pki tool can set CA basicConstraint on --self/--issued certificates
authorMartin Willi <martin@strongswan.org>
Tue, 8 Sep 2009 08:39:04 +0000 (10:39 +0200)
committerMartin Willi <martin@strongswan.org>
Tue, 8 Sep 2009 08:39:04 +0000 (10:39 +0200)
src/pki/pki.c

index 951d541..c6eb82e 100644 (file)
@@ -67,6 +67,7 @@ static int usage(char *error)
        fprintf(out, "        --lifetime days the certificate is valid, default: 1080\n");
        fprintf(out, "        --serial   serial number in hex, default: random\n");
        fprintf(out, "        --digest   digest for signature creation, default: sha1\n");
+       fprintf(out, "        --ca       include CA basicConstraint, default: no\n");
        fprintf(out, "  pki --issue [--in file] [--type pub|pkcs10]\n");
        fprintf(out, "              --cacert file --cakey file --dn subject-dn\n");
        fprintf(out, "              [--lifetime days] [--serial hex]\n");
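Review bot: The --issue synopsis printed right after the new help line (`pki --issue [--in file] [--type pub|pkcs10]` … `[--lifetime days] [--serial hex]`) does not mention the new `--ca` switch, so a reader who only skims the synopsis will not learn that --issue can produce a CA certificate; the --self synopsis above this hunk presumably has the same gap. Append it to the bracketed options, e.g. `fprintf(out, "              [--lifetime days] [--serial hex] [--ca]\n");`, and do the same for the --self form. usage() starts before this hunk and continues past it.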
@@ -80,10 +81,11 @@ static int usage(char *error)
        fprintf(out, "        --lifetime days the certificate is valid, default: 1080\n");
        fprintf(out, "        --serial   serial number in hex, default: random\n");
        fprintf(out, "        --digest   digest for signature creation, default: sha1\n");
+       fprintf(out, "        --ca       include CA basicConstraint, default: no\n");
        fprintf(out, "  pki --verify [--in file] [--ca file]\n");
        fprintf(out, "      verify a certificate using the CA certificate\n");
        fprintf(out, "        --in       x509 certifcate to verify, default: stdin\n");
-       fprintf(out, "        --ca       CA certificate, default: verify self signed\n");
+       fprintf(out, "        --cacert   CA certificate, default: verify self signed\n");
        return !!error;
 }
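Review bot: The --verify synopsis on the context line `pki --verify [--in file] [--ca file]` still names the option `--ca`, while the help line directly below and the verify long_opts hunk at the bottom of this diff rename it to `--cacert`; the synopsis should read `fprintf(out, "  pki --verify [--in file] [--cacert file]\n");` so the three places agree. The rename also drops the old spelling without keeping it as an alias, so an existing `pki --verify --ca file` invocation will presumably land in getopt_long's unknown-option path; if that break is intended the commit message could say so, otherwise keeping a second `{ "ca", required_argument, NULL, 'c' }` entry in verify's long_opts preserves it. usage() continues outside the hunk.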
 
@@ -494,6 +496,7 @@ static int self(int argc, char *argv[])
        int lifetime = 1080;
        chunk_t serial, encoding;
        time_t not_before, not_after;
+       x509_flag_t flags = 0;
 
        struct option long_opts[] = {
                { "type", required_argument, NULL, 't' },
@@ -502,6 +505,7 @@ static int self(int argc, char *argv[])
                { "lifetime", required_argument, NULL, 'l' },
                { "serial", required_argument, NULL, 's' },
                { "digest", required_argument, NULL, 'h' },
+               { "ca", no_argument, NULL, 'c' },
                { 0,0,0,0 }
        };
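Review bot: The new `--ca` entry is tagged with the short code 'c' here but with 'b' in issue()'s long_opts further down (the hunk containing `{ "ca", no_argument, NULL, 'b' }`), presumably because 'c' is already taken by --cacert in issue(); the asymmetry is easy to misread as a typo. A one-line comment on the issue() entry such as `/* 'b': 'c' is taken by --cacert in issue() */` would make it deliberate. Neither hunk shows the optstring passed to getopt_long; if it is non-empty rather than "", the new letter has to be added there as well or the option will not be recognised. self() starts before this hunk and continues past it.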
 
@@ -546,6 +550,9 @@ static int self(int argc, char *argv[])
                        case 's':
                                hex = optarg;
                                continue;
+                       case 'c':
+                               flags |= X509_CA;
+                               continue;
                        case EOF:
                                break;
                        default:
@@ -613,7 +620,8 @@ static int self(int argc, char *argv[])
                                                BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
                                                BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
                                                BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
-                                               BUILD_DIGEST_ALG, digest, BUILD_END);
+                                               BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
+                                               BUILD_END);
        private->destroy(private);
        public->destroy(public);
        id->destroy(id);
@@ -655,6 +663,7 @@ static int issue(int argc, char *argv[])
        int lifetime = 1080;
        chunk_t serial, encoding;
        time_t not_before, not_after;
+       x509_flag_t flags = 0;
 
        struct option long_opts[] = {
                { "type", required_argument, NULL, 't' },
@@ -665,6 +674,7 @@ static int issue(int argc, char *argv[])
                { "lifetime", required_argument, NULL, 'l' },
                { "serial", required_argument, NULL, 's' },
                { "digest", required_argument, NULL, 'h' },
+               { "ca", no_argument, NULL, 'b' },
                { 0,0,0,0 }
        };
 
@@ -707,6 +717,9 @@ static int issue(int argc, char *argv[])
                        case 's':
                                hex = optarg;
                                continue;
+                       case 'b':
+                               flags |= X509_CA;
+                               continue;
                        case EOF:
                                break;
                        default:
@@ -816,7 +829,7 @@ static int issue(int argc, char *argv[])
                                        BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
                                        BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
                                        BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
-                                       BUILD_END);
+                                       BUILD_X509_FLAG, flags, BUILD_END);
        private->destroy(private);
        public->destroy(public);
        ca->destroy(ca);
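Review bot: With `BUILD_X509_FLAG, flags` the issued certificate can now carry the CA basicConstraint, so `--issue --ca` produces a subordinate CA, but nothing in this hunk checks that the signing certificate loaded from --cacert is itself a CA, and no path-length constraint can be requested; a sub-CA signed by a non-CA certificate will be rejected by any conforming chain validation, and the mistake only surfaces at verification time rather than at issuing time. If the x509 builder does not enforce this itself (not visible here), testing the loaded CA certificate's flags for X509_CA where it is read in — outside this hunk — and refusing with a clear error message would be a cheap safeguard, and a short comment on the builder call noting that `flags` may set cA=TRUE would document the new responsibility. issue() starts before and ends after this hunk.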
@@ -856,7 +869,7 @@ static int verify(int argc, char *argv[])
 
        struct option long_opts[] = {
                { "in", required_argument, NULL, 'i' },
-               { "ca", required_argument, NULL, 'c' },
+               { "cacert", required_argument, NULL, 'c' },
                { 0,0,0,0 }
        };