Added support for msSmartcardLogon EKU
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 8 Apr 2014 11:09:03 +0000 (13:09 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 8 Apr 2014 11:09:03 +0000 (13:09 +0200)
src/libstrongswan/asn1/oid.txt
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c
src/pki/commands/issue.c
src/pki/commands/print.c
src/pki/commands/self.c

index 5ed079b..e545188 100644 (file)
                   0x04       "msEncryptingFileSystem"
               0x14           "msEnrollmentInfrastructure"
                 0x02         "msCertificateTypeExtension"
-                  0x02       "msSmartcardLogon"
+                  0x02       "msSmartcardLogon"                        OID_MS_SMARTCARD_LOGON
                   0x03       "msUPN"                                   OID_USER_PRINCIPAL_NAME
               0x15           "msCertSrvInfrastructure"
                 0x07         "msCertTemplate"
index 4e8d431..6cbfcde 100644 (file)
@@ -39,25 +39,27 @@ typedef enum x509_constraint_t x509_constraint_t;
  */
 enum x509_flag_t {
        /** cert has no constraints */
-       X509_NONE =                             0,
+       X509_NONE =                    0,
        /** cert has CA constraint */
-       X509_CA =                               (1<<0),
+       X509_CA =                 (1<<0),
        /** cert has AA constraint */
-       X509_AA =                               (1<<1),
+       X509_AA =                 (1<<1),
        /** cert has OCSP signer constraint */
-       X509_OCSP_SIGNER =              (1<<2),
+       X509_OCSP_SIGNER =        (1<<2),
        /** cert has serverAuth key usage */
-       X509_SERVER_AUTH =              (1<<3),
+       X509_SERVER_AUTH =        (1<<3),
        /** cert has clientAuth key usage */
-       X509_CLIENT_AUTH =              (1<<4),
+       X509_CLIENT_AUTH =        (1<<4),
        /** cert is self-signed */
-       X509_SELF_SIGNED =              (1<<5),
+       X509_SELF_SIGNED =        (1<<5),
        /** cert has an ipAddrBlocks extension */
-       X509_IP_ADDR_BLOCKS =   (1<<6),
+       X509_IP_ADDR_BLOCKS =     (1<<6),
        /** cert has CRL sign key usage */
-       X509_CRL_SIGN =                 (1<<7),
+       X509_CRL_SIGN =           (1<<7),
        /** cert has iKEIntermediate key usage */
-       X509_IKE_INTERMEDIATE = (1<<8),
+       X509_IKE_INTERMEDIATE =   (1<<8),
+       /** cert has Microsoft Smartcard Logon usage */
+       X509_MS_SMARTCARD_LOGON = (1<<9),
 };
 
 /**
index ed850e8..cdffd34 100644 (file)
@@ -758,6 +758,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
                                case OID_OCSP_SIGNING:
                                        this->flags |= X509_OCSP_SIGNER;
                                        break;
+                               case OID_MS_SMARTCARD_LOGON:
+                                       this->flags |= X509_MS_SMARTCARD_LOGON;
+                                       break;
                                default:
                                        break;
                        }
@@ -2008,7 +2011,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
        chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
        chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
-       chunk_t ikeIntermediate = chunk_empty;
+       chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
        identification_t *issuer, *subject;
        chunk_t key_info;
        signature_scheme_t scheme;
@@ -2139,6 +2142,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        {
                ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
        }
+       if (cert->flags & X509_MS_SMARTCARD_LOGON)
+       {
+               msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
+       }
 
        if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
                ocspSigning.ptr)
@@ -2146,9 +2153,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
                                                                asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
                                                                asn1_wrap(ASN1_OCTET_STRING, "m",
-                                                                       asn1_wrap(ASN1_SEQUENCE, "mmmm",
+                                                                       asn1_wrap(ASN1_SEQUENCE, "mmmmm",
                                                                                serverAuth, clientAuth, ikeIntermediate,
-                                                                               ocspSigning)));
+                                                                               ocspSigning, msSmartcardLogon)));
        }
 
        /* add subjectKeyIdentifier to CA and OCSP signer certificates */
index 8d38e2c..d03326e 100644 (file)
@@ -251,6 +251,10 @@ static int issue()
                                {
                                        flags |= X509_OCSP_SIGNER;
                                }
+                               else if (streq(arg, "msSmartcardLogon"))
+                               {
+                                       flags |= X509_MS_SMARTCARD_LOGON;
+                               }
                                continue;
                        case 'f':
                                if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -549,7 +553,7 @@ static void __attribute__ ((constructor))reg()
                {"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
                 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
-                "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+                "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
                 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
                 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
                 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
index 5b00db2..af1a2b2 100644 (file)
@@ -140,6 +140,10 @@ static void print_x509(x509_t *x509)
        {
                printf("iKEIntermediate ");
        }
+       if (flags & X509_MS_SMARTCARD_LOGON)
+       {
+               printf("msSmartcardLogon ");
+       }
        if (flags & X509_SELF_SIGNED)
        {
                printf("self-signed ");
index b684d54..2cb47ba 100644 (file)
@@ -235,6 +235,10 @@ static int self()
                                {
                                        flags |= X509_OCSP_SIGNER;
                                }
+                               else if (streq(arg, "msSmartcardLogon"))
+                               {
+                                       flags |= X509_MS_SMARTCARD_LOGON;
+                               }
                                continue;
                        case 'f':
                                if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -406,7 +410,7 @@ static void __attribute__ ((constructor))reg()
                {" [--in file|--keyid hex] [--type rsa|ecdsa]",
                 " --dn distinguished-name [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
-                "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+                "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
                 "[--nc-permitted name] [--nc-excluded name]",
                 "[--policy-map issuer-oid:subject-oid]",
                 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",