{
BIT_STRING_BITNAME *bnam;
char first = 1;
+ int last_seen_bit = -1;
+
BIO_printf(out, "%*s", indent, "");
for (bnam = tbl; bnam->lname; bnam++) {
+ /*
+ * Skip duplicate entries for the same bit in the BIT_STRING_BITNAME
+ * table. Those are aliases, but we only want to print the first entry
+ * when converting to a string.
+ */
+ if (last_seen_bit == bnam->bitnum)
+ continue;
+ last_seen_bit = bnam->bitnum;
+
if (ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
if (!first)
BIO_puts(out, ", ");
static BIT_STRING_BITNAME key_usage_type_table[] = {
{0, "Digital Signature", "digitalSignature"},
{1, "Non Repudiation", "nonRepudiation"},
+ {1, "Content Commitment", "contentCommitment"},
{2, "Key Encipherment", "keyEncipherment"},
{3, "Data Encipherment", "dataEncipherment"},
{4, "Key Agreement", "keyAgreement"},
STACK_OF(CONF_VALUE) *ret)
{
BIT_STRING_BITNAME *bnam;
+ int last_seen_bit = -1;
+
for (bnam = method->usr_data; bnam->lname; bnam++) {
+ /*
+ * If the bitnumber did not change from the last iteration, this entry
+ * is an an alias for the previous bit; treat the first result as
+ * canonical and ignore the rest.
+ */
+ if (last_seen_bit == bnam->bitnum)
+ continue;
+ last_seen_bit = bnam->bitnum;
if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
X509V3_add_value(bnam->lname, NULL, &ret);
}
=item B<S/MIME Signing> (C<smimesign>)
In addition to the common S/MIME checks, for target certificates
-the key usage must allow for C<digitalSignature> and/or B<nonRepudiation>.
+the key usage must allow for C<digitalSignature> and/or B<nonRepudiation> (or
+its alias name B<contentCommitment>).
=item B<S/MIME Encryption> (C<smimeencrypt>)
=item B<Timestamp Signing> (C<timestampsign>)
For target certificates, if the key usage extension is present, it must include
-C<digitalSignature> and/or C<nonRepudiation> and must not include other bits.
+C<digitalSignature> and/or C<nonRepudiation> (or its alias name
+C<contentCommitment>) and must not include other bits.
The EKU extension must be present and contain C<timeStamping> only.
Moreover, it must be marked as critical.
Key usage is a multi-valued extension consisting of a list of names of
the permitted key usages. The defined values are: C<digitalSignature>,
-C<nonRepudiation>, C<keyEncipherment>, C<dataEncipherment>, C<keyAgreement>,
-C<keyCertSign>, C<cRLSign>, C<encipherOnly>, and C<decipherOnly>.
+C<nonRepudiation> (with an alternative name C<contentCommitment>),
+C<keyEncipherment>, C<dataEncipherment>, C<keyAgreement>, C<keyCertSign>,
+C<cRLSign>, C<encipherOnly>, and C<decipherOnly>.
Examples:
keyUsage = digitalSignature, nonRepudiation
+ keyUsage = digitalSignature, contentCommitment
+
keyUsage = critical, keyCertSign
=head2 Extended Key Usage
setup("test_req");
-plan tests => 113;
+plan tests => 116;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
"-copy_extensions", "copy");
has_keyUsage($cert, 1);
+# keyUsage=contentCommitment is an alias for nonRepudiation
+$cert = "self-issued-v3_CA_keyUsage_contentCommitment.pem";
+generate_cert($cert, "-addext", "keyUsage = contentCommitment",
+ "-in", srctop_file(@certs, "x509-check.csr"));
+cert_contains($cert, "Non Repudiation", 1);
+cert_contains($cert, "Content Commitment", 0);
+
# Generate cert using req with '-modulus'
ok(run(app(["openssl", "req", "-x509", "-new", "-days", "365",
"-key", srctop_file("test", "testrsa.pem"),
projects / thirdparty / openssl.git / commitdiff
