Hi,

The extended key usages id-kp-ipsecEndSystem, id-kp-ipsecTunnel and
id-kp-ipsecUser are obsoleted by RFC 4945 § 5.1.3.12, the section titled
"ExtendedKeyUsage":

...  Note that there were three IPsec-related object identifiers in EKU
that were assigned in 1999. The semantics of these values were never
clearly defined. The use of these three EKU values in IKE/IPsec is
obsolete and explicitly deprecated by this specification. CAs SHOULD NOT
issue certificates for use in IKE with them. (For historical reference
only, those values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and
id-kp-ipsecUser.)  ...

I believe that the attached patch removes these extended key usages to
comply with the SHOULD NOT requirement in RFC 4945.

Note: a new extended key usage for the Internet Key Exchange (IKE),
id-kp-ipsecIKE, has since been defined. A follow-up issue will be created
to add that one.

Micah




diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index fe46624..e2345fb 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -334,9 +336,6 @@ static const unsigned char lvalues[5824]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2129] OBJ_sbgp_autonomousSysNum */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2137] OBJ_sbgp_routerIdentifier */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2145] OBJ_textNotice */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2153] OBJ_ipsecEndSystem */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2161] OBJ_ipsecTunnel */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07,     /* [2169] OBJ_ipsecUser */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A,     /* [2177] OBJ_dvcs */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01,     /* [2185] OBJ_id_it_caProtEncCert */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02,     /* [2193] OBJ_id_it_signKeyPairTypes */
@@ -1357,10 +1358,6 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 {"sbgp-routerIdentifier","sbgp-routerIdentifier",
 	NID_sbgp_routerIdentifier,8,&(lvalues[2137]),0},
 {"textNotice","textNotice",NID_textNotice,8,&(lvalues[2145]),0},
-{"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
-	&(lvalues[2153]),0},
-{"ipsecTunnel","IPSec Tunnel",NID_ipsecTunnel,8,&(lvalues[2161]),0},
-{"ipsecUser","IPSec User",NID_ipsecUser,8,&(lvalues[2169]),0},
 {"DVCS","dvcs",NID_dvcs,8,&(lvalues[2177]),0},
 {"id-it-caProtEncCert","id-it-caProtEncCert",NID_id_it_caProtEncCert,
 	8,&(lvalues[2185]),0},
@@ -2897,9 +2894,6 @@ static const unsigned int sn_objs[NUM_SN]={
 647,	/* "international-organizations" */
 869,	/* "internationaliSDNNumber" */
 142,	/* "invalidityDate" */
-294,	/* "ipsecEndSystem" */
-295,	/* "ipsecTunnel" */
-296,	/* "ipsecUser" */
 86,	/* "issuerAltName" */
 770,	/* "issuingDistributionPoint" */
 492,	/* "janetMailbox" */
@@ -4629,7 +4623,4 @@ static const unsigned int obj_objs[NUM_OBJ]={
 130,	/* OBJ_client_auth                  1 3 6 1 5 5 7 3 2 */
 131,	/* OBJ_code_sign                    1 3 6 1 5 5 7 3 3 */
 132,	/* OBJ_email_protect                1 3 6 1 5 5 7 3 4 */
-294,	/* OBJ_ipsecEndSystem               1 3 6 1 5 5 7 3 5 */
-295,	/* OBJ_ipsecTunnel                  1 3 6 1 5 5 7 3 6 */
-296,	/* OBJ_ipsecUser                    1 3 6 1 5 5 7 3 7 */
 133,	/* OBJ_time_stamp                   1 3 6 1 5 5 7 3 8 */
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
index 27304e1..decf0cc 100644
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -1500,21 +1500,6 @@
 #define NID_email_protect		132
 #define OBJ_email_protect		OBJ_id_kp,4L
 
-#define SN_ipsecEndSystem		"ipsecEndSystem"
-#define LN_ipsecEndSystem		"IPSec End System"
-#define NID_ipsecEndSystem		294
-#define OBJ_ipsecEndSystem		OBJ_id_kp,5L
-
-#define SN_ipsecTunnel		"ipsecTunnel"
-#define LN_ipsecTunnel		"IPSec Tunnel"
-#define NID_ipsecTunnel		295
-#define OBJ_ipsecTunnel		OBJ_id_kp,6L
-
-#define SN_ipsecUser		"ipsecUser"
-#define LN_ipsecUser		"IPSec User"
-#define NID_ipsecUser		296
-#define OBJ_ipsecUser		OBJ_id_kp,7L
-
 #define SN_time_stamp		"timeStamping"
 #define LN_time_stamp		"Time Stamping"
 #define NID_time_stamp		133
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 8c50aac..4bc3dfb 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -291,9 +291,6 @@ sbgp_ipAddrBlock		290
 sbgp_autonomousSysNum		291
 sbgp_routerIdentifier		292
 textNotice		293
-ipsecEndSystem		294
-ipsecTunnel		295
-ipsecUser		296
 dvcs		297
 id_it_caProtEncCert		298
 id_it_signKeyPairTypes		299
\ No newline at end of file
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 52ac0a6..f477aa5 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -481,8 +481,5 @@ id-kp 2			: clientAuth		: TLS Web Client Authentication
 id-kp 3			: codeSigning		: Code Signing
 !Cname email-protect
 id-kp 4			: emailProtection	: E-mail Protection
-id-kp 5			: ipsecEndSystem	: IPSec End System
-id-kp 6			: ipsecTunnel		: IPSec Tunnel
-id-kp 7			: ipsecUser		: IPSec User
 !Cname time-stamp
 id-kp 8			: timeStamping		: Time Stamping
