Add support for compressed certificates
This could be more sophisticated — it could automatically compress certificates if they are too large, instead of expecting the user to do so manually. But this is a good start.
+1
-1
@@ -47,7 +47,7 @@ option "pin-retries" - "Number of retries before the pin code is blocked" int op
|
|||||||
option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries"
|
option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries"
|
||||||
option "input" i "Filename to use as input, - for stdin" string optional default="-"
|
option "input" i "Filename to use as input, - for stdin" string optional default="-"
|
||||||
option "output" o "Filename to use as output, - for stdout" string optional default="-"
|
option "output" o "Filename to use as output, - for stdout" string optional default="-"
|
||||||
option "key-format" K "Format of the key being read/written" values="PEM","PKCS12" enum optional default="PEM"
|
option "key-format" K "Format of the key being read/written" values="PEM","PKCS12","GZIP" enum optional default="PEM"
|
||||||
option "password" p "Password for decryption of private key file" string optional
|
option "password" p "Password for decryption of private key file" string optional
|
||||||
option "subject" S "The subject to use for certificate request" string optional
|
option "subject" S "The subject to use for certificate request" string optional
|
||||||
text "
|
text "
|
||||||
|
|||||||
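Review bot: The help string for `key-format` still reads "Format of the key being read/written" after `GZIP` is added to its value list, but in the accompanying C change the GZIP value is only consumed by import_cert as a pre-compressed DER certificate, not as a key format, so `--help` now advertises a value whose meaning and scope the user cannot discover. Suggest `option "key-format" K "Format of the key/certificate being read/written (GZIP: gzip-compressed DER certificate, import-cert only)" values="PEM","PKCS12","GZIP" enum optional default="PEM"`. Whether other actions reject `GZIP` with "Unknown key format" cannot be confirmed from this page; if they do, saying so in the help text would save a round trip.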
+23
-4
@@ -31,6 +31,8 @@
|
|||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
|
||||||
#include "ykpiv.h"
|
#include "ykpiv.h"
|
||||||
|
|
||||||
@@ -386,6 +388,8 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
|
|||||||
X509 *cert = NULL;
|
X509 *cert = NULL;
|
||||||
PKCS12 *p12 = NULL;
|
PKCS12 *p12 = NULL;
|
||||||
EVP_PKEY *private_key = NULL;
|
EVP_PKEY *private_key = NULL;
|
||||||
|
int compress = 0;
|
||||||
|
int cert_len;
|
||||||
|
|
||||||
input_file = open_file(input_file_name, INPUT);
|
input_file = open_file(input_file_name, INPUT);
|
||||||
if(!input_file) {
|
if(!input_file) {
|
||||||
@@ -398,6 +402,7 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
|
|||||||
fprintf(stderr, "Failed loading certificate for import.\n");
|
fprintf(stderr, "Failed loading certificate for import.\n");
|
||||||
goto import_cert_out;
|
goto import_cert_out;
|
||||||
}
|
}
|
||||||
|
cert_len = i2d_X509(cert, NULL);
|
||||||
} else if(cert_format == key_format_arg_PKCS12) {
|
} else if(cert_format == key_format_arg_PKCS12) {
|
||||||
p12 = d2i_PKCS12_fp(input_file, NULL);
|
p12 = d2i_PKCS12_fp(input_file, NULL);
|
||||||
if(!p12) {
|
if(!p12) {
|
||||||
@@ -408,6 +413,13 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
|
|||||||
fprintf(stderr, "Failed to parse PKCS12 structure.\n");
|
fprintf(stderr, "Failed to parse PKCS12 structure.\n");
|
||||||
goto import_cert_out;
|
goto import_cert_out;
|
||||||
}
|
}
|
||||||
|
cert_len = i2d_X509(cert, NULL);
|
||||||
|
} else if (cert_format == key_format_arg_GZIP) {
|
||||||
|
struct stat st;
|
||||||
|
|
||||||
|
fstat(fileno(input_file), &st);
|
||||||
|
cert_len = st.st_size;
|
||||||
|
compress = 0x01;
|
||||||
} else {
|
} else {
|
||||||
/* TODO: more formats go here */
|
/* TODO: more formats go here */
|
||||||
fprintf(stderr, "Unknown key format.\n");
|
fprintf(stderr, "Unknown key format.\n");
|
||||||
@@ -418,7 +430,6 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
|
|||||||
unsigned char certdata[2100];
|
unsigned char certdata[2100];
|
||||||
unsigned char *certptr = certdata;
|
unsigned char *certptr = certdata;
|
||||||
int object = get_object_id(slot);
|
int object = get_object_id(slot);
|
||||||
int cert_len = i2d_X509(cert, NULL);
|
|
||||||
ykpiv_rc res;
|
ykpiv_rc res;
|
||||||
|
|
||||||
if(cert_len > 2048) {
|
if(cert_len > 2048) {
|
||||||
@@ -427,11 +438,19 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
|
|||||||
}
|
}
|
||||||
*certptr++ = 0x70;
|
*certptr++ = 0x70;
|
||||||
certptr += set_length(certptr, cert_len);
|
certptr += set_length(certptr, cert_len);
|
||||||
/* i2d_X509 increments certptr here.. */
|
if (compress) {
|
||||||
i2d_X509(cert, &certptr);
|
if (fread(certptr, 1, cert_len, input_file) != cert_len) {
|
||||||
|
fprintf(stderr, "Failed to read compressed certificate\n");
|
||||||
|
goto import_cert_out;
|
||||||
|
}
|
||||||
|
certptr += cert_len;
|
||||||
|
} else {
|
||||||
|
/* i2d_X509 increments certptr here.. */
|
||||||
|
i2d_X509(cert, &certptr);
|
||||||
|
}
|
||||||
*certptr++ = 0x71;
|
*certptr++ = 0x71;
|
||||||
*certptr++ = 1;
|
*certptr++ = 1;
|
||||||
*certptr++ = 0; /* certinfo (gzip etc) */
|
*certptr++ = compress; /* certinfo (gzip etc) */
|
||||||
*certptr++ = 0xfe; /* LRC */
|
*certptr++ = 0xfe; /* LRC */
|
||||||
*certptr++ = 0;
|
*certptr++ = 0;
|
||||||
|
|
||||||
|
|||||||
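Review bot: In the new GZIP branch the `fstat()` return value is never checked and `st.st_size` (an `off_t`) is narrowed into `int cert_len` before the `if(cert_len > 2048)` guard further down, so a failed fstat leaves `st` uninitialised and a file larger than INT_MAX wraps to a negative length that slips past the guard and is then handed to `set_length()` and `fread()` against the fixed `certdata[2100]` buffer. With the default input `-` and stdin on a pipe, `st_size` is also normally 0, so the tool would silently write an empty certificate object. Check the call, require a regular file, and compare the size while it is still an `off_t`; the existing too-large path after `if(cert_len > 2048)` then only has to cover regular files in range. import_cert begins and ends outside this section, and the body of that size check is not visible here.
```c
  } else if (cert_format == key_format_arg_GZIP) {
    struct stat st;

    /* st_size is only meaningful for a regular file; a pipe on stdin reports 0 */
    if (fstat(fileno(input_file), &st) != 0 || !S_ISREG(st.st_mode)) {
      fprintf(stderr, "Compressed certificate input must be a regular file.\n");
      goto import_cert_out;
    }
    /* compare before narrowing off_t -> int so a huge file cannot wrap negative */
    if (st.st_size > 2048) {
      fprintf(stderr, "Compressed certificate too large.\n");
      goto import_cert_out;
    }
    cert_len = (int)st.st_size;
    compress = 0x01;
  } else {
    /* … unchanged: unknown-format error … */
```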
@@ -60,6 +60,12 @@ file with password test, into slot 9c:
|
|||||||
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \\
|
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \\
|
||||||
-a import-key -a import-cert
|
-a import-key -a import-cert
|
||||||
|
|
||||||
|
Import a certificate which is larger than 2048 bytes and thus requires
|
||||||
|
compression in order to fit:
|
||||||
|
|
||||||
|
openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
|
||||||
|
yubico-piv-tool -s 9c -i der.gz -K GZIP -a import-cert
|
||||||
|
|
||||||
Change the management key used for administrative authentication:
|
Change the management key used for administrative authentication:
|
||||||
|
|
||||||
yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \\
|
yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \\
|
||||||
|
|||||||