]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added gnutls_sec_param_to_pk_bits() et al. to allow select bit
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 28 May 2010 19:08:44 +0000 (21:08 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Thu, 3 Jun 2010 17:54:56 +0000 (19:54 +0200)
sizes for private keys using a human understandable scale.

NEWS
lib/gnutls_algorithms.c
lib/includes/gnutls/gnutls.h.in
lib/libgnutls.map
lib/openpgp/output.c
lib/x509/output.c
lib/x509/privkey.c
src/certtool-gaa.c
src/certtool-gaa.h
src/certtool.c
src/certtool.gaa

diff --git a/NEWS b/NEWS
index e23313c9ea19de59cded89c9e31eec9fae6766ce..e6670fae78d2e0f5cd4438860680b06c7b4b787e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,9 @@ PKCS #11 private keys.
 ** libgnutls: Added  gnutls_pkcs11_copy_x509_crt(), gnutls_pkcs11_copy_x509_privkey(),
 and gnutls_pkcs11_delete_url() to allow copying and deleting data in tokens.
 
+** libgnutls: Added gnutls_sec_param_to_pk_bits() et al. to allow select bit
+sizes for private keys using a human understandable scale.
+
 ** certtool: Added new options: --pkcs11-list-tokens, --pkcs11-list-all
 --pkcs11-list-all-certs, --pkcs11-list-trusted, --pkcs11-list-certs,
 --pkcs11-delete-url, --pkcs11-write
@@ -40,6 +43,9 @@ pkcs11:token=Root%20CA%20Certificates;serial=1%3AROOTS%3ADEFAULT;model=1%2E0;man
 gnutls_certificate_set_server_retrieve_function: DEPRECATED
 gnutls_certificate_set_client_retrieve_function: DEPRECATED
 gnutls_sign_callback_set: DEPRECATED
+gnutls_sec_param_to_pk_bits: ADDED
+gnutls_pk_bits_to_sec_param: ADDED
+gnutls_sec_param_get_name: ADDED
 gnutls_pkcs11_type_get_name: ADDED
 gnutls_certificate_set_retrieve_function: ADDED
 gnutls_pkcs11_init: ADDED
index 1f7492aea0b02f9e878baa720532e18e0d7efa3b..891b2aa8a0bbd0d59d6bd72483b6af1a3536035e 100644 (file)
@@ -2326,3 +2326,118 @@ _gnutls_x509_pk_to_oid (gnutls_pk_algorithm_t algorithm)
   return ret;
 }
 
+/**
+ * gnutls_sec_param_to_pk_bits:
+ * @algo: is a public key algorithm
+ * @param: is a security parameter
+ *
+ * When generating private and public key pairs a difficult question
+ * is which size of "bits" the modulus will be in RSA and the group size
+ * in DSA. The easy answer is 1024, which is also wrong. This function
+ * will convert a human understandable security parameter to an
+ * appropriate size for the specific algorithm.
+ *
+ * Returns: The number of bits, or zero.
+ *
+ **/
+unsigned int gnutls_sec_param_to_pk_bits (gnutls_pk_algorithm_t algo,
+                                      gnutls_sec_param_t param)
+{
+
+  switch(algo)
+    {
+      case GNUTLS_PK_RSA:
+      case GNUTLS_PK_DSA:
+        switch(param)
+          {
+            case GNUTLS_SEC_PARAM_LOW:
+              return 1024;
+            case GNUTLS_SEC_PARAM_HIGH:
+              return 3072;
+            case GNUTLS_SEC_PARAM_ULTRA:
+              return 7680;
+            case GNUTLS_SEC_PARAM_NORMAL:
+            default:
+              return 2048;
+          }
+        default:
+          gnutls_assert();
+          return 0;
+    }
+
+}
+
+/**
+ * gnutls_sec_param_get_name:
+ * @param: is a security parameter
+ *
+ * Convert a #gnutls_sec_param_t value to a string.
+ *
+ * Returns: a pointer to a string that contains the name of the
+ *   specified public key algorithm, or %NULL.
+ *
+ **/
+const char *
+gnutls_sec_param_get_name (gnutls_sec_param_t param)
+{
+  const char *p;
+
+  switch (param)
+    {
+    case GNUTLS_SEC_PARAM_WEAK:
+      p = "Weak";
+      break;
+
+    case GNUTLS_SEC_PARAM_LOW:
+      p = "Low";
+      break;
+
+    case GNUTLS_SEC_PARAM_NORMAL:
+      p = "Normal";
+      break;
+
+    case GNUTLS_SEC_PARAM_HIGH:
+      p = "High";
+      break;
+
+    case GNUTLS_SEC_PARAM_ULTRA:
+      p = "Ultra";
+      break;
+
+    default:
+      p = "Unknown";
+      break;
+    }
+
+  return p;
+}
+
+/**
+ * gnutls_pk_bits_to_sec_param:
+ * @algo: is a public key algorithm
+ * @bits: is the number of bits
+ *
+ * This is the inverse of gnutls_sec_param_to_pk_bits(). Given an algorithm
+ * and the number of bits, it will return the security parameter. This is
+ * a rough indication.
+ *
+ * Returns: The security parameter.
+ *
+ **/
+gnutls_sec_param_t gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo,
+                                      unsigned int bits)
+{
+
+  /* currently we ignore algo */
+  if (bits >= 7680)
+    return GNUTLS_SEC_PARAM_ULTRA;
+  else if (bits >= 3072)
+    return GNUTLS_SEC_PARAM_HIGH;
+  else if (bits >= 2048)
+    return GNUTLS_SEC_PARAM_NORMAL;
+  else if (bits >= 1024)
+    return GNUTLS_SEC_PARAM_LOW;
+  else
+    return GNUTLS_SEC_PARAM_WEAK;
+
+}
index df63cb8786807d0bb379c04410362048e1c7372b..441b42850c1867baef2466b9d5ca2deaf9199df3 100644 (file)
@@ -602,6 +602,28 @@ extern "C"
 
   const char *gnutls_sign_algorithm_get_name (gnutls_sign_algorithm_t sign);
 
+  /**
+   * gnutls_sec_param_t:
+   * @GNUTLS_SEC_PARAM_UNKNOWN: Cannot be known
+   * @GNUTLS_SEC_PARAM_WEAK: 50 or less bits of security
+   * @GNUTLS_SEC_PARAM_LOW: 80 bits of security
+   * @GNUTLS_SEC_PARAM_NORMAL: 112 bits of security
+   * @GNUTLS_SEC_PARAM_HIGH: 128 bits of security
+   * @GNUTLS_SEC_PARAM_ULTRA: 192 bits of security
+   *
+   * Enumeration of security parameters for passive attacks
+   */
+  typedef enum
+  {
+    GNUTLS_SEC_PARAM_UNKNOWN,
+    GNUTLS_SEC_PARAM_WEAK,
+    GNUTLS_SEC_PARAM_LOW,
+    GNUTLS_SEC_PARAM_NORMAL,
+    GNUTLS_SEC_PARAM_HIGH,
+    GNUTLS_SEC_PARAM_ULTRA,
+  } gnutls_sec_param_t;
+
+
 /* If you want to change this, then also change the define in
  * gnutls_int.h, and recompile.
  */
@@ -660,6 +682,12 @@ extern "C"
   int gnutls_alert_send_appropriate (gnutls_session_t session, int err);
   const char *gnutls_alert_get_name (gnutls_alert_description_t alert);
 
+  gnutls_sec_param_t gnutls_pk_bits_to_sec_param (gnutls_pk_algorithm_t algo,
+                                      unsigned int bits);
+  const char * gnutls_sec_param_get_name (gnutls_sec_param_t param);
+  unsigned int gnutls_sec_param_to_pk_bits (gnutls_pk_algorithm_t algo,
+                                      gnutls_sec_param_t param);
+
 /* get information on the current session */
   gnutls_cipher_algorithm_t gnutls_cipher_get (gnutls_session_t session);
   gnutls_kx_algorithm_t gnutls_kx_get (gnutls_session_t session);
index 2acda43b542575fc648aee12879dc2f153886df8..1baa463e649ba035dc11fa26776c1a8e6d657e9b 100644 (file)
@@ -671,6 +671,10 @@ GNUTLS_2_11
        gnutls_pkcs11_copy_x509_crt;
        gnutls_pkcs11_copy_x509_privkey;
        gnutls_pkcs11_delete_url;
+
+       gnutls_sec_param_to_pk_bits;
+       gnutls_sec_param_get_name;
+       gnutls_pk_bits_to_sec_param;
 } GNUTLS_2_10;
 
 GNUTLS_PRIVATE {
index 982a6a6662bf8ab94d8de0a105e8d98d3fc7b40a..20d2855aa25db5e3e36f4aa0da36f0e2610cc3e6 100644 (file)
@@ -237,6 +237,8 @@ print_key_info (gnutls_string * str, gnutls_openpgp_crt_t cert, int idx)
        name = _("unknown");
 
       addf (str, _("\tPublic Key Algorithm: %s\n"), name);
+      addf (str, _("\tKey Security Level: %s\n"), gnutls_sec_param_get_name(gnutls_pk_bits_to_sec_param(err, bits)));
+
       switch (err)
        {
        case GNUTLS_PK_RSA:
index f4ea366895d448b109fb807b02b39508f092ebcd..126b88c483dca461d92c77bd7c093cf5d6c8f60b 100644 (file)
@@ -1096,6 +1096,8 @@ print_cert (gnutls_string * str, gnutls_x509_crt_t cert, int notsigned)
          name = _("unknown");
 
        addf (str, _("\tSubject Public Key Algorithm: %s\n"), name);
+       addf (str, _("\tCertificate Security Level: %s\n"), gnutls_sec_param_get_name(gnutls_pk_bits_to_sec_param(err, bits)));
+
 #ifdef ENABLE_PKI
        switch (err)
          {
index dbc3dbc2222771e1c164b4067a3cf9c51e0ef24d..6ef1ad248c56e286f42852131fb7aed0f169ec5d 100644 (file)
@@ -1402,6 +1402,8 @@ cleanup:
  * This function will generate a random private key. Note that this
  * function must be called on an empty private key.
  *
+ * Do not set the number of bits directly, use gnutls_sec_param_to_pk_bits().
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
  *   negative error value.
  **/
index fae02faa53feaced88c79874f66ef46db6f0d24d..c8c761c69ee0db5bb0a1c671cde3d0f5f6672eee 100644 (file)
@@ -172,6 +172,7 @@ void gaa_help(void)
        __gaa_helpsingle(0, "outder", "", "Use DER format for output certificates and private keys.");
        __gaa_helpsingle(0, "outraw", "", "Use RAW/DER format for output certificates and private keys.");
        __gaa_helpsingle(0, "bits", "BITS ", "specify the number of bits for key generation.");
+       __gaa_helpsingle(0, "sec-param", "PARAM ", "specify the security level [low|normal|high|ultra].");
        __gaa_helpsingle(0, "disable-quick-random", "", "Use /dev/random for key generationg, thus increasing the quality of randomness used.");
        __gaa_helpsingle(0, "outfile", "FILE ", "Output file.");
        __gaa_helpsingle(0, "infile", "FILE ", "Input file.");
@@ -205,28 +206,30 @@ typedef struct _gaainfo gaainfo;
 
 struct _gaainfo
 {
-#line 156 "certtool.gaa"
+#line 159 "certtool.gaa"
        int debug;
-#line 151 "certtool.gaa"
+#line 154 "certtool.gaa"
        int pkcs11_trusted;
-#line 148 "certtool.gaa"
+#line 151 "certtool.gaa"
        char* pkcs11_label;
-#line 141 "certtool.gaa"
+#line 144 "certtool.gaa"
        int pkcs11_type;
-#line 138 "certtool.gaa"
+#line 141 "certtool.gaa"
        char* pkcs11_url;
-#line 135 "certtool.gaa"
+#line 138 "certtool.gaa"
        char* pkcs11_provider;
-#line 132 "certtool.gaa"
+#line 135 "certtool.gaa"
        char *pkcs_cipher;
-#line 129 "certtool.gaa"
+#line 132 "certtool.gaa"
        char *template;
-#line 126 "certtool.gaa"
+#line 129 "certtool.gaa"
        char *infile;
-#line 123 "certtool.gaa"
+#line 126 "certtool.gaa"
        char *outfile;
-#line 120 "certtool.gaa"
+#line 123 "certtool.gaa"
        int quick_random;
+#line 120 "certtool.gaa"
+       char* sec_param;
 #line 117 "certtool.gaa"
        int bits;
 #line 113 "certtool.gaa"
@@ -319,7 +322,7 @@ static int gaa_error = 0;
 #define GAA_MULTIPLE_OPTION     3
 
 #define GAA_REST                0
-#define GAA_NB_OPTION           62
+#define GAA_NB_OPTION           63
 #define GAAOPTID_version       1
 #define GAAOPTID_help  2
 #define GAAOPTID_debug 3
@@ -339,49 +342,50 @@ static int gaa_error = 0;
 #define GAAOPTID_infile        17
 #define GAAOPTID_outfile       18
 #define GAAOPTID_disable_quick_random  19
-#define GAAOPTID_bits  20
-#define GAAOPTID_outraw        21
-#define GAAOPTID_outder        22
-#define GAAOPTID_inraw 23
-#define GAAOPTID_inder 24
-#define GAAOPTID_export_ciphers        25
-#define GAAOPTID_hash  26
-#define GAAOPTID_dsa   27
-#define GAAOPTID_pkcs8 28
-#define GAAOPTID_to_p8 29
-#define GAAOPTID_to_p12        30
-#define GAAOPTID_v1    31
-#define GAAOPTID_fix_key       32
-#define GAAOPTID_pubkey_info   33
-#define GAAOPTID_pgp_key_info  34
-#define GAAOPTID_key_info      35
-#define GAAOPTID_smime_to_p7   36
-#define GAAOPTID_p7_info       37
-#define GAAOPTID_p12_info      38
-#define GAAOPTID_no_crq_extensions     39
-#define GAAOPTID_crq_info      40
-#define GAAOPTID_crl_info      41
-#define GAAOPTID_pgp_ring_info 42
-#define GAAOPTID_pgp_certificate_info  43
-#define GAAOPTID_certificate_info      44
-#define GAAOPTID_password      45
-#define GAAOPTID_load_ca_certificate   46
-#define GAAOPTID_load_ca_privkey       47
-#define GAAOPTID_load_certificate      48
-#define GAAOPTID_load_request  49
-#define GAAOPTID_load_pubkey   50
-#define GAAOPTID_load_privkey  51
-#define GAAOPTID_get_dh_params 52
-#define GAAOPTID_generate_dh_params    53
-#define GAAOPTID_verify_crl    54
-#define GAAOPTID_verify_chain  55
-#define GAAOPTID_generate_request      56
-#define GAAOPTID_generate_privkey      57
-#define GAAOPTID_update_certificate    58
-#define GAAOPTID_generate_crl  59
-#define GAAOPTID_generate_proxy        60
-#define GAAOPTID_generate_certificate  61
-#define GAAOPTID_generate_self_signed  62
+#define GAAOPTID_sec_param     20
+#define GAAOPTID_bits  21
+#define GAAOPTID_outraw        22
+#define GAAOPTID_outder        23
+#define GAAOPTID_inraw 24
+#define GAAOPTID_inder 25
+#define GAAOPTID_export_ciphers        26
+#define GAAOPTID_hash  27
+#define GAAOPTID_dsa   28
+#define GAAOPTID_pkcs8 29
+#define GAAOPTID_to_p8 30
+#define GAAOPTID_to_p12        31
+#define GAAOPTID_v1    32
+#define GAAOPTID_fix_key       33
+#define GAAOPTID_pubkey_info   34
+#define GAAOPTID_pgp_key_info  35
+#define GAAOPTID_key_info      36
+#define GAAOPTID_smime_to_p7   37
+#define GAAOPTID_p7_info       38
+#define GAAOPTID_p12_info      39
+#define GAAOPTID_no_crq_extensions     40
+#define GAAOPTID_crq_info      41
+#define GAAOPTID_crl_info      42
+#define GAAOPTID_pgp_ring_info 43
+#define GAAOPTID_pgp_certificate_info  44
+#define GAAOPTID_certificate_info      45
+#define GAAOPTID_password      46
+#define GAAOPTID_load_ca_certificate   47
+#define GAAOPTID_load_ca_privkey       48
+#define GAAOPTID_load_certificate      49
+#define GAAOPTID_load_request  50
+#define GAAOPTID_load_pubkey   51
+#define GAAOPTID_load_privkey  52
+#define GAAOPTID_get_dh_params 53
+#define GAAOPTID_generate_dh_params    54
+#define GAAOPTID_verify_crl    55
+#define GAAOPTID_verify_chain  56
+#define GAAOPTID_generate_request      57
+#define GAAOPTID_generate_privkey      58
+#define GAAOPTID_update_certificate    59
+#define GAAOPTID_generate_crl  60
+#define GAAOPTID_generate_proxy        61
+#define GAAOPTID_generate_certificate  62
+#define GAAOPTID_generate_self_signed  63
 
 #line 168 "gaa.skel"
 
@@ -628,6 +632,12 @@ struct GAAOPTION_outfile
        int size1;
 };
 
+struct GAAOPTION_sec_param
+{
+       char* arg1;
+       int size1;
+};
+
 struct GAAOPTION_bits 
 {
        int arg1;
@@ -721,6 +731,7 @@ static int gaa_get_option_num(char *str, int status)
                        GAA_CHECK1STR("", GAAOPTID_template);
                        GAA_CHECK1STR("", GAAOPTID_infile);
                        GAA_CHECK1STR("", GAAOPTID_outfile);
+                       GAA_CHECK1STR("", GAAOPTID_sec_param);
                        GAA_CHECK1STR("", GAAOPTID_bits);
                        GAA_CHECK1STR("", GAAOPTID_hash);
                        GAA_CHECK1STR("", GAAOPTID_password);
@@ -798,6 +809,7 @@ static int gaa_get_option_num(char *str, int status)
                        GAA_CHECKSTR("infile", GAAOPTID_infile);
                        GAA_CHECKSTR("outfile", GAAOPTID_outfile);
                        GAA_CHECKSTR("disable-quick-random", GAAOPTID_disable_quick_random);
+                       GAA_CHECKSTR("sec-param", GAAOPTID_sec_param);
                        GAA_CHECKSTR("bits", GAAOPTID_bits);
                        GAA_CHECKSTR("outraw", GAAOPTID_outraw);
                        GAA_CHECKSTR("outder", GAAOPTID_outder);
@@ -863,6 +875,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
        struct GAAOPTION_template GAATMP_template;
        struct GAAOPTION_infile GAATMP_infile;
        struct GAAOPTION_outfile GAATMP_outfile;
+       struct GAAOPTION_sec_param GAATMP_sec_param;
        struct GAAOPTION_bits GAATMP_bits;
        struct GAAOPTION_hash GAATMP_hash;
        struct GAAOPTION_password GAATMP_password;
@@ -894,14 +907,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
     {
        case GAAOPTID_version:
        OK = 0;
-#line 161 "certtool.gaa"
+#line 164 "certtool.gaa"
 { certtool_version(); exit(0); ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_help:
        OK = 0;
-#line 159 "certtool.gaa"
+#line 162 "certtool.gaa"
 { gaa_help(); exit(0); ;};
 
                return GAA_OK;
@@ -911,7 +924,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1);
                gaa_index++;
-#line 157 "certtool.gaa"
+#line 160 "certtool.gaa"
 { gaaval->debug = GAATMP_debug.arg1 ;};
 
                return GAA_OK;
@@ -921,14 +934,14 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_pkcs11_delete_url.arg1, gaa_getstr, GAATMP_pkcs11_delete_url.size1);
                gaa_index++;
-#line 154 "certtool.gaa"
+#line 157 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_DELETE_URL; gaaval->pkcs11_url = GAATMP_pkcs11_delete_url.arg1; ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_pkcs11_write_trusted:
        OK = 0;
-#line 152 "certtool.gaa"
+#line 155 "certtool.gaa"
 { gaaval->pkcs11_trusted = 1; ;};
 
                return GAA_OK;
@@ -938,7 +951,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_pkcs11_write_label.arg1, gaa_getstr, GAATMP_pkcs11_write_label.size1);
                gaa_index++;
-#line 150 "certtool.gaa"
+#line 153 "certtool.gaa"
 { gaaval->pkcs11_label = GAATMP_pkcs11_write_label.arg1; ;};
 
                return GAA_OK;
@@ -948,42 +961,42 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_pkcs11_write.arg1, gaa_getstr, GAATMP_pkcs11_write.size1);
                gaa_index++;
-#line 149 "certtool.gaa"
+#line 152 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_WRITE_URL; gaaval->pkcs11_url = GAATMP_pkcs11_write.arg1; ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_pkcs11_list_tokens:
        OK = 0;
-#line 146 "certtool.gaa"
+#line 149 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_TOKENS; ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_pkcs11_list_all:
        OK = 0;
-#line 145 "certtool.gaa"
+#line 148 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_ALL; ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_pkcs11_list_all_certs:
        OK = 0;
-#line 144 "certtool.gaa"
+#line 147 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_CRT_ALL; ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_pkcs11_list_trusted:
        OK = 0;
-#line 143 "certtool.gaa"
+#line 146 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_TRUSTED; ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_pkcs11_list_certs:
        OK = 0;
-#line 142 "certtool.gaa"
+#line 145 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_PK; ;};
 
                return GAA_OK;
@@ -993,7 +1006,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_pkcs11_export_url.arg1, gaa_getstr, GAATMP_pkcs11_export_url.size1);
                gaa_index++;
-#line 139 "certtool.gaa"
+#line 142 "certtool.gaa"
 { gaaval->action = ACTION_PKCS11_EXPORT_URL; gaaval->pkcs11_url = GAATMP_pkcs11_export_url.arg1; ;};
 
                return GAA_OK;
@@ -1003,7 +1016,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_pkcs11_provider.arg1, gaa_getstr, GAATMP_pkcs11_provider.size1);
                gaa_index++;
-#line 136 "certtool.gaa"
+#line 139 "certtool.gaa"
 { gaaval->pkcs11_provider = GAATMP_pkcs11_provider.arg1 ;};
 
                return GAA_OK;
@@ -1013,7 +1026,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_pkcs_cipher.arg1, gaa_getstr, GAATMP_pkcs_cipher.size1);
                gaa_index++;
-#line 133 "certtool.gaa"
+#line 136 "certtool.gaa"
 { gaaval->pkcs_cipher = GAATMP_pkcs_cipher.arg1 ;};
 
                return GAA_OK;
@@ -1023,7 +1036,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_template.arg1, gaa_getstr, GAATMP_template.size1);
                gaa_index++;
-#line 130 "certtool.gaa"
+#line 133 "certtool.gaa"
 { gaaval->template = GAATMP_template.arg1 ;};
 
                return GAA_OK;
@@ -1033,7 +1046,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1);
                gaa_index++;
-#line 127 "certtool.gaa"
+#line 130 "certtool.gaa"
 { gaaval->infile = GAATMP_infile.arg1 ;};
 
                return GAA_OK;
@@ -1043,16 +1056,26 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
                GAA_TESTMOREARGS;
                GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1);
                gaa_index++;
-#line 124 "certtool.gaa"
+#line 127 "certtool.gaa"
 { gaaval->outfile = GAATMP_outfile.arg1 ;};
 
                return GAA_OK;
                break;
        case GAAOPTID_disable_quick_random:
        OK = 0;
-#line 121 "certtool.gaa"
+#line 124 "certtool.gaa"
 { gaaval->quick_random = 0; ;};
 
+               return GAA_OK;
+               break;
+       case GAAOPTID_sec_param:
+       OK = 0;
+               GAA_TESTMOREARGS;
+               GAA_FILL(GAATMP_sec_param.arg1, gaa_getstr, GAATMP_sec_param.size1);
+               gaa_index++;
+#line 121 "certtool.gaa"
+{ gaaval->sec_param = GAATMP_sec_param.arg1 ;};
+
                return GAA_OK;
                break;
        case GAAOPTID_bits:
@@ -1407,14 +1430,14 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
     if(inited == 0)
     {
 
-#line 163 "certtool.gaa"
-{ gaaval->bits = 2048; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL; 
+#line 166 "certtool.gaa"
+{ gaaval->bits = 0; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL;
        gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL; 
        gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; gaaval->v1_cert = 0;
        gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=1; 
        gaaval->privkey_op = 0; gaaval->pkcs_cipher = "3des"; gaaval->crq_extensions=1; gaaval->pkcs11_provider= NULL;
        gaaval->pkcs11_url = NULL; gaaval->pkcs11_type = PKCS11_TYPE_PK; gaaval->pubkey=NULL; gaaval->pkcs11_label = NULL; 
-       gaaval->pkcs11_trusted=0; ;};
+       gaaval->pkcs11_trusted=0; gaaval->sec_param = NULL; ;};
 
     }
     inited = 1;
index 8cda5acc1b2f0891fe3fcc856c09430eb811c9a2..647e512b9f850f6a908f6807e68c548da14d5878 100644 (file)
@@ -8,28 +8,30 @@ typedef struct _gaainfo gaainfo;
 
 struct _gaainfo
 {
-#line 156 "certtool.gaa"
+#line 159 "certtool.gaa"
        int debug;
-#line 151 "certtool.gaa"
+#line 154 "certtool.gaa"
        int pkcs11_trusted;
-#line 148 "certtool.gaa"
+#line 151 "certtool.gaa"
        char* pkcs11_label;
-#line 141 "certtool.gaa"
+#line 144 "certtool.gaa"
        int pkcs11_type;
-#line 138 "certtool.gaa"
+#line 141 "certtool.gaa"
        char* pkcs11_url;
-#line 135 "certtool.gaa"
+#line 138 "certtool.gaa"
        char* pkcs11_provider;
-#line 132 "certtool.gaa"
+#line 135 "certtool.gaa"
        char *pkcs_cipher;
-#line 129 "certtool.gaa"
+#line 132 "certtool.gaa"
        char *template;
-#line 126 "certtool.gaa"
+#line 129 "certtool.gaa"
        char *infile;
-#line 123 "certtool.gaa"
+#line 126 "certtool.gaa"
        char *outfile;
-#line 120 "certtool.gaa"
+#line 123 "certtool.gaa"
        int quick_random;
+#line 120 "certtool.gaa"
+       char* sec_param;
 #line 117 "certtool.gaa"
        int bits;
 #line 113 "certtool.gaa"
index b646453c50b4ca40836fdacdd2f6a851cf0d30be..e2f5f4c280db3b019403dda4352592087c8c27a5 100644 (file)
@@ -166,6 +166,33 @@ print_rsa_pkey (gnutls_datum_t * m, gnutls_datum_t * e, gnutls_datum_t * d,
     }
 }
 
+static gnutls_sec_param_t str_to_sec_param(const char* str)
+{
+  if (strcasecmp(str, "low")==0)
+    {
+      return GNUTLS_SEC_PARAM_LOW;
+    }
+  else if (strcasecmp(str, "normal")==0)
+    {
+      return GNUTLS_SEC_PARAM_NORMAL;
+    }
+  else if (strcasecmp(str, "high")==0)
+    {
+      return GNUTLS_SEC_PARAM_HIGH;
+    }
+  else if (strcasecmp(str, "ultra")==0)
+    {
+      return GNUTLS_SEC_PARAM_ULTRA;
+    }
+  else
+    {
+      fprintf(stderr, "Unknown security parameter string: %s\n", str);
+      exit(1);
+    }
+
+}
+
+
 static gnutls_x509_privkey_t
 generate_private_key_int (void)
 {
@@ -183,6 +210,19 @@ generate_private_key_int (void)
   if (ret < 0)
     error (EXIT_FAILURE, 0, "privkey_init: %s", gnutls_strerror (ret));
 
+  if (info.bits != 0)
+    {
+      fprintf(stderr, "** Note: Please use the --sec-param instead of --bits\n");
+    }
+  else
+    {
+      if (info.sec_param)
+        {
+          info.bits = gnutls_sec_param_to_pk_bits(key_type, str_to_sec_param(info.sec_param));
+        }
+      else info.bits = gnutls_sec_param_to_pk_bits(key_type, GNUTLS_SEC_PARAM_NORMAL);
+    }
+
   fprintf (stderr, "Generating a %d bit %s private key...\n", info.bits,
           gnutls_pk_algorithm_get_name (key_type));
 
index 9a835ad3ab427fb11cf797e95b23f35749d73cb4..9b778645eae00cdc00ac35d1404c7f4242e2a2cc 100644 (file)
@@ -117,6 +117,9 @@ option (outraw) { $outcert_format=1 } "Use RAW/DER format for output certificate
 #int bits;
 option (bits) INT "BITS" { $bits = $1 } "specify the number of bits for key generation."
 
+#char* sec_param;
+option (sec-param) STR "PARAM" { $sec_param = $1 } "specify the security level [low|normal|high|ultra]."
+
 #int quick_random;
 option (disable-quick-random) { $quick_random = 0; } "Use /dev/random for key generationg, thus increasing the quality of randomness used."
 
@@ -160,10 +163,10 @@ option (h, help) { gaa_help(); exit(0); } "shows this help text"
 
 option (v, version) { certtool_version(); exit(0); } "shows the program's version"
 
-init { $bits = 2048; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL; 
+init { $bits = 0; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
        $debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert = NULL; 
        $incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL; $v1_cert = 0;
        $export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=1; 
        $privkey_op = 0; $pkcs_cipher = "3des"; $crq_extensions=1; $pkcs11_provider= NULL;
        $pkcs11_url = NULL; $pkcs11_type = PKCS11_TYPE_PK; $pubkey=NULL; $pkcs11_label = NULL; 
-       $pkcs11_trusted=0; }
+       $pkcs11_trusted=0; $sec_param = NULL; }