authoralexei.volkov.bugs%sun.com <devnull@localhost>2009-02-12 17:17:48 +0000
committeralexei.volkov.bugs%sun.com <devnull@localhost>2009-02-12 17:17:48 +0000
commit2c1fa08b8b8b06b3bf408c75281496549f5f432a (patch)
tree8774a35f2f9cb06a20a4c785d5a0b6c510b86148 /security/nss/cmd/certutil
parent85122803096e737da82fa7369fb614e29d046a82 (diff)
downloadnss-hg-2c1fa08b8b8b06b3bf408c75281496549f5f432a.tar.gz
476979 - Add cert chain tests that will do cert validation for different ku/eku. r=nelson
Diffstat (limited to 'security/nss/cmd/certutil')
-rw-r--r--security/nss/cmd/certutil/certext.c321
-rw-r--r--security/nss/cmd/certutil/certutil.c97
-rw-r--r--security/nss/cmd/certutil/certutil.h7
3 files changed, 300 insertions, 125 deletions
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
index cdebedc6b..ee7b00ddc 100644
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -278,49 +278,121 @@ GetYesNo(char *prompt)
return (buffPrt && (buf[0] == 'y' || buf[0] == 'Y')) ? PR_TRUE : PR_FALSE;
}
+/* Parses comma separated values out of the string pointed by nextPos.
+ * Parsed value is compared to an array of possible values(valueArray).
+ * If match is found, a value index is returned, otherwise returns SECFailue.
+ * nextPos is set to the token after found comma separator or to NULL.
+ * NULL in nextPos should be used as indication of the last parsed token.
+ * A special value "critical" can be parsed out from the supplied sting.*/
+
+static SECStatus
+parseNextCmdInput(const char * const *valueArray, int *value, char **nextPos,
+ PRBool *critical)
+{
+ char *thisPos = *nextPos;
+ int keyLen = 0;
+ int arrIndex = 0;
+
+ if (!valueArray || !value || !nextPos || !critical) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ while (1) {
+ if ((*nextPos = strchr(thisPos, ',')) == NULL) {
+ keyLen = strlen(thisPos);
+ } else {
+ keyLen = *nextPos - thisPos;
+ *nextPos += 1;
+ }
+ /* if critical keyword is found, go for another loop,
+ * but check, if it is the last keyword of
+ * the string.*/
+ if (!strncmp("critical", thisPos, keyLen)) {
+ *critical = PR_TRUE;
+ if (*nextPos == NULL) {
+ return SECSuccess;
+ }
+ thisPos = *nextPos;
+ continue;
+ }
+ break;
+ }
+ for (arrIndex = 0; valueArray[arrIndex]; arrIndex++) {
+ if (!strncmp(valueArray[arrIndex], thisPos, keyLen)) {
+ *value = arrIndex;
+ return SECSuccess;
+ }
+ }
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+}
+
+static const char * const
+keyUsageKeyWordArray[] = { "digitalSignature",
+ "nonRepudiation",
+ "keyEncipherment",
+ "dataEncipherment",
+ "keyAgreement",
+ "certSigning",
+ "crlSigning",
+ NULL};
+
static SECStatus
-AddKeyUsage (void *extHandle)
+AddKeyUsage (void *extHandle, const char *userSuppliedValue)
{
SECItem bitStringValue;
unsigned char keyUsage = 0x0;
char buffer[5];
int value;
- PRBool yesNoAns;
-
- while (1) {
- if (PrintChoicesAndGetAnswer(
- "\t\t0 - Digital Signature\n"
- "\t\t1 - Non-repudiation\n"
- "\t\t2 - Key encipherment\n"
- "\t\t3 - Data encipherment\n"
- "\t\t4 - Key agreement\n"
- "\t\t5 - Cert signing key\n"
- "\t\t6 - CRL signing key\n"
- "\t\tOther to finish\n",
- buffer, sizeof(buffer)) == SECFailure) {
- return SECFailure;
+ char *nextPos = (char*)userSuppliedValue;
+ PRBool isCriticalExt = PR_FALSE;
+
+ if (!userSuppliedValue) {
+ while (1) {
+ if (PrintChoicesAndGetAnswer(
+ "\t\t0 - Digital Signature\n"
+ "\t\t1 - Non-repudiation\n"
+ "\t\t2 - Key encipherment\n"
+ "\t\t3 - Data encipherment\n"
+ "\t\t4 - Key agreement\n"
+ "\t\t5 - Cert signing key\n"
+ "\t\t6 - CRL signing key\n"
+ "\t\tOther to finish\n",
+ buffer, sizeof(buffer)) == SECFailure) {
+ return SECFailure;
+ }
+ value = PORT_Atoi (buffer);
+ if (value < 0 || value > 6)
+ break;
+ if (value == 0) {
+ /* Checking that zero value of variable 'value'
+ * corresponds to '0' input made by user */
+ char *chPtr = strchr(buffer, '0');
+ if (chPtr == NULL) {
+ continue;
+ }
+ }
+ keyUsage |= (0x80 >> value);
}
- value = PORT_Atoi (buffer);
- if (value < 0 || value > 6)
- break;
- if (value == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- continue;
+ isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
+ } else {
+ while (1) {
+ if (parseNextCmdInput(keyUsageKeyWordArray, &value, &nextPos,
+ &isCriticalExt) == SECFailure) {
+ return SECFailure;
}
+ keyUsage |= (0x80 >> value);
+ if (!nextPos)
+ break;
}
- keyUsage |= (0x80 >> value);
}
bitStringValue.data = &keyUsage;
bitStringValue.len = 1;
- yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
return (CERT_EncodeAndAddBitStrExtension
(extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
- yesNoAns));
+ isCriticalExt));
}
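Review bot: parseNextCmdInput compares only keyLen characters, so any token that is a prefix of a keyword matches it: an empty token from a trailing or doubled comma has keyLen 0 and matches "critical", silently marking the extension critical, and a partial token such as "key" selects the first keyword that starts with it. Check the length as well, `if (keyLen == strlen("critical") && !strncmp("critical", thisPos, keyLen))` and `if (keyLen == strlen(valueArray[arrIndex]) && !strncmp(valueArray[arrIndex], thisPos, keyLen))`. Separately, when "critical" is the final token the function returns SECSuccess without writing *value, so AddKeyUsage's following `keyUsage |= (0x80 >> value);` re-ORs the previous token's value or, for a lone "critical" argument, shifts by the uninitialized `value` declared at the top of the function; the same sequence appears in AddNscpCertType and, through the switch on value, in AddExtKeyUsage below. Either set `*value = -1` on that return path and have the callers skip the bit when value is negative, or state in the header comment that *value is left untouched when the last token is "critical". The header comment's "SECFailue" and "sting" are typos.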
@@ -378,6 +450,10 @@ AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
}
for( oids = os->oids; (SECItem *)NULL != *oids; oids++ ) {
+ if (*oids == &od->oid) {
+ /* We already have this oid */
+ return SECSuccess;
+ }
count++;
}
@@ -432,42 +508,60 @@ loser:
return (SECItem *)NULL;
}
+static const char * const
+extKeyUsageKeyWordArray[] = { "serverAuth",
+ "clientAuth",
+ "codeSigning",
+ "emailProtection",
+ "timeStamp",
+ "ocspResponder",
+ "stepUp",
+ NULL};
+
static SECStatus
-AddExtKeyUsage (void *extHandle)
+AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
{
char buffer[5];
int value;
CERTOidSequence *os;
SECStatus rv;
SECItem *item;
- PRBool yesNoAns;
-
+ PRBool isCriticalExt = PR_FALSE;
+ char *nextPos = (char*)userSuppliedValue;
+
os = CreateOidSequence();
if( (CERTOidSequence *)NULL == os ) {
return SECFailure;
}
while (1) {
- if (PrintChoicesAndGetAnswer(
- "\t\t0 - Server Auth\n"
- "\t\t1 - Client Auth\n"
- "\t\t2 - Code Signing\n"
- "\t\t3 - Email Protection\n"
- "\t\t4 - Timestamp\n"
- "\t\t5 - OCSP Responder\n"
- "\t\t6 - Step-up\n"
- "\t\tOther to finish\n",
- buffer, sizeof(buffer)) == SECFailure) {
- GEN_BREAK(SECFailure);
- }
- value = PORT_Atoi(buffer);
-
- if (value == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- continue;
+ if (!userSuppliedValue) {
+ if (PrintChoicesAndGetAnswer(
+ "\t\t0 - Server Auth\n"
+ "\t\t1 - Client Auth\n"
+ "\t\t2 - Code Signing\n"
+ "\t\t3 - Email Protection\n"
+ "\t\t4 - Timestamp\n"
+ "\t\t5 - OCSP Responder\n"
+ "\t\t6 - Step-up\n"
+ "\t\tOther to finish\n",
+ buffer, sizeof(buffer)) == SECFailure) {
+ GEN_BREAK(SECFailure);
+ }
+ value = PORT_Atoi(buffer);
+
+ if (value == 0) {
+ /* Checking that zero value of variable 'value'
+ * corresponds to '0' input made by user */
+ char *chPtr = strchr(buffer, '0');
+ if (chPtr == NULL) {
+ continue;
+ }
+ }
+ } else {
+ if (parseNextCmdInput(extKeyUsageKeyWordArray, &value, &nextPos,
+ &isCriticalExt) == SECFailure) {
+ return SECFailure;
}
}
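Review bot: The `return SECFailure;` added in the keyword branch of AddExtKeyUsage leaks the CERTOidSequence obtained from CreateOidSequence a few lines above, while the interactive branch next to it routes the same failure through GEN_BREAK so the sequence is still destroyed. Use the function's existing cleanup instead, `rv = SECFailure;` `goto loser;` (the loser label and the rest of the function are in the next hunk).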
@@ -497,66 +591,95 @@ AddExtKeyUsage (void *extHandle)
goto endloop;
}
- if( SECSuccess != rv ) goto loser;
+ if (userSuppliedValue && !nextPos)
+ break;
+ if( SECSuccess != rv )
+ goto loser;
}
endloop:
item = EncodeOidSequence(os);
- yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
+ if (!userSuppliedValue) {
+ isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
+ }
rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, item,
- yesNoAns, PR_TRUE);
+ isCriticalExt, PR_TRUE);
/*FALLTHROUGH*/
loser:
DestroyOidSequence(os);
return rv;
}
+static const char * const
+nsCertTypeKeyWordArray[] = { "sslClient",
+ "sslServer",
+ "smime",
+ "objectSigning",
+ "Not!Used",
+ "sslCA",
+ "smimeCA",
+ "objectSigningCA",
+ NULL };
+
static SECStatus
-AddNscpCertType (void *extHandle)
+AddNscpCertType (void *extHandle, const char *userSuppliedValue)
{
SECItem bitStringValue;
unsigned char keyUsage = 0x0;
char buffer[5];
int value;
- PRBool yesNoAns;
-
- while (1) {
- if (PrintChoicesAndGetAnswer(
- "\t\t0 - SSL Client\n"
- "\t\t1 - SSL Server\n"
- "\t\t2 - S/MIME\n"
- "\t\t3 - Object Signing\n"
- "\t\t4 - Reserved for future use\n"
- "\t\t5 - SSL CA\n"
- "\t\t6 - S/MIME CA\n"
- "\t\t7 - Object Signing CA\n"
- "\t\tOther to finish\n",
- buffer, sizeof(buffer)) == SECFailure) {
- return SECFailure;
+ char *nextPos = (char*)userSuppliedValue;
+ PRBool isCriticalExt = PR_FALSE;
+
+ if (!userSuppliedValue) {
+ while (1) {
+ if (PrintChoicesAndGetAnswer(
+ "\t\t0 - SSL Client\n"
+ "\t\t1 - SSL Server\n"
+ "\t\t2 - S/MIME\n"
+ "\t\t3 - Object Signing\n"
+ "\t\t4 - Reserved for future use\n"
+ "\t\t5 - SSL CA\n"
+ "\t\t6 - S/MIME CA\n"
+ "\t\t7 - Object Signing CA\n"
+ "\t\tOther to finish\n",
+ buffer, sizeof(buffer)) == SECFailure) {
+ return SECFailure;
+ }
+ value = PORT_Atoi (buffer);
+ if (value < 0 || value > 7)
+ break;
+ if (value == 0) {
+ /* Checking that zero value of variable 'value'
+ * corresponds to '0' input made by user */
+ char *chPtr = strchr(buffer, '0');
+ if (chPtr == NULL) {
+ continue;
+ }
+ }
+ keyUsage |= (0x80 >> value);
}
- value = PORT_Atoi (buffer);
- if (value < 0 || value > 7)
- break;
- if (value == 0) {
- /* Checking that zero value of variable 'value'
- * corresponds to '0' input made by user */
- char *chPtr = strchr(buffer, '0');
- if (chPtr == NULL) {
- continue;
+ isCriticalExt = GetYesNo("Is this a critical extension [y/N]?");
+ } else {
+ while (1) {
+ if (parseNextCmdInput(nsCertTypeKeyWordArray, &value, &nextPos,
+ &isCriticalExt) == SECFailure) {
+ return SECFailure;
}
+ keyUsage |= (0x80 >> value);
+ if (!nextPos)
+ break;
}
- keyUsage |= (0x80 >> value);
}
bitStringValue.data = &keyUsage;
bitStringValue.len = 1;
- yesNoAns = GetYesNo("Is this a critical extension [y/N]?");
return (CERT_EncodeAndAddBitStrExtension
(extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
- yesNoAns));
+ isCriticalExt));
}
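Review bot: The new `if (userSuppliedValue && !nextPos) break;` in AddExtKeyUsage runs before the `if( SECSuccess != rv ) goto loser;` check that follows it, so a failure recorded in rv while handling the last keyword is ignored: control reaches endloop, the partial sequence is encoded, and rv is then overwritten by CERT_AddExtension. Swap the two statements so the rv check comes first and only then `if (userSuppliedValue && !nextPos) break;`. The switch that sets rv is above this hunk, so whether it can fail for a valid index cannot be confirmed from here, but the ordering should not depend on that. AddExtKeyUsage begins in the previous hunk.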
@@ -571,7 +694,6 @@ AddSubjectAltNames(PRArenaPool *arena, CERTGeneralName **existingListp,
char *tbuf;
SECStatus rv = SECSuccess;
-
/*
* walk down the comma separated list of names. NOTE: there is
* no sanity checks to see if the email address look like
@@ -1557,8 +1679,8 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
do {
/* Add key usage extension */
- if (extList[ext_keyUsage]) {
- rv = AddKeyUsage(extHandle);
+ if (extList[ext_keyUsage].activated) {
+ rv = AddKeyUsage(extHandle, extList[ext_keyUsage].arg);
if (rv) {
errstring = "KeyUsage";
break;
@@ -1566,8 +1688,8 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
/* Add extended key usage extension */
- if (extList[ext_extKeyUsage]) {
- rv = AddExtKeyUsage(extHandle);
+ if (extList[ext_extKeyUsage].activated) {
+ rv = AddExtKeyUsage(extHandle, extList[ext_extKeyUsage].arg);
if (rv) {
errstring = "ExtendedKeyUsage";
break;
@@ -1575,7 +1697,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
/* Add basic constraint extension */
- if (extList[ext_basicConstraint]) {
+ if (extList[ext_basicConstraint].activated) {
rv = AddBasicConstraint(extHandle);
if (rv) {
errstring = "BasicConstraint";
@@ -1583,7 +1705,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_authorityKeyID]) {
+ if (extList[ext_authorityKeyID].activated) {
rv = AddAuthKeyID(extHandle);
if (rv) {
errstring = "AuthorityKeyID";
@@ -1591,7 +1713,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_subjectKeyID]) {
+ if (extList[ext_subjectKeyID].activated) {
rv = AddSubjKeyID(extHandle);
if (rv) {
errstring = "SubjectKeyID";
@@ -1599,7 +1721,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_CRLDistPts]) {
+ if (extList[ext_CRLDistPts].activated) {
rv = AddCrlDistPoint(extHandle);
if (rv) {
errstring = "CRLDistPoints";
@@ -1607,24 +1729,25 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_NSCertType]) {
- rv = AddNscpCertType(extHandle);
+ if (extList[ext_NSCertType].activated) {
+ rv = AddNscpCertType(extHandle, extList[ext_extKeyUsage].arg);
if (rv) {
errstring = "NSCertType";
break;
}
}
- if (extList[ext_authInfoAcc] || extList[ext_subjInfoAcc]) {
- rv = AddInfoAccess(extHandle, extList[ext_subjInfoAcc],
- extList[ext_basicConstraint]);
+ if (extList[ext_authInfoAcc].activated ||
+ extList[ext_subjInfoAcc].activated) {
+ rv = AddInfoAccess(extHandle, extList[ext_subjInfoAcc].activated,
+ extList[ext_basicConstraint].activated);
if (rv) {
errstring = "InformationAccess";
break;
}
}
- if (extList[ext_certPolicies]) {
+ if (extList[ext_certPolicies].activated) {
rv = AddCertPolicies(extHandle);
if (rv) {
errstring = "Policies";
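Review bot: `rv = AddNscpCertType(extHandle, extList[ext_extKeyUsage].arg);` hands the extended-key-usage keyword list to the Netscape cert type extension, whereas the AddKeyUsage and AddExtKeyUsage calls in the earlier hunks each use their own entry. With `--nsCertType` alone the arg is NULL and the code falls back to the interactive prompt; combined with `--extKeyUsage`, the extKeyUsage keywords are parsed against nsCertTypeKeyWordArray and rejected. It should read `rv = AddNscpCertType(extHandle, extList[ext_NSCertType].arg);`.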
@@ -1632,7 +1755,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_policyMappings]) {
+ if (extList[ext_policyMappings].activated) {
rv = AddPolicyMappings(extHandle);
if (rv) {
errstring = "PolicyMappings";
@@ -1640,7 +1763,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_policyConstr]) {
+ if (extList[ext_policyConstr].activated) {
rv = AddPolicyConstraints(extHandle);
if (rv) {
errstring = "PolicyConstraints";
@@ -1648,7 +1771,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
}
}
- if (extList[ext_inhibitAnyPolicy]) {
+ if (extList[ext_inhibitAnyPolicy].activated) {
rv = AddInhibitAnyPolicy(extHandle);
if (rv) {
errstring = "InhibitAnyPolicy";
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 70d7a7488..a5bcb4591 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -940,8 +940,11 @@ Usage(char *progName)
FPS "\t%s -B -i batch-file\n", progName);
FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
- "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n"
- "\t\t [-6] [-7 emailAddrs] [-8 dns-names] [-a]\n",
+ "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+ "\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
+ "\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
+ "\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
+ "\t\t [-8 dns-names] [-a]\n",
progName);
FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
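Review bot: The synopsis shows `--keyUsage [keyUsageKeyword,..]` with the keyword list in its own brackets, which reads as optional, yet the options_init entries added later in this commit set the second field (which appears to be the needs-argument flag) to PR_TRUE for all three long options. Drop the inner brackets so the line reads `"\t\t [-1 | --keyUsage keyUsageKeyword,...] [-2] [-3] [-4]\n"`, and do the same for the -5 and -6 lines.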
@@ -1049,18 +1052,29 @@ static void LongUsage(char *progName)
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
- FPS "%-20s Create key usage extension\n",
- " -1 ");
+ FPS "%-20s \n"
+ "%-20s Create key usage extension. Possible keywords:\n"
+ "%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
+ "%-20s \"dataEncipherment\", \"keyAgreement\", \"certSigning\",\n"
+ "%-20s \"crlSigning\", \"critical\"\n",
+ " -1 | --keyUsage keyword,keyword,...", "", "", "", "");
FPS "%-20s Create basic constraint extension\n",
" -2 ");
FPS "%-20s Create authority key ID extension\n",
" -3 ");
FPS "%-20s Create crl distribution point extension\n",
" -4 ");
- FPS "%-20s Create netscape cert type extension\n",
- " -5 ");
- FPS "%-20s Create extended key usage extension\n",
- " -6 ");
+ FPS "%-20s \n"
+ "%-20s Create netscape cert type extension. Possible keywords:\n"
+ "%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
+ "%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
+ " -5 | -nsCertType keyword,keyword,... ", "", "", "");
+ FPS "%-20s \n"
+ "%-20s Create extended key usage extension. Possible keywords:\n"
+ "%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
+ "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
+ "%-20s \"stepUp\", \"critical\"\n",
+ " -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
FPS "%-20s Create an email subject alt name extension\n",
" -7 emailAddrs");
FPS "%-20s Create an dns subject alt name extension\n",
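Review bot: The -5 help line spells the long option `-nsCertType` with a single dash, while the -1 and -6 lines and the synopsis use `--keyUsage` and `--extKeyUsage`; change it to `" -5 | --nsCertType keyword,keyword,... "`. The same line lists seven keywords but nsCertTypeKeyWordArray in certext.c has eight entries with the reserved slot spelled "Not!Used"; if that placeholder is not meant to be typed, a comment beside the array saying so would help.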
@@ -1803,6 +1817,9 @@ enum certutilOpts {
opt_AddPolicyConstrExt,
opt_AddInhibAnyExt,
opt_AddSubjectKeyIDExt,
+ opt_AddCmdKeyUsageExt,
+ opt_AddCmdNSCertTypeExt,
+ opt_AddCmdExtKeyUsageExt,
opt_SourceDir,
opt_SourcePrefix,
opt_UpgradeID,
@@ -1888,6 +1905,13 @@ secuCommandFlag options_init[] =
{ /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" },
{ /* opt_AddSubjectKeyIDExt */ 0, PR_FALSE, 0, PR_FALSE,
"extSKID" },
+ { /* opt_AddCmdKeyUsageExt */ 0, PR_TRUE, 0, PR_FALSE,
+ "keyUsage" },
+ { /* opt_AddCmdNSCertTypeExt */ 0, PR_TRUE, 0, PR_FALSE,
+ "nsCertType" },
+ { /* opt_AddCmdExtKeyUsageExt*/ 0, PR_TRUE, 0, PR_FALSE,
+ "extKeyUsage" },
+
{ /* opt_SourceDir */ 0, PR_TRUE, 0, PR_FALSE,
"source-dir"},
{ /* opt_SourcePrefix */ 0, PR_TRUE, 0, PR_FALSE,
@@ -2676,31 +2700,54 @@ merge_fail:
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
certutil.commands[cmd_CreateNewCert].activated) {
- certutil_extns[ext_keyUsage] =
- certutil.options[opt_AddKeyUsageExt].activated;
- certutil_extns[ext_basicConstraint] =
+ certutil_extns[ext_keyUsage].activated =
+ certutil.options[opt_AddCmdKeyUsageExt].activated;
+ if (!certutil_extns[ext_keyUsage].activated) {
+ certutil_extns[ext_keyUsage].activated =
+ certutil.options[opt_AddKeyUsageExt].activated;
+ } else {
+ certutil_extns[ext_keyUsage].arg =
+ certutil.options[opt_AddCmdKeyUsageExt].arg;
+ }
+ certutil_extns[ext_basicConstraint].activated =
certutil.options[opt_AddBasicConstraintExt].activated;
- certutil_extns[ext_authorityKeyID] =
+ certutil_extns[ext_authorityKeyID].activated =
certutil.options[opt_AddAuthorityKeyIDExt].activated;
- certutil_extns[ext_subjectKeyID] =
+ certutil_extns[ext_subjectKeyID].activated =
certutil.options[opt_AddSubjectKeyIDExt].activated;
- certutil_extns[ext_CRLDistPts] =
+ certutil_extns[ext_CRLDistPts].activated =
certutil.options[opt_AddCRLDistPtsExt].activated;
- certutil_extns[ext_NSCertType] =
- certutil.options[opt_AddNSCertTypeExt].activated;
- certutil_extns[ext_extKeyUsage] =
- certutil.options[opt_AddExtKeyUsageExt].activated;
- certutil_extns[ext_authInfoAcc] =
+ certutil_extns[ext_NSCertType].activated =
+ certutil.options[opt_AddCmdNSCertTypeExt].activated;
+ if (!certutil_extns[ext_NSCertType].activated) {
+ certutil_extns[ext_NSCertType].activated =
+ certutil.options[opt_AddNSCertTypeExt].activated;
+ } else {
+ certutil_extns[ext_NSCertType].arg =
+ certutil.options[opt_AddCmdNSCertTypeExt].arg;
+ }
+
+ certutil_extns[ext_extKeyUsage].activated =
+ certutil.options[opt_AddCmdExtKeyUsageExt].activated;
+ if (!certutil_extns[ext_extKeyUsage].activated) {
+ certutil_extns[ext_extKeyUsage].activated =
+ certutil.options[opt_AddExtKeyUsageExt].activated;
+ } else {
+ certutil_extns[ext_extKeyUsage].arg =
+ certutil.options[opt_AddCmdExtKeyUsageExt].arg;
+ }
+
+ certutil_extns[ext_authInfoAcc].activated =
certutil.options[opt_AddAuthInfoAccExt].activated;
- certutil_extns[ext_subjInfoAcc] =
+ certutil_extns[ext_subjInfoAcc].activated =
certutil.options[opt_AddSubjInfoAccExt].activated;
- certutil_extns[ext_certPolicies] =
+ certutil_extns[ext_certPolicies].activated =
certutil.options[opt_AddCertPoliciesExt].activated;
- certutil_extns[ext_policyMappings] =
+ certutil_extns[ext_policyMappings].activated =
certutil.options[opt_AddPolicyMapExt].activated;
- certutil_extns[ext_policyConstr] =
+ certutil_extns[ext_policyConstr].activated =
certutil.options[opt_AddPolicyConstrExt].activated;
- certutil_extns[ext_inhibitAnyPolicy] =
+ certutil_extns[ext_inhibitAnyPolicy].activated =
certutil.options[opt_AddInhibAnyExt].activated;
}
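Review bot: The keyword-or-interactive selection is written out three times for ext_keyUsage, ext_NSCertType and ext_extKeyUsage, and on the interactive branch `.arg` is never assigned, so it relies on certutil_extns (declared outside this hunk) being zero-initialized. A small helper makes the precedence explicit — the long option wins and the short one is consulted only when it is absent — and resets arg to NULL in the fallback case. Sketch below; the remaining plain `.activated` assignments stay as they are.
```c
/* Fills one certutilExtnList slot: the keyword-taking long option wins and
 * its argument is kept; otherwise the interactive short option decides. */
static void
SetExtnEntry(ExtensionEntry *entry, const secuCommandFlag *cmdOpt,
             const secuCommandFlag *interactiveOpt)
{
    if (cmdOpt->activated) {
        entry->activated = PR_TRUE;
        entry->arg = cmdOpt->arg;
    } else {
        entry->activated = interactiveOpt->activated;
        entry->arg = NULL;
    }
}

/* … unchanged: command activation check and plain .activated assignments … */
        SetExtnEntry(&certutil_extns[ext_keyUsage],
                     &certutil.options[opt_AddCmdKeyUsageExt],
                     &certutil.options[opt_AddKeyUsageExt]);
        SetExtnEntry(&certutil_extns[ext_NSCertType],
                     &certutil.options[opt_AddCmdNSCertTypeExt],
                     &certutil.options[opt_AddNSCertTypeExt]);
        SetExtnEntry(&certutil_extns[ext_extKeyUsage],
                     &certutil.options[opt_AddCmdExtKeyUsageExt],
                     &certutil.options[opt_AddExtKeyUsageExt]);
```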
/*
@@ -2730,7 +2777,7 @@ merge_fail:
* and output the cert to another file.
*/
if (certutil.commands[cmd_CreateAndAddCert].activated) {
- static certutilExtnList nullextnlist = {PR_FALSE};
+ static certutilExtnList nullextnlist = {{PR_FALSE, NULL}};
rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
certutil.options[opt_PhoneNumber].arg,
certutil.options[opt_ASCIIForIO].activated,
diff --git a/security/nss/cmd/certutil/certutil.h b/security/nss/cmd/certutil/certutil.h
index eda0c497e..0f9470d6f 100644
--- a/security/nss/cmd/certutil/certutil.h
+++ b/security/nss/cmd/certutil/certutil.h
@@ -67,7 +67,12 @@ enum certutilExtns {
ext_End
};
-typedef PRBool certutilExtnList[ext_End];
+typedef struct ExtensionEntryStr {
+ PRBool activated;
+ const char *arg;
+} ExtensionEntry;
+
+typedef ExtensionEntry certutilExtnList[ext_End];
extern SECStatus
AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
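Review bot: The new `arg` member of ExtensionEntryStr has no comment saying what it holds or when it is NULL, although the three callers in certext.c use NULL to select the interactive prompt. Document that on the field, e.g. `const char *arg; /* keyword list from --keyUsage/--nsCertType/--extKeyUsage; NULL means prompt interactively */`, and mention that it is assigned from certutil.options[...].arg and so is borrowed rather than owned.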