hx509: keep track of authorized CSR features

This commit adds a few functions for marking KU, EKUs, and SANs as
authorized, and for getting a count of unsupported certificate
extensions requested, and a count of authorized KU/EKUs/SANs.

The intent is to make it easier to build CSR authorization and CA code
that is robust in the face of future support for certificate extensions
and SAN types not currently supported.  An application could parse a
CSR, iterate all KU/EKUs/SANs, check a subject's authorization to them,
mark them authorized where authorized, then check if there are any
remaining unauthorized extensions or unsupported extensions requested.

Ultimately, if a CSR's KU/EKUs/SANs are all authorized, then they can
all be copied to a TBS, and a certificate can be issued.
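
The workflow the commit message describes (mark what policy authorizes, then refuse if anything unsupported or unauthorized remains), sketched as an added example that is not code from this commit or from hx509. Every type and function name here is hypothetical, the allow-list policy is an assumption, and the sample request is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a parsed CSR; none of these names are hx509 API. */
enum req_kind { REQ_EKU, REQ_SAN_DNS, REQ_SAN_PKINIT, REQ_UNSUPPORTED };
struct req_item {
    enum req_kind kind;
    const char *value;  /* constructed sample value */
    int authorized;     /* set only by an explicit policy decision */
};

/* Toy policy (assumption): a value is allowed only if it is on the list. */
static int policy_allows(const struct req_item *it,
                         const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(it->value, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Mark what policy permits, then count leftovers. Returns 1 only when every
 * requested item was both understood and authorized (fail closed). */
int csr_may_issue(struct req_item *items, size_t nitems,
                  const char *const *allowed, size_t nallowed)
{
    size_t authorized = 0, unsupported = 0;

    for (size_t i = 0; i < nitems; i++) {
        if (items[i].kind == REQ_UNSUPPORTED) {
            unsupported++;          /* cannot evaluate what we cannot parse */
        } else if (policy_allows(&items[i], allowed, nallowed)) {
            items[i].authorized = 1;
            authorized++;
        }
    }
    return unsupported == 0 && authorized == nitems;
}

int main(void)
{
    const char *const allowed[] = { "nutcracker.test.h5l.se" };
    struct req_item csr[] = {       /* constructed request */
        { REQ_SAN_DNS, "nutcracker.test.h5l.se", 0 },
        { REQ_UNSUPPORTED, "some-future-extension", 0 },
    };
    printf("issue: %d\n", csr_may_issue(csr, 2, allowed, 1));
    return 0;
}
```

The request in `main` is refused even though its one recognized SAN is authorized, because an item the code cannot interpret is never treated as implicitly acceptable.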
Nicolas Williams
2019-11-18 23:18:57 -06:00
parent d519094117
commit a7a1d798c3
7 changed files with 603 additions and 286 deletions

@@ -76,8 +76,8 @@ PKCS#10 CertificationRequest:
san: rfc822Name: foo@test.h5l.se
san: dNSName: nutcracker.test.h5l.se
san: dNSName: foo.nutcracker.test.h5l.se
san: otherName: 1.3.6.1.5.2.2 HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE
san: otherName: 1.3.6.1.5.2.2 host/foo.nutcracker.it.su.se@TEST.H5L.SE
san: pkinit: HTTP/foo.nutcracker.it.su.se@TEST.H5L.SE
san: pkinit: host/foo.nutcracker.it.su.se@TEST.H5L.SE
san: registeredID: 1.2.3.4.5.6.9
EOF
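
Review bot: the two PKINIT SAN lines in this expected output appear in both forms, `san: otherName: 1.3.6.1.5.2.2 ...` and `san: pkinit: ...`, which is a change to the printed label that the commit message does not mention; it only describes the functions for marking and counting authorized KU/EKUs/SANs. Anything that matches this output on the otherName OID would stop matching once the label changes, so please call the output format change out in the commit message or move it to its own commit.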