sm: Allow combination of usage flags --gen-key.

* sm/certreqgen.c (create_request): Re-implement building of the key-usage extension. -- GnuPG-bug-id: 2029 Signed-off-by: Werner Koch <wk@gnupg.org>
2024-06-06 23:17:47 +02:00 · 2015-10-28 18:57:53 +01:00 · 2015-10-28 18:57:53 +01:00 · 8b6c83dcb0
commit 8b6c83dcb0
parent e095a3fcf2
1 changed files with 46 additions and 31 deletions
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@ -917,38 +917,53 @@ create_request (ctrl_t ctrl,
  /* Set key usage flags.  */
  use = get_parameter_uint (para, pKEYUSAGE);
-  if (use == GCRY_PK_USAGE_SIGN)
+  if (use)
    {
-      /* For signing only we encode the bits:
+      unsigned int mask, pos;
-         KSBA_KEYUSAGE_DIGITAL_SIGNATURE
+      unsigned char der[4];
-         KSBA_KEYUSAGE_NON_REPUDIATION */
+
-      err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
+      der[0] = 0x03;
-                                        "\x03\x02\x06\xC0", 4);
+      der[1] = 0x02;
-    }
+      der[2] = 0;
-  else if (use == GCRY_PK_USAGE_ENCR)
+      der[3] = 0;
-    {
+      if ((use & GCRY_PK_USAGE_SIGN))
-      /* For encrypt only we encode the bits:
+        {
-         KSBA_KEYUSAGE_KEY_ENCIPHERMENT
+          /* For signing only we encode the bits:
-         KSBA_KEYUSAGE_DATA_ENCIPHERMENT */
+             KSBA_KEYUSAGE_DIGITAL_SIGNATURE
-      err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
+             KSBA_KEYUSAGE_NON_REPUDIATION  = 0b11 -> 0b11000000 */
-                                        "\x03\x02\x04\x30", 4);
+          der[3] |= 0xc0;
-    }
+        }
-  else if (use == GCRY_PK_USAGE_CERT)
+      if ((use & GCRY_PK_USAGE_ENCR))
-    {
+        {
-      /* For certify only we encode the bits:
+          /* For encrypt only we encode the bits:
-         KSBA_KEYUSAGE_KEY_CERT_SIGN
+             KSBA_KEYUSAGE_KEY_ENCIPHERMENT
-         KSBA_KEYUSAGE_CRL_SIGN */
+             KSBA_KEYUSAGE_DATA_ENCIPHERMENT = 0b1100 -> 0b00110000 */
-      err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1,
+          der[3] |= 0x30;
-                                        "\x03\x02\x01\x06", 4);
+        }
-    }
+      if ((use & GCRY_PK_USAGE_CERT))
-  else
+        {
-    err = 0; /* Both or none given: don't request one. */
+          /* For certify only we encode the bits:
-  if (err)
+             KSBA_KEYUSAGE_KEY_CERT_SIGN
-    {
+             KSBA_KEYUSAGE_CRL_SIGN      = 0b1100000 -> 0b00000110 */
-      log_error ("error setting the key usage: %s\n",
+          der[3] |= 0x06;
-                 gpg_strerror (err));
+        }
-      rc = err;
+
-      goto leave;
+      /* Count number of unused bits.  */
      for (mask=1, pos=0; pos < 8 * sizeof mask; pos++, mask <<= 1)
        {
          if ((der[3] & mask))
            break;
          der[2]++;
        }
      err = ksba_certreq_add_extension (cr, oidstr_keyUsage, 1, der, 4);
      if (err)
        {
          log_error ("error setting the key usage: %s\n",
                     gpg_strerror (err));
          rc = err;
          goto leave;
        }
    }