authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-11-17 18:21:48 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-11-17 18:21:48 +0100
commit08cb8780902de3c684912d7be6e638171cd61b96 (patch)
tree6b614f68e8be324c39ae81e50851ca0b25fba7a6
parent4b2878da2d91081e84ffb2dda2dd0951f16fc4d7 (diff)
downloadgnutls-08cb8780902de3c684912d7be6e638171cd61b96.tar.gz
certtool: Allow to set the nonRepudiation, keyAgreement and dataEncipherment flags
-rw-r--r--src/certtool-args.def11
-rw-r--r--src/certtool-cfg.c40
-rw-r--r--src/certtool-cfg.h4
-rw-r--r--src/certtool.c11
4 files changed, 66 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index b21d7bb787..7bf7f6e522 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -692,6 +692,17 @@ encryption_key
# cRLSign flag in RFC5280 terminology.
#crl_signing_key
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
#### Extended key usage (key purposes)
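Review bot: The three new template comments repeat the same wording slips: "It's purpose" should be "Its purpose", and "Not use it unless required by a protocol" should read "Do not use it unless required by a protocol", e.g. `# The keyAgreement flag of RFC5280. Its purpose is loosely` / `# defined. Do not use it unless required by a protocol.`. Since this block is what users read when enabling a key-usage bit, it may also be worth a sentence saying that keyAgreement and dataEncipherment describe what the key is allowed to do and are only meaningful for key types that can actually perform that operation; the hunk does not show whether certtool checks that elsewhere, so phrase it as guidance rather than a guarantee.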
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 0ed2d1d58b..999d71196c 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -117,6 +117,9 @@ static struct cfg_options available_options[] = {
{ .name = "ocsp_signing_key", .type = OPTION_BOOLEAN },
{ .name = "time_stamping_key", .type = OPTION_BOOLEAN },
{ .name = "ipsec_ike_key", .type = OPTION_BOOLEAN },
+ { .name = "key_agreement", .type = OPTION_BOOLEAN },
+ { .name = "data_encipherment", .type = OPTION_BOOLEAN },
+ { .name = "non_repudiation", .type = OPTION_BOOLEAN },
};
typedef struct _cfg_ctx {
@@ -158,6 +161,9 @@ typedef struct _cfg_ctx {
int encryption_key;
int cert_sign_key;
int crl_sign_key;
+ int non_repudiation;
+ int data_encipherment;
+ int key_agreement;
int code_sign_key;
int ocsp_sign_key;
int time_stamping_key;
@@ -429,6 +435,10 @@ int template_parse(const char *template)
READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);
+ READ_BOOLEAN("data_encipherment", cfg.data_encipherment);
+ READ_BOOLEAN("key_agreement", cfg.key_agreement);
+ READ_BOOLEAN("non_repudiation", cfg.non_repudiation);
+
optionUnloadNested(pov);
return 0;
@@ -1721,6 +1731,36 @@ int get_crl_sign_status(void)
}
}
+int get_key_agreement_status(void)
+{
+ if (batch) {
+ return cfg.key_agreement;
+ } else {
+ /* this option is not asked in interactive mode */
+ return 0;
+ }
+}
+
+int get_non_repudiation_status(void)
+{
+ if (batch) {
+ return cfg.non_repudiation;
+ } else {
+ /* this option is not asked in interactive mode */
+ return 0;
+ }
+}
+
+int get_data_encipherment_status(void)
+{
+ if (batch) {
+ return cfg.data_encipherment;
+ } else {
+ /* this option is not asked in interactive mode */
+ return 0;
+ }
+}
+
int get_code_sign_status(void)
{
if (batch) {
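Review bot: The three new getters in this hunk are copies of one another differing only in the field read, and each carries the same "not asked in interactive mode" comment, so the repetition is the thing I would trim: a one-line helper such as `static int batch_only(int value) { return batch ? value : 0; }` lets each getter become `return batch_only(cfg.key_agreement);` (and likewise for non_repudiation and data_encipherment). The comment about interactive mode then moves onto the helper once instead of three times. get_code_sign_status, which begins on the last context line, visibly opens with the same `if (batch)` shape, so the helper could presumably serve the existing getters as well if their else-branches match — their bodies lie outside this hunk and should be checked first.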
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 30e927f064..e9ab30bff2 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -79,6 +79,10 @@ void get_dc_set(int type, void *crt);
void get_ca_issuers_set(gnutls_x509_crt_t crt);
void get_ocsp_issuer_set(gnutls_x509_crt_t crt);
+int get_key_agreement_status(void);
+int get_non_repudiation_status(void);
+int get_data_encipherment_status(void);
+
void get_cn_crq_set(gnutls_x509_crq_t crq);
void get_uid_crq_set(gnutls_x509_crq_t crq);
void get_locality_crq_set(gnutls_x509_crq_t crq);
diff --git a/src/certtool.c b/src/certtool.c
index 0a97c1d0a1..e0f47192b5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -484,6 +484,17 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
}
+ result = get_key_agreement_status();
+ if (result)
+ usage |= GNUTLS_KEY_KEY_AGREEMENT;
+
+ result = get_data_encipherment_status();
+ if (result)
+ usage |= GNUTLS_KEY_DATA_ENCIPHERMENT;
+
+ result = get_non_repudiation_status();
+ if (result)
+ usage |= GNUTLS_KEY_NON_REPUDIATION;
if (ca_status) {
result = get_cert_sign_status();