Blob Blame History Raw
/*
 * Copyright (C) 2004-2014 Free Software Foundation, Inc.
 * Copyright (C) 2013,2014 Nikos Mavrogiannopoulos
 *
 * This file is part of GnuTLS.
 *
 * GnuTLS is free software: you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * GnuTLS is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see
 * <https://www.gnu.org/licenses/>.
 *
 * Written by Nikos Mavrogiannopoulos <nmav@gnutls.org>.
 */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <certtool-cfg.h>
#include <gnutls/x509.h>
#include <gnutls/x509-ext.h>
#include <string.h>
#include <limits.h>
#include <time.h>
#include <timespec.h>
#include <parse-datetime.h>
#include <autoopts/options.h>
#include <intprops.h>
#include <gnutls/crypto.h>
#include <libtasn1.h>

/* for inet_pton */
#include <sys/types.h>

#if HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#elif HAVE_WS2TCPIP_H
#include <ws2tcpip.h>
#endif

/* From gnulib for inet_pton() */
#include <arpa/inet.h>

/* Gnulib portability files. */
#include <getpass.h>
#include "certtool-common.h"

/* to print uint64_t */
# define __STDC_FORMAT_MACROS
# include <inttypes.h>

extern int batch;
extern int ask_pass;

#define MAX_ENTRIES 128
#define MAX_POLICIES 8

#define CHECK_MALLOC(x) \
	if (x == NULL) { \
		fprintf(stderr, "memory error\n"); \
		exit(1); \
	}

#define PRINT_TIME_T_ERROR \
	if (sizeof(time_t) < 8) \
		fprintf(stderr, "This system expresses time with a 32-bit time_t; that prevents dates after 2038 to be expressed by GnuTLS.\n")

enum option_types { OPTION_NUMERIC, OPTION_STRING, OPTION_BOOLEAN, OPTION_MULTI_LINE };

struct cfg_options {
	const char *name;
	unsigned type;

	/* used when parsing */
	unsigned found;
};

static struct cfg_options available_options[] = {
	{ .name = "unit", .type = OPTION_MULTI_LINE },
	{ .name = "ou", .type = OPTION_MULTI_LINE },
	{ .name = "organization", .type = OPTION_MULTI_LINE },
	{ .name = "o", .type = OPTION_MULTI_LINE },
	{ .name = "dc", .type = OPTION_MULTI_LINE },
	{ .name = "dns_name", .type = OPTION_MULTI_LINE },
	{ .name = "ip_address", .type = OPTION_MULTI_LINE },
	{ .name = "email", .type = OPTION_MULTI_LINE },
	{ .name = "krb5_principal", .type = OPTION_MULTI_LINE },
	{ .name = "other_name", .type = OPTION_MULTI_LINE },
	{ .name = "other_name_utf8", .type = OPTION_MULTI_LINE },
	{ .name = "other_name_octet", .type = OPTION_MULTI_LINE },
	{ .name = "xmpp_name", .type = OPTION_MULTI_LINE },
	{ .name = "key_purpose_oid", .type = OPTION_MULTI_LINE },
	{ .name = "nc_exclude_dns", .type = OPTION_MULTI_LINE },
	{ .name = "nc_exclude_ip", .type = OPTION_MULTI_LINE },
	{ .name = "nc_exclude_email", .type = OPTION_MULTI_LINE },
	{ .name = "nc_permit_dns", .type = OPTION_MULTI_LINE },
	{ .name = "nc_permit_ip", .type = OPTION_MULTI_LINE },
	{ .name = "nc_permit_email", .type = OPTION_MULTI_LINE },
	{ .name = "dn_oid", .type = OPTION_MULTI_LINE },
	{ .name = "add_extension", .type = OPTION_MULTI_LINE },
	{ .name = "add_critical_extension", .type = OPTION_MULTI_LINE },
	{ .name = "crl_dist_points", .type = OPTION_MULTI_LINE },
	{ .name = "uri", .type = OPTION_MULTI_LINE },
	{ .name = "ocsp_uri", .type = OPTION_MULTI_LINE },
	{ .name = "ca_issuers_uri", .type = OPTION_MULTI_LINE },
	{ .name = "locality", .type = OPTION_STRING },
	{ .name = "state", .type = OPTION_STRING },
	{ .name = "dn", .type = OPTION_STRING },
	{ .name = "cn", .type = OPTION_STRING },
	{ .name = "uid", .type = OPTION_STRING },
	{ .name = "subject_unique_id", .type = OPTION_STRING },
	{ .name = "issuer_unique_id", .type = OPTION_STRING },
	{ .name = "challenge_password", .type = OPTION_STRING },
	{ .name = "password", .type = OPTION_STRING },
	{ .name = "pkcs9_email", .type = OPTION_STRING },
	{ .name = "country", .type = OPTION_STRING },
	{ .name = "expiration_date", .type = OPTION_STRING },
	{ .name = "activation_date", .type = OPTION_STRING },
	{ .name = "crl_revocation_date", .type = OPTION_STRING },
	{ .name = "crl_this_update_date", .type = OPTION_STRING },
	{ .name = "crl_next_update_date", .type = OPTION_STRING },
	{ .name = "policy*", .type = OPTION_MULTI_LINE }, /* not a multi-line but there are multi as it is a wildcard */
	{ .name = "inhibit_anypolicy_skip_certs", .type = OPTION_NUMERIC },
	{ .name = "pkcs12_key_name", .type = OPTION_STRING },
	{ .name = "proxy_policy_language", .type = OPTION_STRING },
	{ .name = "serial", .type = OPTION_STRING },
	{ .name = "expiration_days", .type = OPTION_NUMERIC },
	{ .name = "crl_next_update", .type = OPTION_NUMERIC },
	{ .name = "crl_number", .type = OPTION_STRING },
	{ .name = "path_len", .type = OPTION_NUMERIC },
	{ .name = "ca", .type = OPTION_BOOLEAN },
	{ .name = "honor_crq_extensions", .type = OPTION_BOOLEAN },
	{ .name = "honor_crq_ext", .type = OPTION_MULTI_LINE },
	{ .name = "tls_www_client", .type = OPTION_BOOLEAN },
	{ .name = "tls_www_server", .type = OPTION_BOOLEAN },
	{ .name = "signing_key", .type = OPTION_BOOLEAN },
	{ .name = "encryption_key", .type = OPTION_BOOLEAN },
	{ .name = "cert_signing_key", .type = OPTION_BOOLEAN },
	{ .name = "crl_signing_key", .type = OPTION_BOOLEAN },
	{ .name = "code_signing_key", .type = OPTION_BOOLEAN },
	{ .name = "ocsp_signing_key", .type = OPTION_BOOLEAN },
	{ .name = "time_stamping_key", .type = OPTION_BOOLEAN },
	{ .name = "email_protection_key", .type = OPTION_BOOLEAN },
	{ .name = "ipsec_ike_key", .type = OPTION_BOOLEAN },
	{ .name = "key_agreement", .type = OPTION_BOOLEAN },
	{ .name = "data_encipherment", .type = OPTION_BOOLEAN },
	{ .name = "non_repudiation", .type = OPTION_BOOLEAN },
	{ .name = "tls_feature", .type = OPTION_MULTI_LINE },
};

typedef struct _cfg_ctx {
	char **organization;
	char **unit;
	char *locality;
	char *state;
	char *dn;
	char *cn;
	char *uid;
	uint8_t *subject_unique_id;
	unsigned subject_unique_id_size;
	uint8_t *issuer_unique_id;
	unsigned issuer_unique_id_size;
	char *challenge_password;
	char *pkcs9_email;
	char *country;
	char *policy_oid[MAX_POLICIES];
	char *policy_txt[MAX_POLICIES];
	char *policy_url[MAX_POLICIES];
	char **dc;
	char **dns_name;
	char **uri;
	char **ip_addr;
	char **email;
	char **krb5_principal;
	char **other_name;
	char **other_name_utf8;
	char **other_name_octet;
	char **xmpp_name;
	char **dn_oid;
	char **extensions;
	char **crit_extensions;
	char **permitted_nc_ip;
	char **excluded_nc_ip;
	char **permitted_nc_dns;
	char **excluded_nc_dns;
	char **permitted_nc_email;
	char **excluded_nc_email;
	char **crl_dist_points;
	char *password;
	char *pkcs12_key_name;
	char *expiration_date;
	char *activation_date;
	char *revocation_date;
	char *this_update_date;
	char *next_update_date;
	uint8_t *serial;
	unsigned serial_size;
	int expiration_days;
	int skip_certs; /* from inhibit anypolicy */
	int ca;
	int path_len;
	int tls_www_client;
	int tls_www_server;
	int signing_key;
	int encryption_key;
	int cert_sign_key;
	int crl_sign_key;
	int non_repudiation;
	int data_encipherment;
	int key_agreement;
	int code_sign_key;
	int ocsp_sign_key;
	int time_stamping_key;
	int email_protection_key;
	int ipsec_ike_key;
	char **key_purpose_oids;
	int crl_next_update;
	uint8_t *crl_number;
	unsigned crl_number_size;
	int honor_crq_extensions;
	char *proxy_policy_language;
	char **exts_to_honor;
	char **ocsp_uris;
	char **ca_issuers_uris;
	char **tls_features;
} cfg_ctx;

cfg_ctx cfg;

void cfg_init(void)
{
	memset(&cfg, 0, sizeof(cfg));
	cfg.path_len = -1;
	cfg.skip_certs = -1;
}

#define READ_MULTI_LINE(name, s_name) \
  val = optionGetValue(pov, name); \
  if (val != NULL && val->valType == OPARG_TYPE_STRING) \
  { \
    if (s_name == NULL) { \
      i = 0; \
      s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
      CHECK_MALLOC(s_name); \
      do { \
	if (val && strcmp(val->pzName, name)!=0) \
	  continue; \
	s_name[i] = strdup(val->v.strVal); \
	i++; \
	  if (i>=MAX_ENTRIES) \
	    break; \
      } while((val = optionNextValue(pov, val)) != NULL); \
      s_name[i] = NULL; \
    } \
  }

#define READ_MULTI_LINE_TOKENIZED(name, s_name) \
  val = optionGetValue(pov, name); \
  if (val != NULL && val->valType == OPARG_TYPE_STRING) \
  { \
    char *str; \
    char *p; \
    if (s_name == NULL) { \
      i = 0; \
      s_name = malloc(sizeof(char*)*MAX_ENTRIES); \
      CHECK_MALLOC(s_name); \
      do { \
	if (val && strcmp(val->pzName, name)!=0) \
	  continue; \
	str = strdup(val->v.strVal); \
	CHECK_MALLOC(str); \
	if ((p=strchr(str, ' ')) == NULL && (p=strchr(str, '\t')) == NULL) { \
	  fprintf(stderr, "Error parsing %s\n", name); \
	  exit(1); \
	} \
	p[0] = 0; \
	p++; \
	s_name[i] = strdup(str); \
	while(*p==' ' || *p == '\t') p++; \
	if (p[0] == 0) { \
	  fprintf(stderr, "Error (2) parsing %s\n", name); \
	  exit(1); \
	} \
	s_name[i+1] = strdup(p); \
	i+=2; \
	free(str); \
	if (i>=MAX_ENTRIES) \
	  break; \
      } while((val = optionNextValue(pov, val)) != NULL); \
      s_name[i] = NULL; \
    } \
  }

#define READ_BOOLEAN(name, s_name) \
  val = optionGetValue(pov, name); \
  if (val != NULL) \
    { \
      s_name = 1; \
    }

/* READ_NUMERIC only returns a long */
#define READ_NUMERIC(name, s_name) \
  val = optionGetValue(pov, name); \
  if (val != NULL) \
    { \
      if (val->valType == OPARG_TYPE_NUMERIC) \
	s_name = val->v.longVal; \
      else if (val->valType == OPARG_TYPE_STRING) \
	s_name = strtol(val->v.strVal, NULL, 10); \
    }

#define HEX_DECODE(hex, output, output_size) \
	{ \
		gnutls_datum_t _input = {(void*)hex, strlen(hex)}; \
		gnutls_datum_t _output; \
		ret = gnutls_hex_decode2(&_input, &_output); \
		if (ret < 0) { \
			fprintf(stderr, "error in hex ID: %s\n", hex); \
			exit(1); \
		} \
		output = _output.data; \
		output_size = _output.size; \
	}

#define SERIAL_DECODE(input, output, output_size) \
	{ \
		gnutls_datum_t _output; \
		ret = serial_decode(input, &_output); \
		if (ret < 0) { \
			fprintf(stderr, "error parsing number: %s\n", input); \
			exit(1); \
		} \
		output = _output.data; \
		output_size = _output.size; \
	}


static int handle_option(const tOptionValue* val)
{
unsigned j;
unsigned len, cmp;

	for (j=0;j<sizeof(available_options)/sizeof(available_options[0]);j++) {
		len = strlen(available_options[j].name);
		if (len > 2 && available_options[j].name[len-1] == '*')
			cmp = strncasecmp(val->pzName, available_options[j].name, len-1);
		else
			cmp = strcasecmp(val->pzName, available_options[j].name);

		if (cmp == 0) {
			if (available_options[j].type != OPTION_MULTI_LINE &&
			    available_options[j].found != 0) {
			    fprintf(stderr, "Warning: multiple options found for '%s'; only the first will be taken into account.\n", available_options[j].name);
			}
			available_options[j].found = 1;
			return 1;
		}
	}

	return 0;
}

int template_parse(const char *template)
{
	/* Parsing return code */
	unsigned int i;
	int ret;
	tOptionValue const *pov;
	const tOptionValue *val, *prev;
	char tmpstr[256];

	pov = configFileLoad(template);
	if (pov == NULL) {
		perror("configFileLoad");
		fprintf(stderr, "Error loading template: %s\n", template);
		exit(1);
	}

	val = optionGetValue(pov, NULL);
	while (val != NULL) {
		if (handle_option(val) == 0) {
			fprintf(stderr, "Warning: skipping unknown option '%s'\n", val->pzName);
		}
		prev = val;
		val = optionNextValue(pov, prev);
	}

	/* Option variables */
	READ_MULTI_LINE("unit", cfg.unit);
	if (cfg.unit == NULL) {
		READ_MULTI_LINE("ou", cfg.unit);
	}

	READ_MULTI_LINE("organization", cfg.organization);
	if (cfg.organization == NULL) {
		READ_MULTI_LINE("o", cfg.organization);
	}

	val = optionGetValue(pov, "locality");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.locality = strdup(val->v.strVal);

	val = optionGetValue(pov, "state");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.state = strdup(val->v.strVal);

	val = optionGetValue(pov, "dn");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.dn = strdup(val->v.strVal);

	val = optionGetValue(pov, "cn");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.cn = strdup(val->v.strVal);

	val = optionGetValue(pov, "uid");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.uid = strdup(val->v.strVal);

	val = optionGetValue(pov, "issuer_unique_id");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		HEX_DECODE(val->v.strVal, cfg.issuer_unique_id, cfg.issuer_unique_id_size);

	val = optionGetValue(pov, "subject_unique_id");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		HEX_DECODE(val->v.strVal, cfg.subject_unique_id, cfg.subject_unique_id_size);

	val = optionGetValue(pov, "challenge_password");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.challenge_password = strdup(val->v.strVal);

	val = optionGetValue(pov, "password");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.password = strdup(val->v.strVal);

	val = optionGetValue(pov, "pkcs9_email");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.pkcs9_email = strdup(val->v.strVal);

	val = optionGetValue(pov, "country");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.country = strdup(val->v.strVal);

	val = optionGetValue(pov, "expiration_date");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.expiration_date = strdup(val->v.strVal);

	val = optionGetValue(pov, "activation_date");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.activation_date = strdup(val->v.strVal);

	val = optionGetValue(pov, "crl_revocation_date");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.revocation_date = strdup(val->v.strVal);

	val = optionGetValue(pov, "crl_this_update_date");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.this_update_date = strdup(val->v.strVal);

	val = optionGetValue(pov, "crl_next_update_date");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.next_update_date = strdup(val->v.strVal);

	READ_NUMERIC("inhibit_anypolicy_skip_certs", cfg.skip_certs);

	for (i = 0; i < MAX_POLICIES; i++) {
		snprintf(tmpstr, sizeof(tmpstr), "policy%d", i + 1);
		val = optionGetValue(pov, tmpstr);
		if (val != NULL && val->valType == OPARG_TYPE_STRING)
			cfg.policy_oid[i] = strdup(val->v.strVal);

		if (cfg.policy_oid[i] != NULL) {
			snprintf(tmpstr, sizeof(tmpstr), "policy%d_url",
				 i + 1);
			val = optionGetValue(pov, tmpstr);
			if (val != NULL
			    && val->valType == OPARG_TYPE_STRING)
				cfg.policy_url[i] = strdup(val->v.strVal);

			snprintf(tmpstr, sizeof(tmpstr), "policy%d_txt",
				 i + 1);
			val = optionGetValue(pov, tmpstr);
			if (val != NULL
			    && val->valType == OPARG_TYPE_STRING) {
				cfg.policy_txt[i] = strdup(val->v.strVal);
			}
		}
	}

	READ_MULTI_LINE("dc", cfg.dc);
	READ_MULTI_LINE("dns_name", cfg.dns_name);
	READ_MULTI_LINE("uri", cfg.uri);
	READ_MULTI_LINE("krb5_principal", cfg.krb5_principal);
	READ_MULTI_LINE_TOKENIZED("other_name", cfg.other_name);
	READ_MULTI_LINE_TOKENIZED("other_name_octet", cfg.other_name_octet);
	READ_MULTI_LINE_TOKENIZED("other_name_utf8", cfg.other_name_utf8);

	READ_MULTI_LINE("xmpp_name", cfg.xmpp_name);
	READ_MULTI_LINE("ip_address", cfg.ip_addr);
	READ_MULTI_LINE("email", cfg.email);
	READ_MULTI_LINE("key_purpose_oid", cfg.key_purpose_oids);

	READ_MULTI_LINE("nc_exclude_ip", cfg.excluded_nc_ip);
	READ_MULTI_LINE("nc_exclude_dns", cfg.excluded_nc_dns);
	READ_MULTI_LINE("nc_exclude_email", cfg.excluded_nc_email);
	READ_MULTI_LINE("nc_permit_ip", cfg.permitted_nc_ip);
	READ_MULTI_LINE("nc_permit_dns", cfg.permitted_nc_dns);
	READ_MULTI_LINE("nc_permit_email", cfg.permitted_nc_email);

	READ_MULTI_LINE_TOKENIZED("dn_oid", cfg.dn_oid);

	READ_MULTI_LINE_TOKENIZED("add_extension", cfg.extensions);
	READ_MULTI_LINE_TOKENIZED("add_critical_extension", cfg.crit_extensions);

	READ_MULTI_LINE("crl_dist_points", cfg.crl_dist_points);

	val = optionGetValue(pov, "pkcs12_key_name");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.pkcs12_key_name = strdup(val->v.strVal);


	val = optionGetValue(pov, "serial");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		SERIAL_DECODE(val->v.strVal, cfg.serial, cfg.serial_size);

	READ_NUMERIC("expiration_days", cfg.expiration_days);
	READ_NUMERIC("crl_next_update", cfg.crl_next_update);

	val = optionGetValue(pov, "crl_number");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		SERIAL_DECODE(val->v.strVal, cfg.crl_number, cfg.crl_number_size);

	READ_NUMERIC("path_len", cfg.path_len);

	val = optionGetValue(pov, "proxy_policy_language");
	if (val != NULL && val->valType == OPARG_TYPE_STRING)
		cfg.proxy_policy_language = strdup(val->v.strVal);

	READ_MULTI_LINE("ocsp_uri", cfg.ocsp_uris);
	READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);

	READ_BOOLEAN("ca", cfg.ca);
	READ_BOOLEAN("honor_crq_extensions", cfg.honor_crq_extensions);
	READ_MULTI_LINE("honor_crq_ext", cfg.exts_to_honor);

	READ_BOOLEAN("tls_www_client", cfg.tls_www_client);
	READ_BOOLEAN("tls_www_server", cfg.tls_www_server);
	READ_BOOLEAN("signing_key", cfg.signing_key);
	READ_BOOLEAN("encryption_key", cfg.encryption_key);
	READ_BOOLEAN("cert_signing_key", cfg.cert_sign_key);
	READ_BOOLEAN("crl_signing_key", cfg.crl_sign_key);
	READ_BOOLEAN("code_signing_key", cfg.code_sign_key);
	READ_BOOLEAN("ocsp_signing_key", cfg.ocsp_sign_key);
	READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
	READ_BOOLEAN("email_protection_key", cfg.email_protection_key);
	READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);

	READ_BOOLEAN("data_encipherment", cfg.data_encipherment);
	READ_BOOLEAN("key_agreement", cfg.key_agreement);
	READ_BOOLEAN("non_repudiation", cfg.non_repudiation);

	READ_MULTI_LINE("tls_feature", cfg.tls_features);

	optionUnloadNested(pov);

	return 0;
}

#define IS_NEWLINE(x) ((x[0] == '\n') || (x[0] == '\r'))
#define MAX_INPUT_SIZE 512

static size_t strip_nl(char *str, size_t str_size)
{
	if ((str_size > 0) && (str[str_size - 1] == '\n')) {
		str_size--;
		str[str_size] = 0;
	}
	if ((str_size > 0) && (str[str_size - 1] == '\r')) {
		str_size--;
		str[str_size] = 0;
	}
	return str_size;
}

static int copystr_without_nl(char *out, size_t out_size, const char *in, size_t in_size)
{
	if (in_size+1 >= out_size) {
		fprintf(stderr, "Too long line to parse in interactive mode; please use templates.\n");
		exit(1);
	}
	memcpy(out, in, in_size+1); /* copy terminating null */
	strip_nl(out, in_size);
	return 0;
}

void
read_crt_set(gnutls_x509_crt_t crt, const char *input_str, const char *oid)
{
	ssize_t ret;
	char *lineptr = NULL;
	size_t linesize = 0;

	fputs(input_str, stderr);
	ret = getline(&lineptr, &linesize, stdin);
	if (ret == -1)
		return;

	if (IS_NEWLINE(lineptr)) {
		free(lineptr);
		return;
	}

	linesize = strip_nl(lineptr, ret);

	ret =
	    gnutls_x509_crt_set_dn_by_oid(crt, oid, 0, lineptr,
					  linesize);
	if (ret < 0) {
		fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	free(lineptr);
}

void
read_crq_set(gnutls_x509_crq_t crq, const char *input_str, const char *oid)
{
	ssize_t ret;
	char *lineptr = NULL;
	size_t linesize = 0;

	fputs(input_str, stderr);
	ret = getline(&lineptr, &linesize, stdin);
	if (ret == -1)
		return;

	if (IS_NEWLINE(lineptr)) {
		free(lineptr);
		return;
	}

	linesize = strip_nl(lineptr, ret);

	ret =
	    gnutls_x509_crq_set_dn_by_oid(crq, oid, 0, lineptr,
					  linesize);
	if (ret < 0) {
		fprintf(stderr, "set_dn: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	free(lineptr);
}

/* The input_str should contain %d or %u to print the default.
 */
static int64_t read_int_with_default(const char *input_str, long def)
{
	char *endptr;
	int64_t l;
	static char input[MAX_INPUT_SIZE];

	fprintf(stderr, input_str, def);
	if (fgets(input, sizeof(input), stdin) == NULL)
		return def;

	if (IS_NEWLINE(input))
		return def;

#if SIZEOF_LONG < 8
	l = strtoll(input, &endptr, 0);

	if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n') {
		fprintf(stderr, "Trailing garbage ignored: `%s'\n",
			endptr);
		return 0;
	} else {
		*endptr = 0;
	}

	if (l <= LLONG_MIN || l >= LLONG_MAX) {
		fprintf(stderr, "Integer out of range: `%s' (max: %llu)\n", input, LLONG_MAX-1);
		return 0;
	}
#else
	l = strtol(input, &endptr, 0);

	if (*endptr != '\0' && *endptr != '\r' && *endptr != '\n') {
		fprintf(stderr, "Trailing garbage ignored: `%s'\n",
			endptr);
		return 0;
	} else {
		*endptr = 0;
	}

	if (l <= LONG_MIN || l >= LONG_MAX) {
		fprintf(stderr, "Integer out of range: `%s' (max: %lu)\n", input, LONG_MAX-1);
		return 0;
	}
#endif



	if (input == endptr)
		l = def;

	return l;
}

int64_t read_int(const char *input_str)
{
	return read_int_with_default(input_str, 0);
}

int serial_decode(const char *input, gnutls_datum_t *output)
{
	int i;
	int64_t value;
	char *endptr;
	int64_t value_limit;
	gnutls_datum_t input_datum;

	if (input[0] == '0' && input[1] == 'x') {
		input_datum.data = (void *) (input + 2);
		input_datum.size = strlen(input + 2);
		if (input_datum.size == 0) {
			return GNUTLS_E_PARSING_ERROR;
		}
		return gnutls_hex_decode2(&input_datum, output);
	}

#if SIZEOF_LONG < 8
	value = strtol(input, &endptr, 10);
	value_limit = LONG_MAX;
#else
	value = strtoll(input, &endptr, 10);
	value_limit = LLONG_MAX;
#endif

	if (*endptr != '\0') {
		fprintf(stderr, "Trailing garbage: `%s'\n", endptr);
		return GNUTLS_E_PARSING_ERROR;
	}

	if (value <= 0 || value >= value_limit) {
		fprintf(stderr, "Integer out of range: `%s' (min: 1, max: %"PRId64")\n", input, value_limit-1);
		return GNUTLS_E_PARSING_ERROR;
	}

	output->size = sizeof(int64_t);
	output->data = gnutls_malloc(output->size);
	if (output->data == NULL) {
		output->size = 0;
		return GNUTLS_E_MEMORY_ERROR;
	}

	for (i = output->size - 1; i >= 0; i--) {
		output->data[i] = value & 0xff;
		value = value >> 8;
	}

	return 0;
}

const char *read_str(const char *input_str)
{
	static char input[MAX_INPUT_SIZE];
	ssize_t ret;
	char *lineptr = NULL;
	size_t linesize = 0;

	fputs(input_str, stderr);
	ret = getline(&lineptr, &linesize, stdin);
	if (ret == -1)
		return NULL;

	ret = copystr_without_nl(input, sizeof(input), lineptr, ret);
	free(lineptr);
	if (ret < 0)
		return NULL;

	if (IS_NEWLINE(input))
		return NULL;

	if (input[0] == 0)
		return NULL;

	return input;
}

/* Default is:
 * def: 0 -> no
 * def: 1 -> yes
 */
int read_yesno(const char *input_str, int def)
{
	char input[MAX_INPUT_SIZE];

      restart:
	fputs(input_str, stderr);
	if (fgets(input, sizeof(input), stdin) == NULL)
		return def;

	if (IS_NEWLINE(input))
		return def;

	if (input[0] == 'y' || input[0] == 'Y')
		return 1;
	else if (input[0] == 'n' || input[0] == 'N')
		return 0;
	else
		goto restart;
}


/* Wrapper functions for non-interactive mode.
 */
const char *get_pass(void)
{
	if (batch && !ask_pass)
		return cfg.password;
	else
		return getpass("Enter password: ");
}

const char *get_confirmed_pass(bool empty_ok)
{
	if (batch && !ask_pass)
		return cfg.password;
	else {
		const char *pass = NULL;
		char *copy = NULL;

		do {
			if (pass)
				fprintf(stderr,
					"Password mismatch, try again.\n");

			free(copy);

			pass = getpass("Enter password: ");
			copy = strdup(pass);
			pass = getpass("Confirm password: ");
		}
		while (strcmp(pass, copy) != 0
		       && !(empty_ok && *pass == '\0'));

		free(copy);

		return pass;
	}
}

const char *get_challenge_pass(void)
{
	if (batch && !ask_pass)
		return cfg.challenge_password;
	else
		return getpass("Enter a challenge password: ");
}

void get_crl_dist_point_set(gnutls_x509_crt_t crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.crl_dist_points)
			return;

		for (i = 0; cfg.crl_dist_points[i] != NULL; i++) {
			ret =
			    gnutls_x509_crt_set_crl_dist_points
			    (crt, GNUTLS_SAN_URI, cfg.crl_dist_points[i],
			     0);
			if (ret < 0)
				break;
		}
	} else {
		const char *p;
		unsigned int counter = 0;

		do {
			if (counter == 0) {
				p = read_str
				    ("Enter the URI of the CRL distribution point: ");
			} else {
				p = read_str
				    ("Enter an additional URI of the CRL distribution point: ");
			}
			if (!p)
				return;

			ret = gnutls_x509_crt_set_crl_dist_points
			    (crt, GNUTLS_SAN_URI, p, 0);
			if (ret < 0)
				break;

			counter++;
		}
		while (p);
	}

	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_set_crl_dist_points: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
}

void get_country_crt_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (!cfg.country)
			return;
		ret =
		    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_X520_COUNTRY_NAME,
						  0, cfg.country,
						  strlen(cfg.country));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crt_set(crt, "Country name (2 chars): ",
			     GNUTLS_OID_X520_COUNTRY_NAME);
	}

}

void get_organization_crt_set(gnutls_x509_crt_t crt)
{
	int ret;
	unsigned i;

	if (batch) {
		if (!cfg.organization)
			return;

		for (i = 0; cfg.organization[i] != NULL; i++) {
			ret =
			    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_X520_ORGANIZATION_NAME,
						  0, cfg.organization[i],
						  strlen(cfg.organization[i]));
			if (ret < 0) {
				fprintf(stderr, "set_dn: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	} else {
		read_crt_set(crt, "Organization name: ",
			     GNUTLS_OID_X520_ORGANIZATION_NAME);
	}

}

void get_unit_crt_set(gnutls_x509_crt_t crt)
{
	int ret;
	unsigned i;

	if (batch) {
		if (!cfg.unit)
			return;

		for (i = 0; cfg.unit[i] != NULL; i++) {
			ret =
			    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
						  0, cfg.unit[i],
						  strlen(cfg.unit[i]));
			if (ret < 0) {
				fprintf(stderr, "set_dn: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	} else {
		read_crt_set(crt, "Organizational unit name: ",
			     GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
	}

}

void get_state_crt_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (!cfg.state)
			return;
		ret =
		    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
						  0, cfg.state,
						  strlen(cfg.state));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crt_set(crt, "State or province name: ",
			     GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
	}

}

void get_locality_crt_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (!cfg.locality)
			return;
		ret =
		    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_X520_LOCALITY_NAME,
						  0, cfg.locality,
						  strlen(cfg.locality));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crt_set(crt, "Locality name: ",
			     GNUTLS_OID_X520_LOCALITY_NAME);
	}

}

void get_cn_crt_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (!cfg.cn)
			return;
		ret =
		    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_X520_COMMON_NAME,
						  0, cfg.cn,
						  strlen(cfg.cn));
		if (ret < 0) {
			fprintf(stderr, "set_dn_by_oid: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crt_set(crt, "Common name: ",
			     GNUTLS_OID_X520_COMMON_NAME);
	}

}

void get_dn_crt_set(gnutls_x509_crt_t crt)
{
	int ret;
	const char *err;

	if (batch) {
		if (!cfg.dn)
			return;
		ret = gnutls_x509_crt_set_dn(crt, cfg.dn, &err);
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s at: %s\n",
				gnutls_strerror(ret), err);
			exit(1);
		}
	}
}

void crt_constraints_set(gnutls_x509_crt_t crt)
{
	int ret;
	unsigned i;
	gnutls_x509_name_constraints_t nc;
	gnutls_datum_t name;

	if (batch) {
		if (cfg.permitted_nc_dns == NULL && cfg.permitted_nc_email == NULL &&
			cfg.excluded_nc_dns == NULL && cfg.excluded_nc_email == NULL &&
			cfg.permitted_nc_ip == NULL && cfg.excluded_nc_ip == NULL)
			return; /* nothing to do */

		ret = gnutls_x509_name_constraints_init(&nc);
		if (ret < 0) {
			fprintf(stderr, "nc_init: %s\n", gnutls_strerror(ret));
			exit(1);
		}

		if (cfg.permitted_nc_ip) {
			for (i = 0; cfg.permitted_nc_ip[i] != NULL; i++) {
				ret = gnutls_x509_cidr_to_rfc5280(cfg.permitted_nc_ip[i], &name);
				if (ret < 0) {
					fprintf(stderr, "error parsing IP constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
				ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_IPADDRESS, &name);
				if (ret < 0) {
					fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
				free(name.data);
			}
		}

		if (cfg.excluded_nc_ip) {
			for (i = 0; cfg.excluded_nc_ip[i] != NULL; i++) {
				ret = gnutls_x509_cidr_to_rfc5280(cfg.excluded_nc_ip[i], &name);
				if (ret < 0) {
					fprintf(stderr, "error parsing IP constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
				ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_IPADDRESS, &name);
				if (ret < 0) {
					fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
				free(name.data);
			}
		}

		if (cfg.permitted_nc_dns) {

			for (i = 0; cfg.permitted_nc_dns[i] != NULL; i++) {

				name.data = (void*)cfg.permitted_nc_dns[i];
				name.size = strlen((char*)name.data);
				ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME, &name);
				if (ret < 0) {
					fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
			}
		}


		if (cfg.excluded_nc_dns) {
			for (i = 0; cfg.excluded_nc_dns[i] != NULL; i++) {
				name.data = (void*)cfg.excluded_nc_dns[i];
				name.size = strlen((char*)name.data);
				ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME, &name);
				if (ret < 0) {
					fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
			}
		}

		if (cfg.permitted_nc_email) {
			for (i = 0; cfg.permitted_nc_email[i] != NULL; i++) {
				name.data = (void*)cfg.permitted_nc_email[i];
				name.size = strlen((char*)name.data);
				ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME, &name);
				if (ret < 0) {
					fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
			}
		}

		if (cfg.excluded_nc_email) {
			for (i = 0; cfg.excluded_nc_email[i] != NULL; i++) {
				name.data = (void*)cfg.excluded_nc_email[i];
				name.size = strlen((char*)name.data);
				ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_RFC822NAME, &name);
				if (ret < 0) {
					fprintf(stderr, "error adding constraint: %s\n", gnutls_strerror(ret));
					exit(1);
				}
			}
		}

		ret = gnutls_x509_crt_set_name_constraints(crt, nc, 1);
		if (ret < 0) {
			fprintf(stderr, "error setting constraints: %s\n", gnutls_strerror(ret));
			exit(1);
		}

		gnutls_x509_name_constraints_deinit(nc);
	}
}

void crt_unique_ids_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (cfg.subject_unique_id == NULL && cfg.issuer_unique_id == NULL)
			return; /* nothing to do */

		if (cfg.subject_unique_id) {
			ret = gnutls_x509_crt_set_subject_unique_id(crt, cfg.subject_unique_id, cfg.subject_unique_id_size);
			if (ret < 0) {
				fprintf(stderr, "error setting subject unique ID: %s\n", gnutls_strerror(ret));
				exit(1);
			}
		}

		if (cfg.issuer_unique_id) {
			ret = gnutls_x509_crt_set_issuer_unique_id(crt, cfg.issuer_unique_id, cfg.issuer_unique_id_size);
			if (ret < 0) {
				fprintf(stderr, "error setting issuer unique ID: %s\n", gnutls_strerror(ret));
				exit(1);
			}
		}
	}
}

void get_uid_crt_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (!cfg.uid)
			return;
		ret =
		    gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_LDAP_UID,
						  0, cfg.uid,
						  strlen(cfg.uid));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crt_set(crt, "UID: ", GNUTLS_OID_LDAP_UID);
	}

}

void get_oid_crt_set(gnutls_x509_crt_t crt)
{
	int ret, i;

	if (batch) {
		if (!cfg.dn_oid)
			return;
		for (i = 0; cfg.dn_oid[i] != NULL; i += 2) {
			if (cfg.dn_oid[i + 1] == NULL) {
				fprintf(stderr,
					"dn_oid: %s does not have an argument.\n",
					cfg.dn_oid[i]);
				exit(1);
			}
			ret =
			    gnutls_x509_crt_set_dn_by_oid(crt,
							  cfg.dn_oid[i], 0,
							  cfg.dn_oid[i +
								     1],
							  strlen(cfg.
								 dn_oid[i +
									1]));

			if (ret < 0) {
				fprintf(stderr, "set_dn_oid: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	}
}

#define ACTION_NONE  0
#define ENCODE_OCTET_STRING 1
static unsigned char *decode_ext_string(char *str, unsigned int *ret_size)
{
	char *p, *p2;
	unsigned char *tmp;
	unsigned char *raw;
	unsigned int raw_size;
	unsigned action = ACTION_NONE;
	unsigned char tag[ASN1_MAX_TL_SIZE];
	unsigned int tag_len;
	int ret, res;

	p = strchr(str, '(');
	if (p != 0) {
		if (strncmp(str, "octet_string", 12) == 0) {
			action = ENCODE_OCTET_STRING;
		} else {
			fprintf(stderr, "cannot parse: %s\n", str);
			exit(1);
		}
		p++;
		p2 = strchr(p, ')');
		if (p2 == NULL) {
			fprintf(stderr, "there is no terminating parenthesis in: %s\n", str);
			exit(1);
		}
		*p2 = 0;
	} else {
		p = str;
	}

	if (strncmp(p, "0x", 2) == 0)
		p+=2;
	HEX_DECODE(p, raw, raw_size);

	switch(action) {
		case ENCODE_OCTET_STRING:
			tag_len = sizeof(tag);
			res = asn1_encode_simple_der(ASN1_ETYPE_OCTET_STRING, raw, raw_size, tag, &tag_len);
			if (res != ASN1_SUCCESS) {
				fprintf(stderr, "error in DER encoding: %s\n", asn1_strerror(res));
				exit(1);
			}
			tmp = gnutls_malloc(raw_size+tag_len);
			if (tmp == NULL) {
				fprintf(stderr, "error in allocation\n");
				exit(1);
			}
			memcpy(tmp, tag, tag_len);
			memcpy(tmp+tag_len, raw, raw_size);
			gnutls_free(raw);
			raw = tmp;
			raw_size += tag_len;
			break;
	}

	*ret_size = raw_size;
	return raw;
}

void get_extensions_crt_set(int type, void *crt)
{
	int ret, i;
	unsigned char *raw = NULL;
	unsigned raw_size;

	if (batch) {
		if (!cfg.extensions)
			goto check_critical;
		for (i = 0; cfg.extensions[i] != NULL; i += 2) {
			if (cfg.extensions[i + 1] == NULL) {
				fprintf(stderr,
					"extensions: %s does not have an argument.\n",
					cfg.extensions[i]);
				exit(1);
			}

			/* convert hex to bin */
			raw = decode_ext_string(cfg.extensions[i+1], &raw_size);

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_extension_by_oid(crt,
							  cfg.extensions[i],
							  raw, raw_size, 0);
			else
				ret =
				    gnutls_x509_crq_set_extension_by_oid(crt,
							  cfg.extensions[i],
							  raw, raw_size, 0);

			gnutls_free(raw);
			if (ret < 0) {
				fprintf(stderr, "set_extensions: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}

 check_critical:
		if (!cfg.crit_extensions)
			return;
		for (i = 0; cfg.crit_extensions[i] != NULL; i += 2) {
			if (cfg.crit_extensions[i + 1] == NULL) {
				fprintf(stderr,
					"extensions: %s does not have an argument.\n",
					cfg.crit_extensions[i]);
				exit(1);
			}
			/* convert hex to bin */
			raw = decode_ext_string(cfg.crit_extensions[i+1], &raw_size);

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_extension_by_oid(crt,
							  cfg.crit_extensions[i],
							  raw, raw_size, 1);
			else
				ret =
				    gnutls_x509_crq_set_extension_by_oid(crt,
							  cfg.crit_extensions[i],
							  raw, raw_size, 1);

			gnutls_free(raw);

			if (ret < 0) {
				fprintf(stderr, "set_extensions: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	}
}

void get_key_purpose_set(int type, void *crt)
{
	int ret, i;

	if (batch) {
		if (!cfg.key_purpose_oids)
			return;
		for (i = 0; cfg.key_purpose_oids[i] != NULL; i++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_key_purpose_oid
				    (crt, cfg.key_purpose_oids[i], 0);
			else
				ret =
				    gnutls_x509_crq_set_key_purpose_oid
				    (crt, cfg.key_purpose_oids[i], 0);

			if (ret < 0) {
				fprintf(stderr,
					"set_key_purpose_oid (%s): %s\n",
					cfg.key_purpose_oids[i],
					gnutls_strerror(ret));
				exit(1);
			}
		}
	}
}

void get_ocsp_issuer_set(gnutls_x509_crt_t crt)
{
	int ret, i;
	gnutls_datum_t uri;

	if (batch) {
		if (!cfg.ocsp_uris)
			return;
		for (i = 0; cfg.ocsp_uris[i] != NULL; i++) {
			uri.data = (void*)cfg.ocsp_uris[i];
			uri.size = strlen(cfg.ocsp_uris[i]);
			ret =
			    gnutls_x509_crt_set_authority_info_access(crt,
								      GNUTLS_IA_OCSP_URI,
								      &uri);
			if (ret < 0) {
				fprintf(stderr, "set OCSP URI (%s): %s\n",
					cfg.ocsp_uris[i],
					gnutls_strerror(ret));
				exit(1);
			}
		}
	}
}

void get_ca_issuers_set(gnutls_x509_crt_t crt)
{
	int ret, i;
	gnutls_datum_t uri;

	if (batch) {
		if (!cfg.ca_issuers_uris)
			return;
		for (i = 0; cfg.ca_issuers_uris[i] != NULL; i++) {
			uri.data = (void*)cfg.ca_issuers_uris[i];
			uri.size = strlen(cfg.ca_issuers_uris[i]);
			ret =
			    gnutls_x509_crt_set_authority_info_access(crt,
								      GNUTLS_IA_CAISSUERS_URI,
								      &uri);
			if (ret < 0) {
				fprintf(stderr,
					"set CA ISSUERS URI (%s): %s\n",
					cfg.ca_issuers_uris[i],
					gnutls_strerror(ret));
				exit(1);
			}
		}
	}
}


void get_pkcs9_email_crt_set(gnutls_x509_crt_t crt)
{
	int ret;

	if (batch) {
		if (!cfg.pkcs9_email)
			return;
		ret =
		    gnutls_x509_crt_set_dn_by_oid(crt,
						  GNUTLS_OID_PKCS9_EMAIL,
						  0, cfg.pkcs9_email,
						  strlen(cfg.pkcs9_email));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crt_set(crt, "E-mail: ", GNUTLS_OID_PKCS9_EMAIL);
	}

}


static
int default_crl_number(unsigned char* serial, size_t *size)
{
	struct timespec ts;
	time_t tv_sec_tmp;
	int i;

	/* default format:
	 * |  5 b |  4 b  |  11b
	 * | secs | nsecs | rnd  |
	 */
	gettime(&ts);

	if (*size < 20) {
		return GNUTLS_E_SHORT_MEMORY_BUFFER;
	}

	tv_sec_tmp = ts.tv_sec;
	for (i = 4; i >= 0; i--) {
		serial[i] = tv_sec_tmp & 0xff;
		tv_sec_tmp = tv_sec_tmp >> 8;
	}
	serial[5] = (ts.tv_nsec >> 24) & 0xff;
	serial[6] = (ts.tv_nsec >> 16) & 0xff;
	serial[7] = (ts.tv_nsec >> 8) & 0xff;
	serial[8] = (ts.tv_nsec) & 0xff;
	// crl number must be positive and max 20 octets
	// so we must zero the most significant bit (with MSB set, the DER encoding
	// would be 21 octets long). See RFC 5280, section 5.2.3.
	serial[0] &= 0x7F;
	*size = 20;
	return gnutls_rnd(GNUTLS_RND_NONCE, &serial[9], 11);
}

/**
 * read_serial_value:
 * @serial: pointer to buffer with serial number
 * @size: pointer to actual size of data in buffer
 * @max_size: capacity of the buffer
 * @label: user-facing description of the field we are reading value for
 * @rfc_section: rfc section number that defines the field
 *
 * This function will read a serial number from the user. It takes a buffer
 * that contains a default value that will be displayed to the user and
 * maximum size of the buffer that it can fill. When the function
 * returns, either the buffer is not modified to use the default value
 * or it's contents are changed to reflect the user-entered value.
 **/
static
void read_serial_value(unsigned char *serial, size_t *size, size_t max_size,
		const char *label, const char *rfc_section)
{
	static char input[MAX_INPUT_SIZE];
	int ret;
	size_t input_len;
	gnutls_datum_t decoded;
	gnutls_datum_t serial_datum;
	gnutls_datum_t encoded_default;

	serial_datum.data = serial;
	serial_datum.size = *size;

	ret = gnutls_hex_encode2(&serial_datum, &encoded_default);
	if (ret < 0) {
		fprintf(stderr, "error encoding default to hex: %d\n", ret);
		exit(1);
	}

	while (true) {
		fprintf(stderr,
			"Enter the %s in decimal (123) or hex (0xabcd)\n"
			"(default is 0x%s)\n"
			"value: ",
			label, encoded_default.data);

		if (fgets(input, sizeof(input), stdin) == NULL)
			break;

		input_len = strip_nl(input, strlen(input));

		if (input_len == 0)
			break;

		ret = serial_decode(input, &decoded);
		if (ret < 0) {
			fprintf(stderr, "error parsing %s: %s\n", label, input);
			continue;
		}

		if ((decoded.size == SERIAL_MAX_BYTES && decoded.data[0] & 0x80) ||
				decoded.size > SERIAL_MAX_BYTES) {
			fprintf(stderr, "%s would be encoded in more than 20 bytes,"
				"see RFC 5280, section %s\n", label, rfc_section);
			gnutls_free(decoded.data);
			continue;
		}

		if (decoded.size > max_size) {
			fprintf(stderr, "maximum %zu octets allowed for %s\n",
					max_size, label);
			gnutls_free(decoded.data);
			continue;
		}

		memcpy(serial, decoded.data, decoded.size);
		*size = decoded.size;
		gnutls_free(decoded.data);
		break;
	}

	gnutls_free(encoded_default.data);
}

static
void get_serial_value(unsigned char *serial, size_t *size,
		const unsigned char *config, size_t config_size,
		int (create_default)(unsigned char *, size_t *),
		const char *label, const char *rfc_section)
{
	size_t max_size = *size;
	int ret;

	if (batch && config != NULL) {
		if (config_size > max_size) {
			fprintf(stderr, "maximum %zu octets allowed for %s!\n",
					max_size, label);
			exit(1);
		}
		memcpy(serial, config, config_size);
		*size = config_size;
	} else {
		ret = create_default(serial, size);
		if (ret < 0) {
			fprintf(stderr, "error generating default %s: %s\n",
					label, gnutls_strerror(ret));
			exit(1);
		}
	}

	if (!batch)
		read_serial_value(serial, size, max_size, label, rfc_section);

	if ((*size == SERIAL_MAX_BYTES && serial[0] & 0x80) || *size > SERIAL_MAX_BYTES) {
		fprintf(stderr, "%s would be encoded in more than 20 bytes,"
				"see RFC 5280, section %s\n", label, rfc_section);
		exit(1);
	}
}

static
int default_serial(unsigned char *serial, size_t *size)
{
	int ret;

	if (*size < SERIAL_MAX_BYTES)
		return GNUTLS_E_SHORT_MEMORY_BUFFER;

	ret = gnutls_rnd(GNUTLS_RND_NONCE, serial, SERIAL_MAX_BYTES);
	if (ret < 0)
		return ret;

	// serial must be positive and max 20 octets
	// so we must zero the most significant bit (with MSB set, the DER encoding
	// would be 21 octets long). See RFC 5280, section 4.1.2.2.
	serial[0] &= 0x7F;
	*size = SERIAL_MAX_BYTES;

	return 0;
}

void get_serial(unsigned char *serial, size_t *size)
{
	get_serial_value(serial, size, cfg.serial, cfg.serial_size,
			default_serial, "certificate's serial number", "4.1.2.2");
}

static
time_t get_date(const char* date)
{
	struct timespec r;

	if (date==NULL || parse_datetime(&r, date, NULL) == 0) {
		PRINT_TIME_T_ERROR;
		fprintf(stderr, "Cannot parse date: %s\n", date);
		exit(1);
	}

	return r.tv_sec;
}

time_t get_activation_date(void)
{

	if (batch && cfg.activation_date != NULL) {
		return get_date(cfg.activation_date);
	}

	return time(NULL);
}

time_t get_crl_revocation_date(void)
{

	if (batch && cfg.revocation_date != NULL) {
		return get_date(cfg.revocation_date);
	}

	return time(NULL);
}

time_t get_crl_this_update_date(void)
{

	if (batch && cfg.this_update_date != NULL) {
		return get_date(cfg.this_update_date);
	}

	return time(NULL);
}

static
time_t days_to_secs(int days)
{
time_t secs = days;
time_t now = time(NULL);

	if (secs != (time_t)-1) {
		if (INT_MULTIPLY_OVERFLOW(secs, 24*60*60)) {
			goto overflow;
		} else {
			secs *= 24*60*60;
		}
	}

	if (secs != (time_t)-1) {
		if (INT_ADD_OVERFLOW(secs, now)) {
			goto overflow;
		} else {
			secs += now;
		}
	}

	return secs;
 overflow:
	PRINT_TIME_T_ERROR;
	fprintf(stderr, "Overflow while parsing days\n");
	exit(1);
}

static
time_t get_int_date(const char *txt_val, int int_val, const char *msg)
{
	if (batch) {
		if (txt_val == NULL) {
			time_t secs;

			if (int_val == 0 || int_val < -2)
				secs = days_to_secs(365);
			else {
				secs = days_to_secs(int_val);
			}

			return secs;
		} else
			return get_date(txt_val);
	} else {
		int days;

		do {
			days =
			    read_int(msg);
		}
		while (days == 0);
		return days_to_secs(days);
	}
}

time_t get_expiration_date(void)
{
	return get_int_date(cfg.expiration_date, cfg.expiration_days, "The certificate will expire in (days): ");
}

int get_ca_status(void)
{
	if (batch) {
		return cfg.ca;
	} else {
		return
		    read_yesno
		    ("Does the certificate belong to an authority? (y/N): ",
		     0);
	}
}

int get_crq_extensions_status(void)
{
	if (batch) {
		return cfg.honor_crq_extensions;
	} else {
		return
		    read_yesno
		    ("Do you want to honour all the extensions from the request? (y/N): ",
		     0);
	}
}

void get_crl_number(unsigned char* serial, size_t * size)
{
	get_serial_value(serial, size, cfg.crl_number, cfg.crl_number_size,
			default_crl_number, "CRL's serial number", "5.2.3");
}

int get_path_len(void)
{
	if (batch) {
		return cfg.path_len;
	} else {
		return read_int_with_default
		    ("Path length constraint (decimal, %d for no constraint): ",
		     -1);
	}
}

const char *get_pkcs12_key_name(void)
{
	const char *name;

	if (batch) {
		if (!cfg.pkcs12_key_name)
			return "Anonymous";
		return cfg.pkcs12_key_name;
	} else {
		do {
			name = read_str("Enter a name for the key: ");
		}
		while (name == NULL);
	}
	return name;
}

int get_tls_client_status(void)
{
	if (batch) {
		return cfg.tls_www_client;
	} else {
		return
		    read_yesno
		    ("Is this a TLS web client certificate? (y/N): ", 0);
	}
}

int get_tls_server_status(void)
{
	if (batch) {
		return cfg.tls_www_server;
	} else {
		return
		    read_yesno
		    ("Is this a TLS web server certificate? (y/N): ", 0);
	}
}

/* convert a printable IP to binary */
static int string_to_ip(unsigned char *ip, const char *str)
{
	int ret;

#if HAVE_IPV6
	int len = strlen(str);

	if (strchr(str, ':') != NULL || len > 16) {	/* IPv6 */
		ret = inet_pton(AF_INET6, str, ip);
		if (ret <= 0) {
			fprintf(stderr, "Error in IPv6 address %s\n", str);
			exit(1);
		}

		/* To be done */
		return 16;
	} else
#endif
	{			/* IPv4 */
		ret = inet_pton(AF_INET, str, ip);
		if (ret <= 0) {
			fprintf(stderr, "Error in IPv4 address %s\n", str);
			exit(1);
		}

		return 4;
	}

}

void get_ip_addr_set(int type, void *crt)
{
	int ret = 0, i;
	unsigned char ip[16];
	int len;

	if (batch) {
		if (!cfg.ip_addr)
			return;

		for (i = 0; cfg.ip_addr[i] != NULL; i++) {
			len = string_to_ip(ip, cfg.ip_addr[i]);
			if (len <= 0) {
				fprintf(stderr,
					"Error parsing address: %s\n",
					cfg.ip_addr[i]);
				exit(1);
			}

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_IPADDRESS, ip, len,
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_IPADDRESS, ip, len,
				     GNUTLS_FSAN_APPEND);

			if (ret < 0)
				break;
		}
	} else {
		const char *p;

		p = read_str
		    ("Enter the IP address of the subject of the certificate: ");
		if (!p)
			return;

		len = string_to_ip(ip, p);
		if (len <= 0) {
			fprintf(stderr, "Error parsing address: %s\n", p);
			exit(1);
		}

		if (type == TYPE_CRT)
			ret =
			    gnutls_x509_crt_set_subject_alt_name(crt,
								 GNUTLS_SAN_IPADDRESS,
								 ip, len,
								 GNUTLS_FSAN_APPEND);
		else
			ret =
			    gnutls_x509_crq_set_subject_alt_name(crt,
								 GNUTLS_SAN_IPADDRESS,
								 ip, len,
								 GNUTLS_FSAN_APPEND);
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_name: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
}

void get_email_set(int type, void *crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.email)
			return;

		for (i = 0; cfg.email[i] != NULL; i++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_RFC822NAME,
				     cfg.email[i], strlen(cfg.email[i]),
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_RFC822NAME,
				     cfg.email[i], strlen(cfg.email[i]),
				     GNUTLS_FSAN_APPEND);

			if (ret < 0)
				break;
		}
	} else {
		const char *p;

		p = read_str
		    ("Enter the e-mail of the subject of the certificate: ");
		if (!p)
			return;

		if (type == TYPE_CRT)
			ret =
			    gnutls_x509_crt_set_subject_alt_name(crt,
								 GNUTLS_SAN_RFC822NAME,
								 p,
								 strlen(p),
								 GNUTLS_FSAN_APPEND);
		else
			ret =
			    gnutls_x509_crq_set_subject_alt_name(crt,
								 GNUTLS_SAN_RFC822NAME,
								 p,
								 strlen(p),
								 GNUTLS_FSAN_APPEND);
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_name: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
}


void get_dc_set(int type, void *crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.dc)
			return;

		for (i = 0; cfg.dc[i] != NULL; i++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_dn_by_oid(crt,
								  GNUTLS_OID_LDAP_DC,
								  0,
								  cfg.
								  dc[i],
								  strlen
								  (cfg.
								   dc[i]));
			else
				ret =
				    gnutls_x509_crq_set_dn_by_oid(crt,
								  GNUTLS_OID_LDAP_DC,
								  0,
								  cfg.
								  dc[i],
								  strlen
								  (cfg.
								   dc[i]));

			if (ret < 0)
				break;
		}
	} else {
		const char *p;
		unsigned int counter = 0;

		do {
			if (counter == 0) {
				p = read_str
				    ("Enter the subject's domain component (DC): ");
			} else {
				p = read_str
				    ("Enter an additional domain component (DC): ");
			}
			if (!p)
				return;

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_dn_by_oid(crt,
								  GNUTLS_OID_LDAP_DC,
								  0, p,
								  strlen
								  (p));
			else
				ret =
				    gnutls_x509_crq_set_dn_by_oid(crt,
								  GNUTLS_OID_LDAP_DC,
								  0, p,
								  strlen
								  (p));
			counter++;
			if (ret < 0)
				break;
		}
		while (p != NULL);
	}

	if (ret < 0) {
		fprintf(stderr, "set_dn_by_oid: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
}

void get_dns_name_set(int type, void *crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.dns_name)
			return;

		for (i = 0; cfg.dns_name[i] != NULL; i++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_DNSNAME,
				     cfg.dns_name[i],
				     strlen(cfg.dns_name[i]),
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_DNSNAME,
				     cfg.dns_name[i],
				     strlen(cfg.dns_name[i]),
				     GNUTLS_FSAN_APPEND);

			if (ret < 0)
				break;
		}
	} else {
		const char *p;
		unsigned int counter = 0;

		do {
			if (counter == 0) {
				p = read_str("Enter a dnsName of the subject of the certificate: ");
			} else {
				p = read_str("Enter an additional dnsName of the subject of the certificate: ");
			}
			if (!p)
				return;

			if (type == TYPE_CRT)
				ret = gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_DNSNAME, p, strlen(p),
				     GNUTLS_FSAN_APPEND);
			else
				ret = gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_DNSNAME, p, strlen(p),
				     GNUTLS_FSAN_APPEND);
			counter++;
		} while (p);
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_name: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
}

static int set_krb5_principal(int type, void *crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.krb5_principal)
			return 0;

		for (i = 0; cfg.krb5_principal[i] != NULL; i ++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
				     cfg.krb5_principal[i], strlen(cfg.krb5_principal[i]),
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL,
				     cfg.krb5_principal[i], strlen(cfg.krb5_principal[i]),
				     GNUTLS_FSAN_APPEND);

			if (ret < 0)
				break;
		}
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_name(GNUTLS_SAN_OTHERNAME_KRB5PRINCIPAL): %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	return ret;
}

static int set_othername(int type, void *crt)
{
	int ret = 0, i;
	uint8_t *binname = NULL;
	unsigned binnamelen = 0;
	const char *oid;

	if (batch) {
		if (!cfg.other_name)
			return 0;

		for (i = 0; cfg.other_name[i] != NULL; i += 2) {
			oid = cfg.other_name[i];

			if (cfg.other_name[i + 1] == NULL) {
				fprintf(stderr,
					"other_name: %s does not have an argument.\n",
					cfg.other_name[i]);
				exit(1);
			}

			HEX_DECODE (cfg.other_name[i+1], binname, binnamelen);
			if (binnamelen == 0)
				break;

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_othername
				    (crt, oid,
				     binname, binnamelen,
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_othername
				    (crt, oid,
				     binname, binnamelen,
				     GNUTLS_FSAN_APPEND);
			free (binname);
			binname = NULL;

			if (ret < 0)
				break;
		}
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_othername: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	return ret;
}

static int set_othername_utf8(int type, void *crt)
{
	int ret = 0, i;
	const char *oid;

	if (batch) {
		if (!cfg.other_name_utf8)
			return 0;

		for (i = 0; cfg.other_name_utf8[i] != NULL; i += 2) {
			oid = cfg.other_name_utf8[i];

			if (cfg.other_name_utf8[i + 1] == NULL) {
				fprintf(stderr,
					"other_name_utf8: %s does not have an argument.\n",
					cfg.other_name_utf8[i]);
				exit(1);
			}

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_othername
				    (crt, oid,
				     cfg.other_name_utf8[i + 1], strlen(cfg.other_name_utf8[i + 1]),
				     GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_UTF8_STRING);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_othername
				    (crt, oid,
				     cfg.other_name_utf8[i + 1], strlen(cfg.other_name_utf8[i + 1]),
				     GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_UTF8_STRING);

			if (ret < 0)
				break;
		}
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_othername: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	return ret;
}

static int set_othername_octet(int type, void *crt)
{
	int ret = 0, i;
	const char *oid;

	if (batch) {
		if (!cfg.other_name_octet)
			return 0;

		for (i = 0; cfg.other_name_octet[i] != NULL; i += 2) {
			oid = cfg.other_name_octet[i];

			if (cfg.other_name_octet[i + 1] == NULL) {
				fprintf(stderr,
					"other_name_octet: %s does not have an argument.\n",
					cfg.other_name_octet[i]);
				exit(1);
			}

			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_othername
				    (crt, oid,
				     cfg.other_name_octet[i + 1], strlen(cfg.other_name_octet[i + 1]),
				     GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_OCTET_STRING);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_othername
				    (crt, oid,
				     cfg.other_name_octet[i + 1], strlen(cfg.other_name_octet[i + 1]),
				     GNUTLS_FSAN_APPEND|GNUTLS_FSAN_ENCODE_OCTET_STRING);

			if (ret < 0)
				break;
		}
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_othername: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	return ret;
}

static int set_xmpp_name(int type, void *crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.xmpp_name)
			return 0;

		for (i = 0; cfg.xmpp_name[i] != NULL; i ++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_OTHERNAME_XMPP,
				     cfg.xmpp_name[i], strlen(cfg.xmpp_name[i]),
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_OTHERNAME_XMPP,
				     cfg.xmpp_name[i], strlen(cfg.xmpp_name[i]),
				     GNUTLS_FSAN_APPEND);

			if (ret < 0)
				break;
		}
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_name(XMPP): %s\n",
			gnutls_strerror(ret));
		exit(1);
	}

	return ret;
}


void get_other_name_set(int type, void *crt)
{
	set_othername(type, crt);
	set_othername_octet(type, crt);
	set_othername_utf8(type, crt);
	set_xmpp_name(type, crt);
	set_krb5_principal(type, crt);
}

void get_policy_set(gnutls_x509_crt_t crt)
{
	int ret = 0, i;
	gnutls_x509_policy_st policy;

	if (batch) {
		if (cfg.skip_certs >= 0) {
			ret = gnutls_x509_crt_set_inhibit_anypolicy(crt, cfg.skip_certs);
			if (ret < 0) {
				fprintf(stderr, "error setting inhibit anypolicy: %s\n", gnutls_strerror(ret));
				exit(1);
			}
		}

		for (i = 0; cfg.policy_oid[i] != NULL; i++) {
			memset(&policy, 0, sizeof(policy));
			policy.oid = cfg.policy_oid[i];

			if (cfg.policy_txt[i] != NULL) {
				policy.qualifier[policy.qualifiers].type =
				    GNUTLS_X509_QUALIFIER_NOTICE;
				policy.qualifier[policy.qualifiers].data =
				    cfg.policy_txt[i];
				policy.qualifier[policy.qualifiers].size =
				    strlen(cfg.policy_txt[i]);
				policy.qualifiers++;
			}

			if (cfg.policy_url[i] != NULL) {
				policy.qualifier[policy.qualifiers].type =
				    GNUTLS_X509_QUALIFIER_URI;
				policy.qualifier[policy.qualifiers].data =
				    cfg.policy_url[i];
				policy.qualifier[policy.qualifiers].size =
				    strlen(cfg.policy_url[i]);
				policy.qualifiers++;
			}

			ret = gnutls_x509_crt_set_policy(crt, &policy, 0);
			if (ret < 0)
				break;
		}
	}

	if (ret < 0) {
		fprintf(stderr, "set_policy: %s\n", gnutls_strerror(ret));
		exit(1);
	}
}

void get_uri_set(int type, void *crt)
{
	int ret = 0, i;

	if (batch) {
		if (!cfg.uri)
			return;

		for (i = 0; cfg.uri[i] != NULL; i++) {
			if (type == TYPE_CRT)
				ret =
				    gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_URI, cfg.uri[i],
				     strlen(cfg.uri[i]),
				     GNUTLS_FSAN_APPEND);
			else
				ret =
				    gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_URI, cfg.uri[i],
				     strlen(cfg.uri[i]),
				     GNUTLS_FSAN_APPEND);

			if (ret < 0)
				break;
		}
	} else {
		const char *p;
		unsigned int counter = 0;

		do {
			if (counter == 0) {
				p = read_str
				    ("Enter a URI of the subject of the certificate: ");
			} else {
				p = read_str
				    ("Enter an additional URI of the subject of the certificate: ");
			}
			if (!p)
				return;

			if (type == TYPE_CRT)
				ret = gnutls_x509_crt_set_subject_alt_name
				    (crt, GNUTLS_SAN_URI, p, strlen(p),
				     GNUTLS_FSAN_APPEND);
			else
				ret = gnutls_x509_crq_set_subject_alt_name
				    (crt, GNUTLS_SAN_URI, p, strlen(p),
				     GNUTLS_FSAN_APPEND);
			counter++;
			if (ret < 0)
				break;
		}
		while (p);
	}

	if (ret < 0) {
		fprintf(stderr, "set_subject_alt_name: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
}



int get_sign_status(int server)
{
	const char *msg;

	if (batch) {
		return cfg.signing_key;
	} else {
		if (server)
			msg =
			    "Will the certificate be used for signing (DHE ciphersuites)? (Y/n): ";
		else
			msg =
			    "Will the certificate be used for signing (required for TLS)? (Y/n): ";
		return read_yesno(msg, 1);
	}
}

int get_encrypt_status(int server)
{
	const char *msg;

	if (batch) {
		return cfg.encryption_key;
	} else {
		if (server)
			msg =
			    "Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): ";
		else
			msg =
			    "Will the certificate be used for encryption (not required for TLS)? (Y/n): ";
		return read_yesno(msg, 1);
	}
}

int get_cert_sign_status(void)
{
	if (batch) {
		return cfg.cert_sign_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used to sign other certificates? (Y/n): ",
		     1);
	}
}

int get_crl_sign_status(void)
{
	if (batch) {
		return cfg.crl_sign_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used to sign CRLs? (y/N): ",
		     0);
	}
}

int get_key_agreement_status(void)
{
	if (batch) {
		return cfg.key_agreement;
	} else {
		/* this option is not asked in interactive mode */
		return 0;
	}
}

int get_non_repudiation_status(void)
{
	if (batch) {
		return cfg.non_repudiation;
	} else {
		/* this option is not asked in interactive mode */
		return 0;
	}
}

int get_data_encipherment_status(void)
{
	if (batch) {
		return cfg.data_encipherment;
	} else {
		return read_yesno("Will the certificate be used for data encryption? (y/N): ", 0);
	}
}

int get_code_sign_status(void)
{
	if (batch) {
		return cfg.code_sign_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used to sign code? (y/N): ",
		     0);
	}
}

int get_ocsp_sign_status(void)
{
	if (batch) {
		return cfg.ocsp_sign_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used to sign OCSP requests? (y/N): ",
		     0);
	}
}

int get_time_stamp_status(void)
{
	if (batch) {
		return cfg.time_stamping_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used for time stamping? (y/N): ",
		     0);
	}
}

int get_email_protection_status(void)
{
	if (batch) {
		return cfg.email_protection_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used for email protection? (y/N): ",
		     0);
	}
}

int get_ipsec_ike_status(void)
{
	if (batch) {
		return cfg.ipsec_ike_key;
	} else {
		return
		    read_yesno
		    ("Will the certificate be used for IPsec IKE operations? (y/N): ",
		     0);
	}
}

time_t get_crl_next_update(void)
{
	return get_int_date(cfg.next_update_date, cfg.crl_next_update, "The next CRL will be issued in (days): ");
}

const char *get_proxy_policy(char **policy, size_t * policylen)
{
	const char *ret;

	if (batch) {
		ret = cfg.proxy_policy_language;
		if (!ret)
			ret = "1.3.6.1.5.5.7.21.1";
	} else {
		do {
			ret =
			    read_str
			    ("Enter the OID of the proxy policy language: ");
		}
		while (ret == NULL);
	}

	*policy = NULL;
	*policylen = 0;

	if (strcmp(ret, "1.3.6.1.5.5.7.21.1") != 0 &&
	    strcmp(ret, "1.3.6.1.5.5.7.21.2") != 0) {
		fprintf(stderr,
			"Reading non-standard proxy policy not supported.\n");
	}

	return ret;
}

/* CRQ stuff.
 */
void get_country_crq_set(gnutls_x509_crq_t crq)
{
	int ret;

	if (batch) {
		if (!cfg.country)
			return;
		ret =
		    gnutls_x509_crq_set_dn_by_oid(crq,
						  GNUTLS_OID_X520_COUNTRY_NAME,
						  0, cfg.country,
						  strlen(cfg.country));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crq_set(crq, "Country name (2 chars): ",
			     GNUTLS_OID_X520_COUNTRY_NAME);
	}

}

void get_organization_crq_set(gnutls_x509_crq_t crq)
{
	int ret;
	unsigned i;

	if (batch) {
		if (!cfg.organization)
			return;

		for (i = 0; cfg.organization[i] != NULL; i++) {
			ret =
			    gnutls_x509_crq_set_dn_by_oid(crq,
						  GNUTLS_OID_X520_ORGANIZATION_NAME,
						  0, cfg.organization[i],
						  strlen(cfg.
							 organization[i]));
			if (ret < 0) {
				fprintf(stderr, "set_dn: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	} else {
		read_crq_set(crq, "Organization name: ",
			     GNUTLS_OID_X520_ORGANIZATION_NAME);
	}

}

void get_unit_crq_set(gnutls_x509_crq_t crq)
{
	int ret;
	unsigned i;

	if (batch) {
		if (!cfg.unit)
			return;

		for (i = 0; cfg.unit[i] != NULL; i++) {
			ret =
			    gnutls_x509_crq_set_dn_by_oid(crq,
						  GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
						  0, cfg.unit[i],
						  strlen(cfg.unit[i]));
			if (ret < 0) {
				fprintf(stderr, "set_dn: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	} else {
		read_crq_set(crq, "Organizational unit name: ",
			     GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME);
	}

}

void get_state_crq_set(gnutls_x509_crq_t crq)
{
	int ret;

	if (batch) {
		if (!cfg.state)
			return;
		ret =
		    gnutls_x509_crq_set_dn_by_oid(crq,
						  GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
						  0, cfg.state,
						  strlen(cfg.state));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crq_set(crq, "State or province name: ",
			     GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME);
	}

}

void get_locality_crq_set(gnutls_x509_crq_t crq)
{
	int ret;

	if (batch) {
		if (!cfg.locality)
			return;
		ret =
		    gnutls_x509_crq_set_dn_by_oid(crq,
						  GNUTLS_OID_X520_LOCALITY_NAME,
						  0, cfg.locality,
						  strlen(cfg.locality));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crq_set(crq, "Locality name: ",
			     GNUTLS_OID_X520_LOCALITY_NAME);
	}

}

void get_dn_crq_set(gnutls_x509_crq_t crq)
{
	int ret;
	const char *err;

	if (batch) {
		if (!cfg.dn)
			return;
		ret = gnutls_x509_crq_set_dn(crq, cfg.dn, &err);
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s at: %s\n",
				gnutls_strerror(ret), err);
			exit(1);
		}
	}
}

void get_cn_crq_set(gnutls_x509_crq_t crq)
{
	int ret;

	if (batch) {
		if (!cfg.cn)
			return;
		ret =
		    gnutls_x509_crq_set_dn_by_oid(crq,
						  GNUTLS_OID_X520_COMMON_NAME,
						  0, cfg.cn,
						  strlen(cfg.cn));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crq_set(crq, "Common name: ",
			     GNUTLS_OID_X520_COMMON_NAME);
	}

}

void get_uid_crq_set(gnutls_x509_crq_t crq)
{
	int ret;

	if (batch) {
		if (!cfg.uid)
			return;
		ret =
		    gnutls_x509_crq_set_dn_by_oid(crq, GNUTLS_OID_LDAP_UID,
						  0, cfg.uid,
						  strlen(cfg.uid));
		if (ret < 0) {
			fprintf(stderr, "set_dn: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
	} else {
		read_crq_set(crq, "UID: ", GNUTLS_OID_LDAP_UID);
	}

}

void get_oid_crq_set(gnutls_x509_crq_t crq)
{
	int ret, i;

	if (batch) {
		if (!cfg.dn_oid)
			return;
		for (i = 0; cfg.dn_oid[i] != NULL; i += 2) {
			if (cfg.dn_oid[i + 1] == NULL) {
				fprintf(stderr,
					"dn_oid: %s does not have an argument.\n",
					cfg.dn_oid[i]);
				exit(1);
			}
			ret =
			    gnutls_x509_crq_set_dn_by_oid(crq,
							  cfg.dn_oid[i], 0,
							  cfg.dn_oid[i +
								     1],
							  strlen(cfg.
								 dn_oid[i +
									1]));

			if (ret < 0) {
				fprintf(stderr, "set_dn_oid: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
	}

}

void get_tlsfeatures_set(int type, void *crt)
{
	int ret, i;
	unsigned int feature;

	if (batch) {
		if (!cfg.tls_features)
			return;

		gnutls_x509_tlsfeatures_t features;
		ret = gnutls_x509_tlsfeatures_init(&features);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_tlsfeatures_init: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}

		for (i = 0; cfg.tls_features[i]; ++i) {
			feature = strtoul(cfg.tls_features[i], 0, 10);
			ret = gnutls_x509_tlsfeatures_add(features, feature);
			if (ret < 0) {
				fprintf(stderr, "gnutls_x509_tlsfeatures_add: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}

		if (type == TYPE_CRT) {
			ret = gnutls_x509_crt_set_tlsfeatures(crt, features);
			if (ret < 0) {
				fprintf(stderr, "gnutls_x509_crt_set_tlsfeatures: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}
		else {
			ret = gnutls_x509_crq_set_tlsfeatures(crt, features);
			if (ret < 0) {
				fprintf(stderr, "gnutls_x509_crq_set_tlsfeatures: %s\n",
					gnutls_strerror(ret));
				exit(1);
			}
		}

		gnutls_x509_tlsfeatures_deinit(features);
	}
}

void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
{
	int ret, i;

	if (batch) {
		if (!cfg.exts_to_honor)
			return;

		for (i = 0; cfg.exts_to_honor[i]; ++i) {
			ret = gnutls_x509_crt_set_crq_extension_by_oid(crt, crq, cfg.exts_to_honor[i], 0);
			if (ret < 0) {
				fprintf(stderr, "setting extension failed: %s: %s\n", cfg.exts_to_honor[i],
					gnutls_strerror(ret));
			}
		}
	}
}