free(this);
}
+/**
+ * Parse (extended) key usage flag and add it to the given set
+ */
+static void parse_flag(char *arg, x509_flag_t *flags)
+{
+ if (streq(arg, "serverAuth"))
+ {
+ *flags |= X509_SERVER_AUTH;
+ }
+ else if (streq(arg, "clientAuth"))
+ {
+ *flags |= X509_CLIENT_AUTH;
+ }
+ else if (streq(arg, "ikeIntermediate"))
+ {
+ *flags |= X509_IKE_INTERMEDIATE;
+ }
+ else if (streq(arg, "crlSign"))
+ {
+ *flags |= X509_CRL_SIGN;
+ }
+ else if (streq(arg, "ocspSigning"))
+ {
+ *flags |= X509_OCSP_SIGNER;
+ }
+ else if (streq(arg, "msSmartcardLogon"))
+ {
+ *flags |= X509_MS_SMARTCARD_LOGON;
+ }
+}
+
/**
* Issue a certificate using a CA certificate and key
*/
chunk_t critical_extension_oid = chunk_empty;
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
char *datenb = NULL, *datena = NULL, *dateform = NULL;
- x509_flag_t flags = 0;
+ x509_flag_t flags = 0, flags_add = 0, flags_rem = 0;
x509_t *x509;
x509_cdp_t *cdp = NULL;
x509_cert_policy_t *policy = NULL;
inhibit_any = atoi(arg);
continue;
case 'e':
- if (streq(arg, "serverAuth"))
- {
- flags |= X509_SERVER_AUTH;
- }
- else if (streq(arg, "clientAuth"))
- {
- flags |= X509_CLIENT_AUTH;
- }
- else if (streq(arg, "ikeIntermediate"))
- {
- flags |= X509_IKE_INTERMEDIATE;
- }
- else if (streq(arg, "crlSign"))
+ if (strpfx(arg, "+"))
{
- flags |= X509_CRL_SIGN;
+ parse_flag(&arg[1], &flags_add);
}
- else if (streq(arg, "ocspSigning"))
+ else if (strpfx(arg, "-"))
{
- flags |= X509_OCSP_SIGNER;
+ parse_flag(&arg[1], &flags_rem);
}
- else if (streq(arg, "msSmartcardLogon"))
+ else
{
- flags |= X509_MS_SMARTCARD_LOGON;
+ parse_flag(arg, &flags);
}
continue;
case 'f':
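Review bot: An unrecognised flag name is still accepted silently in the new `case 'e'` code: parse_flag (defined in the first hunk) simply matches nothing, so a typo such as `--flag serverauth`, or a bare `+`/`-` which passes an empty string via `&arg[1]`, leaves the flag unset and the certificate is issued without the intended extendedKeyUsage and without any diagnostic. I would have parse_flag return a bool that is false when no name matched (`static bool parse_flag(char *arg, x509_flag_t *flags)`, ending in `return FALSE` after the last `else if`) and check the result at each of the three call sites here, rejecting the option value the way other invalid option values in this loop are handled. Since parse_flag only compares its argument, `const char *arg` would also document that it does not modify the string. The enclosing option loop and function start and end outside this hunk.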
error = "no signature scheme found";
goto end;
}
+ /* add and/or remove flags */
+ flags |= flags_add;
+ flags &= ~flags_rem;
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
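Review bot: The precedence between the two new lines is not stated: because `flags &= ~flags_rem` runs after `flags |= flags_add`, a flag given with both `+` and `-` ends up removed, and plain (unprefixed) flags are subject to the removal as well. I would make the comment explicit, e.g. `/* add and/or remove flags; removal wins if a flag is both added and removed, and also applies to flags given without a prefix */`. Whether flags read from a PKCS#10 request have already been merged into `flags` at this point is not visible in this hunk, so the "+ adds to the set read from the request" behaviour described in the man page hunk should be confirmed against the code between the option loop and this point. The enclosing function continues on both sides of the hunk.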
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIcrlSign\fR, \fIocspSigning\fR or \fImsSmartcardLogon\fR. Can be used multiple
-times.
+times. Without modifiers, this overrides flags from PKCS#10 certificate
+requests. Prefixing a flag with \fI+\fR adds it to the set of flags read from
+the request, prefixing it with \fI-\fR removes it from that set.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,