authorOthmar Gsenger <otti@anytun.org>2007-07-30 19:37:53 +0000
committerOthmar Gsenger <otti@anytun.org>2007-07-30 19:37:53 +0000
commit6585e5ad764ee2414d9b01f30784b6549bc8f58e (patch)
tree4ea258d5327838363dc3ac66d09ecc94686f3e26 /keyexchange/isakmpd-20041012/apps
parentripe requests, final (diff)
added keyexchange
Diffstat (limited to 'keyexchange/isakmpd-20041012/apps')
-rw-r--r--keyexchange/isakmpd-20041012/apps/Makefile34
-rw-r--r--keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore3
-rw-r--r--keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile55
-rw-r--r--keyexchange/isakmpd-20041012/apps/certpatch/Makefile58
-rw-r--r--keyexchange/isakmpd-20041012/apps/certpatch/certpatch.885
-rw-r--r--keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c317
6 files changed, 552 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/apps/Makefile b/keyexchange/isakmpd-20041012/apps/Makefile
new file mode 100644
index 0000000..7d1bbe9
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/Makefile
@@ -0,0 +1,34 @@
+# $OpenBSD: Makefile,v 1.2 2003/06/03 14:35:00 ho Exp $
+# $EOM: Makefile,v 1.2 1999/07/17 20:44:12 niklas Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+SUBDIR= certpatch
+
+#.include <bsd.subdir.mk>
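Review bot: With `.include <bsd.subdir.mk>` commented out on the last line, this Makefile declares `SUBDIR= certpatch` but nothing consumes it, so running make in apps/ has no rules at all and the certpatch build is never reached from this directory. If the commenting-out is meant to keep the file loadable by GNU make, a minimal recursion rule such as `all clean: ; for d in $(SUBDIR); do $(MAKE) -C $$d $@; done` would restore the intent; otherwise restore the include.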
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore b/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore
new file mode 100644
index 0000000..6203864
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore
@@ -0,0 +1,3 @@
+certpatch
+certpatch.cat8
+obj
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile b/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile
new file mode 100644
index 0000000..3cd8e3a
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile
@@ -0,0 +1,55 @@
+# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
+# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+PROG= certpatch
+SRCS= certpatch.c
+BINDIR?= /usr/sbin
+TOPSRC= ${.CURDIR}../..
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS= linux
+FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
+.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+LDFLAGS+= -lcrypto -lssl -lgmp
+MAN= certpatch.8
+
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
+LDADD+= -lgmp
+DPADD+= ${LIBGMP}
+
+# Override LIBSYSDEPDIR definition from Makefile.sysdep
+LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
+
+all: ${PROG}
+
+clean:
+ rm -f ${PROG}
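Review bot: `TOPSRC= ${.CURDIR}../..` is missing the `/` that the sibling BSD Makefile writes as `${.CURDIR}/../..`, so under a make that sets `.CURDIR` TOPSRC becomes `<dir>../..`, a path one component off; under GNU make, which does not set `.CURDIR`, it expands to `../..` and only works by accident when invoked from the certpatch directory. `TOPSRC= $(CURDIR)/../..` is the GNU make spelling. As far as I can tell GNU make also has no `.PATH:` directive (the line is parsed as a rule for a target named `.PATH`), and libraries placed in `LDFLAGS` end up before the object file in the implicit link rule, which breaks with `--as-needed` linkers; `LDLIBS+= -lcrypto -lssl -lgmp` is the conventional place for them.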
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/Makefile b/keyexchange/isakmpd-20041012/apps/certpatch/Makefile
new file mode 100644
index 0000000..c422938
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/Makefile
@@ -0,0 +1,58 @@
+# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
+# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+PROG= certpatch
+SRCS= certpatch.c
+BINDIR?= /usr/sbin
+TOPSRC= ${.CURDIR}/../..
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
+FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
+.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
+MAN= certpatch.8
+
+.if ${FEATURES:Mgmp} == "gmp"
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
+LDADD+= -lgmp
+DPADD+= ${LIBGMP}
+.else
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL
+.endif
+
+.include "${TOPSRC}/sysdep/${OS}/Makefile.sysdep"
+# Override LIBSYSDEPDIR definition from Makefile.sysdep
+LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
+
+.include <bsd.prog.mk>
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8 b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8
new file mode 100644
index 0000000..1c1b629
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8
@@ -0,0 +1,85 @@
+.\" $OpenBSD: certpatch.8,v 1.8 2003/06/04 07:31:17 ho Exp $
+.\" $EOM: certpatch.8,v 1.5 2000/04/07 22:17:11 niklas Exp $
+.\"
+.\" Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" This code was written under funding by Ericsson Radio Systems.
+.\"
+.\" Manual page, using -mandoc macros
+.\"
+.Dd July 18, 1999
+.Dt CERTPATCH 8
+.Os
+.Sh NAME
+.Nm certpatch
+.Nd add subjectAltName identities to X.509 certificates
+.Sh SYNOPSIS
+.Nm certpatch
+.Op Fl t Ar identity-type
+.Fl i
+.Ar identity
+.Fl k
+.Ar signing-key
+.Ar input-certificate output-certificate
+.Sh DESCRIPTION
+.Nm
+alters PEM-encoded X.509 certificates by adding a subjectAltName extension
+containing an identity used by the signature-based authentication schemes
+of the ISAKMP protocol.
+After the addition the certificate will be signed
+once again with the supplied CA signing key.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl t Ar identity-type
+If given, the
+.Fl t
+option specifies the type of the given identity.
+Currently
+.Li ip ,
+.Li fqdn ,
+and
+.Li ufqdn
+are recognized.
+The default is
+.Li ip .
+.It Fl i Ar identity
+The
+.Fl i
+option takes an argument which is the identity to put into the
+subjectAltName field of the certificate.
+If the identity-type is
+.Li ip ,
+this argument should be an IPv4 address in dotted decimal notation.
+.It Fl k Ar signing-key
+The
+.Fl k
+option specifies the key used for signing the certificate once the
+subjectAltName extension has been added.
+The key is specified by
+the filename where it is stored in PEM format.
+.El
+.Sh SEE ALSO
+.Xr isakmpd 8 ,
+.Xr ssl 8
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c
new file mode 100644
index 0000000..0a0125a
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c
@@ -0,0 +1,317 @@
+/* $OpenBSD: certpatch.c,v 1.21 2003/06/04 07:31:17 ho Exp $ */
+/* $EOM: certpatch.c,v 1.11 2000/12/21 14:50:09 ho Exp $ */
+
+/*
+ * Copyright (c) 1999 Niels Provos. All rights reserved.
+ * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved.
+ * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2001 Håkan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+/*
+ * This program takes a certificate generated by ssleay and a
+ * private key. It encodes a new id as subject alt name
+ * extension into the certifcate. The result gets written as
+ * new certificate that can be used by isakmpd.
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "sysdep.h"
+
+#ifdef KAME
+# ifdef CRYPTO
+# include <openssl/rsa.h>
+# endif
+#else
+# include <openssl/rsa.h>
+#endif
+
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#include "conf.h"
+#include "ipsec_num.h"
+#include "log.h"
+#include "math_mp.h"
+#include "x509.h"
+
+#define IDTYPE_IP "ip"
+#define IDTYPE_FQDN "fqdn"
+#define IDTYPE_UFQDN "ufqdn"
+
+int
+main (int argc, char **argv)
+{
+ char *usage = "%s [-t idtype] -i id -k keyfile certin certout\n\n"
+ "This programs takes a certificate and adds a subjectAltName extension\n"
+ "with the identication given as command line argument. Be sure that \n"
+ "the signing key matches the issuer.\n";
+ EVP_PKEY *pkey_priv;
+ X509 *cert;
+ BIO *file;
+ const EVP_MD *digest;
+ X509_EXTENSION *ex = NULL;
+ ASN1_OCTET_STRING *data = NULL;
+ struct in_addr saddr;
+ unsigned char ipaddr[6], *new_id;
+ char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL;
+ char *certin, *certout;
+ int ch, err;
+
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ unsigned char *p;
+ ASN1_STRING str;
+ int i;
+#endif
+
+
+ /* read command line arguments */
+ while ((ch = getopt (argc, argv, "t:k:i:")) != -1)
+ switch (ch) {
+ case 't':
+ type = optarg;
+ break;
+ case 'k':
+ keyfile = optarg;
+ break;
+ case 'i':
+ id = optarg;
+ break;
+ default:
+ fprintf (stderr, usage, argv[0]);
+ return (1);
+ }
+
+ argc -= optind;
+
+ if (argc != 2) {
+ fprintf (stderr, usage, argv[0]);
+ return (1);
+ }
+
+ argv += optind;
+
+ certin = argv[0];
+ certout = argv[1];
+
+ /* Check ID */
+
+ if ((strcasecmp (IDTYPE_IP, type) != 0 &&
+ strcasecmp (IDTYPE_FQDN, type) != 0 &&
+ strcasecmp (IDTYPE_UFQDN, type) != 0) || id == NULL)
+ {
+ printf ("wrong id type or missing id\n");
+ return (1);
+ }
+
+ /*
+ * X509_verify will fail, as will all other functions that call
+ * EVP_get_digest_byname.
+ */
+
+ SSLeay_add_all_algorithms ();
+
+ /* Use a certificate created by ssleay and add the appr. extension */
+ printf ("Reading ssleay created certificate %s and modify it\n",
+ certin);
+ file = BIO_new (BIO_s_file ());
+ if (BIO_read_filename (file, certin) == -1)
+ {
+ perror ("read");
+ return (1);
+ }
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ cert = PEM_read_bio_X509 (file, NULL, NULL, NULL);
+#else
+ cert = PEM_read_bio_X509 (file, NULL, NULL);
+#endif
+ BIO_free (file);
+ if (cert == NULL)
+ {
+ printf ("PEM_read_bio_X509 () failed\n");
+ return (1);
+ }
+
+ /* Get the digest for the actual signing */
+ digest = EVP_get_digestbyname (OBJ_nid2sn (OBJ_obj2nid (cert->sig_alg->algorithm)));
+
+ if (!X509_set_version (cert, 2))
+ {
+ printf ("X509 failed to set version number\n");
+ return (1);
+ }
+
+ if (!strcasecmp (IDTYPE_IP, type))
+ {
+ if (inet_aton (id, &saddr) == 0)
+ {
+ printf ("inet_aton () failed\n");
+ return (1);
+ }
+
+ saddr.s_addr = htonl (saddr.s_addr);
+ ipaddr[0] = 0x87;
+ ipaddr[1] = 0x04;
+ ipaddr[2] = saddr.s_addr >> 24;
+ ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
+ ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
+ ipaddr[5] = saddr.s_addr & 0xff;
+
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ str.length = 6;
+ str.type = V_ASN1_OCTET_STRING;
+ str.data = ipaddr;
+ data = ASN1_OCTET_STRING_new ();
+ if (!data)
+ {
+ perror ("ASN1_OCTET_STRING_new() failed");
+ return (1);
+ }
+
+ i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL);
+ if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i))
+ {
+ perror ("ASN1_STRING_set() failed");
+ return (1);
+ }
+ p = (unsigned char *)data->data;
+ i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p);
+ data->length = i;
+#else
+ data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, ipaddr, 6);
+#endif
+ }
+ else if (!strcasecmp (IDTYPE_FQDN, type) || !strcasecmp (IDTYPE_UFQDN, type))
+ {
+ new_id = malloc (strlen (id) + 2);
+ if (new_id == NULL)
+ {
+ printf ("malloc () failed\n");
+ return (1);
+ }
+
+ if (!strcasecmp (IDTYPE_FQDN, type))
+ new_id[0] = 0x82;
+ else
+ new_id[0] = 0x81; /* IDTYPE_UFQDN */
+
+ memcpy (new_id + 2, id, strlen(id));
+ new_id[1] = strlen (id);
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ str.length = strlen (id) + 2;
+ str.type = V_ASN1_OCTET_STRING;
+ str.data = new_id;
+ data = ASN1_OCTET_STRING_new ();
+ if (!data)
+ {
+ perror ("ASN1_OCTET_STRING_new() failed");
+ return (1);
+ }
+
+ i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL);
+ if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i))
+ {
+ perror ("ASN1_STRING_set() failed");
+ return (1);
+ }
+ p = (unsigned char *)data->data;
+ i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p);
+ data->length = i;
+#else
+ data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, new_id,
+ strlen (id) + 2);
+#endif
+ free (new_id);
+ }
+
+ /* XXX This is a hack, how to do better? */
+ data->type = 0x30;
+ data->data[0] = 0x30;
+ ex = X509_EXTENSION_create_by_NID (NULL, NID_subject_alt_name, 1, data);
+
+ if (ex == NULL)
+ {
+ printf ("X509_EXTENSION_create ()\n");
+ return (1);
+ }
+
+ X509_add_ext (cert, ex, -1);
+
+ file = BIO_new (BIO_s_file ());
+ if (BIO_read_filename (file, keyfile) == -1)
+ {
+ perror ("open");
+ return (1);
+ }
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+ if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL, NULL)) == NULL)
+#else
+ if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL)) == NULL)
+#endif
+ {
+ printf ("Can not read private key %s\n", keyfile);
+ return (1);
+ }
+ BIO_free (file);
+
+ printf ("Creating Signature: PKEY_TYPE = %s: ",
+ pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
+ err = X509_sign (cert, pkey_priv, digest);
+ printf ("X509_sign: %d ", err);
+ if (!err)
+ printf ("FAILED ");
+ else
+ printf ("OKAY ");
+ printf ("\n");
+
+ file = BIO_new (BIO_s_file ());
+ if (BIO_write_filename (file, certout) == -1)
+ {
+ perror ("open");
+ return (1);
+ }
+
+ printf ("Writing new certificate to %s\n", certout);
+ PEM_write_bio_X509 (file, cert);
+ BIO_free (file);
+
+ return (0);
+}
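Review bot: A failing `X509_sign (cert, pkey_priv, digest)` is printed as FAILED but not acted on — the code goes on to write the certificate to certout and returns 0, so a script driving certpatch gets an unsigned or stale-signature certificate together with a success exit status; replace the print-only branch with `if (!err) { printf ("X509_sign failed\n"); return (1); }`. In the same path `digest` from `EVP_get_digestbyname (...)` is never checked for NULL, so an unrecognised signature algorithm in the input certificate is only discovered inside X509_sign; rejecting it right after the lookup gives a clear error. Separately, the hand-built GeneralName stores the identity length in a single DER length byte (`new_id[1] = strlen (id);`), which is only valid for lengths up to 127, so longer fqdn/ufqdn identities yield a malformed subjectAltName; a bound such as `if (strlen (id) > 127) { printf ("id too long\n"); return (1); }` before the memcpy would close that. If I read OpenSSL's file BIO correctly, BIO_read_filename and BIO_write_filename return 0 rather than -1 when fopen fails, so the three `== -1` checks never fire and a missing key or unwritable output file is not reported at that point; `<= 0` is the safer test.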