From 98ae0492b684faf3bf2fccfa71dec53d6415a984 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Tue, 8 Apr 2014 13:09:03 +0200
Subject: [PATCH] Added support for msSmartcardLogon EKU

---
 src/libstrongswan/asn1/oid.txt | 2 +-
 src/libstrongswan/credentials/certificates/x509.h | 22 ++++++++++++----------
 src/libstrongswan/plugins/x509/x509_cert.c | 13 ++++++++++---
 src/pki/commands/issue.c | 6 +++++-
 src/pki/commands/print.c | 4 ++++
 src/pki/commands/self.c | 6 +++++-
 6 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 5ed079b..e545188 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -200,7 +200,7 @@
 0x04 "msEncryptingFileSystem"
 0x14 "msEnrollmentInfrastructure"
 0x02 "msCertificateTypeExtension"
- 0x02 "msSmartcardLogon"
+ 0x02 "msSmartcardLogon" OID_MS_SMARTCARD_LOGON
 0x03 "msUPN" OID_USER_PRINCIPAL_NAME
 0x15 "msCertSrvInfrastructure"
 0x07 "msCertTemplate"
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 4e8d431..6cbfcde 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -39,25 +39,27 @@ typedef enum x509_constraint_t x509_constraint_t;
 */
 enum x509_flag_t {
 /** cert has no constraints */
- X509_NONE = 0,
+ X509_NONE = 0,
 /** cert has CA constraint */
- X509_CA = (1<<0),
+ X509_CA = (1<<0),
 /** cert has AA constraint */
- X509_AA = (1<<1),
+ X509_AA = (1<<1),
 /** cert has OCSP signer constraint */
- X509_OCSP_SIGNER = (1<<2),
+ X509_OCSP_SIGNER = (1<<2),
 /** cert has serverAuth key usage */
- X509_SERVER_AUTH = (1<<3),
+ X509_SERVER_AUTH = (1<<3),
 /** cert has clientAuth key usage */
- X509_CLIENT_AUTH = (1<<4),
+ X509_CLIENT_AUTH = (1<<4),
 /** cert is self-signed */
- X509_SELF_SIGNED = (1<<5),
+ X509_SELF_SIGNED = (1<<5),
 /** cert has an ipAddrBlocks extension */
- X509_IP_ADDR_BLOCKS = (1<<6),
+ X509_IP_ADDR_BLOCKS = (1<<6),
 /** cert has CRL sign key usage */
- X509_CRL_SIGN = (1<<7),
+ X509_CRL_SIGN = (1<<7),
 /** cert has iKEIntermediate key usage */
- X509_IKE_INTERMEDIATE = (1<<8),
+ X509_IKE_INTERMEDIATE = (1<<8),
+ /** cert has Microsoft Smartcard Logon usage */
+ X509_MS_SMARTCARD_LOGON = (1<<9),
 };
 /**
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index ed850e8..cdffd34 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -758,6 +758,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 case OID_OCSP_SIGNING:
 this->flags |= X509_OCSP_SIGNER;
 break;
+ case OID_MS_SMARTCARD_LOGON:
+ this->flags |= X509_MS_SMARTCARD_LOGON;
+ break;
 default:
 break;
 }
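Review bot: The doc comment on the new `X509_MS_SMARTCARD_LOGON` enumerator says "Microsoft Smartcard Logon usage", while every neighbouring entry names the exact keyUsage or extendedKeyUsage value it mirrors; for consistency and so that a grep for the EKU name finds the flag, it should read `/** cert has msSmartcardLogon extended key usage */`. The same hunk also re-aligns the nine existing enumerators, a whitespace-only change that hides the single functional line in blame output; such realignment is better kept in its own commit. The enum's surrounding doc comment starts outside the hunk.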
@@ -2008,7 +2011,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
- chunk_t ikeIntermediate = chunk_empty;
+ chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
 identification_t *issuer, *subject;
 chunk_t key_info;
 signature_scheme_t scheme;
@@ -2139,6 +2142,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 {
 ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 }
+ if (cert->flags & X509_MS_SMARTCARD_LOGON)
+ {
+ msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
+ }
 if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || ocspSigning.ptr)
@@ -2146,9 +2153,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmm",
 serverAuth, clientAuth, ikeIntermediate,
- ocspSigning)));
+ ocspSigning, msSmartcardLogon)));
 }
 /* add subjectKeyIdentifier to CA and OCSP signer certificates */
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 8d38e2c..d03326e 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -251,6 +251,10 @@ static int issue()
 {
 flags |= X509_OCSP_SIGNER;
 }
+ else if (streq(arg, "msSmartcardLogon"))
+ {
+ flags |= X509_MS_SMARTCARD_LOGON;
+ }
 continue;
 case 'f':
 if (!get_form(arg, &form, CRED_CERTIFICATE))
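Review bot: In the second generate() hunk the `msSmartcardLogon` OID is built when `X509_MS_SMARTCARD_LOGON` is set, but the guard that decides whether an extendedKeyUsage extension is emitted at all is left as `if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || ocspSigning.ptr)`, so a certificate requested with only the new flag is issued without any EKU and the request is silently dropped. Since `asn1_wrap` takes the chunks in `"m"` (move) mode in the following hunk, the unconsumed chunk also appears to be leaked in that case. The guard should become `if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || ocspSigning.ptr || msSmartcardLogon.ptr)`. generate() starts and ends outside these hunks.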
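Review bot: The `--flag` name-to-bit mapping in issue() grows a fifth `else if (streq(arg, "msSmartcardLogon"))` arm, and the identical arm is added again in self() in self.c, so the two parsers and the two usage strings must now be kept in step by hand. A small shared table of flag-name/`x509_flag_t` pairs looked up by both commands would remove the duplication and let the usage line be derived from it. The switch enclosing this arm starts and ends outside the hunk.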
@@ -549,7 +553,7 @@ static void __attribute__ ((constructor))reg()
 {"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
- "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+ "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 5b00db2..af1a2b2 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -140,6 +140,10 @@ static void print_x509(x509_t *x509)
 {
 printf("iKEIntermediate ");
 }
+ if (flags & X509_MS_SMARTCARD_LOGON)
+ {
+ printf("msSmartcardLogon ");
+ }
 if (flags & X509_SELF_SIGNED)
 {
 printf("self-signed ");
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index b684d54..2cb47ba 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -235,6 +235,10 @@ static int self()
 {
 flags |= X509_OCSP_SIGNER;
 }
+ else if (streq(arg, "msSmartcardLogon"))
+ {
+ flags |= X509_MS_SMARTCARD_LOGON;
+ }
 continue;
 case 'f':
 if (!get_form(arg, &form, CRED_CERTIFICATE))
@@ -406,7 +410,7 @@ static void __attribute__ ((constructor))reg()
 {" [--in file|--keyid hex] [--type rsa|ecdsa]",
 " --dn distinguished-name [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
- "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+ "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 "[--nc-permitted name] [--nc-excluded name]",
 "[--policy-map issuer-oid:subject-oid]",
 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
--
2.7.4