-rw-r--r-- | sbin/isakmpd/apps/certpatch/Makefile | 44 | ||||
-rw-r--r-- | sbin/isakmpd/apps/certpatch/certpatch.8 | 86 | ||||
-rw-r--r-- | sbin/isakmpd/apps/certpatch/certpatch.c | 301 |
3 files changed, 0 insertions, 431 deletions
diff --git a/sbin/isakmpd/apps/certpatch/Makefile b/sbin/isakmpd/apps/certpatch/Makefile
deleted file mode 100644
index 4325f9063e0..00000000000
--- a/sbin/isakmpd/apps/certpatch/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2005/04/08 21:09:53 deraadt Exp $
-# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
-
-#
-# Copyright (c) 1999 Niels Provos. All rights reserved.
-# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-
-#
-# This code was written under funding by Ericsson Radio Systems.
-#
-
-PROG= certpatch
-SRCS= certpatch.c
-BINDIR?= /usr/sbin
-TOPSRC= ${.CURDIR}/../..
-TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
-.PATH: ${TOPSRC} ${TOPOBJ}
-CFLAGS+= -I${TOPSRC} -I${TOPOBJ} -Wall
-LDADD+= -lcrypto
-DPADD+= ${LIBCRYPTO}
-MAN= certpatch.8
-
-.include <bsd.prog.mk>
diff --git a/sbin/isakmpd/apps/certpatch/certpatch.8 b/sbin/isakmpd/apps/certpatch/certpatch.8
deleted file mode 100644
index dd7d961fc48..00000000000
--- a/sbin/isakmpd/apps/certpatch/certpatch.8
+++ /dev/null
@@ -1,86 +0,0 @@
-.\" $OpenBSD: certpatch.8,v 1.10 2005/05/05 12:16:00 jmc Exp $
-.\" $EOM: certpatch.8,v 1.5 2000/04/07 22:17:11 niklas Exp $
-.\"
-.\" Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
-.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" This code was written under funding by Ericsson Radio Systems.
-.\"
-.\" Manual page, using -mandoc macros
-.\"
-.Dd July 18, 1999
-.Dt CERTPATCH 8
-.Os
-.Sh NAME
-.Nm certpatch
-.Nd add subjectAltName identities to X.509 certificates
-.Sh SYNOPSIS
-.Nm certpatch
-.Op Fl t Ar identity-type
-.Fl i
-.Ar identity
-.Fl k
-.Ar signing-key
-.Ar input-certificate output-certificate
-.Sh DESCRIPTION
-.Nm
-alters PEM-encoded X.509 certificates by adding a subjectAltName extension
-containing an identity used by the signature-based authentication schemes
-of the ISAKMP protocol.
-After the addition, the certificate will be signed
-once again with the supplied CA signing key.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl i Ar identity
-The
-.Fl i
-option takes an argument which is the identity to put into the
-subjectAltName field of the certificate.
-If the identity-type is
-.Li ip ,
-this argument should be an IPv4 address in dotted decimal notation.
-.It Fl k Ar signing-key
-The
-.Fl k
-option specifies the key used for signing the certificate once the
-subjectAltName extension has been added.
-The key is specified by
-the filename where it is stored in PEM format.
-.It Fl t Ar identity-type
-If given, the
-.Fl t
-option specifies the type of the given identity.
-Currently
-.Li ip ,
-.Li fqdn ,
-and
-.Li ufqdn
-are recognized.
-The default is
-.Li ip .
-.El
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr isakmpd 8 ,
-.Xr ssl 8
diff --git a/sbin/isakmpd/apps/certpatch/certpatch.c b/sbin/isakmpd/apps/certpatch/certpatch.c
deleted file mode 100644
index 904198b3d28..00000000000
--- a/sbin/isakmpd/apps/certpatch/certpatch.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/* $OpenBSD: certpatch.c,v 1.22 2005/04/08 21:51:08 deraadt Exp $ */
-/* $EOM: certpatch.c,v 1.11 2000/12/21 14:50:09 ho Exp $ */
-
-/*
- * Copyright (c) 1999 Niels Provos. All rights reserved.
- * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved.
- * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved.
- * Copyright (c) 2001 Håkan Olsson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This code was written under funding by Ericsson Radio Systems.
- */
-
-/*
- * This program takes a certificate generated by ssleay and a
- * private key. It encodes a new id as subject alt name
- * extension into the certifcate. The result gets written as
- * new certificate that can be used by isakmpd.
- */
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "sysdep.h"
-
-#ifdef KAME
-# ifdef CRYPTO
-# include <openssl/rsa.h>
-# endif
-#else
-# include <openssl/rsa.h>
-#endif
-
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-
-#include "conf.h"
-#include "ipsec_num.h"
-#include "log.h"
-#include "math_mp.h"
-#include "x509.h"
-
-#define IDTYPE_IP "ip"
-#define IDTYPE_FQDN "fqdn"
-#define IDTYPE_UFQDN "ufqdn"
-
-void
-usage(void)
-{
- extern char *__progname;
-
- fprintf(stderr,
- "usage: %s [-t idtype] -i id -k keyfile certin certout\n",
- __progname);
- exit(1);
-}
-
-
-int
-main(int argc, char **argv)
-{
- EVP_PKEY *pkey_priv;
- X509 *cert;
- BIO *file;
- const EVP_MD *digest;
- X509_EXTENSION *ex = NULL;
- ASN1_OCTET_STRING *data = NULL;
- struct in_addr saddr;
- unsigned char ipaddr[6], *new_id;
- char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL;
- char *certin, *certout;
- int ch, err;
-
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- unsigned char *p;
- ASN1_STRING str;
- int i;
-#endif
-
-
- /* read command line arguments */
- while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
- switch (ch) {
- case 't':
- type = optarg;
- break;
- case 'k':
- keyfile = optarg;
- break;
- case 'i':
- id = optarg;
- break;
- default:
- usage();
- }
-
- argc -= optind;
-
- if (argc != 2)
- usage();
-
- argv += optind;
-
- certin = argv[0];
- certout = argv[1];
-
- /* Check ID */
-
- if ((strcasecmp(IDTYPE_IP, type) != 0 &&
- strcasecmp(IDTYPE_FQDN, type) != 0 &&
- strcasecmp(IDTYPE_UFQDN, type) != 0) || id == NULL) {
- printf("wrong id type or missing id\n");
- return (1);
- }
-
- /*
- * X509_verify will fail, as will all other functions that call
- * EVP_get_digest_byname.
- */
- SSLeay_add_all_algorithms();
-
- /* Use a certificate created by ssleay and add the appr. extension */
- printf("Reading ssleay created certificate %s and modify it\n",
- certin);
- file = BIO_new(BIO_s_file ());
- if (BIO_read_filename(file, certin) == -1) {
- perror("read");
- return (1);
- }
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- cert = PEM_read_bio_X509(file, NULL, NULL, NULL);
-#else
- cert = PEM_read_bio_X509(file, NULL, NULL);
-#endif
- BIO_free(file);
- if (cert == NULL) {
- printf("PEM_read_bio_X509() failed\n");
- return (1);
- }
-
- /* Get the digest for the actual signing */
- digest = EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(cert->sig_alg->algorithm)));
- if (!X509_set_version(cert, 2)) {
- printf("X509 failed to set version number\n");
- return (1);
- }
-
- if (!strcasecmp(IDTYPE_IP, type)) {
- if (inet_aton(id, &saddr) == 0) {
- printf("inet_aton() failed\n");
- return (1);
- }
-
- saddr.s_addr = htonl(saddr.s_addr);
- ipaddr[0] = 0x87;
- ipaddr[1] = 0x04;
- ipaddr[2] = saddr.s_addr >> 24;
- ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
- ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
- ipaddr[5] = saddr.s_addr & 0xff;
-
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- str.length = 6;
- str.type = V_ASN1_OCTET_STRING;
- str.data = ipaddr;
- data = ASN1_OCTET_STRING_new();
- if (!data) {
- perror("ASN1_OCTET_STRING_new() failed");
- return (1);
- }
-
- i = i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, NULL);
- if (!ASN1_STRING_set((ASN1_STRING *)data, NULL, i)) {
- perror("ASN1_STRING_set() failed");
- return (1);
- }
- p = (unsigned char *)data->data;
- i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, &p);
- data->length = i;
-#else
- data = X509v3_pack_string(NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
-#endif
- } else if (!strcasecmp(IDTYPE_FQDN, type) || !strcasecmp(IDTYPE_UFQDN, type)) {
- new_id = malloc(strlen(id) + 2);
- if (new_id == NULL) {
- printf("malloc() failed\n");
- return (1);
- }
-
- if (!strcasecmp(IDTYPE_FQDN, type))
- new_id[0] = 0x82;
- else
- new_id[0] = 0x81; /* IDTYPE_UFQDN */
-
- memcpy(new_id + 2, id, strlen(id));
- new_id[1] = strlen(id);
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- str.length = strlen(id) + 2;
- str.type = V_ASN1_OCTET_STRING;
- str.data = new_id;
- data = ASN1_OCTET_STRING_new();
- if (!data) {
- perror("ASN1_OCTET_STRING_new() failed");
- return (1);
- }
-
- i = i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, NULL);
- if (!ASN1_STRING_set((ASN1_STRING *)data,NULL, i)) {
- perror("ASN1_STRING_set() failed");
- return (1);
- }
- p = (unsigned char *)data->data;
- i2d_ASN1_OCTET_STRING((ASN1_OCTET_STRING *)&str, &p);
- data->length = i;
-#else
- data = X509v3_pack_string(NULL, V_ASN1_OCTET_STRING, new_id,
- strlen (id) + 2);
-#endif
- free (new_id);
- }
-
- /* XXX This is a hack, how to do better? */
- data->type = 0x30;
- data->data[0] = 0x30;
- ex = X509_EXTENSION_create_by_NID(NULL, NID_subject_alt_name, 1, data);
- if (ex == NULL) {
- printf("X509_EXTENSION_create()\n");
- return (1);
- }
-
- X509_add_ext(cert, ex, -1);
-
- file = BIO_new (BIO_s_file());
- if (BIO_read_filename(file, keyfile) == -1) {
- perror("open");
- return (1);
- }
-#if SSLEAY_VERSION_NUMBER >= 0x00904100L
- if ((pkey_priv = PEM_read_bio_PrivateKey(file, NULL, NULL, NULL)) == NULL) {
-#else
- if ((pkey_priv = PEM_read_bio_PrivateKey(file, NULL, NULL)) == NULL) {
-#endif
- printf("Can not read private key %s\n", keyfile);
- return (1);
- }
- BIO_free(file);
-
- printf("Creating Signature: PKEY_TYPE = %s: ",
- pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
- err = X509_sign(cert, pkey_priv, digest);
- printf("X509_sign: %d ", err);
- if (!err)
- printf("FAILED ");
- else
- printf("OKAY ");
- printf("\n");
-
- file = BIO_new(BIO_s_file());
- if (BIO_write_filename(file, certout) == -1) {
- perror("open");
- return (1);
- }
-
- printf("Writing new certificate to %s\n", certout);
- PEM_write_bio_X509(file, cert);
- BIO_free(file);
- return (0);
-}
|