pki tool can issue/self-sign certificates with OCSP URIs

diff --git a/src/pki/command.h b/src/pki/command.h
index b6418146b595571f5704389b393e581e791355bf..b82d174b363363eea46f43b115cf46fbde31dcf5 100644 (file)
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -32,12 +32,12 @@
 /**
  * Maximum number of options in a command (+1)
  */
-#define MAX_OPTIONS 14
+#define MAX_OPTIONS 20
 
 /**
  * Maximum number of usage summary lines (+1)
  */
-#define MAX_LINES 8
+#define MAX_LINES 10
 
 typedef struct command_t command_t;
 typedef enum command_type_t command_type_t;

diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 06c4e8157f14055fe84e7449f9485e56ff6072b0..bd27297faf6ebb2e4b5bd6357f3a686c57b6cd3c 100644 (file)
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -34,7 +34,7 @@ static int issue(int argc, char *argv[])
        char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
        char *error = NULL;
        identification_t *id = NULL;
-       linked_list_t *san, *cdps;
+       linked_list_t *san, *cdps, *ocsp;
        int lifetime = 1080;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
@@ -46,6 +46,7 @@ static int issue(int argc, char *argv[])
        options = options_create();
        san = linked_list_create();
        cdps = linked_list_create();
+       ocsp = linked_list_create();
 
        while (TRUE)
        {
@@ -84,9 +85,6 @@ static int issue(int argc, char *argv[])
                        case 'k':
                                cakey = optarg;
                                continue;
-                       case 'u':
-                               cdps->insert_last(cdps, optarg);
-                               continue;
                        case 'd':
                                dn = optarg;
                                continue;
@@ -107,6 +105,12 @@ static int issue(int argc, char *argv[])
                        case 'b':
                                flags |= X509_CA;
                                continue;
+                       case 'u':
+                               cdps->insert_last(cdps, optarg);
+                               continue;
+                       case 'o':
+                               ocsp->insert_last(ocsp, optarg);
+                               continue;
                        case EOF:
                                break;
                        default:
@@ -212,7 +216,8 @@ static int issue(int argc, char *argv[])
                                        BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
                                        BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
                                        BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
-                                       BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_END);
+                                       BUILD_CRL_DISTRIBUTION_POINTS, cdps,
+                                       BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
        if (!cert)
        {
                error = "generating certificate failed";
@@ -238,6 +243,7 @@ end:
        DESTROY_IF(private);
        san->destroy_offset(san, offsetof(identification_t, destroy));
        cdps->destroy(cdps);
+       ocsp->destroy(ocsp);
        options->destroy(options);
        free(encoding.ptr);
        free(serial.ptr);
@@ -252,6 +258,7 @@ end:
 usage:
        san->destroy_offset(san, offsetof(identification_t, destroy));
        cdps->destroy(cdps);
+       ocsp->destroy(ocsp);
        options->destroy(options);
        return command_usage(error);
 }
@@ -265,9 +272,8 @@ static void __attribute__ ((constructor))reg()
                issue, 'i', "issue",
                "issue a certificate using a CA certificate and key",
                {"[--in file] [--type pub|pkcs10]",
-                " --cacert file --cakey file [--cdp uri]+",
-                " --dn subject-dn [--san subjectAltName]+",
-                "[--lifetime days] [--serial hex] [--ca]",
+                " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
+                "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp URI]+",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512]",
                 "[--options file]"},
                {
@@ -276,12 +282,13 @@ static void __attribute__ ((constructor))reg()
                        {"type",        't', 1, "type of input, default: pub"},
                        {"cacert",      'c', 1, "CA certificate file"},
                        {"cakey",       'k', 1, "CA private key file"},
-                       {"cdp",         'u', 1, "CRL distribution point URI to include"},
                        {"dn",          'd', 1, "distinguished name to include as subject"},
                        {"san",         'a', 1, "subjectAltName to include in certificate"},
                        {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
                        {"serial",      's', 1, "serial number in hex, default: random"},
                        {"ca",          'b', 0, "include CA basicConstraint, default: no"},
+                       {"crl",         'u', 1, "CRL distribution point URI to include"},
+                       {"ocsp",        'o', 1, "OCSP AuthoritiyInfoAccess URI to incude"},
                        {"digest",      'g', 1, "digest for signature creation, default: sha1"},
                        {"options",     '+', 1, "read command line options from file"},
                }

diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index de1761c9cf38dda621e920992204d4f413dc41e5..6edf8990273cd48a76a60686158bc5100fee6d95 100644 (file)
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -34,7 +34,7 @@ static int self(int argc, char *argv[])
        public_key_t *public = NULL;
        char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL;
        identification_t *id = NULL;
-       linked_list_t *san;
+       linked_list_t *san, *ocsp;
        int lifetime = 1080;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
@@ -44,6 +44,7 @@ static int self(int argc, char *argv[])
 
        options = options_create();
        san = linked_list_create();
+       ocsp = linked_list_create();
 
        while (TRUE)
        {
@@ -101,9 +102,12 @@ static int self(int argc, char *argv[])
                        case 's':
                                hex = optarg;
                                continue;
-                       case 'c':
+                       case 'b':
                                flags |= X509_CA;
                                continue;
+                       case 'o':
+                               ocsp->insert_last(ocsp, optarg);
+                               continue;
                        case EOF:
                                break;
                        default:
@@ -168,7 +172,8 @@ static int self(int argc, char *argv[])
                                                BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
                                                BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
                                                BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
-                                               BUILD_SUBJECT_ALTNAMES, san, BUILD_END);
+                                               BUILD_SUBJECT_ALTNAMES, san,
+                                               BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
        if (!cert)
        {
                error = "generating certificate failed";
@@ -192,6 +197,7 @@ end:
        DESTROY_IF(public);
        DESTROY_IF(private);
        san->destroy_offset(san, offsetof(identification_t, destroy));
+       ocsp->destroy(ocsp);
        options->destroy(options);
        free(encoding.ptr);
        free(serial.ptr);
@@ -205,6 +211,7 @@ end:
 
 usage:
        san->destroy_offset(san, offsetof(identification_t, destroy));
+       ocsp->destroy(ocsp);
        options->destroy(options);
        return command_usage(error);
 }
@@ -219,7 +226,7 @@ static void __attribute__ ((constructor))reg()
                "create a self signed certificate",
                {"[--in file] [--type rsa|ecdsa]",
                 " --dn distinguished-name [--san subjectAltName]+",
-                "[--lifetime days] [--serial hex] [--ca]",
+                "[--lifetime days] [--serial hex] [--ca] [--ocsp URI]+",
                 "[--digest md5|sha1|sha224|sha256|sha384|sha512]",
                 "[--options file]"},
                {
@@ -231,6 +238,7 @@ static void __attribute__ ((constructor))reg()
                        {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
                        {"serial",      's', 1, "serial number in hex, default: random"},
                        {"ca",          'b', 0, "include CA basicConstraint, default: no"},
+                       {"ocsp",        'o', 1, "OCSP AuthoritiyInfoAccess URI to incude"},
                        {"digest",      'g', 1, "digest for signature creation, default: sha1"},
                        {"options",     '+', 1, "read command line options from file"},
                }