
add extended key usage for certificates

This adds the extended key usage and makes the certificates usable in
the wild.
The only thing missing are the CRL distribution points and the policy
identifiers. These will get added after the code in flags.go is cleaned
up. At the moment, it is far too messy.
This commit is contained in:
Gibheer 2015-03-30 20:45:08 +02:00
parent 855fde6d68
commit b4c4c1f18a
1 changed files with 45 additions and 10 deletions


@ -27,7 +27,9 @@ const (
) )
var ( var (
EcdsaCurves = []int{224, 256, 384, 521} // the possible ecdsa curves allowed to be used
EcdsaCurves = []int{224, 256, 384, 521}
// the possible valid key usages to check against the commandline
ValidKeyUsages = map[string]x509.KeyUsage{ ValidKeyUsages = map[string]x509.KeyUsage{
"digitalsignature": x509.KeyUsageDigitalSignature, "digitalsignature": x509.KeyUsageDigitalSignature,
"contentcommitment": x509.KeyUsageContentCommitment, "contentcommitment": x509.KeyUsageContentCommitment,
@ -39,6 +41,21 @@ var (
"encipheronly": x509.KeyUsageEncipherOnly, "encipheronly": x509.KeyUsageEncipherOnly,
"decipheronly": x509.KeyUsageDecipherOnly, "decipheronly": x509.KeyUsageDecipherOnly,
} }
// the valid extended key usages, to check against the commandline
ValidExtKeyUsages = map[string]x509.ExtKeyUsage{
"any": x509.ExtKeyUsageAny,
"serverauth": x509.ExtKeyUsageServerAuth,
"clientauth": x509.ExtKeyUsageClientAuth,
"codesigning": x509.ExtKeyUsageCodeSigning,
"emailprotection": x509.ExtKeyUsageEmailProtection,
"ipsecendsystem": x509.ExtKeyUsageIPSECEndSystem,
"ipsectunnel": x509.ExtKeyUsageIPSECTunnel,
"ipsecuser": x509.ExtKeyUsageIPSECUser,
"timestamping": x509.ExtKeyUsageTimeStamping,
"ocspsigning": x509.ExtKeyUsageOCSPSigning,
"microsoftservergatedcrypto": x509.ExtKeyUsageMicrosoftServerGatedCrypto,
"netscapeservergatedcrypto": x509.ExtKeyUsageNetscapeServerGatedCrypto,
}
) )
type ( type (
@ -84,13 +101,14 @@ type (
} }
certGenerationRaw struct { certGenerationRaw struct {
serial int64 serial int64
notBefore string notBefore string
notAfter string notAfter string
isCA bool isCA bool
length int length int
caPath string // path to the ca file if isCA is false caPath string // path to the ca file if isCA is false
keyUsage string // comma separated list of key usages keyUsage string // comma separated list of key usages
extKeyUsage string // comma separated list of extended key usages
} }
flagCheck func() error flagCheck func() error
@ -297,10 +315,14 @@ func InitFlagCert(cmd *Command) {
) )
cmd.Flags().StringVar( cmd.Flags().StringVar(
&flagContainer.certGeneration.keyUsage, &flagContainer.certGeneration.keyUsage,
"key-usage", "key-usage", "",
"",
"comma separated list of key usages", "comma separated list of key usages",
) )
cmd.Flags().StringVar(
&flagContainer.certGeneration.extKeyUsage,
"ext-key-usage", "",
"comma separated list of extended key usage flags",
)
} }
// parse the certificate data // parse the certificate data
@ -335,6 +357,19 @@ func checkCertFlags() error {
} }
FlagCertificateGeneration.KeyUsage = keyUresult FlagCertificateGeneration.KeyUsage = keyUresult
} }
// parse the extended key usage flags
if eKeyUstr := flagContainer.certGeneration.extKeyUsage; eKeyUstr != "" {
eKeyUarr := strings.Split(eKeyUstr, ",")
eKeyUResult := make([]x509.ExtKeyUsage, 0)
for _, usage := range eKeyUarr {
if value, ok := ValidExtKeyUsages[strings.ToLower(usage)]; ok {
eKeyUResult = append(eKeyUResult, value)
} else {
return fmt.Errorf("unsupported extended key usage '%s'", usage)
}
}
FlagCertificateGeneration.KeyExtendedUsage = eKeyUResult
}
return nil return nil
} }
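Review bot: The new `--ext-key-usage` loop in checkCertFlags splits on "," and looks each raw element up as-is, so a list with spaces or a trailing comma ("serverauth, clientauth" or "serverauth,") is rejected with the confusing message `unsupported extended key usage ''`, and a repeated name ("serverauth,serverauth") is accepted and encoded twice in the extension, which some verifiers treat as malformed. I would normalise before the lookup and skip empties, `name := strings.ToLower(strings.TrimSpace(usage))`, `if name == "" { continue }`, `value, ok := ValidExtKeyUsages[name]`, and track seen names in a small set so a duplicate is either dropped or reported. Using `%q` instead of `'%s'` in the error also makes a whitespace-padded entry visible to the user. One caveat worth a comment next to the `"any"` entry in ValidExtKeyUsages: an EKU of anyExtendedKeyUsage makes the extension effectively unconstrained, and since the same flag applies to CA certificates (`isCA` is in the same struct), note that many verifiers, Go's crypto/x509 included, use a CA's EKU set to restrict what its leaves may be used for, so the combination should be chosen deliberately.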