add extended key usage for certificates

This adds the extended key usage and makes the certificates useable in the wild. The only thing missing are the CRL distribution points and the policy identifiers. These will get added after the code in flags.go is cleaned up. At the moment, it is far too messy.
2015-03-30 20:45:08 +02:00 · 2015-03-30 20:45:08 +02:00 · b4c4c1f18a
parent 855fde6d68
commit b4c4c1f18a
1 changed files with 45 additions and 10 deletions
--- a/flags.go
+++ b/flags.go
@ -27,7 +27,9 @@ const (
 )

 var (
-	EcdsaCurves    = []int{224, 256, 384, 521}
+	// the possible ecdsa curves allowed to be used
+	EcdsaCurves = []int{224, 256, 384, 521}
+	// the possible valid key usages to check against the commandline
 	ValidKeyUsages = map[string]x509.KeyUsage{
 		"digitalsignature":  x509.KeyUsageDigitalSignature,
 		"contentcommitment": x509.KeyUsageContentCommitment,
@ -39,6 +41,21 @@ var (
 		"encipheronly":      x509.KeyUsageEncipherOnly,
 		"decipheronly":      x509.KeyUsageDecipherOnly,
 	}
+	// the valid extended key usages, to check against the commandline
+	ValidExtKeyUsages = map[string]x509.ExtKeyUsage{
+		"any":                        x509.ExtKeyUsageAny,
+		"serverauth":                 x509.ExtKeyUsageServerAuth,
+		"clientauth":                 x509.ExtKeyUsageClientAuth,
+		"codesigning":                x509.ExtKeyUsageCodeSigning,
+		"emailprotection":            x509.ExtKeyUsageEmailProtection,
+		"ipsecendsystem":             x509.ExtKeyUsageIPSECEndSystem,
+		"ipsectunnel":                x509.ExtKeyUsageIPSECTunnel,
+		"ipsecuser":                  x509.ExtKeyUsageIPSECUser,
+		"timestamping":               x509.ExtKeyUsageTimeStamping,
+		"ocspsigning":                x509.ExtKeyUsageOCSPSigning,
+		"microsoftservergatedcrypto": x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+		"netscapeservergatedcrypto":  x509.ExtKeyUsageNetscapeServerGatedCrypto,
+	}
 )

 type (
@ -84,13 +101,14 @@ type (
 	}

 	certGenerationRaw struct {
-		serial    int64
-		notBefore string
-		notAfter  string
-		isCA      bool
-		length    int
-		caPath    string // path to the ca file if isCA is false
-		keyUsage  string // comma separated list of key usages
+		serial      int64
+		notBefore   string
+		notAfter    string
+		isCA        bool
+		length      int
+		caPath      string // path to the ca file if isCA is false
+		keyUsage    string // comma separated list of key usages
+		extKeyUsage string // comma separated list of extended key usages
 	}

 	flagCheck func() error
@ -297,10 +315,14 @@ func InitFlagCert(cmd *Command) {
 	)
 	cmd.Flags().StringVar(
 		&flagContainer.certGeneration.keyUsage,
-		"key-usage",
-		"",
+		"key-usage", "",
 		"comma separated list of key usages",
 	)
+	cmd.Flags().StringVar(
+		&flagContainer.certGeneration.extKeyUsage,
+		"ext-key-usage", "",
+		"comma separated list of extended key usage flags",
+	)
 }

 // parse the certificate data
@ -335,6 +357,19 @@ func checkCertFlags() error {
 		}
 		FlagCertificateGeneration.KeyUsage = keyUresult
 	}
+	// parse the extended key usage flags
+	if eKeyUstr := flagContainer.certGeneration.extKeyUsage; eKeyUstr != "" {
+		eKeyUarr := strings.Split(eKeyUstr, ",")
+		eKeyUResult := make([]x509.ExtKeyUsage, 0)
+		for _, usage := range eKeyUarr {
+			if value, ok := ValidExtKeyUsages[strings.ToLower(usage)]; ok {
+				eKeyUResult = append(eKeyUResult, value)
+			} else {
+				return fmt.Errorf("unsupported extended key usage '%s'", usage)
+			}
+		}
+		FlagCertificateGeneration.KeyExtendedUsage = eKeyUResult
+	}
 	return nil
 }