pki --issue/self support permitted/excluded NameConstraints
authorMartin Willi <martin@revosec.ch>
Thu, 9 Dec 2010 15:29:22 +0000 (16:29 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:00 +0000 (16:46 +0100)
src/pki/command.c
src/pki/commands/issue.c
src/pki/commands/self.c

index b9c35d9..ebf2c56 100644 (file)
@@ -201,7 +201,7 @@ int command_usage(char *error)
                }
                for (i = 0; cmds[active].options[i].name; i++)
                {
-                       fprintf(out, "        --%-8s (-%c)  %s\n",
+                       fprintf(out, "        --%-12s (-%c)  %s\n",
                                        cmds[active].options[i].name, cmds[active].options[i].op,
                                        cmds[active].options[i].desc);
                }
index f1af5eb..6fa3ff9 100644 (file)
@@ -37,7 +37,7 @@ static int issue()
        char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
        char *error = NULL, *keyid = NULL;
        identification_t *id = NULL, *crl_issuer = NULL;;
-       linked_list_t *san, *cdps, *ocsp;
+       linked_list_t *san, *cdps, *ocsp, *permitted, *excluded;
        int lifetime = 1095;
        int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
        chunk_t serial = chunk_empty;
@@ -50,6 +50,8 @@ static int issue()
        san = linked_list_create();
        cdps = linked_list_create();
        ocsp = linked_list_create();
+       permitted = linked_list_create();
+       excluded = linked_list_create();
 
        while (TRUE)
        {
@@ -111,6 +113,14 @@ static int issue()
                        case 'p':
                                pathlen = atoi(arg);
                                continue;
+                       case 'n':
+                               permitted->insert_last(permitted,
+                                                                          identification_create_from_string(arg));
+                               continue;
+                       case 'N':
+                               excluded->insert_last(excluded,
+                                                                         identification_create_from_string(arg));
+                               continue;
                        case 'e':
                                if (streq(arg, "serverAuth"))
                                {
@@ -325,7 +335,9 @@ static int issue()
                                        BUILD_PATHLEN, pathlen,
                                        BUILD_CRL_ISSUER, crl_issuer,
                                        BUILD_CRL_DISTRIBUTION_POINTS, cdps,
-                                       BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
+                                       BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
+                                       BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
+                                       BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, BUILD_END);
        if (!cert)
        {
                error = "generating certificate failed";
@@ -350,6 +362,8 @@ end:
        DESTROY_IF(public);
        DESTROY_IF(private);
        san->destroy_offset(san, offsetof(identification_t, destroy));
+       permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+       excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
        cdps->destroy(cdps);
        ocsp->destroy(ocsp);
        DESTROY_IF(crl_issuer);
@@ -365,6 +379,8 @@ end:
 
 usage:
        san->destroy_offset(san, offsetof(identification_t, destroy));
+       permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+       excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
        cdps->destroy(cdps);
        ocsp->destroy(ocsp);
        DESTROY_IF(crl_issuer);
@@ -383,6 +399,7 @@ static void __attribute__ ((constructor))reg()
                 " --cacert file --dn subject-dn [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
                 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+                "[--nc-permitted name] [--nc-excluded name]",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
                {
                        {"help",                'h', 0, "show usage information"},
@@ -397,6 +414,8 @@ static void __attribute__ ((constructor))reg()
                        {"serial",              's', 1, "serial number in hex, default: random"},
                        {"ca",                  'b', 0, "include CA basicConstraint, default: no"},
                        {"pathlen",             'p', 1, "set path length constraint"},
+                       {"nc-permitted",'n', 1, "add permitted NameConstraint"},
+                       {"nc-excluded", 'N', 1, "add excluded NameConstraint"},
                        {"flag",                'e', 1, "include extendedKeyUsage flag"},
                        {"crl",                 'u', 1, "CRL distribution point URI to include"},
                        {"crlissuer",   'I', 1, "CRL Issuer for CRL at distribution point"},
index d15b1e2..b073b07 100644 (file)
@@ -34,7 +34,7 @@ static int self()
        public_key_t *public = NULL;
        char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
        identification_t *id = NULL;
-       linked_list_t *san, *ocsp;
+       linked_list_t *san, *ocsp, *permitted, *excluded;
        int lifetime = 1095;
        int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
        chunk_t serial = chunk_empty;
@@ -45,6 +45,8 @@ static int self()
 
        san = linked_list_create();
        ocsp = linked_list_create();
+       permitted = linked_list_create();
+       excluded = linked_list_create();
 
        while (TRUE)
        {
@@ -104,6 +106,14 @@ static int self()
                        case 'p':
                                pathlen = atoi(arg);
                                continue;
+                       case 'n':
+                               permitted->insert_last(permitted,
+                                                                          identification_create_from_string(arg));
+                               continue;
+                       case 'N':
+                               excluded->insert_last(excluded,
+                                                                         identification_create_from_string(arg));
+                               continue;
                        case 'e':
                                if (streq(arg, "serverAuth"))
                                {
@@ -210,7 +220,9 @@ static int self()
                                                BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
                                                BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
                                                BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
-                                               BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
+                                               BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
+                                               BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
+                                               BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, BUILD_END);
        if (!cert)
        {
                error = "generating certificate failed";
@@ -233,6 +245,8 @@ end:
        DESTROY_IF(public);
        DESTROY_IF(private);
        san->destroy_offset(san, offsetof(identification_t, destroy));
+       permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+       excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
        ocsp->destroy(ocsp);
        free(encoding.ptr);
        free(serial.ptr);
@@ -246,6 +260,8 @@ end:
 
 usage:
        san->destroy_offset(san, offsetof(identification_t, destroy));
+       permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+       excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
        ocsp->destroy(ocsp);
        return command_usage(error);
 }
@@ -262,22 +278,25 @@ static void __attribute__ ((constructor))reg()
                 " --dn distinguished-name [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
                 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+                "[--nc-permitted name] [--nc-excluded name]",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
                {
-                       {"help",        'h', 0, "show usage information"},
-                       {"in",          'i', 1, "private key input file, default: stdin"},
-                       {"keyid",       'x', 1, "keyid on smartcard of private key"},
-                       {"type",        't', 1, "type of input key, default: rsa"},
-                       {"dn",          'd', 1, "subject and issuer distinguished name"},
-                       {"san",         'a', 1, "subjectAltName to include in certificate"},
-                       {"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
-                       {"serial",      's', 1, "serial number in hex, default: random"},
-                       {"ca",          'b', 0, "include CA basicConstraint, default: no"},
-                       {"pathlen",     'p', 1, "set path length constraint"},
-                       {"flag",        'e', 1, "include extendedKeyUsage flag"},
-                       {"ocsp",        'o', 1, "OCSP AuthorityInfoAccess URI to include"},
-                       {"digest",      'g', 1, "digest for signature creation, default: sha1"},
-                       {"outform",     'f', 1, "encoding of generated cert, default: der"},
+                       {"help",                'h', 0, "show usage information"},
+                       {"in",                  'i', 1, "private key input file, default: stdin"},
+                       {"keyid",               'x', 1, "keyid on smartcard of private key"},
+                       {"type",                't', 1, "type of input key, default: rsa"},
+                       {"dn",                  'd', 1, "subject and issuer distinguished name"},
+                       {"san",                 'a', 1, "subjectAltName to include in certificate"},
+                       {"lifetime",    'l', 1, "days the certificate is valid, default: 1095"},
+                       {"serial",              's', 1, "serial number in hex, default: random"},
+                       {"ca",                  'b', 0, "include CA basicConstraint, default: no"},
+                       {"pathlen",             'p', 1, "set path length constraint"},
+                       {"nc-permitted",'n', 1, "add permitted NameConstraint"},
+                       {"nc-excluded", 'N', 1, "add excluded NameConstraint"},
+                       {"flag",                'e', 1, "include extendedKeyUsage flag"},
+                       {"ocsp",                'o', 1, "OCSP AuthorityInfoAccess URI to include"},
+                       {"digest",              'g', 1, "digest for signature creation, default: sha1"},
+                       {"outform",             'f', 1, "encoding of generated cert, default: der"},
                }
        });
 }