Diffstat (limited to 'src')
-rw-r--r--src/crypto/x509.c8
-rw-r--r--src/include/ipxe/asn1.h7
-rw-r--r--src/include/ipxe/x509.h1
3 files changed, 16 insertions, 0 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index dc8745dce..a86609340 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -518,6 +518,9 @@ static int x509_parse_key_usage ( struct x509_certificate *cert,
/** "id-kp-codeSigning" object identifier */
static uint8_t oid_code_signing[] = { ASN1_OID_CODESIGNING };
+/** "id-kp-OCSPSigning" object identifier */
+static uint8_t oid_ocsp_signing[] = { ASN1_OID_OCSPSIGNING };
+
/** Supported key purposes */
static struct x509_key_purpose x509_key_purposes[] = {
{
@@ -525,6 +528,11 @@ static struct x509_key_purpose x509_key_purposes[] = {
.bits = X509_CODE_SIGNING,
.oid = ASN1_OID_CURSOR ( oid_code_signing ),
},
+ {
+ .name = "ocspSigning",
+ .bits = X509_OCSP_SIGNING,
+ .oid = ASN1_OID_CURSOR ( oid_ocsp_signing ),
+ },
};
/**
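Review bot: The new `ocspSigning` entry in `x509_key_purposes[]` only makes the parser record `X509_OCSP_SIGNING`; none of the three files in this diffstat reads the bit, so nothing visible here requires a delegated OCSP responder certificate to carry id-kp-OCSPSigning. Unless a companion commit already does so, the code that accepts an OCSP response signer should reject a delegated responder whose parsed extended key usage lacks the bit, e.g. `if ( ! ( <signer ext-key-usage bits> & X509_OCSP_SIGNING ) ) return -EACCES;` (field path is a placeholder; it is not shown in this diff). That check should apply only to a responder distinct from the issuing CA, since a response signed by the issuer itself does not need the purpose. The table and the function that walks it both extend outside this hunk.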
diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h
index 222e32ece..cd5c3306d 100644
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -176,6 +176,13 @@ struct asn1_cursor {
ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ), \
ASN1_OID_SINGLE ( 48 ), ASN1_OID_SINGLE ( 1 )
+/** ASN.1 OID for id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) */
+#define ASN1_OID_OCSPSIGNING \
+ ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ), \
+ ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 5 ), \
+ ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ), \
+ ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 9 )
+
/** Define an ASN.1 cursor containing an OID */
#define ASN1_OID_CURSOR( oid_value ) { \
.data = oid_value, \
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 8b1dda25f..6dc31b45e 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -119,6 +119,7 @@ struct x509_extended_key_usage {
*/
enum x509_extended_key_usage_bits {
X509_CODE_SIGNING = 0x0001,
+ X509_OCSP_SIGNING = 0x0002,
};
/** X.509 certificate OCSP responder */
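Review bot: The added enumerator `X509_OCSP_SIGNING = 0x0002` carries no comment of its own, so a reader of `x509.h` has to go to the key-purpose table in `x509.c` to learn which OID sets it. I would add `/** Certificate may sign OCSP responses (id-kp-OCSPSigning) */` above it and a matching one-liner above `X509_CODE_SIGNING`. The values appear to be OR-ed flags (0x0001, 0x0002), so it is also worth saying in the enum's header comment that each new purpose must take a distinct bit. That header comment begins outside this hunk.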