pki tool supports single letter short options
[strongswan.git] / src / pki / commands / issue.c
index bd27297..d62de39 100644 (file)
 
 #include "pki.h"
 
+#include <debug.h>
 #include <utils/linked_list.h>
 #include <utils/optionsfrom.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/certificates/pkcs10.h>
 
 /**
  * Issue a certificate using a CA certificate and key
 static int issue(int argc, char *argv[])
 {
        hash_algorithm_t digest = HASH_SHA1;
-       certificate_t *cert = NULL, *ca =NULL;
+       certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
        private_key_t *private = NULL;
        public_key_t *public = NULL;
+       bool pkcs10 = FALSE;
        char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
        char *error = NULL;
        identification_t *id = NULL;
@@ -50,10 +53,13 @@ static int issue(int argc, char *argv[])
 
        while (TRUE)
        {
-               switch (getopt_long(argc, argv, "", command_opts, NULL))
+               switch (getopt_long(argc, argv, command_optstring, command_opts, NULL))
                {
                        case 'h':
                                goto usage;
+                       case 'v':
+                               dbg_level = atoi(optarg);
+                               continue;
                        case '+':
                                if (!options->from(options, optarg, &argc, &argv, optind))
                                {
@@ -62,7 +68,11 @@ static int issue(int argc, char *argv[])
                                }
                                continue;
                        case 't':
-                               if (!streq(optarg, "pub"))
+                               if (streq(optarg, "pkcs10"))
+                               {
+                                       pkcs10 = TRUE;
+                               }
+                               else if (!streq(optarg, "pub"))
                                {
                                        error = "invalid input type";
                                        goto usage;
@@ -120,7 +130,7 @@ static int issue(int argc, char *argv[])
                break;
        }
 
-       if (!dn)
+       if (!pkcs10 && !dn)
        {
                error = "--dn is required";
                goto usage;
@@ -135,12 +145,17 @@ static int issue(int argc, char *argv[])
                error = "--cakey is required";
                goto usage;
        }
-       id = identification_create_from_string(dn);
-       if (id->get_type(id) != ID_DER_ASN1_DN)
+       if (dn)
        {
-               error = "supplied --dn is not a distinguished name";
-               goto end;
+               id = identification_create_from_string(dn);
+               if (id->get_type(id) != ID_DER_ASN1_DN)
+               {
+                       error = "supplied --dn is not a distinguished name";
+                       goto end;
+               }
        }
+
+       DBG2("Reading ca certificate:");
        ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                        BUILD_FROM_FILE, cacert, BUILD_END);
        if (!ca)
@@ -154,13 +169,14 @@ static int issue(int argc, char *argv[])
                error = "CA certificate misses CA basicConstraint";
                goto end;
        }
-
        public = ca->get_public_key(ca);
        if (!public)
        {
                error = "extracting CA certificate public key failed";
                goto end;
        }
+
+       DBG2("Reading ca private key:");
        private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
                                                                 public->get_type(public),
                                                                 BUILD_FROM_FILE, cakey, BUILD_END);
@@ -176,22 +192,6 @@ static int issue(int argc, char *argv[])
        }
        public->destroy(public);
 
-       if (file)
-       {
-               public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-                                                                        BUILD_FROM_FILE, file, BUILD_END);
-       }
-       else
-       {
-               public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-                                                                        BUILD_FROM_FD, 0, BUILD_END);
-       }
-       if (!public)
-       {
-               error = "parsing public key failed";
-               goto end;
-       }
-
        if (hex)
        {
                serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
@@ -208,8 +208,74 @@ static int issue(int argc, char *argv[])
                rng->allocate_bytes(rng, 8, &serial);
                rng->destroy(rng);
        }
+
+       if (pkcs10)
+       {
+               enumerator_t *enumerator;
+               identification_t *subjectAltName;
+               pkcs10_t *req;
+
+               DBG2("Reading certificate request");
+               if (file)
+               {
+                       cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+                                                                                 CERT_PKCS10_REQUEST,
+                                                                                 BUILD_FROM_FILE, file, BUILD_END);
+               }
+               else
+               {
+                       cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+                                                                                 CERT_PKCS10_REQUEST,
+                                                                                 BUILD_FROM_FD, 0, BUILD_END);
+               }
+               if (!cert_req)
+               {
+                       error = "parsing certificate request failed";
+                       goto end;
+               }
+
+               /* If not set yet use subject from PKCS#10 certificate request as DN */
+               if (!id)
+               {
+                       id = cert_req->get_subject(cert_req);
+                       id = id->clone(id);
+               }
+
+               /* Add subjectAltNames from PKCS#10 certificate request */
+               req = (pkcs10_t*)cert_req;
+               enumerator = req->create_subjectAltName_enumerator(req);
+               while (enumerator->enumerate(enumerator, &subjectAltName))
+               {
+                       san->insert_last(san, subjectAltName->clone(subjectAltName));
+               }
+               enumerator->destroy(enumerator);
+
+               /* Use public key from PKCS#10 certificate request */
+               public = cert_req->get_public_key(cert_req);
+       }
+       else
+       {
+               DBG2("Reading public key:");
+               if (file)
+               {
+                       public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+                                                                               BUILD_FROM_FILE, file, BUILD_END);
+               }
+               else
+               {
+                       public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+                                                                                BUILD_FROM_FD, 0, BUILD_END);
+               }
+       }
+       if (!public)
+       {
+               error = "parsing public key failed";
+               goto end;
+       }
+
        not_before = time(NULL);
        not_after = not_before + lifetime * 24 * 60 * 60;
+
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                        BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
                                        BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
@@ -237,6 +303,7 @@ static int issue(int argc, char *argv[])
 
 end:
        DESTROY_IF(id);
+       DESTROY_IF(cert_req);
        DESTROY_IF(cert);
        DESTROY_IF(ca);
        DESTROY_IF(public);
@@ -273,7 +340,7 @@ static void __attribute__ ((constructor))reg()
                "issue a certificate using a CA certificate and key",
                {"[--in file] [--type pub|pkcs10]",
                 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
-                "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp URI]+",
+                "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512]",
                 "[--options file]"},
                {
@@ -288,8 +355,9 @@ static void __attribute__ ((constructor))reg()
                        {"serial",      's', 1, "serial number in hex, default: random"},
                        {"ca",          'b', 0, "include CA basicConstraint, default: no"},
                        {"crl",         'u', 1, "CRL distribution point URI to include"},
-                       {"ocsp",        'o', 1, "OCSP AuthoritiyInfoAccess URI to incude"},
+                       {"ocsp",        'o', 1, "OCSP AuthorityInfoAccess URI to include"},
                        {"digest",      'g', 1, "digest for signature creation, default: sha1"},
+                       {"debug",       'v', 1, "set debug level, default: 1"},
                        {"options",     '+', 1, "read command line options from file"},
                }
        });