/**
* Maximum number of options in a command (+1)
*/
-#define MAX_OPTIONS 24
+#define MAX_OPTIONS 32
/**
* Maximum number of usage summary lines (+1)
#include "pki.h"
#include <debug.h>
+#include <asn1/asn1.h>
#include <utils/linked_list.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/pkcs10.h>
/**
+ * Free cert policy with OID
+ */
+static void destroy_cert_policy(x509_cert_policy_t *policy)
+{
+ free(policy->oid.ptr);
+ free(policy);
+}
+
+/**
* Issue a certificate using a CA certificate and key
*/
static int issue()
char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
char *error = NULL, *keyid = NULL;
identification_t *id = NULL, *crl_issuer = NULL;;
- linked_list_t *san, *cdps, *ocsp, *permitted, *excluded;
+ linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies;
int lifetime = 1095;
int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
chunk_t serial = chunk_empty;
time_t not_before, not_after;
x509_flag_t flags = 0;
x509_t *x509;
+ x509_cert_policy_t *policy = NULL;
char *arg;
san = linked_list_create();
ocsp = linked_list_create();
permitted = linked_list_create();
excluded = linked_list_create();
+ policies = linked_list_create();
while (TRUE)
{
excluded->insert_last(excluded,
identification_create_from_string(arg));
continue;
+ case 'P':
+ {
+ chunk_t oid;
+
+ oid = asn1_oid_from_string(arg);
+ if (!oid.len)
+ {
+ return command_usage("--cert-policy OID invalid");
+ }
+ INIT(policy,
+ .oid = oid,
+ );
+ policies->insert_last(policies, policy);
+ continue;
+ }
+ case 'C':
+ if (!policy)
+ {
+ return command_usage("--cps-uri must follow a --cert-policy");
+ }
+ policy->cps_uri = arg;
+ continue;
+ case 'U':
+ if (!policy)
+ {
+ return command_usage("--user-notice must follow a --cert-policy");
+ }
+ policy->unotice_text = arg;
+ continue;
case 'e':
if (streq(arg, "serverAuth"))
{
BUILD_CRL_DISTRIBUTION_POINTS, cdps,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
- BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, BUILD_END);
+ BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
+ BUILD_CERTIFICATE_POLICIES, policies, BUILD_END);
if (!cert)
{
error = "generating certificate failed";
san->destroy_offset(san, offsetof(identification_t, destroy));
permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+ policies->destroy_function(policies, (void*)destroy_cert_policy);
cdps->destroy(cdps);
ocsp->destroy(ocsp);
DESTROY_IF(crl_issuer);
san->destroy_offset(san, offsetof(identification_t, destroy));
permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+ policies->destroy_function(policies, (void*)destroy_cert_policy);
cdps->destroy(cdps);
ocsp->destroy(ocsp);
DESTROY_IF(crl_issuer);
"[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
"[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
"[--nc-permitted name] [--nc-excluded name]",
+ "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"pathlen", 'p', 1, "set path length constraint"},
{"nc-permitted",'n', 1, "add permitted NameConstraint"},
{"nc-excluded", 'N', 1, "add excluded NameConstraint"},
+ {"cert-policy", 'P', 1, "certificatePolicy OID to include"},
+ {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
+ {"user-notice", 'U', 1, "user notice for certificatePolicy"},
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
#include "pki.h"
+#include <asn1/asn1.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>
char *uri;
int len;
x509_flag_t flags;
+ x509_cert_policy_t *policy;
chunk = x509->get_serial(x509);
printf("serial: %#B\n", &chunk);
}
enumerator->destroy(enumerator);
+ first = TRUE;
+ enumerator = x509->create_cert_policy_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ char *oid;
+
+ if (first)
+ {
+ printf("CertificatePolicies:\n");
+ first = FALSE;
+ }
+ oid = asn1_oid_to_string(policy->oid);
+ if (oid)
+ {
+ printf(" %s\n", oid);
+ free(oid);
+ }
+ else
+ {
+ printf(" %#B\n", &policy->oid);
+ }
+ if (policy->cps_uri)
+ {
+ printf(" CPS: %s\n", policy->cps_uri);
+ }
+ if (policy->unotice_text)
+ {
+ printf(" Notice: %s\n", policy->unotice_text);
+
+ }
+ }
+ enumerator->destroy(enumerator);
+
chunk = x509->get_authKeyIdentifier(x509);
if (chunk.ptr)
{
#include <utils/linked_list.h>
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
+#include <asn1/asn1.h>
+
+/**
+ * Free cert policy with OID
+ */
+static void destroy_cert_policy(x509_cert_policy_t *policy)
+{
+ free(policy->oid.ptr);
+ free(policy);
+}
/**
* Create a self signed certificate.
public_key_t *public = NULL;
char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
identification_t *id = NULL;
- linked_list_t *san, *ocsp, *permitted, *excluded;
+ linked_list_t *san, *ocsp, *permitted, *excluded, *policies;
int lifetime = 1095;
int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after;
x509_flag_t flags = 0;
+ x509_cert_policy_t *policy = NULL;
char *arg;
san = linked_list_create();
ocsp = linked_list_create();
permitted = linked_list_create();
excluded = linked_list_create();
+ policies = linked_list_create();
while (TRUE)
{
excluded->insert_last(excluded,
identification_create_from_string(arg));
continue;
+ case 'P':
+ {
+ chunk_t oid;
+
+ oid = asn1_oid_from_string(arg);
+ if (!oid.len)
+ {
+ return command_usage("--cert-policy OID invalid");
+ }
+ INIT(policy,
+ .oid = oid,
+ );
+ policies->insert_last(policies, policy);
+ continue;
+ }
+ case 'C':
+ if (!policy)
+ {
+ return command_usage("--cps-uri must follow a --cert-policy");
+ }
+ policy->cps_uri = arg;
+ continue;
+ case 'U':
+ if (!policy)
+ {
+ return command_usage("--user-notice must follow a --cert-policy");
+ }
+ policy->unotice_text = arg;
+ continue;
case 'e':
if (streq(arg, "serverAuth"))
{
BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
- BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, BUILD_END);
+ BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
+ BUILD_CERTIFICATE_POLICIES, policies, BUILD_END);
if (!cert)
{
error = "generating certificate failed";
san->destroy_offset(san, offsetof(identification_t, destroy));
permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+ policies->destroy_function(policies, (void*)destroy_cert_policy);
ocsp->destroy(ocsp);
free(encoding.ptr);
free(serial.ptr);
san->destroy_offset(san, offsetof(identification_t, destroy));
permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+ policies->destroy_function(policies, (void*)destroy_cert_policy);
ocsp->destroy(ocsp);
return command_usage(error);
}
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
"[--nc-permitted name] [--nc-excluded name]",
+ "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"pathlen", 'p', 1, "set path length constraint"},
{"nc-permitted",'n', 1, "add permitted NameConstraint"},
{"nc-excluded", 'N', 1, "add excluded NameConstraint"},
+ {"cert-policy", 'P', 1, "certificatePolicy OID to include"},
+ {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
+ {"user-notice", 'U', 1, "user notice for certificatePolicy"},
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},