authorjsg <jsg@openbsd.org>2015-11-02 10:27:44 +0000
committerjsg <jsg@openbsd.org>2015-11-02 10:27:44 +0000
commitab7171b1b7ff997a423930358f9c335e1455e68f (patch)
treeea9594ef2177924a20494cbaa570668089345ed4 /usr.sbin/ikectl
parentuse SOCK_NONBLOCK instead of fcntl (diff)
Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing. Requested by and ok reyk@
Diffstat (limited to 'usr.sbin/ikectl')
-rw-r--r--usr.sbin/ikectl/ikeca.c7
-rw-r--r--usr.sbin/ikectl/ikectl.89
-rw-r--r--usr.sbin/ikectl/ikectl.c4
-rw-r--r--usr.sbin/ikectl/parser.c3
-rw-r--r--usr.sbin/ikectl/parser.h3
5 files changed, 19 insertions, 7 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 8ecfd3e2d54..90ef087e5c3 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.37 2015/08/19 21:07:23 reyk Exp $ */
+/* $OpenBSD: ikeca.c,v 1.38 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -273,6 +273,11 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
ca_setenv("$ENV::CERTUSAGE",
"digitalSignature,keyAgreement");
break;
+ case CA_OCSP:
+ ca_setenv("$ENV::EXTCERTUSAGE", "OCSPSigning");
+ ca_setenv("$ENV::CERTUSAGE",
+ "nonRepudiation,digitalSignature,keyEncipherment");
+ break;
default:
break;
}
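Review bot: The key usage the new CA_OCSP case sets, `"nonRepudiation,digitalSignature,keyEncipherment"`, is broader than an OCSP responder key needs: the responder only signs responses, so `keyEncipherment` grants a capability the key never exercises, and least privilege argues for `ca_setenv("$ENV::CERTUSAGE", "digitalSignature");` (adding `nonRepudiation` only if the deployment wants it), in line with the tighter usage the preceding case sets just above. RFC 6960 section 4.2.2.2.1 also expects a delegated OCSP signing certificate to carry the id-pkix-ocsp-nocheck extension so relying parties do not try to check the responder certificate's own status via OCSP; whether the OpenSSL configuration that consumes `$ENV::EXTCERTUSAGE` adds that extension is not visible in this hunk and is worth confirming before the option is relied on. A short comment on the new case, `/* OCSP responder: signs responses only; EKU id-kp-OCSPSigning per RFC 6960 */`, would record the intent. ca_certificate() starts and ends outside this hunk.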
diff --git a/usr.sbin/ikectl/ikectl.8 b/usr.sbin/ikectl/ikectl.8
index 0ea97116154..40d30ac0e21 100644
--- a/usr.sbin/ikectl/ikectl.8
+++ b/usr.sbin/ikectl/ikectl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ikectl.8,v 1.24 2015/09/07 15:24:53 sobrado Exp $
+.\" $OpenBSD: ikectl.8,v 1.25 2015/11/02 10:27:44 jsg Exp $
.\"
.\" Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 7 2015 $
+.Dd $Mdocdate: November 2 2015 $
.Dt IKECTL 8
.Os
.Sh NAME
@@ -149,7 +149,7 @@ as the currently active CA or into the specified
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm create
-.Op Ic server | client
+.Op Ic server | client | ocsp
.Xc
Create a private key and certificate for
.Ar host
@@ -163,6 +163,9 @@ this can be restricted using the optional
or
.Ic client
argument.
+If the
+.Ic ocsp
+argument is specified the extended key usage will be set for OCSP signing.
.It Xo
.Cm ca Ar name Cm certificate Ar host
.Cm delete
diff --git a/usr.sbin/ikectl/ikectl.c b/usr.sbin/ikectl/ikectl.c
index d9fd30185b7..223936cca62 100644
--- a/usr.sbin/ikectl/ikectl.c
+++ b/usr.sbin/ikectl/ikectl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikectl.c,v 1.20 2015/08/19 13:30:54 reyk Exp $ */
+/* $OpenBSD: ikectl.c,v 1.21 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -113,6 +113,7 @@ ca_opt(struct parse_result *res)
case CA_CERT_CREATE:
case CA_SERVER:
case CA_CLIENT:
+ case CA_OCSP:
ca_certificate(ca, res->host, res->htype, res->action);
break;
case CA_CERT_DELETE:
@@ -193,6 +194,7 @@ main(int argc, char *argv[])
case CA_CERT_CREATE:
case CA_CLIENT:
case CA_SERVER:
+ case CA_OCSP:
case CA_CERT_DELETE:
case CA_CERT_INSTALL:
case CA_CERT_EXPORT:
diff --git a/usr.sbin/ikectl/parser.c b/usr.sbin/ikectl/parser.c
index 5d1e40611c9..a09bf169ebc 100644
--- a/usr.sbin/ikectl/parser.c
+++ b/usr.sbin/ikectl/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.14 2015/08/19 13:30:54 reyk Exp $ */
+/* $OpenBSD: parser.c,v 1.15 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -181,6 +181,7 @@ static const struct token t_ca_cert_extusage[] = {
{ NOTOKEN, "", NONE, NULL},
{ KEYWORD, "server", CA_SERVER, NULL },
{ KEYWORD, "client", CA_CLIENT, NULL },
+ { KEYWORD, "ocsp", CA_OCSP, NULL },
{ ENDTOKEN, "", NONE, NULL },
};
diff --git a/usr.sbin/ikectl/parser.h b/usr.sbin/ikectl/parser.h
index 250bae08db9..f87ee3662ee 100644
--- a/usr.sbin/ikectl/parser.h
+++ b/usr.sbin/ikectl/parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.h,v 1.13 2015/06/11 18:49:09 reyk Exp $ */
+/* $OpenBSD: parser.h,v 1.14 2015/11/02 10:27:44 jsg Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
@@ -44,6 +44,7 @@ enum actions {
CA_CERT_CREATE,
CA_SERVER,
CA_CLIENT,
+ CA_OCSP,
CA_CERT_DELETE,
CA_CERT_INSTALL,
CA_CERT_EXPORT,