pki: Allow overriding EKU flags from certificate request via command line
authorTobias Brunner <tobias@strongswan.org>
Thu, 23 Feb 2023 15:54:51 +0000 (16:54 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 23 Feb 2023 15:55:57 +0000 (16:55 +0100)
The flags encoded in the PKCS#10 structure (or derived from the encoded
profile name) might not be appropriate in some instances. This allows
overriding them without having to issue a new certificate request.

src/pki/commands/issue.c

index 023f0536ab4ba3c03949b65b8b759068402d179f..ad4f13d22df08269c36d6184996d309f1629cea5 100644 (file)
@@ -482,8 +482,11 @@ static int issue()
                }
                req = (pkcs10_t*)cert_req;
 
-               /* Add Extended Key Usage (EKU) flags */
-               flags |= req->get_flags(req);
+               /* Add Extended Key Usage (EKU) flags if not overridden */
+               if (!flags)
+               {
+                       flags = req->get_flags(req);
+               }
 
                /* Add subjectAltNames from PKCS#10 certificate request */
                enumerator = req->create_subjectAltName_enumerator(req);
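Review bot: The `if (!flags)` test treats any bit already set in `flags` as an override, so the request's EKU flags are discarded as soon as anything is set on the command line, and an operator has no way to ask for an empty EKU set. If `flags` also carries non-EKU bits set by other options (its other assignments are outside this hunk, so this is inferred), passing one of those alone would silently drop the requested EKUs. A dedicated marker set where the flag option is parsed, e.g. `if (!flags_overridden)` (name illustrative), would be more robust than the zero test. When nothing is given, the requester-supplied PKCS#10 flags are still copied into the certificate unfiltered, which the comment could say: `/* No flags on the command line: use the requester-supplied EKU flags from the PKCS#10 as-is */`. issue() starts and ends outside the hunk.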