err(context, 1, ret, "get name"); + ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki); + if (ret) + hx509_err(context, 1, ret, "get spki"); + _hx509_request_free(&req); + } + + if (opt->generate_key_string) { + struct hx509_generate_private_context *keyctx; + + ret = _hx509_generate_private_key_init(context, + oid_id_pkcs1_rsaEncryption(), + &keyctx); + + if (opt->issue_ca_flag) + _hx509_generate_private_key_is_ca(context, keyctx); + + if (opt->key_bits_integer) + _hx509_generate_private_key_bits(context, keyctx, + opt->key_bits_integer); + + ret = _hx509_generate_private_key(context, keyctx, + &cert_key); + _hx509_generate_private_key_free(&keyctx); + if (ret) + hx509_err(context, 1, ret, "generate private key"); + + ret = _hx509_private_key2SPKI(context, cert_key, &spki); + if (ret) + errx(1, "_hx509_private_key2SPKI: %d\n", ret); + + if (opt->self_signed_flag) + private_key = cert_key; + } + + if (opt->certificate_private_key_string) { + ret = read_private_key(opt->certificate_private_key_string, &cert_key); + if (ret) + err(1, "read_private_key for certificate"); + } + + if (opt->subject_string) { + if (subject) + hx509_name_free(&subject); + ret = hx509_parse_name(context, opt->subject_string, &subject); + if (ret) + hx509_err(context, 1, ret, "hx509_parse_name"); + } + + /* + * + */ + + ret = hx509_ca_tbs_init(context, &tbs); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_init"); + + if (opt->template_certificate_string) { + hx509_cert template; + hx509_certs tcerts; + int flags; + + ret = hx509_certs_init(context, opt->template_certificate_string, 0, + NULL, &tcerts); + if (ret) + hx509_err(context, 1, ret, + "hx509_certs_init: %s", opt->template_certificate_string); + + ret = hx509_get_one_cert(context, tcerts, &template); + + hx509_certs_free(&tcerts); + if (ret) + hx509_err(context, 1, ret, "no template certificate found"); + + flags = parse_units(opt->template_fields_string, + hx509_ca_tbs_template_units(), ""); + + ret = hx509_ca_tbs_set_template(context, tbs, flags, template); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_template"); + + hx509_cert_free(template); + } + + if (opt->serial_number_string) { + heim_integer serialNumber; + + ret = der_parse_hex_heim_integer(opt->serial_number_string, + &serialNumber); + if (ret) + err(1, "der_parse_hex_heim_integer"); + ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_init"); + der_free_heim_integer(&serialNumber); + } + + if (spki.subjectPublicKey.length) { + ret = hx509_ca_tbs_set_spki(context, tbs, &spki); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki"); + } + + if (subject) { + ret = hx509_ca_tbs_set_subject(context, tbs, subject); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject"); + } + + if (opt->crl_uri_string) { + ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs, + opt->crl_uri_string, NULL); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri"); + } + + eval_types(context, tbs, opt); + + if (opt->issue_ca_flag) { + ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca"); + } + if (opt->issue_proxy_flag) { + ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy"); + } + if (opt->domain_controller_flag) { + hx509_ca_tbs_set_domaincontroller(context, tbs); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller"); + } + + if (delta) { + ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime"); + } + + if (opt->self_signed_flag) { + ret = hx509_ca_sign_self(context, tbs, private_key, &cert); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_sign_self"); + } else { + ret = hx509_ca_sign(context, tbs, signer, &cert); + if (ret) + hx509_err(context, 1, ret, "hx509_ca_sign"); + } + + if (cert_key) { + ret = _hx509_cert_assign_key(cert, cert_key); + if (ret) + hx509_err(context, 1, ret, "_hx509_cert_assign_key"); + } + + { + hx509_certs certs; + + ret = hx509_certs_init(context, opt->certificate_string, + HX509_CERTS_CREATE, NULL, &certs); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_init"); + + ret = hx509_certs_add(context, certs, cert); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_add"); + + ret = hx509_certs_store(context, certs, 0, NULL); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_store"); + + hx509_certs_free(&certs); + } + + if (subject) + hx509_name_free(&subject); + if (signer) + hx509_cert_free(signer); + hx509_cert_free(cert); + free_SubjectPublicKeyInfo(&spki); + + if (private_key != cert_key) + _hx509_private_key_free(&private_key); + _hx509_private_key_free(&cert_key); + + hx509_ca_tbs_free(&tbs); + + return 0; +} + +static int +test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert) +{ + heim_octet_string sd, c; + hx509_verify_ctx vctx = ctx; + hx509_certs signer = NULL; + heim_oid type; + int ret; + + if (_hx509_cert_private_key(cert) == NULL) + return 0; + + ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0, + NULL, cert, NULL, NULL, NULL, &sd); + if (ret) + errx(1, "hx509_cms_create_signed_1"); + + ret = hx509_cms_verify_signed(context, vctx, sd.data, sd.length, + NULL, NULL, &type, &c, &signer); + free(sd.data); + if (ret) + hx509_err(context, 1, ret, "hx509_cms_verify_signed"); + + printf("create-signature verify-sigature done\n"); + + free(c.data); + + return 0; +} + +int +test_crypto(struct test_crypto_options *opt, int argc, char ** argv) +{ + hx509_verify_ctx vctx; + hx509_certs certs; + hx509_lock lock; + int i, ret; + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs); + + for (i = 0; i < argc; i++) { + ret = hx509_certs_append(context, certs, lock, argv[i]); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append"); + } + + ret = hx509_verify_init_ctx(context, &vctx); + if (ret) + hx509_err(context, 1, ret, "hx509_verify_init_ctx"); + + hx509_verify_attach_anchors(vctx, certs); + + ret = hx509_certs_iter(context, certs, test_one_cert, vctx); + + hx509_certs_free(&certs); + + return 0; +} + +int +statistic_print(struct statistic_print_options*opt, int argc, char **argv) +{ + int type = 0; + + if (stat_file_string == NULL) + errx(1, "no stat file"); + + if (opt->type_integer) + type = opt->type_integer; + + hx509_query_unparse_stats(context, type, stdout); + return 0; +} + +/* + * + */ + +int +crl_sign(struct crl_sign_options *opt, int argc, char **argv) +{ + hx509_crl crl; + heim_octet_string os; + hx509_cert signer = NULL; + hx509_lock lock; + int ret; + + hx509_lock_init(context, &lock); + lock_strings(lock, &opt->pass_strings); + + ret = hx509_crl_alloc(context, &crl); + if (ret) + errx(1, "crl alloc"); + + if (opt->signer_string == NULL) + errx(1, "signer missing"); + + { + hx509_certs certs = NULL; + hx509_query *q; + + ret = hx509_certs_init(context, opt->signer_string, 0, + NULL, &certs); + if (ret) + hx509_err(context, 1, ret, + "hx509_certs_init: %s", opt->signer_string); + + ret = hx509_query_alloc(context, &q); + if (ret) + hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret); + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + + ret = hx509_certs_find(context, certs, q, &signer); + hx509_query_free(context, q); + hx509_certs_free(&certs); + if (ret) + hx509_err(context, 1, ret, "no signer certificate found"); + } + + if (opt->lifetime_string) { + int delta; + + delta = parse_time(opt->lifetime_string, "day"); + if (delta < 0) + errx(1, "Invalid lifetime: %s", opt->lifetime_string); + + hx509_crl_lifetime(context, crl, delta); + } + + { + hx509_certs revoked = NULL; + int i; + + ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0, + NULL, &revoked); + + for (i = 0; i < argc; i++) { + ret = hx509_certs_append(context, revoked, lock, argv[i]); + if (ret) + hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]); + } + + hx509_crl_add_revoked_certs(context, crl, revoked); + hx509_certs_free(&revoked); + } + + hx509_crl_sign(context, signer, crl, &os); + + if (opt->crl_file_string) + rk_dumpdata(opt->crl_file_string, os.data, os.length); + + free(os.data); + + hx509_crl_free(context, &crl); + hx509_cert_free(signer); + hx509_lock_free(lock); + + return 0; +} + +/* + * + */ + +int +help(void *opt, int argc, char **argv) +{ + sl_slc_help(commands, argc, argv); + return 0; +} + +int +main(int argc, char **argv) +{ + int ret, optidx = 0; + + setprogname (argv[0]); + + if(getarg(args, num_args, argc, argv, &optidx)) + usage(1); + if(help_flag) + usage(0); + if(version_flag) { + print_version(NULL); + exit(0); + } + argv += optidx; + argc -= optidx; + + if (argc == 0) + usage(1); + + ret = hx509_context_init(&context); + if (ret) + errx(1, "hx509_context_init failed with %d", ret); + + if (stat_file_string) + hx509_query_statistic_file(context, stat_file_string); + + ret = sl_command(commands, argc, argv); + if(ret == -1) + warnx ("unrecognized command: %s", argv[0]); + + hx509_context_free(&context); + + return ret; +} |