[SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-380-g96b97d9
From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_9_10-380-g96b97d9
Date: Wed, 29 Sep 2010 07:42:47 +0000
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=96b97d92e4f6075a42c2d35dd4413b085b58a462
The branch, master has been updated
via 96b97d92e4f6075a42c2d35dd4413b085b58a462 (commit)
via 80ae413ac745472798651d44b72cbfc52d04f21d (commit)
from e92f0b0e772e6aef156ae96629a7d9346f2d9044 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 96b97d92e4f6075a42c2d35dd4413b085b58a462
Author: Micah Anderson <address@hidden>
Date: Wed Sep 29 00:14:56 2010 -0400
Add new extended key usage ipsecIKE
According to RFC 4945 § 5.1.3.12 section title "ExtendedKeyUsage"[0] the
following extended key usage has been added:
... this document defines an ExtendedKeyUsage keyPurposeID that MAY be
used to limit a certificate's use:
id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }
where id-kp is defined in RFC 3280 [5]. If a certificate is intended
to be used with both IKE and other applications, and one of the other
applications requires use of an EKU value, then such certificates
MUST contain either the keyPurposeID id-kp-ipsecIKE or
anyExtendedKeyUsage [5], as well as the keyPurposeID values
associated with the other applications. Similarly, if a CA issues
multiple otherwise-similar certificates for multiple applications
including IKE, and it is intended that the IKE certificate NOT be
used with another application, the IKE certificate MAY contain an EKU
extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
use with the other application. Recall, however, that EKU extensions
in certificates meant for use in IKE are NOT RECOMMENDED.
Conforming IKE implementations are not required to support EKU. If a
critical EKU extension appears in a certificate and EKU is not
supported by the implementation, then RFC 3280 requires that the
certificate be rejected. Implementations that do support EKU MUST
support the following logic for certificate validation:
o If no EKU extension, continue.
o If EKU present AND contains either id-kp-ipsecIKE or
anyExtendedKeyUsage, continue.
o Otherwise, reject cert.
Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>
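The three-step EKU rule quoted from RFC 4945 above, applied to a raw extKeyUsage extension value, as an added example that is not part of this commit or of gnutls: the DER decoding is hand-rolled here rather than taken from libgnutls, the OID strings are the ones x509.h spells out (including the GNUTLS_KP_IPSEC_IKE value this commit adds), and the sample EKU byte strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Key-purpose OIDs spelled as gnutls spells them in x509.h. */
#define KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17"   /* id-kp 17, added by this commit */
#define KP_ANY       "2.5.29.37.0"          /* anyExtendedKeyUsage */
enum { IKE_BAD_DER = -1, IKE_REJECT = 0, IKE_ACCEPT = 1 };

/* Decode the content octets of a DER OBJECT IDENTIFIER into dotted form.
 * Returns 0 on success, -1 on malformed input or if `out` is too small. */
int oid_to_string(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    unsigned long arc = 0;
    int first = 1, n;
    if (len == 0 || (p[len - 1] & 0x80))   /* empty, or last arc unterminated */
        return -1;
    while (pos < len) {
        unsigned char b = p[pos++];
        if (arc > (~0UL >> 7))             /* arc would overflow unsigned long */
            return -1;
        arc = (arc << 7) | (b & 0x7f);
        if (b & 0x80)                      /* continuation byte: keep accumulating */
            continue;
        if (first) {                       /* first sub-identifier packs 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outlen - used, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

/* The RFC 4945 5.1.3.12 rule for an IKE peer certificate. `eku` is the DER
 * value of extKeyUsage (SEQUENCE OF OBJECT IDENTIFIER, short-form lengths),
 * or NULL when the certificate carries no EKU extension at all. */
int ike_eku_verdict(const unsigned char *eku, size_t len)
{
    size_t pos = 2, olen;
    char oid[64];
    if (eku == NULL)                       /* o If no EKU extension, continue. */
        return IKE_ACCEPT;
    if (len < 2 || eku[0] != 0x30 || eku[1] >= 0x80 || (size_t)eku[1] != len - 2)
        return IKE_BAD_DER;
    while (pos < len) {
        if (pos + 2 > len || eku[pos] != 0x06 || eku[pos + 1] >= 0x80)
            return IKE_BAD_DER;
        olen = eku[pos + 1];
        if (pos + 2 + olen > len || oid_to_string(eku + pos + 2, olen, oid, sizeof oid))
            return IKE_BAD_DER;
        /* o If EKU present AND contains id-kp-ipsecIKE or anyExtendedKeyUsage, continue. */
        if (strcmp(oid, KP_IPSEC_IKE) == 0 || strcmp(oid, KP_ANY) == 0)
            return IKE_ACCEPT;
        pos += 2 + olen;
    }
    return IKE_REJECT;                     /* o Otherwise, reject cert. */
}

/* Constructed sample extKeyUsage values; not taken from any real certificate. */
static const unsigned char eku_ike[] =     /* { id-kp-ipsecIKE } */
    {0x30,0x0a, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x11};
static const unsigned char eku_server[] =  /* { id-kp-serverAuth } */
    {0x30,0x0a, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const unsigned char eku_any[] =     /* { id-kp-serverAuth, anyExtendedKeyUsage } */
    {0x30,0x10, 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01, 0x06,0x04,0x55,0x1d,0x25,0x00};

int main(void)
{
    printf("no EKU         -> %d\n", ike_eku_verdict(NULL, 0));
    printf("ipsecIKE       -> %d\n", ike_eku_verdict(eku_ike, sizeof eku_ike));
    printf("serverAuth     -> %d\n", ike_eku_verdict(eku_server, sizeof eku_server));
    printf("serverAuth+any -> %d\n", ike_eku_verdict(eku_any, sizeof eku_any));
    return 0;
}
```

A malformed extension value (bad tag, length mismatch, unterminated arc) is reported as IKE_BAD_DER rather than silently accepted, which is the failure mode a validator must not get wrong.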
commit 80ae413ac745472798651d44b72cbfc52d04f21d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Mon Sep 27 17:05:29 2010 +0200
--pkcs11-* in certtool was renamed to --p11-*.
-----------------------------------------------------------------------
Summary of changes:
NEWS | 9 ++
doc/certtool.cfg | 3 +
doc/cha-programs.texi | 3 +
lib/includes/gnutls/x509.h | 1 +
lib/x509/output.c | 2 +
src/certtool-cfg.c | 18 +++++
src/certtool-cfg.h | 2 +-
src/certtool-gaa.c | 180 ++++++++++++++++++++++----------------------
src/certtool.c | 21 +++++
src/certtool.gaa | 28 ++++----
10 files changed, 162 insertions(+), 105 deletions(-)
diff --git a/NEWS b/NEWS
index e6fa574..618dec7 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,15 @@ See the end for copying conditions.
* Version 2.11.2 (unreleased)
+** libgnutls: Add new extended key usage ipsecIKE.
+
+** certtool: Renamed PKCS #11 options to: --p11-provider,
+--p11-export-url, --p11-list-certs, --p11-list-certs,
+--p11-list-privkeys, --p11-list-trusted, --p11-list-all-certs,
+--p11-list-all, --p11-list-tokens, --p11-login, --p11-write,
+--p11-write-label, --p11-write-trusted, --p11-detailed-url,
+--p11-delete-url
+
** libgnutls: Corrected bug that caused importing DSA keys as RSA,
introduced with the new nettle code.
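Review bot: the option list in the new NEWS entry names --p11-list-certs twice (the line `+--p11-export-url, --p11-list-certs, --p11-list-certs,`); certtool.gaa defines that option once, so drop the duplicate so the entry lists exactly the fourteen renamed options.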
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 7259760..db6ba70 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -88,6 +88,9 @@ signing_key
# Whether this key will be used for time stamping.
#time_stamping_key
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
+
#a space separated list of key purpose OIDs to be added
#key_purpose_oids = "1.3.6.1.5.5.7.3.1" "1.2.3.4.5.6"
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
index c1b940c..1a892ac 100644
--- a/doc/cha-programs.texi
+++ b/doc/cha-programs.texi
@@ -332,6 +332,9 @@ signing_key
# Whether this key will be used for time stamping.
#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
@end example
@node Invoking gnutls-cli
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 6a313df..0aaa04d 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -78,6 +78,7 @@ extern "C"
#define GNUTLS_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
#define GNUTLS_KP_TIME_STAMPING "1.3.6.1.5.5.7.3.8"
#define GNUTLS_KP_OCSP_SIGNING "1.3.6.1.5.5.7.3.9"
+#define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17"
#define GNUTLS_KP_ANY "2.5.29.37.0"
#define GNUTLS_FSAN_SET 0
diff --git a/lib/x509/output.c b/lib/x509/output.c
index a9cd804..56154cb 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -469,6 +469,8 @@ print_key_purpose (gnutls_buffer_st * str, const char
*prefix, int type,
addf (str, _("%s\t\t\tTime stamping.\n"), prefix);
else if (strcmp (buffer, GNUTLS_KP_OCSP_SIGNING) == 0)
addf (str, _("%s\t\t\tOCSP signing.\n"), prefix);
+ else if (strcmp (buffer, GNUTLS_KP_IPSEC_IKE) == 0)
+ addf (str, _("%s\t\t\tIpsec IKE.\n"), prefix);
else if (strcmp (buffer, GNUTLS_KP_ANY) == 0)
addf (str, _("%s\t\t\tAny purpose.\n"), prefix);
else
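Review bot: the new display string `Ipsec IKE.` spells the protocol differently from the template comment and interactive prompt added elsewhere in this commit (`IPsec IKE`); use `IPsec IKE.` so the `certtool -i` output, the docs and the translatable strings all agree on one spelling.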
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 41bcc17..f9ed00d 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -76,6 +76,7 @@ typedef struct _cfg_ctx
int code_sign_key;
int ocsp_sign_key;
int time_stamping_key;
+ int ipsec_ike_key;
char **key_purpose_oids;
int crl_next_update;
int crl_number;
@@ -166,6 +167,8 @@ template_parse (const char *template)
(void *) &cfg.ocsp_sign_key, 0},
{NULL, '\0', "time_stamping_key", CFG_BOOL,
(void *) &cfg.time_stamping_key, 0},
+ {NULL, '\0', "ipsec_ike_key", CFG_BOOL,
+ (void *) &cfg.ipsec_ike_key, 0},
{NULL, '\0', "proxy_policy_language", CFG_STR,
(void *) &cfg.proxy_policy_language, 0},
CFG_END_OF_LIST
@@ -1139,6 +1142,21 @@ get_time_stamp_status (void)
}
int
+get_ipsec_ike_status (void)
+{
+ if (batch)
+ {
+ return cfg.ipsec_ike_key;
+ }
+ else
+ {
+ return
+ read_yesno
+ ("Will the certificate be used for IPsec IKE operations? (y/N): ");
+ }
+}
+
+int
get_crl_next_update (void)
{
int days;
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index e44183b..44be8e9 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -46,7 +46,7 @@ int get_sign_status (int server);
void get_ip_addr_set (int type, void *crt);
void get_dns_name_set (int type, void *crt);
void get_email_set (int type, void *crt);
-
+int get_ipsec_ike_status(void);
void get_cn_crq_set (gnutls_x509_crq_t crq);
void get_uid_crq_set (gnutls_x509_crq_t crq);
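Review bot: the new prototype `int get_ipsec_ike_status(void);` overwrites the blank line that separated the get_*_set group from the crq helpers and omits the space before the parenthesis that every other declaration in this header uses (`int get_sign_status (int server);` at the top of the hunk); write it as `int get_ipsec_ike_status (void);`, keep the blank separator, and place it beside the other status getters rather than between the set and crq groups.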
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index 278dd72..ec3dfc0 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -180,20 +180,20 @@ void gaa_help(void)
__gaa_helpsingle(0, "infile", "FILE ", "Input file.");
__gaa_helpsingle(0, "template", "FILE ", "Template file to use for non
interactive operation.");
__gaa_helpsingle(0, "pkcs-cipher", "CIPHER ", "Cipher to use for pkcs
operations (3des,3des-pkcs12,aes-128,aes-192,aes-256,rc2-40,arcfour).");
- __gaa_helpsingle(0, "pkcs11-provider", "Library ", "Specify the pkcs11
provider library");
- __gaa_helpsingle(0, "pkcs11-export-url", "URL ", "Export data specified
a pkcs11 URL");
- __gaa_helpsingle(0, "pkcs11-list-certs", "", "List certificates that
have a private key specified by a PKCS#11 URL");
- __gaa_helpsingle(0, "pkcs11-list-privkeys", "", "List private keys
specified by a PKCS#11 URL");
- __gaa_helpsingle(0, "pkcs11-list-trusted", "", "List certificates
marked as trusted, specified by a PKCS#11 URL");
- __gaa_helpsingle(0, "pkcs11-list-all-certs", "", "List all certificates
specified by a PKCS#11 URL");
- __gaa_helpsingle(0, "pkcs11-list-all", "", "List all objects specified
by a PKCS#11 URL");
- __gaa_helpsingle(0, "pkcs11-list-tokens", "", "List all available
tokens");
- __gaa_helpsingle(0, "pkcs11-login", "", "Force login to token");
- __gaa_helpsingle(0, "pkcs11-write", "URL ", "Writes loaded certificates
or private keys to a PKCS11 token.");
- __gaa_helpsingle(0, "pkcs11-write-label", "label ", "Sets a label for
the write operation.");
- __gaa_helpsingle(0, "pkcs11-write-trusted", "", "Marks the certificate
to be imported as trusted.");
- __gaa_helpsingle(0, "pkcs11-detailed-url", "", "Export detailed URLs.");
- __gaa_helpsingle(0, "pkcs11-delete-url", "URL ", "Deletes objects
matching the URL.");
+ __gaa_helpsingle(0, "p11-provider", "Library ", "Specify the pkcs11
provider library");
+ __gaa_helpsingle(0, "p11-export-url", "URL ", "Export data specified a
pkcs11 URL");
+ __gaa_helpsingle(0, "p11-list-certs", "", "List certificates that have
a private key specified by a PKCS#11 URL");
+ __gaa_helpsingle(0, "p11-list-privkeys", "", "List private keys
specified by a PKCS#11 URL");
+ __gaa_helpsingle(0, "p11-list-trusted", "", "List certificates marked
as trusted, specified by a PKCS#11 URL");
+ __gaa_helpsingle(0, "p11-list-all-certs", "", "List all certificates
specified by a PKCS#11 URL");
+ __gaa_helpsingle(0, "p11-list-all", "", "List all objects specified by
a PKCS#11 URL");
+ __gaa_helpsingle(0, "p11-list-tokens", "", "List all available tokens");
+ __gaa_helpsingle(0, "p11-login", "", "Force login to token");
+ __gaa_helpsingle(0, "p11-write", "URL ", "Writes loaded certificates or
private keys to a PKCS11 token.");
+ __gaa_helpsingle(0, "p11-write-label", "label ", "Sets a label for the
write operation.");
+ __gaa_helpsingle(0, "p11-write-trusted", "", "Marks the certificate to
be imported as trusted.");
+ __gaa_helpsingle(0, "p11-detailed-url", "", "Export detailed URLs.");
+ __gaa_helpsingle(0, "p11-delete-url", "URL ", "Deletes objects matching
the URL.");
__gaa_helpsingle('d', "debug", "LEVEL ", "specify the debug level.
Default is 1.");
__gaa_helpsingle('h', "help", "", "shows this help text");
__gaa_helpsingle('v', "version", "", "shows the program's version");
@@ -335,20 +335,20 @@ static int gaa_error = 0;
#define GAAOPTID_version 1
#define GAAOPTID_help 2
#define GAAOPTID_debug 3
-#define GAAOPTID_pkcs11_delete_url 4
-#define GAAOPTID_pkcs11_detailed_url 5
-#define GAAOPTID_pkcs11_write_trusted 6
-#define GAAOPTID_pkcs11_write_label 7
-#define GAAOPTID_pkcs11_write 8
-#define GAAOPTID_pkcs11_login 9
-#define GAAOPTID_pkcs11_list_tokens 10
-#define GAAOPTID_pkcs11_list_all 11
-#define GAAOPTID_pkcs11_list_all_certs 12
-#define GAAOPTID_pkcs11_list_trusted 13
-#define GAAOPTID_pkcs11_list_privkeys 14
-#define GAAOPTID_pkcs11_list_certs 15
-#define GAAOPTID_pkcs11_export_url 16
-#define GAAOPTID_pkcs11_provider 17
+#define GAAOPTID_p11_delete_url 4
+#define GAAOPTID_p11_detailed_url 5
+#define GAAOPTID_p11_write_trusted 6
+#define GAAOPTID_p11_write_label 7
+#define GAAOPTID_p11_write 8
+#define GAAOPTID_p11_login 9
+#define GAAOPTID_p11_list_tokens 10
+#define GAAOPTID_p11_list_all 11
+#define GAAOPTID_p11_list_all_certs 12
+#define GAAOPTID_p11_list_trusted 13
+#define GAAOPTID_p11_list_privkeys 14
+#define GAAOPTID_p11_list_certs 15
+#define GAAOPTID_p11_export_url 16
+#define GAAOPTID_p11_provider 17
#define GAAOPTID_pkcs_cipher 18
#define GAAOPTID_template 19
#define GAAOPTID_infile 20
@@ -591,31 +591,31 @@ struct GAAOPTION_debug
int size1;
};
-struct GAAOPTION_pkcs11_delete_url
+struct GAAOPTION_p11_delete_url
{
char* arg1;
int size1;
};
-struct GAAOPTION_pkcs11_write_label
+struct GAAOPTION_p11_write_label
{
char* arg1;
int size1;
};
-struct GAAOPTION_pkcs11_write
+struct GAAOPTION_p11_write
{
char* arg1;
int size1;
};
-struct GAAOPTION_pkcs11_export_url
+struct GAAOPTION_p11_export_url
{
char* arg1;
int size1;
};
-struct GAAOPTION_pkcs11_provider
+struct GAAOPTION_p11_provider
{
char* arg1;
int size1;
@@ -735,11 +735,11 @@ static int gaa_get_option_num(char *str, int status)
{
case GAA_LETTER_OPTION:
GAA_CHECK1STR("d", GAAOPTID_debug);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_delete_url);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_write_label);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_write);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_export_url);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_provider);
+ GAA_CHECK1STR("", GAAOPTID_p11_delete_url);
+ GAA_CHECK1STR("", GAAOPTID_p11_write_label);
+ GAA_CHECK1STR("", GAAOPTID_p11_write);
+ GAA_CHECK1STR("", GAAOPTID_p11_export_url);
+ GAA_CHECK1STR("", GAAOPTID_p11_provider);
GAA_CHECK1STR("", GAAOPTID_pkcs_cipher);
GAA_CHECK1STR("", GAAOPTID_template);
GAA_CHECK1STR("", GAAOPTID_infile);
@@ -758,15 +758,15 @@ static int gaa_get_option_num(char *str, int status)
#line 375 "gaa.skel"
GAA_CHECK1STR("v", GAAOPTID_version);
GAA_CHECK1STR("h", GAAOPTID_help);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_detailed_url);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_write_trusted);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_login);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_list_tokens);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_list_all);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_list_all_certs);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_list_trusted);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_list_privkeys);
- GAA_CHECK1STR("", GAAOPTID_pkcs11_list_certs);
+ GAA_CHECK1STR("", GAAOPTID_p11_detailed_url);
+ GAA_CHECK1STR("", GAAOPTID_p11_write_trusted);
+ GAA_CHECK1STR("", GAAOPTID_p11_login);
+ GAA_CHECK1STR("", GAAOPTID_p11_list_tokens);
+ GAA_CHECK1STR("", GAAOPTID_p11_list_all);
+ GAA_CHECK1STR("", GAAOPTID_p11_list_all_certs);
+ GAA_CHECK1STR("", GAAOPTID_p11_list_trusted);
+ GAA_CHECK1STR("", GAAOPTID_p11_list_privkeys);
+ GAA_CHECK1STR("", GAAOPTID_p11_list_certs);
GAA_CHECK1STR("", GAAOPTID_disable_quick_random);
GAA_CHECK1STR("", GAAOPTID_outraw);
GAA_CHECK1STR("", GAAOPTID_outder);
@@ -810,20 +810,20 @@ static int gaa_get_option_num(char *str, int status)
GAA_CHECKSTR("version", GAAOPTID_version);
GAA_CHECKSTR("help", GAAOPTID_help);
GAA_CHECKSTR("debug", GAAOPTID_debug);
- GAA_CHECKSTR("pkcs11-delete-url",
GAAOPTID_pkcs11_delete_url);
- GAA_CHECKSTR("pkcs11-detailed-url",
GAAOPTID_pkcs11_detailed_url);
- GAA_CHECKSTR("pkcs11-write-trusted",
GAAOPTID_pkcs11_write_trusted);
- GAA_CHECKSTR("pkcs11-write-label",
GAAOPTID_pkcs11_write_label);
- GAA_CHECKSTR("pkcs11-write", GAAOPTID_pkcs11_write);
- GAA_CHECKSTR("pkcs11-login", GAAOPTID_pkcs11_login);
- GAA_CHECKSTR("pkcs11-list-tokens",
GAAOPTID_pkcs11_list_tokens);
- GAA_CHECKSTR("pkcs11-list-all",
GAAOPTID_pkcs11_list_all);
- GAA_CHECKSTR("pkcs11-list-all-certs",
GAAOPTID_pkcs11_list_all_certs);
- GAA_CHECKSTR("pkcs11-list-trusted",
GAAOPTID_pkcs11_list_trusted);
- GAA_CHECKSTR("pkcs11-list-privkeys",
GAAOPTID_pkcs11_list_privkeys);
- GAA_CHECKSTR("pkcs11-list-certs",
GAAOPTID_pkcs11_list_certs);
- GAA_CHECKSTR("pkcs11-export-url",
GAAOPTID_pkcs11_export_url);
- GAA_CHECKSTR("pkcs11-provider",
GAAOPTID_pkcs11_provider);
+ GAA_CHECKSTR("p11-delete-url", GAAOPTID_p11_delete_url);
+ GAA_CHECKSTR("p11-detailed-url",
GAAOPTID_p11_detailed_url);
+ GAA_CHECKSTR("p11-write-trusted",
GAAOPTID_p11_write_trusted);
+ GAA_CHECKSTR("p11-write-label",
GAAOPTID_p11_write_label);
+ GAA_CHECKSTR("p11-write", GAAOPTID_p11_write);
+ GAA_CHECKSTR("p11-login", GAAOPTID_p11_login);
+ GAA_CHECKSTR("p11-list-tokens",
GAAOPTID_p11_list_tokens);
+ GAA_CHECKSTR("p11-list-all", GAAOPTID_p11_list_all);
+ GAA_CHECKSTR("p11-list-all-certs",
GAAOPTID_p11_list_all_certs);
+ GAA_CHECKSTR("p11-list-trusted",
GAAOPTID_p11_list_trusted);
+ GAA_CHECKSTR("p11-list-privkeys",
GAAOPTID_p11_list_privkeys);
+ GAA_CHECKSTR("p11-list-certs", GAAOPTID_p11_list_certs);
+ GAA_CHECKSTR("p11-export-url", GAAOPTID_p11_export_url);
+ GAA_CHECKSTR("p11-provider", GAAOPTID_p11_provider);
GAA_CHECKSTR("pkcs-cipher", GAAOPTID_pkcs_cipher);
GAA_CHECKSTR("template", GAAOPTID_template);
GAA_CHECKSTR("infile", GAAOPTID_infile);
@@ -887,11 +887,11 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
int OK = 0;
int gaa_last_non_option;
struct GAAOPTION_debug GAATMP_debug;
- struct GAAOPTION_pkcs11_delete_url GAATMP_pkcs11_delete_url;
- struct GAAOPTION_pkcs11_write_label GAATMP_pkcs11_write_label;
- struct GAAOPTION_pkcs11_write GAATMP_pkcs11_write;
- struct GAAOPTION_pkcs11_export_url GAATMP_pkcs11_export_url;
- struct GAAOPTION_pkcs11_provider GAATMP_pkcs11_provider;
+ struct GAAOPTION_p11_delete_url GAATMP_p11_delete_url;
+ struct GAAOPTION_p11_write_label GAATMP_p11_write_label;
+ struct GAAOPTION_p11_write GAATMP_p11_write;
+ struct GAAOPTION_p11_export_url GAATMP_p11_export_url;
+ struct GAAOPTION_p11_provider GAATMP_p11_provider;
struct GAAOPTION_pkcs_cipher GAATMP_pkcs_cipher;
struct GAAOPTION_template GAATMP_template;
struct GAAOPTION_infile GAATMP_infile;
@@ -950,116 +950,116 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo
*gaaval, char *opt_list)
return GAA_OK;
break;
- case GAAOPTID_pkcs11_delete_url:
+ case GAAOPTID_p11_delete_url:
OK = 0;
GAA_TESTMOREARGS;
- GAA_FILL(GAATMP_pkcs11_delete_url.arg1, gaa_getstr,
GAATMP_pkcs11_delete_url.size1);
+ GAA_FILL(GAATMP_p11_delete_url.arg1, gaa_getstr,
GAATMP_p11_delete_url.size1);
gaa_index++;
#line 167 "certtool.gaa"
-{ gaaval->action = ACTION_PKCS11_DELETE_URL; gaaval->pkcs11_url =
GAATMP_pkcs11_delete_url.arg1; ;};
+{ gaaval->action = ACTION_PKCS11_DELETE_URL; gaaval->pkcs11_url =
GAATMP_p11_delete_url.arg1; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_detailed_url:
+ case GAAOPTID_p11_detailed_url:
OK = 0;
#line 165 "certtool.gaa"
{ gaaval->pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_write_trusted:
+ case GAAOPTID_p11_write_trusted:
OK = 0;
#line 162 "certtool.gaa"
{ gaaval->pkcs11_trusted = 1; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_write_label:
+ case GAAOPTID_p11_write_label:
OK = 0;
GAA_TESTMOREARGS;
- GAA_FILL(GAATMP_pkcs11_write_label.arg1, gaa_getstr,
GAATMP_pkcs11_write_label.size1);
+ GAA_FILL(GAATMP_p11_write_label.arg1, gaa_getstr,
GAATMP_p11_write_label.size1);
gaa_index++;
#line 160 "certtool.gaa"
-{ gaaval->pkcs11_label = GAATMP_pkcs11_write_label.arg1; ;};
+{ gaaval->pkcs11_label = GAATMP_p11_write_label.arg1; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_write:
+ case GAAOPTID_p11_write:
OK = 0;
GAA_TESTMOREARGS;
- GAA_FILL(GAATMP_pkcs11_write.arg1, gaa_getstr,
GAATMP_pkcs11_write.size1);
+ GAA_FILL(GAATMP_p11_write.arg1, gaa_getstr,
GAATMP_p11_write.size1);
gaa_index++;
#line 159 "certtool.gaa"
-{ gaaval->action = ACTION_PKCS11_WRITE_URL; gaaval->pkcs11_url =
GAATMP_pkcs11_write.arg1; ;};
+{ gaaval->action = ACTION_PKCS11_WRITE_URL; gaaval->pkcs11_url =
GAATMP_p11_write.arg1; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_login:
+ case GAAOPTID_p11_login:
OK = 0;
#line 156 "certtool.gaa"
{ gaaval->pkcs11_login = 1; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_list_tokens:
+ case GAAOPTID_p11_list_tokens:
OK = 0;
#line 153 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_TOKENS; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_list_all:
+ case GAAOPTID_p11_list_all:
OK = 0;
#line 152 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_ALL; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_list_all_certs:
+ case GAAOPTID_p11_list_all_certs:
OK = 0;
#line 151 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST;
gaaval->pkcs11_type=PKCS11_TYPE_CRT_ALL; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_list_trusted:
+ case GAAOPTID_p11_list_trusted:
OK = 0;
#line 150 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST;
gaaval->pkcs11_type=PKCS11_TYPE_TRUSTED; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_list_privkeys:
+ case GAAOPTID_p11_list_privkeys:
OK = 0;
#line 149 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST;
gaaval->pkcs11_type=PKCS11_TYPE_PRIVKEY; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_list_certs:
+ case GAAOPTID_p11_list_certs:
OK = 0;
#line 148 "certtool.gaa"
{ gaaval->action = ACTION_PKCS11_LIST; gaaval->pkcs11_type=PKCS11_TYPE_PK; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_export_url:
+ case GAAOPTID_p11_export_url:
OK = 0;
GAA_TESTMOREARGS;
- GAA_FILL(GAATMP_pkcs11_export_url.arg1, gaa_getstr,
GAATMP_pkcs11_export_url.size1);
+ GAA_FILL(GAATMP_p11_export_url.arg1, gaa_getstr,
GAATMP_p11_export_url.size1);
gaa_index++;
#line 145 "certtool.gaa"
-{ gaaval->action = ACTION_PKCS11_EXPORT_URL; gaaval->pkcs11_url =
GAATMP_pkcs11_export_url.arg1; ;};
+{ gaaval->action = ACTION_PKCS11_EXPORT_URL; gaaval->pkcs11_url =
GAATMP_p11_export_url.arg1; ;};
return GAA_OK;
break;
- case GAAOPTID_pkcs11_provider:
+ case GAAOPTID_p11_provider:
OK = 0;
GAA_TESTMOREARGS;
- GAA_FILL(GAATMP_pkcs11_provider.arg1, gaa_getstr,
GAATMP_pkcs11_provider.size1);
+ GAA_FILL(GAATMP_p11_provider.arg1, gaa_getstr,
GAATMP_p11_provider.size1);
gaa_index++;
#line 142 "certtool.gaa"
-{ gaaval->pkcs11_provider = GAATMP_pkcs11_provider.arg1 ;};
+{ gaaval->pkcs11_provider = GAATMP_p11_provider.arg1 ;};
return GAA_OK;
break;
diff --git a/src/certtool.c b/src/certtool.c
index 5e8c2df..e4fbb75 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -603,6 +603,18 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
error (EXIT_FAILURE, 0, "key_kp: %s",
gnutls_strerror (result));
}
+
+ result = get_ipsec_ike_status ();
+ if (result)
+ {
+ result =
+ gnutls_x509_crt_set_key_purpose_oid (crt,
+ GNUTLS_KP_IPSEC_IKE,
+ 0);
+ if (result < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s",
+ gnutls_strerror (result));
+ }
}
if (usage != 0)
@@ -2154,6 +2166,15 @@ generate_request (void)
if (ret < 0)
error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
}
+
+ ret = get_ipsec_ike_status ();
+ if (ret)
+ {
+ ret = gnutls_x509_crq_set_key_purpose_oid
+ (crq, GNUTLS_KP_IPSEC_IKE, 0);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
+ }
}
ret = gnutls_x509_crq_set_key_usage (crq, usage);
diff --git a/src/certtool.gaa b/src/certtool.gaa
index 2295089..6b1be3d 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -139,32 +139,32 @@ option (template) STR "FILE" { $template = $1 } "Template
file to use for non in
option (pkcs-cipher) STR "CIPHER" { $pkcs_cipher = $1 } "Cipher to use for
pkcs operations (3des,3des-pkcs12,aes-128,aes-192,aes-256,rc2-40,arcfour)."
#char* pkcs11_provider;
-option (pkcs11-provider) STR "Library" { $pkcs11_provider = $1 } "Specify the
pkcs11 provider library"
+option (p11-provider) STR "Library" { $pkcs11_provider = $1 } "Specify the
pkcs11 provider library"
#char* pkcs11_url;
-option (pkcs11-export-url) STR "URL" { $action = ACTION_PKCS11_EXPORT_URL;
$pkcs11_url = $1; } "Export data specified a pkcs11 URL"
+option (p11-export-url) STR "URL" { $action = ACTION_PKCS11_EXPORT_URL;
$pkcs11_url = $1; } "Export data specified a pkcs11 URL"
#int pkcs11_type;
-option (pkcs11-list-certs) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_PK; } "List certificates that have a private key
specified by a PKCS#11 URL"
-option (pkcs11-list-privkeys) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_PRIVKEY; } "List private keys specified by a PKCS#11
URL"
-option (pkcs11-list-trusted) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_TRUSTED; } "List certificates marked as trusted,
specified by a PKCS#11 URL"
-option (pkcs11-list-all-certs) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_CRT_ALL; } "List all certificates specified by a
PKCS#11 URL"
-option (pkcs11-list-all) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_ALL; } "List all objects specified by a PKCS#11 URL"
-option (pkcs11-list-tokens) { $action = ACTION_PKCS11_TOKENS; } "List all
available tokens"
+option (p11-list-certs) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_PK; } "List certificates that have a private key
specified by a PKCS#11 URL"
+option (p11-list-privkeys) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_PRIVKEY; } "List private keys specified by a PKCS#11
URL"
+option (p11-list-trusted) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_TRUSTED; } "List certificates marked as trusted,
specified by a PKCS#11 URL"
+option (p11-list-all-certs) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_CRT_ALL; } "List all certificates specified by a
PKCS#11 URL"
+option (p11-list-all) { $action = ACTION_PKCS11_LIST;
$pkcs11_type=PKCS11_TYPE_ALL; } "List all objects specified by a PKCS#11 URL"
+option (p11-list-tokens) { $action = ACTION_PKCS11_TOKENS; } "List all
available tokens"
#int pkcs11_login;
-option (pkcs11-login) { $pkcs11_login = 1; } "Force login to token"
+option (p11-login) { $pkcs11_login = 1; } "Force login to token"
#char* pkcs11_label;
-option (pkcs11-write) STR "URL" { $action = ACTION_PKCS11_WRITE_URL;
$pkcs11_url = $1; } "Writes loaded certificates or private keys to a PKCS11
token."
-option (pkcs11-write-label) STR "label" { $pkcs11_label = $1; } "Sets a label
for the write operation."
+option (p11-write) STR "URL" { $action = ACTION_PKCS11_WRITE_URL; $pkcs11_url
= $1; } "Writes loaded certificates or private keys to a PKCS11 token."
+option (p11-write-label) STR "label" { $pkcs11_label = $1; } "Sets a label for
the write operation."
#int pkcs11_trusted;
-option (pkcs11-write-trusted) { $pkcs11_trusted = 1; } "Marks the certificate
to be imported as trusted."
+option (p11-write-trusted) { $pkcs11_trusted = 1; } "Marks the certificate to
be imported as trusted."
#int pkcs11_detailed_url;
-option (pkcs11-detailed-url) { $pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB; }
"Export detailed URLs."
+option (p11-detailed-url) { $pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB; }
"Export detailed URLs."
-option (pkcs11-delete-url) STR "URL" { $action = ACTION_PKCS11_DELETE_URL;
$pkcs11_url = $1; } "Deletes objects matching the URL."
+option (p11-delete-url) STR "URL" { $action = ACTION_PKCS11_DELETE_URL;
$pkcs11_url = $1; } "Deletes objects matching the URL."
#int debug;
option (d, debug) INT "LEVEL" { $debug = $1 } "specify the debug level.
Default is 1."
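Review bot: the rename drops every --pkcs11-* spelling with no compatibility alias, so anything scripted against the previous development snapshots now fails with an unknown-option error; either keep the old names as hidden aliases for a release or state explicitly in NEWS that the old spellings are gone. While touching these lines, the help text carried over unchanged in `"Export data specified a pkcs11 URL"` is missing a word ("specified by a pkcs11 URL"); certtool-gaa.c is generated from this file, so fix it here and regenerate rather than editing the generated source.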
hooks/post-receive
--
GNU gnutls