[SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-58-g130c659
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_1_2-58-g130c659
Date: Mon, 08 Oct 2012 15:07:49 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=130c6598286058c4e362e609fdb2ac4005b5131d
The branch, master has been updated
via 130c6598286058c4e362e609fdb2ac4005b5131d (commit)
via 68be536de1bad4d224f4db6b40f6bdf1e7341445 (commit)
via 76f3f3783b06a111661ce06a593bffd30d51637e (commit)
via 2f7b1cf155a7c856a7de0c7f63ec5d39e49e7e4f (commit)
from 4da9342263784dada84671893a6b41cd52e38701 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 130c6598286058c4e362e609fdb2ac4005b5131d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Oct 8 17:07:09 2012 +0200
Certtool generates DANE entries with selector 0 (X.509 certificate).
commit 68be536de1bad4d224f4db6b40f6bdf1e7341445
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Oct 8 16:55:38 2012 +0200
Certtool can generate a DANE RR entry.
commit 76f3f3783b06a111661ce06a593bffd30d51637e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Oct 8 16:39:49 2012 +0200
use the old libtasn1 type
commit 2f7b1cf155a7c856a7de0c7f63ec5d39e49e7e4f
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Oct 8 16:36:19 2012 +0200
removed old file
-----------------------------------------------------------------------
Summary of changes:
NEWS | 2 +
doc/invoke-certtool.texi | 72 ++++++++++++++++-
lib/minitasn1/Makefile.am | 2 +-
lib/pkix_asn1_tab.c | 2 +-
src/certtool-args.c | 204 ++++++++++++++++++++++++++++++++++++++-------
src/certtool-args.def | 62 ++++++++++++++
src/certtool-args.h | 24 ++++-
src/certtool.c | 93 ++++++++++++++++++++
8 files changed, 424 insertions(+), 37 deletions(-)
diff --git a/NEWS b/NEWS
index 9854b55..f85f977 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,8 @@ GNUTLS_NO_EXTENSIONS can be used to prevent that.
** libdane: Added. It is a library to provide DANE with DNSSEC certificate
verification.
+** certtool: The --dane-rr option generates DANE Resource Records (RR).
+
** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function: Added
gnutls_certificate_set_ocsp_status_request_file: Added
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 4bc812c..4891908 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -7,7 +7,7 @@
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed August 4, 2012 at 01:15:27 PM by AutoGen 5.16
+# It has been AutoGen-ed October 8, 2012 at 04:55:06 PM by AutoGen 5.16
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -106,6 +106,16 @@ USAGE: certtool [ -<flag> [<val>] |
--<name>address@hidden| @}<val>] ]...
--template=file Template file to use for non-interactive
operation
- file must pre-exist
--pkcs-cipher=str Cipher to use for PKCS #8 and #12 operations
+ --dane-rr Print the DANE RR data on a certificate or
public key
+ - requires these options:
+ dane-host
+ --dane-host=str Specify the hostname to be used in the DANE RR
+ --dane-proto=str The protocol set for DANE data (tcp, udp etc.)
+ --dane-port=num Specify the port number for the DANE data.
+ --dane-ca Whether the provided certificate or public key
is a Certificate
+authority.
+ --dane-local Whether the provided certificate or public key
is an unsigned local
+entity.
-v, --version[=arg] Output version information and exit
-h, --help Display extended usage information and exit
-!, --more-help Extended usage information passed thru pager
@@ -278,6 +288,47 @@ This is alternative to the bits option.
This is the ``cipher to use for pkcs #8 and #12 operations'' option.
This option takes an argument string @file{Cipher}.
Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40,
arcfour.
address@hidden dane-rr}
address@hidden dane-rr option
address@hidden certtool-dane-rr
+
+This is the ``print the dane rr data on a certificate or public key'' option.
+
address@hidden
+This option has some usage constraints. It:
address@hidden @bullet
address@hidden
+must appear in combination with the following options:
+dane-host.
address@hidden itemize
+
+This command prints the DANE RR data needed to enable DANE on a DNS server.
address@hidden dane-host}
address@hidden dane-host option
address@hidden certtool-dane-host
+
+This is the ``specify the hostname to be used in the dane rr'' option.
+This option takes an argument string @file{Hostname}.
+This command sets the hostname for the DANE RR.
address@hidden dane-proto}
address@hidden dane-proto option
address@hidden certtool-dane-proto
+
+This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
+This option takes an argument string @file{Protocol}.
+This command specifies the protocol for the service set in the DANE data.
address@hidden dane-ca}
address@hidden dane-ca option
address@hidden certtool-dane-ca
+
+This is the ``whether the provided certificate or public key is a certificate
authority.'' option.
+Marks the DANE RR as a CA certificate if specified.
address@hidden dane-local}
address@hidden dane-local option
address@hidden certtool-dane-local
+
+This is the ``whether the provided certificate or public key is an unsigned
local entity.'' option.
+DANE distinguishes certificates and public keys offered via the DNSSEC to
trusted and local entities. Use this flag if this is a local entity.
@anchor{certtool exit status}
@subheading certtool exit status
@@ -411,6 +462,25 @@ To verify a Certificate Revocation List (CRL) do:
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
address@hidden DANE RR generation
+To create a DANE resource record for a CA signed certificate use the following
commands.
+
address@hidden
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem
address@hidden example
+
+For a self signed certificate use:
address@hidden
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-local
address@hidden example
+
+In order to create a record for the signer of your certificate use:
address@hidden
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-ca
address@hidden example
+
@anchor{certtool Files}
@subheading certtool Files
@subheading Certtool's template file format
diff --git a/lib/minitasn1/Makefile.am b/lib/minitasn1/Makefile.am
index dc26f1f..7de6a75 100644
--- a/lib/minitasn1/Makefile.am
+++ b/lib/minitasn1/Makefile.am
@@ -29,4 +29,4 @@ noinst_LTLIBRARIES = libminitasn1.la
libminitasn1_la_SOURCES = libtasn1.h gstr.h int.h parser_aux.h \
structure.h element.h decoding.c gstr.c errors.c parser_aux.c \
- structure.c element.c coding.c version.c hash.c
+ structure.c element.c coding.c version.c
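Review bot: hash.c is dropped from libminitasn1_la_SOURCES here, but the diffstat above lists no deletion of lib/minitasn1/hash.c, so the file stays in the tree while no longer being built; either delete it in the same commit or say in the commit message ("removed old file") why it is kept.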
diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c
index be8bcd5..ac5b0ab 100644
--- a/lib/pkix_asn1_tab.c
+++ b/lib/pkix_asn1_tab.c
@@ -4,7 +4,7 @@
#include <libtasn1.h>
-const asn_static_node_t pkix_asn1_tab[] = {
+const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
{ "PKIX1", 536875024, NULL },
{ NULL, 1073741836, NULL },
{ "id-pkix", 1879048204, NULL },
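Review bot: the switch from asn_static_node_t back to ASN1_ARRAY_TYPE is explained only by the one-line commit message "use the old libtasn1 type"; a short comment next to the declaration saying which libtasn1 versions this table is meant to build against would help whoever has to pick between the two names the next time this file is touched.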
diff --git a/src/certtool-args.c b/src/certtool-args.c
index 269adc5..cfc38ae 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.c)
*
- * It has been AutoGen-ed August 4, 2012 at 12:13:08 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 8, 2012 at 04:53:23 PM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -67,7 +67,7 @@ extern FILE * option_usage_fp;
/*
* certtool option static const strings
*/
-static char const certtool_opt_strs[4658] =
+static char const certtool_opt_strs[5116] =
/* 0 */ "certtool @address@hidden"
"Copyright (C) 2000-2012 Free Software Foundation, all rights
reserved.\n"
"This is free software. It is licensed for use, modification and\n"
@@ -245,23 +245,43 @@ static char const certtool_opt_strs[4658] =
/* 4044 */ "Cipher to use for PKCS #8 and #12 operations\0"
/* 4089 */ "PKCS_CIPHER\0"
/* 4101 */ "pkcs-cipher\0"
-/* 4113 */ "Display extended usage information and exit\0"
-/* 4157 */ "help\0"
-/* 4162 */ "Extended usage information passed thru pager\0"
-/* 4207 */ "more-help\0"
-/* 4217 */ "Output version information and exit\0"
-/* 4253 */ "version\0"
-/* 4261 */ "CERTTOOL\0"
-/* 4270 */ "certtool - GnuTLS PKCS #11 tool - Ver. @address@hidden"
+/* 4113 */ "Print the DANE RR data on a certificate or public key\0"
+/* 4167 */ "DANE_RR\0"
+/* 4175 */ "dane-rr\0"
+/* 4183 */ "Specify the hostname to be used in the DANE RR\0"
+/* 4230 */ "DANE_HOST\0"
+/* 4240 */ "dane-host\0"
+/* 4250 */ "The protocol set for DANE data (tcp, udp etc.)\0"
+/* 4297 */ "DANE_PROTO\0"
+/* 4308 */ "dane-proto\0"
+/* 4319 */ "Specify the port number for the DANE data.\0"
+/* 4362 */ "DANE_PORT\0"
+/* 4372 */ "dane-port\0"
+/* 4382 */ "Whether the provided certificate or public key is a Certificate\n"
+ "authority.\0"
+/* 4457 */ "DANE_CA\0"
+/* 4465 */ "dane-ca\0"
+/* 4473 */ "Whether the provided certificate or public key is an unsigned
local\n"
+ "entity.\0"
+/* 4549 */ "DANE_LOCAL\0"
+/* 4560 */ "dane-local\0"
+/* 4571 */ "Display extended usage information and exit\0"
+/* 4615 */ "help\0"
+/* 4620 */ "Extended usage information passed thru pager\0"
+/* 4665 */ "more-help\0"
+/* 4675 */ "Output version information and exit\0"
+/* 4711 */ "version\0"
+/* 4719 */ "CERTTOOL\0"
+/* 4728 */ "certtool - GnuTLS PKCS #11 tool - Ver. @address@hidden"
"USAGE: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 4377 */ "address@hidden"
-/* 4396 */ "\n\n\0"
-/* 4399 */ "\n"
+/* 4835 */ "address@hidden"
+/* 4854 */ "\n\n\0"
+/* 4857 */ "\n"
"Tool to parse and generate X.509 certificates, requests and
private keys.\n"
"It can be used interactively or non interactively by specifying
the\n"
"template command line option.\n\0"
-/* 4573 */ "certtool @address@hidden"
-/* 4592 */ "certtool [options] [url]\n"
+/* 5031 */ "certtool @address@hidden"
+/* 5050 */ "certtool [options] [url]\n"
"certtool --help for usage instructions.\n";
/*
@@ -725,13 +745,67 @@ static int const aTo_P12MustList[] = {
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
/*
+ * dane-rr option description with
+ * "Must also have options" and "Incompatible options":
+ */
+#define DANE_RR_DESC (certtool_opt_strs+4113)
+#define DANE_RR_NAME (certtool_opt_strs+4167)
+#define DANE_RR_name (certtool_opt_strs+4175)
+static int const aDane_RrMustList[] = {
+ INDEX_OPT_DANE_HOST, NO_EQUIVALENT };
+#define DANE_RR_FLAGS (OPTST_DISABLED)
+
+/*
+ * dane-host option description:
+ */
+#define DANE_HOST_DESC (certtool_opt_strs+4183)
+#define DANE_HOST_NAME (certtool_opt_strs+4230)
+#define DANE_HOST_name (certtool_opt_strs+4240)
+#define DANE_HOST_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * dane-proto option description:
+ */
+#define DANE_PROTO_DESC (certtool_opt_strs+4250)
+#define DANE_PROTO_NAME (certtool_opt_strs+4297)
+#define DANE_PROTO_name (certtool_opt_strs+4308)
+#define DANE_PROTO_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+/*
+ * dane-port option description:
+ */
+#define DANE_PORT_DESC (certtool_opt_strs+4319)
+#define DANE_PORT_NAME (certtool_opt_strs+4362)
+#define DANE_PORT_name (certtool_opt_strs+4372)
+#define DANE_PORT_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
+
+/*
+ * dane-ca option description:
+ */
+#define DANE_CA_DESC (certtool_opt_strs+4382)
+#define DANE_CA_NAME (certtool_opt_strs+4457)
+#define DANE_CA_name (certtool_opt_strs+4465)
+#define DANE_CA_FLAGS (OPTST_DISABLED)
+
+/*
+ * dane-local option description:
+ */
+#define DANE_LOCAL_DESC (certtool_opt_strs+4473)
+#define DANE_LOCAL_NAME (certtool_opt_strs+4549)
+#define DANE_LOCAL_name (certtool_opt_strs+4560)
+#define DANE_LOCAL_FLAGS (OPTST_DISABLED)
+
+/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (certtool_opt_strs+4113)
-#define HELP_name (certtool_opt_strs+4157)
+#define HELP_DESC (certtool_opt_strs+4571)
+#define HELP_name (certtool_opt_strs+4615)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (certtool_opt_strs+4162)
-#define MORE_HELP_name (certtool_opt_strs+4207)
+#define MORE_HELP_DESC (certtool_opt_strs+4620)
+#define MORE_HELP_name (certtool_opt_strs+4665)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC NULL
@@ -744,8 +818,8 @@ static int const aTo_P12MustList[] = {
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (certtool_opt_strs+4217)
-#define VER_name (certtool_opt_strs+4253)
+#define VER_DESC (certtool_opt_strs+4675)
+#define VER_name (certtool_opt_strs+4711)
/*
* Declare option callback procedures
*/
@@ -1415,6 +1489,78 @@ static tOptDesc optDesc[OPTION_CT] = {
/* desc, NAME, name */ PKCS_CIPHER_DESC, PKCS_CIPHER_NAME,
PKCS_CIPHER_name,
/* disablement strs */ NULL, NULL },
+ { /* entry idx, value */ 54, VALUE_OPT_DANE_RR,
+ /* equiv idx, value */ 54, VALUE_OPT_DANE_RR,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_RR_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-rr */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ aDane_RrMustList, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_RR_DESC, DANE_RR_NAME, DANE_RR_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 55, VALUE_OPT_DANE_HOST,
+ /* equiv idx, value */ 55, VALUE_OPT_DANE_HOST,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_HOST_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-host */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_HOST_DESC, DANE_HOST_NAME, DANE_HOST_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 56, VALUE_OPT_DANE_PROTO,
+ /* equiv idx, value */ 56, VALUE_OPT_DANE_PROTO,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_PROTO_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-proto */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_PROTO_DESC, DANE_PROTO_NAME, DANE_PROTO_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 57, VALUE_OPT_DANE_PORT,
+ /* equiv idx, value */ 57, VALUE_OPT_DANE_PORT,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_PORT_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-port */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ optionNumericVal,
+ /* desc, NAME, name */ DANE_PORT_DESC, DANE_PORT_NAME, DANE_PORT_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 58, VALUE_OPT_DANE_CA,
+ /* equiv idx, value */ 58, VALUE_OPT_DANE_CA,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_CA_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-ca */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_CA_DESC, DANE_CA_NAME, DANE_CA_name,
+ /* disablement strs */ NULL, NULL },
+
+ { /* entry idx, value */ 59, VALUE_OPT_DANE_LOCAL,
+ /* equiv idx, value */ 59, VALUE_OPT_DANE_LOCAL,
+ /* equivalenced to */ NO_EQUIVALENT,
+ /* min, max, act ct */ 0, 1, 0,
+ /* opt state flags */ DANE_LOCAL_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --dane-local */
+ /* arg list/cookie */ NULL,
+ /* must/cannot opts */ NULL, NULL,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ DANE_LOCAL_DESC, DANE_LOCAL_NAME, DANE_LOCAL_name,
+ /* disablement strs */ NULL, NULL },
+
{ /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
/* equiv idx value */ NO_EQUIVALENT, VALUE_OPT_VERSION,
/* equivalenced to */ NO_EQUIVALENT,
@@ -1459,14 +1605,14 @@ static tOptDesc optDesc[OPTION_CT] = {
*
* Define the certtool Option Environment
*/
-#define zPROGNAME (certtool_opt_strs+4261)
-#define zUsageTitle (certtool_opt_strs+4270)
+#define zPROGNAME (certtool_opt_strs+4719)
+#define zUsageTitle (certtool_opt_strs+4728)
#define zRcName NULL
#define apzHomeList NULL
-#define zBugsAddr (certtool_opt_strs+4377)
-#define zExplain (certtool_opt_strs+4396)
-#define zDetail (certtool_opt_strs+4399)
-#define zFullVersion (certtool_opt_strs+4573)
+#define zBugsAddr (certtool_opt_strs+4835)
+#define zExplain (certtool_opt_strs+4854)
+#define zDetail (certtool_opt_strs+4857)
+#define zFullVersion (certtool_opt_strs+5031)
/* extracted from optcode.tlib near line 350 */
#if defined(ENABLE_NLS)
@@ -1480,7 +1626,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define certtool_full_usage (NULL)
-#define certtool_short_usage (certtool_opt_strs+4592)
+#define certtool_short_usage (certtool_opt_strs+5050)
#endif /* not defined __doxygen__ */
@@ -1697,7 +1843,7 @@ tOptions certtoolOptions = {
NO_EQUIVALENT, /* '-#' option index */
NO_EQUIVALENT /* index of default opt */
},
- 57 /* full option count */, 54 /* user option count */,
+ 63 /* full option count */, 60 /* user option count */,
certtool_full_usage, certtool_short_usage,
NULL, NULL,
PKGDATADIR, certtool_packager_info
diff --git a/src/certtool-args.def b/src/certtool-args.def
index f802dcc..ac40d78 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -353,6 +353,49 @@ flag = {
doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192,
aes-256, rc2-40, arcfour.";
};
+flag = {
+ name = dane-rr;
+ descrip = "Print the DANE RR data on a certificate or public key";
+ flags_must = dane-host;
+ doc = "This command prints the DANE RR data needed to enable DANE on a DNS
server.";
+};
+
+flag = {
+ name = dane-host;
+ descrip = "Specify the hostname to be used in the DANE RR";
+ arg-type = string;
+ arg-name = "Hostname";
+ doc = "This command sets the hostname for the DANE RR.";
+};
+
+flag = {
+ name = dane-proto;
+ descrip = "The protocol set for DANE data (tcp, udp etc.)";
+ arg-type = string;
+ arg-name = "Protocol";
+ doc = "This command specifies the protocol for the service set in the DANE
data.";
+};
+
+flag = {
+ name = dane-port;
+ arg-type = number;
+ descrip = "Specify the port number for the DANE data.";
+ default-value = 443;
+ doc = "";
+};
+
+flag = {
+ name = dane-ca;
+ descrip = "Whether the provided certificate or public key is a
Certificate authority.";
+ doc = "Marks the DANE RR as a CA certificate if specified.";
+};
+
+flag = {
+ name = dane-local;
+ descrip = "Whether the provided certificate or public key is an unsigned
local entity.";
+ doc = "DANE distinguishes certificates and public keys offered via
the DNSSEC to trusted and local entities. Use this flag if this is a local
entity.";
+};
+
doc-section = {
ds-type = 'SEE ALSO';
ds-format = 'texi';
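Review bot: `doc = "";` on the dane-port flag means the generated manual gets no section for --dane-port at all (the texi hunk above indeed has dane-rr, dane-host, dane-proto, dane-ca and dane-local but no dane-port), and neither the dane-port nor the dane-proto text mentions the defaults that `default-value = 443;` and the tcp fallback in certtool.c provide; give dane-port a doc string along the lines of `doc = "Specifies the port number of the service in the DANE data (default 443).";` and add the tcp default to the dane-proto doc so --help and the manual agree with the behaviour.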
@@ -481,6 +524,25 @@ To verify a Certificate Revocation List (CRL) do:
@example
$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
@end example
+
address@hidden DANE RR generation
+To create a DANE resource record for a CA signed certificate use the following
commands.
+
address@hidden
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem
address@hidden example
+
+For a self signed certificate use:
address@hidden
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-local
address@hidden example
+
+In order to create a record for the signer of your certificate use:
address@hidden
+$ certtool --dane-rr --dane-host www.example.com --load-certificate cert.pem \
+ --dane-ca
address@hidden example
_EOT_;
};
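Review bot: the lead sentence says "use the following commands" but a single command follows, and none of the three examples passes --dane-port or --dane-proto, so a reader cannot tell from the manual that the record printed is for `_443._tcp` unless the defaults are stated; reword to "the following command", hyphenate "CA-signed" and "self-signed", and either state the defaults in the paragraph or add one example that passes --dane-port and --dane-proto explicitly.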
diff --git a/src/certtool-args.h b/src/certtool-args.h
index b7d9f6e..429b67a 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.h)
*
- * It has been AutoGen-ed August 4, 2012 at 12:13:08 PM by AutoGen 5.16
+ * It has been AutoGen-ed October 8, 2012 at 04:53:23 PM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
@@ -121,12 +121,18 @@ typedef enum {
INDEX_OPT_DISABLE_QUICK_RANDOM = 51,
INDEX_OPT_TEMPLATE = 52,
INDEX_OPT_PKCS_CIPHER = 53,
- INDEX_OPT_VERSION = 54,
- INDEX_OPT_HELP = 55,
- INDEX_OPT_MORE_HELP = 56
+ INDEX_OPT_DANE_RR = 54,
+ INDEX_OPT_DANE_HOST = 55,
+ INDEX_OPT_DANE_PROTO = 56,
+ INDEX_OPT_DANE_PORT = 57,
+ INDEX_OPT_DANE_CA = 58,
+ INDEX_OPT_DANE_LOCAL = 59,
+ INDEX_OPT_VERSION = 60,
+ INDEX_OPT_HELP = 61,
+ INDEX_OPT_MORE_HELP = 62
} teOptIndex;
-#define OPTION_CT 57
+#define OPTION_CT 63
#define CERTTOOL_VERSION "@VERSION@"
#define CERTTOOL_FULL_VERSION "certtool @VERSION@"
@@ -222,6 +228,14 @@ typedef enum {
#define VALUE_OPT_DISABLE_QUICK_RANDOM 147
#define VALUE_OPT_TEMPLATE 148
#define VALUE_OPT_PKCS_CIPHER 149
+#define VALUE_OPT_DANE_RR 150
+#define VALUE_OPT_DANE_HOST 151
+#define VALUE_OPT_DANE_PROTO 152
+#define VALUE_OPT_DANE_PORT 153
+
+#define OPT_VALUE_DANE_PORT (DESC(DANE_PORT).optArg.argInt)
+#define VALUE_OPT_DANE_CA 154
+#define VALUE_OPT_DANE_LOCAL 155
#define VALUE_OPT_HELP 'h'
#define VALUE_OPT_MORE_HELP '!'
#define VALUE_OPT_VERSION 'v'
diff --git a/src/certtool.c b/src/certtool.c
index 8779131..ce71b20 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -26,6 +26,7 @@
#include <gnutls/pkcs12.h>
#include <gnutls/pkcs11.h>
#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
#include <stdio.h>
#include <stdlib.h>
@@ -72,6 +73,8 @@ void generate_request (common_info_st *);
static void print_certificate_info (gnutls_x509_crt_t crt, FILE * out,
unsigned int all);
static void verify_certificate (common_info_st * cinfo);
+static void dane_info(const char* host, const char* proto, unsigned int port,
+ unsigned int ca, unsigned int local, common_info_st *
cinfo);
FILE *outfile;
FILE *infile;
@@ -1075,6 +1078,9 @@ cmd_parser (int argc, char **argv)
#endif
else if (HAVE_OPT(CRQ_INFO))
crq_info ();
+ else if (HAVE_OPT(DANE_RR))
+ dane_info (OPT_ARG(DANE_HOST), OPT_ARG(DANE_PROTO), OPT_VALUE_DANE_PORT,
+ HAVE_OPT(DANE_CA), HAVE_OPT(DANE_LOCAL), &cinfo);
else
USAGE(1);
@@ -1086,6 +1092,93 @@ cmd_parser (int argc, char **argv)
gnutls_global_deinit ();
}
+static void dane_info(const char* host, const char* proto, unsigned int port,
+ unsigned int ca, unsigned int local, common_info_st *
cinfo)
+{
+ gnutls_pubkey_t pubkey;
+ gnutls_x509_crt_t crt;
+ unsigned char digest[64];
+ gnutls_datum_t t;
+ int ret;
+ unsigned int usage, selector, type;
+ size_t size;
+
+ if (proto == NULL)
+ proto = "tcp";
+ if (port == 0)
+ port = 443;
+
+ crt = load_cert (0, cinfo);
+ if (crt != NULL)
+ {
+ selector = 0; /* X.509 */
+
+ size = buffer_size;
+ ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_DER, buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
+
+ gnutls_x509_crt_deinit (crt);
+ }
+ else
+ {
+ selector = 1;
+
+ ret = gnutls_pubkey_init (&pubkey);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "pubkey_init: %s", gnutls_strerror (ret));
+
+ pubkey = load_pubkey (1, cinfo);
+
+ size = buffer_size;
+ ret = gnutls_pubkey_export (pubkey, GNUTLS_X509_FMT_DER, buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "export error: %s", gnutls_strerror (ret));
+
+ gnutls_pubkey_deinit (pubkey);
+ }
+
+ if (default_dig != GNUTLS_DIG_SHA256 && default_dig != GNUTLS_DIG_SHA512)
+ {
+ fprintf(stderr, "Unsupported digest. Assuming SHA256.\n");
+ default_dig = GNUTLS_DIG_SHA256;
+ }
+
+ ret = gnutls_hash_fast(default_dig, buffer, size, digest);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "hash error: %s", gnutls_strerror (ret));
+
+ if (default_dig == GNUTLS_DIG_SHA256)
+ type = 1;
+ else type = 2;
+
+ /* DANE certificate classification crap */
+ if (local==0)
+ {
+ if (ca) usage = 0;
+ else usage = 1;
+ }
+ else
+ {
+ if (ca) usage = 2;
+ else usage = 3;
+ }
+
+ t.data = digest;
+ t.size = gnutls_hash_get_len(default_dig);
+
+ size = buffer_size;
+ ret = gnutls_hex_encode(&t, (void*)buffer, &size);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "hex encode error: %s", gnutls_strerror (ret));
+
+ fprintf(outfile, "_%u._%s.%s. IN TLSA ( %u %u %u %s )\n", port, proto, host,
usage, selector, type, buffer);
+
+
+
+}
+
+
#define MAX_CRTS 500
void
certificate_info (int pubkey, common_info_st * cinfo)
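Review bot: in the public-key branch, `ret = gnutls_pubkey_init (&pubkey);` is immediately followed by `pubkey = load_pubkey (1, cinfo);`, which overwrites the freshly initialised handle and leaks it, since load_pubkey returns its own object and that is what gets exported and deinitialised; drop the gnutls_pubkey_init call and its error check. Two smaller points: the format string appends a dot after `host`, so a host given with a trailing dot prints as `www.example.com..`, which should be stripped or documented; and the run of blank lines before the closing brace plus the "classification crap" comment want tidying, for instance a comment naming the four usage values written there (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE, the RFC 6698 names).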
hooks/post-receive
--
GNU gnutls