openssl: Add support for the X.509 keyUsage extension.
authorTobias Brunner <tobias@strongswan.org>
Wed, 5 Oct 2011 13:07:07 +0000 (15:07 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 5 Oct 2011 13:10:12 +0000 (15:10 +0200)
src/libstrongswan/plugins/openssl/openssl_x509.c

index f7495b2..73a1a28 100644 (file)
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -597,7 +600,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
                }
                if (constraints->pathlen)
                {
-                       
+
                        pathlen = ASN1_INTEGER_get(constraints->pathlen);
                        this->pathlen = (pathlen >= 0 && pathlen < 128) ?
                                                         pathlen : X509_NO_CONSTRAINT;
@@ -609,6 +612,41 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
 }
 
 /**
+ * parse key usage
+ */
+static bool parse_keyUsage_ext(private_openssl_x509_t *this,
+                                                          X509_EXTENSION *ext)
+{
+       ASN1_BIT_STRING *usage;
+
+       usage = X509V3_EXT_d2i(ext);
+       if (usage)
+       {
+               if (usage->length > 0)
+               {
+                       int flags = usage->data[0];
+                       if (usage->length > 1)
+                       {
+                               flags |= usage->data[1] << 8;
+                       }
+                       switch (flags)
+                       {
+                               case X509v3_KU_CRL_SIGN:
+                                       this->flags |= X509_CRL_SIGN;
+                                       break;
+                               case X509v3_KU_KEY_CERT_SIGN:
+                                       /* we use the caBasicContraint, MUST be set */
+                               default:
+                                       break;
+                       }
+               }
+               ASN1_BIT_STRING_free(usage);
+               return TRUE;
+       }
+       return FALSE;
+}
+
+/**
  * Parse CRL distribution points
  */
 static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this,
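Review bot: The `switch (flags)` in parse_keyUsage_ext compares the whole keyUsage bit mask for equality, so `case X509v3_KU_CRL_SIGN` only matches a certificate whose keyUsage is exactly cRLSign and nothing else; a CA certificate that asserts keyCertSign together with cRLSign (the usual combination) has `flags` equal to both bits OR'ed and falls into `default`, leaving X509_CRL_SIGN unset. keyUsage is a bit field and should be tested bit by bit: replace the switch with `if (flags & X509v3_KU_CRL_SIGN) { this->flags |= X509_CRL_SIGN; }` and keep the keyCertSign remark as a comment next to a `(flags & X509v3_KU_KEY_CERT_SIGN)` check, or drop it. While there, the comment has a typo: `caBasicContraint` should read `caBasicConstraint`. A caller-visible consequence of the current code is that CRL-signature checks relying on this flag would reject CRLs issued by such CAs, assuming X509_CRL_SIGN is consulted elsewhere in the library.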
@@ -804,6 +842,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
                                case NID_basic_constraints:
                                        ok = parse_basicConstraints_ext(this, ext);
                                        break;
+                               case NID_key_usage:
+                                       ok = parse_keyUsage_ext(this, ext);
+                                       break;
                                case NID_crl_distribution_points:
                                        ok = parse_crlDistributionPoints_ext(this, ext);
                                        break;