static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
private_key_t *sign_key, int digest_alg)
{
- chunk_t extensions = chunk_empty;
+ chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
/* build CA basicConstraint for CA certificates */
if (cert->flags & X509_CA)
{
- chunk_t keyid;
-
basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
asn1_wrap(ASN1_BOOLEAN, "c",
asn1_wrap(ASN1_SEQUENCE, "m",
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)))));
- /* add subjectKeyIdentifier to CA certificates */
+ }
+
+ /* add ocspSigning extendedKeyUsage */
+ if (cert->flags & X509_OCSP_SIGNER)
+ {
+ extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm ",
+ asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "m",
+ asn1_build_known_oid(OID_OCSP_SIGNING))));
+ }
+
+ /* add subjectKeyIdentifier to CA and OCSP signer certificates */
+ if (cert->flags & (X509_CA | X509_OCSP_SIGNER))
+ {
+ chunk_t keyid;
+
if (cert->public_key->get_fingerprint(cert->public_key,
KEY_ID_PUBKEY_SHA1, &keyid))
{
asn1_wrap(ASN1_OCTET_STRING, "c", keyid)));
}
}
+
+ /* add the keyid authKeyIdentifier for non self-signed certificates */
if (sign_key)
- { /* add the keyid authKeyIdentifier for non self-signed certificates */
+ {
chunk_t keyid;
if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid))
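Review bot: The mode string `"mm "` in the new extendedKeyUsage wrap has three characters but only two chunk arguments follow it (the OID and the OCTET STRING wrap); every other asn1_wrap call in this hunk uses exactly one mode character per argument, so the trailing space looks like a typo. If asn1_wrap derives the variadic count from the mode string's length, as that pattern suggests, the call reads an argument that was never passed, which is undefined behaviour and will at best corrupt the encoded extension and at worst crash when the OCSP signer flag is set. It should read `extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",`. Since the X509_OCSP_SIGNER path is new and only exercised when the flag is requested, a certificate generated with `--flag ocspSigning` should be decoded back and checked for a well-formed extendedKeyUsage extension before this is merged. The body of generate() continues beyond this hunk.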
crlDistributionPoints.ptr)
{
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmmmm",
basicConstraints, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames,
- crlDistributionPoints, authorityInfoAccess));
+ extendedKeyUsage, crlDistributionPoints,
+ authorityInfoAccess));
}
cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
case 'b':
flags |= X509_CA;
continue;
+ case 'f':
+ if (streq(arg, "ocspSigning"))
+ {
+ flags |= X509_OCSP_SIGNER;
+ }
+ continue;
case 'u':
cdps->insert_last(cdps, arg);
continue;
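Review bot: The new `case 'f'` recognises only `"ocspSigning"` and silently ignores any other value, so a typo or an unsupported flag produces a certificate that lacks the requested extendedKeyUsage with no indication to the caller; the usage text added in the next hunk even advertises `serverAuth`, which this switch never handles. An unrecognised value should be rejected the same way the other options report bad input, e.g. `else { fprintf(stderr, "unknown flag '%s'\n", arg); return 1; }` adapted to whatever error path this command already uses, and the usage line should list only the values that are actually accepted. The enclosing option loop starts and ends outside the hunk.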
{"[--in file] [--type pub|pkcs10]",
" --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
+ "[--flag serverAuth|ocspSigning]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
{
{"help", 'h', 0, "show usage information"},
{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
+ {"flag", 'f', 1, "include extendedKeyUsage flag"},
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},