From 98f843e7e7fb698b1aea919b9d490504a5fd24ca Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Wed, 10 Feb 2016 17:30:05 -0600
Subject: [PATCH 1/3] Add a --valid-days parameter to yubico-piv-tool.
Allows the expiration date (notAfter) value of self signed certificates to be configured.
---
 tool/cmdline.ggo | 1 +
 tool/yubico-piv-tool.c | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/tool/cmdline.ggo b/tool/cmdline.ggo
index 03e61c9..30dc8c6 100644
--- a/tool/cmdline.ggo
+++ b/tool/cmdline.ggo
@@ -57,6 +57,7 @@ option "subject" S "The subject to use for certificate request" string optional
 text " The subject must be written as: /CN=host.example.com/OU=test/O=example.com/\n"
+option "valid-days" - "Time (in days) until the self-signed certificate expires" int optional default="365"
 option "pin" P "Pin/puk code for verification" string optional
 option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
 option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index ae048e2..2e471ec 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -781,7 +781,7 @@ request_out:
 static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format, const char *input_file_name, const char *slot, char *subject, enum enum_hash hash,
- const char *output_file_name) {
+ const int validDays, const char *output_file_name) {
 FILE *input_file = NULL;
 FILE *output_file = NULL;
 bool ret = false;
@@ -855,7 +855,7 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
 fprintf(stderr, "Failed to set certificate notBefore.\n");
 goto selfsign_out;
 }
- if(!X509_gmtime_adj(X509_get_notAfter(x509), 31536000L)) {
+ if(!X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * validDays)) {
 fprintf(stderr, "Failed to set certificate notAfter.\n");
 goto selfsign_out;
 }
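Review bot: `validDays` in the new parameter list is camelCase while every neighbouring parameter (`key_format`, `input_file_name`, `output_file_name`) and the rest of this file use snake_case; `int valid_days, const char *output_file_name) {` would match, with the same rename at its use in the `@@ -855` hunk and at the `main` call site. The same spelling is carried into the `@@ -781` hunks of the second and third patches, so the rename applies there too. selfsign_certificate's body continues outside the hunk.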
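Review bot: `60L * 60L * 24L * validDays` on the new notAfter line is never range-checked, so `--valid-days 0` or a negative value produces a certificate whose notAfter is at or before its notBefore, and on a target where `long` is 32 bits (as it is on Windows, if the tool is built there) any value above 24855 overflows the signed multiplication, which is undefined behaviour. gengetopt's `int` type in the `cmdline.ggo` hunk only checks that the argument parses as an integer, and the `main` hunk passes `args_info.valid_days_arg` straight through, so the check has to live here; one option is `if(validDays <= 0 || validDays > LONG_MAX / (60L * 60L * 24L)) { fprintf(stderr, "Invalid number of valid days.\n"); goto selfsign_out; }` placed before the `X509_gmtime_adj` call (`LONG_MAX` needs `<limits.h>` if the file does not already include it). The function body continues outside the hunk in both directions.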
@@ -1986,7 +1986,7 @@ int main(int argc, char *argv[]) {
 case action_arg_selfsignMINUS_certificate:
 if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg, args_info.slot_orig, args_info.subject_arg, args_info.hash_arg,
- args_info.output_arg) == false) {
+ args_info.valid_days_arg, args_info.output_arg) == false) {
 ret = EXIT_FAILURE;
 } else {
 fprintf(stderr, "Successfully generated a new self signed certificate.\n");
From f91cf3379a8062b37254c544681fcb762c4267e1 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Wed, 10 Feb 2016 17:40:12 -0600
Subject: [PATCH 2/3] Add a --serial parameter to yubico-piv-tool.
Allows the serial number of self signed certificates to be configured.
---
 tool/cmdline.ggo | 1 +
 tool/yubico-piv-tool.c | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/tool/cmdline.ggo b/tool/cmdline.ggo
index 30dc8c6..a8f618f 100644
--- a/tool/cmdline.ggo
+++ b/tool/cmdline.ggo
@@ -57,6 +57,7 @@ option "subject" S "The subject to use for certificate request" string optional
 text " The subject must be written as: /CN=host.example.com/OU=test/O=example.com/\n"
+option "serial" - "Serial number of the self-signed certificate" int optional default="1"
 option "valid-days" - "Time (in days) until the self-signed certificate expires" int optional default="365"
 option "pin" P "Pin/puk code for verification" string optional
 option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 2e471ec..4917763 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -781,7 +781,7 @@ request_out:
 static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format, const char *input_file_name, const char *slot, char *subject, enum enum_hash hash,
- const int validDays, const char *output_file_name) {
+ const int serial, const int validDays, const char *output_file_name) {
 FILE *input_file = NULL;
 FILE *output_file = NULL;
 bool ret = false;
@@ -847,7 +847,7 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
 fprintf(stderr, "Failed to set the certificate public key.\n");
 goto selfsign_out;
 }
- if(!ASN1_INTEGER_set(X509_get_serialNumber(x509), 1)) {
+ if(!ASN1_INTEGER_set(X509_get_serialNumber(x509), serial)) {
 fprintf(stderr, "Failed to set certificate serial.\n");
 goto selfsign_out;
 }
@@ -1986,7 +1986,8 @@ int main(int argc, char *argv[]) {
 case action_arg_selfsignMINUS_certificate:
 if(selfsign_certificate(state, args_info.key_format_arg, args_info.input_arg, args_info.slot_orig, args_info.subject_arg, args_info.hash_arg,
- args_info.valid_days_arg, args_info.output_arg) == false) {
+ args_info.serial_arg, args_info.valid_days_arg,
+ args_info.output_arg) == false) {
 ret = EXIT_FAILURE;
 } else {
 fprintf(stderr, "Successfully generated a new self signed certificate.\n");
From d39b697d49b10b0eb0227003ec346ff8206286a2 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Fri, 12 Feb 2016 09:01:12 -0600
Subject: [PATCH 3/3] Drop const from these these int parameters.
---
 tool/yubico-piv-tool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 4917763..d8ce0b1 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
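Review bot: `serial` reaches `ASN1_INTEGER_set` in the `@@ -847` hunk with no check, and the `--serial` option added in this patch's `cmdline.ggo` hunk accepts any `int`, including zero and negative values; RFC 5280 §4.1.2.2 requires the serial number to be a positive integer, and `ASN1_INTEGER_set` will encode 0 or a negative value without complaint, yielding a certificate that strict verifiers reject. A guard such as `if(serial <= 0) { fprintf(stderr, "Certificate serial must be positive.\n"); goto selfsign_out; }` before the `ASN1_INTEGER_set` call closes that, and the option's help text could say "positive serial number". An `int` also limits the serial to 31 bits, whereas RFC 5280 allows up to 20 octets and random serials of 64 bits or more are the usual practice; if that is wanted later the option would have to become a string parsed into a BIGNUM (`BN_to_ASN1_INTEGER`), which is beyond this patch. The previous hard-coded serial of 1 is kept as the default, so repeated self-signed certificates for the same subject still share a serial unless the user passes one; selfsign_certificate's body continues outside the hunk.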
@@ -781,7 +781,7 @@ request_out:
 static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_format, const char *input_file_name, const char *slot, char *subject, enum enum_hash hash,
- const int serial, const int validDays, const char *output_file_name) {
+ int serial, int validDays, const char *output_file_name) {
 FILE *input_file = NULL;
 FILE *output_file = NULL;
 bool ret = false;