discard certificate with unknown critical extensions
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)
src/libstrongswan/plugins/x509/x509_cert.c

index 623a268..fc68cdc 100644 (file)
@@ -905,6 +905,14 @@ static bool parse_certificate(private_x509_cert_t *this)
                                                }
                                                break;
                                        default:
+                                               if (critical && lib->settings->get_bool(lib->settings,
+                                                       "libstrongswan.plugins.x509_cert.enforce_critical", FALSE))
+                                               {
+                                                       DBG1("critical %s extension not supported",
+                                                                (extn_oid == OID_UNKNOWN) ? "unknown" :
+                                                                (char*)oid_names[extn_oid].name); 
+                                                       goto end;
+                                               }
                                                break;
                                }
                                break;
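Review bot: The new `enforce_critical` lookup defaults to FALSE, so unless the administrator opts in, a certificate carrying a critical extension this parser does not understand is still accepted — the opposite of RFC 5280 §4.2, which requires the certificate to be rejected in that case, and it undermines the commit's own stated intent. I would flip the default, `"libstrongswan.plugins.x509_cert.enforce_critical", TRUE))`, or at minimum document next to the call why a permissive default is needed for interoperability, e.g. `/* RFC 5280 4.2 says MUST reject; default is lenient for legacy CAs — opt in via strongswan.conf */`. The `goto end` presumably leaves the function's success flag unset so the certificate is discarded, but that cannot be confirmed here since parse_certificate begins and ends outside this hunk. There is also trailing whitespace after the `oid_names[extn_oid].name);` line.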