authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-05-05 14:21:13 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-05-05 14:23:19 +0200
commit35a0e0de18f4a7f64fad2ef9797f0ea05b03a172 (patch)
tree068d383516c5c8e7b8fd2c64ecb245b06b392022
parent057dbb0ca55de8f835565a7e515eb2a95def6a42 (diff)
certtool: introduced the email_protection_key option
This option was introduced in the documentation for certtool without an implementation of it. It is a shortcut for the option key_purpose_oid = 1.3.6.1.5.5.7.3.4.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool-cfg.c15
-rw-r--r--src/certtool-cfg.h1
-rw-r--r--src/certtool.c24
3 files changed, 40 insertions, 0 deletions
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 0aa5b88c9b..657ef0ad93 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -144,6 +144,7 @@ static struct cfg_options available_options[] = {
{ .name = "code_signing_key", .type = OPTION_BOOLEAN },
{ .name = "ocsp_signing_key", .type = OPTION_BOOLEAN },
{ .name = "time_stamping_key", .type = OPTION_BOOLEAN },
+ { .name = "email_protection_key", .type = OPTION_BOOLEAN },
{ .name = "ipsec_ike_key", .type = OPTION_BOOLEAN },
{ .name = "key_agreement", .type = OPTION_BOOLEAN },
{ .name = "data_encipherment", .type = OPTION_BOOLEAN },
@@ -213,6 +214,7 @@ typedef struct _cfg_ctx {
int code_sign_key;
int ocsp_sign_key;
int time_stamping_key;
+ int email_protection_key;
int ipsec_ike_key;
char **key_purpose_oids;
int crl_next_update;
@@ -546,6 +548,7 @@ int template_parse(const char *template)
READ_BOOLEAN("code_signing_key", cfg.code_sign_key);
READ_BOOLEAN("ocsp_signing_key", cfg.ocsp_sign_key);
READ_BOOLEAN("time_stamping_key", cfg.time_stamping_key);
+ READ_BOOLEAN("email_protection_key", cfg.email_protection_key);
READ_BOOLEAN("ipsec_ike_key", cfg.ipsec_ike_key);
READ_BOOLEAN("data_encipherment", cfg.data_encipherment);
@@ -2461,6 +2464,18 @@ int get_time_stamp_status(void)
}
}
+int get_email_protection_status(void)
+{
+ if (batch) {
+ return cfg.email_protection_key;
+ } else {
+ return
+ read_yesno
+ ("Will the certificate be used for email protection? (y/N): ",
+ 0);
+ }
+}
+
int get_ipsec_ike_status(void)
{
if (batch) {
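Review bot: The new get_email_protection_status() has no comment tying it to the OID it stands for, so a reader has to go to the commit message to learn that the option is a shortcut. A one-line header such as `/* Shortcut for key_purpose_oid = 1.3.6.1.5.5.7.3.4 (GNUTLS_KP_EMAIL_PROTECTION); returns non-zero when the purpose should be added. */` would record that next to the code. It would also help to state that the option adds only the extended key usage, because nothing visible in this commit sets key usage bits or an e-mail subject alternative name. The trailing context lines belong to get_ipsec_ike_status(), whose body continues outside the hunk.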
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 8d1daadca9..e3fc56ce99 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -66,6 +66,7 @@ time_t get_crl_next_update(void);
time_t get_crl_revocation_date(void);
time_t get_crl_this_update_date(void);
int get_time_stamp_status(void);
+int get_email_protection_status(void);
int get_ocsp_sign_status(void);
int get_code_sign_status(void);
int get_crl_sign_status(void);
diff --git a/src/certtool.c b/src/certtool.c
index 20ae26c44e..72b7778207 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -579,6 +579,18 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
}
+ result = get_email_protection_status();
+ if (result) {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid
+ (crt, GNUTLS_KP_EMAIL_PROTECTION, 0);
+ if (result < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(result));
+ app_exit(1);
+ }
+ }
+
if (ca_status) {
result = get_cert_sign_status();
if (result)
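Review bot: The failure message in the added block, `"key_kp: %s\n"`, does not say which key purpose could not be set, so a template that enables several purpose options gives the operator no way to tell which one failed. Naming the purpose would fix that, for example `fprintf(stderr, "key_kp (email_protection): %s\n", gnutls_strerror(result));`. The same applies to the matching block added to generate_request() in the next hunk, which is otherwise a copy of this one with `crq` and `ret`. Both functions start and end outside the hunks, so whether neighbouring purpose blocks use the same generic prefix cannot be confirmed from here.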
@@ -2081,6 +2093,18 @@ void generate_request(common_info_st * cinfo)
}
}
+ ret = get_email_protection_status();
+ if (ret) {
+ ret =
+ gnutls_x509_crq_set_key_purpose_oid
+ (crq, GNUTLS_KP_EMAIL_PROTECTION, 0);
+ if (ret < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(ret));
+ app_exit(1);
+ }
+ }
+
ret = get_ipsec_ike_status();
if (ret) {
ret = gnutls_x509_crq_set_key_purpose_oid