"BUILD_CERT",
"BUILD_CRL_DISTRIBUTION_POINTS",
"BUILD_OCSP_ACCESS_LOCATIONS",
+ "BUILD_PATHLEN",
"BUILD_X509_FLAG",
"BUILD_SMARTCARD_KEYID",
"BUILD_SMARTCARD_PIN",
BUILD_CRL_DISTRIBUTION_POINTS,
/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
BUILD_OCSP_ACCESS_LOCATIONS,
+ /** certificate path length constraint */
+ BUILD_PATHLEN,
/** enforce an additional X509 flag, x509_flag_t */
BUILD_X509_FLAG,
/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
/* build CA basicConstraint for CA certificates */
if (cert->flags & X509_CA)
{
+ chunk_t pathLenConstraint = chunk_empty;
+
+ if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
+ {
+ char pathlen = (char)cert->pathLenConstraint;
+
+ pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
+ }
basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_wrap(ASN1_BOOLEAN, "c",
- chunk_from_chars(0xFF)))));
+ chunk_from_chars(0xFF)),
+ pathLenConstraint)));
}
/* add serverAuth extendedKeyUsage flag */
enumerator->destroy(enumerator);
continue;
}
+ case BUILD_PATHLEN:
+ cert->pathLenConstraint = va_arg(args, int);
+ if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
+ {
+ cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
+ }
+ continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);
continue;
identification_t *id = NULL;
linked_list_t *san, *cdps, *ocsp;
int lifetime = 1080;
+ int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after;
case 'b':
flags |= X509_CA;
continue;
+ case 'p':
+ pathlen = atoi(arg);
+ continue;
case 'f':
if (streq(arg, "serverAuth"))
{
BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
+ BUILD_PATHLEN, pathlen,
BUILD_CRL_DISTRIBUTION_POINTS, cdps,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
if (!cert)
"issue a certificate using a CA certificate and key",
{"[--in file] [--type pub|pkcs10]",
" --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
- "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
- "[--flag serverAuth|ocspSigning]+",
+ "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
+ "[--ca] [--pathlen len] [--flag serverAuth|ocspSigning]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
{
{"help", 'h', 0, "show usage information"},
{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
+ {"pathlen", 'p', 1, "set path length constraint"},
{"flag", 'f', 1, "include extendedKeyUsage flag"},
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
identification_t *id = NULL;
linked_list_t *san, *ocsp;
int lifetime = 1080;
+ int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after;
case 'b':
flags |= X509_CA;
continue;
+ case 'p':
+ pathlen = atoi(arg);
+ continue;
case 'o':
ocsp->insert_last(ocsp, arg);
continue;
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
- BUILD_SUBJECT_ALTNAMES, san,
+ BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
if (!cert)
{
{"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
{"serial", 's', 1, "serial number in hex, default: random"},
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
+ {"pathlen", 'p', 1, "set path length constraint"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
}
projects / thirdparty / strongswan.git / commitdiff
