author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-03-15 11:20:16 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-03-15 11:20:18 +0100 |
commit | f851b6870903b9ce451f9e978dd37f0692bf32dd (patch) | |
tree | 2b9d2e4103d22476c9abdf5f28022c158f16c8a0 /src | |
parent | 2995b1ed747d89285414975003fb286fa2edf545 (diff) | |
certtool: do not require a CA for OCSP signing
This follows the recommendations in RFC 6960, section 4.2.2.2,
which allow a CA to delegate OCSP signing to another certificate
without requiring that certificate to be a CA.
Reported by Thomas Klute.
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool.c | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/src/certtool.c b/src/certtool.c index 835c76a582..8cca98fa65 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2003-2015 Free Software Foundation, Inc. + * Copyright (C) 2003-2016 Free Software Foundation, Inc. + * Copyright (C) 2015-2016 Red Hat, Inc. * * This file is part of GnuTLS. * @@ -519,6 +520,18 @@ generate_certificate(gnutls_privkey_t * ret_key, if (result) usage |= GNUTLS_KEY_NON_REPUDIATION; + result = get_ocsp_sign_status(); + if (result) { + result = + gnutls_x509_crt_set_key_purpose_oid + (crt, GNUTLS_KP_OCSP_SIGNING, 0); + if (result < 0) { + fprintf(stderr, "key_kp: %s\n", + gnutls_strerror(result)); + exit(1); + } + } + if (ca_status) { result = get_cert_sign_status(); if (result) @@ -542,17 +555,6 @@ generate_certificate(gnutls_privkey_t * ret_key, crt_constraints_set(crt); - result = get_ocsp_sign_status(); - if (result) { - result = - gnutls_x509_crt_set_key_purpose_oid - (crt, GNUTLS_KP_OCSP_SIGNING, 0); - if (result < 0) { - fprintf(stderr, "key_kp: %s\n", - gnutls_strerror(result)); - exit(1); - } - } result = get_time_stamp_status(); if (result) { |
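Review bot: The relocated block that sets GNUTLS_KP_OCSP_SIGNING carries no comment explaining why it now sits ahead of the `if (ca_status) {` branch, so a later tidy-up could fold it back under the CA-only path and silently reintroduce the restriction this commit removes; a one-line comment above the new `result = get_ocsp_sign_status();`, such as `/* RFC 6960 4.2.2.2: OCSP signing may be delegated to a non-CA certificate, so set the purpose regardless of ca_status */`, would pin the intent. The moved lines are otherwise identical to the removed ones, including reusing `result` for both the template flag and the library return code, which matches the surrounding style. Whether the removed block was previously inside the `if (ca_status)` body cannot be confirmed from the hunks, which only show it following `crt_constraints_set(crt);`. generate_certificate starts and ends outside the hunks.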