pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

Extensions for Smartcards 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1 #10370

Open alfonsrv opened 6 months ago

alfonsrv commented 6 months ago

There are two new OIDs that are being used with Smartcards for Windows Authentication since 2023 and will be mandatory for "strong authentication" starting 2025 (see KB5014754).

It would be nice to have x509.ObjectIdentifier and x509.Extension for the following OIDs, 1.3.6.1.4.1.311.25.2 and 1.3.6.1.4.1.311.25.2.1

They require passing an object's Active Directory Security Identifier (objectSid, e.g. S-1-5-21-1468012755-800561317-457473099-500) as value. See here for reference on what ASN.1 encoding looks like: https://elkement.art/2023/03/30/lord-of-the-sid-how-to-add-the-objectsid-attribute-to-a-certificate-manually/ https://blog.qdsecurity.se/2022/05/27/manually-injecting-a-sid-in-a-certificate/

Both of the OIDs are used in Windows Client Certificate Enrollment Protocol. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/446a0fca-7f27-4436-965d-191635518466 https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/e563cff8-1af6-4e6f-a655-7571ca482e71

It was already added by OpenSSL, see https://github.com/openssl/openssl/issues/19630
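As an added worked example (not part of this issue and not code from cryptography itself), the following DER-encodes a textual SID into the value of 1.3.6.1.4.1.311.25.2 as an OtherName whose type-id is 1.3.6.1.4.1.311.25.2.1 with the SID in an explicitly tagged OCTET STRING, and strictly decodes it back so a relying party can compare the embedded SID with the account it expects. The OIDs are those named above, the nesting follows the write-ups linked above, and the function names are my own.

```python
import re
OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"   # extension OID (from the issue)
OID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"      # OtherName type-id inside it
SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")      # textual SID, e.g. S-1-5-21-...-500

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)  # DER length: short form below 128, else 0x80|nbytes + big-endian length
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on every byte except the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_ntds_security_ext(sid: str) -> bytes:
    # SEQUENCE { [0] OtherName { type-id OID, [0] EXPLICIT OCTET STRING sid } }
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID string: {sid!r}")
    value = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, _encode_oid(OID_NTDS_OBJECTSID) + value))

def decode_ntds_security_ext(der: bytes) -> str:
    # Strict inverse: anything not exactly that shape is rejected (truncated input -> IndexError)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE malformed or followed by trailing bytes")
    tag, other_name, _ = _read_tlv(seq, 0)
    oid_tag, oid_body, pos = _read_tlv(other_name, 0)
    if tag != 0xA0 or _tlv(oid_tag, oid_body) != _encode_oid(OID_NTDS_OBJECTSID):
        raise ValueError("expected OtherName [0] carrying the objectSid type-id")
    tag, explicit, _ = _read_tlv(other_name, pos)
    inner_tag, sid_bytes, _ = _read_tlv(explicit, 0)
    if tag != 0xA0 or inner_tag != 0x04:
        raise ValueError("expected [0] EXPLICIT OCTET STRING")
    sid = sid_bytes.decode("ascii")
    if not SID_RE.match(sid):
        raise ValueError(f"decoded value is not a SID string: {sid!r}")
    return sid
```

The returned bytes can be attached when building a certificate with cryptography via `x509.UnrecognizedExtension(x509.ObjectIdentifier(OID_NTDS_CA_SECURITY_EXT), value)`, and the decoder is what a verifier would run over that extension's value before trusting the mapping.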

alex commented 6 months ago

What do you mean when you ask for a NID? We have no concept of a NID in our public API.

Are you asking for constants for these OIDs?

alfonsrv commented 6 months ago

Pardon; what I mean is an ExtensionType that can be added to a x509.Extension.

reaperhulk commented 6 months ago

Do you have any example certs we could use if we decide to implement parsing? In x509, specs and reality, unfortunately, do not always match. 😄

alfonsrv commented 6 months ago

Sure! I can totally relate hehe – here you go: sid-certificate.txt

Had to rename it to txt, so GitHub would allow me to upload it directly. SID in the extension should be S-1-5-21-1376704245-510857609-3386413621-500 fyi

alex commented 1 month ago

Sorry for not responding sooner here. We'd be happy to take PRs to add support for these -- we're unlikely to get to them ourselves though.