Added support for iKEIntermediate X.509 extended key usage flag.
authorTobias Brunner <tobias@strongswan.org>
Thu, 15 Dec 2011 15:54:49 +0000 (16:54 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 20 Mar 2012 16:31:24 +0000 (17:31 +0100)
Mac OS X requires server certificates to have this flag set.

src/libcharon/plugins/stroke/stroke_list.c
src/libstrongswan/asn1/oid.txt
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c

index d2fda1b3c8073c025805460c10dc167e022ccfac..eb160471e3d53078d1ce64f1406bb7a66a20f456 100644 (file)
@@ -799,8 +799,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
        x509_flag_t flag_mask;
 
        /* mask all auxiliary flags */
-       flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
-                                 X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
+       flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
+                                 X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
 
        enumerator = list->create_enumerator(list);
        while (enumerator->enumerate(enumerator, (void**)&cert))
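Review bot: Adding X509_IKE_INTERMEDIATE to flag_mask only keeps a certificate carrying that EKU listed under its primary label; if this file also prints the per-certificate purposes (serverAuth, clientAuth) somewhere outside the hunk, the new purpose presumably needs printing too, otherwise an operator cannot confirm from the listing that a server certificate meets the requirement the commit description mentions. The mask is maintained by hand and silently goes stale whenever a new auxiliary flag is added to x509_flag_t, so the comment above it should say so: `/* mask all auxiliary flags (keep in sync with x509_flag_t in x509.h) */`. The body of stroke_list_certs continues beyond the hunk.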
index f16287cb293c035d2a3cf0b6e94d743838af8606..73c0688513261120e3b5242ed1fb2be55ea3bf16 100644 (file)
               0x02           "caIssuers"                               OID_CA_ISSUERS
               0x03           "timeStamping"
               0x05           "caRepository"
+          0x08               "ipsec"
+            0x02             "certificate"
+              0x02           "iKEIntermediate"                         OID_IKE_INTERMEDIATE
   0x0E                       "oiw"
     0x03                     "secsig"
       0x02                   "algorithms"
index ba3766b1fa93c8c70536410babdb27238407543d..8bd2a6a83779a4c5163bf121632d1281721d0027 100644 (file)
@@ -56,6 +56,8 @@ enum x509_flag_t {
        X509_IP_ADDR_BLOCKS =   (1<<6),
        /** cert has CRL sign key usage */
        X509_CRL_SIGN =                 (1<<7),
+       /** cert has iKEIntermediate key usage */
+       X509_IKE_INTERMEDIATE = (1<<8),
 };
 
 /**
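Review bot: The comment on the new enumerator says "key usage", but iKEIntermediate is an extendedKeyUsage purpose (the x509_cert.c hunk sets it from parse_extendedKeyUsage), whereas X509_CRL_SIGN directly above is a KeyUsage bit; the distinction matters to anyone deciding which extension a flag reflects, so the line should read `/** cert has iKEIntermediate extended key usage */`. Bit 8 appears free judging by the neighbouring values, but the enum starts outside the hunk, so that should be confirmed against the rest of x509_flag_t.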
index 6db2e6869e3087032cb47c7371e0ccd7ec720bd0..cba1a46105a85341caac7f4d76fffd0ede40ad70 100644 (file)
@@ -752,6 +752,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
                                case OID_CLIENT_AUTH:
                                        this->flags |= X509_CLIENT_AUTH;
                                        break;
+                               case OID_IKE_INTERMEDIATE:
+                                       this->flags |= X509_IKE_INTERMEDIATE;
+                                       break;
                                case OID_OCSP_SIGNING:
                                        this->flags |= X509_OCSP_SIGNER;
                                        break;
@@ -1994,6 +1997,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
        chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
        chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
+       chunk_t ikeIntermediate = chunk_empty;
        identification_t *issuer, *subject;
        chunk_t key_info;
        signature_scheme_t scheme;
@@ -2107,7 +2111,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                        asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
        }
 
-       /* add serverAuth extendedKeyUsage flag */
+       /* add extendedKeyUsage flags */
        if (cert->flags & X509_SERVER_AUTH)
        {
                serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
@@ -2116,20 +2120,24 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
        {
                clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
        }
-
-       /* add ocspSigning extendedKeyUsage flag */
+       if (cert->flags & X509_IKE_INTERMEDIATE)
+       {
+               ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
+       }
        if (cert->flags & X509_OCSP_SIGNER)
        {
                ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
        }
 
-       if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
+       if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
+               ocspSigning.ptr)
        {
                extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
                                                                asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
                                                                asn1_wrap(ASN1_OCTET_STRING, "m",
-                                                                       asn1_wrap(ASN1_SEQUENCE, "mmm",
-                                                                               serverAuth, clientAuth, ocspSigning)));
+                                                                       asn1_wrap(ASN1_SEQUENCE, "mmmm",
+                                                                               serverAuth, clientAuth, ikeIntermediate,
+                                                                               ocspSigning)));
        }
 
        /* add subjectKeyIdentifier to CA and OCSP signer certificates */
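Review bot: The `asn1_wrap(ASN1_SEQUENCE, "mmmm", ...)` call depends on two things the code does not state: the format string's length must match the number of chunk arguments, and the "m" mode hands ownership of each chunk, including a still-empty `ikeIntermediate`, to the wrapper, which is why no free follows; the original already relied on this for serverAuth and the others, but the coupling is what the next added purpose will get wrong. A comment above the combined condition would make it explicit: `/* emit the extension only if a purpose is set; "m" moves (and frees) each chunk, empty ones included */`. The new case in parse_extendedKeyUsage mirrors the serverAuth/clientAuth cases and introduces no new parsing of the untrusted DER; unknown OIDs are presumably ignored by a default branch outside that hunk. generate's body begins and ends outside the hunk.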