authorAndreas Steffen <andreas.steffen@strongswan.org>2010-03-07 17:27:53 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2010-03-07 17:27:53 +0100
commit1ec8f22de2229520b97981224d7655f4d9e5b1e9 (patch)
tree8af2255aef27b46cedd103d857fa4f4dc2695304
parent3bcfb271a322bc7c2d98dc691eb06a47e0cd3185 (diff)
set Certificate Sign and CRL Sign flags in keyUsage extension if CA is true
-rw-r--r--src/libstrongswan/asn1/oid.txt2
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c17
2 files changed, 14 insertions, 5 deletions
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 203bc1f28..5d729c2eb 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -37,7 +37,7 @@
0x1D "id-ce"
0x09 "subjectDirectoryAttrs"
0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID
- 0x0F "keyUsage"
+ 0x0F "keyUsage" OID_KEY_USAGE
0x10 "privateKeyUsagePeriod"
0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
0x12 "issuerAltName"
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 3b729236e..698903456 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1481,7 +1481,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
chunk_t ocspSigning = chunk_empty;
- chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
+ chunk_t basicConstraints = chunk_empty;
+ chunk_t keyUsage = chunk_empty;
+ chunk_t subjectAltNames = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
identification_t *issuer, *subject;
@@ -1583,7 +1585,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
}
- /* build CA basicConstraint for CA certificates */
+ /* build CA basicConstraint and keyUsage flags for CA certificates */
if (cert->flags & X509_CA)
{
chunk_t pathLenConstraint = chunk_empty;
@@ -1603,6 +1605,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
pathLenConstraint)));
+ keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
+ asn1_build_known_oid(OID_KEY_USAGE),
+ asn1_wrap(ASN1_BOOLEAN, "c",
+ chunk_from_chars(0xFF)),
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_BIT_STRING, "c",
+ chunk_from_chars(0x01, 0x06))));
}
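Review bot: The BIT STRING payload `chunk_from_chars(0x01, 0x06)` on the line before the closing brace carries its whole meaning in two magic bytes, so a reader cannot check the intent (keyCertSign and cRLSign, as the commit title says) without decoding DER by hand. The first byte is the unused-bits count (1, since bit 7 is not used) and 0x06 sets KeyUsage bits 5 (keyCertSign) and 6 (cRLSign); a comment such as `/* KeyUsage BIT STRING: 1 unused bit, keyCertSign(5) | cRLSign(6) */` above the `asn1_wrap(ASN1_BIT_STRING, ...)` call would make that verifiable at a glance. The `0xFF` BOOLEAN marks the extension critical, which RFC 5280 section 4.2.1.3 recommends for keyUsage, and is worth stating in the same comment. generate()'s body continues outside the hunk.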
/* add serverAuth extendedKeyUsage flag */
@@ -1663,8 +1672,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
crlDistributionPoints.ptr)
{
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmmm",
- basicConstraints, subjectKeyIdentifier,
+ asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
+ basicConstraints, keyUsage, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames,
extendedKeyUsage, crlDistributionPoints,
authorityInfoAccess));
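Review bot: keyUsage is spliced into the extension SEQUENCE at `basicConstraints, keyUsage, subjectKeyIdentifier,` but the guard that decides whether the extensions block is emitted at all (it begins above the hunk and ends with `crlDistributionPoints.ptr)`) is not extended to test `keyUsage.ptr`. That is correct only because keyUsage is built exclusively inside the `X509_CA` branch where basicConstraints is also set, so the two chunks are always empty or non-empty together. A short comment near the guard, e.g. `/* keyUsage is only set together with basicConstraints, so it needs no test here */`, would record that coupling before a later change separates the two. generate()'s body starts outside the hunk.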