summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-17 21:49:00 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-17 21:49:00 +0000
commit3f2078cfb68f35ab8e947cd42d516d2d69758665 (patch)
treecc580b84ddcaf49e91fed559e7c294cca9cbf803 /sbin
parent0f558efe33fb1ae6c2d46aaa8560257512e42cb6 (diff)
apps/certpatch/certpatch.c: Merge with EOM 1.2
apps/certpatch/Makefile: Merge with EOM 1.2 apps/Makefile: Merge with EOM 1.2 author: niklas From Niels Provos, edited by me: certificate support using SSLeay author: provos add a tool that takes a certificate and private key in PEM format, adds a subjectAltName extension to the certifcate and finally signs it with the private key, writing back the result.
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/apps/Makefile39
-rw-r--r--sbin/isakmpd/apps/certpatch/Makefile50
-rw-r--r--sbin/isakmpd/apps/certpatch/certpatch.c222
3 files changed, 311 insertions, 0 deletions
diff --git a/sbin/isakmpd/apps/Makefile b/sbin/isakmpd/apps/Makefile
new file mode 100644
index 00000000000..78c8808e300
--- /dev/null
+++ b/sbin/isakmpd/apps/Makefile
@@ -0,0 +1,39 @@
+# $OpenBSD: Makefile,v 1.1 1999/07/17 21:48:59 niklas Exp $
+# $EOM: Makefile,v 1.2 1999/07/17 20:44:12 niklas Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+SUBDIR= certpatch
+
+.include <bsd.subdir.mk>
diff --git a/sbin/isakmpd/apps/certpatch/Makefile b/sbin/isakmpd/apps/certpatch/Makefile
new file mode 100644
index 00000000000..a71d4e38500
--- /dev/null
+++ b/sbin/isakmpd/apps/certpatch/Makefile
@@ -0,0 +1,50 @@
+# $OpenBSD: Makefile,v 1.1 1999/07/17 21:48:59 niklas Exp $
+# $EOM: Makefile,v 1.2 1999/07/17 20:44:12 niklas Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+PROG= certpatch
+SRCS= certpatch.c
+BINDIR= /usr/sbin
+TOPSRC= ${.CURDIR}/../..
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
+.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+LDADD+= -lcrypto
+DPADD+= ${LIBDES}
+NOMAN=
+DEBUG= -g
+
+.include <bsd.prog.mk>
diff --git a/sbin/isakmpd/apps/certpatch/certpatch.c b/sbin/isakmpd/apps/certpatch/certpatch.c
new file mode 100644
index 00000000000..6f162a3216a
--- /dev/null
+++ b/sbin/isakmpd/apps/certpatch/certpatch.c
@@ -0,0 +1,222 @@
+/* $OpenBSD: certpatch.c,v 1.1 1999/07/17 21:48:59 niklas Exp $ */
+/* $EOM: certpatch.c,v 1.2 1999/07/17 20:44:13 niklas Exp $ */
+
+/*
+ * Copyright (c) 1999 Niels Provos. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+/*
+ * This program takes a certificate generated by ssleay and a
+ * private key. It encodes a new id as subject alt name
+ * extension into the certifcate. The result gets written as
+ * new certificate that can be used by isakmpd.
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <gmp.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ssl/rsa.h>
+#include <ssl/x509.h>
+#include <ssl/pem.h>
+
+#include "conf.h"
+#include "log.h"
+#include "ipsec_num.h"
+#include "x509.h"
+
+#define IDTYPE_IP "ip"
+
+int
+main (int argc, char **argv)
+{
+ char *usage = "%s [-t idtype] -i id -k keyfile certin certout\n\n"
+ "This programs takes a certificate and adds a subjectAltName extension\n"
+ "with the identication given as command line argument. Be sure that \n"
+ "the signing key matches the issuer.\n";
+ EVP_PKEY *pkey_priv;
+ X509 *cert;
+ BIO *file;
+ EVP_MD *digest = EVP_md5 ();
+ X509_EXTENSION *ex = NULL;
+ ASN1_OCTET_STRING *data = NULL;
+ struct in_addr saddr;
+ char ipaddr[6];
+ char *type = "ip", *keyfile = NULL, *id = NULL;
+ char *certin, *certout;
+ char ch;
+ int err;
+
+
+ /* read command line arguments */
+ while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
+ switch(ch) {
+ case 't':
+ type = optarg;
+ break;
+ case 'k':
+ keyfile = optarg;
+ break;
+ case 'i':
+ id = optarg;
+ break;
+ default:
+ fprintf (stderr, usage, argv[0]);
+ exit (1);
+ }
+
+ argc -= optind;
+
+ if (argc != 2) {
+ fprintf (stderr, usage, argv[0]);
+ exit (1);
+ }
+
+ argv += optind;
+
+ certin = argv[0];
+ certout = argv[1];
+
+ /* Check ID */
+
+ if (strcasecmp (IDTYPE_IP, type) != 0 || id == NULL)
+ {
+ printf ("wrong id type or missing id\n");
+ exit (1);
+ }
+
+ /*
+ * X509_verify will fail, as will all other functions that call
+ * EVP_get_digest_byname.
+ */
+
+ SSLeay_add_all_algorithms ();
+
+ /* Use a certificate created by ssleay and add the appr. extension */
+ printf ("Reading ssleay created certificate %s and modify it\n",
+ certin);
+ file = BIO_new (BIO_s_file ());
+ if (BIO_read_filename (file, certin) == -1)
+ {
+ perror ("read");
+ exit(1);
+ }
+ cert = PEM_read_bio_X509 (file, NULL, NULL);
+ BIO_free (file);
+ if (cert == NULL)
+ {
+ printf ("PEM_read_bio_X509 () failed\n");
+ exit (1);
+ }
+
+ if (!X509_set_version (cert, 2))
+ {
+ printf ("X509 failed to set version number\n");
+ exit (1);
+ }
+
+ if (inet_aton (id, &saddr) == -1)
+ {
+ printf ("inet_aton () failed\n");
+ exit (1);
+ }
+
+ saddr.s_addr = htonl (saddr.s_addr);
+ ipaddr[0] = 0x87;
+ ipaddr[1] = 0x04;
+ ipaddr[2] = saddr.s_addr >> 24;
+ ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
+ ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
+ ipaddr[5] = saddr.s_addr & 0xff;
+
+ data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
+ /* XXX This is a hack, how to do better? */
+ data->type = 0x30;
+ data->data[0] = 0x30;
+ ex = X509_EXTENSION_create_by_NID (NULL, NID_subject_alt_name, 1, data);
+
+ if (ex == NULL)
+ {
+ printf ("X509_EXTENSION_create ()\n");
+ exit (1);
+ }
+
+ X509_add_ext (cert, ex, -1);
+
+ file = BIO_new (BIO_s_file ());
+ if (BIO_read_filename (file, keyfile) == -1)
+ {
+ perror ("open");
+ exit (1);
+ }
+ if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL)) == NULL)
+ {
+ printf ("Can not read private key %s\n", keyfile);
+ exit (1);
+ }
+ BIO_free (file);
+
+ printf ("Creating Signature: PKEY_TYPE = %s: ",
+ pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
+ err = X509_sign (cert, pkey_priv, digest);
+ printf ("X509_sign: %d ", err);
+ if (!err)
+ printf ("FAILED ");
+ else
+ printf ("OKAY ");
+ printf ("\n");
+
+ file = BIO_new (BIO_s_file ());
+ if (BIO_write_filename (file, certout) == -1)
+ {
+ perror ("open");
+ exit (1);
+ }
+
+ printf ("Writing new certificate to %s\n", certout);
+ PEM_write_bio_X509 (file, cert);
+ BIO_free (file);
+
+ return 1;
+}