Added support for writing Key Usage and NS Cert Type extensions

include/polarssl/x509write.h

@@ -334,6 +334,29 @@ int x509write_crt_set_subject_key_identifier( x509write_cert *ctx );
  */
 int x509write_crt_set_authority_key_identifier( x509write_cert *ctx );
 
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. KU_DIGITAL_SIGNATURE | KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CRT context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
+ */
+int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CRT context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or POLARSSL_ERR_X509WRITE_MALLOC_FAILED
+ */
+int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
+                                    unsigned char ns_cert_type );
+
 /**
  * \brief           Free the contents of a CRT write context
  *

library/x509write.c

@@ -389,6 +389,47 @@ int x509write_crt_set_authority_key_identifier( x509write_cert *ctx )
                                    0, buf + sizeof(buf) - len, len );
 }
 
+int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    int ret;
+
+    c = buf + 4;
+
+    if( ( ret = asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+        return( ret );
+
+    ret = x509write_crt_set_extension( ctx, OID_KEY_USAGE,
+                                       OID_SIZE( OID_KEY_USAGE ),
+                                       1, buf, 4 );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int x509write_crt_set_ns_cert_type( x509write_cert *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    int ret;
+
+    c = buf + 4;
+
+    if( ( ret = asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
+        return( ret );
+
+    ret = x509write_crt_set_extension( ctx, OID_NS_CERT_TYPE,
+                                       OID_SIZE( OID_NS_CERT_TYPE ),
+                                       0, buf, 4 );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
 int x509write_pubkey_der( rsa_context *rsa, unsigned char *buf, size_t size )
 {
     int ret;

programs/x509/cert_write.c

@@ -317,13 +317,6 @@ int main( int argc, char *argv[] )
         goto exit;
     }
 
-/*
-    if( opt.key_usage )
-        x509write_csr_set_key_usage( &req, opt.key_usage );
-
-    if( opt.ns_cert_type )
-        x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );
-*/
     /*
      * 1.0. Check the names for validity
      */
@@ -455,6 +448,42 @@ int main( int argc, char *argv[] )
 
     printf( " ok\n" );
 
+    if( opt.key_usage )
+    {
+        printf( "  . Adding the Key Usage extension ..." );
+        fflush( stdout );
+
+        ret = x509write_crt_set_key_usage( &crt, opt.key_usage );
+        if( ret != 0 )
+        {
+#ifdef POLARSSL_ERROR_C
+            error_strerror( ret, buf, 1024 );
+#endif
+            printf( " failed\n  !  x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
+            goto exit;
+        }
+
+        printf( " ok\n" );
+    }
+
+    if( opt.ns_cert_type )
+    {
+        printf( "  . Adding the NS Cert Type extension ..." );
+        fflush( stdout );
+
+        ret = x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
+        if( ret != 0 )
+        {
+#ifdef POLARSSL_ERROR_C
+            error_strerror( ret, buf, 1024 );
+#endif
+            printf( " failed\n  !  x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
+            goto exit;
+        }
+
+        printf( " ok\n" );
+    }
+
     /*
      * 1.2. Writing the request
      */