diff options
| -rw-r--r-- | src/pki/commands/issue.c | 17 | ||||
| -rw-r--r-- | src/pki/man/pki---issue.1.in | 6 |
2 files changed, 22 insertions, 1 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index d95f53c03..333c6ebb3 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -71,6 +71,7 @@ static int issue() char *error = NULL, *keyid = NULL; identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings; + linked_list_t *addrblocks; int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; @@ -81,6 +82,7 @@ static int issue() x509_t *x509; x509_cdp_t *cdp = NULL; x509_cert_policy_t *policy = NULL; + traffic_selector_t *ts; char *arg; san = linked_list_create(); @@ -90,6 +92,7 @@ static int issue() excluded = linked_list_create(); policies = linked_list_create(); mappings = linked_list_create(); + addrblocks = linked_list_create(); while (TRUE) { @@ -184,6 +187,15 @@ static int issue() case 'p': pathlen = atoi(arg); continue; + case 'B': + ts = parse_ts(arg); + if (!ts) + { + error = "invalid addressBlock"; + goto usage; + } + addrblocks->insert_last(addrblocks, ts); + continue; case 'n': permitted->insert_last(permitted, identification_create_from_string(arg)); @@ -519,7 +531,7 @@ static int issue() BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest, BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, - BUILD_PATHLEN, pathlen, + BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks, BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, @@ -557,6 +569,7 @@ end: san->destroy_offset(san, offsetof(identification_t, destroy)); permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); cdps->destroy_function(cdps, (void*)destroy_cdp); @@ -575,6 +588,7 @@ usage: san->destroy_offset(san, offsetof(identification_t, destroy)); permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy)); policies->destroy_function(policies, (void*)destroy_cert_policy); mappings->destroy_function(mappings, (void*)destroy_policy_mapping); cdps->destroy_function(cdps, (void*)destroy_cdp); @@ -616,6 +630,7 @@ static void __attribute__ ((constructor))reg() {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, + {"addrblock", 'B', 1, "RFC 3779 addrBlock to include"}, {"nc-permitted", 'n', 1, "add permitted NameConstraint"}, {"nc-excluded", 'N', 1, "add excluded NameConstraint"}, {"cert-policy", 'P', 1, "certificatePolicy OID to include"}, diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index ba5886f5f..3f9382e9a 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -24,6 +24,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key .OP \-\-ocsp uri .OP \-\-pathlen len .OP \-\-nc-permitted name +.OP \-\-addrblock block .OP \-\-nc-excluded name .OP \-\-policy\-mapping mapping .OP \-\-policy\-explicit len @@ -148,6 +149,11 @@ times. .BI "\-p, \-\-pathlen " len Set path length constraint. .TP +.BI "\-B, \-\-addrblock " block +RFC 3779 address block to include in certificate. \fIblock\fR is either a +CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range +(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks. +.TP .BI "\-n, \-\-nc-permitted " name Add permitted NameConstraint extension to certificate. For DNS or email constraints, the identity type is not always detectable by the given name. Use |