From 065ed8638504cdd29e1b709d1bee42e831eddec8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Aug 24 2017 22:25:54 +0000 Subject: MS cert template: add option to command line programs Add the --ms-template-spec command line argument for specifying the value of the V2 Certificate Template extension. Part of: https://pagure.io/certmonger/issue/78 --- diff --git a/src/getcert-rekey.1.in b/src/getcert-rekey.1.in index ba11bf7..39ba761 100644 --- a/src/getcert-rekey.1.in +++ b/src/getcert-rekey.1.in @@ -61,6 +61,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. Request a certificate using the named profile, template, or certtype, from the specified CA. .TP +\fB\-\-ms-template-spec\fR SPEC +Include a V2 Certificate Template extension in the signing request. +This datum includes an Object Identifier, a major version number +(positive integer) and an optional minor version number. The format +is: \fB:[:]\fR. +.TP \fB\-X\fR NAME Request a certificate using the named issuer from the specified CA. .TP diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in index ed9dd6a..f71ada7 100644 --- a/src/getcert-request.1.in +++ b/src/getcert-request.1.in @@ -88,6 +88,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. Request a certificate using the named profile, template, or certtype, from the specified CA. .TP +\fB\-\-ms-template-spec\fR SPEC +Include a V2 Certificate Template extension in the signing request. +This datum includes an Object Identifier, a major version number +(positive integer) and an optional minor version number. The format +is: \fB:[:]\fR. +.TP \fB\-X\fR NAME Request a certificate using the named issuer from the specified CA. diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in index ec92b6e..f9e6bb1 100644 --- a/src/getcert-resubmit.1.in +++ b/src/getcert-resubmit.1.in 
@@ -48,6 +48,12 @@ the CA should correspond to one listed by \fIgetcert list-cas\fR. Request a certificate using the named profile, template, or certtype, from the specified CA. .TP +\fB\-\-ms-template-spec\fR SPEC +Include a V2 Certificate Template extension in the signing request. +This datum includes an Object Identifier, a major version number +(positive integer) and an optional minor version number. The format +is: \fB:[:]\fR. +.TP \fB\-X\fR NAME Request a certificate using the named issuer from the specified CA. .TP diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in index 75d3a4d..f60e4a7 100644 --- a/src/getcert-start-tracking.1.in +++ b/src/getcert-start-tracking.1.in @@ -86,6 +86,12 @@ useful in combination with \fB\-r\fR. Request a certificate using the named profile, template, or certtype, from the specified CA. .TP +\fB\-\-ms-template-spec\fR SPEC +Include a V2 Certificate Template extension in the signing request. +This datum includes an Object Identifier, a major version number +(positive integer) and an optional minor version number. The format +is: \fB:[:]\fR. +.TP \fB\-X\fR NAME Request a certificate using the named issuer from the specified CA. diff --git a/src/getcert.c b/src/getcert.c index e39a173..5ecd712 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -748,6 +748,7 @@ request(const char *argv0, int argc, const char **argv) int keysize = 0, auto_renew = 1, verbose = 0, ku = 0, kubit, c, i, j; char *ca = DEFAULT_CA, *subject = NULL, **eku = NULL, *oid, *id = NULL; char *profile = NULL, *issuer = NULL, kustring[16]; + char *ms_template_spec = NULL; char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; char *key_owner = NULL, *key_perms = NULL; char *cert_owner = NULL, *cert_perms = NULL; 
@@ -789,6 +790,7 @@ request(const char *argv0, int argc, const char **argv) {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME}, #endif {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, + {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, @@ -919,6 +921,9 @@ request(const char *argv0, int argc, const char **argv) case 'T': profile = talloc_strdup(globals.tctx, poptarg); break; + case 'Y': + ms_template_spec = talloc_strdup(globals.tctx, poptarg); + break; case 'X': issuer = talloc_strdup(globals.tctx, poptarg); break; @@ -1362,6 +1367,13 @@ request(const char *argv0, int argc, const char **argv) params[i] = ¶m[i]; i++; } + if (ms_template_spec != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = ms_template_spec; + params[i] = ¶m[i]; + i++; + } if (issuer != NULL) { param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER; param[i].value_type = cm_tdbusm_dict_s; @@ -1561,6 +1573,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id, char *pin, char *pinfile, char *cpass, char *cpassfile, char *ca, char *profile, char *issuer, + char *ms_template_spec, char *precommand, char *postcommand, char **anchor_dbs, char **anchor_files, int is_ca, int path_length, 
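Review bot: The `case 'Y'` arm stores `poptarg` verbatim, so a value that does not match the advertised `OID:MAJOR-VERSION[:MINOR-VERSION]` form (a bare OID, an empty version, trailing junk) is only caught, if at all, when the daemon parses the `CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE` property, and the user then sees a less specific failure from the D-Bus round trip. The same arm is added to set_tracking at @@ -1971 and rekey_or_resubmit at @@ -2600, so one shared check would cover all three. A small file-scope helper like the one below, called before the `talloc_strdup`, rejects malformed input up front; it is a syntactic sanity check only and leaves acceptance of the actual template to the daemon and CA, and it relies on `strspn` which I assume getcert.c already has in scope. I cannot see from the hunk how the neighbouring arms (e.g. `'u'`) report a malformed value, so the error path in the excerpt is a placeholder to be aligned with them; request()'s switch continues outside the hunk.
```c
/* Return nonzero if SPEC has the form OID:MAJOR[:MINOR]: a dotted-decimal OID
 * with at least two arcs followed by one or two unsigned decimal integers.
 * Syntactic check only; the daemon and CA decide whether the template itself
 * is acceptable. */
static int
ms_template_spec_is_valid(const char *spec)
{
	const char *p = spec;
	size_t n;
	int arcs = 0, versions = 0;

	for (;;) {
		n = strspn(p, "0123456789");
		if (n == 0) {
			return 0;
		}
		arcs++;
		p += n;
		if (*p != '.') {
			break;
		}
		p++;
	}
	if (arcs < 2) {
		return 0;
	}
	while (*p == ':' && versions < 2) {
		p++;
		n = strspn(p, "0123456789");
		if (n == 0) {
			return 0;
		}
		p += n;
		versions++;
	}
	return versions >= 1 && *p == '\0';
}

/* … unchanged: option parsing up to case 'T' … */
		case 'Y':
			if (!ms_template_spec_is_valid(poptarg)) {
				/* placeholder: report and fail the way the other malformed-value arms in this switch do */
				printf(_("Invalid MS template specifier \"%s\"; expected OID:MAJOR-VERSION[:MINOR-VERSION].\n"), poptarg);
				return 1;
			}
			ms_template_spec = talloc_strdup(globals.tctx, poptarg);
			break;
```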
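Review bot: The new `if (ms_template_spec != NULL)` block appends a further entry to `param`/`params` by bumping `i`, but both arrays are declared with a fixed size outside the hunk and nothing in the diff grows them, so if the existing size was exactly the previous maximum number of properties, a request that supplies every optional value now writes one element past the end. The same block is added in add_basic_request at @@ -1735 and rekey_or_resubmit at @@ -2975. Please confirm the three declarations have headroom for the extra entry, or guard each append with a bound check such as `assert(i < sizeof(param) / sizeof(param[0]));` (or whatever check the file already uses), since a silent overrun here corrupts the D-Bus dictionary being built. Incidentally, the page renders `¶m[i]` where the source presumably reads `&param[i]` (an `&para` entity mangling in the rendering, not in the diff). request()'s body continues on both sides of the hunk.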
@@ -1735,6 +1748,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
 params[i] = ¶m[i];
 i++;
 }
+ if (ms_template_spec != NULL) {
+ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = ms_template_spec;
+ params[i] = ¶m[i];
+ i++;
+ }
 if (issuer != NULL) {
 param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;
 param[i].value_type = cm_tdbusm_dict_s;
@@ -1825,6 +1845,7 @@ set_tracking(const char *argv0, const char *category,
 char *id = NULL, *new_id = NULL, *new_request;
 char *keyfile = NULL, *certfile = NULL, *ca = DEFAULT_CA;
 char *profile = NULL, *issuer = NULL;
+ char *ms_template_spec = NULL;
 char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
 char *key_owner = NULL, *key_perms = NULL;
 char *cert_owner = NULL, *cert_perms = NULL;
@@ -1866,6 +1887,7 @@ set_tracking(const char *argv0, const char *category,
 {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the default"), HELP_TYPE_NAME},
 #endif
 {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME},
+ {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME},
 {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME},
 {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("override requested key usage value"), HELP_TYPE_KU},
 {"extended-key-usage", 'U', POPT_ARG_STRING, NULL, 'U', _("override requested extended key usage OID"), HELP_TYPE_EKU},
@@ -1971,6 +1993,9 @@ set_tracking(const char *argv0, const char *category,
 case 'T':
 profile = talloc_strdup(globals.tctx, poptarg);
 break;
+ case 'Y':
+ ms_template_spec = talloc_strdup(globals.tctx, poptarg);
+ break;
 case 'X':
 issuer = talloc_strdup(globals.tctx, poptarg);
 break;
@@ -2409,6 +2434,7 @@ set_tracking(const char *argv0, const char *category, pin, pinfile, cpass, cpassfile, ca, profile, issuer, + ms_template_spec, precommand, postcommand, anchor_dbs, anchor_files, is_ca, path_length, @@ -2485,6 +2511,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, char *subject = NULL, **eku = NULL, *oid = NULL; char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL; char *profile = NULL, *issuer = NULL, kustring[16]; + char *ms_template_spec = NULL; char *key_owner = NULL, *key_perms = NULL; char *cert_owner = NULL, *cert_perms = NULL; char *keytype = NULL; @@ -2522,6 +2549,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, {"ca", 'c', POPT_ARG_STRING, &ca, 0, _("use the specified CA configuration rather than the current one"), HELP_TYPE_NAME}, #endif {"profile", 'T', POPT_ARG_STRING, NULL, 'T', _("ask the CA to process the request using the named profile or template"), HELP_TYPE_NAME}, + {"ms-template-spec", 0, POPT_ARG_STRING, NULL, 'Y', _("include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])"), HELP_TYPE_NAME}, {"issuer", 'X', POPT_ARG_STRING, NULL, 'X', _("ask the CA to process the request using the named issuer"), HELP_TYPE_NAME}, {"subject-name", 'N', POPT_ARG_STRING, NULL, 'N', _("set requested subject name (default: CN=)"), HELP_TYPE_SUBJECT}, {"key-usage", 'u', POPT_ARG_STRING, NULL, 'u', _("set requested key usage value"), HELP_TYPE_KU}, @@ -2600,6 +2628,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc, case 'T': profile = talloc_strdup(globals.tctx, poptarg); break; + case 'Y': + ms_template_spec = talloc_strdup(globals.tctx, poptarg); + break; case 'X': issuer = talloc_strdup(globals.tctx, poptarg); break; 
@@ -2975,6 +3006,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
 params[i] = ¶m[i];
 i++;
 }
+ if (ms_template_spec != NULL) {
+ param[i].key = CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = ms_template_spec;
+ params[i] = ¶m[i];
+ i++;
+ }
 if (issuer != NULL) {
 param[i].key = CM_DBUS_PROP_TEMPLATE_ISSUER;
 param[i].value_type = cm_tdbusm_dict_s;
@@ -4816,6 +4854,8 @@ help(const char *twopartcmd, const char *category)
 N_(" -c CA use the specified CA rather than the default\n"),
 #endif
 N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" --ms-template-spec SPEC\n"),
+ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
 N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
 N_("* Parameters for the signing request:\n"),
 N_(" -N NAME set requested subject name (default: CN=)\n"),
@@ -4865,6 +4905,8 @@ help(const char *twopartcmd, const char *category)
 N_(" -c CA use the specified CA rather than the default\n"),
 #endif
 N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" --ms-template-spec SPEC\n"),
+ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
 N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
 N_("* Parameters for the signing request at renewal time:\n"),
 N_(" -U EXTUSAGE override requested extended key usage OID\n"),
@@ -4944,6 +4986,8 @@ help(const char *twopartcmd, const char *category)
 N_(" -c CA use the specified CA rather than the current one\n"),
 #endif
 N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" --ms-template-spec SPEC\n"),
+ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
 N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
 N_("* Bus options:\n"),
 N_(" -S connect to the certmonger service on the system bus\n"),
@@ -4992,6 +5036,8 @@ help(const char *twopartcmd, const char *category)
 N_(" -c CA use the specified CA rather than the current one\n"),
 #endif
 N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
+ N_(" --ms-template-spec SPEC\n"),
+ N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
 N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
 N_(" -G TYPE type of new key to be generated\n"),
 N_(" -g SIZE size of new key to be generated\n"),