authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-03-15 11:20:16 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-03-15 11:20:18 +0100
commitf851b6870903b9ce451f9e978dd37f0692bf32dd (patch)
tree2b9d2e4103d22476c9abdf5f28022c158f16c8a0 /src
parent2995b1ed747d89285414975003fb286fa2edf545 (diff)
certtool: do not require a CA for OCSP signing
This follows the recommendations in RFC 6960, section 4.2.2.2, which allow a CA to delegate OCSP signing to another certificate without requiring that certificate to be a CA. Reported by Thomas Klute.
Diffstat (limited to 'src')
-rw-r--r--src/certtool.c26
1 files changed, 14 insertions, 12 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 835c76a582..8cca98fa65 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2003-2015 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2015-2016 Red Hat, Inc.
*
* This file is part of GnuTLS.
*
@@ -519,6 +520,18 @@ generate_certificate(gnutls_privkey_t * ret_key,
if (result)
usage |= GNUTLS_KEY_NON_REPUDIATION;
+ result = get_ocsp_sign_status();
+ if (result) {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid
+ (crt, GNUTLS_KP_OCSP_SIGNING, 0);
+ if (result < 0) {
+ fprintf(stderr, "key_kp: %s\n",
+ gnutls_strerror(result));
+ exit(1);
+ }
+ }
+
if (ca_status) {
result = get_cert_sign_status();
if (result)
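Review bot: The failure message on the added `fprintf` is the generic `key_kp: %s`, the same text the removed block used and that other key-purpose setters in this function appear to share, so a user cannot tell which purpose failed to be set; a distinct label such as `fprintf(stderr, "key_kp (OCSP signing): %s\n", gnutls_strerror(result));` would make the diagnostic actionable. Since the block now runs regardless of `ca_status`, a short comment above `result = get_ocsp_sign_status();` recording the rationale is worth adding, e.g. `/* RFC 6960 4.2.2.2: a CA may delegate OCSP signing to a non-CA certificate carrying id-kp-OCSPSigning; the delegate must still be issued directly by that CA */`. Reusing `result` first as the yes/no answer from get_ocsp_sign_status() and then as the gnutls error code is easy to misread; a separate `int ret` for the library call would be clearer. generate_certificate begins and ends outside this hunk.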
@@ -542,17 +555,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
crt_constraints_set(crt);
- result = get_ocsp_sign_status();
- if (result) {
- result =
- gnutls_x509_crt_set_key_purpose_oid
- (crt, GNUTLS_KP_OCSP_SIGNING, 0);
- if (result < 0) {
- fprintf(stderr, "key_kp: %s\n",
- gnutls_strerror(result));
- exit(1);
- }
- }
result = get_time_stamp_status();
if (result) {