add extended key usage for certificates
This adds the extended key usage and makes the certificates useable in the wild. The only thing missing are the CRL distribution points and the policy identifiers. These will get added after the code in flags.go is cleaned up. At the moment, it is far too messy.
This commit is contained in:
parent
855fde6d68
commit
b4c4c1f18a
55
flags.go
55
flags.go
|
@ -27,7 +27,9 @@ const (
|
|||
)
|
||||
|
||||
var (
|
||||
EcdsaCurves = []int{224, 256, 384, 521}
|
||||
// the possible ecdsa curves allowed to be used
|
||||
EcdsaCurves = []int{224, 256, 384, 521}
|
||||
// the possible valid key usages to check against the commandline
|
||||
ValidKeyUsages = map[string]x509.KeyUsage{
|
||||
"digitalsignature": x509.KeyUsageDigitalSignature,
|
||||
"contentcommitment": x509.KeyUsageContentCommitment,
|
||||
|
@ -39,6 +41,21 @@ var (
|
|||
"encipheronly": x509.KeyUsageEncipherOnly,
|
||||
"decipheronly": x509.KeyUsageDecipherOnly,
|
||||
}
|
||||
// the valid extended key usages, to check against the commandline
|
||||
ValidExtKeyUsages = map[string]x509.ExtKeyUsage{
|
||||
"any": x509.ExtKeyUsageAny,
|
||||
"serverauth": x509.ExtKeyUsageServerAuth,
|
||||
"clientauth": x509.ExtKeyUsageClientAuth,
|
||||
"codesigning": x509.ExtKeyUsageCodeSigning,
|
||||
"emailprotection": x509.ExtKeyUsageEmailProtection,
|
||||
"ipsecendsystem": x509.ExtKeyUsageIPSECEndSystem,
|
||||
"ipsectunnel": x509.ExtKeyUsageIPSECTunnel,
|
||||
"ipsecuser": x509.ExtKeyUsageIPSECUser,
|
||||
"timestamping": x509.ExtKeyUsageTimeStamping,
|
||||
"ocspsigning": x509.ExtKeyUsageOCSPSigning,
|
||||
"microsoftservergatedcrypto": x509.ExtKeyUsageMicrosoftServerGatedCrypto,
|
||||
"netscapeservergatedcrypto": x509.ExtKeyUsageNetscapeServerGatedCrypto,
|
||||
}
|
||||
)
|
||||
|
||||
type (
|
||||
|
@ -84,13 +101,14 @@ type (
|
|||
}
|
||||
|
||||
certGenerationRaw struct {
|
||||
serial int64
|
||||
notBefore string
|
||||
notAfter string
|
||||
isCA bool
|
||||
length int
|
||||
caPath string // path to the ca file if isCA is false
|
||||
keyUsage string // comma separated list of key usages
|
||||
serial int64
|
||||
notBefore string
|
||||
notAfter string
|
||||
isCA bool
|
||||
length int
|
||||
caPath string // path to the ca file if isCA is false
|
||||
keyUsage string // comma separated list of key usages
|
||||
extKeyUsage string // comma separated list of extended key usages
|
||||
}
|
||||
|
||||
flagCheck func() error
|
||||
|
@ -297,10 +315,14 @@ func InitFlagCert(cmd *Command) {
|
|||
)
|
||||
cmd.Flags().StringVar(
|
||||
&flagContainer.certGeneration.keyUsage,
|
||||
"key-usage",
|
||||
"",
|
||||
"key-usage", "",
|
||||
"comma separated list of key usages",
|
||||
)
|
||||
cmd.Flags().StringVar(
|
||||
&flagContainer.certGeneration.extKeyUsage,
|
||||
"ext-key-usage", "",
|
||||
"comma separated list of extended key usage flags",
|
||||
)
|
||||
}
|
||||
|
||||
// parse the certificate data
|
||||
|
@ -335,6 +357,19 @@ func checkCertFlags() error {
|
|||
}
|
||||
FlagCertificateGeneration.KeyUsage = keyUresult
|
||||
}
|
||||
// parse the extended key usage flags
|
||||
if eKeyUstr := flagContainer.certGeneration.extKeyUsage; eKeyUstr != "" {
|
||||
eKeyUarr := strings.Split(eKeyUstr, ",")
|
||||
eKeyUResult := make([]x509.ExtKeyUsage, 0)
|
||||
for _, usage := range eKeyUarr {
|
||||
if value, ok := ValidExtKeyUsages[strings.ToLower(usage)]; ok {
|
||||
eKeyUResult = append(eKeyUResult, value)
|
||||
} else {
|
||||
return fmt.Errorf("unsupported extended key usage '%s'", usage)
|
||||
}
|
||||
}
|
||||
FlagCertificateGeneration.KeyExtendedUsage = eKeyUResult
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue