author | Jack Lloyd <[email protected]> | 2016-08-19 16:03:40 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-08-19 16:03:40 -0400 |
commit | 165a21393f0061a6f3c68b9244a20b41c16c2a78 (patch) | |
tree | ff78cfd1907d0a208c0bb42b73622b0310172633 /src/lib/cert/x509/x509self.cpp | |
parent | f26dfb3572aaab003e0c80002615d190488fb613 (diff) | |
parent | 6cbff45093199d821dee7ee74380474300f49948 (diff) |
Merge GH #591
Change behavior of default key usage encoding, default now omits
the key usage unless the user set a value.
Fix allowed_usage which could produce incorrect results.
More X.509 tests
Diffstat (limited to 'src/lib/cert/x509/x509self.cpp')
-rw-r--r-- | src/lib/cert/x509/x509self.cpp | 35 |
1 files changed, 27 insertions, 8 deletions
diff --git a/src/lib/cert/x509/x509self.cpp b/src/lib/cert/x509/x509self.cpp
index 8b9aeda09..102e24f77 100644
--- a/src/lib/cert/x509/x509self.cpp
+++ b/src/lib/cert/x509/x509self.cpp
@@ -55,9 +55,14 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
 
 Key_Constraints constraints;
 if(opts.is_CA)
+ {
 constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
+ }
 else
- constraints = find_constraints(key, opts.constraints);
+ {
+ verify_cert_constraints_valid_for_key_type(key, opts.constraints);
+ constraints = opts.constraints;
+ }
 
 Extensions extensions;
 
@@ -65,7 +70,10 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts,
 new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit),
 true);
 
- extensions.add(new Cert_Extension::Key_Usage(constraints), true);
+ if(constraints != NO_CONSTRAINTS)
+ {
+ extensions.add(new Cert_Extension::Key_Usage(constraints), true);
+ }
 
 extensions.add(new Cert_Extension::Subject_Key_ID(pub_key));
 
@@ -99,16 +107,27 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts,
 
 const size_t PKCS10_VERSION = 0;
 
+ Key_Constraints constraints;
+ if(opts.is_CA)
+ {
+ constraints = Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);
+ }
+ else
+ {
+ verify_cert_constraints_valid_for_key_type(key, opts.constraints);
+ constraints = opts.constraints;
+ }
+
 Extensions extensions;
 
 extensions.add(
 new Cert_Extension::Basic_Constraints(opts.is_CA, opts.path_limit));
- extensions.add(
- new Cert_Extension::Key_Usage(
- opts.is_CA ? Key_Constraints(KEY_CERT_SIGN | CRL_SIGN) :
- find_constraints(key, opts.constraints)
- )
- );
+
+ if(constraints != NO_CONSTRAINTS)
+ {
+ extensions.add(
+ new Cert_Extension::Key_Usage(constraints));
+ }
 extensions.add(
 new Cert_Extension::Extended_Key_Usage(opts.ex_constraints));
 extensions.add(
|
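Review bot: The CA/non-CA selection of `constraints` is now written out twice, verbatim, in the first and third hunks (create_self_signed_cert and create_cert_req); both enclosing functions start and end outside the hunks. Since this if/else is also the only place the key-type check runs before the usage is encoded, a single static helper keeps the two paths from drifting apart and lets each call site collapse to `const Key_Constraints constraints = choose_key_constraints(key, opts);`. Note too that the CA branch assigns KEY_CERT_SIGN | CRL_SIGN without going through verify_cert_constraints_valid_for_key_type; if that check is meant to reject signature usages for keys that cannot sign, the CA case presumably should be validated as well — worth confirming against its definition, which is not on this page.
```cpp
// KEY_TYPE: the key parameter type create_self_signed_cert and create_cert_req
// already take (their signatures are outside the hunks).
// Decides the encoded key usage for both the self-signed cert and the PKCS#10
// request, and runs the key-type check on the user-supplied constraints.
static Key_Constraints choose_key_constraints(const KEY_TYPE& key,
                                              const X509_Cert_Options& opts)
   {
   if(opts.is_CA)
      return Key_Constraints(KEY_CERT_SIGN | CRL_SIGN);

   verify_cert_constraints_valid_for_key_type(key, opts.constraints);
   return opts.constraints;
   }

// … in create_self_signed_cert, replacing the whole if/else on constraints …
const Key_Constraints constraints = choose_key_constraints(key, opts);

// … in create_cert_req, replacing the whole if/else on constraints …
const Key_Constraints constraints = choose_key_constraints(key, opts);
```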