author | Jonathan Gray <jsg@cvs.openbsd.org> | 2015-11-02 10:27:45 +0000 |
---|---|---|
committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2015-11-02 10:27:45 +0000 |
commit | 73b1bbb453ee03ef5fc031fd1ff6eba703c7468b (patch) | |
tree | 8dcd1a91d9173f308d1a61ef92267a9b8a28dbfd /usr.sbin/ikectl | |
parent | 01f442b213135479fdc96283464eae7b08d3dc34 (diff) |
Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing.
Requested by and ok reyk@
Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r-- | usr.sbin/ikectl/ikeca.c | 7 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikectl.8 | 9 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikectl.c | 4 | ||||
-rw-r--r-- | usr.sbin/ikectl/parser.c | 3 | ||||
-rw-r--r-- | usr.sbin/ikectl/parser.h | 3 |
5 files changed, 19 insertions, 7 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 8ecfd3e2d54..90ef087e5c3 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.37 2015/08/19 21:07:23 reyk Exp $ */
+/* $OpenBSD: ikeca.c,v 1.38 2015/11/02 10:27:44 jsg Exp $ */
 /*
  * Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -273,6 +273,11 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
 ca_setenv("$ENV::CERTUSAGE",
 "digitalSignature,keyAgreement");
 break;
+ case CA_OCSP:
+ ca_setenv("$ENV::EXTCERTUSAGE", "OCSPSigning");
+ ca_setenv("$ENV::CERTUSAGE",
+ "nonRepudiation,digitalSignature,keyEncipherment");
+ break;
 default:
 break;
 }
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 0ea97116154..40d30ac0e21 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.24 2015/09/07 15:24:53 sobrado Exp $
+.\" $OpenBSD: ikectl.8,v 1.25 2015/11/02 10:27:44 jsg Exp $
 .\"
 .\" Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 7 2015 $
+.Dd $Mdocdate: November 2 2015 $
 .Dt IKECTL 8
 .Os
 .Sh NAME
@@ -149,7 +149,7 @@ as the currently active CA or into the specified
 .It Xo
 .Cm ca Ar name Cm certificate Ar host
 .Cm create
-.Op Ic server | client
+.Op Ic server | client | ocsp
 .Xc
 Create a private key and certificate for
 .Ar host
@@ -163,6 +163,9 @@ this can be restricted using the optional
 or
 .Ic client
 argument.
+If the
+.Ic ocsp
+argument is specified the extended key usage will be set for OCSP signing.
 .It Xo
 .Cm ca Ar name Cm certificate Ar host
 .Cm delete
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index d9fd30185b7..223936cca62 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
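Review bot: In the new `case CA_OCSP:` of `ca_certificate()` (ikeca.c, hunk at line 273), the key usage `nonRepudiation,digitalSignature,keyEncipherment` grants more than an OCSP responder key needs. OCSP responses are only signed, so `keyEncipherment` could be dropped: `ca_setenv("$ENV::CERTUSAGE", "nonRepudiation,digitalSignature");`. A delegated responder certificate is also commonly issued with the id-pkix-ocsp-nocheck extension (RFC 6960), so that relying parties do not have to revocation-check the responder itself. Whether the OpenSSL configuration that consumes `$ENV::EXTCERTUSAGE` adds that extension is not visible in this diff and is worth confirming. The switch statement and the rest of the function start and end outside the hunk.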
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.20 2015/08/19 13:30:54 reyk Exp $ */
+/* $OpenBSD: ikectl.c,v 1.21 2015/11/02 10:27:44 jsg Exp $ */
 /*
  * Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -113,6 +113,7 @@ ca_opt(struct parse_result *res)
 case CA_CERT_CREATE:
 case CA_SERVER:
 case CA_CLIENT:
+ case CA_OCSP:
 ca_certificate(ca, res->host, res->htype, res->action);
 break;
 case CA_CERT_DELETE:
@@ -193,6 +194,7 @@ main(int argc, char *argv[])
 case CA_CERT_CREATE:
 case CA_CLIENT:
 case CA_SERVER:
+ case CA_OCSP:
 case CA_CERT_DELETE:
 case CA_CERT_INSTALL:
 case CA_CERT_EXPORT:
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 5d1e40611c9..a09bf169ebc 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.14 2015/08/19 13:30:54 reyk Exp $ */
+/* $OpenBSD: parser.c,v 1.15 2015/11/02 10:27:44 jsg Exp $ */
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -181,6 +181,7 @@ static const struct token t_ca_cert_extusage[] = {
 { NOTOKEN, "", NONE, NULL},
 { KEYWORD, "server", CA_SERVER, NULL },
 { KEYWORD, "client", CA_CLIENT, NULL },
+ { KEYWORD, "ocsp", CA_OCSP, NULL },
 { ENDTOKEN, "", NONE, NULL },
 };
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index 250bae08db9..f87ee3662ee 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.13 2015/06/11 18:49:09 reyk Exp $ */
+/* $OpenBSD: parser.h,v 1.14 2015/11/02 10:27:44 jsg Exp $ */
 /*
  * Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -44,6 +44,7 @@ enum actions {
 CA_CERT_CREATE,
 CA_SERVER,
 CA_CLIENT,
+ CA_OCSP,
 CA_CERT_DELETE,
 CA_CERT_INSTALL,
 CA_CERT_EXPORT,
|
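Review bot: `CA_OCSP` in `enum actions` (parser.h, hunk at line 44) is, like `CA_SERVER` and `CA_CLIENT` before it, a usage variant of certificate creation and not a standalone action, and nothing in the enum says so. `ca_opt()` in ikectl.c groups all three with `CA_CERT_CREATE` and passes `res->action` to `ca_certificate()`. A short comment above the three entries, such as `/* CA_SERVER, CA_CLIENT, CA_OCSP: usage variants of CA_CERT_CREATE */`, would make that relationship visible to whoever adds the next usage type. The enum continues outside the hunk.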