

From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_1-12-g2be55b1
Date: Wed, 29 Sep 2010 07:41:47 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=2be55b1509f5cbeae63fe64e02a849c404fcc008

The branch, gnutls_2_10_x has been updated
       via  2be55b1509f5cbeae63fe64e02a849c404fcc008 (commit)
      from  e2dacaf9816653e21f6e4eb4f75ca35069be3e48 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2be55b1509f5cbeae63fe64e02a849c404fcc008
Author: Micah Anderson <address@hidden>
Date:   Wed Sep 29 00:14:56 2010 -0400

    Add new extended key usage ipsecIKE
    
    According to RFC 4945 § 5.1.3.12 (section title "ExtendedKeyUsage")[0], the
    following extended key usage has been added:
    
     ... this document defines an ExtendedKeyUsage keyPurposeID that MAY be
       used to limit a certificate's use:
    
       id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }
    
       where id-kp is defined in RFC 3280 [5].  If a certificate is intended
       to be used with both IKE and other applications, and one of the other
       applications requires use of an EKU value, then such certificates
       MUST contain either the keyPurposeID id-kp-ipsecIKE or
       anyExtendedKeyUsage [5], as well as the keyPurposeID values
       associated with the other applications.  Similarly, if a CA issues
       multiple otherwise-similar certificates for multiple applications
       including IKE, and it is intended that the IKE certificate NOT be
       used with another application, the IKE certificate MAY contain an EKU
       extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
       use with the other application.  Recall, however, that EKU extensions
       in certificates meant for use in IKE are NOT RECOMMENDED.
    
       Conforming IKE implementations are not required to support EKU.  If a
       critical EKU extension appears in a certificate and EKU is not
       supported by the implementation, then RFC 3280 requires that the
       certificate be rejected.  Implementations that do support EKU MUST
       support the following logic for certificate validation:
    
       o  If no EKU extension, continue.
    
       o  If EKU present AND contains either id-kp-ipsecIKE or
          anyExtendedKeyUsage, continue.
    
       o  Otherwise, reject cert.
    
    Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>

-----------------------------------------------------------------------

Summary of changes:
 NEWS                       |    2 ++
 doc/certtool.cfg           |    3 +++
 lib/includes/gnutls/x509.h |    1 +
 lib/x509/output.c          |    2 ++
 src/certtool-cfg.c         |   18 ++++++++++++++++++
 src/certtool-cfg.h         |    2 +-
 src/certtool.c             |   21 +++++++++++++++++++++
 7 files changed, 48 insertions(+), 1 deletions(-)

diff --git a/NEWS b/NEWS
index fc6612c..32e6ab8 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ See the end for copying conditions.
 
 ** Use Libtool 2.2.10 to ease MinGW64 builds.
 
+** libgnutls: Add new extended key usage ipsecIKE.
+
 ** libgnutls: Is now more liberal in the PEM decoding.
 That is spaces and tabs are being skipped.
 
diff --git a/doc/certtool.cfg b/doc/certtool.cfg
index 7259760..db6ba70 100644
--- a/doc/certtool.cfg
+++ b/doc/certtool.cfg
@@ -88,6 +88,9 @@ signing_key
 # Whether this key will be used for time stamping.
 #time_stamping_key
 
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
+
 #a space separated list of key purpose OIDs to be added
 #key_purpose_oids = "1.3.6.1.5.5.7.3.1" "1.2.3.4.5.6"
 
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 7ff7bde..9a338b1 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -78,6 +78,7 @@ extern "C"
 #define GNUTLS_KP_EMAIL_PROTECTION             "1.3.6.1.5.5.7.3.4"
 #define GNUTLS_KP_TIME_STAMPING                        "1.3.6.1.5.5.7.3.8"
 #define GNUTLS_KP_OCSP_SIGNING                 "1.3.6.1.5.5.7.3.9"
+#define GNUTLS_KP_IPSEC_IKE                    "1.3.6.1.5.5.7.3.17"
 #define GNUTLS_KP_ANY                          "2.5.29.37.0"
 
 #define GNUTLS_FSAN_SET 0
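Review bot: The new constant on the `+` line carries no pointer to where its value comes from, so a reader of x509.h cannot check that 1.3.6.1.5.5.7.3.17 is id-kp-ipsecIKE without finding this commit message. The neighbouring defines are equally bare, but this one appears to be the first whose arc comes from an RFC other than 3280, so a trailing comment earns its place: `#define GNUTLS_KP_IPSEC_IKE "1.3.6.1.5.5.7.3.17" /* id-kp-ipsecIKE, RFC 4945 5.1.3.12 */`.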
diff --git a/lib/x509/output.c b/lib/x509/output.c
index f4ea366..6f038c3 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -469,6 +469,8 @@ print_key_purpose (gnutls_string * str, const char *prefix, 
int type,
        addf (str, _("%s\t\t\tTime stamping.\n"), prefix);
       else if (strcmp (buffer, GNUTLS_KP_OCSP_SIGNING) == 0)
        addf (str, _("%s\t\t\tOCSP signing.\n"), prefix);
+      else if (strcmp (buffer, GNUTLS_KP_IPSEC_IKE) == 0)
+       addf (str, _("%s\t\t\tIpsec IKE.\n"), prefix);
       else if (strcmp (buffer, GNUTLS_KP_ANY) == 0)
        addf (str, _("%s\t\t\tAny purpose.\n"), prefix);
       else
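Review bot: The added display string `Ipsec IKE.` spells the protocol differently from the rest of this commit (`IPsec IKE` in doc/certtool.cfg and in the certtool prompt), and because it is wrapped in `_()` the misspelling would be copied into every translation catalog. Change the line to `addf (str, _("%s\t\t\tIPsec IKE.\n"), prefix);`. print_key_purpose starts and ends outside the hunk.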
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 41bcc17..f9ed00d 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -76,6 +76,7 @@ typedef struct _cfg_ctx
   int code_sign_key;
   int ocsp_sign_key;
   int time_stamping_key;
+  int ipsec_ike_key;
   char **key_purpose_oids;
   int crl_next_update;
   int crl_number;
@@ -166,6 +167,8 @@ template_parse (const char *template)
      (void *) &cfg.ocsp_sign_key, 0},
     {NULL, '\0', "time_stamping_key", CFG_BOOL,
      (void *) &cfg.time_stamping_key, 0},
+    {NULL, '\0', "ipsec_ike_key", CFG_BOOL,
+     (void *) &cfg.ipsec_ike_key, 0},
     {NULL, '\0', "proxy_policy_language", CFG_STR,
      (void *) &cfg.proxy_policy_language, 0},
     CFG_END_OF_LIST
@@ -1139,6 +1142,21 @@ get_time_stamp_status (void)
 }
 
 int
+get_ipsec_ike_status (void)
+{
+  if (batch)
+    {
+      return cfg.ipsec_ike_key;
+    }
+  else
+    {
+      return
+       read_yesno
+       ("Will the certificate be used for IPsec IKE operations? (y/N): ");
+    }
+}
+
+int
 get_crl_next_update (void)
 {
   int days;
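Review bot: get_ipsec_ike_status has no comment telling the operator when answering yes is appropriate, even though the commit message quotes RFC 4945 saying an EKU extension in a certificate meant for IKE is NOT RECOMMENDED, and that a peer rejects any certificate whose EKU lists neither id-kp-ipsecIKE nor anyExtendedKeyUsage. A header comment would stop the next maintainer from treating this like the other purpose flags: `/* RFC 4945 5.1.3.12: EKU is NOT RECOMMENDED for IKE-only certificates; say yes only when the certificate must also carry other EKU values, since IKE peers then require ipsecIKE or anyExtendedKeyUsage to be present. */`. The interactive default of N on the prompt is consistent with that recommendation, and the batch path simply returns the `cfg.ipsec_ike_key` value filled in by template_parse.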
diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index e44183b..44be8e9 100644
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -46,7 +46,7 @@ int get_sign_status (int server);
 void get_ip_addr_set (int type, void *crt);
 void get_dns_name_set (int type, void *crt);
 void get_email_set (int type, void *crt);
-
+int get_ipsec_ike_status(void);
 
 void get_cn_crq_set (gnutls_x509_crq_t crq);
 void get_uid_crq_set (gnutls_x509_crq_t crq);
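Review bot: The new prototype `int get_ipsec_ike_status(void);` omits the space before the parameter list that every neighbouring declaration uses (`int get_sign_status (int server);`), and it replaces the blank line that separated the `get_*_set` group from the `get_*_crq_set` group instead of sitting next to the other status getters. Write it as `int get_ipsec_ike_status (void);` and restore the blank line; the declaration of get_time_stamp_status is not visible in this hunk, so which group the new one belongs beside can only be inferred.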
diff --git a/src/certtool.c b/src/certtool.c
index 51139ba..30cde61 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -543,6 +543,18 @@ generate_certificate (gnutls_x509_privkey_t * ret_key,
                error (EXIT_FAILURE, 0, "key_kp: %s",
                       gnutls_strerror (result));
            }
+
+         result = get_ipsec_ike_status ();
+         if (result)
+           {
+             result =
+               gnutls_x509_crt_set_key_purpose_oid (crt,
+                                                    GNUTLS_KP_IPSEC_IKE,
+                                                    0);
+             if (result < 0)
+               error (EXIT_FAILURE, 0, "key_kp: %s",
+                      gnutls_strerror (result));
+           }
        }
 
       if (usage != 0)
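Review bot: The third argument 0 to gnutls_x509_crt_set_key_purpose_oid makes the extension non-critical, which is the right choice here since the commit message quotes RFC 4945 saying an IKE implementation without EKU support must reject a certificate with a critical EKU, but nothing in the code records that this is deliberate rather than copied from the stanza above. Put a comment before the call, e.g. `/* non-critical: RFC 4945 says IKE peers without EKU support reject a critical EKU */`. The enclosing if-block that holds all the purpose stanzas starts outside the hunk.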
@@ -1992,6 +2004,15 @@ generate_request (void)
              if (ret < 0)
                error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
            }
+
+         ret = get_ipsec_ike_status ();
+         if (ret)
+           {
+             ret = gnutls_x509_crq_set_key_purpose_oid
+               (crq, GNUTLS_KP_IPSEC_IKE, 0);
+             if (ret < 0)
+               error (EXIT_FAILURE, 0, "key_kp: %s", gnutls_strerror (ret));
+           }
        }
 
       ret = gnutls_x509_crq_set_key_usage (crq, usage);
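Review bot: This stanza is another copy of the get_*_status()/set_key_purpose_oid pattern, and generate_certificate gains the identical one in the earlier hunk, so every new key purpose now has to be added in two places under the same error label `key_kp` with nothing keeping them in step. A small static table of (status getter, OID) pairs walked by a loop in both functions would turn additions like this into a one-line change; that refactor is beyond this commit, but a `/* TODO: table-drive these purpose stanzas, kept in sync with generate_certificate */` comment would flag it. The enclosing block starts outside the hunk.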


hooks/post-receive
-- 
GNU gnutls


