From 9e5b8b512722c82213db1c6565cef55b9641bf79 Mon Sep 17 00:00:00 2001
From: Alex Wilson
Date: Wed, 13 Mar 2024 15:27:47 +1000
Subject: [PATCH] certs: include MS bitlocker EKUs as well as EFS in key-mgmt template with ad_upn
---
 piv-certs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/piv-certs.c b/piv-certs.c
index 6f6cff6..83f6658 100644
--- a/piv-certs.c
+++ b/piv-certs.c
@@ -1577,7 +1577,8 @@ populate_user_key_mgmt(struct cert_var_scope *cs, X509 *cert)
 err = scope_eval(cs, "ad_upn", &upn);
 if (err == ERRF_OK) {
- eku = "1.3.6.1.4.1.311.10.3.4";
+ eku = "1.3.6.1.4.1.311.10.3.4,1.3.6.1.4.1.311.10.3.4.1,"
+ "1.3.6.1.4.1.311.67.1.1,1.3.6.1.4.1.311.67.1.2";
 } else {
 errf_free(err);
 upn = NULL;
@@ -2223,7 +2224,8 @@ rpopulate_user_key_mgmt(struct cert_var_scope *cs, X509_REQ *req)
 err = scope_eval(cs, "ad_upn", &upn);
 if (err == ERRF_OK) {
- eku = "1.3.6.1.4.1.311.10.3.4";
+ eku = "1.3.6.1.4.1.311.10.3.4,1.3.6.1.4.1.311.10.3.4.1,"
+ "1.3.6.1.4.1.311.67.1.1,1.3.6.1.4.1.311.67.1.2";
 } else {
 errf_free(err);
 upn = NULL;
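Review bot: Two of the four OIDs now assigned to `eku` in populate_user_key_mgmt are recovery-agent purposes, going by Microsoft's OID assignments: `1.3.6.1.4.1.311.10.3.4.1` (EFS file recovery) and `1.3.6.1.4.1.311.67.1.2` (BitLocker data recovery agent). That is broader than the subject line's "bitlocker EKUs as well as EFS", and broader than a per-user key-management certificate usually needs to assert. If the recovery purposes are intended, record that above the assignment, e.g. `/* EFS, EFS file recovery, BitLocker drive encryption, BitLocker data recovery agent */`; if not, keep only `1.3.6.1.4.1.311.10.3.4` and `1.3.6.1.4.1.311.67.1.1`. The same literal is repeated in rpopulate_user_key_mgmt in the second hunk, so the point applies there too, and a single file-level constant would keep the certificate and request templates from drifting apart. Both function bodies start and end outside their hunks.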