Added gnutls_x509_crt_set_key_usage() and certtool can now set the

certificate's key usage.

4 files changed, 98 insertions, 17 deletions

diff --git a/src/certtool.c b/src/certtool.c
index 616601ca9d..60c4b4d451 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -211,23 +211,23 @@ const char* msg;
 static void print_key_usage( unsigned int x) 
 {
 	if (x&GNUTLS_KEY_DIGITAL_SIGNATURE)
-		fprintf(outfile,"\t\tDigital signature.\n");
+		fprintf(stderr,"\t\tDigital signature.\n");
 	if (x&GNUTLS_KEY_NON_REPUDIATION)
-		fprintf(outfile,"\t\tNon repudiation.\n");
+		fprintf(stderr,"\t\tNon repudiation.\n");
 	if (x&GNUTLS_KEY_KEY_ENCIPHERMENT)
-		fprintf(outfile,"\t\tKey encipherment.\n");
+		fprintf(stderr,"\t\tKey encipherment.\n");
 	if (x&GNUTLS_KEY_DATA_ENCIPHERMENT)
-		fprintf(outfile,"\t\tData encipherment.\n");
+		fprintf(stderr,"\t\tData encipherment.\n");
 	if (x&GNUTLS_KEY_KEY_AGREEMENT)
-		fprintf(outfile,"\t\tKey agreement.\n");
+		fprintf(stderr,"\t\tKey agreement.\n");
 	if (x&GNUTLS_KEY_KEY_CERT_SIGN)
-		fprintf(outfile,"\t\tCertificate signing.\n");
+		fprintf(stderr,"\t\tCertificate signing.\n");
 	if (x&GNUTLS_KEY_CRL_SIGN)
-		fprintf(outfile,"\t\tCRL signing.\n");
+		fprintf(stderr,"\t\tCRL signing.\n");
 	if (x&GNUTLS_KEY_ENCIPHER_ONLY)
-		fprintf(outfile,"\t\tKey encipher only.\n");
+		fprintf(stderr,"\t\tKey encipher only.\n");
 	if (x&GNUTLS_KEY_DECIPHER_ONLY)
-		fprintf(outfile,"\t\tKey decipher only.\n");
+		fprintf(stderr,"\t\tKey decipher only.\n");
 }
 
 static void print_private_key( gnutls_x509_privkey key)
@@ -286,6 +286,7 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key)
 	const char* str;
 	int vers = 3; /* the default version in the certificate 
 	               */
+	unsigned int usage = 0, server;
 	gnutls_x509_crq crq; /* request */
 
 	size = gnutls_x509_crt_init(&crt);
@@ -365,8 +366,8 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key)
 		exit(1);
 	}
 
-	result = read_yesno( "Is this a web server certificate? (Y/N): ");
-	if (result != 0) {
+	server = read_yesno( "Is this a web server certificate? (Y/N): ");
+	if (server != 0) {
 		str = read_str( "Enter the dnsName of the subject of the certificate: ");
 		if (str != NULL) {
 			result = gnutls_x509_crt_set_subject_alternative_name( crt, GNUTLS_SAN_DNSNAME, str);
@@ -388,6 +389,48 @@ gnutls_x509_crt generate_certificate( gnutls_x509_privkey *ret_key)
 		}
 	}
 
+
+	if (!ca_status || server) {
+		int pk;
+		const char* msg1, *msg2;
+		
+		if (server) msg1 = "Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): ";
+		else msg1 = "Will the certificate be used for signing (required for TLS)? (Y/N): ";
+
+		if (server) msg2 = "Will the certificate be used for encryption (RSA ciphersuites)? (Y/N): ";
+		else msg2 = "Will the certificate be used for encryption (not required for TLS)? (Y/N): ";
+
+		pk = gnutls_x509_crt_get_pk_algorithm( crt, NULL);
+
+		if (pk != GNUTLS_PK_DSA) { /* DSA keys can only sign.
+				  	    */
+			result = read_yesno( msg1);
+			if (result) usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+
+			result = read_yesno( msg2);
+			if (result) usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
+		} else usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+	}
+
+
+	if (ca_status) {
+		result = read_yesno( "Will the certificate be used to sign other certificates? (Y/N): ");
+		if (result) usage |= GNUTLS_KEY_KEY_CERT_SIGN;
+
+		result = read_yesno( "Will the certificate be used to sign CRLs? (Y/N): ");
+		if (result) usage |= GNUTLS_KEY_CRL_SIGN;
+	}
+
+	if (usage != 0) {
+		result = gnutls_x509_crt_set_key_usage( crt, usage);
+		if (result < 0) {
+			fprintf(stderr, "key_usage: %s\n", gnutls_strerror(result));
+			exit(1);
+		}
+	}
+
+	/* Version.
+	 */
 	result = gnutls_x509_crt_set_version( crt, vers);
 	if (result < 0) {
 		fprintf(stderr, "set_version: %s\n", gnutls_strerror(result));
@@ -981,7 +1024,7 @@ static void print_certificate_info( gnutls_x509_crt crt)
 	ret = gnutls_x509_crt_get_key_usage( crt, &key_usage, &critical);
 	
 	if (ret >= 0) {
-		fprintf(stderr, "\tKey usage:\n");
+		fprintf(stderr, "\tKey usage: %s\n", critical?"(critical)":"");
 		print_key_usage(key_usage);
 	}
 
diff --git a/src/tests.c b/src/tests.c
index 8c80e4f322..eba1297aab 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -392,7 +392,25 @@ int ret;
 }
 #endif
 
-int test_sha( gnutls_session session) {
+int test_lzo( gnutls_session session) {
+int ret;
+	gnutls_handshake_set_private_extensions( session, 1);
+
+	ADD_ALL_CIPHERS(session);
+	ADD_COMP(session, GNUTLS_COMP_LZO);
+	ADD_ALL_CERTTYPES(session);
+	ADD_ALL_PROTOCOLS(session);
+	ADD_ALL_MACS(session);
+	ADD_ALL_KX(session);
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+	ret = do_handshake( session);
+
+	return ret;
+}
+
+int test_sha( gnutls_session session) 
+{
 int ret;
 	ADD_ALL_CIPHERS(session);
 	ADD_ALL_COMP(session);
@@ -406,7 +424,23 @@ int ret;
 	return ret;
 }
 
-int test_3des( gnutls_session session) {
+int test_rmd( gnutls_session session) 
+{
+int ret;
+	ADD_ALL_CIPHERS(session);
+	ADD_ALL_COMP(session);
+	ADD_ALL_CERTTYPES(session);
+	ADD_ALL_PROTOCOLS(session);
+	ADD_MAC(session, GNUTLS_MAC_RMD160);
+	ADD_ALL_KX(session);
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+	ret = do_handshake( session);
+	return ret;
+}
+
+int test_3des( gnutls_session session) 
+{
 int ret;
 	ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC);
 	ADD_ALL_COMP(session);
@@ -451,7 +485,7 @@ int ret;
 
 }
 
-/* Advertize both TLS 1.0 and SSL 3.0 if the connection fails,
+/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails,
  * but the previous SSL 3.0 test succeeded then disable TLS 1.0.
  */
 int test_tls1_2( gnutls_session session) {
diff --git a/src/tests.h b/src/tests.h
index 3c97d891b9..caa589c4d5 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -11,6 +11,7 @@ int test_ssl3( gnutls_session state);
 int test_aes( gnutls_session state);
 int test_md5( gnutls_session state);
 int test_sha( gnutls_session state);
+int test_rmd( gnutls_session state);
 int test_3des( gnutls_session state);
 int test_arcfour( gnutls_session state);
 int test_tls1( gnutls_session state);
@@ -28,6 +29,7 @@ int test_session_resume2( gnutls_session state);
 int test_rsa_pms_version_check( gnutls_session session);
 int test_version_oob( gnutls_session session);
 int test_zlib( gnutls_session session);
+int test_lzo( gnutls_session session);
 int _test_srp_username_callback( gnutls_session session, unsigned int times,
 	char** username, char** password);
 
diff --git a/src/tls_test.c b/src/tls_test.c
index 66fb8417b0..83cf5eefad 100644
--- a/src/tls_test.c
+++ b/src/tls_test.c
@@ -105,14 +105,16 @@ static const TLS_TEST tls_tests[] = {
 #endif
 	{ "for ephemeral Diffie Hellman support", test_dhe, "yes", "no", "dunno" },
 	{ "for ephemeral Diffie Hellman prime size", test_dhe_bits, "", "N/A", "N/A" },
-	{ "for AES cipher support", test_aes, "yes", "no", "dunno"},
+	{ "for AES cipher support (TLS extension)", test_aes, "yes", "no", "dunno"},
 	{ "for 3DES cipher support", test_3des, "yes", "no", "dunno"},
 	{ "for ARCFOUR cipher support", test_arcfour, "yes", "no", "dunno"},
 	{ "for MD5 MAC support", test_md5, "yes", "no", "dunno"},
 	{ "for SHA1 MAC support", test_sha, "yes", "no", "dunno"},
+	{ "for RIPEMD160 MAC support (TLS extension)", test_rmd, "yes", "no", "dunno"},
 #ifdef HAVE_LIBZ
-	{ "for ZLIB compression support", test_zlib, "yes", "no", "dunno"},
+	{ "for ZLIB compression support (TLS extension)", test_zlib, "yes", "no", "dunno"},
 #endif
+	{ "for LZO compression support (GnuTLS extension)", test_lzo, "yes", "no", "dunno"},
 	{ "for max record size (TLS extension)", test_max_record_size, "yes", "no", "dunno" },
 #ifdef ENABLE_SRP
 	{ "for SRP authentication support (TLS extension)", test_srp, "yes", "no", "dunno" },