openssl: Set IKE compliance flag depending on keyUsage
authorTobias Brunner <tobias@strongswan.org>
Wed, 25 Apr 2018 08:51:51 +0000 (10:51 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)
src/libstrongswan/plugins/openssl/openssl_x509.c

index 60c0877..fae2d67 100644 (file)
@@ -668,6 +668,9 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 {
        ASN1_BIT_STRING *usage;
 
+       /* to be compliant with RFC 4945 specific KUs have to be included */
+       this->flags &= ~X509_IKE_COMPLIANT;
+
        usage = X509V3_EXT_d2i(ext);
        if (usage)
        {
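Review bot: The comment added above `this->flags &= ~X509_IKE_COMPLIANT;` names neither the rule nor why the flag is cleared before the extension is decoded, so a reader cannot tell that a keyUsage that is present but empty, or that fails to decode, is meant to stay non-compliant. Suggest `/* RFC 4945: a present keyUsage must carry digitalSignature or nonRepudiation for IKE; assume non-compliance until one of them is seen below */`. Clearing before `X509V3_EXT_d2i()` is the conservative order, but whether a decode failure also fails the whole certificate parse is decided after this hunk. parse_keyUsage_ext starts at the hunk header and its body continues outside the hunk.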
@@ -682,6 +685,11 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
                        {
                                this->flags |= X509_CRL_SIGN;
                        }
+                       if (flags & X509v3_KU_DIGITAL_SIGNATURE ||
+                               flags & X509v3_KU_NON_REPUDIATION)
+                       {
+                               this->flags |= X509_IKE_COMPLIANT;
+                       }
                        if (flags & X509v3_KU_KEY_CERT_SIGN)
                        {
                                /* we use the caBasicContraint, MUST be set */
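Review bot: The two separate bit tests in the new `if` read better, and remove any doubt about `&` versus `||` precedence, as a single mask: `if (flags & (X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_NON_REPUDIATION))`. A one-line comment on the branch would also record which requirement the flag stands for, e.g. `/* RFC 4945: IKE needs digitalSignature or nonRepudiation when keyUsage is present */`. Both ends of parse_keyUsage_ext lie outside this hunk, including where `flags` is assembled from the bit string.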
@@ -988,6 +996,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
        STACK_OF(X509_EXTENSION) *extensions;
        int i, num;
 
+       /* unless we see a keyUsage extension we are compliant with RFC 4945 */
+       this->flags |= X509_IKE_COMPLIANT;
+
        extensions = X509_get0_extensions(this->x509);
        if (extensions)
        {
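Review bot: `X509_IKE_COMPLIANT` is set here for every certificate before any extension is inspected and, as far as this diff shows, is withdrawn only by the keyUsage parser, so the flag reflects the RFC 4945 keyUsage requirement alone rather than the whole profile; the comment should say so to keep callers from reading more into the name. Suggest `/* RFC 4945 keyUsage rule only: compliant unless a keyUsage extension is present without digitalSignature/nonRepudiation, which parse_keyUsage_ext() detects by clearing this flag */`. The flag is also left set when the certificate has no extension stack at all, which matches the stated intent but is worth stating explicitly. parse_extensions starts at the hunk header and continues past the hunk.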