authorAndreas Steffen <andreas.steffen@strongswan.org>2009-10-05 22:44:01 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2009-10-05 22:44:01 +0200
commit408e46a3248e9222e106443796c7f7cd388e5b39 (patch)
treee1ab649e2c3f741071e5c36ef32ec8256334c295 /src
parentce40bf5def7c8cd2986cdcbf39b25d8e25eb1167 (diff)
ipsec pki --issue supports --flag authServer option
Diffstat (limited to 'src')
-rw-r--r--src/charon/plugins/stroke/stroke_list.c7
-rw-r--r--src/libstrongswan/asn1/oid.txt2
-rw-r--r--src/libstrongswan/credentials/certificates/x509.c1
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h4
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c45
-rw-r--r--src/pki/commands/issue.c6
6 files changed, 46 insertions, 19 deletions
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index f110009ac..5716b4269 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -655,8 +655,11 @@ static void stroke_list_certs(linked_list_t *list, char *label,
x509_t *x509 = (x509_t*)cert;
x509_flag_t x509_flags = x509->get_flags(x509);
- /* list only if flag is set, or flags == 0 (ignoring self-signed) */
- if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
+ /* list only if flag is set,
+ * or flags == 0 (ignoring self-signed and serverAuth)
+ */
+ if ((x509_flags & flags) ||
+ (flags == (x509_flags & ~(X509_SELF_SIGNED | X509_SERVER_AUTH))))
{
enumerator_t *enumerator;
identification_t *altName;
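Review bot: The set of flags that the `flags == 0` listing ignores is now written twice, once in the comment on the lines above the `if` and once in the mask `~(X509_SELF_SIGNED | X509_SERVER_AUTH)` inside the condition, and the two will drift apart as further extendedKeyUsage flags are added. A named mask keeps them in one place: `x509_flag_t ignored = X509_SELF_SIGNED | X509_SERVER_AUTH; /* flags that do not affect CA/AA/OCSP-signer listing */` followed by `if ((x509_flags & flags) || (flags == (x509_flags & ~ignored)))`. stroke_list_certs() begins before the hunk, so whether any caller passes `flags == X509_SERVER_AUTH` (which the first operand would already match) cannot be checked from here.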
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 8b6ee4191..a4b08022d 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -189,7 +189,7 @@
0x01 "cps"
0x02 "unotice"
0x03 "id-kp"
- 0x01 "serverAuth"
+ 0x01 "serverAuth" OID_SERVER_AUTH
0x02 "clientAuth"
0x03 "codeSigning"
0x04 "emailProtection"
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
index 0a75056fe..b8819881a 100644
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -20,6 +20,7 @@ ENUM(x509_flag_names, X509_NONE, X509_SELF_SIGNED,
"X509_CA",
"X509_AA",
"X509_OCSP_SIGNER",
+ "X509_SERVER_AUTH",
"X509_SELF_SIGNED",
);
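Review bot: The new `"X509_SERVER_AUTH"` entry is added to an ENUM table declared over the range `X509_NONE` .. `X509_SELF_SIGNED`, but the x509_flag_t values are single bits (1<<0 .. 1<<4 after this commit), not consecutive integers. If enum_name() resolves a value by its offset from the first entry, as the ENUM macro appears to, then `X509_OCSP_SIGNER` (4) would print as the fifth string and `X509_SERVER_AUTH` (8) and `X509_SELF_SIGNED` (16) would fall outside the table; the old five-entry table had the same mismatch and this commit extends it rather than fixing it. Worth either converting to a per-bit lookup or adding `/* NOTE: values are bit flags, so offset-based lookup only matches X509_NONE, X509_CA and X509_AA */` — confirm against enum_name() before relying on this table.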
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index a700238ee..8af9200de 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -39,8 +39,10 @@ enum x509_flag_t {
X509_AA = (1<<1),
/** cert has OCSP signer constraint */
X509_OCSP_SIGNER = (1<<2),
+ /** cert has serverAuth constraint */
+ X509_SERVER_AUTH = (1<<3),
/** cert is self-signed */
- X509_SELF_SIGNED = (1<<3),
+ X509_SELF_SIGNED = (1<<4),
};
/**
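Review bot: Renumbering `X509_SELF_SIGNED` from `(1<<3)` to `(1<<4)` changes a value in a public header, so anything compiled against the previous x509.h (out-of-tree plugins or tools that inspect flags) will misread the flag bits until rebuilt; appending `X509_SERVER_AUTH = (1<<4)` after `X509_SELF_SIGNED` would have kept existing values stable. The new doc comment also calls serverAuth a "constraint" while it is an extendedKeyUsage purpose; `/** cert has serverAuth extendedKeyUsage */` is more accurate. The enum x509_flag_t begins before the hunk.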
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index b4ed143a0..353c91e9f 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -544,26 +544,34 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
/**
* Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
*/
-static bool parse_extendedKeyUsage(chunk_t blob, int level0)
+static void parse_extendedKeyUsage(chunk_t blob, int level0,
+ private_x509_cert_t *this)
{
asn1_parser_t *parser;
chunk_t object;
int objectID;
- bool ocsp_signing = FALSE;
parser = asn1_parser_create(extendedKeyUsageObjects, blob);
parser->set_top_level(parser, level0);
while (parser->iterate(parser, &objectID, &object))
{
- if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
- asn1_known_oid(object) == OID_OCSP_SIGNING)
+ if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
{
- ocsp_signing = TRUE;
+ switch (asn1_known_oid(object))
+ {
+ case OID_SERVER_AUTH:
+ this->flags |= X509_SERVER_AUTH;
+ break;
+ case OID_OCSP_SIGNING:
+ this->flags |= X509_OCSP_SIGNER;
+ break;
+ default:
+ break;
+ }
}
}
parser->destroy(parser);
- return ocsp_signing;
}
/**
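Review bot: The header comment on the function, `* Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned`, is now stale: the function returns void and sets both X509_SERVER_AUTH and X509_OCSP_SIGNER directly on `this->flags`. Suggest `* Parses the extendedKeyUsage extension and sets X509_SERVER_AUTH / X509_OCSP_SIGNER in this->flags for the recognized purpose OIDs; other purposes are ignored.`, which also fixes the OCSP_SIGING typo. Since the new `this` parameter is only written to, a word on that in the comment would help the next reader see it is the output of the function.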
@@ -793,10 +801,7 @@ static bool parse_certificate(private_x509_cert_t *this)
parse_authorityInfoAccess(object, level, this);
break;
case OID_EXTENDED_KEY_USAGE:
- if (parse_extendedKeyUsage(object, level))
- {
- this->flags |= X509_OCSP_SIGNER;
- }
+ parse_extendedKeyUsage(object, level, this);
break;
case OID_NS_REVOCATION_URL:
case OID_NS_CA_REVOCATION_URL:
@@ -1268,6 +1273,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
private_key_t *sign_key, int digest_alg)
{
chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
+ chunk_t serverAuth = chunk_empty, ocspSigning = chunk_empty;
chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
@@ -1383,14 +1389,25 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_from_chars(0xFF)))));
}
- /* add ocspSigning extendedKeyUsage */
+ /* add serverAuth extendedKeyUsage flag */
+ if (cert->flags & X509_SERVER_AUTH)
+ {
+ serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
+ }
+
+ /* add ocspSigning extendedKeyUsage flag */
if (cert->flags & X509_OCSP_SIGNER)
{
- extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm ",
+ ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
+ }
+
+ if (serverAuth.ptr || ocspSigning.ptr)
+ {
+ extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "m",
- asn1_build_known_oid(OID_OCSP_SIGNING))));
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ serverAuth, ocspSigning)));
}
/* add subjectKeyIdentifier to CA and OCSP signer certificates */
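Review bot: The inner `asn1_wrap(ASN1_SEQUENCE, "mm", serverAuth, ocspSigning)` is built with one of the two chunks still `chunk_empty` whenever only one of the flags is set, so the correctness of the emitted extension rests on asn1_wrap treating a zero-length "m" argument as absent; that appears to be the intent but is not visible here and deserves a comment, e.g. `/* either chunk may be chunk_empty; asn1_wrap emits nothing for a zero-length "m" argument */`. Dropping the trailing space from the old `"mm "` format string is a harmless cleanup. generate() starts before the hunk and continues after it.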
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index c71e9b530..48c1ead20 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -104,7 +104,11 @@ static int issue()
flags |= X509_CA;
continue;
case 'f':
- if (streq(arg, "ocspSigning"))
+ if (streq(arg, "serverAuth"))
+ {
+ flags |= X509_SERVER_AUTH;
+ }
+ else if (streq(arg, "ocspSigning"))
{
flags |= X509_OCSP_SIGNER;
}
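Review bot: The `--flag` values are matched by a growing if/else-if chain of streq() calls, and each new extendedKeyUsage purpose adds another four-line branch; a small table of `{ "serverAuth", X509_SERVER_AUTH }, { "ocspSigning", X509_OCSP_SIGNER }` pairs walked in a loop would keep this readable as more purposes arrive. If issue.c carries a usage or help string listing the accepted `--flag` values, it also needs `serverAuth` added; that text is not in the hunk. issue() begins before the hunk and the rest of the chain, including whatever happens on an unrecognized value, follows it.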