certtool: Allow writing unique IDs in generated certificates

author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2015-11-12 12:03:14 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2015-11-12 12:05:06 +0100
commit: 37480283983681f4b4c910ad05e82c8917b6c06a (patch)
tree: 60f2d8604c35f105bd8920a759c6f2d51f66f719 /src
parent: 2c595568261e9cbbe7ae0a23007b202a2a717346 (diff)
download: gnutls-37480283983681f4b4c910ad05e82c8917b6c06a.tar.gz
4 files changed, 62 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index af2c41bfab..91c6a59883 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -747,6 +747,12 @@ challenge_password = 123456
 # Whether this is a CA certificate or not
 #ca
 
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
 #### Key usage
 
 # The following key usage flags are used by CAs and end certificates
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 540ee42658..1bae6ec8c9 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -97,6 +97,8 @@ static struct cfg_options available_options[] = {
 	{ .name = "dn", .type = OPTION_STRING },
 	{ .name = "cn", .type = OPTION_STRING },
 	{ .name = "uid", .type = OPTION_STRING },
+	{ .name = "subject_unique_id", .type = OPTION_STRING },
+	{ .name = "issuer_unique_id", .type = OPTION_STRING },
 	{ .name = "challenge_password", .type = OPTION_STRING },
 	{ .name = "password", .type = OPTION_STRING },
 	{ .name = "pkcs9_email", .type = OPTION_STRING },
@@ -139,6 +141,10 @@ typedef struct _cfg_ctx {
 	char *dn;
 	char *cn;
 	char *uid;
+	uint8_t *subject_unique_id;
+	unsigned subject_unique_id_size;
+	uint8_t *issuer_unique_id;
+	unsigned issuer_unique_id_size;
 	char *challenge_password;
 	char *pkcs9_email;
 	char *country;
@@ -277,6 +283,18 @@ void cfg_init(void)
         s_name = strtol(val->v.strVal, NULL, 10); \
     }
 
+#define HEX_DECODE(hex, output, output_size) \
+	{ \
+		gnutls_datum_t _input = {(void*)hex, strlen(hex)}; \
+		gnutls_datum_t _output; \
+		ret = gnutls_hex_decode2(&_input, &_output); \
+		if (ret < 0) { \
+			fprintf(stderr, "error in hex ID: %s\n", hex); \
+			exit(1); \
+		} \
+		output = _output.data; \
+		output_size = _output.size; \
+	}
 
 static int handle_option(const tOptionValue* val)
 {
@@ -307,6 +325,7 @@ int template_parse(const char *template)
 {
 	/* Parsing return code */
 	unsigned int i;
+	int ret;
 	tOptionValue const *pov;
 	const tOptionValue *val, *prev;
 	char tmpstr[256];
@@ -358,6 +377,14 @@ int template_parse(const char *template)
 	if (val != NULL && val->valType == OPARG_TYPE_STRING)
 		cfg.uid = strdup(val->v.strVal);
 
+	val = optionGetValue(pov, "issuer_unique_id");
+	if (val != NULL && val->valType == OPARG_TYPE_STRING)
+		HEX_DECODE(val->v.strVal, cfg.issuer_unique_id, cfg.issuer_unique_id_size);
+
+	val = optionGetValue(pov, "subject_unique_id");
+	if (val != NULL && val->valType == OPARG_TYPE_STRING)
+		HEX_DECODE(val->v.strVal, cfg.subject_unique_id, cfg.subject_unique_id_size);
+
 	val = optionGetValue(pov, "challenge_password");
 	if (val != NULL && val->valType == OPARG_TYPE_STRING)
 		cfg.challenge_password = strdup(val->v.strVal);
@@ -962,6 +989,32 @@ void crt_constraints_set(gnutls_x509_crt_t crt)
 	}
 }
 
+void crt_unique_ids_set(gnutls_x509_crt_t crt)
+{
+	int ret;
+
+	if (batch) {
+		if (cfg.subject_unique_id == NULL && cfg.issuer_unique_id == NULL)
+			return; /* nothing to do */
+
+		if (cfg.subject_unique_id) {
+			ret = gnutls_x509_crt_set_subject_unique_id(crt, cfg.subject_unique_id, cfg.subject_unique_id_size);
+			if (ret < 0) {
+				fprintf(stderr, "error setting subject unique ID: %s\n", gnutls_strerror(ret));
+				exit(1);
+			}
+		}
+
+		if (cfg.issuer_unique_id) {
+			ret = gnutls_x509_crt_set_issuer_unique_id(crt, cfg.issuer_unique_id, cfg.issuer_unique_id_size);
+			if (ret < 0) {
+				fprintf(stderr, "error setting issuer unique ID: %s\n", gnutls_strerror(ret));
+				exit(1);
+			}
+		}
+	}
+}
+
 void get_uid_crt_set(gnutls_x509_crt_t crt)
 {
 	int ret;
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 2c7240daa2..1942ad867b 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -81,6 +81,7 @@ int get_ipsec_ike_status(void);
 void get_dc_set(int type, void *crt);
 void get_ca_issuers_set(gnutls_x509_crt_t crt);
 void get_ocsp_issuer_set(gnutls_x509_crt_t crt);
+void crt_unique_ids_set(gnutls_x509_crt_t crt);
 
 int get_key_agreement_status(void);
 int get_non_repudiation_status(void);
diff --git a/src/certtool.c b/src/certtool.c
index b7e9d32eaf..9926a722f1 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -448,6 +448,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
 			}
 		}
 
+		crt_unique_ids_set(crt);
+
 		is_ike = get_ipsec_ike_status();
 		server = get_tls_server_status();
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2015-11-12 12:03:14 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2015-11-12 12:05:06 +0100
commit	37480283983681f4b4c910ad05e82c8917b6c06a (patch)
tree	60f2d8604c35f105bd8920a759c6f2d51f66f719 /src
parent	2c595568261e9cbbe7ae0a23007b202a2a717346 (diff)
download	gnutls-37480283983681f4b4c910ad05e82c8917b6c06a.tar.gz