add extended key usage for certificates
This adds the extended key usage and makes the certificates useable in the wild. The only thing missing are the CRL distribution points and the policy identifiers. These will get added after the code in flags.go is cleaned up. At the moment, it is far too messy.
This commit is contained in:
parent
855fde6d68
commit
b4c4c1f18a
55
flags.go
55
flags.go
|
@ -27,7 +27,9 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
EcdsaCurves = []int{224, 256, 384, 521}
|
// the possible ecdsa curves allowed to be used
|
||||||
|
EcdsaCurves = []int{224, 256, 384, 521}
|
||||||
|
// the possible valid key usages to check against the commandline
|
||||||
ValidKeyUsages = map[string]x509.KeyUsage{
|
ValidKeyUsages = map[string]x509.KeyUsage{
|
||||||
"digitalsignature": x509.KeyUsageDigitalSignature,
|
"digitalsignature": x509.KeyUsageDigitalSignature,
|
||||||
"contentcommitment": x509.KeyUsageContentCommitment,
|
"contentcommitment": x509.KeyUsageContentCommitment,
|
||||||
|
@ -39,6 +41,21 @@ var (
|
||||||
"encipheronly": x509.KeyUsageEncipherOnly,
|
"encipheronly": x509.KeyUsageEncipherOnly,
|
||||||
"decipheronly": x509.KeyUsageDecipherOnly,
|
"decipheronly": x509.KeyUsageDecipherOnly,
|
||||||
}
|
}
|
||||||
|
// the valid extended key usages, to check against the commandline
|
||||||
|
ValidExtKeyUsages = map[string]x509.ExtKeyUsage{
|
||||||
|
"any": x509.ExtKeyUsageAny,
|
||||||
|
"serverauth": x509.ExtKeyUsageServerAuth,
|
||||||
|
"clientauth": x509.ExtKeyUsageClientAuth,
|
||||||
|
"codesigning": x509.ExtKeyUsageCodeSigning,
|
||||||
|
"emailprotection": x509.ExtKeyUsageEmailProtection,
|
||||||
|
"ipsecendsystem": x509.ExtKeyUsageIPSECEndSystem,
|
||||||
|
"ipsectunnel": x509.ExtKeyUsageIPSECTunnel,
|
||||||
|
"ipsecuser": x509.ExtKeyUsageIPSECUser,
|
||||||
|
"timestamping": x509.ExtKeyUsageTimeStamping,
|
||||||
|
"ocspsigning": x509.ExtKeyUsageOCSPSigning,
|
||||||
|
"microsoftservergatedcrypto": x509.ExtKeyUsageMicrosoftServerGatedCrypto,
|
||||||
|
"netscapeservergatedcrypto": x509.ExtKeyUsageNetscapeServerGatedCrypto,
|
||||||
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
|
@ -84,13 +101,14 @@ type (
|
||||||
}
|
}
|
||||||
|
|
||||||
certGenerationRaw struct {
|
certGenerationRaw struct {
|
||||||
serial int64
|
serial int64
|
||||||
notBefore string
|
notBefore string
|
||||||
notAfter string
|
notAfter string
|
||||||
isCA bool
|
isCA bool
|
||||||
length int
|
length int
|
||||||
caPath string // path to the ca file if isCA is false
|
caPath string // path to the ca file if isCA is false
|
||||||
keyUsage string // comma separated list of key usages
|
keyUsage string // comma separated list of key usages
|
||||||
|
extKeyUsage string // comma separated list of extended key usages
|
||||||
}
|
}
|
||||||
|
|
||||||
flagCheck func() error
|
flagCheck func() error
|
||||||
|
@ -297,10 +315,14 @@ func InitFlagCert(cmd *Command) {
|
||||||
)
|
)
|
||||||
cmd.Flags().StringVar(
|
cmd.Flags().StringVar(
|
||||||
&flagContainer.certGeneration.keyUsage,
|
&flagContainer.certGeneration.keyUsage,
|
||||||
"key-usage",
|
"key-usage", "",
|
||||||
"",
|
|
||||||
"comma separated list of key usages",
|
"comma separated list of key usages",
|
||||||
)
|
)
|
||||||
|
cmd.Flags().StringVar(
|
||||||
|
&flagContainer.certGeneration.extKeyUsage,
|
||||||
|
"ext-key-usage", "",
|
||||||
|
"comma separated list of extended key usage flags",
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
// parse the certificate data
|
// parse the certificate data
|
||||||
|
@ -335,6 +357,19 @@ func checkCertFlags() error {
|
||||||
}
|
}
|
||||||
FlagCertificateGeneration.KeyUsage = keyUresult
|
FlagCertificateGeneration.KeyUsage = keyUresult
|
||||||
}
|
}
|
||||||
|
// parse the extended key usage flags
|
||||||
|
if eKeyUstr := flagContainer.certGeneration.extKeyUsage; eKeyUstr != "" {
|
||||||
|
eKeyUarr := strings.Split(eKeyUstr, ",")
|
||||||
|
eKeyUResult := make([]x509.ExtKeyUsage, 0)
|
||||||
|
for _, usage := range eKeyUarr {
|
||||||
|
if value, ok := ValidExtKeyUsages[strings.ToLower(usage)]; ok {
|
||||||
|
eKeyUResult = append(eKeyUResult, value)
|
||||||
|
} else {
|
||||||
|
return fmt.Errorf("unsupported extended key usage '%s'", usage)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
FlagCertificateGeneration.KeyExtendedUsage = eKeyUResult
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue