}
continue;
case 'f':
- if (!get_form(arg, &form, FALSE))
+ if (!get_form(arg, &form, CRED_PRIVATE_KEY))
{
return command_usage("invalid key output format");
}
*/
static int issue()
{
+ cred_encoding_type_t form = CERT_ASN1_DER;
hash_algorithm_t digest = HASH_SHA1;
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
private_key_t *private = NULL;
case 'p':
pathlen = atoi(arg);
continue;
- case 'f':
+ case 'e':
if (streq(arg, "serverAuth"))
{
flags |= X509_SERVER_AUTH;
flags |= X509_OCSP_SIGNER;
}
continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
case 'u':
cdps->insert_last(cdps, arg);
continue;
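Review bot: Moving `--flag` from the short letter `'f'` to `'e'` so that `'f'` can become `--outform` is a silent compatibility break for callers of `issue()`: if the short letter is accepted on the command line, as the option table suggests, an existing `-f serverAuth` now reaches `get_form()`, which rejects it with "invalid output format" — it fails closed rather than silently dropping the extendedKeyUsage flag, which is the right direction, but the message gives no hint that the option was renamed. The same repurposing appears in the `issue()` and `self()` option tables and in the matching `self()` switch hunk below, so a single fix covers all of them: either mention the rename in the usage/NEWS text or make the error name the option, e.g. `return command_usage("invalid --outform value, expected der|pem");`. The enclosing option-parsing loop of `issue()` begins and ends outside the hunk.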
error = "generating certificate failed";
goto end;
}
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ if (!cert->get_encoding(cert, form, &encoding))
{
error = "encoding certificate failed";
goto end;
" --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
"[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "public key/request file to issue, default: stdin"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
{"pathlen", 'p', 1, "set path length constraint"},
- {"flag", 'f', 1, "include extendedKeyUsage flag"},
+ {"flag", 'e', 1, "include extendedKeyUsage flag"},
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
}
}
continue;
case 'f':
- if (!get_form(arg, &form, TRUE))
+ if (!get_form(arg, &form, CRED_PUBLIC_KEY))
{
return command_usage("invalid output format");
}
*/
static int req()
{
+ cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
hash_algorithm_t digest = HASH_SHA1;
certificate_t *cert = NULL;
case 'p':
challenge_password = chunk_create(arg, strlen(arg));
continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
case EOF:
break;
default:
error = "generating certificate request failed";
goto end;
}
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ if (!cert->get_encoding(cert, form, &encoding))
{
error = "encoding certificate request failed";
goto end;
{"[--in file] [--type rsa|ecdsa]",
" --dn distinguished-name [--san subjectAltName]+",
"[--password challengePassword]",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "private key input file, default: stdin"},
{"san", 'a', 1, "subjectAltName to include in cert request"},
{"password",'p', 1, "challengePassword to include in cert request"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated request, default: der"},
}
});
}
*/
static int self()
{
+ cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
hash_algorithm_t digest = HASH_SHA1;
certificate_t *cert = NULL;
case 'p':
pathlen = atoi(arg);
continue;
- case 'f':
+ case 'e':
if (streq(arg, "serverAuth"))
{
flags |= X509_SERVER_AUTH;
flags |= X509_OCSP_SIGNER;
}
continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
case 'o':
ocsp->insert_last(ocsp, arg);
continue;
error = "generating certificate failed";
goto end;
}
- if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ if (!cert->get_encoding(cert, form, &encoding))
{
error = "encoding certificate failed";
goto end;
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|ocspSigning]+",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "private key input file, default: stdin"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
{"pathlen", 'p', 1, "set path length constraint"},
- {"flag", 'f', 1, "include extendedKeyUsage flag"},
+ {"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
}
*/
static int sign_crl()
{
+ cred_encoding_type_t form = CERT_ASN1_DER;
private_key_t *private = NULL;
public_key_t *public = NULL;
certificate_t *ca = NULL, *crl = NULL;
goto usage;
}
continue;
+ case 'f':
+ if (!get_form(arg, &form, CRED_CERTIFICATE))
+ {
+ return command_usage("invalid output format");
+ }
+ continue;
case EOF:
break;
default:
error = "generating CRL failed";
goto error;
}
- if (!crl->get_encoding(crl, CERT_ASN1_DER, &encoding))
+ if (!crl->get_encoding(crl, form, &encoding))
{
error = "encoding CRL failed";
goto error;
" superseded|cessation-of-operation|certificate-hold]",
" [--date timestamp]",
" --cert file | --serial hex ]*",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
+ "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"cacert", 'c', 1, "CA certificate file"},
{"reason", 'r', 1, "reason for certificate revocation"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});
}
/**
* Convert a form string to a encoding type
*/
-bool get_form(char *form, cred_encoding_type_t *type, bool pub)
+bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
{
if (streq(form, "der"))
{
- /* der encoded keys usually contain the complete SubjectPublicKeyInfo */
- *type = pub ? PUBKEY_SPKI_ASN1_DER : PRIVKEY_ASN1_DER;
+ switch (type)
+ {
+ case CRED_CERTIFICATE:
+ *enc = CERT_ASN1_DER;
+ return TRUE;
+ case CRED_PRIVATE_KEY:
+ *enc = PRIVKEY_ASN1_DER;
+ return TRUE;
+ case CRED_PUBLIC_KEY:
+ /* der encoded keys usually contain the complete
+ * SubjectPublicKeyInfo */
+ *enc = PUBKEY_SPKI_ASN1_DER;
+ return TRUE;
+ default:
+ return FALSE;
+ }
}
else if (streq(form, "pem"))
{
- *type = pub ? PUBKEY_PEM : PRIVKEY_PEM;
+ switch (type)
+ {
+ case CRED_CERTIFICATE:
+ *enc = CERT_PEM;
+ return TRUE;
+ case CRED_PRIVATE_KEY:
+ *enc = PRIVKEY_PEM;
+ return TRUE;
+ case CRED_PUBLIC_KEY:
+ *enc = PUBKEY_PEM;
+ return TRUE;
+ default:
+ return FALSE;
+ }
}
else if (streq(form, "pgp"))
{
- *type = pub ? PUBKEY_PGP : PRIVKEY_PGP;
+ switch (type)
+ {
+ case CRED_PRIVATE_KEY:
+ *enc = PRIVKEY_PGP;
+ return TRUE;
+ case CRED_PUBLIC_KEY:
+ *enc = PUBKEY_PGP;
+ return TRUE;
+ default:
+ return FALSE;
+ }
}
- else
- {
- return FALSE;
- }
- return TRUE;
+ return FALSE;
}
/**
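Review bot: The doc comment above `get_form()` still reads only "Convert a form string to a encoding type" and does not describe the new `credential_type_t type` parameter, nor that a FALSE return now has two causes — an unknown form string, and a known form that has no encoding for that credential (e.g. "pgp" with `CRED_CERTIFICATE`, which every certificate/CRL caller in this patch maps to the same "invalid output format" usage error). I would expand it into a Doxygen block naming the three accepted strings ("der", "pem", "pgp"), `@param enc` as the out-parameter, `@param type` with the note that "pgp" is only valid for `CRED_PRIVATE_KEY`/`CRED_PUBLIC_KEY`, and `@return` spelling out both FALSE cases. As a smaller point, `form` is only ever read through `streq()`, so the signature could take `const char *form` (the header declaration in the next hunk would need the same change; that hunk continues outside this view).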
/**
* Convert a form string to a encoding type
*/
-bool get_form(char *form, cred_encoding_type_t *type, bool pub);
+bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type);
/**
* Convert a digest string to a hash algorithm