Support TLS client authentication Extended Key Usage in x509 generation
author
Martin Willi
<martin@strongswan.org>
Thu, 14 Jan 2010 11:00:43 +0000
(12:00 +0100)
committer
Martin Willi
<martin@strongswan.org>
Thu, 14 Jan 2010 11:00:43 +0000
(12:00 +0100)
src/charon/plugins/stroke/stroke_list.c
src/libstrongswan/asn1/oid.txt
src/libstrongswan/credentials/certificates/x509.c
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c
src/pki/commands/issue.c
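--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -661,7 +661,7 @@ static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
 if (first)
 {
-fprintf(out, "\n");
+fprintf(out, "\n");
 fprintf(out, "List of PGP End Entity Certificates:\n");
 first = FALSE;
 }
@@ -699,7 +699,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 x509_flag_t flag_mask;
 /* mask all auxiliary flags */
-flag_mask = ~(X509_SELF_SIGNED | X509_SERVER_AUTH | X509_IP_ADDR_BLOCKS );
+flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
+X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
 enumerator = list->create_enumerator(list);
 while (enumerator->enumerate(enumerator, (void**)&cert))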
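Review bot: The auxiliary-flag mask in stroke_list_certs is maintained by hand, which is why X509_CLIENT_AUTH had to be added to it here and why the next flag added to x509_flag_t will have to be added again; a comment tying the two together would make that dependency visible: `/* keep in sync with x509_flag_t: every flag that is not a CA/AA/OCSP constraint is auxiliary and must be masked here */`. A flag missing from this mask presumably would not fail loudly but only change how certificates are grouped in the listing, so the omission is easy to miss in testing. stroke_list_certs starts and ends outside this hunk, so the use of flag_mask could not be checked here.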
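--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -191,7 +191,7 @@
 0x02 "unotice"
 0x03 "id-kp"
 0x01 "serverAuth" OID_SERVER_AUTH
-0x02 "clientAuth"
+0x02 "clientAuth" OID_CLIENT_AUTH
 0x03 "codeSigning"
 0x04 "emailProtection"
 0x05 "ipsecEndSystem"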
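--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -15,12 +15,14 @@
 #include "x509.h"
-ENUM(x509_flag_names, X509_NONE, X509_SELF_SIGNED,
+ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS,
 "X509_NONE",
 "X509_CA",
 "X509_AA",
 "X509_OCSP_SIGNER",
 "X509_SERVER_AUTH",
+"X509_CLIENT_AUTH",
 "X509_SELF_SIGNED",
+"X509_IP_ADDR_BLOCKS",
 );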
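Review bot: x509_flag_names now lists eight strings for a range declared from X509_NONE (0) to X509_IP_ADDR_BLOCKS, which the header in this commit defines as (1<<6); if ENUM maps a contiguous value range to names by offset from its first argument, as its first/last parameters suggest, only X509_NONE, X509_CA and X509_AA would resolve to the intended string and any higher bit or combination of flags would land on the wrong name or past the end of the table. That mismatch predates this commit, but the commit widens the declared range without closing the gap, so it is worth confirming against the ENUM macro. If confirmed, either print the flags as a bit set or leave a comment on the table, e.g. `/* NOTE: ENUM is positional; flag values beyond X509_AA do not map to these names */`.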
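--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -35,19 +35,21 @@ typedef enum x509_flag_t x509_flag_t;
 */
 enum x509_flag_t {
 /** cert has no constraints */
-X509_NONE = 0,
+X509_NONE = 0,
 /** cert has CA constraint */
-X509_CA = (1<<0),
+X509_CA = (1<<0),
 /** cert has AA constraint */
-X509_AA = (1<<1),
+X509_AA = (1<<1),
 /** cert has OCSP signer constraint */
-X509_OCSP_SIGNER = (1<<2),
-/** cert has serverAuth constraint */
-X509_SERVER_AUTH = (1<<3),
+X509_OCSP_SIGNER = (1<<2),
+/** cert has serverAuth key usage */
+X509_SERVER_AUTH = (1<<3),
+/** cert has clientAuth key usage */
+X509_CLIENT_AUTH = (1<<4),
 /** cert is self-signed */
-X509_SELF_SIGNED = (1<<4),
+X509_SELF_SIGNED = (1<<5),
 /** cert has an ipAddrBlocks extension */
-X509_IP_ADDR_BLOCKS = (1<<5),
+X509_IP_ADDR_BLOCKS = (1<<6),
 };
 /**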
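Review bot: X509_SELF_SIGNED and X509_IP_ADDR_BLOCKS change value (1<<4 to 1<<5, 1<<5 to 1<<6) to make room for X509_CLIENT_AUTH, so any plugin or program compiled against the old header that stores or compares these flags will silently disagree with a rebuilt libstrongswan until it is rebuilt too. Appending `X509_CLIENT_AUTH = (1<<6)` after the existing flags would have kept every existing value stable at the cost of declaration order. If these headers are treated as an internal interface that is always rebuilt together with its plugins this is acceptable, but the enum comment should say so, e.g. `/* flag values are not stable across releases; never persist or transmit them */`.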
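--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -596,6 +596,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 case OID_SERVER_AUTH:
 this->flags |= X509_SERVER_AUTH;
 break;
+case OID_CLIENT_AUTH:
+this->flags |= X509_CLIENT_AUTH;
+break;
 case OID_OCSP_SIGNING:
 this->flags |= X509_OCSP_SIGNER;
 break;
@@ -804,7 +807,7 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
 }
 }
 this->flags |= X509_IP_ADDR_BLOCKS;
-
+
 end:
 parser->destroy(parser);
 }
@@ -891,7 +894,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 if (this->version < 1 || this->version > 3)
 {
 DBG1("X.509v%d not supported", this->version);
-goto end;
+goto end;
 }
 else
 {
@@ -993,7 +996,7 @@ static bool parse_certificate(private_x509_cert_t *this)
 {
 DBG1("critical %s extension not supported",
 (extn_oid == OID_UNKNOWN) ? "unknown" :
-(char*)oid_names[extn_oid].name);
+(char*)oid_names[extn_oid].name);
 goto end;
 }
 break;
@@ -1281,7 +1284,7 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
 {
 return chunk_empty;
 }
-}
+}
 }
 /**
@@ -1476,7 +1479,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 private_key_t *sign_key, int digest_alg)
 {
 chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
-chunk_t serverAuth = chunk_empty, ocspSigning = chunk_empty;
+chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
+chunk_t ocspSigning = chunk_empty;
 chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty;
 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
@@ -1606,6 +1610,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 {
 serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
 }
+if (cert->flags & X509_CLIENT_AUTH)
+{
+clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
+}
 /* add ocspSigning extendedKeyUsage flag */
 if (cert->flags & X509_OCSP_SIGNER)
@@ -1613,13 +1621,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 }
-if (serverAuth.ptr || ocspSigning.ptr)
+if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
 {
 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 asn1_wrap(ASN1_OCTET_STRING, "m",
-asn1_wrap(ASN1_SEQUENCE, "mm",
-serverAuth, ocspSigning)));
+asn1_wrap(ASN1_SEQUENCE, "mmm",
+serverAuth, clientAuth, ocspSigning)));
 }
 /* add subjectKeyIdentifier to CA and OCSP signer certificates */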
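Review bot: The extendedKeyUsage sequence in generate is now wrapped with "mmm" from serverAuth, clientAuth and ocspSigning, and any of the three is still chunk_empty when its flag is not set, so correctness of the encoded extension depends on asn1_wrap emitting nothing for an empty "m" argument; the old "mm" form relied on the same property, but with three optional members it deserves stating at the call site: `/* unset flags leave their chunk empty; asn1_wrap contributes no bytes for an empty "m" chunk */`. generate begins and ends outside these hunks, so the later use of extendedKeyUsage could not be checked. The parse_ipAddrBlocks, parse_certificate and get_subjectKeyIdentifier hunks are whitespace-only and unrelated to the feature; they would be easier to audit in a separate cleanup commit.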
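--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -112,6 +112,10 @@ static int issue()
 {
 flags |= X509_SERVER_AUTH;
 }
+else if (streq(arg, "clientAuth"))
+{
+flags |= X509_CLIENT_AUTH;
+}
 else if (streq(arg, "ocspSigning"))
 {
 flags |= X509_OCSP_SIGNER;
@@ -342,7 +346,7 @@ static void __attribute__ ((constructor))reg()
 {"[--in file] [--type pub|pkcs10]",
 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
-"[--ca] [--pathlen len] [--flag serverAuth|ocspSigning]+",
+"[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
 {
 {"help", 'h', 0, "show usage information"},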