2010/9/29 Micah Anderson via RT <[email protected]>
>
> According to RFC 4945 ยง 5.1.3.12 section title "ExtendedKeyUsage"[0] the
> following extended key usage has been added:
>
> ... this document defines an ExtendedKeyUsage keyPurposeID that MAY be
> used to limit a certificate's use:
>
> id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }
>
> where id-kp is defined in RFC 3280 [5]. If a certificate is intended
> to be used with both IKE and other applications, and one of the other
> applications requires use of an EKU value, then such certificates
> MUST contain either the keyPurposeID id-kp-ipsecIKE or
> anyExtendedKeyUsage [5], as well as the keyPurposeID values
> associated with the other applications. Similarly, if a CA issues
> multiple otherwise-similar certificates for multiple applications
> including IKE, and it is intended that the IKE certificate NOT be
> used with another application, the IKE certificate MAY contain an EKU
> extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
> use with the other application. Recall, however, that EKU extensions
> in certificates meant for use in IKE are NOT RECOMMENDED.
>
> Conforming IKE implementations are not required to support EKU. If a
> critical EKU extension appears in a certificate and EKU is not
> supported by the implementation, then RFC 3280 requires that the
> certificate be rejected. Implementations that do support EKU MUST
> support the following logic for certificate validation:
>
> o If no EKU extension, continue.
>
> o If EKU present AND contains either id-kp-ipsecIKE or
> anyExtendedKeyUsage, continue.
>
> o Otherwise, reject cert.
>
>
> I believe that the attached patch adds the ipsecIKE extended key usage
> flag to openssl.
>
> Micah
>
>
>
> 0. http://tools.ietf.org/html/rfc4945#section-5.1.3.12
>
> Hi,
I took a look at your patch just by curiosity because I can't judge it.
However, there is a wrong copy/paste in obj_dat.h, even though this file is
generated automatically :
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08, /* *[682]* OBJ_time_stamp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09, /* *[682]* OBJ_OSCPSigning */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x17, /* [684] OBJ_ipsecIKE */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [690] OBJ_ms_code_ind
*/
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [700] OBJ_ms_code_com
*/
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [710] OBJ_ms_ctl_sign
*/
@@ -1091,6 +1090,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
{"emailProtection","E-mail Protection",NID_email_protect,8,
&(lvalues[674]),0},
{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[682]),0},
+{"OSCPSigning", "OSCP Signing",NID_OSCPSigning,8,&(lvalues*[683]*),0},
+{"ipsecIKE", "ipsec Internet Key Exchange
(IKE)",NID_ipsecIKE,8,&(lvalues[684]),0},
