authorTheo de Raadt <deraadt@cvs.openbsd.org>2005-04-08 21:51:09 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2005-04-08 21:51:09 +0000
commit79d1537841014a8b0a1b3ced1dbd4e3f6dab31ee (patch)
tree33f40a454370117ff55bc22985853b557f43acf5 /sbin
parent1306f03c7e3399043e9b5f3fe3dd30171f5caea4 (diff)
knf; ok cloder hshoexunpunouncable
Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/apps/certpatch/certpatch.c416
1 files changed, 200 insertions, 216 deletions
diff --git a/sbin/isakmpd/apps/certpatch/certpatch.c b/sbin/isakmpd/apps/certpatch/certpatch.c
index 0a0125a1d35..904198b3d28 100644
--- a/sbin/isakmpd/apps/certpatch/certpatch.c
+++ b/sbin/isakmpd/apps/certpatch/certpatch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: certpatch.c,v 1.21 2003/06/04 07:31:17 ho Exp $ */
+/* $OpenBSD: certpatch.c,v 1.22 2005/04/08 21:51:08 deraadt Exp $ */
/* $EOM: certpatch.c,v 1.11 2000/12/21 14:50:09 ho Exp $ */
/*
@@ -77,241 +77,225 @@
#define IDTYPE_FQDN "fqdn"
#define IDTYPE_UFQDN "ufqdn"
+void
+usage(void)
+{
+ extern char *__progname;
+
+ fprintf(stderr,
+ "usage: %s [-t idtype] -i id -k keyfile certin certout\n",
+ __progname);
+ exit(1);
+}
+
+
int
-main (int argc, char **argv)
+main(int argc, char **argv)
{
- char *usage = "%s [-t idtype] -i id -k keyfile certin certout\n\n"
- "This programs takes a certificate and adds a subjectAltName extension\n"
- "with the identication given as command line argument. Be sure that \n"
- "the signing key matches the issuer.\n";
- EVP_PKEY *pkey_priv;
- X509 *cert;
- BIO *file;
- const EVP_MD *digest;
- X509_EXTENSION *ex = NULL;
- ASN1_OCTET_STRING *data = NULL;
- struct in_addr saddr;
- unsigned char ipaddr[6], *new_id;
- char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL;
- char *certin, *certout;
- int ch, err;
+ EVP_PKEY *pkey_priv;
+ X509 *cert;
+ BIO *file;
+ const EVP_MD *digest;
+ X509_EXTENSION *ex = NULL;
+ ASN1_OCTET_STRING *data = NULL;
+ struct in_addr saddr;
+ unsigned char ipaddr[6], *new_id;
+ char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL;
+ char *certin, *certout;
+ int ch, err;
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- unsigned char *p;
- ASN1_STRING str;
- int i;
+ unsigned char *p;
+ ASN1_STRING str;
+ int i;
#endif
- /* read command line arguments */
- while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
- switch (ch) {
- case 't':
- type = optarg;
- break;
- case 'k':
- keyfile = optarg;
- break;
- case 'i':
- id = optarg;
- break;
- default:
- fprintf (stderr, usage, argv[0]);
- return (1);
- }
-
- argc -= optind;
-
- if (argc != 2) {
- fprintf (stderr, usage, argv[0]);
- return (1);
- }
-
- argv += optind;
-
- certin = argv[0];
- certout = argv[1];
-
- /* Check ID */
-
- if ((strcasecmp (IDTYPE_IP, type) != 0 &&
- strcasecmp (IDTYPE_FQDN, type) != 0 &&
- strcasecmp (IDTYPE_UFQDN, type) != 0) || id == NULL)
- {
- printf ("wrong id type or missing id\n");
- return (1);
- }
-
- /*
- * X509_verify will fail, as will all other functions that call
- * EVP_get_digest_byname.
- */
-
- SSLeay_add_all_algorithms ();
-
- /* Use a certificate created by ssleay and add the appr. extension */
- printf ("Reading ssleay created certificate %s and modify it\n",
- certin);
- file = BIO_new (BIO_s_file ());
- if (BIO_read_filename (file, certin) == -1)
- {
- perror ("read");
- return (1);
- }
+ /* read command line arguments */
+ while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
+ switch (ch) {
+ case 't':
+ type = optarg;
+ break;
+ case 'k':
+ keyfile = optarg;
+ break;
+ case 'i':
+ id = optarg;
+ break;
+ default:
+ usage();
+ }
+
+ argc -= optind;
+
+ if (argc != 2)
+ usage();
+
+ argv += optind;
+
+ certin = argv[0];
+ certout = argv[1];
+
+ /* Check ID */
+
+ if ((strcasecmp(IDTYPE_IP, type) != 0 &&
+ strcasecmp(IDTYPE_FQDN, type) != 0 &&
+ strcasecmp(IDTYPE_UFQDN, type) != 0) || id == NULL) {
+ printf("wrong id type or missing id\n");
+ return (1);
+ }
+
+ /*
+ * X509_verify will fail, as will all other functions that call
+ * EVP_get_digest_byname.
+ */
+ SSLeay_add_all_algorithms();
+
+ /* Use a certificate created by ssleay and add the appr. extension */
+ printf("Reading ssleay created certificate %s and modify it\n",
+ certin);
+ file = BIO_new(BIO_s_file ());
+ if (BIO_read_filename(file, certin) == -1) {
+ perror("read");
+ return (1);
+ }
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- cert = PEM_read_bio_X509 (file, NULL, NULL, NULL);
+ cert = PEM_read_bio_X509(file, NULL, NULL, NULL);
#else
- cert = PEM_read_bio_X509 (file, NULL, NULL);
+ cert = PEM_read_bio_X509(file, NULL, NULL);
#endif
- BIO_free (file);
- if (cert == NULL)
- {
- printf ("PEM_read_bio_X509 () failed\n");
- return (1);
- }
-
- /* Get the digest for the actual signing */
- digest = EVP_get_digestbyname (OBJ_nid2sn (OBJ_obj2nid (cert->sig_alg->algorithm)));
-
- if (!X509_set_version (cert, 2))
- {
- printf ("X509 failed to set version number\n");
- return (1);
- }
-
- if (!strcasecmp (IDTYPE_IP, type))
- {
- if (inet_aton (id, &saddr) == 0)
- {
- printf ("inet_aton () failed\n");
- return (1);
+ BIO_free(file);
+ if (cert == NULL) {
+ printf("PEM_read_bio_X509() failed\n");
+ return (1);
}
- saddr.s_addr = htonl (saddr.s_addr);
- ipaddr[0] = 0x87;
- ipaddr[1] = 0x04;
- ipaddr[2] = saddr.s_addr >> 24;
- ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
- ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
- ipaddr[5] = saddr.s_addr & 0xff;
-
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- str.length = 6;
- str.type = V_ASN1_OCTET_STRING;
- str.data = ipaddr;
- data = ASN1_OCTET_STRING_new ();
- if (!data)
- {
- perror ("ASN1_OCTET_STRING_new() failed");
- return (1);
+ /* Get the digest for the actual signing */
+ digest = EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(cert->sig_alg->algorithm)));
+ if (!X509_set_version(cert, 2)) {
+ printf("X509 failed to set version number\n");
+ return (1);
}
- i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL);
- if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i))
- {
- perror ("ASN1_STRING_set() failed");
- return (1);
- }
- p = (unsigned char *)data->data;
- i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p);
- data->length = i;
+ if (!strcasecmp(IDTYPE_IP, type)) {
+ if (inet_aton(id, &saddr) == 0) {
+ printf("inet_aton() failed\n");
+ return (1);
+ }
+
+ saddr.s_addr = htonl(saddr.s_addr);
+ ipaddr[0] = 0x87;
+ ipaddr[1] = 0x04;
+ ipaddr[2] = saddr.s_addr >> 24;
+ ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
+ ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
+ ipaddr[5] = saddr.s_addr & 0xff;
+
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ str.length = 6;
+ str.type = V_ASN1_OCTET_STRING;
+ str.data = ipaddr;
+ data = ASN1_OCTET_STRING_new();
+ if (!data) {
+ perror("ASN1_OCTET_STRING_new() failed");
+ return (1);
+ }
+
+ i = i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, NULL);
+ if (!ASN1_STRING_set((ASN1_STRING *)data, NULL, i)) {
+ perror("ASN1_STRING_set() failed");
+ return (1);
+ }
+ p = (unsigned char *)data->data;
+ i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, &p);
+ data->length = i;
#else
- data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
+ data = X509v3_pack_string(NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
#endif
- }
- else if (!strcasecmp (IDTYPE_FQDN, type) || !strcasecmp (IDTYPE_UFQDN, type))
- {
- new_id = malloc (strlen (id) + 2);
- if (new_id == NULL)
- {
- printf ("malloc () failed\n");
- return (1);
- }
-
- if (!strcasecmp (IDTYPE_FQDN, type))
- new_id[0] = 0x82;
- else
- new_id[0] = 0x81; /* IDTYPE_UFQDN */
-
- memcpy (new_id + 2, id, strlen(id));
- new_id[1] = strlen (id);
+ } else if (!strcasecmp(IDTYPE_FQDN, type) || !strcasecmp(IDTYPE_UFQDN, type)) {
+ new_id = malloc(strlen(id) + 2);
+ if (new_id == NULL) {
+ printf("malloc() failed\n");
+ return (1);
+ }
+
+ if (!strcasecmp(IDTYPE_FQDN, type))
+ new_id[0] = 0x82;
+ else
+ new_id[0] = 0x81; /* IDTYPE_UFQDN */
+
+ memcpy(new_id + 2, id, strlen(id));
+ new_id[1] = strlen(id);
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- str.length = strlen (id) + 2;
- str.type = V_ASN1_OCTET_STRING;
- str.data = new_id;
- data = ASN1_OCTET_STRING_new ();
- if (!data)
- {
- perror ("ASN1_OCTET_STRING_new() failed");
- return (1);
- }
-
- i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL);
- if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i))
- {
- perror ("ASN1_STRING_set() failed");
- return (1);
- }
- p = (unsigned char *)data->data;
- i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p);
- data->length = i;
+ str.length = strlen(id) + 2;
+ str.type = V_ASN1_OCTET_STRING;
+ str.data = new_id;
+ data = ASN1_OCTET_STRING_new();
+ if (!data) {
+ perror("ASN1_OCTET_STRING_new() failed");
+ return (1);
+ }
+
+ i = i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, NULL);
+ if (!ASN1_STRING_set((ASN1_STRING *)data,NULL, i)) {
+ perror("ASN1_STRING_set() failed");
+ return (1);
+ }
+ p = (unsigned char *)data->data;
+ i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, &p);
+ data->length = i;
#else
- data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, new_id,
- strlen (id) + 2);
+ data = X509v3_pack_string(NULL, V_ASN1_OCTET_STRING, new_id,
+ strlen (id) + 2);
#endif
- free (new_id);
- }
-
- /* XXX This is a hack, how to do better? */
- data->type = 0x30;
- data->data[0] = 0x30;
- ex = X509_EXTENSION_create_by_NID (NULL, NID_subject_alt_name, 1, data);
-
- if (ex == NULL)
- {
- printf ("X509_EXTENSION_create ()\n");
- return (1);
- }
-
- X509_add_ext (cert, ex, -1);
-
- file = BIO_new (BIO_s_file ());
- if (BIO_read_filename (file, keyfile) == -1)
- {
- perror ("open");
- return (1);
- }
+ free (new_id);
+ }
+
+ /* XXX This is a hack, how to do better? */
+ data->type = 0x30;
+ data->data[0] = 0x30;
+ ex = X509_EXTENSION_create_by_NID(NULL, NID_subject_alt_name, 1, data);
+ if (ex == NULL) {
+ printf("X509_EXTENSION_create()\n");
+ return (1);
+ }
+
+ X509_add_ext(cert, ex, -1);
+
+ file = BIO_new (BIO_s_file());
+ if (BIO_read_filename(file, keyfile) == -1) {
+ perror("open");
+ return (1);
+ }
#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL, NULL)) == NULL)
+ if ((pkey_priv = PEM_read_bio_PrivateKey(file, NULL, NULL, NULL)) == NULL) {
#else
- if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL)) == NULL)
+ if ((pkey_priv = PEM_read_bio_PrivateKey(file, NULL, NULL)) == NULL) {
#endif
- {
- printf ("Can not read private key %s\n", keyfile);
- return (1);
- }
- BIO_free (file);
-
- printf ("Creating Signature: PKEY_TYPE = %s: ",
- pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
- err = X509_sign (cert, pkey_priv, digest);
- printf ("X509_sign: %d ", err);
- if (!err)
- printf ("FAILED ");
- else
- printf ("OKAY ");
- printf ("\n");
-
- file = BIO_new (BIO_s_file ());
- if (BIO_write_filename (file, certout) == -1)
- {
- perror ("open");
- return (1);
- }
-
- printf ("Writing new certificate to %s\n", certout);
- PEM_write_bio_X509 (file, cert);
- BIO_free (file);
-
- return (0);
+ printf("Can not read private key %s\n", keyfile);
+ return (1);
+ }
+ BIO_free(file);
+
+ printf("Creating Signature: PKEY_TYPE = %s: ",
+ pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
+ err = X509_sign(cert, pkey_priv, digest);
+ printf("X509_sign: %d ", err);
+ if (!err)
+ printf("FAILED ");
+ else
+ printf("OKAY ");
+ printf("\n");
+
+ file = BIO_new(BIO_s_file());
+ if (BIO_write_filename(file, certout) == -1) {
+ perror("open");
+ return (1);
+ }
+
+ printf("Writing new certificate to %s\n", certout);
+ PEM_write_bio_X509(file, cert);
+ BIO_free(file);
+ return (0);
}
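Review bot: A failed signature at `err = X509_sign(cert, pkey_priv, digest);` only prints "FAILED" and then falls through to write the certificate to certout and return 0, so an unsigned or badly signed certificate is emitted with a success exit status; I would make that branch terminal, `if (!err) { printf("FAILED\n"); return (1); }`, and also reject a NULL `digest` right after the `EVP_get_digestbyname` call, since an unrecognized signature algorithm makes it return NULL and the sign step can only fail. The argument check ending in `|| id == NULL) {` still does not cover keyfile, so running without -k reaches `BIO_read_filename(file, keyfile)` with a NULL path; extending it to `|| id == NULL || keyfile == NULL) {` keeps that on the usage-error path. In the FQDN/UFQDN branch `new_id[1] = strlen(id);` stores the length in a single octet, so an identity longer than 255 bytes yields a length byte that does not match the data memcpy'd after it, and a `if (strlen(id) > 255)` rejection before the malloc would keep the encoding consistent. Since this is a knf pass, a few lines keep the old spacing and could be brought in line: `BIO_s_file ()` in the first BIO_new, `BIO_new (BIO_s_file())` before the keyfile read, `free (new_id);`, `strlen (id) + 2` in the X509v3_pack_string call, and `data,NULL, i` in the second ASN1_STRING_set.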