Merge branch 'master' of ssh://github.com/dwmw2/yubico-piv-tool

This commit is contained in:
Klas Lindfors
2014-11-10 09:54:09 +01:00
3 changed files with 30 additions and 5 deletions
+1 -1
View File
@@ -47,7 +47,7 @@ option "pin-retries" - "Number of retries before the pin code is blocked" int op
option "puk-retries" - "Number of retries before the puk code is blocked" int optional dependon="pin-retries"
option "input" i "Filename to use as input, - for stdin" string optional default="-"
option "output" o "Filename to use as output, - for stdout" string optional default="-"
option "key-format" K "Format of the key being read/written" values="PEM","PKCS12" enum optional default="PEM"
option "key-format" K "Format of the key being read/written" values="PEM","PKCS12","GZIP" enum optional default="PEM"
option "password" p "Password for decryption of private key file" string optional
option "subject" S "The subject to use for certificate request" string optional
text "
+21 -2
View File
@@ -31,6 +31,8 @@
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "ykpiv.h"
@@ -386,6 +388,8 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
X509 *cert = NULL;
PKCS12 *p12 = NULL;
EVP_PKEY *private_key = NULL;
int compress = 0;
int cert_len;
input_file = open_file(input_file_name, INPUT);
if(!input_file) {
@@ -398,6 +402,7 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
fprintf(stderr, "Failed loading certificate for import.\n");
goto import_cert_out;
}
cert_len = i2d_X509(cert, NULL);
} else if(cert_format == key_format_arg_PKCS12) {
p12 = d2i_PKCS12_fp(input_file, NULL);
if(!p12) {
@@ -408,6 +413,13 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
fprintf(stderr, "Failed to parse PKCS12 structure.\n");
goto import_cert_out;
}
cert_len = i2d_X509(cert, NULL);
} else if (cert_format == key_format_arg_GZIP) {
struct stat st;
fstat(fileno(input_file), &st);
cert_len = st.st_size;
compress = 0x01;
} else {
/* TODO: more formats go here */
fprintf(stderr, "Unknown key format.\n");
@@ -418,7 +430,6 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
unsigned char certdata[2100];
unsigned char *certptr = certdata;
int object = get_object_id(slot);
int cert_len = i2d_X509(cert, NULL);
ykpiv_rc res;
if(cert_len > 2048) {
@@ -427,11 +438,19 @@ static bool import_cert(ykpiv_state *state, enum enum_key_format cert_format,
}
*certptr++ = 0x70;
certptr += set_length(certptr, cert_len);
if (compress) {
if (fread(certptr, 1, cert_len, input_file) != cert_len) {
fprintf(stderr, "Failed to read compressed certificate\n");
goto import_cert_out;
}
certptr += cert_len;
} else {
/* i2d_X509 increments certptr here.. */
i2d_X509(cert, &certptr);
}
*certptr++ = 0x71;
*certptr++ = 1;
*certptr++ = 0; /* certinfo (gzip etc) */
*certptr++ = compress; /* certinfo (gzip etc) */
*certptr++ = 0xfe; /* LRC */
*certptr++ = 0;
+6
View File
@@ -60,6 +60,12 @@ file with password test, into slot 9c:
yubico-piv-tool -s 9c -i test.pfx -K PKCS12 -p test -a set-chuid \\
-a import-key -a import-cert
Import a certificate which is larger than 2048 bytes and thus requires
compression in order to fit:
openssl x509 -in cert.pem -outform DER | gzip -9 > der.gz
yubico-piv-tool -s 9c -i der.gz -K GZIP -a import-cert
Change the management key used for administrative authentication:
yubico-piv-tool -n 0807605403020108070605040302010807060504030201 \\