author | Tim Kosse <tim.kosse@filezilla-project.org> | 2016-01-07 11:27:13 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-05-30 10:23:28 +0200 |
commit | 1bef39cac91bad1d7cc09f9886cc575294291fa1 (patch) | |
tree | cc34307ed374527e20b8d1ab12f2efe9107bb2a6 | |
parent | 0fb28b050250423c29e63bc9f23499c2058a752e (diff) | |
download | gnutls-1bef39cac91bad1d7cc09f9886cc575294291fa1.tar.gz |
Implement setting the TLS features extension on certificates via certtool's template file.
-rw-r--r-- | doc/certtool.cfg | 5 | ||||
-rw-r--r-- | src/certtool-cfg.c | 53 | ||||
-rw-r--r-- | src/certtool-cfg.h | 1 | ||||
-rw-r--r-- | src/certtool.c | 4 |
4 files changed, 63 insertions, 0 deletions
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 52b6c8be4e..4a3021b28c 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -189,3 +189,8 @@ encryption_key
 # Comment the field for a time-based number.
 #crl_number = 5
+
+# TLS feature extensions (RFC 7633)
+
+# If the status_request TLS exension is set, OCSP stapling becomes mandatory
+#tls_feature = 5
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 67bf0bdd76..ae428d5d35 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -28,6 +28,7 @@
 #include <stdint.h>
 #include <certtool-cfg.h>
 #include <gnutls/x509.h>
+#include <gnutls/x509-ext.h>
 #include <string.h>
 #include <limits.h>
 #include <inttypes.h>
@@ -138,6 +139,7 @@ static struct cfg_options available_options[] = {
 	{ .name = "key_agreement", .type = OPTION_BOOLEAN },
 	{ .name = "data_encipherment", .type = OPTION_BOOLEAN },
 	{ .name = "non_repudiation", .type = OPTION_BOOLEAN },
+	{ .name = "tls_feature", .type = OPTION_MULTI_LINE },
 };
 typedef struct _cfg_ctx {
@@ -207,6 +209,7 @@ typedef struct _cfg_ctx {
 	char *proxy_policy_language;
 	char **ocsp_uris;
 	char **ca_issuers_uris;
+	char **tls_features;
 } cfg_ctx;
 cfg_ctx cfg;
@@ -522,6 +525,8 @@ int template_parse(const char *template)
 	READ_BOOLEAN("key_agreement", cfg.key_agreement);
 	READ_BOOLEAN("non_repudiation", cfg.non_repudiation);
+	READ_MULTI_LINE("tls_feature", cfg.tls_features);
+
 	optionUnloadNested(pov);
 	return 0;
@@ -2574,3 +2579,51 @@ void get_oid_crq_set(gnutls_x509_crq_t crq)
 	}
 }
+
+void get_tlsfeatures_set(int type, void *crt)
+{
+	int ret, i;
+	unsigned int feature;
+
+	if (batch) {
+		if (!cfg.tls_features)
+			return;
+
+		gnutls_x509_tlsfeatures_t features;
+		ret = gnutls_x509_tlsfeatures_init(&features);
+		if (ret < 0) {
+			fprintf(stderr, "gnutls_x509_tlsfeatures_init: %s\n",
+				gnutls_strerror(ret));
+			exit(1);
+		}
+
+		for (i = 0; cfg.tls_features[i]; ++i) {
+			feature = strtoul(cfg.tls_features[i], 0, 10);
+			ret = gnutls_x509_tlsfeatures_add(features, feature);
+			if (ret < 0) {
+				fprintf(stderr, "gnutls_x509_tlsfeatures_add: %s\n",
+					gnutls_strerror(ret));
+				exit(1);
+			}
+		}
+
+		if (type == TYPE_CRT) {
+			ret = gnutls_x509_crt_set_tlsfeatures(crt, features);
+			if (ret < 0) {
+				fprintf(stderr, "gnutls_x509_crt_set_tlsfeatures: %s\n",
+					gnutls_strerror(ret));
+				exit(1);
+			}
+		}
+		else {
+			ret = gnutls_x509_crq_set_tlsfeatures(crt, features);
+			if (ret < 0) {
+				fprintf(stderr, "gnutls_x509_crq_set_tlsfeatures: %s\n",
+					gnutls_strerror(ret));
+				exit(1);
+			}
+		}
+
+		gnutls_x509_tlsfeatures_deinit(features);
+	}
+}
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 7f9dac7b99..e792dd2c16 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -83,6 +83,7 @@ void get_dc_set(int type, void *crt);
 void get_ca_issuers_set(gnutls_x509_crt_t crt);
 void get_ocsp_issuer_set(gnutls_x509_crt_t crt);
 void crt_unique_ids_set(gnutls_x509_crt_t crt);
+void get_tlsfeatures_set(int type, void *crt);
 int get_key_agreement_status(void);
 int get_non_repudiation_status(void);
diff --git a/src/certtool.c b/src/certtool.c
index e6ee59ecac..5896501aa9 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -301,6 +301,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
 			"This field should not be used in new certificates.\n");
 		get_pkcs9_email_crt_set(crt);
+
+		get_tlsfeatures_set(TYPE_CRT, crt);
 	}
 	result = gnutls_x509_crt_set_pubkey(crt, pubkey);
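Review bot: The `feature = strtoul(cfg.tls_features[i], 0, 10);` line in the new loop of get_tlsfeatures_set accepts any template value: a non-numeric string such as `tls_feature = status_request` silently becomes feature 0, trailing characters are ignored, and an out-of-range number is truncated on assignment to the `unsigned int feature` because ERANGE is never inspected. The template is user-supplied input whose result is written into a certificate extension, so the value should be parsed with an end pointer and errno and rejected unless it is a complete decimal in the 16-bit range of TLS extension type numbers; whether gnutls_x509_tlsfeatures_add itself rejects out-of-range values is not visible in this diff. `<limits.h>` and `<stdint.h>` are already included in this file (see the include hunk), but `<errno.h>` is not among the includes shown and would need to be added. A smaller point: the whole body sits inside `if (batch)`, so in interactive mode the function silently does nothing; a one-line comment such as `/* Template-only option: no interactive prompt for TLS features. */` above the `if` would record that this is deliberate.
```c
		for (i = 0; cfg.tls_features[i]; ++i) {
			char *end = NULL;
			unsigned long v;

			errno = 0;
			v = strtoul(cfg.tls_features[i], &end, 10);
			/* Require a complete, in-range decimal: RFC 7633 features
			 * are TLS extension type numbers, which are 16-bit. */
			if (end == cfg.tls_features[i] || *end != '\0' ||
			    errno == ERANGE || v > UINT16_MAX) {
				fprintf(stderr, "invalid tls_feature value: %s\n",
					cfg.tls_features[i]);
				exit(1);
			}
			feature = (unsigned int)v;
			ret = gnutls_x509_tlsfeatures_add(features, feature);
			/* … unchanged: error check on ret … */
		}
```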
@@ -2112,6 +2114,8 @@ void generate_request(common_info_st * cinfo)
 		}
 		get_key_purpose_set(TYPE_CRQ, crq);
+
+		get_tlsfeatures_set(TYPE_CRQ, crq);
 	}
 	ret = gnutls_x509_crq_set_pubkey(crq, pubkey);