summaryrefslogtreecommitdiff
path: root/src/pki/commands/issue.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/pki/commands/issue.c')
-rw-r--r--src/pki/commands/issue.c34
1 files changed, 25 insertions, 9 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 2002cd555..8ea852e31 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -35,7 +35,7 @@ static int issue()
public_key_t *public = NULL;
bool pkcs10 = FALSE;
char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
- char *error = NULL;
+ char *error = NULL, *keyid = NULL;
identification_t *id = NULL;
linked_list_t *san, *cdps, *ocsp;
int lifetime = 1095;
@@ -85,6 +85,9 @@ static int issue()
case 'k':
cakey = arg;
continue;
+ case 'x':
+ keyid = arg;
+ continue;
case 'd':
dn = arg;
continue;
@@ -153,9 +156,9 @@ static int issue()
error = "--cacert is required";
goto usage;
}
- if (!cakey)
+ if (!cakey && !keyid)
{
- error = "--cakey is required";
+ error = "--cakey or --keyid is required";
goto usage;
}
if (dn)
@@ -190,12 +193,24 @@ static int issue()
}
DBG2(DBG_LIB, "Reading ca private key:");
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- public->get_type(public),
- BUILD_FROM_FILE, cakey, BUILD_END);
+ if (cakey)
+ {
+ private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ public->get_type(public),
+ BUILD_FROM_FILE, cakey, BUILD_END);
+ }
+ else
+ {
+ chunk_t chunk;
+
+ chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+ private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+ BUILD_PKCS11_KEYID, chunk, BUILD_END);
+ free(chunk.ptr);
+ }
if (!private)
{
- error = "parsing CA private key failed";
+ error = "loading CA private key failed";
goto end;
}
if (!private->belongs_to(private, public))
@@ -354,8 +369,8 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
issue, 'i', "issue",
"issue a certificate using a CA certificate and key",
- {"[--in file] [--type pub|pkcs10]",
- " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
+ {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
+ " --cacert file --dn subject-dn [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
"[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
@@ -365,6 +380,7 @@ static void __attribute__ ((constructor))reg()
{"type", 't', 1, "type of input, default: pub"},
{"cacert", 'c', 1, "CA certificate file"},
{"cakey", 'k', 1, "CA private key file"},
+ {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"},
{"dn", 'd', 1, "distinguished name to include as subject"},
{"san", 'a', 1, "subjectAltName to include in certificate"},
{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},