Context Navigation

hxtool.c

Last change on this file was 1, checked in by Paul Smedley, 10 years ago
Initial commit of Heimdal 1.5.3
File size: 52.7 KB

Line
1	/*
2	* Copyright (c) 2004 - 2007 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	*
13	* 2. Redistributions in binary form must reproduce the above copyright
14	* notice, this list of conditions and the following disclaimer in the
15	* documentation and/or other materials provided with the distribution.
16	*
17	* 3. Neither the name of the Institute nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include "hx_locl.h"
35
36	#include <hxtool-commands.h>
37	#include <sl.h>
38	#include <rtbl.h>
39	#include <parse_time.h>
40
41	static hx509_context context;
42
43	static char *stat_file_string;
44	static int version_flag;
45	static int help_flag;
46
47	struct getargs args[] = {
48	{ "statistic-file", 0, arg_string, &stat_file_string, NULL, NULL },
49	{ "version", 0, arg_flag, &version_flag, NULL, NULL },
50	{ "help", 0, arg_flag, &help_flag, NULL, NULL }
51	};
52	int num_args = sizeof(args) / sizeof(args[0]);
53
54	static void
55	usage(int code)
56	{
57	arg_printusage(args, num_args, NULL, "command");
58	printf("Use \"%s help\" to get more help\n", getprogname());
59	exit(code);
60	}
61
62	/*
63	*
64	*/
65
66	static void
67	lock_strings(hx509_lock lock, getarg_strings *pass)
68	{
69	int i;
70	for (i = 0; i < pass->num_strings; i++) {
71	int ret = hx509_lock_command_string(lock, pass->strings[i]);
72	if (ret)
73	errx(1, "hx509_lock_command_string: %s: %d",
74	pass->strings[i], ret);
75	}
76	}
77
78	/*
79	*
80	*/
81
82	static void
83	certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
84	hx509_lock lock, const getarg_strings *s)
85	{
86	int i, ret;
87
88	for (i = 0; i < s->num_strings; i++) {
89	ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
90	if (ret)
91	hx509_err(contextp, 1, ret,
92	"hx509_certs_append: %s %s", type, s->strings[i]);
93	}
94	}
95
96	/*
97	*
98	*/
99
100	static void
101	parse_oid(const char str, const heim_oid def, heim_oid *oid)
102	{
103	int ret;
104	if (str)
105	ret = der_parse_heim_oid (str, " .", oid);
106	else
107	ret = der_copy_oid(def, oid);
108	if (ret)
109	errx(1, "parse_oid failed for: %s", str ? str : "default oid");
110	}
111
112	/*
113	*
114	*/
115
116	static void
117	peer_strings(hx509_context contextp,
118	hx509_peer_info *peer,
119	const getarg_strings *s)
120	{
121	AlgorithmIdentifier *val;
122	int ret, i;
123
124	ret = hx509_peer_info_alloc(contextp, peer);
125	if (ret)
126	hx509_err(contextp, 1, ret, "hx509_peer_info_alloc");
127
128	val = calloc(s->num_strings, sizeof(*val));
129	if (val == NULL)
130	err(1, "malloc");
131
132	for (i = 0; i < s->num_strings; i++)
133	parse_oid(s->strings[i], NULL, &val[i].algorithm);
134
135	ret = hx509_peer_info_set_cms_algs(contextp, *peer, val, s->num_strings);
136	if (ret)
137	hx509_err(contextp, 1, ret, "hx509_peer_info_set_cms_algs");
138
139	for (i = 0; i < s->num_strings; i++)
140	free_AlgorithmIdentifier(&val[i]);
141	free(val);
142	}
143
144	/*
145	*
146	*/
147
148	struct pem_data {
149	heim_octet_string *os;
150	int detached_data;
151	};
152
153	static int
154	pem_reader(hx509_context contextp, const char *type,
155	const hx509_pem_header *headers,
156	const void data , size_t length, void ctx)
157	{
158	struct pem_data p = (struct pem_data )ctx;
159	const char *h;
160
161	p->os->data = malloc(length);
162	if (p->os->data == NULL)
163	return ENOMEM;
164	memcpy(p->os->data, data, length);
165	p->os->length = length;
166
167	h = hx509_pem_find_header(headers, "Content-disposition");
168	if (h && strcasecmp(h, "detached") == 0)
169	p->detached_data = 1;
170
171	return 0;
172	}
173
174	/*
175	*
176	*/
177
178	int
179	cms_verify_sd(struct cms_verify_sd_options opt, int argc, char *argv)
180	{
181	hx509_verify_ctx ctx = NULL;
182	heim_oid type;
183	heim_octet_string c, co, signeddata, *sd = NULL;
184	hx509_certs store = NULL;
185	hx509_certs signers = NULL;
186	hx509_certs anchors = NULL;
187	hx509_lock lock;
188	int ret, flags = 0;
189
190	size_t sz;
191	void *p = NULL;
192
193	if (opt->missing_revoke_flag)
194	hx509_context_set_missing_revoke(context, 1);
195
196	hx509_lock_init(context, &lock);
197	lock_strings(lock, &opt->pass_strings);
198
199	ret = hx509_verify_init_ctx(context, &ctx);
200	if (ret)
201	hx509_err(context, 1, ret, "hx509_verify_init_ctx");
202
203	ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors);
204	if (ret)
205	hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
206	ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
207	if (ret)
208	hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
209
210	certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
211	certs_strings(context, "store", store, lock, &opt->certificate_strings);
212
213	if (opt->pem_flag) {
214	struct pem_data pd;
215	FILE *f;
216
217	pd.os = &co;
218	pd.detached_data = 0;
219
220	f = fopen(argv[0], "r");
221	if (f == NULL)
222	err(1, "Failed to open file %s", argv[0]);
223
224	ret = hx509_pem_read(context, f, pem_reader, &pd);
225	fclose(f);
226	if (ret)
227	errx(1, "PEM reader failed: %d", ret);
228
229	if (pd.detached_data && opt->signed_content_string == NULL) {
230	char *r = strrchr(argv[0], '.');
231	if (r && strcasecmp(r, ".pem") == 0) {
232	char *s = strdup(argv[0]);
233	if (s == NULL)
234	errx(1, "malloc: out of memory");
235	s[r - argv[0]] = '\0';
236	ret = _hx509_map_file_os(s, &signeddata);
237	if (ret)
238	errx(1, "map_file: %s: %d", s, ret);
239	free(s);
240	sd = &signeddata;
241	}
242	}
243
244	} else {
245	ret = rk_undumpdata(argv[0], &p, &sz);
246	if (ret)
247	err(1, "map_file: %s: %d", argv[0], ret);
248
249	co.data = p;
250	co.length = sz;
251	}
252
253	if (opt->signed_content_string) {
254	ret = _hx509_map_file_os(opt->signed_content_string, &signeddata);
255	if (ret)
256	errx(1, "map_file: %s: %d", opt->signed_content_string, ret);
257	sd = &signeddata;
258	}
259
260	if (opt->content_info_flag) {
261	heim_octet_string uwco;
262	heim_oid oid;
263
264	ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
265	if (ret)
266	errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
267
268	if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_signedData) != 0)
269	errx(1, "Content is not SignedData");
270	der_free_oid(&oid);
271
272	if (p == NULL)
273	der_free_octet_string(&co);
274	else {
275	rk_xfree(p);
276	p = NULL;
277	}
278	co = uwco;
279	}
280
281	hx509_verify_attach_anchors(ctx, anchors);
282
283	if (!opt->signer_allowed_flag)
284	flags \|= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
285	if (opt->allow_wrong_oid_flag)
286	flags \|= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
287
288	ret = hx509_cms_verify_signed(context, ctx, flags, co.data, co.length, sd,
289	store, &type, &c, &signers);
290	if (p != co.data)
291	der_free_octet_string(&co);
292	else
293	rk_xfree(p);
294	if (ret)
295	hx509_err(context, 1, ret, "hx509_cms_verify_signed");
296
297	{
298	char *str;
299	der_print_heim_oid(&type, '.', &str);
300	printf("type: %s\n", str);
301	free(str);
302	der_free_oid(&type);
303	}
304	if (signers == NULL) {
305	printf("unsigned\n");
306	} else {
307	printf("signers:\n");
308	hx509_certs_iter_f(context, signers, hx509_ci_print_names, stdout);
309	}
310
311	hx509_verify_destroy_ctx(ctx);
312
313	hx509_certs_free(&store);
314	hx509_certs_free(&signers);
315	hx509_certs_free(&anchors);
316
317	hx509_lock_free(lock);
318
319	if (argc > 1) {
320	ret = _hx509_write_file(argv[1], c.data, c.length);
321	if (ret)
322	errx(1, "hx509_write_file: %d", ret);
323	}
324
325	der_free_octet_string(&c);
326
327	if (sd)
328	_hx509_unmap_file_os(sd);
329
330	return 0;
331	}
332
333	static int
334	print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
335	{
336	hx509_pem_header **header = ctx;
337	char *signer_name = NULL;
338	hx509_name name;
339	int ret;
340
341	ret = hx509_cert_get_subject(cert, &name);
342	if (ret)
343	errx(1, "hx509_cert_get_subject");
344
345	ret = hx509_name_to_string(name, &signer_name);
346	hx509_name_free(&name);
347	if (ret)
348	errx(1, "hx509_name_to_string");
349
350	hx509_pem_add_header(header, "Signer", signer_name);
351
352	free(signer_name);
353	return 0;
354	}
355
356	int
357	cms_create_sd(struct cms_create_sd_options opt, int argc, char *argv)
358	{
359	heim_oid contentType;
360	hx509_peer_info peer = NULL;
361	heim_octet_string o;
362	hx509_query *q;
363	hx509_lock lock;
364	hx509_certs store, pool, anchors, signer = NULL;
365	size_t sz;
366	void *p;
367	int ret, flags = 0;
368	char infile, outfile = NULL;
369
370	memset(&contentType, 0, sizeof(contentType));
371
372	infile = argv[0];
373
374	if (argc < 2) {
375	asprintf(&outfile, "%s.%s", infile,
376	opt->pem_flag ? "pem" : "cms-signeddata");
377	if (outfile == NULL)
378	errx(1, "out of memory");
379	} else
380	outfile = argv[1];
381
382	hx509_lock_init(context, &lock);
383	lock_strings(lock, &opt->pass_strings);
384
385	ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &store);
386	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
387	ret = hx509_certs_init(context, "MEMORY:cert-pool", 0, NULL, &pool);
388	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
389
390	certs_strings(context, "store", store, lock, &opt->certificate_strings);
391	certs_strings(context, "pool", pool, lock, &opt->pool_strings);
392
393	if (opt->anchors_strings.num_strings) {
394	ret = hx509_certs_init(context, "MEMORY:cert-anchors",
395	0, NULL, &anchors);
396	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
397	certs_strings(context, "anchors", anchors, lock, &opt->anchors_strings);
398	} else
399	anchors = NULL;
400
401	if (opt->detached_signature_flag)
402	flags \|= HX509_CMS_SIGNATURE_DETACHED;
403	if (opt->id_by_name_flag)
404	flags \|= HX509_CMS_SIGNATURE_ID_NAME;
405	if (!opt->signer_flag) {
406	flags \|= HX509_CMS_SIGNATURE_NO_SIGNER;
407
408	}
409
410	if (opt->signer_flag) {
411	ret = hx509_query_alloc(context, &q);
412	if (ret)
413	errx(1, "hx509_query_alloc: %d", ret);
414
415	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
416	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
417
418	if (opt->signer_string)
419	hx509_query_match_friendly_name(q, opt->signer_string);
420
421	ret = hx509_certs_filter(context, store, q, &signer);
422	hx509_query_free(context, q);
423	if (ret)
424	hx509_err(context, 1, ret, "hx509_certs_find");
425	}
426	if (!opt->embedded_certs_flag)
427	flags \|= HX509_CMS_SIGNATURE_NO_CERTS;
428	if (opt->embed_leaf_only_flag)
429	flags \|= HX509_CMS_SIGNATURE_LEAF_ONLY;
430
431	ret = rk_undumpdata(infile, &p, &sz);
432	if (ret)
433	err(1, "map_file: %s: %d", infile, ret);
434
435	if (opt->peer_alg_strings.num_strings)
436	peer_strings(context, &peer, &opt->peer_alg_strings);
437
438	parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
439
440	ret = hx509_cms_create_signed(context,
441	flags,
442	&contentType,
443	p,
444	sz,
445	NULL,
446	signer,
447	peer,
448	anchors,
449	pool,
450	&o);
451	if (ret)
452	hx509_err(context, 1, ret, "hx509_cms_create_signed: %d", ret);
453
454	hx509_certs_free(&anchors);
455	hx509_certs_free(&pool);
456	hx509_certs_free(&store);
457	rk_xfree(p);
458	hx509_lock_free(lock);
459	hx509_peer_info_free(peer);
460	der_free_oid(&contentType);
461
462	if (opt->content_info_flag) {
463	heim_octet_string wo;
464
465	ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &o, &wo);
466	if (ret)
467	errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
468
469	der_free_octet_string(&o);
470	o = wo;
471	}
472
473	if (opt->pem_flag) {
474	hx509_pem_header *header = NULL;
475	FILE *f;
476
477	hx509_pem_add_header(&header, "Content-disposition",
478	opt->detached_signature_flag ?
479	"detached" : "inline");
480	if (signer) {
481	ret = hx509_certs_iter_f(context, signer, print_signer, header);
482	if (ret)
483	hx509_err(context, 1, ret, "print signer");
484	}
485
486	f = fopen(outfile, "w");
487	if (f == NULL)
488	err(1, "open %s", outfile);
489
490	ret = hx509_pem_write(context, "CMS SIGNEDDATA", header, f,
491	o.data, o.length);
492	fclose(f);
493	hx509_pem_free_header(header);
494	if (ret)
495	errx(1, "hx509_pem_write: %d", ret);
496
497	} else {
498	ret = _hx509_write_file(outfile, o.data, o.length);
499	if (ret)
500	errx(1, "hx509_write_file: %d", ret);
501	}
502
503	hx509_certs_free(&signer);
504	free(o.data);
505
506	return 0;
507	}
508
509	int
510	cms_unenvelope(struct cms_unenvelope_options opt, int argc, char *argv)
511	{
512	heim_oid contentType = { 0, NULL };
513	heim_octet_string o, co;
514	hx509_certs certs;
515	size_t sz;
516	void *p;
517	int ret;
518	hx509_lock lock;
519	int flags = 0;
520
521	hx509_lock_init(context, &lock);
522	lock_strings(lock, &opt->pass_strings);
523
524	ret = rk_undumpdata(argv[0], &p, &sz);
525	if (ret)
526	err(1, "map_file: %s: %d", argv[0], ret);
527
528	co.data = p;
529	co.length = sz;
530
531	if (opt->content_info_flag) {
532	heim_octet_string uwco;
533	heim_oid oid;
534
535	ret = hx509_cms_unwrap_ContentInfo(&co, &oid, &uwco, NULL);
536	if (ret)
537	errx(1, "hx509_cms_unwrap_ContentInfo: %d", ret);
538
539	if (der_heim_oid_cmp(&oid, &asn1_oid_id_pkcs7_envelopedData) != 0)
540	errx(1, "Content is not SignedData");
541	der_free_oid(&oid);
542
543	co = uwco;
544	}
545
546	ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
547	if (ret)
548	errx(1, "hx509_certs_init: MEMORY: %d", ret);
549
550	certs_strings(context, "store", certs, lock, &opt->certificate_strings);
551
552	if (opt->allow_weak_crypto_flag)
553	flags \|= HX509_CMS_UE_ALLOW_WEAK;
554
555	ret = hx509_cms_unenvelope(context, certs, flags, co.data, co.length,
556	NULL, 0, &contentType, &o);
557	if (co.data != p)
558	der_free_octet_string(&co);
559	if (ret)
560	hx509_err(context, 1, ret, "hx509_cms_unenvelope");
561
562	rk_xfree(p);
563	hx509_lock_free(lock);
564	hx509_certs_free(&certs);
565	der_free_oid(&contentType);
566
567	ret = _hx509_write_file(argv[1], o.data, o.length);
568	if (ret)
569	errx(1, "hx509_write_file: %d", ret);
570
571	der_free_octet_string(&o);
572
573	return 0;
574	}
575
576	int
577	cms_create_enveloped(struct cms_envelope_options opt, int argc, char *argv)
578	{
579	heim_oid contentType;
580	heim_octet_string o;
581	const heim_oid *enctype = NULL;
582	hx509_query *q;
583	hx509_certs certs;
584	hx509_cert cert;
585	int ret;
586	size_t sz;
587	void *p;
588	hx509_lock lock;
589	int flags = 0;
590
591	memset(&contentType, 0, sizeof(contentType));
592
593	hx509_lock_init(context, &lock);
594	lock_strings(lock, &opt->pass_strings);
595
596	ret = rk_undumpdata(argv[0], &p, &sz);
597	if (ret)
598	err(1, "map_file: %s: %d", argv[0], ret);
599
600	ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
601	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
602
603	certs_strings(context, "store", certs, lock, &opt->certificate_strings);
604
605	if (opt->allow_weak_crypto_flag)
606	flags \|= HX509_CMS_EV_ALLOW_WEAK;
607
608	if (opt->encryption_type_string) {
609	enctype = hx509_crypto_enctype_by_name(opt->encryption_type_string);
610	if (enctype == NULL)
611	errx(1, "encryption type: %s no found",
612	opt->encryption_type_string);
613	}
614
615	ret = hx509_query_alloc(context, &q);
616	if (ret)
617	errx(1, "hx509_query_alloc: %d", ret);
618
619	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
620
621	ret = hx509_certs_find(context, certs, q, &cert);
622	hx509_query_free(context, q);
623	if (ret)
624	errx(1, "hx509_certs_find: %d", ret);
625
626	parse_oid(opt->content_type_string, &asn1_oid_id_pkcs7_data, &contentType);
627
628	ret = hx509_cms_envelope_1(context, flags, cert, p, sz, enctype,
629	&contentType, &o);
630	if (ret)
631	errx(1, "hx509_cms_envelope_1: %d", ret);
632
633	hx509_cert_free(cert);
634	hx509_certs_free(&certs);
635	rk_xfree(p);
636	der_free_oid(&contentType);
637
638	if (opt->content_info_flag) {
639	heim_octet_string wo;
640
641	ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_envelopedData, &o, &wo);
642	if (ret)
643	errx(1, "hx509_cms_wrap_ContentInfo: %d", ret);
644
645	der_free_octet_string(&o);
646	o = wo;
647	}
648
649	hx509_lock_free(lock);
650
651	ret = _hx509_write_file(argv[1], o.data, o.length);
652	if (ret)
653	errx(1, "hx509_write_file: %d", ret);
654
655	der_free_octet_string(&o);
656
657	return 0;
658	}
659
660	static void
661	print_certificate(hx509_context hxcontext, hx509_cert cert, int verbose)
662	{
663	const char *fn;
664	int ret;
665
666	fn = hx509_cert_get_friendly_name(cert);
667	if (fn)
668	printf(" friendly name: %s\n", fn);
669	printf(" private key: %s\n",
670	_hx509_cert_private_key(cert) ? "yes" : "no");
671
672	ret = hx509_print_cert(hxcontext, cert, NULL);
673	if (ret)
674	errx(1, "failed to print cert");
675
676	if (verbose) {
677	hx509_validate_ctx vctx;
678
679	hx509_validate_ctx_init(hxcontext, &vctx);
680	hx509_validate_ctx_set_print(vctx, hx509_print_stdout, stdout);
681	hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VALIDATE);
682	hx509_validate_ctx_add_flags(vctx, HX509_VALIDATE_F_VERBOSE);
683
684	hx509_validate_cert(hxcontext, vctx, cert);
685
686	hx509_validate_ctx_free(vctx);
687	}
688	}
689
690
691	struct print_s {
692	int counter;
693	int verbose;
694	};
695
696	static int
697	print_f(hx509_context hxcontext, void *ctx, hx509_cert cert)
698	{
699	struct print_s *s = ctx;
700
701	printf("cert: %d\n", s->counter++);
702	print_certificate(context, cert, s->verbose);
703
704	return 0;
705	}
706
707	int
708	pcert_print(struct print_options opt, int argc, char *argv)
709	{
710	hx509_certs certs;
711	hx509_lock lock;
712	struct print_s s;
713
714	s.counter = 0;
715	s.verbose = opt->content_flag;
716
717	hx509_lock_init(context, &lock);
718	lock_strings(lock, &opt->pass_strings);
719
720	while(argc--) {
721	int ret;
722	ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
723	if (ret) {
724	if (opt->never_fail_flag) {
725	printf("ignoreing failure: %d\n", ret);
726	continue;
727	}
728	hx509_err(context, 1, ret, "hx509_certs_init");
729	}
730	if (opt->info_flag)
731	hx509_certs_info(context, certs, NULL, NULL);
732	hx509_certs_iter_f(context, certs, print_f, &s);
733	hx509_certs_free(&certs);
734	argv++;
735	}
736
737	hx509_lock_free(lock);
738
739	return 0;
740	}
741
742
743	static int
744	validate_f(hx509_context hxcontext, void *ctx, hx509_cert c)
745	{
746	hx509_validate_cert(hxcontext, ctx, c);
747	return 0;
748	}
749
750	int
751	pcert_validate(struct validate_options opt, int argc, char *argv)
752	{
753	hx509_validate_ctx ctx;
754	hx509_certs certs;
755	hx509_lock lock;
756
757	hx509_lock_init(context, &lock);
758	lock_strings(lock, &opt->pass_strings);
759
760	hx509_validate_ctx_init(context, &ctx);
761	hx509_validate_ctx_set_print(ctx, hx509_print_stdout, stdout);
762	hx509_validate_ctx_add_flags(ctx, HX509_VALIDATE_F_VALIDATE);
763
764	while(argc--) {
765	int ret;
766	ret = hx509_certs_init(context, argv[0], 0, lock, &certs);
767	if (ret)
768	errx(1, "hx509_certs_init: %d", ret);
769	hx509_certs_iter_f(context, certs, validate_f, ctx);
770	hx509_certs_free(&certs);
771	argv++;
772	}
773	hx509_validate_ctx_free(ctx);
774
775	hx509_lock_free(lock);
776
777	return 0;
778	}
779
780	int
781	certificate_copy(struct certificate_copy_options opt, int argc, char *argv)
782	{
783	hx509_certs certs;
784	hx509_lock inlock, outlock = NULL;
785	int ret;
786
787	hx509_lock_init(context, &inlock);
788	lock_strings(inlock, &opt->in_pass_strings);
789
790	if (opt->out_pass_string) {
791	hx509_lock_init(context, &outlock);
792	ret = hx509_lock_command_string(outlock, opt->out_pass_string);
793	if (ret)
794	errx(1, "hx509_lock_command_string: %s: %d",
795	opt->out_pass_string, ret);
796	}
797
798	ret = hx509_certs_init(context, argv[argc - 1],
799	HX509_CERTS_CREATE, inlock, &certs);
800	if (ret)
801	hx509_err(context, 1, ret, "hx509_certs_init");
802
803	while(argc-- > 1) {
804	int retx;
805	retx = hx509_certs_append(context, certs, inlock, argv[0]);
806	if (retx)
807	hx509_err(context, 1, retx, "hx509_certs_append");
808	argv++;
809	}
810
811	ret = hx509_certs_store(context, certs, 0, outlock);
812	if (ret)
813	hx509_err(context, 1, ret, "hx509_certs_store");
814
815	hx509_certs_free(&certs);
816	hx509_lock_free(inlock);
817	hx509_lock_free(outlock);
818
819	return 0;
820	}
821
822	struct verify {
823	hx509_verify_ctx ctx;
824	hx509_certs chain;
825	const char *hostname;
826	int errors;
827	int count;
828	};
829
830	static int
831	verify_f(hx509_context hxcontext, void *ctx, hx509_cert c)
832	{
833	struct verify *v = ctx;
834	int ret;
835
836	ret = hx509_verify_path(hxcontext, v->ctx, c, v->chain);
837	if (ret) {
838	char *s = hx509_get_error_string(hxcontext, ret);
839	printf("verify_path: %s: %d\n", s, ret);
840	hx509_free_error_string(s);
841	v->errors++;
842	} else {
843	v->count++;
844	printf("path ok\n");
845	}
846
847	if (v->hostname) {
848	ret = hx509_verify_hostname(hxcontext, c, 0, HX509_HN_HOSTNAME,
849	v->hostname, NULL, 0);
850	if (ret) {
851	printf("verify_hostname: %d\n", ret);
852	v->errors++;
853	}
854	}
855
856	return 0;
857	}
858
859	int
860	pcert_verify(struct verify_options opt, int argc, char *argv)
861	{
862	hx509_certs anchors, chain, certs;
863	hx509_revoke_ctx revoke_ctx;
864	hx509_verify_ctx ctx;
865	struct verify v;
866	int ret;
867
868	memset(&v, 0, sizeof(v));
869
870	if (opt->missing_revoke_flag)
871	hx509_context_set_missing_revoke(context, 1);
872
873	ret = hx509_verify_init_ctx(context, &ctx);
874	if (ret)
875	hx509_err(context, 1, ret, "hx509_verify_init_ctx");
876	ret = hx509_certs_init(context, "MEMORY:anchors", 0, NULL, &anchors);
877	if (ret)
878	hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
879	ret = hx509_certs_init(context, "MEMORY:chain", 0, NULL, &chain);
880	if (ret)
881	hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
882	ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
883	if (ret)
884	hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
885
886	if (opt->allow_proxy_certificate_flag)
887	hx509_verify_set_proxy_certificate(ctx, 1);
888
889	if (opt->time_string) {
890	const char *p;
891	struct tm tm;
892	time_t t;
893
894	memset(&tm, 0, sizeof(tm));
895
896	p = strptime (opt->time_string, "%Y-%m-%d", &tm);
897	if (p == NULL)
898	errx(1, "Failed to parse time %s, need to be on format %%Y-%%m-%%d",
899	opt->time_string);
900
901	t = tm2time (tm, 0);
902
903	hx509_verify_set_time(ctx, t);
904	}
905
906	if (opt->hostname_string)
907	v.hostname = opt->hostname_string;
908	if (opt->max_depth_integer)
909	hx509_verify_set_max_depth(ctx, opt->max_depth_integer);
910
911	ret = hx509_revoke_init(context, &revoke_ctx);
912	if (ret)
913	errx(1, "hx509_revoke_init: %d", ret);
914
915	while(argc--) {
916	char s = argv++;
917
918	if (strncmp(s, "chain:", 6) == 0) {
919	s += 6;
920
921	ret = hx509_certs_append(context, chain, NULL, s);
922	if (ret)
923	hx509_err(context, 1, ret, "hx509_certs_append: chain: %s: %d", s, ret);
924
925	} else if (strncmp(s, "anchor:", 7) == 0) {
926	s += 7;
927
928	ret = hx509_certs_append(context, anchors, NULL, s);
929	if (ret)
930	hx509_err(context, 1, ret, "hx509_certs_append: anchor: %s: %d", s, ret);
931
932	} else if (strncmp(s, "cert:", 5) == 0) {
933	s += 5;
934
935	ret = hx509_certs_append(context, certs, NULL, s);
936	if (ret)
937	hx509_err(context, 1, ret, "hx509_certs_append: certs: %s: %d",
938	s, ret);
939
940	} else if (strncmp(s, "crl:", 4) == 0) {
941	s += 4;
942
943	ret = hx509_revoke_add_crl(context, revoke_ctx, s);
944	if (ret)
945	errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
946
947	} else if (strncmp(s, "ocsp:", 4) == 0) {
948	s += 5;
949
950	ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
951	if (ret)
952	errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
953
954	} else {
955	errx(1, "unknown option to verify: `%s'\n", s);
956	}
957	}
958
959	hx509_verify_attach_anchors(ctx, anchors);
960	hx509_verify_attach_revoke(ctx, revoke_ctx);
961
962	v.ctx = ctx;
963	v.chain = chain;
964
965	hx509_certs_iter_f(context, certs, verify_f, &v);
966
967	hx509_verify_destroy_ctx(ctx);
968
969	hx509_certs_free(&certs);
970	hx509_certs_free(&chain);
971	hx509_certs_free(&anchors);
972
973	hx509_revoke_free(&revoke_ctx);
974
975
976	if (v.count == 0) {
977	printf("no certs verify at all\n");
978	return 1;
979	}
980
981	if (v.errors) {
982	printf("failed verifing %d checks\n", v.errors);
983	return 1;
984	}
985
986	return 0;
987	}
988
989	int
990	query(struct query_options opt, int argc, char *argv)
991	{
992	hx509_lock lock;
993	hx509_query *q;
994	hx509_certs certs;
995	hx509_cert c;
996	int ret;
997
998	ret = hx509_query_alloc(context, &q);
999	if (ret)
1000	errx(1, "hx509_query_alloc: %d", ret);
1001
1002	hx509_lock_init(context, &lock);
1003	lock_strings(lock, &opt->pass_strings);
1004
1005	ret = hx509_certs_init(context, "MEMORY:cert-store", 0, NULL, &certs);
1006	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1007
1008	while (argc > 0) {
1009
1010	ret = hx509_certs_append(context, certs, lock, argv[0]);
1011	if (ret)
1012	errx(1, "hx509_certs_append: %s: %d", argv[0], ret);
1013
1014	argc--;
1015	argv++;
1016	}
1017
1018	if (opt->friendlyname_string)
1019	hx509_query_match_friendly_name(q, opt->friendlyname_string);
1020
1021	if (opt->eku_string) {
1022	heim_oid oid;
1023
1024	parse_oid(opt->eku_string, NULL, &oid);
1025
1026	ret = hx509_query_match_eku(q, &oid);
1027	if (ret)
1028	errx(1, "hx509_query_match_eku: %d", ret);
1029	der_free_oid(&oid);
1030	}
1031
1032	if (opt->private_key_flag)
1033	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1034
1035	if (opt->keyEncipherment_flag)
1036	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_ENCIPHERMENT);
1037
1038	if (opt->digitalSignature_flag)
1039	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
1040
1041	if (opt->expr_string)
1042	hx509_query_match_expr(context, q, opt->expr_string);
1043
1044	ret = hx509_certs_find(context, certs, q, &c);
1045	hx509_query_free(context, q);
1046	if (ret)
1047	printf("no match found (%d)\n", ret);
1048	else {
1049	printf("match found\n");
1050	if (opt->print_flag)
1051	print_certificate(context, c, 0);
1052	}
1053
1054	hx509_cert_free(c);
1055	hx509_certs_free(&certs);
1056
1057	hx509_lock_free(lock);
1058
1059	return ret;
1060	}
1061
1062	int
1063	ocsp_fetch(struct ocsp_fetch_options opt, int argc, char *argv)
1064	{
1065	hx509_certs reqcerts, pool;
1066	heim_octet_string req, nonce_data, *nonce = &nonce_data;
1067	hx509_lock lock;
1068	int i, ret;
1069	char *file;
1070	const char *url = "/";
1071
1072	memset(&nonce, 0, sizeof(nonce));
1073
1074	hx509_lock_init(context, &lock);
1075	lock_strings(lock, &opt->pass_strings);
1076
1077	/* no nonce */
1078	if (!opt->nonce_flag)
1079	nonce = NULL;
1080
1081	if (opt->url_path_string)
1082	url = opt->url_path_string;
1083
1084	ret = hx509_certs_init(context, "MEMORY:ocsp-pool", 0, NULL, &pool);
1085	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1086
1087	certs_strings(context, "ocsp-pool", pool, lock, &opt->pool_strings);
1088
1089	file = argv[0];
1090
1091	ret = hx509_certs_init(context, "MEMORY:ocsp-req", 0, NULL, &reqcerts);
1092	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1093
1094	for (i = 1; i < argc; i++) {
1095	ret = hx509_certs_append(context, reqcerts, lock, argv[i]);
1096	if (ret)
1097	errx(1, "hx509_certs_append: req: %s: %d", argv[i], ret);
1098	}
1099
1100	ret = hx509_ocsp_request(context, reqcerts, pool, NULL, NULL, &req, nonce);
1101	if (ret)
1102	errx(1, "hx509_ocsp_request: req: %d", ret);
1103
1104	{
1105	FILE *f;
1106
1107	f = fopen(file, "w");
1108	if (f == NULL)
1109	abort();
1110
1111	fprintf(f,
1112	"POST %s HTTP/1.0\r\n"
1113	"Content-Type: application/ocsp-request\r\n"
1114	"Content-Length: %ld\r\n"
1115	"\r\n",
1116	url,
1117	(unsigned long)req.length);
1118	fwrite(req.data, req.length, 1, f);
1119	fclose(f);
1120	}
1121
1122	if (nonce)
1123	der_free_octet_string(nonce);
1124
1125	hx509_certs_free(&reqcerts);
1126	hx509_certs_free(&pool);
1127
1128	return 0;
1129	}
1130
1131	int
1132	ocsp_print(struct ocsp_print_options opt, int argc, char *argv)
1133	{
1134	hx509_revoke_ocsp_print(context, argv[0], stdout);
1135	return 0;
1136	}
1137
1138	/*
1139	*
1140	*/
1141
1142	static int
1143	verify_o(hx509_context hxcontext, void *ctx, hx509_cert c)
1144	{
1145	heim_octet_string *os = ctx;
1146	time_t expiration;
1147	int ret;
1148
1149	ret = hx509_ocsp_verify(context, 0, c, 0,
1150	os->data, os->length, &expiration);
1151	if (ret) {
1152	char *s = hx509_get_error_string(hxcontext, ret);
1153	printf("ocsp_verify: %s: %d\n", s, ret);
1154	hx509_free_error_string(s);
1155	} else
1156	printf("expire: %d\n", (int)expiration);
1157
1158	return ret;
1159	}
1160
1161
1162	int
1163	ocsp_verify(struct ocsp_verify_options opt, int argc, char *argv)
1164	{
1165	hx509_lock lock;
1166	hx509_certs certs;
1167	int ret, i;
1168	heim_octet_string os;
1169
1170	hx509_lock_init(context, &lock);
1171
1172	if (opt->ocsp_file_string == NULL)
1173	errx(1, "no ocsp file given");
1174
1175	ret = _hx509_map_file_os(opt->ocsp_file_string, &os);
1176	if (ret)
1177	err(1, "map_file: %s: %d", argv[0], ret);
1178
1179	ret = hx509_certs_init(context, "MEMORY:test-certs", 0, NULL, &certs);
1180	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
1181
1182	for (i = 0; i < argc; i++) {
1183	ret = hx509_certs_append(context, certs, lock, argv[i]);
1184	if (ret)
1185	hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
1186	}
1187
1188	ret = hx509_certs_iter_f(context, certs, verify_o, &os);
1189
1190	hx509_certs_free(&certs);
1191	_hx509_unmap_file_os(&os);
1192	hx509_lock_free(lock);
1193
1194	return ret;
1195	}
1196
1197	static int
1198	read_private_key(const char fn, hx509_private_key key)
1199	{
1200	hx509_private_key *keys;
1201	hx509_certs certs;
1202	int ret;
1203
1204	*key = NULL;
1205
1206	ret = hx509_certs_init(context, fn, 0, NULL, &certs);
1207	if (ret)
1208	hx509_err(context, 1, ret, "hx509_certs_init: %s", fn);
1209
1210	ret = _hx509_certs_keys_get(context, certs, &keys);
1211	hx509_certs_free(&certs);
1212	if (ret)
1213	hx509_err(context, 1, ret, "hx509_certs_keys_get");
1214	if (keys[0] == NULL)
1215	errx(1, "no keys in key store: %s", fn);
1216
1217	*key = _hx509_private_key_ref(keys[0]);
1218	_hx509_certs_keys_free(context, keys);
1219
1220	return 0;
1221	}
1222
1223	static void
1224	get_key(const char fn, const char type, int optbits,
1225	hx509_private_key *signer)
1226	{
1227	int ret;
1228
1229	if (type) {
1230	BIGNUM *e;
1231	RSA *rsa;
1232	unsigned char p0, p;
1233	size_t len;
1234	int bits = 1024;
1235
1236	if (fn == NULL)
1237	errx(1, "no key argument, don't know here to store key");
1238
1239	if (strcasecmp(type, "rsa") != 0)
1240	errx(1, "can only handle rsa keys for now");
1241
1242	e = BN_new();
1243	BN_set_word(e, 0x10001);
1244
1245	if (optbits)
1246	bits = optbits;
1247
1248	rsa = RSA_new();
1249	if(rsa == NULL)
1250	errx(1, "RSA_new failed");
1251
1252	ret = RSA_generate_key_ex(rsa, bits, e, NULL);
1253	if(ret != 1)
1254	errx(1, "RSA_new failed");
1255
1256	BN_free(e);
1257
1258	len = i2d_RSAPrivateKey(rsa, NULL);
1259
1260	p0 = p = malloc(len);
1261	if (p == NULL)
1262	errx(1, "out of memory");
1263
1264	i2d_RSAPrivateKey(rsa, &p);
1265
1266	rk_dumpdata(fn, p0, len);
1267	memset(p0, 0, len);
1268	free(p0);
1269
1270	RSA_free(rsa);
1271
1272	} else if (fn == NULL)
1273	err(1, "no private key");
1274
1275	ret = read_private_key(fn, signer);
1276	if (ret)
1277	err(1, "read_private_key");
1278	}
1279
1280	int
1281	request_create(struct request_create_options opt, int argc, char *argv)
1282	{
1283	heim_octet_string request;
1284	hx509_request req;
1285	int ret, i;
1286	hx509_private_key signer;
1287	SubjectPublicKeyInfo key;
1288	const char *outfile = argv[0];
1289
1290	memset(&key, 0, sizeof(key));
1291
1292	get_key(opt->key_string,
1293	opt->generate_key_string,
1294	opt->key_bits_integer,
1295	&signer);
1296
1297	hx509_request_init(context, &req);
1298
1299	if (opt->subject_string) {
1300	hx509_name name = NULL;
1301
1302	ret = hx509_parse_name(context, opt->subject_string, &name);
1303	if (ret)
1304	errx(1, "hx509_parse_name: %d\n", ret);
1305	hx509_request_set_name(context, req, name);
1306
1307	if (opt->verbose_flag) {
1308	char *s;
1309	hx509_name_to_string(name, &s);
1310	printf("%s\n", s);
1311	}
1312	hx509_name_free(&name);
1313	}
1314
1315	for (i = 0; i < opt->email_strings.num_strings; i++) {
1316	ret = _hx509_request_add_email(context, req,
1317	opt->email_strings.strings[i]);
1318	if (ret)
1319	hx509_err(context, 1, ret, "hx509_request_add_email");
1320	}
1321
1322	for (i = 0; i < opt->dnsname_strings.num_strings; i++) {
1323	ret = _hx509_request_add_dns_name(context, req,
1324	opt->dnsname_strings.strings[i]);
1325	if (ret)
1326	hx509_err(context, 1, ret, "hx509_request_add_dns_name");
1327	}
1328
1329
1330	ret = hx509_private_key2SPKI(context, signer, &key);
1331	if (ret)
1332	errx(1, "hx509_private_key2SPKI: %d\n", ret);
1333
1334	ret = hx509_request_set_SubjectPublicKeyInfo(context,
1335	req,
1336	&key);
1337	free_SubjectPublicKeyInfo(&key);
1338	if (ret)
1339	hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
1340
1341	ret = _hx509_request_to_pkcs10(context,
1342	req,
1343	signer,
1344	&request);
1345	if (ret)
1346	hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
1347
1348	hx509_private_key_free(&signer);
1349	hx509_request_free(&req);
1350
1351	if (ret == 0)
1352	rk_dumpdata(outfile, request.data, request.length);
1353	der_free_octet_string(&request);
1354
1355	return 0;
1356	}
1357
1358	int
1359	request_print(struct request_print_options opt, int argc, char *argv)
1360	{
1361	int ret, i;
1362
1363	printf("request print\n");
1364
1365	for (i = 0; i < argc; i++) {
1366	hx509_request req;
1367
1368	ret = _hx509_request_parse(context, argv[i], &req);
1369	if (ret)
1370	hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
1371
1372	ret = _hx509_request_print(context, req, stdout);
1373	hx509_request_free(&req);
1374	if (ret)
1375	hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
1376	}
1377
1378	return 0;
1379	}
1380
1381	int
1382	info(void opt, int argc, char *argv)
1383	{
1384
1385	ENGINE_add_conf_module();
1386
1387	{
1388	const RSA_METHOD *m = RSA_get_default_method();
1389	if (m != NULL)
1390	printf("rsa: %s\n", m->name);
1391	}
1392	{
1393	const DH_METHOD *m = DH_get_default_method();
1394	if (m != NULL)
1395	printf("dh: %s\n", m->name);
1396	}
1397	#ifdef HAVE_OPENSSL
1398	{
1399	printf("ecdsa: ECDSA_METHOD-not-export\n");
1400	}
1401	#else
1402	{
1403	printf("ecdsa: hcrypto null\n");
1404	}
1405	#endif
1406	{
1407	int ret = RAND_status();
1408	printf("rand: %s\n", ret == 1 ? "ok" : "not available");
1409	}
1410
1411	return 0;
1412	}
1413
1414	int
1415	random_data(void opt, int argc, char *argv)
1416	{
1417	void *ptr;
1418	int len, ret;
1419
1420	len = parse_bytes(argv[0], "byte");
1421	if (len <= 0) {
1422	fprintf(stderr, "bad argument to random-data\n");
1423	return 1;
1424	}
1425
1426	ptr = malloc(len);
1427	if (ptr == NULL) {
1428	fprintf(stderr, "out of memory\n");
1429	return 1;
1430	}
1431
1432	ret = RAND_bytes(ptr, len);
1433	if (ret != 1) {
1434	free(ptr);
1435	fprintf(stderr, "did not get cryptographic strong random\n");
1436	return 1;
1437	}
1438
1439	fwrite(ptr, len, 1, stdout);
1440	fflush(stdout);
1441
1442	free(ptr);
1443
1444	return 0;
1445	}
1446
1447	int
1448	crypto_available(struct crypto_available_options opt, int argc, char *argv)
1449	{
1450	AlgorithmIdentifier *val;
1451	unsigned int len, i;
1452	int ret, type = HX509_SELECT_ALL;
1453
1454	if (opt->type_string) {
1455	if (strcmp(opt->type_string, "all") == 0)
1456	type = HX509_SELECT_ALL;
1457	else if (strcmp(opt->type_string, "digest") == 0)
1458	type = HX509_SELECT_DIGEST;
1459	else if (strcmp(opt->type_string, "public-sig") == 0)
1460	type = HX509_SELECT_PUBLIC_SIG;
1461	else if (strcmp(opt->type_string, "secret") == 0)
1462	type = HX509_SELECT_SECRET_ENC;
1463	else
1464	errx(1, "unknown type: %s", opt->type_string);
1465	}
1466
1467	ret = hx509_crypto_available(context, type, NULL, &val, &len);
1468	if (ret)
1469	errx(1, "hx509_crypto_available");
1470
1471	for (i = 0; i < len; i++) {
1472	char *s;
1473	der_print_heim_oid (&val[i].algorithm, '.', &s);
1474	printf("%s\n", s);
1475	free(s);
1476	}
1477
1478	hx509_crypto_free_algs(val, len);
1479
1480	return 0;
1481	}
1482
1483	int
1484	crypto_select(struct crypto_select_options opt, int argc, char *argv)
1485	{
1486	hx509_peer_info peer = NULL;
1487	AlgorithmIdentifier selected;
1488	int ret, type = HX509_SELECT_DIGEST;
1489	char *s;
1490
1491	if (opt->type_string) {
1492	if (strcmp(opt->type_string, "digest") == 0)
1493	type = HX509_SELECT_DIGEST;
1494	else if (strcmp(opt->type_string, "public-sig") == 0)
1495	type = HX509_SELECT_PUBLIC_SIG;
1496	else if (strcmp(opt->type_string, "secret") == 0)
1497	type = HX509_SELECT_SECRET_ENC;
1498	else
1499	errx(1, "unknown type: %s", opt->type_string);
1500	}
1501
1502	if (opt->peer_cmstype_strings.num_strings)
1503	peer_strings(context, &peer, &opt->peer_cmstype_strings);
1504
1505	ret = hx509_crypto_select(context, type, NULL, peer, &selected);
1506	if (ret)
1507	errx(1, "hx509_crypto_available");
1508
1509	der_print_heim_oid (&selected.algorithm, '.', &s);
1510	printf("%s\n", s);
1511	free(s);
1512	free_AlgorithmIdentifier(&selected);
1513
1514	hx509_peer_info_free(peer);
1515
1516	return 0;
1517	}
1518
1519	int
1520	hxtool_hex(struct hex_options opt, int argc, char *argv)
1521	{
1522
1523	if (opt->decode_flag) {
1524	char buf[1024], buf2[1024], *p;
1525	ssize_t len;
1526
1527	while(fgets(buf, sizeof(buf), stdin) != NULL) {
1528	buf[strcspn(buf, "\r\n")] = '\0';
1529	p = buf;
1530	while(isspace((unsigned char )p))
1531	p++;
1532	len = hex_decode(p, buf2, strlen(p));
1533	if (len < 0)
1534	errx(1, "hex_decode failed");
1535	if (fwrite(buf2, 1, len, stdout) != (size_t)len)
1536	errx(1, "fwrite failed");
1537	}
1538	} else {
1539	char buf[28], *p;
1540	ssize_t len;
1541
1542	while((len = fread(buf, 1, sizeof(buf), stdin)) != 0) {
1543	len = hex_encode(buf, len, &p);
1544	if (len < 0)
1545	continue;
1546	fprintf(stdout, "%s\n", p);
1547	free(p);
1548	}
1549	}
1550	return 0;
1551	}
1552
1553	struct cert_type_opt {
1554	int pkinit;
1555	};
1556
1557
1558	static int
1559	https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1560	{
1561	return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1562	}
1563
1564	static int
1565	https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1566	{
1567	return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
1568	}
1569
1570	static int
1571	peap_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1572	{
1573	return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
1574	}
1575
1576	static int
1577	pkinit_kdc(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1578	{
1579	opt->pkinit++;
1580	return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkkdcekuoid);
1581	}
1582
1583	static int
1584	pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1585	{
1586	int ret;
1587
1588	opt->pkinit++;
1589
1590	ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
1591	if (ret)
1592	return ret;
1593
1594	ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_ms_client_authentication);
1595	if (ret)
1596	return ret;
1597
1598	return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkinit_ms_eku);
1599	}
1600
1601	static int
1602	email_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
1603	{
1604	return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection);
1605	}
1606
1607	struct {
1608	const char *type;
1609	const char *desc;
1610	int (eval)(hx509_context, hx509_ca_tbs, struct cert_type_opt );
1611	} certtypes[] = {
1612	{
1613	"https-server",
1614	"Used for HTTPS server and many other TLS server certificate types",
1615	https_server
1616	},
1617	{
1618	"https-client",
1619	"Used for HTTPS client certificates",
1620	https_client
1621	},
1622	{
1623	"email-client",
1624	"Certificate will be use for email",
1625	email_client
1626	},
1627	{
1628	"pkinit-client",
1629	"Certificate used for Kerberos PK-INIT client certificates",
1630	pkinit_client
1631	},
1632	{
1633	"pkinit-kdc",
1634	"Certificates used for Kerberos PK-INIT KDC certificates",
1635	pkinit_kdc
1636	},
1637	{
1638	"peap-server",
1639	"Certificate used for Radius PEAP (Protected EAP)",
1640	peap_server
1641	}
1642	};
1643
1644	static void
1645	print_eval_types(FILE *out)
1646	{
1647	rtbl_t table;
1648	unsigned i;
1649
1650	table = rtbl_create();
1651	rtbl_add_column_by_id (table, 0, "Name", 0);
1652	rtbl_add_column_by_id (table, 1, "Description", 0);
1653
1654	for (i = 0; i < sizeof(certtypes)/sizeof(certtypes[0]); i++) {
1655	rtbl_add_column_entry_by_id(table, 0, certtypes[i].type);
1656	rtbl_add_column_entry_by_id(table, 1, certtypes[i].desc);
1657	}
1658
1659	rtbl_format (table, out);
1660	rtbl_destroy (table);
1661	}
1662
1663	static int
1664	eval_types(hx509_context contextp,
1665	hx509_ca_tbs tbs,
1666	const struct certificate_sign_options *opt)
1667	{
1668	struct cert_type_opt ctopt;
1669	int i;
1670	size_t j;
1671	int ret;
1672
1673	memset(&ctopt, 0, sizeof(ctopt));
1674
1675	for (i = 0; i < opt->type_strings.num_strings; i++) {
1676	const char *type = opt->type_strings.strings[i];
1677
1678	for (j = 0; j < sizeof(certtypes)/sizeof(certtypes[0]); j++) {
1679	if (strcasecmp(type, certtypes[j].type) == 0) {
1680	ret = (*certtypes[j].eval)(contextp, tbs, &ctopt);
1681	if (ret)
1682	hx509_err(contextp, 1, ret,
1683	"Failed to evaluate cert type %s", type);
1684	break;
1685	}
1686	}
1687	if (j >= sizeof(certtypes)/sizeof(certtypes[0])) {
1688	fprintf(stderr, "Unknown certificate type %s\n\n", type);
1689	fprintf(stderr, "Available types:\n");
1690	print_eval_types(stderr);
1691	exit(1);
1692	}
1693	}
1694
1695	if (opt->pk_init_principal_string) {
1696	if (!ctopt.pkinit)
1697	errx(1, "pk-init principal given but no pk-init oid");
1698
1699	ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs,
1700	opt->pk_init_principal_string);
1701	if (ret)
1702	hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
1703	}
1704
1705	if (opt->ms_upn_string) {
1706	if (!ctopt.pkinit)
1707	errx(1, "MS upn given but no pk-init oid");
1708
1709	ret = hx509_ca_tbs_add_san_ms_upn(contextp, tbs, opt->ms_upn_string);
1710	if (ret)
1711	hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
1712	}
1713
1714
1715	for (i = 0; i < opt->hostname_strings.num_strings; i++) {
1716	const char *hostname = opt->hostname_strings.strings[i];
1717
1718	ret = hx509_ca_tbs_add_san_hostname(contextp, tbs, hostname);
1719	if (ret)
1720	hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1721	}
1722
1723	for (i = 0; i < opt->email_strings.num_strings; i++) {
1724	const char *email = opt->email_strings.strings[i];
1725
1726	ret = hx509_ca_tbs_add_san_rfc822name(contextp, tbs, email);
1727	if (ret)
1728	hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
1729
1730	ret = hx509_ca_tbs_add_eku(contextp, tbs,
1731	&asn1_oid_id_pkix_kp_emailProtection);
1732	if (ret)
1733	hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_eku");
1734	}
1735
1736	if (opt->jid_string) {
1737	ret = hx509_ca_tbs_add_san_jid(contextp, tbs, opt->jid_string);
1738	if (ret)
1739	hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_jid");
1740	}
1741
1742	return 0;
1743	}
1744
1745	int
1746	hxtool_ca(struct certificate_sign_options opt, int argc, char *argv)
1747	{
1748	int ret;
1749	hx509_ca_tbs tbs;
1750	hx509_cert signer = NULL, cert = NULL;
1751	hx509_private_key private_key = NULL;
1752	hx509_private_key cert_key = NULL;
1753	hx509_name subject = NULL;
1754	SubjectPublicKeyInfo spki;
1755	int delta = 0;
1756
1757	memset(&spki, 0, sizeof(spki));
1758
1759	if (opt->ca_certificate_string == NULL && !opt->self_signed_flag)
1760	errx(1, "--ca-certificate argument missing (not using --self-signed)");
1761	if (opt->ca_private_key_string == NULL && opt->generate_key_string == NULL && opt->self_signed_flag)
1762	errx(1, "--ca-private-key argument missing (using --self-signed)");
1763	if (opt->certificate_string == NULL)
1764	errx(1, "--certificate argument missing");
1765
1766	if (opt->template_certificate_string) {
1767	if (opt->template_fields_string == NULL)
1768	errx(1, "--template-certificate not no --template-fields");
1769	}
1770
1771	if (opt->lifetime_string) {
1772	delta = parse_time(opt->lifetime_string, "day");
1773	if (delta < 0)
1774	errx(1, "Invalid lifetime: %s", opt->lifetime_string);
1775	}
1776
1777	if (opt->ca_certificate_string) {
1778	hx509_certs cacerts = NULL;
1779	hx509_query *q;
1780
1781	ret = hx509_certs_init(context, opt->ca_certificate_string, 0,
1782	NULL, &cacerts);
1783	if (ret)
1784	hx509_err(context, 1, ret,
1785	"hx509_certs_init: %s", opt->ca_certificate_string);
1786
1787	ret = hx509_query_alloc(context, &q);
1788	if (ret)
1789	errx(1, "hx509_query_alloc: %d", ret);
1790
1791	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1792	if (!opt->issue_proxy_flag)
1793	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
1794
1795	ret = hx509_certs_find(context, cacerts, q, &signer);
1796	hx509_query_free(context, q);
1797	hx509_certs_free(&cacerts);
1798	if (ret)
1799	hx509_err(context, 1, ret, "no CA certificate found");
1800	} else if (opt->self_signed_flag) {
1801	if (opt->generate_key_string == NULL
1802	&& opt->ca_private_key_string == NULL)
1803	errx(1, "no signing private key");
1804
1805	if (opt->req_string)
1806	errx(1, "can't be self-signing and have a request at the same time");
1807	} else
1808	errx(1, "missing ca key");
1809
1810	if (opt->ca_private_key_string) {
1811
1812	ret = read_private_key(opt->ca_private_key_string, &private_key);
1813	if (ret)
1814	err(1, "read_private_key");
1815
1816	ret = hx509_private_key2SPKI(context, private_key, &spki);
1817	if (ret)
1818	errx(1, "hx509_private_key2SPKI: %d\n", ret);
1819
1820	if (opt->self_signed_flag)
1821	cert_key = private_key;
1822	}
1823
1824	if (opt->req_string) {
1825	hx509_request req;
1826
1827	ret = _hx509_request_parse(context, opt->req_string, &req);
1828	if (ret)
1829	hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
1830	ret = hx509_request_get_name(context, req, &subject);
1831	if (ret)
1832	hx509_err(context, 1, ret, "get name");
1833	ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
1834	if (ret)
1835	hx509_err(context, 1, ret, "get spki");
1836	hx509_request_free(&req);
1837	}
1838
1839	if (opt->generate_key_string) {
1840	struct hx509_generate_private_context *keyctx;
1841
1842	ret = _hx509_generate_private_key_init(context,
1843	&asn1_oid_id_pkcs1_rsaEncryption,
1844	&keyctx);
1845	if (ret)
1846	hx509_err(context, 1, ret, "generate private key");
1847
1848	if (opt->issue_ca_flag)
1849	_hx509_generate_private_key_is_ca(context, keyctx);
1850
1851	if (opt->key_bits_integer)
1852	_hx509_generate_private_key_bits(context, keyctx,
1853	opt->key_bits_integer);
1854
1855	ret = _hx509_generate_private_key(context, keyctx,
1856	&cert_key);
1857	_hx509_generate_private_key_free(&keyctx);
1858	if (ret)
1859	hx509_err(context, 1, ret, "generate private key");
1860
1861	ret = hx509_private_key2SPKI(context, cert_key, &spki);
1862	if (ret)
1863	errx(1, "hx509_private_key2SPKI: %d\n", ret);
1864
1865	if (opt->self_signed_flag)
1866	private_key = cert_key;
1867	}
1868
1869	if (opt->certificate_private_key_string) {
1870	ret = read_private_key(opt->certificate_private_key_string, &cert_key);
1871	if (ret)
1872	err(1, "read_private_key for certificate");
1873	}
1874
1875	if (opt->subject_string) {
1876	if (subject)
1877	hx509_name_free(&subject);
1878	ret = hx509_parse_name(context, opt->subject_string, &subject);
1879	if (ret)
1880	hx509_err(context, 1, ret, "hx509_parse_name");
1881	}
1882
1883	/*
1884	*
1885	*/
1886
1887	ret = hx509_ca_tbs_init(context, &tbs);
1888	if (ret)
1889	hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1890
1891	if (opt->template_certificate_string) {
1892	hx509_cert template;
1893	hx509_certs tcerts;
1894	int flags;
1895
1896	ret = hx509_certs_init(context, opt->template_certificate_string, 0,
1897	NULL, &tcerts);
1898	if (ret)
1899	hx509_err(context, 1, ret,
1900	"hx509_certs_init: %s", opt->template_certificate_string);
1901
1902	ret = hx509_get_one_cert(context, tcerts, &template);
1903
1904	hx509_certs_free(&tcerts);
1905	if (ret)
1906	hx509_err(context, 1, ret, "no template certificate found");
1907
1908	flags = parse_units(opt->template_fields_string,
1909	hx509_ca_tbs_template_units(), "");
1910
1911	ret = hx509_ca_tbs_set_template(context, tbs, flags, template);
1912	if (ret)
1913	hx509_err(context, 1, ret, "hx509_ca_tbs_set_template");
1914
1915	hx509_cert_free(template);
1916	}
1917
1918	if (opt->serial_number_string) {
1919	heim_integer serialNumber;
1920
1921	ret = der_parse_hex_heim_integer(opt->serial_number_string,
1922	&serialNumber);
1923	if (ret)
1924	err(1, "der_parse_hex_heim_integer");
1925	ret = hx509_ca_tbs_set_serialnumber(context, tbs, &serialNumber);
1926	if (ret)
1927	hx509_err(context, 1, ret, "hx509_ca_tbs_init");
1928	der_free_heim_integer(&serialNumber);
1929	}
1930
1931	if (spki.subjectPublicKey.length) {
1932	ret = hx509_ca_tbs_set_spki(context, tbs, &spki);
1933	if (ret)
1934	hx509_err(context, 1, ret, "hx509_ca_tbs_set_spki");
1935	}
1936
1937	if (subject) {
1938	ret = hx509_ca_tbs_set_subject(context, tbs, subject);
1939	if (ret)
1940	hx509_err(context, 1, ret, "hx509_ca_tbs_set_subject");
1941	}
1942
1943	if (opt->crl_uri_string) {
1944	ret = hx509_ca_tbs_add_crl_dp_uri(context, tbs,
1945	opt->crl_uri_string, NULL);
1946	if (ret)
1947	hx509_err(context, 1, ret, "hx509_ca_tbs_add_crl_dp_uri");
1948	}
1949
1950	eval_types(context, tbs, opt);
1951
1952	if (opt->issue_ca_flag) {
1953	ret = hx509_ca_tbs_set_ca(context, tbs, opt->path_length_integer);
1954	if (ret)
1955	hx509_err(context, 1, ret, "hx509_ca_tbs_set_ca");
1956	}
1957	if (opt->issue_proxy_flag) {
1958	ret = hx509_ca_tbs_set_proxy(context, tbs, opt->path_length_integer);
1959	if (ret)
1960	hx509_err(context, 1, ret, "hx509_ca_tbs_set_proxy");
1961	}
1962	if (opt->domain_controller_flag) {
1963	hx509_ca_tbs_set_domaincontroller(context, tbs);
1964	if (ret)
1965	hx509_err(context, 1, ret, "hx509_ca_tbs_set_domaincontroller");
1966	}
1967
1968	if (delta) {
1969	ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);
1970	if (ret)
1971	hx509_err(context, 1, ret, "hx509_ca_tbs_set_notAfter_lifetime");
1972	}
1973
1974	if (opt->self_signed_flag) {
1975	ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
1976	if (ret)
1977	hx509_err(context, 1, ret, "hx509_ca_sign_self");
1978	} else {
1979	ret = hx509_ca_sign(context, tbs, signer, &cert);
1980	if (ret)
1981	hx509_err(context, 1, ret, "hx509_ca_sign");
1982	}
1983
1984	if (cert_key) {
1985	ret = _hx509_cert_assign_key(cert, cert_key);
1986	if (ret)
1987	hx509_err(context, 1, ret, "_hx509_cert_assign_key");
1988	}
1989
1990	{
1991	hx509_certs certs;
1992
1993	ret = hx509_certs_init(context, opt->certificate_string,
1994	HX509_CERTS_CREATE, NULL, &certs);
1995	if (ret)
1996	hx509_err(context, 1, ret, "hx509_certs_init");
1997
1998	ret = hx509_certs_add(context, certs, cert);
1999	if (ret)
2000	hx509_err(context, 1, ret, "hx509_certs_add");
2001
2002	ret = hx509_certs_store(context, certs, 0, NULL);
2003	if (ret)
2004	hx509_err(context, 1, ret, "hx509_certs_store");
2005
2006	hx509_certs_free(&certs);
2007	}
2008
2009	if (subject)
2010	hx509_name_free(&subject);
2011	if (signer)
2012	hx509_cert_free(signer);
2013	hx509_cert_free(cert);
2014	free_SubjectPublicKeyInfo(&spki);
2015
2016	if (private_key != cert_key)
2017	hx509_private_key_free(&private_key);
2018	hx509_private_key_free(&cert_key);
2019
2020	hx509_ca_tbs_free(&tbs);
2021
2022	return 0;
2023	}
2024
2025	static int
2026	test_one_cert(hx509_context hxcontext, void *ctx, hx509_cert cert)
2027	{
2028	heim_octet_string sd, c;
2029	hx509_verify_ctx vctx = ctx;
2030	hx509_certs signer = NULL;
2031	heim_oid type;
2032	int ret;
2033
2034	if (_hx509_cert_private_key(cert) == NULL)
2035	return 0;
2036
2037	ret = hx509_cms_create_signed_1(context, 0, NULL, NULL, 0,
2038	NULL, cert, NULL, NULL, NULL, &sd);
2039	if (ret)
2040	errx(1, "hx509_cms_create_signed_1");
2041
2042	ret = hx509_cms_verify_signed(context, vctx, 0, sd.data, sd.length,
2043	NULL, NULL, &type, &c, &signer);
2044	free(sd.data);
2045	if (ret)
2046	hx509_err(context, 1, ret, "hx509_cms_verify_signed");
2047
2048	printf("create-signature verify-sigature done\n");
2049
2050	free(c.data);
2051
2052	return 0;
2053	}
2054
2055	int
2056	test_crypto(struct test_crypto_options opt, int argc, char * argv)
2057	{
2058	hx509_verify_ctx vctx;
2059	hx509_certs certs;
2060	hx509_lock lock;
2061	int i, ret;
2062
2063	hx509_lock_init(context, &lock);
2064	lock_strings(lock, &opt->pass_strings);
2065
2066	ret = hx509_certs_init(context, "MEMORY:test-crypto", 0, NULL, &certs);
2067	if (ret) hx509_err(context, 1, ret, "hx509_certs_init: MEMORY");
2068
2069	for (i = 0; i < argc; i++) {
2070	ret = hx509_certs_append(context, certs, lock, argv[i]);
2071	if (ret)
2072	hx509_err(context, 1, ret, "hx509_certs_append");
2073	}
2074
2075	ret = hx509_verify_init_ctx(context, &vctx);
2076	if (ret)
2077	hx509_err(context, 1, ret, "hx509_verify_init_ctx");
2078
2079	hx509_verify_attach_anchors(vctx, certs);
2080
2081	ret = hx509_certs_iter_f(context, certs, test_one_cert, vctx);
2082	if (ret)
2083	hx509_err(context, 1, ret, "hx509_cert_iter");
2084
2085	hx509_certs_free(&certs);
2086
2087	return 0;
2088	}
2089
2090	int
2091	statistic_print(struct statistic_print_optionsopt, int argc, char *argv)
2092	{
2093	int type = 0;
2094
2095	if (stat_file_string == NULL)
2096	errx(1, "no stat file");
2097
2098	if (opt->type_integer)
2099	type = opt->type_integer;
2100
2101	hx509_query_unparse_stats(context, type, stdout);
2102	return 0;
2103	}
2104
2105	/*
2106	*
2107	*/
2108
2109	int
2110	crl_sign(struct crl_sign_options opt, int argc, char *argv)
2111	{
2112	hx509_crl crl;
2113	heim_octet_string os;
2114	hx509_cert signer = NULL;
2115	hx509_lock lock;
2116	int ret;
2117
2118	hx509_lock_init(context, &lock);
2119	lock_strings(lock, &opt->pass_strings);
2120
2121	ret = hx509_crl_alloc(context, &crl);
2122	if (ret)
2123	errx(1, "crl alloc");
2124
2125	if (opt->signer_string == NULL)
2126	errx(1, "signer missing");
2127
2128	{
2129	hx509_certs certs = NULL;
2130	hx509_query *q;
2131
2132	ret = hx509_certs_init(context, opt->signer_string, 0,
2133	NULL, &certs);
2134	if (ret)
2135	hx509_err(context, 1, ret,
2136	"hx509_certs_init: %s", opt->signer_string);
2137
2138	ret = hx509_query_alloc(context, &q);
2139	if (ret)
2140	hx509_err(context, 1, ret, "hx509_query_alloc: %d", ret);
2141
2142	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
2143
2144	ret = hx509_certs_find(context, certs, q, &signer);
2145	hx509_query_free(context, q);
2146	hx509_certs_free(&certs);
2147	if (ret)
2148	hx509_err(context, 1, ret, "no signer certificate found");
2149	}
2150
2151	if (opt->lifetime_string) {
2152	int delta;
2153
2154	delta = parse_time(opt->lifetime_string, "day");
2155	if (delta < 0)
2156	errx(1, "Invalid lifetime: %s", opt->lifetime_string);
2157
2158	hx509_crl_lifetime(context, crl, delta);
2159	}
2160
2161	{
2162	hx509_certs revoked = NULL;
2163	int i;
2164
2165	ret = hx509_certs_init(context, "MEMORY:revoked-certs", 0,
2166	NULL, &revoked);
2167	if (ret)
2168	hx509_err(context, 1, ret,
2169	"hx509_certs_init: MEMORY cert");
2170
2171	for (i = 0; i < argc; i++) {
2172	ret = hx509_certs_append(context, revoked, lock, argv[i]);
2173	if (ret)
2174	hx509_err(context, 1, ret, "hx509_certs_append: %s", argv[i]);
2175	}
2176
2177	hx509_crl_add_revoked_certs(context, crl, revoked);
2178	hx509_certs_free(&revoked);
2179	}
2180
2181	hx509_crl_sign(context, signer, crl, &os);
2182
2183	if (opt->crl_file_string)
2184	rk_dumpdata(opt->crl_file_string, os.data, os.length);
2185
2186	free(os.data);
2187
2188	hx509_crl_free(context, &crl);
2189	hx509_cert_free(signer);
2190	hx509_lock_free(lock);
2191
2192	return 0;
2193	}
2194
2195	/*
2196	*
2197	*/
2198
2199	int
2200	help(void opt, int argc, char *argv)
2201	{
2202	sl_slc_help(commands, argc, argv);
2203	return 0;
2204	}
2205
2206	int
2207	main(int argc, char **argv)
2208	{
2209	int ret, optidx = 0;
2210
2211	setprogname (argv[0]);
2212
2213	if(getarg(args, num_args, argc, argv, &optidx))
2214	usage(1);
2215	if(help_flag)
2216	usage(0);
2217	if(version_flag) {
2218	print_version(NULL);
2219	exit(0);
2220	}
2221	argv += optidx;
2222	argc -= optidx;
2223
2224	if (argc == 0)
2225	usage(1);
2226
2227	ret = hx509_context_init(&context);
2228	if (ret)
2229	errx(1, "hx509_context_init failed with %d", ret);
2230
2231	if (stat_file_string)
2232	hx509_query_statistic_file(context, stat_file_string);
2233
2234	ret = sl_command(commands, argc, argv);
2235	if(ret == -1)
2236	warnx ("unrecognized command: %s", argv[0]);
2237
2238	hx509_context_free(&context);
2239
2240	return ret;
2241	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: heimdal/vendor/current/lib/hx509/hxtool.c

Download in other formats: