Extensions for Smartcards 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1 #10370
Comments
What do you mean when you ask for a NID? We have no concept of a NID in our public API. Are you asking for constants for these OIDs?
Pardon; what I mean is an
Do you have any example certs we could use if we decide to implement parsing? In x509, specs and reality unfortunately do not always match. 😄
Sure! I can totally relate, hehe. Here you go: sid-certificate.txt (had to rename it to .txt so GitHub would allow me to upload it directly). SID in the extension should be
Sorry for not responding sooner here. We'd be happy to take PRs to add support for these -- we're unlikely to get to them ourselves though.
There are two new OIDs that are being used with smartcards for Windows authentication since 2023 and will be mandatory for "strong authentication" starting 2025 (see KB5014754).
It would be nice to have x509.ObjectIdentifier and x509.Extension for the following OIDs: 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1. They require passing an object's Active Directory Security Identifier (objectSid, e.g. S-1-5-21-1468012755-800561317-457473099-500) as the value. See here for reference on what the ASN.1 encoding looks like:
https://elkement.art/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/
https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/
Both of the OIDs are used in the Windows Client Certificate Enrollment Protocol:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/446a0fca-7f27-4436-965d-191635518466
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71
It was already added by OpenSSL, see openssl/openssl#19630
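Added example, not code from this issue or from pyca/cryptography itself: a stdlib-only encoder and decoder for the extension value, laid out as the references linked above show it (a SEQUENCE holding one otherName GeneralName whose type-id is 1.3.6.1.4.1.311.25.2.1 and whose [0] EXPLICIT value is an OCTET STRING carrying the SID as ASCII text). All function names here are mine; `as_cryptography_extension` assumes a cryptography release whose CertificateBuilder accepts an UnrecognizedExtension, and `sid_from_certificate` assumes a cryptography `Certificate` object.

```python
"""Encode/decode the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) value.

DER layout, as seen in the hex dumps of the linked write-ups:

    SEQUENCE {                                    -- 0x30
      [0] {                                       -- 0xA0  GeneralName otherName
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1  -- 0x06  szOID_NTDS_OBJECTSID
        [0] {                                     -- 0xA0  OtherName.value (EXPLICIT)
          OCTET STRING "S-1-5-21-..."             -- 0x04  objectSid as text
        }
      }
    }
"""
import re

OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"   # the extension OID
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"       # OtherName type-id

# String-form SID: "S-1-<identifier authority>-<sub-authority>[-...]".
_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def _der_length(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Base-128 OID content octets (first two arcs packed into one byte)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw: bytes) -> str:
    """Inverse of _encode_oid; enough for OIDs under arcs 0/1 such as this one."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_ntds_ca_security_ext(sid: str) -> bytes:
    """DER value for the extension; the extension itself is non-critical."""
    if not _SID_RE.fullmatch(sid):
        raise ValueError(f"not a string-form SID: {sid!r}")
    value = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    other_name = _tlv(0x06, _encode_oid(OID_NTDS_OBJECTSID)) + value
    return _tlv(0x30, _tlv(0xA0, other_name))


def decode_ntds_ca_security_ext(der: bytes) -> str:
    """Strictly walk the structure above and return the SID string."""
    tag, seq, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    tag, other_name, _ = _read_tlv(seq)
    if tag != 0xA0:
        raise ValueError("expected GeneralName otherName [0]")
    tag, oid, pos = _read_tlv(other_name)
    if tag != 0x06 or _decode_oid(oid) != OID_NTDS_OBJECTSID:
        raise ValueError("OtherName type-id is not szOID_NTDS_OBJECTSID")
    tag, value, _ = _read_tlv(other_name, pos)
    if tag != 0xA0:
        raise ValueError("expected OtherName value [0]")
    tag, sid_bytes, _ = _read_tlv(value)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    sid = sid_bytes.decode("ascii")
    if not _SID_RE.fullmatch(sid):
        raise ValueError(f"extension carries a malformed SID: {sid!r}")
    return sid


def as_cryptography_extension(sid: str):
    """Wrap the value so it can go into CertificateBuilder.add_extension(ext, critical=False).
    cryptography is imported lazily so the pure encoder/decoder above needs no dependency."""
    from cryptography import x509  # assumption: a release accepting UnrecognizedExtension
    return x509.UnrecognizedExtension(
        x509.ObjectIdentifier(OID_NTDS_CA_SECURITY_EXT),
        encode_ntds_ca_security_ext(sid),
    )


def sid_from_certificate(cert):
    """Return the SID from a cryptography Certificate, or None if absent."""
    for ext in cert.extensions:
        if ext.oid.dotted_string == OID_NTDS_CA_SECURITY_EXT:
            return decode_ntds_ca_security_ext(ext.value.value)
    return None
```

The decoder is deliberately strict (single outer SEQUENCE, exact OID, SID syntax re-checked) because a relying party that reads this extension is using it to bind a certificate to an account; anything that parses loosely here is a mapping bug waiting to happen.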