Diffstat (limited to 'src/certtool.c')
-rw-r--r-- | src/certtool.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 34188f4c6d..35438daafa 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -373,7 +373,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
 get_oid_crt_set(crt);
 get_key_purpose_set(TYPE_CRT, crt);
- get_extensions_crt_set(TYPE_CRT, crt);
 if (!batch)
 fprintf(stderr,
@@ -467,6 +466,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
 }
 }
+ get_extensions_crt_set(TYPE_CRT, crt);
+
 /* append additional extensions */
 if (cinfo->v1_cert == 0) {
@@ -1422,6 +1423,20 @@ static void cmd_parser(int argc, char **argv)
 cinfo.password = "";
 }
+ if (HAVE_OPT(VERIFY_PROFILE)) {
+ if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) {
+ cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN;
+ } else {
+ cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE));
+ }
+ } else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) {
+ fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n");
+ fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n");
+ }
+ /* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */
+ }
+
 if (HAVE_OPT(SIGN_PARAMS))
 sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS));
@@ -2395,6 +2410,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo,
 }
 vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME;
+ vflags |= GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile);
 if (HAVE_OPT(VERIFY_ALLOW_BROKEN))
 vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; |
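Review bot: The strcasecmp test in the new --verify-profile handling in cmd_parser is inverted: strcasecmp returns 0 on a match, so the literal "none" takes the gnutls_certificate_verification_profile_get_id() branch while every real profile name ("low", "medium", ...) lands in the first branch and stores GNUTLS_PROFILE_UNKNOWN, which the new GNUTLS_PROFILE_TO_VFLAGS line in _verify_x509_mem presumably turns into no profile bits at all, so the requested profile is silently not enforced. The condition should read `if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {`. With that corrected, an unrecognised profile name (a typo such as `--verify-profile mediun`) would still reach the same unknown value if gnutls_certificate_verification_profile_get_id() returns GNUTLS_PROFILE_UNKNOWN for names it does not know, as its naming suggests; after the get_id call, compare the result against GNUTLS_PROFILE_UNKNOWN and exit with an error that names the rejected argument instead of falling through to verification. cmd_parser's body continues outside the hunk on both sides.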