author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-05-15 06:38:31 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2004-05-15 06:38:31 +0000 |
commit | cc54e551119433d50b27930a5c5d77bed4c30ebb (patch) | |
tree | 9baac91c9edd271f8886e8e1b287a11e0d5e742f | |
parent | 144f107143ceff80a2eb642c40eab39485516c87 (diff) | |
download | gnutls-cc54e551119433d50b27930a5c5d77bed4c30ebb.tar.gz |
certtool now has support for more X.520 DN attribute types.
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | configure.in | 5 | ||||
-rw-r--r-- | doc/certtool.cfg | 6 | ||||
-rw-r--r-- | lib/pkix.asn | 30 | ||||
-rw-r--r-- | libextra/Makefile.am | 3 | ||||
-rw-r--r-- | src/certtool-cfg.c | 53 | ||||
-rw-r--r-- | src/certtool.c | 6 |
7 files changed, 88 insertions, 16 deletions
@@ -3,6 +3,7 @@ Version 1.0.14 certificates. - Updates in the documentation. - certtool can now add ip address SAN extension. +- certtool has now support for more X.520 DN attribute types. - Opencdk library is being included if not found. Version 1.0.13 (29/04/2004)
diff --git a/configure.in b/configure.in
index 8be013ea1e..4996e784a2 100644
--- a/configure.in
+++ b/configure.in
@@ -480,7 +480,8 @@ fi if test x"$minilzo_enabled" = xyes; then AC_DEFINE(USE_MINILZO, 1, [whether to use the included minilzo]) else -LZO_LINK=-llzo +LZO_LIBS=-llzo +AC_SUBST(LZO_LIBS) fi dnl use lzo
@@ -526,7 +527,7 @@ AC_SUBST(LIBGNUTLS_CFLAGS) SERV_LIBS="$LIBS $SERV_LIBS" AC_SUBST(SERV_LIBS) -LIBGNUTLS_EXTRA_LIBS="-L${libdir} -lgnutls-extra -lgnutls $LIBOPENCDK_LIBS $LZO_LINK" +LIBGNUTLS_EXTRA_LIBS="-L${libdir} -lgnutls-extra -lgnutls $LIBOPENCDK_LIBS $LZO_LIBS" LIBGNUTLS_EXTRA_CFLAGS="$LIBOPENCDK_CFLAGS -I${includedir}" AC_SUBST(LIBGNUTLS_EXTRA_LIBS)
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 14879a14a4..bd9ca316c6 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -23,6 +23,12 @@ cn = "Cindy Lauper" # A user id of the certificate owner. #uid = "clauper" +# If the support DN OIDs are not adequate you can set +# any OID here. +# For example set the X.520 Title and the X.520 Pseudonym +# by using OID and string pairs. +#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal" + # This is deprecated and should not be used in new # certificates. # pkcs9_email = "none@none.org"
diff --git a/lib/pkix.asn b/lib/pkix.asn
index 5a2f93d73d..95b6e32cc7 100644
--- a/lib/pkix.asn
+++ b/lib/pkix.asn
@@ -196,21 +196,14 @@ id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint DistributionPoint ::= SEQUENCE { - distributionPoint [0] DistributionPointName OPTIONAL, + distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL, reasons [1] ReasonFlags OPTIONAL, cRLIssuer [2] GeneralNames OPTIONAL } --- original definition: --- DistributionPointName ::= CHOICE { --- fullName [0] GeneralNames, --- nameRelativeToCRLIssuer [1] RelativeDistinguishedName ---} --- This does not work since it does not tag elements. - -DistributionPointName ::= SEQUENCE { - fullName [0] GeneralNames OPTIONAL, - nameRelativeToCRLIssuer [1] RelativeDistinguishedName OPTIONAL +DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } ReasonFlags ::= BIT STRING {
@@ -441,15 +434,30 @@ X520OrganizationalUnitName ::= DirectoryString id-at-title AttributeType ::= {id-at 12} X520Title ::= DirectoryString +id-at-description AttributeType ::= {id-at 13} +X520Description ::= DirectoryString + id-at-dnQualifier AttributeType ::= {id-at 46} X520dnQualifier ::= PrintableString id-at-countryName AttributeType ::= {id-at 6} X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes +id-at-serialNumber AttributeType ::= {id-at 5} +X520serialNumber ::= PrintableString + +id-at-telephoneNumber AttributeType ::= {id-at 20} +X520telephoneNumber ::= PrintableString + +id-at-facsimileTelephoneNumber AttributeType ::= {id-at 23} +X520facsimileTelephoneNumber ::= PrintableString + id-at-pseudonym AttributeType ::= {id-at 65} X520pseudonym ::= DirectoryString +id-at-name AttributeType ::= {id-at 41} +X520name ::= DirectoryString + id-at-streetAddress AttributeType ::= {id-at 9} X520streetAddress ::= DirectoryString
diff --git a/libextra/Makefile.am b/libextra/Makefile.am
index b8a97332f1..67e7fa9b47 100644
--- a/libextra/Makefile.am
+++ b/libextra/Makefile.am
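Review bot: The `EXPLICIT` added to `distributionPoint` is what makes the return to `DistributionPointName ::= CHOICE` legal, since a CHOICE type cannot carry an implicit tag, but the hunk also deletes the comment block that recorded why the SEQUENCE work-around existed, so nothing now explains the keyword to the next reader. A short comment above the `DistributionPoint` definition would keep that knowledge: `-- distributionPoint is EXPLICIT because DistributionPointName is a CHOICE, which cannot be implicitly tagged.` The explicit [0] wrapper around the chosen alternative should produce the same octets as the former implicit [0] SEQUENCE holding the [0] fullName, so DER written by earlier releases presumably still decodes, but that is inferred from the tagging rules rather than shown here and is worth confirming against a CRL distribution point produced by a previous certtool build.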
@@ -45,9 +45,6 @@ if ENABLE_INCLUDED_LZO LZO_OBJECTS = minilzo.c else -if USE_LZO -LZO_LIBS = -llzo -endif LZO_OBJECTS = endif
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index ef578ebd09..cb9ad0e44e 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -46,6 +46,7 @@ typedef struct _cfg_ctx char *dns_name; char* ip_addr; char *email; + char **dn_oid; char *crl_dist_points; char *password; char *pkcs12_key_name;
@@ -96,6 +97,9 @@ int template_parse(const char *template) {NULL, '\0', "dns_name", CFG_STR, (void *) &cfg.dns_name, 0}, {NULL, '\0', "ip_address", CFG_STR, (void *) &cfg.ip_addr, 0}, {NULL, '\0', "email", CFG_STR, (void *) &cfg.email, 0}, + + {NULL, '\0', "dn_oid", CFG_STR+CFG_MULTI_SEPARATED, (void *) &cfg.dn_oid, 0}, + {NULL, '\0', "crl_dist_points", CFG_STR, (void *) &cfg.crl_dist_points, 0}, {NULL, '\0', "pkcs12_key_name", CFG_STR, (void *) &cfg.pkcs12_key_name, 0},
@@ -369,6 +373,30 @@ int ret; } +void get_oid_crt_set( gnutls_x509_crt crt) +{ +int ret, i; + if (batch) { + if (!cfg.dn_oid) return; + for( i = 0; cfg.dn_oid[i] != NULL; i+=2) { + if (cfg.dn_oid[i+1]==NULL) { + fprintf(stderr, "dn_oid: %s does not have an argument.\n", + cfg.dn_oid[i]); + exit(1); + } + ret = gnutls_x509_crt_set_dn_by_oid(crt, cfg.dn_oid[i], 0, + cfg.dn_oid[i+1], strlen(cfg.dn_oid[i+1])); + + if (ret < 0) { + fprintf(stderr, "set_dn_oid: %s\n", gnutls_strerror(ret)); + exit(1); + } + } + } + +} + void get_pkcs9_email_crt_set( gnutls_x509_crt crt) {
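Review bot: `get_oid_crt_set` has no header comment, and two of its behaviours are not obvious from the neighbouring getters: it is a no-op unless `batch` is set (there is no interactive prompt for arbitrary OIDs), and it exits the process on an odd number of `dn_oid` entries or on any setter error. Suggested comment above the function: `/* Adds the OID/value pairs from the template's dn_oid entry to the DN. Batch mode only; exits on an unpaired OID or a set_dn_by_oid error. */`. Note also that an empty value string is passed through with `strlen` 0, so whether a zero-length attribute is accepted is left to `gnutls_x509_crt_set_dn_by_oid`, and a malformed OID string from the template is likewise only caught by the `ret < 0` check. The `get_oid_crq_set` added in the next hunk is the same loop apart from the final setter call, so the pair validation and both error messages are duplicated and will drift; the same comment belongs there, or the pair walk could be shared by one static helper.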
@@ -698,4 +726,29 @@ int ret; } +void get_oid_crq_set( gnutls_x509_crq crq) +{ +int ret, i; + if (batch) { + if (!cfg.dn_oid) return; + for( i = 0; cfg.dn_oid[i] != NULL; i+=2) { + if (cfg.dn_oid[i+1]==NULL) { + fprintf(stderr, "dn_oid: %s does not have an argument.\n", + cfg.dn_oid[i]); + exit(1); + } + ret = gnutls_x509_crq_set_dn_by_oid(crq, cfg.dn_oid[i], 0, + cfg.dn_oid[i+1], strlen(cfg.dn_oid[i+1])); + + if (ret < 0) { + fprintf(stderr, "set_dn_oid: %s\n", gnutls_strerror(ret)); + exit(1); + } + } + } + +} + + #endif
diff --git a/src/certtool.c b/src/certtool.c
index f133226c11..620ddcf73f 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -246,6 +246,8 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key, fprintf(stderr, "Please enter the details of the certificate's distinguished name. " "Just press enter to ignore a field.\n"); + /* set the DN. + */ get_country_crt_set( crt); get_organization_crt_set(crt); get_unit_crt_set( crt);
@@ -253,6 +255,7 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key, get_state_crt_set( crt); get_cn_crt_set( crt); get_uid_crt_set( crt); + get_oid_crt_set( crt); if (!batch) fprintf(stderr, "This field should not be used in new certificates.\n");
@@ -1640,6 +1643,8 @@ void generate_request(void) */ key = generate_private_key_int(); + /* Set the DN. + */ get_country_crq_set( crq); get_organization_crq_set(crq); get_unit_crq_set( crq);
@@ -1647,6 +1652,7 @@ void generate_request(void) get_state_crq_set( crq); get_cn_crq_set( crq); get_uid_crq_set( crq); +get_oid_crq_set( crq); ret = gnutls_x509_crq_set_version( crq, 1); if (ret < 0) { |
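Review bot: The new `/* set the DN. */` comment in generate_certificate does not say that the `get_oid_crt_set( crt)` call added in the following hunk acts in batch mode only, while the prompt text printed just above ("Please enter the details of the certificate's distinguished name") suggests every getter in the chain asks a question; a reader of the interactive path will look for a dn_oid prompt that never comes. I would extend it to `/* Set the DN. dn_oid pairs from the template are applied by get_oid_crt_set in batch mode only. */` and do the same for the `Set the DN.` comment in generate_request before `get_oid_crq_set( crq)`. The two comments also differ in capitalisation (`set` vs `Set`); one form would do. generate_certificate and generate_request both start and end outside these hunks.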