winpr-makecert: use sha256 and update command line

* use sha256 instead of sha1 as default hash algorithm
* fix command line parser
* mark not implemented command line switches as unsupported
This commit is contained in:
Bernhard Miklautz 2017-01-12 11:04:34 +01:00
parent 2f93c0f452
commit 960f4644cd

View File

@ -67,7 +67,7 @@ static COMMAND_LINE_ARGUMENT_A args[] =
/* Custom Options */
{ "rdp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Generate certificate with required options for RDP usage."
"Unsupported - Generate certificate with required options for RDP usage."
},
{ "silent", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Silently generate certificate without verbose output."
@ -92,82 +92,82 @@ static COMMAND_LINE_ARGUMENT_A args[] =
"The simplest method is to specify the name in double quotes, preceded by CN=; for example, -n \"CN=myName\"."
},
{ "pe", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Marks the generated private key as exportable. This allows the private key to be included in the certificate."
"Unsupported - Marks the generated private key as exportable. This allows the private key to be included in the certificate."
},
{ "sk", COMMAND_LINE_VALUE_REQUIRED, "<keyname>", NULL, NULL, -1, NULL,
"Specifies the subject's key container location, which contains the private key. "
"Unsupported - Specifies the subject's key container location, which contains the private key. "
"If a key container does not exist, it will be created."
},
{ "sr", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
"Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine."
"Unsupported - Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine."
},
{ "ss", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
"Specifies the subject's certificate store name that stores the output certificate."
"Unsupported - Specifies the subject's certificate store name that stores the output certificate."
},
{ "#", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
"Specifies a serial number from 1 to 2,147,483,647. The default is a unique value generated by Makecert.exe."
},
{ "$", COMMAND_LINE_VALUE_REQUIRED, "<authority>", NULL, NULL, -1, NULL,
"Specifies the signing authority of the certificate, which must be set to either commercial "
"Unsupported - Specifies the signing authority of the certificate, which must be set to either commercial "
"(for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers)."
},
/* Extended Options */
{ "a", COMMAND_LINE_VALUE_REQUIRED, "<algorithm>", NULL, NULL, -1, NULL,
"Specifies the signature algorithm. algorithm must be md5, sha1 (the default), sha256, sha384, or sha512."
"Specifies the signature algorithm. algorithm must be md5, sha1, sha256 (the default), sha384, or sha512."
},
{ "b", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
"Specifies the start of the validity period. Defaults to the current date."
"Unsupported - Specifies the start of the validity period. Defaults to the current date."
},
{ "crl", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Generates a certificate relocation list (CRL) instead of a certificate."
"Unsupported - Generates a certificate relocation list (CRL) instead of a certificate."
},
{ "cy", COMMAND_LINE_VALUE_REQUIRED, "<certType>", NULL, NULL, -1, NULL,
"Specifies the certificate type. Valid values are end for end-entity and authority for certification authority."
"Unsupported - Specifies the certificate type. Valid values are end for end-entity and authority for certification authority."
},
{ "e", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
"Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT."
"Unsupported - Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT."
},
{ "eku", COMMAND_LINE_VALUE_REQUIRED, "<oid[,oid…]>", NULL, NULL, -1, NULL,
"Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate."
"Unsupported - Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate."
},
{ "h", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
"Specifies the maximum height of the tree below this certificate."
"Unsupported - Specifies the maximum height of the tree below this certificate."
},
{ "ic", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
"Specifies the issuer's certificate file."
"Unsupported - Specifies the issuer's certificate file."
},
{ "ik", COMMAND_LINE_VALUE_REQUIRED, "<keyName>", NULL, NULL, -1, NULL,
"Specifies the issuer's key container name."
"Unsupported - Specifies the issuer's key container name."
},
{ "iky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
"Specifies the issuer's key type, which must be one of the following: "
"Unsupported - Specifies the issuer's key type, which must be one of the following: "
"signature (which indicates that the key is used for a digital signature), "
"exchange (which indicates that the key is used for key encryption and key exchange), "
"or an integer that represents a provider type. "
"By default, you can pass 1 for an exchange key or 2 for a signature key."
},
{ "in", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
"Specifies the issuer's certificate common name."
"Unsupported - Specifies the issuer's certificate common name."
},
{ "ip", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
"Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the sp option."
"Unsupported - Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the sp option."
},
{ "ir", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
"Specifies the location of the issuer's certificate store. location can be either currentuser (the default) or localmachine."
"Unsupported - Specifies the location of the issuer's certificate store. location can be either currentuser (the default) or localmachine."
},
{ "is", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
"Specifies the issuer's certificate store name."
"Unsupported - Specifies the issuer's certificate store name."
},
{ "iv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
"Specifies the issuer's .pvk private key file."
"Unsupported - Specifies the issuer's .pvk private key file."
},
{ "iy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
"Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the sy option."
"Unsupported - Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the sy option."
},
{ "l", COMMAND_LINE_VALUE_REQUIRED, "<link>", NULL, NULL, -1, NULL,
"Links to policy information (for example, to a URL)."
"Unsupported - Links to policy information (for example, to a URL)."
},
{ "len", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
"Specifies the generated key length, in bits."
@ -179,36 +179,36 @@ static COMMAND_LINE_ARGUMENT_A args[] =
"Specifies the duration, in years, of the certificate validity period."
},
{ "nscp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Includes the Netscape client-authorization extension."
"Unsupported - Includes the Netscape client-authorization extension."
},
{ "r", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Creates a self-signed certificate."
"Unsupported - Creates a self-signed certificate."
},
{ "sc", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
"Specifies the subject's certificate file."
"Unsupported - Specifies the subject's certificate file."
},
{ "sky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
"Specifies the subject's key type, which must be one of the following: "
"Unsupported - Specifies the subject's key type, which must be one of the following: "
"signature (which indicates that the key is used for a digital signature), "
"exchange (which indicates that the key is used for key encryption and key exchange), "
"or an integer that represents a provider type. "
"By default, you can pass 1 for an exchange key or 2 for a signature key."
},
{ "sp", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
"Specifies the subject's CryptoAPI provider name, which must be defined in the registry subkeys of "
"Unsupported - Specifies the subject's CryptoAPI provider name, which must be defined in the registry subkeys of "
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider. If both sp and sy are present, "
"the type of the CryptoAPI provider must correspond to the Type value of the provider's subkey."
},
{ "sv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
"Specifies the subject's .pvk private key file. The file is created if none exists."
"Unsupported - Specifies the subject's .pvk private key file. The file is created if none exists."
},
{ "sy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
"Specifies the subject's CryptoAPI provider type, which must be defined in the registry subkeys of "
"Unsupported - Specifies the subject's CryptoAPI provider type, which must be defined in the registry subkeys of "
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider Types. If both sy and sp are present, "
"the name of the CryptoAPI provider must correspond to the Name value of the provider type subkey."
},
{ "tbs", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
"Specifies the certificate or CRL file to be signed."
"Unsupported - Specifies the certificate or CRL file to be signed."
},
/* Help */
@ -354,9 +354,8 @@ int command_line_pre_filter(MAKECERT_CONTEXT* context, int index, int argc, LPCS
context->output_file = _strdup(argv[index]);
if (!context->output_file)
return -1;
return 1;
}
return 1;
}
return 0;
@ -389,11 +388,10 @@ int makecert_context_parse_arguments(MAKECERT_CONTEXT* context, int argc, char**
do
{
if (!(arg->Flags & COMMAND_LINE_VALUE_PRESENT))
if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
continue;
CommandLineSwitchStart(arg)
/* Basic Options */
CommandLineSwitchCase(arg, "silent")
@ -474,7 +472,6 @@ int makecert_context_parse_arguments(MAKECERT_CONTEXT* context, int argc, char**
CommandLineSwitchDefault(arg)
{
}
CommandLineSwitchEnd(arg)
@ -579,7 +576,7 @@ int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, char* pa
goto out_fail;
status = BIO_read(bio, x509_str, length);
if (status < 0)
goto out_fail;
@ -634,7 +631,7 @@ int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, char* pa
goto out_fail;
status = BIO_read(bio, x509_str, length);
if (status < 0)
goto out_fail;
@ -692,7 +689,7 @@ int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, char* pa
goto out_fail;
status = BIO_read(bio, x509_str, length);
if (status < 0)
goto out_fail;
@ -880,7 +877,9 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
ret = makecert_context_parse_arguments(context, argc, argv);
if (ret < 1)
{
return ret;
}
if (!context->default_name && !context->common_name)
{
@ -951,7 +950,7 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
{
X509_gmtime_adj(X509_get_notAfter(context->x509), (long) (60 * 60 * 24 * 365 * context->duration_years));
}
X509_set_pubkey(context->x509, context->pkey);
name = X509_get_subject_name(context->x509);
@ -1004,7 +1003,7 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
arg = CommandLineFindArgumentA(args, "a");
md = EVP_sha1();
md = EVP_sha256();
if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
{
@ -1051,14 +1050,14 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
}
status = BIO_read(bio, x509_str, length);
if (status < 0)
{
BIO_free(bio);
free(x509_str);
return -1;
}
offset += status;
while (offset >= length)
@ -1087,7 +1086,7 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
if (status < 0)
return -1;
length = offset;
x509_str[length] = '\0';
@ -1106,7 +1105,7 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
makecert_context_output_certificate_file(context, context->output_path);
if (context->crtFormat)
{
{
if (makecert_context_output_private_key_file(context, context->output_path) < 0)
return -1;
}