author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 10:13:56 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-26 14:43:31 +0200 |
commit | b8210a949c0e564c8fbed7059ca7d3ef55ba9727 (patch) | |
tree | 83856809d6fbced7f782496a0d14aae6e72fa265 | |
parent | 6badc135257d90ea9add82bb75a397d40070628e (diff) | |
download | gnutls-b8210a949c0e564c8fbed7059ca7d3ef55ba9727.tar.gz |
certtool: allow setting key purposes for non-CA certificates
That is, allow setting the code signing or time stamping key purpose
in certificates that are not marked as CA. The previous restriction
served no purpose.
-rw-r--r-- | src/certtool.c | 135 |
1 files changed, 69 insertions, 66 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 5b5a5556b6..04d4c2ab87 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -532,6 +532,30 @@ generate_certificate(gnutls_privkey_t * ret_key,
 }
 }
+ result = get_code_sign_status();
+ if (result) {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid
+ (crt, GNUTLS_KP_CODE_SIGNING, 0);
+ if (result < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(result));
+ exit(1);
+ }
+ }
+
+ result = get_time_stamp_status();
+ if (result) {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid
+ (crt, GNUTLS_KP_TIME_STAMPING, 0);
+ if (result < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(result));
+ exit(1);
+ }
+ }
+
 if (ca_status) {
 result = get_cert_sign_status();
 if (result)
@@ -541,33 +565,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
 if (result)
 usage |= GNUTLS_KEY_CRL_SIGN;
- result = get_code_sign_status();
- if (result) {
- result =
- gnutls_x509_crt_set_key_purpose_oid
- (crt, GNUTLS_KP_CODE_SIGNING, 0);
- if (result < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(result));
- exit(1);
- }
- }
 crt_constraints_set(crt);
-
-
- result = get_time_stamp_status();
- if (result) {
- result =
- gnutls_x509_crt_set_key_purpose_oid
- (crt, GNUTLS_KP_TIME_STAMPING, 0);
- if (result < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(result));
- exit(1);
- }
- }
 }
+ get_ocsp_issuer_set(crt);
 get_ca_issuers_set(crt);
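Review bot: The code-signing and time-stamping purposes are now attached to any certificate, but the key-usage bits collected in `usage` come from separate checks, so a non-CA certificate can carry id-kp-codeSigning or id-kp-timeStamping with no digitalSignature bit, which is inconsistent under RFC 5280 §4.2.1.12; if generate_certificate does not already OR that bit in when either purpose is requested (not visible in this hunk), consider `if (get_code_sign_status() || get_time_stamp_status()) usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;`. Separately, both purposes are added with the critical argument set to 0, while RFC 3161 §2.3 requires the extended key usage extension of a time-stamping certificate to be critical, so the time-stamping case is worth either passing 1 or a comment saying why non-critical was chosen; the flag presumably applies to the extension as a whole, so its interaction with the other purposes should be checked. generate_certificate starts and ends outside the hunk.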
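Review bot: The second hunk adds an unconditional `get_ocsp_issuer_set(crt);` after the ca_status block, yet the commit message only describes relaxing the CA restriction on key purposes, and the diffstat shows no matching removal elsewhere, so this appears to be a new call rather than a move. If it is intentional it should be stated in the description, for example "Also call get_ocsp_issuer_set() for every generated certificate."; otherwise it belongs in its own commit so the behaviour change can be reviewed and bisected separately. The deletions in this hunk are the blocks re-added earlier in the same function; generate_certificate's body continues outside the hunk.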
@@ -2135,6 +2136,50 @@ void generate_request(common_info_st * cinfo)
 usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
 }
+ ret = get_code_sign_status();
+ if (ret) {
+ ret = gnutls_x509_crq_set_key_purpose_oid
+ (crq, GNUTLS_KP_CODE_SIGNING, 0);
+ if (ret < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+ ret = get_time_stamp_status();
+ if (ret) {
+ ret = gnutls_x509_crq_set_key_purpose_oid
+ (crq, GNUTLS_KP_TIME_STAMPING, 0);
+ if (ret < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+ ret = get_ipsec_ike_status();
+ if (ret) {
+ ret = gnutls_x509_crq_set_key_purpose_oid
+ (crq, GNUTLS_KP_IPSEC_IKE, 0);
+ if (ret < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
+ ret = get_ocsp_sign_status();
+ if (ret) {
+ ret = gnutls_x509_crq_set_key_purpose_oid
+ (crq, GNUTLS_KP_OCSP_SIGNING, 0);
+ if (ret < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
 if (ca_status) {
 ret = get_cert_sign_status();
 if (ret)
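Review bot: The four added blocks are the same ten lines repeated with only the status getter and OID changed, including four copies of the "key_kp" error path; a small static helper defined above generate_request would make the request path read as a list of purposes and keep the error handling in one place. Note also that this hunk moves the IPsec IKE and OCSP-signing purposes out of the ca_status branch as well, whereas the generate_certificate hunk only moves code signing and time stamping, so unless generate_certificate sets those two purposes elsewhere (not visible here) the certificate and request paths now accept different purposes for non-CA keys. The same non-critical flag observation made for the certificate path applies to the time-stamping purpose here. generate_request continues outside the hunk.
```c
/* Attach one extended key purpose to the request; exit on failure,
 * matching the existing "key_kp" error handling. */
static void crq_add_key_purpose(gnutls_x509_crq_t crq, const char *oid)
{
	int ret = gnutls_x509_crq_set_key_purpose_oid(crq, oid, 0);
	if (ret < 0) {
		fprintf(stderr, "key_kp: %s\n", gnutls_strerror(ret));
		exit(1);
	}
}

	/* … unchanged: key usage bit selection … */
	if (get_code_sign_status())
		crq_add_key_purpose(crq, GNUTLS_KP_CODE_SIGNING);
	if (get_time_stamp_status())
		crq_add_key_purpose(crq, GNUTLS_KP_TIME_STAMPING);
	if (get_ipsec_ike_status())
		crq_add_key_purpose(crq, GNUTLS_KP_IPSEC_IKE);
	if (get_ocsp_sign_status())
		crq_add_key_purpose(crq, GNUTLS_KP_OCSP_SIGNING);

	if (ca_status) {
```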
@@ -2144,49 +2189,7 @@ void generate_request(common_info_st * cinfo)
 if (ret)
 usage |= GNUTLS_KEY_CRL_SIGN;
- ret = get_code_sign_status();
- if (ret) {
- ret = gnutls_x509_crq_set_key_purpose_oid
- (crq, GNUTLS_KP_CODE_SIGNING, 0);
- if (ret < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(ret));
- exit(1);
- }
- }
-
- ret = get_ocsp_sign_status();
- if (ret) {
- ret = gnutls_x509_crq_set_key_purpose_oid
- (crq, GNUTLS_KP_OCSP_SIGNING, 0);
- if (ret < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(ret));
- exit(1);
- }
- }
-
- ret = get_time_stamp_status();
- if (ret) {
- ret = gnutls_x509_crq_set_key_purpose_oid
- (crq, GNUTLS_KP_TIME_STAMPING, 0);
- if (ret < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(ret));
- exit(1);
- }
- }
- ret = get_ipsec_ike_status();
- if (ret) {
- ret = gnutls_x509_crq_set_key_purpose_oid
- (crq, GNUTLS_KP_IPSEC_IKE, 0);
- if (ret < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(ret));
- exit(1);
- }
- }
 }
 ret = gnutls_x509_crq_set_key_usage(crq, usage);