From 859c587dc25bebf0c3618a7a531fb26642f1416f Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Sun, 23 Jun 2019 14:31:13 -0500 Subject: [PATCH] Add more hxtool EKU options, and KeyUsage too This is necessary in order to have more control over, e.g., template certificates for kx509. But also it's good to have this more generally. Some batteries not included. Specifically: no attempt is made to validate that given KeyUsage values are compatible with the subjectPublicKey's alrogithm and parameters. --- lib/hx509/ca.c | 58 +++++++++++++++++++--------------- lib/hx509/hxtool-commands.in | 17 ++++++++++ lib/hx509/hxtool.c | 41 +++++++++++++++++++++--- lib/hx509/libhx509-exports.def | 2 ++ lib/hx509/version-script.map | 2 ++ 5 files changed, 91 insertions(+), 29 deletions(-) diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c index bcbd777ed..c1324bb37 100644 --- a/lib/hx509/ca.c +++ b/lib/hx509/ca.c @@ -43,9 +43,9 @@ struct hx509_ca_tbs { hx509_name subject; SubjectPublicKeyInfo spki; + KeyUsage ku; ExtKeyUsage eku; GeneralNames san; - unsigned key_usage; heim_integer serial; struct { unsigned int proxy:1; @@ -262,11 +262,9 @@ hx509_ca_tbs_set_template(hx509_context context, return ret; } if (flags & HX509_CA_TEMPLATE_KU) { - KeyUsage ku; - ret = _hx509_cert_get_keyusage(context, cert, &ku); + ret = _hx509_cert_get_keyusage(context, cert, &tbs->ku); if (ret) return ret; - tbs->key_usage = KeyUsage2int(ku); } if (flags & HX509_CA_TEMPLATE_EKU) { ExtKeyUsage eku; @@ -405,6 +403,28 @@ hx509_ca_tbs_set_serialnumber(hx509_context context, return ret; } +/** + * An an extended key usage to the to-be-signed certificate object. + * Duplicates will detected and not added. + * + * @param context A hx509 context. + * @param tbs object to be signed. + * @param oid extended key usage to add. + * + * @return An hx509 error code, see hx509_get_error_string(). + * + * @ingroup hx509_ca + */ + +HX509_LIB_FUNCTION int HX509_LIB_CALL +hx509_ca_tbs_add_ku(hx509_context context, + hx509_ca_tbs tbs, + KeyUsage ku) +{ + tbs->ku = ku; + return 0; +} + /** * An an extended key usage to the to-be-signed certificate object. * Duplicates will detected and not added. @@ -1033,7 +1053,6 @@ ca_sign(hx509_context context, const AlgorithmIdentifier *sigalg; time_t notBefore; time_t notAfter; - unsigned key_usage; sigalg = tbs->sigalg; if (sigalg == NULL) @@ -1053,21 +1072,12 @@ ca_sign(hx509_context context, if (notAfter == 0) notAfter = time(NULL) + 3600 * 24 * 365; - key_usage = tbs->key_usage; - if (key_usage == 0) { - KeyUsage ku; - memset(&ku, 0, sizeof(ku)); - ku.digitalSignature = 1; - ku.keyEncipherment = 1; - key_usage = KeyUsage2int(ku); - } - if (tbs->flags.ca) { - KeyUsage ku; - memset(&ku, 0, sizeof(ku)); - ku.keyCertSign = 1; - ku.cRLSign = 1; - key_usage |= KeyUsage2int(ku); + tbs->ku.keyCertSign = 1; + tbs->ku.cRLSign = 1; + } else if (KeyUsage2int(tbs->ku) == 0) { + tbs->ku.digitalSignature = 1; + tbs->ku.keyEncipherment = 1; } /* @@ -1237,11 +1247,9 @@ ca_sign(hx509_context context, } /* add KeyUsage */ - { - KeyUsage ku; - - ku = int2KeyUsage(key_usage); - ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret); + if (KeyUsage2int(tbs->ku) > 0) { + ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, + &tbs->ku, &size, ret); if (ret) { hx509_set_error_string(context, 0, ret, "Out of memory"); goto out; @@ -1265,7 +1273,7 @@ ca_sign(hx509_context context, } if (size != data.length) _hx509_abort("internal ASN.1 encoder error"); - ret = add_extension(context, tbsc, 0, + ret = add_extension(context, tbsc, 1, &asn1_oid_id_x509_ce_extKeyUsage, &data); free(data.data); if (ret) diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in index 49e392d03..b772f2b10 100644 --- a/lib/hx509/hxtool-commands.in +++ b/lib/hx509/hxtool-commands.in @@ -426,6 +426,12 @@ command = { type = "string" help = "Subject DN" } + option = { + long = "eku" + type = "strings" + argument = "oid-string" + help = "Add Extended Key Usage OID" + } option = { long = "email" type = "strings" @@ -650,6 +656,17 @@ command = { type = "integer" help = "Maximum path length (CA and proxy certificates), -1 no limit" } + option = { + long = "eku" + type = "strings" + argument = "oid-string" + help = "Add Extended Key Usage OID" + } + option = { + long = "ku" + type = "strings" + help = "Key Usage (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly)" + } option = { long = "hostname" type = "strings" diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c index 2bafd4907..06345e9a8 100644 --- a/lib/hx509/hxtool.c +++ b/lib/hx509/hxtool.c @@ -1365,6 +1365,15 @@ request_create(struct request_create_options *opt, int argc, char **argv) hx509_err(context, 1, ret, "hx509_request_add_dns_name"); } + for (i = 0; i < opt->eku_strings.num_strings; i++) { + heim_oid oid; + + parse_oid(opt->eku_strings.strings[i], NULL, &oid); + ret = _hx509_request_add_eku(context, req, &oid); + if (ret) + hx509_err(context, 1, ret, "hx509_request_add_eku"); + } + ret = hx509_private_key2SPKI(context, signer, &key); if (ret) @@ -1792,6 +1801,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) hx509_private_key cert_key = NULL; hx509_name subject = NULL; SubjectPublicKeyInfo spki; + size_t i; int delta = 0; memset(&spki, 0, sizeof(spki)); @@ -1803,10 +1813,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) if (opt->certificate_string == NULL) errx(1, "--certificate argument missing"); - if (opt->template_certificate_string) { - if (opt->template_fields_string == NULL) - errx(1, "--template-certificate not no --template-fields"); - } + if (opt->template_certificate_string && opt->template_fields_string == NULL) + errx(1, "--template-certificate used but no --template-fields given"); if (opt->lifetime_string) { delta = parse_time(opt->lifetime_string, "day"); @@ -1928,6 +1936,31 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) if (ret) hx509_err(context, 1, ret, "hx509_ca_tbs_init"); + for (i = 0; i < opt->eku_strings.num_strings; i++) { + heim_oid oid; + + parse_oid(opt->eku_strings.strings[i], NULL, &oid); + ret = hx509_ca_tbs_add_eku(context, tbs, &oid); + if (ret) + hx509_err(context, 1, ret, "hx509_request_add_eku"); + } + if (opt->ku_strings.num_strings) { + const struct units *kus = asn1_KeyUsage_units(); + const struct units *kup; + uint64_t n = 0; + + for (i = 0; i < opt->ku_strings.num_strings; i++) { + for (kup = kus; kup->name; kup++) { + if (strcmp(kup->name, opt->ku_strings.strings[i])) + continue; + n |= kup->mult; + break; + } + } + ret = hx509_ca_tbs_add_ku(context, tbs, int2KeyUsage(n)); + if (ret) + hx509_err(context, 1, ret, "hx509_request_add_ku"); + } if (opt->signature_algorithm_string) { const AlgorithmIdentifier *sigalg; if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0) diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def index acdcdaeac..328936d67 100644 --- a/lib/hx509/libhx509-exports.def +++ b/lib/hx509/libhx509-exports.def @@ -18,6 +18,7 @@ EXPORTS hx509_private_key_free _hx509_private_key_ref _hx509_request_add_dns_name + _hx509_request_add_eku _hx509_request_add_email _hx509_private_key_export _hx509_private_key_exportable @@ -42,6 +43,7 @@ EXPORTS hx509_ca_sign_self hx509_ca_tbs_add_crl_dp_uri hx509_ca_tbs_add_eku + hx509_ca_tbs_add_ku hx509_ca_tbs_add_san_hostname hx509_ca_tbs_add_san_jid hx509_ca_tbs_add_san_ms_upn diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map index 995281d56..621a22d60 100644 --- a/lib/hx509/version-script.map +++ b/lib/hx509/version-script.map @@ -22,6 +22,7 @@ HEIMDAL_X509_1.2 { _hx509_private_key_oid; _hx509_private_key_ref; _hx509_request_add_dns_name; + _hx509_request_add_eku; _hx509_request_add_email; _hx509_request_parse; _hx509_request_print; @@ -34,6 +35,7 @@ HEIMDAL_X509_1.2 { hx509_ca_sign_self; hx509_ca_tbs_add_crl_dp_uri; hx509_ca_tbs_add_eku; + hx509_ca_tbs_add_ku; hx509_ca_tbs_add_san_hostname; hx509_ca_tbs_add_san_jid; hx509_ca_tbs_add_san_ms_upn;