authorNikos Mavrogiannopoulos <nmav@gnutls.org>2016-06-14 13:23:03 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-06-14 13:52:12 +0200
commitf6f94538c319eaefcb398ad1e4e6f223bae3935a (patch)
tree0aee4e83cd4b1de5ee6bb3a72033bdc6ee92b5d1
parent07a281936e5e4bc7f9875873744dd40a701b1557 (diff)
downloadgnutls-f6f94538c319eaefcb398ad1e4e6f223bae3935a.tar.gz
certtool: allow copying specific certificate request extensions to certificate
This introduces the honor_crq_extension multi-line template option.
-rw-r--r--src/certtool-args.def4
-rw-r--r--src/certtool-cfg.c30
-rw-r--r--src/certtool-cfg.h2
-rw-r--r--src/certtool.c2
4 files changed, 34 insertions, 4 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index c62d2a478d..931cbe8832 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -908,6 +908,10 @@ encryption_key
# and store them in the real certificate.
#honor_crq_extensions
+# Alternatively only specific extensions can be copied.
+#honor_crq_ext = 2.5.29.17
+#honor_crq_ext = 2.5.29.15
+
# Path length contraint. Sets the maximum number of
# certificates that can be used to certify this certificate.
# (i.e. the certificate chain length)
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index ae428d5d35..b5bef5ffb8 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -126,6 +126,7 @@ static struct cfg_options available_options[] = {
{ .name = "path_len", .type = OPTION_NUMERIC },
{ .name = "ca", .type = OPTION_BOOLEAN },
{ .name = "honor_crq_extensions", .type = OPTION_BOOLEAN },
+ { .name = "honor_crq_ext", .type = OPTION_MULTI_LINE },
{ .name = "tls_www_client", .type = OPTION_BOOLEAN },
{ .name = "tls_www_server", .type = OPTION_BOOLEAN },
{ .name = "signing_key", .type = OPTION_BOOLEAN },
@@ -205,8 +206,9 @@ typedef struct _cfg_ctx {
char **key_purpose_oids;
int crl_next_update;
int64_t crl_number;
- int crq_extensions;
+ int honor_crq_extensions;
char *proxy_policy_language;
+ char **exts_to_honor;
char **ocsp_uris;
char **ca_issuers_uris;
char **tls_features;
@@ -509,7 +511,9 @@ int template_parse(const char *template)
READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);
READ_BOOLEAN("ca", cfg.ca);
- READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
+ READ_BOOLEAN("honor_crq_extensions", cfg.honor_crq_extensions);
+ READ_MULTI_LINE("honor_crq_ext", cfg.exts_to_honor);
+
READ_BOOLEAN("tls_www_client", cfg.tls_www_client);
READ_BOOLEAN("tls_www_server", cfg.tls_www_server);
READ_BOOLEAN("signing_key", cfg.signing_key);
@@ -1514,11 +1518,11 @@ int get_ca_status(void)
int get_crq_extensions_status(void)
{
if (batch) {
- return cfg.crq_extensions;
+ return cfg.honor_crq_extensions;
} else {
return
read_yesno
- ("Do you want to honour the extensions from the request? (y/N): ",
+ ("Do you want to honour all the extensions from the request? (y/N): ",
0);
}
}
@@ -2627,3 +2631,21 @@ void get_tlsfeatures_set(int type, void *crt)
gnutls_x509_tlsfeatures_deinit(features);
}
}
+
+void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
+{
+ int ret, i;
+
+ if (batch) {
+ if (!cfg.exts_to_honor)
+ return;
+
+ for (i = 0; cfg.exts_to_honor[i]; ++i) {
+ ret = gnutls_x509_crt_set_crq_extension_by_oid(crt, crq, cfg.exts_to_honor[i], 0);
+ if (ret < 0) {
+ fprintf(stderr, "setting extension failed: %s: %s\n", cfg.exts_to_honor[i],
+ gnutls_strerror(ret));
+ }
+ }
+ }
+}
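Review bot: A failed copy inside the loop only prints to stderr and continues, so crq_extensions_set returns void, its caller learns nothing, and certtool can still exit 0 with a certificate that lacks an extension the template explicitly asked for; the neighbouring error path in certtool.c (`gnutls_strerror(result); exit(1);`) treats comparable failures as fatal. Either add `exit(1);` after the fprintf to match that convention, or change the prototype to `int crq_extensions_set(...)` and `return ret;` on the first failure so generate_certificate decides. The non-batch branch is a silent no-op, which is presumably intended since the OID list only exists in the template, but it deserves a line such as `/* Only meaningful in batch mode: the OIDs come from honor_crq_ext template lines. */`. A short header comment stating that each OID in cfg.exts_to_honor is copied from the request into the certificate with flags 0 would also help, since the header declaration in certtool-cfg.h is undocumented.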
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index e792dd2c16..2c54d7f1af 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -98,3 +98,5 @@ void get_organization_crq_set(gnutls_x509_crq_t crq);
void get_country_crq_set(gnutls_x509_crq_t crq);
void get_oid_crq_set(gnutls_x509_crq_t crq);
const char *get_proxy_policy(char **policy, size_t * policylen);
+
+void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq);
diff --git a/src/certtool.c b/src/certtool.c
index 5896501aa9..28d7893f57 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -319,6 +319,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
gnutls_strerror(result));
exit(1);
}
+
+ crq_extensions_set(crt, crq);
}
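Review bot: The new call passes crq straight through, and whether crq is guaranteed non-NULL at this point is not visible in the hunk; generate_certificate's body starts well before it and, if the function can also be reached when a certificate is generated from a key rather than a request, the OID list would be applied to a null request. If the enclosing block is not already conditional on crq, guard the call with `if (crq) crq_extensions_set(crt, crq);`. If it is, a one-line comment `/* crq is non-NULL in this branch */` would make that obvious to the next reader.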