[SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-141-g0284011
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-141-g0284011
Date: Fri, 28 May 2010 21:06:44 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=028401136e9dbd6ac5ea294765bd07e01adc31b1
The branch, new has been updated
via 028401136e9dbd6ac5ea294765bd07e01adc31b1 (commit)
via 8d95b56eb97e189f289e74db1c2bd23f01c3d2f5 (commit)
via c50fe33ebe992a83f75dd88e5159cf78971cda51 (commit)
via f5561b0d119c5f9f944e16b7b087bce087f54439 (commit)
via 7863d7ca9118d5a5cac2fb272dc18fac73b2f11e (commit)
via 4c99107c03a7de49194c4c5b272269a085cdeac4 (commit)
via 7f159c28305a2158bdeeeca090d2714bad379ffd (commit)
via 9c6fabfcc1cd8dad2296fcd30998d2f4bb7df31d (commit)
via 9ba6e3ca2183be17481e0c1ad533c8d6d868cf6b (commit)
from db92e6df198c68878c264c9863814ce10ef0761d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 028401136e9dbd6ac5ea294765bd07e01adc31b1
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 28 23:06:28 2010 +0200
More AES stuff (still doesn't work).
commit 8d95b56eb97e189f289e74db1c2bd23f01c3d2f5
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 28 23:06:25 2010 +0200
Correction in RSA encryption.
commit c50fe33ebe992a83f75dd88e5159cf78971cda51
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 28 21:25:18 2010 +0200
Fixed issue with AES.
commit f5561b0d119c5f9f944e16b7b087bce087f54439
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 28 21:08:44 2010 +0200
Added gnutls_sec_param_to_pk_bits() et al. to allow select bit
sizes for private keys using a human understandable scale.
commit 7863d7ca9118d5a5cac2fb272dc18fac73b2f11e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 28 20:37:58 2010 +0200
Added support for SHA224 and SHA256 in DSA.
commit 4c99107c03a7de49194c4c5b272269a085cdeac4
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Fri May 28 17:31:10 2010 +0200
Always use included pakchois.
commit 7f159c28305a2158bdeeeca090d2714bad379ffd
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Thu May 27 00:00:48 2010 +0200
make sure all lines fit in page.
commit 9c6fabfcc1cd8dad2296fcd30998d2f4bb7df31d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 26 23:58:35 2010 +0200
make example more compact by removing error checking.
commit 9ba6e3ca2183be17481e0c1ad533c8d6d868cf6b
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Wed May 26 23:55:40 2010 +0200
Added bibliographic reference to PKCS #11.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 8 ++
doc/cha-bib.texi | 4 +
doc/cha-cert-auth.texi | 29 ++----
doc/examples/ex-cert-select-pkcs11.c | 6 +-
lib/gcrypt/Makefile.am | 1 +
lib/gnutls_algorithms.c | 120 +++++++++++++++++++++++
lib/includes/gnutls/gnutls.h.in | 34 +++++++-
lib/libgnutls.map | 4 +
lib/m4/hooks.m4 | 3 +
lib/nettle/Makefile.am | 1 +
lib/nettle/cipher.c | 88 +++++++++++++++---
lib/nettle/pk.c | 4 +-
lib/openpgp/output.c | 2 +
lib/x509/common.h | 4 +
lib/x509/output.c | 2 +
lib/x509/privkey.c | 2 +
src/certtool-gaa.c | 177 +++++++++++++++++++---------------
src/certtool-gaa.h | 24 +++--
src/certtool.c | 40 ++++++++
src/certtool.gaa | 7 +-
20 files changed, 434 insertions(+), 126 deletions(-)
diff --git a/NEWS b/NEWS
index d3b30cd..11fb483 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ See the end for copying conditions.
* Version 2.11.0 (unreleased)
+** libgnutls: Added support for DSA-SHA256 and DSA-SHA224
+
** libgnutls: Added PKCS #11 support and an API to access objects in
gnutls/pkcs11.h. Currently certificates and public keys can be
imported from tokens, and operations can be performed on private keys.
@@ -24,6 +26,9 @@ PKCS #11 private keys.
** libgnutls: Added gnutls_pkcs11_copy_x509_crt(),
gnutls_pkcs11_copy_x509_privkey(),
and gnutls_pkcs11_delete_url() to allow copying and deleting data in tokens.
+** libgnutls: Added gnutls_sec_param_to_pk_bits() et al. to allow select bit
+sizes for private keys using a human understandable scale.
+
** certtool: Added new options: --pkcs11-list-tokens, --pkcs11-list-all
--pkcs11-list-all-certs, --pkcs11-list-trusted, --pkcs11-list-certs,
--pkcs11-delete-url, --pkcs11-write
@@ -38,6 +43,9 @@
pkcs11:token=Root%20CA%20Certificates;serial=1%3AROOTS%3ADEFAULT;model=1%2E0;man
gnutls_certificate_set_server_retrieve_function: DEPRECATED
gnutls_certificate_set_client_retrieve_function: DEPRECATED
gnutls_sign_callback_set: DEPRECATED
+gnutls_sec_param_to_pk_bits: ADDED
+gnutls_pk_bits_to_sec_param: ADDED
+gnutls_sec_param_get_name: ADDED
gnutls_pkcs11_type_get_name: ADDED
gnutls_certificate_set_retrieve_function: ADDED
gnutls_pkcs11_init: ADDED
diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index d52744e..792bc8c 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -94,6 +94,10 @@ January 2008, available from
@url{http://www.ietf.org/rfc/rfc5077}.
RSA Laboratories, "PKCS 12 v1.0: Personal Information Exchange
Syntax", June 1999, Available from @url{http://www.rsa.com}.
address@hidden @anchor{PKCS11}[PKCS11]
+RSA Laboratories, "PKCS #11 Base Functionality v2.30: Cryptoki â Draft 4",
+July 2009, Available from @url{http://www.rsa.com}.
+
@item @anchor{RESCORLA}[RESCORLA]
Eric Rescorla, "SSL and TLS: Designing and Building Secure Systems",
2001
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 61de5e6..9b653df 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -325,7 +325,7 @@ MD5. These algorithms have been broken and should not be
trusted.
@cindex @acronym{PKCS #11} tokens
@subsection Introduction
-This section copes with the @acronym{PKCS #11} support in @acronym{GnuTLS}.
+This section copes with the @acronym{PKCS #11} @xcite{PKCS11} support in
@acronym{GnuTLS}.
@acronym{PKCS #11} is plugin API allowing applications to access cryptographic
operations on a token, as well as to objects residing on the token. A token
can
be a real hardware token such as a smart card, or it can be a software
component
@@ -376,8 +376,8 @@ URLs as described in @code{draft-pechanec-pkcs11uri-01}.
For example a public
key on a smart card may be referenced as:
@example
-pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;\
-object=test1;objecttype=public;\
+pkcs11:token=Nikos;serial=307521161601031;model=PKCS%2315; \
+manufacturer=EnterSafe;object=test1;objecttype=public;\
id=32:f1:53:f3:e3:79:90:b0:86:24:14:10:77:ca:5d:ec:2d:15:fa:ed
@end example
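Review bot: The continuation on the first line of the example URL is written `model=PKCS%2315; \` with a space before the backslash, while the next line ends in `;\` with none. A reader who joins the lines by hand gets a space inside the PKCS #11 URL in one place and not in the other; use the same form on both lines, preferably without the space.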
@@ -457,30 +457,21 @@ int i;
GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
exit(1);
-
+
+ /* no error checking from now on */
obj_list = malloc(sizeof(*obj_list)*obj_list_size);
- if (obj_list == NULL)
- exit(1);
- ret = gnutls_pkcs11_obj_list_import_url( obj_list, &obj_list_size, url,
flags);
- if (ret < 0)
- exit(1);
+ gnutls_pkcs11_obj_list_import_url( obj_list, &obj_list_size, url,
flags);
/* now all certificates are in obj_list */
for (i=0;i<obj_list_size;i++) {
- ret = gnutls_x509_crt_init(&xcrt);
- if (ret < 0)
- exit(1);
+ gnutls_x509_crt_init(&xcrt);
- ret = gnutls_x509_crt_import_pkcs11(xcrt, obj_list[i]);
- if (ret < 0)
- exit(1);
+ gnutls_x509_crt_import_pkcs11(xcrt, obj_list[i]);
- ret = gnutls_x509_crt_print (xcrt, GNUTLS_CRT_PRINT_FULL,
&cinfo);
- if (ret < 0)
- exit(1);
+ gnutls_x509_crt_print (xcrt, GNUTLS_CRT_PRINT_FULL, &cinfo);
fprintf(stdout, "cert[%d]:\n %s\n\n", cinfo.data);
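Review bot: With the checks removed, the result of `obj_list = malloc(sizeof(*obj_list)*obj_list_size);` is used unchecked and the return values of `gnutls_pkcs11_obj_list_import_url`, `gnutls_x509_crt_init` and `gnutls_x509_crt_import_pkcs11` are dropped, so the loop goes on to print from `xcrt` and `cinfo` even when an import failed. Documentation examples get copied into applications; keep at least the allocation check and the import check, or extend the `/* no error checking from now on */` comment to say that real code must test every return value. The unchanged `fprintf(stdout, "cert[%d]:\n %s\n\n", cinfo.data);` line also passes one argument for two conversions and should get `i` added while this block is being touched.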
@@ -544,7 +535,7 @@ gnutls_pkcs11_privkey_t ca_key;
gnutls_x509_crt_t ca_cert;
gnutls_privkey_t abs_key;
- /* load the PKCS 11 key and certificates */
+ /* load the PKCS #11 key and certificates */
gnutls_pkcs11_privkey_init(&ca_key);
gnutls_pkcs11_privkey_import_url(ca_key, key_url);
diff --git a/doc/examples/ex-cert-select-pkcs11.c
b/doc/examples/ex-cert-select-pkcs11.c
index ab15fdf..a7cf1e2 100644
--- a/doc/examples/ex-cert-select-pkcs11.c
+++ b/doc/examples/ex-cert-select-pkcs11.c
@@ -25,8 +25,10 @@
#define MSG "GET / HTTP/1.0\r\n\r\n"
#define CAFILE "ca.pem"
-#define CERT_URL
"pkcs11:manufacturer=EnterSafe;object=Certificate;id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26"
-#define KEY_URL
"pkcs11:manufacturer=EnterSafe;object=Certificate;id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26"
+#define CERT_URL "pkcs11:manufacturer=EnterSafe;object=Certificate" \
+ ";id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26"
+#define KEY_URL "pkcs11:manufacturer=EnterSafe;object=Certificate" \
+ ";id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26"
extern int tcp_connect (void);
extern void tcp_close (int sd);
diff --git a/lib/gcrypt/Makefile.am b/lib/gcrypt/Makefile.am
index e55459c..c7efbe5 100644
--- a/lib/gcrypt/Makefile.am
+++ b/lib/gcrypt/Makefile.am
@@ -21,6 +21,7 @@
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA
+AM_CFLAGS = $(WERROR_CFLAGS) $(WSTACK_CFLAGS) $(WARN_CFLAGS)
AM_CPPFLAGS = \
-I$(srcdir)/../gl \
-I$(builddir)/../gl \
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index 2ba2422..b8aec37 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -1908,6 +1908,10 @@ static const gnutls_sign_entry sign_algorithms[] = {
GNUTLS_MAC_RMD160, TLS_SIGN_AID_UNKNOWN},
{"DSA-SHA1", SIG_DSA_SHA1_OID, GNUTLS_SIGN_DSA_SHA1, GNUTLS_PK_DSA,
GNUTLS_MAC_SHA1, {2, 2}},
+ {"DSA-SHA224", SIG_DSA_SHA224_OID, GNUTLS_SIGN_DSA_SHA224, GNUTLS_PK_DSA,
+ GNUTLS_MAC_SHA224, {3, 2}},
+ {"DSA-SHA256", SIG_DSA_SHA256_OID, GNUTLS_SIGN_DSA_SHA256, GNUTLS_PK_DSA,
+ GNUTLS_MAC_SHA256, {4, 2}},
{"RSA-MD5", SIG_RSA_MD5_OID, GNUTLS_SIGN_RSA_MD5, GNUTLS_PK_RSA,
GNUTLS_MAC_MD5, {1, 1}},
{"RSA-MD2", SIG_RSA_MD2_OID, GNUTLS_SIGN_RSA_MD2, GNUTLS_PK_RSA,
@@ -2268,3 +2272,119 @@ _gnutls_x509_pk_to_oid (gnutls_pk_algorithm_t algorithm)
return ret;
}
+
+/**
+ * gnutls_sec_param_to_pk_bits:
+ * @algo: is a public key algorithm
+ * @param: is a security parameter
+ *
+ * When generating private and public key pairs a difficult question
+ * is which size of "bits" the modulus will be in RSA and the group size
+ * in DSA. The easy answer is 1024, which is also wrong. This function
+ * will convert a human understandable security parameter to an
+ * appropriate size for the specific algorithm.
+ *
+ * Returns: The number of bits, or zero.
+ *
+ **/
+unsigned int gnutls_sec_param_to_pk_bits (gnutls_pk_algorithm_t algo,
+ gnutls_sec_param_t param)
+{
+
+ switch(algo)
+ {
+ case GNUTLS_PK_RSA:
+ case GNUTLS_PK_DSA:
+ switch(param)
+ {
+ case GNUTLS_SEC_PARAM_LOW:
+ return 1024;
+ case GNUTLS_SEC_PARAM_HIGH:
+ return 3072;
+ case GNUTLS_SEC_PARAM_ULTRA:
+ return 7680;
+ case GNUTLS_SEC_PARAM_NORMAL:
+ default:
+ return 2048;
+ }
+ default:
+ gnutls_assert();
+ return 0;
+ }
+
+}
+
+/**
+ * gnutls_sec_param_get_name:
+ * @param: is a security parameter
+ *
+ * Convert a #gnutls_sec_param_t value to a string.
+ *
+ * Returns: a pointer to a string that contains the name of the
+ * specified public key algorithm, or %NULL.
+ *
+ **/
+const char *
+gnutls_sec_param_get_name (gnutls_sec_param_t param)
+{
+ const char *p;
+
+ switch (param)
+ {
+ case GNUTLS_SEC_PARAM_WEAK:
+ p = "Weak";
+ break;
+
+ case GNUTLS_SEC_PARAM_LOW:
+ p = "Low";
+ break;
+
+ case GNUTLS_SEC_PARAM_NORMAL:
+ p = "Normal";
+ break;
+
+ case GNUTLS_SEC_PARAM_HIGH:
+ p = "High";
+ break;
+
+ case GNUTLS_SEC_PARAM_ULTRA:
+ p = "Ultra";
+ break;
+
+ default:
+ p = "Unknown";
+ break;
+ }
+
+ return p;
+}
+
+/**
+ * gnutls_pk_bits_to_sec_param:
+ * @algo: is a public key algorithm
+ * @bits: is the number of bits
+ *
+ * This is the inverse of gnutls_sec_param_to_pk_bits(). Given an algorithm
+ * and the number of bits, it will return the security parameter. This is
+ * a rough indication.
+ *
+ * Returns: The security parameter.
+ *
+ **/
+gnutls_sec_param_t gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo,
+ unsigned int bits)
+{
+
+ /* currently we ignore algo */
+ if (bits >= 7680)
+ return GNUTLS_SEC_PARAM_ULTRA;
+ else if (bits >= 3072)
+ return GNUTLS_SEC_PARAM_HIGH;
+ else if (bits >= 2048)
+ return GNUTLS_SEC_PARAM_NORMAL;
+ else if (bits >= 1024)
+ return GNUTLS_SEC_PARAM_LOW;
+ else
+ return GNUTLS_SEC_PARAM_WEAK;
+
+}
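Review bot: In `gnutls_sec_param_to_pk_bits` the inner `default:` sits under `case GNUTLS_SEC_PARAM_NORMAL:`, so every parameter not listed, including `GNUTLS_SEC_PARAM_WEAK` as named in `gnutls_sec_param_get_name` below, silently yields 2048, and the "or zero" in the doc comment does not say that zero is returned only for an unsupported algorithm. Please document both behaviours or handle the unlisted values explicitly. Two smaller points in the same hunk: the `gnutls_sec_param_get_name` comment describes "the name of the specified public key algorithm, or %NULL" although the function names a security parameter and its `default:` returns "Unknown", and `gnutls_pk_bits_to_sec_param` accepts `algo` but ignores it, which belongs in its doc comment and not only in the `/* currently we ignore algo */` body comment.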
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 3cb9611..441b428 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -569,6 +569,8 @@ extern "C"
* @GNUTLS_SIGN_RSA_SHA1: Digital signature algorithm RSA with SHA-1
* @GNUTLS_SIGN_RSA_SHA: Same as %GNUTLS_SIGN_RSA_SHA1.
* @GNUTLS_SIGN_DSA_SHA1: Digital signature algorithm DSA with SHA-1
+ * @GNUTLS_SIGN_DSA_SHA224: Digital signature algorithm DSA with SHA-224
+ * @GNUTLS_SIGN_DSA_SHA256: Digital signature algorithm DSA with SHA-256
* @GNUTLS_SIGN_DSA_SHA: Same as %GNUTLS_SIGN_DSA_SHA1.
* @GNUTLS_SIGN_RSA_MD5: Digital signature algorithm RSA with MD5.
* @GNUTLS_SIGN_RSA_MD2: Digital signature algorithm RSA with MD2.
@@ -593,11 +595,35 @@ extern "C"
GNUTLS_SIGN_RSA_SHA256 = 6,
GNUTLS_SIGN_RSA_SHA384 = 7,
GNUTLS_SIGN_RSA_SHA512 = 8,
- GNUTLS_SIGN_RSA_SHA224 = 9
+ GNUTLS_SIGN_RSA_SHA224 = 9,
+ GNUTLS_SIGN_DSA_SHA224 = 10,
+ GNUTLS_SIGN_DSA_SHA256 = 11,
} gnutls_sign_algorithm_t;
const char *gnutls_sign_algorithm_get_name (gnutls_sign_algorithm_t sign);
+ /**
+ * gnutls_sec_param_t:
+ * @GNUTLS_SEC_PARAM_UNKNOWN: Cannot be known
+ * @GNUTLS_SEC_PARAM_WEAK: 50 or less bits of security
+ * @GNUTLS_SEC_PARAM_LOW: 80 bits of security
+ * @GNUTLS_SEC_PARAM_NORMAL: 112 bits of security
+ * @GNUTLS_SEC_PARAM_HIGH: 128 bits of security
+ * @GNUTLS_SEC_PARAM_ULTRA: 192 bits of security
+ *
+ * Enumeration of security parameters for passive attacks
+ */
+ typedef enum
+ {
+ GNUTLS_SEC_PARAM_UNKNOWN,
+ GNUTLS_SEC_PARAM_WEAK,
+ GNUTLS_SEC_PARAM_LOW,
+ GNUTLS_SEC_PARAM_NORMAL,
+ GNUTLS_SEC_PARAM_HIGH,
+ GNUTLS_SEC_PARAM_ULTRA,
+ } gnutls_sec_param_t;
+
+
/* If you want to change this, then also change the define in
* gnutls_int.h, and recompile.
*/
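Review bot: Both enums in this hunk now end with a trailing comma (`GNUTLS_SIGN_DSA_SHA256 = 11,` and `GNUTLS_SEC_PARAM_ULTRA,`). This is an installed public header, and a trailing comma in an enumerator list is not valid C89 and is flagged by strict compiler modes; drop the comma after the last enumerator. The `gnutls_sec_param_t` values also carry no explicit numbers, unlike the `gnutls_sign_algorithm_t` entries above, so inserting a level later would change the values applications were compiled against; assigning them explicitly would pin them.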
@@ -656,6 +682,12 @@ extern "C"
int gnutls_alert_send_appropriate (gnutls_session_t session, int err);
const char *gnutls_alert_get_name (gnutls_alert_description_t alert);
+ gnutls_sec_param_t gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo,
+ unsigned int bits);
+ const char * gnutls_sec_param_get_name (gnutls_sec_param_t param);
+ unsigned int gnutls_sec_param_to_pk_bits (gnutls_pk_algorithm_t algo,
+ gnutls_sec_param_t param);
+
/* get information on the current session */
gnutls_cipher_algorithm_t gnutls_cipher_get (gnutls_session_t session);
gnutls_kx_algorithm_t gnutls_kx_get (gnutls_session_t session);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 2acda43..1baa463 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -671,6 +671,10 @@ GNUTLS_2_11
gnutls_pkcs11_copy_x509_crt;
gnutls_pkcs11_copy_x509_privkey;
gnutls_pkcs11_delete_url;
+
+ gnutls_sec_param_to_pk_bits;
+ gnutls_sec_param_get_name;
+ gnutls_pk_bits_to_sec_param;
} GNUTLS_2_10;
GNUTLS_PRIVATE {
diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4
index aaf95c6..ddac5f8 100644
--- a/lib/m4/hooks.m4
+++ b/lib/m4/hooks.m4
@@ -107,6 +107,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
]])
fi
fi
+ #not other option for now. The released pakchois cannot open an arbitrary
PKCS11 module,
+ #and the author is reluctant to add such feature.
+ included_pakchois=yes
AC_MSG_CHECKING([whether to use the included pakchois])
AC_MSG_RESULT($included_pakchois)
AM_CONDITIONAL(ENABLE_LOCAL_PAKCHOIS, test "$included_pakchois" = "yes")
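Review bot: `included_pakchois=yes` is assigned unconditionally after the closing `fi` lines, so whatever the preceding tests decided is discarded and the `AC_MSG_CHECKING([whether to use the included pakchois])` line below will always report yes. If the system library really cannot be used, remove the now-dead detection or fail with a clear message when the system copy is requested, so the choice is not overridden silently. The comment should also read "no other option for now".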
diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am
index e55459c..c7efbe5 100644
--- a/lib/nettle/Makefile.am
+++ b/lib/nettle/Makefile.am
@@ -21,6 +21,7 @@
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA
+AM_CFLAGS = $(WERROR_CFLAGS) $(WSTACK_CFLAGS) $(WARN_CFLAGS)
AM_CPPFLAGS = \
-I$(srcdir)/../gl \
-I$(builddir)/../gl \
diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
index 1c56a39..d1338f2 100644
--- a/lib/nettle/cipher.c
+++ b/lib/nettle/cipher.c
@@ -49,9 +49,33 @@ static void stream_encrypt (void* ctx, nettle_crypt_func
func, unsigned block_si
func(ctx, length, dst, src);
}
+struct aes_bidi_ctx
+{
+ struct aes_ctx encrypt;
+ struct aes_ctx decrypt;
+};
+
+static void aes_bidi_setkey (struct aes_bidi_ctx* ctx, unsigned length, const
uint8_t *key)
+{
+ aes_set_encrypt_key (&ctx->encrypt, length, key);
+ aes_set_decrypt_key (&ctx->decrypt, length, key);
+}
+
+static void aes_bidi_encrypt(struct aes_bidi_ctx *ctx,
+ unsigned length, uint8_t *dst, const uint8_t *src)
+{
+ aes_encrypt(&ctx->encrypt, length, dst, src);
+}
+
+static void aes_bidi_decrypt(struct aes_bidi_ctx *ctx,
+ unsigned length, uint8_t *dst, const uint8_t *src)
+{
+ aes_decrypt(&ctx->decrypt, length, dst, src);
+}
+
struct nettle_cipher_ctx {
union {
- struct aes_ctx aes;
+ struct aes_bidi_ctx aes_bidi;
struct arcfour_ctx arcfour;
struct arctwo_ctx arctwo;
struct des3_ctx des3;
@@ -65,7 +89,6 @@ struct nettle_cipher_ctx {
nettle_crypt_func* i_decrypt;
encrypt_func encrypt;
decrypt_func decrypt;
- setkey_func setkey;
};
@@ -75,7 +98,7 @@ wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo, void
**_ctx)
{
struct nettle_cipher_ctx* ctx;
- ctx = gnutls_calloc(1, sizeof(struct nettle_cipher_ctx));
+ ctx = gnutls_calloc(1, sizeof(*ctx));
if (ctx == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
@@ -89,10 +112,9 @@ wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo,
void **_ctx)
case GNUTLS_CIPHER_AES_256_CBC:
ctx->encrypt = cbc_encrypt;
ctx->decrypt = cbc_decrypt;
- ctx->i_encrypt = (nettle_crypt_func*)aes_encrypt;
- ctx->i_decrypt = (nettle_crypt_func*)aes_decrypt;
- ctx->setkey = (setkey_func)aes_set_key;
- ctx->ctx_ptr = &ctx->ctx.aes;
+ ctx->i_encrypt = (nettle_crypt_func*)aes_bidi_encrypt;
+ ctx->i_decrypt = (nettle_crypt_func*)aes_bidi_decrypt;
+ ctx->ctx_ptr = &ctx->ctx.aes_bidi;
ctx->block_size = AES_BLOCK_SIZE;
break;
case GNUTLS_CIPHER_3DES_CBC:
@@ -100,7 +122,6 @@ wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo,
void **_ctx)
ctx->decrypt = cbc_decrypt;
ctx->i_encrypt = (nettle_crypt_func*)des3_encrypt;
ctx->i_decrypt = (nettle_crypt_func*)des3_decrypt;
- ctx->setkey = (setkey_func)des3_set_key2;
ctx->ctx_ptr = &ctx->ctx.des3;
ctx->block_size = DES3_BLOCK_SIZE;
break;
@@ -109,7 +130,6 @@ wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo,
void **_ctx)
ctx->decrypt = cbc_decrypt;
ctx->i_encrypt = (nettle_crypt_func*)des_encrypt;
ctx->i_decrypt = (nettle_crypt_func*)des_decrypt;
- ctx->setkey = (setkey_func)des_set_key2;
ctx->ctx_ptr = &ctx->ctx.des;
ctx->block_size = DES_BLOCK_SIZE;
break;
@@ -119,7 +139,6 @@ wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo,
void **_ctx)
ctx->decrypt = stream_encrypt;
ctx->i_encrypt = (nettle_crypt_func*)arcfour_crypt;
ctx->i_decrypt = (nettle_crypt_func*)arcfour_crypt;
- ctx->setkey = (setkey_func)arcfour_set_key;
ctx->ctx_ptr = &ctx->ctx.arcfour;
ctx->block_size = 1;
break;
@@ -128,7 +147,6 @@ wrap_nettle_cipher_init (gnutls_cipher_algorithm_t algo,
void **_ctx)
ctx->decrypt = cbc_decrypt;
ctx->i_encrypt = (nettle_crypt_func*)arctwo_encrypt;
ctx->i_decrypt = (nettle_crypt_func*)arctwo_decrypt;
- ctx->setkey = (setkey_func)arctwo_set_key;
ctx->ctx_ptr = &ctx->ctx.arctwo;
ctx->block_size = ARCTWO_BLOCK_SIZE;
break;
@@ -147,8 +165,54 @@ static int
wrap_nettle_cipher_setkey (void *_ctx, const void *key, size_t keysize)
{
struct nettle_cipher_ctx* ctx = _ctx;
+ opaque des_key[DES3_KEY_SIZE];
- ctx->setkey(ctx->ctx_ptr, keysize, key);
+ switch (ctx->algo) {
+ case GNUTLS_CIPHER_AES_128_CBC:
+ case GNUTLS_CIPHER_AES_192_CBC:
+ case GNUTLS_CIPHER_AES_256_CBC:
+ aes_bidi_setkey(&ctx->ctx_ptr, keysize, key);
+ break;
+ case GNUTLS_CIPHER_3DES_CBC:
+ /* why do we have to deal with parity address@hidden(*$# */
+ if (keysize != DES3_KEY_SIZE) {
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+ des_fix_parity(keysize, des_key, key);
+
+ /* this fails on weak keys */
+ if (des3_set_key(ctx->ctx_ptr, des_key)!=1) {
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+ break;
+ case GNUTLS_CIPHER_DES_CBC:
+ if (keysize != DES_KEY_SIZE)
+ {
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+ des_fix_parity(keysize, des_key, key);
+
+ if (des_set_key(ctx->ctx_ptr, des_key)!=1) {
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+ break;
+ case GNUTLS_CIPHER_ARCFOUR_128:
+ case GNUTLS_CIPHER_ARCFOUR_40:
+ arcfour_set_key(ctx->ctx_ptr, keysize, key);
+ break;
+ case GNUTLS_CIPHER_RC2_40_CBC:
+ arctwo_set_key(ctx->ctx_ptr, keysize, key);
+ break;
+ default:
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
return 0;
}
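Review bot: In the AES case `aes_bidi_setkey(&ctx->ctx_ptr, keysize, key);` passes the address of the `ctx_ptr` member, while every other case in this switch passes `ctx->ctx_ptr` itself. The two key schedules would then be written starting at the pointer field of `struct nettle_cipher_ctx` instead of into the `aes_bidi` member of the union, overwriting that pointer and the members after it; pass `ctx->ctx_ptr`. In addition, `des_key` keeps the parity-adjusted key on the stack on every return path of the DES and 3DES cases and should be cleared before returning, and the switch now depends on `ctx->algo`, whose assignment is not visible in this patch, so please confirm that `wrap_nettle_cipher_init` sets it.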
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index e82cac9..44b6569 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -92,9 +92,9 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
return GNUTLS_E_MPI_SCAN_FAILED;
}
- mpz_powm(p, p, TOMPZ(pk_params->params[1]),
TOMPZ(pk_params->params[0]));
+ mpz_powm(p, p, TOMPZ(pk_params->params[1])/*e*/,
TOMPZ(pk_params->params[0]/*m*/));
- ret = _gnutls_mpi_dprint(p, ciphertext);
+ ret = _gnutls_mpi_dprint_size(p, ciphertext, plaintext->size);
_gnutls_mpi_release(&p);
if (ret < 0) {
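Review bot: `_gnutls_mpi_dprint_size(p, ciphertext, plaintext->size)` takes the output length from the input buffer, but the result of `mpz_powm` is reduced modulo `params[0]`, so its natural fixed length is the size of the modulus. If `plaintext` is not guaranteed to be padded to the modulus length before this point, the ciphertext will be sized wrongly; derive the length from `params[0]` or state the precondition in a comment. The annotations are also inconsistent: `/*e*/` sits outside the `TOMPZ()` call and `/*m*/` inside it, and the modulus is conventionally called n.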
diff --git a/lib/openpgp/output.c b/lib/openpgp/output.c
index 982a6a6..20d2855 100644
--- a/lib/openpgp/output.c
+++ b/lib/openpgp/output.c
@@ -237,6 +237,8 @@ print_key_info (gnutls_string * str, gnutls_openpgp_crt_t
cert, int idx)
name = _("unknown");
addf (str, _("\tPublic Key Algorithm: %s\n"), name);
+ addf (str, _("\tKey Security Level: %s\n"),
gnutls_sec_param_get_name(gnutls_pk_bits_to_sec_param(err, bits)));
+
switch (err)
{
case GNUTLS_PK_RSA:
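Review bot: The new `addf` line calls `gnutls_pk_bits_to_sec_param(err, bits)` directly after the fallback that sets `name = _("unknown")`, so a security level is printed even when the algorithm is not recognised, using whatever `bits` holds at that point. Print the level only when `err` is a valid algorithm, for example inside the `switch (err)` cases, and print an unknown level otherwise.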
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 2ab7634..6dd62ec 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -49,6 +49,10 @@
/* signature OIDs
*/
#define SIG_DSA_SHA1_OID "1.2.840.10040.4.3"
+/* those two from draft-ietf-pkix-sha2-dsa-ecdsa-06 */
+#define SIG_DSA_SHA224_OID "2.16.840.1.101.3.4.3.1"
+#define SIG_DSA_SHA256_OID "2.16.840.1.101.3.4.3.2"
+
#define SIG_RSA_MD5_OID "1.2.840.113549.1.1.4"
#define SIG_RSA_MD2_OID "1.2.840.113549.1.1.2"
#define SIG_RSA_SHA1_OID "1.2.840.113549.1.1.5"
diff --git a/lib/x509/output.c b/lib/x509/output.c
index f4ea366..98393ae 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -1096,6 +1096,8 @@ print_cert (gnutls_string * str, gnutls_x509_crt_t cert,
int notsigned)
name = _("unknown");
addf (str, _("\tSubject Public Key Algorithm: %s\n"), name);
+ addf (str, _("\tCertificate Security Level: %s\n"),
gnutls_sec_param_get_name(gnutls_pk_bits_to_sec_param(err, bits)));
+
#ifdef ENABLE_PKI
switch (err)
{
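Review bot: The label "Certificate Security Level" is computed only from the subject public key size via `gnutls_pk_bits_to_sec_param(err, bits)`; it says nothing about the signature algorithm or hash that protects the certificate. The OpenPGP output in this patch uses "Key Security Level" for the same value, and a label such as "Subject Public Key Security Level" here would keep a large key on a weakly signed certificate from being reported as a level for the certificate as a whole.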
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index f2dc648..419c0be 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1402,6 +1402,8 @@ cleanup:
* This function will generate a random private key. Note that this
* function must be called on an empty private key.
*
+ * Do not set the number of bits directly, use gnutls_sec_param_to_pk_bits().
+ *
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
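Review bot: "Do not set the number of bits directly, use gnutls_sec_param_to_pk_bits()" reads as a prohibition, yet the function still takes the bit count as an argument. Say what the caller should do instead, for example that the bits value should be obtained from `gnutls_sec_param_to_pk_bits()` for the chosen algorithm and security parameter and not hard-coded.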
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index 97e2bcd..63ffb11 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -172,6 +172,7 @@ void gaa_help(void)
__gaa_helpsingle(0, "outder", "", "Use DER format for output
certificates and private keys.");
__gaa_helpsingle(0, "outraw", "", "Use RAW/DER format for output
certificates and private keys.");
__gaa_helpsingle(0, "bits", "BITS ", "specify the number of bits for
key generation.");
+ __gaa_helpsingle(0, "sec-param", "PARAM ", "specify the security level
[low|normal|high|ultra].");
__gaa_helpsingle(0, "disable-quick-random", "", "Use /dev/random for
key generationg, thus increasing the quality of randomness used.");
__gaa_helpsingle(0, "outfile", "FILE ", "Output file.");
__gaa_helpsingle(0, "infile", "FILE ", "Input file.");
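Review bot: The new `--sec-param` help text sits next to `--bits` without saying which one wins when both are given, and it lists `[low|normal|high|ultra]` without stating the default. Add that to the option description in `certtool.gaa`, which this file is generated from according to its `#line` directives, so the two key-size options cannot be combined ambiguously.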
@@ -205,28 +206,30 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 157 "certtool.gaa"
+#line 160 "certtool.gaa"
int debug;
-#line 152 "certtool.gaa"
+#line 155 "certtool.gaa"
int pkcs11_trusted;
-#line 149 "certtool.gaa"
+#line 152 "certtool.gaa"
char* pkcs11_label;
-#line 142 "certtool.gaa"
+#line 145 "certtool.gaa"
int pkcs11_type;
-#line 139 "certtool.gaa"
+#line 142 "certtool.gaa"
char* pkcs11_url;
-#line 136 "certtool.gaa"
+#line 139 "certtool.gaa"
char* pkcs11_provider;
-#line 133 "certtool.gaa"
+#line 136 "certtool.gaa"
char *pkcs_cipher;
-#line 130 "certtool.gaa"
+#line 133 "certtool.gaa"
char *template;
-#line 127 "certtool.gaa"
+#line 130 "certtool.gaa"
char *infile;
-#line 124 "certtool.gaa"
+#line 127 "certtool.gaa"
char *outfile;
-#line 121 "certtool.gaa"
+#line 124 "certtool.gaa"
int quick_random;
+#line 121 "certtool.gaa"
+ char* sec_param;
#line 118 "certtool.gaa"
int bits;
#line 114 "certtool.gaa"
@@ -319,7 +322,7 @@ static int gaa_error = 0;
#define GAA_MULTIPLE_OPTION 3
#define GAA_REST 0
-#define GAA_NB_OPTION 62
+#define GAA_NB_OPTION 63
#define GAAOPTID_version 1
#define GAAOPTID_help 2
#define GAAOPTID_debug 3
@@ -339,49 +342,50 @@ static int gaa_error = 0;
#define GAAOPTID_infile 17
#define GAAOPTID_outfile 18
#define GAAOPTID_disable_quick_random 19
-#define GAAOPTID_bits 20
-#define GAAOPTID_outraw 21
-#define GAAOPTID_outder 22
-#define GAAOPTID_inraw 23
-#define GAAOPTID_inder 24
-#define GAAOPTID_export_ciphers 25
-#define GAAOPTID_hash 26
-#define GAAOPTID_dsa 27
-#define GAAOPTID_pkcs8 28
-#define GAAOPTID_to_p8 29
-#define GAAOPTID_to_p12 30
-#define GAAOPTID_v1 31
-#define GAAOPTID_fix_key 32
-#define GAAOPTID_pubkey_info 33
-#define GAAOPTID_pgp_key_info 34
-#define GAAOPTID_key_info 35
-#define GAAOPTID_smime_to_p7 36
-#define GAAOPTID_p7_info 37
-#define GAAOPTID_p12_info 38
-#define GAAOPTID_no_crq_extensions 39
-#define GAAOPTID_crq_info 40
-#define GAAOPTID_crl_info 41
-#define GAAOPTID_pgp_ring_info 42
-#define GAAOPTID_pgp_certificate_info 43
-#define GAAOPTID_certificate_info 44
-#define GAAOPTID_password 45
-#define GAAOPTID_load_ca_certificate 46
-#define GAAOPTID_load_ca_privkey 47
-#define GAAOPTID_load_certificate 48
-#define GAAOPTID_load_request 49
-#define GAAOPTID_load_pubkey 50
-#define GAAOPTID_load_privkey 51
-#define GAAOPTID_get_dh_params 52
-#define GAAOPTID_generate_dh_params 53
-#define GAAOPTID_verify_crl 54
-#define GAAOPTID_verify_chain 55
-#define GAAOPTID_generate_request 56
-#define GAAOPTID_generate_privkey 57
-#define GAAOPTID_update_certificate 58
-#define GAAOPTID_generate_crl 59
-#define GAAOPTID_generate_proxy 60
-#define GAAOPTID_generate_certificate 61
-#define GAAOPTID_generate_self_signed 62
+#define GAAOPTID_sec_param 20
+#define GAAOPTID_bits 21
+#define GAAOPTID_outraw 22
+#define GAAOPTID_outder 23
+#define GAAOPTID_inraw 24
+#define GAAOPTID_inder 25
+#define GAAOPTID_export_ciphers 26
+#define GAAOPTID_hash 27
+#define GAAOPTID_dsa 28
+#define GAAOPTID_pkcs8 29
+#define GAAOPTID_to_p8 30
+#define GAAOPTID_to_p12 31
+#define GAAOPTID_v1 32
+#define GAAOPTID_fix_key 33
+#define GAAOPTID_pubkey_info 34
+#define GAAOPTID_pgp_key_info 35
+#define GAAOPTID_key_info 36
+#define GAAOPTID_smime_to_p7 37
+#define GAAOPTID_p7_info 38
+#define GAAOPTID_p12_info 39
+#define GAAOPTID_no_crq_extensions 40
+#define GAAOPTID_crq_info 41
+#define GAAOPTID_crl_info 42
+#define GAAOPTID_pgp_ring_info 43
+#define GAAOPTID_pgp_certificate_info 44
+#define GAAOPTID_certificate_info 45
+#define GAAOPTID_password 46
+#define GAAOPTID_load_ca_certificate 47
+#define GAAOPTID_load_ca_privkey 48
+#define GAAOPTID_load_certificate 49
+#define GAAOPTID_load_request 50
+#define GAAOPTID_load_pubkey 51
+#define GAAOPTID_load_privkey 52
+#define GAAOPTID_get_dh_params 53
+#define GAAOPTID_generate_dh_params 54
+#define GAAOPTID_verify_crl 55
+#define GAAOPTID_verify_chain 56
+#define GAAOPTID_generate_request 57
+#define GAAOPTID_generate_privkey 58
+#define GAAOPTID_update_certificate 59
+#define GAAOPTID_generate_crl 60
+#define GAAOPTID_generate_proxy 61
+#define GAAOPTID_generate_certificate 62
+#define GAAOPTID_generate_self_signed 63
#line 168 "gaa.skel"
@@ -628,6 +632,12 @@ struct GAAOPTION_outfile
int size1;
};
+struct GAAOPTION_sec_param
+{
+ char* arg1;
+ int size1;
+};
+
struct GAAOPTION_bits
{
int arg1;
@@ -721,6 +731,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECK1STR("", GAAOPTID_template);
GAA_CHECK1STR("", GAAOPTID_infile);
GAA_CHECK1STR("", GAAOPTID_outfile);
+ GAA_CHECK1STR("", GAAOPTID_sec_param);
GAA_CHECK1STR("", GAAOPTID_bits);
GAA_CHECK1STR("", GAAOPTID_hash);
GAA_CHECK1STR("", GAAOPTID_password);
@@ -798,6 +809,7 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("infile", GAAOPTID_infile);
GAA_CHECKSTR("outfile", GAAOPTID_outfile);
GAA_CHECKSTR("disable-quick-random",
GAAOPTID_disable_quick_random);
+ GAA_CHECKSTR("sec-param", GAAOPTID_sec_param);
GAA_CHECKSTR("bits", GAAOPTID_bits);
GAA_CHECKSTR("outraw", GAAOPTID_outraw);
GAA_CHECKSTR("outder", GAAOPTID_outder);
@@ -863,6 +875,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
struct GAAOPTION_template GAATMP_template;
struct GAAOPTION_infile GAATMP_infile;
struct GAAOPTION_outfile GAATMP_outfile;
+ struct GAAOPTION_sec_param GAATMP_sec_param;
struct GAAOPTION_bits GAATMP_bits;
struct GAAOPTION_hash GAATMP_hash;
struct GAAOPTION_password GAATMP_password;
@@ -894,14 +907,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
{
case GAAOPTID_version:
OK = 0;
-#line 162 "certtool.gaa"
+#line 165 "certtool.gaa"
{ certtool_version(); exit(0); ;};
return GAA_OK;
break;
case GAAOPTID_help:
OK = 0;
-#line 160 "certtool.gaa"
+#line 163 "certtool.gaa"
{ gaa_help(); exit(0); ;};
return GAA_OK;
@@ -911,7 +924,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1);
gaa_index++;
-#line 158 "certtool.gaa"
+#line 161 "certtool.gaa"
{ gaaval->debug = GAATMP_debug.arg1 ;};
return GAA_OK;
@@ -921,14 +934,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pkcs11_delete_url.arg1, gaa_getstr,
GAATMP_pkcs11_delete_url.size1);
gaa_index++;
-#line 155 "certtool.gaa"
+#line 158 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_DELETE_URL; gaaval->pkcs11_url =
GAATMP_pkcs11_delete_url.arg1; ;};
return GAA_OK;
break;
case GAAOPTID_pkcs11_write_trusted:
OK = 0;
-#line 153 "certtool.gaa"
+#line 156 "certtool.gaa"
{ gaaval->pkcs11_trusted = 1; ;};
return GAA_OK;
@@ -938,7 +951,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pkcs11_write_label.arg1, gaa_getstr,
GAATMP_pkcs11_write_label.size1);
gaa_index++;
-#line 151 "certtool.gaa"
+#line 154 "certtool.gaa"
{ gaaval->pkcs11_label = GAATMP_pkcs11_write_label.arg1; ;};
return GAA_OK;
@@ -948,42 +961,42 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pkcs11_write.arg1, gaa_getstr,
GAATMP_pkcs11_write.size1);
gaa_index++;
-#line 150 "certtool.gaa"
+#line 153 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_WRITE_URL; gaaval->pkcs11_url =
GAATMP_pkcs11_write.arg1; ;};
return GAA_OK;
break;
case GAAOPTID_pkcs11_list_tokens:
OK = 0;
-#line 147 "certtool.gaa"
+#line 150 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_TOKENS; ;};
return GAA_OK;
break;
case GAAOPTID_pkcs11_list_all:
OK = 0;
-#line 146 "certtool.gaa"
+#line 149 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_ALL; ;};
return GAA_OK;
break;
case GAAOPTID_pkcs11_list_all_certs:
OK = 0;
-#line 145 "certtool.gaa"
+#line 148 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST;
gaaval->pkcs11_type=PKCS11_TYPE_CRT_ALL; ;};
return GAA_OK;
break;
case GAAOPTID_pkcs11_list_trusted:
OK = 0;
-#line 144 "certtool.gaa"
+#line 147 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST;
gaaval->pkcs11_type=PKCS11_TYPE_TRUSTED; ;};
return GAA_OK;
break;
case GAAOPTID_pkcs11_list_certs:
OK = 0;
-#line 143 "certtool.gaa"
+#line 146 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_PK; ;};
return GAA_OK;
@@ -993,7 +1006,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pkcs11_export_url.arg1, gaa_getstr,
GAATMP_pkcs11_export_url.size1);
gaa_index++;
-#line 140 "certtool.gaa"
+#line 143 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_EXPORT_URL; gaaval->pkcs11_url =
GAATMP_pkcs11_export_url.arg1; ;};
return GAA_OK;
@@ -1003,7 +1016,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pkcs11_provider.arg1, gaa_getstr,
GAATMP_pkcs11_provider.size1);
gaa_index++;
-#line 137 "certtool.gaa"
+#line 140 "certtool.gaa"
{ gaaval->pkcs11_provider = GAATMP_pkcs11_provider.arg1 ;};
return GAA_OK;
@@ -1013,7 +1026,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_pkcs_cipher.arg1, gaa_getstr,
GAATMP_pkcs_cipher.size1);
gaa_index++;
-#line 134 "certtool.gaa"
+#line 137 "certtool.gaa"
{ gaaval->pkcs_cipher = GAATMP_pkcs_cipher.arg1 ;};
return GAA_OK;
@@ -1023,7 +1036,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_template.arg1, gaa_getstr,
GAATMP_template.size1);
gaa_index++;
-#line 131 "certtool.gaa"
+#line 134 "certtool.gaa"
{ gaaval->template = GAATMP_template.arg1 ;};
return GAA_OK;
@@ -1033,7 +1046,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1);
gaa_index++;
-#line 128 "certtool.gaa"
+#line 131 "certtool.gaa"
{ gaaval->infile = GAATMP_infile.arg1 ;};
return GAA_OK;
@@ -1043,18 +1056,28 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
GAA_TESTMOREARGS;
GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1);
gaa_index++;
-#line 125 "certtool.gaa"
+#line 128 "certtool.gaa"
{ gaaval->outfile = GAATMP_outfile.arg1 ;};
return GAA_OK;
break;
case GAAOPTID_disable_quick_random:
OK = 0;
-#line 122 "certtool.gaa"
+#line 125 "certtool.gaa"
{ gaaval->quick_random = 0; ;};
return GAA_OK;
break;
+ case GAAOPTID_sec_param:
+ OK = 0;
+ GAA_TESTMOREARGS;
+ GAA_FILL(GAATMP_sec_param.arg1, gaa_getstr,
GAATMP_sec_param.size1);
+ gaa_index++;
+#line 122 "certtool.gaa"
+{ gaaval->sec_param = GAATMP_sec_param.arg1 ;};
+
+ return GAA_OK;
+ break;
case GAAOPTID_bits:
OK = 0;
GAA_TESTMOREARGS;
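Review bot: In the new GAAOPTID_sec_param case the argument is stored unvalidated (gaaval->sec_param = GAATMP_sec_param.arg1), so a misspelled level is rejected only later, when str_to_sec_param runs inside generate_private_key_int. Consider validating the string at parse time so that an invalid --sec-param fails regardless of which action is selected. The #line directives show this file is generated from certtool.gaa, so the check would belong in the option's action block there.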
@@ -1407,14 +1430,14 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
if(inited == 0)
{
-#line 164 "certtool.gaa"
-{ gaaval->bits = 2048; gaaval->pkcs8 = 0; gaaval->privkey = NULL;
gaaval->ca=NULL; gaaval->ca_privkey = NULL;
+#line 167 "certtool.gaa"
+{ gaaval->bits = 0; gaaval->pkcs8 = 0; gaaval->privkey = NULL;
gaaval->ca=NULL; gaaval->ca_privkey = NULL;
gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL;
gaaval->outfile = NULL; gaaval->cert = NULL;
gaaval->incert_format = 0; gaaval->outcert_format = 0;
gaaval->action=-1; gaaval->pass = NULL; gaaval->v1_cert = 0;
gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL;
gaaval->fix_key = 0; gaaval->quick_random=1;
gaaval->privkey_op = 0; gaaval->pkcs_cipher = "3des";
gaaval->crq_extensions=1; gaaval->pkcs11_provider= NULL;
gaaval->pkcs11_url = NULL; gaaval->pkcs11_type = PKCS11_TYPE_PK;
gaaval->pubkey=NULL; gaaval->pkcs11_label = NULL;
- gaaval->pkcs11_trusted=0; ;};
+ gaaval->pkcs11_trusted=0; gaaval->sec_param = NULL; ;};
}
inited = 1;
diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h
index 2757a71..f848dfe 100644
--- a/src/certtool-gaa.h
+++ b/src/certtool-gaa.h
@@ -8,28 +8,30 @@ typedef struct _gaainfo gaainfo;
struct _gaainfo
{
-#line 157 "certtool.gaa"
+#line 160 "certtool.gaa"
int debug;
-#line 152 "certtool.gaa"
+#line 155 "certtool.gaa"
int pkcs11_trusted;
-#line 149 "certtool.gaa"
+#line 152 "certtool.gaa"
char* pkcs11_label;
-#line 142 "certtool.gaa"
+#line 145 "certtool.gaa"
int pkcs11_type;
-#line 139 "certtool.gaa"
+#line 142 "certtool.gaa"
char* pkcs11_url;
-#line 136 "certtool.gaa"
+#line 139 "certtool.gaa"
char* pkcs11_provider;
-#line 133 "certtool.gaa"
+#line 136 "certtool.gaa"
char *pkcs_cipher;
-#line 130 "certtool.gaa"
+#line 133 "certtool.gaa"
char *template;
-#line 127 "certtool.gaa"
+#line 130 "certtool.gaa"
char *infile;
-#line 124 "certtool.gaa"
+#line 127 "certtool.gaa"
char *outfile;
-#line 121 "certtool.gaa"
+#line 124 "certtool.gaa"
int quick_random;
+#line 121 "certtool.gaa"
+ char* sec_param;
#line 118 "certtool.gaa"
int bits;
#line 114 "certtool.gaa"
diff --git a/src/certtool.c b/src/certtool.c
index b646453..92c4a28 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -166,6 +166,33 @@ print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e,
gnutls_datum_t * d,
}
}
+static gnutls_sec_param_t str_to_sec_param(const char* str)
+{
+ if (strcasecmp(str, "low")==0)
+ {
+ return GNUTLS_SEC_PARAM_LOW;
+ }
+ else if (strcasecmp(str, "normal")==0)
+ {
+ return GNUTLS_SEC_PARAM_NORMAL;
+ }
+ else if (strcasecmp(str, "high")==0)
+ {
+ return GNUTLS_SEC_PARAM_HIGH;
+ }
+ else if (strcasecmp(str, "ultra")==0)
+ {
+ return GNUTLS_SEC_PARAM_ULTRA;
+ }
+ else
+ {
+ fprintf(stderr, "Unknown security parameter string: %s\n", str);
+ exit(1);
+ }
+
+}
+
+
static gnutls_x509_privkey_t
generate_private_key_int (void)
{
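Review bot: The final else branch of str_to_sec_param reports the error with fprintf and exit(1), while generate_private_key_int just below uses error (EXIT_FAILURE, 0, ...). Using the same call here keeps exit codes and message formatting consistent, and the message could list the accepted values (low, normal, high, ultra). The function also ends without a return after exit(1), which some compilers flag for a non-void function, and strcasecmp needs <strings.h>, which this hunk does not show being included.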
@@ -183,6 +210,19 @@ generate_private_key_int (void)
if (ret < 0)
error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
+ if (info.bits != 0)
+ {
+ fprintf(stderr, "** Note: Please use the --sec-param instead of
--bits\n");
+ }
+ else
+ {
+ if (info.sec_param)
+ {
+ info.bits = gnutls_sec_param_to_pk_bits(key_type,
str_to_sec_param(info.sec_param));
+ }
+ else info.bits = gnutls_sec_param_to_pk_bits(key_type,
GNUTLS_SEC_PARAM_NORMAL);
+ }
+
fprintf (stderr, "Generating a %d bit %s private key...\n", info.bits,
gnutls_pk_algorithm_get_name (key_type));
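Review bot: In the if (info.bits != 0) branch, a --sec-param given together with --bits is dropped without any message, and the note telling the user to switch to --sec-param is printed even then. Either reject the combination or state which option wins. The value returned by gnutls_sec_param_to_pk_bits is also assigned to info.bits unchecked. If it can be 0 for a given key_type, the "Generating a %d bit" message and the key generation after it would proceed with 0 bits, so a check for a non-positive result is worth adding. Wording nit: "Please use the --sec-param" reads better as "Please use --sec-param".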
diff --git a/src/certtool.gaa b/src/certtool.gaa
index 04b2eac..efea640 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -118,6 +118,9 @@ option (outraw) { $outcert_format=1 } "Use RAW/DER format
for output certificate
#int bits;
option (bits) INT "BITS" { $bits = $1 } "specify the number of bits for key
generation."
+#char* sec_param;
+option (sec-param) STR "PARAM" { $sec_param = $1 } "specify the security level
[low|normal|high|ultra]."
+
#int quick_random;
option (disable-quick-random) { $quick_random = 0; } "Use /dev/random for key
generationg, thus increasing the quality of randomness used."
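Review bot: The help string for the new sec-param option does not say that "normal" is used when neither --bits nor --sec-param is given, and the unchanged --bits help text gives no hint that --sec-param is now preferred, although generate_private_key_int prints a note to that effect. Suggest adding the default to the sec-param text and marking --bits as discouraged in its description.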
@@ -161,10 +164,10 @@ option (h, help) { gaa_help(); exit(0); } "shows this
help text"
option (v, version) { certtool_version(); exit(0); } "shows the program's
version"
-init { $bits = 2048; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey =
NULL;
+init { $bits = 0; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
$debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert =
NULL;
$incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL;
$v1_cert = 0;
$export = 0; $template = NULL; $hash=NULL; $fix_key = 0;
$quick_random=1;
$privkey_op = 0; $pkcs_cipher = "3des"; $crq_extensions=1;
$pkcs11_provider= NULL;
$pkcs11_url = NULL; $pkcs11_type = PKCS11_TYPE_PK; $pubkey=NULL;
$pkcs11_label = NULL;
- $pkcs11_trusted=0; }
+ $pkcs11_trusted=0; $sec_param = NULL; }
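Review bot: The init block now sets $bits = 0 instead of 2048, which turns 0 into a sentinel for "not specified", but the only place this patch resolves the sentinel is generate_private_key_int. Any other reader of info.bits that relied on the old 2048 default would now see 0. Please check those call sites, or resolve the default once right after option parsing. A comment next to $bits = 0 explaining the sentinel would help.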
hooks/post-receive
--
GNU gnutls