author | Martin Willi <martin@revosec.ch> | 2010-07-13 14:14:39 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-07-13 14:14:39 +0200 |
commit | b5b95c75deb01c6a7342f6174c4d79fe90bd8766 (patch) | |
tree | e47ba3b21aa564e23cdb9d72cf71864dee74a067 | |
parent | e3b987f79b44f6e03f1cc58294a319faadd30c77 (diff) | |
download | strongswan-b5b95c75deb01c6a7342f6174c4d79fe90bd8766.tar.bz2 strongswan-b5b95c75deb01c6a7342f6174c4d79fe90bd8766.tar.xz |
Added pki PEM encoding support for certificates, CRLs and PKCS10 requests
-rw-r--r-- | src/pki/commands/gen.c | 2 | ||||
-rw-r--r-- | src/pki/commands/issue.c | 16 | ||||
-rw-r--r-- | src/pki/commands/pub.c | 2 | ||||
-rw-r--r-- | src/pki/commands/req.c | 12 | ||||
-rw-r--r-- | src/pki/commands/self.c | 16 | ||||
-rw-r--r-- | src/pki/commands/signcrl.c | 12 | ||||
-rw-r--r-- | src/pki/pki.c | 53 | ||||
-rw-r--r-- | src/pki/pki.h | 2 |
8 files changed, 90 insertions, 25 deletions
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 0a6571153..33d9cf35d 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -48,7 +48,7 @@ static int gen()
 }
 continue;
 case 'f':
- if (!get_form(arg, &form, FALSE))
+ if (!get_form(arg, &form, CRED_PRIVATE_KEY))
 {
 return command_usage("invalid key output format");
 }
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index d6d26d5a8..2002cd555 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -28,6 +28,7 @@
 */
 static int issue()
 {
+ cred_encoding_type_t form = CERT_ASN1_DER;
 hash_algorithm_t digest = HASH_SHA1;
 certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
 private_key_t *private = NULL;
@@ -107,7 +108,7 @@ static int issue()
 case 'p':
 pathlen = atoi(arg);
 continue;
- case 'f':
+ case 'e':
 if (streq(arg, "serverAuth"))
 {
 flags |= X509_SERVER_AUTH;
@@ -121,6 +122,12 @@ static int issue()
 flags |= X509_OCSP_SIGNER;
 }
 continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
 case 'u':
 cdps->insert_last(cdps, arg);
 continue;
@@ -301,7 +308,7 @@ static int issue()
 error = "generating certificate failed";
 goto end;
 }
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ if (!cert->get_encoding(cert, form, &encoding))
 {
 error = "encoding certificate failed";
 goto end;
@@ -351,7 +358,7 @@ static void __attribute__ ((constructor))reg()
 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "public key/request file to issue, default: stdin"},
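Review bot: The new `case 'f'` in issue() leaves the option loop with `return command_usage(...)`, bypassing the function's normal exit path, while the `cdps->insert_last(cdps, arg)` line right below shows at least one list is already allocated at that point, so a bad `--outform` value leaks it. The impact is small in a one-shot CLI process, but sign_crl() in the signcrl.c hunk shows `goto usage;` directly above its new case, so that command at least has a cleanup label the new case sidesteps; issue() presumably has one too, in which case the case should read `error = "invalid output format"; goto usage;`. The same return-from-loop is added in req.c, self.c and signcrl.c; gen.c and pub.c already used this form before the commit, so the inconsistency is only with the commands that parse options into lists. issue() starts and ends outside this hunk.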
@@ -364,10 +371,11 @@ static void __attribute__ ((constructor))reg()
 {"serial", 's', 1, "serial number in hex, default: random"},
 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
 {"pathlen", 'p', 1, "set path length constraint"},
- {"flag", 'f', 1, "include extendedKeyUsage flag"},
+ {"flag", 'e', 1, "include extendedKeyUsage flag"},
 {"crl", 'u', 1, "CRL distribution point URI to include"},
 {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated cert, default: der"},
 }
 });
 }
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 68831362b..fc2614c7d 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -67,7 +67,7 @@ static int pub()
 }
 continue;
 case 'f':
- if (!get_form(arg, &form, TRUE))
+ if (!get_form(arg, &form, CRED_PUBLIC_KEY))
 {
 return command_usage("invalid output format");
 }
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index c983a324d..a1ae2f515 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -27,6 +27,7 @@
 */
 static int req()
 {
+ cred_encoding_type_t form = CERT_ASN1_DER;
 key_type_t type = KEY_RSA;
 hash_algorithm_t digest = HASH_SHA1;
 certificate_t *cert = NULL;
@@ -81,6 +82,12 @@ static int req()
 case 'p':
 challenge_password = chunk_create(arg, strlen(arg));
 continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
 case EOF:
 break;
 default:
@@ -128,7 +135,7 @@ static int req()
 error = "generating certificate request failed";
 goto end;
 }
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ if (!cert->get_encoding(cert, form, &encoding))
 {
 error = "encoding certificate request failed";
 goto end;
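Review bot: Moving the short letter for `--flag` from `'f'` to `'e'` so that `'f'` can serve the new `--outform` option is a silent command-line compatibility break: an invocation written against the old table such as `-f serverAuth` is now handed to get_form(), which rejects it with "invalid output format" instead of setting the extendedKeyUsage flag. That failure is at least loud rather than quietly issuing a certificate without the intended flag, but neither the commit message nor the usage string mentions the swap, so scripts built on the old letter break without explanation. A changelog or man-page line naming the new `-e` letter, or keeping `'f'` for `--flag` and choosing a free letter for `--outform`, would make the change explicit. self.c receives the same swap in its `@@ -250,9 +257,10 @@` hunk.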
@@ -169,7 +176,7 @@ static void __attribute__ ((constructor))reg()
 {"[--in file] [--type rsa|ecdsa]",
 " --dn distinguished-name [--san subjectAltName]+",
 "[--password challengePassword]",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "private key input file, default: stdin"},
@@ -178,6 +185,7 @@ static void __attribute__ ((constructor))reg()
 {"san", 'a', 1, "subjectAltName to include in cert request"},
 {"password",'p', 1, "challengePassword to include in cert request"},
 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated request, default: der"},
 }
 });
 }
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index aebd883dd..71776c745 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -26,6 +26,7 @@
 */
 static int self()
 {
+ cred_encoding_type_t form = CERT_ASN1_DER;
 key_type_t type = KEY_RSA;
 hash_algorithm_t digest = HASH_SHA1;
 certificate_t *cert = NULL;
@@ -100,7 +101,7 @@ static int self()
 case 'p':
 pathlen = atoi(arg);
 continue;
- case 'f':
+ case 'e':
 if (streq(arg, "serverAuth"))
 {
 flags |= X509_SERVER_AUTH;
@@ -114,6 +115,12 @@ static int self()
 flags |= X509_OCSP_SIGNER;
 }
 continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
 case 'o':
 ocsp->insert_last(ocsp, arg);
 continue;
@@ -193,7 +200,7 @@ static int self()
 error = "generating certificate failed";
 goto end;
 }
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ if (!cert->get_encoding(cert, form, &encoding))
 {
 error = "encoding certificate failed";
 goto end;
@@ -239,7 +246,7 @@ static void __attribute__ ((constructor))reg()
 " --dn distinguished-name [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 "[--flag serverAuth|clientAuth|ocspSigning]+",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "private key input file, default: stdin"},
@@ -250,9 +257,10 @@ static void __attribute__ ((constructor))reg()
 {"serial", 's', 1, "serial number in hex, default: random"},
 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
 {"pathlen", 'p', 1, "set path length constraint"},
- {"flag", 'f', 1, "include extendedKeyUsage flag"},
+ {"flag", 'e', 1, "include extendedKeyUsage flag"},
 {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated cert, default: der"},
 }
 });
 }
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 3d8339289..b7163a153 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -102,6 +102,7 @@ static int read_serial(char *file, char *buf, int buflen)
 */
 static int sign_crl()
 {
+ cred_encoding_type_t form = CERT_ASN1_DER;
 private_key_t *private = NULL;
 public_key_t *public = NULL;
 certificate_t *ca = NULL, *crl = NULL;
@@ -224,6 +225,12 @@ static int sign_crl()
 goto usage;
 }
 continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
 case EOF:
 break;
 default:
@@ -314,7 +321,7 @@ static int sign_crl()
 error = "generating CRL failed";
 goto error;
 }
- if (!crl->get_encoding(crl, CERT_ASN1_DER, &encoding))
+ if (!crl->get_encoding(crl, form, &encoding))
 {
 error = "encoding CRL failed";
 goto error;
@@ -357,7 +364,7 @@ static void __attribute__ ((constructor))reg()
 " superseded|cessation-of-operation|certificate-hold]",
 " [--date timestamp]",
 " --cert file | --serial hex ]*",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"cacert", 'c', 1, "CA certificate file"},
@@ -369,6 +376,7 @@ static void __attribute__ ((constructor))reg()
 {"reason", 'r', 1, "reason for certificate revocation"},
 {"date", 'd', 1, "revocation date as unix timestamp, default: now"},
 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated crl, default: der"},
 }
 });
 }
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 49174047d..d5dd03fa0 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -21,26 +21,59 @@
 /**
 * Convert a form string to a encoding type
 */
-bool get_form(char *form, cred_encoding_type_t *type, bool pub)
+bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 {
 if (streq(form, "der"))
 {
- /* der encoded keys usually contain the complete SubjectPublicKeyInfo */
- *type = pub ? PUBKEY_SPKI_ASN1_DER : PRIVKEY_ASN1_DER;
+ switch (type)
+ {
+ case CRED_CERTIFICATE:
+ *enc = CERT_ASN1_DER;
+ return TRUE;
+ case CRED_PRIVATE_KEY:
+ *enc = PRIVKEY_ASN1_DER;
+ return TRUE;
+ case CRED_PUBLIC_KEY:
+ /* der encoded keys usually contain the complete
+ * SubjectPublicKeyInfo */
+ *enc = PUBKEY_SPKI_ASN1_DER;
+ return TRUE;
+ default:
+ return FALSE;
+ }
 }
 else if (streq(form, "pem"))
 {
- *type = pub ? PUBKEY_PEM : PRIVKEY_PEM;
+ switch (type)
+ {
+ case CRED_CERTIFICATE:
+ *enc = CERT_PEM;
+ return TRUE;
+ case CRED_PRIVATE_KEY:
+ *enc = PRIVKEY_PEM;
+ return TRUE;
+ case CRED_PUBLIC_KEY:
+ *enc = PUBKEY_PEM;
+ return TRUE;
+ default:
+ return FALSE;
+ }
 }
 else if (streq(form, "pgp"))
 {
- *type = pub ? PUBKEY_PGP : PRIVKEY_PGP;
+ switch (type)
+ {
+ case CRED_PRIVATE_KEY:
+ *enc = PRIVKEY_PGP;
+ return TRUE;
+ case CRED_PUBLIC_KEY:
+ *enc = PUBKEY_PGP;
+ return TRUE;
+ default:
+ return FALSE;
+ }
 }
- else
- {
- return FALSE;
- }
- return TRUE;
+ return FALSE;
 }

 /**
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 9867eb5e0..9c145cdc0 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -29,7 +29,7 @@
 /**
 * Convert a form string to a encoding type
 */
-bool get_form(char *form, cred_encoding_type_t *type, bool pub);
+bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);

 /**
 * Convert a digest string to a hash algorithm |
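Review bot: The doc comment above get_form() still says only "Convert a form string to a encoding type" although this hunk changes the contract: the third parameter is now a credential_type_t, and the function returns FALSE both for an unknown form string and for a known form that is not valid for that credential type (for example `pgp` with CRED_CERTIFICATE falls through to the `default:` branch). The comment should name the accepted form strings, state what `enc` receives on success, document `type` as the credential the encoding is requested for, and say the return is TRUE only when the form is valid for that type; `a encoding` should also read `an encoding`. The same comment is repeated in the pki.h hunk that follows, so both copies need the update. Since `form` is only passed to streq(), both the definition here and the declaration in pki.h could take `const char *form` while the signature is being changed anyway. Note that req.c and signcrl.c pass CRED_CERTIFICATE for a PKCS#10 request and a CRL respectively, so the CERT_ASN1_DER/CERT_PEM encodings are being relied on for those credential kinds as well; that looks intended by the commit but deserves a line in the comment.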