authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-20 00:12:14 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-20 00:19:32 +0100
commita221c87220a212680a74e8fdcf840b02bdaa22fa (patch)
treeaea70513aa3f0a355295b13b0c8aaf70dad8aa01
parentccb7b18b21c199207fe89d63940ca34c420a29a1 (diff)
downloadgnutls-a221c87220a212680a74e8fdcf840b02bdaa22fa.tar.gz
certtool is able to set certificate policies via a template
-rw-r--r--NEWS2
-rw-r--r--doc/invoke-certtool.texi13
-rw-r--r--src/certtool-args.c2
-rw-r--r--src/certtool-args.def11
-rw-r--r--src/certtool-args.h2
-rw-r--r--src/certtool-cfg.c75
-rw-r--r--src/certtool-cfg.h1
-rw-r--r--src/certtool.c1
8 files changed, 104 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index b415b13c7d..289b9553db 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ affected combined levels. Patch by Tim Kosse.
--load-privkey in order to print the corresponding public key of a private
key.
+** certtool: It is able to set certificate policies via a template.
+
** p11tool: After key generation, outputs the public key (useful in
tokens that do not store the public key).
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 329c26dca1..ed521186a8 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed November 11, 2012 at 08:40:03 PM by AutoGen 5.16
+# It has been AutoGen-ed November 20, 2012 at 12:17:13 AM by AutoGen 5.16
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -543,9 +543,20 @@ signing_key
# CA issuers URI
# ca_issuers_uri = http://my.ca.issuer
+# Certificate policies
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
+
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
+
+
# Options for proxy certificates
# proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
# Options for generating a CRL
# next CRL update will be in 43 days (wow)
diff --git a/src/certtool-args.c b/src/certtool-args.c
index 26d78f9178..33f7ad071f 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.c)
*
- * It has been AutoGen-ed November 11, 2012 at 08:37:40 PM by AutoGen 5.16
+ * It has been AutoGen-ed November 20, 2012 at 12:12:56 AM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 480c16eb6c..34c2d42d8d 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -633,9 +633,20 @@ signing_key
# CA issuers URI
# ca_issuers_uri = http://my.ca.issuer
+# Certificate policies
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
+
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
+
+
# Options for proxy certificates
# proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
# Options for generating a CRL
# next CRL update will be in 43 days (wow)
diff --git a/src/certtool-args.h b/src/certtool-args.h
index 6c0b9449c2..46af66d63f 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
*
* DO NOT EDIT THIS FILE (certtool-args.h)
*
- * It has been AutoGen-ed November 11, 2012 at 08:37:40 PM by AutoGen 5.16
+ * It has been AutoGen-ed November 20, 2012 at 12:12:55 AM by AutoGen 5.16
* From the definitions certtool-args.def
* and the template file options
*
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 768c58d7c8..c2cf1c1234 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -61,6 +61,9 @@ typedef struct _cfg_ctx
char *challenge_password;
char *pkcs9_email;
char *country;
+ char **policy_oid;
+ char *policy_txt[MAX_ENTRIES];
+ char *policy_url[MAX_ENTRIES];
char **dc;
char **dns_name;
char **uri;
@@ -182,6 +185,7 @@ template_parse (const char *template)
unsigned int i;
tOptionValue const * pov;
const tOptionValue* val;
+ char tmpstr[256];
pov = configFileLoad(template);
if (pov == NULL)
@@ -232,6 +236,29 @@ template_parse (const char *template)
if (val != NULL && val->valType == OPARG_TYPE_STRING)
cfg.country = strdup(val->v.strVal);
+ READ_MULTI_LINE("policy", cfg.policy_oid);
+
+ if (cfg.policy_oid != NULL)
+ {
+ int i = 0;
+ while(cfg.policy_oid[i] != NULL)
+ {
+ snprintf(tmpstr, sizeof(tmpstr), "policy%d_url", i+1);
+ val = optionGetValue(pov, tmpstr);
+ if (val != NULL && val->valType == OPARG_TYPE_STRING)
+ cfg.policy_url[i] = strdup(val->v.strVal);
+
+ snprintf(tmpstr, sizeof(tmpstr), "policy%d_txt", i+1);
+ val = optionGetValue(pov, tmpstr);
+ if (val != NULL && val->valType == OPARG_TYPE_STRING)
+ {
+ cfg.policy_txt[i] = strdup(val->v.strVal);
+ }
+
+ i++;
+ }
+ }
+
READ_MULTI_LINE("dc", cfg.dc);
READ_MULTI_LINE("dns_name", cfg.dns_name);
READ_MULTI_LINE("uri", cfg.uri);
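Review bot: The loop `while(cfg.policy_oid[i] != NULL)` indexes `cfg.policy_txt[i]` and `cfg.policy_url[i]`, which are fixed `MAX_ENTRIES`-sized arrays in `cfg`, without ever comparing `i` against that bound; unless READ_MULTI_LINE (not visible in this hunk) guarantees the list never holds more than MAX_ENTRIES entries, a template with more `policy` lines than that writes past the two arrays. The same unbounded index is used again by the `for` loop in get_policy_set further down in this file. Bounding the condition keeps the parser safe regardless of what the macro does: `while (i < MAX_ENTRIES && cfg.policy_oid[i] != NULL)`. The inner `int i = 0;` also shadows the function-scope `unsigned int i` declared at the top of template_parse, which -Wshadow will flag; reusing the outer variable or picking a distinct name avoids that. template_parse starts and ends outside this hunk.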
@@ -1212,6 +1239,54 @@ get_dns_name_set (int type, void *crt)
}
void
+get_policy_set (gnutls_x509_crt_t crt)
+{
+ int ret = 0, i;
+ gnutls_x509_policy_st policy;
+
+ if (batch)
+ {
+ if (!cfg.policy_oid)
+ return;
+
+ for (i = 0; cfg.policy_oid[i] != NULL; i++)
+ {
+ memset(&policy, 0, sizeof(policy));
+ policy.oid = cfg.policy_oid[i];
+
+ if (cfg.policy_txt[i] != NULL)
+ {
+ policy.qualifier[policy.qualifiers].type = GNUTLS_X509_QUALIFIER_NOTICE;
+ policy.qualifier[policy.qualifiers].data = cfg.policy_txt[i];
+ policy.qualifier[policy.qualifiers].size = strlen(cfg.policy_txt[i]);
+ policy.qualifiers++;
+ }
+
+ if (cfg.policy_url[i] != NULL)
+ {
+ policy.qualifier[policy.qualifiers].type = GNUTLS_X509_QUALIFIER_URI;
+ policy.qualifier[policy.qualifiers].data = cfg.policy_url[i];
+ policy.qualifier[policy.qualifiers].size = strlen(cfg.policy_url[i]);
+ policy.qualifiers++;
+ }
+
+fprintf(stderr, "setting policy %s with %d qualifiers\n", policy.oid, policy.qualifiers);
+
+ ret =
+ gnutls_x509_crt_set_policy (crt, &policy, 0);
+ if (ret < 0)
+ break;
+ }
+ }
+
+ if (ret < 0)
+ {
+ fprintf (stderr, "set_policy: %s\n", gnutls_strerror (ret));
+ exit (1);
+ }
+}
+
+void
get_uri_set (int type, void *crt)
{
int ret = 0, i;
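Review bot: The unconditional `fprintf(stderr, "setting policy %s with %d qualifiers\n", policy.oid, policy.qualifiers);` inside the loop of get_policy_set looks like leftover debugging output — it sits at column 0 unlike the rest of the body and prints on every successful run — so it should be removed, or guarded by the tool's verbose option if one exists. `policy.qualifiers` is incremented without checking it against the capacity of `policy.qualifier[]`; with at most one NOTICE and one URI qualifier per policy that cannot overflow today, but a comment such as `/* at most two qualifiers per policy: NOTICE and URI */` above the first increment records the invariant for whoever adds a third. The signature `get_policy_set (gnutls_x509_crt_t crt)` departs from the sibling `get_*_set (int type, void *crt)` helpers declared around it; if policies are intentionally certificate-only (no CRQ support), a one-line comment on the function saying so would explain the difference.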
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 878ecac34f..bcb96d7428 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -67,6 +67,7 @@ int get_encrypt_status (int server);
int get_sign_status (int server);
void get_ip_addr_set (int type, void *crt);
void get_dns_name_set (int type, void *crt);
+void get_policy_set (gnutls_x509_crt_t);
void get_uri_set (int type, void *crt);
void get_email_set (int type, void *crt);
int get_ipsec_ike_status (void);
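Review bot: The new prototype `void get_policy_set (gnutls_x509_crt_t);` drops the parameter name while every neighbouring declaration keeps one; `void get_policy_set (gnutls_x509_crt_t crt);` matches the surrounding style and documents the argument at the call site. This line also makes the header depend on the `gnutls_x509_crt_t` type, so the gnutls x509 header must already be included before it — that include is not visible in the hunk and is worth confirming.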
diff --git a/src/certtool.c b/src/certtool.c
index 2f2eca7263..dd34e3ac29 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -399,6 +399,7 @@ generate_certificate (gnutls_privkey_t * ret_key,
get_dns_name_set (TYPE_CRT, crt);
get_uri_set (TYPE_CRT, crt);
get_ip_addr_set (TYPE_CRT, crt);
+ get_policy_set (crt);
if (server != 0)
{