authorTim Kosse <tim.kosse@filezilla-project.org>2016-01-07 11:27:13 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-30 10:23:28 +0200
commit1bef39cac91bad1d7cc09f9886cc575294291fa1 (patch)
treecc34307ed374527e20b8d1ab12f2efe9107bb2a6
parent0fb28b050250423c29e63bc9f23499c2058a752e (diff)
Implement setting the TLS features extension on certificates via certtool's template file.
-rw-r--r--doc/certtool.cfg5
-rw-r--r--src/certtool-cfg.c53
-rw-r--r--src/certtool-cfg.h1
-rw-r--r--src/certtool.c4
4 files changed, 63 insertions, 0 deletions
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 52b6c8be4e..4a3021b28c 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -189,3 +189,8 @@ encryption_key
# Comment the field for a time-based number.
#crl_number = 5
+
+# TLS feature extensions (RFC 7633)
+
+# If the status_request TLS exension is set, OCSP stapling becomes mandatory
+#tls_feature = 5
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 67bf0bdd76..ae428d5d35 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -28,6 +28,7 @@
#include <stdint.h>
#include <certtool-cfg.h>
#include <gnutls/x509.h>
+#include <gnutls/x509-ext.h>
#include <string.h>
#include <limits.h>
#include <inttypes.h>
@@ -138,6 +139,7 @@ static struct cfg_options available_options[] = {
{ .name = "key_agreement", .type = OPTION_BOOLEAN },
{ .name = "data_encipherment", .type = OPTION_BOOLEAN },
{ .name = "non_repudiation", .type = OPTION_BOOLEAN },
+ { .name = "tls_feature", .type = OPTION_MULTI_LINE },
};
typedef struct _cfg_ctx {
@@ -207,6 +209,7 @@ typedef struct _cfg_ctx {
char *proxy_policy_language;
char **ocsp_uris;
char **ca_issuers_uris;
+ char **tls_features;
} cfg_ctx;
cfg_ctx cfg;
@@ -522,6 +525,8 @@ int template_parse(const char *template)
READ_BOOLEAN("key_agreement", cfg.key_agreement);
READ_BOOLEAN("non_repudiation", cfg.non_repudiation);
+ READ_MULTI_LINE("tls_feature", cfg.tls_features);
+
optionUnloadNested(pov);
return 0;
@@ -2574,3 +2579,51 @@ void get_oid_crq_set(gnutls_x509_crq_t crq)
}
}
+
+void get_tlsfeatures_set(int type, void *crt)
+{
+ int ret, i;
+ unsigned int feature;
+
+ if (batch) {
+ if (!cfg.tls_features)
+ return;
+
+ gnutls_x509_tlsfeatures_t features;
+ ret = gnutls_x509_tlsfeatures_init(&features);
+ if (ret < 0) {
+ fprintf(stderr, "gnutls_x509_tlsfeatures_init: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+
+ for (i = 0; cfg.tls_features[i]; ++i) {
+ feature = strtoul(cfg.tls_features[i], 0, 10);
+ ret = gnutls_x509_tlsfeatures_add(features, feature);
+ if (ret < 0) {
+ fprintf(stderr, "gnutls_x509_tlsfeatures_add: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+ if (type == TYPE_CRT) {
+ ret = gnutls_x509_crt_set_tlsfeatures(crt, features);
+ if (ret < 0) {
+ fprintf(stderr, "gnutls_x509_crt_set_tlsfeatures: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+ else {
+ ret = gnutls_x509_crq_set_tlsfeatures(crt, features);
+ if (ret < 0) {
+ fprintf(stderr, "gnutls_x509_crq_set_tlsfeatures: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+ gnutls_x509_tlsfeatures_deinit(features);
+ }
+}
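Review bot: The `strtoul(cfg.tls_features[i], 0, 10)` call inside the `for` loop takes its result unchecked, so a template entry such as `tls_feature = abc` is silently added as feature 0, trailing garbage after a number is ignored, and a value that overflows is truncated when the `unsigned long` result is stored into the `unsigned int feature`. Since the extension carries TLS extension type identifiers, which are 16-bit, anything above 65535 cannot name a valid feature, and the ambiguity between "0 because the user wrote 0" and "0 because parsing failed" is worth removing before the value reaches `gnutls_x509_tlsfeatures_add`. I would parse through an end pointer and errno and reject bad entries with the same fprintf/exit pattern the function already uses for library errors; this needs `<errno.h>`, which the include hunk at the top of this file does not show, so it may have to be added. The rest of the function (init, the type dispatch and deinit) can stay as is.
```c
	for (i = 0; cfg.tls_features[i]; ++i) {
		char *end = NULL;
		unsigned long val;

		errno = 0;
		val = strtoul(cfg.tls_features[i], &end, 10);
		if (end == cfg.tls_features[i] || *end != '\0' ||
		    errno == ERANGE || val > 65535) {
			fprintf(stderr, "tls_feature: invalid value '%s'\n",
				cfg.tls_features[i]);
			exit(1);
		}
		feature = (unsigned int)val;
		/* … unchanged: gnutls_x509_tlsfeatures_add call and its error check … */
	}
```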
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 7f9dac7b99..e792dd2c16 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -83,6 +83,7 @@ void get_dc_set(int type, void *crt);
void get_ca_issuers_set(gnutls_x509_crt_t crt);
void get_ocsp_issuer_set(gnutls_x509_crt_t crt);
void crt_unique_ids_set(gnutls_x509_crt_t crt);
+void get_tlsfeatures_set(int type, void *crt);
int get_key_agreement_status(void);
int get_non_repudiation_status(void);
diff --git a/src/certtool.c b/src/certtool.c
index e6ee59ecac..5896501aa9 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -301,6 +301,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
"This field should not be used in new certificates.\n");
get_pkcs9_email_crt_set(crt);
+
+ get_tlsfeatures_set(TYPE_CRT, crt);
}
result = gnutls_x509_crt_set_pubkey(crt, pubkey);
@@ -2112,6 +2114,8 @@ void generate_request(common_info_st * cinfo)
}
get_key_purpose_set(TYPE_CRQ, crq);
+
+ get_tlsfeatures_set(TYPE_CRQ, crq);
}
ret = gnutls_x509_crq_set_pubkey(crq, pubkey);