author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2005-04-08 21:51:09 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2005-04-08 21:51:09 +0000 |
commit | 79d1537841014a8b0a1b3ced1dbd4e3f6dab31ee (patch) | |
tree | 33f40a454370117ff55bc22985853b557f43acf5 /sbin | |
parent | 1306f03c7e3399043e9b5f3fe3dd30171f5caea4 (diff) |
knf; ok cloder hshoexunpunouncable
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/apps/certpatch/certpatch.c | 416 |
1 files changed, 200 insertions, 216 deletions
diff --git a/sbin/isakmpd/apps/certpatch/certpatch.c b/sbin/isakmpd/apps/certpatch/certpatch.c
index 0a0125a1d35..904198b3d28 100644
--- a/sbin/isakmpd/apps/certpatch/certpatch.c
+++ b/sbin/isakmpd/apps/certpatch/certpatch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: certpatch.c,v 1.21 2003/06/04 07:31:17 ho Exp $ */
+/* $OpenBSD: certpatch.c,v 1.22 2005/04/08 21:51:08 deraadt Exp $ */
 /* $EOM: certpatch.c,v 1.11 2000/12/21 14:50:09 ho Exp $ */
 /*
@@ -77,241 +77,225 @@
 #define IDTYPE_FQDN "fqdn"
 #define IDTYPE_UFQDN "ufqdn"
+void
+usage(void)
+{
+ extern char *__progname;
+
+ fprintf(stderr,
+ "usage: %s [-t idtype] -i id -k keyfile certin certout\n",
+ __progname);
+ exit(1);
+}
+
+
 int
-main (int argc, char **argv)
+main(int argc, char **argv)
 {
- char *usage = "%s [-t idtype] -i id -k keyfile certin certout\n\n"
- "This programs takes a certificate and adds a subjectAltName extension\n"
- "with the identication given as command line argument. Be sure that \n"
- "the signing key matches the issuer.\n";
- EVP_PKEY *pkey_priv;
- X509 *cert;
- BIO *file;
- const EVP_MD *digest;
- X509_EXTENSION *ex = NULL;
- ASN1_OCTET_STRING *data = NULL;
- struct in_addr saddr;
- unsigned char ipaddr[6], *new_id;
- char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL;
- char *certin, *certout;
- int ch, err;
+ EVP_PKEY *pkey_priv;
+ X509 *cert;
+ BIO *file;
+ const EVP_MD *digest;
+ X509_EXTENSION *ex = NULL;
+ ASN1_OCTET_STRING *data = NULL;
+ struct in_addr saddr;
+ unsigned char ipaddr[6], *new_id;
+ char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL;
+ char *certin, *certout;
+ int ch, err;
 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
- unsigned char *p;
- ASN1_STRING str;
- int i;
+ unsigned char *p;
+ ASN1_STRING str;
+ int i;
 #endif
- /* read command line arguments */
- while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
- switch (ch) {
- case 't':
- type = optarg;
- break;
- case 'k':
- keyfile = optarg;
- break;
- case 'i':
- id = optarg;
- break;
- default:
- fprintf (stderr, usage, argv[0]);
- return (1);
- }
-
- argc -= optind;
-
- if (argc != 2) {
- fprintf (stderr, usage, argv[0]);
- return (1);
- }
-
- argv += optind;
-
- certin = argv[0];
- certout = argv[1];
-
- /* Check ID */
-
- if ((strcasecmp (IDTYPE_IP, type) != 0 &&
- strcasecmp (IDTYPE_FQDN, type) != 0 &&
- strcasecmp (IDTYPE_UFQDN, type) != 0) || id == NULL)
- {
- printf ("wrong id type or missing id\n");
- return (1);
- }
-
- /*
- * X509_verify will fail, as will all other functions that call
- * EVP_get_digest_byname.
- */
-
- SSLeay_add_all_algorithms ();
-
- /* Use a certificate created by ssleay and add the appr. extension */
- printf ("Reading ssleay created certificate %s and modify it\n",
- certin);
- file = BIO_new (BIO_s_file ());
- if (BIO_read_filename (file, certin) == -1)
- {
- perror ("read");
- return (1);
- }
+ /* read command line arguments */
+ while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
+ switch (ch) {
+ case 't':
+ type = optarg;
+ break;
+ case 'k':
+ keyfile = optarg;
+ break;
+ case 'i':
+ id = optarg;
+ break;
+ default:
+ usage();
+ }
+
+ argc -= optind;
+
+ if (argc != 2)
+ usage();
+
+ argv += optind;
+
+ certin = argv[0];
+ certout = argv[1];
+
+ /* Check ID */
+
+ if ((strcasecmp(IDTYPE_IP, type) != 0 &&
+ strcasecmp(IDTYPE_FQDN, type) != 0 &&
+ strcasecmp(IDTYPE_UFQDN, type) != 0) || id == NULL) {
+ printf("wrong id type or missing id\n");
+ return (1);
+ }
+
+ /*
+ * X509_verify will fail, as will all other functions that call
+ * EVP_get_digest_byname.
+ */
+ SSLeay_add_all_algorithms();
+
+ /* Use a certificate created by ssleay and add the appr. extension */
+ printf("Reading ssleay created certificate %s and modify it\n",
+ certin);
+ file = BIO_new(BIO_s_file ());
+ if (BIO_read_filename(file, certin) == -1) {
+ perror("read");
+ return (1);
+ }
 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
- cert = PEM_read_bio_X509 (file, NULL, NULL, NULL);
+ cert = PEM_read_bio_X509(file, NULL, NULL, NULL);
 #else
- cert = PEM_read_bio_X509 (file, NULL, NULL);
+ cert = PEM_read_bio_X509(file, NULL, NULL);
 #endif
- BIO_free (file);
- if (cert == NULL)
- {
- printf ("PEM_read_bio_X509 () failed\n");
- return (1);
- }
-
- /* Get the digest for the actual signing */
- digest = EVP_get_digestbyname (OBJ_nid2sn (OBJ_obj2nid (cert->sig_alg->algorithm)));
-
- if (!X509_set_version (cert, 2))
- {
- printf ("X509 failed to set version number\n");
- return (1);
- }
-
- if (!strcasecmp (IDTYPE_IP, type))
- {
- if (inet_aton (id, &saddr) == 0)
- {
- printf ("inet_aton () failed\n");
- return (1);
+ BIO_free(file);
+ if (cert == NULL) {
+ printf("PEM_read_bio_X509() failed\n");
+ return (1);
 }
- saddr.s_addr = htonl (saddr.s_addr);
- ipaddr[0] = 0x87;
- ipaddr[1] = 0x04;
- ipaddr[2] = saddr.s_addr >> 24;
- ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
- ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
- ipaddr[5] = saddr.s_addr & 0xff;
-
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- str.length = 6;
- str.type = V_ASN1_OCTET_STRING;
- str.data = ipaddr;
- data = ASN1_OCTET_STRING_new ();
- if (!data)
- {
- perror ("ASN1_OCTET_STRING_new() failed");
- return (1);
+ /* Get the digest for the actual signing */
+ digest = EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(cert->sig_alg->algorithm)));
+ if (!X509_set_version(cert, 2)) {
+ printf("X509 failed to set version number\n");
+ return (1);
 }
- i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL);
- if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i))
- {
- perror ("ASN1_STRING_set() failed");
- return (1);
- }
- p = (unsigned char *)data->data;
- i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p);
- data->length = i;
+ if (!strcasecmp(IDTYPE_IP, type)) {
+ if (inet_aton(id, &saddr) == 0) {
+ printf("inet_aton() failed\n");
+ return (1);
+ }
+
+ saddr.s_addr = htonl(saddr.s_addr);
+ ipaddr[0] = 0x87;
+ ipaddr[1] = 0x04;
+ ipaddr[2] = saddr.s_addr >> 24;
+ ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
+ ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
+ ipaddr[5] = saddr.s_addr & 0xff;
+
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ str.length = 6;
+ str.type = V_ASN1_OCTET_STRING;
+ str.data = ipaddr;
+ data = ASN1_OCTET_STRING_new();
+ if (!data) {
+ perror("ASN1_OCTET_STRING_new() failed");
+ return (1);
+ }
+
+ i = i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, NULL);
+ if (!ASN1_STRING_set((ASN1_STRING *)data, NULL, i)) {
+ perror("ASN1_STRING_set() failed");
+ return (1);
+ }
+ p = (unsigned char *)data->data;
+ i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, &p);
+ data->length = i;
 #else
- data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
+ data = X509v3_pack_string(NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
 #endif
- }
- else if (!strcasecmp (IDTYPE_FQDN, type) || !strcasecmp (IDTYPE_UFQDN, type))
- {
- new_id = malloc (strlen (id) + 2);
- if (new_id == NULL)
- {
- printf ("malloc () failed\n");
- return (1);
- }
-
- if (!strcasecmp (IDTYPE_FQDN, type))
- new_id[0] = 0x82;
- else
- new_id[0] = 0x81; /* IDTYPE_UFQDN */
-
- memcpy (new_id + 2, id, strlen(id));
- new_id[1] = strlen (id);
+ } else if (!strcasecmp(IDTYPE_FQDN, type) || !strcasecmp(IDTYPE_UFQDN, type)) {
+ new_id = malloc(strlen(id) + 2);
+ if (new_id == NULL) {
+ printf("malloc() failed\n");
+ return (1);
+ }
+
+ if (!strcasecmp(IDTYPE_FQDN, type))
+ new_id[0] = 0x82;
+ else
+ new_id[0] = 0x81; /* IDTYPE_UFQDN */
+
+ memcpy(new_id + 2, id, strlen(id));
+ new_id[1] = strlen(id);
 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
- str.length = strlen (id) + 2;
- str.type = V_ASN1_OCTET_STRING;
- str.data = new_id;
- data = ASN1_OCTET_STRING_new ();
- if (!data)
- {
- perror ("ASN1_OCTET_STRING_new() failed");
- return (1);
- }
-
- i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL);
- if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i))
- {
- perror ("ASN1_STRING_set() failed");
- return (1);
- }
- p = (unsigned char *)data->data;
- i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p);
- data->length = i;
+ str.length = strlen(id) + 2;
+ str.type = V_ASN1_OCTET_STRING;
+ str.data = new_id;
+ data = ASN1_OCTET_STRING_new();
+ if (!data) {
+ perror("ASN1_OCTET_STRING_new() failed");
+ return (1);
+ }
+
+ i = i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, NULL);
+ if (!ASN1_STRING_set((ASN1_STRING *)data,NULL, i)) {
+ perror("ASN1_STRING_set() failed");
+ return (1);
+ }
+ p = (unsigned char *)data->data;
+ i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, &p);
+ data->length = i;
 #else
- data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, new_id,
- strlen (id) + 2);
+ data = X509v3_pack_string(NULL, V_ASN1_OCTET_STRING, new_id,
+ strlen (id) + 2);
 #endif
- free (new_id);
- }
-
- /* XXX This is a hack, how to do better? */
- data->type = 0x30;
- data->data[0] = 0x30;
- ex = X509_EXTENSION_create_by_NID (NULL, NID_subject_alt_name, 1, data);
-
- if (ex == NULL)
- {
- printf ("X509_EXTENSION_create ()\n");
- return (1);
- }
-
- X509_add_ext (cert, ex, -1);
-
- file = BIO_new (BIO_s_file ());
- if (BIO_read_filename (file, keyfile) == -1)
- {
- perror ("open");
- return (1);
- }
+ free (new_id);
+ }
+
+ /* XXX This is a hack, how to do better? */
+ data->type = 0x30;
+ data->data[0] = 0x30;
+ ex = X509_EXTENSION_create_by_NID(NULL, NID_subject_alt_name, 1, data);
+ if (ex == NULL) {
+ printf("X509_EXTENSION_create()\n");
+ return (1);
+ }
+
+ X509_add_ext(cert, ex, -1);
+
+ file = BIO_new (BIO_s_file());
+ if (BIO_read_filename(file, keyfile) == -1) {
+ perror("open");
+ return (1);
+ }
 #if SSLEAY_VERSION_NUMBER >= 0x00904100L
- if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL, NULL)) == NULL)
+ if ((pkey_priv = PEM_read_bio_PrivateKey(file, NULL, NULL, NULL)) == NULL) {
 #else
- if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL)) == NULL)
+ if ((pkey_priv = PEM_read_bio_PrivateKey(file, NULL, NULL)) == NULL) {
 #endif
- {
- printf ("Can not read private key %s\n", keyfile);
- return (1);
- }
- BIO_free (file);
-
- printf ("Creating Signature: PKEY_TYPE = %s: ",
- pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
- err = X509_sign (cert, pkey_priv, digest);
- printf ("X509_sign: %d ", err);
- if (!err)
- printf ("FAILED ");
- else
- printf ("OKAY ");
- printf ("\n");
-
- file = BIO_new (BIO_s_file ());
- if (BIO_write_filename (file, certout) == -1)
- {
- perror ("open");
- return (1);
- }
-
- printf ("Writing new certificate to %s\n", certout);
- PEM_write_bio_X509 (file, cert);
- BIO_free (file);
-
- return (0);
+ printf("Can not read private key %s\n", keyfile);
+ return (1);
+ }
+ BIO_free(file);
+
+ printf("Creating Signature: PKEY_TYPE = %s: ",
+ pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
+ err = X509_sign(cert, pkey_priv, digest);
+ printf("X509_sign: %d ", err);
+ if (!err)
+ printf("FAILED ");
+ else
+ printf("OKAY ");
+ printf("\n");
+
+ file = BIO_new(BIO_s_file());
+ if (BIO_write_filename(file, certout) == -1) {
+ perror("open");
+ return (1);
+ }
+
+ printf("Writing new certificate to %s\n", certout);
+ PEM_write_bio_X509(file, cert);
+ BIO_free(file);
+ return (0);
 }
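Review bot: `keyfile` is still left NULL when `-k` is omitted: the `Check ID` test in this hunk only covers `type` and `id`, so `BIO_read_filename(file, keyfile)` further down runs with a null path; extend it to `strcasecmp(IDTYPE_UFQDN, type) != 0) || id == NULL || keyfile == NULL) {` or call `usage()` there. In the FQDN/UFQDN branch `new_id[1] = strlen(id);` stores the DER length in a single octet, which is only a valid short-form length for ids of up to 127 bytes, so a longer `-i` argument produces a malformed subjectAltName; reject it before the malloc with `if (strlen(id) > 127) { printf("id too long\n"); return (1); }`. A failed `X509_sign` only prints `FAILED`, after which the unsigned certificate is still written to `certout` and the program exits 0; that branch should `return (1)`. None of this is introduced by the KNF pass, but the new `usage()` drops the old text about the signing key having to match the issuer, which would be worth keeping as a comment above `main`.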