fputs("ok\n", stdout);
break;
}
- {
- size_t ku = KEKSItemsGetByKey(&(verifier->items), verifier->load, "ku");
- if ((ku == 0) || KEKSItemsGetByKey(&(verifier->items), ku, "ca") == 0) {
- fputs("no ca ku\n", stdout);
- return EXIT_FAILURE;
- }
- }
fputs("ok\n", stdout);
toVerify = verifier;
}
)
const (
- KUCA = "ca" // CA-capable key usage
KUSig = "sig" // Signing-capable key usage
KUKEM = "kem" // Key-encapsulation-mechanism key usage
CerMagic = keks.Magic("pki/cer")
err = errors.New("cer can not sign")
return
}
- if !cerLoad.Can(KUCA) {
- err = errors.New("cer can not ca")
- return
- }
idToCer[cerLoad.Pub[0].Id] = cer
}
signer := idToCer[sid]
subj="-subj CN=CA -subj C=RU"
test_expect_success "$caAlgo: CA load generation" "certool \
-algo $caAlgo \
- -ku ca -ku sig $subj \
+ -ku sig $subj \
-prv $TMPDIR/ca.prv -cer $TMPDIR/ca.cer"
test_expect_success "$caAlgo: CA generation" "certool \
-cer $TMPDIR/ca.cer \
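Review bot: With `-ku ca` dropped, the `-ku sig $subj` line generates the CA with the same key usage as any signing end-entity, and the visible tests only cover the success path. As far as the Go hunk above shows, the only issuer gate left is the "cer can not sign" check, so a negative case would pin that rule: a certificate generated with only `-ku kem` and then used as an issuer should fail verification. If it is intended that any "sig"-capable certificate can issue, say so above these tests, e.g. `# no dedicated CA key usage: any "sig"-capable certificate can act as issuer`. The SubCA hunk below makes the same change, and the `certool` invocation that this hunk ends on continues outside it.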
subj="-subj CN=SubCA -subj C=RU"
test_expect_success "$eeAlgo: SubCA load generation" "certool \
-algo $eeAlgo \
- -ku ca -ku sig $subj \
+ -ku sig $subj \
-prv $TMPDIR/subca.prv -cer $TMPDIR/subca.cer"
test_expect_success "$eeAlgo: SubCA generation" "certool \
-cer $TMPDIR/subca.cer \
* text => any
}
-ku = "ca" / "sig" / "kem" / "app-name" / text
+ku = "sig" / "kem" / "app-name" / text
crit-ext-type = text
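Review bot: The trailing `text` alternative in `ku = "sig" / "kem" / "app-name" / text` means a load carrying "ca" still matches the schema, so certificates issued before this change stay schema-valid while the value silently loses its meaning. A comment next to the rule would make that explicit, for example `; "ca" is no longer a defined usage: it matches only as application text and grants no issuing authority`. Whether a verifier should ignore or reject a leftover "ca" is not visible in this hunk, so the specification text should state that as well.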
hash of the key.
@item ku
-Intended public key(s) usage. Certificate @strong{must} be signed with
-the certificate having "ca" key usage, unless it is self-signed.
+Intended public key(s) usage.
Application-specific example with multiple public keys is described
above. It @strong{must} be absent if empty.