1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35
36 #include <hxtool-commands.h>
37 #include <sl.h>
38 #include <rtbl.h>
39 #include <parse_time.h>
40
41 static hx509_context context;
42
43 static char *stat_file_string;
44 static int version_flag;
45 static int help_flag;
46
47 struct getargs args[] = {
48 { "statistic-file", 0, arg_string, &stat_file_string, NULL, NULL },
49 { "version", 0, arg_flag, &version_flag, NULL, NULL },
50 { "help", 0, arg_flag, &help_flag, NULL, NULL }
51 };
52 int num_args = sizeof(args) / sizeof(args[0]);
53
54 static void
usage(int code)55 usage(int code)
56 {
57 arg_printusage(args, num_args, NULL, "command");
58 printf("Use \"%s help\" to get more help\n", getprogname());
59 exit(code);
60 }
61
62 /*
63 *
64 */
65
66 static void
lock_strings(hx509_lock lock,getarg_strings * pass)67 lock_strings(hx509_lock lock, getarg_strings *pass)
68 {
69 int i;
70 for (i = 0; i < pass->num_strings; i++) {
71 int ret = hx509_lock_command_string(lock, pass->strings[i]);
72 if (ret)
73 errx(1, "hx509_lock_command_string: %s: %d",
74 pass->strings[i], ret);
75 }
76 }
77
78 /*
79 *
80 */
81
82 static void
certs_strings(hx509_context contextp,const char * type,hx509_certs certs,hx509_lock lock,const getarg_strings * s)83 certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
84 hx509_lock lock, const getarg_strings *s)
85 {
86 int i, ret;
87
88 for (i = 0; i < s->num_strings; i++) {
89 ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
90 if (ret)
91 hx509_err(contextp, 1, ret,
92 "hx509_certs_append: %s %s", type, s->strings[i]);
93 }
94 }
95
96 /*
97 *
98 */
99
100 static void
parse_oid(const char * str,const heim_oid * def,heim_oid * oid)101 parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
102 {
103 int ret;
104 if (str)
105 ret = der_parse_heim_oid (str, " .", oid);
106 else
107 ret = der_copy_oid(def, oid);
108 if (ret)
109 errx(1, "parse_oid failed for: %s", str ? str : "default oid");
110 }
111
112 /*
113 *
114 */
115
116 static void
peer_strings(hx509_context contextp,hx509_peer_info * peer,const getarg_strings * s)117 peer_strings(hx509_context contextp,
118 hx509_peer_info *peer,
119 const getarg_strings *s)
120 {
121 AlgorithmIdentifier *val;
122 int ret, i;
123
124 ret = hx509_peer_info_alloc(contextp, peer);
125 if (ret)
126 hx509_err(contextp, 1, ret, "hx509_peer_info_alloc");
127
128 val = calloc(s->num_strings, sizeof(*val));
129 if (val == NULL)
130 err(1, "malloc");
131
132 for (i = 0; i < s->num_strings; i++)
133 parse_oid(s->strings[i], NULL, &val[i].algorithm);
134
135 ret = hx509_peer_info_set_cms_algs(contextp, *peer, val, s->num_strings);
136 if (ret)
137 hx509_err(contextp, 1, ret, "hx509_peer_info_set_cms_algs");
138
139 for (i = 0; i < s->num_strings; i++)
140 free_AlgorithmIdentifier(&val[i]);
141 free(val);
142 }
143
144 /*
145 *
146 */
147
148 struct pem_data {
149 heim_octet_string *os;
150 int detached_data;
151 };
152
153 static int
pem_reader(hx509_context contextp,const char * type,const hx509_pem_header * headers,const void * data,size_t length,void * ctx)154 pem_reader(hx509_context contextp, const char *type,
155 const hx509_pem_header *headers,
156 const void *data , size_t length, void *ctx)
157 {
158 struct pem_data *p = (struct pem_data *)ctx;
159 const char *h;
160
161 p->os->data = malloc(length);
162 if (p->os->data == NULL)
163 return ENOMEM;
164 memcpy(p->os->data, data, length);
165 p->os->length = length;
166
167 h = hx509_pem_find_header(headers, "Content-disposition");
168 if (h && strcasecmp(h, "detached") == 0)
169 p->detached_data = 1;
170
171 return 0;
172 }
173
174 /*
175 *
176 */
177
178 int
cms_verify_sd(struct cms_verify_sd_options * opt,int argc,char ** argv)179 cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
180 {
181 hx509_verify_ctx ctx = NULL;
182 heim_oid type;
183 heim_octet_string c, co, signeddata, *sd = NULL;
184 hx509_certs store = NULL;
185 hx509_certs signers = NULL;
186 hx509_certs anchors = NULL;
187 hx509_lock lock;
188 int ret, flags = 0;
189
190 size_t sz;
191 void *p = NULL;
192
193 if (opt->missing_revoke_flag)
194 hx509_context_set_missing_revoke(context, 1);
195
196 hx509_lock_init(context, &lock);
197 lock_strings(lock, &opt->pass_strings);
198
199 ret = hx509_verify_init_ctx(context, &ctx);
200 if (ret)
201 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
202
203 ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors);
204 if (ret)
205 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
206 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
207 if (ret)
208 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
209
210 certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
211 certs_strings(context, "store", store, lock, &opt->certificate_strings);
212
213 if (opt->pem_flag) {
214 struct pem_data pd;
215 FILE *f;
216
217 pd.os = &co;
218 pd.detached_data = 0;
219
220 f = fopen(argv[0], "r");
221 if (f == NULL)
222 err(1, "Failed to open file %s", argv[0]);
223
224 ret = hx509_pem_read(context, f, pem_reader, &pd);
225 fclose(f);
226 if (ret)
227 errx(1, "PEM reader failed: %d", ret);
228
229 if (pd.detached_data && opt->signed_content_string == NULL) {
230 char *r = strrchr(argv[0], '.');
231 if (r && strcasecmp(r, ".pem") == 0) {
232 char *s = strdup(argv[0]);
233 if (s == NULL)
234 errx(1, "malloc: out of memory");
235 s[r - argv[0]] = '\0';
236 ret = _hx509_map_file_os(s, &signeddata);
237 if (ret)
238 errx(1, "map_file: %s: %d", s, ret);
239 free(s);
240 sd = &signeddata;
241 }
242 }
243
244 } else {
245 ret = rk_undumpdata(argv[0], &p, &sz);
246 if (ret)
247 err(1, "map_file: %s: %d", argv[0], ret);
248
249 co.data = p;
250 co.length = sz;
251 }
252
253 if (opt->signed_content_string) {
254 ret = _hx509_map_file_os(opt->signed_content_string, &signeddata);
255 if (ret)
256 errx(1, "map_file: %s: %d", opt->signed_content_string, ret);
257 sd = &signeddata;
258 }
259
260 if (opt->content_info_flag) {
261 heim_octet_string uwco;
262 heim_oid oid;
263
264 ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
265 if (ret)
266 errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
267
268 if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_signedData) != 0)
269 errx(1, "Content is not SignedData");
270 der_free_oid(&oid);
271
272 if (p == NULL)
273 der_free_octet_string(&co);
274 else {
275 rk_xfree(p);
276 p = NULL;
277 }
278 co = uwco;
279 }
280
281 hx509_verify_attach_anchors(ctx, anchors);
282
283 if (!opt->signer_allowed_flag)
284 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
285 if (opt->allow_wrong_oid_flag)
286 flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
287
288 ret = hx509_cms_verify_signed(context, ctx, flags, co.data, co.length, sd,
289 store, &type, &c, &signers);
290 if (p != co.data)
291 der_free_octet_string(&co);
292 else
293 rk_xfree(p);
294 if (ret)
295 hx509_err(context, 1, ret, "hx509_cms_verify_signed");
296
297 {
298 char *str;
299 der_print_heim_oid(&type, '.', &str);
300 printf("type: %s\n", str);
301 free(str);
302 der_free_oid(&type);
303 }
304 if (signers == NULL) {
305 printf("unsigned\n");
306 } else {
307 printf("signers:\n");
308 hx509_certs_iter_f(context, signers, hx509_ci_print_names, stdout);
309 }
310
311 hx509_verify_destroy_ctx(ctx);
312
313 hx509_certs_free(&store);
314 hx509_certs_free(&signers);
315 hx509_certs_free(&anchors);
316
317 hx509_lock_free(lock);
318
319 if (argc > 1) {
320 ret = _hx509_write_file(argv[1], c.data, c.length);
321 if (ret)
322 errx(1, "hx509_write_file: %d", ret);
323 }
324
325 der_free_octet_string(&c);
326
327 if (sd)
328 _hx509_unmap_file_os(sd);
329
330 return 0;
331 }
332
333 static int
print_signer(hx509_context contextp,void * ctx,hx509_cert cert)334 print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
335 {
336 hx509_pem_header **header = ctx;
337 char *signer_name = NULL;
338 hx509_name name;
339 int ret;
340
341 ret = hx509_cert_get_subject(cert, &name);
342 if (ret)
343 errx(1, "hx509_cert_get_subject");
344
345 ret = hx509_name_to_string(name, &signer_name);
346 hx509_name_free(&name);
347 if (ret)
348 errx(1, "hx509_name_to_string");
349
350 hx509_pem_add_header(header, "Signer", signer_name);
351
352 free(signer_name);
353 return 0;
354 }
355
356 int
cms_create_sd(struct cms_create_sd_options * opt,int argc,char ** argv)357 cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
358 {
359 heim_oid contentType;
360 hx509_peer_info peer = NULL;
361 heim_octet_string o;
362 hx509_query *q;
363 hx509_lock lock;
364 hx509_certs store, pool, anchors, signer = NULL;
365 size_t sz;
366 void *p;
367 int ret, flags = 0;
368 char *infile, *outfile = NULL;
369
370 memset(&contentType, 0, sizeof(contentType));
371
372 infile = argv[0];
373
374 if (argc < 2) {
375 asprintf(&outfile, "%s.%s", infile,
376 opt->pem_flag ? "pem" : "cms-signeddata");
377 if (outfile == NULL)
378 errx(1, "out of memory");
379 } else
380 outfile = argv[1];
381
382 hx509_lock_init(context, &lock);
383 lock_strings(lock, &opt->pass_strings);
384
385 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
386 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
387 ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool);
388 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
389
390 certs_strings(context, "store", store, lock, &opt->certificate_strings);
391 certs_strings(context, "pool", pool, lock, &opt->pool_strings);
392
393 if (opt->anchors_strings.num_strings) {
394 ret = hx509_certs_init(context, "MEMORY:cert-anchors",
395 0, NULL, &anchors);
396 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
397 certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
398 } else
399 anchors = NULL;
400
401 if (opt->detached_signature_flag)
402 flags |= HX509_CMS_SIGNATURE_DETACHED;
403 if (opt->id_by_name_flag)
404 flags |= HX509_CMS_SIGNATURE_ID_NAME;
405 if (!opt->signer_flag) {
406 flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
407
408 }
409
410 if (opt->signer_flag) {
411 ret = hx509_query_alloc(context, &q);
412 if (ret)
413 errx(1, "hx509_query_alloc: %d", ret);
414
415 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
416 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
417
418 if (opt->signer_string)
419 hx509_query_match_friendly_name(q, opt->signer_string);
420
421 ret = hx509_certs_filter(context, store, q, &signer);
422 hx509_query_free(context, q);
423 if (ret)
424 hx509_err(context, 1, ret, "hx509_certs_find");
425 }
426 if (!opt->embedded_certs_flag)
427 flags |= HX509_CMS_SIGNATURE_NO_CERTS;
428 if (opt->embed_leaf_only_flag)
429 flags |= HX509_CMS_SIGNATURE_LEAF_ONLY;
430
431 ret = rk_undumpdata(infile, &p, &sz);
432 if (ret)
433 err(1, "map_file: %s: %d", infile, ret);
434
435 if (opt->peer_alg_strings.num_strings)
436 peer_strings(context, &peer, &opt->peer_alg_strings);
437
438 parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
439
440 ret = hx509_cms_create_signed(context,
441 flags,
442 &contentType,
443 p,
444 sz,
445 NULL,
446 signer,
447 peer,
448 anchors,
449 pool,
450 &o);
451 if (ret)
452 hx509_err(context, 1, ret, "hx509_cms_create_signed: %d", ret);
453
454 hx509_certs_free(&anchors);
455 hx509_certs_free(&pool);
456 hx509_certs_free(&store);
457 rk_xfree(p);
458 hx509_lock_free(lock);
459 hx509_peer_info_free(peer);
460 der_free_oid(&contentType);
461
462 if (opt->content_info_flag) {
463 heim_octet_string wo;
464
465 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &o, &wo);
466 if (ret)
467 errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
468
469 der_free_octet_string(&o);
470 o = wo;
471 }
472
473 if (opt->pem_flag) {
474 hx509_pem_header *header = NULL;
475 FILE *f;
476
477 hx509_pem_add_header(&header, "Content-disposition",
478 opt->detached_signature_flag ?
479 "detached" : "inline");
480 if (signer) {
481 ret = hx509_certs_iter_f(context, signer, print_signer, header);
482 if (ret)
483 hx509_err(context, 1, ret, "print signer");
484 }
485
486 f = fopen(outfile, "w");
487 if (f == NULL)
488 err(1, "open %s", outfile);
489
490 ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f,
491 o.data, o.length);
492 fclose(f);
493 hx509_pem_free_header(header);
494 if (ret)
495 errx(1, "hx509_pem_write: %d", ret);
496
497 } else {
498 ret = _hx509_write_file(outfile, o.data, o.length);
499 if (ret)
500 errx(1, "hx509_write_file: %d", ret);
501 }
502
503 hx509_certs_free(&signer);
504 free(o.data);
505
506 return 0;
507 }
508
509 int
cms_unenvelope(struct cms_unenvelope_options * opt,int argc,char ** argv)510 cms_unenvelope(struct cms_unenvelope_options *opt, int argc, char **argv)
511 {
512 heim_oid contentType = { 0, NULL };
513 heim_octet_string o, co;
514 hx509_certs certs;
515 size_t sz;
516 void *p;
517 int ret;
518 hx509_lock lock;
519 int flags = 0;
520
521 hx509_lock_init(context, &lock);
522 lock_strings(lock, &opt->pass_strings);
523
524 ret = rk_undumpdata(argv[0], &p, &sz);
525 if (ret)
526 err(1, "map_file: %s: %d", argv[0], ret);
527
528 co.data = p;
529 co.length = sz;
530
531 if (opt->content_info_flag) {
532 heim_octet_string uwco;
533 heim_oid oid;
534
535 ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
536 if (ret)
537 errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
538
539 if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_envelopedData) != 0)
540 errx(1, "Content is not SignedData");
541 der_free_oid(&oid);
542
543 co = uwco;
544 }
545
546 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
547 if (ret)
548 errx(1, "hx509_certs_init: MEMORY: %d", ret);
549
550 certs_strings(context, "store", certs, lock, &opt->certificate_strings);
551
552 if (opt->allow_weak_crypto_flag)
553 flags |= HX509_CMS_UE_ALLOW_WEAK;
554
555 ret = hx509_cms_unenvelope(context, certs, flags, co.data, co.length,
556 NULL, 0, &contentType, &o);
557 if (co.data != p)
558 der_free_octet_string(&co);
559 if (ret)
560 hx509_err(context, 1, ret, "hx509_cms_unenvelope");
561
562 rk_xfree(p);
563 hx509_lock_free(lock);
564 hx509_certs_free(&certs);
565 der_free_oid(&contentType);
566
567 ret = _hx509_write_file(argv[1], o.data, o.length);
568 if (ret)
569 errx(1, "hx509_write_file: %d", ret);
570
571 der_free_octet_string(&o);
572
573 return 0;
574 }
575
576 int
cms_create_enveloped(struct cms_envelope_options * opt,int argc,char ** argv)577 cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv)
578 {
579 heim_oid contentType;
580 heim_octet_string o;
581 const heim_oid *enctype = NULL;
582 hx509_query *q;
583 hx509_certs certs;
584 hx509_cert cert;
585 int ret;
586 size_t sz;
587 void *p;
588 hx509_lock lock;
589 int flags = 0;
590
591 memset(&contentType, 0, sizeof(contentType));
592
593 hx509_lock_init(context, &lock);
594 lock_strings(lock, &opt->pass_strings);
595
596 ret = rk_undumpdata(argv[0], &p, &sz);
597 if (ret)
598 err(1, "map_file: %s: %d", argv[0], ret);
599
600 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
601 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
602
603 certs_strings(context, "store", certs, lock, &opt->certificate_strings);
604
605 if (opt->allow_weak_crypto_flag)
606 flags |= HX509_CMS_EV_ALLOW_WEAK;
607
608 if (opt->encryption_type_string) {
609 enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string);
610 if (enctype == NULL)
611 errx(1, "encryption type: %s no found",
612 opt->encryption_type_string);
613 }
614
615 ret = hx509_query_alloc(context, &q);
616 if (ret)
617 errx(1, "hx509_query_alloc: %d", ret);
618
619 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
620
621 ret = hx509_certs_find(context, certs, q, &cert);
622 hx509_query_free(context, q);
623 if (ret)
624 errx(1, "hx509_certs_find: %d", ret);
625
626 parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
627
628 ret = hx509_cms_envelope_1(context, flags, cert, p, sz, enctype,
629 &contentType, &o);
630 if (ret)
631 errx(1, "hx509_cms_envelope_1: %d", ret);
632
633 hx509_cert_free(cert);
634 hx509_certs_free(&certs);
635 rk_xfree(p);
636 der_free_oid(&contentType);
637
638 if (opt->content_info_flag) {
639 heim_octet_string wo;
640
641 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_envelopedData, &o, &wo);
642 if (ret)
643 errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
644
645 der_free_octet_string(&o);
646 o = wo;
647 }
648
649 hx509_lock_free(lock);
650
651 ret = _hx509_write_file(argv[1], o.data, o.length);
652 if (ret)
653 errx(1, "hx509_write_file: %d", ret);
654
655 der_free_octet_string(&o);
656
657 return 0;
658 }
659
660 static void
print_certificate(hx509_context hxcontext,hx509_cert cert,int verbose)661 print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
662 {
663 const char *fn;
664 int ret;
665
666 fn = hx509_cert_get_friendly_name(cert);
667 if (fn)
668 printf(" friendly name: %s\n", fn);
669 printf(" private key: %s\n",
670 _hx509_cert_private_key(cert) ? "yes" : "no");
671
672 ret = hx509_print_cert(hxcontext, cert, NULL);
673 if (ret)
674 errx(1, "failed to print cert");
675
676 if (verbose) {
677 hx509_validate_ctx vctx;
678
679 hx509_validate_ctx_init(hxcontext, &vctx);
680 hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout);
681 hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE);
682 hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE);
683
684 hx509_validate_cert(hxcontext, vctx, cert);
685
686 hx509_validate_ctx_free(vctx);
687 }
688 }
689
690
691 struct print_s {
692 int counter;
693 int verbose;
694 };
695
696 static int
print_f(hx509_context hxcontext,void * ctx,hx509_cert cert)697 print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
698 {
699 struct print_s *s = ctx;
700
701 printf("cert: %d\n", s->counter++);
702 print_certificate(context, cert, s->verbose);
703
704 return 0;
705 }
706
707 int
pcert_print(struct print_options * opt,int argc,char ** argv)708 pcert_print(struct print_options *opt, int argc, char **argv)
709 {
710 hx509_certs certs;
711 hx509_lock lock;
712 struct print_s s;
713
714 s.counter = 0;
715 s.verbose = opt->content_flag;
716
717 hx509_lock_init(context, &lock);
718 lock_strings(lock, &opt->pass_strings);
719
720 while(argc--) {
721 int ret;
722 ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
723 if (ret) {
724 if (opt->never_fail_flag) {
725 printf("ignoreing failure: %d\n", ret);
726 continue;
727 }
728 hx509_err(context, 1, ret, "hx509_certs_init");
729 }
730 if (opt->info_flag)
731 hx509_certs_info(context, certs, NULL, NULL);
732 hx509_certs_iter_f(context, certs, print_f, &s);
733 hx509_certs_free(&certs);
734 argv++;
735 }
736
737 hx509_lock_free(lock);
738
739 return 0;
740 }
741
742
743 static int
validate_f(hx509_context hxcontext,void * ctx,hx509_cert c)744 validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
745 {
746 hx509_validate_cert(hxcontext, ctx, c);
747 return 0;
748 }
749
750 int
pcert_validate(struct validate_options * opt,int argc,char ** argv)751 pcert_validate(struct validate_options *opt, int argc, char **argv)
752 {
753 hx509_validate_ctx ctx;
754 hx509_certs certs;
755 hx509_lock lock;
756
757 hx509_lock_init(context, &lock);
758 lock_strings(lock, &opt->pass_strings);
759
760 hx509_validate_ctx_init(context, &ctx);
761 hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout);
762 hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
763
764 while(argc--) {
765 int ret;
766 ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
767 if (ret)
768 errx(1, "hx509_certs_init: %d", ret);
769 hx509_certs_iter_f(context, certs, validate_f, ctx);
770 hx509_certs_free(&certs);
771 argv++;
772 }
773 hx509_validate_ctx_free(ctx);
774
775 hx509_lock_free(lock);
776
777 return 0;
778 }
779
780 int
certificate_copy(struct certificate_copy_options * opt,int argc,char ** argv)781 certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
782 {
783 hx509_certs certs;
784 hx509_lock inlock, outlock = NULL;
785 int ret;
786
787 hx509_lock_init(context, &inlock);
788 lock_strings(inlock, &opt->in_pass_strings);
789
790 if (opt->out_pass_string) {
791 hx509_lock_init(context, &outlock);
792 ret = hx509_lock_command_string(outlock, opt->out_pass_string);
793 if (ret)
794 errx(1, "hx509_lock_command_string: %s: %d",
795 opt->out_pass_string, ret);
796 }
797
798 ret = hx509_certs_init(context, argv[argc - 1],
799 HX509_CERTS_CREATE, inlock, &certs);
800 if (ret)
801 hx509_err(context, 1, ret, "hx509_certs_init");
802
803 while(argc-- > 1) {
804 int retx;
805 retx = hx509_certs_append(context, certs, inlock, argv[0]);
806 if (retx)
807 hx509_err(context, 1, retx, "hx509_certs_append");
808 argv++;
809 }
810
811 ret = hx509_certs_store(context, certs, 0, outlock);
812 if (ret)
813 hx509_err(context, 1, ret, "hx509_certs_store");
814
815 hx509_certs_free(&certs);
816 hx509_lock_free(inlock);
817 hx509_lock_free(outlock);
818
819 return 0;
820 }
821
822 struct verify {
823 hx509_verify_ctx ctx;
824 hx509_certs chain;
825 const char *hostname;
826 int errors;
827 int count;
828 };
829
830 static int
verify_f(hx509_context hxcontext,void * ctx,hx509_cert c)831 verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
832 {
833 struct verify *v = ctx;
834 int ret;
835
836 ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain);
837 if (ret) {
838 char *s = hx509_get_error_string(hxcontext, ret);
839 printf("verify_path: %s: %d\n", s, ret);
840 hx509_free_error_string(s);
841 v->errors++;
842 } else {
843 v->count++;
844 printf("path ok\n");
845 }
846
847 if (v->hostname) {
848 ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME,
849 v->hostname, NULL, 0);
850 if (ret) {
851 printf("verify_hostname: %d\n", ret);
852 v->errors++;
853 }
854 }
855
856 return 0;
857 }
858
859 int
pcert_verify(struct verify_options * opt,int argc,char ** argv)860 pcert_verify(struct verify_options *opt, int argc, char **argv)
861 {
862 hx509_certs anchors, chain, certs;
863 hx509_revoke_ctx revoke_ctx;
864 hx509_verify_ctx ctx;
865 struct verify v;
866 int ret;
867
868 memset(&v, 0, sizeof(v));
869
870 if (opt->missing_revoke_flag)
871 hx509_context_set_missing_revoke(context, 1);
872
873 ret = hx509_verify_init_ctx(context, &ctx);
874 if (ret)
875 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
876 ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors);
877 if (ret)
878 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
879 ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain);
880 if (ret)
881 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
882 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
883 if (ret)
884 hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
885
886 if (opt->allow_proxy_certificate_flag)
887 hx509_verify_set_proxy_certificate(ctx, 1);
888
889 if (opt->time_string) {
890 const char *p;
891 struct tm tm;
892 time_t t;
893
894 memset(&tm, 0, sizeof(tm));
895
896 p = strptime (opt->time_string, "%Y-%m-%d", &tm);
897 if (p == NULL)
898 errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d",
899 opt->time_string);
900
901 t = tm2time (tm, 0);
902
903 hx509_verify_set_time(ctx, t);
904 }
905
906 if (opt->hostname_string)
907 v.hostname = opt->hostname_string;
908 if (opt->max_depth_integer)
909 hx509_verify_set_max_depth(ctx, opt->max_depth_integer);
910
911 ret = hx509_revoke_init(context, &revoke_ctx);
912 if (ret)
913 errx(1, "hx509_revoke_init: %d", ret);
914
915 while(argc--) {
916 char *s = *argv++;
917
918 if (strncmp(s, "chain:", 6) == 0) {
919 s += 6;
920
921 ret = hx509_certs_append(context, chain, NULL, s);
922 if (ret)
923 hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
924
925 } else if (strncmp(s, "anchor:", 7) == 0) {
926 s += 7;
927
928 ret = hx509_certs_append(context, anchors, NULL, s);
929 if (ret)
930 hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
931
932 } else if (strncmp(s, "cert:", 5) == 0) {
933 s += 5;
934
935 ret = hx509_certs_append(context, certs, NULL, s);
936 if (ret)
937 hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d",
938 s, ret);
939
940 } else if (strncmp(s, "crl:", 4) == 0) {
941 s += 4;
942
943 ret = hx509_revoke_add_crl(context, revoke_ctx, s);
944 if (ret)
945 errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
946
947 } else if (strncmp(s, "ocsp:", 4) == 0) {
948 s += 5;
949
950 ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
951 if (ret)
952 errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
953
954 } else {
955 errx(1, "unknown option to verify: `%s'\n", s);
956 }
957 }
958
959 hx509_verify_attach_anchors(ctx, anchors);
960 hx509_verify_attach_revoke(ctx, revoke_ctx);
961
962 v.ctx = ctx;
963 v.chain = chain;
964
965 hx509_certs_iter_f(context, certs, verify_f, &v);
966
967 hx509_verify_destroy_ctx(ctx);
968
969 hx509_certs_free(&certs);
970 hx509_certs_free(&chain);
971 hx509_certs_free(&anchors);
972
973 hx509_revoke_free(&revoke_ctx);
974
975
976 if (v.count == 0) {
977 printf("no certs verify at all\n");
978 return 1;
979 }
980
981 if (v.errors) {
982 printf("failed verifing %d checks\n", v.errors);
983 return 1;
984 }
985
986 return 0;
987 }
988
989 int
query(struct query_options * opt,int argc,char ** argv)990 query(struct query_options *opt, int argc, char **argv)
991 {
992 hx509_lock lock;
993 hx509_query *q;
994 hx509_certs certs;
995 hx509_cert c;
996 int ret;
997
998 ret = hx509_query_alloc(context, &q);
999 if (ret)
1000 errx(1, "hx509_query_alloc: %d", ret);
1001
1002 hx509_lock_init(context, &lock);
1003 lock_strings(lock, &opt->pass_strings);
1004
1005 ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
1006 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1007
1008 while (argc > 0) {
1009
1010 ret = hx509_certs_append(context, certs, lock, argv[0]);
1011 if (ret)
1012 errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
1013
1014 argc--;
1015 argv++;
1016 }
1017
1018 if (opt->friendlyname_string)
1019 hx509_query_match_friendly_name(q, opt->friendlyname_string);
1020
1021 if (opt->eku_string) {
1022 heim_oid oid;
1023
1024 parse_oid(opt->eku_string, NULL, &oid);
1025
1026 ret = hx509_query_match_eku(q, &oid);
1027 if (ret)
1028 errx(1, "hx509_query_match_eku: %d", ret);
1029 der_free_oid(&oid);
1030 }
1031
1032 if (opt->private_key_flag)
1033 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1034
1035 if (opt->keyEncipherment_flag)
1036 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
1037
1038 if (opt->digitalSignature_flag)
1039 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
1040
1041 if (opt->expr_string)
1042 hx509_query_match_expr(context, q, opt->expr_string);
1043
1044 ret = hx509_certs_find(context, certs, q, &c);
1045 hx509_query_free(context, q);
1046 if (ret)
1047 printf("no match found (%d)\n", ret);
1048 else {
1049 printf("match found\n");
1050 if (opt->print_flag)
1051 print_certificate(context, c, 0);
1052 }
1053
1054 hx509_cert_free(c);
1055 hx509_certs_free(&certs);
1056
1057 hx509_lock_free(lock);
1058
1059 return ret;
1060 }
1061
1062 int
ocsp_fetch(struct ocsp_fetch_options * opt,int argc,char ** argv)1063 ocsp_fetch(struct ocsp_fetch_options *opt, int argc, char **argv)
1064 {
1065 hx509_certs reqcerts, pool;
1066 heim_octet_string req, nonce_data, *nonce = &nonce_data;
1067 hx509_lock lock;
1068 int i, ret;
1069 char *file;
1070 const char *url = "/";
1071
1072 memset(&nonce, 0, sizeof(nonce));
1073
1074 hx509_lock_init(context, &lock);
1075 lock_strings(lock, &opt->pass_strings);
1076
1077 /* no nonce */
1078 if (!opt->nonce_flag)
1079 nonce = NULL;
1080
1081 if (opt->url_path_string)
1082 url = opt->url_path_string;
1083
1084 ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool);
1085 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1086
1087 certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings);
1088
1089 file = argv[0];
1090
1091 ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts);
1092 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1093
1094 for (i = 1; i < argc; i++) {
1095 ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
1096 if (ret)
1097 errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
1098 }
1099
1100 ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
1101 if (ret)
1102 errx(1, "hx509_ocsp_request: req: %d", ret);
1103
1104 {
1105 FILE *f;
1106
1107 f = fopen(file, "w");
1108 if (f == NULL)
1109 abort();
1110
1111 fprintf(f,
1112 "POST %s HTTP/1.0\r\n"
1113 "Content-Type: application/ocsp-request\r\n"
1114 "Content-Length: %ld\r\n"
1115 "\r\n",
1116 url,
1117 (unsigned long)req.length);
1118 fwrite(req.data, req.length, 1, f);
1119 fclose(f);
1120 }
1121
1122 if (nonce)
1123 der_free_octet_string(nonce);
1124
1125 hx509_certs_free(&reqcerts);
1126 hx509_certs_free(&pool);
1127
1128 return 0;
1129 }
1130
1131 int
ocsp_print(struct ocsp_print_options * opt,int argc,char ** argv)1132 ocsp_print(struct ocsp_print_options *opt, int argc, char **argv)
1133 {
1134 hx509_revoke_ocsp_print(context, argv[0], stdout);
1135 return 0;
1136 }
1137
1138 /*
1139 *
1140 */
1141
1142 static int
verify_o(hx509_context hxcontext,void * ctx,hx509_cert c)1143 verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
1144 {
1145 heim_octet_string *os = ctx;
1146 time_t expiration;
1147 int ret;
1148
1149 ret = hx509_ocsp_verify(context, 0, c, 0,
1150 os->data, os->length, &expiration);
1151 if (ret) {
1152 char *s = hx509_get_error_string(hxcontext, ret);
1153 printf("ocsp_verify: %s: %d\n", s, ret);
1154 hx509_free_error_string(s);
1155 } else
1156 printf("expire: %d\n", (int)expiration);
1157
1158 return ret;
1159 }
1160
1161
1162 int
ocsp_verify(struct ocsp_verify_options * opt,int argc,char ** argv)1163 ocsp_verify(struct ocsp_verify_options *opt, int argc, char **argv)
1164 {
1165 hx509_lock lock;
1166 hx509_certs certs;
1167 int ret, i;
1168 heim_octet_string os;
1169
1170 hx509_lock_init(context, &lock);
1171
1172 if (opt->ocsp_file_string == NULL)
1173 errx(1, "no ocsp file given");
1174
1175 ret = _hx509_map_file_os(opt->ocsp_file_string, &os);
1176 if (ret)
1177 err(1, "map_file: %s: %d", argv[0], ret);
1178
1179 ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs);
1180 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1181
1182 for (i = 0; i < argc; i++) {
1183 ret = hx509_certs_append(context, certs, lock, argv[i]);
1184 if (ret)
1185 hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
1186 }
1187
1188 ret = hx509_certs_iter_f(context, certs, verify_o, &os);
1189
1190 hx509_certs_free(&certs);
1191 _hx509_unmap_file_os(&os);
1192 hx509_lock_free(lock);
1193
1194 return ret;
1195 }
1196
1197 static int
read_private_key(const char * fn,hx509_private_key * key)1198 read_private_key(const char *fn, hx509_private_key *key)
1199 {
1200 hx509_private_key *keys;
1201 hx509_certs certs;
1202 int ret;
1203
1204 *key = NULL;
1205
1206 ret = hx509_certs_init(context, fn, 0, NULL, &certs);
1207 if (ret)
1208 hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
1209
1210 ret = _hx509_certs_keys_get(context, certs, &keys);
1211 hx509_certs_free(&certs);
1212 if (ret)
1213 hx509_err(context, 1, ret, "hx509_certs_keys_get");
1214 if (keys[0] == NULL)
1215 errx(1, "no keys in key store: %s", fn);
1216
1217 *key = _hx509_private_key_ref(keys[0]);
1218 _hx509_certs_keys_free(context, keys);
1219
1220 return 0;
1221 }
1222
1223 static void
get_key(const char * fn,const char * type,int optbits,hx509_private_key * signer)1224 get_key(const char *fn, const char *type, int optbits,
1225 hx509_private_key *signer)
1226 {
1227 int ret;
1228
1229 if (type) {
1230 BIGNUM *e;
1231 RSA *rsa;
1232 unsigned char *p0, *p;
1233 size_t len;
1234 int bits = 1024;
1235
1236 if (fn == NULL)
1237 errx(1, "no key argument, don't know here to store key");
1238
1239 if (strcasecmp(type, "rsa") != 0)
1240 errx(1, "can only handle rsa keys for now");
1241
1242 e = BN_new();
1243 BN_set_word(e, 0x10001);
1244
1245 if (optbits)
1246 bits = optbits;
1247
1248 rsa = RSA_new();
1249 if(rsa == NULL)
1250 errx(1, "RSA_new failed");
1251
1252 ret = RSA_generate_key_ex(rsa, bits, e, NULL);
1253 if(ret != 1)
1254 errx(1, "RSA_new failed");
1255
1256 BN_free(e);
1257
1258 len = i2d_RSAPrivateKey(rsa, NULL);
1259
1260 p0 = p = malloc(len);
1261 if (p == NULL)
1262 errx(1, "out of memory");
1263
1264 i2d_RSAPrivateKey(rsa, &p);
1265
1266 rk_dumpdata(fn, p0, len);
1267 memset(p0, 0, len);
1268 free(p0);
1269
1270 RSA_free(rsa);
1271
1272 } else if (fn == NULL)
1273 err(1, "no private key");
1274
1275 ret = read_private_key(fn, signer);
1276 if (ret)
1277 err(1, "read_private_key");
1278 }
1279
1280 int
request_create(struct request_create_options * opt,int argc,char ** argv)1281 request_create(struct request_create_options *opt, int argc, char **argv)
1282 {
1283 heim_octet_string request;
1284 hx509_request req;
1285 int ret, i;
1286 hx509_private_key signer;
1287 SubjectPublicKeyInfo key;
1288 const char *outfile = argv[0];
1289
1290 memset(&key, 0, sizeof(key));
1291 memset(&signer, 0, sizeof(signer));
1292
1293 get_key(opt->key_string,
1294 opt->generate_key_string,
1295 opt->key_bits_integer,
1296 &signer);
1297
1298 hx509_request_init(context, &req);
1299
1300 if (opt->subject_string) {
1301 hx509_name name = NULL;
1302
1303 ret = hx509_parse_name(context, opt->subject_string, &name);
1304 if (ret)
1305 errx(1, "hx509_parse_name: %d\n", ret);
1306 hx509_request_set_name(context, req, name);
1307
1308 if (opt->verbose_flag) {
1309 char *s;
1310 hx509_name_to_string(name, &s);
1311 printf("%s\n", s);
1312 }
1313 hx509_name_free(&name);
1314 }
1315
1316 for (i = 0; i < opt->email_strings.num_strings; i++) {
1317 ret = _hx509_request_add_email(context, req,
1318 opt->email_strings.strings[i]);
1319 if (ret)
1320 hx509_err(context, 1, ret, "hx509_request_add_email");
1321 }
1322
1323 for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
1324 ret = _hx509_request_add_dns_name(context, req,
1325 opt->dnsname_strings.strings[i]);
1326 if (ret)
1327 hx509_err(context, 1, ret, "hx509_request_add_dns_name");
1328 }
1329
1330
1331 ret = hx509_private_key2SPKI(context, signer, &key);
1332 if (ret)
1333 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1334
1335 ret = hx509_request_set_SubjectPublicKeyInfo(context,
1336 req,
1337 &key);
1338 free_SubjectPublicKeyInfo(&key);
1339 if (ret)
1340 hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
1341
1342 ret = _hx509_request_to_pkcs10(context,
1343 req,
1344 signer,
1345 &request);
1346 if (ret)
1347 hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
1348
1349 hx509_private_key_free(&signer);
1350 hx509_request_free(&req);
1351
1352 if (ret == 0)
1353 rk_dumpdata(outfile, request.data, request.length);
1354 der_free_octet_string(&request);
1355
1356 return 0;
1357 }
1358
1359 int
request_print(struct request_print_options * opt,int argc,char ** argv)1360 request_print(struct request_print_options *opt, int argc, char **argv)
1361 {
1362 int ret, i;
1363
1364 printf("request print\n");
1365
1366 for (i = 0; i < argc; i++) {
1367 hx509_request req;
1368
1369 ret = _hx509_request_parse(context, argv[i], &req);
1370 if (ret)
1371 hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
1372
1373 ret = _hx509_request_print(context, req, stdout);
1374 hx509_request_free(&req);
1375 if (ret)
1376 hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
1377 }
1378
1379 return 0;
1380 }
1381
1382 int
info(void * opt,int argc,char ** argv)1383 info(void *opt, int argc, char **argv)
1384 {
1385
1386 ENGINE_add_conf_module();
1387
1388 {
1389 const RSA_METHOD *m = RSA_get_default_method();
1390 if (m != NULL)
1391 printf("rsa: %s\n", RSA_meth_get0_name(m));
1392 }
1393 {
1394 const DH_METHOD *m = DH_get_default_method();
1395 if (m != NULL)
1396 printf("dh: %s\n", DH_meth_get0_name(m));
1397 }
1398 #ifdef HAVE_OPENSSL
1399 {
1400 printf("ecdsa: ECDSA_METHOD-not-export\n");
1401 }
1402 #else
1403 {
1404 printf("ecdsa: hcrypto null\n");
1405 }
1406 #endif
1407 {
1408 int ret = RAND_status();
1409 printf("rand: %s\n", ret == 1 ? "ok" : "not available");
1410 }
1411
1412 return 0;
1413 }
1414
1415 int
random_data(void * opt,int argc,char ** argv)1416 random_data(void *opt, int argc, char **argv)
1417 {
1418 void *ptr;
1419 int len, ret;
1420
1421 len = parse_bytes(argv[0], "byte");
1422 if (len <= 0) {
1423 fprintf(stderr, "bad argument to random-data\n");
1424 return 1;
1425 }
1426
1427 ptr = malloc(len);
1428 if (ptr == NULL) {
1429 fprintf(stderr, "out of memory\n");
1430 return 1;
1431 }
1432
1433 ret = RAND_bytes(ptr, len);
1434 if (ret != 1) {
1435 free(ptr);
1436 fprintf(stderr, "did not get cryptographic strong random\n");
1437 return 1;
1438 }
1439
1440 fwrite(ptr, len, 1, stdout);
1441 fflush(stdout);
1442
1443 free(ptr);
1444
1445 return 0;
1446 }
1447
1448 int
crypto_available(struct crypto_available_options * opt,int argc,char ** argv)1449 crypto_available(struct crypto_available_options *opt, int argc, char **argv)
1450 {
1451 AlgorithmIdentifier *val;
1452 unsigned int len, i;
1453 int ret, type = HX509_SELECT_ALL;
1454
1455 if (opt->type_string) {
1456 if (strcmp(opt->type_string, "all") == 0)
1457 type = HX509_SELECT_ALL;
1458 else if (strcmp(opt->type_string, "digest") == 0)
1459 type = HX509_SELECT_DIGEST;
1460 else if (strcmp(opt->type_string, "public-sig") == 0)
1461 type = HX509_SELECT_PUBLIC_SIG;
1462 else if (strcmp(opt->type_string, "secret") == 0)
1463 type = HX509_SELECT_SECRET_ENC;
1464 else
1465 errx(1, "unknown type: %s", opt->type_string);
1466 }
1467
1468 ret = hx509_crypto_available(context, type, NULL, &val, &len);
1469 if (ret)
1470 errx(1, "hx509_crypto_available");
1471
1472 for (i = 0; i < len; i++) {
1473 char *s;
1474 der_print_heim_oid (&val[i].algorithm, '.', &s);
1475 printf("%s\n", s);
1476 free(s);
1477 }
1478
1479 hx509_crypto_free_algs(val, len);
1480
1481 return 0;
1482 }
1483
1484 int
crypto_select(struct crypto_select_options * opt,int argc,char ** argv)1485 crypto_select(struct crypto_select_options *opt, int argc, char **argv)
1486 {
1487 hx509_peer_info peer = NULL;
1488 AlgorithmIdentifier selected;
1489 int ret, type = HX509_SELECT_DIGEST;
1490 char *s;
1491
1492 if (opt->type_string) {
1493 if (strcmp(opt->type_string, "digest") == 0)
1494 type = HX509_SELECT_DIGEST;
1495 else if (strcmp(opt->type_string, "public-sig") == 0)
1496 type = HX509_SELECT_PUBLIC_SIG;
1497 else if (strcmp(opt->type_string, "secret") == 0)
1498 type = HX509_SELECT_SECRET_ENC;
1499 else
1500 errx(1, "unknown type: %s", opt->type_string);
1501 }
1502
1503 if (opt->peer_cmstype_strings.num_strings)
1504 peer_strings(context, &peer, &opt->peer_cmstype_strings);
1505
1506 ret = hx509_crypto_select(context, type, NULL, peer, &selected);
1507 if (ret)
1508 errx(1, "hx509_crypto_available");
1509
1510 der_print_heim_oid (&selected.algorithm, '.', &s);
1511 printf("%s\n", s);
1512 free(s);
1513 free_AlgorithmIdentifier(&selected);
1514
1515 hx509_peer_info_free(peer);
1516
1517 return 0;
1518 }
1519
1520 int
hxtool_hex(struct hex_options * opt,int argc,char ** argv)1521 hxtool_hex(struct hex_options *opt, int argc, char **argv)
1522 {
1523
1524 if (opt->decode_flag) {
1525 char buf[1024], buf2[1024], *p;
1526 ssize_t len;
1527
1528 while(fgets(buf, sizeof(buf), stdin) != NULL) {
1529 buf[strcspn(buf, "\r\n")] = '\0';
1530 p = buf;
1531 while(isspace(*(unsigned char *)p))
1532 p++;
1533 len = hex_decode(p, buf2, strlen(p));
1534 if (len < 0)
1535 errx(1, "hex_decode failed");
1536 if (fwrite(buf2, 1, len, stdout) != (size_t)len)
1537 errx(1, "fwrite failed");
1538 }
1539 } else {
1540 char buf[28], *p;
1541 ssize_t len;
1542
1543 while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) {
1544 len = hex_encode(buf, len, &p);
1545 if (len < 0)
1546 continue;
1547 fprintf(stdout, "%s\n", p);
1548 free(p);
1549 }
1550 }
1551 return 0;
1552 }
1553
1554 struct cert_type_opt {
1555 int pkinit;
1556 };
1557
1558
1559 static int
https_server(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1560 https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1561 {
1562 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1563 }
1564
1565 static int
https_client(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1566 https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1567 {
1568 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
1569 }
1570
1571 static int
peap_server(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1572 peap_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1573 {
1574 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1575 }
1576
1577 static int
pkinit_kdc(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1578 pkinit_kdc(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1579 {
1580 opt->pkinit++;
1581 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkkdcekuoid);
1582 }
1583
1584 static int
pkinit_client(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1585 pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1586 {
1587 int ret;
1588
1589 opt->pkinit++;
1590
1591 ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
1592 if (ret)
1593 return ret;
1594
1595 ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
1596 if (ret)
1597 return ret;
1598
1599 return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkinit_ms_eku);
1600 }
1601
1602 static int
email_client(hx509_context contextp,hx509_ca_tbs tbs,struct cert_type_opt * opt)1603 email_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1604 {
1605 return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection);
1606 }
1607
1608 struct {
1609 const char *type;
1610 const char *desc;
1611 int (*eval)(hx509_context, hx509_ca_tbs, struct cert_type_opt *);
1612 } certtypes[] = {
1613 {
1614 "https-server",
1615 "Used for HTTPS server and many other TLS server certificate types",
1616 https_server
1617 },
1618 {
1619 "https-client",
1620 "Used for HTTPS client certificates",
1621 https_client
1622 },
1623 {
1624 "email-client",
1625 "Certificate will be use for email",
1626 email_client
1627 },
1628 {
1629 "pkinit-client",
1630 "Certificate used for Kerberos PK-INIT client certificates",
1631 pkinit_client
1632 },
1633 {
1634 "pkinit-kdc",
1635 "Certificates used for Kerberos PK-INIT KDC certificates",
1636 pkinit_kdc
1637 },
1638 {
1639 "peap-server",
1640 "Certificate used for Radius PEAP (Protected EAP)",
1641 peap_server
1642 }
1643 };
1644
1645 static void
print_eval_types(FILE * out)1646 print_eval_types(FILE *out)
1647 {
1648 rtbl_t table;
1649 unsigned i;
1650
1651 table = rtbl_create();
1652 rtbl_add_column_by_id (table, 0, "Name", 0);
1653 rtbl_add_column_by_id (table, 1, "Description", 0);
1654
1655 for (i = 0; i < sizeof(certtypes)/sizeof(certtypes[0]); i++) {
1656 rtbl_add_column_entry_by_id(table, 0, certtypes[i].type);
1657 rtbl_add_column_entry_by_id(table, 1, certtypes[i].desc);
1658 }
1659
1660 rtbl_format (table, out);
1661 rtbl_destroy (table);
1662 }
1663
1664 static int
eval_types(hx509_context contextp,hx509_ca_tbs tbs,const struct certificate_sign_options * opt)1665 eval_types(hx509_context contextp,
1666 hx509_ca_tbs tbs,
1667 const struct certificate_sign_options *opt)
1668 {
1669 struct cert_type_opt ctopt;
1670 int i;
1671 size_t j;
1672 int ret;
1673
1674 memset(&ctopt, 0, sizeof(ctopt));
1675
1676 for (i = 0; i < opt->type_strings.num_strings; i++) {
1677 const char *type = opt->type_strings.strings[i];
1678
1679 for (j = 0; j < sizeof(certtypes)/sizeof(certtypes[0]); j++) {
1680 if (strcasecmp(type, certtypes[j].type) == 0) {
1681 ret = (*certtypes[j].eval)(contextp, tbs, &ctopt);
1682 if (ret)
1683 hx509_err(contextp, 1, ret,
1684 "Failed to evaluate cert type %s", type);
1685 break;
1686 }
1687 }
1688 if (j >= sizeof(certtypes)/sizeof(certtypes[0])) {
1689 fprintf(stderr, "Unknown certificate type %s\n\n", type);
1690 fprintf(stderr, "Available types:\n");
1691 print_eval_types(stderr);
1692 exit(1);
1693 }
1694 }
1695
1696 if (opt->pk_init_principal_string) {
1697 if (!ctopt.pkinit)
1698 errx(1, "pk-init principal given but no pk-init oid");
1699
1700 ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs,
1701 opt->pk_init_principal_string);
1702 if (ret)
1703 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
1704 }
1705
1706 if (opt->ms_upn_string) {
1707 if (!ctopt.pkinit)
1708 errx(1, "MS upn given but no pk-init oid");
1709
1710 ret = hx509_ca_tbs_add_san_ms_upn(contextp, tbs, opt->ms_upn_string);
1711 if (ret)
1712 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
1713 }
1714
1715
1716 for (i = 0; i < opt->hostname_strings.num_strings; i++) {
1717 const char *hostname = opt->hostname_strings.strings[i];
1718
1719 ret = hx509_ca_tbs_add_san_hostname(contextp, tbs, hostname);
1720 if (ret)
1721 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1722 }
1723
1724 for (i = 0; i < opt->email_strings.num_strings; i++) {
1725 const char *email = opt->email_strings.strings[i];
1726
1727 ret = hx509_ca_tbs_add_san_rfc822name(contextp, tbs, email);
1728 if (ret)
1729 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1730
1731 ret = hx509_ca_tbs_add_eku(contextp, tbs,
1732 &asn1_oid_id_pkix_kp_emailProtection);
1733 if (ret)
1734 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_eku");
1735 }
1736
1737 if (opt->jid_string) {
1738 ret = hx509_ca_tbs_add_san_jid(contextp, tbs, opt->jid_string);
1739 if (ret)
1740 hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_jid");
1741 }
1742
1743 return 0;
1744 }
1745
1746 int
hxtool_ca(struct certificate_sign_options * opt,int argc,char ** argv)1747 hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
1748 {
1749 int ret;
1750 hx509_ca_tbs tbs;
1751 hx509_cert signer = NULL, cert = NULL;
1752 hx509_private_key private_key = NULL;
1753 hx509_private_key cert_key = NULL;
1754 hx509_name subject = NULL;
1755 SubjectPublicKeyInfo spki;
1756 int delta = 0;
1757
1758 memset(&spki, 0, sizeof(spki));
1759
1760 if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
1761 errx(1, "--ca-certificate argument missing (not using --self-signed)");
1762 if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag)
1763 errx(1, "--ca-private-key argument missing (using --self-signed)");
1764 if (opt->certificate_string == NULL)
1765 errx(1, "--certificate argument missing");
1766
1767 if (opt->template_certificate_string) {
1768 if (opt->template_fields_string == NULL)
1769 errx(1, "--template-certificate not no --template-fields");
1770 }
1771
1772 if (opt->lifetime_string) {
1773 delta = parse_time(opt->lifetime_string, "day");
1774 if (delta < 0)
1775 errx(1, "Invalid lifetime: %s", opt->lifetime_string);
1776 }
1777
1778 if (opt->ca_certificate_string) {
1779 hx509_certs cacerts = NULL;
1780 hx509_query *q;
1781
1782 ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
1783 NULL, &cacerts);
1784 if (ret)
1785 hx509_err(context, 1, ret,
1786 "hx509_certs_init: %s", opt->ca_certificate_string);
1787
1788 ret = hx509_query_alloc(context, &q);
1789 if (ret)
1790 errx(1, "hx509_query_alloc: %d", ret);
1791
1792 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1793 if (!opt->issue_proxy_flag)
1794 hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
1795
1796 ret = hx509_certs_find(context, cacerts, q, &signer);
1797 hx509_query_free(context, q);
1798 hx509_certs_free(&cacerts);
1799 if (ret)
1800 hx509_err(context, 1, ret, "no CA certificate found");
1801 } else if (opt->self_signed_flag) {
1802 if (opt->generate_key_string == NULL
1803 && opt->ca_private_key_string == NULL)
1804 errx(1, "no signing private key");
1805
1806 if (opt->req_string)
1807 errx(1, "can't be self-signing and have a request at the same time");
1808 } else
1809 errx(1, "missing ca key");
1810
1811 if (opt->ca_private_key_string) {
1812
1813 ret = read_private_key(opt->ca_private_key_string, &private_key);
1814 if (ret)
1815 err(1, "read_private_key");
1816
1817 ret = hx509_private_key2SPKI(context, private_key, &spki);
1818 if (ret)
1819 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1820
1821 if (opt->self_signed_flag)
1822 cert_key = private_key;
1823 }
1824
1825 if (opt->req_string) {
1826 hx509_request req;
1827
1828 ret = _hx509_request_parse(context, opt->req_string, &req);
1829 if (ret)
1830 hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
1831 ret = hx509_request_get_name(context, req, &subject);
1832 if (ret)
1833 hx509_err(context, 1, ret, "get name");
1834 ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
1835 if (ret)
1836 hx509_err(context, 1, ret, "get spki");
1837 hx509_request_free(&req);
1838 }
1839
1840 if (opt->generate_key_string) {
1841 struct hx509_generate_private_context *keyctx;
1842
1843 ret = _hx509_generate_private_key_init(context,
1844 &asn1_oid_id_pkcs1_rsaEncryption,
1845 &keyctx);
1846 if (ret)
1847 hx509_err(context, 1, ret, "generate private key");
1848
1849 if (opt->issue_ca_flag)
1850 _hx509_generate_private_key_is_ca(context, keyctx);
1851
1852 if (opt->key_bits_integer)
1853 _hx509_generate_private_key_bits(context, keyctx,
1854 opt->key_bits_integer);
1855
1856 ret = _hx509_generate_private_key(context, keyctx,
1857 &cert_key);
1858 _hx509_generate_private_key_free(&keyctx);
1859 if (ret)
1860 hx509_err(context, 1, ret, "generate private key");
1861
1862 ret = hx509_private_key2SPKI(context, cert_key, &spki);
1863 if (ret)
1864 errx(1, "hx509_private_key2SPKI: %d\n", ret);
1865
1866 if (opt->self_signed_flag)
1867 private_key = cert_key;
1868 }
1869
1870 if (opt->certificate_private_key_string) {
1871 ret = read_private_key(opt->certificate_private_key_string, &cert_key);
1872 if (ret)
1873 err(1, "read_private_key for certificate");
1874 }
1875
1876 if (opt->subject_string) {
1877 if (subject)
1878 hx509_name_free(&subject);
1879 ret = hx509_parse_name(context, opt->subject_string, &subject);
1880 if (ret)
1881 hx509_err(context, 1, ret, "hx509_parse_name");
1882 }
1883
1884 /*
1885 *
1886 */
1887
1888 ret = hx509_ca_tbs_init(context, &tbs);
1889 if (ret)
1890 hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1891
1892 if (opt->template_certificate_string) {
1893 hx509_cert template;
1894 hx509_certs tcerts;
1895 int flags;
1896
1897 ret = hx509_certs_init(context, opt->template_certificate_string, 0,
1898 NULL, &tcerts);
1899 if (ret)
1900 hx509_err(context, 1, ret,
1901 "hx509_certs_init: %s", opt->template_certificate_string);
1902
1903 ret = hx509_get_one_cert(context, tcerts, &template);
1904
1905 hx509_certs_free(&tcerts);
1906 if (ret)
1907 hx509_err(context, 1, ret, "no template certificate found");
1908
1909 flags = parse_units(opt->template_fields_string,
1910 hx509_ca_tbs_template_units(), "");
1911
1912 ret = hx509_ca_tbs_set_template(context, tbs, flags, template);
1913 if (ret)
1914 hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
1915
1916 hx509_cert_free(template);
1917 }
1918
1919 if (opt->serial_number_string) {
1920 heim_integer serialNumber;
1921
1922 ret = der_parse_hex_heim_integer(opt->serial_number_string,
1923 &serialNumber);
1924 if (ret)
1925 err(1, "der_parse_hex_heim_integer");
1926 ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber);
1927 if (ret)
1928 hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1929 der_free_heim_integer(&serialNumber);
1930 }
1931
1932 if (spki.subjectPublicKey.length) {
1933 ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
1934 if (ret)
1935 hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki");
1936 }
1937
1938 if (subject) {
1939 ret = hx509_ca_tbs_set_subject(context, tbs, subject);
1940 if (ret)
1941 hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject");
1942 }
1943
1944 if (opt->crl_uri_string) {
1945 ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs,
1946 opt->crl_uri_string, NULL);
1947 if (ret)
1948 hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri");
1949 }
1950
1951 eval_types(context, tbs, opt);
1952
1953 if (opt->issue_ca_flag) {
1954 ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
1955 if (ret)
1956 hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca");
1957 }
1958 if (opt->issue_proxy_flag) {
1959 ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer);
1960 if (ret)
1961 hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy");
1962 }
1963 if (opt->domain_controller_flag) {
1964 hx509_ca_tbs_set_domaincontroller(context, tbs);
1965 if (ret)
1966 hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller");
1967 }
1968
1969 if (delta) {
1970 ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);
1971 if (ret)
1972 hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
1973 }
1974
1975 if (opt->self_signed_flag) {
1976 ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
1977 if (ret)
1978 hx509_err(context, 1, ret, "hx509_ca_sign_self");
1979 } else {
1980 ret = hx509_ca_sign(context, tbs, signer, &cert);
1981 if (ret)
1982 hx509_err(context, 1, ret, "hx509_ca_sign");
1983 }
1984
1985 if (cert_key) {
1986 ret = _hx509_cert_assign_key(cert, cert_key);
1987 if (ret)
1988 hx509_err(context, 1, ret, "_hx509_cert_assign_key");
1989 }
1990
1991 {
1992 hx509_certs certs;
1993
1994 ret = hx509_certs_init(context, opt->certificate_string,
1995 HX509_CERTS_CREATE, NULL, &certs);
1996 if (ret)
1997 hx509_err(context, 1, ret, "hx509_certs_init");
1998
1999 ret = hx509_certs_add(context, certs, cert);
2000 if (ret)
2001 hx509_err(context, 1, ret, "hx509_certs_add");
2002
2003 ret = hx509_certs_store(context, certs, 0, NULL);
2004 if (ret)
2005 hx509_err(context, 1, ret, "hx509_certs_store");
2006
2007 hx509_certs_free(&certs);
2008 }
2009
2010 if (subject)
2011 hx509_name_free(&subject);
2012 if (signer)
2013 hx509_cert_free(signer);
2014 hx509_cert_free(cert);
2015 free_SubjectPublicKeyInfo(&spki);
2016
2017 if (private_key != cert_key)
2018 hx509_private_key_free(&private_key);
2019 hx509_private_key_free(&cert_key);
2020
2021 hx509_ca_tbs_free(&tbs);
2022
2023 return 0;
2024 }
2025
2026 static int
test_one_cert(hx509_context hxcontext,void * ctx,hx509_cert cert)2027 test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
2028 {
2029 heim_octet_string sd, c;
2030 hx509_verify_ctx vctx = ctx;
2031 hx509_certs signer = NULL;
2032 heim_oid type;
2033 int ret;
2034
2035 if (_hx509_cert_private_key(cert) == NULL)
2036 return 0;
2037
2038 ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0,
2039 NULL, cert, NULL, NULL, NULL, &sd);
2040 if (ret)
2041 errx(1, "hx509_cms_create_signed_1");
2042
2043 ret = hx509_cms_verify_signed(context, vctx, 0, sd.data, sd.length,
2044 NULL, NULL, &type, &c, &signer);
2045 free(sd.data);
2046 if (ret)
2047 hx509_err(context, 1, ret, "hx509_cms_verify_signed");
2048
2049 printf("create-signature verify-sigature done\n");
2050
2051 free(c.data);
2052
2053 return 0;
2054 }
2055
2056 int
test_crypto(struct test_crypto_options * opt,int argc,char ** argv)2057 test_crypto(struct test_crypto_options *opt, int argc, char ** argv)
2058 {
2059 hx509_verify_ctx vctx;
2060 hx509_certs certs;
2061 hx509_lock lock;
2062 int i, ret;
2063
2064 hx509_lock_init(context, &lock);
2065 lock_strings(lock, &opt->pass_strings);
2066
2067 ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs);
2068 if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
2069
2070 for (i = 0; i < argc; i++) {
2071 ret = hx509_certs_append(context, certs, lock, argv[i]);
2072 if (ret)
2073 hx509_err(context, 1, ret, "hx509_certs_append");
2074 }
2075
2076 ret = hx509_verify_init_ctx(context, &vctx);
2077 if (ret)
2078 hx509_err(context, 1, ret, "hx509_verify_init_ctx");
2079
2080 hx509_verify_attach_anchors(vctx, certs);
2081
2082 ret = hx509_certs_iter_f(context, certs, test_one_cert, vctx);
2083 if (ret)
2084 hx509_err(context, 1, ret, "hx509_cert_iter");
2085
2086 hx509_certs_free(&certs);
2087
2088 return 0;
2089 }
2090
2091 int
statistic_print(struct statistic_print_options * opt,int argc,char ** argv)2092 statistic_print(struct statistic_print_options*opt, int argc, char **argv)
2093 {
2094 int type = 0;
2095
2096 if (stat_file_string == NULL)
2097 errx(1, "no stat file");
2098
2099 if (opt->type_integer)
2100 type = opt->type_integer;
2101
2102 hx509_query_unparse_stats(context, type, stdout);
2103 return 0;
2104 }
2105
2106 /*
2107 *
2108 */
2109
2110 int
crl_sign(struct crl_sign_options * opt,int argc,char ** argv)2111 crl_sign(struct crl_sign_options *opt, int argc, char **argv)
2112 {
2113 hx509_crl crl;
2114 heim_octet_string os;
2115 hx509_cert signer = NULL;
2116 hx509_lock lock;
2117 int ret;
2118
2119 hx509_lock_init(context, &lock);
2120 lock_strings(lock, &opt->pass_strings);
2121
2122 ret = hx509_crl_alloc(context, &crl);
2123 if (ret)
2124 errx(1, "crl alloc");
2125
2126 if (opt->signer_string == NULL)
2127 errx(1, "signer missing");
2128
2129 {
2130 hx509_certs certs = NULL;
2131 hx509_query *q;
2132
2133 ret = hx509_certs_init(context, opt->signer_string, 0,
2134 NULL, &certs);
2135 if (ret)
2136 hx509_err(context, 1, ret,
2137 "hx509_certs_init: %s", opt->signer_string);
2138
2139 ret = hx509_query_alloc(context, &q);
2140 if (ret)
2141 hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret);
2142
2143 hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
2144
2145 ret = hx509_certs_find(context, certs, q, &signer);
2146 hx509_query_free(context, q);
2147 hx509_certs_free(&certs);
2148 if (ret)
2149 hx509_err(context, 1, ret, "no signer certificate found");
2150 }
2151
2152 if (opt->lifetime_string) {
2153 int delta;
2154
2155 delta = parse_time(opt->lifetime_string, "day");
2156 if (delta < 0)
2157 errx(1, "Invalid lifetime: %s", opt->lifetime_string);
2158
2159 hx509_crl_lifetime(context, crl, delta);
2160 }
2161
2162 {
2163 hx509_certs revoked = NULL;
2164 int i;
2165
2166 ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0,
2167 NULL, &revoked);
2168 if (ret)
2169 hx509_err(context, 1, ret,
2170 "hx509_certs_init: MEMORY cert");
2171
2172 for (i = 0; i < argc; i++) {
2173 ret = hx509_certs_append(context, revoked, lock, argv[i]);
2174 if (ret)
2175 hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
2176 }
2177
2178 hx509_crl_add_revoked_certs(context, crl, revoked);
2179 hx509_certs_free(&revoked);
2180 }
2181
2182 hx509_crl_sign(context, signer, crl, &os);
2183
2184 if (opt->crl_file_string)
2185 rk_dumpdata(opt->crl_file_string, os.data, os.length);
2186
2187 free(os.data);
2188
2189 hx509_crl_free(context, &crl);
2190 hx509_cert_free(signer);
2191 hx509_lock_free(lock);
2192
2193 return 0;
2194 }
2195
2196 /*
2197 *
2198 */
2199
2200 int
help(void * opt,int argc,char ** argv)2201 help(void *opt, int argc, char **argv)
2202 {
2203 sl_slc_help(commands, argc, argv);
2204 return 0;
2205 }
2206
2207 int
main(int argc,char ** argv)2208 main(int argc, char **argv)
2209 {
2210 int ret, optidx = 0;
2211
2212 setprogname (argv[0]);
2213
2214 if(getarg(args, num_args, argc, argv, &optidx))
2215 usage(1);
2216 if(help_flag)
2217 usage(0);
2218 if(version_flag) {
2219 print_version(NULL);
2220 exit(0);
2221 }
2222 argv += optidx;
2223 argc -= optidx;
2224
2225 if (argc == 0)
2226 usage(1);
2227
2228 ret = hx509_context_init(&context);
2229 if (ret)
2230 errx(1, "hx509_context_init failed with %d", ret);
2231
2232 if (stat_file_string)
2233 hx509_query_statistic_file(context, stat_file_string);
2234
2235 ret = sl_command(commands, argc, argv);
2236 if(ret == -1)
2237 warnx ("unrecognized command: %s", argv[0]);
2238
2239 hx509_context_free(&context);
2240
2241 return ret;
2242 }
2243