diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-12-19 13:53:45 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-12-19 13:53:45 +0000 |
commit | e9b83b81236e21bedb5293614e671cc0c75f4f57 (patch) | |
tree | 0c939381fe1105bebb87331494c6e9f0c7133df4 /src | |
parent | 5eaf92bd488c59125d8594a5983d1ab679c364df (diff) | |
download | gnutls-e9b83b81236e21bedb5293614e671cc0c75f4f57.tar.gz |
Added gnutls_x509_crt_set_key_usage() and certtool can now set the
certificate's key usage.
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool.c | 67 | ||||
-rw-r--r-- | src/tests.c | 40 | ||||
-rw-r--r-- | src/tests.h | 2 | ||||
-rw-r--r-- | src/tls_test.c | 6 |
4 files changed, 98 insertions, 17 deletions
diff --git a/src/certtool.c b/src/certtool.c index 616601ca9d..60c4b4d451 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -211,23 +211,23 @@ const char* msg; static void print_key_usage( unsigned int x) { if (x&GNUTLS_KEY_DIGITAL_SIGNATURE) - fprintf(outfile,"\t\tDigital signature.\n"); + fprintf(stderr,"\t\tDigital signature.\n"); if (x&GNUTLS_KEY_NON_REPUDIATION) - fprintf(outfile,"\t\tNon repudiation.\n"); + fprintf(stderr,"\t\tNon repudiation.\n"); if (x&GNUTLS_KEY_KEY_ENCIPHERMENT) - fprintf(outfile,"\t\tKey encipherment.\n"); + fprintf(stderr,"\t\tKey encipherment.\n"); if (x&GNUTLS_KEY_DATA_ENCIPHERMENT) - fprintf(outfile,"\t\tData encipherment.\n"); + fprintf(stderr,"\t\tData encipherment.\n"); if (x&GNUTLS_KEY_KEY_AGREEMENT) - fprintf(outfile,"\t\tKey agreement.\n"); + fprintf(stderr,"\t\tKey agreement.\n"); if (x&GNUTLS_KEY_KEY_CERT_SIGN) - fprintf(outfile,"\t\tCertificate signing.\n"); + fprintf(stderr,"\t\tCertificate signing.\n"); if (x&GNUTLS_KEY_CRL_SIGN) - fprintf(outfile,"\t\tCRL signing.\n"); + fprintf(stderr,"\t\tCRL signing.\n"); if (x&GNUTLS_KEY_ENCIPHER_ONLY) - fprintf(outfile,"\t\tKey encipher only.\n"); + fprintf(stderr,"\t\tKey encipher only.\n"); if (x&GNUTLS_KEY_DECIPHER_ONLY) - fprintf(outfile,"\t\tKey decipher only.\n"); + fprintf(stderr,"\t\tKey decipher only.\n"); } static void print_private_key( gnutls_x509_privkey key) @@ -286,6 +286,7 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key) const char* str; int vers = 3; /* the default version in the certificate */ + unsigned int usage = 0, server; gnutls_x509_crq crq; /* request */ size = gnutls_x509_crt_init(&crt); @@ -365,8 +366,8 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key) exit(1); } - result = read_yesno( "Is this a web server certificate? (Y/N): "); - if (result != 0) { + server = read_yesno( "Is this a web server certificate? (Y/N): "); + if (server != 0) { str = read_str( "Enter the dnsName of the subject of the certificate: "); if (str != NULL) { result = gnutls_x509_crt_set_subject_alternative_name( crt, GNUTLS_SAN_DNSNAME, str); @@ -388,6 +389,48 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key) } } + + if (!ca_status || server) { + int pk; + const char* msg1, *msg2; + + if (server) msg1 = "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): "; + else msg1 = "Will the certificate be used for signing (required for TLS)? (Y/N): "; + + if (server) msg2 = "Will the certificate be used for encryption (RSA ciphersuites)? (Y/N): "; + else msg2 = "Will the certificate be used for encryption (not required for TLS)? (Y/N): "; + + pk = gnutls_x509_crt_get_pk_algorithm( crt, NULL); + + if (pk != GNUTLS_PK_DSA) { /* DSA keys can only sign. + */ + result = read_yesno( msg1); + if (result) usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; + + result = read_yesno( msg2); + if (result) usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; + } else usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; + } + + + if (ca_status) { + result = read_yesno( "Will the certificate be used to sign other certificates? (Y/N): "); + if (result) usage |= GNUTLS_KEY_KEY_CERT_SIGN; + + result = read_yesno( "Will the certificate be used to sign CRLs? (Y/N): "); + if (result) usage |= GNUTLS_KEY_CRL_SIGN; + } + + if (usage != 0) { + result = gnutls_x509_crt_set_key_usage( crt, usage); + if (result < 0) { + fprintf(stderr, "key_usage: %s\n", gnutls_strerror(result)); + exit(1); + } + } + + /* Version. + */ result = gnutls_x509_crt_set_version( crt, vers); if (result < 0) { fprintf(stderr, "set_version: %s\n", gnutls_strerror(result)); @@ -981,7 +1024,7 @@ static void print_certificate_info( gnutls_x509_crt crt) ret = gnutls_x509_crt_get_key_usage( crt, &key_usage, &critical); if (ret >= 0) { - fprintf(stderr, "\tKey usage:\n"); + fprintf(stderr, "\tKey usage: %s\n", critical?"(critical)":""); print_key_usage(key_usage); } diff --git a/src/tests.c b/src/tests.c index 8c80e4f322..eba1297aab 100644 --- a/src/tests.c +++ b/src/tests.c @@ -392,7 +392,25 @@ int ret; } #endif -int test_sha( gnutls_session session) { +int test_lzo( gnutls_session session) { +int ret; + gnutls_handshake_set_private_extensions( session, 1); + + ADD_ALL_CIPHERS(session); + ADD_COMP(session, GNUTLS_COMP_LZO); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_ALL_MACS(session); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + + return ret; +} + +int test_sha( gnutls_session session) +{ int ret; ADD_ALL_CIPHERS(session); ADD_ALL_COMP(session); @@ -406,7 +424,23 @@ int ret; return ret; } -int test_3des( gnutls_session session) { +int test_rmd( gnutls_session session) +{ +int ret; + ADD_ALL_CIPHERS(session); + ADD_ALL_COMP(session); + ADD_ALL_CERTTYPES(session); + ADD_ALL_PROTOCOLS(session); + ADD_MAC(session, GNUTLS_MAC_RMD160); + ADD_ALL_KX(session); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake( session); + return ret; +} + +int test_3des( gnutls_session session) +{ int ret; ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC); ADD_ALL_COMP(session); @@ -451,7 +485,7 @@ int ret; } -/* Advertize both TLS 1.0 and SSL 3.0 if the connection fails, +/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails, * but the previous SSL 3.0 test succeeded then disable TLS 1.0. */ int test_tls1_2( gnutls_session session) { diff --git a/src/tests.h b/src/tests.h index 3c97d891b9..caa589c4d5 100644 --- a/src/tests.h +++ b/src/tests.h @@ -11,6 +11,7 @@ int test_ssl3( gnutls_session state); int test_aes( gnutls_session state); int test_md5( gnutls_session state); int test_sha( gnutls_session state); +int test_rmd( gnutls_session state); int test_3des( gnutls_session state); int test_arcfour( gnutls_session state); int test_tls1( gnutls_session state); @@ -28,6 +29,7 @@ int test_session_resume2( gnutls_session state); int test_rsa_pms_version_check( gnutls_session session); int test_version_oob( gnutls_session session); int test_zlib( gnutls_session session); +int test_lzo( gnutls_session session); int _test_srp_username_callback( gnutls_session session, unsigned int times, char** username, char** password); diff --git a/src/tls_test.c b/src/tls_test.c index 66fb8417b0..83cf5eefad 100644 --- a/src/tls_test.c +++ b/src/tls_test.c @@ -105,14 +105,16 @@ static const TLS_TEST tls_tests[] = { #endif { "for ephemeral Diffie Hellman support", test_dhe, "yes", "no", "dunno" }, { "for ephemeral Diffie Hellman prime size", test_dhe_bits, "", "N/A", "N/A" }, - { "for AES cipher support", test_aes, "yes", "no", "dunno"}, + { "for AES cipher support (TLS extension)", test_aes, "yes", "no", "dunno"}, { "for 3DES cipher support", test_3des, "yes", "no", "dunno"}, { "for ARCFOUR cipher support", test_arcfour, "yes", "no", "dunno"}, { "for MD5 MAC support", test_md5, "yes", "no", "dunno"}, { "for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, + { "for RIPEMD160 MAC support (TLS extension)", test_rmd, "yes", "no", "dunno"}, #ifdef HAVE_LIBZ - { "for ZLIB compression support", test_zlib, "yes", "no", "dunno"}, + { "for ZLIB compression support (TLS extension)", test_zlib, "yes", "no", "dunno"}, #endif + { "for LZO compression support (GnuTLS extension)", test_lzo, "yes", "no", "dunno"}, { "for max record size (TLS extension)", test_max_record_size, "yes", "no", "dunno" }, #ifdef ENABLE_SRP { "for SRP authentication support (TLS extension)", test_srp, "yes", "no", "dunno" }, |