
Extensions for Smartcards 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1 #10370

Open
alfonsrv opened this issue Feb 8, 2024 · 5 comments

Comments

@alfonsrv

alfonsrv commented Feb 8, 2024

There are two new OIDs that are being used with Smartcards for Windows Authentication since 2023 and will be mandatory for "strong authentication" starting 2025 (see KB5014754).

It would be nice to have x509.ObjectIdentifier and x509.Extension for the following OIDs, 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1

They require passing an object's Active Directory Security Identifier (objectSid, e.g. S-1-5-21-1468012755-800561317-457473099-500) as value. See here for reference on what ASN.1 encoding looks like: https://elkement.art/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/

Both of the OIDs are used in the Windows Client Certificate Enrollment Protocol.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/446a0fca-7f27-4436-965d-191635518466
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71

It was already added by OpenSSL, see openssl/openssl#19630
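To make the request concrete, here is an added example (not part of this issue or of pyca/cryptography) that builds and strictly parses the DER value of the 1.3.6.1.4.1.311.25.2 extension with only the standard library, following the SEQUENCE / [0] / OID / [0] / OCTET STRING layout described in the linked posts. The constant names are my own; the SID used in the test is the one from the comment above.

```python
import re
OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"  # the extension OID requested in this issue
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"      # the objectSid OID nested inside the value

def _der_len(n: int) -> bytes:  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body
def _encode_oid(oid: str) -> bytes:  # dotted OID -> DER contents (base-128 arcs, first two merged)
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def encode_sid_extension(sid: str) -> bytes:
    # SEQUENCE { [0] { OID objectSid, [0] { OCTET STRING sid } } }, the layout shown in the linked posts
    inner = _tlv(0x06, _encode_oid(OID_NTDS_OBJECTSID)) + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, inner))

def _read_tlv(buf: bytes, pos: int, tag: int):  # strict reader: exact tag, length must fit the buffer
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated element")
    return body, pos + length
def decode_sid_extension(der: bytes) -> str:
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    ctx, _ = _read_tlv(seq, 0, 0xA0)
    oid, pos = _read_tlv(ctx, 0, 0x06)
    if oid != _encode_oid(OID_NTDS_OBJECTSID):
        raise ValueError("nested OID is not objectSid")
    ctx2, _ = _read_tlv(ctx, pos, 0xA0)
    sid = _read_tlv(ctx2, 0, 0x04)[0].decode("ascii")
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):  # anything else is not a SID string
        raise ValueError(f"not a well-formed SID string: {sid!r}")
    return sid
```

The encoded bytes can be attached today with `x509.UnrecognizedExtension(x509.ObjectIdentifier(OID_NTDS_CA_SECURITY_EXT), der)`; the parser deliberately rejects any deviation from the expected nesting instead of guessing.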

@alex
Member

alex commented Feb 8, 2024

What do you mean when you ask for a NID? We have no concept of a NID in our public API.

Are you asking for constants for these OIDs?

@alfonsrv
Author

alfonsrv commented Feb 8, 2024

Pardon; what I mean is an ExtensionType that can be added to an x509.Extension.

@alfonsrv alfonsrv changed the title Add NIDs for 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1 Extensions for Smartcards 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1 Feb 9, 2024
@alex alex added this to the Forty Third Release milestone Feb 10, 2024
@reaperhulk
Member

Do you have any example certs we could use if we decide to implement parsing? In x509, specs and reality unfortunately do not always match. 😄

@alfonsrv
Author

Sure! I can totally relate hehe – here you go: sid-certificate.txt

Had to rename it to txt, so GitHub would allow me to upload it directly. SID in the extension should be S-1-5-21-1376704245-510857609-3386413621-500 fyi

@alex
Member

alex commented Jul 5, 2024

Sorry for not responding sooner here. We'd be happy to take PRs to add support for these -- we're unlikely to get to them ourselves though.

@alex alex removed this from the Forty Third Release milestone Jul 5, 2024