According to RFC 4945 § 5.1.3.12, titled "ExtendedKeyUsage"[0], the
following extended key usage has been added:
... this document defines an ExtendedKeyUsage keyPurposeID that MAY be
used to limit a certificate's use:
id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }
where id-kp is defined in RFC 3280 [5]. If a certificate is intended
to be used with both IKE and other applications, and one of the other
applications requires use of an EKU value, then such certificates
MUST contain either the keyPurposeID id-kp-ipsecIKE or
anyExtendedKeyUsage [5], as well as the keyPurposeID values
associated with the other applications. Similarly, if a CA issues
multiple otherwise-similar certificates for multiple applications
including IKE, and it is intended that the IKE certificate NOT be
used with another application, the IKE certificate MAY contain an EKU
extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
use with the other application. Recall, however, that EKU extensions
in certificates meant for use in IKE are NOT RECOMMENDED.
Conforming IKE implementations are not required to support EKU. If a
critical EKU extension appears in a certificate and EKU is not
supported by the implementation, then RFC 3280 requires that the
certificate be rejected. Implementations that do support EKU MUST
support the following logic for certificate validation:
o If no EKU extension, continue.
o If EKU present AND contains either id-kp-ipsecIKE or
anyExtendedKeyUsage, continue.
o Otherwise, reject cert.
I believe that the attached patch adds the ipsecIKE extended key usage
flag to openssl.
Micah
0. http://tools.ietf.org/html/rfc4945#section-5.1.3.12
--
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index fe46624..e2345fb 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -175,6 +175,8 @@ static const unsigned char lvalues[5824]={
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03, /* [666] OBJ_code_sign */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04, /* [674] OBJ_email_protect */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08, /* [682] OBJ_time_stamp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09, /* [682] OBJ_OSCPSigning */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x17, /* [684] OBJ_ipsecIKE */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [690] OBJ_ms_code_ind */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [700] OBJ_ms_code_com */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [710] OBJ_ms_ctl_sign */
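Review bot: The added ipsecIKE row ends in `0x17`, which is decimal 23, so it encodes 1.3.6.1.5.5.7.3.23 rather than id-kp 17; the last byte should be `0x11`. The `OBJ_OSCPSigning` row above it repeats the id-kp 9 OID that `OBJ_OCSP_sign` (NID 180, visible in the third hunk of this file) already covers, and the name looks like a typo for OCSP. Inserting 16 bytes here also moves every later entry, while the context rows keep their `[690]`, `[700]`, `[710]` offsets and the hunk header still shows `lvalues[5824]`, so the `&(lvalues[690])`-style references in `nid_objs` would point at the wrong bytes. New OID bytes belong at the end of the array with the size raised to match, ideally by regenerating this header from objects.txt rather than editing it by hand.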
@@ -1091,6 +1090,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
{"emailProtection","E-mail Protection",NID_email_protect,8,
&(lvalues[674]),0},
{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[682]),0},
+{"OSCPSigning", "OSCP Signing",NID_OSCPSigning,8,&(lvalues[683]),0},
+{"ipsecIKE", "ipsec Internet Key Exchange (IKE)",NID_ipsecIKE,8,&(lvalues[684]),0},
{"msCodeInd","Microsoft Individual Code Signing",NID_ms_code_ind,10,
&(lvalues[690]),0},
{"msCodeCom","Microsoft Commercial Code Signing",NID_ms_code_com,10,
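Review bot: The two added `nid_objs` rows use `NID_OSCPSigning` and `NID_ipsecIKE`, neither of which this patch defines; obj_mac.h in the same patch defines `NID_ipsec_IKE`, so the row should read `{"ipsecIKE","ipsec Internet Key Exchange (IKE)",NID_ipsec_IKE,8,&(lvalues[N]),0},` with N the real offset of the new bytes. The offsets `683` and `684` fall inside the eight bytes of timeStamping at `[682]`, so both rows would decode as unrelated OIDs. If this table is indexed by NID, as `nid_objs[NUM_NID]` suggests, the new row belongs at index 893 at the end with `NUM_NID` raised, and the OSCPSigning row should be dropped because OCSPSigning already has NID 180. The array starts and ends outside the hunk.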
@@ -4636,5 +4627,6 @@
180, /* OBJ_OCSP_sign 1 3 6 1 5 5 7 3 9 */
297, /* OBJ_dvcs 1 3 6 1 5 5 7 3 10 */
+893, /* OBJ_ipsec_IKE 1 3 6 1 5 5 7 3 17 */
298, /* OBJ_id_it_caProtEncCert 1 3 6 1 5 5 7 4 1 */
299, /* OBJ_id_it_signKeyPairTypes 1 3 6 1 5 5 7 4 2 */
300, /* OBJ_id_it_encKeyPairTypes 1 3 6 1 5 5 7 4 3 */
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
index 27304e1..decf0cc 100644
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -1530,6 +1515,11 @@
#define NID_dvcs 297
#define OBJ_dvcs OBJ_id_kp,10L
+#define SN_ipsec_IKE "ipsecIKE"
+#define LN_ipsec_IKE "ipsec Internet Key Exchange (IKE)"
+#define NID_ipsec_IKE 893
+#define OBJ_ipsec_IKE OBJ_id_kp,17L
+
#define SN_id_it_caProtEncCert "id-it-caProtEncCert"
#define NID_id_it_caProtEncCert 298
#define OBJ_id_it_caProtEncCert OBJ_id_it,1L
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 8c50aac..4bc3dfb 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -890,3 +887,4 @@ houseIdentifier 889
supportedAlgorithms 890
deltaRevocationList 891
dmdName 892
+ipsecIKE 893
\ No newline at end of file
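Review bot: The added entry is spelled `ipsecIKE`, but objects.txt in this patch sets `!Cname ipsec-IKE` and the resulting macros are `NID_ipsec_IKE`. If this file is keyed by the C name, which I believe is how the generator script reads it, the line should be `ipsec_IKE 893` so that regeneration does not assign a second number to the same OID. The file also now ends without a trailing newline, which is worth restoring.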
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index bd0ee52..191c895 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -714,6 +714,16 @@
#define NID_time_stamp 133
#define OBJ_time_stamp OBJ_id_kp,8L
+#define SN_OCSP_sign "OCSPSigning"
+#define LN_OCSP_sign "OCSP Signing"
+#define NID_OCSP_sign 180
+#define OBJ_OCSP_sign OBJ_id_kp,9L
+
+#define SN_ipsec_IKE "ipsecIKE"
+#define LN_ipsec_IKE "ipsec Internet Key Exchange (IKE)"
+#define NID_ipsec_IKE 893
+#define OBJ_ipsec_IKE OBJ_id_kp,17L
+
/* Additional extended key usage OIDs: Microsoft */
#define SN_ms_code_ind "msCodeInd"
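Review bot: These added lines repeat macros that already have a home elsewhere: the four `*_ipsec_IKE` defines are the same ones this patch adds to obj_mac.h, and `NID_OCSP_sign 180` is presumably defined there as well, given that obj_dat.h already lists `OBJ_OCSP_sign`. Keeping two copies means a later change to one header can silently disagree with the other, and a non-identical redefinition would raise a diagnostic in any file that includes both. Unless objects.h is meant to be usable without obj_mac.h, I would drop this hunk, or at least add `/* keep in sync with obj_mac.h */` above the block.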
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 52ac0a6..f477aa5 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -488,8 +485,12 @@
id-kp 8 : timeStamping : Time Stamping
# From OCSP spec RFC2560
!Cname OCSP-sign
id-kp 9 : OCSPSigning : OCSP Signing
id-kp 10 : DVCS : dvcs
+# From Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX RFC4945
+!Cname ipsec-IKE
+id-kp 17 : ipsecIKE : ipsec Internet Key Exchange (IKE)
+
# CMP information types
id-it 1 : id-it-caProtEncCert
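Review bot: This entry, and the patch as a whole as far as the visible files show, only gives id-kp 17 a name; no purpose-checking code is touched. The RFC 4945 rule quoted in the description (reject a certificate whose EKU is present but lists neither ipsecIKE nor anyExtendedKeyUsage) is therefore still left to the calling application. A comment such as `# Naming only: IKE callers must still check EKU per RFC 4945 5.1.3.12` above the `!Cname ipsec-IKE` line would keep readers from assuming that the new name changes certificate verification.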
diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
index 0450067..e138eb3 100644
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -115,6 +115,8 @@ following PKIX, NS and MS values are meaningful:
codeSigning Code signing.
emailProtection E-mail Protection (S/MIME).
timeStamping Trusted Timestamping
+ OCSPSigning OCSP Signing
+ ipsecIKE ipsec Internet Key Exchange (IKE)
msCodeInd Microsoft Individual Code Signing (authenticode)
msCodeCom Microsoft Commercial Code Signing (authenticode)
msCTLSign Microsoft Trust List Signing