/*
 * Copyright (C) 2003-2016 Free Software Foundation, Inc.
 * Copyright (C) 2015-2019 Red Hat, Inc.
 *
 * This file is part of GnuTLS.
 *
 * GnuTLS is free software: you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * GnuTLS is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see
 * <https://www.gnu.org/licenses/>.
 */

#include <config.h>

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/openpgp.h>
#include <gnutls/pkcs12.h>
#include <gnutls/pkcs11.h>
#include <gnutls/abstract.h>
#include <gnutls/crypto.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifndef _WIN32
# include <signal.h>
#endif

#include <assert.h>

/* Gnulib portability files. */
#include <read-file.h>

#include <certtool-cfg.h>
#include <common.h>
#include "certtool-args.h"
#include "certtool-common.h"

#define MAX_HASH_SIZE 64

static FILE *stdlog = NULL;

static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *cinfo);
void pkcs7_info(common_info_st *cinfo, unsigned display_data);
void pkcs7_sign(common_info_st *, unsigned embed);
void pkcs7_generate(common_info_st *);
void pkcs8_info(void);
void pkcs8_info_int(gnutls_datum_t *data, unsigned format,
			unsigned ignore_err, FILE *out, const char *tab);
void crq_info(common_info_st *cinfo);
void smime_to_pkcs7(void);
void pkcs12_info(common_info_st *);
void generate_pkcs12(common_info_st *);
void generate_pkcs8(common_info_st *);
static void verify_chain(common_info_st * cinfo);
void verify_crl(common_info_st * cinfo);
void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_data);
void pubkey_info(gnutls_x509_crt_t crt, common_info_st *);
void certificate_info(int, common_info_st *);
void crl_info(common_info_st *cinfo);
void privkey_info(common_info_st *);
static void cmd_parser(int argc, char **argv);
void generate_self_signed(common_info_st *);
void generate_request(common_info_st *);
static void print_certificate_info(gnutls_x509_crt_t crt, FILE * out,
				   unsigned int all);
static void verify_certificate(common_info_st * cinfo);

static void privkey_to_rsa(common_info_st * cinfo);

static void pubkey_keyid(common_info_st * cinfo);
static void certificate_fpr(common_info_st * cinfo);
static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st * cinfo);

FILE *outfile;
static const char *outfile_name = NULL; /* to delete on exit */

#define REQ_KEY_TYPE_DEFAULT GNUTLS_PK_RSA

FILE *infile;
static unsigned int incert_format, outcert_format;
static unsigned int req_key_type = REQ_KEY_TYPE_DEFAULT;
gnutls_certificate_print_formats_t full_format = GNUTLS_CRT_PRINT_FULL;

/* non interactive operation if set
 */
int batch;
int ask_pass;

/* ensure we cleanup */
void app_exit(int val)
{
	if (val != 0) {
		if (outfile_name)
			(void)remove(outfile_name);
	}
	exit(val);
}

static void tls_log_func(int level, const char *str)
{
	fprintf(stderr, "|<%d>| %s", level, str);
}

int main(int argc, char **argv)
{
#ifndef _WIN32
	signal(SIGPIPE, SIG_IGN);
#endif
	cfg_init();
	cmd_parser(argc, argv);

	return 0;
}

#define SET_SPKI_PARAMS(spki, cinfo) \
	do { \
		unsigned _salt_size; \
		if (!cinfo->hash) { \
			fprintf(stderr, "You must provide the hash algorithm and optionally the salt size for RSA-PSS\n"); \
			app_exit(1); \
		} \
		if (HAVE_OPT(SALT_SIZE)) { \
			_salt_size = OPT_VALUE_SALT_SIZE; \
		} else { \
			_salt_size = gnutls_hash_get_len(cinfo->hash); \
		} \
		gnutls_x509_spki_set_rsa_pss_params(spki, cinfo->hash, _salt_size); \
	} while(0)

static gnutls_x509_privkey_t
generate_private_key_int(common_info_st * cinfo)
{
	gnutls_x509_privkey_t key;
	int ret, key_type, bits;
	unsigned provable = cinfo->provable;
	unsigned flags = 0;
	gnutls_keygen_data_st kdata[8];
	unsigned kdata_size = 0;
	gnutls_x509_spki_t spki;

	key_type = req_key_type;

	ret = gnutls_x509_privkey_init(&key);
	if (ret < 0) {
		fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret));
		app_exit(1);
	}

	bits = get_bits(key_type, cinfo->bits, cinfo->sec_param, 1);

	if (key_type == GNUTLS_PK_ECDSA ||
	    key_type == GNUTLS_PK_EDDSA_ED25519 ||
	    key_type == GNUTLS_PK_EDDSA_ED448 ||
	    key_type == GNUTLS_PK_GOST_01 ||
	    key_type == GNUTLS_PK_GOST_12_256 ||
	    key_type == GNUTLS_PK_GOST_12_512) {
		char name[64];
		int ecc_bits;

		if (GNUTLS_BITS_ARE_CURVE(bits)) {
			gnutls_ecc_curve_t curve = GNUTLS_BITS_TO_CURVE(bits);
			ecc_bits = gnutls_ecc_curve_get_size(curve) * 8;
			snprintf(name, sizeof(name), "(%s)", gnutls_ecc_curve_get_name(curve));
		} else {
			ecc_bits = bits;
			name[0] = 0;
		}

		fprintf(stdlog, "Generating a %d bit %s private key %s...\n",
			ecc_bits, gnutls_pk_algorithm_get_name(key_type), name);

		if (ecc_bits < 256)
			fprintf(stderr,
				"Note that ECDSA keys with size less than 256 are not widely supported.\n\n");
	} else {
		fprintf(stdlog, "Generating a %d bit %s private key...\n",
			bits, gnutls_pk_algorithm_get_name(key_type));
	}

	if (provable && (!GNUTLS_PK_IS_RSA(key_type) && key_type != GNUTLS_PK_DSA)) {
		fprintf(stderr,
			"The --provable parameter cannot be used with ECDSA keys.\n");
		app_exit(1);
	}

	if (bits > 1024 && key_type == GNUTLS_PK_DSA)
		fprintf(stderr,
			"Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");

	if ((HAVE_OPT(SEED) || provable) && GNUTLS_PK_IS_RSA(key_type)) {
		if (bits != 2048 && bits != 3072) {
			fprintf(stderr, "Note that the FIPS 186-4 key generation restricts keys to 2048 and 3072 bits\n");
		}
	}

	ret = gnutls_x509_spki_init(&spki);
	if (ret < 0) {
		fprintf(stderr, "error in SPKI initialization: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	switch_to_pkcs8_when_needed(cinfo, key, key_type);

	if (cinfo->seed_size > 0) {
		kdata[kdata_size].type = GNUTLS_KEYGEN_SEED;
		kdata[kdata_size].data = (void*)cinfo->seed;
		kdata[kdata_size++].size = cinfo->seed_size;

		if (GNUTLS_PK_IS_RSA(key_type)) {
			if ((bits == 3072 && cinfo->seed_size != 32) || (bits == 2048 && cinfo->seed_size != 28)) {
				fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
			}
		} else if (key_type == GNUTLS_PK_DSA) {
			if (cinfo->seed_size != 65) {
				fprintf(stderr, "The seed size (%d) doesn't match the size of the request security level; use -d 2 for more information.\n", (int)cinfo->seed_size);
			}
		}

		flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;
	}

	if (key_type == GNUTLS_PK_RSA_PSS && (cinfo->hash || HAVE_OPT(SALT_SIZE))) {

		SET_SPKI_PARAMS(spki, cinfo);

		kdata[kdata_size].type = GNUTLS_KEYGEN_SPKI;
		kdata[kdata_size].data = (void*)spki;
		kdata[kdata_size++].size = sizeof(spki);
	}

	if (provable)
		flags |= GNUTLS_PRIVKEY_FLAG_PROVABLE;

	ret = gnutls_x509_privkey_generate2(key, key_type, bits, flags, kdata, kdata_size);
	if (ret < 0) {
		fprintf(stderr, "privkey_generate: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	gnutls_x509_spki_deinit(spki);

	ret = gnutls_x509_privkey_verify_params(key);
	if (ret < 0) {
		fprintf(stderr, "privkey_verify_params: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	return key;
}


static void generate_private_key(common_info_st * cinfo)
{
	gnutls_x509_privkey_t key;

	key = generate_private_key_int(cinfo);

	print_private_key(outfile, cinfo, key);

	gnutls_x509_privkey_deinit(key);
}

static void verify_provable_privkey(common_info_st * cinfo)
{
	gnutls_privkey_t pkey;
	int ret;

	pkey = load_private_key(1, cinfo);

	if (cinfo->seed_size > 0) {
		ret = gnutls_privkey_verify_seed(pkey, 0, cinfo->seed, cinfo->seed_size);
	} else {
		ret = gnutls_privkey_verify_seed(pkey, 0, NULL, 0);
	}

	if (ret < 0) {
		if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE)
			fprintf(stderr, "The private key type cannot be associated with validated parameters\n");
		else
			fprintf(stderr, "Error verifying private key: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	printf("Key was verified\n");
	gnutls_privkey_deinit(pkey);

	return;
}

static gnutls_x509_crt_t
generate_certificate(gnutls_privkey_t * ret_key,
		     gnutls_x509_crt_t ca_crt, int proxy,
		     common_info_st * cinfo)
{
	gnutls_x509_crt_t crt;
	gnutls_x509_spki_t spki;
	gnutls_privkey_t key = NULL;
	gnutls_pubkey_t pubkey;
	size_t size;
	int ret;
	int client;
	int result, ca_status = 0, is_ike = 0, path_len;
	time_t secs;
	int vers;
	unsigned int usage = 0, server, ask;
	gnutls_x509_crq_t crq;	/* request */
	unsigned pk;
	char timebuf[SIMPLE_CTIME_BUF_SIZE];

	ret = gnutls_x509_crt_init(&crt);
	if (ret < 0) {
		fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	crq = load_request(cinfo);

	if (crq == NULL) {

		key = load_private_key(0, cinfo);

		pubkey = load_public_key_or_import(1, key, cinfo);

		if (!batch)
			fprintf(stderr,
				"Please enter the details of the certificate's distinguished name. "
				"Just press enter to ignore a field.\n");

		/* set the DN.
		 */
		if (proxy) {
			result =
			    gnutls_x509_crt_set_proxy_dn(crt, ca_crt, 0,
							 NULL, 0);
			if (result < 0) {
				fprintf(stderr, "set_proxy_dn: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}

			get_dn_crt_set(crt);
			get_cn_crt_set(crt);
		} else {
			get_dn_crt_set(crt);

			get_cn_crt_set(crt);
			get_uid_crt_set(crt);
			get_unit_crt_set(crt);
			get_organization_crt_set(crt);
			get_locality_crt_set(crt);
			get_state_crt_set(crt);
			get_country_crt_set(crt);
			get_dc_set(TYPE_CRT, crt);

			get_oid_crt_set(crt);
			get_key_purpose_set(TYPE_CRT, crt);

			if (!batch)
				fprintf(stderr,
					"This field should not be used in new certificates.\n");

			get_pkcs9_email_crt_set(crt);

			get_tlsfeatures_set(TYPE_CRT, crt);
		}

		result = gnutls_x509_crt_set_pubkey(crt, pubkey);
		if (result < 0) {
			fprintf(stderr, "set_key: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
		gnutls_pubkey_deinit(pubkey);
	} else {

		result = gnutls_x509_crt_set_crq(crt, crq);
		if (result < 0) {
			fprintf(stderr, "set_crq: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		crq_extensions_set(crt, crq);
	}

	pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL);

	{
		size_t serial_size;
		unsigned char serial[SERIAL_MAX_BYTES];

		serial_size = sizeof(serial);

		get_serial(serial, &serial_size);

		result = gnutls_x509_crt_set_serial(crt, serial, serial_size);
		if (result < 0) {
			fprintf(stderr, "serial: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
	}

	if (!batch)
		fprintf(stderr, "\n\nActivation/Expiration time.\n");

	secs = get_activation_date();

	result = gnutls_x509_crt_set_activation_time(crt, secs);
	if (result < 0) {
		fprintf(stderr, "set_activation: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	do {
		ask = 0;
		secs = get_expiration_date();

		if (ca_crt && (secs > gnutls_x509_crt_get_expiration_time(ca_crt))) {
			time_t exp = gnutls_x509_crt_get_expiration_time(ca_crt);
			fprintf(stderr, "\nExpiration time: %s\n", simple_ctime(&secs, timebuf));
			fprintf(stderr, "CA expiration time: %s\n", simple_ctime(&exp, timebuf));
			fprintf(stderr, "Warning: The time set exceeds the CA's expiration time\n");
			ask = 1;
		}
	} while(batch == 0 && ask != 0 && read_yesno("Is it ok to proceed? (y/N): ", 0) == 0);


	result = gnutls_x509_crt_set_expiration_time(crt, secs);
	if (result < 0) {
		fprintf(stderr, "set_expiration: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	if (!batch)
		fprintf(stderr, "\n\nExtensions.\n");

	/* do not allow extensions on a v1 certificate */
	if (crq && get_crq_extensions_status() != 0) {
		result = gnutls_x509_crt_set_crq_extensions(crt, crq);
		if (result < 0) {
			fprintf(stderr, "set_crq: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
	}

	get_extensions_crt_set(TYPE_CRT, crt);

	/* append additional extensions */
	if (cinfo->v1_cert == 0) {

		if (proxy) {
			const char *policylanguage;
			char *policy;
			size_t policylen;
			int proxypathlen = get_path_len();

			if (!batch) {
				printf
				    ("1.3.6.1.5.5.7.21.1 ::= id-ppl-inheritALL\n");
				printf
				    ("1.3.6.1.5.5.7.21.2 ::= id-ppl-independent\n");
			}

			policylanguage =
			    get_proxy_policy(&policy, &policylen);

			result =
			    gnutls_x509_crt_set_proxy(crt, proxypathlen,
						      policylanguage,
						      policy, policylen);
			if (result < 0) {
				fprintf(stderr, "set_proxy: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		if (!proxy)
			ca_status = get_ca_status();
		if (ca_status)
			path_len = get_path_len();
		else
			path_len = -1;

		result =
		    gnutls_x509_crt_set_basic_constraints(crt, ca_status,
							  path_len);
		if (result < 0) {
			fprintf(stderr, "basic_constraints: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		client = get_tls_client_status();
		if (client != 0) {
			result = gnutls_x509_crt_set_key_purpose_oid(crt,
								     GNUTLS_KP_TLS_WWW_CLIENT,
								     0);
			if (result < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		crt_unique_ids_set(crt);

		is_ike = get_ipsec_ike_status();
		server = get_tls_server_status();

		get_dns_name_set(TYPE_CRT, crt);
		get_uri_set(TYPE_CRT, crt);
		get_ip_addr_set(TYPE_CRT, crt);
		get_other_name_set(TYPE_CRT, crt);
		get_policy_set(crt);

		if (server != 0) {
			result =
			    gnutls_x509_crt_set_key_purpose_oid(crt,
								GNUTLS_KP_TLS_WWW_SERVER,
								0);
			if (result < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		} else if (!proxy) {
			get_email_set(TYPE_CRT, crt);
		}

		if (!ca_status || server) {
			if (pk == GNUTLS_PK_RSA ||
			    pk == GNUTLS_PK_GOST_01 ||
			    pk == GNUTLS_PK_GOST_12_256 ||
			    pk == GNUTLS_PK_GOST_12_512)  {	/* DSA and ECDSA keys can only sign. */
				result = get_sign_status(server);
				if (result)
					usage |=
					    GNUTLS_KEY_DIGITAL_SIGNATURE;

				result = get_encrypt_status(server);
				if (result)
					usage |=
					    GNUTLS_KEY_KEY_ENCIPHERMENT;
			} else {
				usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
			}

			if (is_ike) {
				result =
				    gnutls_x509_crt_set_key_purpose_oid
				    (crt, GNUTLS_KP_IPSEC_IKE, 0);
				if (result < 0) {
					fprintf(stderr, "key_kp: %s\n",
						gnutls_strerror(result));
					app_exit(1);
				}
			}

		} else if (ca_status) {
			/* CAs always sign */
			if (get_sign_status(server))
				usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
		}

		result = get_key_agreement_status();
		if (result)
			usage |= GNUTLS_KEY_KEY_AGREEMENT;

		result = get_data_encipherment_status();
		if (result)
			usage |= GNUTLS_KEY_DATA_ENCIPHERMENT;

		result = get_non_repudiation_status();
		if (result)
			usage |= GNUTLS_KEY_NON_REPUDIATION;

		result = get_ocsp_sign_status();
		if (result) {
			result =
			    gnutls_x509_crt_set_key_purpose_oid
			    (crt, GNUTLS_KP_OCSP_SIGNING, 0);
			if (result < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		result = get_code_sign_status();
		if (result) {
			result =
			    gnutls_x509_crt_set_key_purpose_oid
			    (crt, GNUTLS_KP_CODE_SIGNING, 0);
			if (result < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		result = get_time_stamp_status();
		if (result) {
			result =
			    gnutls_x509_crt_set_key_purpose_oid
			    (crt, GNUTLS_KP_TIME_STAMPING, 0);
			if (result < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		result = get_email_protection_status();
		if (result) {
			result =
			    gnutls_x509_crt_set_key_purpose_oid
			    (crt, GNUTLS_KP_EMAIL_PROTECTION, 0);
			if (result < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		if (ca_status) {
			result = get_cert_sign_status();
			if (result)
				usage |= GNUTLS_KEY_KEY_CERT_SIGN;

			result = get_crl_sign_status();
			if (result)
				usage |= GNUTLS_KEY_CRL_SIGN;


			crt_constraints_set(crt);
		}

		get_ocsp_issuer_set(crt);
		get_ca_issuers_set(crt);

		if (usage != 0) {
			/* https://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
			   set, then either digitalSignature or the nonRepudiation bits in the
			   KeyUsage extension MUST for all IKE certs */
			if (is_ike && (get_sign_status(server) != 1))
				usage |= GNUTLS_KEY_NON_REPUDIATION;
			result = gnutls_x509_crt_set_key_usage(crt, usage);
			if (result < 0) {
				fprintf(stderr, "key_usage: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		/* Subject Key ID.
		 */
		size = lbuffer_size;
		result = gnutls_x509_crt_get_key_id(crt, GNUTLS_KEYID_USE_SHA1, lbuffer, &size);
		if (result >= 0) {
			result =
			    gnutls_x509_crt_set_subject_key_id(crt, lbuffer,
							       size);
			if (result < 0) {
				fprintf(stderr, "set_subject_key_id: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		/* Authority Key ID.
		 */
		if (ca_crt != NULL) {
			size = lbuffer_size;
			result =
			    gnutls_x509_crt_get_subject_key_id(ca_crt,
							       lbuffer,
							       &size,
							       NULL);
			if (result >= 0) {
				result =
				    gnutls_x509_crt_set_authority_key_id
				    (crt, lbuffer, size);
				if (result < 0) {
					fprintf(stderr,
						"error setting authority key id: %s\n",
						gnutls_strerror(result));
					app_exit(1);
				}
			}
		}
	}

	/* Version.
	 */
	if (cinfo->v1_cert != 0)
		vers = 1;
	else
		vers = 3;
	result = gnutls_x509_crt_set_version(crt, vers);
	if (result < 0) {
		fprintf(stderr, "error setting certificate version: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	if ((HAVE_OPT(KEY_TYPE) || req_key_type != REQ_KEY_TYPE_DEFAULT) && req_key_type != pk) {
		if (pk != GNUTLS_PK_RSA || req_key_type != GNUTLS_PK_RSA_PSS) {
			fprintf(stderr, "cannot set certificate type (%s) incompatible with the key (%s)\n",
				gnutls_pk_get_name(req_key_type), gnutls_pk_get_name(pk));
			app_exit(1);
		}
	}

	/* Set algorithm parameter restriction in CAs.
	 */
	if (pk == GNUTLS_PK_RSA_PSS && ca_status && key) {
		result = gnutls_x509_spki_init(&spki);
		if (result < 0) {
			fprintf(stderr, "spki_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_privkey_get_spki(key, spki, 0);
		if (result >= 0) {
			result = gnutls_x509_crt_set_spki(crt, spki, 0);
			if (result < 0) {
				fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		gnutls_x509_spki_deinit(spki);

	} else if (pk == GNUTLS_PK_RSA && req_key_type == GNUTLS_PK_RSA_PSS) {
		result = gnutls_x509_spki_init(&spki);
		if (result < 0) {
			fprintf(stderr, "spki_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		SET_SPKI_PARAMS(spki, cinfo);

		result = gnutls_x509_crt_set_spki(crt, spki, 0);
		if (result < 0) {
			fprintf(stderr, "error setting RSA-PSS SPKI information: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		gnutls_x509_spki_deinit(spki);
	}

	/* always set CRL distribution points on CAs, but also on certificates
	 * generated with --generate-self-signed. The latter is to retain
	 * compatibility with previous versions of certtool. */
	if (ca_status || (!proxy && ca_crt == NULL)) {
		get_crl_dist_point_set(crt);
	} else if (!proxy && ca_crt != NULL) {
		gnutls_x509_crt_cpy_crl_dist_points(crt, ca_crt);
	}

	*ret_key = key;
	return crt;

}

static gnutls_x509_crl_t
generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
{
	gnutls_x509_crl_t crl;
	gnutls_x509_crt_t *crts;
	gnutls_x509_crl_t *crls;
	size_t size, crl_size;
	int result;
	unsigned int i;
	time_t secs, this_update, exp;

	crls = load_crl_list(0, &crl_size, cinfo);
	if (crls != NULL) {
		if (crl_size > 1) {
			fprintf(stderr, "load_crl: too many CRLs present\n");
			app_exit(1);
		}
		crl = crls[0];
		gnutls_free(crls);
	} else {
		result = gnutls_x509_crl_init(&crl);
		if (result < 0) {
			fprintf(stderr, "crl_init: %s\n", gnutls_strerror(result));
			app_exit(1);
		}
	}

	crts = load_cert_list(0, &size, cinfo);

	exp = get_crl_revocation_date();

	for (i = 0; i < size; i++) {
		result = gnutls_x509_crl_set_crt(crl, crts[i], exp);
		if (result < 0) {
			fprintf(stderr, "crl_set_crt: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
		gnutls_x509_crt_deinit(crts[i]);
	}
	gnutls_free(crts);

	this_update = get_crl_this_update_date();

	result = gnutls_x509_crl_set_this_update(crl, this_update);
	if (result < 0) {
		fprintf(stderr, "this_update: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	secs = get_crl_next_update();

	result =
	    gnutls_x509_crl_set_next_update(crl, secs);
	if (result < 0) {
		fprintf(stderr, "next_update: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	result = gnutls_x509_crl_set_version(crl, 2);
	if (result < 0) {
		fprintf(stderr, "set_version: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	/* Authority Key ID.
	 */
	if (ca_crt != NULL) {
		size = lbuffer_size;
		result = gnutls_x509_crt_get_subject_key_id(ca_crt, lbuffer,
							    &size, NULL);
		if (result >= 0) {
			result =
			    gnutls_x509_crl_set_authority_key_id(crl,
								 lbuffer,
								 size);
			if (result < 0) {
				fprintf(stderr, "set_authority_key_id: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}

		}
	}

	{
		size_t serial_size;
		unsigned char serial[SERIAL_MAX_BYTES];

		serial_size = sizeof(serial);

		get_crl_number(serial, &serial_size);

		result = gnutls_x509_crl_set_number(crl, serial, serial_size);
		if (result < 0) {
			fprintf(stderr, "error setting CRL serial: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
	}

	return crl;
}

static gnutls_digest_algorithm_t get_dig_for_pub(gnutls_pubkey_t pubkey, common_info_st * cinfo)
{
	gnutls_digest_algorithm_t dig;
	int result;
	unsigned int mand;

	result =
	    gnutls_pubkey_get_preferred_hash_algorithm(pubkey, &dig,
						       &mand);
	if (result < 0) {
		{
			fprintf(stderr,
				"crt_get_preferred_hash_algorithm: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
	}

	/* if algorithm allows alternatives */
	if (mand == 0 && cinfo->hash != GNUTLS_DIG_UNKNOWN)
		dig = cinfo->hash;

	return dig;
}

static gnutls_digest_algorithm_t get_dig(gnutls_x509_crt_t crt, common_info_st * cinfo)
{
	gnutls_digest_algorithm_t dig;
	gnutls_pubkey_t pubkey;
	int result;

	result = gnutls_pubkey_init(&pubkey);
	if (result < 0) {
		fprintf(stderr, "memory error\n");
		app_exit(1);
	}

	result = gnutls_pubkey_import_x509(pubkey, crt, 0);
	if (result < 0) {
		{
			fprintf(stderr, "gnutls_pubkey_import_x509: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
	}

	dig = get_dig_for_pub(pubkey, cinfo);

	gnutls_pubkey_deinit(pubkey);

	return dig;
}

void generate_self_signed(common_info_st * cinfo)
{
	gnutls_x509_crt_t crt;
	gnutls_datum_t out;
	gnutls_privkey_t key;
	int result;
	unsigned int flags = 0;

	fprintf(stdlog, "Generating a self signed certificate...\n");

	crt = generate_certificate(&key, NULL, 0, cinfo);

	if (!key)
		key = load_private_key(1, cinfo);

	print_certificate_info(crt, stdlog, 0);

	fprintf(stdlog, "\n\nSigning certificate...\n");

	if (cinfo->rsa_pss_sign)
		flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;

	result =
	    gnutls_x509_crt_privkey_sign(crt, crt, key, get_dig(crt, cinfo), flags);
	if (result < 0) {
		fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	result =
	    gnutls_x509_crt_export2(crt, outcert_format, &out);
	if (result < 0) {
		fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	fwrite(out.data, 1, out.size, outfile);
	gnutls_free(out.data);

	gnutls_x509_crt_deinit(crt);
	gnutls_privkey_deinit(key);
}

static void generate_signed_certificate(common_info_st * cinfo)
{
	gnutls_x509_crt_t crt;
	gnutls_privkey_t key;
	gnutls_datum_t out;
	int result;
	gnutls_privkey_t ca_key;
	gnutls_x509_crt_t ca_crt;
	unsigned int flags = 0;

	fprintf(stdlog, "Generating a signed certificate...\n");

	ca_key = load_ca_private_key(cinfo);
	ca_crt = load_ca_cert(1, cinfo);

	crt = generate_certificate(&key, ca_crt, 0, cinfo);

	print_certificate_info(crt, stdlog, 0);

	fprintf(stdlog, "\n\nSigning certificate...\n");

	if (cinfo->rsa_pss_sign)
		flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;

	result =
	    gnutls_x509_crt_privkey_sign(crt, ca_crt, ca_key,
					 get_dig(ca_crt, cinfo), flags);
	if (result < 0) {
		fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	result =
	    gnutls_x509_crt_export2(crt, outcert_format, &out);
	if (result < 0) {
		fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	fwrite(out.data, 1, out.size, outfile);
	gnutls_free(out.data);

	gnutls_x509_crt_deinit(crt);
	gnutls_x509_crt_deinit(ca_crt);
	gnutls_privkey_deinit(key);
	gnutls_privkey_deinit(ca_key);
}

static void generate_proxy_certificate(common_info_st * cinfo)
{
	gnutls_x509_crt_t crt, eecrt;
	gnutls_privkey_t key, eekey;
	gnutls_datum_t out;
	int result;
	unsigned int flags = 0;

	fprintf(stdlog, "Generating a proxy certificate...\n");

	eekey = load_ca_private_key(cinfo);
	eecrt = load_cert(1, cinfo);

	crt = generate_certificate(&key, eecrt, 1, cinfo);

	print_certificate_info(crt, stdlog, 0);

	fprintf(stdlog, "\n\nSigning certificate...\n");

	if (cinfo->rsa_pss_sign)
		flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;

	result =
	    gnutls_x509_crt_privkey_sign(crt, eecrt, eekey, get_dig(eecrt, cinfo),
					 flags);
	if (result < 0) {
		fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	result =
	    gnutls_x509_crt_export2(crt, outcert_format, &out);
	if (result < 0) {
		fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	fwrite(out.data, 1, out.size, outfile);
	gnutls_free(out.data);

	gnutls_x509_crt_deinit(eecrt);
	gnutls_x509_crt_deinit(crt);
	gnutls_privkey_deinit(key);
	gnutls_privkey_deinit(eekey);
}

static void generate_signed_crl(common_info_st * cinfo)
{
	gnutls_x509_crl_t crl;
	int result;
	gnutls_privkey_t ca_key;
	gnutls_x509_crt_t ca_crt;

	fprintf(stdlog, "Generating a signed CRL...\n");

	ca_key = load_ca_private_key(cinfo);
	ca_crt = load_ca_cert(1, cinfo);
	crl = generate_crl(ca_crt, cinfo);

	fprintf(stdlog, "\n");
	result =
	    gnutls_x509_crl_privkey_sign(crl, ca_crt, ca_key,
					 get_dig(ca_crt, cinfo), 0);
	if (result < 0) {
		fprintf(stderr, "crl_privkey_sign: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	print_crl_info(crl, stdlog, cinfo);

	gnutls_privkey_deinit(ca_key);
	gnutls_x509_crl_deinit(crl);
	gnutls_x509_crt_deinit(ca_crt);
}

static void update_signed_certificate(common_info_st * cinfo)
{
	gnutls_x509_crt_t crt;
	int result;
	gnutls_privkey_t ca_key;
	gnutls_privkey_t pkey;
	gnutls_pubkey_t pubkey;
	gnutls_x509_crt_t ca_crt;
	gnutls_datum_t out;
	time_t tim;
	unsigned int flags = 0;

	fprintf(stdlog, "Generating a signed certificate...\n");


	ca_key = load_ca_private_key(cinfo);
	ca_crt = load_ca_cert(1, cinfo);
	crt = load_cert(1, cinfo);

	fprintf(stderr, "Activation/Expiration time.\n");
	tim = get_activation_date();

	result = gnutls_x509_crt_set_activation_time(crt, tim);
	if (result < 0) {
		fprintf(stderr, "set_activation: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	tim = get_expiration_date();
	result = gnutls_x509_crt_set_expiration_time(crt, tim);
	if (result < 0) {
		fprintf(stderr, "set_expiration: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	pkey = load_private_key(0, cinfo);
	pubkey = load_public_key_or_import(0, pkey, cinfo);

	if (pubkey) {
		fprintf(stderr, "Updating public key\n");
		result = gnutls_x509_crt_set_pubkey(crt, pubkey);
		if (result < 0) {
			fprintf(stderr, "cannot set public key: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
	}

	fprintf(stderr, "\n\nSigning certificate...\n");

	if (cinfo->rsa_pss_sign)
		flags |= GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS;

	result =
	    gnutls_x509_crt_privkey_sign(crt, ca_crt, ca_key,
					 get_dig(ca_crt, cinfo), flags);
	if (result < 0) {
		fprintf(stderr, "crt_sign: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	result =
	    gnutls_x509_crt_export2(crt, outcert_format, &out);
	if (result < 0) {
		fprintf(stderr, "crt_export: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	fwrite(out.data, 1, out.size, outfile);
	gnutls_free(out.data);

	gnutls_x509_crt_deinit(crt);
}

static void load_infile(const char *file)
{
	struct stat st;
	if (stat(file, &st) == 0) {
		fix_lbuffer(2*st.st_size);
	}

	infile = fopen(file, "rb");
	if (infile == NULL) {
		fprintf(stderr, "Cannot open %s for reading\n", OPT_ARG(INFILE));
		app_exit(1);
	}
}

static void cmd_parser(int argc, char **argv)
{
	int ret, privkey_op = 0;
	common_info_st cinfo;

	optionProcess(&certtoolOptions, argc, argv);

	if (HAVE_OPT(STDOUT_INFO)) {
		/* print informational messages on stdout instead of stderr */
		stdlog = stdout;
	} else {
		stdlog = stderr;
	}

	if (HAVE_OPT(GENERATE_PRIVKEY) || HAVE_OPT(GENERATE_REQUEST))
		privkey_op = 1;

	if (HAVE_OPT(HEX_NUMBERS))
		full_format = GNUTLS_CRT_PRINT_FULL_NUMBERS;

	if (HAVE_OPT(OUTFILE)) {
		outfile = safe_open_rw(OPT_ARG(OUTFILE), privkey_op);
		if (outfile == NULL) {
			fprintf(stderr, "Cannot open %s for writing\n", OPT_ARG(OUTFILE));
			app_exit(1);
		}
		outfile_name = OPT_ARG(OUTFILE);
	} else {
		outfile = stdout;
	}

	if (!HAVE_OPT(INFILE)) {
		/* infile can be different option depending on command */
		if (HAVE_OPT(CERTIFICATE_INFO) && HAVE_OPT(LOAD_CERTIFICATE)) {
			load_infile(OPT_ARG(LOAD_CERTIFICATE));
		} else if (HAVE_OPT(CRQ_INFO) && HAVE_OPT(LOAD_REQUEST)) {
			load_infile(OPT_ARG(LOAD_REQUEST));
		} else if (HAVE_OPT(PUBKEY_INFO) && HAVE_OPT(LOAD_PUBKEY)) {
			load_infile(OPT_ARG(LOAD_PUBKEY));
		} else if (HAVE_OPT(KEY_INFO) && HAVE_OPT(LOAD_PRIVKEY)) {
			load_infile(OPT_ARG(LOAD_PRIVKEY));
		} else if (HAVE_OPT(TO_RSA) && HAVE_OPT(LOAD_PRIVKEY)) {
			load_infile(OPT_ARG(LOAD_PRIVKEY));
		} else if (HAVE_OPT(CRL_INFO) && HAVE_OPT(LOAD_CRL)) {
			load_infile(OPT_ARG(LOAD_CRL));
		} else
			infile = stdin;
	} else {
		load_infile(OPT_ARG(INFILE));
	}


	fix_lbuffer(0);

	if (HAVE_OPT(INDER) || HAVE_OPT(INRAW))
		incert_format = GNUTLS_X509_FMT_DER;
	else
		incert_format = GNUTLS_X509_FMT_PEM;

	if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
		outcert_format = GNUTLS_X509_FMT_DER;
	else
		outcert_format = GNUTLS_X509_FMT_PEM;

	/* legacy options */
	if (HAVE_OPT(RSA)) {
		req_key_type = GNUTLS_PK_RSA;
	} else if (HAVE_OPT(DSA)) {
		req_key_type = GNUTLS_PK_DSA;
	} else if (HAVE_OPT(ECC)) {
		req_key_type = GNUTLS_PK_ECDSA;
	}

	if (HAVE_OPT(KEY_TYPE)) {
		req_key_type = figure_key_type(OPT_ARG(KEY_TYPE));
		if (req_key_type == GNUTLS_PK_UNKNOWN)
			app_exit(1);
	}

	batch = 0;
	if (HAVE_OPT(TEMPLATE)) {
		batch = 1;
		template_parse(OPT_ARG(TEMPLATE));
	}


	gnutls_global_set_log_function(tls_log_func);

	if (HAVE_OPT(DEBUG)) {
		gnutls_global_set_log_level(OPT_VALUE_DEBUG);
		printf("Setting log level to %d\n", (int) OPT_VALUE_DEBUG);
	}

	if ((ret = gnutls_global_init()) < 0) {
		fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	memset(&cinfo, 0, sizeof(cinfo));

	ask_pass = cinfo.ask_pass = ENABLED_OPT(ASK_PASS);
	cinfo.hash = GNUTLS_DIG_UNKNOWN;
	if (HAVE_OPT(HASH)) {
		cinfo.hash = hash_to_id(OPT_ARG(HASH));
		if (cinfo.hash == GNUTLS_DIG_UNKNOWN) {
			fprintf(stderr, "invalid hash: %s\n", OPT_ARG(HASH));
			app_exit(1);
		}
	}

#ifdef ENABLE_PKCS11
	if (HAVE_OPT(PROVIDER)) {
		ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
		if (ret < 0)
			fprintf(stderr, "pkcs11_init: %s",
				gnutls_strerror(ret));
		else {
			ret =
			    gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
						       NULL);
			if (ret < 0) {
				fprintf(stderr, "pkcs11_add_provider: %s",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}
	}

	pkcs11_common(&cinfo);
#endif

	if (HAVE_OPT(VERBOSE))
		cinfo.verbose = 1;

	if (HAVE_OPT(SEED)) {
		gnutls_datum_t seed;
		decode_seed(&seed, OPT_ARG(SEED), strlen(OPT_ARG(SEED)));

		cinfo.seed = seed.data;
		cinfo.seed_size = seed.size;
	}

	cinfo.batch = batch;
	cinfo.cprint = HAVE_OPT(CPRINT);

	if (HAVE_OPT(LOAD_PRIVKEY))
		cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);

	if (HAVE_OPT(LOAD_CRL))
		cinfo.crl = OPT_ARG(LOAD_CRL);

	if (HAVE_OPT(LOAD_DATA))
		cinfo.data_file = OPT_ARG(LOAD_DATA);

	cinfo.v1_cert = HAVE_OPT(V1);
	if (HAVE_OPT(NO_CRQ_EXTENSIONS))
		cinfo.crq_extensions = 0;
	else
		cinfo.crq_extensions = 1;

	if (HAVE_OPT(LOAD_PUBKEY))
		cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);

	cinfo.pkcs8 = HAVE_OPT(PKCS8);
	cinfo.incert_format = incert_format;
	cinfo.outcert_format = outcert_format;
	cinfo.outtext = ENABLED_OPT(TEXT) && outcert_format == GNUTLS_X509_FMT_PEM;

	if (HAVE_OPT(LOAD_CERTIFICATE))
		cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);

	if (HAVE_OPT(LOAD_REQUEST))
		cinfo.request = OPT_ARG(LOAD_REQUEST);

	if (HAVE_OPT(LOAD_CA_CERTIFICATE))
		cinfo.ca = OPT_ARG(LOAD_CA_CERTIFICATE);

	if (HAVE_OPT(LOAD_CA_PRIVKEY))
		cinfo.ca_privkey = OPT_ARG(LOAD_CA_PRIVKEY);

	if (HAVE_OPT(BITS))
		cinfo.bits = OPT_VALUE_BITS;

	if (HAVE_OPT(CURVE)) {
		gnutls_ecc_curve_t curve = str_to_curve(OPT_ARG(CURVE));
		cinfo.bits = GNUTLS_CURVE_TO_BITS(curve);
	}

	if (HAVE_OPT(SEC_PARAM))
		cinfo.sec_param = OPT_ARG(SEC_PARAM);

	if (HAVE_OPT(PKCS_CIPHER))
		cinfo.pkcs_cipher = OPT_ARG(PKCS_CIPHER);

	if (HAVE_OPT(PASSWORD)) {
		cinfo.password = OPT_ARG(PASSWORD);
		if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0) {
			fprintf(stderr, "Assuming PKCS #8 format...\n");
			cinfo.pkcs8 = 1;
		}
	}

	if (HAVE_OPT(NULL_PASSWORD)) {
		cinfo.null_password = 1;
		cinfo.password = "";
	}

	if (HAVE_OPT(PROVABLE))
		cinfo.provable = 1;

	if (HAVE_OPT(EMPTY_PASSWORD)) {
		cinfo.empty_password = 1;
		cinfo.password = "";
	}

	if (HAVE_OPT(VERIFY_PROFILE)) {
		if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) {
			cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
		} else {
			cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
		}
	} else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
		if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
			fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n");
			fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n");
		}
		/* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */
	}

	if (HAVE_OPT(SIGN_PARAMS))
		sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS));

	if (HAVE_OPT(GENERATE_SELF_SIGNED))
		generate_self_signed(&cinfo);
	else if (HAVE_OPT(GENERATE_CERTIFICATE))
		generate_signed_certificate(&cinfo);
	else if (HAVE_OPT(GENERATE_PROXY))
		generate_proxy_certificate(&cinfo);
	else if (HAVE_OPT(GENERATE_CRL))
		generate_signed_crl(&cinfo);
	else if (HAVE_OPT(UPDATE_CERTIFICATE))
		update_signed_certificate(&cinfo);
	else if (HAVE_OPT(GENERATE_PRIVKEY))
		generate_private_key(&cinfo);
	else if (HAVE_OPT(GENERATE_REQUEST))
		generate_request(&cinfo);
	else if (HAVE_OPT(VERIFY_PROVABLE_PRIVKEY))
		verify_provable_privkey(&cinfo);
	else if (HAVE_OPT(VERIFY_CHAIN))
		verify_chain(&cinfo);
	else if (HAVE_OPT(VERIFY))
		verify_certificate(&cinfo);
	else if (HAVE_OPT(VERIFY_CRL))
		verify_crl(&cinfo);
	else if (HAVE_OPT(CERTIFICATE_INFO))
		certificate_info(0, &cinfo);
	else if (HAVE_OPT(DH_INFO))
		dh_info(infile, outfile, &cinfo);
	else if (HAVE_OPT(CERTIFICATE_PUBKEY))
		certificate_info(1, &cinfo);
	else if (HAVE_OPT(KEY_INFO))
		privkey_info(&cinfo);
	else if (HAVE_OPT(TO_RSA)) {
		privkey_to_rsa(&cinfo);
	} else if (HAVE_OPT(PUBKEY_INFO))
		pubkey_info(NULL, &cinfo);
	else if (HAVE_OPT(FINGERPRINT))
		certificate_fpr(&cinfo);
	else if (HAVE_OPT(KEY_ID))
		pubkey_keyid(&cinfo);
	else if (HAVE_OPT(TO_P12))
		generate_pkcs12(&cinfo);
	else if (HAVE_OPT(P12_INFO))
		pkcs12_info(&cinfo);
	else if (HAVE_OPT(GENERATE_DH_PARAMS))
		generate_prime(outfile, 1, &cinfo);
	else if (HAVE_OPT(GET_DH_PARAMS))
		generate_prime(outfile, 0, &cinfo);
	else if (HAVE_OPT(CRL_INFO))
		crl_info(&cinfo);
	else if (HAVE_OPT(P7_INFO))
		pkcs7_info(&cinfo, ENABLED_OPT(P7_SHOW_DATA));
	else if (HAVE_OPT(P7_GENERATE))
		pkcs7_generate(&cinfo);
	else if (HAVE_OPT(P7_SIGN))
		pkcs7_sign(&cinfo, 1);
	else if (HAVE_OPT(P7_DETACHED_SIGN))
		pkcs7_sign(&cinfo, 0);
	else if (HAVE_OPT(P7_VERIFY))
		verify_pkcs7(&cinfo, OPT_ARG(VERIFY_PURPOSE), ENABLED_OPT(P7_SHOW_DATA));
	else if (HAVE_OPT(P8_INFO))
		pkcs8_info();
	else if (HAVE_OPT(SMIME_TO_P7))
		smime_to_pkcs7();
	else if (HAVE_OPT(TO_P8))
		generate_pkcs8(&cinfo);
	else if (HAVE_OPT(CRQ_INFO))
		crq_info(&cinfo);
	else
		USAGE(1);

	if (outfile != stdout)
		fclose(outfile);


	free(cinfo.seed);
#ifdef ENABLE_PKCS11
	gnutls_pkcs11_deinit();
#endif
	gnutls_global_deinit();
}

void certificate_info(int pubkey, common_info_st * cinfo)
{
	gnutls_x509_crt_t *crts = NULL;
	size_t size;
	gnutls_datum_t out;
	int ret, i, count;
	gnutls_datum_t pem;
	unsigned int crt_num;

	pem.data = (void *) fread_file(infile, 0, &size);
	pem.size = size;

	if (!pem.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	ret =
	    gnutls_x509_crt_list_import2(&crts, &crt_num, &pem, incert_format, 0);
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	free(pem.data);

	count = crt_num;

	if (count > 1 && outcert_format == GNUTLS_X509_FMT_DER) {
		fprintf(stderr,
			"Cannot output multiple certificates in DER format; "
			"using PEM instead\n");
		outcert_format = GNUTLS_X509_FMT_PEM;
	}

	for (i = 0; i < count; i++) {
		if (i > 0)
			fprintf(outfile, "\n");

		if (cinfo->outtext)
			print_certificate_info(crts[i], outfile, 1);

		if (pubkey) {
			/* this deinitializes the certificate */
			pubkey_info(crts[i], cinfo);
		} else {
			ret =
			    gnutls_x509_crt_export2(crts[i], outcert_format, &out);
			if (ret < 0) {
				fprintf(stderr, "export error: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}

			fwrite(out.data, 1, out.size, outfile);
			gnutls_free(out.data);

			gnutls_x509_crt_deinit(crts[i]);
		}

	}
	gnutls_free(crts);
}

static void
print_certificate_info(gnutls_x509_crt_t crt, FILE * out, unsigned int all)
{
	gnutls_datum_t data;
	int ret;

	if (all)
		ret = gnutls_x509_crt_print(crt, full_format, &data);
	else
		ret =
		    gnutls_x509_crt_print(crt,
					  GNUTLS_CRT_PRINT_UNSIGNED_FULL,
					  &data);
	if (ret == 0) {
		fprintf(out, "%s\n", data.data);
		gnutls_free(data.data);
	}

	if (out == stderr && batch == 0)	/* interactive */
		if (read_yesno("Is the above information ok? (y/N): ", 0)
		    == 0) {
			app_exit(1);
		}
}

static void print_crl_info(gnutls_x509_crl_t crl, FILE * out, common_info_st *cinfo)
{
	gnutls_datum_t data;
	gnutls_datum_t cout;
	int ret;

	if (cinfo->outtext) {
		ret = gnutls_x509_crl_print(crl, full_format, &data);
		if (ret < 0) {
			fprintf(stderr, "crl_print: %s\n", gnutls_strerror(ret));
			app_exit(1);
		}
		fprintf(out, "%s\n", data.data);

		gnutls_free(data.data);
	}

	ret =
	    gnutls_x509_crl_export2(crl, outcert_format, &cout);
	if (ret < 0) {
		fprintf(stderr, "crl_export: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fwrite(cout.data, 1, cout.size, outfile);
	gnutls_free(cout.data);
}

void crl_info(common_info_st *cinfo)
{
	gnutls_x509_crl_t crl;
	int ret;
	size_t size;
	gnutls_datum_t pem;

	ret = gnutls_x509_crl_init(&crl);
	if (ret < 0) {
		fprintf(stderr, "crl_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	pem.data = (void *) fread_file(infile, 0, &size);
	pem.size = size;

	if (!pem.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	ret = gnutls_x509_crl_import(crl, &pem, incert_format);

	free(pem.data);
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	print_crl_info(crl, outfile, cinfo);

	gnutls_x509_crl_deinit(crl);
}

static void print_crq_info(gnutls_x509_crq_t crq, FILE * out, common_info_st *cinfo)
{
	gnutls_datum_t data;
	int ret;
	size_t size;

	if (cinfo->outtext) {
		ret = gnutls_x509_crq_print(crq, full_format, &data);
		if (ret < 0) {
			fprintf(stderr, "crq_print: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		fprintf(out, "%s\n", data.data);

		gnutls_free(data.data);
	}

	ret = gnutls_x509_crq_verify(crq, 0);
	if (ret < 0) {
		fprintf(cinfo->outtext ? out : stderr,
			"Self signature: FAILED\n\n");
	} else {
		fprintf(cinfo->outtext ? out : stderr,
			"Self signature: verified\n\n");
	}

	size = lbuffer_size;
	ret = gnutls_x509_crq_export(crq, outcert_format, lbuffer, &size);
	if (ret < 0) {
		fprintf(stderr, "crq_export: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fwrite(lbuffer, 1, size, outfile);
}

void crq_info(common_info_st *cinfo)
{
	gnutls_x509_crq_t crq;
	int ret;
	size_t size;
	gnutls_datum_t pem;

	ret = gnutls_x509_crq_init(&crq);
	if (ret < 0) {
		fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	pem.data = (void *) fread_file(infile, 0, &size);
	pem.size = size;

	if (!pem.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	ret = gnutls_x509_crq_import(crq, &pem, incert_format);

	free(pem.data);
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	print_crq_info(crq, outfile, cinfo);

	gnutls_x509_crq_deinit(crq);
}

void privkey_info(common_info_st * cinfo)
{
	gnutls_x509_privkey_t key;
	size_t size;
	int ret;
	gnutls_datum_t pem;
	const char *pass;
	unsigned int flags = 0;

	size = fread(lbuffer, 1, lbuffer_size - 1, infile);
	lbuffer[size] = 0;

	ret = gnutls_x509_privkey_init(&key);
	if (ret < 0) {
		fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret));
		app_exit(1);
	}

	pem.data = lbuffer;
	pem.size = size;

	ret =
	    gnutls_x509_privkey_import2(key, &pem, incert_format, NULL, GNUTLS_PKCS_PLAIN);

	/* If we failed to import the certificate previously try PKCS #8 */
	if (ret == GNUTLS_E_DECRYPTION_FAILED) {
		fprintf(stderr, "Encrypted structure detected...\n");

		if (outcert_format == GNUTLS_X509_FMT_DER)
			pkcs8_info_int(&pem, incert_format, 1, stderr, "");
		else
			pkcs8_info_int(&pem, incert_format, 1, outfile, "");

		pass = get_password(cinfo, &flags, 0);

		ret = gnutls_x509_privkey_import2(key, &pem,
						  incert_format, pass,
						  flags);
	}
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}
	/* On this option we may import from PKCS #8 but we are always exporting
	 * to our format. */
	cinfo->pkcs8 = 0;

	print_private_key(outfile, cinfo, key);

	ret = gnutls_x509_privkey_verify_params(key);
	if (ret < 0)
		fprintf(outfile,
			"\n** Private key parameters validation failed **\n\n");

	gnutls_x509_privkey_deinit(key);
}

static void privkey_to_rsa(common_info_st * cinfo)
{
	gnutls_x509_privkey_t key;
	size_t size;
	int ret;
	gnutls_datum_t pem;
	const char *pass;
	unsigned int flags = 0;
	gnutls_datum_t out;

	size = fread(lbuffer, 1, lbuffer_size - 1, infile);
	lbuffer[size] = 0;

	ret = gnutls_x509_privkey_init(&key);
	if (ret < 0) {
		fprintf(stderr, "privkey_init: %s", gnutls_strerror(ret));
		app_exit(1);
	}

	pem.data = lbuffer;
	pem.size = size;

	ret =
	    gnutls_x509_privkey_import2(key, &pem, incert_format, NULL, GNUTLS_PKCS_PLAIN);

	/* If we failed to import the certificate previously try PKCS #8 */
	if (ret == GNUTLS_E_DECRYPTION_FAILED) {
		fprintf(stderr, "Encrypted structure detected...\n");

		if (outcert_format == GNUTLS_X509_FMT_DER)
			pkcs8_info_int(&pem, incert_format, 1, stderr, "");
		else
			pkcs8_info_int(&pem, incert_format, 1, outfile, "");

		pass = get_password(cinfo, &flags, 0);

		ret = gnutls_x509_privkey_import2(key, &pem,
						  incert_format, pass,
						  flags);
	}
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	ret = gnutls_x509_privkey_get_pk_algorithm(key);
	if (ret != GNUTLS_PK_RSA && ret != GNUTLS_PK_RSA_PSS) {
		fprintf(stderr, "unexpected key type: %s\n", gnutls_pk_get_name(ret));
		app_exit(1);
	}

	gnutls_x509_privkey_set_flags(key, GNUTLS_PRIVKEY_FLAG_EXPORT_COMPAT);

	ret = gnutls_x509_privkey_export2(key, cinfo->outcert_format, &out);
	if (ret < 0) {
		fprintf(stderr, "export error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fwrite(out.data, out.size, 1, outfile);
	gnutls_free(out.data);

	gnutls_x509_privkey_deinit(key);
}


/* Generate a PKCS #10 certificate request.
 */
void generate_request(common_info_st * cinfo)
{
	gnutls_x509_crq_t crq;
	gnutls_x509_privkey_t xkey;
	gnutls_pubkey_t pubkey;
	gnutls_privkey_t pkey;
	int ret, ca_status, path_len, pk;
	const char *pass;
	unsigned int usage = 0;

	fprintf(stderr, "Generating a PKCS #10 certificate request...\n");

	ret = gnutls_x509_crq_init(&crq);
	if (ret < 0) {
		fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	/* Load the private key.
	 */
	pkey = load_private_key(0, cinfo);
	if (!pkey) {
		if (HAVE_OPT(LOAD_PUBKEY)) {
			fprintf(stderr, "--load-pubkey was specified without corresponding --load-privkey\n");
			app_exit(1);
		}

		ret = gnutls_privkey_init(&pkey);
		if (ret < 0) {
			fprintf(stderr, "privkey_init: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		xkey = generate_private_key_int(cinfo);

		print_private_key(outfile, cinfo, xkey);

		ret =
		    gnutls_privkey_import_x509(pkey, xkey,
					       GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
		if (ret < 0) {
			fprintf(stderr, "privkey_import_x509: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
	}

	pubkey = load_public_key_or_import(1, pkey, cinfo);

	pk = gnutls_pubkey_get_pk_algorithm(pubkey, NULL);

	/* Set the DN.
	 */
	get_dn_crq_set(crq);

	get_cn_crq_set(crq);
	get_unit_crq_set(crq);
	get_organization_crq_set(crq);
	get_locality_crq_set(crq);
	get_state_crq_set(crq);
	get_country_crq_set(crq);

	get_dc_set(TYPE_CRQ, crq);
	get_uid_crq_set(crq);
	get_oid_crq_set(crq);

	get_dns_name_set(TYPE_CRQ, crq);
	get_uri_set(TYPE_CRQ, crq);
	get_ip_addr_set(TYPE_CRQ, crq);
	get_email_set(TYPE_CRQ, crq);
	get_other_name_set(TYPE_CRQ, crq);
	get_extensions_crt_set(TYPE_CRQ, crq);

	pass = get_challenge_pass();

	if (pass != NULL && pass[0] != 0) {
		ret = gnutls_x509_crq_set_challenge_password(crq, pass);
		if (ret < 0) {
			fprintf(stderr, "set_pass: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
	}

	if (cinfo->crq_extensions != 0) {
		ca_status = get_ca_status();
		if (ca_status)
			path_len = get_path_len();
		else
			path_len = -1;

		ret =
		    gnutls_x509_crq_set_basic_constraints(crq, ca_status,
							  path_len);
		if (ret < 0) {
			fprintf(stderr, "set_basic_constraints: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		if (pk == GNUTLS_PK_RSA ||
		    pk == GNUTLS_PK_GOST_01 ||
		    pk == GNUTLS_PK_GOST_12_256 ||
		    pk == GNUTLS_PK_GOST_12_512) {
			ret = get_sign_status(1);
			if (ret)
				usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;

			/* Only ask for an encryption certificate
			 * if it is an RSA one */
			ret = get_encrypt_status(1);
			if (ret)
				usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
			else
				usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
		} else {	/* DSA and ECDSA are always signing */
			if (get_encrypt_status(1))
				fprintf(stderr, "warning: this algorithm does not support encryption; disabling the encryption flag\n");

			usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
		}

		ret = get_code_sign_status();
		if (ret) {
			ret = gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_CODE_SIGNING, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		ret = get_time_stamp_status();
		if (ret) {
			ret = gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_TIME_STAMPING, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		ret = get_email_protection_status();
		if (ret) {
			ret =
			    gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_EMAIL_PROTECTION, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		ret = get_ipsec_ike_status();
		if (ret) {
			ret = gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_IPSEC_IKE, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		ret = get_ocsp_sign_status();
		if (ret) {
			ret = gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_OCSP_SIGNING, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		if (ca_status) {
			ret = get_cert_sign_status();
			if (ret)
				usage |= GNUTLS_KEY_KEY_CERT_SIGN;

			ret = get_crl_sign_status();
			if (ret)
				usage |= GNUTLS_KEY_CRL_SIGN;


		}

		ret = gnutls_x509_crq_set_key_usage(crq, usage);
		if (ret < 0) {
			fprintf(stderr, "key_usage: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		ret = get_tls_client_status();
		if (ret != 0) {
			ret = gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_TLS_WWW_CLIENT, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		ret = get_tls_server_status();
		if (ret != 0) {
			ret = gnutls_x509_crq_set_key_purpose_oid
			    (crq, GNUTLS_KP_TLS_WWW_SERVER, 0);
			if (ret < 0) {
				fprintf(stderr, "key_kp: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}

		get_key_purpose_set(TYPE_CRQ, crq);

		get_tlsfeatures_set(TYPE_CRQ, crq);
	}

	ret = gnutls_x509_crq_set_pubkey(crq, pubkey);
	if (ret < 0) {
		fprintf(stderr, "set_key: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	ret =
	    gnutls_x509_crq_privkey_sign(crq, pkey,
					 get_dig_for_pub(pubkey, cinfo), 0);
	if (ret < 0) {
		fprintf(stderr, "sign: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	print_crq_info(crq, outfile, cinfo);

	gnutls_x509_crq_deinit(crq);
	gnutls_privkey_deinit(pkey);
	gnutls_pubkey_deinit(pubkey);

}

static void print_verification_res(FILE * outfile, unsigned int output);

static const char *get_signature_algo(gnutls_x509_crt_t crt)
{
	int ret;
	static char oid[128];

	ret = gnutls_x509_crt_get_signature_algorithm(crt);
	if (ret < 0 || ret == GNUTLS_SIGN_UNKNOWN) {
		size_t oid_size = sizeof(oid);
		ret = gnutls_x509_crt_get_signature_oid(crt, oid, &oid_size);
		if (ret < 0)
			return NULL;
		return oid;
	}

	return gnutls_sign_get_name(ret);
}

static int detailed_verification(gnutls_x509_crt_t cert,
				 gnutls_x509_crt_t issuer,
				 gnutls_x509_crl_t crl,
				 unsigned int verification_output)
{
	char tmp[255];
	size_t tmp_size;
	gnutls_datum_t name = {NULL,0}, issuer_name = {NULL,0};
	gnutls_datum_t serial = {NULL,0};
	int ret;

	ret =
	    gnutls_x509_crt_get_issuer_dn3(cert, &issuer_name, 0);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_get_issuer_dn: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	ret = gnutls_x509_crt_get_dn3(cert, &name, 0);
	if (ret < 0) {
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			name.data = 0;
			name.size = 0;
		} else {
			fprintf(stderr, "gnutls_x509_crt_get_dn: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
	}

	fprintf(outfile, "\tSubject: %s\n", name.data);
	fprintf(outfile, "\tIssuer: %s\n", issuer_name.data);

	if (issuer != NULL) {
		gnutls_free(issuer_name.data);
		ret =
		    gnutls_x509_crt_get_dn3(issuer, &issuer_name, 0);
		if (ret < 0) {
			fprintf(stderr,
				"gnutls_x509_crt_get_issuer_dn: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		fprintf(outfile, "\tChecked against: %s\n", issuer_name.data);
	}

	fprintf(outfile, "\tSignature algorithm: %s\n", get_signature_algo(cert));

	if (crl != NULL) {
		gnutls_datum_t data;
		gnutls_free(issuer_name.data);

		ret =
		    gnutls_x509_crl_get_issuer_dn3(crl, &issuer_name, 0);
		if (ret < 0) {
			fprintf(stderr,
				"gnutls_x509_crl_get_issuer_dn: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		tmp_size = sizeof(tmp);
		ret =
		    gnutls_x509_crl_get_number(crl, tmp, &tmp_size, NULL);
		if (ret < 0) {
			serial.data = (void*)gnutls_strdup("unnumbered");
		} else {
			data.data = (void *) tmp;
			data.size = tmp_size;

			ret = gnutls_hex_encode2(&data, &serial);
			if (ret < 0) {
				fprintf(stderr, "gnutls_hex_encode: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
		}
		fprintf(outfile, "\tChecked against CRL[%s] of: %s\n",
			serial.data, issuer_name.data);
	}

	fprintf(outfile, "\tOutput: ");
	print_verification_res(outfile, verification_output);

	fputs("\n\n", outfile);

	gnutls_free(serial.data);
	gnutls_free(name.data);
	gnutls_free(issuer_name.data);

	return 0;
}

static void load_data(common_info_st *cinfo, gnutls_datum_t *data)
{
	FILE *fp;
	size_t size;

	fp = fopen(cinfo->data_file, "r");
	if (fp == NULL) {
		fprintf(stderr, "Could not open %s\n", cinfo->data_file);
		app_exit(1);
	}

	data->data = (void *) fread_file(fp, 0, &size);
	if (data->data == NULL) {
		fprintf(stderr, "Error reading data file");
		app_exit(1);
	}

	data->size = size;
	fclose(fp);
}

static gnutls_x509_trust_list_t load_tl(common_info_st * cinfo)
{
	gnutls_x509_trust_list_t list;
	int ret;

	ret = gnutls_x509_trust_list_init(&list, 0);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_trust_list_init: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	if (cinfo->ca == NULL) { /* system */
		ret = gnutls_x509_trust_list_add_system_trust(list, 0, 0);
		if (ret < 0) {
			fprintf(stderr, "Error loading system trust: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
		fprintf(stderr, "Loaded system trust (%d CAs available)\n", ret);
	} else if (cinfo->ca != NULL) {
		ret = gnutls_x509_trust_list_add_trust_file(list, cinfo->ca, cinfo->crl, cinfo->incert_format, 0, 0);
		if (ret < 0) {
			int ret2 = gnutls_x509_trust_list_add_trust_file(list, cinfo->ca, cinfo->crl, GNUTLS_X509_FMT_PEM, 0, 0);
			if (ret2 >= 0)
				ret = ret2;
		}

		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_trust_add_trust_file: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		fprintf(stderr, "Loaded CAs (%d available)\n", ret);
	}

	return list;
}

/* Loads from a certificate chain, the last certificate on the
 * trusted list. In addition it will load any CRLs if present.
 */
static gnutls_x509_trust_list_t load_tl_from_cert_chain(const char *cert, int cert_size)
{
	gnutls_datum_t tmp;
	gnutls_x509_crt_t *x509_cert_list = NULL;
	gnutls_x509_crl_t *x509_crl_list = NULL;
	unsigned x509_ncerts, x509_ncrls = 0;
	unsigned i;
	int ret;
	gnutls_x509_trust_list_t list;

	/* otherwise load the certificates in the trust list */
	ret = gnutls_x509_trust_list_init(&list, 0);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_trust_list_init: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	tmp.data = (void *) cert;
	tmp.size = cert_size;

	ret = gnutls_x509_crt_list_import2(&x509_cert_list, &x509_ncerts, &tmp, GNUTLS_X509_FMT_PEM, 0);
	if (ret < 0 || x509_ncerts < 1) {
		fprintf(stderr, "error parsing CRTs: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	ret =
	    gnutls_x509_crl_list_import2(&x509_crl_list,
					 &x509_ncrls, &tmp,
					 GNUTLS_X509_FMT_PEM, 0);
	if (ret < 0) {
		x509_crl_list = NULL;
		x509_ncrls = 0;
	}

	/* add CAs */
	ret =
	    gnutls_x509_trust_list_add_cas(list, &x509_cert_list[x509_ncerts - 1],
					   1, 0);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_trust_add_cas: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	/* add CRLs */
	if (x509_ncrls > 0) {
		ret =
		    gnutls_x509_trust_list_add_crls(list, x509_crl_list,
						    x509_ncrls, 0, 0);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_trust_add_crls: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
	}

	if (x509_ncerts > 1) {
		for (i=0;i<x509_ncerts-1;i++)
			gnutls_x509_crt_deinit(x509_cert_list[i]);
	}
	gnutls_free(x509_cert_list);
	gnutls_free(x509_crl_list);

	return list;
}

/* Will verify a certificate chain. If no CA certificates
 * are provided, then the last certificate in the certificate
 * chain is used as a CA.
 *
 * If @system is non-zero then the system's CA will be used.
 */
static int
_verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
		 unsigned use_system_trust, /* if ca_file == NULL */
		 const char *purpose,
		 const char *hostname, const char *email)
{
	int ret;
	unsigned i;
	gnutls_datum_t tmp;
	gnutls_x509_crt_t *x509_cert_list = NULL;
	unsigned int x509_ncerts;
	gnutls_x509_trust_list_t list;
	unsigned int output;
	unsigned vflags;

	if (use_system_trust != 0 || cinfo->ca != NULL) {
		list = load_tl(cinfo);
		if (list == NULL) {
			fprintf(stderr, "error loading trust list\n");
		}

	} else {
		list = load_tl_from_cert_chain(cert, cert_size);
		if (list == NULL) {
			fprintf(stderr, "error loading trust list\n");
		}
	}

	tmp.data = (void *) cert;
	tmp.size = cert_size;

	ret =
	    gnutls_x509_crt_list_import2(&x509_cert_list,
					 &x509_ncerts, &tmp,
					 GNUTLS_X509_FMT_PEM, 0);
	if (ret < 0 || x509_ncerts < 1) {
		fprintf(stderr, "error parsing CRTs: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME;
	vflags |= GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile);

	if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
		vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;


	if (purpose || hostname || email) {
		gnutls_typed_vdata_st vdata[2];
		unsigned vdata_size = 0;

		if (purpose) {
			vdata[vdata_size].type = GNUTLS_DT_KEY_PURPOSE_OID;
			vdata[vdata_size].data = (void*)purpose;
			vdata[vdata_size].size = strlen(purpose);
			vdata_size++;
		}

		if (hostname) {
			vdata[vdata_size].type = GNUTLS_DT_DNS_HOSTNAME;
			vdata[vdata_size].data = (void*)hostname;
			vdata[vdata_size].size = strlen(hostname);
			vdata_size++;
		} else if (email) {
			vdata[vdata_size].type = GNUTLS_DT_RFC822NAME;
			vdata[vdata_size].data = (void*)email;
			vdata[vdata_size].size = strlen(email);
			vdata_size++;
		}

		ret =
		    gnutls_x509_trust_list_verify_crt2(list, x509_cert_list,
						       x509_ncerts,
						       vdata,
						       vdata_size,
						       vflags,
						       &output,
						       detailed_verification);
	} else {
		ret =
		    gnutls_x509_trust_list_verify_crt(list, x509_cert_list,
						      x509_ncerts,
						      vflags,
						      &output,
						      detailed_verification);
	}
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_trusted_list_verify_crt: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(outfile, "Chain verification output: ");
	print_verification_res(outfile, output);

	fprintf(outfile, "\n\n");

	gnutls_x509_trust_list_deinit(list, 1);
	for (i=0;i<x509_ncerts;i++)
		gnutls_x509_crt_deinit(x509_cert_list[i]);
	gnutls_free(x509_cert_list);

	/* intentionally does not use app_exit() to preserve outfile */
	if (output != 0)
		exit(EXIT_FAILURE);

	return 0;
}

static void print_verification_res(FILE * out, unsigned int output)
{
	gnutls_datum_t pout;
	int ret;

	if (output) {
		fprintf(out, "Not verified.");
	} else {
		fprintf(out, "Verified.");
	}

	ret =
	    gnutls_certificate_verification_status_print(output,
							 GNUTLS_CRT_X509,
							 &pout, 0);
	if (ret < 0) {
		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
		app_exit(EXIT_FAILURE);
	}

	fprintf(out, " %s", pout.data);
	gnutls_free(pout.data);
}

static void verify_chain(common_info_st * cinfo)
{
	char *buf;
	size_t size;

	if (cinfo->ca != NULL) {
		fprintf(stderr, "This option cannot be combined with --load-ca-certificate\n");
		app_exit(1);
	}

	buf = (void *) fread_file(infile, 0, &size);
	if (buf == NULL) {
		fprintf(stderr, "Error reading certificate chain");
		app_exit(1);
	}

	_verify_x509_mem(buf, size, cinfo, 0, OPT_ARG(VERIFY_PURPOSE),
			 OPT_ARG(VERIFY_HOSTNAME), OPT_ARG(VERIFY_EMAIL));
	free(buf);
}

static void verify_certificate(common_info_st * cinfo)
{
	char *cert;
	char *cas = NULL;
	size_t cert_size;

	cert = (void *) fread_file(infile, 0, &cert_size);
	if (cert == NULL) {
		fprintf(stderr, "Error reading certificate chain");
		app_exit(1);
	}

	_verify_x509_mem(cert, cert_size, cinfo, 1,
			 OPT_ARG(VERIFY_PURPOSE),
			 OPT_ARG(VERIFY_HOSTNAME), OPT_ARG(VERIFY_EMAIL));
	free(cert);
	free(cas);


}

void verify_crl(common_info_st * cinfo)
{
	size_t size;
	gnutls_datum_t dn;
	unsigned int output;
	int ret, rc;
	gnutls_datum_t pem, pout;
	gnutls_x509_crl_t crl;
	gnutls_x509_crt_t issuer;

	issuer = load_ca_cert(1, cinfo);

	fprintf(outfile, "\nCA certificate:\n");

	ret = gnutls_x509_crt_get_dn3(issuer, &dn, 0);
	if (ret < 0) {
		fprintf(stderr, "crt_get_dn: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(outfile, "\tSubject: %s\n\n", dn.data);

	ret = gnutls_x509_crl_init(&crl);
	if (ret < 0) {
		fprintf(stderr, "crl_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	pem.data = (void *) fread_file(infile, 0, &size);
	pem.size = size;

	if (!pem.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	ret = gnutls_x509_crl_import(crl, &pem, incert_format);
	free(pem.data);
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	print_crl_info(crl, outfile, cinfo);

	ret = gnutls_x509_crl_verify(crl, &issuer, 1, 0, &output);
	if (ret < 0) {
		fprintf(stderr, "verification error: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(outfile, "Verification output: ");

	if (output) {
		fprintf(outfile, "Not verified. ");
		rc = 1;
	} else {
		fprintf(outfile, "Verified.");
		rc = 0;
	}

	ret =
	    gnutls_certificate_verification_status_print(output,
							 GNUTLS_CRT_X509,
							 &pout, 0);
	if (ret < 0) {
		fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
		app_exit(EXIT_FAILURE);
	}

	fprintf(outfile, " %s", pout.data);
	gnutls_free(pout.data);

	fprintf(outfile, "\n");

	app_exit(rc);
}

static void print_pkcs7_sig_info(gnutls_pkcs7_signature_info_st *info, common_info_st *cinfo)
{
	int ret;
	gnutls_datum_t str;

	ret = gnutls_pkcs7_print_signature_info(info, GNUTLS_CRT_PRINT_COMPACT, &str);
	if (ret < 0) {
		fprintf(stderr, "printing error: %s\n",
				gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(outfile, "%s", str.data);
	gnutls_free(str.data);
}

void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_data)
{
	gnutls_pkcs7_t pkcs7;
	int ret, ecode;
	size_t size;
	gnutls_datum_t data, detached = {NULL,0};
	gnutls_datum_t tmp = {NULL,0};
	int i;
	gnutls_pkcs7_signature_info_st info;
	gnutls_x509_trust_list_t tl = NULL;
	gnutls_typed_vdata_st vdata[2];
	unsigned vdata_size = 0;
	gnutls_x509_crt_t signer = NULL;
	unsigned flags = 0;

	ret = gnutls_pkcs7_init(&pkcs7);
	if (ret < 0) {
		fprintf(stderr, "p7_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	data.data = (void *) fread_file(infile, 0, &size);
	data.size = size;

	if (!data.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	ret = gnutls_pkcs7_import(pkcs7, &data, cinfo->incert_format);
	free(data.data);
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	if (cinfo->cert != NULL) {
		signer = load_cert(1, cinfo);
	} else { /* trust list */
		tl = load_tl(cinfo);
		if (tl == NULL) {
			fprintf(stderr, "error loading trust list\n");
		}
	}

	if (cinfo->data_file)
		load_data(cinfo, &detached);

	if (purpose) {
		vdata[vdata_size].type = GNUTLS_DT_KEY_PURPOSE_OID;
		vdata[vdata_size].data = (void*)purpose;
		vdata[vdata_size].size = strlen(purpose);
		vdata_size++;
	}

	ecode = 1;
	for (i=0;;i++) {
		ret = gnutls_pkcs7_get_signature_info(pkcs7, i, &info);
		if (ret < 0)
			break;

		if (!display_data) {
			if (i==0) {
				fprintf(outfile, "eContent Type: %s\n", gnutls_pkcs7_get_embedded_data_oid(pkcs7));
				fprintf(outfile, "Signers:\n");
			}
			print_pkcs7_sig_info(&info, cinfo);
		} else if (i == 0) {
			if (!detached.data) {
				ret = gnutls_pkcs7_get_embedded_data(pkcs7, 0, &tmp);
				if (ret < 0) {
					fprintf(stderr, "error getting embedded data: %s\n", gnutls_strerror(ret));
					app_exit(1);
				}

				fwrite(tmp.data, 1, tmp.size, outfile);
				gnutls_free(tmp.data);
				tmp.data = NULL;
			} else {
				fwrite(detached.data, 1, detached.size, outfile);
			}
		}

		gnutls_pkcs7_signature_info_deinit(&info);

		if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
			flags |= GNUTLS_VERIFY_ALLOW_BROKEN;

		if (signer) {
			ret = gnutls_pkcs7_verify_direct(pkcs7, signer, i, detached.data!=NULL?&detached:NULL, flags);

			if (ret >= 0 && purpose) {
				unsigned res = gnutls_x509_crt_check_key_purpose(signer, purpose, 0);
				if (res == 0)
					ret = GNUTLS_E_CONSTRAINT_ERROR;
			}

		} else {
			assert(tl != NULL);
			ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
		}
		if (ret < 0) {
			fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
			ecode = 1;
		} else {
			fprintf(stderr, "\tSignature status: ok\n");
			ecode = 0;
		}
	}


	gnutls_pkcs7_deinit(pkcs7);
	if (signer)
		gnutls_x509_crt_deinit(signer);
	else
		gnutls_x509_trust_list_deinit(tl, 1);
	free(detached.data);
	app_exit(ecode);
}

void pkcs7_sign(common_info_st * cinfo, unsigned embed)
{
	gnutls_pkcs7_t pkcs7;
	gnutls_privkey_t key;
	int ret;
	size_t size;
	gnutls_datum_t data;
	unsigned flags = 0;
	gnutls_x509_crt_t *crts;
	size_t crt_size;
	size_t i;

	if (ENABLED_OPT(P7_TIME))
		flags |= GNUTLS_PKCS7_INCLUDE_TIME;

	if (ENABLED_OPT(P7_INCLUDE_CERT))
		flags |= GNUTLS_PKCS7_INCLUDE_CERT;

	ret = gnutls_pkcs7_init(&pkcs7);
	if (ret < 0) {
		fprintf(stderr, "p7_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	data.data = (void *) fread_file(infile, 0, &size);
	data.size = size;

	if (!data.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	crts = load_cert_list(1, &crt_size, cinfo);
	key = load_private_key(1, cinfo);

	if (embed)
		flags |= GNUTLS_PKCS7_EMBED_DATA;

	ret = gnutls_pkcs7_sign(pkcs7, *crts, key, &data, NULL, NULL, get_dig(*crts, cinfo), flags);
	if (ret < 0) {
		fprintf(stderr, "Error signing: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	for (i=1;i<crt_size;i++) {
		ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
		if (ret < 0) {
			fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
			exit(1);
		}
	}


	size = lbuffer_size;
	ret =
	    gnutls_pkcs7_export(pkcs7, outcert_format, lbuffer, &size);
	if (ret < 0) {
		fprintf(stderr, "pkcs7_export: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fwrite(lbuffer, 1, size, outfile);

	gnutls_privkey_deinit(key);
	for (i=0;i<crt_size;i++) {
		gnutls_x509_crt_deinit(crts[i]);
	}
	gnutls_free(crts);
	gnutls_pkcs7_deinit(pkcs7);
	app_exit(0);
}

void pkcs7_generate(common_info_st * cinfo)
{
	gnutls_pkcs7_t pkcs7;
	int ret;
	size_t crl_size = 0, crt_size = 0;
	gnutls_x509_crt_t *crts;
	gnutls_x509_crl_t *crls;
	gnutls_datum_t tmp;
	unsigned i;

	crts = load_cert_list(1, &crt_size, cinfo);
	crls = load_crl_list(0, &crl_size, cinfo);

	ret = gnutls_pkcs7_init(&pkcs7);
	if (ret < 0) {
		fprintf(stderr, "p7_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	for (i=0;i<crt_size;i++) {
		ret = gnutls_pkcs7_set_crt(pkcs7, crts[i]);
		if (ret < 0) {
			fprintf(stderr, "Error adding cert: %s\n", gnutls_strerror(ret));
			app_exit(1);
		}
		gnutls_x509_crt_deinit(crts[i]);
	}
	gnutls_free(crts);

	for (i=0;i<crl_size;i++) {
		ret = gnutls_pkcs7_set_crl(pkcs7, crls[i]);
		if (ret < 0) {
			fprintf(stderr, "Error adding CRL: %s\n", gnutls_strerror(ret));
			app_exit(1);
		}
		gnutls_x509_crl_deinit(crls[i]);
	}
	gnutls_free(crls);

	ret =
	    gnutls_pkcs7_export2(pkcs7, outcert_format, &tmp);
	if (ret < 0) {
		fprintf(stderr, "pkcs7_export: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fwrite(tmp.data, 1, tmp.size, outfile);
	gnutls_free(tmp.data);

	gnutls_pkcs7_deinit(pkcs7);
	app_exit(0);
}


void generate_pkcs8(common_info_st * cinfo)
{
	gnutls_x509_privkey_t key;
	int result;
	size_t size;
	unsigned int flags = 0;
	const char *password;

	fprintf(stderr, "Generating a PKCS #8 key structure...\n");

	key = load_x509_private_key(1, cinfo);

	password = get_password(cinfo, &flags, 1);

	flags |= cipher_to_flags(cinfo->pkcs_cipher);

	size = lbuffer_size;
	result =
	    gnutls_x509_privkey_export_pkcs8(key, outcert_format,
					     password, flags, lbuffer,
					     &size);

	if (result < 0) {
		fprintf(stderr, "key_export: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	fwrite(lbuffer, 1, size, outfile);

}


#include <gnutls/pkcs12.h>
#include <unistd.h>

void generate_pkcs12(common_info_st * cinfo)
{
	gnutls_pkcs12_t pkcs12;
	gnutls_x509_crl_t *crls;
	gnutls_x509_crt_t *crts, ca_crt;
	gnutls_x509_privkey_t *keys;
	gnutls_mac_algorithm_t mac;
	int result;
	size_t size;
	gnutls_datum_t data;
	const char *pass;
	const char *name;
	unsigned int flags = 0, i;
	gnutls_datum_t key_id;
	unsigned char _key_id[64];
	int indx;
	size_t ncrts;
	size_t nkeys;
	size_t ncrls;

	fprintf(stderr, "Generating a PKCS #12 structure...\n");

	keys = load_privkey_list(0, &nkeys, cinfo);
	crts = load_cert_list(0, &ncrts, cinfo);
	ca_crt = load_ca_cert(0, cinfo);

	crls = load_crl_list(0, &ncrls, cinfo);

	if (keys == NULL && crts == NULL && ca_crt == NULL && crls == NULL) {
		fprintf(stderr, "You must specify one of\n\t--load-privkey\n\t--load-certificate\n\t--load-ca-certificate\n\t--load-crl\n");
		app_exit(1);
	}

	if (cinfo->hash != GNUTLS_DIG_UNKNOWN)
		mac = cinfo->hash;
	else
		mac = GNUTLS_MAC_SHA1;

	if (HAVE_OPT(P12_NAME)) {
		name = OPT_ARG(P12_NAME);
	} else {
		name = get_pkcs12_key_name();
	}

	result = gnutls_pkcs12_init(&pkcs12);
	if (result < 0) {
		fprintf(stderr, "pkcs12_init: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	pass = get_password(cinfo, &flags, 1);
	flags |= cipher_to_flags(cinfo->pkcs_cipher);

	for (i = 0; i < ncrts; i++) {
		gnutls_pkcs12_bag_t bag;

		result = gnutls_pkcs12_bag_init(&bag);
		if (result < 0) {
			fprintf(stderr, "bag_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		assert(crts != NULL && crts[i] != NULL);
		result = gnutls_pkcs12_bag_set_crt(bag, crts[i]);
		if (result < 0) {
			fprintf(stderr, "set_crt[%d]: %s\n", i,
				gnutls_strerror(result));
			app_exit(1);
		}

		indx = result;

		if (i == 0) {	/* only the first certificate gets the friendly name */
			result =
			    gnutls_pkcs12_bag_set_friendly_name(bag, indx,
								name);
			if (result < 0) {
				fprintf(stderr,
					"bag_set_friendly_name: %s\n",
					gnutls_strerror(result));
				app_exit(1);
			}
		}

		size = sizeof(_key_id);
		result =
		    gnutls_x509_crt_get_key_id(crts[i], GNUTLS_KEYID_USE_SHA1, _key_id, &size);
		if (result < 0) {
			fprintf(stderr, "key_id[%d]: %s\n", i,
				gnutls_strerror(result));
			app_exit(1);
		}

		key_id.data = _key_id;
		key_id.size = size;

		result = gnutls_pkcs12_bag_set_key_id(bag, indx, &key_id);
		if (result < 0) {
			fprintf(stderr, "bag_set_key_id: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
		if (result < 0) {
			fprintf(stderr, "bag_encrypt: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_set_bag(pkcs12, bag);
		if (result < 0) {
			fprintf(stderr, "set_bag: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
		gnutls_pkcs12_bag_deinit(bag);
	}

	/* add any CRLs */
	for (i = 0; i < ncrls; i++) {
		gnutls_pkcs12_bag_t bag;

		result = gnutls_pkcs12_bag_init(&bag);
		if (result < 0) {
			fprintf(stderr, "bag_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_bag_set_crl(bag, crls[i]);
		if (result < 0) {
			fprintf(stderr, "set_crl[%d]: %s\n", i,
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
		if (result < 0) {
			fprintf(stderr, "bag_encrypt: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_set_bag(pkcs12, bag);
		if (result < 0) {
			fprintf(stderr, "set_bag: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
		gnutls_pkcs12_bag_deinit(bag);
	}

	/* Add the ca cert, if any */
	if (ca_crt) {
		gnutls_pkcs12_bag_t bag;

		result = gnutls_pkcs12_bag_init(&bag);
		if (result < 0) {
			fprintf(stderr, "bag_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_bag_set_crt(bag, ca_crt);
		if (result < 0) {
			fprintf(stderr, "set_crt[%d]: %s\n", i,
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_bag_encrypt(bag, pass, flags);
		if (result < 0) {
			fprintf(stderr, "bag_encrypt: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_set_bag(pkcs12, bag);
		if (result < 0) {
			fprintf(stderr, "set_bag: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
		gnutls_pkcs12_bag_deinit(bag);
	}

	for (i = 0; i < nkeys; i++) {
		gnutls_pkcs12_bag_t kbag;

		result = gnutls_pkcs12_bag_init(&kbag);
		if (result < 0) {
			fprintf(stderr, "bag_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		assert(keys != NULL && keys[i] != NULL);

		size = lbuffer_size;
		result =
		    gnutls_x509_privkey_export_pkcs8(keys[i],
						     GNUTLS_X509_FMT_DER,
						     pass, flags, lbuffer,
						     &size);
		if (result < 0) {
			fprintf(stderr, "key_export[%d]: %s\n", i,
				gnutls_strerror(result));
			app_exit(1);
		}

		data.data = lbuffer;
		data.size = size;
		result =
		    gnutls_pkcs12_bag_set_data(kbag,
					       GNUTLS_BAG_PKCS8_ENCRYPTED_KEY,
					       &data);
		if (result < 0) {
			fprintf(stderr, "bag_set_data: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		indx = result;

		result =
		    gnutls_pkcs12_bag_set_friendly_name(kbag, indx, name);
		if (result < 0) {
			fprintf(stderr, "bag_set_friendly_name: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		size = sizeof(_key_id);
		result =
		    gnutls_x509_privkey_get_key_id(keys[i], GNUTLS_KEYID_USE_SHA1, _key_id,
						   &size);
		if (result < 0) {
			fprintf(stderr, "key_id[%d]: %s\n", i,
				gnutls_strerror(result));
			app_exit(1);
		}

		key_id.data = _key_id;
		key_id.size = size;

		result = gnutls_pkcs12_bag_set_key_id(kbag, indx, &key_id);
		if (result < 0) {
			fprintf(stderr, "bag_set_key_id: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_set_bag(pkcs12, kbag);
		if (result < 0) {
			fprintf(stderr, "set_bag: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}
		gnutls_pkcs12_bag_deinit(kbag);
	}

	result = gnutls_pkcs12_generate_mac2(pkcs12, mac, pass);
	if (result < 0) {
		fprintf(stderr, "generate_mac: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	size = lbuffer_size;
	result =
	    gnutls_pkcs12_export(pkcs12, outcert_format, lbuffer, &size);
	if (result < 0) {
		fprintf(stderr, "pkcs12_export: %s\n",
			gnutls_strerror(result));
		app_exit(1);
	}

	fwrite(lbuffer, 1, size, outfile);
	for (i=0;i<ncrts;i++)
		gnutls_x509_crt_deinit(crts[i]);
	gnutls_free(crts);
	gnutls_x509_crt_deinit(ca_crt);
	gnutls_pkcs12_deinit(pkcs12);
}

static const char *BAGTYPE(gnutls_pkcs12_bag_type_t x)
{
	switch (x) {
	case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
		return "PKCS #8 Encrypted key";
	case GNUTLS_BAG_EMPTY:
		return "Empty";
	case GNUTLS_BAG_PKCS8_KEY:
		return "PKCS #8 Key";
	case GNUTLS_BAG_CERTIFICATE:
		return "Certificate";
	case GNUTLS_BAG_ENCRYPTED:
		return "Encrypted";
	case GNUTLS_BAG_CRL:
		return "CRL";
	case GNUTLS_BAG_SECRET:
		return "Secret";
	default:
		return "Unknown";
	}
}

static void print_bag_data(gnutls_pkcs12_bag_t bag, int outtext)
{
	int result;
	int count, i, type;
	gnutls_datum_t cdata, id;
	const char *str, *name;
	gnutls_datum_t out;

	count = gnutls_pkcs12_bag_get_count(bag);
	if (count < 0) {
		fprintf(stderr, "get_count: %s\n", gnutls_strerror(count));
		app_exit(1);
	}

	if (outtext)
		fprintf(outfile, "\tElements: %d\n", count);

	for (i = 0; i < count; i++) {
		type = gnutls_pkcs12_bag_get_type(bag, i);
		if (type < 0) {
			fprintf(stderr, "get_type: %s\n",
				gnutls_strerror(type));
			app_exit(1);
		}

		if (outtext)
			fprintf(outfile, "\tType: %s\n", BAGTYPE(type));

		result = gnutls_pkcs12_bag_get_data(bag, i, &cdata);
		if (result < 0) {
			fprintf(stderr, "get_data: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		if (type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY &&
		    outtext)
			pkcs8_info_int(&cdata, GNUTLS_X509_FMT_DER, 1, outfile, "\t");

		name = NULL;
		result =
		    gnutls_pkcs12_bag_get_friendly_name(bag, i,
							(char **) &name);
		if (result < 0) {
			fprintf(stderr, "get_friendly_name: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		if (name && outtext)
			fprintf(outfile, "\tFriendly name: %s\n", name);

		id.data = NULL;
		id.size = 0;
		result = gnutls_pkcs12_bag_get_key_id(bag, i, &id);
		if (result < 0) {
			fprintf(stderr, "get_key_id: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		if (id.size > 0 && outtext)
			fprintf(outfile, "\tKey ID: %s\n",
				raw_to_string(id.data, id.size));


		switch (type) {
		case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY:
			str = "ENCRYPTED PRIVATE KEY";
			break;
		case GNUTLS_BAG_PKCS8_KEY:
			str = "PRIVATE KEY";
			break;
		case GNUTLS_BAG_CERTIFICATE:
			str = "CERTIFICATE";
			break;
		case GNUTLS_BAG_CRL:
			str = "CRL";
			break;
		case GNUTLS_BAG_ENCRYPTED:
		case GNUTLS_BAG_EMPTY:
		default:
			str = NULL;
		}

		if (str != NULL) {
			result = gnutls_pem_base64_encode_alloc(str, &cdata, &out);
			if (result < 0) {
				fprintf(stderr, "Error in base64 encoding: %s\n", gnutls_strerror(result));
				app_exit(1);
			}
			fprintf(outfile, "%s", out.data);
			gnutls_free(out.data);
		}

	}
}

static
void pkcs12_bag_enc_info(gnutls_pkcs12_bag_t bag, FILE *out)
{
	int ret;
	unsigned schema;
	unsigned cipher;
	unsigned char salt[32];
	char hex[64+1];
	unsigned salt_size = sizeof(salt);
	unsigned iter_count;
	gnutls_datum_t bin;
	size_t hex_size = sizeof(hex);
	const char *str;
	char *oid = NULL;

	ret = gnutls_pkcs12_bag_enc_info(bag,
		&schema, &cipher, salt, &salt_size, &iter_count, &oid);
	if (ret == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
		fprintf(out, "\tSchema: unsupported (%s)\n", oid);
		gnutls_free(oid);
		return;
	}

	if (ret < 0) {
		fprintf(stderr, "PKCS #12 bag read error: %s\n",
			gnutls_strerror(ret));
		return;
	}
	gnutls_free(oid);

	fprintf(out, "\tCipher: %s\n", gnutls_cipher_get_name(cipher));

	str = gnutls_pkcs_schema_get_name(schema);
	if (str != NULL) {
		fprintf(out, "\tSchema: %s (%s)\n", str, gnutls_pkcs_schema_get_oid(schema));
	}

	bin.data = salt;
	bin.size = salt_size;
	ret = gnutls_hex_encode(&bin, hex, &hex_size);
	if (ret < 0) {
		fprintf(stderr, "hex encode error: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(out, "\tSalt: %s\n", hex);
	fprintf(out, "\tSalt size: %u\n", salt_size);
	fprintf(out, "\tIteration count: %u\n", iter_count);
}

void pkcs12_info(common_info_st * cinfo)
{
	gnutls_pkcs12_t pkcs12;
	gnutls_pkcs12_bag_t bag;
	gnutls_mac_algorithm_t mac_algo;
	char *mac_oid = NULL;
	char hex[64+1];
	size_t hex_size = sizeof(hex);
	char salt[32];
	unsigned int salt_size;
	unsigned int mac_iter;
	int result;
	size_t size;
	gnutls_datum_t data;
	const char *pass;
	int indx, fail = 0;

	result = gnutls_pkcs12_init(&pkcs12);
	if (result < 0) {
		fprintf(stderr, "p12_init: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	data.data = (void *) fread_file(infile, 0, &size);
	data.size = size;

	if (!data.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	result = gnutls_pkcs12_import(pkcs12, &data, incert_format, 0);
	free(data.data);
	if (result < 0) {
		fprintf(stderr, "p12_import: %s\n", gnutls_strerror(result));
		app_exit(1);
	}

	salt_size = sizeof(salt);
	result = gnutls_pkcs12_mac_info(pkcs12, &mac_algo, salt, &salt_size, &mac_iter, &mac_oid);
	if (result == GNUTLS_E_UNKNOWN_HASH_ALGORITHM && cinfo->outtext) {
		fprintf(outfile, "MAC info:\n");
		if (mac_oid != NULL)
			fprintf(outfile, "\tMAC: unknown (%s)\n", mac_oid);
	} else if (result >= 0 && cinfo->outtext) {
		gnutls_datum_t bin;

		fprintf(outfile, "MAC info:\n");
		fprintf(outfile, "\tMAC: %s (%s)\n", gnutls_mac_get_name(mac_algo), mac_oid);

		bin.data = (void*)salt;
		bin.size = salt_size;
		result = gnutls_hex_encode(&bin, hex, &hex_size);
		if (result < 0) {
			fprintf(stderr, "hex encode error: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		fprintf(outfile, "\tSalt: %s\n", hex);
		fprintf(outfile, "\tSalt size: %u\n", salt_size);
		fprintf(outfile, "\tIteration count: %u\n\n", mac_iter);
	}
	gnutls_free(mac_oid);

	pass = get_password(cinfo, NULL, 0);

	result = gnutls_pkcs12_verify_mac(pkcs12, pass);
	if (result < 0) {
		fail = 1;
		fprintf(stderr, "verify_mac: %s\n", gnutls_strerror(result));
	}

	for (indx = 0;; indx++) {
		result = gnutls_pkcs12_bag_init(&bag);
		if (result < 0) {
			fprintf(stderr, "bag_init: %s\n",
				gnutls_strerror(result));
			app_exit(1);
		}

		result = gnutls_pkcs12_get_bag(pkcs12, indx, bag);
		if (result < 0) {
			gnutls_pkcs12_bag_deinit(bag);
			break;
		}

		result = gnutls_pkcs12_bag_get_count(bag);
		if (result < 0) {
			fprintf(stderr, "bag_count: %s\n",
				gnutls_strerror(result));
			gnutls_pkcs12_bag_deinit(bag);
			app_exit(1);
		}

		if (cinfo->outtext)
			fprintf(outfile, "%sBAG #%d\n", indx ? "\n" : "", indx);

		result = gnutls_pkcs12_bag_get_type(bag, 0);
		if (result < 0) {
			fprintf(stderr, "bag_init: %s\n",
				gnutls_strerror(result));
			gnutls_pkcs12_bag_deinit(bag);
			app_exit(1);
		}

		if (result == GNUTLS_BAG_ENCRYPTED) {
			if (cinfo->outtext) {
				fprintf(outfile, "\tType: %s\n", BAGTYPE(result));
				pkcs12_bag_enc_info(bag, outfile);
				fprintf(outfile, "\n\tDecrypting...\n");
			}

			result = gnutls_pkcs12_bag_decrypt(bag, pass);

			if (result < 0) {
				fail = 1;
				fprintf(stderr, "bag_decrypt: %s\n",
					gnutls_strerror(result));
				gnutls_pkcs12_bag_deinit(bag);
				continue;
			}

			result = gnutls_pkcs12_bag_get_count(bag);
			if (result < 0) {
				fprintf(stderr, "encrypted bag_count: %s\n",
					gnutls_strerror(result));
				gnutls_pkcs12_bag_deinit(bag);
				app_exit(1);
			}
		}

		print_bag_data(bag, cinfo->outtext);

		gnutls_pkcs12_bag_deinit(bag);
	}

	gnutls_pkcs12_deinit(pkcs12);

	if (fail) {
		fprintf(stderr,
			"There were errors parsing the structure\n");
		app_exit(1);
	}
}

void pkcs8_info_int(gnutls_datum_t *data, unsigned format,
		    unsigned ignore_err, FILE *out, const char *tab)
{
	int ret;
	unsigned schema;
	unsigned cipher;
	unsigned char salt[32];
	char hex[64+1];
	unsigned salt_size = sizeof(salt);
	unsigned iter_count;
	gnutls_datum_t bin;
	size_t hex_size = sizeof(hex);
	const char *str;
	char *oid = NULL;

	ret = gnutls_pkcs8_info(data, format,
		&schema, &cipher, salt, &salt_size, &iter_count, &oid);
	if (ret == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
		fprintf(out, "PKCS #8 information:\n");
		fprintf(out, "\tSchema: unsupported (%s)\n", oid);
		goto cleanup;
	} else if (ret == GNUTLS_E_INVALID_REQUEST) {
		fprintf(out, "PKCS #8 information:\n");
		fprintf(out, "\tSchema: unencrypted key\n");
		goto cleanup;
	}

	if (ret < 0) {
		if (ignore_err)
			return;
		fprintf(stderr, "PKCS #8 read error: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(out, "%sPKCS #8 information:\n", tab);
	fprintf(out, "%s\tCipher: %s\n", tab, gnutls_cipher_get_name(cipher));

	str = gnutls_pkcs_schema_get_name(schema);
	if (str != NULL) {
		fprintf(out, "%s\tSchema: %s (%s)\n", tab, str,  gnutls_pkcs_schema_get_oid(schema));
	}


	bin.data = salt;
	bin.size = salt_size;
	ret = gnutls_hex_encode(&bin, hex, &hex_size);
	if (ret < 0) {
		fprintf(stderr, "hex encode error: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fprintf(out, "%s\tSalt: %s\n", tab, hex);
	fprintf(out, "%s\tSalt size: %u\n", tab, salt_size);
	fprintf(out, "%s\tIteration count: %u\n\n", tab, iter_count);

 cleanup:
	gnutls_free(oid);
}

void pkcs8_info(void)
{
	size_t size;
	gnutls_datum_t data;

	data.data = (void *) fread_file(infile, 0, &size);
	data.size = size;

	if (!data.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	pkcs8_info_int(&data, incert_format, 0, outfile, "");
	free(data.data);
}

void pkcs7_info(common_info_st *cinfo, unsigned display_data)
{
	gnutls_pkcs7_t pkcs7;
	int ret;
	size_t size;
	gnutls_datum_t data, str;

	ret = gnutls_pkcs7_init(&pkcs7);
	if (ret < 0) {
		fprintf(stderr, "p7_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	data.data = (void *) fread_file(infile, 0, &size);
	data.size = size;

	if (!data.data) {
		fprintf(stderr, "%s", infile ? "file" : "standard input");
		app_exit(1);
	}

	ret = gnutls_pkcs7_import(pkcs7, &data, incert_format);
	free(data.data);
	if (ret < 0) {
		fprintf(stderr, "import error: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	if (display_data) {
		gnutls_datum_t tmp;

		ret = gnutls_pkcs7_get_embedded_data(pkcs7, 0, &tmp);
		if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			if (ret < 0) {
				fprintf(stderr, "error getting embedded data: %s\n", gnutls_strerror(ret));
				app_exit(1);
			}

			fwrite(tmp.data, 1, tmp.size, outfile);
			gnutls_free(tmp.data);
		} else {
			fprintf(stderr, "no embedded data are available\n");
			app_exit(1);
		}
	} else {
		if (cinfo->outtext) {
			ret = gnutls_pkcs7_print(pkcs7, GNUTLS_CRT_PRINT_FULL, &str);
			if (ret < 0) {
				fprintf(stderr, "printing error: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}

			fprintf(outfile, "%s", str.data);
			gnutls_free(str.data);
		}

		size = lbuffer_size;
		ret =
		    gnutls_pkcs7_export(pkcs7, outcert_format,
					lbuffer, &size);
		if (ret < 0) {
			fprintf(stderr, "export error: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}

		fwrite(lbuffer, 1, size, outfile);
	}

	gnutls_pkcs7_deinit(pkcs7);
}

void smime_to_pkcs7(void)
{
	size_t linesize = 0;
	char *lineptr = NULL;
	ssize_t len;

	/* Find body. We do not handle non-b64 Content-Transfer-Encoding. */
	do {
		len = getline(&lineptr, &linesize, infile);
		if (len == -1) {
			fprintf(stderr,
				"cannot find RFC 2822 header/body separator");
			app_exit(1);
		}
	}
	while (strcmp(lineptr, "\r\n") != 0 && strcmp(lineptr, "\n") != 0);

	/* skip newlines */
	do {
		len = getline(&lineptr, &linesize, infile);
		if (len == -1) {
			fprintf(stderr,
				"message has RFC 2822 header but no body");
			app_exit(1);
		}
	}
	while (strcmp(lineptr, "\r\n") == 0 || strcmp(lineptr, "\n") == 0);

	fprintf(outfile, "%s", "-----BEGIN PKCS7-----\n");

	do {
		while (len > 0
		       && (lineptr[len - 1] == '\r'
			   || lineptr[len - 1] == '\n'))
			lineptr[--len] = '\0';
		if (strcmp(lineptr, "") != 0)
			fprintf(outfile, "%s\n", lineptr);
		len = getline(&lineptr, &linesize, infile);
	}
	while (len != -1);

	fprintf(outfile, "%s", "-----END PKCS7-----\n");

	free(lineptr);
}

/* Tries to find a public key in the provided options or stdin
 * When @crt is provided, it will be deinitialized.
 */
static
gnutls_pubkey_t find_pubkey(gnutls_x509_crt_t crt, common_info_st * cinfo)
{
	gnutls_pubkey_t pubkey = NULL;
	gnutls_privkey_t privkey = NULL;
	gnutls_x509_crq_t crq = NULL;
	int ret;
	size_t size;
	gnutls_datum_t pem;

	ret = gnutls_pubkey_init(&pubkey);
	if (ret < 0) {
		fprintf(stderr, "pubkey_init: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	if (crt == NULL) {
		crt = load_cert(0, cinfo);
	}

	if (crq == NULL) {
		crq = load_request(cinfo);
	}

	if (crt != NULL) {
		ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
		if (ret < 0) {
			fprintf(stderr, "pubkey_import_x509: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
		gnutls_x509_crt_deinit(crt);
	} else if (crq != NULL) {
		ret = gnutls_pubkey_import_x509_crq(pubkey, crq, 0);
		if (ret < 0) {
			fprintf(stderr, "pubkey_import_x509_crq: %s\n",
				gnutls_strerror(ret));
			app_exit(1);
		}
		gnutls_x509_crq_deinit(crq);
	} else {
		privkey = load_private_key(0, cinfo);

		if (privkey != NULL) {
			ret =
			    gnutls_pubkey_import_privkey(pubkey, privkey,
							 0, 0);
			if (ret < 0) {
				fprintf(stderr,
					"pubkey_import_privkey: %s\n",
					gnutls_strerror(ret));
				app_exit(1);
			}
			gnutls_privkey_deinit(privkey);
		} else {
			gnutls_pubkey_deinit(pubkey);
			pubkey = load_pubkey(0, cinfo);

			if (pubkey == NULL) { /* load from stdin */
				pem.data = (void *) fread_file(infile, 0, &size);
				pem.size = size;

				if (!pem.data) {
					fprintf(stderr, "%s", infile ? "file" : "standard input");
					app_exit(1);
				}

				ret = gnutls_pubkey_init(&pubkey);
				if (ret < 0) {
					fprintf(stderr,
						"pubkey_init: %s\n",
						gnutls_strerror(ret));
					app_exit(1);
				}

				if (memmem(pem.data, pem.size, "BEGIN CERTIFICATE", 16) != 0 ||
				    memmem(pem.data, pem.size, "BEGIN X509", 10) != 0) {
					ret = gnutls_x509_crt_init(&crt);
					if (ret < 0) {
						fprintf(stderr,
							"crt_init: %s\n",
							gnutls_strerror(ret));
						app_exit(1);
					}

					ret = gnutls_x509_crt_import(crt, &pem, GNUTLS_X509_FMT_PEM);
					if (ret < 0) {
						fprintf(stderr,
							"crt_import: %s\n",
							gnutls_strerror(ret));
						app_exit(1);
					}

					ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
					if (ret < 0) {
						fprintf(stderr, "pubkey_import_x509: %s\n",
						gnutls_strerror(ret));
						app_exit(1);
					}
					gnutls_x509_crt_deinit(crt);
				} else {
					ret = gnutls_pubkey_import(pubkey, &pem, incert_format);
					if (ret < 0) {
						fprintf(stderr,
							"pubkey_import: %s\n",
							gnutls_strerror(ret));
						app_exit(1);
					}
				}
				free(pem.data);
			}

		}
	}

	return pubkey;
}

void pubkey_info(gnutls_x509_crt_t crt, common_info_st * cinfo)
{
	gnutls_pubkey_t pubkey;

	pubkey = find_pubkey(crt, cinfo);
	if (pubkey == 0) {
		fprintf(stderr, "find public key error\n");
		app_exit(1);
	}

	print_pubkey_info(pubkey, outfile, full_format, outcert_format, cinfo->outtext);
	gnutls_pubkey_deinit(pubkey);
}

static
void pubkey_keyid(common_info_st * cinfo)
{
	gnutls_pubkey_t pubkey;
	uint8_t fpr[MAX_HASH_SIZE];
	char txt[MAX_HASH_SIZE*2+1];
	int ret;
	size_t size, fpr_size;
	gnutls_datum_t tmp;
	unsigned flags;

	pubkey = find_pubkey(NULL, cinfo);
	if (pubkey == 0) {
		fprintf(stderr, "find public key error\n");
		app_exit(1);
	}

	if (cinfo->hash == GNUTLS_DIG_SHA1 || cinfo->hash == GNUTLS_DIG_UNKNOWN)
		flags = GNUTLS_KEYID_USE_SHA1; /* be backwards compatible */
	else if (cinfo->hash == GNUTLS_DIG_SHA512)
		flags = GNUTLS_KEYID_USE_SHA512;
	else if (cinfo->hash == GNUTLS_DIG_SHA256)
		flags = GNUTLS_KEYID_USE_SHA256;
	else {
		fprintf(stderr, "Cannot calculate key ID with the provided hash (use sha1, sha256 or sha512)\n");
		app_exit(1);
	}

	fpr_size = sizeof(fpr);
	ret = gnutls_pubkey_get_key_id(pubkey, flags, fpr, &fpr_size);
	if (ret < 0) {
		fprintf(stderr,
			"get_key_id: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	tmp.data = fpr;
	tmp.size = fpr_size;

	size = sizeof(txt);
	ret = gnutls_hex_encode(&tmp, txt, &size);
	if (ret < 0) {
		fprintf(stderr,
			"hex_encode: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fputs(txt, outfile);
	fputs("\n", outfile);

	gnutls_pubkey_deinit(pubkey);
	return;
}

static
void certificate_fpr(common_info_st * cinfo)
{
	gnutls_x509_crt_t crt;
	size_t size;
	int ret = 0;
	gnutls_datum_t pem, tmp;
	unsigned int crt_num;
	uint8_t fpr[MAX_HASH_SIZE];
	char txt[MAX_HASH_SIZE*2+1];
	size_t fpr_size;

	crt = load_cert(0, cinfo);

	if (crt == NULL) {
		pem.data = (void *) fread_file(infile, 0, &size);
		pem.size = size;

		if (!pem.data) {
			fprintf(stderr, "%s", infile ? "file" : "standard input");
			app_exit(1);
		}

		crt_num = 1;
		ret =
		    gnutls_x509_crt_list_import(&crt, &crt_num, &pem, incert_format,
						GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
		if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
			fprintf(stderr, "too many certificates (%d).",
				crt_num);
		} else if (ret >= 0 && crt_num == 0) {
			fprintf(stderr, "no certificates were found.\n");
		}

		free(pem.data);
	}

	if (ret < 0) {
		fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
		app_exit(1);
	}

	fpr_size = sizeof(fpr);

	if (cinfo->hash == GNUTLS_DIG_UNKNOWN)
		cinfo->hash = GNUTLS_DIG_SHA1;

	ret = gnutls_x509_crt_get_fingerprint(crt, cinfo->hash, fpr, &fpr_size);
	if (ret < 0) {
		fprintf(stderr,
			"get_key_id: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	tmp.data = fpr;
	tmp.size = fpr_size;

	size = sizeof(txt);
	ret = gnutls_hex_encode(&tmp, txt, &size);
	if (ret < 0) {
		fprintf(stderr,
			"hex_encode: %s\n",
			gnutls_strerror(ret));
		app_exit(1);
	}

	fputs(txt, outfile);
	fputs("\n", outfile);

	gnutls_x509_crt_deinit(crt);
	return;
}