Diffstat (limited to 'keyexchange/isakmpd-20041012/apps/certpatch')
5 files changed, 518 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore b/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore
new file mode 100644
index 0000000..6203864
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore
@@ -0,0 +1,3 @@
+certpatch
+certpatch.cat8
+obj
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile b/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile
new file mode 100644
index 0000000..3cd8e3a
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile
@@ -0,0 +1,55 @@
+# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
+# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+PROG= certpatch
+SRCS= certpatch.c
+BINDIR?= /usr/sbin
+TOPSRC= ${.CURDIR}../..
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS= linux
+FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
+.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+LDFLAGS+= -lcrypto -lssl -lgmp
+MAN= certpatch.8
+
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
+LDADD+= -lgmp
+DPADD+= ${LIBGMP}
+
+# Override LIBSYSDEPDIR definition from Makefile.sysdep
+LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
+
+all: ${PROG}
+
+clean:
+ rm -f ${PROG}
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/Makefile b/keyexchange/isakmpd-20041012/apps/certpatch/Makefile
new file mode 100644
index 0000000..c422938
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/Makefile
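Review bot: `LDFLAGS+= -lcrypto -lssl -lgmp` places the libraries in LDFLAGS, which GNU make's built-in link rule expands before the object file, so on toolchains that default to `--as-needed` the libraries are discarded and the link fails with undefined OpenSSL/GMP symbols; they belong in `LDLIBS+= -lcrypto -lssl -lgmp`, which is appended after the objects. The `LDADD+= -lgmp` and `DPADD+= ${LIBGMP}` lines below are BSD make variables that GNU make never reads, so they contribute nothing here and could be dropped rather than suggest -lgmp is wired up twice. `-lssl` also appears unnecessary, since certpatch.c only calls PEM/X509/BIO/EVP routines from libcrypto, though keeping it is harmless.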
@@ -0,0 +1,58 @@
+# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
+# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+PROG= certpatch
+SRCS= certpatch.c
+BINDIR?= /usr/sbin
+TOPSRC= ${.CURDIR}/../..
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
+FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
+.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
+MAN= certpatch.8
+
+.if ${FEATURES:Mgmp} == "gmp"
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
+LDADD+= -lgmp
+DPADD+= ${LIBGMP}
+.else
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL
+.endif
+
+.include "${TOPSRC}/sysdep/${OS}/Makefile.sysdep"
+# Override LIBSYSDEPDIR definition from Makefile.sysdep
+LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
+
+.include <bsd.prog.mk>
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8 b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8
new file mode 100644
index 0000000..1c1b629
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8
@@ -0,0 +1,85 @@
+.\" $OpenBSD: certpatch.8,v 1.8 2003/06/04 07:31:17 ho Exp $
+.\" $EOM: certpatch.8,v 1.5 2000/04/07 22:17:11 niklas Exp $
+.\"
+.\" Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" This code was written under funding by Ericsson Radio Systems.
+.\"
+.\" Manual page, using -mandoc macros
+.\"
+.Dd July 18, 1999
+.Dt CERTPATCH 8
+.Os
+.Sh NAME
+.Nm certpatch
+.Nd add subjectAltName identities to X.509 certificates
+.Sh SYNOPSIS
+.Nm certpatch
+.Op Fl t Ar identity-type
+.Fl i
+.Ar identity
+.Fl k
+.Ar signing-key
+.Ar input-certificate output-certificate
+.Sh DESCRIPTION
+.Nm
+alters PEM-encoded X.509 certificates by adding a subjectAltName extension
+containing an identity used by the signature-based authentication schemes
+of the ISAKMP protocol.
+After the addition the certificate will be signed
+once again with the supplied CA signing key.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl t Ar identity-type
+If given, the
+.Fl t
+option specifies the type of the given identity.
+Currently
+.Li ip ,
+.Li fqdn ,
+and
+.Li ufqdn
+are recognized.
+The default is
+.Li ip .
+.It Fl i Ar identity
+The
+.Fl i
+option takes an argument which is the identity to put into the
+subjectAltName field of the certificate.
+If the identity-type is
+.Li ip ,
+this argument should be an IPv4 address in dotted decimal notation.
+.It Fl k Ar signing-key
+The
+.Fl k
+option specifies the key used for signing the certificate once the
+subjectAltName extension has been added.
+The key is specified by
+the filename where it is stored in PEM format.
+.El
+.Sh SEE ALSO
+.Xr isakmpd 8 ,
+.Xr ssl 8
diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c
new file mode 100644
index 0000000..0a0125a
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c
@@ -0,0 +1,317 @@ +/* $OpenBSD: certpatch.c,v 1.21 2003/06/04 07:31:17 ho Exp $ */ +/* $EOM: certpatch.c,v 1.11 2000/12/21 14:50:09 ho Exp $ */ + +/* + * Copyright (c) 1999 Niels Provos. All rights reserved. + * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2001 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +/* + * This program takes a certificate generated by ssleay and a + * private key. It encodes a new id as subject alt name + * extension into the certifcate. The result gets written as + * new certificate that can be used by isakmpd. 
+ */ + +#include <sys/param.h> +#include <sys/types.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <ctype.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> + +#include "sysdep.h" + +#ifdef KAME +# ifdef CRYPTO +# include <openssl/rsa.h> +# endif +#else +# include <openssl/rsa.h> +#endif + +#include <openssl/x509.h> +#include <openssl/pem.h> + +#include "conf.h" +#include "ipsec_num.h" +#include "log.h" +#include "math_mp.h" +#include "x509.h" + +#define IDTYPE_IP "ip" +#define IDTYPE_FQDN "fqdn" +#define IDTYPE_UFQDN "ufqdn" + +int +main (int argc, char **argv) +{ + char *usage = "%s [-t idtype] -i id -k keyfile certin certout\n\n" + "This programs takes a certificate and adds a subjectAltName extension\n" + "with the identication given as command line argument. Be sure that \n" + "the signing key matches the issuer.\n"; + EVP_PKEY *pkey_priv; + X509 *cert; + BIO *file; + const EVP_MD *digest; + X509_EXTENSION *ex = NULL; + ASN1_OCTET_STRING *data = NULL; + struct in_addr saddr; + unsigned char ipaddr[6], *new_id; + char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL; + char *certin, *certout; + int ch, err; + +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + unsigned char *p; + ASN1_STRING str; + int i; +#endif + + + /* read command line arguments */ + while ((ch = getopt (argc, argv, "t:k:i:")) != -1) + switch (ch) { + case 't': + type = optarg; + break; + case 'k': + keyfile = optarg; + break; + case 'i': + id = optarg; + break; + default: + fprintf (stderr, usage, argv[0]); + return (1); + } + + argc -= optind; + + if (argc != 2) { + fprintf (stderr, usage, argv[0]); + return (1); + } + + argv += optind; + + certin = argv[0]; + certout = argv[1]; + + /* Check ID */ + + if ((strcasecmp (IDTYPE_IP, type) != 0 && + strcasecmp (IDTYPE_FQDN, type) != 0 && + strcasecmp (IDTYPE_UFQDN, type) != 0) || id == NULL) + { + printf ("wrong 
id type or missing id\n"); + return (1); + } + + /* + * X509_verify will fail, as will all other functions that call + * EVP_get_digest_byname. + */ + + SSLeay_add_all_algorithms (); + + /* Use a certificate created by ssleay and add the appr. extension */ + printf ("Reading ssleay created certificate %s and modify it\n", + certin); + file = BIO_new (BIO_s_file ()); + if (BIO_read_filename (file, certin) == -1) + { + perror ("read"); + return (1); + } +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + cert = PEM_read_bio_X509 (file, NULL, NULL, NULL); +#else + cert = PEM_read_bio_X509 (file, NULL, NULL); +#endif + BIO_free (file); + if (cert == NULL) + { + printf ("PEM_read_bio_X509 () failed\n"); + return (1); + } + + /* Get the digest for the actual signing */ + digest = EVP_get_digestbyname (OBJ_nid2sn (OBJ_obj2nid (cert->sig_alg->algorithm))); + + if (!X509_set_version (cert, 2)) + { + printf ("X509 failed to set version number\n"); + return (1); + } + + if (!strcasecmp (IDTYPE_IP, type)) + { + if (inet_aton (id, &saddr) == 0) + { + printf ("inet_aton () failed\n"); + return (1); + } + + saddr.s_addr = htonl (saddr.s_addr); + ipaddr[0] = 0x87; + ipaddr[1] = 0x04; + ipaddr[2] = saddr.s_addr >> 24; + ipaddr[3] = (saddr.s_addr >> 16) & 0xff; + ipaddr[4] = (saddr.s_addr >> 8) & 0xff; + ipaddr[5] = saddr.s_addr & 0xff; + +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + str.length = 6; + str.type = V_ASN1_OCTET_STRING; + str.data = ipaddr; + data = ASN1_OCTET_STRING_new (); + if (!data) + { + perror ("ASN1_OCTET_STRING_new() failed"); + return (1); + } + + i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL); + if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i)) + { + perror ("ASN1_STRING_set() failed"); + return (1); + } + p = (unsigned char *)data->data; + i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p); + data->length = i; +#else + data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, ipaddr, 6); +#endif + } + else if (!strcasecmp (IDTYPE_FQDN, type) || 
!strcasecmp (IDTYPE_UFQDN, type)) + { + new_id = malloc (strlen (id) + 2); + if (new_id == NULL) + { + printf ("malloc () failed\n"); + return (1); + } + + if (!strcasecmp (IDTYPE_FQDN, type)) + new_id[0] = 0x82; + else + new_id[0] = 0x81; /* IDTYPE_UFQDN */ + + memcpy (new_id + 2, id, strlen(id)); + new_id[1] = strlen (id); +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + str.length = strlen (id) + 2; + str.type = V_ASN1_OCTET_STRING; + str.data = new_id; + data = ASN1_OCTET_STRING_new (); + if (!data) + { + perror ("ASN1_OCTET_STRING_new() failed"); + return (1); + } + + i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL); + if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i)) + { + perror ("ASN1_STRING_set() failed"); + return (1); + } + p = (unsigned char *)data->data; + i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p); + data->length = i; +#else + data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, new_id, + strlen (id) + 2); +#endif + free (new_id); + } + + /* XXX This is a hack, how to do better? */ + data->type = 0x30; + data->data[0] = 0x30; + ex = X509_EXTENSION_create_by_NID (NULL, NID_subject_alt_name, 1, data); + + if (ex == NULL) + { + printf ("X509_EXTENSION_create ()\n"); + return (1); + } + + X509_add_ext (cert, ex, -1); + + file = BIO_new (BIO_s_file ()); + if (BIO_read_filename (file, keyfile) == -1) + { + perror ("open"); + return (1); + } +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL, NULL)) == NULL) +#else + if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL)) == NULL) +#endif + { + printf ("Can not read private key %s\n", keyfile); + return (1); + } + BIO_free (file); + + printf ("Creating Signature: PKEY_TYPE = %s: ", + pkey_priv->type == EVP_PKEY_RSA ? 
"RSA" : "unknown"); + err = X509_sign (cert, pkey_priv, digest); + printf ("X509_sign: %d ", err); + if (!err) + printf ("FAILED "); + else + printf ("OKAY "); + printf ("\n"); + + file = BIO_new (BIO_s_file ()); + if (BIO_write_filename (file, certout) == -1) + { + perror ("open"); + return (1); + } + + printf ("Writing new certificate to %s\n", certout); + PEM_write_bio_X509 (file, cert); + BIO_free (file); + + return (0); +} |