authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-04 16:27:34 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-06 12:57:07 +0200
commit99bfa2f551a307b28ded575b88d171cf7850822e (patch)
tree2065d73248b20dfd874bd3c33597509845be4044
parent7cc1a60e6073d775af561f94cd9828ffd5de0abe (diff)
downloadgnutls-99bfa2f551a307b28ded575b88d171cf7850822e.tar.gz
certtool: added template option inhibit_anypolicy_skip_certs
This option writes the inhibit anyPolicy extension into a certificate. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/certtool-args.def4
-rw-r--r--src/certtool-cfg.c13
2 files changed, 17 insertions, 0 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index 6aea3f2562..f43d328a35 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -965,6 +965,10 @@ encryption_key
#policy2_txt = "This is a short policy"
#policy2_url = http://www.example.com/another-policy-to-read
+# The number of additional certificates that may appear in a
+# path before the anyPolicy is no longer acceptable.
+#inhibit_anypolicy_skip_certs 1
+
# Name constraints
# DNS
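Review bot: The sample line `#inhibit_anypolicy_skip_certs 1` omits the `name = value` separator that the neighbouring entries use (`#policy2_url = http://...`, and the other numeric options in this template), so a user who uncomments it ends up with a syntax that differs from every other option; unless the template loader is known to accept both forms, `#inhibit_anypolicy_skip_certs = 1` is the safer example. The comment could also state what the C side accepts, since the value is only applied when it is non-negative: `# Must be a non-negative integer; leave the option out to omit the extension.`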
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 107703c047..233c43f3f5 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -123,6 +123,7 @@ static struct cfg_options available_options[] = {
{ .name = "crl_this_update_date", .type = OPTION_STRING },
{ .name = "crl_next_update_date", .type = OPTION_STRING },
{ .name = "policy*", .type = OPTION_MULTI_LINE }, /* not a multi-line but there are multi as it is a wildcard */
+ { .name = "inhibit_anypolicy_skip_certs", .type = OPTION_NUMERIC },
{ .name = "pkcs12_key_name", .type = OPTION_STRING },
{ .name = "proxy_policy_language", .type = OPTION_STRING },
{ .name = "serial", .type = OPTION_NUMERIC },
@@ -196,6 +197,7 @@ typedef struct _cfg_ctx {
char *next_update_date;
int64_t serial;
int expiration_days;
+ int skip_certs; /* from inhibit anypolicy */
int ca;
int path_len;
int tls_www_client;
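Review bot: The comment on the new field, `/* from inhibit anypolicy */`, does not record that -1 means "not given", which is the contract cfg_init (`cfg.skip_certs = -1`) and get_policy_set (`if (cfg.skip_certs >= 0)`) rely on in the later hunks. Suggest `int skip_certs; /* inhibit_anypolicy_skip_certs; -1 when absent from the template */` so the sentinel is documented where the field is declared. The _cfg_ctx struct continues outside the hunk.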
@@ -230,6 +232,7 @@ void cfg_init(void)
cfg.path_len = -1;
cfg.crl_number = -1;
cfg.serial = -1;
+ cfg.skip_certs = -1;
}
#define READ_MULTI_LINE(name, s_name) \
@@ -454,6 +457,8 @@ int template_parse(const char *template)
if (val != NULL && val->valType == OPARG_TYPE_STRING)
cfg.next_update_date = strdup(val->v.strVal);
+ READ_NUMERIC("inhibit_anypolicy_skip_certs", cfg.skip_certs);
+
for (i = 0; i < MAX_POLICIES; i++) {
snprintf(tmpstr, sizeof(tmpstr), "policy%d", i + 1);
val = optionGetValue(pov, tmpstr);
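Review bot: A negative value in the template is accepted by `READ_NUMERIC("inhibit_anypolicy_skip_certs", cfg.skip_certs)` and then silently dropped, because the only consumer tests `cfg.skip_certs >= 0` and -1 also serves as the "unset" sentinel; a template containing `inhibit_anypolicy_skip_certs = -1` (or any negative typo) therefore yields a certificate without the extension and no diagnostic. Since -1 cannot be distinguished after the macro runs, the check belongs here, on the raw option value, using the same `optionGetValue` lookup the surrounding lines already use and the fprintf/exit(1) style the get_policy_set hunk adopts; whether template_parse reports other errors that way is not visible in this hunk. template_parse begins and ends outside the hunk.
```c
READ_NUMERIC("inhibit_anypolicy_skip_certs", cfg.skip_certs);
/* reject negatives explicitly: -1 is also the "not set" sentinel, so a
 * bad value would otherwise be ignored without any message */
val = optionGetValue(pov, "inhibit_anypolicy_skip_certs");
if (val != NULL && val->valType == OPARG_TYPE_NUMERIC && val->v.longVal < 0) {
	fprintf(stderr, "inhibit_anypolicy_skip_certs must not be negative\n");
	exit(1);
}
/* … unchanged: policy%d loop … */
```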
@@ -2223,6 +2228,14 @@ void get_policy_set(gnutls_x509_crt_t crt)
gnutls_x509_policy_st policy;
if (batch) {
+ if (cfg.skip_certs >= 0) {
+ ret = gnutls_x509_crt_set_inhibit_anypolicy(crt, cfg.skip_certs);
+ if (ret < 0) {
+ fprintf(stderr, "error setting inhibit anypolicy: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+ }
+
if (!cfg.policy_oid)
return;
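Review bot: The new inhibitAnyPolicy block runs only under `if (batch)`, so the interactive path of get_policy_set (presumably the else branch, outside this hunk) never asks for the value and the option is effectively template-only; if that is intended, a comment such as `/* inhibit_anypolicy_skip_certs is template-only; there is no interactive prompt */` above the block would spare the next reader a search. Its position is also load-bearing: it must precede `if (!cfg.policy_oid) return;` so the extension is still written when no policies are configured, which deserves a one-line why-comment like `/* before the policy_oid early return: the extension is independent of the policy set */`. Placing an unrelated extension inside get_policy_set couples it to policy handling; a small static helper called from the same spot would keep the function's name accurate. `ret` is declared earlier in the function, outside the hunk, and the function continues past it.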