ipsec pki --issue suports --flag authServer option
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 5 Oct 2009 20:44:01 +0000 (22:44 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 5 Oct 2009 20:44:01 +0000 (22:44 +0200)
src/charon/plugins/stroke/stroke_list.c
src/libstrongswan/asn1/oid.txt
src/libstrongswan/credentials/certificates/x509.c
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c
src/pki/commands/issue.c

index f110009..5716b42 100644 (file)
@@ -655,8 +655,11 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                x509_t *x509 = (x509_t*)cert;
                x509_flag_t x509_flags = x509->get_flags(x509);
 
-               /* list only if flag is set, or flags == 0 (ignoring self-signed) */
-               if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
+               /* list only if flag is set,
+                * or flags == 0 (ignoring self-signed and serverAuth)
+                */
+               if ((x509_flags & flags) ||
+                       (flags == (x509_flags & ~(X509_SELF_SIGNED | X509_SERVER_AUTH))))
                {
                        enumerator_t *enumerator;
                        identification_t *altName;
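Review bot: The set of flags that is disregarded when listing plain certificates is now written twice, once in the comment above the condition and again inline in the mask on the new `flags ==` line, and the two will drift the next time a purpose flag is added. A named local keeps the intent in one place: `x509_flag_t ignored = X509_SELF_SIGNED | X509_SERVER_AUTH;` followed by `if ((x509_flags & flags) || flags == (x509_flags & ~ignored))`. The enclosing stroke_list_certs starts and ends outside the hunk.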
index 8b6ee41..a4b0802 100644 (file)
               0x01           "cps"
               0x02           "unotice"
             0x03             "id-kp"
-              0x01           "serverAuth"
+              0x01           "serverAuth"                              OID_SERVER_AUTH
               0x02           "clientAuth"
               0x03           "codeSigning"
               0x04           "emailProtection"
index 0a75056..b881988 100644 (file)
@@ -20,6 +20,7 @@ ENUM(x509_flag_names, X509_NONE, X509_SELF_SIGNED,
        "X509_CA",
        "X509_AA",
        "X509_OCSP_SIGNER",
+       "X509_SERVER_AUTH",
        "X509_SELF_SIGNED",
 );
 
index a700238..8af9200 100644 (file)
@@ -39,8 +39,10 @@ enum x509_flag_t {
        X509_AA =                       (1<<1),
        /** cert has OCSP signer constraint */
        X509_OCSP_SIGNER =      (1<<2),
+       /** cert has serverAuth constraint */
+       X509_SERVER_AUTH =      (1<<3),
        /** cert is self-signed */
-       X509_SELF_SIGNED =  (1<<3),
+       X509_SELF_SIGNED =  (1<<4),
 };
 
 /**
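Review bot: Moving X509_SELF_SIGNED from `(1<<3)` to `(1<<4)` changes the numeric value of an existing constant in a public libstrongswan header, so any plugin or binary built against the old x509.h will read and write the wrong bit until it is recompiled; if these values are ever stored or passed across a build boundary that is an incompatibility the commit does not mention. If the values are not meant to be stable, a comment on the enum would make that explicit, e.g. `/** bit positions are not stable across releases; always use the symbolic names */`. The enum's head is outside the hunk.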
index b4ed143..353c91e 100644 (file)
@@ -544,26 +544,34 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
 /**
  * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
  */
-static bool parse_extendedKeyUsage(chunk_t blob, int level0)
+static void parse_extendedKeyUsage(chunk_t blob, int level0,
+                                                                  private_x509_cert_t *this)
 {
        asn1_parser_t *parser;
        chunk_t object;
        int objectID;
-       bool ocsp_signing = FALSE;
 
        parser = asn1_parser_create(extendedKeyUsageObjects, blob);
        parser->set_top_level(parser, level0);
 
        while (parser->iterate(parser, &objectID, &object))
        {
-               if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
-                       asn1_known_oid(object) == OID_OCSP_SIGNING)
+               if (objectID == EXT_KEY_USAGE_PURPOSE_ID)
                {
-                       ocsp_signing = TRUE;
+                       switch (asn1_known_oid(object))
+                       {
+                               case OID_SERVER_AUTH:
+                                       this->flags |= X509_SERVER_AUTH;
+                                       break;
+                               case OID_OCSP_SIGNING:
+                                       this->flags |= X509_OCSP_SIGNER;
+                                       break;
+                               default:
+                                       break;
+                       }
                }
        }
        parser->destroy(parser);
-       return ocsp_signing;
 }
 
 /**
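Review bot: The doc comment kept above parse_extendedKeyUsage, "Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned", is now wrong on both counts: the function returns void and it records two purposes by setting bits on `this->flags`. It also carries a typo (OCSP_SIGING). Replace it with `/** Parses extendedKeyUsage and sets X509_SERVER_AUTH and/or X509_OCSP_SIGNER in this->flags */`.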
@@ -793,10 +801,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                                parse_authorityInfoAccess(object, level, this);
                                                break;
                                        case OID_EXTENDED_KEY_USAGE:
-                                               if (parse_extendedKeyUsage(object, level))
-                                               {
-                                                       this->flags |= X509_OCSP_SIGNER;
-                                               }
+                                               parse_extendedKeyUsage(object, level, this);
                                                break;
                                        case OID_NS_REVOCATION_URL:
                                        case OID_NS_CA_REVOCATION_URL:
@@ -1268,6 +1273,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                         private_key_t *sign_key, int digest_alg)
 {
        chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
+       chunk_t serverAuth = chunk_empty, ocspSigning = chunk_empty;
        chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
        chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
        chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
@@ -1383,14 +1389,25 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                                                chunk_from_chars(0xFF)))));
        }
 
-       /* add ocspSigning extendedKeyUsage */
+       /* add serverAuth extendedKeyUsage flag */
+       if (cert->flags & X509_SERVER_AUTH)
+       {
+               serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
+       }
+
+       /* add ocspSigning extendedKeyUsage flag */
        if (cert->flags & X509_OCSP_SIGNER)
        {
-               extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm ",
+               ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
+       }
+
+       if (serverAuth.ptr || ocspSigning.ptr)
+       {
+               extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
                                                                asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
                                                                asn1_wrap(ASN1_OCTET_STRING, "m",
-                                                                       asn1_wrap(ASN1_SEQUENCE, "m",
-                                                                               asn1_build_known_oid(OID_OCSP_SIGNING))));
+                                                                       asn1_wrap(ASN1_SEQUENCE, "mm",
+                                                                               serverAuth, ocspSigning)));
        }
 
        /* add subjectKeyIdentifier to CA and OCSP signer certificates */
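Review bot: The inner `asn1_wrap(ASN1_SEQUENCE, "mm", serverAuth, ocspSigning)` is reached when only one of the two chunks was built, so the other is still chunk_empty; the encoding is only correct if asn1_wrap treats an empty "m" member as contributing zero bytes, which the hunk does not state and I cannot confirm from here. If that is the contract, a one-line comment above the wrap would save the next reader the same check, e.g. `/* an unset purpose is chunk_empty and adds nothing to the sequence */`; if it is not, the sequence needs to be built from the present OIDs only. The enclosing generate() continues outside the hunk.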
index c71e9b5..48c1ead 100644 (file)
@@ -104,7 +104,11 @@ static int issue()
                                flags |= X509_CA;
                                continue;
                        case 'f':
-                               if (streq(arg, "ocspSigning"))
+                               if (streq(arg, "serverAuth"))
+                               {
+                                       flags |= X509_SERVER_AUTH;
+                               }
+                               else if (streq(arg, "ocspSigning"))
                                {
                                        flags |= X509_OCSP_SIGNER;
                                }