diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 10:13:56 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-18 12:59:22 +0200 |
| commit | f27f488a2158529b965eb70c0d98910d7be6ad23 (patch) | |
| tree | 643c4dc85870184bf66b010c2caa21403127038b | |
| parent | 110b6d3111bf41377a9bb9f6fdbf2249eff84cea (diff) | |
| download | gnutls-f27f488a2158529b965eb70c0d98910d7be6ad23.tar.gz | |
certtool: allow setting key purposes for non-CA certificates
That is, allow setting code signing, or time stamping key purpose
in certificates that are not marked as CA. The previous restriction
served no purpose.
| -rw-r--r-- | src/certtool.c | 135 |
1 files changed, 69 insertions, 66 deletions
diff --git a/src/certtool.c b/src/certtool.c index 09ba675dab..a593908cad 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -542,6 +542,30 @@ generate_certificate(gnutls_privkey_t * ret_key, } } + result = get_code_sign_status(); + if (result) { + result = + gnutls_x509_crt_set_key_purpose_oid + (crt, GNUTLS_KP_CODE_SIGNING, 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(result)); + exit(1); + } + } + + result = get_time_stamp_status(); + if (result) { + result = + gnutls_x509_crt_set_key_purpose_oid + (crt, GNUTLS_KP_TIME_STAMPING, 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(result)); + exit(1); + } + } + if (ca_status) { result = get_cert_sign_status(); if (result) @@ -551,33 +575,10 @@ generate_certificate(gnutls_privkey_t * ret_key, if (result) usage |= GNUTLS_KEY_CRL_SIGN; - result = get_code_sign_status(); - if (result) { - result = - gnutls_x509_crt_set_key_purpose_oid - (crt, GNUTLS_KP_CODE_SIGNING, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(result)); - exit(1); - } - } crt_constraints_set(crt); - - - result = get_time_stamp_status(); - if (result) { - result = - gnutls_x509_crt_set_key_purpose_oid - (crt, GNUTLS_KP_TIME_STAMPING, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(result)); - exit(1); - } - } } + get_ocsp_issuer_set(crt); get_ca_issuers_set(crt); @@ -2051,6 +2052,50 @@ void generate_request(common_info_st * cinfo) usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; } + ret = get_code_sign_status(); + if (ret) { + ret = gnutls_x509_crq_set_key_purpose_oid + (crq, GNUTLS_KP_CODE_SIGNING, 0); + if (ret < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(ret)); + exit(1); + } + } + + ret = get_time_stamp_status(); + if (ret) { + ret = gnutls_x509_crq_set_key_purpose_oid + (crq, GNUTLS_KP_TIME_STAMPING, 0); + if (ret < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(ret)); + exit(1); + } + } + + ret = get_ipsec_ike_status(); + if (ret) { + ret = gnutls_x509_crq_set_key_purpose_oid + (crq, GNUTLS_KP_IPSEC_IKE, 0); + if (ret < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(ret)); + exit(1); + } + } + + ret = get_ocsp_sign_status(); + if (ret) { + ret = gnutls_x509_crq_set_key_purpose_oid + (crq, GNUTLS_KP_OCSP_SIGNING, 0); + if (ret < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(ret)); + exit(1); + } + } + if (ca_status) { ret = get_cert_sign_status(); if (ret) @@ -2060,49 +2105,7 @@ void generate_request(common_info_st * cinfo) if (ret) usage |= GNUTLS_KEY_CRL_SIGN; - ret = get_code_sign_status(); - if (ret) { - ret = gnutls_x509_crq_set_key_purpose_oid - (crq, GNUTLS_KP_CODE_SIGNING, 0); - if (ret < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(ret)); - exit(1); - } - } - - ret = get_ocsp_sign_status(); - if (ret) { - ret = gnutls_x509_crq_set_key_purpose_oid - (crq, GNUTLS_KP_OCSP_SIGNING, 0); - if (ret < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(ret)); - exit(1); - } - } - - ret = get_time_stamp_status(); - if (ret) { - ret = gnutls_x509_crq_set_key_purpose_oid - (crq, GNUTLS_KP_TIME_STAMPING, 0); - if (ret < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(ret)); - exit(1); - } - } - ret = get_ipsec_ike_status(); - if (ret) { - ret = gnutls_x509_crq_set_key_purpose_oid - (crq, GNUTLS_KP_IPSEC_IKE, 0); - if (ret < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(ret)); - exit(1); - } - } } ret = gnutls_x509_crq_set_key_usage(crq, usage); |