Added policyConstraints support to pki tool
This commit is contained in:
parent
a742d97fb8
commit
a864eb37b1
|
@ -201,7 +201,7 @@ int command_usage(char *error)
|
|||
}
|
||||
for (i = 0; cmds[active].options[i].name; i++)
|
||||
{
|
||||
fprintf(out, " --%-12s (-%c) %s\n",
|
||||
fprintf(out, " --%-15s (-%c) %s\n",
|
||||
cmds[active].options[i].name, cmds[active].options[i].op,
|
||||
cmds[active].options[i].desc);
|
||||
}
|
||||
|
|
|
@ -60,6 +60,7 @@ static int issue()
|
|||
linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
|
||||
int lifetime = 1095;
|
||||
int pathlen = X509_NO_CONSTRAINT;
|
||||
int inhibit_policy = X509_NO_CONSTRAINT, explicit_policy = X509_NO_CONSTRAINT;
|
||||
chunk_t serial = chunk_empty;
|
||||
chunk_t encoding = chunk_empty;
|
||||
time_t not_before, not_after;
|
||||
|
@ -200,6 +201,12 @@ static int issue()
|
|||
mappings->insert_last(mappings, mapping);
|
||||
continue;
|
||||
}
|
||||
case 'E':
|
||||
explicit_policy = atoi(arg);
|
||||
continue;
|
||||
case 'H':
|
||||
inhibit_policy = atoi(arg);
|
||||
continue;
|
||||
case 'e':
|
||||
if (streq(arg, "serverAuth"))
|
||||
{
|
||||
|
@ -420,6 +427,8 @@ static int issue()
|
|||
BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
|
||||
BUILD_CERTIFICATE_POLICIES, policies,
|
||||
BUILD_POLICY_MAPPINGS, mappings,
|
||||
BUILD_POLICY_CONSTRAINT_INHIBIT, inhibit_policy,
|
||||
BUILD_POLICY_CONSTRAINT_EXPLICIT, explicit_policy,
|
||||
BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
|
@ -489,32 +498,35 @@ static void __attribute__ ((constructor))reg()
|
|||
"[--nc-permitted name] [--nc-excluded name]",
|
||||
"[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
|
||||
"[--policy-map issuer-oid:subject-oid]",
|
||||
"[--policy-explicit len] [--policy-inhibit len] ",
|
||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "public key/request file to issue, default: stdin"},
|
||||
{"type", 't', 1, "type of input, default: pub"},
|
||||
{"cacert", 'c', 1, "CA certificate file"},
|
||||
{"cakey", 'k', 1, "CA private key file"},
|
||||
{"cakeyid", 'x', 1, "keyid on smartcard of CA private key"},
|
||||
{"dn", 'd', 1, "distinguished name to include as subject"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
{"serial", 's', 1, "serial number in hex, default: random"},
|
||||
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
|
||||
{"pathlen", 'p', 1, "set path length constraint"},
|
||||
{"nc-permitted",'n', 1, "add permitted NameConstraint"},
|
||||
{"nc-excluded", 'N', 1, "add excluded NameConstraint"},
|
||||
{"cert-policy", 'P', 1, "certificatePolicy OID to include"},
|
||||
{"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
|
||||
{"user-notice", 'U', 1, "user notice for certificatePolicy"},
|
||||
{"policy-map", 'M', 1, "policyMapping from issuer to subject OID"},
|
||||
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
||||
{"crl", 'u', 1, "CRL distribution point URI to include"},
|
||||
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
|
||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "public key/request file to issue, default: stdin"},
|
||||
{"type", 't', 1, "type of input, default: pub"},
|
||||
{"cacert", 'c', 1, "CA certificate file"},
|
||||
{"cakey", 'k', 1, "CA private key file"},
|
||||
{"cakeyid", 'x', 1, "keyid on smartcard of CA private key"},
|
||||
{"dn", 'd', 1, "distinguished name to include as subject"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
{"serial", 's', 1, "serial number in hex, default: random"},
|
||||
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
|
||||
{"pathlen", 'p', 1, "set path length constraint"},
|
||||
{"nc-permitted", 'n', 1, "add permitted NameConstraint"},
|
||||
{"nc-excluded", 'N', 1, "add excluded NameConstraint"},
|
||||
{"cert-policy", 'P', 1, "certificatePolicy OID to include"},
|
||||
{"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
|
||||
{"user-notice", 'U', 1, "user notice for certificatePolicy"},
|
||||
{"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
|
||||
{"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
|
||||
{"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
|
||||
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
||||
{"crl", 'u', 1, "CRL distribution point URI to include"},
|
||||
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
|
||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
}
|
||||
});
|
||||
}
|
||||
|
|
|
@ -258,6 +258,22 @@ static void print_x509(x509_t *x509)
|
|||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT ||
|
||||
x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf("PolicyConstraints:\n");
|
||||
if (x509->get_policyConstraint(x509, FALSE) != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf(" requireExplicitPolicy: %d\n",
|
||||
x509->get_policyConstraint(x509, FALSE));
|
||||
}
|
||||
if (x509->get_policyConstraint(x509, TRUE) != X509_NO_CONSTRAINT)
|
||||
{
|
||||
printf(" inhibitPolicyMapping: %d\n",
|
||||
x509->get_policyConstraint(x509, TRUE));
|
||||
}
|
||||
}
|
||||
|
||||
chunk = x509->get_authKeyIdentifier(x509);
|
||||
if (chunk.ptr)
|
||||
{
|
||||
|
|
|
@ -57,6 +57,7 @@ static int self()
|
|||
linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
|
||||
int lifetime = 1095;
|
||||
int pathlen = X509_NO_CONSTRAINT;
|
||||
int inhibit_policy = X509_NO_CONSTRAINT, explicit_policy = X509_NO_CONSTRAINT;
|
||||
chunk_t serial = chunk_empty;
|
||||
chunk_t encoding = chunk_empty;
|
||||
time_t not_before, not_after;
|
||||
|
@ -193,6 +194,12 @@ static int self()
|
|||
mappings->insert_last(mappings, mapping);
|
||||
continue;
|
||||
}
|
||||
case 'E':
|
||||
explicit_policy = atoi(arg);
|
||||
continue;
|
||||
case 'H':
|
||||
inhibit_policy = atoi(arg);
|
||||
continue;
|
||||
case 'e':
|
||||
if (streq(arg, "serverAuth"))
|
||||
{
|
||||
|
@ -304,7 +311,10 @@ static int self()
|
|||
BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
|
||||
BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
|
||||
BUILD_CERTIFICATE_POLICIES, policies,
|
||||
BUILD_POLICY_MAPPINGS, mappings, BUILD_END);
|
||||
BUILD_POLICY_MAPPINGS, mappings,
|
||||
BUILD_POLICY_CONSTRAINT_EXPLICIT, explicit_policy,
|
||||
BUILD_POLICY_CONSTRAINT_INHIBIT, inhibit_policy,
|
||||
BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
error = "generating certificate failed";
|
||||
|
@ -367,28 +377,31 @@ static void __attribute__ ((constructor))reg()
|
|||
"[--nc-permitted name] [--nc-excluded name]",
|
||||
"[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
|
||||
"[--policy-map issuer-oid:subject-oid]",
|
||||
"[--policy-explicit len] [--policy-inhibit len] ",
|
||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "private key input file, default: stdin"},
|
||||
{"keyid", 'x', 1, "keyid on smartcard of private key"},
|
||||
{"type", 't', 1, "type of input key, default: rsa"},
|
||||
{"dn", 'd', 1, "subject and issuer distinguished name"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
{"serial", 's', 1, "serial number in hex, default: random"},
|
||||
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
|
||||
{"pathlen", 'p', 1, "set path length constraint"},
|
||||
{"nc-permitted",'n', 1, "add permitted NameConstraint"},
|
||||
{"nc-excluded", 'N', 1, "add excluded NameConstraint"},
|
||||
{"cert-policy", 'P', 1, "certificatePolicy OID to include"},
|
||||
{"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
|
||||
{"user-notice", 'U', 1, "user notice for certificatePolicy"},
|
||||
{"policy-map", 'M', 1, "policyMapping from issuer to subject OID"},
|
||||
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "private key input file, default: stdin"},
|
||||
{"keyid", 'x', 1, "keyid on smartcard of private key"},
|
||||
{"type", 't', 1, "type of input key, default: rsa"},
|
||||
{"dn", 'd', 1, "subject and issuer distinguished name"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
{"serial", 's', 1, "serial number in hex, default: random"},
|
||||
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
|
||||
{"pathlen", 'p', 1, "set path length constraint"},
|
||||
{"nc-permitted", 'n', 1, "add permitted NameConstraint"},
|
||||
{"nc-excluded", 'N', 1, "add excluded NameConstraint"},
|
||||
{"cert-policy", 'P', 1, "certificatePolicy OID to include"},
|
||||
{"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
|
||||
{"user-notice", 'U', 1, "user notice for certificatePolicy"},
|
||||
{"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
|
||||
{"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
|
||||
{"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
|
||||
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
}
|
||||
});
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue