sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-06 00:00:47 -04:00
Code Issues Projects Releases Wiki Activity

set Certificate Sign and CRL Sign flags in keyUsage extension if CA is true

Browse Source
This commit is contained in:
Andreas Steffen 2010-03-07 17:27:53 +01:00
parent 3bcfb271a3
commit 1ec8f22de2
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libstrongswan/asn1/oid.txt
View File

@ -37,7 +37,7 @@
0x1D "id-ce" 0x1D "id-ce"
0x09 "subjectDirectoryAttrs" 0x09 "subjectDirectoryAttrs"
0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID 0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID
0x0F "keyUsage" 0x0F "keyUsage" OID_KEY_USAGE
0x10 "privateKeyUsagePeriod" 0x10 "privateKeyUsagePeriod"
0x11 "subjectAltName" OID_SUBJECT_ALT_NAME 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
0x12 "issuerAltName" 0x12 "issuerAltName"

17
src/libstrongswan/plugins/x509/x509_cert.c
View File

@ -1481,7 +1481,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty; chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
chunk_t ocspSigning = chunk_empty; chunk_t ocspSigning = chunk_empty;
chunk_t basicConstraints = chunk_empty, subjectAltNames = chunk_empty; chunk_t basicConstraints = chunk_empty;
chunk_t keyUsage = chunk_empty;
chunk_t subjectAltNames = chunk_empty;
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
identification_t *issuer, *subject; identification_t *issuer, *subject;
@ -1583,7 +1585,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess))); asn1_wrap(ASN1_SEQUENCE, "m", authorityInfoAccess)));
} }
/* build CA basicConstraint for CA certificates */ /* build CA basicConstraint and keyUsage flags for CA certificates */
if (cert->flags & X509_CA) if (cert->flags & X509_CA)
{ {
chunk_t pathLenConstraint = chunk_empty; chunk_t pathLenConstraint = chunk_empty;
@ -1603,6 +1605,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BOOLEAN, "c", asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)), chunk_from_chars(0xFF)),
pathLenConstraint))); pathLenConstraint)));
keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
asn1_build_known_oid(OID_KEY_USAGE),
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
asn1_wrap(ASN1_OCTET_STRING, "m",
asn1_wrap(ASN1_BIT_STRING, "c",
chunk_from_chars(0x01, 0x06))));
} }
/* add serverAuth extendedKeyUsage flag */ /* add serverAuth extendedKeyUsage flag */
@ -1663,8 +1672,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
crlDistributionPoints.ptr) crlDistributionPoints.ptr)
{ {
extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
asn1_wrap(ASN1_SEQUENCE, "mmmmmmm", asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
basicConstraints, subjectKeyIdentifier, basicConstraints, keyUsage, subjectKeyIdentifier,
authKeyIdentifier, subjectAltNames, authKeyIdentifier, subjectAltNames,
extendedKeyUsage, crlDistributionPoints, extendedKeyUsage, crlDistributionPoints,
authorityInfoAccess)); authorityInfoAccess));