hxtool request-create: fix --key argument handling
```
hxtool request-create --subject=... \
--generate-key=... \
--key-bits=... \
--key=STORE \
store
```
wants to generate a key, store it in the location specified by the --key
argument, then read it back, then generate the CSR, and store it in
`store`.
But it didn't work because for generating a key this really wants the
`--key` argument to be a file path into which a raw DER-encoded RSA key
will be written (only RSA is supported, ay!), but for reading the key
back it uses `hx509_certs_init()`, which wants `TYPE:name` keystore
specification. A deadly embrace.
Now that we have improved libhx509 functionality for reading/writing
private keys from/to PEM files we use this functionality and require a
store type in the `--key=STORE` argument.
This commit is contained in:
Nicolas Williams
@@ -1263,57 +1263,57 @@ static void
|
|||||||
get_key(const char *fn, const char *type, int optbits,
|
get_key(const char *fn, const char *type, int optbits,
|
||||||
hx509_private_key *signer)
|
hx509_private_key *signer)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret = 0;
|
||||||
|
|
||||||
if (type) {
|
if (type) {
|
||||||
BIGNUM *e;
|
struct hx509_generate_private_context *gen_ctx;
|
||||||
RSA *rsa;
|
|
||||||
unsigned char *p0, *p;
|
|
||||||
size_t len;
|
|
||||||
int bits = 1024;
|
|
||||||
|
|
||||||
if (fn == NULL)
|
|
||||||
errx(1, "no key argument, don't know here to store key");
|
|
||||||
|
|
||||||
if (strcasecmp(type, "rsa") != 0)
|
if (strcasecmp(type, "rsa") != 0)
|
||||||
errx(1, "can only handle rsa keys for now");
|
errx(1, "can only handle rsa keys for now");
|
||||||
|
|
||||||
e = BN_new();
|
ret = _hx509_generate_private_key_init(context,
|
||||||
BN_set_word(e, 0x10001);
|
ASN1_OID_ID_PKCS1_RSAENCRYPTION,
|
||||||
|
&gen_ctx);
|
||||||
|
if (ret == 0)
|
||||||
|
ret = _hx509_generate_private_key_bits(context, gen_ctx, optbits);
|
||||||
|
if (ret == 0)
|
||||||
|
ret = _hx509_generate_private_key(context, gen_ctx, signer);
|
||||||
|
if (ret)
|
||||||
|
hx509_err(context, 1, ret, "failed to generate private key of type %s", type);
|
||||||
|
|
||||||
if (optbits)
|
if (fn) {
|
||||||
bits = optbits;
|
hx509_certs certs = NULL;
|
||||||
|
hx509_cert cert = NULL;
|
||||||
|
|
||||||
rsa = RSA_new();
|
cert = hx509_cert_init_private_key(context,
|
||||||
if(rsa == NULL)
|
_hx509_private_key_ref(*signer),
|
||||||
errx(1, "RSA_new failed");
|
NULL);
|
||||||
|
if (cert)
|
||||||
|
ret = hx509_certs_init(context, fn,
|
||||||
|
HX509_CERTS_CREATE |
|
||||||
|
HX509_CERTS_UNPROTECT_ALL,
|
||||||
|
NULL, &certs);
|
||||||
|
if (ret == 0)
|
||||||
|
ret = hx509_certs_add(context, certs, cert);
|
||||||
|
if (ret == 0)
|
||||||
|
ret = hx509_certs_store(context, certs, 0, NULL);
|
||||||
|
if (ret)
|
||||||
|
hx509_err(context, 1, ret, "failed to store generated private "
|
||||||
|
"key in %s", fn);
|
||||||
|
|
||||||
ret = RSA_generate_key_ex(rsa, bits, e, NULL);
|
if (certs)
|
||||||
if(ret != 1)
|
hx509_certs_free(&certs);
|
||||||
errx(1, "RSA_new failed");
|
if (cert)
|
||||||
|
hx509_cert_free(cert);
|
||||||
BN_free(e);
|
}
|
||||||
|
} else {
|
||||||
len = i2d_RSAPrivateKey(rsa, NULL);
|
if (fn == NULL)
|
||||||
|
err(1, "no private key");
|
||||||
p0 = p = malloc(len);
|
ret = read_private_key(fn, signer);
|
||||||
if (p == NULL)
|
if (ret)
|
||||||
errx(1, "out of memory");
|
hx509_err(context, 1, ret, "failed to read private key from %s",
|
||||||
|
fn);
|
||||||
i2d_RSAPrivateKey(rsa, &p);
|
}
|
||||||
|
|
||||||
rk_dumpdata(fn, p0, len);
|
|
||||||
memset(p0, 0, len);
|
|
||||||
free(p0);
|
|
||||||
|
|
||||||
RSA_free(rsa);
|
|
||||||
|
|
||||||
} else if (fn == NULL)
|
|
||||||
err(1, "no private key");
|
|
||||||
|
|
||||||
ret = read_private_key(fn, signer);
|
|
||||||
if (ret)
|
|
||||||
err(1, "read_private_key");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|||||||
Reference in New Issue
Block a user