1 /* $NetBSD: hxtool.c,v 1.4 2023/06/19 21:41:44 christos Exp $ */
2
3 /*
4 * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "hx_locl.h"
37
38 #include <hxtool-commands.h>
39 #include <krb5/sl.h>
40 #include <krb5/rtbl.h>
41 #include <krb5/parse_time.h>
42
43 static hx509_context context;
44
45 static char *stat_file_string;
46 static int version_flag;
47 static int help_flag;
48
49 struct getargs args[] = {
50 { "statistic-file", 0, arg_string, &stat_file_string, NULL, NULL },
51 { "version", 0, arg_flag, &version_flag, NULL, NULL },
52 { "help", 0, arg_flag, &help_flag, NULL, NULL }
53 };
54 int num_args = sizeof(args) / sizeof(args[0]);
55
56 static void
usage(int code)57 usage(int code)
58 {
59 arg_printusage(args, num_args, NULL, "command");
60 printf("Use \"%s help\" to get more help\n", getprogname());
61 exit(code);
62 }
63
64 /*
65 *
66 */
67
68 static void
lock_strings(hx509_lock lock,getarg_strings * pass)69 lock_strings(hx509_lock lock, getarg_strings *pass)
70 {
71 int i;
72 for (i = 0; i < pass->num_strings; i++) {
73 int ret = hx509_lock_command_string(lock, pass->strings[i]);
74 if (ret)
75 errx(1, "hx509_lock_command_string: %s: %d",
76 pass->strings[i], ret);
77 }
78 }
79
80 /*
81 *
82 */
83
84 static void
certs_strings(hx509_context contextp,const char * type,hx509_certs certs,hx509_lock lock,const getarg_strings * s)85 certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
86 hx509_lock lock, const getarg_strings *s)
87 {
88 int i, ret;
89
90 for (i = 0; i < s->num_strings; i++) {
91 ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
92 if (ret)
93 hx509_err(contextp, 1, ret,
94 "hx509_certs_append: %s %s", type, s->strings[i]);
95 }
96 }
97
98 /*
99 *
100 */
101
102 static void
parse_oid(const char * str,const heim_oid * def,heim_oid * oid)103 parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
104 {
105 int ret;
106 if (str)
107 ret = der_parse_heim_oid (str, " .", oid);
108 else
109 ret = der_copy_oid(def, oid);
110 if (ret)
111 errx(1, "parse_oid failed for: %s", str ? str : "default oid");
112 }
113
114 /*
115 *
116 */
117
118 static void
peer_strings(hx509_context contextp,hx509_peer_info * peer,const getarg_strings * s)119 peer_strings(hx509_context contextp,
120 hx509_peer_info *peer,
121 const getarg_strings *s)
122 {
123 AlgorithmIdentifier *val;
124 int ret, i;
125
126 ret = hx509_peer_info_alloc(contextp, peer);
127 if (ret)
128 hx509_err(contextp, 1, ret, "hx509_peer_info_alloc");
129
130 val = calloc(s->num_strings, sizeof(*val));
131 if (val == NULL)
132 err(1, "malloc");
133
134 for (i = 0; i < s->num_strings; i++)
135 parse_oid(s->strings[i], NULL, &val[i].algorithm);
136
137 ret = hx509_peer_info_set_cms_algs(contextp, *peer, val, s->num_strings);
138 if (ret)
139 hx509_err(contextp, 1, ret, "hx509_peer_info_set_cms_algs");
140
141 for (i = 0; i < s->num_strings; i++)
142 free_AlgorithmIdentifier(&val[i]);
143 free(val);
144 }
145
146 /*
147 *
148 */
149
150 struct pem_data {
151 heim_octet_string *os;
152 int detached_data;
153 };
154
155 static int
pem_reader(hx509_context contextp,const char * type,const hx509_pem_header * headers,const void * data,size_t length,void * ctx)156 pem_reader(hx509_context contextp, const char *type,
157 const hx509_pem_header *headers,
158 const void *data , size_t length, void *ctx)
159 {
160 struct pem_data *p = (struct pem_data *)ctx;
161 const char *h;
162
163 p->os->data = malloc(length);
164 if (p->os->data == NULL)
165 return ENOMEM;
166 memcpy(p->os->data, data, length);
167 p->os->length = length;
168
169 h = hx509_pem_find_header(headers, "Content-disposition");
170 if (h && strcasecmp(h, "detached") == 0)
171 p->detached_data = 1;
172
173 return 0;
174 }
175
176 /*
177 *
178 */
179
180 int
cms_verify_sd(struct cms_verify_sd_options * opt,int argc,char ** argv)181 cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
182 {
183 hx509_verify_ctx ctx = NULL;
184 heim_oid type;
185 heim_octet_string c, co, signeddata, *sd = NULL;
186 hx509_certs store = NULL;
187 hx509_certs signers = NULL;
188 hx509_certs anchors = NULL;
189 hx509_lock lock;
190 int ret, flags = 0;
191
192 size_t sz;
193 void *p = NULL;
194
195 if (opt->missing_revoke_flag)
196 hx509_context_set_missing_revoke(context, 1);
197
198 hx509_lock_init(context, &lock);
199 lock_strings(lock, &opt->pass_strings);
200
201 ret = hx509_verify_init_ctx(context, &ctx);
202 if (ret)
203 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
204
205 ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors);
206 if (ret)
207 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
208 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
209 if (ret)
210 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
211
212 certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
213 certs_strings(context, "store", store, lock, &opt->certificate_strings);
214
215 if (opt->pem_flag) {
216 struct pem_data pd;
217 FILE *f;
218
219 pd.os = &co;
220 pd.detached_data = 0;
221
222 f = fopen(argv[0], "r");
223 if (f == NULL)
224 err(1, "Failed to open file %s", argv[0]);
225
226 ret = hx509_pem_read(context, f, pem_reader, &pd);
227 fclose(f);
228 if (ret)
229 errx(1, "PEM reader failed: %d", ret);
230
231 if (pd.detached_data && opt->signed_content_string == NULL) {
232 char *r = strrchr(argv[0], '.');
233 if (r && strcasecmp(r, ".pem") == 0) {
234 char *s = strdup(argv[0]);
235 if (s == NULL)
236 errx(1, "malloc: out of memory");
237 s[r - argv[0]] = '\0';
238 ret = _hx509_map_file_os(s, &signeddata);
239 if (ret)
240 errx(1, "map_file: %s: %d", s, ret);
241 free(s);
242 sd = &signeddata;
243 }
244 }
245
246 } else {
247 ret = rk_undumpdata(argv[0], &p, &sz);
248 if (ret)
249 err(1, "map_file: %s: %d", argv[0], ret);
250
251 co.data = p;
252 co.length = sz;
253 }
254
255 if (opt->signed_content_string) {
256 ret = _hx509_map_file_os(opt->signed_content_string, &signeddata);
257 if (ret)
258 errx(1, "map_file: %s: %d", opt->signed_content_string, ret);
259 sd = &signeddata;
260 }
261
262 if (opt->content_info_flag) {
263 heim_octet_string uwco;
264 heim_oid oid;
265
266 ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
267 if (ret)
268 errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
269
270 if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_signedData) != 0)
271 errx(1, "Content is not SignedData");
272 der_free_oid(&oid);
273
274 if (p == NULL)
275 der_free_octet_string(&co);
276 else {
277 rk_xfree(p);
278 p = NULL;
279 }
280 co = uwco;
281 }
282
283 hx509_verify_attach_anchors(ctx, anchors);
284
285 if (!opt->signer_allowed_flag)
286 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
287 if (opt->allow_wrong_oid_flag)
288 flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
289
290 ret = hx509_cms_verify_signed(context, ctx, flags, co.data, co.length, sd,
291 store, &type, &c, &signers);
292 if (p != co.data)
293 der_free_octet_string(&co);
294 else
295 rk_xfree(p);
296 if (ret)
297 hx509_err(context, 1, ret, "hx509_cms_verify_signed");
298
299 {
300 char *str;
301 der_print_heim_oid(&type, '.', &str);
302 printf("type: %s\n", str);
303 free(str);
304 der_free_oid(&type);
305 }
306 if (signers == NULL) {
307 printf("unsigned\n");
308 } else {
309 printf("signers:\n");
310 hx509_certs_iter_f(context, signers, hx509_ci_print_names, stdout);
311 }
312
313 hx509_verify_destroy_ctx(ctx);
314
315 hx509_certs_free(&store);
316 hx509_certs_free(&signers);
317 hx509_certs_free(&anchors);
318
319 hx509_lock_free(lock);
320
321 if (argc > 1) {
322 ret = _hx509_write_file(argv[1], c.data, c.length);
323 if (ret)
324 errx(1, "hx509_write_file: %d", ret);
325 }
326
327 der_free_octet_string(&c);
328
329 if (sd)
330 _hx509_unmap_file_os(sd);
331
332 return 0;
333 }
334
335 static int
print_signer(hx509_context contextp,void * ctx,hx509_cert cert)336 print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
337 {
338 hx509_pem_header **header = ctx;
339 char *signer_name = NULL;
340 hx509_name name;
341 int ret;
342
343 ret = hx509_cert_get_subject(cert, &name);
344 if (ret)
345 errx(1, "hx509_cert_get_subject");
346
347 ret = hx509_name_to_string(name, &signer_name);
348 hx509_name_free(&name);
349 if (ret)
350 errx(1, "hx509_name_to_string");
351
352 hx509_pem_add_header(header, "Signer", signer_name);
353
354 free(signer_name);
355 return 0;
356 }
357
358 int
cms_create_sd(struct cms_create_sd_options * opt,int argc,char ** argv)359 cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
360 {
361 heim_oid contentType;
362 hx509_peer_info peer = NULL;
363 heim_octet_string o;
364 hx509_query *q;
365 hx509_lock lock;
366 hx509_certs store, pool, anchors, signer = NULL;
367 size_t sz;
368 void *p;
369 int ret, flags = 0;
370 char *infile, *outfile = NULL;
371
372 memset(&contentType, 0, sizeof(contentType));
373
374 infile = argv[0];
375
376 if (argc < 2) {
377 ret = asprintf(&outfile, "%s.%s", infile,
378 opt->pem_flag ? "pem" : "cms-signeddata");
379 if (ret == -1 || outfile == NULL)
380 errx(1, "out of memory");
381 } else
382 outfile = argv[1];
383
384 hx509_lock_init(context, &lock);
385 lock_strings(lock, &opt->pass_strings);
386
387 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
388 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
389 ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool);
390 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
391
392 certs_strings(context, "store", store, lock, &opt->certificate_strings);
393 certs_strings(context, "pool", pool, lock, &opt->pool_strings);
394
395 if (opt->anchors_strings.num_strings) {
396 ret = hx509_certs_init(context, "MEMORY:cert-anchors",
397 0, NULL, &anchors);
398 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
399 certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
400 } else
401 anchors = NULL;
402
403 if (opt->detached_signature_flag)
404 flags |= HX509_CMS_SIGNATURE_DETACHED;
405 if (opt->id_by_name_flag)
406 flags |= HX509_CMS_SIGNATURE_ID_NAME;
407 if (!opt->signer_flag) {
408 flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
409
410 }
411
412 if (opt->signer_flag) {
413 ret = hx509_query_alloc(context, &q);
414 if (ret)
415 errx(1, "hx509_query_alloc: %d", ret);
416
417 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
418 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
419
420 if (opt->signer_string)
421 hx509_query_match_friendly_name(q, opt->signer_string);
422
423 ret = hx509_certs_filter(context, store, q, &signer);
424 hx509_query_free(context, q);
425 if (ret)
426 hx509_err(context, 1, ret, "hx509_certs_find");
427 }
428 if (!opt->embedded_certs_flag)
429 flags |= HX509_CMS_SIGNATURE_NO_CERTS;
430 if (opt->embed_leaf_only_flag)
431 flags |= HX509_CMS_SIGNATURE_LEAF_ONLY;
432
433 ret = rk_undumpdata(infile, &p, &sz);
434 if (ret)
435 err(1, "map_file: %s: %d", infile, ret);
436
437 if (opt->peer_alg_strings.num_strings)
438 peer_strings(context, &peer, &opt->peer_alg_strings);
439
440 parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
441
442 ret = hx509_cms_create_signed(context,
443 flags,
444 &contentType,
445 p,
446 sz,
447 NULL,
448 signer,
449 peer,
450 anchors,
451 pool,
452 &o);
453 if (ret)
454 hx509_err(context, 1, ret, "hx509_cms_create_signed: %d", ret);
455
456 hx509_certs_free(&anchors);
457 hx509_certs_free(&pool);
458 hx509_certs_free(&store);
459 rk_xfree(p);
460 hx509_lock_free(lock);
461 hx509_peer_info_free(peer);
462 der_free_oid(&contentType);
463
464 if (opt->content_info_flag) {
465 heim_octet_string wo;
466
467 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &o, &wo);
468 if (ret)
469 errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
470
471 der_free_octet_string(&o);
472 o = wo;
473 }
474
475 if (opt->pem_flag) {
476 hx509_pem_header *header = NULL;
477 FILE *f;
478
479 hx509_pem_add_header(&header, "Content-disposition",
480 opt->detached_signature_flag ?
481 "detached" : "inline");
482 if (signer) {
483 ret = hx509_certs_iter_f(context, signer, print_signer, header);
484 if (ret)
485 hx509_err(context, 1, ret, "print signer");
486 }
487
488 f = fopen(outfile, "w");
489 if (f == NULL)
490 err(1, "open %s", outfile);
491
492 ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f,
493 o.data, o.length);
494 fclose(f);
495 hx509_pem_free_header(header);
496 if (ret)
497 errx(1, "hx509_pem_write: %d", ret);
498
499 } else {
500 ret = _hx509_write_file(outfile, o.data, o.length);
501 if (ret)
502 errx(1, "hx509_write_file: %d", ret);
503 }
504
505 hx509_certs_free(&signer);
506 free(o.data);
507
508 return 0;
509 }
510
511 int
cms_unenvelope(struct cms_unenvelope_options * opt,int argc,char ** argv)512 cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv)
513 {
514 heim_oid contentType = { 0, NULL };
515 heim_octet_string o, co;
516 hx509_certs certs;
517 size_t sz;
518 void *p;
519 int ret;
520 hx509_lock lock;
521 int flags = 0;
522
523 hx509_lock_init(context, &lock);
524 lock_strings(lock, &opt->pass_strings);
525
526 ret = rk_undumpdata(argv[0], &p, &sz);
527 if (ret)
528 err(1, "map_file: %s: %d", argv[0], ret);
529
530 co.data = p;
531 co.length = sz;
532
533 if (opt->content_info_flag) {
534 heim_octet_string uwco;
535 heim_oid oid;
536
537 ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
538 if (ret)
539 errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
540
541 if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_envelopedData) != 0)
542 errx(1, "Content is not SignedData");
543 der_free_oid(&oid);
544
545 co = uwco;
546 }
547
548 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
549 if (ret)
550 errx(1, "hx509_certs_init: MEMORY: %d", ret);
551
552 certs_strings(context, "store", certs, lock, &opt->certificate_strings);
553
554 if (opt->allow_weak_crypto_flag)
555 flags |= HX509_CMS_UE_ALLOW_WEAK;
556
557 ret = hx509_cms_unenvelope(context, certs, flags, co.data, co.length,
558 NULL, 0, &contentType, &o);
559 if (co.data != p)
560 der_free_octet_string(&co);
561 if (ret)
562 hx509_err(context, 1, ret, "hx509_cms_unenvelope");
563
564 rk_xfree(p);
565 hx509_lock_free(lock);
566 hx509_certs_free(&certs);
567 der_free_oid(&contentType);
568
569 ret = _hx509_write_file(argv[1], o.data, o.length);
570 if (ret)
571 errx(1, "hx509_write_file: %d", ret);
572
573 der_free_octet_string(&o);
574
575 return 0;
576 }
577
578 int
cms_create_enveloped(struct cms_envelope_options * opt,int argc,char ** argv)579 cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv)
580 {
581 heim_oid contentType;
582 heim_octet_string o;
583 const heim_oid *enctype = NULL;
584 hx509_query *q;
585 hx509_certs certs;
586 hx509_cert cert;
587 int ret;
588 size_t sz;
589 void *p;
590 hx509_lock lock;
591 int flags = 0;
592
593 memset(&contentType, 0, sizeof(contentType));
594
595 hx509_lock_init(context, &lock);
596 lock_strings(lock, &opt->pass_strings);
597
598 ret = rk_undumpdata(argv[0], &p, &sz);
599 if (ret)
600 err(1, "map_file: %s: %d", argv[0], ret);
601
602 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
603 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
604
605 certs_strings(context, "store", certs, lock, &opt->certificate_strings);
606
607 if (opt->allow_weak_crypto_flag)
608 flags |= HX509_CMS_EV_ALLOW_WEAK;
609
610 if (opt->encryption_type_string) {
611 enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string);
612 if (enctype == NULL)
613 errx(1, "encryption type: %s no found",
614 opt->encryption_type_string);
615 }
616
617 ret = hx509_query_alloc(context, &q);
618 if (ret)
619 errx(1, "hx509_query_alloc: %d", ret);
620
621 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
622
623 ret = hx509_certs_find(context, certs, q, &cert);
624 hx509_query_free(context, q);
625 if (ret)
626 errx(1, "hx509_certs_find: %d", ret);
627
628 parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
629
630 ret = hx509_cms_envelope_1(context, flags, cert, p, sz, enctype,
631 &contentType, &o);
632 if (ret)
633 errx(1, "hx509_cms_envelope_1: %d", ret);
634
635 hx509_cert_free(cert);
636 hx509_certs_free(&certs);
637 rk_xfree(p);
638 der_free_oid(&contentType);
639
640 if (opt->content_info_flag) {
641 heim_octet_string wo;
642
643 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_envelopedData, &o, &wo);
644 if (ret)
645 errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
646
647 der_free_octet_string(&o);
648 o = wo;
649 }
650
651 hx509_lock_free(lock);
652
653 ret = _hx509_write_file(argv[1], o.data, o.length);
654 if (ret)
655 errx(1, "hx509_write_file: %d", ret);
656
657 der_free_octet_string(&o);
658
659 return 0;
660 }
661
662 static void
print_certificate(hx509_context hxcontext,hx509_cert cert,int verbose)663 print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
664 {
665 const char *fn;
666 int ret;
667
668 fn = hx509_cert_get_friendly_name(cert);
669 if (fn)
670 printf(" friendly name: %s\n", fn);
671 printf(" private key: %s\n",
672 _hx509_cert_private_key(cert) ? "yes" : "no");
673
674 ret = hx509_print_cert(hxcontext, cert, NULL);
675 if (ret)
676 errx(1, "failed to print cert");
677
678 if (verbose) {
679 hx509_validate_ctx vctx;
680
681 hx509_validate_ctx_init(hxcontext, &vctx);
682 hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout);
683 hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE);
684 hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE);
685
686 hx509_validate_cert(hxcontext, vctx, cert);
687
688 hx509_validate_ctx_free(vctx);
689 }
690 }
691
692
693 struct print_s {
694 int counter;
695 int verbose;
696 };
697
698 static int
print_f(hx509_context hxcontext,void * ctx,hx509_cert cert)699 print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
700 {
701 struct print_s *s = ctx;
702
703 printf("cert: %d\n", s->counter++);
704 print_certificate(context, cert, s->verbose);
705
706 return 0;
707 }
708
709 int
pcert_print(struct print_options * opt,int argc,char ** argv)710 pcert_print(struct print_options *opt, int argc, char **argv)
711 {
712 hx509_certs certs;
713 hx509_lock lock;
714 struct print_s s;
715
716 s.counter = 0;
717 s.verbose = opt->content_flag;
718
719 hx509_lock_init(context, &lock);
720 lock_strings(lock, &opt->pass_strings);
721
722 while(argc--) {
723 int ret;
724 ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
725 if (ret) {
726 if (opt->never_fail_flag) {
727 printf("ignoreing failure: %d\n", ret);
728 continue;
729 }
730 hx509_err(context, 1, ret, "hx509_certs_init");
731 }
732 if (opt->info_flag)
733 hx509_certs_info(context, certs, NULL, NULL);
734 hx509_certs_iter_f(context, certs, print_f, &s);
735 hx509_certs_free(&certs);
736 argv++;
737 }
738
739 hx509_lock_free(lock);
740
741 return 0;
742 }
743
744
745 static int
validate_f(hx509_context hxcontext,void * ctx,hx509_cert c)746 validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
747 {
748 hx509_validate_cert(hxcontext, ctx, c);
749 return 0;
750 }
751
752 int
pcert_validate(struct validate_options * opt,int argc,char ** argv)753 pcert_validate(struct validate_options *opt, int argc, char **argv)
754 {
755 hx509_validate_ctx ctx;
756 hx509_certs certs;
757 hx509_lock lock;
758
759 hx509_lock_init(context, &lock);
760 lock_strings(lock, &opt->pass_strings);
761
762 hx509_validate_ctx_init(context, &ctx);
763 hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout);
764 hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
765
766 while(argc--) {
767 int ret;
768 ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
769 if (ret)
770 errx(1, "hx509_certs_init: %d", ret);
771 hx509_certs_iter_f(context, certs, validate_f, ctx);
772 hx509_certs_free(&certs);
773 argv++;
774 }
775 hx509_validate_ctx_free(ctx);
776
777 hx509_lock_free(lock);
778
779 return 0;
780 }
781
782 int
certificate_copy(struct certificate_copy_options * opt,int argc,char ** argv)783 certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
784 {
785 hx509_certs certs;
786 hx509_lock inlock, outlock = NULL;
787 int ret;
788
789 hx509_lock_init(context, &inlock);
790 lock_strings(inlock, &opt->in_pass_strings);
791
792 if (opt->out_pass_string) {
793 hx509_lock_init(context, &outlock);
794 ret = hx509_lock_command_string(outlock, opt->out_pass_string);
795 if (ret)
796 errx(1, "hx509_lock_command_string: %s: %d",
797 opt->out_pass_string, ret);
798 }
799
800 ret = hx509_certs_init(context, argv[argc - 1],
801 HX509_CERTS_CREATE, inlock, &certs);
802 if (ret)
803 hx509_err(context, 1, ret, "hx509_certs_init");
804
805 while(argc-- > 1) {
806 int retx;
807 retx = hx509_certs_append(context, certs, inlock, argv[0]);
808 if (retx)
809 hx509_err(context, 1, retx, "hx509_certs_append");
810 argv++;
811 }
812
813 ret = hx509_certs_store(context, certs, 0, outlock);
814 if (ret)
815 hx509_err(context, 1, ret, "hx509_certs_store");
816
817 hx509_certs_free(&certs);
818 hx509_lock_free(inlock);
819 hx509_lock_free(outlock);
820
821 return 0;
822 }
823
824 struct verify {
825 hx509_verify_ctx ctx;
826 hx509_certs chain;
827 const char *hostname;
828 int errors;
829 int count;
830 };
831
832 static int
verify_f(hx509_context hxcontext,void * ctx,hx509_cert c)833 verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
834 {
835 struct verify *v = ctx;
836 int ret;
837
838 ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain);
839 if (ret) {
840 char *s = hx509_get_error_string(hxcontext, ret);
841 printf("verify_path: %s: %d\n", s, ret);
842 hx509_free_error_string(s);
843 v->errors++;
844 } else {
845 v->count++;
846 printf("path ok\n");
847 }
848
849 if (v->hostname) {
850 ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME,
851 v->hostname, NULL, 0);
852 if (ret) {
853 printf("verify_hostname: %d\n", ret);
854 v->errors++;
855 }
856 }
857
858 return 0;
859 }
860
861 int
pcert_verify(struct verify_options * opt,int argc,char ** argv)862 pcert_verify(struct verify_options *opt, int argc, char **argv)
863 {
864 hx509_certs anchors, chain, certs;
865 hx509_revoke_ctx revoke_ctx;
866 hx509_verify_ctx ctx;
867 struct verify v;
868 int ret;
869
870 memset(&v, 0, sizeof(v));
871
872 if (opt->missing_revoke_flag)
873 hx509_context_set_missing_revoke(context, 1);
874
875 ret = hx509_verify_init_ctx(context, &ctx);
876 if (ret)
877 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
878 ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors);
879 if (ret)
880 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
881 ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain);
882 if (ret)
883 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
884 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
885 if (ret)
886 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
887
888 if (opt->allow_proxy_certificate_flag)
889 hx509_verify_set_proxy_certificate(ctx, 1);
890
891 if (opt->time_string) {
892 const char *p;
893 struct tm tm;
894 time_t t;
895
896 memset(&tm, 0, sizeof(tm));
897
898 p = strptime (opt->time_string, "%Y-%m-%d", &tm);
899 if (p == NULL)
900 errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d",
901 opt->time_string);
902
903 t = tm2time (tm, 0);
904
905 hx509_verify_set_time(ctx, t);
906 }
907
908 if (opt->hostname_string)
909 v.hostname = opt->hostname_string;
910 if (opt->max_depth_integer)
911 hx509_verify_set_max_depth(ctx, opt->max_depth_integer);
912
913 ret = hx509_revoke_init(context, &revoke_ctx);
914 if (ret)
915 errx(1, "hx509_revoke_init: %d", ret);
916
917 while(argc--) {
918 char *s = *argv++;
919
920 if (strncmp(s, "chain:", 6) == 0) {
921 s += 6;
922
923 ret = hx509_certs_append(context, chain, NULL, s);
924 if (ret)
925 hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
926
927 } else if (strncmp(s, "anchor:", 7) == 0) {
928 s += 7;
929
930 ret = hx509_certs_append(context, anchors, NULL, s);
931 if (ret)
932 hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
933
934 } else if (strncmp(s, "cert:", 5) == 0) {
935 s += 5;
936
937 ret = hx509_certs_append(context, certs, NULL, s);
938 if (ret)
939 hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d",
940 s, ret);
941
942 } else if (strncmp(s, "crl:", 4) == 0) {
943 s += 4;
944
945 ret = hx509_revoke_add_crl(context, revoke_ctx, s);
946 if (ret)
947 errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
948
949 } else if (strncmp(s, "ocsp:", 4) == 0) {
950 s += 5;
951
952 ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
953 if (ret)
954 errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
955
956 } else {
957 errx(1, "unknown option to verify: `%s'\n", s);
958 }
959 }
960
961 hx509_verify_attach_anchors(ctx, anchors);
962 hx509_verify_attach_revoke(ctx, revoke_ctx);
963
964 v.ctx = ctx;
965 v.chain = chain;
966
967 hx509_certs_iter_f(context, certs, verify_f, &v);
968
969 hx509_verify_destroy_ctx(ctx);
970
971 hx509_certs_free(&certs);
972 hx509_certs_free(&chain);
973 hx509_certs_free(&anchors);
974
975 hx509_revoke_free(&revoke_ctx);
976
977
978 if (v.count == 0) {
979 printf("no certs verify at all\n");
980 return 1;
981 }
982
983 if (v.errors) {
984 printf("failed verifing %d checks\n", v.errors);
985 return 1;
986 }
987
988 return 0;
989 }
990
991 int
query(struct query_options * opt,int argc,char ** argv)992 query(struct query_options *opt, int argc, char **argv)
993 {
994 hx509_lock lock;
995 hx509_query *q;
996 hx509_certs certs;
997 hx509_cert c;
998 int ret;
999
1000 ret = hx509_query_alloc(context, &q);
1001 if (ret)
1002 errx(1, "hx509_query_alloc: %d", ret);
1003
1004 hx509_lock_init(context, &lock);
1005 lock_strings(lock, &opt->pass_strings);
1006
1007 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
1008 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1009
1010 while (argc > 0) {
1011
1012 ret = hx509_certs_append(context, certs, lock, argv[0]);
1013 if (ret)
1014 errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
1015
1016 argc--;
1017 argv++;
1018 }
1019
1020 if (opt->friendlyname_string)
1021 hx509_query_match_friendly_name(q, opt->friendlyname_string);
1022
1023 if (opt->eku_string) {
1024 heim_oid oid;
1025
1026 parse_oid(opt->eku_string, NULL, &oid);
1027
1028 ret = hx509_query_match_eku(q, &oid);
1029 if (ret)
1030 errx(1, "hx509_query_match_eku: %d", ret);
1031 der_free_oid(&oid);
1032 }
1033
1034 if (opt->private_key_flag)
1035 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1036
1037 if (opt->keyEncipherment_flag)
1038 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
1039
1040 if (opt->digitalSignature_flag)
1041 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
1042
1043 if (opt->expr_string)
1044 hx509_query_match_expr(context, q, opt->expr_string);
1045
1046 ret = hx509_certs_find(context, certs, q, &c);
1047 hx509_query_free(context, q);
1048 if (ret)
1049 printf("no match found (%d)\n", ret);
1050 else {
1051 printf("match found\n");
1052 if (opt->print_flag)
1053 print_certificate(context, c, 0);
1054 }
1055
1056 hx509_cert_free(c);
1057 hx509_certs_free(&certs);
1058
1059 hx509_lock_free(lock);
1060
1061 return ret;
1062 }
1063
1064 int
ocsp_fetch(struct ocsp_fetch_options * opt,int argc,char ** argv)1065 ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
1066 {
1067 hx509_certs reqcerts, pool;
1068 heim_octet_string req, nonce_data, *nonce = &nonce_data;
1069 hx509_lock lock;
1070 int i, ret;
1071 char *file;
1072 const char *url = "/";
1073
1074 memset(&nonce, 0, sizeof(nonce));
1075
1076 hx509_lock_init(context, &lock);
1077 lock_strings(lock, &opt->pass_strings);
1078
1079 /* no nonce */
1080 if (!opt->nonce_flag)
1081 nonce = NULL;
1082
1083 if (opt->url_path_string)
1084 url = opt->url_path_string;
1085
1086 ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool);
1087 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1088
1089 certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings);
1090
1091 file = argv[0];
1092
1093 ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts);
1094 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1095
1096 for (i = 1; i < argc; i++) {
1097 ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
1098 if (ret)
1099 errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
1100 }
1101
1102 ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
1103 if (ret)
1104 errx(1, "hx509_ocsp_request: req: %d", ret);
1105
1106 {
1107 FILE *f;
1108
1109 f = fopen(file, "w");
1110 if (f == NULL)
1111 abort();
1112
1113 fprintf(f,
1114 "POST %s HTTP/1.0\r\n"
1115 "Content-Type: application/ocsp-request\r\n"
1116 "Content-Length: %ld\r\n"
1117 "\r\n",
1118 url,
1119 (unsigned long)req.length);
1120 fwrite(req.data, req.length, 1, f);
1121 fclose(f);
1122 }
1123
1124 if (nonce)
1125 der_free_octet_string(nonce);
1126
1127 hx509_certs_free(&reqcerts);
1128 hx509_certs_free(&pool);
1129
1130 return 0;
1131 }
1132
1133 int
ocsp_print(struct ocsp_print_options * opt,int argc,char ** argv)1134 ocsp_print(struct ocsp_print_options *opt, int argc, char **argv)
1135 {
1136 hx509_revoke_ocsp_print(context, argv[0], stdout);
1137 return 0;
1138 }
1139
1140 int
revoke_print(struct revoke_print_options * opt,int argc,char ** argv)1141 revoke_print(struct revoke_print_options *opt, int argc, char **argv)
1142 {
1143 hx509_revoke_ctx revoke_ctx;
1144 int ret;
1145
1146 ret = hx509_revoke_init(context, &revoke_ctx);
1147 if (ret)
1148 errx(1, "hx509_revoke_init: %d", ret);
1149
1150 while(argc--) {
1151 char *s = *argv++;
1152
1153 if (strncmp(s, "crl:", 4) == 0) {
1154 s += 4;
1155
1156 ret = hx509_revoke_add_crl(context, revoke_ctx, s);
1157 if (ret)
1158 errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
1159
1160 } else if (strncmp(s, "ocsp:", 4) == 0) {
1161 s += 5;
1162
1163 ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
1164 if (ret)
1165 errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
1166
1167 } else {
1168 errx(1, "unknown option to verify: `%s'\n", s);
1169 }
1170 }
1171
1172 ret = hx509_revoke_print(context, revoke_ctx, stdout);
1173 if (ret)
1174 warnx("hx509_revoke_print: %d", ret);
1175
1176 return ret;
1177 }
1178
1179 /*
1180 *
1181 */
1182
1183 static int
verify_o(hx509_context hxcontext,void * ctx,hx509_cert c)1184 verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
1185 {
1186 heim_octet_string *os = ctx;
1187 time_t expiration;
1188 int ret;
1189
1190 ret = hx509_ocsp_verify(context, 0, c, 0,
1191 os->data, os->length, &expiration);
1192 if (ret) {
1193 char *s = hx509_get_error_string(hxcontext, ret);
1194 printf("ocsp_verify: %s: %d\n", s, ret);
1195 hx509_free_error_string(s);
1196 } else
1197 printf("expire: %d\n", (int)expiration);
1198
1199 return ret;
1200 }
1201
1202
1203 int
ocsp_verify(struct ocsp_verify_options * opt,int argc,char ** argv)1204 ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv)
1205 {
1206 hx509_lock lock;
1207 hx509_certs certs;
1208 int ret, i;
1209 heim_octet_string os;
1210
1211 hx509_lock_init(context, &lock);
1212
1213 if (opt->ocsp_file_string == NULL)
1214 errx(1, "no ocsp file given");
1215
1216 ret = _hx509_map_file_os(opt->ocsp_file_string, &os);
1217 if (ret)
1218 err(1, "map_file: %s: %d", argv[0], ret);
1219
1220 ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs);
1221 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1222
1223 for (i = 0; i < argc; i++) {
1224 ret = hx509_certs_append(context, certs, lock, argv[i]);
1225 if (ret)
1226 hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
1227 }
1228
1229 ret = hx509_certs_iter_f(context, certs, verify_o, &os);
1230
1231 hx509_certs_free(&certs);
1232 _hx509_unmap_file_os(&os);
1233 hx509_lock_free(lock);
1234
1235 return ret;
1236 }
1237
1238 static int
read_private_key(const char * fn,hx509_private_key * key)1239 read_private_key(const char *fn, hx509_private_key *key)
1240 {
1241 hx509_private_key *keys;
1242 hx509_certs certs;
1243 int ret;
1244
1245 *key = NULL;
1246
1247 ret = hx509_certs_init(context, fn, 0, NULL, &certs);
1248 if (ret)
1249 hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
1250
1251 ret = _hx509_certs_keys_get(context, certs, &keys);
1252 hx509_certs_free(&certs);
1253 if (ret)
1254 hx509_err(context, 1, ret, "hx509_certs_keys_get");
1255 if (keys[0] == NULL)
1256 errx(1, "no keys in key store: %s", fn);
1257
1258 *key = _hx509_private_key_ref(keys[0]);
1259 _hx509_certs_keys_free(context, keys);
1260
1261 return 0;
1262 }
1263
1264 static void
get_key(const char * fn,const char * type,int optbits,hx509_private_key * signer)1265 get_key(const char *fn, const char *type, int optbits,
1266 hx509_private_key *signer)
1267 {
1268 int ret;
1269
1270 if (type) {
1271 BIGNUM *e;
1272 RSA *rsa;
1273 unsigned char *p0, *p;
1274 size_t len;
1275 int bits = 1024;
1276
1277 if (fn == NULL)
1278 errx(1, "no key argument, don't know here to store key");
1279
1280 if (strcasecmp(type, "rsa") != 0)
1281 errx(1, "can only handle rsa keys for now");
1282
1283 e = BN_new();
1284 BN_set_word(e, 0x10001);
1285
1286 if (optbits)
1287 bits = optbits;
1288
1289 rsa = RSA_new();
1290 if(rsa == NULL)
1291 errx(1, "RSA_new failed");
1292
1293 ret = RSA_generate_key_ex(rsa, bits, e, NULL);
1294 if(ret != 1)
1295 errx(1, "RSA_new failed");
1296
1297 BN_free(e);
1298
1299 len = i2d_RSAPrivateKey(rsa, NULL);
1300
1301 p0 = p = malloc(len);
1302 if (p == NULL)
1303 errx(1, "out of memory");
1304
1305 i2d_RSAPrivateKey(rsa, &p);
1306
1307 rk_dumpdata(fn, p0, len);
1308 memset(p0, 0, len);
1309 free(p0);
1310
1311 RSA_free(rsa);
1312
1313 } else if (fn == NULL)
1314 err(1, "no private key");
1315
1316 ret = read_private_key(fn, signer);
1317 if (ret)
1318 err(1, "read_private_key");
1319 }
1320
1321 int
request_create(struct request_create_options * opt,int argc,char ** argv)1322 request_create(struct request_create_options *opt, int argc, char **argv)
1323 {
1324 heim_octet_string request;
1325 hx509_request req;
1326 int ret, i;
1327 hx509_private_key signer;
1328 SubjectPublicKeyInfo key;
1329 const char *outfile = argv[0];
1330
1331 memset(&key, 0, sizeof(key));
1332 memset(&signer, 0, sizeof(signer));
1333
1334 get_key(opt->key_string,
1335 opt->generate_key_string,
1336 opt->key_bits_integer,
1337 &signer);
1338
1339 hx509_request_init(context, &req);
1340
1341 if (opt->subject_string) {
1342 hx509_name name = NULL;
1343
1344 ret = hx509_parse_name(context, opt->subject_string, &name);
1345 if (ret)
1346 errx(1, "hx509_parse_name: %d\n", ret);
1347 hx509_request_set_name(context, req, name);
1348
1349 if (opt->verbose_flag) {
1350 char *s;
1351 hx509_name_to_string(name, &s);
1352 printf("%s\n", s);
1353 }
1354 hx509_name_free(&name);
1355 }
1356
1357 for (i = 0; i < opt->email_strings.num_strings; i++) {
1358 ret = _hx509_request_add_email(context, req,
1359 opt->email_strings.strings[i]);
1360 if (ret)
1361 hx509_err(context, 1, ret, "hx509_request_add_email");
1362 }
1363
1364 for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
1365 ret = _hx509_request_add_dns_name(context, req,
1366 opt->dnsname_strings.strings[i]);
1367 if (ret)
1368 hx509_err(context, 1, ret, "hx509_request_add_dns_name");
1369 }
1370
1371
1372 ret = hx509_private_key2SPKI(context, signer, &key);
1373 if (ret)
1374 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1375
1376 ret = hx509_request_set_SubjectPublicKeyInfo(context,
1377 req,
1378 &key);
1379 free_SubjectPublicKeyInfo(&key);
1380 if (ret)
1381 hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
1382
1383 ret = _hx509_request_to_pkcs10(context,
1384 req,
1385 signer,
1386 &request);
1387 if (ret)
1388 hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
1389
1390 hx509_private_key_free(&signer);
1391 hx509_request_free(&req);
1392
1393 if (ret == 0)
1394 rk_dumpdata(outfile, request.data, request.length);
1395 der_free_octet_string(&request);
1396
1397 return 0;
1398 }
1399
1400 int
request_print(struct request_print_options * opt,int argc,char ** argv)1401 request_print(struct request_print_options *opt, int argc, char **argv)
1402 {
1403 int ret, i;
1404
1405 printf("request print\n");
1406
1407 for (i = 0; i < argc; i++) {
1408 hx509_request req;
1409
1410 ret = _hx509_request_parse(context, argv[i], &req);
1411 if (ret)
1412 hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
1413
1414 ret = _hx509_request_print(context, req, stdout);
1415 hx509_request_free(&req);
1416 if (ret)
1417 hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
1418 }
1419
1420 return 0;
1421 }
1422
1423 int
info(void * opt,int argc,char ** argv)1424 info(void *opt, int argc, char **argv)
1425 {
1426
1427 ENGINE_add_conf_module();
1428
1429 {
1430 const RSA_METHOD *m = RSA_get_default_method();
1431 if (m != NULL) {
1432 const char *name;
1433 #if OPENSSL_VERSION_NUMBER < 0x10100000UL
1434 name = m->name;
1435 #else
1436 name = RSA_meth_get0_name(m);
1437 #endif
1438 printf("rsa: %s\n", name);
1439 }
1440 }
1441 {
1442 const DH_METHOD *m = DH_get_default_method();
1443 if (m != NULL) {
1444 const char *name;
1445 #if OPENSSL_VERSION_NUMBER < 0x10100000UL
1446 name = m->name;
1447 #else
1448 name = DH_meth_get0_name(m);
1449 #endif
1450 printf("dh: %s\n", name);
1451 }
1452 }
1453 #ifdef HAVE_HCRYPTO_W_OPENSSL
1454 {
1455 printf("ecdsa: ECDSA_METHOD-not-export\n");
1456 }
1457 #else
1458 {
1459 printf("ecdsa: hcrypto null\n");
1460 }
1461 #endif
1462 {
1463 int ret = RAND_status();
1464 printf("rand: %s\n", ret == 1 ? "ok" : "not available");
1465 }
1466
1467 return 0;
1468 }
1469
1470 int
random_data(void * opt,int argc,char ** argv)1471 random_data(void *opt, int argc, char **argv)
1472 {
1473 void *ptr;
1474 int len, ret;
1475
1476 len = parse_bytes(argv[0], "byte");
1477 if (len <= 0) {
1478 fprintf(stderr, "bad argument to random-data\n");
1479 return 1;
1480 }
1481
1482 ptr = malloc(len);
1483 if (ptr == NULL) {
1484 fprintf(stderr, "out of memory\n");
1485 return 1;
1486 }
1487
1488 ret = RAND_bytes(ptr, len);
1489 if (ret != 1) {
1490 free(ptr);
1491 fprintf(stderr, "did not get cryptographic strong random\n");
1492 return 1;
1493 }
1494
1495 fwrite(ptr, len, 1, stdout);
1496 fflush(stdout);
1497
1498 free(ptr);
1499
1500 return 0;
1501 }
1502
1503 int
crypto_available(struct crypto_available_options * opt,int argc,char ** argv)1504 crypto_available(struct crypto_available_options *opt, int argc, char **argv)
1505 {
1506 AlgorithmIdentifier *val;
1507 unsigned int len, i;
1508 int ret, type = HX509_SELECT_ALL;
1509
1510 if (opt->type_string) {
1511 if (strcmp(opt->type_string, "all") == 0)
1512 type = HX509_SELECT_ALL;
1513 else if (strcmp(opt->type_string, "digest") == 0)
1514 type = HX509_SELECT_DIGEST;
1515 else if (strcmp(opt->type_string, "public-sig") == 0)
1516 type = HX509_SELECT_PUBLIC_SIG;
1517 else if (strcmp(opt->type_string, "secret") == 0)
1518 type = HX509_SELECT_SECRET_ENC;
1519 else
1520 errx(1, "unknown type: %s", opt->type_string);
1521 }
1522
1523 ret = hx509_crypto_available(context, type, NULL, &val, &len);
1524 if (ret)
1525 errx(1, "hx509_crypto_available");
1526
1527 for (i = 0; i < len; i++) {
1528 char *s;
1529 der_print_heim_oid (&val[i].algorithm, '.', &s);
1530 printf("%s\n", s);
1531 free(s);
1532 }
1533
1534 hx509_crypto_free_algs(val, len);
1535
1536 return 0;
1537 }
1538
1539 int
crypto_select(struct crypto_select_options * opt,int argc,char ** argv)1540 crypto_select(struct crypto_select_options *opt, int argc, char **argv)
1541 {
1542 hx509_peer_info peer = NULL;
1543 AlgorithmIdentifier selected;
1544 int ret, type = HX509_SELECT_DIGEST;
1545 char *s;
1546
1547 if (opt->type_string) {
1548 if (strcmp(opt->type_string, "digest") == 0)
1549 type = HX509_SELECT_DIGEST;
1550 else if (strcmp(opt->type_string, "public-sig") == 0)
1551 type = HX509_SELECT_PUBLIC_SIG;
1552 else if (strcmp(opt->type_string, "secret") == 0)
1553 type = HX509_SELECT_SECRET_ENC;
1554 else
1555 errx(1, "unknown type: %s", opt->type_string);
1556 }
1557
1558 if (opt->peer_cmstype_strings.num_strings)
1559 peer_strings(context, &peer, &opt->peer_cmstype_strings);
1560
1561 ret = hx509_crypto_select(context, type, NULL, peer, &selected);
1562 if (ret)
1563 errx(1, "hx509_crypto_available");
1564
1565 der_print_heim_oid (&selected.algorithm, '.', &s);
1566 printf("%s\n", s);
1567 free(s);
1568 free_AlgorithmIdentifier(&selected);
1569
1570 hx509_peer_info_free(peer);
1571
1572 return 0;
1573 }
1574
1575 int
hxtool_hex(struct hex_options * opt,int argc,char ** argv)1576 hxtool_hex(struct hex_options *opt, int argc, char **argv)
1577 {
1578
1579 if (opt->decode_flag) {
1580 char buf[1024], buf2[1024], *p;
1581 ssize_t len;
1582
1583 while(fgets(buf, sizeof(buf), stdin) != NULL) {
1584 buf[strcspn(buf, "\r\n")] = '\0';
1585 p = buf;
1586 while(isspace(*(unsigned char *)p))
1587 p++;
1588 len = hex_decode(p, buf2, strlen(p));
1589 if (len < 0)
1590 errx(1, "hex_decode failed");
1591 if (fwrite(buf2, 1, len, stdout) != (size_t)len)
1592 errx(1, "fwrite failed");
1593 }
1594 } else {
1595 char buf[28], *p;
1596 ssize_t len;
1597
1598 while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) {
1599 len = hex_encode(buf, len, &p);
1600 if (len < 0)
1601 continue;
1602 fprintf(stdout, "%s\n", p);
1603 free(p);
1604 }
1605 }
1606 return 0;
1607 }
1608
1609 struct cert_type_opt {
1610 int pkinit;
1611 };
1612
1613
1614 static int
https_server(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1615 https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1616 {
1617 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1618 }
1619
1620 static int
https_client(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1621 https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1622 {
1623 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
1624 }
1625
1626 static int
peap_server(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1627 peap_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1628 {
1629 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1630 }
1631
1632 static int
pkinit_kdc(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1633 pkinit_kdc(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1634 {
1635 opt->pkinit++;
1636 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkkdcekuoid);
1637 }
1638
1639 static int
pkinit_client(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1640 pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1641 {
1642 int ret;
1643
1644 opt->pkinit++;
1645
1646 ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
1647 if (ret)
1648 return ret;
1649
1650 ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
1651 if (ret)
1652 return ret;
1653
1654 return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkinit_ms_eku);
1655 }
1656
1657 static int
email_client(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1658 email_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1659 {
1660 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection);
1661 }
1662
1663 struct {
1664 const char *type;
1665 const char *desc;
1666 int (*eval)(hx509_context, hx509_ca_tbs, struct cert_type_opt *);
1667 } certtypes[] = {
1668 {
1669 "https-server",
1670 "Used for HTTPS server and many other TLS server certificate types",
1671 https_server
1672 },
1673 {
1674 "https-client",
1675 "Used for HTTPS client certificates",
1676 https_client
1677 },
1678 {
1679 "email-client",
1680 "Certificate will be use for email",
1681 email_client
1682 },
1683 {
1684 "pkinit-client",
1685 "Certificate used for Kerberos PK-INIT client certificates",
1686 pkinit_client
1687 },
1688 {
1689 "pkinit-kdc",
1690 "Certificates used for Kerberos PK-INIT KDC certificates",
1691 pkinit_kdc
1692 },
1693 {
1694 "peap-server",
1695 "Certificate used for Radius PEAP (Protected EAP)",
1696 peap_server
1697 }
1698 };
1699
1700 static void
print_eval_types(FILE * out)1701 print_eval_types(FILE *out)
1702 {
1703 rtbl_t table;
1704 unsigned i;
1705
1706 table = rtbl_create();
1707 rtbl_add_column_by_id (table, 0, "Name", 0);
1708 rtbl_add_column_by_id (table, 1, "Description", 0);
1709
1710 for (i = 0; i < sizeof(certtypes)/sizeof(certtypes[0]); i++) {
1711 rtbl_add_column_entry_by_id(table, 0, certtypes[i].type);
1712 rtbl_add_column_entry_by_id(table, 1, certtypes[i].desc);
1713 }
1714
1715 rtbl_format (table, out);
1716 rtbl_destroy (table);
1717 }
1718
1719 static int
eval_types(hx509_context contextp,hx509_ca_tbs tbs,const struct certificate_sign_options * opt)1720 eval_types(hx509_context contextp,
1721 hx509_ca_tbs tbs,
1722 const struct certificate_sign_options *opt)
1723 {
1724 struct cert_type_opt ctopt;
1725 int i;
1726 size_t j;
1727 int ret;
1728
1729 memset(&ctopt, 0, sizeof(ctopt));
1730
1731 for (i = 0; i < opt->type_strings.num_strings; i++) {
1732 const char *type = opt->type_strings.strings[i];
1733
1734 for (j = 0; j < sizeof(certtypes)/sizeof(certtypes[0]); j++) {
1735 if (strcasecmp(type, certtypes[j].type) == 0) {
1736 ret = (*certtypes[j].eval)(contextp, tbs, &ctopt);
1737 if (ret)
1738 hx509_err(contextp, 1, ret,
1739 "Failed to evaluate cert type %s", type);
1740 break;
1741 }
1742 }
1743 if (j >= sizeof(certtypes)/sizeof(certtypes[0])) {
1744 fprintf(stderr, "Unknown certificate type %s\n\n", type);
1745 fprintf(stderr, "Available types:\n");
1746 print_eval_types(stderr);
1747 exit(1);
1748 }
1749 }
1750
1751 for (i = 0; i < opt->pk_init_principal_strings.num_strings; i++) {
1752 const char *pk_init_princ = opt->pk_init_principal_strings.strings[i];
1753
1754 if (!ctopt.pkinit)
1755 errx(1, "pk-init principal given but no pk-init oid");
1756
1757 ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs, pk_init_princ);
1758 if (ret)
1759 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
1760 }
1761
1762 if (opt->ms_upn_string) {
1763 if (!ctopt.pkinit)
1764 errx(1, "MS upn given but no pk-init oid");
1765
1766 ret = hx509_ca_tbs_add_san_ms_upn(contextp, tbs, opt->ms_upn_string);
1767 if (ret)
1768 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
1769 }
1770
1771
1772 for (i = 0; i < opt->hostname_strings.num_strings; i++) {
1773 const char *hostname = opt->hostname_strings.strings[i];
1774
1775 ret = hx509_ca_tbs_add_san_hostname(contextp, tbs, hostname);
1776 if (ret)
1777 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1778 }
1779
1780 for (i = 0; i < opt->email_strings.num_strings; i++) {
1781 const char *email = opt->email_strings.strings[i];
1782
1783 ret = hx509_ca_tbs_add_san_rfc822name(contextp, tbs, email);
1784 if (ret)
1785 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1786
1787 ret = hx509_ca_tbs_add_eku(contextp, tbs,
1788 &asn1_oid_id_pkix_kp_emailProtection);
1789 if (ret)
1790 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_eku");
1791 }
1792
1793 if (opt->jid_string) {
1794 ret = hx509_ca_tbs_add_san_jid(contextp, tbs, opt->jid_string);
1795 if (ret)
1796 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_jid");
1797 }
1798
1799 return 0;
1800 }
1801
1802 int
hxtool_ca(struct certificate_sign_options * opt,int argc,char ** argv)1803 hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
1804 {
1805 int ret;
1806 hx509_ca_tbs tbs;
1807 hx509_cert signer = NULL, cert = NULL;
1808 hx509_private_key private_key = NULL;
1809 hx509_private_key cert_key = NULL;
1810 hx509_name subject = NULL;
1811 SubjectPublicKeyInfo spki;
1812 int delta = 0;
1813
1814 memset(&spki, 0, sizeof(spki));
1815
1816 if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
1817 errx(1, "--ca-certificate argument missing (not using --self-signed)");
1818 if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag)
1819 errx(1, "--ca-private-key argument missing (using --self-signed)");
1820 if (opt->certificate_string == NULL)
1821 errx(1, "--certificate argument missing");
1822
1823 if (opt->template_certificate_string) {
1824 if (opt->template_fields_string == NULL)
1825 errx(1, "--template-certificate not no --template-fields");
1826 }
1827
1828 if (opt->lifetime_string) {
1829 delta = parse_time(opt->lifetime_string, "day");
1830 if (delta < 0)
1831 errx(1, "Invalid lifetime: %s", opt->lifetime_string);
1832 }
1833
1834 if (opt->ca_certificate_string) {
1835 hx509_certs cacerts = NULL;
1836 hx509_query *q;
1837
1838 ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
1839 NULL, &cacerts);
1840 if (ret)
1841 hx509_err(context, 1, ret,
1842 "hx509_certs_init: %s", opt->ca_certificate_string);
1843
1844 ret = hx509_query_alloc(context, &q);
1845 if (ret)
1846 errx(1, "hx509_query_alloc: %d", ret);
1847
1848 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1849 if (!opt->issue_proxy_flag)
1850 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
1851
1852 ret = hx509_certs_find(context, cacerts, q, &signer);
1853 hx509_query_free(context, q);
1854 hx509_certs_free(&cacerts);
1855 if (ret)
1856 hx509_err(context, 1, ret, "no CA certificate found");
1857 } else if (opt->self_signed_flag) {
1858 if (opt->generate_key_string == NULL
1859 && opt->ca_private_key_string == NULL)
1860 errx(1, "no signing private key");
1861
1862 if (opt->req_string)
1863 errx(1, "can't be self-signing and have a request at the same time");
1864 } else
1865 errx(1, "missing ca key");
1866
1867 if (opt->ca_private_key_string) {
1868
1869 ret = read_private_key(opt->ca_private_key_string, &private_key);
1870 if (ret)
1871 err(1, "read_private_key");
1872
1873 ret = hx509_private_key2SPKI(context, private_key, &spki);
1874 if (ret)
1875 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1876
1877 if (opt->self_signed_flag)
1878 cert_key = private_key;
1879 }
1880
1881 if (opt->req_string) {
1882 hx509_request req;
1883
1884 ret = _hx509_request_parse(context, opt->req_string, &req);
1885 if (ret)
1886 hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
1887 ret = hx509_request_get_name(context, req, &subject);
1888 if (ret)
1889 hx509_err(context, 1, ret, "get name");
1890 ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
1891 if (ret)
1892 hx509_err(context, 1, ret, "get spki");
1893 hx509_request_free(&req);
1894 }
1895
1896 if (opt->generate_key_string) {
1897 struct hx509_generate_private_context *keyctx;
1898
1899 ret = _hx509_generate_private_key_init(context,
1900 &asn1_oid_id_pkcs1_rsaEncryption,
1901 &keyctx);
1902 if (ret)
1903 hx509_err(context, 1, ret, "generate private key");
1904
1905 if (opt->issue_ca_flag)
1906 _hx509_generate_private_key_is_ca(context, keyctx);
1907
1908 if (opt->key_bits_integer)
1909 _hx509_generate_private_key_bits(context, keyctx,
1910 opt->key_bits_integer);
1911
1912 ret = _hx509_generate_private_key(context, keyctx,
1913 &cert_key);
1914 _hx509_generate_private_key_free(&keyctx);
1915 if (ret)
1916 hx509_err(context, 1, ret, "generate private key");
1917
1918 ret = hx509_private_key2SPKI(context, cert_key, &spki);
1919 if (ret)
1920 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1921
1922 if (opt->self_signed_flag)
1923 private_key = cert_key;
1924 }
1925
1926 if (opt->certificate_private_key_string) {
1927 ret = read_private_key(opt->certificate_private_key_string, &cert_key);
1928 if (ret)
1929 err(1, "read_private_key for certificate");
1930 }
1931
1932 if (opt->subject_string) {
1933 if (subject)
1934 hx509_name_free(&subject);
1935 ret = hx509_parse_name(context, opt->subject_string, &subject);
1936 if (ret)
1937 hx509_err(context, 1, ret, "hx509_parse_name");
1938 }
1939
1940 /*
1941 *
1942 */
1943
1944 ret = hx509_ca_tbs_init(context, &tbs);
1945 if (ret)
1946 hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1947
1948 if (opt->signature_algorithm_string) {
1949 const AlgorithmIdentifier *sigalg;
1950 if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
1951 sigalg = hx509_signature_rsa_with_sha1();
1952 else if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha256") == 0)
1953 sigalg = hx509_signature_rsa_with_sha256();
1954 else
1955 errx(1, "unsupported sigature algorithm");
1956 hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);
1957 }
1958
1959 if (opt->template_certificate_string) {
1960 hx509_cert template;
1961 hx509_certs tcerts;
1962 int flags;
1963
1964 ret = hx509_certs_init(context, opt->template_certificate_string, 0,
1965 NULL, &tcerts);
1966 if (ret)
1967 hx509_err(context, 1, ret,
1968 "hx509_certs_init: %s", opt->template_certificate_string);
1969
1970 ret = hx509_get_one_cert(context, tcerts, &template);
1971
1972 hx509_certs_free(&tcerts);
1973 if (ret)
1974 hx509_err(context, 1, ret, "no template certificate found");
1975
1976 flags = parse_units(opt->template_fields_string,
1977 hx509_ca_tbs_template_units(), "");
1978
1979 ret = hx509_ca_tbs_set_template(context, tbs, flags, template);
1980 if (ret)
1981 hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
1982
1983 hx509_cert_free(template);
1984 }
1985
1986 if (opt->serial_number_string) {
1987 heim_integer serialNumber;
1988
1989 ret = der_parse_hex_heim_integer(opt->serial_number_string,
1990 &serialNumber);
1991 if (ret)
1992 err(1, "der_parse_hex_heim_integer");
1993 ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber);
1994 if (ret)
1995 hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1996 der_free_heim_integer(&serialNumber);
1997 }
1998
1999 if (spki.subjectPublicKey.length) {
2000 ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
2001 if (ret)
2002 hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki");
2003 }
2004
2005 if (subject) {
2006 ret = hx509_ca_tbs_set_subject(context, tbs, subject);
2007 if (ret)
2008 hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject");
2009 }
2010
2011 if (opt->crl_uri_string) {
2012 ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs,
2013 opt->crl_uri_string, NULL);
2014 if (ret)
2015 hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri");
2016 }
2017
2018 eval_types(context, tbs, opt);
2019
2020 if (opt->issue_ca_flag) {
2021 ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
2022 if (ret)
2023 hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca");
2024 }
2025 if (opt->issue_proxy_flag) {
2026 ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer);
2027 if (ret)
2028 hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy");
2029 }
2030 if (opt->domain_controller_flag) {
2031 hx509_ca_tbs_set_domaincontroller(context, tbs);
2032 if (ret)
2033 hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller");
2034 }
2035
2036 if (delta) {
2037 ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);
2038 if (ret)
2039 hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
2040 }
2041
2042 if (opt->self_signed_flag) {
2043 ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
2044 if (ret)
2045 hx509_err(context, 1, ret, "hx509_ca_sign_self");
2046 } else {
2047 ret = hx509_ca_sign(context, tbs, signer, &cert);
2048 if (ret)
2049 hx509_err(context, 1, ret, "hx509_ca_sign");
2050 }
2051
2052 if (cert_key) {
2053 ret = _hx509_cert_assign_key(cert, cert_key);
2054 if (ret)
2055 hx509_err(context, 1, ret, "_hx509_cert_assign_key");
2056 }
2057
2058 {
2059 hx509_certs certs;
2060
2061 ret = hx509_certs_init(context, opt->certificate_string,
2062 HX509_CERTS_CREATE, NULL, &certs);
2063 if (ret)
2064 hx509_err(context, 1, ret, "hx509_certs_init");
2065
2066 ret = hx509_certs_add(context, certs, cert);
2067 if (ret)
2068 hx509_err(context, 1, ret, "hx509_certs_add");
2069
2070 ret = hx509_certs_store(context, certs, 0, NULL);
2071 if (ret)
2072 hx509_err(context, 1, ret, "hx509_certs_store");
2073
2074 hx509_certs_free(&certs);
2075 }
2076
2077 if (subject)
2078 hx509_name_free(&subject);
2079 if (signer)
2080 hx509_cert_free(signer);
2081 hx509_cert_free(cert);
2082 free_SubjectPublicKeyInfo(&spki);
2083
2084 if (private_key != cert_key)
2085 hx509_private_key_free(&private_key);
2086 hx509_private_key_free(&cert_key);
2087
2088 hx509_ca_tbs_free(&tbs);
2089
2090 return 0;
2091 }
2092
2093 static int
test_one_cert(hx509_context hxcontext,void * ctx,hx509_cert cert)2094 test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
2095 {
2096 heim_octet_string sd, c;
2097 hx509_verify_ctx vctx = ctx;
2098 hx509_certs signer = NULL;
2099 heim_oid type;
2100 int ret;
2101
2102 if (_hx509_cert_private_key(cert) == NULL)
2103 return 0;
2104
2105 ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0,
2106 NULL, cert, NULL, NULL, NULL, &sd);
2107 if (ret)
2108 errx(1, "hx509_cms_create_signed_1");
2109
2110 ret = hx509_cms_verify_signed(context, vctx, 0, sd.data, sd.length,
2111 NULL, NULL, &type, &c, &signer);
2112 free(sd.data);
2113 if (ret)
2114 hx509_err(context, 1, ret, "hx509_cms_verify_signed");
2115
2116 printf("create-signature verify-sigature done\n");
2117
2118 free(c.data);
2119
2120 return 0;
2121 }
2122
2123 int
test_crypto(struct test_crypto_options * opt,int argc,char ** argv)2124 test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
2125 {
2126 hx509_verify_ctx vctx;
2127 hx509_certs certs;
2128 hx509_lock lock;
2129 int i, ret;
2130
2131 hx509_lock_init(context, &lock);
2132 lock_strings(lock, &opt->pass_strings);
2133
2134 ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs);
2135 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
2136
2137 for (i = 0; i < argc; i++) {
2138 ret = hx509_certs_append(context, certs, lock, argv[i]);
2139 if (ret)
2140 hx509_err(context, 1, ret, "hx509_certs_append");
2141 }
2142
2143 ret = hx509_verify_init_ctx(context, &vctx);
2144 if (ret)
2145 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
2146
2147 hx509_verify_attach_anchors(vctx, certs);
2148
2149 ret = hx509_certs_iter_f(context, certs, test_one_cert, vctx);
2150 if (ret)
2151 hx509_err(context, 1, ret, "hx509_cert_iter");
2152
2153 hx509_certs_free(&certs);
2154
2155 return 0;
2156 }
2157
2158 int
statistic_print(struct statistic_print_options * opt,int argc,char ** argv)2159 statistic_print(struct statistic_print_options*opt, int argc, char **argv)
2160 {
2161 int type = 0;
2162
2163 if (stat_file_string == NULL)
2164 errx(1, "no stat file");
2165
2166 if (opt->type_integer)
2167 type = opt->type_integer;
2168
2169 hx509_query_unparse_stats(context, type, stdout);
2170 return 0;
2171 }
2172
2173 /*
2174 *
2175 */
2176
2177 int
crl_sign(struct crl_sign_options * opt,int argc,char ** argv)2178 crl_sign(struct crl_sign_options *opt, int argc, char **argv)
2179 {
2180 hx509_crl crl;
2181 heim_octet_string os;
2182 hx509_cert signer = NULL;
2183 hx509_lock lock;
2184 int ret;
2185
2186 hx509_lock_init(context, &lock);
2187 lock_strings(lock, &opt->pass_strings);
2188
2189 ret = hx509_crl_alloc(context, &crl);
2190 if (ret)
2191 errx(1, "crl alloc");
2192
2193 if (opt->signer_string == NULL)
2194 errx(1, "signer missing");
2195
2196 {
2197 hx509_certs certs = NULL;
2198 hx509_query *q;
2199
2200 ret = hx509_certs_init(context, opt->signer_string, 0,
2201 NULL, &certs);
2202 if (ret)
2203 hx509_err(context, 1, ret,
2204 "hx509_certs_init: %s", opt->signer_string);
2205
2206 ret = hx509_query_alloc(context, &q);
2207 if (ret)
2208 hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret);
2209
2210 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
2211
2212 ret = hx509_certs_find(context, certs, q, &signer);
2213 hx509_query_free(context, q);
2214 hx509_certs_free(&certs);
2215 if (ret)
2216 hx509_err(context, 1, ret, "no signer certificate found");
2217 }
2218
2219 if (opt->lifetime_string) {
2220 int delta;
2221
2222 delta = parse_time(opt->lifetime_string, "day");
2223 if (delta < 0)
2224 errx(1, "Invalid lifetime: %s", opt->lifetime_string);
2225
2226 hx509_crl_lifetime(context, crl, delta);
2227 }
2228
2229 {
2230 hx509_certs revoked = NULL;
2231 int i;
2232
2233 ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0,
2234 NULL, &revoked);
2235 if (ret)
2236 hx509_err(context, 1, ret,
2237 "hx509_certs_init: MEMORY cert");
2238
2239 for (i = 0; i < argc; i++) {
2240 ret = hx509_certs_append(context, revoked, lock, argv[i]);
2241 if (ret)
2242 hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
2243 }
2244
2245 hx509_crl_add_revoked_certs(context, crl, revoked);
2246 hx509_certs_free(&revoked);
2247 }
2248
2249 hx509_crl_sign(context, signer, crl, &os);
2250
2251 if (opt->crl_file_string)
2252 rk_dumpdata(opt->crl_file_string, os.data, os.length);
2253
2254 free(os.data);
2255
2256 hx509_crl_free(context, &crl);
2257 hx509_cert_free(signer);
2258 hx509_lock_free(lock);
2259
2260 return 0;
2261 }
2262
2263 /*
2264 *
2265 */
2266
2267 int
help(void * opt,int argc,char ** argv)2268 help(void *opt, int argc, char **argv)
2269 {
2270 sl_slc_help(commands, argc, argv);
2271 return 0;
2272 }
2273
2274 int
main(int argc,char ** argv)2275 main(int argc, char **argv)
2276 {
2277 int ret, optidx = 0;
2278
2279 setprogname (argv[0]);
2280
2281 if(getarg(args, num_args, argc, argv, &optidx))
2282 usage(1);
2283 if(help_flag)
2284 usage(0);
2285 if(version_flag) {
2286 print_version(NULL);
2287 exit(0);
2288 }
2289 argv += optidx;
2290 argc -= optidx;
2291
2292 if (argc == 0)
2293 usage(1);
2294
2295 ret = hx509_context_init(&context);
2296 if (ret)
2297 errx(1, "hx509_context_init failed with %d", ret);
2298
2299 if (stat_file_string)
2300 hx509_query_statistic_file(context, stat_file_string);
2301
2302 ret = sl_command(commands, argc, argv);
2303 if(ret == -1)
2304 warnx ("unrecognized command: %s", argv[0]);
2305
2306 hx509_context_free(&context);
2307
2308 return ret;
2309 }
2310