Annotation of embedaddon/strongswan/src/pki/commands/issue.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2009 Martin Willi
! 3: * Copyright (C) 2015-2019 Andreas Steffen
! 4: * HSR Hochschule fuer Technik Rapperswil
! 5: *
! 6: * This program is free software; you can redistribute it and/or modify it
! 7: * under the terms of the GNU General Public License as published by the
! 8: * Free Software Foundation; either version 2 of the License, or (at your
! 9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 10: *
! 11: * This program is distributed in the hope that it will be useful, but
! 12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 14: * for more details.
! 15: */
! 16:
! 17: #include <time.h>
! 18: #include <errno.h>
! 19:
! 20: #include "pki.h"
! 21:
! 22: #include <utils/debug.h>
! 23: #include <asn1/asn1.h>
! 24: #include <collections/linked_list.h>
! 25: #include <credentials/certificates/certificate.h>
! 26: #include <credentials/certificates/x509.h>
! 27: #include <credentials/certificates/pkcs10.h>
! 28:
! 29: /**
! 30: * Free cert policy with OID
! 31: */
! 32: static void destroy_cert_policy(x509_cert_policy_t *policy)
! 33: {
! 34: free(policy->oid.ptr);
! 35: free(policy);
! 36: }
! 37:
! 38: /**
! 39: * Free policy mapping
! 40: */
! 41: static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
! 42: {
! 43: free(mapping->issuer.ptr);
! 44: free(mapping->subject.ptr);
! 45: free(mapping);
! 46: }
! 47:
! 48: /**
! 49: * Free a CRL DistributionPoint
! 50: */
! 51: static void destroy_cdp(x509_cdp_t *this)
! 52: {
! 53: DESTROY_IF(this->issuer);
! 54: free(this);
! 55: }
! 56:
! 57: /**
! 58: * Issue a certificate using a CA certificate and key
! 59: */
! 60: static int issue()
! 61: {
! 62: cred_encoding_type_t form = CERT_ASN1_DER;
! 63: hash_algorithm_t digest = HASH_UNKNOWN;
! 64: signature_params_t *scheme = NULL;
! 65: certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
! 66: private_key_t *private = NULL;
! 67: public_key_t *public = NULL;
! 68: credential_type_t type = CRED_PUBLIC_KEY;
! 69: key_type_t subtype = KEY_ANY;
! 70: bool pkcs10 = FALSE;
! 71: char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
! 72: char *error = NULL, *keyid = NULL;
! 73: identification_t *id = NULL;
! 74: linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
! 75: linked_list_t *addrblocks;
! 76: int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
! 77: int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
! 78: chunk_t serial = chunk_empty;
! 79: chunk_t encoding = chunk_empty;
! 80: chunk_t critical_extension_oid = chunk_empty;
! 81: time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
! 82: char *datenb = NULL, *datena = NULL, *dateform = NULL;
! 83: x509_flag_t flags = 0;
! 84: x509_t *x509;
! 85: x509_cdp_t *cdp = NULL;
! 86: x509_cert_policy_t *policy = NULL;
! 87: traffic_selector_t *ts;
! 88: char *arg;
! 89: bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
! 90: lib->ns);
! 91:
! 92: san = linked_list_create();
! 93: cdps = linked_list_create();
! 94: ocsp = linked_list_create();
! 95: permitted = linked_list_create();
! 96: excluded = linked_list_create();
! 97: policies = linked_list_create();
! 98: mappings = linked_list_create();
! 99: addrblocks = linked_list_create();
! 100:
! 101: while (TRUE)
! 102: {
! 103: switch (command_getopt(&arg))
! 104: {
! 105: case 'h':
! 106: goto usage;
! 107: case 't':
! 108: if (streq(arg, "pkcs10"))
! 109: {
! 110: pkcs10 = TRUE;
! 111: }
! 112: else if (streq(arg, "rsa"))
! 113: {
! 114: type = CRED_PRIVATE_KEY;
! 115: subtype = KEY_RSA;
! 116: }
! 117: else if (streq(arg, "ecdsa"))
! 118: {
! 119: type = CRED_PRIVATE_KEY;
! 120: subtype = KEY_ECDSA;
! 121: }
! 122: else if (streq(arg, "ed25519"))
! 123: {
! 124: type = CRED_PRIVATE_KEY;
! 125: subtype = KEY_ED25519;
! 126: }
! 127: else if (streq(arg, "ed448"))
! 128: {
! 129: type = CRED_PRIVATE_KEY;
! 130: subtype = KEY_ED448;
! 131: }
! 132: else if (streq(arg, "bliss"))
! 133: {
! 134: type = CRED_PRIVATE_KEY;
! 135: subtype = KEY_BLISS;
! 136: }
! 137: else if (streq(arg, "priv"))
! 138: {
! 139: type = CRED_PRIVATE_KEY;
! 140: subtype = KEY_ANY;
! 141: }
! 142: else if (!streq(arg, "pub"))
! 143: {
! 144: error = "invalid input type";
! 145: goto usage;
! 146: }
! 147: continue;
! 148: case 'g':
! 149: if (!enum_from_name(hash_algorithm_short_names, arg, &digest))
! 150: {
! 151: error = "invalid --digest type";
! 152: goto usage;
! 153: }
! 154: continue;
! 155: case 'R':
! 156: if (streq(arg, "pss"))
! 157: {
! 158: pss = TRUE;
! 159: }
! 160: else if (!streq(arg, "pkcs1"))
! 161: {
! 162: error = "invalid RSA padding";
! 163: goto usage;
! 164: }
! 165: continue;
! 166: case 'i':
! 167: file = arg;
! 168: continue;
! 169: case 'c':
! 170: cacert = arg;
! 171: continue;
! 172: case 'k':
! 173: cakey = arg;
! 174: continue;
! 175: case 'x':
! 176: keyid = arg;
! 177: continue;
! 178: case 'd':
! 179: dn = arg;
! 180: continue;
! 181: case 'a':
! 182: san->insert_last(san, identification_create_from_string(arg));
! 183: continue;
! 184: case 'l':
! 185: lifetime = atoi(arg) * 24 * 60 * 60;
! 186: if (!lifetime)
! 187: {
! 188: error = "invalid --lifetime value";
! 189: goto usage;
! 190: }
! 191: continue;
! 192: case 'D':
! 193: dateform = arg;
! 194: continue;
! 195: case 'F':
! 196: datenb = arg;
! 197: continue;
! 198: case 'T':
! 199: datena = arg;
! 200: continue;
! 201: case 's':
! 202: hex = arg;
! 203: continue;
! 204: case 'b':
! 205: flags |= X509_CA;
! 206: continue;
! 207: case 'p':
! 208: pathlen = atoi(arg);
! 209: continue;
! 210: case 'B':
! 211: ts = parse_ts(arg);
! 212: if (!ts)
! 213: {
! 214: error = "invalid addressBlock";
! 215: goto usage;
! 216: }
! 217: addrblocks->insert_last(addrblocks, ts);
! 218: continue;
! 219: case 'n':
! 220: permitted->insert_last(permitted,
! 221: identification_create_from_string(arg));
! 222: continue;
! 223: case 'N':
! 224: excluded->insert_last(excluded,
! 225: identification_create_from_string(arg));
! 226: continue;
! 227: case 'P':
! 228: {
! 229: chunk_t oid;
! 230:
! 231: oid = asn1_oid_from_string(arg);
! 232: if (!oid.len)
! 233: {
! 234: error = "--cert-policy OID invalid";
! 235: goto usage;
! 236: }
! 237: INIT(policy,
! 238: .oid = oid,
! 239: );
! 240: policies->insert_last(policies, policy);
! 241: continue;
! 242: }
! 243: case 'C':
! 244: if (!policy)
! 245: {
! 246: error = "--cps-uri must follow a --cert-policy";
! 247: goto usage;
! 248: }
! 249: policy->cps_uri = arg;
! 250: continue;
! 251: case 'U':
! 252: if (!policy)
! 253: {
! 254: error = "--user-notice must follow a --cert-policy";
! 255: goto usage;
! 256: }
! 257: policy->unotice_text = arg;
! 258: continue;
! 259: case 'M':
! 260: {
! 261: char *pos = strchr(arg, ':');
! 262: x509_policy_mapping_t *mapping;
! 263: chunk_t subject_oid, issuer_oid;
! 264:
! 265: if (pos)
! 266: {
! 267: *pos++ = '\0';
! 268: issuer_oid = asn1_oid_from_string(arg);
! 269: subject_oid = asn1_oid_from_string(pos);
! 270: }
! 271: if (!pos || !issuer_oid.len || !subject_oid.len)
! 272: {
! 273: error = "--policy-map OIDs invalid";
! 274: goto usage;
! 275: }
! 276: INIT(mapping,
! 277: .issuer = issuer_oid,
! 278: .subject = subject_oid,
! 279: );
! 280: mappings->insert_last(mappings, mapping);
! 281: continue;
! 282: }
! 283: case 'E':
! 284: require_explicit = atoi(arg);
! 285: continue;
! 286: case 'H':
! 287: inhibit_mapping = atoi(arg);
! 288: continue;
! 289: case 'A':
! 290: inhibit_any = atoi(arg);
! 291: continue;
! 292: case 'e':
! 293: if (streq(arg, "serverAuth"))
! 294: {
! 295: flags |= X509_SERVER_AUTH;
! 296: }
! 297: else if (streq(arg, "clientAuth"))
! 298: {
! 299: flags |= X509_CLIENT_AUTH;
! 300: }
! 301: else if (streq(arg, "ikeIntermediate"))
! 302: {
! 303: flags |= X509_IKE_INTERMEDIATE;
! 304: }
! 305: else if (streq(arg, "crlSign"))
! 306: {
! 307: flags |= X509_CRL_SIGN;
! 308: }
! 309: else if (streq(arg, "ocspSigning"))
! 310: {
! 311: flags |= X509_OCSP_SIGNER;
! 312: }
! 313: else if (streq(arg, "msSmartcardLogon"))
! 314: {
! 315: flags |= X509_MS_SMARTCARD_LOGON;
! 316: }
! 317: continue;
! 318: case 'f':
! 319: if (!get_form(arg, &form, CRED_CERTIFICATE))
! 320: {
! 321: error = "invalid output format";
! 322: goto usage;
! 323: }
! 324: continue;
! 325: case 'u':
! 326: INIT(cdp,
! 327: .uri = arg,
! 328: );
! 329: cdps->insert_last(cdps, cdp);
! 330: continue;
! 331: case 'I':
! 332: if (!cdp || cdp->issuer)
! 333: {
! 334: error = "--crlissuer must follow a --crl";
! 335: goto usage;
! 336: }
! 337: cdp->issuer = identification_create_from_string(arg);
! 338: continue;
! 339: case 'o':
! 340: ocsp->insert_last(ocsp, arg);
! 341: continue;
! 342: case 'X':
! 343: chunk_free(&critical_extension_oid);
! 344: critical_extension_oid = asn1_oid_from_string(arg);
! 345: continue;
! 346: case EOF:
! 347: break;
! 348: default:
! 349: error = "invalid --issue option";
! 350: goto usage;
! 351: }
! 352: break;
! 353: }
! 354:
! 355: if (!cacert)
! 356: {
! 357: error = "--cacert is required";
! 358: goto usage;
! 359: }
! 360: if (!cakey && !keyid)
! 361: {
! 362: error = "--cakey or --keyid is required";
! 363: goto usage;
! 364: }
! 365: if (!calculate_lifetime(dateform, datenb, datena, lifetime,
! 366: ¬_before, ¬_after))
! 367: {
! 368: error = "invalid --not-before/after datetime";
! 369: goto usage;
! 370: }
! 371: if (dn && *dn)
! 372: {
! 373: id = identification_create_from_string(dn);
! 374: if (id->get_type(id) != ID_DER_ASN1_DN)
! 375: {
! 376: error = "supplied --dn is not a distinguished name";
! 377: goto end;
! 378: }
! 379: }
! 380:
! 381: DBG2(DBG_LIB, "Reading ca certificate:");
! 382: ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
! 383: BUILD_FROM_FILE, cacert, BUILD_END);
! 384: if (!ca)
! 385: {
! 386: error = "parsing CA certificate failed";
! 387: goto end;
! 388: }
! 389: x509 = (x509_t*)ca;
! 390: if (!(x509->get_flags(x509) & X509_CA))
! 391: {
! 392: error = "CA certificate misses CA basicConstraint";
! 393: goto end;
! 394: }
! 395: public = ca->get_public_key(ca);
! 396: if (!public)
! 397: {
! 398: error = "extracting CA certificate public key failed";
! 399: goto end;
! 400: }
! 401:
! 402: DBG2(DBG_LIB, "Reading ca private key:");
! 403: if (cakey)
! 404: {
! 405: private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
! 406: public->get_type(public),
! 407: BUILD_FROM_FILE, cakey, BUILD_END);
! 408: }
! 409: else
! 410: {
! 411: chunk_t chunk;
! 412:
! 413: chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
! 414: private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
! 415: BUILD_PKCS11_KEYID, chunk, BUILD_END);
! 416: free(chunk.ptr);
! 417: }
! 418: if (!private)
! 419: {
! 420: error = "loading CA private key failed";
! 421: goto end;
! 422: }
! 423: if (!private->belongs_to(private, public))
! 424: {
! 425: error = "CA private key does not match CA certificate";
! 426: goto end;
! 427: }
! 428: public->destroy(public);
! 429: public = NULL;
! 430:
! 431: if (hex)
! 432: {
! 433: serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
! 434: }
! 435: else
! 436: {
! 437: rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
! 438:
! 439: if (!rng)
! 440: {
! 441: error = "no random number generator found";
! 442: goto end;
! 443: }
! 444: if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
! 445: {
! 446: error = "failed to generate serial number";
! 447: rng->destroy(rng);
! 448: goto end;
! 449: }
! 450: serial.ptr[0] &= 0x7F;
! 451: rng->destroy(rng);
! 452: }
! 453:
! 454: if (pkcs10)
! 455: {
! 456: enumerator_t *enumerator;
! 457: identification_t *subjectAltName;
! 458: pkcs10_t *req;
! 459:
! 460: DBG2(DBG_LIB, "Reading certificate request");
! 461: if (file)
! 462: {
! 463: cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
! 464: CERT_PKCS10_REQUEST,
! 465: BUILD_FROM_FILE, file, BUILD_END);
! 466: }
! 467: else
! 468: {
! 469: chunk_t chunk;
! 470:
! 471: set_file_mode(stdin, CERT_ASN1_DER);
! 472: if (!chunk_from_fd(0, &chunk))
! 473: {
! 474: fprintf(stderr, "%s: ", strerror(errno));
! 475: error = "reading certificate request failed";
! 476: goto end;
! 477: }
! 478: cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
! 479: CERT_PKCS10_REQUEST,
! 480: BUILD_BLOB, chunk, BUILD_END);
! 481: free(chunk.ptr);
! 482: }
! 483: if (!cert_req)
! 484: {
! 485: error = "parsing certificate request failed";
! 486: goto end;
! 487: }
! 488:
! 489: /* If not set yet use subject from PKCS#10 certificate request as DN */
! 490: if (!id)
! 491: {
! 492: id = cert_req->get_subject(cert_req);
! 493: id = id->clone(id);
! 494: }
! 495:
! 496: /* Add subjectAltNames from PKCS#10 certificate request */
! 497: req = (pkcs10_t*)cert_req;
! 498: enumerator = req->create_subjectAltName_enumerator(req);
! 499: while (enumerator->enumerate(enumerator, &subjectAltName))
! 500: {
! 501: san->insert_last(san, subjectAltName->clone(subjectAltName));
! 502: }
! 503: enumerator->destroy(enumerator);
! 504:
! 505: /* Use public key from PKCS#10 certificate request */
! 506: public = cert_req->get_public_key(cert_req);
! 507: }
! 508: else
! 509: {
! 510: DBG2(DBG_LIB, "Reading key:");
! 511: if (file)
! 512: {
! 513: public = lib->creds->create(lib->creds, type, subtype,
! 514: BUILD_FROM_FILE, file, BUILD_END);
! 515: }
! 516: else
! 517: {
! 518: chunk_t chunk;
! 519:
! 520: if (!chunk_from_fd(0, &chunk))
! 521: {
! 522: fprintf(stderr, "%s: ", strerror(errno));
! 523: error = "reading key failed";
! 524: goto end;
! 525: }
! 526: public = lib->creds->create(lib->creds, type, subtype,
! 527: BUILD_BLOB, chunk, BUILD_END);
! 528: free(chunk.ptr);
! 529: }
! 530: if (public && type == CRED_PRIVATE_KEY)
! 531: {
! 532: private_key_t *priv = (private_key_t*)public;
! 533: public = priv->get_public_key(priv);
! 534: priv->destroy(priv);
! 535: }
! 536: }
! 537: if (!public)
! 538: {
! 539: error = "parsing public key failed";
! 540: goto end;
! 541: }
! 542:
! 543: if (!id)
! 544: {
! 545: id = identification_create_from_encoding(ID_DER_ASN1_DN,
! 546: chunk_from_chars(ASN1_SEQUENCE, 0));
! 547: }
! 548: scheme = get_signature_scheme(private, digest, pss);
! 549: if (!scheme)
! 550: {
! 551: error = "no signature scheme found";
! 552: goto end;
! 553: }
! 554:
! 555: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
! 556: BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
! 557: BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
! 558: BUILD_NOT_BEFORE_TIME, not_before,
! 559: BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
! 560: BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
! 561: BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
! 562: BUILD_CRL_DISTRIBUTION_POINTS, cdps,
! 563: BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
! 564: BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
! 565: BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
! 566: BUILD_CERTIFICATE_POLICIES, policies,
! 567: BUILD_POLICY_MAPPINGS, mappings,
! 568: BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
! 569: BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
! 570: BUILD_POLICY_INHIBIT_ANY, inhibit_any,
! 571: BUILD_CRITICAL_EXTENSION, critical_extension_oid,
! 572: BUILD_SIGNATURE_SCHEME, scheme,
! 573: BUILD_END);
! 574: if (!cert)
! 575: {
! 576: error = "generating certificate failed";
! 577: goto end;
! 578: }
! 579: if (!cert->get_encoding(cert, form, &encoding))
! 580: {
! 581: error = "encoding certificate failed";
! 582: goto end;
! 583: }
! 584: set_file_mode(stdout, form);
! 585: if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
! 586: {
! 587: error = "writing certificate key failed";
! 588: goto end;
! 589: }
! 590:
! 591: end:
! 592: DESTROY_IF(id);
! 593: DESTROY_IF(cert_req);
! 594: DESTROY_IF(cert);
! 595: DESTROY_IF(ca);
! 596: DESTROY_IF(public);
! 597: DESTROY_IF(private);
! 598: san->destroy_offset(san, offsetof(identification_t, destroy));
! 599: permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
! 600: excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
! 601: addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
! 602: policies->destroy_function(policies, (void*)destroy_cert_policy);
! 603: mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
! 604: cdps->destroy_function(cdps, (void*)destroy_cdp);
! 605: ocsp->destroy(ocsp);
! 606: signature_params_destroy(scheme);
! 607: free(critical_extension_oid.ptr);
! 608: free(encoding.ptr);
! 609: free(serial.ptr);
! 610:
! 611: if (error)
! 612: {
! 613: fprintf(stderr, "%s\n", error);
! 614: return 1;
! 615: }
! 616: return 0;
! 617:
! 618: usage:
! 619: san->destroy_offset(san, offsetof(identification_t, destroy));
! 620: permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
! 621: excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
! 622: addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
! 623: policies->destroy_function(policies, (void*)destroy_cert_policy);
! 624: mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
! 625: cdps->destroy_function(cdps, (void*)destroy_cdp);
! 626: ocsp->destroy(ocsp);
! 627: free(critical_extension_oid.ptr);
! 628: return command_usage(error);
! 629: }
! 630:
! 631: /**
! 632: * Register the command.
! 633: */
! 634: static void __attribute__ ((constructor))reg()
! 635: {
! 636: command_register((command_t) {
! 637: issue, 'i', "issue",
! 638: "issue a certificate using a CA certificate and key",
! 639: {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|ed448|bliss]",
! 640: "--cakey file|--cakeyid hex --cacert file [--dn subject-dn]",
! 641: "[--san subjectAltName]+ [--lifetime days] [--serial hex]",
! 642: "[--ca] [--pathlen len]",
! 643: "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
! 644: "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
! 645: "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
! 646: "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
! 647: "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
! 648: "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
! 649: "[--rsa-padding pkcs1|pss] [--critical oid]",
! 650: "[--outform der|pem]"},
! 651: {
! 652: {"help", 'h', 0, "show usage information"},
! 653: {"in", 'i', 1, "key/request file to issue, default: stdin"},
! 654: {"type", 't', 1, "type of input, default: pub"},
! 655: {"cacert", 'c', 1, "CA certificate file"},
! 656: {"cakey", 'k', 1, "CA private key file"},
! 657: {"cakeyid", 'x', 1, "smartcard or TPM CA private key object handle"},
! 658: {"dn", 'd', 1, "distinguished name to include as subject"},
! 659: {"san", 'a', 1, "subjectAltName to include in certificate"},
! 660: {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
! 661: {"not-before", 'F', 1, "date/time the validity of the cert starts"},
! 662: {"not-after", 'T', 1, "date/time the validity of the cert ends"},
! 663: {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
! 664: {"serial", 's', 1, "serial number in hex, default: random"},
! 665: {"ca", 'b', 0, "include CA basicConstraint, default: no"},
! 666: {"pathlen", 'p', 1, "set path length constraint"},
! 667: {"addrblock", 'B', 1, "RFC 3779 addrBlock to include"},
! 668: {"nc-permitted", 'n', 1, "add permitted NameConstraint"},
! 669: {"nc-excluded", 'N', 1, "add excluded NameConstraint"},
! 670: {"cert-policy", 'P', 1, "certificatePolicy OID to include"},
! 671: {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
! 672: {"user-notice", 'U', 1, "user notice for certificatePolicy"},
! 673: {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
! 674: {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
! 675: {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
! 676: {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
! 677: {"flag", 'e', 1, "include extendedKeyUsage flag"},
! 678: {"crl", 'u', 1, "CRL distribution point URI to include"},
! 679: {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
! 680: {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
! 681: {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
! 682: {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
! 683: {"critical", 'X', 1, "critical extension OID to include"},
! 684: {"outform", 'f', 1, "encoding of generated cert, default: der"},
! 685: }
! 686: });
! 687: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to issue.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / pki / commands