Add OAuth and X.509 utilities.

.gitignore

@@ -29,6 +29,7 @@
 /cups/test.raster
 /cups/testarray
 /cups/testclient
+/cups/testclock
 /cups/testcreds
 /cups/testcups
 /cups/testdest
@@ -52,6 +53,8 @@
 /cups/tlscheck
 /packaging/libcups3.list
 /scratch
+/tools/cups-oauth
+/tools/cups-x509
 /tools/ippeveprinter
 /tools/ippeveprinter-static
 /tools/ippfind
@@ -60,7 +63,6 @@
 /tools/ipptool-static
 /tools/ipptransform
 /tools/ipptransform-static
-/tools/libpdfio.a
 /vcnet/.vs
 /vcnet/packages
 /vcnet/x64

CHANGES.md

@@ -8,6 +8,7 @@ libcups v3.0rc4 (YYYY-MM-DD)
 - Added `cupsGetClock` API.
 - Added `cupsJWTLoadCredentials` API.
 - Added "client.conf" man page.
+- Added `cups-oauth` and `cups-x509` utilities (Issue #108)
 - Updated documentation (Issue #99)
 - Updated the `ipptool` utility to support the `--bearer-token` and
   `--client-name` options.

cups/oauth.c

@@ -305,15 +305,15 @@ cupsOAuthCopyUserId(
 // names to request during authorization.  The list of supported scope names are
 // available from the Authorization Server metadata, for example:
 //
-// The "redirect_uri" parameter specifies a 'http:' URL with a listen address,
-// port, and path to use.  If `NULL`, 127.0.0.1 on a random port is used with a
-// path of "/".
-//
 // ```
 // cups_json_t *metadata = cupsOAuthGetMetadata(auth_uri);
 // cups_json_t *scopes_supported = cupsJSONFind(metadata, "scopes_supported");
 // ```
 //
+// The "redirect_uri" parameter specifies a 'http:' URL with a listen address,
+// port, and path to use.  If `NULL`, 127.0.0.1 on a random port is used with a
+// path of "/".
+//
 // The returned authorization code must be freed using the `free` function.
 //
 

doc/Makefile

@@ -1,7 +1,7 @@
 #
 # Documentation makefile for libcups.
 #
-# Copyright © 2021-2023 by OpenPrinting.
+# Copyright © 2021-2025 by OpenPrinting.
 #
 # Licensed under Apache License v2.0.  See the file "LICENSE" for more
 # information.
@@ -16,6 +16,8 @@ include ../Makedefs
 DOCFILES	=	\
 			cups.png \
 			cups.svg \
+			cups-oauth.html \
+			cups-x509.html \
 			cupspm.epub \
 			cupspm.html \
 			index.html \
@@ -25,6 +27,7 @@ DOCFILES	=	\
 			ipptoolfile.html \
 			ipptransform.html \
 			libcups.css \
+			libcups.html \
 			raster.png \
 			raster-organization.png \
 			sample-image.png \

doc/client.conf.html

@@ -222,8 +222,33 @@ <h3 id="client.conf-5.description.directives">Directives</h3>
     <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>ValidateCerts Yes</strong><br>
 </p>
     <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>ValidateCerts No</strong><br>
-Specifies whether to only allow TLS with certificates whose common name matches the hostname.
+Specifies whether to only allow TLS with certificates whose commonName or subjectAltName values match the hostname of the printer or server.
 The default is &quot;No&quot;.
+</p>
+    <h2 id="client.conf-5.x.509-certificate-store">X.509 Certificate Store</h2>
+<p>CUPS uses the system root CA certificate store and per-user certificate stores managed by CUPS.
+The per-user certificate stores are found in &quot;/etc/cups/ssl&quot; for the root user and &quot;$XDG_CONFIG_HOME/cups/ssl&quot; (Linux/*BSD), &quot;$HOME/Library/Application Support/cups/ssl&quot; (macOS), &quot;%USERPROFILE%/AppData/Local/cups&quot; (Windows), and/or &quot;$HOME/.cups/ssl&quot; for other user accounts.
+</p>
+    <p>Certificates, certificate signing requests, and private keys are stored as PEM-encoded files with the naming convention &quot;COMMON-NAME.crt&quot; for certificates, &quot;COMMON-NAME.csr&quot; for certificate signing requests, and &quot;COMMON-NAME.key&quot; for private keys. The special common name &quot;_site_&quot; is used for a site-specific root certificate that can be used for trust evaluations.
+</p>
+    <h2 id="client.conf-5.x.509-certificate-validation">X.509 Certificate Validation</h2>
+<p>CUPS supports validation of the certificate's commonName and subjectAltName field values, the certificate expiration date, and the certificate's root certificate(s), if any.
+Self-signed certificates are &quot;pinned&quot; (stored) to the host in order to do validation.
+Validation for certain non-printing servers may add additional restrictions to the policy defined in the
+<strong>client.conf</strong>
+file, for example OAuth authorization requires a CA-signed certificate.
+</p>
+    <p>The
+<strong>AllowAnyRoot</strong>
+directive controls whether unpinned self-signed certificates are acceptable.
+The
+<strong>TrustOnFirstUse</strong>
+directive controls whether self-certificates are automatically pinned in the per-user certificate store for subsequent host validations.
+When
+<strong>AllowAnyRoot</strong>
+is disabled,
+<strong>TrustOnFirstUse</strong>
+is also disabled.
 </p>
     <h2 id="client.conf-5.notes">Notes</h2>
 <p>Because of sandboxing, the <strong>client.conf</strong> file is not generally accessible to applications on macOS.
@@ -240,7 +265,9 @@ <h2 id="client.conf-5.notes">Notes</h2>
 <p>On Linux and other systems using GNU TLS, the <em>/etc/cups/ssl/site.crl</em> file, if present, provides a list of revoked X.509 certificates and is used when validating certificates.
 </p>
     <h2 id="client.conf-5.see-also">See Also</h2>
-<p><strong>cups</strong>(1)
+<p><strong>cups</strong>(1),
+
+<a href="cups-x509.html"><strong>cups-x509</strong>(1)</a>
 
 </p>
     <h2 id="client.conf-5.copyright">Copyright</h2>

doc/cups-oauth.html

@@ -0,0 +1,252 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <style><!--
+body {
+  font-family: sans-serif;
+  font-size: 16pt;
+  margin: 54pt 36pt;
+}
+.center {
+  text-align: center;
+}
+a:link, a:visited {
+  color: #c00;
+  text-decoration: underline;
+}
+
+a:link:hover, a:active {
+  color: #f00;
+  text-decoration: underline;
+}
+code, kbd, pre, tt {
+  font-family: monospace;
+}
+dl {
+  margin-left: 2em;
+}
+h2, h3 {
+  border-bottom: solid 2px black;
+}
+h4 {
+  border-bottom: solid 1px black;
+}
+p {
+  text-align: justify;
+}
+span.info {
+  background: #ddf;
+  border: solid 1px #77c;
+  border-top-left-radius: 5px;
+  border-top-right-radius: 5px;
+  float: right;
+  font-size: 80%;
+  padding: 2px 10px;
+}
+h4 span.info {
+  padding: 1px 8px;
+}
+table {
+  border-collapse: collapse;
+  margin-left: auto;
+  margin-right: auto;
+  max-width: 90%;
+}
+table thead th {
+  border-bottom: solid 2px black;
+  padding: 0 10px;
+  text-align: left;
+  vertical-align: bottom;
+}
+table tbody tr:nth-child(even) {
+  background: #ddd;
+}
+table tbody td {
+  border-bottom: solid 1px black;
+  padding: 4px 10px;
+  vertical-align: top;
+}
+blockquote {
+  background: #ddf;
+  border-left: solid 2px #77c;
+  margin-left: 0;
+  margin-right: 0;
+  padding: 10px;
+}
+/* Dark mode overrides */
+@media (prefers-color-scheme: dark) {
+  body {
+    background: black;
+    color: #ccc;
+  }
+  h2, h3, h4, table tbody td, table thead th {
+    border-color: #ccc;
+  }
+  blockquote, span.info {
+    background: #337;
+    border-color: #66f;
+  }
+  table tbody tr:nth-child(even) {
+    background: #444;
+  }
+}
+--></style>
+    <meta name="creator" content="mantohtml v2.0.2">
+    <title>cups-oauth(1)</title>
+  </head>
+  <body>
+    <h1 id="cups-oauth-1">cups-oauth(1)</h1>
+    <h2 id="cups-oauth-1.name">Name</h2>
+<p>cups-oauth - interact with an oauth/openid authorization server
+</p>
+    <h2 id="cups-oauth-1.synopsis">Synopsis</h2>
+<p><strong>cups-oauth</strong>
+<strong>--help</strong>
+<br>
+<strong>cups-oauth</strong>
+<strong>--version</strong>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+] [
+<strong>-s</strong>
+<em>SCOPE(S)</em>
+]
+<strong>authorize</strong>
+<em>[RESOURCE]</em>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>clear</strong>
+<em>[RESOURCE]</em>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>get-access-token</strong>
+<em>[RESOURCE]</em>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>get-client-id</strong>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>get-metadata</strong>
+<em>[NAME]</em>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>get-user-id</strong>
+<em>[RESOURCE]</em>
+<em>[NAME]</em>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>set-access-token</strong>
+<em>[RESOURCE]</em>
+<em>TOKEN</em>
+<br>
+<strong>cups-oauth</strong>
+[
+<strong>-a</strong>
+<em>OAUTH-URI</em>
+]
+<strong>set-client-data</strong>
+<em>CLIENT-ID</em>
+<em>CLIENT-SECRET</em>
+</p>
+    <h2 id="cups-oauth-1.description">Description</h2>
+<p>The
+<strong>cups-oauth</strong>
+utility interacts with an OAuth/OpenID authorization server.
+Authorizations are often linked to a resource (a printer URI, web page URL, etc.)
+</p>
+    <h2 id="cups-oauth-1.options">Options</h2>
+<p>The following options are recognized by
+<strong>cups-oauth:</strong>
+</p>
+    <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>--help</strong><br>
+Show program usage.
+</p>
+    <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>--version</strong><br>
+Show the CUPS version.
+</p>
+    <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>-a </strong><em>OAUTH-URI</em><br>
+Specifies the OAuth/OpenID authorization server URL.
+</p>
+    <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>-s </strong><em>SCOPE(S)</em><br>
+Specifies a space-delimited list of scope names to use when authorizing access.
+The default is to request authorization for all supported scopes.
+</p>
+    <h2 id="cups-oauth-1.commands">Commands</h2>
+    <h3 id="cups-oauth-1.commands.authorize">Authorize</h3>
+<p>Starts an authorization workflow with the default web browser.
+If a resource URI is specified, the authorization is specific to that resource.
+The access token is send to the standard output on success.
+</p>
+    <h3 id="cups-oauth-1.commands.clear">Clear</h3>
+<p>Clears any authorization for the specified resource or for all resources if no resource URI is supplied.
+</p>
+    <h3 id="cups-oauth-1.commands.get-access-token">Get-Access-Token</h3>
+<p>Output the current, unexpired access token, if any, to the standard output.
+</p>
+    <h3 id="cups-oauth-1.commands.get-client-id">Get-Client-Id</h3>
+<p>Output the client ID string, if any, to the standard output.
+</p>
+    <h3 id="cups-oauth-1.commands.get-metadata">Get-Metadata</h3>
+<p>Get the OAuth/OpenID authorization server metadata and send it to the standard output.
+If a name is specified, the output is just the value for the specified metadata.
+</p>
+    <h3 id="cups-oauth-1.commands.get-user-id">Get-User-Id</h3>
+<p>Get the OpenID user ID information and send it to the standard output.
+If a name is specified, the output is just the named claim from the user ID.
+</p>
+    <h3 id="cups-oauth-1.commands.set-access-token">Set-Access-Token</h3>
+<p>Set the access token (which is sometimes also called an API key) for the specified resource or for all resources.
+</p>
+    <h3 id="cups-oauth-1.commands.set-client-data">Set-Client-Data</h3>
+<p>Set the client ID string and secret for an OAuth/OpenID authorization server.
+</p>
+    <h2 id="cups-oauth-1.environment-variables">Environment Variables</h2>
+<p>The
+<strong>CUPS_OAUTH_URI</strong>
+environment variable sets the default OAuth/OpenID authorization server URL.
+</p>
+    <p>The
+<strong>CUPS_OAUTH_SCOPES</strong>
+environment variable sets the default OAuth/OpenID scopes as a space-delimited list.
+</p>
+    <h2 id="cups-oauth-1.notes">Notes</h2>
+<p>CUPS uses a redirect URI of &quot;<a href="http://127.0.0.1/&quot;">http://127.0.0.1/&quot;</a> for all authorization on the local system.
+</p>
+    <h2 id="cups-oauth-1.examples">Examples</h2>
+<p>TBD
+</p>
+    <h2 id="cups-oauth-1.see-also">See Also</h2>
+<p><strong>cups</strong>(1)
+
+</p>
+    <h2 id="cups-oauth-1.copyright">Copyright</h2>
+<p>Copyright &copy; 2025 by OpenPrinting.
+  </body>
+</html>