author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-11-20 00:12:14 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-11-20 00:19:32 +0100 |
commit | a221c87220a212680a74e8fdcf840b02bdaa22fa (patch) | |
tree | aea70513aa3f0a355295b13b0c8aaf70dad8aa01 | |
parent | ccb7b18b21c199207fe89d63940ca34c420a29a1 (diff) | |
download | gnutls-a221c87220a212680a74e8fdcf840b02bdaa22fa.tar.gz |
certtool is able to set certificate policies via a template
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | doc/invoke-certtool.texi | 13 | ||||
-rw-r--r-- | src/certtool-args.c | 2 | ||||
-rw-r--r-- | src/certtool-args.def | 11 | ||||
-rw-r--r-- | src/certtool-args.h | 2 | ||||
-rw-r--r-- | src/certtool-cfg.c | 75 | ||||
-rw-r--r-- | src/certtool-cfg.h | 1 | ||||
-rw-r--r-- | src/certtool.c | 1 |
8 files changed, 104 insertions, 3 deletions
@@ -19,6 +19,8 @@ affected combined levels. Patch by Tim Kosse.
 --load-privkey in order to print the corresponding public key of a private key.
+** certtool: It is able to set certificate policies via a template.
+
 ** p11tool: After key generation, outputs the public key (useful in tokens that do not store the public key).
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 329c26dca1..ed521186a8 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -6,7 +6,7 @@
 #
 # DO NOT EDIT THIS FILE (invoke-certtool.texi)
 #
-# It has been AutoGen-ed November 11, 2012 at 08:40:03 PM by AutoGen 5.16
+# It has been AutoGen-ed November 20, 2012 at 12:17:13 AM by AutoGen 5.16
 # From the definitions ../src/certtool-args.def
 # and the template file agtexi-cmd.tpl
 @end ignore
@@ -543,9 +543,20 @@ signing_key
 # CA issuers URI
 # ca_issuers_uri = http://my.ca.issuer
+# Certificate policies
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
+
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
+
+
 # Options for proxy certificates
 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
 # Options for generating a CRL
 # next CRL update will be in 43 days (wow)
diff --git a/src/certtool-args.c b/src/certtool-args.c
index 26d78f9178..33f7ad071f 100644
--- a/src/certtool-args.c
+++ b/src/certtool-args.c
@@ -2,7 +2,7 @@
 *
 * DO NOT EDIT THIS FILE (certtool-args.c)
 *
- * It has been AutoGen-ed November 11, 2012 at 08:37:40 PM by AutoGen 5.16
+ * It has been AutoGen-ed November 20, 2012 at 12:12:56 AM by AutoGen 5.16
 * From the definitions certtool-args.def
 * and the template file options
 *
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 480c16eb6c..34c2d42d8d 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -633,9 +633,20 @@ signing_key
 # CA issuers URI
 # ca_issuers_uri = http://my.ca.issuer
+# Certificate policies
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
+
+# policy = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
+
+
 # Options for proxy certificates
 # proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
 # Options for generating a CRL
 # next CRL update will be in 43 days (wow)
diff --git a/src/certtool-args.h b/src/certtool-args.h
index 6c0b9449c2..46af66d63f 100644
--- a/src/certtool-args.h
+++ b/src/certtool-args.h
@@ -2,7 +2,7 @@
 *
 * DO NOT EDIT THIS FILE (certtool-args.h)
 *
- * It has been AutoGen-ed November 11, 2012 at 08:37:40 PM by AutoGen 5.16
+ * It has been AutoGen-ed November 20, 2012 at 12:12:55 AM by AutoGen 5.16
 * From the definitions certtool-args.def
 * and the template file options
 *
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 768c58d7c8..c2cf1c1234 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -61,6 +61,9 @@ typedef struct _cfg_ctx
 char *challenge_password;
 char *pkcs9_email;
 char *country;
+ char **policy_oid;
+ char *policy_txt[MAX_ENTRIES];
+ char *policy_url[MAX_ENTRIES];
 char **dc;
 char **dns_name;
 char **uri;
@@ -182,6 +185,7 @@ template_parse (const char *template)
 unsigned int i;
 tOptionValue const * pov;
 const tOptionValue* val;
+ char tmpstr[256];
 pov = configFileLoad(template);
 if (pov == NULL)
@@ -232,6 +236,29 @@ template_parse (const char *template)
 if (val != NULL && val->valType == OPARG_TYPE_STRING)
 cfg.country = strdup(val->v.strVal);
+ READ_MULTI_LINE("policy", cfg.policy_oid);
+
+ if (cfg.policy_oid != NULL)
+ {
+ int i = 0;
+ while(cfg.policy_oid[i] != NULL)
+ {
+ snprintf(tmpstr, sizeof(tmpstr), "policy%d_url", i+1);
+ val = optionGetValue(pov, tmpstr);
+ if (val != NULL && val->valType == OPARG_TYPE_STRING)
+ cfg.policy_url[i] = strdup(val->v.strVal);
+
+ snprintf(tmpstr, sizeof(tmpstr), "policy%d_txt", i+1);
+ val = optionGetValue(pov, tmpstr);
+ if (val != NULL && val->valType == OPARG_TYPE_STRING)
+ {
+ cfg.policy_txt[i] = strdup(val->v.strVal);
+ }
+
+ i++;
+ }
+ }
+
 READ_MULTI_LINE("dc", cfg.dc);
 READ_MULTI_LINE("dns_name", cfg.dns_name);
 READ_MULTI_LINE("uri", cfg.uri);
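Review bot: The `while` loop writes `cfg.policy_url[i]` and `cfg.policy_txt[i]` for every non-NULL entry of `cfg.policy_oid` without checking `i < MAX_ENTRIES`, although both arrays are declared `char *policy_txt[MAX_ENTRIES]` and `char *policy_url[MAX_ENTRIES]` in the struct hunk of this commit; unless READ_MULTI_LINE (its definition is not in this diff) guarantees fewer than MAX_ENTRIES entries, a template with more `policy` lines than that writes past the arrays inside `cfg`. Bounding the loop as `while (i < MAX_ENTRIES && cfg.policy_oid[i] != NULL)` closes the write, and the `for` loop in `get_policy_set` later in this diff reads the same two arrays with the same unbounded index and needs the same guard. The new `int i = 0;` also shadows the function's existing `unsigned int i;` (visible in the previous hunk), which `-Wshadow` flags; reusing the outer `i` or picking another name avoids it. template_parse begins and ends outside this hunk.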
@@ -1212,6 +1239,54 @@ get_dns_name_set (int type, void *crt)
 }
 void
+get_policy_set (gnutls_x509_crt_t crt)
+{
+ int ret = 0, i;
+ gnutls_x509_policy_st policy;
+
+ if (batch)
+ {
+ if (!cfg.policy_oid)
+ return;
+
+ for (i = 0; cfg.policy_oid[i] != NULL; i++)
+ {
+ memset(&policy, 0, sizeof(policy));
+ policy.oid = cfg.policy_oid[i];
+
+ if (cfg.policy_txt[i] != NULL)
+ {
+ policy.qualifier[policy.qualifiers].type = GNUTLS_X509_QUALIFIER_NOTICE;
+ policy.qualifier[policy.qualifiers].data = cfg.policy_txt[i];
+ policy.qualifier[policy.qualifiers].size = strlen(cfg.policy_txt[i]);
+ policy.qualifiers++;
+ }
+
+ if (cfg.policy_url[i] != NULL)
+ {
+ policy.qualifier[policy.qualifiers].type = GNUTLS_X509_QUALIFIER_URI;
+ policy.qualifier[policy.qualifiers].data = cfg.policy_url[i];
+ policy.qualifier[policy.qualifiers].size = strlen(cfg.policy_url[i]);
+ policy.qualifiers++;
+ }
+
+fprintf(stderr, "setting policy %s with %d qualifiers\n", policy.oid, policy.qualifiers);
+
+ ret =
+ gnutls_x509_crt_set_policy (crt, &policy, 0);
+ if (ret < 0)
+ break;
+ }
+ }
+
+ if (ret < 0)
+ {
+ fprintf (stderr, "set_policy: %s\n", gnutls_strerror (ret));
+ exit (1);
+ }
+}
+
+void
 get_uri_set (int type, void *crt)
 {
 int ret = 0, i;
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 878ecac34f..bcb96d7428 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -67,6 +67,7 @@ int get_encrypt_status (int server);
 int get_sign_status (int server);
 void get_ip_addr_set (int type, void *crt);
 void get_dns_name_set (int type, void *crt);
+void get_policy_set (gnutls_x509_crt_t);
 void get_uri_set (int type, void *crt);
 void get_email_set (int type, void *crt);
 int get_ipsec_ike_status (void);
diff --git a/src/certtool.c b/src/certtool.c
index 2f2eca7263..dd34e3ac29 100644
--- a/src/certtool.c
+++ b/src/certtool.c
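Review bot: The unconditional `fprintf(stderr, "setting policy %s with %d qualifiers\n", policy.oid, policy.qualifiers);` inside the `for` loop of `get_policy_set` sits at column 0 and reads as a leftover debug trace; it is emitted once per policy on every run and is not an error path, so it should be removed (or tied to a verbosity setting if one exists in this file, which this hunk does not show). If it stays, `%d` is only correct when `policy.qualifiers` is an `int`; its type is not visible in this diff, so check it against the struct definition. On the certtool-cfg.h hunk in the same line, the new prototype `void get_policy_set (gnutls_x509_crt_t);` drops the parameter name that every neighbouring prototype keeps; `void get_policy_set (gnutls_x509_crt_t crt);` matches them and the definition.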
@@ -399,6 +399,7 @@ generate_certificate (gnutls_privkey_t * ret_key,
 get_dns_name_set (TYPE_CRT, crt);
 get_uri_set (TYPE_CRT, crt);
 get_ip_addr_set (TYPE_CRT, crt);
+ get_policy_set (crt);
 if (server != 0)
 { |