x509: Add flag that marks compliance with RFC 4945
author: Tobias Brunner <tobias@strongswan.org>
Wed, 25 Apr 2018 08:48:21 +0000 (10:48 +0200)
committer: Tobias Brunner <tobias@strongswan.org>
Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)
According to RFC 4945, section 5.1.3.2, a certificate for IKE must
either not contain the keyUsage extension, or, if it does, have at least
one of the digitalSignature or nonRepudiation bits set.

src/libstrongswan/credentials/certificates/x509.h

index 2c640e2..3f8af31 100644 (file)
@@ -62,6 +62,9 @@ enum x509_flag_t {
        X509_IKE_INTERMEDIATE =   (1<<8),
        /** cert has Microsoft Smartcard Logon usage */
        X509_MS_SMARTCARD_LOGON = (1<<9),
+       /** cert either lacks keyUsage bits, or includes either digitalSignature
+        *  or nonRepudiation as per RFC 4945, section 5.1.3.2. */
+       X509_IKE_COMPLIANT =      (1<<10),
 };
 
 extern enum_name_t *x509_flag_names;
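Review bot: the new X509_IKE_COMPLIANT value needs a matching entry in the x509_flag_names table declared just below (`extern enum_name_t *x509_flag_names;`), which this header-only hunk does not touch; without it the name table stops at X509_MS_SMARTCARD_LOGON and (1<<10) prints without a name. Also, the doc comment says the cert "lacks keyUsage bits" while the commit message says the certificate must "not contain the keyUsage extension"; a present extension with no bits set is a different case from an absent extension, so state which one the flag means, e.g. "cert either has no keyUsage extension, or has digitalSignature or nonRepudiation set".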