certtool: do not require a CA for OCSP signing
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 15 Mar 2016 10:20:16 +0000 (11:20 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 15 Mar 2016 10:20:18 +0000 (11:20 +0100)
This follows the recommendations in RFC 6960, section 4.2.2.2,
which allow a CA to delegate OCSP signing to another certificate
without requiring that certificate to be a CA.

Reported by Thomas Klute.

src/certtool.c

index 835c76a582afa15795fcc5796ec2a2c038f9ed09..8cca98fa65fc6a9aea002811fb42016a1b26a576 100644 (file)
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2003-2015 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2015-2016 Red Hat, Inc.
  *
  * This file is part of GnuTLS.
  *
@@ -519,6 +520,18 @@ generate_certificate(gnutls_privkey_t * ret_key,
                if (result)
                        usage |= GNUTLS_KEY_NON_REPUDIATION;
 
+               result = get_ocsp_sign_status();
+               if (result) {
+                       result =
+                           gnutls_x509_crt_set_key_purpose_oid
+                           (crt, GNUTLS_KP_OCSP_SIGNING, 0);
+                       if (result < 0) {
+                               fprintf(stderr, "key_kp: %s\n",
+                                       gnutls_strerror(result));
+                               exit(1);
+                       }
+               }
+
                if (ca_status) {
                        result = get_cert_sign_status();
                        if (result)
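Review bot: The relocated block at the top of the hunk now sets GNUTLS_KP_OCSP_SIGNING on non-CA certificates as well, but nothing in the code records why the CA condition no longer applies; a comment such as `/* RFC 6960 4.2.2.2: OCSP signing may be delegated to a non-CA certificate issued directly by the CA, so this is asked regardless of ca_status. */` above `result = get_ocsp_sign_status();` would stop the next reader from moving it back under `if (ca_status)`. A delegated responder certificate also needs the digitalSignature key usage for its OCSP signatures to verify; the key-usage prompts earlier in this function (only the non-repudiation one is visible at the top of the hunk) do not appear to be tied to this answer, so it is worth confirming that a yes here is reflected in the key usage too. The error path keeps the generic `key_kp:` prefix, which does not say which purpose failed; `fprintf(stderr, "ocsp_signing: %s\n",` would be more useful in a tool that sets several purposes. generate_certificate starts before and ends after the hunk.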
@@ -542,17 +555,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
 
                        crt_constraints_set(crt);
 
-                       result = get_ocsp_sign_status();
-                       if (result) {
-                               result =
-                                   gnutls_x509_crt_set_key_purpose_oid
-                                   (crt, GNUTLS_KP_OCSP_SIGNING, 0);
-                               if (result < 0) {
-                                       fprintf(stderr, "key_kp: %s\n",
-                                               gnutls_strerror(result));
-                                       exit(1);
-                               }
-                       }
 
                        result = get_time_stamp_status();
                        if (result) {