author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-11-17 18:21:48 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-11-17 18:21:48 +0100 |
commit | 08cb8780902de3c684912d7be6e638171cd61b96 (patch) | |
tree | 6b614f68e8be324c39ae81e50851ca0b25fba7a6 | |
parent | 4b2878da2d91081e84ffb2dda2dd0951f16fc4d7 (diff) | |
download | gnutls-08cb8780902de3c684912d7be6e638171cd61b96.tar.gz |
certtool: Allow to set the nonRepudiation, keyAgreement and dataEncipherment flags
-rw-r--r-- | src/certtool-args.def | 11 | ||||
-rw-r--r-- | src/certtool-cfg.c | 40 | ||||
-rw-r--r-- | src/certtool-cfg.h | 4 | ||||
-rw-r--r-- | src/certtool.c | 11 |
4 files changed, 66 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index b21d7bb787..7bf7f6e522 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -692,6 +692,17 @@ encryption_key
 # cRLSign flag in RFC5280 terminology.
 #crl_signing_key
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
 #### Extended key usage (key purposes)
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 0ed2d1d58b..999d71196c 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -117,6 +117,9 @@ static struct cfg_options available_options[] = {
 { .name = "ocsp_signing_key", .type = OPTION_BOOLEAN },
 { .name = "time_stamping_key", .type = OPTION_BOOLEAN },
 { .name = "ipsec_ike_key", .type = OPTION_BOOLEAN },
+ { .name = "key_agreement", .type = OPTION_BOOLEAN },
+ { .name = "data_encipherment", .type = OPTION_BOOLEAN },
+ { .name = "non_repudiation", .type = OPTION_BOOLEAN },
 };
 typedef struct _cfg_ctx {
@@ -158,6 +161,9 @@ typedef struct _cfg_ctx {
 int encryption_key;
 int cert_sign_key;
 int crl_sign_key;
+ int non_repudiation;
+ int data_encipherment;
+ int key_agreement;
 int code_sign_key;
 int ocsp_sign_key;
 int time_stamping_key;
@@ -429,6 +435,10 @@ int template_parse(const char *template)
 READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
 READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);
+ READ_BOOLEAN("data_encipherment", cfg.data_encipherment);
+ READ_BOOLEAN("key_agreement", cfg.key_agreement);
+ READ_BOOLEAN("non_repudiation", cfg.non_repudiation);
+
 optionUnloadNested(pov);
 return 0;
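Review bot: The three new comment blocks in src/certtool-args.def repeat the same two grammar slips: `It's purpose` should be `Its purpose` and `Not use it` should be `Do not use it`, so each block would read `# Its purpose is loosely defined. Do not use it unless required by a protocol.`. For the nonRepudiation entry it would also help readers to add that RFC 5280 notes this bit was renamed contentCommitment in later X.509 editions, since anyone checking the current specification will otherwise not find the name used here.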
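Review bot: The three new fields appear in a different order in each of the three src/certtool-cfg.c hunks: available_options lists key_agreement, data_encipherment, non_repudiation; the _cfg_ctx struct lists non_repudiation, data_encipherment, key_agreement; and template_parse reads data_encipherment, key_agreement, non_repudiation. Using one order in all three places (the available_options order is the natural choice, as it matches the template documentation) lets a reader confirm by eye that every option has both a struct field and a READ_BOOLEAN, which is how a silently ignored template option would otherwise slip through. This applies to the @@ -117, @@ -158 and @@ -429 hunks.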
@@ -1721,6 +1731,36 @@ int get_crl_sign_status(void)
 }
 }
+int get_key_agreement_status(void)
+{
+ if (batch) {
+ return cfg.key_agreement;
+ } else {
+ /* this option is not asked in interactive mode */
+ return 0;
+ }
+}
+
+int get_non_repudiation_status(void)
+{
+ if (batch) {
+ return cfg.non_repudiation;
+ } else {
+ /* this option is not asked in interactive mode */
+ return 0;
+ }
+}
+
+int get_data_encipherment_status(void)
+{
+ if (batch) {
+ return cfg.data_encipherment;
+ } else {
+ /* this option is not asked in interactive mode */
+ return 0;
+ }
+}
+
 int get_code_sign_status(void)
 {
 if (batch) {
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 30e927f064..e9ab30bff2 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -79,6 +79,10 @@ void get_dc_set(int type, void *crt);
 void get_ca_issuers_set(gnutls_x509_crt_t crt);
 void get_ocsp_issuer_set(gnutls_x509_crt_t crt);
+int get_key_agreement_status(void);
+int get_non_repudiation_status(void);
+int get_data_encipherment_status(void);
+
 void get_cn_crq_set(gnutls_x509_crq_t crq);
 void get_uid_crq_set(gnutls_x509_crq_t crq);
 void get_locality_crq_set(gnutls_x509_crq_t crq);
diff --git a/src/certtool.c b/src/certtool.c
index 0a97c1d0a1..e0f47192b5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -484,6 +484,17 @@ generate_certificate(gnutls_privkey_t * ret_key,
 }
 }
+ result = get_key_agreement_status();
+ if (result)
+ usage |= GNUTLS_KEY_KEY_AGREEMENT;
+
+ result = get_data_encipherment_status();
+ if (result)
+ usage |= GNUTLS_KEY_DATA_ENCIPHERMENT;
+
+ result = get_non_repudiation_status();
+ if (result)
+ usage |= GNUTLS_KEY_NON_REPUDIATION;
 if (ca_status) {
 result = get_cert_sign_status(); |
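Review bot: The three new getters in src/certtool-cfg.c have byte-identical bodies apart from the field read, and each collapses to a single line such as `return batch ? cfg.key_agreement : 0;`, which reads the same while removing the triplicated branch. The interactive-mode comment is then better stated once above the group, e.g. `/* keyAgreement, dataEncipherment and nonRepudiation are template-only: interactive mode never prompts for them, so they read as unset (0) unless batch is set. */`, so the batch-only contract is documented where the functions are defined rather than repeated three times.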
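Review bot: The three new bits are OR'ed into `usage` in src/certtool.c without any check that they fit the key being certified, so a template with `key_agreement` on an RSA key, or `data_encipherment` on an EC signing key, yields a certificate asserting a key usage the key cannot actually perform (RFC 5280 §4.2.1.3 describes keyAgreement in terms of key-agreement keys such as Diffie-Hellman). Rejecting, or at least warning about, such combinations at this point, where the key's algorithm is already known, would catch a misconfigured template before it is signed. Whether `usage` is only applied when non-zero, and whether the request-generation path builds the same mask from the template, is outside the hunk; if it does, the same three bits presumably belong there as well. As a point of style the `result` temporary is not needed here: `if (get_key_agreement_status()) usage |= GNUTLS_KEY_KEY_AGREEMENT;` is shorter and reads the same. generate_certificate both starts and ends outside the hunk.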