From: Tobias Brunner Date: Thu, 23 Feb 2023 16:03:05 +0000 (+0100) Subject: pki: Add possibility to add/remove flags in requests when issuing certificates X-Git-Tag: 5.9.10~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e9b2bd27f312eda51cd5f709b304a7a010ca518;p=thirdparty%2Fstrongswan.git pki: Add possibility to add/remove flags in requests when issuing certificates
---
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index ad4f13d22d..d8e908f011 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -55,6 +55,37 @@ static void destroy_cdp(x509_cdp_t *this)
 free(this);
 }
 
+/**
+ * Parse (extended) key usage flag and add it to the given set
+ */
+static void parse_flag(char *arg, x509_flag_t *flags)
+{
+ if (streq(arg, "serverAuth"))
+ {
+ *flags |= X509_SERVER_AUTH;
+ }
+ else if (streq(arg, "clientAuth"))
+ {
+ *flags |= X509_CLIENT_AUTH;
+ }
+ else if (streq(arg, "ikeIntermediate"))
+ {
+ *flags |= X509_IKE_INTERMEDIATE;
+ }
+ else if (streq(arg, "crlSign"))
+ {
+ *flags |= X509_CRL_SIGN;
+ }
+ else if (streq(arg, "ocspSigning"))
+ {
+ *flags |= X509_OCSP_SIGNER;
+ }
+ else if (streq(arg, "msSmartcardLogon"))
+ {
+ *flags |= X509_MS_SMARTCARD_LOGON;
+ }
+}
+
 /**
  * Issue a certificate using a CA certificate and key
  */
@@ -81,7 +112,7 @@ static int issue()
 chunk_t critical_extension_oid = chunk_empty;
 time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
 char *datenb = NULL, *datena = NULL, *dateform = NULL;
- x509_flag_t flags = 0;
+ x509_flag_t flags = 0, flags_add = 0, flags_rem = 0;
 x509_t *x509;
 x509_cdp_t *cdp = NULL;
 x509_cert_policy_t *policy = NULL;
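Review bot: parse_flag has no final `else`, so a flag name it does not recognise is dropped without any diagnostic, and the call sites in the `case 'e'` hunk below cannot tell whether the option had any effect. This was already true of the old inline chain, but the new `-` modifier raises the stakes: a misspelt name meant to strip an extended key usage from a PKCS#10 request leaves that usage in the issued certificate, which is exactly the case an operator will not re-check. I would have the helper report success so the caller can fail on bad input, and since `arg` only feeds `streq()` it can be `const char *`. The `case 'e'` call sites would then treat a `FALSE` return as an invalid option value.
```c
static bool parse_flag(const char *arg, x509_flag_t *flags)
{
	/* … unchanged: streq() chain setting *flags … */
	else
	{
		return FALSE;
	}
	return TRUE;
}
```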
@@ -291,29 +322,17 @@ static int issue()
 inhibit_any = atoi(arg);
 continue;
 case 'e':
- if (streq(arg, "serverAuth"))
- {
- flags |= X509_SERVER_AUTH;
- }
- else if (streq(arg, "clientAuth"))
- {
- flags |= X509_CLIENT_AUTH;
- }
- else if (streq(arg, "ikeIntermediate"))
- {
- flags |= X509_IKE_INTERMEDIATE;
- }
- else if (streq(arg, "crlSign"))
+ if (strpfx(arg, "+"))
 {
- flags |= X509_CRL_SIGN;
+ parse_flag(&arg[1], &flags_add);
 }
- else if (streq(arg, "ocspSigning"))
+ else if (strpfx(arg, "-"))
 {
- flags |= X509_OCSP_SIGNER;
+ parse_flag(&arg[1], &flags_rem);
 }
- else if (streq(arg, "msSmartcardLogon"))
+ else
 {
- flags |= X509_MS_SMARTCARD_LOGON;
+ parse_flag(arg, &flags);
 }
 continue;
 case 'f':
@@ -545,6 +564,9 @@ static int issue()
 error = "no signature scheme found";
 goto end;
 }
+ /* add and/or remove flags */
+ flags |= flags_add;
+ flags &= ~flags_rem;
 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index ae7a62ddd9..fb99c2e4f8 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -126,7 +126,9 @@ Serial number in hex. It is randomly allocated by default.
 .BI "\-e, \-\-flag " flag
 Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
 \fIcrlSign\fR, \fIocspSigning\fR or \fImsSmartcardLogon\fR. Can be used multiple
-times.
+times. Without modifiers, this overrides flags from PKCS#10 certificate
+requests. Prefixing a flag with \fI+\fR adds it to the set of flags read from
+the request, prefixing it with \fI-\fR removes it from that set.
 .TP
 .BI "\-g, \-\-digest " digest
 Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
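Review bot: `strpfx(arg, "+")` and `strpfx(arg, "-")` also match a bare `+` or `-`, which hands an empty string to parse_flag; nothing in the option loop rejects that, so `--flag +` is silently a no-op. A short guard before the three call sites would be enough, for example `if (!arg[1]) { error = "empty flag name"; goto end; }`, assuming the `error`/`goto end` path used in the later hunk is safe to take from inside the option loop — issue() starts and ends outside these hunks, so I cannot confirm that here. The later hunk (`flags |= flags_add; flags &= ~flags_rem;`) also deserves a comment that removal is applied after addition, so giving the same flag with both `+` and `-` silently removes it; the man-page text in this commit does not say which modifier wins.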