ipsec pki --issue supports --flag ocspSigning option
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 5 Oct 2009 19:20:42 +0000 (21:20 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 5 Oct 2009 19:20:42 +0000 (21:20 +0200)
src/libstrongswan/plugins/x509/x509_cert.c
src/pki/commands/issue.c

index 5472611..b4ed143 100644 (file)
@@ -1267,7 +1267,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                         private_key_t *sign_key, int digest_alg)
 {
-       chunk_t extensions = chunk_empty;
+       chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
        chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
        chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
        chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
@@ -1373,8 +1373,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        /* build CA basicConstraint for CA certificates */
        if (cert->flags & X509_CA)
        {
-               chunk_t keyid;
-
                basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
                                                                asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
                                                                asn1_wrap(ASN1_BOOLEAN, "c",
@@ -1383,7 +1381,23 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                                asn1_wrap(ASN1_SEQUENCE, "m",
                                                                                        asn1_wrap(ASN1_BOOLEAN, "c",
                                                                                                chunk_from_chars(0xFF)))));
-               /* add subjectKeyIdentifier to CA certificates */
+       }
+
+       /* add ocspSigning extendedKeyUsage */
+       if (cert->flags & X509_OCSP_SIGNER)
+       {
+               extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm ",
+                                                               asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
+                                                               asn1_wrap(ASN1_OCTET_STRING, "m",
+                                                                       asn1_wrap(ASN1_SEQUENCE, "m",
+                                                                               asn1_build_known_oid(OID_OCSP_SIGNING))));
+       }
+
+       /* add subjectKeyIdentifier to CA and OCSP signer certificates */
+       if (cert->flags & (X509_CA | X509_OCSP_SIGNER))
+       {
+               chunk_t keyid;
+
                if (cert->public_key->get_fingerprint(cert->public_key,
                                                                                          KEY_ID_PUBKEY_SHA1, &keyid))
                {
@@ -1393,8 +1407,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                                asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
                }
        }
+
+       /* add the keyid authKeyIdentifier for non self-signed certificates */
        if (sign_key)
-       {       /* add the keyid authKeyIdentifier for non self-signed certificates */
+       {
                chunk_t keyid;
 
                if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid))
@@ -1410,10 +1426,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                crlDistributionPoints.ptr)
        {
                extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmm",
+                                               asn1_wrap(ASN1_SEQUENCE, "mmmmmmm",
                                                        basicConstraints, subjectKeyIdentifier,
                                                        authKeyIdentifier, subjectAltNames,
-                                                       crlDistributionPoints, authorityInfoAccess));
+                                                       extendedKeyUsage, crlDistributionPoints,
+                                                       authorityInfoAccess));
        }
 
        cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
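Review bot: The condition that decides whether an extensions block is emitted at all (its first terms are above this hunk; only `crlDistributionPoints.ptr)` is visible) was not extended with the new extendedKeyUsage chunk, so a certificate whose only extension would be the EKU gets none, and the already-built chunk is presumably leaked like the other unwrapped chunks would be. In the --issue path this is likely masked because an OCSP signer also receives subjectKeyIdentifier and authKeyIdentifier, but which of those terms are in the guard is not visible from here, and generate() is also the builder for self-signed certificates where sign_key is NULL. Add the new chunk to the guard alongside the others, e.g. `crlDistributionPoints.ptr || extendedKeyUsage.ptr)`.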
index 3e1835d..c71e9b5 100644 (file)
@@ -103,6 +103,12 @@ static int issue()
                        case 'b':
                                flags |= X509_CA;
                                continue;
+                       case 'f':
+                               if (streq(arg, "ocspSigning"))
+                               {
+                                       flags |= X509_OCSP_SIGNER;
+                               }
+                               continue;
                        case 'u':
                                cdps->insert_last(cdps, arg);
                                continue;
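Review bot: The new `case 'f'` accepts only `ocspSigning` and silently ignores any other value, so a typo or an unsupported flag yields a certificate without the requested extendedKeyUsage and no error — for a tool that issues certificates, silently dropping a requested constraint is the wrong failure mode. Reject unknown values instead, e.g. `else { fprintf(stderr, "unsupported --flag value: %s\n", arg); return 1; }`, using whatever error/usage exit the other option cases of issue() take (the rest of the function is outside the hunk, so I cannot see whether lists such as cdps need freeing on that path).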
@@ -327,6 +333,7 @@ static void __attribute__ ((constructor))reg()
                {"[--in file] [--type pub|pkcs10]",
                 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
+                "[--flag serverAuth|ocspSigning]+",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
                {
                        {"help",        'h', 0, "show usage information"},
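Review bot: The usage line added here advertises `[--flag serverAuth|ocspSigning]+`, but the parser introduced in the same commit (case 'f' in issue(), above) only recognises ocspSigning, so `--flag serverAuth` passes the option loop and is then dropped without any EKU being emitted. Either implement serverAuth in both issue() and generate() with the corresponding x509 flag and OID (if the x509_flag_t enum already has one), or narrow the usage to `"[--flag ocspSigning]+",` until it exists so the documented interface matches what the code does.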
@@ -339,6 +346,7 @@ static void __attribute__ ((constructor))reg()
                        {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
                        {"serial",      's', 1, "serial number in hex, default: random"},
                        {"ca",          'b', 0, "include CA basicConstraint, default: no"},
+                       {"flag",        'f', 1, "include extendedKeyUsage flag"},
                        {"crl",         'u', 1, "CRL distribution point URI to include"},
                        {"ocsp",        'o', 1, "OCSP AuthorityInfoAccess URI to include"},
                        {"digest",      'g', 1, "digest for signature creation, default: sha1"},