Diffstat (limited to 'src/pki/commands')
-rw-r--r-- | src/pki/commands/issue.c | 223 | ||||
-rw-r--r-- | src/pki/commands/print.c | 151 | ||||
-rw-r--r-- | src/pki/commands/self.c | 171 | ||||
-rw-r--r-- | src/pki/commands/signcrl.c | 86 |
4 files changed, 553 insertions, 78 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 8ea852e31..6a5686d92 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -18,12 +18,41 @@
 #include "pki.h"
 
 #include <debug.h>
+#include <asn1/asn1.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/pkcs10.h>
 
 /**
+ * Free cert policy with OID
+ */
+static void destroy_cert_policy(x509_cert_policy_t *policy)
+{
+ free(policy->oid.ptr);
+ free(policy);
+}
+
+/**
+ * Free policy mapping
+ */
+static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
+{
+ free(mapping->issuer.ptr);
+ free(mapping->subject.ptr);
+ free(mapping);
+}
+
+/**
+ * Free a CRL DistributionPoint
+ */
+static void destroy_cdp(x509_cdp_t *this)
+{
+ DESTROY_IF(this->issuer);
+ free(this);
+}
+
+/**
  * Issue a certificate using a CA certificate and key
  */
 static int issue()
@@ -37,19 +66,26 @@ static int issue()
 char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
 char *error = NULL, *keyid = NULL;
 identification_t *id = NULL;
- linked_list_t *san, *cdps, *ocsp;
+ linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
 int lifetime = 1095;
- int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
+ int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
+ int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 chunk_t serial = chunk_empty;
 chunk_t encoding = chunk_empty;
 time_t not_before, not_after;
 x509_flag_t flags = 0;
 x509_t *x509;
+ x509_cdp_t *cdp = NULL;
+ x509_cert_policy_t *policy = NULL;
 char *arg;
 
 san = linked_list_create();
 cdps = linked_list_create();
 ocsp = linked_list_create();
+ permitted = linked_list_create();
+ excluded = linked_list_create();
+ policies = linked_list_create();
+ mappings = linked_list_create();
 
 while (TRUE)
 {
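Review bot: The three destroy helpers added after the includes free different sets of members without a word on why: `destroy_cdp` never frees `uri` and `destroy_cert_policy` never frees `cps_uri`/`unotice_text`, which is only correct because the option parser further down stores `arg` (argv) pointers there, whereas signcrl.c's new `cdp_destroy` does `free(this->uri)` because that file `strdup`s the URI. A one-line ownership note on each would stop the next caller from handing these structs heap-allocated strings, e.g. ` * Free a CRL DistributionPoint; uri is not owned (points into argv)` and ` * Free cert policy with OID; cps_uri/unotice_text are not owned (point into argv)`. The helper pair is also duplicated verbatim in self.c and named differently in signcrl.c (`cdp_destroy` vs `destroy_cdp`); one shared implementation in pki.h/pki.c with one naming scheme would keep the three copies from drifting. In the declarations hunk that follows, `cdp` and `policy` act as "most recently added" cursors for `--crlissuer`, `--cps-uri` and `--user-notice`; a comment such as `/* last added CDP/policy, targets for --crlissuer, --cps-uri, --user-notice */` would make that pairing visible.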
@@ -111,6 +147,79 @@ static int issue() case 'p': pathlen = atoi(arg); continue; + case 'n': + permitted->insert_last(permitted, + identification_create_from_string(arg)); + continue; + case 'N': + excluded->insert_last(excluded, + identification_create_from_string(arg)); + continue; + case 'P': + { + chunk_t oid; + + oid = asn1_oid_from_string(arg); + if (!oid.len) + { + error = "--cert-policy OID invalid"; + goto usage; + } + INIT(policy, + .oid = oid, + ); + policies->insert_last(policies, policy); + continue; + } + case 'C': + if (!policy) + { + error = "--cps-uri must follow a --cert-policy"; + goto usage; + } + policy->cps_uri = arg; + continue; + case 'U': + if (!policy) + { + error = "--user-notice must follow a --cert-policy"; + goto usage; + } + policy->unotice_text = arg; + continue; + case 'M': + { + char *pos = strchr(arg, ':'); + x509_policy_mapping_t *mapping; + chunk_t subject_oid, issuer_oid; + + if (pos) + { + *pos++ = '\0'; + issuer_oid = asn1_oid_from_string(arg); + subject_oid = asn1_oid_from_string(pos); + } + if (!pos || !issuer_oid.len || !subject_oid.len) + { + error = "--policy-map OIDs invalid"; + goto usage; + } + INIT(mapping, + .issuer = issuer_oid, + .subject = subject_oid, + ); + mappings->insert_last(mappings, mapping); + continue; + } + case 'E': + require_explicit = atoi(arg); + continue; + case 'H': + inhibit_mapping = atoi(arg); + continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -120,6 +229,10 @@ static int issue() { flags |= X509_CLIENT_AUTH; } + else if (streq(arg, "crlSign")) + { + flags |= X509_CRL_SIGN; + } else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; 
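Review bot: The new `case 'E'`, `'H'` and `'A'` branches parse the policy-constraint skip counts with `atoi(arg)`, so a non-numeric or empty value silently becomes 0 — for requireExplicitPolicy and inhibitAnyPolicy the strictest possible setting — and a negative value can turn a constraint back into `X509_NO_CONSTRAINT`; this differs from the `--cert-policy` and `--policy-map` branches in the same hunk, which reject bad OIDs with `goto usage`. A small strtol-based helper (below) that fails on garbage, trailing characters or negative numbers, used from all three cases, keeps the behaviour consistent; the identical code in self.c's `self()` has the same issue. Separately, in `case 'M'` a valid issuer OID combined with an invalid subject OID (or vice versa) leaks the chunk that `asn1_oid_from_string` allocated before `goto usage`; initialising both to `chunk_empty` and adding `chunk_free(&issuer_oid); chunk_free(&subject_oid);` before the goto fixes that. The enclosing `issue()` starts and ends outside this hunk.
```c
/**
 * Parse a non-negative policy constraint skip count, FALSE on bad input
 */
static bool parse_constraint(char *arg, int *value)
{
	char *end;
	long val;

	errno = 0;
	val = strtol(arg, &end, 10);
	if (arg == end || *end != '\0' || errno == ERANGE || val < 0 || val > INT_MAX)
	{
		return FALSE;
	}
	*value = val;
	return TRUE;
}

/* … unchanged: option loop up to case 'E' … */
			case 'E':
				if (!parse_constraint(arg, &require_explicit))
				{
					error = "--policy-explicit requires a non-negative number";
					goto usage;
				}
				continue;
/* … same pattern for case 'H' (inhibit_mapping) and case 'A' (inhibit_any) … */
```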
@@ -128,11 +241,23 @@ static int issue() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { - return command_usage("invalid output format"); + error = "invalid output format"; + goto usage; } continue; case 'u': - cdps->insert_last(cdps, arg); + INIT(cdp, + .uri = arg, + ); + cdps->insert_last(cdps, cdp); + continue; + case 'I': + if (!cdp || cdp->issuer) + { + error = "--crlissuer must follow a --crl"; + goto usage; + } + cdp->issuer = identification_create_from_string(arg); continue; case 'o': ocsp->insert_last(ocsp, arg); @@ -145,12 +270,6 @@ static int issue() } break; } - - if (!pkcs10 && !dn) - { - error = "--dn is required"; - goto usage; - } if (!cacert) { error = "--cacert is required"; @@ -161,7 +280,7 @@ static int issue() error = "--cakey or --keyid is required"; goto usage; } - if (dn) + if (dn && *dn) { id = identification_create_from_string(dn); if (id->get_type(id) != ID_DER_ASN1_DN) @@ -306,6 +425,12 @@ static int issue() goto end; } + if (!id) + { + id = identification_create_from_encoding(ID_DER_ASN1_DN, + chunk_from_chars(ASN1_SEQUENCE, 0)); + } + not_before = time(NULL); not_after = not_before + lifetime * 24 * 60 * 60; @@ -317,7 +442,15 @@ static int issue() BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_CRL_DISTRIBUTION_POINTS, cdps, - BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, + BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, + BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, mappings, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); if (!cert) { error = "generating certificate failed"; 
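Review bot: Dropping the `--dn is required` check and later substituting an empty `SEQUENCE` as subject (`chunk_from_chars(ASN1_SEQUENCE, 0)`) means `pki --issue` now silently emits a certificate with an empty subject and, if no `--san` was given either, no name at all; RFC 5280 §4.1.2.6 only permits an empty subject when a critical subjectAltName is present, so the CLI should refuse that combination rather than rely on the builder. At the spot where the old check was, `if (!pkcs10 && !dn && san->get_count(san) == 0) { error = "--dn or --san is required"; goto usage; }` restores the guard while still allowing SAN-only certificates; whether the pkcs10 path carries a subject of its own cannot be seen here. It is also not visible in these hunks whether the x509 builder marks the SAN extension critical for an empty subject — worth confirming there. `issue()` starts and ends outside these hunks.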
@@ -342,7 +475,11 @@ end:
 DESTROY_IF(public);
 DESTROY_IF(private);
 san->destroy_offset(san, offsetof(identification_t, destroy));
- cdps->destroy(cdps);
+ permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+ excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+ policies->destroy_function(policies, (void*)destroy_cert_policy);
+ mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
+ cdps->destroy_function(cdps, (void*)destroy_cdp);
 ocsp->destroy(ocsp);
 free(encoding.ptr);
 free(serial.ptr);
@@ -356,7 +493,11 @@ end:
 
 usage:
 san->destroy_offset(san, offsetof(identification_t, destroy));
- cdps->destroy(cdps);
+ permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
+ excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+ policies->destroy_function(policies, (void*)destroy_cert_policy);
+ mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
+ cdps->destroy_function(cdps, (void*)destroy_cdp);
 ocsp->destroy(ocsp);
 return command_usage(error);
 }
@@ -370,28 +511,42 @@ static void __attribute__ ((constructor))reg() issue, 'i', "issue", "issue a certificate using a CA certificate and key", {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", - " --cacert file --dn subject-dn [--san subjectAltName]+", - "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", - "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", + " --cacert file [--dn subject-dn] [--san subjectAltName]+", + "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+", + "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--nc-permitted name] [--nc-excluded name]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", + "[--policy-map issuer-oid:subject-oid]", + "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "public key/request file to issue, default: stdin"}, - {"type", 't', 1, "type of input, default: pub"}, - {"cacert", 'c', 1, "CA certificate file"}, - {"cakey", 'k', 1, "CA private key file"}, - {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, - {"dn", 'd', 1, "distinguished name to include as subject"}, - {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, - {"serial", 's', 1, "serial number in hex, default: random"}, - {"ca", 'b', 0, "include CA basicConstraint, default: no"}, - {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'e', 1, "include extendedKeyUsage flag"}, - {"crl", 'u', 1, "CRL distribution point URI to include"}, - {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated cert, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, 
"public key/request file to issue, default: stdin"}, + {"type", 't', 1, "type of input, default: pub"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"dn", 'd', 1, "distinguished name to include as subject"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"nc-permitted", 'n', 1, "add permitted NameConstraint"}, + {"nc-excluded", 'N', 1, "add excluded NameConstraint"}, + {"cert-policy", 'P', 1, "certificatePolicy OID to include"}, + {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"}, + {"user-notice", 'U', 1, "user notice for certificatePolicy"}, + {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"}, + {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"}, + {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"}, + {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"crl", 'u', 1, "CRL distribution point URI to include"}, + {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 870dca920..ee6f30c98 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -15,6 +15,7 @@ #include "pki.h" +#include <asn1/asn1.h> #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> 
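Review bot: The long option registered in this table is `"policy-mapping"` (`'M'`), but the synopsis line in the same hunk advertises `[--policy-map issuer-oid:subject-oid]` and the parser's error string says `--policy-map OIDs invalid`; unless the option parser accepts unambiguous prefixes the documented spelling does not work, and even if it does, help and error text should name the option as registered. Either rename the entry to `{"policy-map", 'M', 1, "policyMapping from issuer to subject OID"},` or change the synopsis and the error string to `--policy-mapping`. The repeatable `--nc-permitted`/`--nc-excluded` options are also shown without the `+` that the other repeatable options in the synopsis carry. The same three points apply to the `reg()` hunk in self.c.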
@@ -72,8 +73,11 @@ static void print_x509(x509_t *x509) chunk_t chunk; bool first; char *uri; - int len; + int len, explicit, inhibit; x509_flag_t flags; + x509_cdp_t *cdp; + x509_cert_policy_t *policy; + x509_policy_mapping_t *mapping; chunk = x509->get_serial(x509); printf("serial: %#B\n", &chunk); @@ -105,6 +109,10 @@ static void print_x509(x509_t *x509) { printf("CA "); } + if (flags & X509_CRL_SIGN) + { + printf("CRLSign "); + } if (flags & X509_AA) { printf("AA "); @@ -133,17 +141,22 @@ static void print_x509(x509_t *x509) first = TRUE; enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &cdp)) { if (first) { - printf("CRL URIs: %s\n", uri); + printf("CRL URIs: %s", cdp->uri); first = FALSE; } else { - printf(" %s\n", uri); + printf(" %s", cdp->uri); + } + if (cdp->issuer) + { + printf(" (CRL issuer: %Y)", cdp->issuer); } + printf("\n"); } enumerator->destroy(enumerator); 
@@ -163,12 +176,111 @@ static void print_x509(x509_t *x509) } enumerator->destroy(enumerator); - len = x509->get_pathLenConstraint(x509); - if (len != X509_NO_PATH_LEN_CONSTRAINT) + len = x509->get_constraint(x509, X509_PATH_LEN); + if (len != X509_NO_CONSTRAINT) { printf("pathlen: %d\n", len); } + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("Permitted NameConstraints:\n"); + first = FALSE; + } + printf(" %Y\n", id); + } + enumerator->destroy(enumerator); + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("Excluded NameConstraints:\n"); + first = FALSE; + } + printf(" %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + char *oid; + + if (first) + { + printf("CertificatePolicies:\n"); + first = FALSE; + } + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + printf(" %s\n", oid); + free(oid); + } + else + { + printf(" %#B\n", &policy->oid); + } + if (policy->cps_uri) + { + printf(" CPS: %s\n", policy->cps_uri); + } + if (policy->unotice_text) + { + printf(" Notice: %s\n", policy->unotice_text); + + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_policy_mapping_enumerator(x509); + while (enumerator->enumerate(enumerator, &mapping)) + { + char *issuer_oid, *subject_oid; + + if (first) + { + printf("PolicyMappings:\n"); + first = FALSE; + } + issuer_oid = asn1_oid_to_string(mapping->issuer); + subject_oid = asn1_oid_to_string(mapping->subject); + printf(" %s => %s\n", issuer_oid, subject_oid); + free(issuer_oid); + free(subject_oid); + } + enumerator->destroy(enumerator); + + explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + inhibit = 
x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) + { + printf("PolicyConstraints:\n"); + if (explicit != X509_NO_CONSTRAINT) + { + printf(" requireExplicitPolicy: %d\n", explicit); + } + if (inhibit != X509_NO_CONSTRAINT) + { + printf(" inhibitPolicyMapping: %d\n", inhibit); + } + if (len != X509_NO_CONSTRAINT) + { + printf(" inhibitAnyPolicy: %d\n", len); + } + } + chunk = x509->get_authKeyIdentifier(x509); if (chunk.ptr) { @@ -212,14 +324,41 @@ static void print_crl(crl_t *crl) crl_reason_t reason; chunk_t chunk; int count = 0; + bool first; char buf[64]; struct tm tm; + x509_cdp_t *cdp; chunk = crl->get_serial(crl); printf("serial: %#B\n", &chunk); + if (crl->is_delta_crl(crl, &chunk)) + { + printf("delta CRL: for serial %#B\n", &chunk); + } chunk = crl->get_authKeyIdentifier(crl); printf("authKeyId: %#B\n", &chunk); + first = TRUE; + enumerator = crl->create_delta_crl_uri_enumerator(crl); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + printf("freshest: %s", cdp->uri); + first = FALSE; + } + else + { + printf(" %s", cdp->uri); + } + if (cdp->issuer) + { + printf(" (CRL issuer: %Y)", cdp->issuer); + } + printf("\n"); + } + enumerator->destroy(enumerator); + enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) { diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 5e6f0bd14..c7788ff62 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c 
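Review bot: In the PolicyMappings loop, `issuer_oid` and `subject_oid` come from `asn1_oid_to_string()` and go straight into `printf(" %s => %s\n", ...)`, yet the CertificatePolicies loop just above treats a NULL return from the same function as possible and falls back to `%#B`; passing NULL for `%s` is undefined behaviour, and a certificate carrying a malformed policyMappings OID would trigger it when printed. Mirror the fallback, e.g. `printf(" %s => %s\n", issuer_oid ? issuer_oid : "(invalid OID)", subject_oid ? subject_oid : "(invalid OID)");`, or print the raw chunks with `%#B` as the policy loop does. The enclosing `print_x509()` starts and ends outside the hunk.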
@@ -20,6 +20,26 @@
 #include <utils/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <asn1/asn1.h>
+
+/**
+ * Free cert policy with OID
+ */
+static void destroy_cert_policy(x509_cert_policy_t *policy)
+{
+ free(policy->oid.ptr);
+ free(policy);
+}
+
+/**
+ * Free policy mapping
+ */
+static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
+{
+ free(mapping->issuer.ptr);
+ free(mapping->subject.ptr);
+ free(mapping);
+}
 
 /**
  * Create a self signed certificate.
@@ -34,17 +54,23 @@ static int self()
 public_key_t *public = NULL;
 char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 identification_t *id = NULL;
- linked_list_t *san, *ocsp;
+ linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
 int lifetime = 1095;
- int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
+ int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
+ int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 chunk_t serial = chunk_empty;
 chunk_t encoding = chunk_empty;
 time_t not_before, not_after;
 x509_flag_t flags = 0;
+ x509_cert_policy_t *policy = NULL;
 char *arg;
 
 san = linked_list_create();
 ocsp = linked_list_create();
+ permitted = linked_list_create();
+ excluded = linked_list_create();
+ policies = linked_list_create();
+ mappings = linked_list_create();
 
 while (TRUE)
 {
@@ -104,6 +130,79 @@ static int self() case 'p': pathlen = atoi(arg); continue; + case 'n': + permitted->insert_last(permitted, + identification_create_from_string(arg)); + continue; + case 'N': + excluded->insert_last(excluded, + identification_create_from_string(arg)); + continue; + case 'P': + { + chunk_t oid; + + oid = asn1_oid_from_string(arg); + if (!oid.len) + { + error = "--cert-policy OID invalid"; + goto usage; + } + INIT(policy, + .oid = oid, + ); + policies->insert_last(policies, policy); + continue; + } + case 'C': + if (!policy) + { + error = "--cps-uri must follow a --cert-policy"; + goto usage; + } + policy->cps_uri = arg; + continue; + case 'U': + if (!policy) + { + error = "--user-notice must follow a --cert-policy"; + goto usage; + } + policy->unotice_text = arg; + continue; + case 'M': + { + char *pos = strchr(arg, ':'); + x509_policy_mapping_t *mapping; + chunk_t subject_oid, issuer_oid; + + if (pos) + { + *pos++ = '\0'; + issuer_oid = asn1_oid_from_string(arg); + subject_oid = asn1_oid_from_string(pos); + } + if (!pos || !issuer_oid.len || !subject_oid.len) + { + error = "--policy-map OIDs invalid"; + goto usage; + } + INIT(mapping, + .issuer = issuer_oid, + .subject = subject_oid, + ); + mappings->insert_last(mappings, mapping); + continue; + } + case 'E': + require_explicit = atoi(arg); + continue; + case 'H': + inhibit_mapping = atoi(arg); + continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -113,6 +212,10 @@ static int self() { flags |= X509_CLIENT_AUTH; } + else if (streq(arg, "crlSign")) + { + flags |= X509_CRL_SIGN; + } else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; @@ -121,7 +224,8 @@ static int self() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { - return command_usage("invalid output format"); + error = "invalid output format"; + goto usage; } continue; case 'o': 
@@ -206,7 +310,15 @@ static int self() BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san, - BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, + BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, + BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, mappings, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); if (!cert) { error = "generating certificate failed"; @@ -229,6 +341,10 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -242,6 +358,10 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); return command_usage(error); } 
@@ -257,23 +377,36 @@ static void __attribute__ ((constructor))reg() {"[--in file | --keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--nc-permitted name] [--nc-excluded name]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", + "[--policy-map issuer-oid:subject-oid]", + "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "private key input file, default: stdin"}, - {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of input key, default: rsa"}, - {"dn", 'd', 1, "subject and issuer distinguished name"}, - {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, - {"serial", 's', 1, "serial number in hex, default: random"}, - {"ca", 'b', 0, "include CA basicConstraint, default: no"}, - {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'e', 1, "include extendedKeyUsage flag"}, - {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated cert, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "keyid on smartcard of private key"}, + {"type", 't', 1, "type of input key, default: rsa"}, + {"dn", 'd', 1, "subject and issuer distinguished name"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, 
default: no"},
+ {"pathlen", 'p', 1, "set path length constraint"},
+ {"nc-permitted", 'n', 1, "add permitted NameConstraint"},
+ {"nc-excluded", 'N', 1, "add excluded NameConstraint"},
+ {"cert-policy", 'P', 1, "certificatePolicy OID to include"},
+ {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
+ {"user-notice", 'U', 1, "user notice for certificatePolicy"},
+ {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
+ {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
+ {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
+ {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
+ {"flag", 'e', 1, "include extendedKeyUsage flag"},
+ {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
+ {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"outform", 'f', 1, "encoding of generated cert, default: der"},
 }
 });
 }
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 24bf9123f..4b1c12e5c 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -98,6 +98,15 @@ static int read_serial(char *file, char *buf, int buflen)
 }
 
 /**
+ * Destroy a CDP
+ */
+static void cdp_destroy(x509_cdp_t *this)
+{
+ free(this->uri);
+ free(this);
+}
+
+/**
  * Sign a CRL
  */
 static int sign_crl()
@@ -110,16 +119,19 @@ static int sign_crl() x509_t *x509; hash_algorithm_t digest = HASH_SHA1; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; + char *basecrl = NULL; char serial[512], crl_serial[8], *keyid = NULL; int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); int lifetime = 15; - linked_list_t *list; + linked_list_t *list, *cdps; enumerator_t *enumerator, *lastenum = NULL; - chunk_t encoding = chunk_empty; + x509_cdp_t *cdp; + chunk_t encoding = chunk_empty, baseCrlNumber = chunk_empty; list = linked_list_create(); + cdps = linked_list_create(); memset(crl_serial, 0, sizeof(crl_serial)); @@ -190,6 +202,15 @@ static int sign_crl() reason = CRL_REASON_UNSPECIFIED; continue; } + case 'b': + basecrl = arg; + continue; + case 'u': + INIT(cdp, + .uri = strdup(arg), + ); + cdps->insert_last(cdps, cdp); + continue; case 'r': if (streq(arg, "key-compromise")) { @@ -262,9 +283,9 @@ static int sign_crl() goto error; } x509 = (x509_t*)ca; - if (!(x509->get_flags(x509) & X509_CA)) + if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { - error = "CA certificate misses CA basicConstraint"; + error = "CA certificate misses CA basicConstraint / CRLSign keyUsage"; goto error; } public = ca->get_public_key(ca); @@ -302,6 +323,22 @@ static int sign_crl() thisUpdate = time(NULL); nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; + if (basecrl) + { + lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, basecrl, BUILD_END); + if (!lastcrl) + { + error = "loading base CRL failed"; + goto error; + } + memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, + min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + baseCrlNumber = chunk_clone(lastcrl->get_serial(lastcrl)); + DESTROY_IF((certificate_t*)lastcrl); + lastcrl = NULL; + } + if (lastupdate) { lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, 
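Review bot: The `--basecrl` block copies the loaded CRL's number into `crl_serial` and `baseCrlNumber` without checking that the base CRL was issued by `ca`; a delta CRL that references a base from another issuer is useless to relying parties, and because that number also seeds this CRL's own number, an unrelated CRL passed by mistake alters the numbering of the issuer's series. Unless the CRL builder verifies this itself (not visible here), verify the base CRL against `ca` before using its number — the certificate_t `issued_by` check, if the lastcrl path already uses it, is the natural tool — and fail with `error = "base CRL not issued by CA certificate"; goto error;`. As a style point, `lastcrl->get_serial(lastcrl)` is evaluated three times in that block; a single `chunk_t number = lastcrl->get_serial(lastcrl);` used for the `memcpy` bound, its source and the `chunk_clone` reads better, and the same copy-into-`crl_serial` pattern in the `--lastcrl` path (next hunk) could share it. `sign_crl()` starts and ends outside the hunk.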
@@ -315,6 +352,10 @@ static int sign_crl() min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); lastenum = lastcrl->create_enumerator(lastcrl); } + else + { + lastenum = enumerator_create_empty(); + } chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); @@ -324,11 +365,12 @@ static int sign_crl() BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, - BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, - lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_REVOKED_ENUMERATOR, enumerator, + BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, + BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber, BUILD_END); enumerator->destroy(enumerator); - DESTROY_IF(lastenum); + lastenum->destroy(lastenum); DESTROY_IF((certificate_t*)lastcrl); if (!crl) @@ -353,7 +395,9 @@ error: DESTROY_IF(ca); DESTROY_IF(crl); free(encoding.ptr); + free(baseCrlNumber.ptr); list->destroy_function(list, (void*)revoked_destroy); + cdps->destroy_function(cdps, (void*)cdp_destroy); if (error) { fprintf(stderr, "%s\n", error); @@ -363,6 +407,7 @@ error: usage: list->destroy_function(list, (void*)revoked_destroy); + cdps->destroy_function(cdps, (void*)cdp_destroy); return command_usage(error); } 
@@ -375,24 +420,27 @@ static void __attribute__ ((constructor))reg() sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", {"--cacert file --cakey file | --cakeyid hex --lifetime days", + "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+", "[ [--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp]", " --cert file | --serial hex ]*", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"cacert", 'c', 1, "CA certificate file"}, - {"cakey", 'k', 1, "CA private key file"}, - {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, - {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, - {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, - {"cert", 'z', 1, "certificate file to revoke"}, - {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, - {"reason", 'r', 1, "reason for certificate revocation"}, - {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated crl, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"lifetime", 'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"basecrl", 'b', 1, "base CRL to create a delta CRL for"}, + {"crluri", 'u', 1, "freshest delta CRL URI to include"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, 
default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, } }); } |