summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Relyea <rrelyea@redhat.com>2018-11-09 15:42:43 -0800
committerRobert Relyea <rrelyea@redhat.com>2018-11-09 15:42:43 -0800
commit9dcbb13974272886b6e1499b092166aed6016bd4 (patch)
tree263fd459dff9a2154e8bfcc6e954eb4d4749467d
parent34805e5f374fb05deb2f4c04549904ade45bfdd6 (diff)
downloadnss-hg-9dcbb13974272886b6e1499b092166aed6016bd4.tar.gz
# Bug 1252891 Implement certUsageIPSec as defined in RFC 4945
Patch by Kai r=rrelyea
Diffstat
-rw-r--r--cmd/certutil/certutil.c4
-rw-r--r--cmd/dbck/dbrecover.c3
-rw-r--r--cmd/ocspclnt/ocspclnt.c5
-rw-r--r--cmd/p7verify/p7verify.c1
-rw-r--r--cmd/smimetools/cmsutil.c1
-rw-r--r--cmd/vfychain/vfychain.c3
-rw-r--r--lib/certdb/certdb.c77
-rw-r--r--lib/certdb/certi.h3
-rw-r--r--lib/certdb/certt.h6
-rw-r--r--lib/certhigh/certvfy.c34
-rw-r--r--lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c16
-rw-r--r--lib/util/secoid.c26
-rw-r--r--lib/util/secoidt.h5
-rwxr-xr-xtests/chains/chains.sh14
-rw-r--r--tests/chains/scenarios/ipsec.cfg61
-rw-r--r--tests/chains/scenarios/scenarios1
16 files changed, 248 insertions, 12 deletions
diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
index 5ecf1e71a..df02e4439 100644
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -741,6 +741,9 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
case 'V':
usage = certificateUsageSSLServer;
break;
+ case 'I':
+ usage = certificateUsageIPsec;
+ break;
case 'S':
usage = certificateUsageEmailSigner;
break;
@@ -1706,6 +1709,7 @@ luV(enum usage_level ul, const char *command)
FPS "%-20s Specify certificate usage:\n", " -u certusage");
FPS "%-25s C \t SSL Client\n", "");
FPS "%-25s V \t SSL Server\n", "");
+ FPS "%-25s I \t IPsec\n", "");
FPS "%-25s L \t SSL CA\n", "");
FPS "%-25s A \t Any CA\n", "");
FPS "%-25s Y \t Verify CA\n", "");
diff --git a/cmd/dbck/dbrecover.c b/cmd/dbck/dbrecover.c
index 74d21d85e..5b7e0549d 100644
--- a/cmd/dbck/dbrecover.c
+++ b/cmd/dbck/dbrecover.c
@@ -288,7 +288,8 @@ addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info,
/* If user chooses so, ignore expired certificates. */
allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
- (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+ (oldCert->keyUsage == certUsageSSLServerWithStepUp) ||
+ (oldCert->keyUsage == certUsageIPsec));
validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
/* If cert expired and user wants to delete it, ignore it. */
if ((validity != secCertTimeValid) &&
diff --git a/cmd/ocspclnt/ocspclnt.c b/cmd/ocspclnt/ocspclnt.c
index 0927f8ef6..359dbc217 100644
--- a/cmd/ocspclnt/ocspclnt.c
+++ b/cmd/ocspclnt/ocspclnt.c
@@ -134,6 +134,8 @@ long_usage(char *progname)
PR_fprintf(pr_stderr,
"%-17s s SSL Server\n", "");
PR_fprintf(pr_stderr,
+ "%-17s I IPsec\n", "");
+ PR_fprintf(pr_stderr,
"%-17s e Email Recipient\n", "");
PR_fprintf(pr_stderr,
"%-17s E Email Signer\n", "");
@@ -908,6 +910,9 @@ cert_usage_from_char(const char *cert_usage_str, SECCertUsage *cert_usage)
case 's':
*cert_usage = certUsageSSLServer;
break;
+ case 'I':
+ *cert_usage = certUsageIPsec;
+ break;
case 'e':
*cert_usage = certUsageEmailRecipient;
break;
diff --git a/cmd/p7verify/p7verify.c b/cmd/p7verify/p7verify.c
index ba38e1158..5cbb4dcae 100644
--- a/cmd/p7verify/p7verify.c
+++ b/cmd/p7verify/p7verify.c
@@ -117,6 +117,7 @@ Usage(char *progName)
fprintf(stderr, "%-25s 9 - certUsageProtectedObjectSigner\n", " ");
fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+ fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
exit(-1);
}
diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c
index 7106521c1..9106d9955 100644
--- a/cmd/smimetools/cmsutil.c
+++ b/cmd/smimetools/cmsutil.c
@@ -115,6 +115,7 @@ Usage(void)
fprintf(stderr, "%-25s 9 - certUsageProtectedObjectSigner\n", " ");
fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+ fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
exit(-1);
}
diff --git a/cmd/vfychain/vfychain.c b/cmd/vfychain/vfychain.c
index d42274c12..c01cdd08e 100644
--- a/cmd/vfychain/vfychain.c
+++ b/cmd/vfychain/vfychain.c
@@ -64,7 +64,8 @@ Usage(const char *progName)
"\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
- "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+ "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA,\n"
+ "\t\t\t 12=IPsec\n"
"\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
"\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
"\t\t\t or to trust the database if there are certificates marked -t.)\n"
diff --git a/lib/certdb/certdb.c b/lib/certdb/certdb.c
index 1a676a720..85b5f2917 100644
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -446,6 +446,74 @@ cert_GetCertType(CERTCertificate *cert)
return SECSuccess;
}
+PRBool
+cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+{
+ SECStatus rv;
+ SECItem encodedExtKeyUsage;
+ CERTOidSequence *extKeyUsage = NULL;
+ PRBool result = PR_FALSE;
+
+ rv = CERT_GetExtenCriticality(cert->extensions,
+ SEC_OID_X509_EXT_KEY_USAGE,
+ isCritical);
+ if (rv != SECSuccess) {
+ *isCritical = PR_FALSE;
+ }
+
+ encodedExtKeyUsage.data = NULL;
+ rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
+ &encodedExtKeyUsage);
+ if (rv != SECSuccess) {
+ /* EKU not present, allowed. */
+ result = PR_TRUE;
+ goto done;
+ }
+
+ extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
+ if (!extKeyUsage) {
+ /* failure */
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_IPSEC_IKE_END) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
+ SECSuccess) {
+ result = PR_TRUE;
+ goto done;
+ }
+
+done:
+ if (encodedExtKeyUsage.data != NULL) {
+ PORT_Free(encodedExtKeyUsage.data);
+ }
+ if (extKeyUsage != NULL) {
+ CERT_DestroyOidSequence(extKeyUsage);
+ }
+ return result;
+}
+
PRUint32
cert_ComputeCertType(CERTCertificate *cert)
{
@@ -1083,6 +1151,10 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
requiredKeyUsage = KU_KEY_CERT_SIGN;
requiredCertType = NS_CERT_TYPE_SSL_CA;
break;
+ case certUsageIPsec:
+ requiredKeyUsage = KU_KEY_CERT_SIGN;
+ requiredCertType = NS_CERT_TYPE_SSL_CA;
+ break;
case certUsageSSLCA:
requiredKeyUsage = KU_KEY_CERT_SIGN;
requiredCertType = NS_CERT_TYPE_SSL_CA;
@@ -1125,6 +1197,11 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
requiredCertType = NS_CERT_TYPE_SSL_SERVER;
break;
+ case certUsageIPsec:
+ /* RFC 4945 Section 5.1.3.2 */
+ requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
+ requiredCertType = 0;
+ break;
case certUsageSSLServerWithStepUp:
requiredKeyUsage =
KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED;
diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h
index 456f2fc4e..2a8ae2758 100644
--- a/lib/certdb/certi.h
+++ b/lib/certdb/certi.h
@@ -294,6 +294,9 @@ extern SECStatus cert_GetCertType(CERTCertificate* cert);
*/
extern PRUint32 cert_ComputeCertType(CERTCertificate* cert);
+extern PRBool cert_EKUAllowsIPsecIKE(CERTCertificate* cert,
+ PRBool* isCritical);
+
void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert,
long errorCode, unsigned int depth, void* arg);
diff --git a/lib/certdb/certt.h b/lib/certdb/certt.h
index 797f9f585..9cac70ca6 100644
--- a/lib/certdb/certt.h
+++ b/lib/certdb/certt.h
@@ -447,7 +447,8 @@ typedef enum SECCertUsageEnum {
certUsageVerifyCA = 8,
certUsageProtectedObjectSigner = 9,
certUsageStatusResponder = 10,
- certUsageAnyCA = 11
+ certUsageAnyCA = 11,
+ certUsageIPsec = 12
} SECCertUsage;
typedef PRInt64 SECCertificateUsage;
@@ -465,8 +466,9 @@ typedef PRInt64 SECCertificateUsage;
#define certificateUsageProtectedObjectSigner (0x0200)
#define certificateUsageStatusResponder (0x0400)
#define certificateUsageAnyCA (0x0800)
+#define certificateUsageIPsec (0x1000)
-#define certificateUsageHighest certificateUsageAnyCA
+#define certificateUsageHighest certificateUsageIPsec
/*
* Does the cert belong to the user, a peer, or a CA.
diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c
index ccd38e660..37dc07e19 100644
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -289,6 +289,10 @@ CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
requiredFlags = CERTDB_TRUSTED_CA;
trustType = trustSSL;
break;
+ case certUsageIPsec:
+ requiredFlags = CERTDB_TRUSTED_CA;
+ trustType = trustSSL;
+ break;
case certUsageSSLServerWithStepUp:
requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
trustType = trustSSL;
@@ -579,6 +583,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
switch (certUsage) {
case certUsageSSLClient:
case certUsageSSLServer:
+ case certUsageIPsec:
case certUsageSSLCA:
case certUsageSSLServerWithStepUp:
case certUsageEmailSigner:
@@ -645,7 +650,8 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
CERTGeneralName *subjectNameList;
int subjectNameListLen;
int i;
- PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
+ PRBool getSubjectCN = (!count &&
+ (certUsage == certUsageSSLServer || certUsage == certUsageIPsec));
subjectNameList =
CERT_GetConstrainedCertificateNames(subjectCert, arena,
getSubjectCN);
@@ -986,6 +992,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
switch (certUsage) {
case certUsageSSLClient:
case certUsageSSLServer:
+ case certUsageIPsec:
case certUsageSSLCA:
case certUsageSSLServerWithStepUp:
case certUsageEmailSigner:
@@ -1171,6 +1178,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
switch (certUsage) {
case certUsageSSLClient:
case certUsageSSLServer:
+ case certUsageIPsec:
flags = trust.sslFlags;
/* is the cert directly trusted or not trusted ? */
@@ -1347,7 +1355,8 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
/* make sure that the cert is valid at time t */
allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
- (requiredUsages & certificateUsageSSLServerWithStepUp));
+ (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+ (requiredUsages & certificateUsageIPsec));
validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
if (validity != secCertTimeValid) {
valid = SECFailure;
@@ -1360,6 +1369,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
for (i = 1; i <= certificateUsageHighest &&
(SECSuccess == valid || returnedUsages || log);) {
+ PRBool typeAndEKUAllowed = PR_TRUE;
PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
NEXT_USAGE();
@@ -1376,6 +1386,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
case certUsageEmailRecipient:
case certUsageObjectSigner:
case certUsageStatusResponder:
+ case certUsageIPsec:
rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
&requiredKeyUsage,
&requiredCertType);
@@ -1408,7 +1419,19 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
LOG_ERROR(log, cert, 0, requiredKeyUsage);
INVALID_USAGE();
}
- if (!(certType & requiredCertType)) {
+ if (certUsage != certUsageIPsec) {
+ if (!(certType & requiredCertType)) {
+ typeAndEKUAllowed = PR_FALSE;
+ }
+ } else {
+ PRBool isCritical;
+ PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);
+ /* If the extension isn't critical, we allow any EKU value. */
+ if (isCritical && !allowed) {
+ typeAndEKUAllowed = PR_FALSE;
+ }
+ }
+ if (!typeAndEKUAllowed) {
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
}
@@ -1508,7 +1531,8 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
/* make sure that the cert is valid at time t */
allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
- (certUsage == certUsageSSLServerWithStepUp));
+ (certUsage == certUsageSSLServerWithStepUp) ||
+ (certUsage == certUsageIPsec));
validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
if (validity != secCertTimeValid) {
LOG_ERROR_OR_EXIT(log, cert, 0, validity);
@@ -1521,6 +1545,7 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
case certUsageSSLClient:
case certUsageSSLServer:
case certUsageSSLServerWithStepUp:
+ case certUsageIPsec:
case certUsageSSLCA:
case certUsageEmailSigner:
case certUsageEmailRecipient:
@@ -1633,6 +1658,7 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
* certUsageSSLClient
* certUsageSSLServer
* certUsageSSLServerWithStepUp
+ * certUsageIPsec
* certUsageEmailSigner
* certUsageEmailRecipient
* certUsageObjectSigner
diff --git a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index fa8f1851e..145dcff9a 100644
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -2914,7 +2914,8 @@ PKIX_PL_Cert_CheckValidity(
requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
allowOverride =
(PRBool)((requiredUsages & certificateUsageSSLServer) ||
- (requiredUsages & certificateUsageSSLServerWithStepUp));
+ (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+ (requiredUsages & certificateUsageIPsec));
val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
if (val != secCertTimeValid){
PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);
@@ -3001,8 +3002,17 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
}
- if (!(certType & requiredCertType)) {
- PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+ if (certUsage != certUsageIPsec) {
+ if (!(certType & requiredCertType)) {
+ PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+ }
+ } else {
+ PRBool isCritical;
+ PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
+ /* If the extension isn't critical, we allow any EKU value. */
+ if (isCritical && !allowed) {
+ PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+ }
}
cleanup:
PKIX_DECREF(basicConstraints);
diff --git a/lib/util/secoid.c b/lib/util/secoid.c
index a05621c59..06b0cbcc4 100644
--- a/lib/util/secoid.c
+++ b/lib/util/secoid.c
@@ -122,7 +122,9 @@ const char __nss_util_version[] = "Version: NSS " NSSUTIL_VERSION _DEBUG_STRING;
#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
+#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
+
+#define PKIX INTERNET_SECURITY_MECH, 0x07
#define PKIX_CERT_EXTENSIONS PKIX, 1
#define PKIX_POLICY_QUALIFIERS PKIX, 2
#define PKIX_KEY_USAGE PKIX, 3
@@ -360,6 +362,7 @@ CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
+CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
@@ -454,8 +457,13 @@ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
+/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
+CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
+CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
+CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
+
/* OIDs for Netscape defined algorithms */
CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
@@ -1754,6 +1762,22 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
"Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
ODE(SEC_OID_TLS13_KEA_ANY,
"TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+ OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
+ "Any Extended Key Usage",
+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ OD(pkixExtendedKeyUsageIPsecIKE,
+ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
+ "IPsec IKE Certificate",
+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ OD(ipsecIKEEnd,
+ SEC_OID_IPSEC_IKE_END,
+ "IPsec IKE End",
+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ OD(ipsecIKEIntermediate,
+ SEC_OID_IPSEC_IKE_INTERMEDIATE,
+ "IPsec IKE Intermediate",
+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
};
/* PRIVATE EXTENDED SECOID Table
diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
index 0a40f29fd..c77aeb19f 100644
--- a/lib/util/secoidt.h
+++ b/lib/util/secoidt.h
@@ -494,6 +494,11 @@ typedef enum {
SEC_OID_TLS13_KEA_ANY = 356,
+ SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
+ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
+ SEC_OID_IPSEC_IKE_END = 359,
+ SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
+
SEC_OID_TOTAL
} SECOidTag;
diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh
index 62d961a29..32c7ef54c 100755
--- a/tests/chains/chains.sh
+++ b/tests/chains/chains.sh
@@ -352,6 +352,12 @@ create_cert_req()
-1
y
"
+ else
+ CA_FLAG="-2"
+ EXT_DATA="n
+-1
+y
+"
fi
process_crldp
@@ -1258,6 +1264,12 @@ process_scenario()
rm ${AIA_FILES}
}
+# process ipsec.cfg separately
+chains_ipsec()
+{
+ process_scenario "ipsec.cfg"
+}
+
# process ocspd.cfg separately
chains_ocspd()
{
@@ -1279,6 +1291,7 @@ chains_main()
do
[ `echo ${LINE} | cut -b 1` != "#" ] || continue
+ [ ${LINE} != 'ipsec.cfg' ] || continue
[ ${LINE} != 'ocspd.cfg' ] || continue
[ ${LINE} != 'method.cfg' ] || continue
@@ -1292,6 +1305,7 @@ chains_init
VERIFY_CLASSIC_ENGINE_TOO=
chains_ocspd
VERIFY_CLASSIC_ENGINE_TOO=1
+chains_ipsec
chains_run_httpserv get
chains_method
chains_stop_httpserv
diff --git a/tests/chains/scenarios/ipsec.cfg b/tests/chains/scenarios/ipsec.cfg
new file mode 100644
index 000000000..811bf9c09
--- /dev/null
+++ b/tests/chains/scenarios/ipsec.cfg
@@ -0,0 +1,61 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario IPsec
+
+entity Root
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer Root
+
+entity NoKU
+ type EE
+ issuer CA1
+
+entity DigSig
+ type EE
+ issuer CA1
+ ku digitalSignature
+
+entity NonRep
+ type EE
+ issuer CA1
+ ku nonRepudiation
+
+entity DigSigNonRepAndExtra
+ type EE
+ issuer CA1
+ ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+
+entity NoMatch
+ type EE
+ issuer CA1
+ ku keyEncipherment,dataEncipherment,keyAgreement
+
+db All
+
+import Root::C,,
+import CA1:Root:
+
+verify NoKU:CA1
+ usage 12
+ result pass
+
+verify DigSig:CA1
+ usage 12
+ result pass
+
+verify NonRep:CA1
+ usage 12
+ result pass
+
+verify DigSigNonRepAndExtra:CA1
+ usage 12
+ result pass
+
+verify NoMatch:CA1
+ usage 12
+ result fail
diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios
index d26c3f92e..4eafd9c8d 100644
--- a/tests/chains/scenarios/scenarios
+++ b/tests/chains/scenarios/scenarios
@@ -22,3 +22,4 @@ ocsp.cfg
crldp.cfg
trustanchors.cfg
nameconstraints.cfg
+ipsec.cfg
View Lorry Controller Status