authorGOTOU Yuuzou <gotoyuzo@notwork.org>2003-07-03 11:05:20 +0000
committerGOTOU Yuuzou <gotoyuzo@notwork.org>2003-07-03 11:05:20 +0000
commitcc2506848915869c8e3c6c4b0a9a6786a225fb92 (patch)
treed0f34bcc46fe7ecd99ffea2037d93d9c423ca0ce
parentaee9e2efc9e7562029684b6405e9293a63670871 (diff)
downloadruby-openssl-history-cc2506848915869c8e3c6c4b0a9a6786a225fb92.tar.gz
*** empty log message ***
-rw-r--r--ChangeLog5
-rwxr-xr-xexamples/gen_ca_cert.rb2
-rwxr-xr-xexamples/gen_cert.rb46
-rw-r--r--examples/ossl_ocsp.rb5
4 files changed, 51 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 7248ad9..229a09a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu, 03 Jul 2003 20:04:01 +0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org>
+ * examples/gen_cert.rb: added --type option.
+ * examples/ossl_ocsp.rb: check the signature in the response.
+ * examples/ossl_ca_cert.rb: del pathlen in basicConstraints.
+
Thu, 03 Jul 2003 12:04:33 +0900 -- GOTOU Yuuzou <gotoyuzo@notwork.org>
* ossl_ocsp.c: OCSP::Respopnse#basic returns nil if no OCSP_BASICRESP given.
* ossl_x509name.c: X509::Name#eql?: should check type of other.
diff --git a/examples/gen_ca_cert.rb b/examples/gen_ca_cert.rb
index 8bdb5f9..1e1b8db 100755
--- a/examples/gen_ca_cert.rb
+++ b/examples/gen_ca_cert.rb
@@ -36,7 +36,7 @@ cert.version = 2 # X509v3
ef = X509::ExtensionFactory.new
ef.subject_certificate = cert
-ext1 = ef.create_extension("basicConstraints","CA:TRUE,pathlen:0")
+ext1 = ef.create_extension("basicConstraints", "CA:TRUE")
ext2 = ef.create_extension("nsComment","Generated by OpenSSL for Ruby.")
ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
cert.extensions = [ext1, ext2, ext3]
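Review bot: The root certificate's basicConstraints extension is still created non-critical — the new line passes no third argument, whereas examples/gen_cert.rb in this same commit passes `true` — and dropping `pathlen:0` means this key may now sign an unbounded chain of subordinate CAs, which looks intended for the new `subca` profile but is worth stating as a deliberate choice. RFC 5280 §4.2.1.9 requires basicConstraints to be critical in CA certificates, and the CA certificate also carries no keyUsage while the `subca` profile in gen_cert.rb sets `cRLSign,keyCertSign`. I would change the line to `ext1 = ef.create_extension("basicConstraints", "CA:TRUE", true)`, add `ext4 = ef.create_extension("keyUsage", "cRLSign,keyCertSign", true)`, and list it in `cert.extensions = [ext1, ext2, ext3, ext4]`. The script body continues outside the hunk on both sides.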
diff --git a/examples/gen_cert.rb b/examples/gen_cert.rb
index 6f7fa35..4706b7a 100755
--- a/examples/gen_cert.rb
+++ b/examples/gen_cert.rb
@@ -26,12 +26,13 @@ def usage
exit
end
-getopts nil, "c:", "k:"
+getopts nil, "c:", "k:", "type:user"
num = ARGV.shift or usage()
csr = ARGV.shift or usage()
ARGV.empty? or usage()
+cert_type = $OPT_type
$stdout.sync = true
ca_file = $OPT_c || "./0cert.pem"
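Review bot: The new `--type` option is accepted here but not documented: `usage` is defined just above the hunk (its body is outside the visible lines) and presumably still lists only `-c` and `-k`, so the only way to learn the accepted values is to read the `case cert_type` further down or hit its `raise`. A one-line addition to the usage text along the lines of `--type {subca|server|ocsp|user}  certificate profile (default: user)` would close that gap. Note that `"type:user"` relies on getopts.rb's `name:default` form, which is worth a short comment on the `getopts` line since it reads like a single-letter option spec. The option handling continues outside the hunk.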
@@ -54,14 +55,47 @@ cert.public_key = req.public_key
cert.serial = num.to_i
cert.version = 2 # X509v3
+key_usage = []
+ext_key_usage = []
+
+case cert_type
+when "subca"
+ basic_constraint = "CA:TRUE,pathlen:0"
+ key_usage << "cRLSign" << "keyCertSign"
+when "server"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ key_usage << "dataEncipherment"
+ ext_key_usage << "serverAuth"
+when "oscp"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ key_usage << "dataEncipherment"
+ ext_key_usage << "serverAuth"
+ ext_key_usage << "OCSPSigning"
+when "user"
+ basic_constraint = "CA:FALSE"
+ key_usage << "nonRepudiation" << "digitalSignature" << "keyEncipherment"
+ ext_key_usage << "clientAuth"
+ ext_key_usage << "codeSigning"
+ ext_key_usage << "emailProtection"
+else
+ raise "unknonw cert type \"#{cert_type}\" is specified."
+end
+
+ext = []
ef = X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = ca
-ext1 = ef.create_extension("basicConstraints","CA:FALSE")
-ext2 = ef.create_extension("nsComment","Generated by OpenSSL for Ruby.")
-ext3 = ef.create_extension("subjectKeyIdentifier", "hash")
-ext4 = ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-cert.extensions = [ext1, ext2, ext3, ext4]
+ext << ef.create_extension("basicConstraints", basic_constraint, true)
+ext << ef.create_extension("keyUsage", key_usage.join(","), true)
+if ext_key_usage.size > 0
+ ext << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","), true)
+end
+ext << ef.create_extension("nsComment","Generated by OpenSSL for Ruby.")
+ext << ef.create_extension("subjectKeyIdentifier", "hash")
+ext << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+cert.extensions = ext
cert.sign(ca_key, Digest::SHA1.new)
cert_file = "./#{cert.serial}cert.pem"
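Review bot: The `when "oscp"` branch is misspelled, so `--type ocsp` falls through to `else` and aborts, and no profile can actually reach the `OCSPSigning` extended key usage it defines; change it to `when "ocsp"`. The error message on the same path is misspelled too: `raise "unknown cert type \"#{cert_type}\" is specified."`. As a style point, `if ext_key_usage.size > 0` is more idiomatically `unless ext_key_usage.empty?`, and a one-line comment above the `case` naming what each profile is for (sub-CA, TLS server, OCSP responder, end user) would help readers who only see the string literals. The script continues outside the hunk on both sides.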
diff --git a/examples/ossl_ocsp.rb b/examples/ossl_ocsp.rb
index e5b65ba..36c8990 100644
--- a/examples/ossl_ocsp.rb
+++ b/examples/ossl_ocsp.rb
@@ -99,6 +99,10 @@ res = OCSP::Response.new(res_der)
p [ res.status, res.status_string ]
if res.status == OCSP::RESPONSE_STATUS_SUCCESSFUL
basic = res.basic
+ unless basic.verify([], store)
+ $stderr.puts "invalid OCSP response"
+ exit 2
+ end
req.check_nonce(basic)
basic.status.each{|st|
cid, cert_status, reason, revtime, thisupd, nextupd, ext = st
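Review bot: The second hunk of this file adds a bare `end` after the `}` that closes the `basic.status.each` block, but the `unless basic.verify([], store)` introduced here is already closed by the `end` four lines later, so unless the pre-image was itself missing an `end`, the file now has one too many and will not parse; please run the example once before committing. The verify call also deserves a comment, since the empty array means no additional responder certificates are supplied and everything must come from the response or `store`; something like `# reject the response unless its signature verifies and the signer chains to store (delegated responders need the OCSP signing EKU)` — wording to be confirmed against the OCSP binding's verify semantics. The `if res.status == OCSP::RESPONSE_STATUS_SUCCESSFUL` block begins in this hunk and ends in the next one.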
@@ -112,4 +116,5 @@ if res.status == OCSP::RESPONSE_STATUS_SUCCESSFUL
p [ :revtime, revtime ]
end
}
+ end
end