According to RFC 4945 ยง 5.1.3.12 section title "ExtendedKeyUsage"[0] the following extended key usage has been added:
... this document defines an ExtendedKeyUsage keyPurposeID that MAY be used to limit a certificate's use: id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 } where id-kp is defined in RFC 3280 [5]. If a certificate is intended to be used with both IKE and other applications, and one of the other applications requires use of an EKU value, then such certificates MUST contain either the keyPurposeID id-kp-ipsecIKE or anyExtendedKeyUsage [5], as well as the keyPurposeID values associated with the other applications. Similarly, if a CA issues multiple otherwise-similar certificates for multiple applications including IKE, and it is intended that the IKE certificate NOT be used with another application, the IKE certificate MAY contain an EKU extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its use with the other application. Recall, however, that EKU extensions in certificates meant for use in IKE are NOT RECOMMENDED. Conforming IKE implementations are not required to support EKU. If a critical EKU extension appears in a certificate and EKU is not supported by the implementation, then RFC 3280 requires that the certificate be rejected. Implementations that do support EKU MUST support the following logic for certificate validation: o If no EKU extension, continue. o If EKU present AND contains either id-kp-ipsecIKE or anyExtendedKeyUsage, continue. o Otherwise, reject cert. I believe that the attached patch adds the ipsecIKE extended key usage flag to openssl. Micah 0. http://tools.ietf.org/html/rfc4945#section-5.1.3.12 --
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index fe46624..e2345fb 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -175,6 +175,8 @@ static const unsigned char lvalues[5824]={ 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03, /* [666] OBJ_code_sign */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04, /* [674] OBJ_email_protect */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08, /* [682] OBJ_time_stamp */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09, /* [682] OBJ_OSCPSigning */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x17, /* [684] OBJ_ipsecIKE */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [690] OBJ_ms_code_ind */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [700] OBJ_ms_code_com */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [710] OBJ_ms_ctl_sign */ @@ -1091,6 +1090,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ {"emailProtection","E-mail Protection",NID_email_protect,8, &(lvalues[674]),0}, {"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[682]),0}, +{"OSCPSigning", "OSCP Signing",NID_OSCPSigning,8,&(lvalues[683]),0}, +{"ipsecIKE", "ipsec Internet Key Exchange (IKE)",NID_ipsecIKE,8,&(lvalues[684]),0}, {"msCodeInd","Microsoft Individual Code Signing",NID_ms_code_ind,10, &(lvalues[690]),0}, {"msCodeCom","Microsoft Commercial Code Signing",NID_ms_code_com,10, @@ -4636,5 +4627,6 @@ 180, /* OBJ_OCSP_sign 1 3 6 1 5 5 7 3 9 */ 297, /* OBJ_dvcs 1 3 6 1 5 5 7 3 10 */ +893, /* OBJ_ipsec_IKE 1 3 6 1 5 5 7 3 17 */ 298, /* OBJ_id_it_caProtEncCert 1 3 6 1 5 5 7 4 1 */ 299, /* OBJ_id_it_signKeyPairTypes 1 3 6 1 5 5 7 4 2 */ 300, /* OBJ_id_it_encKeyPairTypes 1 3 6 1 5 5 7 4 3 */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index 27304e1..decf0cc 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -1530,6 +1515,11 @@ #define NID_dvcs 297 #define OBJ_dvcs OBJ_id_kp,10L +#define SN_ipsec_IKE "ipsecIKE" +#define LN_ipsec_IKE "ipsec Internet Key Exchange (IKE)" +#define NID_ipsec_IKE 893 +#define OBJ_ipsec_IKE OBJ_id_kp,17L + #define SN_id_it_caProtEncCert "id-it-caProtEncCert" #define NID_id_it_caProtEncCert 298 #define OBJ_id_it_caProtEncCert OBJ_id_it,1L diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 8c50aac..4bc3dfb 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -890,3 +887,4 @@ houseIdentifier 889 supportedAlgorithms 890 deltaRevocationList 891 dmdName 892 +ipsecIKE 893 \ No newline at end of file diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h index bd0ee52..191c895 100644 --- a/crypto/objects/objects.h +++ b/crypto/objects/objects.h @@ -714,6 +714,16 @@ #define NID_time_stamp 133 #define OBJ_time_stamp OBJ_id_kp,8L +#define SN_OCSP_sign "OCSPSigning" +#define LN_OCSP_sign "OCSP Signing" +#define NID_OCSP_sign 180 +#define OBJ_OCSP_sign OBJ_id_kp,9L + +#define SN_ipsec_IKE "ipsecIKE" +#define LN_ipsec_IKE "ipsec Internet Key Exchange (IKE)" +#define NID_ipsec_IKE 893 +#define OBJ_ipsec_IKE OBJ_id_kp,17L + /* Additional extended key usage OIDs: Microsoft */ #define SN_ms_code_ind "msCodeInd" diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 52ac0a6..f477aa5 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -488,8 +485,12 @@ id-kp 8 : timeStamping : Time Stamping # From OCSP spec RFC2560 !Cname OCSP-sign id-kp 9 : OCSPSigning : OCSP Signing id-kp 10 : DVCS : dvcs +# From Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX RFC4945 +!Cname ipsec-IKE +id-kp 17 : ipsecIKE : ipsec Internet Key Exchange (IKE) + # CMP information types id-it 1 : id-it-caProtEncCert diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod index 0450067..e138eb3 100644 --- a/doc/apps/x509v3_config.pod +++ b/doc/apps/x509v3_config.pod @@ -115,6 +115,8 @@ following PKIX, NS and MS values are meaningful: codeSigning Code signing. emailProtection E-mail Protection (S/MIME). timeStamping Trusted Timestamping + OCSPSigning OCSP Signing + ipsecIKE ipsec Internet Key Exchange (IKE) msCodeInd Microsoft Individual Code Signing (authenticode) msCodeCom Microsoft Commercial Code Signing (authenticode) msCTLSign Microsoft Trust List Signing