From 52be08c299ffd42ee06f29200ea9b752b44f9ea8 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Mon, 9 Sep 2013 12:37:54 +0200
Subject: [PATCH] Added support for writing Key Usage and NS Cert Type extensions
---
 include/polarssl/x509write.h | 23 +++++++++++++++++++
 library/x509write.c | 41 ++++++++++++++++++++++++++++++++++
 programs/x509/cert_write.c | 43 ++++++++++++++++++++++++++++++------
 3 files changed, 100 insertions(+), 7 deletions(-)
diff --git a/include/polarssl/x509write.h b/include/polarssl/x509write.h
index ece231965..075b8adad 100644
--- a/include/polarssl/x509write.h
+++ b/include/polarssl/x509write.h
@@ -334,6 +334,29 @@ int x509write_crt_set_subject_key_identifier( x509write_cert *ctx );
 */
 int x509write_crt_set_authority_key_identifier( x509write_cert *ctx );
 
+/**
+ * \brief Set the Key Usage Extension flags
+ * (e.g. KU_DIGITAL_SIGNATURE | KU_KEY_CERT_SIGN)
+ *
+ * \param ctx CRT context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return 0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
+ */
+int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage );
+
+/**
+ * \brief Set the Netscape Cert Type flags
+ * (e.g. NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx CRT context to use
+ * \param ns_cert_type Netscape Cert Type flags to set
+ *
+ * \return 0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
+ */
+int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
+ unsigned char ns_cert_type );
+
 /**
 * \brief Free the contents of a CRT write context
 *
diff --git a/library/x509write.c b/library/x509write.c
index 818a83a0a..c57e56a0b 100644
--- a/library/x509write.c
+++ b/library/x509write.c
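Review bot: The `\return` lines on both new prototypes list only POLARSSL_ERR_X509WRITE_MALLOC_FAILED, but the implementations in the library hunk return whatever asn1_write_bitstring and x509write_crt_set_extension return, so a caller can also receive an ASN.1 write error; I would write `\return 0 if successful, POLARSSL_ERR_X509WRITE_MALLOC_FAILED, or an ASN.1 write error code` on both. The header should also state what a caller cannot guess from `unsigned char key_usage`: the library encodes it as a 7-bit string, so the low-order bit (encipherOnly in RFC 5280) is silently discarded and decipherOnly cannot be expressed at all, which deserves a `\note` next to `\param key_usage`. It is also worth documenting that Key Usage is written as a critical extension while Netscape Cert Type is not, since criticality changes how relying parties must treat a certificate carrying it.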
@@ -389,6 +389,47 @@ int x509write_crt_set_authority_key_identifier( x509write_cert *ctx )
 0, buf + sizeof(buf) - len, len );
 }
 
+int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
+{
+ unsigned char buf[4];
+ unsigned char *c;
+ int ret;
+
+ c = buf + 4;
+
+ if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+ return( ret );
+
+ ret = x509write_crt_set_extension( ctx, OID_KEY_USAGE,
+ OID_SIZE( OID_KEY_USAGE ),
+ 1, buf, 4 );
+ if( ret != 0 )
+ return( ret );
+
+ return( 0 );
+}
+
+int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
+ unsigned char ns_cert_type )
+{
+ unsigned char buf[4];
+ unsigned char *c;
+ int ret;
+
+ c = buf + 4;
+
+ if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
+ return( ret );
+
+ ret = x509write_crt_set_extension( ctx, OID_NS_CERT_TYPE,
+ OID_SIZE( OID_NS_CERT_TYPE ),
+ 0, buf, 4 );
+ if( ret != 0 )
+ return( ret );
+
+ return( 0 );
+}
+
 int x509write_pubkey_der( rsa_context *rsa, unsigned char *buf, size_t size )
 {
 int ret;
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 7a811d49f..dc9f00a99 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -317,13 +317,6 @@ int main( int argc, char *argv[] )
 goto exit;
 }
 
-/*
- if( opt.key_usage )
- x509write_csr_set_key_usage( &req, opt.key_usage );
-
- if( opt.ns_cert_type )
- x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );
-*/
 /*
 * 1.0. Check the names for validity
 */
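Review bot: Both new functions hand asn1_write_bitstring a fixed bit count (7 for key usage, 8 for the Netscape type), so the unused-bits octet of the BIT STRING never depends on which flags are actually set; X.690 11.2.2 requires a DER encoder to drop the trailing zero bits of a named bit list, so a KeyUsage holding only KU_KEY_CERT_SIGN must be encoded with more unused bits than one that also has KU_CRL_SIGN, and a strict-DER consumer or a re-encode-and-compare check can reject or mismatch what is written here (this assumes asn1_write_bitstring derives the unused-bits octet from its bits argument, which is not visible in the hunk). A second gap in x509write_crt_set_key_usage is that bit 0x01 of key_usage, encipherOnly in RFC 5280, is silently not encoded rather than rejected, so a caller who sets it gets a certificate that differs from what was requested without any error. Once the bit count varies the `!= 4` test and the `buf, 4` argument are no longer right either: the encoder writes backwards from `c`, so the extension value starts at `c` and is `ret` bytes long, and only a negative `ret` is an error. The rewrite below covers key usage; the same trimming applies to x509write_crt_set_ns_cert_type with the non-critical flag, and the bad-input return assumes the module's existing bad-input error code, which this hunk does not show.

```c
int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
{
    unsigned char buf[4];
    unsigned char *c;
    int ret;
    size_t bits = 7;

    /* Bit 0x01 (RFC 5280 encipherOnly) is not representable with a 7-bit
     * encoding; fail loudly instead of silently dropping it. */
    if( key_usage & 0x01 )
        return( POLARSSL_ERR_X509WRITE_BAD_INPUT_DATA );

    /* DER (X.690 11.2.2): trailing zero bits of a named bit list are not
     * encoded, so the bit count follows the lowest flag that is set. */
    while( bits > 0 && ( key_usage & ( 0x80 >> ( bits - 1 ) ) ) == 0 )
        bits--;

    c = buf + sizeof( buf );
    if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, bits ) ) < 0 )
        return( ret );

    /* The encoder writes backwards: the value starts at c and is ret bytes. */
    return( x509write_crt_set_extension( ctx, OID_KEY_USAGE,
                                         OID_SIZE( OID_KEY_USAGE ),
                                         1, c, (size_t) ret ) );
}
/* … unchanged apart from the same trimming: x509write_crt_set_ns_cert_type … */
```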
@@ -455,6 +448,42 @@ int main( int argc, char *argv[] )
 printf( " ok\n" );
 
+ if( opt.key_usage )
+ {
+ printf( " . Adding the Key Usage extension ..." );
+ fflush( stdout );
+
+ ret = x509write_crt_set_key_usage( &crt, opt.key_usage );
+ if( ret != 0 )
+ {
+#ifdef POLARSSL_ERROR_C
+ error_strerror( ret, buf, 1024 );
+#endif
+ printf( " failed\n ! x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+ }
+
+ if( opt.ns_cert_type )
+ {
+ printf( " . Adding the NS Cert Type extension ..." );
+ fflush( stdout );
+
+ ret = x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
+ if( ret != 0 )
+ {
+#ifdef POLARSSL_ERROR_C
+ error_strerror( ret, buf, 1024 );
+#endif
+ printf( " failed\n ! x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+ }
+
 /*
 * 1.2. Writing the request
 */
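Review bot: In both new failure paths `buf` is handed to `%s` but is only written by error_strerror inside `#ifdef POLARSSL_ERROR_C`, so a build without that option prints whatever `buf` currently holds unless main, which starts and ends outside this hunk, cleared it earlier; this may mirror an existing pattern in the file, but new code should not extend it. The simplest fix that keeps the message format is to reset the string before the conditional, `buf[0] = '\0';` placed just above each `#ifdef POLARSSL_ERROR_C`, or to print the `%s` part only inside the `#ifdef` block. Both blocks are otherwise identical apart from the function name, so a small static helper taking the step label and the setter's return value would remove the duplication and make this fix a one-place change.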