author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-06-14 13:23:03 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-06-14 13:52:12 +0200 |
commit | f6f94538c319eaefcb398ad1e4e6f223bae3935a (patch) | |
tree | 0aee4e83cd4b1de5ee6bb3a72033bdc6ee92b5d1 | |
parent | 07a281936e5e4bc7f9875873744dd40a701b1557 (diff) | |
download | gnutls-f6f94538c319eaefcb398ad1e4e6f223bae3935a.tar.gz |
certtool: allow copying specific certificate request extensions to certificate
This introduces the honor_crq_extension multi-line template option.
-rw-r--r-- | src/certtool-args.def | 4 | ||||
-rw-r--r-- | src/certtool-cfg.c | 30 | ||||
-rw-r--r-- | src/certtool-cfg.h | 2 | ||||
-rw-r--r-- | src/certtool.c | 2 |
4 files changed, 34 insertions, 4 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index c62d2a478d..931cbe8832 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -908,6 +908,10 @@ encryption_key
 # and store them in the real certificate.
 #honor_crq_extensions
+# Alternatively only specific extensions can be copied.
+#honor_crq_ext = 2.5.29.17
+#honor_crq_ext = 2.5.29.15
+
 # Path length contraint. Sets the maximum number of
 # certificates that can be used to certify this certificate.
 # (i.e. the certificate chain length)
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index ae428d5d35..b5bef5ffb8 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -126,6 +126,7 @@ static struct cfg_options available_options[] = {
 { .name = "path_len", .type = OPTION_NUMERIC },
 { .name = "ca", .type = OPTION_BOOLEAN },
 { .name = "honor_crq_extensions", .type = OPTION_BOOLEAN },
+ { .name = "honor_crq_ext", .type = OPTION_MULTI_LINE },
 { .name = "tls_www_client", .type = OPTION_BOOLEAN },
 { .name = "tls_www_server", .type = OPTION_BOOLEAN },
 { .name = "signing_key", .type = OPTION_BOOLEAN },
@@ -205,8 +206,9 @@ typedef struct _cfg_ctx {
 char **key_purpose_oids;
 int crl_next_update;
 int64_t crl_number;
- int crq_extensions;
+ int honor_crq_extensions;
 char *proxy_policy_language;
+ char **exts_to_honor;
 char **ocsp_uris;
 char **ca_issuers_uris;
 char **tls_features;
@@ -509,7 +511,9 @@ int template_parse(const char *template)
 READ_MULTI_LINE("ca_issuers_uri", cfg.ca_issuers_uris);
 READ_BOOLEAN("ca", cfg.ca);
- READ_BOOLEAN("honor_crq_extensions", cfg.crq_extensions);
+ READ_BOOLEAN("honor_crq_extensions", cfg.honor_crq_extensions);
+ READ_MULTI_LINE("honor_crq_ext", cfg.exts_to_honor);
+
 READ_BOOLEAN("tls_www_client", cfg.tls_www_client);
 READ_BOOLEAN("tls_www_server", cfg.tls_www_server);
 READ_BOOLEAN("signing_key", cfg.signing_key);
@@ -1514,11 +1518,11 @@ int get_ca_status(void)
 int get_crq_extensions_status(void)
 {
 if (batch) {
- return cfg.crq_extensions;
+ return cfg.honor_crq_extensions;
 } else {
 return read_yesno
- ("Do you want to honour the extensions from the request? (y/N): ",
+ ("Do you want to honour all the extensions from the request? (y/N): ",
 0);
 }
 }
@@ -2627,3 +2631,21 @@ void get_tlsfeatures_set(int type, void *crt)
 gnutls_x509_tlsfeatures_deinit(features);
 }
 }
+
+void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq)
+{
+ int ret, i;
+
+ if (batch) {
+ if (!cfg.exts_to_honor)
+ return;
+
+ for (i = 0; cfg.exts_to_honor[i]; ++i) {
+ ret = gnutls_x509_crt_set_crq_extension_by_oid(crt, crq, cfg.exts_to_honor[i], 0);
+ if (ret < 0) {
+ fprintf(stderr, "setting extension failed: %s: %s\n", cfg.exts_to_honor[i],
+ gnutls_strerror(ret));
+ }
+ }
+ }
+}
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index e792dd2c16..2c54d7f1af 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -98,3 +98,5 @@ void get_organization_crq_set(gnutls_x509_crq_t crq);
 void get_country_crq_set(gnutls_x509_crq_t crq);
 void get_oid_crq_set(gnutls_x509_crq_t crq);
 const char *get_proxy_policy(char **policy, size_t * policylen);
+
+void crq_extensions_set(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq);
diff --git a/src/certtool.c b/src/certtool.c
index 5896501aa9..28d7893f57 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -319,6 +319,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
 gnutls_strerror(result));
 exit(1);
 }
+
+ crq_extensions_set(crt, crq);
 }
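Review bot: A failing gnutls_x509_crt_set_crq_extension_by_oid() inside the loop of the new crq_extensions_set() is only printed to stderr and the loop carries on, so certtool can still issue the certificate without an extension the template explicitly asked to copy (for example a key-usage OID), whereas the neighbouring set call in the certtool.c hunk of this commit treats a failure as fatal with `exit(1)`. Since the copied data comes from the request, a CA operator should see a hard failure rather than a warning that is easy to miss in batch output; the minimal change is to add `exit(1);` after the `fprintf` in the `if (ret < 0)` branch, or to return `ret` and let the caller decide. Whether the library reports an OID that is absent from the request as an error is not visible here, so a mistyped OID in honor_crq_ext may currently be silent as well; worth checking. The function also does nothing when batch is unset and passes a literal `0` as the flags argument, neither of which is documented; a header comment such as `/* Copy the request extensions listed under honor_crq_ext into crt; template (batch) mode only, no-op otherwise. */` and a short comment naming what the final `0` means would make the contract clear.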
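Review bot: The new `crq_extensions_set(crt, crq);` call in generate_certificate() is unconditional, but the callee (earlier hunk in this commit) acts only in batch mode and only when honor_crq_ext entries exist, and nothing at the call site says so. How it interacts with the copy-all path driven by get_crq_extensions_status(), which from the `exit(1)` block just above appears to precede it, is not visible in the hunk; if both honor_crq_extensions and honor_crq_ext are set, the listed OIDs are presumably set a second time. A one-line comment at the call, `/* template mode only: copy the request extensions listed under honor_crq_ext */`, would spare the next reader a trip into certtool-cfg.c. generate_certificate() starts before and continues after the hunk.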