From 6a66c249ef497c7b341a618bf458284113c4e958 Mon Sep 17 00:00:00 2001

From: Tim Burke <tim.burke@gmail.com>

Date: Wed, 2 Oct 2019 13:10:23 -0700

Subject: [PATCH 07/11] Add support for client certificates and dhparams

Resolves: rhbz#1720667

Add --crl-file option

... to (optionally) create an empty Certificate Revocation List file.

Default the mode for the file to 0644, similar to the default for the CA

certificate. User can override this with a new --crl-mode option.

Closes #10.

Add function for DH parameter generation

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Generate DH parameters file

Adds CLI options to enable and control dhparam file generation.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Add serverAuth extendedKeyUsage for server certificates

Related to https://github.com/sgallagher/sscg/issues/13

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Rename create_service_cert() to create_cert()

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Use a common macro for default file modes

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Add I/O utility routines

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Rework output file handling

SSCG will now verify that it can open all of the files before it

starts processing through them. In addition, it now has better

validation that it isn't storing two keys into the same file, or

dhparams/CRL in a file with other content.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Check for invalid file combinations

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Add support for client certificates

Fixes: https://github.com/sgallagher/sscg/issues/13

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

---

 include/{service.h => cert.h} |  19 +-

 include/dhparams.h            |  42 ++

 include/io_utils.h            |  93 +++++

 include/sscg.h                |  99 ++++-

 meson.build                   |  51 ++-

 meson_options.txt             |  24 ++

 src/cert.c                    | 191 +++++++++

 src/dhparams.c                | 146 +++++++

 src/io_utils.c                | 424 +++++++++++++++++++

 src/service.c                 | 164 --------

 src/sscg.c                    | 753 +++++++++++++++++++++-------------

 test/dhparams_test.c          | 106 +++++

 12 files changed, 1651 insertions(+), 461 deletions(-)

 rename include/{service.h => cert.h} (67%)

 create mode 100644 include/dhparams.h

 create mode 100644 include/io_utils.h

 create mode 100644 meson_options.txt

 create mode 100644 src/cert.c

 create mode 100644 src/dhparams.c

 create mode 100644 src/io_utils.c

 delete mode 100644 src/service.c

 create mode 100644 test/dhparams_test.c

diff --git a/include/service.h b/include/cert.h

similarity index 67%

rename from include/service.h

rename to include/cert.h

index 20083caf905f8e70360539053134c0e9702c304a..11d04e50ebb2e08af781d0aa14b9aec930ff2f50 100644

--- a/include/service.h

+++ b/include/cert.h

@@ -21,15 +21,16 @@

 #include "x509.h"

 #include "key.h"

-#ifndef _SERVICE_H

-#define _SERVICE_H

+#ifndef _SSCG_CERT_H

+#define _SSCG_CERT_H

 int

-create_service_cert (TALLOC_CTX *mem_ctx,

-                     const struct sscg_options *options,

-                     struct sscg_x509_cert *ca_cert,

-                     struct sscg_evp_pkey *ca_key,

-                     struct sscg_x509_cert **_svc_cert,

-                     struct sscg_evp_pkey **_svc_key);

+create_cert (TALLOC_CTX *mem_ctx,

+             const struct sscg_options *options,

+             struct sscg_x509_cert *ca_cert,

+             struct sscg_evp_pkey *ca_key,

+             enum sscg_cert_type type,

+             struct sscg_x509_cert **_svc_cert,

+             struct sscg_evp_pkey **_svc_key);

-#endif /* _SERVICE_H */

+#endif /* _SSCG_CERT_H */

diff --git a/include/dhparams.h b/include/dhparams.h

new file mode 100644

index 0000000000000000000000000000000000000000..baa4fb3b297c5747fcce20f6950239779f71f19a

--- /dev/null

+++ b/include/dhparams.h

@@ -0,0 +1,42 @@

+/*

+    This file is part of sscg.

+

+    sscg is free software: you can redistribute it and/or modify

+    it under the terms of the GNU General Public License as published by

+    the Free Software Foundation, either version 3 of the License, or

+    (at your option) any later version.

+

+    sscg is distributed in the hope that it will be useful,

+    but WITHOUT ANY WARRANTY; without even the implied warranty of

+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+    GNU General Public License for more details.

+

+    You should have received a copy of the GNU General Public License

+    along with sscg.  If not, see <http://www.gnu.org/licenses/>.

+

+    Copyright 2019 by Stephen Gallagher <sgallagh@redhat.com>

+*/

+

+#ifndef _SSCG_DHPARAMS_H

+#define _SSCG_DHPARAMS_H

+

+#include <talloc.h>

+

+#include "include/sscg.h"

+

+struct sscg_dhparams

+{

+  int prime_len;

+  int generator;

+  DH *dh;

+  BN_GENCB *cb;

+};

+

+int

+create_dhparams (TALLOC_CTX *mem_ctx,

+                 enum sscg_verbosity options,

+                 int prime_len,

+                 int generator,

+                 struct sscg_dhparams **_dhparams);

+

+#endif /* _SSCG_DHPARAMS_H */

diff --git a/include/io_utils.h b/include/io_utils.h

new file mode 100644

index 0000000000000000000000000000000000000000..6a89a476b3d982447b6603153c6765835cd67464

--- /dev/null

+++ b/include/io_utils.h

@@ -0,0 +1,93 @@

+/*

+    This file is part of sscg.

+

+    sscg is free software: you can redistribute it and/or modify

+    it under the terms of the GNU General Public License as published by

+    the Free Software Foundation, either version 3 of the License, or

+    (at your option) any later version.

+

+    sscg is distributed in the hope that it will be useful,

+    but WITHOUT ANY WARRANTY; without even the implied warranty of

+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+    GNU General Public License for more details.

+

+    You should have received a copy of the GNU General Public License

+    along with sscg.  If not, see <http://www.gnu.org/licenses/>.

+

+    Copyright 2019 by Stephen Gallagher <sgallagh@redhat.com>

+*/

+

+#ifndef _SSCG_IO_UTILS_H

+#define _SSCG_IO_UTILS_H

+

+#include <openssl/ssl.h>

+#include <stdbool.h>

+#include <talloc.h>

+

+#include "include/sscg.h"

+

+

+struct sscg_stream

+{

+  BIO *bio;

+  char *path;

+  int mode;

+  int filetypes;

+};

+

+

+int

+sscg_normalize_path (TALLOC_CTX *mem_ctx,

+                     const char *path,

+                     char **_normalized_path);

+

+

+struct sscg_stream *

+sscg_io_utils_get_stream_by_path (struct sscg_stream **streams,

+                                  const char *normalized_path);

+

+

+struct sscg_stream *

+sscg_io_utils_get_stream_by_type (struct sscg_stream **streams,

+                                  enum sscg_file_type filetype);

+

+

+BIO *

+sscg_io_utils_get_bio_by_type (struct sscg_stream **streams,

+                               enum sscg_file_type filetype);

+

+

+const char *

+sscg_io_utils_get_path_by_type (struct sscg_stream **streams,

+                                enum sscg_file_type filetype);

+

+

+/**

+ * sscg_io_utils_add_output_file:

+ * @streams: The array of streams from the sscg_options

+ * @filetype:

+ * @path: The path to the file on disk.

+ * @mode: The filesystem mode this file should have when written to disk.

+ * See chmod(1) for the possible values.

+ * @overwrite: If true, replace any existing file at @normalized_path. If

+ * false, opening will fail if it already exists and return an error.

+ *

+ * Prepares all output filenames to be opened. Files are not created until

+ * sscg_io_utils_open_output_files() is called.

+ */

+int

+sscg_io_utils_add_output_file (struct sscg_stream **streams,

+                               enum sscg_file_type filetype,

+                               const char *path,

+                               int mode);

+

+

+int

+sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite);

+

+/* If this function fails, some of the output files may be left as 0400 */

+int

+sscg_io_utils_finalize_output_files (struct sscg_stream **streams);

+

+

+#endif /* _SSCG_IO_UTILS_H */

diff --git a/include/sscg.h b/include/sscg.h

index ce9a7916e9432d0843d82af61d56ea7238ded682..2744404c25c68ed905ca621bb955e0c04b33ca81 100644

--- a/include/sscg.h

+++ b/include/sscg.h

@@ -27,6 +27,8 @@

 #include <talloc.h>

 #include <stdint.h>

+#include "include/io_utils.h"

+

 #ifndef _SSCG_H

 #define _SSCG_H

@@ -108,6 +110,13 @@

     }                                                                         \

   while (0)

+

+#define SSCG_CERT_DEFAULT_MODE 0644

+#define SSCG_CERT_DEFAULT_MODE_HELP _ ("0644")

+#define SSCG_KEY_DEFAULT_MODE 0600

+#define SSCG_KEY_DEFAULT_MODE_HELP _ ("0600")

+

+

 enum sscg_verbosity

 {

   SSCG_QUIET = -1,

@@ -116,6 +125,75 @@ enum sscg_verbosity

   SSCG_DEBUG

 };

+extern int verbosity;

+

+const char *sscg_get_verbosity_name (enum sscg_verbosity);

+

+#define SSCG_LOG(_level, _format, ...)                                        \

+  do                                                                          \

+    {                                                                         \

+      if (verbosity >= _level)                                                \

+        {                                                                     \

+          printf ("%s", sscg_get_verbosity_name (_level));                    \

+          printf (_format, ##__VA_ARGS__);                                    \

+        }                                                                     \

+    }                                                                         \

+  while (0)

+

+#define SSCG_ERROR(_format, ...)                                              \

+  do                                                                          \

+    {                                                                         \

+      if (verbosity > SSCG_QUIET)                                             \

+        {                                                                     \

+          fprintf (stderr, "ERROR: ");                                        \

+          fprintf (stderr, _format, ##__VA_ARGS__);                           \

+        }                                                                     \

+    }                                                                         \

+  while (0)

+

+

+enum sscg_file_type

+{

+  SSCG_FILE_TYPE_UNKNOWN = -1,

+  SSCG_FILE_TYPE_CA,

+  SSCG_FILE_TYPE_CA_KEY,

+  SSCG_FILE_TYPE_SVC,

+  SSCG_FILE_TYPE_SVC_KEY,

+  SSCG_FILE_TYPE_CLIENT,

+  SSCG_FILE_TYPE_CLIENT_KEY,

+  SSCG_FILE_TYPE_CRL,

+  SSCG_FILE_TYPE_DHPARAMS,

+

+  SSCG_NUM_FILE_TYPES

+};

+

+#define SSCG_FILE_TYPE_KEYS                                                   \

+  ((1 << SSCG_FILE_TYPE_CA_KEY) | (1 << SSCG_FILE_TYPE_SVC_KEY) |             \

+   (1 << SSCG_FILE_TYPE_CLIENT_KEY))

+

+#define SSCG_FILE_TYPE_SVC_TYPES                                              \

+  ((1 << SSCG_FILE_TYPE_SVC) | (1 << SSCG_FILE_TYPE_SVC_KEY))

+

+#define SSCG_FILE_TYPE_CLIENT_TYPES                                           \

+  ((1 << SSCG_FILE_TYPE_CLIENT) | (1 << SSCG_FILE_TYPE_CLIENT_KEY))

+

+#define SSCG_FILE_TYPE_CA_TYPES                                               \

+  ((1 << SSCG_FILE_TYPE_CA) | (1 << SSCG_FILE_TYPE_CA_KEY))

+

+const char *

+sscg_get_file_type_name (enum sscg_file_type _type);

+

+#define GET_BIO(_type) sscg_io_utils_get_bio_by_type (options->streams, _type)

+

+#define GET_PATH(_type)                                                       \

+  sscg_io_utils_get_path_by_type (options->streams, _type)

+

+#define ANNOUNCE_WRITE(_type)                                                 \

+  SSCG_LOG (SSCG_DEFAULT,                                                     \

+            "Wrote %s to %s\n",                                               \

+            sscg_get_file_type_name (_type),                                  \

+            GET_PATH (_type));

+

 struct sscg_options

 {

   /* How noisy to be when printing information */

@@ -149,15 +227,28 @@ struct sscg_options

   char *ca_key_pass;

   bool cert_key_pass_prompt;

   char *cert_key_pass;

+  bool client_key_pass_prompt;

+  char *client_key_pass;

   /* Output Files */

-  char *ca_file;

-  char *ca_key_file;

-  char *cert_file;

-  char *cert_key_file;

+  struct sscg_stream **streams;

+

+  /* Diffie-Hellman Parameters */

+  int dhparams_prime_len;

+  int dhparams_generator;

   /* Overwrite the output files */

   bool overwrite;

 };

+

+enum sscg_cert_type

+{

+  SSCG_CERT_TYPE_UNKNOWN = -1,

+  SSCG_CERT_TYPE_SERVER,

+  SSCG_CERT_TYPE_CLIENT,

+

+  SSCG_NUM_CERT_TYPES

+};

+

 #endif /* _SSCG_H */

diff --git a/meson.build b/meson.build

index c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa..eb339ea8c768adab6d576736fbe476b83529e78d 100644

--- a/meson.build

+++ b/meson.build

@@ -52,21 +52,30 @@ endif

 has_get_sec_level = cc.has_function(

     'SSL_CTX_get_security_level',

-    dependencies: [ ssl])

+    dependencies: [ ssl ])

+

+has_generator_3 = cc.has_header_symbol(

+    'openssl/dh.h',

+    'DH_GENERATOR_3',

+    dependencies: [ ssl ])

 sscg_lib_srcs = [

     'src/authority.c',

     'src/bignum.c',

+    'src/cert.c',

+    'src/dhparams.c',

+    'src/io_utils.c',

     'src/key.c',

-    'src/service.c',

     'src/x509.c',

 ]

 sscg_lib_hdrs = [

     'include/authority.h',

     'include/bignum.h',

+    'include/cert.h',

+    'include/dhparams.h',

+    'include/io_utils.h',

     'include/key.h',

-    'include/service.h',

     'include/x509.h',

 ]

@@ -140,6 +149,42 @@ init_bignum_test = executable(

 )

 test('init_bignum_test', init_bignum_test)

+dhparams_test = executable(

+    'dhparams_test',

+    'test/dhparams_test.c',

+    link_with : sscg_lib,

+    dependencies: [],

+    install : false

+)

+

+# Test generating 512-bit, 1024-bit and 2048-bit DH params with multiple

+# generators. 4096-bit and larger takes over ten minutes, so it's excluded from

+# the test suite by default.

+prime_lengths = [ 512, 1024 ]

+dhparam_timeout = 120

+

+if get_option('run_slow_tests')

+    prime_lengths = prime_lengths + [ 2048, 4096 ]

+    dhparam_timeout = 900

+endif

+

+generators = [ 2, 5 ]

+

+if (has_generator_3)

+    generators += [ 3 ]

+endif

+

+foreach prime_len : prime_lengths

+    foreach g : generators

+        test('dhparams_test_' + prime_len.to_string() + '_' + g.to_string(),

+             dhparams_test,

+             args: [ prime_len.to_string(), g.to_string() ],

+             timeout: dhparam_timeout)

+    endforeach

+endforeach

+

+

+

 cdata = configuration_data()

 cdata.set_quoted('PACKAGE_VERSION', meson.project_version())

 cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)

diff --git a/meson_options.txt b/meson_options.txt

new file mode 100644

index 0000000000000000000000000000000000000000..1d8ff959b3c3d3f2aa6dc928ba38efeedfbe5c96

--- /dev/null

+++ b/meson_options.txt

@@ -0,0 +1,24 @@

+# This file is part of sscg.

+#

+# sscg is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# sscg is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+

+# You should have received a copy of the GNU General Public License

+# along with sscg.  If not, see <http://www.gnu.org/licenses/>.

+#

+# Copyright 2019 by Stephen Gallagher <sgallagh@redhat.com>

+

+# Generating 4096-bit Diffie-Hellman parameters can take over ten minutes on a

+# fast system. We skip testing it by default.

+

+# Some tests take a long time (dozens of seconds or even minutes)

+# For general development, we will skip them and run them only in the CI

+# environment.

+option('run_slow_tests', type : 'boolean', value : false)

diff --git a/src/cert.c b/src/cert.c

new file mode 100644

index 0000000000000000000000000000000000000000..0377d1357a3881a9705fcb09fdfe2a9c78cc5ed4

--- /dev/null

+++ b/src/cert.c

@@ -0,0 +1,191 @@

+/*

+    This file is part of sscg.

+

+    sscg is free software: you can redistribute it and/or modify

+    it under the terms of the GNU General Public License as published by

+    the Free Software Foundation, either version 3 of the License, or

+    (at your option) any later version.

+

+    sscg is distributed in the hope that it will be useful,

+    but WITHOUT ANY WARRANTY; without even the implied warranty of

+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+    GNU General Public License for more details.

+

+    You should have received a copy of the GNU General Public License

+    along with sscg.  If not, see <http://www.gnu.org/licenses/>.

+

+    Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>

+*/

+

+

+#include "include/sscg.h"

+#include "include/cert.h"

+#include "include/x509.h"

+#include "include/key.h"

+

+int

+create_cert (TALLOC_CTX *mem_ctx,

+             const struct sscg_options *options,

+             struct sscg_x509_cert *ca_cert,

+             struct sscg_evp_pkey *ca_key,

+             enum sscg_cert_type type,

+             struct sscg_x509_cert **_cert,

+             struct sscg_evp_pkey **_key)

+{

+  int ret;

+  size_t i;

+  struct sscg_bignum *e;

+  struct sscg_bignum *serial;

+  struct sscg_cert_info *certinfo;

+  struct sscg_x509_req *csr;

+  struct sscg_evp_pkey *pkey;

+  struct sscg_x509_cert *cert;

+  X509_EXTENSION *ex = NULL;

+  EXTENDED_KEY_USAGE *extended;

+  TALLOC_CTX *tmp_ctx = NULL;

+

+  tmp_ctx = talloc_new (NULL);

+  CHECK_MEM (tmp_ctx);

+

+  /* create a serial number for this certificate */

+  ret = sscg_generate_serial (tmp_ctx, &serial);

+  CHECK_OK (ret);

+

+  certinfo = sscg_cert_info_new (tmp_ctx, options->hash_fn);

+  CHECK_MEM (certinfo);

+

+  /* Populate cert_info from options */

+  certinfo->country = talloc_strdup (certinfo, options->country);

+  CHECK_MEM (certinfo->country);

+

+  certinfo->state = talloc_strdup (certinfo, options->state);

+  CHECK_MEM (certinfo->state);

+

+  certinfo->locality = talloc_strdup (certinfo, options->locality);

+  CHECK_MEM (certinfo->locality);

+

+  certinfo->org = talloc_strdup (certinfo, options->org);

+  CHECK_MEM (certinfo->org);

+

+  certinfo->org_unit = talloc_strdup (certinfo, options->org_unit);

+  CHECK_MEM (certinfo->org_unit);

+

+  certinfo->email = talloc_strdup (certinfo, options->email);

+  CHECK_MEM (certinfo->email);

+

+  certinfo->cn = talloc_strdup (certinfo, options->hostname);

+  CHECK_MEM (certinfo->cn);

+

+  if (options->subject_alt_names)

+    {

+      for (i = 0; options->subject_alt_names[i]; i++)

+        {

+          certinfo->subject_alt_names = talloc_realloc (

+            certinfo, certinfo->subject_alt_names, char *, i + 2);

+          CHECK_MEM (certinfo->subject_alt_names);

+

+          certinfo->subject_alt_names[i] = talloc_strdup (

+            certinfo->subject_alt_names, options->subject_alt_names[i]);

+          CHECK_MEM (certinfo->subject_alt_names[i]);

+

+          /* Add a NULL terminator to the end */

+          certinfo->subject_alt_names[i + 1] = NULL;

+        }

+    }

+

+  /* Ensure that this certificate may not sign other certificates */

+  /* Add key extensions */

+  ex = X509V3_EXT_conf_nid (

+    NULL, NULL, NID_key_usage, "critical,digitalSignature,keyEncipherment");

+  CHECK_MEM (ex);

+  sk_X509_EXTENSION_push (certinfo->extensions, ex);

+

+  extended = sk_ASN1_OBJECT_new_null ();

+

+  switch (type)

+    {

+    case SSCG_CERT_TYPE_SERVER:

+      sk_ASN1_OBJECT_push (extended, OBJ_nid2obj (NID_server_auth));

+      break;

+

+    case SSCG_CERT_TYPE_CLIENT:

+      sk_ASN1_OBJECT_push (extended, OBJ_nid2obj (NID_client_auth));

+      break;

+

+    default:

+      fprintf (stdout, "Unknown certificate type!");

+      ret = EINVAL;

+      goto done;

+    }

+

+

+  ex = X509V3_EXT_i2d (NID_ext_key_usage, 0, extended);

+  sk_ASN1_OBJECT_pop_free (extended, ASN1_OBJECT_free);

+  sk_X509_EXTENSION_push (certinfo->extensions, ex);

+

+  /* Mark it as not a CA */

+  ex = X509V3_EXT_conf_nid (NULL, NULL, NID_basic_constraints, "CA:FALSE");

+  CHECK_MEM (ex);

+  sk_X509_EXTENSION_push (certinfo->extensions, ex);

+

+  /* Use an exponent value of RSA F4 aka 0x10001 (65537) */

+  ret = sscg_init_bignum (tmp_ctx, RSA_F4, &e);

+  CHECK_OK (ret);

+

+  /* Generate an RSA keypair for this CA */

+  if (options->verbosity >= SSCG_VERBOSE)

+    {

+      fprintf (stdout, "Generating RSA key for certificate.\n");

+    }

+  /* TODO: support DSA keys as well */

+  ret = sscg_generate_rsa_key (tmp_ctx, options->key_strength, e, &pkey);

+  CHECK_OK (ret);

+

+  /* Create a certificate signing request for the private CA */

+  if (options->verbosity >= SSCG_VERBOSE)

+    {

+      fprintf (stdout, "Generating CSR for certificate.\n");

+    }

+  ret = sscg_x509v3_csr_new (tmp_ctx, certinfo, pkey, &csr;;

+  CHECK_OK (ret);

+

+  /* Finalize the CSR */

+  ret = sscg_x509v3_csr_finalize (certinfo, pkey, csr);

+  CHECK_OK (ret);

+

+  if (options->verbosity >= SSCG_DEBUG)

+    {

+      const char *tempcert =

+        SSCG_CERT_TYPE_SERVER ? "./debug-service.csr" : "debug-client.csr";

+

+      fprintf (stderr, "DEBUG: Writing certificate CSR to %s\n", tempcert);

+      BIO *csr_out = BIO_new_file (tempcert, "w");

+      int sslret = PEM_write_bio_X509_REQ (csr_out, csr->x509_req);

+      CHECK_SSL (sslret, PEM_write_bio_X509_REQ);

+    }

+

+  /* Sign the certificate */

+

+  if (options->verbosity >= SSCG_VERBOSE)

+    {

+      fprintf (stdout, "Signing CSR for certificate. \n");

+    }

+

+  ret = sscg_sign_x509_csr (tmp_ctx,

+                            csr,

+                            serial,

+                            options->lifetime,

+                            ca_cert,

+                            ca_key,

+                            options->hash_fn,

+                            &cert);

+  CHECK_OK (ret);

+

+  *_cert = talloc_steal (mem_ctx, cert);

+  *_key = talloc_steal (mem_ctx, pkey);

+

+  ret = EOK;

+done:

+  talloc_free (tmp_ctx);

+  return ret;

+}

diff --git a/src/dhparams.c b/src/dhparams.c

new file mode 100644

index 0000000000000000000000000000000000000000..f9b64629709beb857a948a7f2f42eb805d76c557

--- /dev/null

+++ b/src/dhparams.c

@@ -0,0 +1,146 @@

+/*

+    This file is part of sscg.

+

+    sscg is free software: you can redistribute it and/or modify