From 9422910e55d1c798df7c5e377db4d9ef4d8a9bc3 Mon Sep 17 00:00:00 2001
From: Martin Mares
Date: Sat, 2 Jun 2007 17:24:42 +0200
Subject: [PATCH] First attempts at using gnutls.

---
 submit/Makefile | 22 +++++++++++
 submit/ca-cert.tpl | 88 ++++++++++++++++++++++++++++++++++++++++++
 submit/server-cert.tpl | 88 ++++++++++++++++++++++++++++++++++++++++++
 submit/submitd.c | 26 +++++++++++++
 4 files changed, 224 insertions(+)
 create mode 100644 submit/Makefile
 create mode 100644 submit/ca-cert.tpl
 create mode 100644 submit/server-cert.tpl
 create mode 100644 submit/submitd.c

diff --git a/submit/Makefile b/submit/Makefile
new file mode 100644
index 0000000..d5fe54a
--- /dev/null
+++ b/submit/Makefile
@@ -0,0 +1,22 @@
+TLSCF:=$(shell libgnutls-config --cflags)
+TLSLF:=$(shell libgnutls-config --libs)
+
+CFLAGS=-O2 -Iinclude -g -Wall -W -Wno-parentheses -Wstrict-prototypes -Wmissing-prototypes -Wundef -Wredundant-decls -std=gnu99 $(TLSCF)
+LDFLAGS=$(TLSLF)
+
+all: submitd
+
+submitd: submitd.o lib/libucw.a lib/libsh.a
+submitd.o: submitd.c
+
+certs:
+	certtool --generate-privkey --outfile ca-key.pem
+	certtool --generate-privkey --outfile ca-key.pem --template ca-cert.tpl
+	certtool --generate-privkey --outfile server-key.pem
+	certtool --generate-request --load-privkey server-key.pem --outfile server-req.pem --template server-cert.tpl
+	certtool --generate-certificate --load-request server-req.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server-cert.tpl
+	# Beware of serial numbers
+
+clean:
+	rm -f `find . -name "*~" -or -name "*.[oa]" -or -name "\#*\#" -or -name TAGS -or -name core -or -name .depend -or -name .#*`
+	rm -f submitd
diff --git a/submit/ca-cert.tpl b/submit/ca-cert.tpl
new file mode 100644
index 0000000..0169ca7
--- /dev/null
+++ b/submit/ca-cert.tpl
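Review bot: The `certs` recipe never produces ca-cert.pem: its second command, `certtool --generate-privkey --outfile ca-key.pem --template ca-cert.tpl`, generates a second private key over the first instead of a self-signed CA certificate, so the final `--load-ca-certificate ca-cert.pem` step either fails or, worse, picks up a stale ca-cert.pem from an earlier run that no longer matches the freshly overwritten ca-key.pem. The intended line is presumably `certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem --template ca-cert.tpl`. Nothing in the recipe restricts permissions on ca-key.pem or server-key.pem; unless certtool is known to create them mode 0600 on this platform, run the key-generating lines as `umask 077; certtool --generate-privkey ...` (each recipe line gets its own shell, so the umask must be on the same line). The `# Beware of serial numbers` comment should say what to beware of — ca-cert.tpl and server-cert.tpl both hard-code `serial = 001`, so the issued server certificate collides with the CA's own serial under the same issuer name.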
@@ -0,0 +1,88 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "MO-Eval"
+
+# The organizational unit of the subject.
+#unit = "MO-Eval"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+#state = "xx"
+
+# The country of the subject. Two letter code.
+#country = CZ
+
+# The common name of the certificate owner.
+cn = "Submit Server"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 001
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 700
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+email = "mj@ucw.cz"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is prefered to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
diff --git a/submit/server-cert.tpl b/submit/server-cert.tpl
new file mode 100644
index 0000000..098c94b
--- /dev/null
+++ b/submit/server-cert.tpl
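Review bot: The CA template gives the CA exactly the same subject name as the leaf it signs — `organization = "MO-Eval"` and `cn = "Submit Server"` are identical to server-cert.tpl — so issuer and subject of the server certificate become indistinguishable by name, which is confusing in chain building, logs and debugging and is not what a CA certificate should look like; use a distinct name such as `cn = "MO-Eval Submit CA"`. Only `cert_signing_key` is enabled while `#crl_signing_key` stays commented out and no `crl_dist_points` is set, so a CRL later signed by this CA would lack the cRLSign key usage and verifiers that check key usage would reject it — enable `crl_signing_key` now even if no CRL is published yet, since revoking a compromised server key is otherwise only possible by reissuing the CA. `email = "mj@ucw.cz"` is the sole subjectAltName on a CA certificate; it is harmless but presumably inherited from the stock template and worth commenting out. The 700-day `expiration_days` applies to the CA itself, so whoever regenerates the server certificate in two years must know the CA expires too; a comment saying so next to that line would help.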
@@ -0,0 +1,88 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "MO-Eval"
+
+# The organizational unit of the subject.
+#unit = "MO-Eval"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+#state = "xx"
+
+# The country of the subject. Two letter code.
+#country = CZ
+
+# The common name of the certificate owner.
+cn = "Submit Server"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 001
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 700
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "localhost"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+#email = "mj@ucw.cz"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+#ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is prefered to use different
+# keys for encryption and signing.
+encryption_key
+
+# Whether this key will be used to sign other certificates.
+#cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
diff --git a/submit/submitd.c b/submit/submitd.c
new file mode 100644
index 0000000..1bc63d1
--- /dev/null
+++ b/submit/submitd.c
@@ -0,0 +1,26 @@
+#include "lib/lib.h"
+
+#include
+
+static gnutls_certificate_credentials_t cert_cred;
+
+int main(void)
+{
+  int err;
+
+  gnutls_global_init();
+  err = gnutls_certificate_allocate_credentials(&cert_cred);
+  if (err)
+    die("Unable to allocate credentials: %s", gnutls_strerror(err));
+  err = gnutls_certificate_set_x509_trust_file(cert_cred, "ca-cert.pem", GNUTLS_X509_FMT_PEM);
+  if (!err)
+    die("No CA certificate found");
+  if (err < 0)
+    die("Unable to load X509 trust file: %s", gnutls_strerror(err));
+  err = gnutls_certificate_set_x509_key_file(cert_cred, "server-cert.pem", "server-key.pem", GNUTLS_X509_FMT_PEM);
+  if (err < 0)
+    die("Unable to load X509 key file: %s", gnutls_strerror(err));
+
+  gnutls_global_deinit();
+  return 0;
+}
-- 
2.39.2
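Review bot: `serial = 001` duplicates the serial in ca-cert.tpl, and because the self-signed CA certificate and this server certificate both name the CA's DN as issuer, two distinct certificates end up with the same issuer/serial pair, which RFC 5280 forbids and which breaks anything keyed on issuer+serial (CRL entries, OCSP, certificate caches); use a different value such as `serial = 002`, or drop the line and let certtool pick one. `dns_name = "localhost"` is the only subjectAltName and `cn = "Submit Server"` is not a hostname, so a client that verifies the peer name will accept this certificate only when it connects to `localhost`; fine for a first attempt, but say so in a comment above that line or make the name configurable before any real deployment. `signing_key` and `encryption_key` are both enabled on a single key even though the template's own comment says separate keys are preferred; if that is a deliberate choice so that both DHE and RSA key-exchange suites work, a one-line comment stating it would stop the next reader from "fixing" it.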
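Review bot: `gnutls_global_init()` is the one GnuTLS call in main() whose return value is dropped; it can fail and return a negative error code, after which every later call runs against an uninitialised library, so treat it like the others: `err = gnutls_global_init();` followed by `if (err < 0) die("Unable to initialize GnuTLS: %s", gnutls_strerror(err));`. The credentials obtained from gnutls_certificate_allocate_credentials are never released — add `gnutls_certificate_free_credentials(cert_cred);` before `gnutls_global_deinit()` so the teardown is already right before this skeleton grows into a daemon. The `#include` on the third line shows no header name in this listing, presumably `<gnutls/gnutls.h>` lost in extraction; worth confirming the committed file names it. The paths `"ca-cert.pem"`, `"server-cert.pem"` and `"server-key.pem"` are relative, so which trust anchor and which private key the server loads depends on the directory it is started from; an absolute or configurable path is the safer choice for a process that will hold a private key.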