[sr #107485] Add new extended key usage ipsecIKE

Micah Anderson INVALID.NOREPLY at gnu.org
Wed Sep 29 06:34:58 CEST 2010


                 Summary: Add new extended key usage ipsecIKE
                 Project: GnuTLS
            Submitted by: micahanderson
            Submitted on: Wed 29 Sep 2010 04:34:57 AM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None



According to RFC 4945 § section title "ExtendedKeyUsage"[0] the
following extended key usage has been added:

 ... this document defines an ExtendedKeyUsage keyPurposeID that MAY be
   used to limit a certificate's use:

   id-kp-ipsecIKE OBJECT IDENTIFIER ::= { id-kp 17 }

   where id-kp is defined in RFC 3280 [5].  If a certificate is intended
   to be used with both IKE and other applications, and one of the other
   applications requires use of an EKU value, then such certificates
   MUST contain either the keyPurposeID id-kp-ipsecIKE or
   anyExtendedKeyUsage [5], as well as the keyPurposeID values
   associated with the other applications.  Similarly, if a CA issues
   multiple otherwise-similar certificates for multiple applications
   including IKE, and it is intended that the IKE certificate NOT be
   used with another application, the IKE certificate MAY contain an EKU
   extension listing a keyPurposeID of id-kp-ipsecIKE to discourage its
   use with the other application.  Recall, however, that EKU extensions
   in certificates meant for use in IKE are NOT RECOMMENDED.

   Conforming IKE implementations are not required to support EKU.  If a
   critical EKU extension appears in a certificate and EKU is not
   supported by the implementation, then RFC 3280 requires that the
   certificate be rejected.  Implementations that do support EKU MUST
   support the following logic for certificate validation:

   o  If no EKU extension, continue.

   o  If EKU present AND contains either id-kp-ipsecIKE or
      anyExtendedKeyUsage, continue.

   o  Otherwise, reject cert.

I believe that the attached patch adds the ipsecIKE extended key usage
flag to openssl. You can also pull my repository, with the patch, from:
git clone git://labs.riseup.net/~micah/gnutls
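The three-way EKU decision quoted from RFC 4945 above, together with the critical-extension rule in the paragraph before it, as an added example that is not part of this report, the attached patch or GnuTLS. The helper names are assumed and the DER-encoded ExtKeyUsageSyntax samples are constructed for illustration.

```python
# Added example (not from the patch or GnuTLS): the RFC 4945 EKU decision
# over a DER-encoded ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER).
ID_KP_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"   # id-kp 17 (RFC 4945)
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"    # anyExtendedKeyUsage (RFC 3280)

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    arcs, value = [], 0                     # base-128 arcs -> dotted decimal
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # first two arcs are packed
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_eku(der):
    """Return the keyPurposeID OIDs listed in an ExtKeyUsageSyntax value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(content))
    return oids

def ike_eku_allows(eku_der, critical=False, eku_supported=True):
    """Quoted RFC 4945 decision; eku_der is None when the cert has no EKU."""
    if eku_der is None:                     # no EKU extension: continue
        return True
    if not eku_supported:                   # RFC 3280: unsupported critical ext => reject
        return not critical
    purposes = set(parse_eku(eku_der))      # EKU present: need ipsecIKE or anyEKU
    return bool(purposes & {ID_KP_IPSEC_IKE, ANY_EXTENDED_KEY_USAGE})

# Constructed sample values (not taken from any real certificate).
EKU_IKE_ONLY = bytes.fromhex("300a06082b06010505070311")
EKU_SERVER_AUTH_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_SERVER_AUTH_AND_ANY = bytes.fromhex("301006082b060105050703010604551d2500")
```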


File Attachments:

Date: Wed 29 Sep 2010 04:34:57 AM GMT  Name: gnutls_ipsec_ike.diff  Size: 4kB
  By: micahanderson


