summaryrefslogtreecommitdiff
path: root/usr.sbin/ikectl
diff options
context:
space:
mode:
authorJonathan Gray <jsg@cvs.openbsd.org>2015-11-02 10:27:45 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2015-11-02 10:27:45 +0000
commit73b1bbb453ee03ef5fc031fd1ff6eba703c7468b (patch)
tree8dcd1a91d9173f308d1a61ef92267a9b8a28dbfd /usr.sbin/ikectl
parent01f442b213135479fdc96283464eae7b08d3dc34 (diff)
Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing. Requested by and ok reyk@
Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r--usr.sbin/ikectl/ikeca.c7
-rw-r--r--usr.sbin/ikectl/ikectl.89
-rw-r--r--usr.sbin/ikectl/ikectl.c4
-rw-r--r--usr.sbin/ikectl/parser.c3
-rw-r--r--usr.sbin/ikectl/parser.h3
5 files changed, 19 insertions, 7 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 8ecfd3e2d54..90ef087e5c3 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.37 2015/08/19 21:07:23 reyk Exp $ */
+/* $OpenBSD: ikeca.c,v 1.38 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -273,6 +273,11 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
ca_setenv("$ENV::CERTUSAGE",
"digitalSignature,keyAgreement");
break;
+ case CA_OCSP:
+ ca_setenv("$ENV::EXTCERTUSAGE", "OCSPSigning");
+ ca_setenv("$ENV::CERTUSAGE",
+ "nonRepudiation,digitalSignature,keyEncipherment");
+ break;
default:
break;
}
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 0ea97116154..40d30ac0e21 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.24 2015/09/07 15:24:53 sobrado Exp $
+.\" $OpenBSD: ikectl.8,v 1.25 2015/11/02 10:27:44 jsg Exp $
.\"
.\" Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 7 2015 $
+.Dd $Mdocdate: November 2 2015 $
.Dt IKECTL 8
.Os
.Sh NAME
@@ -149,7 +149,7 @@ as the currently active CA or into the specified
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm create
-.Op Ic server | client
+.Op Ic server | client | ocsp
.Xc
Create a private key and certificate for
.Ar host
@@ -163,6 +163,9 @@ this can be restricted using the optional
or
.Ic client
argument.
+If the
+.Ic ocsp
+argument is specified the extended key usage will be set for OCSP signing.
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm delete
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index d9fd30185b7..223936cca62 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.20 2015/08/19 13:30:54 reyk Exp $ */
+/* $OpenBSD: ikectl.c,v 1.21 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -113,6 +113,7 @@ ca_opt(struct parse_result *res)
case CA_CERT_CREATE:
case CA_SERVER:
case CA_CLIENT:
+ case CA_OCSP:
ca_certificate(ca, res->host, res->htype, res->action);
break;
case CA_CERT_DELETE:
@@ -193,6 +194,7 @@ main(int argc, char *argv[])
case CA_CERT_CREATE:
case CA_CLIENT:
case CA_SERVER:
+ case CA_OCSP:
case CA_CERT_DELETE:
case CA_CERT_INSTALL:
case CA_CERT_EXPORT:
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 5d1e40611c9..a09bf169ebc 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.14 2015/08/19 13:30:54 reyk Exp $ */
+/* $OpenBSD: parser.c,v 1.15 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -181,6 +181,7 @@ static const struct token t_ca_cert_extusage[] = {
{ NOTOKEN, "", NONE, NULL},
{ KEYWORD, "server", CA_SERVER, NULL },
{ KEYWORD, "client", CA_CLIENT, NULL },
+ { KEYWORD, "ocsp", CA_OCSP, NULL },
{ ENDTOKEN, "", NONE, NULL },
};
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index 250bae08db9..f87ee3662ee 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.13 2015/06/11 18:49:09 reyk Exp $ */
+/* $OpenBSD: parser.h,v 1.14 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -44,6 +44,7 @@ enum actions {
CA_CERT_CREATE,
CA_SERVER,
CA_CLIENT,
+ CA_OCSP,
CA_CERT_DELETE,
CA_CERT_INSTALL,
CA_CERT_EXPORT,