Hello Mike, it was never my intention to encode the X509_AA flag in an X.509 certificate. The X509_AA flag is used by strongSwan to mark certificates read from /etc/ipsec.d/aacerts/ in the internal certificate linked list storage structure so that they can be extracted again during the trust chain verification of an X.509 attribute certificate. Of course an authorization authority extended key usage (EKU) OID similar to ocspSigner would be helpful so that AA certs could be fetched from some public places.
Best regards Andreas On 06/23/2010 09:02 PM, Mike Ryan wrote: > The X509_AA flag parallels the X509_CA flag. Its basic meaning is: the > holder if this certificate has the authority to issue X.509 attribute > certificates. > > According to RFC3281, there is no provision to encode a simple boolean > flag with the meaning of X509_AA in an X.509 certificate. > > AA controls, an optional sequence described in section 7.1, provide a > rich set of controls over which attributes may be issued by an AA. There > IS a boolean flag in there: permitUnSpecified. If this is true, then the > holder is allowed to issue any attribute. > > This flag is semantically subtly different from a boolean meaning 'is an > attribute authority'. > > The handling of the X509_AA flag is buggy as well. Setting the X509_AA > flag on a certificate sets a flag in the data structure, but when the > certificate is encoded into ASN.1 there is no difference between a cert > with and without this flag. > > - > > To exercise this bug, create a cert with the X509_AA flag, save its > encoding to a file, and then load it again. The X509_AA flag will not be > set. > > To create a cert with the AA flag, I modified pki/commands/self.c and > added X509_AA to the --ca flag like so: > > case 'b': > flags |= X509_CA; > flags |= X509_AA; > continue; > > Then generate a self-signed cert with the CA flag and print the cert: > > $ pki --self --dn cn=test --ca --in private.der> test.der > $ pki --print --in test.der | grep AA > > No mention of the AA flag is made. The cert is identical to a cert > without the AA flag specified. > > _______________________________________________ > Dev mailing list > [email protected] > https://lists.strongswan.org/mailman/listinfo/dev -- ====================================================================== Andreas Steffen [email protected] strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
