0x04 "msEncryptingFileSystem"
0x14 "msEnrollmentInfrastructure"
0x02 "msCertificateTypeExtension"
- 0x02 "msSmartcardLogon"
+ 0x02 "msSmartcardLogon" OID_MS_SMARTCARD_LOGON
0x03 "msUPN" OID_USER_PRINCIPAL_NAME
0x15 "msCertSrvInfrastructure"
0x07 "msCertTemplate"
*/
enum x509_flag_t {
/** cert has no constraints */
- X509_NONE = 0,
+ X509_NONE = 0,
/** cert has CA constraint */
- X509_CA = (1<<0),
+ X509_CA = (1<<0),
/** cert has AA constraint */
- X509_AA = (1<<1),
+ X509_AA = (1<<1),
/** cert has OCSP signer constraint */
- X509_OCSP_SIGNER = (1<<2),
+ X509_OCSP_SIGNER = (1<<2),
/** cert has serverAuth key usage */
- X509_SERVER_AUTH = (1<<3),
+ X509_SERVER_AUTH = (1<<3),
/** cert has clientAuth key usage */
- X509_CLIENT_AUTH = (1<<4),
+ X509_CLIENT_AUTH = (1<<4),
/** cert is self-signed */
- X509_SELF_SIGNED = (1<<5),
+ X509_SELF_SIGNED = (1<<5),
/** cert has an ipAddrBlocks extension */
- X509_IP_ADDR_BLOCKS = (1<<6),
+ X509_IP_ADDR_BLOCKS = (1<<6),
/** cert has CRL sign key usage */
- X509_CRL_SIGN = (1<<7),
+ X509_CRL_SIGN = (1<<7),
/** cert has iKEIntermediate key usage */
- X509_IKE_INTERMEDIATE = (1<<8),
+ X509_IKE_INTERMEDIATE = (1<<8),
+ /** cert has Microsoft Smartcard Logon usage */
+ X509_MS_SMARTCARD_LOGON = (1<<9),
};
/**
case OID_OCSP_SIGNING:
this->flags |= X509_OCSP_SIGNER;
break;
+ case OID_MS_SMARTCARD_LOGON:
+ this->flags |= X509_MS_SMARTCARD_LOGON;
+ break;
default:
break;
}
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
- chunk_t ikeIntermediate = chunk_empty;
+ chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
identification_t *issuer, *subject;
chunk_t key_info;
signature_scheme_t scheme;
{
ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
}
+ if (cert->flags & X509_MS_SMARTCARD_LOGON)
+ {
+ msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
+ }
if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
ocspSigning.ptr)
extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmm",
+ asn1_wrap(ASN1_SEQUENCE, "mmmmm",
serverAuth, clientAuth, ikeIntermediate,
- ocspSigning)));
+ ocspSigning, msSmartcardLogon)));
}
/* add subjectKeyIdentifier to CA and OCSP signer certificates */
{
flags |= X509_OCSP_SIGNER;
}
+ else if (streq(arg, "msSmartcardLogon"))
+ {
+ flags |= X509_MS_SMARTCARD_LOGON;
+ }
continue;
case 'f':
if (!get_form(arg, &form, CRED_CERTIFICATE))
{"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
" --cacert file [--dn subject-dn] [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
- "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+ "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
"[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
"[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
{
printf("iKEIntermediate ");
}
+ if (flags & X509_MS_SMARTCARD_LOGON)
+ {
+ printf("msSmartcardLogon ");
+ }
if (flags & X509_SELF_SIGNED)
{
printf("self-signed ");
{
flags |= X509_OCSP_SIGNER;
}
+ else if (streq(arg, "msSmartcardLogon"))
+ {
+ flags |= X509_MS_SMARTCARD_LOGON;
+ }
continue;
case 'f':
if (!get_form(arg, &form, CRED_CERTIFICATE))
{" [--in file|--keyid hex] [--type rsa|ecdsa]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
- "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+ "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
"[--nc-permitted name] [--nc-excluded name]",
"[--policy-map issuer-oid:subject-oid]",
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",