/*
* Copyright (C) 2008 Martin Willi
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2016-2019 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
"BUILD_THRESHOLD",
"BUILD_EDDSA_PUB",
"BUILD_EDDSA_PRIV_ASN1_DER",
+ "BUILD_CRITICAL_EXTENSION",
"BUILD_END",
);
/*
* Copyright (C) 2008 Martin Willi
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2016-2019 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
BUILD_EDDSA_PUB,
/** DER encoded ASN.1 EdDSA private key */
BUILD_EDDSA_PRIV_ASN1_DER,
+ /** OID of an [unsupported] critical extension */
+ BUILD_CRITICAL_EXTENSION,
/** end of variable argument builder list */
BUILD_END,
};
*/
chunk_t authKeySerialNumber;
+ /**
+ * Optional OID of an [unsupported] critical extension
+ */
+ chunk_t critical_extension_oid;
+
/**
* Path Length Constraint
*/
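Review bot: The field comment on `critical_extension_oid` does not say what the chunk holds or how it is used; from the build code further down it is the content octets of an OID (no tag or length, as produced by asn1_oid_from_string()) and, when non-empty, it is emitted as an extension flagged critical (BOOLEAN TRUE) with an empty extnValue. Suggest `/** Optional OID (content octets) of an [unsupported] critical extension; emitted with critical=TRUE and an empty extnValue, for test purposes */`. The identical field added to the CRL struct in a later hunk would benefit from the same wording.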
chunk_free(&this->authKeyIdentifier);
chunk_free(&this->encoding);
chunk_free(&this->encoding_hash);
+ chunk_free(&this->critical_extension_oid);
if (!this->parsed)
{ /* only parsed certificates point these fields to "encoded" */
chunk_free(&this->signature);
chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
chunk_t ipAddrBlocks = chunk_empty, sig_scheme = chunk_empty;
+ chunk_t criticalExtension = chunk_empty;
identification_t *issuer, *subject;
chunk_t key_info;
hasher_t *hasher;
chunk_from_thing(cert->inhibit_any))));
}
+ if (cert->critical_extension_oid.len > 0)
+ {
+ criticalExtension = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_simple_object(ASN1_OID, cert->critical_extension_oid),
+ asn1_simple_object(ASN1_BOOLEAN, chunk_from_chars(0xFF)),
+ asn1_simple_object(ASN1_OCTET_STRING, chunk_empty));
+ }
+
if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr)
{
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmmm",
basicConstraints, keyUsage, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames,
extendedKeyUsage, crlDistributionPoints,
authorityInfoAccess, nameConstraints, certPolicies,
policyMappings, policyConstraints, inhibitAnyPolicy,
- ipAddrBlocks));
+ ipAddrBlocks, criticalExtension));
}
cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmccmcmm",
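Review bot: The guard on the extensions wrapper still lists only basicConstraints, subjectAltNames, authKeyIdentifier, crlDistributionPoints, nameConstraints and ipAddrBlocks, so a certificate whose only optional extension is the new critical one would, as far as this hunk shows, have `criticalExtension` silently dropped and its buffer leaked (it is only released through the "m" move inside the wrapper). Extend the condition: `crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr || criticalExtension.ptr)`. The enclosing build function starts and ends outside the hunk.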
case BUILD_DIGEST_ALG:
digest_alg = va_arg(args, int);
continue;
+ case BUILD_CRITICAL_EXTENSION:
+ cert->critical_extension_oid = chunk_clone(va_arg(args, chunk_t));
+ continue;
case BUILD_END:
break;
default:
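Review bot: The `BUILD_CRITICAL_EXTENSION` case clones the argument without releasing a previous value, so passing the part twice leaks the first clone; this mirrors the neighbouring parts, but since the pki commands explicitly free and reassign on a repeated `--critical`, the builder could be made equally tolerant by freeing first: `chunk_free(&cert->critical_extension_oid);` before the assignment. The CRL builder's `BUILD_CRITICAL_EXTENSION` case in a later hunk has the same shape. Neither hunk shows the enclosing builder function's start or end.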
*/
chunk_t authKeySerialNumber;
+ /**
+ * Optional OID of an [unsupported] critical extension
+ */
+ chunk_t critical_extension_oid;
+
/**
* Number of BaseCRL, if a delta CRL
*/
DESTROY_IF(this->issuer);
free(this->authKeyIdentifier.ptr);
free(this->encoding.ptr);
+ free(this->critical_extension_oid.ptr);
if (this->generated)
{
free(this->crlNumber.ptr);
{
chunk_t extensions = chunk_empty, certList = chunk_empty, serial;
chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty;
- chunk_t sig_scheme = chunk_empty;
+ chunk_t sig_scheme = chunk_empty, criticalExtension = chunk_empty;
enumerator_t *enumerator;
crl_reason_t reason;
time_t date;
asn1_integer("c", this->baseCrlNumber)));
}
+ if (this->critical_extension_oid.len > 0)
+ {
+ criticalExtension = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_simple_object(ASN1_OID, this->critical_extension_oid),
+ asn1_simple_object(ASN1_BOOLEAN, chunk_from_chars(0xFF)),
+ asn1_simple_object(ASN1_OCTET_STRING, chunk_empty));
+ }
+
extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmm",
asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_AUTHORITY_KEY_ID),
asn1_wrap(ASN1_OCTET_STRING, "m",
asn1_build_known_oid(OID_CRL_NUMBER),
asn1_wrap(ASN1_OCTET_STRING, "m",
asn1_integer("c", this->crlNumber))),
- crlDistributionPoints, baseCrlNumber));
+ crlDistributionPoints, baseCrlNumber,
+ criticalExtension));
this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cccmmmm",
ASN1_INTEGER_1,
enumerator->destroy(enumerator);
continue;
}
+ case BUILD_CRITICAL_EXTENSION:
+ crl->critical_extension_oid = chunk_clone(va_arg(args, chunk_t));
+ continue;
case BUILD_END:
break;
default:
/*
* Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015-2017 Andreas Steffen
+ * Copyright (C) 2015-2019 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
+ chunk_t critical_extension_oid = chunk_empty;
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
char *datenb = NULL, *datena = NULL, *dateform = NULL;
x509_flag_t flags = 0;
case 'o':
ocsp->insert_last(ocsp, arg);
continue;
+ case 'X':
+ chunk_free(&critical_extension_oid);
+ critical_extension_oid = asn1_oid_from_string(arg);
+ continue;
case EOF:
break;
default:
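Review bot: The result of `asn1_oid_from_string(arg)` is not checked; assuming that function signals a malformed OID by returning an empty chunk, a mistyped `--critical` value is silently ignored because the builder only emits the extension when `.len > 0`, and the certificate is issued without it. Fail the command instead, e.g. `if (!critical_extension_oid.len) { error = "invalid --critical OID"; goto usage; }` — signcrl.c already uses `goto usage`; the corresponding label in issue.c and self.c lies outside the hunk, so the name may differ. The same check is missing in the `case 'X'` hunks of self.c and signcrl.c.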
BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+ BUILD_CRITICAL_EXTENSION, critical_extension_oid,
BUILD_SIGNATURE_SCHEME, scheme,
BUILD_END);
if (!cert)
cdps->destroy_function(cdps, (void*)destroy_cdp);
ocsp->destroy(ocsp);
signature_params_destroy(scheme);
+ free(critical_extension_oid.ptr);
free(encoding.ptr);
free(serial.ptr);
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
cdps->destroy_function(cdps, (void*)destroy_cdp);
ocsp->destroy(ocsp);
+ free(critical_extension_oid.ptr);
return command_usage(error);
}
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
- "[--rsa-padding pkcs1|pss]",
+ "[--rsa-padding pkcs1|pss] [--critical oid]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
+ {"critical", 'X', 1, "critical extension OID to include"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
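Review bot: The option help in issue.c reads "critical extension OID to include", whereas self.c and signcrl.c add "for test purposes"; since a relying party following RFC 5280 must reject a certificate carrying an unrecognised critical extension, that qualifier is worth keeping in all three commands, e.g. `{"critical", 'X', 1, "critical extension OID to include for test purposes"},`. The man page entries added in this commit likewise describe the option without that caveat.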
/*
* Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015-2017 Andreas Steffen
+ * Copyright (C) 2015-2019 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
int require_explicit = X509_NO_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
+ chunk_t critical_extension_oid = chunk_empty;
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
char *datenb = NULL, *datena = NULL, *dateform = NULL;
x509_flag_t flags = 0;
case 'o':
ocsp->insert_last(ocsp, arg);
continue;
+ case 'X':
+ chunk_free(&critical_extension_oid);
+ critical_extension_oid = asn1_oid_from_string(arg);
+ continue;
case EOF:
break;
default:
BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+ BUILD_CRITICAL_EXTENSION, critical_extension_oid,
BUILD_END);
if (!cert)
{
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
ocsp->destroy(ocsp);
signature_params_destroy(scheme);
+ free(critical_extension_oid.ptr);
free(encoding.ptr);
free(serial.ptr);
policies->destroy_function(policies, (void*)destroy_cert_policy);
mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
ocsp->destroy(ocsp);
+ free(critical_extension_oid.ptr);
return command_usage(error);
}
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
"[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
- "[--rsa-padding pkcs1|pss]",
+ "[--rsa-padding pkcs1|pss] [--critical oid]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
+ {"critical", 'X', 1, "critical extension OID to include for test purposes"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
- * Copyright (C) 2017 Andreas Steffen
+ * Copyright (C) 2017-2019 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <credentials/certificates/certificate.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>
+#include <asn1/asn1.h>
/**
enumerator_t *enumerator, *lastenum = NULL;
x509_cdp_t *cdp;
chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty;
+ chunk_t critical_extension_oid = chunk_empty;
chunk_t encoding = chunk_empty;
bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
lib->ns);
goto usage;
}
continue;
+ case 'X':
+ chunk_free(&critical_extension_oid);
+ critical_extension_oid = asn1_oid_from_string(arg);
+ continue;
case EOF:
break;
default:
BUILD_REVOKED_ENUMERATOR, enumerator,
BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_SIGNATURE_SCHEME, scheme,
BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber,
+ BUILD_CRITICAL_EXTENSION, critical_extension_oid,
BUILD_END);
enumerator->destroy(enumerator);
DESTROY_IF(lastenum);
DESTROY_IF((certificate_t*)lastcrl);
signature_params_destroy(scheme);
+ free(critical_extension_oid.ptr);
free(encoding.ptr);
free(baseCrlNumber.ptr);
free(crl_serial.ptr);
usage:
list->destroy_function(list, (void*)revoked_destroy);
cdps->destroy_function(cdps, (void*)x509_cdp_destroy);
+ free(critical_extension_oid.ptr);
return command_usage(error);
}
" superseded|cessation-of-operation|certificate-hold]",
" [--date timestamp] --cert file|--serial hex]*",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
- "[--rsa-padding pkcs1|pss]",
+ "[--rsa-padding pkcs1|pss] [--critical oid]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
{"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
+ {"critical", 'X', 1, "critical extension OID to include for test purposes"},
{"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});
-.TH "PKI \-\-ISSUE" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-ISSUE" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
.OP \-\-ocsp uri
.OP \-\-pathlen len
-.OP \-\-nc-permitted name
.OP \-\-addrblock block
+.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
+.OP \-\-critical oid
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.B email:
prefix to force a constraint type.
.TP
+.BI "\-X, \-\-critical " oid
+Add a critical extension with the given OID.
+.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
-.TH "PKI \-\-SELF" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-SELF" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
.OP \-\-addrblock block
.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
+.OP \-\-critical oid
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.B email:
prefix to force a constraint type.
.TP
+.BI "\-X, \-\-critical " oid
+Add a critical extension with the given OID.
+.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
-.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-SIGNCRL" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
.OP \-\-digest digest
.OP \-\-rsa\-padding padding
.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-critical oid
.OP \-\-outform encoding
.OP \-\-debug level
.YS
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
to \fIpkcs1\fR.
.TP
+.BI "\-X, \-\-critical " oid
+Add a critical extension with the given OID.
+.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.