x509: Set IKE compliance flag depending on keyUsage
authorTobias Brunner <tobias@strongswan.org>
Wed, 25 Apr 2018 08:50:03 +0000 (10:50 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)
src/libstrongswan/plugins/x509/x509_cert.c

index d1f9d9a..bc3a443 100644 (file)
@@ -704,6 +704,9 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
                KU_DECIPHER_ONLY =              8,
        };
 
+       /* to be compliant with RFC 4945 specific KUs have to be included */
+       this->flags &= ~X509_IKE_COMPLIANT;
+
        if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
        {
                int bit, byte, unused = blob.ptr[0];
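Review bot: The reset on the added line makes X509_IKE_COMPLIANT follow only the last keyUsage extension parsed, whereas the other flag bits set in this function (X509_CRL_SIGN, visible in the next hunk) accumulate across calls; a certificate carrying two keyUsage extensions (invalid per RFC 5280, and nothing in this hunk shows it being rejected) would therefore be judged by its second one alone. That is probably acceptable, and the stricter fix would be to refuse a duplicate extension rather than merge it, but the asymmetry deserves to be stated rather than left implicit. I would also make the comment cite the requirement it implements: `/* RFC 4945 (5.1.3.2): if keyUsage is present, digitalSignature or nonRepudiation MUST be set for IKE use; clear here, set below once one of them is seen */`. The enclosing parse_keyUsage function starts before this hunk and continues past it.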
@@ -724,10 +727,12 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
                                                case KU_CRL_SIGN:
                                                        this->flags |= X509_CRL_SIGN;
                                                        break;
-                                               case KU_KEY_CERT_SIGN:
-                                                       /* we use the caBasicConstraint, MUST be set */
                                                case KU_DIGITAL_SIGNATURE:
                                                case KU_NON_REPUDIATION:
+                                                       this->flags |= X509_IKE_COMPLIANT;
+                                                       break;
+                                               case KU_KEY_CERT_SIGN:
+                                                       /* we use the caBasicConstraint, MUST be set */
                                                case KU_KEY_ENCIPHERMENT:
                                                case KU_DATA_ENCIPHERMENT:
                                                case KU_KEY_AGREEMENT:
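Review bot: KU_KEY_CERT_SIGN now falls through, without a marker, into the KU_KEY_ENCIPHERMENT group whose handling lies below the hunk, and the comment that moved with it ("MUST be set") now reads as if it described that group rather than explaining why the bit is ignored here. Rewording it to `/* ignored: CA status is taken from basicConstraints, which MUST be present */` and adding `/* fall through */` after it would make the intent explicit and keep -Wimplicit-fallthrough quiet. The new `break` after setting X509_IKE_COMPLIANT is reached for either bit alone, which appears to be the intended reading of RFC 4945 (one of digitalSignature or nonRepudiation suffices); a one-line comment saying so would spare the next reader the lookup. The switch and the enclosing parse_keyUsage function extend beyond this hunk.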
@@ -1381,6 +1386,9 @@ static bool parse_certificate(private_x509_cert_t *this)
 
        parser = asn1_parser_create(certObjects, this->encoding);
 
+       /* unless we see a keyUsage extension we are compliant with RFC 4945 */
+       this->flags |= X509_IKE_COMPLIANT;
+
        while (parser->iterate(parser, &objectID, &object))
        {
                u_int level = parser->get_level(parser)+1;
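Review bot: The default on the added line is set before any extension is parsed, so its correctness depends entirely on parse_keyUsage clearing the flag whenever a keyUsage extension is encountered, a coupling this hunk does not show and the comment does not name; a later change to parse_keyUsage could silently leave every certificate marked compliant. I would spell it out: `/* RFC 4945 constrains keyUsage only when the extension is present: assume compliance here and rely on parse_keyUsage() to clear the flag if it sees one */`. If x509_cert_t objects can also come into existence without passing through parse_certificate (a builder path, for instance), they would never receive the flag and would be treated as non-compliant, which is worth confirming since it is not visible here. parse_certificate starts before this hunk and its body continues past it.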