author | Andreas Steffen <andreas.steffen@strongswan.org> | 2009-10-05 22:44:01 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2009-10-05 22:44:01 +0200 |
commit | 408e46a3248e9222e106443796c7f7cd388e5b39 (patch) | |
tree | e1ab649e2c3f741071e5c36ef32ec8256334c295 /src | |
parent | ce40bf5def7c8cd2986cdcbf39b25d8e25eb1167 (diff) | |
download | strongswan-408e46a3248e9222e106443796c7f7cd388e5b39.tar.bz2 strongswan-408e46a3248e9222e106443796c7f7cd388e5b39.tar.xz |
ipsec pki --issue supports --flag authServer option
Diffstat (limited to 'src')
-rw-r--r-- | src/charon/plugins/stroke/stroke_list.c | 7 | ||||
-rw-r--r-- | src/libstrongswan/asn1/oid.txt | 2 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.c | 1 | ||||
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 4 | ||||
-rw-r--r-- | src/libstrongswan/plugins/x509/x509_cert.c | 45 | ||||
-rw-r--r-- | src/pki/commands/issue.c | 6 |
6 files changed, 46 insertions, 19 deletions
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index f110009ac..5716b4269 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -655,8 +655,11 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 x509_t *x509 = (x509_t*)cert;
 x509_flag_t x509_flags = x509->get_flags(x509);
 
- /* list only if flag is set, or flags == 0 (ignoring self-signed) */
- if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
+ /* list only if flag is set,
+ * or flags == 0 (ignoring self-signed and serverAuth)
+ */
+ if ((x509_flags & flags) ||
+ (flags == (x509_flags & ~(X509_SELF_SIGNED | X509_SERVER_AUTH))))
 {
 enumerator_t *enumerator;
 identification_t *altName;
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 8b6ee4191..a4b08022d 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -189,7 +189,7 @@
 0x01 "cps"
 0x02 "unotice"
 0x03 "id-kp"
- 0x01 "serverAuth"
+ 0x01 "serverAuth" OID_SERVER_AUTH
 0x02 "clientAuth"
 0x03 "codeSigning"
 0x04 "emailProtection"
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
index 0a75056fe..b8819881a 100644
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -20,6 +20,7 @@ ENUM(x509_flag_names, X509_NONE, X509_SELF_SIGNED,
 "X509_CA",
 "X509_AA",
 "X509_OCSP_SIGNER",
+ "X509_SERVER_AUTH",
 "X509_SELF_SIGNED",
 );
 
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index a700238ee..8af9200de 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -39,8 +39,10 @@ enum x509_flag_t {
 X509_AA = (1<<1),
 /** cert has OCSP signer constraint */
 X509_OCSP_SIGNER = (1<<2),
+ /** cert has serverAuth constraint */
+ X509_SERVER_AUTH = (1<<3),
 /** cert is self-signed */
- X509_SELF_SIGNED = (1<<3),
+ X509_SELF_SIGNED = (1<<4),
 };
 
 /**
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index b4ed143a0..353c91e9f 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -544,26 +544,34 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
 /**
 * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
 */
- static bool parse_extendedKeyUsage(chunk_t blob, int level0)
+ static void parse_extendedKeyUsage(chunk_t blob, int level0,
+ private_x509_cert_t *this)
 {
 asn1_parser_t *parser;
 chunk_t object;
 int objectID;
- bool ocsp_signing = FALSE;
 
 parser = asn1_parser_create(extendedKeyUsageObjects, blob);
 parser->set_top_level(parser, level0);
 
 while (parser->iterate(parser, &objectID, &object))
 {
- if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
- asn1_known_oid(object) == OID_OCSP_SIGNING)
+ if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
 {
- ocsp_signing = TRUE;
+ switch (asn1_known_oid(object))
+ {
+ case OID_SERVER_AUTH:
+ this->flags |= X509_SERVER_AUTH;
+ break;
+ case OID_OCSP_SIGNING:
+ this->flags |= X509_OCSP_SIGNER;
+ break;
+ default:
+ break;
+ }
 }
 }
 parser->destroy(parser);
- return ocsp_signing;
 }
 
 /**
@@ -793,10 +801,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 parse_authorityInfoAccess(object, level, this);
 break;
 case OID_EXTENDED_KEY_USAGE:
- if (parse_extendedKeyUsage(object, level))
- {
- this->flags |= X509_OCSP_SIGNER;
- }
+ parse_extendedKeyUsage(object, level, this);
 break;
 case OID_NS_REVOCATION_URL:
 case OID_NS_CA_REVOCATION_URL:
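Review bot: Inserting X509_SERVER_AUTH as (1<<3) renumbers X509_SELF_SIGNED from (1<<3) to (1<<4), so any object built against the previous x509.h, or any place that keeps these flag values numerically, would silently read the wrong flag; I cannot see such consumers from here, so this may be acceptable in-tree. Appending the new flag as (1<<4) and leaving X509_SELF_SIGNED untouched would avoid the renumbering, with the "X509_SERVER_AUTH" entry in x509_flag_names in x509.c moved after "X509_SELF_SIGNED" to keep the name table in value order. enum x509_flag_t begins outside the hunk.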
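Review bot: The header comment above parse_extendedKeyUsage is now stale: the function no longer returns anything, and it sets both X509_SERVER_AUTH and X509_OCSP_SIGNER in this->flags rather than reporting OCSP signing alone (it also misspells OCSP_SIGNING). Replace the middle comment line with ` * Extracts extendedKeyUsage OIDs and sets X509_SERVER_AUTH / X509_OCSP_SIGNER in this->flags accordingly`. The switch's `default: break;` drops every other purpose OID, which matches the previous behaviour; a comment such as `/* other purposes are not tracked as flags */` on the default label would make that intent explicit for the next person adding a purpose.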
@@ -1268,6 +1273,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 private_key_t *sign_key, int digest_alg)
 {
 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
+ chunk_t serverAuth = chunk_empty, ocspSigning = chunk_empty;
 chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
@@ -1383,14 +1389,25 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 chunk_from_chars(0xFF)))));
 }
 
- /* add ocspSigning extendedKeyUsage */
+ /* add serverAuth extendedKeyUsage flag */
+ if (cert->flags & X509_SERVER_AUTH)
+ {
+ serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
+ }
+
+ /* add ocspSigning extendedKeyUsage flag */
 if (cert->flags & X509_OCSP_SIGNER)
 {
- extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm ",
+ ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
+ }
+
+ if (serverAuth.ptr || ocspSigning.ptr)
+ {
+ extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "m",
- asn1_build_known_oid(OID_OCSP_SIGNING))));
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ serverAuth, ocspSigning)));
 }
 
 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index c71e9b530..48c1ead20 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -104,7 +104,11 @@ static int issue()
 flags |= X509_CA;
 continue;
 case 'f':
- if (streq(arg, "ocspSigning"))
+ if (streq(arg, "serverAuth"))
+ {
+ flags |= X509_SERVER_AUTH;
+ }
+ else if (streq(arg, "ocspSigning"))
 {
 flags |= X509_OCSP_SIGNER;
 }
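Review bot: The inner sequence is built with "mm" from serverAuth and ocspSigning even when only one flag is set, so the code relies on asn1_wrap contributing no bytes for a chunk_empty argument and on the "m" mode releasing a NULL ptr safely; whether asn1_wrap treats zero-length chunks that way is not visible in this hunk. If it does, a one-line comment above the call, `/* chunk_empty purposes add nothing to the sequence */`, would record the reliance; if it does not, the sequence should be assembled from the set purposes only. The old format string "mm " (trailing space) is also corrected to "mm" here, which is a separate behavioural fix worth calling out. generate's body continues outside the hunk.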
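Review bot: The value accepted for --flag is the literal "serverAuth", matching the extendedKeyUsage purpose name and the X509_SERVER_AUTH flag, while the commit title speaks of "authServer"; the title, and any usage text for --flag that lives outside this hunk, should use the spelling the parser actually compares, since a user typing the other form would get a certificate without the intended constraint. What happens to a value that matches neither branch is outside the hunk, so I cannot tell from here whether it is rejected or silently ignored; a silently ignored flag value deserves at least a warning. issue() continues outside the hunk.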