winpr-makecert: use sha256 and update command line

* use sha256 instead of sha1 as default hash algorithm
* fix command line parser
* mark not implemented command line switches as unsupported
Bernhard Miklautz 2017-01-12 11:04:34 +01:00
parent 2f93c0f452
commit 960f4644cd


@ -67,7 +67,7 @@ static COMMAND_LINE_ARGUMENT_A args[] =
/* Custom Options */ /* Custom Options */
{ "rdp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, { "rdp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Generate certificate with required options for RDP usage." "Unsupported - Generate certificate with required options for RDP usage."
}, },
{ "silent", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, { "silent", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Silently generate certificate without verbose output." "Silently generate certificate without verbose output."
@ -92,82 +92,82 @@ static COMMAND_LINE_ARGUMENT_A args[] =
"The simplest method is to specify the name in double quotes, preceded by CN=; for example, -n \"CN=myName\"." "The simplest method is to specify the name in double quotes, preceded by CN=; for example, -n \"CN=myName\"."
}, },
{ "pe", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, { "pe", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Marks the generated private key as exportable. This allows the private key to be included in the certificate." "Unsupported - Marks the generated private key as exportable. This allows the private key to be included in the certificate."
}, },
{ "sk", COMMAND_LINE_VALUE_REQUIRED, "<keyname>", NULL, NULL, -1, NULL, { "sk", COMMAND_LINE_VALUE_REQUIRED, "<keyname>", NULL, NULL, -1, NULL,
"Specifies the subject's key container location, which contains the private key. " "Unsupported - Specifies the subject's key container location, which contains the private key. "
"If a key container does not exist, it will be created." "If a key container does not exist, it will be created."
}, },
{ "sr", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL, { "sr", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
"Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine." "Unsupported - Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine."
}, },
{ "ss", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL, { "ss", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
"Specifies the subject's certificate store name that stores the output certificate." "Unsupported - Specifies the subject's certificate store name that stores the output certificate."
}, },
{ "#", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL, { "#", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
"Specifies a serial number from 1 to 2,147,483,647. The default is a unique value generated by Makecert.exe." "Specifies a serial number from 1 to 2,147,483,647. The default is a unique value generated by Makecert.exe."
}, },
{ "$", COMMAND_LINE_VALUE_REQUIRED, "<authority>", NULL, NULL, -1, NULL, { "$", COMMAND_LINE_VALUE_REQUIRED, "<authority>", NULL, NULL, -1, NULL,
"Specifies the signing authority of the certificate, which must be set to either commercial " "Unsupported - Specifies the signing authority of the certificate, which must be set to either commercial "
"(for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers)." "(for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers)."
}, },
/* Extended Options */ /* Extended Options */
{ "a", COMMAND_LINE_VALUE_REQUIRED, "<algorithm>", NULL, NULL, -1, NULL, { "a", COMMAND_LINE_VALUE_REQUIRED, "<algorithm>", NULL, NULL, -1, NULL,
"Specifies the signature algorithm. algorithm must be md5, sha1 (the default), sha256, sha384, or sha512." "Specifies the signature algorithm. algorithm must be md5, sha1, sha256 (the default), sha384, or sha512."
}, },
{ "b", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL, { "b", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
"Specifies the start of the validity period. Defaults to the current date." "Unsupported - Specifies the start of the validity period. Defaults to the current date."
}, },
{ "crl", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, { "crl", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Generates a certificate relocation list (CRL) instead of a certificate." "Unsupported - Generates a certificate relocation list (CRL) instead of a certificate."
}, },
{ "cy", COMMAND_LINE_VALUE_REQUIRED, "<certType>", NULL, NULL, -1, NULL, { "cy", COMMAND_LINE_VALUE_REQUIRED, "<certType>", NULL, NULL, -1, NULL,
"Specifies the certificate type. Valid values are end for end-entity and authority for certification authority." "Unsupported - Specifies the certificate type. Valid values are end for end-entity and authority for certification authority."
}, },
{ "e", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL, { "e", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
"Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT." "Unsupported - Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT."
}, },
{ "eku", COMMAND_LINE_VALUE_REQUIRED, "<oid[,oid…]>", NULL, NULL, -1, NULL, { "eku", COMMAND_LINE_VALUE_REQUIRED, "<oid[,oid…]>", NULL, NULL, -1, NULL,
"Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate." "Unsupported - Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate."
}, },
{ "h", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL, { "h", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
"Specifies the maximum height of the tree below this certificate." "Unsupported - Specifies the maximum height of the tree below this certificate."
}, },
{ "ic", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL, { "ic", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
"Specifies the issuer's certificate file." "Unsupported - Specifies the issuer's certificate file."
}, },
{ "ik", COMMAND_LINE_VALUE_REQUIRED, "<keyName>", NULL, NULL, -1, NULL, { "ik", COMMAND_LINE_VALUE_REQUIRED, "<keyName>", NULL, NULL, -1, NULL,
"Specifies the issuer's key container name." "Unsupported - Specifies the issuer's key container name."
}, },
{ "iky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL, { "iky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
"Specifies the issuer's key type, which must be one of the following: " "Unsupported - Specifies the issuer's key type, which must be one of the following: "
"signature (which indicates that the key is used for a digital signature), " "signature (which indicates that the key is used for a digital signature), "
"exchange (which indicates that the key is used for key encryption and key exchange), " "exchange (which indicates that the key is used for key encryption and key exchange), "
"or an integer that represents a provider type. " "or an integer that represents a provider type. "
"By default, you can pass 1 for an exchange key or 2 for a signature key." "By default, you can pass 1 for an exchange key or 2 for a signature key."
}, },
{ "in", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL, { "in", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
"Specifies the issuer's certificate common name." "Unsupported - Specifies the issuer's certificate common name."
}, },
{ "ip", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL, { "ip", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
"Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the sp option." "Unsupported - Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the sp option."
}, },
{ "ir", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL, { "ir", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
"Specifies the location of the issuer's certificate store. location can be either currentuser (the default) or localmachine." "Unsupported - Specifies the location of the issuer's certificate store. location can be either currentuser (the default) or localmachine."
}, },
{ "is", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL, { "is", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
"Specifies the issuer's certificate store name." "Unsupported - Specifies the issuer's certificate store name."
}, },
{ "iv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL, { "iv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
"Specifies the issuer's .pvk private key file." "Unsupported - Specifies the issuer's .pvk private key file."
}, },
{ "iy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL, { "iy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
"Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the sy option." "Unsupported - Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the sy option."
}, },
{ "l", COMMAND_LINE_VALUE_REQUIRED, "<link>", NULL, NULL, -1, NULL, { "l", COMMAND_LINE_VALUE_REQUIRED, "<link>", NULL, NULL, -1, NULL,
"Links to policy information (for example, to a URL)." "Unsupported - Links to policy information (for example, to a URL)."
}, },
{ "len", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL, { "len", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
"Specifies the generated key length, in bits." "Specifies the generated key length, in bits."
@ -179,36 +179,36 @@ static COMMAND_LINE_ARGUMENT_A args[] =
"Specifies the duration, in years, of the certificate validity period." "Specifies the duration, in years, of the certificate validity period."
}, },
{ "nscp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, { "nscp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Includes the Netscape client-authorization extension." "Unsupported - Includes the Netscape client-authorization extension."
}, },
{ "r", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, { "r", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
"Creates a self-signed certificate." "Unsupported - Creates a self-signed certificate."
}, },
{ "sc", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL, { "sc", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
"Specifies the subject's certificate file." "Unsupported - Specifies the subject's certificate file."
}, },
{ "sky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL, { "sky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
"Specifies the subject's key type, which must be one of the following: " "Unsupported - Specifies the subject's key type, which must be one of the following: "
"signature (which indicates that the key is used for a digital signature), " "signature (which indicates that the key is used for a digital signature), "
"exchange (which indicates that the key is used for key encryption and key exchange), " "exchange (which indicates that the key is used for key encryption and key exchange), "
"or an integer that represents a provider type. " "or an integer that represents a provider type. "
"By default, you can pass 1 for an exchange key or 2 for a signature key." "By default, you can pass 1 for an exchange key or 2 for a signature key."
}, },
{ "sp", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL, { "sp", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
"Specifies the subject's CryptoAPI provider name, which must be defined in the registry subkeys of " "Unsupported - Specifies the subject's CryptoAPI provider name, which must be defined in the registry subkeys of "
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider. If both sp and sy are present, " "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider. If both sp and sy are present, "
"the type of the CryptoAPI provider must correspond to the Type value of the provider's subkey." "the type of the CryptoAPI provider must correspond to the Type value of the provider's subkey."
}, },
{ "sv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL, { "sv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
"Specifies the subject's .pvk private key file. The file is created if none exists." "Unsupported - Specifies the subject's .pvk private key file. The file is created if none exists."
}, },
{ "sy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL, { "sy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
"Specifies the subject's CryptoAPI provider type, which must be defined in the registry subkeys of " "Unsupported - Specifies the subject's CryptoAPI provider type, which must be defined in the registry subkeys of "
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider Types. If both sy and sp are present, " "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider Types. If both sy and sp are present, "
"the name of the CryptoAPI provider must correspond to the Name value of the provider type subkey." "the name of the CryptoAPI provider must correspond to the Name value of the provider type subkey."
}, },
{ "tbs", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL, { "tbs", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
"Specifies the certificate or CRL file to be signed." "Unsupported - Specifies the certificate or CRL file to be signed."
}, },
/* Help */ /* Help */
@ -354,9 +354,8 @@ int command_line_pre_filter(MAKECERT_CONTEXT* context, int index, int argc, LPCS
context->output_file = _strdup(argv[index]); context->output_file = _strdup(argv[index]);
if (!context->output_file) if (!context->output_file)
return -1; return -1;
return 1;
} }
return 1;
} }
return 0; return 0;
@ -389,11 +388,10 @@ int makecert_context_parse_arguments(MAKECERT_CONTEXT* context, int argc, char**
do do
{ {
if (!(arg->Flags & COMMAND_LINE_VALUE_PRESENT)) if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
continue; continue;
CommandLineSwitchStart(arg) CommandLineSwitchStart(arg)
/* Basic Options */ /* Basic Options */
CommandLineSwitchCase(arg, "silent") CommandLineSwitchCase(arg, "silent")
@ -474,7 +472,6 @@ int makecert_context_parse_arguments(MAKECERT_CONTEXT* context, int argc, char**
CommandLineSwitchDefault(arg) CommandLineSwitchDefault(arg)
{ {
} }
CommandLineSwitchEnd(arg) CommandLineSwitchEnd(arg)
@ -880,7 +877,9 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
ret = makecert_context_parse_arguments(context, argc, argv); ret = makecert_context_parse_arguments(context, argc, argv);
if (ret < 1) if (ret < 1)
{
return ret; return ret;
}
if (!context->default_name && !context->common_name) if (!context->default_name && !context->common_name)
{ {
@ -1004,7 +1003,7 @@ int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
arg = CommandLineFindArgumentA(args, "a"); arg = CommandLineFindArgumentA(args, "a");
md = EVP_sha1(); md = EVP_sha256();
if (arg->Flags & COMMAND_LINE_VALUE_PRESENT) if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
{ {
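Review bot: The `-a` help text in the `args[]` hunk still advertises md5 and sha1 as acceptable signature algorithms without qualification, so switching the default to `EVP_sha256()` in makecert_context_process leaves users free to pick a digest whose collision resistance is broken (md5) or deprecated for certificate signatures (sha1) with no hint in the usage output. I would reword the entry to `"Specifies the signature algorithm. algorithm must be sha256 (the default), sha384, or sha512; md5 and sha1 are accepted for compatibility only and are not considered secure for certificate signatures."` and, where the selected name is mapped to an `EVP_MD` (outside this hunk), log a warning when either legacy digest is chosen. Separately, the parse loop in makecert_context_parse_arguments now tests `COMMAND_LINE_ARGUMENT_PRESENT` while the `-a` lookup in makecert_context_process still tests `COMMAND_LINE_VALUE_PRESENT`; if the parser sets the value flag only when a value was actually supplied this still works for a value-required switch, but using the same flag in both places, or a comment saying why they differ, would make the intent clear. Both enclosing functions start and end outside the visible hunks.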