authorNikos Mavrogiannopoulos <nmav@gnutls.org>2010-10-02 23:30:08 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2010-10-02 23:30:08 +0200
commite468763b03ec470c1aec999efbc5b74821e4457f (patch)
tree091c03dc2fa864f81284e3540fd51cd0a797404e
parent256f3817f97398d89f59d20b654445b07eab6cdc (diff)
downloadgnutls-e468763b03ec470c1aec999efbc5b74821e4457f.tar.gz
Applied patch on IKE extension by Micah Anderson
-rw-r--r--src/certtool.c43
1 files changed, 24 insertions, 19 deletions
diff --git a/src/certtool.c b/src/certtool.c
index e4fbb75878..794a0d6b6d 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -361,7 +361,7 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
size_t size;
int ret;
int client;
- int days, result, ca_status = 0, path_len;
+ int days, result, ca_status = 0, is_ike = 0, path_len;
int vers;
unsigned int usage = 0, server;
gnutls_x509_crq_t crq; /* request */
@@ -513,17 +513,18 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (result));
}
+ is_ike = get_ipsec_ike_status ();
server = get_tls_server_status ();
+ if ((server != 0 && !proxy) || is_ike)
+ {
+ get_dns_name_set (TYPE_CRT, crt);
+ get_ip_addr_set (TYPE_CRT, crt);
+ }
+
if (server != 0)
{
result = 0;
- if (!proxy)
- {
- get_dns_name_set (TYPE_CRT, crt);
- get_ip_addr_set (TYPE_CRT, crt);
- }
-
result =
gnutls_x509_crt_set_key_purpose_oid (crt,
GNUTLS_KP_TLS_WWW_SERVER, 0);
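Review bot: The rewritten condition `if ((server != 0 && !proxy) || is_ike)` lets the IKE option bypass the `!proxy` guard, so a proxy certificate generated with the IKE flag now receives dNSName/iPAddress subjectAltName entries that the removed lines below deliberately kept out of proxy certificates. If that guard exists because proxy certificates are not meant to carry subjectAltName (RFC 3820 is the usual reason, though the hunk does not say), the IKE case belongs inside it: `if (!proxy && (server != 0 || is_ike))`. Since `is_ike` now changes which extensions are emitted, a one-line comment above the block would help the next reader, e.g. `/* IKE peers are matched on subjectAltName, so collect DNS/IP names for IKE certs too */`. generate_certificate begins before this hunk, so the definitions of `proxy` and `get_ipsec_ike_status` are not visible here.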
@@ -555,6 +556,17 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
}
else
usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+
+ if (is_ike)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_IPSEC_IKE,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
}
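Review bot: Whether the new `if (is_ike)` block covers both server and non-server certificates cannot be told from this hunk: the block enclosing it opens before the hunk, while the next hunk removes the previous IKE key-purpose block from a different location (old lines 603-615) that closes just before `if (usage != 0)`. If the enclosing branch here is the `server != 0` one and the removed block lived in the client branch, an IKE certificate generated without the TLS server option no longer gets GNUTLS_KP_IPSEC_IKE, which would be a regression rather than a move. Please confirm `is_ike` is honoured on both paths, or hoist the block out of the if/else so it runs once for either role, e.g. directly before `if (usage != 0)`. The failure message `"key_kp: %s"` is also shared with the TLS server purpose a few lines up, so a failing run cannot say which purpose was rejected; `"ike key_kp: %s"` would disambiguate. A short comment on the block, `/* Mark the certificate usable for IPsec IKE peer authentication */`, would make the intent explicit.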
@@ -603,22 +615,15 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
error (EXIT_FAILURE, 0, "key_kp: %s",
gnutls_strerror (result));
}
-
- result = get_ipsec_ike_status ();
- if (result)
- {
- result =
- gnutls_x509_crt_set_key_purpose_oid (crt,
- GNUTLS_KP_IPSEC_IKE,
- 0);
- if (result < 0)
- error (EXIT_FAILURE, 0, "key_kp: %s",
- gnutls_strerror (result));
- }
}
if (usage != 0)
{
+ /* http://tools.ietf.org/html/rfc4945#section-5.1.3.2: if any KU is
+ set, then either digitalSignature or the nonRepudiation bits in the
+ KeyUsage extension MUST for all IKE certs */
+ if (is_ike && (get_sign_status (server) != 1))
+ usage |= GNUTLS_KEY_NON_REPUDIATION;
result = gnutls_x509_crt_set_key_usage (crt, usage);
if (result < 0)
error (EXIT_FAILURE, 0, "key_usage: %s",